
Configuring Kerberos authentication for Hive Metastore

  • January 11, 2022


Starting with 3.0.0, Hive provides the Hive Metastore as a standalone service that acts as the metadata center for components such as Presto, Flink and Spark. By default, however, once the Hive Metastore is started it can be accessed without any authentication. This article therefore configures authentication for the Hive Metastore using Kerberos, the authentication method that is popular among big-data components.


If you do not yet know how to run the Hive Metastore service on its own, you can refer to the following article.


Presto使用Docker独立运行Hive Standalone Metastore管理MinIO(S3)

KDC installation

The hostname of the host on which the KDC is installed is known to be: hadoop


yum install -y krb5-server krb5-libs krb5-auth-dialog krb5-workstation

Modify the configuration files

Edit /var/kerberos/krb5kdc/kdc.conf. Its default content is:


[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 EXAMPLE.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }


EXAMPLE.COM can be changed to the realm you have chosen; in this article it is set to BIGDATATOAI.COM.


[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 BIGDATATOAI.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }


Edit /etc/krb5.conf. The default file is:


# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM


Change it to the following, setting the realm to BIGDATATOAI.COM and both kdc and admin_server to hadoop:


# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
 default_realm = BIGDATATOAI.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 BIGDATATOAI.COM = {
  kdc = hadoop
  admin_server = hadoop
 }

[domain_realm]

Initialize the Kerberos database

kdb5_util create -s -r BIGDATATOAI.COM


During initialization you will be asked to enter the master key of the KDC database twice; enter that master key both times.


[root@hadoop data]# kdb5_util create -s -r BIGDATATOAI.COM
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'BIGDATATOAI.COM',
master key name 'K/M@BIGDATATOAI.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify: 

Add an administrator user

kadmin.local


While adding the user you will be asked to enter the user's password twice; just enter the password both times.


[root@hadoop data]# kadmin.local 
Authenticating as principal root/admin@BIGDATATOAI.COM with password.
kadmin.local:  addprinc admin/admin@BIGDATATOAI.COM
WARNING: no policy specified for admin/admin@BIGDATATOAI.COM; defaulting to no policy
Enter password for principal "admin/admin@BIGDATATOAI.COM": 
Re-enter password for principal "admin/admin@BIGDATATOAI.COM": 
Principal "admin/admin@BIGDATATOAI.COM" created.


Edit /var/kerberos/krb5kdc/kadm5.acl and set it to


*/admin@BIGDATATOAI.COM *

Start the related services

systemctl start krb5kdc
systemctl start kadmin

Add a principal with the administrator user

kadmin -p admin/admin


Once in the kadmin client, add the principal hive-metastore/hadoop@BIGDATATOAI.COM. During the addition you will be asked to enter the principal's password twice; just enter it both times.


[root@hadoop data]# kadmin -p admin/admin
Authenticating as principal admin/admin with password.
Password for admin/admin@BIGDATATOAI.COM: 
kadmin:  add_principal hive-metastore/hadoop
WARNING: no policy specified for hive-metastore/hadoop@BIGDATATOAI.COM; defaulting to no policy
Enter password for principal "hive-metastore/hadoop@BIGDATATOAI.COM": 
Re-enter password for principal "hive-metastore/hadoop@BIGDATATOAI.COM": 
Principal "hive-metastore/hadoop@BIGDATATOAI.COM" created.


Export the principal to a keytab


kadmin:  xst -t /root/hive-metastore.keytab -norandkey hive-metastore/hadoop
kadmin: Principal -t does not exist.
kadmin: Principal /root/hive-metastore.keytab does not exist.
kadmin: Principal -norandkey does not exist.
Entry for principal hive-metastore/hadoop with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal hive-metastore/hadoop with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal hive-metastore/hadoop with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal hive-metastore/hadoop with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal hive-metastore/hadoop with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal hive-metastore/hadoop with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal hive-metastore/hadoop with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal hive-metastore/hadoop with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.

Configuring Kerberos authentication in Hive Metastore

Modify metastore-site.xml


<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<configuration>
    <property>
        <name>javax.jdo.option.ConnectionURL</name>
        <!-- "&" must be written as "&amp;" inside XML, otherwise the file does not parse -->
        <value>jdbc:mysql://192.168.1.3:3306/metastore_2?useSSL=false&amp;serverTimezone=UTC</value>
    </property>
    <property>
        <name>javax.jdo.option.ConnectionDriverName</name>
        <value>com.mysql.jdbc.Driver</value>
    </property>
    <property>
        <name>javax.jdo.option.ConnectionUserName</name>
        <value>root</value>
    </property>
    <property>
        <name>javax.jdo.option.ConnectionPassword</name>
        <value>password</value>
    </property>
    <property>
        <name>hive.metastore.event.db.notification.api.auth</name>
        <value>false</value>
    </property>
    <property>
        <name>metastore.thrift.uris</name>
        <value>thrift://localhost:9083</value>
        <description>Thrift URI for the remote metastore. Used by metastore client to connect to remote metastore.</description>
    </property>
    <property>
        <name>metastore.task.threads.always</name>
        <value>org.apache.hadoop.hive.metastore.events.EventCleanerTask</value>
    </property>
    <property>
        <name>metastore.expression.proxy</name>
        <value>org.apache.hadoop.hive.metastore.DefaultPartitionExpressionProxy</value>
    </property>
    <property>
        <name>metastore.warehouse.dir</name>
        <value>files:///user/hive/warehouse</value>
    </property>
    <property>
        <name>hive.metastore.authentication.type</name>
        <value>kerberos</value>
    </property>
    <property>
        <name>hive.metastore.thrift.impersonation.enabled</name>
        <value>true</value>
    </property>
    <property>
        <name>hive.metastore.kerberos.principal</name>
        <value>hive-metastore/hadoop@BIGDATATOAI.COM</value>
    </property>
    <property>
        <name>hive.metastore.sasl.enabled</name>
        <value>true</value>
    </property>
    <property>
        <name>hive.metastore.kerberos.keytab.file</name>
        <value>/etc/hive/conf/hive-metastore.keytab</value>
    </property>
</configuration>


Because the Kerberos support of hive-metastore depends on the HDFS component, the following configuration also needs to be added to core-site.xml:


<property>
  <name>hadoop.proxyuser.hive-metastore.groups</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.proxyuser.hive-metastore.hosts</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.security.authorization</name>
  <value>true</value>
</property>
<property>
  <name>hadoop.security.auth_to_local</name>
  <!-- [2:$1@$0] rewrites hive-metastore/hadoop@BIGDATATOAI.COM to the string
       hive-metastore@BIGDATATOAI.COM (first component plus realm, no host), so the
       match pattern must not contain a slash; with a slash the rule never matches and
       only DEFAULT applies. -->
  <value>
    RULE:[2:$1@$0](hive-metastore@.*BIGDATATOAI.COM)s/.*/hive-metastore/
    DEFAULT
  </value>
</property>
<property>
  <name>hadoop.security.authentication</name>
  <value>kerberos</value>
</property>


Next, the Hive Metastore can be started


bin/start-metastore



Now access this Hive Metastore directly through the Java API. For how to access the Hive Metastore through the Java API, see: 通过Java API获取Hive Metastore中的元数据信息


package com.zh.ch.bigdata.hms;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.metastore.IMetaStoreClient;
import org.apache.hadoop.hive.metastore.RetryingMetaStoreClient;
import org.apache.hadoop.hive.metastore.api.MetaException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class HMSClient {

    public static final Logger LOGGER = LoggerFactory.getLogger(HMSClient.class);

    /**
     * Initialize the HMS connection
     * @param conf org.apache.hadoop.conf.Configuration
     * @return IMetaStoreClient
     * @throws MetaException exception
     */
    public static IMetaStoreClient init(Configuration conf) throws MetaException {
        try {
            return RetryingMetaStoreClient.getProxy(conf, false);
        } catch (MetaException e) {
            LOGGER.error("hms连接失败", e);
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        Configuration conf = new Configuration();
        conf.set("hive.metastore.uris", "thrift://192.168.241.134:9083");
        // conf.addResource("hive-site.xml");
        IMetaStoreClient client = HMSClient.init(conf);

        System.out.println("----------------------------获取所有catalogs-------------------------------------");
        client.getCatalogs().forEach(System.out::println);

        System.out.println("------------------------获取catalog为hive的描述信息--------------------------------");
        System.out.println(client.getCatalog("hive").toString());

        System.out.println("--------------------获取catalog为hive的所有database-------------------------------");
        client.getAllDatabases("hive").forEach(System.out::println);
    }
}


The result obtained:



As can be seen, without Kerberos authentication the Hive Metastore cannot be accessed.
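As an added example (not the author's code), the same client configured so that it does authenticate against the Kerberos-enabled metastore. It assumes a client principal hms-user@BIGDATATOAI.COM with keytab /root/hms-user.keytab (both constructed; create them with kadmin the same way as the service principal), that the metastore is reachable at hadoop:9083, and that the service keytab sits at the path metastore-site.xml names: the kadmin session above wrote it to /etc/krb5.keytab, because ktadd takes the keytab path with -k rather than -t and accepts -norandkey only in kadmin.local.

```java
package com.zh.ch.bigdata.hms;
import java.io.IOException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.metastore.IMetaStoreClient;
import org.apache.hadoop.hive.metastore.RetryingMetaStoreClient;
import org.apache.hadoop.hive.metastore.api.MetaException;
import org.apache.hadoop.security.UserGroupInformation;

public class KerberosHMSClient {
    // Service principal of the metastore, as configured in metastore-site.xml above.
    static final String SERVER_PRINCIPAL = "hive-metastore/hadoop@BIGDATATOAI.COM";
    // Assumed client identity (constructed, not on the page): create the principal and
    // export its keytab with kadmin exactly as was done for the service principal.
    static final String CLIENT_PRINCIPAL = "hms-user@BIGDATATOAI.COM";
    static final String CLIENT_KEYTAB = "/root/hms-user.keytab";

    // Client-side configuration. Without hadoop.security.authentication=kerberos and
    // hive.metastore.sasl.enabled=true the client opens a plain Thrift socket, which the
    // SASL-only server rejects, as in the unauthenticated run above.
    static Configuration kerberosConf(String metastoreUri) {
        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        conf.set("hive.metastore.uris", metastoreUri);
        conf.set("hive.metastore.sasl.enabled", "true");
        // The client takes the SASL service name from this value, so it must be the
        // principal the server authenticates as.
        conf.set("hive.metastore.kerberos.principal", SERVER_PRINCIPAL);
        return conf;
    }

    // Log in from the keytab, then open an authenticated metastore client.
    public static IMetaStoreClient connect(String metastoreUri, String principal, String keytab)
            throws IOException, MetaException {
        Configuration conf = kerberosConf(metastoreUri);
        UserGroupInformation.setConfiguration(conf);
        UserGroupInformation.loginUserFromKeytab(principal, keytab);
        if (!UserGroupInformation.getLoginUser().hasKerberosCredentials()) {
            throw new IOException("keytab login yielded no Kerberos credentials for " + principal);
        }
        return RetryingMetaStoreClient.getProxy(conf, false);
    }

    public static void main(String[] args) throws Exception {
        // Assumes the metastore from this article is reachable at hadoop:9083.
        IMetaStoreClient client = connect("thrift://hadoop:9083", CLIENT_PRINCIPAL, CLIENT_KEYTAB);
        try {
            client.getAllDatabases("hive").forEach(System.out::println);
        } finally {
            client.close();
        }
    }
}
```

The client machine needs the same /etc/krb5.conf realm settings as the KDC host so that the JVM can locate the KDC for BIGDATATOAI.COM.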
