[fix-33341][hbase]hbase 全量维表kerberos开启认证

Author: simenliuxing

hbase/hbase-side/hbase-all-side/src/main/java/com/dtstack/flink/sql/side/hbase/HbaseAllReqRow.java

@@ -26,8 +26,8 @@
 import com.dtstack.flink.sql.side.JoinInfo;
 import com.dtstack.flink.sql.side.hbase.table.HbaseSideTableInfo;
 import com.dtstack.flink.sql.side.hbase.utils.HbaseConfigUtils;
-import com.dtstack.flink.sql.util.RowDataComplete;
 import com.dtstack.flink.sql.side.hbase.utils.HbaseUtils;
+import com.dtstack.flink.sql.util.RowDataComplete;
 import com.google.common.collect.Maps;
 import org.apache.calcite.sql.JoinType;
 import org.apache.commons.collections.map.HashedMap;
@@ -37,8 +37,11 @@
 import org.apache.flink.types.Row;
 import org.apache.flink.util.Collector;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hbase.AuthUtil;
 import org.apache.hadoop.hbase.Cell;
 import org.apache.hadoop.hbase.CellUtil;
+import org.apache.hadoop.hbase.ChoreService;
+import org.apache.hadoop.hbase.ScheduledChore;
 import org.apache.hadoop.hbase.TableName;
 import org.apache.hadoop.hbase.client.Connection;
 import org.apache.hadoop.hbase.client.ConnectionFactory;
@@ -50,9 +53,10 @@
 import org.apache.hadoop.security.UserGroupInformation;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import sun.security.krb5.KrbException;
 
+import java.io.File;
 import java.io.IOException;
-
 import java.security.PrivilegedAction;
 import java.sql.SQLException;
 import java.sql.Timestamp;
@@ -75,7 +79,6 @@ public class HbaseAllReqRow extends BaseAllReqRow {
     private Connection conn = null;
     private Table table = null;
     private ResultScanner resultScanner = null;
-    private Configuration conf = null;
 
     public HbaseAllReqRow(RowTypeInfo rowTypeInfo, JoinInfo joinInfo, List<FieldInfo> outFieldInfoList, AbstractSideTableInfo sideTableInfo) {
         super(new HbaseAllSideInfo(rowTypeInfo, joinInfo, outFieldInfoList, sideTableInfo));
@@ -181,26 +184,40 @@ private void loadData(Map<String, Map<String, Object>> tmpCache) throws SQLExcep
         Map<String, String> colRefType = ((HbaseAllSideInfo)sideInfo).getColRefType();
         HbaseSideTableInfo hbaseSideTableInfo = (HbaseSideTableInfo) sideTableInfo;
         boolean openKerberos = hbaseSideTableInfo.isKerberosAuthEnable();
+        Configuration conf;
         int loadDataCount = 0;
         try {
             if (openKerberos) {
                 conf = HbaseConfigUtils.getHadoopConfiguration(hbaseSideTableInfo.getHbaseConfig());
                 conf.set(HbaseConfigUtils.KEY_HBASE_ZOOKEEPER_QUORUM, hbaseSideTableInfo.getHost());
                 conf.set(HbaseConfigUtils.KEY_HBASE_ZOOKEEPER_ZNODE_QUORUM, hbaseSideTableInfo.getParent());
+
                 String principal = HbaseConfigUtils.getPrincipal(hbaseSideTableInfo.getHbaseConfig());
                 String keytab = HbaseConfigUtils.getKeytab(hbaseSideTableInfo.getHbaseConfig());
 
-                UserGroupInformation userGroupInformation = HbaseConfigUtils.loginAndReturnUGI(conf, principal, keytab);
+                HbaseConfigUtils.fillSyncKerberosConfig(conf, hbaseSideTableInfo.getHbaseConfig());
+                keytab = System.getProperty("user.dir") + File.separator + keytab;
+
+                LOG.info("kerberos principal:{}，keytab:{}", principal, keytab);
+
+                conf.set(HbaseConfigUtils.KEY_HBASE_CLIENT_KEYTAB_FILE, keytab);
+                conf.set(HbaseConfigUtils.KEY_HBASE_CLIENT_KERBEROS_PRINCIPAL, principal);
+
+                UserGroupInformation userGroupInformation = HbaseConfigUtils.loginAndReturnUGI2(conf, principal, keytab);
                 Configuration finalConf = conf;
-                conn = userGroupInformation.doAs(new PrivilegedAction<Connection>() {
-                    @Override
-                    public Connection run() {
-                        try {
-                            return ConnectionFactory.createConnection(finalConf);
-                        } catch (IOException e) {
-                            LOG.error("Get connection fail with config:{}", finalConf);
-                            throw new RuntimeException(e);
+                conn = userGroupInformation.doAs((PrivilegedAction<Connection>) () -> {
+                    try {
+                        ScheduledChore authChore = AuthUtil.getAuthChore(finalConf);
+                        if (authChore != null) {
+                            ChoreService choreService = new ChoreService("hbaseKerberosSink");
+                            choreService.scheduleChore(authChore);
                         }
+
+                        return ConnectionFactory.createConnection(finalConf);
+
+                    } catch (IOException e) {
+                        LOG.error("Get connection fail with config:{}", finalConf);
+                        throw new RuntimeException(e);
                     }
                 });
 
@@ -226,7 +243,7 @@ public Connection run() {
                 loadDataCount++;
                 tmpCache.put(new String(r.getRow()), kv);
             }
-        } catch (IOException e) {
+        } catch (IOException | KrbException e) {
             throw new RuntimeException(e);
         } finally {
             LOG.info("load Data count: {}", loadDataCount);

hbase/hbase-side/hbase-side-core/src/main/java/com/dtstack/flink/sql/side/hbase/table/HbaseSideParser.java

@@ -47,6 +47,8 @@ public class HbaseSideParser extends AbstractSideTableParser {
 
     public static final String ZOOKEEPER_PARENT = "zookeeperParent";
 
+    public static final String KERBEROS_ENABLE = "hbase.security.auth.enable";
+
     public static final String TABLE_NAME_KEY = "tableName";
 
     public static final String PRE_ROW_KEY = "preRowKey";
@@ -69,6 +71,7 @@ public AbstractTableInfo getTableInfo(String tableName, String fieldsInfo, Map<S
         hbaseTableInfo.setParent((String)props.get(ZOOKEEPER_PARENT.toLowerCase()));
         hbaseTableInfo.setPreRowKey(MathUtil.getBoolean(props.get(PRE_ROW_KEY.toLowerCase()), false));
         hbaseTableInfo.setCacheType((String) props.get(CACHE));
+        hbaseTableInfo.setKerberosAuthEnable(MathUtil.getBoolean(props.get(KERBEROS_ENABLE), false));
         props.entrySet().stream()
                 .filter(entity -> entity.getKey().contains("."))
                 .map(entity -> hbaseTableInfo.getHbaseConfig().put(entity.getKey(), String.valueOf(entity.getValue())))

hbase/hbase-side/hbase-side-core/src/main/java/com/dtstack/flink/sql/side/hbase/utils/HbaseConfigUtils.java

@@ -25,9 +25,13 @@
 import org.apache.commons.lang3.StringUtils;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hbase.HBaseConfiguration;
+import org.apache.hadoop.hbase.exceptions.IllegalArgumentIOException;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authentication.util.KerberosName;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import sun.security.krb5.Config;
+import sun.security.krb5.KrbException;
 
 import java.io.File;
 import java.io.IOException;
@@ -51,38 +55,34 @@ public class HbaseConfigUtils {
     private final static String KEY_HBASE_SECURITY_AUTHENTICATION = "hbase.security.authentication";
     private final static String KEY_HBASE_SECURITY_AUTHORIZATION =  "hbase.security.authorization";
     private final static String KEY_HBASE_MASTER_KERBEROS_PRINCIPAL = "hbase.master.kerberos.principal";
-    private final static String KEY_HBASE_MASTER_KEYTAB_FILE = "hbase.master.keytab.file";
-    private final static String KEY_HBASE_REGIONSERVER_KEYTAB_FILE = "hbase.regionserver.keytab.file";
     private final static String KEY_HBASE_REGIONSERVER_KERBEROS_PRINCIPAL = "hbase.regionserver.kerberos.principal";
 
+    public final static String KEY_HBASE_CLIENT_KEYTAB_FILE = "hbase.client.keytab.file";
+    public final static String KEY_HBASE_CLIENT_KERBEROS_PRINCIPAL = "hbase.client.kerberos.principal";
+
+    public static final String KEY_HADOOP_SECURITY_AUTHENTICATION = "hadoop.security.authentication";
+    public static final String KEY_HADOOP_SECURITY_AUTH_TO_LOCAL = "hadoop.security.auth_to_local";
+    public static final String KEY_HADOOP_SECURITY_AUTHORIZATION = "hadoop.security.authorization";
+
     // async side kerberos
     private final static String KEY_HBASE_SECURITY_AUTH_ENABLE = "hbase.security.auth.enable";
-    private final static String KEY_HBASE_SASL_CLIENTCONFIG = "hbase.sasl.clientconfig";
     public final static String KEY_HBASE_KERBEROS_REGIONSERVER_PRINCIPAL = "hbase.kerberos.regionserver.principal";
     public static final String KEY_KEY_TAB = "hbase.keytab";
     public static final String KEY_PRINCIPAL = "hbase.principal";
 
     public final static String KEY_HBASE_ZOOKEEPER_QUORUM = "hbase.zookeeper.quorum";
     public final static String KEY_HBASE_ZOOKEEPER_ZNODE_QUORUM = "hbase.zookeeper.znode.parent";
 
-
+    public static final String KEY_ZOOKEEPER_SASL_CLIENT = "zookeeper.sasl.client";
     private static final String KEY_JAVA_SECURITY_KRB5_CONF = "java.security.krb5.conf";
 
     private static List<String> KEYS_KERBEROS_REQUIRED = Arrays.asList(
             KEY_HBASE_SECURITY_AUTHENTICATION,
-            KEY_HBASE_MASTER_KERBEROS_PRINCIPAL,
-            KEY_HBASE_MASTER_KEYTAB_FILE,
-            KEY_HBASE_REGIONSERVER_KEYTAB_FILE,
-            KEY_HBASE_REGIONSERVER_KERBEROS_PRINCIPAL
-    );
-
-    private static List<String> ASYNC_KEYS_KERBEROS_REQUIRED = Arrays.asList(
-            KEY_HBASE_SECURITY_AUTH_ENABLE,
-            KEY_HBASE_SASL_CLIENTCONFIG,
             KEY_HBASE_KERBEROS_REGIONSERVER_PRINCIPAL,
-            KEY_HBASE_SECURITY_AUTHENTICATION,
-            KEY_KEY_TAB);
-
+            KEY_PRINCIPAL,
+            KEY_KEY_TAB,
+            KEY_JAVA_SECURITY_KRB5_CONF
+    );
 
     public static Configuration getConfig(Map<String, Object> hbaseConfigMap) {
         Configuration hConfiguration = HBaseConfiguration.create();
@@ -124,24 +124,11 @@ public static Configuration getHadoopConfiguration(Map<String, Object> hbaseConf
                 throw new IllegalArgumentException(String.format("Must provide [%s] when authentication is Kerberos", key));
             }
         }
-        loadKrb5Conf(hbaseConfigMap);
-
-        Configuration conf = new Configuration();
-        if (hbaseConfigMap == null) {
-            return conf;
-        }
-
-        hbaseConfigMap.forEach((key, val) -> {
-            if (val != null) {
-                conf.set(key, val.toString());
-            }
-        });
-
-        return conf;
+        return HBaseConfiguration.create();
     }
 
     public static String getPrincipal(Map<String, Object> hbaseConfigMap) {
-        String principal = MapUtils.getString(hbaseConfigMap, KEY_HBASE_MASTER_KERBEROS_PRINCIPAL);
+        String principal = MapUtils.getString(hbaseConfigMap, KEY_PRINCIPAL);
         if (StringUtils.isNotEmpty(principal)) {
             return principal;
         }
@@ -150,14 +137,37 @@ public static String getPrincipal(Map<String, Object> hbaseConfigMap) {
     }
 
     public static String getKeytab(Map<String, Object> hbaseConfigMap) {
-        String keytab = MapUtils.getString(hbaseConfigMap, KEY_HBASE_MASTER_KEYTAB_FILE);
+        String keytab = MapUtils.getString(hbaseConfigMap, KEY_KEY_TAB);
         if (StringUtils.isNotEmpty(keytab)) {
             return keytab;
         }
 
         throw new IllegalArgumentException("");
     }
 
+    public static void fillSyncKerberosConfig(org.apache.hadoop.conf.Configuration config, Map<String, Object> hbaseConfigMap) throws IOException {
+        if (StringUtils.isEmpty(MapUtils.getString(hbaseConfigMap, KEY_HBASE_KERBEROS_REGIONSERVER_PRINCIPAL))) {
+            throw new IllegalArgumentException("Must provide regionserverPrincipal when authentication is Kerberos");
+        }
+
+        String regionserverPrincipal = MapUtils.getString(hbaseConfigMap, KEY_HBASE_KERBEROS_REGIONSERVER_PRINCIPAL);
+        config.set(HbaseConfigUtils.KEY_HBASE_MASTER_KERBEROS_PRINCIPAL, regionserverPrincipal);
+        config.set(HbaseConfigUtils.KEY_HBASE_REGIONSERVER_KERBEROS_PRINCIPAL, regionserverPrincipal);
+        config.set(HbaseConfigUtils.KEY_HBASE_SECURITY_AUTHORIZATION, "true");
+        config.set(HbaseConfigUtils.KEY_HBASE_SECURITY_AUTHENTICATION, "kerberos");
+
+        if (!StringUtils.isEmpty(MapUtils.getString(hbaseConfigMap, KEY_ZOOKEEPER_SASL_CLIENT))) {
+            System.setProperty(HbaseConfigUtils.KEY_ZOOKEEPER_SASL_CLIENT, MapUtils.getString(hbaseConfigMap, KEY_ZOOKEEPER_SASL_CLIENT));
+        }
+
+        String securityKrb5Conf = MapUtils.getString(hbaseConfigMap, KEY_JAVA_SECURITY_KRB5_CONF);
+        if (!StringUtils.isEmpty(securityKrb5Conf)) {
+            String krb5ConfPath = System.getProperty("user.dir") + File.separator + securityKrb5Conf;
+            LOG.info("krb5ConfPath:{}", krb5ConfPath);
+            System.setProperty(HbaseConfigUtils.KEY_JAVA_SECURITY_KRB5_CONF, krb5ConfPath);
+        }
+    }
+
     public static void loadKrb5Conf(Map<String, Object> config) {
         String krb5conf = MapUtils.getString(config, KEY_JAVA_SECURITY_KRB5_CONF);
         checkOpt(krb5conf, KEY_JAVA_SECURITY_KRB5_CONF);
@@ -190,4 +200,35 @@ public static UserGroupInformation loginAndReturnUGI(Configuration conf, String
 
         return UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
     }
+
+    public static UserGroupInformation loginAndReturnUGI2(Configuration conf, String principal, String keytab) throws IOException, KrbException {
+        LOG.info("loginAndReturnUGI principal {}",principal);
+        LOG.info("loginAndReturnUGI keytab {}",keytab);
+        if (conf == null) {
+            throw new IllegalArgumentException("kerberos conf can not be null");
+        }
+
+        if (org.apache.commons.lang.StringUtils.isEmpty(principal)) {
+            throw new IllegalArgumentException("principal can not be null");
+        }
+
+        if (org.apache.commons.lang.StringUtils.isEmpty(keytab)) {
+            throw new IllegalArgumentException("keytab can not be null");
+        }
+
+        if (!new File(keytab).exists()){
+            throw new IllegalArgumentIOException("keytab ["+ keytab + "] not exist");
+        }
+
+        conf.set(KEY_HADOOP_SECURITY_AUTHENTICATION, "Kerberos");
+        //conf.set("hadoop.security.auth_to_local", "DEFAULT");
+        conf.set(KEY_HADOOP_SECURITY_AUTH_TO_LOCAL, "RULE:[1:$1] RULE:[2:$1]");
+        conf.set(KEY_HADOOP_SECURITY_AUTHORIZATION, "true");
+
+        Config.refresh();
+        KerberosName.resetDefaultRealm();
+        UserGroupInformation.setConfiguration(conf);
+
+        return UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
+    }
 }