Authenticating Presto users with ApacheDS
Presto can integrate with LDAP for username/password authentication. Only the Coordinator node needs to connect to LDAP. The main steps are:
Configure ApacheDS and enable LDAPS
Create user entries in ApacheDS
Configure the Presto Coordinator and restart it to apply the change
Verify the configuration
Each step is described in detail below.
Enable LDAPS
Create the keystore used by the ApacheDS server; all passwords in this example are '123456'.
Create the keystore:
cd /var/lib/apacheds-2.0.0-M24/default/conf/
keytool -genkeypair -alias apacheds -keyalg RSA -validity 7 -keystore ads.keystore
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  apacheds
What is the name of your organizational unit?
  [Unknown]:  apacheds
What is the name of your organization?
  [Unknown]:  apacheds
What is the name of your City or Locality?
  [Unknown]:  apacheds
What is the name of your State or Province?
  [Unknown]:  apacheds
What is the two-letter country code for this unit?
  [Unknown]:  CN
Is CN=apacheds, OU=apacheds, O=apacheds, L=apacheds, ST=apacheds, C=CN correct?
  [no]:  yes
Enter key password for
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore ads.keystore -destkeystore ads.keystore -deststoretype pkcs12".
Change the owner of the file, otherwise ApacheDS has no permission to read it:
chown apacheds:apacheds ./ads.keystore
Export the certificate.
You will be prompted for the keystore password; it is the value set in the previous step, 123456 here:
keytool -export -alias apacheds -keystore ads.keystore -rfc -file apacheds.cer
Enter keystore password:
Certificate stored in file <apacheds.cer>
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore ads.keystore -destkeystore ads.keystore -deststoretype pkcs12".
Import the certificate into the JVM's system trust store so that the self-signed certificate is trusted:
keytool -import -file apacheds.cer -alias apacheds -keystore /usr/lib/jvm/java-1.8.0/jre/lib/security/cacerts
Edit the configuration and enable LDAPS
Open ApacheDS Studio and connect to the ApacheDS service on the cluster:
Set the Bind DN to: uid=admin,ou=system
The password can be obtained from the EMR console
Once connected, open the configuration page, enable LDAPS, point the relevant settings at the keystore created in the first step, and save (Ctrl+S).
Restart the ApacheDS service
Log in to the cluster and run the following command to restart ApacheDS. LDAPS is then up, listening on port 10636.
Note that ApacheDS Studio has a bug: testing the LDAPS connection on the connection properties page reports a handshake failure. This is caused by an internal default timeout that is too short; it does not affect actual use.
service apacheds-2.0.0-M24-default restart
Create user entries
This example creates the users under the DN dc=hadoop,dc=apache,dc=org.
Create the dc=hadoop,dc=apache,dc=org partition
Open the configuration page, add the partition there, and save with Ctrl+S. Restart the ApacheDS service for the change to take effect.
Create the users
Log in to the cluster and create the following file, /tmp/users.ldif:
# Entry for a sample people container
# Please replace with site specific values
dn: ou=people,dc=hadoop,dc=apache,dc=org
objectclass: top
objectclass: organizationalUnit
ou: people

# Entry for a sample end user
# Please replace with site specific values
dn: uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Guest
sn: User
uid: guest
userPassword: guest-password

# entry for sample user admin
dn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Admin
sn: Admin
uid: admin
userPassword: admin-password

# entry for sample user sam
dn: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: sam
sn: sam
uid: sam
userPassword: sam-password

# entry for sample user tom
dn: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: tom
sn: tom
uid: tom
userPassword: tom-password

# create FIRST Level groups branch
dn: ou=groups,dc=hadoop,dc=apache,dc=org
objectclass: top
objectclass: organizationalUnit
ou: groups
description: generic groups branch

# create the analyst group under groups
dn: cn=analyst,ou=groups,dc=hadoop,dc=apache,dc=org
objectclass: top
objectclass: groupofnames
cn: analyst
description: analystgroup
member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
member: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org

# create the scientist group under groups
dn: cn=scientist,ou=groups,dc=hadoop,dc=apache,dc=org
objectclass: top
objectclass: groupofnames
cn: scientist
description: scientist group
member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
Run the following command to import the users:
ldapmodify -x -h localhost -p 10389 -D "uid=admin,ou=system" -w {password} -a -f /tmp/users.ldif
Once it completes, the imported users are visible in ApacheDS Studio.
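Before running ldapmodify it is worth checking the LDIF file itself. The following is an added example (not part of the original post) that parses a users.ldif of the shape shown above, reports group members whose DN does not resolve to an entry in the file, and flags userPassword values written in cleartext; the embedded sample is constructed, and parse_ldif and check_ldif are hypothetical helper names.

```python
import re
from collections import OrderedDict

def parse_ldif(text):
    """Parse LDIF into dn -> [(attr, value)]. Accepts '#' comments, blank-line
    entry separators, and attributes written with or without a space after the colon."""
    entries, current = OrderedDict(), []
    for line in text.splitlines() + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                dn = next(v for a, v in current if a.lower() == "dn")
                entries[dn] = [(a, v) for a, v in current if a.lower() != "dn"]
                current = []
            continue
        attr, _, value = line.partition(":")
        current.append((attr.strip(), value.strip()))
    return entries

def check_ldif(text):
    """Return findings (empty list means clean): group members that do not resolve to an
    entry in the file, and userPassword values stored in cleartext rather than {SCHEME} form."""
    entries, findings = parse_ldif(text), []
    for dn, attrs in entries.items():
        for attr, value in attrs:
            if attr.lower() == "member" and value not in entries:
                findings.append(f"{dn}: member {value!r} is not defined in this file")
            elif attr.lower() == "userpassword" and not re.match(r"^\{\w+\}", value):
                findings.append(f"{dn}: userPassword is cleartext")
    return findings

# Constructed sample modelled on the users.ldif above; the last member DN has a typo.
SAMPLE_LDIF = """\
dn: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass:inetOrgPerson
cn: sam
uid: sam
userPassword:sam-password

# create the analyst group under groups
dn: cn=analyst,ou=groups,dc=hadoop,dc=apache,dc=org
objectclass: top
objectclass: groupofnames
cn: analyst
member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
member: uid=tom,ou=people,dc=hadoop,dc=apache,dc=or
"""
```

Running check_ldif over the real /tmp/users.ldif before the import catches a mistyped member DN, which ldapmodify would otherwise accept silently as a dangling reference.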
Configure Presto
This has two parts:
Enable HTTPS on the Coordinator
Create the keystore used by the Presto coordinator
Use the script bundled with EMR to generate the keystore:
keystore path: /etc/ecm/presto-conf/keystore
keystore password: ******
expect /var/lib/ecm-agent/cache/ecm/service/PRESTO/0.208.0.1.2/package/files/tools/gen-keystore.exp
Configure the Presto coordinator
Edit /etc/ecm/presto-conf/config.properties and add the following:
http-server.https.enabled=true
http-server.https.port=7778
http-server.https.keystore.path=/etc/ecm/presto-conf/keystore
http-server.https.keystore.key=******
Configure the authentication mode and connect to ApacheDS
Edit /etc/ecm/presto-conf/config.properties and add the following:
http-server.authentication.type=PASSWORD
Edit jvm.config and add the following:
-Djavax.net.ssl.trustStore=/usr/lib/jvm/java-1.8.0/jre/lib/security/cacerts
-Djavax.net.ssl.trustStorePassword=changeit
Create password-authenticator.properties with the following content:
password-authenticator.name=ldap
ldap.url=ldaps://emr-header-1.cluster-84423:10636
ldap.user-bind-pattern=uid=${USER},ou=people,dc=hadoop,dc=apache,dc=org
Create jndi.properties with the following content:
java.naming.security.principal=uid=admin,ou=system
java.naming.security.credentials={password}
java.naming.security.authentication=simple
Package jndi.properties into a jar and copy it into the Presto library directory:
jar -cvf jndi-properties.jar jndi.properties
cp ./jndi-properties.jar /etc/ecm/presto-current/lib/
The following three parameters are used to bind to the LDAP service. However, there is nowhere in Presto to configure them, and reading the source shows that passing them as JVM arguments does not work either (they are filtered out, so it has no effect):
java.naming.security.principal=uid=admin,ou=system
java.naming.security.credentials={LDAP password}
java.naming.security.authentication=simple
Further analysis of the code shows that the JNDI library loads the resource file jndi.properties through the class loader, so these parameters can be placed in jndi.properties.
Presto's launcher only adds jar files to the classpath, so jndi.properties also has to be packaged into a jar and copied into the lib directory.
Restart Presto; this completes the configuration.
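The ldap.user-bind-pattern value above turns the login name into a bind DN by substituting ${USER}. The following added example (an illustration written for this page, not Presto's own implementation) shows that substitution with RFC 4514 escaping of the name, so that characters such as ',' or '=' in a login name cannot change which subtree the resulting DN selects; escape_rdn_value, build_bind_dn and rdn_count are hypothetical helper names.

```python
_SPECIAL = ',+"\\<>;='   # characters RFC 4514 requires escaping inside an RDN value

def escape_rdn_value(value):
    """Escape a string for use as an RDN attribute value (RFC 4514 section 2.4)."""
    if "\x00" in value:
        raise ValueError("NUL byte in user name")
    out = "".join("\\" + c if c in _SPECIAL else c for c in value)
    if out[:1] in ("#", " "):                    # leading '#' or space must be escaped
        out = "\\" + out
    if value.endswith(" ") and len(value) > 1:   # trailing space must be escaped
        out = out[:-1] + "\\ "
    return out

def build_bind_dn(pattern, user):
    """Substitute ${USER} into an ldap.user-bind-pattern value with escaping, so the
    login name can only ever select an entry under the configured ou=people subtree."""
    if "${USER}" not in pattern:
        raise ValueError("pattern has no ${USER} placeholder")
    if not user:
        raise ValueError("empty user name")
    return pattern.replace("${USER}", escape_rdn_value(user))

def rdn_count(dn):
    """Number of RDNs in a DN: counts commas not preceded by an escaping backslash."""
    count, escaped = 1, False
    for c in dn:
        if escaped:
            escaped = False
        elif c == "\\":
            escaped = True
        elif c == ",":
            count += 1
    return count

# Value taken from password-authenticator.properties above.
PATTERN = "uid=${USER},ou=people,dc=hadoop,dc=apache,dc=org"
```

A useful invariant to check on the server side is that rdn_count of the built DN always equals rdn_count of the pattern, whatever the login name contains.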
Verify the configuration
Use the Presto CLI to check that the configuration works.
Log in as user sam with the correct password:
presto --server https://emr-header-1:7778 --keystore-path /etc/ecm/presto-conf/keystore --keystore-password ****** --catalog hive --schema default --user sam --password
Password: <correct password entered>
presto:default> show schemas;
              Schema
 tpcds_bin_partitioned_orc_5
 tpcds_oss_bin_partitioned_orc_10
 tpcds_oss_text_10
 tpcds_text_5
 tst
(5 rows)

Query 20181115_030713_00002_kp5ih, FINISHED, 3 nodes
Splits: 36 total, 36 done (100.00%)
0:00 [20 rows, 331B] [41 rows/s, 694B/s]
Log in as user sam with a wrong password:
presto --server https://emr-header-1:7778 --keystore-path /etc/ecm/presto-conf/keystore --keystore-password ****** --catalog hive --schema default --user sam --password
Password: <wrong password entered>
presto:default> show schemas;
Error running command: Authentication failed: Access Denied: Invalid credentials