发布时间 2022/01/07 00:10:13 最后回复 tmtmtm1 2022/01/07 01:19:08 版块 混合云FusionInsight
他的回复:
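/**
 * Authentication-related code: generates the JAAS configuration used for Kerberos
 * login and points the JVM at the krb5.conf and JAAS files through system
 * properties.
 *
 * <p>{@code log}, {@code JAVA_SECURITY_KRB5_CONF_KEY} and
 * {@code JAVA_SECURITY_LOGIN_CONF_KEY} are referenced but not declared in this
 * class; the surrounding compilation unit (static import or companion class) is
 * expected to provide them.
 *
 * <p>Thread-safety: {@link #setJaasFile} is {@code synchronized} on the class and
 * is the only writer of {@code jaasWritten}.
 */
public class LoginUtil {
    /** JAAS application entries emitted into the generated jaas.conf, one per module. */
    public enum Module {
        STORM("StormClient"),
        KAFKA("KafkaClient"),
        Elasticsearch("EsClient"),
        ZOOKEEPER("Client");

        private final String name;

        Module(String name) {
            this.name = name;
        }

        /** @return the JAAS application name written for this module */
        public String getName() {
            return name;
        }
    }

    private static final String LINE_SEPARATOR = System.getProperty("line.separator");
    private static final String ES_FLAG = "es.";
    private static final String JAAS_POSTFIX = ".jaas.conf";
    private static final String IBM_LOGIN_MODULE = "com.ibm.security.auth.module.Krb5LoginModule required";
    private static final String SUN_LOGIN_MODULE = "com.sun.security.auth.module.Krb5LoginModule required";
    private static final String ZOOKEEPER_SERVER_PRINCIPAL_KEY = "zookeeper.server.principal";

    // Human-readable diagnoses for common Kerberos login failures. None of the methods
    // visible in this class reference them; kept for callers elsewhere.
    private static final String LOGIN_FAILED_CAUSE_PASSWORD_WRONG =
            "(wrong password) keytab file and user not match, you can kinit -k -t keytab user in client server to check";
    private static final String LOGIN_FAILED_CAUSE_TIME_WRONG =
            "(clock skew) time of local server and remote server not match, please check ntp to remote server";
    private static final String LOGIN_FAILED_CAUSE_AES256_WRONG =
            "(aes256 not support) aes256 not support by default jdk/jre, need copy local_policy.jar and US_export_policy.jar from remote server in path /opt/huawei/Bigdata/jdk/jre/lib/security";
    private static final String LOGIN_FAILED_CAUSE_PRINCIPAL_WRONG =
            "(no rule) principal format not support by default, need add property hadoop.security.auth_to_local(in core-site.xml) value RULE:[1:$1] RULE:[2:$1]";
    private static final String LOGIN_FAILED_CAUSE_TIME_OUT =
            "(time out) can not connect to kdc server or there is fire wall in the network";

    /** IBM JDKs ship a different Krb5LoginModule with different option names. */
    private static final boolean IS_IBM_JDK = System.getProperty("java.vendor").contains("IBM");

    /** True once this JVM has written the JAAS file; guarded by the class lock held in setJaasFile. */
    private static boolean jaasWritten = false;

    /**
     * Points the JVM at the given krb5.conf by setting the system property named by
     * {@code JAVA_SECURITY_KRB5_CONF_KEY}, then reads the property back to confirm
     * the value took effect.
     *
     * @param krb5ConfFile path of the krb5.conf to use; must not be null
     * @throws IOException if the argument is null, or the property reads back as
     *                     null or as a different value
     */
    public static void setKrb5Config(String krb5ConfFile) throws IOException {
        if (krb5ConfFile == null) {
            // System.setProperty(key, null) would throw NPE; report it as a config error instead.
            String msg = JAVA_SECURITY_KRB5_CONF_KEY + " is null.";
            log.error(msg);
            throw new IOException(msg);
        }
        System.setProperty(JAVA_SECURITY_KRB5_CONF_KEY, krb5ConfFile);
        String actual = System.getProperty(JAVA_SECURITY_KRB5_CONF_KEY);
        if (actual == null) {
            String msg = JAVA_SECURITY_KRB5_CONF_KEY + " is null.";
            log.error(msg);
            throw new IOException(msg);
        }
        if (!actual.equals(krb5ConfFile)) {
            String msg = JAVA_SECURITY_KRB5_CONF_KEY + " is " + actual + " is not " + krb5ConfFile + ".";
            log.error(msg);
            throw new IOException(msg);
        }
    }

    /**
     * Writes the {@code es.<user>.jaas.conf} file under {@code LoadProperties.keytabPath}
     * and sets the system property named by {@code JAVA_SECURITY_LOGIN_CONF_KEY} to it.
     * The file is (re)written when this JVM has not written it yet, or when it no longer
     * exists on disk.
     *
     * @param principal  Kerberos principal to place in every login-module entry
     * @param keytabPath path of the keytab file; backslashes are doubled so the value
     *                   survives JAAS parsing of Windows paths
     * @throws IOException if either argument is null, or the file cannot be replaced
     */
    public static synchronized void setJaasFile(String principal, String keytabPath) throws IOException {
        if (principal == null || keytabPath == null) {
            // Previously this only logged and then dereferenced keytabPath below; fail fast.
            log.error("Please check your principal or keytabPath.");
            throw new IOException("Please check your principal or keytabPath.");
        }
        String jaasPath = new File(LoadProperties.keytabPath) + File.separator + ES_FLAG
                + System.getProperty("user.name") + JAAS_POSTFIX;
        // JAAS treats '\' as an escape character, so Windows separators must be doubled.
        jaasPath = jaasPath.replace("\\", "\\\\");
        String escapedKeytabPath = keytabPath.replace("\\", "\\\\");

        boolean fileMissing = !new File(jaasPath).exists();
        if (!jaasWritten || fileMissing) {
            // deleteJaasFile is a no-op when the file is absent.
            deleteJaasFile(jaasPath);
            writeJaasFile(jaasPath, principal, escapedKeytabPath);
            System.setProperty(JAVA_SECURITY_LOGIN_CONF_KEY, jaasPath);
            jaasWritten = true;
        }
    }

    /**
     * Writes the generated JAAS content to {@code jaasPath}, truncating any existing file.
     *
     * @throws IOException wrapping the underlying failure (permissions, missing directory)
     */
    private static void writeJaasFile(String jaasPath, String principal, String keytabPath) throws IOException {
        try (FileWriter writer = new FileWriter(new File(jaasPath))) {
            writer.write(getJaasConfContext(principal, keytabPath));
            writer.flush();
        } catch (IOException e) {
            // Keep the cause; the original message alone hid why the write failed.
            throw new IOException("Failed to create jaas.conf File", e);
        }
    }

    /**
     * Deletes the JAAS file if it exists.
     *
     * @throws IOException if the file exists but could not be deleted
     */
    private static void deleteJaasFile(String jaasPath) throws IOException {
        File jaasFile = new File(jaasPath);
        if (jaasFile.exists() && !jaasFile.delete()) {
            throw new IOException("Failed to delete exists jaas file.");
        }
    }

    /** Concatenates one login-module entry per {@link Module}, in declaration order. */
    private static String getJaasConfContext(String principal, String keytabPath) {
        StringBuilder content = new StringBuilder();
        for (Module module : Module.values()) {
            content.append(getModuleContext(principal, keytabPath, module));
        }
        return content.toString();
    }

    /**
     * Renders a single JAAS application entry for {@code module}, choosing the IBM or
     * Sun Krb5LoginModule option set based on the running JDK vendor.
     */
    private static String getModuleContext(String userPrincipal, String keyTabPath, Module module) {
        // Values are interpolated into double-quoted options without escaping; a principal
        // or path containing '"' would yield an unparseable file.
        StringBuilder out = new StringBuilder();
        appendLine(out, module.getName() + " {");
        if (IS_IBM_JDK) {
            appendLine(out, IBM_LOGIN_MODULE);
            appendLine(out, "credsType=both");
            appendLine(out, "principal=\"" + userPrincipal + "\"");
            appendLine(out, "useKeytab=\"" + keyTabPath + "\"");
        } else {
            appendLine(out, SUN_LOGIN_MODULE);
            appendLine(out, "useKeyTab=true");
            appendLine(out, "keyTab=\"" + keyTabPath + "\"");
            appendLine(out, "principal=\"" + userPrincipal + "\"");
            appendLine(out, "useTicketCache=false");
            appendLine(out, "storeKey=true");
        }
        // debug=true makes the login module print each login step to stdout; handy while
        // setting up, noisy in production -- consider making it configurable.
        appendLine(out, "debug=true;");
        appendLine(out, "};");
        return out.toString();
    }

    /** Appends {@code text} followed by the platform line separator. */
    private static void appendLine(StringBuilder out, String text) {
        out.append(text).append(LINE_SEPARATOR);
    }
}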
发布时间 2022/01/07 00:10:13 最后回复 tmtmtm1 2022/01/07 01:19:08 版块 混合云FusionInsight
他的回复:
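/**
 * Authentication / configuration loading: reads {@code esParams.properties} and
 * builds the Elasticsearch client {@code Configuration}, wiring up Kerberos
 * (JAAS and krb5.conf) through {@code LoginUtil} when secure mode is enabled.
 *
 * <p>{@code log}, {@code Configuration} and {@code TransportAddress} are referenced
 * but not declared in this class; the surrounding compilation unit is expected to
 * provide them.
 */
public class LoadProperties {
    /** Dotted-quad IPv4 literals only; hostnames and IPv6 literals are rejected. */
    private static final Pattern IP_PATTERN = Pattern.compile(
            "((2[0-4]\\d|25[0-5]|[01]?\\d\\d?)\\.){3}(2[0-4]\\d|25[0-5]|[01]?\\d\\d?)");
    private static final Properties properties = new Properties();
    /** Keytab location from the last successful loadProperties(); read by LoginUtil. */
    public static String keytabPath;
    public static final String CONFIGURATION_FILE_NAME = "esParams.properties";
    public static final String FUSIONINSIGHT_ES_PARAM_LOCATION = "fusioninsight_es_param_location";
    public static final String FUSIONINSIGHT_ES_PARAM_LOCATION_DEFAULT = "/data/app/zjaudit/fi-authorization";
    /** Full path of the properties file, set by initProperties() and used in error messages. */
    private static String configPath;

    /**
     * Loads the properties file and assembles a {@code Configuration} from it. In secure
     * mode the principal, keytab and krb5 paths are read and the JVM security properties
     * are set as a side effect.
     *
     * @return the populated configuration
     * @throws IOException              if the Kerberos configuration cannot be written
     * @throws IllegalArgumentException if the properties file is missing or a required
     *                                  key is absent or malformed
     */
    public static Configuration loadProperties() throws IOException {
        initProperties();
        Configuration configuration = new Configuration();
        configuration.setClusterName(loadClusterName());
        configuration.setTransportAddress(loadTransportAddress());
        configuration.setSecureMode(loadIsSecureMode());
        if (configuration.isSecureMode()) {
            configuration.setPrincipal(loadPrincipal());
            configuration.setKeyTabPath(loadPath("keytabPath"));
            configuration.setKrb5Path(loadPath("krb5Path"));
            keytabPath = configuration.getKeyTabPath();
            setSecurityConfig(configuration.getPrincipal(), keytabPath, configuration.getKrb5Path());
        }
        configuration.setSniff(loadIsSniff());
        log.info("configuration:" + configuration);
        return configuration;
    }

    /** Directory that holds the config, keytab and krb5 files (system property or default). */
    private static String paramLocation() {
        return System.getProperty(FUSIONINSIGHT_ES_PARAM_LOCATION, FUSIONINSIGHT_ES_PARAM_LOCATION_DEFAULT);
    }

    /**
     * Reads {@code esParams.properties} into {@code properties}.
     *
     * @throws IllegalArgumentException if the file cannot be opened or parsed; the
     *                                  underlying exception is attached as the cause
     */
    private static void initProperties() {
        configPath = paramLocation() + File.separator + CONFIGURATION_FILE_NAME;
        // try-with-resources: the original leaked the FileInputStream.
        try (FileInputStream in = new FileInputStream(configPath)) {
            properties.load(in);
        } catch (IOException e) {
            log.error("Failed to load properties file {}.", configPath);
            throw new IllegalArgumentException("Failed to load properties file " + configPath, e);
        }
    }

    /**
     * @return the non-empty {@code clusterName} property
     * @throws IllegalArgumentException if the key is missing or empty
     */
    public static String loadClusterName() {
        String clusterName = properties.getProperty("clusterName");
        if (clusterName == null || clusterName.isEmpty()) {
            log.error("clusterName is empty, please configure it in {}", configPath);
            throw new IllegalArgumentException();
        }
        return clusterName;
    }

    /**
     * Parses {@code esServerHosts} ("ip1:port1,ip2:port2,...") into transport addresses.
     * Each entry must be exactly {@code <ipv4>:<port>}.
     *
     * @throws IllegalArgumentException if the key is missing, or any entry has a bad
     *                                  IP, missing port or non-numeric port
     */
    private static Set loadTransportAddress() {
        String serverHosts = properties.getProperty("esServerHosts");
        if (serverHosts == null || serverHosts.isEmpty()) {
            log.error("Please configure esServerHosts in {}.", configPath);
            log.error("The format of esServerHosts is ip1:port1,ip2:port2,ipn:portn");
            throw new IllegalArgumentException();
        }
        String[] hosts = serverHosts.split(",");
        Set<TransportAddress> transportAddresses = new HashSet<>(hosts.length);
        for (String host : hosts) {
            String[] ipAndPort = host.split(":");
            // The original indexed ipAndPort[1] unguarded, so "ip" with no ":port"
            // failed with ArrayIndexOutOfBoundsException instead of a config error.
            if (ipAndPort.length != 2) {
                log.error("The configuration esClientIPPort is empty, please configure it in {}.", configPath);
                throw new IllegalArgumentException();
            }
            String esClientIP = ipAndPort[0];
            String esClientPort = ipAndPort[1];
            if (!IP_PATTERN.matcher(esClientIP).matches()) {
                log.error("The configuration clientIP format is wrong, please configure it in {}.", configPath);
                throw new IllegalArgumentException();
            }
            if (esClientPort.isEmpty()) {
                log.error("The configuration esClientIPPort is empty, please configure it in {}.", configPath);
                throw new IllegalArgumentException();
            }
            try {
                // esClientIP is a validated literal, so getByName does not hit DNS.
                InetAddress address = InetAddress.getByName(esClientIP);
                transportAddresses.add(new TransportAddress(address, Integer.parseInt(esClientPort)));
            } catch (IOException | NumberFormatException e) {
                log.error("Init esServerHosts occur error : {}", e.getMessage());
                throw new IllegalArgumentException("Invalid esServerHosts entry: " + host, e);
            }
        }
        return transportAddresses;
    }

    /**
     * Returns the property named {@code path}, or the parameter location (with a trailing
     * separator) when the property is absent or empty.
     */
    private static String loadPath(String path) {
        String loadedPath = properties.getProperty(path);
        if (loadedPath == null || loadedPath.isEmpty()) {
            loadedPath = paramLocation() + File.separator;
            log.warn(path + " is empty, using the default path [{}].", loadedPath);
        }
        return loadedPath;
    }

    /**
     * Secure mode is on unless {@code isSecureMode} is literally "false". A missing key
     * therefore means secure (the original dereferenced the null and threw NPE).
     */
    private static boolean loadIsSecureMode() {
        return !"false".equals(properties.getProperty("isSecureMode"));
    }

    /** Sniffing is on unless {@code isSniff} is literally "false"; a missing key means on. */
    private static boolean loadIsSniff() {
        return !"false".equals(properties.getProperty("isSniff"));
    }

    /**
     * @return the non-empty {@code principal} property
     * @throws IllegalArgumentException if the key is missing or empty
     */
    private static String loadPrincipal() {
        String principal = properties.getProperty("principal");
        if (principal == null || principal.isEmpty()) {
            log.error("Please configure principal in {}.", configPath);
            throw new IllegalArgumentException();
        }
        return principal;
    }

    /**
     * Writes the JAAS file and sets the krb5.conf and {@code es.security.indication}
     * system properties.
     *
     * <p>Note: {@code keytabPath} and {@code krb5Path} are concatenated with the file
     * names directly, so they must end with a separator. The loadPath() default does;
     * a user-configured value without one produces e.g. {@code /diruser.keytab}.
     */
    private static void setSecurityConfig(String principal, String keytabPath, String krb5Path) throws IOException {
        LoginUtil.setJaasFile(principal, keytabPath + "user.keytab");
        System.setProperty("es.security.indication", "true");
        LoginUtil.setKrb5Config(krb5Path + "krb5.conf");
    }
}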