Merge branch 'hotfix_1.8_4.0.x_30855' into 1.8_release_4.0.x

Author: gituser

flinkx-core/src/main/java/com/dtstack/flinkx/options/Options.java

@@ -76,6 +76,15 @@ public class Options {
     @OptionRequired(description = "plugin load mode, by classpath or shipfile")
     private String pluginLoadMode = "shipfile";
 
+    @OptionRequired(description = "kerberos krb5conf")
+    private String krb5conf ;
+
+    @OptionRequired(description = "kerberos keytabPath")
+    private String keytab ;
+
+    @OptionRequired(description = "kerberos principal")
+    private String principal ;
+
     public String getS() {
         return s;
     }
@@ -195,4 +204,51 @@ public String getPluginLoadMode() {
     public void setPluginLoadMode(String pluginLoadMode) {
         this.pluginLoadMode = pluginLoadMode;
     }
+
+    public String getKrb5conf() {
+        return krb5conf;
+    }
+
+    public void setKrb5conf(String krb5conf) {
+        this.krb5conf = krb5conf;
+    }
+
+    public String getKeytab() {
+        return keytab;
+    }
+
+    public void setKeytab(String keytab) {
+        this.keytab = keytab;
+    }
+
+    public String getPrincipal() {
+        return principal;
+    }
+
+    public void setPrincipal(String principal) {
+        this.principal = principal;
+    }
+
+    @Override
+    public String toString() {
+        return "Options{" +
+                "mode='" + mode + '\'' +
+                ", job='" + job + '\'' +
+                ", monitor='" + monitor + '\'' +
+                ", jobid='" + jobid + '\'' +
+                ", flinkconf='" + flinkconf + '\'' +
+                ", pluginRoot='" + pluginRoot + '\'' +
+                ", yarnconf='" + yarnconf + '\'' +
+                ", parallelism='" + parallelism + '\'' +
+                ", priority='" + priority + '\'' +
+                ", queue='" + queue + '\'' +
+                ", flinkLibJar='" + flinkLibJar + '\'' +
+                ", confProp='" + confProp + '\'' +
+                ", s='" + s + '\'' +
+                ", pluginLoadMode='" + pluginLoadMode + '\'' +
+                ", krb5conf='" + krb5conf + '\'' +
+                ", keytab='" + keytab + '\'' +
+                ", principal='" + principal + '\'' +
+                '}';
+    }
 }

flinkx-core/src/main/java/com/dtstack/flinkx/util/FileSystemUtil.java

@@ -69,8 +69,9 @@ public static void setHadoopUserName(Configuration conf){
         }
 
         try {
-            String ticketCachePath = conf.get("hadoop.security.kerberos.ticket.cache.path");
-            UserGroupInformation ugi = UserGroupInformation.getBestUGI(ticketCachePath, hadoopUserName);
+            String previousUserName = UserGroupInformation.getLoginUser().getUserName();
+            LOG.info("Hadoop user from '{}' switch to '{}' with SIMPLE auth", previousUserName, hadoopUserName);
+            UserGroupInformation ugi = UserGroupInformation.createRemoteUser(hadoopUserName);
             UserGroupInformation.setLoginUser(ugi);
         } catch (Exception e) {
             LOG.warn("Set hadoop user name error:", e);
@@ -87,7 +88,6 @@ public static boolean isOpenKerberos(Map<String, Object> hadoopConfig){
 
     private static FileSystem getFsWithKerberos(Map<String, Object> hadoopConfig, String defaultFs) throws Exception{
         UserGroupInformation ugi = getUGI(hadoopConfig, defaultFs);
-        UserGroupInformation.setLoginUser(ugi);
 
         return ugi.doAs(new PrivilegedAction<FileSystem>() {
             @Override
@@ -110,7 +110,6 @@ public static UserGroupInformation getUGI(Map<String, Object> hadoopConfig, Stri
         KerberosUtil.refreshConfig();
 
         UserGroupInformation ugi = KerberosUtil.loginAndReturnUgi(getConfiguration(hadoopConfig, defaultFs), principal, keytabFileName);
-        UserGroupInformation.setLoginUser(ugi);
 
         return ugi;
     }

flinkx-hive/flinkx-hive-core/src/main/java/com/dtstack/flinkx/hive/util/HiveDbUtil.java

@@ -63,7 +63,7 @@ public final class HiveDbUtil {
     public static final String PARAM_DELIMITER = "&";
     public static final String KEY_PRINCIPAL = "principal";
 
-    public static Pattern HIVE_JDBC_PATTERN = Pattern.compile("(?i)jdbc:hive2://(?<host>[0-9a-zA-Z\\.]+):(?<port>\\d+)/(?<db>[0-9a-z_%]+)(?<param>[\\?;#].*)*");
+    public static Pattern HIVE_JDBC_PATTERN = Pattern.compile("(?i)jdbc:hive2://(?<host>[^:]+):(?<port>\\d+)/(?<db>[^;]+)(?<param>[\\?;#].*)*");
     public static final String HOST_KEY = "host";
     public static final String PORT_KEY = "port";
     public static final String DB_KEY = "db";
@@ -264,7 +264,8 @@ public static String parseIpAndPort(String url) {
         if (matcher.find()) {
             addr = matcher.group(HOST_KEY) + ":" + matcher.group(PORT_KEY);
         } else {
-            addr = url.substring(url.indexOf("//") + 2, url.lastIndexOf("/"));
+            addr = url.substring(url.indexOf("//") + 2);
+            addr=  addr.substring(0,addr.indexOf("/"));
         }
         return addr;
     }

flinkx-launcher/src/main/java/com/dtstack/flinkx/launcher/ClusterClientFactory.java

@@ -91,6 +91,10 @@ public static ClusterClient createYarnClient(Options launcherOptions) throws Exc
             config.setString(ConfigConstants.PATH_HADOOP_CONFIG, yarnConfDir);
             FileSystem.initialize(config);
 
+            //进行kerberos验证 如果需要的话
+            KerberosInfo kerberosInfo = new KerberosInfo(launcherOptions.getKrb5conf(), launcherOptions.getKeytab(), launcherOptions.getPrincipal(), config);
+            kerberosInfo.verify();
+
             YarnConfiguration yarnConf = YarnConfLoader.getYarnConf(yarnConfDir);
 
             try (YarnClient yarnClient = YarnClient.createYarnClient()) {

flinkx-launcher/src/main/java/com/dtstack/flinkx/launcher/KerberosInfo.java

@@ -0,0 +1,149 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.dtstack.flinkx.launcher;
+
+import com.dtstack.flinkx.util.ExceptionUtil;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.flink.configuration.Configuration;
+import org.apache.flink.configuration.SecurityOptions;
+import org.apache.flink.runtime.util.HadoopUtils;
+import org.apache.hadoop.security.SecurityUtil;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.io.IOException;
+
+/**
+ * KerberosInfo
+ *
+ * @author by [email protected]
+ * @Date 2020/8/21
+ */
+public class KerberosInfo {
+
+    private static final Logger LOG = LoggerFactory.getLogger(KerberosInfo.class);
+
+
+    private final String krb5confPath;
+    private final String keytab;
+    private final String principal;
+    private final Configuration config;
+    private final org.apache.hadoop.conf.Configuration hadoopConfiguration;
+
+    public KerberosInfo(String krb5confPath, String keytab, String principal, Configuration config) {
+        this.krb5confPath = krb5confPath;
+        this.config = config;
+        this.hadoopConfiguration = HadoopUtils.getHadoopConfiguration(this.config);
+
+        //keytab, launcherOptions.getKeytab() 比flinkConfiguration里配置的优先级高
+        if (StringUtils.isBlank(keytab)) {
+            this.keytab = this.config.getString(SecurityOptions.KERBEROS_LOGIN_KEYTAB);
+        } else {
+            this.keytab = keytab;
+        }
+        //principal信息, launcherOptions.getPrincipal() 比flinkConfiguration里配置的优先级高
+        if (StringUtils.isBlank(principal)) {
+            this.principal = this.config.getString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL);
+        } else {
+            this.principal = principal;
+        }
+    }
+
+    public void verify() {
+        if (!isVerify()) {
+            return;
+        }
+
+        check();
+
+        //如果指定了Krb5conf位置
+        if (StringUtils.isNotBlank(this.getKrb5confPath())) {
+            System.setProperty("java.security.krb5.conf", this.getKrb5confPath());
+        }
+
+        String keyTabpath;
+        try {
+            keyTabpath = (new File(keytab)).getAbsolutePath();
+        } catch (Exception e) {
+            String message = String.format("can not get the file 【%s】,error info-> %s ",
+                    keytab,
+                    ExceptionUtil.getErrorMessage(e));
+            LOG.error("{}", message);
+            throw new RuntimeException(message, e);
+        }
+
+
+        LOG.info("kerberos info:Krb5confPath ->{}, Principal ->{}, keytab->{}", System.getProperty("java.security.krb5.conf"), principal, keyTabpath);
+
+        //开始kerberos验证
+        UserGroupInformation.setConfiguration(hadoopConfiguration);
+        try {
+            UserGroupInformation.getCurrentUser().setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS);
+        } catch (IOException e) {
+            String message = "UserGroupInformation getCurrentUser has error," + ExceptionUtil.getErrorMessage(e);
+            LOG.error("{}", message);
+            throw new RuntimeException(message, e);
+        }
+
+
+        try {
+            UserGroupInformation.loginUserFromKeytab(principal, keyTabpath);
+        } catch (IOException e) {
+            String message = String.format("Unable to set the Hadoop login principal【%s】,keytab 【%s】error info-> %s ",
+                    principal,
+                    keyTabpath,
+                    ExceptionUtil.getErrorMessage(e));
+            LOG.error("{}", message);
+            throw new RuntimeException(message, e);
+        }
+    }
+
+    //是否需要kerberos验证
+    public boolean isVerify() {
+        UserGroupInformation.AuthenticationMethod authenticationMethod = SecurityUtil.getAuthenticationMethod(hadoopConfiguration);
+        return UserGroupInformation.AuthenticationMethod.SIMPLE != authenticationMethod;
+    }
+
+    protected void check() {
+        if (StringUtils.isBlank(getKeytab())) {
+            throw new RuntimeException("keytabPath can not be null");
+        }
+
+        if (StringUtils.isBlank(getPrincipal())) {
+            throw new RuntimeException("principal can not be null");
+        }
+    }
+
+
+    public String getKrb5confPath() {
+        return krb5confPath;
+    }
+
+    public String getKeytab() {
+        return keytab;
+    }
+
+
+    public String getPrincipal() {
+        return principal;
+    }
+
+
+}

flinkx-launcher/src/main/java/com/dtstack/flinkx/launcher/perjob/PerJobClusterClientBuilder.java

@@ -17,6 +17,7 @@
  */
 package com.dtstack.flinkx.launcher.perjob;
 
+import com.dtstack.flinkx.launcher.KerberosInfo;
 import com.dtstack.flinkx.launcher.YarnConfLoader;
 import com.dtstack.flinkx.options.Options;
 import com.google.common.base.Strings;
@@ -58,6 +59,9 @@ public class PerJobClusterClientBuilder {
 
     private Configuration flinkConfig;
 
+    //kerberos验证信息
+    private KerberosInfo kerberosInfo;
+
     /**
      * init yarnClient
      * @param yarnConfDir the path of yarnconf
@@ -69,6 +73,10 @@ public void init(String yarnConfDir, Configuration flinkConfig, Properties userC
         }
         userConf.forEach((key, val) -> flinkConfig.setString(key.toString(), val.toString()));
         this.flinkConfig = flinkConfig;
+        if(userConf.size()>0){
+            this.kerberosInfo = new KerberosInfo(kerberosInfo.getKrb5confPath(),kerberosInfo.getKeytab(),kerberosInfo.getPrincipal(),this.flinkConfig);
+        }
+        kerberosInfo.verify();
         SecurityUtils.install(new SecurityConfiguration(flinkConfig));
 
         yarnConf = YarnConfLoader.getYarnConf(yarnConfDir);
@@ -135,4 +143,13 @@ public AbstractYarnClusterDescriptor createPerJobClusterDescriptor(Properties co
         descriptor.addShipFiles(shipFiles);
         return descriptor;
     }
+
+
+    public KerberosInfo getKerberosInfo() {
+        return kerberosInfo;
+    }
+
+    public void setKerberosInfo(KerberosInfo kerberosInfo) {
+        this.kerberosInfo = kerberosInfo;
+    }
 }

flinkx-launcher/src/main/java/com/dtstack/flinkx/launcher/perjob/PerJobSubmitter.java

@@ -18,6 +18,7 @@
 
 package com.dtstack.flinkx.launcher.perjob;
 
+import com.dtstack.flinkx.launcher.KerberosInfo;
 import com.dtstack.flinkx.options.Options;
 import com.dtstack.flinkx.util.MapUtil;
 import org.apache.commons.lang.StringUtils;
@@ -54,6 +55,7 @@ public static String submit(Options options, JobGraph jobGraph) throws Exception
         ClusterSpecification clusterSpecification = FlinkPerJobResourceUtil.createClusterSpecification(conProp);
         PerJobClusterClientBuilder perJobClusterClientBuilder = new PerJobClusterClientBuilder();
         Configuration config = StringUtils.isEmpty(options.getFlinkconf()) ? new Configuration() : GlobalConfiguration.loadConfiguration(options.getFlinkconf());
+        perJobClusterClientBuilder.setKerberosInfo(new KerberosInfo(options.getKrb5conf(),options.getKeytab(),options.getPrincipal(),config));
         perJobClusterClientBuilder.init(options.getYarnconf(), config, conProp);
 
         AbstractYarnClusterDescriptor descriptor = perJobClusterClientBuilder.createPerJobClusterDescriptor(conProp, options, jobGraph);