Merge branch 'hotfix_1.8_3.10.x_29470' into hotfix_1.8_4.0.x_30855

a49a · a49a · commit d2406a40ad82 · 2020-09-27T11:15:39.000+08:00
diff --git a/flinkx-core/src/main/java/com/dtstack/flinkx/options/Options.java b/flinkx-core/src/main/java/com/dtstack/flinkx/options/Options.java
@@ -76,6 +76,15 @@ public class Options {
     @OptionRequired(description = "plugin load mode, by classpath or shipfile")
     private String pluginLoadMode = "shipfile";
 
+    @OptionRequired(description = "kerberos krb5conf")
+    private String krb5conf ;
+
+    @OptionRequired(description = "kerberos keytabPath")
+    private String keytab ;
+
+    @OptionRequired(description = "kerberos principal")
+    private String principal ;
+
     public String getS() {
         return s;
     }
@@ -195,4 +204,51 @@ public String getPluginLoadMode() {
     public void setPluginLoadMode(String pluginLoadMode) {
         this.pluginLoadMode = pluginLoadMode;
     }
+
+    public String getKrb5conf() {
+        return krb5conf;
+    }
+
+    public void setKrb5conf(String krb5conf) {
+        this.krb5conf = krb5conf;
+    }
+
+    public String getKeytab() {
+        return keytab;
+    }
+
+    public void setKeytab(String keytab) {
+        this.keytab = keytab;
+    }
+
+    public String getPrincipal() {
+        return principal;
+    }
+
+    public void setPrincipal(String principal) {
+        this.principal = principal;
+    }
+
+    @Override
+    public String toString() {
+        return "Options{" +
+                "mode='" + mode + '\'' +
+                ", job='" + job + '\'' +
+                ", monitor='" + monitor + '\'' +
+                ", jobid='" + jobid + '\'' +
+                ", flinkconf='" + flinkconf + '\'' +
+                ", pluginRoot='" + pluginRoot + '\'' +
+                ", yarnconf='" + yarnconf + '\'' +
+                ", parallelism='" + parallelism + '\'' +
+                ", priority='" + priority + '\'' +
+                ", queue='" + queue + '\'' +
+                ", flinkLibJar='" + flinkLibJar + '\'' +
+                ", confProp='" + confProp + '\'' +
+                ", s='" + s + '\'' +
+                ", pluginLoadMode='" + pluginLoadMode + '\'' +
+                ", krb5conf='" + krb5conf + '\'' +
+                ", keytab='" + keytab + '\'' +
+                ", principal='" + principal + '\'' +
+                '}';
+    }
 }
diff --git a/flinkx-launcher/src/main/java/com/dtstack/flinkx/launcher/ClusterClientFactory.java b/flinkx-launcher/src/main/java/com/dtstack/flinkx/launcher/ClusterClientFactory.java
@@ -91,6 +91,10 @@ public static ClusterClient createYarnClient(Options launcherOptions) throws Exc
             config.setString(ConfigConstants.PATH_HADOOP_CONFIG, yarnConfDir);
             FileSystem.initialize(config);
 
+            //进行kerberos验证 如果需要的话
+            KerberosInfo kerberosInfo = new KerberosInfo(launcherOptions.getKrb5conf(), launcherOptions.getKeytab(), launcherOptions.getPrincipal(), config);
+            kerberosInfo.verify();
+
             YarnConfiguration yarnConf = YarnConfLoader.getYarnConf(yarnConfDir);
 
             try (YarnClient yarnClient = YarnClient.createYarnClient()) {
diff --git a/flinkx-launcher/src/main/java/com/dtstack/flinkx/launcher/KerberosInfo.java b/flinkx-launcher/src/main/java/com/dtstack/flinkx/launcher/KerberosInfo.java
@@ -0,0 +1,149 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.dtstack.flinkx.launcher;
+
+import com.dtstack.flinkx.util.ExceptionUtil;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.flink.configuration.Configuration;
+import org.apache.flink.configuration.SecurityOptions;
+import org.apache.flink.runtime.util.HadoopUtils;
+import org.apache.hadoop.security.SecurityUtil;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.io.IOException;
+
+/**
+ * KerberosInfo
+ *
+ * @author by dujie@dtstack.com
+ * @Date 2020/8/21
+ */
+public class KerberosInfo {
+
+    private static final Logger LOG = LoggerFactory.getLogger(KerberosInfo.class);
+
+
+    private final String krb5confPath;
+    private final String keytab;
+    private final String principal;
+    private final Configuration config;
+    private final org.apache.hadoop.conf.Configuration hadoopConfiguration;
+
+    public KerberosInfo(String krb5confPath, String keytab, String principal, Configuration config) {
+        this.krb5confPath = krb5confPath;
+        this.config = config;
+        this.hadoopConfiguration = HadoopUtils.getHadoopConfiguration(this.config);
+
+        //keytab, launcherOptions.getKeytab() 比flinkConfiguration里配置的优先级高
+        if (StringUtils.isBlank(keytab)) {
+            this.keytab = this.config.getString(SecurityOptions.KERBEROS_LOGIN_KEYTAB);
+        } else {
+            this.keytab = keytab;
+        }
+        //principal信息, launcherOptions.getPrincipal() 比flinkConfiguration里配置的优先级高
+        if (StringUtils.isBlank(principal)) {
+            this.principal = this.config.getString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL);
+        } else {
+            this.principal = principal;
+        }
+    }
+
+    public void verify() {
+        if (!isVerify()) {
+            return;
+        }
+
+        check();
+
+        //如果指定了Krb5conf位置
+        if (StringUtils.isNotBlank(this.getKrb5confPath())) {
+            System.setProperty("java.security.krb5.conf", this.getKrb5confPath());
+        }
+
+        String keyTabpath;
+        try {
+            keyTabpath = (new File(keytab)).getAbsolutePath();
+        } catch (Exception e) {
+            String message = String.format("can not get the file 【%s】,error info-> %s ",
+                    keytab,
+                    ExceptionUtil.getErrorMessage(e));
+            LOG.error("{}", message);
+            throw new RuntimeException(message, e);
+        }
+
+
+        LOG.info("kerberos info:Krb5confPath ->{}, Principal ->{}, keytab->{}", System.getProperty("java.security.krb5.conf"), principal, keyTabpath);
+
+        //开始kerberos验证
+        UserGroupInformation.setConfiguration(hadoopConfiguration);
+        try {
+            UserGroupInformation.getCurrentUser().setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS);
+        } catch (IOException e) {
+            String message = "UserGroupInformation getCurrentUser has error," + ExceptionUtil.getErrorMessage(e);
+            LOG.error("{}", message);
+            throw new RuntimeException(message, e);
+        }
+
+
+        try {
+            UserGroupInformation.loginUserFromKeytab(principal, keyTabpath);
+        } catch (IOException e) {
+            String message = String.format("Unable to set the Hadoop login principal【%s】,keytab 【%s】error info-> %s ",
+                    principal,
+                    keyTabpath,
+                    ExceptionUtil.getErrorMessage(e));
+            LOG.error("{}", message);
+            throw new RuntimeException(message, e);
+        }
+    }
+
+    //是否需要kerberos验证
+    public boolean isVerify() {
+        UserGroupInformation.AuthenticationMethod authenticationMethod = SecurityUtil.getAuthenticationMethod(hadoopConfiguration);
+        return UserGroupInformation.AuthenticationMethod.SIMPLE != authenticationMethod;
+    }
+
+    protected void check() {
+        if (StringUtils.isBlank(getKeytab())) {
+            throw new RuntimeException("keytabPath can not be null");
+        }
+
+        if (StringUtils.isBlank(getPrincipal())) {
+            throw new RuntimeException("principal can not be null");
+        }
+    }
+
+
+    public String getKrb5confPath() {
+        return krb5confPath;
+    }
+
+    public String getKeytab() {
+        return keytab;
+    }
+
+
+    public String getPrincipal() {
+        return principal;
+    }
+
+
+}
diff --git a/flinkx-launcher/src/main/java/com/dtstack/flinkx/launcher/perjob/PerJobClusterClientBuilder.java b/flinkx-launcher/src/main/java/com/dtstack/flinkx/launcher/perjob/PerJobClusterClientBuilder.java
@@ -17,6 +17,7 @@
  */
 package com.dtstack.flinkx.launcher.perjob;
 
+import com.dtstack.flinkx.launcher.KerberosInfo;
 import com.dtstack.flinkx.launcher.YarnConfLoader;
 import com.dtstack.flinkx.options.Options;
 import com.google.common.base.Strings;
@@ -58,6 +59,9 @@ public class PerJobClusterClientBuilder {
 
     private Configuration flinkConfig;
 
+    //kerberos验证信息
+    private KerberosInfo kerberosInfo;
+
     /**
      * init yarnClient
      * @param yarnConfDir the path of yarnconf
@@ -69,6 +73,10 @@ public void init(String yarnConfDir, Configuration flinkConfig, Properties userC
         }
         userConf.forEach((key, val) -> flinkConfig.setString(key.toString(), val.toString()));
         this.flinkConfig = flinkConfig;
+        if(userConf.size()>0){
+            this.kerberosInfo = new KerberosInfo(kerberosInfo.getKrb5confPath(),kerberosInfo.getKeytab(),kerberosInfo.getPrincipal(),this.flinkConfig);
+        }
+        kerberosInfo.verify();
         SecurityUtils.install(new SecurityConfiguration(flinkConfig));
 
         yarnConf = YarnConfLoader.getYarnConf(yarnConfDir);
@@ -135,4 +143,13 @@ public AbstractYarnClusterDescriptor createPerJobClusterDescriptor(Properties co
         descriptor.addShipFiles(shipFiles);
         return descriptor;
     }
+
+
+    public KerberosInfo getKerberosInfo() {
+        return kerberosInfo;
+    }
+
+    public void setKerberosInfo(KerberosInfo kerberosInfo) {
+        this.kerberosInfo = kerberosInfo;
+    }
 }
diff --git a/flinkx-launcher/src/main/java/com/dtstack/flinkx/launcher/perjob/PerJobSubmitter.java b/flinkx-launcher/src/main/java/com/dtstack/flinkx/launcher/perjob/PerJobSubmitter.java
@@ -18,6 +18,7 @@
 
 package com.dtstack.flinkx.launcher.perjob;
 
+import com.dtstack.flinkx.launcher.KerberosInfo;
 import com.dtstack.flinkx.options.Options;
 import com.dtstack.flinkx.util.MapUtil;
 import org.apache.commons.lang.StringUtils;
@@ -54,6 +55,7 @@ public static String submit(Options options, JobGraph jobGraph) throws Exception
         ClusterSpecification clusterSpecification = FlinkPerJobResourceUtil.createClusterSpecification(conProp);
         PerJobClusterClientBuilder perJobClusterClientBuilder = new PerJobClusterClientBuilder();
         Configuration config = StringUtils.isEmpty(options.getFlinkconf()) ? new Configuration() : GlobalConfiguration.loadConfiguration(options.getFlinkconf());
+        perJobClusterClientBuilder.setKerberosInfo(new KerberosInfo(options.getKrb5conf(),options.getKeytab(),options.getPrincipal(),config));
         perJobClusterClientBuilder.init(options.getYarnconf(), config, conProp);
 
         AbstractYarnClusterDescriptor descriptor = perJobClusterClientBuilder.createPerJobClusterDescriptor(conProp, options, jobGraph);
