add hbase kerbos

Author: dapeng

hbase/hbase-side/hbase-all-side/src/main/java/com/dtstack/flink/sql/side/hbase/HbaseAllReqRow.java

@@ -25,8 +25,10 @@
 import com.dtstack.flink.sql.side.FieldInfo;
 import com.dtstack.flink.sql.side.JoinInfo;
 import com.dtstack.flink.sql.side.hbase.table.HbaseSideTableInfo;
+import com.dtstack.flink.sql.side.hbase.utils.HbaseConfigUtils;
 import org.apache.calcite.sql.JoinType;
 import org.apache.commons.collections.map.HashedMap;
+import org.apache.commons.lang.StringUtils;
 import org.apache.flink.api.java.typeutils.RowTypeInfo;
 import com.google.common.collect.Maps;
 import org.apache.flink.table.runtime.types.CRow;
@@ -36,6 +38,7 @@
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hbase.Cell;
 import org.apache.hadoop.hbase.CellUtil;
+import org.apache.hadoop.hbase.HBaseConfiguration;
 import org.apache.hadoop.hbase.TableName;
 import org.apache.hadoop.hbase.client.Connection;
 import org.apache.hadoop.hbase.client.ConnectionFactory;
@@ -44,10 +47,13 @@
 import org.apache.hadoop.hbase.client.Scan;
 import org.apache.hadoop.hbase.client.Table;
 import org.apache.hadoop.hbase.util.Bytes;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.io.File;
 import java.io.IOException;
+import java.security.PrivilegedAction;
 import java.sql.SQLException;
 import java.sql.Timestamp;
 import java.util.Calendar;
@@ -166,13 +172,44 @@ public void flatMap(CRow input, Collector<CRow> out) throws Exception {
     private void loadData(Map<String, Map<String, Object>> tmpCache) throws SQLException {
         AbstractSideTableInfo sideTableInfo = sideInfo.getSideTableInfo();
         HbaseSideTableInfo hbaseSideTableInfo = (HbaseSideTableInfo) sideTableInfo;
-        Configuration conf = new Configuration();
-        conf.set("hbase.zookeeper.quorum", hbaseSideTableInfo.getHost());
-        Connection conn = null;
-        Table table = null;
-        ResultScanner resultScanner = null;
+        boolean openKerberos = hbaseSideTableInfo.isKerberosAuthEnable();
+        int loadDataCount = 0;
         try {
-            conn = ConnectionFactory.createConnection(conf);
+            conf = HBaseConfiguration.create();
+            if (openKerberos) {
+                conf.set(HbaseConfigUtils.KEY_HBASE_ZOOKEEPER_QUORUM, hbaseSideTableInfo.getHost());
+                conf.set(HbaseConfigUtils.KEY_HBASE_ZOOKEEPER_ZNODE_QUORUM_SYNC, hbaseSideTableInfo.getParent());
+
+                fillSyncKerberosConfig(conf,hbaseSideTableInfo);
+                LOG.info("hbase.security.authentication:{}", conf.get("hbase.security.authentication"));
+                LOG.info("hbase.security.authorization:{}", conf.get("hbase.security.authorization"));
+                LOG.info("hbase.master.keytab.file:{}", conf.get("hbase.master.keytab.file"));
+                LOG.info("hbase.master.kerberos.principal:{}", conf.get("hbase.master.kerberos.principal"));
+                LOG.info("hbase.regionserver.keytab.file:{}", conf.get("hbase.regionserver.keytab.file"));
+                LOG.info("hbase.regionserver.kerberos.principal:{}", conf.get("hbase.regionserver.kerberos.principal"));
+
+                UserGroupInformation userGroupInformation = HbaseConfigUtils.loginAndReturnUGI(conf, hbaseSideTableInfo.getRegionserverPrincipal(),
+                        hbaseSideTableInfo.getRegionserverKeytabFile());
+
+                Configuration finalConf = conf;
+                conn = userGroupInformation.doAs(new PrivilegedAction<Connection>() {
+                    @Override
+                    public Connection run() {
+                        try {
+                            return ConnectionFactory.createConnection(finalConf);
+                        } catch (IOException e) {
+                            LOG.error("Get connection fail with config:{}", finalConf);
+                            throw new RuntimeException(e);
+                        }
+                    }
+                });
+
+            } else {
+                conf.set(HbaseConfigUtils.KEY_HBASE_ZOOKEEPER_QUORUM, hbaseSideTableInfo.getHost());
+                conf.set(HbaseConfigUtils.KEY_HBASE_ZOOKEEPER_ZNODE_QUORUM_SYNC, hbaseSideTableInfo.getParent());
+                conn = ConnectionFactory.createConnection(conf);
+            }
+
             table = conn.getTable(TableName.valueOf(tableName));
             resultScanner = table.getScanner(new Scan());
             for (Result r : resultScanner) {
@@ -187,13 +224,15 @@ private void loadData(Map<String, Map<String, Object>> tmpCache) throws SQLExcep
 
                     kv.put(aliasNameInversion.get(key.toString()), value);
                 }
+                loadDataCount++;
                 tmpCache.put(new String(r.getRow()), kv);
             }
         } catch (IOException e) {
-            LOG.error("", e);
+            throw new RuntimeException(e);
         } finally {
+            LOG.info("load Data count: {}", loadDataCount);
             try {
-                if (null != conn && !conn.isClosed()) {
+                if (null != conn) {
                     conn.close();
                 }
 
@@ -209,4 +248,34 @@ private void loadData(Map<String, Map<String, Object>> tmpCache) throws SQLExcep
             }
         }
     }
+
+    private void fillSyncKerberosConfig(Configuration config, HbaseSideTableInfo hbaseSideTableInfo) throws IOException {
+        String regionserverKeytabFile = hbaseSideTableInfo.getRegionserverKeytabFile();
+        if (StringUtils.isEmpty(regionserverKeytabFile)) {
+            throw new IllegalArgumentException("Must provide regionserverKeytabFile when authentication is Kerberos");
+        }
+        String regionserverKeytabFilePath = System.getProperty("user.dir") + File.separator + regionserverKeytabFile;
+        LOG.info("regionserverKeytabFilePath:{}", regionserverKeytabFilePath);
+        config.set(HbaseConfigUtils.KEY_HBASE_MASTER_KEYTAB_FILE, regionserverKeytabFilePath);
+        config.set(HbaseConfigUtils.KEY_HBASE_REGIONSERVER_KEYTAB_FILE, regionserverKeytabFilePath);
+
+        String regionserverPrincipal = hbaseSideTableInfo.getRegionserverPrincipal();
+        if (StringUtils.isEmpty(regionserverPrincipal)) {
+            throw new IllegalArgumentException("Must provide regionserverPrincipal when authentication is Kerberos");
+        }
+        config.set(HbaseConfigUtils.KEY_HBASE_MASTER_KERBEROS_PRINCIPAL, regionserverPrincipal);
+        config.set(HbaseConfigUtils.KEY_HBASE_REGIONSERVER_KERBEROS_PRINCIPAL, regionserverPrincipal);
+        config.set(HbaseConfigUtils.KEY_HBASE_SECURITY_AUTHORIZATION, "true");
+        config.set(HbaseConfigUtils.KEY_HBASE_SECURITY_AUTHENTICATION, "kerberos");
+
+        if (!StringUtils.isEmpty(hbaseSideTableInfo.getZookeeperSaslClient())) {
+            System.setProperty(HbaseConfigUtils.KEY_ZOOKEEPER_SASL_CLIENT, hbaseSideTableInfo.getZookeeperSaslClient());
+        }
+
+        if (!StringUtils.isEmpty(hbaseSideTableInfo.getSecurityKrb5Conf())) {
+            String krb5ConfPath = System.getProperty("user.dir") + File.separator + hbaseSideTableInfo.getSecurityKrb5Conf();
+            LOG.info("krb5ConfPath:{}", krb5ConfPath);
+            System.setProperty(HbaseConfigUtils.KEY_JAVA_SECURITY_KRB5_CONF, krb5ConfPath);
+        }
+    }
 }

hbase/hbase-side/hbase-async-side/src/main/java/com/dtstack/flink/sql/side/hbase/HbaseAsyncReqRow.java

@@ -31,6 +31,7 @@
 import com.dtstack.flink.sql.side.hbase.rowkeydealer.RowKeyEqualModeDealer;
 import com.dtstack.flink.sql.side.hbase.table.HbaseSideTableInfo;
 import com.dtstack.flink.sql.factory.DTThreadFactory;
+import com.dtstack.flink.sql.side.hbase.utils.HbaseConfigUtils;
 import com.google.common.collect.Maps;
 import com.stumbleupon.async.Deferred;
 import org.apache.commons.lang3.StringUtils;
@@ -40,10 +41,13 @@
 import org.apache.flink.table.runtime.types.CRow;
 import org.apache.flink.table.typeutils.TimeIndicatorTypeInfo;
 import org.apache.flink.types.Row;
+import org.hbase.async.Config;
 import org.hbase.async.HBaseClient;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.io.File;
+import java.io.IOException;
 import java.sql.Timestamp;
 import java.util.Collections;
 import java.util.List;
@@ -93,11 +97,19 @@ public void open(Configuration parameters) throws Exception {
         super.open(parameters);
         AbstractSideTableInfo sideTableInfo = sideInfo.getSideTableInfo();
         HbaseSideTableInfo hbaseSideTableInfo = (HbaseSideTableInfo) sideTableInfo;
+
         ExecutorService executorService =new ThreadPoolExecutor(DEFAULT_POOL_SIZE, DEFAULT_POOL_SIZE,
                 0L, TimeUnit.MILLISECONDS,
                 new LinkedBlockingQueue<>(), new DTThreadFactory("hbase-aysnc"));
 
-        hBaseClient = new HBaseClient(hbaseSideTableInfo.getHost(), hbaseSideTableInfo.getParent(), executorService);
+        Config config = new Config();
+        config.overrideConfig(HbaseConfigUtils.KEY_HBASE_ZOOKEEPER_QUORUM, hbaseSideTableInfo.getHost());
+        config.overrideConfig(HbaseConfigUtils.KEY_HBASE_ZOOKEEPER_ZNODE_QUORUM_ASYNC, hbaseSideTableInfo.getParent());
+
+        if (hbaseSideTableInfo.isKerberosAuthEnable()) {
+            fillAsyncKerberosConfig(config, hbaseSideTableInfo);
+        }
+        hBaseClient = new HBaseClient(config, executorService);
 
         try {
             Deferred deferred = hBaseClient.ensureTableExists(tableName)
@@ -166,6 +178,32 @@ public void close() throws Exception {
         hBaseClient.shutdown();
     }
 
+    private void fillAsyncKerberosConfig(Config config, HbaseSideTableInfo hbaseSideTableInfo) throws IOException {
+        AuthUtil.JAASConfig jaasConfig = HbaseConfigUtils.buildJaasConfig(hbaseSideTableInfo);
+        LOG.info("jaasConfig file:\n {}", jaasConfig.toString());
+        String jaasFilePath = AuthUtil.creatJaasFile("JAAS", ".conf", jaasConfig);
+        config.overrideConfig(HbaseConfigUtils.KEY_JAVA_SECURITY_AUTH_LOGIN_CONF, jaasFilePath);
+        config.overrideConfig(HbaseConfigUtils.KEY_HBASE_SECURITY_AUTH_ENABLE, "true");
+        config.overrideConfig(HbaseConfigUtils.KEY_HBASE_SASL_CLIENTCONFIG, "Client");
+        config.overrideConfig(HbaseConfigUtils.KEY_HBASE_SECURITY_AUTHENTICATION, "kerberos");
+
+        String regionserverPrincipal = hbaseSideTableInfo.getRegionserverPrincipal();
+        if (StringUtils.isEmpty(regionserverPrincipal)) {
+            throw new IllegalArgumentException("Must provide regionserverPrincipal when authentication is Kerberos");
+        }
+        config.overrideConfig(HbaseConfigUtils.KEY_HBASE_KERBEROS_REGIONSERVER_PRINCIPAL, regionserverPrincipal);
+
+        if (!StringUtils.isEmpty(hbaseSideTableInfo.getZookeeperSaslClient())) {
+            System.setProperty(HbaseConfigUtils.KEY_ZOOKEEPER_SASL_CLIENT, hbaseSideTableInfo.getZookeeperSaslClient());
+        }
+
+        if (!StringUtils.isEmpty(hbaseSideTableInfo.getSecurityKrb5Conf())) {
+            String krb5ConfPath = System.getProperty("user.dir") + File.separator + hbaseSideTableInfo.getSecurityKrb5Conf();
+            LOG.info("krb5ConfPath:{}", krb5ConfPath);
+            System.setProperty(HbaseConfigUtils.KEY_JAVA_SECURITY_KRB5_CONF, krb5ConfPath);
+        }
+    }
+
 
     class CheckResult{
 

hbase/hbase-side/hbase-side-core/src/main/java/com/dtstack/flink/sql/side/hbase/table/HbaseSideTableInfo.java

@@ -148,6 +148,54 @@ public void setPreRowKey(boolean preRowKey) {
         this.preRowKey = preRowKey;
     }
 
+    public boolean isKerberosAuthEnable() {
+        return kerberosAuthEnable;
+    }
+
+    public void setKerberosAuthEnable(boolean kerberosAuthEnable) {
+        this.kerberosAuthEnable = kerberosAuthEnable;
+    }
+
+    public String getRegionserverKeytabFile() {
+        return regionserverKeytabFile;
+    }
+
+    public void setRegionserverKeytabFile(String regionserverKeytabFile) {
+        this.regionserverKeytabFile = regionserverKeytabFile;
+    }
+
+    public String getRegionserverPrincipal() {
+        return regionserverPrincipal;
+    }
+
+    public void setRegionserverPrincipal(String regionserverPrincipal) {
+        this.regionserverPrincipal = regionserverPrincipal;
+    }
+
+    public String getJaasPrincipal() {
+        return jaasPrincipal;
+    }
+
+    public void setJaasPrincipal(String jaasPrincipal) {
+        this.jaasPrincipal = jaasPrincipal;
+    }
+
+    public String getSecurityKrb5Conf() {
+        return securityKrb5Conf;
+    }
+
+    public void setSecurityKrb5Conf(String securityKrb5Conf) {
+        this.securityKrb5Conf = securityKrb5Conf;
+    }
+
+    public String getZookeeperSaslClient() {
+        return zookeeperSaslClient;
+    }
+
+    public void setZookeeperSaslClient(String zookeeperSaslClient) {
+        this.zookeeperSaslClient = zookeeperSaslClient;
+    }
+
     @Override
     public void finish(){
         super.finish();

hbase/hbase-side/hbase-side-core/src/main/java/com/dtstack/flink/sql/side/hbase/utils/HbaseConfigUtils.java

@@ -0,0 +1,108 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.dtstack.flink.sql.side.hbase.utils;
+
+import com.dtstack.flink.sql.side.hbase.table.HbaseSideTableInfo;
+import com.dtstack.flink.sql.util.AuthUtil;
+import org.apache.commons.collections.MapUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hbase.HBaseConfiguration;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.BufferedWriter;
+import java.io.File;
+import java.io.FileWriter;
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.UUID;
+
+/**
+ *
+ *  The utility class of HBase connection
+ *
+ * Date: 2019/12/24
+ * Company: www.dtstack.com
+ * @author maqi
+ */
+public class HbaseConfigUtils {
+
+    private static final Logger LOG = LoggerFactory.getLogger(HbaseConfigUtils.class);
+    // sync side kerberos
+    public final static String KEY_HBASE_SECURITY_AUTHENTICATION = "hbase.security.authentication";
+    public final static String KEY_HBASE_SECURITY_AUTHORIZATION = "hbase.security.authorization";
+    public final static String KEY_HBASE_MASTER_KEYTAB_FILE = "hbase.master.keytab.file";
+    public final static String KEY_HBASE_MASTER_KERBEROS_PRINCIPAL = "hbase.master.kerberos.principal";
+    public final static String KEY_HBASE_REGIONSERVER_KEYTAB_FILE = "hbase.regionserver.keytab.file";
+    public final static String KEY_HBASE_REGIONSERVER_KERBEROS_PRINCIPAL = "hbase.regionserver.kerberos.principal";
+
+    // async side kerberos
+    public final static String KEY_HBASE_SECURITY_AUTH_ENABLE = "hbase.security.auth.enable";
+    public final static String KEY_HBASE_SASL_CLIENTCONFIG = "hbase.sasl.clientconfig";
+    public final static String KEY_HBASE_KERBEROS_REGIONSERVER_PRINCIPAL = "hbase.kerberos.regionserver.principal";
+
+    public final static String KEY_HBASE_ZOOKEEPER_QUORUM = "hbase.zookeeper.quorum";
+    public final static String KEY_HBASE_ZOOKEEPER_ZNODE_QUORUM_SYNC = "zookeeper.znode.parent";
+    public final static String KEY_HBASE_ZOOKEEPER_ZNODE_QUORUM_ASYNC = "hbase.zookeeper.znode.parent";
+
+
+    public static final String KEY_JAVA_SECURITY_KRB5_CONF = "java.security.krb5.conf";
+    public static final String KEY_ZOOKEEPER_SASL_CLIENT = "zookeeper.sasl.client";
+
+    public static final String KEY_JAVA_SECURITY_AUTH_LOGIN_CONF = "java.security.auth.login.config";
+
+
+    public static AuthUtil.JAASConfig buildJaasConfig(HbaseSideTableInfo hbaseSideTableInfo) {
+        String keytabPath = System.getProperty("user.dir") + File.separator + hbaseSideTableInfo.getRegionserverKeytabFile();
+        Map<String, String> loginModuleOptions = new HashMap<>();
+        loginModuleOptions.put("useKeyTab", "true");
+        loginModuleOptions.put("useTicketCache", "false");
+        loginModuleOptions.put("keyTab", "\"" + keytabPath + "\"");
+        loginModuleOptions.put("principal", "\"" + hbaseSideTableInfo.getJaasPrincipal() + "\"");
+        return AuthUtil.JAASConfig.builder().setEntryName("Client")
+                .setLoginModule("com.sun.security.auth.module.Krb5LoginModule")
+                .setLoginModuleFlag("required").setLoginModuleOptions(loginModuleOptions).build();
+    }
+
+
+    public static UserGroupInformation loginAndReturnUGI(Configuration conf, String principal, String keytab) throws IOException {
+        if (conf == null) {
+            throw new IllegalArgumentException("kerberos conf can not be null");
+        }
+
+        if (org.apache.commons.lang.StringUtils.isEmpty(principal)) {
+            throw new IllegalArgumentException("principal can not be null");
+        }
+
+        if (org.apache.commons.lang.StringUtils.isEmpty(keytab)) {
+            throw new IllegalArgumentException("keytab can not be null");
+        }
+
+        conf.set("hadoop.security.authentication", "Kerberos");
+        UserGroupInformation.setConfiguration(conf);
+
+        return UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
+    }
+
+}