使用ApacheDS对Presto用户进行认证-阿里云开发者社区

开发者社区> 阿里云EMR> 正文

使用ApacheDS对Presto用户进行认证

简介: Presto可以对接LDAP,实现用户密码认证。只需要Coordinator节点对接LDAP即可。主要步骤如下: 1.配置ApacheDS,启用LDAPS 2. 在ApacheDS中创建用户信息 3. 配置Presto Coordinator,重启生效 4. 验证配置
Presto可以对接LDAP,实现用户密码认证。只需要Coordinator节点对接LDAP即可。主要步骤如下:
  1. 配置ApacheDS,启用LDAPS
  2. 在ApacheDS中创建用户信息
  3. 配置Presto Coordinator,重启生效
  4. 验证配置
下面详细介绍相关步骤。

启用LDAPs

  1. 创建ApacheDS服务端使用的keystore, 此处密码全部使用'123456':
    ## 创建keystore
    > cd /var/lib/apacheds-2.0.0-M24/default/conf/
    > keytool -genkeypair -alias apacheds -keyalg RSA -validity 7 -keystore ads.keystore
    
    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]:  apacheds
    What is the name of your organizational unit?
      [Unknown]:  apacheds
    What is the name of your organization?
      [Unknown]:  apacheds
    What is the name of your City or Locality?
      [Unknown]:  apacheds
    What is the name of your State or Province?
      [Unknown]:  apacheds
    What is the two-letter country code for this unit?
      [Unknown]:  CN
    Is CN=apacheds, OU=apacheds, O=apacheds, L=apacheds, ST=apacheds, C=CN correct?
      [no]:  yes
    
    Enter key password for <apacheds>
    	(RETURN if same as keystore password):
    Re-enter new password:
    
    Warning:
    The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore ads.keystore -destkeystore ads.keystore -deststoretype pkcs12".
    
    ## 修改文件用户,否则ApacheDS没有权限读取
    > chown apacheds:apacheds ./ads.keystore
    
    ## 导出证书。
    ## 需要输入密码,密码为上一步设置的值,这里为:123456
    > keytool -export -alias apacheds -keystore ads.keystore -rfc -file apacheds.cer
    Enter keystore password:
    Certificate stored in file <apacheds.cer>
    
    Warning:
    The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore ads.keystore -destkeystore ads.keystore -deststoretype pkcs12".
    
    ## 将证书导入系统证书库,实现自认证
    > keytool -import -file apacheds.cer -alias apacheds -keystore /usr/lib/jvm/java-1.8.0/jre/lib/security/cacerts
    
    
  2. 修改配置,启用LDAPs
    打开ApacheDS Studio,链接到集群上到ApacheDS服务:
    • DN设置为:uid=admin,ou=system
    • 密码可以从EMR控制台中获取
    7e17b75198906a501a16cd41fab505b471a63a8e8db6c8545f6279d658d72d36136e6f8fd4dc5ea2

    链接后,打开配置页,启用LDAPs,将第一步创建的keystore设置到相关配置中,保存(ctrl + s)。
    4a463c273eb06e8f8cd94fe5826749909332975b

  3. 重启ApacheDS服务
    登入集群,执行如下命令重启ApacheDS,到此,LDAPs启动, 服务端口是10636。
    ApacheDS Studio有bug,在连接属性页测试LDAPs服务连接时会报握手失败,主要是内部默认的超时时间太短导致的,不会影响实际使用。
    > service apacheds-2.0.0-M24-default restart
    

创建用户信息

本用例在DN: dc=hadoop,dc=apache,dc=org下创建相关用户。
  1. 创建dc=hadoop,dc=apache,dc=org分区
    打开配置页,作如下配置,ctrl+s保存。重启ApacheDS服务生效。
    3bbe703c8df02312db9df85dfaa3a9ff379be220
  2. 创建用户
    登入集群,创建如下文件:/tmp/users.ldif
    # Entry for a sample people container
    # Please replace with site specific values
    dn: ou=people,dc=hadoop,dc=apache,dc=org
    objectclass:top
    objectclass:organizationalUnit
    ou: people
    
    # Entry for a sample end user
    # Please replace with site specific values
    dn: uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
    objectclass:top
    objectclass:person
    objectclass:organizationalPerson
    objectclass:inetOrgPerson
    cn: Guest
    sn: User
    uid: guest
    userPassword:guest-password
    
    # entry for sample user admin
    dn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
    objectclass:top
    objectclass:person
    objectclass:organizationalPerson
    objectclass:inetOrgPerson
    cn: Admin
    sn: Admin
    uid: admin
    userPassword:admin-password
    
    # entry for sample user sam
    dn: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
    objectclass:top
    objectclass:person
    objectclass:organizationalPerson
    objectclass:inetOrgPerson
    cn: sam
    sn: sam
    uid: sam
    userPassword:sam-password
    
    # entry for sample user tom
    dn: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org
    objectclass:top
    objectclass:person
    objectclass:organizationalPerson
    objectclass:inetOrgPerson
    cn: tom
    sn: tom
    uid: tom
    userPassword:tom-password
    
    # create FIRST Level groups branch
    dn: ou=groups,dc=hadoop,dc=apache,dc=org
    objectclass:top
    objectclass:organizationalUnit
    ou: groups
    description: generic groups branch
    
    # create the analyst group under groups
    dn: cn=analyst,ou=groups,dc=hadoop,dc=apache,dc=org
    objectclass:top
    objectclass: groupofnames
    cn: analyst
    description:analyst  group
    member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
    member: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org
    
    
    # create the scientist group under groups
    dn: cn=scientist,ou=groups,dc=hadoop,dc=apache,dc=org
    objectclass:top
    objectclass: groupofnames
    cn: scientist
    description: scientist group
    member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=or
    
    执行如下命令,导入用户:
    > ldapmodify -x -h localhost -p 10389 -D "uid=admin,ou=system" -w {密码} -a -f /tmp/users.ldif
    
    执行完成后,可以在ApacheDS Studio上看到相关到用户,如下所示:
    3e12b259a0068318e96eed92eafb54bdb34b57ca

配置Presto

主要分两部分:
  1. 开启Coordinator Https
    1. 创建presto coordinator使用的keystore
      ## 使用EMR自带的脚本生成keystore
      ## keystore地址: /etc/ecm/presto-conf/keystore
      ## keystore密码: ******
      > expect /var/lib/ecm-agent/cache/ecm/service/PRESTO/0.208.0.1.2/package/files/tools/gen-keystore.exp
      
    2. 配置presto coordinator配置
      编辑/etc/ecm/presto-conf/config.properties, 加入如下内容:
      http-server.https.enabled=true
      http-server.https.port=7778
      
      http-server.https.keystore.path=/etc/ecm/presto-conf/keystore
      http-server.https.keystore.key=******
      
  2. 配置认证模式,接入ApacheDS
    1. 编辑/etc/ecm/presto-conf/config.properties, 加入如下内容:
      http-server.authentication.type=PASSWORD
      
    2. 编辑jvm.config, 加入如下内容:
      -Djavax.net.ssl.trustStore=/usr/lib/jvm/java-1.8.0/jre/lib/security/cacerts
      -Djavax.net.ssl.trustStorePassword=changeit
      
    3. 创建password-authenticator.properties,加入如下内容:
      password-authenticator.name=ldap
      ldap.url=ldaps://emr-header-1.cluster-84423:10636
      ldap.user-bind-pattern=uid=${USER},ou=people,dc=hadoop,dc=apache,dc=org
      
    4. 创建jndi.properties, 加入如下内容
      java.naming.security.principal=uid=admin,ou=system
      java.naming.security.credentials={密码}
      java.naming.security.authentication=simple
      
    5. 将jndi.properties打包到jar包中,复制到presto库文件目录中
      > jar -cvf jndi-properties.jar jndi.properties
      > cp ./jndi-properties.jar /etc/ecm/presto-current/lib/
      
    • 下列3个参数用于登入LDAP服务。然而,在presto上没地方配这几个参数。分析源码可以线,将这几个参数夹到jvm参数里也没不会生效(会被过滤掉,实际也没用):
    java.naming.security.principal=uid=admin,ou=system
    java.naming.security.credentials={LDAP 密码}
    java.naming.security.authentication=simple
    • 进一步分析代码,发现JNDI库会用classload加载jndi.properties这个资源文件,因此可以将这几个参数放到jndi.properties这个文件里;
    • presto的launcher只会把jar文件加到classpath里,所以还需把这个jndi.properties打成jar包,复制到lib目录中。
  3. 重启presto,自此完成所有配置

验证配置

使用presto cli验证配置是否生效。
## 使用用户sam,输入正确的密码
> presto  --server https://emr-header-1:7778  --keystore-path /etc/ecm/presto-conf/keystore --keystore-password ****** --catalog hive --schema default --user sam --password
Password: <输入了正确的密码>
presto:default> show schemas;
              Schema
----------------------------------
 tpcds_bin_partitioned_orc_5
 tpcds_oss_bin_partitioned_orc_10
 tpcds_oss_text_10
 tpcds_text_5
 tst
(5 rows)

Query 20181115_030713_00002_kp5ih, FINISHED, 3 nodes
Splits: 36 total, 36 done (100.00%)
0:00 [20 rows, 331B] [41 rows/s, 694B/s]

## 使用用户sam,输入错误的密码
> presto  --server https://emr-header-1:7778  --keystore-path /etc/ecm/presto-conf/keystore --keystore-password ****** --catalog hive --schema default --user sam --password
Password: <输入了错误的密码>
presto:default> show schemas;
Error running command: Authentication failed: Access Denied: Invalid credentials


版权声明:本文内容由阿里云实名注册用户自发贡献,版权归原作者所有,阿里云开发者社区不拥有其著作权,亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容,填写侵权投诉表单进行举报,一经查实,本社区将立刻删除涉嫌侵权内容。

分享:
+ 订阅

阿里巴巴开源大数据技术团队成立阿里云EMR技术圈, 每周推送前沿技术文章,直播分享经典案例、在线答疑,营造纯粹的开源大数据氛围,欢迎加入!加入钉钉群聊阿里云E-MapReduce交流2群,点击进入查看详情 https://qr.dingtalk.com/action/joingroup?code=v1,k1,cNBcqHn4TvG0iHpN3cSc1B86D1831SGMdvGu7PW+sm4=&_dt_no_comment=1&origin=11

官方博客
官网链接