forked from DataLinkDC/dinky
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
解决yarn webui开启Kerberos认证后递交Flink任务无法获取任务状态的问题,增加调用Flink HTTP API时候进行K…
…erberos认证,相关issues: DataLinkDC#3470
- Loading branch information
ze.miao
committed
Dec 6, 2024
1 parent
8cbd5bb
commit ad8733c
Showing
2 changed files
with
220 additions
and
56 deletions.
There are no files selected for viewing
138 changes: 138 additions & 0 deletions
138
dinky-gateway/src/main/java/org/dinky/gateway/yarn/RequestKerberosUrlUtils.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,138 @@ | ||
package org.dinky.gateway.yarn; | ||
|
||
import org.apache.http.HttpResponse; | ||
import org.apache.http.auth.AuthSchemeProvider; | ||
import org.apache.http.auth.AuthScope; | ||
import org.apache.http.auth.Credentials; | ||
import org.apache.http.client.HttpClient; | ||
import org.apache.http.client.config.AuthSchemes; | ||
import org.apache.http.client.methods.HttpGet; | ||
import org.apache.http.config.Lookup; | ||
import org.apache.http.config.RegistryBuilder; | ||
import org.apache.http.impl.auth.SPNegoSchemeFactory; | ||
import org.apache.http.impl.client.BasicCredentialsProvider; | ||
import org.apache.http.impl.client.CloseableHttpClient; | ||
import org.apache.http.impl.client.HttpClientBuilder; | ||
import org.slf4j.Logger; | ||
import org.slf4j.LoggerFactory; | ||
|
||
import javax.security.auth.Subject; | ||
import javax.security.auth.kerberos.KerberosPrincipal; | ||
import javax.security.auth.login.AppConfigurationEntry; | ||
import javax.security.auth.login.Configuration; | ||
import javax.security.auth.login.LoginContext; | ||
import java.io.IOException; | ||
import java.security.Principal; | ||
import java.security.PrivilegedAction; | ||
import java.util.HashMap; | ||
import java.util.HashSet; | ||
import java.util.Set; | ||
|
||
public class RequestKerberosUrlUtils { | ||
public static Logger logger = LoggerFactory.getLogger(RequestKerberosUrlUtils.class); | ||
private String principal; | ||
private String keyTabLocation; | ||
|
||
public RequestKerberosUrlUtils(){} | ||
|
||
public RequestKerberosUrlUtils(String principal, String keyTabLocation) { | ||
this.principal = principal; | ||
this.keyTabLocation = keyTabLocation; | ||
} | ||
|
||
public RequestKerberosUrlUtils(String principal, String keyTabLocation, boolean isDebug) { | ||
this(principal, keyTabLocation); | ||
if (isDebug) { | ||
System.setProperty("sun.security.spnego.debug", "true"); | ||
System.setProperty("sun.security.krb5.debug", "true"); | ||
} | ||
} | ||
|
||
public RequestKerberosUrlUtils(String principal, String keyTabLocation, String krb5Location, boolean isDebug) { | ||
this(principal, keyTabLocation, isDebug); | ||
// System.setProperty("java.security.krb5.conf", krb5Location); | ||
} | ||
|
||
private static HttpClient buildSpengoHttpClient() { | ||
|
||
Lookup<AuthSchemeProvider> authSchemeRegistry = RegistryBuilder | ||
.<AuthSchemeProvider>create() | ||
.register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true)) | ||
.build(); | ||
|
||
BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider(); | ||
credentialsProvider.setCredentials(new AuthScope(null, -1, null), new Credentials() { | ||
@Override | ||
public Principal getUserPrincipal() { | ||
return null; | ||
} | ||
|
||
@Override | ||
public String getPassword() { | ||
return null; | ||
} | ||
}); | ||
|
||
CloseableHttpClient httpClient = HttpClientBuilder | ||
.create() | ||
.setDefaultAuthSchemeRegistry(authSchemeRegistry) | ||
.setDefaultCredentialsProvider(credentialsProvider) | ||
.build(); | ||
return httpClient; | ||
} | ||
|
||
public HttpResponse callRestUrl(final String url, final String userId) { | ||
logger.warn(String.format("Calling KerberosHttpClient %s %s %s", this.principal, this.keyTabLocation, url)); | ||
Configuration config = new Configuration() { | ||
@Override | ||
public AppConfigurationEntry[] getAppConfigurationEntry(String name) { | ||
HashMap<String, Object> options = new HashMap<String, Object>(){ | ||
{ | ||
put("useTicketCache", "false"); | ||
put("useKeyTab", "true"); | ||
put("keyTab", keyTabLocation); | ||
//Krb5 in GSS API needs to be refreshed so it does not throw the error | ||
//Specified version of key is not available | ||
put("refreshKrb5Config", "true"); | ||
put("principal", principal); | ||
put("storeKey", "true"); | ||
put("doNotPrompt", "true"); | ||
put("isInitiator", "true"); | ||
put("debug", "true"); | ||
} | ||
}; | ||
return new AppConfigurationEntry[] { | ||
new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule", | ||
AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, | ||
options) | ||
}; | ||
} | ||
}; | ||
Set<Principal> princ = new HashSet<Principal>(1); | ||
princ.add(new KerberosPrincipal(userId)); | ||
Subject sub = new Subject(false, princ, new HashSet<Object>(), new HashSet<Object>()); | ||
try { | ||
//auth module:Krb5Login | ||
LoginContext lc = new LoginContext("Krb5Login", sub, null, config); | ||
lc.login(); | ||
Subject serviceSubject = lc.getSubject(); | ||
return Subject.doAs(serviceSubject, new PrivilegedAction<HttpResponse>() { | ||
HttpResponse httpResponse = null; | ||
@Override | ||
public HttpResponse run() { | ||
try { | ||
HttpClient spnegoHttpClient = buildSpengoHttpClient(); | ||
httpResponse = spnegoHttpClient.execute(new HttpGet(url)); | ||
return httpResponse; | ||
} catch (IOException ioe) { | ||
ioe.printStackTrace(); | ||
} | ||
return httpResponse; | ||
} | ||
}); | ||
} catch (Exception le) { | ||
le.printStackTrace(); | ||
} | ||
return null; | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters