complete impala kerberos

Author: a49a

core/src/main/java/com/dtstack/flink/sql/util/Krb5Utils.java

@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.dtstack.flink.sql.util;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+
+import java.io.IOException;
+
+/**
+ * @program: flinkStreamSQL
+ * @author: wuren
+ * @create: 2020/09/14
+ **/
+public class Krb5Utils {
+
+    public static final String KRB5_CONF_KEY = "java.security.krb5.conf";
+    public static final String HADOOP_AUTH_KEY = "hadoop.security.authentication";
+    public static final String KRB_STR = "Kerberos";
+
+    public static UserGroupInformation getUgi(String principal, String keytabPath, String krb5confPath) throws IOException {
+        System.setProperty(KRB5_CONF_KEY, krb5confPath);
+        Configuration configuration = new Configuration();
+        configuration.set(HADOOP_AUTH_KEY , KRB_STR);
+        UserGroupInformation.setConfiguration(configuration);
+        return UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytabPath);
+    }
+}

core/src/test/java/com/dtstack/flink/sql/util/Krb5UtilsTest.java

@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.dtstack.flink.sql.util;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+import java.io.IOException;
+
+/**
+ * @program: flinkStreamSQL
+ * @author: wuren
+ * @create: 2020/09/14
+ **/
+public class Krb5UtilsTest {
+    @Test
+    public void testGetUgi() throws IOException {
+        String principal = "";
+        String keytabPath = "";
+        String krb5confPath = "";
+        try {
+            Krb5Utils.getUgi(principal, keytabPath, krb5confPath);
+        } catch (IllegalArgumentException e) {
+            Assert.assertEquals(e.getMessage(), "Can't get Kerberos realm");
+        }
+
+    }
+}

impala/impala-side/impala-all-side/src/main/java/com/dtstack/flink/sql/side/impala/ImpalaAllReqRow.java

@@ -24,15 +24,18 @@
 import com.dtstack.flink.sql.side.impala.table.ImpalaSideTableInfo;
 import com.dtstack.flink.sql.side.rdb.all.AbstractRdbAllReqRow;
 import com.dtstack.flink.sql.util.JDBCUtils;
+import com.dtstack.flink.sql.util.Krb5Utils;
 import org.apache.flink.api.java.typeutils.RowTypeInfo;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import java.io.IOException;
+import java.security.PrivilegedAction;
 import java.sql.Connection;
 import java.sql.DriverManager;
+import java.sql.SQLException;
 import java.util.List;
 
 /**
@@ -61,10 +64,29 @@ public ImpalaAllReqRow(RowTypeInfo rowTypeInfo, JoinInfo joinInfo, List<FieldInf
     @Override
     public Connection getConn(String dbUrl, String userName, String password) {
         try {
-            Connection connection ;
+            Connection connection;
             String url = getUrl();
             JDBCUtils.forName(IMPALA_DRIVER, getClass().getClassLoader());
-            connection = DriverManager.getConnection(url);
+            // Kerberos
+            if (impalaSideTableInfo.getAuthMech() == 1) {
+                String keyTabFilePath = impalaSideTableInfo.getKeyTabFilePath();
+                String krb5FilePath = impalaSideTableInfo.getKrb5FilePath();
+                String principal = impalaSideTableInfo.getPrincipal();
+                UserGroupInformation ugi = Krb5Utils.getUgi(principal, keyTabFilePath, krb5FilePath);
+                connection = ugi.doAs(new PrivilegedAction<Connection>() {
+                    @Override
+                    public Connection run() {
+                        try {
+                            return DriverManager.getConnection(url);
+                        } catch (SQLException e) {
+                            e.printStackTrace();
+                        }
+                        return null;
+                    }
+                });
+            } else {
+                connection = DriverManager.getConnection(url);
+            }
             connection.setAutoCommit(false);
             return connection;
         } catch (Exception e) {
@@ -83,9 +105,6 @@ public String getUrl() throws IOException {
             newUrl = urlBuffer.toString();
 
         } else if (authMech == 1) {
-            String keyTabFilePath = impalaSideTableInfo.getKeyTabFilePath();
-            String krb5FilePath = impalaSideTableInfo.getKrb5FilePath();
-            String principal = impalaSideTableInfo.getPrincipal();
             String krbRealm = impalaSideTableInfo.getKrbRealm();
             String krbHostFQDN = impalaSideTableInfo.getKrbHostFQDN();
             String krbServiceName = impalaSideTableInfo.getKrbServiceName();
@@ -96,11 +115,7 @@ public String getUrl() throws IOException {
                     .concat("KrbServiceName=").concat(krbServiceName).concat(";")
             );
             newUrl = urlBuffer.toString();
-            System.setProperty("java.security.krb5.conf", krb5FilePath);
-            Configuration configuration = new Configuration();
-            configuration.set("hadoop.security.authentication" , "Kerberos");
-            UserGroupInformation.setConfiguration(configuration);
-            UserGroupInformation.loginUserFromKeytab(principal, keyTabFilePath);
+
 
         } else if (authMech == 2) {
             String uName = impalaSideTableInfo.getUserName();

impala/impala-side/impala-async-side/src/main/java/com/dtstack/flink/sql/side/impala/ImpalaAsyncReqRow.java

@@ -18,27 +18,33 @@
 
 package com.dtstack.flink.sql.side.impala;
 
-import com.dtstack.flink.sql.factory.DTThreadFactory;
 import com.dtstack.flink.sql.side.FieldInfo;
 import com.dtstack.flink.sql.side.JoinInfo;
 import com.dtstack.flink.sql.side.AbstractSideTableInfo;
 import com.dtstack.flink.sql.side.impala.table.ImpalaSideTableInfo;
 import com.dtstack.flink.sql.side.rdb.async.RdbAsyncReqRow;
+import com.dtstack.flink.sql.util.Krb5Utils;
 import io.vertx.core.Vertx;
 import io.vertx.core.VertxOptions;
 import io.vertx.core.json.JsonObject;
 import io.vertx.ext.jdbc.JDBCClient;
+import io.vertx.ext.sql.SQLClient;
 import org.apache.flink.api.java.typeutils.RowTypeInfo;
 import org.apache.flink.configuration.Configuration;
+import org.apache.flink.streaming.api.functions.async.ResultFuture;
+import org.apache.flink.table.dataformat.BaseRow;
+import org.apache.flink.types.Row;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.io.IOException;
+import java.security.PrivilegedAction;
 import java.util.List;
-import java.util.concurrent.LinkedBlockingQueue;
-import java.util.concurrent.ThreadPoolExecutor;
-import java.util.concurrent.TimeUnit;
+import java.util.Map;
+import java.util.concurrent.CountDownLatch;
+
+import java.util.concurrent.atomic.AtomicBoolean;
+import java.util.concurrent.atomic.AtomicLong;
 
 /**
  * Date: 2019/11/12
@@ -53,27 +59,40 @@ public class ImpalaAsyncReqRow extends RdbAsyncReqRow {
 
     private final static String IMPALA_DRIVER = "com.cloudera.impala.jdbc41.Driver";
 
+    protected UserGroupInformation ugi = null;
 
     public ImpalaAsyncReqRow(RowTypeInfo rowTypeInfo, JoinInfo joinInfo, List<FieldInfo> outFieldInfoList, AbstractSideTableInfo sideTableInfo) {
         super(new ImpalaAsyncSideInfo(rowTypeInfo, joinInfo, outFieldInfoList, sideTableInfo));
     }
 
     @Override
     public void open(Configuration parameters) throws Exception {
-        super.open(parameters);
         ImpalaSideTableInfo impalaSideTableInfo = (ImpalaSideTableInfo) sideInfo.getSideTableInfo();
+        if (impalaSideTableInfo.getAuthMech() == 1) {
+            String keyTabFilePath = impalaSideTableInfo.getKeyTabFilePath();
+            String krb5FilePath = impalaSideTableInfo.getKrb5FilePath();
+            String principal = impalaSideTableInfo.getPrincipal();
+            ugi = Krb5Utils.getUgi(principal, keyTabFilePath, krb5FilePath);
+            openJdbc(parameters);
+        } else {
+            openJdbc(parameters);
+        }
+    }
 
+    public void openJdbc(Configuration parameters) throws Exception {
+        super.open(parameters);
+        ImpalaSideTableInfo impalaSideTableInfo = (ImpalaSideTableInfo) sideInfo.getSideTableInfo();
         JsonObject impalaClientConfig = new JsonObject();
         impalaClientConfig.put("url", getUrl())
-                .put("driver_class", IMPALA_DRIVER)
-                .put("max_pool_size", impalaSideTableInfo.getAsyncPoolSize())
-                .put("provider_class", DT_PROVIDER_CLASS)
-                .put("idle_connection_test_period", 300)
-                .put("test_connection_on_checkin", DEFAULT_TEST_CONNECTION_ON_CHECKIN)
-                .put("max_idle_time", 600)
-                .put("preferred_test_query", PREFERRED_TEST_QUERY_SQL)
-                .put("idle_connection_test_period", DEFAULT_IDLE_CONNECTION_TEST_PEROID)
-                .put("test_connection_on_checkin", DEFAULT_TEST_CONNECTION_ON_CHECKIN);
+            .put("driver_class", IMPALA_DRIVER)
+            .put("max_pool_size", impalaSideTableInfo.getAsyncPoolSize())
+            .put("provider_class", DT_PROVIDER_CLASS)
+            .put("idle_connection_test_period", 300)
+            .put("test_connection_on_checkin", DEFAULT_TEST_CONNECTION_ON_CHECKIN)
+            .put("max_idle_time", 600)
+            .put("preferred_test_query", PREFERRED_TEST_QUERY_SQL)
+            .put("idle_connection_test_period", DEFAULT_IDLE_CONNECTION_TEST_PEROID)
+            .put("test_connection_on_checkin", DEFAULT_TEST_CONNECTION_ON_CHECKIN);
 
         System.setProperty("vertx.disableFileCPResolving", "true");
 
@@ -85,7 +104,6 @@ public void open(Configuration parameters) throws Exception {
         setRdbSqlClient(JDBCClient.createNonShared(vertx, impalaClientConfig));
     }
 
-
     public String getUrl() {
         ImpalaSideTableInfo impalaSideTableInfo = (ImpalaSideTableInfo) sideInfo.getSideTableInfo();
 
@@ -95,11 +113,7 @@ public String getUrl() {
         StringBuffer urlBuffer = new StringBuffer(impalaSideTableInfo.getUrl());
         if (authMech == 0) {
             newUrl = urlBuffer.toString();
-
         } else if (authMech == 1) {
-            String keyTabFilePath = impalaSideTableInfo.getKeyTabFilePath();
-            String krb5FilePath = impalaSideTableInfo.getKrb5FilePath();
-            String principal = impalaSideTableInfo.getPrincipal();
             String krbRealm = impalaSideTableInfo.getKrbRealm();
             String krbHostFQDN = impalaSideTableInfo.getKrbHostFQDN();
             String krbServiceName = impalaSideTableInfo.getKrbServiceName();
@@ -110,16 +124,6 @@ public String getUrl() {
                     .concat("KrbServiceName=").concat(krbServiceName).concat(";")
             );
             newUrl = urlBuffer.toString();
-            System.setProperty("java.security.krb5.conf", krb5FilePath);
-            org.apache.hadoop.conf.Configuration configuration = new org.apache.hadoop.conf.Configuration();
-            configuration.set("hadoop.security.authentication" , "Kerberos");
-            UserGroupInformation.setConfiguration(configuration);
-            try {
-                UserGroupInformation.loginUserFromKeytab(principal, keyTabFilePath);
-            } catch (IOException e) {
-                throw new RuntimeException("kerberos login fail! e: " + e);
-            }
-
         } else if (authMech == 2) {
             String uName = impalaSideTableInfo.getUserName();
             urlBuffer.append(";"
@@ -129,7 +133,6 @@ public String getUrl() {
                     .concat("UseSasl=0")
             );
             newUrl = urlBuffer.toString();
-
         } else if (authMech == 3) {
             String uName = impalaSideTableInfo.getUserName();
             String pwd = impalaSideTableInfo.getPassword();
@@ -139,11 +142,41 @@ public String getUrl() {
                     .concat("PWD=").concat(pwd)
             );
             newUrl = urlBuffer.toString();
-
         } else {
             throw new IllegalArgumentException("The value of authMech is illegal, Please select 0, 1, 2, 3");
         }
-
         return newUrl;
     }
+
+    @Override
+    protected void asyncQueryData(Map<String, Object> inputParams,
+                          Row input,
+                          ResultFuture<BaseRow> resultFuture,
+                          SQLClient rdbSqlClient,
+                          AtomicLong failCounter,
+                          AtomicBoolean finishFlag,
+                          CountDownLatch latch) {
+        if (ugi == null) {
+            doAsyncQueryData(inputParams,
+                input, resultFuture,
+                rdbSqlClient,
+                failCounter,
+                finishFlag,
+                latch);
+        } else {
+            // Kerberos
+            ugi.doAs(new PrivilegedAction<Object>() {
+                @Override
+                public Object run() {
+                    doAsyncQueryData(inputParams,
+                        input, resultFuture,
+                        rdbSqlClient,
+                        failCounter,
+                        finishFlag,
+                        latch);
+                    return null;
+                }
+            });
+        }
+    }
 }

impala/impala-sink/src/main/java/com/dtstack/flink/sql/sink/impala/ImpalaOutputFormat.java

@@ -2,10 +2,11 @@
 
 import com.dtstack.flink.sql.sink.rdb.JDBCOptions;
 import com.dtstack.flink.sql.sink.rdb.format.JDBCUpsertOutputFormat;
-import org.apache.hadoop.conf.Configuration;
+import com.dtstack.flink.sql.util.Krb5Utils;
 import org.apache.hadoop.security.UserGroupInformation;
 
 import java.io.IOException;
+import java.security.PrivilegedAction;
 import java.util.List;
 
 import static org.apache.flink.util.Preconditions.checkNotNull;
@@ -52,17 +53,17 @@ public ImpalaOutputFormat(
 
     @Override
     public void open(int taskNumber, int numTasks) throws IOException {
-        super.open(taskNumber, numTasks);
         if (authMech == 1) {
-            System.setProperty("java.security.krb5.conf", krb5confPath);
-            Configuration configuration = new Configuration();
-            configuration.set("hadoop.security.authentication", "Kerberos");
-            UserGroupInformation.setConfiguration(configuration);
-            try {
-                UserGroupInformation.loginUserFromKeytab(principal, keytabPath);
-            } catch (IOException e) {
-                throw new RuntimeException("loginUserFromKeytab error ..", e);
-            }
+            UserGroupInformation ugi = Krb5Utils.getUgi(principal, keytabPath, krb5confPath);
+            ugi.doAs(new PrivilegedAction<Object>() {
+                @Override
+                public Object run() {
+                    openJdbc();
+                    return null;
+                }
+            });
+        } else {
+            super.open(taskNumber, numTasks);
         }
     }