基于Hadoop SLA认证机制实现权限控制
Hadoop集群上存储数据,同时基于MapReduce计算框架可以实现计算任务,那么无论是从数据保护的角度,还是从提交计算任务占用资源的角度来看,都需要存在一种权限管理与分配机制,能够很好地限制哪些人可以在HDFS上存储数据,哪些人可以利用集群的资源来处理特
Hadoop集群上存储数据,同时基于MapReduce计算框架可以实现计算任务,那么无论是从数据保护的角度,还是从提交计算任务占用资源的角度来看,都需要存在一种权限管理与分配机制,能够很好地限制哪些人可以在HDFS上存储数据,哪些人可以利用集群的资源来处理特定的计算任务。当然,如果能够非常完美地解决这些问题是最好的。当前Hadoop本身提供的权限管理功能还不能满足普遍的需要,或者我们从Hadoop已有的一些简单或复杂的认证机制选择适合自己所在组织机构需要的,或者我们在外围开发一些权限管理系统与Hadoop整合作为补充。
对比Kerberos认证(Authentication)配置方式与SLA授权(Service Level Authorization)方式,Kerberos配置相当复杂,而且还要依赖于外部的密钥分发中心KDC(Key Distribution Center)服务器,如果KDC出现问题,那么就会导致依赖于KDC认证的整个Hadoop集群无法使用,鉴于此,对于一些相对小的开发团队来说还是更倾向于粗粒度的Hadoop SLA授权机制。
Hadoop SLA基于Hadoop的各种服务(基于协议来划分)与Linux系统的用户、用户组来实现。Hadoop通过制定接口协议的方式来实现节点之间服务调用的逻辑,这样每一个协议所指定的一组服务就是一个认证单元,再基于底层Linux系统的用户和用户组来限制用户(可能是节点服务)有权限执行某一种协议所包含的操作集合,下面我们看一下Hadoop中的各种协议:
| 协议名称 | 范围 | 说明 |
| ClientProtocol | HDFS | 用户代码基于DistributedFileSystem与NameNode交互,可以操作Hadoop的Namespace,以及打开/关闭文件流操作。 |
| ClientDatanodeProtocol | HDFS | 客户端与DataNode交互协议,用来实现数据库恢复(Block Recovery)。 |
| DatanodeProtocol | HDFS | DataNode与NameNode通信的协议,DataNode基于此协议向NameNode发送block report,以及DataNode当前状态信息(如负载情况)。 |
| InterDatanodeProtocol | HDFS | DataNode之间进行通信的协议,用来更新Block副本(replica)信息,如时间戳、长度等信息。 |
| NamenodeProtocol | HDFS | SecondaryNameNode与NameNode进行通信的协议,用来获取NameNode的状态信息,如进行checkpoint的edits与fsimage。 |
| AdminOperationsProtocol | HDFS | HDFS管理操作协议。 |
| RefreshUserMappingsProtocol | HDFS、MR | 用来刷新缓存中用户与用户组映射关系信息,因为无论是操作HDFS,还是运行MapReduce Job,都会用到用户信息。 |
| RefreshAuthorizationPolicyProtocol | HDFS、MR | 用来更新认证策略(Authorization Policy)配置,对应于配置文件/etc/hadoop/hadoop-policy.xml,控制执行hdfs dfsadmin -refreshServiceAcl和yarn rmadmin -refreshServiceAcl的权限。 |
| HAServiceProtocol | HDFS | HDFS HA操作协议,用来管理Active NameNode与Stand-by NameNode状态。 |
| ZKFailoverController | HDFS | ZooKeeper Failover控制器操作权限,用于HDFS HA。 |
| QJournalProtocol | HDFS | QuorumJournalManager与JournalNode之间通信的协议,用于HDFS HA,用来同步edits,并协调Active NameNode与Stand-by NameNode状态。 |
| HSClientProtocol | HDFS | 客户端与MR History Server之间通讯的协议,用来查看Job历史信息。 |
| ResourceTracker | YARN | ResourceManager与NodeManager之间通信的协议。 |
| ResourceManagerAdministrationProtocol | YARN | ResourceManager管理操作协议。 |
| ApplicationClientProtocol | YARN | YARN客户端(Application)与ResourceManager通信的协议,包括Job提交、Job取消,查询Application状态信息等。 |
| ApplicationMasterProtocol | YARN | ApplicationMaster与ResourceManager之间进行通信的协议,包括AM向RM发送注册或注销请求(获取或释放资源)。 |
| ContainerManagementProtocol | YARN | ApplicationMaster与NodeManager之间进行通信的协议,包括启动/停止Container调用请求。 |
| LocalizationProtocol | YARN | NodeManager与ResourceLocalizer之间进行通信的协议。 |
| TaskUmbilicalProtocol | MR | Map/Reduce Task进程与后台父进程(向MR ApplicationMaster请求创建Map/Reduce Task)之间进行通信的协议。 |
| MRClientProtocol | MR | MR JobClient与MR ApplicationMaster之间进行通信的协议,包括查询Job状态等。 |
上表中是基于SLA划分的不同服务级别,要想使SLA认证生效,首相需要在Hadoop配置文件/etc/hadoop/core-site.xml中增加如下配置内容:
<property>
<name>hadoop.security.authorization</name>
<value>true</value>
</property>
该配置属性hadoop.security.authorization默认是false,如果集群已经运行,修改了该配置需要重新启动Hadoop集群。然后需要进行SLA认证的详细配置,修改配置文件/etc/hadoop/hadoop-policy.xml,该配置文件中的配置项与对应的SLA协议之间的对应关系如下表所示:
| 配置项 | 协议名称 |
| security.client.protocol.acl | ClientProtocol |
| security.client.datanode.protocol.acl | ClientDatanodeProtocol |
| security.datanode.protocol.acl | DatanodeProtocol |
| security.inter.datanode.protocol.acl | InterDatanodeProtocol |
| security.namenode.protocol.acl | NamenodeProtocol |
| security.admin.operations.protocol.acl | AdminOperationsProtocol |
| security.refresh.usertogroups.mappings.protocol.acl | RefreshUserMappingsProtocol |
| security.refresh.policy.protocol.acl | RefreshAuthorizationPolicyProtocol |
| security.ha.service.protocol.acl | HAServiceProtocol |
| security.zkfc.protocol.acl | ZKFailoverController |
| security.qjournal.service.protocol.acl | QJournalProtocol |
| security.mrhs.client.protocol.acl | HSClientProtocol |
| security.resourcetracker.protocol.acl | ResourceTracker |
| security.resourcemanager-administration.protocol.acl | ResourceManagerAdministrationProtocol |
| security.applicationclient.protocol.acl | ApplicationClientProtocol |
| security.applicationmaster.protocol.acl | ApplicationMasterProtocol |
| security.containermanagement.protocol.acl | ContainerManagementProtocol |
| security.resourcelocalizer.protocol.acl | LocalizationProtocol |
| security.job.task.protocol.acl | TaskUmbilicalProtocol |
| security.job.client.protocol.acl | MRClientProtocol |
配置SLA权限,实际上是增加ACL(配置用户或用户组)基本格式要求如下:
- 如果既有用户,又有用户组,配置内容格式:user1,user2 group1,group2
- 如果只有用户组,配置内容前面增加一个空格: group1,group2
- 配置内容为*,表示所有用户都具有对应的服务操作权限
下面,我们给定如下的需求:
- hadoop用户作为Hadoop集群的管理员角色,可以执行任何操作
- 为了防止其他用户使用hadoop用户,使hadoop用户归属于用户组g_super_adm,使属于该组的用户具有集群管理员权限
- 只有hadoop用户具有修改SLA认证权限的配置
- Storm集群使用storm用户运行Topology,将实时数据写入HDFS,storm用户只具有操作HDFS权限
- 用户组g_dfs_client具有操作HDFS权限
- 用户组g_mr_client具有在Hadoop上运行MapReduce Job的权限
- 用户stater只具有操作HDFS和运行MapReduce Job的权限
通过进行配置实践,来满足上述要求。修改配置文件/etc/hadoop/hadoop-policy.xml中的部分配置项,具体修改的内容如下所示:
<property>
<name>security.client.protocol.acl</name>
<value>stater,storm g_super_adm,g_dfs_client</value>
<description>ACL for ClientProtocol, which is used by user code
via the DistributedFileSystem.
The ACL is a comma-separated list of user and group names. The user and
group list is separated by a blank. For e.g. "alice,bob users,wheel".
A special value of "*" means all users are allowed.
</description>
</property>
<property>
<name>security.refresh.policy.protocol.acl</name>
<value>hadoop</value>
<description>ACL for RefreshAuthorizationPolicyProtocol, used by the
dfsadmin and mradmin commands to refresh the security policy in-effect.
The ACL is a comma-separated list of user and group names. The user and
group list is separated by a blank. For e.g. "alice,bob users,wheel".
A special value of "*" means all users are allowed.
</description>
</property>
<property>
<name>security.job.client.protocol.acl</name>
<value>stater g_super_adm,g_mr_client</value>
<description>ACL for MRClientProtocol, used by job clients to
communciate with the MR ApplicationMaster to query job status etc.
The ACL is a comma-separated list of user and group names. The user and
group list is separated by a blank. For e.g. "alice,bob users,wheel".
A special value of "*" means all users are allowed.
</description>
</property>
其他的配置属性值保持默认值不变即可。为了保证整个Hadoop集群配置相同,需要将修改的配置文件同步到整个集群的所有节点上。
然后,为了使上述配置内容生效,需要执行如下命令:
hdfs dfsadmin -refreshServiceAcl yarn rmadmin -refreshServiceAcl
修改SLA认证配置,不需要重启服务,根据修改内容执行上述命令就可以生效。
后面参考链接中,有些关于Hadoop SLA的文档内容貌似没有随着Hadoop版本升级而更新,与实际Hadoop发行版本中配置文件的内容有一定差别,可以参考,具体以实际版本的情况为准。
参考链接
- http://hadoop.apache.org/docs/r2.2.0/hadoop-project-dist/hadoop-common/ServiceLevelAuth.html
- http://hadoop.apache.org/docs/r2.2.0/hadoop-auth/Configuration.html
本文出自:http://shiyanjun.cn, 原文地址:http://shiyanjun.cn/archives/994.html, 感谢原作者分享。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1666
14
1426
52
1328
25
1273
29
1255
24
Enable root permissions with one click (quickly obtain root permissions)
Jun 02, 2024 pm 05:32 PM
It allows users to perform more in-depth operations and customization of the system. Root permission is an administrator permission in the Android system. Obtaining root privileges usually requires a series of tedious steps, which may not be very friendly to ordinary users, however. By enabling root permissions with one click, this article will introduce a simple and effective method to help users easily obtain system permissions. Understand the importance and risks of root permissions and have greater freedom. Root permissions allow users to fully control the mobile phone system. Strengthen security controls, customize themes, and users can delete pre-installed applications. For example, accidentally deleting system files causing system crashes, excessive use of root privileges, and inadvertent installation of malware are also risky, however. Before using root privileges
How to implement dual WeChat login on Huawei mobile phones?
Mar 24, 2024 am 11:27 AM
How to implement dual WeChat login on Huawei mobile phones? With the rise of social media, WeChat has become one of the indispensable communication tools in people's daily lives. However, many people may encounter a problem: logging into multiple WeChat accounts at the same time on the same mobile phone. For Huawei mobile phone users, it is not difficult to achieve dual WeChat login. This article will introduce how to achieve dual WeChat login on Huawei mobile phones. First of all, the EMUI system that comes with Huawei mobile phones provides a very convenient function - dual application opening. Through the application dual opening function, users can simultaneously
PHP Programming Guide: Methods to Implement Fibonacci Sequence
Mar 20, 2024 pm 04:54 PM
The programming language PHP is a powerful tool for web development, capable of supporting a variety of different programming logics and algorithms. Among them, implementing the Fibonacci sequence is a common and classic programming problem. In this article, we will introduce how to use the PHP programming language to implement the Fibonacci sequence, and attach specific code examples. The Fibonacci sequence is a mathematical sequence defined as follows: the first and second elements of the sequence are 1, and starting from the third element, the value of each element is equal to the sum of the previous two elements. The first few elements of the sequence
Discuz Forum Permission Management: Read Permission Setting Guide
Mar 10, 2024 pm 05:33 PM
Discuz forum permission management: Read the permission setting guide In Discuz forum management, permission setting is a crucial part. Among them, the setting of reading permissions is particularly important, as it determines the scope of content that different users can see in the forum. This article will introduce in detail the reading permission settings of the Discuz forum and how to flexibly configure it for different needs. 1. Basic concepts of reading permissions In the Discuz forum, reading permissions mainly include the following concepts that need to be understood: Default reading permissions: Default after new user registration
How to implement the WeChat clone function on Huawei mobile phones
Mar 24, 2024 pm 06:03 PM
How to implement the WeChat clone function on Huawei mobile phones With the popularity of social software and people's increasing emphasis on privacy and security, the WeChat clone function has gradually become the focus of people's attention. The WeChat clone function can help users log in to multiple WeChat accounts on the same mobile phone at the same time, making it easier to manage and use. It is not difficult to implement the WeChat clone function on Huawei mobile phones. You only need to follow the following steps. Step 1: Make sure that the mobile phone system version and WeChat version meet the requirements. First, make sure that your Huawei mobile phone system version has been updated to the latest version, as well as the WeChat App.
Master how Golang enables game development possibilities
Mar 16, 2024 pm 12:57 PM
In today's software development field, Golang (Go language), as an efficient, concise and highly concurrency programming language, is increasingly favored by developers. Its rich standard library and efficient concurrency features make it a high-profile choice in the field of game development. This article will explore how to use Golang for game development and demonstrate its powerful possibilities through specific code examples. 1. Golang’s advantages in game development. As a statically typed language, Golang is used in building large-scale game systems.
PHP Game Requirements Implementation Guide
Mar 11, 2024 am 08:45 AM
PHP Game Requirements Implementation Guide With the popularity and development of the Internet, the web game market is becoming more and more popular. Many developers hope to use the PHP language to develop their own web games, and implementing game requirements is a key step. This article will introduce how to use PHP language to implement common game requirements and provide specific code examples. 1. Create game characters In web games, game characters are a very important element. We need to define the attributes of the game character, such as name, level, experience value, etc., and provide methods to operate these
Introduction to how to set everyone permissions on win7 computer
Mar 26, 2024 pm 04:11 PM
1. Take e-disk as an example. Open [Computer], and click [eDisk], right-click [Properties]. As shown in the figure: 2. In the [Window] page, switch the interface to the [Security] option, and click the [Edit] option below. As shown in the figure: 3. In the [Permissions] option, click the [Add] option. As shown in the figure: 4. The users and groups window pops up and click the [Advanced] option. As shown in the figure: 5. Click to expand the [Find Now] - [Everyone] options in order. When completed, click OK. As shown in the figure: 6. When you see that the user [everyone] has been added to [Group or User] on the [E Disk Permissions] page, select [everyone] and check the box in front of [Full Control]. After the setting is completed, Just press [OK]
