API访问实例
之前的章节介绍了有关权限授予、收回以及查看操作的相应命令,并简单介绍了Kerberos认证。如果需使用API来进行权限的管理,可考虑如下实例:
使用Java API访问启用Kerberos的服务示例
环境准备:
配置Kerberos客户端
配置文件默认路径:/etc/krb5.conf (Linux) 或者 C:\Windows\krb5.ini (Windows)
或者
添加Java程序启动参数 -Djava.security.krb5.conf=<your_krb5_conf_path> 来指定Kerberos客户端配置文件路径
确保客户端时间与集群时间同步
NOTE: 客户端机器时间与集群时间的时间差需在5分钟之内,否则Kerberos认证会因时钟偏差过大而失败。
1.程序的 Classpath 中加入配置文件目录(hbase-site.xml, core-site.xml)时,使用UserGroupInformation.loginUserFromKeytab 登录:
Example 1. 访问Hyperbase示例
import java.io.IOException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.HTableDescriptor;
import org.apache.hadoop.hbase.client.HBaseAdmin;
import org.apache.hadoop.security.UserGroupInformation;
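public class HBaseSecureTest {
    /**
     * Logs in to Kerberos from a client-side keytab and creates the table "t1".
     *
     * <p>This variant relies on hbase-site.xml and core-site.xml being on the classpath,
     * so no connection or security settings are set in code.
     *
     * @param args unused
     * @throws IOException if the keytab login or the table creation fails
     */
    public static void main(String[] args) throws IOException {
        // The keytab is a credential file: whoever can read it can authenticate as this
        // principal. Keep it readable only by the account that runs this program.
        // NOTE(review): the example logs in as the hbase principal; for application code
        // prefer a dedicated principal that is granted only the permissions it needs.
        UserGroupInformation.loginUserFromKeytab("hbase/tw-node2125",
                "/etc/hyperbase1/hbase.keytab"); // ①
        Configuration conf = HBaseConfiguration.create();
        HBaseAdmin hBaseAdmin = new HBaseAdmin(conf);
        try {
            hBaseAdmin.createTable(new HTableDescriptor("t1"));
        } finally {
            // Release the admin's cluster connection even when createTable throws.
            hBaseAdmin.close();
        }
    }
}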
① "/etc/hyperbase1/hbase.keytab" 表示客户端上 keytab 文件(保存 principal 密钥的凭据文件)的路径,而非服务端的路径,所以需要根据客户端的实际路径加以修改;"hbase/tw-node2125" 中前者表示用户名,后者表示集群中的任意一台机器,可以不写。keytab 文件相当于该用户的密码,应只允许运行该程序的系统用户读取。
2.当 Classpath 中没有加入配置文件目录(hbase-site.xml, core-site.xml)时,需要按如下方式在代码里设置一些配置项。
Example 2. 访问Hyperbase示例
import java.io.IOException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.HTableDescriptor;
import org.apache.hadoop.hbase.client.HBaseAdmin;
import org.apache.hadoop.security.UserGroupInformation;
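public class HBaseSecureTest {
    /**
     * Logs in to Kerberos from a client-side keytab and creates the table "t1", with all
     * connection and security settings supplied in code.
     *
     * <p>Use this variant when hbase-site.xml and core-site.xml are not on the classpath.
     *
     * @param args unused
     * @throws IOException if the keytab login or the table creation fails
     */
    public static void main(String[] args) throws IOException {
        Configuration HBASE_CONFIG = new Configuration();
        HBASE_CONFIG.set("hbase.zookeeper.quorum",
                "172.16.2.125,172.16.2.126,172.16.2.127"); // ①
        HBASE_CONFIG.set("hbase.master.kerberos.principal",
                "hbase/_HOST@TDH");
        HBASE_CONFIG.set("hbase.regionserver.kerberos.principal",
                "hbase/_HOST@TDH");
        HBASE_CONFIG.set("hbase.security.authentication", "kerberos");
        HBASE_CONFIG.set("hadoop.security.authentication", "kerberos");
        HBASE_CONFIG.set("zookeeper.znode.parent", "/hyperbase1");
        Configuration conf = HBaseConfiguration.create(HBASE_CONFIG);

        // UserGroupInformation must be given the Kerberos-enabled configuration before
        // the login call, because nothing on the classpath supplies it in this variant.
        UserGroupInformation.setConfiguration(conf);
        // The keytab is a credential file: keep it readable only by the account that
        // runs this program.
        // NOTE(review): the example logs in as the hbase principal; for application code
        // prefer a dedicated principal that is granted only the permissions it needs.
        UserGroupInformation.loginUserFromKeytab("hbase/tw-node2125",
                "/etc/hyperbase1/hbase.keytab");

        HBaseAdmin hBaseAdmin = new HBaseAdmin(conf);
        try {
            hBaseAdmin.createTable(new HTableDescriptor("t1"));
        } finally {
            // Release the admin's cluster connection even when createTable throws.
            hBaseAdmin.close();
        }
    }
}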
① 以下四条命令中的参数都是固定写法。
3.使用不同的 UserGroupInformation 对象执行不同的代码段
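// Template: run different code sections as different Kerberos principals.
// principal1/keytab1 and principal2/keytab2 are placeholders supplied by the caller, and
// T stands for the result type of the action.
// loginUserFromKeytabAndReturnUGI returns a separate login per call, so each doAs block
// runs with the identity of the UGI it is invoked on.
UserGroupInformation ugi1 =
        UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal1, keytab1);
UserGroupInformation ugi2 =
        UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal2, keytab2);

ugi1.doAs(new PrivilegedExceptionAction<T>() {
    @Override
    public T run() throws Exception {
        // action1: the code that must run as principal1
        return null; // replace with the result of action1
    }
});

ugi2.doAs(new PrivilegedExceptionAction<T>() {
    @Override
    public T run() throws Exception {
        // action2: the code that must run as principal2
        return null; // replace with the result of action2
    }
});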
4.Hyperbase 操作
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.*;
import org.apache.hadoop.hbase.client.*;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.security.UserGroupInformation;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
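/**
 * Created by gordon on 2015/6/16.
 *
 * <p>Walks through basic operations against a Kerberos-secured Hyperbase cluster:
 * create a table, insert rows, read one row, scan all rows and delete a row.
 */
public class HyperbaseSecureTest {
    private static Configuration conf = null;

    static {
        Configuration HBASE_CONFIG = new Configuration();
        // Host names are reproduced as printed on the page; replace them with the
        // ZooKeeper quorum of your own cluster.
        HBASE_CONFIG.set("hbase.zookeeper.quorum",
                "transwarpnode5,transwarp-node6,transwarp-node7");
        HBASE_CONFIG.set("hbase.master.kerberos.principal",
                "hbase/_HOST@TDH");
        HBASE_CONFIG.set("hbase.regionserver.kerberos.principal",
                "hbase/_HOST@TDH");
        HBASE_CONFIG.set("hbase.security.authentication", "kerberos");
        HBASE_CONFIG.set("zookeeper.znode.parent", "/hyperbase1");
        HBASE_CONFIG.set("hadoop.security.authentication", "kerberos");
        conf = HBaseConfiguration.create(HBASE_CONFIG);
    }

    /**
     * Creates a table with the given column families, unless it already exists.
     *
     * @param tableName name of the table to create
     * @param familys column family names to add to the table
     * @throws Exception if the cluster cannot be reached or the creation fails
     */
    public static void creatTable(String tableName, String[] familys)
            throws Exception {
        HBaseAdmin admin = new HBaseAdmin(conf);
        try {
            if (admin.tableExists(tableName)) {
                System.out.println("table already exists!");
            } else {
                HTableDescriptor tableDesc = new HTableDescriptor(tableName);
                for (String family : familys) {
                    tableDesc.addFamily(new HColumnDescriptor(family));
                }
                admin.createTable(tableDesc);
                System.out.println("create table " + tableName + " ok.");
            }
        } finally {
            // Release the admin's cluster connection on every path.
            admin.close();
        }
    }

    /**
     * Disables and then deletes a table.
     *
     * <p>Connection failures (master not running, ZooKeeper unreachable) are printed and
     * not rethrown, so a caller cannot tell from the return alone that the table is gone.
     *
     * @param tableName name of the table to delete
     * @throws Exception if disabling or deleting the table fails for another reason
     */
    public static void deleteTable(String tableName) throws Exception {
        HBaseAdmin admin = null;
        try {
            admin = new HBaseAdmin(conf);
            admin.disableTable(tableName);
            admin.deleteTable(tableName);
            System.out.println("delete table " + tableName + " ok.");
        } catch (MasterNotRunningException e) {
            e.printStackTrace();
        } catch (ZooKeeperConnectionException e) {
            e.printStackTrace();
        } finally {
            if (admin != null) {
                admin.close();
            }
        }
    }

    /**
     * Inserts one cell into a table.
     *
     * <p>An IOException raised by the write is printed and not rethrown.
     *
     * @param tableName table to write to
     * @param rowKey row key of the record
     * @param family column family of the cell
     * @param qualifier column qualifier of the cell (may be empty)
     * @param value cell value
     * @throws Exception if closing the table fails
     */
    public static void addRecord(String tableName, String rowKey, String family,
            String qualifier, String value) throws Exception {
        HTable table = null;
        try {
            table = new HTable(conf, tableName);
            Put put = new Put(Bytes.toBytes(rowKey));
            put.add(Bytes.toBytes(family), Bytes.toBytes(qualifier), Bytes.toBytes(value));
            table.put(put);
            System.out.println("insert recored " + rowKey + " to table "
                    + tableName + " ok.");
        } catch (IOException e) {
            e.printStackTrace();
        } finally {
            if (table != null) {
                table.close();
            }
        }
    }

    /**
     * Deletes one row from a table.
     *
     * @param tableName table to delete from
     * @param rowKey row key of the record to delete
     * @throws IOException if the delete fails
     */
    public static void delRecord(String tableName, String rowKey) throws IOException {
        HTable table = new HTable(conf, tableName);
        try {
            List<Delete> list = new ArrayList<Delete>();
            // Encode the key the same way addRecord does (Bytes.toBytes); the platform
            // default charset of String.getBytes() could produce a different key for
            // non-ASCII row keys and silently delete nothing.
            list.add(new Delete(Bytes.toBytes(rowKey)));
            table.delete(list);
            System.out.println("del recored " + rowKey + " ok.");
        } finally {
            table.close();
        }
    }

    /**
     * Reads one row and prints each of its cells.
     *
     * @param tableName table to read from
     * @param rowKey row key of the record to read
     * @throws IOException if the read fails
     */
    public static void getOneRecord(String tableName, String rowKey)
            throws IOException {
        HTable table = new HTable(conf, tableName);
        try {
            // Same key encoding as addRecord, so the lookup matches what was written.
            Get get = new Get(Bytes.toBytes(rowKey));
            printResult(table.get(get));
        } finally {
            table.close();
        }
    }

    /**
     * Scans a whole table and prints every cell.
     *
     * <p>An IOException raised by the scan is printed and not rethrown.
     *
     * @param tableName table to scan
     */
    public static void getAllRecord(String tableName) {
        HTable table = null;
        ResultScanner ss = null;
        try {
            table = new HTable(conf, tableName);
            ss = table.getScanner(new Scan());
            for (Result r : ss) {
                printResult(r);
            }
        } catch (IOException e) {
            e.printStackTrace();
        } finally {
            // Close the scanner before the table it was opened on.
            if (ss != null) {
                ss.close();
            }
            if (table != null) {
                try {
                    table.close();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
        }
    }

    /** Prints row, family:qualifier, timestamp and value for every cell of a result. */
    private static void printResult(Result result) {
        for (KeyValue kv : result.raw()) {
            // Decode with Bytes.toString, the counterpart of the Bytes.toBytes used on write.
            System.out.print(Bytes.toString(kv.getRow()) + " ");
            System.out.print(Bytes.toString(kv.getFamily()) + ":");
            System.out.print(Bytes.toString(kv.getQualifier()) + " ");
            System.out.print(kv.getTimestamp() + " ");
            System.out.println(Bytes.toString(kv.getValue()));
        }
    }

    /**
     * Logs in from the client keytab and runs the demo sequence on table "scores".
     *
     * <p>Any exception is printed and not rethrown.
     *
     * @param args unused
     */
    public static void main(String[] args) throws IOException {
        try {
            UserGroupInformation.setConfiguration(conf);
            // The keytab is a credential file: keep it readable only by the account that
            // runs this program.
            // NOTE(review): the example logs in as the hbase principal; for application
            // code prefer a dedicated principal with only the permissions it needs.
            UserGroupInformation.loginUserFromKeytab("hbase/transwarpnode5",
                    "/etc/hyperbase1/hbase.keytab");

            String tablename = "scores";
            String[] familys = {"grade", "course"};
            HyperbaseSecureTest.creatTable(tablename, familys);

            // add record zkb
            HyperbaseSecureTest.addRecord(tablename, "zkb", "grade", "", "5");
            HyperbaseSecureTest.addRecord(tablename, "zkb", "course", "", "90");
            HyperbaseSecureTest.addRecord(tablename, "zkb", "course", "math", "97");
            HyperbaseSecureTest.addRecord(tablename, "zkb", "course", "art", "87");
            // add record baoniu
            HyperbaseSecureTest.addRecord(tablename, "baoniu", "grade", "", "4");
            HyperbaseSecureTest.addRecord(tablename, "baoniu", "course", "math", "89");

            System.out.println("===========get one record========");
            HyperbaseSecureTest.getOneRecord(tablename, "zkb");

            System.out.println("===========show all record========");
            HyperbaseSecureTest.getAllRecord(tablename);

            System.out.println("===========del one record========");
            HyperbaseSecureTest.delRecord(tablename, "baoniu");
            HyperbaseSecureTest.getAllRecord(tablename);

            System.out.println("===========show all record========");
            HyperbaseSecureTest.getAllRecord(tablename);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}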
HBase权限管理API示例(Hyperbase authorization api demo)
// Hyperbase提供了AccessControlClient这个类用来操作Hyperbase的权限管理。
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
import org.apache.hadoop.hbase.security.access.AccessControlClient;
import org.apache.hadoop.hbase.security.access.UserPermission;
import org.apache.hadoop.security.UserGroupInformation;
import java.security.PrivilegedAction;
import java.util.List;
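public class HyperbaseAuthorization {
    /**
     * Grants and then revokes READ/WRITE for user "zhu", first on one column family of a
     * table and then on the "hbase:acl" name, listing the permissions after each step.
     *
     * <p>All calls run as the hbase user obtained from a keytab login.
     *
     * @param args unused
     * @throws Exception if the keytab login fails
     */
    public static void main(String[] args) throws Exception {
        String zkquorum = "baogang1";
        String znode = "/hyperbase1";
        final String targetTableName = "zhaoliu:zhaoliu_table";

        Configuration config = new Configuration();
        config.set("hbase.zookeeper.quorum", zkquorum);
        config.set("zookeeper.znode.parent", znode);
        config.set("hbase.master.kerberos.principal", "hbase/_HOST@TDH");
        config.set("hbase.regionserver.kerberos.principal", "hbase/_HOST@TDH");
        config.set("hbase.security.authentication", "kerberos");
        config.set("hadoop.security.authentication", "kerberos");
        final Configuration conf = HBaseConfiguration.create(config);
        UserGroupInformation.setConfiguration(conf);

        // hbase user has global permissions
        // The keytab therefore grants full control of the cluster's ACLs: keep it
        // readable only by the administrator account that runs this tool.
        // NOTE(review): the path below is reproduced as printed on the page and looks
        // garbled ("*"); replace it with the real keytab path.
        UserGroupInformation ugi =
                UserGroupInformation.loginUserFromKeytabAndReturnUGI("hbase",
                        "/home/zhaoliu/data/baogan*ase-baogang.keytab");

        ugi.doAs(new PrivilegedAction<Void>() {
            @Override
            public Void run() {
                try {
                    if (AccessControlClient.isAccessControllerRunning(conf)) {
                        List<UserPermission> permissions =
                                AccessControlClient.getUserPermissions(conf, targetTableName);
                        System.out.println("before grant: " + permissions);

                        // Table-scoped grant, limited to column family "f".
                        AccessControlProtos.GrantResponse grantResponse =
                                AccessControlClient.grant(conf,
                                        TableName.valueOf(targetTableName), "zhu",
                                        "f".getBytes(), null,
                                        AccessControlProtos.Permission.Action.READ,
                                        AccessControlProtos.Permission.Action.WRITE);
                        // Print the ACL after every change so the operator can confirm
                        // that the grant or revoke actually took effect.
                        permissions = AccessControlClient.getUserPermissions(conf,
                                targetTableName);
                        System.out.println("after grant: " + permissions);

                        AccessControlProtos.RevokeResponse revokeResponse =
                                AccessControlClient.revoke(conf, "zhu",
                                        TableName.valueOf(targetTableName),
                                        "f".getBytes(), null,
                                        AccessControlProtos.Permission.Action.READ,
                                        AccessControlProtos.Permission.Action.WRITE);
                        permissions = AccessControlClient.getUserPermissions(conf,
                                targetTableName);
                        System.out.println("after revoke: " + permissions);

                        // Global permissions
                        // NOTE(review): the page expresses a global grant by targeting
                        // "hbase:acl". WRITE at this scope is far broader than the table
                        // grant above; grant it only when needed and confirm the revoke.
                        String global = "hbase:acl";
                        grantResponse = AccessControlClient.grant(conf,
                                TableName.valueOf(global), "zhu", null, null,
                                AccessControlProtos.Permission.Action.READ,
                                AccessControlProtos.Permission.Action.WRITE);
                        permissions = AccessControlClient.getUserPermissions(conf, global);
                        System.out.println("after global grant: " + permissions);

                        revokeResponse = AccessControlClient.revoke(conf, "zhu",
                                TableName.valueOf(global), null, null,
                                AccessControlProtos.Permission.Action.READ,
                                AccessControlProtos.Permission.Action.WRITE);
                        permissions = AccessControlClient.getUserPermissions(conf, global);
                        System.out.println("after global revoke: " + permissions);
                    } else {
                        System.out.println("Hbase access controller is not running.");
                    }
                } catch (Throwable e) {
                    // Throwable is caught as in the original listing. NOTE(review): a
                    // failure between a grant and its revoke leaves the permission in
                    // place, so check the printed ACL after any error.
                    e.printStackTrace();
                }
                return null;
            }
        });
    }
}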
具体参考文档下载:链接:http://pan.baidu.com/s/1i5K* 56 密码:mbdy