上表中是基于SLA划分的不同服务级别,要想使SLA认证生效,首相需要在Hadoop配置文件/etc/hadoop/core-site.xml中增加如下配置内容:
<property><name>hadoop.security.authorization</name><value>true</value></property>该配置属性hadoop.security.authorization默认是false,如果集群已经运行,修改了该配置需要重新启动Hadoop集群。然后需要进行SLA认证的详细配置,修改配置文件/etc/hadoop/hadoop-policy.xml,该配置文件中的配置项与对应的SLA协议之间的对应关系如下表所示:
配置项 协议名称security.client.protocol.acl ClientProtocol
security.client.datanode.protocol.acl ClientDatanodeProtocol
security.datanode.protocol.acl DatanodeProtocol
security.inter.datanode.protocol.acl InterDatanodeProtocol
security.namenode.protocol.acl NamenodeProtocol
security.admin.operations.protocol.acl AdminOperationsProtocol
security.refresh.usertogroups.mappings.protocol.acl RefreshUserMappingsProtocol
security.refresh.policy.protocol.acl RefreshAuthorizationPolicyProtocol
security.ha.service.protocol.acl HAServiceProtocol
security.zkfc.protocol.acl ZKFailoverController
security.qjournal.service.protocol.acl QJournalProtocol
security.mrhs.client.protocol.acl HSClientProtocol
security.resourcetracker.protocol.acl ResourceTracker
security.resourcemanager-administration.protocol.acl ResourceManagerAdministrationProtocol
security.applicationclient.protocol.acl ApplicationClientProtocol
security.applicationmaster.protocol.acl ApplicationMasterProtocol
security.containermanagement.protocol.acl ContainerManagementProtocol
security.resourcelocalizer.protocol.acl LocalizationProtocol
security.job.task.protocol.acl TaskUmbilicalProtocol
security.job.client.protocol.acl MRClientProtocol
配置SLA权限,实际上是增加ACL(配置用户或用户组)基本格式要求如下:
如果既有用户,又有用户组,配置内容格式:user1,user2 group1,group2
如果只有用户组,配置内容前面增加一个空格: group1,group2
配置内容为*,表示所有用户都具有对应的服务操作权限
下面,我们给定如下的需求:
hadoop用户作为Hadoop集群的管理员角色,可以执行任何操作
为了防止其他用户使用hadoop用户,使hadoop用户归属于用户组g_super_adm,使属于该组的用户具有集群管理员权限
只有hadoop用户具有修改SLA认证权限的配置
Storm集群使用storm用户运行Topology,将实时数据写入HDFS,storm用户只具有操作HDFS权限
用户组g_dfs_client具有操作HDFS权限
用户组g_mr_client具有在Hadoop上运行MapReduce Job的权限
用户stater只具有操作HDFS和运行MapReduce Job的权限
通过进行配置实践,来满足上述要求。修改配置文件/etc/hadoop/hadoop-policy.xml中的部分配置项,具体修改的内容如下所示:
<property><name>security.client.protocol.acl</name><value>stater,storm g_super_adm,g_dfs_client</value><description>ACL for ClientProtocol, which is used by user code via the DistributedFileSystem. The ACL is a comma-separated list of user and group names. The user and group list is separated by a blank. For e.g. "alice,bob users,wheel". A special value of "*" means all users are allowed. </description></property><property><name>security.refresh.policy.protocol.acl</name><value>hadoop</value><description>ACL for RefreshAuthorizationPolicyProtocol, used by the dfsadmin and mradmin commands to refresh the security policy in-effect. The ACL is a comma-separated list of user and group names. The user and group list is separated by a blank. For e.g. "alice,bob users,wheel". A special value of "*" means all users are allowed. </description></property><property><name>security.job.client.protocol.acl</name><value>stater g_super_adm,g_mr_client</value><description>ACL for MRClientProtocol, used by job clients to communciate with the MR ApplicationMaster to query job status etc. The ACL is a comma-separated list of user and group names. The user and group list is separated by a blank. For e.g. "alice,bob users,wheel". A special value of "*" means all users are allowed. </description></property>