Quickly setting up a Hadoop KMS development and integration environment


Overview

Hadoop KMS is a cryptographic key management server built on the Hadoop KeyProvider API. It has a client and a server component that communicate over HTTP using a REST API: the client is a KeyProvider implementation that interacts with the KMS through the KMS HTTP REST API, so anything that can use a KeyProvider (HDFS transparent encryption, for example) can use the KMS.
KMS and its client have built-in security: they support HTTP SPNEGO Kerberos authentication and HTTPS secure transport.
KMS is a Java web application. In Hadoop 2.x it ran in a Tomcat bundled with the distribution; since Hadoop 3.0 it runs in an embedded Jetty server listening on port 9600 by default, which is what the 3.2.1 image used below does.

Quick setup

Since it is built on Hadoop, the fastest route is a container environment:

https://hub.docker.com/r/gradiant/hdfs

https://github.com/Gradiant/dockerized-hadoop

Reference: https://github.com/Gradiant/dockerized-hadoop/blob/master/docker-compose.yml

Based on that docker-compose file and the KMS documentation (https://hadoop.apache.org/docs/current/hadoop-kms/index.html), the container environment is set up as follows.

 

Generate the keystore

# Pre-create the backing keystore and the password file the KMS reads.
# The RSA/DSA key pair stored under alias 'kmskey' is never used by the KMS; the
# step only guarantees that a keystore file exists. What matters is that the file
# is a type the JCEKS provider can load (JKS or JCEKS; on Java 9+ keytool defaults
# to PKCS12, so add -storetype jceks there) and that -storepass equals the content
# of kms.keystore.password. If the file is absent the KMS creates an empty JCEKS
# keystore itself on first write, so this step is optional.
keytool -genkey -alias 'kmskey' -keystore ./kms.jks -dname "CN=localhost, OU=localhost, O=localhost, L=SH, ST=SH, C=CN" -keypass demokms -storepass demokms -validity 36500
echo "demokms" > kms.keystore.password
# demokms is a throwaway password for this demo; passing it on the command line leaves it in shell history.

kms-site.xml configuration

<?xml version="1.0" encoding="UTF-8"?>
<configuration>

  <!-- KMS backend KeyProvider: a JCEKS keystore on the local filesystem of the KMS host -->
  <property>
    <name>hadoop.kms.key.provider.uri</name>
    <value>jceks://file@/opt/hadoop/key/kms.jks</value>
    <description>
      URI of the backing KeyProvider for the KMS.
    </description>
  </property>

  <!-- The password file is looked up on the Hadoop classpath, which is why the
       compose file below mounts it into /opt/hadoop-3.2.1/etc/hadoop/. The
       environment variable HADOOP_KEYSTORE_PASSWORD takes precedence if set;
       if neither is present the provider falls back to the password "none". -->
  <property>
    <name>hadoop.security.keystore.java-keystore-provider.password-file</name>
    <value>kms.keystore.password</value>
    <description>
      If using the JavaKeyStoreProvider, the password for the keystore file.
    </description>
  </property>

  <!-- Client-side setting: this is what HDFS (NameNode, DataNodes, clients)
       reads to locate the KMS, normally from core-site.xml/hdfs-site.xml; in
       Hadoop 3.x its preferred name is hadoop.security.key.provider.path.
       The KMS itself does not read it, so in kms-site.xml it is harmless but inert. -->
  <property>
    <name>dfs.encryption.key.provider.uri</name>
    <value>kms://http@172.19.0.10:9600/kms</value>
  </property>

  <!-- "simple" means the caller is whoever ?user.name= claims to be; nothing is
       verified. Combined with the default "*" ACLs in kms-acls.xml, every host
       that can reach port 9600 can create, decrypt and delete keys. Acceptable
       for a throwaway dev box only; use "kerberos" anywhere else. -->
  <property>
    <name>hadoop.kms.authentication.type</name>
    <value>simple</value>
    <description>
      Authentication type for the KMS. Can be either "simple"
      or "kerberos".
    </description>
  </property>

</configuration>
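With simple authentication, authorization is the only control the KMS still applies, so here is an added example (not part of the original post and not a file shipped with Hadoop) of the kms-acls.xml that belongs next to kms-site.xml: it replaces the default "*" ACLs, refuses client-supplied key material, and blacklists hdfs from DECRYPT_EEK, as the HDFS transparent encryption documentation recommends, so a compromised NameNode cannot recover data keys. The user names kmsadmin and app and the KMS address are assumptions for this demo. Keep in mind that under authentication.type=simple a caller picks its own user.name, so these ACLs are a guard rail rather than a security boundary until the type is kerberos.

```shell
#!/bin/bash
# Added example, not from the original post: a kms-acls.xml that replaces the
# default "*" (everyone) ACLs the demo runs with. Property names are Hadoop's
# documented KMS ACL keys; the user names kmsadmin and app are assumed for the
# demo, hdfs is the user the page's curl calls use. Mount the file next to
# kms-site.xml (/opt/hadoop-3.2.1/etc/hadoop/kms-acls.xml); the KMS reloads it
# when it changes, no restart needed.
set -eu

KMS_URL=${KMS_URL:-http://172.19.0.10:9600/kms/v1}

# write_kms_acls <output-file> <admin-user> <client-user>
# ACL syntax is "user1,user2 group1,group2" (users, a space, then groups);
# "*" matches everyone and a value with no users and no groups matches nobody.
write_kms_acls() {
  local out=$1 admin=$2 client=$3
  cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <!-- key management stays with the admin -->
  <property><name>hadoop.kms.acl.CREATE</name><value>$admin</value></property>
  <property><name>hadoop.kms.acl.DELETE</name><value>$admin</value></property>
  <property><name>hadoop.kms.acl.ROLLOVER</name><value>$admin</value></property>
  <property><name>hadoop.kms.acl.GET</name><value>$admin</value></property>
  <property><name>hadoop.kms.acl.GET_KEYS</name><value>$admin,$client</value></property>
  <property><name>hadoop.kms.acl.GET_METADATA</name><value>$admin,$client,hdfs</value></property>
  <!-- nobody may hand the KMS key material in create/rollover requests -->
  <property><name>hadoop.kms.acl.SET_KEY_MATERIAL</name><value></value></property>
  <!-- the NameNode runs as hdfs and needs GENERATE_EEK for encryption zones -->
  <property><name>hadoop.kms.acl.GENERATE_EEK</name><value>$client,hdfs</value></property>
  <property><name>hadoop.kms.acl.DECRYPT_EEK</name><value>$client</value></property>
  <!-- a blacklist overrides the ACL: the HDFS superuser must never obtain a DEK -->
  <property><name>hadoop.kms.blacklist.DECRYPT_EEK</name><value>hdfs</value></property>
</configuration>
EOF
}

# acl_value <file> <property-name>: the <value> of one property written above
acl_value() { sed -n "s|.*<name>$2</name><value>\(.*\)</value>.*|\1|p" "$1"; }

# kms_status <user.name> <path> [extra-query]: HTTP status for a GET as that
# caller; 401 = no user.name, 403 = ACL denied, 200 = allowed
kms_status() { curl -s -o /dev/null -w '%{http_code}' "$KMS_URL/$2?user.name=$1${3:+&$3}"; }

case ${1:-} in
  --live)
    # expected with the file above in place: 403, 200, 200. Under "simple"
    # authentication the 403 is defeated by sending user.name=kmsadmin instead,
    # which is why ACLs only become a real control once the type is kerberos.
    echo "hdfs     keys/names   -> $(kms_status hdfs keys/names)"
    echo "kmsadmin keys/names   -> $(kms_status kmsadmin keys/names)"
    echo "hdfs     generate EEK -> $(kms_status hdfs key/testkey/_eek 'eek_op=generate&num_keys=1')"
    ;;
  *)
    out=${1:-kms-acls.xml}
    write_kms_acls "$out" kmsadmin app
    echo "wrote $out (DECRYPT_EEK=$(acl_value "$out" hadoop.kms.acl.DECRYPT_EEK), blacklisted: $(acl_value "$out" hadoop.kms.blacklist.DECRYPT_EEK))"
    ;;
esac
```

Run it without arguments to write kms-acls.xml into the current directory, add a `- ./kms-acls.xml:/opt/hadoop-3.2.1/etc/hadoop/kms-acls.xml` volume line to the compose file, and run it with `--live` to see the page's own `user.name=hdfs` listing refused while the admin still succeeds.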

docker-compose configuration and startup

# https://github.com/Gradiant/dockerized-hadoop
# http://localhost:50070 for hadoop 2.x
# http://localhost:9870 for hadoop 3.x
# CORE_CONF_fs_defaultFS hdfs://hostname -f:8020
#

version: "3"
services:
  namenode:
    image: gradiant/hdfs:3.2.1
    container_name: hdfs-namenode
    environment:
      - HDFS_CONF_dfs_replication=1
    volumes:
      - name:/hadoop/dfs
      - ./sources.list:/etc/apt/sources.list
      # kms-site.xml and the password file go into the Hadoop conf dir, which is
      # on the classpath the KMS searches for the password file
      - ./kms-site.xml:/opt/hadoop-3.2.1/etc/hadoop/kms-site.xml
      - ./kms.sh:/opt/hadoop/kms.sh
      - ./kms.keystore.password:/opt/hadoop-3.2.1/etc/hadoop/kms.keystore.password
    command:
      - namenode
    ports:
      - 8020:8020
      - 50070:50070   # NameNode web UI port of Hadoop 2.x, unused by this 3.2.1 image
      - 9870:9870
      # KMS REST port. With simple authentication every caller that reaches it is
      # trusted, so outside a throwaway dev box bind it to localhost (127.0.0.1:9600:9600)
      - 9600:9600
    networks:
      hdfs-networks:
        ipv4_address: 172.19.0.10

  datanode-0:
    image: gradiant/hdfs:3.2.1
    container_name: hdfs-datanode1
    environment:
      - CORE_CONF_fs_defaultFS=hdfs://namenode:8020
      - HDFS_CONF_dfs_replication=1
    volumes:
      - data-0:/hadoop/dfs
      - ./sources.list:/etc/apt/sources.list
    command:
      - datanode
    networks:
      hdfs-networks:
        ipv4_address: 172.19.0.11

volumes:
  data-0:
  name:

networks:
  hdfs-networks:
    ipam:
      driver: default
      config:
        - subnet: 172.19.0.0/16

 

Start it with docker-compose up -d

 

Debian apt sources the image depends on (sources.list)

deb http://mirrors.aliyun.com/debian/ buster main non-free contrib
deb http://mirrors.aliyun.com/debian-security buster/updates main
deb http://mirrors.aliyun.com/debian/ buster-updates main non-free contrib
deb http://mirrors.aliyun.com/debian/ buster-backports main non-free contrib

 

Starting KMS

# As noted above, the Hadoop daemons in this image run as the hdfs user, so the
# key directory and kms.jks must be writable by hdfs; otherwise creating a key,
# which rewrites the keystore, fails with a permission error. docker cp creates
# files owned by root, so check the ownership inside the container afterwards
# and chown the directory to hdfs if needed.
docker exec -it hdfs-namenode bash -c "mkdir -p /opt/hadoop/key"
docker cp kms.jks hdfs-namenode:/opt/hadoop/key/

# kms.sh is bind-mounted from the host, so it needs the executable bit on the host side.
docker exec -itd hdfs-namenode /opt/hadoop/kms.sh

kms.sh contents:

#!/bin/bash
# "hadoop --daemon start kms" (the Hadoop 3.x launcher) forks the KMS into the
# background itself, so nohup is redundant but harmless. Startup errors such as a
# wrong keystore password, a missing password file or an unreadable kms.jks show
# up in the KMS log under the Hadoop log directory, not on this terminal.
nohup hadoop --daemon start kms

Tip

docker exec -u root -it hdfs-namenode bash enters the container as root, which is handy for installing diagnostic tools. The image is Debian 10 with few packages installed; after apt-get update (against the aliyun mirror mounted above) you can install what you need, e.g. netstat via apt-get install net-tools.

 

If no exceptions appear in the log, the service is ready to use.

REST access

See the official documentation: https://hadoop.apache.org/docs/current/hadoop-kms/index.html

 

# ?user.name=hdfs is required: with authentication.type=simple the KMS rejects
# anonymous requests with 401, but accepts any name you supply, unverified.
# curl -X GET http://172.19.0.10:9600/kms/v1/keys/names
curl -X GET http://172.19.0.10:9600/kms/v1/keys/names?user.name=hdfs
# curl -i --header "Accept:application/json" -H "Content-Type:application/json" -X GET http://172.19.0.10:9600/kms/v1/keys/names?user.name=hdfs

 

# https://hadoop.apache.org/docs/current/hadoop-kms/index.html
# Create a Key
# "material" is the base64 encoding of the key bytes and must decode to exactly
# "length" bits (the 22 characters below decode to 16 bytes = 128 bits). Omit it
# and the KMS generates random material itself, which is the normal and safer
# choice; client-supplied material is governed by the SET_KEY_MATERIAL ACL.
# "cipher" is recorded in the key's metadata; the KMS documentation uses
# "AES/CTR/NoPadding", which is what HDFS transparent encryption expects.
curl -X POST http://172.19.0.10:9600/kms/v1/keys?user.name=hdfs -H 'Content-Type: application/json' -d'
{
  "name"        : "testkey",
  "cipher"      : "AES_128_CBC",
  "length"      : 128,
  "material"    : "1234567812345678123456",
  "description" : "demo"
}
'

#Get Key Metadata

curl -X GET http://172.19.0.10:9600/kms/v1/key/testkey/_metadata?user.name=hdfs

#Get Current Key

curl -X GET http://172.19.0.10:9600/kms/v1/key/testkey/_currentversion?user.name=hdfs

 

curl -X GET http://172.19.0.10:9600/kms/v1/keys/names?user.name=hdfs

 

# Generate Encrypted Keys (EEKs) for the current key version. Each entry in the
# response carries "versionName" (the encryption key version used, e.g. testkey@0),
# the "iv", and "encryptedKeyVersion.material" (the DEK encrypted under that key
# version). Overwrite /tmp/k.json rather than append with tee -a, otherwise the
# second run leaves a file that is no longer valid JSON.
curl -X GET "http://172.19.0.10:9600/kms/v1/key/testkey/_eek?eek_op=generate&num_keys=3&user.name=hdfs" | tee /tmp/k.json

# Decrypt an Encrypted Key
# Take the first key. jq without -r keeps the double quotes, which is what lets
# the values be pasted straight into the JSON body below.
IV=`jq ".[0].iv" /tmp/k.json`
MAT=`jq ".[0].encryptedKeyVersion.material" /tmp/k.json`
NAME=`jq ".[0].encryptedKeyVersion.name" /tmp/k.json`

# The key version in the path must be the one the EEK was generated with, i.e.
# .[0].versionName from the response; testkey@0 is only right for a key that has
# never been rolled over. The response contains the plaintext DEK in base64, so
# whoever passes the DECRYPT_EEK ACL can read every file encrypted with it.
curl -X POST "http://172.19.0.10:9600/kms/v1/keyversion/testkey@0/_eek?eek_op=decrypt&user.name=hdfs"  -H 'Content-Type: application/json' -d'
{
  "name"        : '${NAME}',
  "iv"          : '${IV}',
  "material"    : '${MAT}'
}
'

# Delete Key
curl -X DELETE http://172.19.0.10:9600/kms/v1/key/testkey?user.name=hdfs
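The generate/decrypt exchange above, reworked as an added shell example (not code from the original post or from Hadoop): it takes the encryption key version from the generate response instead of hard-coding testkey@0, needs no jq, and checks the length of the DEK the KMS hands back. The KMS address, user.name=hdfs and the key name testkey are the post's values and are assumed here; the embedded response is a constructed sample so the parsing can be exercised without a running KMS. Run it with --live against the compose cluster to perform the real round trip.

```shell
#!/bin/bash
# Added example, not from the original post: the same generate/decrypt exchange
# as the curl commands above, with three changes: the key version name comes
# from the generate response instead of being hard-coded as testkey@0, the JSON
# is parsed with tr/sed/grep so there is no jq dependency, and the returned DEK
# is checked to be 128 bits. KMS address, user name and key name are the post's
# values (assumptions for this demo). SAMPLE_GENERATE_RESPONSE is a constructed
# copy of the response shape, used when no KMS is reachable.
set -eu

KMS_URL=${KMS_URL:-http://172.19.0.10:9600/kms/v1}
KMS_USER=${KMS_USER:-hdfs}     # with simple auth this name is trusted unverified
KEY_NAME=${KEY_NAME:-testkey}

# kms_url <path> [extra-query]: every request must carry user.name, else 401
kms_url() { printf '%s/%s?user.name=%s%s' "$KMS_URL" "$1" "$KMS_USER" "${2:+&$2}"; }
kms_get() { curl -sS -f -H 'Accept: application/json' "$(kms_url "$@")"; }
# kms_post <path> <extra-query> <json-body>
kms_post() {
  curl -sS -f -H 'Accept: application/json' -H 'Content-Type: application/json' \
       -X POST --data "$3" "$(kms_url "$1" "$2")"
}

# json_str <json> <field>: value of the first "field":"string" pair. The KMS
# pretty-prints its JSON, so whitespace is stripped before matching.
json_str() {
  printf '%s' "$1" | tr -d ' \n\t\r' | grep -o "\"$2\":\"[^\"]*\"" | head -n 1 | cut -d'"' -f4
}

# eek_first <generate-response> <top|inner>: the first EEK of the array, either
# its outer object (versionName = encryption key version, iv) or the nested
# encryptedKeyVersion object (name, material).
eek_first() {
  local first
  first=$(printf '%s' "$1" | tr -d ' \n\t\r' | sed 's/^\[//; s/}}.*$/}}/')
  case $2 in
    top)   printf '%s' "$first" | sed 's/"encryptedKeyVersion".*$//' ;;
    inner) printf '%s' "$first" | sed 's/^.*"encryptedKeyVersion"//' ;;
  esac
}

# decrypt_body <key-name> <iv> <encrypted-material>: body for eek_op=decrypt
decrypt_body() { printf '{"name":"%s","iv":"%s","material":"%s"}' "$1" "$2" "$3"; }

# b64url_decoded_len <string>: byte length of the URL-safe, unpadded base64 the
# KMS emits (GNU base64 -d wants the standard alphabet and padding)
b64url_decoded_len() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | base64 -d | wc -c | tr -d ' '
}

# Constructed sample of a generate response (num_keys=2); not captured from a KMS.
SAMPLE_GENERATE_RESPONSE='[ {
  "versionName" : "testkey@0",
  "iv" : "AAAAAAAAAAAAAAAAAAAAAA",
  "encryptedKeyVersion" : {
    "name" : "testkey",
    "versionName" : "EEK",
    "material" : "Q29uc3RydWN0ZWRTYW1wbGU"
  }
}, {
  "versionName" : "testkey@0",
  "iv" : "BBBBBBBBBBBBBBBBBBBBBB",
  "encryptedKeyVersion" : {
    "name" : "testkey",
    "versionName" : "EEK",
    "material" : "c2Vjb25kLXNhbXBsZS1lZWs"
  }
} ]'

# Live round trip against the KMS from the compose file.
live_roundtrip() {
  local resp ekv iv mat dek
  if ! kms_get keys/names | grep -q "\"$KEY_NAME\""; then
    # no "material" field: the KMS generates the key bytes itself
    kms_post keys '' "{\"name\":\"$KEY_NAME\",\"cipher\":\"AES/CTR/NoPadding\",\"length\":128}" >/dev/null
  fi
  resp=$(kms_get "key/$KEY_NAME/_eek" 'eek_op=generate&num_keys=1')
  ekv=$(json_str "$(eek_first "$resp" top)" versionName)   # testkey@0, or @1 after a rollover
  iv=$(json_str "$(eek_first "$resp" top)" iv)
  mat=$(json_str "$(eek_first "$resp" inner)" material)
  dek=$(json_str "$(kms_post "keyversion/$ekv/_eek" eek_op=decrypt "$(decrypt_body "$KEY_NAME" "$iv" "$mat")")" material)
  echo "$ekv -> DEK of $(b64url_decoded_len "$dek") bytes returned in the clear to user.name=$KMS_USER"
}

if [ "${1:-}" = "--live" ]; then
  live_roundtrip
else
  ekv=$(json_str "$(eek_first "$SAMPLE_GENERATE_RESPONSE" top)" versionName)
  echo "would POST $(kms_url "keyversion/$ekv/_eek" eek_op=decrypt)"
  echo "body: $(decrypt_body "$(json_str "$(eek_first "$SAMPLE_GENERATE_RESPONSE" inner)" name)" \
                "$(json_str "$(eek_first "$SAMPLE_GENERATE_RESPONSE" top)" iv)" \
                "$(json_str "$(eek_first "$SAMPLE_GENERATE_RESPONSE" inner)" material)")"
fi
```

The decrypt response is the DEK itself, base64 encoded; under simple authentication it goes to any caller whose asserted user.name passes the DECRYPT_EEK ACL, which by default is everyone. That is why production deployments blacklist hdfs from DECRYPT_EEK: the NameNode only ever needs GENERATE_EEK, and the DEK should reach nothing but the client that reads or writes the file.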

Summary

With a single container, Hadoop KMS can be deployed in minutes, and other applications can then integrate with it and exercise it.

Access control for the REST calls above was not addressed: with simple authentication every caller is trusted to be whoever user.name claims, and the default kms-acls.xml allows everything, which is adequate for integration testing and nothing more.

When real authentication is required, KMS offers Kerberos (SPNEGO) and, on top of it, Hadoop delegation tokens; there is no username/password mode. Moving to it changes the authentication configuration and how the REST calls authenticate, not the calls themselves.

 

