Client
private Connection getConnection(ConnectionId remoteId,
Call call, int serviceClass, AtomicBoolean fallbackToSimpleAuth)
-->
connection.setupIOstreams(fallbackToSimpleAuth);
--> Switch to the realUser's UGI to establish the SASL connection
UserGroupInformation ticket = remoteId.getTicket();
if (ticket != null) {
final UserGroupInformation realUser = ticket.getRealUser();
if (realUser != null) {
ticket = realUser;
}
}
--> Create the socket
setupConnection()
ipcStreams = new IpcStreams(socket, maxResponseLength);
First send the connection header
/**
* Write the connection header - this is sent when connection is established
* +----------------------------------+
* | "hrpc" 4 bytes |
* +----------------------------------+
* | Version (1 byte) |
* +----------------------------------+
* | Service Class (1 byte) |
* +----------------------------------+
* | AuthProtocol (1 byte) |
* +----------------------------------+
*/
writeConnectionHeader(ipcStreams);
If Kerberos is enabled, use SASL
//boolean trySasl = UserGroupInformation.isSecurityEnabled() ||
// (ticket != null && !ticket.getTokens().isEmpty());
//this.authProtocol = trySasl ? AuthProtocol.SASL : AuthProtocol.NONE;
if (authProtocol == AuthProtocol.SASL) {
try {
authMethod = ticket
.doAs(new PrivilegedExceptionAction<AuthMethod>() {
@Override
public AuthMethod run()
throws IOException, InterruptedException {
// Create the SaslConnection
return setupSaslConnection(ipcStreams);
}
});

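This article describes in detail how the Hadoop RPC client establishes a Connection when connecting to the NN. In particular, when security is enabled, it first tries to authenticate with a TOKEN and falls back to Kerberos if that fails. It walks through the steps from creating the socket and sending the connection header to SASL negotiation, and goes into the SaslRpcClient implementation, showing how a SaslClient is selected and created for authentication.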
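As an added example (not code from the original post or from Hadoop), the Python sketch below parses the 7-byte connection header laid out in the comment above and flags a client that asks for AuthProtocol NONE where SASL is expected. The numeric codes (NONE = 0, SASL = -33 as a signed byte) and version 9 are taken from upstream Hadoop rather than from this page, and `build_header`, `parse_header` and `audit` are hypothetical names.

```python
import struct
from dataclasses import dataclass

# Assumption: codes as defined in upstream Hadoop (check your version);
# the page itself only gives the field layout.
MAGIC = b"hrpc"
AUTH_PROTOCOLS = {0: "NONE", -33: "SASL"}  # signed single-byte codes

@dataclass
class ConnectionHeader:
    version: int
    service_class: int
    auth_protocol: str

def build_header(version, service_class, auth_code):
    """Serialize magic + version + service class + auth protocol (7 bytes)."""
    return MAGIC + struct.pack(">BBb", version, service_class, auth_code)

def parse_header(data):
    if len(data) < 7:
        raise ValueError("truncated header: need 7 bytes, got %d" % len(data))
    if data[:4] != MAGIC:
        raise ValueError("bad magic %r" % data[:4])
    version, service_class, auth_code = struct.unpack(">BBb", data[4:7])
    name = AUTH_PROTOCOLS.get(auth_code)
    if name is None:
        raise ValueError("unknown AuthProtocol byte %d" % auth_code)
    return ConnectionHeader(version, service_class, name)

def audit(data, security_enabled=True):
    """Return a finding for the first bytes of a connection, or None if OK."""
    try:
        hdr = parse_header(data)
    except ValueError as exc:
        return "malformed: %s" % exc
    if security_enabled and hdr.auth_protocol != "SASL":
        return "client requested AuthProtocol.NONE on a secured cluster"
    return None

# Constructed sample inputs (not captured traffic); version 9 is assumed.
SAMPLES = {
    "sasl": build_header(9, 0, -33),
    "simple": build_header(9, 0, 0),
    "garbage": b"GET / H",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, raw.hex(), audit(raw))
```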



