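Configuring LDAP Authentication for Presto & Presto Pushdown for Kylin
阿新 • Published: 2020-12-25
Tags: kylin, presto, ldap
005_Presto LDAP Configuration and Kylin Pushdown Configuration
I. Enable LDAPS
1. Create the keystore used by the ApacheDS server
- Create the keystore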
cd apacheds-2.0.0-M25/default/conf/
keytool -genkeypair -alias apacheds -keyalg RSA -validity 90 -keystore ads.keystore
輸入金鑰庫口令:
再次輸入新口令:
您的名字與姓氏是什麼? [Unknown]: dw303
您的組織單位名稱是什麼? [Unknown]: dwStudy
您的組織名稱是什麼? [Unknown]: study
您所在的城市或區域名稱是什麼? [Unknown]: shanghai
您所在的省/市/自治區名稱是什麼? [Unknown]: shanghai
該單位的雙字母國家/地區程式碼是什麼? [Unknown]: CN
CN=dw303, OU=dwStudy, O=study, L=shanghai, ST=shanghai, C=CN是否正確? [否]: 是
輸入 <apacheds> 的金鑰口令 (如果和金鑰庫口令相同, 按回車):
再次輸入新口令:
Warning: JKS 金鑰庫使用專用格式。建議使用 "keytool -importkeystore -srckeystore ads.keystore -destkeystore ads.keystore -deststoretype pkcs12" 遷移到行業標準格式 PKCS12。
- Change the file's ownership
sudo chown apacheds:apacheds ads.keystore
2. Export the certificate
keytool -export -alias apacheds -keystore ads.keystore -rfc -file ads.cer
輸入金鑰庫口令:
儲存在檔案 <ads.cer> 中的證書
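3. Import into the system certificate store
- Import the certificate into the system certificate store so that the self-signed certificate is trusted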
keytool -import -file ads.cer -alias apacheds -keystore /usr/lib/jvm/java-1.8.0/jre/lib/security/cacerts -storepass changeit
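4. Enable LDAPS
- Use Apache Directory Studio to connect to the ApacheDS service on the cluster
- Open the configuration page
- Enable LDAPS, set the keystore created above in the location shown in the figure, and save the configuration (Ctrl + S)
- Log in to the server and restart the ApacheDS service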
./bin/apacheds.sh stop
./bin/apacheds.sh start
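- LDAPS is now running; the service port defaults to 10636
II. Create user information
1. Create a partition
- Open the configuration page and create the partition dc=hadoop,dc=apache,dc=org, as shown in the figure below
- Log in to the server and restart the ApacheDS service so that the configuration takes effect
2. Create users
- Create the following file: users.ldif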
# Entry for a sample people container
# Please replace with site specific values
dn: ou=people,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass:organizationalUnit
ou: people

# Entry for a sample end user
# Please replace with site specific values
# dn: uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
# objectclass:top
# objectclass:person
# objectclass:organizationalPerson
# objectclass:inetOrgPerson
# cn: Guest
# sn: User
# uid: guest
# userPassword:guest-password

# entry for sample user admin
dn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass:person
objectclass:organizationalPerson
objectclass:inetOrgPerson
cn: Admin
sn: Admin
uid: admin
userPassword:123456

# entry for sample user presto
dn: uid=presto,ou=people,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass:person
objectclass:organizationalPerson
objectclass:inetOrgPerson
cn: Presto
sn: Presto
uid: presto
userPassword:123456

# create FIRST Level groups branch
dn: ou=groups,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass:organizationalUnit
ou: groups
description: generic groups branch

# create the analyst group under groups
dn: cn=analyst,ou=groups,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass: groupofnames
cn: analyst
description:analyst group
member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
member: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org

# create the scientist group under groups
dn: cn=scientist,ou=groups,dc=hadoop,dc=apache,dc=org
objectclass:top
objectclass: groupofnames
cn: scientist
description: scientist group
member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
- Import the file above in Apache Directory Studio; once the import succeeds, the newly added user information is visible
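A check that can be run on users.ldif before importing it, added here as an example and not part of the original post: it reports group members that have no entry in the file and userPassword values given in cleartext. The function names and the trimmed sample LDIF are constructed for illustration.

```python
def parse_ldif(text):
    """Split LDIF text into entries, each a list of (attribute, value) pairs.
    Handles comments, blank-line separators and 'attr:value' without a space;
    line folding and base64 ('attr::') values are out of scope here."""
    entries, current = [], []
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = []
            continue
        attr, _, value = line.partition(":")
        current.append((attr.strip().lower(), value.strip()))
    return entries

def audit_ldif(text):
    """Return findings for dangling group members and cleartext passwords."""
    entries = parse_ldif(text)
    known = {v.lower() for e in entries for a, v in e if a == "dn"}
    findings = []
    for entry in entries:
        dn = dict(entry).get("dn", "?")
        for attr, value in entry:
            if attr == "member" and value.lower() not in known:
                findings.append(f"{dn}: member {value} is not defined in this file")
            # Hashed values carry a scheme prefix such as {SSHA}
            if attr == "userpassword" and not value.startswith("{"):
                findings.append(f"{dn}: userPassword is given in cleartext")
    return findings

# Constructed sample: two entries trimmed from the users.ldif above.
SAMPLE_LDIF = """\
dn: uid=presto,ou=people,dc=hadoop,dc=apache,dc=org
objectclass:person
uid: presto
userPassword:123456

dn: cn=analyst,ou=groups,dc=hadoop,dc=apache,dc=org
objectclass: groupofnames
member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
member: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org
"""

if __name__ == "__main__":
    print("\n".join(audit_ldif(SAMPLE_LDIF)))
```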
III. Configure Presto
1. Create the keystore for the Presto coordinator
keytool -genkeypair -alias presto -keyalg RSA -validity 90 -keystore presto.keystore
2. Modify the Presto configuration
2.1. Edit config.properties
http-server.authentication.type=PASSWORD
http-server.https.enabled=true
http-server.https.port=8443
http-server.https.keystore.path=${PRESTO_HOME}/keystore
http-server.https.keystore.key=123456
2.2. Edit jvm.config
-Djavax.net.ssl.trustStore=/usr/lib/jvm/java-1.8.0/jre/lib/security/cacerts
-Djavax.net.ssl.trustStorePassword=changeit
2.3. Create password-authenticator.properties
password-authenticator.name=ldap
ldap.url=ldaps://dw303:10636
ldap.user-bind-pattern=uid=${USER},ou=people,dc=hadoop,dc=apache,dc=org
2.4. Create jndi.properties
java.naming.security.principal=uid=admin,ou=system
java.naming.security.credentials=secret
java.naming.security.authentication=simple
2.5. Package jndi.properties
- Package jndi.properties as a jar and copy it to ${PRESTO_HOME}/lib
jar -cvf jndi-properties.jar jndi.properties
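- Restart Presto; the LDAPS configuration takes effect
IV. Configure Kylin
- Copy presto.keystore to ${KYLIN_HOME}/tomcat/conf and rename it to .keystore
- Edit kylin.properties and change the pushdown configuration
- An official patch is available and can be brought in via KYLIN-4491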
####QUERY PUSH DOWN ####
kylin.query.pushdown.runner-class-name=org.apache.kylin.query.pushdown.PushdownRunnerSDKImpl
kylin.source.jdbc.dialect=presto
kylin.source.jdbc.adaptor=org.apache.kylin.sdk.datasource.adaptor.PrestoAdaptor
kylin.query.pushdown.jdbc.url=jdbc:presto://hostname:8443/hive?SSL=true
kylin.query.pushdown.jdbc.driver=com.facebook.presto.jdbc.PrestoDriver
kylin.query.pushdown.jdbc.username=presto
kylin.query.pushdown.jdbc.password=123456
kylin.query.pushdown.jdbc.pool-max-total=150
kylin.query.pushdown.jdbc.pool-max-idle=100
kylin.query.pushdown.jdbc.pool-min-idle=50
- Without the patch, the following configuration can be used instead; I have tested that it works
####QUERY PUSH DOWN ####
kylin.query.pushdown.runner-class-name=org.apache.kylin.query.adhoc.PushDownRunnerJdbcImpl
kylin.query.pushdown.jdbc.url=jdbc:presto://hostname:8443/hive?SSL=true
kylin.query.pushdown.jdbc.driver=com.facebook.presto.jdbc.PrestoDriver
kylin.query.pushdown.jdbc.username=presto
kylin.query.pushdown.jdbc.password=123456
kylin.query.pushdown.jdbc.pool-max-total=150
kylin.query.pushdown.jdbc.pool-max-idle=100
kylin.query.pushdown.jdbc.pool-min-idle=50
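
A cross-file consistency check for the Presto and Kylin settings above, added here as an example and not part of the original post: it confirms that password authentication is paired with HTTPS, that ldap.url uses ldaps://, that the bind pattern contains ${USER}, and that the Kylin JDBC URL points at the Presto HTTPS port with SSL=true. The function names are hypothetical and the sample input is constructed from the values shown in this post.

```python
from urllib.parse import urlparse, parse_qs

def parse_properties(text):
    """Parse Java-style key=value lines, splitting on the first '=' only
    (the LDAP bind pattern and the JDBC URL both contain '=')."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(config_text, authenticator_text, kylin_text):
    """Return a list of findings; an empty list means the three files agree."""
    cfg = parse_properties(config_text)
    auth = parse_properties(authenticator_text)
    kylin = parse_properties(kylin_text)
    findings = []
    https_on = cfg.get("http-server.https.enabled") == "true"
    if cfg.get("http-server.authentication.type") == "PASSWORD" and not https_on:
        findings.append("PASSWORD authentication is on but HTTPS is not enabled")
    if urlparse(auth.get("ldap.url", "")).scheme != "ldaps":
        findings.append("ldap.url does not use ldaps://")
    if "${USER}" not in auth.get("ldap.user-bind-pattern", ""):
        findings.append("ldap.user-bind-pattern has no ${USER} placeholder")
    # Strip the leading 'jdbc:' so urlparse sees presto://host:port/catalog?params
    url = kylin.get("kylin.query.pushdown.jdbc.url", "").split("jdbc:", 1)[-1]
    jdbc = urlparse(url)
    if str(jdbc.port) != cfg.get("http-server.https.port"):
        findings.append("Kylin JDBC port differs from http-server.https.port")
    if parse_qs(jdbc.query).get("SSL") != ["true"]:
        findings.append("Kylin JDBC URL does not set SSL=true")
    return findings

# Constructed sample input: the relevant lines of the three files from this post.
CONFIG = """http-server.authentication.type=PASSWORD
http-server.https.enabled=true
http-server.https.port=8443"""
AUTHENTICATOR = """password-authenticator.name=ldap
ldap.url=ldaps://dw303:10636
ldap.user-bind-pattern=uid=${USER},ou=people,dc=hadoop,dc=apache,dc=org"""
KYLIN = "kylin.query.pushdown.jdbc.url=jdbc:presto://hostname:8443/hive?SSL=true"

if __name__ == "__main__":
    for finding in audit(CONFIG, AUTHENTICATOR, KYLIN) or ["no findings"]:
        print(finding)
```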