当前位置：首页 > news >正文

Flink SQL 在kerberos on yarn环境下提交

news 来源：原创 2024/5/5 11:44:20

yarn环境中一般都会配置kerberos 用来做权限管控，flink 在 kerberos on yarn环境中提交作业时，需要做一些配置处理，用来帮助做认证。

参考文档，需要在flink-conf.yaml中配置

security.kerberos.krb5-conf.path: /etc/krb5.conf

security.kerberos.login.use-ticket-cache: true
security.kerberos.login.keytab: /data/flink.keytab
security.kerberos.login.principal: flink/api@EXAMPLE.COM

然后通过flink-client进行提交

/data/etl/ll_test/flink-1.13.5/bin/flink run -t yarn-per-job -Dyarn.application.name=kafka2hbase -Dparallelism.default=1 -Djobmanager.memory.process.size=2048mb -Dtaskmanager.memory.process.size=2048mb -Dtaskmanager.numberOfTaskSlots=1 -Drest.flamegraph.enabled=true -c cn.com.example.bigdata.index.app.IndexServiceApp /data/etl/ll_test/jars/bigdata-etl-index-3.2.0.jar 5 30 hdfs submit_test_job /data/etl/ll_test/sql.txt

即可将作业提交到yarn上。

如果没有在flink-conf.yaml中进行配置，yarn会拒绝作业的提交。

hbase sql sink on kerberos

参考文档，官方提供的hbase sql connector 是支持Kerberos认证的，需要设定 'properties.hbase.security.authentication' = 'kerberos'

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-FiyypfSC-1664086698726)(https://secure2.wostatic.cn/static/sMMLzm9XtB5oZnVn5zCjCr/image.png)]

那么还需要配置keytab证书嘛？

经验证是不需要的，hbase ddl可以这样

CREATE TABLE hbase_sink 
(
  rowkey STRING,
  cf ROW<urlC STRING>,
  PRIMARY KEY (rowkey) NOT ENFORCED) 
WITH (
  'connector' = 'hbase-1.4',
  'table-name' = 'dim_hbase',
  'sink.buffer-flush.max-rows' = '5',
  'zookeeper.quorum' = '172.17.26.201:2181,172.17.26.202:2181,172.17.26.203:2181',
  'properties.hbase.security.authentication' = 'kerberos')

在集群中是可以稳定的跑起来。

keytab是证书是有时效性的，如果失效了怎么办？其实不需要担心，因为在flink中有一个线程会定期进行认证，保证认证的有效性。

在集群中出现过一个错误，

2022-09-16 16:49:10,144 ERROR org.apache.zookeeper.client.ZooKeeperSaslClient              [] - An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)]) occurred when evaluating Zookeeper Quorum Member's  received SASL token. Zookeeper Client will go to AUTH_FAILED state.
2022-09-16 16:49:10,145 ERROR org.apache.zookeeper.ClientCnxn                              [] - SASL authentication with Zookeeper Quorum member failed: javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)]) occurred when evaluating Zookeeper Quorum Member's  received SASL token. Zookeeper Client will go to AUTH_FAILED state.

看起来是在连接zookeeper的时候认证没有成功，不是flink可以帮助做认证嘛，为什么又失败了那？

经查，可能是sasl开启导致的。

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-e4a3aQ3f-1664086698727)(https://secure2.wostatic.cn/static/gYr6HmqZgyEHeZPSzEwi4q/lQLPJxazRogkgi7NAgfNA32wadYJyPQPXHADJsqTGwAdAA_893_519.png)]

重新打开flink-conf.yaml，添加配置

# security.kerberos.login.contexts: Client,KafkaClient

#==============================================================================
# ZK Security Configuration
#==============================================================================
zookeeper.sasl.disable: true
# Below configurations are applicable if ZK ensemble is configured for security

# Override below configuration to provide custom ZK service name if configured
# zookeeper.sasl.service-name: zookeeper

# The configuration below must match one of the values set in "security.kerberos.login.contexts"
# zookeeper.sasl.login-context-name: Client

关闭sasl认证。

重新提交作业，就可以恢复了。