Quickly setting up a Hadoop KMS development and integration environment
Overview
Hadoop KMS is a cryptographic key management server built on Hadoop's KeyProvider API. Its client is a KeyProvider implementation that talks to the KMS through the KMS HTTP REST API.
KMS and its client have security built in: they support HTTP SPNEGO Kerberos authentication and HTTPS for secure transport.
KMS is a Java web application that runs on the preconfigured Tomcat server bundled with the Hadoop distribution.
Quick setup
Since it is built on Hadoop, the fastest route is a containerized environment:
https://hub.docker.com/r/gradiant/hdfs
https://github.com/Gradiant/dockerized-hadoop
Reference: https://github.com/Gradiant/dockerized-hadoop/blob/master/docker-compose.yml
Based on that docker-compose file and the KMS documentation [https://hadoop.apache.org/docs/current/hadoop-kms/index.html], the container environment is set up as follows.
Generate the key
# Generate the keystore that backs the KMS (demokms is the development password used throughout this post)
keytool -genkey -alias 'kmskey' -keystore ./kms.jks -dname "CN=localhost, OU=localhost, O=localhost, L=SH, ST=SH, C=CN" -keypass demokms -storepass demokms -validity 36500
# Write the keystore password to the file that kms-site.xml refers to
echo "demokms" > kms.keystore.password
kms-site.xml configuration
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <!-- KMS Backend KeyProvider -->
  <property>
    <name>hadoop.kms.key.provider.uri</name>
    <value>jceks://file@/opt/hadoop/key/kms.jks</value>
    <description>
      URI of the backing KeyProvider for the KMS.
    </description>
  </property>
  <property>
    <name>hadoop.security.keystore.java-keystore-provider.password-file</name>
    <value>kms.keystore.password</value>
    <description>
      If using the JavaKeyStoreProvider, the password for the keystore file.
    </description>
  </property>
  <property>
    <name>dfs.encryption.key.provider.uri</name>
    <value>kms://http@172.19.0.10:9600/kms</value>
  </property>
  <property>
    <name>hadoop.kms.authentication.type</name>
    <value>simple</value>
    <description>
      Authentication type for the KMS. Can be either "simple"
      or "kerberos".
    </description>
  </property>
</configuration>
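The configuration above is fine for a throwaway development container, but two of its values are what makes it development-only: "simple" authentication means the server takes the caller's identity from the user.name query parameter with no credential behind it, and a kms://http@ URI sends key material to the KMS in the clear. The following script is an added example (not code from this post or from Hadoop) that parses Hadoop's property layout from a constructed copy of the kms-site.xml above and reports those settings together with the value the post's own description names as the alternative ("kerberos", HTTPS). It also checks that the keystore password file is readable by its owner only, since that file is the only thing protecting kms.jks. The function names are this example's own.

```python
"""Audit a kms-site.xml for development-only settings.

Added example, not code from the post or from Hadoop. Parses Hadoop's
<configuration><property><name>/<value> layout and flags settings that must
change before the KMS leaves the dev container.
"""
import os
import stat
import xml.etree.ElementTree as ET

# Constructed copy of the post's kms-site.xml (same names and values).
DEV_KMS_SITE = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <property><name>hadoop.kms.key.provider.uri</name>
    <value>jceks://file@/opt/hadoop/key/kms.jks</value></property>
  <property><name>hadoop.security.keystore.java-keystore-provider.password-file</name>
    <value>kms.keystore.password</value></property>
  <property><name>dfs.encryption.key.provider.uri</name>
    <value>kms://http@172.19.0.10:9600/kms</value></property>
  <property><name>hadoop.kms.authentication.type</name>
    <value>simple</value></property>
</configuration>"""


def parse_hadoop_conf(xml_text):
    """Return {property name: value} from a Hadoop-style configuration file."""
    conf = {}
    for prop in ET.fromstring(xml_text).findall("property"):
        name = prop.findtext("name")
        if name:
            conf[name.strip()] = (prop.findtext("value") or "").strip()
    return conf


def audit_kms_conf(conf):
    """Return (setting, problem, recommended value) tuples for dev-only settings."""
    findings = []
    # Hadoop defaults the type to "simple" when the property is absent.
    auth = conf.get("hadoop.kms.authentication.type", "simple")
    if auth != "kerberos":
        findings.append(("hadoop.kms.authentication.type",
                         "'%s' trusts the ?user.name= query parameter: any caller can claim any user" % auth,
                         "kerberos"))
    uri = conf.get("dfs.encryption.key.provider.uri", "")
    if uri.startswith("kms://http@"):
        findings.append(("dfs.encryption.key.provider.uri",
                         "plain http: key material and encrypted keys cross the wire unencrypted",
                         "kms://https@" + uri[len("kms://http@"):]))
    return findings


def password_file_is_private(path):
    """True if the keystore password file has no group/other permission bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


if __name__ == "__main__":
    for setting, problem, fix in audit_kms_conf(parse_hadoop_conf(DEV_KMS_SITE)):
        print("%s: %s -> set to %s" % (setting, problem, fix))
    if os.path.exists("kms.keystore.password"):
        print("password file private:", password_file_is_private("kms.keystore.password"))
```

Run it in the directory holding kms.keystore.password; against the post's configuration it reports both the authentication type and the http URI, and a keystore password file created with a default umask (0644) shows up as not private.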
docker-compose configuration and startup
# https://github.com/Gradiant/dockerized-hadoop
# http://localhost:50070 for hadoop 2.x
# http://localhost:9870 for hadoop 3.x
# CORE_CONF_fs_defaultFS hdfs://hostname -f:8020
#
version: "3"
services:
  namenode:
    image: gradiant/hdfs:3.2.1
    container_name: hdfs-namenode
    environment:
      - HDFS_CONF_dfs_replication=1
    volumes:
      - name:/hadoop/dfs
      - ./sources.list:/etc/apt/sources.list
      - ./kms-site.xml:/opt/hadoop-3.2.1/etc/hadoop/kms-site.xml
      - ./kms.sh:/opt/hadoop/kms.sh
      - ./kms.keystore.password:/opt/hadoop-3.2.1/etc/hadoop/kms.keystore.password
    command:
      - namenode
    ports:
      - 8020:8020
      - 50070:50070
      - 9870:9870
      - 9600:9600
    networks:
      hdfs-networks:
        ipv4_address: 172.19.0.10
  datanode-0:
    image: gradiant/hdfs:3.2.1
    container_name: hdfs-datanode1
    environment:
      - CORE_CONF_fs_defaultFS=hdfs://namenode:8020
      - HDFS_CONF_dfs_replication=1
    volumes:
      - data-0:/hadoop/dfs
      - ./sources.list:/etc/apt/sources.list
    command:
      - datanode
    networks:
      hdfs-networks:
        ipv4_address: 172.19.0.11
volumes:
  data-0:
  name:
networks:
  hdfs-networks:
    ipam:
      driver: default
      config:
        - subnet: 172.19.0.0/16
Start it with docker-compose up -d
The Debian sources.list it depends on
deb http://mirrors.aliyun.com/debian/ buster main non-free contrib
deb http://mirrors.aliyun.com/debian-security buster/updates main
deb http://mirrors.aliyun.com/debian/ buster-updates main non-free contrib
deb http://mirrors.aliyun.com/debian/ buster-backports main non-free contrib
Starting KMS
# The Hadoop services above run as the hdfs user, so the ownership and permissions of kms.jks must match what the container expects; otherwise key generation fails with a permission error
docker exec -it hdfs-namenode bash -c "mkdir -p /opt/hadoop/key"
docker cp kms.jks hdfs-namenode:/opt/hadoop/key/
docker exec -itd hdfs-namenode /opt/hadoop/kms.sh
kms.sh contents:
#!/bin/bash
nohup hadoop --daemon start kms
Tip
docker exec -u root -it hdfs-namenode bash enters the container as root so you can install tools for diagnosis and inspection. This Hadoop image is Debian 10 with few packages installed; after apt-get update, packages can be installed from the aliyun mirror, e.g. netstat via apt-get install net-tools.
If no exceptions appear, the service is ready to use.
REST access
Refer to the official documentation: https://hadoop.apache.org/docs/current/hadoop-kms/index.html
# ?user.name=hdfs is required; without it the request is rejected as unauthorized (401)
# curl -X GET http://172.19.0.10:9600/kms/v1/keys/names
curl -X GET http://172.19.0.10:9600/kms/v1/keys/names?user.name=hdfs
# curl -i --header "Accept:application/json" -H "Content-Type:application/json" -X GET http://172.19.0.10:9600/kms/v1/keys/names?user.name=hdfs
#https://hadoop.apache.org/docs/current/hadoop-kms/index.html
#Create a Key
curl -X POST http://172.19.0.10:9600/kms/v1/keys?user.name=hdfs -H 'Content-Type: application/json' -d'
{
"name" : "testkey",
"cipher" : "AES_128_CBC",
"length" : 128,
"material" : "1234567812345678123456",
"description" : "demo"
}
'
#Get Key Metadata
curl -X GET http://172.19.0.10:9600/kms/v1/key/testkey/_metadata?user.name=hdfs
#Get Current Key
curl -X GET http://172.19.0.10:9600/kms/v1/key/testkey/_currentversion?user.name=hdfs
curl -X GET http://172.19.0.10:9600/kms/v1/keys/names?user.name=hdfs
#Generate Encrypted Key for Current KeyVersion
# Overwrite /tmp/k.json rather than appending (tee -a): a second run would leave two JSON arrays in the file and break the jq lookups below
curl -X GET "http://172.19.0.10:9600/kms/v1/key/testkey/_eek?eek_op=generate&num_keys=3&user.name=hdfs" | tee /tmp/k.json
# Decrypt Encrypted Key
# Take the first of the generated keys
IV=`jq ".[0].iv" /tmp/k.json`
MAT=`jq ".[0].encryptedKeyVersion.material" /tmp/k.json`
NAME=`jq ".[0].encryptedKeyVersion.name" /tmp/k.json`
curl -X POST "http://172.19.0.10:9600/kms/v1/keyversion/testkey@0/_eek?eek_op=decrypt&user.name=hdfs" -H 'Content-Type: application/json' -d'
{
"name" : '${NAME}',
"iv" : '${IV}',
"material" : '${MAT}'
}
'
#Delete Key
curl -X DELETE http://172.19.0.10:9600/kms/v1/key/testkey?user.name=hdfs
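An application integrating with the KMS will drive the same sequence from code rather than from curl and jq. The client below is an added example (not code from this post or from Hadoop) that issues the calls shown above against the same endpoints, and replaces the jq step with a function that builds the decrypt request from a generate-EEK response entry, taking the key version to POST to from that entry rather than hard-coding testkey@0. Because hadoop.kms.authentication.type=simple identifies the caller by the user.name query parameter alone, the client refuses a plain http:// base URL unless allow_insecure_http=True is passed explicitly, which is what the development container above needs. The transport is an injectable function so the whole flow can be replayed offline against constructed responses; endpoint paths and JSON field names follow the KMS REST API documentation, while the class, function and parameter names and the sample values are this example's own.

```python
"""Minimal Hadoop KMS REST client.

Added example, not code from the post or from Hadoop. Endpoint paths and
JSON fields follow the KMS REST API documentation; names are this example's own.
"""
import json
import urllib.request
from urllib.parse import quote, urlencode


def urllib_send(method, url, body):
    """Real transport: send JSON (if any), return the decoded reply or None if empty."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


class KmsClient:
    """KMS client. In 'simple' mode the server takes the caller's identity from
    ?user.name= with no credential, so plain http is refused unless explicitly allowed."""

    def __init__(self, base_url, user, send=urllib_send, allow_insecure_http=False):
        if base_url.startswith("http://") and not allow_insecure_http:
            raise ValueError("KMS over plain http; use https or set allow_insecure_http=True")
        self.base = base_url.rstrip("/")
        self.user = user
        self.send = send  # send(method, url, body) -> decoded JSON

    def _url(self, path, **params):
        params["user.name"] = self.user  # pseudo-auth identity (simple mode only)
        return "%s/v1/%s?%s" % (self.base, path, urlencode(params))

    def key_names(self):
        return self.send("GET", self._url("keys/names"), None)

    def create_key(self, name, material_b64, cipher="AES_128_CBC", length=128, description=""):
        body = {"name": name, "cipher": cipher, "length": length,
                "material": material_b64, "description": description}
        return self.send("POST", self._url("keys"), body)

    def metadata(self, name):
        return self.send("GET", self._url("key/%s/_metadata" % quote(name)), None)

    def current_version(self, name):
        return self.send("GET", self._url("key/%s/_currentversion" % quote(name)), None)

    def generate_eeks(self, name, num_keys):
        return self.send("GET", self._url("key/%s/_eek" % quote(name),
                                          eek_op="generate", num_keys=num_keys), None)

    def decrypt_eek(self, eek):
        """Decrypt one generate-EEK entry. The version to POST to is the entry's
        top-level versionName (the encryption key version, e.g. testkey@0), not
        encryptedKeyVersion.versionName, which is the constant "EEK"."""
        path = "keyversion/%s/_eek" % quote(eek["versionName"], safe="@")
        return self.send("POST", self._url(path, eek_op="decrypt"), decrypt_request_from_eek(eek))

    def delete_key(self, name):
        return self.send("DELETE", self._url("key/%s" % quote(name)), None)


def decrypt_request_from_eek(eek):
    """The same three fields the post extracts with jq: name, iv, material."""
    ekv = eek["encryptedKeyVersion"]
    return {"name": ekv["name"], "iv": eek["iv"], "material": ekv["material"]}


def replay_dev_flow(calls):
    """Run the post's sequence against a fake transport; returns the decrypt reply.
    Responses are constructed to match the documented shapes; the base64 strings
    are placeholders, not real key material."""
    generated = [{"versionName": "testkey@0", "iv": "AAAAAAAAAAAAAAAAAAAAAA==",
                  "encryptedKeyVersion": {"versionName": "EEK", "name": "testkey",
                                          "material": "EEEEEEEEEEEEEEEEEEEEEA=="}}]

    def fake_send(method, url, body):
        calls.append((method, url, body))
        if "eek_op=generate" in url:
            return generated
        if "eek_op=decrypt" in url:
            return {"name": "testkey", "versionName": "EK", "material": "BBBBBBBBBBBBBBBBBBBBBA=="}
        return None

    kms = KmsClient("http://172.19.0.10:9600/kms", "hdfs", send=fake_send, allow_insecure_http=True)
    kms.key_names()
    kms.create_key("testkey", "1234567812345678123456", description="demo")
    kms.metadata("testkey")
    kms.current_version("testkey")
    dek = kms.decrypt_eek(kms.generate_eeks("testkey", 3)[0])
    kms.delete_key("testkey")
    return dek


if __name__ == "__main__":
    log = []
    print("decrypted:", replay_dev_flow(log))
    for method, url, body in log:
        print(method, url, body or "")
```

Against the running container, replace fake_send with the default transport: KmsClient("http://172.19.0.10:9600/kms", "hdfs", allow_insecure_http=True) produces exactly the URLs the curl commands above use. Once the KMS is moved to HTTPS with Kerberos, the user.name parameter is ignored by the server and the transport has to carry SPNEGO credentials instead, which urllib alone does not do.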
Summary
With a single container, Hadoop KMS is up and running quickly, and other applications can then integrate with and use it right away.
The REST access-permission issues involved in the process above are not covered; integration testing can still be completed.
Overall, when username/password or Kerberos authentication is required, only minor adjustments to the REST integration are needed.