dask使用kerberos认证读取hive数据库
1、首先主机需要有KERBEROS客户端,测试kinit命令是否存在;
2、执行
kinit -kt xxx.keytab xxx/zzzz@EXAMPLE.COM
在此之前需要确认xxx.keytab 文件正确,以及/etc/krb5.conf配置文件配置正确
下面是krb5.conf, 以下的配置和代码中的Example需要替换为自己的目标配置
kerberos.example.com 这个配置是hive所在主机的映射名,可在/etc/hosts中配置映射
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
# default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
3、
con = "hive://ipaddr:10000/database?auth=KERBEROS&kerberos_service_name=hive"
ipaddr是远程hive数据库主机地址,database是要连接的数据库名;
这里设置auth=KERBEROS 使用kerberos方式连接hive数据库,不需要密码,但是需要keytab认证文件,设置kerberos_service_name=hive
4、使用sqlalchemy构建sql查询语句
from sqlalchemy import Column, MetaData, Table, text
from sqlalchemy.sql import select
metadata = MetaData()
columns = "col1,col2,col3,col4"
li = [Column(col) for col in columns.split(",")]
print(*li)
t = Table('tableName', metadata,
*li,
schema='databaseName')
s = select([t]).where(text("col2>4"), text("col3>5")).limit(2)
dask的read_sql_table方法要么就是进行整表查询
5、使用krbcontext模块进行认证并进行数据读取
principal = "xxx/zzzz@EXAMPLE.COM"
keytab_path = "./xxx.keytab"
from krbcontext import krbcontext
with krbcontext(using_keytab=True, principal=principal, keytab_file=keytab_path):
df = dd.read_sql_table(s, con, index_col="col1")
有个依赖包需要sasl,这个包在linux上使用conda能够正常安装,在windows上可能会因为缺少一些不确定的东西而装不上,在linux上直接conda install sasl即可。
