
How does DataSphere Studio support multiple user login authentication methods

2025-04-13 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains how DataSphere Studio supports a variety of user login authentication methods. The editor finds it very practical and shares it here in the hope that you get something out of it. Without further ado, let's take a look.

"DataSphere Studio only provides administrator accounts by default, and user login authentication depends entirely on Linkis's user login authentication system. This article will introduce in detail the user login authentication methods that Linkis already supports, and how to supplement and improve user environment information."

The DataSphere Studio administrator's username and password are both the name of the deployment user. If the deployment user is hadoop, the administrator's username/password is hadoop/hadoop. User login authentication in DataSphere Studio relies on Linkis's user login authentication system.

In addition to administrators, Linkis also supports the following user login authentication methods:

Access to LDAP

Access to SSO single sign-on

Token login method

Proxy user mode

Whichever user login authentication method you connect, you need to complete the user environment information for all Linkis users (except the deployment user).

Section 05 describes in detail how to complete the user environment information.

01 - Access to LDAP

Go to linkis/linkis-gateway/conf, edit the configuration file linkis.properties, and add your LDAP server configuration:

vi linkis/linkis-gateway/conf/linkis.properties

# your LDAP service URL
wds.linkis.ldap.proxy.url=ldap://127.0.0.1:389/
# your LDAP service configuration
wds.linkis.ldap.proxy.baseDN=dc=webank,dc=com

Restart linkis-gateway for the change to take effect.

02 - Access to SSO single sign-on

Connecting your company's SSO single sign-on system is a bit more complicated.

First, turn on the SSO single sign-on authentication function by specifying the following parameter in linkis/linkis-gateway/conf/linkis.properties:

wds.linkis.gateway.conf.enable.sso=true

Then, implement the SSOInterceptor interface:

trait SSOInterceptor {

  /**
    * If the SSO single sign-on feature is enabled, the frontend redirects to the SSO login page and,
    * after a successful login, jumps back to the DSS home page, where the DSS frontend requests the gateway again.
    * The gateway obtains the user logged in through SSO by calling this method, then writes the user to a cookie
    * so that subsequent requests can be let through directly.
    * You need to implement this method and return the user name based on the Request.
    * @param gatewayContext
    * @return
    */
  def getUser(gatewayContext: GatewayContext): String

  /**
    * From the DSS home page URL, generate a redirectable SSO login page URL.
    * Requirement: carry requestUrl along so that SSO can jump back after a successful login.
    * @param requestUrl DSS home page URL
    * @return for example: https://${sso_host}:${sso_port}/cas/login?redirectUrl=${requestUrl}
    */
  def redirectTo(requestUrl: URI): String

  /**
    * When a user logs out, the gateway calls this method so that, after the gateway clears the cookie,
    * the SSO single sign-on system also clears its login information.
    * @param gatewayContext
    */
  def logout(gatewayContext: GatewayContext): Unit

}

Package your SSO implementation class into a jar and put it in the linkis/linkis-gateway/lib directory.

Linkis provides two ways to load your SSO implementation class:

1. Declare the SSO implementation class as a Spring bean; all this requires is annotating the class with @Component.

2. Specify the following parameter in linkis/linkis-gateway/conf/linkis.properties:

# Please specify your SSO implementation class
wds.linkis.gateway.conf.sso.interceptor=com.webank.wedatasphere.linkis.gateway.security.sso.SSOInterceptor

Restart linkis-gateway and SSO single sign-on takes effect.

03 - Token login method

This method is for third-party systems that access Linkis and DSS. When a third-party system calls the Linkis and DSS backend interfaces, it can skip login directly through token mode.

Specify the following parameters in linkis/linkis-gateway/conf/linkis.properties:

# turn on token mode
wds.linkis.gateway.conf.enable.token.auth=true
# specify the token configuration file
wds.linkis.gateway.conf.token.auth.config=token.properties

Create a token.properties file under the linkis/linkis-gateway/conf directory with the following content:

# format:
${TOKEN_NAME}=${USER1},${USER2}
# for example:
AZKABAN=*

TOKEN_NAME is the tokenId assigned to a third-party system, and the value after it lists the users who can skip login. If you fully trust all requests from that system, the value can simply be *, which means full authorization.

When a third-party system requests DSS and Linkis, it writes the following two parameters in the header or cookie of the request:

{
  "Token-Code": "${TOKEN_NAME}",
  "Token-User": "${USER}"
}

04 - Proxy user mode

This mode lets the login user differ from the user that actually uses DSS. Its main purpose is to require users to log in as real-name users, while the big data platform is actually used as a non-real-name user.

Specify the following parameters in linkis/linkis-gateway/conf/linkis.properties:

# turn on proxy mode
wds.linkis.gateway.conf.enable.proxy.user=true
# specify the proxy configuration file
wds.linkis.gateway.conf.proxy.user.config=proxy.properties

Create a proxy.properties file under the linkis/linkis-gateway/conf directory with the following content:

# format:
${LOGIN_USER}=${PROXY_USER}
# for example:
enjoyyin=hadoop

If the existing proxy mode does not meet your needs, you can also modify it manually: com.webank.wedatasphere.linkis.gateway.security.ProxyUserUtils.
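The token.properties and proxy.properties formats from sections 03 and 04 can be reviewed mechanically before the gateway is restarted. The following is an added example, not code from Linkis or from the original article: it models the documented token rule and reports wildcard grants and mappings onto privileged accounts. The PRIVILEGED set, the function names and the sample entries other than AZKABAN=* and enjoyyin=hadoop are assumptions.

```python
PRIVILEGED = {"hadoop"}  # assumption: the deployment/admin accounts at your site


def parse_properties(text):
    """Parse simple key=value lines, skipping blank lines and # comments."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip()] = value.strip()
    return entries


def users_of(value):
    """Split a comma-separated user list into a set of names."""
    return {user.strip() for user in value.split(",") if user.strip()}


def token_allows(tokens, token_code, token_user):
    """Model of the rule described above: '*' trusts every user."""
    users = users_of(tokens.get(token_code, ""))
    return "*" in users or token_user in users


def audit(token_text, proxy_text, privileged=PRIVILEGED):
    """Return findings for grants that reach beyond ordinary named users."""
    findings = []
    for name, value in parse_properties(token_text).items():
        users = users_of(value)
        if "*" in users:
            findings.append(f"token {name}: wildcard, may act as any user")
        for user in sorted(users & privileged):
            findings.append(f"token {name}: may act as privileged user {user}")
    for login, proxy in parse_properties(proxy_text).items():
        if proxy in privileged:
            findings.append(f"proxy {login}: runs as privileged user {proxy}")
    return findings


# Constructed sample files that mirror the examples on this page.
TOKEN_SAMPLE = "# format: TOKEN_NAME=USER1,USER2\nAZKABAN=*\nREPORTING=alice, bob\n"
PROXY_SAMPLE = "enjoyyin=hadoop\ncarol=etl_user\n"

if __name__ == "__main__":
    for finding in audit(TOKEN_SAMPLE, PROXY_SAMPLE):
        print(finding)
```

To review a real deployment, pass the contents of the two files under linkis/linkis-gateway/conf to audit() in place of the constructed samples.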

05 - How to complete user environment information

Because DSS & Linkis enforce top-down multi-tenant isolation, a logged-in user can only use DSS normally if a corresponding Linux user also exists on the Linux servers. The specific steps are as follows:

1. Create the corresponding Linux user on all Linkis & DSS servers.

2. Create the corresponding Linux user on the Hadoop NameNode.

3. Make sure the Linux user on the Linkis & DSS servers can run commands such as hdfs dfs -ls / normally. The user also needs to be able to run Spark and Hive tasks normally, for example start a Spark application with the spark-sql command and a Hive client with the hive command.

4. Since each user's workspace is strictly isolated, you also need to create a workspace and an HDFS directory for that user, as follows:

# create a user workspace directory
mkdir $WORKSPACE_USER_ROOT_PATH/${NEW_USER}
chmod 750 $WORKSPACE_USER_ROOT_PATH/${NEW_USER}
# create a user HDFS directory
hdfs dfs -mkdir $HDFS_USER_ROOT_PATH/${NEW_USER}
hdfs dfs -chown ${NEW_USER}:${NEW_USER} $HDFS_USER_ROOT_PATH/${NEW_USER}
hdfs dfs -chmod 750 $HDFS_USER_ROOT_PATH/${NEW_USER}

WORKSPACE_USER_ROOT_PATH and HDFS_USER_ROOT_PATH are the workspace and HDFS root paths that you set when you installed DSS with the one-click installer.

If you did not set them, the defaults are:

WORKSPACE_USER_ROOT_PATH=file:///tmp/linkis
HDFS_USER_ROOT_PATH=hdfs:///tmp/linkis

The above is how DataSphere Studio supports a variety of user login authentication methods. The editor believes it covers some points that we may see or use in our daily work, and hopes you can learn more from this article. For more details, please follow the industry information channel.
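The directory setup from section 05 is usually run by the deployment user for each new account, so the user name should be validated before it becomes part of a path. The following is an added example, not code from the article or from DSS: it builds the five commands as argument lists for subprocess.run, so no shell interprets the name. The name pattern, the function names and the conversion of a file:// workspace root to a local path are assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: a conservative Linux login-name pattern; adjust to site policy.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def local_path(root):
    """Turn file:///tmp/linkis into /tmp/linkis; plain paths pass through."""
    parsed = urlparse(root)
    return parsed.path if parsed.scheme == "file" else root


def provision_plan(new_user, workspace_root, hdfs_root):
    """Return the five commands from section 05 as argv lists (no shell)."""
    if not USERNAME_RE.fullmatch(new_user):
        # Rejects names such as "../etc" or "a;b" before any path is built.
        raise ValueError(f"refusing unsafe user name: {new_user!r}")
    workspace = f"{local_path(workspace_root).rstrip('/')}/{new_user}"
    hdfs_dir = f"{hdfs_root.rstrip('/')}/{new_user}"
    return [
        ["mkdir", workspace],
        ["chmod", "750", workspace],
        ["hdfs", "dfs", "-mkdir", hdfs_dir],
        ["hdfs", "dfs", "-chown", f"{new_user}:{new_user}", hdfs_dir],
        ["hdfs", "dfs", "-chmod", "750", hdfs_dir],
    ]


if __name__ == "__main__":
    # Default roots given in section 05; "alice" is a constructed user name.
    plan = provision_plan("alice", "file:///tmp/linkis", "hdfs:///tmp/linkis")
    for argv in plan:
        print(" ".join(argv))  # run with subprocess.run(argv, check=True)
```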
