Repository: ambari Updated Branches: refs/heads/trunk 16affea25 -> e1ca79f6f
AMBARI-5563. Fix kerberos_setup.sh on ubuntu (aonishuk) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/e1ca79f6 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/e1ca79f6 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/e1ca79f6 Branch: refs/heads/trunk Commit: e1ca79f6ff53d0d684a5151e42c9757034653be1 Parents: 16affea Author: Andrew Onishuk <[email protected]> Authored: Mon Apr 28 13:03:50 2014 +0300 Committer: Andrew Onishuk <[email protected]> Committed: Mon Apr 28 13:03:50 2014 +0300 ---------------------------------------------------------------------- .../main/resources/scripts/kerberos-setup.sh | 96 ++++++++++++++++---- .../src/main/resources/scripts/krb5.conf | 37 ++++++++ 2 files changed, 113 insertions(+), 20 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/e1ca79f6/ambari-server/src/main/resources/scripts/kerberos-setup.sh ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/scripts/kerberos-setup.sh b/ambari-server/src/main/resources/scripts/kerberos-setup.sh index 0fee7ef..f61b448 100755 --- a/ambari-server/src/main/resources/scripts/kerberos-setup.sh +++ b/ambari-server/src/main/resources/scripts/kerberos-setup.sh @@ -89,9 +89,9 @@ processCSVFile () { seenHosts="$seenHosts$hostName"; fi - if [[ $seenPrincipals != *$principal* ]]; then + if [[ $seenPrincipals != *" $principal"* ]]; then echo -e "kadmin.local -q \"addprinc -randkey $principal\"" >> commands.addprinc; - seenPrincipals="$seenPrincipals$principal" + seenPrincipals="$seenPrincipals $principal" fi tmpKeytabFile="`pwd`/tmp_keytabs/$keytabFile"; newKeytabPath="`pwd`/keytabs_$hostName$keytabFilePath"; 
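Review bot: The new test `*" $principal"*` delimits the principal only on its left side, so a principal that is a prefix of one already recorded still matches and its `addprinc` line is never written. Delimit both sides, for example `if [[ "$seenPrincipals " != *" $principal "* ]]; then`, leaving the append as the commit has it. The `seenHosts` append in the context line above still concatenates without a separator, so the host check presumably has the same weakness. processCSVFile starts and ends outside this hunk.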
@@ -176,22 +176,48 @@ processCSVFile () { installKDC () { csvFile=$1; sshLoginKey=$2; + HOSTNAME=`hostname --fqdn` + scriptDir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" + krb5_new_conf=$scriptDir"/krb5.conf" krb5_conf="/etc/krb5.conf" - # Configure /etc/krb5.conf - sed -c -i "/FILE/!s/\(kdc *= *\).*/\1$HOSTNAME/" $krb5_conf - sed -c -i "/FILE/!s/\(admin_server *= *\).*/\1$HOSTNAME/" $krb5_conf + # Install rng tools + $inst_cmd rng-tools + if [ $os == 'debian' ]; then + echo "HRNGDEVICE=/dev/urandom" >> /etc/default/rng-tools + /etc/init.d/rng-tools start + else + sed -i "s/\(EXTRAOPTIONS *= *\).*/\1\"-r \/dev\/urandom\"/" "/etc/sysconfig/rngd" + # start rngd + /etc/init.d/rngd start + fi # Install kdc server on this host - yum install krb5-server krb5-libs krb5-auth-dialog krb5-workstation -y; + if [ $os == 'debian' ]; then + OLD_DEBIAN_FRONTEND=$DEBIAN_FRONTEND + export DEBIAN_FRONTEND=noninteractive + $inst_cmd krb5-kdc krb5-admin-server krb5-user libpam-krb5 libpam-ccreds auth-client-config + else + $inst_cmd krb5-server krb5-libs krb5-auth-dialog krb5-workstation + fi + # Configure /etc/krb5.conf + # !!! sed -i "s/\(default_realm *= *\).*/\1$EXAMPLE.COM/" $krb5_conf + # !!! should we set default_realm? + # !!! 
+ cp $krb5_conf $krb5_conf".bak" + cp $krb5_new_conf $krb5_conf + sed -i "s/\(kdc *= *\).*/\1$HOSTNAME/" $krb5_conf + sed -i "s/\(admin_server *= *\).*/\1$HOSTNAME/" $krb5_conf # Install rng tools - yum install rng-tools -y - sed -c -i "s/\(EXTRAOPTIONS *= *\).*/\1\"-r \/dev\/urandom\"/" "/etc/sysconfig/rngd" - # start rngd - /etc/init.d/rngd start - (echo; echo;) | kdb5_util create -s - /sbin/service krb5kdc start - /sbin/service kadmin start + if [ $os == 'debian' ]; then + echo -ne '\n\n' | kdb5_util create -s + /usr/sbin/service krb5-admin-server start + /usr/sbin/service krb5-kdc start + else + echo -ne '\n\n' | kdb5_util create -s + /sbin/service krb5kdc start + /sbin/service kadmin start + fi # Install pdsh on this host - yum install pdsh -y; + $inst_cmd pdsh; chown root:root -R /usr; eval `ssh-agent` ssh-add $sshLoginKey @@ -206,10 +232,20 @@ installKDC () { hostNames=$hostNames,$hostName; fi done < $csvFile - pdsh -w $hostNames yum install krb5-workstation -y - pdsh -w $hostNames yum install pdsh -y - pdsh -w $hostNames chown root:root -R /usr - pdcp -w $hostNames $krb5_conf $krb5_conf + export PDSH_SSH_ARGS_APPEND="-q -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=publickey" + if [ $os == 'debian' ]; then + pdsh -R ssh -w $hostNames OLD_DEBIAN_FRONTEND=$DEBIAN_FRONTEND; export DEBIAN_FRONTEND=noninteractive; $inst_cmd krb5-user libpam-krb5 libpam-ccreds auth-client-config; export DEBIAN_FRONTEND=OLD_DEBIAN_FRONTEND + else + pdsh -R ssh -w $hostNames $inst_cmd krb5-workstation + fi + pdsh -R ssh -w $hostNames $inst_cmd pdsh + pdsh -R ssh -w $hostNames chown root:root -R /usr + pdcp -R ssh -w $hostNames $krb5_conf $krb5_conf + + #restore env variables to old state + if [ $os == 'debian' ]; then + export DEBIAN_FRONTEND=OLD_DEBIAN_FRONTEND + fi } distributeKeytabs () { 
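Review bot: The two new `sed -i` lines for `kdc` and `admin_server` drop the `/FILE/!` address that the removed lines had. They now also rewrite the `[logging]` entries `kdc = FILE:...` and `admin_server = FILE:...` in the krb5.conf template that this commit copies into place. Keep the guard, `sed -i "/FILE/!s/\(kdc *= *\).*/\1$HOSTNAME/" "$krb5_conf"`, and do the same for `admin_server`. Separately, `echo -ne '\n\n' | kdb5_util create -s` answers both master-key prompts with an empty line, which appears to leave the KDC database under an empty master password; taking the password from the operator would be safer. installKDC's body continues past this hunk.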
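Review bot: `PDSH_SSH_ARGS_APPEND` sets `StrictHostKeyChecking=no` and `UserKnownHostsFile=/dev/null`, so the root pdsh/pdcp sessions that install packages and push `/etc/krb5.conf` accept any host key. The same options are added to the `scp`/`ssh` calls in the distributeKeytabs hunk, where keytabs are copied, so a pre-populated known_hosts file is preferable to disabling verification. In the debian branch the command after `-w $hostNames` is unquoted, so the local shell ends the pdsh call at the first `;` and runs `$inst_cmd krb5-user ...` on the KDC host rather than on the cluster hosts. Pass the remote command as one quoted string. Both `export DEBIAN_FRONTEND=OLD_DEBIAN_FRONTEND` lines are missing the `$` and export the literal text.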
@@ -219,15 +255,35 @@ distributeKeytabs () { derivedname=${i%.*} derivedname=${derivedname##keytabs_} echo $derivedname - scp $i root@$derivedname:/ - ssh root@$derivedname "cd /;tar xvf $i" + scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no $i root@$derivedname:/ + ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@$derivedname "cd /;tar xvf $i" done } +getEnvironmentCMD () { +#get linux distribution type and package manager + os=`python -c 'import sys; sys.path.append("/usr/lib/python2.6/site-packages/"); from common_functions import OSCheck; print OSCheck.get_os_family()'` + case $os in + 'debian' ) + pkgmgr='apt-get' + inst_cmd="/usr/bin/$pkgmgr --force-yes --assume-yes install " + ;; + 'redhat' ) + pkgmgr='yum' + inst_cmd="/usr/bin/$pkgmgr -d 0 -e 0 -y install " + ;; + 'suse' ) + pkgmgr='zypper' + inst_cmd="/usr/bin/$pkgmgr --quiet install --auto-agree-with-licenses --no-confirm " + ;; + esac +} + if (($# != 2)); then usage fi +getEnvironmentCMD installKDC $@ processCSVFile $@ distributeKeytabs $@ http://git-wip-us.apache.org/repos/asf/ambari/blob/e1ca79f6/ambari-server/src/main/resources/scripts/krb5.conf ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/scripts/krb5.conf b/ambari-server/src/main/resources/scripts/krb5.conf new file mode 100644 index 0000000..7061d19 --- /dev/null +++ b/ambari-server/src/main/resources/scripts/krb5.conf 
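Review bot: In `getEnvironmentCMD` the debian `inst_cmd` passes `--force-yes` to apt-get, which apt documents as dangerous because it continues past conditions such as unauthenticated packages, and the packages installed with it include the KDC itself. `--assume-yes` alone answers the prompts, so `inst_cmd="/usr/bin/$pkgmgr --assume-yes install "` would be enough. The `case $os` has no default arm, so if the python one-liner fails or returns another family, `inst_cmd` stays unset and `$inst_cmd rng-tools` in installKDC runs `rng-tools` as a command. Add `*) echo "Unsupported OS family: $os" >&2; exit 1 ;;` so the script stops before touching the host.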
@@ -0,0 +1,37 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ default_realm = EXAMPLE.COM
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+
+[realms]
+ EXAMPLE.COM = {
+ kdc = kerberos.example.com
+ admin_server = kerberos.example.com
+ }
+
+[domain_realm]
+ .example.com = EXAMPLE.COM
+ example.com = EXAMPLE.COM
