Repository: ambari Updated Branches: refs/heads/branch-2.2 59a885f81 -> 8bb69855f
AMBARI-14313: Allow hawq to be installed on a secured cluster Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/8bb69855 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/8bb69855 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/8bb69855 Branch: refs/heads/branch-2.2 Commit: 8bb69855f2379dcbabc4614920cc83893a090f3b Parents: 59a885f Author: Jun Aoki <ja...@apache.org> Authored: Tue Dec 29 12:41:41 2015 -0800 Committer: Jun Aoki <ja...@apache.org> Committed: Tue Dec 29 12:41:41 2015 -0800 ---------------------------------------------------------------------- .../common-services/HAWQ/2.0.0/kerberos.json | 60 ++++++++++++++++++++ .../HAWQ/2.0.0/package/scripts/common.py | 17 +++++- .../2.0.0/package/scripts/hawq_constants.py | 2 + .../HAWQ/2.0.0/package/scripts/master_helper.py | 10 +++- .../HAWQ/2.0.0/package/scripts/params.py | 13 +++++ 5 files changed, 100 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/8bb69855/ambari-server/src/main/resources/common-services/HAWQ/2.0.0/kerberos.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/HAWQ/2.0.0/kerberos.json b/ambari-server/src/main/resources/common-services/HAWQ/2.0.0/kerberos.json new file mode 100644 index 0000000..a8130c4 --- /dev/null +++ b/ambari-server/src/main/resources/common-services/HAWQ/2.0.0/kerberos.json 
@@ -0,0 +1,60 @@ +{ + "services": [ + { + "components": [ + { + "identities": [ + { + "keytab": { + "file": "${keytab_dir}/hawq.service.keytab", + "group": { + "access": "", + "name": "${cluster-env/user_group}" + }, + "owner": { + "access": "r", + "name": "gpadmin" + } + }, + "name": "hawq_master_hawq", + "principal": { + "type": "service", + "value": "postgres@${realm}" + } + } + ], + "name": "HAWQMASTER" + }, + { + "identities": [ + { + "keytab": { + "file": "${keytab_dir}/hawq.service.keytab", + "group": { + "access": "", + "name": "${cluster-env/user_group}" + }, + "owner": { + "access": "r", + "name": "gpadmin" + } + }, + "name": "hawq_standby_hawq", + "principal": { + "type": "service", + "value": "postgres@${realm}" + } + } + ], + "name": "HAWQSTANDBY" + } + ], + "identities": [ + { + "name": "/hdfs" + } + ], + "name": "HAWQ" + } + ] +} http://git-wip-us.apache.org/repos/asf/ambari/blob/8bb69855/ambari-server/src/main/resources/common-services/HAWQ/2.0.0/package/scripts/common.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/HAWQ/2.0.0/package/scripts/common.py b/ambari-server/src/main/resources/common-services/HAWQ/2.0.0/package/scripts/common.py index a0bc925..eed84ac 100644 --- a/ambari-server/src/main/resources/common-services/HAWQ/2.0.0/package/scripts/common.py +++ b/ambari-server/src/main/resources/common-services/HAWQ/2.0.0/package/scripts/common.py @@ -107,6 +107,12 @@ def __update_hdfs_client(): for key in required_keys: hdfs_client_dict[key] = params.hdfs_site[key] + # security + if params.security_enabled: + hdfs_client_dict["hadoop.security.authentication"] = "kerberos" + else: + hdfs_client_dict.pop("hadoop.security.authentication", None) # remove the entry + XmlConfig("hdfs-client.xml", conf_dir=hawq_constants.hawq_config_dir, configurations=ConfigDictionary(hdfs_client_dict), 
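Review bot: Both the HAWQMASTER and HAWQSTANDBY identities use the host-independent principal `postgres@${realm}` with the same `${keytab_dir}/hawq.service.keytab`. The two hosts therefore hold identical long-term keys, and a keytab copied from one host is valid as the service identity on the other. If HAWQ can run with a per-host service principal, a value of the form `postgres/_HOST@${realm}` would confine that exposure to one host; if it cannot, the constraint is worth recording in the commit description, since JSON has no place for a comment. The keytab owner is the literal `gpadmin`, which has to be kept in step by hand with `hawq_user` in hawq_constants.py.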
@@ -173,10 +179,19 @@ def __update_hawq_site(): Sets up hawq-site.xml """ import params + + hawq_site_modifiable = dict(params.hawq_site) + + if params.security_enabled: + hawq_site_modifiable["enable_secure_filesystem"] = "ON" + hawq_site_modifiable["krb_server_keyfile"] = hawq_constants.hawq_keytab_file + else: + hawq_site_modifiable.pop("enable_secure_filesystem", None) # remove the entry + hawq_site_modifiable.pop("krb_server_keyfile", None) # remove the entry XmlConfig("hawq-site.xml", conf_dir=hawq_constants.hawq_config_dir, - configurations=params.hawq_site, + configurations=ConfigDictionary(hawq_site_modifiable), configuration_attributes=params.config['configuration_attributes']['hawq-site'], owner=hawq_constants.hawq_user, group=hawq_constants.hawq_group, http://git-wip-us.apache.org/repos/asf/ambari/blob/8bb69855/ambari-server/src/main/resources/common-services/HAWQ/2.0.0/package/scripts/hawq_constants.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/HAWQ/2.0.0/package/scripts/hawq_constants.py b/ambari-server/src/main/resources/common-services/HAWQ/2.0.0/package/scripts/hawq_constants.py index 90021b1..fe3743b 100644 --- a/ambari-server/src/main/resources/common-services/HAWQ/2.0.0/package/scripts/hawq_constants.py +++ b/ambari-server/src/main/resources/common-services/HAWQ/2.0.0/package/scripts/hawq_constants.py @@ -31,6 +31,7 @@ FAST = "fast" # Users root_user = "root" hawq_user = "gpadmin" +hawq_user_secured = "postgres" hawq_group = hawq_user # Directories 
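Review bot: `krb_server_keyfile` is set from the fixed path in `hawq_constants.hawq_keytab_file` (`/etc/security/keytabs/hawq.service.keytab`, added to hawq_constants.py in this commit), while kerberos.json places the keytab at `${keytab_dir}/hawq.service.keytab`. On a cluster where `keytab_dir` is configured to another directory, hawq-site.xml would name a file that was never written there. The descriptor can supply the resolved path itself, for example with a `"configuration": "hawq-site/krb_server_keyfile"` entry on the keytab in kerberos.json, after which this branch only has to set `enable_secure_filesystem`. The body of __update_hawq_site continues past the end of the hunk.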
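Review bot: `hawq_user_secured = "postgres"` sits under `# Users` next to `hawq_user` with no comment, although in this commit it is used only as the HDFS owner name in master_helper.py and matches the primary of the `postgres@${realm}` principal in kerberos.json. A comment would keep it from being read as an OS account, for example `# Short name of the HAWQ Kerberos principal (postgres@REALM); HDFS data dir owner when security is enabled`. The literal also has to change whenever the principal in the descriptor is changed, and that coupling belongs in the same comment.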
@@ -55,6 +56,7 @@ hawq_sysctl_tmp_file = os.path.join(hawq_tmp_dir, hawq_sysctl_filename) hawq_sysctl_file = os.path.join(sysctl_conf_dir, hawq_sysctl_filename) postmaster_opts_filename = "postmaster.opts" postmaster_pid_filename = "postmaster.pid" +hawq_keytab_file = "/etc/security/keytabs/hawq.service.keytab" # Smoke check table smoke_check_table_name = "ambari_hawq_smoke_test" http://git-wip-us.apache.org/repos/asf/ambari/blob/8bb69855/ambari-server/src/main/resources/common-services/HAWQ/2.0.0/package/scripts/master_helper.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/HAWQ/2.0.0/package/scripts/master_helper.py b/ambari-server/src/main/resources/common-services/HAWQ/2.0.0/package/scripts/master_helper.py index 7182e9e..cf7dc77 100644 --- a/ambari-server/src/main/resources/common-services/HAWQ/2.0.0/package/scripts/master_helper.py +++ b/ambari-server/src/main/resources/common-services/HAWQ/2.0.0/package/scripts/master_helper.py @@ -89,7 +89,15 @@ def __create_hdfs_dirs(): Creates the required HDFS directories for HAWQ """ import params - params.HdfsResource(params.hawq_hdfs_data_dir, type="directory", action="create_on_execute", owner=hawq_constants.hawq_user, group=hawq_constants.hawq_group, mode=0755) + + data_dir_owner = hawq_constants.hawq_user_secured if params.security_enabled else hawq_constants.hawq_user + + params.HdfsResource(params.hawq_hdfs_data_dir, + type="directory", + action="create_on_execute", + owner=data_dir_owner, + group=hawq_constants.hawq_group, + mode=0755) params.HdfsResource(None, action="execute") http://git-wip-us.apache.org/repos/asf/ambari/blob/8bb69855/ambari-server/src/main/resources/common-services/HAWQ/2.0.0/package/scripts/params.py ---------------------------------------------------------------------- 
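Review bot: The owner passed to `params.HdfsResource` now depends on `params.security_enabled`, but the hunk declares only the top-level `hawq_hdfs_data_dir`. On a cluster that is kerberized after HAWQ has already written data, anything below that directory presumably stays owned by `gpadmin` while HAWQ starts reaching HDFS as `postgres`. If that transition is meant to be supported, the resource needs something like `recursive_chown=True`; otherwise a comment above `data_dir_owner` should state that security must be enabled before the first start. The group stays `hawq_constants.hawq_group` with mode 0755, so write access to the directory rests on the owner name alone.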
diff --git a/ambari-server/src/main/resources/common-services/HAWQ/2.0.0/package/scripts/params.py b/ambari-server/src/main/resources/common-services/HAWQ/2.0.0/package/scripts/params.py index 62870f0..1c247ba 100644 --- a/ambari-server/src/main/resources/common-services/HAWQ/2.0.0/package/scripts/params.py +++ b/ambari-server/src/main/resources/common-services/HAWQ/2.0.0/package/scripts/params.py @@ -20,6 +20,7 @@ import functools from resource_management import Script from resource_management.libraries.functions.default import default from resource_management.libraries.resources.hdfs_resource import HdfsResource +from resource_management.libraries.functions import get_kinit_path config = Script.get_config() @@ -52,9 +53,18 @@ hawqsegment_hosts = default('/clusterHostInfo/hawqsegment_hosts', []) hdfs_site = config['configurations']['hdfs-site'] default_fs = config['configurations']['core-site']['fs.defaultFS'] +security_enabled = config['configurations']['cluster-env']['security_enabled'] +hdfs_user_keytab = config['configurations']['hadoop-env']['hdfs_user_keytab'] +kinit_path_local = get_kinit_path(default('/configurations/kerberos-env/executable_search_paths', None)) +hdfs_principal_name = config['configurations']['hadoop-env']['hdfs_principal_name'] + # HDFSResource partial function HdfsResource = functools.partial(HdfsResource, user=hdfs_superuser, + security_enabled=security_enabled, + keytab=hdfs_user_keytab, + kinit_path_local=kinit_path_local, + principal_name=hdfs_principal_name, hdfs_site=hdfs_site, default_fs=default_fs) @@ -64,6 +74,9 @@ HdfsResource = functools.partial(HdfsResource, rm_host = __get_component_host('rm_host') yarn_ha_enabled = default('/configurations/yarn-site/yarn.resourcemanager.ha.enabled', False) +# Security +security_enabled = config['configurations']['cluster-env']['security_enabled'] + # Config files gpcheck_content = config['configurations']['gpcheck-env']['content']
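Review bot: `hdfs_user_keytab` and `hdfs_principal_name` are read by direct indexing into `config['configurations']['hadoop-env']`, and both are passed to the `HdfsResource` partial whether or not security is enabled. What these yield when hadoop-env lacks the key is decided by the config dictionary and cannot be seen from this hunk. The file already uses `default(...)` for optional values, so `hdfs_principal_name = default('/configurations/hadoop-env/hdfs_principal_name', None)`, and the same form for the keytab, would make the non-secure case explicit.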
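Review bot: `security_enabled` is assigned a second time under `# Security`, using the same `config['configurations']['cluster-env']['security_enabled']` expression that the previous hunk adds ahead of the `HdfsResource` partial. The partial needs the earlier assignment, so the later block is redundant and can be dropped. Keeping two definitions of a security switch in one module invites one of them being edited without the other.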