AMBARI-21045. Enable Storm's AutoTGT configs in secure mode.
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/3499004c Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/3499004c Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/3499004c Branch: refs/heads/branch-feature-AMBARI-12556 Commit: 3499004cc6c692c142ba4f6ad857ba67ea81d254 Parents: 7dc2ddc Author: Sriharsha Chintalapani <[email protected]> Authored: Thu May 18 13:34:29 2017 -0700 Committer: Sriharsha Chintalapani <[email protected]> Committed: Thu May 18 13:34:29 2017 -0700 ---------------------------------------------------------------------- .../STORM/0.9.1/configuration/storm-env.xml | 11 ++ .../STORM/1.1.0/configuration/storm-site.xml | 44 ++++++ .../common-services/STORM/1.1.0/kerberos.json | 138 +++++++++++++++++++ .../common-services/STORM/1.1.0/metainfo.xml | 44 ++++++ .../stacks/HDP/2.6/services/STORM/metainfo.xml | 4 + 5 files changed, 241 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/3499004c/ambari-server/src/main/resources/common-services/STORM/0.9.1/configuration/storm-env.xml ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/STORM/0.9.1/configuration/storm-env.xml b/ambari-server/src/main/resources/common-services/STORM/0.9.1/configuration/storm-env.xml
index 4cfe3d5..cfa33e2 100644
--- a/ambari-server/src/main/resources/common-services/STORM/0.9.1/configuration/storm-env.xml
+++ b/ambari-server/src/main/resources/common-services/STORM/0.9.1/configuration/storm-env.xml
@@ -125,6 +125,17 @@ export STORM_LOG_DIR={{log_dir}} export STORM_CONF_DIR={{conf_dir}} export STORM_HOME={{storm_component_home_dir}} + +#set storm-auto creds +# check if storm_jaas.conf in config , only enable storm_auto_creds in secure mode. +STORM_HOME="$(dirname $(cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ))" +STORM_JAAS_CONF=$STORM_HOME/config/storm_jaas.conf +STORM_AUTOCREDS_LIB_DIR=/usr/hdp/current/storm-client/external/storm-autocreds + +if [ -f $STORM_JAAS_CONF ] && [ -d $STORM_AUTOCREDS_LIB_DIR ]; then + export STORM_EXT_CLASSPATH=$STORM_AUTOCREDS_LIB_DIR +fi + </value> <value-attributes> <type>content</type> http://git-wip-us.apache.org/repos/asf/ambari/blob/3499004c/ambari-server/src/main/resources/common-services/STORM/1.1.0/configuration/storm-site.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/STORM/1.1.0/configuration/storm-site.xml b/ambari-server/src/main/resources/common-services/STORM/1.1.0/configuration/storm-site.xml new file mode 100644 index 0000000..1a5dde9 --- /dev/null +++ b/ambari-server/src/main/resources/common-services/STORM/1.1.0/configuration/storm-site.xml 
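Review bot: The added `STORM_HOME="$(dirname ...)"` line overwrites the `export STORM_HOME={{storm_component_home_dir}}` set just above it, and the secure-mode check then looks for `$STORM_HOME/config/storm_jaas.conf`, a path derived from the script location rather than from the configured conf dir. The kerberos.json added in this commit points `java.security.auth.login.config` at `{{conf_dir}}/storm_jaas.conf`, so the test may look somewhere other than where the JAAS file is written and silently leave the autocreds jars off the classpath; dropping the reassignment and using `STORM_JAAS_CONF="$STORM_CONF_DIR/storm_jaas.conf"` would tie the check to the templated value. The test operands are also unquoted, and `if [ -f "$STORM_JAAS_CONF" ] && [ -d "$STORM_AUTOCREDS_LIB_DIR" ]; then` avoids word splitting on paths with spaces. `STORM_AUTOCREDS_LIB_DIR` is a hard-coded `/usr/hdp/current/...` path inside a common-services template, and because its contents end up on the Storm daemons' classpath the directory should be confirmed root-owned and not group- or world-writable.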
@@ -0,0 +1,44 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration supports_final="true">
+ <property>
+ <name>nimbus.autocredential.plugins.classes</name>
+ <description>
+ Allows users to add token based authentication for services such as HDFS, HBase, Hive
+ </description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>nimbus.credential.renewers.freq.secs</name>
+ <description>
+ Frequency at which tokens will be renewed.
+ </description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>nimbus.credential.renewers.classes</name>
+ <description>
+ List of classes for token renewal
+ </description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+</configuration>
http://git-wip-us.apache.org/repos/asf/ambari/blob/3499004c/ambari-server/src/main/resources/common-services/STORM/1.1.0/kerberos.json ----------------------------------------------------------------------
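Review bot: The three new properties are declared without a `<value>`, and their descriptions do not say that the values are only supplied on a Kerberized cluster, by the kerberos.json added in this commit. The description of `nimbus.credential.renewers.freq.secs` should name the unit and the constraint an operator has to respect, for example `Interval in seconds at which Nimbus renews delegation tokens; keep it shorter than the token renew interval of the target services.` The description of `nimbus.autocredential.plugins.classes` could likewise note that the listed classes must be on the Nimbus classpath, since storm-env.xml only adds the autocreds directory when it exists.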
diff --git a/ambari-server/src/main/resources/common-services/STORM/1.1.0/kerberos.json b/ambari-server/src/main/resources/common-services/STORM/1.1.0/kerberos.json
new file mode 100644
index 0000000..643cfd3
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/STORM/1.1.0/kerberos.json
@@ -0,0 +1,138 @@
+{
+ "services": [
+ {
+ "name": "STORM",
+ "identities": [
+ {
+ "name": "/spnego"
+ },
+ {
+ "name": "/smokeuser"
+ },
+ {
+ "name": "storm_components",
+ "principal": {
+ "value": "${storm-env/storm_user}${principal_suffix}@${realm}",
+ "type": "user",
+ "configuration": "storm-env/storm_principal_name"
+ },
+ "keytab": {
+ "file": "${keytab_dir}/storm.headless.keytab",
+ "owner": {
+ "name": "${storm-env/storm_user}",
+ "access": "r"
+ },
+ "group": {
+ "name": "${cluster-env/user_group}",
+ "access": ""
+ },
+ "configuration": "storm-env/storm_keytab"
+ }
+ },
+ {
+ "name": "/STORM/storm_components",
+ "principal": {
+ "configuration": "storm-atlas-application.properties/atlas.jaas.KafkaClient.option.principal"
+ },
+ "keytab": {
+ "configuration": "storm-atlas-application.properties/atlas.jaas.KafkaClient.option.keyTab"
+ }
+ }
+ ],
+ "configurations": [
+ {
+ "storm-site": {
+ "nimbus.authorizer": "org.apache.storm.security.auth.authorizer.SimpleACLAuthorizer",
+ "drpc.authorizer": "org.apache.storm.security.auth.authorizer.DRPCSimpleACLAuthorizer",
+ "ui.filter": "org.apache.hadoop.security.authentication.server.AuthenticationFilter",
+ "storm.principal.tolocal": "org.apache.storm.security.auth.KerberosPrincipalToLocal",
+ "supervisor.enable": "true",
+ "storm.zookeeper.superACL": "sasl:{{storm_bare_jaas_principal}}",
+ "java.security.auth.login.config": "{{conf_dir}}/storm_jaas.conf",
+ "nimbus.impersonation.authorizer": "org.apache.storm.security.auth.authorizer.ImpersonationAuthorizer",
+ "nimbus.impersonation.acl": "{ {{storm_bare_jaas_principal}} : {hosts: ['*'], groups: ['*']}}",
+ "nimbus.admins": "['{{storm_bare_jaas_principal}}', '{{ambari_bare_jaas_principal}}']",
+ "nimbus.supervisor.users": "['{{storm_bare_jaas_principal}}']",
+ "ui.filter.params": "{'type': 'kerberos', 'kerberos.principal': '{{storm_ui_jaas_principal}}', 'kerberos.keytab': '{{storm_ui_keytab_path}}', 'kerberos.name.rules': 'DEFAULT'}",
+ "nimbus.autocredential.plugins.classes": "['org.apache.storm.hdfs.security.AutoHDFS', 'org.apache.storm.hbase.security.AutoHBase', 'org.apache.storm.hive.security.AutoHive']",
+ "nimbus.credential.renewers.classes": "['org.apache.storm.hdfs.security.AutoHDFS', 'org.apache.storm.hbase.security.AutoHBase', 'org.apache.storm.hive.security.AutoHive']",
+ "nimbus.credential.renewers.freq.secs": 82800
+
+ }
+ },
+ {
+ "ranger-storm-audit": {
+ "xasecure.audit.jaas.Client.loginModuleName": "com.sun.security.auth.module.Krb5LoginModule",
+ "xasecure.audit.jaas.Client.loginModuleControlFlag": "required",
+ "xasecure.audit.jaas.Client.option.useKeyTab": "true",
+ "xasecure.audit.jaas.Client.option.storeKey": "false",
+ "xasecure.audit.jaas.Client.option.serviceName": "solr",
+ "xasecure.audit.destination.solr.force.use.inmemory.jaas.config": "true"
+ }
+ }
+ ],
+ "components": [
+ {
+ "name": "STORM_UI_SERVER",
+ "identities": [
+ {
+ "name": "/spnego",
+ "principal": {
+ "configuration": "storm-env/storm_ui_principal_name"
+ },
+ "keytab": {
+ "configuration": "storm-env/storm_ui_keytab"
+ }
+ }
+ ]
+ },
+ {
+ "name": "NIMBUS",
+ "identities": [
+ {
+ "name": "nimbus_server",
+ "principal": {
+ "value": "nimbus/_HOST@${realm}",
+ "type": "service",
+ "configuration": "storm-env/nimbus_principal_name"
+ },
+ "keytab": {
+ "file": "${keytab_dir}/nimbus.service.keytab",
+ "owner": {
+ "name": "${storm-env/storm_user}",
+ "access": "r"
+ },
+ "group": {
+ "name": "${cluster-env/user_group}",
+ "access": ""
+ },
+ "configuration": "storm-env/nimbus_keytab"
+ }
+ },
+ {
+ "name": "/STORM/storm_components",
+ "principal": {
+ "configuration": "ranger-storm-audit/xasecure.audit.jaas.Client.option.principal"
+ },
+ "keytab": {
+ "configuration": "ranger-storm-audit/xasecure.audit.jaas.Client.option.keyTab"
+ }
+ }
+ ]
+ },
+ {
+ "name": "DRPC_SERVER",
+ "identities": [
+ {
+ "name": "drpc_server",
+ "reference": "/STORM/NIMBUS/nimbus_server"
+ }
+ ]
+ },
+ {
+ "name" : "SUPERVISOR"
+ }
+ ]
+ }
+ ]
+}
http://git-wip-us.apache.org/repos/asf/ambari/blob/3499004c/ambari-server/src/main/resources/common-services/STORM/1.1.0/metainfo.xml ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/STORM/1.1.0/metainfo.xml b/ambari-server/src/main/resources/common-services/STORM/1.1.0/metainfo.xml
new file mode 100644
index 0000000..94f5ca3
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/STORM/1.1.0/metainfo.xml
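Review bot: The three auto-credential entries at the end of the `storm-site` block of kerberos.json are applied whenever Kerberos is enabled, regardless of whether HDFS, HBase and Hive are installed or whether the autocreds jars are on the Nimbus classpath. storm-env.xml in this commit only sets `STORM_EXT_CLASSPATH` when the library directory exists, so the two conditions can disagree and Nimbus may be configured with plugin classes it cannot load. `nimbus.credential.renewers.freq.secs` is fixed at 82800 (23 hours), which presumably assumes a 24-hour token renew interval on the target services; a cluster with a shorter interval could see tokens lapse before renewal, so the coupling deserves a sentence in the storm-site.xml description. Separately, `nimbus.impersonation.acl` allows the Storm principal to impersonate from `hosts: ['*']` and `groups: ['*']`; now that Nimbus is set up to obtain service tokens for topologies, that wildcard is worth narrowing or at least documenting for operators.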
@@ -0,0 +1,44 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<metainfo>
+ <schemaVersion>2.0</schemaVersion>
+ <services>
+ <service>
+ <name>STORM</name>
+ <version>1.1.0</version>
+ <extends>common-services/STORM/1.0.1</extends>
+
+ <configuration-dependencies>
+ <config-type>storm-site</config-type>
+ <config-type>storm-env</config-type>
+ <config-type>ranger-storm-plugin-properties</config-type>
+ <config-type>ranger-storm-audit</config-type>
+ <config-type>ranger-storm-policymgr-ssl</config-type>
+ <config-type>ranger-storm-security</config-type>
+ <config-type>admin-properties</config-type>
+ <config-type>ranger-ugsync-site</config-type>
+ <config-type>ranger-admin-site</config-type>
+ <config-type>zookeeper-env</config-type>
+ <config-type>zoo.cfg</config-type>
+ <config-type>application.properties</config-type>
+ <config-type>storm-atlas-application.properties</config-type>
+ </configuration-dependencies>
+ </service>
+ </services>
+</metainfo>
http://git-wip-us.apache.org/repos/asf/ambari/blob/3499004c/ambari-server/src/main/resources/stacks/HDP/2.6/services/STORM/metainfo.xml ----------------------------------------------------------------------
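Review bot: The config-type `application.properties` in this `<configuration-dependencies>` list does not match the `application-properties` that the HDP 2.6 STORM metainfo.xml adds later in the same commit. Only one spelling can name the real config type, so one of the two entries is presumably a typo and would never match a configuration change. If the hyphenated form is the correct one, the line here should read `<config-type>application-properties</config-type>`, which would likely make the HDP 2.6 addition redundant. The actual config type name should be confirmed before relying on either entry.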
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.6/services/STORM/metainfo.xml b/ambari-server/src/main/resources/stacks/HDP/2.6/services/STORM/metainfo.xml
index db5c8b8..49e00f7 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.6/services/STORM/metainfo.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.6/services/STORM/metainfo.xml
@@ -22,6 +22,10 @@
 <service>
 <name>STORM</name>
 <version>1.1.0</version>
+ <extends>common-services/STORM/1.1.0</extends>
+ <configuration-dependencies>
+ <config-type>application-properties</config-type>
+ </configuration-dependencies>
 </service>
 </services>
 </metainfo>
