Updated Branches: refs/heads/master 8d32a92d0 -> ea1779258
BIGTOP-931. a few improvements to secure puppet deployment code Project: http://git-wip-us.apache.org/repos/asf/bigtop/repo Commit: http://git-wip-us.apache.org/repos/asf/bigtop/commit/5bf52db1 Tree: http://git-wip-us.apache.org/repos/asf/bigtop/tree/5bf52db1 Diff: http://git-wip-us.apache.org/repos/asf/bigtop/diff/5bf52db1 Branch: refs/heads/master Commit: 5bf52db1c86d0db9d1d4728045954f37fc479b56 Parents: 701e371 Author: Roman Shaposhnik <[email protected]> Authored: Wed Apr 17 09:59:15 2013 -0700 Committer: Roman Shaposhnik <[email protected]> Committed: Wed Apr 24 15:27:54 2013 -0700 ---------------------------------------------------------------------- bigtop-deploy/puppet/manifests/cluster.pp | 5 +++++ .../puppet/modules/hadoop-hbase/manifests/init.pp | 1 + .../puppet/modules/hadoop-oozie/manifests/init.pp | 1 + .../modules/hadoop-oozie/templates/oozie-site.xml | 9 ++------- .../modules/hadoop-zookeeper/manifests/init.pp | 1 + .../puppet/modules/hadoop/manifests/init.pp | 3 +++ .../hadoop/templates/container-executor.cfg | 2 +- bigtop-deploy/puppet/modules/hue/manifests/init.pp | 1 + bigtop-deploy/puppet/modules/hue/templates/hue.ini | 2 +- .../puppet/modules/kerberos/manifests/init.pp | 10 +++++++++- .../puppet/modules/kerberos/templates/kdc.conf | 4 ++-- 11 files changed, 27 insertions(+), 12 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/bigtop/blob/5bf52db1/bigtop-deploy/puppet/manifests/cluster.pp ---------------------------------------------------------------------- diff --git a/bigtop-deploy/puppet/manifests/cluster.pp b/bigtop-deploy/puppet/manifests/cluster.pp index b889eb9..97b975b 100644 --- a/bigtop-deploy/puppet/manifests/cluster.pp +++ b/bigtop-deploy/puppet/manifests/cluster.pp 
@@ -119,6 +119,11 @@ class hadoop_worker_node inherits hadoop_cluster_node { groups => 'wheel', } + if ($hadoop_security_authentication == "kerberos") { + kerberos::host_keytab { $bigtop_real_users: } + User<||> -> Kerberos::Host_keytab<||> + } + hadoop::datanode { "datanode": namenode_host => $hadoop_namenode_host, namenode_port => $hadoop_namenode_port, http://git-wip-us.apache.org/repos/asf/bigtop/blob/5bf52db1/bigtop-deploy/puppet/modules/hadoop-hbase/manifests/init.pp ---------------------------------------------------------------------- diff --git a/bigtop-deploy/puppet/modules/hadoop-hbase/manifests/init.pp b/bigtop-deploy/puppet/modules/hadoop-hbase/manifests/init.pp index 5e26ccd..e102986 100644 --- a/bigtop-deploy/puppet/modules/hadoop-hbase/manifests/init.pp +++ b/bigtop-deploy/puppet/modules/hadoop-hbase/manifests/init.pp @@ -26,6 +26,7 @@ class hadoop-hbase { require kerberos::client kerberos::host_keytab { "hbase": spnego => true, + require => Package["hbase"], } file { "/etc/hbase/conf/jaas.conf": http://git-wip-us.apache.org/repos/asf/bigtop/blob/5bf52db1/bigtop-deploy/puppet/modules/hadoop-oozie/manifests/init.pp ---------------------------------------------------------------------- diff --git a/bigtop-deploy/puppet/modules/hadoop-oozie/manifests/init.pp b/bigtop-deploy/puppet/modules/hadoop-oozie/manifests/init.pp index deb198f..572203a 100644 --- a/bigtop-deploy/puppet/modules/hadoop-oozie/manifests/init.pp +++ b/bigtop-deploy/puppet/modules/hadoop-oozie/manifests/init.pp @@ -25,6 +25,7 @@ class hadoop-oozie { require kerberos::client kerberos::host_keytab { "oozie": spnego => true, + require => Package["oozie"], } } http://git-wip-us.apache.org/repos/asf/bigtop/blob/5bf52db1/bigtop-deploy/puppet/modules/hadoop-oozie/templates/oozie-site.xml ---------------------------------------------------------------------- 
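Review bot: In the cluster.pp hunk, `kerberos::host_keytab { $bigtop_real_users: }` lays down a keytab for every interactive user on every worker node, so a compromise of any single DataNode hands over the long-lived credentials of all of them; combined with the kinit exec this commit adds to kerberos::host_keytab, each of those users also gets a TGT cached on every worker at each Puppet run. If these accounts are test fixtures that is acceptable, but it should be stated, e.g. `# test-only: user keytabs on every worker are a credential-sprawl risk in production`, and the declaration should be skipped when the list is empty, e.g. `if ($hadoop_security_authentication == "kerberos" and $bigtop_real_users) {`. The `User<||> -> Kerberos::Host_keytab<||>` chain orders every user before every keytab in the catalog, presumably so the define can chown the keytab to an account that already exists. hadoop_worker_node's body continues outside the hunk.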
diff --git a/bigtop-deploy/puppet/modules/hadoop-oozie/templates/oozie-site.xml b/bigtop-deploy/puppet/modules/hadoop-oozie/templates/oozie-site.xml index 0e0a852..ef39045 100644 --- a/bigtop-deploy/puppet/modules/hadoop-oozie/templates/oozie-site.xml +++ b/bigtop-deploy/puppet/modules/hadoop-oozie/templates/oozie-site.xml @@ -333,10 +333,8 @@ <!-- Proxyuser Configuration --> - <!-- - <property> - <name>oozie.service.ProxyUserService.proxyuser.#USER#.hosts</name> + <name>oozie.service.ProxyUserService.proxyuser.hue.hosts</name> <value>*</value> <description> List of hosts the '#USER#' user is allowed to perform 'doAs' @@ -353,7 +351,7 @@ </property> <property> - <name>oozie.service.ProxyUserService.proxyuser.#USER#.groups</name> + <name>oozie.service.ProxyUserService.proxyuser.hue.groups</name> <value>*</value> <description> List of groups the '#USER#' user is allowed to impersonate users @@ -368,7 +366,4 @@ in the property name. </description> </property> - - --> - </configuration> http://git-wip-us.apache.org/repos/asf/bigtop/blob/5bf52db1/bigtop-deploy/puppet/modules/hadoop-zookeeper/manifests/init.pp ---------------------------------------------------------------------- diff --git a/bigtop-deploy/puppet/modules/hadoop-zookeeper/manifests/init.pp b/bigtop-deploy/puppet/modules/hadoop-zookeeper/manifests/init.pp index 8a809e2..8e0c757 100644 --- a/bigtop-deploy/puppet/modules/hadoop-zookeeper/manifests/init.pp +++ b/bigtop-deploy/puppet/modules/hadoop-zookeeper/manifests/init.pp @@ -62,6 +62,7 @@ class hadoop-zookeeper { kerberos::host_keytab { "zookeeper": spnego => true, notify => Service["zookeeper-server"], + require => Package["zookeeper-server"], } file { "/etc/zookeeper/conf/java.env": http://git-wip-us.apache.org/repos/asf/bigtop/blob/5bf52db1/bigtop-deploy/puppet/modules/hadoop/manifests/init.pp ---------------------------------------------------------------------- 
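Review bot: The newly enabled `oozie.service.ProxyUserService.proxyuser.hue.hosts` and `.groups` properties are both `*`, which lets any host that can authenticate as the hue principal impersonate any Oozie user; in a Kerberized deployment the hosts value should at least be pinned to the Hue server, e.g. `<value><%= fqdn %></value>` if Hue is co-located with Oozie, or a dedicated Hue-host variable otherwise, and groups narrowed to the groups Hue actually serves. The surrounding `<description>` text still says 'the #USER# user' after the property names were specialised to hue; change it to `List of hosts the 'hue' user is allowed to perform 'doAs'` (and the matching sentence for groups) so the rendered file does not read like an unfilled template.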
diff --git a/bigtop-deploy/puppet/modules/hadoop/manifests/init.pp b/bigtop-deploy/puppet/modules/hadoop/manifests/init.pp index 0b92f56..7355e7c 100644 --- a/bigtop-deploy/puppet/modules/hadoop/manifests/init.pp +++ b/bigtop-deploy/puppet/modules/hadoop/manifests/init.pp @@ -26,11 +26,13 @@ class hadoop { kerberos::host_keytab { "hdfs": princs => [ "host", "hdfs" ], spnego => true, + require => Package["hadoop-hdfs"], } kerberos::host_keytab { [ "yarn", "mapred" ]: tag => "mapreduce", spnego => true, + require => Package["hadoop-yarn"], } } @@ -174,6 +176,7 @@ class hadoop { if ($auth == "kerberos") { kerberos::host_keytab { "httpfs": spnego => true, + require => Package["hadoop-httpfs"], } } http://git-wip-us.apache.org/repos/asf/bigtop/blob/5bf52db1/bigtop-deploy/puppet/modules/hadoop/templates/container-executor.cfg ---------------------------------------------------------------------- diff --git a/bigtop-deploy/puppet/modules/hadoop/templates/container-executor.cfg b/bigtop-deploy/puppet/modules/hadoop/templates/container-executor.cfg index 7c6fb0a..4cabe8c 100644 --- a/bigtop-deploy/puppet/modules/hadoop/templates/container-executor.cfg +++ b/bigtop-deploy/puppet/modules/hadoop/templates/container-executor.cfg @@ -1,3 +1,3 @@ yarn.nodemanager.linux-container-executor.group=yarn #banned.users=foo,bar -#min.user.id=1000 +min.user.id=499 http://git-wip-us.apache.org/repos/asf/bigtop/blob/5bf52db1/bigtop-deploy/puppet/modules/hue/manifests/init.pp ---------------------------------------------------------------------- diff --git a/bigtop-deploy/puppet/modules/hue/manifests/init.pp b/bigtop-deploy/puppet/modules/hue/manifests/init.pp index f4a7b57..7d0fcce 100644 --- a/bigtop-deploy/puppet/modules/hue/manifests/init.pp +++ b/bigtop-deploy/puppet/modules/hue/manifests/init.pp 
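Review bot: In the first hadoop/manifests/init.pp hunk, the combined `kerberos::host_keytab { [ "yarn", "mapred" ]: ... require => Package["hadoop-yarn"] }` makes both keytabs wait only for hadoop-yarn, while the hdfs keytab waits for hadoop-hdfs; if the mapred account is created by a different package (hadoop-mapreduce in Bigtop's packaging, as far as I recall), the chown of the mapred keytab can still race that install, which is the very ordering problem the hunk fixes for the others. Either split the resource per user or require both packages: `require => [ Package["hadoop-yarn"], Package["hadoop-mapreduce"] ],` provided that package is declared in this class. The class hadoop continues outside the hunk.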
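Review bot: `min.user.id=499` in container-executor.cfg is a hard-coded UID floor whose meaning differs per distribution: on EL6-style systems (regular users from 500) it admits only UID 499 below the boundary, but on Debian/Ubuntu (system accounts 100–999) it lets the setuid container-executor launch tasks as any system account from 499 upward, including packaged service users such as hbase or zookeeper that the executor's small built-in banned list does not cover. Render the value per OS the way hue.ini already does, e.g. `min.user.id=<%= (operatingsystem == 'ubuntu') ? 1000 : 500 %>` adjusted to whatever UID range the Bigtop service accounts actually receive, and uncomment `banned.users` with an explicit list of the cluster's service accounts rather than relying on the default. A comment above the line stating why the floor was lowered would stop the next maintainer from "fixing" it back.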
@@ -21,6 +21,7 @@ class hue { require kerberos::client kerberos::host_keytab { "hue": spnego => false, + require => Package["hue"], } } http://git-wip-us.apache.org/repos/asf/bigtop/blob/5bf52db1/bigtop-deploy/puppet/modules/hue/templates/hue.ini ---------------------------------------------------------------------- diff --git a/bigtop-deploy/puppet/modules/hue/templates/hue.ini b/bigtop-deploy/puppet/modules/hue/templates/hue.ini index cf4fe8d..35b90f2 100644 --- a/bigtop-deploy/puppet/modules/hue/templates/hue.ini +++ b/bigtop-deploy/puppet/modules/hue/templates/hue.ini @@ -225,7 +225,7 @@ # Kerberos principal name for Hue hue_principal=hue/<%= fqdn %> # Path to kinit - kinit_path=<%= (operatingsystem == 'ubuntu') ? '/usr/bin' : '/usr/kerberos/bin' %> + kinit_path=<%= (operatingsystem == 'ubuntu') ? '/usr/bin' : '/usr/kerberos/bin' %>/kinit <% end %> http://git-wip-us.apache.org/repos/asf/bigtop/blob/5bf52db1/bigtop-deploy/puppet/modules/kerberos/manifests/init.pp ---------------------------------------------------------------------- diff --git a/bigtop-deploy/puppet/modules/kerberos/manifests/init.pp b/bigtop-deploy/puppet/modules/kerberos/manifests/init.pp index a57b740..7e7f35d 100644 --- a/bigtop-deploy/puppet/modules/kerberos/manifests/init.pp +++ b/bigtop-deploy/puppet/modules/kerberos/manifests/init.pp @@ -115,7 +115,7 @@ class kerberos { service { $service_name_kdc: ensure => running, require => [Package["$package_name_kdc"], File["${kdc_etc_path}/kdc.conf"], Exec["kdb5_util"]], - subscribe => File["${kdc_etc_path}/kdc.conf"], + subscribe => [File["${kdc_etc_path}/kadm5.acl"], File["${kdc_etc_path}/kdc.conf"]], hasrestart => true, } 
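Review bot: The hue.ini hunk correctly makes kinit_path point at the binary, but the non-Ubuntu branch still hard-codes `/usr/kerberos/bin`, which as far as I recall is the EL5 location; on EL6 krb5-workstation installs kinit to /usr/bin, so Hue's ticket renewal would fail there with the same symptom this hunk is fixing. Resolve the kinit location once (for example a variable in kerberos::site that every template reuses) instead of per template, and annotate the choice: `# /usr/kerberos/bin is the EL5 location; EL6 and Debian ship kinit in /usr/bin`.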
@@ -131,6 +131,7 @@ class kerberos { service { "$service_name_admin": ensure => running, require => [Package["$package_name_admin"], Service["$service_name_kdc"]], + subscribe => [File["${kdc_etc_path}/kadm5.acl"], File["${kdc_etc_path}/kdc.conf"]], hasrestart => true, restart => "${se_hack} ; service ${service_name_admin} restart", start => "${se_hack} ; service ${service_name_admin} start", @@ -213,5 +214,12 @@ EOF require => [ Kerberos::Principal[$requested_princs], Kerberos::Principal[$internal_princs] ], } + + exec { "aquire $title keytab": + path => $kerberos::site::exec_path, + user => $title, + command => "kinit -kt $keytab ${title}/$::fqdn", + require => Exec["ktinject.$title"], + } } } http://git-wip-us.apache.org/repos/asf/bigtop/blob/5bf52db1/bigtop-deploy/puppet/modules/kerberos/templates/kdc.conf ---------------------------------------------------------------------- diff --git a/bigtop-deploy/puppet/modules/kerberos/templates/kdc.conf b/bigtop-deploy/puppet/modules/kerberos/templates/kdc.conf index dd135fd..dc35b32 100644 --- a/bigtop-deploy/puppet/modules/kerberos/templates/kdc.conf +++ b/bigtop-deploy/puppet/modules/kerberos/templates/kdc.conf @@ -16,7 +16,7 @@ default_realm = <%= realm %> [kdcdefaults] - v4_mode = nopreauth + # v4_mode = nopreauth kdc_ports = 0 [realms] @@ -31,5 +31,5 @@ default_realm = <%= realm %> master_key_type = des3-hmac-sha1 supported_enctypes = arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3 # supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3 - default_principal_flags = +preauth + # default_principal_flags = -preauth }
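Review bot: The new `exec { "aquire $title keytab": ... command => "kinit -kt $keytab ${title}/$::fqdn" }` has no `unless`, `creates` or `refreshonly`, so every Puppet run re-kinits as each service user and drops a fresh TGT into that user's default credential cache — extra credential material on disk and a noisy, non-idempotent resource. Fire it only when the keytab actually changes: `refreshonly => true,` with `subscribe => Exec["ktinject.$title"],` in place of the `require`, or at minimum `unless => "klist -s"` run as the same user. The title also misspells acquire (`"acquire $title keytab"`), which matters because other manifests will reference the Exec by that exact string. The enclosing define kerberos::host_keytab starts outside the hunk.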
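Review bot: Turning `default_principal_flags = +preauth` into the commented-out `# default_principal_flags = -preauth` means principals created in this realm no longer require pre-authentication by default, so anyone who can reach the KDC can request an AS-REP for any user principal and brute-force its password offline; that is a hardening regression, not a cleanup. If the change was made to work around a client issue, the keytab-based `kinit -kt` added in this same commit works with preauth enabled, so the line should be restored: `default_principal_flags = +preauth`. The context lines show `supported_enctypes` still offering single-DES and RC4 types; out of scope for this hunk, but a `# TODO: drop des/arcfour enctypes once all clients support AES` marker would keep it from being forgotten.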
