Repository: metron
Updated Branches:
  refs/heads/master 47e2b735e -> 5e0cce220


METRON-963 Update document for Kerberos manual setup (MohanDV via merrimanr) 
closes apache/metron#594


Project: http://git-wip-us.apache.org/repos/asf/metron/repo
Commit: http://git-wip-us.apache.org/repos/asf/metron/commit/5e0cce22
Tree: http://git-wip-us.apache.org/repos/asf/metron/tree/5e0cce22
Diff: http://git-wip-us.apache.org/repos/asf/metron/diff/5e0cce22

Branch: refs/heads/master
Commit: 5e0cce220dca80c996d173b16b9721fccb373821
Parents: 47e2b73
Author: MohanDV <[email protected]>
Authored: Fri May 19 10:21:09 2017 -0500
Committer: merrimanr <[email protected]>
Committed: Fri May 19 10:21:09 2017 -0500

----------------------------------------------------------------------
 metron-deployment/Kerberos-ambari-setup.md |  2 +-
 metron-deployment/Kerberos-manual-setup.md | 44 +++++++++++++++++--------
 2 files changed, 31 insertions(+), 15 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/metron/blob/5e0cce22/metron-deployment/Kerberos-ambari-setup.md
----------------------------------------------------------------------
diff --git a/metron-deployment/Kerberos-ambari-setup.md 
b/metron-deployment/Kerberos-ambari-setup.md
index 149e8b2..39e8dee 100644
--- a/metron-deployment/Kerberos-ambari-setup.md
+++ b/metron-deployment/Kerberos-ambari-setup.md
@@ -3,7 +3,7 @@
 General Kerberization notes can be found in the metron-deployment 
[README.md](../README.md)
 
 ## Setup a KDC
-See [Setup a KDC](Kerberos-manual-setup.md#setup-a-kdc)
+See [Setup a KDC](Kerberos-manual-setup.md#setup-a-kdc) and [Verify 
KDC](Kerberos-manual-setup.md#verify-kdc)
 
 ## Ambari Setup
 1. Kerberize the cluster via Ambari. More detailed documentation can be found 
[here](http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_security/content/_enabling_kerberos_security_in_ambari.html).
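Review bot: the new link relies on the anchor `#verify-kdc` in Kerberos-manual-setup.md, which only resolves once the `Verify KDC` setext heading added in the second file of this patch is present, so the two file changes must land together; the link text itself reads fine.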

http://git-wip-us.apache.org/repos/asf/metron/blob/5e0cce22/metron-deployment/Kerberos-manual-setup.md
----------------------------------------------------------------------
diff --git a/metron-deployment/Kerberos-manual-setup.md 
b/metron-deployment/Kerberos-manual-setup.md
index 8a7f07a..fc46572 100644
--- a/metron-deployment/Kerberos-manual-setup.md
+++ b/metron-deployment/Kerberos-manual-setup.md
@@ -5,6 +5,7 @@ This document provides instructions for kerberizing Metron's 
Vagrant-based devel
 
 * [Setup](#setup)
 * [Setup a KDC](#setup-a-kdc)
+* [Verify KDC](#verify-kdc)
 * [Enable Kerberos](#enable-kerberos)
 * [Kafka Authorization](#kafka-authorization)
 * [HBase Authorization](#hbase-authorization)
@@ -75,11 +76,7 @@ Setup a KDC
    ```
    max_renewable_life = 7d
    ```
-
-   If the KDC cannot issue renewable tickets, an error will be thrown when 
starting Metron's Storm topologies:
-   ```
-   Exception in thread "main" java.lang.RuntimeException: 
java.lang.RuntimeException: The TGT found is not renewable
-   ```
+ 
 
 1. Do not copy/paste this full set of commands as the `kdb5_util` command will 
not run as expected. Run the commands individually to ensure they all execute.  
This step takes a moment. It creates the kerberos database.
 
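Review bot: the replacement line `+ ` carries trailing whitespace; make it an empty line (or drop it, since a blank context line already follows). Removing the "The TGT found is not renewable" explanation also leaves the `max_renewable_life = 7d` setting with no stated reason in this section; a one-line pointer to the Verify KDC section here would keep the motivation next to the setting it explains.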
@@ -100,6 +97,33 @@ Setup a KDC
        kadmin.local -q "addprinc metron"
        ```
 
+Verify KDC
+----------
+
+
+Ticket renewal is by default disallowed in many linux distributions. If the 
KDC cannot issue renewable tickets, an error will be thrown when starting 
Metron's Storm topologies:
+   ```
+   Exception in thread "main" java.lang.RuntimeException: 
java.lang.RuntimeException: The TGT found is not renewable
+   ```
+
+
+Ensure the Metron keytab is renewable.  Look for the 'R' flag from the 
following command
+   ```
+   klist -f
+   ```
+
+If the 'R' flags are present, you may skip to next section.
+
+If the 'R' flags are absent, you will need to follow the below steps:
+If the KDC is already setup, then editing max_life and max_renewable_life in 
`/var/kerberos/krb5kdc/kdc.conf`, and restarting kadmin and krb5kdc services 
will not change the policies for existing users. 
+
+You need to set the renew lifetime for existing users and krbtgt realm. Modify 
the appropriate principals to allow renewable tickets using the following 
commands. Adjust the parameters to match your desired KDC parameters:
+   ```
+   kadmin.local -q "modprinc -maxlife 1days -maxrenewlife 7days 
+allow_renewable krbtgt/[email protected]"
+   kadmin.local -q "modprinc -maxlife 1days -maxrenewlife 7days 
+allow_renewable [email protected]"
+   ```
+
+
 Enable Kerberos
 ---------------
 
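Review bot: `klist -f` reports the flags of the calling user's credential cache, not of a keytab, so "Ensure the Metron keytab is renewable" is only verified correctly after first obtaining a ticket as the metron principal from that keytab (for example `kinit -kt <path-to-metron-keytab> metron` as the metron user) and then running `klist -f`; say so explicitly, because this section is now standalone rather than following the Storm Authorization steps that previously supplied that context. It is also worth stating that after `modprinc ... +allow_renewable` an already-cached TGT keeps its old flags, so the user must `kinit` again before rechecking with `klist -f`. Minor: the double blank lines after the heading and after the error block, and the three-space indent on the fences while the surrounding prose is unindented, are inconsistent with the rest of the file, and "follow the below steps:" is followed by prose rather than a list.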
@@ -247,16 +271,8 @@ Storm Authorization
        cd /home/metron/.storm
        ```
 
-1. Ensure the Metron keytab is renewable.  Look for the 'R' flag from the 
following command
-    ```
-    klist -f
-    ```
+1. Ensure the Metron keytab is renewable. See [Verify KDC](#verify-kdc) above
 
-    If not present, modify the appropriate principals to allow renewable 
tickets.  Adjust the parameters to match desired KDC parameters
-    ```
-    kadmin.local -q "modprinc -maxlife 1days -maxrenewlife 7days 
+allow_renewable krbtgt/[email protected]"
-    kadmin.local -q "modprinc -maxlife 1days -maxrenewlife 7days 
+allow_renewable [email protected]"
-    ```
 
 1. Create a client JAAS file at `/home/metron/.storm/client_jaas.conf`.  This 
should look identical to the Storm client JAAS file located at 
`/etc/storm/conf/client_jaas.conf` except for the addition of a `Client` 
stanza. The `Client` stanza is used for Zookeeper. All quotes and semicolons 
are necessary.
 
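Review bot: with the `klist -f` and `modprinc` lines removed, the two context blank lines that surrounded them become consecutive, leaving a double blank line between list items; drop one. The pointer step "See [Verify KDC](#verify-kdc) above" should also end with a period to match the other steps.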