This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch RANGER-5373 in repository https://gitbox.apache.org/repos/asf/ranger.git
commit 2492bee1cf1c698c994884ca12b8f51dd6d46ee9 Author: Madhan Neethiraj <[email protected]> AuthorDate: Sat Oct 18 00:21:50 2025 -0700 RANGER-5373: Docker setup updated to run KDC and create keytabs for service accounts --- dev-support/ranger-docker/.env | 8 +++ dev-support/ranger-docker/Dockerfile.ranger | 5 ++ dev-support/ranger-docker/Dockerfile.ranger-hadoop | 5 ++ dev-support/ranger-docker/Dockerfile.ranger-hbase | 5 ++ dev-support/ranger-docker/Dockerfile.ranger-hive | 5 ++ dev-support/ranger-docker/Dockerfile.ranger-kafka | 5 ++ .../ranger-kms.sh => Dockerfile.ranger-kdc} | 49 +++++++---------- dev-support/ranger-docker/Dockerfile.ranger-kms | 5 ++ dev-support/ranger-docker/Dockerfile.ranger-knox | 5 ++ dev-support/ranger-docker/Dockerfile.ranger-solr | 6 +++ .../ranger-docker/Dockerfile.ranger-tagsync | 5 ++ .../ranger-docker/Dockerfile.ranger-usersync | 5 ++ .../kdc/create_keytab.sh} | 31 ++++++++--- dev-support/ranger-docker/config/kdc/entrypoint.sh | 61 ++++++++++++++++++++++ dev-support/ranger-docker/config/kdc/kadm5.acl | 1 + dev-support/ranger-docker/config/kdc/kdc.conf | 16 ++++++ dev-support/ranger-docker/config/kdc/krb5.conf | 17 ++++++ .../ranger-docker/docker-compose.ranger-hadoop.yml | 2 + .../ranger-docker/docker-compose.ranger-hbase.yml | 2 + .../ranger-docker/docker-compose.ranger-hive.yml | 2 + .../ranger-docker/docker-compose.ranger-kafka.yml | 2 + .../ranger-docker/docker-compose.ranger-kdc.yml | 24 +++++++++ .../ranger-docker/docker-compose.ranger-kms.yml | 2 + .../ranger-docker/docker-compose.ranger-knox.yml | 2 + .../docker-compose.ranger-tagsync.yml | 2 + .../ranger-docker/docker-compose.ranger-trino.yml | 2 + .../docker-compose.ranger-usersync.yml | 2 + .../ranger-docker/docker-compose.ranger.yml | 12 +++++ .../scripts/ranger-admin-install-mysql.properties | 9 ++++ .../scripts/ranger-admin-install-oracle.properties | 9 ++++ .../ranger-admin-install-postgres.properties | 9 ++++ .../ranger-admin-install-sqlserver.properties | 9 ++++ 
dev-support/ranger-docker/scripts/ranger-hadoop.sh | 8 ++- dev-support/ranger-docker/scripts/ranger-hbase.sh | 6 +++ dev-support/ranger-docker/scripts/ranger-hive.sh | 6 +++ dev-support/ranger-docker/scripts/ranger-kafka.sh | 6 +++ dev-support/ranger-docker/scripts/ranger-kms.sh | 6 +++ dev-support/ranger-docker/scripts/ranger-knox.sh | 6 +++ .../ranger-docker/scripts/ranger-tagsync.sh | 6 +++ .../ranger-docker/scripts/ranger-usersync.sh | 6 +++ dev-support/ranger-docker/scripts/ranger.sh | 8 +++ 41 files changed, 344 insertions(+), 38 deletions(-) diff --git a/dev-support/ranger-docker/.env b/dev-support/ranger-docker/.env index e6de538a2..7b069f033 100644 --- a/dev-support/ranger-docker/.env +++ b/dev-support/ranger-docker/.env @@ -12,6 +12,14 @@ RANGER_BASE_VERSION=20250707-1-8 # Java version used to build Apache Ranger is present as suffix: -8, valid values for suffix: -8, -11, -17 RANGER_BASE_BUILD_VERSION=20250707-1-8 +# Kerberos +KERBEROS_ENABLED=true +KERBEROS_REALM=EXAMPLE.COM +KERBEROS_KDC_HOST=ranger-kdc.example.com +KERBEROS_MASTER_PASSWORD=rangerR0cks! +KERBEROS_ADMIN_PRINCIPAL=admin/admin +KERBEROS_ADMIN_PASSWORD=rangerR0cks! + # third party image versions MARIADB_VERSION=10.7.3 POSTGRES_VERSION=12 diff --git a/dev-support/ranger-docker/Dockerfile.ranger b/dev-support/ranger-docker/Dockerfile.ranger index b6dcff30a..eac69fc88 100644 --- a/dev-support/ranger-docker/Dockerfile.ranger +++ b/dev-support/ranger-docker/Dockerfile.ranger 
@@ -38,8 +38,13 @@ RUN tar xvfz /home/ranger/dist/ranger-${RANGER_VERSION}-admin.tar.gz --direct && mkdir -p /var/log/ranger \ && chown -R ranger:ranger ${RANGER_HOME}/admin/ ${RANGER_SCRIPTS}/ /var/run/ranger/ /var/log/ranger/ \ && chmod 755 ${RANGER_SCRIPTS}/ranger.sh \ + && apt-get update && DEBIAN_FRONTEND="noninteractive" apt-get install -y krb5-user && mkdir -p /etc/keytabs \ && mkdir -p /usr/share/java/ +COPY config/kdc/krb5.conf /etc/krb5.conf +COPY config/kdc/create_keytab.sh /etc/keytabs/create_keytab.sh +RUN chmod +x /etc/keytabs/create_keytab.sh + FROM ranger AS ranger_postgres COPY ./downloads/postgresql-42.2.16.jre7.jar /home/ranger/dist/ RUN mv /home/ranger/dist/postgresql-42.2.16.jre7.jar /usr/share/java/postgresql.jar diff --git a/dev-support/ranger-docker/Dockerfile.ranger-hadoop b/dev-support/ranger-docker/Dockerfile.ranger-hadoop index 5fc455e4b..608c9fdff 100644 --- a/dev-support/ranger-docker/Dockerfile.ranger-hadoop +++ b/dev-support/ranger-docker/Dockerfile.ranger-hadoop @@ -46,8 +46,13 @@ RUN tar xvfz /home/ranger/dist/hadoop-${HADOOP_VERSION}.tar.gz --directory=/opt/ rm -f /home/ranger/dist/ranger-${YARN_PLUGIN_VERSION}-yarn-plugin.tar.gz && \ cp -f /home/ranger/scripts/ranger-yarn-plugin-install.properties /opt/ranger/ranger-yarn-plugin/install.properties && \ chmod 744 ${RANGER_SCRIPTS}/ranger-hadoop-setup.sh ${RANGER_SCRIPTS}/ranger-hadoop.sh ${RANGER_SCRIPTS}/ranger-hadoop-mkdir.sh && \ + apt-get update && DEBIAN_FRONTEND="noninteractive" apt-get install -y krb5-user && mkdir -p /etc/keytabs && \ chown hdfs:hadoop ${RANGER_SCRIPTS}/ranger-hadoop-mkdir.sh +COPY config/kdc/krb5.conf /etc/krb5.conf +COPY config/kdc/create_keytab.sh /etc/keytabs/create_keytab.sh +RUN chmod +x /etc/keytabs/create_keytab.sh + RUN apt-get update && \ apt-get install -y --no-install-recommends openssh-server && \ mkdir -p /var/run/sshd && \ 
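Review bot: The `apt-get update && ... apt-get install -y krb5-user` step spliced into the existing RUN chain leaves the apt package index in the image layer and pulls recommended packages, since it has neither `--no-install-recommends` nor the `rm -rf /var/lib/apt/lists/*` that the Dockerfile.ranger-hbase chain ends with. The same line in Dockerfile.ranger-hive, -kafka, -kms, -knox, -solr, -tagsync and -usersync uses `apt update`, the interactive front-end that warns it has no stable CLI interface, while this file and Dockerfile.ranger-hadoop use `apt-get update`; one form across all of them would be easier to maintain. Suggested: `&& apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends krb5-user && rm -rf /var/lib/apt/lists/* && mkdir -p /etc/keytabs \`. Note also that `config/kdc/create_keytab.sh`, copied into every one of these images, carries the kadmin admin password in clear text, so it ends up in each image's layers.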
diff --git a/dev-support/ranger-docker/Dockerfile.ranger-hbase b/dev-support/ranger-docker/Dockerfile.ranger-hbase index 0d0120079..241cbdcdc 100644 --- a/dev-support/ranger-docker/Dockerfile.ranger-hbase +++ b/dev-support/ranger-docker/Dockerfile.ranger-hbase @@ -42,9 +42,14 @@ RUN tar xvfz /home/ranger/dist/hbase-${HBASE_VERSION}-bin.tar.gz --directory=/op RUN apt-get update && \ apt-get install -y --no-install-recommends openssh-server && \ + DEBIAN_FRONTEND="noninteractive" apt-get install -y krb5-user && mkdir -p /etc/keytabs && \ mkdir -p /var/run/sshd && \ rm -rf /var/lib/apt/lists/* +COPY config/kdc/krb5.conf /etc/krb5.conf +COPY config/kdc/create_keytab.sh /etc/keytabs/create_keytab.sh +RUN chmod +x /etc/keytabs/create_keytab.sh + ENV HBASE_HOME=/opt/hbase ENV PATH=/usr/java/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/hbase/bin diff --git a/dev-support/ranger-docker/Dockerfile.ranger-hive b/dev-support/ranger-docker/Dockerfile.ranger-hive index 7fddfc001..2b52309ed 100644 --- a/dev-support/ranger-docker/Dockerfile.ranger-hive +++ b/dev-support/ranger-docker/Dockerfile.ranger-hive 
@@ -51,8 +51,13 @@ RUN tar xvfz /home/ranger/dist/apache-hive-${HIVE_VERSION}-bin.tar.gz --director ln -s /opt/ranger/ranger-${HIVE_PLUGIN_VERSION}-hive-plugin /opt/ranger/ranger-hive-plugin && \ rm -f /home/ranger/dist/ranger-${HIVE_PLUGIN_VERSION}-hive-plugin.tar.gz && \ cp -f /home/ranger/scripts/ranger-hive-plugin-install.properties /opt/ranger/ranger-hive-plugin/install.properties && \ + apt update && DEBIAN_FRONTEND="noninteractive" apt-get install -y krb5-user && mkdir -p /etc/keytabs && \ chmod 744 ${RANGER_SCRIPTS}/ranger-hive-setup.sh ${RANGER_SCRIPTS}/ranger-hive.sh +COPY config/kdc/krb5.conf /etc/krb5.conf +COPY config/kdc/create_keytab.sh /etc/keytabs/create_keytab.sh +RUN chmod +x /etc/keytabs/create_keytab.sh + ENV HIVE_HOME=/opt/hive ENV HADOOP_HOME=/opt/hadoop ENV PATH=/usr/java/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/hive/bin:/opt/hadoop/bin diff --git a/dev-support/ranger-docker/Dockerfile.ranger-kafka b/dev-support/ranger-docker/Dockerfile.ranger-kafka index 48c5789a7..bf2955923 100644 --- a/dev-support/ranger-docker/Dockerfile.ranger-kafka +++ b/dev-support/ranger-docker/Dockerfile.ranger-kafka 
@@ -37,8 +37,13 @@ RUN tar xvfz /home/ranger/dist/kafka_2.12-${KAFKA_VERSION}.tgz --directory=/opt/ ln -s /opt/ranger/ranger-${KAFKA_PLUGIN_VERSION}-kafka-plugin /opt/ranger/ranger-kafka-plugin && \ rm -f /home/ranger/dist/ranger-${KAFKA_PLUGIN_VERSION}-kafka-plugin.tar.gz && \ cp -f /home/ranger/scripts/ranger-kafka-plugin-install.properties /opt/ranger/ranger-kafka-plugin/install.properties && \ + apt update && DEBIAN_FRONTEND="noninteractive" apt-get install -y krb5-user && mkdir -p /etc/keytabs && \ chmod 744 ${RANGER_SCRIPTS}/ranger-kafka-setup.sh ${RANGER_SCRIPTS}/ranger-kafka.sh +COPY config/kdc/krb5.conf /etc/krb5.conf +COPY config/kdc/create_keytab.sh /etc/keytabs/create_keytab.sh +RUN chmod +x /etc/keytabs/create_keytab.sh + ENV KAFKA_HOME=/opt/kafka ENV PATH=/usr/java/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/kafka/bin diff --git a/dev-support/ranger-docker/scripts/ranger-kms.sh b/dev-support/ranger-docker/Dockerfile.ranger-kdc old mode 100755 new mode 100644 similarity index 52% copy from dev-support/ranger-docker/scripts/ranger-kms.sh copy to dev-support/ranger-docker/Dockerfile.ranger-kdc index be5519e40..0bf395882 --- a/dev-support/ranger-docker/scripts/ranger-kms.sh +++ b/dev-support/ranger-docker/Dockerfile.ranger-kdc @@ -1,5 +1,3 @@ -#!/bin/bash - # Licensed to the Apache Software Foundation (ASF) under one # or more contributor license agreements. See the NOTICE file # distributed with this work for additional information 
@@ -16,36 +14,29 @@ # See the License for the specific language governing permissions and # limitations under the License. +ARG RANGER_BASE_JAVA_VERSION=8 -if [ ! -e ${RANGER_HOME}/.setupDone ] -then - SETUP_RANGER=true -else - SETUP_RANGER=false -fi +FROM eclipse-temurin:${RANGER_BASE_JAVA_VERSION}-jdk-jammy -if [ "${SETUP_RANGER}" == "true" ] -then - cd "${RANGER_HOME}"/kms || exit - if ./setup.sh; - then - touch "${RANGER_HOME}"/.setupDone - else - echo "Ranger KMS Setup Script didn't complete proper execution." - fi -fi +ENV DEBIAN_FRONTEND=noninteractive +ENV REALM=EXAMPLE.COM +ENV KDC_HOST=kdc.example.com +ENV ADMIN_PRINCIPAL=admin/admin +ENV ADMIN_PASSWORD=rangerR0cks! +ENV MASTER_PASSWORD=rangerR0cks! -# delete PID file if exists -rm -f /var/run/ranger_kms/rangerkms.pid +# Install Kerberos components +RUN apt-get update && \ + apt-get install -y krb5-kdc krb5-admin-server krb5-user && \ + rm -rf /var/lib/apt/lists/* -cd ${RANGER_HOME}/kms && ./ranger-kms-services.sh start +# Copy configuration files +COPY config/kdc/krb5.conf /etc/krb5.conf +COPY config/kdc/kdc.conf /etc/krb5kdc/kdc.conf +COPY config/kdc/kadm5.acl /etc/krb5kdc/kadm5.acl +COPY config/kdc/entrypoint.sh /entrypoint.sh +RUN chmod +x /entrypoint.sh -RANGER_KMS_PID=`ps -ef | grep -v grep | grep "Dproc_rangerkms" | awk '{print $2}'` +EXPOSE 88/tcp 88/udp 749/tcp -# prevent the container from exiting -if [ -z "$RANGER_KMS_PID" ] -then - echo "Ranger KMS process probably exited, no process id found!" -else - tail --pid=$RANGER_KMS_PID -f /dev/null -fi +ENTRYPOINT ["/entrypoint.sh"] diff --git a/dev-support/ranger-docker/Dockerfile.ranger-kms b/dev-support/ranger-docker/Dockerfile.ranger-kms index 55401ef60..eb8e967f4 100644 --- a/dev-support/ranger-docker/Dockerfile.ranger-kms +++ b/dev-support/ranger-docker/Dockerfile.ranger-kms 
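Review bot: `REALM`, `KDC_HOST`, `MASTER_PASSWORD`, `ADMIN_PRINCIPAL` and `ADMIN_PASSWORD` are set with `ENV` only, while docker-compose.ranger-kdc.yml passes the same names as build `args:` taken from `.env`; without matching `ARG` declarations the build args are discarded and the `ENV` defaults always win, so editing `.env` has no effect on the KDC. One visible consequence is that `KDC_HOST` is `kdc.example.com` here but `ranger-kdc.example.com` in `.env`, in entrypoint.sh's default and in the compose `hostname:`. Declaring each value as an `ARG` with the default and promoting it to `ENV` fixes the wiring; since entrypoint.sh already reads these from the environment with defaults, the passwords could alternatively be dropped from the image entirely and supplied under `environment:` at run time, which keeps them out of `docker image inspect`.
```dockerfile
ARG RANGER_BASE_JAVA_VERSION=8

FROM eclipse-temurin:${RANGER_BASE_JAVA_VERSION}-jdk-jammy

# build-time overrides come from docker-compose.ranger-kdc.yml (args: from .env);
# an undeclared build arg is silently ignored, hence the ARG before each ENV
ARG REALM=EXAMPLE.COM
ARG KDC_HOST=ranger-kdc.example.com
ARG ADMIN_PRINCIPAL=admin/admin
ARG ADMIN_PASSWORD=rangerR0cks!
ARG MASTER_PASSWORD=rangerR0cks!

ENV DEBIAN_FRONTEND=noninteractive
ENV REALM=${REALM} \
    KDC_HOST=${KDC_HOST} \
    ADMIN_PRINCIPAL=${ADMIN_PRINCIPAL} \
    ADMIN_PASSWORD=${ADMIN_PASSWORD} \
    MASTER_PASSWORD=${MASTER_PASSWORD}

# … unchanged: krb5 package install, COPY of config/kdc files, EXPOSE, ENTRYPOINT …
```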
@@ -39,8 +39,13 @@ RUN tar xvfz /home/ranger/dist/ranger-${KMS_VERSION}-kms.tar.gz --directory=${RA ln -s /etc/init.d/ranger-kms /etc/rc3.d/K90ranger-kms && \ ln -s ${RANGER_HOME}/kms/ranger-kms-services.sh /usr/bin/ranger-kms-services.sh && \ chown -R rangerkms:ranger ${RANGER_HOME}/kms/ ${RANGER_SCRIPTS}/ /var/run/ranger_kms/ /var/log/ranger/ && \ + apt update && DEBIAN_FRONTEND="noninteractive" apt-get install -y krb5-user && mkdir -p /etc/keytabs && \ chmod 744 ${RANGER_SCRIPTS}/ranger-kms.sh +COPY config/kdc/krb5.conf /etc/krb5.conf +COPY config/kdc/create_keytab.sh /etc/keytabs/create_keytab.sh +RUN chmod +x /etc/keytabs/create_keytab.sh + FROM ranger-kms AS ranger_postgres COPY ./downloads/postgresql-42.2.16.jre7.jar /home/ranger/dist/ RUN mv /home/ranger/dist/postgresql-42.2.16.jre7.jar /usr/share/java/postgresql.jar diff --git a/dev-support/ranger-docker/Dockerfile.ranger-knox b/dev-support/ranger-docker/Dockerfile.ranger-knox index 653af09ee..9b4f4805c 100644 --- a/dev-support/ranger-docker/Dockerfile.ranger-knox +++ b/dev-support/ranger-docker/Dockerfile.ranger-knox @@ -40,8 +40,13 @@ RUN tar xvfz /home/ranger/dist/knox-${KNOX_VERSION}.tar.gz --directory=/opt/ && rm -f /home/ranger/dist/ranger-${KNOX_PLUGIN_VERSION}-knox-plugin.tar.gz && \ cp -f /home/ranger/scripts/ranger-knox-plugin-install.properties /opt/ranger/ranger-knox-plugin/install.properties && \ cp -f /home/ranger/scripts/ranger-knox-sandbox.xml /opt/knox/conf/topologies/sandbox.xml && \ + apt update && DEBIAN_FRONTEND="noninteractive" apt-get install -y krb5-user && mkdir -p /etc/keytabs && \ chmod 744 ${RANGER_SCRIPTS}/ranger-knox-setup.sh ${RANGER_SCRIPTS}/ranger-knox.sh ${RANGER_SCRIPTS}/ranger-knox-expect.py +COPY config/kdc/krb5.conf /etc/krb5.conf +COPY config/kdc/create_keytab.sh /etc/keytabs/create_keytab.sh +RUN chmod +x /etc/keytabs/create_keytab.sh + ENV KNOX_HOME=/opt/knox ENV PATH=/usr/java/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/knox/bin 
diff --git a/dev-support/ranger-docker/Dockerfile.ranger-solr b/dev-support/ranger-docker/Dockerfile.ranger-solr index 8b212d4c5..02f9d04cc 100644 --- a/dev-support/ranger-docker/Dockerfile.ranger-solr +++ b/dev-support/ranger-docker/Dockerfile.ranger-solr @@ -23,4 +23,10 @@ RUN mkdir -p /opt/solr/server/solr/configsets/ranger_audits/conf COPY config/solr-ranger_audits/* /opt/solr/server/solr/configsets/ranger_audits/conf/ RUN chown -R solr:solr /opt/solr/server/solr/configsets/ranger_audits/ +RUN apt update && DEBIAN_FRONTEND="noninteractive" apt-get install -y krb5-user && mkdir -p /etc/keytabs + +COPY config/kdc/krb5.conf /etc/krb5.conf +COPY config/kdc/create_keytab.sh /etc/keytabs/create_keytab.sh +RUN chmod +x /etc/keytabs/create_keytab.sh + USER solr diff --git a/dev-support/ranger-docker/Dockerfile.ranger-tagsync b/dev-support/ranger-docker/Dockerfile.ranger-tagsync index 59efb40eb..31d610982 100644 --- a/dev-support/ranger-docker/Dockerfile.ranger-tagsync +++ b/dev-support/ranger-docker/Dockerfile.ranger-tagsync @@ -43,8 +43,13 @@ RUN tar xvfz /home/ranger/dist/ranger-${TAGSYNC_VERSION}-tagsync.tar.gz --direct ln -s /etc/init.d/ranger-tagsync /etc/rc3.d/K00ranger-tagsync && \ ln -s ${RANGER_HOME}/tagsync/ranger-tagsync-services.sh /usr/bin/ranger-tagsync-services.sh && \ chown -R ranger:ranger ${RANGER_HOME}/tagsync/ ${RANGER_SCRIPTS}/ /var/run/ranger/ /var/log/ranger/ /etc/ranger /etc/init.d/ranger-tagsync && \ + apt update && DEBIAN_FRONTEND="noninteractive" apt-get install -y krb5-user && mkdir -p /etc/keytabs && \ chmod 744 ${RANGER_SCRIPTS}/ranger-tagsync.sh +COPY config/kdc/krb5.conf /etc/krb5.conf +COPY config/kdc/create_keytab.sh /etc/keytabs/create_keytab.sh +RUN chmod +x /etc/keytabs/create_keytab.sh + USER ranger ENTRYPOINT [ "/home/ranger/scripts/ranger-tagsync.sh" ] diff --git a/dev-support/ranger-docker/Dockerfile.ranger-usersync b/dev-support/ranger-docker/Dockerfile.ranger-usersync index 9b164cad0..47d7b102e 100644 
--- a/dev-support/ranger-docker/Dockerfile.ranger-usersync +++ b/dev-support/ranger-docker/Dockerfile.ranger-usersync @@ -42,8 +42,13 @@ RUN tar xvfz /home/ranger/dist/ranger-${USERSYNC_VERSION}-usersync.tar.gz --dire ln -s /etc/init.d/ranger-usersync /etc/rc3.d/K00ranger-usersync && \ ln -s ${RANGER_HOME}/usersync/ranger-usersync-services.sh /usr/bin/ranger-usersync && \ chown -R ranger:ranger ${RANGER_HOME}/usersync/ ${RANGER_SCRIPTS}/ /var/run/ranger/ /var/log/ranger/ /etc/ranger /etc/init.d/ranger-usersync && \ + apt update && DEBIAN_FRONTEND="noninteractive" apt-get install -y krb5-user && mkdir -p /etc/keytabs && \ chmod 744 ${RANGER_SCRIPTS}/ranger-usersync.sh +COPY config/kdc/krb5.conf /etc/krb5.conf +COPY config/kdc/create_keytab.sh /etc/keytabs/create_keytab.sh +RUN chmod +x /etc/keytabs/create_keytab.sh + USER ranger ENTRYPOINT [ "/home/ranger/scripts/ranger-usersync.sh" ] diff --git a/dev-support/ranger-docker/Dockerfile.ranger-solr b/dev-support/ranger-docker/config/kdc/create_keytab.sh old mode 100644 new mode 100755 similarity index 56% copy from dev-support/ranger-docker/Dockerfile.ranger-solr copy to dev-support/ranger-docker/config/kdc/create_keytab.sh index 8b212d4c5..ab7b00f72 --- a/dev-support/ranger-docker/Dockerfile.ranger-solr +++ b/dev-support/ranger-docker/config/kdc/create_keytab.sh @@ -1,3 +1,5 @@ +#!/bin/bash + # Licensed to the Apache Software Foundation (ASF) under one # or more contributor license agreements. See the NOTICE file # distributed with this work for additional information 
@@ -14,13 +16,26 @@ # See the License for the specific language governing permissions and # limitations under the License. -ARG SOLR_VERSION -FROM solr:${SOLR_VERSION} +ADMIN_PRINCIPAL=admin/admin +ADMIN_PASSWORD=rangerR0cks! + +PRINCIPAL_NAME=$1 +KEYTAB_DIR=$2 +KEYTAB_OWNER=$3 + +PRINCIPAL=${PRINCIPAL_NAME}/`hostname -f` +KEYTAB=${KEYTAB_DIR}/${PRINCIPAL_NAME}.keytab + +echo "Creating Kerberos principal ${PRINCIPAL} .." +echo ${ADMIN_PASSWORD} | kadmin -p ${ADMIN_PRINCIPAL} -q "addprinc -randkey ${PRINCIPAL}" + +mkdir -p ${KEYTAB_DIR} -# Copy audit config set -USER 0 -RUN mkdir -p /opt/solr/server/solr/configsets/ranger_audits/conf -COPY config/solr-ranger_audits/* /opt/solr/server/solr/configsets/ranger_audits/conf/ -RUN chown -R solr:solr /opt/solr/server/solr/configsets/ranger_audits/ +echo "Creating keytab for principal ${PRINCIPAL} .." +echo ${ADMIN_PASSWORD} | kadmin -p ${ADMIN_PRINCIPAL} -q "ktadd -k ${KEYTAB} ${PRINCIPAL}" -USER solr +if [ "${KEYTAB_OWNER}" != "" ] +then + chmod 400 ${KEYTAB} + chown ${KEYTAB_OWNER} ${KEYTAB} +fi diff --git a/dev-support/ranger-docker/config/kdc/entrypoint.sh b/dev-support/ranger-docker/config/kdc/entrypoint.sh new file mode 100644 index 000000000..8d35e16f6 --- /dev/null +++ b/dev-support/ranger-docker/config/kdc/entrypoint.sh 
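Review bot: The script runs on with no error checking: if `kadmin ... addprinc` or `ktadd` fails (KDC not reachable yet, wrong admin password) it still prints "Creating keytab", exits 0, and the calling ranger-*.sh scripts continue their setup with a missing keytab. `$1` and `$2` are never validated, so a call with a missing argument yields `PRINCIPAL=/<host>` and a keytab at `/.keytab`, and `chmod 400` is only applied when an owner is given, leaving an owner-less keytab with whatever mode ktadd used. The kadmin admin principal and password are also hard-coded here rather than taken from the `KERBEROS_ADMIN_*` values this commit adds to `.env`; reading them from the environment with the current values as fallback keeps today's behaviour while letting a deployment override them (the service compose files would then need to pass them under `environment:`). The rewrite below adds `set -e`, argument checks, quoting and a final existence check on the keytab, since I am not certain that `kadmin -q` returns a non-zero status for a failed query on every krb5 version.
```shell
# … unchanged: shebang, license header …

set -e

# admin credentials: overridable from the environment, defaults match .env
ADMIN_PRINCIPAL=${KERBEROS_ADMIN_PRINCIPAL:-admin/admin}
ADMIN_PASSWORD=${KERBEROS_ADMIN_PASSWORD:-rangerR0cks!}

PRINCIPAL_NAME=${1:?usage: $0 <principal-name> <keytab-dir> [owner[:group]]}
KEYTAB_DIR=${2:?usage: $0 <principal-name> <keytab-dir> [owner[:group]]}
KEYTAB_OWNER=${3:-}

PRINCIPAL="${PRINCIPAL_NAME}/$(hostname -f)"
KEYTAB="${KEYTAB_DIR}/${PRINCIPAL_NAME}.keytab"

echo "Creating Kerberos principal ${PRINCIPAL} .."
printf '%s\n' "${ADMIN_PASSWORD}" | kadmin -p "${ADMIN_PRINCIPAL}" -q "addprinc -randkey ${PRINCIPAL}"

mkdir -p "${KEYTAB_DIR}"

echo "Creating keytab for principal ${PRINCIPAL} .."
printf '%s\n' "${ADMIN_PASSWORD}" | kadmin -p "${ADMIN_PRINCIPAL}" -q "ktadd -k ${KEYTAB} ${PRINCIPAL}"

# kadmin's exit status for a failed query is not something I would rely on; check the artifact
if [ ! -s "${KEYTAB}" ]; then
  echo "keytab ${KEYTAB} was not created" >&2
  exit 1
fi

chmod 400 "${KEYTAB}"
if [ -n "${KEYTAB_OWNER}" ]; then
  chown "${KEYTAB_OWNER}" "${KEYTAB}"
fi
```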
@@ -0,0 +1,61 @@ +#!/bin/bash + +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -e + +REALM="${REALM:-EXAMPLE.COM}" +KDC_HOST="${KDC_HOST:-ranger-kdc.example.com}" +MASTER_PASSWORD="${MASTER_PASSWORD:-masterpassword}" +ADMIN_PRINC="${ADMIN_PRINCIPAL:-admin/admin}" +ADMIN_PASSWORD="${ADMIN_PASSWORD:-adminpassword}" + +DB_DIR=/var/kerberos/krb5kdc + +# ensure directories +mkdir -p $DB_DIR +chown -R root.root /etc/krb5kdc || true +chown -R root.root $DB_DIR || true + +if [ ! -f $DB_DIR/principal ]; then + echo "=== Creating KDC database for realm $REALM ===" + # create DB noninteractive + echo "$MASTER_PASSWORD" | kdb5_util create -s -r $REALM -P "$MASTER_PASSWORD" + # create admin principal + kadmin.local -q "addprinc -pw $ADMIN_PASSWORD $ADMIN_PRINC@${REALM}" + # add kadmind keytab + kadmin.local -q "ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/admin@$REALM" + echo "Database initialized" +else + echo "KDC DB already exists; skipping create" +fi + +# Ensure ownership and perms +chown -R root:root /var/kerberos +chmod 700 /var/kerberos/krb5kdc + +# start krb5kdc in foreground and then kadmind +echo "Starting krb5kdc..." +/usr/sbin/krb5kdc -n & +KDC_PID=$! + +echo "Starting kadmind..." 
+/usr/sbin/kadmind -nofork +# if kadmind exits, bring down krb5kdc +kill $KDC_PID || true +wait $KDC_PID || true + diff --git a/dev-support/ranger-docker/config/kdc/kadm5.acl b/dev-support/ranger-docker/config/kdc/kadm5.acl new file mode 100644 index 000000000..d24b163f1 --- /dev/null +++ b/dev-support/ranger-docker/config/kdc/kadm5.acl @@ -0,0 +1 @@ +*/[email protected] * diff --git a/dev-support/ranger-docker/config/kdc/kdc.conf b/dev-support/ranger-docker/config/kdc/kdc.conf new file mode 100644 index 000000000..0da32e22a --- /dev/null +++ b/dev-support/ranger-docker/config/kdc/kdc.conf @@ -0,0 +1,16 @@ +[kdcdefaults] + kdc_ports = 88 + kdc_tcp_ports = 88 + +[realms] + EXAMPLE.COM = { + # where the DB will be stored + database_name = /var/kerberos/krb5kdc/principal + admin_keytab = /etc/krb5kdc/kadm5.keytab + acl_file = /etc/krb5kdc/kadm5.acl + dict_file = /usr/share/dict/words + key_stash_file = /var/kerberos/krb5kdc/.k5.EXAMPLE.COM + max_life = 24h 0m 0s + max_renewable_life = 7d 0h 0m 0s + } + diff --git a/dev-support/ranger-docker/config/kdc/krb5.conf b/dev-support/ranger-docker/config/kdc/krb5.conf new file mode 100644 index 000000000..5fa04110f --- /dev/null +++ b/dev-support/ranger-docker/config/kdc/krb5.conf @@ -0,0 +1,17 @@ +[libdefaults] + default_realm = EXAMPLE.COM + dns_lookup_kdc = false + dns_lookup_realm = false + ticket_lifetime = 24h + forwardable = true + +[realms] + EXAMPLE.COM = { + kdc = ranger-kdc.example.com + admin_server = ranger-kdc.example.com + } + +[domain_realm] + .example.com = EXAMPLE.COM + example.com = EXAMPLE.COM + diff --git a/dev-support/ranger-docker/docker-compose.ranger-hadoop.yml b/dev-support/ranger-docker/docker-compose.ranger-hadoop.yml index dacbbf0cc..132ec80e1 100644 --- a/dev-support/ranger-docker/docker-compose.ranger-hadoop.yml +++ b/dev-support/ranger-docker/docker-compose.ranger-hadoop.yml 
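Review bot: Only kadmind's exit is handled at the end of the script (`kill $KDC_PID` after `kadmind -nofork` returns); if krb5kdc itself dies the container keeps running without a KDC, and because bash is PID 1 here with no handler installed, the SIGTERM from `docker stop` is not forwarded to either daemon, so the container only goes down with the SIGKILL after the grace period. Running both daemons in the background, trapping TERM/INT, and leaving as soon as either one exits (`wait -n`) fixes both; sketch below. Two smaller points in the same hunk: `echo "$MASTER_PASSWORD" | kdb5_util create ... -P "$MASTER_PASSWORD"` both pipes and passes the master password, and with `-P` given the pipe is dead, so one of the two should go; and `chown -R root.root` uses the deprecated `user.group` form while the script later writes `root:root`. `KDC_HOST` is assigned but never used (ShellCheck SC2034).
```shell
# … unchanged: license header, variable defaults, directory setup, DB creation, ownership …

# bash as PID 1 does not forward signals; relay docker stop to both daemons
shutdown() {
  kill "$KDC_PID" "$KADMIND_PID" 2>/dev/null || true
}
trap shutdown TERM INT

echo "Starting krb5kdc..."
/usr/sbin/krb5kdc -n &
KDC_PID=$!

echo "Starting kadmind..."
/usr/sbin/kadmind -nofork &
KADMIND_PID=$!

# leave as soon as either daemon exits, then bring the other one down
wait -n || true
shutdown
wait
```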
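Review bot: As rendered here the single ACL entry reads `*/[email protected] *`, which looks like mail-client address obfuscation of an `*/admin@<REALM>` principal; worth confirming against the repository, since this one line is the whole admin ACL. Whatever the realm, the trailing `*` grants every principal whose instance is `admin` full kadmin rights, and the admin password is shipped inside `create_keytab.sh` in every service image, so any service container can add, delete or re-key principals in the realm. That is acceptable for a throwaway dev realm, but a comment line stating it, e.g. `# dev-only realm: every <name>/admin principal gets all kadmin privileges`, would keep someone from copying this file into a real deployment.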
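Review bot: `dict_file = /usr/share/dict/words` points at a file that Dockerfile.ranger-kdc does not install (its apt line only pulls `krb5-kdc krb5-admin-server krb5-user`), so as far as I can tell kadmind will log that the dictionary cannot be opened on every start; either drop the line or install a wordlist package. The remaining paths (`database_name`, `key_stash_file`, `admin_keytab`, `acl_file`) match what entrypoint.sh creates, so nothing else to raise there. The realm name is hard-coded to `EXAMPLE.COM` in this file, in krb5.conf and in kadm5.acl, so the `KERBEROS_REALM` value in `.env` cannot actually change it; a comment saying so would save confusion: `# realm is fixed by this file, kadm5.acl and krb5.conf; KERBEROS_REALM in .env is not applied`.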
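Review bot: Service principals are created as `<svc>/$(hostname -f)` by create_keytab.sh, so clients must canonicalize to the compose `hostname:` values; inside a Docker network the reverse lookup of a container IP may not return that name, in which case `rdns` (default true) makes the client ask for a different service principal and authentication fails with a "server not found in Kerberos database" style error. Adding `rdns = false` under `[libdefaults]` avoids this, and is consistent with `dns_lookup_kdc = false` already pinning the KDC by name. `forwardable = true` and the 24h `ticket_lifetime` line up with `max_life` in kdc.conf, so no conflict there.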
@@ -9,6 +9,7 @@ services: - HADOOP_VERSION=${HADOOP_VERSION} - HDFS_PLUGIN_VERSION=${HDFS_PLUGIN_VERSION} - YARN_PLUGIN_VERSION=${YARN_PLUGIN_VERSION} + - KERBEROS_ENABLED=${KERBEROS_ENABLED} image: ranger-hadoop container_name: ranger-hadoop hostname: ranger-hadoop.example.com @@ -32,6 +33,7 @@ services: - HADOOP_VERSION - HDFS_PLUGIN_VERSION - YARN_PLUGIN_VERSION + - KERBEROS_ENABLED networks: ranger: diff --git a/dev-support/ranger-docker/docker-compose.ranger-hbase.yml b/dev-support/ranger-docker/docker-compose.ranger-hbase.yml index e39bc7461..8e4e90bbf 100644 --- a/dev-support/ranger-docker/docker-compose.ranger-hbase.yml +++ b/dev-support/ranger-docker/docker-compose.ranger-hbase.yml @@ -8,6 +8,7 @@ services: - RANGER_BASE_VERSION=${RANGER_BASE_VERSION} - HBASE_VERSION=${HBASE_VERSION} - HBASE_PLUGIN_VERSION=${HBASE_PLUGIN_VERSION} + - KERBEROS_ENABLED=${KERBEROS_ENABLED} image: ranger-hbase container_name: ranger-hbase hostname: ranger-hbase.example.com @@ -28,6 +29,7 @@ services: environment: - HBASE_VERSION - HBASE_PLUGIN_VERSION + - KERBEROS_ENABLED networks: ranger: diff --git a/dev-support/ranger-docker/docker-compose.ranger-hive.yml b/dev-support/ranger-docker/docker-compose.ranger-hive.yml index 5815a472d..f2bddc924 100644 --- a/dev-support/ranger-docker/docker-compose.ranger-hive.yml +++ b/dev-support/ranger-docker/docker-compose.ranger-hive.yml @@ -10,6 +10,7 @@ services: - HIVE_VERSION=${HIVE_VERSION} - HIVE_PLUGIN_VERSION=${HIVE_PLUGIN_VERSION} - RANGER_DB_TYPE=${RANGER_DB_TYPE} + - KERBEROS_ENABLED=${KERBEROS_ENABLED} image: ranger-hive container_name: ranger-hive hostname: ranger-hive.example.com @@ -31,6 +32,7 @@ services: - HIVE_VERSION - HIVE_PLUGIN_VERSION - RANGER_DB_TYPE + - KERBEROS_ENABLED networks: ranger: diff --git a/dev-support/ranger-docker/docker-compose.ranger-kafka.yml b/dev-support/ranger-docker/docker-compose.ranger-kafka.yml index 72fe904b1..6f5c77bb6 100644 --- a/dev-support/ranger-docker/docker-compose.ranger-kafka.yml 
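Review bot: `KERBEROS_ENABLED` is added under build `args:` as well as `environment:`, but the flag is only consulted at run time by ranger-hadoop.sh, and the Dockerfile.ranger-hadoop hunk in this commit declares no `ARG KERBEROS_ENABLED` (an ARG could exist outside the visible lines, but nothing in the hunk uses it); an undeclared build arg is discarded with a warning, so the `args:` line is dead weight and only the `environment:` entry is needed. The same pair is added for the hbase, hive, kafka, kms, knox, tagsync, trino, usersync, ranger, ranger-zk and ranger-solr services. Nothing orders these containers after ranger-kdc — the KDC lives in a separate compose file and no `depends_on` is added — so `create_keytab.sh` can run before the KDC accepts connections, and because that script does not currently fail the setup when kadmin fails, the problem would surface only later as a missing keytab.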
+++ b/dev-support/ranger-docker/docker-compose.ranger-kafka.yml @@ -8,6 +8,7 @@ services: - RANGER_BASE_VERSION=${RANGER_BASE_VERSION} - KAFKA_VERSION=${KAFKA_VERSION} - KAFKA_PLUGIN_VERSION=${KAFKA_PLUGIN_VERSION} + - KERBEROS_ENABLED=${KERBEROS_ENABLED} image: ranger-kafka container_name: ranger-kafka hostname: ranger-kafka.example.com @@ -25,6 +26,7 @@ services: environment: - KAFKA_VERSION - KAFKA_PLUGIN_VERSION + - KERBEROS_ENABLED networks: ranger: diff --git a/dev-support/ranger-docker/docker-compose.ranger-kdc.yml b/dev-support/ranger-docker/docker-compose.ranger-kdc.yml new file mode 100644 index 000000000..14012199f --- /dev/null +++ b/dev-support/ranger-docker/docker-compose.ranger-kdc.yml @@ -0,0 +1,24 @@ +services: + ranger-kdc: + build: + context: . + dockerfile: Dockerfile.ranger-kdc + args: + - REALM=${KERBEROS_REALM} + - KDC_HOST=${KERBEROS_KDC_HOST} + - MASTER_PASSWORD=${KERBEROS_MASTER_PASSWORD} + - ADMIN_PRINCIPAL=${KERBEROS_ADMIN_PRINCIPAL} + - ADMIN_PASSWORD=${KERBEROS_ADMIN_PASSWORD} + image: ranger-kdc:latest + container_name: ranger-kdc + hostname: ranger-kdc.example.com + networks: + - ranger + ports: + - "88:88" + - "88:88/udp" + - "749:749" + +networks: + ranger: + name: rangernw diff --git a/dev-support/ranger-docker/docker-compose.ranger-kms.yml b/dev-support/ranger-docker/docker-compose.ranger-kms.yml index 82cd619f0..0a0a743e6 100644 --- a/dev-support/ranger-docker/docker-compose.ranger-kms.yml +++ b/dev-support/ranger-docker/docker-compose.ranger-kms.yml @@ -8,6 +8,7 @@ services: - RANGER_BASE_VERSION=${RANGER_BASE_VERSION} - KMS_VERSION=${KMS_VERSION} - RANGER_DB_TYPE=${RANGER_DB_TYPE} + - KERBEROS_ENABLED=${KERBEROS_ENABLED} image: ranger-kms:latest container_name: ranger-kms hostname: ranger-kms.example.com @@ -23,6 +24,7 @@ services: environment: - KMS_VERSION - RANGER_DB_TYPE + - KERBEROS_ENABLED command: - /home/ranger/scripts/ranger-kms.sh 
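Review bot: The ranger-kdc service publishes 88/tcp, 88/udp and 749/tcp on every host interface, although every Kerberos client in this setup is on the `rangernw` network and the realm uses a fixed, committed admin password; either drop the `ports:` block or bind it locally, e.g. `- "127.0.0.1:88:88"`, `- "127.0.0.1:88:88/udp"`, `- "127.0.0.1:749:749"`. The KDC database under `/var/kerberos/krb5kdc` is not on a volume, so each recreate of the container (or image rebuild) regenerates the realm with new random service keys, and keytabs previously written by the service containers stop working until those containers are set up again; a named volume for that directory would let the realm survive. A short comment on the service noting the intended lifetime of the realm would make that trade-off explicit either way.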
diff --git a/dev-support/ranger-docker/docker-compose.ranger-knox.yml b/dev-support/ranger-docker/docker-compose.ranger-knox.yml index 6cb16d288..3f6ed0c01 100644 --- a/dev-support/ranger-docker/docker-compose.ranger-knox.yml +++ b/dev-support/ranger-docker/docker-compose.ranger-knox.yml @@ -8,6 +8,7 @@ services: - RANGER_BASE_VERSION=${RANGER_BASE_VERSION} - KNOX_VERSION=${KNOX_VERSION} - KNOX_PLUGIN_VERSION=${KNOX_PLUGIN_VERSION} + - KERBEROS_ENABLED=${KERBEROS_ENABLED} image: ranger-knox container_name: ranger-knox hostname: ranger-knox.example.com @@ -25,6 +26,7 @@ services: environment: - KNOX_VERSION - KNOX_PLUGIN_VERSION + - KERBEROS_ENABLED networks: ranger: diff --git a/dev-support/ranger-docker/docker-compose.ranger-tagsync.yml b/dev-support/ranger-docker/docker-compose.ranger-tagsync.yml index 3bf4ba9e8..faa6a2807 100644 --- a/dev-support/ranger-docker/docker-compose.ranger-tagsync.yml +++ b/dev-support/ranger-docker/docker-compose.ranger-tagsync.yml @@ -7,6 +7,7 @@ services: - RANGER_BASE_IMAGE=${RANGER_BASE_IMAGE} - RANGER_BASE_VERSION=${RANGER_BASE_VERSION} - TAGSYNC_VERSION=${TAGSYNC_VERSION} + - KERBEROS_ENABLED=${KERBEROS_ENABLED} image: ranger-tagsync container_name: ranger-tagsync hostname: ranger-tagsync.example.com @@ -20,6 +21,7 @@ services: environment: - TAGSYNC_VERSION - DEBUG_TAGSYNC=${DEBUG_TAGSYNC:-false} + - KERBEROS_ENABLED networks: ranger: diff --git a/dev-support/ranger-docker/docker-compose.ranger-trino.yml b/dev-support/ranger-docker/docker-compose.ranger-trino.yml index 5a899b99a..3239c4b69 100644 --- a/dev-support/ranger-docker/docker-compose.ranger-trino.yml +++ b/dev-support/ranger-docker/docker-compose.ranger-trino.yml @@ -6,6 +6,7 @@ services: args: - TRINO_PLUGIN_VERSION=${TRINO_PLUGIN_VERSION} - TRINO_VERSION=${TRINO_VERSION} + - KERBEROS_ENABLED=${KERBEROS_ENABLED} image: ranger-trino hostname: ranger-trino container_name: ranger-trino 
@@ -21,6 +22,7 @@ services: environment: - TRINO_PLUGIN_VERSION - TRINO_VERSION + - KERBEROS_ENABLED networks: ranger: diff --git a/dev-support/ranger-docker/docker-compose.ranger-usersync.yml b/dev-support/ranger-docker/docker-compose.ranger-usersync.yml index 49238f674..a07e8b486 100644 --- a/dev-support/ranger-docker/docker-compose.ranger-usersync.yml +++ b/dev-support/ranger-docker/docker-compose.ranger-usersync.yml @@ -7,6 +7,7 @@ services: - RANGER_BASE_IMAGE=${RANGER_BASE_IMAGE} - RANGER_BASE_VERSION=${RANGER_BASE_VERSION} - USERSYNC_VERSION=${USERSYNC_VERSION} + - KERBEROS_ENABLED=${KERBEROS_ENABLED} image: ranger-usersync container_name: ranger-usersync hostname: ranger-usersync.example.com @@ -21,6 +22,7 @@ services: - USERSYNC_VERSION - ENABLE_FILE_SYNC_SOURCE - DEBUG_USERSYNC=${DEBUG_USERSYNC:-false} + - KERBEROS_ENABLED networks: ranger: diff --git a/dev-support/ranger-docker/docker-compose.ranger.yml b/dev-support/ranger-docker/docker-compose.ranger.yml index a81299682..49fcec642 100644 --- a/dev-support/ranger-docker/docker-compose.ranger.yml +++ b/dev-support/ranger-docker/docker-compose.ranger.yml @@ -8,6 +8,7 @@ services: - RANGER_BASE_VERSION=${RANGER_BASE_VERSION} - RANGER_VERSION=${RANGER_VERSION} - RANGER_DB_TYPE=${RANGER_DB_TYPE} + - KERBEROS_ENABLED=${KERBEROS_ENABLED} image: ranger:latest container_name: ranger hostname: ranger.example.com @@ -27,6 +28,7 @@ services: environment: - RANGER_VERSION - RANGER_DB_TYPE + - KERBEROS_ENABLED - DEBUG_ADMIN=${DEBUG_ADMIN:-false} command: - /home/ranger/scripts/ranger.sh @@ -42,13 +44,18 @@ services: dockerfile: Dockerfile.ranger-zk args: - ZK_VERSION=${ZK_VERSION} + - KERBEROS_ENABLED=${KERBEROS_ENABLED} image: ranger-zk container_name: ranger-zk hostname: ranger-zk.example.com + volumes: + - ./config/kdc/keytabs:/etc/keytabs networks: - ranger ports: - "2181:2181" + environment: + - KERBEROS_ENABLED ranger-solr: build: 
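Review bot: `ranger-zk` here and `ranger-solr` in the next hunk bind-mount `./config/kdc/keytabs` onto `/etc/keytabs`, but this commit adds no `config/kdc/keytabs` directory, so Docker creates it on the host as a root-owned directory, and for ranger-solr the mount hides `/etc/keytabs/create_keytab.sh`, which Dockerfile.ranger-solr copies to exactly that path. Mount the shared keytabs at a different path (say `/etc/keytabs/shared`) or keep the script outside `/etc/keytabs`, and add the directory with a `.gitkeep` so its ownership is not left to the daemon. `Dockerfile.ranger-zk` is not touched by this commit, so the `KERBEROS_ENABLED` build arg and the mount have no consumer on the ZooKeeper side yet; if that is planned follow-up work, a comment on the service saying so would help.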
@@ -56,13 +63,18 @@ services: dockerfile: Dockerfile.ranger-solr args: - SOLR_VERSION=${SOLR_VERSION} + - KERBEROS_ENABLED=${KERBEROS_ENABLED} image: ranger-solr container_name: ranger-solr hostname: ranger-solr.example.com + volumes: + - ./config/kdc/keytabs:/etc/keytabs networks: - ranger ports: - "8983:8983" + environment: + - KERBEROS_ENABLED command: - solr-precreate - ranger_audits diff --git a/dev-support/ranger-docker/scripts/ranger-admin-install-mysql.properties b/dev-support/ranger-docker/scripts/ranger-admin-install-mysql.properties index 4f4ed5898..6b927d6a1 100644 --- a/dev-support/ranger-docker/scripts/ranger-admin-install-mysql.properties +++ b/dev-support/ranger-docker/scripts/ranger-admin-install-mysql.properties @@ -90,3 +90,12 @@ STALE_PATCH_ENTRY_HOLD_TIME=10 hadoop_conf= authentication_method=UNIX + +#------------ Kerberos Config ----------------- +spnego_principal=HTTP/_HOST@REALM +spnego_keytab=/etc/keytabs/HTTP.keytab +token_valid=30 +admin_principal=rangeradmin/_HOST@REALM +admin_keytab=/etc/keytabs/rangeradmin.keytab +lookup_principal=rangerlookup/_HOST@REALM +lookup_keytab=/etc/keytabs/rangerlookup.keytab diff --git a/dev-support/ranger-docker/scripts/ranger-admin-install-oracle.properties b/dev-support/ranger-docker/scripts/ranger-admin-install-oracle.properties index dfc3c5504..1bfaca6f4 100644 --- a/dev-support/ranger-docker/scripts/ranger-admin-install-oracle.properties +++ b/dev-support/ranger-docker/scripts/ranger-admin-install-oracle.properties @@ -91,3 +91,12 @@ STALE_PATCH_ENTRY_HOLD_TIME=10 hadoop_conf= authentication_method=UNIX + +#------------ Kerberos Config ----------------- +spnego_principal=HTTP/_HOST@REALM +spnego_keytab=/etc/keytabs/HTTP.keytab +token_valid=30 +admin_principal=rangeradmin/_HOST@REALM +admin_keytab=/etc/keytabs/rangeradmin.keytab +lookup_principal=rangerlookup/_HOST@REALM +lookup_keytab=/etc/keytabs/rangerlookup.keytab 
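Review bot: `spnego_principal=HTTP/_HOST@REALM`, `admin_principal=rangeradmin/_HOST@REALM` and `lookup_principal=rangerlookup/_HOST@REALM` use the literal string `REALM` where the realm this commit configures is `EXAMPLE.COM`; unless ranger.sh (whose hunk is not in view) substitutes it before `setup.sh` runs, Ranger Admin will look for principals in a realm named `REALM` that the KDC does not serve. If the substitution is intentional, a comment above the block, e.g. `# REALM is replaced by ranger.sh from KERBEROS_REALM before setup runs`, would make that contract visible. The same block is added to ranger-admin-install-oracle.properties, -postgres.properties and -sqlserver.properties. `authentication_method=UNIX` is kept, so these settings only affect SPNEGO and the service principals, which is presumably intended.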
diff --git a/dev-support/ranger-docker/scripts/ranger-admin-install-postgres.properties b/dev-support/ranger-docker/scripts/ranger-admin-install-postgres.properties index 26ba2b8ac..291d98527 100644 --- a/dev-support/ranger-docker/scripts/ranger-admin-install-postgres.properties +++ b/dev-support/ranger-docker/scripts/ranger-admin-install-postgres.properties @@ -90,3 +90,12 @@ STALE_PATCH_ENTRY_HOLD_TIME=10 hadoop_conf= authentication_method=UNIX + +#------------ Kerberos Config ----------------- +spnego_principal=HTTP/_HOST@REALM +spnego_keytab=/etc/keytabs/HTTP.keytab +token_valid=30 +admin_principal=rangeradmin/_HOST@REALM +admin_keytab=/etc/keytabs/rangeradmin.keytab +lookup_principal=rangerlookup/_HOST@REALM +lookup_keytab=/etc/keytabs/rangerlookup.keytab diff --git a/dev-support/ranger-docker/scripts/ranger-admin-install-sqlserver.properties b/dev-support/ranger-docker/scripts/ranger-admin-install-sqlserver.properties index b69e22d1e..7cf0d0bc6 100644 --- a/dev-support/ranger-docker/scripts/ranger-admin-install-sqlserver.properties +++ b/dev-support/ranger-docker/scripts/ranger-admin-install-sqlserver.properties @@ -97,3 +97,12 @@ STALE_PATCH_ENTRY_HOLD_TIME=10 hadoop_conf= authentication_method=UNIX + +#------------ Kerberos Config ----------------- +spnego_principal=HTTP/_HOST@REALM +spnego_keytab=/etc/keytabs/HTTP.keytab +token_valid=30 +admin_principal=rangeradmin/_HOST@REALM +admin_keytab=/etc/keytabs/rangeradmin.keytab +lookup_principal=rangerlookup/_HOST@REALM +lookup_keytab=/etc/keytabs/rangerlookup.keytab diff --git a/dev-support/ranger-docker/scripts/ranger-hadoop.sh b/dev-support/ranger-docker/scripts/ranger-hadoop.sh index 164c25add..616c0ff9b 100755 --- a/dev-support/ranger-docker/scripts/ranger-hadoop.sh +++ b/dev-support/ranger-docker/scripts/ranger-hadoop.sh @@ -17,6 +17,7 @@ # limitations under the License. CREATE_HDFS_DIR=false +KEYTABS_DIR=/opt/hadoop/keytabs if [ ! -e ${HADOOP_HOME}/.setupDone ] then 
@@ -34,6 +35,11 @@ then
 # pdsh is unavailable with microdnf in rhel based image.
 echo "ssh" > /etc/pdsh/rcmd_default
+ if [ "${KERBEROS_ENABLED}" == "true" ]
+ then
+ /etc/keytabs/create_keytab.sh hdfs ${KEYTABS_DIR} hdfs:hadoop
+ /etc/keytabs/create_keytab.sh yarn ${KEYTABS_DIR} yarn:hadoop
+ fi
 if "${RANGER_SCRIPTS}"/ranger-hadoop-setup.sh; then
@@ -63,4 +69,4 @@ then
 echo "The NameNode process probably exited, no process id found!"
 else
 tail --pid=$NAMENODE_PID -f /dev/null
-fi
\ No newline at end of file
+fi
diff --git a/dev-support/ranger-docker/scripts/ranger-hbase.sh b/dev-support/ranger-docker/scripts/ranger-hbase.sh
index 77b3dc0a6..0478251bb 100755
--- a/dev-support/ranger-docker/scripts/ranger-hbase.sh
+++ b/dev-support/ranger-docker/scripts/ranger-hbase.sh
@@ -16,6 +16,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+KEYTABS_DIR=/opt/hbase/keytabs
+
 if [ ! -e ${HBASE_HOME}/.setupDone ]
 then
 su -c "ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa" hbase
@@ -28,6 +30,10 @@ then
 # pdsh is unavailable with microdnf in rhel based image.
 echo "ssh" > /etc/pdsh/rcmd_default
+ if [ "${KERBEROS_ENABLED}" == "true" ]
+ then
+ /etc/keytabs/create_keytab.sh hbase ${KEYTABS_DIR} hbase:hadoop
+ fi
 if "${RANGER_SCRIPTS}"/ranger-hbase-setup.sh; then
diff --git a/dev-support/ranger-docker/scripts/ranger-hive.sh b/dev-support/ranger-docker/scripts/ranger-hive.sh
index 6e8dc4f84..dc5d95099 100755
--- a/dev-support/ranger-docker/scripts/ranger-hive.sh
+++ b/dev-support/ranger-docker/scripts/ranger-hive.sh
@@ -16,6 +16,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+KEYTABS_DIR=/opt/hive/keytabs
+
 if [ "${OS_NAME}" = "UBUNTU" ]; then
 service ssh start
 fi
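Review bot: The exit status of `/etc/keytabs/create_keytab.sh` is ignored on both new calls, so when keytab creation fails (KDC not yet reachable, kadmin error, missing mount) the script carries on into ranger-hadoop-setup.sh and the daemons start without usable credentials, which is much harder to diagnose later than an early exit. Fail fast instead, `/etc/keytabs/create_keytab.sh hdfs "${KEYTABS_DIR}" hdfs:hadoop || exit 1` and the same for yarn, quoting `"${KEYTABS_DIR}"` the way the rest of the file quotes `"${RANGER_SCRIPTS}"`. The same unchecked calls appear in ranger-hbase.sh, ranger-hive.sh, ranger-kafka.sh, ranger-kms.sh, ranger-knox.sh, ranger-tagsync.sh, ranger-usersync.sh and ranger.sh in this commit. The enclosing `if [ ! -e ${HADOOP_HOME}/.setupDone ]` block appears to begin before this hunk.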
@@ -38,6 +40,10 @@ then
 # pdsh is unavailable with microdnf in rhel based image.
 echo "ssh" > /etc/pdsh/rcmd_default
+ if [ "${KERBEROS_ENABLED}" == "true" ]
+ then
+ /etc/keytabs/create_keytab.sh hive ${KEYTABS_DIR} hive:hadoop
+ fi
 if "${RANGER_SCRIPTS}"/ranger-hive-setup.sh; then
diff --git a/dev-support/ranger-docker/scripts/ranger-kafka.sh b/dev-support/ranger-docker/scripts/ranger-kafka.sh
index c1f6139b1..5302e7af0 100755
--- a/dev-support/ranger-docker/scripts/ranger-kafka.sh
+++ b/dev-support/ranger-docker/scripts/ranger-kafka.sh
@@ -16,6 +16,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+KEYTABS_DIR=/opt/kafka/keytabs
+
 if [ "${OS_NAME}" = "UBUNTU" ]; then
 service ssh start
 fi
@@ -34,6 +36,10 @@ then
 # pdsh is unavailable with microdnf in rhel based image.
 echo "ssh" > /etc/pdsh/rcmd_default
+ if [ "${KERBEROS_ENABLED}" == "true" ]
+ then
+ /etc/keytabs/create_keytab.sh kafka ${KEYTABS_DIR} kafka:hadoop
+ fi
 if "${RANGER_SCRIPTS}"/ranger-kafka-setup.sh; then
diff --git a/dev-support/ranger-docker/scripts/ranger-kms.sh b/dev-support/ranger-docker/scripts/ranger-kms.sh
index be5519e40..9f450d5fb 100755
--- a/dev-support/ranger-docker/scripts/ranger-kms.sh
+++ b/dev-support/ranger-docker/scripts/ranger-kms.sh
@@ -16,6 +16,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+KEYTABS_DIR=/opt/ranger/kms/keytabs
 if [ ! -e ${RANGER_HOME}/.setupDone ]
 then
@@ -26,6 +27,11 @@ fi
 if [ "${SETUP_RANGER}" == "true" ]
 then
+ if [ "${KERBEROS_ENABLED}" == "true" ]
+ then
+ /etc/keytabs/create_keytab.sh rangerkms ${KEYTABS_DIR} rangerkms:ranger
+ fi
+
 cd "${RANGER_HOME}"/kms || exit
 if ./setup.sh; then
diff --git a/dev-support/ranger-docker/scripts/ranger-knox.sh b/dev-support/ranger-docker/scripts/ranger-knox.sh
index ddd04e244..b886a19ff 100755
--- a/dev-support/ranger-docker/scripts/ranger-knox.sh
+++ b/dev-support/ranger-docker/scripts/ranger-knox.sh
@@ -16,6 +16,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+KEYTABS_DIR=/opt/knox/keytabs
+
 if [ "${OS_NAME}" = "UBUNTU" ]; then
 service ssh start
 fi
@@ -34,6 +36,10 @@ then
 # pdsh is unavailable with microdnf in rhel based image.
 echo "ssh" > /etc/pdsh/rcmd_default
+ if [ "${KERBEROS_ENABLED}" == "true" ]
+ then
+ /etc/keytabs/create_keytab.sh knox ${KEYTABS_DIR} knox:knox
+ fi
 if "${RANGER_SCRIPTS}"/ranger-knox-setup.sh; then
diff --git a/dev-support/ranger-docker/scripts/ranger-tagsync.sh b/dev-support/ranger-docker/scripts/ranger-tagsync.sh
index c676d3977..beba6f699 100755
--- a/dev-support/ranger-docker/scripts/ranger-tagsync.sh
+++ b/dev-support/ranger-docker/scripts/ranger-tagsync.sh
@@ -16,6 +16,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+KEYTABS_DIR=/opt/ranger/tagsync/keytabs
 if [ ! -e ${RANGER_HOME}/.setupDone ]
 then
@@ -26,6 +27,11 @@ fi
 if [ "${SETUP_RANGER}" == "true" ]
 then
+ if [ "${KERBEROS_ENABLED}" == "true" ]
+ then
+ /etc/keytabs/create_keytab.sh rangertagsync ${KEYTABS_DIR} rangertagsync:ranger
+ fi
+
 cd "${RANGER_HOME}"/tagsync || exit
 if ./setup.sh; then
diff --git a/dev-support/ranger-docker/scripts/ranger-usersync.sh b/dev-support/ranger-docker/scripts/ranger-usersync.sh
index 8e56ce5ff..85ac0b5d8 100755
--- a/dev-support/ranger-docker/scripts/ranger-usersync.sh
+++ b/dev-support/ranger-docker/scripts/ranger-usersync.sh
@@ -16,6 +16,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+KEYTABS_DIR=/opt/ranger/usersync/keytabs
 if [ ! -e ${RANGER_HOME}/.setupDone ]
 then
@@ -26,6 +27,11 @@ fi
 if [ "${SETUP_RANGER}" == "true" ]
 then
+ if [ "${KERBEROS_ENABLED}" == "true" ]
+ then
+ /etc/keytabs/create_keytab.sh rangerusersync ${KEYTABS_DIR} rangerusersync:ranger
+ fi
+
 cd "${RANGER_HOME}"/usersync || exit
 if ./setup.sh; then
diff --git a/dev-support/ranger-docker/scripts/ranger.sh b/dev-support/ranger-docker/scripts/ranger.sh
index 666a07b22..f17914d73 100755
--- a/dev-support/ranger-docker/scripts/ranger.sh
+++ b/dev-support/ranger-docker/scripts/ranger.sh
@@ -16,6 +16,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+KEYTABS_DIR=/opt/ranger/admin/keytabs
 if [ ! -e ${RANGER_HOME}/.setupDone ]
 then
@@ -26,6 +27,13 @@ fi
 if [ "${SETUP_RANGER}" == "true" ]
 then
+ if [ "${KERBEROS_ENABLED}" == "true" ]
+ then
+ /etc/keytabs/create_keytab.sh rangeradmin ${KEYTABS_DIR} ranger:ranger
+ /etc/keytabs/create_keytab.sh rangerlookup ${KEYTABS_DIR} ranger:ranger
+ /etc/keytabs/create_keytab.sh HTTP ${KEYTABS_DIR} ranger:ranger
+ fi
+
 cd "${RANGER_HOME}"/admin || exit
 if ./setup.sh; then
