Repository: incubator-slider Updated Branches: refs/heads/develop 7f195f662 -> 63627bc70
SLIDER-146 update accumulo secure mode to allow kerberos user auth Project: http://git-wip-us.apache.org/repos/asf/incubator-slider/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-slider/commit/63627bc7 Tree: http://git-wip-us.apache.org/repos/asf/incubator-slider/tree/63627bc7 Diff: http://git-wip-us.apache.org/repos/asf/incubator-slider/diff/63627bc7 Branch: refs/heads/develop Commit: 63627bc70a7d4c77856b938e5e0fe1c32edfc6d3 Parents: 7f195f6 Author: Billie Rinaldi <[email protected]> Authored: Mon Mar 23 13:44:17 2015 -0700 Committer: Billie Rinaldi <[email protected]> Committed: Mon Mar 23 13:44:17 2015 -0700 ---------------------------------------------------------------------- .../accumulo/appConfig-secured-default.json | 18 ++++-- app-packages/accumulo/configuration/client.xml | 5 ++ .../package/scripts/accumulo_configuration.py | 67 ++++++-------------- .../accumulo/package/scripts/accumulo_script.py | 11 +++- app-packages/accumulo/package/scripts/params.py | 10 +-- 5 files changed, 52 insertions(+), 59 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/63627bc7/app-packages/accumulo/appConfig-secured-default.json ---------------------------------------------------------------------- diff --git a/app-packages/accumulo/appConfig-secured-default.json b/app-packages/accumulo/appConfig-secured-default.json index 6d8abaa..347259f 100644 --- a/app-packages/accumulo/appConfig-secured-default.json +++ b/app-packages/accumulo/appConfig-secured-default.json 
@@ -28,12 +28,11 @@ "site.proxy.port": "${ACCUMULO_PROXY.ALLOCATED_PORT}{PER_CONTAINER}", - "site.global.accumulo_root_password": "NOT_USED", + "site.global.accumulo_root_principal": "${USER_NAME}@EXAMPLE.COM", "site.global.monitor_protocol": "http", "site.accumulo-site.instance.volumes": "${DEFAULT_DATA_DIR}/data", "site.accumulo-site.instance.zookeeper.host": "${ZK_HOST}", - "site.accumulo-site.instance.security.authenticator": "org.apache.slider.accumulo.CustomAuthenticator", "site.accumulo-site.general.security.credential.provider.paths": "jceks://hdfs/user/${USER}/accumulo-${CLUSTER_NAME}.jceks", "site.accumulo-site.instance.rpc.ssl.enabled": "false", @@ -41,6 +40,17 @@ "site.accumulo-site.general.kerberos.keytab": "${AGENT_WORK_ROOT}/keytabs/${USER_NAME}.ACCUMULO.service.keytab", "site.accumulo-site.general.kerberos.principal": "${USER_NAME}/[email protected]", + "site.accumulo-site.instance.rpc.sasl.enabled": "true", + "site.accumulo-site.instance.security.authenticator": "org.apache.accumulo.server.security.handler.KerberosAuthenticator", + "site.accumulo-site.instance.security.authorizor": "org.apache.accumulo.server.security.handler.KerberosAuthorizor", + "site.accumulo-site.instance.security.permissionHandler": "org.apache.accumulo.server.security.handler.KerberosPermissionHandler", + "site.accumulo-site.general.delegation.token.lifetime": "7d", + "site.accumulo-site.general.delegation.token.update.interval": "1d", + + "site.accumulo-site.trace.user": "${USER_NAME}@EXAMPLE.COM", + "site.accumulo-site.trace.token.property.keytab": "${AGENT_WORK_ROOT}/keytabs/${USER_NAME}.ACCUMULO.headless.keytab", + "site.accumulo-site.trace.token.type": "org.apache.accumulo.core.client.security.tokens.KerberosToken", + "site.accumulo-site.tserver.memory.maps.native.enabled": "false", "site.accumulo-site.tserver.memory.maps.max": "80M", "site.accumulo-site.tserver.cache.data.size": "7M", 
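Review bot: In the second hunk `site.accumulo-site.trace.user` is set to the same principal as the new `site.global.accumulo_root_principal` (`${USER_NAME}@EXAMPLE.COM`), so the tracer runs under the root identity and the headless keytab named in `trace.token.property.keytab` presumably becomes a root credential on whichever container runs the tracer. The previous value `root` had the same shape, so this is not a regression, but a least-privilege setup would point `trace.user` at a dedicated principal with its own keytab that only holds the permissions the trace table needs. The realm `EXAMPLE.COM` is now embedded in three template values (`accumulo_root_principal`, `general.kerberos.principal`, `trace.user`) that must be edited together, and `general.delegation.token.lifetime` of `7d` is a security-relevant default; since JSON has no comments, both deserve a sentence in the package README next to the keytab instructions.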
@@ -48,8 +58,6 @@ "site.accumulo-site.tserver.sort.buffer.size": "50M", "site.accumulo-site.tserver.walog.max.size": "40M", - "site.accumulo-site.trace.user": "root", - "site.accumulo-site.master.port.client": "0", "site.accumulo-site.trace.port.client": "0", "site.accumulo-site.tserver.port.client": "0", @@ -62,7 +70,7 @@ "site.accumulo-site.general.classpaths": "$ACCUMULO_HOME/lib/accumulo-server.jar,\n$ACCUMULO_HOME/lib/accumulo-core.jar,\n$ACCUMULO_HOME/lib/accumulo-start.jar,\n$ACCUMULO_HOME/lib/accumulo-fate.jar,\n$ACCUMULO_HOME/lib/accumulo-proxy.jar,\n$ACCUMULO_HOME/lib/[^.].*.jar,\n$ZOOKEEPER_HOME/zookeeper[^.].*.jar,\n$HADOOP_CONF_DIR,\n${@//site/accumulo-env/hadoop_conf_dir},\n$HADOOP_PREFIX/[^.].*.jar,\n$HADOOP_PREFIX/lib/[^.].*.jar,\n$HADOOP_PREFIX/share/hadoop/common/.*.jar,\n$HADOOP_PREFIX/share/hadoop/common/lib/.*.jar,\n$HADOOP_PREFIX/share/hadoop/hdfs/.*.jar,\n$HADOOP_PREFIX/share/hadoop/mapreduce/.*.jar,\n$HADOOP_PREFIX/share/hadoop/yarn/.*.jar,\n${hadoop.dir}/.*.jar,\n${hadoop.dir}/lib/.*.jar,\n${hdfs.dir}/.*.jar,\n${mapred.dir}/.*.jar,\n${yarn.dir}/.*.jar," }, "credentials": { - "jceks://hdfs/user/${USER}/accumulo-${CLUSTER_NAME}.jceks": ["root.initial.password", "instance.secret", "trace.token.property.password"] + "jceks://hdfs/user/${USER}/accumulo-${CLUSTER_NAME}.jceks": ["instance.secret"] }, "components": { "slider-appmaster": { http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/63627bc7/app-packages/accumulo/configuration/client.xml ---------------------------------------------------------------------- diff --git a/app-packages/accumulo/configuration/client.xml b/app-packages/accumulo/configuration/client.xml index 313f6b6..ea59083 100644 --- a/app-packages/accumulo/configuration/client.xml +++ b/app-packages/accumulo/configuration/client.xml 
@@ -41,4 +41,9 @@
 <value>${@//site/accumulo-site/instance.rpc.ssl.clientAuth}</value>
 <description>SSL client auth enabled.</description>
 </property>
+ <property>
+ <name>instance.rpc.sasl.enabled</name>
+ <value>${@//site/accumulo-site/instance.rpc.sasl.enabled}</value>
+ <description>SASL enabled.</description>
+ </property>
 </configuration>
http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/63627bc7/app-packages/accumulo/package/scripts/accumulo_configuration.py
----------------------------------------------------------------------
diff --git a/app-packages/accumulo/package/scripts/accumulo_configuration.py b/app-packages/accumulo/package/scripts/accumulo_configuration.py
index 3a0e2ed..e7b3de8 100644
--- a/app-packages/accumulo/package/scripts/accumulo_configuration.py
+++ b/app-packages/accumulo/package/scripts/accumulo_configuration.py
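Review bot: The description `SASL enabled.` on the new `instance.rpc.sasl.enabled` property says nothing about the constraint a client operator needs; suggest `<description>Enable SASL (Kerberos) authentication for client RPC. Must match the server-side instance.rpc.sasl.enabled; as far as I recall Accumulo does not allow it together with instance.rpc.ssl.enabled.</description>`. Since the same commit removes the `client.conf` generation from `accumulo_configuration.py`, it is also worth confirming in the description or the commit text where this `client` section is rendered to disk for shell and proxy clients.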
@@ -38,41 +38,28 @@ def setup_conf_dir(name=None): # 'master' or 'tserver' or 'monitor' or 'gc' or '
 content=StaticFile(jarname)
 )
- if name != "client":
- # create pid dir
- Directory( params.pid_dir,
- owner = params.accumulo_user,
- group = params.user_group,
- recursive = True
- )
+ # create pid dir
+ Directory( params.pid_dir,
+ owner = params.accumulo_user,
+ group = params.user_group,
+ recursive = True
+ )
- # create log dir
- Directory (params.log_dir,
- owner = params.accumulo_user,
- group = params.user_group,
- recursive = True
- )
+ # create log dir
+ Directory (params.log_dir,
+ owner = params.accumulo_user,
+ group = params.user_group,
+ recursive = True
+ )
- # create a site file for server processes
- XmlConfig( "accumulo-site.xml",
- conf_dir = params.conf_dir,
- configurations = params.config['configurations']['accumulo-site'],
- owner = params.accumulo_user,
- group = params.user_group,
- mode=0600
- )
- else:
- # create a minimal site file for client processes
- client_configurations = {}
- client_configurations['instance.zookeeper.host'] = params.config['configurations']['accumulo-site']['instance.zookeeper.host']
- client_configurations['instance.volumes'] = params.config['configurations']['accumulo-site']['instance.volumes']
- client_configurations['general.classpaths'] = params.config['configurations']['accumulo-site']['general.classpaths']
- XmlConfig( "accumulo-site.xml",
- conf_dir = params.conf_dir,
- configurations = client_configurations,
- owner = params.accumulo_user,
- group = params.user_group
- )
+ # create a site file for server processes
+ XmlConfig( "accumulo-site.xml",
+ conf_dir = params.conf_dir,
+ configurations = params.config['configurations']['accumulo-site'],
+ owner = params.accumulo_user,
+ group = params.user_group,
+ mode=0600
+ )
 # create env file
 File(format("{params.conf_dir}/accumulo-env.sh"),
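Review bot: With the `name != "client"` branch gone, the `client` role now receives the complete `accumulo-site` section (including `general.kerberos.keytab` and the credential-provider path) where it previously got only `instance.zookeeper.host`, `instance.volumes` and `general.classpaths`; the file is written 0600 and owned by `accumulo_user`, which is the right protection, but the retained comment `# create a site file for server processes` no longer describes what the code does. Suggest `# create accumulo-site.xml for every role, clients included (presumably so they see the SASL/Kerberos settings)` so the next reader does not reintroduce the client filter. If the wider set of server properties on the client side is unintended, a minimal client site file should be restored instead. `setup_conf_dir` starts before this hunk and continues past it.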
@@ -82,20 +69,6 @@ def setup_conf_dir(name=None): # 'master' or 'tserver' or 'monitor' or 'gc' or '
 content=InlineTemplate(params.env_sh_template)
 )
- # create client.conf file
- configs = {}
- configs.update(params.config['configurations']['client'])
- update_site_config(configs, 'general.security.credential.provider.paths')
- update_site_config(configs, 'rpc.javax.net.ssl.trustStore')
- update_site_config(configs, 'rpc.javax.net.ssl.trustStoreType')
- update_site_config(configs, 'rpc.javax.net.ssl.keyStore')
- update_site_config(configs, 'rpc.javax.net.ssl.keyStoreType')
- PropertiesFile(format("{params.conf_dir}/client.conf"),
- properties = configs,
- owner = params.accumulo_user,
- group = params.user_group
- )
- # create metrics2 properties file
 accumulo_TemplateConfig('hadoop-metrics2-accumulo.properties')
http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/63627bc7/app-packages/accumulo/package/scripts/accumulo_script.py
----------------------------------------------------------------------
diff --git a/app-packages/accumulo/package/scripts/accumulo_script.py b/app-packages/accumulo/package/scripts/accumulo_script.py
index 6227261..b982ce1 100644
--- a/app-packages/accumulo/package/scripts/accumulo_script.py
+++ b/app-packages/accumulo/package/scripts/accumulo_script.py
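Review bot: Deleting the `client.conf` block leaves nothing in this file that writes the `client` configuration section, so the `instance.rpc.sasl.enabled` entry this commit adds to `configuration/client.xml`, together with the `rpc.javax.net.ssl.*` and credential-provider values that `update_site_config` used to copy in, is no longer materialised by `setup_conf_dir`. If client.conf is now produced elsewhere (the Slider client-install path, for instance), a one-line comment at the deletion point would save the next reader the search: `# client.conf is no longer written here; clients get it from <...> (SLIDER-146)`. If it is not produced anywhere, shell and proxy clients would presumably fall back to Accumulo's defaults with SASL off on their side, so this is worth verifying before the secured package is published. `setup_conf_dir` starts before this hunk.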
@@ -44,9 +44,14 @@ class AccumuloScript(Script):
 if self.component == 'master':
 try:
- Execute( format("{daemon_script} init --instance-name {accumulo_instance_name} --password {accumulo_root_password} --clear-instance-name >{log_dir}/accumulo-{accumulo_user}-init.out 2>{log_dir}/accumulo-{accumulo_user}-init.err"),
- not_if=format("{hadoop_prefix}/bin/hadoop fs -stat {accumulo_hdfs_root_dir}"),
- user=params.accumulo_user)
+ if params.kerberos_auth_enabled:
+ Execute( format("{daemon_script} init --instance-name {accumulo_instance_name} --user {accumulo_root_principal} --clear-instance-name >{log_dir}/accumulo-{accumulo_user}-init.out 2>{log_dir}/accumulo-{accumulo_user}-init.err"),
+ not_if=format("{hadoop_prefix}/bin/hadoop fs -stat {accumulo_hdfs_root_dir}"),
+ user=params.accumulo_user)
+ else:
+ Execute( format("{daemon_script} init --instance-name {accumulo_instance_name} --password {accumulo_root_password} --clear-instance-name >{log_dir}/accumulo-{accumulo_user}-init.out 2>{log_dir}/accumulo-{accumulo_user}-init.err"),
+ not_if=format("{hadoop_prefix}/bin/hadoop fs -stat {accumulo_hdfs_root_dir}"),
+ user=params.accumulo_user)
 except Exception, e:
 try:
 Execute( format("{hadoop_prefix}/bin/hadoop fs -rm -R {accumulo_hdfs_root_dir}"),
http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/63627bc7/app-packages/accumulo/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/app-packages/accumulo/package/scripts/params.py b/app-packages/accumulo/package/scripts/params.py
index 11bcbd9..29a7c7d 100644
--- a/app-packages/accumulo/package/scripts/params.py
+++ b/app-packages/accumulo/package/scripts/params.py
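Review bot: The two `Execute` calls in the new `if params.kerberos_auth_enabled` / `else` differ only in the credential argument (`--user {accumulo_root_principal}` versus `--password {accumulo_root_password}`) while the command template, the `not_if` guard and `user=params.accumulo_user` are repeated verbatim, so a later change to one branch is easy to miss in the other. Building the argument once and issuing a single `Execute` keeps both paths in step (sketch below; it assumes `format` resolves caller locals the way the resource_management `format` does). Note also that the retained password branch still puts the root password on the `init` command line, where it is visible in the process table and in any log of the executed command; that is pre-existing, but now that the Kerberos path avoids it a `# TODO` marking it is warranted. The enclosing method starts before this hunk and its `except` handler continues after it.
```python
if params.kerberos_auth_enabled:
  init_auth = format("--user {accumulo_root_principal}")
else:
  # TODO: the root password is exposed on the command line and in command logs here
  init_auth = format("--password {accumulo_root_password}")
Execute( format("{daemon_script} init --instance-name {accumulo_instance_name} {init_auth} --clear-instance-name >{log_dir}/accumulo-{accumulo_user}-init.out 2>{log_dir}/accumulo-{accumulo_user}-init.err"),
         not_if=format("{hadoop_prefix}/bin/hadoop fs -stat {accumulo_hdfs_root_dir}"),
         user=params.accumulo_user)
# … unchanged: except handler that removes the HDFS root dir and retries …
```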
@@ -51,13 +51,15 @@ log_dir = config['configurations']['global']['app_log_dir']
 daemon_script = format("{accumulo_root}/bin/accumulo")
 proxy_conf = format("{conf_dir}/proxy.properties")
-# accumulo clientauth
-clientauth_enabled = False
-if 'instance.rpc.ssl.clientAuth' in config['configurations']['accumulo-site']:
- clientauth_enabled = config['configurations']['accumulo-site']['instance.rpc.ssl.clientAuth']
+# accumulo kerberos user auth
+kerberos_auth_enabled = False
+if 'instance.security.authenticator' in config['configurations']['accumulo-site']\
+ and "org.apache.accumulo.server.security.handler.KerberosAuthenticator" == config['configurations']['accumulo-site']['instance.security.authenticator']:
+ kerberos_auth_enabled = True
 # accumulo initialization parameters
 accumulo_instance_name = config['configurations']['client']['instance.name']
+accumulo_root_principal = config['configurations']['global']['accumulo_root_principal']
 accumulo_root_password = config['configurations']['global']['accumulo_root_password']
 accumulo_hdfs_root_dir = config['configurations']['accumulo-site']['instance.volumes'].split(",")[0]
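Review bot: `accumulo_root_principal` and `accumulo_root_password` are both read with plain indexing from `config['configurations']['global']`, yet this commit removes `site.global.accumulo_root_password` from the secured appConfig and adds `accumulo_root_principal` only there, so whichever key the selected appConfig lacks raises `KeyError` when `params` is imported — unless `configuration/global.xml` supplies defaults for both, which is not visible from here. Reading them with `.get()` makes the optional nature explicit and lets `accumulo_script.py` rely on `kerberos_auth_enabled` alone: `accumulo_root_principal = config['configurations']['global'].get('accumulo_root_principal')` and `accumulo_root_password = config['configurations']['global'].get('accumulo_root_password')`. Separately, `kerberos_auth_enabled` is keyed on the authenticator class while the RPC switch the same commit turns on is `instance.rpc.sasl.enabled`; a comment such as `# init takes --user (a principal) only when the KerberosAuthenticator is configured` would record why the authenticator is the chosen signal.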
