Repository: incubator-trafodion Updated Branches: refs/heads/master 2547fb1e9 -> 7ad34b175
TRAFODION [109] Instrument Trafodion to work with Secure Hadoop (Kerberos) The first phase of automation with Kerberos is ready. The following use cases are supported I. New secure install: Customer installs Trafodion on a cluster with secure Hadoop. There is no existing Trafodion installation. II. Conversion from non-secure to secure: Customer has Trafodion installed on a non-secure Hadoop cluster. Customer enables Hadoop security on this existing cluster. Customer runs a Trafodion script to enable Hadoop security integration with Trafodion. See the JIRA for details on the changes. Project: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/commit/9673059c Tree: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/tree/9673059c Diff: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/diff/9673059c Branch: refs/heads/master Commit: 9673059cfb03abd8aabf37be1b4936ee520a4129 Parents: 52787ff Author: Roberta Marton <[email protected]> Authored: Fri Jun 10 14:50:06 2016 +0000 Committer: Roberta Marton <[email protected]> Committed: Fri Jun 10 14:50:06 2016 +0000 ---------------------------------------------------------------------- core/dbsecurity/auth/src/ldapcheck.cpp | 2 + core/sqf/sql/scripts/krb5check | 133 +++++++++ core/sqf/sql/scripts/krb5functions | 128 +++++++++ core/sqf/sql/scripts/krb5service | 255 ++++++++++++++++++ core/sqf/sql/scripts/sqcheck | 2 + core/sqf/sql/scripts/sqstart | 37 +++ install/installer/traf_add_kerberos | 202 ++++++++++++++ install/installer/traf_add_ldap | 88 ++++++ install/installer/traf_cloudera_mods | 16 ++ install/installer/traf_config_setup | 159 ----------- install/installer/traf_hortonworks_mods | 32 ++- install/installer/traf_secure | 63 +++++ install/installer/traf_secure_setup | 343 ++++++++++++++++++++++++ install/installer/traf_sqgen | 37 +-- install/installer/trafodion_install | 79 +++--- install/installer/trafodion_secure_install | 129 +++++++++ install/installer/trafodion_uninstaller | 21 ++ 17 files changed, 1498 insertions(+), 228 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/9673059c/core/dbsecurity/auth/src/ldapcheck.cpp ---------------------------------------------------------------------- diff --git a/core/dbsecurity/auth/src/ldapcheck.cpp b/core/dbsecurity/auth/src/ldapcheck.cpp index 5443690..192ba50 100755 --- a/core/dbsecurity/auth/src/ldapcheck.cpp +++ b/core/dbsecurity/auth/src/ldapcheck.cpp @@ -316,6 +316,7 @@ LDSearchStatus searchStatus = lookupLDAPUser(username,configType,searchHostName) break; case LDSearchNotFound: cout << "User " << username << " not found" << endl; + exitCode = 3; break; case LDSearchResourceFailure: cout << "Unable to lookup user due to LDAP errors" << endl; @@ -840,6 +841,7 @@ LDAPConfigNode::LDAPConfigType configType = LDAPConfigNode::PrimaryConfiguration // 0) LDAP configuration and server(s) good, no retries // 1) LDAP configuration and server(s) good, retries occurred // 2) Could not communicate with LDAP server(s). Check LDAP configuration or server(s). + // 3) User was not defined in LDAP // exit(exitCode); } http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/9673059c/core/sqf/sql/scripts/krb5check ---------------------------------------------------------------------- diff --git a/core/sqf/sql/scripts/krb5check b/core/sqf/sql/scripts/krb5check new file mode 100755 index 0000000..cbe3a95 --- /dev/null +++ b/core/sqf/sql/scripts/krb5check @@ -0,0 +1,133 @@ +#!/bin/bash + +# @@@ START COPYRIGHT @@@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +# @@@ END COPYRIGHT @@@ + +source krb5functions + +function msg +{ + echo "krb5check[$$] `date`: $1" >> $LOG_FILE +} + +# ******* main ****** +WAIT_INTERVAL=300 +REPORT_INTERVAL=12 +LOCK_FILE=$MY_SQROOT/tmp/krb5check +LOG_FILE=$MY_SQROOT/logs/krb5check +CACHE_FILE="" +HOST_NAME=`hostname -f` +getKeytab +echo "keytab: $KEYTAB" + +introMessage="Starting krb5check " + +# Echo this process's id to the LOCK_FILE +echo $$ > $LOCK_FILE + +while [ $# -gt 0 ]; do + + case $1 in + -h) + echo $"Usage: $0 {-c |-h |-r | -w}" + exit + ;; + -c) + shift + CACHE_FILE=$1 + ;; + -r) + shift + REPORT_INTERVAL=$1 + ;; + -w) + shift + WAIT_INTERVAL=$1 + ;; + *) + introMessage=$introMessage"Invalid option detected" + echo "$introMessage" + echo $"Usage: $0 {-c |-h |-r | -w}" + exit 1 + ;; + esac + shift +done + +# get keytab +introMessage=$introMessage"using keytab $KEYTAB " + +# get principal from the cached entry +getCachedTicket +noTicket=$? +if [[ $noTicket -eq 1 ]]; then + PRINCIPAL="Not Available" +else + PRINCIPAL="$( klist -c $CACHE_FILE | grep 'Default principal' | awk '{print $3}' )" +fi + +introMessage=$introMessage" and principal $PRINCIPAL " +msg "$introMessage" + +# go into an infinite loop with a WAIT_INTERVAL second pause between each iteration +# print a report the first time +reportCount=$( expr $REPORT_INTERVAL + 1 ) +while :; do + + # go see if a new ticket has been initd + getCachedTicket + noTicket=$? + if [[ $noTicket -eq 0 ]]; then + # expire time could change between iterations + EXPIRE_TIME=$( date -d "$( klist -c $CACHE_FILE | grep krbtgt | awk '{print $3, $4}' )" +%s ) + + # report time left every REPORT_INTERVAL times + if [ $reportCount -gt $REPORT_INTERVAL ]; then + getStatus + msg "$TICKET_STATUS" + reportCount=0 + else + reportCount=$( expr $reportCount + 1 ) + fi + + # If ticket has expired, destroy cached entry + if [ $( date +%s ) -ge $EXPIRE_TIME ]; then + kdestroy -c $CACHE_FILE &> /dev/null + msg "Removed expired ticket cache ($CACHE_FILE) for user $PRINCIPAL" + + # Otherwise renew it + elif [ $( expr $EXPIRE_TIME - $( date +%s ) ) -le $WAIT_INTERVAL ]; then + msg "Time to renew ticket for $PRINCIPAL" + kinit -R -k -t $KEYTAB $PRINCIPAL + #if [ $? -ne 0 ]; then + # msg "An error occurred while renewing $PRINCIPAL, continuing" + #else + msg "Renewed ticket cache ($CACHE_FILE) for principal $PRINCIPAL" + msg "`klist`" + #fi + fi + else + msg="Ticket has not been created or it has expired" + fi + + # wait a bit then go round again + sleep $WAIT_INTERVAL +done http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/9673059c/core/sqf/sql/scripts/krb5functions ---------------------------------------------------------------------- diff --git a/core/sqf/sql/scripts/krb5functions b/core/sqf/sql/scripts/krb5functions new file mode 100755 index 0000000..178e4f2 --- /dev/null +++ b/core/sqf/sql/scripts/krb5functions @@ -0,0 +1,128 @@ +#!/bin/bash + +# @@@ START COPYRIGHT @@@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +# @@@ END COPYRIGHT @@@ + + +# ----------------------------------------------------------------------------- +# script: krb5functions +# +# This script contains common functions used between krb5service and krb5check +# ------------------------------------------------------------------------------ + +# ========================================================= +# getCachedTicket +# gets the location of the cached ticket +# and places it in CACHE_FILE +# +# returns: +# 0 = cached file found +# 1 = cached file not found, ticket needs to be init'd +# ========================================================= +function getCachedTicket +{ + kname="krb5cc_" + trafodionId=`id -u trafodion` + kname=$kname$trafodionId + CACHE_FILE=`find /tmp -maxdepth 1 -type f -name $kname` + if [ "$CACHE_FILE" == "" ]; then + return 1 + fi + return 0 +} + +# ========================================================= +# getStatus +# reports status of the ticket +# details are identical to what krb5check reports +# +# TICKET_STATUS is generated with ticket information +# CACHE_FILE is setup up, if not already +# +# returns: +# 0 = ticket information found +# 1 = ticket information not found +# 2 = ticket has expired or is ready to expire +# ========================================================= +function getStatus +{ + # if ticket not available, then return with message + if [[ ! -e $CACHE_FILE ]]; then + getCachedTicket + if [[ $? -eq 1 ]]; then + TICKET_STATUS="Ticket has not been created or it has expired" + return 1 + fi + fi + + # determine time remaining for current ticket + expireTime=$( date -d "$( klist -c $CACHE_FILE | grep krbtgt | awk '{print $3, $4}' )" +%s ) + timeInSecs=0 + timeInMins=0 + timeInHours=0 + timeInSecs=$( expr $expireTime - $( date +%s ) ) + if [ $timeInSecs -gt 60 ]; then + timeInMins=$( expr $timeInSecs / 60 ) + if [ $timeInMins -gt 60 ]; then + timeInHours=$( expr $timeInMins / 60 ) + fi + fi + + units="" + if [ $timeInHours -ne 0 ]; then + units="$timeInHours hours" + elif [ $timeInMins -ne 0 ]; then + units="$timeInMins minutes" + else + units="$timeInSecs seconds" + fi + + startTime=$( date -d "$( klist -c $CACHE_FILE | grep krbtgt | awk '{print $1, $2}' )" +%s ) + renewTime=$( date -d "$( klist -c $CACHE_FILE | grep "renew until" | awk '{print $3, $4}' )" +%s ) + renewInterval=$( expr $expireTime - $startTime ) + + numberRenews=$( expr $renewTime - $expireTime ) + numberRenews=$( expr $numberRenews / $renewInterval ) + + if [[ $timeInSecs -lt 300 ]]; then + TICKET_STATUS="Ticket has or is about to expire, please init a new ticket" + return 2 + else + TICKET_STATUS="Time remaining before ticket expires: $units, renewals available $numberRenews" + fi + + return 0 +} + +function getLogFile +{ + LOG_FILE=$MY_SQROOT/logs/krb5check +} + +function getLockFile +{ + LOCK_FILE=$MY_SQROOT/tmp/krb5check +} + +function getKeytab +{ + KEYTAB=`grep "trafodion keytab:" ~/.bashrc | awk '{print $4}'` +} http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/9673059c/core/sqf/sql/scripts/krb5service ---------------------------------------------------------------------- diff --git a/core/sqf/sql/scripts/krb5service b/core/sqf/sql/scripts/krb5service new file mode 100755 index 0000000..6169273 --- /dev/null +++ b/core/sqf/sql/scripts/krb5service @@ -0,0 +1,255 @@ +#!/bin/bash + +# @@@ START COPYRIGHT @@@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +# @@@ END COPYRIGHT @@@ + + +# ----------------------------------------------------------------------------- +# script: krb5service +# +# This script manages the Kerberos ticket service for Trafodion +# +# The Kerberos ticket service consists of three scripts: +# - krb5service (this script) which manages the service +# - krb5check - wakes up periodically to log ticket status and renew tickets +# - krb5functions - contains common functions used by krb5service & krb5check +# +# (krb5check runs in an infinite loop which wakes up periodically to check to +# see if the Trafodion ticket is ready to expire. If ticket is ready to expire, +# it renews the existing ticket if retries are available. If no more retries +# are available, it reports the problem and continues. Ticket life times and +# renewal life times are based on the ticket defaults. The script periodically +# reports the ticket status to a log file.) +# +# Options: +# init - inits a new Trafodion ticket based on existing ticket attributes +# restart - stops then restarts the ticket renewal service +# start - starts the ticket renewal service +# status - displays the status of the Trafodion service ticket +# stop - stops the ticket renewal service +# +# Location attributes (see krb5functions to change these values): +# [LOG_FILE] : $MY_SQROOT/logs/krb5check - log where all events are stored +# (the log file is recreated each time the krb5service is started) +# [LOCK_FILE] : $MY_SQROOT/tmp/krb5check - file to keep track of krb5check process +# (acts as a semiphore to prevent multiple occurrances from running) +# [CACHE_FILE]: /tmp/krb5cc_(trafodion linux UID) - default location for Kerberos +# cache ticket store (CACHE_FILE) +# [KEYTAB]: /etc/security/keytabs/trafodion.service.keytab - location where trafodion keytab reside +# +# This script makes a call to krb5check and accepts the following parameters: +# (changes are required if different defaults are needed) +# -c <cache location> location of Kerberos cache, +# (defaults to /tmp/krb5cc_uid) +# -w <wnum> time (in seconds) to wait before checking ticket expiration, +# (defaults to 5 minutes) +# -r <rnum> when to display ticket status to the log file, +# (defaults to 12 times which is 60 minutes ( <wnum> * <rnum>) +# ------------------------------------------------------------------------------ + +source krb5functions + +# ================================================= +# msg: +# write a message the log +# ================================================= +function msg +{ + echo "krb5service[$$] `date`: $1" + echo "krb5service[$$] `date`: $1" >> $LOG_FILE +} + +# ================================================= +# Main +# ================================================= +LOCK_FILE="" +getLockFile +LOG_FILE="" +getLogFile +CACHE_FILE="" +KEYTAB="" +getKeytab + +currentPID="NC" +if [ -f $LOCK_FILE ]; then + PID=$( cat $LOCK_FILE ) +fi + +# if LOCK_FILE contains digits, then good PID exists +if [[ $PID = *[[:digit:]]* ]]; then + currentPID=`ps -p $PID | grep krb5check | awk '{print $1}'` +fi + +# if the current kbr5check PID matches what is stored in LOCK_FILE +# then we have an active process +serviceRunning=0 +if [[ $currentPID = *[[:digit:]]* ]]; then + if [ "$currentPID" == "$PID" ]; then + serviceRunning=1 + fi +fi + +# ========================================================================= +# parse the request +doInit=0 +doStart=0 +doStatus=0 +doStop=0 + +TICKET_STATUS="" + +case "$1" in + init) + doInit=1 + ;; + restart) + doStop=1 + doStart=1 + ;; + start) + doStart=1 + ;; + status) + doStatus=1 + ;; + stop) + doStop=1 + ;; + *) + echo $"Usage: $0 {init | restart | start | status | stop}" + exit 1 + ;; +esac + +# ========================================================================= +# Perform the <init> request +if [ $doInit -eq 1 ]; then + msg "service init requested" + + # get keytab + msg "using keytab: $KEYTAB" + + # get principal + # if cached ticket exists, extract principal from cached location + # else ask kerberos for a list of principals based on the keytab, assume + # only one entry is returned (??) + HOST_NAME=`hostname -f` + getCachedTicket + if [[ $? -eq 0 ]]; then + PRINCIPAL="$( klist -c $CACHE_FILE | grep 'Default principal' | awk '{print $3}' )" + else + PRINCIPAL=`klist -kt $KEYTAB | grep $HOST_NAME | awk '{print $4}' | uniq` + fi + + valid=`echo $PRINCIPAL | grep "$HOST_NAME" | wc -l` + if [[ $valid -eq 0 ]]; then + msg "Could not find valid principal ($PRINCIPAL)" + exit 1 + fi + msg "using principal: $PRINCIPAL" + + kinit -k -t $KEYTAB $PRINCIPAL + if [ $? -ne 0 ]; then + msg "An error occurred while initializing $PRINCIPAL" + exit 1 + else + msg "Initialized ticket for principal $PRINCIPAL" + msg "`klist`" + fi + exit 0 +fi + +# ========================================================================= +# Perform the <status> request +# +# returns: +# 0 - valid ticket +# 1 - no ticket +# 2 - expired or ready to expire ticket + +if [ $doStatus -eq 1 ]; then + if [ $serviceRunning -eq 0 ]; then + echo "service not running" + fi + getCachedTicket + if [[ $? -eq 0 ]]; then + getStatus + retcode=$? + echo $TICKET_STATUS + else + echo "Ticket information not found" + retcode=1 + fi + exit $retcode +fi + + +# ========================================================================= +# Perform the <stop> request +if [ $doStop -eq 1 ]; then + msg "service stop requested" + if [ $serviceRunning -eq 1 ]; then + msg "service is running" + kill -9 $currentPID + rm $LOCK_FILE + msg "service stopped for $currentPID" + fi +fi + +# ========================================================================= +# Perform the <start> request +if [ $doStart -eq 1 ]; then + msg "service start requested" + + # If the lockfile already exists then another process must be running + if [ -f $LOCK_FILE ]; then + if [ $serviceRunning -eq 1 ]; then + msg "service already running with pid $( cat $LOCK_FILE )" + exit 1 + fi + fi + + # remove log, may want to handle log garbage collection differently + rm $MY_SQROOT/logs/krb5check + + # kick off a process that wakes up once in a while and check for + # ticket expirations + + getCachedTicket + if [[ $? -eq 1 ]]; then + msg "ERROR: Ticket is not available" + fi + getStatus + msg "starting service (krb5check)" + msg "$TICKET_STATUS" + $MY_SQROOT/sql/scripts/krb5check -r 2 -w 300 & + krb5checkPID=`echo $!` + + # see if process started successfully + sleep 5 + existingPID=`ps -p $krb5checkPID | grep krb5check | awk '{print $1}'` + if [ ! "$existingPID" == "$krb5checkPID" ]; then + msg "service (krb5check) did not start, check $LOG_FILE for details" + fi +fi + +# ========================================================================= +exit 0 http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/9673059c/core/sqf/sql/scripts/sqcheck ---------------------------------------------------------------------- diff --git a/core/sqf/sql/scripts/sqcheck b/core/sqf/sql/scripts/sqcheck index 6aaf0c0..fe10ea0 100755 --- a/core/sqf/sql/scripts/sqcheck +++ b/core/sqf/sql/scripts/sqcheck @@ -149,6 +149,8 @@ function getDcsInfo { fi } +jpscmd=$JAVA_HOME/bin/jps +tmpjps=/tmp/tmpjps-$USER.log begin_time_seconds=$(date +%s) declare -i max_checks http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/9673059c/core/sqf/sql/scripts/sqstart ---------------------------------------------------------------------- diff --git a/core/sqf/sql/scripts/sqstart b/core/sqf/sql/scripts/sqstart index 93e49bd..5e5f01a 100755 --- a/core/sqf/sql/scripts/sqstart +++ b/core/sqf/sql/scripts/sqstart @@ -220,6 +220,31 @@ function SQCheckOrphanProcesses { } +function checkKerberos { + + # Check to see if kerberos is enabled in Hadoop + cat /etc/hadoop/conf/core-site.xml | while read a; do + found=`echo $a | grep "hadoop.security.authentication" | wc -l` + if [[ $found -eq 1 ]]; then + read b + enabled=`echo $b | grep kerberos | wc -l` + if [[ $enabled -eq 1 ]]; then + exit 1 + else + exit 0 + fi + fi + done + retcode=$? + + if [[ $retcode -eq 1 ]]; then + # Check to see if TGT exists (ticket granting ticket) + tktExists=`krb5service status | grep "Ticket information not found" | wc -l` + return $tktExists + fi + return 0 +} + ######################################################### # MAIN portion of sqstart begins here ######################################################### @@ -261,6 +286,18 @@ if [[ $SQ_SEAMONSTER == "1" ]]; then echoLog fi +if [[ ! -e $MY_SQROOT/sql/scripts/sw_env.sh ]]; then + checkKerberos + if [[ $? -ne 0 ]]; then + echo + echo "Kerberos is enabled on the system but cannot find a valid TGT (ticket granting ticket) for the Trafodion ID" + echo "Please run trafodion_secure_install to enable Kerberos for Trafodion" + + echo + exit -1 + fi +fi + declare -i lv_len_mysqroot declare -i lv_max_mysqroot_len lv_max_mysqroot_len=78 http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/9673059c/install/installer/traf_add_kerberos ---------------------------------------------------------------------- diff --git a/install/installer/traf_add_kerberos b/install/installer/traf_add_kerberos new file mode 100755 index 0000000..aab5252 --- /dev/null +++ b/install/installer/traf_add_kerberos @@ -0,0 +1,202 @@ +#!/bin/bash + +# @@@ START COPYRIGHT @@@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +# @@@ END COPYRIGHT @@@ + +#****************************************************************************** +# Sets up Trafodion environment for security features: +# Kerberos +#****************************************************************************** + +TRAF_CONFIG='/etc/trafodion/trafodion_config' +source $TRAF_CONFIG +HOST_NAME=`hostname -f` + +#============================================================================== +# set up kerberos stuff +if [[ "$SECURE_HADOOP" == "N" ]]; then + echo "***INFO: KERBEROS not available, skipping to next step" + exit 0 +fi + +echo +echo "******************************" +echo " TRAFODION KERBEROS SETUP " +echo "******************************" +echo +echo "***INFO: Running KERBEROS installation" + +# get realm from admin principal +REALM=${ADMIN_PRINCIPAL#*"@"} +TRAF_PRINCIPAL="$TRAF_USER/$HOST_NAME@REALM" +HBASE_PRINCIPAL="$HBASE_USER/$HOST_NAME@$REALM" +PDCP="pdcp -R ssh " + +# test KDC server connection - always ask for the admin password +echo -n "Enter admin password:" +read -s answer +if [[ ! -z $answer ]]; then ADMIN_PASSWD=$answer; fi +echo "" + +KADMIN_CMD="sudo kadmin -p $ADMIN_PRINCIPAL -w $ADMIN_PASSWD -s $KDC_SERVER -q" + +$KADMIN_CMD "listprincs" > /dev/null 2>&1 +if [[ $? -ne 0 ]]; then + echo "***ERROR: kadmin command failed to execute, verify that Kerberos is running, you can access it from the installation node, and that your password is valid" + ADMIN_PASSWD="***" + exit -1 +fi +echo "***INFO: Connection to KDC server successful" + +# Make a directory to hold generated keytabs, ignore if already created +mkdir -p $LOCAL_WORKDIR/keytabs 2>/dev/null + +echo "***INFO: Create principals and keytabs for $TRAF_USER" +for ITEM in $HADOOP_NODES; do + NODE=`ssh -q -n robertablue sudo hostname -f` + PRINCIPAL_EXISTS=$( $KADMIN_CMD "listprincs" | grep "$TRAF_USER/$NODE@$REALM" | wc -l ) + if [[ $PRINCIPAL_EXISTS -eq 1 ]]; then + echo "***INFO: Principal $TRAF_USER/$NODE@$REALM exists, continuing" + else + # add the principal + $KADMIN_CMD "addprinc -randkey $TRAF_USER/$NODE@$REALM" > /dev/null 2>&1 + if [[ $? -ne 0 ]]; then + echo "***ERROR: kadmin command failed to create principal, check KDC server status" + ADMIN_PASSWD="***" + exit -1 + fi + fi + + # Adjust principal's maxlife and maxrenewlife + echo "***INFO: Set max and renew life times for principal $TRAF_USER/$NODE@$REALM" + $KADMIN_CMD "modprinc -maxlife $MAX_LIFETIME -maxrenewlife $RENEW_LIFETIME $TRAF_USER/$NODE@$REALM" > /dev/null 2>&1 + if [[ $? -ne 0 ]]; then + echo "***ERROR: kadmin command failed to modify principal, check KDC server status" + ADMIN_PASSWD="***" + exit -1 + fi + + # Look in keytabs to see if keytab already exists, if so, then skip this step + # May want to supporting regeneration of keytabs at some point in time. + echo "***INFO: Create keytab $TRAF_KEYTAB for $NODE" + if [[ -e $LOCAL_WORKDIR/keytabs/$NODE-$TRAF_KEYTAB ]]; then + echo "***INFO: The keytab for $NODE exists, continuing" + else + echo "***INFO: Adding keytab for $NODE" + $KADMIN_CMD "ktadd -k $LOCAL_WORKDIR/$TRAF_KEYTAB $TRAF_USER/$NODE@$REALM" + if [[ $? -ne 0 ]]; then + echo "***ERROR: failed to add keytab" + ADMIN_PASSWD="***" + exit -1 + fi + + # Each node has its own principal and keytab. The principal names have the node + # name embedded but the keytab names are the same. Save keytabs into the keytabs + # directory and prepend them with the node name to tell them apart. They will + # be copied to the individual nodes in a separate step + sudo chown $(whoami):$(whoami) $LOCAL_WORKDIR/$TRAF_KEYTAB + sudo chmod 400 $LOCAL_WORKDIR/$TRAF_KEYTAB + sudo mv $LOCAL_WORKDIR/$TRAF_KEYTAB $LOCAL_WORKDIR/keytabs/$NODE-$TRAF_KEYTAB + fi + + # Copy keytab to node (probably a better way of doing this) + # - Remove the prepended node from the keytab + # - Copy the keytab to the node + # - Move the keytab to the KEYTAB directory on the node + # - Change owner to allow trafodion access + sudo cp $LOCAL_WORKDIR/keytabs/$NODE-$TRAF_KEYTAB $LOCAL_WORKDIR/keytabs/$TRAF_KEYTAB + sudo chown $(whoami):$(whoami) $LOCAL_WORKDIR/keytabs/$TRAF_KEYTAB + if [[ "$all_node_count" -ne "1" ]]; then + pdcp -R ssh -w $NODE $LOCAL_WORKDIR/keytabs/$TRAF_KEYTAB $HOME + ssh -q -n $NODE sudo mv $HOME/$TRAF_KEYTAB $TRAF_KEYTAB_DIR/$TRAF_KEYTAB + ssh -q -n $NODE sudo chown $TRAF_USER:hadoop $TRAF_KEYTAB_DIR/$TRAF_KEYTAB + else + sudo cp $LOCAL_WORKDIR/keytabs/$TRAF_KEYTAB $TRAF_KEYTAB_DIR + sudo chown $TRAF_USER:hadoop $TRAF_KEYTAB_DIR/$TRAF_KEYTAB + fi + echo "***INFO: Copied keytab file to $NODE" +done +ADMIN_PASSWD="***" +echo "***INFO: Done creating principals and keytabs" + +# The RENEW_TOOL is a script that get run that automatically +# renews the ticket when it get ready to expire. +RENEW_TOOL='$MY_SQROOT/sql/scripts/krb5service start' + +# modify .bashrc to add kinit command +# Steps: +# - Store the text to add to the .bashrc file in a tmp file +# - Copy the tmp file to all the nodes +# - Change owner of tmp file to the trafodion user +# - Add text to .bashrc +# This assumes that if the installation node already has the text, then this +# step can be skipped. May need to be more robust + +sudo grep -q "kinit" $HOME_DIR/$TRAF_USER/.bashrc +if [[ $? -ne 0 ]]; then + echo "***INFO: Add kinit command in .bashrc file" + echo "" > $LOCAL_WORKDIR/kerberos.tmp + echo "" >> $LOCAL_WORKDIR/kerberos.tmp + echo "# ---------------------------------------------------------------" >> $LOCAL_WORKDIR/kerberos.tmp + echo "# if needed obtain and cache the Kerberos ticket-granting ticket" >> $LOCAL_WORKDIR/kerberos.tmp + echo "# start automatic ticket renewal process" >> $LOCAL_WORKDIR/kerberos.tmp + echo "# ---------------------------------------------------------------" >> $LOCAL_WORKDIR/kerberos.tmp + echo 'klist -s >/dev/null 2>&1' >> $LOCAL_WORKDIR/kerberos.tmp + echo 'if [[ $? -eq 1 ]]; then' >> $LOCAL_WORKDIR/kerberos.tmp + echo " kinit -kt $TRAF_KEYTAB_DIR/$TRAF_KEYTAB ${TRAF_USER}/\`hostname -f\`@${REALM} >/dev/null 2>&1" >> $LOCAL_WORKDIR/kerberos.tmp + echo "fi " >> $LOCAL_WORKDIR/kerberos.tmp + echo "" >> $LOCAL_WORKDIR/kerberos.tmp + echo "# ---------------------------------------------------------------" >> $LOCAL_WORKDIR/kerberos.tmp + echo "# Start trafodion kerberos ticket manager process" >> $LOCAL_WORKDIR/kerberos.tmp + echo "# ---------------------------------------------------------------" >> $LOCAL_WORKDIR/kerberos.tmp + + echo "${RENEW_TOOL} > /dev/null 2>&1" >> $LOCAL_WORKDIR/kerberos.tmp + + sudo cp $LOCAL_WORKDIR/kerberos.tmp $HOME_DIR/$TRAF_USER/kerberos.tmp + sudo chown $TRAF_USER:$TRAF_USER $HOME_DIR/$TRAF_USER/kerberos.tmp + if [[ "$all_node_count" -ne "1" ]]; then + sudo su $TRAF_USER --command "$TRAF_PDCP $HOME_DIR/$TRAF_USER/kerberos.tmp $HOME_DIR/$TRAF_USER/kerberos.tmp" + $TRAF_PDSH sudo su $TRAF_USER -c '"cat ~/kerberos.tmp >> ~/.bashrc"' + else + sudo su $TRAF_USER -c "cat ~/kerberos.tmp >> ~/.bashrc" + fi + rm $LOCAL_WORKDIR/kerberos.tmp +fi + +# Grant all privileges to the Trafodion principle in HBase +echo "***INFO: Grant HBase privileges to $TRAF_USER user" +sudo -u $HBASE_USER kinit -kt $HBASE_KEYTAB $HBASE_PRINCIPAL +if [[ $? -ne 0 ]]; then + echo "***ERROR: unable to init Kerberos ticket for HBase using keytab ($HBASE_KEYTAB) and principal ($HBASE_PRINCIPAL)" | tee -a $INSTALL_LOG + exit -1 +fi + +echo "grant \"$TRAF_USER\", \"RWXC\"" |sudo -u $HBASE_USER hbase shell > $LOCAL_WORKDIR/hbase_shell.out 2>&1 +rc=$? +grant_error=$(grep 'ERROR' $LOCAL_WORKDIR/hbase_shell.out |wc -l) + +if [[ $grant_error -ne 0 || $rc -ne 0 ]]; then + echo "***ERROR: failed to grant HBase privileges to $TRAF_USER user, see $LOCAL_WORKDIR/hbase_shell.out for details" | tee -a $INSTALL_LOG + exit -1 +else + sudo rm -f $LOCAL_WORKDIR/hbase_shell.out +fi + http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/9673059c/install/installer/traf_add_ldap ---------------------------------------------------------------------- diff --git a/install/installer/traf_add_ldap b/install/installer/traf_add_ldap new file mode 100755 index 0000000..be85389 --- /dev/null +++ b/install/installer/traf_add_ldap @@ -0,0 +1,88 @@ +#!/bin/bash + +# @@@ START COPYRIGHT @@@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +# @@@ END COPYRIGHT @@@ + +#****************************************************************************** +# Sets up Trafodion environment for security features: +# LDAP authentication +#****************************************************************************** + +TRAF_CONFIG='/etc/trafodion/trafodion_config' +source $TRAF_CONFIG +TRAF_GROUP="trafodion" + +if [[ "$LDAP_SECURITY" == "N" ]]; then + echo "***INFO: LDAP not available, skipping to next step" + exit 0 +fi + +# setup identity store (LDAP) stuff +echo +echo "******************************" +echo " TRAFODION LDAP SETUP " +echo "******************************" +echo +echo "***INFO: Running LDAP installation" + +echo "***INFO: Copy $LDAP_AUTH_FILE to all nodes" +sudo cp -r $LOCAL_WORKDIR/$LDAP_AUTH_FILE $HOME_DIR/$TRAF_USER +sudo chown $TRAF_USER.$TRAF_GROUP $HOME_DIR/$TRAF_USER/$LDAP_AUTH_FILE +sudo chmod 750 $HOME_DIR/$TRAF_USER/$LDAP_AUTH_FILE + +# Check traf_authentication_config for errors +echo "***INFO: Checking LDAP Configuration file for errors." +sudo su $TRAF_USER --login --command "ldapconfigcheck -file $HOME_DIR/$TRAF_USER/$LDAP_AUTH_FILE" | tee -a $INSTALL_LOG +if [ ${PIPESTATUS[0]} != "0" ]; then + echo "***ERROR: traf_authentication_config not configured correctly." + exit -1 +fi + +# Copy traf_authentication_config file to correct location and change to official name +if [[ "$all_node_count" -eq "1" ]]; then + sudo su $TRAF_USER --login --command "cp $HOME_DIR/$TRAF_USER/$LDAP_AUTH_FILE $SQ_ROOT/sql/scripts/.traf_authentication_config" 2>&1 +else + sudo su $TRAF_USER --command "$TRAF_PDCP $HOME_DIR/$TRAF_USER/$LDAP_AUTH_FILE $SQ_ROOT/sql/scripts/.traf_authentication_config" 2>&1 +fi + +sudo su $TRAF_USER --login --command "ldapcheck --username=$DB_ROOT_NAME" | tee -a $INSTALL_LOG +if [ ${PIPESTATUS[0]} != "0" ]; then + echo "***ERROR: traf_authentication_config not configured correctly." + exit -1 +fi + +# change and copy sqenvcom.sh +echo "***INFO: Modifying sqenvcom.sh to turn on authentication" +sudo cp -r $SQ_ROOT/sqenvcom.sh $LOCAL_WORKDIR/sqenvcom.sh +sudo chown $(whoami).$(whoami) $LOCAL_WORKDIR/sqenvcom.sh +sed -i -e "s@TRAFODION_ENABLE_AUTHENTICATION=NO@TRAFODION_ENABLE_AUTHENTICATION=YES@g" $LOCAL_WORKDIR/sqenvcom.sh +sudo cp $LOCAL_WORKDIR/sqenvcom.sh $HOME_DIR/$TRAF_USER/sqenvcom.sh +sudo chown $TRAF_USER.$TRAF_GROUP $HOME_DIR/$TRAF_USER/sqenvcom.sh +sudo chmod 664 $HOME_DIR/$TRAF_USER/sqenvcom.sh +echo "***INFO: copying sqenvcom.sh to all nodes" +if [[ "$all_node_count" -ne "1" ]]; then + sudo su $TRAF_USER --command "$TRAF_PDCP $HOME_DIR/$TRAF_USER/sqenvcom.sh $SQ_ROOT/sqenvcom.sh" +else + sudo cp $HOME_DIR/$TRAF_USER/sqenvcom.sh $SQ_ROOT/sqenvcom.sh +fi +rm $LOCAL_WORKDIR/sqenvcom.sh + +echo "***INFO: LDAP has been configured" http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/9673059c/install/installer/traf_cloudera_mods ---------------------------------------------------------------------- diff --git a/install/installer/traf_cloudera_mods b/install/installer/traf_cloudera_mods index f949cb6..234e682 100755 --- a/install/installer/traf_cloudera_mods +++ b/install/installer/traf_cloudera_mods @@ -35,6 +35,22 @@ export PDSH_HADOOP_NODES="$PDSH $MY_HBASE_NODES $PDSH_SSH_CMD" export PDCP_HADOOP_NODES="$PDCP $MY_HBASE_NODES" export HDFS_NODE=$(echo $HDFS_NODES | head -n1 | awk '{print $1;}') export HBASE_NODE=$(echo $HBASE_NODES | head -n1 | awk '{print $1;}') + +#===================================== +# create principals for hdfs user if secure hadoop is enabled +if [[ $SECURE_HADOOP == "Y" ]]; then + REALM=${ADMIN_PRINCIPAL#*"@"} + HDFS_PRINCIPAL=$(sudo klist -kte $HDFS_KEYTAB |grep $REALM | grep 'hdfs/' | awk '{print $4}' | uniq) + MESSAGE="***INFO: obtain and cache the Kerberos ticket-granting ticket for hdfs user" + MESSAGE=$MESSAGE" using keytab $HDFS_KEYTAB and principal $HDFS_PRINCIPAL" + echo $MESSAGE + sudo -u $HDFS_USER kinit -kt $HDFS_KEYTAB $HDFS_PRINCIPAL + if [ $? != 0 ]; then + echo "***ERROR: failed to obtain and cache the Kerberos ticket-granting ticket for hdfs user" + exit -1 + fi +fi + #===================================== # copy Trafodion trx jar to Cloudera's plugins directory on all nodes http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/9673059c/install/installer/traf_config_setup ---------------------------------------------------------------------- diff --git a/install/installer/traf_config_setup b/install/installer/traf_config_setup index e83f19c..fd3a9ab 100755 --- a/install/installer/traf_config_setup +++ b/install/installer/traf_config_setup @@ -33,7 +33,6 @@ TRAF_WORKDIR="/usr/lib/trafodion" TRAF_CONFIG="/etc/trafodion/trafodion_config" TRAF_CONFIG_DIR=$(dirname $TRAF_CONFIG) LOCAL_TRAF_CONFIG="$LOCAL_WORKDIR/trafodion_config" -LDAP_AUTH_FILE="traf_authentication_config_${HOSTNAME}" TRAF_USER="trafodion" TRAF_USER_PASSWORD="traf123" # must be 6-8 chars userForTrafodion=`grep "$TRAF_USER:" /etc/passwd | wc -l` @@ -67,7 +66,6 @@ DCS_SERVERS_PARM="2" ENABLE_HA="false" FLOATING_IP="" BACKUP_DCS_NODES="" -LDAP_SECURITY="N" SCANNER_MODE="N" DCS_PRIMARY_MASTER_NODE=`hostname -f` DCS_MASTER_PORT="23400" @@ -79,7 +77,6 @@ OPEN_STACK="" OTHER_CLOUD="" MANAGEMENT_ENABLED="N" MANAGEMENT_NODES="" -LDAP_LEVEL="0" #============================================== function print_usage { @@ -811,162 +808,6 @@ if [[ "$ENABLE_HA" == "true" ]]; then fi #============================================== -#Simple security -if [[ $SCANNER_MODE == "N" ]]; then - echo -n "Enable simple LDAP security (Y/N), default is N: " - read answer - - if [ ! -z $answer ]; then - if [[ "${answer}" =~ ^[Yy]$ ]]; then - LDAP_SECURITY="Y" - fi - else - LDAP_SECURITY="N" - fi - - echo "export LDAP_SECURITY=\"$LDAP_SECURITY\"" >> $LOCAL_TRAF_CONFIG - - if [[ "$LDAP_SECURITY" == "Y" ]]; then - #Hostnames - echo -n "Enter list of LDAP Hostnames (blank separated), default [$LDAP_HOSTS]: " - read answer1 - if [[ -z "$answer1" ]]; then - if [ -z "$LDAP_HOSTS" ]; then - echo "***ERROR: Must enter list of LDAP Hostnames." - exit -1 - fi - else - LDAP_HOSTS=$answer1 - fi - echo "export LDAP_HOSTS=\"$LDAP_HOSTS\"" >> $LOCAL_TRAF_CONFIG - cp -rf traf_authentication_conf_default $LOCAL_WORKDIR/$LDAP_AUTH_FILE - echo "export LDAP_AUTH_FILE=\"$LDAP_AUTH_FILE\"" >> $LOCAL_TRAF_CONFIG - - counter=0 - for host in $LDAP_HOSTS - do - counter=$[$counter+1] - if [ $counter -eq "1" ]; then - list=" LdapHostname: $host" - elif [ $counter -eq "$node_count" ]; then - list="LdapHostname: $host\n $list" - else - list=" LdapHostname: $host\n $list" - fi - done - sed -i -e "s/LdapHostname:/$list/g" $LDAP_AUTH_FILE - - #Port numbers - echo -n "Enter LDAP Port number (Example: 389 for no encryption or TLS, 636 for SSL), default [$LDAP_PORT]: " - read answer2 - if [[ -z "$answer2" ]]; then - if [ -z "$LDAP_PORT" ]; then - echo "***ERROR: Must enter LDAP port." - exit -1 - fi - else - LDAP_PORT=$answer2 - fi - - echo "export LDAP_PORT=\"$LDAP_PORT\"" >> $LOCAL_TRAF_CONFIG - port="LdapPort: $LDAP_PORT" - sed -i -e "s/LdapPort:389/$port/g" $LDAP_AUTH_FILE - - #Unique IDs - echo -n "Enter all LDAP unique identifiers (blank separated), default [$LDAP_ID]: " - read answer3 - if [[ -z "$answer3" ]]; then - if [ -z "$LDAP_ID" ]; then - echo "***ERROR: Must enter LDAP unique identifiers." - exit -1 - fi - else - LDAP_ID=$answer3 - fi - echo "export LDAP_ID=\"$LDAP_ID\"" >> $LOCAL_TRAF_CONFIG - - counter=0 - for id in $LDAP_ID - do - counter=$[$counter+1] - if [ $counter -eq "1" ]; then - list=" UniqueIdentifier: $id" - elif [ $counter -eq "$node_count" ]; then - list="UniqueIdentifier: $id\n $list" - else - list=" LdapHostname: $id\n $list" - fi - done - - sed -i -e "s/UniqueIdentifier:/$list/g" $LDAP_AUTH_FILE - - #Encryption level - echo -n "Enter LDAP Encryption Level (0: Encryption not used, 1: SSL, 2: TLS), default [$LDAP_LEVEL]: " - read answer4 - if [[ -z "$answer4" ]]; then - if [ -z "$LDAP_LEVEL" ]; then - echo "***ERROR: Must enter LDAP Encryption level." - exit -1 - fi - else - LDAP_LEVEL=$answer4 - fi - echo "export LDAP_LEVEL=\"$LDAP_LEVEL\"" >> $LOCAL_TRAF_CONFIG - - level="LDAPSSL: $LDAP_LEVEL" - sed -i -e "s/LDAPSSL:0/$level/g" $LDAP_AUTH_FILE - - - if [[ "$LDAP_LEVEL" -eq "1" ]] || [[ "$LDAP_LEVEL" -eq "2" ]]; then - echo -n "Enter full path to TLS certificate, default [$LDAP_CERT]: " - read answer7 - if [[ -z "$answer7" ]]; then - if [ -z "$LDAP_CERT" ]; then - echo "***ERROR: Encryption level 2(TLS) requires a certificate file (*.pem)" - exit -1 - fi - else - LDAP_CERT=$answer7 - LDAP_CERT_BASE=$(basename $LDAP_CERT) - - if [[ ! -f $LDAP_CERT ]]; then - echo "***ERROR: File does not exist." - echo "***ERROR: Please enter full path or check for errors." - exit -1 - fi - - fi - echo "export LDAP_CERT=\"$LDAP_CERT\"" >> $LOCAL_TRAF_CONFIG - echo "export LDAP_CERT_BASE=\"$LDAP_CERT_BASE\"" >> $LOCAL_TRAF_CONFIG - - list="TLS_CACERTFilename: $HOME_DIR/$TRAF_USER/$LDAP_CERT_BASE" - - sed -i -e "s@TLS\_CACERTFilename:@$list@" $LDAP_AUTH_FILE - fi - - #Search username and password - echo -n "Enter Search user name (if required), default [$LDAP_USER]: " - read answer5 - if [[ ! -z "$answer5" ]]; then - LDAP_USER=$answer5 - echo "export LDAP_USER=\"$LDAP_USER\"" >> $LOCAL_TRAF_CONFIG - - echo -n "Enter Search password (if required), default [$LDAP_PASSWORD]: " - read answer6 - if [[ ! -z "$answer6" ]]; then - LDAP_PASSWORD=$answer6 - echo "export LDAP_PASSWORD=\"$LDAP_PASSWORD\"" >> $LOCAL_TRAF_CONFIG - fi - fi - user="LDAPSearchDN: $LDAP_USER" - sed -i -e "s/LDAPSearchDN:/$user/g" $LDAP_AUTH_FILE - password="LDAPSearchPwd: $LDAP_PASSWORD" - sed -i -e "s/LDAPSearchPwd:/$password/g" $LDAP_AUTH_FILE - fi - -fi - -#============================================== #All items added to config file #Will add setup complete flag http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/9673059c/install/installer/traf_hortonworks_mods ---------------------------------------------------------------------- diff --git a/install/installer/traf_hortonworks_mods b/install/installer/traf_hortonworks_mods index 67d1ed3..61b561c 100755 --- a/install/installer/traf_hortonworks_mods +++ b/install/installer/traf_hortonworks_mods @@ -35,6 +35,20 @@ export PDCP="pdcp -R ssh" export PDSH_HADOOP_NODES="$PDSH $MY_HBASE_NODES $PDSH_SSH_CMD" export PDCP_HADOOP_NODES="$PDCP $MY_HBASE_NODES" + +#===================================== +# create principals for hdfs user if secure hadoop is enabled +if [[ $SECURE_HADOOP == "Y" ]]; then + echo "***INFO: obtain and cache the Kerberos ticket-granting ticket for hdfs user" + HDFS_PRINCIPAL=$(sudo klist -kte $HDFS_KEYTAB | awk '{print $4}' | uniq) + echo " using keytab $HDFS_KEYTAB and principal $HDFS_PRINCIPAL" + sudo -u $HDFS_USER kinit -kt $HDFS_KEYTAB $HDFS_PRINCIPAL + if [ $? != 0 ]; then + echo "***ERROR: failed to obtain and cache the Kerberos ticket-granting ticket for hdfs user" + exit -1 + fi +fi + #===================================== # copy Trafodion hbase trx jar to /usr/lib/hbase/lib @@ -68,10 +82,10 @@ traf_util_jar="trafodion-utility-*.jar" # files does not work well with the installation process so we change them sudo chmod -R 777 $UNTAR_DIR/export/lib -if [ ! -f $UNTAR_DIR/export/lib/$hbase_trx_jar ]; then - echo "***ERROR: unable to find $UNTAR_DIR/export/lib/$hbase_trx_jar" - exit -1 -fi +#if [ ! -f $UNTAR_DIR/export/lib/$hbase_trx_jar ]; then +# echo "***ERROR: unable to find $UNTAR_DIR/export/lib/$hbase_trx_jar" +# exit -1 +#fi # if more than one node then copy to all nodes echo "***INFO: copying $hbase_trx_jar to all nodes" @@ -121,7 +135,7 @@ fi for node in $HBASE_NODES do copiedOver=$(ssh -q -n $node sudo ls $HADOOP_PATH/hbase-trx* | wc -l) - if [[ $copiedOver -ne "1" ]]; then + if [[ $copiedOver -eq "0" ]]; then echo "***ERROR: $hbase_trx_jar was not copied on $node" echo "***ERROR: Please investigate why this happened" echo "***ERROR: Trafodion can not start without this. EXITING..." @@ -196,7 +210,13 @@ if [ $? != 0 ]; then exit -1 fi sleep 2 -ssh -q -n $AMBARI_HOST "$AMBARI_DIR"'/configs.sh -u' "$ADMIN" '-p' "$PASSWORD" '-port' "$PORT" 'set' "$AMBARI_HOST" "$CLUSTER_NAME" 'hbase-site hbase.coprocessor.region.classes "org.apache.hadoop.hbase.coprocessor.transactional.TrxRegionObserver,org.apache.hadoop.hbase.coprocessor.transactional.TrxRegionEndpoint,org.apache.hadoop.hbase.coprocessor.AggregateImplementation"' +# Bug: install removes hbase co-processors installed as part of kerberozing Hadoop. Add them +# as part of adding trafodion co-processor (add JIRA #) +if [[ "$SECURE_HADOOP" == "Y" ]]; then + ssh -q -n $AMBARI_HOST "$AMBARI_DIR"'/configs.sh -u' "$ADMIN" '-p' "$PASSWORD" '-port' "$PORT" 'set' "$AMBARI_HOST" "$CLUSTER_NAME" 'hbase-site hbase.coprocessor.region.classes "org.apache.hadoop.hbase.coprocessor.transactional.TrxRegionObserver,org.apache.hadoop.hbase.coprocessor.transactional.TrxRegionEndpoint,org.apache.hadoop.hbase.coprocessor.AggregateImplementation,org.apache.hadoop.hbase.security.access.AccessController,org.apache.hadoop.hbase.security.token.TokenProvider"' +else + ssh -q -n $AMBARI_HOST "$AMBARI_DIR"'/configs.sh -u' "$ADMIN" '-p' "$PASSWORD" '-port' "$PORT" 'set' "$AMBARI_HOST" "$CLUSTER_NAME" 'hbase-site hbase.coprocessor.region.classes "org.apache.hadoop.hbase.coprocessor.transactional.TrxRegionObserver,org.apache.hadoop.hbase.coprocessor.transactional.TrxRegionEndpoint,org.apache.hadoop.hbase.coprocessor.AggregateImplementation"' +fi if [ $? != 0 ]; then echo "***ERROR: unable to modify hbase.coprocessor.region.classes through Ambari's configs.sh script." exit -1 http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/9673059c/install/installer/traf_secure ---------------------------------------------------------------------- diff --git a/install/installer/traf_secure b/install/installer/traf_secure new file mode 100755 index 0000000..80309b4 --- /dev/null +++ b/install/installer/traf_secure @@ -0,0 +1,63 @@ +#!/bin/bash + +# @@@ START COPYRIGHT @@@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +# @@@ END COPYRIGHT @@@ + + + +export TRAF_CONFIG=/etc/trafodion/trafodion_config + +source $TRAF_CONFIG + +rm $SQ_ROOT/logs/securityErrors.txt 2>/dev/null + +if [[ "$all_node_count" -eq "1" ]]; then + STARTING_NODE=$NODE_LIST +else + STARTING_NODE=$(echo $MY_NODES | awk '{print $2}') +fi + +#========================================== + +echo "***INFO: Starting Trafodion instance, if not already started" | tee -a $SQ_ROOT/logs/securityErrors.txt + +ssh $STARTING_NODE "cd $SQ_ROOT/sql/scripts; sqstart" +SQSTART_RC=$? +if [ "$SQSTART_RC" -ne "0" -a "$SQSTART_RC" -ne "1" ]; then + echo "***ERROR: sqstart failed with RC=$SQSTART_RC. Check $SQ_ROOT/sqmon.log file for details." | tee -a $SQ_ROOT/logs/securityErrors.txt + exit -1; +fi + +# Do initialize authorization and alter predefined users +echo "***INFO: Initialize authorization and set up predefined users" | tee -a $SQ_ROOT/logs/securityErrors.txt +ssh $STARTING_NODE "cd $SQ_ROOT/sql/scripts; echo \"initialize authorization; alter user DB__ROOT set external name \"$DB_ROOT_NAME\";\" | sqlci" | tee -a $SQ_ROOT/logs/securityErrors.txt +foundError=$(grep "ERROR" $SQ_ROOT/logs/securityErrors.txt | wc -l) +if [ "$foundError" -ge "1" ];then + echo "***ERROR: Security installation failed, continuing. Check files $SQ_ROOT/logs/securityErrors.txt for details." | tee -a $SQ_ROOT/logs/securityErrors.txt +fi + +# if this script is run multiple times, then the mapping may already be completed, +# if the mapping has already been completed, then an error is returned. +# for now, continue with the installation +echo "***INFO: Please check the install log $SQ_ROOT/logs/securityErrors.txt for any issues" | tee -a $SQ_ROOT/logs/securityErrors.txt + +#========================================== +echo "***INFO: Installation setup completed successfully." | tee -a $SQ_ROOT/logs/securityErrors.txt http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/9673059c/install/installer/traf_secure_setup ---------------------------------------------------------------------- diff --git a/install/installer/traf_secure_setup b/install/installer/traf_secure_setup new file mode 100755 index 0000000..307f73f --- /dev/null +++ b/install/installer/traf_secure_setup @@ -0,0 +1,343 @@ +#!/bin/bash + +# @@@ START COPYRIGHT @@@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +# @@@ END COPYRIGHT @@@ + +# KDC attributes +MAX_LIFETIME="24hours" +RENEW_LIFETIME="7days" + +# LDAP attributes +LDAP_AUTH_FILE="traf_authentication_config_${HOSTNAME}" + +HOST_NAME=`hostname -f` + +echo "hadoop_type: $HADOOP_TYPE" +# These differ depending on the distribution +if [[ $HADOOP_TYPE == "cloudera" ]]; then + TRAF_KEYTAB_DIR='/etc/trafodion' + TRAF_KEYTAB="trafodion.keytab" + HBASE_KEYTAB=`sudo find /var/run/cloudera-scm-agent/process/ -name hbase.keytab | grep 'hbase-MASTER' | head -n 1` + HDFS_KEYTAB=`sudo find /var/run/cloudera-scm-agent/process/ -name hdfs.keytab | grep 'hdfs-NAMENODE/' | head -n 1` +else + TRAF_KEYTAB_DIR='/etc/security/keytabs' + TRAF_KEYTAB="trafodion.service.keytab" + HBASE_KEYTAB='/etc/security/keytabs/hbase.service.keytab' + HDFS_KEYTAB='/etc/security/keytabs/hdfs.headless.keytab' +fi + +#============================================== +# Setup Trafodion environment for secure Hadoop +#============================================== + +LOCAL_WORKDIR="$( cd "$( dirname "$0" )" && pwd )" + +TRAF_CONFIG="/etc/trafodion/trafodion_config" +LOCAL_SECURE_CONFIG="$LOCAL_WORKDIR/trafodion_secure_config" +rm $LOCAL_SECURE_CONFIG 2>/dev/null + + +#============================================== +# Kerberos enabled + +echo "***INFO: Starting Trafodion security configuration setup" + +# Check to see if kerberos is enabled in Hadoop +cat /etc/hadoop/conf/core-site.xml | while read a; do + found=`echo $a | grep "hadoop.security.authentication" | wc -l` + if [[ $found -eq 1 ]]; then + read b + enabled=`echo $b | grep kerberos | wc -l` + if [[ $enabled -eq 1 ]]; then + exit 1 + else + exit 0 + fi + fi +done + +retcode=$? +if [[ $retcode -eq 1 ]]; then + SECURE_HADOOP="Y" +else + SECURE_HADOOP="N" +fi +sed -i '/SECURE_HADOOP\=/d' $TRAF_CONFIG +echo "export SECURE_HADOOP=\"$SECURE_HADOOP\"" >> $LOCAL_SECURE_CONFIG + + +if [[ "$SECURE_HADOOP" == "Y" ]]; then + echo -n "Enter KDC server address, default is [$KDC_SERVER]:" + read answer + if [[ ! -z $answer ]]; then KDC_SERVER=$answer; fi + sed -i '/KDC_SERVER\=/d' $TRAF_CONFIG + echo "export KDC_SERVER=\"$KDC_SERVER\"" >> $LOCAL_SECURE_CONFIG + + echo -n "Enter admin principal (include realm), default is [$ADMIN_PRINCIPAL]:" + read answer + if [[ ! -z $answer ]]; then ADMIN_PRINCIPAL=$answer; fi + sed -i '/ADMIN_PRINCIPAL\=/d' $TRAF_CONFIG + echo "export ADMIN_PRINCIPAL=\"$ADMIN_PRINCIPAL\"" >> $LOCAL_SECURE_CONFIG + + # need a secure way to save password, until then ask later + #echo -n "Enter admin password:" + #read -s answer + #if [[ ! -z $answer ]]; then ADMIN_PASSWD=$answer; fi + #echo "" + + echo -n "Enter fully qualified name for HBase keytab, default is [$HBASE_KEYTAB]:" + read answer + if [[ ! -z $answer ]]; then HBASE_KEYTAB=$answer; fi + sed -i '/HBASE_KEYTAB\=/d' $TRAF_CONFIG + echo "export HBASE_KEYTAB=\"$HBASE_KEYTAB\"" >> $LOCAL_SECURE_CONFIG + + echo -n "Enter fully qualified name for HDFS keytab, default is [$HDFS_KEYTAB]:" + read answer + if [[ ! -z $answer ]]; then HDFS_KEYTAB=$answer; fi + sed -i '/HDFS_KEYTAB\=/d' $TRAF_CONFIG + echo "export HDFS_KEYTAB=\"$HDFS_KEYTAB\"" >> $LOCAL_SECURE_CONFIG + + echo -n "Enter max lifetime for Trafodion principal (valid format required), default is [$MAX_LIFETIME]:" + read answer + if [[ ! -z $answer ]]; then MAX_LIFETIME=$answer; fi + sed -i '/MAX_LIFETIME\=/d' $TRAF_CONFIG + echo "export MAX_LIFETIME=\"$MAX_LIFETIME\"" >> $LOCAL_SECURE_CONFIG + + echo -n "Enter renew lifetime for Trafodion principal (valid format required), default is [$RENEW_LIFETIME]:" + read answer + if [[ ! -z $answer ]]; then RENEW_LIFETIME=$answer; fi + sed -i '/RENEW_LIFETIME\=/d' $TRAF_CONFIG + echo "export RENEW_LIFETIME=\"$RENEW_LIFETIME\"" >> $LOCAL_SECURE_CONFIG + + echo -n "Enter Trafodion keytab name, default is [$TRAF_KEYTAB]:" + read answer + if [[ ! -z $answer ]]; then TRAF_KEYTAB=$answer; fi + sed -i '/TRAF_KEYTAB\=/d' $TRAF_CONFIG + echo "export TRAF_KEYTAB=\"$TRAF_KEYTAB\"" >> $LOCAL_SECURE_CONFIG + + echo -n "Enter keytab location, default is [$TRAF_KEYTAB_DIR]:" + read answer + if [[ ! -d $TRAF_KEYTAB_DIR ]]; then + echo "**Missing keytab directory $TRAF_KEYTAB_DIR, create it (Y/N), default is [Y]:" + if [[ "${answer}" =~ ^[Yy]$ ]]; then + if [[ "$all_node_count" -ne "1" ]]; then + echo "***INFO: creating $TRAF_KEYTAB_DIR" + $TRAF_PDSH $MY_NODES sudo mkdir -p $TRAF_KEYTAB_DIR 2>/dev/null + $TRAF_PDSH $MY_NODES sudo chown $TRAF_USER:$TRAF_GROUP $TRAF_KEYTAB_DIR + $TRAF_PDSH $MY_NODES sudo chmod 700 $TRAF_KEYTAB_DIR + else + echo "***INFO: creating $TRAF_KEYTAB_DIR" + sudo mkdir -p $TRAF_KEYTAB_DIR 2>/dev/null + sudo chown $TRAF_USER:$TRAF_GROUP $TRAF_KEYTAB_DIR + sudo chmod 700 $TRAF_KEYTAB_DIR + fi + else + echo "***ERROR: Please create $TRAF_KEYTAB_DIR on all nodes and rerun" + exit 1 + fi + fi + sed -i '/TRAF_KEYTAB_DIR\=/d' $TRAF_CONFIG + echo "export TRAF_KEYTAB_DIR=\"$TRAF_KEYTAB_DIR\"" >> $LOCAL_SECURE_CONFIG +fi + +#============================================== +# LDAP security + +if [[ "$SECURE_HADOOP" == "Y" ]]; then + LDAP_SECURITY="Y" +else + echo -n "Enable LDAP security (Y/N), default is [$LDAP_SECURITY]: " + read answer + + if [ ! -z $answer ]; then + if [[ "${answer}" =~ ^[Yy]$ ]]; then + LDAP_SECURITY="Y" + else + LDAP_SECURITY="N" + fi + fi +fi +sed -i '/LDAP_SECURITY\=/d' $TRAF_CONFIG +echo "export LDAP_SECURITY=\"$LDAP_SECURITY\"" >> $LOCAL_SECURE_CONFIG + +if [[ "$LDAP_SECURITY" == "N" ]]; then + cat $LOCAL_SECURE_CONFIG >> $TRAF_CONFIG + echo "***INFO: Trafodion security configuration setup complete" + exit 0; +fi + +#Hostnames +echo -n "Enter list of LDAP Hostnames (blank separated), default [$LDAP_HOSTS]: " +read answer +if [[ -z "$answer" ]]; then + if [ -z "$LDAP_HOSTS" ]; then + echo "***ERROR: Must enter list of LDAP Hostnames." + exit -1 + fi +else + LDAP_HOSTS=$answer +fi +sed -i '/LDAP_HOSTS\=/d' $TRAF_CONFIG +echo "export LDAP_HOSTS=\"$LDAP_HOSTS\"" >> $LOCAL_SECURE_CONFIG +cp -rf traf_authentication_conf_default $LOCAL_WORKDIR/$LDAP_AUTH_FILE +sed -i '/LDAP_AUTH_FILE\=/d' $TRAF_CONFIG +echo "export LDAP_AUTH_FILE=\"$LDAP_AUTH_FILE\"" >> $LOCAL_SECURE_CONFIG + +counter=0 +for host in $LDAP_HOSTS +do + counter=$[$counter+1] + if [ $counter -eq "1" ]; then + list=" LdapHostname: $host" + elif [ $counter -eq "$node_count" ]; then + list="LdapHostname: $host\n $list" + else + list=" LdapHostname: $host\n $list" + fi +done +sed -i -e "s/LdapHostname:/$list/g" $LDAP_AUTH_FILE + +#Port numbers +echo -n "Enter LDAP Port number (Example: 389 for no encryption or TLS, 636 for SSL), default [$LDAP_PORT]: " +read answer +if [[ -z "$answer" ]]; then + if [ -z "$LDAP_PORT" ]; then + echo "***ERROR: Must enter LDAP port." + exit -1 + fi +else + LDAP_PORT=$answer +fi + +sed -i '/LDAP_PORT\=/d' $TRAF_CONFIG +echo "export LDAP_PORT=\"$LDAP_PORT\"" >> $LOCAL_SECURE_CONFIG +port="LdapPort: $LDAP_PORT" +sed -i -e "s/LdapPort:389/$port/g" $LDAP_AUTH_FILE + +#Unique IDs +echo -n "Enter all LDAP unique identifiers (blank separated), default [$LDAP_ID]: " +read answer +if [[ -z "$answer" ]]; then + if [ -z "$LDAP_ID" ]; then + echo "***ERROR: Must enter LDAP unique identifiers." + exit -1 + fi +else + LDAP_ID=$answer +fi +sed -i '/LDAP_ID\=/d' $TRAF_CONFIG +echo "export LDAP_ID=\"$LDAP_ID\"" >> $LOCAL_SECURE_CONFIG + +counter=0 +for id in $LDAP_ID +do + counter=$[$counter+1] + if [ $counter -eq "1" ]; then + list=" UniqueIdentifier: $id" + elif [ $counter -eq "$node_count" ]; then + list="UniqueIdentifier: $id\n $list" + else + list=" LdapHostname: $id\n $list" + fi +done + +sed -i -e "s/UniqueIdentifier:/$list/g" $LDAP_AUTH_FILE + +#Encryption level +echo -n "Enter LDAP Encryption Level (0: Encryption not used, 1: SSL, 2: TLS), default [$LDAP_LEVEL]: " +read answer +if [[ -z "$answer" ]]; then + if [ -z "$LDAP_LEVEL" ]; then + echo "***ERROR: Must enter LDAP Encryption level." + exit -1 + fi +else + LDAP_LEVEL=$answer +fi +sed -i '/LDAP_LEVEL\=/d' $TRAF_CONFIG +echo "export LDAP_LEVEL=\"$LDAP_LEVEL\"" >> $LOCAL_SECURE_CONFIG + +level="LDAPSSL: $LDAP_LEVEL" +sed -i -e "s/LDAPSSL:0/$level/g" $LDAP_AUTH_FILE + +if [[ "$LDAP_LEVEL" -eq "1" ]] || [[ "$LDAP_LEVEL" -eq "2" ]]; then + echo -n "Enter full path to TLS certificate, default [$LDAP_CERT]: " + read answer + if [[ -z "$answer" ]]; then + if [ -z "$LDAP_CERT" ]; then + echo "***ERROR: Encryption level 2(TLS) requires a certificate file (*.pem)" + exit -1 + fi + else + LDAP_CERT=$answer + LDAP_CERT_BASE=$(basename $LDAP_CERT) + + if [[ ! -f $LDAP_CERT ]]; then + echo "***ERROR: File does not exist." + echo "***ERROR: Please enter full path or check for errors." + exit -1 + fi + + fi + sed -i '/LDAP_CERT\=/d' $TRAF_CONFIG + echo "export LDAP_CERT=\"$LDAP_CERT\"" >> $LOCAL_SECURE_CONFIG + sed -i '/LDAP_CERT_BASE\=/d' $TRAF_CONFIG + echo "export LDAP_CERT_BASE=\"$LDAP_CERT_BASE\"" >> $LOCAL_SECURE_CONFIG + + list="TLS_CACERTFilename: $HOME_DIR/$TRAF_USER/$LDAP_CERT_BASE" + + sed -i -e "s@TLS\_CACERTFilename:@$list@" $LDAP_AUTH_FILE +fi + +#Search username and password +echo -n "Enter Search user name (if required), default [$LDAP_USER]: " +read answer +if [[ ! -z "$answer" ]]; then + LDAP_USER=$answer + sed -i '/LDAP_USER\=/d' $TRAF_CONFIG + echo "export LDAP_USER=\"$LDAP_USER\"" >> $LOCAL_SECURE_CONFIG + + echo -n "Enter Search password (if required), default [$LDAP_PASSWORD]: " + read answer + if [[ ! -z "$answer" ]]; then + LDAP_PASSWORD=$answer + sed -i '/LDAP_PASSWORD\=/d' $TRAF_CONFIG + echo "export LDAP_PASSWORD=\"$LDAP_PASSWORD\"" >> $LOCAL_SECURE_CONFIG + fi +fi +user="LDAPSearchDN: $LDAP_USER" +sed -i -e "s/LDAPSearchDN:/$user/g" $LDAP_AUTH_FILE +password="LDAPSearchPwd: $LDAP_PASSWORD" +sed -i -e "s/LDAPSearchPwd:/$password/g" $LDAP_AUTH_FILE + + +#LDAP uid/cn assigned to DB__ROOT +echo -n "Enter LDAP name to be assigned DB root privileges (DB__ROOT), default [$DB_ROOT_NAME]: " +read answer +if [[ ! -z "$answer" ]]; then + DB_ROOT_NAME=$answer +fi +sed -i '/DB_ROOT_NAME\=/d' $TRAF_CONFIG +echo "export DB_ROOT_NAME=\"$DB_ROOT_NAME\"" >> $LOCAL_SECURE_CONFIG + +cat $LOCAL_SECURE_CONFIG >> $TRAF_CONFIG +echo "***INFO: Trafodion security configuration setup complete" + http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/9673059c/install/installer/traf_sqgen ---------------------------------------------------------------------- diff --git a/install/installer/traf_sqgen b/install/installer/traf_sqgen index 271e719..fc2e903 100755 --- a/install/installer/traf_sqgen +++ b/install/installer/traf_sqgen @@ -57,40 +57,11 @@ if [ "$all_node_count" -ne "1" ]; then fi #========================================= -#Copying traf_authentication_conf to scripts directory +#Copying certificate to scripts directory if [[ "$LDAP_SECURITY" == "Y" ]]; then - if [ "$all_node_count" -ne "1" ]; then - echo "***INFO: Copying $LDAP_AUTH_FILE to all nodes" | tee -a $INSTALL_LOG - $PDCP $ALL_NODES -r $HOME/$LDAP_AUTH_FILE $SQ_ROOT/sql/scripts/traf_authentication_config - if [ "$?" != "0" ]; then - echo "***ERROR: Unable to copy $LDAP_AUTH_FILE to all machines in this cluster. Check install log files for details." | tee -a $INSTALL_LOG - exit -1; - fi - else - echo "***INFO: Copying $LDAP_AUTH_FILE to scripts directory." | tee -a $INSTALL_LOG - cp -rf $HOME_DIR/$TRAF_USER/$LDAP_AUTH_FILE $SQ_ROOT/sql/scripts/traf_authentication_config - fi - - #Check traf_authentication_config for errors - echo "***INFO: Checking LDAP Configuration file for errors." - $SQ_ROOT/export/bin${SQ_MBTYPE}/ldapconfigcheck -file $SQ_ROOT/sql/scripts/traf_authentication_config - if [ "$?" != "0" ]; then - echo "***ERROR: traf_authentication_config not configured correctly." - echo "***ERROR: Install will continue WITHOUT simple security turned on." - echo "***ERROR: Please review wiki for manual steps to setup simple security." - else - if [[ $LDAP_LEVEL == "1" ]]; then - echo "TLS_CACERT $HOME/$LDAP_CERT_BASE" > $HOME_DIR/$TRAF_USER/.ldaprc - echo "TLS_REQCERT demand" >> $HOME_DIR/$TRAF_USER/.ldaprc - fi - echo "***INFO: Enabling security. Running traf_authentication_setup" - ssh $STARTING_NODE "cd $MY_SQROOT/sql/scripts; traf_authentication_setup --setup --file traf_authentication_config" - - if [[ $? != "0" ]]; then - echo "***WARNING: Error during script traf_authentication_setup" - echo "***WARNING: Install will continue WITHOUT simple security turned on." - echo "***WARNING: Please review wiki for manual steps to setup simple security." - fi + if [[ $LDAP_LEVEL == "1" ]]; then + echo "TLS_CACERT $HOME/$LDAP_CERT_BASE" > $HOME_DIR/$TRAF_USER/.ldaprc + echo "TLS_REQCERT demand" >> $HOME_DIR/$TRAF_USER/.ldaprc fi fi http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/9673059c/install/installer/trafodion_install ---------------------------------------------------------------------- diff --git a/install/installer/trafodion_install b/install/installer/trafodion_install index 3e4eced..1571d34 100755 --- a/install/installer/trafodion_install +++ b/install/installer/trafodion_install @@ -363,6 +363,14 @@ else sudo chmod 777 $TRAF_CONFIG fi +# prompt user for configuration info +$LOCAL_WORKDIR/traf_secure_setup | tee -a $INSTALL_LOG +if [ ${PIPESTATUS[0]} != "0" ]; then + echo "***ERROR: Error while running traf_secure_setup." | tee -a $INSTALL_LOG + echo "***ERROR: No security configuration file created." | tee -a $INSTALL_LOG + exit -1 +fi + source $TRAF_CONFIG if [ $? -ne 0 ]; then echo "***ERROR: unable to source $TRAF_CONFIG" @@ -627,35 +635,6 @@ if [[ "$all_node_count" -ne "1" ]]; then $TRAF_PDSH sudo mkdir -p /$HOME_DIR/$TRAF_USER/installer &> /dev/null fi -#Copy over traf_authentication_config file to all nodes -if [[ "$LDAP_SECURITY" == "Y" ]]; then - echo "***INFO: Copying $LDAP_AUTH_FILE to Trafodion home dir" - - if [[ "$all_node_count" -eq "1" ]]; then - sudo cp -r $LOCAL_WORKDIR/$LDAP_AUTH_FILE $HOME_DIR/$TRAF_USER - sudo chown trafodion.trafodion $HOME_DIR/$TRAF_USER/$LDAP_AUTH_FILE - sudo chmod 750 $HOME_DIR/$TRAF_USER/$LDAP_AUTH_FILE - if [[ $LDAP_LEVEL == "2" ]] || [[ $LDAP_LEVEL == "1" ]]; then - echo "***INFO: Copying $LDAP_CERT to Trafodion home dir" - sudo cp -r $LDAP_CERT $HOME_DIR/$TRAF_USER - sudo chown trafodion.trafodion $HOME_DIR/$TRAF_USER/$LDAP_CERT_BASE - sudo chmod 750 $HOME_DIR/$TRAF_USER/$LDAP_CERT_BASE - fi - else - $TRAF_PDCP $LOCAL_WORKDIR/$LDAP_AUTH_FILE $HOME - $TRAF_PDSH sudo cp -r $HOME/$LDAP_AUTH_FILE $HOME_DIR/$TRAF_USER - $TRAF_PDSH sudo chown trafodion.trafodion $HOME_DIR/$TRAF_USER/$LDAP_AUTH_FILE - $TRAF_PDSH sudo chmod 750 $HOME_DIR/$TRAF_USER/$LDAP_AUTH_FILE - if [[ $LDAP_LEVEL == "2" ]] || [[ $LDAP_LEVEL == "1" ]]; then - echo "***INFO: Copying $LDAP_CERT to Trafodion home dir" - $TRAF_PDCP $LDAP_CERT $HOME - $TRAF_PDSH sudo cp -r $HOME/$LDAP_CERT_BASE $HOME_DIR/$TRAF_USER - $TRAF_PDSH sudo chown trafodion.trafodion $HOME_DIR/$TRAF_USER/$LDAP_CERT_BASE - $TRAF_PDSH sudo chmod 750 $HOME_DIR/$TRAF_USER/$LDAP_CERT_BASE - fi - fi -fi - #============================================= #Run trafodion_mods @@ -704,6 +683,25 @@ fi echo "***INFO: Trafodion Mods ran successfully." +#============================================== +#Secure Hadoop setup for Trafodion +if [[ "$SECURE_HADOOP" == "Y" ]]; then + echo + echo "******************************" + echo " TRAFODION SECURE HADOOP SETUP" + echo "******************************" + echo + echo "***INFO: Running Kerberos installation" + $LOCAL_WORKDIR/traf_add_kerberos | tee -a $INSTALL_LOG + if [ ${PIPESTATUS[0]} != "0" ]; then + echo "***ERROR: Error while running traf_add_kerberos." | tee -a $INSTALL_LOG + echo "***ERROR: Kerberos not enabled" | tee -a $INSTALL_LOG + exit -1 + fi +fi + +echo "***INFO: Secure Hadoop setup for Trafodion ran successfully." + #Get HBaseSite.xml information $LOCAL_WORKDIR/parseHBaseSite.py #============================================== @@ -726,6 +724,16 @@ if [ ${PIPESTATUS[0]} != "0" ]; then exit -1 fi +# setup identity store (LDAP) stuff +if [[ "$LDAP_SECURITY" == "Y" ]]; then + $LOCAL_WORKDIR/traf_add_ldap | tee -a $INSTALL_LOG + if [ ${PIPESTATUS[0]} != "0" ]; then + echo "***ERROR: Error while running traf_add_ldap." | tee -a $INSTALL_LOG + echo "***ERROR: ldap not enabled" | tee -a $INSTALL_LOG + exit -1 + fi +fi + # Install and configure CLI for Cloud environments if [ "$ENABLE_HA" == "true" ] && [[ $CLOUD_CONFIG == "Y" ]] && [[ $all_node_count -gt 1 ]]; then echo "***INFO: Install and configure CLI for Cloud" @@ -741,8 +749,19 @@ if [[ $START_ALL == "Y" ]]; then echo "***ERROR: Setup not complete, review logs." | tee -a $INSTALL_LOG echo "***ERROR: Exiting...." | tee -a $INSTALL_LOG exit -1 - fi + fi + + if [[ "$LDAP_SECURITY" == "Y" || "$SECURE_HADOOP" == "Y" ]]; then + echo "***INFO: Configure authorization" + sudo su $TRAF_USER --login --command "$TRAF_WORKDIR/installer/traf_secure" 2>&1 | tee -a $INSTALL_LOG + + if [ ${PIPESTATUS[0]} != "0" ]; then + echo "***ERROR: Error while running traf_secure." | tee -a $INSTALL_LOG + echo "***ERROR: Security setup not complete, continuing - review logs." | tee -a $INSTALL_LOG + fi + fi fi + #============================================== MODS_COMPLETE="N" sudo chmod 777 $TRAF_CONFIG http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/9673059c/install/installer/trafodion_secure_install ---------------------------------------------------------------------- diff --git a/install/installer/trafodion_secure_install b/install/installer/trafodion_secure_install new file mode 100755 index 0000000..c30c7a4 --- /dev/null +++ b/install/installer/trafodion_secure_install @@ -0,0 +1,129 @@ +#!/bin/bash + +# @@@ START COPYRIGHT @@@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +# @@@ END COPYRIGHT @@@ + +#****************************************************************************** +# Sets up Trafodion environment for security features: +# Kerberos +# LDAP authentication +# Database privileges (authorization) +#****************************************************************************** + +TRAF_CONFIG='/etc/trafodion/trafodion_config' +source $TRAF_CONFIG + +echo +echo "*******************************************" +echo " Enabling security features for Trafodion: " +echo " Kerberos " +echo " Authentication " +echo " Privilege setup " +echo "*******************************************" +echo + +echo "***INFO: Log out of any active sessions for $TRAF_USER user" + +#============================================================================== +# prompt user for security configuration info +# trafodion_install has already prompted for this information +$LOCAL_WORKDIR/traf_secure_setup | tee -a $INSTALL_LOG +if [ ${PIPESTATUS[0]} != "0" ]; then + echo "***ERROR: Error while running traf_secure_setup." | tee -a $INSTALL_LOG + echo "***ERROR: No security configuration file created." | tee -a $INSTALL_LOG + exit -1 +fi +source $LOCAL_WORKDIR/trafodion_secure_config + +#============================================================================== +# set up kerberos stuff +if [[ "$SECURE_HADOOP" == "Y" ]]; then + $LOCAL_WORKDIR/traf_add_kerberos | tee -a $INSTALL_LOG + if [ ${PIPESTATUS[0]} != "0" ]; then + echo "***ERROR: Error while running traf_add_kerberos." | tee -a $INSTALL_LOG + echo "***ERROR: Kerberos not enabled" | tee -a $INSTALL_LOG + exit -1 + fi +fi + +#============================================================================== +# setup identity store (LDAP) stuff +if [[ "$LDAP_SECURITY" == "Y" ]]; then + $LOCAL_WORKDIR/traf_add_ldap | tee -a $INSTALL_LOG + if [ ${PIPESTATUS[0]} != "0" ]; then + echo "***ERROR: Error while running traf_add_ldap." | tee -a $INSTALL_LOG + echo "***ERROR: LDAP not enabled" | tee -a $INSTALL_LOG + exit -1 + fi +fi + +# return if no work is required +if [[ "$SECURE_HADOOP" == "N" && "$LDAP_SECURITY" == "N" ]]; then + exit 0 +fi + +#============================================================================== +# check to see if trafodion is down, must be down to complete +# if running as part of install (byTrafInstall == 1) then no need to check + +# 0 user does not exist +userForTrafodion=`grep "$TRAF_USER:" /etc/passwd | wc -l` +if [[ "$userForTrafodion" == "0" ]]; then + retcode=6 +else + sudo su $TRAF_USER --login --command "sqcheck" > /dev/null 2>&1 + retcode=$? +fi + +if [[ $retcode -eq 255 ]]; then + echo "***INFO: Trafodion is not running, continuing ..." +elif [[ $retcode -gt 2 ]]; then + echo "***INFO: Trafodion has not been completely configured, continuing ..." +else + echo "***ERROR: Trafodion is running or partially running." + echo -n "Stop Trafodion (Y/N), default is N: " + read answer + if [ -z $answer ]; then + echo "***ERROR: Please stop Trafodion then rerun trafodion_secure_install" + exit 1 + else + if [[ "${answer}" =~ ^[Yy]$ ]]; then + echo "***INFO: Stopping Trafodion instance." + sudo su $TRAF_USER --login --command "sqstop" + sudo su $TRAF_USER --login --command "ckillall" + else + echo "***ERROR: Please stop Trafodion then rerun trafodion_secure_install" + echo "***ERROR: Change to trafodion user id then do a 'sqstop'" + exit 1 + fi + fi +fi + +#============================================================================== +# start trafodion and initialize authorization +echo "***INFO: Enabling authorization" +sudo su $TRAF_USER --login --command "$TRAF_WORKDIR/installer/traf_secure" 2>&1 +if [ ${PIPESTATUS[0]} != "0" ]; then + echo "***ERROR: Error while running traf_secure." + echo "***ERROR: Setup not complete, review logs." + echo "***ERROR: Exiting...." + exit -1 +fi http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/9673059c/install/installer/trafodion_uninstaller ---------------------------------------------------------------------- diff --git a/install/installer/trafodion_uninstaller b/install/installer/trafodion_uninstaller index e9e27b2..82d38cb 100755 --- a/install/installer/trafodion_uninstaller +++ b/install/installer/trafodion_uninstaller @@ -93,12 +93,33 @@ fi echo "***INFO: NOTE, rpms that were installed will not be removed." +# remove security stuff +if [[ "$SECURE_HADOOP" == "Y" ]]; then + echo "***INFO: removing $TRAF_USER from cache" + if [ $all_node_count -eq 1 ]; then + $TRAF_PDSH "sudo su $TRAF_USER --login --command \"$SQ_ROOT/sql/scripts/krb5service stop\"" + else + sudo su $TRAF_USER --login --command "$SQ_ROOT/sql/scripts/krb5service stop" + fi +fi + #Handle removing all of Trafodion echo "***INFO: stopping Trafodion instance" sudo su $TRAF_USER --login --command "sqstop" sudo su $TRAF_USER --login --command "ckillall" sudo su $TRAF_USER --login --command "vncserver -kill :1" +# remove security stuff +if [[ "$SECURE_HADOOP" == "Y" ]]; then + echo "***INFO: removing $TRAF_USER from cache" + if [ $all_node_count -eq 1 ]; then + $TRAF_PDSH "sudo su $TRAF_USER --login --command \"kdestroy -q\"" + else + sudo su $TRAF_USER --login --command "kdestroy -q" + fi +fi + + echo "***INFO: restoring linux system files that were changed" echo "***INFO: removing $HBASE_TRX from Hadoop directories" if [ $all_node_count -eq 1 ]; then
