TRAFODION [109] Instrument Trafodion to work with Secure Hadoop (Kerberos) Fixed issue where Jenkins installation was failing. Fixed problem where Kerberos ticket was not being initialized on all nodes without logging on. Fixed an issue with uninstall
Project: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/commit/18e404b3
Tree: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/tree/18e404b3
Diff: http://git-wip-us.apache.org/repos/asf/incubator-trafodion/diff/18e404b3
Branch: refs/heads/master
Commit: 18e404b3ca0936e6267c4006fd5676ee536a6944
Parents: 9673059
Author: Roberta Marton <[email protected]>
Authored: Tue Jun 14 20:21:46 2016 +0000
Committer: Roberta Marton <[email protected]>
Committed: Tue Jun 14 20:21:46 2016 +0000
----------------------------------------------------------------------
install/installer/traf_add_kerberos | 6 ++-
install/installer/traf_config_check | 2 +-
install/installer/traf_secure | 3 --
install/installer/traf_secure_setup | 1 -
install/installer/trafodion_config_default | 38 +++++++++++++++--
install/installer/trafodion_install | 54 ++++++++++++-------------
install/installer/trafodion_uninstaller | 23 +++++------
7 files changed, 78 insertions(+), 49 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/18e404b3/install/installer/traf_add_kerberos
----------------------------------------------------------------------
diff --git a/install/installer/traf_add_kerberos b/install/installer/traf_add_kerberos
index aab5252..e055dd4 100755
--- a/install/installer/traf_add_kerberos
+++ b/install/installer/traf_add_kerberos
@@ -71,7 +71,7 @@ mkdir -p $LOCAL_WORKDIR/keytabs 2>/dev/null
 echo "***INFO: Create principals and keytabs for $TRAF_USER"
 for ITEM in $HADOOP_NODES; do
- NODE=`ssh -q -n robertablue sudo hostname -f`
+ NODE=`ssh -q -n $ITEM sudo hostname -f`
 PRINCIPAL_EXISTS=$( $KADMIN_CMD "listprincs" | grep "$TRAF_USER/$NODE@$REALM" | wc -l )
 if [[ $PRINCIPAL_EXISTS -eq 1 ]]; then
 echo "***INFO: Principal $TRAF_USER/$NODE@$REALM exists, continuing"
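Review bot: The new `NODE=\`ssh -q -n $ITEM sudo hostname -f\`` is never checked, so when ssh to a node fails NODE is empty and the loop goes on to look up and then create the malformed principal `$TRAF_USER/@$REALM` instead of stopping. Capture the status and reject an empty result, e.g. `NODE=$(ssh -q -n "$ITEM" sudo hostname -f) || { echo "***ERROR: cannot get hostname from $ITEM"; exit 1; }`. The existence test on the following line, `grep "$TRAF_USER/$NODE@$REALM" | wc -l`, is unanchored and treats the dots of the host name as regex wildcards; `grep -cFx -- "$TRAF_USER/$NODE@$REALM"` matches the principal exactly and counts it in one step. The `for ITEM in $HADOOP_NODES` loop continues past the end of this hunk.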
@@ -128,9 +128,11 @@ for ITEM in $HADOOP_NODES; do
 pdcp -R ssh -w $NODE $LOCAL_WORKDIR/keytabs/$TRAF_KEYTAB $HOME
 ssh -q -n $NODE sudo mv $HOME/$TRAF_KEYTAB $TRAF_KEYTAB_DIR/$TRAF_KEYTAB
 ssh -q -n $NODE sudo chown $TRAF_USER:hadoop $TRAF_KEYTAB_DIR/$TRAF_KEYTAB
+ ssh -q -n $NODE sudo -u $TRAF_USER kinit -kt $TRAF_KEYTAB_DIR/$TRAF_KEYTAB $TRAF_USER/$NODE@$REALM
 else
- sudo cp $LOCAL_WORKDIR/keytabs/$TRAF_KEYTAB $TRAF_KEYTAB_DIR
+ sudo cp $LOCAL_WORKDIR/keytabs/$TRAF_KEYTAB $TRAF_KEYTAB_DIR/$TRAF_KEYTAB
 sudo chown $TRAF_USER:hadoop $TRAF_KEYTAB_DIR/$TRAF_KEYTAB
+ sudo -u $TRAF_USER kinit -kt $TRAF_KEYTAB_DIR/$TRAF_KEYTAB $TRAF_USER/$NODE@$REALM
 fi
 echo "***INFO: Copied keytab file to $NODE"
 done
http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/18e404b3/install/installer/traf_config_check
----------------------------------------------------------------------
diff --git a/install/installer/traf_config_check b/install/installer/traf_config_check
index 14d5511..a8d8e49 100755
--- a/install/installer/traf_config_check
+++ b/install/installer/traf_config_check
@@ -944,7 +944,7 @@ if [[ ! -z $install_features_path ]]; then
 fi
 fi
 source $install_features_path
- cat $install_features_path
+ #cat $install_features_path
 sudo chmod 777 $TRAF_CONFIG
 echo "export CDH_5_3_HDP_2_2_SUPPORT=\"$CDH_5_3_HDP_2_2_SUPPORT\"" >> $TRAF_CONFIG
http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/18e404b3/install/installer/traf_secure
----------------------------------------------------------------------
diff --git a/install/installer/traf_secure b/install/installer/traf_secure
index 80309b4..fa64163 100755
--- a/install/installer/traf_secure
+++ b/install/installer/traf_secure
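Review bot: Neither of the two added `kinit -kt` calls is checked, so a wrong keytab, an unreachable KDC or a principal/host mismatch is silently followed by `***INFO: Copied keytab file to $NODE` and the install carries on without a ticket on that node; test the status and stop, e.g. `ssh -q -n $NODE sudo -u $TRAF_USER kinit -kt $TRAF_KEYTAB_DIR/$TRAF_KEYTAB $TRAF_USER/$NODE@$REALM || { echo "***ERROR: kinit failed on $NODE"; exit 1; }` on the remote branch and the same pattern on the local one. Separately, the keytab is staged in `$HOME` on the remote node, then moved and chowned, but nothing in this hunk restricts its mode; unless that happens elsewhere in the loop, add `sudo chmod 400 $TRAF_KEYTAB_DIR/$TRAF_KEYTAB` after each `chown` so the service credential is readable only by `$TRAF_USER`. The `if` whose `else` branch is shown here begins before the hunk.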
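Review bot: `sudo chmod 777 $TRAF_CONFIG` leaves the configuration file world-writable, and that file is later read with `source $TRAF_CONFIG` by an installer that runs its steps through sudo, so any local user can place shell code in it before the install proceeds; the world-write bit only exists so the unprivileged `echo ... >> $TRAF_CONFIG` on the next line can append. Give the file to the installing user instead, e.g. `sudo chown "$(id -un)" $TRAF_CONFIG` followed by `sudo chmod 644 $TRAF_CONFIG`. Commenting out `cat $install_features_path` rather than deleting it leaves dead code; drop the line. The enclosing `if [[ ! -z $install_features_path ]]` block begins before this hunk.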
@@ -54,9 +54,6 @@ if [ "$foundError" -ge "1" ];then
 echo "***ERROR: Security installation failed, continuing. Check files $SQ_ROOT/logs/securityErrors.txt for details." | tee -a $SQ_ROOT/logs/securityErrors.txt
 fi
-# if this script is run multiple times, then the mapping may already be completed,
-# if the mapping has already been completed, then an error is returned.
-# for now, continue with the installation
 echo "***INFO: Please check the install log $SQ_ROOT/logs/securityErrors.txt for any issues" | tee -a $SQ_ROOT/logs/securityErrors.txt
 #==========================================
http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/18e404b3/install/installer/traf_secure_setup
----------------------------------------------------------------------
diff --git a/install/installer/traf_secure_setup b/install/installer/traf_secure_setup
index 307f73f..cb155a1 100755
--- a/install/installer/traf_secure_setup
+++ b/install/installer/traf_secure_setup
@@ -30,7 +30,6 @@ LDAP_AUTH_FILE="traf_authentication_config_${HOSTNAME}"
 HOST_NAME=`hostname -f`
-echo "hadoop_type: $HADOOP_TYPE"
 # These differ depending on the distribution
 if [[ $HADOOP_TYPE == "cloudera" ]]; then
 TRAF_KEYTAB_DIR='/etc/trafodion'
http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/18e404b3/install/installer/trafodion_config_default
----------------------------------------------------------------------
diff --git a/install/installer/trafodion_config_default b/install/installer/trafodion_config_default
index 34b1b62..8f77e14 100755
--- a/install/installer/trafodion_config_default
+++ b/install/installer/trafodion_config_default
@@ -132,11 +132,43 @@ export SQCONFIG=""
 export CONFIG_COMPLETE="true"
-#Turn on simple security. MUST have existing LDAP configured.
-export LDAP_SECURITY="N"
+#----------------- security configuration information -----------------
+#Enter in Kerberos details if Kerberos is enabled on your cluster
+
+#Indicate Kerberos is enabled
+export SECURE_HADOOP="N"
+
+#Location of Kerberos server for admin access
+export KDC_SERVER=""
+
+#Kerberos Admin principal used to create Trafodion principals and keytabs
+#Please include realm, for example: trafadmin/[email protected]
+export ADMIN_PRINCIPAL=""
+
+#Keytab for HBase admin user, used to grant Trafodion user CRWE privilege
+export HBASE_KEYTAB=""
+
+#Keytab for HDFS admin user, used to create data directories for Trafodion
+export HDFS_KEYTAB=""
+
+#Kerberos ticket defaults for the Trafodion user
+export MAX_LIFETIME="24hours"
+export RENEW_LIFETIME="7days"
+
+#Trafodion keytab information
+export TRAF_KEYTAB="trafodion.service.keytab"
+export TRAF_KEYTAB_DIR="/etc/security/keytabs"
+
+#Enter in LDAP configuration information
+#Turn on authentication - MUST have existing LDAP configured.
+export LDAP_SECURITY="Y"
 #Name of LDAP Config file
-export LDAP_AUTH_FILE="traf_authentication_config_${HOSTNAME}"
+export LDAP_AUTH_FILE="traf_authentication_config_`hostname -s`"
+
+#LDAP name to map to database user DB__ROOT
+DB_ROOT_NAME="trafodion"
+#----------------- end security configuration -----------------
 #HA configuraton enabled, if want to enable set to true and add valid floating IP address.
 export ENABLE_HA="false"
http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/18e404b3/install/installer/trafodion_install
----------------------------------------------------------------------
diff --git a/install/installer/trafodion_install b/install/installer/trafodion_install
index 1571d34..b64389f 100755
--- a/install/installer/trafodion_install
+++ b/install/installer/trafodion_install
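Review bot: `DB_ROOT_NAME="trafodion"` is the only setting in the new block that is not `export`ed, so after this file is sourced it is visible to the sourcing shell but not to any helper script the installer runs as a separate process; make it `export DB_ROOT_NAME="trafodion"` for consistency with the surrounding entries. The default for `LDAP_SECURITY` is also flipped from `"N"` to `"Y"` while the comment above it still says an existing LDAP MUST be configured, so a default install on a cluster without LDAP now takes the LDAP path; that change should be called out in the commit message or the default left at `"N"`. `LDAP_AUTH_FILE` now derives from `hostname -s` while traf_secure_setup still computes `LDAP_AUTH_FILE="traf_authentication_config_${HOSTNAME}"` (visible in that file's hunk header), so the two disagree on hosts where HOSTNAME is fully qualified.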
@@ -353,6 +353,14 @@ if [ -z "$USER_CONFIG" ]; then
 echo "***ERROR: No configuration file created." | tee -a $INSTALL_LOG
 exit -1
 fi
+
+ # prompt user for security configuration info
+ $LOCAL_WORKDIR/traf_secure_setup | tee -a $INSTALL_LOG
+ if [ ${PIPESTATUS[0]} != "0" ]; then
+ echo "***ERROR: Error while running traf_secure_setup." | tee -a $INSTALL_LOG
+ echo "***ERROR: No security configuration file created." | tee -a $INSTALL_LOG
+ exit -1
+ fi
 else
 # copy the user's config file to the default location
 sudo cp $USER_CONFIG $TRAF_CONFIG
@@ -363,14 +371,6 @@ else
 sudo chmod 777 $TRAF_CONFIG
 fi
-# prompt user for configuration info
-$LOCAL_WORKDIR/traf_secure_setup | tee -a $INSTALL_LOG
-if [ ${PIPESTATUS[0]} != "0" ]; then
- echo "***ERROR: Error while running traf_secure_setup." | tee -a $INSTALL_LOG
- echo "***ERROR: No security configuration file created." | tee -a $INSTALL_LOG
- exit -1
-fi
-
 source $TRAF_CONFIG
 if [ $? -ne 0 ]; then
 echo "***ERROR: unable to source $TRAF_CONFIG"
@@ -683,25 +683,6 @@ fi
 echo "***INFO: Trafodion Mods ran successfully."
-#==============================================
-#Secure Hadoop setup for Trafodion
-if [[ "$SECURE_HADOOP" == "Y" ]]; then
- echo
- echo "******************************"
- echo " TRAFODION SECURE HADOOP SETUP"
- echo "******************************"
- echo
- echo "***INFO: Running Kerberos installation"
- $LOCAL_WORKDIR/traf_add_kerberos | tee -a $INSTALL_LOG
- if [ ${PIPESTATUS[0]} != "0" ]; then
- echo "***ERROR: Error while running traf_add_kerberos." | tee -a $INSTALL_LOG
- echo "***ERROR: Kerberos not enabled" | tee -a $INSTALL_LOG
- exit -1
- fi
-fi
-
-echo "***INFO: Secure Hadoop setup for Trafodion ran successfully."
-
 #Get HBaseSite.xml information
 $LOCAL_WORKDIR/parseHBaseSite.py
 #==============================================
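Review bot: With the traf_secure_setup call moved inside the `if [ -z "$USER_CONFIG" ]` branch it no longer runs when the user supplies a configuration file, so the security prompts and whatever traf_secure_setup writes are skipped in that case; if that is intended, say so at the `else` branch with `# a user-supplied config must already carry the SECURE_HADOOP and LDAP settings`, otherwise the `else` branch needs the same call and status check. `exit -1` relies on bash wrapping the value to 255; `exit 1` states the intent and is what the shell actually reports. The hunks at `@@ -363` and `@@ -683` are the matching deletions of the moved blocks and carry no new code.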
@@ -724,6 +705,25 @@ if [ ${PIPESTATUS[0]} != "0" ]; then
 exit -1
 fi
+#==============================================
+#Secure Hadoop setup for Trafodion
+if [[ "$SECURE_HADOOP" == "Y" ]]; then
+ echo
+ echo "******************************"
+ echo " TRAFODION SECURE HADOOP SETUP"
+ echo "******************************"
+ echo
+ echo "***INFO: Running Kerberos installation"
+ $LOCAL_WORKDIR/traf_add_kerberos | tee -a $INSTALL_LOG
+ if [ ${PIPESTATUS[0]} != "0" ]; then
+ echo "***ERROR: Error while running traf_add_kerberos." | tee -a $INSTALL_LOG
+ echo "***ERROR: Kerberos not enabled" | tee -a $INSTALL_LOG
+ exit -1
+ fi
+fi
+
+echo "***INFO: Secure Hadoop setup for Trafodion ran successfully."
+
 # setup identity store (LDAP) stuff
 if [[ "$LDAP_SECURITY" == "Y" ]]; then
 $LOCAL_WORKDIR/traf_add_ldap | tee -a $INSTALL_LOG
http://git-wip-us.apache.org/repos/asf/incubator-trafodion/blob/18e404b3/install/installer/trafodion_uninstaller
----------------------------------------------------------------------
diff --git a/install/installer/trafodion_uninstaller b/install/installer/trafodion_uninstaller
index 82d38cb..b0ec497 100755
--- a/install/installer/trafodion_uninstaller
+++ b/install/installer/trafodion_uninstaller
@@ -93,16 +93,6 @@ fi
 echo "***INFO: NOTE, rpms that were installed will not be removed."
-# remove security stuff
-if [[ "$SECURE_HADOOP" == "Y" ]]; then
- echo "***INFO: removing $TRAF_USER from cache"
- if [ $all_node_count -eq 1 ]; then
- $TRAF_PDSH "sudo su $TRAF_USER --login --command \"$SQ_ROOT/sql/scripts/krb5service stop\""
- else
- sudo su $TRAF_USER --login --command "$SQ_ROOT/sql/scripts/krb5service stop"
- fi
-fi
-
 #Handle removing all of Trafodion
 echo "***INFO: stopping Trafodion instance"
 sudo su $TRAF_USER --login --command "sqstop"
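Review bot: `echo "***INFO: Secure Hadoop setup for Trafodion ran successfully."` sits after the closing `fi`, so the install log reports a successful Kerberos setup even when `SECURE_HADOOP` is not `"Y"` and nothing ran; move that line inside the `if` block, just before its `fi`. The relocated block is otherwise identical to the one removed at `@@ -683`, and the only visible difference is that it now runs after `parseHBaseSite.py`; a one-line comment on why it must follow that step (presumably traf_add_kerberos needs values that script produces — worth confirming) would explain the move to the next reader. The `if [ ${PIPESTATUS[0]} != "0" ]` block whose tail opens this hunk begins before it.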
@@ -111,14 +101,23 @@ sudo su $TRAF_USER --login --command "vncserver -kill :1"
 # remove security stuff
 if [[ "$SECURE_HADOOP" == "Y" ]]; then
- echo "***INFO: removing $TRAF_USER from cache"
+ echo "***INFO: Removing $TRAF_USER ID from Kerberos cache"
 if [ $all_node_count -eq 1 ]; then
+ sudo su $TRAF_USER --login --command "kdestroy -q"
+ else
 $TRAF_PDSH "sudo su $TRAF_USER --login --command \"kdestroy -q\""
+ fi
+
+ echo "***INFO: Stopping Kerberos ticket monitoring process"
+ if [ $all_node_count -eq 1 ]; then
+ sudo su $TRAF_USER --login --command "$SQ_ROOT/sql/scripts/krb5service stop"
 else
- sudo su $TRAF_USER --login --command "kdestroy -q"
+ $TRAF_PDSH "sudo su $TRAF_USER --login --command \"$SQ_ROOT/sql/scripts/krb5service stop\""
 fi
 fi
+# Please don't start up another shell $TRAF_USER process after this point,
+# the login process will create a new TGT in cache and start the ticket monitor
 echo "***INFO: restoring linux system files that were changed"
 echo "***INFO: removing $HBASE_TRX from Hadoop directories"
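Review bot: The new order destroys the ticket cache first and stops the ticket monitor second, each through its own `sudo su $TRAF_USER --login`; the comment added at the end of the hunk says a login shell creates a new TGT and starts the monitor, so the second login presumably re-creates the ticket that `kdestroy -q` has just removed, leaving a live credential behind after uninstall. Run `krb5service stop` before `kdestroy -q`, or do both in a single login session, e.g. `sudo su $TRAF_USER --login --command "$SQ_ROOT/sql/scripts/krb5service stop; kdestroy -q"` and the matching `$TRAF_PDSH` form for the multi-node branch. The two identical `if [ $all_node_count -eq 1 ]` selections would then collapse into one, which also removes the chance of the branches drifting apart again as they did before this fix.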
