Updated Branches:
  refs/heads/branch-0.8 af80ddcfa -> b80f01cab

WHIRR-671. Create Kerberos Service. Contributed by Graham Gear.


Project: http://git-wip-us.apache.org/repos/asf/whirr/repo
Commit: http://git-wip-us.apache.org/repos/asf/whirr/commit/b80f01ca
Tree: http://git-wip-us.apache.org/repos/asf/whirr/tree/b80f01ca
Diff: http://git-wip-us.apache.org/repos/asf/whirr/diff/b80f01ca

Branch: refs/heads/branch-0.8
Commit: b80f01cab7704a33160913ec04e939eb83681040
Parents: af80ddc
Author: Tom White <tomwh...@apache.org>
Authored: Thu Nov 1 21:43:21 2012 -0700
Committer: Tom White <tomwh...@apache.org>
Committed: Thu Nov 1 21:43:46 2012 -0700

----------------------------------------------------------------------
 CHANGES.txt                                        |    6 +-
 cli/pom.xml                                        |    5 +
 .../main/java/org/apache/whirr/ClusterSpec.java    |   21 +++-
 .../apache/whirr/compute/BootstrapTemplate.java    |    2 +-
 .../whirr/service/jclouds/VariablesToExport.java   |    4 +
 .../java/org/apache/whirr/ClusterSpecTest.java     |   13 ++
 pom.xml                                            |    1 +
 services/kerberos/pom.xml                          |   91 +++++++++++++++
 .../service/kerberos/KerberosBaseHandler.java      |   60 ++++++++++
 .../service/kerberos/KerberosClientHandler.java    |   29 +++++
 .../service/kerberos/KerberosServerHandler.java    |   56 +++++++++
 .../whirr/service/kerberos/osgi/Activator.java     |   66 +++++++++++
 .../org.apache.whirr.service.ClusterActionHandler  |   19 +++
 .../functions/configure_kerberos_client.sh         |   35 ++++++
 .../functions/configure_kerberos_server.sh         |   59 ++++++++++
 .../resources/functions/install_kerberos_client.sh |   36 ++++++
 .../resources/functions/install_kerberos_server.sh |   26 ++++
 .../resources/whirr-kerberos-default.properties    |   18 +++
 .../service/kerberos/KerberosClientDryRunTest.java |   59 ++++++++++
 .../service/kerberos/KerberosServerDryRunTest.java |   60 ++++++++++
 20 files changed, 662 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/whirr/blob/b80f01ca/CHANGES.txt
----------------------------------------------------------------------
diff --git a/CHANGES.txt b/CHANGES.txt
index d628e24..0abe5b0 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -4,12 +4,14 @@ Release 0.8.2 (unreleased changes)
 
   IMPROVEMENTS
 
-    WHIRR-672 - Allow eager caching of instance hostname based on pre-provision
+    WHIRR-672. Allow eager caching of instance hostname based on pre-provision
     instance metadata. (Graham Gear via tomwhite)
 
-    WHIRR-675 - Convert all whirr.env.* environment variable labels to upper
+    WHIRR-675. Convert all whirr.env.* environment variable labels to upper
     case. (Graham Gear via tomwhite)
 
+    WHIRR-671. Create Kerberos Service. (Graham Gear via tomwhite)
+
 Release 0.8.1 - 2012-10-19
 
   NEW FEATURES

http://git-wip-us.apache.org/repos/asf/whirr/blob/b80f01ca/cli/pom.xml
----------------------------------------------------------------------
diff --git a/cli/pom.xml b/cli/pom.xml
index 062d61a..5a2c3c9 100644
--- a/cli/pom.xml
+++ b/cli/pom.xml
@@ -116,6 +116,11 @@
       <version>${project.version}</version>
     </dependency>
     <dependency>
+      <groupId>${project.groupId}</groupId>
+      <artifactId>whirr-kerberos</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+    <dependency>
       <groupId>junit</groupId>
       <artifactId>junit</artifactId>
     </dependency>

http://git-wip-us.apache.org/repos/asf/whirr/blob/b80f01ca/core/src/main/java/org/apache/whirr/ClusterSpec.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/whirr/ClusterSpec.java 
b/core/src/main/java/org/apache/whirr/ClusterSpec.java
index 9aabad5..fdddf14 100644
--- a/core/src/main/java/org/apache/whirr/ClusterSpec.java
+++ b/core/src/main/java/org/apache/whirr/ClusterSpec.java
@@ -184,6 +184,8 @@ public class ClusterSpec {
                              "the hostname for the instances."),
 
     JDK_INSTALL_URL(String.class, false, "JDK install URL"),
+    
+    KERBEROS_REALM(String.class, false, "Kerberos realm to use in security 
configuration"),
                              
     AWS_EC2_PLACEMENT_GROUP(String.class, false, "If given, use this existing 
EC2 placement group. (aws-ec2 specific option)");
     
@@ -309,6 +311,8 @@ public class ClusterSpec {
   
   private String jdkInstallUrl;
   
+  private String kerberosRealm;
+  
   private Configuration config;
   
   public ClusterSpec() throws ConfigurationException {
@@ -344,6 +348,8 @@ public class ClusterSpec {
 
     setJdkInstallUrl(getString(Property.JDK_INSTALL_URL));
     
+    setKerberosRealm(getString(Property.KERBEROS_REALM));
+    
     setProvider(getString(Property.PROVIDER));
     setEndpoint(getString(Property.ENDPOINT));
     setIdentity(getString(Property.IDENTITY));
@@ -440,6 +446,8 @@ public class ClusterSpec {
 
     r.setJdkInstallUrl(getJdkInstallUrl());
     
+    r.setKerberosRealm(getKerberosRealm());
+    
     return r;
   }
 
@@ -824,6 +832,14 @@ public class ClusterSpec {
     this.jdkInstallUrl = jdkInstallUrl;
   }
 
+  public String getKerberosRealm() {
+    return kerberosRealm;
+  }
+
+  public void setKerberosRealm(String kerberosRealm) {
+    this.kerberosRealm = kerberosRealm;
+  }
+
 /**
    * The rsa public key which is authorized to login to your on the cloud 
nodes.
    * 
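Review bot: `setKerberosRealm` stores whatever string the configuration supplies, but this commit also exports that value as `KERBEROS_REALM`, and the new shell functions expand it unquoted (`echo $KERBEROS_REALM | sed ...`) and splice it into sed replacement text. A realm containing whitespace, `/`, `&` or shell metacharacters would therefore corrupt the generated krb5.conf/kdc.conf or alter the provisioning commands on the node. Rejecting such values at the setter keeps the problem out of every consumer: `if (kerberosRealm != null && !kerberosRealm.matches("[A-Za-z0-9.-]+")) throw new IllegalArgumentException("Invalid Kerberos realm: " + kerberosRealm);`. Both new accessors also lack the Javadoc that the neighbouring accessor below them carries; a one-line `/** Kerberos realm exported to nodes as KERBEROS_REALM; null when whirr.kerberos-realm is unset. */` would do.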
@@ -977,6 +993,7 @@ public class ClusterSpec {
         && Objects.equal(getAutoHostnamePrefix(), that.getAutoHostnamePrefix())
         && Objects.equal(getAutoHostnameSuffix(), that.getAutoHostnameSuffix())
         && Objects.equal(getJdkInstallUrl(), that.getJdkInstallUrl())
+        && Objects.equal(getKerberosRealm(), that.getKerberosRealm())
         ;
     }
     return false;
@@ -1012,7 +1029,8 @@ public class ClusterSpec {
         getAwsEc2PlacementGroup(),
         getAutoHostnamePrefix(),
         getAutoHostnameSuffix(),
-        getJdkInstallUrl()
+        getJdkInstallUrl(),
+        getKerberosRealm()
     );
   }
   
@@ -1048,6 +1066,7 @@ public class ClusterSpec {
       .add("autoHostnamePrefix",getAutoHostnamePrefix())
       .add("autoHostnameSuffix",getAutoHostnameSuffix())
       .add("jdkInstallUrl", getJdkInstallUrl())
+      .add("kerberosRealm", getKerberosRealm())
       .toString();
   }
 }

http://git-wip-us.apache.org/repos/asf/whirr/blob/b80f01ca/core/src/main/java/org/apache/whirr/compute/BootstrapTemplate.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/whirr/compute/BootstrapTemplate.java 
b/core/src/main/java/org/apache/whirr/compute/BootstrapTemplate.java
index 5589314..7c818b1 100644
--- a/core/src/main/java/org/apache/whirr/compute/BootstrapTemplate.java
+++ b/core/src/main/java/org/apache/whirr/compute/BootstrapTemplate.java
@@ -146,7 +146,7 @@ public class BootstrapTemplate {
       interpret(
         "USER_HOME=$DEFAULT_HOME/$NEW_USER",
         "mkdir -p $USER_HOME/.ssh",
-        "useradd --shell /bin/bash -d $USER_HOME $NEW_USER",
+        "useradd -u 2000 --shell /bin/bash -d $USER_HOME $NEW_USER",
         "[ $? -ne 0 ] && USER_HOME=$(grep $NEW_USER /etc/passwd | cut -d \":\" 
-f6)\n"),
       appendFile(
         "$USER_HOME/.ssh/authorized_keys",
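Review bot: Pinning `-u 2000` adds a new way for `useradd` to fail: the UID may already belong to a different account on the image. The fallback on the next line assumes failure means "`$NEW_USER` already exists", so in that case the `grep` finds nothing and `USER_HOME` becomes empty. The `appendFile` that follows would then target `/.ssh/authorized_keys` rather than the user's home. The reason for a fixed UID (presumably identical UIDs across nodes) is not stated, so a comment such as `// fixed UID so the cluster user maps to the same uid on every node` would help. A guard after the fallback, such as `[ -n "$USER_HOME" ] || exit 1`, would stop the key being written to the wrong place. The enclosing statement list continues outside the hunk.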

http://git-wip-us.apache.org/repos/asf/whirr/blob/b80f01ca/core/src/main/java/org/apache/whirr/service/jclouds/VariablesToExport.java
----------------------------------------------------------------------
diff --git 
a/core/src/main/java/org/apache/whirr/service/jclouds/VariablesToExport.java 
b/core/src/main/java/org/apache/whirr/service/jclouds/VariablesToExport.java
index 7cd9a95..6a8ed5f 100644
--- a/core/src/main/java/org/apache/whirr/service/jclouds/VariablesToExport.java
+++ b/core/src/main/java/org/apache/whirr/service/jclouds/VariablesToExport.java
@@ -72,6 +72,8 @@ class VariablesToExport implements Supplier<Map<String, 
String>> {
   private void addDefaultEnvironmentVariablesForInstance(Map<String, String> 
metadataMap, Instance instance) {
     if (clusterSpec.getClusterName() != null)
       metadataMap.put("CLUSTER_NAME", clusterSpec.getClusterName());
+    if (clusterSpec.getClusterUser() != null)
+      metadataMap.put("CLUSTER_USER", clusterSpec.getClusterUser());
     if (clusterSpec.getProvider() != null)
       metadataMap.put("CLOUD_PROVIDER", clusterSpec.getProvider());
     if (clusterSpec.getAutoHostnameSuffix() != null
@@ -85,6 +87,8 @@ class VariablesToExport implements Supplier<Map<String, 
String>> {
     if(clusterSpec.getJdkInstallUrl() != null) {
       metadataMap.put("JDK_INSTALL_URL", clusterSpec.getJdkInstallUrl());
     }
+    metadataMap.put("KERBEROS_REALM",
+      clusterSpec.getKerberosRealm() == null ? "HADOOPCLUSTER.COM" : 
clusterSpec.getKerberosRealm());
     if (instance != null) {
       metadataMap.put("ROLES", Joiner.on(",").join(instance.getRoles()));
       if (instance.getPublicIp() != null)
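Review bot: `KERBEROS_REALM` is exported unconditionally with the inline literal `"HADOOPCLUSTER.COM"` as fallback, whereas every neighbouring variable in this method is exported only when it is configured. As a result `ClusterSpec.getKerberosRealm()` still returns null (the new test asserts this) while the nodes see a realm, and clusters with no Kerberos role receive the variable as well. The default would be easier to find and change as a named constant, or in the `whirr-kerberos-default.properties` file this commit adds, with a comment like `// realm used when whirr.kerberos-realm is unset`. `addDefaultEnvironmentVariablesForInstance` starts and ends outside the hunk.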

http://git-wip-us.apache.org/repos/asf/whirr/blob/b80f01ca/core/src/test/java/org/apache/whirr/ClusterSpecTest.java
----------------------------------------------------------------------
diff --git a/core/src/test/java/org/apache/whirr/ClusterSpecTest.java 
b/core/src/test/java/org/apache/whirr/ClusterSpecTest.java
index 302fe05..f139e25 100644
--- a/core/src/test/java/org/apache/whirr/ClusterSpecTest.java
+++ b/core/src/test/java/org/apache/whirr/ClusterSpecTest.java
@@ -375,7 +375,20 @@ public class ClusterSpecTest {
       
assertEquals("http://whirr-third-party.s3.amazonaws.com/jdk-6u21-linux-i586-rpm.bin";,
 cloudServersSpec.getJdkInstallUrl());
   }  
   
+  @Test
+  public void testKerberosRealm() throws Exception {
+      Configuration cloudServersConfig = new PropertiesConfiguration();
 
+      ClusterSpec cloudServersSpec = 
ClusterSpec.withTemporaryKeys(cloudServersConfig);
+      assertEquals(null, cloudServersSpec.getKerberosRealm());
+
+      cloudServersConfig = new PropertiesConfiguration();
+      cloudServersConfig.addProperty("whirr.kerberos-realm", "CDHCLUSTER.COM");
+
+      cloudServersSpec = ClusterSpec.withTemporaryKeys(cloudServersConfig);
+      assertEquals("CDHCLUSTER.COM", cloudServersSpec.getKerberosRealm());
+  }
+  
   @Test
   public void testApplySubroleAliases() throws ConfigurationException {
     CompositeConfiguration c = new CompositeConfiguration();

http://git-wip-us.apache.org/repos/asf/whirr/blob/b80f01ca/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 1915a05..b05dcba 100644
--- a/pom.xml
+++ b/pom.xml
@@ -56,6 +56,7 @@
     <module>services/mahout</module>
     <module>services/pig</module>
     <module>services/solr</module>
+    <module>services/kerberos</module>
   </modules>
 
   <properties>

http://git-wip-us.apache.org/repos/asf/whirr/blob/b80f01ca/services/kerberos/pom.xml
----------------------------------------------------------------------
diff --git a/services/kerberos/pom.xml b/services/kerberos/pom.xml
new file mode 100644
index 0000000..901ee50
--- /dev/null
+++ b/services/kerberos/pom.xml
@@ -0,0 +1,91 @@
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 
http://maven.apache.org/maven-v4_0_0.xsd";>
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>org.apache.whirr</groupId>
+    <artifactId>whirr</artifactId>
+    <version>0.9.0-SNAPSHOT</version>
+    <relativePath>../../pom.xml</relativePath>
+  </parent>
+  <artifactId>whirr-kerberos</artifactId>
+  <packaging>bundle</packaging>
+  <name>Apache Whirr Kerberos</name>
+  <properties>
+    <osgi.import>
+      !org.apache.whirr.service.kerberos*,
+      org.apache.commons.configuration*;version="[1.6,2)",
+      *
+    </osgi.import>
+    <osgi.export>
+      org.apache.whirr.service.kerberos*;version="${project.version}"
+    </osgi.export>
+    
<osgi.bundle.activator>org.apache.whirr.service.kerberos.osgi.Activator</osgi.bundle.activator>
+  </properties>
+  <dependencies>
+    <dependency>
+      <groupId>${project.groupId}</groupId>
+      <artifactId>whirr-core</artifactId>
+      <version>${project.version}</version>
+      <scope>provided</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.osgi</groupId>
+      <artifactId>org.osgi.core</artifactId>
+      <scope>provided</scope>
+    </dependency>
+    <dependency>
+      <groupId>${project.groupId}</groupId>
+      <artifactId>whirr-core</artifactId>
+      <version>${project.version}</version>
+      <type>test-jar</type>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>log4j</groupId>
+      <artifactId>log4j</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-api</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-log4j12</artifactId>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-site-plugin</artifactId>
+        <configuration>
+          <skip>true</skip>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+</project>
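Review bot: The `<parent>` block pins `<version>0.9.0-SNAPSHOT</version>`, but this commit lands on `refs/heads/branch-0.8` and CHANGES.txt files it under "Release 0.8.2 (unreleased changes)". The root pom's version is not visible here, but if branch-0.8 is still on a 0.8.x snapshot the reactor cannot resolve this module's parent, and `${project.version}` in cli/pom.xml will ask for a `whirr-kerberos` version that is never built. Confirm the parent version matches the root pom on this branch, for example `<version>0.8.2-SNAPSHOT</version>` if that is what the root declares.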

http://git-wip-us.apache.org/repos/asf/whirr/blob/b80f01ca/services/kerberos/src/main/java/org/apache/whirr/service/kerberos/KerberosBaseHandler.java
----------------------------------------------------------------------
diff --git 
a/services/kerberos/src/main/java/org/apache/whirr/service/kerberos/KerberosBaseHandler.java
 
b/services/kerberos/src/main/java/org/apache/whirr/service/kerberos/KerberosBaseHandler.java
new file mode 100644
index 0000000..e86555c
--- /dev/null
+++ 
b/services/kerberos/src/main/java/org/apache/whirr/service/kerberos/KerberosBaseHandler.java
@@ -0,0 +1,60 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.whirr.service.kerberos;
+
+import static org.apache.whirr.RolePredicates.role;
+import static org.jclouds.scriptbuilder.domain.Statements.call;
+
+import java.io.IOException;
+import java.util.NoSuchElementException;
+
+import org.apache.commons.configuration.Configuration;
+import org.apache.whirr.Cluster.Instance;
+import org.apache.whirr.ClusterSpec;
+import org.apache.whirr.service.ClusterActionEvent;
+import org.apache.whirr.service.ClusterActionHandlerSupport;
+
+public abstract class KerberosBaseHandler extends ClusterActionHandlerSupport {
+
+  protected Configuration getConfiguration(ClusterSpec spec) throws 
IOException {
+    return getConfiguration(spec, "whirr-kerberos-default.properties");
+  }
+
+  @Override
+  protected void beforeBootstrap(ClusterActionEvent event) throws IOException {
+    addStatement(event, call("configure_hostnames"));
+    addStatement(event, call("retry_helpers"));
+    addStatement(event, 
call(getInstallFunction(event.getClusterSpec().getConfiguration(), "java", 
"install_openjdk")));
+    addStatement(event, call("install_kerberos_client"));
+  }
+
+  @Override
+  protected void beforeConfigure(ClusterActionEvent event) throws IOException {
+    Instance kerberosServerInstance = null;
+    try {
+      kerberosServerInstance = 
event.getCluster().getInstanceMatching(role(KerberosServerHandler.ROLE));
+    } catch (NoSuchElementException noSuchElementException) {
+      // ignore exception which a indicates client role has been configured
+      // without a cluster KDC role, but ensure the configure client script is
+      // not executed, which depends on the KDC hostname
+    }
+    if (kerberosServerInstance != null) {
+      addStatement(event, call("configure_kerberos_client", "-h", 
kerberosServerInstance.getPublicHostName()));
+    }
+  }
+}
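Review bot: The empty `catch (NoSuchElementException ...)` in `beforeConfigure` makes a cluster with Kerberos clients but no `kerberosserver` role look like a successful configure. `configure_kerberos_client` is skipped without any trace, so the node keeps whatever `/etc/krb5.conf` the package installed. The skip is deliberate, so keep it, but report it, for example `LOG.warn("No {} instance found; skipping configure_kerberos_client", KerberosServerHandler.ROLE);` using a logger field the class would need to declare. The explanatory comment should read "which indicates a client role has been configured" (it currently says "which a indicates"). The class and its two overridden hooks have no Javadoc describing which script functions each phase adds.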

http://git-wip-us.apache.org/repos/asf/whirr/blob/b80f01ca/services/kerberos/src/main/java/org/apache/whirr/service/kerberos/KerberosClientHandler.java
----------------------------------------------------------------------
diff --git 
a/services/kerberos/src/main/java/org/apache/whirr/service/kerberos/KerberosClientHandler.java
 
b/services/kerberos/src/main/java/org/apache/whirr/service/kerberos/KerberosClientHandler.java
new file mode 100644
index 0000000..227e3f6
--- /dev/null
+++ 
b/services/kerberos/src/main/java/org/apache/whirr/service/kerberos/KerberosClientHandler.java
@@ -0,0 +1,29 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.whirr.service.kerberos;
+
+public class KerberosClientHandler extends KerberosBaseHandler {
+
+  public static final String ROLE = "kerberosclient";
+
+  @Override
+  public String getRole() {
+    return ROLE;
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/whirr/blob/b80f01ca/services/kerberos/src/main/java/org/apache/whirr/service/kerberos/KerberosServerHandler.java
----------------------------------------------------------------------
diff --git 
a/services/kerberos/src/main/java/org/apache/whirr/service/kerberos/KerberosServerHandler.java
 
b/services/kerberos/src/main/java/org/apache/whirr/service/kerberos/KerberosServerHandler.java
new file mode 100644
index 0000000..cdfd93a
--- /dev/null
+++ 
b/services/kerberos/src/main/java/org/apache/whirr/service/kerberos/KerberosServerHandler.java
@@ -0,0 +1,56 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.whirr.service.kerberos;
+
+import static org.apache.whirr.RolePredicates.role;
+import static org.jclouds.scriptbuilder.domain.Statements.call;
+
+import java.io.IOException;
+
+import org.apache.whirr.service.ClusterActionEvent;
+import org.apache.whirr.service.FirewallManager.Rule;
+
+public class KerberosServerHandler extends KerberosBaseHandler {
+
+  public static final String ROLE = "kerberosserver";
+
+  private static final String PROPERTY_PORTS = "kerberosserver.ports";
+
+  @Override
+  public String getRole() {
+    return ROLE;
+  }
+
+  @Override
+  protected void beforeBootstrap(ClusterActionEvent event) throws IOException {
+    super.beforeBootstrap(event);
+    addStatement(event, call("install_kerberos_server"));
+  }
+
+  @Override
+  protected void beforeConfigure(ClusterActionEvent event) throws IOException {
+    super.beforeConfigure(event);
+    addStatement(event, call("configure_kerberos_server"));
+    for (Object port : 
getConfiguration(event.getClusterSpec()).getList(PROPERTY_PORTS)) {
+      if (port != null && !"".equals(port))
+        event.getFirewallManager().addRule(
+          
Rule.create().destination(role(ROLE)).port(Integer.parseInt(port.toString())));
+    }
+  }
+
+}
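Review bot: The firewall rule in `beforeConfigure` is built with `destination(role(ROLE))` and a port only, so the source range it admits is whatever `FirewallManager` applies by default, which is not visible in this diff. These ports front a KDC and kadmin service whose credentials are fixed by `configure_kerberos_server.sh` in this same commit, so the intended exposure should be stated next to the rule. A comment such as `// no source set: relies on FirewallManager's default source; must not be world-open` would do, or the rule could set the source explicitly. Separately, `Integer.parseInt(port.toString())` turns a malformed `kerberosserver.ports` entry into a bare `NumberFormatException`; wrapping it with a message that names the property would make the misconfiguration easier to diagnose.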

http://git-wip-us.apache.org/repos/asf/whirr/blob/b80f01ca/services/kerberos/src/main/java/org/apache/whirr/service/kerberos/osgi/Activator.java
----------------------------------------------------------------------
diff --git 
a/services/kerberos/src/main/java/org/apache/whirr/service/kerberos/osgi/Activator.java
 
b/services/kerberos/src/main/java/org/apache/whirr/service/kerberos/osgi/Activator.java
new file mode 100644
index 0000000..0138c8e
--- /dev/null
+++ 
b/services/kerberos/src/main/java/org/apache/whirr/service/kerberos/osgi/Activator.java
@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.whirr.service.kerberos.osgi;
+
+import java.util.Properties;
+
+import org.apache.whirr.service.ClusterActionHandler;
+import org.apache.whirr.service.kerberos.KerberosClientHandler;
+import org.apache.whirr.service.kerberos.KerberosServerHandler;
+import org.jclouds.scriptbuilder.functionloader.osgi.BundleFunctionLoader;
+import org.osgi.framework.BundleActivator;
+import org.osgi.framework.BundleContext;
+import org.osgi.framework.ServiceRegistration;
+
+public class Activator implements BundleActivator {
+
+  private BundleFunctionLoader functionLoader;
+
+  private final ClusterActionHandler clientActionHandler = new 
KerberosClientHandler();
+  private ServiceRegistration clientRegistration;
+
+  private final ClusterActionHandler serverClusterActionHandler = new 
KerberosServerHandler();
+  private ServiceRegistration serverRegistration;
+
+  @Override
+  public void start(BundleContext context) throws Exception {
+    functionLoader = new BundleFunctionLoader(context);
+    functionLoader.start();
+    Properties clientProps = new Properties();
+    clientProps.put("name", KerberosClientHandler.ROLE);
+    clientRegistration = context
+      .registerService(ClusterActionHandler.class.getName(), 
clientActionHandler, clientProps);
+    Properties serverProps = new Properties();
+    serverProps.put("name", KerberosServerHandler.ROLE);
+    serverRegistration = 
context.registerService(ClusterActionHandler.class.getName(), 
serverClusterActionHandler,
+      serverProps);
+  }
+
+  @Override
+  public void stop(BundleContext context) throws Exception {
+    if (clientRegistration != null) {
+      clientRegistration.unregister();
+    }
+    if (serverRegistration != null) {
+      serverRegistration.unregister();
+    }
+    if (functionLoader != null) {
+      functionLoader.stop();
+    }
+  }
+}

http://git-wip-us.apache.org/repos/asf/whirr/blob/b80f01ca/services/kerberos/src/main/resources/META-INF/services/org.apache.whirr.service.ClusterActionHandler
----------------------------------------------------------------------
diff --git 
a/services/kerberos/src/main/resources/META-INF/services/org.apache.whirr.service.ClusterActionHandler
 
b/services/kerberos/src/main/resources/META-INF/services/org.apache.whirr.service.ClusterActionHandler
new file mode 100644
index 0000000..a4e84c0
--- /dev/null
+++ 
b/services/kerberos/src/main/resources/META-INF/services/org.apache.whirr.service.ClusterActionHandler
@@ -0,0 +1,19 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+org.apache.whirr.service.kerberos.KerberosClientHandler
+org.apache.whirr.service.kerberos.KerberosServerHandler

http://git-wip-us.apache.org/repos/asf/whirr/blob/b80f01ca/services/kerberos/src/main/resources/functions/configure_kerberos_client.sh
----------------------------------------------------------------------
diff --git 
a/services/kerberos/src/main/resources/functions/configure_kerberos_client.sh 
b/services/kerberos/src/main/resources/functions/configure_kerberos_client.sh
new file mode 100644
index 0000000..506fece
--- /dev/null
+++ 
b/services/kerberos/src/main/resources/functions/configure_kerberos_client.sh
@@ -0,0 +1,35 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+set -x
+
+function configure_kerberos_client() {
+  local OPTIND
+  local OPTARG
+  KERBEROS_SERVER_HOST=localhost
+  while getopts "h:" OPTION; do
+    case $OPTION in
+    h)
+      KERBEROS_SERVER_HOST="$OPTARG"
+      ;;
+    esac
+  done
+  KERBEROS_REALM_REGEX=$(echo $KERBEROS_REALM | sed s/\\\./\\\\\./g)
+  sed -i -e "s/kerberos\.example\.com/$KERBEROS_SERVER_HOST/" /etc/krb5.conf
+  sed -i -e "s/example\.com/$KERBEROS_SERVER_HOST/" /etc/krb5.conf
+  sed -i -e "s/EXAMPLE\.COM/$KERBEROS_REALM_REGEX/" /etc/krb5.conf
+}
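Review bot: `KERBEROS_REALM_REGEX` escapes dots, but the value is used only on the replacement side of `s/EXAMPLE\.COM/.../`, where a dot is not special. The characters that matter there are `/`, `&` and `\`, and they are left unescaped, as they are in `$KERBEROS_SERVER_HOST`, which is substituted raw. The unquoted `echo $KERBEROS_REALM` is also subject to word splitting and globbing. Escaping for the replacement context fixes both, e.g. `KERBEROS_REALM_SED=$(printf '%s' "$KERBEROS_REALM" | sed 's/[\/&]/\\&/g')`, with the same treatment for the host value. `KERBEROS_SERVER_HOST` should also be declared `local` like `OPTIND` and `OPTARG`, so the `localhost` default does not leak into later functions in the same script.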

http://git-wip-us.apache.org/repos/asf/whirr/blob/b80f01ca/services/kerberos/src/main/resources/functions/configure_kerberos_server.sh
----------------------------------------------------------------------
diff --git 
a/services/kerberos/src/main/resources/functions/configure_kerberos_server.sh 
b/services/kerberos/src/main/resources/functions/configure_kerberos_server.sh
new file mode 100644
index 0000000..0bb1cc1
--- /dev/null
+++ 
b/services/kerberos/src/main/resources/functions/configure_kerberos_server.sh
@@ -0,0 +1,59 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+set -x
+
+function configure_kerberos_server() {
+  KERBEROS_REALM_REGEX=$(echo $KERBEROS_REALM | sed s/\\\./\\\\\./g)
+  service krb5kdc stop
+  service kadmin stop
+  sed -i -e "s/EXAMPLE\.COM/$KERBEROS_REALM_REGEX/" 
/var/kerberos/krb5kdc/kdc.conf
+  yum install -y expect
+  cat >> run_kdb5_util <<END
+#!/usr/bin/expect -f
+set timeout 5000
+spawn sudo kdb5_util create -s
+expect {Enter KDC database master key: } { send "admin\r" }
+expect {Re-enter KDC database master key to verify: } { send "admin\r" }
+expect EOF
+END
+  chmod +x run_kdb5_util
+  ./run_kdb5_util
+  rm -rf run_kdb5_util
+  sed -i -e "s/EXAMPLE\.COM/$KERBEROS_REALM_REGEX/" 
/var/kerberos/krb5kdc/kadm5.acl
+  cat >> run_addpinc <<END
+#!/usr/bin/expect -f
+set timeout 5000
+set principal_primary [lindex \$argv 0]
+set principal_instance [lindex \$argv 1]
+set realm [lindex \$argv 2]
+spawn sudo kadmin.local -q "addprinc \$principal_instance@\$realm"
+expect -re {Enter password for principal .*} { send "\$principal_primary\r" }
+expect -re {Re-enter password for principal .* } { send 
"\$principal_primary\r" }
+expect EOF
+END
+  chmod +x run_addpinc
+  ./run_addpinc $CLUSTER_USER $CLUSTER_USER/admin $KERBEROS_REALM
+  ./run_addpinc $CLUSTER_USER $CLUSTER_USER $KERBEROS_REALM
+  ./run_addpinc hdfs hdfs $KERBEROS_REALM
+  rm -rf ./run_addpinc
+  service krb5kdc start
+  service kadmin start
+  chkconfig krb5kdc on
+  chkconfig kadmin on
+  CONFIGURE_KERBEROS_DONE=1
+}
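Review bot: The KDC database master key is hard-coded as `admin`, and each principal's password is set to its own primary name (`$CLUSTER_USER` for both the user and the `$CLUSTER_USER/admin` principal, `hdfs` for hdfs). Every cluster provisioned with this function therefore shares predictable credentials for its authentication root. The master key should be generated per cluster or read from configuration and passed as `kdb5_util create -s -P "$KDC_MASTER_KEY"`. Service principals such as hdfs should be created with `addprinc -randkey` and distributed as keytabs, and the user password should come from the cluster configuration. With `set -x` active at the top of the file, wrap those commands in `set +x` / `set -x` so the secrets are not written to the bootstrap log. The helper scripts are also created with `cat >>` in the current directory, so a rerun appends a second copy; `cat >` into a `mktemp` file would avoid that.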

http://git-wip-us.apache.org/repos/asf/whirr/blob/b80f01ca/services/kerberos/src/main/resources/functions/install_kerberos_client.sh
----------------------------------------------------------------------
diff --git 
a/services/kerberos/src/main/resources/functions/install_kerberos_client.sh 
b/services/kerberos/src/main/resources/functions/install_kerberos_client.sh
new file mode 100644
index 0000000..74a4189
--- /dev/null
+++ b/services/kerberos/src/main/resources/functions/install_kerberos_client.sh
@@ -0,0 +1,36 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+set -x
+
+function install_kerberos_client() {
+  if which dpkg &> /dev/null; then
+    retry_apt_get -y install krb5-libs krb5-workstation unzip
+  elif which rpm &> /dev/null; then
+    retry_yum install -y krb5-libs krb5-workstation unzip
+  fi
+  if [ ! -z "${JDK_INSTALL_URL+xxx}" ]; then
+    JCE_POLICY_URL=$(dirname $JDK_INSTALL_URL)"/jce_policy-6.zip"
+    wget $JCE_POLICY_URL
+    if [ -f jce_policy-6.zip ]; then
+           unzip jce_policy-6.zip
+           mkdir -p /tmp/java_security_old
+           mv /usr/java/default/jre/lib/security/US_export_policy.jar 
/usr/java/default/jre/lib/security/local_policy.jar /tmp/java_security_old
+           mv jce/*.jar /usr/java/default/jre/lib/security
+    fi
+  fi
+}
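Review bot: The archive fetched by `wget $JCE_POLICY_URL` is unzipped and its jars are moved into `/usr/java/default/jre/lib/security` with no integrity check, so whatever the host behind `JDK_INSTALL_URL` serves becomes the JRE's crypto policy files. I would verify a pinned digest before `unzip`, for example `echo "$JCE_POLICY_SHA256  jce_policy-6.zip" | sha256sum -c - || return 1`, where `JCE_POLICY_SHA256` is a placeholder for a value supplied through configuration, not an existing variable. The expansions in `dirname $JDK_INSTALL_URL` and `wget $JCE_POLICY_URL` are also unquoted. A failed download is skipped silently by the `-f` test, so the node keeps the stock policy jars with nothing to show for it except the `set -x` trace; an explicit message on that path would make it visible.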

http://git-wip-us.apache.org/repos/asf/whirr/blob/b80f01ca/services/kerberos/src/main/resources/functions/install_kerberos_server.sh
----------------------------------------------------------------------
diff --git 
a/services/kerberos/src/main/resources/functions/install_kerberos_server.sh 
b/services/kerberos/src/main/resources/functions/install_kerberos_server.sh
new file mode 100644
index 0000000..7a9b86c
--- /dev/null
+++ b/services/kerberos/src/main/resources/functions/install_kerberos_server.sh
@@ -0,0 +1,26 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+set -x
+
+function install_kerberos_server() {
+  if which dpkg &> /dev/null; then
+    retry_apt_get -y install krb5-server
+  elif which rpm &> /dev/null; then
+    retry_yum install -y krb5-server
+  fi
+}
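Review bot: The `dpkg` branch asks apt for `krb5-server`, which is the Red Hat package name; on Debian and Ubuntu the KDC is packaged as `krb5-kdc` and `krb5-admin-server`, so that branch will most likely fail. The same applies to `krb5-libs krb5-workstation` in the dpkg branch of install_kerberos_client.sh, where the Debian client package is `krb5-user`. Either use the Debian names in those branches, or drop them and add an `else` that prints an error and returns non-zero, so that an unsupported image fails at bootstrap rather than later when the KDC is configured.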

http://git-wip-us.apache.org/repos/asf/whirr/blob/b80f01ca/services/kerberos/src/main/resources/whirr-kerberos-default.properties
----------------------------------------------------------------------
diff --git 
a/services/kerberos/src/main/resources/whirr-kerberos-default.properties 
b/services/kerberos/src/main/resources/whirr-kerberos-default.properties
new file mode 100644
index 0000000..8d75111
--- /dev/null
+++ b/services/kerberos/src/main/resources/whirr-kerberos-default.properties
@@ -0,0 +1,18 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+kerberosserver.ports=88,464,749

http://git-wip-us.apache.org/repos/asf/whirr/blob/b80f01ca/services/kerberos/src/test/java/org/apache/whirr/service/kerberos/KerberosClientDryRunTest.java
----------------------------------------------------------------------
diff --git 
a/services/kerberos/src/test/java/org/apache/whirr/service/kerberos/KerberosClientDryRunTest.java
 
b/services/kerberos/src/test/java/org/apache/whirr/service/kerberos/KerberosClientDryRunTest.java
new file mode 100644
index 0000000..cb76972
--- /dev/null
+++ 
b/services/kerberos/src/test/java/org/apache/whirr/service/kerberos/KerberosClientDryRunTest.java
@@ -0,0 +1,59 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.whirr.service.kerberos;
+
+import static com.google.common.base.Predicates.and;
+import static com.google.common.base.Predicates.containsPattern;
+
+import java.util.Set;
+
+import org.apache.whirr.service.BaseServiceDryRunTest;
+import org.apache.whirr.service.DryRunModule.DryRun;
+import org.junit.Test;
+
+import com.google.common.base.Predicate;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
+
+public class KerberosClientDryRunTest extends BaseServiceDryRunTest {
+
+  @Override
+  protected Set<String> getInstanceRoles() {
+    return ImmutableSet.of(KerberosServerHandler.ROLE + "+" + 
KerberosClientHandler.ROLE);
+  }
+
+  @Override
+  protected Predicate<CharSequence> bootstrapPredicate() {
+    return and(containsPattern("configure_hostnames"),
+      and(containsPattern("java"), 
containsPattern("install_kerberos_client")));
+  }
+
+  @Override
+  protected Predicate<CharSequence> configurePredicate() {
+    return containsPattern("configure_kerberos_client");
+  }
+
+  @Test
+  public void testNoServer() throws Exception {
+    DryRun dryRun = 
launchWithClusterSpec(newClusterSpecForProperties(ImmutableMap.of("whirr.instance-templates",
 "1 "
+      + KerberosClientHandler.ROLE)));
+    assertScriptPredicateOnPhase(dryRun, "bootstrap", bootstrapPredicate());
+  }
+  
+}
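Review bot: `testNoServer` checks only the bootstrap script, so nothing in this class states what a client-only cluster is expected to do in the configure phase, although `configurePredicate()` is defined just above it. If the base class does not already cover that for this cluster spec, add `assertScriptPredicateOnPhase(dryRun, "configure", configurePredicate());` as the server test does, or assert the expected failure if a client without a KDC is meant to be rejected. A one-line Javadoc on the test saying which of the two is intended would settle it for the next reader.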

http://git-wip-us.apache.org/repos/asf/whirr/blob/b80f01ca/services/kerberos/src/test/java/org/apache/whirr/service/kerberos/KerberosServerDryRunTest.java
----------------------------------------------------------------------
diff --git 
a/services/kerberos/src/test/java/org/apache/whirr/service/kerberos/KerberosServerDryRunTest.java
 
b/services/kerberos/src/test/java/org/apache/whirr/service/kerberos/KerberosServerDryRunTest.java
new file mode 100644
index 0000000..5a80478
--- /dev/null
+++ 
b/services/kerberos/src/test/java/org/apache/whirr/service/kerberos/KerberosServerDryRunTest.java
@@ -0,0 +1,60 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.whirr.service.kerberos;
+
+import static com.google.common.base.Predicates.and;
+import static com.google.common.base.Predicates.containsPattern;
+
+import java.util.Set;
+
+import org.apache.whirr.service.BaseServiceDryRunTest;
+import org.apache.whirr.service.DryRunModule.DryRun;
+import org.junit.Test;
+
+import com.google.common.base.Predicate;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
+
+public class KerberosServerDryRunTest extends BaseServiceDryRunTest {
+
+  @Override
+  protected Set<String> getInstanceRoles() {
+    return ImmutableSet.of(KerberosServerHandler.ROLE);
+  }
+
+  @Override
+  protected Predicate<CharSequence> bootstrapPredicate() {
+    return and(containsPattern("configure_hostnames"),
+      and(containsPattern("java"), 
containsPattern("install_kerberos_server")));
+  }
+
+  @Override
+  protected Predicate<CharSequence> configurePredicate() {
+    return containsPattern("configure_kerberos_server");
+  }
+
+  @Test
+  public void testKerberosRealm() throws Exception {
+    DryRun dryRun = 
launchWithClusterSpec(newClusterSpecForProperties(ImmutableMap.of("whirr.instance-templates",
 "1 "
+      + KerberosServerHandler.ROLE)));
+    assertScriptPredicateOnPhase(dryRun, "bootstrap", bootstrapPredicate());
+    assertScriptPredicateOnPhase(dryRun, "configure", configurePredicate());
+  }
+
+}
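Review bot: `testKerberosRealm` neither sets a realm nor asserts one; it only checks that the function names `install_kerberos_server` and `configure_kerberos_server` appear in the generated scripts. A regression in how the realm is exported to the node would therefore still pass. I would add a non-default realm to the `ImmutableMap`, using the key that ClusterSpec defines for it, and assert with `containsPattern` that the value reaches the configure script. If that is out of scope, rename the test to say what it covers, for example `testServerOnly`.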
