Github user anandsubbu commented on a diff in the pull request:

    https://github.com/apache/incubator-metron/pull/497#discussion_r108781952
  
    --- Diff: metron-deployment/vagrant/KERBEROS_SETUP.md ---
    @@ -0,0 +1,238 @@
    +# Setting Up Kerberos in Vagrant Full Dev
    +**Note:** These are manual instructions for Kerberizing Metron Storm 
topologies from Kafka to Kafka. This does not cover the Ambari MPack, sensor 
connections, or MAAS.
    +
    +1. Build full dev and ssh into the machine
    +```
    +cd incubator-metron/metron-deployment/vagrant/full-dev-platform
    +vagrant up
    +vagrant ssh
    +```
    +
    +2. Export env vars
    +```
    +# execute as root
    +sudo su -
    +export ZOOKEEPER=node1
    +export BROKERLIST=node1
    +export HDP_HOME="/usr/hdp/current"
    +export METRON_VERSION="0.3.1"
    +export METRON_HOME="/usr/metron/${METRON_VERSION}"
    +```
    +
    +3. Stop all topologies - we will  restart them again once Kerberos has 
been enabled.
    +```
    +for topology in bro snort enrichment indexing; do storm kill $topology; 
done
    +```
    +
    +4. Setup Kerberos
    +```
    +# Note: if you copy/paste this full set of commands, the kdb5_util command 
will not run as expected, so run the commands individually to ensure they all 
execute
    +yum -y install krb5-server krb5-libs krb5-workstation
    +sed -i 's/kerberos.example.com/node1/g' /etc/krb5.conf
    +cp /etc/krb5.conf /var/lib/ambari-server/resources/scripts
    +# This step takes a moment. It creates the kerberos database.
    +kdb5_util create -s
    +/etc/rc.d/init.d/krb5kdc start
    +/etc/rc.d/init.d/kadmin start
    +chkconfig krb5kdc on
    +chkconfig kadmin on
    +```
    +
    +5. Setup the admin and metron user principals. You'll kinit as the metron 
user when running topologies. Make sure to remember the passwords.
    +```
    +kadmin.local -q "addprinc admin/admin"
    +kadmin.local -q "addprinc metron"
    +```
    +
    +6. Create the metron user HDFS home directory
    +```
    +sudo -u hdfs hdfs dfs -mkdir /user/metron && \
    +sudo -u hdfs hdfs dfs -chown metron:hdfs /user/metron && \
    +sudo -u hdfs hdfs dfs -chmod 770 /user/metron
    +```
    +
    +7. In Ambari, setup Storm to run with Kerberos and run worker jobs as the 
submitting user. Add the following properties to custom storm-site. In the 
Storm config section in Ambari, choose “Add Property” under custom 
storm-site. In the dialog window, choose the “bulk property add mode” 
toggle button and add the below values.
    +```
    
+topology.auto-credentials=['org.apache.storm.security.auth.kerberos.AutoTGT']
    
+nimbus.credential.renewers.classes=['org.apache.storm.security.auth.kerberos.AutoTGT']
    +supervisor.run.worker.as.user=true
    +```
    +
    +![custom storm-site](readme-images/ambari-storm-site.png)
    +
    +![custom storm-site 
properties](readme-images/ambari-storm-site-properties.png)
    +
    +8. Kerberize the cluster via Ambari. More detailed documentation can be 
found 
[here](http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_security/content/_enabling_kerberos_security_in_ambari.html).
    +   1. For this exercise, choose existing MIT KDC (this is what we setup 
and installed in the previous steps.)
    +      ![enable keberos](readme-images/enable-kerberos.png)
    +      ![enable keberos get 
started](readme-images/enable-kerberos-started.png)
    +   2. Setup Kerberos configuration. Realm is EXAMPLE.COM. The admin 
principal will end up as admin/ad...@example.com when testing the KDC. Use the 
password you entered during the step for adding the admin principal.
    +      ![enable keberos 
configure](readme-images/enable-kerberos-configure-kerberos.png)
    +   3. Click through to “Start and Test Services.” Let the cluster spin 
up, but don't worry about starting up Metron via Ambari - we're going to run 
the parsers manually against the rest of the Hadoop cluster Kerberized. The 
wizard will fail at starting Metron, but this is OK. Click “continue.” When 
you’re finished, the custom storm-site should look similar to the following:
    +      ![enable keberos 
configure](readme-images/custom-storm-site-final.png)
    +
    +9. Setup Metron keytab
    +```
    +kadmin.local -q "ktadd -k metron.headless.keytab met...@example.com" && \
    +cp metron.headless.keytab /etc/security/keytabs && \
    +chown metron:hadoop /etc/security/keytabs/metron.headless.keytab && \
    +chmod 440 /etc/security/keytabs/metron.headless.keytab
    +```
    +
    +10. Kinit with the metron user
    +```
    +kinit -kt /etc/security/keytabs/metron.headless.keytab met...@example.com
    +```
    +
    +11. First create any additional Kafka topics you will need. We need to 
create the topics before adding the required ACLs. The current full dev 
installation will deploy bro, snort, enrichments, and indexing only. e.g.
    +```
    +${HDP_HOME}/kafka-broker/bin/kafka-topics.sh --zookeeper $ZOOKEEPER:2181 
--create --topic yaf --partitions 1 --replication-factor 1
    +```
    +
    +12. Setup Kafka ACLs for the topics
    +```
    +export KERB_USER=metron;
    +for topic in bro enrichments indexing snort; do
    +${HDP_HOME}/kafka-broker/bin/kafka-acls.sh --authorizer 
kafka.security.auth.SimpleAclAuthorizer --authorizer-properties 
zookeeper.connect=node1:2181 --add --allow-principal User:${KERB_USER} --topic 
${topic};
    +done;
    +```
    +
    +13. Setup Kafka ACLs for the consumer groups
    +```
    +${HDP_HOME}/kafka-broker/bin/kafka-acls.sh --authorizer 
kafka.security.auth.SimpleAclAuthorizer --authorizer-properties 
zookeeper.connect=node1:2181 --add --allow-principal User:${KERB_USER} --group 
bro_parser;
    +${HDP_HOME}/kafka-broker/bin/kafka-acls.sh --authorizer 
kafka.security.auth.SimpleAclAuthorizer --authorizer-properties 
zookeeper.connect=node1:2181 --add --allow-principal User:${KERB_USER} --group 
snort_parser;
    +${HDP_HOME}/kafka-broker/bin/kafka-acls.sh --authorizer 
kafka.security.auth.SimpleAclAuthorizer --authorizer-properties 
zookeeper.connect=node1:2181 --add --allow-principal User:${KERB_USER} --group 
yaf_parser;
    +${HDP_HOME}/kafka-broker/bin/kafka-acls.sh --authorizer 
kafka.security.auth.SimpleAclAuthorizer --authorizer-properties 
zookeeper.connect=node1:2181 --add --allow-principal User:${KERB_USER} --group 
enrichments;
    +${HDP_HOME}/kafka-broker/bin/kafka-acls.sh --authorizer 
kafka.security.auth.SimpleAclAuthorizer --authorizer-properties 
zookeeper.connect=node1:2181 --add --allow-principal User:${KERB_USER} --group 
indexing;
    +```
    +
    +14. Add metron user to the Kafka cluster ACL
    +```
    +/usr/hdp/current/kafka-broker/bin/kafka-acls.sh --authorizer 
kafka.security.auth.SimpleAclAuthorizer --authorizer-properties 
zookeeper.connect=node1:2181 --add --allow-principal User:${KERB_USER} 
--cluster kafka-cluster
    +```
    +
    +15. We also need to grant permissions to the HBase tables. Kinit as the 
hbase user and add ACLs for metron.
    +```
    +kinit -kt /etc/security/keytabs/hbase.headless.keytab 
hbase-metron_clus...@example.com
    +echo "grant 'metron', 'RW', 'threatintel'" | hbase shell
    +echo "grant 'metron', 'RW', enrichment" | hbase shell
    +```
    +
    +16. Create a “.storm” directory in the metron user’s home directory 
and switch to that directory.
    +```
    +su - metron
    +mkdir .storm
    +cd .storm
    +```
    +
    +17. Create a custom client jaas file. This should look identical to the 
Storm client jaas file located in /etc/storm/conf/client_jaas.conf except for 
the addition of a Client stanza. The Client stanza is used for Zookeeper. All 
quotes and semicolons are necessary.
    +```
    +[metron@node1 .storm]$ cat client_jaas.conf
    +StormClient {
    +   com.sun.security.auth.module.Krb5LoginModule required
    +   useTicketCache=true
    +   renewTicket=true
    +   serviceName="nimbus";
    +};
    +Client {
    +   com.sun.security.auth.module.Krb5LoginModule required
    +   useTicketCache=true
    +   renewTicket=true
    +   serviceName="zookeeper";
    +};
    +KafkaClient {
    +   com.sun.security.auth.module.Krb5LoginModule required
    +   useTicketCache=true
    +   renewTicket=true
    +   serviceName="kafka";
    +};
    +```
    +
    +18. Create a storm.yaml with jaas file info.
    +```
    +[metron@node1 .storm]$ cat storm.yaml
    +nimbus.seeds : ['node1']
    +java.security.auth.login.config : '/home/metron/.storm/client_jaas.conf'
    +storm.thrift.transport : 
'org.apache.storm.security.auth.kerberos.KerberosSaslTransportPlugin'
    +```
    +
    +19. Create an auxiliary storm configuration json file in the metron 
user’s home directory. Note the login config option in the file points to our 
custom client_jaas.conf.
    +```
    +cd /home/metron
    +[metron@node1 ~]$ cat storm-config.json
    +{
    +  "topology.worker.childopts" : 
"-Djava.security.auth.login.config=/home/metron/.storm/client_jaas.conf"
    +}
    +```
    +
    +20. Setup enrichment and indexing.
    +    1. Modify enrichment.properties - 
`${METRON_HOME}/config/enrichment.properties`
    +```
    +kafka.security.protocol=PLAINTEXTSASL
    
+topology.worker.childopts=-Djava.security.auth.login.config=/home/metron/.storm/client_jaas.conf
    +```
    +
    +    2. Modify elasticsearch.properties - 
`${METRON_HOME}/config/elasticsearch.properties`
    +```
    +kafka.security.protocol=PLAINTEXTSASL
    
+topology.worker.childopts=-Djava.security.auth.login.config=/home/metron/.storm/client_jaas.conf
    +```
    +
    +21. Restart the parser topologies. Be sure to pass in the new parameter, 
“-ksp” or “--kafka_security_protocol.” Run this from the metron home 
directory.
    +```
    +for parser in bro snort; do ${METRON_HOME}/bin/start_parser_topology.sh -z 
node1:2181 -s ${parser} -ksp PLAINTEXTSASL -e storm-config.json; done
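Review bot: step 10 runs the kinit with the metron keytab while the shell is still root (step 2 did `sudo su -`), but steps 16 and 21 submit the topologies as metron after `su - metron`; the TGT therefore lands in root's credential cache, not metron's, so the StormClient stanza with useTicketCache=true finds no ticket when metron runs start_parser_topology.sh. Move the kinit to after the `su - metron` in step 16 (the keytab is readable by metron through the metron:hadoop 440 permissions set in step 9) or say explicitly that it must be repeated as metron. Also, in step 15 the second HBase grant is missing the quotes around the table name: `echo "grant 'metron', 'RW', enrichment" | hbase shell` should read `echo "grant 'metron', 'RW', 'enrichment'" | hbase shell`, matching the threatintel line, otherwise the shell treats `enrichment` as an undefined variable. Finally, steps 12 to 14 pass no --operation to kafka-acls.sh, so every ACL defaults to All; the step 14 cluster ACL in particular gives metron every cluster-level operation, which is broader than a topology submitter needs, so consider naming the operations (for example `--operation Read --operation Write` on the topics) and documenting which cluster operation the topologies actually require.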
    --- End diff --
    
    At this step however, I am getting the following error. The full log 
message with the command is available [here](https://pastebin.com/ynHzkeWy). 
    
    Any idea why I am seeing this error?
    
    ```
    3770 [main] WARN  o.a.s.s.a.k.ClientCallbackHandler - Could not login: the client is being asked for a password, but the  client code does not currently support obtaining a password from the user. Make sure that the client is configured to use a ticket cache (using the JAAS configuration setting 'useTicketCache=true)' and restart the client. If you still get this message after that, the TGT in the ticket cache has expired and must be manually refreshed. To do so, first determine if you are using a password or a keytab. If the former, run kinit in a Unix shell in the environment of the user who is running this client using the command 'kinit <princ>' (where <princ> is the name of the client's Kerberos principal). If the latter, do 'kinit -k -t <keytab> <princ>' (where <princ> is the name of the Kerberos principal, and <keytab> is the location of the keytab file). After manually refreshing your cache, restart this client. If you continue to see this message after manually refreshing your cache, ensure that your KDC host's clock is in sync with this host's clock.
    java.lang.RuntimeException: javax.security.auth.login.LoginException: No password provided
        at org.apache.storm.security.auth.kerberos.AutoTGT.populateCredentials(AutoTGT.java:103)
        at org.apache.storm.StormSubmitter.populateCredentials(StormSubmitter.java:94)
        at org.apache.storm.StormSubmitter.submitTopologyAs(StormSubmitter.java:214)
        at org.apache.storm.StormSubmitter.submitTopology(StormSubmitter.java:310)
        at org.apache.storm.StormSubmitter.submitTopology(StormSubmitter.java:157)
        at org.apache.metron.parsers.topology.ParserTopologyCLI.main(ParserTopologyCLI.java:318)
    Caused by: javax.security.auth.login.LoginException: No password provided
        at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:919)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:760)
        at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
        at org.apache.storm.security.auth.kerberos.AutoTGT.populateCredentials(AutoTGT.java:80)
        ... 5 more
    ```


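Added here as an editorial example, not code from the PR or from the Metron project: a shell pre-flight check for the login failure quoted in the comment above. It tests the conditions the Krb5LoginModule warning lists (a usable ticket cache for the submitting user, the expected principal in that cache, and a JAAS stanza with useTicketCache=true), and it follows the storm.yaml to client_jaas.conf link from steps 17 and 18 of the guide. The principal metron@EXAMPLE.COM, the realm and the ~/.storm paths are assumptions taken from the guide; the klist output and JAAS text embedded in the script are constructed samples, not captured from a real cluster.

```shell
#!/usr/bin/env bash
# Editorial example (not from the Metron PR): pre-flight check for the
# "client is being asked for a password" / "No password provided" error that
# Storm's AutoTGT raises when it populates credentials at submit time.
# Assumptions: principal metron@EXAMPLE.COM, realm EXAMPLE.COM, storm.yaml and
# client_jaas.conf under ~/.storm as in the guide. Sample data is constructed.
set -u

# Print the "Default principal" named in klist(1) output read from stdin.
cache_principal() {
  awk -F': ' '/^Default principal:/ { print $2; exit }'
}

# Succeed if the klist output on stdin holds a krbtgt for realm $1.
has_tgt_for_realm() {
  grep -qF "krbtgt/$1@$1"
}

# Print the JAAS path set as java.security.auth.login.config in a storm.yaml
# written the way the guide shows (single-quoted value).
storm_yaml_jaas_path() {
  sed -n "s/^java\.security\.auth\.login\.config[[:space:]]*:[[:space:]]*'\([^']*\)'.*/\1/p" "$1"
}

# Succeed if stanza $2 in JAAS file $1 sets useTicketCache=true. Without it
# Krb5LoginModule falls back to prompting for a password, which the
# non-interactive StormSubmitter cannot answer.
jaas_stanza_uses_ticket_cache() {
  awk -v s="$2" '
    $1 == s && $2 == "{"                                    { inside = 1; next }
    inside && /^[[:space:]]*};/                             { exit }
    inside && /useTicketCache[[:space:]]*=[[:space:]]*true/ { found = 1; exit }
    END { if (found) exit 0; exit 1 }
  ' "$1"
}

# Live check: diagnose PRINCIPAL REALM [STORM_YAML]. Needs krb5-workstation.
diagnose() {
  local principal="$1" realm="$2" yaml="${3:-$HOME/.storm/storm.yaml}"
  local who; who=$(id -un)
  echo "submitting user: $who (the kinit must have been run by this user)"
  command -v klist >/dev/null 2>&1 || { echo "klist missing: install krb5-workstation"; return 2; }
  klist -s || { echo "no valid TGT in the cache of $who; run: kinit -kt <keytab> $principal"; return 1; }
  local cached; cached=$(klist | cache_principal)
  [ "$cached" = "$principal" ] || { echo "cache holds '$cached', expected '$principal'"; return 1; }
  klist | has_tgt_for_realm "$realm" || { echo "no krbtgt for $realm in the cache"; return 1; }
  local jaas; jaas=$(storm_yaml_jaas_path "$yaml")
  [ -n "$jaas" ] || { echo "$yaml does not set java.security.auth.login.config"; return 1; }
  [ -r "$jaas" ] || { echo "JAAS file $jaas is missing or unreadable by $who"; return 1; }
  jaas_stanza_uses_ticket_cache "$jaas" StormClient || { echo "StormClient in $jaas lacks useTicketCache=true"; return 1; }
  echo "OK: $who holds a TGT for $principal and $jaas uses the ticket cache"
}

# Constructed klist output (not captured from a real host) for offline use.
sample_klist_output() {
  cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: metron@EXAMPLE.COM

Valid starting       Expires              Service principal
03/29/2017 10:00:00  03/30/2017 10:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
EOF
}

# Write a constructed storm.yaml + client_jaas.conf pair under directory $1.
# KafkaClient deliberately omits useTicketCache so the negative case is visible.
write_sample_storm_dir() {
  local dir="$1"
  mkdir -p "$dir"
  cat > "$dir/client_jaas.conf" <<'EOF'
StormClient {
   com.sun.security.auth.module.Krb5LoginModule required
   useTicketCache=true
   renewTicket=true
   serviceName="nimbus";
};
KafkaClient {
   com.sun.security.auth.module.Krb5LoginModule required
   serviceName="kafka";
};
EOF
  printf "nimbus.seeds : ['node1']\njava.security.auth.login.config : '%s/client_jaas.conf'\n" "$dir" > "$dir/storm.yaml"
}

# With arguments, run the live check, e.g.: ./kerb_check.sh metron@EXAMPLE.COM EXAMPLE.COM
if [ "$#" -ge 2 ]; then
  diagnose "$@"
fi
```

Run the live check as the same user that will call start_parser_topology.sh, because a Kerberos credential cache is per user: a kinit performed as root is not visible after `su - metron`. The script does not check clock skew against the KDC, the last cause the warning mentions; compare `date` on the KDC and the client if everything above passes and the error persists.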