tigerquoll edited a comment on issue #1519: METRON-2265: Update Kerberos settings
URL: https://github.com/apache/metron/pull/1519#issuecomment-537767880

Ok, I can get Kerberos Metron processing data with this PR. The jars and everything appear OK; it was the contained deployment instructions that were causing me grief.

I had to deviate from the provided "metron-deployment/Kerberos-manual-setup.md" file in the following ways (Can somebody update the markup file in the PR, or will there need to be a new PR for those markup changes?)

### Initial environment:

```
source /etc/default/metron
export KAFKA_HOME="/usr/hdp/current/kafka-broker"
export BROKERLIST=node1:6667
export HDP_HOME="/usr/hdp/current"
export KAFKA_HOME="${HDP_HOME}/kafka-broker"
export CLIENT_JAAS_ARG=/etc/kafka/conf/kafka_client_jaas.conf
export KAFKA_SECURITY_PROTOCOL=SASL_PLAINTEXT
export ELASTICSEARCH=node1:9200
export KAFKA_OPTS="-Djava.security.auth.login.config=$CLIENT_JAAS_ARG"
```

### Verify KDC

Step 2: add `kinit metron` before `klist -f`

### Enable Kerberos

Step 3: metron.headless.keytab appears to already be generated, so add to the start of step 3:

```
rm metron.headless.keytab
```

change:

```
cp metron.headless.keytab /etc/security/keytabs
```

to:

```
cp -n metron.headless.keytab /etc/security/keytabs
```

### Kafka Authorization:

The Metron user does not have permissions to edit ACLs. The Kafka Service account does have permissions, so we can temporarily use that keytab to add ACLs.

Add to start of Step 3:

```
export CLIENT_JAAS_ARG=/etc/kafka/conf/kafka_jaas.conf
export KAFKA_OPTS="-Djava.security.auth.login.config=$CLIENT_JAAS_ARG"
```

### Storm Authorization

An additional step should be done before the others:

`su metron -`

Step 7 requires root access, so add

```
exit
id   # confirm root account
source /etc/default/metron
```

before proceeding with the rest of the script.

### Start metron

Step 1: add

```
source /etc/default/metron
```

### Push Data

Remove

```
export KAFKA_OPTS=$CLIENT_JAAS_ARG
```

Add

```
source /etc/default/metron
export ELASTICSEARCH=node1:9200
export KAFKA_SECURITY_PROTOCOL=SASL_PLAINTEXT
export KAFKA_HOME="/usr/hdp/current/kafka-broker"
export CLIENT_JAAS_ARG=/etc/kafka/conf/kafka_client_jaas.conf
export KAFKA_OPTS="-Djava.security.auth.login.config=$CLIENT_JAAS_ARG"
```

Add

```
curl -XGET "${ELASTICSEARCH}/bro*/_count"
```

before dumping the new sample data to Kafka, to get the count beforehand for comparison purposes.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

With regards,
Apache Git Services
