[https://issues.apache.org/jira/browse/METRON-804?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15949559#comment-15949559]
ASF GitHub Bot commented on METRON-804:
---------------------------------------
Github user anandsubbu commented on a diff in the pull request:
https://github.com/apache/incubator-metron/pull/497#discussion_r108983684
--- Diff: metron-deployment/vagrant/KERBEROS_SETUP.md ---
@@ -0,0 +1,238 @@
+# Setting Up Kerberos in Vagrant Full Dev
+**Note:** These are manual instructions for Kerberizing Metron Storm
topologies from Kafka to Kafka. This does not cover the Ambari MPack, sensor
connections, or MAAS.
+
+1. Build full dev and ssh into the machine
+```
+cd incubator-metron/metron-deployment/vagrant/full-dev-platform
+vagrant up
+vagrant ssh
+```
+
+2. Export env vars
+```
+# execute as root
+sudo su -
+export ZOOKEEPER=node1
+export BROKERLIST=node1
+export HDP_HOME="/usr/hdp/current"
+export METRON_VERSION="0.3.1"
+export METRON_HOME="/usr/metron/${METRON_VERSION}"
+```
+
+3. Stop all topologies - we will restart them again once Kerberos has
been enabled.
+```
+for topology in bro snort enrichment indexing; do storm kill $topology;
done
+```
+
+4. Setup Kerberos
+```
+# Note: if you copy/paste this full set of commands, the kdb5_util command
will not run as expected, so run the commands individually to ensure they all
execute
+yum -y install krb5-server krb5-libs krb5-workstation
+sed -i 's/kerberos.example.com/node1/g' /etc/krb5.conf
+cp /etc/krb5.conf /var/lib/ambari-server/resources/scripts
+# This step takes a moment. It creates the kerberos database.
+kdb5_util create -s
+/etc/rc.d/init.d/krb5kdc start
+/etc/rc.d/init.d/kadmin start
+chkconfig krb5kdc on
+chkconfig kadmin on
+```
+
+5. Setup the admin and metron user principals. You'll kinit as the metron
user when running topologies. Make sure to remember the passwords.
+```
+kadmin.local -q "addprinc admin/admin"
+kadmin.local -q "addprinc metron"
+```
+
+6. Create the metron user HDFS home directory
+```
+sudo -u hdfs hdfs dfs -mkdir /user/metron && \
+sudo -u hdfs hdfs dfs -chown metron:hdfs /user/metron && \
+sudo -u hdfs hdfs dfs -chmod 770 /user/metron
+```
+
+7. In Ambari, setup Storm to run with Kerberos and run worker jobs as the
submitting user. Add the following properties to custom storm-site. In the
Storm config section in Ambari, choose “Add Property” under custom storm-site.
In the dialog window, choose the “bulk property add mode” toggle button and add
the below values.
+```
+topology.auto-credentials=['org.apache.storm.security.auth.kerberos.AutoTGT']
+nimbus.credential.renewers.classes=['org.apache.storm.security.auth.kerberos.AutoTGT']
+supervisor.run.worker.as.user=true
+```
+
+
+
+
+
+8. Kerberize the cluster via Ambari. More detailed documentation can be
found
[here](http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_security/content/_enabling_kerberos_security_in_ambari.html).
+ 1. For this exercise, choose existing MIT KDC (this is what we setup
and installed in the previous steps.)
+ 
+ 
+ 2. Setup Kerberos configuration. Realm is EXAMPLE.COM. The admin
principal will end up as admin/[email protected] when testing the KDC. Use the
password you entered during the step for adding the admin principal.
+ 
+ 3. Click through to “Start and Test Services.” Let the cluster spin up,
but don't worry about starting up Metron via Ambari - we're going to run the
parsers manually against the rest of the Hadoop cluster Kerberized. The wizard
will fail at starting Metron, but this is OK. Click “continue.” When you’re
finished, the custom storm-site should look similar to the following:
+ 
+
+9. Setup Metron keytab
+```
+kadmin.local -q "ktadd -k metron.headless.keytab [email protected]" && \
+cp metron.headless.keytab /etc/security/keytabs && \
+chown metron:hadoop /etc/security/keytabs/metron.headless.keytab && \
+chmod 440 /etc/security/keytabs/metron.headless.keytab
+```
+
+10. Kinit with the metron user
+```
+kinit -kt /etc/security/keytabs/metron.headless.keytab [email protected]
+```
+
+11. First create any additional Kafka topics you will need. We need to
create the topics before adding the required ACLs. The current full dev
installation will deploy bro, snort, enrichments, and indexing only. e.g.
+```
+${HDP_HOME}/kafka-broker/bin/kafka-topics.sh --zookeeper $ZOOKEEPER:2181
--create --topic yaf --partitions 1 --replication-factor 1
+```
+
+12. Setup Kafka ACLs for the topics
+```
+export KERB_USER=metron;
+for topic in bro enrichments indexing snort; do
+${HDP_HOME}/kafka-broker/bin/kafka-acls.sh --authorizer
kafka.security.auth.SimpleAclAuthorizer --authorizer-properties
zookeeper.connect=node1:2181 --add --allow-principal User:${KERB_USER} --topic
${topic};
+done;
+```
+
+13. Setup Kafka ACLs for the consumer groups
+```
+${HDP_HOME}/kafka-broker/bin/kafka-acls.sh --authorizer
kafka.security.auth.SimpleAclAuthorizer --authorizer-properties
zookeeper.connect=node1:2181 --add --allow-principal User:${KERB_USER} --group
bro_parser;
+${HDP_HOME}/kafka-broker/bin/kafka-acls.sh --authorizer
kafka.security.auth.SimpleAclAuthorizer --authorizer-properties
zookeeper.connect=node1:2181 --add --allow-principal User:${KERB_USER} --group
snort_parser;
+${HDP_HOME}/kafka-broker/bin/kafka-acls.sh --authorizer
kafka.security.auth.SimpleAclAuthorizer --authorizer-properties
zookeeper.connect=node1:2181 --add --allow-principal User:${KERB_USER} --group
yaf_parser;
+${HDP_HOME}/kafka-broker/bin/kafka-acls.sh --authorizer
kafka.security.auth.SimpleAclAuthorizer --authorizer-properties
zookeeper.connect=node1:2181 --add --allow-principal User:${KERB_USER} --group
enrichments;
+${HDP_HOME}/kafka-broker/bin/kafka-acls.sh --authorizer
kafka.security.auth.SimpleAclAuthorizer --authorizer-properties
zookeeper.connect=node1:2181 --add --allow-principal User:${KERB_USER} --group
indexing;
+```
+
+14. Add metron user to the Kafka cluster ACL
+```
+/usr/hdp/current/kafka-broker/bin/kafka-acls.sh --authorizer
kafka.security.auth.SimpleAclAuthorizer --authorizer-properties
zookeeper.connect=node1:2181 --add --allow-principal User:${KERB_USER}
--cluster kafka-cluster
+```
+
+15. We also need to grant permissions to the HBase tables. Kinit as the
hbase user and add ACLs for metron.
+```
+kinit -kt /etc/security/keytabs/hbase.headless.keytab
[email protected]
+echo "grant 'metron', 'RW', 'threatintel'" | hbase shell
+echo "grant 'metron', 'RW', enrichment" | hbase shell
+```
+
+16. Create a “.storm” directory in the metron user’s home directory and
switch to that directory.
+```
+su - metron
+mkdir .storm
+cd .storm
+```
+
+17. Create a custom client jaas file. This should look identical to the
Storm client jaas file located in /etc/storm/conf/client_jaas.conf except for
the addition of a Client stanza. The Client stanza is used for Zookeeper. All
quotes and semicolons are necessary.
+```
+[metron@node1 .storm]$ cat client_jaas.conf
+StormClient {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useTicketCache=true
+ renewTicket=true
+ serviceName="nimbus";
+};
+Client {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useTicketCache=true
+ renewTicket=true
+ serviceName="zookeeper";
+};
+KafkaClient {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useTicketCache=true
+ renewTicket=true
+ serviceName="kafka";
+};
+```
+
+18. Create a storm.yaml with jaas file info.
+```
+[metron@node1 .storm]$ cat storm.yaml
+nimbus.seeds : ['node1']
+java.security.auth.login.config : '/home/metron/.storm/client_jaas.conf'
+storm.thrift.transport :
'org.apache.storm.security.auth.kerberos.KerberosSaslTransportPlugin'
+```
+
+19. Create an auxiliary storm configuration json file in the metron user’s
home directory. Note the login config option in the file points to our custom
client_jaas.conf.
+```
+cd /home/metron
+[metron@node1 ~]$ cat storm-config.json
+{
+ "topology.worker.childopts" :
"-Djava.security.auth.login.config=/home/metron/.storm/client_jaas.conf"
+}
+```
+
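Review bot: in step 15 the second HBase grant passes the table name unquoted (`echo "grant 'metron', 'RW', enrichment" | hbase shell`) while the line above quotes it (`'threatintel'`); the HBase shell is a JRuby REPL, so a bare `enrichment` is parsed as an undefined identifier and the grant errors out instead of applying to the `enrichment` table. Quote it to match the first line: `echo "grant 'metron', 'RW', 'enrichment'" | hbase shell`. Two smaller points in the same hunk: step 14 hard-codes `/usr/hdp/current/kafka-broker/bin/kafka-acls.sh` where steps 11 to 13 use `${HDP_HOME}/kafka-broker/...`, so it ignores the `HDP_HOME` exported in step 2; and the `kafka-acls.sh --add` calls in steps 12 to 14 pass no `--operation`, which defaults to `All` and grants every operation on each topic, consumer group and the cluster to `User:${KERB_USER}`. Since the text only needs the topologies to read from and write to those topics and groups, scoping the grants with `--operation Read` / `--operation Write` would keep this a least-privilege setup. The topic loop in step 12 (`for topic in bro enrichments indexing snort`) also omits `yaf`, although step 11 creates the `yaf` topic and step 13 grants the `yaf_parser` group, so a yaf parser started later would have a group ACL but no topic ACL.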
--- End diff --
Need to export the `METRON_HOME` variable here again, since we have now `su`'d
into the `metron` user.
Also need to kinit again as the metron user before attempting to start the
parsers:
```
kinit -kt /etc/security/keytabs/metron.headless.keytab @[email protected]
```
> Create a document to describe kerberizing vagrant
> -------------------------------------------------
>
> Key: METRON-804
> URL: https://issues.apache.org/jira/browse/METRON-804
> Project: Metron
> Issue Type: Improvement
> Reporter: Casey Stella
> Assignee: Michael Miklavcic
> Labels: kerberos
>
> This should cover step-by-step how to kerberize vagrant with a local KDC and
> the manual setup to get Metron running data through into the indices. This
> will enable testing in a kerberized environment.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)