adoroszlai commented on code in PR #4389: URL: https://github.com/apache/ozone/pull/4389#discussion_r1180049216
########## hadoop-ozone/dist/src/main/compose/ozonesecure-vault/docker-compose.yaml: ########## 
@@ -0,0 +1,142 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +version: "3" +services: + kdc: + image: ${OZONE_TESTKRB5_IMAGE} + hostname: kdc + volumes: + - ../..:/opt/hadoop + - ../_keytabs:/etc/security/keytabs + command: ["krb5kdc","-n"] + kms: + image: apache/hadoop:${HADOOP_VERSION} + ports: + - 9600:9600 + env_file: + - ./docker-config + environment: + HADOOP_CONF_DIR: /opt/hadoop/etc/hadoop + volumes: + - ../../libexec/transformation.py:/opt/transformation.py + command: ["hadoop", "kms"] + datanode: + image: ${OZONE_RUNNER_IMAGE}:${OZONE_RUNNER_VERSION} + volumes: + - ../..:/opt/hadoop + - ../_keytabs:/etc/security/keytabs + - ./krb5.conf:/etc/krb5.conf + ports: + - 9864 + command: ["/opt/hadoop/bin/ozone","datanode"] + env_file: + - docker-config + environment: + OZONE_OPTS: + om: + image: ${OZONE_RUNNER_IMAGE}:${OZONE_RUNNER_VERSION} + hostname: om + volumes: + - ../..:/opt/hadoop + - ../_keytabs:/etc/security/keytabs + - ./krb5.conf:/etc/krb5.conf + ports: + - 9874:9874 + - 9862:9862 + environment: + ENSURE_OM_INITIALIZED: /data/metadata/om/current/VERSION + OZONE_OPTS: -Dcom.sun.net.ssl.checkRevocation=false + env_file: + - docker-config + command: ["/opt/hadoop/bin/ozone","om"] + httpfs: + image: 
apache/ozone-runner:${OZONE_RUNNER_VERSION} + hostname: httpfs + volumes: + - ../..:/opt/hadoop + - ../_keytabs:/etc/security/keytabs + - ./krb5.conf:/etc/krb5.conf + ports: + - 14000:14000 + env_file: + - ./docker-config + command: [ "/opt/hadoop/bin/ozone","httpfs" ] + environment: + OZONE-SITE.XML_hdds.scm.safemode.min.datanode: ${OZONE_SAFEMODE_MIN_DATANODES:-1} + OZONE_OPTS: + s3g: + image: ${OZONE_RUNNER_IMAGE}:${OZONE_RUNNER_VERSION} + hostname: s3g + volumes: + - ../..:/opt/hadoop + - ../_keytabs:/etc/security/keytabs + - ./krb5.conf:/etc/krb5.conf + ports: + - 9878:9878 + env_file: + - ./docker-config + command: ["/opt/hadoop/bin/ozone","s3g"] + environment: + OZONE_OPTS: + recon: + image: ${OZONE_RUNNER_IMAGE}:${OZONE_RUNNER_VERSION} + hostname: recon + volumes: + - ../..:/opt/hadoop + - ../_keytabs:/etc/security/keytabs + - ./krb5.conf:/etc/krb5.conf + ports: + - 9888:9888 + env_file: + - ./docker-config + environment: + OZONE_OPTS: + command: ["/opt/hadoop/bin/ozone","recon"] + scm: + image: ${OZONE_RUNNER_IMAGE}:${OZONE_RUNNER_VERSION} + hostname: scm + volumes: + - ../..:/opt/hadoop + - ../_keytabs:/etc/security/keytabs + - ./krb5.conf:/etc/krb5.conf + ports: + - 9876:9876 + - 9860:9860 + env_file: + - docker-config + environment: + ENSURE_SCM_INITIALIZED: /data/metadata/scm/current/VERSION + OZONE-SITE.XML_hdds.scm.safemode.min.datanode: "${OZONE_SAFEMODE_MIN_DATANODES:-1}" + OZONE_OPTS: + command: ["/opt/hadoop/bin/ozone","scm"] + vault: + image: hashicorp/vault + hostname: vault + cap_add: + - IPC_LOCK + env_file: + - .env Review Comment: I think this is unnecessary, Docker Compose already reads `.env` for default values. ########## hadoop-ozone/dist/src/main/compose/ozonesecure-vault/docker-compose.yaml: ########## 
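Review bot: `OZONE-SITE.XML_hdds.scm.safemode.min.datanode` is written unquoted in the httpfs service but quoted in the scm service; both should use the quoted form `OZONE-SITE.XML_hdds.scm.safemode.min.datanode: "${OZONE_SAFEMODE_MIN_DATANODES:-1}"` so the value always reaches the container as a string and the two services stay consistent. The om service sets `OZONE_OPTS: -Dcom.sun.net.ssl.checkRevocation=false`, which disables JVM certificate revocation checking; that is presumably acceptable for a test cluster, but a comment such as `# test cluster only: disables JVM certificate revocation checks` above the line would keep it from being copied into production-like setups unnoticed. The same hunk is quoted again below for the other threads on this file.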
@@ -0,0 +1,142 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +version: "3" +services: + kdc: + image: ${OZONE_TESTKRB5_IMAGE} + hostname: kdc + volumes: + - ../..:/opt/hadoop + - ../_keytabs:/etc/security/keytabs + command: ["krb5kdc","-n"] + kms: + image: apache/hadoop:${HADOOP_VERSION} + ports: + - 9600:9600 + env_file: + - ./docker-config + environment: + HADOOP_CONF_DIR: /opt/hadoop/etc/hadoop + volumes: + - ../../libexec/transformation.py:/opt/transformation.py + command: ["hadoop", "kms"] + datanode: + image: ${OZONE_RUNNER_IMAGE}:${OZONE_RUNNER_VERSION} + volumes: + - ../..:/opt/hadoop + - ../_keytabs:/etc/security/keytabs + - ./krb5.conf:/etc/krb5.conf + ports: + - 9864 + command: ["/opt/hadoop/bin/ozone","datanode"] + env_file: + - docker-config + environment: + OZONE_OPTS: + om: + image: ${OZONE_RUNNER_IMAGE}:${OZONE_RUNNER_VERSION} + hostname: om + volumes: + - ../..:/opt/hadoop + - ../_keytabs:/etc/security/keytabs + - ./krb5.conf:/etc/krb5.conf + ports: + - 9874:9874 + - 9862:9862 + environment: + ENSURE_OM_INITIALIZED: /data/metadata/om/current/VERSION + OZONE_OPTS: -Dcom.sun.net.ssl.checkRevocation=false + env_file: + - docker-config + command: ["/opt/hadoop/bin/ozone","om"] + httpfs: + image: 
apache/ozone-runner:${OZONE_RUNNER_VERSION} + hostname: httpfs + volumes: + - ../..:/opt/hadoop + - ../_keytabs:/etc/security/keytabs + - ./krb5.conf:/etc/krb5.conf + ports: + - 14000:14000 + env_file: + - ./docker-config + command: [ "/opt/hadoop/bin/ozone","httpfs" ] + environment: + OZONE-SITE.XML_hdds.scm.safemode.min.datanode: ${OZONE_SAFEMODE_MIN_DATANODES:-1} + OZONE_OPTS: + s3g: + image: ${OZONE_RUNNER_IMAGE}:${OZONE_RUNNER_VERSION} + hostname: s3g + volumes: + - ../..:/opt/hadoop + - ../_keytabs:/etc/security/keytabs + - ./krb5.conf:/etc/krb5.conf + ports: + - 9878:9878 + env_file: + - ./docker-config + command: ["/opt/hadoop/bin/ozone","s3g"] + environment: + OZONE_OPTS: + recon: + image: ${OZONE_RUNNER_IMAGE}:${OZONE_RUNNER_VERSION} + hostname: recon + volumes: + - ../..:/opt/hadoop + - ../_keytabs:/etc/security/keytabs + - ./krb5.conf:/etc/krb5.conf + ports: + - 9888:9888 + env_file: + - ./docker-config + environment: + OZONE_OPTS: + command: ["/opt/hadoop/bin/ozone","recon"] + scm: + image: ${OZONE_RUNNER_IMAGE}:${OZONE_RUNNER_VERSION} + hostname: scm + volumes: + - ../..:/opt/hadoop + - ../_keytabs:/etc/security/keytabs + - ./krb5.conf:/etc/krb5.conf + ports: + - 9876:9876 + - 9860:9860 + env_file: + - docker-config + environment: + ENSURE_SCM_INITIALIZED: /data/metadata/scm/current/VERSION + OZONE-SITE.XML_hdds.scm.safemode.min.datanode: "${OZONE_SAFEMODE_MIN_DATANODES:-1}" + OZONE_OPTS: + command: ["/opt/hadoop/bin/ozone","scm"] + vault: + image: hashicorp/vault + hostname: vault + cap_add: + - IPC_LOCK + env_file: + - .env + ports: + - ${VAULT_PORT}:8200 + volumes: + - ./data/vault:/vault/file + - ./logs/vault:/vault/logs Review Comment: Why do we need to bind-mount these volumes? After running the tests these local dirs have strange ownership and cannot be simply removed. If possible, please remove this. ########## hadoop-ozone/dist/src/main/compose/ozonesecure-vault/docker-compose.yaml: ########## 
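Review bot: The `vault` service at the end of the hunk has no `command` and does not mount the `vault-config.json` this PR adds (quoted further down in the thread), so which mode the server starts in depends entirely on the image's default entrypoint — presumably dev mode, which keeps its storage in memory and starts unsealed with a root token, leaving the `/vault/file` mount unused. If the file backend in `vault-config.json` is the intent, mount it and start the server with it, e.g. `- ./vault-config.json:/vault/config/vault-config.json` under `volumes` and `command: ["server", "-config=/vault/config/vault-config.json"]`; if dev mode is the intent, a comment above the service saying so would make that explicit. Nothing in this compose file shows how the OM authenticates to this Vault instance, so a comment naming where the token comes from would help whoever next touches the test.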
@@ -0,0 +1,142 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +version: "3" +services: + kdc: + image: ${OZONE_TESTKRB5_IMAGE} + hostname: kdc + volumes: + - ../..:/opt/hadoop + - ../_keytabs:/etc/security/keytabs + command: ["krb5kdc","-n"] + kms: + image: apache/hadoop:${HADOOP_VERSION} + ports: + - 9600:9600 + env_file: + - ./docker-config + environment: + HADOOP_CONF_DIR: /opt/hadoop/etc/hadoop + volumes: + - ../../libexec/transformation.py:/opt/transformation.py + command: ["hadoop", "kms"] + datanode: + image: ${OZONE_RUNNER_IMAGE}:${OZONE_RUNNER_VERSION} + volumes: + - ../..:/opt/hadoop + - ../_keytabs:/etc/security/keytabs + - ./krb5.conf:/etc/krb5.conf + ports: + - 9864 + command: ["/opt/hadoop/bin/ozone","datanode"] + env_file: + - docker-config + environment: + OZONE_OPTS: + om: + image: ${OZONE_RUNNER_IMAGE}:${OZONE_RUNNER_VERSION} + hostname: om + volumes: + - ../..:/opt/hadoop + - ../_keytabs:/etc/security/keytabs + - ./krb5.conf:/etc/krb5.conf + ports: + - 9874:9874 + - 9862:9862 + environment: + ENSURE_OM_INITIALIZED: /data/metadata/om/current/VERSION + OZONE_OPTS: -Dcom.sun.net.ssl.checkRevocation=false Review Comment: Add the new module and Vault to the classpath: ```suggestion environment: 
ENSURE_OM_INITIALIZED: /data/metadata/om/current/VERSION OZONE_OPTS: -Dcom.sun.net.ssl.checkRevocation=false OZONE_CLASSPATH: /opt/hadoop/share/ozone/lib/[email protected]@.jar:/opt/hadoop/share/ozone/lib/vault-java-driver-5.1.0.jar ``` ########## hadoop-ozone/dist/src/main/compose/ozonesecure-vault/vault-config.json: ########## @@ -0,0 +1,14 @@ +{ + "stora ge": { Review Comment: Typo? ```suggestion "storage": { ``` ########## hadoop-ozone/dist/src/main/compose/ozonesecure-vault/docker-compose.yaml: ########## 
@@ -0,0 +1,142 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +version: "3" +services: + kdc: + image: ${OZONE_TESTKRB5_IMAGE} + hostname: kdc + volumes: + - ../..:/opt/hadoop + - ../_keytabs:/etc/security/keytabs + command: ["krb5kdc","-n"] + kms: + image: apache/hadoop:${HADOOP_VERSION} + ports: + - 9600:9600 + env_file: + - ./docker-config + environment: + HADOOP_CONF_DIR: /opt/hadoop/etc/hadoop + volumes: + - ../../libexec/transformation.py:/opt/transformation.py + command: ["hadoop", "kms"] + datanode: + image: ${OZONE_RUNNER_IMAGE}:${OZONE_RUNNER_VERSION} + volumes: + - ../..:/opt/hadoop + - ../_keytabs:/etc/security/keytabs + - ./krb5.conf:/etc/krb5.conf + ports: + - 9864 + command: ["/opt/hadoop/bin/ozone","datanode"] + env_file: + - docker-config + environment: + OZONE_OPTS: + om: + image: ${OZONE_RUNNER_IMAGE}:${OZONE_RUNNER_VERSION} + hostname: om + volumes: + - ../..:/opt/hadoop + - ../_keytabs:/etc/security/keytabs + - ./krb5.conf:/etc/krb5.conf + ports: + - 9874:9874 + - 9862:9862 + environment: + ENSURE_OM_INITIALIZED: /data/metadata/om/current/VERSION + OZONE_OPTS: -Dcom.sun.net.ssl.checkRevocation=false + env_file: + - docker-config + command: ["/opt/hadoop/bin/ozone","om"] + httpfs: + image: 
apache/ozone-runner:${OZONE_RUNNER_VERSION} + hostname: httpfs + volumes: + - ../..:/opt/hadoop + - ../_keytabs:/etc/security/keytabs + - ./krb5.conf:/etc/krb5.conf + ports: + - 14000:14000 + env_file: + - ./docker-config + command: [ "/opt/hadoop/bin/ozone","httpfs" ] + environment: + OZONE-SITE.XML_hdds.scm.safemode.min.datanode: ${OZONE_SAFEMODE_MIN_DATANODES:-1} + OZONE_OPTS: + s3g: + image: ${OZONE_RUNNER_IMAGE}:${OZONE_RUNNER_VERSION} + hostname: s3g + volumes: + - ../..:/opt/hadoop + - ../_keytabs:/etc/security/keytabs + - ./krb5.conf:/etc/krb5.conf + ports: + - 9878:9878 + env_file: + - ./docker-config + command: ["/opt/hadoop/bin/ozone","s3g"] + environment: + OZONE_OPTS: + recon: + image: ${OZONE_RUNNER_IMAGE}:${OZONE_RUNNER_VERSION} + hostname: recon + volumes: + - ../..:/opt/hadoop + - ../_keytabs:/etc/security/keytabs + - ./krb5.conf:/etc/krb5.conf + ports: + - 9888:9888 + env_file: + - ./docker-config + environment: + OZONE_OPTS: + command: ["/opt/hadoop/bin/ozone","recon"] + scm: + image: ${OZONE_RUNNER_IMAGE}:${OZONE_RUNNER_VERSION} + hostname: scm + volumes: + - ../..:/opt/hadoop + - ../_keytabs:/etc/security/keytabs + - ./krb5.conf:/etc/krb5.conf + ports: + - 9876:9876 + - 9860:9860 + env_file: + - docker-config + environment: + ENSURE_SCM_INITIALIZED: /data/metadata/scm/current/VERSION + OZONE-SITE.XML_hdds.scm.safemode.min.datanode: "${OZONE_SAFEMODE_MIN_DATANODES:-1}" + OZONE_OPTS: + command: ["/opt/hadoop/bin/ozone","scm"] + vault: + image: hashicorp/vault Review Comment: Please specify image version, avoid `latest`. ########## hadoop-ozone/dist/src/main/compose/ozonesecure-vault/docker-config: ########## 
@@ -0,0 +1,192 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +CORE-SITE.XML_fs.defaultFS=ofs://om +CORE-SITE.XML_fs.trash.interval=1 +# For HttpFS service it is required to enable proxying users. +CORE-SITE.XML_hadoop.proxyuser.httpfs.hosts=* +CORE-SITE.XML_hadoop.proxyuser.httpfs.groups=* + +OZONE-SITE.XML_ozone.om.address=om +OZONE-SITE.XML_ozone.om.http-address=om:9874 +# TODO: HDDS-7495 +# S3 security tests need object store layout from s3 gateway. Other tests on +# this cluster use `ozone fs`. The config to set an S3 gateway specific bucket +# layout will be added in HDDS-7495. Until then, the server side default must +# be changed for all tests on this cluster to work. 
+OZONE-SITE.XML_ozone.default.bucket.layout=LEGACY +OZONE-SITE.XML_ozone.scm.http-address=scm:9876 +OZONE-SITE.XML_ozone.scm.container.size=1GB +OZONE-SITE.XML_ozone.scm.pipeline.creation.interval=30s +OZONE-SITE.XML_ozone.scm.pipeline.owner.container.count=1 +OZONE-SITE.XML_ozone.scm.names=scm +OZONE-SITE.XML_ozone.scm.datanode.id.dir=/data +OZONE-SITE.XML_ozone.scm.block.client.address=scm +OZONE-SITE.XML_ozone.metadata.dirs=/data/metadata +OZONE-SITE.XML_ozone.handler.type=distributed +OZONE-SITE.XML_ozone.scm.client.address=scm +OZONE-SITE.XML_hdds.block.token.enabled=true +OZONE-SITE.XML_hdds.container.token.enabled=true +OZONE-SITE.XML_hdds.grpc.tls.enabled=true +OZONE-SITE.XML_ozone.replication=3 +OZONE-SITE.XML_ozone.datanode.pipeline.limit=1 +OZONE-SITE.XML_hdds.scmclient.max.retry.timeout=30s + +OZONE-SITE.XML_ozone.recon.om.snapshot.task.interval.delay=1m +OZONE-SITE.XML_ozone.recon.db.dir=/data/metadata/recon +OZONE-SITE.XML_ozone.recon.om.snapshot.task.initial.delay=20s +OZONE-SITE.XML_ozone.recon.address=recon:9891 + +OZONE-SITE.XML_ozone.security.enabled=true +OZONE-SITE.XML_ozone.acl.enabled=true +OZONE-SITE.XML_ozone.acl.authorizer.class=org.apache.hadoop.ozone.security.acl.OzoneNativeAuthorizer +OZONE-SITE.XML_ozone.administrators="testuser,recon" +OZONE-SITE.XML_ozone.recon.administrators="testuser2" + +OZONE-SITE.XML_hdds.datanode.dir=/data/hdds +HDFS-SITE.XML_dfs.datanode.address=0.0.0.0:1019 +HDFS-SITE.XML_dfs.datanode.http.address=0.0.0.0:1012 +CORE-SITE.XML_dfs.data.transfer.protection=authentication +CORE-SITE.XML_hadoop.security.authentication=kerberos +CORE-SITE.XML_hadoop.security.auth_to_local="DEFAULT" +CORE-SITE.XML_hadoop.security.key.provider.path=kms://http@kms:9600/kms + + +OZONE-SITE.XML_hdds.scm.kerberos.principal=scm/[email protected] +OZONE-SITE.XML_hdds.scm.kerberos.keytab.file=/etc/security/keytabs/scm.keytab +OZONE-SITE.XML_ozone.om.kerberos.principal=om/[email protected] 
+OZONE-SITE.XML_ozone.om.kerberos.keytab.file=/etc/security/keytabs/om.keytab +OZONE-SITE.XML_ozone.recon.kerberos.keytab.file=/etc/security/keytabs/recon.keytab +OZONE-SITE.XML_ozone.recon.kerberos.principal=recon/[email protected] + +OZONE-SITE.XML_ozone.s3g.kerberos.keytab.file=/etc/security/keytabs/s3g.keytab +OZONE-SITE.XML_ozone.s3g.kerberos.principal=s3g/[email protected] + +OZONE-SITE.XML_ozone.httpfs.kerberos.keytab.file=/etc/security/keytabs/httpfs.keytab +OZONE-SITE.XML_ozone.httpfs.kerberos.principal=httpfs/[email protected] + +OZONE-SITE.XML_hdds.scm.replication.thread.interval=5s +OZONE-SITE.XML_hdds.scm.replication.enable.legacy=false +OZONE-SITE.XML_ozone.scm.stale.node.interval=30s +OZONE-SITE.XML_ozone.scm.dead.node.interval=45s +OZONE-SITE.XML_hdds.container.report.interval=60s +OZONE-SITE.XML_ozone.om.s3.grpc.server_enabled=true + +OZONE-SITE.XML_dfs.container.ratis.datastream.enabled=true + +HDFS-SITE.XML_dfs.datanode.kerberos.principal=dn/[email protected] +HDFS-SITE.XML_dfs.datanode.kerberos.keytab.file=/etc/security/keytabs/dn.keytab +HDFS-SITE.XML_dfs.web.authentication.kerberos.principal=HTTP/[email protected] +HDFS-SITE.XML_dfs.web.authentication.kerberos.keytab=/etc/security/keytabs/HTTP.keytab + + +OZONE-SITE.XML_ozone.security.http.kerberos.enabled=true +OZONE-SITE.XML_ozone.http.filter.initializers=org.apache.hadoop.security.AuthenticationFilterInitializer + +OZONE-SITE.XML_ozone.om.http.auth.type=kerberos +OZONE-SITE.XML_hdds.scm.http.auth.type=kerberos +OZONE-SITE.XML_hdds.datanode.http.auth.type=kerberos +OZONE-SITE.XML_ozone.s3g.http.auth.type=kerberos +OZONE-SITE.XML_ozone.httpfs.http.auth.type=kerberos +OZONE-SITE.XML_ozone.recon.http.auth.type=kerberos + +OZONE-SITE.XML_hdds.scm.http.auth.kerberos.principal=HTTP/[email protected] +OZONE-SITE.XML_hdds.scm.http.auth.kerberos.keytab=/etc/security/keytabs/scm.keytab +OZONE-SITE.XML_ozone.om.http.auth.kerberos.principal=HTTP/[email protected] 
+OZONE-SITE.XML_ozone.om.http.auth.kerberos.keytab=/etc/security/keytabs/om.keytab +OZONE-SITE.XML_hdds.datanode.http.auth.kerberos.principal=HTTP/[email protected] +OZONE-SITE.XML_hdds.datanode.http.auth.kerberos.keytab=/etc/security/keytabs/dn.keytab +OZONE-SITE.XML_ozone.s3g.http.auth.kerberos.keytab=/etc/security/keytabs/s3g.keytab +OZONE-SITE.XML_ozone.s3g.http.auth.kerberos.principal=HTTP/[email protected] +OZONE-SITE.XML_ozone.httpfs.http.auth.kerberos.keytab=/etc/security/keytabs/httpfs.keytab +OZONE-SITE.XML_ozone.httpfs.http.auth.kerberos.principal=HTTP/[email protected] +OZONE-SITE.XML_ozone.recon.http.auth.kerberos.principal=HTTP/[email protected] +OZONE-SITE.XML_ozone.recon.http.auth.kerberos.keytab=/etc/security/keytabs/recon.keytab + +CORE-SITE.XML_hadoop.http.authentication.simple.anonymous.allowed=false +CORE-SITE.XML_hadoop.http.authentication.signature.secret.file=/etc/security/http_secret +CORE-SITE.XML_hadoop.http.authentication.type=kerberos +CORE-SITE.XML_hadoop.http.authentication.kerberos.principal=HTTP/[email protected] +CORE-SITE.XML_hadoop.http.authentication.kerberos.keytab=/etc/security/keytabs/HTTP.keytab + + +CORE-SITE.XML_hadoop.security.authorization=true +HADOOP-POLICY.XML_ozone.om.security.client.protocol.acl=* +HADOOP-POLICY.XML_hdds.security.client.datanode.container.protocol.acl=* +HADOOP-POLICY.XML_hdds.security.client.scm.container.protocol.acl=* +HADOOP-POLICY.XML_hdds.security.client.scm.block.protocol.acl=* +HADOOP-POLICY.XML_hdds.security.client.scm.certificate.protocol.acl=* + +HDFS-SITE.XML_rpc.metrics.quantile.enable=true +HDFS-SITE.XML_rpc.metrics.percentiles.intervals=60,300 + +HTTPFS-SITE.XML_hadoop.http.authentication.type=kerberos +HTTPFS-SITE.XML_hadoop.http.authentication.kerberos.keytab=/etc/security/keytabs/httpfs.keytab +HTTPFS-SITE.XML_hadoop.http.authentication.kerberos.principal=HTTP/[email protected] +HTTPFS-SITE.XML_httpfs.hadoop.authentication.type=kerberos 
+HTTPFS-SITE.XML_httpfs.hadoop.authentication.kerberos.keytab=/etc/security/keytabs/httpfs.keytab +HTTPFS-SITE.XML_httpfs.hadoop.authentication.kerberos.principal=httpfs/[email protected] +KMS-SITE.XML_hadoop.kms.proxyuser.s3g.users=* +KMS-SITE.XML_hadoop.kms.proxyuser.s3g.groups=* +KMS-SITE.XML_hadoop.kms.proxyuser.s3g.hosts=* + +#Enable this variable to print out all hadoop rpc traffic to the stdout. See http://byteman.jboss.org/ to define your own instrumentation. +#BYTEMAN_SCRIPT_URL=https://raw.githubusercontent.com/apache/hadoop/trunk/dev-support/byteman/hadooprpc.btm + +OZONE_DATANODE_SECURE_USER=root +JAVA_HOME=/usr/lib/jvm/jre +JSVC_HOME=/usr/bin + +OZONE_CONF_DIR=/etc/hadoop +OZONE_LOG_DIR=/var/log/hadoop + +no_proxy=om,scm,recon,s3g,kdc,localhost,127.0.0.1 + +# Multi-Tenancy configs +OZONE-SITE.XML_ozone.om.multitenancy.enabled=true +OZONE-SITE.XML_ozone.om.ranger.service=cm_ozone + +# Note: Ranger address and credentials here doesn't matter when OM uses +# InMemoryMultiTenantAccessController (used when dev flag is set). +# But the values can't be empty otherwise OM config check would report failure. +OZONE-SITE.XML_ozone.om.ranger.https-address=https://ranger:6182 +OZONE-SITE.XML_ozone.om.ranger.https.admin.api.user=admin +OZONE-SITE.XML_ozone.om.ranger.https.admin.api.passwd=Passwd1 + +# ozone.om.kerberos.principal and ozone.om.kerberos.keytab.file +# (can be used for the RangerClient) are already defined above. + +OZONE-SITE.XML_ozone.om.multitenancy.ranger.sync.interval=30s +OZONE-SITE.XML_ozone.om.multitenancy.ranger.sync.timeout=10s + +# Use InMemoryMultiTenantAccessController as we don't have Ranger Admin Server here. +# This is fine with one OM. But for OM HA, each OM would have its own in-memory +# "Ranger" state as a result. +# New OM leader's in-memory "Ranger" state won't be consistent with OM DB until +# a BG sync run has successfully finished because only previously leader OM +# pushes updates to Ranger. 
+# +# Potential TODO: We could trigger BG sync automatically during OM leadership +# change or let all OMs write to AccessController if this dev flag is set. +# +OZONE-SITE.XML_ozone.om.tenant.dev.skip.ranger=true + +OZONE-SITE.XML_ozone.secret.s3.store.provider=org.apache.hadoop.ozone.s3.remote.vault.VaultS3SecretStorageProvider +OZONE-SITE.XML_ozone.secret.s3.store.remote.vault.address=localhost:8200 Review Comment: 1. need protocol (`http`) 2. OM and Vault run in separate containers, Vault is not `localhost` from OM's point of view ```suggestion OZONE-SITE.XML_ozone.secret.s3.store.remote.vault.address=http://vault:8200 ``` ########## hadoop-ozone/dist/src/main/compose/ozonesecure-vault/test.sh: ########## 
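Review bot: `no_proxy=om,scm,recon,s3g,kdc,localhost,127.0.0.1` does not list the new `vault` host, although the OM now talks to it through `ozone.secret.s3.store.remote.vault.address`; in an environment where `http_proxy`/`https_proxy` are set, which is common on CI runners, the OM's requests to Vault would go to the proxy instead of the container. Change the line to `no_proxy=om,scm,recon,s3g,kdc,vault,localhost,127.0.0.1`. Nothing in this file configures how the OM authenticates to Vault (token or mount path); if `VaultS3SecretStorageProvider` takes those from elsewhere, a comment next to the two `ozone.secret.s3.store.*` keys naming that source would save the next reader a search.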
@@ -0,0 +1,60 @@ +#!/usr/bin/env bash +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#suite:secure + +COMPOSE_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" +export COMPOSE_DIR + +# shellcheck source=/dev/null +source "$COMPOSE_DIR/../testlib.sh" + +export SECURITY_ENABLED=true + +: ${OZONE_BUCKET_KEY_NAME:=key1} + +start_docker_env + +execute_command_in_container kms hadoop key create ${OZONE_BUCKET_KEY_NAME} + +execute_robot_test scm kinit.robot + +execute_robot_test scm basic + +execute_robot_test scm security + +execute_robot_test scm -v SCHEME:ofs -v BUCKET_TYPE:bucket -N ozonefs-ofs-bucket ozonefs/ozonefs.robot + +#expects 4 pipelines, should be run before +#admincli which creates STANDALONE pipeline +execute_robot_test scm recon + +execute_robot_test scm admincli +execute_robot_test scm spnego +execute_robot_test scm snapshot/snapshot-acls.robot + +execute_robot_test scm httpfs + +# test replication +docker-compose up -d --scale datanode=2 +execute_robot_test scm -v container:1 -v count:2 replication/wait.robot +docker-compose up -d --scale datanode=3 +execute_robot_test scm -v container:1 -v count:3 replication/wait.robot Review Comment: Let's limit tests to S3: ``` execute_robot_test scm s3 ``` -- 
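Review bot: Nothing in test.sh prepares the Vault side before the robot suites run — there is no step that waits for the vault container, creates a secrets mount or hands a token to the OM — so if `VaultS3SecretStorageProvider` expects a pre-existing mount or token, the secret store will fail on first use; if the vault container comes up ready for use as started, a comment saying so next to `start_docker_env` would make that assumption explicit. Separately, `execute_command_in_container kms hadoop key create ${OZONE_BUCKET_KEY_NAME}` should quote the expansion as `"${OZONE_BUCKET_KEY_NAME}"` so a value with spaces or glob characters is passed as a single argument.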
