Posted to commits@bigtop.apache.org by rv...@apache.org on 2012/03/24 01:11:48 UTC
svn commit: r1304677 - in
/incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules:
hadoop-hbase/manifests/ hadoop-oozie/manifests/ hadoop-zookeeper/manifests/
hadoop/manifests/ hadoop/templates/ kerberos/manifests/
Author: rvs
Date: Sat Mar 24 00:11:48 2012
New Revision: 1304677
URL: http://svn.apache.org/viewvc?rev=1304677&view=rev
Log:
BIGTOP-482. HTTPFS puppet code needs to be updated
Modified:
incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-hbase/manifests/init.pp
incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-oozie/manifests/init.pp
incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-zookeeper/manifests/init.pp
incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop/manifests/init.pp
incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop/templates/httpfs-site.xml
incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop/templates/mapred-site.xml
incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/kerberos/manifests/init.pp
Modified: incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-hbase/manifests/init.pp
URL: http://svn.apache.org/viewvc/incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-hbase/manifests/init.pp?rev=1304677&r1=1304676&r2=1304677&view=diff
==============================================================================
--- incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-hbase/manifests/init.pp (original)
+++ incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-hbase/manifests/init.pp Sat Mar 24 00:11:48 2012
@@ -25,6 +25,7 @@ class hadoop-hbase {
if ($kerberos_realm) {
require kerberos::client
kerberos::host_keytab { "hbase":
+ spnego => true,
}
file { "/etc/hbase/conf/jaas.conf":
Modified: incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-oozie/manifests/init.pp
URL: http://svn.apache.org/viewvc/incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-oozie/manifests/init.pp?rev=1304677&r1=1304676&r2=1304677&view=diff
==============================================================================
--- incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-oozie/manifests/init.pp (original)
+++ incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-oozie/manifests/init.pp Sat Mar 24 00:11:48 2012
@@ -24,6 +24,7 @@ class hadoop-oozie {
if ($kerberos_realm) {
require kerberos::client
kerberos::host_keytab { "oozie":
+ spnego => true,
}
}
Modified: incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-zookeeper/manifests/init.pp
URL: http://svn.apache.org/viewvc/incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-zookeeper/manifests/init.pp?rev=1304677&r1=1304676&r2=1304677&view=diff
==============================================================================
--- incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-zookeeper/manifests/init.pp (original)
+++ incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-zookeeper/manifests/init.pp Sat Mar 24 00:11:48 2012
@@ -49,6 +49,7 @@ class hadoop-zookeeper {
require kerberos::client
kerberos::host_keytab { "zookeeper":
+ spnego => true,
notify => Service["zookeeper-server"],
}
Modified: incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop/manifests/init.pp
URL: http://svn.apache.org/viewvc/incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop/manifests/init.pp?rev=1304677&r1=1304676&r2=1304677&view=diff
==============================================================================
--- incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop/manifests/init.pp (original)
+++ incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop/manifests/init.pp Sat Mar 24 00:11:48 2012
@@ -24,11 +24,13 @@ class hadoop {
require kerberos::client
kerberos::host_keytab { "hdfs":
- princs => [ "host", "hdfs", "HTTP" ],
+ princs => [ "host", "hdfs" ],
+ spnego => true,
}
kerberos::host_keytab { [ "yarn", "mapred" ]:
tag => "mapreduce",
+ spnego => true,
}
}
@@ -155,6 +157,7 @@ class hadoop {
if ($auth == "kerberos") {
kerberos::host_keytab { "httpfs":
+ spnego => true,
}
}
Modified: incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop/templates/httpfs-site.xml
URL: http://svn.apache.org/viewvc/incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop/templates/httpfs-site.xml?rev=1304677&r1=1304676&r2=1304677&view=diff
==============================================================================
--- incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop/templates/httpfs-site.xml (original)
+++ incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop/templates/httpfs-site.xml Sat Mar 24 00:11:48 2012
@@ -18,7 +18,20 @@
<configuration>
-<% if hadoop_security_authentication == "kerberos" %>
+<% if has_variable?("hadoop_core_proxyusers") -%>
+<% hadoop_core_proxyusers.each do |superuser, data| -%>
+ <property>
+ <name>httpfs.proxyuser.<%= superuser %>.hosts</name>
+ <value><%= data['hosts'] %></value>
+ </property>
+ <property>
+ <name>httpfs.proxyuser.<%= superuser %>.groups</name>
+ <value><%= data['groups'] %></value>
+ </property>
+<% end -%>
+<% end -%>
+
+<% if hadoop_security_authentication == "kerberos" -%>
<property>
<name>httpfs.authentication.type</name>
<value>kerberos</value>
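Review bot: The new proxyuser loop writes `data['hosts']` and `data['groups']` into the XML without checking that they are present and without escaping, so an incomplete entry renders an empty `<value>` and a wildcard passes straight into the HTTPFS impersonation rules. It also reuses `hadoop_core_proxyusers`, so every superuser trusted at the HDFS layer presumably gets the same impersonation rights at the HTTP gateway. Consider failing the catalog on incomplete entries with `data.fetch('hosts')` and `data.fetch('groups')`. A comment above the loop would help too, e.g. `<%# proxyuser entries grant impersonation; keep hosts/groups as narrow as possible -%>`. The `if hadoop_security_authentication` block opened at the end of this hunk closes outside it.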
@@ -29,7 +42,7 @@
</property>
<property>
<name>httpfs.authentication.kerberos.principal</name>
- <value>httpfs/<%= fqdn %></value>
+ <value>HTTP/<%= fqdn %></value>
</property>
<property>
<name>httpfs.authentication.kerberos.keytab</name>
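Review bot: The new `HTTP/<%= fqdn %>` value carries no realm, whereas the NameNode principal later in this template is written as `hdfs/<%= hadoop_namenode_host %>@<%= kerberos_realm %>`. Without the realm, the service presumably falls back to the `default_realm` in the host's krb5.conf, which can resolve to the wrong realm on a multi-realm host. Consider `<value>HTTP/<%= fqdn %>@<%= kerberos_realm %></value>`, and the same suffix for `httpfs/<%= fqdn %>` in the following hunk.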
@@ -42,7 +55,7 @@
</property>
<property>
<name>httpfs.hadoop.authentication.kerberos.principal</name>
- <value>${httpfs.authentication.kerberos.principal}</value>
+ <value>httpfs/<%= fqdn %></value>
</property>
<property>
<name>httpfs.hadoop.authentication.kerberos.keytab</name>
@@ -52,7 +65,7 @@
<name>httpfs.hadoop.conf:dfs.namenode.kerberos.principal</name>
<value>hdfs/<%= hadoop_namenode_host %>@<%= kerberos_realm %></value>
</property>
-<% end %>
+<% end -%>
<property>
<name>httpfs.hadoop.conf:fs.default.name</name>
Modified: incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop/templates/mapred-site.xml
URL: http://svn.apache.org/viewvc/incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop/templates/mapred-site.xml?rev=1304677&r1=1304676&r2=1304677&view=diff
==============================================================================
--- incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop/templates/mapred-site.xml (original)
+++ incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop/templates/mapred-site.xml Sat Mar 24 00:11:48 2012
@@ -22,11 +22,11 @@
<!-- HistoryServer security configs -->
<property>
<name>mapreduce.jobhistory.principal</name>
- <value>mapreduce/_HOST@<%= kerberos_realm %></value>
+ <value>mapred/_HOST@<%= kerberos_realm %></value>
</property>
<property>
<name>mapreduce.jobhistory.keytab</name>
- <value>/etc/mapreduce.keytab</value> <!-- path to the MapReduce keytab -->
+ <value>/etc/mapred.keytab</value> <!-- path to the MapReduce keytab -->
</property>
<!-- JobTracker security configs -->
Modified: incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/kerberos/manifests/init.pp
URL: http://svn.apache.org/viewvc/incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/kerberos/manifests/init.pp?rev=1304677&r1=1304676&r2=1304677&view=diff
==============================================================================
--- incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/kerberos/manifests/init.pp (original)
+++ incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/kerberos/manifests/init.pp Sat Mar 24 00:11:48 2012
@@ -126,6 +126,11 @@ class kerberos {
}
class client inherits kerberos::site {
+ # Required for SPNEGO
+ @principal { "HTTP":
+
+ }
+
package { $package_name_client:
ensure => installed,
}
@@ -143,7 +148,7 @@ class kerberos {
Class["kerberos::client"]
}
- define create_princs {
+ define principal {
exec { "addprinc.$title":
path => $kerberos::site::exec_path, # BUG: I really shouldn't need to do a FQVN here
command => "kadmin -w secure -p kadmin/admin -q 'addprinc -randkey $title/$fqdn'",
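Review bot: The `addprinc` exec shown here passes the KDC admin password literally as `-w secure`, and the rewritten `command` line of the `xst` exec in the next hunk keeps the same form. A password on the command line is visible in the process list and in Puppet run logs, and a fixed value in the module means every deployment shares the same kadmin/admin credential. Consider authenticating kadmin with a keytab (`-k -t <admin keytab path>`), or at least take the password from a site-level parameter. A comment above the exec would record the rule: `# kadmin credential must come from site config, never a literal`. The define's body continues past the end of this hunk.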
@@ -152,23 +157,35 @@ class kerberos {
}
}
- define host_keytab($fqdn = "$hostname.$domain", $princs = undef) {
- $real_princs = $princs ? {
+ define host_keytab($fqdn = "$hostname.$domain", $princs = undef, $spnego = disabled) {
+
+ require "kerberos::client"
+
+ $needed_princs = $princs ? {
undef => [ $title ],
default => $princs,
}
$keytab = "/etc/${title}.keytab"
- $exports = inline_template("<%= real_princs.join('/$fqdn ') + '/$fqdn ' %>")
+ $exports = inline_template("<%= needed_princs.map { |x| x+'/$fqdn' }.join(' ') %>")
+ $spnego_export = $spnego ? {
+ /(true|enabled)/ => "HTTP/$fqdn",
+ default => "",
+ }
+
+ principal { $needed_princs:
- create_princs { $real_princs:
}
exec { "xst.$title":
path => $kerberos::site::exec_path, # BUG: I really shouldn't need to do a FQVN here
- command => "kadmin -w secure -p kadmin/admin -q 'xst -k $keytab $exports' ; chown $title $keytab",
+ command => "kadmin -w secure -p kadmin/admin -q 'xst -k $keytab $exports $spnego_export' ; chown $title $keytab",
unless => "klist -kt $keytab 2>/dev/null | grep -q $title/$fqdn",
- require => [ Create_princs[$real_princs] ],
+ require => [ Kerberos::Principal[$needed_princs] ],
+ }
+
+ if ($spnego =~ /(true|enabled)/) {
+ Kerberos::Principal <| title == "HTTP" |> -> Exec["xst.$title"]
}
}
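Review bot: With `$spnego` on, `HTTP/$fqdn` is appended to the `xst` export of every keytab, and as far as I know `xst` through remote kadmin generates a fresh random key for each principal it exports. On a host with several `host_keytab` resources (this commit sets `spnego => true` for hdfs, yarn, mapred and httpfs in hadoop/manifests/init.pp), each extraction would then invalidate the HTTP entry in the keytabs written before it. Extracting HTTP once into its own keytab and merging that into the service keytabs would avoid the re-keying. The `unless` guard also tests only `$title/$fqdn`, so a host that already has the service keytab never receives the HTTP entry; when SPNEGO is enabled the guard should also require `HTTP/$fqdn` in `klist -kt $keytab`. Finally, the unanchored `/(true|enabled)/` matches any string that merely contains those words; `/^(true|enabled)$/` is tighter.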