Posted to issues@metron.apache.org by GitBox <gi...@apache.org> on 2019/10/03 03:29:21 UTC

[GitHub] [metron] tigerquoll edited a comment on issue #1519: METRON-2265: Update Kerberos settings

tigerquoll edited a comment on issue #1519: METRON-2265: Update Kerberos settings
URL: https://github.com/apache/metron/pull/1519#issuecomment-537767880
 
 
   Ok,
   I can get Kerberos Metron processing data with this PR.  The jars and everything appear OK; it was the contained deployment instructions that were causing me grief.
   
   I had to deviate from the provided "metron-deployment/Kerberos-manual-setup.md" file in the following ways (Can somebody update the markup file in the PR or will there need to be a new PR for those markup changes?)
   
   ### Initial environment:
   ```
   source /etc/default/metron
   export KAFKA_HOME="/usr/hdp/current/kafka-broker"
   export BROKERLIST=node1:6667
   export HDP_HOME="/usr/hdp/current"
   export KAFKA_HOME="${HDP_HOME}/kafka-broker"
   export CLIENT_JAAS_ARG=/etc/kafka/conf/kafka_client_jaas.conf
   export KAFKA_SECURITY_PROTOCOL=SASL_PLAINTEXT
   export ELASTICSEARCH=node1:9200
   export KAFKA_OPTS="-Djava.security.auth.login.config=$CLIENT_JAAS_ARG"
   ```
   
   ### Verify KDC
   Step 2:
   add `kinit metron` before `klist -f`
   
   ### Enable kerberos
   Step 3:
   metron.headless.keytab appears to already be generated,
   so add to start of step 3:
   `rm metron.headless.keytab`
   change:
   `cp metron.headless.keytab /etc/security/keytabs`
   to:
   `cp -n metron.headless.keytab /etc/security/keytabs`
   
   ### Kafka Authorization:
   The Metron user does not have permissions to edit ACLs. The Kafka Service account does have permissions, so we can temporarily use that keytab to add ACLs.
   
   Add to start of Step 3:
   ```
   export CLIENT_JAAS_ARG=/etc/kafka/conf/kafka_jaas.conf
   export KAFKA_OPTS="-Djava.security.auth.login.config=$CLIENT_JAAS_ARG"
   ```
   
   ### Storm Authorization
   An additional step should be done before the others
   `su metron -`
   
   Step 7 requires root access,
   so add
   ```
   exit
   id
   <confirm root account>
   source /etc/default/metron
   ```
   before proceeding with the rest of the script
   
   ### Start metron
   
   Step 1:
   add `source /etc/default/metron`
   
   
   ### Push Data
   remove
   `export KAFKA_OPTS=$CLIENT_JAAS_ARG`
   Add
   ```
   source /etc/default/metron
   export ELASTICSEARCH=node1:9200
   export KAFKA_SECURITY_PROTOCOL=SASL_PLAINTEXT
   export KAFKA_HOME="/usr/hdp/current/kafka-broker"
   export CLIENT_JAAS_ARG=/etc/kafka/conf/kafka_client_jaas.conf
   export KAFKA_OPTS="-Djava.security.auth.login.config=$CLIENT_JAAS_ARG"
   ```
   
   Add
   `curl -XGET "${ELASTICSEARCH}/bro*/_count"`
   before dumping new sample data to Kafka, to get the count beforehand for comparison purposes.
