Posted to commits@slider.apache.org by bi...@apache.org on 2015/03/23 21:44:15 UTC
incubator-slider git commit: SLIDER-146 update accumulo secure mode
to allow kerberos user auth
Repository: incubator-slider
Updated Branches:
refs/heads/develop 7f195f662 -> 63627bc70
SLIDER-146 update accumulo secure mode to allow kerberos user auth
Project: http://git-wip-us.apache.org/repos/asf/incubator-slider/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-slider/commit/63627bc7
Tree: http://git-wip-us.apache.org/repos/asf/incubator-slider/tree/63627bc7
Diff: http://git-wip-us.apache.org/repos/asf/incubator-slider/diff/63627bc7
Branch: refs/heads/develop
Commit: 63627bc70a7d4c77856b938e5e0fe1c32edfc6d3
Parents: 7f195f6
Author: Billie Rinaldi <bi...@gmail.com>
Authored: Mon Mar 23 13:44:17 2015 -0700
Committer: Billie Rinaldi <bi...@gmail.com>
Committed: Mon Mar 23 13:44:17 2015 -0700
----------------------------------------------------------------------
.../accumulo/appConfig-secured-default.json | 18 ++++--
app-packages/accumulo/configuration/client.xml | 5 ++
.../package/scripts/accumulo_configuration.py | 67 ++++++--------------
.../accumulo/package/scripts/accumulo_script.py | 11 +++-
app-packages/accumulo/package/scripts/params.py | 10 +--
5 files changed, 52 insertions(+), 59 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/63627bc7/app-packages/accumulo/appConfig-secured-default.json
----------------------------------------------------------------------
diff --git a/app-packages/accumulo/appConfig-secured-default.json b/app-packages/accumulo/appConfig-secured-default.json
index 6d8abaa..347259f 100644
--- a/app-packages/accumulo/appConfig-secured-default.json
+++ b/app-packages/accumulo/appConfig-secured-default.json
@@ -28,12 +28,11 @@
"site.proxy.port": "${ACCUMULO_PROXY.ALLOCATED_PORT}{PER_CONTAINER}",
- "site.global.accumulo_root_password": "NOT_USED",
+ "site.global.accumulo_root_principal": "${USER_NAME}@EXAMPLE.COM",
"site.global.monitor_protocol": "http",
"site.accumulo-site.instance.volumes": "${DEFAULT_DATA_DIR}/data",
"site.accumulo-site.instance.zookeeper.host": "${ZK_HOST}",
- "site.accumulo-site.instance.security.authenticator": "org.apache.slider.accumulo.CustomAuthenticator",
"site.accumulo-site.general.security.credential.provider.paths": "jceks://hdfs/user/${USER}/accumulo-${CLUSTER_NAME}.jceks",
"site.accumulo-site.instance.rpc.ssl.enabled": "false",
@@ -41,6 +40,17 @@
"site.accumulo-site.general.kerberos.keytab": "${AGENT_WORK_ROOT}/keytabs/${USER_NAME}.ACCUMULO.service.keytab",
"site.accumulo-site.general.kerberos.principal": "${USER_NAME}/_HOST@EXAMPLE.COM",
+ "site.accumulo-site.instance.rpc.sasl.enabled": "true",
+ "site.accumulo-site.instance.security.authenticator": "org.apache.accumulo.server.security.handler.KerberosAuthenticator",
+ "site.accumulo-site.instance.security.authorizor": "org.apache.accumulo.server.security.handler.KerberosAuthorizor",
+ "site.accumulo-site.instance.security.permissionHandler": "org.apache.accumulo.server.security.handler.KerberosPermissionHandler",
+ "site.accumulo-site.general.delegation.token.lifetime": "7d",
+ "site.accumulo-site.general.delegation.token.update.interval": "1d",
+
+ "site.accumulo-site.trace.user": "${USER_NAME}@EXAMPLE.COM",
+ "site.accumulo-site.trace.token.property.keytab": "${AGENT_WORK_ROOT}/keytabs/${USER_NAME}.ACCUMULO.headless.keytab",
+ "site.accumulo-site.trace.token.type": "org.apache.accumulo.core.client.security.tokens.KerberosToken",
+
"site.accumulo-site.tserver.memory.maps.native.enabled": "false",
"site.accumulo-site.tserver.memory.maps.max": "80M",
"site.accumulo-site.tserver.cache.data.size": "7M",
@@ -48,8 +58,6 @@
"site.accumulo-site.tserver.sort.buffer.size": "50M",
"site.accumulo-site.tserver.walog.max.size": "40M",
- "site.accumulo-site.trace.user": "root",
-
"site.accumulo-site.master.port.client": "0",
"site.accumulo-site.trace.port.client": "0",
"site.accumulo-site.tserver.port.client": "0",
@@ -62,7 +70,7 @@
"site.accumulo-site.general.classpaths": "$ACCUMULO_HOME/lib/accumulo-server.jar,\n$ACCUMULO_HOME/lib/accumulo-core.jar,\n$ACCUMULO_HOME/lib/accumulo-start.jar,\n$ACCUMULO_HOME/lib/accumulo-fate.jar,\n$ACCUMULO_HOME/lib/accumulo-proxy.jar,\n$ACCUMULO_HOME/lib/[^.].*.jar,\n$ZOOKEEPER_HOME/zookeeper[^.].*.jar,\n$HADOOP_CONF_DIR,\n${@//site/accumulo-env/hadoop_conf_dir},\n$HADOOP_PREFIX/[^.].*.jar,\n$HADOOP_PREFIX/lib/[^.].*.jar,\n$HADOOP_PREFIX/share/hadoop/common/.*.jar,\n$HADOOP_PREFIX/share/hadoop/common/lib/.*.jar,\n$HADOOP_PREFIX/share/hadoop/hdfs/.*.jar,\n$HADOOP_PREFIX/share/hadoop/mapreduce/.*.jar,\n$HADOOP_PREFIX/share/hadoop/yarn/.*.jar,\n${hadoop.dir}/.*.jar,\n${hadoop.dir}/lib/.*.jar,\n${hdfs.dir}/.*.jar,\n${mapred.dir}/.*.jar,\n${yarn.dir}/.*.jar,"
},
"credentials": {
- "jceks://hdfs/user/${USER}/accumulo-${CLUSTER_NAME}.jceks": ["root.initial.password", "instance.secret", "trace.token.property.password"]
+ "jceks://hdfs/user/${USER}/accumulo-${CLUSTER_NAME}.jceks": ["instance.secret"]
},
"components": {
"slider-appmaster": {
http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/63627bc7/app-packages/accumulo/configuration/client.xml
----------------------------------------------------------------------
diff --git a/app-packages/accumulo/configuration/client.xml b/app-packages/accumulo/configuration/client.xml
index 313f6b6..ea59083 100644
--- a/app-packages/accumulo/configuration/client.xml
+++ b/app-packages/accumulo/configuration/client.xml
@@ -41,4 +41,9 @@
<value>${@//site/accumulo-site/instance.rpc.ssl.clientAuth}</value>
<description>SSL client auth enabled.</description>
</property>
+ <property>
+ <name>instance.rpc.sasl.enabled</name>
+ <value>${@//site/accumulo-site/instance.rpc.sasl.enabled}</value>
+ <description>SASL enabled.</description>
+ </property>
</configuration>
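Review bot: The new `${@//site/accumulo-site/instance.rpc.sasl.enabled}` reference resolves only when the application config defines that key, and in this commit only appConfig-secured-default.json does. If the non-secured default (not part of this diff) lacks it, the generated client configuration may end up with an unresolved or empty value. Adding `"site.accumulo-site.instance.rpc.sasl.enabled": "false"` there would keep the two in step. The description could also say what the flag controls, e.g. `<description>Use SASL (Kerberos) for client RPC; must match the server setting.</description>`.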
http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/63627bc7/app-packages/accumulo/package/scripts/accumulo_configuration.py
----------------------------------------------------------------------
diff --git a/app-packages/accumulo/package/scripts/accumulo_configuration.py b/app-packages/accumulo/package/scripts/accumulo_configuration.py
index 3a0e2ed..e7b3de8 100644
--- a/app-packages/accumulo/package/scripts/accumulo_configuration.py
+++ b/app-packages/accumulo/package/scripts/accumulo_configuration.py
@@ -38,41 +38,28 @@ def setup_conf_dir(name=None): # 'master' or 'tserver' or 'monitor' or 'gc' or '
content=StaticFile(jarname)
)
- if name != "client":
- # create pid dir
- Directory( params.pid_dir,
- owner = params.accumulo_user,
- group = params.user_group,
- recursive = True
- )
+ # create pid dir
+ Directory( params.pid_dir,
+ owner = params.accumulo_user,
+ group = params.user_group,
+ recursive = True
+ )
- # create log dir
- Directory (params.log_dir,
- owner = params.accumulo_user,
- group = params.user_group,
- recursive = True
- )
+ # create log dir
+ Directory (params.log_dir,
+ owner = params.accumulo_user,
+ group = params.user_group,
+ recursive = True
+ )
- # create a site file for server processes
- XmlConfig( "accumulo-site.xml",
- conf_dir = params.conf_dir,
- configurations = params.config['configurations']['accumulo-site'],
- owner = params.accumulo_user,
- group = params.user_group,
- mode=0600
- )
- else:
- # create a minimal site file for client processes
- client_configurations = {}
- client_configurations['instance.zookeeper.host'] = params.config['configurations']['accumulo-site']['instance.zookeeper.host']
- client_configurations['instance.volumes'] = params.config['configurations']['accumulo-site']['instance.volumes']
- client_configurations['general.classpaths'] = params.config['configurations']['accumulo-site']['general.classpaths']
- XmlConfig( "accumulo-site.xml",
- conf_dir = params.conf_dir,
- configurations = client_configurations,
- owner = params.accumulo_user,
- group = params.user_group
- )
+ # create a site file for server processes
+ XmlConfig( "accumulo-site.xml",
+ conf_dir = params.conf_dir,
+ configurations = params.config['configurations']['accumulo-site'],
+ owner = params.accumulo_user,
+ group = params.user_group,
+ mode=0600
+ )
# create env file
File(format("{params.conf_dir}/accumulo-env.sh"),
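Review bot: The retained comment `# create a site file for server processes` is no longer accurate, because with the `name != "client"` branch removed every caller of `setup_conf_dir` gets the full `accumulo-site` configuration instead of the three-property minimal file, along with the pid and log directories. If the function is still invoked for clients (the call sites are outside this diff), every server property, including the keytab and credential-provider paths, lands on client hosts. Mode 0600 limits readers to `params.accumulo_user`, but a reduced property set would be the least-privilege choice. At minimum reword the comment, e.g. `# create the site file; servers and clients share the full accumulo-site config`. `setup_conf_dir` starts before this hunk and continues past it.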
@@ -82,20 +69,6 @@ def setup_conf_dir(name=None): # 'master' or 'tserver' or 'monitor' or 'gc' or '
content=InlineTemplate(params.env_sh_template)
)
- # create client.conf file
- configs = {}
- configs.update(params.config['configurations']['client'])
- update_site_config(configs, 'general.security.credential.provider.paths')
- update_site_config(configs, 'rpc.javax.net.ssl.trustStore')
- update_site_config(configs, 'rpc.javax.net.ssl.trustStoreType')
- update_site_config(configs, 'rpc.javax.net.ssl.keyStore')
- update_site_config(configs, 'rpc.javax.net.ssl.keyStoreType')
- PropertiesFile(format("{params.conf_dir}/client.conf"),
- properties = configs,
- owner = params.accumulo_user,
- group = params.user_group
- )
-
# create metrics2 properties file
accumulo_TemplateConfig('hadoop-metrics2-accumulo.properties')
http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/63627bc7/app-packages/accumulo/package/scripts/accumulo_script.py
----------------------------------------------------------------------
diff --git a/app-packages/accumulo/package/scripts/accumulo_script.py b/app-packages/accumulo/package/scripts/accumulo_script.py
index 6227261..b982ce1 100644
--- a/app-packages/accumulo/package/scripts/accumulo_script.py
+++ b/app-packages/accumulo/package/scripts/accumulo_script.py
@@ -44,9 +44,14 @@ class AccumuloScript(Script):
if self.component == 'master':
try:
- Execute( format("{daemon_script} init --instance-name {accumulo_instance_name} --password {accumulo_root_password} --clear-instance-name >{log_dir}/accumulo-{accumulo_user}-init.out 2>{log_dir}/accumulo-{accumulo_user}-init.err"),
- not_if=format("{hadoop_prefix}/bin/hadoop fs -stat {accumulo_hdfs_root_dir}"),
- user=params.accumulo_user)
+ if params.kerberos_auth_enabled:
+ Execute( format("{daemon_script} init --instance-name {accumulo_instance_name} --user {accumulo_root_principal} --clear-instance-name >{log_dir}/accumulo-{accumulo_user}-init.out 2>{log_dir}/accumulo-{accumulo_user}-init.err"),
+ not_if=format("{hadoop_prefix}/bin/hadoop fs -stat {accumulo_hdfs_root_dir}"),
+ user=params.accumulo_user)
+ else:
+ Execute( format("{daemon_script} init --instance-name {accumulo_instance_name} --password {accumulo_root_password} --clear-instance-name >{log_dir}/accumulo-{accumulo_user}-init.out 2>{log_dir}/accumulo-{accumulo_user}-init.err"),
+ not_if=format("{hadoop_prefix}/bin/hadoop fs -stat {accumulo_hdfs_root_dir}"),
+ user=params.accumulo_user)
except Exception, e:
try:
Execute( format("{hadoop_prefix}/bin/hadoop fs -rm -R {accumulo_hdfs_root_dir}"),
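Review bot: `{accumulo_root_principal}` is interpolated into the shell command unquoted in the new `--user` branch, so a principal value from the app config that contains whitespace or shell metacharacters would alter the command run as `params.accumulo_user`. Quoting the value before formatting (for example with `pipes.quote(params.accumulo_root_principal)`) keeps it a single argument. The `else` branch still passes `--password {accumulo_root_password}` on the command line, where it is visible in process listings while init runs. The two `Execute` calls differ only in that one argument, so building the authentication argument once and formatting a single command would remove the duplication. The enclosing method starts and ends outside the hunk.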
http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/63627bc7/app-packages/accumulo/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/app-packages/accumulo/package/scripts/params.py b/app-packages/accumulo/package/scripts/params.py
index 11bcbd9..29a7c7d 100644
--- a/app-packages/accumulo/package/scripts/params.py
+++ b/app-packages/accumulo/package/scripts/params.py
@@ -51,13 +51,15 @@ log_dir = config['configurations']['global']['app_log_dir']
daemon_script = format("{accumulo_root}/bin/accumulo")
proxy_conf = format("{conf_dir}/proxy.properties")
-# accumulo clientauth
-clientauth_enabled = False
-if 'instance.rpc.ssl.clientAuth' in config['configurations']['accumulo-site']:
- clientauth_enabled = config['configurations']['accumulo-site']['instance.rpc.ssl.clientAuth']
+# accumulo kerberos user auth
+kerberos_auth_enabled = False
+if 'instance.security.authenticator' in config['configurations']['accumulo-site']\
+ and "org.apache.accumulo.server.security.handler.KerberosAuthenticator" == config['configurations']['accumulo-site']['instance.security.authenticator']:
+ kerberos_auth_enabled = True
# accumulo initialization parameters
accumulo_instance_name = config['configurations']['client']['instance.name']
+accumulo_root_principal = config['configurations']['global']['accumulo_root_principal']
accumulo_root_password = config['configurations']['global']['accumulo_root_password']
accumulo_hdfs_root_dir = config['configurations']['accumulo-site']['instance.volumes'].split(",")[0]
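Review bot: `accumulo_root_password` is still read unconditionally from `config['configurations']['global']` even though this commit removes `site.global.accumulo_root_password` from appConfig-secured-default.json, and the new `accumulo_root_principal` lookup is unconditional too. Unless another config layer supplies both keys, loading params is likely to fail in whichever mode lacks one of them. Reading each value only in the mode that uses it avoids that: put `accumulo_root_principal = config['configurations']['global']['accumulo_root_principal']` under `if kerberos_auth_enabled:` and the existing password lookup under `else:`. It would also help to note in the `# accumulo kerberos user auth` comment that any authenticator other than the exact `KerberosAuthenticator` class name selects the password-based init path.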