Posted to commits@slider.apache.org by bi...@apache.org on 2015/03/23 21:44:15 UTC

incubator-slider git commit: SLIDER-146 update accumulo secure mode to allow kerberos user auth

Repository: incubator-slider
Updated Branches:
  refs/heads/develop 7f195f662 -> 63627bc70


SLIDER-146 update accumulo secure mode to allow kerberos user auth


Project: http://git-wip-us.apache.org/repos/asf/incubator-slider/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-slider/commit/63627bc7
Tree: http://git-wip-us.apache.org/repos/asf/incubator-slider/tree/63627bc7
Diff: http://git-wip-us.apache.org/repos/asf/incubator-slider/diff/63627bc7

Branch: refs/heads/develop
Commit: 63627bc70a7d4c77856b938e5e0fe1c32edfc6d3
Parents: 7f195f6
Author: Billie Rinaldi <bi...@gmail.com>
Authored: Mon Mar 23 13:44:17 2015 -0700
Committer: Billie Rinaldi <bi...@gmail.com>
Committed: Mon Mar 23 13:44:17 2015 -0700

----------------------------------------------------------------------
 .../accumulo/appConfig-secured-default.json     | 18 ++++--
 app-packages/accumulo/configuration/client.xml  |  5 ++
 .../package/scripts/accumulo_configuration.py   | 67 ++++++--------------
 .../accumulo/package/scripts/accumulo_script.py | 11 +++-
 app-packages/accumulo/package/scripts/params.py | 10 +--
 5 files changed, 52 insertions(+), 59 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/63627bc7/app-packages/accumulo/appConfig-secured-default.json
----------------------------------------------------------------------
diff --git a/app-packages/accumulo/appConfig-secured-default.json b/app-packages/accumulo/appConfig-secured-default.json
index 6d8abaa..347259f 100644
--- a/app-packages/accumulo/appConfig-secured-default.json
+++ b/app-packages/accumulo/appConfig-secured-default.json
@@ -28,12 +28,11 @@
 
     "site.proxy.port": "${ACCUMULO_PROXY.ALLOCATED_PORT}{PER_CONTAINER}",
 
-    "site.global.accumulo_root_password": "NOT_USED",
+    "site.global.accumulo_root_principal": "${USER_NAME}@EXAMPLE.COM",
     "site.global.monitor_protocol": "http",
 
     "site.accumulo-site.instance.volumes": "${DEFAULT_DATA_DIR}/data",
     "site.accumulo-site.instance.zookeeper.host": "${ZK_HOST}",
-    "site.accumulo-site.instance.security.authenticator": "org.apache.slider.accumulo.CustomAuthenticator",
 
     "site.accumulo-site.general.security.credential.provider.paths": "jceks://hdfs/user/${USER}/accumulo-${CLUSTER_NAME}.jceks",
     "site.accumulo-site.instance.rpc.ssl.enabled": "false",
@@ -41,6 +40,17 @@
     "site.accumulo-site.general.kerberos.keytab": "${AGENT_WORK_ROOT}/keytabs/${USER_NAME}.ACCUMULO.service.keytab",
     "site.accumulo-site.general.kerberos.principal": "${USER_NAME}/_HOST@EXAMPLE.COM",
 
+    "site.accumulo-site.instance.rpc.sasl.enabled": "true",
+    "site.accumulo-site.instance.security.authenticator": "org.apache.accumulo.server.security.handler.KerberosAuthenticator",
+    "site.accumulo-site.instance.security.authorizor": "org.apache.accumulo.server.security.handler.KerberosAuthorizor",
+    "site.accumulo-site.instance.security.permissionHandler": "org.apache.accumulo.server.security.handler.KerberosPermissionHandler",
+    "site.accumulo-site.general.delegation.token.lifetime": "7d",
+    "site.accumulo-site.general.delegation.token.update.interval": "1d",
+
+    "site.accumulo-site.trace.user": "${USER_NAME}@EXAMPLE.COM",
+    "site.accumulo-site.trace.token.property.keytab": "${AGENT_WORK_ROOT}/keytabs/${USER_NAME}.ACCUMULO.headless.keytab",
+    "site.accumulo-site.trace.token.type": "org.apache.accumulo.core.client.security.tokens.KerberosToken",
+
     "site.accumulo-site.tserver.memory.maps.native.enabled": "false",
     "site.accumulo-site.tserver.memory.maps.max": "80M",
     "site.accumulo-site.tserver.cache.data.size": "7M",
@@ -48,8 +58,6 @@
     "site.accumulo-site.tserver.sort.buffer.size": "50M",
     "site.accumulo-site.tserver.walog.max.size": "40M",
 
-    "site.accumulo-site.trace.user": "root",
-
     "site.accumulo-site.master.port.client": "0",
     "site.accumulo-site.trace.port.client": "0",
     "site.accumulo-site.tserver.port.client": "0",
@@ -62,7 +70,7 @@
     "site.accumulo-site.general.classpaths": "$ACCUMULO_HOME/lib/accumulo-server.jar,\n$ACCUMULO_HOME/lib/accumulo-core.jar,\n$ACCUMULO_HOME/lib/accumulo-start.jar,\n$ACCUMULO_HOME/lib/accumulo-fate.jar,\n$ACCUMULO_HOME/lib/accumulo-proxy.jar,\n$ACCUMULO_HOME/lib/[^.].*.jar,\n$ZOOKEEPER_HOME/zookeeper[^.].*.jar,\n$HADOOP_CONF_DIR,\n${@//site/accumulo-env/hadoop_conf_dir},\n$HADOOP_PREFIX/[^.].*.jar,\n$HADOOP_PREFIX/lib/[^.].*.jar,\n$HADOOP_PREFIX/share/hadoop/common/.*.jar,\n$HADOOP_PREFIX/share/hadoop/common/lib/.*.jar,\n$HADOOP_PREFIX/share/hadoop/hdfs/.*.jar,\n$HADOOP_PREFIX/share/hadoop/mapreduce/.*.jar,\n$HADOOP_PREFIX/share/hadoop/yarn/.*.jar,\n${hadoop.dir}/.*.jar,\n${hadoop.dir}/lib/.*.jar,\n${hdfs.dir}/.*.jar,\n${mapred.dir}/.*.jar,\n${yarn.dir}/.*.jar,"
   },
   "credentials": {
-    "jceks://hdfs/user/${USER}/accumulo-${CLUSTER_NAME}.jceks": ["root.initial.password", "instance.secret", "trace.token.property.password"]
+    "jceks://hdfs/user/${USER}/accumulo-${CLUSTER_NAME}.jceks": ["instance.secret"]
   },
   "components": {
     "slider-appmaster": {

http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/63627bc7/app-packages/accumulo/configuration/client.xml
----------------------------------------------------------------------
diff --git a/app-packages/accumulo/configuration/client.xml b/app-packages/accumulo/configuration/client.xml
index 313f6b6..ea59083 100644
--- a/app-packages/accumulo/configuration/client.xml
+++ b/app-packages/accumulo/configuration/client.xml
@@ -41,4 +41,9 @@
     <value>${@//site/accumulo-site/instance.rpc.ssl.clientAuth}</value>
     <description>SSL client auth enabled.</description>
   </property>
+  <property>
+    <name>instance.rpc.sasl.enabled</name>
+    <value>${@//site/accumulo-site/instance.rpc.sasl.enabled}</value>
+    <description>SASL enabled.</description>
+  </property>
 </configuration>

http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/63627bc7/app-packages/accumulo/package/scripts/accumulo_configuration.py
----------------------------------------------------------------------
diff --git a/app-packages/accumulo/package/scripts/accumulo_configuration.py b/app-packages/accumulo/package/scripts/accumulo_configuration.py
index 3a0e2ed..e7b3de8 100644
--- a/app-packages/accumulo/package/scripts/accumulo_configuration.py
+++ b/app-packages/accumulo/package/scripts/accumulo_configuration.py
@@ -38,41 +38,28 @@ def setup_conf_dir(name=None): # 'master' or 'tserver' or 'monitor' or 'gc' or '
        content=StaticFile(jarname)
   )
 
-  if name != "client":
-    # create pid dir
-    Directory( params.pid_dir,
-      owner = params.accumulo_user,
-      group = params.user_group,
-      recursive = True
-    )
+  # create pid dir
+  Directory( params.pid_dir,
+    owner = params.accumulo_user,
+    group = params.user_group,
+    recursive = True
+  )
 
-    # create log dir
-    Directory (params.log_dir,
-      owner = params.accumulo_user,
-      group = params.user_group,
-      recursive = True
-    )
+  # create log dir
+  Directory (params.log_dir,
+    owner = params.accumulo_user,
+    group = params.user_group,
+    recursive = True
+  )
 
-    # create a site file for server processes
-    XmlConfig( "accumulo-site.xml",
-            conf_dir = params.conf_dir,
-            configurations = params.config['configurations']['accumulo-site'],
-            owner = params.accumulo_user,
-            group = params.user_group,
-            mode=0600
-    )
-  else:
-    # create a minimal site file for client processes
-    client_configurations = {}
-    client_configurations['instance.zookeeper.host'] = params.config['configurations']['accumulo-site']['instance.zookeeper.host']
-    client_configurations['instance.volumes'] = params.config['configurations']['accumulo-site']['instance.volumes']
-    client_configurations['general.classpaths'] = params.config['configurations']['accumulo-site']['general.classpaths']
-    XmlConfig( "accumulo-site.xml",
-            conf_dir = params.conf_dir,
-            configurations = client_configurations,
-            owner = params.accumulo_user,
-            group = params.user_group
-    )
+  # create a site file for server processes
+  XmlConfig( "accumulo-site.xml",
+          conf_dir = params.conf_dir,
+          configurations = params.config['configurations']['accumulo-site'],
+          owner = params.accumulo_user,
+          group = params.user_group,
+          mode=0600
+  )
 
   # create env file
   File(format("{params.conf_dir}/accumulo-env.sh"),
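Review bot: The comment `# create a site file for server processes` kept above the surviving XmlConfig call no longer holds, because the `name != "client"` branch is gone and client components now receive the full server accumulo-site.xml (with the credential-provider path and keytab locations) instead of the former three-key minimal file. That looks intended for Kerberos clients, which need the SASL and authenticator settings, but it should be recorded, e.g. `# create the site file for every component; clients need the full config (SASL/authenticator settings), so keep mode 0600`. With that branch removed, the `name` parameter of setup_conf_dir may be unused inside this function — its signature and the rest of its body lie outside the hunk, so please confirm. The second hunk of this file drops client.conf generation entirely, so the `instance.rpc.sasl.enabled` property this commit adds to client.xml, and the SSL trust/key store keys that were copied into client.conf, have no consumer visible in this commit; if client.conf is produced elsewhere after this change that is fine, otherwise clients lose those settings, and `update_site_config` may now be dead code here.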
@@ -82,20 +69,6 @@ def setup_conf_dir(name=None): # 'master' or 'tserver' or 'monitor' or 'gc' or '
        content=InlineTemplate(params.env_sh_template)
   )
 
-  # create client.conf file
-  configs = {}
-  configs.update(params.config['configurations']['client'])
-  update_site_config(configs, 'general.security.credential.provider.paths')
-  update_site_config(configs, 'rpc.javax.net.ssl.trustStore')
-  update_site_config(configs, 'rpc.javax.net.ssl.trustStoreType')
-  update_site_config(configs, 'rpc.javax.net.ssl.keyStore')
-  update_site_config(configs, 'rpc.javax.net.ssl.keyStoreType')
-  PropertiesFile(format("{params.conf_dir}/client.conf"),
-       properties = configs,
-       owner = params.accumulo_user,
-       group = params.user_group
-  )
-
   # create metrics2 properties file
   accumulo_TemplateConfig('hadoop-metrics2-accumulo.properties')
 

http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/63627bc7/app-packages/accumulo/package/scripts/accumulo_script.py
----------------------------------------------------------------------
diff --git a/app-packages/accumulo/package/scripts/accumulo_script.py b/app-packages/accumulo/package/scripts/accumulo_script.py
index 6227261..b982ce1 100644
--- a/app-packages/accumulo/package/scripts/accumulo_script.py
+++ b/app-packages/accumulo/package/scripts/accumulo_script.py
@@ -44,9 +44,14 @@ class AccumuloScript(Script):
 
     if self.component == 'master':
       try:
-        Execute( format("{daemon_script} init --instance-name {accumulo_instance_name} --password {accumulo_root_password} --clear-instance-name >{log_dir}/accumulo-{accumulo_user}-init.out 2>{log_dir}/accumulo-{accumulo_user}-init.err"),
-               not_if=format("{hadoop_prefix}/bin/hadoop fs -stat {accumulo_hdfs_root_dir}"),
-               user=params.accumulo_user)
+        if params.kerberos_auth_enabled:
+          Execute( format("{daemon_script} init --instance-name {accumulo_instance_name} --user {accumulo_root_principal} --clear-instance-name >{log_dir}/accumulo-{accumulo_user}-init.out 2>{log_dir}/accumulo-{accumulo_user}-init.err"),
+                   not_if=format("{hadoop_prefix}/bin/hadoop fs -stat {accumulo_hdfs_root_dir}"),
+                   user=params.accumulo_user)
+        else:
+          Execute( format("{daemon_script} init --instance-name {accumulo_instance_name} --password {accumulo_root_password} --clear-instance-name >{log_dir}/accumulo-{accumulo_user}-init.out 2>{log_dir}/accumulo-{accumulo_user}-init.err"),
+                 not_if=format("{hadoop_prefix}/bin/hadoop fs -stat {accumulo_hdfs_root_dir}"),
+                 user=params.accumulo_user)
       except Exception, e:
         try:
           Execute( format("{hadoop_prefix}/bin/hadoop fs -rm -R {accumulo_hdfs_root_dir}"),
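Review bot: The two new Execute calls duplicate the whole init command line and differ only in the authentication argument (`--user {accumulo_root_principal}` versus `--password {accumulo_root_password}`), so the redirection paths, the `not_if` guard and the `user` kwarg must be kept in sync by hand in two places. Building just that argument under the `kerberos_auth_enabled` branch and issuing a single Execute keeps one copy of the command; `format` here appears to resolve caller locals as the Ambari resource_management helper does — confirm for this copy, or pass `init_auth=init_auth` explicitly. A short comment that in Kerberos mode `--user` names the principal to be created as the root user and authentication comes from the process's own credentials (the service keytab), not from any password, would also help the next reader; that is inferred from the flags rather than visible here. The enclosing method starts and ends outside the hunk.
```python
      try:
        # Kerberos mode names the root principal; password mode is kept for non-secure clusters
        if params.kerberos_auth_enabled:
          init_auth = format("--user {accumulo_root_principal}")
        else:
          init_auth = format("--password {accumulo_root_password}")
        Execute( format("{daemon_script} init --instance-name {accumulo_instance_name} {init_auth} --clear-instance-name >{log_dir}/accumulo-{accumulo_user}-init.out 2>{log_dir}/accumulo-{accumulo_user}-init.err"),
                 not_if=format("{hadoop_prefix}/bin/hadoop fs -stat {accumulo_hdfs_root_dir}"),
                 user=params.accumulo_user)
      # … unchanged: except handler that cleans up the HDFS root dir and retries …
```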

http://git-wip-us.apache.org/repos/asf/incubator-slider/blob/63627bc7/app-packages/accumulo/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/app-packages/accumulo/package/scripts/params.py b/app-packages/accumulo/package/scripts/params.py
index 11bcbd9..29a7c7d 100644
--- a/app-packages/accumulo/package/scripts/params.py
+++ b/app-packages/accumulo/package/scripts/params.py
@@ -51,13 +51,15 @@ log_dir = config['configurations']['global']['app_log_dir']
 daemon_script = format("{accumulo_root}/bin/accumulo")
 proxy_conf = format("{conf_dir}/proxy.properties")
 
-# accumulo clientauth
-clientauth_enabled = False
-if 'instance.rpc.ssl.clientAuth' in config['configurations']['accumulo-site']:
-  clientauth_enabled = config['configurations']['accumulo-site']['instance.rpc.ssl.clientAuth']
+# accumulo kerberos user auth
+kerberos_auth_enabled = False
+if 'instance.security.authenticator' in config['configurations']['accumulo-site']\
+    and "org.apache.accumulo.server.security.handler.KerberosAuthenticator" == config['configurations']['accumulo-site']['instance.security.authenticator']:
+  kerberos_auth_enabled = True
 
 # accumulo initialization parameters
 accumulo_instance_name = config['configurations']['client']['instance.name']
+accumulo_root_principal = config['configurations']['global']['accumulo_root_principal']
 accumulo_root_password = config['configurations']['global']['accumulo_root_password']
 accumulo_hdfs_root_dir = config['configurations']['accumulo-site']['instance.volumes'].split(",")[0]
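Review bot: The added `accumulo_root_principal = config['configurations']['global']['accumulo_root_principal']` is an unconditional lookup, and so is the `accumulo_root_password` lookup kept right below it, yet this same commit removes `site.global.accumulo_root_password` from the secured appConfig; whichever of the two keys a given appConfig does not define makes params.py fail on import (KeyError, or the config wrapper's equivalent) before `kerberos_auth_enabled` can be consulted. Reading both with `.get` keeps the module importable in either mode: `accumulo_root_principal = config['configurations']['global'].get('accumulo_root_principal')` and `accumulo_root_password = config['configurations']['global'].get('accumulo_root_password')`. Whether the agent injects defaults for missing global keys is not visible here; if it does, the `.get` is still harmless. The authenticator comparison is a reasonable signal, and a comment such as `# Kerberos user auth is on only when the server-side authenticator is Accumulo's KerberosAuthenticator` would say why the class name is what is tested.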