Posted to commits@ambari.apache.org by ad...@apache.org on 2017/05/23 09:53:17 UTC
[19/50] [abbrv] ambari git commit: AMBARI-21045. Enable Storm's
AutoTGT configs in secure mode.
AMBARI-21045. Enable Storm's AutoTGT configs in secure mode.
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/3499004c
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/3499004c
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/3499004c
Branch: refs/heads/ambari-rest-api-explorer
Commit: 3499004cc6c692c142ba4f6ad857ba67ea81d254
Parents: 7dc2ddc
Author: Sriharsha Chintalapani <ha...@hortonworks.com>
Authored: Thu May 18 13:34:29 2017 -0700
Committer: Sriharsha Chintalapani <ha...@hortonworks.com>
Committed: Thu May 18 13:34:29 2017 -0700
----------------------------------------------------------------------
.../STORM/0.9.1/configuration/storm-env.xml | 11 ++
.../STORM/1.1.0/configuration/storm-site.xml | 44 ++++++
.../common-services/STORM/1.1.0/kerberos.json | 138 +++++++++++++++++++
.../common-services/STORM/1.1.0/metainfo.xml | 44 ++++++
.../stacks/HDP/2.6/services/STORM/metainfo.xml | 4 +
5 files changed, 241 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/3499004c/ambari-server/src/main/resources/common-services/STORM/0.9.1/configuration/storm-env.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/STORM/0.9.1/configuration/storm-env.xml b/ambari-server/src/main/resources/common-services/STORM/0.9.1/configuration/storm-env.xml
index 4cfe3d5..cfa33e2 100644
--- a/ambari-server/src/main/resources/common-services/STORM/0.9.1/configuration/storm-env.xml
+++ b/ambari-server/src/main/resources/common-services/STORM/0.9.1/configuration/storm-env.xml
@@ -125,6 +125,17 @@ export STORM_LOG_DIR={{log_dir}}
export STORM_CONF_DIR={{conf_dir}}
export STORM_HOME={{storm_component_home_dir}}
+
+#set storm-auto creds
+# check if storm_jaas.conf in config , only enable storm_auto_creds in secure mode.
+STORM_HOME="$(dirname $(cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ))"
+STORM_JAAS_CONF=$STORM_HOME/config/storm_jaas.conf
+STORM_AUTOCREDS_LIB_DIR=/usr/hdp/current/storm-client/external/storm-autocreds
+
+if [ -f $STORM_JAAS_CONF ] && [ -d $STORM_AUTOCREDS_LIB_DIR ]; then
+ export STORM_EXT_CLASSPATH=$STORM_AUTOCREDS_LIB_DIR
+fi
+
</value>
<value-attributes>
<type>content</type>
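Review bot: The secure-mode test on the added `STORM_JAAS_CONF` line looks at `$STORM_HOME/config/storm_jaas.conf`, while the kerberos.json added in this same commit sets `java.security.auth.login.config` to `{{conf_dir}}/storm_jaas.conf`; if those two locations differ, the `-f` test fails and the autocreds jars are silently left off the classpath even though the Nimbus credential plugins are configured. The line before it also re-derives `STORM_HOME` from `BASH_SOURCE`, overriding the `export STORM_HOME={{storm_component_home_dir}}` a few lines earlier. I would drop the `STORM_HOME=` reassignment and use `STORM_JAAS_CONF="$STORM_CONF_DIR/storm_jaas.conf"`, with the test written as `if [ -f "$STORM_JAAS_CONF" ] && [ -d "$STORM_AUTOCREDS_LIB_DIR" ]; then` so paths with spaces do not break it. The enclosing `<value>` script starts above the hunk, so what `conf_dir` resolves to is not visible here.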
http://git-wip-us.apache.org/repos/asf/ambari/blob/3499004c/ambari-server/src/main/resources/common-services/STORM/1.1.0/configuration/storm-site.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/STORM/1.1.0/configuration/storm-site.xml b/ambari-server/src/main/resources/common-services/STORM/1.1.0/configuration/storm-site.xml
new file mode 100644
index 0000000..1a5dde9
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/STORM/1.1.0/configuration/storm-site.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration supports_final="true">
+ <property>
+ <name>nimbus.autocredential.plugins.classes</name>
+ <description>
+ Allows users to add token based authentication for services such as HDFS, HBase, Hive
+ </description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>nimbus.credential.renewers.freq.secs</name>
+ <description>
+ Frequency at which tokens will be renewed.
+ </description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>nimbus.credential.renewers.classes</name>
+ <description>
+ List of classes for token renewal
+ </description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+</configuration>
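Review bot: The three new properties carry a `<name>` and a `<description>` but no `<value>`, so on a cluster without Kerberos they have no default and their effective values come only from the kerberos.json descriptor in this commit. If an unset value is intended, stating it explicitly would make that clear, e.g. `<value></value>` together with `<value-attributes><empty-value-valid>true</empty-value-valid></value-attributes>`; how Ambari treats a property with no `<value>` element is not visible from this hunk. The description of `nimbus.credential.renewers.freq.secs` could also name the unit and the descriptor default, e.g. `Frequency, in seconds, at which Nimbus renews credentials (82800 when Kerberos is enabled).`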
http://git-wip-us.apache.org/repos/asf/ambari/blob/3499004c/ambari-server/src/main/resources/common-services/STORM/1.1.0/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/STORM/1.1.0/kerberos.json b/ambari-server/src/main/resources/common-services/STORM/1.1.0/kerberos.json
new file mode 100644
index 0000000..643cfd3
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/STORM/1.1.0/kerberos.json
@@ -0,0 +1,138 @@
+{
+ "services": [
+ {
+ "name": "STORM",
+ "identities": [
+ {
+ "name": "/spnego"
+ },
+ {
+ "name": "/smokeuser"
+ },
+ {
+ "name": "storm_components",
+ "principal": {
+ "value": "${storm-env/storm_user}${principal_suffix}@${realm}",
+ "type": "user",
+ "configuration": "storm-env/storm_principal_name"
+ },
+ "keytab": {
+ "file": "${keytab_dir}/storm.headless.keytab",
+ "owner": {
+ "name": "${storm-env/storm_user}",
+ "access": "r"
+ },
+ "group": {
+ "name": "${cluster-env/user_group}",
+ "access": ""
+ },
+ "configuration": "storm-env/storm_keytab"
+ }
+ },
+ {
+ "name": "/STORM/storm_components",
+ "principal": {
+ "configuration": "storm-atlas-application.properties/atlas.jaas.KafkaClient.option.principal"
+ },
+ "keytab": {
+ "configuration": "storm-atlas-application.properties/atlas.jaas.KafkaClient.option.keyTab"
+ }
+ }
+ ],
+ "configurations": [
+ {
+ "storm-site": {
+ "nimbus.authorizer": "org.apache.storm.security.auth.authorizer.SimpleACLAuthorizer",
+ "drpc.authorizer": "org.apache.storm.security.auth.authorizer.DRPCSimpleACLAuthorizer",
+ "ui.filter": "org.apache.hadoop.security.authentication.server.AuthenticationFilter",
+ "storm.principal.tolocal": "org.apache.storm.security.auth.KerberosPrincipalToLocal",
+ "supervisor.enable": "true",
+ "storm.zookeeper.superACL": "sasl:{{storm_bare_jaas_principal}}",
+ "java.security.auth.login.config": "{{conf_dir}}/storm_jaas.conf",
+ "nimbus.impersonation.authorizer": "org.apache.storm.security.auth.authorizer.ImpersonationAuthorizer",
+ "nimbus.impersonation.acl": "{ {{storm_bare_jaas_principal}} : {hosts: ['*'], groups: ['*']}}",
+ "nimbus.admins": "['{{storm_bare_jaas_principal}}', '{{ambari_bare_jaas_principal}}']",
+ "nimbus.supervisor.users": "['{{storm_bare_jaas_principal}}']",
+ "ui.filter.params": "{'type': 'kerberos', 'kerberos.principal': '{{storm_ui_jaas_principal}}', 'kerberos.keytab': '{{storm_ui_keytab_path}}', 'kerberos.name.rules': 'DEFAULT'}",
+ "nimbus.autocredential.plugins.classes": "['org.apache.storm.hdfs.security.AutoHDFS', 'org.apache.storm.hbase.security.AutoHBase', 'org.apache.storm.hive.security.AutoHive']",
+ "nimbus.credential.renewers.classes": "['org.apache.storm.hdfs.security.AutoHDFS', 'org.apache.storm.hbase.security.AutoHBase', 'org.apache.storm.hive.security.AutoHive']",
+ "nimbus.credential.renewers.freq.secs": 82800
+
+ }
+ },
+ {
+ "ranger-storm-audit": {
+ "xasecure.audit.jaas.Client.loginModuleName": "com.sun.security.auth.module.Krb5LoginModule",
+ "xasecure.audit.jaas.Client.loginModuleControlFlag": "required",
+ "xasecure.audit.jaas.Client.option.useKeyTab": "true",
+ "xasecure.audit.jaas.Client.option.storeKey": "false",
+ "xasecure.audit.jaas.Client.option.serviceName": "solr",
+ "xasecure.audit.destination.solr.force.use.inmemory.jaas.config": "true"
+ }
+ }
+ ],
+ "components": [
+ {
+ "name": "STORM_UI_SERVER",
+ "identities": [
+ {
+ "name": "/spnego",
+ "principal": {
+ "configuration": "storm-env/storm_ui_principal_name"
+ },
+ "keytab": {
+ "configuration": "storm-env/storm_ui_keytab"
+ }
+ }
+ ]
+ },
+ {
+ "name": "NIMBUS",
+ "identities": [
+ {
+ "name": "nimbus_server",
+ "principal": {
+ "value": "nimbus/_HOST@${realm}",
+ "type": "service",
+ "configuration": "storm-env/nimbus_principal_name"
+ },
+ "keytab": {
+ "file": "${keytab_dir}/nimbus.service.keytab",
+ "owner": {
+ "name": "${storm-env/storm_user}",
+ "access": "r"
+ },
+ "group": {
+ "name": "${cluster-env/user_group}",
+ "access": ""
+ },
+ "configuration": "storm-env/nimbus_keytab"
+ }
+ },
+ {
+ "name": "/STORM/storm_components",
+ "principal": {
+ "configuration": "ranger-storm-audit/xasecure.audit.jaas.Client.option.principal"
+ },
+ "keytab": {
+ "configuration": "ranger-storm-audit/xasecure.audit.jaas.Client.option.keyTab"
+ }
+ }
+ ]
+ },
+ {
+ "name": "DRPC_SERVER",
+ "identities": [
+ {
+ "name": "drpc_server",
+ "reference": "/STORM/NIMBUS/nimbus_server"
+ }
+ ]
+ },
+ {
+ "name" : "SUPERVISOR"
+ }
+ ]
+ }
+ ]
+}
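Review bot: `nimbus.impersonation.acl` in the `storm-site` block grants `{{storm_bare_jaas_principal}}` impersonation with `hosts: ['*']` and `groups: ['*']`, and the same block now turns on the AutoHDFS/AutoHBase/AutoHive credential plugins, so a compromise of that principal's keytab presumably reaches delegation tokens for those services as well. If the deployment allows it, narrow `hosts` to the Nimbus hosts; otherwise record in the commit description why the wildcard is needed, since JSON has no place for a comment. Separately, `nimbus.credential.renewers.freq.secs` is the only value written as a bare number (`82800`); every other value in the descriptor is a string, so `"82800"` would be consistent and avoids depending on how the descriptor parser handles numbers.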
http://git-wip-us.apache.org/repos/asf/ambari/blob/3499004c/ambari-server/src/main/resources/common-services/STORM/1.1.0/metainfo.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/STORM/1.1.0/metainfo.xml b/ambari-server/src/main/resources/common-services/STORM/1.1.0/metainfo.xml
new file mode 100644
index 0000000..94f5ca3
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/STORM/1.1.0/metainfo.xml
@@ -0,0 +1,44 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<metainfo>
+ <schemaVersion>2.0</schemaVersion>
+ <services>
+ <service>
+ <name>STORM</name>
+ <version>1.1.0</version>
+ <extends>common-services/STORM/1.0.1</extends>
+
+ <configuration-dependencies>
+ <config-type>storm-site</config-type>
+ <config-type>storm-env</config-type>
+ <config-type>ranger-storm-plugin-properties</config-type>
+ <config-type>ranger-storm-audit</config-type>
+ <config-type>ranger-storm-policymgr-ssl</config-type>
+ <config-type>ranger-storm-security</config-type>
+ <config-type>admin-properties</config-type>
+ <config-type>ranger-ugsync-site</config-type>
+ <config-type>ranger-admin-site</config-type>
+ <config-type>zookeeper-env</config-type>
+ <config-type>zoo.cfg</config-type>
+ <config-type>application.properties</config-type>
+ <config-type>storm-atlas-application.properties</config-type>
+ </configuration-dependencies>
+ </service>
+ </services>
+</metainfo>
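Review bot: The `<config-type>application.properties</config-type>` entry in `<configuration-dependencies>` is spelled with a dot, while the HDP/2.6/services/STORM/metainfo.xml hunk in this commit adds `<config-type>application-properties</config-type>` with a hyphen. One of the two presumably names a config type that does not exist, in which case changes to that config would not mark Storm for restart. Both entries should use the same name; which spelling matches the actual config type cannot be told from this page.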
http://git-wip-us.apache.org/repos/asf/ambari/blob/3499004c/ambari-server/src/main/resources/stacks/HDP/2.6/services/STORM/metainfo.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.6/services/STORM/metainfo.xml b/ambari-server/src/main/resources/stacks/HDP/2.6/services/STORM/metainfo.xml
index db5c8b8..49e00f7 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.6/services/STORM/metainfo.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.6/services/STORM/metainfo.xml
@@ -22,6 +22,10 @@
<service>
<name>STORM</name>
<version>1.1.0</version>
+ <extends>common-services/STORM/1.1.0</extends>
+ <configuration-dependencies>
+ <config-type>application-properties</config-type>
+ </configuration-dependencies>
</service>
</services>
</metainfo>