[4/6] ambari git commit: AMBARI-11159. Kerberos: Add
kerberos-setup.sh script back to the resources/scripts directory with
appropriate changes (alexantonenko)
AMBARI-11159. Kerberos: Add kerberos-setup.sh script back to the resources/scripts directory with appropriate changes (alexantonenko)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/ea8a8046
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/ea8a8046
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/ea8a8046
Branch: refs/heads/trunk
Commit: ea8a8046da69a266c267ef299389d43d825505ae
Parents: 3ccfc42
Author: Alex Antonenko <hi...@gmail.com>
Authored: Fri May 15 12:37:50 2015 +0300
Committer: Alex Antonenko <hi...@gmail.com>
Committed: Fri May 15 12:53:46 2015 +0300
----------------------------------------------------------------------
.../main/resources/scripts/kerberos-setup.sh | 366 +++++++++++++++++++
1 file changed, 366 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/ea8a8046/ambari-server/src/main/resources/scripts/kerberos-setup.sh
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/scripts/kerberos-setup.sh b/ambari-server/src/main/resources/scripts/kerberos-setup.sh
new file mode 100644
index 0000000..8641616
--- /dev/null
+++ b/ambari-server/src/main/resources/scripts/kerberos-setup.sh
@@ -0,0 +1,366 @@
+#!/bin/bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+#
+# This script is provided as an example of how to parse the Kerberos CSV file.
+# It is for illustrative purposes only and should not be used for any other purpose.
+#
+
+############################
+## NOTE:
+## 1) This script should be executed on NameNode host as that host is guaranteed to have all the users needed while creating keytab file
+## 2) The script has been verified to work in gce environment and
+## vagrant environment documented at ambari wiki: https://cwiki.apache.org/confluence/display/AMBARI/Quick+Start+Guide
+###########################
+
+usage () {
+echo "Usage: keytabs.sh <HOST_PRINCIPAL_KEYTABLE.csv> <SSH_LOGIN_KEY_PATH>";
+echo " <HOST_PRINCIPAL_KEYTABLE.csv>: CSV file generated by 'Enable Security Wizard' of Ambari";
+echo " <SSH_LOGIN_KEY_PATH>: File path to the ssh login key for root user";
+exit 1;
+}
+
+###################
+## processCSVFile()
+###################
+processCSVFile () {
+ csvFile=$1;
+ csvFile=$(printf '%q' "$csvFile")
+ # Remove blank lines
+ sed -i '/^\s*$/d' $csvFile
+ touch generate_keytabs.sh;
+ chmod 755 generate_keytabs.sh;
+
+ echo "#!/bin/bash" > generate_keytabs.sh;
+ echo "###########################################################################" >> generate_keytabs.sh;
+ echo "###########################################################################" >> generate_keytabs.sh;
+ echo "## " >> generate_keytabs.sh;
+ echo "## Ambari Security Script Generator" >> generate_keytabs.sh;
+ echo "## " >> generate_keytabs.sh;
+ echo "## Ambari security script is generated which should be run on the" >> generate_keytabs.sh;
+ echo "## Kerberos server machine." >> generate_keytabs.sh;
+ echo "## " >> generate_keytabs.sh;
+ echo "## Running the generated script will create host specific keytabs folders." >> generate_keytabs.sh;
+ echo "## Each of those folders will contain service specific keytab files with " >> generate_keytabs.sh;
+ echo "## appropriate permissions. There folders should be copied as the appropriate" >> generate_keytabs.sh;
+ echo "## host's '/etc/security/keytabs' folder" >> generate_keytabs.sh;
+ echo "###########################################################################" >> generate_keytabs.sh;
+ echo "###########################################################################" >> generate_keytabs.sh;
+
+ rm -f commands.mkdir;
+ rm -f commands.chmod;
+ rm -f commands.addprinc;
+ rm -f commands.xst
+ rm -f commands.xst.cp
+ rm -f commands.chown.1
+ rm -f commands.chmod.1
+ rm -f commands.chmod.2
+ rm -f commands.tar
+
+ seenHosts="";
+ seenPrincipals="";
+
+ echo "mkdir -p ./tmp_keytabs" >> commands.mkdir;
+ sed 1d $csvFile | while read line; do
+ hostName=`echo $line|cut -d , -f 1`;
+ service=`echo $line|cut -d , -f 2`;
+ principal=`echo $line|cut -d , -f 3`;
+ localUserName=`echo $line|cut -d , -f 5`;
+ keytabFile=`echo $line|cut -d , -f 6 | cut -d , -f 6 | rev | cut -d '/' -f 1 | rev`;
+ fullKeytabFilePath=`echo $line|cut -d , -f 6`;
+ keytabFilePath=${fullKeytabFilePath%/*};
+ owner=`echo $line|cut -d , -f 7`;
+ group=`echo $line|cut -d , -f 9`;
+ acl=`echo $line|cut -d , -f 11`;
+
+ if [[ $seenHosts != *$hostName* ]]; then
+ echo "mkdir -p ./keytabs_$hostName" >> commands.mkdir;
+ echo "chmod 755 ./keytabs_$hostName" >> commands.chmod;
+ echo "chown -R root:$group `pwd`/keytabs_$hostName" >> commands.chown.1
+ echo "tar -cvf keytabs_$hostName.tar -C keytabs_$hostName ." >> commands.tar
+ seenHosts="$seenHosts$hostName";
+ fi
+
+ if [[ $seenPrincipals != *" $principal"* ]]; then
+ echo -e "kadmin.local -q \"addprinc -randkey $principal\"" >> commands.addprinc;
+ seenPrincipals="$seenPrincipals $principal"
+ fi
+ tmpKeytabFile="`pwd`/tmp_keytabs/$keytabFile";
+ newKeytabPath="`pwd`/keytabs_$hostName$keytabFilePath";
+ newKeytabFile="$newKeytabPath/$keytabFile";
+ if [ ! -f $tmpKeytabFile ]; then
+ echo "kadmin.local -q \"xst -k $tmpKeytabFile $principal\"" >> commands.xst;
+ fi
+ if [ ! -d $newKeytabPath ]; then
+ echo "mkdir -p $newKeytabPath" >> commands.mkdir;
+ fi
+ echo "cp $tmpKeytabFile $newKeytabFile" >> commands.xst.cp
+ echo "chmod $acl $newKeytabFile" >> commands.chmod.2
+ echo "chown $owner:$group $newKeytabFile" >> commands.chown.1
+ done;
+
+
+ echo "" >> generate_keytabs.sh;
+ echo "" >> generate_keytabs.sh;
+ echo "###########################################################################" >> generate_keytabs.sh;
+ echo "# Making host specific keytab folders" >> generate_keytabs.sh;
+ echo "###########################################################################" >> generate_keytabs.sh;
+ cat commands.mkdir >> generate_keytabs.sh;
+ echo "" >> generate_keytabs.sh;
+ echo "###########################################################################" >> generate_keytabs.sh;
+ echo "# Changing permissions for host specific keytab folders" >> generate_keytabs.sh;
+ echo "###########################################################################" >> generate_keytabs.sh;
+ cat commands.chmod >> generate_keytabs.sh;
+ echo "" >> generate_keytabs.sh;
+ echo "###########################################################################" >> generate_keytabs.sh;
+ echo "# Creating Kerberos Principals" >> generate_keytabs.sh;
+ echo "###########################################################################" >> generate_keytabs.sh;
+ cat commands.addprinc >> generate_keytabs.sh;
+ echo "" >> generate_keytabs.sh;
+ echo "###########################################################################" >> generate_keytabs.sh;
+ echo "# Creating Kerberos Principal keytabs in host specific keytab folders" >> generate_keytabs.sh;
+ echo "###########################################################################" >> generate_keytabs.sh;
+ cat commands.xst >> generate_keytabs.sh;
+ cat commands.xst.cp >> generate_keytabs.sh;
+ echo "" >> generate_keytabs.sh;
+ echo "###########################################################################" >> generate_keytabs.sh;
+ echo "# Changing ownerships of host specific keytab files" >> generate_keytabs.sh;
+ echo "###########################################################################" >> generate_keytabs.sh;
+ cat commands.chown.1 >> generate_keytabs.sh;
+ echo "" >> generate_keytabs.sh;
+ echo "###########################################################################" >> generate_keytabs.sh;
+ echo "# Changing access permissions of host specific keytab files" >> generate_keytabs.sh;
+ echo "###########################################################################" >> generate_keytabs.sh;
+ #cat commands.chmod.1
+ cat commands.chmod.2 >> generate_keytabs.sh;
+ echo "" >> generate_keytabs.sh;
+ echo "###########################################################################" >> generate_keytabs.sh;
+ echo "# Packaging keytab folders" >> generate_keytabs.sh;
+ echo "###########################################################################" >> generate_keytabs.sh;
+ cat commands.tar >> generate_keytabs.sh;
+ echo "" >> generate_keytabs.sh;
+ echo "###########################################################################" >> generate_keytabs.sh;
+ echo "# Cleanup" >> generate_keytabs.sh;
+ echo "###########################################################################" >> generate_keytabs.sh;
+ echo "rm -rf ./tmp_keytabs" >> generate_keytabs.sh;
+ echo "" >> generate_keytabs.sh;
+ echo "echo \"****************************************************************************\"" >> generate_keytabs.sh;
+ echo "echo \"****************************************************************************\"" >> generate_keytabs.sh;
+ echo "echo \"** Copy and extract 'keytabs_[hostname].tar' files onto respective hosts. **\"" >> generate_keytabs.sh;
+ echo "echo \"** **\"" >> generate_keytabs.sh;
+ echo "echo \"** Generated keytab files are preserved in the 'tmp_keytabs' folder. **\"" >> generate_keytabs.sh;
+ echo "echo \"****************************************************************************\"" >> generate_keytabs.sh;
+ echo "echo \"****************************************************************************\"" >> generate_keytabs.sh;
+
+ rm -f commands.mkdir >> generate_keytabs.sh;
+ rm -f commands.chmod >> generate_keytabs.sh;
+ rm -f commands.addprinc >> generate_keytabs.sh;
+ rm -f commands.xst >> generate_keytabs.sh;
+ rm -f commands.xst.cp >> generate_keytabs.sh;
+ rm -f commands.chown.1 >> generate_keytabs.sh;
+ rm -f commands.chmod.1 >> generate_keytabs.sh;
+ rm -f commands.chmod.2 >> generate_keytabs.sh;
+ rm -f commands.tar >> generate_keytabs.sh;
+ # generate keytabs
+ sh ./generate_keytabs.sh
+}
+
+########################
+## installKDC () : Install rng tools,pdsh on KDC host and KDC packages on all host. Modify krb5 file
+########################
+installKDC () {
+ csvFile=$1;
+ sshLoginKey=$2;
+ HOSTNAME=`hostname --fqdn`
+ scriptDir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+ krb5_new_conf=$scriptDir"/krb5.conf"
+ krb5_conf="/etc/krb5.conf"
+ #export additional path for suse and centos5
+ PATH=$PATH:/usr/lib/mit/sbin/:/usr/kerberos/sbin/:/usr/sbin/:/sbin/
+ # Install rng tools
+ installRngtools
+ # Install kdc server on this host
+ $inst_cmd $server_packages
+ # Configure /etc/krb5.conf
+ cp $krb5_conf $krb5_conf".bak"
+ cp $krb5_new_conf $krb5_conf
+ sed -i "s/\(kdc *= *\).*kerberos.example.com.*/\1$HOSTNAME/" $krb5_conf
+ sed -i "s/\(admin_server *= *\).*kerberos.example.com.*/\1$HOSTNAME/" $krb5_conf
+ # Create principal key and start services
+ if [[ ! -f $principal_file ]]; then
+ echo -ne '\n\n' | kdb5_util create -s
+ fi
+ eval $kdc_service_start
+ eval $kadmin_service_start
+ # Install pdsh on this host
+ $inst_cmd pdsh;
+ chown root:root -R /usr;
+ eval `ssh-agent`
+ ssh-add $sshLoginKey
+ hostNames='';
+
+ # remove empty lines
+ sed -i "/^\s*$/d" $csvFile;
+
+ sed 1d $csvFile > $csvFile.tmp
+ while read line; do
+ hostName=`echo $line|cut -d , -f 1`;
+ if [ -z "$hostNames" ]; then
+ hostNames=$hostName;
+ continue;
+ fi
+ if [[ $hostNames != *$hostName* ]]; then
+ hostNames=$hostNames,$hostName;
+ fi
+ echo "hostNames $hostNames";
+ done < $csvFile.tmp;
+ rm -f $csvFile.tmp
+ # Check all hosts for passwordless ssh
+ OLD_IFS=$IFS
+ IFS=,
+ for host in $hostNames; do
+
+ checkSSH $host
+ done
+ IFS=$OLD_IFS
+ export PDSH_SSH_ARGS_APPEND="-q -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=publickey"
+ pdsh -R ssh -w $hostNames "$inst_cmd $client_packages"
+ pdsh -R ssh -w $hostNames "$inst_cmd pdsh"
+ pdsh -R ssh -w $hostNames chown root:root -R /usr
+ pdcp -R ssh -w $hostNames $krb5_conf $krb5_conf
+}
+
+########################
+## distributeKeytabs () : Distribute the tar on all respective hosts root directory and untar it
+########################
+distributeKeytabs () {
+ shopt -s nullglob
+ filearray=(keytabs_*tar)
+ for i in ${filearray[@]}; do
+ derivedname=${i%.*}
+ derivedname=${derivedname##keytabs_}
+ echo $derivedname
+ scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no $i root@$derivedname:/
+ ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@$derivedname "cd /;tar xvf $i --no-overwrite-dir"
+ done
+}
+
+########################
+## getEnvironmentCMD () : get linux distribution type and package manager
+########################
+getEnvironmentCMD () {
+ os=`python -c 'import sys; sys.path.append("/usr/lib/python2.6/site-packages/"); from ambari_commons import OSCheck; print OSCheck.get_os_family()'`
+ version=`python -c 'import sys; sys.path.append("/usr/lib/python2.6/site-packages/"); from ambari_commons import OSCheck; print OSCheck.get_os_major_version()'`
+ os=$os$version;
+ case $os in
+ 'ubuntu12' )
+ pkgmgr='apt-get'
+ inst_cmd="env DEBIAN_FRONTEND=noninteractive /usr/bin/$pkgmgr --allow-unauthenticated --assume-yes install -f "
+ client_packages="krb5-user libpam-krb5 libpam-ccreds auth-client-config"
+ server_packages="krb5-kdc krb5-admin-server $client_packages"
+ rng_tools="rng-tools"
+ principal_file="/etc/krb5kdc/principal"
+ kdc_service_start="service krb5-kdc start || service krb5-kdc status"
+ kadmin_service_start="service krb5-admin-server start || service krb5-admin-server status"
+ ;;
+ 'redhat5' )
+ pkgmgr='yum'
+ inst_cmd="/usr/bin/$pkgmgr -y install "
+ client_packages="krb5-workstation"
+ server_packages="krb5-server krb5-libs krb5-auth-dialog $client_packages"
+ rng_tools="rng-utils"
+ principal_file="/var/kerberos/krb5kdc/principal"
+ kdc_service_start="service kadmin start; service kadmin status"
+ kadmin_service_start="service krb5kdc start || service krb5kdc status"
+ ;;
+ 'redhat6' )
+ pkgmgr='yum'
+ inst_cmd="/usr/bin/$pkgmgr -y install "
+ client_packages="krb5-workstation"
+ server_packages="krb5-server krb5-libs krb5-auth-dialog $client_packages"
+ rng_tools="rng-tools"
+ principal_file="/var/kerberos/krb5kdc/principal"
+ kdc_service_start="service kadmin start; service kadmin status"
+ kadmin_service_start="service krb5kdc start || service krb5kdc status"
+ ;;
+ 'suse11' )
+ pkgmgr='zypper'
+ inst_cmd="/usr/bin/$pkgmgr install --auto-agree-with-licenses --no-confirm "
+ client_packages="krb5-client"
+ server_packages="krb5 krb5-server $client_packages"
+ rng_tools="rng-tools"
+ principal_file="/var/lib/kerberos/krb5kdc/principal"
+ kdc_service_start="service kadmind start || service kadmind status"
+ kadmin_service_start="service krb5kdc start || service krb5kdc status"
+ ;;
+ esac
+}
+
+########################
+## checkUser () : If the user executing the script is not "root" then exit
+########################
+checkUser () {
+ userid=`id -u`;
+ if (($userid != 0)); then
+ echo "ERROR: The script needs to be executed by root user"
+ exit 1;
+ fi
+}
+
+########################
+## checkSSH () : If passwordless ssh for root is not configured then exit
+########################
+checkSSH () {
+ host=$1
+ ssh -oPasswordAuthentication=no -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no $host "exit 0" && return_value=0 || return_value=$? && true
+ if [[ $return_value != 0 ]]; then
+ echo "ERROR: Passwordless ssh for user root is not configured for host $host"
+ exit 1;
+ fi
+}
+
+########################
+## installRngtools () : Install and start rng-tools
+########################
+installRngtools () {
+ $inst_cmd $rng_tools
+ echo $inst_cmd $rng_utils
+ if [ $os == 'ubuntu12' ] || [ $os == 'suse11' ]; then
+ echo "HRNGDEVICE=/dev/urandom" >> /etc/default/rng-tools
+ /etc/init.d/rng-tools start || true
+ elif [ $os == 'redhat5' ]; then
+ /sbin/rngd -r /dev/urandom -o /dev/random -f -t .001 --background
+ else
+ sed -i "s/\(EXTRAOPTIONS *= *\).*/\1\"-r \/dev\/urandom\"/" "/etc/sysconfig/rngd"
+ # start rngd
+ /etc/init.d/rngd start
+ fi
+}
+
+if (($# != 2)); then
+ usage
+fi
+
+set -e
+checkUser
+getEnvironmentCMD
+installKDC $@
+processCSVFile $@
+distributeKeytabs $@
\ No newline at end of file
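Review bot: CSV fields are written unquoted into the generated script (for example `echo "chmod $acl $newKeytabFile" >> commands.chmod.2` and the `kadmin.local -q \"addprinc -randkey $principal\"` line in the processCSVFile loop) and that file is then executed as root by `sh ./generate_keytabs.sh`, so any shell metacharacter in a principal, owner, acl or keytab-path column ends up running as a command; the `csvFile=$(printf '%q' "$csvFile")` line does not help, because the escaped value is later expanded unquoted (`sed -i '/^\s*$/d' $csvFile`, `sed 1d $csvFile`) and never re-parsed. Each field should be validated against an allowlist before use (e.g. `[[ $acl =~ ^[0-7]{3,4}$ ]]`) or emitted into the generated commands via `printf '%q'`, and the reader should be `while IFS= read -r line; do` so backslashes and leading whitespace survive. Separately, distributeKeytabs and PDSH_SSH_ARGS_APPEND push the keytabs with `-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no`, which disables host authentication for exactly the hosts receiving the secrets; a pre-populated known_hosts file should be used instead, and the `eval \`ssh-agent\`` started in installKDC is never terminated. The generated script's closing message says the keytabs are preserved in 'tmp_keytabs' while the preceding `rm -rf ./tmp_keytabs` deletes them, so one of the two lines should change.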