Posted to commits@ambari.apache.org by ao...@apache.org on 2014/04/28 12:03:59 UTC
git commit: AMBARI-5563. Fix kerberos_setup.sh on ubuntu (aonishuk)
Repository: ambari
Updated Branches:
refs/heads/trunk 16affea25 -> e1ca79f6f
AMBARI-5563. Fix kerberos_setup.sh on ubuntu (aonishuk)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/e1ca79f6
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/e1ca79f6
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/e1ca79f6
Branch: refs/heads/trunk
Commit: e1ca79f6ff53d0d684a5151e42c9757034653be1
Parents: 16affea
Author: Andrew Onishuk <ao...@hortonworks.com>
Authored: Mon Apr 28 13:03:50 2014 +0300
Committer: Andrew Onishuk <ao...@hortonworks.com>
Committed: Mon Apr 28 13:03:50 2014 +0300
----------------------------------------------------------------------
.../main/resources/scripts/kerberos-setup.sh | 96 ++++++++++++++++----
.../src/main/resources/scripts/krb5.conf | 37 ++++++++
2 files changed, 113 insertions(+), 20 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/e1ca79f6/ambari-server/src/main/resources/scripts/kerberos-setup.sh
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/scripts/kerberos-setup.sh b/ambari-server/src/main/resources/scripts/kerberos-setup.sh
index 0fee7ef..f61b448 100755
--- a/ambari-server/src/main/resources/scripts/kerberos-setup.sh
+++ b/ambari-server/src/main/resources/scripts/kerberos-setup.sh
@@ -89,9 +89,9 @@ processCSVFile () {
seenHosts="$seenHosts$hostName";
fi
- if [[ $seenPrincipals != *$principal* ]]; then
+ if [[ $seenPrincipals != *" $principal"* ]]; then
echo -e "kadmin.local -q \"addprinc -randkey $principal\"" >> commands.addprinc;
- seenPrincipals="$seenPrincipals$principal"
+ seenPrincipals="$seenPrincipals $principal"
fi
tmpKeytabFile="`pwd`/tmp_keytabs/$keytabFile";
newKeytabPath="`pwd`/keytabs_$hostName$keytabFilePath";
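Review bot: The new test `*" $principal"*` delimits only the left edge of the match, so a principal that is a leading substring of one already recorded (constructed example: `nn/host1` seen after `nn/host10`) is still treated as seen and gets no `addprinc` line. Whether that can happen depends on the principal format in the CSV, which is not visible here. Delimiting both sides closes the gap: `if [[ "$seenPrincipals " != *" $principal "* ]]; then`. processCSVFile starts and ends outside this hunk.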
@@ -176,22 +176,48 @@ processCSVFile () {
installKDC () {
csvFile=$1;
sshLoginKey=$2;
+ HOSTNAME=`hostname --fqdn`
+ scriptDir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+ krb5_new_conf=$scriptDir"/krb5.conf"
krb5_conf="/etc/krb5.conf"
- # Configure /etc/krb5.conf
- sed -c -i "/FILE/!s/\(kdc *= *\).*/\1$HOSTNAME/" $krb5_conf
- sed -c -i "/FILE/!s/\(admin_server *= *\).*/\1$HOSTNAME/" $krb5_conf
+ # Install rng tools
+ $inst_cmd rng-tools
+ if [ $os == 'debian' ]; then
+ echo "HRNGDEVICE=/dev/urandom" >> /etc/default/rng-tools
+ /etc/init.d/rng-tools start
+ else
+ sed -i "s/\(EXTRAOPTIONS *= *\).*/\1\"-r \/dev\/urandom\"/" "/etc/sysconfig/rngd"
+ # start rngd
+ /etc/init.d/rngd start
+ fi
# Install kdc server on this host
- yum install krb5-server krb5-libs krb5-auth-dialog krb5-workstation -y;
+ if [ $os == 'debian' ]; then
+ OLD_DEBIAN_FRONTEND=$DEBIAN_FRONTEND
+ export DEBIAN_FRONTEND=noninteractive
+ $inst_cmd krb5-kdc krb5-admin-server krb5-user libpam-krb5 libpam-ccreds auth-client-config
+ else
+ $inst_cmd krb5-server krb5-libs krb5-auth-dialog krb5-workstation
+ fi
+ # Configure /etc/krb5.conf
+ # !!! sed -i "s/\(default_realm *= *\).*/\1$EXAMPLE.COM/" $krb5_conf
+ # !!! should we set default_realm?
+ # !!!
+ cp $krb5_conf $krb5_conf".bak"
+ cp $krb5_new_conf $krb5_conf
+ sed -i "s/\(kdc *= *\).*/\1$HOSTNAME/" $krb5_conf
+ sed -i "s/\(admin_server *= *\).*/\1$HOSTNAME/" $krb5_conf
# Install rng tools
- yum install rng-tools -y
- sed -c -i "s/\(EXTRAOPTIONS *= *\).*/\1\"-r \/dev\/urandom\"/" "/etc/sysconfig/rngd"
- # start rngd
- /etc/init.d/rngd start
- (echo; echo;) | kdb5_util create -s
- /sbin/service krb5kdc start
- /sbin/service kadmin start
+ if [ $os == 'debian' ]; then
+ echo -ne '\n\n' | kdb5_util create -s
+ /usr/sbin/service krb5-admin-server start
+ /usr/sbin/service krb5-kdc start
+ else
+ echo -ne '\n\n' | kdb5_util create -s
+ /sbin/service krb5kdc start
+ /sbin/service kadmin start
+ fi
# Install pdsh on this host
- yum install pdsh -y;
+ $inst_cmd pdsh;
chown root:root -R /usr;
eval `ssh-agent`
ssh-add $sshLoginKey
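Review bot: The two new `sed -i` lines drop the `/FILE/!` address that the removed lines had, so they also rewrite `kdc = FILE:/var/log/krb5kdc.log` and `admin_server = FILE:/var/log/kadmind.log` in the `[logging]` section of the krb5.conf this commit copies into place, replacing the log targets with the hostname. Keep the guard: `sed -i "/FILE/!s/\(kdc *= *\).*/\1$HOSTNAME/" $krb5_conf`, and the same for `admin_server`. A comment is also warranted above `echo -ne '\n\n' | kdb5_util create -s`: it answers the master-key prompts with empty lines, which appears to leave the KDC database protected by an empty master password, and pointing rngd at /dev/urandom adds no new entropy for key generation. installKDC continues past the end of this hunk.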
@@ -206,10 +232,20 @@ installKDC () {
hostNames=$hostNames,$hostName;
fi
done < $csvFile
- pdsh -w $hostNames yum install krb5-workstation -y
- pdsh -w $hostNames yum install pdsh -y
- pdsh -w $hostNames chown root:root -R /usr
- pdcp -w $hostNames $krb5_conf $krb5_conf
+ export PDSH_SSH_ARGS_APPEND="-q -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=publickey"
+ if [ $os == 'debian' ]; then
+ pdsh -R ssh -w $hostNames OLD_DEBIAN_FRONTEND=$DEBIAN_FRONTEND; export DEBIAN_FRONTEND=noninteractive; $inst_cmd krb5-user libpam-krb5 libpam-ccreds auth-client-config; export DEBIAN_FRONTEND=OLD_DEBIAN_FRONTEND
+ else
+ pdsh -R ssh -w $hostNames $inst_cmd krb5-workstation
+ fi
+ pdsh -R ssh -w $hostNames $inst_cmd pdsh
+ pdsh -R ssh -w $hostNames chown root:root -R /usr
+ pdcp -R ssh -w $hostNames $krb5_conf $krb5_conf
+
+ #restore env variables to old state
+ if [ $os == 'debian' ]; then
+ export DEBIAN_FRONTEND=OLD_DEBIAN_FRONTEND
+ fi
}
distributeKeytabs () {
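Review bot: `PDSH_SSH_ARGS_APPEND` sets `StrictHostKeyChecking=no` with `UserKnownHostsFile=/dev/null`, so every pdsh/pdcp call here runs as root against whichever host answers, with no host-key verification; the same options are added to the scp/ssh calls in the distributeKeytabs hunk, where keytab archives are copied. Keeping host-key checking on and pointing `UserKnownHostsFile` at a known_hosts file populated for the cluster would avoid handing keytabs and krb5.conf to an unverified endpoint. Separately, on the debian pdsh line the unquoted `;` ends the pdsh command locally, so only the `OLD_DEBIAN_FRONTEND=...` assignment is sent to the remote hosts and `$inst_cmd krb5-user ...` runs on the local host; quote the remote command, e.g. `pdsh -R ssh -w $hostNames "DEBIAN_FRONTEND=noninteractive $inst_cmd krb5-user libpam-krb5 libpam-ccreds auth-client-config"`. The restore `export DEBIAN_FRONTEND=OLD_DEBIAN_FRONTEND` also lacks the `$` and exports the literal string. installKDC begins outside this hunk.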
@@ -219,15 +255,35 @@ distributeKeytabs () {
derivedname=${i%.*}
derivedname=${derivedname##keytabs_}
echo $derivedname
- scp $i root@$derivedname:/
- ssh root@$derivedname "cd /;tar xvf $i"
+ scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no $i root@$derivedname:/
+ ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@$derivedname "cd /;tar xvf $i"
done
}
+getEnvironmentCMD () {
+#get linux distribution type and package manager
+ os=`python -c 'import sys; sys.path.append("/usr/lib/python2.6/site-packages/"); from common_functions import OSCheck; print OSCheck.get_os_family()'`
+ case $os in
+ 'debian' )
+ pkgmgr='apt-get'
+ inst_cmd="/usr/bin/$pkgmgr --force-yes --assume-yes install "
+ ;;
+ 'redhat' )
+ pkgmgr='yum'
+ inst_cmd="/usr/bin/$pkgmgr -d 0 -e 0 -y install "
+ ;;
+ 'suse' )
+ pkgmgr='zypper'
+ inst_cmd="/usr/bin/$pkgmgr --quiet install --auto-agree-with-licenses --no-confirm "
+ ;;
+ esac
+}
+
if (($# != 2)); then
usage
fi
+getEnvironmentCMD
installKDC $@
processCSVFile $@
distributeKeytabs $@
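Review bot: The debian `inst_cmd` passes `--force-yes`, which tells apt-get to continue past conditions it considers harmful, including packages that fail authentication; for a script that installs the KDC as root, `inst_cmd="/usr/bin/$pkgmgr --assume-yes install "` keeps the package signature check in force. The `case` in getEnvironmentCMD also has no `*)` arm, so if the python call fails or reports another OS family, `$inst_cmd` stays empty and later lines such as `$inst_cmd rng-tools` run the package name as a command, while `[ $os == 'debian' ]` breaks on an empty `$os`. Adding `* ) echo "unsupported OS family: $os" >&2; exit 1 ;;` stops the run before anything is modified.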
http://git-wip-us.apache.org/repos/asf/ambari/blob/e1ca79f6/ambari-server/src/main/resources/scripts/krb5.conf
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/scripts/krb5.conf b/ambari-server/src/main/resources/scripts/krb5.conf
new file mode 100644
index 0000000..7061d19
--- /dev/null
+++ b/ambari-server/src/main/resources/scripts/krb5.conf
@@ -0,0 +1,37 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ default_realm = EXAMPLE.COM
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+
+[realms]
+ EXAMPLE.COM = {
+ kdc = kerberos.example.com
+ admin_server = kerberos.example.com
+ }
+
+[domain_realm]
+ .example.com = EXAMPLE.COM
+ example.com = EXAMPLE.COM
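Review bot: This template is copied over /etc/krb5.conf with `default_realm = EXAMPLE.COM` and the `example.com` entries in `[domain_realm]` left as-is; the script's sed calls only rewrite `kdc` and `admin_server`, and its own `!!!` comments leave the realm question open. Unless the principals in the CSV really use EXAMPLE.COM, the hosts will presumably end up with a realm and domain mapping that do not match the deployment. A header comment such as `# Template: kerberos-setup.sh overwrites /etc/krb5.conf with this file; set default_realm, [realms] and [domain_realm] for your site` would make that explicit.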