Posted to commits@metron.apache.org by ma...@apache.org on 2017/06/01 21:41:48 UTC

[29/44] metron git commit: METRON-963 Update document for Kerberos manual setup (MohanDV via merrimanr) closes apache/metron#594

METRON-963 Update document for Kerberos manual setup (MohanDV via merrimanr) closes apache/metron#594


Project: http://git-wip-us.apache.org/repos/asf/metron/repo
Commit: http://git-wip-us.apache.org/repos/asf/metron/commit/5e0cce22
Tree: http://git-wip-us.apache.org/repos/asf/metron/tree/5e0cce22
Diff: http://git-wip-us.apache.org/repos/asf/metron/diff/5e0cce22

Branch: refs/heads/Metron_0.4.0
Commit: 5e0cce220dca80c996d173b16b9721fccb373821
Parents: 47e2b73
Author: MohanDV <mo...@gmail.com>
Authored: Fri May 19 10:21:09 2017 -0500
Committer: merrimanr <me...@apache.org>
Committed: Fri May 19 10:21:09 2017 -0500

----------------------------------------------------------------------
 metron-deployment/Kerberos-ambari-setup.md |  2 +-
 metron-deployment/Kerberos-manual-setup.md | 44 +++++++++++++++++--------
 2 files changed, 31 insertions(+), 15 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/metron/blob/5e0cce22/metron-deployment/Kerberos-ambari-setup.md
----------------------------------------------------------------------
diff --git a/metron-deployment/Kerberos-ambari-setup.md b/metron-deployment/Kerberos-ambari-setup.md
index 149e8b2..39e8dee 100644
--- a/metron-deployment/Kerberos-ambari-setup.md
+++ b/metron-deployment/Kerberos-ambari-setup.md
@@ -3,7 +3,7 @@
 General Kerberization notes can be found in the metron-deployment [README.md](../README.md)
 
 ## Setup a KDC
-See [Setup a KDC](Kerberos-manual-setup.md#setup-a-kdc)
+See [Setup a KDC](Kerberos-manual-setup.md#setup-a-kdc) and [Verify KDC](Kerberos-manual-setup.md#verify-kdc)
 
 ## Ambari Setup
 1. Kerberize the cluster via Ambari. More detailed documentation can be found [here](http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_security/content/_enabling_kerberos_security_in_ambari.html).

http://git-wip-us.apache.org/repos/asf/metron/blob/5e0cce22/metron-deployment/Kerberos-manual-setup.md
----------------------------------------------------------------------
diff --git a/metron-deployment/Kerberos-manual-setup.md b/metron-deployment/Kerberos-manual-setup.md
index 8a7f07a..fc46572 100644
--- a/metron-deployment/Kerberos-manual-setup.md
+++ b/metron-deployment/Kerberos-manual-setup.md
@@ -5,6 +5,7 @@ This document provides instructions for kerberizing Metron's Vagrant-based devel
 
 * [Setup](#setup)
 * [Setup a KDC](#setup-a-kdc)
+* [Verify KDC](#verify-kdc)
 * [Enable Kerberos](#enable-kerberos)
 * [Kafka Authorization](#kafka-authorization)
 * [HBase Authorization](#hbase-authorization)
@@ -75,11 +76,7 @@ Setup a KDC
    ```
    max_renewable_life = 7d
    ```
-
-   If the KDC cannot issue renewable tickets, an error will be thrown when starting Metron's Storm topologies:
-   ```
-   Exception in thread "main" java.lang.RuntimeException: java.lang.RuntimeException: The TGT found is not renewable
-   ```
+ 
 
 1. Do not copy/paste this full set of commands as the `kdb5_util` command will not run as expected. Run the commands individually to ensure they all execute.  This step takes a moment. It creates the kerberos database.
 
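Review bot: the replacement line added at the top of this hunk (`+ `) is whitespace-only and introduces trailing whitespace where the removed block used to be; since the surrounding context already has an empty line, drop the added line entirely rather than leaving a line containing a single space. Moving the "TGT found is not renewable" warning out of the KDC setup step is fine as long as the new Verify KDC section is the only remaining home for it, which this patch does.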
@@ -100,6 +97,33 @@ Setup a KDC
   	kadmin.local -q "addprinc metron"
   	```
 
+Verify KDC
+----------
+
+
+Ticket renewal is by default disallowed in many linux distributions. If the KDC cannot issue renewable tickets, an error will be thrown when starting Metron's Storm topologies:
+   ```
+   Exception in thread "main" java.lang.RuntimeException: java.lang.RuntimeException: The TGT found is not renewable
+   ```
+
+
+Ensure the Metron keytab is renewable.  Look for the 'R' flag from the following command
+   ```
+   klist -f
+   ```
+
+If the 'R' flags are present, you may skip to next section.
+
+If the 'R' flags are absent, you will need to follow the below steps:
+If the KDC is already setup, then editing max_life and max_renewable_life in `/var/kerberos/krb5kdc/kdc.conf`, and restarting kadmin and krb5kdc services will not change the policies for existing users. 
+
+You need to set the renew lifetime for existing users and krbtgt realm. Modify the appropriate principals to allow renewable tickets using the following commands. Adjust the parameters to match your desired KDC parameters:
+   ```
+   kadmin.local -q "modprinc -maxlife 1days -maxrenewlife 7days +allow_renewable krbtgt/EXAMPLE.COM@EXAMPLE.COM"
+   kadmin.local -q "modprinc -maxlife 1days -maxrenewlife 7days +allow_renewable metron@EXAMPLE.COM"
+   ```
+
+
 Enable Kerberos
 ---------------
 
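Review bot: the check in this hunk does not verify what the text claims. `klist -f` prints the flags of tickets in the caller's current credential cache, not anything about the Metron keytab, so the 'R' flag will only appear if the metron principal has already obtained a ticket (for example via `kinit -kt <metron keytab> metron@EXAMPLE.COM`) from the same shell; the section should say to obtain a ticket first, then run `klist -f`. Related to the fix itself: after the `modprinc` commands, tickets already in the cache keep their old flags, so the text should also tell the reader to re-run `kinit` and repeat `klist -f` to confirm the 'R' flag. Smaller points: the fenced blocks are indented by three spaces under non-list paragraphs (the removed version was inside a numbered list, where that indentation made sense), the sentence "If the 'R' flags are absent, you will need to follow the below steps:" runs straight into the next paragraph without a blank line, "linux" should be "Linux", and there are doubled blank lines after the heading and at the end of the section plus trailing whitespace on the `kdc.conf` sentence.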
@@ -247,16 +271,8 @@ Storm Authorization
   	cd /home/metron/.storm
   	```
 
-1. Ensure the Metron keytab is renewable.  Look for the 'R' flag from the following command
-    ```
-    klist -f
-    ```
+1. Ensure the Metron keytab is renewable. See [Verify KDC](#verify-kdc) above
 
-    If not present, modify the appropriate principals to allow renewable tickets.  Adjust the parameters to match desired KDC parameters
-    ```
-    kadmin.local -q "modprinc -maxlife 1days -maxrenewlife 7days +allow_renewable krbtgt/EXAMPLE.COM@EXAMPLE.COM"
-    kadmin.local -q "modprinc -maxlife 1days -maxrenewlife 7days +allow_renewable metron@EXAMPLE.COM"
-    ```
 
 1. Create a client JAAS file at `/home/metron/.storm/client_jaas.conf`.  This should look identical to the Storm client JAAS file located at `/etc/storm/conf/client_jaas.conf` except for the addition of a `Client` stanza. The `Client` stanza is used for Zookeeper. All quotes and semicolons are necessary.
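Review bot: the new step "See [Verify KDC](#verify-kdc) above" is missing its terminating period, and removing the second code block leaves two consecutive blank lines (the surviving blank context lines) between this step and the client JAAS step; delete one of them so the list spacing matches the rest of the document. The cross-reference itself resolves to the setext heading added earlier in this patch, so the link target is consistent.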