Commit e3f88c8c authored by František Dvořák's avatar František Dvořák

Kerberos support in Hadoop + handle persistent variables with secrets

parent c93e3462
......@@ -5,6 +5,7 @@ config.json
inventory
hosts
public_hosts
secrets.auto.tfvars
site.pp
site2.pp
terraform
......
......@@ -53,6 +53,11 @@ EOF
}
}
variable "secrets" {
type = map(string)
# sensitive = true # terraform >= 0.14
}
output "config" {
value = {
n = var.n,
......@@ -61,6 +66,7 @@ output "config" {
master_hostname = var.master_hostname,
node_hostname = var.node_hostname,
type = var.type,
secrets = var.secrets,
}
}
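Review bot: The `config` output now carries `var.secrets`, so every `terraform apply` and plain `terraform output` prints the Kerberos passwords to the console and into any captured CI log; the variable comment defers `sensitive = true` to 0.14, but the `sensitive` argument on `output` blocks predates that, so add `sensitive = true` to `output "config"` now. `terraform output -json`, which the deploy script reads, still receives the values, so nothing downstream changes. Both hunks belong to the same file; the state file will hold these secrets in clear regardless, so the state backend needs access control matching `secrets.auto.tfvars`.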
......
......@@ -20,6 +20,8 @@ write_files:
#!/usr/bin/env ruby
#^syntax detection
forge "https://forgeapi.puppetlabs.com"
mod 'cesnet-kerberos',
:git => 'https://github.com/MetaCenterCloudPuppet/cesnet-kerberos/'
mod 'cesnet-site_hadoop',
:git => 'https://github.com/MetaCenterCloudPuppet/cesnet-site_hadoop/'
mod 'cesnet-hadoop',
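Review bot: `mod 'cesnet-kerberos'` is fetched from a git URL with no `:ref`, so the module that ends up holding the realm's admin credentials is whatever the default branch contains at deploy time, and two deployments of the same commit can install different code; pin it, e.g. `:git => 'https://github.com/MetaCenterCloudPuppet/cesnet-kerberos/', :ref => '<tag-or-commit>'`. The same applies to the Puppetfile hunk (`@@ -3,6 +3,9 @@`) later in this commit, and the pre-existing `cesnet-site_hadoop` entry has the same shape. The surrounding `write_files` entry starts before this hunk.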
......
import os
import string
DEFAULT_DISTRIBUTION = 'bigtop'
......@@ -16,7 +17,9 @@ class ComponentHadoop:
'master_hostname': config['master_hostname'],
'node_hostname': config['node_hostname'],
'nodes': list([h for h in hosts.keys() if h != config['master_hostname']]),
'realm': '',
'realm': 'HADOOP',
'kerberos_admin_password': config['secrets']['kerberos_admin_password'],
'kerberos_master_password': config['secrets']['kerberos_master_password'],
}
def action(self, action):
......@@ -29,11 +32,13 @@ class ComponentHadoop:
print('-> site.pp')
site = template.substitute(self.params)
with open('site.pp', 'w') as f:
os.chmod('site.pp', 0o600)
f.write(site)
self.params['hdfs_deployed'] = 'true'
site = template.substitute(self.params)
print('-> site2.pp')
with open('site2.pp', 'w') as f:
os.chmod('site2.pp', 0o600)
f.write(site)
def commands(self, action):
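Review bot: `os.chmod('site.pp', 0o600)` runs after `open('site.pp', 'w')` has already created the file under the process umask, so the rendered manifest — which now carries both Kerberos passwords in clear — can be world-readable for a moment, and a pre-existing world-readable `site.pp` is truncated and rewritten before its mode changes. Creating the file with the mode in the `os.open` flags (plus `fchmod` for the pre-existing case) closes that window; the same applies to `site2.pp` a few lines below, and a small helper keeps both call sites identical. `action` continues outside the hunk.

```python
def _write_private(path, content):
    """Create/truncate path so that no byte is ever readable by other users."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # O_CREAT mode is ignored when the file already exists
    with os.fdopen(fd, 'w') as f:
        f.write(content)

# … unchanged: template.substitute(self.params) …
print('-> site.pp')
_write_private('site.pp', site)
# … unchanged: hdfs_deployed flag and second substitute …
print('-> site2.pp')
_write_private('site2.pp', site)
```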
......
......@@ -34,6 +34,40 @@ $$db_type = "$${operatingsystem}-$${operatingsystemmajrelease}" ? {
default => 'mariadb',
}
$$principals = suffix(concat(
prefix(concat([$$master], $$nodes), 'host/'),
prefix(concat([$$master], $$nodes), 'HTTP/'),
["httpfs/$$master"],
prefix(concat([$$master], $$nodes), 'hbase/'),
["hive/$$master"],
prefix($$nodes, 'dn/'),
["jhs/$$master"],
["nfs/$$master"],
prefix($$nodes, 'nm/'),
["nn/$$master"],
["oozie/$$master"],
["rm/$$master"],
["spark/$$master"],
["zookeeper/$$master"]
), "@$${realm}")
stage { 'kerberos':
before => Stage['main'],
}
class{"kerberos":
kadmin_hostname => $$master,
admin_principal => "puppet/admin@$${realm}",
admin_password => '$kerberos_admin_password',
master_password => '$kerberos_master_password',
realm => $$realm,
default_attributes => {
'requires_preauth' => true,
},
default_policy => 'default_host',
stage => 'kerberos',
}
class{'hadoop':
acl => true,
hdfs_hostname => $$master,
......@@ -63,7 +97,8 @@ class{'hadoop':
},
properties => {
'dfs.replication' => 2,
'hadoop.proxyuser.hive.groups' => "*",
'hadoop.proxyuser.hive.groups' => "hive,impala,oozie,users",
#'hadoop.proxyuser.hive.groups' => "*",
'hadoop.proxyuser.hive.hosts' => "*",
},
version => $$hadoop_version,
......@@ -133,6 +168,9 @@ class{'site_hadoop':
'example',
'hawking',
],
user_realms => [
'$$realm',
],
accounting_enable => false,
hbase_enable => true,
nfs_frontend_enable => false,
......@@ -142,12 +180,126 @@ class{'site_hadoop':
}
# site_hadoop::users hasn't shell on the nodes, we need exception for '${image_user}'
$$touchfile = 'hdfs-user-${image_user}-created'
hadoop::user{'${image_user}':
shell => true,
hdfs => $$hadoop::hdfs_hostname == $$::fqdn,
groups => 'users',
realms => $$site_hadoop::user_realms,
touchfile => 'hdfs-user-${image_user}-created',
touchfile => $$touchfile,
}
if $$hadoop::hdfs_hostname == $$::fqdn {
hadoop::kinit{$$touchfile:
}
->
Hadoop::User <| touchfile == $$touchfile |>
->
hadoop::kdestroy{$$touchfile:
touch => true,
}
}
class local_kerberos {
file{'/etc/security/keytab':
ensure => 'directory',
owner => 'root',
group => 'root',
mode => '0755',
}
File['/etc/security/keytab'] -> Kerberos::Keytab <| |>
}
class local_kerberos_master {
include local_kerberos
kerberos::policy{'default':
ensure => 'present',
minlength => 6,
history => 2,
}
kerberos::policy{'default_host':
ensure => 'present',
minlength => 6,
}
kerberos::principal{$$::kerberos::admin_principal:
ensure => 'present',
password => $$::kerberos::admin_password,
}
kerberos::principal{$$principals:}
kerberos::keytab{'/etc/krb5.keytab':
principals => ["host/$${::fqdn}@$${realm}"],
}
kerberos::keytab{'/etc/security/keytab/hive.service.keytab':
principals => ["hive/$${::fqdn}@$${realm}"],
}
kerberos::keytab{'/etc/security/keytab/hbase.service.keytab':
principals => ["hbase/$${::fqdn}@$${realm}"],
}
kerberos::keytab{'/etc/security/keytab/http.service.keytab':
principals => ["HTTP/$${::fqdn}@$${realm}"],
}
kerberos::keytab{'/etc/security/keytab/httpfs.service.keytab':
principals => ["httpfs/$${::fqdn}@$${realm}"],
}
# works only locally on Kerberos admin server!
kerberos::keytab{'/etc/security/keytab/httpfs-http.service.keytab':
principals => [
"httpfs/$${::fqdn}@$${realm}",
"HTTP/$${::fqdn}@$${realm}",
],
}
kerberos::keytab{'/etc/security/keytab/jhs.service.keytab':
principals => ["jhs/$${::fqdn}@$${realm}"],
}
kerberos::keytab{'/etc/security/keytab/nfs.service.keytab':
principals => ["nfs/$${::fqdn}@$${realm}"],
}
kerberos::keytab{'/etc/security/keytab/nn.service.keytab':
principals => ["nn/$${::fqdn}@$${realm}"],
}
kerberos::keytab{'/etc/security/keytab/oozie.service.keytab':
principals => ["oozie/$${::fqdn}@$${realm}"],
}
kerberos::keytab{'/etc/security/keytab/rm.service.keytab':
principals => ["rm/$${::fqdn}@$${realm}"],
}
kerberos::keytab{'/etc/security/keytab/spark.service.keytab':
principals => ["spark/$${::fqdn}@$${realm}"],
}
kerberos::keytab{'/etc/security/keytab/zookeeper.service.keytab':
principals => ["zookeeper/$${::fqdn}@$${realm}"],
}
}
class local_kerberos_node {
include local_kerberos
# this will use kerberos::admin_principal and kerberos::admin_password parameters
kerberos::keytab{'/etc/krb5.keytab':
principals => ["host/$${::fqdn}@$${realm}"],
wait => 600,
}
kerberos::keytab{'/etc/security/keytab/dn.service.keytab':
principals => ["dn/$${::fqdn}@$${realm}"],
wait => 600,
}
kerberos::keytab{'/etc/security/keytab/hbase.service.keytab':
principals => ["hbase/$${::fqdn}@$${realm}"],
wait => 600,
}
kerberos::keytab{'/etc/security/keytab/http.service.keytab':
principals => ["HTTP/$${::fqdn}@$${realm}"],
wait => 600,
}
kerberos::keytab{'/etc/security/keytab/nm.service.keytab':
principals => ["nm/$${::fqdn}@$${realm}"],
wait => 600,
}
}
node /${master_hostname}\..*/ {
......@@ -163,8 +315,16 @@ node /${master_hostname}\..*/ {
root_password => 'root',
}
#include ::oozie::client
class{'local_kerberos_master':
stage => 'kerberos',
}
}
node /${node_hostname}\d*\..*/ {
include ::site_hadoop::role::slave
class{'local_kerberos_node':
stage => 'kerberos',
}
}
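Review bot: `user_realms => [ '$$realm', ]` in the `site_hadoop` hunk (`@@ -133,6 +168,9 @@`) renders as `'$realm'` after `string.Template` substitution, and Puppet does not interpolate inside single quotes, so the realm list holds the literal text `$realm` rather than the configured realm; every other use in this template passes `$$realm` unquoted or `"$${realm}"`, so change the line to `"$${realm}",` (or `'$realm',` to bake in the Python-side value). Separately, `admin_password => '$kerberos_admin_password'` and the `master_password` line below it drop a secret verbatim into a single-quoted Puppet string; the deploy script's base64 output is safe there, but a hand-edited `secrets.auto.tfvars` containing `'` or `\` would break or truncate the manifest, so either escape those two characters at the substitution site or restrict the accepted charset. The `local_kerberos*` classes are complete within the hunk; the `node` blocks that apply them start in the preceding hunk's trailing context.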
......@@ -3,6 +3,9 @@
forge "https://forgeapi.puppetlabs.com"
mod 'cesnet-kerberos',
:git => 'https://github.com/MetaCenterCloudPuppet/cesnet-kerberos/'
mod 'cesnet-site_hadoop',
:git => 'https://github.com/MetaCenterCloudPuppet/cesnet-site_hadoop/'
......
#! /bin/sh -xe
if [ ! -s ./secrets.auto.tfvars ]; then
touch ./secrets.auto.tfvars
chmod 0600 ./secrets.auto.tfvars
{
echo 'secrets = {'
for k in kerberos_master_password kerberos_admin_password http_signature_secret; do
echo " $k = \"`dd if=/dev/random bs=27 count=1 2>/dev/null | base64 -`\""
done
echo "}"
} >> ./secrets.auto.tfvars
fi
./terraform apply -auto-approve "$@"
touch config.json; chmod 0600 config.json
./terraform output -json > config.json
if [ -z "$NO_DEPLOYMENT" ]; then
./orchestrate.py
else
./orchestrate.py files ping init wait
./orchestrate.py -n deployment
fi
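Review bot: The script runs under `sh -xe`, so the `echo " $k = \"...\""` line in the secret-generation loop is traced to stderr with the freshly generated password expanded, which lands in any captured deploy log; wrap the block in `set +x` … `set -x` (or drop `-x` from the shebang). `dd if=/dev/random bs=27 count=1` may also return fewer than 27 bytes on a short read and blocks on older kernels, so `head -c 27 /dev/urandom | base64` is the safer generator. Creating the file with `touch` before `chmod 0600` is fine here because the contents are only appended afterwards, but `umask 077` at the top would remove the dependency on that ordering for both `secrets.auto.tfvars` and `config.json`.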
......@@ -52,6 +52,7 @@ public_hosts = j['public_hosts']['value']
master_hostname = config['master_hostname']
master_ip = public_hosts[master_hostname]
user = config['image_user']
secrets = config['secrets']
t = config.get('type', None)
print('== plugin ==')
......
secrets = {
kerberos_master_password = "SECRET"
kerberos_admin_password = "SECRET"
http_signature_secret = "SECRET"
}