metron-dev mailing list archives

From mmiklavc <...@git.apache.org>
Subject [GitHub] incubator-metron pull request #510: METRON-821 Minor fixes in full dev kerbe...
Date Wed, 05 Apr 2017 15:33:39 GMT
Github user mmiklavc commented on a diff in the pull request:

    https://github.com/apache/incubator-metron/pull/510#discussion_r109948537
  
    --- Diff: metron-deployment/vagrant/Kerberos-setup.md ---
    @@ -135,71 +135,77 @@ echo "grant 'metron', 'RW', 'enrichment'" | hbase shell
     
     16. Create a “.storm” directory in the metron user’s home directory and switch
to that directory.
       ```
    -su metron && cd ~/
    -mkdir .storm
    -cd .storm
    +su metron
    +mkdir ~/.storm
    +cd ~/.storm
       ```
     
     17. Create a custom client jaas file. This should look identical to the Storm client
jaas file located in /etc/storm/conf/client_jaas.conf except for the addition of a Client
stanza. The Client stanza is used for Zookeeper. All quotes and semicolons are necessary.
       ```
    -[metron@node1 .storm]$ cat client_jaas.conf
    +cat << EOF > client_jaas.conf
     StormClient {
    -   com.sun.security.auth.module.Krb5LoginModule required
    -   useTicketCache=true
    -   renewTicket=true
    -   serviceName="nimbus";
    + com.sun.security.auth.module.Krb5LoginModule required
    + useTicketCache=true
    + renewTicket=true
    + serviceName="nimbus";
     };
     Client {
    -   com.sun.security.auth.module.Krb5LoginModule required
    -   useKeyTab=true
    -   keyTab="/etc/security/keytabs/metron.headless.keytab"
    -   storeKey=true
    -   useTicketCache=false
    -   serviceName="zookeeper"
    -   principal="metron@EXAMPLE.COM";
    + com.sun.security.auth.module.Krb5LoginModule required
    + useKeyTab=true
    + keyTab="/etc/security/keytabs/metron.headless.keytab"
    + storeKey=true
    + useTicketCache=false
    + serviceName="zookeeper"
    + principal="metron@EXAMPLE.COM";
     };
     KafkaClient {
    -   com.sun.security.auth.module.Krb5LoginModule required
    -   useKeyTab=true
    -   keyTab="/etc/security/keytabs/metron.headless.keytab"
    -   storeKey=true
    -   useTicketCache=false
    -   serviceName="kafka"
    -   principal="metron@EXAMPLE.COM";
    + com.sun.security.auth.module.Krb5LoginModule required
    + useKeyTab=true
    + keyTab="/etc/security/keytabs/metron.headless.keytab"
    + storeKey=true
    + useTicketCache=false
    + serviceName="kafka"
    + principal="metron@EXAMPLE.COM";
     };
    +EOF
       ```
     
     18. Create a storm.yaml with jaas file info. Set the array of nimbus hosts accordingly.
       ```
    -[metron@node1 .storm]$ cat storm.yaml
    +cat << EOF > storm.yaml
     nimbus.seeds : ['node1']
     java.security.auth.login.config : '/home/metron/.storm/client_jaas.conf'
     storm.thrift.transport : 'org.apache.storm.security.auth.kerberos.KerberosSaslTransportPlugin'
    +EOF
       ```
     
     19. Create an auxiliary storm configuration json file in the metron user’s home directory.
Note the login config option in the file points to our custom client_jaas.conf.
       ```
    -cd /home/metron
    -[metron@node1 ~]$ cat storm-config.json
    +cd
    +cat << EOF > storm-config.json
     {
       "topology.worker.childopts" : "-Djava.security.auth.login.config=/home/metron/.storm/client_jaas.conf"
     }
    +EOF
       ```
     
     20. Setup enrichment and indexing.
     
         a. Modify enrichment.properties - `${METRON_HOME}/config/enrichment.properties`
     
         ```
    -    kafka.security.protocol=PLAINTEXTSASL
    -    topology.worker.childopts=-Djava.security.auth.login.config=/home/metron/.storm/client_jaas.conf
    +    [[ $EUID -eq 0 ]] || exit
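Review bot: the `[[ $EUID -eq 0 ]] || exit` guard added at the top of the step 20 block conflicts with step 16, which has the reader `su metron` and then keep working in that metron shell through steps 17 to 19 (`mkdir ~/.storm`, `cd ~/.storm`, the three `cat << EOF` heredocs, and `cd`). A reader who follows the steps in order arrives at step 20 as `metron`, so the guard fires and silently terminates the metron subshell instead of the command block it was meant to protect. Either end step 19 with an explicit `exit` back to the root shell and say so in the text, or make the guard explain itself, e.g. `[[ $EUID -eq 0 ]] || { echo "step 20 must be run as root" >&2; exit 1; }`. Two smaller points on the same hunk: the heredoc delimiters are unquoted (`cat << EOF > client_jaas.conf`, `cat << EOF > storm.yaml`, `cat << EOF > storm-config.json`), so any `$` that a later edit introduces into the jaas stanzas or the storm.yaml values would be expanded by the shell before reaching the file; `<< 'EOF'` makes the heredocs literal. And since `client_jaas.conf` is now written by the `metron` user and points its Client and KafkaClient stanzas at `/etc/security/keytabs/metron.headless.keytab`, the step should state that this keytab must be readable by `metron` and by no other user, otherwise the login either fails at topology start or the credential is exposed to every account on the host.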
    --- End diff --
    
    I wonder if it would be better to print a message about needing to be root? This will log out the user and close their screen altogether in some instances.


