From DaveBirdsall <...@git.apache.org>
Subject [GitHub] incubator-trafodion pull request #546: TRAFODION [109] Instrument Trafodion ...
Date Wed, 15 Jun 2016 15:46:05 GMT
Github user DaveBirdsall commented on a diff in the pull request:

    https://github.com/apache/incubator-trafodion/pull/546#discussion_r67188129
  
    --- Diff: install/installer/traf_add_kerberos ---
    @@ -0,0 +1,204 @@
    +#!/bin/bash
    +
    +# @@@ START COPYRIGHT @@@
    +#
    +# Licensed to the Apache Software Foundation (ASF) under one
    +# or more contributor license agreements.  See the NOTICE file
    +# distributed with this work for additional information
    +# regarding copyright ownership.  The ASF licenses this file
    +# to you under the Apache License, Version 2.0 (the
    +# "License"); you may not use this file except in compliance
    +# with the License.  You may obtain a copy of the License at
    +#
    +#   http://www.apache.org/licenses/LICENSE-2.0
    +#
    +# Unless required by applicable law or agreed to in writing,
    +# software distributed under the License is distributed on an
    +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    +# KIND, either express or implied.  See the License for the
    +# specific language governing permissions and limitations
    +# under the License.
    +#
    +# @@@ END COPYRIGHT @@@
    +
    +#******************************************************************************
    +#  Sets up Trafodion environment for security features:
    +#    Kerberos
    +#******************************************************************************
    +
    +TRAF_CONFIG='/etc/trafodion/trafodion_config'
    +source $TRAF_CONFIG
    +HOST_NAME=`hostname -f`
    +
    +#==============================================================================
    +# set up kerberos stuff
    +if [[ "$SECURE_HADOOP" == "N" ]]; then
    +  echo "***INFO: KERBEROS not available, skipping to next step"
    +  exit 0
    +fi
    +
    +echo
    +echo "******************************"
    +echo " TRAFODION KERBEROS SETUP     "
    +echo "******************************"
    +echo
    +echo "***INFO: Running KERBEROS installation"
    +
    +# get realm from admin principal
    +REALM=${ADMIN_PRINCIPAL#*"@"}
    +TRAF_PRINCIPAL="$TRAF_USER/$HOST_NAME@REALM"
    +HBASE_PRINCIPAL="$HBASE_USER/$HOST_NAME@$REALM"
    +PDCP="pdcp -R ssh "
    +
    +# test KDC server connection - always ask for the admin password
    +echo -n "Enter admin password:"
    +read -s answer
    +if [[ ! -z $answer ]]; then ADMIN_PASSWD=$answer; fi
    +echo ""
    +
    +KADMIN_CMD="sudo kadmin -p $ADMIN_PRINCIPAL -w $ADMIN_PASSWD -s $KDC_SERVER -q"
    +
    +$KADMIN_CMD "listprincs" > /dev/null 2>&1
    +if [[ $? -ne 0 ]]; then
    +  echo "***ERROR: kadmin command failed to execute, verify that Kerberos is running,
you can access it from the installation node, and that your password is valid"
    +  ADMIN_PASSWD="***"
    +  exit -1
    +fi
    +echo "***INFO: Connection to  KDC server successful" 
    +
    +# Make a directory to hold generated keytabs, ignore if already created
    +mkdir -p $LOCAL_WORKDIR/keytabs 2>/dev/null
    +
    +echo "***INFO: Create principals and keytabs for $TRAF_USER" 
    +for ITEM in $HADOOP_NODES; do
    +  NODE=`ssh -q -n $ITEM sudo hostname -f`
    +  PRINCIPAL_EXISTS=$( $KADMIN_CMD "listprincs" | grep "$TRAF_USER/$NODE@$REALM" | wc
-l )
    +  if [[ $PRINCIPAL_EXISTS -eq 1 ]]; then
    +    echo "***INFO: Principal $TRAF_USER/$NODE@$REALM exists, continuing" 
    +  else
    +    # add the principal
    +    $KADMIN_CMD "addprinc -randkey $TRAF_USER/$NODE@$REALM" > /dev/null 2>&1

    +    if [[ $? -ne 0 ]]; then
    +      echo "***ERROR: kadmin command failed to create principal, check KDC server status"

    +      ADMIN_PASSWD="***"
    +      exit -1
    +    fi
    +  fi
    +
    +  # Adjust principal's maxlife and maxrenewlife
    +  echo "***INFO: Set max and renew life times for principal $TRAF_USER/$NODE@$REALM"

    +  $KADMIN_CMD "modprinc -maxlife $MAX_LIFETIME -maxrenewlife $RENEW_LIFETIME $TRAF_USER/$NODE@$REALM"
> /dev/null 2>&1 
    +  if [[ $? -ne 0 ]]; then
    +    echo "***ERROR: kadmin command failed to modify principal, check KDC server status"

    +    ADMIN_PASSWD="***"
    +    exit -1
    +  fi
    +  
    +  # Look in keytabs to see if keytab already exists, if so, then skip this step
    +  # May want to supporting regeneration of keytabs at some point in time.
    +  echo "***INFO: Create keytab $TRAF_KEYTAB for $NODE" 
    +  if [[ -e $LOCAL_WORKDIR/keytabs/$NODE-$TRAF_KEYTAB ]]; then
    +    echo "***INFO: The keytab for $NODE exists, continuing" 
    +  else
    +    echo "***INFO: Adding keytab for $NODE" 
    +    $KADMIN_CMD "ktadd -k $LOCAL_WORKDIR/$TRAF_KEYTAB $TRAF_USER/$NODE@$REALM"
    +    if [[ $? -ne 0 ]]; then
    +      echo "***ERROR: failed to add keytab" 
    +      ADMIN_PASSWD="***"
    +      exit -1
    +    fi
    +
    +    # Each node has its own principal and keytab.  The principal names have the node
    +    # name embedded but the keytab names are the same.  Save keytabs into the keytabs

    +    # directory and prepend them with the node name to tell them apart.  They will
    +    # be copied to the individual nodes in a separate step 
    +    sudo chown $(whoami):$(whoami) $LOCAL_WORKDIR/$TRAF_KEYTAB
    +    sudo chmod 400 $LOCAL_WORKDIR/$TRAF_KEYTAB
    +    sudo mv $LOCAL_WORKDIR/$TRAF_KEYTAB $LOCAL_WORKDIR/keytabs/$NODE-$TRAF_KEYTAB
    +  fi
    +
    +  # Copy keytab to node (probably a better way of doing this)
    +  #   - Remove the prepended node from the keytab
    +  #   - Copy the keytab to the node
    +  #   - Move the keytab to the KEYTAB directory on the node
    +  #   - Change owner to allow trafodion access
    +  sudo cp $LOCAL_WORKDIR/keytabs/$NODE-$TRAF_KEYTAB $LOCAL_WORKDIR/keytabs/$TRAF_KEYTAB
    +  sudo chown $(whoami):$(whoami) $LOCAL_WORKDIR/keytabs/$TRAF_KEYTAB
    +  if [[ "$all_node_count" -ne "1" ]]; then
    +    pdcp -R ssh -w $NODE $LOCAL_WORKDIR/keytabs/$TRAF_KEYTAB $HOME
    +    ssh -q -n $NODE sudo mv $HOME/$TRAF_KEYTAB $TRAF_KEYTAB_DIR/$TRAF_KEYTAB
    +    ssh -q -n $NODE sudo chown $TRAF_USER:hadoop $TRAF_KEYTAB_DIR/$TRAF_KEYTAB
    +    ssh -q -n $NODE sudo -u $TRAF_USER kinit -kt $TRAF_KEYTAB_DIR/$TRAF_KEYTAB $TRAF_USER/$NODE@$REALM
    +  else
    +    sudo cp $LOCAL_WORKDIR/keytabs/$TRAF_KEYTAB $TRAF_KEYTAB_DIR/$TRAF_KEYTAB
    +    sudo chown $TRAF_USER:hadoop $TRAF_KEYTAB_DIR/$TRAF_KEYTAB
    +    sudo -u $TRAF_USER kinit -kt $TRAF_KEYTAB_DIR/$TRAF_KEYTAB $TRAF_USER/$NODE@$REALM
    +  fi
    +  echo "***INFO: Copied keytab file to $NODE" 
    +done
    +ADMIN_PASSWD="***"
    +echo "***INFO: Done creating principals and keytabs" 
    +
    +# The RENEW_TOOL is a script that get run that automatically
    +# renews the ticket when it get ready to expire.
    +RENEW_TOOL='$MY_SQROOT/sql/scripts/krb5service start'
    +
    +# modify .bashrc to add kinit command
    +# Steps:
    +#  - Store the text to add to the .bashrc file in a tmp file
    +#  - Copy the tmp file to all the nodes
    +#  - Change owner of tmp file to the trafodion user
    +#  - Add text to .bashrc
    +# This assumes that if the installation node already has the text, then this
    +# step can be skipped.  May need to be more robust
    +
    +sudo grep -q "kinit" $HOME_DIR/$TRAF_USER/.bashrc
    +if [[ $? -ne 0 ]]; then
    +  echo "***INFO: Add kinit command in .bashrc file"
    +  echo ""                                                                   > $LOCAL_WORKDIR/kerberos.tmp
    +  echo ""                                                                  >> $LOCAL_WORKDIR/kerberos.tmp
    +  echo "# ---------------------------------------------------------------" >> $LOCAL_WORKDIR/kerberos.tmp
    +  echo "# if needed obtain and cache the Kerberos ticket-granting ticket"  >> $LOCAL_WORKDIR/kerberos.tmp
    +  echo "# start automatic ticket renewal process"                          >> $LOCAL_WORKDIR/kerberos.tmp
    +  echo "# ---------------------------------------------------------------" >> $LOCAL_WORKDIR/kerberos.tmp
    +  echo 'klist -s >/dev/null 2>&1'                                         
>> $LOCAL_WORKDIR/kerberos.tmp
    +  echo 'if [[ $? -eq 1 ]]; then'                                           >> $LOCAL_WORKDIR/kerberos.tmp
    +  echo "  kinit -kt $TRAF_KEYTAB_DIR/$TRAF_KEYTAB ${TRAF_USER}/\`hostname -f\`@${REALM}
>/dev/null 2>&1"                                                               
                                  >> $LOCAL_WORKDIR/kerberos.tmp
    +  echo "fi "                                                               >> $LOCAL_WORKDIR/kerberos.tmp
    +  echo ""                                                                  >> $LOCAL_WORKDIR/kerberos.tmp
    +  echo "# ---------------------------------------------------------------" >> $LOCAL_WORKDIR/kerberos.tmp
    +  echo "# Start trafodion kerberos ticket manager process"                 >> $LOCAL_WORKDIR/kerberos.tmp
    +  echo "# ---------------------------------------------------------------" >> $LOCAL_WORKDIR/kerberos.tmp
    +
    +  echo "${RENEW_TOOL} > /dev/null 2>&1"                                   
>> $LOCAL_WORKDIR/kerberos.tmp
    +  
    +  sudo cp $LOCAL_WORKDIR/kerberos.tmp $HOME_DIR/$TRAF_USER/kerberos.tmp
    +  sudo chown $TRAF_USER:$TRAF_USER $HOME_DIR/$TRAF_USER/kerberos.tmp
    +  if [[ "$all_node_count" -ne "1" ]]; then
    +    sudo su $TRAF_USER --command "$TRAF_PDCP $HOME_DIR/$TRAF_USER/kerberos.tmp $HOME_DIR/$TRAF_USER/kerberos.tmp"

    +    $TRAF_PDSH sudo su $TRAF_USER -c '"cat ~/kerberos.tmp >> ~/.bashrc"'
    +  else
    +    sudo su $TRAF_USER -c "cat ~/kerberos.tmp >> ~/.bashrc"
    +  fi
    +  rm $LOCAL_WORKDIR/kerberos.tmp
    +fi
    +
    +# Grant all privileges to the Trafodion principle in HBase
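Review bot: `KADMIN_CMD` at line 73 embeds the admin password in kadmin's argument list (`-w $ADMIN_PASSWD`), and that string is re-expanded on every `$KADMIN_CMD` call in the loop, so the password is visible to any local user via the process table and is recorded by sudo's command logging; the later `ADMIN_PASSWD="***"` assignments only overwrite a shell variable and do not undo that exposure. Drop `-w` and let kadmin prompt on the terminal, or authenticate with an admin keytab, e.g. `KADMIN_CMD="sudo kadmin -p $ADMIN_PRINCIPAL -k -t <admin-keytab-path> -s $KDC_SERVER -q"`, removing the `read -s` prompt accordingly. Separately, `TRAF_PRINCIPAL="$TRAF_USER/$HOST_NAME@REALM"` is missing the `$` before `REALM`, so it holds the literal text `@REALM`; it should read `TRAF_PRINCIPAL="$TRAF_USER/$HOST_NAME@$REALM"` like the `HBASE_PRINCIPAL` line directly below it. The hunk appears to be cut at the commented line, so the rest of the script is not visible here.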
    --- End diff --
    
    Do you mean "principal"?


