trafodion-codereview mailing list archives

From robertamarton <...@git.apache.org>
Subject [GitHub] incubator-trafodion pull request #558: TRAFODION [2056] Update installation ...
Date Tue, 28 Jun 2016 14:12:54 GMT
Github user robertamarton commented on a diff in the pull request:

    https://github.com/apache/incubator-trafodion/pull/558#discussion_r68763759
  
    --- Diff: docs/provisioning_guide/src/asciidoc/_chapters/enable_security.adoc ---
    @@ -26,25 +26,100 @@
     [[enable-security]]
     = Enable Security
     
    -If you do not enable security in {project-name}, then a client interface to {project-name}
may request a user name and password,
    -but {project-name} ignores the user name and password entered in the client interface,
and the session runs as the database *root* user,
    -`DB__ROOT`, without restrictions. If you want to restrict users, restrict access to certain
users only, or restrict access to an
    -object or operation, then you must enable security, which enforces authentication and
authorization. You can enable security
    -during installation by answering the {project-name} Installer's prompts or after installation
by running the `traf_authentication_setup`
    -script, which enables both authentication and authorization. For more information, see
    -<<enable-security-authentication-setup-script,Authentication Setup Script>>
below.
    +{project-name} supports user authentication with LDAP, integrates in Hadoop's Kerberos
environment and
    +supports authorization through database grant and revoke requests (privileges).
    +
    +If this is an initial installation, both LDAP and Kerberos can be configured by running
{project-name} installer.
    +If {project-name} is already installed, then both LDAP and Kerberos can be configured
by running {project-name} 
    +security installer. 
    +
    +* If Hadoop has enabled Kerberos, then {project-name} must also enable Kerberos.
    +* If Kerberos is enabled, then LDAP must be enabled.
    +* If LDAP is enabled, then database authorization (privilege support) is automatically
enabled.
    +* If Kerberos is not enabled, then enabling LDAP is optional.
    +
    +[[enable-security-kerberos]]
    +== Configuring {project-name} for Kerberos
    +Kerberos is a protocol for authenticating a request for a service or operation.  It uses
the notion of a ticket to verify accessibility.  
    +The ticket is proof of identity encrypted with a secret key for the particular requested
service.  Tickets exist for a short time and 
    +then expire. Therefore, you can use the service as long as your ticket is valid (i.e.
not expired).  Hadoop uses Kerberos to provide 
    +security for its services, as such {project-name} needs to function properly with Hadoop
that has Kerberos enabled.  
    +
    +=== Kerberos configuration file
    +It is assumed that Kerberos has already been setup on all the nodes by the time Trafodion
is installed. 
    +This section briefly discusses the Kerberos configuration file for reference.
    +
    +The Kerberos configuration file defaults to /etc/krb5.conf and contains, among other
attributes:
    +
    +```
    +* log location: location where Kerberos errors and other information is logged
    +* KDC location: host location where the KDC (Key Distribution Center) is located
    +* admin server location: host location where the Kerberos admin server is located
    +* realm: the set of nodes that share a Kerberos database 
    +* ticket defaults: contains defaults for ticket lifetimes, encoding, and other attributes
    +```
     
    -{project-name} does not manage user names and passwords internally but does support authentication
via directory servers that support
    +You need to have access to a Kerberos administrator account to enable Kerberos for Trafodion.
 The following is an example request that lists principals defined in the Kerberos database
that can be used to test connectivity: 
    +
    +```
    +kadmin -p 'kdcadmin/admin' -w 'kdcadmin123' -s 'kdc.server' -q 'listprincs'
    +* -p (principal): please replace 'kdcadmin/admin' with your admin principal
    +* -w (password): please replace 'kdadmin123' with the password for the admin principal
    +* -s (server location): please replace 'kdc.server' with your KDC admin server location
    +* -q (command): defines the command to run, in this case principals are returned
    +```
    +=== Ticket Management
    +When Kerberos is enabled in {project-name}, the security installation process:
    +
    +* Adds a Trafodion principal in Kerberos, one per node with the name trafodion/hostname@realm.
    +* Creates a keytab for each principal and distributes the keytab to each node. The keytab
name is the same for all nodes 
    +and defaults to a value based on the distribution, for example: etc/trafodion/keytabs/trafodion.service.keytab.
    +* Performs a "kinit" on all nodes in the cluster for the `trafodion` user.
    +* Add commands to perform "kinit" and to start the ticket renewal procedure to the `trafodion`
.bashrc scripts on each node. 
    +
    +The ticket renewal service renews tickets up until the maximum number of renewals allowed.
 So if your ticket lifetime is 
    +one day and the number of renewals is seven days, the ticket renewal service automatically
renews tickets six times.  Once 
    +the ticket expires, it must be initialized again to continue running Trafodion.  Connecting
to each node as the `trafodion` 
    +user initializes the ticket if one does not exist.
    +
    +TBD - add details on how tickets can be managed at the cluster level.
    +
    +=== Kerberos installation
    +The {project-name} installation scripts automatically determine if Kerberos is enabled
on the node.  If it is enabled,
    +then the environment variable SECURE_HADOOP is set to "Y".  
    +
    +The following are questions that will be asked related to Kerberos:
    +
    +* Enter KDC server address, default is []: – no default
    +* Enter admin principal (include realm), default is []:  - no default
    +* Enter fully qualified name for HBase keytab, default is []: - Installer searches for
a valid keytab based on the distribution
    +* Enter fully qualified name for HBase keytab, default is []: - Installer searches for
a valid keytab based on the distribution
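    Review bot: the `kadmin` example passes the admin password on the command line (`-w 'kdcadmin123'`), which leaves it in the shell history and makes it visible to other users through the process list; since this is documentation readers will copy, drop `-w` so `kadmin` prompts for the password, or at least add a sentence saying the option is shown only for illustration. The explanatory bullet beneath it also reads `'kdadmin123'` while the command says `'kdcadmin123'`, so the two should agree. Smaller points in the same hunk: the keytab path `etc/trafodion/keytabs/trafodion.service.keytab` is missing its leading slash; the two bullet lists are wrapped in ``` fences, which AsciiDoc renders as literal blocks rather than lists, so the fences should be removed; and the `TBD - add details on how tickets can be managed at the cluster level.` line should be resolved or removed before this merges.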
    --- End diff --
    
    The second bullet should be HDFS keytab - thanks for pointing this out.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
