author | Roman Shaposhnik <rvs@apache.org> | 2012-02-11 03:40:08 +0000 |
---|---|---|
committer | Roman Shaposhnik <rvs@apache.org> | 2012-02-11 03:40:08 +0000 |
commit | ce1d9d3c5dea28c269cb3f0e25ec7297607a73de (patch) | |
tree | 715a92061198358d41eb4da872080caa98a99584 /bigtop-deploy | |
parent | d77e4fa1903986171bb0c84c972f4dbba4291c07 (diff) |
BIGTOP-396. Missing resource dependencies in puppet for secure clusters (Patrick Taylor Ramsey via rvs)
git-svn-id: https://svn.apache.org/repos/asf/incubator/bigtop/trunk@1243000 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'bigtop-deploy')
5 files changed, 95 insertions, 31 deletions
diff --git a/bigtop-deploy/puppet/manifests/cluster.pp b/bigtop-deploy/puppet/manifests/cluster.pp
index 09980122..7879821e 100644
--- a/bigtop-deploy/puppet/manifests/cluster.pp
+++ b/bigtop-deploy/puppet/manifests/cluster.pp
@@ -53,12 +53,6 @@ class hadoop_cluster_node {
 $kerberos_kdc_server = extlookup("hadoop_kerberos_kdc_server")
 include kerberos::client
- kerberos::client::host_keytab { ["hdfs", "mapred", "hbase", "oozie"]:
- princs_map => { hdfs => [ "host", "hdfs" ],
- mapred => [ "mapred" ],
- hbase => [ "hbase" ],
- oozie => [ "oozie" ], },
- }
 }
 }
@@ -89,7 +83,7 @@ class hadoop_worker_node inherits hadoop_cluster_node {
 class hadoop_head_node inherits hadoop_cluster_node {
 if ($hadoop_security_authentication == "kerberos") {
- include kerberos::kdc, kerberos::kdc::admin_server
+ include kerberos::server
 }
 hadoop::namenode { "namenode":
@@ -133,6 +127,7 @@ class hadoop_head_node inherits hadoop_cluster_node {
 }
 hadoop::create_hdfs_dirs { [ "/mapred", "/tmp", "/system", "/user", "/hbase", "/benchmarks", "/user/jenkins", "/user/hive" ]:
+ auth => $hadoop_security_authentication,
 hdfs_dirs_meta => { "/tmp" => { perm => "777", user => "hdfs" },
 "/mapred" => { perm => "755", user => "mapred" },
 "/system" => { perm => "755", user => "hdfs" },
diff --git a/bigtop-deploy/puppet/modules/hadoop-hbase/manifests/init.pp b/bigtop-deploy/puppet/modules/hadoop-hbase/manifests/init.pp
index a151c07b..40943672 100644
--- a/bigtop-deploy/puppet/modules/hadoop-hbase/manifests/init.pp
+++ b/bigtop-deploy/puppet/modules/hadoop-hbase/manifests/init.pp
@@ -22,6 +22,11 @@ class hadoop-hbase {
 class common-server-config {
 include client-package
+ if ($kerberos_realm) {
+ require kerberos::client
+ kerberos::host_keytab { "hbase":
+ }
+ }
 file { "/etc/hbase/conf/hbase-site.xml":
 content => template("hadoop-hbase/hbase-site.xml"),
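Review bot: `if ($kerberos_realm)` in `common-server-config` tests a variable that is not a parameter of that class, so it presumably reaches the class only by dynamic scope from the `master`/regionserver define that includes it (`define master(..., $kerberos_realm = "")` is visible in the next hunk); under the lexical scoping of later Puppet releases the test would silently evaluate as false and no `hbase` keytab would be provisioned, with no error to point at. Making the dependency explicit, for example by giving the class a `$kerberos_realm` parameter that the defines pass through, would keep the secure path from being skipped silently. The body of `common-server-config` continues outside the hunk.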
@@ -51,6 +56,7 @@ class hadoop-hbase {
 hasrestart => true,
 hasstatus => true,
 }
+ Kerberos::Host_keytab <| title == "hbase" |> -> Service["hbase-regionserver"]
 }
 define master($rootdir, $zookeeper_quorum, $kerberos_realm = "") {
@@ -67,5 +73,6 @@ class hadoop-hbase {
 hasrestart => true,
 hasstatus => true,
 }
+ Kerberos::Host_keytab <| title == "hbase" |> -> Service["hbase-master"]
 }
 }
diff --git a/bigtop-deploy/puppet/modules/hadoop-oozie/manifests/init.pp b/bigtop-deploy/puppet/modules/hadoop-oozie/manifests/init.pp
index b99d1a7a..0fa16e74 100644
--- a/bigtop-deploy/puppet/modules/hadoop-oozie/manifests/init.pp
+++ b/bigtop-deploy/puppet/modules/hadoop-oozie/manifests/init.pp
@@ -21,6 +21,12 @@ class hadoop-oozie {
 }
 define server($kerberos_realm = "") {
+ if ($kerberos_realm) {
+ require kerberos::client
+ kerberos::host_keytab { "oozie":
+ }
+ }
+
 package { "oozie":
 ensure => latest,
 }
@@ -36,6 +42,7 @@ class hadoop-oozie {
 hasrestart => true,
 hasstatus => true,
 }
+ Kerberos::Host_keytab <| title == "oozie" |> -> Service["oozie"]
 }
 }
diff --git a/bigtop-deploy/puppet/modules/hadoop/manifests/init.pp b/bigtop-deploy/puppet/modules/hadoop/manifests/init.pp
index cc419ffe..aac835f6 100644
--- a/bigtop-deploy/puppet/modules/hadoop/manifests/init.pp
+++ b/bigtop-deploy/puppet/modules/hadoop/manifests/init.pp
@@ -19,7 +19,23 @@ class hadoop {
 * Common definitions for hadoop nodes.
 * They all need these files so we can access hdfs/jobs from any node
 */
+
+ class kerberos {
+ require kerberos::client
+
+ kerberos::host_keytab { "hdfs":
+ princs => [ "host", "hdfs" ],
+ }
+
+ kerberos::host_keytab { [ "yarn", "mapred" ]:
+ }
+ }
+
 class common {
+ if ($auth == "kerberos") {
+ include hadoop::kerberos
+ }
+
 file { "/etc/hadoop/conf/core-site.xml":
 content => template('hadoop/core-site.xml'),
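Review bot: The new `hadoop::common` gates Kerberos provisioning on `$auth == "kerberos"`, while the hbase and oozie hunks in this same commit gate the identical provisioning on `$kerberos_realm` being non-empty; two unrelated switches for one security mode make it easy to secure the Hadoop daemons on a node and leave HBase or Oozie on that node without a keytab. Either deriving one switch from the other or documenting the pairing, e.g. `# $auth == "kerberos" must be set together with $kerberos_realm on hbase/oozie nodes`, would make the coupling visible. `$auth` is also not declared in `class common`, so it is presumably inherited by dynamic scope from the `hadoop::client` define whose `$auth = "simple"` parameter appears in a later hunk; the `common` class body continues outside the hunk.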
@@ -88,6 +104,7 @@ class hadoop {
 subscribe => [Package["hadoop-datanode"], File["/etc/hadoop/conf/core-site.xml"], File["/etc/hadoop/conf/hdfs-site.xml"], File["/etc/hadoop/conf/hadoop-env.sh"]],
 require => [ Package["hadoop-datanode"], File[$dirs] ],
 }
+ Kerberos::Host_keytab <| title == "hdfs" |> -> Service["hadoop-datanode"]
 file { $dirs:
 ensure => directory,
@@ -98,10 +115,25 @@ class hadoop {
 }
 }
- define create_hdfs_dirs($hdfs_dirs_meta) {
+ class kinit {
+ include hadoop::kerberos
+
+ exec { "HDFS kinit":
+ command => "/usr/bin/kinit -kt /etc/hdfs.keytab hdfs/$fqdn && /usr/bin/kinit -R",
+ user => "hdfs",
+ require => Kerberos::Host_keytab["hdfs"],
+ }
+ }
+
+ define create_hdfs_dirs($hdfs_dirs_meta, $auth="simple") {
 $user = $hdfs_dirs_meta[$title][user]
 $perm = $hdfs_dirs_meta[$title][perm]
+ if ($auth == "kerberos") {
+ require hadoop::kinit
+ Exec["HDFS kinit"] -> Exec["HDFS init $title"]
+ }
+
 exec { "HDFS init $title":
 user => "hdfs",
 command => "/bin/bash -c 'hadoop fs -mkdir $title && hadoop fs -chmod $perm $title && hadoop fs -chown $user $title'",
@@ -132,6 +164,7 @@ class hadoop {
 subscribe => [Package["hadoop-namenode"], File["/etc/hadoop/conf/core-site.xml"], File["/etc/hadoop/conf/hadoop-env.sh"]],
 require => [Package["hadoop-namenode"], Exec["namenode format"]],
 }
+ Kerberos::Host_keytab <| title == "hdfs" |> -> Service["hadoop-namenode"]
 exec { "namenode format":
 user => "hdfs",
@@ -180,6 +213,7 @@ class hadoop {
 mode => 755,
 require => [Package["hadoop"]],
 }
+ Kerberos::Host_keytab <| title == "mapred" |> -> Service["hadoop-jobtracker"]
 }
@@ -216,6 +250,7 @@ class hadoop {
 mode => 755,
 require => [Package["hadoop"]],
 }
+ Kerberos::Host_keytab <| title == "mapred" |> -> Service["hadoop-tasktracker"]
 }
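Review bot: `Exec["HDFS kinit"]` in the new `hadoop::kinit` class requests a ticket for `hdfs/$fqdn` (the `$fqdn` fact), while the keytab it requires is written by `kerberos::host_keytab`, whose principal host part defaults to `"$hostname.$domain"` in the kerberos module hunk; on a host where the two values differ the kinit will fail against the keytab that was just created, and the HDFS directory setup behind it with it. Passing one value to both sides, e.g. declaring the keytab as `kerberos::host_keytab { "hdfs": fqdn => $fqdn, princs => [ "host", "hdfs" ] }` in `hadoop::kerberos`, would remove the mismatch. The exec also has no `unless` or `refreshonly`, so it runs and reports a change on every agent run; that is tolerable for a renewable ticket but deserves a comment such as `# runs every agent run on purpose: refreshes the hdfs ticket cache before the HDFS init execs`. The `Exec["HDFS kinit"] -> Exec["HDFS init $title"]` chain inside `create_hdfs_dirs` is already implied by the preceding `require hadoop::kinit` and could be dropped.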
@@ -236,6 +271,7 @@ class hadoop {
 subscribe => [Package["hadoop-secondarynamenode"], File["/etc/hadoop/conf/core-site.xml"], File["/etc/hadoop/conf/hadoop-env.sh"]],
 require => [Package["hadoop-secondarynamenode"]],
 }
+ Kerberos::Host_keytab <| title == "hdfs" |> -> Service["hadoop-secondarynamenode"]
 }
 define client ($namenode_host, $namenode_port, $jobtracker_host, $jobtracker_port, $auth = "simple") {
diff --git a/bigtop-deploy/puppet/modules/kerberos/manifests/init.pp b/bigtop-deploy/puppet/modules/kerberos/manifests/init.pp
index 5e98741c..3748571d 100644
--- a/bigtop-deploy/puppet/modules/kerberos/manifests/init.pp
+++ b/bigtop-deploy/puppet/modules/kerberos/manifests/init.pp
@@ -61,15 +61,16 @@ class kerberos {
 }
 class kdc inherits kerberos::site {
- package { "$package_name_kdc":
+ package { $package_name_kdc:
 ensure => installed,
 }
- file { "$kdc_etc_path":
+ file { $kdc_etc_path:
 ensure => directory,
 owner => root,
 group => root,
 mode => "0700",
+ require => Package["$package_name_kdc"],
 }
 file { "${kdc_etc_path}/kdc.conf":
 content => template('kerberos/kdc.conf'),
@@ -98,7 +99,7 @@ class kerberos {
 require => [Package["$package_name_kdc"], File["${kdc_etc_path}/kdc.conf"], File["/etc/krb5.conf"]],
 }
- service { "$service_name_kdc":
+ service { $service_name_kdc:
 ensure => running,
 require => [Package["$package_name_kdc"], File["${kdc_etc_path}/kdc.conf"], Exec["kdb5_util"]],
 subscribe => File["${kdc_etc_path}/kdc.conf"],
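Review bot: The added `require => Package["$package_name_kdc"]` on the `$kdc_etc_path` directory keeps the quoted-variable form that the same hunk just removed from the `package` and `file` titles; the reference should follow the new convention, `require => Package[$package_name_kdc],`. The dependency itself is the right fix, since it stops Puppet from creating the 0700 directory before the package that owns it is installed; a short comment on the `file` resource, e.g. `# package creates this directory; set our ownership and mode after it is installed`, would record why the explicit ordering is there.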
@@ -125,32 +126,50 @@ class kerberos {
 }
 class client inherits kerberos::site {
- define create_princs {
- exec { "addprinc.$title":
- path => $kerberos::site::exec_path, # BUG: I really shouldn't need to do a FQVN here
- command => "kadmin -w secure -p kadmin/admin -q 'addprinc -randkey $title/$fqdn'",
- unless => "kadmin -w secure -p kadmin/admin -q listprincs | grep -q $title/$fqdn"
- }
+ package { $package_name_client:
+ ensure => installed,
 }
+ }
- define host_keytab($fqdn = "$hostname.$domain", $princs_map) {
- $princs = $princs_map[$title]
- $keytab = "/etc/${title}.keytab"
- $exports = inline_template("<%= princs.join('/$fqdn ') + '/$fqdn ' %>")
+ class server {
+ include kerberos::client
- create_princs { $princs:
- }
+ class { "kerberos::kdc": }
+ ->
+ Class["kerberos::client"]
- exec { "xst.$title":
- path => $kerberos::site::exec_path, # BUG: I really shouldn't need to do a FQVN here
- command => "kadmin -w secure -p kadmin/admin -q 'xst -k $keytab $exports' ; chown $title $keytab",
- unless => "klist -kt $keytab 2>/dev/null | grep -q $title/$fqdn",
- require => [ Create_princs[$princs] ],
- }
+ class { "kerberos::kdc::admin_server": }
+ ->
+ Class["kerberos::client"]
+ }
+
+ define create_princs {
+ exec { "addprinc.$title":
+ path => $kerberos::site::exec_path, # BUG: I really shouldn't need to do a FQVN here
+ command => "kadmin -w secure -p kadmin/admin -q 'addprinc -randkey $title/$fqdn'",
+ unless => "kadmin -w secure -p kadmin/admin -q listprincs | grep -q $title/$fqdn",
+ require => Package[$kerberos::site::package_name_client],
 }
+ }
- package { "$package_name_client":
- ensure => installed,
+ define host_keytab($fqdn = "$hostname.$domain", $princs = undef) {
+ $real_princs = $princs ? {
+ undef => [ $title ],
+ default => $princs,
+ }
+
+ $keytab = "/etc/${title}.keytab"
+ $exports = inline_template("<%= real_princs.join('/$fqdn ') + '/$fqdn ' %>")
+
+ create_princs { $real_princs:
+ }
+
+ exec { "xst.$title":
+ path => $kerberos::site::exec_path, # BUG: I really shouldn't need to do a FQVN here
+ command => "kadmin -w secure -p kadmin/admin -q 'xst -k $keytab $exports' ; chown $title $keytab",
+ unless => "klist -kt $keytab 2>/dev/null | grep -q $title/$fqdn",
+ require => [ Create_princs[$real_princs] ],
 }
 }
+ }
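Review bot: The `xst.$title` exec in the relocated `host_keytab` define chowns the keytab to the service user but never sets its mode, so `/etc/${title}.keytab` keeps whatever permissions kadmin created it with, which depend on the agent's umask and may leave the service key readable by other local users; `chmod 0600 $keytab` after the `chown` (or a `file { $keytab: mode => "0600", owner => $title }` resource ordered after the exec) pins it down. The `;` between `xst` and `chown` also means the `chown` runs even when the export failed, and the `unless` then only re-tries on the next run because no matching principal is in the keytab; `&&` would make the failure visible immediately. The `kadmin -w secure -p kadmin/admin` admin password in both `command` and `unless` is carried over unchanged by this move rather than introduced here, but since the define is being re-homed it is a good moment for a comment such as `# TODO: kadmin password is passed on the command line and appears in process listings and agent reports`. Note that `$fqdn` here defaults to `"$hostname.$domain"` while `hadoop::kinit` in this commit uses the `$fqdn` fact for the same principal, so the two should agree.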