author | Roman Shaposhnik <rvs@cloudera.com> | 2013-04-17 09:59:15 -0700 |
---|---|---|
committer | Roman Shaposhnik <rvs@cloudera.com> | 2013-04-24 15:27:54 -0700 |
commit | 5bf52db1c86d0db9d1d4728045954f37fc479b56 (patch) | |
tree | ac2f7b994596b39c55bbf6c5085263b2c2b69203 /bigtop-deploy | |
parent | 701e3715efc453fcf3e69c782e68474375bf2111 (diff) |
BIGTOP-931. a few improvements to secure puppet deployment code
Diffstat (limited to 'bigtop-deploy')
11 files changed, 27 insertions, 12 deletions
diff --git a/bigtop-deploy/puppet/manifests/cluster.pp b/bigtop-deploy/puppet/manifests/cluster.pp
index b889eb9d..97b975b2 100644
--- a/bigtop-deploy/puppet/manifests/cluster.pp
+++ b/bigtop-deploy/puppet/manifests/cluster.pp
@@ -119,6 +119,11 @@ class hadoop_worker_node inherits hadoop_cluster_node {
 groups => 'wheel',
 }
+ if ($hadoop_security_authentication == "kerberos") {
+ kerberos::host_keytab { $bigtop_real_users: }
+ User<||> -> Kerberos::Host_keytab<||>
+ }
+
 hadoop::datanode { "datanode":
 namenode_host => $hadoop_namenode_host,
 namenode_port => $hadoop_namenode_port,
diff --git a/bigtop-deploy/puppet/modules/hadoop-hbase/manifests/init.pp b/bigtop-deploy/puppet/modules/hadoop-hbase/manifests/init.pp
index 5e26ccd9..e1029864 100644
--- a/bigtop-deploy/puppet/modules/hadoop-hbase/manifests/init.pp
+++ b/bigtop-deploy/puppet/modules/hadoop-hbase/manifests/init.pp
@@ -26,6 +26,7 @@ class hadoop-hbase {
 require kerberos::client
 kerberos::host_keytab { "hbase":
 spnego => true,
+ require => Package["hbase"],
 }
 file { "/etc/hbase/conf/jaas.conf":
diff --git a/bigtop-deploy/puppet/modules/hadoop-oozie/manifests/init.pp b/bigtop-deploy/puppet/modules/hadoop-oozie/manifests/init.pp
index deb198f6..572203ab 100644
--- a/bigtop-deploy/puppet/modules/hadoop-oozie/manifests/init.pp
+++ b/bigtop-deploy/puppet/modules/hadoop-oozie/manifests/init.pp
@@ -25,6 +25,7 @@ class hadoop-oozie {
 require kerberos::client
 kerberos::host_keytab { "oozie":
 spnego => true,
+ require => Package["oozie"],
 }
 }
diff --git a/bigtop-deploy/puppet/modules/hadoop-oozie/templates/oozie-site.xml b/bigtop-deploy/puppet/modules/hadoop-oozie/templates/oozie-site.xml
index 0e0a8524..ef39045b 100644
--- a/bigtop-deploy/puppet/modules/hadoop-oozie/templates/oozie-site.xml
+++ b/bigtop-deploy/puppet/modules/hadoop-oozie/templates/oozie-site.xml
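Review bot: In the cluster.pp hunk `kerberos::host_keytab { $bigtop_real_users: }` is declared for every worker node in kerberos mode, so a node where `$bigtop_real_users` is not set will most likely fail catalog compilation on an undefined resource title instead of simply creating no user keytabs; guarding it as `if ($hadoop_security_authentication == "kerberos" and $bigtop_real_users) {` makes the variable optional, or the manifest should document that it is mandatory in secure mode. The define being instantiated here is also extended in this same commit (kerberos/manifests/init.pp) to run `kinit -kt` as each `$title`, so every listed account ends up with a ticket cache on every worker node; a one-line comment stating that this is the intent, e.g. `# one keytab plus a kinit per real user on this node`, would save the next reader a cross-file hunt. The class hadoop_worker_node continues outside the hunk.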
@@ -333,10 +333,8 @@
 <!-- Proxyuser Configuration -->
- <!--
-
 <property>
- <name>oozie.service.ProxyUserService.proxyuser.#USER#.hosts</name>
+ <name>oozie.service.ProxyUserService.proxyuser.hue.hosts</name>
 <value>*</value>
 <description>
 List of hosts the '#USER#' user is allowed to perform 'doAs'
@@ -353,7 +351,7 @@
 </property>
 <property>
- <name>oozie.service.ProxyUserService.proxyuser.#USER#.groups</name>
+ <name>oozie.service.ProxyUserService.proxyuser.hue.groups</name>
 <value>*</value>
 <description>
 List of groups the '#USER#' user is allowed to impersonate users
@@ -368,7 +366,4 @@
 in the property name.
 </description>
 </property>
-
- -->
-
 </configuration>
diff --git a/bigtop-deploy/puppet/modules/hadoop-zookeeper/manifests/init.pp b/bigtop-deploy/puppet/modules/hadoop-zookeeper/manifests/init.pp
index 8a809e29..8e0c7576 100644
--- a/bigtop-deploy/puppet/modules/hadoop-zookeeper/manifests/init.pp
+++ b/bigtop-deploy/puppet/modules/hadoop-zookeeper/manifests/init.pp
@@ -62,6 +62,7 @@ class hadoop-zookeeper {
 kerberos::host_keytab { "zookeeper":
 spnego => true,
 notify => Service["zookeeper-server"],
+ require => Package["zookeeper-server"],
 }
 file { "/etc/zookeeper/conf/java.env":
diff --git a/bigtop-deploy/puppet/modules/hadoop/manifests/init.pp b/bigtop-deploy/puppet/modules/hadoop/manifests/init.pp
index 0b92f563..7355e7c0 100644
--- a/bigtop-deploy/puppet/modules/hadoop/manifests/init.pp
+++ b/bigtop-deploy/puppet/modules/hadoop/manifests/init.pp
@@ -26,11 +26,13 @@ class hadoop {
 kerberos::host_keytab { "hdfs":
 princs => [ "host", "hdfs" ],
 spnego => true,
+ require => Package["hadoop-hdfs"],
 }
 kerberos::host_keytab { [ "yarn", "mapred" ]:
 tag => "mapreduce",
 spnego => true,
+ require => Package["hadoop-yarn"],
 }
 }
@@ -174,6 +176,7 @@ class hadoop {
 if ($auth == "kerberos") {
 kerberos::host_keytab { "httpfs":
 spnego => true,
+ require => Package["hadoop-httpfs"],
 }
 }
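Review bot: The newly active `oozie.service.ProxyUserService.proxyuser.hue.hosts` and `.groups` properties both keep `<value>*</value>`, so Oozie will honour `doAs` from the hue principal for any user, from any host. The `hosts` value can be narrowed to the Hue server's FQDN(s) without affecting Hue itself; at `*`, any host that obtains hue credentials can act as every Oozie user, which is the broadest impersonation grant the service offers. The unchanged `<description>` text still says '#USER#' although the property is now concrete; replacing it with 'hue' in the same edit keeps the generated file self-explanatory.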
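Review bot: In the first hadoop/manifests/init.pp hunk the combined `kerberos::host_keytab { [ "yarn", "mapred" ]: ... require => Package["hadoop-yarn"] }` orders the `mapred` keytab only after the yarn package; if the `mapred` account is created by a different package (as I believe it is in Bigtop), that keytab can be provisioned before its owner exists, and the `exec` this commit adds to the define runs as `user => $title`, which needs that account to be present. Either split the declaration so each keytab requires the package that creates its user, or extend the list, e.g. `require => [Package["hadoop-yarn"], Package["<package that creates mapred>"]],`. The same single-package dependency pattern is used for the `hdfs` and `httpfs` keytabs in this file, where it looks correct.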
diff --git a/bigtop-deploy/puppet/modules/hadoop/templates/container-executor.cfg b/bigtop-deploy/puppet/modules/hadoop/templates/container-executor.cfg
index 7c6fb0ae..4cabe8c4 100644
--- a/bigtop-deploy/puppet/modules/hadoop/templates/container-executor.cfg
+++ b/bigtop-deploy/puppet/modules/hadoop/templates/container-executor.cfg
@@ -1,3 +1,3 @@
 yarn.nodemanager.linux-container-executor.group=yarn
 #banned.users=foo,bar
-#min.user.id=1000
+min.user.id=499
diff --git a/bigtop-deploy/puppet/modules/hue/manifests/init.pp b/bigtop-deploy/puppet/modules/hue/manifests/init.pp
index f4a7b570..7d0fccee 100644
--- a/bigtop-deploy/puppet/modules/hue/manifests/init.pp
+++ b/bigtop-deploy/puppet/modules/hue/manifests/init.pp
@@ -21,6 +21,7 @@ class hue {
 require kerberos::client
 kerberos::host_keytab { "hue":
 spnego => false,
+ require => Package["hue"],
 }
 }
diff --git a/bigtop-deploy/puppet/modules/hue/templates/hue.ini b/bigtop-deploy/puppet/modules/hue/templates/hue.ini
index cf4fe8d6..35b90f21 100644
--- a/bigtop-deploy/puppet/modules/hue/templates/hue.ini
+++ b/bigtop-deploy/puppet/modules/hue/templates/hue.ini
@@ -225,7 +225,7 @@
 # Kerberos principal name for Hue
 hue_principal=hue/<%= fqdn %>
 # Path to kinit
- kinit_path=<%= (operatingsystem == 'ubuntu') ? '/usr/bin' : '/usr/kerberos/bin' %>
+ kinit_path=<%= (operatingsystem == 'ubuntu') ? '/usr/bin' : '/usr/kerberos/bin' %>/kinit
 <% end %>
diff --git a/bigtop-deploy/puppet/modules/kerberos/manifests/init.pp b/bigtop-deploy/puppet/modules/kerberos/manifests/init.pp
index a57b7404..7e7f35d2 100644
--- a/bigtop-deploy/puppet/modules/kerberos/manifests/init.pp
+++ b/bigtop-deploy/puppet/modules/kerberos/manifests/init.pp
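Review bot: `min.user.id=499` lowers the UID floor the LinuxContainerExecutor enforces to the RHEL/CentOS system-account boundary, but the template is not OS-conditional (the hue.ini hunk in this same commit does branch on `operatingsystem`), so on Debian/Ubuntu, where system accounts extend to UID 999, containers may now be launched as system service accounts. The value was presumably dropped to admit Bigtop's own service users created below 500; that reason should be recorded, e.g. `# 499: admit service accounts created in the RHEL system-UID range (<500); raise on Debian-family hosts`, and the value templated per OS like the Hue path is. Since `banned.users` stays commented out, it would also be worth listing the accounts that must never run containers (hdfs, yarn, mapred) explicitly rather than relying on whatever default list the installed container-executor binary carries.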
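Review bot: In the hue.ini hunk the corrected `kinit_path` still falls back to `/usr/kerberos/bin/kinit` for every non-Ubuntu OS; as far as I know that location is specific to older RHEL-family releases, and on RHEL/CentOS 6 and later kinit is installed under `/usr/bin`, so Hue's ticket renewal would fail there with a missing binary. If the old path is only needed for those releases, gate the ternary on the release as well or make `/usr/bin/kinit` the default, and state the supported layouts in the `# Path to kinit` comment.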
@@ -115,7 +115,7 @@ class kerberos {
 service { $service_name_kdc:
 ensure => running,
 require => [Package["$package_name_kdc"], File["${kdc_etc_path}/kdc.conf"], Exec["kdb5_util"]],
- subscribe => File["${kdc_etc_path}/kdc.conf"],
+ subscribe => [File["${kdc_etc_path}/kadm5.acl"], File["${kdc_etc_path}/kdc.conf"]],
 hasrestart => true,
 }
@@ -131,6 +131,7 @@ class kerberos {
 service { "$service_name_admin":
 ensure => running,
 require => [Package["$package_name_admin"], Service["$service_name_kdc"]],
+ subscribe => [File["${kdc_etc_path}/kadm5.acl"], File["${kdc_etc_path}/kdc.conf"]],
 hasrestart => true,
 restart => "${se_hack} ; service ${service_name_admin} restart",
 start => "${se_hack} ; service ${service_name_admin} start",
@@ -213,5 +214,12 @@ EOF
 require => [ Kerberos::Principal[$requested_princs], Kerberos::Principal[$internal_princs] ],
 }
+
+ exec { "aquire $title keytab":
+ path => $kerberos::site::exec_path,
+ user => $title,
+ command => "kinit -kt $keytab ${title}/$::fqdn",
+ require => Exec["ktinject.$title"],
+ }
 }
 }
diff --git a/bigtop-deploy/puppet/modules/kerberos/templates/kdc.conf b/bigtop-deploy/puppet/modules/kerberos/templates/kdc.conf
index dd135fd9..dc35b324 100644
--- a/bigtop-deploy/puppet/modules/kerberos/templates/kdc.conf
+++ b/bigtop-deploy/puppet/modules/kerberos/templates/kdc.conf
@@ -16,7 +16,7 @@ default_realm = <%= realm %>
 [kdcdefaults]
- v4_mode = nopreauth
+ # v4_mode = nopreauth
 kdc_ports = 0
 [realms]
@@ -31,5 +31,5 @@ default_realm = <%= realm %>
 master_key_type = des3-hmac-sha1
 supported_enctypes = arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
 # supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
- default_principal_flags = +preauth
+ # default_principal_flags = -preauth
 }
|
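Review bot: The new `exec { "aquire $title keytab": ... }` in the third kerberos/manifests/init.pp hunk has no `refreshonly`, `creates` or `unless`, so `kinit -kt` runs as `$title` on every agent run, rewriting that user's default credential cache each time and producing a steady stream of AS-REQs in the KDC log that is hard to tell apart from a misbehaving client. If the kinit is meant to validate the injected keytab, make it `refreshonly => true, subscribe => Exec["ktinject.$title"],` (keeping the `require`) so it fires once per keytab change; if the cache is meant to persist for the user, say so in a comment, because a long-lived TGT in a per-user cache on every node is a credential the operators need to know about. The title is also misspelled (`aquire`); `acquire $title keytab` reads better in reports. The enclosing define starts outside the hunk.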
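Review bot: In the second kdc.conf hunk, commenting out `default_principal_flags = +preauth` means principals created after this change no longer carry the requires-preauth flag, so the KDC will return an AS-REP encrypted under a principal's long-term key without the client first proving it knows that key; that removes the realm's main protection against offline password guessing for every user principal. The replacement comment also records the old value as `-preauth`, which is not what the removed line said. If preauth had to be disabled for some client the hunk does not mention, keep the flag and grant the exception per principal in kadmin instead, or at minimum restore `# default_principal_flags = +preauth` with a line stating why it is off so the regression is visible to the next reader.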