Google Git
Sign in
apache / metron / 410993daf60dfe898a973fa8a9906ddbffd83208 / . / current-book / metron-deployment / Kerberos-manual-setup.html
blob: 9de283b892fcadcd692262f53e8badd41716ee1e [file] [log] [blame]
<!DOCTYPE html>
<!--
| Generated by Apache Maven Doxia Site Renderer 1.8 from src/site/markdown/metron-deployment/Kerberos-manual-setup.md at 2019-05-14
| Rendered using Apache Maven Fluido Skin 1.7
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="Date-Revision-yyyymmdd" content="20190514" />
<meta http-equiv="Content-Language" content="en" />
<title>Metron &#x2013; Kerberos Setup</title>
<link rel="stylesheet" href="../css/apache-maven-fluido-1.7.min.css" />
<link rel="stylesheet" href="../css/site.css" />
<link rel="stylesheet" href="../css/print.css" media="print" />
<script type="text/javascript" src="../js/apache-maven-fluido-1.7.min.js"></script>
<script type="text/javascript">
$( document ).ready( function() { $( '.carousel' ).carousel( { interval: 3500 } ) } );
</script>
</head>
<body class="topBarDisabled">
<div class="container-fluid">
<div id="banner">
<div class="pull-left"><a href="http://metron.apache.org/" id="bannerLeft"><img src="../images/metron-logo.png" alt="Apache Metron" width="148px" height="48px"/></a></div>
<div class="pull-right"></div>
<div class="clear"><hr/></div>
</div>
<div id="breadcrumbs">
<ul class="breadcrumb">
<li class=""><a href="http://www.apache.org" class="externalLink" title="Apache">Apache</a><span class="divider">/</span></li>
<li class=""><a href="http://metron.apache.org/" class="externalLink" title="Metron">Metron</a><span class="divider">/</span></li>
<li class=""><a href="../index.html" title="Documentation">Documentation</a><span class="divider">/</span></li>
<li class="active ">Kerberos Setup</li>
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 2019-05-14</li>
<li id="projectVersion" class="pull-right">Version: 0.7.1</li>
</ul>
</div>
<div class="row-fluid">
<div id="leftColumn" class="span2">
<div class="well sidebar-nav">
<ul class="nav nav-list">
<li class="nav-header">User Documentation</li>
<li><a href="../index.html" title="Metron"><span class="icon-chevron-down"></span>Metron</a>
<ul class="nav nav-list">
<li><a href="../CONTRIBUTING.html" title="CONTRIBUTING"><span class="none"></span>CONTRIBUTING</a></li>
<li><a href="../Upgrading.html" title="Upgrading"><span class="none"></span>Upgrading</a></li>
<li><a href="../metron-analytics/index.html" title="Analytics"><span class="icon-chevron-right"></span>Analytics</a></li>
<li><a href="../metron-contrib/metron-docker/index.html" title="Docker"><span class="none"></span>Docker</a></li>
<li><a href="../metron-contrib/metron-performance/index.html" title="Performance"><span class="none"></span>Performance</a></li>
<li><a href="../metron-deployment/index.html" title="Deployment"><span class="icon-chevron-down"></span>Deployment</a>
<ul class="nav nav-list">
<li><a href="../metron-deployment/Kerberos-ambari-setup.html" title="Kerberos-ambari-setup"><span class="none"></span>Kerberos-ambari-setup</a></li>
<li class="active"><a href="#"><span class="none"></span>Kerberos-manual-setup</a></li>
<li><a href="../metron-deployment/amazon-ec2/index.html" title="Amazon-ec2"><span class="none"></span>Amazon-ec2</a></li>
<li><a href="../metron-deployment/ansible/index.html" title="Ansible"><span class="icon-chevron-right"></span>Ansible</a></li>
<li><a href="../metron-deployment/development/index.html" title="Development"><span class="icon-chevron-right"></span>Development</a></li>
<li><a href="../metron-deployment/other-examples/index.html" title="Other-examples"><span class="icon-chevron-right"></span>Other-examples</a></li>
<li><a href="../metron-deployment/packaging/ambari/index.html" title="Ambari"><span class="icon-chevron-right"></span>Ambari</a></li>
<li><a href="../metron-deployment/packaging/docker/ansible-docker/index.html" title="Ansible-docker"><span class="none"></span>Ansible-docker</a></li>
<li><a href="../metron-deployment/packaging/docker/deb-docker/index.html" title="Deb-docker"><span class="none"></span>Deb-docker</a></li>
<li><a href="../metron-deployment/packaging/docker/rpm-docker/index.html" title="Rpm-docker"><span class="none"></span>Rpm-docker</a></li>
<li><a href="../metron-deployment/packaging/packer-build/index.html" title="Packer-build"><span class="none"></span>Packer-build</a></li>
</ul>
</li>
<li><a href="../metron-interface/index.html" title="Interface"><span class="icon-chevron-right"></span>Interface</a></li>
<li><a href="../metron-platform/index.html" title="Platform"><span class="icon-chevron-right"></span>Platform</a></li>
<li><a href="../metron-sensors/index.html" title="Sensors"><span class="icon-chevron-right"></span>Sensors</a></li>
<li><a href="../metron-stellar/stellar-3rd-party-example/index.html" title="Stellar-3rd-party-example"><span class="none"></span>Stellar-3rd-party-example</a></li>
<li><a href="../metron-stellar/stellar-common/index.html" title="Stellar-common"><span class="icon-chevron-right"></span>Stellar-common</a></li>
<li><a href="../metron-stellar/stellar-zeppelin/index.html" title="Stellar-zeppelin"><span class="none"></span>Stellar-zeppelin</a></li>
<li><a href="../use-cases/index.html" title="Use-cases"><span class="icon-chevron-right"></span>Use-cases</a></li>
</ul>
</li>
</ul>
<hr />
<div id="poweredBy">
<div class="clear"></div>
<div class="clear"></div>
<div class="clear"></div>
<div class="clear"></div>
<a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy"><img class="builtBy" alt="Built by Maven" src="../images/logos/maven-feather.png" /></a>
</div>
</div>
</div>
<div id="bodyColumn" class="span10" >
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<h1>Kerberos Setup</h1>
<p>This document provides instructions for kerberizing Metron&#x2019;s Vagrant-based development environments. These instructions do not cover the Ambari MPack or sensors. General Kerberization notes can be found in the metron-deployment <a href="../index.html">README.md</a>.</p>
<ul>
<li><a href="#Setup">Setup</a></li>
<li><a href="#Setup_a_KDC">Setup a KDC</a></li>
<li><a href="#Verify_KDC">Verify KDC</a></li>
<li><a href="#Enable_Kerberos">Enable Kerberos</a></li>
<li><a href="#Kafka_Authorization">Kafka Authorization</a></li>
<li><a href="#HBase_Authorization">HBase Authorization</a></li>
<li><a href="#Storm_Authorization">Storm Authorization</a></li>
<li><a href="#Start_Metron">Start Metron</a></li>
<li><a href="#Push_Data">Push Data</a></li>
<li><a href="#More_Information">More Information</a></li>
<li><a href="#X-Pack">Elasticseach X-Pack</a></li>
<li><a href="#TGT_Ticket_Renew">TGT Ticket Renew</a></li>
</ul>
<div class="section">
<h2><a name="Setup"></a>Setup</h2>
<ol style="list-style-type: decimal">
<li>
<p>Deploy the <a href="development/centos6/index.html">development environment.</a>.</p>
</li>
<li>
<p>Export the following environment variables. These need to be set for the remainder of the instructions. Replace <tt>node1</tt> with the appropriate hosts, if you are running Metron anywhere other than Vagrant.</p>
<div>
<div>
<pre class="source"># execute as root
sudo su -
export KAFKA_HOME=&quot;/usr/hdp/current/kafka-broker&quot;
export ZOOKEEPER=node1:2181
export ELASTICSEARCH=node1:9200
export BROKERLIST=node1:6667
export HDP_HOME=&quot;/usr/hdp/current&quot;
export KAFKA_HOME=&quot;${HDP_HOME}/kafka-broker&quot;
export METRON_VERSION=&quot;${METRON_VERSION}&quot;
export METRON_HOME=&quot;/usr/metron/${METRON_VERSION}&quot;
</pre></div></div>
</li>
<li>
<p>Execute the following commands as root.</p>
<div>
<div>
<pre class="source">sudo su -
</pre></div></div>
</li>
<li>
<p>Stop all Metron topologies. They will be restarted again once Kerberos has been enabled.</p>
<div>
<div>
<pre class="source">for topology in bro snort enrichment indexing; do
storm kill $topology;
done
</pre></div></div>
</li>
<li>
<p>Create the <tt>metron</tt> user&#x2019;s home directory in HDFS.</p>
<div>
<div>
<pre class="source">sudo -u hdfs hdfs dfs -mkdir /user/metron
sudo -u hdfs hdfs dfs -chown metron:hdfs /user/metron
sudo -u hdfs hdfs dfs -chmod 770 /user/metron
</pre></div></div>
</li>
</ol></div>
<div class="section">
<h2><a name="Setup_a_KDC"></a>Setup a KDC</h2>
<ol style="list-style-type: decimal">
<li>
<p>Install dependencies.</p>
<div>
<div>
<pre class="source">yum -y install krb5-server krb5-libs krb5-workstation
</pre></div></div>
</li>
<li>
<p>Define the current host as the KDC.</p>
<div>
<div>
<pre class="source">KDC=`hostname`
sed -i.orig 's/kerberos.example.com/'&quot;$KDC&quot;'/g' /etc/krb5.conf
cp -f /etc/krb5.conf /var/lib/ambari-server/resources/scripts
</pre></div></div>
</li>
<li>
<p>Ensure that the KDC can issue renewable tickets. This may be necessary on a real cluster, but should not be on a <a href="development/centos6/index.html">single VM</a>.</p>
<p>Edit <tt>/var/kerberos/krb5kdc/kdc.conf</tt> and ensure the following is added to the <tt>realm</tt> section</p>
<div>
<div>
<pre class="source">max_renewable_life = 7d
</pre></div></div>
</li>
<li>
<p>Create the KDC principal database. You will be prompted for a password. This step takes a moment.</p>
<div>
<div>
<pre class="source">kdb5_util create -s
</pre></div></div>
</li>
<li>
<p>Start the KDC and ensure that it starts on boot.</p>
<div>
<div>
<pre class="source">/etc/rc.d/init.d/krb5kdc start
chkconfig krb5kdc on
</pre></div></div>
</li>
<li>
<p>Start the Kerberos Admin service and ensure that it starts on boot.</p>
<div>
<div>
<pre class="source">/etc/rc.d/init.d/kadmin start
chkconfig kadmin on
</pre></div></div>
</li>
<li>
<p>Setup the <tt>admin</tt> principal. You will be prompted for a password; do not forget it.</p>
<div>
<div>
<pre class="source">kadmin.local -q &quot;addprinc admin/admin&quot;
</pre></div></div>
</li>
<li>
<p>Setup the <tt>metron</tt> principal. You will <tt>kinit</tt> as the <tt>metron</tt> principal when running topologies. You will be prompted for a password; do not forget it.</p>
<div>
<div>
<pre class="source">kadmin.local -q &quot;addprinc metron&quot;
</pre></div></div>
</li>
</ol></div>
<div class="section">
<h2><a name="Verify_KDC"></a>Verify KDC</h2>
<ol style="list-style-type: decimal">
<li>
<p>Ticket renewal is disallowed by default in many Linux distributions. If the KDC cannot issue renewable tickets, an error will be thrown when starting Metron&#x2019;s Storm topologies:</p>
<div>
<div>
<pre class="source">Exception in thread &quot;main&quot; java.lang.RuntimeException:
java.lang.RuntimeException: The TGT found is not renewable
</pre></div></div>
</li>
<li>
<p>Ensure the Metron keytab is renewable. Look for the &#x2018;R&#x2019; flag in the output of the following command.</p>
<div>
<div>
<pre class="source">klist -f
</pre></div></div>
<ul>
<li>If the &#x2018;R&#x2019; flags are present, you may skip to next section.</li>
<li>If the &#x2018;R&#x2019; flags are absent, you will need to follow the below steps:</li>
</ul>
</li>
<li>
<p>If the KDC is already setup, then editing <tt>max_life</tt> and <tt>max_renewable_life</tt> in <tt>/var/kerberos/krb5kdc/kdc.conf</tt>, then restarting <tt>kadmin</tt> and <tt>krb5kdc</tt> services will not change the policies for existing users.</p>
<p>You need to set the renew lifetime for existing users and the <tt>krbtgt</tt> realm. Modify the appropriate principals to allow renewable tickets using the following commands. Adjust the parameters to match your desired KDC parameters:</p>
<div>
<div>
<pre class="source">kadmin.local -q &quot;modprinc -maxlife 1days -maxrenewlife 7days +allow_renewable krbtgt/EXAMPLE.COM@EXAMPLE.COM&quot;
kadmin.local -q &quot;modprinc -maxlife 1days -maxrenewlife 7days +allow_renewable metron@EXAMPLE.COM&quot;
</pre></div></div>
</li>
</ol></div>
<div class="section">
<h2><a name="Enable_Kerberos"></a>Enable Kerberos</h2>
<ol style="list-style-type: decimal">
<li>
<p>In <a class="externalLink" href="http://node1:8080">Ambari</a>, setup Storm to use Kerberos and run worker jobs as the submitting user.</p>
<p>a. Add the following properties to the custom storm-site:</p>
<div>
<div>
<pre class="source">topology.auto-credentials=['org.apache.storm.security.auth.kerberos.AutoTGT']
nimbus.credential.renewers.classes=['org.apache.storm.security.auth.kerberos.AutoTGT']
supervisor.run.worker.as.user=true
</pre></div></div>
<p>b. In the Storm config section in Ambari, choose &#x201c;Add Property&#x201d; under custom storm-site:</p>
<p><img src="../images/ambari-storm-site.png" alt="custom storm-site" /></p>
<p>c. In the dialog window, choose the &#x201c;bulk property add mode&#x201d; toggle button and add the below values:</p>
<p><img src="../images/ambari-storm-site-properties.png" alt="custom storm-site properties" /></p>
</li>
<li>
<p>Kerberize the cluster via Ambari. More detailed documentation can be found <a class="externalLink" href="http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_security/content/_enabling_kerberos_security_in_ambari.html">here</a>.</p>
<p>a. For this exercise, choose existing MIT KDC (this is what we setup and installed in the previous steps.)</p>
<p><img src="../images/enable-kerberos.png" alt="enable keberos" /></p>
<p><img src="../images/enable-kerberos-started.png" alt="enable keberos get started" /></p>
<p>b. Setup Kerberos configuration. Realm is EXAMPLE.COM. The admin principal will end up as <a class="externalLink" href="mailto:admin/admin@EXAMPLE.COM">admin/admin@EXAMPLE.COM</a> when testing the KDC. Use the password you entered during the step for adding the admin principal.</p>
<p><img src="../images/enable-kerberos-configure-kerberos.png" alt="enable keberos configure" /></p>
<p>c. Click through to &#x201c;Start and Test Services.&#x201d; Let the cluster spin up, but don&#x2019;t worry about starting up Metron via Ambari - we&#x2019;re going to run the parsers manually against the rest of the Hadoop cluster Kerberized. The wizard will fail at starting Metron, but this is OK. Click &#x201c;continue.&#x201d; When you&#x2019;re finished, the custom storm-site should look similar to the following:</p>
<p><img src="../images/custom-storm-site-final.png" alt="enable keberos configure" /></p>
</li>
<li>
<p>Create a Metron keytab</p>
<div>
<div>
<pre class="source">kadmin.local -q &quot;ktadd -k metron.headless.keytab metron@EXAMPLE.COM&quot;
cp metron.headless.keytab /etc/security/keytabs
chown metron:hadoop /etc/security/keytabs/metron.headless.keytab
chmod 440 /etc/security/keytabs/metron.headless.keytab
</pre></div></div>
</li>
</ol></div>
<div class="section">
<h2><a name="Kafka_Authorization"></a>Kafka Authorization</h2>
<ol style="list-style-type: decimal">
<li>
<p>Acquire a Kerberos ticket using the <tt>metron</tt> principal.</p>
<div>
<div>
<pre class="source">kinit -kt /etc/security/keytabs/metron.headless.keytab metron@EXAMPLE.COM
</pre></div></div>
</li>
<li>
<p>Create any additional Kafka topics that you will need. We need to create the topics before adding the required ACLs. The current full dev installation will deploy bro, snort, enrichments, and indexing only. For example, you may want to add a topic for &#x2018;yaf&#x2019; telemetry.</p>
<div>
<div>
<pre class="source">${KAFKA_HOME}/bin/kafka-topics.sh \
--zookeeper ${ZOOKEEPER} \
--create \
--topic yaf \
--partitions 1 \
--replication-factor 1
</pre></div></div>
</li>
<li>
<p>Setup Kafka ACLs for the <tt>bro</tt>, <tt>snort</tt>, <tt>enrichments</tt>, and <tt>indexing</tt> topics. Run the same command against any additional topics that you might be using; for example <tt>yaf</tt>.</p>
<div>
<div>
<pre class="source">export KERB_USER=metron
for topic in bro snort enrichments indexing; do
${KAFKA_HOME}/bin/kafka-acls.sh \
--authorizer kafka.security.auth.SimpleAclAuthorizer \
--authorizer-properties zookeeper.connect=${ZOOKEEPER} \
--add \
--allow-principal User:${KERB_USER} \
--topic ${topic}
done
</pre></div></div>
</li>
<li>
<p>Setup Kafka ACLs for the consumer groups. This command sets the ACLs for Bro, Snort, YAF, Enrichments, Indexing, and the Profiler. Execute the same command for any additional Parsers that you may be running.</p>
<div>
<div>
<pre class="source">export KERB_USER=metron
for group in bro_parser snort_parser yaf_parser enrichments indexing-ra indexing-batch profiler; do
${KAFKA_HOME}/bin/kafka-acls.sh \
--authorizer kafka.security.auth.SimpleAclAuthorizer \
--authorizer-properties zookeeper.connect=${ZOOKEEPER} \
--add \
--allow-principal User:${KERB_USER} \
--group ${group}
done
</pre></div></div>
</li>
<li>
<p>Add the <tt>metron</tt> principal to the <tt>kafka-cluster</tt> ACL.</p>
<div>
<div>
<pre class="source">${KAFKA_HOME}/bin/kafka-acls.sh \
--authorizer kafka.security.auth.SimpleAclAuthorizer \
--authorizer-properties zookeeper.connect=${ZOOKEEPER} \
--add \
--allow-principal User:${KERB_USER} \
--cluster kafka-cluster
</pre></div></div>
</li>
</ol></div>
<div class="section">
<h2><a name="HBase_Authorization"></a>HBase Authorization</h2>
<ol style="list-style-type: decimal">
<li>
<p>Acquire a Kerberos ticket using the <tt>hbase</tt> principal</p>
<div>
<div>
<pre class="source">kinit -kt /etc/security/keytabs/hbase.headless.keytab hbase-metron_cluster@EXAMPLE.COM
</pre></div></div>
</li>
<li>
<p>Grant permissions for the HBase tables used in Metron.</p>
<div>
<div>
<pre class="source">echo &quot;grant 'metron', 'RW', 'threatintel'&quot; | hbase shell
echo &quot;grant 'metron', 'RW', 'enrichment'&quot; | hbase shell
</pre></div></div>
</li>
<li>
<p>If you are using the Profiler, do the same for its HBase table.</p>
<div>
<div>
<pre class="source">echo &quot;create 'profiler', 'P'&quot; | hbase shell
echo &quot;grant 'metron', 'RW', 'profiler', 'P'&quot; | hbase shell
</pre></div></div>
</li>
</ol></div>
<div class="section">
<h2><a name="Storm_Authorization"></a>Storm Authorization</h2>
<ol style="list-style-type: decimal">
<li>
<p>Switch to the <tt>metron</tt> user and acquire a Kerberos ticket for the <tt>metron</tt> principal.</p>
<div>
<div>
<pre class="source">su metron
kinit -kt /etc/security/keytabs/metron.headless.keytab metron@EXAMPLE.COM
</pre></div></div>
</li>
<li>
<p>Create the directory <tt>/home/metron/.storm</tt> and switch to that directory.</p>
<div>
<div>
<pre class="source">mkdir /home/metron/.storm
cd /home/metron/.storm
</pre></div></div>
</li>
<li>
<p>Ensure the Metron keytab is renewable. See <a href="#Verify_KDC">Verify KDC</a> above.</p>
</li>
<li>
<p>Create a client JAAS file at <tt>/home/metron/.storm/client_jaas.conf</tt>. This should look identical to the Storm client JAAS file located at <tt>/etc/storm/conf/client_jaas.conf</tt> except for the addition of a <tt>Client</tt> stanza. The <tt>Client</tt> stanza is used for Zookeeper. All quotes and semicolons are necessary.</p>
<div>
<div>
<pre class="source">cat &lt;&lt; EOF &gt; client_jaas.conf
StormClient {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
renewTicket=true
serviceName=&quot;nimbus&quot;;
};
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab=&quot;/etc/security/keytabs/metron.headless.keytab&quot;
storeKey=true
useTicketCache=false
serviceName=&quot;zookeeper&quot;
principal=&quot;metron@EXAMPLE.COM&quot;;
};
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab=&quot;/etc/security/keytabs/metron.headless.keytab&quot;
storeKey=true
useTicketCache=false
serviceName=&quot;kafka&quot;
principal=&quot;metron@EXAMPLE.COM&quot;;
};
EOF
</pre></div></div>
</li>
<li>
<p>Create a YAML file at <tt>/home/metron/.storm/storm.yaml</tt>. This should point to the client JAAS file. Set the array of nimbus hosts accordingly.</p>
<div>
<div>
<pre class="source">cat &lt;&lt; EOF &gt; /home/metron/.storm/storm.yaml
nimbus.seeds : ['node1']
java.security.auth.login.config : '/home/metron/.storm/client_jaas.conf'
storm.thrift.transport : 'org.apache.storm.security.auth.kerberos.KerberosSaslTransportPlugin'
EOF
</pre></div></div>
</li>
<li>
<p>Create an auxiliary storm configuration file at <tt>/home/metron/storm-config.json</tt>. Note the login config option in the file points to the client JAAS file.</p>
<div>
<div>
<pre class="source">cat &lt;&lt; EOF &gt; /home/metron/storm-config.json
{
&quot;topology.worker.childopts&quot; : &quot;-Djava.security.auth.login.config=/home/metron/.storm/client_jaas.conf&quot;
}
EOF
</pre></div></div>
</li>
<li>
<p>Configure the Enrichment, Indexing and Profiler topologies to use the client JAAS file. To do this, the following key-value pairs:</p>
<ul>
<li><tt>kafka.security.protocol=PLAINTEXTSASL</tt></li>
<li><tt>topology.worker.childopts=-Djava.security.auth.login.config=/home/metron/.storm/client_jaas.conf</tt></li>
</ul>
<p>must be added to each of the topology properties files:</p>
<ul>
<li><tt>${METRON_HOME}/config/enrichment.properties</tt></li>
<li><tt>${METRON_HOME}/config/elasticsearch.properties</tt></li>
<li><tt>${METRON_HOME}/config/profiler.properties</tt></li>
</ul>
<p>You may use the following command to automate this step:</p>
<div>
<div>
<pre class="source">for file in enrichment.properties elasticsearch.properties profiler.properties; do
echo ${file}
sed -i &quot;s/^kafka.security.protocol=.*/kafka.security.protocol=PLAINTEXTSASL/&quot; &quot;${METRON_HOME}/config/${file}&quot;
sed -i &quot;s/^topology.worker.childopts=.*/topology.worker.childopts=-Djava.security.auth.login.config=\/home\/metron\/.storm\/client_jaas.conf/&quot; &quot;${METRON_HOME}/config/${file}&quot;
done
</pre></div></div>
</li>
</ol></div>
<div class="section">
<h2><a name="Start_Metron"></a>Start Metron</h2>
<ol style="list-style-type: decimal">
<li>
<p>Switch to the <tt>metron</tt> user and acquire a Kerberos ticket for the <tt>metron</tt> principal.</p>
<div>
<div>
<pre class="source">su metron
kinit -kt /etc/security/keytabs/metron.headless.keytab metron@EXAMPLE.COM
</pre></div></div>
</li>
<li>
<p>Restart the parser topologies. Be sure to pass in the new parameter, <tt>-ksp</tt> or <tt>--kafka_security_protocol</tt>. The following command will start only the Bro and Snort topologies. Execute the same command for any other Parsers that you may need, for example <tt>yaf</tt>.</p>
<div>
<div>
<pre class="source">for parser in bro snort; do
${METRON_HOME}/bin/start_parser_topology.sh \
-z ${ZOOKEEPER} \
-s ${parser} \
-ksp SASL_PLAINTEXT \
-e /home/metron/storm-config.json;
done
</pre></div></div>
</li>
<li>
<p>Restart the Enrichment and Indexing topologies.</p>
<div>
<div>
<pre class="source">${METRON_HOME}/bin/start_enrichment_topology.sh
${METRON_HOME}/bin/start_elasticsearch_topology.sh
</pre></div></div>
</li>
</ol>
<p>Metron should be ready to receive data.</p></div>
<div class="section">
<h2><a name="Push_Data"></a>Push Data</h2>
<ol style="list-style-type: decimal">
<li>
<p>Push some sample data to one of the parser topics. E.g for Bro we took raw data from <a href="../metron-platform/metron-integration-test/src/main/sample/data/bro/raw/BroExampleOutput/index.html">metron/metron-platform/metron-integration-test/src/main/sample/data/bro/raw/BroExampleOutput</a></p>
<div>
<div>
<pre class="source">cat sample-bro.txt | ${KAFKA_HOME}/kafka-broker/bin/kafka-console-producer.sh \
--broker-list ${BROKERLIST} \
--security-protocol SASL_PLAINTEXT \
--topic bro
</pre></div></div>
</li>
<li>
<p>Wait a few moments for data to flow through the system and then check for data in the Elasticsearch indices. Replace yaf with whichever parser type you&#x2019;ve chosen.</p>
<div>
<div>
<pre class="source">curl -XGET &quot;${ELASTICSEARCH}/bro*/_search&quot;
curl -XGET &quot;${ELASTICSEARCH}/bro*/_count&quot;
</pre></div></div>
</li>
<li>
<p>You should have data flowing from the parsers all the way through to the indexes. This completes the Kerberization instructions</p>
</li>
</ol></div>
<div class="section">
<h2><a name="More_Information"></a>More Information</h2>
<div class="section">
<h3><a name="Kerberos"></a>Kerberos</h3>
<p>Unsure of your Kerberos principal associated with a keytab? There are a couple ways to get this. One is via the list of principals that Ambari provides via downloadable csv. If you didn&#x2019;t download this list, you can also check the principal manually by running the following against the keytab.</p>
<div>
<div>
<pre class="source">klist -kt /etc/security/keytabs/&lt;keytab-file-name&gt;
</pre></div></div>
<p>E.g.</p>
<div>
<div>
<pre class="source">klist -kt /etc/security/keytabs/hbase.headless.keytab
Keytab name: FILE:/etc/security/keytabs/hbase.headless.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 03/28/17 19:29:36 hbase-metron_cluster@EXAMPLE.COM
1 03/28/17 19:29:36 hbase-metron_cluster@EXAMPLE.COM
1 03/28/17 19:29:36 hbase-metron_cluster@EXAMPLE.COM
1 03/28/17 19:29:36 hbase-metron_cluster@EXAMPLE.COM
1 03/28/17 19:29:36 hbase-metron_cluster@EXAMPLE.COM
</pre></div></div>
</div>
<div class="section">
<h3><a name="Kafka_with_Kerberos_enabled"></a>Kafka with Kerberos enabled</h3>
<div class="section">
<h4><a name="Running_Sensors"></a>Running Sensors</h4>
<p>A couple steps are required to produce data to a Kerberized Kafka topic. On the host you&#x2019;ll be setting up your sensor(s), switch to the metron user and create a client_jaas.conf file in the metron home directory if one doesn&#x2019;t already exist. It should be owned by metron:metron and contain at least the following stanza that tells the Kafka client how to interact with Kerberos:</p>
<div>
<div>
<pre class="source">su - metron
cat ${METRON_HOME}/client_jaas.conf
...
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab=&quot;/etc/security/keytabs/metron.headless.keytab&quot;
storeKey=true
useTicketCache=false
serviceName=&quot;kafka&quot;
principal=&quot;metron@EXAMPLE.COM&quot;;
};
</pre></div></div>
<p>You&#x2019;ll also need to set KAFKA_OPTS to tell the Kafka client how to interact with Kerberos.</p>
<div>
<div>
<pre class="source">export KAFKA_OPTS=&quot;-Djava.security.auth.login.config=${METRON_HOME}/client_jaas.conf&quot;
</pre></div></div>
<p>For sensors that leverage the Kafka console producer to pipe data into Metron, e.g. Snort and Yaf, you will need to modify the corresponding sensor shell scripts or config to append the SASL security protocol property. <tt>--security-protocol SASL_PLAINTEXT</tt>. Be sure to kinit with the metron user&#x2019;s keytab before executing the script that starts the sensor.</p>
<p>More notes can be found in <a href="../metron-sensors/index.html">metron/metron-sensors/README.md</a></p></div>
<div class="section">
<h4><a name="Write_data_to_a_topic_with_SASL"></a>Write data to a topic with SASL</h4>
<div>
<div>
<pre class="source">cat sample-yaf.txt | ${KAFKA_HOME}/bin/kafka-console-producer.sh \
--broker-list ${BROKERLIST} \
--security-protocol PLAINTEXTSASL \
--topic yaf
</pre></div></div>
</div>
<div class="section">
<h4><a name="View_topic_data_from_latest_offset_with_SASL"></a>View topic data from latest offset with SASL</h4>
<div>
<div>
<pre class="source">${KAFKA_HOME}/bin/kafka-console-consumer.sh \
--zookeeper ${ZOOKEEPER} \
--security-protocol PLAINTEXTSASL \
--topic yaf
</pre></div></div>
</div>
<div class="section">
<h4><a name="Modify_the_sensor-stubs_to_send_logs_via_SASL"></a>Modify the sensor-stubs to send logs via SASL</h4>
<div>
<div>
<pre class="source">sed -i 's/node1:6667 --topic/node1:6667 --security-protocol PLAINTEXTSASL --topic/' /opt/sensor-stubs/bin/start-*-stub
for sensorstub in bro snort; do
service sensor-stubs stop ${sensorstub};
service sensor-stubs start ${sensorstub};
done
</pre></div></div>
</div>
<div class="section">
<h4><a name="Model_as_a_Service_on_Kerberos"></a>Model as a Service on Kerberos</h4>
<p>MaaS works with kerberos, you have to remember to kinit with the metron user. There is one small issue out of the box (particularly on vagrant), you get an error like so when running <tt>$METRON_HOME/bin/maas_service.sh</tt>:</p>
<div>
<div>
<pre class="source">Requested user metron is not whitelisted and has id 501,which is below the minimum allowed 1000.
</pre></div></div>
<p>In order to correct this, you should:</p>
<ul>
<li>Navigate to the Yarn configuration in Ambari</li>
<li>Click on &#x201c;Advanced&#x201d;</li>
<li>Scroll to &#x201c;Advanced yarn-env&#x201d;</li>
<li>Adjust the &#x201c;Minimum user ID for submitting job&#x201d; config to 500 from 1000</li>
<li>You should then restart Yarn to have the change take effect.</li>
</ul></div></div>
<div class="section">
<h3><a name="References"></a>References</h3>
<ul>
<li><a class="externalLink" href="https://github.com/apache/storm/blob/master/SECURITY.md">https://github.com/apache/storm/blob/master/SECURITY.md</a></li>
</ul></div></div>
<div class="section">
<h2><a name="X-Pack"></a>X-Pack</h2>
<ol style="list-style-type: decimal">
<li>
<p>Stop the random_access_indexing topology through the Storm UI or from the CLI, e.g.</p>
<div>
<div>
<pre class="source">storm kill random_access_indexing
</pre></div></div>
</li>
<li>
<p><a class="externalLink" href="https://www.elastic.co/guide/en/x-pack/5.6/installing-xpack.html">Follow these instructions</a> to enable the X-Pack with Elasticsearch and Kibana. The X-Pack plugin will need installed on each of the nodes running Elasticsearch.</p>
</li>
<li>
<p>You need to be sure to add the appropriate username and password for Elasticsearch and Kibana to enable external connections from Metron components. e.g. the following will create a user &#x201c;transport_client_user&#x201d; with password &#x201c;changeme&#x201d; and &#x201c;superuser&#x201d; credentials.</p>
<div>
<div>
<pre class="source">sudo /usr/share/elasticsearch/bin/x-pack/users useradd transport_client_user -p changeme -r superuser
</pre></div></div>
</li>
<li>
<p>Once you&#x2019;ve picked a password to connect to ES, you need to upload a 1-line file to HDFS with that password in it. Metron will use this file to securely read the password in order to connect to ES securely.</p>
<p>Here is an example using &#x201c;changeme&#x201d; as the password</p>
<div>
<div>
<pre class="source">echo changeme &gt; /tmp/xpack-password
sudo -u hdfs hdfs dfs -mkdir /apps/metron/elasticsearch/
sudo -u hdfs hdfs dfs -put /tmp/xpack-password /apps/metron/elasticsearch/
sudo -u hdfs hdfs dfs -chown metron:metron /apps/metron/elasticsearch/xpack-password
</pre></div></div>
</li>
<li>
<p>New settings have been added to configure the Elasticsearch client.</p>
<p>Modify the <tt>es.client.settings</tt> key in global.json</p>
<div>
<div>
<pre class="source">$METRON_HOME/config/zookeeper/global.json -&gt;
&quot;es.client.settings&quot; : {
&quot;xpack.username&quot; : &quot;transport_client_user&quot;,
&quot;xpack.password.file&quot; : &quot;/apps/metron/elasticsearch/xpack-password&quot;
}
</pre></div></div>
<p>Submit the update to Zookeeper</p>
<div>
<div>
<pre class="source">$METRON_HOME/bin/zk_load_configs.sh -m PUSH -i $METRON_HOME/config/zookeeper/ -z $ZOOKEEPER
</pre></div></div>
</li>
<li>
<p>Now you can restart the Elasticsearch topology. Note, you should perform this step manually, as follows.</p>
<div>
<div>
<pre class="source">$METRON_HOME/bin/start_elasticsearch_topology.sh
</pre></div></div>
</li>
<li>
<p>Restart the metron-rest service, and make sure the elasticsearch-xpack-shaded-5.6.14.jar is in the METRON_REST_CLASSPATH when the metron-rest starts.</p>
</li>
</ol>
<p>Once you&#x2019;ve performed these steps, you should be able to start seeing data in your ES indexes.</p>
<div class="section">
<h3><a name="X-Pack_Common_Problems"></a>X-Pack Common Problems</h3>
<div class="section">
<h4><a name="java.io.FileNotFoundException:_File_.2Fapps.2Fmetron.2Felasticsearch.2Fxpack-password_does_not_exist"></a>java.io.FileNotFoundException: File /apps/metron/elasticsearch/xpack-password does not exist</h4></div>
<div class="section">
<h4><a name="Problem"></a>Problem</h4>
<p>The random access indexer topology fails with the following exception. This exception might occur on only some of the Storm worker nodes.</p>
<div>
<div>
<pre class="source"> 2018-07-02 10:24:08.267 o.a.s.util Thread-8-indexingBolt-executor[3 3] [ERROR] Async loop died!
java.lang.RuntimeException: java.lang.IllegalArgumentException: Unable to read XPack password file from HDFS location '/apps/metron/elasticsearch/xpack-password'
at org.apache.metron.writer.bolt.BulkMessageWriterBolt.prepare(BulkMessageWriterBolt.java:201) ~[stormjar.jar:?]
at org.apache.storm.daemon.executor$fn__10195$fn__10208.invoke(executor.clj:800) ~[storm-core-1.1.0.2.6.5.0-292.jar:1.1.0.2.6.5.0-292]
at org.apache.storm.util$async_loop$fn__1221.invoke(util.clj:482) [storm-core-1.1.0.2.6.5.0-292.jar:1.1.0.2.6.5.0-292]
at clojure.lang.AFn.run(AFn.java:22) [clojure-1.7.0.jar:?]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_162]
Caused by: java.lang.IllegalArgumentException: Unable to read XPack password file from HDFS location '/apps/metron/elasticsearch/xpack-password'
at org.apache.metron.elasticsearch.utils.ElasticsearchUtils.getPasswordFromFile(ElasticsearchUtils.java:201) ~[stormjar.jar:?]
at org.apache.metron.elasticsearch.utils.ElasticsearchUtils.setXPackSecurityOrNone(ElasticsearchUtils.java:187) ~[stormjar.jar:?]
at org.apache.metron.elasticsearch.utils.ElasticsearchUtils.getClient(ElasticsearchUtils.java:147) ~[stormjar.jar:?]
at org.apache.metron.elasticsearch.writer.ElasticsearchWriter.init(ElasticsearchWriter.java:53) ~[stormjar.jar:?]
at org.apache.metron.writer.bolt.BulkMessageWriterBolt.prepare(BulkMessageWriterBolt.java:199) ~[stormjar.jar:?]
... 4 more
Caused by: java.io.FileNotFoundException: File /apps/metron/elasticsearch/xpack-password does not exist
at org.apache.hadoop.fs.RawLocalFileSystem.deprecatedGetFileStatus(RawLocalFileSystem.java:606) ~[stormjar.jar:?]
at org.apache.hadoop.fs.RawLocalFileSystem.getFileLinkStatusInternal(RawLocalFileSystem.java:819) ~[stormjar.jar:?]
at org.apache.hadoop.fs.RawLocalFileSystem.getFileStatus(RawLocalFileSystem.java:596) ~[stormjar.jar:?]
at org.apache.hadoop.fs.FilterFileSystem.getFileStatus(FilterFileSystem.java:421) ~[stormjar.jar:?]
at org.apache.hadoop.fs.ChecksumFileSystem$ChecksumFSInputChecker.&lt;init&gt;(ChecksumFileSystem.java:140) ~[stormjar.jar:?]
at org.apache.hadoop.fs.ChecksumFileSystem.open(ChecksumFileSystem.java:341) ~[stormjar.jar:?]
at org.apache.hadoop.fs.FileSystem.open(FileSystem.java:767) ~[stormjar.jar:?]
at org.apache.metron.common.utils.HDFSUtils.readFile(HDFSUtils.java:55) ~[stormjar.jar:?]
at org.apache.metron.common.utils.HDFSUtils.readFile(HDFSUtils.java:40) ~[stormjar.jar:?]
at org.apache.metron.elasticsearch.utils.ElasticsearchUtils.getPasswordFromFile(ElasticsearchUtils.java:198) ~[stormjar.jar:?]
at org.apache.metron.elasticsearch.utils.ElasticsearchUtils.setXPackSecurityOrNone(ElasticsearchUtils.java:187) ~[stormjar.jar:?]
at org.apache.metron.elasticsearch.utils.ElasticsearchUtils.getClient(ElasticsearchUtils.java:147) ~[stormjar.jar:?]
at org.apache.metron.elasticsearch.writer.ElasticsearchWriter.init(ElasticsearchWriter.java:53) ~[stormjar.jar:?]
at org.apache.metron.writer.bolt.BulkMessageWriterBolt.prepare(BulkMessageWriterBolt.java:199) ~[stormjar.jar:?]
... 4 more
</pre></div></div>
</div>
<div class="section">
<h4><a name="Solution"></a>Solution</h4>
<p>This can occur when an HDFS Client is not installed on the Storm worker nodes. This might occur on any Storm worker node where an HDFS Client is not installed. Installing the HDFS Client on all Storm worker nodes should resolve the problem.</p></div></div></div>
<div class="section">
<h2><a name="TGT_Ticket_Renew"></a>TGT Ticket Renew</h2>
<p>Apache Storm doesn&#x2019;t handle automatic TGT ticket renewal for their running topologies. Instead, it is left up to the operations team deploying the Storm topologies in a Kerberized environment to manage this themselves. We&#x2019;ve included a Python script that can be setup with a cron process to automatically manage the renewal process for you. The script should be run on an interval that is shorter than the renew_lifetime configured for your TGT.</p>
<div class="section">
<h3><a name="Setup_Instructions"></a>Setup Instructions</h3>
<p>Run the following on a node with a Storm and Metron client installed. We need python 2.7 via virtualenv for this to work correctly.</p>
<div>
<div>
<pre class="source"># run yum commands as root
for item in epel-release centos-release-scl &quot;@Development tools&quot; python27 python27-scldevel python27-python-virtualenv libselinux-python; do yum install -y $item; done
sudo yum install -y gcc krb5-devel python-devel
sudo yum install -y libffi libffi-devel
sudo yum install -y python-cffi
sudo yum install -y openssl-devel
# setup python with metron user
su - metron
export PYTHON27_HOME=/opt/rh/python27/root
export LD_LIBRARY_PATH=&quot;/opt/rh/python27/root/usr/lib64&quot;
mkdir project_dir
cd project_dir
${PYTHON27_HOME}/usr/bin/virtualenv venv
source venv/bin/activate
pip install --upgrade setuptools==18.5
pip install requests-kerberos
</pre></div></div>
<p>The script <tt>$METRON_HOME/bin/tgt_renew.py</tt> takes two arguments:</p>
<ul>
<li>arg1 = host:port for Storm UI server</li>
<li>arg2 = topology owner - typically &#x201c;metron&#x201d; for a kerberized cluster with metron topologies</li>
</ul>
<p>Execute it like the following example:</p>
<div>
<div>
<pre class="source"># run as the metron user
su - metron
python $METRON_HOME/bin/tgt_renew.py node1:8744 metron
</pre></div></div></div></div>
</div>
</div>
</div>
<hr/>
<footer>
<div class="container-fluid">
<div class="row-fluid">
© 2015-2016 The Apache Software Foundation. Apache Metron, Metron, Apache, the Apache feather logo,
and the Apache Metron project logo are trademarks of The Apache Software Foundation.
</div>
</div>
</footer>
</body>
</html>