| #!/bin/bash |
| |
| # @@@ START COPYRIGHT @@@ |
| # |
| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, |
| # software distributed under the License is distributed on an |
| # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| # KIND, either express or implied. See the License for the |
| # specific language governing permissions and limitations |
| # under the License. |
| # |
| # @@@ END COPYRIGHT @@@ |
| |
| #****************************************************************************** |
| # Sets up Trafodion environment for security features: |
| # Kerberos |
| #****************************************************************************** |
| |
| TRAF_CONFIG='/etc/trafodion/trafodion_config' |
| source $TRAF_CONFIG |
| HOST_NAME=`hostname -f` |
| |
| #============================================================================== |
| # set up kerberos stuff |
| if [[ "$SECURE_HADOOP" == "N" ]]; then |
| echo "***INFO: KERBEROS not available, skipping to next step" |
| exit 0 |
| fi |
| |
| echo |
| echo "******************************" |
| echo " TRAFODION KERBEROS SETUP " |
| echo "******************************" |
| echo |
| echo "***INFO: Running KERBEROS installation" |
| |
| # get realm from admin principal |
| REALM=${ADMIN_PRINCIPAL#*"@"} |
| TRAF_PRINCIPAL="$TRAF_USER/$HOST_NAME@REALM" |
| HBASE_PRINCIPAL="$HBASE_USER/$HOST_NAME@$REALM" |
| PDCP="pdcp -R ssh " |
| |
| # test KDC server connection - always ask for the admin password |
| echo -n "Enter admin password:" |
| read -s answer |
| if [[ ! -z $answer ]]; then ADMIN_PASSWD=$answer; fi |
| echo "" |
| |
| KADMIN_CMD="sudo kadmin -p $ADMIN_PRINCIPAL -w $ADMIN_PASSWD -s $KDC_SERVER -q" |
| |
| $KADMIN_CMD "listprincs" > /dev/null 2>&1 |
| if [[ $? -ne 0 ]]; then |
| echo "***ERROR: kadmin command failed to execute, verify that Kerberos is running, you can access it from the installation node, and that your password is valid" |
| ADMIN_PASSWD="***" |
| exit -1 |
| fi |
| echo "***INFO: Connection to KDC server successful" |
| |
| # Make a directory to hold generated keytabs, ignore if already created |
| mkdir -p $LOCAL_WORKDIR/keytabs 2>/dev/null |
| |
| echo "***INFO: Create principals and keytabs for $TRAF_USER" |
| for ITEM in $HADOOP_NODES; do |
| NODE=`ssh -q -n $ITEM sudo hostname -f` |
| PRINCIPAL_EXISTS=$( $KADMIN_CMD "listprincs" | grep "$TRAF_USER/$NODE@$REALM" | wc -l ) |
| if [[ $PRINCIPAL_EXISTS -eq 1 ]]; then |
| echo "***INFO: Principal $TRAF_USER/$NODE@$REALM exists, continuing" |
| else |
| # add the principal |
| $KADMIN_CMD "addprinc -randkey $TRAF_USER/$NODE@$REALM" > /dev/null 2>&1 |
| if [[ $? -ne 0 ]]; then |
| echo "***ERROR: kadmin command failed to create principal, check KDC server status" |
| ADMIN_PASSWD="***" |
| exit -1 |
| fi |
| fi |
| |
| # Adjust principal's maxlife and maxrenewlife |
| echo "***INFO: Set max and renew life times for principal $TRAF_USER/$NODE@$REALM" |
| $KADMIN_CMD "modprinc -maxlife $MAX_LIFETIME -maxrenewlife $RENEW_LIFETIME $TRAF_USER/$NODE@$REALM" > /dev/null 2>&1 |
| if [[ $? -ne 0 ]]; then |
| echo "***ERROR: kadmin command failed to modify principal, check KDC server status" |
| ADMIN_PASSWD="***" |
| exit -1 |
| fi |
| |
| # Look in keytabs to see if keytab already exists, if so, then skip this step |
| # May want to supporting regeneration of keytabs at some point in time. |
| echo "***INFO: Create keytab $TRAF_KEYTAB for $NODE" |
| if [[ -e $LOCAL_WORKDIR/keytabs/$NODE-$TRAF_KEYTAB ]]; then |
| echo "***INFO: The keytab for $NODE exists, continuing" |
| else |
| echo "***INFO: Adding keytab for $NODE" |
| $KADMIN_CMD "ktadd -k $LOCAL_WORKDIR/$TRAF_KEYTAB $TRAF_USER/$NODE@$REALM" |
| if [[ $? -ne 0 ]]; then |
| echo "***ERROR: failed to add keytab" |
| ADMIN_PASSWD="***" |
| exit -1 |
| fi |
| |
| # Each node has its own principal and keytab. The principal names have the node |
| # name embedded but the keytab names are the same. Save keytabs into the keytabs |
| # directory and prepend them with the node name to tell them apart. They will |
| # be copied to the individual nodes in a separate step |
| sudo chown $(whoami):$(whoami) $LOCAL_WORKDIR/$TRAF_KEYTAB |
| sudo chmod 400 $LOCAL_WORKDIR/$TRAF_KEYTAB |
| sudo mv $LOCAL_WORKDIR/$TRAF_KEYTAB $LOCAL_WORKDIR/keytabs/$NODE-$TRAF_KEYTAB |
| fi |
| |
| # Copy keytab to node (probably a better way of doing this) |
| # - Remove the prepended node from the keytab |
| # - Copy the keytab to the node |
| # - Move the keytab to the KEYTAB directory on the node |
| # - Change owner to allow trafodion access |
| sudo cp $LOCAL_WORKDIR/keytabs/$NODE-$TRAF_KEYTAB $LOCAL_WORKDIR/keytabs/$TRAF_KEYTAB |
| sudo chown $(whoami):$(whoami) $LOCAL_WORKDIR/keytabs/$TRAF_KEYTAB |
| if [[ "$all_node_count" -ne "1" ]]; then |
| pdcp -R ssh -w $NODE $LOCAL_WORKDIR/keytabs/$TRAF_KEYTAB $HOME |
| ssh -q -n $NODE sudo mv $HOME/$TRAF_KEYTAB $TRAF_KEYTAB_DIR/$TRAF_KEYTAB |
| ssh -q -n $NODE sudo chown $TRAF_USER:hadoop $TRAF_KEYTAB_DIR/$TRAF_KEYTAB |
| ssh -q -n $NODE sudo -u $TRAF_USER kinit -kt $TRAF_KEYTAB_DIR/$TRAF_KEYTAB $TRAF_USER/$NODE@$REALM |
| else |
| sudo cp $LOCAL_WORKDIR/keytabs/$TRAF_KEYTAB $TRAF_KEYTAB_DIR/$TRAF_KEYTAB |
| sudo chown $TRAF_USER:hadoop $TRAF_KEYTAB_DIR/$TRAF_KEYTAB |
| sudo -u $TRAF_USER kinit -kt $TRAF_KEYTAB_DIR/$TRAF_KEYTAB $TRAF_USER/$NODE@$REALM |
| fi |
| echo "***INFO: Copied keytab file to $NODE" |
| done |
| ADMIN_PASSWD="***" |
| echo "***INFO: Done creating principals and keytabs" |
| |
| # The RENEW_TOOL is a script that get run that automatically |
| # renews the ticket when it get ready to expire. |
| RENEW_TOOL='$TRAF_HOME/sql/scripts/krb5service start' |
| |
| # modify .bashrc to add kinit command |
| # Steps: |
| # - Store the text to add to the .bashrc file in a tmp file |
| # - Copy the tmp file to all the nodes |
| # - Change owner of tmp file to the trafodion user |
| # - Add text to .bashrc |
| # This assumes that if the installation node already has the text, then this |
| # step can be skipped. May need to be more robust |
| |
| sudo grep -q "kinit" $HOME_DIR/$TRAF_USER/.bashrc |
| if [[ $? -ne 0 ]]; then |
| echo "***INFO: Add kinit command in .bashrc file" |
| echo "" > $LOCAL_WORKDIR/kerberos.tmp |
| echo "" >> $LOCAL_WORKDIR/kerberos.tmp |
| echo "# ---------------------------------------------------------------" >> $LOCAL_WORKDIR/kerberos.tmp |
| echo "# if needed obtain and cache the Kerberos ticket-granting ticket" >> $LOCAL_WORKDIR/kerberos.tmp |
| echo "# start automatic ticket renewal process" >> $LOCAL_WORKDIR/kerberos.tmp |
| echo "# ---------------------------------------------------------------" >> $LOCAL_WORKDIR/kerberos.tmp |
| echo 'klist -s >/dev/null 2>&1' >> $LOCAL_WORKDIR/kerberos.tmp |
| echo 'if [[ $? -eq 1 ]]; then' >> $LOCAL_WORKDIR/kerberos.tmp |
| echo " kinit -kt $TRAF_KEYTAB_DIR/$TRAF_KEYTAB ${TRAF_USER}/\`hostname -f\`@${REALM} >/dev/null 2>&1" >> $LOCAL_WORKDIR/kerberos.tmp |
| echo "fi " >> $LOCAL_WORKDIR/kerberos.tmp |
| echo "" >> $LOCAL_WORKDIR/kerberos.tmp |
| echo "# ---------------------------------------------------------------" >> $LOCAL_WORKDIR/kerberos.tmp |
| echo "# Start trafodion kerberos ticket manager process" >> $LOCAL_WORKDIR/kerberos.tmp |
| echo "# ---------------------------------------------------------------" >> $LOCAL_WORKDIR/kerberos.tmp |
| |
| echo "${RENEW_TOOL} > /dev/null 2>&1" >> $LOCAL_WORKDIR/kerberos.tmp |
| |
| sudo cp $LOCAL_WORKDIR/kerberos.tmp $HOME_DIR/$TRAF_USER/kerberos.tmp |
| sudo chown $TRAF_USER:$TRAF_USER $HOME_DIR/$TRAF_USER/kerberos.tmp |
| if [[ "$all_node_count" -ne "1" ]]; then |
| sudo su $TRAF_USER --command "$TRAF_PDCP $HOME_DIR/$TRAF_USER/kerberos.tmp $HOME_DIR/$TRAF_USER/kerberos.tmp" |
| $TRAF_PDSH sudo su $TRAF_USER -c '"cat ~/kerberos.tmp >> ~/.bashrc"' |
| else |
| sudo su $TRAF_USER -c "cat ~/kerberos.tmp >> ~/.bashrc" |
| fi |
| rm $LOCAL_WORKDIR/kerberos.tmp |
| fi |
| |
| # Grant all privileges to the Trafodion principal in HBase |
| echo "***INFO: Grant HBase privileges to $TRAF_USER user" |
| sudo -u $HBASE_USER kinit -kt $HBASE_KEYTAB $HBASE_PRINCIPAL |
| if [[ $? -ne 0 ]]; then |
| echo "***ERROR: unable to init Kerberos ticket for HBase using keytab ($HBASE_KEYTAB) and principal ($HBASE_PRINCIPAL)" | tee -a $INSTALL_LOG |
| exit -1 |
| fi |
| |
| echo "grant \"$TRAF_USER\", \"RWXC\"" |sudo -u $HBASE_USER hbase shell > $LOCAL_WORKDIR/hbase_shell.out 2>&1 |
| rc=$? |
| grant_error=$(grep 'ERROR' $LOCAL_WORKDIR/hbase_shell.out |wc -l) |
| |
| if [[ $grant_error -ne 0 || $rc -ne 0 ]]; then |
| echo "***ERROR: failed to grant HBase privileges to $TRAF_USER user, see $LOCAL_WORKDIR/hbase_shell.out for details" | tee -a $INSTALL_LOG |
| exit -1 |
| else |
| sudo rm -f $LOCAL_WORKDIR/hbase_shell.out |
| fi |
| |