#!/bin/bash
# @@@ START COPYRIGHT @@@
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
# @@@ END COPYRIGHT @@@
#******************************************************************************
# Sets up Trafodion environment for security features:
# Kerberos
#******************************************************************************
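TRAF_CONFIG='/etc/trafodion/trafodion_config'
# Everything this script reads but does not set itself is expected to come from
# the sourced config (or the caller's environment): SECURE_HADOOP,
# ADMIN_PRINCIPAL, ADMIN_PASSWD, KDC_SERVER, TRAF_USER, HBASE_USER,
# HADOOP_NODES, all_node_count, LOCAL_WORKDIR, TRAF_KEYTAB, TRAF_KEYTAB_DIR,
# MAX_LIFETIME, RENEW_LIFETIME, HOME_DIR, HBASE_KEYTAB, INSTALL_LOG,
# TRAF_PDCP, TRAF_PDSH.  Abort early instead of running with empty settings.
if [[ ! -r "$TRAF_CONFIG" ]]; then
  echo "***ERROR: cannot read $TRAF_CONFIG"
  exit -1
fi
source "$TRAF_CONFIG"
HOST_NAME=$(hostname -f)
#==============================================================================
# set up kerberos stuff
if [[ "$SECURE_HADOOP" == "N" ]]; then
  echo "***INFO: KERBEROS not available, skipping to next step"
  exit 0
fi
echo
echo "******************************"
echo " TRAFODION KERBEROS SETUP "
echo "******************************"
echo
echo "***INFO: Running KERBEROS installation"
# get realm from admin principal (everything after the '@')
REALM=${ADMIN_PRINCIPAL#*"@"}
# Note the "$REALM": a literal "@REALM" here would build an unusable principal.
TRAF_PRINCIPAL="$TRAF_USER/$HOST_NAME@$REALM"
HBASE_PRINCIPAL="$HBASE_USER/$HOST_NAME@$REALM"
PDCP="pdcp -R ssh "
# test KDC server connection - always ask for the admin password
echo -n "Enter admin password:"
read -r -s answer
if [[ -n "$answer" ]]; then ADMIN_PASSWD=$answer; fi
echo ""
# Scrub the password variables on every exit path, including the error exits
# further down, instead of relying on each of them to do it by hand.
trap 'ADMIN_PASSWD="***"; answer="***"' EXIT

# Run one kadmin command (-q) against the KDC as the admin principal.
# SECURITY: "-w" puts the admin password on kadmin's argv, so it is visible in
# the install node's process list while each call runs.  An admin keytab
# (kadmin -k -t <keytab>) would avoid that; it is kept as-is here because the
# installer config hands over a password, not a keytab.  Building the command
# per call (rather than keeping it in a string) also means the password is
# never word-split and does not linger in a second variable.
# Arguments: $1 - the kadmin command text, e.g. "listprincs"
# Returns:   kadmin's exit status
kadmin_query() {
  sudo kadmin -p "$ADMIN_PRINCIPAL" -w "$ADMIN_PASSWD" -s "$KDC_SERVER" -q "$1"
}

if ! kadmin_query "listprincs" > /dev/null 2>&1; then
  echo "***ERROR: kadmin command failed to execute, verify that Kerberos is running, you can access it from the installation node, and that your password is valid"
  exit -1
fi
echo "***INFO: Connection to KDC server successful"
# Make a directory to hold generated keytabs, ignore if already created
mkdir -p "$LOCAL_WORKDIR/keytabs" 2>/dev/null
echo "***INFO: Create principals and keytabs for $TRAF_USER"
# HADOOP_NODES is a whitespace-separated list: the unquoted expansion is intended.
for ITEM in $HADOOP_NODES; do
  NODE=$(ssh -q -n "$ITEM" sudo hostname -f)
  if [[ -z "$NODE" ]]; then
    # Without the FQDN the principal would degrade to "$TRAF_USER/@$REALM".
    echo "***ERROR: unable to determine the fully qualified hostname of $ITEM"
    exit -1
  fi
  PRINC="$TRAF_USER/$NODE@$REALM"
  # -x -F: the principal must match a whole listprincs line, not a substring
  # or a regex built from the hostname's dots.
  if kadmin_query "listprincs" | grep -qxF -- "$PRINC"; then
    echo "***INFO: Principal $PRINC exists, continuing"
  else
    # add the principal
    if ! kadmin_query "addprinc -randkey $PRINC" > /dev/null 2>&1; then
      echo "***ERROR: kadmin command failed to create principal, check KDC server status"
      exit -1
    fi
  fi
  # Adjust principal's maxlife and maxrenewlife
  echo "***INFO: Set max and renew life times for principal $PRINC"
  if ! kadmin_query "modprinc -maxlife $MAX_LIFETIME -maxrenewlife $RENEW_LIFETIME $PRINC" > /dev/null 2>&1; then
    echo "***ERROR: kadmin command failed to modify principal, check KDC server status"
    exit -1
  fi
  # Each node has its own principal and keytab; the principal carries the node
  # name, the keytab file name does not, so the local copy is kept as
  # keytabs/<node>-<keytab>.  An existing copy is reused: ktadd randomizes the
  # principal's key, which would invalidate a keytab already deployed.
  # Regeneration of keytabs is not supported yet.
  echo "***INFO: Create keytab $TRAF_KEYTAB for $NODE"
  SAVED_KEYTAB="$LOCAL_WORKDIR/keytabs/$NODE-$TRAF_KEYTAB"
  if [[ -e "$SAVED_KEYTAB" ]]; then
    echo "***INFO: The keytab for $NODE exists, continuing"
  else
    echo "***INFO: Adding keytab for $NODE"
    if ! kadmin_query "ktadd -k $LOCAL_WORKDIR/$TRAF_KEYTAB $PRINC"; then
      echo "***ERROR: failed to add keytab"
      exit -1
    fi
    # kadmin ran under sudo, so the new keytab is root-owned: take it over,
    # make it owner-read-only and file it under the node name.
    sudo chown "$(whoami):$(whoami)" "$LOCAL_WORKDIR/$TRAF_KEYTAB"
    sudo chmod 400 "$LOCAL_WORKDIR/$TRAF_KEYTAB"
    sudo mv "$LOCAL_WORKDIR/$TRAF_KEYTAB" "$SAVED_KEYTAB"
  fi
  # Deploy the keytab to the node:
  # - stage an unprefixed copy on the install node
  # - copy it to the node (via $HOME when the node is remote)
  # - move it into TRAF_KEYTAB_DIR, restrict it to the trafodion user
  # - verify it by obtaining a ticket with it
  STAGED_KEYTAB="$LOCAL_WORKDIR/keytabs/$TRAF_KEYTAB"
  DEPLOYED_KEYTAB="$TRAF_KEYTAB_DIR/$TRAF_KEYTAB"
  sudo cp "$SAVED_KEYTAB" "$STAGED_KEYTAB"
  sudo chown "$(whoami):$(whoami)" "$STAGED_KEYTAB"
  if [[ "$all_node_count" -ne "1" ]]; then
    # pdcp is not asked to preserve the 0400 mode, so the mode is reset
    # explicitly once the file is in place (matches the single-node path).
    $PDCP -w "$NODE" "$STAGED_KEYTAB" "$HOME" &&
      ssh -q -n "$NODE" sudo mv "$HOME/$TRAF_KEYTAB" "$DEPLOYED_KEYTAB" &&
      ssh -q -n "$NODE" sudo chown "$TRAF_USER:hadoop" "$DEPLOYED_KEYTAB" &&
      ssh -q -n "$NODE" sudo chmod 400 "$DEPLOYED_KEYTAB" &&
      ssh -q -n "$NODE" sudo -u "$TRAF_USER" kinit -kt "$DEPLOYED_KEYTAB" "$PRINC"
  else
    sudo cp "$STAGED_KEYTAB" "$DEPLOYED_KEYTAB" &&
      sudo chown "$TRAF_USER:hadoop" "$DEPLOYED_KEYTAB" &&
      sudo chmod 400 "$DEPLOYED_KEYTAB" &&
      sudo -u "$TRAF_USER" kinit -kt "$DEPLOYED_KEYTAB" "$PRINC"
  fi
  # $? is the status of the last command of the branch taken above.
  if [[ $? -ne 0 ]]; then
    echo "***ERROR: failed to deploy or verify keytab $DEPLOYED_KEYTAB on $NODE"
    exit -1
  fi
  # The unprefixed staging copy is a credential that is no longer needed here.
  rm -f "$STAGED_KEYTAB"
  echo "***INFO: Copied keytab file to $NODE"
done
echo "***INFO: Done creating principals and keytabs"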
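# The RENEW_TOOL is a script that gets run to automatically renew the ticket
# when it is about to expire.  Single-quoted on purpose: $TRAF_HOME is
# expanded by the trafodion user's login shell, not by this installer.
RENEW_TOOL='$TRAF_HOME/sql/scripts/krb5service start'
# modify .bashrc to add kinit command
# Steps:
# - Store the text to add to the .bashrc file in a tmp file
# - Copy the tmp file to all the nodes
# - Change owner of tmp file to the trafodion user
# - Add text to .bashrc
# - Remove the tmp file again, locally and from the trafodion user's home
# Idempotency heuristic: any line mentioning "kinit" in the install node's
# .bashrc is taken to mean the snippet is already present on all nodes.
# May need to be more robust.
BASHRC="$HOME_DIR/$TRAF_USER/.bashrc"
if ! sudo grep -q "kinit" "$BASHRC"; then
  echo "***INFO: Add kinit command in .bashrc file"
  SNIPPET="$LOCAL_WORKDIR/kerberos.tmp"
  # Single-quoted lines and the escaped backticks are written literally and
  # evaluated at login; TRAF_KEYTAB_DIR, TRAF_KEYTAB, TRAF_USER and REALM are
  # baked in now.  RENEW_TOOL contributes its literal '$TRAF_HOME/...' text.
  {
    echo ""
    echo ""
    echo "# ---------------------------------------------------------------"
    echo "# if needed obtain and cache the Kerberos ticket-granting ticket"
    echo "# start automatic ticket renewal process"
    echo "# ---------------------------------------------------------------"
    echo 'klist -s >/dev/null 2>&1'
    echo 'if [[ $? -eq 1 ]]; then'
    echo " kinit -kt $TRAF_KEYTAB_DIR/$TRAF_KEYTAB ${TRAF_USER}/\`hostname -f\`@${REALM} >/dev/null 2>&1"
    echo "fi "
    echo ""
    echo "# ---------------------------------------------------------------"
    echo "# Start trafodion kerberos ticket manager process"
    echo "# ---------------------------------------------------------------"
    echo "${RENEW_TOOL} > /dev/null 2>&1"
  } > "$SNIPPET"
  REMOTE_SNIPPET="$HOME_DIR/$TRAF_USER/kerberos.tmp"
  sudo cp "$SNIPPET" "$REMOTE_SNIPPET"
  sudo chown "$TRAF_USER:$TRAF_USER" "$REMOTE_SNIPPET"
  if [[ "$all_node_count" -ne "1" ]]; then
    # Fan the snippet out as the trafodion user, then append it on every node;
    # the copy in ~ is removed so it is not left behind on the nodes.
    sudo su "$TRAF_USER" --command "$TRAF_PDCP $REMOTE_SNIPPET $REMOTE_SNIPPET"
    $TRAF_PDSH sudo su "$TRAF_USER" -c '"cat ~/kerberos.tmp >> ~/.bashrc; rm -f ~/kerberos.tmp"'
  else
    sudo su "$TRAF_USER" -c "cat ~/kerberos.tmp >> ~/.bashrc; rm -f ~/kerberos.tmp"
  fi
  rm "$SNIPPET"
fi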
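# Grant the Trafodion user global HBase privileges.  "RWXC" is read, write,
# execute and create; it does not include the admin ('A') permission.
echo "***INFO: Grant HBase privileges to $TRAF_USER user"
# The grant is issued as the HBase service user, authenticated with its own
# keytab and the HBASE_PRINCIPAL built for this host earlier in the script.
if ! sudo -u "$HBASE_USER" kinit -kt "$HBASE_KEYTAB" "$HBASE_PRINCIPAL"; then
  echo "***ERROR: unable to init Kerberos ticket for HBase using keytab ($HBASE_KEYTAB) and principal ($HBASE_PRINCIPAL)" | tee -a "$INSTALL_LOG"
  exit -1
fi
HBASE_OUT="$LOCAL_WORKDIR/hbase_shell.out"
# TRAF_USER is spliced into an hbase shell command; it comes from the installer
# config, not from untrusted input.
echo "grant \"$TRAF_USER\", \"RWXC\"" | sudo -u "$HBASE_USER" hbase shell > "$HBASE_OUT" 2>&1
rc=$?
# The shell's exit status is not trusted on its own: the transcript is also
# scanned for ERROR lines, and it is kept for inspection when either fails.
grant_error=$(grep -c 'ERROR' "$HBASE_OUT")
if [[ $grant_error -ne 0 || $rc -ne 0 ]]; then
  echo "***ERROR: failed to grant HBase privileges to $TRAF_USER user, see $HBASE_OUT for details" | tee -a "$INSTALL_LOG"
  exit -1
else
  sudo rm -f "$HBASE_OUT"
fi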