| #!/bin/bash |
| |
| # @@@ START COPYRIGHT @@@ |
| # |
| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, |
| # software distributed under the License is distributed on an |
| # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| # KIND, either express or implied. See the License for the |
| # specific language governing permissions and limitations |
| # under the License. |
| # |
| # @@@ END COPYRIGHT @@@ |
| |
| # KDC attributes |
| MAX_LIFETIME="24hours" |
| RENEW_LIFETIME="7days" |
| |
| # LDAP attributes |
| LDAP_AUTH_FILE="traf_authentication_config_${HOSTNAME}" |
| |
| HOST_NAME=`hostname -f` |
| |
| #============================================== |
| # Setup Trafodion environment for secure Hadoop |
| #============================================== |
| |
| LOCAL_WORKDIR="$( cd "$( dirname "$0" )" && pwd )" |
| |
| TRAF_CONFIG="/etc/trafodion/trafodion_config" |
| LOCAL_SECURE_CONFIG="$LOCAL_WORKDIR/trafodion_secure_config" |
| rm $LOCAL_SECURE_CONFIG 2>/dev/null |
| source $TRAF_CONFIG |
| |
| # Get Kerberos key details |
| # These differ depending on the distribution |
| if [[ $HADOOP_TYPE == "cloudera" ]]; then |
| TRAF_KEYTAB_DIR='/etc/trafodion' |
| TRAF_KEYTAB="trafodion.keytab" |
| HBASE_KEYTAB=`sudo find /var/run/cloudera-scm-agent/process/ -name hbase.keytab | grep 'hbase-MASTER' | head -n 1` |
| HDFS_KEYTAB=`sudo find /var/run/cloudera-scm-agent/process/ -name hdfs.keytab | grep 'hdfs-NAMENODE/' | head -n 1` |
| else |
| TRAF_KEYTAB_DIR='/etc/security/keytabs' |
| TRAF_KEYTAB="trafodion.service.keytab" |
| HBASE_KEYTAB='/etc/security/keytabs/hbase.service.keytab' |
| HDFS_KEYTAB='/etc/security/keytabs/hdfs.headless.keytab' |
| fi |
| |
| |
| #============================================== |
| # Kerberos enabled |
| |
| echo "***INFO: Starting Trafodion security configuration setup" |
| |
| # Check to see if kerberos is enabled in Hadoop |
| cat /etc/hadoop/conf/core-site.xml | while read a; do |
| found=`echo $a | grep "hadoop.security.authentication" | wc -l` |
| if [[ $found -eq 1 ]]; then |
| read b |
| enabled=`echo $b | grep kerberos | wc -l` |
| if [[ $enabled -eq 1 ]]; then |
| exit 1 |
| else |
| exit 0 |
| fi |
| fi |
| done |
| |
| retcode=$? |
| if [[ $retcode -eq 1 ]]; then |
| SECURE_HADOOP="Y" |
| else |
| SECURE_HADOOP="N" |
| fi |
| sed -i '/SECURE_HADOOP\=/d' $TRAF_CONFIG |
| echo "export SECURE_HADOOP=\"$SECURE_HADOOP\"" >> $LOCAL_SECURE_CONFIG |
| |
| |
| if [[ "$SECURE_HADOOP" == "Y" ]]; then |
| echo -n "Enter KDC server address, default is [$KDC_SERVER]:" |
| read answer |
| if [[ ! -z $answer ]]; then KDC_SERVER=$answer; fi |
| sed -i '/KDC_SERVER\=/d' $TRAF_CONFIG |
| echo "export KDC_SERVER=\"$KDC_SERVER\"" >> $LOCAL_SECURE_CONFIG |
| |
| echo -n "Enter admin principal (include realm), default is [$ADMIN_PRINCIPAL]:" |
| read answer |
| if [[ ! -z $answer ]]; then ADMIN_PRINCIPAL=$answer; fi |
| sed -i '/ADMIN_PRINCIPAL\=/d' $TRAF_CONFIG |
| echo "export ADMIN_PRINCIPAL=\"$ADMIN_PRINCIPAL\"" >> $LOCAL_SECURE_CONFIG |
| |
| # need a secure way to save password, until then ask later |
| #echo -n "Enter admin password:" |
| #read -s answer |
| #if [[ ! -z $answer ]]; then ADMIN_PASSWD=$answer; fi |
| #echo "" |
| |
| echo -n "Enter fully qualified name for HBase keytab, default is [$HBASE_KEYTAB]:" |
| read answer |
| if [[ ! -z $answer ]]; then HBASE_KEYTAB=$answer; fi |
| sed -i '/HBASE_KEYTAB\=/d' $TRAF_CONFIG |
| echo "export HBASE_KEYTAB=\"$HBASE_KEYTAB\"" >> $LOCAL_SECURE_CONFIG |
| |
| echo -n "Enter fully qualified name for HDFS keytab, default is [$HDFS_KEYTAB]:" |
| read answer |
| if [[ ! -z $answer ]]; then HDFS_KEYTAB=$answer; fi |
| sed -i '/HDFS_KEYTAB\=/d' $TRAF_CONFIG |
| echo "export HDFS_KEYTAB=\"$HDFS_KEYTAB\"" >> $LOCAL_SECURE_CONFIG |
| |
| echo -n "Enter max lifetime for Trafodion principal (valid format required), default is [$MAX_LIFETIME]:" |
| read answer |
| if [[ ! -z $answer ]]; then MAX_LIFETIME=$answer; fi |
| sed -i '/MAX_LIFETIME\=/d' $TRAF_CONFIG |
| echo "export MAX_LIFETIME=\"$MAX_LIFETIME\"" >> $LOCAL_SECURE_CONFIG |
| |
| echo -n "Enter renew lifetime for Trafodion principal (valid format required), default is [$RENEW_LIFETIME]:" |
| read answer |
| if [[ ! -z $answer ]]; then RENEW_LIFETIME=$answer; fi |
| sed -i '/RENEW_LIFETIME\=/d' $TRAF_CONFIG |
| echo "export RENEW_LIFETIME=\"$RENEW_LIFETIME\"" >> $LOCAL_SECURE_CONFIG |
| |
| echo -n "Enter Trafodion keytab name, default is [$TRAF_KEYTAB]:" |
| read answer |
| if [[ ! -z $answer ]]; then TRAF_KEYTAB=$answer; fi |
| sed -i '/TRAF_KEYTAB\=/d' $TRAF_CONFIG |
| echo "export TRAF_KEYTAB=\"$TRAF_KEYTAB\"" >> $LOCAL_SECURE_CONFIG |
| |
| echo -n "Enter keytab location, default is [$TRAF_KEYTAB_DIR]:" |
| read answer |
| if [[ ! -d $TRAF_KEYTAB_DIR ]]; then |
| echo -n "**Missing keytab directory $TRAF_KEYTAB_DIR, create it (Y/N), default is [Y]:" |
| read answer |
| if [[ "${answer}" =~ ^[Yy]$ ]]; then |
| if [[ "$all_node_count" -ne "1" ]]; then |
| echo "***INFO: creating $TRAF_KEYTAB_DIR" |
| $TRAF_PDSH $MY_NODES sudo mkdir -p $TRAF_KEYTAB_DIR 2>/dev/null |
| $TRAF_PDSH $MY_NODES sudo chown $TRAF_USER:$TRAF_GROUP $TRAF_KEYTAB_DIR |
| $TRAF_PDSH $MY_NODES sudo chmod 700 $TRAF_KEYTAB_DIR |
| else |
| echo "***INFO: creating $TRAF_KEYTAB_DIR" |
| sudo mkdir -p $TRAF_KEYTAB_DIR 2>/dev/null |
| sudo chown $TRAF_USER:$TRAF_GROUP $TRAF_KEYTAB_DIR |
| sudo chmod 700 $TRAF_KEYTAB_DIR |
| fi |
| else |
| echo "***ERROR: Please create $TRAF_KEYTAB_DIR on all nodes and rerun" |
| exit 1 |
| fi |
| fi |
| sed -i '/TRAF_KEYTAB_DIR\=/d' $TRAF_CONFIG |
| echo "export TRAF_KEYTAB_DIR=\"$TRAF_KEYTAB_DIR\"" >> $LOCAL_SECURE_CONFIG |
| fi |
| |
| #============================================== |
| # LDAP security |
| |
| if [[ "$SECURE_HADOOP" == "Y" ]]; then |
| LDAP_SECURITY="Y" |
| else |
| echo -n "Enable LDAP security (Y/N), default is [$LDAP_SECURITY]: " |
| read answer |
| |
| if [ ! -z $answer ]; then |
| if [[ "${answer}" =~ ^[Yy]$ ]]; then |
| LDAP_SECURITY="Y" |
| else |
| LDAP_SECURITY="N" |
| fi |
| fi |
| fi |
| sed -i '/LDAP_SECURITY\=/d' $TRAF_CONFIG |
| echo "export LDAP_SECURITY=\"$LDAP_SECURITY\"" >> $LOCAL_SECURE_CONFIG |
| |
| if [[ "$LDAP_SECURITY" == "N" ]]; then |
| cat $LOCAL_SECURE_CONFIG >> $TRAF_CONFIG |
| echo "***INFO: Trafodion security configuration setup complete" |
| exit 0; |
| fi |
| |
| #Hostnames |
| echo -n "Enter list of LDAP Hostnames (blank separated), default [$LDAP_HOSTS]: " |
| read answer |
| if [[ -z "$answer" ]]; then |
| if [ -z "$LDAP_HOSTS" ]; then |
| echo "***ERROR: Must enter list of LDAP Hostnames." |
| exit -1 |
| fi |
| else |
| LDAP_HOSTS=$answer |
| fi |
| sed -i '/LDAP_HOSTS\=/d' $TRAF_CONFIG |
| echo "export LDAP_HOSTS=\"$LDAP_HOSTS\"" >> $LOCAL_SECURE_CONFIG |
| cp -rf traf_authentication_conf_default $LOCAL_WORKDIR/$LDAP_AUTH_FILE |
| sed -i '/LDAP_AUTH_FILE\=/d' $TRAF_CONFIG |
| echo "export LDAP_AUTH_FILE=\"$LDAP_AUTH_FILE\"" >> $LOCAL_SECURE_CONFIG |
| |
| counter=0 |
| for host in $LDAP_HOSTS |
| do |
| counter=$[$counter+1] |
| if [ $counter -eq "1" ]; then |
| list=" LdapHostname: $host" |
| elif [ $counter -eq "$node_count" ]; then |
| list="LdapHostname: $host\n $list" |
| else |
| list=" LdapHostname: $host\n $list" |
| fi |
| done |
| sed -i -e "s/LdapHostname:/$list/g" $LDAP_AUTH_FILE |
| |
| #Port numbers |
| echo -n "Enter LDAP Port number (Example: 389 for no encryption or TLS, 636 for SSL), default [$LDAP_PORT]: " |
| read answer |
| if [[ -z "$answer" ]]; then |
| if [ -z "$LDAP_PORT" ]; then |
| echo "***ERROR: Must enter LDAP port." |
| exit -1 |
| fi |
| else |
| LDAP_PORT=$answer |
| fi |
| |
| sed -i '/LDAP_PORT\=/d' $TRAF_CONFIG |
| echo "export LDAP_PORT=\"$LDAP_PORT\"" >> $LOCAL_SECURE_CONFIG |
| port="LdapPort: $LDAP_PORT" |
| sed -i -e "s/LdapPort:389/$port/g" $LDAP_AUTH_FILE |
| |
| #Unique IDs |
| echo -n "Enter all LDAP unique identifiers (blank separated), default [$LDAP_ID]: " |
| read answer |
| if [[ -z "$answer" ]]; then |
| if [ -z "$LDAP_ID" ]; then |
| echo "***ERROR: Must enter LDAP unique identifiers." |
| exit -1 |
| fi |
| else |
| LDAP_ID=$answer |
| fi |
| sed -i '/LDAP_ID\=/d' $TRAF_CONFIG |
| echo "export LDAP_ID=\"$LDAP_ID\"" >> $LOCAL_SECURE_CONFIG |
| |
| counter=0 |
| for id in $LDAP_ID |
| do |
| counter=$[$counter+1] |
| if [ $counter -eq "1" ]; then |
| list=" UniqueIdentifier: $id" |
| elif [ $counter -eq "$node_count" ]; then |
| list="UniqueIdentifier: $id\n $list" |
| else |
| list=" LdapHostname: $id\n $list" |
| fi |
| done |
| |
| sed -i -e "s/UniqueIdentifier:/$list/g" $LDAP_AUTH_FILE |
| |
| #Encryption level |
| echo -n "Enter LDAP Encryption Level (0: Encryption not used, 1: SSL, 2: TLS), default [$LDAP_LEVEL]: " |
| read answer |
| if [[ -z "$answer" ]]; then |
| if [ -z "$LDAP_LEVEL" ]; then |
| echo "***ERROR: Must enter LDAP Encryption level." |
| exit -1 |
| fi |
| else |
| LDAP_LEVEL=$answer |
| fi |
| sed -i '/LDAP_LEVEL\=/d' $TRAF_CONFIG |
| echo "export LDAP_LEVEL=\"$LDAP_LEVEL\"" >> $LOCAL_SECURE_CONFIG |
| |
| level="LDAPSSL: $LDAP_LEVEL" |
| sed -i -e "s/LDAPSSL:0/$level/g" $LDAP_AUTH_FILE |
| |
| if [[ "$LDAP_LEVEL" -eq "1" ]] || [[ "$LDAP_LEVEL" -eq "2" ]]; then |
| echo -n "Enter full path to TLS certificate, default [$LDAP_CERT]: " |
| read answer |
| if [[ -z "$answer" ]]; then |
| if [ -z "$LDAP_CERT" ]; then |
| echo "***ERROR: Encryption level 2(TLS) requires a certificate file (*.pem)" |
| exit -1 |
| fi |
| else |
| LDAP_CERT=$answer |
| LDAP_CERT_BASE=$(basename $LDAP_CERT) |
| |
| if [[ ! -f $LDAP_CERT ]]; then |
| echo "***ERROR: File does not exist." |
| echo "***ERROR: Please enter full path or check for errors." |
| exit -1 |
| fi |
| |
| fi |
| sed -i '/LDAP_CERT\=/d' $TRAF_CONFIG |
| echo "export LDAP_CERT=\"$LDAP_CERT\"" >> $LOCAL_SECURE_CONFIG |
| sed -i '/LDAP_CERT_BASE\=/d' $TRAF_CONFIG |
| echo "export LDAP_CERT_BASE=\"$LDAP_CERT_BASE\"" >> $LOCAL_SECURE_CONFIG |
| |
| list="TLS_CACERTFilename: $HOME_DIR/$TRAF_USER/$LDAP_CERT_BASE" |
| |
| sed -i -e "s@TLS\_CACERTFilename:@$list@" $LDAP_AUTH_FILE |
| fi |
| |
| #Search username and password |
| echo -n "Enter Search user name (if required), default [$LDAP_USER]: " |
| read answer |
| if [[ ! -z "$answer" ]]; then |
| LDAP_USER=$answer |
| sed -i '/LDAP_USER\=/d' $TRAF_CONFIG |
| echo "export LDAP_USER=\"$LDAP_USER\"" >> $LOCAL_SECURE_CONFIG |
| |
| echo -n "Enter Search password (if required), default [$LDAP_PASSWORD]: " |
| read answer |
| if [[ ! -z "$answer" ]]; then |
| LDAP_PASSWORD=$answer |
| sed -i '/LDAP_PASSWORD\=/d' $TRAF_CONFIG |
| echo "export LDAP_PASSWORD=\"$LDAP_PASSWORD\"" >> $LOCAL_SECURE_CONFIG |
| fi |
| fi |
| user="LDAPSearchDN: $LDAP_USER" |
| sed -i -e "s/LDAPSearchDN:/$user/g" $LDAP_AUTH_FILE |
| password="LDAPSearchPwd: $LDAP_PASSWORD" |
| sed -i -e "s/LDAPSearchPwd:/$password/g" $LDAP_AUTH_FILE |
| |
| |
| #LDAP uid/cn assigned to DB__ROOT |
| echo -n "Enter LDAP name to be assigned DB root privileges (DB__ROOT), default [$DB_ROOT_NAME]: " |
| read answer |
| if [[ ! -z "$answer" ]]; then |
| DB_ROOT_NAME=$answer |
| fi |
| sed -i '/DB_ROOT_NAME\=/d' $TRAF_CONFIG |
| echo "export DB_ROOT_NAME=\"$DB_ROOT_NAME\"" >> $LOCAL_SECURE_CONFIG |
| |
| cat $LOCAL_SECURE_CONFIG >> $TRAF_CONFIG |
| echo "***INFO: Trafodion security configuration setup complete" |
| |