Added: incubator/bigtop/trunk/bigtop-deploy/puppet/modules/hadoop/templates/hdfs-site.xml
URL: http://svn.apache.org/viewvc/incubator/bigtop/trunk/bigtop-deploy/puppet/modules/hadoop/templates/hdfs-site.xml?rev=1183561&view=auto
==============================================================================
--- incubator/bigtop/trunk/bigtop-deploy/puppet/modules/hadoop/templates/hdfs-site.xml (added)
+++ incubator/bigtop/trunk/bigtop-deploy/puppet/modules/hadoop/templates/hdfs-site.xml Fri Oct 14 23:33:44 2011
@@ -0,0 +1,165 @@ +<?xml version="1.0"?> +<?xml-stylesheet type="text/xsl" href="configuration.xsl"?> + +<!-- Licensed to the Apache Software Foundation (ASF) under one or more --> +<!-- contributor license agreements. See the NOTICE file distributed with --> +<!-- this work for additional information regarding copyright ownership. --> +<!-- The ASF licenses this file to You under the Apache License, Version 2.0 --> +<!-- (the "License"); you may not use this file except in compliance with --> +<!-- the License. You may obtain a copy of the License at --> +<!-- --> +<!-- http://www.apache.org/licenses/LICENSE-2.0 --> +<!-- --> +<!-- Unless required by applicable law or agreed to in writing, software --> +<!-- distributed under the License is distributed on an "AS IS" BASIS, --> +<!-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. --> +<!-- See the License for the specific language governing permissions and --> +<!-- limitations under the License. --> + +<configuration> + +<% if hadoop_security_authentication == "kerberos" %> + <property> + <name>dfs.block.access.token.enable</name> + <value>true</value> + </property> + + <!-- NameNode security config --> + <property> + <name>dfs.https.address</name> + <value><%= hadoop_namenode_host %>:50475</value> + </property> + <property> + <name>dfs.https.port</name> + <value>50475</value> + </property> + <property> + <name>dfs.namenode.keytab.file</name> + <value>/etc/hdfs.keytab</value> <!-- path to the HDFS keytab --> + </property> + <property> + <name>dfs.namenode.kerberos.principal</name> + <value>hdfs/_HOST@<%= kerberos_realm %></value> + </property> + <property> + <name>dfs.namenode.kerberos.https.principal</name> + <value>host/_HOST@<%= kerberos_realm %></value> + </property> + + <!-- Secondary NameNode security config --> + <property> + <name>dfs.secondary.http.address</name> + <value><%= hadoop_namenode_host %>:0</value> + </property> + <property> + <name>dfs.secondary.https.address</name> + 
<value><%= hadoop_namenode_host %>:50495</value> + </property> + <property> + <name>dfs.secondary.https.port</name> + <value>50495</value> + </property> + <property> + <name>dfs.secondary.namenode.keytab.file</name> + <value>/etc/hdfs.keytab</value> <!-- path to the HDFS keytab --> + </property> + <property> + <name>dfs.secondary.namenode.kerberos.principal</name> + <value>hdfs/_HOST@<%= kerberos_realm %></value> + </property> + <property> + <name>dfs.secondary.namenode.kerberos.https.principal</name> + <value>host/_HOST@<%= kerberos_realm %></value> + </property> + + <!-- DataNode security config --> + <property> + <name>dfs.datanode.data.dir.perm</name> + <value>700</value> + </property> + <property> + <name>dfs.datanode.address</name> + <value>0.0.0.0:1004</value> + </property> + <property> + <name>dfs.datanode.http.address</name> + <value>0.0.0.0:1006</value> + </property> + <property> + <name>dfs.datanode.keytab.file</name> + <value>/etc/hdfs.keytab</value> <!-- path to the HDFS keytab --> + </property> + <property> + <name>dfs.datanode.kerberos.principal</name> + <value>hdfs/_HOST@<%= kerberos_realm %></value> + </property> + <property> + <name>dfs.datanode.kerberos.https.principal</name> + <value>host/_HOST@<%= kerberos_realm %></value> + </property> +<% end %> + + <!-- name node --> + <property> + <!-- URI of NN. Fully qualified. 
No IP.--> + <name>fs.default.name</name> + <value>hdfs://<%= hadoop_namenode_host %>:<%= hadoop_namenode_port%></value> + </property> + + <property> + <name>dfs.data.dir</name> + <value><% hadoop_storage_locations.split(";").each do |storage_location| %><%= storage_location%>/hdfs,<% end %></value> + </property> + + <property> + <name>dfs.name.dir</name> + <value><% hadoop_storage_locations.split(";").each do |storage_location| %><%= storage_location%>/namenode,<% end %></value> + </property> + + <!-- Enable Hue plugins --> +<% if has_variable?("hadoop_dfs_namenode_plugins") %> + <property> + <name>dfs.namenode.plugins</name> + <value><%= hadoop_dfs_namenode_plugins %></value> + <description>Comma-separated list of namenode plug-ins to be activated. + </description> + </property> +<% end %> +<% if has_variable?("hadoop_dfs_datanode_plugins") %> + <property> + <name>dfs.datanode.plugins</name> + <value><%= hadoop_dfs_datanode_plugins %></value> + <description>Comma-separated list of datanode plug-ins to be activated. + </description> + </property> +<% end %> +<% if has_variable?("hadoop_namenode_thrift_port") %> + <property> + <name>dfs.thrift.address</name> + <value>0.0.0.0:<%= hadoop_namenode_thrift_port %></value> + </property> +<% end %> + + <!-- increase the number of datanode transceivers way above the default of 256 + - this is for hbase --> + <property> + <name>dfs.datanode.max.xcievers</name> + <value>4096</value> + </property> + + <!-- Configurations for large cluster --> +<% if has_variable?("hadoop_config_dfs_block_size") %> + <property> + <name>dfs.block.size</name> + <value><%= hadoop_config_dfs_block_size %></value> + </property> +<% end %> + +<% if has_variable?("hadoop_config_namenode_handler_count") %> + <property> + <name>dfs.namenode.handler.count</name> + <value><%= hadoop_config_namenode_handler_count %></value> + </property> +<% end %> + +</configuration>
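Review bot: `dfs.thrift.address` is bound to `0.0.0.0` and sits outside the `hadoop_security_authentication == "kerberos"` conditional, so the Thrift plugin listens on every interface whether or not the cluster is secured. This template does not show whether that endpoint authenticates its callers, so that should be confirmed before it is enabled alongside Kerberos. Consider making the bind address a template variable and documenting the exposure next to the property, e.g. `<!-- Thrift plugin listens on all interfaces; bind to an internal address or firewall the port -->`. The same pattern appears for `jobtracker.thrift.address` in mapred-site.xml.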
Added: incubator/bigtop/trunk/bigtop-deploy/puppet/modules/hadoop/templates/mapred-site.xml
URL: http://svn.apache.org/viewvc/incubator/bigtop/trunk/bigtop-deploy/puppet/modules/hadoop/templates/mapred-site.xml?rev=1183561&view=auto
==============================================================================
--- incubator/bigtop/trunk/bigtop-deploy/puppet/modules/hadoop/templates/mapred-site.xml (added)
+++ incubator/bigtop/trunk/bigtop-deploy/puppet/modules/hadoop/templates/mapred-site.xml Fri Oct 14 23:33:44 2011
@@ -0,0 +1,290 @@ +<?xml version="1.0"?> +<?xml-stylesheet type="text/xsl" href="configuration.xsl"?> + +<!-- Licensed to the Apache Software Foundation (ASF) under one or more --> +<!-- contributor license agreements. See the NOTICE file distributed with --> +<!-- this work for additional information regarding copyright ownership. --> +<!-- The ASF licenses this file to You under the Apache License, Version 2.0 --> +<!-- (the "License"); you may not use this file except in compliance with --> +<!-- the License. You may obtain a copy of the License at --> +<!-- --> +<!-- http://www.apache.org/licenses/LICENSE-2.0 --> +<!-- --> +<!-- Unless required by applicable law or agreed to in writing, software --> +<!-- distributed under the License is distributed on an "AS IS" BASIS, --> +<!-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. --> +<!-- See the License for the specific language governing permissions and --> +<!-- limitations under the License. --> + +<configuration> + +<% if hadoop_security_authentication == "kerberos" %> + <!-- JobTracker security configs --> + <property> + <name>mapreduce.jobtracker.kerberos.principal</name> + <value>mapred/_HOST@<%= kerberos_realm %></value> + </property> + <property> + <name>mapreduce.jobtracker.kerberos.https.principal</name> + <value>host/_HOST@<%= kerberos_realm %></value> + </property> + <property> + <name>mapreduce.jobtracker.keytab.file</name> + <value>/etc/mapred.keytab</value> <!-- path to the MapReduce keytab --> + </property> + + <!-- TaskTracker security configs --> + <property> + <name>mapreduce.tasktracker.kerberos.principal</name> + <value>mapred/_HOST@<%= kerberos_realm %></value> + </property> + <property> + <name>mapreduce.tasktracker.kerberos.https.principal</name> + <value>host/_HOST@<%= kerberos_realm %></value> + </property> + <property> + <name>mapreduce.tasktracker.keytab.file</name> + <value>/etc/mapred.keytab</value> <!-- path to the MapReduce keytab --> + </property> + + 
<!-- TaskController settings --> + <property> + <name>mapred.task.tracker.task-controller</name> + <value>org.apache.hadoop.mapred.LinuxTaskController</value> + </property> + <property> + <name>mapreduce.tasktracker.group</name> + <value>mapred</value> + </property> +<% end %> + +<% if has_variable?("mapred_acls_enabled") %> + <property> + <name>mapred.acls.enabled</name> + <value><%= mapred_acls_enabled %></value> + </property> +<% end %> + +<!-- specify JobTracker TaskScheduler --> +<% if has_variable?("hadoop_jobtracker_taskscheduler") %> + <property> + <name>mapred.jobtracker.taskScheduler</name> + <value><%= hadoop_jobtracker_taskscheduler %></value> + </property> +<% end %> + +<% if has_variable?("hadoop_config_mapred_fairscheduler_assignmultiple") %> + <property> + <name>mapred.fairscheduler.assignmultiple</name> + <value><%= hadoop_config_mapred_fairscheduler_assignmultiple %></value> + </property> +<% end %> + +<% if has_variable?("hadoop_config_mapred_fairscheduler_sizebasedweight") %> + <property> + <name>mapred.fairscheduler.sizebasedweight</name> + <value><%= hadoop_config_mapred_fairscheduler_assignmultiple %></value> + </property> +<% end %> + +<% if has_variable?("hadoop_jobtracker_fairscheduler_weightadjuster") %> + <property> + <name>mapred.fairscheduler.weightadjuster</name> + <value><%= hadoop_jobtracker_fairscheduler_weightadjuster %></value> + </property> +<% end %> + + <property> + <name>mapred.job.tracker</name> + <value><%= hadoop_jobtracker_host %>:<%= hadoop_jobtracker_port%></value> + </property> + + <property> + <name>mapred.local.dir</name> + <value><% hadoop_storage_locations.split(";").each do |storage_location| %><%= storage_location%>/scratch,<% end %></value> + <final>true</final> + </property> + + <property> + <name>mapred.child.java.opts</name> + <value>-Xmx1024m</value> + </property> + + <property> + <name>mapreduce.jobtracker.staging.root.dir</name> + <value>/user</value> + </property> + + <property> + 
<name>mapred.system.dir</name> + <value>/mapred/system</value> + </property> + +<% if has_variable?("hadoop_config_mapred_child_ulimit") %> + <property> + <!-- set this to ~1.5x the heap size in mapred.child.java.opts --> + <name>mapred.child.ulimit</name> + <value><%= hadoop_config_mapred_child_ulimit %></value> + </property> +<% else %> + <property> + <!-- set this to ~1.5x the heap size in mapred.child.java.opts --> + <name>mapred.child.ulimit</name> + <value>1572864</value> <!-- 1.5 GB in KB --> + </property> +<% end %> + +<% if has_variable?("hadoop_config_io_sort_mb") %> + <property> + <name>io.sort.mb</name> + <value><%= hadoop_config_io_sort_mb %></value> + </property> +<% else %> + <property> + <name>io.sort.mb</name> + <value>256</value> + </property> +<% end %> + +<% if has_variable?("hadoop_config_io_sort_factor") %> + <property> + <name>io.sort.factor</name> + <value><%= hadoop_config_io_sort_factor %></value> + </property> +<% else %> + <property> + <name>io.sort.factor</name> + <value>64</value> + </property> +<% end %> + +<% if has_variable?("hadoop_config_mapred_job_tracker_handler_count") %> + <property> + <name>mapred.job.tracker.handler.count</name> + <value><%= hadoop_config_mapred_job_tracker_handler_count %></value> + <final>true</final> + </property> +<% else %> + <property> + <name>mapred.job.tracker.handler.count</name> + <value>10</value> + <final>true</final> + </property> +<% end %> + + <property> + <name>mapred.map.tasks.speculative.execution</name> + <value>true</value> + </property> + +<% if has_variable?("hadoop_config_mapred_reduce_parallel_copies") %> + <property> + <name>mapred.reduce.parallel.copies</name> + <!-- set this to somewhere between sqrt(nodes) and nodes/2. + for <20 nodes, set == |nodes| --> + <value><%= hadoop_config_mapred_reduce_parallel_copies %></value> + </property> +<% else %> + <property> + <name>mapred.reduce.parallel.copies</name> + <!-- set this to somewhere between sqrt(nodes) and nodes/2. 
+ for <20 nodes, set == |nodes| --> + <value>5</value> + </property> +<% end %> + + <property> + <name>mapred.reduce.tasks</name> + <!-- set to numnodes * mapred.tasktracker.reduce.tasks.maximum --> + <value>30</value> + </property> + +<% if has_variable?("hadoop_config_mapred_reduce_tasks_speculative_execution") %> + <property> + <name>mapred.reduce.tasks.speculative.execution</name> + <value><%= hadoop_config_mapred_reduce_tasks_speculative_execution %></value> + </property> +<% else %> + <property> + <name>mapred.reduce.tasks.speculative.execution</name> + <value>false</value> + </property> +<% end %> + + <property> + <name>mapred.tasktracker.map.tasks.maximum</name> + <!-- see other kb entry about this one. --> + <value><%= [1, processorcount.to_i * 0.80].max.round %></value> + <final>true</final> + </property> + + <property> + <name>mapred.tasktracker.reduce.tasks.maximum</name> + <!-- see other kb entry about this one. --> + <value><%= [1, processorcount.to_i * 0.20].max.round %></value> + <final>true</final> + </property> + +<% if has_variable?("hadoop_config_tasktracker_http_threads") %> + <property> + <name>tasktracker.http.threads</name> + <value><%= hadoop_config_tasktracker_http_threads %></value> + <final>true</final> + </property> +<% else %> + <property> + <name>tasktracker.http.threads</name> + <value>60</value> + <final>true</final> + </property> +<% end %> + + <property> + <name>mapred.output.compression.type</name> + <value>BLOCK</value> + <description>If the job outputs are to compressed as + SequenceFiles, how should they be compressed? 
Should be one of + NONE, RECORD or BLOCK.</description> + </property> + +<% if has_variable?("hadoop_config_use_compression") %> + <property> + <name>mapred.compress.map.output</name> + <value><%= hadoop_config_use_compression %></value> + </property> +<% else %> + <property> + <name>mapred.compress.map.output</name> + <value>false</value> + </property> +<% end %> + +<% if has_variable?("hadoop_config_mapred_reduce_slowstart_completed_maps") %> + <property> + <name>mapred.reduce.slowstart.completed.maps</name> + <value><%= hadoop_config_mapred_reduce_slowstart_completed_maps %></value> + </property> +<% end %> + +<% if has_variable?("hadoop_jobtracker_thrift_port") %> + <!-- Enable Hue plugins --> + <property> + <name>jobtracker.thrift.address</name> + <value>0.0.0.0:<%= hadoop_jobtracker_thrift_port %></value> + </property> +<% end %> +<% if has_variable?("hadoop_mapred_jobtracker_plugins") %> + <property> + <name>mapred.jobtracker.plugins</name> + <value><%= hadoop_mapred_jobtracker_plugins %></value> + <description>Comma-separated list of jobtracker plug-ins to be activated.</description> + </property> +<% end %> +<% if has_variable?("hadoop_mapred_tasktracker_plugins") %> + <property> + <name>mapred.tasktracker.instrumentation</name> + <value><%= hadoop_mapred_tasktracker_plugins %></value> + </property> +<% end %> + +</configuration> Added: incubator/bigtop/trunk/bigtop-deploy/puppet/modules/hadoop/templates/taskcontroller.cfg URL: http://svn.apache.org/viewvc/incubator/bigtop/trunk/bigtop-deploy/puppet/modules/hadoop/templates/taskcontroller.cfg?rev=1183561&view=auto ============================================================================== --- incubator/bigtop/trunk/bigtop-deploy/puppet/modules/hadoop/templates/taskcontroller.cfg (added) +++ incubator/bigtop/trunk/bigtop-deploy/puppet/modules/hadoop/templates/taskcontroller.cfg Fri Oct 14 23:33:44 2011 
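Review bot: The `mapred.fairscheduler.sizebasedweight` property is guarded by `has_variable?("hadoop_config_mapred_fairscheduler_sizebasedweight")` but its value is rendered from `hadoop_config_mapred_fairscheduler_assignmultiple`, so the setting silently takes the other option's value. The value line should read `<value><%= hadoop_config_mapred_fairscheduler_sizebasedweight %></value>`. A similar mismatch is worth checking near the end of the file, where `mapred.tasktracker.instrumentation` is filled from `hadoop_mapred_tasktracker_plugins`; if that pairing is intentional it deserves a comment.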
@@ -0,0 +1,3 @@
+mapred.local.dir=<% hadoop_storage_locations.split(";").each do |storage_location| %><%= storage_location%>/scratch,<% end %>
+hadoop.log.dir=/var/log/hadoop-0.20/
+mapreduce.tasktracker.group=mapred
Added: incubator/bigtop/trunk/bigtop-deploy/puppet/modules/kerberos/lib/facter/kadm_keytab.rb
URL: http://svn.apache.org/viewvc/incubator/bigtop/trunk/bigtop-deploy/puppet/modules/kerberos/lib/facter/kadm_keytab.rb?rev=1183561&view=auto
==============================================================================
--- incubator/bigtop/trunk/bigtop-deploy/puppet/modules/kerberos/lib/facter/kadm_keytab.rb (added)
+++ incubator/bigtop/trunk/bigtop-deploy/puppet/modules/kerberos/lib/facter/kadm_keytab.rb Fri Oct 14 23:33:44 2011
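Review bot: The `mapred.local.dir` line always ends with a trailing comma, because the loop emits `,` after every storage location. This file configures the `LinuxTaskController` set up in mapred-site.xml, and its parser may be less forgiving about an empty last entry than Hadoop's own configuration loader; that is an assumption to confirm against the task-controller in use. Building the list with a join avoids the question: `mapred.local.dir=<%= hadoop_storage_locations.split(";").map { |d| "#{d}/scratch" }.join(",") %>`. The same loop is used for `mapred.local.dir` in mapred-site.xml and for `dfs.data.dir` and `dfs.name.dir` in hdfs-site.xml, and the two `mapred.local.dir` values need to stay identical.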
@@ -0,0 +1,21 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'facter'
+Facter.add("kadm_keytab") do
+ setcode do
+ %x{[ -f /etc/kadm5.keytab ] && base64 </etc/kadm5.keytab 2>/dev/null} + "\n"
+ end
+end
Added: incubator/bigtop/trunk/bigtop-deploy/puppet/modules/kerberos/manifests/init.pp
URL: http://svn.apache.org/viewvc/incubator/bigtop/trunk/bigtop-deploy/puppet/modules/kerberos/manifests/init.pp?rev=1183561&view=auto
==============================================================================
--- incubator/bigtop/trunk/bigtop-deploy/puppet/modules/kerberos/manifests/init.pp (added)
+++ incubator/bigtop/trunk/bigtop-deploy/puppet/modules/kerberos/manifests/init.pp Fri Oct 14 23:33:44 2011
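Review bot: This fact publishes the base64-encoded contents of `/etc/kadm5.keytab` as `kadm_keytab`, so the kadmin key material leaves the KDC host with every fact upload and ends up wherever the Puppet master stores or logs facts. Long-term Kerberos keys should not travel through Facter. If another node needs this keytab, deliver it as a root-only file (mode `0600`) over an authenticated channel, and let the fact report only presence, e.g. `File.exist?('/etc/kadm5.keytab').to_s`. If the fact has to stay, it needs a header comment naming its consumer and stating that the value is secret.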
@@ -0,0 +1,157 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +class kerberos { + class site { + # The following is our interface to the world. This is what we allow + # users to tweak from the outside (see tests/init.pp for a complete + # example) before instantiating target classes. + # Once we migrate to Puppet 2.6 we can potentially start using + # parametrized classes instead. + $domain = $kerberos_domain ? { '' => inline_template('<%= domain %>'), + default => $kerberos_domain } + $realm = $kerberos_realm ? { '' => inline_template('<%= domain.upcase %>'), + default => $kerberos_realm } + $kdc_server = $kerberos_kdc_server ? { '' => 'localhost', + default => $kerberos_kdc_server } + $kdc_port = $kerberos_kdc_port ? 
{ '' => '88', + default => $kerberos_kdc_port } + $admin_port = 749 /* BUG: linux daemon packaging doesn't let us tweak this */ + + case $operatingsystem { + 'ubuntu': { + $package_name_kdc = 'krb5-kdc' + $service_name_kdc = 'krb5-kdc' + $package_name_admin = 'krb5-admin-server' + $service_name_admin = 'krb5-admin-server' + $package_name_client = 'krb5-user' + $exec_path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' + $kdc_etc_path = '/etc/krb5kdc/' + } + # default assumes CentOS, Redhat 5 series (just look at how random it all looks :-() + default: { + $package_name_kdc = 'krb5-server' + $service_name_kdc = 'krb5kdc' + $package_name_admin = 'krb5-libs' + $service_name_admin = 'kadmin' + $package_name_client = 'krb5-workstation' + $exec_path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/kerberos/sbin:/usr/kerberos/bin' + $kdc_etc_path = '/var/kerberos/krb5kdc/' + } + } + + file { "/etc/krb5.conf": + content => template('kerberos/krb5.conf'), + owner => "root", + group => "root", + mode => "0644", + } + } + + class kdc inherits kerberos::site { + package { "$package_name_kdc": + ensure => installed, + } + + file { "$kdc_etc_path": + ensure => directory, + owner => root, + group => root, + mode => "0700", + } + file { "${kdc_etc_path}/kdc.conf": + content => template('kerberos/kdc.conf'), + require => Package["$package_name_kdc"], + owner => "root", + group => "root", + mode => "0644", + } + file { "${kdc_etc_path}/kadm5.acl": + content => template('kerberos/kadm5.acl'), + require => Package["$package_name_kdc"], + owner => "root", + group => "root", + mode => "0644", + } + + exec { "kdb5_util": + path => $exec_path, + command => "rm -f /etc/kadm5.keytab ; kdb5_util -P cthulhu -r ${realm} create -s && kadmin.local -q 'cpw -pw secure kadmin/admin'", + + creates => "${kdc_etc_path}/stash", + + subscribe => File["${kdc_etc_path}/kdc.conf"], + # refreshonly => true, + + require => [Package["$package_name_kdc"], 
File["${kdc_etc_path}/kdc.conf"], File["/etc/krb5.conf"]], + } + + service { "$service_name_kdc": + ensure => running, + require => [Package["$package_name_kdc"], File["${kdc_etc_path}/kdc.conf"], Exec["kdb5_util"]], + subscribe => File["${kdc_etc_path}/kdc.conf"], + hasrestart => true, + } + + + class admin_server inherits kerberos::kdc { + /* BUG: KITCHEN-751 */ + $se_hack = "setsebool -P kadmind_disable_trans 1 ; setsebool -P krb5kdc_disable_trans 1" + + package { "$package_name_admin": + ensure => installed, + require => Package["$package_name_kdc"], + } + + service { "$service_name_admin": + ensure => running, + require => [Package["$package_name_admin"], Service["$service_name_kdc"]], + hasrestart => true, + restart => "${se_hack} ; service ${service_name_admin} restart", + start => "${se_hack} ; service ${service_name_admin} start", + } + } + } + + class client inherits kerberos::site { + define create_princs { + exec { "addprinc.$title": + path => $kerberos::site::exec_path, # BUG: I really shouldn't need to do a FQVN here + command => "kadmin -w secure -p kadmin/admin -q 'addprinc -randkey $title/$fqdn'", + unless => "kadmin -w secure -p kadmin/admin -q listprincs | grep -q $title/$fqdn" + } + } + + define host_keytab($fqdn = "$hostname.$domain", $princs_map) { + $princs = $princs_map[$title] + $keytab = "/etc/${title}.keytab" + $exports = inline_template("<%= princs.join('/$fqdn ') + '/$fqdn ' %>") + + create_princs { $princs: + } + + exec { "xst.$title": + path => $kerberos::site::exec_path, # BUG: I really shouldn't need to do a FQVN here + command => "kadmin -w secure -p kadmin/admin -q 'xst -k $keytab $exports' ; chown $title $keytab", + unless => "klist -kt $keytab 2>/dev/null | grep -q $title/$fqdn", + require => [ Create_princs[$princs] ], + } + } + + package { "$package_name_client": + ensure => installed, + } + } +} Added: incubator/bigtop/trunk/bigtop-deploy/puppet/modules/kerberos/templates/kadm5.acl URL: 
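Review bot: The KDC master password (`kdb5_util -P cthulhu`) and the `kadmin/admin` password (`cpw -pw secure`, then `kadmin -w secure` in `create_princs` and `host_keytab`) are hard-coded literals in a public manifest and are passed on the command line, where they are visible in the process list and may be captured in Puppet reports. Every realm built from this module therefore shares the same admin credentials, and the `*/admin *` entry in kadm5.acl gives that principal full rights. These values should come from site-supplied variables with no default in `kerberos::site` (names proposed here: `$kerberos_kdc_master_password`, `$kerberos_kadmin_password`), and the client-side execs are better served by keytab authentication (`kadmin -k -t <keytab>`) than by `-w`. The `xst` exec also only runs `chown $title $keytab`; appending `&& chmod 0400 $keytab` would make the keytab's permissions explicit rather than umask-dependent.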
http://svn.apache.org/viewvc/incubator/bigtop/trunk/bigtop-deploy/puppet/modules/kerberos/templates/kadm5.acl?rev=1183561&view=auto
==============================================================================
--- incubator/bigtop/trunk/bigtop-deploy/puppet/modules/kerberos/templates/kadm5.acl (added)
+++ incubator/bigtop/trunk/bigtop-deploy/puppet/modules/kerberos/templates/kadm5.acl Fri Oct 14 23:33:44 2011
@@ -0,0 +1,21 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This file Is the access control list for krb5 administration.
+# When this file is edited run /etc/init.d/krb5-admin-server restart to activate
+# One common way to set up Kerberos administration is to allow any principal
+# ending in /admin is given full administrative rights.
+# To enable this, uncomment the following line:
+*/admin *
Added: incubator/bigtop/trunk/bigtop-deploy/puppet/modules/kerberos/templates/kdc.conf
URL: http://svn.apache.org/viewvc/incubator/bigtop/trunk/bigtop-deploy/puppet/modules/kerberos/templates/kdc.conf?rev=1183561&view=auto
==============================================================================
--- incubator/bigtop/trunk/bigtop-deploy/puppet/modules/kerberos/templates/kdc.conf (added)
+++ incubator/bigtop/trunk/bigtop-deploy/puppet/modules/kerberos/templates/kdc.conf Fri Oct 14 23:33:44 2011
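Review bot: The header comment says to uncomment the following line to grant full rights to `/admin` principals, but `*/admin *` is already active, so the file as shipped gives every privilege to any principal with an `admin` instance. Since `realm` is available to templates rendered from `kerberos::kdc` (kdc.conf uses it), the entry can be scoped as `*/admin@<%= realm %> *`, and the comment should state that the rule is enabled by default. The restart path in the comment (`/etc/init.d/krb5-admin-server`) is also Ubuntu-specific, while the default branch in init.pp names the service `kadmin`.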
@@ -0,0 +1,20 @@
+default_realm = <%= realm %>
+
+[kdcdefaults]
+ v4_mode = nopreauth
+ kdc_ports = 0
+
+[realms]
+ <%= realm %> = {
+ kdc_ports = <%= kdc_port %>
+ admin_keytab = /etc/kadm5.keytab
+ database_name = <%= kdc_etc_path %>/principal
+ acl_file = <%= kdc_etc_path %>/kadm5.acl
+ key_stash_file = <%= kdc_etc_path %>/stash
+ max_life = 10h 0m 0s
+ max_renewable_life = 7d 0h 0m 0s
+ master_key_type = des3-hmac-sha1
+ supported_enctypes = arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
+# supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
+ default_principal_flags = +preauth
+ }
Added: incubator/bigtop/trunk/bigtop-deploy/puppet/modules/kerberos/templates/krb5.conf
URL: http://svn.apache.org/viewvc/incubator/bigtop/trunk/bigtop-deploy/puppet/modules/kerberos/templates/krb5.conf?rev=1183561&view=auto
==============================================================================
--- incubator/bigtop/trunk/bigtop-deploy/puppet/modules/kerberos/templates/krb5.conf (added)
+++ incubator/bigtop/trunk/bigtop-deploy/puppet/modules/kerberos/templates/krb5.conf Fri Oct 14 23:33:44 2011
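Review bot: The active `supported_enctypes` line offers only `arcfour-hmac`, `des3-hmac-sha1` and several single-DES variants (`des-cbc-crc`, `des:v4`, `des:afs3`, …), and `v4_mode = nopreauth` keeps a Kerberos 4 setting; single DES and RC4 are weak key types for long-lived service principals. Unless a client in the deployment is known to need them, list AES first and drop single DES, e.g. `supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-hmac-sha1:normal`. Some Java runtimes need additional policy files for AES-256, so any compatibility reason for the current list should be recorded in a comment above it rather than left implicit.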
@@ -0,0 +1,23 @@
+[libdefaults]
+ default_realm = <%= realm %>
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ ticket_lifetime = 24h
+ forwardable = true
+ udp_preference_limit = 1000000
+
+[realms]
+ <%= realm %> = {
+ kdc = <%= kdc_server %>.<%= domain %>:<%= kdc_port %>
+ admin_server = <%= kdc_server %>.<%= domain %>:<%= admin_port %>
+ default_domain = <%= domain %>
+ }
+
+[domain_realm]
+ .<%= domain %> = <%= realm %>
+ <%= domain %> = <%= realm %>
+
+[logging]
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmin.log
+ default = FILE:/var/log/krb5lib.log
Added: incubator/bigtop/trunk/bigtop-deploy/puppet/modules/kerberos/tests/init.pp
URL: http://svn.apache.org/viewvc/incubator/bigtop/trunk/bigtop-deploy/puppet/modules/kerberos/tests/init.pp?rev=1183561&view=auto
==============================================================================
--- incubator/bigtop/trunk/bigtop-deploy/puppet/modules/kerberos/tests/init.pp (added)
+++ incubator/bigtop/trunk/bigtop-deploy/puppet/modules/kerberos/tests/init.pp Fri Oct 14 23:33:44 2011
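Review bot: `kdc` and `admin_server` are built as `<%= kdc_server %>.<%= domain %>`, so the default `kdc_server` of `localhost` from init.pp renders as `localhost.<domain>`, and a fully qualified `kerberos_kdc_server` would get the domain appended a second time. Either document the expectation above the `[realms]` block with a comment such as `# kdc_server must be a short host name; the domain is appended`, or append the domain only when the value contains no dot. Also, `ticket_lifetime = 24h` here exceeds `max_life = 10h 0m 0s` in kdc.conf, so clients will receive the shorter lifetime; aligning the two avoids surprises with long-running jobs.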
@@ -0,0 +1,31 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+$kerberos_domain = "krb.test.com"
+$kerberos_realm = "KRB.TEST.COM"
+$kerberos_kdc_server = "localhost"
+$kerberos_kdc_port = 88
+# the following turns a node into a fully functional KDC
+include kerberos::kdc
+# the following opens up KDC principle datbase for remote
+# administration (it really should be optional, but it is
+# required for now in order to make kerberos::client::host_keytab
+# work)
+include kerberos::kdc::admin_server
+
+# the following turns a node into a Kerberos client hosts with..
+include kerberos::client
+# ...an optional host_keytab for as many services as you want:
+kerberos::client::host_keytab { ["host", "hdfs", "mapred"]: }
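Review bot: `kerberos::client::host_keytab { ["host", "hdfs", "mapred"]: }` passes no `princs_map`, but the define in manifests/init.pp declares `$princs_map` without a default and then indexes it with `$princs_map[$title]`, so this example should fail to compile as written. Pass the map explicitly, for instance `princs_map => { 'host' => ['host'], 'hdfs' => ['hdfs'], 'mapred' => ['mapred'] }` (sample values constructed for illustration), or give the parameter a documented default in the define. Because `create_princs { $princs: }` is declared once per keytab, a principal listed under two titles would be declared twice, which the example comment should mention.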
