Author: rvs
Date: Tue Mar 20 17:58:10 2012
New Revision: 1303053
URL: http://svn.apache.org/viewvc?rev=1303053&view=rev
Log:
BIGTOP-466. Secure zookeeper support missing from puppet (Patrick Taylor Ramsey
via rvs)
Added:
incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-zookeeper/files/
incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-zookeeper/files/java.env
incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-zookeeper/templates/jaas.conf
Modified:
incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/manifests/cluster.pp
incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-zookeeper/manifests/init.pp
incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-zookeeper/templates/zoo.cfg
Modified:
incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/manifests/cluster.pp
URL:
http://svn.apache.org/viewvc/incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/manifests/cluster.pp?rev=1303053&r1=1303052&r2=1303053&view=diff
==============================================================================
---
incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/manifests/cluster.pp
(original)
+++
incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/manifests/cluster.pp
Tue Mar 20 17:58:10 2012
@@ -158,6 +158,7 @@ class hadoop_head_node inherits hadoop_c
hadoop-zookeeper::server { "zookeeper":
myid => "0",
ensemble => $hadoop_zookeeper_ensemble,
+ kerberos_realm => $kerberos_realm,
}
hadoop::create_hdfs_dirs { [ "/mapred", "/tmp", "/system", "/user",
"/hbase", "/benchmarks", "/user/jenkins", "/user/hive", "/user/root",
"/user/history" ]:
Added:
incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-zookeeper/files/java.env
URL:
http://svn.apache.org/viewvc/incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-zookeeper/files/java.env?rev=1303053&view=auto
==============================================================================
---
incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-zookeeper/files/java.env
(added)
+++
incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-zookeeper/files/java.env
Tue Mar 20 17:58:10 2012
@@ -0,0 +1 @@
+export
SERVER_JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/jaas.conf"
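Review bot: The new java.env assigns `SERVER_JVMFLAGS` outright, so any server JVM flags already set when this file is sourced would be discarded; whether anything sets them earlier is not visible in this commit. Appending keeps them: `export SERVER_JVMFLAGS="$SERVER_JVMFLAGS -Djava.security.auth.login.config=/etc/zookeeper/conf/jaas.conf"`. The jaas.conf path is also repeated literally in init.pp, so a one-line comment here saying the two must stay in sync would help the next editor.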
Modified:
incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-zookeeper/manifests/init.pp
URL:
http://svn.apache.org/viewvc/incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-zookeeper/manifests/init.pp?rev=1303053&r1=1303052&r2=1303053&view=diff
==============================================================================
---
incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-zookeeper/manifests/init.pp
(original)
+++
incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-zookeeper/manifests/init.pp
Tue Mar 20 17:58:10 2012
@@ -20,7 +20,9 @@ class hadoop-zookeeper {
}
}
- define server($myid, $ensemble = ["localhost:2888:3888"]) {
+ define server($myid, $ensemble = ["localhost:2888:3888"],
+ $kerberos_realm = "")
+ {
package { "zookeeper-server":
ensure => latest,
}
@@ -42,5 +44,25 @@ class hadoop-zookeeper {
content => inline_template("<%= myid %>"),
require => Package["zookeeper-server"],
}
+
+ if ($kerberos_realm) {
+ require kerberos::client
+
+ kerberos::host_keytab { "zookeeper":
+ notify => Service["zookeeper-server"],
+ }
+
+ file { "/etc/zookeeper/conf/java.env":
+ source => "puppet:///modules/hadoop-zookeeper/java.env",
+ require => Package["zookeeper-server"],
+ notify => Service["zookeeper-server"],
+ }
+
+ file { "/etc/zookeeper/conf/jaas.conf":
+ content => template("hadoop-zookeeper/jaas.conf"),
+ require => Package["zookeeper-server"],
+ notify => Service["zookeeper-server"],
+ }
+ }
}
}
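Review bot: The guard `if ($kerberos_realm)` relies on the `""` default being false, which is true only in older Puppet language versions; newer ones treat an empty string as true, and the Kerberos block would then be applied on every node. The zoo.cfg template in this same commit tests `kerberos_realm != ""` explicitly, so I would write `if ($kerberos_realm != "") {` here to keep the manifest and the template in agreement. The two `file` resources for java.env and jaas.conf set no `owner`, `group` or `mode` and so take whatever defaults are in scope; stating them explicitly makes the intended permissions reviewable. Nothing in the block removes these files when `kerberos_realm` is later cleared, so a node could keep a stale java.env pointing at jaas.conf. The body of `define server` starts outside this hunk.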
Added:
incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-zookeeper/templates/jaas.conf
URL:
http://svn.apache.org/viewvc/incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-zookeeper/templates/jaas.conf?rev=1303053&view=auto
==============================================================================
---
incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-zookeeper/templates/jaas.conf
(added)
+++
incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-zookeeper/templates/jaas.conf
Tue Mar 20 17:58:10 2012
@@ -0,0 +1,8 @@
+Server {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useKeyTab=true
+ keyTab="/etc/zookeeper.keytab"
+ storeKey=true
+ useTicketCache=false
+ principal="zookeeper/<%= fqdn %>@<%= kerberos_realm %>";
+};
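Review bot: The `keyTab="/etc/zookeeper.keytab"` path is hard-coded in this template, while the keytab itself is produced by `kerberos::host_keytab { "zookeeper": }` in init.pp, whose definition is not part of this commit. If that define writes to a different path, or writes a file the ZooKeeper service account cannot read, the server's Kerberos login fails at startup; if it writes one that other local users can read, the service key is exposed. I would add an ERB comment at the top of the template, for example `<%# keyTab must match the path installed by kerberos::host_keytab "zookeeper"; the keytab should be readable only by the zookeeper service user %>`. The principal is built from the `fqdn` fact, so it presumably has to match the host component of the principal stored in that keytab exactly.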
Modified:
incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-zookeeper/templates/zoo.cfg
URL:
http://svn.apache.org/viewvc/incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-zookeeper/templates/zoo.cfg?rev=1303053&r1=1303052&r2=1303053&view=diff
==============================================================================
---
incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-zookeeper/templates/zoo.cfg
(original)
+++
incubator/bigtop/branches/hadoop-0.23/bigtop-deploy/puppet/modules/hadoop-zookeeper/templates/zoo.cfg
Tue Mar 20 17:58:10 2012
@@ -29,3 +29,14 @@ clientPort=2181
<% ensemble.each_with_index do |server,idx| %>
server.<%= idx %>=<%= server %>
<% end %>
+
+<% if kerberos_realm != "" -%>
+authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
+jaasLoginRenew=3600000
+
+# HBase needs these configs so that different hbase daemons
+# (master, regionservers), which run on different hosts, can
+# read from and write to znodes that others create
+kerberos.removeHostFromPrincipal=true
+kerberos.removeRealmFromPrincipal=true
+<% end -%>
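Review bot: The comment above `kerberos.removeHostFromPrincipal=true` and `kerberos.removeRealmFromPrincipal=true` gives the HBase reason but not the cost. With both set, ZooKeeper ACLs see only the first component of a principal, so every principal sharing that component, on any host and in any realm the KDC trusts, is the same identity to the server. I would say so next to the settings, e.g. `# NOTE: ACL identity becomes the bare primary (e.g. "hbase"); host and realm no longer distinguish clients`. Separately, the added `authProvider.1` line enables SASL but nothing in this hunk makes it mandatory, so znodes without restrictive ACLs presumably stay reachable by unauthenticated clients; a comment stating that protection depends on the ACLs that services set would avoid a false sense of security.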