AMBARI-11159. Kerberos: Add kerberos-setup.sh script back to the resources/scripts directory with appropriate changes (alexantonenko)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/ea8a8046 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/ea8a8046 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/ea8a8046 Branch: refs/heads/trunk Commit: ea8a8046da69a266c267ef299389d43d825505ae Parents: 3ccfc42 Author: Alex Antonenko <hiv...@gmail.com> Authored: Fri May 15 12:37:50 2015 +0300 Committer: Alex Antonenko <hiv...@gmail.com> Committed: Fri May 15 12:53:46 2015 +0300 ---------------------------------------------------------------------- .../main/resources/scripts/kerberos-setup.sh | 366 +++++++++++++++++++ 1 file changed, 366 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/ea8a8046/ambari-server/src/main/resources/scripts/kerberos-setup.sh ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/scripts/kerberos-setup.sh b/ambari-server/src/main/resources/scripts/kerberos-setup.sh new file mode 100644 index 0000000..8641616 --- /dev/null +++ b/ambari-server/src/main/resources/scripts/kerberos-setup.sh @@ -0,0 +1,366 @@ +#!/bin/bash +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +# +# This script is provided as an example of how to parse the Kerberos CSV file. +# It is for illustrative purposes only and should not be used for any other purpose. +# + +############################ +## NOTE: +## 1) This script should be executed on NameNode host as that host is guaranteed to have all the users needed while creating keytab file +## 2) The script has been verified to work in gce environment and +## vagrant environment documented at ambari wiki: https://cwiki.apache.org/confluence/display/AMBARI/Quick+Start+Guide +########################### + +usage () { +echo "Usage: keytabs.sh <HOST_PRINCIPAL_KEYTABLE.csv> <SSH_LOGIN_KEY_PATH>"; +echo " <HOST_PRINCIPAL_KEYTABLE.csv>: CSV file generated by 'Enable Security Wizard' of Ambari"; +echo " <SSH_LOGIN_KEY_PATH>: File path to the ssh login key for root user"; +exit 1; +} + +################### +## processCSVFile() +################### +processCSVFile () { + csvFile=$1; + csvFile=$(printf '%q' "$csvFile") + # Remove blank lines + sed -i '/^\s*$/d' $csvFile + touch generate_keytabs.sh; + chmod 755 generate_keytabs.sh; + + echo "#!/bin/bash" > generate_keytabs.sh; + echo "###########################################################################" >> generate_keytabs.sh; + echo "###########################################################################" >> generate_keytabs.sh; + echo "## " >> generate_keytabs.sh; + echo "## Ambari Security Script Generator" >> generate_keytabs.sh; + echo "## " >> generate_keytabs.sh; + echo "## Ambari security script is generated which should be run on the" >> generate_keytabs.sh; + echo "## Kerberos server machine." >> generate_keytabs.sh; + echo "## " >> generate_keytabs.sh; + echo "## Running the generated script will create host specific keytabs folders." >> generate_keytabs.sh; + echo "## Each of those folders will contain service specific keytab files with " >> generate_keytabs.sh; + echo "## appropriate permissions. There folders should be copied as the appropriate" >> generate_keytabs.sh; + echo "## host's '/etc/security/keytabs' folder" >> generate_keytabs.sh; + echo "###########################################################################" >> generate_keytabs.sh; + echo "###########################################################################" >> generate_keytabs.sh; + + rm -f commands.mkdir; + rm -f commands.chmod; + rm -f commands.addprinc; + rm -f commands.xst + rm -f commands.xst.cp + rm -f commands.chown.1 + rm -f commands.chmod.1 + rm -f commands.chmod.2 + rm -f commands.tar + + seenHosts=""; + seenPrincipals=""; + + echo "mkdir -p ./tmp_keytabs" >> commands.mkdir; + sed 1d $csvFile | while read line; do + hostName=`echo $line|cut -d , -f 1`; + service=`echo $line|cut -d , -f 2`; + principal=`echo $line|cut -d , -f 3`; + localUserName=`echo $line|cut -d , -f 5`; + keytabFile=`echo $line|cut -d , -f 6 | cut -d , -f 6 | rev | cut -d '/' -f 1 | rev`; + fullKeytabFilePath=`echo $line|cut -d , -f 6`; + keytabFilePath=${fullKeytabFilePath%/*}; + owner=`echo $line|cut -d , -f 7`; + group=`echo $line|cut -d , -f 9`; + acl=`echo $line|cut -d , -f 11`; + + if [[ $seenHosts != *$hostName* ]]; then + echo "mkdir -p ./keytabs_$hostName" >> commands.mkdir; + echo "chmod 755 ./keytabs_$hostName" >> commands.chmod; + echo "chown -R root:$group `pwd`/keytabs_$hostName" >> commands.chown.1 + echo "tar -cvf keytabs_$hostName.tar -C keytabs_$hostName ." >> commands.tar + seenHosts="$seenHosts$hostName"; + fi + + if [[ $seenPrincipals != *" $principal"* ]]; then + echo -e "kadmin.local -q \"addprinc -randkey $principal\"" >> commands.addprinc; + seenPrincipals="$seenPrincipals $principal" + fi + tmpKeytabFile="`pwd`/tmp_keytabs/$keytabFile"; + newKeytabPath="`pwd`/keytabs_$hostName$keytabFilePath"; + newKeytabFile="$newKeytabPath/$keytabFile"; + if [ ! -f $tmpKeytabFile ]; then + echo "kadmin.local -q \"xst -k $tmpKeytabFile $principal\"" >> commands.xst; + fi + if [ ! -d $newKeytabPath ]; then + echo "mkdir -p $newKeytabPath" >> commands.mkdir; + fi + echo "cp $tmpKeytabFile $newKeytabFile" >> commands.xst.cp + echo "chmod $acl $newKeytabFile" >> commands.chmod.2 + echo "chown $owner:$group $newKeytabFile" >> commands.chown.1 + done; + + + echo "" >> generate_keytabs.sh; + echo "" >> generate_keytabs.sh; + echo "###########################################################################" >> generate_keytabs.sh; + echo "# Making host specific keytab folders" >> generate_keytabs.sh; + echo "###########################################################################" >> generate_keytabs.sh; + cat commands.mkdir >> generate_keytabs.sh; + echo "" >> generate_keytabs.sh; + echo "###########################################################################" >> generate_keytabs.sh; + echo "# Changing permissions for host specific keytab folders" >> generate_keytabs.sh; + echo "###########################################################################" >> generate_keytabs.sh; + cat commands.chmod >> generate_keytabs.sh; + echo "" >> generate_keytabs.sh; + echo "###########################################################################" >> generate_keytabs.sh; + echo "# Creating Kerberos Principals" >> generate_keytabs.sh; + echo "###########################################################################" >> generate_keytabs.sh; + cat commands.addprinc >> generate_keytabs.sh; + echo "" >> generate_keytabs.sh; + echo "###########################################################################" >> generate_keytabs.sh; + echo "# Creating Kerberos Principal keytabs in host specific keytab folders" >> generate_keytabs.sh; + echo "###########################################################################" >> generate_keytabs.sh; + cat commands.xst >> generate_keytabs.sh; + cat commands.xst.cp >> generate_keytabs.sh; + echo "" >> generate_keytabs.sh; + echo "###########################################################################" >> generate_keytabs.sh; + echo "# Changing ownerships of host specific keytab files" >> generate_keytabs.sh; + echo "###########################################################################" >> generate_keytabs.sh; + cat commands.chown.1 >> generate_keytabs.sh; + echo "" >> generate_keytabs.sh; + echo "###########################################################################" >> generate_keytabs.sh; + echo "# Changing access permissions of host specific keytab files" >> generate_keytabs.sh; + echo "###########################################################################" >> generate_keytabs.sh; + #cat commands.chmod.1 + cat commands.chmod.2 >> generate_keytabs.sh; + echo "" >> generate_keytabs.sh; + echo "###########################################################################" >> generate_keytabs.sh; + echo "# Packaging keytab folders" >> generate_keytabs.sh; + echo "###########################################################################" >> generate_keytabs.sh; + cat commands.tar >> generate_keytabs.sh; + echo "" >> generate_keytabs.sh; + echo "###########################################################################" >> generate_keytabs.sh; + echo "# Cleanup" >> generate_keytabs.sh; + echo "###########################################################################" >> generate_keytabs.sh; + echo "rm -rf ./tmp_keytabs" >> generate_keytabs.sh; + echo "" >> generate_keytabs.sh; + echo "echo \"****************************************************************************\"" >> generate_keytabs.sh; + echo "echo \"****************************************************************************\"" >> generate_keytabs.sh; + echo "echo \"** Copy and extract 'keytabs_[hostname].tar' files onto respective hosts. **\"" >> generate_keytabs.sh; + echo "echo \"** **\"" >> generate_keytabs.sh; + echo "echo \"** Generated keytab files are preserved in the 'tmp_keytabs' folder. **\"" >> generate_keytabs.sh; + echo "echo \"****************************************************************************\"" >> generate_keytabs.sh; + echo "echo \"****************************************************************************\"" >> generate_keytabs.sh; + + rm -f commands.mkdir >> generate_keytabs.sh; + rm -f commands.chmod >> generate_keytabs.sh; + rm -f commands.addprinc >> generate_keytabs.sh; + rm -f commands.xst >> generate_keytabs.sh; + rm -f commands.xst.cp >> generate_keytabs.sh; + rm -f commands.chown.1 >> generate_keytabs.sh; + rm -f commands.chmod.1 >> generate_keytabs.sh; + rm -f commands.chmod.2 >> generate_keytabs.sh; + rm -f commands.tar >> generate_keytabs.sh; + # generate keytabs + sh ./generate_keytabs.sh +} + +######################## +## installKDC () : Install rng tools,pdsh on KDC host and KDC packages on all host. Modify krb5 file +######################## +installKDC () { + csvFile=$1; + sshLoginKey=$2; + HOSTNAME=`hostname --fqdn` + scriptDir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" + krb5_new_conf=$scriptDir"/krb5.conf" + krb5_conf="/etc/krb5.conf" + #export additional path for suse and centos5 + PATH=$PATH:/usr/lib/mit/sbin/:/usr/kerberos/sbin/:/usr/sbin/:/sbin/ + # Install rng tools + installRngtools + # Install kdc server on this host + $inst_cmd $server_packages + # Configure /etc/krb5.conf + cp $krb5_conf $krb5_conf".bak" + cp $krb5_new_conf $krb5_conf + sed -i "s/\(kdc *= *\).*kerberos.example.com.*/\1$HOSTNAME/" $krb5_conf + sed -i "s/\(admin_server *= *\).*kerberos.example.com.*/\1$HOSTNAME/" $krb5_conf + # Create principal key and start services + if [[ ! -f $principal_file ]]; then + echo -ne '\n\n' | kdb5_util create -s + fi + eval $kdc_service_start + eval $kadmin_service_start + # Install pdsh on this host + $inst_cmd pdsh; + chown root:root -R /usr; + eval `ssh-agent` + ssh-add $sshLoginKey + hostNames=''; + + # remove empty lines + sed -i "/^\s*$/d" $csvFile; + + sed 1d $csvFile > $csvFile.tmp + while read line; do + hostName=`echo $line|cut -d , -f 1`; + if [ -z "$hostNames" ]; then + hostNames=$hostName; + continue; + fi + if [[ $hostNames != *$hostName* ]]; then + hostNames=$hostNames,$hostName; + fi + echo "hostNames $hostNames"; + done < $csvFile.tmp; + rm -f $csvFile.tmp + # Check all hosts for passwordless ssh + OLD_IFS=$IFS + IFS=, + for host in $hostNames; do + + checkSSH $host + done + IFS=$OLD_IFS + export PDSH_SSH_ARGS_APPEND="-q -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o PreferredAuthentications=publickey" + pdsh -R ssh -w $hostNames "$inst_cmd $client_packages" + pdsh -R ssh -w $hostNames "$inst_cmd pdsh" + pdsh -R ssh -w $hostNames chown root:root -R /usr + pdcp -R ssh -w $hostNames $krb5_conf $krb5_conf +} + +######################## +## distributeKeytabs () : Distribute the tar on all respective hosts root directory and untar it +######################## +distributeKeytabs () { + shopt -s nullglob + filearray=(keytabs_*tar) + for i in ${filearray[@]}; do + derivedname=${i%.*} + derivedname=${derivedname##keytabs_} + echo $derivedname + scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no $i root@$derivedname:/ + ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@$derivedname "cd /;tar xvf $i --no-overwrite-dir" + done +} + +######################## +## getEnvironmentCMD () : get linux distribution type and package manager +######################## +getEnvironmentCMD () { + os=`python -c 'import sys; sys.path.append("/usr/lib/python2.6/site-packages/"); from ambari_commons import OSCheck; print OSCheck.get_os_family()'` + version=`python -c 'import sys; sys.path.append("/usr/lib/python2.6/site-packages/"); from ambari_commons import OSCheck; print OSCheck.get_os_major_version()'` + os=$os$version; + case $os in + 'ubuntu12' ) + pkgmgr='apt-get' + inst_cmd="env DEBIAN_FRONTEND=noninteractive /usr/bin/$pkgmgr --allow-unauthenticated --assume-yes install -f " + client_packages="krb5-user libpam-krb5 libpam-ccreds auth-client-config" + server_packages="krb5-kdc krb5-admin-server $client_packages" + rng_tools="rng-tools" + principal_file="/etc/krb5kdc/principal" + kdc_service_start="service krb5-kdc start || service krb5-kdc status" + kadmin_service_start="service krb5-admin-server start || service krb5-admin-server status" + ;; + 'redhat5' ) + pkgmgr='yum' + inst_cmd="/usr/bin/$pkgmgr -y install " + client_packages="krb5-workstation" + server_packages="krb5-server krb5-libs krb5-auth-dialog $client_packages" + rng_tools="rng-utils" + principal_file="/var/kerberos/krb5kdc/principal" + kdc_service_start="service kadmin start; service kadmin status" + kadmin_service_start="service krb5kdc start || service krb5kdc status" + ;; + 'redhat6' ) + pkgmgr='yum' + inst_cmd="/usr/bin/$pkgmgr -y install " + client_packages="krb5-workstation" + server_packages="krb5-server krb5-libs krb5-auth-dialog $client_packages" + rng_tools="rng-tools" + principal_file="/var/kerberos/krb5kdc/principal" + kdc_service_start="service kadmin start; service kadmin status" + kadmin_service_start="service krb5kdc start || service krb5kdc status" + ;; + 'suse11' ) + pkgmgr='zypper' + inst_cmd="/usr/bin/$pkgmgr install --auto-agree-with-licenses --no-confirm " + client_packages="krb5-client" + server_packages="krb5 krb5-server $client_packages" + rng_tools="rng-tools" + principal_file="/var/lib/kerberos/krb5kdc/principal" + kdc_service_start="service kadmind start || service kadmind status" + kadmin_service_start="service krb5kdc start || service krb5kdc status" + ;; + esac +} + +######################## +## checkUser () : If the user executing the script is not "root" then exit +######################## +checkUser () { + userid=`id -u`; + if (($userid != 0)); then + echo "ERROR: The script needs to be executed by root user" + exit 1; + fi +} + +######################## +## checkSSH () : If passwordless ssh for root is not configured then exit +######################## +checkSSH () { + host=$1 + ssh -oPasswordAuthentication=no -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no $host "exit 0" && return_value=0 || return_value=$? && true + if [[ $return_value != 0 ]]; then + echo "ERROR: Passwordless ssh for user root is not configured for host $host" + exit 1; + fi +} + +######################## +## installRngtools () : Install and start rng-tools +######################## +installRngtools () { + $inst_cmd $rng_tools + echo $inst_cmd $rng_utils + if [ $os == 'ubuntu12' ] || [ $os == 'suse11' ]; then + echo "HRNGDEVICE=/dev/urandom" >> /etc/default/rng-tools + /etc/init.d/rng-tools start || true + elif [ $os == 'redhat5' ]; then + /sbin/rngd -r /dev/urandom -o /dev/random -f -t .001 --background + else + sed -i "s/\(EXTRAOPTIONS *= *\).*/\1\"-r \/dev\/urandom\"/" "/etc/sysconfig/rngd" + # start rngd + /etc/init.d/rngd start + fi +} + +if (($# != 2)); then + usage +fi + +set -e +checkUser +getEnvironmentCMD +installKDC $@ +processCSVFile $@ +distributeKeytabs $@ \ No newline at end of file