AMBARI-19594. configure kerberos authentication for Druid UIs (Nishant Bangarwa 
via smohanty)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/4f39bdf8
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/4f39bdf8
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/4f39bdf8

Branch: refs/heads/branch-dev-patch-upgrade
Commit: 4f39bdf8cc5aa58d05647725078aaa0223b7021d
Parents: ed92827
Author: Sumit Mohanty <smoha...@hortonworks.com>
Authored: Fri Feb 3 13:24:24 2017 -0800
Committer: Nate Cole <nc...@hortonworks.com>
Committed: Mon Feb 13 15:45:35 2017 -0500

----------------------------------------------------------------------
 .../DRUID/0.9.2/configuration/druid-common.xml   |  6 ++++++
 .../DRUID/0.9.2/package/scripts/druid.py         |  2 ++
 .../DRUID/0.9.2/package/scripts/params.py        |  5 ++++-
 .../stacks/HDP/2.6/services/DRUID/kerberos.json  | 19 ++++++++++++++++++-
 .../test/python/stacks/2.6/DRUID/test_druid.py   |  2 ++
 .../test/python/stacks/2.6/configs/default.json  |  3 ++-
 6 files changed, 34 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/4f39bdf8/ambari-server/src/main/resources/common-services/DRUID/0.9.2/configuration/druid-common.xml
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/main/resources/common-services/DRUID/0.9.2/configuration/druid-common.xml
 
b/ambari-server/src/main/resources/common-services/DRUID/0.9.2/configuration/druid-common.xml
index e00480e..a494750 100644
--- 
a/ambari-server/src/main/resources/common-services/DRUID/0.9.2/configuration/druid-common.xml
+++ 
b/ambari-server/src/main/resources/common-services/DRUID/0.9.2/configuration/druid-common.xml
@@ -46,6 +46,12 @@
     <on-ambari-upgrade add="false"/>
   </property>
   <property>
+    <name>druid.security.extensions.loadList</name>
+    <value>[]</value>
+    <description>A comma-separated list of one or more druid security 
extensions to load. This property will be set via the kerberos wizard and User 
will not be allowed to modify this when security is enabled.</description>
+    <on-ambari-upgrade add="false"/>
+  </property>
+  <property>
     <name>druid.zk.service.host</name>
     <value>localhost:2181</value>
     <description>
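Review bot: The description of `druid.security.extensions.loadList` calls the value "a comma-separated list", but the default is `[]` and kerberos.json in this commit sets it to a JSON array string, which druid.py then parses as a list. The text should describe the actual format, for example `A JSON array of Druid security extensions to load, e.g. ["druid-kerberos"].` The description also says the user cannot modify the value when security is enabled, but nothing in this hunk enforces that. It is worth confirming where the restriction is implemented, since the value is merged into the extension load list written to every Druid host.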

http://git-wip-us.apache.org/repos/asf/ambari/blob/4f39bdf8/ambari-server/src/main/resources/common-services/DRUID/0.9.2/package/scripts/druid.py
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/main/resources/common-services/DRUID/0.9.2/package/scripts/druid.py
 
b/ambari-server/src/main/resources/common-services/DRUID/0.9.2/package/scripts/druid.py
index 20eda92..18febeb 100644
--- 
a/ambari-server/src/main/resources/common-services/DRUID/0.9.2/package/scripts/druid.py
+++ 
b/ambari-server/src/main/resources/common-services/DRUID/0.9.2/package/scripts/druid.py
@@ -48,6 +48,8 @@ def druid(upgrade_type=None, nodeType=None):
     'druid.service']
   druid_common_config['druid.selectors.coordinator.serviceName'] = \
     params.config['configurations']['druid-coordinator']['druid.service']
+  druid_common_config['druid.extensions.loadList'] = 
json.dumps(eval(params.druid_extensions_load_list) +
+                                                     
eval(params.druid_security_extensions_load_list))
 
   # delete the password and user if empty otherwiswe derby will fail.
   if 'derby' == druid_common_config['druid.metadata.storage.type']:
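Review bot: The added assignment passes two cluster configuration strings to `eval()`, so whatever is stored in `druid-common` is evaluated as Python by the agent on each Druid host when the configuration is written. Both values are JSON array strings (see the default.json fixture), so they can be parsed as data instead: `druid_common_config['druid.extensions.loadList'] = json.dumps(json.loads(params.druid_extensions_load_list) + json.loads(params.druid_security_extensions_load_list))`. `json.loads` rejects anything that is not valid JSON, and checking that both results are lists would turn a malformed value into a clear failure rather than a TypeError on `+`. The hunk does not show an `import json`, so confirm the module is already imported in druid.py. The body of `druid()` starts and ends outside this hunk.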

http://git-wip-us.apache.org/repos/asf/ambari/blob/4f39bdf8/ambari-server/src/main/resources/common-services/DRUID/0.9.2/package/scripts/params.py
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/main/resources/common-services/DRUID/0.9.2/package/scripts/params.py
 
b/ambari-server/src/main/resources/common-services/DRUID/0.9.2/package/scripts/params.py
index 558087d..aed4043 100644
--- 
a/ambari-server/src/main/resources/common-services/DRUID/0.9.2/package/scripts/params.py
+++ 
b/ambari-server/src/main/resources/common-services/DRUID/0.9.2/package/scripts/params.py
@@ -74,6 +74,9 @@ druid_log_dir = 
config['configurations']['druid-env']['druid_log_dir']
 druid_classpath = config['configurations']['druid-env']['druid_classpath']
 druid_extensions = 
config['configurations']['druid-common']['druid.extensions.pullList']
 druid_repo_list = 
config['configurations']['druid-common']['druid.extensions.repositoryList']
+druid_extensions_load_list = 
config['configurations']['druid-common']['druid.extensions.loadList']
+druid_security_extensions_load_list = 
config['configurations']['druid-common']['druid.security.extensions.loadList']
+
 
 # status params
 druid_pid_dir = status_params.druid_pid_dir
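Review bot: `druid_security_extensions_load_list` is read with a direct lookup, but druid-common.xml introduces the property with `on-ambari-upgrade add="false"`. A cluster whose `druid-common` predates this commit may therefore lack the key, and the lookup would presumably fail when params.py is loaded. The `default()` helper already used in this file gives a safe fallback: `druid_security_extensions_load_list = default('/configurations/druid-common/druid.security.extensions.loadList', '[]')`. A short comment noting that both load lists are JSON array strings, e.g. `# JSON array strings; merged into druid.extensions.loadList in druid.py`, would also help the next reader.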
@@ -121,7 +124,7 @@ hdfs_site = config['configurations']['hdfs-site']
 default_fs = config['configurations']['core-site']['fs.defaultFS']
 dfs_type = default("/commandParams/dfs_type", "")
 
-# Kerberose
+# Kerberos
 druid_principal_name = 
default('/configurations/druid-common/druid.hadoop.security.kerberos.principal',
                                'missing_principal')
 druid_user_keytab = 
default('/configurations/druid-common/druid.hadoop.security.kerberos.keytab', 
'missing_keytab')

http://git-wip-us.apache.org/repos/asf/ambari/blob/4f39bdf8/ambari-server/src/main/resources/stacks/HDP/2.6/services/DRUID/kerberos.json
----------------------------------------------------------------------
diff --git 
a/ambari-server/src/main/resources/stacks/HDP/2.6/services/DRUID/kerberos.json 
b/ambari-server/src/main/resources/stacks/HDP/2.6/services/DRUID/kerberos.json
index 1661285..251975b 100644
--- 
a/ambari-server/src/main/resources/stacks/HDP/2.6/services/DRUID/kerberos.json
+++ 
b/ambari-server/src/main/resources/stacks/HDP/2.6/services/DRUID/kerberos.json
@@ -4,7 +4,13 @@
       "name": "DRUID",
       "identities": [
         {
-          "name": "/spnego"
+          "name": "/spnego",
+          "principal": {
+            "configuration": 
"druid-common/druid.hadoop.security.spnego.principal"
+          },
+          "keytab": {
+            "configuration": "druid-common/druid.hadoop.security.spnego.keytab"
+          }
         },
         {
           "name": "druid",
@@ -72,6 +78,17 @@
             }
           ]
         }
+      ],
+      "configurations": [
+        {
+          "druid-common": {
+            "druid.hadoop.security.spnego.excludedPaths": "[\"/status\"]",
+            "druid.security.extensions.loadList" : "[\"druid-kerberos\"]"
+          }
+        }
+      ],
+      "auth_to_local_properties" : [
+        
"druid-common/druid.hadoop.security.spnego.authToLocal|new_lines_escaped"
       ]
     }
   ]
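Review bot: `druid.hadoop.security.spnego.excludedPaths` is set to `["/status"]`, which leaves that endpoint reachable without Kerberos authentication on every Druid node once security is enabled. If this is intended for health checks, the reason should be recorded where an operator will see it; JSON has no comments, so that means a property description in druid-common.xml or the commit message. It is also worth confirming that what `/status` returns is acceptable to serve unauthenticated. The `druid.hadoop.security.spnego.*` properties referenced in this file do not appear in the druid-common.xml hunk of this commit, so their descriptions may still need to be added there.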

http://git-wip-us.apache.org/repos/asf/ambari/blob/4f39bdf8/ambari-server/src/test/python/stacks/2.6/DRUID/test_druid.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.6/DRUID/test_druid.py 
b/ambari-server/src/test/python/stacks/2.6/DRUID/test_druid.py
index 0a143ae..422e9ba 100644
--- a/ambari-server/src/test/python/stacks/2.6/DRUID/test_druid.py
+++ b/ambari-server/src/test/python/stacks/2.6/DRUID/test_druid.py
@@ -445,6 +445,8 @@ class TestDruid(RMFTestCase):
     druid_common_config['druid.extensions.hadoopDependenciesDir'] = 
format('/usr/hdp/current/{role}/hadoop-dependencies')
     druid_common_config['druid.selectors.indexing.serviceName'] = 
'druid/overlord'
     druid_common_config['druid.selectors.coordinator.serviceName'] = 
'druid/coordinator'
+    druid_common_config['druid.extensions.loadList'] = 
'["mysql-metadata-storage", "druid-datasketches", "druid-kerberos"]'
+
 
     self.assertResourceCalled('PropertiesFile', 'common.runtime.properties',
                               
dir=format("/usr/hdp/current/{role}/conf/_common"),
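Review bot: The expected `druid.extensions.loadList` only covers the fixture where `druid.security.extensions.loadList` is `["druid-kerberos"]`. The non-Kerberos default `[]` from druid-common.xml is not exercised, although druid.py parses and concatenates both strings on every run. A second case with the security list empty, expecting `'["mysql-metadata-storage", "druid-datasketches"]'`, would pin the unsecured path. The enclosing test method starts and ends outside this hunk.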

http://git-wip-us.apache.org/repos/asf/ambari/blob/4f39bdf8/ambari-server/src/test/python/stacks/2.6/configs/default.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.6/configs/default.json 
b/ambari-server/src/test/python/stacks/2.6/configs/default.json
index 963c4a4..4d9f98c 100644
--- a/ambari-server/src/test/python/stacks/2.6/configs/default.json
+++ b/ambari-server/src/test/python/stacks/2.6/configs/default.json
@@ -430,7 +430,8 @@
       "druid.indexer.logs.directory": "/user/druid/logs",
       "druid.extensions.pullList": "[\"custom-druid-extension\"]",
       "druid.extensions.repositoryList": 
"[\"http://custom-mvn-repo/public/release\"]";,
-      "druid.extensions.loadList": "[\"mysql-metadata-storage\", 
\"druid-datasketches\"]"
+      "druid.extensions.loadList": "[\"mysql-metadata-storage\", 
\"druid-datasketches\"]",
+      "druid.security.extensions.loadList": "[\"druid-kerberos\"]"
     },
     "druid-historical" : {
       "druid.segmentCache.infoDir" : "/apps/druid/segmentCache/info_dir",
