Elukey has submitted this change and it was merged.

Change subject: Add a proxy to the Yarn UI on stat1001
......................................................................


Add a proxy to the Yarn UI on stat1001

This is an attempt to add an LDAP Basic auth in front of the Yarn UI
to avoid using ssh tunnels to get information about the health
of the Hadoop cluster. This code change enables only the ops group
but it can be easily extended.

Known downside: I added a Proxy directive with a domain name
(analytics1001.eqiad.wmnet) rather than a straight IP, this will
of course cause more work during each request handling.

Bug: T116192
Change-Id: If7d1a2b46e1d645e3ac749fea069318d27dee390
---
M manifests/role/statistics.pp
A modules/statistics/manifests/sites/yarn.pp
A modules/statistics/templates/yarn.wikimedia.org.erb
3 files changed, 68 insertions(+), 0 deletions(-)

Approvals:
  Elukey: Verified; Looks good to me, approved



diff --git a/manifests/role/statistics.pp b/manifests/role/statistics.pp
index ce2423f..af975cc 100644
--- a/manifests/role/statistics.pp
+++ b/manifests/role/statistics.pp
@@ -207,6 +207,8 @@
     # analytics.wikimedia.org will eventually supercede
     # datasets and stats.
     include ::statistics::sites::analytics
+    # Proxy to securely access Yarn (authentication via LDAP)
+    include ::statistics::sites::yarn
 
     ferm::service {'statistics-web':
         proto => 'tcp',
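Review bot: the new include sits directly above the role's existing `ferm::service {'statistics-web':`, and the class it pulls in declares its own `ferm::service { 'yarn-http':` for tcp port 80. The port of 'statistics-web' is cut off in this context; if it already opens 80, the second rule is redundant and one of the two should go. If it does not, say in the comment here that including the class also opens a firewall port, since "Proxy to securely access Yarn" does not tell the reader that.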
diff --git a/modules/statistics/manifests/sites/yarn.pp 
b/modules/statistics/manifests/sites/yarn.pp
new file mode 100644
index 0000000..f1c9334
--- /dev/null
+++ b/modules/statistics/manifests/sites/yarn.pp
@@ -0,0 +1,28 @@
+# == Class statistics::sites::yarn
+# yarn.wikimedia.org
+#
+# This site will be a simple reverse proxy to analytics1001,
+# uset to limit the access to authenticated clients (via LDAP).
+#
+# Bug: T116192
+#
+class statistics::sites::yarn {
+    require statistics::web
+
+    include ::apache::mod::proxy_http
+    include ::apache::mod::proxy
+    include ::apache::mod::auth_basic
+    include ::apache::mod::authnz_ldap
+    include ::passwords::ldap::production
+
+    # Set up the VirtualHost
+    apache::site { 'yarn.wikimedia.org':
+        content => template('statistics/yarn.wikimedia.org.erb'),
+    }
+
+    ferm::service { 'yarn-http':
+        proto => 'tcp',
+        port  => '80',
+    }
+
+}
\ No newline at end of file
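Review bot: nothing in the class body assigns `$proxypass`, yet the template rendered by `apache::site` interpolates `<%= @proxypass %>` into AuthLDAPBindPassword. `include ::passwords::ldap::production` only declares that class; it does not create a `proxypass` variable in this scope, so as written the bind password would render empty and LDAP binds would fail. Assign the variable in this class from the passwords class before the `apache::site` resource. Also, `ferm::service { 'yarn-http':` opens port 80 with no source restriction shown; limit it to the networks that need to reach the proxy if the firewall is meant to be part of the access control. Minor: "uset" in the header comment should be "used", and the file needs a trailing newline.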
diff --git a/modules/statistics/templates/yarn.wikimedia.org.erb 
b/modules/statistics/templates/yarn.wikimedia.org.erb
new file mode 100644
index 0000000..5120385
--- /dev/null
+++ b/modules/statistics/templates/yarn.wikimedia.org.erb
@@ -0,0 +1,38 @@
+#####################################################################
+### THIS FILE IS MANAGED BY PUPPET
+#####################################################################
+# vim: filetype=apache
+
+<VirtualHost *:80>
+    ServerName yarn.wikimedia.org
+    ServerSignature Off
+
+    # Not used since this VHost will only act as proxy,
+    # but it is needed to avoid error messages in the httpd
+    # logs and logrotate crons.
+    DocumentRoot /var/www
+
+    <Directory />
+        Options FollowSymLinks
+        AllowOverride None
+        Require all denied
+    </Directory>
+
+    <Location />
+        AuthName "WMF Labs (use wiki login name not shell)"
+        AuthType Basic
+        AuthBasicProvider ldap
+        AuthLDAPBindDN cn=proxyagent,ou=profile,dc=wikimedia,dc=org
+        AuthLDAPBindPassword <%= @proxypass %>
+        AuthLDAPURL "ldaps://ldap-labs.eqiad.wikimedia.org 
ldap-labs.codfw.wikimedia.org/ou=people,dc=wikimedia,dc=org?cn"
+        Require ldap-group cn=ops,ou=groups,dc=wikimedia,dc=org
+    </Location>
+
+    CustomLog /var/log/apache2/yarn.wikimedia.org-access.log wmf
+    ErrorLog /var/log/apache2/yarn.wikimedia.org-error.log
+
+    LogLevel warn
+
+    ProxyPass / http://analytics1001.eqiad.wmnet:8088/
+    ProxyPassReverse / http://analytics1001.eqiad.wmnet:8088/
+</VirtualHost>
\ No newline at end of file
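Review bot: `<VirtualHost *:80>` together with `AuthType Basic` means the LDAP username and password travel base64-encoded over plain HTTP on every request, unless TLS is terminated in front of this host, which nothing in the file shows. State in a comment above the VirtualHost where TLS is terminated, and reject or redirect requests that did not arrive over HTTPS so the login prompt is never served in the clear. The rendered file also contains the AuthLDAPBindPassword value, so its mode should keep it from being world-readable. Minor: add the trailing newline at end of file.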

-- 
To view, visit https://gerrit.wikimedia.org/r/308721

Gerrit-MessageType: merged
Gerrit-Change-Id: If7d1a2b46e1d645e3ac749fea069318d27dee390
Gerrit-PatchSet: 6
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Elukey <ltosc...@wikimedia.org>
Gerrit-Reviewer: Elukey <ltosc...@wikimedia.org>
Gerrit-Reviewer: Ottomata <o...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>