mrmichalis · December 15, 2015 09:29
diff --git a/krb5conf.sh b/krb5conf.sh
 #!/usr/bin/env bash
 #http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH4/latest/CDH4-Security-Guide/cdh4sg_topic_3.html
 #http://www.cloudera.com/content/cloudera-content/cloudera-docs/CM4Ent/latest/Cloudera-Manager-Managing-Clusters/cmmc_hadoop_security.html
 #pre-req
 yum install krb5-server krb5-workstation krb5-libs -y
 echo "* Downloading Java Cryptography Extension (JCE) ..."
 wget --no-check-certificate --no-cookies --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com" http://download.oracle.com/otn-pub/java/jce_policy/6/jce_policy-6.zip -O /root/CDH/jce_policy-6.zip
 [[ -d "/usr/java/default/jre/lib/security/" ]] && unzip -oj /root/CDH/jce_policy-6.zip -d /usr/java/default/jre/lib/security/
 
 if [ $# -lt 1 ]; then
    echo "usage: $0 [REALM]" 1>&2
    exit 1
 fi
 REALM=${1^^}
 FQDN=$(hostname -f)
 (
 TIMESTAMP=$(date "+%Y%m%d_%H%M%S")
 cp /etc/krb5.conf /etc/krb5.conf.backup.$TIMESTAMP
 cp /var/kerberos/krb5kdc/kadm5.acl /var/kerberos/krb5kdc/kadm5.acl.backup.$TIMESTAMP
 cp /var/kerberos/krb5kdc/kdc.conf /var/kerberos/krb5kdc/kdc.conf.backup.$TIMESTAMP
 sed -n 'H;${x;s/  supported_enctypes = .*\n/  max_life = 1d\n  max_renewable_life = 7d\n&/;p;}' /var/kerberos/krb5kdc/kdc.conf.backup.$TIMESTAMP > /var/kerberos/krb5kdc/kdc.conf
 sed -n 'H;${x;s/ ticket_lifetime = .*\n/ max_life = 1d\n max_renewable_life = 7d\n&/;p;}' /etc/krb5.conf.backup.$TIMESTAMP > /etc/krb5.conf
 sed -i "s/kerberos.example.com/$FQDN/g" /etc/krb5.conf
 sed -i "s/example.com/$FQDN/g" /etc/krb5.conf
 sed -i "s/EXAMPLE.COM/$REALM/g" /etc/krb5.conf
 sed -i "s/EXAMPLE.COM/$REALM/g" /var/kerberos/krb5kdc/kadm5.acl
 sed -i "s/EXAMPLE.COM/$REALM/g" /var/kerberos/krb5kdc/kdc.conf
 )
 
 (
 echo "Creating the KDC with password: cloudera"
 kdb5_util -P "cloudera" create -s

 chkconfig krb5kdc on
 chkconfig kadmin on
 service krb5kdc start
 service kadmin start
 sleep 10 
 kadmin.local -q "addprinc root/admin"
 kadmin.local -q "addprinc hdfs@$REALM"

 echo "Generating cloudera-scm/admin principal for Cloudera Manager"
 kadmin.local >/dev/null <<EOF
 addprinc -randkey cloudera-scm/admin
 xst -k cmf.keytab cloudera-scm/admin
 EOF
 
 echo "cloudera-scm/[email protected]" > /etc/cloudera-scm-server/cmf.principal
 mv cmf.keytab /etc/cloudera-scm-server/cmf.keytab
 chown cloudera-scm:cloudera-scm /etc/cloudera-scm-server/cmf.keytab /etc/cloudera-scm-server/cmf.principal
 chmod 0600 /etc/cloudera-scm-server/cmf.keytab /etc/cloudera-scm-server/cmf.principal
 )

 dd if=/dev/urandom of=/etc/hadoop/hadoop-http-auth-signature-secret bs=1024 count=1"
 # Additional Kerberos post-conf
 # adduser michalis -G hdfs -u 10001 -d /home/michalis -m"
 # hadoop fs -mkdir /user/michalis
 # hadoop fs -chown michalis:supergroup /user/michalis
 # curl -v -u michalis:xxxxx --negotiate http://$(hostname -f):50070/dfshealth.jsp
diff --git a/zhdfs-site.xml b/zhdfs-site.xml
 <!--
 You need to enter these settings in the HDFS service configuration safety valve  
 and the MapReduce service configuration safety valve.

 Note, you have to create the hadoop-http-auth-signature-secret file and populate it with some random data. 
 A quick way to generate 1024 bytes of random data:
 dd if=/dev/urandom of=/etc/hadoop/hadoop-http-auth-signature-secret bs=1024 count=1
 -->

 <property> 
 <name>hadoop.http.filter.initializers</name> 
 <value>org.apache.hadoop.security.AuthenticationFilterInitializer</value> 
 </property> 
 <property> 
 <name>hadoop.http.authentication.type</name> 
 <value>kerberos</value> 
 </property> 
 <property> 
 <name>hadoop.http.authentication.signature.secret.file</name> 
 <value>/etc/hadoop/hadoop-http-auth-signature-secret</value> 
 </property> 
 <property> 
 <name>hadoop.http.authentication.cookie.domain</name> 
 <value>lunix.co</value> 
 </property> 
 <property> 
 <name>hadoop.http.authentication.kerberos.principal</name> 
 <value>HTTP/[email protected]</value> 
 </property> 
 <property> 
 <name>hadoop.http.authentication.kerberos.keytab</name> 
 <value>/etc/hadoop/http.keytab</value> 
 </property>
	#!/usr/bin/env bash
	#http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH4/latest/CDH4-Security-Guide/cdh4sg_topic_3.html
	#http://www.cloudera.com/content/cloudera-content/cloudera-docs/CM4Ent/latest/Cloudera-Manager-Managing-Clusters/cmmc_hadoop_security.html
	#pre-req
	yum install krb5-server krb5-workstation krb5-libs -y
	echo "* Downloading Java Cryptography Extension (JCE) ..."
	wget --no-check-certificate --no-cookies --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com" http://download.oracle.com/otn-pub/java/jce_policy/6/jce_policy-6.zip -O /root/CDH/jce_policy-6.zip
	[[ -d "/usr/java/default/jre/lib/security/" ]] && unzip -oj /root/CDH/jce_policy-6.zip -d /usr/java/default/jre/lib/security/

	if [ $# -lt 1 ]; then
	echo "usage: $0 [REALM]" 1>&2
	exit 1
	fi
	REALM=${1^^}
	FQDN=$(hostname -f)
	(
	TIMESTAMP=$(date "+%Y%m%d_%H%M%S")
	cp /etc/krb5.conf /etc/krb5.conf.backup.$TIMESTAMP
	cp /var/kerberos/krb5kdc/kadm5.acl /var/kerberos/krb5kdc/kadm5.acl.backup.$TIMESTAMP
	cp /var/kerberos/krb5kdc/kdc.conf /var/kerberos/krb5kdc/kdc.conf.backup.$TIMESTAMP
	sed -n 'H;${x;s/ supported_enctypes = .*\n/ max_life = 1d\n max_renewable_life = 7d\n&/;p;}' /var/kerberos/krb5kdc/kdc.conf.backup.$TIMESTAMP > /var/kerberos/krb5kdc/kdc.conf
	sed -n 'H;${x;s/ ticket_lifetime = .*\n/ max_life = 1d\n max_renewable_life = 7d\n&/;p;}' /etc/krb5.conf.backup.$TIMESTAMP > /etc/krb5.conf
	sed -i "s/kerberos.example.com/$FQDN/g" /etc/krb5.conf
	sed -i "s/example.com/$FQDN/g" /etc/krb5.conf
	sed -i "s/EXAMPLE.COM/$REALM/g" /etc/krb5.conf
	sed -i "s/EXAMPLE.COM/$REALM/g" /var/kerberos/krb5kdc/kadm5.acl
	sed -i "s/EXAMPLE.COM/$REALM/g" /var/kerberos/krb5kdc/kdc.conf
	)

	(
	echo "Creating the KDC with password: cloudera"
	kdb5_util -P "cloudera" create -s

	chkconfig krb5kdc on
	chkconfig kadmin on
	service krb5kdc start
	service kadmin start
	sleep 10
	kadmin.local -q "addprinc root/admin"
	kadmin.local -q "addprinc hdfs@$REALM"

	echo "Generating cloudera-scm/admin principal for Cloudera Manager"
	kadmin.local >/dev/null <<EOF
	addprinc -randkey cloudera-scm/admin
	xst -k cmf.keytab cloudera-scm/admin
	EOF

	echo "cloudera-scm/[email protected]" > /etc/cloudera-scm-server/cmf.principal
	mv cmf.keytab /etc/cloudera-scm-server/cmf.keytab
	chown cloudera-scm:cloudera-scm /etc/cloudera-scm-server/cmf.keytab /etc/cloudera-scm-server/cmf.principal
	chmod 0600 /etc/cloudera-scm-server/cmf.keytab /etc/cloudera-scm-server/cmf.principal
	)

	dd if=/dev/urandom of=/etc/hadoop/hadoop-http-auth-signature-secret bs=1024 count=1"
	# Additional Kerberos post-conf
	# adduser michalis -G hdfs -u 10001 -d /home/michalis -m"
	# hadoop fs -mkdir /user/michalis
	# hadoop fs -chown michalis:supergroup /user/michalis
	# curl -v -u michalis:xxxxx --negotiate http://$(hostname -f):50070/dfshealth.jsp
	<!--
	You need to enter these settings in the HDFS service configuration safety valve
	and the MapReduce service configuration safety valve.

	Note, you have to create the hadoop-http-auth-signature-secret file and populate it with some random data.
	A quick way to generate 1024 bytes of random data:
	dd if=/dev/urandom of=/etc/hadoop/hadoop-http-auth-signature-secret bs=1024 count=1
	-->

	<property>
	<name>hadoop.http.filter.initializers</name>
	<value>org.apache.hadoop.security.AuthenticationFilterInitializer</value>
	</property>
	<property>
	<name>hadoop.http.authentication.type</name>
	<value>kerberos</value>
	</property>
	<property>
	<name>hadoop.http.authentication.signature.secret.file</name>
	<value>/etc/hadoop/hadoop-http-auth-signature-secret</value>
	</property>
	<property>
	<name>hadoop.http.authentication.cookie.domain</name>
	<value>lunix.co</value>
	</property>
	<property>
	<name>hadoop.http.authentication.kerberos.principal</name>
	<value>HTTP/[email protected]</value>
	</property>
	<property>
	<name>hadoop.http.authentication.kerberos.keytab</name>
	<value>/etc/hadoop/http.keytab</value>
	</property>