BIGTOP-3300. Add puppet manifests for hadoop-kms.

[iwasakims]

No description provided.

[iwasakims]

I manually tested that HDFS transparent encryption works on following config.yaml::

docker:
        memory_limit: "8g"
        image: "bigtop/puppet:trunk-centos-7"
distro: centos
components: [hdfs, yarn, kms]
enable_local_repo: true
smoke_test_components: [hdfs, yarn]

test steps::

$ cd provisioner/docker
$ ./docker-hadoop.sh -c 3
$ ./docker-hadoop.sh --exec 3 /bin/bash

 # hdfs dfs -mkdir /user/root/zone1
 
 # hadoop key create key1
 key1 has been successfully created with options Options{cipher='AES/CTR/NoPadding', bitLength=128, description='null', attributes=null}.
 org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider@1dde4cb2 has been updated.
 
 # sudo -u hdfs hdfs crypto -createZone -keyName key1 -path /user/root/zone1
 Added encryption zone /user/root/zone1
 
 # hdfs dfs -put /etc/hosts /user/root/zone1/
 # hdfs dfs -get /user/root/zone1/hosts /tmp/

[iwasakims]

also tested on kerberos enabled cluster on config.yaml::

docker:
        memory_limit: "8g"
        image: "bigtop/puppet:trunk-centos-7"
distro: centos
components: [kerberos, hdfs, yarn, kms]
enable_local_repo: true
smoke_test_components: [hdfs]

with the following configs in bigtop-deploy/puppet/hieradata/bigtop/cluster.yaml::

# Kerberos
hadoop::hadoop_security_authentication: "kerberos"
kerberos::krb_site::domain: "bigtop.apache.org"
kerberos::krb_site::realm: "BIGTOP.APACHE.ORG"
kerberos::krb_site::kdc_server: "%{hiera('bigtop::hadoop_head_node')}"
kerberos::krb_site::kdc_port: "88"
kerberos::krb_site::admin_port: "749"
kerberos::krb_site::keytab_export_dir: "/var/lib/bigtop_keytabs"
hadoop::kerberos_realm: "%{hiera('kerberos::krb_site::realm')}"

test steps::

$ cd provisioner/docker
$ ./docker-hadoop.sh -c 3
$ ./docker-hadoop.sh --exec 3 /bin/bash

 # kinit -kt /etc/hdfs.keytab hdfs/$(hostname --fqdn)
 # hadoop key create key1
 # hdfs dfs -mkdir /zone1
 # hdfs crypto -createZone -keyName key1 -path /zone1
 # hdfs dfs -put /etc/hosts /zone1/
 # hdfs dfs -get /zone1/hosts /tmp/

[iwasakims]

TODOs in follow-up JIRAs are

• HA deployment with multiple KMS instances
• https enabled configruation

[evans-ye]

May I know why the name is changed to from site to krb_site? I think this may break compatibility.

[iwasakims]

The Hiera variables are not injected unless the name space of properties match the class name of Puppet classes. The relevant class name was changed from site to krb_site in 3386a9d. The commented out configs (as example) seem to be left unchanged.

[evans-ye]

OK. That was me ;) Glad you catch this. Thanks!

[evans-ye]

I'm zero knowledge about this, just wondering can this be https?

[iwasakims]

Yes. We need additional configurations in files such as ssl-client.xml, ssl-server.xml and server.xml (of Tomcat) for that. I would like to address that in another JIRA since all services of HDFS and YARN should be cared when we enable HTTPS on Web-UI and REST API.

[evans-ye]

Sure. No problem and thanks for the explanation.

[evans-ye]

The original code won't work hence you refactor here?

[iwasakims]

Yes. The credential of HTTP/host@REALM did not written to keytab file since boolean true was not covered in the conditional of previous code.

[evans-ye]

This is super awesome feature! I've left some comments. Thanks!

[evans-ye]

Looks nice. +1.

[evans-ye]

I'm not aware that there's a convention to put keytab under /etc, is it?

[iwasakims]

I used the keytab created by kerberos::host_keytab resource. Other modules using the host_keytab resource such as HDFS and YARN seem to follow this convention as I can see.

[evans-ye]

Got It. Pretty comprehensive. Thanks!

[evans-ye]

Is this intentional for replacement?

[iwasakims]

This part came from the original kms-site.xml bundled with Hadoop. The value is used only if the value of hadoop.kms.authentication.signer.secret.provider is changed to zookeeper. ZKSignerSecretProvider is a feature for HA setup by which multiple KMS instances share the same signer secret via ZooKeeper. Since KMS HA is not supported in this patch, it is left as is.

[evans-ye]

Thanks for the detailed explanation!

[iwasakims]

Thanks, @evans-ye.