From 4d22953a398661db793a144f884eaf1eb1bd368a Mon Sep 17 00:00:00 2001 From: Mohan Venkateshaiah Date: Thu, 18 May 2017 16:07:03 +0530 Subject: [PATCH 1/2] Updated readme to add section for ensuring the KDC can issue renewable tickets --- metron-deployment/Kerberos-ambari-setup.md | 2 +- metron-deployment/Kerberos-manual-setup.md | 42 ++++++++++++++-------- 2 files changed, 29 insertions(+), 15 deletions(-) diff --git a/metron-deployment/Kerberos-ambari-setup.md b/metron-deployment/Kerberos-ambari-setup.md index 149e8b21e5..39e8dee849 100644 --- a/metron-deployment/Kerberos-ambari-setup.md +++ b/metron-deployment/Kerberos-ambari-setup.md @@ -3,7 +3,7 @@ General Kerberization notes can be found in the metron-deployment [README.md](../README.md) ## Setup a KDC -See [Setup a KDC](Kerberos-manual-setup.md#setup-a-kdc) +See [Setup a KDC](Kerberos-manual-setup.md#setup-a-kdc) and [Verify KDC](Kerberos-manual-setup.md#verify-kdc) ## Ambari Setup 1. Kerberize the cluster via Ambari. More detailed documentation can be found [here](http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_security/content/_enabling_kerberos_security_in_ambari.html). diff --git a/metron-deployment/Kerberos-manual-setup.md b/metron-deployment/Kerberos-manual-setup.md index 8a7f07a25c..60f2d84c6c 100644 --- a/metron-deployment/Kerberos-manual-setup.md +++ b/metron-deployment/Kerberos-manual-setup.md @@ -5,6 +5,7 @@ This document provides instructions for kerberizing Metron's Vagrant-based devel * [Setup](#setup) * [Setup a KDC](#setup-a-kdc) +* [Verify KDC](#verify-kdc) * [Enable Kerberos](#enable-kerberos) * [Kafka Authorization](#kafka-authorization) * [HBase Authorization](#hbase-authorization) 
@@ -75,11 +76,7 @@ Setup a KDC ``` max_renewable_life = 7d ``` - - If the KDC cannot issue renewable tickets, an error will be thrown when starting Metron's Storm topologies: - ``` - Exception in thread "main" java.lang.RuntimeException: java.lang.RuntimeException: The TGT found is not renewable - ``` + 1. Do not copy/paste this full set of commands as the `kdb5_util` command will not run as expected. Run the commands individually to ensure they all execute. This step takes a moment. It creates the kerberos database. @@ -100,6 +97,31 @@ Setup a KDC kadmin.local -q "addprinc metron" ``` +Verify KDC +----------- +Ticket renewal is by default disallowed in many linux distributions. If the KDC cannot issue renewable tickets, an error will be thrown when starting Metron's Storm topologies: + ``` + Exception in thread "main" java.lang.RuntimeException: java.lang.RuntimeException: The TGT found is not renewable + ``` + + +Ensure the Metron keytab is renewable. Look for the 'R' flag from the following command + ``` + klist -f + ``` + +If the 'R' flags are present, you may skip to next section. + +If the 'R' flags are absent, you will need to follow the below steps: +If the KDC is already setup, then editing max_life and max_renewable_life in ```/var/kerberos/krb5kdc/kdc.conf```, and restarting kadmin and krb5kdc services will not change the policies for existing users. + +You need to set the renew lifetime for existing users and krbtgt realm. Modify the appropriate principals to allow renewable tickets using the following commands. Adjust the parameters to match your desired KDC parameters: + ``` + kadmin.local -q "modprinc -maxlife 1days -maxrenewlife 7days +allow_renewable krbtgt/EXAMPLE.COM@EXAMPLE.COM" + kadmin.local -q "modprinc -maxlife 1days -maxrenewlife 7days +allow_renewable metron@EXAMPLE.COM" + ``` + + Enable Kerberos --------------- 
@@ -247,16 +269,8 @@ Storm Authorization cd /home/metron/.storm ``` -1. Ensure the Metron keytab is renewable. Look for the 'R' flag from the following command - ``` - klist -f - ``` +1. Ensure the Metron keytab is renewable. See [Verify KDC](#verify-kdc) above - If not present, modify the appropriate principals to allow renewable tickets. Adjust the parameters to match desired KDC parameters - ``` - kadmin.local -q "modprinc -maxlife 1days -maxrenewlife 7days +allow_renewable krbtgt/EXAMPLE.COM@EXAMPLE.COM" - kadmin.local -q "modprinc -maxlife 1days -maxrenewlife 7days +allow_renewable metron@EXAMPLE.COM" - ``` 1. Create a client JAAS file at `/home/metron/.storm/client_jaas.conf`. This should look identical to the Storm client JAAS file located at `/etc/storm/conf/client_jaas.conf` except for the addition of a `Client` stanza. The `Client` stanza is used for Zookeeper. All quotes and semicolons are necessary. From a263385e110b31d5261f4dbde899b28756a26a36 Mon Sep 17 00:00:00 2001 From: Mohan Venkateshaiah Date: Thu, 18 May 2017 16:23:39 +0530 Subject: [PATCH 2/2] Fixed rendering issues --- metron-deployment/Kerberos-manual-setup.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/metron-deployment/Kerberos-manual-setup.md b/metron-deployment/Kerberos-manual-setup.md index 60f2d84c6c..fc46572546 100644 --- a/metron-deployment/Kerberos-manual-setup.md +++ b/metron-deployment/Kerberos-manual-setup.md @@ -97,8 +97,10 @@ Setup a KDC kadmin.local -q "addprinc metron" ``` -Verify KDC ------------ +Verify KDC +---------- + + Ticket renewal is by default disallowed in many linux distributions. If the KDC cannot issue renewable tickets, an error will be thrown when starting Metron's Storm topologies: ``` Exception in thread "main" java.lang.RuntimeException: java.lang.RuntimeException: The TGT found is not renewable 
@@ -113,7 +115,7 @@ Ensure the Metron keytab is renewable. Look for the 'R' flag from the following If the 'R' flags are present, you may skip to next section. If the 'R' flags are absent, you will need to follow the below steps: -If the KDC is already setup, then editing max_life and max_renewable_life in ```/var/kerberos/krb5kdc/kdc.conf```, and restarting kadmin and krb5kdc services will not change the policies for existing users. +If the KDC is already setup, then editing max_life and max_renewable_life in `/var/kerberos/krb5kdc/kdc.conf`, and restarting kadmin and krb5kdc services will not change the policies for existing users. You need to set the renew lifetime for existing users and krbtgt realm. Modify the appropriate principals to allow renewable tickets using the following commands. Adjust the parameters to match your desired KDC parameters: ```
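Review bot: In the hunk `@@ -100,6 +97,31 @@` (patch 1), the new "Verify KDC" section tells the reader to run `klist -f` without saying which credential cache it inspects. `klist -f` only shows flags for tickets already in the current user's cache, so on a fresh host it prints nothing to check; the text should say to run it as the `metron` user after obtaining a ticket with the Metron keytab (a `kinit -kt <metron keytab> metron` line before `klist -f` would make the check reproducible). Relatedly, "Ensure the Metron keytab is renewable" is imprecise: renewability is a property of the ticket and of the principal's policy, not of the keytab file, so "Ensure the ticket obtained from the Metron keytab is renewable" would be clearer. Two wording fixes while here: "linux" should be "Linux", and "skip to next section" should be "skip to the next section".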
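Review bot: In the hunk `@@ -75,11 +76,7 @@` (patch 1), the removed error-message block is replaced by a single added line consisting only of a space (`+ `), which leaves trailing whitespace in the Markdown; drop that line or make it an empty line. Also, the `modprinc` steps now live only in the new section, but the `max_renewable_life = 7d` setting shown in this hunk is what governs new principals, so it is worth a sentence here that says existing principals (including `krbtgt/EXAMPLE.COM@EXAMPLE.COM`) must still be updated as described under "Verify KDC".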
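Review bot: In the hunk `@@ -113,7 +115,7 @@` (patch 2), the change to single backticks for `/var/kerberos/krb5kdc/kdc.conf` is correct, but the surrounding fenced blocks in the same section are still indented by a leading space (` ```), which renders inconsistently with the unindented prose around them; aligning those fences to column 0 would finish the rendering fix this commit is meant to address. The sentence "If the 'R' flags are absent, you will need to follow the below steps:" is then followed by prose rather than a list, so either number the steps or reword it as "the following steps".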