directory-commits mailing list archives

From plusplusjia...@apache.org
Subject [1/2] directory-kerby git commit: DIRKRB-705 Add documents: HAS Introduction, Getting Started.
Date Tue, 20 Mar 2018 02:06:09 GMT
Repository: directory-kerby
Updated Branches:
  refs/heads/trunk a3007464b -> 1d37c238b


DIRKRB-705 Add documents: HAS Introduction, Getting Started.


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/34107e4e
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/34107e4e
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/34107e4e

Branch: refs/heads/trunk
Commit: 34107e4e9246cac215bc4462bfd9c0a12df7f9aa
Parents: a4ee9e8
Author: plusplusjiajia <jiajia.li@intel.com>
Authored: Tue Mar 20 10:02:47 2018 +0800
Committer: plusplusjiajia <jiajia.li@intel.com>
Committed: Tue Mar 20 10:02:47 2018 +0800

----------------------------------------------------------------------
 has-project/README.md             |  44 ++++++++++
 has-project/docs/deploy-https.md  | 153 +++++++++++++++++++++++++++++++++
 has-project/docs/deploy-spnego.md |  13 +++
 has-project/docs/has-design.png   | Bin 0 -> 70653 bytes
 has-project/docs/has-overall.png  | Bin 0 -> 74116 bytes
 has-project/docs/has-start.md     |  88 +++++++++++++++++++
 6 files changed, 298 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/34107e4e/has-project/README.md
----------------------------------------------------------------------
diff --git a/has-project/README.md b/has-project/README.md
new file mode 100644
index 0000000..a3c6c1f
--- /dev/null
+++ b/has-project/README.md
@@ -0,0 +1,44 @@
+# Hadoop Authentication Service (HAS)
+A dedicated Hadoop Authentication Server to support various authentication mechanisms other
than just Kerberos.
+
+# High level considerations
+* Hadoop services are still strongly authenticated by Kerberos, as Kerberos is the only means
so far to enable Hadoop security.
+* Hadoop users can remain to use their familiar login methods.
+* Security admins won't have to migrate and sync up their user accounts to Kerberos back
and forth.
+* New authentication mechanism can be customized and plugined.
+
+# Architecture
+![](https://github.com/apache/directory-kerby/tree/trunk/has-project/docs/has-overall.png)
+
+# Design
+Assuming existing users are stored in a SQL database (like MySQL), the detailed design and
workflow may go like the following:
+![](https://github.com/apache/directory-kerby/tree/trunk/has-project/docs/has-design.png)
+
+# New mechanism plugin API
+
+## HAS client plugin HasClientPlugin:
+
+```Java
+// Get the login module type ID, used to distinguish this module from others. 
+// Should correspond to the server side module.
+String getLoginType()
+
+// Perform all the client side login logics, the results wrapped in an AuthToken, 
+// will be validated by HAS server.
+AuthToken login(Conf loginConf) throws HasLoginException
+```
+
+## HAS server plugin HasServerPlugin:
+
+```Java
+// Get the login module type ID, used to distinguish this module from others. 
+// Should correspond to the client side module.
+String getLoginType()
+
+// Perform all the server side authentication logics, the results wrapped in an AuthToken,

+// will be used to exchange a Kerberos ticket.
+AuthToken authenticate(AuthToken userToken) throws HasAuthenException
+```
+
+## Getting Started
+Please look at [Getting Started](https://github.com/apache/directory-kerby/blob/has-project/has/doc/has-start.md)
for details.
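Review bot: the Getting Started link at the end of this hunk points to `https://github.com/apache/directory-kerby/blob/has-project/has/doc/has-start.md`, but this commit adds the file as `has-project/docs/has-start.md` on trunk (see the diff stat), so the link is dead; a path relative to the README (`docs/has-start.md`) would survive branch renames as well. The two image references use `.../tree/trunk/has-project/docs/has-overall.png` and `.../has-design.png`, which resolve to GitHub HTML pages rather than the image bytes and will not render inline; the same relative form (`docs/has-overall.png`, `docs/has-design.png`) fixes that. Minor wording in the considerations list: "can remain to use" reads better as "can keep using", and "can be customized and plugined" as "can be customized and plugged in".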

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/34107e4e/has-project/docs/deploy-https.md
----------------------------------------------------------------------
diff --git a/has-project/docs/deploy-https.md b/has-project/docs/deploy-https.md
new file mode 100644
index 0000000..bd6c3c5
--- /dev/null
+++ b/has-project/docs/deploy-https.md
@@ -0,0 +1,153 @@
+Deploy HTTPS
+===============
+
+## 1. Create a keystore file for each host
+
+> keystore: the keystore file that stores the certificate.
+> validity: the valid time of the certificate in days.
+```
+keytool -alias {hostname} -keystore {keystore} -validity {validity} -genkey
+```
+
+> The keytool will ask for more details such as the keystore password, keypassword and
CN(hostname).
+
+## 2. Export the certificate public key to a certificate file for each host
+```
+keytool -export -alias {hostname} -keystore {keystore} -rfc -file {cert-file}
+```
+
+## 3. Create a common truststore file (trustAll)
+The truststore file contains the public key from all certificates. If you assume a 2-node
cluster with node1 and node2,
+login to node1 and import the truststore file for node1.
+```
+keytool -import -alias {hostname} -keystore {trustAll} -file {cert-file}
+```
+
+## 4. Update the common truststore file
+* Move {trustAll} from node1 to node2 ({trustAll} already has the certificate entry of node1),
and repeat Step 3.
+
+* Move the updated {trustAll} from node2 to node1. Repeat these steps for each node in the
cluster.
+When you finish, the {trustAll} file will have the certificates from all nodes.
+
+> Note these work could be done on the same node, just notice the hostname.
+
+## 5. Copy {trustAll} from node1 to all of the other nodes
+
+## 6. Validate the common truststore file
+```
+keytool -list -v -keystore {trustAll}
+```
+
+## 7. Edit the Configuration files
+> Deploy {keystore} and {trustAll} files and config /<conf-dir>/ssl-server.conf
for HAS server
+```
+ssl.server.keystore.location = {path to keystore}
+ssl.server.keystore.password = {keystore password set in step 1}
+ssl.server.keystore.keypassword = {keypassword set in step 1}
+ssl.server.truststore.reload.interval = 1000
+ssl.server.truststore.location = {path to trustAll}
+ssl.server.truststore.password = {trustAll password set in step 2}
+```
+
+> Config /etc/has/<https_host>/ssl-client.conf for HAS client, the <https_host>
+is the has server address, the same as the value configured in has-client.conf
+```
+ssl.client.truststore.location = {path to trustAll}
+ssl.client.truststore.password = {trustAll password}
+```
+
+> Config $HADOOP_HOME/etc/hadoop/ssl-server.xml for Hadoop
+```
+<configuration>
+
+<property>
+  <name>ssl.server.truststore.location</name>
+  <value>path to trustAll</value>
+</property>
+
+<property>
+  <name>ssl.server.truststore.password</name>
+  <value>trustAll password</value>
+</property>
+
+<property>
+  <name>ssl.server.truststore.type</name>
+  <value>jks</value>
+</property>
+
+<property>
+  <name>ssl.server.truststore.reload.interval</name>
+  <value>10000</value>
+</property>
+
+<property>
+  <name>ssl.server.keystore.location</name>
+  <value>path to keystore</value>
+</property>
+
+<property>
+  <name>ssl.server.keystore.password</name>
+  <value>keystore password</value>
+</property>
+
+<property>
+  <name>ssl.server.keystore.keypassword</name>
+  <value>keystore keypassword</value>
+</property>
+
+<property>
+  <name>ssl.server.keystore.type</name>
+  <value>jks</value>
+</property>
+
+</configuration>
+```
+
+> Config $HADOOP_HOME/etc/hadoop/ssl-client.xml for Hadoop
+```
+<configuration>
+
+<property>
+  <name>ssl.client.truststore.location</name>
+  <value>patch to trustAll</value>
+</property>
+
+<property>
+  <name>ssl.client.truststore.password</name>
+  <value>trustAll password</value>
+</property>
+
+<property>
+  <name>ssl.client.truststore.type</name>
+  <value>jks</value>
+</property>
+
+<property>
+  <name>ssl.client.truststore.reload.interval</name>
+  <value>10000</value>
+</property>
+
+<property>
+  <name>ssl.client.keystore.location</name>
+  <value>path to keystore</value>
+</property>
+
+<property>
+  <name>ssl.client.keystore.password</name>
+  <value>keystore password</value>
+</property>
+
+<property>
+  <name>ssl.client.keystore.keypassword</name>
+  <value>keystore keypassword</value>
+</property>
+
+<property>
+  <name>ssl.client.keystore.type</name>
+  <value>jks</value>
+</property>
+
+</configuration>
+```
+
+> To make the nodes in the cluster communicate bidirectionally, deploy all the configuration
files.
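Review bot: in step 7 the `ssl.server.truststore.password` line says the password was "set in step 2", but step 2 only exports a certificate; the truststore and its password are created in step 3 by the first `keytool -import`. In the `ssl-client.xml` block, `<value>patch to trustAll</value>` should read `path to trustAll`. In step 1, `keytool -genkey` without `-keyalg` generates a DSA key pair on older JDKs, which some TLS clients reject; adding `-keyalg RSA -keysize 2048` to the command avoids that surprise. The truststore reload interval is `1000` in `ssl-server.conf` but `10000` in both Hadoop XML files; if the difference is intentional, say so and state the unit (Hadoop reads this value in milliseconds). Step 3's sentence "import the truststore file for node1" describes importing node1's certificate into the truststore, which is worth stating plainly since the reader has to know which file goes where.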

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/34107e4e/has-project/docs/deploy-spnego.md
----------------------------------------------------------------------
diff --git a/has-project/docs/deploy-spnego.md b/has-project/docs/deploy-spnego.md
new file mode 100644
index 0000000..d86922b
--- /dev/null
+++ b/has-project/docs/deploy-spnego.md
@@ -0,0 +1,13 @@
+Deploy SPNEGO
+================
+
+## 1. Server Side Configuration(in server side has-server.conf)
+
+To use Kerberos SPNEGO as the authentication mechanism, the authentication filter must be
configured with the following init parameters:
+- filter_auth_type : the keyword kerberos. For example: filter_auth_type = kerberos
+
+## 2. Client Side Configuration(in client side admin.conf)
+
+- filter_auth_type the keyword kerberos.  For example: filter_auth_type = kerberos
+- admin_keytab: The path to the keytab file containing the credential for the admin principal.
For example: admin_keytab = /etc/has/admin.keytab
+- admin_keytab_principal: The admin principal. For example: admin_keytab_principal = kadmin/<YOUR-REALM.COM>@<YOUR-REALM.COM>
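Review bot: in the client-side list, `filter_auth_type the keyword kerberos.` is missing the colon the other entries use (`filter_auth_type: the keyword kerberos.`), and both section headings need a space before the parenthesis (`Configuration (in server side has-server.conf)`). The server section says the filter "must be configured with the following init parameters" but lists a single one; if `filter_auth_type` is the only required server-side setting, say so explicitly, and if the SPNEGO filter also needs a service principal and keytab on the server, document those keys in this section rather than leaving the reader to infer them from the client's `admin.conf`.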

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/34107e4e/has-project/docs/has-design.png
----------------------------------------------------------------------
diff --git a/has-project/docs/has-design.png b/has-project/docs/has-design.png
new file mode 100644
index 0000000..575c503
Binary files /dev/null and b/has-project/docs/has-design.png differ

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/34107e4e/has-project/docs/has-overall.png
----------------------------------------------------------------------
diff --git a/has-project/docs/has-overall.png b/has-project/docs/has-overall.png
new file mode 100644
index 0000000..2df5e48
Binary files /dev/null and b/has-project/docs/has-overall.png differ

http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/34107e4e/has-project/docs/has-start.md
----------------------------------------------------------------------
diff --git a/has-project/docs/has-start.md b/has-project/docs/has-start.md
new file mode 100644
index 0000000..cc22768
--- /dev/null
+++ b/has-project/docs/has-start.md
@@ -0,0 +1,88 @@
+Getting Started
+================
+
+## 1. Install
+
+### Download Kerby source code:
+```
+git clone https://github.com/apache/directory-kerby.git
+```
+
+### Install HAS:
+```
+cd directory-kerby
+mvn clean install -Pdist -DskipTests
+```
+
+## 2. Start and configure HAS server
+
+### Deploy https
+Please look at [How to deploy https](https://github.com/apache/directory-kerby/tree/trunk/has-project/docs/deploy-https.md)
for details.
+
+### Configure has-server.conf in <conf_dir>:
+An example of has-server.conf:
+```
+[HAS]
+  https_host = localhost
+  https_port = 8092
+  filter_auth_type = kerberos
+  
+[PLUGIN]
+  auth_type = MySQL
+```
+
+### Start HAS server:
+```
+cd HAS/has-dist
+sh bin/start-has.sh <conf_dir> <work_dir>
+```
+
+also:
+```
+export HAS_CONF_DIR=<conf_dir>
+export HAS_WORK_DIR=<work_dir>
+cd HAS/has-dist
+sh bin/start-has.sh
+```
+
+Root privileges required if https_port or KDC port numbers range from 0 to 1023.
+
+### Configure HAS KDC:
+
+Please make sure the following configuration files exist in the conf directory:
+has-server.conf backend.conf kdc.conf
+
+### Start HAS KDC server:
+```
+cd kerby-dist/has-dist
+// Start HAS init tool
+sh bin/has-init.sh <conf_dir>
+HasInitTool: start
+HasInitTool: exit
+```
+
+### Init HAS server:
+```
+cd kerby-dist/has-dist
+// Start HAS init tool
+sh bin/has-init.sh <conf_dir>
+HasInitTool: init
+HasInitTool: exit
+```
+
+### Deploy http spnego
+Please look at [How to deploy http spnego](https://github.com/apache/directory-kerby/tree/trunk/has-project/docs/deploy-spnego.md)
for details.
+Please restart the HAS server
+
+```
+cd kerby-dist/has-dist
+sh bin/stop-has.sh
+
+cd kerby-dist/has-dist
+sh bin/start-has.sh <conf_dir> <work_dir>
+
+cd kerby-dist/has-dist
+sh bin/kdcinit.sh <conf_dir>
+HasInitTool: start
+HasInitTool: exit
+```
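Review bot: the scripts and paths in this file are inconsistent. "Start HAS server" uses `cd HAS/has-dist` while every later block uses `cd kerby-dist/has-dist`; use the directory the `-Pdist` build actually produces throughout. The "Start HAS KDC server" and "Init HAS server" blocks invoke `bin/has-init.sh`, but the restart block after SPNEGO deployment invokes `bin/kdcinit.sh` for the same `HasInitTool: start` session; one of the two names is wrong. Inside the shell blocks `// Start HAS init tool` is not a shell comment and will fail if pasted; use `#`. The "Configure HAS KDC" step lists `backend.conf` and `kdc.conf` as required but shows no example of either, unlike `has-server.conf`; a minimal example of each would keep the walkthrough self-contained, and the sentence "Please restart the HAS server" should end with a period and sit directly above the block that shows how to do it.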

