Return-Path: X-Original-To: apmail-incubator-bigtop-commits-archive@minotaur.apache.org Delivered-To: apmail-incubator-bigtop-commits-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 16E1690E1 for ; Sat, 11 Feb 2012 03:40:50 +0000 (UTC) Received: (qmail 18026 invoked by uid 500); 11 Feb 2012 03:40:47 -0000 Delivered-To: apmail-incubator-bigtop-commits-archive@incubator.apache.org Received: (qmail 17966 invoked by uid 500); 11 Feb 2012 03:40:38 -0000 Mailing-List: contact bigtop-commits-help@incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: bigtop-dev@incubator.apache.org Delivered-To: mailing list bigtop-commits@incubator.apache.org Received: (qmail 17955 invoked by uid 99); 11 Feb 2012 03:40:35 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 11 Feb 2012 03:40:35 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 11 Feb 2012 03:40:30 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id A74572388865; Sat, 11 Feb 2012 03:40:09 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1243000 - in /incubator/bigtop/trunk/bigtop-deploy/puppet: manifests/cluster.pp modules/hadoop-hbase/manifests/init.pp modules/hadoop-oozie/manifests/init.pp modules/hadoop/manifests/init.pp modules/kerberos/manifests/init.pp Date: Sat, 11 Feb 2012 03:40:09 -0000 To: bigtop-commits@incubator.apache.org 
From: rvs@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20120211034009.A74572388865@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: rvs Date: Sat Feb 11 03:40:08 2012 New Revision: 1243000 URL: http://svn.apache.org/viewvc?rev=1243000&view=rev Log: BIGTOP-396. Missing resource dependencies in puppet for secure clusters (Patrick Taylor Ramsey via rvs) Modified: incubator/bigtop/trunk/bigtop-deploy/puppet/manifests/cluster.pp incubator/bigtop/trunk/bigtop-deploy/puppet/modules/hadoop-hbase/manifests/init.pp incubator/bigtop/trunk/bigtop-deploy/puppet/modules/hadoop-oozie/manifests/init.pp incubator/bigtop/trunk/bigtop-deploy/puppet/modules/hadoop/manifests/init.pp incubator/bigtop/trunk/bigtop-deploy/puppet/modules/kerberos/manifests/init.pp Modified: incubator/bigtop/trunk/bigtop-deploy/puppet/manifests/cluster.pp URL: http://svn.apache.org/viewvc/incubator/bigtop/trunk/bigtop-deploy/puppet/manifests/cluster.pp?rev=1243000&r1=1242999&r2=1243000&view=diff ============================================================================== --- incubator/bigtop/trunk/bigtop-deploy/puppet/manifests/cluster.pp (original) +++ incubator/bigtop/trunk/bigtop-deploy/puppet/manifests/cluster.pp Sat Feb 11 03:40:08 2012 @@ -53,12 +53,6 @@ class hadoop_cluster_node { $kerberos_kdc_server = extlookup("hadoop_kerberos_kdc_server") include kerberos::client - kerberos::client::host_keytab { ["hdfs", "mapred", "hbase", "oozie"]: - princs_map => { hdfs => [ "host", "hdfs" ], - mapred => [ "mapred" ], - hbase => [ "hbase" ], - oozie => [ "oozie" ], }, - } } } @@ -89,7 +83,7 @@ class hadoop_worker_node inherits hadoop class hadoop_head_node inherits hadoop_cluster_node { if ($hadoop_security_authentication == "kerberos") { - include kerberos::kdc, kerberos::kdc::admin_server + include kerberos::server } hadoop::namenode { "namenode": 
@@ -133,6 +127,7 @@ class hadoop_head_node inherits hadoop_c } hadoop::create_hdfs_dirs { [ "/mapred", "/tmp", "/system", "/user", "/hbase", "/benchmarks", "/user/jenkins", "/user/hive" ]: + auth => $hadoop_security_authentication, hdfs_dirs_meta => { "/tmp" => { perm => "777", user => "hdfs" }, "/mapred" => { perm => "755", user => "mapred" }, "/system" => { perm => "755", user => "hdfs" }, Modified: incubator/bigtop/trunk/bigtop-deploy/puppet/modules/hadoop-hbase/manifests/init.pp URL: http://svn.apache.org/viewvc/incubator/bigtop/trunk/bigtop-deploy/puppet/modules/hadoop-hbase/manifests/init.pp?rev=1243000&r1=1242999&r2=1243000&view=diff ============================================================================== --- incubator/bigtop/trunk/bigtop-deploy/puppet/modules/hadoop-hbase/manifests/init.pp (original) +++ incubator/bigtop/trunk/bigtop-deploy/puppet/modules/hadoop-hbase/manifests/init.pp Sat Feb 11 03:40:08 2012 @@ -22,6 +22,11 @@ class hadoop-hbase { class common-server-config { include client-package + if ($kerberos_realm) { + require kerberos::client + kerberos::host_keytab { "hbase": + } + } file { "/etc/hbase/conf/hbase-site.xml": content => template("hadoop-hbase/hbase-site.xml"), @@ -51,6 +56,7 @@ class hadoop-hbase { hasrestart => true, hasstatus => true, } + Kerberos::Host_keytab <| title == "hbase" |> -> Service["hbase-regionserver"] } define master($rootdir, $zookeeper_quorum, $kerberos_realm = "") { 
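Review bot: In the hadoop-hbase hunk at `@@ -22,6 +22,11 @@`, `if ($kerberos_realm)` sits inside `class common-server-config`, which declares no parameters, so the value has to come from an enclosing or top scope, presumably the define that includes the class (that include is outside the hunk). If the lookup comes back empty, no `kerberos::host_keytab { "hbase": }` is declared and the `Kerberos::Host_keytab <| title == "hbase" |> -> Service[...]` collectors match nothing. On a cluster meant to be secure, the services would then start without the keytab ordering and without any error. The same pattern appears with `$auth` in `class common` in modules/hadoop/manifests/init.pp. I would pass the value in explicitly, or at least add a comment above the `if` such as `# $kerberos_realm is taken from the including define's scope; empty means no keytab is managed`.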
@@ -67,5 +73,6 @@ class hadoop-hbase { hasrestart => true, hasstatus => true, } + Kerberos::Host_keytab <| title == "hbase" |> -> Service["hbase-master"] } } Modified: incubator/bigtop/trunk/bigtop-deploy/puppet/modules/hadoop-oozie/manifests/init.pp URL: http://svn.apache.org/viewvc/incubator/bigtop/trunk/bigtop-deploy/puppet/modules/hadoop-oozie/manifests/init.pp?rev=1243000&r1=1242999&r2=1243000&view=diff ============================================================================== --- incubator/bigtop/trunk/bigtop-deploy/puppet/modules/hadoop-oozie/manifests/init.pp (original) +++ incubator/bigtop/trunk/bigtop-deploy/puppet/modules/hadoop-oozie/manifests/init.pp Sat Feb 11 03:40:08 2012 @@ -21,6 +21,12 @@ class hadoop-oozie { } define server($kerberos_realm = "") { + if ($kerberos_realm) { + require kerberos::client + kerberos::host_keytab { "oozie": + } + } + package { "oozie": ensure => latest, } @@ -36,6 +42,7 @@ class hadoop-oozie { hasrestart => true, hasstatus => true, } + Kerberos::Host_keytab <| title == "oozie" |> -> Service["oozie"] } } Modified: incubator/bigtop/trunk/bigtop-deploy/puppet/modules/hadoop/manifests/init.pp URL: http://svn.apache.org/viewvc/incubator/bigtop/trunk/bigtop-deploy/puppet/modules/hadoop/manifests/init.pp?rev=1243000&r1=1242999&r2=1243000&view=diff ============================================================================== --- incubator/bigtop/trunk/bigtop-deploy/puppet/modules/hadoop/manifests/init.pp (original) +++ incubator/bigtop/trunk/bigtop-deploy/puppet/modules/hadoop/manifests/init.pp Sat Feb 11 03:40:08 2012 
@@ -19,7 +19,23 @@ class hadoop { * Common definitions for hadoop nodes. * They all need these files so we can access hdfs/jobs from any node */ + + class kerberos { + require kerberos::client + + kerberos::host_keytab { "hdfs": + princs => [ "host", "hdfs" ], + } + + kerberos::host_keytab { [ "yarn", "mapred" ]: + } + } + class common { + if ($auth == "kerberos") { + include hadoop::kerberos + } + file { "/etc/hadoop/conf/core-site.xml": content => template('hadoop/core-site.xml'), @@ -88,6 +104,7 @@ class hadoop { subscribe => [Package["hadoop-datanode"], File["/etc/hadoop/conf/core-site.xml"], File["/etc/hadoop/conf/hdfs-site.xml"], File["/etc/hadoop/conf/hadoop-env.sh"]], require => [ Package["hadoop-datanode"], File[$dirs] ], } + Kerberos::Host_keytab <| title == "hdfs" |> -> Service["hadoop-datanode"] file { $dirs: ensure => directory, @@ -98,10 +115,25 @@ class hadoop { } } - define create_hdfs_dirs($hdfs_dirs_meta) { + class kinit { + include hadoop::kerberos + + exec { "HDFS kinit": + command => "/usr/bin/kinit -kt /etc/hdfs.keytab hdfs/$fqdn && /usr/bin/kinit -R", + user => "hdfs", + require => Kerberos::Host_keytab["hdfs"], + } + } + + define create_hdfs_dirs($hdfs_dirs_meta, $auth="simple") { $user = $hdfs_dirs_meta[$title][user] $perm = $hdfs_dirs_meta[$title][perm] + if ($auth == "kerberos") { + require hadoop::kinit + Exec["HDFS kinit"] -> Exec["HDFS init $title"] + } + exec { "HDFS init $title": user => "hdfs", command => "/bin/bash -c 'hadoop fs -mkdir $title && hadoop fs -chmod $perm $title && hadoop fs -chown $user $title'", @@ -132,6 +164,7 @@ class hadoop { subscribe => [Package["hadoop-namenode"], File["/etc/hadoop/conf/core-site.xml"], File["/etc/hadoop/conf/hadoop-env.sh"]], require => [Package["hadoop-namenode"], Exec["namenode format"]], } + Kerberos::Host_keytab <| title == "hdfs" |> -> Service["hadoop-namenode"] exec { "namenode format": user => "hdfs", 
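Review bot: The new `exec { "HDFS kinit": }` in the `@@ -98,10 +115,25 @@` hunk has no `unless`, `onlyif` or `refreshonly`, so it runs on every catalog application. Because the command chains `&& /usr/bin/kinit -R`, it fails whenever the ticket it just obtained is not renewable. Whether the ticket is renewable depends on KDC and principal policy that this diff does not show; if it is not, every `Exec["HDFS init $title"]` ordered after it is skipped. Consider dropping the renewal step, `command => "/usr/bin/kinit -kt /etc/hdfs.keytab hdfs/$fqdn",`, and guarding the exec with `unless => "/usr/bin/klist -s",`. The literal `/etc/hdfs.keytab` also has to stay in step with `"/etc/${title}.keytab"` in `kerberos::host_keytab`, which deserves a one-line comment.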
@@ -180,6 +213,7 @@ class hadoop { mode => 755, require => [Package["hadoop"]], } + Kerberos::Host_keytab <| title == "mapred" |> -> Service["hadoop-jobtracker"] } @@ -216,6 +250,7 @@ class hadoop { mode => 755, require => [Package["hadoop"]], } + Kerberos::Host_keytab <| title == "mapred" |> -> Service["hadoop-tasktracker"] } @@ -236,6 +271,7 @@ class hadoop { subscribe => [Package["hadoop-secondarynamenode"], File["/etc/hadoop/conf/core-site.xml"], File["/etc/hadoop/conf/hadoop-env.sh"]], require => [Package["hadoop-secondarynamenode"]], } + Kerberos::Host_keytab <| title == "hdfs" |> -> Service["hadoop-secondarynamenode"] } define client ($namenode_host, $namenode_port, $jobtracker_host, $jobtracker_port, $auth = "simple") { Modified: incubator/bigtop/trunk/bigtop-deploy/puppet/modules/kerberos/manifests/init.pp URL: http://svn.apache.org/viewvc/incubator/bigtop/trunk/bigtop-deploy/puppet/modules/kerberos/manifests/init.pp?rev=1243000&r1=1242999&r2=1243000&view=diff ============================================================================== --- incubator/bigtop/trunk/bigtop-deploy/puppet/modules/kerberos/manifests/init.pp (original) +++ incubator/bigtop/trunk/bigtop-deploy/puppet/modules/kerberos/manifests/init.pp Sat Feb 11 03:40:08 2012 @@ -61,15 +61,16 @@ class kerberos { } class kdc inherits kerberos::site { - package { "$package_name_kdc": + package { $package_name_kdc: ensure => installed, } - file { "$kdc_etc_path": + file { $kdc_etc_path: ensure => directory, owner => root, group => root, mode => "0700", + require => Package["$package_name_kdc"], } file { "${kdc_etc_path}/kdc.conf": content => template('kerberos/kdc.conf'), 
@@ -98,7 +99,7 @@ class kerberos { require => [Package["$package_name_kdc"], File["${kdc_etc_path}/kdc.conf"], File["/etc/krb5.conf"]], } - service { "$service_name_kdc": + service { $service_name_kdc: ensure => running, require => [Package["$package_name_kdc"], File["${kdc_etc_path}/kdc.conf"], Exec["kdb5_util"]], subscribe => File["${kdc_etc_path}/kdc.conf"], 
@@ -125,32 +126,50 @@ class kerberos { } class client inherits kerberos::site { - define create_princs { - exec { "addprinc.$title": - path => $kerberos::site::exec_path, # BUG: I really shouldn't need to do a FQVN here - command => "kadmin -w secure -p kadmin/admin -q 'addprinc -randkey $title/$fqdn'", - unless => "kadmin -w secure -p kadmin/admin -q listprincs | grep -q $title/$fqdn" - } + package { $package_name_client: + ensure => installed, } + } - define host_keytab($fqdn = "$hostname.$domain", $princs_map) { - $princs = $princs_map[$title] - $keytab = "/etc/${title}.keytab" - $exports = inline_template("<%= princs.join('/$fqdn ') + '/$fqdn ' %>") + class server { + include kerberos::client - create_princs { $princs: - } + class { "kerberos::kdc": } + -> + Class["kerberos::client"] + + class { "kerberos::kdc::admin_server": } + -> + Class["kerberos::client"] + } - exec { "xst.$title": - path => $kerberos::site::exec_path, # BUG: I really shouldn't need to do a FQVN here - command => "kadmin -w secure -p kadmin/admin -q 'xst -k $keytab $exports' ; chown $title $keytab", - unless => "klist -kt $keytab 2>/dev/null | grep -q $title/$fqdn", - require => [ Create_princs[$princs] ], - } + define create_princs { + exec { "addprinc.$title": + path => $kerberos::site::exec_path, # BUG: I really shouldn't need to do a FQVN here + command => "kadmin -w secure -p kadmin/admin -q 'addprinc -randkey $title/$fqdn'", + unless => "kadmin -w secure -p kadmin/admin -q listprincs | grep -q $title/$fqdn", + require => Package[$kerberos::site::package_name_client], } + } - package { "$package_name_client": - ensure => installed, + define host_keytab($fqdn = "$hostname.$domain", $princs = undef) { + $real_princs = $princs ? 
{ + undef => [ $title ], + default => $princs, + } + + $keytab = "/etc/${title}.keytab" + $exports = inline_template("<%= real_princs.join('/$fqdn ') + '/$fqdn ' %>") + + create_princs { $real_princs: + } + + exec { "xst.$title": + path => $kerberos::site::exec_path, # BUG: I really shouldn't need to do a FQVN here + command => "kadmin -w secure -p kadmin/admin -q 'xst -k $keytab $exports' ; chown $title $keytab", + unless => "klist -kt $keytab 2>/dev/null | grep -q $title/$fqdn", + require => [ Create_princs[$real_princs] ], } } + }
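Review bot: The relocated `create_princs` and `host_keytab` defines still pass the kadmin admin password as a literal on the command line (`kadmin -w secure -p kadmin/admin`) in both the `command` and `unless` strings. That puts the credential in the manifest and in the process list while the exec runs, and probably in Puppet's output when the command fails. It should come from site data, for example an `extlookup()` key as cluster.pp already does for `hadoop_kerberos_kdc_server`, or kadmin should authenticate with a keytab instead of `-w`. In `xst.$title` the `;` before `chown $title $keytab` makes the exec's status that of `chown` alone; `&&` would at least stop the ownership change when `kadmin` reports a failure. Nothing in the hunk sets the keytab's mode, so a comment stating the expected permissions (owner-only read) would help the next reader.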