metron-commits mailing list archives

From ma...@apache.org
Subject [08/44] metron git commit: METRON-896 Document Having Kerberos Issue Renewable Tickets (justinleet) closes apache/incubator-metron#553
Date Thu, 01 Jun 2017 21:41:27 GMT
METRON-896 Document Having Kerberos Issue Renewable Tickets (justinleet) closes apache/incubator-metron#553


Project: http://git-wip-us.apache.org/repos/asf/metron/repo
Commit: http://git-wip-us.apache.org/repos/asf/metron/commit/e08b7d47
Tree: http://git-wip-us.apache.org/repos/asf/metron/tree/e08b7d47
Diff: http://git-wip-us.apache.org/repos/asf/metron/diff/e08b7d47

Branch: refs/heads/Metron_0.4.0
Commit: e08b7d47f3f644e12a9abb59bd3901d93c6d34af
Parents: 716bda3
Author: justinleet <justinjleet@gmail.com>
Authored: Mon May 8 09:33:09 2017 -0400
Committer: leet <leet@apache.org>
Committed: Mon May 8 09:33:09 2017 -0400

----------------------------------------------------------------------
 metron-deployment/Kerberos-manual-setup.md | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/metron/blob/e08b7d47/metron-deployment/Kerberos-manual-setup.md
----------------------------------------------------------------------
diff --git a/metron-deployment/Kerberos-manual-setup.md b/metron-deployment/Kerberos-manual-setup.md
index b444b0e..8a7f07a 100644
--- a/metron-deployment/Kerberos-manual-setup.md
+++ b/metron-deployment/Kerberos-manual-setup.md
@@ -27,7 +27,6 @@ Setup
     export ZOOKEEPER=node1:2181
     export ELASTICSEARCH=node1:9200
     export BROKERLIST=node1:6667
-
     export HDP_HOME="/usr/hdp/current"
     export KAFKA_HOME="${HDP_HOME}/kafka-broker"
     export METRON_VERSION="0.4.0"
@@ -72,6 +71,16 @@ Setup a KDC
   	cp -f /etc/krb5.conf /var/lib/ambari-server/resources/scripts
   	```
 
+1. Ensure the KDC can issue renewable tickets. This can be necessary on a real cluster, but
should not be on full-dev. In /var/kerberos/krb5kdc/kdc.conf ensure the following is in the
realm section
+   ```
+   max_renewable_life = 7d
+   ```
+
+   If the KDC cannot issue renewable tickets, an error will be thrown when starting Metron's
Storm topologies:
+   ```
+   Exception in thread "main" java.lang.RuntimeException: java.lang.RuntimeException: The
TGT found is not renewable
+   ```
+
 1. Do not copy/paste this full set of commands as the `kdb5_util` command will not run as
expected. Run the commands individually to ensure they all execute.  This step takes a moment.
It creates the kerberos database.
 
   	```
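Review bot: the new renewable-tickets step does not say that a KDC which is already running must be restarted before the `max_renewable_life = 7d` setting in /var/kerberos/krb5kdc/kdc.conf takes effect, and an already-running KDC is the "real cluster" case this step targets. Suggest adding a sentence to that effect, and rewording "This can be necessary on a real cluster, but should not be on full-dev" to say plainly that the step should not be needed on full-dev. The two new fences are also indented with three spaces while the neighbouring steps use a tab-indented fence; matching them keeps the list rendering consistent.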
@@ -238,6 +247,17 @@ Storm Authorization
   	cd /home/metron/.storm
   	```
 
+1. Ensure the Metron keytab is renewable.  Look for the 'R' flag from the following command
+    ```
+    klist -f
+    ```
+
+    If not present, modify the appropriate principals to allow renewable tickets.  Adjust
the parameters to match desired KDC parameters
+    ```
+    kadmin.local -q "modprinc -maxlife 1days -maxrenewlife 7days +allow_renewable krbtgt/EXAMPLE.COM@EXAMPLE.COM"
+    kadmin.local -q "modprinc -maxlife 1days -maxrenewlife 7days +allow_renewable metron@EXAMPLE.COM"
+    ```
+
 1. Create a client JAAS file at `/home/metron/.storm/client_jaas.conf`.  This should look
identical to the Storm client JAAS file located at `/etc/storm/conf/client_jaas.conf` except
for the addition of a `Client` stanza. The `Client` stanza is used for Zookeeper. All quotes
and semicolons are necessary.
 
     ```
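Review bot: in the step added before the client JAAS file, "Ensure the Metron keytab is renewable" names the wrong object: `klist -f` lists the flags of tickets in the credential cache, so the 'R' flag belongs to the ticket, and the check only works after a `kinit` as the metron user. Suggest wording it as ensuring the metron ticket is renewable, and noting that after the two `modprinc` commands a new ticket has to be obtained before `klist -f` shows 'R'. Next to "Adjust the parameters", it is worth stating that `-maxrenewlife 7days` also bounds how long a compromised ticket can be kept alive by renewal, and that EXAMPLE.COM stands for the site's own realm.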

