metron-commits mailing list archives

From ma...@apache.org
Subject [29/44] metron git commit: METRON-963 Update document for Kerberos manual setup (MohanDV via merrimanr) closes apache/metron#594
Date Thu, 01 Jun 2017 21:41:48 GMT
METRON-963 Update document for Kerberos manual setup (MohanDV via merrimanr) closes apache/metron#594


Project: http://git-wip-us.apache.org/repos/asf/metron/repo
Commit: http://git-wip-us.apache.org/repos/asf/metron/commit/5e0cce22
Tree: http://git-wip-us.apache.org/repos/asf/metron/tree/5e0cce22
Diff: http://git-wip-us.apache.org/repos/asf/metron/diff/5e0cce22

Branch: refs/heads/Metron_0.4.0
Commit: 5e0cce220dca80c996d173b16b9721fccb373821
Parents: 47e2b73
Author: MohanDV <mohan.dv@gmail.com>
Authored: Fri May 19 10:21:09 2017 -0500
Committer: merrimanr <merrimanr@apache.org>
Committed: Fri May 19 10:21:09 2017 -0500

----------------------------------------------------------------------
 metron-deployment/Kerberos-ambari-setup.md |  2 +-
 metron-deployment/Kerberos-manual-setup.md | 44 +++++++++++++++++--------
 2 files changed, 31 insertions(+), 15 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/metron/blob/5e0cce22/metron-deployment/Kerberos-ambari-setup.md
----------------------------------------------------------------------
diff --git a/metron-deployment/Kerberos-ambari-setup.md b/metron-deployment/Kerberos-ambari-setup.md
index 149e8b2..39e8dee 100644
--- a/metron-deployment/Kerberos-ambari-setup.md
+++ b/metron-deployment/Kerberos-ambari-setup.md
@@ -3,7 +3,7 @@
 General Kerberization notes can be found in the metron-deployment [README.md](../README.md)
 
 ## Setup a KDC
-See [Setup a KDC](Kerberos-manual-setup.md#setup-a-kdc)
+See [Setup a KDC](Kerberos-manual-setup.md#setup-a-kdc) and [Verify KDC](Kerberos-manual-setup.md#verify-kdc)
 
 ## Ambari Setup
 1. Kerberize the cluster via Ambari. More detailed documentation can be found [here](http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_security/content/_enabling_kerberos_security_in_ambari.html).

http://git-wip-us.apache.org/repos/asf/metron/blob/5e0cce22/metron-deployment/Kerberos-manual-setup.md
----------------------------------------------------------------------
diff --git a/metron-deployment/Kerberos-manual-setup.md b/metron-deployment/Kerberos-manual-setup.md
index 8a7f07a..fc46572 100644
--- a/metron-deployment/Kerberos-manual-setup.md
+++ b/metron-deployment/Kerberos-manual-setup.md
@@ -5,6 +5,7 @@ This document provides instructions for kerberizing Metron's Vagrant-based
devel
 
 * [Setup](#setup)
 * [Setup a KDC](#setup-a-kdc)
+* [Verify KDC](#verify-kdc)
 * [Enable Kerberos](#enable-kerberos)
 * [Kafka Authorization](#kafka-authorization)
 * [HBase Authorization](#hbase-authorization)
@@ -75,11 +76,7 @@ Setup a KDC
    ```
    max_renewable_life = 7d
    ```
-
-   If the KDC cannot issue renewable tickets, an error will be thrown when starting Metron's
Storm topologies:
-   ```
-   Exception in thread "main" java.lang.RuntimeException: java.lang.RuntimeException: The
TGT found is not renewable
-   ```
+ 
 
 1. Do not copy/paste this full set of commands as the `kdb5_util` command will not run as
expected. Run the commands individually to ensure they all execute.  This step takes a moment.
It creates the kerberos database.
 
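Review bot: The added `+ ` line is whitespace-only, and with the error text removed the `max_renewable_life = 7d` step no longer says why the setting matters. Drop the stray space and add a one-line pointer to [Verify KDC](#verify-kdc) at this step, so a reader configuring the KDC still learns that a non-renewable TGT stops Metron's Storm topologies from starting.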
@@ -100,6 +97,33 @@ Setup a KDC
   	kadmin.local -q "addprinc metron"
   	```
 
+Verify KDC
+----------
+
+
+Ticket renewal is by default disallowed in many linux distributions. If the KDC cannot issue
renewable tickets, an error will be thrown when starting Metron's Storm topologies:
+   ```
+   Exception in thread "main" java.lang.RuntimeException: java.lang.RuntimeException: The
TGT found is not renewable
+   ```
+
+
+Ensure the Metron keytab is renewable.  Look for the 'R' flag from the following command
+   ```
+   klist -f
+   ```
+
+If the 'R' flags are present, you may skip to next section.
+
+If the 'R' flags are absent, you will need to follow the below steps:
+If the KDC is already setup, then editing max_life and max_renewable_life in `/var/kerberos/krb5kdc/kdc.conf`,
and restarting kadmin and krb5kdc services will not change the policies for existing users.

+
+You need to set the renew lifetime for existing users and krbtgt realm. Modify the appropriate
principals to allow renewable tickets using the following commands. Adjust the parameters
to match your desired KDC parameters:
+   ```
+   kadmin.local -q "modprinc -maxlife 1days -maxrenewlife 7days +allow_renewable krbtgt/EXAMPLE.COM@EXAMPLE.COM"
+   kadmin.local -q "modprinc -maxlife 1days -maxrenewlife 7days +allow_renewable metron@EXAMPLE.COM"
+   ```
+
+
 Enable Kerberos
 ---------------
 
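Review bot: Missing prerequisite in the new Verify KDC section: `klist -f` prints the flags of tickets in the current credential cache, not of a keytab, so the 'R' check only means something once a ticket has been obtained, and the section never says to do that. State that a ticket must be obtained first (for example with `kinit`), reword "Ensure the Metron keytab is renewable" to refer to the ticket, and add a closing step to obtain a fresh ticket after the `modprinc` commands, since tickets issued before the change keep their old flags. Two smaller points: "you will need to follow the below steps:" is followed by an explanatory sentence rather than steps, and the fenced blocks are indented three spaces although they no longer sit inside a list item.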
@@ -247,16 +271,8 @@ Storm Authorization
   	cd /home/metron/.storm
   	```
 
-1. Ensure the Metron keytab is renewable.  Look for the 'R' flag from the following command
-    ```
-    klist -f
-    ```
+1. Ensure the Metron keytab is renewable. See [Verify KDC](#verify-kdc) above
 
-    If not present, modify the appropriate principals to allow renewable tickets.  Adjust
the parameters to match desired KDC parameters
-    ```
-    kadmin.local -q "modprinc -maxlife 1days -maxrenewlife 7days +allow_renewable krbtgt/EXAMPLE.COM@EXAMPLE.COM"
-    kadmin.local -q "modprinc -maxlife 1days -maxrenewlife 7days +allow_renewable metron@EXAMPLE.COM"
-    ```
 
 1. Create a client JAAS file at `/home/metron/.storm/client_jaas.conf`.  This should look
identical to the Storm client JAAS file located at `/etc/storm/conf/client_jaas.conf` except
for the addition of a `Client` stanza. The `Client` stanza is used for Zookeeper. All quotes
and semicolons are necessary.
 
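Review bot: The replacement step on the `+1. Ensure the Metron keytab is renewable.` line is now only a cross-reference, so a reader working through Storm Authorization has to leave the procedure to find the one command that performs the check. Keep `klist -f` inline in this step and link to Verify KDC for the remediation only. The sentence also lacks a closing period, and the hunk leaves two consecutive blank lines between this list item and the next.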

