From: mattf@apache.org
To: commits@metron.apache.org
Date: Thu, 01 Jun 2017 21:41:27 -0000
X-Mailer: ASF-Git Admin Mailer
Subject: [08/44] metron git commit: METRON-896 Document Having Kerberos Issue Renewable Tickets (justinleet) closes apache/incubator-metron#553
archived-at: Thu, 01 Jun 2017 21:41:22 -0000

METRON-896 Document Having Kerberos Issue Renewable Tickets (justinleet) closes apache/incubator-metron#553

Project: http://git-wip-us.apache.org/repos/asf/metron/repo
Commit: http://git-wip-us.apache.org/repos/asf/metron/commit/e08b7d47
Tree: http://git-wip-us.apache.org/repos/asf/metron/tree/e08b7d47
Diff: http://git-wip-us.apache.org/repos/asf/metron/diff/e08b7d47

Branch: refs/heads/Metron_0.4.0
Commit: e08b7d47f3f644e12a9abb59bd3901d93c6d34af
Parents: 716bda3
Author: justinleet
Authored: Mon May 8 09:33:09 2017 -0400
Committer: leet
Committed: Mon May 8 09:33:09 2017 -0400

----------------------------------------------------------------------
 metron-deployment/Kerberos-manual-setup.md | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/metron/blob/e08b7d47/metron-deployment/Kerberos-manual-setup.md
----------------------------------------------------------------------
diff --git a/metron-deployment/Kerberos-manual-setup.md b/metron-deployment/Kerberos-manual-setup.md
index b444b0e..8a7f07a 100644
--- a/metron-deployment/Kerberos-manual-setup.md
+++ b/metron-deployment/Kerberos-manual-setup.md
@@ -27,7 +27,6 @@ Setup export ZOOKEEPER=node1:2181 export ELASTICSEARCH=node1:9200 export BROKERLIST=node1:6667 - export HDP_HOME="/usr/hdp/current" export KAFKA_HOME="${HDP_HOME}/kafka-broker" export METRON_VERSION="0.4.0" 
@@ -72,6 +71,16 @@ Setup a KDC cp -f /etc/krb5.conf /var/lib/ambari-server/resources/scripts ``` +1. Ensure the KDC can issue renewable tickets. This can be necessary on a real cluster, but should not be on full-dev. In /var/kerberos/krb5kdc/kdc.conf ensure the following is in the realm section + ``` + max_renewable_life = 7d + ``` + + If the KDC cannot issue renewable tickets, an error will be thrown when starting Metron's Storm topologies: + ``` + Exception in thread "main" java.lang.RuntimeException: java.lang.RuntimeException: The TGT found is not renewable + ``` + 1. Do not copy/paste this full set of commands as the `kdb5_util` command will not run as expected. Run the commands individually to ensure they all execute. This step takes a moment. It creates the kerberos database. ``` @@ -238,6 +247,17 @@ Storm Authorization cd /home/metron/.storm ``` +1. Ensure the Metron keytab is renewable. Look for the 'R' flag from the following command + ``` + klist -f + ``` + + If not present, modify the appropriate principals to allow renewable tickets. Adjust the parameters to match desired KDC parameters + ``` + kadmin.local -q "modprinc -maxlife 1days -maxrenewlife 7days +allow_renewable krbtgt/EXAMPLE.COM@EXAMPLE.COM" + kadmin.local -q "modprinc -maxlife 1days -maxrenewlife 7days +allow_renewable metron@EXAMPLE.COM" + ``` + 1. Create a client JAAS file at `/home/metron/.storm/client_jaas.conf`. This should look identical to the Storm client JAAS file located at `/etc/storm/conf/client_jaas.conf` except for the addition of a `Client` stanza. The `Client` stanza is used for Zookeeper. All quotes and semicolons are necessary. ```
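Review bot: in the first hunk (@@ -27,7 +27,6 @@) the deleted line `export HDP_HOME="/usr/hdp/current"` is still referenced by the very next context line, `export KAFKA_HOME="${HDP_HOME}/kafka-broker"`; unless the Setup section now defines `HDP_HOME` earlier, a reader who pastes this block ends up with `KAFKA_HOME=/kafka-broker` and every later `${KAFKA_HOME}` path fails. Either keep the export or add a sentence above the block saying where `HDP_HOME` is expected to be set.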
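Review bot: the kdc.conf step (@@ -72,6 +71,16 @@) should tell the reader to restart the KDC after editing `/var/kerberos/krb5kdc/kdc.conf`, because `max_renewable_life = 7d` is read when `krb5kdc` starts; it is also worth stating that this value only caps the renewable lifetime the KDC will grant, and that principals created before the change keep their own `maxrenewlife`, which is why the later `modprinc` step is still required. The sentence "This can be necessary on a real cluster, but should not be on full-dev" reads as if the setting is harmful on full-dev; if the intent is that full-dev does not need it, say so directly, for example "This is usually needed on a real cluster; it is not needed on full-dev."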
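Review bot: the Storm Authorization step (@@ -238,6 +247,17 @@) says "Ensure the Metron keytab is renewable", but renewability is a property of the ticket, not of the keytab; `klist -f` prints the flags of tickets already in the credential cache, so the check only works after a `kinit` with the Metron keytab, and the ticket must have been requested renewable (for example `kinit -r 7d -kt <keytab> metron@EXAMPLE.COM`, or a `renew_lifetime` setting in krb5.conf) for the `R` flag to appear even when both principals allow it. Suggest putting the `kinit` first and stating that after the two `modprinc` commands the user must `kinit` again, since an existing ticket does not become renewable retroactively. Two smaller points: `kadmin.local` only runs on the KDC host, whereas this section is executed on the Metron/Storm node, so the step should say where to run it; and `-maxlife 1days` on `krbtgt/EXAMPLE.COM@EXAMPLE.COM` caps the ticket lifetime for every principal in the realm, which the "Adjust the parameters" sentence should call out explicitly.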