
Configure Kerberos authentication based on Samba via ADCM

Overview

Samba acts as an Active Directory domain controller, so its configuration is very similar to that of Active Directory.

CentOS 7 specifics

On CentOS 7, the bundle does not generate the keytabs, because the standard Samba package for CentOS 7 does not support creating principals on a remote domain controller. You therefore need to prepare the keytabs yourself: edit the variables in the sample script provided below and run it. On other systems, the generation is automatic.

Kerberization in ADCM

To kerberize a cluster using Samba, follow the steps below:

  1. In the ADCM web UI, go to the Clusters page. Select an installed and prepared ADH cluster, and run the Manage Kerberos action.

     (Screenshot: Running Manage Kerberos)
  2. In the pop-up window, turn on the Existing Samba option.

     (Screenshot: Kerberos activation options)
  3. Fill in the Samba Kerberos parameters.

     (Screenshot: Samba Kerberos fields)
  4. Click Run, wait for the job to complete and proceed to setting up Kerberos in the cluster.

     (Screenshot: Activating Kerberos with Samba)

To check the result, run the kinit command with a generated keytab. If it does not work on your system, it may help to add the following encryption type (enctype) options to the libdefaults section of the custom krb5.conf cluster parameter in ADCM:

[libdefaults]
  permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac rc4-hmac arcfour-hmac-md5
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
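An added check (not part of this page or the ADCM bundle) for the situation above: it reads `klist -kte` output for a generated keytab together with the cluster's krb5.conf and reports principals whose keys are RC4-only or that share no enctype with permitted_enctypes. The klist output and the krb5.conf fragment below are constructed samples.

```python
import re
# Constructed sample of `klist -kte` output (not from the page); the yarn entry
# deliberately has only an RC4 key to show the failing case.
SAMPLE_KLIST = """Keytab name: FILE:/etc/security/keytabs/hdfs.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 09/19/2024 12:00:00 hdfs/node1.samba.test@SAMBA.TEST (aes256-cts-hmac-sha1-96)
   1 09/19/2024 12:00:00 hdfs/node1.samba.test@SAMBA.TEST (aes128-cts-hmac-sha1-96)
   1 09/19/2024 12:00:00 hdfs/node1.samba.test@SAMBA.TEST (arcfour-hmac)
   1 09/19/2024 12:00:00 yarn/node1.samba.test@SAMBA.TEST (arcfour-hmac)
"""
# Constructed krb5.conf fragment: the page's libdefaults shape, but with RC4 left out.
SAMPLE_KRB5 = """[libdefaults]
  permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""
# MIT aliases that all mean RC4-HMAC (deprecated by RFC 8429).
RC4_NAMES = {"arcfour-hmac", "rc4-hmac", "arcfour-hmac-md5"}
ENTRY_RE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)")  # kvno date time princ (enctype)

def parse_klist(text):
    """Map each principal in `klist -kte` output to the set of enctypes it has keys for."""
    keys = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            keys.setdefault(m.group(1), set()).add(m.group(2))
    return keys

def permitted_enctypes(krb5_conf):
    """Return permitted_enctypes from [libdefaults], or None when unset (library default)."""
    section = None
    for line in krb5_conf.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line
        elif section == "[libdefaults]" and line.startswith("permitted_enctypes"):
            return set(line.split("=", 1)[1].split())
    return None

def audit_keytab(klist_text, krb5_conf):
    """(principal, problem) pairs: RC4-only keys, or no key type the client is allowed to use."""
    allowed = permitted_enctypes(krb5_conf)
    findings = []
    for princ, enctypes in parse_klist(klist_text).items():
        if enctypes <= RC4_NAMES:
            findings.append((princ, "only RC4 keys"))
        if allowed is not None and not (enctypes & allowed):
            findings.append((princ, "no enctype permitted by krb5.conf"))
    return findings
```

A principal in the second category is exactly the case the krb5.conf note above addresses; a principal in the first category will only work as long as RC4 stays enabled on both client and KDC.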
Implementation specifics

In the script, the principals are created in a very specific way (the same way the bundle does it) for the following reasons:

  • For keytab authentication to work, the UPN (User Principal Name) has to match an SPN (Service Principal Name). This is required because Samba does not allow searching for principals by UPN during kinit.

  • Since a UPN can hold only one value, a separate principal with its own SPN has to be created for each host.

  • By default, when working with principals and keytabs, Samba consults a local database, not a remote domain controller. To make it run an action on the actual domain controller, the -H ldap://$SAMBA_SERVER argument has to be used.

This approach also has an advantage: there is no need to add a host into a domain and set up local replicas of the Samba databases to create service users and principals. Also, the principal authentication happens with a different keytab for each user, not with a single keytab per host.

Keytab generation script
#!/bin/bash
# Script for adding service principals and keytabs to cluster hosts.
# Edit HOSTS to list your cluster hosts.
# Edit the Samba parameters below.
# Select the services according to the bundle.

# Samba credentials
SAMBA_USER='Administrator'
SAMBA_PASSWORD='adminPassword'
SAMBA_SERVER='<samba_server>'
REALM='<samba_realm>'
SAMBA_HOST='<samba_host>'
USER_PASSWORD='userPassword'
OU_NAME='CN=Users,DC=samba,DC=test'

declare -a HOSTS

# Host key checking is disabled for convenience; the SSH sessions carry passwords and keytabs,
# so a pre-populated known_hosts file is preferable in production.
SSH_OPTS='-o GlobalKnownHostsFile=/dev/null -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'

HOSTS=(
    "List your hosts here"
)
encoded_password=$(echo -n "\"$USER_PASSWORD\"" | iconv -f UTF-8 -t UTF-16LE | base64)

# ADH services
SERVICES=(HTTP airflow flink hbase-phoenix_queryserver hbase-thrift2 hbase hdfs-datanode hdfs-journalnode hdfs-namenode hdfs-zkfc hdfs hive httpfs livy mapreduce-historyserver solr spark sqoop yarn-nodemanager yarn-resourcemanager yarn-timelineserver yarn zeppelin zookeeper impala ssm ssm-agent kyuubi)

mkdir -p /tmp/keytabs

for HOST in "${HOSTS[@]}"; do
    echo "Set hostname"
    ssh $SSH_OPTS $HOST "sudo hostnamectl --static set-hostname $HOST"
    echo "Create keytab dir"
    ssh $SSH_OPTS $HOST "sudo mkdir -p /etc/security/keytabs"
    for SERVICE in "${SERVICES[@]}"; do
        echo "Create service user"
        ssh $SSH_OPTS $SAMBA_HOST "sudo useradd $SERVICE"
        echo "Create service principal"
        echo "Create add.ldif"
        ssh $SSH_OPTS $SAMBA_HOST "cat <<EOF > /tmp/add.ldif
DN: CN=${SERVICE}/${HOST},${OU_NAME}
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
accountExpires: 0
sAMAccountName: ${SERVICE}-${HOST}
userPrincipalName: ${SERVICE}/${HOST}@${REALM}
servicePrincipalName: ${SERVICE}/${HOST}
distinguishedName: CN=${SERVICE}/${HOST},${OU_NAME}
userAccountControl: 514

DN: CN=${SERVICE}/${HOST},${OU_NAME}
changetype: modify
replace: unicodePwd
unicodePwd:: $encoded_password

DN: CN=${SERVICE}/${HOST},${OU_NAME}
changetype: modify
replace: userAccountControl
userAccountControl: 66048

EOF"

        # Do not echo the full command: it would print the Samba admin password to the log
        echo "Run ldbmodify against ldap://$SAMBA_SERVER"
        ssh $SSH_OPTS $SAMBA_HOST "sudo ldbmodify -H ldap://$SAMBA_SERVER /tmp/add.ldif -U $SAMBA_USER --password=$SAMBA_PASSWORD"

        echo "Delete keytab"
        ssh $SSH_OPTS $SAMBA_HOST "sudo rm -f /tmp/$SERVICE.service.keytab"

        echo "Extract keytab"
        TMP_SCRIPT="/tmp/extract_keytab_${SERVICE}_${HOST}.sh"
        KTUTIL_SCRIPT="/tmp/ktutil_commands_${SERVICE}_${HOST}.txt"
        cat <<EOT > $TMP_SCRIPT
#!/bin/bash
cd /tmp
sudo ktutil < $KTUTIL_SCRIPT
EOT

        cat <<EOT > $KTUTIL_SCRIPT
add_entry -password -p ${SERVICE}/${HOST}@${REALM} -k 1 -e aes256-cts-hmac-sha1-96
${USER_PASSWORD}
add_entry -password -p ${SERVICE}/${HOST}@${REALM} -k 1 -e aes128-cts-hmac-sha1-96
${USER_PASSWORD}
add_entry -password -p ${SERVICE}/${HOST}@${REALM} -k 1 -e arcfour-hmac
${USER_PASSWORD}
wkt ${SERVICE}.service.keytab
quit
EOT
        # The ktutil command file holds the service password in clear text
        chmod 600 $KTUTIL_SCRIPT
        scp $SSH_OPTS $TMP_SCRIPT $SAMBA_HOST:$TMP_SCRIPT
        scp $SSH_OPTS $KTUTIL_SCRIPT $SAMBA_HOST:$KTUTIL_SCRIPT
        ssh $SSH_OPTS $SAMBA_HOST "chmod +x $TMP_SCRIPT && $TMP_SCRIPT && rm $TMP_SCRIPT && rm $KTUTIL_SCRIPT"
        rm $TMP_SCRIPT
        rm $KTUTIL_SCRIPT

        echo "Check keytab entries"
        ssh $SSH_OPTS $SAMBA_HOST "sudo klist -k /tmp/$SERVICE.service.keytab"
        echo "Change permission"
        # Makes the keytab readable by the scp user (and by everyone else) while it sits in /tmp on the Samba host
        ssh $SSH_OPTS $SAMBA_HOST "sudo chmod 777 /tmp/${SERVICE}.service.keytab"
        echo "Export keytab to local"
        scp $SSH_OPTS $SAMBA_HOST:/tmp/${SERVICE}.service.keytab /tmp/keytabs/${SERVICE}.service.keytab
        # Remove the world-readable copy from the Samba host as soon as it has been fetched
        ssh $SSH_OPTS $SAMBA_HOST "sudo rm -f /tmp/${SERVICE}.service.keytab"
        echo "Export keytab to host"
        scp $SSH_OPTS /tmp/keytabs/${SERVICE}.service.keytab $HOST:/tmp/${SERVICE}.service.keytab
        ssh $SSH_OPTS $HOST "sudo mv /tmp/${SERVICE}.service.keytab /etc/security/keytabs/${SERVICE}.service.keytab"
        echo "Clean up local temporary keytab"
        rm /tmp/keytabs/$SERVICE.service.keytab
    done

    echo "Change owner and group"

    ssh $SSH_OPTS $HOST sudo chown zookeeper:zookeeper /etc/security/keytabs/zookeeper*
    ssh $SSH_OPTS $HOST sudo chown hdfs:hadoop /etc/security/keytabs/hdfs*
    ssh $SSH_OPTS $HOST sudo chown hdfs:hadoop /etc/security/keytabs/HTTP*
    ssh $SSH_OPTS $HOST sudo chown yarn:hadoop /etc/security/keytabs/yarn*
    ssh $SSH_OPTS $HOST sudo chown hbase:hadoop /etc/security/keytabs/hbase*
    ssh $SSH_OPTS $HOST sudo chown flink:flink /etc/security/keytabs/flink*
    ssh $SSH_OPTS $HOST sudo chown sqoop:sqoop /etc/security/keytabs/sqoop*
    ssh $SSH_OPTS $HOST sudo chown zeppelin:zeppelin /etc/security/keytabs/zeppelin*
    ssh $SSH_OPTS $HOST sudo chown spark:spark /etc/security/keytabs/spark*
    ssh $SSH_OPTS $HOST sudo chown hive:hive /etc/security/keytabs/hive*
    ssh $SSH_OPTS $HOST sudo chown livy:hadoop /etc/security/keytabs/livy*
    ssh $SSH_OPTS $HOST sudo chown httpfs:httpfs /etc/security/keytabs/httpfs*
    ssh $SSH_OPTS $HOST sudo chown mapred:hadoop /etc/security/keytabs/mapreduce-historyserver*
    ssh $SSH_OPTS $HOST sudo chown solr:solr /etc/security/keytabs/solr*
    ssh $SSH_OPTS $HOST sudo chown airflow:airflow /etc/security/keytabs/airflow*
    ssh $SSH_OPTS $HOST sudo chown impala:impala /etc/security/keytabs/impala*

    echo "Change permissions"

    # 777 leaves every keytab readable by any local user on the host; once the services are
    # confirmed to start, tighten the modes to what the owners set above actually need
    ssh $SSH_OPTS $HOST "sudo chmod -R 777 /etc/security/keytabs/"

done

Samba Kerberos parameters

Parameter                         Description
Authentication on WEB UIs         Enables Kerberos authentication on Web UIs
KDC hosts                         One or more domain controller hosts
Realm                             A Kerberos realm
Domains                           Domains associated with hosts
Kadmin server                     A host where kadmin is running
Kadmin principal                  A principal name used to connect via kadmin, for example admin@RU-CENTRAL1.INTERNAL
Kadmin password                   A principal password used to connect via kadmin
Keytabs directory                 Directory of the keytab file that contains one or several principals along with their keys
Additional realms                 Additional Kerberos realms
LDAP URL                          LDAP URL consisting of ldap:// or ldaps://, the hostname or IP address, and the port of the LDAP server
Container DN                      Container distinguished name
Trusted Active Directory server   A trusted DC server
Trusted Active Directory realm    A realm for cross-realm trust
