Example #1
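def kerberos(configure_security):
    """Yield a finalized ``sdk_auth.KerberosEnvironment`` for the foldered service.

    Generator-style fixture (the decorator is not visible here; presumably
    ``pytest.fixture``). Principals for ``config.FOLDERED_SERVICE_NAME`` in
    ``sdk_auth.REALM`` are registered with the environment before it is
    finalized; the environment is cleaned up once the consumer is done.

    Args:
        configure_security: not used in the body; presumably requested only so
            that the security setup runs first -- confirm against the caller.

    Yields:
        The finalized ``KerberosEnvironment``.
    """
    # Bind the name before entering the try block: if principal lookup or the
    # constructor raises, the finally clause would otherwise fail with an
    # UnboundLocalError and hide the real setup error.
    kerberos_env = None
    try:
        principals = auth.get_service_principals(config.FOLDERED_SERVICE_NAME,
                                                 sdk_auth.REALM)

        kerberos_env = sdk_auth.KerberosEnvironment()
        kerberos_env.add_principals(principals)
        kerberos_env.finalize()

        yield kerberos_env

    finally:
        # Tear down only what was actually created, so that a test KDC is
        # never left behind after a partially failed setup.
        if kerberos_env is not None:
            kerberos_env.cleanup()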
Example #2
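def kerberos(configure_security):
    """Yield a finalized ``sdk_auth.KerberosEnvironment`` for ``config.SERVICE_NAME``.

    Generator-style fixture (decorator not visible here; presumably
    ``pytest.fixture``). The realm is read from the environment itself via
    ``get_realm()`` and used to build the service principals.

    Args:
        configure_security: not used in the body; presumably requested only for
            fixture ordering -- confirm against the caller.

    Yields:
        The finalized ``KerberosEnvironment``.
    """
    # Pre-bind so the finally clause cannot raise UnboundLocalError when the
    # constructor itself fails, which would mask the original exception.
    kerberos_env = None
    try:
        kerberos_env = sdk_auth.KerberosEnvironment()

        principals = auth.get_service_principals(config.SERVICE_NAME,
                                                 kerberos_env.get_realm())
        kerberos_env.add_principals(principals)
        kerberos_env.finalize()

        yield kerberos_env

    finally:
        # Cleanup still runs when add_principals()/finalize() fail midway, so
        # a half-configured environment is not left behind.
        if kerberos_env is not None:
            kerberos_env.cleanup()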
Example #3
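def kerberos(configure_security, kafka_principals):
    """Yield a finalized ``sdk_auth.KerberosEnvironment`` holding the Kafka principals.

    Generator-style fixture (decorator not visible here; presumably
    ``pytest.fixture``).

    Args:
        configure_security: not used in the body; presumably requested only for
            fixture ordering -- confirm against the caller.
        kafka_principals: iterable of principal strings; it is copied so the
            caller's collection is never handed to the environment directly.

    Yields:
        The finalized ``KerberosEnvironment``.
    """
    # Pre-bind so a failing constructor does not turn into an
    # UnboundLocalError inside the finally clause.
    kerberos_env = None
    try:
        principals = list(kafka_principals)

        kerberos_env = sdk_auth.KerberosEnvironment()
        kerberos_env.add_principals(principals)
        kerberos_env.finalize()

        yield kerberos_env

    finally:
        if kerberos_env is not None:
            kerberos_env.cleanup()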
Example #4
def create_keytab_secret(args: dict, kerberos=None):
    """Register principals with a Kerberos environment and finalize it.

    Args:
        args: parsed options. NOTE(review): annotated as ``dict`` but read via
            attributes (``principals_file``, ``secret_name``,
            ``binary_secret``), so it looks like an argparse-style namespace --
            confirm and correct the annotation.
        kerberos: an existing environment to reuse. When falsy, a new
            ``sdk_auth.KerberosEnvironment(persist=True)`` is created.

    Returns:
        None. Nothing in this function calls ``cleanup()``, so whatever
        ``finalize()`` created outlives the call; with ``persist=True`` that
        is presumably intended -- the operator has to remove the KDC and the
        keytab secret once they are no longer needed.
    """
    kerberos = kerberos or sdk_auth.KerberosEnvironment(persist=True)

    kerberos.add_principals(parse_principals(args.principals_file))

    # Only override the keytab location when a secret name was supplied.
    secret_name = args.secret_name
    if secret_name:
        kerberos.set_keytab_path(secret_name, args.binary_secret)

    kerberos.finalize()

    log.info("KDC cluster successfully deployed")
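def kerberos(configure_security):
    """Yield a finalized ``sdk_auth.KerberosEnvironment`` for ``config.SERVICE_NAME``.

    Generator-style fixture (decorator not visible here; presumably
    ``pytest.fixture``). Principals are built from the service name,
    ``sdk_auth.REALM`` and the domain returned by
    ``sdk_hosts.get_crypto_id_domain()``.

    Args:
        configure_security: not used in the body; presumably requested only for
            fixture ordering -- confirm against the caller.

    Yields:
        The finalized ``KerberosEnvironment``.
    """
    # Pre-bind so that a failure while resolving principals or constructing
    # the environment is not masked by an UnboundLocalError in finally.
    kerberos_env = None
    try:
        principals = auth.get_service_principals(
            config.SERVICE_NAME, sdk_auth.REALM, sdk_hosts.get_crypto_id_domain()
        )

        kerberos_env = sdk_auth.KerberosEnvironment()
        kerberos_env.add_principals(principals)
        kerberos_env.finalize()

        yield kerberos_env

    finally:
        if kerberos_env is not None:
            kerberos_env.cleanup()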
Example #6
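def kerberos(configure_security):
    """Install the Kafka service with Kerberos enabled and yield its KDC environment.

    Generator-style fixture (decorator not visible here; presumably
    ``pytest.fixture``). It creates one ``kafka/<broker>.<fqdn>@REALM``
    principal per broker plus a ``client@REALM`` principal, finalizes the
    Kerberos environment, then reinstalls the service with the KDC host, port
    and keytab secret passed as package options.

    Args:
        configure_security: not used in the body; presumably requested only for
            fixture ordering -- confirm against the caller.

    Yields:
        The finalized ``KerberosEnvironment``.
    """
    # Pre-bind so teardown cannot fail with UnboundLocalError when setup
    # raises before the environment exists.
    kerberos_env = None
    try:
        fqdn = "{service_name}.{host_suffix}".format(
            service_name=config.SERVICE_NAME,
            host_suffix=sdk_hosts.AUTOIP_HOST_SUFFIX)

        brokers = [
            "kafka-0-broker",
            "kafka-1-broker",
            "kafka-2-broker",
        ]

        principals = [
            "kafka/{instance}.{domain}@{realm}".format(
                instance=broker, domain=fqdn, realm=sdk_auth.REALM)
            for broker in brokers
        ]
        principals.append("client@{realm}".format(realm=sdk_auth.REALM))

        kerberos_env = sdk_auth.KerberosEnvironment()
        kerberos_env.add_principals(principals)
        kerberos_env.finalize()

        service_kerberos_options = {
            "service": {
                "name": config.SERVICE_NAME,
                "security": {
                    "kerberos": {
                        "enabled": True,
                        "kdc_host_name": kerberos_env.get_host(),
                        "kdc_host_port": int(kerberos_env.get_port()),
                        "keytab_secret": kerberos_env.get_keytab_path(),
                    }
                }
            }
        }

        # Start from a clean slate so the Kerberos options are not applied on
        # top of a previous, non-kerberized install.
        sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
        sdk_install.install(config.PACKAGE_NAME,
                            config.SERVICE_NAME,
                            config.DEFAULT_BROKER_COUNT,
                            additional_options=service_kerberos_options,
                            timeout_seconds=30 * 60)

        yield kerberos_env

    finally:
        # The Kerberos environment is cleaned up even when the service
        # uninstall raises, so the KDC is not leaked on a failed teardown.
        try:
            sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
        finally:
            if kerberos_env is not None:
                kerberos_env.cleanup()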
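def kerberos():
    """
    A pytest fixture that installs and configures a KDC used for testing.

    Principals for ``config.SERVICE_NAME`` are created in the realm reported
    by the environment (``get_realm()``) and registered before ``finalize()``.

    On teardown, the KDC application is removed.
    """
    # Pre-bind so that a constructor failure surfaces as itself rather than
    # as an UnboundLocalError raised from the finally clause.
    kerberos_env = None
    try:
        kerberos_env = sdk_auth.KerberosEnvironment()

        principals = auth.get_service_principals(config.SERVICE_NAME, kerberos_env.get_realm())
        kerberos_env.add_principals(principals)
        kerberos_env.finalize()

        yield kerberos_env

    finally:
        if kerberos_env is not None:
            kerberos_env.cleanup()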
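def kerberos(configure_security):
    """Install the foldered service with Kerberos enabled and yield its KDC environment.

    Generator-style fixture (decorator not visible here; presumably
    ``pytest.fixture``). The service is installed with the KDC hostname and
    port, the keytab secret path and the realm taken from the finalized
    ``KerberosEnvironment``, plus the principal-to-user mapping from
    ``auth.get_principal_to_user_mapping()``.

    Args:
        configure_security: not used in the body; presumably requested only for
            fixture ordering -- confirm against the caller.

    Yields:
        The finalized ``KerberosEnvironment``.
    """
    # Pre-bind so the `if kerberos_env:` check in finally is always valid,
    # even when the constructor raises.
    kerberos_env = None
    try:
        kerberos_env = sdk_auth.KerberosEnvironment()

        principals = auth.get_service_principals(config.FOLDERED_SERVICE_NAME,
                                                 kerberos_env.get_realm())
        kerberos_env.add_principals(principals)
        kerberos_env.finalize()
        service_kerberos_options = {
            "service": {
                "name": config.FOLDERED_SERVICE_NAME,
                "security": {
                    "kerberos": {
                        "enabled": True,
                        "kdc": {
                            "hostname": kerberos_env.get_host(),
                            "port": int(kerberos_env.get_port())
                        },
                        "keytab_secret": kerberos_env.get_keytab_path(),
                        # Was `kerberos.get_realm()`: `kerberos` is this
                        # function, so the lookup raised AttributeError.
                        "realm": kerberos_env.get_realm()
                    }
                }
            },
            "hdfs": {
                "security_auth_to_local": auth.get_principal_to_user_mapping()
            }
        }

        # NOTE(review): this removes config.SERVICE_NAME while the install and
        # the teardown below use config.FOLDERED_SERVICE_NAME -- confirm which
        # name is intended here.
        sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
        sdk_install.install(config.PACKAGE_NAME,
                            config.FOLDERED_SERVICE_NAME,
                            config.DEFAULT_TASK_COUNT,
                            additional_options=service_kerberos_options,
                            timeout_seconds=30 * 60)

        yield kerberos_env

    finally:
        # Clean up the Kerberos environment even if the service uninstall
        # raises, so the KDC is not leaked on a failed teardown.
        try:
            sdk_install.uninstall(config.PACKAGE_NAME,
                                  config.FOLDERED_SERVICE_NAME)
        finally:
            if kerberos_env:
                kerberos_env.cleanup()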
Example #9
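def hdfs_with_kerberos(configure_security_hdfs):
    """Install HDFS with Kerberos enabled and yield the KDC environment.

    Generator-style fixture (decorator not visible here; presumably
    ``pytest.fixture``). One ``<primary>/<instance>.<fqdn>@REALM`` principal is
    created for every combination of the listed task instances and the
    ``hdfs``/``HTTP`` primaries, plus ``GENERIC_HDFS_USER_PRINCIPAL`` and
    ``ALICE_PRINCIPAL``.

    Args:
        configure_security_hdfs: not used in the body; presumably requested
            only for fixture ordering -- confirm against the caller.

    Yields:
        The finalized ``KerberosEnvironment``.
    """
    # Pre-bind so the `if kerberos_env:` check in finally cannot raise
    # UnboundLocalError when setup fails before the environment exists.
    kerberos_env = None
    try:
        primaries = ["hdfs", "HTTP"]
        fqdn = "{service_name}.{host_suffix}".format(
            service_name=HDFS_SERVICE_NAME,
            host_suffix=sdk_hosts.AUTOIP_HOST_SUFFIX)
        instances = [
            "name-0-node",
            "name-0-zkfc",
            "name-1-node",
            "name-1-zkfc",
            "journal-0-node",
            "journal-1-node",
            "journal-2-node",
            "data-0-node",
            "data-1-node",
            "data-2-node",
        ]
        principals = [
            "{primary}/{instance}.{fqdn}@{REALM}".format(
                primary=primary,
                instance=instance,
                fqdn=fqdn,
                REALM=sdk_auth.REALM)
            for (instance, primary) in itertools.product(instances, primaries)
        ]
        principals.append(GENERIC_HDFS_USER_PRINCIPAL)
        principals.append(ALICE_PRINCIPAL)

        kerberos_env = sdk_auth.KerberosEnvironment()
        kerberos_env.add_principals(principals)
        kerberos_env.finalize()
        service_kerberos_options = {
            "service": {
                "security": {
                    "kerberos": {
                        "enabled": True,
                        "kdc": {
                            "hostname": kerberos_env.get_host(),
                            "port": int(kerberos_env.get_port())
                        },
                        "keytab_secret": kerberos_env.get_keytab_path(),
                        "realm": kerberos_env.get_realm()
                    }
                }
            },
            "hdfs": {
                "security_auth_to_local":
                hdfs_auth.get_principal_to_user_mapping()
            }
        }

        sdk_install.uninstall(HDFS_PACKAGE_NAME, HDFS_SERVICE_NAME)
        sdk_install.install(HDFS_PACKAGE_NAME,
                            HDFS_SERVICE_NAME,
                            DEFAULT_HDFS_TASK_COUNT,
                            additional_options=service_kerberos_options,
                            timeout_seconds=30 * 60)

        yield kerberos_env

    finally:
        # Clean up the Kerberos environment even when the uninstall or the
        # repo removal raises, so the KDC is not leaked on a failed teardown.
        try:
            sdk_install.uninstall(HDFS_PACKAGE_NAME, HDFS_SERVICE_NAME)
            # NOTE(review): nothing in this function adds the `hdfs-aws` repo;
            # presumably it is added elsewhere -- confirm.
            sdk_cmd.run_cli('package repo remove hdfs-aws')
        finally:
            if kerberos_env:
                kerberos_env.cleanup()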
Example #10
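def hdfs_with_kerberos(configure_security_hdfs):
    """Install HDFS from a stub universe with Kerberos enabled and yield the KDC environment.

    Generator-style fixture (decorator not visible here; presumably
    ``pytest.fixture``). A package repo named ``hdfs-aws`` is added at index 0
    from a fixed artifact URL, principals are generated for every task
    instance and primary, and HDFS is installed with the KDC host, port,
    keytab secret, primaries and realm as package options.

    Args:
        configure_security_hdfs: not used in the body; presumably requested
            only for fixture ordering -- confirm against the caller.

    Yields:
        The finalized ``KerberosEnvironment``.
    """
    # Pre-bind so the `if kerberos_env:` check in finally cannot raise
    # UnboundLocalError when setup fails before the environment exists.
    kerberos_env = None
    try:
        # To do: remove the following as soon as HDFS with kerberos is released
        # NOTE(review): the stub repo is inserted at index 0, which presumably
        # gives it priority over the default repo; the teardown below removes
        # it so later installs do not resolve against the stub universe.
        log.warning(
            'Temporarily using HDFS stub universe until kerberos is released')
        sdk_cmd.run_cli('package repo add --index=0 {} {}'.format(
            'hdfs-aws',
            'https://universe-converter.mesosphere.com/transform?url=https://infinity-artifacts.s3.amazonaws.com/permanent/beta-hdfs/20171122-112028-Vl2QaSERix2q6Dhk/stub-universe-beta-hdfs.json'
        ))

        primaries = ["hdfs", "HTTP"]
        fqdn = "{service_name}.{host_suffix}".format(
            service_name=HDFS_SERVICE_NAME,
            host_suffix=sdk_hosts.AUTOIP_HOST_SUFFIX)
        instances = [
            "name-0-node",
            "name-0-zkfc",
            "name-1-node",
            "name-1-zkfc",
            "journal-0-node",
            "journal-1-node",
            "journal-2-node",
            "data-0-node",
            "data-1-node",
            "data-2-node",
        ]
        principals = [
            "{primary}/{instance}.{fqdn}@{REALM}".format(
                primary=primary,
                instance=instance,
                fqdn=fqdn,
                REALM=sdk_auth.REALM)
            for (instance, primary) in itertools.product(instances, primaries)
        ]
        principals.append(GENERIC_HDFS_USER_PRINCIPAL)

        kerberos_env = sdk_auth.KerberosEnvironment()
        kerberos_env.add_principals(principals)
        kerberos_env.finalize()
        # The port is passed through as returned by get_port(), without an
        # int() conversion.
        service_kerberos_options = {
            "service": {
                "kerberos": {
                    "enabled": True,
                    "kdc_host_name": kerberos_env.get_host(),
                    "kdc_host_port": kerberos_env.get_port(),
                    "keytab_secret": kerberos_env.get_keytab_path(),
                    "primary": primaries[0],
                    "primary_http": primaries[1],
                    "realm": sdk_auth.REALM
                }
            }
        }

        sdk_install.uninstall(HDFS_PACKAGE_NAME, HDFS_SERVICE_NAME)
        sdk_install.install(HDFS_PACKAGE_NAME,
                            HDFS_SERVICE_NAME,
                            DEFAULT_HDFS_TASK_COUNT,
                            additional_options=service_kerberos_options,
                            timeout_seconds=30 * 60)

        yield kerberos_env

    finally:
        # Clean up the Kerberos environment even when the uninstall or the
        # repo removal raises, so the KDC is not leaked on a failed teardown.
        try:
            sdk_install.uninstall(HDFS_PACKAGE_NAME, HDFS_SERVICE_NAME)
            sdk_cmd.run_cli('package repo remove hdfs-aws')
        finally:
            if kerberos_env:
                kerberos_env.cleanup()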