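def kerberos(configure_security):
    """Yield a finalized Kerberos environment for the foldered service.

    Generator with setup before the ``yield`` and teardown after it
    (presumably registered as a pytest fixture; the decorator is not
    visible here).

    Args:
        configure_security: Not read in the body; presumably a fixture
            dependency that must run first - confirm against the caller.

    Yields:
        The ``sdk_auth.KerberosEnvironment`` after its principals were
        added and ``finalize()`` was called.
    """
    # Bind the name before the try block: if principal lookup or the
    # KerberosEnvironment constructor raises, the finally clause would
    # otherwise fail with UnboundLocalError and hide the real error.
    kerberos_env = None
    try:
        principals = auth.get_service_principals(config.FOLDERED_SERVICE_NAME, sdk_auth.REALM)

        kerberos_env = sdk_auth.KerberosEnvironment()
        kerberos_env.add_principals(principals)
        kerberos_env.finalize()

        yield kerberos_env
    finally:
        # Tear down only what was actually created.
        if kerberos_env is not None:
            kerberos_env.cleanup()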
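def kerberos(configure_security):
    """Yield a finalized Kerberos environment for ``config.SERVICE_NAME``.

    The realm used for the service principals is taken from the
    environment itself (``kerberos_env.get_realm()``) rather than from a
    module constant.

    Args:
        configure_security: Not read in the body; presumably a fixture
            dependency that must run first - confirm against the caller.

    Yields:
        The ``sdk_auth.KerberosEnvironment`` after ``finalize()``.
    """
    # Bind before the try block so a failing constructor does not turn
    # into an UnboundLocalError inside the finally clause.
    kerberos_env = None
    try:
        kerberos_env = sdk_auth.KerberosEnvironment()

        principals = auth.get_service_principals(config.SERVICE_NAME, kerberos_env.get_realm())
        kerberos_env.add_principals(principals)
        kerberos_env.finalize()

        yield kerberos_env
    finally:
        if kerberos_env is not None:
            kerberos_env.cleanup()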
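def kerberos(configure_security, kafka_principals):
    """Yield a finalized Kerberos environment holding ``kafka_principals``.

    Args:
        configure_security: Not read in the body; presumably a fixture
            dependency that must run first - confirm against the caller.
        kafka_principals: Iterable of principal names to register.

    Yields:
        The ``sdk_auth.KerberosEnvironment`` after ``finalize()``.
    """
    # Bind before the try block so a failing constructor does not turn
    # into an UnboundLocalError inside the finally clause.
    kerberos_env = None
    try:
        # Copy so the caller's sequence is never shared with the environment.
        principals = list(kafka_principals)

        kerberos_env = sdk_auth.KerberosEnvironment()
        kerberos_env.add_principals(principals)
        kerberos_env.finalize()

        yield kerberos_env
    finally:
        if kerberos_env is not None:
            kerberos_env.cleanup()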
def create_keytab_secret(args: dict, kerberos=None):
    """Register principals read from a file and finalize the Kerberos environment.

    Args:
        args: Parsed options. They are read by attribute
            (``principals_file``, ``secret_name``, ``binary_secret``), so
            despite the ``dict`` annotation a plain dict would not work.
        kerberos: Environment to reuse. When falsy, a new
            ``sdk_auth.KerberosEnvironment(persist=True)`` is created.
    """
    # NOTE(review): persist=True presumably leaves the KDC running after
    # this call, so nothing here removes it or the keytab - confirm who
    # owns that teardown.
    env = kerberos or sdk_auth.KerberosEnvironment(persist=True)

    env.add_principals(parse_principals(args.principals_file))

    # The keytab location is overridden only when a secret name was given.
    # NOTE(review): a keytab carries the long-term keys of every principal
    # added above; the chosen secret path should be readable only by the
    # services that need it.
    if args.secret_name:
        env.set_keytab_path(args.secret_name, args.binary_secret)

    env.finalize()
    log.info("KDC cluster successfully deployed")
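def kerberos(configure_security):
    """Yield a finalized Kerberos environment for ``config.SERVICE_NAME``.

    Principals are built for the realm ``sdk_auth.REALM`` and the domain
    returned by ``sdk_hosts.get_crypto_id_domain()``.

    Args:
        configure_security: Not read in the body; presumably a fixture
            dependency that must run first - confirm against the caller.

    Yields:
        The ``sdk_auth.KerberosEnvironment`` after ``finalize()``.
    """
    # Bind before the try block: principal lookup runs before the
    # environment exists, and a failure there must not surface as an
    # UnboundLocalError from the finally clause.
    kerberos_env = None
    try:
        principals = auth.get_service_principals(
            config.SERVICE_NAME, sdk_auth.REALM, sdk_hosts.get_crypto_id_domain()
        )

        kerberos_env = sdk_auth.KerberosEnvironment()
        kerberos_env.add_principals(principals)
        kerberos_env.finalize()

        yield kerberos_env
    finally:
        if kerberos_env is not None:
            kerberos_env.cleanup()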
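def kerberos(configure_security):
    """Install the service with Kerberos enabled and yield the environment.

    Setup creates one ``kafka/<broker>.<fqdn>@<realm>`` principal per
    broker plus a ``client@<realm>`` principal, finalizes the Kerberos
    environment, then reinstalls the package with options that point the
    service at the KDC host/port and at the keytab secret.

    Args:
        configure_security: Not read in the body; presumably a fixture
            dependency that must run first - confirm against the caller.

    Yields:
        The ``sdk_auth.KerberosEnvironment`` after ``finalize()``.
    """
    # Bind before the try block so the finally clause never sees an
    # unbound name when setup fails early.
    kerberos_env = None
    try:
        fqdn = "{service_name}.{host_suffix}".format(
            service_name=config.SERVICE_NAME, host_suffix=sdk_hosts.AUTOIP_HOST_SUFFIX
        )

        brokers = ["kafka-0-broker", "kafka-1-broker", "kafka-2-broker"]

        principals = [
            "kafka/{instance}.{domain}@{realm}".format(
                instance=b, domain=fqdn, realm=sdk_auth.REALM
            )
            for b in brokers
        ]
        principals.append("client@{realm}".format(realm=sdk_auth.REALM))

        kerberos_env = sdk_auth.KerberosEnvironment()
        kerberos_env.add_principals(principals)
        kerberos_env.finalize()

        service_kerberos_options = {
            "service": {
                "name": config.SERVICE_NAME,
                "security": {
                    "kerberos": {
                        "enabled": True,
                        "kdc_host_name": kerberos_env.get_host(),
                        "kdc_host_port": int(kerberos_env.get_port()),
                        "keytab_secret": kerberos_env.get_keytab_path(),
                    }
                },
            }
        }

        # Start from a clean slate before installing the Kerberized service.
        sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
        sdk_install.install(
            config.PACKAGE_NAME,
            config.SERVICE_NAME,
            config.DEFAULT_BROKER_COUNT,
            additional_options=service_kerberos_options,
            timeout_seconds=30 * 60,
        )

        yield kerberos_env
    finally:
        # A failing uninstall must not skip the Kerberos teardown,
        # otherwise the KDC and the keytab would be left behind.
        try:
            sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
        finally:
            if kerberos_env is not None:
                kerberos_env.cleanup()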
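def kerberos():
    """
    A pytest fixture that installs and configures a KDC used for testing.

    The service principals for ``config.SERVICE_NAME`` are created in the
    realm reported by the environment itself.

    On teardown, the KDC application is removed.
    """
    # Bind before the try block so a failing constructor does not turn
    # into an UnboundLocalError inside the finally clause.
    kerberos_env = None
    try:
        kerberos_env = sdk_auth.KerberosEnvironment()

        principals = auth.get_service_principals(config.SERVICE_NAME, kerberos_env.get_realm())
        kerberos_env.add_principals(principals)
        kerberos_env.finalize()

        yield kerberos_env
    finally:
        if kerberos_env is not None:
            kerberos_env.cleanup()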
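def kerberos(configure_security):
    """Install the foldered service with Kerberos enabled and yield the environment.

    Setup registers the service principals, finalizes the Kerberos
    environment, then installs the package under
    ``config.FOLDERED_SERVICE_NAME`` with options carrying the KDC
    host/port, the keytab secret path, the realm and the HDFS
    principal-to-user mapping.

    Args:
        configure_security: Not read in the body; presumably a fixture
            dependency that must run first - confirm against the caller.

    Yields:
        The ``sdk_auth.KerberosEnvironment`` after ``finalize()``.
    """
    # Bind before the try block: the finally clause tests this name, and
    # without the binding a failing constructor raised UnboundLocalError.
    kerberos_env = None
    try:
        kerberos_env = sdk_auth.KerberosEnvironment()

        principals = auth.get_service_principals(
            config.FOLDERED_SERVICE_NAME, kerberos_env.get_realm()
        )
        kerberos_env.add_principals(principals)
        kerberos_env.finalize()

        service_kerberos_options = {
            "service": {
                "name": config.FOLDERED_SERVICE_NAME,
                "security": {
                    "kerberos": {
                        "enabled": True,
                        "kdc": {
                            "hostname": kerberos_env.get_host(),
                            "port": int(kerberos_env.get_port()),
                        },
                        "keytab_secret": kerberos_env.get_keytab_path(),
                        # Fixed: this read `kerberos.get_realm()`, i.e. the
                        # enclosing function, which has no such attribute.
                        "realm": kerberos_env.get_realm(),
                    }
                },
            },
            "hdfs": {"security_auth_to_local": auth.get_principal_to_user_mapping()},
        }

        # NOTE(review): this uninstalls config.SERVICE_NAME while install
        # and teardown use config.FOLDERED_SERVICE_NAME - confirm which
        # name is intended here.
        sdk_install.uninstall(config.PACKAGE_NAME, config.SERVICE_NAME)
        sdk_install.install(
            config.PACKAGE_NAME,
            config.FOLDERED_SERVICE_NAME,
            config.DEFAULT_TASK_COUNT,
            additional_options=service_kerberos_options,
            timeout_seconds=30 * 60,
        )

        yield kerberos_env
    finally:
        # A failing uninstall must not skip the Kerberos teardown,
        # otherwise the KDC and the keytab would be left behind.
        try:
            sdk_install.uninstall(config.PACKAGE_NAME, config.FOLDERED_SERVICE_NAME)
        finally:
            if kerberos_env:
                kerberos_env.cleanup()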
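def hdfs_with_kerberos(configure_security_hdfs):
    """Install HDFS with Kerberos enabled and yield the Kerberos environment.

    Setup builds one principal per (instance, primary) pair for the
    ``hdfs`` and ``HTTP`` primaries, adds the generic HDFS user and the
    Alice principal, finalizes the environment and installs the HDFS
    package with matching Kerberos options.

    Args:
        configure_security_hdfs: Not read in the body; presumably a
            fixture dependency that must run first - confirm against the
            caller.

    Yields:
        The ``sdk_auth.KerberosEnvironment`` after ``finalize()``.
    """
    # Bind before the try block: the finally clause tests this name, and
    # without the binding an early failure raised UnboundLocalError.
    kerberos_env = None
    try:
        primaries = ["hdfs", "HTTP"]
        fqdn = "{service_name}.{host_suffix}".format(
            service_name=HDFS_SERVICE_NAME, host_suffix=sdk_hosts.AUTOIP_HOST_SUFFIX
        )
        instances = [
            "name-0-node",
            "name-0-zkfc",
            "name-1-node",
            "name-1-zkfc",
            "journal-0-node",
            "journal-1-node",
            "journal-2-node",
            "data-0-node",
            "data-1-node",
            "data-2-node",
        ]

        principals = [
            "{primary}/{instance}.{fqdn}@{REALM}".format(
                primary=primary, instance=instance, fqdn=fqdn, REALM=sdk_auth.REALM
            )
            for instance, primary in itertools.product(instances, primaries)
        ]
        principals.append(GENERIC_HDFS_USER_PRINCIPAL)
        principals.append(ALICE_PRINCIPAL)

        kerberos_env = sdk_auth.KerberosEnvironment()
        kerberos_env.add_principals(principals)
        kerberos_env.finalize()

        service_kerberos_options = {
            "service": {
                "security": {
                    "kerberos": {
                        "enabled": True,
                        "kdc": {
                            "hostname": kerberos_env.get_host(),
                            "port": int(kerberos_env.get_port()),
                        },
                        "keytab_secret": kerberos_env.get_keytab_path(),
                        "realm": kerberos_env.get_realm(),
                    }
                }
            },
            "hdfs": {"security_auth_to_local": hdfs_auth.get_principal_to_user_mapping()},
        }

        # Start from a clean slate before installing the Kerberized service.
        sdk_install.uninstall(HDFS_PACKAGE_NAME, HDFS_SERVICE_NAME)
        sdk_install.install(
            HDFS_PACKAGE_NAME,
            HDFS_SERVICE_NAME,
            DEFAULT_HDFS_TASK_COUNT,
            additional_options=service_kerberos_options,
            timeout_seconds=30 * 60,
        )

        yield kerberos_env
    finally:
        # A failing uninstall or repo removal must not skip the Kerberos
        # teardown, otherwise the KDC and the keytab would be left behind.
        try:
            sdk_install.uninstall(HDFS_PACKAGE_NAME, HDFS_SERVICE_NAME)
            # NOTE(review): nothing in this function adds the 'hdfs-aws'
            # repo; presumably it is added elsewhere - confirm.
            sdk_cmd.run_cli('package repo remove hdfs-aws')
        finally:
            if kerberos_env:
                kerberos_env.cleanup()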
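def hdfs_with_kerberos(configure_security_hdfs):
    """Install HDFS from a stub universe with Kerberos enabled and yield the environment.

    Setup adds the ``hdfs-aws`` package repository, builds one principal
    per (instance, primary) pair for the ``hdfs`` and ``HTTP`` primaries,
    adds the generic HDFS user principal, finalizes the environment and
    installs the HDFS package with matching Kerberos options. Teardown
    uninstalls the service, removes the repository and cleans up the
    Kerberos environment.

    Args:
        configure_security_hdfs: Not read in the body; presumably a
            fixture dependency that must run first - confirm against the
            caller.

    Yields:
        The ``sdk_auth.KerberosEnvironment`` after ``finalize()``.
    """
    # Bind before the try block: the finally clause tests this name, and
    # without the binding an early failure (for example in the repo add)
    # raised UnboundLocalError.
    kerberos_env = None
    try:
        # To do: remove the following as soon as HDFS with kerberos is released
        # NOTE(review): the repo is inserted at index 0, which presumably
        # places it ahead of the default catalogue, and the stub universe
        # is fetched from a hard-coded URL with no integrity check visible
        # here. Keep this confined to test clusters.
        log.warning(
            'Temporarily using HDFS stub universe until kerberos is released')
        sdk_cmd.run_cli('package repo add --index=0 {} {}'.format(
            'hdfs-aws',
            'https://universe-converter.mesosphere.com/transform?url=https://infinity-artifacts.s3.amazonaws.com/permanent/beta-hdfs/20171122-112028-Vl2QaSERix2q6Dhk/stub-universe-beta-hdfs.json'
        ))

        primaries = ["hdfs", "HTTP"]
        fqdn = "{service_name}.{host_suffix}".format(
            service_name=HDFS_SERVICE_NAME, host_suffix=sdk_hosts.AUTOIP_HOST_SUFFIX
        )
        instances = [
            "name-0-node",
            "name-0-zkfc",
            "name-1-node",
            "name-1-zkfc",
            "journal-0-node",
            "journal-1-node",
            "journal-2-node",
            "data-0-node",
            "data-1-node",
            "data-2-node",
        ]

        principals = [
            "{primary}/{instance}.{fqdn}@{REALM}".format(
                primary=primary, instance=instance, fqdn=fqdn, REALM=sdk_auth.REALM
            )
            for instance, primary in itertools.product(instances, primaries)
        ]
        principals.append(GENERIC_HDFS_USER_PRINCIPAL)

        kerberos_env = sdk_auth.KerberosEnvironment()
        kerberos_env.add_principals(principals)
        kerberos_env.finalize()

        service_kerberos_options = {
            "service": {
                "kerberos": {
                    "enabled": True,
                    "kdc_host_name": kerberos_env.get_host(),
                    "kdc_host_port": kerberos_env.get_port(),
                    "keytab_secret": kerberos_env.get_keytab_path(),
                    "primary": primaries[0],
                    "primary_http": primaries[1],
                    "realm": sdk_auth.REALM,
                }
            }
        }

        # Start from a clean slate before installing the Kerberized service.
        sdk_install.uninstall(HDFS_PACKAGE_NAME, HDFS_SERVICE_NAME)
        sdk_install.install(
            HDFS_PACKAGE_NAME,
            HDFS_SERVICE_NAME,
            DEFAULT_HDFS_TASK_COUNT,
            additional_options=service_kerberos_options,
            timeout_seconds=30 * 60,
        )

        yield kerberos_env
    finally:
        # A failing uninstall or repo removal must not skip the Kerberos
        # teardown, otherwise the KDC and the keytab would be left behind.
        try:
            sdk_install.uninstall(HDFS_PACKAGE_NAME, HDFS_SERVICE_NAME)
            sdk_cmd.run_cli('package repo remove hdfs-aws')
        finally:
            if kerberos_env:
                kerberos_env.cleanup()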