def run(user, pwd):
    """Create a fresh local SSH key pair and push it, with the package, to all nodes.

    The node list and the package path come from the installer configuration
    in ``dbcfgs_json``. Each node gets the private key, the public key and the
    Trafodion package copied into ``/tmp`` by a ``Remote`` instance, one
    thread per node. A node whose copy ends with a non-zero ``rc`` is
    reported through ``err``.

    Args:
        user: login name handed to every ``Remote`` instance.
        pwd: password handed to every ``Remote`` instance.
    """
    cfg = json.loads(dbcfgs_json)
    node_names = cfg['node_list'].split(',')
    package_path = cfg['traf_package']

    prefix = get_sudo_prefix()

    # Remove key material left by an earlier run before generating a new pair.
    run_cmd('%s rm -rf %s*' % (prefix, SSHKEY_FILE))
    # -N "" produces a private key with no passphrase, so the file itself is
    # the credential.
    # NOTE(review): the sudo prefix only applies to `echo`; ssh-keygen on the
    # right-hand side of the pipe runs as the invoking user - confirm that is
    # intended given the rm above runs with the prefix.
    run_cmd('%s echo -e "y" | ssh-keygen -t rsa -N "" -f %s' % (prefix, SSHKEY_FILE))

    payload = [SSHKEY_FILE, SSHKEY_FILE + '.pub', package_path]

    # NOTE(review): the unencrypted private key lands in /tmp on every node.
    # The permissions Remote.copy leaves on the destination are not visible
    # here - confirm they are restrictive and that the copy is removed once
    # the key has been installed.
    remotes = [Remote(name, user=user, pwd=pwd) for name in node_names]
    workers = []
    for remote in remotes:
        workers.append(Thread(target=remote.copy, args=(payload, '/tmp')))

    # Start every transfer before waiting, so the copies run in parallel.
    for worker in workers:
        worker.start()
    for worker in workers:
        worker.join()

    for remote in remotes:
        if remote.rc == 0:
            continue
        err('Failed to copy files to %s' % remote.host)
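def run():
    """Create the Trafodion directories in HDFS, set their ownership and ACLs.

    Steps, all driven by the installer configuration in ``dbcfgs_json``:

    1. pick the ``hdfs`` binary for the distribution (CDH parcel, Apache
       ``hadoop_home``, or the default);
    2. wait for HDFS to leave safe mode;
    3. create ``/user/trafodion`` with its ``trafodion_backups``, ``bulkload``
       and ``lobs`` subdirectories, plus ``/hbase/archive``;
    4. set owners, modes, the ``bulkload`` group and the ``/hbase/archive``
       ACLs that give the Trafodion user ``rwx``;
    5. when ``secure_hadoop`` is ``'Y'``, grant the Trafodion user ``RWXC``
       in HBase through ``hbase shell`` and check the output for ``ERROR``.

    The HBase shell output is captured in a file created with
    ``tempfile.mkstemp`` rather than at a fixed, predictable path in ``/tmp``.
    A fixed name in a world-writable directory can be pre-created (for
    example as a symlink) by another local account before the installer
    writes to it.

    NOTE(review): user names and paths from the configuration are placed into
    shell command strings without quoting; this is only safe while the
    configuration comes from a trusted source.
    """
    import tempfile  # function-scope: the module's import block is not visible here

    hdfs_bin = DEF_HDFS_BIN

    dbcfgs = json.loads(dbcfgs_json)
    distro = dbcfgs['distro']

    if 'CDH' in distro:
        # Only switch to the parcel binary when the parcel is actually installed.
        parcel_lib = PARCEL_HBASE_LIB
        if os.path.exists(parcel_lib):
            hdfs_bin = PARCEL_HDFS_BIN
    elif 'APACHE' in distro:
        hdfs_bin = dbcfgs['hadoop_home'] + '/bin/hdfs'

    traf_loc = '/user/trafodion'
    # Brace list is left for the shell to expand.
    # presumably run_cmd_as_user runs the command through bash - confirm.
    traf_subdirs = '%s/{trafodion_backups,bulkload,lobs}' % traf_loc
    traf_user = dbcfgs['traf_user']
    hdfs_user = dbcfgs['hdfs_user']
    hbase_user = dbcfgs['hbase_user']
    # Third space-separated field of `hdfs groups <user>` output.
    hbase_group = cmd_output('%s groups %s | cut -d" " -f3' % (hdfs_bin, hbase_user))

    run_cmd_as_user(hdfs_user, '%s dfsadmin -safemode wait' % hdfs_bin)
    run_cmd_as_user(hdfs_user, '%s dfs -mkdir -p %s /hbase/archive' % (hdfs_bin, traf_subdirs))
    run_cmd_as_user(hdfs_user, '%s dfs -chown -R %s:%s /hbase/archive' % (hdfs_bin, hbase_user, hbase_user))
    run_cmd_as_user(hdfs_user, '%s dfs -chown -R %s:%s %s %s' % (hdfs_bin, traf_user, traf_user, traf_loc, traf_subdirs))
    # Top-level directory is world-readable; the data subdirectories are not.
    run_cmd_as_user(hdfs_user, '%s dfs -chmod 0755 %s' % (hdfs_bin, traf_loc))
    run_cmd_as_user(hdfs_user, '%s dfs -chmod 0750 %s' % (hdfs_bin, traf_subdirs))
    run_cmd_as_user(hdfs_user, '%s dfs -chgrp %s %s/bulkload' % (hdfs_bin, hbase_group, traf_loc))
    # Access ACL, default ACL and mask on /hbase/archive for the Trafodion user.
    run_cmd_as_user(hdfs_user, '%s dfs -setfacl -R -m user:%s:rwx /hbase/archive' % (hdfs_bin, traf_user))
    run_cmd_as_user(hdfs_user, '%s dfs -setfacl -R -m default:user:%s:rwx /hbase/archive' % (hdfs_bin, traf_user))
    run_cmd_as_user(hdfs_user, '%s dfs -setfacl -R -m mask::rwx /hbase/archive' % hdfs_bin)

    # Grant all privileges to the Trafodion principal in HBase
    if dbcfgs['secure_hadoop'] == 'Y':
        # mkstemp creates the file exclusively with owner-only permissions, so
        # the shell redirect below writes to a file this process created.
        out_fd, shell_out = tempfile.mkstemp(prefix='hbase_shell_', suffix='.out', dir='/tmp')
        os.close(out_fd)

        run_cmd('echo "grant \'%s\', \'RWXC\'" | %s su - %s -s /bin/bash -c "hbase shell" > %s'
                % (traf_user, get_sudo_prefix(), hbase_user, shell_out))
        has_err = cmd_output('grep -c ERROR %s' % shell_out)
        if int(has_err):
            # As before, the output file is not removed on this path; it stays
            # in /tmp under the hbase_shell_ prefix if err() aborts.
            err('Failed to grant HBase privileges to %s' % traf_user)
        os.remove(shell_out)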
def __init__(self, host, logger, user='', pwd='', quiet=False):
    """Store the connection settings and pick the sudo prefix for this host.

    The prefix is chosen from ``user``:

    * empty: whatever ``get_sudo_prefix()`` returns;
    * ``'root'``: no prefix;
    * any other name: ``'sudo -n'``, i.e. sudo in non-interactive mode, which
      fails instead of prompting for a password.

    Args:
        host: name of the remote host.
        logger: logger object kept on the instance.
        user: login name; may be empty.
        pwd: password for ``user``. It is kept on the instance as given, so
            avoid dumping instance attributes into logs.
        quiet: when true, suppress output.
    """
    self.sudo_prefix = ''
    self.host, self.user, self.pwd = host, user, pwd
    self.quiet = quiet  # no output
    self.logger = logger

    if self.user:
        # A named non-root login needs sudo; root runs commands directly.
        if self.user != 'root':
            self.sudo_prefix = 'sudo -n'
    else:
        self.sudo_prefix = get_sudo_prefix()
def run(user, pwd):
    """Generate an SSH key pair locally and distribute it with the package.

    Reads ``node_list`` and ``traf_package`` from ``dbcfgs_json``, regenerates
    the key pair at ``SSHKEY_FILE``, then copies the private key, the public
    key and the package into ``/tmp`` on every node in parallel. Any node
    whose ``Remote`` instance reports a non-zero ``rc`` is passed to ``err``.

    Args:
        user: login name used for each ``Remote`` connection.
        pwd: password used for each ``Remote`` connection.
    """
    settings = json.loads(dbcfgs_json)
    targets = settings['node_list'].split(',')
    package = settings['traf_package']

    sudo = get_sudo_prefix()

    # Start from a clean slate: delete the old key files, then create new ones.
    run_cmd('%s rm -rf %s*' % (sudo, SSHKEY_FILE))
    # The key is created without a passphrase (-N ""), so anyone who can read
    # the private key file can use it.
    # NOTE(review): only `echo` runs under the sudo prefix; ssh-keygen runs as
    # the invoking user - confirm this matches the owner expected for the key.
    keygen = '%s echo -e "y" | ssh-keygen -t rsa -N "" -f %s' % (sudo, SSHKEY_FILE)
    run_cmd(keygen)

    to_copy = [SSHKEY_FILE, SSHKEY_FILE + '.pub', package]
    connections = [Remote(node, user=user, pwd=pwd) for node in targets]

    # NOTE(review): /tmp is shared by all local accounts on the node. How
    # Remote.copy sets permissions on the private key there is not shown -
    # verify it, and make sure a later step deletes the /tmp copy.
    copy_jobs = [Thread(target=conn.copy, args=(to_copy, '/tmp')) for conn in connections]

    # Launch all copies first, then wait for each one to finish.
    for job in copy_jobs:
        job.start()
    for job in copy_jobs:
        job.join()

    for conn in connections:
        if conn.rc != 0:
            err('Failed to copy files to %s' % conn.host)
def check_sudo(self):
    """Probe sudo access by running a harmless ``echo`` under the sudo prefix.

    The command's output is discarded; how a failure is reported depends on
    ``run_cmd``, which is defined elsewhere.
    """
    probe = '%s echo -n "check sudo access" > /dev/null 2>&1' % get_sudo_prefix()
    run_cmd(probe)
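def run():
    """Set up Kerberos for the Trafodion user on this host.

    Reads the installer configuration from ``dbcfgs_json`` and then:

    1. checks that the KDC answers ``kadmin ... listprincs``;
    2. creates the ``<traf_user>/<fqdn>@<realm>`` principal when it is not
       listed, and sets its ticket lifetime and renewable lifetime;
    3. writes the principal's keytab with ``ktadd`` to
       ``/etc/<traf_user>/keytab/<traf_user>.keytab``, owned by the Trafodion
       user with mode 400;
    4. runs ``kinit`` for the HDFS and HBase users from the keytabs of the
       detected distribution (CDH or HDP);
    5. appends a ticket-bootstrap snippet to the Trafodion user's ``.bashrc``.

    Fix over the earlier version: the principal name is now inside the quoted
    ``modprinc`` query. Before, it followed the closing quote, so ``modprinc``
    received no principal, and the redirect to ``/dev/null`` hid the resulting
    error.

    Security notes for maintainers:

    * The KDC admin password is passed with ``kadmin -w``, so it is part of
      the command line of every kadmin call, and of anything ``run_cmd`` /
      ``cmd_output`` record about the commands they run (not visible here -
      confirm). Prefer a mechanism that keeps it off the command line.
    * Configuration values are placed into shell command strings unquoted;
      this is only safe while the configuration comes from a trusted source.
    """
    dbcfgs = json.loads(dbcfgs_json)

    distro = dbcfgs['distro']
    admin_principal = dbcfgs['admin_principal']
    admin_passwd = dbcfgs['kdcadmin_pwd']
    kdc_server = dbcfgs['kdc_server']
    cluster_name = dbcfgs['cluster_name']
    # Lifetimes are fixed for now; the configuration keys are not read:
    # maxlife = dbcfgs['max_lifetime']
    # max_renewlife = dbcfgs['max_renew_lifetime']
    maxlife = '24hours'
    max_renewlife = '7days'
    kadmin_cmd = 'kadmin -p %s -w %s -s %s -q' % (admin_principal, admin_passwd, kdc_server)

    host_name = socket.getfqdn()
    traf_user = dbcfgs['traf_user']
    hdfs_user = '******'
    hbase_user = '******'
    # Realm is everything after the last '@' of the admin principal.
    # NOTE(review): an admin_principal without '@' makes re.match return None
    # and this line raise AttributeError.
    realm = re.match('.*@(.*)', admin_principal).groups()[0]
    traf_keytab_dir = '/etc/%s/keytab' % traf_user
    traf_keytab = '%s/%s.keytab' % (traf_keytab_dir, traf_user)
    traf_principal = '%s/%s@%s' % (traf_user, host_name, realm)
    hbase_principal = '%s/%s@%s' % (hbase_user, host_name, realm)

    ### setting start ###
    print('Checking KDC server connection')
    run_cmd('%s listprincs' % kadmin_cmd)

    # create principals and keytabs for trafodion user
    principal_exists = cmd_output('%s listprincs | grep -c %s' % (kadmin_cmd, traf_principal))
    if int(principal_exists) == 0:  # not exist
        run_cmd('%s \'addprinc -randkey %s\'' % (kadmin_cmd, traf_principal))
        # Adjust principal's maxlife and maxrenewlife. The principal must be
        # part of the quoted query so that modprinc receives it.
        run_cmd('%s \'modprinc -maxlife %s -maxrenewlife %s %s\' >/dev/null 2>&1'
                % (kadmin_cmd, maxlife, max_renewlife, traf_principal))

    run_cmd('mkdir -p %s' % traf_keytab_dir)

    # TODO: need skip add keytab if exist?
    print('Create keytab file for trafodion user')
    run_cmd('%s \'ktadd -k %s %s\'' % (kadmin_cmd, traf_keytab, traf_principal))
    # Keytab holds the principal's long-term keys: owner-only, read-only.
    run_cmd('chown %s %s' % (traf_user, traf_keytab))
    run_cmd('chmod 400 %s' % traf_keytab)

    # create principals for hdfs/hbase user
    print('Create principals for hdfs/hbase user')
    # NOTE(review): a distro that is neither CDH nor HDP leaves the keytab and
    # principal names unset, and the kinit calls below fail with a NameError.
    if 'CDH' in distro:
        hdfs_keytab = cmd_output('find /var/run/cloudera-scm-agent/process/ -name hdfs.keytab | head -n 1')
        hbase_keytab = cmd_output('find /var/run/cloudera-scm-agent/process/ -name hbase.keytab | head -n 1')
        hdfs_principal = '%s/%s@%s' % (hdfs_user, host_name, realm)
    elif 'HDP' in distro:
        hdfs_keytab = '/etc/security/keytabs/hdfs.headless.keytab'
        hbase_keytab = '/etc/security/keytabs/hbase.service.keytab'
        hdfs_principal = '%s-%s@%s' % (hdfs_user, cluster_name, realm)

    sudo_prefix = get_sudo_prefix()
    kinit_cmd_ptr = '%s su - %s -s /bin/bash -c "kinit -kt %s %s"'
    run_cmd(kinit_cmd_ptr % (sudo_prefix, hdfs_user, hdfs_keytab, hdfs_principal))
    run_cmd(kinit_cmd_ptr % (sudo_prefix, hbase_user, hbase_keytab, hbase_principal))

    print('Done creating principals and keytabs')

    kinit_bashrc = """

# ---------------------------------------------------------------
# if needed obtain and cache the Kerberos ticket-granting ticket
# start automatic ticket renewal process
# ---------------------------------------------------------------
klist -s >/dev/null 2>&1
if [[ $? -eq 1 ]]; then
    kinit -kt %s %s >/dev/null 2>&1
fi

# ---------------------------------------------------------------
# Start trafodion kerberos ticket manager process
# ---------------------------------------------------------------
$TRAF_HOME/sql/scripts/krb5service start >/dev/null 2>&1
""" % (traf_keytab, traf_principal)

    traf_bashrc = '/home/%s/.bashrc' % traf_user
    # Opened in append mode: running the setup again adds the snippet again.
    with open(traf_bashrc, 'a') as f:
        f.write(kinit_bashrc)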
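def run():
    """Set up Kerberos for the Trafodion user on this host.

    Reads the installer configuration from ``dbcfgs_json`` and then:

    1. checks that the KDC answers ``kadmin ... listprincs``;
    2. creates the ``<traf_user>/<fqdn>@<realm>`` principal when it is not
       listed, and sets its ticket lifetime and renewable lifetime;
    3. writes the principal's keytab with ``ktadd`` to
       ``/etc/<traf_user>/keytab/<traf_user>.keytab``, owned by the Trafodion
       user with mode 400;
    4. runs ``kinit`` for the HDFS and HBase users from the keytabs of the
       detected distribution (CDH or HDP);
    5. appends a ticket-bootstrap snippet to the Trafodion user's ``.bashrc``.

    Fix over the earlier version: the principal name is now inside the quoted
    ``modprinc`` query. Before, it followed the closing quote, so ``modprinc``
    received no principal, and the redirect to ``/dev/null`` hid the resulting
    error.

    Security notes for maintainers:

    * The KDC admin password is passed with ``kadmin -w``, so it is part of
      the command line of every kadmin call, and of anything ``run_cmd`` /
      ``cmd_output`` record about the commands they run (not visible here -
      confirm). Prefer a mechanism that keeps it off the command line.
    * Configuration values are placed into shell command strings unquoted;
      this is only safe while the configuration comes from a trusted source.
    """
    dbcfgs = json.loads(dbcfgs_json)

    distro = dbcfgs['distro']
    admin_principal = dbcfgs['admin_principal']
    admin_passwd = dbcfgs['kdcadmin_pwd']
    kdc_server = dbcfgs['kdc_server']
    cluster_name = dbcfgs['cluster_name']
    # Lifetimes are fixed for now; the configuration keys are not read:
    # maxlife = dbcfgs['max_lifetime']
    # max_renewlife = dbcfgs['max_renew_lifetime']
    maxlife = '24hours'
    max_renewlife = '7days'
    kadmin_cmd = 'kadmin -p %s -w %s -s %s -q' % (admin_principal, admin_passwd, kdc_server)

    host_name = socket.getfqdn()
    traf_user = dbcfgs['traf_user']
    hdfs_user = '******'
    hbase_user = '******'
    # Realm is everything after the last '@' of the admin principal.
    # NOTE(review): an admin_principal without '@' makes re.match return None
    # and this line raise AttributeError.
    realm = re.match('.*@(.*)', admin_principal).groups()[0]
    traf_keytab_dir = '/etc/%s/keytab' % traf_user
    traf_keytab = '%s/%s.keytab' % (traf_keytab_dir, traf_user)
    traf_principal = '%s/%s@%s' % (traf_user, host_name, realm)
    hbase_principal = '%s/%s@%s' % (hbase_user, host_name, realm)

    ### setting start ###
    print('Checking KDC server connection')
    run_cmd('%s listprincs' % kadmin_cmd)

    # create principals and keytabs for trafodion user
    principal_exists = cmd_output('%s listprincs | grep -c %s' % (kadmin_cmd, traf_principal))
    if int(principal_exists) == 0:  # not exist
        run_cmd('%s \'addprinc -randkey %s\'' % (kadmin_cmd, traf_principal))
        # Adjust principal's maxlife and maxrenewlife. The principal must be
        # part of the quoted query so that modprinc receives it.
        run_cmd('%s \'modprinc -maxlife %s -maxrenewlife %s %s\' >/dev/null 2>&1'
                % (kadmin_cmd, maxlife, max_renewlife, traf_principal))

    run_cmd('mkdir -p %s' % traf_keytab_dir)

    # TODO: need skip add keytab if exist?
    print('Create keytab file for trafodion user')
    run_cmd('%s \'ktadd -k %s %s\'' % (kadmin_cmd, traf_keytab, traf_principal))
    # Keytab holds the principal's long-term keys: owner-only, read-only.
    run_cmd('chown %s %s' % (traf_user, traf_keytab))
    run_cmd('chmod 400 %s' % traf_keytab)

    # create principals for hdfs/hbase user
    print('Create principals for hdfs/hbase user')
    # NOTE(review): a distro that is neither CDH nor HDP leaves the keytab and
    # principal names unset, and the kinit calls below fail with a NameError.
    if 'CDH' in distro:
        hdfs_keytab = cmd_output('find /var/run/cloudera-scm-agent/process/ -name hdfs.keytab | head -n 1')
        hbase_keytab = cmd_output('find /var/run/cloudera-scm-agent/process/ -name hbase.keytab | head -n 1')
        hdfs_principal = '%s/%s@%s' % (hdfs_user, host_name, realm)
    elif 'HDP' in distro:
        hdfs_keytab = '/etc/security/keytabs/hdfs.headless.keytab'
        hbase_keytab = '/etc/security/keytabs/hbase.service.keytab'
        hdfs_principal = '%s-%s@%s' % (hdfs_user, cluster_name, realm)

    sudo_prefix = get_sudo_prefix()
    kinit_cmd_ptr = '%s su - %s -s /bin/bash -c "kinit -kt %s %s"'
    run_cmd(kinit_cmd_ptr % (sudo_prefix, hdfs_user, hdfs_keytab, hdfs_principal))
    run_cmd(kinit_cmd_ptr % (sudo_prefix, hbase_user, hbase_keytab, hbase_principal))

    print('Done creating principals and keytabs')

    kinit_bashrc = """

# ---------------------------------------------------------------
# if needed obtain and cache the Kerberos ticket-granting ticket
# start automatic ticket renewal process
# ---------------------------------------------------------------
klist -s >/dev/null 2>&1
if [[ $? -eq 1 ]]; then
    kinit -kt %s %s >/dev/null 2>&1
fi

# ---------------------------------------------------------------
# Start trafodion kerberos ticket manager process
# ---------------------------------------------------------------
$TRAF_HOME/sql/scripts/krb5service start >/dev/null 2>&1
""" % (traf_keytab, traf_principal)

    traf_bashrc = '/home/%s/.bashrc' % traf_user
    # Opened in append mode: running the setup again adds the snippet again.
    with open(traf_bashrc, 'a') as f:
        f.write(kinit_bashrc)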
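def run():
    """Create the Trafodion directories in HDFS, set their ownership and ACLs.

    Steps, all driven by the installer configuration in ``dbcfgs_json``:

    1. pick the ``hdfs`` binary for the distribution (CDH parcel, Apache
       ``hadoop_home``, or the default);
    2. wait for HDFS to leave safe mode;
    3. create ``/user/trafodion`` with its ``trafodion_backups``, ``bulkload``
       and ``lobs`` subdirectories, plus ``/hbase/archive``;
    4. set owners, modes, the ``bulkload`` group and the ``/hbase/archive``
       ACLs that give the Trafodion user ``rwx``;
    5. when ``secure_hadoop`` is ``'Y'``, grant the Trafodion user ``RWXC``
       in HBase through ``hbase shell`` and check the output for ``ERROR``.

    The HBase shell output is captured in a file created with
    ``tempfile.mkstemp`` rather than at a fixed, predictable path in ``/tmp``.
    A fixed name in a world-writable directory can be pre-created (for
    example as a symlink) by another local account before the installer
    writes to it.

    NOTE(review): user names and paths from the configuration are placed into
    shell command strings without quoting; this is only safe while the
    configuration comes from a trusted source.
    """
    import tempfile  # function-scope: the module's import block is not visible here

    hdfs_bin = DEF_HDFS_BIN

    dbcfgs = json.loads(dbcfgs_json)
    distro = dbcfgs['distro']

    if 'CDH' in distro:
        # Only switch to the parcel binary when the parcel is actually installed.
        parcel_lib = PARCEL_HBASE_LIB
        if os.path.exists(parcel_lib):
            hdfs_bin = PARCEL_HDFS_BIN
    elif 'APACHE' in distro:
        hdfs_bin = dbcfgs['hadoop_home'] + '/bin/hdfs'

    traf_loc = '/user/trafodion'
    # Brace list is left for the shell to expand.
    # presumably run_cmd_as_user runs the command through bash - confirm.
    traf_subdirs = '%s/{trafodion_backups,bulkload,lobs}' % traf_loc
    traf_user = dbcfgs['traf_user']
    hdfs_user = dbcfgs['hdfs_user']
    hbase_user = dbcfgs['hbase_user']
    # Third space-separated field of `hdfs groups <user>` output.
    hbase_group = cmd_output('%s groups %s | cut -d" " -f3' % (hdfs_bin, hbase_user))

    run_cmd_as_user(hdfs_user, '%s dfsadmin -safemode wait' % hdfs_bin)
    run_cmd_as_user(hdfs_user, '%s dfs -mkdir -p %s /hbase/archive' % (hdfs_bin, traf_subdirs))
    run_cmd_as_user(hdfs_user, '%s dfs -chown -R %s:%s /hbase/archive' % (hdfs_bin, hbase_user, hbase_user))
    run_cmd_as_user(hdfs_user, '%s dfs -chown -R %s:%s %s %s' % (hdfs_bin, traf_user, traf_user, traf_loc, traf_subdirs))
    # Top-level directory is world-readable; the data subdirectories are not.
    run_cmd_as_user(hdfs_user, '%s dfs -chmod 0755 %s' % (hdfs_bin, traf_loc))
    run_cmd_as_user(hdfs_user, '%s dfs -chmod 0750 %s' % (hdfs_bin, traf_subdirs))
    run_cmd_as_user(hdfs_user, '%s dfs -chgrp %s %s/bulkload' % (hdfs_bin, hbase_group, traf_loc))
    # Access ACL, default ACL and mask on /hbase/archive for the Trafodion user.
    run_cmd_as_user(hdfs_user, '%s dfs -setfacl -R -m user:%s:rwx /hbase/archive' % (hdfs_bin, traf_user))
    run_cmd_as_user(hdfs_user, '%s dfs -setfacl -R -m default:user:%s:rwx /hbase/archive' % (hdfs_bin, traf_user))
    run_cmd_as_user(hdfs_user, '%s dfs -setfacl -R -m mask::rwx /hbase/archive' % hdfs_bin)

    # Grant all privileges to the Trafodion principal in HBase
    if dbcfgs['secure_hadoop'] == 'Y':
        # mkstemp creates the file exclusively with owner-only permissions, so
        # the shell redirect below writes to a file this process created.
        out_fd, shell_out = tempfile.mkstemp(prefix='hbase_shell_', suffix='.out', dir='/tmp')
        os.close(out_fd)

        run_cmd('echo "grant \'%s\', \'RWXC\'" | %s su - %s -s /bin/bash -c "hbase shell" > %s'
                % (traf_user, get_sudo_prefix(), hbase_user, shell_out))
        has_err = cmd_output('grep -c ERROR %s' % shell_out)
        if int(has_err):
            # As before, the output file is not removed on this path; it stays
            # in /tmp under the hbase_shell_ prefix if err() aborts.
            err('Failed to grant HBase privileges to %s' % traf_user)
        os.remove(shell_out)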