forked from trinodb/docker-images
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
aa18ed4
commit ccde9e5
Showing
12 changed files
with
524 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,102 @@ | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
FROM testing/hdp3.1-hive:unlabelled | ||
|
||
# INSTALL KERBEROS | ||
RUN yum install -y krb5-libs krb5-server krb5-workstation \ | ||
&& yum -y clean all && rm -rf /tmp/* /var/tmp/* | ||
|
||
# COPY CONFIGURATION | ||
COPY ./files / | ||
|
||
# Apply configuration overrides and remove them so they don't get reapplied | ||
RUN /usr/local/bin/apply-all-site-xml-overrides /overrides && rm -Rf /overrides | ||
|
||
# CREATE KERBEROS DATABASE | ||
RUN /usr/sbin/kdb5_util create -s -P password | ||
|
||
# ADD HADOOP PRINCIPALS | ||
RUN /usr/sbin/kadmin.local -q "addprinc -randkey hdfs/hadoop-master-2@OTHERREALM.COM" \ | ||
&& /usr/sbin/kadmin.local -q "addprinc -randkey mapred/hadoop-master-2@OTHERREALM.COM" \ | ||
&& /usr/sbin/kadmin.local -q "addprinc -randkey yarn/hadoop-master-2@OTHERREALM.COM" \ | ||
&& /usr/sbin/kadmin.local -q "addprinc -randkey HTTP/hadoop-master-2@OTHERREALM.COM" | ||
|
||
# CREATE HADOOP KEYTAB FILES | ||
RUN /usr/sbin/kadmin.local -q "xst -norandkey -k /etc/hadoop/conf/hdfs.keytab hdfs/hadoop-master-2 HTTP/hadoop-master-2" \ | ||
&& /usr/sbin/kadmin.local -q "xst -norandkey -k /etc/hadoop/conf/mapred.keytab mapred/hadoop-master-2 HTTP/hadoop-master-2" \ | ||
&& /usr/sbin/kadmin.local -q "xst -norandkey -k /etc/hadoop/conf/yarn.keytab yarn/hadoop-master-2 HTTP/hadoop-master-2" \ | ||
&& /usr/sbin/kadmin.local -q "xst -norandkey -k /etc/hadoop/conf/HTTP.keytab HTTP/hadoop-master-2" | ||
RUN chown hdfs:hadoop /etc/hadoop/conf/hdfs.keytab \ | ||
&& chown mapred:hadoop /etc/hadoop/conf/mapred.keytab \ | ||
&& chown yarn:hadoop /etc/hadoop/conf/yarn.keytab \ | ||
&& chown hdfs:hadoop /etc/hadoop/conf/HTTP.keytab \ | ||
&& chmod 644 /etc/hadoop/conf/*.keytab | ||
|
||
# CREATE HIVE PRINCIPAL AND KEYTAB | ||
RUN /usr/sbin/kadmin.local -q "addprinc -randkey hive/hadoop-master-2@OTHERREALM.COM" \ | ||
&& /usr/sbin/kadmin.local -q "xst -norandkey -k /etc/hive/conf/hive.keytab hive/hadoop-master-2" | ||
RUN chown hive:hadoop /etc/hive/conf/hive.keytab \ | ||
&& chmod 644 /etc/hive/conf/hive.keytab | ||
|
||
# Create legacy Presto and updated Trino principals and add them to keytabs | ||
RUN set -xeu && \ | ||
for hostname in presto-master trino-coordinator presto-worker trino-worker presto-worker-1 trino-worker-1 presto-worker-2 trino-worker-2; do \ | ||
/usr/sbin/kadmin.local -q "addprinc -randkey presto-server/${hostname}.docker.cluster@OTHERREALM.COM" \ | ||
&& /usr/sbin/kadmin.local -q "addprinc -randkey trino-server/${hostname}.docker.cluster@OTHERREALM.COM" \ | ||
&& /usr/sbin/kadmin.local -q "addprinc -randkey HTTP/${hostname}.docker.cluster@OTHERREALM.COM" \ | ||
&& /usr/sbin/kadmin.local -q "addprinc -randkey presto-client/${hostname}.docker.cluster@OTHERREALM.COM" \ | ||
&& /usr/sbin/kadmin.local -q "addprinc -randkey trino-client/${hostname}.docker.cluster@OTHERREALM.COM" \ | ||
&& /usr/sbin/kadmin.local -q "addprinc -randkey hive/${hostname}.docker.cluster@OTHERREALM.COM" \ | ||
&& mkdir -p /etc/trino/conf \ | ||
&& /usr/sbin/kadmin.local -q "xst -norandkey -k /etc/trino/conf/presto-server.keytab presto-server/${hostname}.docker.cluster" \ | ||
&& /usr/sbin/kadmin.local -q "xst -norandkey -k /etc/trino/conf/trino-server.keytab trino-server/${hostname}.docker.cluster" \ | ||
&& /usr/sbin/kadmin.local -q "xst -norandkey -k /etc/trino/conf/presto-server-HTTP.keytab HTTP/${hostname}.docker.cluster" \ | ||
&& /usr/sbin/kadmin.local -q "xst -norandkey -k /etc/trino/conf/trino-client.keytab trino-client/${hostname}.docker.cluster" \ | ||
&& /usr/sbin/kadmin.local -q "xst -norandkey -k /etc/trino/conf/presto-client.keytab presto-client/${hostname}.docker.cluster" \ | ||
&& /usr/sbin/kadmin.local -q "xst -norandkey -k /etc/trino/conf/hive-presto-master.keytab hive/${hostname}.docker.cluster"; \ | ||
done && echo "OK" && \ | ||
chmod 644 /etc/trino/conf/*.keytab | ||
|
||
# CREATE SSL KEYSTORE | ||
RUN keytool -genkeypair \ | ||
-alias presto \ | ||
-keyalg RSA \ | ||
-keystore /etc/trino/conf/keystore.jks \ | ||
-keypass password \ | ||
-storepass password \ | ||
-dname "CN=presto-master, OU=, O=, L=, S=, C=" \ | ||
-validity 100000 && \ | ||
keytool -genkeypair \ | ||
-alias trino \ | ||
-keyalg RSA \ | ||
-keystore /etc/trino/conf/keystore.jks \ | ||
-keypass password \ | ||
-storepass password \ | ||
-dname "CN=trino-coordinator, OU=, O=, L=, S=, C=" \ | ||
-validity 100000 | ||
RUN chmod 644 /etc/trino/conf/keystore.jks | ||
|
||
# Provide convenience bash history | ||
RUN set -xeu; \ | ||
for user in root hive hdfs; do \ | ||
sudo -u "${user}" bash -c ' echo "klist -kt /etc/hive/conf/hive.keytab" >> ~/.bash_history '; \ | ||
sudo -u "${user}" bash -c ' echo "kinit -kt /etc/hive/conf/hive.keytab hive/hadoop-master-2@OTHERREALM.COM" >> ~/.bash_history '; \ | ||
sudo -u "${user}" bash -c ' echo "beeline -u \"jdbc:hive2://hadoop-master-2:10000/default;principal=hive/hadoop-master-2@OTHERREALM.COM\"" >> ~/.bash_history '; \ | ||
done | ||
|
||
# EXPOSE KERBEROS PORTS | ||
EXPOSE 88 | ||
EXPOSE 89 | ||
EXPOSE 749 | ||
|
||
CMD supervisord -c /etc/supervisord.conf |
44 changes: 44 additions & 0 deletions
44
testing/hdp3.1-hive-kerberized-2/files/etc/hive/conf/hiveserver2-site.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
<?xml version="1.0"?> | ||
<!-- | ||
Licensed to the Apache Software Foundation (ASF) under one or more | ||
contributor license agreements. See the NOTICE file distributed with | ||
this work for additional information regarding copyright ownership. | ||
The ASF licenses this file to You under the Apache License, Version 2.0 | ||
(the "License"); you may not use this file except in compliance with | ||
the License. You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
--> | ||
<configuration> | ||
|
||
<!-- Disable embedded Metastore --> | ||
<property> | ||
<name>hive.metastore.uris</name> | ||
<value>thrift://localhost:9083</value> | ||
</property> | ||
|
||
<!-- Enable authentication --> | ||
<property> | ||
<name>hive.security.authenticator.manager</name> | ||
<value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value> | ||
</property> | ||
|
||
<!-- Enable authorization --> | ||
<property> | ||
<name>hive.security.authorization.manager</name> | ||
<value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value> | ||
<description>SQL standards based Hive authorization</description> | ||
</property> | ||
|
||
<property> | ||
<name>hive.security.authorization.enabled</name> | ||
<value>true</value> | ||
</property> | ||
|
||
</configuration> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
[logging] | ||
default = FILE:/var/log/krb5libs.log | ||
kdc = FILE:/var/log/krb5kdc.log | ||
admin_server = FILE:/var/log/kadmind.log | ||
|
||
[libdefaults] | ||
default_realm = OTHERREALM.COM | ||
dns_lookup_realm = false | ||
dns_lookup_kdc = false | ||
forwardable = true | ||
allow_weak_crypto = true | ||
|
||
[realms] | ||
OTHERREALM.COM = { | ||
kdc = hadoop-master-2:88 | ||
admin_server = hadoop-master-2 | ||
} |
15 changes: 15 additions & 0 deletions
15
testing/hdp3.1-hive-kerberized-2/files/etc/supervisord.d/kdc.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
[program:krb5kdc] | ||
command=/bin/bash -c "exec /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -n -r OTHERREALM.COM" | ||
autostart=true | ||
autorestart=true | ||
redirect_stderr=true | ||
stdout_logfile=/dev/stdout | ||
stdout_logfile_maxbytes=0 | ||
|
||
[program:kadmind] | ||
command=/bin/bash -c "exec /usr/sbin/kadmind -P /var/run/kadmind.pid -nofork -r OTHERREALM.COM" | ||
autostart=true | ||
autorestart=true | ||
redirect_stderr=true | ||
stdout_logfile=/dev/stdout | ||
stdout_logfile_maxbytes=0 |
55 changes: 55 additions & 0 deletions
55
testing/hdp3.1-hive-kerberized-2/files/overrides/etc/hadoop/conf/core-site.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
<?xml version="1.0"?> | ||
<!-- | ||
Licensed to the Apache Software Foundation (ASF) under one or more | ||
contributor license agreements. See the NOTICE file distributed with | ||
this work for additional information regarding copyright ownership. | ||
The ASF licenses this file to You under the Apache License, Version 2.0 | ||
(the "License"); you may not use this file except in compliance with | ||
the License. You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
--> | ||
<configuration> | ||
|
||
<property> | ||
<name>fs.defaultFS</name> | ||
<value>hdfs://hadoop-master-2:9000</value> | ||
</property> | ||
|
||
<!-- Trino impersonation --> | ||
<property> | ||
<name>hadoop.proxyuser.presto-server.groups</name> | ||
<value>*</value> | ||
</property> | ||
|
||
<property> | ||
<name>hadoop.proxyuser.presto-server.hosts</name> | ||
<value>*</value> | ||
</property> | ||
|
||
<!-- Enable authentication --> | ||
<property> | ||
<name>hadoop.security.authentication</name> | ||
<value>kerberos</value> | ||
</property> | ||
|
||
<property> | ||
<name>hadoop.security.authorization</name> | ||
<value>true</value> | ||
</property> | ||
|
||
<property> | ||
<name>hadoop.security.auth_to_local</name> | ||
<value> | ||
RULE:[2:$1@$0](.*@OTHERLABS.TERADATA.COM)s/@.*// | ||
DEFAULT | ||
</value> | ||
</property> | ||
|
||
</configuration> |
89 changes: 89 additions & 0 deletions
89
testing/hdp3.1-hive-kerberized-2/files/overrides/etc/hadoop/conf/hdfs-site.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,89 @@ | ||
<?xml version="1.0"?> | ||
<!-- | ||
~ Licensed under the Apache License, Version 2.0 (the "License"); | ||
~ you may not use this file except in compliance with the License. | ||
~ You may obtain a copy of the License at | ||
~ | ||
~ http://www.apache.org/licenses/LICENSE-2.0 | ||
~ | ||
~ Unless required by applicable law or agreed to in writing, software | ||
~ distributed under the License is distributed on an "AS IS" BASIS, | ||
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
~ See the License for the specific language governing permissions and | ||
~ limitations under the License. | ||
~ | ||
--> | ||
<configuration> | ||
|
||
<!-- General HDFS security config --> | ||
<property> | ||
<name>dfs.block.access.token.enable</name> | ||
<value>true</value> | ||
</property> | ||
|
||
<!-- NameNode security config --> | ||
<property> | ||
<name>dfs.namenode.keytab.file</name> | ||
<value>/etc/hadoop/conf/hdfs.keytab</value> <!-- path to the HDFS keytab --> | ||
</property> | ||
<property> | ||
<name>dfs.namenode.kerberos.principal</name> | ||
<value>hdfs/hadoop-master-2@OTHERREALM.COM</value> | ||
</property> | ||
<property> | ||
<name>dfs.namenode.kerberos.internal.spnego.principal</name> | ||
<value>HTTP/hadoop-master-2@OTHERREALM.COM</value> | ||
</property> | ||
|
||
<!-- Secondary NameNode security config --> | ||
<property> | ||
<name>dfs.secondary.namenode.keytab.file</name> | ||
<value>/etc/hadoop/conf/hdfs.keytab</value> <!-- path to the HDFS keytab --> | ||
</property> | ||
<property> | ||
<name>dfs.secondary.namenode.kerberos.principal</name> | ||
<value>hdfs/hadoop-master-2@OTHERREALM.COM</value> | ||
</property> | ||
<property> | ||
<name>dfs.secondary.namenode.kerberos.internal.spnego.principal</name> | ||
<value>HTTP/hadoop-master-2@OTHERREALM.COM</value> | ||
</property> | ||
|
||
<!-- DataNode security config --> | ||
<property> | ||
<name>dfs.datanode.keytab.file</name> | ||
<value>/etc/hadoop/conf/hdfs.keytab</value> <!-- path to the HDFS keytab --> | ||
</property> | ||
<property> | ||
<name>dfs.datanode.kerberos.principal</name> | ||
<value>hdfs/hadoop-master-2@OTHERREALM.COM</value> | ||
</property> | ||
|
||
<!-- WebHDFS security config --> | ||
<property> | ||
<name>dfs.webhdfs.enabled</name> | ||
<value>true</value> | ||
</property> | ||
|
||
<!-- Web Authentication config --> | ||
<property> | ||
<name>dfs.web.authentication.kerberos.principal</name> | ||
<value>HTTP/hadoop-master-2@OTHERREALM.COM</value> | ||
</property> | ||
|
||
<property> | ||
<name>dfs.web.authentication.kerberos.keytab</name> | ||
<value>/etc/hadoop/conf/HTTP.keytab</value> <!-- path to the HTTP keytab --> | ||
</property> | ||
|
||
<property> | ||
<name>ignore.secure.ports.for.testing</name> | ||
<value>true</value> | ||
</property> | ||
|
||
<property> | ||
<name>dfs.http.policy</name> | ||
<value>HTTP_ONLY</value> | ||
</property> | ||
|
||
</configuration> |
68 changes: 68 additions & 0 deletions
68
testing/hdp3.1-hive-kerberized-2/files/overrides/etc/hadoop/conf/mapred-site.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,68 @@ | ||
<?xml version="1.0"?> | ||
<!-- | ||
Licensed to the Apache Software Foundation (ASF) under one or more | ||
contributor license agreements. See the NOTICE file distributed with | ||
this work for additional information regarding copyright ownership. | ||
The ASF licenses this file to You under the Apache License, Version 2.0 | ||
(the "License"); you may not use this file except in compliance with | ||
the License. You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
--> | ||
<configuration> | ||
|
||
<property> | ||
<name>mapred.job.tracker</name> | ||
<value>hadoop-master-2:8021</value> | ||
</property> | ||
|
||
<property> | ||
<name>mapreduce.jobhistory.address</name> | ||
<value>hadoop-master-2:10020</value> | ||
</property> | ||
|
||
<property> | ||
<name>mapreduce.jobhistory.webapp.address</name> | ||
<value>hadoop-master-2:19888</value> | ||
</property> | ||
|
||
<!-- MapReduce Job History Server security configs --> | ||
<property> | ||
<name>mapreduce.jobhistory.keytab</name> | ||
<value>/etc/hadoop/conf/mapred.keytab</value> <!-- path to the MAPRED keytab for the Job History Server --> | ||
</property> | ||
|
||
<property> | ||
<name>mapreduce.jobhistory.principal</name> | ||
<value>mapred/hadoop-master-2@OTHERREALM.COM</value> | ||
</property> | ||
|
||
<!-- JobTracker security configs --> | ||
<property> | ||
<name>mapreduce.jobtracker.kerberos.principal</name> | ||
<value>mapred/hadoop-master-2@OTHERREALM.COM</value> | ||
</property> | ||
|
||
<property> | ||
<name>mapreduce.jobtracker.keytab.file</name> | ||
<value>/etc/hadoop/conf/mapred.keytab</value> <!-- path to the MapReduce keytab --> | ||
</property> | ||
|
||
<!-- TaskTracker security configs --> | ||
<property> | ||
<name>mapreduce.tasktracker.kerberos.principal</name> | ||
<value>mapred/hadoop-master-2@OTHERREALM.COM</value> | ||
</property> | ||
|
||
<property> | ||
<name>mapreduce.tasktracker.keytab.file</name> | ||
<value>/etc/hadoop/conf/mapred.keytab</value> <!-- path to the MapReduce keytab --> | ||
</property> | ||
|
||
</configuration> |
Oops, something went wrong.