Add kerberized-2 variant for hdp3

testing/hdp3.1-hive-kerberized-2/Dockerfile

@@ -0,0 +1,102 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM testing/hdp3.1-hive:unlabelled
+
+# INSTALL KERBEROS
+RUN yum install -y krb5-libs krb5-server krb5-workstation \
+  && yum -y clean all && rm -rf /tmp/* /var/tmp/*
+
+# COPY CONFIGURATION
+COPY ./files /
+
+# Apply configuration overrides and remove them so they don't get reapplied
+RUN /usr/local/bin/apply-all-site-xml-overrides /overrides && rm -Rf /overrides
+
+# CREATE KERBEROS DATABASE
+RUN /usr/sbin/kdb5_util create -s -P password
+
+# ADD HADOOP PRINCIPALS
+RUN /usr/sbin/kadmin.local -q "addprinc -randkey hdfs/hadoop-master-2@OTHERREALM.COM" \
+  && /usr/sbin/kadmin.local -q "addprinc -randkey mapred/hadoop-master-2@OTHERREALM.COM" \
+  && /usr/sbin/kadmin.local -q "addprinc -randkey yarn/hadoop-master-2@OTHERREALM.COM" \
+  && /usr/sbin/kadmin.local -q "addprinc -randkey HTTP/hadoop-master-2@OTHERREALM.COM"
+
+# CREATE HADOOP KEYTAB FILES
+RUN /usr/sbin/kadmin.local -q "xst -norandkey -k /etc/hadoop/conf/hdfs.keytab hdfs/hadoop-master-2 HTTP/hadoop-master-2" \
+  && /usr/sbin/kadmin.local -q "xst -norandkey -k /etc/hadoop/conf/mapred.keytab mapred/hadoop-master-2 HTTP/hadoop-master-2" \
+  && /usr/sbin/kadmin.local -q "xst -norandkey -k /etc/hadoop/conf/yarn.keytab yarn/hadoop-master-2 HTTP/hadoop-master-2" \
+  && /usr/sbin/kadmin.local -q "xst -norandkey -k /etc/hadoop/conf/HTTP.keytab HTTP/hadoop-master-2"
+RUN chown hdfs:hadoop /etc/hadoop/conf/hdfs.keytab \
+  && chown mapred:hadoop /etc/hadoop/conf/mapred.keytab \
+  && chown yarn:hadoop /etc/hadoop/conf/yarn.keytab \
+  && chown hdfs:hadoop /etc/hadoop/conf/HTTP.keytab \
+  && chmod 644 /etc/hadoop/conf/*.keytab
+
+# CREATE HIVE PRINCIPAL AND KEYTAB
+RUN /usr/sbin/kadmin.local -q "addprinc -randkey hive/hadoop-master-2@OTHERREALM.COM" \
+  && /usr/sbin/kadmin.local -q "xst -norandkey -k /etc/hive/conf/hive.keytab hive/hadoop-master-2"
+RUN chown hive:hadoop /etc/hive/conf/hive.keytab \
+  && chmod 644 /etc/hive/conf/hive.keytab
+
+# Create legacy Presto and updated Trino principals and add them to keytabs
+RUN set -xeu && \
+  for hostname in presto-master trino-coordinator presto-worker trino-worker presto-worker-1 trino-worker-1 presto-worker-2 trino-worker-2; do \
+      /usr/sbin/kadmin.local -q "addprinc -randkey presto-server/${hostname}.docker.cluster@OTHERREALM.COM" \
+      && /usr/sbin/kadmin.local -q "addprinc -randkey trino-server/${hostname}.docker.cluster@OTHERREALM.COM" \
+      && /usr/sbin/kadmin.local -q "addprinc -randkey HTTP/${hostname}.docker.cluster@OTHERREALM.COM" \
+      && /usr/sbin/kadmin.local -q "addprinc -randkey presto-client/${hostname}.docker.cluster@OTHERREALM.COM" \
+      && /usr/sbin/kadmin.local -q "addprinc -randkey trino-client/${hostname}.docker.cluster@OTHERREALM.COM" \
+      && /usr/sbin/kadmin.local -q "addprinc -randkey hive/${hostname}.docker.cluster@OTHERREALM.COM" \
+      && mkdir -p /etc/trino/conf \
+      && /usr/sbin/kadmin.local -q "xst -norandkey -k /etc/trino/conf/presto-server.keytab presto-server/${hostname}.docker.cluster" \
+      && /usr/sbin/kadmin.local -q "xst -norandkey -k /etc/trino/conf/trino-server.keytab trino-server/${hostname}.docker.cluster" \
+      && /usr/sbin/kadmin.local -q "xst -norandkey -k /etc/trino/conf/presto-server-HTTP.keytab HTTP/${hostname}.docker.cluster" \
+      && /usr/sbin/kadmin.local -q "xst -norandkey -k /etc/trino/conf/trino-client.keytab trino-client/${hostname}.docker.cluster" \
+      && /usr/sbin/kadmin.local -q "xst -norandkey -k /etc/trino/conf/presto-client.keytab presto-client/${hostname}.docker.cluster" \
+      && /usr/sbin/kadmin.local -q "xst -norandkey -k /etc/trino/conf/hive-presto-master.keytab hive/${hostname}.docker.cluster"; \
+  done && echo "OK" && \
+  chmod 644 /etc/trino/conf/*.keytab
+
+# CREATE SSL KEYSTORE
+RUN keytool -genkeypair \
+    -alias presto \
+    -keyalg RSA \
+    -keystore /etc/trino/conf/keystore.jks \
+    -keypass password \
+    -storepass password \
+    -dname "CN=presto-master, OU=, O=, L=, S=, C=" \
+    -validity 100000 && \
+    keytool -genkeypair \
+    -alias trino \
+    -keyalg RSA \
+    -keystore /etc/trino/conf/keystore.jks \
+    -keypass password \
+    -storepass password \
+    -dname "CN=trino-coordinator, OU=, O=, L=, S=, C=" \
+    -validity 100000
+RUN chmod 644 /etc/trino/conf/keystore.jks
+
+# Provide convenience bash history
+RUN set -xeu; \
+    for user in root hive hdfs; do \
+        sudo -u "${user}" bash -c ' echo "klist -kt /etc/hive/conf/hive.keytab" >> ~/.bash_history '; \
+        sudo -u "${user}" bash -c ' echo "kinit -kt /etc/hive/conf/hive.keytab hive/hadoop-master-2@OTHERREALM.COM" >> ~/.bash_history '; \
+        sudo -u "${user}" bash -c ' echo "beeline -u \"jdbc:hive2://hadoop-master-2:10000/default;principal=hive/hadoop-master-2@OTHERREALM.COM\"" >> ~/.bash_history '; \
+    done
+
+# EXPOSE KERBEROS PORTS
+EXPOSE	88
+EXPOSE	89
+EXPOSE	749
+
+CMD supervisord -c /etc/supervisord.conf

testing/hdp3.1-hive-kerberized-2/files/etc/hive/conf/hiveserver2-site.xml

@@ -0,0 +1,44 @@
+<?xml version="1.0"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<configuration>
+
+    <!-- Disable embedded Metastore -->
+    <property>
+        <name>hive.metastore.uris</name>
+        <value>thrift://localhost:9083</value>
+    </property>
+
+    <!-- Enable authentication -->
+    <property>
+        <name>hive.security.authenticator.manager</name>
+        <value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value>
+    </property>
+
+    <!-- Enable authorization -->
+    <property>
+        <name>hive.security.authorization.manager</name>
+        <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value>
+        <description>SQL standards based Hive authorization</description>
+    </property>
+
+    <property>
+        <name>hive.security.authorization.enabled</name>
+        <value>true</value>
+    </property>
+
+</configuration>

testing/hdp3.1-hive-kerberized-2/files/etc/krb5.conf

@@ -0,0 +1,17 @@
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ default_realm = OTHERREALM.COM
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ forwardable = true
+ allow_weak_crypto = true
+
+[realms]
+ OTHERREALM.COM = {
+  kdc = hadoop-master-2:88
+  admin_server = hadoop-master-2
+ }

testing/hdp3.1-hive-kerberized-2/files/etc/supervisord.d/kdc.conf

@@ -0,0 +1,15 @@
+[program:krb5kdc]
+command=/bin/bash -c "exec /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid -n -r OTHERREALM.COM"
+autostart=true
+autorestart=true
+redirect_stderr=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+
+[program:kadmind]
+command=/bin/bash -c "exec /usr/sbin/kadmind -P /var/run/kadmind.pid -nofork -r OTHERREALM.COM"
+autostart=true
+autorestart=true
+redirect_stderr=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0

testing/hdp3.1-hive-kerberized-2/files/overrides/etc/hadoop/conf/core-site.xml

@@ -0,0 +1,55 @@
+<?xml version="1.0"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<configuration>
+
+    <property>
+        <name>fs.defaultFS</name>
+        <value>hdfs://hadoop-master-2:9000</value>
+    </property>
+
+    <!-- Trino impersonation -->
+    <property>
+        <name>hadoop.proxyuser.presto-server.groups</name>
+        <value>*</value>
+    </property>
+
+    <property>
+        <name>hadoop.proxyuser.presto-server.hosts</name>
+        <value>*</value>
+    </property>
+
+    <!-- Enable authentication -->
+    <property>
+        <name>hadoop.security.authentication</name>
+        <value>kerberos</value>
+    </property>
+
+    <property>
+        <name>hadoop.security.authorization</name>
+        <value>true</value>
+    </property>
+
+    <property>
+        <name>hadoop.security.auth_to_local</name>
+        <value>
+            RULE:[2:$1@$0](.*@OTHERLABS.TERADATA.COM)s/@.*//
+            DEFAULT
+        </value>
+    </property>
+
+</configuration>

testing/hdp3.1-hive-kerberized-2/files/overrides/etc/hadoop/conf/hdfs-site.xml

@@ -0,0 +1,89 @@
+<?xml version="1.0"?>
+<!--
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  ~
+  -->
+<configuration>
+
+    <!-- General HDFS security config -->
+    <property>
+        <name>dfs.block.access.token.enable</name>
+        <value>true</value>
+    </property>
+
+    <!-- NameNode security config -->
+    <property>
+        <name>dfs.namenode.keytab.file</name>
+        <value>/etc/hadoop/conf/hdfs.keytab</value> <!-- path to the HDFS keytab -->
+    </property>
+    <property>
+        <name>dfs.namenode.kerberos.principal</name>
+        <value>hdfs/hadoop-master-2@OTHERREALM.COM</value>
+    </property>
+    <property>
+        <name>dfs.namenode.kerberos.internal.spnego.principal</name>
+        <value>HTTP/hadoop-master-2@OTHERREALM.COM</value>
+    </property>
+
+    <!-- Secondary NameNode security config -->
+    <property>
+        <name>dfs.secondary.namenode.keytab.file</name>
+        <value>/etc/hadoop/conf/hdfs.keytab</value> <!-- path to the HDFS keytab -->
+    </property>
+    <property>
+        <name>dfs.secondary.namenode.kerberos.principal</name>
+        <value>hdfs/hadoop-master-2@OTHERREALM.COM</value>
+    </property>
+    <property>
+        <name>dfs.secondary.namenode.kerberos.internal.spnego.principal</name>
+        <value>HTTP/hadoop-master-2@OTHERREALM.COM</value>
+    </property>
+
+    <!-- DataNode security config -->
+    <property>
+        <name>dfs.datanode.keytab.file</name>
+        <value>/etc/hadoop/conf/hdfs.keytab</value> <!-- path to the HDFS keytab -->
+    </property>
+    <property>
+        <name>dfs.datanode.kerberos.principal</name>
+        <value>hdfs/hadoop-master-2@OTHERREALM.COM</value>
+    </property>
+
+    <!-- WebHDFS security config -->
+    <property>
+        <name>dfs.webhdfs.enabled</name>
+        <value>true</value>
+    </property>
+
+    <!-- Web Authentication config -->
+    <property>
+        <name>dfs.web.authentication.kerberos.principal</name>
+        <value>HTTP/hadoop-master-2@OTHERREALM.COM</value>
+    </property>
+
+    <property>
+        <name>dfs.web.authentication.kerberos.keytab</name>
+        <value>/etc/hadoop/conf/HTTP.keytab</value> <!-- path to the HTTP keytab -->
+    </property>
+
+    <property>
+        <name>ignore.secure.ports.for.testing</name>
+        <value>true</value>
+    </property>
+
+    <property>
+        <name>dfs.http.policy</name>
+        <value>HTTP_ONLY</value>
+    </property>
+
+</configuration>

testing/hdp3.1-hive-kerberized-2/files/overrides/etc/hadoop/conf/mapred-site.xml

@@ -0,0 +1,68 @@
+<?xml version="1.0"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<configuration>
+
+    <property>
+        <name>mapred.job.tracker</name>
+        <value>hadoop-master-2:8021</value>
+    </property>
+
+    <property>
+        <name>mapreduce.jobhistory.address</name>
+        <value>hadoop-master-2:10020</value>
+    </property>
+
+    <property>
+        <name>mapreduce.jobhistory.webapp.address</name>
+        <value>hadoop-master-2:19888</value>
+    </property>
+
+    <!-- MapReduce Job History Server security configs -->
+    <property>
+        <name>mapreduce.jobhistory.keytab</name>
+        <value>/etc/hadoop/conf/mapred.keytab</value>    <!-- path to the MAPRED keytab for the Job History Server -->
+    </property>
+
+    <property>
+        <name>mapreduce.jobhistory.principal</name>
+        <value>mapred/hadoop-master-2@OTHERREALM.COM</value>
+    </property>
+
+    <!-- JobTracker security configs -->
+    <property>
+        <name>mapreduce.jobtracker.kerberos.principal</name>
+        <value>mapred/hadoop-master-2@OTHERREALM.COM</value>
+    </property>
+
+    <property>
+        <name>mapreduce.jobtracker.keytab.file</name>
+        <value>/etc/hadoop/conf/mapred.keytab</value> <!-- path to the MapReduce keytab -->
+    </property>
+
+    <!-- TaskTracker security configs -->
+    <property>
+        <name>mapreduce.tasktracker.kerberos.principal</name>
+        <value>mapred/hadoop-master-2@OTHERREALM.COM</value>
+    </property>
+
+    <property>
+        <name>mapreduce.tasktracker.keytab.file</name>
+        <value>/etc/hadoop/conf/mapred.keytab</value> <!-- path to the MapReduce keytab -->
+    </property>
+
+</configuration>