...
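#!/usr/bin/env bash
# Ensure a FreeIPA service principal exists and write its keytab to disk.
#
# Arguments:
#   $1 - path the keytab is written to
#   $2 - service principal to create / fetch the keytab for
#   $3 - max renewable life (passed by the caller; not used by this script)
# Environment:
#   IPA_DM_PASSWORD - Directory Manager bind password, needed only when an
#                     existing keytab is retrieved (-r). It replaces the
#                     password that was previously hard-coded on the -w flag.
set -e
set -x
# The keytab must never be group/world readable, not even in the window
# between ipa-getkeytab creating it and the chmod at the end.
umask 077
# Explicitly add RHEL5/6, SLES11/12 locations to path
export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:$PATH

KEYTAB_OUT=$1
PRINC=$2
# shellcheck disable=SC2034 — supplied by the caller, unused here
MAX_RENEW_LIFE=$3

# `ipa env server` prints "  server: <host>"; strip the label.
IPASERVER=$(ipa env server | sed 's/ server: //g')

kinit -kt /opt/cloudera/freeipa/admin.keytab admin
# Discard the admin ticket on every exit path, not only after success.
trap kdestroy EXIT

if ipa service-find "$PRINC"; then
  echo "Service principle $PRINC found"
else
  echo "Service principle $PRINC not created, creating"
  ipa service-add "$PRINC" --pac-type=NONE
fi

# A principal whose keytab was never generated shows "Keytab: False".
if ipa service-show "$PRINC" | grep 'Keytab' | grep 'False'; then
  echo "Creating keytab for $PRINC for $KEYTAB_OUT"
  ipa-getkeytab -s "$IPASERVER" -p "$PRINC" -k "$KEYTAB_OUT"
else
  echo "Retrieving keytab for $PRINC for $KEYTAB_OUT"
  : "${IPA_DM_PASSWORD:?IPA_DM_PASSWORD must be set to retrieve an existing keytab}"
  # Keep the bind password out of the xtrace output.
  set +x
  ipa-getkeytab -r -s "$IPASERVER" -p "$PRINC" -k "$KEYTAB_OUT" \
    -D "cn=directory manager" -w "$IPA_DM_PASSWORD"
  set -x
fi
chmod 600 "$KEYTAB_OUT"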
脚本有两个问题:一个是不能直接使用第一个步骤中生成的 admin 的 keytab,另外一个是需要显式地把 ldap 密码写入到脚本中,这种方式并不安全。
于是我直接修改 /usr/share/cmf/bin 下的安装脚本,使 CM 能直接将 kinit 的参数传入,然后通过修改权限,让本机和本用户可以获取 service principal 的 keytab。
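#!/usr/bin/env bash
# Copyright (c) 2011 Cloudera, Inc. All rights reserved.
#
# Ensure a FreeIPA service principal exists, grant the CM principal and this
# host the right to create/retrieve its keytab, and write the keytab to disk.
#
# Arguments:
#   $1 - path the keytab is written to
#   $2 - service principal to create / fetch the keytab for
#   $3 - max renewable life (passed by the caller; not used by this script)
# Environment (provided by Cloudera Manager):
#   CMF_PRINCIPAL   - principal used for kinit, e.g. user@REALM (constructed example)
#   CMF_KEYTAB_FILE - keytab holding the key for CMF_PRINCIPAL
set -e
set -x
# The keytab must never be group/world readable, not even in the window
# between ipa-getkeytab creating it and the chmod at the end.
umask 077
# Explicitly add RHEL5/6, SLES11/12 locations to path
export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:$PATH

: "${CMF_PRINCIPAL:?CMF_PRINCIPAL must be set}"
: "${CMF_KEYTAB_FILE:?CMF_KEYTAB_FILE must be set}"
# Split user@REALM into its two halves.
CMF_USER=${CMF_PRINCIPAL%%@*}
# shellcheck disable=SC2034 — kept for parity with the caller's environment
CMF_REALM=${CMF_PRINCIPAL##*@}

KEYTAB_OUT=$1
PRINC=$2
# shellcheck disable=SC2034 — supplied by the caller, unused here
MAX_RENEW_LIFE=$3

# NOTE(review): with MIT kinit, -p requests a proxiable ticket and the
# principal is the positional argument — confirm that is what is intended.
kinit -k -t "$CMF_KEYTAB_FILE" -p "$CMF_PRINCIPAL"
# Discard the ticket on every exit path, not only after success.
trap kdestroy EXIT

# `ipa env ...` prints "  <key>: <value>"; strip the label.
IPASERVER=$(ipa env server | sed 's/ server: //g')
IPACLIENT=$(ipa env host | sed 's/ host: //g')

if ipa service-find "$PRINC"; then
  echo "Service principle $PRINC found"
else
  echo "Service principle $PRINC not created, creating"
  ipa service-add "$PRINC" --pac-type=NONE
fi

# Let the CM user on this host manage the keytab without Directory Manager
# credentials; this is what removes the need for a bind password below.
ipa service-allow-create-keytab --users="$CMF_USER" --hosts="$IPACLIENT" "$PRINC"
ipa service-allow-retrieve-keytab --users="$CMF_USER" --hosts="$IPACLIENT" "$PRINC"

# A principal whose keytab was never generated shows "Keytab: False".
if ipa service-show "$PRINC" | grep 'Keytab' | grep 'False'; then
  echo "Creating keytab for $PRINC for $KEYTAB_OUT"
  ipa-getkeytab -s "$IPASERVER" -p "$PRINC" -k "$KEYTAB_OUT"
else
  echo "Retrieving keytab for $PRINC for $KEYTAB_OUT"
  ipa-getkeytab -r -s "$IPASERVER" -p "$PRINC" -k "$KEYTAB_OUT"
fi
chmod 600 "$KEYTAB_OUT"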
krb5kdc - Kerberos V5 KDC
...