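├── README.md
├── goKerberos_afterCMwizard.sh
└── goKerberos_beforeCM.sh
/README.md:
--------------------------------------------------------------------------------
# quickKerberos

--------------------------------------------------------------------------------
/goKerberos_afterCMwizard.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# (c) copyright 2014 martin lurie sample code not supported
#
# Smoke-test the quickstart cluster after the Cloudera Manager (CM) Kerberos
# wizard has run: get a ticket, create/remove a directory in HDFS as the HDFS
# superuser, then run the sample pi job as an ordinary principal.
#
# -e: stop at the first failure (e.g. a rejected kinit) instead of running the
# remaining hadoop commands with whatever ticket happens to be in the cache.
set -euo pipefail
# command trace for debugging; kinit prompts for the password interactively,
# so no secret ends up in the trace output
set -x

# CM still needs the kerberos admin credentials imported by hand
# (admin -> kerb -> import credentials); wait for the operator to do it.
# These messages are quoted: in the original the unquoted '>' was a shell
# redirection, so the hint was written to a file named "import" (and an empty
# file "kerb") instead of being shown on the screen.
echo 'have to import credentials into CM'
echo 'admin -> kerb > import credentials'
echo 'Hit enter when you are ready to proceed'
read -r _

# superuser check: create and remove a scratch directory in HDFS
kinit hdfs@CLOUDERA
hadoop fs -mkdir /eraseme
hadoop fs -rmdir /eraseme
# drop the HDFS superuser ticket before switching to an unprivileged user, so
# no later step can accidentally run with it (kinit leaves the old cache in
# place if it fails)
kdestroy

# Error you will see if the job is submitted without a ticket / as a local
# account whose uid is below the cluster's minimum allowed user id:
#   Application initialization failed (exitCode=255) with output:
#   Requested user cloudera is not whitelisted and has id 501,which is below the minimum allowed 1000
echo 'Requested user cloudera is not whitelisted and has id 501,which is below the minimum allowed 1000'
echo 'must kinit prior to using cluster'

# run the sample MapReduce job as a regular principal
kinit cloudera@CLOUDERA
hadoop jar /usr/lib/hadoop-0.20-mapreduce/hadoop-examples.jar pi 10 10000
--------------------------------------------------------------------------------
/goKerberos_beforeCM.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# (c) copyright 2014 martin lurie sample code not supported

# reminder to activate CM in the quickstart
echo 'Activate CM in the quickstart vmware image'
echo 'Hit enter when you are ready to proceed'
# pause until the user hits enter
read -r _
# for debugging - set -x

# fix the permissions in the quickstart vm
# may not be an issue in later versions of the vm
# this fixes the following error
#   failed to start File /etc/hadoop must not be world
#   or group writable, but is 775
#   File /etc must not be world or group writable, but is 775
#
# run this as root
# to become root
#   sudo su -
cd /root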
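# /etc and /etc/hadoop ship group-writable (775) in the quickstart VM, which
# the agents refuse to start with; tighten them to 755
chmod 755 /etc
chmod 755 /etc/hadoop

# install the kerberos components: KDC + admin server, workstation tools
# (kinit/klist/kadmin) and the ldap client utilities
yum install -y krb5-server krb5-workstation openldap-clients

# update the config files for the realm name and hostname in the quickstart VM.
# Notice the -i.xxx for sed: it creates an automatic backup of the file before
# editing in place. Use a distinct suffix for every edit of the same file so
# that each step stays recoverable.
#
# set the Realm
sed -i.orig 's/EXAMPLE.COM/CLOUDERA/g' /etc/krb5.conf
# set the hostname for the kerberos server
sed -i.m1 's/kerberos.example.com/quickstart.cloudera/g' /etc/krb5.conf
# change domain name to cloudera
sed -i.m2 's/example.com/cloudera/g' /etc/krb5.conf

# download UnlimitedJCEPolicyJDK7.zip from Oracle into the /root directory;
# we will use this for full strength 256 bit encryption (AES-256 enctypes).
# Obtain it directly from Oracle over HTTPS and check its integrity before
# running this step: the two jars replace the JVM's crypto policy for every
# Java process on the box.
JCE_ZIP=/root/UnlimitedJCEPolicyJDK7.zip
# the JDK bundled with the quickstart VM; adjust if your JDK lives elsewhere
JAVA_DIR=/usr/java/jdk1.7.0_67-cloudera
# fail early instead of backing up the jars and then silently copying nothing
if [[ ! -f "$JCE_ZIP" ]]; then
  echo "missing $JCE_ZIP - download it from Oracle into /root first" >&2
  exit 1
fi

mkdir -p /root/jce
cd /root/jce || exit 1
unzip "$JCE_ZIP" || exit 1
# save the original jar files (restore by copying the .orig files back)
cp "$JAVA_DIR/jre/lib/security/local_policy.jar" local_policy.jar.orig
cp "$JAVA_DIR/jre/lib/security/US_export_policy.jar" US_export_policy.jar.orig

# copy the new jars into place
cp /root/jce/UnlimitedJCEPolicy/local_policy.jar "$JAVA_DIR/jre/lib/security/local_policy.jar"
cp /root/jce/UnlimitedJCEPolicy/US_export_policy.jar "$JAVA_DIR/jre/lib/security/US_export_policy.jar"

# now create the kerberos database.
# -s also writes a stash file next to kdc.conf in /var/kerberos/krb5kdc holding
# the master key, so the KDC can start unattended; that file is as sensitive
# as the database itself and must stay readable by root only.
# The password hint is printed BEFORE the prompt (the original printed it
# afterwards, when the password had already been typed).
echo 'suggested password for the throwaway quickstart VM is cloudera'
echo 'this master password protects the whole realm database - use a strong one on any realm that outlives the demo'
kdb5_util create -s

# update the kdc.conf file
sed -i.orig 's/EXAMPLE.COM/CLOUDERA/g' /var/kerberos/krb5kdc/kdc.conf
# this will add a line to the file with ticket life
sed -i.m1 '/dict_file/a max_life = 1d' /var/kerberos/krb5kdc/kdc.conf
# add a max renewable life
sed -i.m2 '/dict_file/a max_renewable_life = 7d' /var/kerberos/krb5kdc/kdc.conf
# indent the two new lines in the file
sed -i.m3 's/^max_/ max_/' /var/kerberos/krb5kdc/kdc.conf

# the acl file needs to be updated so the */admin
# is enabled with admin privileges.
# NOTE: after this substitution the wildcard rule reads */admin@CLOUDERA, i.e.
# EVERY principal whose instance is /admin receives the admin rights the stock
# file grants (all of them in the distribution default). Fine for the demo VM;
# on a real realm list the specific admin principals instead.
# Keep a backup like the other edits (the original used a bare -i here).
sed -i.orig 's/EXAMPLE.COM/CLOUDERA/' /var/kerberos/krb5kdc/kadm5.acl

# The kerberos authorization tickets need to be renewable
# if not the Hue service will show bad (red) status
# and the Hue "Kerberos Ticket Renewer" will not start
# the error message in the log will look like this:
#  kt_renewer   ERROR    Couldn't renew kerberos ticket in
#  order to work around Kerberos 1.8.1 issue.
#  Please check that the ticket for 'hue/quickstart.cloudera'
#  is still renewable

# update the kdc.conf file to allow renewable.
# This is a realm-wide default for every principal created afterwards, and it
# also sets +forwardable: any service handed a forwarded TGT can then act as
# that user. Hadoop's renewer/delegation flow relies on renewable tickets;
# be deliberate about forwardable outside the demo.
# Backup suffix .m4/.m5: the original reused .m3 for this second edit of
# kdc.conf, which overwrote the backup taken by the indent step above.
sed -i.m4 '/supported_enctypes/a default_principal_flags = +renewable, +forwardable' /var/kerberos/krb5kdc/kdc.conf
# fix the indenting
sed -i.m5 's/^default_principal_flags/  default_principal_flags/' /var/kerberos/krb5kdc/kdc.conf

# start up the kdc server and the admin server
service krb5kdc start
service kadmin start

# There is an additional error message you may encounter;
# this requires an update to the krbtgt principal (its maxrenewlife must be
# non-zero, otherwise no ticket in the realm can be renewed)

# 5:39:59 PM ERROR kt_renewer
#
# Couldn't renew kerberos ticket in order to work around
# Kerberos 1.8.1 issue. Please check that the ticket
# for 'hue/quickstart.cloudera' is still renewable:
#  $ kinit -f -c /tmp/hue_krb5_ccache
# If the 'renew until' date is the same as the 'valid starting'
# date, the ticket cannot be renewed. Please check your
# KDC configuration, and the ticket renewal policy
# (maxrenewlife) for the 'hue/quickstart.cloudera'
# and `krbtgt' principals.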
108 | # 109 | 110 | kadmin.local < 115 | # cloudera-scm/admin@YOUR-LOCAL-REALM.COM 116 | 117 | # add the admin user that CM will use to provision 118 | # kerberos in the cluster 119 | kadmin.local <