├── README.md
├── goKerberos_afterCMwizard.sh
└── goKerberos_beforeCM.sh


/README.md:
--------------------------------------------------------------------------------
1 | # quickKerberos
2 | 


--------------------------------------------------------------------------------
/goKerberos_afterCMwizard.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # (c) copyright 2014 martin lurie sample code not suppoted
 3 | set -x
 4 | 
 5 | echo have to import credentials into CM
 6 | echo admin -> kerb > import credentials
 7 | read foo
 8 | 
 9 | kinit hdfs@CLOUDERA
10 | hadoop fs -mkdir /eraseme
11 | hadoop fs -rmdir /eraseme
12 | 
13 | echo Requested user cloudera is not whitelisted and has id 501,which is below the minimum allowed 1000
14 | echo must kinit prior to using cluster
15 | # Application initialization failed (exitCode=255) with output: Requested user cloudera is not whitelisted and has id 501,which is below the minimum allowed 1000
16 | 
17 | kinit cloudera@CLOUDERA
18 | hadoop jar /usr/lib/hadoop-0.20-mapreduce/hadoop-examples.jar pi 10 10000
19 | 


--------------------------------------------------------------------------------
/goKerberos_beforeCM.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | # (c) copyright 2014 martin lurie sample code not supported
  3 | 
  4 | # reminder to activate CM in the quickstart
  5 | echo Activate CM in the quickstart vmware image
  6 | echo Hit enter when you are ready to proceed
  7 | # pause until the user hits enter
  8 | read foo
  9 | # for debugging - set -x
 10 | 
 11 | # fix the permissions in the quickstart vm
 12 | # may not be an issue in later versions of the vm
 13 | # this fixes the following error
 14 | # failed to start File /etc/hadoop must not be world 
 15 | # or group writable, but is 775
 16 | # File /etc must not be world or group writable, but is 775
 17 | #
 18 | #  run this as root
 19 | #  to become root
 20 | #  sudo su - 
 21 | cd /root
 22 | chmod 755 /etc
 23 | chmod 755 /etc/hadoop
 24 | 
 25 | # install the kerberos components
 26 | yum install -y krb5-server
 27 | yum install -y openldap-clients
 28 | yum install -y krb5-workstation
 29 | 
 30 | # update the config files for the realm name and hostname
 31 | # in the quickstart VM
 32 | # notice the -i.xxx for sed will create an automatic backup
 33 | # of the file before making edits in place
 34 | # 
 35 | # set the Realm
 36 | sed -i.orig 's/EXAMPLE.COM/CLOUDERA/g' /etc/krb5.conf
 37 | # set the hostname for the kerberos server
 38 | sed -i.m1 's/kerberos.example.com/quickstart.cloudera/g' /etc/krb5.conf
 39 | # change domain name to cloudera 
 40 | sed -i.m2 's/example.com/cloudera/g' /etc/krb5.conf
 41 | 
 42 | # download UnlimitedJCEPolicyJDK7.zip from Oracle into
 43 | # the /root directory
 44 | # we will use this for full strength 256 bit encryption
 45 | 
 46 | mkdir jce
 47 | cd jce
 48 | unzip ../UnlimitedJCEPolicyJDK7.zip 
 49 | # save the original jar files
 50 | cp /usr/java/jdk1.7.0_67-cloudera/jre/lib/security/local_policy.jar local_policy.jar.orig
 51 | cp /usr/java/jdk1.7.0_67-cloudera/jre/lib/security/US_export_policy.jar US_export_policy.jar.orig
 52 | 
 53 | # copy the new jars into place
 54 | cp /root/jce/UnlimitedJCEPolicy/local_policy.jar /usr/java/jdk1.7.0_67-cloudera/jre/lib/security/local_policy.jar
 55 | cp /root/jce/UnlimitedJCEPolicy/US_export_policy.jar /usr/java/jdk1.7.0_67-cloudera/jre/lib/security/US_export_policy.jar
 56 | 
 57 | # now create the kerberos database
 58 | kdb5_util create -s
 59 | 
 60 | # type in cloudera at the password prompt
 61 | echo suggested password is cloudera 
 62 | 
 63 | # update the kdc.conf file
 64 | sed -i.orig 's/EXAMPLE.COM/CLOUDERA/g' /var/kerberos/krb5kdc/kdc.conf
 65 | # this will add a line to the file with ticket life
 66 | sed -i.m1 '/dict_file/a max_life = 1d' /var/kerberos/krb5kdc/kdc.conf
 67 | # add a max renewable life
 68 | sed -i.m2 '/dict_file/a max_renewable_life = 7d' /var/kerberos/krb5kdc/kdc.conf
 69 | # indent the two new lines in the file
 70 | sed -i.m3 's/^max_/  max_/' /var/kerberos/krb5kdc/kdc.conf
 71 | 
 72 | # the acl file needs to be updated so the */admin
 73 | # is enabled with admin privileges 
 74 | sed -i 's/EXAMPLE.COM/CLOUDERA/' /var/kerberos/krb5kdc/kadm5.acl
 75 | 
 76 | # The kerberos authorization tickets need to be renewable
 77 | # if not the Hue service will show bad (red) status
 78 | # and the Hue “Kerberos Ticket Renewer” will not start
 79 | # the error message in the log will look like this:
 80 | #  kt_renewer   ERROR    Couldn't renew # kerberos ticket in 
 81 | #  order to work around Kerberos 1.8.1 issue.
 82 | #  Please check that the ticket for 'hue/quickstart.cloudera' 
 83 | #  is still renewable
 84 | 
 85 | # update the kdc.conf file to allow renewable
 86 | sed -i.m3 '/supported_enctypes/a default_principal_flags = +renewable, +forwardable' /var/kerberos/krb5kdc/kdc.conf
 87 | # fix the indenting
 88 | sed -i.m4 's/^default_principal_flags/  default_principal_flags/' /var/kerberos/krb5kdc/kdc.conf
 89 | 
 90 | # start up the kdc server and the admin server
 91 | service krb5kdc start
 92 | service kadmin start
 93 | 
 94 | # There is an addition error message you may encounter
 95 | # this requires an update to the krbtgt principal
 96 | 
 97 | # 5:39:59 PM 	ERROR 	kt_renewer 	
 98 | #
 99 | #Couldn't renew kerberos ticket in order to work around 
100 | # Kerberos 1.8.1 issue. Please check that the ticket 
101 | # for 'hue/quickstart.cloudera' is still renewable:
102 | #  $ kinit -f -c /tmp/hue_krb5_ccache
103 | #If the 'renew until' date is the same as the 'valid starting' 
104 | # date, the ticket cannot be renewed. Please check your 
105 | # KDC configuration, and the ticket renewal policy 
106 | # (maxrenewlife) for the 'hue/quickstart.cloudera' 
107 | # and `krbtgt' principals.
108 | #
109 | 
110 | kadmin.local <<eoj
111 | modprinc -maxrenewlife 1week krbtgt/CLOUDERA@CLOUDERA
112 | eoj
113 | # now just add a few user principals 
114 | #kadmin:  addprinc -pw <Password>
115 | # cloudera-scm/admin@YOUR-LOCAL-REALM.COM
116 | 
117 | # add the admin user that CM will use to provision
118 | # kerberos in the cluster
119 | kadmin.local <<eoj
120 | addprinc -pw cloudera cloudera-scm/admin@CLOUDERA
121 | modprinc -maxrenewlife 1week cloudera-scm/admin@CLOUDERA
122 | eoj
123 | 
124 | # add the hdfs principal so you have a superuser for hdfs
125 | kadmin.local <<eoj
126 | addprinc -pw cloudera hdfs@CLOUDERA
127 | eoj
128 | 
129 | # add a cloudera principal  for the standard user 
130 | # in the Cloudera Quickstart VM
131 | kadmin.local <<eoj
132 | addprinc -pw cloudera cloudera@CLOUDERA
133 | eoj
134 | 
135 | # test the server by authenticating as the CM admin user
136 | # enter the password cloudera when you are prompted
137 | kinit cloudera-scm/admin@CLOUDERA
138 | 
139 | # once you have a valid ticket you can see the 
140 | # characteristics of the ticket with klist -e
141 | # you will see the encryption type which you will
142 | # need for a screen in the wizard, for example
143 | #  Etype (skey, tkt): aes256-cts-hmac-sha1-96
144 | klist -e
145 | 
146 | # to see the contents of the files cat them
147 | cat /var/kerberos/krb5kdc/kdc.conf
148 | cat /var/kerberos/krb5kdc/kadm5.acl
149 | cat /etc/krb5.conf
150 | 
151 | #The files will look like this:
152 | 
153 | # make the kerberos services autostart
154 | chkconfig kadmin on
155 | chkconfig krb5kdc on
156 | 
157 | 


--------------------------------------------------------------------------------