commit e5933bedd3cfc13a40a14091d1d4dcec59cfe508
Author: Eric Yang
Date: Tue Feb 5 17:20:19 2019 -0500
YARN-8530. Add SPNEGO filter to application catalog. Contributed by Eric Yang
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-docker/src/main/scripts/entrypoint.sh b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-docker/src/main/scripts/entrypoint.sh
index eb1f20b..75f4ee2 100755
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-docker/src/main/scripts/entrypoint.sh
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-docker/src/main/scripts/entrypoint.sh
@@ -42,4 +42,16 @@ if [ -e "$KEYTAB" ]; then
 export JAVA_OPTS="$JAVA_OPTS -Djava.security.auth.login.config=/etc/tomcat/jaas.config -Djava.security.krb5.conf=/etc/krb5.conf -Djavax.security.auth.useSubjectCredsOnly=false"
 template_generator /etc/tomcat/jaas.config.template /etc/tomcat/jaas.config
 fi
+echo "auth.filter=org.apache.hadoop.http.lib.StaticUserWebFilter" >> /etc/tomcat/catalina.properties
+if [ -e "$SPNEGO_KEYTAB" ]; then
+ sed -i.bak 's/authentication.type=.*$/authentication.type=kerberos/g' /etc/tomcat/catalina.properties
+ sed -i.bak 's/auth.filter=.*$/auth.filter=org.apache.hadoop.security.authentication.server.AuthenticationFilter/g' /etc/tomcat/catalina.properties
+ if [ -z "$SPNEGO_PRINCIPAL" ]; then
+ echo "kerberos.principal=HTTP/$HOSTNAME" >> /etc/tomcat/catalina.properties
+ else
+ echo "kerberos.principal=$SPNEGO_PRINCIPAL" >> /etc/tomcat/catalina.properties
+ fi
+ echo "kerberos.keytab=$SPNEGO_KEYTAB" >> /etc/tomcat/catalina.properties
+ echo "hostname=$HOSTNAME" >> /etc/tomcat/catalina.properties
+fi
 /usr/libexec/tomcat/server start
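Review bot: The added block fails open: whenever `$SPNEGO_KEYTAB` does not exist the catalog keeps the `authentication.type=simple` default with `StaticUserWebFilter`, so a missing or mistyped keytab mount on a Kerberized cluster starts the UI without authentication and without any message. The block just above already treats `-e "$KEYTAB"` as the sign of a secure deployment, so I would refuse to start in that case, e.g. `if [ -e "$KEYTAB" ] && [ ! -e "$SPNEGO_KEYTAB" ]; then echo "SPNEGO keytab not found, refusing to start without authentication" >&2; exit 1; fi`, and log the selected authentication type at startup. The `echo ... >>` lines also append on every run of the entrypoint, so a restarted container would accumulate duplicate `auth.filter` and `kerberos.*` entries in catalina.properties; guarding each append with a `grep -q` check would keep the file stable.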
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-docker/src/main/scripts/setup-image.sh b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-docker/src/main/scripts/setup-image.sh
index 447d012..e0169f3 100755
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-docker/src/main/scripts/setup-image.sh
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-docker/src/main/scripts/setup-image.sh
@@ -19,5 +19,4 @@ mkdir -p /etc/hadoop
 tar xvf solr-6.6.0.tgz
 chmod -R 777 /solr-6.6.0/server/logs /var/log/tomcat /var/cache/tomcat /var/lib/tomcat/webapps /solr-6.6.0/server/solr
 chmod 777 /etc/tomcat
-#groupadd -g 1001 hadoop
-#useradd -u 1013 -g 1001 hbase
+echo "authentication.type=simple" >> /etc/tomcat/catalina.properties
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/src/main/java/org/apache/hadoop/yarn/appcatalog/application/AppCatalogInitializer.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/src/main/java/org/apache/hadoop/yarn/appcatalog/application/AppCatalogInitializer.java
new file mode 100644
index 0000000..397fd06
--- /dev/null
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/src/main/java/org/apache/hadoop/yarn/appcatalog/application/AppCatalogInitializer.java
@@ -0,0 +1,34 @@
+package org.apache.hadoop.yarn.appcatalog.application;
+
+import java.io.IOException;
+
+import javax.servlet.ServletContextEvent;
+import javax.servlet.ServletContextListener;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.HadoopKerberosName;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class AppCatalogInitializer implements ServletContextListener {
+
+ static final Logger LOG = LoggerFactory.getLogger(
+ AppCatalogInitializer.class);
+
+ @Override
+ public void contextInitialized(ServletContextEvent sce) {
+ Configuration conf = new Configuration();
+ if (!HadoopKerberosName.hasRulesBeenSet()) {
+ try {
+ HadoopKerberosName.setConfiguration(conf);
+ } catch (IOException e) {
+ LOG.error("Application Catalog initialization failed:", e);
+ }
+ }
+ }
+
+ @Override
+ public void contextDestroyed(ServletContextEvent sce) {
+ }
+
+}
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/src/main/webapp/WEB-INF/web.xml b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/src/main/webapp/WEB-INF/web.xml
index fac7c5b..08a5a5a 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/src/main/webapp/WEB-INF/web.xml
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-applications-catalog/hadoop-yarn-applications-catalog-webapp/src/main/webapp/WEB-INF/web.xml
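Review bot: In `contextInitialized` the `IOException` from `HadoopKerberosName.setConfiguration(conf)` is only logged, so the web application keeps starting with no Kerberos name rules loaded and the failure surfaces later, if at all, when the authentication filter tries to map a principal. For a listener whose only job is security setup I would fail the deployment instead: `throw new IllegalStateException("Application Catalog initialization failed", e);` after (or in place of) the `LOG.error` call. The new file also starts directly at the `package` line, with no license header and no class Javadoc; a one-sentence Javadoc saying that the listener loads the Hadoop Kerberos name rules before the filter handles requests would explain why it is registered in web.xml.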
@@ -30,6 +30,44 @@ appcatalog + + org.apache.hadoop.yarn.appcatalog.application.AppCatalogInitializer + + + + AuthFilter + ${auth.filter} + + type + ${authentication.type} + + + token.validity + 30 + + + cookie.path + / + + + cookie.domain + ${hostname} + + + kerberos.principal + ${kerberos.principal} + + + kerberos.keytab + ${kerberos.keytab} + + + + + AuthFilter + /* + + REST_API com.sun.jersey.spi.container.servlet.ServletContainer diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/yarn-service/Examples.md b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/yarn-service/Examples.md index e0d1c01..7aae830 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/yarn-service/Examples.md +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/yarn-service/Examples.md 
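Review bot: `cookie.domain`, `kerberos.principal` and `kerberos.keytab` are filled from `${hostname}`, `${kerberos.principal}` and `${kerberos.keytab}`, but entrypoint.sh writes those properties only inside its `$SPNEGO_KEYTAB` branch, so in simple mode the filter is presumably initialised with unresolved placeholder text; setting defaults next to `authentication.type=simple` in setup-image.sh, or confirming that the filter ignores these parameters in simple mode, would close that gap. `token.validity` is set to `30`, which the Hadoop AuthenticationFilter reads as seconds, so a comment stating the unit and why the lifetime is this short would help the next reader. No signature secret parameter is visible in the added block, so it is worth confirming how the auth cookie is signed across restarts. The markup in this hunk is stripped on the page, so the element names are inferred from the surviving values.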
@@ -178,6 +178,16 @@ where `service-name` is user defined name. The deployment progress of the application catalog is located in Resource Manager UI. When the service reaches STABLE state, application catalog UI is available at: http://appcatalog.${SERVICE_NAME}.${USER}.${DOMAIN}:8080/ +For secure cluster, Kerberos settings for application catalog can be configured in Yarn service JSON using environment variable settings: + +| Environment Variable | Example | Description | +|:---- |:---- |:----| +| YARN_CONTAINER_RUNTIME_DOCKER_MOUNTS | /etc/hadoop/conf:/etc/hadoop/conf:ro,/etc/krb5.conf:/etc/krb5.conf:ro,/etc/security/keytabs/yarn.service.keytab:/etc/security/keytabs/yarn.service.keytab:ro,/etc/security/keytabs/spnego.service.keytab:/etc/security/keytabs/spnego.service.keytab:ro | Container mount path for Hadoop configuration, Kerberos krb5.conf, and list of Kerberos keytab files. | +| SPNEGO_KEYTAB | /etc/security/keytabs/spnego.service.keytab | Service principal for Application catalog. | +| SPNEGO_PRINCIPAL | HTTP/appcatalog.catalog.yarn.example.com@EXAMPLE.COM | Service principal for Application catalog. | +| KEYTAB | /etc/security/keytabs/yarn.service.ketab | Path to keytab file, used by YARN service application master. | +| PRINCIPAL | yarn/_HOST@EXAMPLE.COM | Service principal used by YARN service application master. | + ## Docker image ENTRYPOINT support Docker images may have built with ENTRYPOINT to enable start up of docker image without any parameters.