YARN-8530. Add SPNEGO filter to application catalog. Contributed by Eric Yang
This commit is contained in:
parent
bfcb6534cd
commit
ad865888a6
@ -42,4 +42,15 @@ if [ -e "$KEYTAB" ]; then
|
||||
export JAVA_OPTS="$JAVA_OPTS -Djava.security.auth.login.config=/etc/tomcat/jaas.config -Djava.security.krb5.conf=/etc/krb5.conf -Djavax.security.auth.useSubjectCredsOnly=false"
|
||||
template_generator /etc/tomcat/jaas.config.template /etc/tomcat/jaas.config
|
||||
fi
|
||||
if [ -e "$SPNEGO_KEYTAB" ]; then
|
||||
sed -i.bak 's/authentication.type=.*$/authentication.type=kerberos/g' /etc/tomcat/catalina.properties
|
||||
sed -i.bak 's/simple.anonymous.allowed=.*$/simple.anonymous.allowed=false/g' /etc/tomcat/catalina.properties
|
||||
if [ -z "$SPNEGO_PRINCIPAL" ]; then
|
||||
echo "kerberos.principal=HTTP/$HOSTNAME" >> /etc/tomcat/catalina.properties
|
||||
else
|
||||
echo "kerberos.principal=$SPNEGO_PRINCIPAL" >> /etc/tomcat/catalina.properties
|
||||
fi
|
||||
echo "kerberos.keytab=$SPNEGO_KEYTAB" >> /etc/tomcat/catalina.properties
|
||||
echo "hostname=$HOSTNAME" >> /etc/tomcat/catalina.properties
|
||||
fi
|
||||
/usr/libexec/tomcat/server start
|
||||
|
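Review bot: The new `if [ -e "$SPNEGO_KEYTAB" ]` block only switches the filter to Kerberos when the keytab file is actually present, so a deployment that sets SPNEGO_KEYTAB to a path that was not mounted silently starts with the `authentication.type=simple` / `simple.anonymous.allowed=true` defaults written into catalina.properties elsewhere in this commit. A fail-closed guard in front of the block surfaces that misconfiguration instead: `if [ -n "$SPNEGO_KEYTAB" ] && [ ! -e "$SPNEGO_KEYTAB" ]; then echo "SPNEGO_KEYTAB=$SPNEGO_KEYTAB not found" >&2; exit 1; fi`. The two `sed -i.bak` calls also leave `/etc/tomcat/catalina.properties.bak` holding the pre-Kerberos settings; either drop the suffix or remove the backup afterwards. The three `echo ... >>` lines append on every run, so a restarted container accumulates duplicate `kerberos.principal`/`kerberos.keytab`/`hostname` keys — presumably harmless because the last value wins, but a one-line comment saying the script is expected to run once per container would make that explicit.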
@ -19,3 +19,8 @@ mkdir -p /etc/hadoop
|
||||
mkdir -p /opt/apache/solr/server/logs
|
||||
chmod -R 777 /opt/apache/solr/server/logs /var/log/tomcat /var/cache/tomcat /var/lib/tomcat/webapps /opt/apache/solr/server/solr
|
||||
chmod 777 /etc/tomcat
|
||||
{
|
||||
echo "auth.filter=org.apache.hadoop.security.authentication.server.AuthenticationFilter"
|
||||
echo "authentication.type=simple"
|
||||
echo "simple.anonymous.allowed=true"
|
||||
} >> /etc/tomcat/catalina.properties
|
||||
|
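Review bot: The appended `auth.filter` / `authentication.type=simple` / `simple.anonymous.allowed=true` block is written with `>>` unconditionally, so each execution of this script adds another copy of the three keys to /etc/tomcat/catalina.properties; guarding it with `grep -q '^auth.filter=' /etc/tomcat/catalina.properties || { ... } >> /etc/tomcat/catalina.properties` keeps the file idempotent. These authentication settings also land in a directory that the preceding context line `chmod 777 /etc/tomcat` makes world-writable, so any process in the container can flip `simple.anonymous.allowed` back on; if only the tomcat user needs to write there, `chown` plus `chmod 750` on /etc/tomcat is the tighter default. A comment above the block stating that these are the non-secure defaults, replaced by the Kerberos branch elsewhere in this commit when a SPNEGO keytab is mounted, would help the next reader.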
@ -0,0 +1,54 @@
|
||||
/*
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.apache.hadoop.yarn.appcatalog.application;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.servlet.ServletContextEvent;
|
||||
import javax.servlet.ServletContextListener;
|
||||
|
||||
import org.apache.hadoop.conf.Configuration;
|
||||
import org.apache.hadoop.security.HadoopKerberosName;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
||||
/**
|
||||
* Initialization class for setting Kerberos configuration.
|
||||
*/
|
||||
public class AppCatalogInitializer implements ServletContextListener {
|
||||
|
||||
static final Logger LOG = LoggerFactory.getLogger(
|
||||
AppCatalogInitializer.class);
|
||||
|
||||
@Override
|
||||
public void contextInitialized(ServletContextEvent sce) {
|
||||
Configuration conf = new Configuration();
|
||||
if (!HadoopKerberosName.hasRulesBeenSet()) {
|
||||
try {
|
||||
HadoopKerberosName.setConfiguration(conf);
|
||||
} catch (IOException e) {
|
||||
LOG.error("Application Catalog initialization failed:", e);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public void contextDestroyed(ServletContextEvent sce) {
|
||||
}
|
||||
|
||||
}
|
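Review bot: `contextInitialized` catches the `IOException` from `HadoopKerberosName.setConfiguration(conf)`, logs it and returns, so the web application still deploys with no Kerberos auth-to-local rules installed; for a listener whose only job is security setup it is safer to fail the deployment, e.g. `throw new IllegalStateException("Application Catalog initialization failed", e);` in place of the `LOG.error` call (keeping the log line if you want both). `LOG` should be `private static final` rather than package-private. The class Javadoc could state what the listener actually does: it builds a default `Configuration` and installs its Kerberos name rules once, skipping when `HadoopKerberosName.hasRulesBeenSet()` is already true; `contextDestroyed` deserves a one-line comment that there is nothing to release.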
@ -30,6 +30,48 @@
|
||||
</description>
|
||||
<display-name>appcatalog</display-name>
|
||||
|
||||
<listener>
|
||||
<listener-class>org.apache.hadoop.yarn.appcatalog.application.AppCatalogInitializer</listener-class>
|
||||
</listener>
|
||||
|
||||
<filter>
|
||||
<filter-name>AuthFilter</filter-name>
|
||||
<filter-class>${auth.filter}</filter-class>
|
||||
<init-param>
|
||||
<param-name>type</param-name>
|
||||
<param-value>${authentication.type}</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>simple.anonymous.allowed</param-name>
|
||||
<param-value>${simple.anonymous.allowed}</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>token.validity</param-name>
|
||||
<param-value>30</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>cookie.path</param-name>
|
||||
<param-value>/</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>cookie.domain</param-name>
|
||||
<param-value>${hostname}</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>kerberos.principal</param-name>
|
||||
<param-value>${kerberos.principal}</param-value>
|
||||
</init-param>
|
||||
<init-param>
|
||||
<param-name>kerberos.keytab</param-name>
|
||||
<param-value>${kerberos.keytab}</param-value>
|
||||
</init-param>
|
||||
</filter>
|
||||
|
||||
<filter-mapping>
|
||||
<filter-name>AuthFilter</filter-name>
|
||||
<url-pattern>/*</url-pattern>
|
||||
</filter-mapping>
|
||||
|
||||
<servlet>
|
||||
<servlet-name>REST_API</servlet-name>
|
||||
<servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
|
||||
|
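Review bot: `token.validity` is set to `30` in the new AuthFilter block; as far as I recall, Hadoop's AuthenticationFilter interprets this parameter in seconds (its default is 36000), so 30 would force every client to re-negotiate after half a minute — confirm the unit, and if minutes were intended use `<param-value>1800</param-value>` or omit the parameter to get the default. `cookie.domain` is filled from `${hostname}`, which the bootstrap script takes from `$HOSTNAME`; if that is a short name rather than the FQDN clients use, browsers will not return the auth cookie and each request re-authenticates, so a comment stating the expected value (or using the FQDN) would help. No `signer.secret.provider` or `signature.secret.file` is configured, which, if I read the filter correctly, means a per-instance random signing secret; that is fine for a single container but worth a comment because tokens will not validate across instances or restarts.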
@ -178,6 +178,16 @@ where `service-name` is user defined name.
|
||||
The deployment progress of the application catalog is located in Resource Manager UI. When the service reaches STABLE state, application catalog UI is available at:
|
||||
http://appcatalog.${SERVICE_NAME}.${USER}.${DOMAIN}:8080/
|
||||
|
||||
For secure cluster, Kerberos settings for application catalog can be configured in Yarn service JSON using environment variable settings:
|
||||
|
||||
| Environment Variable | Example | Description |
|
||||
|:---- |:---- |:----|
|
||||
| YARN_CONTAINER_RUNTIME_DOCKER_MOUNTS | /etc/hadoop/conf:/etc/hadoop/conf:ro,/etc/krb5.conf:/etc/krb5.conf:ro,/etc/security/keytabs/yarn.service.keytab:/etc/security/keytabs/yarn.service.keytab:ro,/etc/security/keytabs/spnego.service.keytab:/etc/security/keytabs/spnego.service.keytab:ro | Container mount path for Hadoop configuration, Kerberos krb5.conf, and list of Kerberos keytab files. |
|
||||
| SPNEGO_KEYTAB | /etc/security/keytabs/spnego.service.keytab | Service principal for Application catalog. |
|
||||
| SPNEGO_PRINCIPAL | HTTP/appcatalog.catalog.yarn.example.com@EXAMPLE.COM | Service principal for Application catalog. |
|
||||
| KEYTAB | /etc/security/keytabs/yarn.service.ketab | Path to keytab file, used by YARN service application master. |
|
||||
| PRINCIPAL | yarn/_HOST@EXAMPLE.COM | Service principal used by YARN service application master. |
|
||||
|
||||
## Docker image ENTRYPOINT support
|
||||
|
||||
Docker images may have built with ENTRYPOINT to enable start up of docker image without any parameters.
|
||||
|