Merge pull request #336 from catpineapple/kerberos-support

[feature](dcr) add kerberos support

api/doris/v1/types.go

@@ -52,6 +52,24 @@ type DorisClusterSpec struct {
 	// EnableRestartWhenConfigChange configmap monitoring, default is false.
 	// When EnableRestartWhenConfigChange is true, changing the doris core configmap will cause a rolling restart of the corresponding node
 	EnableRestartWhenConfigChange bool `json:"enableRestartWhenConfigChange,omitempty"`
+
+	// KerberosInfo contains a series of access key files, Provides access to kerberos.
+	KerberosInfo *KerberosInfo `json:"kerberosInfo,omitempty"`
+}
+
+type KerberosInfo struct {
+	// Krb5ConfigMap is the name of configmap within 'krb5.conf'
+	Krb5ConfigMap string `json:"krb5ConfigMap"`
+
+	// SecretName is the name of sercet within '*.keytab' files,
+	// refer to the following command to create a Secret :
+	// 	'kubectl create secret generic {secret-name} --from-file=. '
+	KeytabSecretName string `json:"keytabSecretName"`
+
+	// KeytabPath is the path where the Secret is finally stored inside the pod. default '/etc/keytab/'.
+	// It is not recommended to modify it unless necessary.
+	// This path is the path filled in when configuring "hadoop.kerberos.keytab".
+	KeytabPath string `json:"keytabPath,omitempty"`
 }
 
 // AdminUser describe administrator for manage components in specified cluster.

config/crd/bases/crds.yaml

@@ -7914,6 +7914,28 @@ spec:
                 required:
                 - image
                 type: object
+              kerberosInfo:
+                description: KerberosInfo contains a series of access key files, Provides
+                  access to kerberos.
+                properties:
+                  keytabPath:
+                    description: |-
+                      KeytabPath is the path where the Secret is finally stored inside the pod. default '/etc/keytab/'.
+                      It is not recommended to modify it unless necessary.
+                      This path is the path filled in when configuring "hadoop.kerberos.keytab".
+                    type: string
+                  keytabSecretName:
+                    description: "SecretName is the name of sercet within '*.keytab'
+                      files,\nrefer to the following command to create a Secret :\n\t'kubectl
+                      create secret generic {secret-name} --from-file=. '"
+                    type: string
+                  krb5ConfigMap:
+                    description: Krb5ConfigMap is the name of configmap within 'krb5.conf'
+                    type: string
+                required:
+                - keytabSecretName
+                - krb5ConfigMap
+                type: object
             type: object
           status:
             description: DorisClusterStatus defines the observed state of DorisCluster

config/crd/bases/doris.apache.com_dorisclusters.yaml

@@ -7914,6 +7914,28 @@ spec:
                 required:
                 - image
                 type: object
+              kerberosInfo:
+                description: KerberosInfo contains a series of access key files, Provides
+                  access to kerberos.
+                properties:
+                  keytabPath:
+                    description: |-
+                      KeytabPath is the path where the Secret is finally stored inside the pod. default '/etc/keytab/'.
+                      It is not recommended to modify it unless necessary.
+                      This path is the path filled in when configuring "hadoop.kerberos.keytab".
+                    type: string
+                  keytabSecretName:
+                    description: "SecretName is the name of sercet within '*.keytab'
+                      files,\nrefer to the following command to create a Secret :\n\t'kubectl
+                      create secret generic {secret-name} --from-file=. '"
+                    type: string
+                  krb5ConfigMap:
+                    description: Krb5ConfigMap is the name of configmap within 'krb5.conf'
+                    type: string
+                required:
+                - keytabSecretName
+                - krb5ConfigMap
+                type: object
             type: object
           status:
             description: DorisClusterStatus defines the observed state of DorisCluster

config/crd/bases/doris.selectdb.com_dorisclusters.yaml

@@ -7914,6 +7914,28 @@ spec:
                 required:
                 - image
                 type: object
+              kerberosInfo:
+                description: KerberosInfo contains a series of access key files, Provides
+                  access to kerberos.
+                properties:
+                  keytabPath:
+                    description: |-
+                      KeytabPath is the path where the Secret is finally stored inside the pod. default '/etc/keytab/'.
+                      It is not recommended to modify it unless necessary.
+                      This path is the path filled in when configuring "hadoop.kerberos.keytab".
+                    type: string
+                  keytabSecretName:
+                    description: "SecretName is the name of sercet within '*.keytab'
+                      files,\nrefer to the following command to create a Secret :\n\t'kubectl
+                      create secret generic {secret-name} --from-file=. '"
+                    type: string
+                  krb5ConfigMap:
+                    description: Krb5ConfigMap is the name of configmap within 'krb5.conf'
+                    type: string
+                required:
+                - keytabSecretName
+                - krb5ConfigMap
+                type: object
             type: object
           status:
             description: DorisClusterStatus defines the observed state of DorisCluster

helm-charts/doris-operator/crds/doris.apache.com_dorisclusters.yaml

@@ -7914,6 +7914,28 @@ spec:
                 required:
                 - image
                 type: object
+              kerberosInfo:
+                description: KerberosInfo contains a series of access key files, Provides
+                  access to kerberos.
+                properties:
+                  keytabPath:
+                    description: |-
+                      KeytabPath is the path where the Secret is finally stored inside the pod. default '/etc/keytab/'.
+                      It is not recommended to modify it unless necessary.
+                      This path is the path filled in when configuring "hadoop.kerberos.keytab".
+                    type: string
+                  keytabSecretName:
+                    description: "SecretName is the name of sercet within '*.keytab'
+                      files,\nrefer to the following command to create a Secret :\n\t'kubectl
+                      create secret generic {secret-name} --from-file=. '"
+                    type: string
+                  krb5ConfigMap:
+                    description: Krb5ConfigMap is the name of configmap within 'krb5.conf'
+                    type: string
+                required:
+                - keytabSecretName
+                - krb5ConfigMap
+                type: object
             type: object
           status:
             description: DorisClusterStatus defines the observed state of DorisCluster

pkg/common/utils/kerberos/kerberos.go

@@ -0,0 +1,60 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package kerberos
+
+import "strings"
+
+const (
+	KRB5_DEFAULT_CONFIG = "/etc/krb5.conf"
+)
+
+// GetKrb5ConfFromJavaOpts extracts the path to the Kerberos configuration file from the Java configuration options
+// This function searches for configuration values in java.security.krb5.conf in the following order of priority:
+// 1. First search for the configuration in JAVA_OPTS_FOR_JDK_17 (JDK17 specific configuration)
+// 2. If not found, search for the general JAVA_OPTS configuration
+// 3. If none is found, return the default value "/etc/krb5.conf"
+// This behavior is documented: https://doris.apache.org/docs/3.0/lakehouse/datalake-analytics/hive?_highlight=kerberos_krb5_conf_path#connect-to-kerberos-enabled-hive
+func GetKrb5ConfFromJavaOpts(javaOpts map[string]interface{}) string {
+	krb5Property := "-Djava.security.krb5.conf="
+
+	// All keys in the parsed config map are lowercase, so 'java_opts_for_jdk_17' is used here instead of 'JAVA_OPTS_FOR_JDK_17'.
+	if jdk17Opts, exists := javaOpts["java_opts_for_jdk_17"]; exists {
+		//  The jvm configuration value in the configuration file(fe.conf/be.conf) has  "  symbol, so it needs to be cleared
+		jdk17OptsString := strings.ReplaceAll(jdk17Opts.(string), "\"", "")
+		for _, opt := range strings.Split(jdk17OptsString, " ") {
+			if strings.Contains(opt, krb5Property) {
+				split := strings.Split(opt, "=")
+				return split[len(split)-1]
+			}
+		}
+	}
+
+	// All keys in the parsed config map are lowercase, so 'java_opts' is used here instead of 'JAVA_OPTS'.
+	if commonOpts, exists := javaOpts["java_opts"]; exists {
+		//  The jvm configuration value in the configuration file(fe.conf/be.conf) has  "  symbol, so it needs to be cleared
+		commonOptsString := strings.ReplaceAll(commonOpts.(string), "\"", "")
+		for _, opt := range strings.Split(commonOptsString, " ") {
+			if strings.Contains(opt, krb5Property) {
+				split := strings.Split(opt, "=")
+				return split[len(split)-1]
+			}
+		}
+	}
+
+	return KRB5_DEFAULT_CONFIG
+}