[Opt](external-docker) Modify kerberos network mode to host (#47043)
### What problem does this PR solve?
This change makes it possible to run Kerberos tests on a multi-node Doris
cluster.
zgxme authored Jan 16, 2025
1 parent 93f8da1 commit eb40d0a
Showing 22 changed files with 501 additions and 156 deletions.
Expand Up @@ -16,10 +16,10 @@
# specific language governing permissions and limitations
# under the License.

/usr/bin/mysqld_safe &
while ! mysqladmin ping -proot --silent; do sleep 1; done

hive --service metatool -updateLocation hdfs://hadoop-master-2:9000/user/hive/warehouse hdfs://hadoop-master:9000/user/hive/warehouse

killall mysqld
while pgrep mysqld; do sleep 1; done
function exec_success_hook() {
echo "Executing success hook"
echo "Creating /tmp/success and /tmp/SUCCESS"
touch /tmp/success /tmp/SUCCESS
echo "Do not exit, just tailing /dev/null"
tail -f /dev/null
}
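--- a/docker/thirdparties/docker-compose/common/hive-configure.sh
+++ b/docker/thirdparties/docker-compose/common/hive-configure.sh
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Referenced from [docker-hive](https://github.com/big-data-europe/docker-hive)
+
+# Set some sensible defaults
+export CORE_CONF_fs_defaultFS=${CORE_CONF_fs_defaultFS:-hdfs://`hostname -f`:8020}
+
+function addProperty() {
+local path=$1
+local name=$2
+local value=$3
+
+local entry="<property><name>$name</name><value>${value}</value></property>"
+local escapedEntry=$(echo $entry | sed 's/\//\\\//g')
+sed -i "/<\/configuration>/ s/.*/${escapedEntry}\n&/" $path
+}
+
+function configure() {
+local path=$1
+local module=$2
+local envPrefix=$3
+
+local var
+local value
+
+echo "Configuring $module"
+for c in `printenv | perl -sne 'print "$1 " if m/^${envPrefix}_(.+?)=.*/' -- -envPrefix=$envPrefix`; do
+name=`echo ${c} | perl -pe 's/___/-/g; s/__/_/g; s/_/./g'`
+var="${envPrefix}_${c}"
+value=${!var}
+echo " - Setting $name=$ "
+addProperty $path $name "$value"
+done
+}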
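Review bot: addProperty escapes only `/` before splicing the entry into the sed replacement, so a configuration value containing `&` or `\` is rewritten by sed (an unescaped `&` expands to the matched `</configuration>` line) and the property written to the site file no longer matches the environment variable. Escaping all three characters and quoting the expansions avoids that: `local escapedEntry=$(printf '%s\n' "$entry" | sed 's/[\/&\\]/\\&/g')` and `sed -i "/<\/configuration>/ s/.*/${escapedEntry}\n&/" "$path"`. The value is also not XML-escaped, so a `<` or `&` in a property value would still produce malformed XML; a comment on the function stating that values must be XML-safe would at least record the constraint. In configure(), `c` and `name` are not declared `local`, unlike `var` and `value`.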
Expand Up @@ -32,21 +32,18 @@

[realms]
LABS.TERADATA.COM = {
kdc = hadoop-master:88
admin_server = hadoop-master
kdc = hadoop-master:5588
admin_server = hadoop-master:5749
}
OTHERLABS.TERADATA.COM = {
kdc = hadoop-master:89
admin_server = hadoop-master
kdc = hadoop-master:5589
admin_server = hadoop-master:5750
}
OTHERLABS.TERADATA.COM = {
kdc = hadoop-master:89
admin_server = hadoop-master
}
OTHERREALM.COM = {
kdc = hadoop-master-2:88
admin_server = hadoop-master
OTHERREALM.COM = {
kdc = hadoop-master-2:6688
admin_server = hadoop-master-2:6749
}

[domain_realm]
hadoop-master-2 = OTHERREALM.COM
hadoop-master = LABS.TERADATA.COM
Expand Up @@ -38,5 +38,7 @@ fi
trap exit INT

echo "Running services with supervisord"
rm -rf /etc/supervisord.d/socks-proxy.conf
rm -rf /etc/supervisord.d/sshd.conf

supervisord -c /etc/supervisord.conf
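Review bot: The two added `rm -rf` lines carry no comment saying why the socks-proxy and sshd supervisord programs are dropped; presumably with host networking they would listen on the host's own interfaces, and that reason should be recorded so nobody re-enables them later. A comment such as `# host network mode: do not start sshd/socks-proxy, they would bind on the host` above them would do, and `rm -f --` is enough since both paths are plain files. The script starts before this hunk, so whether earlier lines depend on either service is not visible here.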
@@ -0,0 +1,50 @@
#!/usr/bin/env bash
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.

[kdcdefaults]
kdc_ports = ${KDC_PORT1}
kdc_tcp_ports = ${KDC_PORT1}
kadmind_port = ${KADMIND_PORT1}
kpasswd_port = ${KPASSWD_PORT1}

[realms]
LABS.TERADATA.COM = {
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
kdc_listen = ${KDC_PORT1}
kdc_tcp_listen = ${KDC_PORT1}
kdc_ports = ${KDC_PORT1}
kdc_tcp_ports = ${KDC_PORT1}
kadmind_port = ${KADMIND_PORT1}
kpasswd_port = ${KPASSWD_PORT1}
}

OTHERLABS.TERADATA.COM = {
acl_file = /var/kerberos/krb5kdc/kadm5-other.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5-other.keytab
supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
kdc_listen = ${KDC_PORT2}
kdc_tcp_listen = ${KDC_PORT2}
kdc_ports = ${KDC_PORT2}
kdc_tcp_ports = ${KDC_PORT2}
kadmind_port = ${KADMIND_PORT2}
kpasswd_port = ${KPASSWD_PORT2}
}
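Review bot: `supported_enctypes` in both realms lists `arcfour-hmac`, `des3-hmac-sha1` and three single-DES types next to `aes128-cts`, which lets the test KDC issue keys under long-deprecated ciphers; the same line appears in the OTHERREALM.COM KDC template, and both krb5.conf templates set `allow_weak_crypto = true`. With host networking the KDC ports are reachable on the host's interfaces rather than on a private bridge network, so, if the tests do not depend on the legacy types, I would reduce the line to `supported_enctypes = aes256-cts:normal aes128-cts:normal` and drop `allow_weak_crypto`. If the legacy types are needed for the test image, a comment stating that the weak enctypes are test-only would keep the file from being copied into a real deployment. The `#!/usr/bin/env bash` first line is also misleading on a file that is a KDC configuration template.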
@@ -0,0 +1,39 @@
#!/usr/bin/env bash
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = LABS.TERADATA.COM
dns_lookup_realm = false
dns_lookup_kdc = false
forwardable = true
allow_weak_crypto = true

[realms]
LABS.TERADATA.COM = {
kdc = ${HOST}:${KDC_PORT1}
admin_server = ${HOST}:${KADMIND_PORT1}
}
OTHERLABS.TERADATA.COM = {
kdc = ${HOST}:${KDC_PORT2}
admin_server = ${HOST}:${KADMIND_PORT2}
}
@@ -0,0 +1,38 @@
#!/usr/bin/env bash
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.

[kdcdefaults]
kdc_ports = ${KDC_PORT1}
kdc_tcp_ports = ${KDC_PORT1}
kadmind_port = ${KADMIND_PORT1}
kpasswd_port = ${KPASSWD_PORT1}


[realms]
OTHERREALM.COM = {
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
kdc_listen = ${KDC_PORT1}
kdc_tcp_listen = ${KDC_PORT1}
kdc_ports = ${KDC_PORT1}
kdc_tcp_ports = ${KDC_PORT1}
kadmind_port = ${KADMIND_PORT1}
kpasswd_port = ${KPASSWD_PORT1}
}
@@ -0,0 +1,35 @@
#!/usr/bin/env bash
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = OTHERREALM.COM
dns_lookup_realm = false
dns_lookup_kdc = false
forwardable = true
allow_weak_crypto = true

[realms]
OTHERREALM.COM = {
kdc = ${HOST}:${KDC_PORT1}
admin_server = ${HOST}:${KADMIND_PORT1}
}
Expand Up @@ -16,18 +16,23 @@
# specific language governing permissions and limitations
# under the License.

set -exuo pipefail
[mysqld]
port=${MYSQL_PORT}
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Settings user and group are ignored when systemd is used.
# If you need to run mysqld under a different user or group,
# customize your systemd unit file for mariadb according to the
# instructions in http://fedoraproject.org/wiki/Systemd

TICKET_LIFETIME='30m'
[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid

kinit -l "$TICKET_LIFETIME" -f -c /etc/trino/conf/presto-server-krbcc \
-kt /etc/trino/conf/presto-server.keytab presto-server/$(hostname -f)@LABS.TERADATA.COM

kinit -l "$TICKET_LIFETIME" -f -c /etc/trino/conf/hive-presto-master-krbcc \
-kt /etc/trino/conf/hive-presto-master.keytab hive/$(hostname -f)@LABS.TERADATA.COM

kinit -l "$TICKET_LIFETIME" -f -c /etc/trino/conf/hdfs-krbcc \
-kt /etc/hadoop/conf/hdfs.keytab hdfs/[email protected]
#
# include all files from the config directory
#
!includedir /etc/my.cnf.d

kinit -l "$TICKET_LIFETIME" -f -c /etc/trino/conf/hive-krbcc \
-kt /etc/hive/conf/hive.keytab hive/[email protected]

This file was deleted.
