RANGER-5373: update Hive container for Kerberos authentication apache#4

Author: mneethiraj

dev-support/ranger-docker/Dockerfile.ranger-hive

@@ -37,6 +37,7 @@ COPY ./scripts/ranger-hive-setup.sh                     /home/ranger/scripts/
 COPY ./scripts/ranger-hive.sh                           /home/ranger/scripts/
 COPY ./scripts/ranger-hive-plugin-install.properties    /home/ranger/scripts/
 COPY ./scripts/hive-site-${RANGER_DB_TYPE}.xml          /home/ranger/scripts/hive-site.xml
+COPY ./scripts/core-site.xml                            /home/ranger/scripts/
 
 RUN tar xvfz /home/ranger/dist/apache-hive-${HIVE_VERSION}-bin.tar.gz --directory=/opt/ && \
     ln -s /opt/apache-hive-${HIVE_VERSION}-bin /opt/hive && \

dev-support/ranger-docker/config/kdc/create_keytab.sh

@@ -36,6 +36,6 @@ echo ${ADMIN_PASSWORD} | kadmin -p ${ADMIN_PRINCIPAL} -q "ktadd -k ${KEYTAB} ${P
 
 if [ "${KEYTAB_OWNER}" != "" ]
 then
-    chmod 400 ${KEYTAB}
+    chmod 440 ${KEYTAB}
     chown ${KEYTAB_OWNER} ${KEYTAB}
 fi

dev-support/ranger-docker/docker-compose.ranger-hadoop.yml

@@ -24,7 +24,7 @@ services:
       ranger:
         condition: service_started
     healthcheck:
-      test: "hdfs dfs -ls /hbase"
+      test: ["CMD-SHELL", "kinit -kt /opt/hadoop/keytabs/healthcheck.keytab healthcheck/[email protected] && hdfs dfs -ls /hbase > /dev/null"]
       interval: 1m30s
       timeout: 10s
       retries: 30

dev-support/ranger-docker/scripts/hdfs-site.xml

@@ -48,6 +48,10 @@
     <name>dfs.datanode.keytab.file</name>
     <value>/opt/hadoop/keytabs/dn.keytab</value>
   </property>
+  <property>
+    <name>ignore.secure.ports.for.testing</name>
+    <value>true</value>
+  </property>
   <property>
     <name>dfs.web.authentication.kerberos.principal</name>
     <value>HTTP/[email protected]</value>

dev-support/ranger-docker/scripts/hive-site-mysql.xml

@@ -36,6 +36,30 @@
         <value>rangerR0cks!</value>
     </property>
 
+    <property>
+        <name>hive.server2.authentication</name>
+        <value>KERBEROS</value>
+    </property>
+    <property>
+        <name>hive.server2.authentication.kerberos.principal</name>
+        <value>hive/[email protected]</value>
+    </property>
+    <property>
+        <name>hive.server2.authentication.kerberos.keytab</name>
+        <value>/opt/hive/keytabs/hive.keytab</value>
+    </property>
+    <property>
+        <name>hive.metastore.sasl.enabled</name>
+        <value>true</value>
+    </property>
+    <property>
+        <name>hive.metastore.kerberos.principal</name>
+        <value>hive/[email protected]</value>
+    </property>
+    <property>
+        <name>hive.metastore.kerberos.keytab.file</name>
+        <value>/opt/hive/keytabs/hive.keytab</value>
+    </property>
     <property>
         <name>hive.server2.enable.doAs</name>
         <value>false</value>

dev-support/ranger-docker/scripts/hive-site-oracle.xml

@@ -36,6 +36,30 @@
         <value>rangerR0cks!</value>
     </property>
 
+    <property>
+        <name>hive.server2.authentication</name>
+        <value>KERBEROS</value>
+    </property>
+    <property>
+        <name>hive.server2.authentication.kerberos.principal</name>
+        <value>hive/[email protected]</value>
+    </property>
+    <property>
+        <name>hive.server2.authentication.kerberos.keytab</name>
+        <value>/opt/hive/keytabs/hive.keytab</value>
+    </property>
+    <property>
+        <name>hive.metastore.sasl.enabled</name>
+        <value>true</value>
+    </property>
+    <property>
+        <name>hive.metastore.kerberos.principal</name>
+        <value>hive/[email protected]</value>
+    </property>
+    <property>
+        <name>hive.metastore.kerberos.keytab.file</name>
+        <value>/opt/hive/keytabs/hive.keytab</value>
+    </property>
     <property>
         <name>hive.server2.enable.doAs</name>
         <value>false</value>

dev-support/ranger-docker/scripts/hive-site-postgres.xml

@@ -36,6 +36,30 @@
         <value>rangerR0cks!</value>
     </property>
 
+    <property>
+        <name>hive.server2.authentication</name>
+        <value>KERBEROS</value>
+    </property>
+    <property>
+        <name>hive.server2.authentication.kerberos.principal</name>
+        <value>hive/[email protected]</value>
+    </property>
+    <property>
+        <name>hive.server2.authentication.kerberos.keytab</name>
+        <value>/opt/hive/keytabs/hive.keytab</value>
+    </property>
+    <property>
+        <name>hive.metastore.sasl.enabled</name>
+        <value>true</value>
+    </property>
+    <property>
+        <name>hive.metastore.kerberos.principal</name>
+        <value>hive/[email protected]</value>
+    </property>
+    <property>
+        <name>hive.metastore.kerberos.keytab.file</name>
+        <value>/opt/hive/keytabs/hive.keytab</value>
+    </property>
     <property>
         <name>hive.server2.enable.doAs</name>
         <value>false</value>

dev-support/ranger-docker/scripts/hive-site-sqlserver.xml

@@ -35,6 +35,30 @@
         <name>javax.jdo.option.ConnectionPassword</name>
         <value>rangerR0cks!</value>
     </property>
+    <property>
+        <name>hive.server2.authentication</name>
+        <value>KERBEROS</value>
+    </property>
+    <property>
+        <name>hive.server2.authentication.kerberos.principal</name>
+        <value>hive/[email protected]</value>
+    </property>
+    <property>
+        <name>hive.server2.authentication.kerberos.keytab</name>
+        <value>/opt/hive/keytabs/hive.keytab</value>
+    </property>
+    <property>
+        <name>hive.metastore.sasl.enabled</name>
+        <value>true</value>
+    </property>
+    <property>
+        <name>hive.metastore.kerberos.principal</name>
+        <value>hive/[email protected]</value>
+    </property>
+    <property>
+        <name>hive.metastore.kerberos.keytab.file</name>
+        <value>/opt/hive/keytabs/hive.keytab</value>
+    </property>
     <property>
         <name>hive.server2.enable.doAs</name>
         <value>false</value>

dev-support/ranger-docker/scripts/ranger-hadoop.sh

@@ -38,12 +38,13 @@ then
   if [ "${KERBEROS_ENABLED}" == "true" ]
   then
     /etc/keytabs/create_keytab.sh hdfs ${KEYTABS_DIR} hdfs:hadoop
-    /etc/keytabs/create_keytab.sh yarn ${KEYTABS_DIR} yarn:hadoop
     /etc/keytabs/create_keytab.sh nn ${KEYTABS_DIR} hdfs:hadoop
     /etc/keytabs/create_keytab.sh dn ${KEYTABS_DIR} hdfs:hadoop
+    /etc/keytabs/create_keytab.sh HTTP ${KEYTABS_DIR} hdfs:hadoop
     /etc/keytabs/create_keytab.sh nm ${KEYTABS_DIR} yarn:hadoop
     /etc/keytabs/create_keytab.sh rm ${KEYTABS_DIR} yarn:hadoop
-    /etc/keytabs/create_keytab.sh HTTP ${KEYTABS_DIR} hdfs:hadoop
+    /etc/keytabs/create_keytab.sh yarn ${KEYTABS_DIR} yarn:hadoop
+    /etc/keytabs/create_keytab.sh healthcheck ${KEYTABS_DIR} hdfs:hadoop
   fi
 
   if "${RANGER_SCRIPTS}"/ranger-hadoop-setup.sh;

dev-support/ranger-docker/scripts/ranger-hive-setup.sh

@@ -24,17 +24,9 @@ Host *
    UserKnownHostsFile=/dev/null
 EOF
 
-cat <<EOF > ${HADOOP_HOME}/etc/hadoop/core-site.xml
-<configuration>
-  <property>
-    <name>fs.defaultFS</name>
-    <value>hdfs://ranger-hadoop:9000</value>
-  </property>
-</configuration>
-EOF
-
 cp ${RANGER_SCRIPTS}/hive-site.xml ${HIVE_HOME}/conf/hive-site.xml
 cp ${RANGER_SCRIPTS}/hive-site.xml ${HIVE_HOME}/conf/hiveserver2-site.xml
+cp ${RANGER_SCRIPTS}/core-site.xml ${HIVE_HOME}/conf/core-site.xml
 su -c "${HIVE_HOME}/bin/schematool -dbType ${RANGER_DB_TYPE} -initSchema" hive
 
 mkdir -p /opt/hive/logs