RANGER-5373: update HBase container for Kerberos authentication - apache#5

Author: mneethiraj

dev-support/ranger-docker/Dockerfile.ranger-hadoop

@@ -31,6 +31,7 @@ COPY ./downloads/hadoop-${HADOOP_VERSION}.tar.gz             /home/ranger/dist/
 COPY ./scripts/ranger-hadoop-setup.sh                   /home/ranger/scripts/
 COPY ./scripts/ranger-hadoop.sh                         /home/ranger/scripts/
 COPY ./scripts/ranger-hadoop-mkdir.sh                   /home/ranger/scripts/
+COPY ./scripts/ranger-hadoop-healthcheck.sh             /home/ranger/scripts/
 COPY ./scripts/ranger-hdfs-plugin-install.properties    /home/ranger/scripts/
 COPY ./scripts/ranger-yarn-plugin-install.properties    /home/ranger/scripts/
 COPY ./scripts/core-site.xml                            /home/ranger/scripts/
@@ -49,6 +50,9 @@ RUN tar xvfz /home/ranger/dist/hadoop-${HADOOP_VERSION}.tar.gz --directory=/opt/
     rm -f /home/ranger/dist/ranger-${YARN_PLUGIN_VERSION}-yarn-plugin.tar.gz && \
     cp -f /home/ranger/scripts/ranger-yarn-plugin-install.properties /opt/ranger/ranger-yarn-plugin/install.properties && \
     chmod 744 ${RANGER_SCRIPTS}/ranger-hadoop-setup.sh ${RANGER_SCRIPTS}/ranger-hadoop.sh ${RANGER_SCRIPTS}/ranger-hadoop-mkdir.sh && \
+    useradd -g hadoop -ms /bin/bash healthcheck && \
+    chmod 744 ${RANGER_SCRIPTS}/ranger-hadoop-healthcheck.sh && \
+    chown healthcheck:hadoop ${RANGER_SCRIPTS}/ranger-hadoop-healthcheck.sh && \
     apt-get update && DEBIAN_FRONTEND="noninteractive" apt-get install -y krb5-user && mkdir -p /etc/keytabs && \
     chown hdfs:hadoop ${RANGER_SCRIPTS}/ranger-hadoop-mkdir.sh
 

dev-support/ranger-docker/Dockerfile.ranger-hbase

@@ -30,6 +30,7 @@ COPY ./scripts/ranger-hbase-setup.sh                     /home/ranger/scripts/
 COPY ./scripts/ranger-hbase.sh                           /home/ranger/scripts/
 COPY ./scripts/ranger-hbase-plugin-install.properties    /home/ranger/scripts/
 COPY ./scripts/hbase-site.xml                            /home/ranger/scripts/
+COPY ./scripts/core-site.xml                             /home/ranger/scripts/
 
 RUN tar xvfz /home/ranger/dist/hbase-${HBASE_VERSION}-bin.tar.gz --directory=/opt/ && \
     ln -s /opt/hbase-${HBASE_VERSION} /opt/hbase && \

dev-support/ranger-docker/config/kdc/krb5.conf

@@ -1,5 +1,6 @@
 [libdefaults]
  default_realm = EXAMPLE.COM
+ dns_canonicalize_hostname = false
  dns_lookup_kdc = false
  dns_lookup_realm = false
  ticket_lifetime = 24h

dev-support/ranger-docker/docker-compose.ranger-hadoop.yml

@@ -24,11 +24,11 @@ services:
       ranger:
         condition: service_started
     healthcheck:
-      test: ["CMD-SHELL", "kinit -kt /opt/hadoop/keytabs/healthcheck.keytab healthcheck/ranger-hadoop[email protected] && hdfs dfs -ls /hbase > /dev/null"]
-      interval: 1m30s
+      test: 'su -c "/home/ranger/scripts/ranger-hadoop-healthcheck.sh" healthcheck'
+      interval: 15s
       timeout: 10s
       retries: 30
-      start_period: 40s
+      start_period: 1m30s
     environment:
       - HADOOP_VERSION
       - HDFS_PLUGIN_VERSION

dev-support/ranger-docker/docker-compose.ranger-kdc.yml

@@ -2,6 +2,7 @@ services:
   datanode:
     image: ${OZONE_RUNNER_IMAGE}:${OZONE_RUNNER_VERSION}
     container_name: ozone-datanode
+    hostname: datanode.rangernw
     volumes:
       - ./downloads/ozone-${OZONE_VERSION}:/opt/hadoop
     networks:
@@ -24,7 +25,7 @@ services:
         - OZONE_PLUGIN_VERSION=${OZONE_PLUGIN_VERSION}
     image: ranger-ozone:latest
     container_name: ozone-om
-    hostname: om
+    hostname: om.rangernw
     volumes:
       - ./downloads/ozone-${OZONE_VERSION}:/opt/hadoop
       - ./dist/ranger-${OZONE_PLUGIN_VERSION}-ozone-plugin:/opt/hadoop/ranger-ozone-plugin
@@ -50,7 +51,7 @@ services:
   scm:
     image: ${OZONE_RUNNER_IMAGE}:${OZONE_RUNNER_VERSION}
     container_name: ozone-scm
-    hostname: scm
+    hostname: scm.rangernw
     volumes:
       - ./downloads/ozone-${OZONE_VERSION}:/opt/hadoop
     networks:

dev-support/ranger-docker/docker-compose.ranger-ozone.yml

@@ -19,6 +19,8 @@ services:
     ports:
       - "6080:6080"
     depends_on:
+      ranger-kdc:
+        condition: service_started
       ranger-zk:
         condition: service_started
       ranger-db:
@@ -33,6 +35,26 @@ services:
     command:
       - /home/ranger/scripts/ranger.sh
 
+  ranger-kdc:
+    build:
+      context: .
+      dockerfile: Dockerfile.ranger-kdc
+      args:
+        - REALM=${KERBEROS_REALM}
+        - KDC_HOST=${KERBEROS_KDC_HOST}
+        - MASTER_PASSWORD=${KERBEROS_MASTER_PASSWORD}
+        - ADMIN_PRINCIPAL=${KERBEROS_ADMIN_PRINCIPAL}
+        - ADMIN_PASSWORD=${KERBEROS_ADMIN_PASSWORD}
+    image: ranger-kdc:latest
+    container_name: ranger-kdc
+    hostname: ranger-kdc.rangernw
+    networks:
+      - ranger
+    ports:
+      - "88:88"
+      - "88:88/udp"
+      - "749:749"
+
   ranger-db:
     extends:
       service: ${RANGER_DB_TYPE}
@@ -48,8 +70,6 @@ services:
     image: ranger-zk
     container_name: ranger-zk
     hostname: ranger-zk.rangernw
-    volumes:
-      - ./config/kdc/keytabs:/etc/keytabs
     networks:
       - ranger
     ports:
@@ -67,8 +87,6 @@ services:
     image: ranger-solr
     container_name: ranger-solr
     hostname: ranger-solr.rangernw
-    volumes:
-      - ./config/kdc/keytabs:/etc/keytabs
     networks:
       - ranger
     ports:

dev-support/ranger-docker/docker-compose.ranger.yml

@@ -2,7 +2,7 @@
 <configuration>
   <property>
     <name>fs.defaultFS</name>
-    <value>hdfs://ranger-hadoop:9000</value>
+    <value>hdfs://ranger-hadoop.rangernw:9000</value>
   </property>
   <property>
     <name>hadoop.security.authentication</name>

dev-support/ranger-docker/scripts/core-site.xml

@@ -15,7 +15,7 @@ def service_not_exists(service):
 
 hdfs = RangerService({'name': 'dev_hdfs', 'type': 'hdfs',
                       'configs': {'username': 'hdfs', 'password': 'hdfs',
-                                  'fs.default.name': 'hdfs://ranger-hadoop:9000',
+                                  'fs.default.name': 'hdfs://ranger-hadoop.rangernw:9000',
                                   'hadoop.security.authentication': 'simple',
                                   'hadoop.security.authorization': 'true',
                                   'policy.download.auth.users': 'hdfs',
@@ -26,7 +26,7 @@ def service_not_exists(service):
 hive = RangerService({'name': 'dev_hive', 'type': 'hive',
                       'configs': {'username': 'hive', 'password': 'hive',
                                   'jdbc.driverClassName': 'org.apache.hive.jdbc.HiveDriver',
-                                  'jdbc.url': 'jdbc:hive2://ranger-hive:10000',
+                                  'jdbc.url': 'jdbc:hive2://ranger-hive.rangernw:10000',
                                   'hadoop.security.authorization': 'true',
                                   'policy.download.auth.users': 'hive',
                                   'tag.download.auth.users': 'hive',
@@ -42,15 +42,15 @@ def service_not_exists(service):
                                    'ranger.plugin.kafka.policy.refresh.synchronous':'true'}})
 
 knox = RangerService({'name': 'dev_knox', 'type': 'knox',
-                      'configs': {'username': 'knox', 'password': 'knox', 'knox.url': 'https://ranger-knox:8443',
+                      'configs': {'username': 'knox', 'password': 'knox', 'knox.url': 'https://ranger-knox.rangernw:8443',
                       'policy.download.auth.users': 'knox',
                       'tag.download.auth.users': 'knox',
                       'userstore.download.auth.users': 'knox',
                       'ranger.plugin.knox.policy.refresh.synchronous':'true'}})
 
 yarn = RangerService({'name': 'dev_yarn', 'type': 'yarn',
                       'configs': {'username': 'yarn', 'password': 'yarn',
-                                  'yarn.url': 'http://ranger-hadoop:8088',
+                                  'yarn.url': 'http://ranger-hadoop.rangernw:8088',
                                   'policy.download.auth.users': 'yarn',
                                   'tag.download.auth.users': 'yarn',
                                   'userstore.download.auth.users': 'yarn',
@@ -62,7 +62,7 @@ def service_not_exists(service):
                                    'hbase.security.authentication': 'simple',
                                    'hadoop.security.authorization': 'true',
                                    'hbase.zookeeper.property.clientPort': '2181',
-                                   'hbase.zookeeper.quorum': 'ranger-zk',
+                                   'hbase.zookeeper.quorum': 'ranger-zk.rangernw',
                                    'zookeeper.znode.parent': '/hbase',
                                    'policy.download.auth.users': 'hbase',
                                    'tag.download.auth.users': 'hbase',
@@ -71,7 +71,7 @@ def service_not_exists(service):
 
 kms = RangerService({'name': 'dev_kms', 'type': 'kms',
                      'configs': {'username': 'keyadmin', 'password': 'rangerR0cks!',
-                                 'provider': 'http://ranger-kms:9292',
+                                 'provider': 'http://ranger-kms.rangernw:9292',
                                  'policy.download.auth.users': 'rangerkms',
                                  'tag.download.auth.users': 'rangerkms',
                                  'userstore.download.auth.users': 'rangerkms',
@@ -83,7 +83,7 @@ def service_not_exists(service):
                            'username': 'trino',
                            'password': 'trino',
                            'jdbc.driverClassName': 'io.trino.jdbc.TrinoDriver',
-                           'jdbc.url': 'jdbc:trino://ranger-trino:8080',
+                           'jdbc.url': 'jdbc:trino://ranger-trino.rangernw:8080',
                            'policy.download.auth.users': 'trino',
                            'tag.download.auth.users': 'trino',
                            'userstore.download.auth.users': 'trino',

dev-support/ranger-docker/scripts/create-ranger-services.py

@@ -49,4 +49,32 @@
     <name>hbase.zookeeper.quorum</name>
     <value>ranger-zk.rangernw</value>
   </property>
+  <property>
+    <name>hbase.security.authentication</name>
+    <value>kerberos</value>
+  </property>
+  <property>
+    <name>hbase.security.authorization</name>
+    <value>true</value>
+  </property>
+  <property>
+    <name>hbase.master.kerberos.principal</name>
+    <value>hbase/[email protected]</value>
+  </property>
+  <property>
+    <name>hbase.master.keytab.file</name>
+    <value>/opt/hbase/keytabs/hbase.keytab</value>
+  </property>
+  <property>
+    <name>hbase.regionserver.kerberos.principal</name>
+    <value>hbase/[email protected]</value>
+  </property>
+  <property>
+    <name>hbase.regionserver.keytab.file</name>
+    <value>/opt/hbase/keytabs/hbase.keytab</value>
+  </property>
+  <property>
+    <name>hbase.coprocessor.region.classes</name>
+    <value>org.apache.hadoop.hbase.security.token.TokenProvider</value>
+  </property>
 </configuration>