
Untitled

a guest
Aug 19th, 2017
  1. #! /usr/bin/env bash
  2.  
  # Stop at the first command that returns a non-zero status.
  # NOTE(review): this only sees the exit status of each command. An expect
  # script whose prompt wait times out still exits 0, so the interactive steps
  # further down are not protected by this setting.
  set -o errexit
  4.  
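  #######################################
  # Leave the script, optionally waiting for the operator to press Enter.
  # Globals:   PAUSE (read) - the literal string 'true' enables the wait
  # Arguments: $1 - exit status; treated as 0 when omitted
  # Returns:   never returns; always exits the shell
  #######################################
  function terminate() {
    if [[ "${PAUSE:-}" == 'true' ]]; then
      # -r keeps backslashes in the typed line literal; the line is discarded.
      read -r -p "Press [Enter] to exit..."
    fi
    # Quoted, with an explicit default, so a missing or odd argument cannot be
    # word-split or silently turn into "exit with the last command's status".
    exit "${1:-0}"
  }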
  11.  
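  #######################################
  # Refuse to continue unless the effective UID is 0.
  # Globals:   EUID (read)
  # Arguments: any arguments are only echoed back in the sudo hint
  # Outputs:   the hint on stderr when the check fails
  # Returns:   0 when running as root; otherwise exits through terminate 1
  #######################################
  function ensure_user_is_root() {
    if (( EUID != 0 )); then
      # "${*}" joins the arguments into one word; "${@}" inside a larger
      # string would split it into several words.
      echo "You must run this script as root. Try 'sudo ${0} ${*}'." >&2
      terminate 1
    fi
  }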
  18.  
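  #######################################
  # Translate command-line switches into exported flags.
  # Globals:   FORCE (exported on --force; nothing in the visible script
  #            reads it), PAUSE (exported on --pause, read by terminate)
  # Arguments: the script's command-line arguments
  # Outputs:   a message on stderr for an unrecognised option
  # Returns:   0 when every option is known; otherwise exits via terminate 1
  #######################################
  function parse_arguments() {
    local argument
    # "$@" keeps each argument as one word; the unquoted form would split on
    # whitespace and expand glob characters before the comparison.
    for argument in "$@"; do
      case "${argument}" in
        --force)
          export FORCE='true'
          ;;
        --pause)
          export PAUSE='true'
          ;;
        *)
          echo "Unknown option: ${argument}" >&2
          terminate 1
          ;;
      esac
    done
  }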
  31.  
  #######################################
  # Print one progress line carrying the script's "[QuickStart]" tag.
  # Arguments: $1 - message text
  # Outputs:   the tagged message on stdout
  #######################################
  function log() {
    local message=${1}
    printf '%s\n' "[QuickStart] ${message}"
  }
  35.  
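  # Quoted so every command-line option reaches the parser as a single word.
  parse_arguments "$@"

  # Each setting keeps a value already present in the environment and falls
  # back to the QuickStart default otherwise.
  KERBEROS_REALM=${KERBEROS_REALM:-CLOUDERA}
  KERBEROS_DOMAIN=${KERBEROS_DOMAIN:-cloudera}
  KERBEROS_HOSTNAME=${KERBEROS_HOSTNAME:-quickstart.${KERBEROS_DOMAIN}}
  KERBEROS_PRINCIPAL=${KERBEROS_PRINCIPAL:-cloudera-scm/admin}
  # NOTE(security): this one value is used both as the KDC database master key
  # and as the admin principal's password, and the default is a fixed,
  # well-known string. Set KERBEROS_PASSWORD in the environment for anything
  # other than a disposable test VM.
  KERBEROS_PASSWORD=${KERBEROS_PASSWORD:-cloudera}
  # The '*' is stored literally (no glob expansion on assignment). JAVA_HOME is
  # only referenced by the commented-out JCE steps in this script.
  JAVA_HOME=${JAVA_HOME:-/usr/java/jdk1.7.0_*-cloudera}

  ensure_user_is_root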
  46.  
  47. # Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files
  48. # for JDK/JRE 7 must be installed in order to use 256-bit AES encryption
  49. #if [ ! -e /home/cloudera/Downloads/UnlimitedJCEPolicyJDK7.zip ]; then
  50. # echo "You must first download the "Java Cryptography Extension (JCE) Unlimited"
  51. # echo "Strength Jurisdiction Policy Files for JDK/JRE 7" to /home/cloudera/Downloads."
  52. # echo "You can download them here:"
  53. # echo ""
  54. # echo " http://www.oracle.com/technetwork/java/javase/downloads/index.html"
  55. # echo ""
  56. # terminate 2
  57. #fi
  58.  
  59. #log 'Unpacking Unlimited JCE policy files...'
  60. #cd /tmp
  61. #unzip /home/cloudera/Downloads/UnlimitedJCEPolicyJDK7.zip
  62.  
  63. #log 'Installing Unlimited JCE policy files...'
  64. #mv UnlimitedJCEPolicy/*.jar ${JAVA_HOME}/jre/lib/security/
  65.  
  log 'Installing Kerberos...'
  # NOTE(review): expect is used later in this script but is not in this
  # package list; presumably it is already present on the image. Confirm.
  kerberos_packages=(krb5-server krb5-workstation openldap)
  yum install -y "${kerberos_packages[@]}"

  # Register both daemons to start at boot.
  for boot_service in krb5kdc kadmin; do
    chkconfig "${boot_service}" on
  done

  # Marker file; nothing in this script reads it back (presumably consumed by
  # other QuickStart tooling).
  touch /var/lib/cloudera-quickstart/.kerberos
  72.  
  log 'Configuring Kerberos...'

  # Client-side configuration. The existing /etc/krb5.conf is overwritten with
  # no backup. The here-document delimiter is unquoted, so the shell fills in
  # the realm, host and domain variables before the file is written.
  # DNS lookups for realm and KDC are switched off; clients locate the KDC only
  # through the [realms] entry written here.
  cat <<EOF > /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = ${KERBEROS_REALM}
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
${KERBEROS_REALM} = {
kdc = ${KERBEROS_HOSTNAME}
admin_server = ${KERBEROS_HOSTNAME}
max_renewable_life = 7d 0h 0m 0s
default_principal_flags = +renewable
}

[domain_realm]
.${KERBEROS_DOMAIN} = ${KERBEROS_REALM}
${KERBEROS_DOMAIN} = ${KERBEROS_REALM}
EOF
  101.  
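  # KDC-side configuration; any existing kdc.conf is overwritten.
  # Fix: max_life now sits on its own line. It had been fused onto the end of
  # the supported_enctypes line, where it would be read as part of the
  # encryption-type list instead of as a setting.
  # NOTE(security): the enctype list still offers single-DES (des-hmac-sha1,
  # des-cbc-md5, des-cbc-crc) and RC4 (arcfour-hmac). Those are weak and are
  # kept only to preserve the original QuickStart behaviour; restrict the list
  # to AES types for anything beyond a disposable test VM.
  cat > /var/kerberos/krb5kdc/kdc.conf <<EOF
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88

[realms]
${KERBEROS_REALM} = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
# Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files
# for JDK/JRE 7 must be installed in order to use 256-bit AES encryption (aes256-cts:normal)
supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
max_life = 30d
max_renewable_life = 30d
}
EOF

  # NOTE(security): this ACL grants every kadmin privilege to any principal
  # whose instance is "admin" in the realm, so each */admin principal is a
  # full KDC administrator.
  printf '%s\n' "*/admin@${KERBEROS_REALM} *" > /var/kerberos/krb5kdc/kadm5.acl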
  121.  
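  log 'Setting root password for Kerberos...'
  # Creates the KDC database and, because of -s, a stash file for the master
  # key, answering both master-key prompts from KERBEROS_PASSWORD.
  #
  # Fix 1: each send now ends in "\r". The backslash was missing, so the
  # password was typed followed by a literal "r" and the prompt never got its
  # Enter key. The run log on this page shows the result: send "clouderar",
  # and kadmin.local then finds no database.
  # Fix 2: the here-document delimiter is quoted and the password is read from
  # the environment inside expect. The shell no longer pastes the value into
  # the Tcl script, so characters such as $, [, " or \ in a password are sent
  # as typed instead of being interpreted by Tcl.
  KERBEROS_PASSWORD="${KERBEROS_PASSWORD}" expect - <<'EOF'
set timeout 60

spawn kdb5_util create -s
expect "Enter KDC database master key:"
send -- "$env(KERBEROS_PASSWORD)\r"
expect "Re-enter KDC database master key to verify:"
send -- "$env(KERBEROS_PASSWORD)\r"
expect eof
EOF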
  133.  
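  log 'Creating Kerberos principal...'
  # Adds the Cloudera Manager admin principal through kadmin.local and answers
  # both password prompts from KERBEROS_PASSWORD.
  #
  # Fix 1: the backslashes are restored. "\r" sends Enter after the password
  # (it had degraded to a literal trailing "r"), and \" keeps the quotation
  # marks around the principal name inside the expected prompt text.
  # Fix 2: principal, realm and password are handed to expect through the
  # environment with a quoted here-document, so none of the values is
  # re-parsed as Tcl source.
  KERBEROS_PRINCIPAL="${KERBEROS_PRINCIPAL}" \
    KERBEROS_REALM="${KERBEROS_REALM}" \
    KERBEROS_PASSWORD="${KERBEROS_PASSWORD}" \
    expect - <<'EOF'
set timeout 60

spawn kadmin.local -q "addprinc $env(KERBEROS_PRINCIPAL)"
expect "Enter password for principal \"$env(KERBEROS_PRINCIPAL)@$env(KERBEROS_REALM)\":"
send -- "$env(KERBEROS_PASSWORD)\r"
expect "Re-enter password for principal \"$env(KERBEROS_PRINCIPAL)@$env(KERBEROS_REALM)\":"
send -- "$env(KERBEROS_PASSWORD)\r"
expect eof
EOF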
  145.  
  log 'Starting Kerberos services...'
  # Start the KDC first, then the admin daemon, in the same order as before.
  for daemon in krb5kdc kadmin; do
    service "${daemon}" start
  done
  149.  
  # Closing banner: tells the operator what to enter in Cloudera Manager.
  # NOTE(security): the banner prints KERBEROS_PASSWORD in clear text, so the
  # admin password ends up in terminal scrollback and in any captured log of
  # this run.
  cat <<EOF
________________________________________________________________________________

Success! Kerberos is now running. You can enable Kerberos in a Cloudera Manager
cluster from the drop-down menu for that cluster on the CM home page. It will
ask you to confirm that this script performed the following steps:

* set up a working KDC.
* checked that the KDC allows renewable tickets.
* installed the client libraries.
* created a proper account for Cloudera Manager.

Then, it will prompt you for the following details (accept defaults if not
specified here):

KDC Type: MIT KDC
KDC Server Host: ${KERBEROS_HOSTNAME}
Kerberos Security Realm: ${KERBEROS_REALM}

Later, it will prompt you for KDC account manager credentials:

Username: ${KERBEROS_PRINCIPAL} (@ ${KERBEROS_REALM})
Password: ${KERBEROS_PASSWORD}

EOF

  # No status argument is passed; terminate honours --pause before exiting.
  terminate
  177.  
  178. [root@quickstart /]# sudo ./home/cloudera/kerberos
  179. [QuickStart] Installing Kerberos...
  180. Loaded plugins: fastestmirror
  181. Setting up Install Process
  182. Loading mirror speeds from cached hostfile
  183. * base: ftp.cvut.cz
  184. * epel: mirror.slu.cz
  185. * extras: ftp.cvut.cz
  186. * updates: ftp.cvut.cz
  187. Package krb5-server-1.10.3-65.el6.x86_64 already installed and latest version
  188. Package krb5-workstation-1.10.3-65.el6.x86_64 already installed and latest version
  189. Package openldap-2.4.40-16.el6.x86_64 already installed and latest version
  190. Nothing to do
  191. [QuickStart] Configuring Kerberos...
  192. [QuickStart] Setting root password for Kerberos...
  193. spawn kdb5_util create -s
  194. Loading random data
  195. cloudera
  196. cloudera
  197. [QuickStart] Creating Kerberos principal...
  198. spawn kadmin.local -q addprinc cloudera-scm/admin
  199. Authenticating as principal root/admin@CLOUDERA with password.
  200. kadmin.local: No such file or directory while initializing kadmin.local interface
  201. send: spawn id exp4 not open
  202. while executing
  203. "send "clouderar""
  204.  
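  log 'Creating Kerberos principal...'
  # This is the step that fails in the run log above. Two things are repaired:
  # - "\r" is restored on each send (the log shows send "clouderar", i.e. the
  #   password followed by a literal "r" and no Enter), and \" is restored
  #   around the principal name in the expected prompt text;
  # - principal, realm and password reach expect through the environment with
  #   a quoted here-document, so their characters are never re-parsed as Tcl.
  # NOTE(review): the "No such file or directory" from kadmin.local in that log
  # most likely means the earlier kdb5_util step never created the database,
  # because its sends lacked "\r" as well; that step needs the same repair.
  KERBEROS_PRINCIPAL="${KERBEROS_PRINCIPAL}" \
    KERBEROS_REALM="${KERBEROS_REALM}" \
    KERBEROS_PASSWORD="${KERBEROS_PASSWORD}" \
    expect - <<'EOF'
set timeout 60

spawn kadmin.local -q "addprinc $env(KERBEROS_PRINCIPAL)"
expect "Enter password for principal \"$env(KERBEROS_PRINCIPAL)@$env(KERBEROS_REALM)\":"
send -- "$env(KERBEROS_PASSWORD)\r"
expect "Re-enter password for principal \"$env(KERBEROS_PRINCIPAL)@$env(KERBEROS_REALM)\":"
send -- "$env(KERBEROS_PASSWORD)\r"
expect eof
EOF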