diff --git a/hadoop-ozone/dist/dev-support/bin/dist-layout-stitching b/hadoop-ozone/dist/dev-support/bin/dist-layout-stitching
index 255b168536b8..2491a1a565e6 100755
--- a/hadoop-ozone/dist/dev-support/bin/dist-layout-stitching
+++ b/hadoop-ozone/dist/dev-support/bin/dist-layout-stitching
@@ -120,6 +120,9 @@ run cp -p -r "${ROOT}/hadoop-ozone/dist/src/main/smoketest" .
run cp -p -r "${ROOT}/hadoop-ozone/dist/target/k8s" kubernetes
run cp -p -r "${ROOT}/hadoop-ozone/dist/target/Dockerfile" .
+#Copy pre-generated keytabs
+run cp -p -R "${ROOT}/hadoop-ozone/dist/src/main/keytabs" compose/_keytabs
+
#workaround for https://issues.apache.org/jira/browse/MRESOURCES-236
find ./compose -name "*.sh" -exec chmod 755 {} \;
find ./kubernetes -name "*.sh" -exec chmod 755 {} \;
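Review bot: The added copy reads `${ROOT}/hadoop-ozone/dist/src/main/keytabs`, but the keytab files this commit adds live under `src/main/compose/ozonesecure-ha/keytabs` and `src/main/compose/ozonesecure-mr/keytabs`; nothing under `src/main/keytabs` appears in this diff, so unless that directory exists outside it the `run cp` fails (or `compose/_keytabs`, which every compose file now mounts, ends up empty) — confirm the source path. `cp -p` also preserves the committed mode of the keytab blobs, which is `100755` in this diff, so they arrive executable; keytabs conventionally carry no execute bit, e.g. `find compose/_keytabs -type f -exec chmod 644 {} \;` next to the existing `find ./compose` line. Minor: the neighbouring copies use `-r`, this one `-R`.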
diff --git a/hadoop-ozone/dist/pom.xml b/hadoop-ozone/dist/pom.xml
index 0addb0f45c1b..88d74a7c73b0 100644
--- a/hadoop-ozone/dist/pom.xml
+++ b/hadoop-ozone/dist/pom.xml
@@ -29,6 +29,7 @@
UTF-8
true
20210329-1
+ apache/ozone-testkrb5:20210419-1
diff --git a/hadoop-ozone/dist/src/main/compose/common/docker-image/docker-krb5/Dockerfile-krb5 b/hadoop-ozone/dist/src/main/compose/common/docker-image/docker-krb5/Dockerfile-krb5
deleted file mode 100644
index 69caa54a3613..000000000000
--- a/hadoop-ozone/dist/src/main/compose/common/docker-image/docker-krb5/Dockerfile-krb5
+++ /dev/null
@@ -1,35 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-FROM openjdk:8u191-jdk-alpine3.9
-# hadolint ignore=DL3018
-RUN apk add --no-cache bash ca-certificates openssl krb5-server krb5 wget && update-ca-certificates
-RUN wget -O /usr/local/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v1.2.0/dumb-init_1.2.0_amd64
-RUN chmod +x /usr/local/bin/dumb-init
-RUN wget -c https://github.com/flokkr/issuer/releases/download/1.0.3/issuer_1.0.3_linux_amd64.tar.gz -O - | tar -xz -C /root
-RUN chmod +x /root/issuer
-WORKDIR /opt
-COPY krb5.conf /etc/
-COPY kadm5.acl /var/lib/krb5kdc/kadm5.acl
-RUN kdb5_util create -s -P Welcome1
-RUN kadmin.local -q "addprinc -randkey admin/admin@EXAMPLE.COM"
-RUN kadmin.local -q "ktadd -k /tmp/admin.keytab admin/admin@EXAMPLE.COM"
-COPY launcher.sh .
-RUN chmod +x /opt/launcher.sh
-RUN mkdir -p /data
-ENTRYPOINT ["/usr/local/bin/dumb-init", "--", "/opt/launcher.sh"]
-
diff --git a/hadoop-ozone/dist/src/main/compose/common/docker-image/docker-krb5/README.md b/hadoop-ozone/dist/src/main/compose/common/docker-image/docker-krb5/README.md
deleted file mode 100644
index 60b675c8db5f..000000000000
--- a/hadoop-ozone/dist/src/main/compose/common/docker-image/docker-krb5/README.md
+++ /dev/null
@@ -1,34 +0,0 @@
-
-
-# Experimental UNSECURE krb5 Kerberos container.
-
-Only for development. Not for production.
-
-The docker image contains a rest service which provides keystore and keytab files without any authentication!
-
-Master password: Welcome1
-
-Principal: admin/admin@EXAMPLE.COM Password: Welcome1
-
-Test:
-
-```
-docker run --net=host krb5
-
-docker run --net=host -it --entrypoint=bash krb5
-kinit admin/admin
-#pwd: Welcome1
-klist
-```
diff --git a/hadoop-ozone/dist/src/main/compose/common/docker-image/docker-krb5/kadm5.acl b/hadoop-ozone/dist/src/main/compose/common/docker-image/docker-krb5/kadm5.acl
deleted file mode 100644
index f0cd66016fa4..000000000000
--- a/hadoop-ozone/dist/src/main/compose/common/docker-image/docker-krb5/kadm5.acl
+++ /dev/null
@@ -1,20 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-*/admin@EXAMPLE.COM x
diff --git a/hadoop-ozone/dist/src/main/compose/common/docker-image/docker-krb5/launcher.sh b/hadoop-ozone/dist/src/main/compose/common/docker-image/docker-krb5/launcher.sh
deleted file mode 100644
index 0824f7b7ae62..000000000000
--- a/hadoop-ozone/dist/src/main/compose/common/docker-image/docker-krb5/launcher.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -e
-/root/issuer &
-krb5kdc -n &
-sleep 4
-kadmind -nofork &
-sleep 2
-tail -f /var/log/krb5kdc.log &
-tail -f /var/log/kadmind.log
-
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/.env b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/.env
index cf43c7613e11..85cf1d28af5f 100644
--- a/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/.env
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/.env
@@ -17,4 +17,5 @@
HDDS_VERSION=${hdds.version}
HADOOP_VERSION=3
OZONE_RUNNER_VERSION=${docker.ozone-runner.version}
+OZONE_TESTKRB5_IMAGE=${docker.ozone-testkr5b.image}
OZONE_OPTS=
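Review bot: The placeholder `${docker.ozone-testkr5b.image}` on the added line spells the property with `kr5b`, while the compose variable it feeds is `OZONE_TESTKRB5_IMAGE` and the image value added to pom.xml is `apache/ozone-testkrb5:20210419-1`. The pom property name itself is not visible in this diff, so verify it is spelled identically; if it is not, Maven filtering leaves the literal `${docker.ozone-testkr5b.image}` in `.env` and the kdc service has no resolvable image. The same placeholder is added to ozonesecure-mr/.env and ozonesecure/.env.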
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/docker-compose.yaml b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/docker-compose.yaml
index b96034b399cf..c74ef15f402d 100644
--- a/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/docker-compose.yaml
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/docker-compose.yaml
@@ -17,13 +17,12 @@
version: "3"
services:
kdc:
- build:
- context: ../common/docker-image/docker-krb5
- dockerfile: Dockerfile-krb5
- image: ozone-insecure-krb5
+ image: ${OZONE_TESTKRB5_IMAGE}
hostname: kdc
volumes:
- ../..:/opt/hadoop
+ - ../_keytabs:/etc/security/keytabs
+ command: ["krb5kdc","-n"]
networks:
ozone_net:
ipv4_address: 172.25.0.100
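Review bot: The new bind mounts `../_keytabs:/etc/security/keytabs` (and `./krb5.conf:/etc/krb5.conf` in the later hunks) are read-write although the keytabs are pre-generated and no service in this file writes to them; appending `:ro` — `- ../_keytabs:/etc/security/keytabs:ro` — keeps any one container from altering the shared host directory every other service mounts. The single `_keytabs` directory also exposes every service's keytab (scm, om, dn, s3g, recon, testuser*) to every container, where the removed `KERBEROS_KEYTABS` lists handed each service only its own; acceptable for a test fixture, but a one-line comment on the kdc service (`# all keytabs are shared read-only with every service; test-only layout`) would stop the layout being copied into a real deployment. The `kdc` service still mounts `../..:/opt/hadoop` although its command is now `krb5kdc -n`, so that mount looks unused. The same points apply to the kdc and service hunks in ozonesecure-mr/docker-compose.yaml and ozonesecure/docker-compose.yaml.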
@@ -33,10 +32,12 @@ services:
- 9600:9600
env_file:
- ./docker-config
- environment:
- HADOOP_CONF_DIR: /opt/hadoop/etc/hadoop
volumes:
+ - ../_keytabs:/etc/security/keytabs
+ - ./krb5.conf:/etc/krb5.conf
- ../../libexec/transformation.py:/opt/transformation.py
+ environment:
+ HADOOP_CONF_DIR: /opt/hadoop/etc/hadoop
command: ["hadoop", "kms"]
networks:
ozone_net:
@@ -45,6 +46,8 @@ services:
image: apache/ozone-runner:${OZONE_RUNNER_VERSION}
volumes:
- ../..:/opt/hadoop
+ - ../_keytabs:/etc/security/keytabs
+ - ./krb5.conf:/etc/krb5.conf
ports:
- 9864:9999
command: ["/opt/hadoop/bin/ozone","datanode"]
@@ -57,7 +60,6 @@ services:
- docker-config
environment:
WAITFOR: scm3.org:9894
- KERBEROS_KEYTABS: dn HTTP
OZONE_OPTS:
networks:
ozone_net:
@@ -66,6 +68,8 @@ services:
image: apache/ozone-runner:${OZONE_RUNNER_VERSION}
volumes:
- ../..:/opt/hadoop
+ - ../_keytabs:/etc/security/keytabs
+ - ./krb5.conf:/etc/krb5.conf
ports:
- 9866:9999
command: ["/opt/hadoop/bin/ozone","datanode"]
@@ -78,7 +82,6 @@ services:
- docker-config
environment:
WAITFOR: scm3.org:9894
- KERBEROS_KEYTABS: dn HTTP
OZONE_OPTS:
networks:
ozone_net:
@@ -87,6 +90,8 @@ services:
image: apache/ozone-runner:${OZONE_RUNNER_VERSION}
volumes:
- ../..:/opt/hadoop
+ - ../_keytabs:/etc/security/keytabs
+ - ./krb5.conf:/etc/krb5.conf
ports:
- 9868:9999
command: ["/opt/hadoop/bin/ozone","datanode"]
@@ -99,7 +104,6 @@ services:
- docker-config
environment:
WAITFOR: scm3.org:9894
- KERBEROS_KEYTABS: dn HTTP
OZONE_OPTS:
networks:
ozone_net:
@@ -109,6 +113,8 @@ services:
hostname: om1
volumes:
- ../..:/opt/hadoop
+ - ../_keytabs:/etc/security/keytabs
+ - ./krb5.conf:/etc/krb5.conf
ports:
- 9880:9874
- 9890:9872
@@ -116,7 +122,6 @@ services:
environment:
WAITFOR: scm3.org:9894
ENSURE_OM_INITIALIZED: /data/metadata/om/current/VERSION
- KERBEROS_KEYTABS: om HTTP
OZONE_OPTS:
env_file:
- ./docker-config
@@ -133,6 +138,8 @@ services:
hostname: om2
volumes:
- ../..:/opt/hadoop
+ - ../_keytabs:/etc/security/keytabs
+ - ./krb5.conf:/etc/krb5.conf
ports:
- 9882:9874
- 9892:9872
@@ -140,7 +147,6 @@ services:
environment:
WAITFOR: scm3.org:9894
ENSURE_OM_INITIALIZED: /data/metadata/om/current/VERSION
- KERBEROS_KEYTABS: om HTTP
OZONE_OPTS:
env_file:
- ./docker-config
@@ -157,6 +163,8 @@ services:
hostname: om3
volumes:
- ../..:/opt/hadoop
+ - ../_keytabs:/etc/security/keytabs
+ - ./krb5.conf:/etc/krb5.conf
ports:
- 9884:9874
- 9894:9872
@@ -164,7 +172,6 @@ services:
environment:
WAITFOR: scm3.org:9894
ENSURE_OM_INITIALIZED: /data/metadata/om/current/VERSION
- KERBEROS_KEYTABS: om HTTP
OZONE_OPTS:
env_file:
- ./docker-config
@@ -181,13 +188,14 @@ services:
hostname: s3g
volumes:
- ../..:/opt/hadoop
+ - ../_keytabs:/etc/security/keytabs
+ - ./krb5.conf:/etc/krb5.conf
ports:
- 9878:9878
env_file:
- ./docker-config
command: ["/opt/hadoop/bin/ozone","s3g"]
environment:
- KERBEROS_KEYTABS: s3g HTTP testuser
OZONE_OPTS:
networks:
ozone_net:
@@ -197,13 +205,14 @@ services:
hostname: scm1.org
volumes:
- ../..:/opt/hadoop
+ - ../_keytabs:/etc/security/keytabs
+ - ./krb5.conf:/etc/krb5.conf
ports:
- 9990:9876
- 9992:9860
env_file:
- docker-config
environment:
- KERBEROS_KEYTABS: scm HTTP testuser testuser2
ENSURE_SCM_INITIALIZED: /data/metadata/scm/current/VERSION
OZONE-SITE.XML_hdds.scm.safemode.min.datanode: "${OZONE_SAFEMODE_MIN_DATANODES:-3}"
OZONE_OPTS:
@@ -223,6 +232,8 @@ services:
hostname: scm2.org
volumes:
- ../..:/opt/hadoop
+ - ../_keytabs:/etc/security/keytabs
+ - ./krb5.conf:/etc/krb5.conf
ports:
- 9994:9876
- 9996:9860
@@ -230,7 +241,6 @@ services:
- docker-config
environment:
WAITFOR: scm1.org:9894
- KERBEROS_KEYTABS: scm HTTP testuser testuser2
ENSURE_SCM_BOOTSTRAPPED: /data/metadata/scm/current/VERSION
OZONE-SITE.XML_hdds.scm.safemode.min.datanode: "${OZONE_SAFEMODE_MIN_DATANODES:-3}"
OZONE_OPTS:
@@ -250,6 +260,8 @@ services:
hostname: scm3.org
volumes:
- ../..:/opt/hadoop
+ - ../_keytabs:/etc/security/keytabs
+ - ./krb5.conf:/etc/krb5.conf
ports:
- 9998:9876
- 10002:9860
@@ -257,7 +269,6 @@ services:
- docker-config
environment:
WAITFOR: scm2.org:9894
- KERBEROS_KEYTABS: scm HTTP testuser testuser2
ENSURE_SCM_BOOTSTRAPPED: /data/metadata/scm/current/VERSION
OZONE-SITE.XML_hdds.scm.safemode.min.datanode: "${OZONE_SAFEMODE_MIN_DATANODES:-3}"
OZONE_OPTS:
@@ -282,7 +293,6 @@ services:
env_file:
- ./docker-config
environment:
- KERBEROS_KEYTABS: recon HTTP
OZONE_OPTS:
command: ["/opt/hadoop/bin/ozone","recon"]
extra_hosts:
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/docker-config b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/docker-config
index 565b0a1cf773..6718365feb80 100644
--- a/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/docker-config
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/docker-config
@@ -69,16 +69,16 @@ CORE-SITE.XML_hadoop.security.auth_to_local=RULE:[2:$1](testuser2.*) RULE:[2:$1@
CORE-SITE.XML_hadoop.security.key.provider.path=kms://http@kms:9600/kms
-OZONE-SITE.XML_hdds.scm.kerberos.principal=scm/_HOST@EXAMPLE.COM
+OZONE-SITE.XML_hdds.scm.kerberos.principal=scm/scm@EXAMPLE.COM
OZONE-SITE.XML_hdds.scm.kerberos.keytab.file=/etc/security/keytabs/scm.keytab
-OZONE-SITE.XML_ozone.om.kerberos.principal=om/_HOST@EXAMPLE.COM
+OZONE-SITE.XML_ozone.om.kerberos.principal=om/om@EXAMPLE.COM
OZONE-SITE.XML_ozone.om.kerberos.keytab.file=/etc/security/keytabs/om.keytab
OZONE-SITE.XML_ozone.recon.kerberos.keytab.file=/etc/security/keytabs/recon.keytab
OZONE-SITE.XML_ozone.recon.kerberos.principal=recon/recon@EXAMPLE.COM
-HDFS-SITE.XML_dfs.datanode.kerberos.principal=dn/_HOST@EXAMPLE.COM
+HDFS-SITE.XML_dfs.datanode.kerberos.principal=dn/dn@EXAMPLE.COM
HDFS-SITE.XML_dfs.datanode.keytab.file=/etc/security/keytabs/dn.keytab
-HDFS-SITE.XML_dfs.web.authentication.kerberos.principal=HTTP/_HOST@EXAMPLE.COM
+HDFS-SITE.XML_dfs.web.authentication.kerberos.principal=HTTP/ozone@EXAMPLE.COM
HDFS-SITE.XML_dfs.web.authentication.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
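Review bot: The replaced principals drop `_HOST` for fixed host parts that do not match the compose hostnames: `scm/scm@EXAMPLE.COM` serves scm1.org–scm3.org, `om/om@EXAMPLE.COM` serves om1–om3, and `HTTP/ozone@EXAMPLE.COM` (line 389, again at line 413) names a host no service uses. This presumably works only because all HA members share one keytab entry and clients derive the expected server principal from this same config rather than from the peer's hostname; a comment above the block, `# fixed principals: every HA member uses the same keytab entry, hostnames are not validated`, would keep the next reader from reintroducing `_HOST`. Whether the committed `HTTP.keytab` actually holds `HTTP/ozone`, `HTTP/scm`, `HTTP/om`, `HTTP/s3g` and `HTTP/recon` cannot be checked from the binary blobs in this diff; worth confirming with `klist -k` before merge. The same `HTTP/ozone` change is made in ozonesecure/docker-config.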
@@ -91,21 +91,22 @@ OZONE-SITE.XML_hdds.datanode.http.auth.type=kerberos
OZONE-SITE.XML_ozone.s3g.http.auth.type=kerberos
OZONE-SITE.XML_ozone.recon.http.auth.type=kerberos
-OZONE-SITE.XML_hdds.scm.http.auth.kerberos.principal=HTTP/_HOST@EXAMPLE.COM
+OZONE-SITE.XML_hdds.scm.http.auth.kerberos.principal=HTTP/scm@EXAMPLE.COM
OZONE-SITE.XML_hdds.scm.http.auth.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
-OZONE-SITE.XML_ozone.om.http.auth.kerberos.principal=HTTP/_HOST@EXAMPLE.COM
+OZONE-SITE.XML_ozone.om.http.auth.kerberos.principal=HTTP/om@EXAMPLE.COM
OZONE-SITE.XML_ozone.om.http.auth.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
-OZONE-SITE.XML_hdds.datanode.http.auth.kerberos.principal=HTTP/_HOST@EXAMPLE.COM
+OZONE-SITE.XML_hdds.datanode.http.auth.kerberos.principal=HTTP/db@EXAMPLE.COM
OZONE-SITE.XML_hdds.datanode.http.auth.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
OZONE-SITE.XML_ozone.s3g.http.auth.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
OZONE-SITE.XML_ozone.s3g.http.auth.kerberos.principal=HTTP/s3g@EXAMPLE.COM
OZONE-SITE.XML_ozone.recon.http.auth.kerberos.principal=HTTP/recon@EXAMPLE.COM
-OZONE-SITE.XML_ozone.recon.http.auth.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
+OZONE-SITE.XML_ozone.recon.http.auth.kerberos.keytab=/etc/security/keytabs/recon.keytab
+OZONE-SITE.XML_ozone.recon.http.auth.kerberos.keytab=/etc/security/keytabs/recon.keytab
CORE-SITE.XML_hadoop.http.authentication.simple.anonymous.allowed=false
CORE-SITE.XML_hadoop.http.authentication.signature.secret.file=/etc/security/http_secret
CORE-SITE.XML_hadoop.http.authentication.type=kerberos
-CORE-SITE.XML_hadoop.http.authentication.kerberos.principal=HTTP/_HOST@EXAMPLE.COM
+CORE-SITE.XML_hadoop.http.authentication.kerberos.principal=HTTP/ozone@EXAMPLE.COM
CORE-SITE.XML_hadoop.http.authentication.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
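Review bot: Line 401 sets the datanode HTTP principal to `HTTP/db@EXAMPLE.COM`, which looks like a typo for `HTTP/dn@EXAMPLE.COM` — the datanode RPC principal on line 386 is `dn/dn@EXAMPLE.COM` and the ozonesecure-mr counterpart uses `HTTP/dn@EXAMPLE.COM`; unless the keytab really contains `HTTP/db`, datanode web authentication will fail to log in. Lines 407–408 add `OZONE-SITE.XML_ozone.recon.http.auth.kerberos.keytab=/etc/security/keytabs/recon.keytab` twice; drop the duplicate. That line also moves recon's HTTP auth from `HTTP.keytab` to `recon.keytab` while the principal on line 405 stays `HTTP/recon@EXAMPLE.COM`, so `recon.keytab` must carry the HTTP/recon entry as well as recon/recon — please confirm.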
@@ -123,14 +124,9 @@ HDFS-SITE.XML_rpc.metrics.percentiles.intervals=60,300
#BYTEMAN_SCRIPT_URL=https://raw.githubusercontent.com/apache/hadoop/trunk/dev-support/byteman/hadooprpc.btm
OZONE_DATANODE_SECURE_USER=root
-SECURITY_ENABLED=true
-KEYTAB_DIR=/etc/security/keytabs
-KERBEROS_KEYSTORES=hadoop
-KERBEROS_SERVER=kdc
JAVA_HOME=/usr/lib/jvm/jre
JSVC_HOME=/usr/bin
SLEEP_SECONDS=5
-KERBEROS_ENABLED=true
OZONE_CONF_DIR=/etc/hadoop
OZONE_LOG_DIR=/var/log/hadoop
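Review bot: Besides the `KERBEROS_*`/`KEYTAB_DIR` variables that the removed issuer-based keytab fetching needed, this hunk also deletes `SECURITY_ENABLED=true`, which is not obviously tied to the kdc image swap; the ozonesecure-mr docker-config hunk removes only the `KERBEROS_*` and `KEYTAB_DIR` lines. If any runner or smoketest script still gates on `SECURITY_ENABLED`, its removal here silently turns those checks off for the HA environment only — worth confirming that nothing reads it, or keeping the line.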
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/keytabs/HTTP.keytab b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/keytabs/HTTP.keytab
new file mode 100755
index 000000000000..073055f48c3e
Binary files /dev/null and b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/keytabs/HTTP.keytab differ
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/keytabs/dn.keytab b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/keytabs/dn.keytab
new file mode 100755
index 000000000000..263047401e46
Binary files /dev/null and b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/keytabs/dn.keytab differ
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/keytabs/om.keytab b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/keytabs/om.keytab
new file mode 100755
index 000000000000..1241ec25ce0c
Binary files /dev/null and b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/keytabs/om.keytab differ
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/keytabs/recon.keytab b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/keytabs/recon.keytab
new file mode 100755
index 000000000000..4a35968edc9a
Binary files /dev/null and b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/keytabs/recon.keytab differ
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/keytabs/s3g.keytab b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/keytabs/s3g.keytab
new file mode 100755
index 000000000000..8cbe7cd6f9c1
Binary files /dev/null and b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/keytabs/s3g.keytab differ
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/keytabs/scm.keytab b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/keytabs/scm.keytab
new file mode 100755
index 000000000000..9bbfd84dc6f8
Binary files /dev/null and b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/keytabs/scm.keytab differ
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/keytabs/testuser.keytab b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/keytabs/testuser.keytab
new file mode 100755
index 000000000000..5242d2e75d20
Binary files /dev/null and b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/keytabs/testuser.keytab differ
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/keytabs/testuser2.keytab b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/keytabs/testuser2.keytab
new file mode 100755
index 000000000000..9adeb6e408d7
Binary files /dev/null and b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/keytabs/testuser2.keytab differ
diff --git a/hadoop-ozone/dist/src/main/compose/common/docker-image/docker-krb5/krb5.conf b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/krb5.conf
similarity index 96%
rename from hadoop-ozone/dist/src/main/compose/common/docker-image/docker-krb5/krb5.conf
rename to hadoop-ozone/dist/src/main/compose/ozonesecure-ha/krb5.conf
index 0c274d36bb52..eefc5b9c6858 100644
--- a/hadoop-ozone/dist/src/main/compose/common/docker-image/docker-krb5/krb5.conf
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure-ha/krb5.conf
@@ -30,8 +30,8 @@ admin_server = FILE:/var/log/kadmind.log
[realms]
EXAMPLE.COM = {
- kdc = localhost
- admin_server = localhost
+ kdc = kdc
+ admin_server = kdc
max_renewable_life = 7d
}
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/.env b/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/.env
index 43a4a9cbf9e5..2490b1f44698 100644
--- a/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/.env
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/.env
@@ -18,4 +18,5 @@ HDDS_VERSION=${hdds.version}
HADOOP_IMAGE=flokkr/hadoop
HADOOP_VERSION=3.2.2
OZONE_RUNNER_VERSION=${docker.ozone-runner.version}
+OZONE_TESTKRB5_IMAGE=${docker.ozone-testkr5b.image}
OZONE_OPTS=
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/docker-compose.yaml b/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/docker-compose.yaml
index 4af21df776c1..124d2b8ad2a8 100644
--- a/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/docker-compose.yaml
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/docker-compose.yaml
@@ -17,15 +17,14 @@
version: "3.5"
services:
kdc:
- build:
- context: ../common/docker-image/docker-krb5
- dockerfile: Dockerfile-krb5
- image: ozone-insecure-krb5
+ image: ${OZONE_TESTKRB5_IMAGE}
hostname: kdc
networks:
- ozone
volumes:
- ../..:/opt/hadoop
+ - ../_keytabs:/etc/security/keytabs
+ command: ["krb5kdc","-n"]
kms:
image: ${HADOOP_IMAGE}:${HADOOP_VERSION}
networks:
@@ -35,6 +34,7 @@ services:
env_file:
- ./docker-config
volumes:
+ - ./krb5.conf:/etc/krb5.conf
- ../../libexec/transformation.py:/opt/transformation.py
command: ["hadoop", "kms"]
datanode:
@@ -43,13 +43,14 @@ services:
- ozone
volumes:
- ../..:/opt/hadoop
+ - ../_keytabs:/etc/security/keytabs
+ - ./krb5.conf:/etc/krb5.conf
ports:
- 9864
command: ["/opt/hadoop/bin/ozone","datanode"]
env_file:
- docker-config
environment:
- KERBEROS_KEYTABS: dn HTTP
OZONE_OPTS:
om:
image: apache/ozone-runner:${OZONE_RUNNER_VERSION}
@@ -58,12 +59,13 @@ services:
- ozone
volumes:
- ../..:/opt/hadoop
+ - ../_keytabs:/etc/security/keytabs
+ - ./krb5.conf:/etc/krb5.conf
ports:
- 9874:9874
- 9862:9862
environment:
ENSURE_OM_INITIALIZED: /data/metadata/om/current/VERSION
- KERBEROS_KEYTABS: om HTTP testuser
OZONE_OPTS:
env_file:
- docker-config
@@ -75,12 +77,13 @@ services:
- ozone
volumes:
- ../..:/opt/hadoop
+ - ../_keytabs:/etc/security/keytabs
+ - ./krb5.conf:/etc/krb5.conf
ports:
- 9878:9878
env_file:
- ./docker-config
environment:
- KERBEROS_KEYTABS: s3g HTTP
OZONE_OPTS:
command: ["/opt/hadoop/bin/ozone","s3g"]
scm:
@@ -90,6 +93,8 @@ services:
- ozone
volumes:
- ../..:/opt/hadoop
+ - ../_keytabs:/etc/security/keytabs
+ - ./krb5.conf:/etc/krb5.conf
ports:
- 9876:9876
- 9860:9860
@@ -98,7 +103,6 @@ services:
environment:
ENSURE_SCM_INITIALIZED: /data/metadata/scm/current/VERSION
OZONE-SITE.XML_hdds.scm.safemode.min.datanode: "${OZONE_SAFEMODE_MIN_DATANODES:-1}"
- KERBEROS_KEYTABS: scm HTTP
OZONE_OPTS:
command: ["/opt/hadoop/bin/ozone","scm"]
rm:
@@ -108,13 +112,13 @@ services:
- ozone
volumes:
- ../..:/opt/ozone
+ - ../_keytabs:/etc/security/keytabs
+ - ./krb5.conf:/etc/krb5.conf
- ../../libexec/transformation.py:/opt/transformation.py
ports:
- 8088:8088
env_file:
- ./docker-config
- environment:
- KERBEROS_KEYTABS: rm HTTP hadoop
command: ["yarn", "resourcemanager"]
nm:
image: ${HADOOP_IMAGE}:${HADOOP_VERSION}
@@ -123,12 +127,13 @@ services:
- ozone
volumes:
- ../..:/opt/ozone
+ - ../_keytabs:/etc/security/keytabs
+ - ./krb5.conf:/etc/krb5.conf
- ../../libexec/transformation.py:/opt/transformation.py
env_file:
- ./docker-config
environment:
WAITFOR: rm:8088
- KERBEROS_KEYTABS: nm HTTP
command: ["yarn","nodemanager"]
jhs:
image: ${HADOOP_IMAGE}:${HADOOP_VERSION}
@@ -138,13 +143,14 @@ services:
- ozone
volumes:
- ../..:/opt/ozone
+ - ../_keytabs:/etc/security/keytabs
+ - ./krb5.conf:/etc/krb5.conf
- ../../libexec/transformation.py:/opt/transformation.py
ports:
- 8188:8188
env_file:
- ./docker-config
environment:
- KERBEROS_KEYTABS: jhs HTTP
WAITFOR: rm:8088
command: ["yarn","timelineserver"]
networks:
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/docker-config b/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/docker-config
index 896819693d82..c95a956b1ec4 100644
--- a/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/docker-config
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/docker-config
@@ -37,18 +37,19 @@ OZONE-SITE.XML_ozone.administrators=*
OZONE-SITE.XML_ozone.security.enabled=true
OZONE-SITE.XML_hdds.scm.http.auth.kerberos.principal=HTTP/scm@EXAMPLE.COM
-OZONE-SITE.XML_hdds.scm.http.auth.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
+OZONE-SITE.XML_hdds.scm.http.auth.kerberos.keytab=/etc/security/keytabs/scm.keytab
OZONE-SITE.XML_ozone.om.http.auth.kerberos.principal=HTTP/om@EXAMPLE.COM
-OZONE-SITE.XML_ozone.om.http.auth.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
-OZONE-SITE.XML_hdds.datanode.http.auth.kerberos.principal=HTTP/_HOST@EXAMPLE.COM
+OZONE-SITE.XML_ozone.om.http.auth.kerberos.keytab=/etc/security/keytabs/om.keytab
+OZONE-SITE.XML_hdds.datanode.http.auth.kerberos.principal=HTTP/dn@EXAMPLE.COM
OZONE-SITE.XML_hdds.datanode.http.auth.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
-OZONE-SITE.XML_ozone.s3g.http.auth.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
+OZONE-SITE.XML_ozone.s3g.http.auth.kerberos.keytab=/etc/security/keytabs/s3g.keytab
OZONE-SITE.XML_ozone.s3g.http.auth.kerberos.principal=HTTP/s3g@EXAMPLE.COM
-HDFS-SITE.XML_dfs.datanode.kerberos.principal=dn/_HOST@EXAMPLE.COM
+HDFS-SITE.XML_dfs.datanode.kerberos.principal=dn/dn@EXAMPLE.COM
HDFS-SITE.XML_dfs.datanode.keytab.file=/etc/security/keytabs/dn.keytab
-HDFS-SITE.XML_dfs.web.authentication.kerberos.principal=HTTP/_HOST@EXAMPLE.COM
-HDFS-SITE.XML_dfs.web.authentication.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
+HDFS-SITE.XML_dfs.web.authentication.kerberos.principal=HTTP/dn@EXAMPLE.COM
+HDFS-SITE.XML_dfs.web.authentication.kerberos.keytab=/etc/security/keytabs/dn.keytab
+
OZONE-SITE.XML_hdds.datanode.dir=/data/hdds
HDFS-SITE.XML_dfs.datanode.address=0.0.0.0:1019
HDFS-SITE.XML_dfs.datanode.http.address=0.0.0.0:1012
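Review bot: The keytab/principal pairing in this hunk is inconsistent for the datanode: line 641 keeps `hdds.datanode.http.auth.kerberos.keytab=/etc/security/keytabs/HTTP.keytab` while lines 650–651 point `dfs.web.authentication` at `dn.keytab` for the same `HTTP/dn@EXAMPLE.COM` principal. Likewise the scm/om/s3g HTTP principals now read from `scm.keytab`/`om.keytab`/`s3g.keytab` (lines 635, 639, 643) whereas ozonesecure-ha keeps them in `HTTP.keytab`, and the keytab blobs added for the two directories are byte-identical in this diff, so each per-service keytab must contain both its service entry and the HTTP entry for both environments to work. If that is intended, settle on one convention in both files, or add a comment above line 633 stating which keytabs carry the HTTP entries.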
@@ -90,7 +91,7 @@ YARN-SITE.XML_yarn.timeline-service.principal=jhs/jhs@EXAMPLE.COM
YARN-SITE.XML_yarn.timeline-service.keytab=/etc/security/keytabs/jhs.keytab
YARN-SITE.XML_yarn.log.server.url=http://jhs:8188/applicationhistory/logs/
-YARN-SITE.XML_yarn.nodemanager.principal=nm/_HOST@EXAMPLE.COM
+YARN-SITE.XML_yarn.nodemanager.principal=nm/nm@EXAMPLE.COM
YARN-SITE.XML_yarn.nodemanager.keytab=/etc/security/keytabs/nm.keytab
YARN-SITE.XML_yarn.nodemanager.pmem-check-enabled=false
YARN-SITE.XML_yarn.nodemanager.delete.debug-delay-sec=600
@@ -133,13 +134,9 @@ CAPACITY-SCHEDULER.XML_yarn.scheduler.capacity.queue-mappings-override.enable=fa
#BYTEMAN_SCRIPT_URL=https://raw.githubusercontent.com/apache/hadoop/trunk/dev-support/byteman/hadooprpc.btm
OZONE_DATANODE_SECURE_USER=root
-KEYTAB_DIR=/etc/security/keytabs
-KERBEROS_KEYSTORES=hadoop
-KERBEROS_SERVER=kdc
JAVA_HOME=/usr/lib/jvm/jre
JSVC_HOME=/usr/bin
SLEEP_SECONDS=5
-KERBEROS_ENABLED=true
HADOOP_CLASSPATH=/opt/ozone/share/ozone/lib/hadoop-ozone-filesystem-hadoop3-@project.version@.jar
OZONE_CLASSPATH=
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/keytabs/HTTP.keytab b/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/keytabs/HTTP.keytab
new file mode 100755
index 000000000000..073055f48c3e
Binary files /dev/null and b/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/keytabs/HTTP.keytab differ
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/keytabs/dn.keytab b/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/keytabs/dn.keytab
new file mode 100755
index 000000000000..263047401e46
Binary files /dev/null and b/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/keytabs/dn.keytab differ
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/keytabs/om.keytab b/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/keytabs/om.keytab
new file mode 100755
index 000000000000..1241ec25ce0c
Binary files /dev/null and b/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/keytabs/om.keytab differ
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/keytabs/recon.keytab b/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/keytabs/recon.keytab
new file mode 100755
index 000000000000..4a35968edc9a
Binary files /dev/null and b/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/keytabs/recon.keytab differ
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/keytabs/s3g.keytab b/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/keytabs/s3g.keytab
new file mode 100755
index 000000000000..8cbe7cd6f9c1
Binary files /dev/null and b/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/keytabs/s3g.keytab differ
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/keytabs/scm.keytab b/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/keytabs/scm.keytab
new file mode 100755
index 000000000000..9bbfd84dc6f8
Binary files /dev/null and b/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/keytabs/scm.keytab differ
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/keytabs/testuser.keytab b/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/keytabs/testuser.keytab
new file mode 100755
index 000000000000..5242d2e75d20
Binary files /dev/null and b/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/keytabs/testuser.keytab differ
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/keytabs/testuser2.keytab b/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/keytabs/testuser2.keytab
new file mode 100755
index 000000000000..9adeb6e408d7
Binary files /dev/null and b/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/keytabs/testuser2.keytab differ
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/krb5.conf b/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/krb5.conf
new file mode 100644
index 000000000000..309752e1f475
--- /dev/null
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/krb5.conf
@@ -0,0 +1,39 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[logging]
+default = FILE:/var/log/krb5libs.log
+kdc = FILE:/var/log/krb5kdc.log
+admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ dns_lookup_realm = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+ rdns = false
+ default_realm = EXAMPLE.COM
+
+[realms]
+ EXAMPLE.COM = {
+ kdc = kdc
+ admin_server = kdc
+ }
+
+[domain_realm]
+ .example.com = EXAMPLE.COM
+ example.com = EXAMPLE.COM
+
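Review bot: This file is a near copy of the renamed ozonesecure-ha/krb5.conf but omits `max_renewable_life = 7d` from the `EXAMPLE.COM` realm stanza that the ha copy keeps (hunk at lines 467–475), so the two environments now differ in a setting nobody will remember to keep in sync. Neither compose file mounts this krb5.conf into the kdc service, so presumably only the client side reads it; either align the two copies or keep a single file under `compose/common` and mount it from both environments.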
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure/.env b/hadoop-ozone/dist/src/main/compose/ozonesecure/.env
index cf43c7613e11..85cf1d28af5f 100644
--- a/hadoop-ozone/dist/src/main/compose/ozonesecure/.env
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure/.env
@@ -17,4 +17,5 @@
HDDS_VERSION=${hdds.version}
HADOOP_VERSION=3
OZONE_RUNNER_VERSION=${docker.ozone-runner.version}
+OZONE_TESTKRB5_IMAGE=${docker.ozone-testkr5b.image}
OZONE_OPTS=
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-compose.yaml b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-compose.yaml
index 31011fa93112..cfd0de853a40 100644
--- a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-compose.yaml
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-compose.yaml
@@ -17,13 +17,12 @@
version: "3"
services:
kdc:
- build:
- context: ../common/docker-image/docker-krb5
- dockerfile: Dockerfile-krb5
- image: ozone-insecure-krb5
+ image: ${OZONE_TESTKRB5_IMAGE}
hostname: kdc
volumes:
- ../..:/opt/hadoop
+ - ../_keytabs:/etc/security/keytabs
+ command: ["krb5kdc","-n"]
kms:
image: apache/hadoop:${HADOOP_VERSION}
ports:
@@ -35,30 +34,31 @@ services:
volumes:
- ../../libexec/transformation.py:/opt/transformation.py
command: ["hadoop", "kms"]
-
datanode:
image: apache/ozone-runner:${OZONE_RUNNER_VERSION}
volumes:
- ../..:/opt/hadoop
+ - ../_keytabs:/etc/security/keytabs
+ - ./krb5.conf:/etc/krb5.conf
ports:
- 9864
command: ["/opt/hadoop/bin/ozone","datanode"]
env_file:
- docker-config
environment:
- KERBEROS_KEYTABS: dn HTTP
OZONE_OPTS:
om:
image: apache/ozone-runner:${OZONE_RUNNER_VERSION}
hostname: om
volumes:
- ../..:/opt/hadoop
+ - ../_keytabs:/etc/security/keytabs
+ - ./krb5.conf:/etc/krb5.conf
ports:
- 9874:9874
- 9862:9862
environment:
ENSURE_OM_INITIALIZED: /data/metadata/om/current/VERSION
- KERBEROS_KEYTABS: om HTTP
OZONE_OPTS:
env_file:
- docker-config
@@ -69,25 +69,27 @@ services:
hostname: s3g
volumes:
- ../..:/opt/hadoop
+ - ../_keytabs:/etc/security/keytabs
+ - ./krb5.conf:/etc/krb5.conf
ports:
- 9878:9878
env_file:
- ./docker-config
command: ["/opt/hadoop/bin/ozone","s3g"]
environment:
- KERBEROS_KEYTABS: s3g HTTP testuser
OZONE_OPTS:
recon:
image: apache/ozone-runner:${OZONE_RUNNER_VERSION}
hostname: recon
volumes:
- ../..:/opt/hadoop
+ - ../_keytabs:/etc/security/keytabs
+ - ./krb5.conf:/etc/krb5.conf
ports:
- 9888:9888
env_file:
- ./docker-config
environment:
- KERBEROS_KEYTABS: recon HTTP
OZONE_OPTS:
command: ["/opt/hadoop/bin/ozone","recon"]
scm:
@@ -95,13 +97,14 @@ services:
hostname: scm
volumes:
- ../..:/opt/hadoop
+ - ../_keytabs:/etc/security/keytabs
+ - ./krb5.conf:/etc/krb5.conf
ports:
- 9876:9876
- 9860:9860
env_file:
- docker-config
environment:
- KERBEROS_KEYTABS: scm HTTP testuser testuser2
ENSURE_SCM_INITIALIZED: /data/metadata/scm/current/VERSION
OZONE-SITE.XML_hdds.scm.safemode.min.datanode: "${OZONE_SAFEMODE_MIN_DATANODES:-1}"
OZONE_OPTS:
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config
index 926b1c5c60e8..49946371f2e3 100644
--- a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config
@@ -66,9 +66,9 @@ OZONE-SITE.XML_hdds.scm.replication.event.timeout=10s
OZONE-SITE.XML_ozone.scm.stale.node.interval=30s
OZONE-SITE.XML_ozone.scm.dead.node.interval=45s
-HDFS-SITE.XML_dfs.datanode.kerberos.principal=dn/_HOST@EXAMPLE.COM
+HDFS-SITE.XML_dfs.datanode.kerberos.principal=dn/dn@EXAMPLE.COM
HDFS-SITE.XML_dfs.datanode.keytab.file=/etc/security/keytabs/dn.keytab
-HDFS-SITE.XML_dfs.web.authentication.kerberos.principal=HTTP/_HOST@EXAMPLE.COM
+HDFS-SITE.XML_dfs.web.authentication.kerberos.principal=HTTP/ozone@EXAMPLE.COM
HDFS-SITE.XML_dfs.web.authentication.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
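Review bot: Replacing `_HOST` with the literal instance `dn` means every datanode authenticates as the same `dn/dn@EXAMPLE.COM`, and `HTTP/ozone` is not the hostname of any service; both only work because the keytabs are pre-generated and shared by all containers, which this file does not say. A comment above the first principal line would keep a future reader from restoring `_HOST`, e.g. `# fixed instances (dn, ozone, scm, ...) instead of _HOST: keytabs are pre-generated by keytabs/update-keytabs.sh and shared by every container`.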
@@ -82,20 +82,20 @@ OZONE-SITE.XML_ozone.s3g.http.auth.type=kerberos
OZONE-SITE.XML_ozone.recon.http.auth.type=kerberos
OZONE-SITE.XML_hdds.scm.http.auth.kerberos.principal=HTTP/scm@EXAMPLE.COM
-OZONE-SITE.XML_hdds.scm.http.auth.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
+OZONE-SITE.XML_hdds.scm.http.auth.kerberos.keytab=/etc/security/keytabs/scm.keytab
OZONE-SITE.XML_ozone.om.http.auth.kerberos.principal=HTTP/om@EXAMPLE.COM
-OZONE-SITE.XML_ozone.om.http.auth.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
-OZONE-SITE.XML_hdds.datanode.http.auth.kerberos.principal=HTTP/_HOST@EXAMPLE.COM
-OZONE-SITE.XML_hdds.datanode.http.auth.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
-OZONE-SITE.XML_ozone.s3g.http.auth.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
+OZONE-SITE.XML_ozone.om.http.auth.kerberos.keytab=/etc/security/keytabs/om.keytab
+OZONE-SITE.XML_hdds.datanode.http.auth.kerberos.principal=HTTP/dn@EXAMPLE.COM
+OZONE-SITE.XML_hdds.datanode.http.auth.kerberos.keytab=/etc/security/keytabs/datanode.keytab
+OZONE-SITE.XML_ozone.s3g.http.auth.kerberos.keytab=/etc/security/keytabs/s3g.keytab
OZONE-SITE.XML_ozone.s3g.http.auth.kerberos.principal=HTTP/s3g@EXAMPLE.COM
OZONE-SITE.XML_ozone.recon.http.auth.kerberos.principal=HTTP/recon@EXAMPLE.COM
-OZONE-SITE.XML_ozone.recon.http.auth.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
+OZONE-SITE.XML_ozone.recon.http.auth.kerberos.keytab=/etc/security/keytabs/recon.keytab
CORE-SITE.XML_hadoop.http.authentication.simple.anonymous.allowed=false
CORE-SITE.XML_hadoop.http.authentication.signature.secret.file=/etc/security/http_secret
CORE-SITE.XML_hadoop.http.authentication.type=kerberos
-CORE-SITE.XML_hadoop.http.authentication.kerberos.principal=HTTP/_HOST@EXAMPLE.COM
+CORE-SITE.XML_hadoop.http.authentication.kerberos.principal=HTTP/ozone@EXAMPLE.COM
CORE-SITE.XML_hadoop.http.authentication.kerberos.keytab=/etc/security/keytabs/HTTP.keytab
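Review bot: `hdds.datanode.http.auth.kerberos.keytab` now points at `/etc/security/keytabs/datanode.keytab`, but no file of that name is added by this commit and update-keytabs.sh exports the datanode principals (`dn/dn`, `HTTP/dn`) into `dn.keytab`, so the datanode HTTP endpoint would fail to load its keytab. The line should read `OZONE-SITE.XML_hdds.datanode.http.auth.kerberos.keytab=/etc/security/keytabs/dn.keytab`, matching `dfs.datanode.keytab.file` in the previous hunk. The other per-service keytab paths (scm, om, s3g, recon) do agree with the principals exported into them.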
@@ -113,14 +113,8 @@ HDFS-SITE.XML_rpc.metrics.percentiles.intervals=60,300
#BYTEMAN_SCRIPT_URL=https://raw.githubusercontent.com/apache/hadoop/trunk/dev-support/byteman/hadooprpc.btm
OZONE_DATANODE_SECURE_USER=root
-SECURITY_ENABLED=true
-KEYTAB_DIR=/etc/security/keytabs
-KERBEROS_KEYSTORES=hadoop
-KERBEROS_SERVER=kdc
JAVA_HOME=/usr/lib/jvm/jre
JSVC_HOME=/usr/bin
-SLEEP_SECONDS=5
-KERBEROS_ENABLED=true
OZONE_CONF_DIR=/etc/hadoop
OZONE_LOG_DIR=/var/log/hadoop
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure/keytabs/HTTP.keytab b/hadoop-ozone/dist/src/main/compose/ozonesecure/keytabs/HTTP.keytab
new file mode 100755
index 000000000000..073055f48c3e
Binary files /dev/null and b/hadoop-ozone/dist/src/main/compose/ozonesecure/keytabs/HTTP.keytab differ
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure/keytabs/dn.keytab b/hadoop-ozone/dist/src/main/compose/ozonesecure/keytabs/dn.keytab
new file mode 100755
index 000000000000..263047401e46
Binary files /dev/null and b/hadoop-ozone/dist/src/main/compose/ozonesecure/keytabs/dn.keytab differ
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure/keytabs/om.keytab b/hadoop-ozone/dist/src/main/compose/ozonesecure/keytabs/om.keytab
new file mode 100755
index 000000000000..1241ec25ce0c
Binary files /dev/null and b/hadoop-ozone/dist/src/main/compose/ozonesecure/keytabs/om.keytab differ
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure/keytabs/recon.keytab b/hadoop-ozone/dist/src/main/compose/ozonesecure/keytabs/recon.keytab
new file mode 100755
index 000000000000..4a35968edc9a
Binary files /dev/null and b/hadoop-ozone/dist/src/main/compose/ozonesecure/keytabs/recon.keytab differ
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure/keytabs/s3g.keytab b/hadoop-ozone/dist/src/main/compose/ozonesecure/keytabs/s3g.keytab
new file mode 100755
index 000000000000..8cbe7cd6f9c1
Binary files /dev/null and b/hadoop-ozone/dist/src/main/compose/ozonesecure/keytabs/s3g.keytab differ
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure/keytabs/scm.keytab b/hadoop-ozone/dist/src/main/compose/ozonesecure/keytabs/scm.keytab
new file mode 100755
index 000000000000..9bbfd84dc6f8
Binary files /dev/null and b/hadoop-ozone/dist/src/main/compose/ozonesecure/keytabs/scm.keytab differ
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure/keytabs/testuser.keytab b/hadoop-ozone/dist/src/main/compose/ozonesecure/keytabs/testuser.keytab
new file mode 100755
index 000000000000..5242d2e75d20
Binary files /dev/null and b/hadoop-ozone/dist/src/main/compose/ozonesecure/keytabs/testuser.keytab differ
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure/keytabs/testuser2.keytab b/hadoop-ozone/dist/src/main/compose/ozonesecure/keytabs/testuser2.keytab
new file mode 100755
index 000000000000..9adeb6e408d7
Binary files /dev/null and b/hadoop-ozone/dist/src/main/compose/ozonesecure/keytabs/testuser2.keytab differ
diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure/krb5.conf b/hadoop-ozone/dist/src/main/compose/ozonesecure/krb5.conf
new file mode 100644
index 000000000000..eefc5b9c6858
--- /dev/null
+++ b/hadoop-ozone/dist/src/main/compose/ozonesecure/krb5.conf
@@ -0,0 +1,41 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[logging]
+default = FILE:/var/log/krb5libs.log
+kdc = FILE:/var/log/krb5kdc.log
+admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ dns_canonicalize_hostname = false
+ dns_lookup_realm = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+ rdns = false
+ default_realm = EXAMPLE.COM
+
+[realms]
+ EXAMPLE.COM = {
+ kdc = kdc
+ admin_server = kdc
+ max_renewable_life = 7d
+ }
+
+[domain_realm]
+ .example.com = EXAMPLE.COM
+ example.com = EXAMPLE.COM
+
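Review bot: This krb5.conf appears to duplicate the one whose tail appears earlier in this diff (identical `admin_server = kdc` and `.example.com`/`example.com` mappings), so the realm definition is now maintained in several per-environment files; one copy under `compose/common/` mounted by each environment would avoid divergence. A comment above `[libdefaults]` explaining the two DNS settings would also help, e.g. `# keep the hostname as given (no DNS canonicalisation or reverse lookup) so service principals match the fixed instance names in the pre-generated keytabs`.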
diff --git a/hadoop-ozone/dist/src/main/compose/testlib.sh b/hadoop-ozone/dist/src/main/compose/testlib.sh
index 4cb4542859fa..695970bf78a6 100755
--- a/hadoop-ozone/dist/src/main/compose/testlib.sh
+++ b/hadoop-ozone/dist/src/main/compose/testlib.sh
@@ -76,7 +76,7 @@ wait_for_safemode_exit(){
#This line checks the safemode status in scm
local command="${OZONE_SAFEMODE_STATUS_COMMAND}"
if [[ "${SECURITY_ENABLED}" == 'true' ]]; then
- status=$(docker-compose exec -T ${SCM} bash -c "kinit -k HTTP/${SCM}@EXAMPLE.COM -t /etc/security/keytabs/HTTP.keytab && $command" || true)
+ status=$(docker-compose exec -T ${SCM} bash -c "kinit -k HTTP/scm@EXAMPLE.COM -t /etc/security/keytabs/HTTP.keytab && $command" || true)
else
status=$(docker-compose exec -T ${SCM} bash -c "$command")
fi
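Review bot: The principal's instance is now fixed to `scm` while `${SCM}` still selects the container to exec into, so in HA environments a container named after a different host authenticates as `HTTP/scm`; that works only because the shared pre-generated keytabs carry that principal, and a comment should record it, e.g. `# principal instance is fixed to 'scm' (see hadoop-ozone/dist/src/main/keytabs/update-keytabs.sh), independent of the SCM container name`. The same applies to the `scm/scm` kinit in the `wait_for_om_leader` hunk below. Separately, this commit removes `SECURITY_ENABLED=true` from ozonesecure/docker-config; the branch here depends on `${SECURITY_ENABLED}` being set by the calling test script, so it is worth confirming that no environment relied on the docker-config value for it. Both enclosing functions extend beyond their hunks.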
@@ -112,7 +112,7 @@ wait_for_om_leader() {
while [[ $SECONDS -lt 120 ]]; do
local command="ozone admin om roles --service-id '${OM_SERVICE_ID}'"
if [[ "${SECURITY_ENABLED}" == 'true' ]]; then
- status=$(docker-compose exec -T ${SCM} bash -c "kinit -k scm/${SCM}@EXAMPLE.COM -t /etc/security/keytabs/scm.keytab && $command" | grep LEADER)
+ status=$(docker-compose exec -T ${SCM} bash -c "kinit -k scm/scm@EXAMPLE.COM -t /etc/security/keytabs/scm.keytab && $command" | grep LEADER)
else
status=$(docker-compose exec -T ${SCM} bash -c "$command" | grep LEADER)
fi
diff --git a/hadoop-ozone/dist/src/main/keytabs/HTTP.keytab b/hadoop-ozone/dist/src/main/keytabs/HTTP.keytab
new file mode 100755
index 000000000000..9e7a36919981
Binary files /dev/null and b/hadoop-ozone/dist/src/main/keytabs/HTTP.keytab differ
diff --git a/hadoop-ozone/dist/src/main/keytabs/dn.keytab b/hadoop-ozone/dist/src/main/keytabs/dn.keytab
new file mode 100755
index 000000000000..ee982cb52c0f
Binary files /dev/null and b/hadoop-ozone/dist/src/main/keytabs/dn.keytab differ
diff --git a/hadoop-ozone/dist/src/main/keytabs/hadoop.keytab b/hadoop-ozone/dist/src/main/keytabs/hadoop.keytab
new file mode 100755
index 000000000000..68f52383f88f
Binary files /dev/null and b/hadoop-ozone/dist/src/main/keytabs/hadoop.keytab differ
diff --git a/hadoop-ozone/dist/src/main/keytabs/jhs.keytab b/hadoop-ozone/dist/src/main/keytabs/jhs.keytab
new file mode 100755
index 000000000000..51eeebff807b
Binary files /dev/null and b/hadoop-ozone/dist/src/main/keytabs/jhs.keytab differ
diff --git a/hadoop-ozone/dist/src/main/keytabs/nm.keytab b/hadoop-ozone/dist/src/main/keytabs/nm.keytab
new file mode 100755
index 000000000000..5cfcf9a7ed00
Binary files /dev/null and b/hadoop-ozone/dist/src/main/keytabs/nm.keytab differ
diff --git a/hadoop-ozone/dist/src/main/keytabs/om.keytab b/hadoop-ozone/dist/src/main/keytabs/om.keytab
new file mode 100755
index 000000000000..ec571b309f6d
Binary files /dev/null and b/hadoop-ozone/dist/src/main/keytabs/om.keytab differ
diff --git a/hadoop-ozone/dist/src/main/keytabs/recon.keytab b/hadoop-ozone/dist/src/main/keytabs/recon.keytab
new file mode 100755
index 000000000000..653e0751f349
Binary files /dev/null and b/hadoop-ozone/dist/src/main/keytabs/recon.keytab differ
diff --git a/hadoop-ozone/dist/src/main/keytabs/rm.keytab b/hadoop-ozone/dist/src/main/keytabs/rm.keytab
new file mode 100755
index 000000000000..d9a55f0c2ea8
Binary files /dev/null and b/hadoop-ozone/dist/src/main/keytabs/rm.keytab differ
diff --git a/hadoop-ozone/dist/src/main/keytabs/s3g.keytab b/hadoop-ozone/dist/src/main/keytabs/s3g.keytab
new file mode 100755
index 000000000000..be6684639dc2
Binary files /dev/null and b/hadoop-ozone/dist/src/main/keytabs/s3g.keytab differ
diff --git a/hadoop-ozone/dist/src/main/keytabs/scm.keytab b/hadoop-ozone/dist/src/main/keytabs/scm.keytab
new file mode 100755
index 000000000000..dbd316694a53
Binary files /dev/null and b/hadoop-ozone/dist/src/main/keytabs/scm.keytab differ
diff --git a/hadoop-ozone/dist/src/main/keytabs/testuser.keytab b/hadoop-ozone/dist/src/main/keytabs/testuser.keytab
new file mode 100755
index 000000000000..c9c455056bfb
Binary files /dev/null and b/hadoop-ozone/dist/src/main/keytabs/testuser.keytab differ
diff --git a/hadoop-ozone/dist/src/main/keytabs/testuser2.keytab b/hadoop-ozone/dist/src/main/keytabs/testuser2.keytab
new file mode 100755
index 000000000000..57c77ca87619
Binary files /dev/null and b/hadoop-ozone/dist/src/main/keytabs/testuser2.keytab differ
diff --git a/hadoop-ozone/dist/src/main/keytabs/update-keytabs.sh b/hadoop-ozone/dist/src/main/keytabs/update-keytabs.sh
new file mode 100755
index 000000000000..be60da64b99a
--- /dev/null
+++ b/hadoop-ozone/dist/src/main/keytabs/update-keytabs.sh
@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+SCRIPT_DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )
+set -ex
+
+export_keytab() {
+ kadmin.local -q "ktadd -norandkey -k /etc/security/keytabs/$2.keytab $1@EXAMPLE.COM"
+}
+
+#this section supposed to be executed inside a docker image which already
+#has these credentials
+#
+# the rest of the code executes this part inside a container
+#
+if [ "$1" == "internal" ]; then
+ rm /etc/security/keytabs/*.keytab
+
+ export_keytab scm/scm scm
+ export_keytab HTTP/scm scm
+ export_keytab testuser/scm scm
+ export_keytab testuser2/scm scm
+
+ export_keytab testuser/scm testuser
+ export_keytab testuser/s3g testuser
+ export_keytab testuser/om testuser
+
+ export_keytab testuser2/scm testuser2
+
+ export_keytab om/om om
+ export_keytab HTTP/om om
+
+ export_keytab s3g/s3g s3g
+ export_keytab HTTP/s3g s3g
+ export_keytab testuser/s3g s3g
+
+ export_keytab recon/recon recon
+ export_keytab HTTP/recon recon
+
+ export_keytab dn/dn dn
+ export_keytab HTTP/dn dn
+
+ export_keytab HTTP/scm HTTP
+ export_keytab HTTP/s3g HTTP
+ export_keytab HTTP/ozone HTTP
+
+ export_keytab hadoop/rm hadoop
+
+ export_keytab rm/rm rm
+ export_keytab nm/nm nm
+ export_keytab jhs/jhs jhs
+
+
+
+ chmod 755 /etc/security/keytabs/*.keytab
+ chown 1000. /etc/security/keytabs/*.keytab
+ exit 0
+fi
+
+TESTKRB5_IMAGE=$(mvn -f "$SCRIPT_DIR"/../../../pom.xml help:evaluate -Dexpression=docker.ozone-testkr5b.image -q -DforceStdout)
+
+docker run -it --entrypoint=/etc/security/keytabs/update-keytabs.sh -v "$SCRIPT_DIR":/etc/security/keytabs $TESTKRB5_IMAGE internal
+
+
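Review bot: `chmod 755 /etc/security/keytabs/*.keytab` leaves the exported keytabs world-readable and executable (which is also why every keytab enters git with mode 100755); a keytab never needs the execute bit, and since the files are `chown`ed to uid 1000 and the services presumably run as root or as that user, `chmod 600` should be enough (`644` if some consumer runs under another uid). The `chown 1000.` form with a trailing dot is a GNU extension that newer coreutils warn about; `chown 1000:1000` is portable. `docker run -it` without `--rm` leaves a stopped container behind on every run and fails in CI where no TTY is attached, and `rm /etc/security/keytabs/*.keytab` under `set -e` aborts when the directory is empty; `rm -f` and `docker run --rm -i` with the image name quoted address both.
```shell
# … unchanged: license header, SCRIPT_DIR, set -ex, export_keytab …
if [ "$1" == "internal" ]; then
  rm -f /etc/security/keytabs/*.keytab
  # … unchanged: export_keytab calls …
  chmod 600 /etc/security/keytabs/*.keytab
  chown 1000:1000 /etc/security/keytabs/*.keytab
  exit 0
fi
# … unchanged: TESTKRB5_IMAGE lookup via mvn help:evaluate …
docker run --rm -i --entrypoint=/etc/security/keytabs/update-keytabs.sh -v "$SCRIPT_DIR":/etc/security/keytabs "$TESTKRB5_IMAGE" internal
```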
diff --git a/hadoop-ozone/dist/src/main/smoketest/basic/links.robot b/hadoop-ozone/dist/src/main/smoketest/basic/links.robot
index 6efa3d738740..847c4b1afd1b 100644
--- a/hadoop-ozone/dist/src/main/smoketest/basic/links.robot
+++ b/hadoop-ozone/dist/src/main/smoketest/basic/links.robot
@@ -42,11 +42,11 @@ Setup ACL tests
Execute ozone sh bucket link ${source}/readable-bucket ${target}/readable-link
Execute ozone sh bucket link ${source}/readable-bucket ${target}/unreadable-link
Execute ozone sh bucket link ${source}/unreadable-bucket ${target}/link-to-unreadable-bucket
- Execute ozone sh volume addacl --acl user:testuser2/${SCM}@EXAMPLE.COM:r ${target}
- Execute ozone sh volume addacl --acl user:testuser2/${SCM}@EXAMPLE.COM:rl ${source}
- Execute ozone sh bucket addacl --acl user:testuser2/${SCM}@EXAMPLE.COM:rl ${source}/readable-bucket
- Execute ozone sh bucket addacl --acl user:testuser2/${SCM}@EXAMPLE.COM:r ${target}/readable-link
- Execute ozone sh bucket addacl --acl user:testuser2/${SCM}@EXAMPLE.COM:r ${target}/link-to-unreadable-bucket
+ Execute ozone sh volume addacl --acl user:testuser2/scm@EXAMPLE.COM:r ${target}
+ Execute ozone sh volume addacl --acl user:testuser2/scm@EXAMPLE.COM:rl ${source}
+ Execute ozone sh bucket addacl --acl user:testuser2/scm@EXAMPLE.COM:rl ${source}/readable-bucket
+ Execute ozone sh bucket addacl --acl user:testuser2/scm@EXAMPLE.COM:r ${target}/readable-link
+ Execute ozone sh bucket addacl --acl user:testuser2/scm@EXAMPLE.COM:r ${target}/link-to-unreadable-bucket
Can follow link with read access
Execute kdestroy
diff --git a/hadoop-ozone/dist/src/main/smoketest/basic/ozone-shell-lib.robot b/hadoop-ozone/dist/src/main/smoketest/basic/ozone-shell-lib.robot
index 54a12b362ddc..7671e20f1ecf 100644
--- a/hadoop-ozone/dist/src/main/smoketest/basic/ozone-shell-lib.robot
+++ b/hadoop-ozone/dist/src/main/smoketest/basic/ozone-shell-lib.robot
@@ -97,7 +97,7 @@ Test Volume Acls
${result} = Execute ozone sh volume removeacl ${protocol}${server}/${volume} -a user:superuser1:xy
${result} = Execute ozone sh volume getacl ${protocol}${server}/${volume}
Should Match Regexp ${result} \"type\" : \"USER\",\n.*\"name\" : \"superuser1\",\n.*\"aclScope\" : \"DEFAULT\",\n.*\"aclList\" : . \"READ\", \"WRITE\", \"READ_ACL\", \"WRITE_ACL\" .
- ${result} = Execute ozone sh volume setacl ${protocol}${server}/${volume} -al user:superuser1:rwxy[DEFAULT],group:superuser1:a,user:testuser/${SCM}@EXAMPLE.COM:rwxyc,group:superuser1:a[DEFAULT]
+ ${result} = Execute ozone sh volume setacl ${protocol}${server}/${volume} -al user:superuser1:rwxy[DEFAULT],group:superuser1:a,user:testuser/scm@EXAMPLE.COM:rwxyc,group:superuser1:a[DEFAULT]
${result} = Execute ozone sh volume getacl ${protocol}${server}/${volume}
Should Match Regexp ${result} \"type\" : \"USER\",\n.*\"name\" : \"superuser1*\",\n.*\"aclScope\" : \"DEFAULT\",\n.*\"aclList\" : . \"READ\", \"WRITE\", \"READ_ACL\", \"WRITE_ACL\" .
Should Match Regexp ${result} \"type\" : \"GROUP\",\n.*\"name\" : \"superuser1\",\n.*\"aclScope\" : \"DEFAULT\",\n.*\"aclList\" : . \"ALL\" .
@@ -113,7 +113,7 @@ Test Bucket Acls
${result} = Execute ozone sh bucket removeacl ${protocol}${server}/${volume}/bb1 -a user:superuser1:xy
${result} = Execute ozone sh bucket getacl ${protocol}${server}/${volume}/bb1
Should Match Regexp ${result} \"type\" : \"USER\",\n.*\"name\" : \"superuser1\",\n.*\"aclScope\" : \"ACCESS\",\n.*\"aclList\" : . \"READ\", \"WRITE\"
- ${result} = Execute ozone sh bucket setacl ${protocol}${server}/${volume}/bb1 -al user:superuser1:rwxy,group:superuser1:a,user:testuser/${SCM}@EXAMPLE.COM:rwxyc,group:superuser1:a[DEFAULT]
+ ${result} = Execute ozone sh bucket setacl ${protocol}${server}/${volume}/bb1 -al user:superuser1:rwxy,group:superuser1:a,user:testuser/scm@EXAMPLE.COM:rwxyc,group:superuser1:a[DEFAULT]
${result} = Execute ozone sh bucket getacl ${protocol}${server}/${volume}/bb1
Should Match Regexp ${result} \"type\" : \"USER\",\n.*\"name\" : \"superuser1*\",\n.*\"aclScope\" : \"ACCESS\",\n.*\"aclList\" : . \"READ\", \"WRITE\", \"READ_ACL\", \"WRITE_ACL\"
Should Match Regexp ${result} \"type\" : \"GROUP\",\n.*\"name\" : \"superuser1\",\n.*\"aclScope\" : \"DEFAULT\",\n.*\"aclList\" : . \"ALL\" .
@@ -164,7 +164,7 @@ Test key Acls
${result} = Execute ozone sh key removeacl ${protocol}${server}/${volume}/bb1/key2 -a user:superuser1:xy
${result} = Execute ozone sh key getacl ${protocol}${server}/${volume}/bb1/key2
Should Match Regexp ${result} \"type\" : \"USER\",\n.*\"name\" : \"superuser1\",\n.*\"aclScope\" : \"ACCESS\",\n.*\"aclList\" : . \"READ\", \"WRITE\"
- ${result} = Execute ozone sh key setacl ${protocol}${server}/${volume}/bb1/key2 -al user:superuser1:rwxy,group:superuser1:a,user:testuser/${SCM}@EXAMPLE.COM:rwxyc
+ ${result} = Execute ozone sh key setacl ${protocol}${server}/${volume}/bb1/key2 -al user:superuser1:rwxy,group:superuser1:a,user:testuser/scm@EXAMPLE.COM:rwxyc
${result} = Execute ozone sh key getacl ${protocol}${server}/${volume}/bb1/key2
Should Match Regexp ${result} \"type\" : \"USER\",\n.*\"name\" : \"superuser1\",\n.*\"aclScope\" : \"ACCESS\",\n.*\"aclList\" : . \"READ\", \"WRITE\", \"READ_ACL\", \"WRITE_ACL\"
Should Match Regexp ${result} \"type\" : \"GROUP\",\n.*\"name\" : \"superuser1\",\n.*\"aclScope\" : \"ACCESS\",\n.*\"aclList\" : . \"ALL\" .
diff --git a/hadoop-ozone/dist/src/main/smoketest/commonlib.robot b/hadoop-ozone/dist/src/main/smoketest/commonlib.robot
index ac21a65cd48e..41a1e284677d 100644
--- a/hadoop-ozone/dist/src/main/smoketest/commonlib.robot
+++ b/hadoop-ozone/dist/src/main/smoketest/commonlib.robot
@@ -27,14 +27,14 @@ ${OM_SERVICE_ID} om
*** Keywords ***
Kinit HTTP user
- ${hostname} = Execute hostname
+ ${hostname} = Execute hostname | sed 's/scm[0-9].org/scm/'
Wait Until Keyword Succeeds 2min 10sec Execute kinit -k HTTP/${hostname}@EXAMPLE.COM -t /etc/security/keytabs/HTTP.keytab
Kinit test user
[arguments] ${user} ${keytab}
- ${hostname} = Execute hostname
- Set Suite Variable ${TEST_USER} ${user}/${hostname}@EXAMPLE.COM
- Wait Until Keyword Succeeds 2min 10sec Execute kinit -k ${user}/${hostname}@EXAMPLE.COM -t /etc/security/keytabs/${keytab}
+ ${instance} = Execute hostname | sed 's/scm[0-9].org/scm/'
+ Set Suite Variable ${TEST_USER} ${user}/${instance}@EXAMPLE.COM
+ Wait Until Keyword Succeeds 2min 10sec Execute kinit -k ${user}/${instance}@EXAMPLE.COM -t /etc/security/keytabs/${keytab}
Access should be denied
[arguments] ${command}
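Review bot: The hostname-to-instance mapping `hostname | sed 's/scm[0-9].org/scm/'` is duplicated in `Kinit HTTP user` and `Kinit test user`, and the `.` in the pattern is unescaped, so it matches any character rather than the literal dot. Extracting it into one keyword keeps the mapping in a single place and lets the dot be written as `[.]`, which avoids any question of Robot's own backslash escaping. The mapping only rewrites `scmN.org` hosts; on any other host the raw hostname becomes the principal instance and must exist in the pre-generated keytabs, which is worth confirming for every environment that uses this library.
```robotframework
Get Kerberos Instance
    ${instance} =    Execute    hostname | sed 's/scm[0-9][.]org/scm/'
    [return]    ${instance}

Kinit HTTP user
    ${hostname} =    Get Kerberos Instance
    # … unchanged: kinit with HTTP.keytab …

Kinit test user
    [arguments]    ${user}    ${keytab}
    ${instance} =    Get Kerberos Instance
    # … unchanged: Set Suite Variable and kinit …
```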
diff --git a/hadoop-ozone/dist/src/main/smoketest/security/ozone-secure-fs.robot b/hadoop-ozone/dist/src/main/smoketest/security/ozone-secure-fs.robot
index b587cc638f28..9736968a970a 100644
--- a/hadoop-ozone/dist/src/main/smoketest/security/ozone-secure-fs.robot
+++ b/hadoop-ozone/dist/src/main/smoketest/security/ozone-secure-fs.robot
@@ -84,7 +84,7 @@ Test Volume Acls
${result} = Execute ozone sh volume removeacl ${volume3} -a user:superuser1:xy
${result} = Execute ozone sh volume getacl ${volume3}
Should Match Regexp ${result} \"type\" : \"USER\",\n.*\"name\" : \"superuser1\",\n.*\"aclScope\" : \"DEFAULT\",\n.*\"aclList\" : . \"READ\", \"WRITE\"
- ${result} = Execute ozone sh volume setacl ${volume3} -al user:superuser1:rwxy,user:testuser/${SCM}@EXAMPLE.COM:rwxyc,group:superuser1:a[DEFAULT]
+ ${result} = Execute ozone sh volume setacl ${volume3} -al user:superuser1:rwxy,user:testuser/scm@EXAMPLE.COM:rwxyc,group:superuser1:a[DEFAULT]
${result} = Execute ozone sh volume getacl ${volume3}
Should Match Regexp ${result} \"type\" : \"USER\",\n.*\"name\" : \"superuser1\",\n.*\"aclScope\" : \"ACCESS\",\n.*\"aclList\" : . \"READ\", \"WRITE\", \"READ_ACL\", \"WRITE_ACL\"
Should Match Regexp ${result} \"type\" : \"GROUP\",\n.*\"name\" : \"superuser1\",\n.*\"aclScope\" : \"DEFAULT\",\n.*\"aclList\" : . \"ALL\"
@@ -100,7 +100,7 @@ Test Bucket Acls
${result} = Execute ozone sh bucket removeacl ${volume3}/bk1 -a user:superuser1:xy
${result} = Execute ozone sh bucket getacl ${volume3}/bk1
Should Match Regexp ${result} \"type\" : \"USER\",\n.*\"name\" : \"superuser1\",\n.*\"aclScope\" : \"ACCESS\",\n.*\"aclList\" : . \"READ\", \"WRITE\"
- ${result} = Execute ozone sh bucket setacl ${volume3}/bk1 -al user:superuser1:rwxy,group:superuser1:a,user:testuser/${SCM}@EXAMPLE.COM:rwxyc,group:superuser1:a[DEFAULT]
+ ${result} = Execute ozone sh bucket setacl ${volume3}/bk1 -al user:superuser1:rwxy,group:superuser1:a,user:testuser/scm@EXAMPLE.COM:rwxyc,group:superuser1:a[DEFAULT]
${result} = Execute ozone sh bucket getacl ${volume3}/bk1
Should Match Regexp ${result} \"type\" : \"USER\",\n.*\"name\" : \"superuser1\",\n.*\"aclScope\" : \"ACCESS\",\n.*\"aclList\" : . \"READ\", \"WRITE\", \"READ_ACL\", \"WRITE_ACL\"
Should Match Regexp ${result} \"type\" : \"GROUP\",\n.*\"name\" : \"superuser1\",\n.*\"aclScope\" : \"ACCESS\",\n.*\"aclList\" : . \"ALL\"
@@ -115,7 +115,7 @@ Test key Acls
${result} = Execute ozone sh key removeacl ${volume3}/bk1/key1 -a user:superuser1:xy
${result} = Execute ozone sh key getacl ${volume3}/bk1/key1
Should Match Regexp ${result} \"type\" : \"USER\",\n.*\"name\" : \"superuser1\",\n.*\"aclScope\" : \"ACCESS\",\n.*\"aclList\" : . \"READ\", \"WRITE\"
- ${result} = Execute ozone sh key setacl ${volume3}/bk1/key1 -al user:superuser1:rwxy,group:superuser1:a,user:testuser/${SCM}@EXAMPLE.COM:rwxyc
+ ${result} = Execute ozone sh key setacl ${volume3}/bk1/key1 -al user:superuser1:rwxy,group:superuser1:a,user:testuser/scm@EXAMPLE.COM:rwxyc
${result} = Execute ozone sh key getacl ${volume3}/bk1/key1
Should Match Regexp ${result} \"type\" : \"USER\",\n.*\"name\" : \"superuser1\",\n.*\"aclScope\" : \"ACCESS\",\n.*\"aclList\" : . \"READ\", \"WRITE\", \"READ_ACL\", \"WRITE_ACL\"
Should Match Regexp ${result} \"type\" : \"GROUP\",\n.*\"name\" : \"superuser1\",\n.*\"aclScope\" : \"ACCESS\",\n.*\"aclList\" : . \"ALL\"
@@ -128,16 +128,16 @@ Test native authorizer
Should contain ${result} PERMISSION_DENIED
${result} = Execute And Ignore Error ozone sh key list /${volume3}/bk1
Should contain ${result} PERMISSION_DENIED
- ${result} = Execute And Ignore Error ozone sh volume addacl ${volume3} -a user:testuser2/${SCM}@EXAMPLE.COM:xy
- Should contain ${result} PERMISSION_DENIED User testuser2/${SCM}@EXAMPLE.COM doesn't have WRITE_ACL permission to access volume
+ ${result} = Execute And Ignore Error ozone sh volume addacl ${volume3} -a user:testuser2/scm@EXAMPLE.COM:xy
+ Should contain ${result} PERMISSION_DENIED User testuser2/scm@EXAMPLE.COM doesn't have WRITE_ACL permission to access volume
Execute kdestroy
Run Keyword Kinit test user testuser testuser.keytab
- Execute ozone sh volume addacl ${volume3} -a user:testuser2/${SCM}@EXAMPLE.COM:xyrw
+ Execute ozone sh volume addacl ${volume3} -a user:testuser2/scm@EXAMPLE.COM:xyrw
Execute kdestroy
Run Keyword Kinit test user testuser2 testuser2.keytab
${result} = Execute And Ignore Error ozone sh bucket list /${volume3}/
- Should contain ${result} PERMISSION_DENIED User testuser2/${SCM}@EXAMPLE.COM doesn't have LIST permission to access volume
- Execute ozone sh volume addacl ${volume3} -a user:testuser2/${SCM}@EXAMPLE.COM:l
+ Should contain ${result} PERMISSION_DENIED User testuser2/scm@EXAMPLE.COM doesn't have LIST permission to access volume
+ Execute ozone sh volume addacl ${volume3} -a user:testuser2/scm@EXAMPLE.COM:l
Execute ozone sh bucket list /${volume3}/
Execute ozone sh volume getacl /${volume3}/
@@ -145,7 +145,7 @@ Test native authorizer
Should contain ${result} PERMISSION_DENIED
Execute kdestroy
Run Keyword Kinit test user testuser testuser.keytab
- Execute ozone sh bucket addacl ${volume3}/bk1 -a user:testuser2/${SCM}@EXAMPLE.COM:a
+ Execute ozone sh bucket addacl ${volume3}/bk1 -a user:testuser2/scm@EXAMPLE.COM:a
Execute ozone sh bucket getacl /${volume3}/bk1
Execute kdestroy
Run Keyword Kinit test user testuser2 testuser2.keytab