From ec1d453846ca7446b5372b11372311b65bef8a4b Mon Sep 17 00:00:00 2001 From: Vivek Ratnavel Subramanian Date: Sat, 3 Aug 2019 10:49:07 -0700 Subject: [PATCH] HDDS-1788. Fix kerberos principal error in Ozone Recon. (#1201) --- .../common/src/main/resources/ozone-default.xml | 6 +++--- .../docker-image/docker-krb5/Dockerfile-krb5 | 2 +- .../main/compose/ozonesecure/docker-compose.yaml | 13 +++++++++++++ .../src/main/compose/ozonesecure/docker-config | 4 ++++ .../docker-image/docker-krb5/Dockerfile-krb5 | 2 +- ...nProvider.java => ConfigurationProvider.java} | 16 ++++++++-------- .../ozone/recon/ReconControllerModule.java | 3 ++- .../apache/hadoop/ozone/recon/ReconServer.java | 2 +- .../impl/OzoneManagerServiceProviderImpl.java | 15 ++++++--------- 9 files changed, 39 insertions(+), 24 deletions(-) rename hadoop-ozone/ozone-recon/src/main/java/org/apache/hadoop/ozone/recon/{OzoneConfigurationProvider.java => ConfigurationProvider.java} (76%) diff --git a/hadoop-hdds/common/src/main/resources/ozone-default.xml b/hadoop-hdds/common/src/main/resources/ozone-default.xml index a88dd82a238..f4e4ce5e1e1 100644 --- a/hadoop-hdds/common/src/main/resources/ozone-default.xml +++ b/hadoop-hdds/common/src/main/resources/ozone-default.xml @@ -612,7 +612,7 @@ The actual address the OM web server will bind to using HTTPS. If this optional address is set, it overrides only the hostname portion of - ozone.om.http-address. + ozone.om.https-address. @@ -1040,7 +1040,7 @@ The actual address the SCM web server will bind to using HTTPS. If this optional address is set, it overrides only the hostname portion of - ozone.scm.http-address. + ozone.scm.https-address. @@ -1525,7 +1525,7 @@ 5m OZONE, OM Time interval used to store the omMetrics in to a - file. Background thread perodically stores the OM metrics in to a + file. Background thread periodically stores the OM metrics in to a file. Unit could be defined with postfix (ns,ms,s,m,h,d) diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/docker-image/docker-krb5/Dockerfile-krb5 b/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/docker-image/docker-krb5/Dockerfile-krb5 index 4bd5d53ff4c..6c6c816f871 100644 --- a/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/docker-image/docker-krb5/Dockerfile-krb5 +++ b/hadoop-ozone/dist/src/main/compose/ozonesecure-mr/docker-image/docker-krb5/Dockerfile-krb5 @@ -11,7 +11,7 @@ # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License lsfor the specific language governing permissions and +# See the License for the specific language governing permissions and # limitations under the License. diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-compose.yaml b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-compose.yaml index 6b1f48cab29..6f599944558 100644 --- a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-compose.yaml +++ b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-compose.yaml @@ -65,6 +65,19 @@ services: env_file: - ./docker-config command: ["/opt/hadoop/bin/ozone","s3g"] + recon: + image: apache/ozone-runner:${HADOOP_RUNNER_VERSION} + hostname: recon + volumes: + - ../..:/opt/hadoop + ports: + - 9888:9888 + env_file: + - ./docker-config + environment: + WAITFOR: om:9874 + ENSURE_OM_INITIALIZED: /data/metadata/om/current/VERSION + command: ["/opt/hadoop/bin/ozone","recon"] scm: image: apache/ozone-runner:${HADOOP_RUNNER_VERSION} hostname: scm diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config index 7e9ed82571e..ebe1f772c65 100644 --- a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config +++ b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-config @@ -33,6 +33,10 @@ OZONE-SITE.XML_ozone.om.kerberos.principal=om/om@EXAMPLE.COM OZONE-SITE.XML_ozone.om.kerberos.keytab.file=/etc/security/keytabs/om.keytab OZONE-SITE.XML_ozone.s3g.keytab.file=/etc/security/keytabs/HTTP.keytab OZONE-SITE.XML_ozone.s3g.authentication.kerberos.principal=HTTP/s3g@EXAMPLE.COM +OZONE-SITE.XML_ozone.recon.authentication.kerberos.principal=HTTP/recon@EXAMPLE.COM +OZONE-SITE.XML_ozone.recon.keytab.file=/etc/security/keytabs/HTTP.keytab +OZONE-SITE.XML_ozone.recon.db.dir=/data/metadata/recon +OZONE-SITE.XML_recon.om.snapshot.task.initial.delay=20s OZONE-SITE.XML_ozone.security.enabled=true OZONE-SITE.XML_ozone.acl.enabled=true diff --git a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/Dockerfile-krb5 b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/Dockerfile-krb5 index f44158bda8a..1a6097eaa8c 100644 --- a/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/Dockerfile-krb5 +++ b/hadoop-ozone/dist/src/main/compose/ozonesecure/docker-image/docker-krb5/Dockerfile-krb5 @@ -11,7 +11,7 @@ # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License lsfor the specific language governing permissions and +# See the License for the specific language governing permissions and # limitations under the License. diff --git a/hadoop-ozone/ozone-recon/src/main/java/org/apache/hadoop/ozone/recon/OzoneConfigurationProvider.java b/hadoop-ozone/ozone-recon/src/main/java/org/apache/hadoop/ozone/recon/ConfigurationProvider.java similarity index 76% rename from hadoop-ozone/ozone-recon/src/main/java/org/apache/hadoop/ozone/recon/OzoneConfigurationProvider.java rename to hadoop-ozone/ozone-recon/src/main/java/org/apache/hadoop/ozone/recon/ConfigurationProvider.java index 3c8dae04c16..5b0195811aa 100644 --- a/hadoop-ozone/ozone-recon/src/main/java/org/apache/hadoop/ozone/recon/OzoneConfigurationProvider.java +++ b/hadoop-ozone/ozone-recon/src/main/java/org/apache/hadoop/ozone/recon/ConfigurationProvider.java @@ -17,9 +17,9 @@ */ package org.apache.hadoop.ozone.recon; -import org.apache.hadoop.hdds.conf.OzoneConfiguration; - import com.google.inject.Provider; +import org.apache.hadoop.conf.Configuration; + /** * Ozone Configuration Provider. @@ -27,17 +27,17 @@ * As the OzoneConfiguration is created by the CLI application here we inject * it via a singleton instance to the Jax-RS/CDI instances. */ -public class OzoneConfigurationProvider implements - Provider { +public class ConfigurationProvider implements + Provider { - private static OzoneConfiguration configuration; + private static Configuration configuration; - static void setConfiguration(OzoneConfiguration conf) { - OzoneConfigurationProvider.configuration = conf; + static void setConfiguration(Configuration conf) { + ConfigurationProvider.configuration = conf; } @Override - public OzoneConfiguration get() { + public Configuration get() { return configuration; } } diff --git a/hadoop-ozone/ozone-recon/src/main/java/org/apache/hadoop/ozone/recon/ReconControllerModule.java b/hadoop-ozone/ozone-recon/src/main/java/org/apache/hadoop/ozone/recon/ReconControllerModule.java index 3473a6281ef..e7c20f0755f 100644 --- a/hadoop-ozone/ozone-recon/src/main/java/org/apache/hadoop/ozone/recon/ReconControllerModule.java +++ b/hadoop-ozone/ozone-recon/src/main/java/org/apache/hadoop/ozone/recon/ReconControllerModule.java @@ -29,6 +29,7 @@ import static org.apache.hadoop.ozone.recon.ReconServerConfigKeys.OZONE_RECON_SQL_MAX_IDLE_CONNECTION_AGE; import static org.apache.hadoop.ozone.recon.ReconServerConfigKeys.OZONE_RECON_SQL_MAX_IDLE_CONNECTION_TEST_STMT; +import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hdds.conf.OzoneConfiguration; import org.apache.hadoop.ozone.recon.persistence.DataSourceConfiguration; import org.apache.hadoop.ozone.recon.persistence.JooqPersistenceModule; @@ -53,7 +54,7 @@ public class ReconControllerModule extends AbstractModule { @Override protected void configure() { - bind(OzoneConfiguration.class).toProvider(OzoneConfigurationProvider.class); + bind(Configuration.class).toProvider(ConfigurationProvider.class); bind(ReconHttpServer.class).in(Singleton.class); bind(DBStore.class) .toProvider(ReconContainerDBProvider.class).in(Singleton.class); diff --git a/hadoop-ozone/ozone-recon/src/main/java/org/apache/hadoop/ozone/recon/ReconServer.java b/hadoop-ozone/ozone-recon/src/main/java/org/apache/hadoop/ozone/recon/ReconServer.java index d81362280a5..39c82d0cdbc 100644 --- a/hadoop-ozone/ozone-recon/src/main/java/org/apache/hadoop/ozone/recon/ReconServer.java +++ b/hadoop-ozone/ozone-recon/src/main/java/org/apache/hadoop/ozone/recon/ReconServer.java @@ -64,7 +64,7 @@ public static void main(String[] args) { @Override public Void call() throws Exception { OzoneConfiguration ozoneConfiguration = createOzoneConfiguration(); - OzoneConfigurationProvider.setConfiguration(ozoneConfiguration); + ConfigurationProvider.setConfiguration(ozoneConfiguration); injector = Guice.createInjector(new ReconControllerModule(), new ReconRestServletModule() { diff --git a/hadoop-ozone/ozone-recon/src/main/java/org/apache/hadoop/ozone/recon/spi/impl/OzoneManagerServiceProviderImpl.java b/hadoop-ozone/ozone-recon/src/main/java/org/apache/hadoop/ozone/recon/spi/impl/OzoneManagerServiceProviderImpl.java index b552facf623..389be1b12f9 100644 --- a/hadoop-ozone/ozone-recon/src/main/java/org/apache/hadoop/ozone/recon/spi/impl/OzoneManagerServiceProviderImpl.java +++ b/hadoop-ozone/ozone-recon/src/main/java/org/apache/hadoop/ozone/recon/spi/impl/OzoneManagerServiceProviderImpl.java @@ -18,7 +18,6 @@ package org.apache.hadoop.ozone.recon.spi.impl; -import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_KEY; import static org.apache.hadoop.ozone.OzoneConsts.OZONE_DB_CHECKPOINT_REQUEST_FLUSH; import static org.apache.hadoop.ozone.OzoneConsts.OZONE_OM_DB_CHECKPOINT_HTTP_ENDPOINT; import static org.apache.hadoop.ozone.recon.ReconConstants.RECON_OM_SNAPSHOT_DB; @@ -45,7 +44,9 @@ import javax.inject.Singleton; import org.apache.commons.io.FileUtils; -import org.apache.hadoop.hdds.conf.OzoneConfiguration; +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.hdfs.DFSUtil; +import org.apache.hadoop.http.HttpConfig; import org.apache.hadoop.ozone.om.OMConfigKeys; import org.apache.hadoop.ozone.om.OMMetadataManager; import org.apache.hadoop.ozone.recon.recovery.ReconOMMetadataManager; @@ -74,14 +75,11 @@ public class OzoneManagerServiceProviderImpl private File omSnapshotDBParentDir = null; private String omDBSnapshotUrl; - @Inject - private OzoneConfiguration configuration; - @Inject private ReconOMMetadataManager omMetadataManager; @Inject - public OzoneManagerServiceProviderImpl(OzoneConfiguration configuration) { + public OzoneManagerServiceProviderImpl(Configuration configuration) { String ozoneManagerHttpAddress = configuration.get(OMConfigKeys .OZONE_OM_HTTP_ADDRESS_KEY); @@ -92,8 +90,7 @@ public OzoneManagerServiceProviderImpl(OzoneConfiguration configuration) { omSnapshotDBParentDir = getReconDbDir(configuration, OZONE_RECON_OM_SNAPSHOT_DB_DIR); - boolean ozoneSecurityEnabled = configuration.getBoolean( - OZONE_SECURITY_ENABLED_KEY, false); + HttpConfig.Policy policy = DFSUtil.getHttpPolicy(configuration); int socketTimeout = (int) configuration.getTimeDuration( RECON_OM_SOCKET_TIMEOUT, RECON_OM_SOCKET_TIMEOUT_DEFAULT, @@ -118,7 +115,7 @@ public OzoneManagerServiceProviderImpl(OzoneConfiguration configuration) { omDBSnapshotUrl = "http://" + ozoneManagerHttpAddress + OZONE_OM_DB_CHECKPOINT_HTTP_ENDPOINT; - if (ozoneSecurityEnabled) { + if (policy.isHttpsEnabled()) { omDBSnapshotUrl = "https://" + ozoneManagerHttpsAddress + OZONE_OM_DB_CHECKPOINT_HTTP_ENDPOINT; }