More work on Ansible playbooks for secured HBase

cluster/ansible/group_vars/all

@@ -1,12 +1,19 @@
 ---
 
-# ======================
+# ============================================================================
 # Configuration of a HBase Cluster
 # ---
-# The variable in this part can be changed to adapt the playbooks to your
+# The variables in this part can be changed to adapt the playbooks to your
 # specific needs. Anything further down should only be changed if you really
 # know what you are doing!
-# ======================
+# ============================================================================
+
+# The versions of software that will be installed by the playbooks.
+HADOOP_VERSION: 2.7.3
+HBASE_VERSION: 1.3.0
+HUE_VERSION: 3.10.0
+ZOOKEEPER_VERSION: 3.4.9
+SPARK_VERSION: 1.6.1
 
 # Setting this to true causes the entire cluster to be started in secure mode,
 # all services will require a kerberos ticket to allow access and all http uis
@@ -37,13 +44,6 @@ REMOTE_FETCH_TARBALLS: false
 # Defines if the monitoring packages based on Ganglia are also installed.
 MONITORING_ENABLED: false
 
-# The versions of software that will be installed by the playbooks.
-HADOOP_VERSION: 2.7.3
-HBASE_VERSION: 1.3.0
-HUE_VERSION: 3.10.0
-ZOOKEEPER_VERSION: 3.4.9
-SPARK_VERSION: 1.6.1
-
 # The paths that will be used to install software under and put configuration
 # files in, feel free to change these if you have a reason to do so, but there
 # probably won't be a need to touch these.
@@ -72,8 +72,15 @@ HBASE_THRIFT_VERSION: 1
 
 # ==== Don't change anything below this line - really! ====
 
-# List with all OS user accounts that need to be created
-OS_USERS: [ 'hdfs', 'yarn', 'mapred', 'hbase', 'hbase-rest', 'hbase-thrift', 'zookeeper', 'hue', 'hadoop' ]
+# List with all technical OS accounts, share the "hadoop" group
+HADOOP_USERS: [ 'hdfs', 'yarn', 'mapred', 'hbase', 'hbase-rest', 'hbase-thrift', 'zookeeper', 'hue', 'hadoop' ]
+
+# List with all non-technical OS user accounts, mainly used for testing
+END_USERS:
+  - { user: hbasebook, group: hbasebook, extra_groups: [] }
+  - { user: foobar, group: foobar, extra_groups: [] }
+  - { user: app1user1, group: app1user1, extra_groups: [ app1group ] }
+  - { user: app1user2, group: app1user2, extra_groups: [ app1group ] }
 
 # This group defines all Kerberos related accounts that need a principal
 KRB_ADMIN: "hbasebook"

cluster/ansible/roles/common/tasks/main.yml

@@ -109,8 +109,30 @@
 - name: Overwrite vagrant changes to /etc/hosts
   copy: src=hosts dest=/etc/hosts owner=root group=root
 
-- name: Create Hadoop system user accounts
+- name: Create Hadoop system user accounts and shared hadoop group
   group: name=hadoop state=present
 - user: name={{ item }} group=hadoop createhome=no shell=/bin/false state=present
   with_items:
-    - "{{ OS_USERS }}"
+    - "{{ HADOOP_USERS }}"
+
+- name: Create user accounts with groups
+  group:
+    name: "{{ item.group }}"
+    state: present
+  with_items:
+    - "{{ END_USERS }}"
+- group:
+    name: "{{ item.1 }}"
+    state: present
+  with_subelements:
+    - "{{ END_USERS }}"
+    - extra_groups
+- user:
+    name: "{{ item.user }}"
+    group: "{{ item.group }}"
+    groups: "{{ item.extra_groups | join(', ') }}"
+    createhome: no
+    shell: "{{ (item.user == 'hbasebook') | ternary('/bin/bash', '/bin/false') }}"
+    state: present
+  with_items:
+    - "{{ END_USERS }}"

cluster/ansible/roles/hbase-common/templates/etc/hbase/conf/hbase-site.xml.j2

@@ -101,13 +101,16 @@
     <name>hbase.security.authorization</name>
     <value>true</value>
   </property>
-  <!--property>
+  <property>
     <name>hbase.coprocessor.master.classes</name>
-    <value>org.apache.hadoop.hbase.security.access.AccessController</value>
+    <value>org.apache.hadoop.hbase.security.access.AccessController,
+      org.apache.hadoop.hbase.security.visibility.VisibilityController</value>
   </property>
   <property>
     <name>hbase.coprocessor.region.classes</name>
-    <value>org.apache.hadoop.hbase.security.access.AccessController, org.apache.hadoop.hbase.security.token.TokenProvider</value>
+    <value>org.apache.hadoop.hbase.security.access.AccessController,
+      org.apache.hadoop.hbase.security.visibility.VisibilityController,
+      org.apache.hadoop.hbase.security.token.TokenProvider</value>
   </property>
   <property>
     <name>hbase.coprocessor.regionserver.classes</name>
@@ -116,7 +119,7 @@
   <property>
     <name>hbase.security.exec.permission.checks</name>
     <value>true</value>
-  </property-->
+  </property>
   <property>
     <name>hbase.zookeeper.property.authProvider.1</name>
     <value>org.apache.zookeeper.server.auth.SASLAuthenticationProvider</value>

cluster/ansible/roles/kdc-server/tasks/createprincs.yml

@@ -1,28 +1,34 @@
 ---
 # Purpose: Creates the Kerberos principals needed
 #
-# Notes: 
+# Notes:
 #   - Executed on KDC server as it requires kadmin.local
 #   - The principal database must already exit
 
 - name: Determine existing principals
   shell: kadmin.local -q 'listprincs'
   register: principal_list
-  changed_when: false 
+  changed_when: false
 
 - debug: var=principal_list.stdout_lines
 
-- name: Add UPNs
+- name: Add administrator and kerberos principals
   command: kadmin.local -q 'addprinc -pw krbsekret {{ KRB_ADMIN }}/admin@{{ KRB_REALM }}'
   when: principal_list.stdout.find('{{ KRB_ADMIN }}/admin@{{ KRB_REALM }}') == -1
 - command: kadmin.local -q 'addprinc -pw krbsekret {{ KRB_ADMIN }}@{{ KRB_REALM }}'
   when: principal_list.stdout.find('{{ KRB_ADMIN }}@{{ KRB_REALM }}') == -1
 - command: kadmin.local -q 'addprinc -pw krbsekret krbtgt/{{ KRB_REALM }}@{{ KRB_REALM }}'
   when: principal_list.stdout.find('krbtgt/{{ KRB_REALM }}@{{ KRB_REALM }}') == -1
 
-- name: Add SPNs
+- name: Add user principals
+  command: kadmin.local -q 'addprinc -pw {{ item.user }} {{ item.user }}@{{ KRB_REALM }}'
+  with_items:
+    - "{{ END_USERS }}"
+  when: principal_list.stdout.find('{{ item.user }}@{{ KRB_REALM }}') == -1
+
+- name: Add service principals
   command: kadmin.local -q 'add_principal -randkey {{ item[1] }}/{{ item[0] }}.{{ CLUSTER_DOMAIN }}@{{ KRB_REALM }}'
-  with_nested: 
+  with_nested:
     - "{{ groups.all }}"
     - "{{ KRB_PRINCIPALS }}"
   when: principal_list.stdout.find('{{ item[1] }}/{{ item[0] }}.{{ CLUSTER_DOMAIN }}@{{ KRB_REALM }}') == -1
@@ -36,14 +42,24 @@
   with_nested:
     - "{{ groups.all }}"
     - "{{ KRB_SERVICES_WITH_HTTP }}"
-# but for the history server there is only a single principal in the keytab
+  # but for the history server there is only a single principal in the keytab
 - command: kadmin.local -q 'xst -k /root/keytabs/mapred-{{ item }}.keytab -norandkey -q mapred/{{ item }}@{{ KRB_REALM }}'
   args:
     creates: /root/keytabs/mapred-{{ item }}.keytab
-  with_items: groups.historyserver
+  with_items:
+    - groups.historyserver
+  # finally also export the normal user principals
+- command: kadmin.local -q 'xst -k /root/keytabs/{{ item.user }}.keytab -norandkey -q {{ item.user }}@{{ KRB_REALM }}'
+  args:
+    creates: /root/keytabs/{{ item.user }}.keytab
+  with_items:
+    - "{{ END_USERS }}"
 
 - name: Download keytabs to orchestration server
   fetch: src=/root/keytabs/{{ item[1] }}-{{ item[0] }}.keytab dest=files/keytabs/ flat=yes failonmissing=yes
   with_nested:
     - "{{ groups.all }}"
     - "{{ KRB_SERVICES_WITH_HTTP }}"
+- fetch: src=/root/keytabs/{{ item.user }}.keytab dest=files/keytabs/ flat=yes failonmissing=yes
+  with_items:
+    - "{{ END_USERS }}"

cluster/ansible/roles/krb-client/tasks/main.yml

@@ -41,3 +41,8 @@
     dest={{ KEYTAB_DIR }}/{{ item }}.keytab
   with_items:
     - "{{ KRB_SERVICES_WITH_HTTP }}"
+- copy:
+    src=files/keytabs/{{ item.user }}.keytab
+    dest={{ KEYTAB_DIR }}/{{ item.user }}.keytab
+  with_items:
+    - "{{ END_USERS }}"