diff --git a/playbooks/ranger_kerberos_install.yml b/playbooks/ranger_kerberos_install.yml
index 590b5a91..3ac85cd7 100644
--- a/playbooks/ranger_kerberos_install.yml
+++ b/playbooks/ranger_kerberos_install.yml
@@ -13,17 +13,6 @@
 name: tosit.tdp.ranger.admin
 tasks_from: kerberos
 - ansible.builtin.meta: clear_facts # noqa unnamed-task
-- name: Kerberos Ranger Admin HA install
- hosts: spnego_ha
- strategy: linear
- tasks:
- - tosit.tdp.resolve: # noqa unnamed-task
- node_name: ranger_kerberos
- - name: Install Ranger Admin Kerberos
- ansible.builtin.import_role:
- name: tosit.tdp.ranger.admin
- tasks_from: kerberos-spnego-ha
- - ansible.builtin.meta: clear_facts # noqa unnamed-task
 - name: Kerberos Ranger UserSync install
 hosts: ranger_usersync
 strategy: linear
diff --git a/roles/hbase/phoenix/queryserver/daemon/tasks/kerberos.yml b/roles/hbase/phoenix/queryserver/daemon/tasks/kerberos.yml
index 92d0142b..6007d91f 100644
--- a/roles/hbase/phoenix/queryserver/daemon/tasks/kerberos.yml
+++ b/roles/hbase/phoenix/queryserver/daemon/tasks/kerberos.yml
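Review bot: Removing the `spnego_ha` play drops the only provisioning in this diff for the headless `HTTP/<ranger_ha_address hostname>` principal, and nothing on the new side of this playbook takes it over. The new `kerberos_spnego_install` node in tdp_lib_dag/kerberos.yml presumably backs a playbook that creates `HTTP/{{ ansible_fqdn }}` per host; unless it also writes the HA principal's key into the keytab the Ranger template now points at, Ranger admin in HA mode will start with a `spnego_principal` that has no key on disk. A comment at the top of this playbook naming where SPNEGO (including HA) keytabs are now provisioned, e.g. `# HTTP/ principals and spnego.service.keytab are provisioned by kerberos_spnego_install`, would make the ordering contract visible to anyone running this playbook directly. The UserSync play that follows continues outside the hunk.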
@@ -7,51 +7,26 @@
 name: tosit.tdp.utils.kerberos
 tasks_from: install
-- when: krb_create_principals_keytabs
- block:
- - name: Ensure phoenix queryserver principal and keytab exist
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: create_principal_keytab
- vars:
- principal: phoenixqueryserver/{{ ansible_fqdn }}
- keytab: phoenixqueryserver.service.keytab
- user: "{{ phoenix_queryserver_user }}"
- group: "{{ hadoop_group }}"
- mode: "0600"
-
- - name: Ensure HTTP spnego principal and keytab exist
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: create_principal_keytab
- vars:
- principal: HTTP/{{ ansible_fqdn }}
- keytab: spnego.service.keytab
- user: root
- group: "{{ hadoop_group }}"
- mode: "0640"
+- name: Ensure phoenix queryserver principal and keytab exist
+ ansible.builtin.import_role:
+ name: tosit.tdp.utils.kerberos
+ tasks_from: create_principal_keytab
+ vars:
+ principal: phoenixqueryserver/{{ ansible_fqdn }}
+ keytab: phoenixqueryserver.service.keytab
+ user: "{{ phoenix_queryserver_user }}"
+ group: "{{ hadoop_group }}"
+ mode: "0600"
 when: krb_create_principals_keytabs
-- name: Phoenix QueryServer keytabs check
+- name: Ensure phoenix queryserver keytab works
+ ansible.builtin.import_role:
+ name: tosit.tdp.utils.kerberos
+ tasks_from: check_secure_keytab
+ vars:
+ principal: "phoenixqueryserver/{{ ansible_fqdn }}"
+ keytab: "phoenixqueryserver.service.keytab"
+ user: "{{ phoenix_queryserver_user }}"
+ group: "{{ hadoop_group }}"
+ mode: "0600"
 when: not krb_create_principals_keytabs
- block:
- - name: Ensure phoenix queryserver keytab works
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: check_secure_keytab
- vars:
- principal: "phoenixqueryserver/{{ ansible_fqdn }}"
- keytab: "phoenixqueryserver.service.keytab"
- user: "{{ phoenix_queryserver_user }}"
- group: "{{ hadoop_group }}"
- mode: "0600"
-
- - name: Ensure HTTP spnego keytab works
- 
ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: check_secure_keytab
- vars:
- principal: HTTP/{{ ansible_fqdn }}
- keytab: spnego.service.keytab
- user: root
- group: "{{ hadoop_group }}"
- mode: "0640"
diff --git a/roles/hbase/rest/tasks/kerberos.yml b/roles/hbase/rest/tasks/kerberos.yml
index 7b90337e..ffa75d8b 100644
--- a/roles/hbase/rest/tasks/kerberos.yml
+++ b/roles/hbase/rest/tasks/kerberos.yml
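Review bot: The `check_secure_keytab` task for `HTTP/{{ ansible_fqdn }}` is removed together with the creation task, so when `krb_create_principals_keytabs` is false this role no longer verifies that `spnego.service.keytab` exists with the expected `root`:`{{ hadoop_group }}` ownership and `0640` mode before the query server is started against it. Unlike creation, that check is cheap and idempotent and can run whichever node owns keytab generation; keeping it in this role (without the `when`) turns a missing or mis-owned keytab into a deploy-time failure instead of a first-request SPNEGO error, unless the shared SPNEGO install already runs the same check on these hosts. Minor style point: the create task leaves `principal`/`keytab` unquoted while the check task quotes them (`"phoenixqueryserver/{{ ansible_fqdn }}"`); pick one form. The same remark applies to the other role hunks in this diff that drop the HTTP keytab check.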
@@ -23,52 +23,26 @@
 hbase_keytab_file: "{{ hbase_site['hbase.rest.keytab.file'] }}"
 hbase_principal: "{{ hbase_rest_kerberos_principal }}"
-- name: HBase Rest keytabs creation
+- name: Ensure hbase principal and keytab exist
+ ansible.builtin.import_role:
+ name: tosit.tdp.utils.kerberos
+ tasks_from: create_principal_keytab
+ vars:
+ principal: hbase/{{ ansible_fqdn }}
+ keytab: hbase.service.keytab
+ user: "{{ hbase_user }}"
+ group: "{{ hadoop_group }}"
+ mode: "0600"
 when: krb_create_principals_keytabs
- block:
- - name: Ensure hbase principal and keytab exist
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: create_principal_keytab
- vars:
- principal: hbase/{{ ansible_fqdn }}
- keytab: hbase.service.keytab
- user: "{{ hbase_user }}"
- group: "{{ hadoop_group }}"
- mode: "0600"
-
- - name: Ensure HTTP spnego principal and keytab exist
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: create_principal_keytab
- vars:
- principal: "HTTP/{{ ansible_fqdn }}"
- keytab: "spnego.service.keytab"
- user: "root"
- group: "{{ hadoop_group }}"
- mode: "0640"
-- name: HBase Rest keytabs check
+- name: Ensure hbase keytab works
+ ansible.builtin.import_role:
+ name: tosit.tdp.utils.kerberos
+ tasks_from: check_secure_keytab
+ vars:
+ principal: "hbase/{{ ansible_fqdn }}"
+ keytab: "hbase.service.keytab"
+ user: "{{ hbase_user }}"
+ group: "{{ hadoop_group }}"
+ mode: "0600"
 when: not krb_create_principals_keytabs
- block:
- - name: Ensure hbase keytab works
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: check_secure_keytab
- vars:
- principal: "hbase/{{ ansible_fqdn }}"
- keytab: "hbase.service.keytab"
- user: "{{ hbase_user }}"
- group: "{{ hadoop_group }}"
- mode: "0600"
-
- - name: Ensure HTTP spnego keytab works
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: check_secure_keytab
- vars:
- principal: "HTTP/{{ ansible_fqdn }}"
- keytab: 
"spnego.service.keytab"
- user: "root"
- group: "{{ hadoop_group }}"
- mode: "0640"
diff --git a/roles/hdfs/datanode/tasks/kerberos.yml b/roles/hdfs/datanode/tasks/kerberos.yml
index f5b8c56c..8abe07c0 100644
--- a/roles/hdfs/datanode/tasks/kerberos.yml
+++ b/roles/hdfs/datanode/tasks/kerberos.yml
@@ -12,52 +12,26 @@
 name: tosit.tdp.hadoop.common
 tasks_from: kerberos
-- name: HDFS Datanode keytabs creation
+- name: Ensure hdfs dn user's principal and keytab exist
+ ansible.builtin.import_role:
+ name: tosit.tdp.utils.kerberos
+ tasks_from: create_principal_keytab
+ vars:
+ principal: dn/{{ ansible_fqdn }}
+ keytab: dn.service.keytab
+ user: "{{ hdfs_user }}"
+ group: "{{ hadoop_group }}"
+ mode: "0600"
 when: krb_create_principals_keytabs
- block:
- - name: Ensure hdfs dn user's principal and keytab exist
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: create_principal_keytab
- vars:
- principal: dn/{{ ansible_fqdn }}
- keytab: dn.service.keytab
- user: "{{ hdfs_user }}"
- group: "{{ hadoop_group }}"
- mode: "0600"
-
- - name: Ensure HTTP spnego's principal and keytab exist
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: create_principal_keytab
- vars:
- principal: HTTP/{{ ansible_fqdn }}
- keytab: spnego.service.keytab
- user: root
- group: "{{ hadoop_group }}"
- mode: "0640"
-- name: HDFS Datanode keytabs check
+- name: Ensure hdfs dn user's keytab is working
+ ansible.builtin.import_role:
+ name: tosit.tdp.utils.kerberos
+ tasks_from: check_secure_keytab
+ vars:
+ principal: dn/{{ ansible_fqdn }}
+ keytab: dn.service.keytab
+ user: "{{ hdfs_user }}"
+ group: "{{ hadoop_group }}"
+ mode: "0600"
 when: not krb_create_principals_keytabs
- block:
- - name: Ensure hdfs dn user's keytab is working
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: check_secure_keytab
- vars:
- principal: dn/{{ ansible_fqdn }}
- keytab: dn.service.keytab
- user: "{{ hdfs_user }}"
- group: "{{ hadoop_group }}"
- mode: "0600"
-
- - name: Ensure HTTP spnego's keytab is working
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: check_secure_keytab
- vars:
- principal: HTTP/{{ ansible_fqdn }}
- keytab: spnego.service.keytab
- user: root
- group: "{{ hadoop_group }}"
- mode: 
"0640"
diff --git a/roles/hdfs/httpfs/tasks/kerberos.yml b/roles/hdfs/httpfs/tasks/kerberos.yml
index 58fc4bad..eb0812dd 100644
--- a/roles/hdfs/httpfs/tasks/kerberos.yml
+++ b/roles/hdfs/httpfs/tasks/kerberos.yml
@@ -12,50 +12,26 @@
 name: tosit.tdp.hadoop.common
 tasks_from: kerberos
-- when: krb_create_principals_keytabs
- block:
- - name: Ensure httpfs user's principal and keytab exist
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: create_principal_keytab
- vars:
- principal: httpfs/{{ ansible_fqdn }}
- keytab: httpfs.service.keytab
- user: "{{ hdfs_user }}"
- group: "{{ hadoop_group }}"
- mode: "0600"
-
- - name: Ensure HTTP spnego's principal and keytab exist
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: create_principal_keytab
- vars:
- principal: "HTTP/{{ ansible_fqdn }}"
- keytab: spnego.service.keytab
- user: root
- group: "{{ hadoop_group }}"
- mode: "0640"
-
-- when: not krb_create_principals_keytabs
- block:
- - name: Ensure httpfs user's keytab is working
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: check_secure_keytab
- vars:
- principal: httpfs/{{ ansible_fqdn }}
- keytab: httpfs.service.keytab
- user: "{{ hdfs_user }}"
- group: "{{ hadoop_group }}"
- mode: "0600"
+- name: Ensure httpfs user's principal and keytab exist
+ ansible.builtin.import_role:
+ name: tosit.tdp.utils.kerberos
+ tasks_from: create_principal_keytab
+ vars:
+ principal: httpfs/{{ ansible_fqdn }}
+ keytab: httpfs.service.keytab
+ user: "{{ hdfs_user }}"
+ group: "{{ hadoop_group }}"
+ mode: "0600"
+ when: krb_create_principals_keytabs
- - name: Ensure HTTP spnego's keytab is working
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: check_secure_keytab
- vars:
- principal: HTTP/{{ ansible_fqdn }}
- keytab: spnego.service.keytab
- user: root
- group: "{{ hadoop_group }}"
- mode: "0640"
+- name: Ensure httpfs user's keytab is working
+ ansible.builtin.import_role:
+ name: tosit.tdp.utils.kerberos
+ tasks_from: check_secure_keytab
+ vars:
+ principal: httpfs/{{ ansible_fqdn }}
+ keytab: httpfs.service.keytab
+ user: "{{ hdfs_user }}"
+ group: "{{ hadoop_group }}"
+ mode: 
"0600"
+ when: not krb_create_principals_keytabs
diff --git a/roles/hdfs/journalnode/tasks/kerberos.yml b/roles/hdfs/journalnode/tasks/kerberos.yml
index 013cc38e..da31b31e 100644
--- a/roles/hdfs/journalnode/tasks/kerberos.yml
+++ b/roles/hdfs/journalnode/tasks/kerberos.yml
@@ -7,51 +7,26 @@
 name: tosit.tdp.utils.kerberos
 tasks_from: install
-- name: HDFS JournalNode keytabs creation
+- name: Ensure hdfs jn user's principal and keytab exist
+ ansible.builtin.import_role:
+ name: tosit.tdp.utils.kerberos
+ tasks_from: create_principal_keytab
+ vars:
+ principal: jn/{{ ansible_fqdn }}
+ keytab: jn.service.keytab
+ user: "{{ hdfs_user }}"
+ group: "{{ hadoop_group }}"
+ mode: "0600"
 when: krb_create_principals_keytabs
- block:
- - name: Ensure hdfs jn user's principal and keytab exist
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: create_principal_keytab
- vars:
- principal: jn/{{ ansible_fqdn }}
- keytab: jn.service.keytab
- user: "{{ hdfs_user }}"
- group: "{{ hadoop_group }}"
- mode: "0600"
-
- - name: Ensure HTTP spnego's principal and keytab exist
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: create_principal_keytab
- vars:
- principal: "HTTP/{{ ansible_fqdn }}"
- keytab: spnego.service.keytab
- user: root
- group: "{{ hadoop_group }}"
- mode: "0640"
-- name: HDFS JournalNode keytabs check
+- name: Ensure hdfs jn user's keytab is working
+ ansible.builtin.import_role:
+ name: tosit.tdp.utils.kerberos
+ tasks_from: check_secure_keytab
+ vars:
+ principal: jn/{{ ansible_fqdn }}
+ keytab: jn.service.keytab
+ user: "{{ hdfs_user }}"
+ group: "{{ hadoop_group }}"
+ mode: "0600"
 when: not krb_create_principals_keytabs
- block:
- - name: Ensure hdfs jn user's keytab is working
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: check_secure_keytab
- vars:
- principal: jn/{{ ansible_fqdn }}
- keytab: jn.service.keytab
- user: "{{ hdfs_user }}"
- group: "{{ hadoop_group }}"
- mode: "0600"
-
- - name: Ensure HTTP spnego's keytab is working
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: check_secure_keytab
- vars:
- principal: HTTP/{{ ansible_fqdn }}
- keytab: spnego.service.keytab
- user: root
- group: "{{ hadoop_group }}"
- 
mode: "0640"
diff --git a/roles/hdfs/namenode/tasks/kerberos.yml b/roles/hdfs/namenode/tasks/kerberos.yml
index 4bc28816..e378194a 100644
--- a/roles/hdfs/namenode/tasks/kerberos.yml
+++ b/roles/hdfs/namenode/tasks/kerberos.yml
@@ -20,52 +20,26 @@
 group: root
 mode: "644"
-- name: HDFS NameNode keytabs creation
+- name: Ensure hdfs nn user's principal and keytab exist
+ ansible.builtin.import_role:
+ name: tosit.tdp.utils.kerberos
+ tasks_from: create_principal_keytab
+ vars:
+ principal: nn/{{ ansible_fqdn }}
+ keytab: nn.service.keytab
+ user: "{{ hdfs_user }}"
+ group: "{{ hadoop_group }}"
+ mode: "0600"
 when: krb_create_principals_keytabs
- block:
- - name: Ensure hdfs nn user's principal and keytab exist
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: create_principal_keytab
- vars:
- principal: nn/{{ ansible_fqdn }}
- keytab: nn.service.keytab
- user: "{{ hdfs_user }}"
- group: "{{ hadoop_group }}"
- mode: "0600"
-
- - name: Ensure HTTP spnego's principal and keytab exist
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: create_principal_keytab
- vars:
- principal: HTTP/{{ ansible_fqdn }}
- keytab: spnego.service.keytab
- user: root
- group: "{{ hadoop_group }}"
- mode: "0640"
-- name: HDFS NameNode keytabs check
+- name: Ensure hdfs nn user's keytab is working
+ ansible.builtin.import_role:
+ name: tosit.tdp.utils.kerberos
+ tasks_from: check_secure_keytab
+ vars:
+ principal: nn/{{ ansible_fqdn }}
+ keytab: nn.service.keytab
+ user: "{{ hdfs_user }}"
+ group: "{{ hadoop_group }}"
+ mode: "0600"
 when: not krb_create_principals_keytabs
- block:
- - name: Ensure hdfs nn user's keytab is working
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: check_secure_keytab
- vars:
- principal: nn/{{ ansible_fqdn }}
- keytab: nn.service.keytab
- user: "{{ hdfs_user }}"
- group: "{{ hadoop_group }}"
- mode: "0600"
-
- - name: Ensure HTTP spnego's keytab is working
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: check_secure_keytab
- vars:
- principal: HTTP/{{ ansible_fqdn }}
- keytab: spnego.service.keytab
- user: root
- group: "{{ hadoop_group }}"
- mode: "0640"
diff --git a/roles/hive/hiveserver2/tasks/kerberos.yml b/roles/hive/hiveserver2/tasks/kerberos.yml
index a04fdd26..3dacd915 100644
--- a/roles/hive/hiveserver2/tasks/kerberos.yml
+++ b/roles/hive/hiveserver2/tasks/kerberos.yml
@@ -7,52 +7,26 @@
 name: tosit.tdp.utils.kerberos
 tasks_from: install
-- name: HiveServer2 keytabs creation
+- name: Ensure hive user's principal and keytab exist
+ ansible.builtin.import_role:
+ name: tosit.tdp.utils.kerberos
+ tasks_from: create_principal_keytab
+ vars:
+ principal: hive/{{ ansible_fqdn }}
+ keytab: hive.service.keytab
+ user: "{{ hive_user }}"
+ group: "{{ hadoop_group }}"
+ mode: "0600"
 when: krb_create_principals_keytabs
- block:
- - name: Ensure hive user's principal and keytab exist
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: create_principal_keytab
- vars:
- principal: hive/{{ ansible_fqdn }}
- keytab: hive.service.keytab
- user: "{{ hive_user }}"
- group: "{{ hadoop_group }}"
- mode: "0600"
-
- - name: Ensure HTTP spnego's principal and keytab exist
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: create_principal_keytab
- vars:
- principal: HTTP/{{ ansible_fqdn }}
- keytab: spnego.service.keytab
- user: root
- group: "{{ hadoop_group }}"
- mode: "0640"
-- name: HiveServer2 keytabs check
+- name: Ensure hive's keytab is working
+ ansible.builtin.import_role:
+ name: tosit.tdp.utils.kerberos
+ tasks_from: check_secure_keytab
+ vars:
+ principal: hive/{{ ansible_fqdn }}
+ keytab: hive.service.keytab
+ user: "{{ hive_user }}"
+ group: "{{ hadoop_group }}"
+ mode: "0600"
 when: not krb_create_principals_keytabs
- block:
- - name: Ensure hive's keytab is working
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: check_secure_keytab
- vars:
- principal: hive/{{ ansible_fqdn }}
- keytab: hive.service.keytab
- user: "{{ hive_user }}"
- group: "{{ hadoop_group }}"
- mode: "0600"
-
- - name: Ensure HTTP spnego's keytab is working
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: check_secure_keytab
- vars:
- principal: HTTP/{{ ansible_fqdn }}
- keytab: spnego.service.keytab
- user: root
- group: "{{ hadoop_group }}"
- mode: "0640"
diff --git a/roles/ranger/admin/tasks/kerberos-spnego-ha.yml b/roles/ranger/admin/tasks/kerberos-spnego-ha.yml
deleted file mode 100644
index 9f59d3a6..00000000
--- a/roles/ranger/admin/tasks/kerberos-spnego-ha.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright 2022 TOSIT.IO
-# SPDX-License-Identifier: Apache-2.0
-
----
-- name: Ensure HTTP HA spnego user's principal and keytab exist
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: create_headless_principal_keytab
- vars:
- principal: HTTP/{{ ranger_ha_address | urlsplit("hostname") }}
- keytab: '{{ ranger_ha_address | urlsplit("hostname") }}.service.keytab'
- user: root
- group: "{{ hadoop_group }}"
- mode: "0640"
- when: ranger_ha_address is defined
-
-- name: Ensure HA HTTP spnego's keytab is working
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: check_secure_keytab
- vars:
- principal: HTTP/{{ ranger_ha_address | urlsplit("hostname") }}
- keytab: '{{ ranger_ha_address | urlsplit("hostname") }}.service.keytab'
- user: root
- group: "{{ hadoop_group }}"
- mode: "0640"
- when: ranger_ha_address is defined
diff --git a/roles/ranger/admin/tasks/kerberos.yml b/roles/ranger/admin/tasks/kerberos.yml
index a2ba8c15..e253a57f 100644
--- a/roles/ranger/admin/tasks/kerberos.yml
+++ b/roles/ranger/admin/tasks/kerberos.yml
@@ -32,17 +32,6 @@
 group: "{{ hadoop_group }}"
 mode: "0600"
- - name: Ensure HTTP spnego user's principal and keytab exist
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: create_principal_keytab
- vars:
- principal: HTTP/{{ ansible_fqdn }}
- keytab: spnego.service.keytab
- user: root
- group: "{{ hadoop_group }}"
- mode: "0640"
-
 - name: Ranger Admin keytabs check
 when: not krb_create_principals_keytabs
 block:
@@ -67,15 +56,3 @@
 user: "{{ ranger_user }}"
 group: "{{ hadoop_group }}"
 mode: "0600"
-
- - name: Ensure HTTP spnego's keytab is working
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: check_secure_keytab
- vars:
- principal: HTTP/{{ ansible_fqdn }}
- keytab: spnego.service.keytab
- user: root
- group: "{{ hadoop_group }}"
- mode: "0640"
- when: not krb_create_principals_keytabs
diff --git a/roles/ranger/common/templates/install.properties.j2 b/roles/ranger/common/templates/install.properties.j2
index 6e4bde4e..0b7f38e2 100644
--- a/roles/ranger/common/templates/install.properties.j2
+++ b/roles/ranger/common/templates/install.properties.j2
@@ -195,7 +195,7 @@ xa_ldap_ad_userSearchFilter=
 #------------ Kerberos Config -----------------
 spnego_principal=HTTP/{% if ranger_ha_address is defined %}{{ ranger_ha_address | urlsplit("hostname") }}{% else %}{{ ansible_fqdn }}{% endif %}@{{ realm }}
-spnego_keytab=/etc/security/keytabs/{% if ranger_ha_address is defined %}{{ ranger_ha_address | urlsplit("hostname") }}.service.keytab{% else %}spnego.service.keytab{% endif %}
+spnego_keytab=/etc/security/keytabs/spnego.service.keytab
 token_valid=30
 cookie_domain=
 cookie_path=/
diff --git a/roles/ranger/kms/tasks/kerberos.yml b/roles/ranger/kms/tasks/kerberos.yml
index 2cc6e693..24bdbd4f 100644
--- a/roles/ranger/kms/tasks/kerberos.yml
+++ b/roles/ranger/kms/tasks/kerberos.yml
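Review bot: `spnego_keytab` is now fixed to `spnego.service.keytab` while `spnego_principal` on the line above still switches to `HTTP/<ranger_ha_address hostname>@{{ realm }}` when `ranger_ha_address` is defined, so in HA mode Ranger will look for the HA principal's key in a keytab that every other role in this diff only ever populates with `HTTP/{{ ansible_fqdn }}`. Unless the new shared SPNEGO provisioning writes the HA entry into that same file (not visible here), Ranger admin HA will fail SPNEGO login at startup with a principal-not-in-keytab error. The HA principal is also shared by all admin hosts, so it has to be generated once and distributed rather than re-created per host, or each host's run bumps the kvno and invalidates the others' keytabs; the deleted task used `create_headless_principal_keytab`, presumably for that reason. A comment above these two lines stating the contract, e.g. `{# In HA mode spnego.service.keytab must also contain HTTP/<ha-host>@REALM, provisioned by kerberos_spnego_install #}`, would document it for the next person who touches either line.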
@@ -7,52 +7,26 @@
 name: tosit.tdp.utils.kerberos
 tasks_from: install
-- name: Ranger KMS keytabs creation
+- name: Ensure keyadmin user's principal and keytab exist
+ ansible.builtin.import_role:
+ name: tosit.tdp.utils.kerberos
+ tasks_from: create_principal_keytab
+ vars:
+ principal: keyadmin/{{ ansible_fqdn }}
+ keytab: keyadmin.service.keytab
+ user: "{{ ranger_kms_user }}"
+ group: "{{ hadoop_group }}"
+ mode: "0600"
 when: krb_create_principals_keytabs
- block:
- - name: Ensure keyadmin user's principal and keytab exist
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: create_principal_keytab
- vars:
- principal: keyadmin/{{ ansible_fqdn }}
- keytab: keyadmin.service.keytab
- user: "{{ ranger_kms_user }}"
- group: "{{ hadoop_group }}"
- mode: "0600"
-
- - name: Ensure HTTP spnego user's principal and keytab exist
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: create_principal_keytab
- vars:
- principal: HTTP/{{ ansible_fqdn }}
- keytab: spnego.service.keytab
- user: root
- group: "{{ hadoop_group }}"
- mode: "0640"
-- name: Ranger KMS keytabs check
+- name: Ensure keyadmin's keytab is working
+ ansible.builtin.import_role:
+ name: tosit.tdp.utils.kerberos
+ tasks_from: check_secure_keytab
+ vars:
+ principal: keyadmin/{{ ansible_fqdn }}
+ keytab: keyadmin.service.keytab
+ user: "{{ ranger_kms_user }}"
+ group: "{{ hadoop_group }}"
+ mode: "0600"
 when: not krb_create_principals_keytabs
- block:
- - name: Ensure keyadmin's keytab is working
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: check_secure_keytab
- vars:
- principal: keyadmin/{{ ansible_fqdn }}
- keytab: keyadmin.service.keytab
- user: "{{ ranger_kms_user }}"
- group: "{{ hadoop_group }}"
- mode: "0600"
-
- - name: Ensure HTTP spnego's keytab is working
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: check_secure_keytab
- vars:
- principal: HTTP/{{ ansible_fqdn }}
- keytab: 
spnego.service.keytab
- user: root
- group: "{{ hadoop_group }}"
- mode: "0640"
diff --git a/roles/spark/historyserver/tasks/kerberos.yml b/roles/spark/historyserver/tasks/kerberos.yml
index e2f3f2e0..566a9efc 100644
--- a/roles/spark/historyserver/tasks/kerberos.yml
+++ b/roles/spark/historyserver/tasks/kerberos.yml
@@ -12,52 +12,26 @@
 name: tosit.tdp.hadoop.common
 tasks_from: kerberos
-- name: Spark HS keytabs creation
+- name: Ensure spark user's principal and keytab exist
+ ansible.builtin.import_role:
+ name: tosit.tdp.utils.kerberos
+ tasks_from: create_principal_keytab
+ vars:
+ principal: spark/{{ ansible_fqdn }}
+ keytab: spark.service.keytab
+ user: "{{ spark_user }}"
+ group: "{{ hadoop_group }}"
+ mode: "0600"
 when: krb_create_principals_keytabs
- block:
- - name: Ensure spark user's principal and keytab exist
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: create_principal_keytab
- vars:
- principal: spark/{{ ansible_fqdn }}
- keytab: spark.service.keytab
- user: "{{ spark_user }}"
- group: "{{ hadoop_group }}"
- mode: "0600"
-
- - name: Ensure HTTP spnego's keytab exists
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: create_principal_keytab
- vars:
- principal: HTTP/{{ ansible_fqdn }}
- keytab: spnego.service.keytab
- user: root
- group: "{{ hadoop_group }}"
- mode: "0640"
-- name: Spark HS keytabs check
+- name: Ensure spark keytab works
+ ansible.builtin.import_role:
+ name: tosit.tdp.utils.kerberos
+ tasks_from: check_secure_keytab
+ vars:
+ principal: spark/{{ ansible_fqdn }}
+ keytab: spark.service.keytab
+ user: "{{ spark_user }}"
+ group: "{{ hadoop_group }}"
+ mode: "600"
 when: not krb_create_principals_keytabs
- block:
- - name: Ensure spark keytab works
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: check_secure_keytab
- vars:
- principal: spark/{{ ansible_fqdn }}
- keytab: spark.service.keytab
- user: "{{ spark_user }}"
- group: "{{ hadoop_group }}"
- mode: "600"
-
- - name: Ensure HTTP spnego keytab works
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: check_secure_keytab
- vars:
- principal: "HTTP/{{ ansible_fqdn }}"
- keytab: spnego.service.keytab
- user: root
- group: "{{ hadoop_group }}"
- mode: "640"
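Review bot: The rewritten check task keeps `mode: "600"` while the create task just above it uses `mode: "0600"`, and every other role in this diff uses the four-digit form; if `check_secure_keytab` compares this string against the file's reported mode rather than passing it to a file module, the two spellings will never match and the check either fails or silently tests the wrong thing. Change it to `mode: "0600"` while the line is being rewritten anyway. The inconsistency predates this commit (the removed HTTP check carried the same `"640"` variant), but the hunk is the right place to fix it since the line is re-added here.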
diff --git a/roles/yarn/apptimelineserver/tasks/kerberos.yml b/roles/yarn/apptimelineserver/tasks/kerberos.yml
index b5a05fea..c41a2b09 100644
--- a/roles/yarn/apptimelineserver/tasks/kerberos.yml
+++ b/roles/yarn/apptimelineserver/tasks/kerberos.yml
@@ -12,52 +12,26 @@
 name: tosit.tdp.hadoop.common
 tasks_from: kerberos
-- name: YARN ATS keytabs creation
+- name: Ensure yarn ats user's principal and keytab exist
+ ansible.builtin.import_role:
+ name: tosit.tdp.utils.kerberos
+ tasks_from: create_principal_keytab
+ vars:
+ principal: ats/{{ ansible_fqdn }}
+ keytab: ats.service.keytab
+ user: "{{ yarn_user }}"
+ group: "{{ hadoop_group }}"
+ mode: "0600"
 when: krb_create_principals_keytabs
- block:
- - name: Ensure yarn ats user's principal and keytab exist
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: create_principal_keytab
- vars:
- principal: ats/{{ ansible_fqdn }}
- keytab: ats.service.keytab
- user: "{{ yarn_user }}"
- group: "{{ hadoop_group }}"
- mode: "0600"
-
- - name: Ensure HTTP spnego's principal and keytab exist
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: create_principal_keytab
- vars:
- principal: HTTP/{{ ansible_fqdn }}
- keytab: spnego.service.keytab
- user: root
- group: "{{ hadoop_group }}"
- mode: "0640"
-- name: YARN ATS keytabs check
+- name: Ensure yarn ats user's keytab is working
+ ansible.builtin.import_role:
+ name: tosit.tdp.utils.kerberos
+ tasks_from: check_secure_keytab
+ vars:
+ principal: ats/{{ ansible_fqdn }}
+ keytab: ats.service.keytab
+ user: "{{ yarn_user }}"
+ group: "{{ hadoop_group }}"
+ mode: "0600"
 when: not krb_create_principals_keytabs
- block:
- - name: Ensure yarn ats user's keytab is working
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: check_secure_keytab
- vars:
- principal: ats/{{ ansible_fqdn }}
- keytab: ats.service.keytab
- user: "{{ yarn_user }}"
- group: "{{ hadoop_group }}"
- mode: "0600"
-
- - name: Ensure HTTP spnego's keytab is working
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: check_secure_keytab
- vars:
- principal: HTTP/{{ ansible_fqdn }}
- keytab: spnego.service.keytab
- user: root
- group: "{{ hadoop_group }}"
- 
mode: "0640"
diff --git a/roles/yarn/jobhistoryserver/tasks/kerberos.yml b/roles/yarn/jobhistoryserver/tasks/kerberos.yml
index f6ee423e..e5d7f212 100644
--- a/roles/yarn/jobhistoryserver/tasks/kerberos.yml
+++ b/roles/yarn/jobhistoryserver/tasks/kerberos.yml
@@ -12,52 +12,26 @@
 name: tosit.tdp.hadoop.common
 tasks_from: kerberos
-- name: YARN JHS keytabs creation
+- name: Ensure mapred jhs user's principal and keytab exist
+ ansible.builtin.import_role:
+ name: tosit.tdp.utils.kerberos
+ tasks_from: create_principal_keytab
+ vars:
+ principal: jhs/{{ ansible_fqdn }}
+ keytab: jhs.service.keytab
+ user: "{{ mapred_user }}"
+ group: "{{ hadoop_group }}"
+ mode: "0600"
 when: krb_create_principals_keytabs
- block:
- - name: Ensure mapred jhs user's principal and keytab exist
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: create_principal_keytab
- vars:
- principal: jhs/{{ ansible_fqdn }}
- keytab: jhs.service.keytab
- user: "{{ mapred_user }}"
- group: "{{ hadoop_group }}"
- mode: "0600"
-
- - name: Ensure HTTP spnego's principal and keytab exist
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: create_principal_keytab
- vars:
- principal: HTTP/{{ ansible_fqdn }}
- keytab: spnego.service.keytab
- user: root
- group: "{{ hadoop_group }}"
- mode: "0640"
-- name: YARN JHS keytabs check
+- name: Ensure mapred jhs user's keytab is working
+ ansible.builtin.import_role:
+ name: tosit.tdp.utils.kerberos
+ tasks_from: check_secure_keytab
+ vars:
+ principal: jhs/{{ ansible_fqdn }}
+ keytab: jhs.service.keytab
+ user: "{{ mapred_user }}"
+ group: "{{ hadoop_group }}"
+ mode: "0600"
 when: not krb_create_principals_keytabs
- block:
- - name: Ensure mapred jhs user's keytab is working
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: check_secure_keytab
- vars:
- principal: jhs/{{ ansible_fqdn }}
- keytab: jhs.service.keytab
- user: "{{ mapred_user }}"
- group: "{{ hadoop_group }}"
- mode: "0600"
-
- - name: Ensure HTTP spnego's keytab is working
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: check_secure_keytab
- vars:
- principal: HTTP/{{ ansible_fqdn }}
- keytab: spnego.service.keytab
- user: root
- group: "{{ 
hadoop_group }}"
- mode: "0640"
diff --git a/roles/yarn/nodemanager/tasks/kerberos.yml b/roles/yarn/nodemanager/tasks/kerberos.yml
index fe604487..9f856644 100644
--- a/roles/yarn/nodemanager/tasks/kerberos.yml
+++ b/roles/yarn/nodemanager/tasks/kerberos.yml
@@ -12,52 +12,26 @@
 name: tosit.tdp.hadoop.common
 tasks_from: kerberos
-- name: YARN RM keytabs creation
+- name: Ensure yarn nm user's principal and keytab exist
+ ansible.builtin.import_role:
+ name: tosit.tdp.utils.kerberos
+ tasks_from: create_principal_keytab
+ vars:
+ principal: nm/{{ ansible_fqdn }}
+ keytab: nm.service.keytab
+ user: "{{ yarn_user }}"
+ group: "{{ hadoop_group }}"
+ mode: "0600"
 when: krb_create_principals_keytabs
- block:
- - name: Ensure yarn nm user's principal and keytab exist
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: create_principal_keytab
- vars:
- principal: nm/{{ ansible_fqdn }}
- keytab: nm.service.keytab
- user: "{{ yarn_user }}"
- group: "{{ hadoop_group }}"
- mode: "0600"
-
- - name: Ensure HTTP spnego's principal and keytab exist
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: create_principal_keytab
- vars:
- principal: HTTP/{{ ansible_fqdn }}
- keytab: spnego.service.keytab
- user: root
- group: "{{ hadoop_group }}"
- mode: "0640"
-- name: YARN RM keytabs check
+- name: Ensure yarn nm user's keytab is working
+ ansible.builtin.import_role:
+ name: tosit.tdp.utils.kerberos
+ tasks_from: check_secure_keytab
+ vars:
+ principal: nm/{{ ansible_fqdn }}
+ keytab: nm.service.keytab
+ user: "{{ yarn_user }}"
+ group: "{{ hadoop_group }}"
+ mode: "0600"
 when: not krb_create_principals_keytabs
- block:
- - name: Ensure yarn nm user's keytab is working
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: check_secure_keytab
- vars:
- principal: nm/{{ ansible_fqdn }}
- keytab: nm.service.keytab
- user: "{{ yarn_user }}"
- group: "{{ hadoop_group }}"
- mode: "0600"
-
- - name: Ensure HTTP spnego's keytab is working
- ansible.builtin.import_role:
- name: tosit.tdp.utils.kerberos
- tasks_from: check_secure_keytab
- vars:
- principal: HTTP/{{ ansible_fqdn }}
- keytab: spnego.service.keytab
- user: root
- group: "{{ hadoop_group }}"
- mode: "0640"
diff --git a/roles/yarn/resourcemanager/tasks/kerberos.yml b/roles/yarn/resourcemanager/tasks/kerberos.yml
index 963a62ef..7c03c21d 100644
--- a/roles/yarn/resourcemanager/tasks/kerberos.yml
+++ b/roles/yarn/resourcemanager/tasks/kerberos.yml
@@ -20,51 +20,26 @@ group: root mode: "644" -- when: krb_create_principals_keytabs - block: - - name: Ensure yarn rm user's principal and keytab exist - ansible.builtin.import_role: - name: tosit.tdp.utils.kerberos - tasks_from: create_principal_keytab - vars: - principal: rm/{{ ansible_fqdn }} - keytab: rm.service.keytab - user: "{{ yarn_user }}" - group: "{{ hadoop_group }}" - mode: "0600" - - - name: Ensure HTTP spnego's principal and keytab exist - ansible.builtin.import_role: - name: tosit.tdp.utils.kerberos - tasks_from: create_principal_keytab - vars: - principal: HTTP/{{ ansible_fqdn }} - keytab: spnego.service.keytab - user: root - group: "{{ hadoop_group }}" - mode: "0640" +- name: Ensure yarn rm user's principal and keytab exist + ansible.builtin.import_role: + name: tosit.tdp.utils.kerberos + tasks_from: create_principal_keytab + vars: + principal: rm/{{ ansible_fqdn }} + keytab: rm.service.keytab + user: "{{ yarn_user }}" + group: "{{ hadoop_group }}" + mode: "0600" + when: krb_create_principals_keytabs -- name: YARN RM keytabs check +- name: Ensure yarn rm user's keytab is working + ansible.builtin.import_role: + name: tosit.tdp.utils.kerberos + tasks_from: check_secure_keytab + vars: + principal: rm/{{ ansible_fqdn }} + keytab: rm.service.keytab + user: "{{ yarn_user }}" + group: "{{ hadoop_group }}" + mode: "0600" when: not krb_create_principals_keytabs - block: - - name: Ensure yarn rm user's keytab is working - ansible.builtin.import_role: - name: tosit.tdp.utils.kerberos - tasks_from: check_secure_keytab - vars: - principal: rm/{{ ansible_fqdn }} - keytab: rm.service.keytab - user: "{{ yarn_user }}" - group: "{{ hadoop_group }}" - mode: "0600" - - - name: Ensure HTTP spnego's keytab is working - ansible.builtin.import_role: - name: tosit.tdp.utils.kerberos - tasks_from: check_secure_keytab - vars: - principal: HTTP/{{ ansible_fqdn }} - keytab: spnego.service.keytab - user: root - group: "{{ hadoop_group }}" - mode: "0640" 
diff --git a/tdp_lib_dag/hbase.yml b/tdp_lib_dag/hbase.yml
index 306c7dac..9f8aaa83 100644
--- a/tdp_lib_dag/hbase.yml
+++ b/tdp_lib_dag/hbase.yml
@@ -36,6 +36,7 @@ - name: hbase_kerberos_install depends_on: + - kerberos_spnego_install - hbase_client_install - hbase_master_install - hbase_regionserver_install
@@ -43,6 +44,7 @@ - name: hbase_phoenix_kerberos_install depends_on: + - kerberos_spnego_install - hbase_phoenix_queryserver_daemon_install - name: hbase_ssl-tls_install
diff --git a/tdp_lib_dag/hdfs.yml b/tdp_lib_dag/hdfs.yml
index 22c255a1..8a7cc036 100644
--- a/tdp_lib_dag/hdfs.yml
+++ b/tdp_lib_dag/hdfs.yml
@@ -24,6 +24,7 @@ - name: hdfs_kerberos_install depends_on: + - kerberos_spnego_install - hdfs_namenode_install - hdfs_datanode_install - hdfs_journalnode_install
diff --git a/tdp_lib_dag/hive.yml b/tdp_lib_dag/hive.yml
index e1800215..1e6e5e00 100644
--- a/tdp_lib_dag/hive.yml
+++ b/tdp_lib_dag/hive.yml
@@ -15,6 +15,7 @@ - name: hive_kerberos_install depends_on: + - kerberos_spnego_install - hive_client_install - hive_metastore_install - hive_hiveserver2_install
diff --git a/tdp_lib_dag/kerberos.yml b/tdp_lib_dag/kerberos.yml
new file mode 100644
index 00000000..241125b9
--- /dev/null
+++ b/tdp_lib_dag/kerberos.yml
@@ -0,0 +1,27 @@
+# Copyright 2022 TOSIT.IO
+# SPDX-License-Identifier: Apache-2.0
+
+---
+- name: kerberos_spnego_install
+ depends_on:
+ - hadoop_client_install
+
+- name: kerberos_install
+ noop: yes
+ depends_on:
+ - kerberos_spnego_install
+
+- name: kerberos_config
+ noop: yes
+ depends_on:
+ - kerberos_install
+
+- name: kerberos_start
+ noop: yes
+ depends_on:
+ - kerberos_config
+
+- name: kerberos_init
+ noop: yes
+ depends_on:
+ - kerberos_start
diff --git a/tdp_lib_dag/ranger.yml b/tdp_lib_dag/ranger.yml
index f1fa15e3..d49faa2a 100644
--- a/tdp_lib_dag/ranger.yml
+++ b/tdp_lib_dag/ranger.yml
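Review bot: `noop: yes` in the new tdp_lib_dag/kerberos.yml (four occurrences, `kerberos_install` through `kerberos_init`) is a YAML 1.1 truthy spelling; whether it arrives as a boolean or as the string `yes` depends on the loader tdp-lib uses, and yamllint's `truthy` rule flags it, so `noop: true` is the portable form. Every `*_kerberos_install` node touched in this diff now depends on `kerberos_spnego_install`, whose only dependency is `hadoop_client_install`, but no playbook for `kerberos_spnego_install` appears in the part of the diff visible here — if it is not added elsewhere in the commit, the DAG references an operation with nothing to run (inferred; it may simply be outside this chunk). A short comment on that node would also document why the per-service roles stopped managing the SPNEGO keytab themselves, e.g. `# provisions the host-wide HTTP/<fqdn> spnego keytab that the *_kerberos_install operations depend on` — adjusted to whatever the playbook actually does.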
@@ -20,6 +20,7 @@ - name: ranger_kerberos_install depends_on: + - kerberos_spnego_install - ranger_admin_install - ranger_kms_install - ranger_usersync_install
diff --git a/tdp_lib_dag/spark.yml b/tdp_lib_dag/spark.yml
index 6314f48f..0e914319 100644
--- a/tdp_lib_dag/spark.yml
+++ b/tdp_lib_dag/spark.yml
@@ -10,6 +10,7 @@ - name: spark_kerberos_install depends_on: + - kerberos_spnego_install - spark_client_install - spark_historyserver_install
diff --git a/tdp_lib_dag/spark3.yml b/tdp_lib_dag/spark3.yml
index 41dc89a2..151fe93a 100644
--- a/tdp_lib_dag/spark3.yml
+++ b/tdp_lib_dag/spark3.yml
@@ -10,6 +10,7 @@ - name: spark3_kerberos_install depends_on: + - kerberos_spnego_install - spark3_client_install - spark3_historyserver_install
diff --git a/tdp_lib_dag/yarn.yml b/tdp_lib_dag/yarn.yml
index cc5b555d..1f130832 100644
--- a/tdp_lib_dag/yarn.yml
+++ b/tdp_lib_dag/yarn.yml
@@ -24,6 +24,7 @@ - name: yarn_kerberos_install depends_on: + - kerberos_spnego_install - yarn_resourcemanager_install - yarn_nodemanager_install - yarn_apptimelineserver_install