branch-2.1: [Opt](external-docker) Modify kerberos network mode to host #47043 (#47095)

Cherry-picked from #47043

Co-authored-by: zgxme <zhenggaoxiong@selectdb.com>
github-actions[bot]
2025-01-16 23:12:05 +08:00
committed by GitHub
parent adc9e9a161
commit 4bd55b2f8b
22 changed files with 502 additions and 157 deletions


@ -16,10 +16,10 @@
# specific language governing permissions and limitations
# under the License.
/usr/bin/mysqld_safe &
while ! mysqladmin ping -proot --silent; do sleep 1; done
hive --service metatool -updateLocation hdfs://hadoop-master-2:9000/user/hive/warehouse hdfs://hadoop-master:9000/user/hive/warehouse
killall mysqld
while pgrep mysqld; do sleep 1; done
function exec_success_hook() {
echo "Executing success hook"
echo "Creating /tmp/success and /tmp/SUCCESS"
touch /tmp/success /tmp/SUCCESS
echo "Do not exit, just tailing /dev/null"
tail -f /dev/null
}
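Review bot: `exec_success_hook` never returns, because its last command is `tail -f /dev/null`, and nothing on the function says so; any statement a caller places after the call will never run. A header comment such as `# Creates /tmp/success and /tmp/SUCCESS (the compose healthcheck lists /tmp/SUCCESS), then blocks forever; must be the last call in an entrypoint` would make that contract explicit. The old/new side of the lines in this section is inferred, since the rendered page has lost the +/- markers.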


@ -0,0 +1,50 @@
#!/usr/bin/env bash
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
# Referenced from [docker-hive](https://github.com/big-data-europe/docker-hive)
# Set some sensible defaults
export CORE_CONF_fs_defaultFS=${CORE_CONF_fs_defaultFS:-hdfs://`hostname -f`:8020}
function addProperty() {
local path=$1
local name=$2
local value=$3
local entry="<property><name>$name</name><value>${value}</value></property>"
local escapedEntry=$(echo $entry | sed 's/\//\\\//g')
sed -i "/<\/configuration>/ s/.*/${escapedEntry}\n&/" $path
}
function configure() {
local path=$1
local module=$2
local envPrefix=$3
local var
local value
echo "Configuring $module"
for c in `printenv | perl -sne 'print "$1 " if m/^${envPrefix}_(.+?)=.*/' -- -envPrefix=$envPrefix`; do
name=`echo ${c} | perl -pe 's/___/-/g; s/__/_/g; s/_/./g'`
var="${envPrefix}_${c}"
value=${!var}
echo " - Setting $name=$ "
addProperty $path $name "$value"
done
}
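Review bot: `addProperty` escapes only `/` before splicing the entry into the sed replacement, so a value containing `&` or a backslash is rewritten by sed (`&` expands to the matched `</configuration>` line) and the property written to the site file is not what the environment variable held. Escaping all three in one pass, `escapedEntry=$(printf '%s\n' "$entry" | sed 's/[\/&\\]/\\&/g')`, and quoting `"$path"` in the `sed -i` call closes that; declaring `local escapedEntry` on its own line keeps a failed substitution from being masked by `local`. Values are also inserted without XML escaping, so a `<` or `&` in a value produces a malformed file. In `configure`, `c` and `name` are not declared `local` and leak into the script that sources this file.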


@ -32,21 +32,18 @@
[realms]
LABS.TERADATA.COM = {
kdc = hadoop-master:88
admin_server = hadoop-master
kdc = hadoop-master:5588
admin_server = hadoop-master:5749
}
OTHERLABS.TERADATA.COM = {
kdc = hadoop-master:89
admin_server = hadoop-master
kdc = hadoop-master:5589
admin_server = hadoop-master:5750
}
OTHERLABS.TERADATA.COM = {
kdc = hadoop-master:89
admin_server = hadoop-master
}
OTHERREALM.COM = {
kdc = hadoop-master-2:88
admin_server = hadoop-master
OTHERREALM.COM = {
kdc = hadoop-master-2:6688
admin_server = hadoop-master-2:6749
}
[domain_realm]
hadoop-master-2 = OTHERREALM.COM
hadoop-master = LABS.TERADATA.COM
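Review bot: The realm ports written here (5588/5749, 5589/5750, 6688/6749) repeat the `KDC_PORT*` and `KADMIND_PORT*` values exported by the kerberos settings files, and nothing ties the two together. A comment above `[realms]`, for example `# ports must match KDC_PORT*/KADMIND_PORT* in kerberos1_settings.env and kerberos2_settings.env`, would keep a later port change from silently pointing clients at a KDC that is no longer listening there. The rendered page shows old and new lines without markers, so which of the two `OTHERLABS.TERADATA.COM` blocks survives is inferred.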


@ -38,5 +38,7 @@ fi
trap exit INT
echo "Running services with supervisord"
rm -rf /etc/supervisord.d/socks-proxy.conf
rm -rf /etc/supervisord.d/sshd.conf
supervisord -c /etc/supervisord.conf
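Review bot: The two added `rm -rf /etc/supervisord.d/…conf` lines carry no explanation of why the SOCKS proxy and sshd programs are disabled. If the reason is that the containers now share the host's network namespace (the compose template in this commit sets `network_mode: "host"`), say so in a comment such as `# host networking: do not start sshd or the SOCKS proxy on the host's interfaces`. `rm -f --` is enough for single files and avoids a recursive delete if one of the paths ever turns out to be a directory. The script body starts outside this hunk.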


@ -0,0 +1,50 @@
#!/usr/bin/env bash
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
[kdcdefaults]
kdc_ports = ${KDC_PORT1}
kdc_tcp_ports = ${KDC_PORT1}
kadmind_port = ${KADMIND_PORT1}
kpasswd_port = ${KPASSWD_PORT1}
[realms]
LABS.TERADATA.COM = {
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
kdc_listen = ${KDC_PORT1}
kdc_tcp_listen = ${KDC_PORT1}
kdc_ports = ${KDC_PORT1}
kdc_tcp_ports = ${KDC_PORT1}
kadmind_port = ${KADMIND_PORT1}
kpasswd_port = ${KPASSWD_PORT1}
}
OTHERLABS.TERADATA.COM = {
acl_file = /var/kerberos/krb5kdc/kadm5-other.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5-other.keytab
supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
kdc_listen = ${KDC_PORT2}
kdc_tcp_listen = ${KDC_PORT2}
kdc_ports = ${KDC_PORT2}
kdc_tcp_ports = ${KDC_PORT2}
kadmind_port = ${KADMIND_PORT2}
kpasswd_port = ${KPASSWD_PORT2}
}
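Review bot: `supported_enctypes` still offers `des-cbc-crc`, `des-cbc-md5`, `des-hmac-sha1`, `des3-hmac-sha1` and `arcfour-hmac`, and the matching krb5.conf templates set `allow_weak_crypto = true`; with the containers moved to host networking these KDCs listen on the host's own interfaces rather than on a private bridge. If the tests do not depend on the legacy types, reduce the list to the AES entry, `supported_enctypes = aes128-cts:normal`; otherwise add a comment stating that the weak types are a test-fixture requirement. The same lines appear in the second kdc.conf template for `OTHERREALM.COM`. The leading `#!/usr/bin/env bash` line is out of place in a KDC configuration template.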


@ -0,0 +1,39 @@
#!/usr/bin/env bash
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = LABS.TERADATA.COM
dns_lookup_realm = false
dns_lookup_kdc = false
forwardable = true
allow_weak_crypto = true
[realms]
LABS.TERADATA.COM = {
kdc = ${HOST}:${KDC_PORT1}
admin_server = ${HOST}:${KADMIND_PORT1}
}
OTHERLABS.TERADATA.COM = {
kdc = ${HOST}:${KDC_PORT2}
admin_server = ${HOST}:${KADMIND_PORT2}
}


@ -0,0 +1,38 @@
#!/usr/bin/env bash
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
[kdcdefaults]
kdc_ports = ${KDC_PORT1}
kdc_tcp_ports = ${KDC_PORT1}
kadmind_port = ${KADMIND_PORT1}
kpasswd_port = ${KPASSWD_PORT1}
[realms]
OTHERREALM.COM = {
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
kdc_listen = ${KDC_PORT1}
kdc_tcp_listen = ${KDC_PORT1}
kdc_ports = ${KDC_PORT1}
kdc_tcp_ports = ${KDC_PORT1}
kadmind_port = ${KADMIND_PORT1}
kpasswd_port = ${KPASSWD_PORT1}
}


@ -0,0 +1,35 @@
#!/usr/bin/env bash
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = OTHERREALM.COM
dns_lookup_realm = false
dns_lookup_kdc = false
forwardable = true
allow_weak_crypto = true
[realms]
OTHERREALM.COM = {
kdc = ${HOST}:${KDC_PORT1}
admin_server = ${HOST}:${KADMIND_PORT1}
}


@ -16,18 +16,23 @@
# specific language governing permissions and limitations
# under the License.
set -exuo pipefail
[mysqld]
port=${MYSQL_PORT}
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Settings user and group are ignored when systemd is used.
# If you need to run mysqld under a different user or group,
# customize your systemd unit file for mariadb according to the
# instructions in http://fedoraproject.org/wiki/Systemd
TICKET_LIFETIME='30m'
[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid
kinit -l "$TICKET_LIFETIME" -f -c /etc/trino/conf/presto-server-krbcc \
-kt /etc/trino/conf/presto-server.keytab presto-server/$(hostname -f)@LABS.TERADATA.COM
#
# include all files from the config directory
#
!includedir /etc/my.cnf.d
kinit -l "$TICKET_LIFETIME" -f -c /etc/trino/conf/hive-presto-master-krbcc \
-kt /etc/trino/conf/hive-presto-master.keytab hive/$(hostname -f)@LABS.TERADATA.COM
kinit -l "$TICKET_LIFETIME" -f -c /etc/trino/conf/hdfs-krbcc \
-kt /etc/hadoop/conf/hdfs.keytab hdfs/hadoop-master@LABS.TERADATA.COM
kinit -l "$TICKET_LIFETIME" -f -c /etc/trino/conf/hive-krbcc \
-kt /etc/hive/conf/hive.keytab hive/hadoop-master@LABS.TERADATA.COM
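Review bot: The new `[mysqld]` section sets `port=${MYSQL_PORT}` but no `bind-address`, so under host networking the metastore database listens on every host interface, and the env template in this commit connects to it as `root` with password `root`. The metastore reaches it at `127.0.0.1` (`ConnectionURL=jdbc:mysql://127.0.0.1:${MYSQL_PORT}/metastore`), so adding `bind-address=127.0.0.1` under `[mysqld]` would keep it off the network without changing the tests. Which lines belong to the new file is inferred from the rendered page; the `kinit` lines appear to be the old side of a rename.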


@ -1,50 +0,0 @@
#!/usr/bin/env bash
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
set -euo pipefail
echo "Copying kerberos keytabs to /keytabs/"
mkdir -p /etc/hadoop-init.d/
cp /etc/trino/conf/hive-presto-master.keytab /keytabs/other-hive-presto-master.keytab
cp /etc/trino/conf/presto-server.keytab /keytabs/other-presto-server.keytab
cp /keytabs/update-location.sh /etc/hadoop-init.d/update-location.sh
/usr/local/hadoop-run.sh &
# check healthy hear
echo "Waiting for hadoop to be healthy"
for i in {1..10}; do
if /usr/local/health.sh; then
echo "Hadoop is healthy"
break
fi
echo "Hadoop is not healthy yet. Retrying in 20 seconds..."
sleep 20
done
if [ $i -eq 10 ]; then
echo "Hadoop did not become healthy after 120 attempts. Exiting."
exit 1
fi
echo "Init kerberos test data"
kinit -kt /etc/hive/conf/hive.keytab hive/hadoop-master-2@OTHERREALM.COM
hive -f /usr/local/sql/create_kerberos_hive_table.sql
touch /mnt/SUCCESS
tail -f /dev/null


@ -15,34 +15,60 @@
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
set -euo pipefail
source /usr/local/common/hive-configure.sh
source /usr/local/common/event-hook.sh
echo "Configuring hive"
configure /etc/hive/conf/hive-site.xml hive HIVE_SITE_CONF
configure /etc/hive/conf/hiveserver2-site.xml hive HIVE_SITE_CONF
configure /etc/hadoop/conf/core-site.xml core CORE_CONF
configure /etc/hadoop/conf/hdfs-site.xml hdfs HDFS_CONF
configure /etc/hadoop/conf/yarn-site.xml yarn YARN_CONF
configure /etc/hadoop/conf/mapred-site.xml mapred MAPRED_CONF
configure /etc/hive/conf/beeline-site.xml beeline BEELINE_SITE_CONF
echo "Copying kerberos keytabs to keytabs/"
mkdir -p /etc/hadoop-init.d/
cp /etc/trino/conf/* /keytabs/
if [ "$1" == "1" ]; then
cp /etc/trino/conf/* /keytabs/
elif [ "$1" == "2" ]; then
cp /etc/trino/conf/hive-presto-master.keytab /keytabs/other-hive-presto-master.keytab
cp /etc/trino/conf/presto-server.keytab /keytabs/other-presto-server.keytab
else
echo "Invalid index parameter. Exiting."
exit 1
fi
/usr/local/hadoop-run.sh &
# check healthy hear
echo "Waiting for hadoop to be healthy"
for i in {1..10}; do
for i in {1..60}; do
if /usr/local/health.sh; then
echo "Hadoop is healthy"
break
fi
echo "Hadoop is not healthy yet. Retrying in 20 seconds..."
sleep 20
echo "Hadoop is not healthy yet. Retrying in 60 seconds..."
sleep 5
done
if [ $i -eq 10 ]; then
echo "Hadoop did not become healthy after 120 attempts. Exiting."
if [ $i -eq 60 ]; then
echo "Hadoop did not become healthy after 60 attempts. Exiting."
exit 1
fi
echo "Init kerberos test data"
kinit -kt /etc/hive/conf/hive.keytab hive/hadoop-master@LABS.TERADATA.COM
hive -f /usr/local/sql/create_kerberos_hive_table.sql
touch /mnt/SUCCESS
tail -f /dev/null
if [ "$1" == "1" ]; then
kinit -kt /etc/hive/conf/hive.keytab hive/hadoop-master@LABS.TERADATA.COM
elif [ "$1" == "2" ]; then
kinit -kt /etc/hive/conf/hive.keytab hive/hadoop-master-2@OTHERREALM.COM
else
echo "Invalid index parameter. Exiting."
exit 1
fi
hive -f /usr/local/sql/create_kerberos_hive_table.sql
exec_success_hook
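Review bot: The health wait reports failure whenever the loop variable ends at 60, so a container that becomes healthy on the last attempt takes the `break` and is still stopped by `if [ $i -eq 60 ]`. Track the outcome explicitly: set `healthy=1` before `break` and test `if [ "${healthy:-0}" -ne 1 ]; then` after the loop. The retry message says 60 seconds while the code runs `sleep 5`. Under `set -u` a missing argument aborts at `"$1"` with an unbound-variable error before the `Invalid index parameter` branch is reached; `"${1:-}"` lets that branch report it.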


@ -0,0 +1,65 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
HIVE_SITE_CONF_javax_jdo_option_ConnectionURL=jdbc:mysql://127.0.0.1:${MYSQL_PORT}/metastore
HIVE_SITE_CONF_javax_jdo_option_ConnectionDriverName=com.mysql.jdbc.Driver
HIVE_SITE_CONF_javax_jdo_option_ConnectionUserName=root
HIVE_SITE_CONF_javax_jdo_option_ConnectionPassword=root
HIVE_SITE_CONF_datanucleus_autoCreateSchema=false
HIVE_SITE_CONF_hive_metastore_port=${HMS_PORT}
HIVE_SITE_CONF_hive_metastore_uris=thrift://${IP_HOST}:${HMS_PORT}
HIVE_SITE_CONF_hive_server2_thrift_bind_host=0.0.0.0
HIVE_SITE_CONF_hive_server2_thrift_port=${HS_PORT}
HIVE_SITE_CONF_hive_server2_webui_port=0
HIVE_SITE_CONF_hive_compactor_initiator_on=true
HIVE_SITE_CONF_hive_compactor_worker_threads=2
HIVE_SITE_CONF_metastore_storage_schema_reader_impl=org.apache.hadoop.hive.metastore.SerDeStorageSchemaReader
BEELINE_SITE_CONF_beeline_hs2_jdbc_url_tcpUrl=jdbc:hive2://${HOST}:${HS_PORT}/default;user=hdfs;password=hive
BEELINE_SITE_CONF_beeline_hs2_jdbc_url_httpUrl=jdbc:hive2://${HOST}:${HS_PORT}/default;user=hdfs;password=hive
CORE_CONF_fs_defaultFS=hdfs://${HOST}:${FS_PORT}
CORE_CONF_hadoop_http_staticuser_user=root
CORE_CONF_hadoop_proxyuser_hue_hosts=*
CORE_CONF_hadoop_proxyuser_hue_groups=*
HDFS_CONF_dfs_webhdfs_enabled=true
HDFS_CONF_dfs_permissions_enabled=false
HDFS_CONF_dfs_namenode_datanode_registration_ip___hostname___check=false
HDFS_CONF_dfs_datanode_address=${HOST}:${DFS_DN_PORT}
HDFS_CONF_dfs_datanode_http_address=${HOST}:${DFS_DN_HTTP_PORT}
HDFS_CONF_dfs_datanode_ipc_address=${HOST}:${DFS_DN_IPC_PORT}
HDFS_CONF_dfs_namenode_http___address=${HOST}:${DFS_NN_HTTP_PORT}
YARN_CONF_yarn_log___aggregation___enable=true
YARN_CONF_yarn_resourcemanager_recovery_enabled=true
YARN_CONF_yarn_resourcemanager_store_class=org.apache.hadoop.yarn.server.resourcemanager.recovery.FileSystemRMStateStore
YARN_CONF_yarn_resourcemanager_fs_state___store_uri=/rmstate
YARN_CONF_yarn_nodemanager_remote___app___log___dir=/var/log/hadoop-yarn/apps
YARN_CONF_yarn_log_server_url=http://${HOST}:${YARM_LOG_SERVER_PORT}/jobhistory/logs
YARN_CONF_yarn_timeline___service_enabled=false
YARN_CONF_yarn_timeline___service_generic___application___history_enabled=true
YARN_CONF_yarn_resourcemanager_system___metrics___publisher_enabled=true
YARN_CONF_yarn_resourcemanager_hostname=${HOST}
MAPRED_CONF_mapreduce_shuffle_port=${MAPREDUCE_SHUFFLE_PORT}
YARN_CONF_yarn_timeline___service_hostname=${HOST}
YARN_CONF_yarn_resourcemanager_address=${HOST}:${YARN_RM_PORT}
YARN_CONF_yarn_resourcemanager_scheduler_address=${HOST}:${YARN_RM_SCHEDULER_PORT}
YARN_CONF_yarn_resourcemanager_resource___tracker_address=${HOST}:${YARN_RM_TRACKER_PORT}
YARN_CONF_yarn_resourcemanager_admin_address=${HOST}:${YARN_RM_ADMIN_PORT}
YARN_CONF_yarn_resourcemanager_webapp_address=${HOST}:${YARN_RM_WEBAPP_PORT}
YARN_CONF_yarn_nodemanager_localizer_address=${HOST}:${YARN_NM_LOCAL_PORT}
YARN_CONF_yarn_nodemanager_webapp_address=${HOST}:${YARN_NM_WEBAPP_PORT}
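Review bot: This template keeps settings that were only reasonable behind a private bridge network: `hive_server2_thrift_bind_host=0.0.0.0`, `dfs_permissions_enabled=false`, wildcard `hadoop_proxyuser_hue_hosts`/`groups`, and `root`/`root` for the metastore database. With `network_mode: "host"` they now apply to services bound on the host itself. A header comment such as `# test fixture only: services bind on the host network with HDFS permissions disabled; run on an isolated CI host` would record that. `YARM_LOG_SERVER_PORT` looks like a misspelling of `YARN_…`; it resolves only because the settings files use the same spelling.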


@ -32,4 +32,3 @@ if test -d "${HEALTH_D}"; then
"${health_script}" &>> /var/log/container-health.log || exit 1
done
fi
exit 0


@ -17,4 +17,4 @@
# under the License.
kinit -kt /etc/hive/conf/hive.keytab hive/hadoop-master-2@OTHERREALM.COM
beeline -u "jdbc:hive2://localhost:10000/default;principal=hive/hadoop-master-2@OTHERREALM.COM" -e "show databases;"
beeline -u "jdbc:hive2://localhost:16000/default;principal=hive/hadoop-master-2@OTHERREALM.COM" -e "show databases;"


@ -17,4 +17,4 @@
# under the License.
kinit -kt /etc/hive/conf/hive.keytab hive/hadoop-master@LABS.TERADATA.COM
beeline -u "jdbc:hive2://localhost:10000/default;principal=hive/hadoop-master@LABS.TERADATA.COM" -e "show databases;"
beeline -u "jdbc:hive2://localhost:15000/default;principal=hive/hadoop-master@LABS.TERADATA.COM" -e "show databases;"


@ -16,68 +16,55 @@
# under the License.
version: "3"
services:
hive-krb:
hive-krb1:
image: doristhirdpartydocker/trinodb:hdp3.1-hive-kerberized_96
container_name: doris--kerberos1
container_name: doris-${CONTAINER_UID}-kerberos1
volumes:
- ../common:/usr/local/common
- ./two-kerberos-hives:/keytabs
- ./sql:/usr/local/sql
- ./common/hadoop/apply-config-overrides.sh:/etc/hadoop-init.d/00-apply-config-overrides.sh
- ./common/hadoop/hadoop-run.sh:/usr/local/hadoop-run.sh
- ./health-checks/health.sh:/usr/local/health.sh
- ./health-checks/hadoop-health-check.sh:/etc/health.d/hadoop-health-check.sh
- ./health-checks/supervisorctl-check.sh:/etc/health.d/supervisorctl-check.sh
- ./health-checks/hive-health-check.sh:/etc/health.d/hive-health-check.sh
- ./entrypoint-hive-master.sh:/usr/local/entrypoint-hive-master.sh
- ./conf/kerberos1/my.cnf:/etc/my.cnf
- ./conf/kerberos1/kdc.conf:/var/kerberos/krb5kdc/kdc.conf
- ./conf/kerberos1/krb5.conf:/etc/krb5.conf
hostname: hadoop-master
entrypoint: /usr/local/entrypoint-hive-master.sh
entrypoint: /usr/local/entrypoint-hive-master.sh 1
healthcheck:
test: ["CMD", "ls", "/mnt/SUCCESS"]
interval: 20s
timeout: 60s
test: ["CMD", "ls", "/tmp/SUCCESS"]
interval: 5s
timeout: 10s
retries: 120
ports:
- "5806:5006"
- "8820:8020"
- "8842:8042"
- "9800:9000"
- "9883:9083"
- "18000:10000"
networks:
doris--krb_net:
ipv4_address: 172.31.71.25
network_mode: "host"
env_file:
- ./hadoop-hive-1.env
hive-krb2:
image: doristhirdpartydocker/trinodb:hdp3.1-hive-kerberized-2_96
container_name: doris--kerberos2
container_name: doris-${CONTAINER_UID}-kerberos2
hostname: hadoop-master-2
volumes:
- ../common:/usr/local/common
- ./two-kerberos-hives:/keytabs
- ./sql:/usr/local/sql
- ./common/hadoop/apply-config-overrides.sh:/etc/hadoop-init.d/00-apply-config-overrides.sh
- ./common/hadoop/hadoop-run.sh:/usr/local/hadoop-run.sh
- ./health-checks/health.sh:/usr/local/health.sh
- ./health-checks/hadoop-health-check.sh:/etc/health.d/hadoop-health-check.sh
- ./health-checks/supervisorctl-check.sh:/etc/health.d/supervisorctl-check.sh
- ./health-checks/hive-health-check-2.sh:/etc/health.d/hive-health-check-2.sh
- ./entrypoint-hive-master-2.sh:/usr/local/entrypoint-hive-master-2.sh
entrypoint: /usr/local/entrypoint-hive-master-2.sh
- ./entrypoint-hive-master.sh:/usr/local/entrypoint-hive-master.sh
- ./conf/kerberos2/my.cnf:/etc/my.cnf
- ./conf/kerberos2/kdc.conf:/var/kerberos/krb5kdc/kdc.conf
- ./conf/kerberos2/krb5.conf:/etc/krb5.conf
entrypoint: /usr/local/entrypoint-hive-master.sh 2
healthcheck:
test: ["CMD", "ls", "/mnt/SUCCESS"]
interval: 20s
timeout: 60s
test: ["CMD", "ls", "/tmp/SUCCESS"]
interval: 5s
timeout: 10s
retries: 120
ports:
- "15806:5006"
- "18820:8020"
- "18842:8042"
- "19800:9000"
- "19883:9083"
- "18800:10000"
networks:
doris--krb_net:
ipv4_address: 172.31.71.26
networks:
doris--krb_net:
ipam:
config:
- subnet: 172.31.71.0/24
network_mode: "host"
env_file:
- ./hadoop-hive-2.env
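Review bot: Both services switch to `network_mode: "host"` with no comment explaining why, and the `ports:` mappings and the private `doris--krb_net` subnet disappear with it. Every listener inside the two images then binds on the host directly and both containers share one port space, so collisions and exposure are governed only by the values in the settings files. A comment above each `network_mode` line, for example `# host network so hadoop-master / hadoop-master-2 resolve to the host IP; all listeners are reachable on the host`, would make the trade-off explicit (the stated reason is inferred from the /etc/hosts handling in the run script and should be confirmed by the author).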


@ -0,0 +1,47 @@
#!/bin/bash
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
# Change this to a specific string.
# Do not use "_" or other sepcial characters, only number and alphabeta.
# NOTICE: change this uid will modify hive-*.yaml
export HOST="hadoop-master"
export FS_PORT=8520
export HMS_PORT=9583
export HS_PORT=15000
export MYSQL_PORT=3356
export DFS_DN_PORT=9566
export DFS_DN_HTTP_PORT=9564
export DFS_DN_IPC_PORT=9567
export DFS_NN_HTTP_PORT=9570
export YARM_LOG_SERVER_PORT=8588
export YARN_RM_PORT=8532
export YARN_RM_SCHEDULER_PORT=8530
export YARN_RM_TRACKER_PORT=8531
export YARN_RM_ADMIN_PORT=8533
export YARN_RM_WEBAPP_PORT=8589
export YARN_NM_LOCAL_PORT=8540
export YARN_NM_WEBAPP_PORT=8542
export MAPREDUCE_SHUFFLE_PORT=13562
export KADMIND_PORT=5464
export KDC_PORT1=5588
export KDC_PORT2=5589
export KADMIND_PORT1=5749
export KADMIND_PORT2=5750
export KPASSWD_PORT1=5464
export KPASSWD_PORT2=5465
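Review bot: The header comment (`Change this to a specific string … change this uid will modify hive-*.yaml`) describes a container UID that this file does not define, so it misleads anyone editing the ports; replace it with a line such as `# Host name and ports for the first Kerberos/Hive container; must not collide with kerberos2_settings.env`. `KADMIND_PORT=5464` duplicates the value of `KPASSWD_PORT1` and is not referenced by any template visible here. The second settings file carries the same stale header.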


@ -0,0 +1,43 @@
#!/bin/bash
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
# Change this to a specific string.
# Do not use "_" or other sepcial characters, only number and alphabeta.
# NOTICE: change this uid will modify hive-*.yaml
export HOST="hadoop-master-2"
export FS_PORT=8620
export HMS_PORT=9683
export HS_PORT=16000
export MYSQL_PORT=3366
export DFS_DN_PORT=9666
export DFS_DN_HTTP_PORT=9664
export DFS_DN_IPC_PORT=9667
export DFS_NN_HTTP_PORT=9670
export YARM_LOG_SERVER_PORT=8688
export YARN_RM_PORT=8632
export YARN_RM_SCHEDULER_PORT=8630
export YARN_RM_TRACKER_PORT=8631
export YARN_RM_ADMIN_PORT=8633
export YARN_RM_WEBAPP_PORT=8689
export YARN_NM_LOCAL_PORT=8640
export YARN_NM_WEBAPP_PORT=8642
export MAPREDUCE_SHUFFLE_PORT=13662
export KDC_PORT1=6688
export KADMIND_PORT1=6749
export KPASSWD_PORT1=6464


@ -576,8 +576,22 @@ start_lakesoul() {
start_kerberos() {
echo "RUN_KERBEROS"
cp "${ROOT}"/docker-compose/kerberos/kerberos.yaml.tpl "${ROOT}"/docker-compose/kerberos/kerberos.yaml
sed -i "s/doris--/${CONTAINER_UID}/g" "${ROOT}"/docker-compose/kerberos/kerberos.yaml
eth_name=$(ifconfig -a | grep -E "^eth[0-9]" | sort -k1.4n | awk -F ':' '{print $1}' | head -n 1)
IP_HOST=$(ifconfig "${eth_name}" | grep inet | grep -v 127.0.0.1 | grep -v inet6 | awk '{print $2}' | tr -d "addr:" | head -n 1)
export IP_HOST=${IP_HOST}
export CONTAINER_UID=${CONTAINER_UID}
envsubst <"${ROOT}"/docker-compose/kerberos/kerberos.yaml.tpl >"${ROOT}"/docker-compose/kerberos/kerberos.yaml
for i in {1..2}; do
. "${ROOT}"/docker-compose/kerberos/kerberos${i}_settings.env
envsubst <"${ROOT}"/docker-compose/kerberos/hadoop-hive.env.tpl >"${ROOT}"/docker-compose/kerberos/hadoop-hive-${i}.env
envsubst <"${ROOT}"/docker-compose/kerberos/conf/my.cnf.tpl > "${ROOT}"/docker-compose/kerberos/conf/kerberos${i}/my.cnf
envsubst <"${ROOT}"/docker-compose/kerberos/conf/kerberos${i}/kdc.conf.tpl > "${ROOT}"/docker-compose/kerberos/conf/kerberos${i}/kdc.conf
envsubst <"${ROOT}"/docker-compose/kerberos/conf/kerberos${i}/krb5.conf.tpl > "${ROOT}"/docker-compose/kerberos/conf/kerberos${i}/krb5.conf
done
sudo chmod a+w /etc/hosts
sudo sed -i "1i${IP_HOST} hadoop-master" /etc/hosts
sudo sed -i "1i${IP_HOST} hadoop-master-2" /etc/hosts
sudo cp "${ROOT}"/docker-compose/kerberos/kerberos.yaml.tpl "${ROOT}"/docker-compose/kerberos/kerberos.yaml
sudo docker compose -f "${ROOT}"/docker-compose/kerberos/kerberos.yaml down
sudo rm -rf "${ROOT}"/docker-compose/kerberos/data
if [[ "${STOP}" -ne 1 ]]; then
@ -585,15 +599,11 @@ start_kerberos() {
rm -rf "${ROOT}"/docker-compose/kerberos/two-kerberos-hives/*.keytab
rm -rf "${ROOT}"/docker-compose/kerberos/two-kerberos-hives/*.jks
rm -rf "${ROOT}"/docker-compose/kerberos/two-kerberos-hives/*.conf
sudo docker compose -f "${ROOT}"/docker-compose/kerberos/kerberos.yaml up -d
sudo docker compose -f "${ROOT}"/docker-compose/kerberos/kerberos.yaml up -d --wait
sudo rm -f /keytabs
sudo ln -s "${ROOT}"/docker-compose/kerberos/two-kerberos-hives /keytabs
sudo cp "${ROOT}"/docker-compose/kerberos/common/conf/doris-krb5.conf /keytabs/krb5.conf
sudo cp "${ROOT}"/docker-compose/kerberos/common/conf/doris-krb5.conf /etc/krb5.conf
sudo chmod a+w /etc/hosts
echo '172.31.71.25 hadoop-master' >> /etc/hosts
echo '172.31.71.26 hadoop-master-2' >> /etc/hosts
sleep 2
fi
}
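Review bot: `sudo chmod a+w /etc/hosts` leaves the host's hosts file world-writable after the run, and the new code no longer needs it because both entries are now written with `sudo sed -i`; the chmod line can be dropped. The two `sed -i "1i${IP_HOST} …"` lines prepend a fresh pair of entries on every invocation, so entries from earlier runs accumulate; deleting existing `hadoop-master` and `hadoop-master-2` lines first would keep the file bounded and the mapping unambiguous. `envsubst` is called without a variable list, so every `${…}` in the templates is replaced and an unset variable becomes an empty string without any error; an empty `IP_HOST` (no `eth*` interface found) would produce a hosts line with no address. `start_kerberos` begins and ends inside the visible hunks, but the rest of the script is outside them.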


@ -17,6 +17,7 @@
suite("test_single_hive_kerberos", "p0,external,kerberos,external_docker,external_docker_kerberos") {
String enabled = context.config.otherConfigs.get("enableKerberosTest")
String externalEnvIp = context.config.otherConfigs.get("externalEnvIp")
if (enabled != null && enabled.equalsIgnoreCase("true")) {
String hms_catalog_name = "test_single_hive_kerberos"
sql """drop catalog if exists hms_kerberos;"""
@ -24,8 +25,8 @@ suite("test_single_hive_kerberos", "p0,external,kerberos,external_docker,externa
CREATE CATALOG IF NOT EXISTS hms_kerberos
PROPERTIES (
"type" = "hms",
"hive.metastore.uris" = "thrift://172.31.71.25:9083",
"fs.defaultFS" = "hdfs://172.31.71.25:8020",
"hive.metastore.uris" = "thrift://${externalEnvIp}:9583",
"fs.defaultFS" = "hdfs://${externalEnvIp}:8520",
"hadoop.security.authentication" = "kerberos",
"hadoop.kerberos.principal"="presto-server/presto-master.docker.cluster@LABS.TERADATA.COM",
"hadoop.kerberos.keytab" = "/keytabs/presto-server.keytab",
@ -34,7 +35,7 @@ suite("test_single_hive_kerberos", "p0,external,kerberos,external_docker,externa
RULE:[2:\$1@\$0](.*@OTHERREALM.COM)s/@.*//
DEFAULT",
"hive.metastore.sasl.enabled " = "true",
"hive.metastore.kerberos.principal" = "hive/_HOST@LABS.TERADATA.COM"
"hive.metastore.kerberos.principal" = "hive/hadoop-master@LABS.TERADATA.COM"
);
"""
sql """ switch hms_kerberos """
@ -48,8 +49,8 @@ suite("test_single_hive_kerberos", "p0,external,kerberos,external_docker,externa
CREATE CATALOG IF NOT EXISTS hms_kerberos_hadoop_err1
PROPERTIES (
"type" = "hms",
"hive.metastore.uris" = "thrift://172.31.71.25:9083",
"fs.defaultFS" = "hdfs://172.31.71.25:8020",
"hive.metastore.uris" = "thrift://${externalEnvIp}:9583",
"fs.defaultFS" = "hdfs://${externalEnvIp}:8520",
"hadoop.security.authentication" = "kerberos",
"hadoop.kerberos.principal"="presto-server/presto-master.docker.cluster@LABS.TERADATA.COM",
"hadoop.kerberos.keytab" = "/keytabs/presto-server.keytab"
@ -71,8 +72,8 @@ suite("test_single_hive_kerberos", "p0,external,kerberos,external_docker,externa
PROPERTIES (
"type" = "hms",
"hive.metastore.sasl.enabled " = "true",
"hive.metastore.uris" = "thrift://172.31.71.25:9083",
"fs.defaultFS" = "hdfs://172.31.71.25:8020"
"hive.metastore.uris" = "thrift://${externalEnvIp}:9583",
"fs.defaultFS" = "hdfs://${externalEnvIp}:8520"
);
"""
sql """ switch hms_kerberos_hadoop_err2 """
@ -87,8 +88,8 @@ suite("test_single_hive_kerberos", "p0,external,kerberos,external_docker,externa
// CREATE CATALOG IF NOT EXISTS hms_keberos_ccache
// PROPERTIES (
// "type" = "hms",
// "hive.metastore.uris" = "thrift://172.31.71.25:9083",
// "fs.defaultFS" = "hdfs://172.31.71.25:8020",
// "hive.metastore.uris" = "thrift://${externalEnvIp}:9583",
// "fs.defaultFS" = "hdfs://${externalEnvIp}:8520",
// "hadoop.security.authentication" = "kerberos",
// "hadoop.kerberos.principal"="presto-server/presto-master.docker.cluster@LABS.TERADATA.COM",
// "hadoop.kerberos.keytab" = "/keytabs/presto-server.keytab",
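Review bot: `externalEnvIp` is read from `otherConfigs` and interpolated into every `hive.metastore.uris` and `fs.defaultFS` value without a null check, so an unset config yields `thrift://null:9583` and the suite fails with a connection error instead of a clear message. Guard it next to the existing flag, e.g. `if (enabled != null && enabled.equalsIgnoreCase("true") && externalEnvIp != null) {`, or assert on it before the first `sql` call. The ports 9583 and 8520 repeat `HMS_PORT` and `FS_PORT` from the first settings file with nothing linking them. The same applies to the two-realm suite changed in this commit (9683/8620 there).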


@ -21,6 +21,7 @@ import org.junit.Assert;
suite("test_two_hive_kerberos", "p0,external,kerberos,external_docker,external_docker_kerberos") {
String enabled = context.config.otherConfigs.get("enableKerberosTest")
String externalEnvIp = context.config.otherConfigs.get("externalEnvIp")
if (enabled != null && enabled.equalsIgnoreCase("true")) {
String hms_catalog_name = "test_two_hive_kerberos"
sql """drop catalog if exists ${hms_catalog_name};"""
@ -28,14 +29,14 @@ suite("test_two_hive_kerberos", "p0,external,kerberos,external_docker,external_d
CREATE CATALOG IF NOT EXISTS ${hms_catalog_name}
PROPERTIES (
"type" = "hms",
"hive.metastore.uris" = "thrift://172.31.71.25:9083",
"fs.defaultFS" = "hdfs://172.31.71.25:8020",
"hive.metastore.uris" = "thrift://${externalEnvIp}:9583",
"fs.defaultFS" = "hdfs://${externalEnvIp}:8520",
"hadoop.kerberos.min.seconds.before.relogin" = "5",
"hadoop.security.authentication" = "kerberos",
"hadoop.kerberos.principal"="hive/presto-master.docker.cluster@LABS.TERADATA.COM",
"hadoop.kerberos.keytab" = "/keytabs/hive-presto-master.keytab",
"hive.metastore.sasl.enabled " = "true",
"hive.metastore.kerberos.principal" = "hive/_HOST@LABS.TERADATA.COM"
"hive.metastore.kerberos.principal" = "hive/hadoop-master@LABS.TERADATA.COM"
);
"""
@ -44,14 +45,14 @@ suite("test_two_hive_kerberos", "p0,external,kerberos,external_docker,external_d
CREATE CATALOG IF NOT EXISTS other_${hms_catalog_name}
PROPERTIES (
"type" = "hms",
"hive.metastore.uris" = "thrift://172.31.71.26:9083",
"fs.defaultFS" = "hdfs://172.31.71.26:8020",
"hive.metastore.uris" = "thrift://${externalEnvIp}:9683",
"fs.defaultFS" = "hdfs://${externalEnvIp}:8620",
"hadoop.kerberos.min.seconds.before.relogin" = "5",
"hadoop.security.authentication" = "kerberos",
"hadoop.kerberos.principal"="hive/presto-master.docker.cluster@OTHERREALM.COM",
"hadoop.kerberos.keytab" = "/keytabs/other-hive-presto-master.keytab",
"hive.metastore.sasl.enabled " = "true",
"hive.metastore.kerberos.principal" = "hive/_HOST@OTHERREALM.COM",
"hive.metastore.kerberos.principal" = "hive/hadoop-master-2@OTHERREALM.COM",
"hadoop.security.auth_to_local" ="RULE:[2:\$1@\$0](.*@OTHERREALM.COM)s/@.*//
RULE:[2:\$1@\$0](.*@OTHERLABS.TERADATA.COM)s/@.*//
DEFAULT"