Kerberos config

This commit is contained in:
Filippo Berto 2022-03-24 09:36:46 +01:00
parent 2bcd4152a9
commit 7ad8a748f1


@ -40,6 +40,17 @@ let sparkConfDir = pkgs.stdenv.mkDerivation {
in in
{ {
networking = {
hosts = {
"127.0.0.1" = [
"ds.my.engine"
"kdc.my.engine"
"my.engine"
];
};
};
services = { services = {
spark = { spark = {
master = { master = {
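Review bot: The new `networking.hosts` entry maps `ds.my.engine`, `kdc.my.engine` and `my.engine` all to `127.0.0.1` without saying why, and nothing records that this is a single-node layout where the KDC, the directory service and every Hadoop service principal (`nn/my.engine`, `dn/my.engine`, `HTTP/my.engine`) share the loopback address. Because reverse resolution of 127.0.0.1 yields `localhost` (or whichever alias the resolver returns first) rather than `my.engine`, clients whose krb5 library canonicalizes service hostnames may end up asking for `nn/localhost@MY.ENGINE`; the `*/localhost` ACL added to `kerberos_server` in the next hunk looks like a workaround for exactly that, though I am inferring the motivation. A short comment on the block would save the next reader the detour, e.g. `# single-node dev layout: KDC, DS and all Hadoop service principals resolve to loopback; if service tickets are requested for */localhost instead of */my.engine, set rdns = false in krb5.libdefaults rather than widening the KDC ACL`. The hosts block is complete within this hunk.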
@ -53,83 +64,181 @@ in
confDir = sparkConfDir; confDir = sparkConfDir;
}; };
hadoop = {
coreSite = {
"fs.defaultFS" = "hdfs://localhost:8020";
};
hdfsSite = {
"dfs.namenode.rpc-bind-host" = "0.0.0.0";
"dfs.permissions" = "false";
"dfs.namenode.name.dir" = "/hdfs/dfs/name";
"dfs.datanode.data.dir" = "/hdfs/dfs/data";
};
hdfs = {
namenode = { hadoop =
enable = true; let
formatOnInit = true; keytab_path = /etc/hadoop.keytab;
restartIfChanged = true; in
{
coreSite = {
# "fs.defaultFS" = "hdfs://0.0.0.0:8020";
# "hadoop.http.authentication.simple.anonymous.allowed" = "false";
# "hadoop.http.authentication.signature.secret.file" = "/var/lib/hadoop/security/http_secret";
# "hadoop.http.authentication.type" = "kerberos";
# "hadoop.http.authentication.kerberos.principal" = "http/my.engine@MY.ENGINE";
# "hadoop.http.authentication.cookie.domain" = "my.engine";
# "hadoop.security.authentication" = "kerberos";
# "hadoop.security.authorization" = "true";
# "hadoop.rpc.protection" = "authentication";
# "hadoop.rpc.protection" = "authentication";
# "hadoop.security.auth_to_local" = ''
# RULE:[2:$1/$2@$0]([ndj]n/.*@MY.ENGINE)s/.*/hdfs/
# RULE:[2:$1/$2@$0]([rn]m/.*@MY.ENGINE)s/.*/yarn/
# RULE:[2:$1/$2@$0](jhs/.*@MY.ENGINE)s/.*/mapred/
# DEFAULT
# '';
# "hadoop.proxyuser.superuser.hosts" = "*"; # TODO: restrict
# "hadoop.proxyuser.superuser.groups" = "*"; # TODO: restrict
"fs.defaultFS" = "hdfs://my.engine:8020";
# HDFS IMPERSONATION
"hadoop.proxyuser.hdfs.hosts" = "*";
"hadoop.proxyuser.hdfs.groups" = "*";
# HIVE IMPERSONATION
"hadoop.proxyuser.hive.hosts" = "*";
"hadoop.proxyuser.hive.groups" = "*";
# ENABLE AUTHENTICATION
"hadoop.security.authentication" = "kerberos";
"hadoop.security.authorization" = "true";
"hadoop.rpc.protection" = "privacy";
"hadoop.security.auth_to_local" = ''
RULE:[2:$1/$2@$0]([ndj]n/.*@MY\.ENGINE)s/.*/hdfs/
RULE:[2:$1/$2@$0]([rn]m/.*@MY\.ENGINE)s/.*/yarn/
RULE:[2:$1/$2@$0](jhs/.*@MY\.ENGINE)s/.*/mapred/
DEFAULT
'';
}; };
datanode = { hdfsSite = {
enable = true; # DATA
restartIfChanged = true; "dfs.namenode.name.dir" = "/hdfs/dfs/name";
"dfs.datanode.data.dir" = "/hdfs/dfs/data";
# HDFS SECURITY
"dfs.block.access.token.enable" = "true";
# NAME NODE SECURITY
"dfs.namenode.keytab.file" = keytab_path;
"dfs.namenode.kerberos.principal" = "nn/my.engine@MY.ENGINE";
"dfs.namenode.kerberos.internal.spnego.principal" = "HTTP/my.engine@MY.ENGINE";
# SECONDARY NAME NODE SECURITY
"dfs.secondary.namenode.keytab.file" = keytab_path;
"dfs.secondary.namenode.kerberos.principal" = "nn/my.engine@MY.ENGINE";
"dfs.secondary.namenode.kerberos.internal.spnego.principal" = "HTTP/my.engine@MY.ENGINE";
# DATA NODE SECURITY
"dfs.datanode.keytab.file" = keytab_path;
"dfs.datanode.kerberos.principal" = "dn/my.engine@MY.ENGINE";
# WEBHDFS SECURITY
"dfs.webhdfs.enabled" = "true";
# WEB AUTHENTICATION CONFIG
"dfs.web.authentication.kerberos.principal" = "HTTP/my.engine@MY.ENGINE";
"dfs.web.authentication.kerberos.keytab" = keytab_path;
"ignore.secure.ports.for.testing" = "true";
"dfs.http.policy" = "HTTP_ONLY";
"dfs.data.transfer.protection" = "privacy";
# ## MULTIHOMED
# "dfs.namenode.rpc-bind-host" = "0.0.0.0";
# "dfs.namenode.servicerpc-bind-host" = "0.0.0.0";
# "dfs.namenode.http-bind-host" = "0.0.0.0";
# "dfs.namenode.https-bind-host" = "0.0.0.0";
# "dfs.client.use.datanode.hostname" = "true"; # force connection by hostname
# "dfs.datanode.use.datanode.hostname" = "true"; # force connection by hostname
# "dfs.data.transfer.protection" = "privacy";
# "hadoop.rpc.protection" = "privacy";
# "dfs.http.policy" = "HTTP_ONLY";
# "dfs.datanode.address" = "0.0.0.0:10019";
# "dfs.datanode.http.address" = "0.0.0.0:10022";
# "dfs.datanode.https.address" = "0.0.0.0:10023";
# "dfs.datanode.kerberos.principal" = "dn/my.engine@MY.ENGINE";
# "dfs.datanode.keytab.file" = keytab_path;
# "dfs.namenode.kerberos.principal" = "nn/my.engine@MY.ENGINE";
# "dfs.namenode.keytab.file" = keytab_path;
# "dfs.block.access.token.enable" = "true";
}; };
journalnode = { yarnSite = {
enable = true; # "yarn.acl.enable" = "true";
restartIfChanged = true; # "yarn.admin.acl" = "*"; # TODO: restrict
}; };
zkfc = { extraConfDirs = [ ];
enable = true;
restartIfChanged = true; hdfs = {
}; namenode = { enable = true; formatOnInit = true; restartIfChanged = true; };
httpfs = { datanode = { enable = true; restartIfChanged = true; };
enable = true; journalnode = { enable = true; restartIfChanged = true; };
restartIfChanged = true; zkfc = { enable = true; restartIfChanged = true; };
httpfs = { enable = true; restartIfChanged = true; };
}; };
yarn = { resourcemanager.enable = true; nodemanager.enable = true; };
}; };
yarn = {
resourcemanager.enable = true;
nodemanager.enable = true;
};
};
kerberos_server = { kerberos_server = {
enable = true; enable = true;
realms."ATHENA.MIT.EDU" = { realms."MY.ENGINE".acl = [
acl = [ { principal = "*/admin"; access = "all"; }
{ access = "all"; principal = "*/admin"; } { principal = "admin"; access = "all"; }
{ access = "all"; principal = "admin"; } { principal = "*/localhost"; access = "all"; }
]; { principal = "*/my.engine"; access = "all"; }
}; { principal = "nn/my.engine"; access = "all"; }
{ principal = "hdfs"; access = "all"; }
];
}; };
}; };
krb5 = { krb5 = {
enable = true; enable = true;
realms."ATHENA.MIT.EDU" = { realms = {
admin_server = "localhost"; "MY.ENGINE" = {
kdc = [ admin_server = "kdc.my.engine";
"localhost" kdc = "kdc.my.engine";
]; # default_domain = "my.engine";
kpasswd_server = "localhost"; # kpasswd_server = "odin";
};
}; };
domain_realm = { domain_realm = {
".athena.mit.edu" = "ATHENA.MIT.EDU"; # ".my.engine" = "MY.ENGINE";
"athena.mit.edu" = "ATHENA.MIT.EDU"; "my.engine" = "MY.ENGINE";
}; };
libdefaults = { libdefaults = {
default_realm = "ATHENA.MIT.EDU"; default_realm = "MY.ENGINE";
dns_lookup_realm = false; dns_lookup_realm = true;
dns_lookup_kdc = false; dns_lookup_kdc = true;
ticket_lifetime = "24h";
renew_lifetime = "7d";
forwardable = true;
}; };
extraConfig = '' extraConfig = ''
[logging] [logging]
default = FILE:/var/log/krb5.log default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
''; '';
}; };
systemd.services.spark-history = { systemd.services.spark-history = {
path = with pkgs; [ procps openssh nettools ]; path = with pkgs; [ procps openssh nettools ];
description = "spark history service."; description = "spark history service.";