use indoc::formatdoc;
use snafu::{ResultExt, Snafu};
use stackable_hive_crd::{HiveCluster, HiveRole, HIVE_SITE_XML, STACKABLE_CONFIG_DIR};
use stackable_operator::builder::pod::{
container::ContainerBuilder,
volume::{
SecretOperatorVolumeSourceBuilder, SecretOperatorVolumeSourceBuilderError, VolumeBuilder,
},
PodBuilder,
};
use stackable_operator::kube::ResourceExt;
use std::collections::BTreeMap;
/// Errors raised while wiring Kerberos secrets into a Hive pod.
#[derive(Snafu, Debug)]
pub enum Error {
    /// The secret-operator volume carrying the Kerberos keytab could not be built.
    #[snafu(display("failed to add Kerberos secret volume"))]
    AddKerberosSecretVolume {
        source: SecretOperatorVolumeSourceBuilderError,
    },
}
/// Wires the Kerberos keytab mount and client configuration into the Hive pod.
///
/// When the cluster declares a Kerberos secret class, an ephemeral
/// secret-operator volume named `kerberos` is added to `pb`, mounted into
/// `cb` at `/stackable/kerberos`, and `KRB5_CONFIG` is pointed at
/// `/stackable/kerberos/krb5.conf` inside that mount. Without a secret class
/// the pod and container are left untouched.
///
/// # Errors
///
/// Returns [`Error::AddKerberosSecretVolume`] if the secret-operator volume
/// source cannot be built.
pub fn add_kerberos_pod_config(
    hive: &HiveCluster,
    role: &HiveRole,
    cb: &mut ContainerBuilder,
    pb: &mut PodBuilder,
) -> Result<(), Error> {
    // Guard clause: nothing to do unless Kerberos is configured for this cluster.
    let secret_class = match hive.kerberos_secret_class() {
        Some(secret_class) => secret_class,
        None => return Ok(()),
    };

    // The keytab request carries the service scope (the cluster name) and the
    // role's Kerberos service name; presumably these determine which principal
    // the secret operator issues — verify against the secret-operator docs.
    let keytab_volume_source = SecretOperatorVolumeSourceBuilder::new(secret_class)
        .with_service_scope(hive.name_any())
        .with_kerberos_service_name(role.kerberos_service_name())
        .build()
        .context(AddKerberosSecretVolumeSnafu)?;

    let keytab_volume = VolumeBuilder::new("kerberos")
        .ephemeral(keytab_volume_source)
        .build();
    pb.add_volume(keytab_volume);
    cb.add_volume_mount("kerberos", "/stackable/kerberos");

    // Kerberos client libraries locate their configuration through this variable.
    cb.add_env_var("KRB5_CONFIG", "/stackable/kerberos/krb5.conf");

    Ok(())
}
/// Builds the Kerberos-related `hive-site.xml` properties for the metastore.
///
/// Returns an empty map when Kerberos is not enabled. Otherwise the metastore
/// principal and the client principal are both set to
/// `<service>/<hive-name>.<namespace>.svc.cluster.local@${env:KERBEROS_REALM}`,
/// the keytab path is fixed to the secret-operator mount, and SASL is enabled.
/// The `${env:KERBEROS_REALM}` placeholder is emitted literally here; it is
/// expanded by `config-utils template` at container start, after
/// `KERBEROS_REALM` has been exported from `krb5.conf`.
pub fn kerberos_config_properties(
    hive: &HiveCluster,
    hive_namespace: &str,
) -> BTreeMap<String, String> {
    if !hive.has_kerberos_enabled() {
        return BTreeMap::new();
    }

    // Hive does not interpolate environment variables in its config files the
    // way HDFS does. Historically this value held `${env.KERBEROS_REALM}` and
    // was patched with `sed -i ...` for parity with HDFS; since
    // https://github.com/stackabletech/hive-operator/issues/470 it uses the
    // `${env:KERBEROS_REALM}` notation understood by Stackable's config-util.
    let realm_placeholder = "${env:KERBEROS_REALM}";
    let host = format!("{}.{hive_namespace}.svc.cluster.local", hive.name_any());
    let principal = format!(
        "{}/{host}@{realm_placeholder}",
        HiveRole::MetaStore.kerberos_service_name()
    );

    // Both principal properties carry the same value; the keytab path must
    // match the mount added by `add_kerberos_pod_config`.
    let properties = [
        ("hive.metastore.kerberos.principal", principal.clone()),
        ("hive.metastore.client.kerberos.principal", principal),
        (
            "hive.metastore.kerberos.keytab.file",
            "/stackable/kerberos/keytab".to_string(),
        ),
        ("hive.metastore.sasl.enabled", "true".to_string()),
    ];

    properties
        .into_iter()
        .map(|(key, value)| (key.to_owned(), value))
        .collect()
}
/// Returns the shell commands to run before Hive starts when Kerberos is
/// enabled, joined by newlines; an empty string when Kerberos is off.
///
/// The realm is read from the `default_realm` entry of the mounted
/// `krb5.conf` and exported as `KERBEROS_REALM`; `config-utils template` then
/// expands the `${env:KERBEROS_REALM}` placeholders in `hive-site.xml` and,
/// when an HDFS connection is configured, in `core-site.xml` / `hdfs-site.xml`.
pub fn kerberos_container_start_commands(hive: &HiveCluster) -> String {
    if !hive.has_kerberos_enabled() {
        return String::new();
    }

    // NOTE(review): if `default_realm` is absent from krb5.conf, grep prints
    // nothing and `KERBEROS_REALM` is exported empty, so the templated
    // principals end up without a realm. Failing start-up in that case would
    // surface the misconfiguration earlier than an authentication error.
    let mut commands = String::new();
    commands.push_str(&formatdoc! {"
        export KERBEROS_REALM=$(grep -oP 'default_realm = \\K.*' /stackable/kerberos/krb5.conf)
        config-utils template {STACKABLE_CONFIG_DIR}/{HIVE_SITE_XML}",
    });

    // The HDFS client configs are only templated when HDFS is configured.
    if hive.spec.cluster_config.hdfs.is_some() {
        commands.push('\n');
        commands.push_str(&formatdoc! {"
            config-utils template {STACKABLE_CONFIG_DIR}/core-site.xml
            config-utils template {STACKABLE_CONFIG_DIR}/hdfs-site.xml",
        });
    }

    commands
}