Kerberos, TLS and Database updates (#177)

Author: tristan

nifi_workaround.yml

@@ -0,0 +1,66 @@
+# Copyright 2021 Cloudera, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+
+- name: Setup symlinks for NiFi TLS keystore and truststore
+  hosts: cluster
+  become: yes
+  gather_facts: no
+  tasks:
+    - name: Perform the NiFi workaround for explicit TLS
+      block:
+
+        - name: Ensure the NiFi home directory exists
+          file:
+            path: /var/lib/nifi
+            owner: nifi
+            group: nifi
+            state: directory
+
+        - name: Ensure the link for the NiFi keystore exists
+          file:
+            src: "{{ tls_keystore_path }}"
+            dest: /var/lib/nifi/cm-auto-host_keystore.jks
+            state: link
+
+        - name: Ensure the link for the NiFi truststore exists
+          file:
+            src: "{{ tls_truststore_path }}"
+            dest: /var/lib/nifi/cm-auto-in_cluster_truststore.jks
+            state: link
+
+        - name: Ensure the NiFi Registry home directory exists
+          file:
+            path: /var/lib/nifiregistry
+            owner: nifiregistry
+            group: nifiregistry
+            state: directory
+
+        - name: Ensure the link for the NiFi Registry keystore exists
+          file:
+            src: "{{ tls_keystore_path }}"
+            dest: /var/lib/nifiregistry/cm-auto-host_keystore.jks
+            state: link
+
+        - name: Ensure the link for the NiFi Registry truststore exists
+          file:
+            src: "{{ tls_truststore_path }}"
+            dest: /var/lib/nifiregistry/cm-auto-in_cluster_truststore.jks
+            state: link
+
+      when: >
+        (tls | default(False)
+        or manual_tls_cert_distribution | default(False))
+        and not (autotls | default(False))

roles/cloudera_manager/common/defaults/main.yml

@@ -23,5 +23,6 @@ cloudera_manager_database_type: "{{ database_type }}"
 cloudera_manager_database_name: scm
 cloudera_manager_database_user: scm
 cloudera_manager_database_password: changeme
+cloudera_manager_database_port: "{{ database_type | default_database_port }}"
 cloudera_manager_agent_lib_directory: /var/lib/cloudera-scm-agent
 cloudera_manager_cmf_java_opts_default: "-Xmx4G -XX:MaxPermSize=256m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp"

roles/cloudera_manager/database/tasks/external.yml

@@ -66,7 +66,7 @@
 
 - name: Prepare Cloudera Manager Server external database
   command: |
-    {{ cloudera_manager_database_prepare_script }}  -f --host {{ cloudera_manager_database_host }}
+    {{ cloudera_manager_database_prepare_script }}  -f --host {{ cloudera_manager_database_host }} --port {{ cloudera_manager_database_port }}
     {{ cloudera_manager_database_type | regex_replace('mariadb', 'mysql') }}
     {{ cloudera_manager_database_name }}
     {{ cloudera_manager_database_user }}

roles/cloudera_manager/kerberos/templates/kerberos_configs.j2

@@ -8,5 +8,3 @@ AD_DELETE_ON_REGENERATE: {{ krb5_kdc_active_directory_delete_on_regenerate | def
 KDC_ACCOUNT_CREATION_HOST_OVERRIDE: {{ krb5_kdc_account_creation_host_override | default(None) }}
 AD_SET_ENCRYPTION_TYPES: {{ krb5_kdc_active_directory_set_encryption_types | default('false') }}
 GEN_KEYTAB_SCRIPT:  {{ krb5_keytab_retrieval_script | default(None) }}
-KRB_AUTH_ENABLE:    {{ krb5_cm_auth_enable | default('false') }}
-

roles/config/cluster/base/templates/configs/ldap.j2

@@ -70,7 +70,7 @@ HUE:
     group_filter: "(objectClass={{ auth_provider.ldap_object_class.group }})"
     group_member_attr: "{{ auth_provider.ldap_attribute.member }}"
     group_name_attr: "{{ auth_provider.ldap_attribute.group }}"
-    ldap_cert: "{{ auth_provider.ldap_cert | default('') }}"
+    ldap_cert: "{{ auth_provider.ldap_cert | default(tls_chain_path) }}"
     ldap_url: "{{ auth_provider.ldap_url }}"
     search_bind_authentication: true
     use_start_tls: true
@@ -90,6 +90,31 @@ HUE:
 #  SERVICEWIDE:
 #    ldap.auth.url: 
 #    ldap.auth.user.dn.template: 
+NIFI:
+  NIFI_NODE:
+    nifi.ldap.authentication.strategy: LDAPS
+    nifi.ldap.enabled: true
+    nifi.ldap.manager.dn: "{{ auth_provider.ldap_bind_user_dn }}"
+    nifi.ldap.manager.password: "{{ auth_provider.ldap_bind_password }}"
+    nifi.ldap.tls.client.auth: NONE
+    nifi.ldap.tls.truststore: "{{ tls_truststore_path }}"
+    nifi.ldap.tls.truststore.password: "{{ tls_truststore_password }}"
+    nifi.ldap.tls.truststore.type: jks
+    nifi.ldap.url: "{{ auth_provider.ldap_url }}"
+    nifi.ldap.user.search.base: "{{ auth_provider.ldap_search_base.user }}"
+    nifi.ldap.tls.protocol: TLS
+    xml.authorizers.userGroupProvider.file-user-group-provider.enabled: false
+    xml.authorizers.authorizer.ranger-provider.property.User Group Provider: composite-user-group-provider
+    xml.authorizers.userGroupProvider.composite-configurable-user-group-provider.enabled: false
+    xml.authorizers.userGroupProvider.composite-user-group-provider.enabled: true
+    xml.authorizers.userGroupProvider.composite-user-group-provider.property.User Group Provider 1: ldap-user-group-provider
+    xml.authorizers.userGroupProvider.composite-user-group-provider.property.User Group Provider 2: cm-user-group-provider
+    xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Group Member Attribute: "{{ auth_provider.ldap_attribute.member }}"
+    xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Group Name Attribute: "{{ auth_provider.ldap_attribute.group }}"
+    xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Group Object Class: "{{ auth_provider.ldap_object_class.group }}"
+    xml.authorizers.userGroupProvider.ldap-user-group-provider.property.Group Search Base: "{{ auth_provider.ldap_search_base.group }}"
+    xml.authorizers.userGroupProvider.ldap-user-group-provider.property.User Group Name Attribute: "{{ auth_provider.ldap_attribute.user_member }}"
+    xml.authorizers.userGroupProvider.ldap-user-group-provider.property.User Identity Attribute: "{{ auth_provider.ldap_attribute.user }}"
 #RANGER:
 #  RANGER_ADMIN:
 #    ranger.ldap.ad.base.dn:

roles/config/cluster/base/templates/configs/tls.j2

@@ -123,6 +123,8 @@ KS_INDEXER:
     keystore_indexer_truststore_password: {{ tls_truststore_password }}
 KUDU:
   KUDU_MASTER:
+    ssl_client_truststore_location: {{ tls_truststore_path }}
+    ssl_client_truststore_password: {{ tls_truststore_password }}
     ssl_enabled: True
     ssl_server_ca_certificate_location: {{ tls_chain_path }}
     ssl_server_certificate_location: {{ tls_cert_path_generic }}

roles/config/cluster/base/templates/configs/trusted-realms.j2

@@ -0,0 +1,12 @@
+---
+{% set additional_realms = auth_providers | default({}) | dict2items | json_query('[?value.type == `KERBEROS`].value.krb5_realm') %}
+CORE_SETTINGS:
+  SERVICEWIDE:
+    trusted_realms: "{{ ','.join([krb5_realm] + additional_realms) }}"
+HDFS:
+  SERVICEWIDE:
+    trusted_realms: "{{ ','.join([krb5_realm] + additional_realms) }}"
+KAFKA:
+  KAFKA_BROKER:
+    kafka.properties_role_safety_valve: |
+      sasl.kerberos.principal.to.local.rules={% for trusted_realm in additional_realms %}RULE:[1:$1@$0](.*@{{ trusted_realm|upper }})s/@{{ trusted_realm|upper }}// , RULE:[2:$1@$0](.*@{{ trusted_realm|upper }})s/@{{ trusted_realm|upper }}// , {% endfor %}DEFAULT

roles/config/cluster/base/vars/main.yml

@@ -41,6 +41,8 @@ custom_config_templates:
     condition: "{{ cluster.security.kerberos | default(False) and (cloudera_manager_version is version('6.0.0','<') or cluster.type | default('base') == 'compute') }}"
   - template: configs/kerberos-6.x-7.x.j2
     condition: "{{ cluster.security.kerberos | default(False) and cloudera_manager_version is version('6.0.0','>=') }}"
+  - template: configs/trusted-realms.j2
+    condition: "{{ cluster.security.kerberos | default(False) and auth_providers | default({}) | dict2items | json_query('[?value.type == `KERBEROS`]') | length > 0 }}"
 # Custom configurations for TLS
   - template: configs/tls.j2
     condition: "{{ cluster.security.tls | default(False) }}"

roles/prereqs/oracle_connector/tasks/main.yml

@@ -14,29 +14,37 @@
 
 ---
 
-- name: Download Oracle Connector
-  maven_artifact:
-    group_id: "{{ oracle_connector_group_id }}"
-    artifact_id: "{{ oracle_connector_artifact_id }}"
-    version: "{{ oracle_connector_version }}"
-    dest: "{{ local_temp_dir }}/{{ oracle_connector_artifact_id }}-connector-java-{{ oracle_connector_version }}.jar"
-    repository_url: "{{ oracle_connector_maven_url }}"
-  become: no
-  run_once: true
-  connection: local
-  delegate_to: localhost
+- name: Setup the Oracle JDBC Driver
+  block:
 
-- name: Create /usr/share/java directory
-  file:
-    path: /usr/share/java
-    state: directory
-    mode: 0755
+    - name: Download Oracle Connector
+      maven_artifact:
+        group_id: "{{ oracle_connector_group_id }}"
+        artifact_id: "{{ oracle_connector_artifact_id }}"
+        version: "{{ oracle_connector_version }}"
+        dest: "{{ local_temp_dir }}/{{ oracle_connector_artifact_id }}-connector-java-{{ oracle_connector_version }}.jar"
+        repository_url: "{{ oracle_connector_maven_url }}"
+      become: no
+      run_once: true
+      connection: local
+      delegate_to: localhost
 
-- name: Copy Oracle Connector jar file to correct location
-  copy:
-    src: "{{ local_temp_dir }}/{{ oracle_connector_artifact_id }}-connector-java-{{ oracle_connector_version }}.jar"
-    dest: /usr/share/java/oracle-connector-java.jar
-    mode: 0644
+    - name: Create /usr/share/java directory
+      file:
+        path: /usr/share/java
+        state: directory
+        mode: 0755
+
+    - name: Copy Oracle Connector jar file to correct location
+      copy:
+        src: "{{ local_temp_dir }}/{{ oracle_connector_artifact_id }}-connector-java-{{ oracle_connector_version }}.jar"
+        dest: /usr/share/java/oracle-connector-java.jar
+        mode: 0644
+
+  when:
+    - not (skip_oracle_jdbc_driver_distribution | default(False))
+    - oracle_connector_maven_url is defined
+    - oracle_connector_maven_url != ''
 
 - name: Ensure directory for the instantclient
   file:

roles/prereqs/os/tasks/main.yml

@@ -34,7 +34,7 @@
   loop: "{{ kernel_flags }}"
   loop_control:
     loop_var: flag
-  when: "'root.hwx.site' not in ansible_domain"
+  when: not(ansible_virtualization_type == "docker" and ansible_virtualization_role == "guest")
 
 - name: Populate service facts
   service_facts:
@@ -100,4 +100,4 @@
 - name: Apply OS-specific configurations
   include_tasks:
     file: "main-{{ ansible_os_family }}.yml"
-  when: "'root.hwx.site' not in ansible_domain"
+  when: not(ansible_virtualization_type == "docker" and ansible_virtualization_role == "guest")