add kerberos and override static mapping

adwk67 · adwk67 · commit b952af984040 · 2024-01-29T16:50:17.000+01:00
diff --git a/Tiltfile b/Tiltfile
@@ -1,3 +1,5 @@
+k8s_yaml('test/stack/01-install-krb5-kdc.yaml')
+k8s_yaml('test/stack/02-create-kerberos-secretclass.yaml')
 k8s_yaml('test/stack/05-opa.yaml')
 k8s_yaml('test/stack/10-hdfs.yaml')
 
diff --git a/src/main/java/tech/stackable/hadoop/StackableGroupMapper.java b/src/main/java/tech/stackable/hadoop/StackableGroupMapper.java
@@ -95,6 +95,6 @@ public void cacheGroupsRefresh() {
     @Override
     public void cacheGroupsAdd(List<String> groups) {
         // does nothing in this provider of user to groups mapping
-        LOG.info("ignoring cacheGroupsAdd: caching should be provided by the policy provider");
+        LOG.info("ignoring cacheGroupsAdd for groups [{}]: caching should be provided by the policy provider", groups);
     }
 }
diff --git a/test/stack/01-install-krb5-kdc.yaml b/test/stack/01-install-krb5-kdc.yaml
@@ -0,0 +1,135 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: krb5-kdc
+spec:
+  selector:
+    app: krb5-kdc
+  ports:
+    - name: kadmin
+      port: 749
+    - name: kdc
+      port: 88
+    - name: kdc-udp
+      port: 88
+      protocol: UDP
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: krb5-kdc
+spec:
+  serviceName: krb5-kdc
+  selector:
+    matchLabels:
+      app: krb5-kdc
+  template:
+    metadata:
+      labels:
+        app: krb5-kdc
+    spec:
+      initContainers:
+        - name: init
+          image: docker.stackable.tech/stackable/krb5:1.18.2-stackable0.0.0-dev
+          args:
+            - sh
+            - -euo
+            - pipefail
+            - -c
+            - |
+              test -e /var/kerberos/krb5kdc/principal || kdb5_util create -s -P asdf
+              kadmin.local get_principal -terse root/admin || kadmin.local add_principal -pw asdf root/admin
+              # stackable-secret-operator principal must match the keytab specified in the SecretClass
+              kadmin.local get_principal -terse stackable-secret-operator || kadmin.local add_principal -e aes256-cts-hmac-sha384-192:normal -pw asdf stackable-secret-operator
+          env:
+            - name: KRB5_CONFIG
+              value: /stackable/config/krb5.conf
+          volumeMounts:
+            - mountPath: /stackable/config
+              name: config
+            - mountPath: /var/kerberos/krb5kdc
+              name: data
+      containers:
+        - name: kdc
+          image: docker.stackable.tech/stackable/krb5:1.18.2-stackable0.0.0-dev
+          args:
+            - krb5kdc
+            - -n
+          env:
+            - name: KRB5_CONFIG
+              value: /stackable/config/krb5.conf
+          volumeMounts:
+            - mountPath: /stackable/config
+              name: config
+            - mountPath: /var/kerberos/krb5kdc
+              name: data
+        - name: kadmind
+          image: docker.stackable.tech/stackable/krb5:1.18.2-stackable0.0.0-dev
+          args:
+            - kadmind
+            - -nofork
+          env:
+            - name: KRB5_CONFIG
+              value: /stackable/config/krb5.conf
+          volumeMounts:
+            - mountPath: /stackable/config
+              name: config
+            - mountPath: /var/kerberos/krb5kdc
+              name: data
+        - name: client
+          image: docker.stackable.tech/stackable/krb5:1.18.2-stackable0.0.0-dev
+          tty: true
+          stdin: true
+          env:
+            - name: KRB5_CONFIG
+              value: /stackable/config/krb5.conf
+          volumeMounts:
+            - mountPath: /stackable/config
+              name: config
+      volumes:
+        - name: config
+          configMap:
+            name: krb5-kdc
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 1Gi
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: krb5-kdc
+data:
+  krb5.conf: |
+    [logging]
+    default = STDERR
+    kdc = STDERR
+    admin_server = STDERR
+    # default = FILE:/var/log/krb5libs.log
+    # kdc = FILE:/var/log/krb5kdc.log
+    # admin_server = FILE:/vaggr/log/kadmind.log
+    [libdefaults]
+    dns_lookup_realm = false
+    ticket_lifetime = 24h
+    renew_lifetime = 7d
+    forwardable = true
+    rdns = false
+    default_realm = CLUSTER.LOCAL
+    spake_preauth_groups = edwards25519
+    [realms]
+    CLUSTER.LOCAL = {
+     acl_file = /stackable/config/kadm5.acl
+     disable_encrypted_timestamp = false
+    }
+    [domain_realm]
+    .cluster.local = CLUSTER.LOCAL
+    cluster.local = CLUSTER.LOCAL
+  kadm5.acl: |
+    root/admin *e
+    stackable-secret-operator *e
diff --git a/test/stack/02-create-kerberos-secretclass.yaml b/test/stack/02-create-kerberos-secretclass.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: secrets.stackable.tech/v1alpha1
+kind: SecretClass
+metadata:
+    name: kerberos-default
+spec:
+    backend:
+      kerberosKeytab:
+        realmName: CLUSTER.LOCAL
+        kdc: krb5-kdc.default.svc.cluster.local
+        admin:
+          mit:
+            kadminServer: krb5-kdc.default.svc.cluster.local
+        adminKeytabSecret:
+          namespace: default
+          name: secret-operator-keytab
+        adminPrincipal: stackable-secret-operator
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: secret-operator-keytab
+data:
+  # To create keytab. When promted enter password asdf
+  # cat | ktutil << 'EOF'
+  # list
+  # add_entry -password -p stackable-secret-operator@CLUSTER.LOCAL -k 1 -e aes256-cts-hmac-sha384-192
+  # wkt /tmp/keytab
+  # EOF
+  keytab: BQIAAABdAAEADUNMVVNURVIuTE9DQUwAGXN0YWNrYWJsZS1zZWNyZXQtb3BlcmF0b3IAAAABZAYWIgEAFAAgm8MCZ8B//XF1tH92GciD6/usWUNAmBTZnZQxLua2TkgAAAAB
diff --git a/test/stack/05-opa.yaml b/test/stack/05-opa.yaml
@@ -31,6 +31,13 @@ data:
             "groups": ["/admin", "/superuser"],
             "customAttributes": {},
         },
+    # Hadoop will use the short-name for group mappings
+        "nn": {
+            "id": "af07f12c-7890-40a7-93e0-874537bdf3f5",
+            "username": "nn",
+            "groups": ["/admin", "/superuser"],
+            "customAttributes": {},
+        },
     }
 
 ---
diff --git a/test/stack/10-hdfs.yaml b/test/stack/10-hdfs.yaml
@@ -28,9 +28,12 @@ spec:
     productVersion: 3.3.6
     custom: hdfs
   clusterConfig:
-    listenerClass: external-unstable
     dfsReplication: 1
     zookeeperConfigMapName: simple-hdfs-znode
+    authentication:
+      tlsSecretClass: tls
+      kerberos:
+        secretClass: kerberos-default
   nameNodes:
     roleGroups:
       default:
@@ -40,6 +43,7 @@ spec:
           core-site.xml:
             hadoop.security.group.mapping: "tech.stackable.hadoop.StackableGroupMapper"
             hadoop.security.group.mapping.opa.url: "http://test-opa.default.svc.cluster.local:8081/v1/data/hdfs"
+            hadoop.user.group.static.mapping.overrides: ""
         replicas: 2
   dataNodes:
     roleGroups:
diff --git a/test/stack/15-rolebinding.yaml b/test/stack/15-rolebinding.yaml

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+k8s_yaml('test/stack/01-install-krb5-kdc.yaml')`
	`2`	`+k8s_yaml('test/stack/02-create-kerberos-secretclass.yaml')`
`1`	`3`	`k8s_yaml('test/stack/05-opa.yaml')`
`2`	`4`	`k8s_yaml('test/stack/10-hdfs.yaml')`
`3`	`5`
Original file line number	Diff line number	Diff line change
`@@ -95,6 +95,6 @@ public void cacheGroupsRefresh() {`
`95`	`95`	`@Override`
`96`	`96`	`public void cacheGroupsAdd(List<String> groups) {`
`97`	`97`	`// does nothing in this provider of user to groups mapping`
`98`		`- LOG.info("ignoring cacheGroupsAdd: caching should be provided by the policy provider");`
	`98`	`+ LOG.info("ignoring cacheGroupsAdd for groups [{}]: caching should be provided by the policy provider", groups);`
`99`	`99`	`}`
`100`	`100`	`}`