kdc_distribute.sh
#!/bin/bash
# ***********************************************************************
# Copyright: (c) Huawei Technologies Co., Ltd. 2021. All rights reserved.
# script for building kdc distribute
# version: 1.0.0
# change log:
# ***********************************************************************
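set -e
set +x
# History recording is switched off (already the default for a non-interactive
# script); passwords are typed interactively in main.
set +o history
# Directory this script lives in; the whitelist/ and keytab/ work directories
# and the kdc_kmc_encrypt_*.sh helpers are addressed relative to it.
LOCAL_DIR=$(cd "$(dirname "$0")" && pwd)
SSH_LOGIN_RUN="ssh_and_run_cmd"
# EXPECT and GREP are not referenced below; expect and grep are run by bare name.
EXPECT=/usr/bin/expect
REALM=""
# One node per line: "<ip> <user> <meta-flag>" (see gen_meta_whitelist).
NODE_LIST="node_list"
# NOTE(review): OPS_PWD is exported, so the login password sits in the
# environment of every child process (expect, ssh, scp, kadmin.local).
# Nothing in this file reads it from the environment — ssh_and_run_cmd and
# copy_file_to_remote take it on stdin — so the export looks unnecessary;
# confirm no external consumer relies on it before dropping it.
export OPS_PWD=""
export OPS_USER=""
RUN_USER=""
RUN_GROUP=""
SPARK_USER=""
ZK_USER=""
OCK_HOME=""
HFAIL=1
HOK=0
GREP=/bin/grep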
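#######################################
# Run one command on a remote node through an interactive ssh session
# driven by expect. The login password is read from stdin (callers pass
# it with a here-string) so it never appears on the command line.
# Arguments:
#   $1 - target host/IP
#   $2 - login user
#   $3 - placeholder ("stdin"); the password itself comes from stdin
#   $4 - command line to type into the remote shell
# Outputs:
#   "[err] node(...) cmd(...)" on stdout when the remote command did not
#   report "return:0"
# Returns:
#   HOK on success; exits the whole script with HFAIL otherwise
#######################################
function ssh_and_run_cmd() {
local targetip=$1
local username=$2
local password=""
local command=$4
local expect_res=""
local res_code=""
read -r -s password
# User, host, password and command are spliced into the Tcl source as
# brace-quoted strings, so Tcl leaves "$", "[", "\" and quotes inside them
# alone; a value with an unbalanced "{" or "}" still cannot be passed.
# The "(yes/no*)?" branch answers yes to the host-key prompt, i.e. an
# unknown or changed host key is accepted unseen; pre-populating
# known_hosts on this host is what gives these sessions host authentication.
# "|| true": a failed expect (bad password, timeout) must not abort the
# script via set -e before the error below is reported.
expect_res=$(expect <<-EOF
set timeout 300
set user {${username}}
set host {${targetip}}
spawn ssh -l \$user \$host
expect {
"(yes/no*)?" {
send "yes\n";exp_continue
}
"*assword:" {
send -- {${password}}
send "\n"
exp_continue
}
"Permission denied, please try again.*" {
exit 1;
}
"]*" {
send "export HISTFILE=/dev/null\r"
}
}
expect "]*"
send -- {${command}}
send "\r"
expect "]*"
send "echo return:\$?\r"
expect "]*"
send "exit\r"
expect eof
EOF
) || true
# grep -c exits 1 when there is no match; keep the count and decide below.
res_code=$(grep -c -- "return:0" <<<"${expect_res}" || true)
if [[ "${res_code}" -eq 1 ]]; then
return ${HOK}
else
echo "[err] node(${targetip}) cmd(${command})"
exit ${HFAIL}
fi
}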
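#######################################
# Copy one local file to a remote node with scp, driven by expect.
# The remote password is read from stdin (here-string from the caller).
# Arguments:
#   $1 - local file
#   $2 - remote host/IP
#   $3 - remote user
#   $4 - placeholder ("stdin"); the password itself comes from stdin
#   $5 - remote destination path
# Outputs:
#   "scp file ... failed." on stdout when the transfer did not complete
# Returns:
#   HOK on success, HFAIL on a wrong argument count; exits the whole
#   script with HFAIL when the transfer fails
#######################################
function copy_file_to_remote() {
if [[ $# -ne 5 ]]; then
echo "Params Error. Usage: copy_file_to_remote <local_file> <remote_ip> <remote_user> <remote_password> <remote_path>"
return ${HFAIL}
fi
local local_file=$1
local remote_ip=$2
local remote_user=$3
local remote_password=""
local remote_path=$5
read -r -s remote_password
# expect's own output is discarded; the "100%" progress marker is the only
# success signal, anything else (auth failure, timeout) ends in "exit 1".
# Paths and the password are brace-quoted so Tcl does not interpret them;
# an unbalanced "{"/"}" in a value still cannot be passed this way.
# As in ssh_and_run_cmd, an unknown host key is accepted automatically.
# Testing the status in "if !" keeps set -e from aborting before the
# failure is reported.
if ! expect <<-EOF >/dev/null 2>&1; then
set timeout 300
set src {${local_file}}
set dst {${remote_user}@${remote_ip}:${remote_path}}
spawn scp -p \$src \$dst
expect {
"(yes/no*)?" {
send "yes\n";exp_continue
}
"*assword:" {
send -- {${remote_password}}
send "\n"
exp_continue
}
"Permission denied, please try again.*" {
exit 1;
}
"100%" {
exit 0;
}
}
exit 1
EOF
echo "scp file ${local_file} to ${remote_ip} failed."
exit ${HFAIL}
fi
return ${HOK}
}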
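#######################################
# Write the opening of the "meta" whitelist: one allow entry for the
# ock_server and one for the ock_client principal of every node in
# NODE_LIST. The JSON object is left open (trailing comma, no closing
# brackets); gen_and_distribute appends the node's own client entry and
# closes it.
# Globals: NODE_LIST, REALM, HOK (read)
# Node list format, one node per line: "<ip> <user> <meta-flag>";
# only the user field is used here. The user field is not validated —
# a '"' or '\' in it would corrupt the JSON.
# Outputs: appends to ./whitelist/meta_whitelist
# Returns: HOK
#######################################
function gen_meta_whitelist() {
local out="./whitelist/meta_whitelist"
local subline=""
local params_arr=()
local node_user=""
local principal=""
printf '%s\n' "{" " \"ock\":" " [" >> "${out}"
# "|| [[ -n ... ]]" still processes a last line without a trailing newline.
while read -r subline || [[ -n "${subline}" ]]
do
# A blank line would otherwise yield entries for the empty principal "ock_server/@REALM".
[[ -n "${subline}" ]] || continue
# shellcheck disable=SC2206 -- intentional word-split of the node line
params_arr=(${subline})
node_user=${params_arr[1]}
for principal in "ock_server/${node_user}@${REALM}" "ock_client/${node_user}@${REALM}"; do
printf '%s\n' " {" " \"user\": \"${principal}\"," " \"allow\": true" " }," >> "${out}"
done
done < "${NODE_LIST}"
return ${HOK}
}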
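#######################################
# Write the opening of the "server" whitelist: an allow entry for every
# node's ock_server principal, plus the ock_client principal of nodes
# whose meta flag starts with "1". The JSON object is left open (trailing
# comma, no closing brackets); gen_and_distribute appends the node's own
# client entry and closes it.
# Globals: NODE_LIST, REALM, HOK (read)
# Node list format, one node per line: "<ip> <user> <meta-flag>". The user
# field is not validated — a '"' or '\' in it would corrupt the JSON.
# Outputs: appends to ./whitelist/server_whitelist; prints each server
#   principal to stdout as it goes
# Returns: HOK
#######################################
function gen_server_whitelist() {
local out="./whitelist/server_whitelist"
local subline=""
local params_arr=()
local node_user=""
local node_meta=""
local server_principal=""
printf '%s\n' "{" " \"ock\":" " [" >> "${out}"
# "|| [[ -n ... ]]" still processes a last line without a trailing newline.
while read -r subline || [[ -n "${subline}" ]]
do
# A blank line would otherwise yield an entry for the empty principal "ock_server/@REALM".
[[ -n "${subline}" ]] || continue
# shellcheck disable=SC2206 -- intentional word-split of the node line
params_arr=(${subline})
node_user=${params_arr[1]}
node_meta=${params_arr[2]}
server_principal="ock_server/${node_user}@${REALM}"
echo "server_principal=${server_principal}"
# [[ ]] keeps an empty meta field from turning into a malformed test.
if [[ "${node_meta:0:1}" == "1" ]]; then
printf '%s\n' " {" " \"user\": \"ock_client/${node_user}@${REALM}\"," " \"allow\": true" " }," >> "${out}"
fi
printf '%s\n' " {" " \"user\": \"${server_principal}\"," " \"allow\": true" " }," >> "${out}"
done < "${NODE_LIST}"
return ${HOK}
}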
#######################################
# For every node in NODE_LIST: finish the node's whitelist, wipe and
# recreate the security directories on the node, create the node's
# Kerberos principals and extract their keytabs on this KDC host, copy
# whitelist and keytabs over, and run the kdc_kmc_encrypt_*.sh helpers on
# the node to replace the plaintext copies with encrypted ones.
# Globals: NODE_LIST, REALM, OPS_USER, OPS_PWD, RUN_USER, RUN_GROUP,
#   SPARK_USER, ZK_USER, OCK_HOME, LOCAL_DIR (read);
#   KEYTABDSTPATH, WHITELISTDSTPATH (written, not declared local).
#   RUN_GROUP is set only by main's prompt, unlike the other globals.
# Every remote step goes through ssh_and_run_cmd / copy_file_to_remote,
# which exit the whole script on failure, so there is no per-node rollback.
# Returns: HOK, or HFAIL when a ktadd fails
#######################################
function gen_and_distribute() {
# Not local: both names leak into the global scope (only used here).
KEYTABDSTPATH="${OCK_HOME}/security/kdc/"
WHITELISTDSTPATH="${OCK_HOME}/security/authorization/"
local remote_home=""
local spark_home=""
local zk_home=""
# Home directory of each service user is assumed to be /root or /home/<user>.
if [[ "${SPARK_USER}" == "root" ]];then
spark_home="/root"
else
spark_home="/home/${SPARK_USER}"
fi
if [[ "${RUN_USER}" == "root" ]];then
remote_home="/root"
else
remote_home="/home/${RUN_USER}"
fi
if [[ "${ZK_USER}" == "root" ]];then
zk_home="/root"
else
zk_home="/home/${ZK_USER}"
fi
# pmt/ receives the ksf* files copied from <home>/tools/pmt on the node,
# kdc/ receives the keytabs.
local spark_kmc_dir=${spark_home}/huawei/ock/security/pmt
local spark_kdc_dir=${spark_home}/huawei/ock/security/kdc
local zk_kmc_dir=${zk_home}/huawei/ock/security/pmt
local zk_kdc_dir=${zk_home}/huawei/ock/security/kdc
# The loop body runs in a pipeline subshell: nothing assigned here is
# visible after the loop. read without -r interprets backslashes in lines.
cat ${NODE_LIST} | while read line || [[ -n "${line}" ]]
do
local params_arr=(${line})
local node_ip=${params_arr[0]}
local node_user=${params_arr[1]}
local node_meta=${params_arr[2]}
# Debug output; node_ip is printed with its leading character still attached.
echo "node_ip="${node_ip}
echo "node_user="${node_user}
echo "node_meta="${node_meta}
########### generate whitelist ###########
# Meta flag starting with "0": the node gets the server whitelist, any other
# value the meta whitelist; the node's own ock_client entry is then appended
# and the JSON closed.
# NOTE(review): the cp targets ${LOCAL_DIR}/whitelist/whitelist while the
# appends below go to ./whitelist/whitelist — the same file only when the
# script is run from LOCAL_DIR (main also creates the work directories
# relative to the cwd).
if [ ${node_meta:0:1} == "0" ]; then
echo "copy server"
cp ${LOCAL_DIR}/whitelist/server_whitelist ${LOCAL_DIR}/whitelist/whitelist
else
echo "copy meta"
cp ${LOCAL_DIR}/whitelist/meta_whitelist ${LOCAL_DIR}/whitelist/whitelist
fi
local principal_sdk="ock_client/${node_user}@${REALM}"
echo "principal_sdk="${principal_sdk}
echo " {" >> ./whitelist/whitelist
echo " \"user\": \"${principal_sdk}\"," >> ./whitelist/whitelist
echo " \"allow\": true" >> ./whitelist/whitelist
echo " }" >> ./whitelist/whitelist
echo " ]" >> ./whitelist/whitelist
echo "}" >> ./whitelist/whitelist
# Every remote call drops the first character of the ip field (${node_ip:1})
# — presumably a marker in node_list; confirm the expected file format.
# The remote layout is wiped (rm -rf) and recreated with mode 700 owned by
# the respective service user. An empty OCK_HOME would turn the OCK_HOME
# paths into /security/..., so the value must be validated before this runs.
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "rm -rf ${spark_kmc_dir}" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "su - ${SPARK_USER} -c 'mkdir -p ${spark_kmc_dir}/master && chmod -R 700 ${spark_kmc_dir}/master'" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "su - ${SPARK_USER} -c 'mkdir -p ${spark_kmc_dir}/standby && chmod -R 700 ${spark_kmc_dir}/standby'" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "rm -rf ${spark_kdc_dir}" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "su - ${SPARK_USER} -c 'mkdir -p ${spark_kdc_dir} && chmod 700 ${spark_kdc_dir}'" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "rm -rf ${zk_kmc_dir}" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "su - ${ZK_USER} -c 'mkdir -p ${zk_kmc_dir}/master && chmod -R 700 ${zk_kmc_dir}/master'" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "su - ${ZK_USER} -c 'mkdir -p ${zk_kmc_dir}/standby && chmod -R 700 ${zk_kmc_dir}/standby'" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "rm -rf ${zk_kdc_dir}" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "su - ${ZK_USER} -c 'mkdir -p ${zk_kdc_dir} && chmod 700 ${zk_kdc_dir}'" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "rm -rf ${WHITELISTDSTPATH}" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "rm -rf ${KEYTABDSTPATH}" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "su - ${RUN_USER} -c 'mkdir -p ${WHITELISTDSTPATH} && chmod 700 ${WHITELISTDSTPATH}'" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "su - ${RUN_USER} -c 'mkdir -p ${KEYTABDSTPATH} && chmod 700 ${KEYTABDSTPATH}'" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "rm -rf ${OCK_HOME}/security/pmt" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "su - ${RUN_USER} -c 'mkdir -p ${OCK_HOME}/security/pmt/master && chmod 700 ${OCK_HOME}/security/pmt/master'" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "su - ${RUN_USER} -c 'mkdir -p ${OCK_HOME}/security/pmt/standby && chmod 700 ${OCK_HOME}/security/pmt/standby'" <<<"${OPS_PWD}"
copy_file_to_remote "${LOCAL_DIR}/whitelist/whitelist" ${node_ip:1} ${OPS_USER} stdin ${WHITELISTDSTPATH} <<<"${OPS_PWD}"
rm -rf "${LOCAL_DIR}/whitelist/whitelist"
#zookeeper security#
# Principals are created with a random key only when absent. The
# listprincs|grep test is an unanchored substring match and echoes the
# matching principal. Under set -e a failing addprinc aborts the script
# before the "addprinc failed" branch is reached.
if /usr/local/sbin/kadmin.local listprincs | grep "zookeeper/${node_user}@${REALM}";then
echo "principal:zookeeper/${node_user}@${REALM} already exists, no need to add"
else
/usr/local/sbin/kadmin.local addprinc -randkey "zookeeper/${node_user}@${REALM}"
if [ $? -ne 0 ]; then
echo "addprinc failed"
fi
fi
if /usr/local/sbin/kadmin.local listprincs | grep "zkcli/${node_user}@${REALM}";then
echo "principal:zkcli/${node_user}@${REALM} already exists, no need to add"
else
/usr/local/sbin/kadmin.local addprinc -randkey "zkcli/${node_user}@${REALM}"
if [ $? -ne 0 ]; then
echo "addprinc failed"
fi
fi
# ktadd -norandkey appends the current key without rotating it.
# NOTE(review): zookeeper.keytab is never removed between iterations (the
# krb5-client/krb5-server keytabs are, below), so each later node also
# receives every earlier node's zookeeper key — presumably unintended; confirm.
/usr/local/sbin/kadmin.local ktadd -k "${LOCAL_DIR}/keytab/zookeeper.keytab" -norandkey "zookeeper/${node_user}@${REALM}"
if [ $? -ne 0 ]; then
echo "ktadd failed"
return ${HFAIL}
fi
# The zkcli key goes into both the client and the server keytab.
/usr/local/sbin/kadmin.local ktadd -k "${LOCAL_DIR}/keytab/krb5-client.keytab" -norandkey "zkcli/${node_user}@${REALM}"
if [ $? -ne 0 ]; then
echo "ktadd failed"
return ${HFAIL}
fi
/usr/local/sbin/kadmin.local ktadd -k "${LOCAL_DIR}/keytab/krb5-server.keytab" -norandkey "zkcli/${node_user}@${REALM}"
if [ $? -ne 0 ]; then
echo "ktadd failed"
return ${HFAIL}
fi
if /usr/local/sbin/kadmin.local listprincs | grep "ock_client/${node_user}@${REALM}";then
echo "principal:ock_client/${node_user}@${REALM} already exists, no need to add"
else
/usr/local/sbin/kadmin.local addprinc -randkey "ock_client/${node_user}@${REALM}"
if [ $? -ne 0 ]; then
echo "addprinc failed"
fi
fi
if /usr/local/sbin/kadmin.local listprincs | grep "ock_server/${node_user}@${REALM}";then
echo "principal:ock_server/${node_user}@${REALM} already exists, no need to add"
else
/usr/local/sbin/kadmin.local addprinc -randkey "ock_server/${node_user}@${REALM}"
if [ $? -ne 0 ]; then
echo "addprinc failed"
fi
fi
/usr/local/sbin/kadmin.local ktadd -k "${LOCAL_DIR}/keytab/krb5-client.keytab" -norandkey "ock_client/${node_user}@${REALM}"
if [ $? -ne 0 ]; then
echo "ktadd failed"
return ${HFAIL}
fi
/usr/local/sbin/kadmin.local ktadd -k "${LOCAL_DIR}/keytab/krb5-server.keytab" -norandkey "ock_server/${node_user}@${REALM}"
if [ $? -ne 0 ]; then
echo "ktadd failed"
return ${HFAIL}
fi
# Plaintext keytabs are pushed to the node and the client/server copies are
# deleted here right after; on the node they persist until the encrypt
# helper removes them.
copy_file_to_remote "${LOCAL_DIR}/keytab/krb5-client.keytab" ${node_ip:1} ${OPS_USER} stdin ${spark_kdc_dir} <<<"${OPS_PWD}"
copy_file_to_remote "${LOCAL_DIR}/keytab/krb5-server.keytab" ${node_ip:1} ${OPS_USER} stdin ${KEYTABDSTPATH} <<<"${OPS_PWD}"
copy_file_to_remote "${LOCAL_DIR}/keytab/zookeeper.keytab" ${node_ip:1} ${OPS_USER} stdin ${zk_kdc_dir} <<<"${OPS_PWD}"
rm -rf "${LOCAL_DIR}/keytab/krb5-client.keytab"
rm -rf "${LOCAL_DIR}/keytab/krb5-server.keytab"
# Client keytab: copy the encrypt helper next to the keytab, run it as
# SPARK_USER (with "sh" — the helper is written for bash), move its output
# en_keytab_client from the user's home into place, copy the ksf* files,
# then lock everything down (directories 500, files 400) and drop the helper.
# All three service users' files get RUN_GROUP as group — confirm that is
# the intended group for SPARK_USER and ZK_USER.
copy_file_to_remote "${LOCAL_DIR}/kdc_kmc_encrypt_kt_client.sh" ${node_ip:1} ${OPS_USER} stdin ${spark_kdc_dir} <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chown ${SPARK_USER}:${RUN_GROUP} ${spark_kdc_dir}/kdc_kmc_encrypt_kt_client.sh" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chown ${SPARK_USER}:${RUN_GROUP} ${spark_kdc_dir}/krb5-client.keytab" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "rm -f ${spark_home}/en_keytab_client" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "su - ${SPARK_USER} -c 'sh ${spark_kdc_dir}/kdc_kmc_encrypt_kt_client.sh'" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "mv ${spark_home}/en_keytab_client ${spark_kdc_dir}/krb5-client_en.keytab" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "su - ${SPARK_USER} -c 'cp ${spark_home}/tools/pmt/master/ksf* ${spark_kmc_dir}/master/'" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "su - ${SPARK_USER} -c 'cp ${spark_home}/tools/pmt/standby/ksf* ${spark_kmc_dir}/standby/'" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chown ${SPARK_USER}:${RUN_GROUP} ${spark_kdc_dir}/krb5-client_en.keytab" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chmod 500 ${spark_kdc_dir}" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chmod 500 ${spark_kmc_dir}" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chmod -R 500 ${spark_kmc_dir}/master" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chmod -R 500 ${spark_kmc_dir}/standby" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chmod 400 ${spark_kdc_dir}/krb5-client_en.keytab" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chmod 400 ${spark_kmc_dir}/master/ksf*" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chmod 400 ${spark_kmc_dir}/standby/ksf*" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "rm -f ${spark_kdc_dir}/kdc_kmc_encrypt_kt_client.sh" <<<"${OPS_PWD}"
# Server keytab: the same sequence as RUN_USER under OCK_HOME
# (KEYTABDSTPATH already ends in "/", so "${KEYTABDSTPATH}/..." below has a
# harmless double slash).
copy_file_to_remote "${LOCAL_DIR}/kdc_kmc_encrypt_kt_server.sh" ${node_ip:1} ${OPS_USER} stdin ${KEYTABDSTPATH} <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chown ${RUN_USER}:${RUN_GROUP} ${KEYTABDSTPATH}kdc_kmc_encrypt_kt_server.sh" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chown ${RUN_USER}:${RUN_GROUP} ${KEYTABDSTPATH}krb5-server.keytab" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "rm -f ${remote_home}/en_keytab_server" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "su - ${RUN_USER} -c 'sh ${KEYTABDSTPATH}kdc_kmc_encrypt_kt_server.sh'" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "mv ${remote_home}/en_keytab_server ${KEYTABDSTPATH}krb5-server_en.keytab" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "su - ${RUN_USER} -c 'cp ${remote_home}/tools/pmt/master/ksf* ${OCK_HOME}/security/pmt/master/'" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "su - ${RUN_USER} -c 'cp ${remote_home}/tools/pmt/standby/ksf* ${OCK_HOME}/security/pmt/standby/'" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chown ${RUN_USER}:${RUN_GROUP} ${KEYTABDSTPATH}/krb5-server_en.keytab" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chmod 500 ${KEYTABDSTPATH}" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chmod -R 500 ${OCK_HOME}/security/pmt" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chmod 400 ${KEYTABDSTPATH}krb5-server_en.keytab" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chmod 400 ${OCK_HOME}/security/pmt/master/ksf*" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chmod 400 ${OCK_HOME}/security/pmt/standby/ksf*" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "rm -f ${KEYTABDSTPATH}kdc_kmc_encrypt_kt_server.sh" <<<"${OPS_PWD}"
# ZooKeeper keytab: the same sequence as ZK_USER.
# NOTE(review): the final modes differ from the other two keytabs (directory
# 700 and keytab 600 instead of 500/400) — confirm whether that is intended.
copy_file_to_remote "${LOCAL_DIR}/kdc_kmc_encrypt_zookeeper_kt.sh" ${node_ip:1} ${OPS_USER} stdin ${zk_kdc_dir} <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chown ${ZK_USER}:${RUN_GROUP} ${zk_kdc_dir}/kdc_kmc_encrypt_zookeeper_kt.sh" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chown ${ZK_USER}:${RUN_GROUP} ${zk_kdc_dir}/zookeeper.keytab" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "rm -f ${zk_home}/en_keytab_server" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "su - ${ZK_USER} -c 'sh ${zk_kdc_dir}/kdc_kmc_encrypt_zookeeper_kt.sh'" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "mv ${zk_home}/en_keytab_server ${zk_kdc_dir}/zookeeper_en.keytab" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "su - ${ZK_USER} -c 'cp ${zk_home}/tools/pmt/master/ksf* ${zk_kmc_dir}/master/'" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "su - ${ZK_USER} -c 'cp ${zk_home}/tools/pmt/standby/ksf* ${zk_kmc_dir}/standby/'" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chown ${ZK_USER}:${RUN_GROUP} ${zk_kdc_dir}/zookeeper_en.keytab" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chmod 700 ${zk_kdc_dir}" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chmod -R 500 ${zk_kmc_dir}/master" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chmod -R 500 ${zk_kmc_dir}/standby" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chmod 400 ${zk_kmc_dir}/master/ksf*" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chmod 400 ${zk_kmc_dir}/standby/ksf*" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chmod 600 ${zk_kdc_dir}/zookeeper_en.keytab" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "rm -f ${zk_kdc_dir}/kdc_kmc_encrypt_zookeeper_kt.sh" <<<"${OPS_PWD}"
# Whitelist: encrypted by RUN_USER into whitelist_en (the helper deletes the
# plaintext), then the file is set to 400 and the directory to 500.
copy_file_to_remote "${LOCAL_DIR}/kdc_kmc_encrypt_wt.sh" ${node_ip:1} ${OPS_USER} stdin ${WHITELISTDSTPATH} <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chown -R ${RUN_USER}:${RUN_GROUP} ${WHITELISTDSTPATH}" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "rm -f ${remote_home}/en_whitelist" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "su - ${RUN_USER} -c 'sh ${WHITELISTDSTPATH}kdc_kmc_encrypt_wt.sh'" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "mv ${remote_home}/en_whitelist ${WHITELISTDSTPATH}whitelist_en" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chown ${RUN_USER}:${RUN_GROUP} ${WHITELISTDSTPATH}whitelist_en" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chmod 400 ${WHITELISTDSTPATH}whitelist_en" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "rm -f ${WHITELISTDSTPATH}kdc_kmc_encrypt_wt.sh" <<<"${OPS_PWD}"
${SSH_LOGIN_RUN} ${node_ip:1} ${OPS_USER} stdin "chmod 500 ${WHITELISTDSTPATH}" <<<"${OPS_PWD}"
done
return ${HOK}
}
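#######################################
# Entry point: prompt for the deployment parameters, generate the
# whitelists and keytabs, push them to every node, then start the KDC
# daemons. All values are read from stdin (OPS_PWD without echo).
# Globals (written): OPS_USER, OPS_PWD, RUN_USER, RUN_GROUP, SPARK_USER,
#   ZK_USER, OCK_HOME, REALM
# Returns: HOK on success; HFAIL when a required value is empty or the
#   script directory cannot be entered
#######################################
function main() {
local name=""
echo "Enter OPS_USER:"
read -r OPS_USER
echo "Enter OPS_PWD:"
read -r -s OPS_PWD
echo "Enter RUN_USER:"
read -r RUN_USER
echo "Enter RUN_GROUP:"
read -r RUN_GROUP
echo "Enter SPARK_USER:"
read -r SPARK_USER
echo "Enter ZK_USER:"
read -r ZK_USER
echo "OCK_HOME:"
read -r OCK_HOME
echo "Enter REALM:"
read -r REALM
# Every value ends up in a remote path or a principal name; an empty
# OCK_HOME, for instance, would make gen_and_distribute run
# "rm -rf /security/..." on each node, so refuse to continue on empty input.
for name in OPS_USER OPS_PWD RUN_USER RUN_GROUP SPARK_USER ZK_USER OCK_HOME REALM; do
if [[ -z "${!name}" ]]; then
echo "[err] ${name} must not be empty"
return ${HFAIL}
fi
done
# gen_and_distribute addresses the work directories both as ./whitelist and
# as ${LOCAL_DIR}/whitelist, so run from the script's own directory.
cd "${LOCAL_DIR}" || return ${HFAIL}
rm -rf -- "${LOCAL_DIR:?}/whitelist" "${LOCAL_DIR:?}/keytab"
mkdir -p whitelist keytab
# Plaintext keytabs are written under keytab/ before the nodes encrypt
# them; keep the work directories out of reach of other local users.
chmod 700 whitelist keytab
gen_meta_whitelist
gen_server_whitelist
gen_and_distribute
/usr/local/sbin/krb5kdc
/usr/local/sbin/kadmind
rm -rf -- "${LOCAL_DIR:?}/whitelist" "${LOCAL_DIR:?}/keytab"
return ${HOK}
}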
# Run main with stderr folded into stdout and report the overall outcome.
main "$@" 2>&1
ret_code=$?
if (( ret_code == 0 )); then
echo "SUCCESS"
else
echo "FAILED"
fi
exit "${ret_code}"
kdc_kmc_encrypt_kt_client.sh
#!/bin/bash
# ***********************************************************************
# Copyright: (c) Huawei Technologies Co., Ltd. 2021. All rights reserved.
# script for building kdc kmc encrypt keytab
# version: 1.0.0
# change log:
# ***********************************************************************
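set -e
set +x
# Directory this script lives in; the keytab to encrypt sits next to it.
LOCAL_DIR=$(cd "$(dirname "$0")" && pwd)
HFAIL=1
HOK=0
# GREP is not referenced in this script.
GREP=/bin/grep
# OCK_HOME and OCK_VERSION are expected to come from the user's ~/.bashrc
# or environment; sourcing may fail without aborting the script.
# kdc_distribute.sh invokes this file with "sh", while the syntax below
# (function keyword, [[ ]]) is bash-only, so sh must resolve to bash there.
set +e
source ~/.bashrc
set -e
# "uname -m" is the portable spelling of coreutils' arch (same output).
KMC_LIB_PATH="LD_LIBRARY_PATH=${OCK_HOME}/ucache/${OCK_VERSION}/linux-$(uname -m)/lib/common"
KMC_TOOL="${OCK_HOME}/ucache/${OCK_VERSION}/linux-$(uname -m)/bin/kmc_tool"
KEYTAB_SERVER_ENCRYPT="2 --fileEncrypt"
KEYTAB_CLIENT_ENCRYPT="3 --fileEncrypt"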
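#######################################
# Encrypt the client keytab next to this script with kmc_tool and delete
# the plaintext copy. The tool's output lands elsewhere (kdc_distribute.sh
# picks up en_keytab_client from the user's home); the plaintext is removed
# here even when encryption fails. Deletion is a plain unlink — the
# plaintext bytes are not overwritten on disk.
# Globals: KMC_LIB_PATH (exported into the environment), KMC_TOOL,
#   KEYTAB_CLIENT_ENCRYPT, LOCAL_DIR, HOK, HFAIL (read)
# Outputs: a failure message on stdout
# Returns: HOK on success, HFAIL when encryption or the removal fails
#######################################
function kmc_encrypt_keytab() {
local plain="${LOCAL_DIR}/krb5-client.keytab"
export "${KMC_LIB_PATH}"
# The mode string is intentionally two words; "if !" is needed because
# under set -e a bare failing command would exit before the message.
# shellcheck disable=SC2086
if ! "${KMC_TOOL}" ${KEYTAB_CLIENT_ENCRYPT} "${plain}"; then
echo "kmc encrypt failed"
rm -f -- "${plain}"
return ${HFAIL}
fi
if ! rm -f -- "${plain}"; then
echo "rm krb5-client.keytab failed"
return ${HFAIL}
fi
return ${HOK}
}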
# Entry point; the exit status is that of kmc_encrypt_keytab.
function main() {
kmc_encrypt_keytab
}
# Run main with stderr folded into stdout and report the overall outcome.
main "$@" 2>&1
ret_code=$?
if (( ret_code == 0 )); then
echo "SUCCESS"
else
echo "FAILED"
fi
exit "${ret_code}"
kdc_kmc_encrypt_kt_server.sh
#!/bin/bash
# ***********************************************************************
# Copyright: (c) Huawei Technologies Co., Ltd. 2021. All rights reserved.
# script for building kdc kmc encrypt keytab
# version: 1.0.0
# change log:
# ***********************************************************************
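set -e
set +x
# Directory this script lives in; the keytab to encrypt sits next to it.
LOCAL_DIR=$(cd "$(dirname "$0")" && pwd)
HFAIL=1
HOK=0
# GREP is not referenced in this script.
GREP=/bin/grep
# OCK_HOME and OCK_VERSION are expected to come from the user's ~/.bashrc
# or environment; sourcing may fail without aborting the script.
# kdc_distribute.sh invokes this file with "sh", while the syntax below
# (function keyword, [[ ]]) is bash-only, so sh must resolve to bash there.
set +e
source ~/.bashrc
set -e
# "uname -m" is the portable spelling of coreutils' arch (same output).
KMC_LIB_PATH="LD_LIBRARY_PATH=${OCK_HOME}/ucache/${OCK_VERSION}/linux-$(uname -m)/lib/common"
KMC_TOOL="${OCK_HOME}/ucache/${OCK_VERSION}/linux-$(uname -m)/bin/kmc_tool"
KEYTAB_SERVER_ENCRYPT="2 --fileEncrypt"
KEYTAB_CLIENT_ENCRYPT="3 --fileEncrypt"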
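#######################################
# Encrypt the server keytab next to this script with kmc_tool and delete
# the plaintext copy. The tool's output lands elsewhere (kdc_distribute.sh
# picks up en_keytab_server from the user's home); the plaintext is removed
# here even when encryption fails. Deletion is a plain unlink — the
# plaintext bytes are not overwritten on disk.
# Globals: KMC_LIB_PATH (exported into the environment), KMC_TOOL,
#   KEYTAB_SERVER_ENCRYPT, LOCAL_DIR, HOK, HFAIL (read)
# Outputs: a failure message on stdout
# Returns: HOK on success, HFAIL when encryption or the removal fails
#######################################
function kmc_encrypt_keytab() {
local plain="${LOCAL_DIR}/krb5-server.keytab"
export "${KMC_LIB_PATH}"
# The mode string is intentionally two words; "if !" is needed because
# under set -e a bare failing command would exit before the message.
# shellcheck disable=SC2086
if ! "${KMC_TOOL}" ${KEYTAB_SERVER_ENCRYPT} "${plain}"; then
echo "kmc encrypt failed"
rm -f -- "${plain}"
return ${HFAIL}
fi
if ! rm -f -- "${plain}"; then
echo "rm krb5-server.keytab failed"
return ${HFAIL}
fi
return ${HOK}
}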
# Entry point; the exit status is that of kmc_encrypt_keytab.
function main() {
kmc_encrypt_keytab
}
# Run main with stderr folded into stdout and report the overall outcome.
main "$@" 2>&1
ret_code=$?
if (( ret_code == 0 )); then
echo "SUCCESS"
else
echo "FAILED"
fi
exit "${ret_code}"
kdc_kmc_encrypt_wt.sh
#!/bin/bash
# ***********************************************************************
# Copyright: (c) Huawei Technologies Co., Ltd. 2021. All rights reserved.
# script for building kdc kmc encrypt whitelist
# version: 1.0.0
# change log:
# ***********************************************************************
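set -e
set +x
# Directory this script lives in; the whitelist to encrypt sits next to it.
LOCAL_DIR=$(cd "$(dirname "$0")" && pwd)
HFAIL=1
HOK=0
# GREP is not referenced in this script.
GREP=/bin/grep
# OCK_HOME and OCK_VERSION are expected to come from the user's ~/.bashrc
# or environment; sourcing may fail without aborting the script.
# kdc_distribute.sh invokes this file with "sh", while the syntax below
# (function keyword, [[ ]]) is bash-only, so sh must resolve to bash there.
set +e
source ~/.bashrc
set -e
# "uname -m" is the portable spelling of coreutils' arch (same output).
KMC_LIB_PATH="LD_LIBRARY_PATH=${OCK_HOME}/ucache/${OCK_VERSION}/linux-$(uname -m)/lib/common"
KMC_TOOL="${OCK_HOME}/ucache/${OCK_VERSION}/linux-$(uname -m)/bin/kmc_tool"
WHITELIST_ENCRYPT="1 --fileEncrypt"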
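#######################################
# Encrypt the whitelist next to this script with kmc_tool and delete the
# plaintext copy. The tool's output lands elsewhere (kdc_distribute.sh
# picks up en_whitelist from the user's home); the plaintext is removed
# here even when encryption fails. Deletion is a plain unlink — the
# plaintext bytes are not overwritten on disk.
# Globals: KMC_LIB_PATH (exported into the environment), KMC_TOOL,
#   WHITELIST_ENCRYPT, LOCAL_DIR, HOK, HFAIL (read)
# Outputs: a failure message on stdout
# Returns: HOK on success, HFAIL when encryption or the removal fails
#######################################
function kmc_encrypt_whitelist() {
local plain="${LOCAL_DIR}/whitelist"
export "${KMC_LIB_PATH}"
# The mode string is intentionally two words; "if !" is needed because
# under set -e a bare failing command would exit before the message.
# shellcheck disable=SC2086
if ! "${KMC_TOOL}" ${WHITELIST_ENCRYPT} "${plain}"; then
echo "kmc encrypt failed"
rm -f -- "${plain}"
return ${HFAIL}
fi
if ! rm -f -- "${plain}"; then
echo "rm whitelist failed"
return ${HFAIL}
fi
return ${HOK}
}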
# Entry point; the exit status is that of kmc_encrypt_whitelist.
function main() {
kmc_encrypt_whitelist
}
# Run main with stderr folded into stdout and report the overall outcome.
main "$@" 2>&1
ret_code=$?
if (( ret_code == 0 )); then
echo "SUCCESS"
else
echo "FAILED"
fi
exit "${ret_code}"
kdc_kmc_encrypt_zookeeper_kt.sh
#!/bin/bash
# ***********************************************************************
# Copyright: (c) Huawei Technologies Co., Ltd. 2021. All rights reserved.
# script for building kdc kmc encrypt zookeeper keytab
# version: 1.0.0
# change log:
# ***********************************************************************
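set -e
set +x
# Directory this script lives in; the keytab to encrypt sits next to it.
LOCAL_DIR=$(cd "$(dirname "$0")" && pwd)
HFAIL=1
HOK=0
# GREP is not referenced in this script.
GREP=/bin/grep
# OCK_HOME and OCK_VERSION are expected to come from the user's ~/.bashrc
# or environment; sourcing may fail without aborting the script.
# kdc_distribute.sh invokes this file with "sh", while the syntax below
# (function keyword, [[ ]]) is bash-only, so sh must resolve to bash there.
set +e
source ~/.bashrc
set -e
# "uname -m" is the portable spelling of coreutils' arch (same output).
KMC_LIB_PATH="LD_LIBRARY_PATH=${OCK_HOME}/ucache/${OCK_VERSION}/linux-$(uname -m)/lib/common"
KMC_TOOL="${OCK_HOME}/ucache/${OCK_VERSION}/linux-$(uname -m)/bin/kmc_tool"
KEYTAB_SERVER_ENCRYPT="2 --fileEncrypt"
KEYTAB_CLIENT_ENCRYPT="3 --fileEncrypt"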
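#######################################
# Encrypt the ZooKeeper keytab next to this script with kmc_tool (server
# mode) and delete the plaintext copy. The tool's output lands elsewhere
# (kdc_distribute.sh picks up en_keytab_server from the user's home); the
# plaintext is removed here even when encryption fails. Deletion is a plain
# unlink — the plaintext bytes are not overwritten on disk.
# Globals: KMC_LIB_PATH (exported into the environment), KMC_TOOL,
#   KEYTAB_SERVER_ENCRYPT, LOCAL_DIR, HOK, HFAIL (read)
# Outputs: a failure message on stdout
# Returns: HOK on success, HFAIL when encryption or the removal fails
#######################################
function kmc_encrypt_keytab() {
local plain="${LOCAL_DIR}/zookeeper.keytab"
export "${KMC_LIB_PATH}"
# The mode string is intentionally two words; "if !" is needed because
# under set -e a bare failing command would exit before the message.
# shellcheck disable=SC2086
if ! "${KMC_TOOL}" ${KEYTAB_SERVER_ENCRYPT} "${plain}"; then
echo "kmc encrypt failed"
rm -f -- "${plain}"
return ${HFAIL}
fi
if ! rm -f -- "${plain}"; then
echo "rm zookeeper.keytab failed"
return ${HFAIL}
fi
return ${HOK}
}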
# Entry point; the exit status is that of kmc_encrypt_keytab.
function main() {
kmc_encrypt_keytab
}
# Run main with stderr folded into stdout and report the overall outcome.
main "$@" 2>&1
ret_code=$?
if (( ret_code == 0 )); then
echo "SUCCESS"
else
echo "FAILED"
fi
exit "${ret_code}"