KDC配置脚本文件
kdc_distribute.sh
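#!/bin/bash
# ***********************************************************************
# Copyright: (c) Huawei Technologies Co., Ltd. 2021. All rights reserved.
# script for building kdc distribute
# version: 1.0.0
# change log:
# ***********************************************************************
#
# Run on the KDC host. For every node in node_list (one line per node:
# "<ip> <user> <meta-flag>", read from this script's directory) it
#   1. builds the authorization whitelist for that node,
#   2. creates the node's Kerberos principals with kadmin.local and
#      exports their keytabs,
#   3. pushes whitelist, keytabs and the kdc_kmc_encrypt_*.sh helpers to
#      the node (expect-driven ssh/scp as OPS_USER), runs the helpers there
#      as the owning users and locks the permissions down,
# and finally starts krb5kdc and kadmind. All credentials are entered
# interactively. The local working dirs whitelist/ and keytab/ (plaintext
# keytabs!) are removed on every exit path by the EXIT trap.
set -e
set +x            # never trace: traced commands would reveal paths and secrets
set +o history

LOCAL_DIR=$(cd "$(dirname "$0")" && pwd)
SSH_LOGIN_RUN="ssh_and_run_cmd"
EXPECT=/usr/bin/expect          # unused; expect is resolved from PATH, as before
REALM=""
# All working files are addressed relative to the script, not to the
# caller's cwd, so every function agrees on where they live.
NODE_LIST="${LOCAL_DIR}/node_list"
WHITELIST_DIR="${LOCAL_DIR}/whitelist"
KEYTAB_DIR="${LOCAL_DIR}/keytab"
KADMIN=/usr/local/sbin/kadmin.local
# OPS_PWD/OPS_USER are exported as in the original; nothing in this file
# reads them from the environment, so the export could be dropped later.
export OPS_PWD=""
export OPS_USER=""
RUN_USER=""
RUN_GROUP=""
SPARK_USER=""
ZK_USER=""
OCK_HOME=""
HFAIL=1
HOK=0
GREP=/bin/grep
# Remote layout, derived by init_remote_paths once the users are known.
KEYTABDSTPATH=""
WHITELISTDSTPATH=""
SPARK_HOME_DIR=""
RUN_HOME_DIR=""
ZK_HOME_DIR=""
SPARK_KMC_DIR=""
SPARK_KDC_DIR=""
ZK_KMC_DIR=""
ZK_KDC_DIR=""

#######################################
# Log in to a node over ssh and run one shell command at its prompt.
# The password is read from stdin (callers pass a here-string) so it never
# appears on a command line. It is handed to expect through the
# environment and the expect script is a *quoted* here-doc, so neither the
# password nor the command is re-parsed as Tcl (the original interpolated
# both into the Tcl source, where quotes, brackets or backslashes in a
# password broke or altered the script).
# Arguments: $1 target ip, $2 login user, $3 ignored ("stdin" marker),
#            $4 command to run on the node
# Returns:   HOK when the remote command exited 0; otherwise reports the
#            node and command and exits the whole script with HFAIL.
#######################################
function ssh_and_run_cmd() {
  local targetip=$1
  local username=$2
  local password=""
  local command=$4
  local expect_res=""
  local res_code=0
  read -r -s password
  # "|| true": an expect exit 1 (Permission denied) must not trip set -e
  # before we can report which node failed.
  expect_res=$(
    SSH_TARGET="${targetip}" SSH_USER="${username}" \
      SSH_PASSWORD="${password}" SSH_COMMAND="${command}" expect <<'EOF'
set timeout 300
spawn ssh -l $env(SSH_USER) $env(SSH_TARGET)
expect {
  "(yes/no*)?" { send -- "yes\n"; exp_continue }
  "*assword:" { send -- "$env(SSH_PASSWORD)\r"; exp_continue }
  "Permission denied, please try again.*" { exit 1 }
  "]*" { send -- "export HISTFILE=/dev/null\r" }
}
expect "]*"
send -- "$env(SSH_COMMAND)\r"
expect "]*"
send -- "echo return:\$?\r"
expect "]*"
send -- "exit\r"
expect eof
EOF
  ) || true
  # grep -c exits 1 when the count is 0; that is a result, not an error.
  res_code=$("${GREP}" -c -F -- "return:0" <<<"${expect_res}") || true
  if [[ "${res_code}" -eq 1 ]]; then
    return ${HOK}
  fi
  echo "[err] node(${targetip}) cmd(${command})"
  exit ${HFAIL}
}

#######################################
# Copy one local file to a node with scp (expect-driven).
# Arguments: $1 local file, $2 remote ip, $3 remote user, $4 ignored
#            ("stdin" marker; the password is read from stdin), $5 remote path
# Returns:   HOK on success; HFAIL on a usage error; exits the script with
#            HFAIL when the transfer fails.
#######################################
function copy_file_to_remote() {
  if [[ $# -ne 5 ]]; then
    echo "Params Error. Usage: copy_file_to_remote <local_file> <remote_ip> <remote_user> <remote_password> <remote_path>"
    return ${HFAIL}
  fi
  local local_file=$1
  local remote_ip=$2
  local remote_user=$3
  local remote_password=""
  local remote_path=$5
  local rc=0
  read -r -s remote_password
  # Quoted here-doc + environment, for the same reason as in ssh_and_run_cmd.
  # Capturing the status with "|| rc=$?" keeps set -e from aborting before
  # the failure message (the original "$?" check was never reached).
  SCP_SRC="${local_file}" SCP_DST="${remote_user}@${remote_ip}:${remote_path}" \
    SCP_PASSWORD="${remote_password}" expect <<'EOF' >/dev/null 2>&1 || rc=$?
set timeout 300
spawn scp -p $env(SCP_SRC) $env(SCP_DST)
expect {
  "(yes/no*)?" { send -- "yes\n"; exp_continue }
  "*assword:" { send -- "$env(SCP_PASSWORD)\r"; exp_continue }
  "Permission denied, please try again.*" { exit 1 }
  "100%" { exit 0 }
}
exit 1
EOF
  if [[ ${rc} -ne 0 ]]; then
    echo "scp file ${local_file} to ${remote_ip} failed."
    exit ${HFAIL}
  fi
  return ${HOK}
}

#######################################
# Print the home directory of a remote account: root → /root, anything
# else → /home/<user>.
#######################################
function home_of() {
  if [[ "$1" == "root" ]]; then
    echo "/root"
  else
    echo "/home/$1"
  fi
}

#######################################
# Derive every remote path from OCK_HOME and the three service users.
# Globals written: KEYTABDSTPATH WHITELISTDSTPATH *_HOME_DIR *_KMC_DIR *_KDC_DIR
#######################################
function init_remote_paths() {
  KEYTABDSTPATH="${OCK_HOME}/security/kdc/"
  WHITELISTDSTPATH="${OCK_HOME}/security/authorization/"
  SPARK_HOME_DIR=$(home_of "${SPARK_USER}")
  RUN_HOME_DIR=$(home_of "${RUN_USER}")
  ZK_HOME_DIR=$(home_of "${ZK_USER}")
  SPARK_KMC_DIR="${SPARK_HOME_DIR}/huawei/ock/security/pmt"
  SPARK_KDC_DIR="${SPARK_HOME_DIR}/huawei/ock/security/kdc"
  ZK_KMC_DIR="${ZK_HOME_DIR}/huawei/ock/security/pmt"
  ZK_KDC_DIR="${ZK_HOME_DIR}/huawei/ock/security/kdc"
}

#######################################
# Run one command on a node as OPS_USER; the password travels on stdin.
# Arguments: $1 node address, $2 command
#######################################
function remote_run() {
  "${SSH_LOGIN_RUN}" "$1" "${OPS_USER}" stdin "$2" <<<"${OPS_PWD}"
}

#######################################
# Copy a local file to a node as OPS_USER; the password travels on stdin.
# Arguments: $1 local file, $2 node address, $3 remote path
#######################################
function remote_copy() {
  copy_file_to_remote "$1" "$2" "${OPS_USER}" stdin "$3" <<<"${OPS_PWD}"
}

#######################################
# Start a whitelist file (overwrites any stale file of that name).
# Arguments: $1 whitelist file
#######################################
function write_whitelist_header() {
  {
    echo "{"
    echo " \"ock\":"
    echo " ["
  } > "$1"
}

#######################################
# Append one {"user": <principal>, "allow": true} entry to a whitelist.
# Arguments: $1 whitelist file, $2 principal,
#            $3 separator after the entry: "," (default) or "" for the last one
#######################################
function append_allow_entry() {
  local file=$1
  local principal=$2
  local sep=${3-,}
  {
    echo " {"
    echo " \"user\": \"${principal}\","
    echo " \"allow\": true"
    echo " }${sep}"
  } >> "${file}"
}

#######################################
# Build meta_whitelist: an ock_server and an ock_client entry for every
# node. The JSON array is left open; gen_node_whitelist closes it.
#######################################
function gen_meta_whitelist() {
  local file="${WHITELIST_DIR}/meta_whitelist"
  local node_ip node_user node_meta
  write_whitelist_header "${file}"
  while read -r node_ip node_user node_meta _ || [[ -n "${node_ip}" ]]; do
    [[ -n "${node_ip}" ]] || continue   # skip blank lines
    append_allow_entry "${file}" "ock_server/${node_user}@${REALM}"
    append_allow_entry "${file}" "ock_client/${node_user}@${REALM}"
  done < "${NODE_LIST}"
  return ${HOK}
}

#######################################
# Build server_whitelist: an ock_server entry for every node, preceded by
# an ock_client entry for nodes whose meta flag starts with "1". The JSON
# array is left open; gen_node_whitelist closes it.
#######################################
function gen_server_whitelist() {
  local file="${WHITELIST_DIR}/server_whitelist"
  local node_ip node_user node_meta server_principal
  write_whitelist_header "${file}"
  while read -r node_ip node_user node_meta _ || [[ -n "${node_ip}" ]]; do
    [[ -n "${node_ip}" ]] || continue   # skip blank lines
    server_principal="ock_server/${node_user}@${REALM}"
    echo "server_principal=${server_principal}"
    if [[ "${node_meta:0:1}" == "1" ]]; then
      append_allow_entry "${file}" "ock_client/${node_user}@${REALM}"
    fi
    append_allow_entry "${file}" "${server_principal}"
  done < "${NODE_LIST}"
  return ${HOK}
}

#######################################
# Create a principal with a random key unless it already exists. As in the
# original, a failed addprinc is reported but not fatal (ktadd fails later).
# Arguments: $1 principal
#######################################
function ensure_principal() {
  local principal=$1
  # -F -x: match the whole line; a bare substring grep also matched any
  # principal that merely contains this one.
  if "${KADMIN}" listprincs | "${GREP}" -q -F -x -- "${principal}"; then
    echo "principal:${principal} already exists, no need to add"
  elif ! "${KADMIN}" addprinc -randkey "${principal}"; then
    echo "addprinc failed"
  fi
}

#######################################
# Export a principal's current key into a keytab. -norandkey keeps the key
# unchanged so the same principal can be written into several keytabs.
# Arguments: $1 keytab file, $2 principal
# Returns:   HFAIL when ktadd fails (the explicit check the original had
#            was unreachable under set -e)
#######################################
function export_keytab() {
  local keytab=$1
  local principal=$2
  if ! "${KADMIN}" ktadd -k "${keytab}" -norandkey "${principal}"; then
    echo "ktadd failed"
    return ${HFAIL}
  fi
  return ${HOK}
}

#######################################
# Recreate the per-user security directories on a node, owned by the
# respective service user and mode 700.
# Arguments: $1 node address
#######################################
function prepare_remote_dirs() {
  local node=$1
  remote_run "${node}" "rm -rf ${SPARK_KMC_DIR}"
  remote_run "${node}" "su - ${SPARK_USER} -c 'mkdir -p ${SPARK_KMC_DIR}/master && chmod -R 700 ${SPARK_KMC_DIR}/master'"
  remote_run "${node}" "su - ${SPARK_USER} -c 'mkdir -p ${SPARK_KMC_DIR}/standby && chmod -R 700 ${SPARK_KMC_DIR}/standby'"
  remote_run "${node}" "rm -rf ${SPARK_KDC_DIR}"
  remote_run "${node}" "su - ${SPARK_USER} -c 'mkdir -p ${SPARK_KDC_DIR} && chmod 700 ${SPARK_KDC_DIR}'"
  remote_run "${node}" "rm -rf ${ZK_KMC_DIR}"
  remote_run "${node}" "su - ${ZK_USER} -c 'mkdir -p ${ZK_KMC_DIR}/master && chmod -R 700 ${ZK_KMC_DIR}/master'"
  remote_run "${node}" "su - ${ZK_USER} -c 'mkdir -p ${ZK_KMC_DIR}/standby && chmod -R 700 ${ZK_KMC_DIR}/standby'"
  remote_run "${node}" "rm -rf ${ZK_KDC_DIR}"
  remote_run "${node}" "su - ${ZK_USER} -c 'mkdir -p ${ZK_KDC_DIR} && chmod 700 ${ZK_KDC_DIR}'"
  remote_run "${node}" "rm -rf ${WHITELISTDSTPATH}"
  remote_run "${node}" "rm -rf ${KEYTABDSTPATH}"
  remote_run "${node}" "su - ${RUN_USER} -c 'mkdir -p ${WHITELISTDSTPATH} && chmod 700 ${WHITELISTDSTPATH}'"
  remote_run "${node}" "su - ${RUN_USER} -c 'mkdir -p ${KEYTABDSTPATH} && chmod 700 ${KEYTABDSTPATH}'"
  remote_run "${node}" "rm -rf ${OCK_HOME}/security/pmt"
  remote_run "${node}" "su - ${RUN_USER} -c 'mkdir -p ${OCK_HOME}/security/pmt/master && chmod 700 ${OCK_HOME}/security/pmt/master'"
  remote_run "${node}" "su - ${RUN_USER} -c 'mkdir -p ${OCK_HOME}/security/pmt/standby && chmod 700 ${OCK_HOME}/security/pmt/standby'"
}

#######################################
# Build the whitelist for one node (server list for meta flag "0", meta
# list otherwise, plus the node's own ock_client principal), close the
# JSON, push it to WHITELISTDSTPATH and delete the local copy.
# Arguments: $1 node address, $2 node user, $3 meta flag
#######################################
function gen_node_whitelist() {
  local node=$1
  local node_user=$2
  local node_meta=$3
  local whitelist="${WHITELIST_DIR}/whitelist"
  local principal_sdk="ock_client/${node_user}@${REALM}"
  if [[ "${node_meta:0:1}" == "0" ]]; then
    echo "copy server"
    cp -- "${WHITELIST_DIR}/server_whitelist" "${whitelist}"
  else
    echo "copy meta"
    cp -- "${WHITELIST_DIR}/meta_whitelist" "${whitelist}"
  fi
  echo "principal_sdk=${principal_sdk}"
  append_allow_entry "${whitelist}" "${principal_sdk}" ""
  {
    echo " ]"
    echo "}"
  } >> "${whitelist}"
  remote_copy "${whitelist}" "${node}" "${WHITELISTDSTPATH}"
  rm -rf -- "${whitelist}"
}

#######################################
# Create the node's principals (zookeeper, zkcli, ock_client, ock_server),
# export them into the three keytabs under KEYTAB_DIR, push the keytabs
# to the node and delete the local client/server copies.
# Arguments: $1 node address, $2 node user
# Returns:   HFAIL when a ktadd fails
#######################################
function gen_node_keytabs() {
  local node=$1
  local node_user=$2
  local zk_keytab="${KEYTAB_DIR}/zookeeper.keytab"
  local client_keytab="${KEYTAB_DIR}/krb5-client.keytab"
  local server_keytab="${KEYTAB_DIR}/krb5-server.keytab"

  #zookeeper security#
  ensure_principal "zookeeper/${node_user}@${REALM}"
  ensure_principal "zkcli/${node_user}@${REALM}"
  export_keytab "${zk_keytab}" "zookeeper/${node_user}@${REALM}" || return ${HFAIL}
  export_keytab "${client_keytab}" "zkcli/${node_user}@${REALM}" || return ${HFAIL}
  export_keytab "${server_keytab}" "zkcli/${node_user}@${REALM}" || return ${HFAIL}

  ensure_principal "ock_client/${node_user}@${REALM}"
  ensure_principal "ock_server/${node_user}@${REALM}"
  export_keytab "${client_keytab}" "ock_client/${node_user}@${REALM}" || return ${HFAIL}
  export_keytab "${server_keytab}" "ock_server/${node_user}@${REALM}" || return ${HFAIL}

  remote_copy "${client_keytab}" "${node}" "${SPARK_KDC_DIR}"
  remote_copy "${server_keytab}" "${node}" "${KEYTABDSTPATH}"
  remote_copy "${zk_keytab}" "${node}" "${ZK_KDC_DIR}"
  # NOTE(review): only the client/server keytabs are removed per node, so
  # zookeeper.keytab keeps accumulating entries and every later node also
  # receives the zookeeper keys of the nodes before it. Kept as in the
  # original — confirm whether the ZooKeeper deployment really needs that.
  rm -rf -- "${client_keytab}" "${server_keytab}"
  return ${HOK}
}

#######################################
# Push kdc_kmc_encrypt_kt_client.sh to SPARK_USER's kdc dir, run it there
# to produce krb5-client_en.keytab, copy the ksf* files from tools/pmt
# into the kmc dir and make everything read-only for SPARK_USER.
# Arguments: $1 node address
#######################################
function deploy_spark_client_keytab() {
  local node=$1
  remote_copy "${LOCAL_DIR}/kdc_kmc_encrypt_kt_client.sh" "${node}" "${SPARK_KDC_DIR}"
  remote_run "${node}" "chown ${SPARK_USER}:${RUN_GROUP} ${SPARK_KDC_DIR}/kdc_kmc_encrypt_kt_client.sh"
  remote_run "${node}" "chown ${SPARK_USER}:${RUN_GROUP} ${SPARK_KDC_DIR}/krb5-client.keytab"
  remote_run "${node}" "rm -f ${SPARK_HOME_DIR}/en_keytab_client"
  remote_run "${node}" "su - ${SPARK_USER} -c 'sh ${SPARK_KDC_DIR}/kdc_kmc_encrypt_kt_client.sh'"
  remote_run "${node}" "mv ${SPARK_HOME_DIR}/en_keytab_client ${SPARK_KDC_DIR}/krb5-client_en.keytab"
  remote_run "${node}" "su - ${SPARK_USER} -c 'cp ${SPARK_HOME_DIR}/tools/pmt/master/ksf* ${SPARK_KMC_DIR}/master/'"
  remote_run "${node}" "su - ${SPARK_USER} -c 'cp ${SPARK_HOME_DIR}/tools/pmt/standby/ksf* ${SPARK_KMC_DIR}/standby/'"
  remote_run "${node}" "chown ${SPARK_USER}:${RUN_GROUP} ${SPARK_KDC_DIR}/krb5-client_en.keytab"
  remote_run "${node}" "chmod 500 ${SPARK_KDC_DIR}"
  remote_run "${node}" "chmod 500 ${SPARK_KMC_DIR}"
  remote_run "${node}" "chmod -R 500 ${SPARK_KMC_DIR}/master"
  remote_run "${node}" "chmod -R 500 ${SPARK_KMC_DIR}/standby"
  remote_run "${node}" "chmod 400 ${SPARK_KDC_DIR}/krb5-client_en.keytab"
  remote_run "${node}" "chmod 400 ${SPARK_KMC_DIR}/master/ksf*"
  remote_run "${node}" "chmod 400 ${SPARK_KMC_DIR}/standby/ksf*"
  remote_run "${node}" "rm -f ${SPARK_KDC_DIR}/kdc_kmc_encrypt_kt_client.sh"
}

#######################################
# Same procedure for RUN_USER's server keytab under KEYTABDSTPATH and the
# ksf* files under OCK_HOME/security/pmt.
# Arguments: $1 node address
#######################################
function deploy_server_keytab() {
  local node=$1
  remote_copy "${LOCAL_DIR}/kdc_kmc_encrypt_kt_server.sh" "${node}" "${KEYTABDSTPATH}"
  remote_run "${node}" "chown ${RUN_USER}:${RUN_GROUP} ${KEYTABDSTPATH}kdc_kmc_encrypt_kt_server.sh"
  remote_run "${node}" "chown ${RUN_USER}:${RUN_GROUP} ${KEYTABDSTPATH}krb5-server.keytab"
  remote_run "${node}" "rm -f ${RUN_HOME_DIR}/en_keytab_server"
  remote_run "${node}" "su - ${RUN_USER} -c 'sh ${KEYTABDSTPATH}kdc_kmc_encrypt_kt_server.sh'"
  remote_run "${node}" "mv ${RUN_HOME_DIR}/en_keytab_server ${KEYTABDSTPATH}krb5-server_en.keytab"
  remote_run "${node}" "su - ${RUN_USER} -c 'cp ${RUN_HOME_DIR}/tools/pmt/master/ksf* ${OCK_HOME}/security/pmt/master/'"
  remote_run "${node}" "su - ${RUN_USER} -c 'cp ${RUN_HOME_DIR}/tools/pmt/standby/ksf* ${OCK_HOME}/security/pmt/standby/'"
  remote_run "${node}" "chown ${RUN_USER}:${RUN_GROUP} ${KEYTABDSTPATH}/krb5-server_en.keytab"
  remote_run "${node}" "chmod 500 ${KEYTABDSTPATH}"
  remote_run "${node}" "chmod -R 500 ${OCK_HOME}/security/pmt"
  remote_run "${node}" "chmod 400 ${KEYTABDSTPATH}krb5-server_en.keytab"
  remote_run "${node}" "chmod 400 ${OCK_HOME}/security/pmt/master/ksf*"
  remote_run "${node}" "chmod 400 ${OCK_HOME}/security/pmt/standby/ksf*"
  remote_run "${node}" "rm -f ${KEYTABDSTPATH}kdc_kmc_encrypt_kt_server.sh"
}

#######################################
# Same procedure for ZK_USER's zookeeper keytab. Note the modes differ from
# the other two roles (kdc dir 700, encrypted keytab 600), as in the original.
# Arguments: $1 node address
#######################################
function deploy_zookeeper_keytab() {
  local node=$1
  remote_copy "${LOCAL_DIR}/kdc_kmc_encrypt_zookeeper_kt.sh" "${node}" "${ZK_KDC_DIR}"
  remote_run "${node}" "chown ${ZK_USER}:${RUN_GROUP} ${ZK_KDC_DIR}/kdc_kmc_encrypt_zookeeper_kt.sh"
  remote_run "${node}" "chown ${ZK_USER}:${RUN_GROUP} ${ZK_KDC_DIR}/zookeeper.keytab"
  remote_run "${node}" "rm -f ${ZK_HOME_DIR}/en_keytab_server"
  remote_run "${node}" "su - ${ZK_USER} -c 'sh ${ZK_KDC_DIR}/kdc_kmc_encrypt_zookeeper_kt.sh'"
  remote_run "${node}" "mv ${ZK_HOME_DIR}/en_keytab_server ${ZK_KDC_DIR}/zookeeper_en.keytab"
  remote_run "${node}" "su - ${ZK_USER} -c 'cp ${ZK_HOME_DIR}/tools/pmt/master/ksf* ${ZK_KMC_DIR}/master/'"
  remote_run "${node}" "su - ${ZK_USER} -c 'cp ${ZK_HOME_DIR}/tools/pmt/standby/ksf* ${ZK_KMC_DIR}/standby/'"
  remote_run "${node}" "chown ${ZK_USER}:${RUN_GROUP} ${ZK_KDC_DIR}/zookeeper_en.keytab"
  remote_run "${node}" "chmod 700 ${ZK_KDC_DIR}"
  remote_run "${node}" "chmod -R 500 ${ZK_KMC_DIR}/master"
  remote_run "${node}" "chmod -R 500 ${ZK_KMC_DIR}/standby"
  remote_run "${node}" "chmod 400 ${ZK_KMC_DIR}/master/ksf*"
  remote_run "${node}" "chmod 400 ${ZK_KMC_DIR}/standby/ksf*"
  remote_run "${node}" "chmod 600 ${ZK_KDC_DIR}/zookeeper_en.keytab"
  remote_run "${node}" "rm -f ${ZK_KDC_DIR}/kdc_kmc_encrypt_zookeeper_kt.sh"
}

#######################################
# Encrypt the whitelist already copied to WHITELISTDSTPATH with
# kdc_kmc_encrypt_wt.sh as RUN_USER and make it read-only.
# Arguments: $1 node address
#######################################
function deploy_whitelist() {
  local node=$1
  remote_copy "${LOCAL_DIR}/kdc_kmc_encrypt_wt.sh" "${node}" "${WHITELISTDSTPATH}"
  remote_run "${node}" "chown -R ${RUN_USER}:${RUN_GROUP} ${WHITELISTDSTPATH}"
  remote_run "${node}" "rm -f ${RUN_HOME_DIR}/en_whitelist"
  remote_run "${node}" "su - ${RUN_USER} -c 'sh ${WHITELISTDSTPATH}kdc_kmc_encrypt_wt.sh'"
  remote_run "${node}" "mv ${RUN_HOME_DIR}/en_whitelist ${WHITELISTDSTPATH}whitelist_en"
  remote_run "${node}" "chown ${RUN_USER}:${RUN_GROUP} ${WHITELISTDSTPATH}whitelist_en"
  remote_run "${node}" "chmod 400 ${WHITELISTDSTPATH}whitelist_en"
  remote_run "${node}" "rm -f ${WHITELISTDSTPATH}kdc_kmc_encrypt_wt.sh"
  remote_run "${node}" "chmod 500 ${WHITELISTDSTPATH}"
}

#######################################
# Per node: prepare directories, build and push the whitelist, create
# principals/keytabs and push them, then run the encrypt helpers remotely.
# Returns: HFAIL when keytab export fails for a node; transfer or remote
#          command failures exit the script from the helpers.
#######################################
function gen_and_distribute() {
  local node_ip node_user node_meta node
  init_remote_paths
  while read -r node_ip node_user node_meta _ || [[ -n "${node_ip}" ]]; do
    [[ -n "${node_ip}" ]] || continue   # skip blank lines
    echo "node_ip=${node_ip}"
    echo "node_user=${node_user}"
    echo "node_meta=${node_meta}"
    # The first character of the ip column is dropped before it is used as
    # the ssh target, as in the original (node_list evidently carries a
    # one-character prefix in that column — confirm against the file format).
    node=${node_ip:1}
    prepare_remote_dirs "${node}"
    gen_node_whitelist "${node}" "${node_user}" "${node_meta}"
    gen_node_keytabs "${node}" "${node_user}" || return ${HFAIL}
    deploy_spark_client_keytab "${node}"
    deploy_server_keytab "${node}"
    deploy_zookeeper_keytab "${node}"
    deploy_whitelist "${node}"
  done < "${NODE_LIST}"
  return ${HOK}
}

#######################################
# Prompt for all inputs, build the lists, distribute, start the KDC daemons.
# Returns: HFAIL on empty input or a missing node list; otherwise the
#          status of the last step.
#######################################
function main() {
  echo "Enter OPS_USER:"
  read -r OPS_USER
  echo "Enter OPS_PWD:"
  read -r -s OPS_PWD
  echo "Enter RUN_USER:"
  read -r RUN_USER
  echo "Enter RUN_GROUP:"
  read -r RUN_GROUP
  echo "Enter SPARK_USER:"
  read -r SPARK_USER
  echo "Enter ZK_USER:"
  read -r ZK_USER
  echo "OCK_HOME:"
  read -r OCK_HOME
  echo "Enter REALM:"
  read -r REALM
  # An empty value would turn the remote "rm -rf ${OCK_HOME}/..." and
  # "su - ${USER}" commands into something quite different; refuse it.
  local name
  for name in OPS_USER OPS_PWD RUN_USER RUN_GROUP SPARK_USER ZK_USER OCK_HOME REALM; do
    if [[ -z "${!name}" ]]; then
      echo "${name} must not be empty"
      return ${HFAIL}
    fi
  done
  if [[ ! -f "${NODE_LIST}" ]]; then
    echo "node list ${NODE_LIST} not found"
    return ${HFAIL}
  fi
  umask 077   # local plaintext keytabs/whitelists are readable by this user only
  rm -rf -- "${WHITELIST_DIR:?}" "${KEYTAB_DIR:?}"
  mkdir -p -- "${WHITELIST_DIR}" "${KEYTAB_DIR}"
  gen_meta_whitelist
  gen_server_whitelist
  gen_and_distribute
  /usr/local/sbin/krb5kdc
  /usr/local/sbin/kadmind
  rm -rf -- "${WHITELIST_DIR:?}" "${KEYTAB_DIR:?}"
  return $?
}

#######################################
# EXIT trap: remove the local plaintext keytabs/whitelists on every exit
# path (a set -e abort used to leave them behind) and report the outcome,
# which a set -e abort also used to skip.
#######################################
function on_exit() {
  local rc=$?
  rm -rf -- "${WHITELIST_DIR:?}" "${KEYTAB_DIR:?}"
  if [[ ${rc} -eq 0 ]]; then
    echo "SUCCESS"
  else
    echo "FAILED"
  fi
}

trap on_exit EXIT
main "$@" 2>&1
ret_code=$?
exit "${ret_code}"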
kdc_kmc_encrypt_kt_client.sh
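#!/bin/bash
# ***********************************************************************
# Copyright: (c) Huawei Technologies Co., Ltd. 2021. All rights reserved.
# script for building kdc kmc encrypt keytab
# version: 1.0.0
# change log:
# ***********************************************************************
#
# Encrypts the plaintext krb5-client.keytab placed next to this script with
# kmc_tool and then deletes the plaintext copy. kdc_distribute.sh pushes it
# to each node and runs it there as the Spark user via "su -", so OCK_HOME
# and OCK_VERSION are expected to come from that user's ~/.bashrc.
set -e
set +x   # never trace: the tool arguments and keytab path stay out of logs

LOCAL_DIR=$(cd "$(dirname "$0")" && pwd)   # directory of this script
HFAIL=1
HOK=0
GREP=/bin/grep

# ~/.bashrc may contain commands that fail in a non-interactive shell; do
# not let them abort the script.
set +e
# shellcheck disable=SC1090
source ~/.bashrc
set -e

# Fail with a clear message instead of a "command not found" later on.
: "${OCK_HOME:?OCK_HOME must be set (expected from ~/.bashrc)}"
: "${OCK_VERSION:?OCK_VERSION must be set (expected from ~/.bashrc)}"

KMC_LIB_PATH="${OCK_HOME}/ucache/${OCK_VERSION}/linux-$(arch)/lib/common"
KMC_TOOL="${OCK_HOME}/ucache/${OCK_VERSION}/linux-$(arch)/bin/kmc_tool"
# kmc_tool <mode> --fileEncrypt <file>; the numeric mode is taken from the
# constant names (2 = server keytab, 3 = client keytab).
KEYTAB_SERVER_ENCRYPT="2 --fileEncrypt"
KEYTAB_CLIENT_ENCRYPT="3 --fileEncrypt"

#######################################
# Encrypt krb5-client.keytab in LOCAL_DIR and remove the plaintext file.
# Globals:  KMC_LIB_PATH KMC_TOOL KEYTAB_CLIENT_ENCRYPT LOCAL_DIR
# Returns:  HOK on success; HFAIL when encryption or the removal fails
#           (the plaintext keytab is removed in the failure case too)
#######################################
function kmc_encrypt_keytab() {
  local keytab="${LOCAL_DIR}/krb5-client.keytab"
  export LD_LIBRARY_PATH="${KMC_LIB_PATH}"
  # "if !" instead of a "$?" check after the call: under set -e the original
  # check was never reached, so the cleanup below never ran on failure.
  # shellcheck disable=SC2086 -- mode and flag are two words on purpose
  if ! "${KMC_TOOL}" ${KEYTAB_CLIENT_ENCRYPT} "${keytab}"; then
    echo "kmc encrypt failed"
    rm -rf -- "${keytab}"
    return ${HFAIL}
  fi
  if ! rm -rf -- "${keytab}"; then
    echo "rm krb5-client.keytab failed"
    return ${HFAIL}
  fi
  return ${HOK}
}

function main() {
  kmc_encrypt_keytab
}

ret_code=0
# "|| ret_code=$?" keeps the failure status so FAILED is reported instead
# of set -e aborting silently; every step in kmc_encrypt_keytab checks its
# own status, so nothing is lost by running it in a || list.
main "$@" 2>&1 || ret_code=$?
if [[ ${ret_code} -eq 0 ]]; then
  echo "SUCCESS"
else
  echo "FAILED"
fi
exit "${ret_code}"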
kdc_kmc_encrypt_kt_server.sh
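#!/bin/bash
# ***********************************************************************
# Copyright: (c) Huawei Technologies Co., Ltd. 2021. All rights reserved.
# script for building kdc kmc encrypt keytab
# version: 1.0.0
# change log:
# ***********************************************************************
#
# Encrypts the plaintext krb5-server.keytab placed next to this script with
# kmc_tool and then deletes the plaintext copy. kdc_distribute.sh pushes it
# to each node and runs it there as the run user via "su -", so OCK_HOME
# and OCK_VERSION are expected to come from that user's ~/.bashrc.
set -e
set +x   # never trace: the tool arguments and keytab path stay out of logs

LOCAL_DIR=$(cd "$(dirname "$0")" && pwd)   # directory of this script
HFAIL=1
HOK=0
GREP=/bin/grep

# ~/.bashrc may contain commands that fail in a non-interactive shell; do
# not let them abort the script.
set +e
# shellcheck disable=SC1090
source ~/.bashrc
set -e

# Fail with a clear message instead of a "command not found" later on.
: "${OCK_HOME:?OCK_HOME must be set (expected from ~/.bashrc)}"
: "${OCK_VERSION:?OCK_VERSION must be set (expected from ~/.bashrc)}"

KMC_LIB_PATH="${OCK_HOME}/ucache/${OCK_VERSION}/linux-$(arch)/lib/common"
KMC_TOOL="${OCK_HOME}/ucache/${OCK_VERSION}/linux-$(arch)/bin/kmc_tool"
# kmc_tool <mode> --fileEncrypt <file>; the numeric mode is taken from the
# constant names (2 = server keytab, 3 = client keytab).
KEYTAB_SERVER_ENCRYPT="2 --fileEncrypt"
KEYTAB_CLIENT_ENCRYPT="3 --fileEncrypt"

#######################################
# Encrypt krb5-server.keytab in LOCAL_DIR and remove the plaintext file.
# Globals:  KMC_LIB_PATH KMC_TOOL KEYTAB_SERVER_ENCRYPT LOCAL_DIR
# Returns:  HOK on success; HFAIL when encryption or the removal fails
#           (the plaintext keytab is removed in the failure case too)
#######################################
function kmc_encrypt_keytab() {
  local keytab="${LOCAL_DIR}/krb5-server.keytab"
  export LD_LIBRARY_PATH="${KMC_LIB_PATH}"
  # "if !" instead of a "$?" check after the call: under set -e the original
  # check was never reached, so the cleanup below never ran on failure.
  # shellcheck disable=SC2086 -- mode and flag are two words on purpose
  if ! "${KMC_TOOL}" ${KEYTAB_SERVER_ENCRYPT} "${keytab}"; then
    echo "kmc encrypt failed"
    rm -rf -- "${keytab}"
    return ${HFAIL}
  fi
  if ! rm -rf -- "${keytab}"; then
    echo "rm krb5-server.keytab failed"
    return ${HFAIL}
  fi
  return ${HOK}
}

function main() {
  kmc_encrypt_keytab
}

ret_code=0
# "|| ret_code=$?" keeps the failure status so FAILED is reported instead
# of set -e aborting silently; every step in kmc_encrypt_keytab checks its
# own status, so nothing is lost by running it in a || list.
main "$@" 2>&1 || ret_code=$?
if [[ ${ret_code} -eq 0 ]]; then
  echo "SUCCESS"
else
  echo "FAILED"
fi
exit "${ret_code}"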
kdc_kmc_encrypt_wt.sh
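#!/bin/bash
# ***********************************************************************
# Copyright: (c) Huawei Technologies Co., Ltd. 2021. All rights reserved.
# script for building kdc kmc encrypt whitelist
# version: 1.0.0
# change log:
# ***********************************************************************
#
# Encrypts the plaintext authorization whitelist placed next to this script
# with kmc_tool and then deletes the plaintext copy. kdc_distribute.sh
# pushes it to each node and runs it there as the run user via "su -", so
# OCK_HOME and OCK_VERSION are expected to come from that user's ~/.bashrc.
set -e
set +x   # never trace: the tool arguments and file path stay out of logs

LOCAL_DIR=$(cd "$(dirname "$0")" && pwd)   # directory of this script
HFAIL=1
HOK=0
GREP=/bin/grep

# ~/.bashrc may contain commands that fail in a non-interactive shell; do
# not let them abort the script.
set +e
# shellcheck disable=SC1090
source ~/.bashrc
set -e

# Fail with a clear message instead of a "command not found" later on.
: "${OCK_HOME:?OCK_HOME must be set (expected from ~/.bashrc)}"
: "${OCK_VERSION:?OCK_VERSION must be set (expected from ~/.bashrc)}"

KMC_LIB_PATH="${OCK_HOME}/ucache/${OCK_VERSION}/linux-$(arch)/lib/common"
KMC_TOOL="${OCK_HOME}/ucache/${OCK_VERSION}/linux-$(arch)/bin/kmc_tool"
# kmc_tool <mode> --fileEncrypt <file>; mode 1 is the whitelist mode,
# going by the constant name.
WHITELIST_ENCRYPT="1 --fileEncrypt"

#######################################
# Encrypt the whitelist file in LOCAL_DIR and remove the plaintext file.
# Globals:  KMC_LIB_PATH KMC_TOOL WHITELIST_ENCRYPT LOCAL_DIR
# Returns:  HOK on success; HFAIL when encryption or the removal fails
#           (the plaintext whitelist is removed in the failure case too)
#######################################
function kmc_encrypt_whitelist() {
  local whitelist="${LOCAL_DIR}/whitelist"
  export LD_LIBRARY_PATH="${KMC_LIB_PATH}"
  # "if !" instead of a "$?" check after the call: under set -e the original
  # check was never reached, so the cleanup below never ran on failure.
  # shellcheck disable=SC2086 -- mode and flag are two words on purpose
  if ! "${KMC_TOOL}" ${WHITELIST_ENCRYPT} "${whitelist}"; then
    echo "kmc encrypt failed"
    rm -rf -- "${whitelist}"
    return ${HFAIL}
  fi
  if ! rm -rf -- "${whitelist}"; then
    echo "rm whitelist failed"
    return ${HFAIL}
  fi
  return ${HOK}
}

function main() {
  kmc_encrypt_whitelist
}

ret_code=0
# "|| ret_code=$?" keeps the failure status so FAILED is reported instead
# of set -e aborting silently; every step in kmc_encrypt_whitelist checks
# its own status, so nothing is lost by running it in a || list.
main "$@" 2>&1 || ret_code=$?
if [[ ${ret_code} -eq 0 ]]; then
  echo "SUCCESS"
else
  echo "FAILED"
fi
exit "${ret_code}"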
kdc_kmc_encrypt_zookeeper_kt.sh
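#!/bin/bash
# ***********************************************************************
# Copyright: (c) Huawei Technologies Co., Ltd. 2021. All rights reserved.
# script for building kdc kmc encrypt zookeeper keytab
# version: 1.0.0
# change log:
# ***********************************************************************
#
# Encrypts the plaintext zookeeper.keytab placed next to this script with
# kmc_tool and then deletes the plaintext copy. kdc_distribute.sh pushes it
# to each node and runs it there as the ZooKeeper user via "su -", so
# OCK_HOME and OCK_VERSION are expected to come from that user's ~/.bashrc.
set -e
set +x   # never trace: the tool arguments and keytab path stay out of logs

LOCAL_DIR=$(cd "$(dirname "$0")" && pwd)   # directory of this script
HFAIL=1
HOK=0
GREP=/bin/grep

# ~/.bashrc may contain commands that fail in a non-interactive shell; do
# not let them abort the script.
set +e
# shellcheck disable=SC1090
source ~/.bashrc
set -e

# Fail with a clear message instead of a "command not found" later on.
: "${OCK_HOME:?OCK_HOME must be set (expected from ~/.bashrc)}"
: "${OCK_VERSION:?OCK_VERSION must be set (expected from ~/.bashrc)}"

KMC_LIB_PATH="${OCK_HOME}/ucache/${OCK_VERSION}/linux-$(arch)/lib/common"
KMC_TOOL="${OCK_HOME}/ucache/${OCK_VERSION}/linux-$(arch)/bin/kmc_tool"
# kmc_tool <mode> --fileEncrypt <file>; the numeric mode is taken from the
# constant names (2 = server keytab, 3 = client keytab). The zookeeper
# keytab is encrypted in server mode, as in the original.
KEYTAB_SERVER_ENCRYPT="2 --fileEncrypt"
KEYTAB_CLIENT_ENCRYPT="3 --fileEncrypt"

#######################################
# Encrypt zookeeper.keytab in LOCAL_DIR and remove the plaintext file.
# Globals:  KMC_LIB_PATH KMC_TOOL KEYTAB_SERVER_ENCRYPT LOCAL_DIR
# Returns:  HOK on success; HFAIL when encryption or the removal fails
#           (the plaintext keytab is removed in the failure case too)
#######################################
function kmc_encrypt_keytab() {
  local keytab="${LOCAL_DIR}/zookeeper.keytab"
  export LD_LIBRARY_PATH="${KMC_LIB_PATH}"
  # "if !" instead of a "$?" check after the call: under set -e the original
  # check was never reached, so the cleanup below never ran on failure.
  # shellcheck disable=SC2086 -- mode and flag are two words on purpose
  if ! "${KMC_TOOL}" ${KEYTAB_SERVER_ENCRYPT} "${keytab}"; then
    echo "kmc encrypt failed"
    rm -rf -- "${keytab}"
    return ${HFAIL}
  fi
  if ! rm -rf -- "${keytab}"; then
    echo "rm zookeeper.keytab failed"
    return ${HFAIL}
  fi
  return ${HOK}
}

function main() {
  kmc_encrypt_keytab
}

ret_code=0
# "|| ret_code=$?" keeps the failure status so FAILED is reported instead
# of set -e aborting silently; every step in kmc_encrypt_keytab checks its
# own status, so nothing is lost by running it in a || list.
main "$@" 2>&1 || ret_code=$?
if [[ ${ret_code} -eq 0 ]]; then
  echo "SUCCESS"
else
  echo "FAILED"
fi
exit "${ret_code}"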