Virtual box specific fixes.

README.md

@@ -1,4 +1,54 @@
-storm-vagrant
-=============
+# Storm Security Vagrant setup
 
-Vagrant config to create a virtualized Storm cluster
+This project contains vagrant and additional configs to run storm security cluster.
+It will spin up 4 vms with kerberos and storm cluster running.
+
+### requirements
++ Vagrant 
++ Virtual box
++ wget 
+
+### Install
++ git clone git@github.com:harshach/storm-vagrant.git; git checkout -b security origin/security
++ vagrant up
+
+### SSH
++ vagrant ssh hostname (nimbus,zookeeper, supervisor1 etcc..)
+
+### VM Hosts
++ zookeeper (zookeeper.withend.com, kdc.witzend.com)  
+	This host runs both zookeeper and kerberos. 
++ nimbus ( nimbus.witzend.com )  
+	This host runs nimbus , ui, drpc-server. 
+	To start or stop services run sudo supervisorctl.
++ supervisor1( supervisor1.witzend.com )  
+    This host runs supervisor dameon. use supervisorctl to start/stop.
++ supervisor2 (supervisor2.witzend.com)  
+	 This host runs supervisor daemon. use supervisorctl to start/stop.
+
+### Kerberos Keytabs
++ all the keytabs generated during the install are stored /vagrant/keytabs(storm-vagrant/keytabs)
++ nimbus runs with /vagrant/storm_jaas.conf
++ There are testuser1, testuser2 users created for submitting topologies
++ To submit a topology  
+	+ vagrant ssh nimbus
+	+ sudo su testuser1
+	+ storm jar topology
+
+### Storm UI
++ Storm UI is configured to run with hadoop-auth authentication filter
++ To access storm UI from your host
++ copy storm-vagrant/kerberos/krb5.conf /etc/krb5.conf
++ Add nimbus ip to your /etc/hosts . In this case it would be  
+   192.168.202.4 nimbus.witzend.com
++ Open firefox goto about:config 
+  search for network.negotiate-auth.allow-proxies and set it true  
+  network.negotiate-auth.allow-non-fqdn set it true  
+  network.negotiate-auth.trusted-uris set it to http://nimbus.witzend.com:8080 
++ run kinit -k -t storm-vagrant/keytabs/testuser1.keytab testuser1/nimbus.witzend.com
++ you'll be logged into nimbus as testuser1
+
+### wordcount topology
++ vagrant ssh nimbus
++ sudo su testuser1
++ storm jar /usr/share/storm/examples/storm-starter/storm-starter-topologies-0.9.3-incubating-SNAPSHOT.jar storm.starter.WordCountTopology wordcount

Vagrantfile

@@ -8,7 +8,7 @@ require 'uri'
 # if the file is not already in the same directory as the Vagrantfile.
 # to supply a custom build, drop it next to the Vagrantfile and make sure the file name
 # matches the file in the URL.
-STORM_DIST_URL = "https://people.apache.org/~ptgoetz/storm/security/apache-storm-0.9.2-incubating-SNAPSHOT.zip"
+STORM_DIST_URL = "https://people.apache.org/~ptgoetz/storm/security/apache-storm-0.9.3-incubating-SNAPSHOT.zip"
 
 STORM_SUPERVISOR_COUNT = 2
 STORM_BOX_TYPE = "hashicorp/precise64"
@@ -22,11 +22,10 @@ VAGRANTFILE_API_VERSION = "2"
 Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
 
   config.vm.box = STORM_BOX_TYPE
-
   if(!File.exist?(STORM_ARCHIVE))
     `wget -N #{STORM_DIST_URL}`
   end
-  
+
   config.vm.define "zookeeper" do |node|
     ip = "192.168.202.3"
     node.vm.network "private_network", ip: ip
@@ -35,7 +34,6 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
     node.vm.provision "shell", path: "bind/install-bind.sh"
     node.vm.provision "shell", path: "kerberos/install-kdc.sh"
     node.vm.provision "shell", path: "zookeeper/install-zookeeper.sh"
-
     node.vm.provider "vmware_fusion" do |v|
       v.vmx["memsize"] = "1024"
       #v.vmx["numvcpus"] = "2"
@@ -47,12 +45,11 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
     node.vm.network "private_network", ip: ip
     node.vm.hostname = "nimbus"
     node.vm.provision "shell", inline: "apt-get update"
-    node.vm.provision "shell", path: "install-storm.sh", args: [STORM_VERSION, "localhost"]
+    node.vm.provision "shell", path: "install-storm.sh", args: [STORM_VERSION, "localhost", "nimbus.witzend.com", "nimbus"]
     node.vm.provision "shell", path: "config-supervisord.sh", args: "nimbus"
     node.vm.provision "shell", path: "config-supervisord.sh", args: "ui"
     node.vm.provision "shell", path: "config-supervisord.sh", args: "drpc"
     node.vm.provision "shell", path: "start-supervisord.sh"
-
   end
 
   (1..STORM_SUPERVISOR_COUNT).each do |n|
@@ -61,11 +58,15 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
       node.vm.network "private_network", ip: ip
       node.vm.hostname = "supervisor#{n}"
       node.vm.provision "shell", inline: "apt-get update"
-      node.vm.provision "shell", path: "install-storm.sh", args: [STORM_VERSION, "localhost"]
+      node.vm.provision "shell", path: "install-storm.sh", args: [STORM_VERSION, "localhost", "supervisor#{n}.witzend.com", "supervisor#{n}"]
       node.vm.provision "shell", path: "config-supervisord.sh", args: "supervisor"
       node.vm.provision "shell", path: "config-supervisord.sh", args: "logviewer"
       node.vm.provision "shell", path: "start-supervisord.sh"
-
     end
-  end  
+  end
+  # on virutalbox /vagrant/keytabs doesn't have permissions for the respective users
+  config.vm.synced_folder ".", "/vagrant", :mount_options => ["dmode=777","fmode=664"]
+  config.vm.provider :virtualbox do |v|
+      v.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]
+  end
 end

bind/bind9_default

@@ -0,0 +1,5 @@
+# run resolvconf?
+RESOLVCONF=yes
+
+# startup options for the server
+OPTIONS="-4 -u bind"

bind/install-bind.sh

@@ -5,4 +5,7 @@ cp /vagrant/bind/rev.202.168.192.in-addr.arpa /etc/bind/rev.202.168.192.in-addr.
 cp /vagrant/bind/named.conf.local /etc/bind/named.conf.local
 cp /vagrant/bind/named.conf.options /etc/bind/named.conf.options
 
-/etc/init.d/bind9 restart
+cp /vagrant/bind/sysctl.conf /etc/sysctl.conf
+sysctl -p
+
+/etc/init.d/bind9 restart

bind/sysctl.conf

@@ -0,0 +1,63 @@
+#
+# /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additional system variables
+# See sysctl.conf (5) for information.
+#
+
+#kernel.domainname = example.com
+
+# Uncomment the following to stop low-level messages on console
+#kernel.printk = 3 4 1 3
+
+##############################################################3
+# Functions previously found in netbase
+#
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+#net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
+
+# Uncomment the next line to enable TCP/IP SYN cookies
+# See http://lwn.net/Articles/277146/
+# Note: This may impact IPv6 TCP sessions too
+#net.ipv4.tcp_syncookies=1
+
+# Uncomment the next line to enable packet forwarding for IPv4
+#net.ipv4.ip_forward=1
+
+# Uncomment the next line to enable packet forwarding for IPv6
+#  Enabling this option disables Stateless Address Autoconfiguration
+#  based on Router Advertisements for this host
+#net.ipv6.conf.all.forwarding=1
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+#
+
+net.ipv6.conf.all.disable_ipv6 = 1
+net.ipv6.conf.default.disable_ipv6 = 1
+net.ipv6.conf.lo.disable_ipv6 = 1

dhclient.conf

@@ -0,0 +1,55 @@
+# Configuration file for /sbin/dhclient, which is included in Debian's
+#	dhcp3-client package.
+#
+# This is a sample configuration file for dhclient. See dhclient.conf's
+#	man page for more information about the syntax of this file
+#	and a more comprehensive list of the parameters understood by
+#	dhclient.
+#
+# Normally, if the DHCP server provides reasonable information and does
+#	not leave anything out (like the domain name, for example), then
+#	few changes must be made to this file, if any.
+#
+
+option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
+
+send host-name "<hostname>";
+#send dhcp-client-identifier 1:0:a0:24:ab:fb:9c;
+#send dhcp-lease-time 3600;
+supersede domain-name "witzend.com";
+prepend domain-name-servers 192.168.202.3;
+request subnet-mask, broadcast-address, time-offset, routers,
+	domain-name, domain-name-servers, domain-search, host-name,
+	netbios-name-servers, netbios-scope, interface-mtu,
+	rfc3442-classless-static-routes, ntp-servers,
+	dhcp6.domain-search, dhcp6.fqdn,
+	dhcp6.name-servers, dhcp6.sntp-servers;
+#require subnet-mask, domain-name-servers;
+#timeout 60;
+#retry 60;
+#reboot 10;
+#select-timeout 5;
+#initial-interval 2;
+#script "/etc/dhcp3/dhclient-script";
+#media "-link0 -link1 -link2", "link0 link1";
+#reject 192.33.137.209;
+
+#alias {
+#  interface "eth0";
+#  fixed-address 192.5.5.213;
+#  option subnet-mask 255.255.255.255;
+#}
+
+#lease {
+#  interface "eth0";
+#  fixed-address 192.33.137.200;
+#  medium "link0 link1";
+#  option host-name "andare.swiftmedia.com";
+#  option subnet-mask 255.255.255.0;
+#  option broadcast-address 192.33.137.255;
+#  option routers 192.33.137.250;
+#  option domain-name-servers 127.0.0.1;
+#  renew 2 2000/1/12 00:00:01;
+#  rebind 2 2000/1/12 00:00:01;
+#  expire 2 2000/1/12 00:00:01;
+#}

install-storm.sh

@@ -1,15 +1,26 @@
 echo "127.0.0.1	localhost" > /etc/hosts
+echo "127.0.1.1	$3 $4" >> /etc/hosts
 cp /vagrant/krb5.conf /etc/
 
 cp /vagrant/resolvconf_base.txt /etc/resolvconf/resolv.conf.d/base
+cp /vagrant/dhclient.conf /etc/dhcp/
 resolvconf -u
+/etc/init.d/networking restart
 
 apt-get install -y supervisor unzip openjdk-7-jdk krb5-user
 
 /etc/init.d/supervisor stop
 
 groupadd storm
 useradd --gid storm --home-dir /home/storm --create-home --shell /bin/bash storm
+useradd --gid storm --home-dir /home/testuser1 --create-home --shell /bin/bash testuser1
+useradd --gid storm --home-dir /home/testuser2 --create-home --shell /bin/bash testuser2
+
+mkdir /home/testuser1/.storm
+cp /vagrant/testuser1_storm.yaml /home/testuser1/.storm/storm.yaml
+
+mkdir /home/testuser2/.storm
+cp /vagrant/testuser2_storm.yaml /home/testuser2/.storm/storm.yaml
 
 unzip -o /vagrant/$1.zip -d /usr/share/
 chown -R storm:storm /usr/share/$1
@@ -22,7 +33,7 @@ chown storm:storm /etc/storm
 rm /usr/share/storm/conf/storm.yaml
 cp /vagrant/storm.yaml /usr/share/storm/conf/
 cp /vagrant/cluster.xml /usr/share/storm/logback/
-ln -s /usr/share/storm/conf/storm.yaml /etc/storm/storm.yaml 
+ln -s /usr/share/storm/conf/storm.yaml /etc/storm/storm.yaml
 
 mkdir /var/log/storm
 chown storm:storm /var/log/storm

kerberos/install-kdc.sh

@@ -18,11 +18,25 @@ sudo /usr/sbin/kadmin.local -q "ktadd -k /tmp/zk.keytab  zookeeper/zookeeper.wit
 # Nimbus
 sudo /usr/sbin/kadmin.local -q 'addprinc -randkey nimbus/nimbus.witzend.com@WITZEND.COM'
 sudo /usr/sbin/kadmin.local -q "ktadd -k /tmp/storm.keytab nimbus/nimbus.witzend.com@WITZEND.COM"
+# UI
+sudo /usr/sbin/kadmin.local -q 'addprinc -randkey HTTP/nimbus.witzend.com@WITZEND.COM'
+sudo /usr/sbin/kadmin.local -q "ktadd -k /tmp/http.keytab HTTP/nimbus.witzend.com@WITZEND.COM"
+
 # All UI and Supervisors
 sudo /usr/sbin/kadmin.local -q 'addprinc -pw storm storm@WITZEND.COM'
 sudo /usr/sbin/kadmin.local -q 'change_password -pw storm storm@WITZEND.COM'
 sudo /usr/sbin/kadmin.local -q "ktadd -k /tmp/storm.keytab storm@WITZEND.COM"
 
+# user to submit topologies
+sudo /usr/sbin/kadmin.local -q 'addprinc -randkey testuser1/nimbus.witzend.com@WITZEND.COM'
+sudo /usr/sbin/kadmin.local -q "ktadd -k /tmp/testuser1.keytab testuser1/nimbus.witzend.com@WITZEND.COM"
+
+sudo /usr/sbin/kadmin.local -q 'addprinc -randkey testuser2/nimbus.witzend.com@WITZEND.COM'
+sudo /usr/sbin/kadmin.local -q "ktadd -k /tmp/testuser2.keytab testuser2/nimbus.witzend.com@WITZEND.COM"
+
 mkdir /vagrant/keytabs
 cp /tmp/storm.keytab /vagrant/keytabs/
-cp /tmp/zk.keytab /vagrant/keytabs/
+cp /tmp/zk.keytab /vagrant/keytabs/
+cp /tmp/http.keytab /vagrant/keytabs/
+cp /tmp/testuser1.keytab /vagrant/keytabs/
+cp /tmp/testuser2.keytab /vagrant/keytabs/

kerberos/kdc.conf

@@ -15,7 +15,6 @@
         max_life = 10h 0m 0s
         max_renewable_life = 7d 0h 0m 0s
         master_key_type = des3-hmac-sha1
-        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
+        #supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
         default_principal_flags = +preauth
     }
-

kerberos/krb5.conf

@@ -9,7 +9,9 @@
 	forwardable = true
 	proxiable = true
 	udp_preference_limit = 1
-
+        default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc aes256-cts-hmac-sha1-96
+        default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc aes256-cts-hmac-sha1-96
+        permitted_enctypes   = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc aes256-cts-hmac-sha1-96
 # The following encryption type specification will be used by MIT Kerberos
 # if uncommented.  In general, the defaults in the MIT Kerberos code are
 # correct and overriding these specifications only serves to disable new

storm.yaml

@@ -7,11 +7,26 @@ nimbus.host: "nimbus"
 drpc.servers:
   - "nimbus"
 
+#supervisor.run.worker.as.user: true
+#topology.storm.user: "storm"
+nimbus.authorizer: "backtype.storm.security.auth.authorizer.SimpleACLAuthorizer"
 storm.thrift.transport: "backtype.storm.security.auth.kerberos.KerberosSaslTransportPlugin"
 java.security.auth.login.config: "/vagrant/storm_jaas.conf"
 storm.principal.tolocal: "backtype.storm.security.auth.KerberosPrincipalToLocal"
 storm.zookeeper.superACL: "sasl:storm"
 
+nimbus.admins:
+  - "storm"
+nimbus.supervisor.users:
+  - "storm"
+
 nimbus.childopts: "-Xmx1024m -Djavax.net.debug=ssl -Dsun.security.krb5.debug=true -Djava.security.auth.login.config=/vagrant/storm_jaas.conf -Djava.security.krb5.realm=WITZEND.COM -Djava.security.krb5.kdc=kdc.witzend.com"
 ui.childopts: "-Xmx768m -Djavax.net.debug=ssl -Dsun.security.krb5.debug=true -Djava.security.auth.login.config=/vagrant/storm_jaas.conf -Djava.security.krb5.realm=WITZEND.COM -Djava.security.krb5.kdc=kdc.witzend.com"
 supervisor.childopts: "-Xmx256m -Djavax.net.debug=ssl -Dsun.security.krb5.debug=true -Djava.security.auth.login.config=/vagrant/storm_jaas.conf -Djava.security.krb5.realm=WITZEND.COM -Djava.security.krb5.kdc=kdc.witzend.com"
+
+ui.filter: "org.apache.hadoop.security.authentication.server.AuthenticationFilter"
+ui.filter.params:
+   "type": "kerberos"
+   "kerberos.principal": "HTTP/nimbus.witzend.com"
+   "kerberos.keytab": "/vagrant/keytabs/http.keytab"
+   "kerberos.name.rules": "RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/$MAPRED_USER/ RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/$HDFS_USER/DEFAULT"

storm_jaas.conf

@@ -34,4 +34,4 @@ Server {
    useTicketCache=false
    serviceName="zookeeper"
    principal="zookeeper/zookeeper.witzend.com@WITZEND.COM";
-};
+};

testuser1_jaas.conf

@@ -0,0 +1,10 @@
+StormClient {
+   com.sun.security.auth.module.Krb5LoginModule required
+   useKeyTab=true
+   keyTab="/vagrant/keytabs/testuser1.keytab"
+   storeKey=true
+   useTicketCache=false
+   serviceName="nimbus"
+   debug=true
+   principal="testuser1/nimbus.witzend.com@WITZEND.COM";
+};