From aad4bdb38ae12682c521011c97277efd5b51f848 Mon Sep 17 00:00:00 2001 From: Chuck Levesque Date: Wed, 5 Apr 2023 01:14:24 -0400 Subject: [PATCH 01/10] ECS changes add ecs_accounts to be distinct from default_accounts no longer import rpm package postgresxx-devel to avoid dependency on epel repo rpm perl-IPC-Run in rhel8 remove ecs db schemas from general list of default db's..as external db is deprecated in ecs process ecs tls acls separately from base support Postgresql 12 & higher support MySQL8 Signed-off-by: Chuck Levesque Signed-off-by: Chuck Levesque --- .../cloudera_manager/common/defaults/main.yml | 2 +- roles/config/services/mgmt/tasks/main.yml | 6 +- roles/deployment/databases/tasks/mysql.yml | 44 ++++ roles/deployment/definition/defaults/main.yml | 197 +++++++++--------- .../rdbms/tasks/mysql-RedHat.yml | 36 ++++ .../rdbms/templates/cloudera.cnf | 7 +- .../rdbms/vars/mysql-RedHat.yml | 19 ++ roles/infrastructure/rdbms/vars/mysql.yml | 23 ++ .../rdbms/vars/postgresql-RedHat.yml | 5 +- .../local_accounts_common/defaults/main.yml | 11 +- .../prereqs/mysql_connector/defaults/main.yml | 8 +- roles/prereqs/mysql_connector/tasks/main.yml | 11 +- roles/prereqs/pvc_ecs/tasks/main.yml | 65 +++--- .../pvc_ecs/templates/networkmanager-conf.j2 | 2 + .../tls_generate_csr/tasks/acls-ecs.yml | 158 ++++++++++++++ .../security/tls_generate_csr/tasks/main.yml | 7 +- roles/teardown/tasks/teardown_ecs.yml | 13 +- 17 files changed, 467 insertions(+), 147 deletions(-) create mode 100644 roles/deployment/databases/tasks/mysql.yml create mode 100644 roles/infrastructure/rdbms/tasks/mysql-RedHat.yml create mode 100644 roles/infrastructure/rdbms/vars/mysql-RedHat.yml create mode 100644 roles/infrastructure/rdbms/vars/mysql.yml create mode 100644 roles/prereqs/pvc_ecs/templates/networkmanager-conf.j2 create mode 100644 roles/security/tls_generate_csr/tasks/acls-ecs.yml 
diff --git a/roles/cloudera_manager/common/defaults/main.yml b/roles/cloudera_manager/common/defaults/main.yml index c2afd83d..798636d8 100644 --- a/roles/cloudera_manager/common/defaults/main.yml +++ b/roles/cloudera_manager/common/defaults/main.yml @@ -27,6 +27,6 @@ cloudera_manager_database_type: "{{ database_type }}" cloudera_manager_database_name: scm cloudera_manager_database_user: scm cloudera_manager_database_password: changeme -cloudera_manager_database_port: "{{ database_port | cloudera.cluster.default_database_port }}" +cloudera_manager_database_port: "{{ database_type | cloudera.cluster.default_database_port }}" cloudera_manager_agent_lib_directory: /var/lib/cloudera-scm-agent cloudera_manager_cmf_java_opts_default: "-Xmx4G -XX:MaxPermSize=256m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp" diff --git a/roles/config/services/mgmt/tasks/main.yml b/roles/config/services/mgmt/tasks/main.yml index 327e1f75..0d4ee67a 100644 --- a/roles/config/services/mgmt/tasks/main.yml +++ b/roles/config/services/mgmt/tasks/main.yml @@ -1,4 +1,4 @@ -# Copyright 2021 Cloudera, Inc. +# Copyright 2023 Cloudera, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,7 +17,7 @@ # This variable is used by other roles # please take care when changing it - set_fact: - databases: "{{ database_defaults | combine(definition.mgmt.databases | default({}), recursive=True) }}" + databases: "{{ databases_cm_svcs | combine(definition.mgmt.databases | default({}), recursive=True) }}" - name: Reset custom configuration dictionary set_fact: @@ -35,4 +35,4 @@ # please take care when changing it - name: Merge custom configurations set_fact: - merged_configs: "{{ custom_configs | combine(definition.mgmt.configs | default({}), recursive=True) }}" + merged_configs: "{{ custom_configs | combine(definition.mgmt.configs | default({}), recursive=True) }}" \ No newline at end of file 
diff --git a/roles/deployment/databases/tasks/mysql.yml b/roles/deployment/databases/tasks/mysql.yml new file mode 100644 index 00000000..8e789cf8 --- /dev/null +++ b/roles/deployment/databases/tasks/mysql.yml @@ -0,0 +1,44 @@ +# Copyright 2023 Cloudera, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- + +- name: Create databases + mysql_db: + name: "{{ databases[service].name }}" + encoding: "{{ service | cloudera.cluster.get_database_encoding_mysql }}" + collation: "{{ service | cloudera.cluster.get_database_collation_mysql }}" + become: yes + loop: "{{ databases }}" + loop_control: + loop_var: service + delegate_to: "{{ databases[service].host }}" + connection: ssh + when: databases[service].host in groups.db_server + +- name: Create database users + mysql_user: + name: "{{ databases[service].user }}" + password: "{{ databases[service].password }}" + update_password: always + host: '%' + priv: "{{ databases[service].name }}.*:ALL" + no_log: yes + become: yes + loop: "{{ databases }}" + loop_control: + loop_var: service + delegate_to: "{{ databases[service].host }}" + connection: ssh + when: databases[service].host in groups.db_server diff --git a/roles/deployment/definition/defaults/main.yml b/roles/deployment/definition/defaults/main.yml index 34587fa2..57715363 100644 --- a/roles/deployment/definition/defaults/main.yml +++ b/roles/deployment/definition/defaults/main.yml 
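Review bot: The `mysql_user` task in `Create database users` grants `ALL` on the service schema to `host: '%'`, so the account is accepted from any source address that can reach the database port rather than only from the hosts that run the service. The consuming hosts are known to the playbook, so the pattern should be a variable with the wildcard only as a fallback, e.g. `host: "{{ databases[service].client_host | default('%') }}"` (a new key, not present in the definition defaults), and the reason for any remaining wildcard documented in a comment above the task. `update_password: always` with `no_log: yes` is fine for rotation, but it means the task reports changed on every run; `update_password: on_create` is the idempotent alternative if rotation is not intended here.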
@@ -1,4 +1,4 @@ -# Copyright 2021 Cloudera, Inc. +# Copyright 2023 Cloudera, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,6 +27,9 @@ default_database_versions: mariadb: '7': 10.2 '8': 10.2 + mysql: + '7': 5.7 + '8': 8.0 # Located in cloudera.cluster.infrastructure.krb5_common #krb5_realm: CLOUDERA.LOCAL 
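Review bot: In the `default_database_versions.mysql` entries added at `@@ -27,6 +27,9 @@`, `5.7` and `8.0` are plain scalars and parse as floats, so a future value such as `8.10` would silently become `8.1` before `replace('.','')` builds the repository RPM name in mysql-RedHat.yml. Quoting them as strings, `'7': '5.7'` and `'8': '8.0'`, matches the already-quoted keys and keeps the `version()` tests in cloudera.cnf working unchanged; the existing `mariadb` entries above have the same exposure.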
@@ -39,196 +42,202 @@ manual_tls_cert_distribution: false local_temp_dir: '/tmp' database_defaults: - ACTIVITYMONITOR: + DAS: host: "{{ database_host }}" - port: "{{ database_port | cloudera.cluster.default_database_port }}" + port: "{{ database_type | cloudera.cluster.default_database_port }}" type: "{{ database_type }}" - name: amon - user: amon + name: das + user: das password: "{{ database_default_password }}" - ALERTS: + HIVE: host: "{{ database_host }}" port: "{{ database_type | cloudera.cluster.default_database_port }}" type: "{{ database_type }}" - name: db-alerts - user: db-alerts + name: metastore + user: hive password: "{{ database_default_password }}" - mode: "{{ cluster.ecs_database_mode | default('existing') }}" - CLASSIC_CLUSTERS: + HUE: host: "{{ database_host }}" port: "{{ database_type | cloudera.cluster.default_database_port }}" type: "{{ database_type }}" - name: classic-clusters - user: classic-clusters + name: hue + user: hue password: "{{ database_default_password }}" - mode: "{{ cluster.ecs_database_mode | default('existing') }}" - CLUSTER_ACCESS_MANAGER: + OOZIE: host: "{{ database_host }}" port: "{{ database_type | cloudera.cluster.default_database_port }}" type: "{{ database_type }}" - name: db-clusteraccessmanager - user: db-clusteraccessmanager + name: oozie + user: oozie password: "{{ database_default_password }}" - mode: "{{ cluster.ecs_database_mode | default('existing') }}" - CLUSTER_PROXY: + RANGER: host: "{{ database_host }}" port: "{{ database_type | cloudera.cluster.default_database_port }}" type: "{{ database_type }}" - name: cluster-proxy - user: cluster-proxy + name: ranger + user: rangeradmin password: "{{ database_default_password }}" - mode: "{{ cluster.ecs_database_mode | default('existing') }}" - DAS: + SCHEMAREGISTRY: host: "{{ database_host }}" - port: "{{ database_port | cloudera.cluster.default_database_port }}" + port: "{{ database_type | cloudera.cluster.default_database_port }}" type: "{{ database_type }}" - name: 
das - user: das + name: schemaregistry + user: schemaregistry password: "{{ database_default_password }}" - DEX: + SQL_STREAM_BUILDER: host: "{{ database_host }}" port: "{{ database_type | cloudera.cluster.default_database_port }}" type: "{{ database_type }}" - name: db-dex - user: db-dex + name: ssb_admin + user: ssb_admin password: "{{ database_default_password }}" - mode: "{{ cluster.ecs_database_mode | default('existing') }}" - DWX: + SQL_STREAM_BUILDER_MVE: host: "{{ database_host }}" port: "{{ database_type | cloudera.cluster.default_database_port }}" type: "{{ database_type }}" - name: db-dwx - user: db-dwx + name: ssb_mve + user: ssb_mve password: "{{ database_default_password }}" - mode: "{{ cluster.ecs_database_mode | default('existing') }}" - ENV: + STREAMS_MESSAGING_MANAGER: host: "{{ database_host }}" port: "{{ database_type | cloudera.cluster.default_database_port }}" type: "{{ database_type }}" - name: db-env - user: db-env + name: streamsmsgmgr + user: streamsmsgmgr password: "{{ database_default_password }}" - mode: "{{ cluster.ecs_database_mode | default('existing') }}" - HIVE: + SENTRY: host: "{{ database_host }}" - port: "{{ database_port | cloudera.cluster.default_database_port }}" + port: "{{ database_type | cloudera.cluster.default_database_port }}" type: "{{ database_type }}" - name: metastore - user: hive + name: sentry + user: sentry password: "{{ database_default_password }}" - HUE: + + QUERY_PROCESSOR: host: "{{ database_host }}" - port: "{{ database_port | cloudera.cluster.default_database_port }}" + port: "{{ database_type | cloudera.cluster.default_database_port }}" type: "{{ database_type }}" - name: hue - user: hue + name: queryprocessor + user: queryprocessor password: "{{ database_default_password }}" - LIFTIE: + +databases_cm_svcs: + ACTIVITYMONITOR: host: "{{ database_host }}" port: "{{ database_type | cloudera.cluster.default_database_port }}" type: "{{ database_type }}" - name: db-liftie - user: db-liftie + name: amon + user: 
amon password: "{{ database_default_password }}" - mode: "{{ cluster.ecs_database_mode | default('existing') }}" NAVIGATOR: host: "{{ database_host }}" - port: "{{ database_port | cloudera.cluster.default_database_port }}" + port: "{{ database_type | cloudera.cluster.default_database_port }}" type: "{{ database_type }}" name: nav user: nav password: "{{ database_default_password }}" NAVIGATORMETASERVER: host: "{{ database_host }}" - port: "{{ database_port | cloudera.cluster.default_database_port }}" + port: "{{ database_type | cloudera.cluster.default_database_port }}" type: "{{ database_type }}" name: navms user: navms password: "{{ database_default_password }}" - MLX: + REPORTSMANAGER: host: "{{ database_host }}" port: "{{ database_type | cloudera.cluster.default_database_port }}" type: "{{ database_type }}" - name: db-mlx - user: db-mlx + name: rman + user: rman password: "{{ database_default_password }}" - mode: "{{ cluster.ecs_database_mode | default('existing') }}" - OOZIE: + +# Deprecated in ecs 1.5.0 + +databases_ecs: + ALERTS: host: "{{ database_host }}" - port: "{{ database_port | cloudera.cluster.default_database_port }}" + port: "{{ database_type | cloudera.cluster.default_database_port }}" type: "{{ database_type }}" - name: oozie - user: oozie + name: db-alerts + user: db-alerts password: "{{ database_default_password }}" - RANGER: + mode: "{{ cluster.ecs_database_mode | default('existing') }}" + CLASSIC_CLUSTERS: host: "{{ database_host }}" - port: "{{ database_port | cloudera.cluster.default_database_port }}" + port: "{{ database_type | cloudera.cluster.default_database_port }}" type: "{{ database_type }}" - name: ranger - user: rangeradmin + name: classic-clusters + user: classic-clusters password: "{{ database_default_password }}" - REPORTSMANAGER: + mode: "{{ cluster.ecs_database_mode | default('existing') }}" + CLUSTER_ACCESS_MANAGER: host: "{{ database_host }}" - port: "{{ database_port | cloudera.cluster.default_database_port }}" + port: "{{ 
database_type | cloudera.cluster.default_database_port }}" type: "{{ database_type }}" - name: rman - user: rman + name: db-clusteraccessmanager + user: db-clusteraccessmanager password: "{{ database_default_password }}" - RESOURCEPOOL_MANAGER: + mode: "{{ cluster.ecs_database_mode | default('existing') }}" + CLUSTER_PROXY: host: "{{ database_host }}" port: "{{ database_type | cloudera.cluster.default_database_port }}" type: "{{ database_type }}" - name: db-resourcepoolmanager - user: db-resourcepoolmanager + name: cluster-proxy + user: cluster-proxy password: "{{ database_default_password }}" mode: "{{ cluster.ecs_database_mode | default('existing') }}" - SCHEMAREGISTRY: + DEX: host: "{{ database_host }}" - port: "{{ database_port | cloudera.cluster.default_database_port }}" + port: "{{ database_type | cloudera.cluster.default_database_port }}" type: "{{ database_type }}" - name: schemaregistry - user: schemaregistry + name: db-dex + user: db-dex password: "{{ database_default_password }}" - SQL_STREAM_BUILDER: + mode: "{{ cluster.ecs_database_mode | default('existing') }}" + DWX: host: "{{ database_host }}" port: "{{ database_type | cloudera.cluster.default_database_port }}" type: "{{ database_type }}" - name: ssb_admin - user: ssb_admin + name: db-dwx + user: db-dwx password: "{{ database_default_password }}" - SQL_STREAM_BUILDER_MVE: + mode: "{{ cluster.ecs_database_mode | default('existing') }}" + ENV: host: "{{ database_host }}" port: "{{ database_type | cloudera.cluster.default_database_port }}" type: "{{ database_type }}" - name: ssb_mve - user: ssb_mve + name: db-env + user: db-env password: "{{ database_default_password }}" - STREAMS_MESSAGING_MANAGER: + mode: "{{ cluster.ecs_database_mode | default('existing') }}" + LIFTIE: host: "{{ database_host }}" - port: "{{ database_port | cloudera.cluster.default_database_port }}" + port: "{{ database_type | cloudera.cluster.default_database_port }}" type: "{{ database_type }}" - name: streamsmsgmgr - user: 
streamsmsgmgr + name: db-liftie + user: db-liftie password: "{{ database_default_password }}" - SENTRY: + mode: "{{ cluster.ecs_database_mode | default('existing') }}" + MLX: host: "{{ database_host }}" - port: "{{ database_port | cloudera.cluster.default_database_port }}" + port: "{{ database_type | cloudera.cluster.default_database_port }}" type: "{{ database_type }}" - name: sentry - user: sentry + name: db-mlx + user: db-mlx password: "{{ database_default_password }}" - UMS: + mode: "{{ cluster.ecs_database_mode | default('existing') }}" + RESOURCEPOOL_MANAGER: host: "{{ database_host }}" port: "{{ database_type | cloudera.cluster.default_database_port }}" type: "{{ database_type }}" - name: db-ums - user: db-ums + name: db-resourcepoolmanager + user: db-resourcepoolmanager password: "{{ database_default_password }}" mode: "{{ cluster.ecs_database_mode | default('existing') }}" - QUERY_PROCESSOR: + UMS: host: "{{ database_host }}" port: "{{ database_type | cloudera.cluster.default_database_port }}" type: "{{ database_type }}" - name: queryprocessor - user: queryprocessor + name: db-ums + user: db-ums password: "{{ database_default_password }}" + mode: "{{ cluster.ecs_database_mode | default('existing') }}" diff --git a/roles/infrastructure/rdbms/tasks/mysql-RedHat.yml b/roles/infrastructure/rdbms/tasks/mysql-RedHat.yml new file mode 100644 index 00000000..4d775fb3 --- /dev/null +++ b/roles/infrastructure/rdbms/tasks/mysql-RedHat.yml 
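Review bot: The `# Deprecated in ecs 1.5.0` comment above `databases_ecs` says that something is deprecated but not what still consumes the map or when it can be dropped, and it floats between two blank lines so it is not obviously attached to the key. Suggest `# databases_ecs: external database definitions for the ECS control-plane services. Deprecated since ECS 1.5.0 (the external-database option is deprecated in ECS); retained for deployments that still set cluster.ecs_database_mode.` directly above `databases_ecs:`. Every entry repeats `mode: "{{ cluster.ecs_database_mode | default('existing') }}"`, so a one-line note at the top explaining what `mode` controls would save a reader from inferring it from the teardown and deployment roles.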
@@ -0,0 +1,36 @@
+# Copyright 2023 Cloudera, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+
+- name: Import GPG Key
+ rpm_key:
+ key: https://repo.mysql.com/RPM-GPG-KEY-mysql-2022
+ state: present
+ when:
+ - not (skip_rdbms_repo_setup | default(False))
+
+- name: Install MySQL Community repository
+ yum:
+ name: https://repo.mysql.com/mysql{{ database_version | replace('.','') }}-community-release-el{{ ansible_distribution_major_version }}.rpm
+ update_cache: true
+ lock_timeout: 180
+ state: present
+ when:
+ - not (skip_rdbms_repo_setup | default(False))
+
+
+- name: Install MySQL
+ include_role:
+ name: ansible-role-mysql
\ No newline at end of file
diff --git a/roles/infrastructure/rdbms/templates/cloudera.cnf b/roles/infrastructure/rdbms/templates/cloudera.cnf
index 0beb587c..6468f195 100644
--- a/roles/infrastructure/rdbms/templates/cloudera.cnf
+++ b/roles/infrastructure/rdbms/templates/cloudera.cnf
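Review bot: `Import GPG Key` trusts whatever `https://repo.mysql.com/RPM-GPG-KEY-mysql-2022` returns; `rpm_key` supports `fingerprint:`, so pin the expected key with `fingerprint: <vendor-published key fingerprint>` (placeholder, taken from MySQL's documentation) so a substituted or corrupted download is rejected instead of being installed as a trusted signing key. The repository RPM is then installed by URL through `yum`, which verifies its signature against the keys already imported, so the fingerprint pin is what anchors the rest of the chain. `include_role: name: ansible-role-mysql` pulls in an external role; a comment naming the expected source and version of that role would help reproducibility.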
@@ -1,10 +1,13 @@ [mysqld] log_bin_trust_function_creators = 1 -{% if database_tls and database_version is version('10.2','>=') %} +{% if database_tls %} # SSL configuration ssl_ca = {{ tls_chain_path }} ssl_cert = {{ tls_cert_path_generic }} ssl_key = {{ tls_key_path_plaintext_generic }} +{% if database_version is version('8.0','>=') %} +require_secure_transport = {{ mysql_require_secure_transport | default('OFF') }} +{% endif %} {% if database_version is version('10.5.2','>=') %} require_secure_transport = {{ mysql_require_secure_transport | default('OFF') }} {% endif %} @@ -20,4 +23,4 @@ ssl_crlpath = {{ mysql_ssl_crlpath }} {% if mysql_tls_version is defined %} tls_version = {{ mysql_tls_version }} {% endif %} -{% endif %} \ No newline at end of file +{% endif %} diff --git a/roles/infrastructure/rdbms/vars/mysql-RedHat.yml b/roles/infrastructure/rdbms/vars/mysql-RedHat.yml new file mode 100644 index 00000000..22d6eb17 --- /dev/null +++ b/roles/infrastructure/rdbms/vars/mysql-RedHat.yml @@ -0,0 +1,19 @@ +# Copyright 2023 Cloudera, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- + +mysql_packages: + - mysql + - mysql-server \ No newline at end of file diff --git a/roles/infrastructure/rdbms/vars/mysql.yml b/roles/infrastructure/rdbms/vars/mysql.yml new file mode 100644 index 00000000..2f3af74b --- /dev/null +++ b/roles/infrastructure/rdbms/vars/mysql.yml 
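Review bot: The new `{% if database_version is version('8.0','>=') %}` guard is not restricted to MySQL, yet this template is also rendered for MariaDB (the `10.5.2` check directly below it): a MariaDB 10.2–10.4 version also satisfies `>= 8.0`, so `require_secure_transport` is now written for servers that do not know the option, and MariaDB 10.5.2+ receives it twice. Assuming `database_type` carries the same `mysql`/`mariadb` value used as the key of `default_database_versions`, gate on it as well: `{% if database_type == 'mysql' and database_version is version('8.0','>=') %}` and `{% if database_type == 'mariadb' and database_version is version('10.5.2','>=') %}`. A comment above the block noting that the `OFF` default means TLS is offered but not enforced — plaintext client connections stay accepted until `mysql_require_secure_transport` is set to `ON` — would make the security posture explicit.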
@@ -0,0 +1,23 @@
+# Copyright 2023 Cloudera, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+mysql_daemon: mysqld
+mysql_log_error: /var/log/mysql.log
+mysql_syslog_tag: mysql
+mysql_pid_file: /var/run/mysql/mysql.pid
+mysql_innodb_large_prefix: 0
+mysql_config_include_files:
+ - src: "cloudera.cnf"
+ force: true
\ No newline at end of file
diff --git a/roles/infrastructure/rdbms/vars/postgresql-RedHat.yml b/roles/infrastructure/rdbms/vars/postgresql-RedHat.yml
index 9f9fbf6e..142816e7 100644
--- a/roles/infrastructure/rdbms/vars/postgresql-RedHat.yml
+++ b/roles/infrastructure/rdbms/vars/postgresql-RedHat.yml
@@ -1,4 +1,4 @@
-# Copyright 2021 Cloudera, Inc.
+# Copyright 2023 Cloudera, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
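Review bot: `mysql_log_error: /var/log/mysql.log` and `mysql_pid_file: /var/run/mysql/mysql.pid` point at paths the MySQL Community RPMs do not appear to create (their packaging uses `/var/run/mysqld/` and `/var/log/mysqld.log`); if `/var/run/mysql` is absent, `mysqld` cannot write its pid file and the unit fails to start, so please verify these against the installed package or keep the role's RedHat defaults. A comment above these keys stating why they deviate from the `ansible-role-mysql` defaults would help the next maintainer. `innodb_large_prefix` was removed in MySQL 8.0; confirm the role does not render `mysql_innodb_large_prefix: 0` into my.cnf for an 8.0 server, or the server will reject the unknown option.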
@@ -18,10 +18,11 @@ postgresql_data_dir: /var/lib/pgsql/{{ postgresql_version }}/data postgresql_bin_path: /usr/pgsql-{{ postgresql_version }}/bin postgresql_config_path: /var/lib/pgsql/{{ postgresql_version }}/data postgresql_daemon: postgresql-{{ postgresql_version }}.service +# Removed devel package as avoids dependency on perl-IPC-run in pg 12+ postgresql_packages: - postgresql{{ postgresql_version | regex_replace('\.','') }} - postgresql{{ postgresql_version | regex_replace('\.','') }}-server - postgresql{{ postgresql_version | regex_replace('\.','') }}-libs - postgresql{{ postgresql_version | regex_replace('\.','') }}-contrib - - postgresql{{ postgresql_version | regex_replace('\.','') }}-devel +# - postgresql{{ postgresql_version | regex_replace('\.','') }}-devel postgresql_python_library: python-psycopg2 diff --git a/roles/prereqs/local_accounts_common/defaults/main.yml b/roles/prereqs/local_accounts_common/defaults/main.yml index eb8c90c3..8b4bb4cb 100644 --- a/roles/prereqs/local_accounts_common/defaults/main.yml +++ b/roles/prereqs/local_accounts_common/defaults/main.yml @@ -1,4 +1,4 @@ -# Copyright 2021 Cloudera, Inc. +# Copyright 2023 Cloudera, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -253,3 +253,12 @@ mariadb_accounts: mode: '770' shell: /bin/bash unencrypted_key_acl: "{{ database_tls }}" + +ecs_accounts: + - user: cloudera-scm + home: /var/lib/cloudera-scm-server + comment: Cloudera Manager + mode: '770' + keystore_acl: True + key_acl: True + key_password_acl: True diff --git a/roles/prereqs/mysql_connector/defaults/main.yml b/roles/prereqs/mysql_connector/defaults/main.yml index dc22f192..d9e82ff0 100644 --- a/roles/prereqs/mysql_connector/defaults/main.yml +++ b/roles/prereqs/mysql_connector/defaults/main.yml 
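Review bot: The comment added above `postgresql_packages` reads awkwardly and omits where the unwanted dependency comes from, which is the reason recorded in the commit message. Suggest `# The -devel package is intentionally omitted: on PostgreSQL 12+ it depends on perl-IPC-Run, which is only available from EPEL.` in place of `# Removed devel package as avoids dependency on perl-IPC-run in pg 12+`. Deleting the `-devel` line rather than leaving it commented out would also keep the package list free of dead entries.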
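Review bot: The new `ecs_accounts` entry writes `keystore_acl: True`, `key_acl: True` and `key_password_acl: True` with capitalised booleans; canonical YAML is lowercase `true`, yamllint's truthy rule flags the capitalised form, and the visible `mariadb_accounts` entry above avoids it. Since this one account is what acls-ecs.yml uses to grant read access to the TLS private key and the key password file, a comment on the entry stating why `cloudera-scm` needs both on an ECS node would document the privilege being handed out.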
@@ -1,4 +1,4 @@ -# Copyright 2021 Cloudera, Inc. +# Copyright 2023 Cloudera, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,8 +14,8 @@ --- -mysql_connector_url: https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-java-5.1.48.zip -mysql_connector_checksum: md5:5da24facd99964f296ecde32abcd2384 +mysql_connector_url: https://cdn.mysql.com//Downloads/Connector-J/mysql-connector-java-5.1.49.zip +mysql_connector_checksum: md5:5ecd588e13f14de07faa5c67f5caf3f1 mysql_connector_download_dir: "{{ local_temp_dir }}" mysql_connector_extract_dir: "{{ local_temp_dir }}" -mysql_connector_local_path: "{{ mysql_connector_extract_dir }}/mysql-connector-java-5.1.48/mysql-connector-java-5.1.48-bin.jar" +mysql_connector_local_path: "{{ mysql_connector_extract_dir }}/mysql-connector-java-5.1.49/mysql-connector-java-5.1.49-bin.jar" \ No newline at end of file diff --git a/roles/prereqs/mysql_connector/tasks/main.yml b/roles/prereqs/mysql_connector/tasks/main.yml index 3fa9d14a..b176cc3d 100644 --- a/roles/prereqs/mysql_connector/tasks/main.yml +++ b/roles/prereqs/mysql_connector/tasks/main.yml @@ -1,4 +1,4 @@ -# Copyright 2021 Cloudera, Inc. +# Copyright 2023 Cloudera, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
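Review bot: `mysql_connector_checksum` still pins the download with `md5:`, which gives no meaningful collision resistance for an artifact fetched from a public CDN; the consuming task (not in this hunk) presumably passes it to `get_url`, which accepts `sha256:<hash of the 5.1.49 zip>` (placeholder, take it from the vendor download page). The new URL also contains a doubled slash, `https://cdn.mysql.com//Downloads/...`, which resolves today but looks like a paste error. Connector/J 5.1 is end-of-life; with MySQL 8 now a supported server type, a comment recording which driver version was validated against it would help.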
@@ -71,10 +71,9 @@ src: my_config.h dest: /usr/include/mysql/my_config.h - - name: Install Mysql packages for python - shell: pip install MySQL-python --force-reinstall --ignore-installed +## TODO Fix for RHEL8 + - name: Install Mysql packages for python - PyMySQL + shell: /usr/local/bin/pip install PyMySQL --force-reinstall --ignore-installed ignore_errors: true - - name: Chmod on mysql python files - shell: chmod -R 755 /usr/lib64/python2.7/site-packages/MySQLdb /usr/lib64/python2.7/site-packages/MySQL_python* /usr/lib64/python2.7/site-packages/_mysql* - ignore_errors: true \ No newline at end of file + diff --git a/roles/prereqs/pvc_ecs/tasks/main.yml b/roles/prereqs/pvc_ecs/tasks/main.yml index da15484f..a888f067 100644 --- a/roles/prereqs/pvc_ecs/tasks/main.yml +++ b/roles/prereqs/pvc_ecs/tasks/main.yml @@ -1,4 +1,4 @@ -# Copyright 2021 Cloudera, Inc. +# Copyright 2023 Cloudera, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -13,16 +13,23 @@ # limitations under the License. --- + +- name: Fail Fast if ECS OS is not RH family + fail: + msg: ECS is not supported on this OS, should be Centos or RHEL + when: ansible_os_family != 'RedHat' + - name: Install necessary additional packages ansible.builtin.package: name: "{{ __package_item }}" state: latest loop: - nfs-utils + - iscsi-initiator-utils loop_control: loop_var: __package_item -- name: Setup iptables on rhel7 +- name: Setup iptables for rhel7 when: ansible_distribution_major_version | int == 7 block: - name: Install iptables for rhel7 
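Review bot: `shell: /usr/local/bin/pip install PyMySQL --force-reinstall --ignore-installed` performs an unpinned install from the public index as root on every run, and `ignore_errors: true` hides any failure, so a missing `/usr/local/bin/pip` or a network error leaves the host without the driver silently. Prefer `ansible.builtin.pip` with `name: PyMySQL` (pinned to a version) and `executable: /usr/local/bin/pip`, which is idempotent and reports failures, and replace `ignore_errors` with a `failed_when` naming the condition that is tolerated. The `## TODO Fix for RHEL8` comment should say what is broken on RHEL 8 so the follow-up is actionable.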
@@ -33,39 +40,17 @@ state: present loop: - iptables - - iptables-services loop_control: loop_var: __iptables_item - - name: start iptables on rhel7 - systemd: - name: iptables - enabled: yes - state: started - daemon-reload: yes - -- name: Setup nftables on rhel8 +- name: Setup iptables for rhel8 when: ansible_distribution_major_version | int >= 8 block: - - name: Install iptables for rhel8 - ansible.builtin.package: - lock_timeout: 180 - name: "{{ __iptables_install_item }}" - update_cache: yes - state: present - loop: - - iptables-services - loop_control: - loop_var: __iptables_install_item + - name: Install iptables for rhel8, using rpm option tsflags=noscripts + command: dnf install -y iptables --setopt=tsflags=noscripts - - name: start nftables on rhel8 - systemd: - name: iptables - enabled: yes - state: started - daemon-reload: yes -- name: Flush IPTables +- name: Flush iptables ansible.builtin.iptables: flush: yes table: "{{ __iptables_flush_item }}" @@ -76,4 +61,26 @@ - raw - security loop_control: - loop_var: __iptables_flush_item \ No newline at end of file + loop_var: __iptables_flush_item + + ## see https://docs.rke2.io/known_issues +- name: Set NetworkManager to ignore any ECS calico & flannel interfaces + template: + src: networkmanager-conf.j2 + dest: /etc/NetworkManager/conf.d/rke2-canal.config + owner: root + group: root + mode: 0644 + when: + - ansible_distribution_major_version|int >= 7 + - ansible_facts.services['NetworkManager.service'] is defined + +- name: Reload NetworkManager daemon + systemd: + state: restarted + daemon_reload: true + name: NetworkManager.service + when: + - ansible_distribution_major_version|int >= 7 + - ansible_facts.services['NetworkManager.service'] is defined + diff --git a/roles/prereqs/pvc_ecs/templates/networkmanager-conf.j2 b/roles/prereqs/pvc_ecs/templates/networkmanager-conf.j2 new file mode 100644 index 00000000..13d2a834 --- /dev/null +++ b/roles/prereqs/pvc_ecs/templates/networkmanager-conf.j2 
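Review bot: `command: dnf install -y iptables --setopt=tsflags=noscripts` is not idempotent — it reports changed on every run — and nothing explains why package scriptlets are being skipped, which is a deliberate deviation a reader cannot infer. Add `args: creates: /usr/sbin/iptables` (or a `changed_when` on the dnf output) so repeated runs are clean, and a comment such as `# noscripts: skip the iptables post-install scriptlets, which conflict with the rke2-managed ruleset` if that is the reason. With `iptables-services` dropped and the start tasks removed, no iptables unit is enabled any more on either release; if that is intended because rke2 manages its own rules, a comment on the block saying so will stop someone re-adding it.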
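Review bot: `Reload NetworkManager daemon` restarts NetworkManager on every run regardless of whether `rke2-canal.config` changed, which briefly disrupts host networking each time the playbook executes; register the template task and condition the restart on `_nm_conf.changed`, or move it to a handler notified by the template. Both `when` clauses test `ansible_facts.services['NetworkManager.service'] is defined`, which is only populated after `ansible.builtin.service_facts` has run; if no such task precedes this block (none is visible in the hunk), the test appears to be false on every host and the configuration is silently skipped. The `## see https://docs.rke2.io/known_issues` comment is indented under the previous task's `loop_control`; it belongs at column 0 directly above the task it explains.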
@@ -0,0 +1,2 @@
+[keyfile]
+unmanaged-devices=interface-name:cali*;interface-name:flannel*
\ No newline at end of file
diff --git a/roles/security/tls_generate_csr/tasks/acls-ecs.yml b/roles/security/tls_generate_csr/tasks/acls-ecs.yml
new file mode 100644
index 00000000..72d7b47f
--- /dev/null
+++ b/roles/security/tls_generate_csr/tasks/acls-ecs.yml
@@ -0,0 +1,158 @@ +# Copyright 2023 Cloudera, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- + +- name: Install acls package + ansible.builtin.package: + lock_timeout: "{{ (ansible_os_family == 'RedHat') | ternary(60, omit) }}" + name: acl + state: present + +- name: Change permissions on keystore + file: + state: file + path: "{{ tls_keystore_path }}" + mode: 0640 + owner: root + group: hadoop + +- name: Add ACLs to keystore + acl: + path: "{{ tls_keystore_path }}" + entity: "{{ account.user }}" + etype: group + permissions: r + state: present + loop: "{{ ecs_accounts | json_query('[?@.keystore_acl]') }}" + loop_control: + loop_var: account + label: "{{ account.user }}" + when: account.when | default(True) + +- name: Change permissions on keystore hard link + file: + state: file + path: "{{ tls_keystore_path_generic }}" + mode: 0640 + owner: root + group: hadoop + +- name: Add ACLs to keystore hard link + acl: + path: "{{ tls_keystore_path_generic }}" + entity: "{{ account.user }}" + etype: group + permissions: r + state: present + loop: "{{ ecs_accounts | json_query('[?@.keystore_acl]') }}" + loop_control: + loop_var: account + label: "{{ account.user }}" + when: account.when | default(True) + +- name: Change permissions on private key + file: + state: file + path: "{{ item }}" + mode: 0440 + owner: root + group: root + loop: + - "{{ tls_key_path }}" + - "{{ tls_key_path_generic }}" + +- name: Add ACLs to private key + acl: + path: "{{ tls_key_path }}" + 
entity: "{{ account.user }}" + etype: group + permissions: r + state: present + loop: "{{ ecs_accounts | json_query('[?@.key_acl]') }}" + loop_control: + loop_var: account + label: "{{ account.user }}" + when: account.when | default(True) + +- name: Add ACLs to private key hard link + acl: + path: "{{ tls_key_path_generic }}" + entity: "{{ account.user }}" + etype: group + permissions: r + state: present + loop: "{{ ecs_accounts | json_query('[?@.key_acl]') }}" + loop_control: + loop_var: account + label: "{{ account.user }}" + when: account.when | default(True) + +- name: Change permissions on key password file + file: + state: file + path: "{{ tls_key_password_file }}" + mode: 0440 + owner: root + group: root + +- name: Add ACLs to key password file + acl: + path: "{{ tls_key_password_file }}" + entity: "{{ account.user }}" + etype: user + permissions: r + state: present + loop: "{{ ecs_accounts | json_query('[?@.key_password_acl]') }}" + loop_control: + loop_var: account + label: "{{ account.user }}" + when: account.when | default(True) + +- name: Change permissions on unencrypted key + file: + state: file + path: "{{ item }}" + mode: 0440 + owner: root + group: root + loop: + - "{{ tls_key_path_plaintext }}" + - "{{ tls_key_path_plaintext_generic }}" + +- name: Add ACLs to unencrypted key + acl: + path: "{{ tls_key_path_plaintext }}" + entity: "{{ account.user }}" + etype: group + permissions: r + state: present + loop: "{{ local_accounts | json_query('[?@.unencrypted_key_acl]') }}" + loop_control: + loop_var: account + label: "{{ account.user }}" + when: account.when | default(True) + +- name: Add ACLs to unencrypted key hard link + acl: + path: "{{ tls_key_path_plaintext_generic }}" + entity: "{{ account.user }}" + etype: group + permissions: r + state: present + loop: "{{ ecs_accounts | json_query('[?@.unencrypted_key_acl]') }}" + loop_control: + loop_var: account + label: "{{ account.user }}" + when: account.when | default(True) 
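Review bot: `Add ACLs to unencrypted key` loops over `local_accounts | json_query('[?@.unencrypted_key_acl]')` while every other task in this file — including `Add ACLs to unencrypted key hard link` for the very same key — loops over `ecs_accounts`; this looks like a leftover from acls.yml and means the plaintext key and its hard link end up with different ACL sets, with the plaintext key readable by every `local_accounts` entry that sets `unencrypted_key_acl` on an ECS node. Change that loop to `loop: "{{ ecs_accounts | json_query('[?@.unencrypted_key_acl]') }}"`. Note that `ecs_accounts` as added in this commit carries no `unencrypted_key_acl` flag, so both tasks would then grant nothing; if that is the intent, a comment saying so would help. The keystore tasks also set `group: hadoop`, which may not exist on an ECS node that runs no Hadoop services; confirm the group is created earlier in the play or the `file` tasks fail.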
diff --git a/roles/security/tls_generate_csr/tasks/main.yml b/roles/security/tls_generate_csr/tasks/main.yml index a2434eec..19e4f957 100644 --- a/roles/security/tls_generate_csr/tasks/main.yml +++ b/roles/security/tls_generate_csr/tasks/main.yml @@ -1,4 +1,4 @@ -# Copyright 2021 Cloudera, Inc. +# Copyright 2023 Cloudera, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -117,6 +117,11 @@ - name: Set file permissions include_tasks: acls.yml + when: inventory_hostname not in groups['ecs_nodes'] + +- name: Set file permissions for ECS + include_tasks: acls-ecs.yml + when: inventory_hostname in groups['ecs_nodes'] - name: Create openssl.cnf for CSR generation template: diff --git a/roles/teardown/tasks/teardown_ecs.yml b/roles/teardown/tasks/teardown_ecs.yml index 1c41c31e..c7de1e23 100644 --- a/roles/teardown/tasks/teardown_ecs.yml +++ b/roles/teardown/tasks/teardown_ecs.yml @@ -1,4 +1,4 @@ -# Copyright 2021 Cloudera, Inc. +# Copyright 2023 Cloudera, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -54,6 +54,10 @@ - _rke2_killall.failed - "'No such file or directory' not in _rke2_killall.stderr" +#TODO emove all remaing kubelet or k3s mounts, address global ro mounts left over from nfs +#- name: Remove all remaing kubelet or k3s mounts +# shell: mount | awk '/on \/var\/lib\/(kubelet|k3s)/{print \$3}' | xargs -r sudo umount -l" + - name: Run rke2 Uninstall register: _rke2_uninstall shell: /opt/cloudera/parcels/ECS/bin/rke2-uninstall.sh; 
@@ -63,11 +67,12 @@ - name: Delete misc shell: | - rm -rf /ecs/docker/docker-store/ - rm -rf /ecs/local/* - rm -rf /ecs/longhorn/* + rm -rf /mnt/docker/* + rm -rf /mnt/ecs/local-storage/* + rm -rf /mnt2/ecs/longhorn-storage/* rm -rf /var/lib/docker_server rm -rf /etc/docker/certs.d + rm -rf /var/lib/ecs systemctl stop iscsid yum -y erase iscsi-initiator-utils rm -rf /var/lib/iscsi From 6d8517bf21f0ac0a0e696579c179b089f4d9d238 Mon Sep 17 00:00:00 2001 From: Chuck Levesque Date: Sat, 15 Apr 2023 11:33:45 -0400 Subject: [PATCH 02/10] Default ecs_nodes to empty [] when not specified Signed-off-by: Chuck Levesque --- roles/security/tls_generate_csr/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/security/tls_generate_csr/tasks/main.yml b/roles/security/tls_generate_csr/tasks/main.yml index 19e4f957..af6fb93c 100644 --- a/roles/security/tls_generate_csr/tasks/main.yml +++ b/roles/security/tls_generate_csr/tasks/main.yml @@ -117,11 +117,11 @@ - name: Set file permissions include_tasks: acls.yml - when: inventory_hostname not in groups['ecs_nodes'] + when: inventory_hostname not in groups['ecs_nodes'] | default([]) - name: Set file permissions for ECS include_tasks: acls-ecs.yml - when: inventory_hostname in groups['ecs_nodes'] + when: inventory_hostname in groups['ecs_nodes'] | default([]) - name: Create openssl.cnf for CSR generation template: From 04498b3e70f9c45e1c75d412ea5c9c513c37a49c Mon Sep 17 00:00:00 2001 From: Chuck Levesque Date: Sat, 15 Apr 2023 12:18:59 -0400 Subject: [PATCH 03/10] Default ecs_nodes to empty [] when not specified Signed-off-by: Chuck Levesque --- .gitignore | 1 + roles/security/tls_generate_csr/tasks/main.yml | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 0fd389f8..15e31e64 100644 --- a/.gitignore +++ b/.gitignore @@ -162,3 +162,4 @@ dmypy.json # Cython debug symbols cython_debug/ +.DS_Store 
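Review bot: The replacement `rm -rf` lines hard-code the ECS storage locations (`/mnt/docker/*`, `/mnt/ecs/local-storage/*`, `/mnt2/ecs/longhorn-storage/*`), so a deployment that places these directories elsewhere is torn down "successfully" while leaving the data in place; if the install side derives these paths from variables, the teardown should reference the same variables, e.g. `rm -rf "{{ <ecs_docker_dir_var> }}"/*` with the real variable name substituted, rather than literals. Because the block is a single `shell: |` without `set -e`, the task's result reflects only the exit status of the last command, so a failed `rm` or `yum` earlier in the block is masked; the block continues beyond this hunk.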
diff --git a/roles/security/tls_generate_csr/tasks/main.yml b/roles/security/tls_generate_csr/tasks/main.yml index af6fb93c..4ba231a6 100644 --- a/roles/security/tls_generate_csr/tasks/main.yml +++ b/roles/security/tls_generate_csr/tasks/main.yml @@ -117,11 +117,11 @@ - name: Set file permissions include_tasks: acls.yml - when: inventory_hostname not in groups['ecs_nodes'] | default([]) + when: "inventory_hostname not in groups['ecs_nodes'] | default([])" - name: Set file permissions for ECS include_tasks: acls-ecs.yml - when: inventory_hostname in groups['ecs_nodes'] | default([]) + when: "inventory_hostname in groups['ecs_nodes'] | default([])" - name: Create openssl.cnf for CSR generation template: From 1bd4f3eb32c45651499c8c08da5897ea277fb1d8 Mon Sep 17 00:00:00 2001 From: Chuck Levesque Date: Sat, 15 Apr 2023 13:17:38 -0400 Subject: [PATCH 04/10] Fix for external auth when none desired Signed-off-by: Chuck Levesque --- .../external_auth/defaults/main.yml | 30 +------------ .../tasks/initialize_for_ipa.yml | 43 +++++++++++++++++++ .../external_auth/tasks/main.yml | 5 +++ 3 files changed, 50 insertions(+), 28 deletions(-) create mode 100644 roles/cloudera_manager/external_auth/tasks/initialize_for_ipa.yml diff --git a/roles/cloudera_manager/external_auth/defaults/main.yml b/roles/cloudera_manager/external_auth/defaults/main.yml index 877b72aa..7ec57551 100644 --- a/roles/cloudera_manager/external_auth/defaults/main.yml +++ b/roles/cloudera_manager/external_auth/defaults/main.yml @@ -1,4 +1,4 @@ -# Copyright 2021 Cloudera, Inc. +# Copyright 2023 Cloudera, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -13,31 +13,5 @@ # limitations under the License. --- -cloudera_manager_external_auth: - provider: "{{ 'FreeIPA' if freeipa_activated == true else omit }}" - external_first: no - external_only: no - external_set: "{{ 'yes' if freeipa_activated == true else 'no' }}" - role_mappings: "{{ default_free_ipa_role_mappings if freeipa_activated == true else omit }}" -default_free_ipa_role_mappings: - - group: admins - roles: [ ROLE_ADMIN ] - - group: auditors - roles: [ ROLE_AUDITOR ] - - group: users - roles: [ ROLE_USER ] - -auth_providers: - FreeIPA: - type: LDAP - ldap_url: "{{ ipa_ldap_url }}" - ldap_base_dn: - ldap_bind_user_dn: "{{ ipa_ldap_user_bind_dn }}" - ldap_bind_password: "{{ ipa_ldap_user_bind_password }}" - ldap_search_base: - user: "{{ ipa_ldap_user_search_base }}" - group: "{{ ipa_ldap_group_search_base }}" - ldap_search_filter: - user: "{{ ipa_ldap_user_search_filter }}" - group: "{{ ipa_ldap_user_group_filter }}" \ No newline at end of file +freeipa_activated: False \ No newline at end of file diff --git a/roles/cloudera_manager/external_auth/tasks/initialize_for_ipa.yml b/roles/cloudera_manager/external_auth/tasks/initialize_for_ipa.yml new file mode 100644 index 00000000..5c227f89 --- /dev/null +++ b/roles/cloudera_manager/external_auth/tasks/initialize_for_ipa.yml 
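Review bot: With `cloudera_manager_external_auth` and `auth_providers` removed from the role defaults, the unconditional `set_fact: auth_provider: "{{ auth_providers[cloudera_manager_external_auth.provider] }}"` in this role's `tasks/main.yml` (visible as context in the next hunk) now fails on an undefined variable whenever `freeipa_activated` is false and the user has not supplied both variables — unless the role is only included when external auth is configured, which nothing in this series shows. The remaining line should be written `freeipa_activated: false` per the lowercase-boolean convention, and the file still ends without a newline.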
@@ -0,0 +1,43 @@ +# Copyright 2023 Cloudera, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +default_free_ipa_role_mappings: + - group: admins + roles: [ ROLE_ADMIN ] + - group: auditors + roles: [ ROLE_AUDITOR ] + - group: users + roles: [ ROLE_USER ] + +cloudera_manager_external_auth: + provider: "FreeIPA" + external_first: no + external_only: no + external_set: yes + role_mappings: "{{ default_free_ipa_role_mappings }}" + +auth_providers: + FreeIPA: + type: LDAP + ldap_url: "{{ ipa_ldap_url }}" + ldap_base_dn: + ldap_bind_user_dn: "{{ ipa_ldap_user_bind_dn }}" + ldap_bind_password: "{{ ipa_ldap_user_bind_password }}" + ldap_search_base: + user: "{{ ipa_ldap_user_search_base }}" + group: "{{ ipa_ldap_group_search_base }}" + ldap_search_filter: + user: "{{ ipa_ldap_user_search_filter }}" + group: "{{ ipa_ldap_user_group_filter }}" \ No newline at end of file diff --git a/roles/cloudera_manager/external_auth/tasks/main.yml b/roles/cloudera_manager/external_auth/tasks/main.yml index 2f48076d..e548f6e9 100644 --- a/roles/cloudera_manager/external_auth/tasks/main.yml +++ b/roles/cloudera_manager/external_auth/tasks/main.yml @@ -14,6 +14,11 @@ --- +- name: Initialize for IPA + include_role: + name: initialize_for_ipa + when: freeipa_activated + - name: Select external auth provider details set_fact: auth_provider: "{{ auth_providers[cloudera_manager_external_auth.provider] }}" From e016efc6c126421547b58ec90e36d1b28878b3e5 Mon Sep 17 00:00:00 2001 
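Review bot: `include_role: name: initialize_for_ipa` in `tasks/main.yml` names a file, not a role: `initialize_for_ipa.yml` is placed under `tasks/` and contains only variable mappings, so `include_role` cannot resolve it, and `include_tasks` would not accept a mapping as a task list either; what this content needs is `ansible.builtin.include_vars: file: initialize_for_ipa.yml` with the file under `vars/`, which is where patch 07 of this series ends up. In the new file, `external_first: no`, `external_only: no` and `external_set: yes` should be `false`/`true`, and `ldap_base_dn:` with no value is loaded as null rather than an empty string — write `ldap_base_dn: ''` if an empty base DN is the intent.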
From: Chuck Levesque Date: Sat, 15 Apr 2023 14:38:10 -0400 Subject: [PATCH 05/10] autotls pk any path Signed-off-by: Chuck Levesque --- roles/cloudera_manager/autotls/defaults/main.yml | 1 + roles/cloudera_manager/autotls/tasks/main.yml | 2 +- roles/cloudera_manager/autotls/templates/auto-tls-key.json | 3 ++- roles/cloudera_manager/external_auth/tasks/main.yml | 5 ++++- 4 files changed, 8 insertions(+), 3 deletions(-) diff --git a/roles/cloudera_manager/autotls/defaults/main.yml b/roles/cloudera_manager/autotls/defaults/main.yml index ef22c48f..c2aae2f3 100644 --- a/roles/cloudera_manager/autotls/defaults/main.yml +++ b/roles/cloudera_manager/autotls/defaults/main.yml @@ -16,3 +16,4 @@ host_ssh_username: root host_ssh_password: cloudera +private_key_path: '~/node_key' diff --git a/roles/cloudera_manager/autotls/tasks/main.yml b/roles/cloudera_manager/autotls/tasks/main.yml index 736f6eb7..3a18255e 100644 --- a/roles/cloudera_manager/autotls/tasks/main.yml +++ b/roles/cloudera_manager/autotls/tasks/main.yml @@ -48,7 +48,7 @@ - name: Set node_key on one line set_fact: - node_key_one_line: "{{ lookup('file', '~/node_key' ) | replace('\n', '\\n') | replace('\"', '\\\"' ) }}" + node_key_one_line: "{{ lookup('file', private_key_path ) | replace('\n', '\\n') | replace('\"', '\\\"' ) }}" when: not use_password - name: DEBUG Auto-TLS using key diff --git a/roles/cloudera_manager/autotls/templates/auto-tls-key.json b/roles/cloudera_manager/autotls/templates/auto-tls-key.json index 356adb7d..78db7264 100644 --- a/roles/cloudera_manager/autotls/templates/auto-tls-key.json +++ b/roles/cloudera_manager/autotls/templates/auto-tls-key.json @@ -3,7 +3,8 @@ "configureAllServices" : "true", "sshPort" : 22, {% if freeipa_activated %}"trustedCaCerts" : "/etc/ipa/ca.crt",{% endif %} - "userName" : "root", + "userName" : "{{ sudoerUser|default("root") }}", "privateKey": "{{ node_key_one_line }}" + "passphrase": "{{ passphrase|default("") }}" } \ No newline at end of file 
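Review bot: `lookup('file', private_key_path )` reads the SSH private key into the `node_key_one_line` fact on the controller, and the `DEBUG Auto-TLS using key` task that follows (outside this hunk) suggests that fact is then printed; that task should carry `no_log: true` or print only the path, so the key does not end up in playbook output or CI logs. Whether the `file` lookup expands the `~` in the new `private_key_path: '~/node_key'` default the same way the previous literal did is not shown here — confirm, or use an absolute path in the default.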
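Review bot: The new `"passphrase"` member in `auto-tls-key.json` is appended without a comma after the preceding `"privateKey": "{{ node_key_one_line }}"` line, so the rendered file is not valid JSON and the request built from it will be rejected; the previous line needs a trailing comma, `"privateKey": "{{ node_key_one_line }}",`. The same missing comma is carried into the later edit of this line in patch 07. The passphrase is interpolated with no escaping at all, while the key relies on the hand-rolled `replace` chain in the task above; rendering it as `"passphrase": {{ passphrase | default('') | to_json }}` keeps the JSON valid if the passphrase contains a quote or backslash.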
diff --git a/roles/cloudera_manager/external_auth/tasks/main.yml b/roles/cloudera_manager/external_auth/tasks/main.yml index e548f6e9..39dc3e65 100644 --- a/roles/cloudera_manager/external_auth/tasks/main.yml +++ b/roles/cloudera_manager/external_auth/tasks/main.yml @@ -17,7 +17,10 @@ - name: Initialize for IPA include_role: name: initialize_for_ipa - when: freeipa_activated + when: + - freeipa_activated + - cloudera_manager_external_auth is undefined + - cloudera_manager_version is version('6.0.0','>=') - name: Select external auth provider details set_fact: From 98a2dcd1a62f5df3acab7edbf5c07f91eba46ec6 Mon Sep 17 00:00:00 2001 From: Chuck Levesque Date: Tue, 18 Apr 2023 02:39:25 -0400 Subject: [PATCH 06/10] refactor vars in external_auth Signed-off-by: Chuck Levesque --- .../tasks/initialize_for_ipa.yml | 43 ------------------- .../external_auth/tasks/main.yml | 8 ---- .../external_auth/vars/main.yml | 41 ++++++++++++++++++ 3 files changed, 41 insertions(+), 51 deletions(-) delete mode 100644 roles/cloudera_manager/external_auth/tasks/initialize_for_ipa.yml diff --git a/roles/cloudera_manager/external_auth/tasks/initialize_for_ipa.yml b/roles/cloudera_manager/external_auth/tasks/initialize_for_ipa.yml deleted file mode 100644 index 5c227f89..00000000 --- a/roles/cloudera_manager/external_auth/tasks/initialize_for_ipa.yml +++ /dev/null 
@@ -1,43 +0,0 @@ -# Copyright 2023 Cloudera, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -default_free_ipa_role_mappings: - - group: admins - roles: [ ROLE_ADMIN ] - - group: auditors - roles: [ ROLE_AUDITOR ] - - group: users - roles: [ ROLE_USER ] - -cloudera_manager_external_auth: - provider: "FreeIPA" - external_first: no - external_only: no - external_set: yes - role_mappings: "{{ default_free_ipa_role_mappings }}" - -auth_providers: - FreeIPA: - type: LDAP - ldap_url: "{{ ipa_ldap_url }}" - ldap_base_dn: - ldap_bind_user_dn: "{{ ipa_ldap_user_bind_dn }}" - ldap_bind_password: "{{ ipa_ldap_user_bind_password }}" - ldap_search_base: - user: "{{ ipa_ldap_user_search_base }}" - group: "{{ ipa_ldap_group_search_base }}" - ldap_search_filter: - user: "{{ ipa_ldap_user_search_filter }}" - group: "{{ ipa_ldap_user_group_filter }}" \ No newline at end of file diff --git a/roles/cloudera_manager/external_auth/tasks/main.yml b/roles/cloudera_manager/external_auth/tasks/main.yml index 39dc3e65..2f48076d 100644 --- a/roles/cloudera_manager/external_auth/tasks/main.yml +++ b/roles/cloudera_manager/external_auth/tasks/main.yml 
@@ -14,14 +14,6 @@ --- -- name: Initialize for IPA - include_role: - name: initialize_for_ipa - when: - - freeipa_activated - - cloudera_manager_external_auth is undefined - - cloudera_manager_version is version('6.0.0','>=') - - name: Select external auth provider details set_fact: auth_provider: "{{ auth_providers[cloudera_manager_external_auth.provider] }}" diff --git a/roles/cloudera_manager/external_auth/vars/main.yml b/roles/cloudera_manager/external_auth/vars/main.yml index 0351c258..37823b1f 100644 --- a/roles/cloudera_manager/external_auth/vars/main.yml +++ b/roles/cloudera_manager/external_auth/vars/main.yml @@ -29,3 +29,44 @@ auth_role_display_names: ROLE_OPERATOR: Operator ROLE_USER: Read-Only ROLE_USER_ADMIN: User Administrator + +default_free_ipa_role_mappings: + - group: admins + roles: [ ROLE_ADMIN ] + - group: auditors + roles: [ ROLE_AUDITOR ] + - group: users + roles: [ ROLE_USER ] +when: + - freeipa_activated + - cloudera_manager_external_auth is undefined + - cloudera_manager_version is version('6.0.0','>=') + +cloudera_manager_external_auth: + provider: "FreeIPA" + external_first: no + external_only: no + external_set: yes + role_mappings: "{{ default_free_ipa_role_mappings }}" +when: + - freeipa_activated + - cloudera_manager_external_auth is undefined + - cloudera_manager_version is version('6.0.0','>=') + +auth_providers: + FreeIPA: + type: LDAP + ldap_url: "{{ ipa_ldap_url }}" + ldap_base_dn: + ldap_bind_user_dn: "{{ ipa_ldap_user_bind_dn }}" + ldap_bind_password: "{{ ipa_ldap_user_bind_password }}" + ldap_search_base: + user: "{{ ipa_ldap_user_search_base }}" + group: "{{ ipa_ldap_group_search_base }}" + ldap_search_filter: + user: "{{ ipa_ldap_user_search_filter }}" + group: "{{ ipa_ldap_user_group_filter }}" +when: + - freeipa_activated + - cloudera_manager_external_auth is undefined + - cloudera_manager_version is version('6.0.0','>=') From 5297a9432a18351e836e357c68068714ef0ebde9 Mon Sep 17 00:00:00 2001 
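Review bot: `when:` is not a conditional inside a vars file — `vars/main.yml` is a plain mapping, so the three `when:` entries added here become a variable literally named `when` (a duplicate key that yamllint flags and where the last occurrence wins), and `default_free_ipa_role_mappings`, `cloudera_manager_external_auth` and `auth_providers` are loaded unconditionally with role-vars precedence, overriding a user-supplied `cloudera_manager_external_auth` regardless of `freeipa_activated`. The conditional loading the author wants is an `include_vars` task with the `when` attached to that task, which is what patch 07 of this series moves to. `external_first: no` / `external_only: no` / `external_set: yes` should be `false`/`true`.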
From: Chuck Levesque Date: Tue, 18 Apr 2023 23:26:07 -0400 Subject: [PATCH 07/10] fixes ext_auth, pvc_ecs preq Signed-off-by: Chuck Levesque --- .../autotls/templates/auto-tls-key.json | 5 +-- .../external_auth/tasks/main.yml | 11 ++++- .../external_auth/vars/freeipa.yml | 44 +++++++++++++++++++ .../networkmanager.conf} | 0 roles/prereqs/pvc_ecs/tasks/main.yml | 4 +- 5 files changed, 58 insertions(+), 6 deletions(-) create mode 100644 roles/cloudera_manager/external_auth/vars/freeipa.yml rename roles/prereqs/pvc_ecs/{templates/networkmanager-conf.j2 => files/networkmanager.conf} (100%) diff --git a/roles/cloudera_manager/autotls/templates/auto-tls-key.json b/roles/cloudera_manager/autotls/templates/auto-tls-key.json index 78db7264..f49c1cbb 100644 --- a/roles/cloudera_manager/autotls/templates/auto-tls-key.json +++ b/roles/cloudera_manager/autotls/templates/auto-tls-key.json @@ -4,7 +4,6 @@ "sshPort" : 22, {% if freeipa_activated %}"trustedCaCerts" : "/etc/ipa/ca.crt",{% endif %} "userName" : "{{ sudoerUser|default("root") }}", - "privateKey": "{{ node_key_one_line }}" + "privateKey": "{{ node_key_one_line|default('~/node_key') }}" "passphrase": "{{ passphrase|default("") }}" -} - \ No newline at end of file +} \ No newline at end of file diff --git a/roles/cloudera_manager/external_auth/tasks/main.yml b/roles/cloudera_manager/external_auth/tasks/main.yml index 2f48076d..082c6a87 100644 --- a/roles/cloudera_manager/external_auth/tasks/main.yml +++ b/roles/cloudera_manager/external_auth/tasks/main.yml @@ -1,4 +1,4 @@ -# Copyright 2021 Cloudera, Inc. +# Copyright 2023 Cloudera, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
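Review bot: `node_key_one_line|default('~/node_key')` substitutes a filesystem path for the private key content whenever `node_key_one_line` is undefined (the `Set node_key on one line` task is skipped when `use_password` is set), so Cloudera Manager would receive the literal string `~/node_key` as the private key; default to an empty string instead, or render the member only when a key was read, `{% if node_key_one_line is defined %}"privateKey": "{{ node_key_one_line }}",{% endif %}`. The comma missing between `"privateKey"` and `"passphrase"` since patch 05 is still absent here, so the rendered file remains invalid JSON.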
@@ -14,6 +14,15 @@ --- +- name: Conditionally load in variables for initializing IPA + ansible.builtin.include_vars: + file: freeipa.yml + when: + - freeipa_activated + - cloudera_manager_external_auth is undefined + - cloudera_manager_version is version('6.0.0','>=') + + - name: Select external auth provider details set_fact: auth_provider: "{{ auth_providers[cloudera_manager_external_auth.provider] }}" diff --git a/roles/cloudera_manager/external_auth/vars/freeipa.yml b/roles/cloudera_manager/external_auth/vars/freeipa.yml new file mode 100644 index 00000000..d3fa4026 --- /dev/null +++ b/roles/cloudera_manager/external_auth/vars/freeipa.yml 
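Review bot: `auth_providers` now exists only in `vars/freeipa.yml`, and this include is skipped whenever the user defines `cloudera_manager_external_auth` themselves, so the `set_fact` that follows fails on an undefined `auth_providers` for any non-FreeIPA provider unless the user also supplies that mapping — either restore a default `auth_providers` in the role defaults or document the requirement in the role README. `cloudera_manager_version is version('6.0.0','>=')` raises if `cloudera_manager_version` is not defined at this point; `cloudera_manager_version | default('0') is version('6.0.0', '>=')` would degrade to "skip" instead, if that matches the intent. The double blank line before the next task is a minor style nit.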
@@ -0,0 +1,44 @@ +# Copyright 2023 Cloudera, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- + +default_free_ipa_role_mappings: + - group: admins + roles: [ ROLE_ADMIN ] + - group: auditors + roles: [ ROLE_AUDITOR ] + - group: users + roles: [ ROLE_USER ] + +cloudera_manager_external_auth: + provider: "FreeIPA" + external_first: no + external_only: no + external_set: yes + role_mappings: "{{ default_free_ipa_role_mappings }}" + +auth_providers: + FreeIPA: + type: LDAP + ldap_url: "{{ ipa_ldap_url }}" + ldap_base_dn: + ldap_bind_user_dn: "{{ ipa_ldap_user_bind_dn }}" + ldap_bind_password: "{{ ipa_ldap_user_bind_password }}" + ldap_search_base: + user: "{{ ipa_ldap_user_search_base }}" + group: "{{ ipa_ldap_group_search_base }}" + ldap_search_filter: + user: "{{ ipa_ldap_user_search_filter }}" + group: "{{ ipa_ldap_user_group_filter }}" \ No newline at end of file diff --git a/roles/prereqs/pvc_ecs/templates/networkmanager-conf.j2 b/roles/prereqs/pvc_ecs/files/networkmanager.conf similarity index 100% rename from roles/prereqs/pvc_ecs/templates/networkmanager-conf.j2 rename to roles/prereqs/pvc_ecs/files/networkmanager.conf diff --git a/roles/prereqs/pvc_ecs/tasks/main.yml b/roles/prereqs/pvc_ecs/tasks/main.yml index a888f067..86280a39 100644 --- a/roles/prereqs/pvc_ecs/tasks/main.yml +++ b/roles/prereqs/pvc_ecs/tasks/main.yml 
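Review bot: `ldap_bind_user_dn` and `ldap_bind_password` take `ipa_ldap_user_bind_dn` and `ipa_ldap_user_bind_password`, which in `roles/infrastructure/krb5_common/defaults/main.yml` (context lines in patch 10 of this series) resolve to `uid=admin,cn=users,cn=accounts,...` and `cloudera_manager_admin_password`, so unless an inventory overrides them Cloudera Manager is configured to bind to FreeIPA as the directory administrator with the CM admin password stored in its external-auth settings; a comment here pointing at where the bind credentials come from, and a documented recommendation to use a dedicated read-only bind account, would make that trade-off visible. `ldap_base_dn:` with no value loads as null rather than an empty string (`ldap_base_dn: ''` if empty is intended), `external_first: no` / `external_only: no` / `external_set: yes` should be `false`/`true`, and the file has no trailing newline.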
@@ -65,8 +65,8 @@ ## see https://docs.rke2.io/known_issues - name: Set NetworkManager to ignore any ECS calico & flannel interfaces - template: - src: networkmanager-conf.j2 + copy: + src: networkmanager.conf dest: /etc/NetworkManager/conf.d/rke2-canal.config owner: root group: root From c4392a15ac4cbadce9ee94fd7f6684883474f2ee Mon Sep 17 00:00:00 2001 From: Chuck Levesque Date: Wed, 19 Apr 2023 00:21:49 -0400 Subject: [PATCH 08/10] TODO auto tls not working Signed-off-by: Chuck Levesque --- roles/cloudera_manager/autotls/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/cloudera_manager/autotls/defaults/main.yml b/roles/cloudera_manager/autotls/defaults/main.yml index c2aae2f3..384085af 100644 --- a/roles/cloudera_manager/autotls/defaults/main.yml +++ b/roles/cloudera_manager/autotls/defaults/main.yml @@ -16,4 +16,4 @@ host_ssh_username: root host_ssh_password: cloudera -private_key_path: '~/node_key' +sudoerUser: centos From 98c62497e0ab6e91bc3eabea6582aa497c140697 Mon Sep 17 00:00:00 2001 From: Chuck Levesque Date: Sun, 23 Apr 2023 17:35:29 -0400 Subject: [PATCH 09/10] Fix IPA verfiy when ecs Signed-off-by: Chuck Levesque --- roles/verify/inventory/tasks/main.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/roles/verify/inventory/tasks/main.yml b/roles/verify/inventory/tasks/main.yml index cb579c60..66b149a6 100644 --- a/roles/verify/inventory/tasks/main.yml +++ b/roles/verify/inventory/tasks/main.yml @@ -35,9 +35,15 @@ - block: - set_fact: - cluster_hosts: >- + cluster_hosts: >- {{ groups.cluster | default([]) - | union(groups.cloudera_manager | default([])) + | union( + (groups.cloudera_manager | default([]) + | union( + groups.ecs_nodes | default([]) + ) + ) + ) }} - name: Ensure that all hosts requiring TLS certificates have a FreeIPA client From 17f9d80004b6a99860d55c225462e9fbb0f89e21 Mon Sep 17 00:00:00 2001 
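Review bot: Removing the `private_key_path` default breaks `roles/cloudera_manager/autotls/tasks/main.yml`, which since patch 05 reads the key via `lookup('file', private_key_path )`, so with `use_password` false the task now fails on an undefined variable unless every inventory sets `private_key_path`; keep the default alongside the new key, `private_key_path: '~/node_key'` and `sudoerUser: centos`. The commit subject says auto-TLS is not working, and this missing default is a likely cause. `sudoerUser: centos` also bakes an image-specific login into role defaults; a comment noting it must be overridden per platform would help.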
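Review bot: The nested `union(...)` parenthesisation in the `cluster_hosts` expression in `roles/verify/inventory/tasks/main.yml` is hard to read and is equivalent to a flat filter chain: `{{ groups.cluster | default([]) | union(groups.cloudera_manager | default([])) | union(groups.ecs_nodes | default([])) }}`. Keeping the chain flat also makes it obvious that the change extends the FreeIPA-client check to the ECS nodes, which the following `Ensure that all hosts requiring TLS certificates have a FreeIPA client` task (outside this hunk) relies on.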
From: Chuck Levesque Date: Sun, 23 Apr 2023 18:02:12 -0400 Subject: [PATCH 10/10] Fix for ECS 1.5.0 and higher Signed-off-by: Chuck Levesque --- roles/infrastructure/krb5_common/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/infrastructure/krb5_common/defaults/main.yml b/roles/infrastructure/krb5_common/defaults/main.yml index c8378fbf..bfaa386f 100644 --- a/roles/infrastructure/krb5_common/defaults/main.yml +++ b/roles/infrastructure/krb5_common/defaults/main.yml @@ -34,6 +34,6 @@ ipa_ldap_dc_suffix: "{% for i in krb5_realm.split('.') %}dc={{ i | lower }}{% if ipa_ldap_user_bind_dn: "uid=admin,cn=users,cn=accounts,{{ ipa_ldap_dc_suffix }}" ipa_ldap_user_bind_password: "{{ cloudera_manager_admin_password }}" ipa_ldap_user_search_base: "cn=users,cn=accounts,{{ ipa_ldap_dc_suffix }}" -ipa_ldap_user_search_filter: "(&(uid={0})(objectClass=person))" +ipa_ldap_user_search_filter: "(uid={0})" ipa_ldap_group_search_base: "cn=groups,cn=accounts,{{ ipa_ldap_dc_suffix }}" -ipa_ldap_user_group_filter: "(&(member={1})(objectClass=posixgroup))" +ipa_ldap_user_group_filter: "(&(member={0})(objectClass=posixgroup)(!(cn=admin)))"
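Review bot: Dropping `(objectClass=person)` from `ipa_ldap_user_search_filter` widens the match to any entry under the user search base whose `uid` equals the login name; inside FreeIPA's `cn=users,cn=accounts` subtree that is normally only user entries, but if the relaxation was required for a specific case a comment saying why (`# ECS 1.5+ user entries are not matched by objectClass=person`, or whatever the actual reason is) would help the next reader, and otherwise restoring the object-class restriction is the safer default. In the group filter, `(!(cn=admin))` excludes a group named exactly `admin`; FreeIPA's built-in administrators group is `admins`, which is also what `default_free_ipa_role_mappings` maps to `ROLE_ADMIN` in `vars/freeipa.yml`, so either the exclusion has no effect or, if `admins` was meant, it would silently break that mapping — the intent should be stated in a comment. Switching `member={1}` to `member={0}` is correct only if `{0}` is the user's DN in CM's group-filter placeholders for the CM versions this role targets; confirm before relying on it.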