Add HDP3 image with KMS

testing/hdp3.1-hive-kerberized-kms/Dockerfile

@@ -0,0 +1,38 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM testing/hdp3.1-hive-kerberized:unlabelled
+ARG ADDPRINC_ARGS="-maxrenewlife \"10 days\" +allow_renewable"
+
+# Install KMS
+ARG HADOOP_VERSION=3.1.4
+ARG HADOOP_BINARY_PATH=https://archive.apache.org/dist/hadoop/common/hadoop-$HADOOP_VERSION/hadoop-$HADOOP_VERSION.tar.gz
+RUN curl -fLsS -o /tmp/hadoop.tar.gz --url $HADOOP_BINARY_PATH && \
+    tar xzf /tmp/hadoop.tar.gz --directory /opt && mv /opt/hadoop-$HADOOP_VERSION /opt/hadoop
+
+# COPY CONFIGURATION
+COPY ./files /
+COPY ./files/etc/hadoop-kms/conf /opt/hadoop/etc/hadoop/
+
+# add users and group for testing purposes
+RUN set -xeu && \
+    for username in alice bob charlie; do \
+        groupadd "${username}_group" && \
+        useradd -g "${username}_group" "${username}" && \
+        /usr/sbin/kadmin.local -q "addprinc ${ADDPRINC_ARGS} -randkey ${username}/hadoop-master@LABS.TERADATA.COM" && \
+        /usr/sbin/kadmin.local -q "xst -norandkey -k /etc/hive/conf/${username}.keytab ${username}/hadoop-master"; \
+    done && \
+    echo OK
+
+RUN /root/setup_kms.sh
+
+CMD supervisord -c /etc/supervisord.conf

testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop-kms/conf/core-site.xml

@@ -0,0 +1,9 @@
+<?xml version="1.0"?>
+<configuration>
+
+    <property>
+        <name>fs.defaultFS</name>
+        <value>hdfs://hadoop-master:9000</value>
+    </property>
+
+</configuration>

testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop-kms/conf/kms-acls.xml

@@ -0,0 +1,35 @@
+<configuration>
+     <!--
+    org.apache.hadoop.crypto.key.kms.server.KeyAuthorizationKeyProvider.KeyOpType from hadoop-kms-2.6.0-cdh5.13.1-classes.jar
+        ALL,
+        READ,
+        MANAGEMENT,
+        GENERATE_EEK,
+        DECRYPT_EEK;
+        -->
+     <property>
+        <name>default.key.acl.ALL</name> <!-- not sure this is valid for default ACL -->
+        <value>*</value>
+    </property>
+
+    <property>
+        <name>default.key.acl.MANAGEMENT</name>
+        <value>*</value>
+    </property>
+
+    <property>
+        <name>default.key.acl.READ</name>
+        <value>*</value>
+    </property>
+
+    <property>
+        <name>default.key.acl.GENERATE_EEK</name>
+        <value>*</value>
+    </property>
+
+    <property>
+        <name>default.key.acl.DECRYPT_EEK</name>
+        <value>*</value>
+    </property>
+
+</configuration>

testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop-kms/conf/kms-site.xml

@@ -0,0 +1,29 @@
+<?xml version="1.0"?>
+<configuration>
+
+    <property>
+        <name>hadoop.kms.key.provider.uri</name>
+        <value>jceks://file@/${user.home}/kms.keystore</value>
+    </property>
+
+    <property>
+        <name>hadoop.kms.authentication.type</name>
+        <value>kerberos</value>
+    </property>
+
+    <property>
+        <name>hadoop.kms.authentication.kerberos.keytab</name>
+        <value>/etc/hadoop/conf/HTTP.keytab</value>
+    </property>
+
+    <property>
+        <name>hadoop.kms.authentication.kerberos.principal</name>
+        <value>HTTP/hadoop-master</value>
+    </property>
+
+    <property>
+        <name>hadoop.kms.authentication.kerberos.name.rules</name>
+        <value>DEFAULT</value>
+    </property>
+
+</configuration>

testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop-kms/conf/passwordfile

@@ -0,0 +1 @@
+abc1234

testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop/conf/core-site.xml

@@ -0,0 +1,80 @@
+<?xml version="1.0"?>
+<configuration>
+
+    <property>
+        <name>fs.defaultFS</name>
+        <value>hdfs://hadoop-master:9000</value>
+    </property>
+
+    <property>
+        <name>fs.permissions.umask-mode</name>
+        <value>000</value>
+    </property>
+
+    <!-- HTTPFS proxy user setting -->
+    <property>
+        <name>hadoop.proxyuser.httpfs.hosts</name>
+        <value>*</value>
+    </property>
+
+    <property>
+        <name>hadoop.proxyuser.httpfs.groups</name>
+        <value>*</value>
+    </property>
+
+    <!-- Hive impersonation -->
+    <property>
+        <name>hadoop.proxyuser.hive.hosts</name>
+        <value>*</value>
+    </property>
+
+    <property>
+        <name>hadoop.proxyuser.hive.groups</name>
+        <value>*</value>
+    </property>
+
+    <!-- Hdfs impersonation -->
+    <property>
+        <name>hadoop.proxyuser.hdfs.groups</name>
+        <value>*</value>
+    </property>
+
+    <property>
+        <name>hadoop.proxyuser.hdfs.hosts</name>
+        <value>*</value>
+    </property>
+
+    <!-- Trino impersonation -->
+    <property>
+        <name>hadoop.proxyuser.presto-server.groups</name>
+        <value>*</value>
+    </property>
+
+    <property>
+        <name>hadoop.proxyuser.presto-server.hosts</name>
+        <value>*</value>
+    </property>
+
+    <!-- Enable authentication -->
+    <property>
+        <name>hadoop.security.authentication</name>
+        <value>kerberos</value>
+    </property>
+
+    <property>
+        <name>hadoop.security.authorization</name>
+        <value>true</value>
+    </property>
+
+    <!-- KMS -->
+    <property>
+        <name>hadoop.security.key.provider.path</name>
+        <value>kms://http@hadoop-master:9600/kms</value>
+    </property>
+
+    <property>
+        <name>dfs.encryption.key.provider.uri</name>
+        <value>kms://http@hadoop-master:9600/kms</value>
+    </property>
+
+</configuration>

testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop/conf/hdfs-site.xml

@@ -0,0 +1,123 @@
+<?xml version="1.0"?>
+<!--
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  ~
+  -->
+<configuration>
+
+    <property>
+        <name>dfs.namenode.name.dir</name>
+        <value>/var/lib/hadoop-hdfs/cache/name/</value>
+    </property>
+
+    <property>
+        <name>dfs.datanode.data.dir</name>
+        <value>/var/lib/hadoop-hdfs/cache/data/</value>
+    </property>
+
+    <property>
+        <name>fs.viewfs.mounttable.hadoop-viewfs.link./default</name>
+        <value>hdfs://hadoop-master:9000/user/hive/warehouse</value>
+    </property>
+
+    <!-- General HDFS security config -->
+    <property>
+        <name>dfs.block.access.token.enable</name>
+        <value>true</value>
+    </property>
+
+    <!-- NameNode security config -->
+    <property>
+        <name>dfs.namenode.keytab.file</name>
+        <value>/etc/hadoop/conf/hdfs.keytab</value>
+        <!-- path to the HDFS keytab -->
+    </property>
+
+    <property>
+        <name>dfs.namenode.kerberos.principal</name>
+        <value>hdfs/hadoop-master@LABS.TERADATA.COM</value>
+    </property>
+
+    <property>
+        <name>dfs.namenode.kerberos.internal.spnego.principal</name>
+        <value>HTTP/hadoop-master@LABS.TERADATA.COM</value>
+    </property>
+
+    <!-- Secondary NameNode security config -->
+    <property>
+        <name>dfs.secondary.namenode.keytab.file</name>
+        <value>/etc/hadoop/conf/hdfs.keytab</value>
+        <!-- path to the HDFS keytab -->
+    </property>
+
+    <property>
+        <name>dfs.secondary.namenode.kerberos.principal</name>
+        <value>hdfs/hadoop-master@LABS.TERADATA.COM</value>
+    </property>
+
+    <property>
+        <name>dfs.secondary.namenode.kerberos.internal.spnego.principal</name>
+        <value>HTTP/hadoop-master@LABS.TERADATA.COM</value>
+    </property>
+
+    <!-- DataNode security config -->
+    <property>
+        <name>dfs.datanode.keytab.file</name>
+        <value>/etc/hadoop/conf/hdfs.keytab</value>
+        <!-- path to the HDFS keytab -->
+    </property>
+
+    <property>
+        <name>dfs.datanode.kerberos.principal</name>
+        <value>hdfs/hadoop-master@LABS.TERADATA.COM</value>
+    </property>
+
+    <!-- WebHDFS security config -->
+    <property>
+        <name>dfs.webhdfs.enabled</name>
+        <value>true</value>
+    </property>
+
+    <!-- Web Authentication config -->
+    <property>
+        <name>dfs.web.authentication.kerberos.principal</name>
+        <value>HTTP/hadoop-master@LABS.TERADATA.COM</value>
+    </property>
+
+    <property>
+        <name>dfs.web.authentication.kerberos.keytab</name>
+        <value>/etc/hadoop/conf/HTTP.keytab</value>
+        <!-- path to the HTTP keytab -->
+    </property>
+
+    <property>
+        <name>ignore.secure.ports.for.testing</name>
+        <value>true</value>
+    </property>
+
+    <property>
+        <name>dfs.http.policy</name>
+        <value>HTTP_ONLY</value>
+    </property>
+
+    <property>
+        <name>dfs.namenode.acls.enabled</name>
+        <value>true</value>
+    </property>
+
+    <property>
+        <name>dfs.permissions</name>
+        <value>true</value>
+    </property>
+
+</configuration>

testing/hdp3.1-hive-kerberized-kms/files/etc/hadoop/conf/taskcontroller.cfg

@@ -0,0 +1,5 @@
+hadoop.log.dir=/var/log/hadoop-mapreduce
+mapreduce.tasktracker.group=mapred
+banned.users=mapred,bin
+min.user.id=0
+allowed.system.users=nobody,hive