METRON-1738: Pcap directories should have correct permissions

[merrimanr]

Contributor Comments

This PR corrects the Pcap HDFS directory permissions. When a cluster is not Kerberized, the Pcap topology runs as the Storm user. In this case the Pcap directories should have write permission for the hadoop group. When a cluster is Kerberized, the directories should have write permission for the metron user.

This PR duplicates the effort in #1134 and borrows code from there. The difference is that the changes were applied to the Ambari REST component instead. Credit for this should be given to @MohanDV.

I have not tested this in full dev yet. To test in full dev, follow the steps for running the pcap topology and generating pcap data with pycapa. Data should be written to the input directory without error.

Pull Request Checklist

Thank you for submitting a contribution to Apache Metron.
Please refer to our Development Guidelines for the complete guide to follow for contributions.
Please refer also to our Build Verification Guidelines for complete smoke testing guides.

In order to streamline the review of the contribution we ask you follow these guidelines and ask you to double check the following:

For all changes:

• Is there a JIRA ticket associated with this PR? If not one needs to be created at Metron Jira.
• Does your PR title start with METRON-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
• Has your PR been rebased against the latest commit within the target branch (typically master)?

For code changes:

• Have you included steps to reproduce the behavior or problem that is being changed or addressed?

• Have you included steps or a guide to how the change may be verified and tested manually?

• Have you ensured that the full suite of tests and checks have been executed in the root metron folder via:

  mvn -q clean integration-test install && dev-utilities/build-utils/verify_licenses.sh 
  

• Have you written or updated unit tests and or integration tests to verify your changes?

• If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?

• Have you verified the basic functionality of the build by building and running locally with Vagrant full-dev environment or the equivalent?

For documentation related changes:

• Have you ensured that format looks appropriate for the output in which it is rendered by building and verifying the site-book? If not then run the following commands and the verify changes via site-book/target/site/index.html:

  cd site-book
  mvn site
  

Note:

Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.
It is also recommended that travis-ci is set up for your personal repository such that your branches are built there before submitting a pull request.

[mmiklavc]

@merrimanr - just for clarification on the directory permissions:

Non-Kerberized

• storm:hadoop, 0775
• Storm impersonation does not work
• Storm runs the topology, so it has rwx (7)
• Metron needs to read/write for the input dir and writing out the results (cli query, rest/ui query). It's a member of the hadoop group, so using that group with 0775 enables the required access.

groups metron
metron : hadoop

Kerberized

• metron:hadoop, 0755
• Impersonation works for Storm here
• metron runs the topology and has rwx (7) access
• hadoop no longer needs write access bc of impersonation

I compared this to what we do with indexing and I think we have 1 small gap. When starting from non-kerberized, and then adding kerberization, the perms will be looser than desired because any member of hadoop will still be able to write.

https://github.com/apache/metron/blob/master/metron-deployment/packaging/ambari/metron-mpack/src/main/resources/common-services/METRON/CURRENT/package/scripts/indexing_master.py#L78

[merrimanr]

Good catch. The latest commit should address that.

[merrimanr]

I validated this in full dev. After full finishes building these are the HDFS permissions:

[root@node1 vagrant]# hdfs dfs -ls /apps/metron/pcap
Found 3 items
drwxrwxr-x   - metron hadoop          0 2018-08-15 18:34 /apps/metron/pcap/input
drwxrwxr-x   - metron hadoop          0 2018-08-15 18:34 /apps/metron/pcap/interim
drwxrwxr-x   - metron hadoop          0 2018-08-15 18:34 /apps/metron/pcap/output

After Kerberos is enabled and REST is restarted, the permissions are:

[root@node1 vagrant]# hdfs dfs -ls /apps/metron/pcap
Found 3 items
drwxr-xr-x   - metron hadoop          0 2018-08-15 18:34 /apps/metron/pcap/input
drwxr-xr-x   - metron hadoop          0 2018-08-15 18:34 /apps/metron/pcap/interim
drwxr-xr-x   - metron hadoop          0 2018-08-15 18:34 /apps/metron/pcap/output

[mmiklavc]

I validated this in full dev. After full finishes building these are the HDFS permissions:

I was literally about to tear down my full dev and duplicate exactly this effort. I'm happy to continue doing so if you think it's warranted, but I suspect the path here is pretty direct, and your synopsis is exactly what I was about to do.

This looks good to me now. +1 via inspection.

[mmiklavc]

@merrimanr - this has been merged into the feature branch, please close.