Yang, Tong 6182f91ba8 MRS component operation guide_normal 2.0.38.SP20 version
Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com>
Co-authored-by: Yang, Tong <yangtong2@huawei.com>
Co-committed-by: Yang, Tong <yangtong2@huawei.com>
2022-12-09 14:55:21 +00:00

<a name="mrs_01_1047"></a><a name="mrs_01_1047"></a>
<h1 class="topictitle1">Configuring a Storm Service User Password Policy</h1>
<div id="body1590370637036"><div class="section" id="mrs_01_1047__s5ac411fb264544bfb87f63db3895ef1b"><h4 class="sectiontitle">Scenario</h4><p id="mrs_01_1047__p545492183920">This section applies to MRS 3.<em id="mrs_01_1047__i274793765016">x</em> or later.</p>
<p id="mrs_01_1047__acf2d7cd623794587bdb32bc24e21a677">After submitting a topology task, a Storm service user must ensure that the task keeps running. While the topology is running, the worker process may need to restart to keep the topology working. If the service user's password is changed, or the password has been in use for longer than the maximum validity period specified in the password policy, the running topology may be affected. A system administrator must therefore configure a separate password policy for Storm service users based on enterprise security requirements.</p>
<div class="note" id="mrs_01_1047__n02e1f01833dc4c5db796efd35c291ea6"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p class="text" id="mrs_01_1047__a6547888d445c4086921c154edab6ebc3">If a separate password policy is not configured for Storm service users, the old topology can be deleted and submitted again after the service user's password is changed, so that the topology continues running.</p>
</div></div>
</div>
<div class="section" id="mrs_01_1047__s725ab2ff6281428ba65ceb8a99b32d79"><h4 class="sectiontitle">Impact on the System</h4><ul id="mrs_01_1047__u24eede23aaa84a53972ccacbe8b146c5"><li id="mrs_01_1047__la67b1037d7a348ea828c8326d10894eb">After a separate password policy is configured for a Storm service user, the user is not affected by <strong id="mrs_01_1047__b16954171382612">Password Policy</strong> on the Manager page.</li><li id="mrs_01_1047__l857d90454624410fbdd8c3c54f568dd7">If a separate password policy is configured for a Storm service user and cross-cluster entrusted relationships are configured, a password must be reset for the Storm service user on Manager based on the password policy.</li></ul>
</div>
<div class="section" id="mrs_01_1047__s677d4943025044f2b0675396c0f19012"><h4 class="sectiontitle">Prerequisites</h4><p id="mrs_01_1047__a7b153b8ec25d46c9bbe59b358b7df108">A system administrator understands the service requirements and has created a <strong id="mrs_01_1047__b8071010549">Human-Machine</strong> user, for example, <strong id="mrs_01_1047__b1165113147544">testpol</strong>.</p>
</div>
<div class="section" id="mrs_01_1047__s47daa6293b5a43539c965bcd4cce9b03"><h4 class="sectiontitle">Procedure</h4><ol id="mrs_01_1047__o11491cb0cd1f4482a55e3a6c39439a4b"><li id="mrs_01_1047__l9c293f9a4f1e4ce6997ff90ac1602958"><span>Log in to any node in the cluster as user <strong id="mrs_01_1047__b58401441205420">omm</strong>.</span></li><li id="mrs_01_1047__l13c3dc83dd7f4a0aa69756f6c21e08b3"><span>Run the following command to disable logout upon timeout:</span><p><p id="mrs_01_1047__af9bcf5d3d3ab46dc896835aac6af6eb3"><strong id="mrs_01_1047__a0143d2572721413f9bd18993f87f23a7">TMOUT=0</strong></p>
<div class="note" id="mrs_01_1047__note12497171716409"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="mrs_01_1047__p1614684417440">After the operations in this section are complete, run the <strong id="mrs_01_1047__b13988193413428">TMOUT=</strong><em id="mrs_01_1047__i898813410424">Timeout interval</em> command to restore the timeout interval in a timely manner. For example, <strong id="mrs_01_1047__b57841838124210">TMOUT=600</strong> indicates that a user is logged out if the user does not perform any operation within 600 seconds.</p>
</div></div>
</p></li><li id="mrs_01_1047__li49336222165658"><span>Run the following commands to export the environment variables:</span><p><p id="mrs_01_1047__p35055948165741"><strong id="mrs_01_1047__b20545211184932">EXECUTABLE_HOME="${CONTROLLER_HOME}/kerberos_user_specific_binay/kerberos"</strong></p>
<p id="mrs_01_1047__p20959544165741"><strong id="mrs_01_1047__b53549391184932">LD_LIBRARY_PATH=${EXECUTABLE_HOME}/lib:$LD_LIBRARY_PATH</strong></p>
<p id="mrs_01_1047__p20001500165741"><strong id="mrs_01_1047__b42533444184932">PATH=${EXECUTABLE_HOME}/bin:$PATH</strong></p>
</p></li><li id="mrs_01_1047__l1f5ab087617748c9adcf910134e5c096"><span>Run the following command and enter the Kerberos administrator password to log in to the Kerberos console:</span><p><p id="mrs_01_1047__a1e1f0328561442838ca4960119375651"><strong id="mrs_01_1047__ad63cc07758d6442e9d9ff2951bd01fb3">kadmin -p kadmin/admin</strong></p>
<div class="note" id="mrs_01_1047__nb6efb05e81db4ca3a2dfb62d7790bbfd"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p class="text" id="mrs_01_1047__acbd5665414f54757a07470ad7313a73c">For initial use, the <strong id="mrs_01_1047__b83831836205719">kadmin/admin</strong> password must be changed for the <strong id="mrs_01_1047__b366264185711">kadmin/admin</strong> user.</p>
</div></div>
<p id="mrs_01_1047__a8439ca511b73441487e3873628b844d0">If the following information is displayed, you have successfully logged in to the Kerberos console.</p>
<pre class="screen" id="mrs_01_1047__s2d44e9f6777740488ead793f6e90ec20">kadmin:</pre>
</p></li><li id="mrs_01_1047__l80a3bf3a676446198a5b19d584d430d5"><span>Run the following command to check details about the created <strong id="mrs_01_1047__b312016216134">Human-Machine</strong> user:</span><p><p id="mrs_01_1047__aa6a3131abb604827b5b56bd889089ffa"><strong id="mrs_01_1047__b1049155418126">getprinc</strong> <em id="mrs_01_1047__i15492195411125">Username</em></p>
<p id="mrs_01_1047__af406442f64a14ffaacee99e206b143ab">Sample command for viewing details about the <strong id="mrs_01_1047__b20483145311173">testpol</strong> user:</p>
<p id="mrs_01_1047__a4262f67c45be49b5abe25eb4978c1714"><strong id="mrs_01_1047__ab41a42711f734d68aa0354f37553338f">getprinc testpol</strong></p>
<p id="mrs_01_1047__aa0f65df51cfd4e5daa7231bf3e2e60e4">If the following information is displayed, the specified user currently uses the default password policy:</p>
<pre class="screen" id="mrs_01_1047__sd8f9284b3f7242878eb28575a6900f16">Principal: testpol@<em id="mrs_01_1047__i285003320117">&lt;System domain name&gt;</em>
......
Policy: default</pre>
</p></li><li id="mrs_01_1047__ld1316e03f1b64624a245cc98837c074c"><span>Run the following command to create a separate password policy, such as <strong id="mrs_01_1047__b20930116112018">streampol</strong>, for the Storm service user:</span><p><p id="mrs_01_1047__ab036ac5c6fb3482abc8d35c21abb1783"><strong id="mrs_01_1047__afd87f7a831b346b0bf299f073d8b7124">addpol -maxlife 0day -minlife 0sec -history 1 -maxfailure 5 -failurecountinterval 5min -lockoutduration 5min -minlength 8 -minclasses 4 streampol</strong></p>
<p id="mrs_01_1047__aabe9543abc0e479cb1c4c1105aa7dfbd">In the command, <strong id="mrs_01_1047__b1219724052110">-maxlife</strong> indicates the maximum validity period of a password, and <strong id="mrs_01_1047__b431153513220">0day</strong> indicates that a password will never expire.</p>
</p></li><li id="mrs_01_1047__la89c73dd12d041e7a4bc2849e7f2151a"><span>Run the following command to view the newly created policy <strong id="mrs_01_1047__b12893518237">streampol</strong>:</span><p><p id="mrs_01_1047__ab321b825720d4e79be2a65380e7da4d1"><strong id="mrs_01_1047__a30642dc6076745349616e5ee39d303a4">getpol streampol</strong></p>
<p id="mrs_01_1047__a5f076e66e6e84375b92a830d8f960443">If the following information is displayed, the new policy specifies that the password will never expire:</p>
<pre class="screen" id="mrs_01_1047__se1f4a27dd32c496086fb06f67d882426">Policy: streampol
Maximum password life: 0 days 00:00:00
......</pre>
</p></li><li id="mrs_01_1047__l2e1c9bc684c14b8387e60894d0277324"><span>Run the following command to apply the new policy <strong id="mrs_01_1047__b15175144411233">streampol</strong> to the <strong id="mrs_01_1047__b026512062410">testpol</strong> Storm user:</span><p><p id="mrs_01_1047__a6921a7402fc543b383bfc3f8b129e964"><strong id="mrs_01_1047__a7e79a9697835463ab9da9882937ec627">modprinc -policy streampol testpol</strong></p>
<p id="mrs_01_1047__ab3f47d92fa46487aa30b854b03064398">In the command, <strong id="mrs_01_1047__b1678311711246">streampol</strong> indicates a policy name, and <strong id="mrs_01_1047__b4650727172415">testpol</strong> indicates a username.</p>
<p id="mrs_01_1047__aaa6267f02c17409486e4b3d412c3a9d5">If the following information is displayed, the properties of the specified user have been modified:</p>
<pre class="screen" id="mrs_01_1047__s32feda9fa99c44649992fdb92f90dcb9">Principal "testpol@<em id="mrs_01_1047__i106994551317">&lt;System domain name&gt;</em>" modified.</pre>
</p></li><li id="mrs_01_1047__l1bc7dd5e7eb14ee18102e4fd8091ec6f"><span>Run the following command to view current information about the <strong id="mrs_01_1047__b1553393916254">testpol</strong> Storm user:</span><p><p id="mrs_01_1047__abd966599bbce4a87bef3174bc991cab1"><strong id="mrs_01_1047__a13bbb2cc8938483fb404eee1cc202079">getprinc testpol</strong></p>
<p id="mrs_01_1047__a05ebf2b87afc41df8d3e0e0b49232797">If the following information is displayed, the specified user now uses the new password policy:</p>
<pre class="screen" id="mrs_01_1047__se98fd662c03c4581b5d224d73e87e7b5">Principal: testpol@<em id="mrs_01_1047__i52911011152618">&lt;System domain name&gt;</em>
......
Policy: streampol</pre>
</p></li></ol>
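<p>The steps above leave the operator to eyeball the <strong>getprinc</strong> and <strong>getpol</strong> output. The following POSIX shell functions, added here as an example and not part of the MRS documentation or product, parse that output so the check can be scripted: <code>principal_policy</code> extracts the <code>Policy:</code> line of a <strong>getprinc</strong> listing, <code>policy_maxlife_seconds</code> converts the <code>Maximum password life:</code> value of a <strong>getpol</strong> listing to seconds, and <code>verify_storm_policy</code> fails unless the principal is bound to the expected policy and that policy's maximum life is 0 (never expires). The sample listings embedded below are constructed for the example; on a real node they would come from <code>kadmin -p kadmin/admin -q "getprinc testpol"</code> and <code>kadmin -p kadmin/admin -q "getpol streampol"</code> (the <code>-q</code> form of kadmin is standard MIT Kerberos, but running it non-interactively is this example's choice, not the guide's).</p>

```shell
#!/bin/sh
# Constructed sample of `getprinc testpol` output (not captured from a real cluster).
SAMPLE_GETPRINC='Principal: testpol@EXAMPLE.COM
Expiration date: [never]
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Policy: streampol'

# Constructed sample of `getpol streampol` output, matching the addpol
# parameters used in the procedure (maxlife 0, minlength 8, minclasses 4, ...).
SAMPLE_GETPOL='Policy: streampol
Maximum password life: 0 days 00:00:00
Minimum password life: 0 days 00:00:00
Minimum password length: 8
Minimum number of password character classes: 4
Number of old keys kept: 1
Maximum password failures before lockout: 5
Password failure count reset interval: 0 days 00:05:00
Password lockout duration: 0 days 00:05:00'

# principal_policy OUTPUT
#   Prints the policy name from a getprinc listing (empty if no Policy: line).
principal_policy() {
    printf '%s\n' "$1" | awk -F': ' '/^Policy:/ { print $2; exit }'
}

# policy_maxlife_seconds OUTPUT
#   Converts "Maximum password life: N days HH:MM:SS" to a number of seconds.
#   Prints nothing if the line is absent, which callers treat as a failure.
policy_maxlife_seconds() {
    printf '%s\n' "$1" | awk '/^Maximum password life:/ {
        days = $4; split($6, t, ":")
        print days * 86400 + t[1] * 3600 + t[2] * 60 + t[3]; exit }'
}

# verify_storm_policy GETPRINC_OUTPUT GETPOL_OUTPUT EXPECTED_POLICY
#   Returns 0 when the principal uses EXPECTED_POLICY and that policy never
#   expires passwords; returns 1 for a policy mismatch, 2 for a non-zero maxlife.
verify_storm_policy() {
    pol=$(principal_policy "$1")
    if [ "$pol" != "$3" ]; then
        echo "principal uses policy '$pol', expected '$3'" >&2
        return 1
    fi
    secs=$(policy_maxlife_seconds "$2")
    if [ "$secs" != "0" ]; then
        echo "policy '$pol' has maximum password life '${secs:-unknown}' seconds, not 0" >&2
        return 2
    fi
    return 0
}

# Stand-alone run against the constructed samples.
if verify_storm_policy "$SAMPLE_GETPRINC" "$SAMPLE_GETPOL" streampol; then
    echo "testpol is bound to streampol and its password never expires"
fi
```

<p>Running the check after step 8 (and again after any change to the policy on Manager) catches the two silent failure modes the procedure warns about: the principal still bound to <strong>default</strong>, or a policy whose <strong>-maxlife</strong> was not actually set to 0.</p>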
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="mrs_01_0380.html">Using Storm</a></div>
</div>
</div>