RANGER-5373: Docker setup updated to run KDC and create keytabs for service accounts

dev-support/ranger-docker/.env

@@ -12,6 +12,14 @@ RANGER_BASE_VERSION=20250707-1-8
 # Java version used to build Apache Ranger is present as suffix: -8, valid values for suffix: -8, -11, -17
 RANGER_BASE_BUILD_VERSION=20250707-1-8
 
+# Kerberos
+KERBEROS_ENABLED=true
+KERBEROS_REALM=EXAMPLE.COM
+KERBEROS_KDC_HOST=ranger-kdc.example.com
+KERBEROS_MASTER_PASSWORD=rangerR0cks!
+KERBEROS_ADMIN_PRINCIPAL=admin/admin
+KERBEROS_ADMIN_PASSWORD=rangerR0cks!
+
 # third party image versions
 MARIADB_VERSION=10.7.3
 POSTGRES_VERSION=12

dev-support/ranger-docker/Dockerfile.ranger

@@ -29,6 +29,7 @@ COPY ./dist/ranger-${RANGER_VERSION}-admin.tar.gz /home/ranger/dist/
 COPY ./scripts/ranger.sh                                         ${RANGER_SCRIPTS}/
 COPY ./scripts/ranger-admin-install-${RANGER_DB_TYPE}.properties ${RANGER_SCRIPTS}/ranger-admin-install.properties
 COPY ./scripts/create-ranger-services.py                         ${RANGER_SCRIPTS}/
+COPY ./scripts/core-site.xml                                     ${RANGER_SCRIPTS}/
 
 RUN    tar xvfz /home/ranger/dist/ranger-${RANGER_VERSION}-admin.tar.gz --directory=${RANGER_HOME} \
     && ln -s ${RANGER_HOME}/ranger-${RANGER_VERSION}-admin ${RANGER_HOME}/admin \
@@ -38,8 +39,13 @@ RUN    tar xvfz /home/ranger/dist/ranger-${RANGER_VERSION}-admin.tar.gz --direct
     && mkdir -p /var/log/ranger \
     && chown -R ranger:ranger ${RANGER_HOME}/admin/ ${RANGER_SCRIPTS}/ /var/run/ranger/ /var/log/ranger/ \
     && chmod 755 ${RANGER_SCRIPTS}/ranger.sh \
+    && apt-get update && DEBIAN_FRONTEND="noninteractive" apt-get install -y krb5-user && mkdir -p /etc/keytabs \
     && mkdir -p /usr/share/java/
 
+COPY config/kdc/krb5.conf /etc/krb5.conf
+COPY config/kdc/create_keytab.sh /etc/keytabs/create_keytab.sh
+RUN chmod +x /etc/keytabs/create_keytab.sh
+
 FROM ranger AS ranger_postgres
 COPY ./downloads/postgresql-42.2.16.jre7.jar      /home/ranger/dist/
 RUN mv /home/ranger/dist/postgresql-42.2.16.jre7.jar /usr/share/java/postgresql.jar

dev-support/ranger-docker/Dockerfile.ranger-hadoop

@@ -31,8 +31,12 @@ COPY ./downloads/hadoop-${HADOOP_VERSION}.tar.gz             /home/ranger/dist/
 COPY ./scripts/ranger-hadoop-setup.sh                   /home/ranger/scripts/
 COPY ./scripts/ranger-hadoop.sh                         /home/ranger/scripts/
 COPY ./scripts/ranger-hadoop-mkdir.sh                   /home/ranger/scripts/
+COPY ./scripts/ranger-hadoop-healthcheck.sh             /home/ranger/scripts/
 COPY ./scripts/ranger-hdfs-plugin-install.properties    /home/ranger/scripts/
 COPY ./scripts/ranger-yarn-plugin-install.properties    /home/ranger/scripts/
+COPY ./scripts/core-site.xml                            /home/ranger/scripts/
+COPY ./scripts/hdfs-site.xml                            /home/ranger/scripts/
+COPY ./scripts/yarn-site.xml                            /home/ranger/scripts/
 
 RUN tar xvfz /home/ranger/dist/hadoop-${HADOOP_VERSION}.tar.gz --directory=/opt/ && \
     ln -s /opt/hadoop-${HADOOP_VERSION} /opt/hadoop && \
@@ -46,8 +50,16 @@ RUN tar xvfz /home/ranger/dist/hadoop-${HADOOP_VERSION}.tar.gz --directory=/opt/
     rm -f /home/ranger/dist/ranger-${YARN_PLUGIN_VERSION}-yarn-plugin.tar.gz && \
     cp -f /home/ranger/scripts/ranger-yarn-plugin-install.properties /opt/ranger/ranger-yarn-plugin/install.properties && \
     chmod 744 ${RANGER_SCRIPTS}/ranger-hadoop-setup.sh ${RANGER_SCRIPTS}/ranger-hadoop.sh ${RANGER_SCRIPTS}/ranger-hadoop-mkdir.sh && \
+    useradd -g hadoop -ms /bin/bash healthcheck && \
+    chmod 744 ${RANGER_SCRIPTS}/ranger-hadoop-healthcheck.sh && \
+    chown healthcheck:hadoop ${RANGER_SCRIPTS}/ranger-hadoop-healthcheck.sh && \
+    apt-get update && DEBIAN_FRONTEND="noninteractive" apt-get install -y krb5-user && mkdir -p /etc/keytabs && \
     chown hdfs:hadoop ${RANGER_SCRIPTS}/ranger-hadoop-mkdir.sh
 
+COPY config/kdc/krb5.conf /etc/krb5.conf
+COPY config/kdc/create_keytab.sh /etc/keytabs/create_keytab.sh
+RUN chmod +x /etc/keytabs/create_keytab.sh
+
 RUN apt-get update && \
     apt-get install -y --no-install-recommends openssh-server && \
     mkdir -p /var/run/sshd && \

dev-support/ranger-docker/Dockerfile.ranger-hbase

@@ -30,6 +30,7 @@ COPY ./scripts/ranger-hbase-setup.sh                     /home/ranger/scripts/
 COPY ./scripts/ranger-hbase.sh                           /home/ranger/scripts/
 COPY ./scripts/ranger-hbase-plugin-install.properties    /home/ranger/scripts/
 COPY ./scripts/hbase-site.xml                            /home/ranger/scripts/
+COPY ./scripts/core-site.xml                             /home/ranger/scripts/
 
 RUN tar xvfz /home/ranger/dist/hbase-${HBASE_VERSION}-bin.tar.gz --directory=/opt/ && \
     ln -s /opt/hbase-${HBASE_VERSION} /opt/hbase && \
@@ -42,9 +43,14 @@ RUN tar xvfz /home/ranger/dist/hbase-${HBASE_VERSION}-bin.tar.gz --directory=/op
 
 RUN apt-get update && \
     apt-get install -y --no-install-recommends openssh-server && \
+    DEBIAN_FRONTEND="noninteractive" apt-get install -y krb5-user && mkdir -p /etc/keytabs && \
     mkdir -p /var/run/sshd && \
     rm -rf /var/lib/apt/lists/*
 
+COPY config/kdc/krb5.conf /etc/krb5.conf
+COPY config/kdc/create_keytab.sh /etc/keytabs/create_keytab.sh
+RUN chmod +x /etc/keytabs/create_keytab.sh
+
 ENV HBASE_HOME=/opt/hbase
 ENV PATH=/usr/java/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/hbase/bin
 

dev-support/ranger-docker/Dockerfile.ranger-hive

@@ -37,6 +37,7 @@ COPY ./scripts/ranger-hive-setup.sh                     /home/ranger/scripts/
 COPY ./scripts/ranger-hive.sh                           /home/ranger/scripts/
 COPY ./scripts/ranger-hive-plugin-install.properties    /home/ranger/scripts/
 COPY ./scripts/hive-site-${RANGER_DB_TYPE}.xml          /home/ranger/scripts/hive-site.xml
+COPY ./scripts/core-site.xml                            /home/ranger/scripts/
 
 RUN tar xvfz /home/ranger/dist/apache-hive-${HIVE_VERSION}-bin.tar.gz --directory=/opt/ && \
     ln -s /opt/apache-hive-${HIVE_VERSION}-bin /opt/hive && \
@@ -51,8 +52,13 @@ RUN tar xvfz /home/ranger/dist/apache-hive-${HIVE_VERSION}-bin.tar.gz --director
     ln -s /opt/ranger/ranger-${HIVE_PLUGIN_VERSION}-hive-plugin /opt/ranger/ranger-hive-plugin && \
     rm -f /home/ranger/dist/ranger-${HIVE_PLUGIN_VERSION}-hive-plugin.tar.gz && \
     cp -f /home/ranger/scripts/ranger-hive-plugin-install.properties /opt/ranger/ranger-hive-plugin/install.properties && \
+    apt update && DEBIAN_FRONTEND="noninteractive" apt-get install -y krb5-user && mkdir -p /etc/keytabs && \
     chmod 744 ${RANGER_SCRIPTS}/ranger-hive-setup.sh ${RANGER_SCRIPTS}/ranger-hive.sh
 
+COPY config/kdc/krb5.conf /etc/krb5.conf
+COPY config/kdc/create_keytab.sh /etc/keytabs/create_keytab.sh
+RUN chmod +x /etc/keytabs/create_keytab.sh
+
 ENV HIVE_HOME=/opt/hive
 ENV HADOOP_HOME=/opt/hadoop
 ENV PATH=/usr/java/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/hive/bin:/opt/hadoop/bin

dev-support/ranger-docker/Dockerfile.ranger-kafka

@@ -29,6 +29,8 @@ COPY ./downloads/kafka_2.12-${KAFKA_VERSION}.tgz               /home/ranger/dist
 COPY ./scripts/ranger-kafka-setup.sh                     /home/ranger/scripts/
 COPY ./scripts/ranger-kafka.sh                           /home/ranger/scripts/
 COPY ./scripts/ranger-kafka-plugin-install.properties    /home/ranger/scripts/
+COPY ./scripts/kafka-server-jaas.conf                    /home/ranger/scripts/
+COPY ./scripts/core-site.xml                             /home/ranger/scripts/
 
 RUN tar xvfz /home/ranger/dist/kafka_2.12-${KAFKA_VERSION}.tgz --directory=/opt/ && \
     ln -s /opt/kafka_2.12-${KAFKA_VERSION} /opt/kafka && \
@@ -37,8 +39,13 @@ RUN tar xvfz /home/ranger/dist/kafka_2.12-${KAFKA_VERSION}.tgz --directory=/opt/
     ln -s /opt/ranger/ranger-${KAFKA_PLUGIN_VERSION}-kafka-plugin /opt/ranger/ranger-kafka-plugin && \
     rm -f /home/ranger/dist/ranger-${KAFKA_PLUGIN_VERSION}-kafka-plugin.tar.gz && \
     cp -f /home/ranger/scripts/ranger-kafka-plugin-install.properties /opt/ranger/ranger-kafka-plugin/install.properties && \
+    apt update && DEBIAN_FRONTEND="noninteractive" apt-get install -y krb5-user && mkdir -p /etc/keytabs && \
     chmod 744 ${RANGER_SCRIPTS}/ranger-kafka-setup.sh ${RANGER_SCRIPTS}/ranger-kafka.sh
 
+COPY config/kdc/krb5.conf /etc/krb5.conf
+COPY config/kdc/create_keytab.sh /etc/keytabs/create_keytab.sh
+RUN chmod +x /etc/keytabs/create_keytab.sh
+
 ENV KAFKA_HOME=/opt/kafka
 ENV PATH=/usr/java/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/kafka/bin
 

dev-support/ranger-docker/Dockerfile.ranger-kdc

@@ -0,0 +1,42 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG RANGER_BASE_JAVA_VERSION=8
+
+FROM eclipse-temurin:${RANGER_BASE_JAVA_VERSION}-jdk-jammy
+
+ENV DEBIAN_FRONTEND=noninteractive
+ENV REALM=EXAMPLE.COM
+ENV KDC_HOST=kdc.example.com
+ENV ADMIN_PRINCIPAL=admin/admin
+ENV ADMIN_PASSWORD=rangerR0cks!
+ENV MASTER_PASSWORD=rangerR0cks!
+
+# Install Kerberos components
+RUN apt-get update && \
+    apt-get install -y krb5-kdc krb5-admin-server krb5-user && \
+    rm -rf /var/lib/apt/lists/*
+
+# Copy configuration files
+COPY config/kdc/krb5.conf /etc/krb5.conf
+COPY config/kdc/kdc.conf /etc/krb5kdc/kdc.conf
+COPY config/kdc/kadm5.acl /etc/krb5kdc/kadm5.acl
+COPY config/kdc/entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+EXPOSE 88/tcp 88/udp 749/tcp
+
+ENTRYPOINT ["/entrypoint.sh"]

dev-support/ranger-docker/Dockerfile.ranger-kms

@@ -26,6 +26,7 @@ COPY ./dist/ranger-${KMS_VERSION}-kms.tar.gz                   /home/ranger/dist
 
 COPY ./scripts/ranger-kms.sh                                   ${RANGER_SCRIPTS}/
 COPY ./scripts/ranger-kms-install-${RANGER_DB_TYPE}.properties ${RANGER_SCRIPTS}/ranger-kms-install.properties
+COPY ./scripts/core-site.xml                                   ${RANGER_SCRIPTS}/
 
 RUN tar xvfz /home/ranger/dist/ranger-${KMS_VERSION}-kms.tar.gz --directory=${RANGER_HOME} && \
     ln -s ${RANGER_HOME}/ranger-${KMS_VERSION}-kms ${RANGER_HOME}/kms && \
@@ -39,8 +40,13 @@ RUN tar xvfz /home/ranger/dist/ranger-${KMS_VERSION}-kms.tar.gz --directory=${RA
     ln -s /etc/init.d/ranger-kms /etc/rc3.d/K90ranger-kms && \
     ln -s ${RANGER_HOME}/kms/ranger-kms-services.sh /usr/bin/ranger-kms-services.sh && \
     chown -R rangerkms:ranger ${RANGER_HOME}/kms/ ${RANGER_SCRIPTS}/ /var/run/ranger_kms/ /var/log/ranger/ && \
+    apt update && DEBIAN_FRONTEND="noninteractive" apt-get install -y krb5-user && mkdir -p /etc/keytabs && \
     chmod 744 ${RANGER_SCRIPTS}/ranger-kms.sh
 
+COPY config/kdc/krb5.conf /etc/krb5.conf
+COPY config/kdc/create_keytab.sh /etc/keytabs/create_keytab.sh
+RUN chmod +x /etc/keytabs/create_keytab.sh
+
 FROM ranger-kms AS ranger_postgres
 COPY ./downloads/postgresql-42.2.16.jre7.jar          /home/ranger/dist/
 RUN  mv /home/ranger/dist/postgresql-42.2.16.jre7.jar /usr/share/java/postgresql.jar

dev-support/ranger-docker/Dockerfile.ranger-knox

@@ -40,8 +40,13 @@ RUN tar xvfz /home/ranger/dist/knox-${KNOX_VERSION}.tar.gz --directory=/opt/ &&
     rm -f /home/ranger/dist/ranger-${KNOX_PLUGIN_VERSION}-knox-plugin.tar.gz && \
     cp -f /home/ranger/scripts/ranger-knox-plugin-install.properties /opt/ranger/ranger-knox-plugin/install.properties && \
     cp -f /home/ranger/scripts/ranger-knox-sandbox.xml /opt/knox/conf/topologies/sandbox.xml && \
+    apt update && DEBIAN_FRONTEND="noninteractive" apt-get install -y krb5-user && mkdir -p /etc/keytabs && \
     chmod 744 ${RANGER_SCRIPTS}/ranger-knox-setup.sh ${RANGER_SCRIPTS}/ranger-knox.sh ${RANGER_SCRIPTS}/ranger-knox-expect.py
 
+COPY config/kdc/krb5.conf /etc/krb5.conf
+COPY config/kdc/create_keytab.sh /etc/keytabs/create_keytab.sh
+RUN chmod +x /etc/keytabs/create_keytab.sh
+
 ENV KNOX_HOME=/opt/knox
 ENV PATH=/usr/java/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/knox/bin
 

dev-support/ranger-docker/Dockerfile.ranger-solr

@@ -23,4 +23,10 @@ RUN  mkdir -p /opt/solr/server/solr/configsets/ranger_audits/conf
 COPY config/solr-ranger_audits/* /opt/solr/server/solr/configsets/ranger_audits/conf/
 RUN chown -R solr:solr /opt/solr/server/solr/configsets/ranger_audits/
 
+RUN apt update && DEBIAN_FRONTEND="noninteractive" apt-get install -y krb5-user && mkdir -p /etc/keytabs
+
+COPY config/kdc/krb5.conf /etc/krb5.conf
+COPY config/kdc/create_keytab.sh /etc/keytabs/create_keytab.sh
+RUN chmod +x /etc/keytabs/create_keytab.sh
+
 USER solr

dev-support/ranger-docker/Dockerfile.ranger-tagsync

@@ -26,6 +26,7 @@ COPY ./dist/ranger-${TAGSYNC_VERSION}-tagsync.tar.gz /home/ranger/dist/
 COPY ./scripts/ranger-tagsync.sh                     ${RANGER_SCRIPTS}/
 COPY ./scripts/ranger-tagsync-install.properties     ${RANGER_SCRIPTS}/
 COPY ./scripts/ranger-tagsync-tags.json              ${RANGER_SCRIPTS}/
+COPY ./scripts/core-site.xml                         ${RANGER_SCRIPTS}/
 
 RUN tar xvfz /home/ranger/dist/ranger-${TAGSYNC_VERSION}-tagsync.tar.gz --directory=${RANGER_HOME} && \
     ln -s ${RANGER_HOME}/ranger-${TAGSYNC_VERSION}-tagsync ${RANGER_HOME}/tagsync && \
@@ -43,8 +44,13 @@ RUN tar xvfz /home/ranger/dist/ranger-${TAGSYNC_VERSION}-tagsync.tar.gz --direct
     ln -s /etc/init.d/ranger-tagsync /etc/rc3.d/K00ranger-tagsync && \
     ln -s ${RANGER_HOME}/tagsync/ranger-tagsync-services.sh /usr/bin/ranger-tagsync-services.sh && \
     chown -R ranger:ranger ${RANGER_HOME}/tagsync/ ${RANGER_SCRIPTS}/ /var/run/ranger/ /var/log/ranger/ /etc/ranger /etc/init.d/ranger-tagsync && \
+    apt update && DEBIAN_FRONTEND="noninteractive" apt-get install -y krb5-user && mkdir -p /etc/keytabs && \
     chmod 744 ${RANGER_SCRIPTS}/ranger-tagsync.sh
 
+COPY config/kdc/krb5.conf /etc/krb5.conf
+COPY config/kdc/create_keytab.sh /etc/keytabs/create_keytab.sh
+RUN chmod +x /etc/keytabs/create_keytab.sh
+
 USER ranger
 
 ENTRYPOINT [ "/home/ranger/scripts/ranger-tagsync.sh" ]

dev-support/ranger-docker/Dockerfile.ranger-usersync

@@ -26,6 +26,7 @@ COPY ./dist/ranger-${USERSYNC_VERSION}-usersync.tar.gz /home/ranger/dist/
 COPY ./scripts/ranger-usersync.sh                 ${RANGER_SCRIPTS}/
 COPY ./scripts/ranger-usersync-install.properties ${RANGER_SCRIPTS}/
 COPY ./scripts/ugsync-file-source.csv             ${RANGER_SCRIPTS}/
+COPY ./scripts/core-site.xml                      ${RANGER_SCRIPTS}/
 
 RUN tar xvfz /home/ranger/dist/ranger-${USERSYNC_VERSION}-usersync.tar.gz --directory=${RANGER_HOME} && \
     ln -s ${RANGER_HOME}/ranger-${USERSYNC_VERSION}-usersync ${RANGER_HOME}/usersync && \
@@ -42,8 +43,13 @@ RUN tar xvfz /home/ranger/dist/ranger-${USERSYNC_VERSION}-usersync.tar.gz --dire
     ln -s /etc/init.d/ranger-usersync /etc/rc3.d/K00ranger-usersync && \
     ln -s ${RANGER_HOME}/usersync/ranger-usersync-services.sh /usr/bin/ranger-usersync && \
     chown -R ranger:ranger ${RANGER_HOME}/usersync/ ${RANGER_SCRIPTS}/ /var/run/ranger/ /var/log/ranger/ /etc/ranger /etc/init.d/ranger-usersync && \
+    apt update && DEBIAN_FRONTEND="noninteractive" apt-get install -y krb5-user && mkdir -p /etc/keytabs && \
     chmod 744 ${RANGER_SCRIPTS}/ranger-usersync.sh
 
+COPY config/kdc/krb5.conf /etc/krb5.conf
+COPY config/kdc/create_keytab.sh /etc/keytabs/create_keytab.sh
+RUN chmod +x /etc/keytabs/create_keytab.sh
+
 USER ranger
 
 ENTRYPOINT [ "/home/ranger/scripts/ranger-usersync.sh" ]

dev-support/ranger-docker/config/kdc/create_keytab.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ADMIN_PRINCIPAL=admin/admin
+ADMIN_PASSWORD=rangerR0cks!
+
+PRINCIPAL_NAME=$1
+KEYTAB_DIR=$2
+KEYTAB_OWNER=$3
+
+PRINCIPAL=${PRINCIPAL_NAME}/`hostname -f`
+KEYTAB=${KEYTAB_DIR}/${PRINCIPAL_NAME}.keytab
+
+echo "Creating Kerberos principal ${PRINCIPAL} .."
+echo ${ADMIN_PASSWORD} | kadmin -p ${ADMIN_PRINCIPAL} -q "addprinc -randkey ${PRINCIPAL}"
+
+mkdir -p ${KEYTAB_DIR}
+
+echo "Creating keytab for principal ${PRINCIPAL} .."
+echo ${ADMIN_PASSWORD} | kadmin -p ${ADMIN_PRINCIPAL} -q "ktadd -k ${KEYTAB} ${PRINCIPAL}"
+
+if [ "${KEYTAB_OWNER}" != "" ]
+then
+    chmod 440 ${KEYTAB}
+    chown ${KEYTAB_OWNER} ${KEYTAB}
+fi

dev-support/ranger-docker/config/kdc/entrypoint.sh

@@ -0,0 +1,61 @@
+#!/bin/bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+REALM="${REALM:-EXAMPLE.COM}"
+KDC_HOST="${KDC_HOST:-ranger-kdc.rangernw}"
+MASTER_PASSWORD="${MASTER_PASSWORD:-masterpassword}"
+ADMIN_PRINC="${ADMIN_PRINCIPAL:-admin/admin}"
+ADMIN_PASSWORD="${ADMIN_PASSWORD:-adminpassword}"
+
+DB_DIR=/var/kerberos/krb5kdc
+
+# ensure directories
+mkdir -p $DB_DIR
+chown -R root.root /etc/krb5kdc || true
+chown -R root.root $DB_DIR || true
+
+if [ ! -f $DB_DIR/principal ]; then
+  echo "=== Creating KDC database for realm $REALM ==="
+  # create DB noninteractive
+  echo "$MASTER_PASSWORD" | kdb5_util create -s -r $REALM -P "$MASTER_PASSWORD"
+  # create admin principal
+  kadmin.local -q "addprinc -pw $ADMIN_PASSWORD $ADMIN_PRINC@${REALM}"
+  # add kadmind keytab
+  kadmin.local -q "ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/admin@$REALM"
+  echo "Database initialized"
+else
+  echo "KDC DB already exists; skipping create"
+fi
+
+# Ensure ownership and perms
+chown -R root:root /var/kerberos
+chmod 700 /var/kerberos/krb5kdc
+
+# start krb5kdc in foreground and then kadmind
+echo "Starting krb5kdc..."
+/usr/sbin/krb5kdc -n &
+KDC_PID=$!
+
+echo "Starting kadmind..."
+/usr/sbin/kadmind -nofork
+# if kadmind exits, bring down krb5kdc
+kill $KDC_PID || true
+wait $KDC_PID || true
+

dev-support/ranger-docker/config/kdc/kadm5.acl

@@ -0,0 +1 @@
+*/[email protected] *

dev-support/ranger-docker/config/kdc/kdc.conf

@@ -0,0 +1,16 @@
+[kdcdefaults]
+ kdc_ports = 88
+ kdc_tcp_ports = 88
+
+[realms]
+ EXAMPLE.COM = {
+  # where the DB will be stored
+  database_name = /var/kerberos/krb5kdc/principal
+  admin_keytab = /etc/krb5kdc/kadm5.keytab
+  acl_file = /etc/krb5kdc/kadm5.acl
+  dict_file = /usr/share/dict/words
+  key_stash_file = /var/kerberos/krb5kdc/.k5.EXAMPLE.COM
+  max_life = 24h 0m 0s
+  max_renewable_life = 7d 0h 0m 0s
+ }
+