From: gautam@apache.org To: commits@ambari.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: ambari git commit: AMBARI-13316. Stack Advisor for hive.security.authorization.manager with Ranger enabled is not specific enough (gautam) Date: Thu, 8 Oct 2015 06:21:01 +0000 (UTC) Repository: ambari Updated Branches: refs/heads/trunk 7d6b2d74d -> e9389246d AMBARI-13316. Stack Advisor for hive.security.authorization.manager with Ranger enabled is not specific enough (gautam) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/e9389246 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/e9389246 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/e9389246 Branch: refs/heads/trunk Commit: e9389246dc3dbe98eccf32e8ad89eca808e6438f Parents: 7d6b2d7 Author: Gautam Borad Authored: Mon Oct 5 18:54:12 2015 +0530 Committer: Gautam Borad Committed: Thu Oct 8 11:50:43 2015 +0530 ---------------------------------------------------------------------- .../stacks/HDP/2.2/services/stack_advisor.py | 49 ++++---------------- .../RANGER/configuration/ranger-ugsync-site.xml | 7 ++- .../stacks/HDP/2.3/services/stack_advisor.py | 11 ++++- .../stacks/2.2/common/test_stack_advisor.py | 2 +- 4 files changed, 24 insertions(+), 45 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/e9389246/ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py b/ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py index 6ccd7eb..71fa5ab 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py +++ b/ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py 
@@ -1006,14 +1006,21 @@ class HDP22StackAdvisor(HDP21StackAdvisor): validationItems.append({"config-name": prop_name, "item": self.getWarnItem( "If Ranger Hive Plugin is enabled."\ - " {0} needs to be set to {1}".format(prop_name,prop_val))}) + " {0} under hiveserver2-site needs to be set to {1}".format(prop_name,prop_val))}) prop_name = 'hive.security.authenticator.manager' prop_val = "org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator" if prop_name not in hive_server2 or hive_server2[prop_name] != prop_val: validationItems.append({"config-name": prop_name, "item": self.getWarnItem( "If Ranger Hive Plugin is enabled."\ - " {0} needs to be set to {1}".format(prop_name,prop_val))}) + " {0} under hiveserver2-site needs to be set to {1}".format(prop_name,prop_val))}) + prop_name = 'hive.security.authorization.enabled' + prop_val = 'true' + if prop_name in hive_server2 and hive_server2[prop_name] != prop_val: + validationItems.append({"config-name": prop_name, + "item": self.getWarnItem( + "If Ranger Hive Plugin is enabled."\ + " {0} under hiveserver2-site needs to be set to {1}".format(prop_name, prop_val))}) ##Add stack validations for Ranger plugin disabled. elif not ranger_plugin_enabled: prop_name = 'hive.security.authorization.manager' 
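Review bot: The added `hive.security.authorization.enabled` check only fires when the key is present with a wrong value (`prop_name in hive_server2 and ...`), while the `hive.security.authenticator.manager` check just above it in this hunk also warns on a missing key (`prop_name not in hive_server2 or ...`). If hiveserver2-site omits the property, the advisor stays silent although the effective value may not be `true`; if absence is not acceptable with the Ranger plugin enabled, use `if prop_name not in hive_server2 or hive_server2[prop_name] != prop_val:`. The same added block appears in the HDP 2.3 stack_advisor.py hunk. Separately, the `hive.conf.restricted.list` validation deleted from validateHiveConfigurations in the next hunk is not re-added in the visible part of this function, so unless it lives outside the hunk the advisor no longer warns when the authorization properties are missing from the list that stops them being overridden at runtime. The enclosing function starts and ends outside the hunk.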
@@ -1049,44 +1056,6 @@ class HDP22StackAdvisor(HDP21StackAdvisor): parentValidationProblems = super(HDP22StackAdvisor, self).validateHiveConfigurations(properties, recommendedDefaults, configurations, services, hosts) hive_site = properties validationItems = [] - #Adding Ranger Plugin logic here - ranger_plugin_properties = getSiteProperties(configurations, "ranger-hive-plugin-properties") - hive_env_properties = getSiteProperties(configurations, "hive-env") - ranger_plugin_enabled = hive_env_properties \ - and 'hive_security_authorization' in hive_env_properties \ - and hive_env_properties['hive_security_authorization'].lower() == 'ranger' - servicesList = [service["StackServices"]["service_name"] for service in services["services"]] - ##Add stack validations only if Ranger is enabled. - if ("RANGER" in servicesList): - ##Add stack validations for Ranger plugin enabled. - if ranger_plugin_enabled: - prop_name = 'hive.security.authorization.enabled' - prop_val = 'true' - if hive_site and \ - prop_name in hive_site and \ - hive_site[prop_name] != prop_val: - validationItems.append({"config-name": prop_name, - "item": self.getWarnItem( - "If Ranger Hive Plugin is enabled." \ - " {0} needs to be set to {1}".format(prop_name,prop_val))}) - - prop_name = 'hive.conf.restricted.list' - prop_vals = 'hive.security.authorization.enabled,hive.security.authorization.manager,hive.security.authenticator.manager'.split(',') - current_vals = [] - if hive_site and prop_name in hive_site: - current_vals = hive_site[prop_name].split(',') - - missing_vals = [] - - for val in prop_vals: - if not val in current_vals: - missing_vals.append(val) - - if missing_vals: - validationItems.append({"config-name": prop_name, - "item": self.getWarnItem( - "If Ranger Hive Plugin is enabled." 
\ - " {0} needs to contain {1}".format(prop_name, ','.join(missing_vals)))}) stripe_size_values = [8388608, 16777216, 33554432, 67108864, 134217728, 268435456] stripe_size_property = "hive.exec.orc.default.stripe.size" if stripe_size_property in properties and \ http://git-wip-us.apache.org/repos/asf/ambari/blob/e9389246/ambari-server/src/main/resources/stacks/HDP/2.3/services/RANGER/configuration/ranger-ugsync-site.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.3/services/RANGER/configuration/ranger-ugsync-site.xml b/ambari-server/src/main/resources/stacks/HDP/2.3/services/RANGER/configuration/ranger-ugsync-site.xml index 39dfe43..4c12322 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.3/services/RANGER/configuration/ranger-ugsync-site.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.3/services/RANGER/configuration/ranger-ugsync-site.xml @@ -130,7 +130,7 @@ ranger.usersync.sleeptimeinmillisbetweensynccycle - 5 + 60 Sleeptime interval in milliseconds, if < 1000 then default to 30 sec @@ -250,11 +250,14 @@ ranger.usersync.ldap.user.searchfilter ​User Search Filter - empty + "optional additional filter constraining the users selected for syncing # a sample value would be (dept=eng) # please customize the value to suit your deployment # default value is empty" + + true + http://git-wip-us.apache.org/repos/asf/ambari/blob/e9389246/ambari-server/src/main/resources/stacks/HDP/2.3/services/stack_advisor.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.3/services/stack_advisor.py b/ambari-server/src/main/resources/stacks/HDP/2.3/services/stack_advisor.py index cfae4d4..a2bae0f 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.3/services/stack_advisor.py +++ b/ambari-server/src/main/resources/stacks/HDP/2.3/services/stack_advisor.py 
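Review bot: In the first ranger-ugsync-site.xml hunk, `ranger.usersync.sleeptimeinmillisbetweensynccycle` moves from 5 to 60, but the unchanged description right after it says the value is in milliseconds and that anything below 1000 falls back to 30 sec, so by that text both values behave the same. If 60 is meant in another unit, the description should be corrected in the same change; if milliseconds is right, the value should be at least 1000. The interval determines how quickly user and group changes in the directory reach Ranger, so the effective value is worth stating unambiguously. The XML tags are stripped in this rendering, so the value/description pairing is read from line order and should be confirmed against the file.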
@@ -377,14 +377,21 @@ class HDP23StackAdvisor(HDP22StackAdvisor): validationItems.append({"config-name": prop_name, "item": self.getWarnItem( "If Ranger Hive Plugin is enabled."\ - " {0} needs to be set to {1}".format(prop_name,prop_val))}) + " {0} under hiveserver2-site needs to be set to {1}".format(prop_name,prop_val))}) prop_name = 'hive.security.authenticator.manager' prop_val = "org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator" if prop_name in hive_server2 and hive_server2[prop_name] != prop_val: validationItems.append({"config-name": prop_name, "item": self.getWarnItem( "If Ranger Hive Plugin is enabled."\ - " {0} needs to be set to {1}".format(prop_name,prop_val))}) + " {0} under hiveserver2-site needs to be set to {1}".format(prop_name,prop_val))}) + prop_name = 'hive.security.authorization.enabled' + prop_val = 'true' + if prop_name in hive_server2 and hive_server2[prop_name] != prop_val: + validationItems.append({"config-name": prop_name, + "item": self.getWarnItem( + "If Ranger Hive Plugin is enabled."\ + " {0} under hiveserver2-site needs to be set to {1}".format(prop_name, prop_val))}) ##Add stack validations for Ranger plugin disabled. elif not ranger_plugin_enabled: prop_name = 'hive.security.authorization.manager' http://git-wip-us.apache.org/repos/asf/ambari/blob/e9389246/ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py b/ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py index 6424bb5..3362c94 100644 --- a/ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py +++ b/ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py 
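Review bot: The added `hive.security.authorization.enabled` block is a third copy of the same check-and-warn pattern in this branch, and the identical block is pasted into the HDP 2.2 advisor by this commit. The copies have already drifted: here the `hive.security.authenticator.manager` check uses `prop_name in hive_server2 and ...`, while the 2.2 hunk uses `prop_name not in hive_server2 or ...` for the same property. Keeping the expected values in one table and walking it in a loop would hold the presence test and the warning text in a single place. The condition for `hive.security.authorization.manager` starts above the hunk, so the sketch covers only the two checks that are fully visible.

```python
# … unchanged: hive.security.authorization.manager check …
ranger_expected = (
    ('hive.security.authenticator.manager',
     "org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator"),
    ('hive.security.authorization.enabled', 'true'),
)
for prop_name, prop_val in ranger_expected:
    if prop_name in hive_server2 and hive_server2[prop_name] != prop_val:
        validationItems.append({"config-name": prop_name,
                                "item": self.getWarnItem(
                                    "If Ranger Hive Plugin is enabled."
                                    " {0} under hiveserver2-site needs to be set to {1}".format(prop_name, prop_val))})
# … unchanged: elif not ranger_plugin_enabled branch …
```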
@@ -2974,7 +2974,7 @@ class TestHDP22StackAdvisor(TestCase): } # Test with ranger plugin enabled, validation fails - res_expected = [{'config-type': 'hiveserver2-site', 'message': 'If Ranger Hive Plugin is enabled. hive.security.authorization.manager needs to be set to com.xasecure.authorization.hive.authorizer.XaSecureHiveAuthorizerFactory', 'type': 'configuration', 'config-name': 'hive.security.authorization.manager', 'level': 'WARN'}, {'config-type': 'hiveserver2-site', 'message': 'If Ranger Hive Plugin is enabled. hive.security.authenticator.manager needs to be set to org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator', 'type': 'configuration', 'config-name': 'hive.security.authenticator.manager', 'level': 'WARN'}] + res_expected = [{'config-type': 'hiveserver2-site', 'message': 'If Ranger Hive Plugin is enabled. hive.security.authorization.manager under hiveserver2-site needs to be set to com.xasecure.authorization.hive.authorizer.XaSecureHiveAuthorizerFactory', 'type': 'configuration', 'config-name': 'hive.security.authorization.manager', 'level': 'WARN'}, {'config-type': 'hiveserver2-site', 'message': 'If Ranger Hive Plugin is enabled. hive.security.authenticator.manager under hiveserver2-site needs to be set to org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator', 'type': 'configuration', 'config-name': 'hive.security.authenticator.manager', 'level': 'WARN'}] res = self.stackAdvisor.validateHiveServer2Configurations(properties, recommendedDefaults, configurations, services, {}) self.assertEquals(res, res_expected)
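Review bot: The updated `res_expected` still lists only the two existing warnings, so nothing in this hunk exercises the `hive.security.authorization.enabled` check that the commit adds to validateHiveServer2Configurations. A case where hiveserver2-site carries that property with a value other than `'true'` while the Ranger plugin is enabled, asserting a third WARN item for it, would pin the new behaviour. A second case with the property absent would document whether silence on a missing key is intended. The `properties` fixture is defined above the hunk, so this may need a new fixture rather than an edit to the existing one.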