Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id D4E52200B48 for ; Mon, 18 Jul 2016 18:43:59 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id D37DA160A65; Mon, 18 Jul 2016 16:43:59 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 019EB160A5D for ; Mon, 18 Jul 2016 18:43:58 +0200 (CEST) Received: (qmail 99327 invoked by uid 500); 18 Jul 2016 16:43:58 -0000 Mailing-List: contact commits-help@ambari.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: ambari-dev@ambari.apache.org Delivered-To: mailing list commits@ambari.apache.org Received: (qmail 99314 invoked by uid 99); 18 Jul 2016 16:43:58 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 18 Jul 2016 16:43:58 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 17620DFAF5; Mon, 18 Jul 2016 16:43:58 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: jaimin@apache.org To: commits@ambari.apache.org Message-Id: <3405c00e851747b8b2d1525d3c3aac6f@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: ambari git commit: AMBARI-17763 Populating Ranger Tagsync principal/keytab using stack advisor. (Mugdha via Jaimin) Date: Mon, 18 Jul 2016 16:43:58 +0000 (UTC) archived-at: Mon, 18 Jul 2016 16:44:00 -0000 Repository: ambari Updated Branches: refs/heads/branch-2.4 eed73ae35 -> b2f422f40 AMBARI-17763 Populating Ranger Tagsync principal/keytab using stack advisor. (Mugdha via Jaimin) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/b2f422f4 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/b2f422f4 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/b2f422f4 Branch: refs/heads/branch-2.4 Commit: b2f422f40892ee08b2e7ef0cac86e8da01f6b16b Parents: eed73ae Author: Jaimin Jetly Authored: Mon Jul 18 09:47:50 2016 -0700 Committer: Jaimin Jetly Committed: Mon Jul 18 09:47:50 2016 -0700 ---------------------------------------------------------------------- .../common-services/RANGER/0.6.0/kerberos.json | 4 +- .../stacks/HDP/2.5/services/stack_advisor.py | 39 ++++++++++++++++++-- 2 files changed, 37 insertions(+), 6 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/b2f422f4/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json b/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json
index 91a0032..564c57b 100644
--- a/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json
@@ -116,8 +116,8 @@
 "atlas.jaas.KafkaClient.option.useKeyTab": "true",
 "atlas.jaas.KafkaClient.option.storeKey": "true",
 "atlas.jaas.KafkaClient.option.serviceName": "kafka",
- "atlas.jaas.KafkaClient.option.keyTab": "{{tagsync_keytab_path}}",
- "atlas.jaas.KafkaClient.option.principal": "{{tagsync_jaas_principal}}",
+ "atlas.jaas.KafkaClient.option.keyTab": "${ranger-tagsync-site/ranger.tagsync.kerberos.keytab}",
+ "atlas.jaas.KafkaClient.option.principal": "${ranger-tagsync-site/ranger.tagsync.kerberos.principal}",
 "atlas.kafka.sasl.kerberos.service.name": "kafka",
 "atlas.kafka.security.protocol": "PLAINTEXTSASL"
 }
http://git-wip-us.apache.org/repos/asf/ambari/blob/b2f422f4/ambari-server/src/main/resources/stacks/HDP/2.5/services/stack_advisor.py ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/services/stack_advisor.py b/ambari-server/src/main/resources/stacks/HDP/2.5/services/stack_advisor.py
index b84910a..db3614f 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.5/services/stack_advisor.py
+++ b/ambari-server/src/main/resources/stacks/HDP/2.5/services/stack_advisor.py
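Review bot: The new `${ranger-tagsync-site/ranger.tagsync.kerberos.principal}` reference for `atlas.jaas.KafkaClient.option.principal` copies the site value as stored, so a `_HOST` placeholder in it would reach the JAAS entry unresolved unless something downstream expands it. The stack_advisor.py hunk in this same commit replaces `_HOST` by hand before writing the same property, which suggests the stored value can carry the placeholder. Both the descriptor and the advisor now write `atlas.jaas.KafkaClient.option.keyTab` and `atlas.jaas.KafkaClient.option.principal`; it is worth confirming which one takes effect on a Kerberized cluster and that the descriptor path also yields a host-qualified principal.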
@@ -1507,16 +1507,47 @@ class HDP25StackAdvisor(HDP24StackAdvisor): def recommendRangerConfigurations(self, configurations, clusterData, services, hosts): super(HDP25StackAdvisor, self).recommendRangerConfigurations(configurations, clusterData, services, hosts) servicesList = [service["StackServices"]["service_name"] for service in services["services"]] + has_ranger_tagsync = False + security_enabled = self.isSecurityEnabled(services) + ranger_tagsync_site = getServicesSiteProperties(services, "ranger-tagsync-site") putTagsyncAppProperty = self.putProperty(configurations, "tagsync-application-properties", services) + putTagsyncAppPropertyAttributes = self.putPropertyAttribute(configurations, "tagsync-application-properties") putTagsyncSiteProperty = self.putProperty(configurations, "ranger-tagsync-site", services) putRangerAdminProperty = self.putProperty(configurations, "ranger-admin-site", services) putRangerEnvProperty = self.putProperty(configurations, "ranger-env", services) - has_ranger_tagsync = False - if 'RANGER' in servicesList: - ranger_tagsync_host = self.__getHostsForComponent(services, "RANGER", "RANGER_TAGSYNC") - has_ranger_tagsync = len(ranger_tagsync_host) > 0 + ranger_tagsync_host = self.__getHostsForComponent(services, "RANGER", "RANGER_TAGSYNC") + has_ranger_tagsync = len(ranger_tagsync_host) > 0 + + if has_ranger_tagsync: + tagsync_keytab_path = '' + tagsync_principal = '' + if ranger_tagsync_site is not None: + tagsync_keytab_path = ranger_tagsync_site.get('ranger.tagsync.kerberos.keytab') + tagsync_principal = ranger_tagsync_site.get('ranger.tagsync.kerberos.principal') + tagsync_principal = tagsync_principal.replace('_HOST', ranger_tagsync_host[0].lower()) + + if security_enabled: + putTagsyncAppProperty('atlas.jaas.KafkaClient.loginModuleName', 'com.sun.security.auth.module.Krb5LoginModule') + putTagsyncAppProperty('atlas.jaas.KafkaClient.loginModuleControlFlag', 'required') + 
putTagsyncAppProperty('atlas.jaas.KafkaClient.option.useKeyTab', 'true') + putTagsyncAppProperty('atlas.jaas.KafkaClient.option.storeKey', 'true') + putTagsyncAppProperty('atlas.jaas.KafkaClient.option.serviceName', 'kafka') + putTagsyncAppProperty('atlas.jaas.KafkaClient.option.keyTab', tagsync_keytab_path) + putTagsyncAppProperty('atlas.jaas.KafkaClient.option.principal', tagsync_principal) + putTagsyncAppProperty('atlas.kafka.sasl.kerberos.service.name', 'kafka') + putTagsyncAppProperty('atlas.kafka.security.protocol', 'PLAINTEXTSASL') + else: + putTagsyncAppPropertyAttributes('atlas.jaas.KafkaClient.loginModuleName', 'delete', 'true') + putTagsyncAppPropertyAttributes('atlas.jaas.KafkaClient.loginModuleControlFlag', 'delete', 'true') + putTagsyncAppPropertyAttributes('atlas.jaas.KafkaClient.option.useKeyTab', 'delete', 'true') + putTagsyncAppPropertyAttributes('atlas.jaas.KafkaClient.option.storeKey', 'delete', 'true') + putTagsyncAppPropertyAttributes('atlas.jaas.KafkaClient.option.serviceName', 'delete', 'true') + putTagsyncAppPropertyAttributes('atlas.jaas.KafkaClient.option.keyTab', 'delete', 'true') + putTagsyncAppPropertyAttributes('atlas.jaas.KafkaClient.option.principal', 'delete', 'true') + putTagsyncAppPropertyAttributes('atlas.kafka.sasl.kerberos.service.name', 'delete', 'true') + putTagsyncAppPropertyAttributes('atlas.kafka.security.protocol', 'delete', 'true') if 'ATLAS' in servicesList and has_ranger_tagsync: atlas_hosts = self.getHostNamesWithComponent("ATLAS", "ATLAS_SERVER", services)
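Review bot: `ranger_tagsync_site.get('ranger.tagsync.kerberos.principal')` returns None when the property is not present yet, and the `.replace('_HOST', ...)` that follows would then raise AttributeError and abort the recommendation; the keytab lookup has the same gap and would write None into `atlas.jaas.KafkaClient.option.keyTab`. Defaulting both lookups closes it: `.get('ranger.tagsync.kerberos.keytab', '')` and `.get('ranger.tagsync.kerberos.principal', '')`. Separately, when security is enabled but either value is still empty, the branch sets `atlas.jaas.KafkaClient.option.useKeyTab` to `true` alongside a blank keytab or principal, so the Kafka client login would fail only at runtime; consider `if security_enabled and tagsync_keytab_path and tagsync_principal:` or logging the missing value. Indentation is lost in this view, so whether the `.replace` line sits inside the `is not None` check cannot be confirmed here, and `recommendRangerConfigurations` continues past the end of the hunk.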