ambari-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From oleew...@apache.org
Subject ambari git commit: AMBARI-20013. Add Solr authorization settings during LogSearch/Atlas/Ranger startup (oleewere)
Date Thu, 16 Feb 2017 19:29:27 GMT
Repository: ambari
Updated Branches:
  refs/heads/trunk bfaaba2fa -> 347ba2a99


AMBARI-20013. Add Solr authorization settings during LogSearch/Atlas/Ranger startup (oleewere)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/347ba2a9
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/347ba2a9
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/347ba2a9

Branch: refs/heads/trunk
Commit: 347ba2a9983d400cddf4d888e7f8c15d72b71d5a
Parents: bfaaba2
Author: oleewere <oleewere@gmail.com>
Authored: Mon Feb 13 18:34:50 2017 +0100
Committer: oleewere <oleewere@gmail.com>
Committed: Thu Feb 16 20:18:59 2017 +0100

----------------------------------------------------------------------
 .../libraries/functions/solr_cloud_util.py      | 110 ++++++++++++++++++-
 .../configuration/infra-solr-security-json.xml  |  82 +++++++++++---
 .../0.1.0/package/scripts/params.py             |   9 +-
 .../0.1.0/package/scripts/setup_infra_solr.py   |  17 ++-
 .../templates/infra-solr-security.json.j2       |  68 ++++++++++++
 .../properties/infra-solr-security.json.j2      |  68 ------------
 .../ATLAS/0.1.0.2.3/package/scripts/metadata.py |  20 ++++
 .../ATLAS/0.1.0.2.3/package/scripts/params.py   |   3 +
 .../ATLAS/0.7.0.2.5/kerberos.json               |   3 +
 .../LOGSEARCH/0.5.0/kerberos.json               |  39 ++++---
 .../LOGSEARCH/0.5.0/package/scripts/params.py   |   5 +
 .../0.5.0/package/scripts/setup_logsearch.py    |  22 +++-
 .../RANGER/0.4.0/package/scripts/params.py      |   3 +
 .../0.4.0/package/scripts/setup_ranger_xml.py   |  41 +++++++
 .../common-services/RANGER/0.6.0/kerberos.json  |   3 +
 .../stacks/2.3/ATLAS/test_metadata_server.py    |   8 ++
 .../test/python/stacks/2.3/configs/secure.json  |   7 +-
 .../stacks/2.4/AMBARI_INFRA/test_infra_solr.py  |   4 +-
 .../stacks/2.4/LOGSEARCH/test_logsearch.py      |   3 +-
 .../stacks/2.5/RANGER/test_ranger_admin.py      |  11 ++
 .../stacks/2.6/RANGER/test_ranger_admin.py      |   9 ++
 21 files changed, 418 insertions(+), 117 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-common/src/main/python/resource_management/libraries/functions/solr_cloud_util.py
----------------------------------------------------------------------
diff --git a/ambari-common/src/main/python/resource_management/libraries/functions/solr_cloud_util.py b/ambari-common/src/main/python/resource_management/libraries/functions/solr_cloud_util.py
index 4628211..1eeb86b 100644
--- a/ambari-common/src/main/python/resource_management/libraries/functions/solr_cloud_util.py
+++ b/ambari-common/src/main/python/resource_management/libraries/functions/solr_cloud_util.py
@@ -17,12 +17,17 @@ limitations under the License.
 
 """
 import random
+import json
+from random import randrange
 from ambari_commons.constants import AMBARI_SUDO_BINARY
 from ambari_jinja2 import Environment as JinjaEnvironment
+from resource_management.libraries.functions import get_kinit_path
 from resource_management.libraries.functions.default import default
 from resource_management.libraries.functions.format import format
 from resource_management.core.resources.system import Directory, Execute, File
 from resource_management.core.source import StaticFile
+from resource_management.core.shell import as_sudo
+from resource_management.core.logger import Logger
 
 __all__ = ["upload_configuration_to_zk", "create_collection", "setup_kerberos", "set_cluster_prop",
            "setup_kerberos_plugin", "create_znode", "check_znode", "secure_solr_znode", "secure_znode"]
@@ -163,13 +168,16 @@ def set_cluster_prop(zookeeper_quorum, solr_znode, prop_name, prop_value, java64
     set_cluster_prop_cmd+=format(' --jaas-file {jaas_file}')
   Execute(set_cluster_prop_cmd)
 
-def secure_znode(zookeeper_quorum, solr_znode, jaas_file, java64_home, sasl_users=[]):
+def secure_znode(config, zookeeper_quorum, solr_znode, jaas_file, java64_home, sasl_users=[], retry = 5 , interval = 10):
   """
-  Secure znode, set a list of sasl users acl to 'cdrwa', and set acl to 'r' only for the world. 
+  Secure znode, set a list of sasl users acl to 'cdrwa', and set acl to 'r' only for the world.
+  Add infra-solr user by default if its available.
   """
   solr_cli_prefix = __create_solr_cloud_cli_prefix(zookeeper_quorum, solr_znode, java64_home, True)
-  sasl_users_str = ",".join(str(x) for x in sasl_users)
-  secure_znode_cmd = format('{solr_cli_prefix} --secure-znode --jaas-file {jaas_file} --sasl-users {sasl_users_str}')
+  if "infra-solr-env" in config['configurations']:
+    sasl_users.append(__get_name_from_principal(config['configurations']['infra-solr-env']['infra_solr_kerberos_principal']))
+  sasl_users_str = ",".join(str(__get_name_from_principal(x)) for x in sasl_users)
+  secure_znode_cmd = format('{solr_cli_prefix} --secure-znode --jaas-file {jaas_file} --sasl-users {sasl_users_str} --retry {retry} --interval {interval}')
   Execute(secure_znode_cmd)
 
 
@@ -243,3 +251,97 @@ def setup_solr_client(config, custom_log4j = True, custom_log_location = None, l
          mode=0664,
          content=''
          )
+
+def __get_name_from_principal(principal):
+  if not principal:  # return if empty
+    return principal
+  slash_split = principal.split('/')
+  if len(slash_split) == 2:
+    return slash_split[0]
+  else:
+    at_split = principal.split('@')
+    return at_split[0]
+
+def __remove_host_from_principal(principal, realm):
+  if not realm:
+    raise Exception("Realm parameter is missing.")
+  if not principal:
+    raise Exception("Principal parameter is missing.")
+  username=__get_name_from_principal(principal)
+  at_split = principal.split('@')
+  if len(at_split) == 2:
+    realm = at_split[1]
+  return format('{username}@{realm}')
+
+def __get_random_solr_host(actual_host, solr_hosts = []):
+  """
+  Get a random solr host, use the actual one, if there is an installed infra solr there (helps blueprint installs)
+  If there is only one solr host on the cluster, use that.
+  """
+  if not solr_hosts:
+    raise Exception("Solr hosts parameter is empty.")
+  if len(solr_hosts) == 1:
+    return solr_hosts[0]
+  if actual_host in solr_hosts:
+    return actual_host
+  else:
+    random_index = randrange(0, len(solr_hosts))
+    return solr_hosts[random_index]
+
+def add_solr_roles(config, roles = [], new_service_principals = [], tries = 30, try_sleep = 10):
+  """
+  Set user-role mappings based on roles and principal users for secured cluster. Use solr REST API to check is there any authoirzation enabled,
+  if it is then update the user-roles mapping for Solr (this will upgrade the solr_znode/security.json file).
+  In case of custom security.json is used for infra-solr, this step will be skipped.
+  """
+  sudo = AMBARI_SUDO_BINARY
+  solr_hosts = default_config(config, "/clusterHostInfo/infra_solr_hosts", [])
+  security_enabled = config['configurations']['cluster-env']['security_enabled']
+  solr_ssl_enabled = default_config(config, 'configurations/infra-solr-env/infra_solr_ssl_enabled', False)
+  solr_port = default_config(config, 'configurations/infra-solr-env/infra_solr_port', '8886')
+  kinit_path_local = get_kinit_path(default_config(config, '/configurations/kerberos-env/executable_search_paths', None))
+  infra_solr_custom_security_json_content = None
+
+  if 'infra-solr-security-json' in config['configurations']:
+    infra_solr_custom_security_json_content = config['configurations']['infra-solr-security-json']['content']
+
+  Logger.info(format("Adding {roles} roles to {new_service_principals} if infra-solr is installed."))
+  if infra_solr_custom_security_json_content and str(infra_solr_custom_security_json_content).strip():
+    Logger.info("Custom security.json is not empty for infra-solr, skip adding roles...")
+  elif security_enabled \
+    and "infra-solr-env" in config['configurations'] \
+    and solr_hosts is not None \
+    and len(solr_hosts) > 0:
+    solr_protocol = "https" if solr_ssl_enabled else "http"
+    hostname = config['hostname'].lower()
+    solr_host = __get_random_solr_host(hostname, solr_hosts)
+    solr_url = format("{solr_protocol}://{solr_host}:{solr_port}/solr/admin/authorization")
+    solr_user_keytab = config['configurations']['infra-solr-env']['infra_solr_kerberos_keytab']
+    solr_user_principal = config['configurations']['infra-solr-env']['infra_solr_kerberos_principal'].replace('_HOST', hostname)
+    solr_user_kinit_cmd = format("{kinit_path_local} -kt {solr_user_keytab} {solr_user_principal};")
+    solr_authorization_enabled_cmd=format("{sudo} {solr_user_kinit_cmd} {sudo} curl -k -s --negotiate -u : {solr_protocol}://{solr_host}:{solr_port}/solr/admin/authorization | grep authorization.enabled")
+
+    if len(new_service_principals) > 0:
+      new_service_users = []
+
+      kerberos_realm = config['configurations']['kerberos-env']['realm']
+      for new_service_user in new_service_principals:
+        new_service_users.append(__remove_host_from_principal(new_service_user, kerberos_realm))
+      user_role_map = {}
+
+      for new_service_user in new_service_users:
+        user_role_map[new_service_user] = roles
+
+      Logger.info(format("New service users after removing fully qualified names: {new_service_users}"))
+
+      set_user_role_map = {}
+      set_user_role_map['set-user-role'] = user_role_map
+      set_user_role_json = json.dumps(set_user_role_map)
+
+      add_solr_role_cmd = format("{sudo} {solr_user_kinit_cmd} {sudo} curl -H 'Content-type:application/json' -d '{set_user_role_json}' -s -o /dev/null -w'%{{http_code}}' --negotiate -u: -k {solr_url} | grep 200")
+
+      Logger.info(format("Check authorization enabled command: {solr_authorization_enabled_cmd} \nSet user-role settings command: {add_solr_role_cmd}"))
+      Execute(solr_authorization_enabled_cmd + " && "+ add_solr_role_cmd,
+              tries=tries,
+              try_sleep=try_sleep,
+              logoutput=True)

http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml b/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml
index e193a8c..e99d961 100644
--- a/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml
+++ b/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml
@@ -26,9 +26,12 @@
     <display-name>Ranger audit service users</display-name>
     <value>{default_ranger_audit_users}</value>
     <description>
-      List of comma separated kerberos service users who can write into ranger audit collections if the cluster is secure. (atlas and rangeradmin supported by default)
-      Change values in that case of custom values are used for kerberos principals. (default_ranger_audit_users is resolved ranger-*-audit/xasecure.audit.jaas.Client.option.principal,
-      by default namenode, hbase, hive knox, kafka, ranger kms and nifi are supported, to change it you can edit the security content,
+      List of comma separated kerberos service users who can write into ranger audit collections if the cluster is
+      secure. (atlas and rangeradmin supported by default)
+      Change values in that case of custom values are used for kerberos principals. (default_ranger_audit_users is
+      resolved ranger-*-audit/xasecure.audit.jaas.Client.option.principal,
+      by default namenode, hbase, hive knox, kafka, ranger kms and nifi are supported, to change it you can edit the
+      security content,
       or add a new username next to the default value, e.g.: {default_ranger_audit_users},customuser)
     </description>
     <depends-on>
@@ -68,20 +71,6 @@
         <type>ranger-nifi-audit</type>
         <name>xasecure.audit.jaas.Client.option.principal</name>
       </property>
-    </depends-on>
-    <on-ambari-upgrade add="true"/>
-  </property>
-  <property>
-    <name>content</name>
-    <display-name>security.json template</display-name>
-    <description>This is the jinja template for security.json file on the solr znode (only used if the cluster is secure)</description>
-    <value/>
-    <property-type>VALUE_FROM_PROPERTY_FILE</property-type>
-    <value-attributes>
-      <property-file-name>infra-solr-security.json.j2</property-file-name>
-      <property-file-type>text</property-file-type>
-    </value-attributes>
-    <depends-on>
       <property>
         <type>application-properties</type>
         <name>atlas.authentication.principal</name>
@@ -93,4 +82,63 @@
     </depends-on>
     <on-ambari-upgrade add="true"/>
   </property>
+  <property>
+    <name>infra_solr_role_ranger_admin</name>
+    <display-name>Ranger admin role</display-name>
+    <value>ranger_admin_user</value>
+    <description>Ranger admin role, it allows users to create collection, and perform any action on ranger audit collection.</description>
+    <on-ambari-upgrade add="true"/>
+  </property>
+  <property>
+    <name>infra_solr_role_ranger_audit</name>
+    <display-name>Ranger audit role</display-name>
+    <value>ranger_audit_user</value>
+    <description>Ranger audit role, it allows users to perform any action on ranger audit collection.</description>
+    <on-ambari-upgrade add="true"/>
+  </property>
+  <property>
+    <name>infra_solr_role_atlas</name>
+    <display-name>Atlas role</display-name>
+    <value>atlas_user</value>
+    <description>Atlas role, it allows users to create collection, and perform any action on atlas collections.</description>
+    <on-ambari-upgrade add="true"/>
+  </property>
+  <property>
+    <name>infra_solr_role_logsearch</name>
+    <display-name>Log Search role</display-name>
+    <value>logsearch_user</value>
+    <description>Log Search role, it allows users to create collection, and perform any action on Log Search collections.</description>
+    <on-ambari-upgrade add="true"/>
+  </property>
+  <property>
+    <name>infra_solr_role_logfeeder</name>
+    <display-name>Log Feeder role</display-name>
+    <value>logfeeder_user</value>
+    <description>Log Feeder role, it allows users to perform any action on Log Search collections.</description>
+    <on-ambari-upgrade add="true"/>
+  </property>
+  <property>
+    <name>infra_solr_role_dev</name>
+    <display-name>Dev role</display-name>
+    <value>dev</value>
+    <description>Dev role, it allows to perform any read action on any collection.</description>
+    <on-ambari-upgrade add="true"/>
+  </property>
+  <property>
+    <name>content</name>
+    <display-name>Custom security.json template</display-name>
+    <description>
+      This is the jinja template for custom security.json file on the solr znode
+      (only used if the cluster is secure and this property overrides the security.json which generated during solr
+      start).
+    </description>
+    <value>
+    </value>
+    <value-attributes>
+      <type>content</type>
+      <show-property-name>false</show-property-name>
+      <empty-value-valid>true</empty-value-valid>
+    </value-attributes>
+    <on-ambari-upgrade add="true"/>
+  </property>
 </configuration>
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py b/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py
index ab9aa61..acf420e 100644
--- a/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py
+++ b/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py
@@ -129,7 +129,7 @@ if security_enabled:
   ranger_audit_principals.append(default('configurations/ranger-hive-audit/' + ranger_audit_principal_conf_key, 'hive'))
   ranger_audit_principals.append(default('configurations/ranger-knox-audit/' + ranger_audit_principal_conf_key, 'knox'))
   ranger_audit_principals.append(default('configurations/ranger-kafka-audit/' + ranger_audit_principal_conf_key, 'kafka'))
-  ranger_audit_principals.append(default('configurations/ranger-kms-audit/' + ranger_audit_principal_conf_key, 'kms'))
+  ranger_audit_principals.append(default('configurations/ranger-kms-audit/' + ranger_audit_principal_conf_key, 'rangerkms'))
   ranger_audit_principals.append(default('configurations/ranger-storm-audit/' + ranger_audit_principal_conf_key, 'storm'))
   ranger_audit_principals.append(default('configurations/ranger-yarn-audit/' + ranger_audit_principal_conf_key, 'yarn'))
   ranger_audit_principals.append(default('configurations/ranger-nifi-audit/' + ranger_audit_principal_conf_key, 'nifi'))
@@ -160,3 +160,10 @@ logsearch_kerberos_service_user = get_name_from_principal(default('configuration
 logfeeder_kerberos_service_user = get_name_from_principal(default('configurations/logfeeder-env/logfeeder_kerberos_principal', 'logfeeder'))
 infra_solr_kerberos_service_user = get_name_from_principal(default('configurations/infra-solr-env/infra_solr_kerberos_principal', 'infra-solr'))
 
+infra_solr_role_ranger_admin = default('configurations/infra-solr-security-json/infra_solr_role_ranger_admin', 'ranger_user')
+infra_solr_role_ranger_audit = default('configurations/infra-solr-security-json/infra_solr_role_ranger_audit', 'ranger_audit_user')
+infra_solr_role_atlas = default('configurations/infra-solr-security-json/infra_solr_role_atlas', 'atlas_user')
+infra_solr_role_logsearch = default('configurations/infra-solr-security-json/infra_solr_role_logsearch', 'logsearch_user')
+infra_solr_role_logfeeder = default('configurations/infra-solr-security-json/infra_solr_role_logfeeder', 'logfeeder_user')
+infra_solr_role_dev = default('configurations/infra-solr-security-json/infra_solr_role_dev', 'dev')
+

http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/setup_infra_solr.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/setup_infra_solr.py b/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/setup_infra_solr.py
index 8d72f42..f3dbcf3 100644
--- a/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/setup_infra_solr.py
+++ b/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/setup_infra_solr.py
@@ -72,13 +72,12 @@ def setup_infra_solr(name = None):
          group=params.user_group
          )
 
-    security_json_file_location = format("{infra_solr_conf}/security.json")
-
-    File(security_json_file_location,
+    custom_security_json_location = format("{infra_solr_conf}/custom-security.json")
+    File(custom_security_json_location,
          content=InlineTemplate(params.infra_solr_security_json_content),
          owner=params.infra_solr_user,
          group=params.user_group,
-         mode=0644
+         mode=0640
          )
 
     jaas_file = params.infra_solr_jaas_file if params.security_enabled else None
@@ -86,11 +85,21 @@ def setup_infra_solr(name = None):
 
     create_ambari_solr_znode()
 
+    security_json_file_location = custom_security_json_location \
+      if params.infra_solr_security_json_content and str(params.infra_solr_security_json_content).strip() \
+      else format("{infra_solr_conf}/security.json") # security.json file to upload
+
     if params.security_enabled:
       File(format("{infra_solr_jaas_file}"),
            content=Template("infra_solr_jaas.conf.j2"),
            owner=params.infra_solr_user)
 
+      File(format("{infra_solr_conf}/security.json"),
+           content=Template("infra-solr-security.json.j2"),
+           owner=params.infra_solr_user,
+           group=params.user_group,
+           mode=0640)
+
     solr_cloud_util.set_cluster_prop(
       zookeeper_quorum=params.zookeeper_quorum,
       solr_znode=params.infra_solr_znode,

http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/templates/infra-solr-security.json.j2
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/templates/infra-solr-security.json.j2 b/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/templates/infra-solr-security.json.j2
new file mode 100644
index 0000000..65d38e9
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/templates/infra-solr-security.json.j2
@@ -0,0 +1,68 @@
+{#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#}
+{
+  "authentication": {
+    "class": "org.apache.solr.security.KerberosPlugin"
+  },
+  "authorization": {
+    "class": "org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin",
+    "user-role": {
+      "{{infra_solr_kerberos_service_user}}@{{kerberos_realm}}": "admin",
+      "{{logsearch_kerberos_service_user}}@{{kerberos_realm}}": ["{{infra_solr_role_logsearch}}", "{{infra_solr_role_ranger_admin}}", "{{infra_solr_role_dev}}"],
+      "{{logfeeder_kerberos_service_user}}@{{kerberos_realm}}": ["{{infra_solr_role_logfeeder}}", "{{infra_solr_role_dev}}"],
+      "{{atlas_kerberos_service_user}}@{{kerberos_realm}}": ["{{infra_solr_role_atlas}}", "{{infra_solr_role_ranger_audit}}", "{{infra_solr_role_dev}}"],
+{% if infra_solr_ranger_audit_service_users %}
+{%   for ranger_audit_service_user in infra_solr_ranger_audit_service_users %}
+      "{{ranger_audit_service_user}}@{{kerberos_realm}}": ["{{infra_solr_role_ranger_audit}}", "{{infra_solr_role_dev}}"],
+{%   endfor %}
+{% endif %}
+      "{{ranger_admin_kerberos_service_user}}@{{kerberos_realm}}": ["{{infra_solr_role_ranger_admin}}", "{{infra_solr_role_ranger_audit}}", "{{infra_solr_role_dev}}"]
+    },
+    "permissions": [
+    {
+      "name" : "collection-admin-read",
+      "role" :null
+    },
+    {
+      "name" : "collection-admin-edit",
+      "role" : ["admin", "{{infra_solr_role_logsearch}}", "{{infra_solr_role_logfeeder}}", "{{infra_solr_role_atlas}}", "{{infra_solr_role_ranger_admin}}"]
+    },
+    {
+      "name":"read",
+      "role": "{{infra_solr_role_dev}}"
+    },
+    {
+      "collection": ["{{logsearch_service_logs_collection}}", "{{logsearch_audit_logs_collection}}", "history"],
+      "role": ["admin", "{{infra_solr_role_logsearch}}", "{{infra_solr_role_logfeeder}}"],
+      "name": "logsearch-manager",
+      "path": "/*"
+    },
+    {
+       "collection": ["vertex_index", "edge_index", "fulltext_index"],
+       "role": ["admin", "{{infra_solr_role_atlas}}"],
+       "name": "atlas-manager",
+       "path": "/*"
+    },
+    {
+       "collection": "{{ranger_solr_collection_name}}",
+       "role": ["admin", "{{infra_solr_role_ranger_admin}}", "{{infra_solr_role_ranger_audit}}"],
+       "name": "ranger-manager",
+       "path": "/*"
+    }]
+  }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 b/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2
deleted file mode 100644
index ed764f0..0000000
--- a/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2
+++ /dev/null
@@ -1,68 +0,0 @@
-{#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#}
-{
-  "authentication": {
-    "class": "org.apache.solr.security.KerberosPlugin"
-  },
-  "authorization": {
-    "class": "org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin",
-    "user-role": {
-      "{{infra_solr_kerberos_service_user}}@{{kerberos_realm}}": "admin",
-      "{{logsearch_kerberos_service_user}}@{{kerberos_realm}}": ["logsearch_user", "ranger_user", "dev"],
-      "{{logfeeder_kerberos_service_user}}@{{kerberos_realm}}": ["logfeeder_user", "dev"],
-      "{{atlas_kerberos_service_user}}@{{kerberos_realm}}": ["atlas_user", "ranger_audit_user", "dev"],
-{% if infra_solr_ranger_audit_service_users %}
-{%   for ranger_audit_service_user in infra_solr_ranger_audit_service_users %}
-      "{{ranger_audit_service_user}}@{{kerberos_realm}}": ["ranger_audit_user", "dev"],
-{%   endfor %}
-{% endif %}
-      "{{ranger_admin_kerberos_service_user}}@{{kerberos_realm}}": ["ranger_user", "ranger_audit_user", "dev"]
-    },
-    "permissions": [
-    {
-      "name" : "collection-admin-read",
-      "role" :null
-    },
-    {
-      "name" : "collection-admin-edit",
-      "role" : ["admin", "logsearch_user", "logfeeder_user", "atlas_user", "ranger_user"]
-    },
-    {
-      "name":"read",
-      "role": "dev"
-    },
-    {
-      "collection": ["{{logsearch_service_logs_collection}}", "{{logsearch_audit_logs_collection}}", "history"],
-      "role": ["admin", "logsearch_user", "logfeeder_user"],
-      "name": "logsearch-manager",
-      "path": "/*"
-    },
-    {
-       "collection": ["vertex_index", "edge_index", "fulltext_index"],
-       "role": ["admin", "atlas_user"],
-       "name": "atlas-manager",
-       "path": "/*"
-    },
-    {
-       "collection": "{{ranger_solr_collection_name}}",
-       "role": ["admin", "ranger_user", "ranger_audit_user"],
-       "name": "ranger-manager",
-       "path": "/*"
-    }]
-  }
-}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata.py b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata.py
index 2232bb2..c25445c 100644
--- a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata.py
+++ b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata.py
@@ -134,10 +134,21 @@ def metadata(type='server'):
       jaasFile=params.atlas_jaas_file if params.security_enabled else None
       upload_conf_set('atlas_configs', jaasFile)
 
+      if params.security_enabled: # update permissions before creating the collections
+        solr_cloud_util.add_solr_roles(params.config,
+                                       roles = [params.infra_solr_role_atlas, params.infra_solr_role_ranger_audit, params.infra_solr_role_dev],
+                                       new_service_principals = [params.atlas_jaas_principal])
+
       create_collection('vertex_index', 'atlas_configs', jaasFile)
       create_collection('edge_index', 'atlas_configs', jaasFile)
       create_collection('fulltext_index', 'atlas_configs', jaasFile)
 
+      if params.security_enabled:
+        secure_znode(format('{infra_solr_znode}/configs/atlas_configs'), jaasFile)
+        secure_znode(format('{infra_solr_znode}/collections/vertex_index'), jaasFile)
+        secure_znode(format('{infra_solr_znode}/collections/edge_index'), jaasFile)
+        secure_znode(format('{infra_solr_znode}/collections/fulltext_index'), jaasFile)
+
     File(params.atlas_hbase_setup,
          group=params.user_group,
          owner=params.hbase_user,
@@ -204,6 +215,15 @@ def create_collection(collection, config_set, jaasFile):
       shards=params.atlas_solr_shards,
       replication_factor = params.infra_solr_replication_factor)
 
+def secure_znode(znode, jaasFile):
+  import params
+  solr_cloud_util.secure_znode(config=params.config, zookeeper_quorum=params.zookeeper_quorum,
+                               solr_znode=znode,
+                               jaas_file=jaasFile,
+                               java64_home=params.java64_home, sasl_users=[params.atlas_jaas_principal])
+
+
+
 @retry(times=10, sleep_time=5, err_class=Fail)
 def check_znode():
   import params

http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py
index 682fc9f..e270733 100644
--- a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py
+++ b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py
@@ -205,6 +205,9 @@ infra_solr_hosts = default("/clusterHostInfo/infra_solr_hosts", [])
 infra_solr_replication_factor = 2 if len(infra_solr_hosts) > 1 else 1
 atlas_solr_shards = default("/configurations/atlas-env/atlas_solr-shards", 1)
 has_infra_solr = len(infra_solr_hosts) > 0
+infra_solr_role_atlas = default('configurations/infra-solr-security-json/infra_solr_role_atlas', 'atlas_user')
+infra_solr_role_dev = default('configurations/infra-solr-security-json/infra_solr_role_dev', 'dev')
+infra_solr_role_ranger_audit = default('configurations/infra-solr-security-json/infra_solr_role_ranger_audit', 'ranger_audit_user')
 
 # zookeeper
 zookeeper_hosts = config['clusterHostInfo']['zookeeper_hosts']

http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json b/ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json
index bc8e351..d024146 100644
--- a/ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json
+++ b/ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json
@@ -87,6 +87,9 @@
             },
             {
               "name": "/KAFKA/KAFKA_BROKER/kafka_broker"
+            },
+            {
+              "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr"
             }
           ]
         }

http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json
index 49d1b10..60c8afb 100644
--- a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json
+++ b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json
@@ -11,26 +11,29 @@
         {
           "name": "LOGSEARCH_SERVER",
           "identities": [
-          {
-            "name": "logsearch",
-            "principal": {
-              "value": "logsearch/_HOST@${realm}",
-              "type": "service",
-              "configuration": "logsearch-env/logsearch_kerberos_principal"
-            },
-            "keytab": {
-              "file": "${keytab_dir}/logsearch.service.keytab",
-              "owner": {
-                "name": "${logsearch-env/logsearch_user}",
-                "access": "r"
-              },
-              "group": {
-                "name": "${cluster-env/user_group}",
-                "access": ""
+            {
+              "name": "logsearch",
+              "principal": {
+                "value": "logsearch/_HOST@${realm}",
+                "type": "service",
+                "configuration": "logsearch-env/logsearch_kerberos_principal"
               },
-              "configuration": "logsearch-env/logsearch_kerberos_keytab"
+              "keytab": {
+                "file": "${keytab_dir}/logsearch.service.keytab",
+                "owner": {
+                  "name": "${logsearch-env/logsearch_user}",
+                  "access": "r"
+                },
+                "group": {
+                  "name": "${cluster-env/user_group}",
+                  "access": ""
+                },
+                "configuration": "logsearch-env/logsearch_kerberos_keytab"
+              }
+            },
+            {
+              "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr"
             }
-          }
           ]
         },
         {

http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py
index fecd802..a023f2f 100644
--- a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py
+++ b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py
@@ -106,6 +106,11 @@ if 'infra-solr-env' in config['configurations']:
   infra_solr_ssl_enabled = default('configurations/infra-solr-env/infra_solr_ssl_enabled', False)
   infra_solr_jmx_port = config['configurations']['infra-solr-env']['infra_solr_jmx_port']
 
+infra_solr_role_logsearch = default('configurations/infra-solr-security-json/infra_solr_role_logsearch', 'logsearch_user')
+infra_solr_role_logfeeder = default('configurations/infra-solr-security-json/infra_solr_role_logfeeder', 'logfeeder_user')
+infra_solr_role_dev = default('configurations/infra-solr-security-json/infra_solr_role_dev', 'dev')
+infra_solr_role_ranger_admin = default('configurations/infra-solr-security-json/infra_solr_role_ranger_admin', 'ranger_user')
+
 _hostname_lowercase = config['hostname'].lower()
 if security_enabled:
   kinit_path_local = status_params.kinit_path_local

http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py
index ba91e20..f96bfd0 100644
--- a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py
+++ b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py
@@ -17,9 +17,12 @@ limitations under the License.
 
 """
 
+from resource_management.core.exceptions import Fail
 from resource_management.core.resources.system import Directory, Execute, File
 from resource_management.libraries.functions.format import format
 from resource_management.core.source import InlineTemplate, Template
+from resource_management.libraries.functions import solr_cloud_util
+from resource_management.libraries.functions.decorator import retry
 from resource_management.libraries.resources.properties_file import PropertiesFile
 from resource_management.libraries.functions.security_commons import update_credential_provider_path, HADOOP_CREDENTIAL_PROVIDER_PROPERTY_NAME
 
@@ -110,7 +113,24 @@ def setup_logsearch():
          content=Template("logsearch_jaas.conf.j2"),
          owner=params.logsearch_user
          )
-
   Execute(("chmod", "-R", "ugo+r", format("{logsearch_server_conf}/solr_configsets")),
           sudo=True
           )
+  check_znode()
+
+  if params.security_enabled and not params.logsearch_use_external_solr:
+    solr_cloud_util.add_solr_roles(params.config,
+                                   roles = [params.infra_solr_role_logsearch, params.infra_solr_role_ranger_admin, params.infra_solr_role_dev],
+                                   new_service_principals = [params.logsearch_kerberos_principal])
+    solr_cloud_util.add_solr_roles(params.config,
+                                   roles = [params.infra_solr_role_logfeeder, params.infra_solr_role_dev],
+                                   new_service_principals = [params.logfeeder_kerberos_principal])
+
+@retry(times=30, sleep_time=5, err_class=Fail)
+def check_znode():
+  import params
+  solr_cloud_util.check_znode(
+    zookeeper_quorum=params.logsearch_solr_zk_quorum,
+    solr_znode=params.logsearch_solr_zk_znode,
+    java64_home=params.java64_home,
+    retry=30, interval=5)
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py
index 0b4532b..49cd98b 100644
--- a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py
@@ -309,6 +309,9 @@ if stack_supports_infra_client and is_solrCloud_enabled:
 solr_user = unix_user
 if has_infra_solr and not is_external_solrCloud_enabled:
   solr_user = default('/configurations/infra-solr-env/infra_solr_user', unix_user)
+  infra_solr_role_ranger_admin = default('configurations/infra-solr-security-json/infra_solr_role_ranger_admin', 'ranger_user')
+  infra_solr_role_ranger_audit = default('configurations/infra-solr-security-json/infra_solr_role_ranger_audit', 'ranger_audit_user')
+  infra_solr_role_dev = default('configurations/infra-solr-security-json/infra_solr_role_dev', 'dev')
 custom_log4j = has_infra_solr and not is_external_solrCloud_enabled
 
 ranger_audit_max_retention_days = config['configurations']['ranger-solr-configuration']['ranger_audit_max_retention_days']

http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
index ae49c4f..acb5385 100644
--- a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
@@ -19,6 +19,7 @@ limitations under the License.
 """
 import os
 import re
+from collections import OrderedDict
 from resource_management.libraries.script import Script
 from resource_management.libraries.functions.default import default
 from resource_management.core.logger import Logger
@@ -669,6 +670,20 @@ def setup_ranger_audit_solr():
       jaas_file=params.solr_jaas_file,
       retry=30, interval=5)
 
+  if params.security_enabled and params.has_infra_solr \
+    and not params.is_external_solrCloud_enabled and params.stack_supports_ranger_kerberos:
+
+    solr_cloud_util.add_solr_roles(params.config,
+                                   roles = [params.infra_solr_role_ranger_admin, params.infra_solr_role_ranger_audit, params.infra_solr_role_dev],
+                                   new_service_principals = [params.ranger_admin_jaas_principal])
+    service_default_principals_map = OrderedDict([('hdfs', 'nn'), ('hbase', 'hbase'), ('hive', 'hive'), ('kafka', 'kafka'), ('kms', 'rangerkms'),
+                                                  ('knox', 'knox'), ('nifi', 'nifi'), ('storm', 'storm'), ('yanr', 'yarn')])
+    service_principals = get_ranger_plugin_principals(service_default_principals_map)
+    solr_cloud_util.add_solr_roles(params.config,
+                                   roles = [params.infra_solr_role_ranger_audit, params.infra_solr_role_dev],
+                                   new_service_principals = service_principals)
+
+
   solr_cloud_util.create_collection(
     zookeeper_quorum = params.zookeeper_quorum,
     solr_znode = params.solr_znode,
@@ -679,6 +694,11 @@ def setup_ranger_audit_solr():
     replication_factor = int(params.replication_factor),
     jaas_file = params.solr_jaas_file)
 
+  if params.security_enabled and params.has_infra_solr \
+    and not params.is_external_solrCloud_enabled and params.stack_supports_ranger_kerberos:
+    secure_znode(format('{solr_znode}/configs/{ranger_solr_config_set}'), params.solr_jaas_file)
+    secure_znode(format('{solr_znode}/collections/{ranger_solr_collection_name}'), params.solr_jaas_file)
+
 def setup_ranger_admin_passwd_change():
   import params
 
@@ -695,6 +715,27 @@ def check_znode():
     solr_znode=params.solr_znode,
     java64_home=params.java_home)
 
+def secure_znode(znode, jaasFile):
+  import params
+  solr_cloud_util.secure_znode(config=params.config, zookeeper_quorum=params.zookeeper_quorum,
+                               solr_znode=znode,
+                               jaas_file=jaasFile,
+                               java64_home=params.java_home, sasl_users=[params.ranger_admin_jaas_principal])
+
+def get_ranger_plugin_principals(services_defaults_map):
+  """
+  Get ranger plugin user principals from service-default value maps using ranger-*-audit configurations
+  """
+  import params
+  user_principals = []
+  if len(services_defaults_map) < 1:
+    raise Exception("Services - defaults map parameter is missing.")
+
+  for key, default_value in services_defaults_map.iteritems():
+    user_principal = default(format("configurations/ranger-{key}-audit/xasecure.audit.jaas.Client.option.principal"), default_value)
+    user_principals.append(user_principal)
+  return user_principals
+
 
 def setup_tagsync_ssl_configs():
   import params

http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json b/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json
index 253e32e..c5b3201 100644
--- a/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json
@@ -72,6 +72,9 @@
               "keytab": {
                 "configuration": "ranger-admin-site/xasecure.audit.jaas.Client.option.keyTab"
               }
+            },
+            {
+              "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr"
             }
           ]
         },

http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/test/python/stacks/2.3/ATLAS/test_metadata_server.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.3/ATLAS/test_metadata_server.py b/ambari-server/src/test/python/stacks/2.3/ATLAS/test_metadata_server.py
index 1bbf75e..12f8412 100644
--- a/ambari-server/src/test/python/stacks/2.3/ATLAS/test_metadata_server.py
+++ b/ambari-server/src/test/python/stacks/2.3/ATLAS/test_metadata_server.py
@@ -303,10 +303,18 @@ class TestMetadataServer(RMFTestCase):
                                     action=['delete'],
                                     create_parents=True)
 
+    self.assertResourceCalled('Execute', "ambari-sudo.sh /usr/bin/kinit -kt /etc/security/keytabs/ambari-infra-solr.keytab infra-solr/c6401.ambari.apache.org@EXAMPLE.COM; ambari-sudo.sh curl -k -s --negotiate -u : http://c6401.ambari.apache.org:8886/solr/admin/authorization | grep authorization.enabled && ambari-sudo.sh /usr/bin/kinit -kt /etc/security/keytabs/ambari-infra-solr.keytab infra-solr/c6401.ambari.apache.org@EXAMPLE.COM; ambari-sudo.sh curl -H 'Content-type:application/json' -d '{\"set-user-role\": {\"atlas@EXAMPLE.COM\": [\"atlas_user\", \"ranger_audit_user\", \"dev\"]}}' -s -o /dev/null -w'%{http_code}' --negotiate -u: -k http://c6401.ambari.apache.org:8886/solr/admin/authorization | grep 200",
+                              logoutput = True, tries = 30, try_sleep = 10)
+
     self.assertResourceCalledRegexp('^Execute$', '^ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181/infra-solr --create-collection --collection vertex_index --config-set atlas_configs --shards 1 --replication 1 --max-shards 1 --retry 5 --interval 10')
     self.assertResourceCalledRegexp('^Execute$', '^ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181/infra-solr --create-collection --collection edge_index --config-set atlas_configs --shards 1 --replication 1 --max-shards 1 --retry 5 --interval 10')
     self.assertResourceCalledRegexp('^Execute$', '^ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181/infra-solr --create-collection --collection fulltext_index --config-set atlas_configs --shards 1 --replication 1 --max-shards 1 --retry 5 --interval 10')
 
+    self.assertResourceCalled('Execute', "ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181 --znode /infra-solr/configs/atlas_configs --secure-znode --jaas-file /usr/hdp/current/atlas-server/conf/atlas_jaas.conf --sasl-users atlas,infra-solr --retry 5 --interval 10")
+    self.assertResourceCalled('Execute', "ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181 --znode /infra-solr/collections/vertex_index --secure-znode --jaas-file /usr/hdp/current/atlas-server/conf/atlas_jaas.conf --sasl-users atlas,infra-solr --retry 5 --interval 10")
+    self.assertResourceCalled('Execute', "ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181 --znode /infra-solr/collections/edge_index --secure-znode --jaas-file /usr/hdp/current/atlas-server/conf/atlas_jaas.conf --sasl-users atlas,infra-solr --retry 5 --interval 10")
+    self.assertResourceCalled('Execute', "ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181 --znode /infra-solr/collections/fulltext_index --secure-znode --jaas-file /usr/hdp/current/atlas-server/conf/atlas_jaas.conf --sasl-users atlas,infra-solr --retry 5 --interval 10")
+
   def test_configure_default(self):
     self.executeScript(self.COMMON_SERVICES_PACKAGE_DIR + "/scripts/metadata_server.py",
                        classname = "MetadataServer",

http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/test/python/stacks/2.3/configs/secure.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.3/configs/secure.json b/ambari-server/src/test/python/stacks/2.3/configs/secure.json
index 4501b81..e2a3d1d 100644
--- a/ambari-server/src/test/python/stacks/2.3/configs/secure.json
+++ b/ambari-server/src/test/python/stacks/2.3/configs/secure.json
@@ -169,7 +169,9 @@
       "infra_solr_znode": "/infra-solr",
       "infra_solr_user": "solr",
       "infra_solr_group": "solr",
-      "infra_solr_client_log_dir" :"/var/log/ambari-infra-solr-client"
+      "infra_solr_client_log_dir" :"/var/log/ambari-infra-solr-client",
+      "infra_solr_kerberos_principal" : "infra-solr/c6401.ambari.apache.org@EXAMPLE.COM",
+      "infra_solr_kerberos_keytab" : "/etc/security/keytabs/ambari-infra-solr.keytab"
     },
     "infra-solr-client-log4j" : {
       "infra_solr_client_log_dir" : "/var/log/ambari-infra-solr-client",
@@ -236,6 +238,9 @@
     },
     "ranger-env": {
       "xml_configurations_supported" : "true"
+    },
+    "kerberos-env" : {
+      "realm" : "EXAMPLE.COM"
     }
   },
   "configuration_attributes": {

http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/test/python/stacks/2.4/AMBARI_INFRA/test_infra_solr.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.4/AMBARI_INFRA/test_infra_solr.py b/ambari-server/src/test/python/stacks/2.4/AMBARI_INFRA/test_infra_solr.py
index cd88fec..2de3fba 100644
--- a/ambari-server/src/test/python/stacks/2.4/AMBARI_INFRA/test_infra_solr.py
+++ b/ambari-server/src/test/python/stacks/2.4/AMBARI_INFRA/test_infra_solr.py
@@ -95,11 +95,11 @@ class TestInfraSolr(RMFTestCase):
                                 content = InlineTemplate(self.getConfig()['configurations']['infra-solr-log4j']['content'])
       )
 
-      self.assertResourceCalled('File', '/etc/ambari-infra-solr/conf/security.json',
+      self.assertResourceCalled('File', '/etc/ambari-infra-solr/conf/custom-security.json',
                                 owner = 'solr',
                                 group='hadoop',
                                 content = InlineTemplate(self.getConfig()['configurations']['infra-solr-security-json']['content']),
-                                mode = 0644
+                                mode = 0640
                                 )
 
       self.assertResourceCalled('Execute', 'ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181 --znode /infra-solr --create-znode --retry 30 --interval 5')

http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py b/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py
index db9cbb9..587561a 100644
--- a/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py
+++ b/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py
@@ -139,7 +139,8 @@ class TestLogSearch(RMFTestCase):
     self.assertResourceCalled('Execute', ('chmod', '-R', 'ugo+r', '/etc/ambari-logsearch-portal/conf/solr_configsets'),
                               sudo = True
     )
-    
+    self.assertResourceCalled('Execute', 'ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181 --znode /infra-solr --check-znode --retry 30 --interval 5')
+
 
 
   def test_configure_default(self):

http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_admin.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_admin.py b/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_admin.py
index b01e7da..1b5d7ae 100644
--- a/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_admin.py
+++ b/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_admin.py
@@ -80,6 +80,7 @@ class TestRangerAdmin(RMFTestCase):
     self.assertResourceCalledRegexp('^Directory$', '^/tmp/solr_config_ranger_audits_0.[0-9]*',
                                     action=['delete'],
                                     create_parents=True)
+
     self.assertResourceCalledRegexp('^Execute$', '^ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181/infra-solr --create-collection --collection ranger_audits --config-set ranger_audits --shards 1 --replication 1 --max-shards 1 --retry 5 --interval 10')
 
     self.assertResourceCalled('Execute', '/usr/bin/ranger-admin-start',
@@ -165,8 +166,18 @@ class TestRangerAdmin(RMFTestCase):
     self.assertResourceCalledRegexp('^Directory$', '^/tmp/solr_config_ranger_audits_0.[0-9]*',
                                     action=['delete'],
                                     create_parents=True)
+
+    self.assertResourceCalled('Execute', "ambari-sudo.sh /usr/bin/kinit -kt /etc/security/keytabs/infra-solr.service.keytab infra-solr/c6401.ambari.apache.org@EXAMPLE.COM; ambari-sudo.sh curl -k -s --negotiate -u : http://c6401.ambari.apache.org:8886/solr/admin/authorization | grep authorization.enabled && ambari-sudo.sh /usr/bin/kinit -kt /etc/security/keytabs/infra-solr.service.keytab infra-solr/c6401.ambari.apache.org@EXAMPLE.COM; ambari-sudo.sh curl -H 'Content-type:application/json' -d '{\"set-user-role\": {\"rangeradmin@EXAMPLE.COM\": [\"ranger_user\", \"ranger_audit_user\", \"dev\"]}}' -s -o /dev/null -w'%{http_code}' --negotiate -u: -k http://c6401.ambari.apache.org:8886/solr/admin/authorization | grep 200",
+                              logoutput = True, tries = 30, try_sleep = 10)
+    self.assertResourceCalled('Execute', "ambari-sudo.sh /usr/bin/kinit -kt /etc/security/keytabs/infra-solr.service.keytab infra-solr/c6401.ambari.apache.org@EXAMPLE.COM; ambari-sudo.sh curl -k -s --negotiate -u : http://c6401.ambari.apache.org:8886/solr/admin/authorization | grep authorization.enabled && ambari-sudo.sh /usr/bin/kinit -kt /etc/security/keytabs/infra-solr.service.keytab infra-solr/c6401.ambari.apache.org@EXAMPLE.COM; ambari-sudo.sh curl -H \'Content-type:application/json\' -d "
+                                         "\'{\"set-user-role\": {\"hbase@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"nn@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"knox@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"rangerkms@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"kafka@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"hive@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"nifi@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"storm@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"yarn@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"]}}\' -s -o /dev/null -w\'%{http_code}\' --negotiate -u: -k http://c6401.ambari.apache.org:8886/solr/admin/authorization | grep 200",
+                              logoutput = True, tries = 30, try_sleep = 10)
+
     self.assertResourceCalledRegexp('^Execute$', '^ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181/ambari-solr --create-collection --collection ranger_audits --config-set ranger_audits --shards 1 --replication 1 --max-shards 1 --retry 5 --interval 10')
 
+    self.assertResourceCalled('Execute','ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181 --znode /ambari-solr/configs/ranger_audits --secure-znode --jaas-file /usr/hdp/current/ranger-admin/conf/ranger_solr_jaas.conf --sasl-users rangeradmin,infra-solr --retry 5 --interval 10')
+    self.assertResourceCalled('Execute', 'ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181 --znode /ambari-solr/collections/ranger_audits --secure-znode --jaas-file /usr/hdp/current/ranger-admin/conf/ranger_solr_jaas.conf --sasl-users rangeradmin,infra-solr --retry 5 --interval 10')
+
     self.assertResourceCalled('Execute', '/usr/bin/ranger-admin-start',
       environment = {'JAVA_HOME': u'/usr/jdk64/jdk1.7.0_45'},
       not_if = 'ps -ef | grep proc_rangeradmin | grep -v grep',

http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_admin.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_admin.py b/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_admin.py
index 8dda363..fb1dd0e 100644
--- a/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_admin.py
+++ b/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_admin.py
@@ -156,8 +156,17 @@ class TestRangerAdmin(RMFTestCase):
     self.assertResourceCalledRegexp('^Directory$', '^/tmp/solr_config_ranger_audits_0.[0-9]*',
                                     action=['delete'],
                                     create_parents=True)
+    self.assertResourceCalled('Execute', "ambari-sudo.sh /usr/bin/kinit -kt /etc/security/keytabs/infra-solr.service.keytab infra-solr/c6401.ambari.apache.org@EXAMPLE.COM; ambari-sudo.sh curl -k -s --negotiate -u : http://c6401.ambari.apache.org:8886/solr/admin/authorization | grep authorization.enabled && ambari-sudo.sh /usr/bin/kinit -kt /etc/security/keytabs/infra-solr.service.keytab infra-solr/c6401.ambari.apache.org@EXAMPLE.COM; ambari-sudo.sh curl -H 'Content-type:application/json' -d '{\"set-user-role\": {\"rangeradmin@EXAMPLE.COM\": [\"ranger_user\", \"ranger_audit_user\", \"dev\"]}}' -s -o /dev/null -w'%{http_code}' --negotiate -u: -k http://c6401.ambari.apache.org:8886/solr/admin/authorization | grep 200",
+                              logoutput = True, tries = 30, try_sleep = 10)
+    self.assertResourceCalled('Execute', "ambari-sudo.sh /usr/bin/kinit -kt /etc/security/keytabs/infra-solr.service.keytab infra-solr/c6401.ambari.apache.org@EXAMPLE.COM; ambari-sudo.sh curl -k -s --negotiate -u : http://c6401.ambari.apache.org:8886/solr/admin/authorization | grep authorization.enabled && ambari-sudo.sh /usr/bin/kinit -kt /etc/security/keytabs/infra-solr.service.keytab infra-solr/c6401.ambari.apache.org@EXAMPLE.COM; ambari-sudo.sh curl -H \'Content-type:application/json\' -d "
+                                         "\'{\"set-user-role\": {\"hbase@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"nn@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"knox@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"rangerkms@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"kafka@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"hive@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"nifi@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"storm@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"yarn@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"]}}\' -s -o /dev/null -w\'%{http_code}\' --negotiate -u: -k http://c6401.ambari.apache.org:8886/solr/admin/authorization | grep 200",
+                              logoutput = True, tries = 30, try_sleep = 10)
+
     self.assertResourceCalledRegexp('^Execute$', '^ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181/infra-solr --create-collection --collection ranger_audits --config-set ranger_audits --shards 1 --replication 1 --max-shards 1 --retry 5 --interval 10')
 
+    self.assertResourceCalled('Execute','ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181 --znode /infra-solr/configs/ranger_audits --secure-znode --jaas-file /usr/hdp/current/ranger-admin/conf/ranger_solr_jaas.conf --sasl-users rangeradmin,infra-solr --retry 5 --interval 10')
+    self.assertResourceCalled('Execute', 'ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181 --znode /infra-solr/collections/ranger_audits --secure-znode --jaas-file /usr/hdp/current/ranger-admin/conf/ranger_solr_jaas.conf --sasl-users rangeradmin,infra-solr --retry 5 --interval 10')
+
     self.assertResourceCalled('Execute', '/usr/bin/ranger-admin-start',
       environment = {'JAVA_HOME': u'/usr/jdk64/jdk1.7.0_45'},
       not_if = 'ps -ef | grep proc_rangeradmin | grep -v grep',


Mime
View raw message