From: rlevas@apache.org To: commits@ambari.apache.org Date: Tue, 30 May 2017 18:29:33 -0000 Message-Id: <23b869736ffc4638a5aa5553b36987a6@git.apache.org> In-Reply-To: References: X-Mailer: ASF-Git Admin Mailer Subject: [11/50] [abbrv] ambari git commit: AMBARI-20985. HDP 3.0 TP - create service definition for Ranger with configs, kerberos, widgets, etc.(vbrodetskyi) archived-at: Tue, 30 May 2017 18:29:29 -0000
http://git-wip-us.apache.org/repos/asf/ambari/blob/260ee2ef/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/ranger_admin.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/ranger_admin.py b/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/ranger_admin.py
new file mode 100644
index 0000000..b849d58
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/ranger_admin.py
@@ -0,0 +1,217 @@
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+from resource_management.core.exceptions import Fail
+from resource_management.libraries.functions.check_process_status import check_process_status
+from resource_management.libraries.functions import stack_select
+from resource_management.libraries.functions import conf_select
+from resource_management.libraries.functions.constants import Direction
+from resource_management.libraries.script import Script
+from resource_management.core.resources.system import Execute, File
+from resource_management.core.exceptions import ComponentIsNotRunning
+from resource_management.libraries.functions.format import format
+from resource_management.core.logger import Logger
+from resource_management.core import shell
+from ranger_service import ranger_service
+from setup_ranger_xml import setup_ranger_audit_solr, setup_ranger_admin_passwd_change
+from resource_management.libraries.functions import solr_cloud_util
+from ambari_commons.constants import UPGRADE_TYPE_NON_ROLLING, UPGRADE_TYPE_ROLLING
+from resource_management.libraries.functions.constants import Direction
+import upgrade
+import os, errno
+
+class RangerAdmin(Script):
+
+ def get_component_name(self):
+ return 
"ranger-admin"
+
+ def install(self, env):
+ self.install_packages(env)
+ import params
+ env.set_params(params)
+ # call config and setup db only in case of HDP version < 2.6
+ if not params.stack_supports_ranger_setup_db_on_start:
+ self.configure(env, setup_db=True)
+
+ def stop(self, env, upgrade_type=None):
+ import params
+ env.set_params(params)
+
+ if upgrade_type == UPGRADE_TYPE_NON_ROLLING and params.upgrade_direction == Direction.UPGRADE:
+ if params.stack_supports_rolling_upgrade and not params.stack_supports_config_versioning and os.path.isfile(format('{ranger_home}/ews/stop-ranger-admin.sh')):
+ File(format('{ranger_home}/ews/stop-ranger-admin.sh'),
+ owner=params.unix_user,
+ group = params.unix_group
+ )
+
+ Execute(format('{params.ranger_stop}'), environment={'JAVA_HOME': params.java_home}, user=params.unix_user)
+ if params.stack_supports_pid:
+ File(params.ranger_admin_pid_file,
+ action = "delete"
+ )
+
+ def pre_upgrade_restart(self, env, upgrade_type=None):
+ import params
+ env.set_params(params)
+
+ upgrade.prestart(env, "ranger-admin")
+
+ self.set_ru_rangeradmin_in_progress(params.upgrade_marker_file)
+
+ def post_upgrade_restart(self,env, upgrade_type=None):
+ import params
+ env.set_params(params)
+
+ if os.path.isfile(params.upgrade_marker_file):
+ os.remove(params.upgrade_marker_file)
+
+ def start(self, env, upgrade_type=None):
+ import params
+ env.set_params(params)
+
+ # setup db only if in case HDP version is > 2.6
+ self.configure(env, upgrade_type=upgrade_type, setup_db=params.stack_supports_ranger_setup_db_on_start)
+
+ if params.stack_supports_infra_client and params.audit_solr_enabled and params.is_solrCloud_enabled:
+ solr_cloud_util.setup_solr_client(params.config, custom_log4j = params.custom_log4j)
+ setup_ranger_audit_solr()
+
+ ranger_service('ranger_admin')
+
+
+ def status(self, env):
+ import status_params
+
+ env.set_params(status_params)
+
+ if status_params.stack_supports_pid:
+ 
check_process_status(status_params.ranger_admin_pid_file)
+ return
+
+ cmd = 'ps -ef | grep proc_rangeradmin | grep -v grep'
+ code, output = shell.call(cmd, timeout=20)
+
+ if code != 0:
+ if self.is_ru_rangeradmin_in_progress(status_params.upgrade_marker_file):
+ Logger.info('Ranger admin process not running - skipping as stack upgrade is in progress')
+ else:
+ Logger.debug('Ranger admin process not running')
+ raise ComponentIsNotRunning()
+ pass
+
+ def configure(self, env, upgrade_type=None, setup_db=False):
+ import params
+ env.set_params(params)
+ if params.xml_configurations_supported:
+ from setup_ranger_xml import ranger
+ else:
+ from setup_ranger import ranger
+
+ # set up db if we are not upgrading and setup_db is true
+ if setup_db and upgrade_type is None:
+ if params.xml_configurations_supported:
+ from setup_ranger_xml import setup_ranger_db
+ setup_ranger_db()
+
+ ranger('ranger_admin', upgrade_type=upgrade_type)
+
+ # set up java patches if we are not upgrading and setup_db is true
+ if setup_db and upgrade_type is None:
+ if params.xml_configurations_supported:
+ from setup_ranger_xml import setup_java_patch
+ setup_java_patch()
+
+ if params.stack_supports_ranger_admin_password_change:
+ setup_ranger_admin_passwd_change()
+
+ def set_ru_rangeradmin_in_progress(self, upgrade_marker_file):
+ config_dir = os.path.dirname(upgrade_marker_file)
+ try:
+ msg = "Starting Upgrade"
+ if (not os.path.exists(config_dir)):
+ os.makedirs(config_dir)
+ ofp = open(upgrade_marker_file, 'w')
+ ofp.write(msg)
+ ofp.close()
+ except OSError as exc:
+ if exc.errno == errno.EEXIST and os.path.isdir(config_dir):
+ pass
+ else:
+ raise
+
+ def is_ru_rangeradmin_in_progress(self, upgrade_marker_file):
+ return os.path.isfile(upgrade_marker_file)
+
+ def setup_ranger_database(self, env):
+ import params
+ env.set_params(params)
+
+ upgrade_stack = stack_select._get_upgrade_stack()
+ if upgrade_stack is None:
+ raise Fail('Unable to determine the stack and stack 
version')
+
+ stack_version = upgrade_stack[1]
+
+ if params.xml_configurations_supported and params.upgrade_direction == Direction.UPGRADE:
+ Logger.info(format('Setting Ranger database schema, using version {stack_version}'))
+
+ from setup_ranger_xml import setup_ranger_db
+ setup_ranger_db(stack_version=stack_version)
+
+ def setup_ranger_java_patches(self, env):
+ import params
+ env.set_params(params)
+
+ upgrade_stack = stack_select._get_upgrade_stack()
+ if upgrade_stack is None:
+ raise Fail('Unable to determine the stack and stack version')
+
+ stack_version = upgrade_stack[1]
+
+ if params.xml_configurations_supported and params.upgrade_direction == Direction.UPGRADE:
+ Logger.info(format('Applying Ranger java patches, using version {stack_version}'))
+
+ from setup_ranger_xml import setup_java_patch
+ setup_java_patch(stack_version=stack_version)
+
+ def set_pre_start(self, env):
+ import params
+ env.set_params(params)
+
+ upgrade_stack = stack_select._get_upgrade_stack()
+ if upgrade_stack is None:
+ raise Fail('Unable to determine the stack and stack version')
+
+ stack_name = upgrade_stack[0]
+ stack_version = upgrade_stack[1]
+
+ stack_select.select("ranger-admin", stack_version)
+ conf_select.select(stack_name, "ranger-admin", stack_version)
+
+ def get_log_folder(self):
+ import params
+ return params.admin_log_dir
+
+ def get_user(self):
+ import params
+ return params.unix_user
+
+if __name__ == "__main__":
+ RangerAdmin().execute()
+
http://git-wip-us.apache.org/repos/asf/ambari/blob/260ee2ef/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/ranger_service.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/ranger_service.py b/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/ranger_service.py
new file mode 100644
index 0000000..0355049
--- /dev/null
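Review bot: In ranger_admin.py, the upgrade marker written by `set_ru_rangeradmin_in_progress` is what `status()` consults before reporting a missing process, and the only visible cleanup is in `post_upgrade_restart`, so an upgrade that aborts between the two would leave a stale marker behind. Indentation is lost in this mail, but if `raise ComponentIsNotRunning()` sits under the `else:` as the log messages suggest, a stale marker would make a stopped Ranger Admin look healthy on the non-pid path. I would bound the marker's lifetime (for example by comparing its mtime against a limit) or at least log at warning level whenever it is honoured. The write itself should be `with open(upgrade_marker_file, 'w') as ofp: ofp.write(msg)` so the handle is closed on error; note that under Python 2 a failing `open()` raises IOError, which the `except OSError` clause does not cover.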
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/ranger_service.py 
@@ -0,0 +1,69 @@
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+
+from resource_management.libraries.functions.format import format
+from resource_management.libraries.functions.show_logs import show_logs
+from resource_management.core.resources.system import Execute
+
+def ranger_service(name, action=None):
+ import params
+
+ env_dict = {'JAVA_HOME': params.java_home}
+ if params.db_flavor.lower() == 'sqla':
+ env_dict = {'JAVA_HOME': params.java_home, 'LD_LIBRARY_PATH': params.ld_lib_path}
+
+ if name == 'ranger_admin':
+ no_op_test = format('ps -ef | grep proc_rangeradmin | grep -v grep')
+ try:
+ Execute(params.ranger_start, environment=env_dict, user=params.unix_user, not_if=no_op_test)
+ except:
+ show_logs(params.admin_log_dir, params.unix_user)
+ raise
+ elif name == 'ranger_usersync':
+ no_op_test = format('ps -ef | grep proc_rangerusersync | grep -v grep')
+ if params.stack_supports_usersync_non_root:
+ try:
+ Execute(params.usersync_start,
+ environment=env_dict,
+ not_if=no_op_test,
+ user=params.unix_user
+ )
+ except:
+ show_logs(params.usersync_log_dir, params.unix_user)
+ raise
+ else:
+ # Usersync requires to be run as root for 2.2
+ Execute((params.usersync_start,),
+ environment={'JAVA_HOME': 
params.java_home},
+ not_if=no_op_test,
+ sudo=True
+ )
+ elif name == 'ranger_tagsync' and params.stack_supports_ranger_tagsync:
+ no_op_test = format('ps -ef | grep proc_rangertagsync | grep -v grep')
+ cmd = format('{tagsync_services_file} start')
+ try:
+ Execute(cmd,
+ environment=env_dict,
+ user=params.unix_user,
+ not_if=no_op_test
+ )
+ except:
+ show_logs(params.tagsync_log_dir, params.unix_user)
+ raise
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ambari/blob/260ee2ef/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/ranger_tagsync.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/ranger_tagsync.py b/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/ranger_tagsync.py
new file mode 100644
index 0000000..008fb99
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/ranger_tagsync.py
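Review bot: The `not_if` guards in `ranger_service` (ranger_service.py), `ps -ef | grep proc_rangeradmin | grep -v grep` and the usersync and tagsync equivalents, match any process on the host whose command line contains the marker string, whoever owns it, so an unrelated process is enough for the start to be skipped silently. Scoping the test to the service account, for example `pgrep -u {unix_user} -f proc_rangeradmin`, or reusing the pid file that the components' `status()` already checks when `stack_supports_pid` is set, would tie the guard to the real daemon. The `format()` wrapper around the three `ps` strings does nothing because they hold no placeholders. The bare `except:` clauses do re-raise, but `except Exception:` would keep KeyboardInterrupt and SystemExit out of the `show_logs` path.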
@@ -0,0 +1,139 @@
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+from resource_management.libraries.script import Script
+from resource_management.libraries.functions import conf_select
+from resource_management.libraries.functions import stack_select
+from resource_management.core.resources.system import Execute, File
+from resource_management.libraries.functions.check_process_status import check_process_status
+from resource_management.core.exceptions import ComponentIsNotRunning
+from resource_management.libraries.functions.format import format
+from resource_management.core.logger import Logger
+from resource_management.core import shell
+from ranger_service import ranger_service
+from setup_ranger_xml import ranger, ranger_credential_helper
+from resource_management.core.exceptions import Fail
+import upgrade
+
+class RangerTagsync(Script):
+
+ def install(self, env):
+ self.install_packages(env)
+ import params
+ env.set_params(params)
+
+ ranger_credential_helper(params.tagsync_cred_lib, 'tagadmin.user.password', 'rangertagsync', params.tagsync_jceks_path)
+ File(params.tagsync_jceks_path,
+ owner = params.unix_user,
+ group = params.unix_group,
+ mode = 0640
+ )
+ if 
params.stack_supports_ranger_tagsync_ssl_xml_support:
+ Logger.info("Stack support Atlas user for Tagsync, creating keystore for same.")
+ self.create_atlas_user_keystore(env)
+ else:
+ Logger.info("Stack does not support Atlas user for Tagsync, skipping keystore creation for same.")
+
+ self.configure(env)
+
+ def configure(self, env, upgrade_type=None):
+ import params
+ env.set_params(params)
+ ranger('ranger_tagsync', upgrade_type=upgrade_type)
+
+ def start(self, env, upgrade_type=None):
+ import params
+ env.set_params(params)
+
+ self.configure(env, upgrade_type=upgrade_type)
+ ranger_service('ranger_tagsync')
+
+ def stop(self, env, upgrade_type=None):
+ import params
+ env.set_params(params)
+
+ Execute(format('{tagsync_services_file} stop'), environment={'JAVA_HOME': params.java_home}, user=params.unix_user)
+ File(params.tagsync_pid_file,
+ action = "delete"
+ )
+
+ def status(self, env):
+ import status_params
+ env.set_params(status_params)
+
+ check_process_status(status_params.tagsync_pid_file)
+
+ def pre_upgrade_restart(self, env, upgrade_type=None):
+ import params
+ env.set_params(params)
+
+ if params.stack_supports_ranger_tagsync:
+ Logger.info("Executing Ranger Tagsync Stack Upgrade pre-restart")
+ conf_select.select(params.stack_name, "ranger-tagsync", params.version)
+ stack_select.select("ranger-tagsync", params.version)
+
+ def get_component_name(self):
+ return "ranger-tagsync"
+
+ def get_log_folder(self):
+ import params
+ return params.tagsync_log_dir
+
+ def get_user(self):
+ import params
+ return params.unix_user
+
+ def get_pid_files(self):
+ import status_params
+ return [status_params.tagsync_pid_file]
+
+ def configure_atlas_user_for_tagsync(self, env):
+ Logger.info("Configuring Atlas user for Tagsync service.")
+ import params
+ env.set_params(params)
+
+ upgrade_stack = stack_select._get_upgrade_stack()
+ if upgrade_stack is None:
+ raise Fail('Unable to determine the stack and stack version')
+
+ stack_name = 
upgrade_stack[0]
+ stack_version = upgrade_stack[1]
+
+ stack_select.select("ranger-tagsync", stack_version)
+ conf_select.select(stack_name, "ranger-tagsync", stack_version)
+ if params.stack_supports_ranger_tagsync_ssl_xml_support:
+ Logger.info("Upgrading Tagsync, stack support Atlas user for Tagsync, creating keystore for same.")
+ self.create_atlas_user_keystore(env)
+ else:
+ Logger.info("Upgrading Tagsync, stack does not support Atlas user for Tagsync, skipping keystore creation for same.")
+
+ Logger.info("Configuring Atlas user for Tagsync service done.")
+
+ def create_atlas_user_keystore(self,env):
+ import params
+ env.set_params(params)
+ ranger_credential_helper(params.tagsync_cred_lib, 'atlas.user.password', 'admin', params.atlas_tagsync_jceks_path)
+ File(params.atlas_tagsync_jceks_path,
+ owner = params.unix_user,
+ group = params.unix_group,
+ mode = 0640
+ )
+
+if __name__ == "__main__":
+ RangerTagsync().execute()
http://git-wip-us.apache.org/repos/asf/ambari/blob/260ee2ef/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/ranger_usersync.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/ranger_usersync.py b/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/ranger_usersync.py
new file mode 100644
index 0000000..b9366f6
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/ranger_usersync.py
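Review bot: In ranger_tagsync.py, `create_atlas_user_keystore` passes the literal `'admin'` to `ranger_credential_helper` for the `atlas.user.password` alias, and `install` passes the literal `'rangertagsync'` for `tagadmin.user.password`. The helper is defined outside this hunk, but if its third argument is the secret stored under the alias, every cluster provisioned from this definition gets the same well-known credentials in its keystore. These values should come from the service configuration, e.g. `params.<atlas_tagsync_password>` (placeholder name), and be handled as protected strings so they are masked in logs. The keystore is also restricted to `0640` only after the helper has created it, so it is worth confirming that the helper does not create the file with a wider mode first.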
@@ -0,0 +1,124 @@
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+from resource_management.libraries.functions.check_process_status import check_process_status
+from resource_management.libraries.script import Script
+from resource_management.core.resources.system import Execute, File
+from resource_management.core.exceptions import ComponentIsNotRunning
+from resource_management.libraries.functions.format import format
+from resource_management.core.logger import Logger
+from resource_management.core import shell
+from ranger_service import ranger_service
+from ambari_commons.constants import UPGRADE_TYPE_NON_ROLLING, UPGRADE_TYPE_ROLLING
+from resource_management.libraries.functions.constants import Direction
+import upgrade
+import os
+
+class RangerUsersync(Script):
+
+ def install(self, env):
+ self.install_packages(env)
+ import params
+ env.set_params(params)
+
+ if params.stack_supports_usersync_passwd:
+ from setup_ranger_xml import ranger_credential_helper
+ ranger_credential_helper(params.ugsync_cred_lib, params.ugsync_policymgr_alias, 'rangerusersync', params.ugsync_policymgr_keystore)
+
+ File(params.ugsync_policymgr_keystore,
+ owner = params.unix_user,
+ group = params.unix_group,
+ mode = 0640
+ )
+
+ 
self.configure(env)
+
+ def configure(self, env, upgrade_type=None):
+ import params
+ env.set_params(params)
+
+ if params.xml_configurations_supported:
+ from setup_ranger_xml import ranger
+ else:
+ from setup_ranger import ranger
+
+ ranger('ranger_usersync', upgrade_type=upgrade_type)
+
+ def start(self, env, upgrade_type=None):
+ import params
+ env.set_params(params)
+
+ self.configure(env, upgrade_type=upgrade_type)
+ ranger_service('ranger_usersync')
+
+ def stop(self, env, upgrade_type=None):
+ import params
+ env.set_params(params)
+
+ if upgrade_type == UPGRADE_TYPE_NON_ROLLING and params.upgrade_direction == Direction.UPGRADE:
+ if params.stack_supports_usersync_non_root and os.path.isfile(params.usersync_services_file):
+ File(params.usersync_services_file,
+ mode = 0755
+ )
+ Execute(('ln','-sf', format('{usersync_services_file}'),'/usr/bin/ranger-usersync'),
+ not_if=format("ls /usr/bin/ranger-usersync"),
+ only_if=format("ls {usersync_services_file}"),
+ sudo=True
+ )
+
+ Execute((params.usersync_stop,), environment={'JAVA_HOME': params.java_home}, sudo=True)
+ if params.stack_supports_pid:
+ File(params.ranger_usersync_pid_file,
+ action = "delete"
+ )
+
+ def status(self, env):
+ import status_params
+ env.set_params(status_params)
+
+ if status_params.stack_supports_pid:
+ check_process_status(status_params.ranger_usersync_pid_file)
+ return
+
+ cmd = 'ps -ef | grep proc_rangerusersync | grep -v grep'
+ code, output = shell.call(cmd, timeout=20)
+
+ if code != 0:
+ Logger.debug('Ranger usersync process not running')
+ raise ComponentIsNotRunning()
+ pass
+
+ def pre_upgrade_restart(self, env, upgrade_type=None):
+ import params
+ env.set_params(params)
+ upgrade.prestart(env, "ranger-usersync")
+
+ def get_component_name(self):
+ return "ranger-usersync"
+
+ def get_log_folder(self):
+ import params
+ return params.usersync_log_dir
+
+ def get_user(self):
+ import params
+ return params.unix_user
+
+if __name__ == "__main__":
+ 
RangerUsersync().execute()
http://git-wip-us.apache.org/repos/asf/ambari/blob/260ee2ef/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/service_check.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/service_check.py b/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/service_check.py
new file mode 100644
index 0000000..fb6af95
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/service_check.py
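Review bot: In ranger_usersync.py, `stop()` always runs `params.usersync_stop` with `sudo=True`, even when `stack_supports_usersync_non_root` is set and `ranger_service` starts the daemon as `params.unix_user`. Elsewhere in this commit, `setup_usersync` in setup_ranger.py makes `usersync_start` and `usersync_stop` owned by `params.unix_user`, so on that path a script the service account can edit is executed as root. Under the non-root flag the stop call should pass `user=params.unix_user` instead of `sudo=True`, and where root is still required the script should be root-owned and not writable by the service account. The `ln -sf` into `/usr/bin/ranger-usersync` deserves the same check, since it points a system-path name at `usersync_services_file`, whose ownership this hunk does not pin down.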
@@ -0,0 +1,49 @@
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+
+from resource_management.libraries.script import Script
+from resource_management.core.resources.system import Execute
+from resource_management.core.exceptions import ComponentIsNotRunning
+from resource_management.libraries.functions.format import format
+from resource_management.core.logger import Logger
+import os
+
+
+class RangerServiceCheck(Script):
+
+ def service_check(self, env):
+ import params
+
+ env.set_params(params)
+ self.check_ranger_admin_service(params.ranger_external_url, params.upgrade_marker_file)
+
+ def check_ranger_admin_service(self, ranger_external_url, upgrade_marker_file):
+ if (self.is_ru_rangeradmin_in_progress(upgrade_marker_file)):
+ Logger.info('Ranger admin process not running - skipping as stack upgrade is in progress')
+ else:
+ Execute(format("curl -s -o /dev/null -w'%{{http_code}}' --negotiate -u: -k {ranger_external_url}/login.jsp | grep 200"),
+ tries = 10,
+ try_sleep=3,
+ logoutput=True)
+
+ def is_ru_rangeradmin_in_progress(self, upgrade_marker_file):
+ return os.path.isfile(upgrade_marker_file)
+
+if __name__ == "__main__":
+ RangerServiceCheck().execute()
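Review bot: The curl call in `check_ranger_admin_service` combines `--negotiate -u:` with `-k`, so the check performs SPNEGO authentication against an endpoint whose TLS certificate is never verified. I would drop `-k` and supply the cluster trust anchor with `--cacert <path-to-ca-bundle>` (placeholder path), and quote the target as `'{ranger_external_url}/login.jsp'` because it is interpolated into a shell string. `| grep 200` also succeeds on any output that merely contains those digits; `grep -x 200` pins it to the status code. Separately, when the upgrade marker file exists the check logs and returns success without contacting Ranger at all, so a stale marker hides an outage from the service check.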
http://git-wip-us.apache.org/repos/asf/ambari/blob/260ee2ef/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/setup_ranger.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/setup_ranger.py b/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/setup_ranger.py
new file mode 100644
index 0000000..b0e8bad
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/setup_ranger.py
@@ -0,0 +1,153 @@ +#!/usr/bin/env python +""" +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +""" +import sys +import fileinput +import os +from resource_management.libraries.functions.format import format +from resource_management.libraries.resources.properties_file import PropertiesFile +from resource_management.libraries.resources.modify_properties_file import ModifyPropertiesFile +from resource_management.core.source import DownloadSource +from resource_management.core.logger import Logger +from resource_management.core.shell import as_sudo +from resource_management.core.exceptions import Fail +from resource_management.core.resources.system import Directory, Execute, File + + +def ranger(name=None, upgrade_type=None): + if name == 'ranger_admin': + setup_ranger_admin(upgrade_type=upgrade_type) + + if name == 'ranger_usersync': + setup_usersync(upgrade_type=upgrade_type) + +def setup_ranger_admin(upgrade_type=None): + import params + + check_db_connnection() + + if params.driver_curl_source and not params.driver_curl_source.endswith("/None"): + if params.previous_jdbc_jar and os.path.isfile(params.previous_jdbc_jar): + File(params.previous_jdbc_jar, action='delete') + + File(params.downloaded_custom_connector, + content = 
DownloadSource(params.driver_curl_source), + mode = 0644 + ) + + Execute(('cp', '--remove-destination', params.downloaded_custom_connector, params.driver_curl_target), + path=["/bin", "/usr/bin/"], + sudo=True) + + File(params.driver_curl_target, mode=0644) + + ModifyPropertiesFile(format("{ranger_home}/install.properties"), + properties = params.config['configurations']['admin-properties'] + ) + + custom_config = dict() + custom_config['unix_user'] = params.unix_user + custom_config['unix_group'] = params.unix_group + + ModifyPropertiesFile(format("{ranger_home}/install.properties"), + properties=custom_config + ) + + ModifyPropertiesFile(format("{ranger_home}/install.properties"), + properties = {'SQL_CONNECTOR_JAR': format('{driver_curl_target}')} + ) + + ##if db flavor == oracle - set oracle home env variable + if params.db_flavor.lower() == 'oracle' and params.oracle_home: + env_dict = {'JAVA_HOME': params.java_home, 'ORACLE_HOME':params.oracle_home, 'LD_LIBRARY_PATH':params.oracle_home} + else: + env_dict = {'JAVA_HOME': params.java_home} + + setup_sh = format("cd {ranger_home} && ") + as_sudo([format('{ranger_home}/setup.sh')]) + Execute(setup_sh, + environment=env_dict, + logoutput=True, + ) + + ModifyPropertiesFile(format("{ranger_conf}/xa_system.properties"), + properties = params.config['configurations']['ranger-site'], + ) + + ModifyPropertiesFile(format("{ranger_conf}/ranger_webserver.properties"), + properties = params.config['configurations']['ranger-site'], + mode=0744 + ) + + Directory(params.admin_log_dir, + owner = params.unix_user, + group = params.unix_group + ) + +def setup_usersync(upgrade_type=None): + import params + + PropertiesFile(format("{usersync_home}/install.properties"), + properties = params.config['configurations']['usersync-properties'], + ) + + custom_config = dict() + custom_config['unix_user'] = params.unix_user + custom_config['unix_group'] = params.unix_group + + 
ModifyPropertiesFile(format("{usersync_home}/install.properties"), + properties=custom_config + ) + + cmd = format("cd {usersync_home} && ") + as_sudo([format('{usersync_home}/setup.sh')]) + Execute(cmd, environment={'JAVA_HOME': params.java_home}, logoutput=True) + + File([params.usersync_start, params.usersync_stop], + owner = params.unix_user + ) + File(params.usersync_services_file, + mode = 0755, + ) + + Directory(params.usersync_log_dir, + owner = params.unix_user, + group = params.unix_group + ) + +def check_db_connnection(): + import params + + Logger.info('Checking DB connection') + env_dict = {} + if params.db_flavor.lower() == 'mysql': + cmd = format('{sql_command_invoker} -u {db_root_user} --password={db_root_password!p} -h {db_host} -s -e "select version();"') + elif params.db_flavor.lower() == 'oracle': + cmd = format("{sql_command_invoker} '{db_root_user}/\"{db_root_password}\"@{db_host}' AS SYSDBA") + env_dict = {'ORACLE_HOME':params.oracle_home, 'LD_LIBRARY_PATH':params.oracle_home} + elif params.db_flavor.lower() == 'postgres': + cmd = 'true' + elif params.db_flavor.lower() == 'mssql': + cmd = 'true' + + try: + Execute(cmd, + environment=env_dict, + logoutput=True) + except Fail as ex: + Logger.error(str(ex)) + raise Fail('Ranger Database connection check failed') http://git-wip-us.apache.org/repos/asf/ambari/blob/260ee2ef/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/setup_ranger_xml.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/setup_ranger_xml.py b/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/setup_ranger_xml.py new file mode 100644 index 0000000..26e6578 --- /dev/null +++ b/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/setup_ranger_xml.py 
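Review bot: In `check_db_connnection` (setup_ranger.py) the Oracle branch interpolates `{db_root_password}` without the `!p` marker that the MySQL branch uses, which as far as I know is what lets Ambari's `format()` mask the value in logged commands. Because the command runs with `logoutput=True` and a failure is echoed through `Logger.error(str(ex))`, the DBA password can end up in agent logs; the branch should read `'{db_root_user}/\"{db_root_password!p}\"@{db_host}' AS SYSDBA`. Both branches still put the password on the client's command line, where it is visible in the process list while the check runs, so passing it through stdin or a protected options file would be safer. `cmd` is also left unbound for any `db_flavor` outside the four listed (this commit handles `sqla` elsewhere), which would surface as a NameError instead of a clear `Fail`.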
@@ -0,0 +1,853 @@ +#!/usr/bin/env python +""" +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +""" +import os +import re +from resource_management.libraries.script import Script +from resource_management.libraries.functions.default import default +from resource_management.core.logger import Logger +from resource_management.core.resources.system import File, Directory, Execute, Link +from resource_management.core.source import DownloadSource, InlineTemplate, Template +from resource_management.libraries.resources.xml_config import XmlConfig +from resource_management.libraries.resources.modify_properties_file import ModifyPropertiesFile +from resource_management.libraries.resources.properties_file import PropertiesFile +from resource_management.core.exceptions import Fail +from resource_management.libraries.functions.decorator import retry +from resource_management.libraries.functions.format import format +from resource_management.libraries.functions.is_empty import is_empty +from resource_management.core.utils import PasswordString +from resource_management.core.shell import as_sudo +from resource_management.libraries.functions import solr_cloud_util +from ambari_commons.constants import UPGRADE_TYPE_NON_ROLLING, UPGRADE_TYPE_ROLLING +from 
resource_management.core.exceptions import ExecutionFailed + +# This file contains functions used for setup/configure of Ranger Admin and Ranger Usersync. +# The design is to mimic what is done by the setup.sh script bundled by Ranger component currently. + +def ranger(name=None, upgrade_type=None): + """ + parameter name: name of ranger service component + """ + if name == 'ranger_admin': + setup_ranger_admin(upgrade_type=upgrade_type) + + if name == 'ranger_usersync': + setup_usersync(upgrade_type=upgrade_type) + + if name == 'ranger_tagsync': + setup_tagsync(upgrade_type=upgrade_type) + +def setup_ranger_admin(upgrade_type=None): + import params + + if upgrade_type is None: + upgrade_type = Script.get_upgrade_type(default("/commandParams/upgrade_type", "")) + + ranger_home = params.ranger_home + ranger_conf = params.ranger_conf + + Directory(ranger_conf, + owner = params.unix_user, + group = params.unix_group, + create_parents = True + ) + + copy_jdbc_connector() + + File(format("/usr/lib/ambari-agent/{check_db_connection_jar_name}"), + content = DownloadSource(format("{jdk_location}{check_db_connection_jar_name}")), + mode = 0644, + ) + + cp = format("{check_db_connection_jar}") + if params.db_flavor.lower() == 'sqla': + cp = cp + os.pathsep + format("{ranger_home}/ews/lib/sajdbc4.jar") + else: + cp = cp + os.pathsep + format("{driver_curl_target}") + cp = cp + os.pathsep + format("{ranger_home}/ews/lib/*") + + db_connection_check_command = format( + "{java_home}/bin/java -cp {cp} org.apache.ambari.server.DBConnectionVerification '{ranger_jdbc_connection_url}' {ranger_db_user} {ranger_db_password!p} {ranger_jdbc_driver}") + + env_dict = {} + if params.db_flavor.lower() == 'sqla': + env_dict = {'LD_LIBRARY_PATH':params.ld_lib_path} + + Execute(db_connection_check_command, path='/usr/sbin:/sbin:/usr/local/bin:/bin:/usr/bin', tries=5, try_sleep=10, environment=env_dict) + + Execute(('ln','-sf', format('{ranger_home}/ews/webapp/WEB-INF/classes/conf'), 
format('{ranger_home}/conf')), + not_if=format("ls {ranger_home}/conf"), + only_if=format("ls {ranger_home}/ews/webapp/WEB-INF/classes/conf"), + sudo=True) + + if upgrade_type is not None: + src_file = format('{ranger_home}/ews/webapp/WEB-INF/classes/conf.dist/ranger-admin-default-site.xml') + dst_file = format('{ranger_home}/conf/ranger-admin-default-site.xml') + Execute(('cp', '-f', src_file, dst_file), sudo=True) + + src_file = format('{ranger_home}/ews/webapp/WEB-INF/classes/conf.dist/security-applicationContext.xml') + dst_file = format('{ranger_home}/conf/security-applicationContext.xml') + + Execute(('cp', '-f', src_file, dst_file), sudo=True) + + Directory(format('{ranger_home}/'), + owner = params.unix_user, + group = params.unix_group, + recursive_ownership = True, + ) + + Directory(params.ranger_pid_dir, + mode=0755, + owner = params.unix_user, + group = params.user_group, + cd_access = "a", + create_parents=True + ) + + if params.stack_supports_pid: + File(format('{ranger_conf}/ranger-admin-env-piddir.sh'), + content = format("export RANGER_PID_DIR_PATH={ranger_pid_dir}\nexport RANGER_USER={unix_user}"), + owner = params.unix_user, + group = params.unix_group, + mode=0755 + ) + + Directory(params.admin_log_dir, + owner = params.unix_user, + group = params.unix_group, + create_parents = True, + cd_access='a', + mode=0755 + ) + + File(format('{ranger_conf}/ranger-admin-env-logdir.sh'), + content = format("export RANGER_ADMIN_LOG_DIR={admin_log_dir}"), + owner = params.unix_user, + group = params.unix_group, + mode=0755 + ) + + if os.path.isfile(params.ranger_admin_default_file): + File(params.ranger_admin_default_file, owner=params.unix_user, group=params.unix_group) + else: + Logger.warning('Required file {0} does not exist, copying the file to {1} path'.format(params.ranger_admin_default_file, ranger_conf)) + src_file = format('{ranger_home}/ews/webapp/WEB-INF/classes/conf.dist/ranger-admin-default-site.xml') + dst_file = 
format('{ranger_home}/conf/ranger-admin-default-site.xml') + Execute(('cp', '-f', src_file, dst_file), sudo=True) + File(params.ranger_admin_default_file, owner=params.unix_user, group=params.unix_group) + + if os.path.isfile(params.security_app_context_file): + File(params.security_app_context_file, owner=params.unix_user, group=params.unix_group) + else: + Logger.warning('Required file {0} does not exist, copying the file to {1} path'.format(params.security_app_context_file, ranger_conf)) + src_file = format('{ranger_home}/ews/webapp/WEB-INF/classes/conf.dist/security-applicationContext.xml') + dst_file = format('{ranger_home}/conf/security-applicationContext.xml') + Execute(('cp', '-f', src_file, dst_file), sudo=True) + File(params.security_app_context_file, owner=params.unix_user, group=params.unix_group) + + if upgrade_type is not None and params.stack_supports_config_versioning: + if os.path.islink('/usr/bin/ranger-admin'): + Link('/usr/bin/ranger-admin', action="delete") + + Link('/usr/bin/ranger-admin', + to=format('{ranger_home}/ews/ranger-admin-services.sh')) + + if default("/configurations/ranger-admin-site/ranger.authentication.method", "") == 'PAM': + d = '/etc/pam.d' + if os.path.isdir(d): + if os.path.isfile(os.path.join(d, 'ranger-admin')): + Logger.info('ranger-admin PAM file already exists.') + else: + File(format('{d}/ranger-admin'), + content=Template('ranger_admin_pam.j2'), + owner = params.unix_user, + group = params.unix_group, + mode=0644 + ) + if os.path.isfile(os.path.join(d, 'ranger-remote')): + Logger.info('ranger-remote PAM file already exists.') + else: + File(format('{d}/ranger-remote'), + content=Template('ranger_remote_pam.j2'), + owner = params.unix_user, + group = params.unix_group, + mode=0644 + ) + else: + Logger.error("Unable to use PAM authentication, /etc/pam.d/ directory does not exist.") + + Execute(('ln','-sf', format('{ranger_home}/ews/ranger-admin-services.sh'),'/usr/bin/ranger-admin'), + not_if=format("ls 
/usr/bin/ranger-admin"), + only_if=format("ls {ranger_home}/ews/ranger-admin-services.sh"), + sudo=True) + + # remove plain-text password from xml configs + + ranger_admin_site_copy = {} + ranger_admin_site_copy.update(params.config['configurations']['ranger-admin-site']) + for prop in params.ranger_admin_password_properties: + if prop in ranger_admin_site_copy: + ranger_admin_site_copy[prop] = "_" + + XmlConfig("ranger-admin-site.xml", + conf_dir=ranger_conf, + configurations=ranger_admin_site_copy, + configuration_attributes=params.config['configuration_attributes']['ranger-admin-site'], + owner=params.unix_user, + group=params.unix_group, + mode=0644) + + Directory(os.path.join(ranger_conf,'ranger_jaas'), + mode=0700, + owner=params.unix_user, + group=params.unix_group, + ) + + if params.stack_supports_ranger_log4j: + File(format('{ranger_home}/ews/webapp/WEB-INF/log4j.properties'), + owner=params.unix_user, + group=params.unix_group, + content=InlineTemplate(params.admin_log4j), + mode=0644 + ) + + do_keystore_setup(upgrade_type=upgrade_type) + + create_core_site_xml(ranger_conf) + + if params.stack_supports_ranger_kerberos and params.security_enabled: + if params.is_hbase_ha_enabled and params.ranger_hbase_plugin_enabled: + XmlConfig("hbase-site.xml", + conf_dir=ranger_conf, + configurations=params.config['configurations']['hbase-site'], + configuration_attributes=params.config['configuration_attributes']['hbase-site'], + owner=params.unix_user, + group=params.unix_group, + mode=0644 + ) + + if params.is_namenode_ha_enabled and params.ranger_hdfs_plugin_enabled: + XmlConfig("hdfs-site.xml", + conf_dir=ranger_conf, + configurations=params.config['configurations']['hdfs-site'], + configuration_attributes=params.config['configuration_attributes']['hdfs-site'], + owner=params.unix_user, + group=params.unix_group, + mode=0644 + ) + +def setup_ranger_db(stack_version=None): + import params + + ranger_home = params.ranger_home + version = params.version + if 
stack_version is not None: + ranger_home = format("{stack_root}/{stack_version}/ranger-admin") + version = stack_version + + copy_jdbc_connector(stack_version=version) + + ModifyPropertiesFile(format("{ranger_home}/install.properties"), + properties = {'audit_store': params.ranger_audit_source_type}, + owner = params.unix_user, + ) + + env_dict = {'RANGER_ADMIN_HOME':ranger_home, 'JAVA_HOME':params.java_home} + if params.db_flavor.lower() == 'sqla': + env_dict = {'RANGER_ADMIN_HOME':ranger_home, 'JAVA_HOME':params.java_home, 'LD_LIBRARY_PATH':params.ld_lib_path} + + # User wants us to setup the DB user and DB? + if params.create_db_dbuser: + Logger.info('Setting up Ranger DB and DB User') + dba_setup = format('ambari-python-wrap {ranger_home}/dba_script.py -q') + Execute(dba_setup, + environment=env_dict, + logoutput=True, + user=params.unix_user, + ) + else: + Logger.info('Separate DBA property not set. Assuming Ranger DB and DB User exists!') + + db_setup = format('ambari-python-wrap {ranger_home}/db_setup.py') + Execute(db_setup, + environment=env_dict, + logoutput=True, + user=params.unix_user, + ) + + +def setup_java_patch(stack_version=None): + import params + + ranger_home = params.ranger_home + if stack_version is not None: + ranger_home = format("{stack_root}/{stack_version}/ranger-admin") + + env_dict = {'RANGER_ADMIN_HOME':ranger_home, 'JAVA_HOME':params.java_home} + if params.db_flavor.lower() == 'sqla': + env_dict = {'RANGER_ADMIN_HOME':ranger_home, 'JAVA_HOME':params.java_home, 'LD_LIBRARY_PATH':params.ld_lib_path} + + setup_java_patch = format('ambari-python-wrap {ranger_home}/db_setup.py -javapatch') + Execute(setup_java_patch, + environment=env_dict, + logoutput=True, + user=params.unix_user, + ) + + +def do_keystore_setup(upgrade_type=None): + import params + + ranger_home = params.ranger_home + cred_lib_path = params.cred_lib_path + + if not is_empty(params.ranger_credential_provider_path): + ranger_credential_helper(cred_lib_path, 
params.ranger_jpa_jdbc_credential_alias, params.ranger_ambari_db_password, params.ranger_credential_provider_path) + + File(params.ranger_credential_provider_path, + owner = params.unix_user, + group = params.unix_group, + mode = 0640 + ) + + if not is_empty(params.ranger_credential_provider_path) and (params.ranger_audit_source_type).lower() == 'db' and not is_empty(params.ranger_ambari_audit_db_password): + ranger_credential_helper(cred_lib_path, params.ranger_jpa_audit_jdbc_credential_alias, params.ranger_ambari_audit_db_password, params.ranger_credential_provider_path) + + File(params.ranger_credential_provider_path, + owner = params.unix_user, + group = params.unix_group, + mode = 0640 + ) + + if params.ranger_auth_method.upper() == "LDAP": + ranger_credential_helper(params.cred_lib_path, params.ranger_ldap_password_alias, params.ranger_usersync_ldap_ldapbindpassword, params.ranger_credential_provider_path) + + File(params.ranger_credential_provider_path, + owner = params.unix_user, + group = params.unix_group, + mode = 0640 + ) + + if params.ranger_auth_method.upper() == "ACTIVE_DIRECTORY": + ranger_credential_helper(params.cred_lib_path, params.ranger_ad_password_alias, params.ranger_usersync_ldap_ldapbindpassword, params.ranger_credential_provider_path) + + File(params.ranger_credential_provider_path, + owner = params.unix_user, + group = params.unix_group, + mode = 0640 + ) + + if params.stack_supports_secure_ssl_password: + ranger_credential_helper(params.cred_lib_path, params.ranger_truststore_alias, params.truststore_password, params.ranger_credential_provider_path) + + if params.https_enabled and not params.http_enabled: + ranger_credential_helper(params.cred_lib_path, params.ranger_https_keystore_alias, params.https_keystore_password, params.ranger_credential_provider_path) + + File(params.ranger_credential_provider_path, + owner = params.unix_user, + group = params.unix_group, + mode = 0640 + ) + +def password_validation(password): + import params + 
if password.strip() == "": + raise Fail("Blank password is not allowed for Bind user. Please enter valid password.") + if re.search("[\\\`'\"]",password): + raise Fail("LDAP/AD bind password contains one of the unsupported special characters like \" ' \ `") + else: + Logger.info("password validated") + +def copy_jdbc_connector(stack_version=None): + import params + + if params.jdbc_jar_name is None and params.driver_curl_source.endswith("/None"): + error_message = format("{db_flavor} jdbc driver cannot be downloaded from {jdk_location}\nPlease run 'ambari-server setup --jdbc-db={db_flavor} --jdbc-driver={{path_to_jdbc}}' on ambari-server host.") + raise Fail(error_message) + + if params.driver_curl_source and not params.driver_curl_source.endswith("/None"): + if params.previous_jdbc_jar and os.path.isfile(params.previous_jdbc_jar): + File(params.previous_jdbc_jar, action='delete') + + File(params.downloaded_custom_connector, + content = DownloadSource(params.driver_curl_source), + mode = 0644 + ) + + ranger_home = params.ranger_home + if stack_version is not None: + ranger_home = format("{stack_root}/{stack_version}/ranger-admin") + + driver_curl_target = format("{ranger_home}/ews/lib/{jdbc_jar_name}") + + if params.db_flavor.lower() == 'sqla': + Execute(('tar', '-xvf', params.downloaded_custom_connector, '-C', params.tmp_dir), sudo = True) + + Execute(('cp', '--remove-destination', params.jar_path_in_archive, os.path.join(ranger_home, 'ews', 'lib')), + path=["/bin", "/usr/bin/"], + sudo=True) + + File(os.path.join(ranger_home, 'ews', 'lib', 'sajdbc4.jar'), mode=0644) + + Directory(params.jdbc_libs_dir, + cd_access="a", + create_parents=True) + + Execute(as_sudo(['yes', '|', 'cp', params.libs_path_in_archive, params.jdbc_libs_dir], auto_escape=False), + path=["/bin", "/usr/bin/"]) + else: + Execute(('cp', '--remove-destination', params.downloaded_custom_connector, os.path.join(ranger_home, 'ews', 'lib')), + path=["/bin", "/usr/bin/"], + sudo=True) + + 
File(os.path.join(ranger_home, 'ews', 'lib',params.jdbc_jar_name), mode=0644) + + ModifyPropertiesFile(format("{ranger_home}/install.properties"), + properties = params.config['configurations']['admin-properties'], + owner = params.unix_user, + ) + + if params.db_flavor.lower() == 'sqla': + ModifyPropertiesFile(format("{ranger_home}/install.properties"), + properties = {'SQL_CONNECTOR_JAR': format('{ranger_home}/ews/lib/sajdbc4.jar')}, + owner = params.unix_user, + ) + else: + ModifyPropertiesFile(format("{ranger_home}/install.properties"), + properties = {'SQL_CONNECTOR_JAR': format('{driver_curl_target}')}, + owner = params.unix_user, + ) + +def setup_usersync(upgrade_type=None): + import params + + usersync_home = params.usersync_home + ranger_home = params.ranger_home + ranger_ugsync_conf = params.ranger_ugsync_conf + + if not is_empty(params.ranger_usersync_ldap_ldapbindpassword) and params.ug_sync_source == 'org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder': + password_validation(params.ranger_usersync_ldap_ldapbindpassword) + + Directory(params.ranger_pid_dir, + mode=0755, + owner = params.unix_user, + group = params.user_group, + cd_access = "a", + create_parents=True + ) + + if params.stack_supports_pid: + File(format('{ranger_ugsync_conf}/ranger-usersync-env-piddir.sh'), + content = format("export USERSYNC_PID_DIR_PATH={ranger_pid_dir}\nexport UNIX_USERSYNC_USER={unix_user}"), + owner = params.unix_user, + group = params.unix_group, + mode=0755 + ) + + Directory(params.usersync_log_dir, + owner = params.unix_user, + group = params.unix_group, + cd_access = 'a', + create_parents=True, + mode=0755, + recursive_ownership = True + ) + + File(format('{ranger_ugsync_conf}/ranger-usersync-env-logdir.sh'), + content = format("export logdir={usersync_log_dir}"), + owner = params.unix_user, + group = params.unix_group, + mode=0755 + ) + + Directory(format("{ranger_ugsync_conf}/"), + owner = params.unix_user + ) + + if upgrade_type is not None: + src_file 
= format('{usersync_home}/conf.dist/ranger-ugsync-default.xml') + dst_file = format('{usersync_home}/conf/ranger-ugsync-default.xml') + Execute(('cp', '-f', src_file, dst_file), sudo=True) + + if params.stack_supports_ranger_log4j: + File(format('{usersync_home}/conf/log4j.properties'), + owner=params.unix_user, + group=params.unix_group, + content=InlineTemplate(params.usersync_log4j), + mode=0644 + ) + elif upgrade_type is not None and not params.stack_supports_ranger_log4j: + src_file = format('{usersync_home}/conf.dist/log4j.xml') + dst_file = format('{usersync_home}/conf/log4j.xml') + Execute(('cp', '-f', src_file, dst_file), sudo=True) + + # remove plain-text password from xml configs + ranger_ugsync_site_copy = {} + ranger_ugsync_site_copy.update(params.config['configurations']['ranger-ugsync-site']) + for prop in params.ranger_usersync_password_properties: + if prop in ranger_ugsync_site_copy: + ranger_ugsync_site_copy[prop] = "_" + + XmlConfig("ranger-ugsync-site.xml", + conf_dir=ranger_ugsync_conf, + configurations=ranger_ugsync_site_copy, + configuration_attributes=params.config['configuration_attributes']['ranger-ugsync-site'], + owner=params.unix_user, + group=params.unix_group, + mode=0644) + + if os.path.isfile(params.ranger_ugsync_default_file): + File(params.ranger_ugsync_default_file, owner=params.unix_user, group=params.unix_group) + + if os.path.isfile(params.usgsync_log4j_file): + File(params.usgsync_log4j_file, owner=params.unix_user, group=params.unix_group) + + if os.path.isfile(params.cred_validator_file): + File(params.cred_validator_file, group=params.unix_group, mode=04555) + + ranger_credential_helper(params.ugsync_cred_lib, 'usersync.ssl.key.password', params.ranger_usersync_keystore_password, params.ugsync_jceks_path) + + if not is_empty(params.ranger_usersync_ldap_ldapbindpassword) and params.ug_sync_source == 'org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder': + ranger_credential_helper(params.ugsync_cred_lib, 
'ranger.usersync.ldap.bindalias', params.ranger_usersync_ldap_ldapbindpassword, params.ugsync_jceks_path) + + ranger_credential_helper(params.ugsync_cred_lib, 'usersync.ssl.truststore.password', params.ranger_usersync_truststore_password, params.ugsync_jceks_path) + + File(params.ugsync_jceks_path, + owner = params.unix_user, + group = params.unix_group, + mode = 0640 + ) + + File([params.usersync_start, params.usersync_stop], + owner = params.unix_user, + group = params.unix_group + ) + + File(params.usersync_services_file, + mode = 0755, + ) + + Execute(('ln','-sf', format('{usersync_services_file}'),'/usr/bin/ranger-usersync'), + not_if=format("ls /usr/bin/ranger-usersync"), + only_if=format("ls {usersync_services_file}"), + sudo=True) + + if not os.path.isfile(params.ranger_usersync_keystore_file): + cmd = format("{java_home}/bin/keytool -genkeypair -keyalg RSA -alias selfsigned -keystore '{ranger_usersync_keystore_file}' -keypass {ranger_usersync_keystore_password!p} -storepass {ranger_usersync_keystore_password!p} -validity 3600 -keysize 2048 -dname '{default_dn_name}'") + + Execute(cmd, logoutput=True, user = params.unix_user) + + File(params.ranger_usersync_keystore_file, + owner = params.unix_user, + group = params.unix_group, + mode = 0640 + ) + + create_core_site_xml(ranger_ugsync_conf) + +def setup_tagsync(upgrade_type=None): + import params + + ranger_tagsync_home = params.ranger_tagsync_home + ranger_home = params.ranger_home + ranger_tagsync_conf = params.ranger_tagsync_conf + + Directory(format("{ranger_tagsync_conf}"), + owner = params.unix_user, + group = params.unix_group, + create_parents = True + ) + + Directory(params.ranger_pid_dir, + mode=0755, + create_parents=True, + owner = params.unix_user, + group = params.user_group, + cd_access = "a", + ) + + if params.stack_supports_pid: + File(format('{ranger_tagsync_conf}/ranger-tagsync-env-piddir.sh'), + content = format("export TAGSYNC_PID_DIR_PATH={ranger_pid_dir}\nexport 
UNIX_TAGSYNC_USER={unix_user}"), + owner = params.unix_user, + group = params.unix_group, + mode=0755 + ) + + Directory(params.tagsync_log_dir, + create_parents = True, + owner = params.unix_user, + group = params.unix_group, + cd_access = "a", + mode=0755 + ) + + File(format('{ranger_tagsync_conf}/ranger-tagsync-env-logdir.sh'), + content = format("export RANGER_TAGSYNC_LOG_DIR={tagsync_log_dir}"), + owner = params.unix_user, + group = params.unix_group, + mode=0755 + ) + + XmlConfig("ranger-tagsync-site.xml", + conf_dir=ranger_tagsync_conf, + configurations=params.config['configurations']['ranger-tagsync-site'], + configuration_attributes=params.config['configuration_attributes']['ranger-tagsync-site'], + owner=params.unix_user, + group=params.unix_group, + mode=0644) + if params.stack_supports_ranger_tagsync_ssl_xml_support: + Logger.info("Stack supports tagsync-ssl configurations, performing the same.") + setup_tagsync_ssl_configs() + else: + Logger.info("Stack doesnt support tagsync-ssl configurations, skipping the same.") + + PropertiesFile(format('{ranger_tagsync_conf}/atlas-application.properties'), + properties = params.tagsync_application_properties, + mode=0755, + owner=params.unix_user, + group=params.unix_group + ) + + File(format('{ranger_tagsync_conf}/log4j.properties'), + owner=params.unix_user, + group=params.unix_group, + content=InlineTemplate(params.tagsync_log4j), + mode=0644 + ) + + File(params.tagsync_services_file, + mode = 0755, + ) + + Execute(('ln','-sf', format('{tagsync_services_file}'),'/usr/bin/ranger-tagsync'), + not_if=format("ls /usr/bin/ranger-tagsync"), + only_if=format("ls {tagsync_services_file}"), + sudo=True) + + create_core_site_xml(ranger_tagsync_conf) + +def ranger_credential_helper(lib_path, alias_key, alias_value, file_path): + import params + + java_bin = format('{java_home}/bin/java') + file_path = format('jceks://file{file_path}') + cmd = (java_bin, '-cp', lib_path, 'org.apache.ranger.credentialapi.buildks', 'create', 
alias_key, '-value', PasswordString(alias_value), '-provider', file_path) + Execute(cmd, environment={'JAVA_HOME': params.java_home}, logoutput=True, sudo=True) + +def create_core_site_xml(conf_dir): + import params + + if params.stack_supports_ranger_kerberos: + if params.has_namenode: + XmlConfig("core-site.xml", + conf_dir=conf_dir, + configurations=params.config['configurations']['core-site'], + configuration_attributes=params.config['configuration_attributes']['core-site'], + owner=params.unix_user, + group=params.unix_group, + mode=0644 + ) + else: + Logger.warning('HDFS service not installed. Creating core-site.xml file.') + XmlConfig("core-site.xml", + conf_dir=conf_dir, + configurations=params.core_site_property, + configuration_attributes={}, + owner=params.unix_user, + group=params.unix_group, + mode=0644 + ) + +def setup_ranger_audit_solr(): + import params + + if params.security_enabled and params.stack_supports_ranger_kerberos: + + if params.solr_jaas_file is not None: + File(format("{solr_jaas_file}"), + content=Template("ranger_solr_jaas_conf.j2"), + owner=params.unix_user + ) + try: + check_znode() + + if params.stack_supports_ranger_solr_configs: + Logger.info('Solr configrations supported,creating solr-configurations.') + File(format("{ranger_solr_conf}/solrconfig.xml"), + content=InlineTemplate(params.ranger_solr_config_content), + owner=params.unix_user, + group=params.unix_group, + mode=0644 + ) + + solr_cloud_util.upload_configuration_to_zk( + zookeeper_quorum = params.zookeeper_quorum, + solr_znode = params.solr_znode, + config_set = params.ranger_solr_config_set, + config_set_dir = params.ranger_solr_conf, + tmp_dir = params.tmp_dir, + java64_home = params.java_home, + solrconfig_content = InlineTemplate(params.ranger_solr_config_content), + jaas_file=params.solr_jaas_file, + retry=30, interval=5 + ) + + else: + Logger.info('Solr configrations not supported, skipping solr-configurations.') + solr_cloud_util.upload_configuration_to_zk( + 
zookeeper_quorum = params.zookeeper_quorum, + solr_znode = params.solr_znode, + config_set = params.ranger_solr_config_set, + config_set_dir = params.ranger_solr_conf, + tmp_dir = params.tmp_dir, + java64_home = params.java_home, + jaas_file=params.solr_jaas_file, + retry=30, interval=5) + + if params.security_enabled and params.has_infra_solr \ + and not params.is_external_solrCloud_enabled and params.stack_supports_ranger_kerberos: + + solr_cloud_util.add_solr_roles(params.config, + roles = [params.infra_solr_role_ranger_admin, params.infra_solr_role_ranger_audit, params.infra_solr_role_dev], + new_service_principals = [params.ranger_admin_jaas_principal]) + service_default_principals_map = [('hdfs', 'nn'), ('hbase', 'hbase'), ('hive', 'hive'), ('kafka', 'kafka'), ('kms', 'rangerkms'), + ('knox', 'knox'), ('nifi', 'nifi'), ('storm', 'storm'), ('yanr', 'yarn')] + service_principals = get_ranger_plugin_principals(service_default_principals_map) + solr_cloud_util.add_solr_roles(params.config, + roles = [params.infra_solr_role_ranger_audit, params.infra_solr_role_dev], + new_service_principals = service_principals) + + + solr_cloud_util.create_collection( + zookeeper_quorum = params.zookeeper_quorum, + solr_znode = params.solr_znode, + collection = params.ranger_solr_collection_name, + config_set = params.ranger_solr_config_set, + java64_home = params.java_home, + shards = params.ranger_solr_shards, + replication_factor = int(params.replication_factor), + jaas_file = params.solr_jaas_file) + + if params.security_enabled and params.has_infra_solr \ + and not params.is_external_solrCloud_enabled and params.stack_supports_ranger_kerberos: + secure_znode(format('{solr_znode}/configs/{ranger_solr_config_set}'), params.solr_jaas_file) + secure_znode(format('{solr_znode}/collections/{ranger_solr_collection_name}'), params.solr_jaas_file) + except ExecutionFailed as execution_exception: + Logger.error('Error when configuring Solr for Ranger, Kindly check Solr/Zookeeper 
services to be up and running:\n {0}'.format(execution_exception)) + +def setup_ranger_admin_passwd_change(): + import params + + if params.admin_password != params.default_admin_password: + cmd = format('ambari-python-wrap {ranger_home}/db_setup.py -changepassword {admin_username} {default_admin_password!p} {admin_password!p}') + Logger.info('Updating admin password') + Execute(cmd, environment={'JAVA_HOME': params.java_home, 'RANGER_ADMIN_HOME': params.ranger_home}, user=params.unix_user) + +@retry(times=10, sleep_time=5, err_class=Fail) +def check_znode(): + import params + solr_cloud_util.check_znode( + zookeeper_quorum=params.zookeeper_quorum, + solr_znode=params.solr_znode, + java64_home=params.java_home) + +def secure_znode(znode, jaasFile): + import params + solr_cloud_util.secure_znode(config=params.config, zookeeper_quorum=params.zookeeper_quorum, + solr_znode=znode, + jaas_file=jaasFile, + java64_home=params.java_home, sasl_users=[params.ranger_admin_jaas_principal]) + +def get_ranger_plugin_principals(services_defaults_tuple_list): + """ + Get ranger plugin user principals from service-default value maps using ranger-*-audit configurations + """ + import params + user_principals = [] + if len(services_defaults_tuple_list) < 1: + raise Exception("Services - defaults map parameter is missing.") + + for (service, default_value) in services_defaults_tuple_list: + user_principal = default(format("configurations/ranger-{service}-audit/xasecure.audit.jaas.Client.option.principal"), default_value) + user_principals.append(user_principal) + return user_principals + + +def setup_tagsync_ssl_configs(): + import params + Directory(params.security_store_path, + cd_access="a", + create_parents=True) + + Directory(params.tagsync_etc_path, + cd_access="a", + owner=params.unix_user, + group=params.unix_group, + mode=0775, + create_parents=True) + + # remove plain-text password from xml configs + ranger_tagsync_policymgr_ssl_copy = {} + 
ranger_tagsync_policymgr_ssl_copy.update(params.config['configurations']['ranger-tagsync-policymgr-ssl']) + for prop in params.ranger_tagsync_password_properties: + if prop in ranger_tagsync_policymgr_ssl_copy: + ranger_tagsync_policymgr_ssl_copy[prop] = "_" + + XmlConfig("ranger-policymgr-ssl.xml", + conf_dir=params.ranger_tagsync_conf, + configurations=ranger_tagsync_policymgr_ssl_copy, + configuration_attributes=params.config['configuration_attributes']['ranger-tagsync-policymgr-ssl'], + owner=params.unix_user, + group=params.unix_group, + mode=0644) + + ranger_credential_helper(params.tagsync_cred_lib, 'sslKeyStore', params.ranger_tagsync_keystore_password, params.ranger_tagsync_credential_file) + ranger_credential_helper(params.tagsync_cred_lib, 'sslTrustStore', params.ranger_tagsync_truststore_password, params.ranger_tagsync_credential_file) + + File(params.ranger_tagsync_credential_file, + owner = params.unix_user, + group = params.unix_group, + mode = 0640 + ) + + # remove plain-text password from xml configs + atlas_tagsync_ssl_copy = {} + atlas_tagsync_ssl_copy.update(params.config['configurations']['atlas-tagsync-ssl']) + for prop in params.ranger_tagsync_password_properties: + if prop in atlas_tagsync_ssl_copy: + atlas_tagsync_ssl_copy[prop] = "_" + + XmlConfig("atlas-tagsync-ssl.xml", + conf_dir=params.ranger_tagsync_conf, + configurations=atlas_tagsync_ssl_copy, + configuration_attributes=params.config['configuration_attributes']['atlas-tagsync-ssl'], + owner=params.unix_user, + group=params.unix_group, + mode=0644) + + ranger_credential_helper(params.tagsync_cred_lib, 'sslKeyStore', params.atlas_tagsync_keystore_password, params.atlas_tagsync_credential_file) + ranger_credential_helper(params.tagsync_cred_lib, 'sslTrustStore', params.atlas_tagsync_truststore_password, params.atlas_tagsync_credential_file) + + File(params.atlas_tagsync_credential_file, + owner = params.unix_user, + group = params.unix_group, + mode = 0640 + ) + 
Logger.info("Configuring tagsync-ssl configurations done successfully.") http://git-wip-us.apache.org/repos/asf/ambari/blob/260ee2ef/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/status_params.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/status_params.py b/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/status_params.py new file mode 100644 index 0000000..842430b --- /dev/null +++ b/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/status_params.py 
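Review bot: In `setup_ranger_audit_solr`, the last entry of `service_default_principals_map` is spelled `('yanr', 'yarn')`, so `get_ranger_plugin_principals` looks up `configurations/ranger-yanr-audit/xasecure.audit.jaas.Client.option.principal`, a config type that presumably does not exist. The lookup would then always fall back to the default `yarn`, so a customised YARN plugin audit principal would never reach `solr_cloud_util.add_solr_roles` and would be left without the Ranger audit role on Infra Solr. The entry should read `('yarn', 'yarn')`. A short comment above the list, saying that the first element is the `ranger-<service>-audit` config-type infix and the second the fallback principal, would make this kind of slip easier to spot.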
@@ -0,0 +1,39 @@
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+
+from resource_management.libraries.script import Script
+from resource_management.libraries.functions.format import format
+from resource_management.libraries.functions.default import default
+from resource_management.libraries.functions.version import format_stack_version
+from resource_management.libraries.functions.stack_features import check_stack_feature
+from resource_management.libraries.functions import StackFeature
+
+config = Script.get_config()
+tmp_dir = Script.get_tmp_dir()
+
+upgrade_marker_file = format("{tmp_dir}/rangeradmin_ru.inprogress")
+ranger_pid_dir = config['configurations']['ranger-env']['ranger_pid_dir']
+tagsync_pid_file = format('{ranger_pid_dir}/tagsync.pid')
+stack_name = default("/hostLevelParams/stack_name", None)
+stack_version_unformatted = config['hostLevelParams']['stack_version']
+stack_version_formatted = format_stack_version(stack_version_unformatted)
+ranger_admin_pid_file = format('{ranger_pid_dir}/rangeradmin.pid')
+ranger_usersync_pid_file = format('{ranger_pid_dir}/usersync.pid')
+stack_supports_pid = stack_version_formatted and check_stack_feature(StackFeature.RANGER_PID_SUPPORT, stack_version_formatted)
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ambari/blob/260ee2ef/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/upgrade.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/upgrade.py b/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/upgrade.py
new file mode 100644
index 0000000..a07a1fd
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/scripts/upgrade.py
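Review bot: In status_params.py, `stack_version_unformatted = config['hostLevelParams']['stack_version']` indexes the command JSON directly, while the line above it reads `stack_name` through `default("/hostLevelParams/stack_name", None)`; if this module is evaluated for a command that carries no `hostLevelParams/stack_version`, the import fails with a KeyError before any status check runs. Reading it as `default("/hostLevelParams/stack_version", None)` would match the neighbouring line, provided `format_stack_version` accepts None (not visible here, to be confirmed). `stack_supports_pid` also ends up holding whatever falsy value `stack_version_formatted` has rather than a bool; wrapping the expression in `bool(...)` makes the flag's type predictable for callers.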
@@ -0,0 +1,31 @@
+
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+from resource_management.core.resources.system import Execute
+from resource_management.libraries.functions import conf_select
+from resource_management.libraries.functions import stack_select
+from resource_management.libraries.functions.format import format
+
+def prestart(env, stack_component):
+ import params
+
+ if params.version and params.stack_supports_rolling_upgrade:
+ conf_select.select(params.stack_name, stack_component, params.version)
+ stack_select.select(stack_component, params.version)
http://git-wip-us.apache.org/repos/asf/ambari/blob/260ee2ef/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/templates/input.config-ranger.json.j2
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/templates/input.config-ranger.json.j2 b/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/templates/input.config-ranger.json.j2
new file mode 100644
index 0000000..6c5bb1f
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/templates/input.config-ranger.json.j2
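Review bot: upgrade.py starts with an empty line, so `#!/usr/bin/env python` sits on line 2 and is not an interpreter directive; the blank first line should be dropped (status_params.py in this commit has the shebang on line 1). `Execute` and `format` are imported but not used anywhere in the file as added, so both import lines can go. `prestart` has no docstring; something like `"""Run conf-select and stack-select for stack_component at params.version when a rolling upgrade is supported."""` would state what the two calls are for.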
@@ -0,0 +1,79 @@
+{#
+ # Licensed to the Apache Software Foundation (ASF) under one
+ # or more contributor license agreements. See the NOTICE file
+ # distributed with this work for additional information
+ # regarding copyright ownership. The ASF licenses this file
+ # to you under the Apache License, Version 2.0 (the
+ # "License"); you may not use this file except in compliance
+ # with the License. You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+ #}
+{
+ "input":[
+ {
+ "type":"ranger_admin",
+ "rowtype":"service",
+ "path":"{{default('/configurations/ranger-env/ranger_admin_log_dir', '/var/log/ranger/admin')}}/xa_portal.log"
+ },
+ {
+ "type":"ranger_dbpatch",
+ "is_enabled":"true",
+ "path":"{{default('/configurations/ranger-env/ranger_admin_log_dir', '/var/log/ranger/admin')}}/ranger_db_patch.log"
+ },
+ {
+ "type":"ranger_usersync",
+ "rowtype":"service",
+ "path":"{{default('/configurations/ranger-env/ranger_usersync_log_dir', '/var/log/ranger/usersync')}}/usersync.log"
+ }
+ ],
+ "filter":[
+ {
+ "filter":"grok",
+ "conditions":{
+ "fields":{
+ "type":[
+ "ranger_admin",
+ "ranger_dbpatch"
+ ]
+ }
+ },
+ "log4j_format":"%d [%t] %-5p %C{6} (%F:%L) - %m%n",
+ "multiline_pattern":"^(%{TIMESTAMP_ISO8601:logtime})",
+ "message_pattern":"(?m)^%{TIMESTAMP_ISO8601:logtime}%{SPACE}\\[%{DATA:thread_name}\\]%{SPACE}%{LOGLEVEL:level}%{SPACE}%{JAVACLASS:logger_name}%{SPACE}\\(%{JAVAFILE:file}:%{INT:line_number}\\)%{SPACE}-%{SPACE}%{GREEDYDATA:log_message}",
+ "post_map_values":{
+ "logtime":{
+ "map_date":{
+ "target_date_pattern":"yyyy-MM-dd HH:mm:ss,SSS"
+ }
+ }
+ }
+ },
+ {
+ "filter":"grok",
+ "conditions":{
+ "fields":{
+ "type":[
+ "ranger_usersync"
+ ]
+ }
+ },
+ "log4j_format":"%d{dd MMM yyyy HH:mm:ss} %5p %c{1} [%t] - %m%n",
+ "multiline_pattern":"^(%{USER_SYNC_DATE:logtime})",
+ "message_pattern":"(?m)^%{USER_SYNC_DATE:logtime}%{SPACE}%{LOGLEVEL:level}%{SPACE}%{JAVACLASS:logger_name}%{SPACE}\\[%{DATA:thread_name}\\]%{SPACE}-%{SPACE}%{GREEDYDATA:log_message}",
+ "post_map_values":{
+ "logtime":{
+ "map_date":{
+ "target_date_pattern":"dd MMM yyyy HH:mm:ss"
+ }
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ambari/blob/260ee2ef/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/templates/ranger_admin_pam.j2
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/templates/ranger_admin_pam.j2 b/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/templates/ranger_admin_pam.j2
new file mode 100644
index 0000000..d69ad6c
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/templates/ranger_admin_pam.j2
@@ -0,0 +1,22 @@
+{#
+ # Licensed to the Apache Software Foundation (ASF) under one
+ # or more contributor license agreements. See the NOTICE file
+ # distributed with this work for additional information
+ # regarding copyright ownership. The ASF licenses this file
+ # to you under the Apache License, Version 2.0 (the
+ # "License"); you may not use this file except in compliance
+ # with the License. You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+ #}
+#%PAM-1.0
+auth sufficient pam_unix.so
+auth sufficient pam_sss.so
+account sufficient pam_unix.so
+account sufficient pam_sss.so
http://git-wip-us.apache.org/repos/asf/ambari/blob/260ee2ef/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/templates/ranger_remote_pam.j2
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/templates/ranger_remote_pam.j2 b/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/templates/ranger_remote_pam.j2
new file mode 100644
index 0000000..d69ad6c
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/templates/ranger_remote_pam.j2
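Review bot: Every rule in ranger_admin_pam.j2 is `sufficient` and neither stack ends in an explicit deny, so the result when both modules fail or are unavailable is left to the PAM implementation's default; ending the stacks with `auth required pam_deny.so` and `account required pam_deny.so` makes the fail-closed behaviour explicit. In the account stack, `account sufficient pam_unix.so` is evaluated first, and if it reports success for a directory user the stack ends before `pam_sss.so` can apply its own account checks, which is worth confirming as intended. ranger_remote_pam.j2 in this commit is the same blob (d69ad6c), so the same applies there.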
@@ -0,0 +1,22 @@
+{#
+ # Licensed to the Apache Software Foundation (ASF) under one
+ # or more contributor license agreements. See the NOTICE file
+ # distributed with this work for additional information
+ # regarding copyright ownership. The ASF licenses this file
+ # to you under the Apache License, Version 2.0 (the
+ # "License"); you may not use this file except in compliance
+ # with the License. You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+ #}
+#%PAM-1.0
+auth sufficient pam_unix.so
+auth sufficient pam_sss.so
+account sufficient pam_unix.so
+account sufficient pam_sss.so
http://git-wip-us.apache.org/repos/asf/ambari/blob/260ee2ef/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/templates/ranger_solr_jaas_conf.j2
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/templates/ranger_solr_jaas_conf.j2 b/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/templates/ranger_solr_jaas_conf.j2
new file mode 100644
index 0000000..a456688
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.7.0.3.0/package/templates/ranger_solr_jaas_conf.j2
@@ -0,0 +1,26 @@
+{#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#}
+
+Client {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useKeyTab=true
+ storeKey=true
+ useTicketCache=false
+ keyTab="{{solr_kerberos_keytab}}"
+ principal="{{solr_kerberos_principal}}";
+};
\ No newline at end of file