From esp...@apache.org
Subject [06/35] incubator-hawq git commit: HAWQ-1298. Updated RPS properties and scripts (closes #1109)
Date Sun, 19 Feb 2017 23:07:41 GMT
HAWQ-1298. Updated RPS properties and scripts
(closes #1109)


Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq/commit/8c9b45a4
Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq/tree/8c9b45a4
Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq/diff/8c9b45a4

Branch: refs/heads/2.1.0.0-incubating
Commit: 8c9b45a40ec55bd7ad1589de894962aaf1540f3a
Parents: 23c45c7
Author: Alexander Denissov <adenissov@pivotal.io>
Authored: Tue Jan 31 14:31:06 2017 -0800
Committer: Alexander Denissov <adenissov@pivotal.io>
Committed: Thu Feb 9 11:13:54 2017 -0800

----------------------------------------------------------------------
 ranger-plugin/conf/catalina.properties          |  83 +++
 ranger-plugin/conf/log4j.properties             |  58 +++
 ranger-plugin/conf/ranger-hawq-audit.xml        |  47 ++
 ranger-plugin/conf/ranger-hawq-security.xml     |  85 ++++
 ranger-plugin/conf/rps.properties               |  32 ++
 ranger-plugin/conf/server.xml                   |  38 ++
 ranger-plugin/conf/tomcat-server.xml            |  60 ---
 .../service/tests/common/ServiceTestBase.java   |   5 +-
 ranger-plugin/pom.xml                           |  67 ++-
 ranger-plugin/scripts/catalina.sh               | 507 +++++++++++++++++++
 ranger-plugin/scripts/enable-ranger-plugin.sh   | 225 ++++++++
 ranger-plugin/scripts/register_hawq.sh          | 217 --------
 ranger-plugin/scripts/rps.sh                    |  82 ++-
 ranger-plugin/scripts/rps_env.sh                |  30 --
 ranger-plugin/scripts/setenv.sh                 |  23 +
 ranger-plugin/service/pom.xml                   |  42 +-
 .../authorization/RangerHawqAuthorizer.java     |   6 +-
 .../apache/hawq/ranger/authorization/Utils.java |  17 +-
 .../service/src/main/resources/log4j.properties |  42 --
 .../src/main/resources/ranger-hawq-security.xml |  92 ----
 .../service/src/main/resources/rps.properties   |  17 -
 .../service/src/main/webapp/WEB-INF/web.xml     |  20 +-
 .../hawq/ranger/authorization/UtilsTest.java    |  20 +-
 .../src/test/resources/ranger-hawq-security.xml |  85 ++++
 .../service/src/test/resources/rps.properties   |   4 +-
 25 files changed, 1363 insertions(+), 541 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/8c9b45a4/ranger-plugin/conf/catalina.properties
----------------------------------------------------------------------
diff --git a/ranger-plugin/conf/catalina.properties b/ranger-plugin/conf/catalina.properties
new file mode 100644
index 0000000..7e10ef5
--- /dev/null
+++ b/ranger-plugin/conf/catalina.properties
@@ -0,0 +1,83 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#
+# List of comma-separated packages that start with or equal this string
+# will cause a security exception to be thrown when
+# passed to checkPackageAccess unless the
+# corresponding RuntimePermission ("accessClassInPackage."+package) has
+# been granted.
+package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.jasper.,\
+org.apache.naming.resources.,org.apache.tomcat.,sun.beans.
+#
+# List of comma-separated packages that start with or equal this string
+# will cause a security exception to be thrown when
+# passed to checkPackageDefinition unless the
+# corresponding RuntimePermission ("defineClassInPackage."+package) has
+# been granted.
+#
+# by default, no packages are restricted for definition, and none of
+# the class loaders supplied with the JDK call checkPackageDefinition.
+#
+package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,\
+org.apache.jasper.,org.apache.naming.,org.apache.tomcat.
+
+#
+#
+# List of comma-separated paths defining the contents of the "common"
+# classloader. Prefixes should be used to define what is the repository type.
+# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
+# If left as blank,the JVM system loader will be used as Catalina's "common"
+# loader.
+# Examples:
+#     "foo": Add this folder as a class repository
+#     "foo/*.jar": Add all the JARs of the specified folder as class
+#                  repositories
+#     "foo/bar.jar": Add bar.jar as a class repository
+common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar
+
+#
+# List of comma-separated paths defining the contents of the "server"
+# classloader. Prefixes should be used to define what is the repository type.
+# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
+# If left as blank, the "common" loader will be used as Catalina's "server"
+# loader.
+# Examples:
+#     "foo": Add this folder as a class repository
+#     "foo/*.jar": Add all the JARs of the specified folder as class
+#                  repositories
+#     "foo/bar.jar": Add bar.jar as a class repository
+server.loader=
+
+#
+# List of comma-separated paths defining the contents of the "shared"
+# classloader. Prefixes should be used to define what is the repository type.
+# Path may be relative to the CATALINA_BASE path or absolute. If left as blank,
+# the "common" loader will be used as Catalina's "shared" loader.
+# Examples:
+#     "foo": Add this folder as a class repository
+#     "foo/*.jar": Add all the JARs of the specified folder as class
+#                  repositories
+#     "foo/bar.jar": Add bar.jar as a class repository
+# Please note that for single jars, e.g. bar.jar, you need the URL form
+# starting with file:.
+shared.loader=
+
+#
+# String cache configuration.
+tomcat.util.buf.StringCache.byte.enabled=true
+#tomcat.util.buf.StringCache.char.enabled=true
+#tomcat.util.buf.StringCache.trainThreshold=500000
+#tomcat.util.buf.StringCache.cacheSize=5000

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/8c9b45a4/ranger-plugin/conf/log4j.properties
----------------------------------------------------------------------
diff --git a/ranger-plugin/conf/log4j.properties b/ranger-plugin/conf/log4j.properties
new file mode 100644
index 0000000..ca7cfcd
--- /dev/null
+++ b/ranger-plugin/conf/log4j.properties
@@ -0,0 +1,58 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# log only messages at INFO level and higher
+root.logger=INFO,rps
+audit.logger=INFO,audit
+
+#
+# Loggers
+#
+
+log4j.rootLogger=${root.logger}
+
+log4j.logger.ranger_audit_logger=${audit.logger}
+log4j.additivity.ranger_audit_logger=false
+
+# fine tune verbosity of Hadoop and Ranger libraries logging, if needed
+#log4j.logger.org.apache.ranger=WARN
+#log4j.logger.org.apache.hadoop=WARN
+#log4j.logger.org.apache.hawq.ranger=DEBUG
+
+#
+# Appenders
+#
+
+# console
+log4j.appender.console=org.apache.log4j.ConsoleAppender
+log4j.appender.console.target=System.err
+log4j.appender.console.layout=org.apache.log4j.PatternLayout
+log4j.appender.console.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c{2}: %m%n
+
+# RPS log file
+log4j.appender.rps=org.apache.log4j.DailyRollingFileAppender
+log4j.appender.rps.file=/usr/local/hawq_${hawq.name.version}/ranger/plugin-service/logs/rps.log
+log4j.appender.rps.datePattern='.'yyyy-MM-dd
+log4j.appender.rps.append=true
+log4j.appender.rps.layout=org.apache.log4j.PatternLayout
+log4j.appender.rps.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %C{6}: %m%n
+
+# Ranger Audit log file
+log4j.appender.audit=org.apache.log4j.DailyRollingFileAppender
+log4j.appender.audit.file=/usr/local/hawq_${hawq.name.version}/ranger/plugin-service/logs/audit.log
+log4j.appender.audit.datePattern='.'yyyy-MM-dd
+log4j.appender.audit.append=true
+log4j.appender.audit.layout=org.apache.log4j.PatternLayout
+log4j.appender.audit.layout.ConversionPattern=%m%n
\ No newline at end of file
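Review bot: The `rps` appender's pattern uses `%C{6}`, which makes log4j derive the caller's class from a stack trace on every event, while the `console` appender uses the logger category `%c{2}`. Unless the caller class is really wanted, `log4j.appender.rps.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c{6}: %m%n` usually prints the same name at much lower cost. Separately, `DailyRollingFileAppender` never removes old files, so `rps.log` and `audit.log` grow without bound in the same `logs` directory; a comment saying that retention must be handled outside log4j would help operators avoid losing audit records to a full disk. The `console` appender is defined but referenced by neither logger.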

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/8c9b45a4/ranger-plugin/conf/ranger-hawq-audit.xml
----------------------------------------------------------------------
diff --git a/ranger-plugin/conf/ranger-hawq-audit.xml b/ranger-plugin/conf/ranger-hawq-audit.xml
new file mode 100644
index 0000000..01fe5ab
--- /dev/null
+++ b/ranger-plugin/conf/ranger-hawq-audit.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
+    <!-- HDFS audit provider configuration -->
+    <property>
+        <name>xasecure.audit.destination.hdfs</name>
+        <value>false</value>
+    </property>
+
+    <property>
+        <name>xasecure.audit.destination.hdfs.dir</name>
+        <value>hdfs://localhost:8020/ranger/audit</value>
+    </property>
+
+    <property>
+        <name>xasecure.audit.destination.hdfs.batch.filespool.dir</name>
+        <value>/tmp/audit/hdfs/spool</value>
+    </property>
+
+
+    <!-- Log4j audit provider configuration -->
+    <property>
+        <name>xasecure.audit.destination.log4j</name>
+        <value>true</value>
+    </property>
+
+    <property>
+        <name>xasecure.audit.destination.log4j.logger</name>
+        <value>ranger_audit_logger</value>
+    </property>
+</configuration>
\ No newline at end of file
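Review bot: `xasecure.audit.destination.hdfs.batch.filespool.dir` defaults to `/tmp/audit/hdfs/spool`, a path under the world-writable `/tmp`. Once the HDFS destination is switched on, spooled audit records sit where other local users may be able to pre-create or replace the directory, and where tmp cleaners can delete them. The destination is disabled here, so this only matters on enablement, but the default should already point at a service-owned location, for example `<value>/usr/local/hawq_${hawq.name.version}/ranger/plugin-service/work/audit/hdfs/spool</value>`. The `audit/hdfs/spool` suffix is a suggestion; the `work` directory is created by the pom mappings in this commit. The `hdfs://localhost:8020/ranger/audit` value also deserves a comment saying it must be edited before the HDFS destination is enabled.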

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/8c9b45a4/ranger-plugin/conf/ranger-hawq-security.xml
----------------------------------------------------------------------
diff --git a/ranger-plugin/conf/ranger-hawq-security.xml b/ranger-plugin/conf/ranger-hawq-security.xml
new file mode 100644
index 0000000..0cdc160
--- /dev/null
+++ b/ranger-plugin/conf/ranger-hawq-security.xml
@@ -0,0 +1,85 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+
+<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
+    <property>
+        <name>ranger.plugin.hawq.service.name</name>
+        <value>hawq</value>
+        <description>
+            Name of the Ranger service containing policies for this HAWQ instance
+        </description>
+    </property>
+
+    <property>
+        <name>ranger.plugin.hawq.policy.source.impl</name>
+        <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
+        <description>
+            Class to retrieve policies from the source
+        </description>
+    </property>
+
+    <property>
+        <name>ranger.plugin.hawq.policy.rest.url</name>
+        <value>${policy.manager.url}</value>
+        <description>
+            URL to Ranger Admin
+        </description>
+    </property>
+
+    <property>
+        <name>ranger.plugin.hawq.policy.rest.ssl.config.file</name>
+        <value>ranger-policymgr-ssl.xml</value>
+        <description>
+            Path to the file containing SSL details to contact Ranger Admin
+        </description>
+    </property>
+
+    <property>
+        <name>ranger.plugin.hawq.policy.pollIntervalMs</name>
+        <value>30000</value>
+        <description>
+            How often to poll for changes in policies?
+        </description>
+    </property>
+
+    <property>
+        <name>ranger.plugin.hawq.policy.cache.dir</name>
+        <value>/usr/local/hawq_${hawq.name.version}/ranger/plugin-service/work/policycache</value>
+        <description>
+            Directory where Ranger policies are cached after successful retrieval from the source
+        </description>
+    </property>
+
+    <property>
+        <name>ranger.plugin.hawq.policy.rest.client.connection.timeoutMs</name>
+        <value>120000</value>
+        <description>
+            RangerRESTClient Connection Timeout in Milliseconds
+        </description>
+    </property>
+
+    <property>
+        <name>ranger.plugin.hawq.policy.rest.client.read.timeoutMs</name>
+        <value>30000</value>
+        <description>
+            RangerRESTClient read Timeout in Milliseconds
+        </description>
+    </property>
+</configuration>
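Review bot: `ranger.plugin.hawq.policy.rest.ssl.config.file` names `ranger-policymgr-ssl.xml`, but the diffstat lists no file of that name and it is not among the `ranger/etc` sources added in `ranger-plugin/pom.xml`. An `https://` policy manager URL would therefore presumably run without any truststore configuration; confirm how the Ranger client behaves when the file is absent. Either ship a template of that file next to this one, or state in the `<description>` that the operator must supply it and where it is looked up, since the current text says "Path to the file" while the value is a bare file name. The `pollIntervalMs` description could also name its unit as the two timeout descriptions do, e.g. `Interval in milliseconds between polls for policy changes`.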

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/8c9b45a4/ranger-plugin/conf/rps.properties
----------------------------------------------------------------------
diff --git a/ranger-plugin/conf/rps.properties b/ranger-plugin/conf/rps.properties
new file mode 100644
index 0000000..60545c1
--- /dev/null
+++ b/ranger-plugin/conf/rps.properties
@@ -0,0 +1,32 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# URL for Ranger Admin policy manager, e.g. http://host:port
+POLICY_MGR_URL=
+
+# port where Ranger Plugin Service should listen for HTTP requests
+RPS_HTTP_PORT=8432
+
+# port where Ranger Plugin Service should listen for HTTPS requests
+RPS_HTTPS_PORT=8333
+
+# port where Ranger Plugin Service should listen for shutdown requests
+RPS_SHUTDOWN_PORT=8405
+
+# name of the instance of HAWQ service in Ranger Policy Manager
+RANGER_HAWQ_INSTANCE=hawq
+
+# version of the software
+RPS_VERSION=${project.version}
\ No newline at end of file
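Review bot: The only example given for `POLICY_MGR_URL` is `http://host:port`, yet the policies fetched from that URL are what the service enforces, so the comment should steer operators to TLS: `# URL for Ranger Admin policy manager, e.g. https://host:port (plain http only for test setups)`. `POLICY_MGR_URL` is also left empty, and whether the scripts that read this file reject an empty value is not visible in this hunk, so a line saying it must be set before the service is started would help. `RPS_HTTPS_PORT` is defined while the HTTPS connector in `conf/server.xml` is commented out; its comment should say that nothing listens on that port until the connector is enabled.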

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/8c9b45a4/ranger-plugin/conf/server.xml
----------------------------------------------------------------------
diff --git a/ranger-plugin/conf/server.xml b/ranger-plugin/conf/server.xml
new file mode 100644
index 0000000..7a2ae69
--- /dev/null
+++ b/ranger-plugin/conf/server.xml
@@ -0,0 +1,38 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<Server port="${rps.shutdown.port}" shutdown="7d558327-ef81-48fa-bed2-fc1aaa5bb634">
+
+    <!--APR library loader. Documentation at /docs/apr.html -->
+    <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+
+    <Service name="Catalina">
+        <Connector port="${rps.http.port}" redirectPort="${rps.https.port}" protocol="HTTP/1.1"
+                   maxHttpHeaderSize="8192" enableLookups="false"
+                   acceptCount="100" maxThreads="50" minSpareThreads="5"
+                   connectionTimeout="20000" server="Apache Tomcat" xpoweredBy="false" />
+        <!--
+        <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
+                   maxThreads="150" scheme="https" secure="true"
+                   clientAuth="false" sslProtocol="TLS" />
+        -->
+        <Engine name="Catalina" defaultHost="localhost">
+            <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false"
+                  deployOnStartup="true" xmlValidation="false" xmlNamespaceAware="false" />
+        </Engine>
+    </Service>
+</Server>
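Review bot: The only active `<Connector>` is plain HTTP with no `address` attribute, so Tomcat binds it on every interface. Its `redirectPort="${rps.https.port}"` points at a port nothing listens on, because the commented-out HTTPS connector is hard-coded to `8443`. Whether the web application authenticates its callers is not visible here; if the service is only meant to be called from the local HAWQ master, adding `address="localhost"` to the connector would limit exposure, and the commented template should use `port="${rps.https.port}"` so that enabling it matches `rps.properties`. The `shutdown` string on `<Server>` is a fixed value committed to a public repository, so it is identical on every installation and should not be treated as a secret. A comment saying so, or generating the value at install time, would make that explicit.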

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/8c9b45a4/ranger-plugin/conf/tomcat-server.xml
----------------------------------------------------------------------
diff --git a/ranger-plugin/conf/tomcat-server.xml b/ranger-plugin/conf/tomcat-server.xml
deleted file mode 100644
index 09f9088..0000000
--- a/ranger-plugin/conf/tomcat-server.xml
+++ /dev/null
@@ -1,60 +0,0 @@
-<?xml version='1.0' encoding='utf-8'?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
-
-      http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
--->
-<!-- Note:  A "Server" is not itself a "Container", so you may not
-     define subcomponents such as "Valves" at this level.
-     Documentation at /docs/config/server.html
- -->
-<Server port="8005" shutdown="SHUTDOWN">
-
-  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
-  <Listener className="org.apache.catalina.core.JasperListener" />
-  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
-  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
-  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
-
-  <GlobalNamingResources>
-    <Resource name="UserDatabase" auth="Container"
-              type="org.apache.catalina.UserDatabase"
-              description="User database that can be updated and saved"
-              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
-              pathname="conf/tomcat-users.xml" />
-  </GlobalNamingResources>
-
-  <Service name="Catalina">
-
-    <Connector port="${http.port}" protocol="HTTP/1.1"
-               connectionTimeout="20000"
-               redirectPort="8443" />
-
-    <Engine name="Catalina" defaultHost="localhost">
-
-      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
-             resourceName="UserDatabase"/>
-
-      <Host name="${http.host}"  appBase="webapps"
-            unpackWARs="true" autoDeploy="true"
-            xmlValidation="false" xmlNamespaceAware="false">
-
-        <Context path="/rps"
-                 docBase="/usr/local/hawq/ranger/plugin-service/webapps/rps"
-                 reloadable="false" debug="0" cookies="false"></Context>
-
-      </Host>
-    </Engine>
-  </Service>
-</Server>
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/8c9b45a4/ranger-plugin/integration/service/src/test/java/org/apache/hawq/ranger/integration/service/tests/common/ServiceTestBase.java
----------------------------------------------------------------------
diff --git a/ranger-plugin/integration/service/src/test/java/org/apache/hawq/ranger/integration/service/tests/common/ServiceTestBase.java b/ranger-plugin/integration/service/src/test/java/org/apache/hawq/ranger/integration/service/tests/common/ServiceTestBase.java
index 0b3be56..21c654c 100644
--- a/ranger-plugin/integration/service/src/test/java/org/apache/hawq/ranger/integration/service/tests/common/ServiceTestBase.java
+++ b/ranger-plugin/integration/service/src/test/java/org/apache/hawq/ranger/integration/service/tests/common/ServiceTestBase.java
@@ -67,7 +67,8 @@ public abstract class ServiceTestBase {
     private static final String RANGER_URL = String.format("http://%s:%s/service/public/v2/api", RANGER_HOST, RANGER_PORT);
     private static final String RANGER_POLICY_URL = RANGER_URL + "/policy";
 
-    private static final int POLICY_REFRESH_INTERVAL = 6000;
+    private static final String POLICY_WAIT_INTERVAL_PROP_NAME = "policy.wait.interval.ms";
+    private static final int POLICY_WAIT_INTERVAL = Integer.parseInt(System.getProperty(POLICY_WAIT_INTERVAL_PROP_NAME, "6000"));
     private static final TypeReference<HashMap<String,Object>> typeMSO = new TypeReference<HashMap<String,Object>>() {};
 
     private RESTClient rest = new RESTClient();
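Review bot: `Integer.parseInt(System.getProperty(...))` runs in the static initializer, so a non-numeric `policy.wait.interval.ms` makes class initialization fail with `ExceptionInInitializerError`, and every test extending `ServiceTestBase` errors out without a clear message. `private static final int POLICY_WAIT_INTERVAL = Integer.getInteger(POLICY_WAIT_INTERVAL_PROP_NAME, 6000);` falls back to the default for a missing or malformed value. A negative value would still reach `Thread.sleep` in `waitForPolicyRefresh` (second hunk) and throw `IllegalArgumentException`, so a one-line comment documenting the property and its unit (milliseconds) would be useful. The class body continues outside the hunk.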
@@ -132,7 +133,7 @@ public abstract class ServiceTestBase {
 
     private void waitForPolicyRefresh() {
         try {
-            Thread.sleep(POLICY_REFRESH_INTERVAL);
+            Thread.sleep(POLICY_WAIT_INTERVAL);
         }
         catch (InterruptedException e) {
             LOG.error(e);

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/8c9b45a4/ranger-plugin/pom.xml
----------------------------------------------------------------------
diff --git a/ranger-plugin/pom.xml b/ranger-plugin/pom.xml
index 20d3112..d8ab6b0 100644
--- a/ranger-plugin/pom.xml
+++ b/ranger-plugin/pom.xml
@@ -81,10 +81,37 @@
                     <mappings>
                         <mapping>
                             <directory>/usr/local/hawq_${hawq.name.version}/ranger/bin</directory>
-                            <filemode>755</filemode>
+                            <filemode>750</filemode>
                             <sources>
                                 <source>
-                                    <location>scripts</location>
+                                    <location>scripts/enable-ranger-plugin.sh</location>
+                                </source>
+                                <source>
+                                    <location>scripts/rps.sh</location>
+                                </source>
+                                <source>
+                                    <location>scripts/catalina.sh</location>
+                                </source>
+                            </sources>
+                        </mapping>
+                        <mapping>
+                            <directory>/usr/local/hawq_${hawq.name.version}/ranger/etc</directory>
+                            <sources>
+                                <source>
+                                    <location>conf/ranger-servicedef-hawq.json</location>
+                                </source>
+                                <!-- filtered resources include version number and come from target/conf directory -->
+                                <source>
+                                    <location>service/target/conf/ranger-hawq-security.xml</location>
+                                </source>
+                                <source>
+                                    <location>service/target/conf/ranger-hawq-audit.xml</location>
+                                </source>
+                                <source>
+                                    <location>service/target/conf/rps.properties</location>
+                                </source>
+                                <source>
+                                    <location>service/target/conf/log4j.properties</location>
                                 </source>
                             </sources>
                         </mapping>
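Review bot: The `ranger/bin` mapping is tightened to `<filemode>750</filemode>`, but the new `ranger/etc` mapping in this hunk sets no `<filemode>`, `<username>` or `<groupname>`, so the packaged configuration files fall back to the packaging plugin's defaults; please confirm those defaults give the intended owner and are not world-readable. The same applies to the `plugin-service/conf` mapping in the second hunk, which installs `server.xml` with its shutdown string, and to the `work/policycache` mapping in the third, which will hold cached authorization policies. An explicit mode on each, e.g. `<filemode>640</filemode>` for the configuration files and `<filemode>750</filemode>` for the policy cache directory, would make the intent visible in the pom. The `<mappings>` element starts and ends outside this hunk.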
@@ -100,18 +127,34 @@
                             </sources>
                         </mapping>
                         <mapping>
-                            <directory>/usr/local/hawq_${hawq.name.version}/ranger/etc</directory>
+                            <directory>/usr/local/hawq_${hawq.name.version}/ranger/plugin-service</directory>
+                        </mapping>
+                        <mapping>
+                            <directory>/usr/local/hawq_${hawq.name.version}/ranger/plugin-service/bin</directory>
                             <sources>
                                 <source>
-                                    <location>conf/ranger-servicedef-hawq.json</location>
+                                    <location>scripts/setenv.sh</location>
                                 </source>
                             </sources>
                         </mapping>
                         <mapping>
-                            <directory>/usr/local/hawq_${hawq.name.version}/ranger/plugin-service</directory>
+                            <directory>/usr/local/hawq_${hawq.name.version}/ranger/plugin-service/conf</directory>
+                            <sources>
+                                <source>
+                                    <location>conf/server.xml</location>
+                                </source>
+                                <source>
+                                    <location>conf/catalina.properties</location>
+                                </source>
+                            </sources>
                         </mapping>
                         <mapping>
-                            <directory>/usr/local/hawq_${hawq.name.version}/ranger/plugin-service/bin</directory>
+                            <directory>/usr/local/hawq_${hawq.name.version}/ranger/plugin-service/lib</directory>
+                            <sources>
+                                <source>
+                                    <location>service/target/ranger-plugin-service-${project.version}/WEB-INF/lib</location>
+                                </source>
+                            </sources>
                         </mapping>
                         <mapping>
                             <directory>/usr/local/hawq_${hawq.name.version}/ranger/plugin-service/logs</directory>
@@ -123,6 +166,9 @@
                             <directory>/usr/local/hawq_${hawq.name.version}/ranger/plugin-service/work</directory>
                         </mapping>
                         <mapping>
+                            <directory>/usr/local/hawq_${hawq.name.version}/ranger/plugin-service/work/policycache</directory>
+                        </mapping>
+                        <mapping>
                             <directory>/usr/local/hawq_${hawq.name.version}/ranger/plugin-service/webapps</directory>
                             <sources>
                                 <source>
@@ -131,14 +177,7 @@
                                 </source>
                             </sources>
                         </mapping>
-                        <mapping>
-                            <directory>/usr/local/hawq_${hawq.name.version}/ranger/plugin-service/conf</directory>
-                            <sources>
-                                <source>
-                                    <location>conf/tomcat-server.xml</location>
-                                </source>
-                            </sources>
-                        </mapping>
+
                     </mappings>
                 </configuration>
             </plugin>

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/8c9b45a4/ranger-plugin/scripts/catalina.sh
----------------------------------------------------------------------
diff --git a/ranger-plugin/scripts/catalina.sh b/ranger-plugin/scripts/catalina.sh
new file mode 100755
index 0000000..26f7601
--- /dev/null
+++ b/ranger-plugin/scripts/catalina.sh
@@ -0,0 +1,507 @@
+#!/bin/sh
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# -----------------------------------------------------------------------------
+# Start/Stop Script for the CATALINA Server
+#
+# Environment Variable Prerequisites
+#
+#   CATALINA_HOME   May point at your Catalina "build" directory.
+#
+#   CATALINA_BASE   (Optional) Base directory for resolving dynamic portions
+#                   of a Catalina installation.  If not present, resolves to
+#                   the same directory that CATALINA_HOME points to.
+#
+#   CATALINA_OUT    (Optional) Full path to a file where stdout and stderr
+#                   will be redirected.
+#                   Default is $CATALINA_BASE/logs/catalina.out
+#
+#   CATALINA_OPTS   (Optional) Java runtime options used when the "start",
+#                   or "run" command is executed.
+#
+#   CATALINA_TMPDIR (Optional) Directory path location of temporary directory
+#                   the JVM should use (java.io.tmpdir).  Defaults to
+#                   $CATALINA_BASE/temp.
+#
+#   JAVA_HOME       Must point at your Java Development Kit installation.
+#                   Required to run the with the "debug" argument.
+#
+#   JRE_HOME        Must point at your Java Development Kit installation.
+#                   Defaults to JAVA_HOME if empty.
+#
+#   JAVA_OPTS       (Optional) Java runtime options used when the "start",
+#                   "stop", or "run" command is executed.
+#
+#   JAVA_ENDORSED_DIRS (Optional) Lists of of colon separated directories
+#                   containing some jars in order to allow replacement of APIs
+#                   created outside of the JCP (i.e. DOM and SAX from W3C).
+#                   It can also be used to update the XML parser implementation.
+#                   Defaults to $CATALINA_HOME/endorsed.
+#
+#   JPDA_TRANSPORT  (Optional) JPDA transport used when the "jpda start"
+#                   command is executed. The default is "dt_socket".
+#
+#   JPDA_ADDRESS    (Optional) Java runtime options used when the "jpda start"
+#                   command is executed. The default is 8000.
+#
+#   JPDA_SUSPEND    (Optional) Java runtime options used when the "jpda start"
+#                   command is executed. Specifies whether JVM should suspend
+#                   execution immediately after startup. Default is "n".
+#
+#   JPDA_OPTS       (Optional) Java runtime options used when the "jpda start"
+#                   command is executed. If used, JPDA_TRANSPORT, JPDA_ADDRESS,
+#                   and JPDA_SUSPEND are ignored. Thus, all required jpda
+#                   options MUST be specified. The default is:
+#
+#                   -agentlib:jdwp=transport=$JPDA_TRANSPORT,
+#                       address=$JPDA_ADDRESS,server=y,suspend=$JPDA_SUSPEND
+#
+#   CATALINA_PID    (Optional) Path of the file which should contains the pid
+#                   of catalina startup java process, when start (fork) is used
+#
+#   LOGGING_CONFIG  (Optional) Override Tomcat's logging config file
+#                   Example (all one line)
+#                   LOGGING_CONFIG="-Djava.util.logging.config.file=$CATALINA_BASE/conf/logging.properties"
+#
+#   LOGGING_MANAGER (Optional) Override Tomcat's logging manager
+#                   Example (all one line)
+#                   LOGGING_MANAGER="-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager"
+# -----------------------------------------------------------------------------
+
+# OS specific support.  $var _must_ be set to either true or false.
+cygwin=false
+os400=false
+darwin=false
+case "`uname`" in
+CYGWIN*) cygwin=true;;
+OS400*) os400=true;;
+Darwin*) darwin=true;;
+esac
+
+# resolve links - $0 may be a softlink
+PRG="$0"
+
+while [ -h "$PRG" ]; do
+  ls=`ls -ld "$PRG"`
+  link=`expr "$ls" : '.*-> \(.*\)$'`
+  if expr "$link" : '/.*' > /dev/null; then
+    PRG="$link"
+  else
+    PRG=`dirname "$PRG"`/"$link"
+  fi
+done
+
+# Get standard environment variables
+PRGDIR=`dirname "$PRG"`
+
+# Only set CATALINA_HOME if not already set
+[ -z "$CATALINA_HOME" ] && CATALINA_HOME=`cd "$PRGDIR/.." >/dev/null; pwd`
+
+# Copy CATALINA_BASE from CATALINA_HOME if not already set
+[ -z "$CATALINA_BASE" ] && CATALINA_BASE="$CATALINA_HOME"
+
+# Ensure that any user defined CLASSPATH variables are not used on startup,
+# but allow them to be specified in setenv.sh, in rare case when it is needed.
+CLASSPATH=
+
+if [ -r "$CATALINA_BASE/bin/setenv.sh" ]; then
+  . "$CATALINA_BASE/bin/setenv.sh"
+elif [ -r "$CATALINA_HOME/bin/setenv.sh" ]; then
+  . "$CATALINA_HOME/bin/setenv.sh"
+fi
+
+# For Cygwin, ensure paths are in UNIX format before anything is touched
+if $cygwin; then
+  [ -n "$JAVA_HOME" ] && JAVA_HOME=`cygpath --unix "$JAVA_HOME"`
+  [ -n "$JRE_HOME" ] && JRE_HOME=`cygpath --unix "$JRE_HOME"`
+  [ -n "$CATALINA_HOME" ] && CATALINA_HOME=`cygpath --unix "$CATALINA_HOME"`
+  [ -n "$CATALINA_BASE" ] && CATALINA_BASE=`cygpath --unix "$CATALINA_BASE"`
+  [ -n "$CLASSPATH" ] && CLASSPATH=`cygpath --path --unix "$CLASSPATH"`
+fi
+
+# For OS400
+if $os400; then
+  # Set job priority to standard for interactive (interactive - 6) by using
+  # the interactive priority - 6, the helper threads that respond to requests
+  # will be running at the same priority as interactive jobs.
+  COMMAND='chgjob job('$JOBNAME') runpty(6)'
+  system $COMMAND
+
+  # Enable multi threading
+  export QIBM_MULTI_THREADED=Y
+fi
+
+# Get standard Java environment variables
+if $os400; then
+  # -r will Only work on the os400 if the files are:
+  # 1. owned by the user
+  # 2. owned by the PRIMARY group of the user
+  # this will not work if the user belongs in secondary groups
+  BASEDIR="$CATALINA_HOME"
+  . "$CATALINA_HOME"/bin/setclasspath.sh
+else
+  if [ -r "$CATALINA_HOME"/bin/setclasspath.sh ]; then
+    BASEDIR="$CATALINA_HOME"
+    . "$CATALINA_HOME"/bin/setclasspath.sh
+  else
+    echo "Cannot find $CATALINA_HOME/bin/setclasspath.sh"
+    echo "This file is needed to run this program"
+    exit 1
+  fi
+fi
+
+if [ -z "$CATALINA_BASE" ] ; then
+  CATALINA_BASE="$CATALINA_HOME"
+fi
+
+# Add tomcat-juli.jar and bootstrap.jar to classpath
+# tomcat-juli.jar can be over-ridden per instance
+if [ ! -z "$CLASSPATH" ] ; then
+  CLASSPATH="$CLASSPATH":
+fi
+if [ "$CATALINA_BASE" != "$CATALINA_HOME" ] && [ -r "$CATALINA_BASE/bin/tomcat-juli.jar" ] ; then
+  CLASSPATH="$CLASSPATH""$CATALINA_BASE"/bin/tomcat-juli.jar:"$CATALINA_HOME"/bin/bootstrap.jar
+else
+  CLASSPATH="$CLASSPATH""$CATALINA_HOME"/bin/bootstrap.jar
+fi
+
+if [ -z "$CATALINA_OUT" ] ; then
+  CATALINA_OUT="$CATALINA_BASE"/logs/catalina.out
+fi
+
+if [ -z "$CATALINA_TMPDIR" ] ; then
+  # Define the java.io.tmpdir to use for Catalina
+  CATALINA_TMPDIR="$CATALINA_BASE"/temp
+fi
+
+# Bugzilla 37848: When no TTY is available, don't output to console
+have_tty=0
+if [ "`tty`" != "not a tty" ]; then
+    have_tty=1
+fi
+
+# For Cygwin, switch paths to Windows format before running java
+if $cygwin; then
+  JAVA_HOME=`cygpath --absolute --windows "$JAVA_HOME"`
+  JRE_HOME=`cygpath --absolute --windows "$JRE_HOME"`
+  CATALINA_HOME=`cygpath --absolute --windows "$CATALINA_HOME"`
+  CATALINA_BASE=`cygpath --absolute --windows "$CATALINA_BASE"`
+  CATALINA_TMPDIR=`cygpath --absolute --windows "$CATALINA_TMPDIR"`
+  CLASSPATH=`cygpath --path --windows "$CLASSPATH"`
+  JAVA_ENDORSED_DIRS=`cygpath --path --windows "$JAVA_ENDORSED_DIRS"`
+fi
+
+# Set juli LogManager config file if it is present and an override has not been issued
+if [ -z "$LOGGING_CONFIG" ]; then
+  if [ -r "$CATALINA_BASE"/conf/logging.properties ]; then
+    LOGGING_CONFIG="-Djava.util.logging.config.file=$CATALINA_BASE/conf/logging.properties"
+  else
+    # Bugzilla 45585
+    LOGGING_CONFIG="-Dnop"
+  fi
+fi
+
+if [ -z "$LOGGING_MANAGER" ]; then
+  LOGGING_MANAGER="-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager"
+fi
+
+# ----- Execute The Requested Command -----------------------------------------
+
+# Bugzilla 37848: only output this if we have a TTY
+if [ $have_tty -eq 1 ]; then
+  echo "Using CATALINA_BASE:   $CATALINA_BASE"
+  echo "Using CATALINA_HOME:   $CATALINA_HOME"
+  echo "Using CATALINA_TMPDIR: $CATALINA_TMPDIR"
+  if [ "$1" = "debug" ] ; then
+    echo "Using JAVA_HOME:       $JAVA_HOME"
+  else
+    echo "Using JRE_HOME:        $JRE_HOME"
+  fi
+  echo "Using CLASSPATH:       $CLASSPATH"
+  if [ ! -z "$CATALINA_PID" ]; then
+    echo "Using CATALINA_PID:    $CATALINA_PID"
+  fi
+fi
+
+if [ "$1" = "jpda" ] ; then
+  if [ -z "$JPDA_TRANSPORT" ]; then
+    JPDA_TRANSPORT="dt_socket"
+  fi
+  if [ -z "$JPDA_ADDRESS" ]; then
+    JPDA_ADDRESS="8000"
+  fi
+  if [ -z "$JPDA_SUSPEND" ]; then
+    JPDA_SUSPEND="n"
+  fi
+  if [ -z "$JPDA_OPTS" ]; then
+    JPDA_OPTS="-agentlib:jdwp=transport=$JPDA_TRANSPORT,address=$JPDA_ADDRESS,server=y,suspend=$JPDA_SUSPEND"
+  fi
+  CATALINA_OPTS="$CATALINA_OPTS $JPDA_OPTS"
+  shift
+fi
+
+if [ "$1" = "debug" ] ; then
+  if $os400; then
+    echo "Debug command not available on OS400"
+    exit 1
+  else
+    shift
+    if [ "$1" = "-security" ] ; then
+      if [ $have_tty -eq 1 ]; then
+        echo "Using Security Manager"
+      fi
+      shift
+      exec "$_RUNJDB" "$LOGGING_CONFIG" $LOGGING_MANAGER $JAVA_OPTS $CATALINA_OPTS \
+        -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
+        -sourcepath "$CATALINA_HOME"/../../java \
+        -Djava.security.manager \
+        -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \
+        -Dcatalina.base="$CATALINA_BASE" \
+        -Dcatalina.home="$CATALINA_HOME" \
+        -Djava.io.tmpdir="$CATALINA_TMPDIR" \
+        org.apache.catalina.startup.Bootstrap "$@" start
+    else
+      exec "$_RUNJDB" "$LOGGING_CONFIG" $LOGGING_MANAGER $JAVA_OPTS $CATALINA_OPTS \
+        -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
+        -sourcepath "$CATALINA_HOME"/../../java \
+        -Dcatalina.base="$CATALINA_BASE" \
+        -Dcatalina.home="$CATALINA_HOME" \
+        -Djava.io.tmpdir="$CATALINA_TMPDIR" \
+        org.apache.catalina.startup.Bootstrap "$@" start
+    fi
+  fi
+
+elif [ "$1" = "run" ]; then
+
+  shift
+  if [ "$1" = "-security" ] ; then
+    if [ $have_tty -eq 1 ]; then
+      echo "Using Security Manager"
+    fi
+    shift
+    exec "$_RUNJAVA" "$LOGGING_CONFIG" $LOGGING_MANAGER $JAVA_OPTS $CATALINA_OPTS \
+      -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
+      -Djava.security.manager \
+      -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \
+      -Dcatalina.base="$CATALINA_BASE" \
+      -Dcatalina.home="$CATALINA_HOME" \
+      -Djava.io.tmpdir="$CATALINA_TMPDIR" \
+      org.apache.catalina.startup.Bootstrap "$@" start
+  else
+    exec "$_RUNJAVA" "$LOGGING_CONFIG" $LOGGING_MANAGER $JAVA_OPTS $CATALINA_OPTS \
+      -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
+      -Dcatalina.base="$CATALINA_BASE" \
+      -Dcatalina.home="$CATALINA_HOME" \
+      -Djava.io.tmpdir="$CATALINA_TMPDIR" \
+      org.apache.catalina.startup.Bootstrap "$@" start
+  fi
+
+elif [ "$1" = "start" ] ; then
+
+  if [ ! -z "$CATALINA_PID" ]; then
+    if [ -f "$CATALINA_PID" ]; then
+      if [ -s "$CATALINA_PID" ]; then
+        echo "Existing PID file found during start."
+        if [ -r "$CATALINA_PID" ]; then
+          PID=`cat "$CATALINA_PID"`
+          ps -p $PID >/dev/null 2>&1
+          if [ $? -eq 0 ] ; then
+            echo "Tomcat appears to still be running with PID $PID. Start aborted."
+            echo "If the following process is not a Tomcat process, remove the PID file and try again:"
+            ps -f -p $PID
+            # RPS treats repeated start as non-error condition, assuming running process is RPS; originally was: exit 1
+            exit 0
+          else
+            echo "Removing/clearing stale PID file."
+            rm -f "$CATALINA_PID" >/dev/null 2>&1
+            if [ $? != 0 ]; then
+              if [ -w "$CATALINA_PID" ]; then
+                cat /dev/null > "$CATALINA_PID"
+              else
+                echo "Unable to remove or clear stale PID file. Start aborted."
+                exit 1
+              fi
+            fi
+          fi
+        else
+          echo "Unable to read PID file. Start aborted."
+          exit 1
+        fi
+      else
+        rm -f "$CATALINA_PID" >/dev/null 2>&1
+        if [ $? != 0 ]; then
+          if [ ! -w "$CATALINA_PID" ]; then
+            echo "Unable to remove or write to empty PID file. Start aborted."
+            exit 1
+          fi
+        fi
+      fi
+    fi
+  fi
+
+  shift
+  touch "$CATALINA_OUT"
+  if [ "$1" = "-security" ] ; then
+    if [ $have_tty -eq 1 ]; then
+      echo "Using Security Manager"
+    fi
+    shift
+    "$_RUNJAVA" "$LOGGING_CONFIG" $LOGGING_MANAGER $JAVA_OPTS $CATALINA_OPTS \
+      -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
+      -Djava.security.manager \
+      -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \
+      -Dcatalina.base="$CATALINA_BASE" \
+      -Dcatalina.home="$CATALINA_HOME" \
+      -Djava.io.tmpdir="$CATALINA_TMPDIR" \
+      org.apache.catalina.startup.Bootstrap "$@" start \
+      >> "$CATALINA_OUT" 2>&1 &
+
+  else
+    "$_RUNJAVA" "$LOGGING_CONFIG" $LOGGING_MANAGER $JAVA_OPTS $CATALINA_OPTS \
+      -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
+      -Dcatalina.base="$CATALINA_BASE" \
+      -Dcatalina.home="$CATALINA_HOME" \
+      -Djava.io.tmpdir="$CATALINA_TMPDIR" \
+      org.apache.catalina.startup.Bootstrap "$@" start \
+      >> "$CATALINA_OUT" 2>&1 &
+
+  fi
+
+  if [ ! -z "$CATALINA_PID" ]; then
+    echo $! > "$CATALINA_PID"
+  fi
+
+elif [ "$1" = "stop" ] ; then
+
+  shift
+
+  SLEEP=5
+  if [ ! -z "$1" ]; then
+    echo $1 | grep "[^0-9]" >/dev/null 2>&1
+    if [ $? -gt 0 ]; then
+      SLEEP=$1
+      shift
+    fi
+  fi
+
+  FORCE=0
+  if [ "$1" = "-force" ]; then
+    shift
+    FORCE=1
+  fi
+
+  if [ ! -z "$CATALINA_PID" ]; then
+    if [ -f "$CATALINA_PID" ]; then
+      if [ -s "$CATALINA_PID" ]; then
+        kill -0 `cat "$CATALINA_PID"` >/dev/null 2>&1
+        if [ $? -gt 0 ]; then
+          echo "PID file found but no matching process was found. Stop aborted."
+          # RPS treats stop of non-running process as non-error condition, PID file will be cleaned on start; originally was: exit 1
+          exit 0
+        fi
+      else
+        echo "PID file is empty and has been ignored."
+      fi
+    else
+      echo "\$CATALINA_PID was set but the specified file does not exist. Is Tomcat running? Stop aborted."
+      # RPS treats stop when PID file is missing as non-error condition, assuming RPS has already been stopped; originally was: exit 1
+      exit 0
+    fi
+  fi
+  
+  "$_RUNJAVA" $LOGGING_MANAGER $JAVA_OPTS \
+    -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \
+    -Dcatalina.base="$CATALINA_BASE" \
+    -Dcatalina.home="$CATALINA_HOME" \
+    -Djava.io.tmpdir="$CATALINA_TMPDIR" \
+    org.apache.catalina.startup.Bootstrap "$@" stop
+
+  if [ ! -z "$CATALINA_PID" ]; then
+    if [ -f "$CATALINA_PID" ]; then
+      while [ $SLEEP -ge 0 ]; do
+        kill -0 `cat "$CATALINA_PID"` >/dev/null 2>&1
+        if [ $? -gt 0 ]; then
+          rm -f "$CATALINA_PID" >/dev/null 2>&1
+          if [ $? != 0 ]; then
+            if [ -w "$CATALINA_PID" ]; then
+              cat /dev/null > "$CATALINA_PID"
+            else
+              echo "Tomcat stopped but the PID file could not be removed or cleared."
+            fi
+          fi
+          break
+        fi
+        if [ $SLEEP -gt 0 ]; then
+          sleep 1
+        fi
+        if [ $SLEEP -eq 0 ]; then
+          if [ $FORCE -eq 0 ]; then
+            echo "Tomcat did not stop in time. PID file was not removed."
+          fi
+        fi
+        SLEEP=`expr $SLEEP - 1 `
+      done
+    fi
+  fi
+
+  if [ $FORCE -eq 1 ]; then
+    if [ -z "$CATALINA_PID" ]; then
+      echo "Kill failed: \$CATALINA_PID not set"
+    else
+      if [ -f "$CATALINA_PID" ]; then
+        PID=`cat "$CATALINA_PID"`
+        echo "Killing Tomcat with the PID: $PID"
+        kill -9 $PID
+        rm -f "$CATALINA_PID" >/dev/null 2>&1
+        if [ $? != 0 ]; then
+          echo "Tomcat was killed but the PID file could not be removed."
+        fi
+      fi
+    fi
+  fi
+
+elif [ "$1" = "version" ] ; then
+
+    "$_RUNJAVA"   \
+      -classpath "$CATALINA_HOME/lib/catalina.jar" \
+      org.apache.catalina.util.ServerInfo
+
+else
+
+  echo "Usage: catalina.sh ( commands ... )"
+  echo "commands:"
+  if $os400; then
+    echo "  debug             Start Catalina in a debugger (not available on OS400)"
+    echo "  debug -security   Debug Catalina with a security manager (not available on OS400)"
+  else
+    echo "  debug             Start Catalina in a debugger"
+    echo "  debug -security   Debug Catalina with a security manager"
+  fi
+  echo "  jpda start        Start Catalina under JPDA debugger"
+  echo "  run               Start Catalina in the current window"
+  echo "  run -security     Start in the current window with security manager"
+  echo "  start             Start Catalina in a separate window"
+  echo "  start -security   Start in a separate window with security manager"
+  echo "  stop              Stop Catalina, waiting up to 5 seconds for the process to end"
+  echo "  stop n            Stop Catalina, waiting up to n seconds for the process to end"
+  echo "  stop -force       Stop Catalina, wait up to 5 seconds and then use kill -KILL if still running"
+  echo "  stop n -force     Stop Catalina, wait up to n seconds and then use kill -KILL if still running"
+  echo "  version           What version of tomcat are you running?"
+  echo "Note: Waiting for the process to end and use of the -force option require that \$CATALINA_PID is defined"
+  exit 1
+
+fi
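Review bot: In the `start` branch the new `exit 0` reports success whenever the PID stored in `$CATALINA_PID` belongs to any live process. After PID reuse, for example a stale `work/rps.pid` left over from before a reboot, the caller is told the Ranger Plugin Service is up although it is not running. rps.sh in this commit adds `-Dproc_rps` to `CATALINA_OPTS`, so the liveness test can check identity instead of mere existence: replace the `ps -p $PID` / `if [ $? -eq 0 ]` pair with `if ps -p "$PID" -o args= 2>/dev/null | grep -q -- '-Dproc_rps'; then`. A foreign PID then falls through to the existing stale-PID-file cleanup. The `stop -force` path passes the same unverified, unquoted value to `kill -9 $PID` and would benefit from the same identity check before the kill.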

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/8c9b45a4/ranger-plugin/scripts/enable-ranger-plugin.sh
----------------------------------------------------------------------
diff --git a/ranger-plugin/scripts/enable-ranger-plugin.sh b/ranger-plugin/scripts/enable-ranger-plugin.sh
new file mode 100755
index 0000000..05a0b1d
--- /dev/null
+++ b/ranger-plugin/scripts/enable-ranger-plugin.sh
@@ -0,0 +1,225 @@
+#!/usr/bin/env bash
+
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+function usage() {
+  echo "USAGE: enable-ranger-plugin.sh -r ranger_host:ranger_port -u ranger_user -p ranger_password -h hawq_host:hawq_port -w hawq_user -q hawq_password"
+  exit 1
+}
+
+function fail() {
+  echo "ERROR: $1"
+  exit 1
+}
+
+function mask() {
+  printf -v stars '%*s' ${#1} ''
+  echo "[${stars// /*}]"
+}
+
+function read_value() {
+  local input
+  read -p "Enter value for $1 : " input
+  echo $input
+}
+
+function read_password() {
+  local input
+  read -s -p "Enter value for $1 : " input
+  echo $input
+}
+
+function get_ranger_url() {
+  while [[ -z "$RANGER_URL" ]]
+  do
+    RANGER_URL=$(read_value "Ranger Admin host and port (e.g. abc.com:6080)")
+  done
+  local prefix="http://"
+  RANGER_URL=${RANGER_URL#$prefix}
+}
+
+function get_ranger_user() {
+  while [[ -z "$RANGER_USER" ]]
+  do
+    RANGER_USER=$(read_value "Ranger Admin user name")
+  done
+}
+
+function get_ranger_password() {
+  while [[ -z "$RANGER_PASSWORD" ]]
+  do
+    RANGER_PASSWORD=$(read_password "Ranger Admin password")
+    echo
+  done
+}
+
+function get_hawq_url() {
+  #todo read hawq-site.xml ?
+  local default=`hostname -f`
+  default="${default}:5432"
+  while [[ -z "$HAWQ_URL" ]]
+  do
+    HAWQ_URL=$(read_value "HAWQ Master host and port [${default}]")
+  done
+  local prefix="http://"
+  HAWQ_URL=${HAWQ_URL#$prefix}
+  local parts=(${HAWQ_URL//:/ })
+  if [ ${#parts[@]} != 2 ]; then
+    fail "Incorrect value for HAWQ Master host and port."
+  fi
+  HAWQ_HOST=${parts[0]}
+  HAWQ_PORT=${parts[1]}
+}
+
+function get_hawq_user() {
+  local default="gpadmin"
+  while [[ -z "$HAWQ_USER" ]]
+  do
+    HAWQ_USER=$(read_value "HAWQ user name [${default}]")
+  done
+}
+
+function get_hawq_password() {
+  while [[ -z "$HAWQ_PASSWORD" ]]
+  do
+    HAWQ_PASSWORD=$(read_password "HAWQ password")
+    echo
+  done
+}
+
+function parse_params() {
+  while [[ $# -gt 0 ]] 
+  do
+    key="$1"
+    case $key in
+      -r)
+        RANGER_URL="$2"
+        shift
+        ;;
+      -u)
+        RANGER_USER="$2"
+        shift
+        ;;
+      -p)
+        RANGER_PASSWORD="$2"
+        shift
+        ;;
+      -h)
+        HAWQ_URL="$2"
+        shift
+        ;;
+      -w)
+        HAWQ_USER="$2"
+        shift
+        ;;
+      -q)
+        HAWQ_PASSWORD="$2"
+        shift
+        ;;
+      *)
+        usage
+        ;;
+    esac
+    shift
+  done
+}
+
+function validate_params() {
+  get_ranger_url
+  get_ranger_user
+  get_ranger_password
+  get_hawq_url
+  get_hawq_user
+  get_hawq_password
+  echo "RANGER URL  = ${RANGER_URL}" 
+  echo "RANGER User = ${RANGER_USER}" 
+  echo "RANGER Password = $(mask ${RANGER_PASSWORD})" 
+  echo "HAWQ HOST = ${HAWQ_HOST}"
+  echo "HAWQ PORT = ${HAWQ_PORT}"  
+  echo "HAWQ User = ${HAWQ_USER}" 
+  echo "HAWQ Password = $(mask ${HAWQ_PASSWORD})" 
+}
+
+function check_hawq_service_definition() {
+  echo $(curl -sS -u ${RANGER_USER}:${RANGER_PASSWORD} http://${RANGER_URL}/service/public/v2/api/servicedef/name/hawq | grep hawq | wc -l)
+}
+
+function create_hawq_service_definition() {
+  if [ $(check_hawq_service_definition) == 0 ]; then
+    local json_file="$(dirname ${SCRIPT_DIR})/etc/ranger-servicedef-hawq.json"
+    if [ ! -f ${json_file} ]; then
+      fail "File ${json_file} not found."
+    fi
+    echo "HAWQ service definition was not found in Ranger Admin, creating it by uploading ${json_file}"
+    local output=$(curl -sS -u ${RANGER_USER}:${RANGER_PASSWORD} -H "Content-Type: application/json" -X POST http://${RANGER_URL}/service/plugins/definitions -d @${json_file})
+    local created=$(echo ${output} | grep created | wc -l)
+    if [ ${created} == 0 ] || [ $(check_hawq_service_definition) == 0 ]; then
+      fail "Creation of HAWQ service definition from ${json_file} in Ranger Admin at ${RANGER_URL} failed. ${output}"
+    fi
+  else
+    echo "HAWQ service definition already exists in Ranger Admin, nothing to do." 
+  fi
+}
+
+function check_hawq_service_instance() {
+  echo $(curl -sS -u ${RANGER_USER}:${RANGER_PASSWORD} http://${RANGER_URL}/service/public/v2/api/service/name/hawq | grep hawq | wc -l)
+}
+
+function create_hawq_service_instance() {
+  if [ $(check_hawq_service_instance) == 0 ]; then
+    local payload="{\"name\":\"hawq\",
+                    \"type\":\"hawq\",
+                    \"description\":\"HAWQ Master\",
+                    \"isEnabled\":true,
+                    \"configs\":{\"username\":\"${HAWQ_USER}\",
+                               \"password\":\"${HAWQ_PASSWORD}\",
+                               \"hostname\":\"${HAWQ_HOST}\",
+                               \"port\":\"${HAWQ_PORT}\"}}"
+
+    echo "HAWQ service instance was not found in Ranger Admin, creating it."
+    local output=$(curl -sS -u ${RANGER_USER}:${RANGER_PASSWORD} -H "Content-Type: application/json" -X POST http://${RANGER_URL}/service/public/v2/api/service -d "${payload}")
+    local created=$(echo ${output} | grep created | wc -l)
+    if [ ${created} == 0 ] || [ $(check_hawq_service_instance) == 0 ]; then
+      fail "Creation of HAWQ service instance in Ranger Admin at ${RANGER_URL} failed. ${output}"
+    fi
+  else
+    echo "HAWQ service instance already exists in Ranger Admin, nothing to do."
+  fi
+}
+
+function update_ranger_url() {
+  local policy_mgr_url="http://${RANGER_URL}"
+  local prop_file=$(dirname ${SCRIPT_DIR})/etc/rps.properties
+  sed -i -e "s|^POLICY_MGR_URL=.*|POLICY_MGR_URL=${policy_mgr_url}|g" ${prop_file}
+  echo "Updated POLICY_MGR_URL to ${policy_mgr_url} in ${prop_file}"
+}
+
+main() {
+  if [[ $# -lt 1 ]]; then
+    usage
+  fi
+  SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd -P)"
+  parse_params "$@"
+  validate_params
+  create_hawq_service_definition
+  create_hawq_service_instance
+  update_ranger_url
+}
+main "$@"
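Review bot: The Ranger Admin and HAWQ passwords are handled unsafely throughout the new script. Every `curl` call passes `-u ${RANGER_USER}:${RANGER_PASSWORD}` unquoted on the command line and against a hard-coded `http://` URL, so the credentials appear in the process list, travel in cleartext, and are word-split or glob-expanded if they contain spaces or `*`. At minimum quote them as `-u "${RANGER_USER}:${RANGER_PASSWORD}"`, use `read -r -s` with `echo "$input"` in `read_password`, and call `mask "${RANGER_PASSWORD}"`. Feeding the credentials to curl on stdin with `-K -` would also keep them out of argv. The JSON payload in `create_hawq_service_instance` interpolates `${HAWQ_PASSWORD}` and the other values without escaping, so a value containing `"` or `\` yields a malformed or altered request body. The `-p`/`-q` options share the argv exposure, so the usage text should point operators to the interactive prompts.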

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/8c9b45a4/ranger-plugin/scripts/register_hawq.sh
----------------------------------------------------------------------
diff --git a/ranger-plugin/scripts/register_hawq.sh b/ranger-plugin/scripts/register_hawq.sh
deleted file mode 100755
index 11e2df8..0000000
--- a/ranger-plugin/scripts/register_hawq.sh
+++ /dev/null
@@ -1,217 +0,0 @@
-#!/usr/bin/env bash
-
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-function usage() {
-  echo "USAGE: register_hawq.sh -r ranger_host:ranger_port -u ranger_user -p ranger_password -h hawq_host:hawq_port -w hawq_user -q hawq_password"
-  exit 1
-}
-
-function fail() {
-  echo "ERROR: $1"
-  exit 1
-}
-
-function mask() {
-  printf -v stars '%*s' ${#1} ''
-  echo "[${stars// /*}]"
-}
-
-function read_value() {
-  local input
-  read -p "Enter value for $1 : " input
-  echo $input
-}
-
-function read_password() {
-  local input
-  read -s -p "Enter value for $1 : " input
-  echo $input
-}
-
-function get_ranger_url() {
-  while [[ -z "$RANGER_URL" ]]
-  do
-    RANGER_URL=$(read_value "Ranger Admin host and port (e.g. abc.com:6080)")
-  done
-  local prefix="http://"
-  RANGER_URL=${RANGER_URL#$prefix}
-}
-
-function get_ranger_user() {
-  while [[ -z "$RANGER_USER" ]]
-  do
-    RANGER_USER=$(read_value "Ranger Admin user name")
-  done
-}
-
-function get_ranger_password() {
-  while [[ -z "$RANGER_PASSWORD" ]]
-  do
-    RANGER_PASSWORD=$(read_password "Ranger Admin password")
-    echo
-  done
-}
-
-function get_hawq_url() {
-  #todo read hawq-site.xml ?
-  local default=`hostname -f`
-  default="${default}:5432"
-  while [[ -z "$HAWQ_URL" ]]
-  do
-    HAWQ_URL=$(read_value "HAWQ Master host and port [${default}]")
-  done
-  local prefix="http://"
-  HAWQ_URL=${HAWQ_URL#$prefix}
-  local parts=(${HAWQ_URL//:/ })
-  if [ ${#parts[@]} != 2 ]; then
-    fail "Incorrect value for HAWQ Master host and port."
-  fi
-  HAWQ_HOST=${parts[0]}
-  HAWQ_PORT=${parts[1]}
-}
-
-function get_hawq_user() {
-  local default="gpadmin"
-  while [[ -z "$HAWQ_USER" ]]
-  do
-    HAWQ_USER=$(read_value "HAWQ user name [${default}]")
-  done
-}
-
-function get_hawq_password() {
-  while [[ -z "$HAWQ_PASSWORD" ]]
-  do
-    HAWQ_PASSWORD=$(read_password "HAWQ password")
-    echo
-  done
-}
-
-function parse_params() {
-  while [[ $# -gt 0 ]] 
-  do
-    key="$1"
-    case $key in
-      -r)
-        RANGER_URL="$2"
-        shift
-        ;;
-      -u)
-        RANGER_USER="$2"
-        shift
-        ;;
-      -p)
-        RANGER_PASSWORD="$2"
-        shift
-        ;;
-      -h)
-        HAWQ_URL="$2"
-        shift
-        ;;
-      -w)
-        HAWQ_USER="$2"
-        shift
-        ;;
-      -q)
-        HAWQ_PASSWORD="$2"
-        shift
-        ;;
-      *)
-        usage
-        ;;
-    esac
-    shift
-  done
-}
-
-function validate_params() {
-  get_ranger_url
-  get_ranger_user
-  get_ranger_password
-  get_hawq_url
-  get_hawq_user
-  get_hawq_password
-  echo "RANGER URL  = ${RANGER_URL}" 
-  echo "RANGER User = ${RANGER_USER}" 
-  echo "RANGER Password = $(mask ${RANGER_PASSWORD})" 
-  echo "HAWQ HOST = ${HAWQ_HOST}"
-  echo "HAWQ PORT = ${HAWQ_PORT}"  
-  echo "HAWQ User = ${HAWQ_USER}" 
-  echo "HAWQ Password = $(mask ${HAWQ_PASSWORD})" 
-}
-
-function check_hawq_service_definition() {
-  echo $(curl -sS -u ${RANGER_USER}:${RANGER_PASSWORD} http://${RANGER_URL}/service/public/v2/api/servicedef/name/hawq | grep hawq | wc -l)
-}
-
-function create_hawq_service_definition() {
-  if [ $(check_hawq_service_definition) == 0 ]; then
-    local json_file="$(dirname ${SCRIPT_DIR})/etc/ranger-servicedef-hawq.json"
-    if [ ! -f ${json_file} ]; then
-      fail "File ${json_file} not found."
-    fi
-    echo "HAWQ service definition was not found in Ranger Admin, creating it by uploading ${json_file}"
-    local output=$(curl -sS -u ${RANGER_USER}:${RANGER_PASSWORD} -H "Content-Type: application/json" -X POST http://${RANGER_URL}/service/plugins/definitions -d @${json_file})
-    local created=$(echo ${output} | grep created | wc -l)
-    if [ ${created} == 0 ] || [ $(check_hawq_service_definition) == 0 ]; then
-      fail "Creation of HAWQ service definition from ${json_file} in Ranger Admin at ${RANGER_URL} failed. ${output}"
-    fi
-  else
-    echo "HAWQ service definition already exists in Ranger Admin, nothing to do." 
-  fi
-}
-
-function check_hawq_service_instance() {
-  echo $(curl -sS -u ${RANGER_USER}:${RANGER_PASSWORD} http://${RANGER_URL}/service/public/v2/api/service/name/hawq | grep hawq | wc -l)
-}
-
-function create_hawq_service_instance() {
-  if [ $(check_hawq_service_instance) == 0 ]; then
-    local payload="{\"name\":\"hawq\",
-                    \"type\":\"hawq\",
-                    \"description\":\"HAWQ Master\",
-                    \"isEnabled\":true,
-                    \"configs\":{\"username\":\"${HAWQ_USER}\",
-                               \"password\":\"${HAWQ_PASSWORD}\",
-                               \"hostname\":\"${HAWQ_HOST}\",
-                               \"port\":\"${HAWQ_PORT}\"}}"
-
-    echo "HAWQ service instance was not found in Ranger Admin, creating it."
-    local output=$(curl -sS -u ${RANGER_USER}:${RANGER_PASSWORD} -H "Content-Type: application/json" -X POST http://${RANGER_URL}/service/public/v2/api/service -d "${payload}")
-    local created=$(echo ${output} | grep created | wc -l)
-    if [ ${created} == 0 ] || [ $(check_hawq_service_instance) == 0 ]; then
-      fail "Creation of HAWQ service instance in Ranger Admin at ${RANGER_URL} failed. ${output}"
-    fi
-  else
-    echo "HAWQ service instance already exists in Ranger Admin, nothing to do."
-  fi
-}
-
-main() {
-  if [[ $# -lt 1 ]]; then
-    usage
-  fi
-  SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-  parse_params "$@"
-  validate_params
-  create_hawq_service_definition
-  create_hawq_service_instance
-}
-main "$@"

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/8c9b45a4/ranger-plugin/scripts/rps.sh
----------------------------------------------------------------------
diff --git a/ranger-plugin/scripts/rps.sh b/ranger-plugin/scripts/rps.sh
index e8ccf3a..476d0d6 100755
--- a/ranger-plugin/scripts/rps.sh
+++ b/ranger-plugin/scripts/rps.sh
@@ -20,41 +20,71 @@
 #
 
 if [ $# -le 0 ]; then
-  echo "Usage: rps (start|stop|init) [<catalina-args...>]"
+  echo "Usage: rps.sh (start|stop)"
   exit 1
 fi
 
-actionCmd=$1
+action=$1
 shift
 
-CWDIR=$( cd $( dirname ${BASH_SOURCE[0]} ) && pwd )
-source $CWDIR/rps_env.sh
-
-setup_rps() {
-  echo "Initializing Hawq Ranger Plugin Service..."
-  cp $CATALINA_HOME/conf.template/* $CATALINA_BASE/conf
-  cp $CATALINA_BASE/conf/tomcat-server.xml $CATALINA_BASE/conf/server.xml
-  pushd $CATALINA_BASE/webapps >/dev/null
-  unzip -d rps rps.war >/dev/null
-  find . -name ranger-hawq-security.xml | xargs sed -i \
-    "s/localhost:6080/$RANGER_ADMIN_HOST:$RANGER_ADMIN_PORT/g"
-  popd >/dev/null
-  echo "Hawq Ranger Plugin Service installed on http://$RPS_HOST:$RPS_PORT/rps"
-  echo "Please use 'rps.sh start' to start the service"
+CWDIR=$( cd $( dirname ${BASH_SOURCE[0]} ) && pwd -P)
+BASEDIR=$( dirname ${CWDIR} )
+# read properties from the file
+source ${BASEDIR}/etc/rps.properties
+
+export CATALINA_HOME=/usr/lib/bigtop-tomcat
+export CATALINA_BASE=${BASEDIR}/plugin-service
+export CATALINA_PID=${CATALINA_BASE}/work/rps.pid
+
+# options used to start the RPS process
+export CATALINA_OPTS="-server -Xms512m -Xmx512m -XX:MaxPermSize=128m
+                     -Dproc_rps -Dversion=${RPS_VERSION}
+                     -Dranger.hawq.instance=${RANGER_HAWQ_INSTANCE}
+                     -Drps.http.port=${RPS_HTTP_PORT} -Drps.https.port=${RPS_HTTPS_PORT}
+                     -Dpolicy.manager.url=${POLICY_MGR_URL}"
+
+# options used to stop the RPS process
+export JAVA_OPTS="-Drps.shutdown.port=${RPS_SHUTDOWN_PORT}"
+
+RPS_URL="http://localhost:${RPS_HTTP_PORT}/rps"
+RPS_LOG="${CATALINA_BASE}/logs/catalina.out"
+
+function fail() {
+    echo "FATAL: Failed to ${1} HAWQ Ranger Plugin Service. Check ${RPS_LOG} for details."
+    exit 2
 }
 
-case $actionCmd in
-  (init)
-    setup_rps
-    ;;
+function tomcat_command() {
+    ${CWDIR}/catalina.sh ${1} ${2}
+    if [ $? -ne 0 ]; then
+      fail ${1}
+    fi
+}
+
+function wait_until_server_started() {
+    echo -n "Waiting for Hawq Ranger Plugin Service to start ."
+    local retries="20"
+    local n=0
+    until $(curl -s --output /dev/null --fail ${RPS_URL}/version); do
+      n=$[${n}+1]
+      if [ ${n} -ge ${retries} ]; then
+        echo
+        fail "start"
+      fi
+      printf '.'
+      sleep 3
+    done
+    echo -e "\nHawq Ranger Plugin Service is available at ${RPS_URL}"
+}
+
+case ${action} in
   (start)
-    $CATALINA_HOME/bin/catalina.sh start "$@"
-    echo "Waiting for RPS service to start..."
-    sleep 15
+    tomcat_command "start"
+    wait_until_server_started
     ;;
   (stop)
-    $CATALINA_HOME/bin/catalina.sh stop "$@"
-    echo "Waiting for RPS service to stop..."
-    sleep 10
+    # allow the server 10 seconds after shutdown command before force killing it
+    tomcat_command "stop" "10 -force"
+    echo "Hawq Ranger Plugin Service is stopped."
     ;;
 esac
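Review bot: `source ${BASEDIR}/etc/rps.properties` runs the properties file as bash with the privileges of whoever invokes rps.sh, so the file is effectively code and needs the same ownership and mode as the script itself; the hunk neither says this nor quotes the path. I would write `source "${BASEDIR}/etc/rps.properties"` under a comment such as `# rps.properties is executed as shell code: keep it writable only by the service owner and limited to KEY=value lines`. Utils.java in this commit reads a file of the same name through Java property keys, so it presumably has to stay valid in both syntaxes. Separately, the `case` has no catch-all branch, so an unknown action exits 0 without output; `(*) echo "Usage: rps.sh (start|stop)"; exit 1 ;;` would close that.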

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/8c9b45a4/ranger-plugin/scripts/rps_env.sh
----------------------------------------------------------------------
diff --git a/ranger-plugin/scripts/rps_env.sh b/ranger-plugin/scripts/rps_env.sh
deleted file mode 100755
index ae36e8f..0000000
--- a/ranger-plugin/scripts/rps_env.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/usr/bin/env bash
-
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-export CATALINA_HOME=/usr/lib/bigtop-tomcat
-export CATALINA_BASE=/usr/local/hawq/ranger/plugin-service
-
-export RANGER_ADMIN_HOST=${RANGER_ADMIN_HOST:-localhost}
-export RANGER_ADMIN_PORT=${RANGER_ADMIN_PORT:-6080}
-
-export RPS_HOST=${RPS_HOST:-localhost}
-export RPS_PORT=${RPS_PORT:-8432}
-export CATALINA_OPTS="-Dhttp.host=$RPS_HOST -Dhttp.port=$RPS_PORT"

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/8c9b45a4/ranger-plugin/scripts/setenv.sh
----------------------------------------------------------------------
diff --git a/ranger-plugin/scripts/setenv.sh b/ranger-plugin/scripts/setenv.sh
new file mode 100755
index 0000000..6124d83
--- /dev/null
+++ b/ranger-plugin/scripts/setenv.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# allow the webapp to see config files in this directory from its classpath
+export CLASSPATH=$(dirname ${CATALINA_BASE})/etc
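Review bot: The `export CLASSPATH=` line depends on CATALINA_BASE being set by the caller: if it is empty, `dirname` gets no operand and the value collapses to `/etc`, which would put the system configuration directory on the webapp's classpath. The expansion is also unquoted, so an install path containing spaces is misparsed. `export CLASSPATH="$(dirname "${CATALINA_BASE:?CATALINA_BASE is not set}")/etc"` fails loudly instead. The assignment also replaces any CLASSPATH inherited from the caller; if that is intended, the comment above it should say so.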

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/8c9b45a4/ranger-plugin/service/pom.xml
----------------------------------------------------------------------
diff --git a/ranger-plugin/service/pom.xml b/ranger-plugin/service/pom.xml
index 3f2f9f8..f29817c 100644
--- a/ranger-plugin/service/pom.xml
+++ b/ranger-plugin/service/pom.xml
@@ -32,14 +32,44 @@
         <relativePath>..</relativePath>
     </parent>
     <build>
-        <resources>
-            <resource>
-                <directory>src/main/resources</directory>
-                <filtering>true</filtering>
-            </resource>
-        </resources>
         <plugins>
             <plugin>
+                <artifactId>maven-resources-plugin</artifactId>
+                <version>3.0.2</version>
+                <executions>
+                    <execution>
+                        <id>copy-resources</id>
+                        <phase>validate</phase>
+                        <goals>
+                            <goal>copy-resources</goal>
+                        </goals>
+                        <configuration>
+                            <escapeString>\</escapeString>
+                            <outputDirectory>${basedir}/target/conf</outputDirectory>
+                            <resources>
+                                <resource>
+                                    <directory>${basedir}/../conf</directory>
+                                    <excludes>
+                                        <exclude>ranger-servicedef-hawq.json</exclude>
+                                        <exclude>server.xml</exclude>
+                                    </excludes>
+                                    <filtering>true</filtering>
+                                </resource>
+                            </resources>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <artifactId>maven-war-plugin</artifactId>
+                <version>3.0.0</version>
+                <configuration>
+                    <!-- Due to Hadoop library using system-level JVM hook, all dependent classes must be loaded by
+                         Tomcat's server classloader, so they are shipped in RPM and not with the webapp -->
+                    <packagingExcludes>WEB-INF/lib/*.jar</packagingExcludes>
+                </configuration>
+            </plugin>
+            <plugin>
                 <!-- use mvn tomcat6:run-war to run the appserver with the app deployed -->
                 <groupId>org.apache.tomcat.maven</groupId>
                 <artifactId>tomcat6-maven-plugin</artifactId>
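Review bot: The `<excludes>` in the copy-resources execution carry no explanation, and with `<filtering>true</filtering>` every other file under `../conf` has its `${...}` expressions resolved by Maven at build time unless escaped with the `\` set in `<escapeString>`. The diffstat lists ranger-hawq-security.xml and ranger-hawq-audit.xml in that directory, so a runtime placeholder that is silently substituted, or a build placeholder left unresolved, lands in security configuration and is easy to miss. I would add a comment above `<excludes>` along the lines of `<!-- excluded from the filtered copy: their ${...} placeholders are resolved at runtime, not by Maven -->`, if that is indeed the reason, and state that runtime placeholders in the filtered files must be written as `\${...}`. The tomcat6-maven-plugin declaration at the end of the hunk continues outside it.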

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/8c9b45a4/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqAuthorizer.java
----------------------------------------------------------------------
diff --git a/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqAuthorizer.java b/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqAuthorizer.java
index 04d6f99..0d97e21 100644
--- a/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqAuthorizer.java
+++ b/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqAuthorizer.java
@@ -29,6 +29,7 @@ import org.apache.hawq.ranger.authorization.model.AuthorizationResponse;
 import org.apache.hawq.ranger.authorization.model.HawqPrivilege;
 import org.apache.hawq.ranger.authorization.model.HawqResource;
 import org.apache.hawq.ranger.authorization.model.ResourceAccess;
+import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
 import org.apache.ranger.plugin.policyengine.RangerAccessResource;
@@ -67,14 +68,15 @@ public class RangerHawqAuthorizer implements HawqAuthorizer {
      */
     private RangerHawqAuthorizer() {
 
-        LOG.info("Initializing RangerHawqAuthorizer");
+        LOG.info("********** Initializing RangerHawqAuthorizer **********");
 
         String appId = Utils.getAppId();
 
         LOG.info(String.format("Initializing RangerBasePlugin for service %s:%s", HAWQ, appId));
         rangerPlugin = new RangerBasePlugin(HAWQ, appId);
+        rangerPlugin.setResultProcessor(new RangerDefaultAuditHandler());
         rangerPlugin.init();
-        LOG.info(String.format("Initialized RangerBasePlugin for service %s:%s", HAWQ, appId));
+        LOG.info(String.format("********** Initialized RangerBasePlugin for service %s:%s **********", HAWQ, appId));
     }
 
     @Override
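Review bot: The added `rangerPlugin.setResultProcessor(new RangerDefaultAuditHandler());` is what connects access results to auditing, yet it has no comment and the constructor's Javadoc, which starts above the hunk, is not updated. I would put `// default result processor: access results are handed to Ranger's audit handler; must be set before init()` above it, and name the audit configuration file there (presumably the ranger-hawq-audit.xml this commit adds). Whether every authorization call actually goes through this processor depends on the request code outside the hunk, so a test asserting that a denied request produces an audit event would be worth adding. The `**********` banners in the two `LOG.info` messages make the lines harder to match in log searches; the plain wording was sufficient.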

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/8c9b45a4/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/Utils.java
----------------------------------------------------------------------
diff --git a/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/Utils.java b/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/Utils.java
index 86f7fc4..5f99b9d 100644
--- a/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/Utils.java
+++ b/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/Utils.java
@@ -27,14 +27,16 @@ import java.io.InputStream;
 import java.util.Properties;
 
 /**
- * Utility class for reading values from the property file.
+ * Utility class for reading values from the environment with falling back to reading them from the property file.
  */
 public abstract class Utils {
 
     public static final String HAWQ = "hawq";
     public static final String UNKNOWN = "unknown";
-    public static final String APP_ID_PROPERTY = "ranger.hawq.instance";
-    public static final String VERSION_PROPERTY = "version";
+    public static final String APP_ID_PROPERTY_ENV = "ranger.hawq.instance";
+    public static final String APP_ID_PROPERTY_FILE = "RANGER_HAWQ_INSTANCE";
+    public static final String VERSION_PROPERTY_ENV = "version";
+    public static final String VERSION_PROPERTY_FILE = "RPS_VERSION";
     public static final String RANGER_SERVICE_PROPERTY_FILE = "rps.properties";
 
     private static final Log LOG = LogFactory.getLog(Utils.class);
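Review bot: The `_ENV` suffix on `APP_ID_PROPERTY_ENV` and `VERSION_PROPERTY_ENV`, and the class Javadoc's "from the environment", describe something the code does not do: the next hunk reads these keys with `System.getProperty`, which returns JVM system properties (the `-D` options rps.sh places in CATALINA_OPTS), not environment variables. An operator who exports an environment variable instead would find it ignored. I would name the constants `APP_ID_SYSTEM_PROPERTY` and `VERSION_SYSTEM_PROPERTY` and word the Javadoc as `Utility class for reading values from JVM system properties, falling back to the rps.properties file.`; the method Javadoc in the next hunk needs the same correction.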
@@ -42,25 +44,26 @@ public abstract class Utils {
 
     /**
      * Retrieves the app id from the environment variable with the key ranger.hawq.instance
-     * or from the rps.properties file with the key ranger.hawq.instance
+     * or from the rps.properties file with the key RANGER_HAWQ_INSTANCE
      *
      * If none exist, hawq is used as the default
      *
      * @return String id of the app
      */
     public static String getAppId() {
-        return System.getProperty(APP_ID_PROPERTY, properties.getProperty(APP_ID_PROPERTY, HAWQ));
+        return System.getProperty(APP_ID_PROPERTY_ENV, properties.getProperty(APP_ID_PROPERTY_FILE, HAWQ));
     }
 
     /**
-     * Retrieves the version read from the property file.
+     * Retrieves the version from the environment variable with the key version
+     * or from the rps.properties file with the key RPS_VERSION
      *
      * If none exist, unknown is used as the default
      *
      * @return version of the service
      */
     public static String getVersion() {
-        return properties.getProperty(VERSION_PROPERTY, UNKNOWN);
+        return System.getProperty(VERSION_PROPERTY_ENV, properties.getProperty(VERSION_PROPERTY_FILE, UNKNOWN));
     }
 
     /**
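Review bot: `getAppId()` and `getVersion()` fall back to the property file only when the system property is absent, so an empty value wins: rps.sh passes `-Dranger.hawq.instance=${RANGER_HAWQ_INSTANCE}`, and if that variable is unset the JVM receives an empty string, which then becomes the app id given to `RangerBasePlugin` instead of the file value or the `hawq` default. Treat blank as missing, e.g. `String v = System.getProperty(APP_ID_PROPERTY_ENV);` followed by `return (v == null || v.trim().isEmpty()) ? properties.getProperty(APP_ID_PROPERTY_FILE, HAWQ) : v;`, and do the same in `getVersion()`. The Javadoc that opens on the last line of the hunk belongs to a method outside it.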

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/8c9b45a4/ranger-plugin/service/src/main/resources/log4j.properties
----------------------------------------------------------------------
diff --git a/ranger-plugin/service/src/main/resources/log4j.properties b/ranger-plugin/service/src/main/resources/log4j.properties
deleted file mode 100644
index 6bbdaed..0000000
--- a/ranger-plugin/service/src/main/resources/log4j.properties
+++ /dev/null
@@ -1,42 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements.  See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# see debug messages during unit tests
-project.root.logger=DEBUG,console
-
-# suppress all logging output during unit tests
-#project.root.logger=FATAL,devnull
-
-#
-# Loggers
-#
-log4j.rootLogger=${project.root.logger}
-
-# ignore most errors from the Apache Ranger and Hadoop for unit tests
-log4j.logger.org.apache.ranger=FATAL
-log4j.logger.org.apache.hadoop=FATAL
-
-#
-# Appenders
-#
-
-# nothing
-log4j.appender.devnull=org.apache.log4j.varia.NullAppender
-
-# console
-log4j.appender.console=org.apache.log4j.ConsoleAppender
-log4j.appender.console.target=System.err
-log4j.appender.console.layout=org.apache.log4j.PatternLayout
-log4j.appender.console.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c{2}: %m%n
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/8c9b45a4/ranger-plugin/service/src/main/resources/ranger-hawq-security.xml
----------------------------------------------------------------------
diff --git a/ranger-plugin/service/src/main/resources/ranger-hawq-security.xml b/ranger-plugin/service/src/main/resources/ranger-hawq-security.xml
deleted file mode 100644
index 46dd75d..0000000
--- a/ranger-plugin/service/src/main/resources/ranger-hawq-security.xml
+++ /dev/null
@@ -1,92 +0,0 @@
-<?xml version="1.0"?>
-<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
-
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
-
-      http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
--->
-
-<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
-    <property>
-        <name>ranger.plugin.hawq.service.name</name>
-        <value>hawq</value>
-        <description>
-            Name of the Ranger service containing policies for this HAWQ instance
-        </description>
-    </property>
-
-    <property>
-        <name>ranger.plugin.hawq.policy.source.impl</name>
-        <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
-        <description>
-            Class to retrieve policies from the source
-        </description>
-    </property>
-
-    <property>
-        <name>ranger.plugin.hawq.policy.rest.url</name>
-        <value>http://localhost:6080</value>
-        <description>
-            URL to Ranger Admin
-        </description>
-    </property>
-
-    <property>
-        <name>ranger.plugin.hawq.policy.rest.ssl.config.file</name>
-        <value>/usr/local/hawq/ranger/etc/ranger-policymgr-ssl.xml</value>
-        <description>
-            Path to the file containing SSL details to contact Ranger Admin
-        </description>
-    </property>
-
-    <property>
-        <name>ranger.plugin.hawq.policy.pollIntervalMs</name>
-        <value>30000</value>
-        <description>
-            How often to poll for changes in policies?
-        </description>
-    </property>
-
-    <property>
-        <name>ranger.plugin.hawq.policy.cache.dir</name>
-        <value>/usr/local/hawq/ranger/policycache</value>
-        <description>
-            Directory where Ranger policies are cached after successful retrieval from the source
-        </description>
-    </property>
-
-    <!--
-    <property>
-        <name>xasecure.hive.update.xapolicies.on.grant.revoke</name>
-        <value>true</value>
-        <description>Should Hive plugin update Ranger policies for updates to permissions done using GRANT/REVOKE?</description>
-    </property>
-    -->
-    <property>
-        <name>ranger.plugin.hawq.policy.rest.client.connection.timeoutMs</name>
-        <value>120000</value>
-        <description>
-            RangerRESTClient Connection Timeout in Milliseconds
-        </description>
-    </property>
-
-    <property>
-        <name>ranger.plugin.hawq.policy.rest.client.read.timeoutMs</name>
-        <value>30000</value>
-        <description>
-            RangerRESTClient read Timeout in Milliseconds
-        </description>
-    </property>
-</configuration>

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/8c9b45a4/ranger-plugin/service/src/main/resources/rps.properties
----------------------------------------------------------------------
diff --git a/ranger-plugin/service/src/main/resources/rps.properties b/ranger-plugin/service/src/main/resources/rps.properties
deleted file mode 100644
index 9e2b1f4..0000000
--- a/ranger-plugin/service/src/main/resources/rps.properties
+++ /dev/null
@@ -1,17 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements.  See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ranger.hawq.instance=hawq
-version=${project.version}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/8c9b45a4/ranger-plugin/service/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/ranger-plugin/service/src/main/webapp/WEB-INF/web.xml b/ranger-plugin/service/src/main/webapp/WEB-INF/web.xml
index 36c976f..d8ae121 100644
--- a/ranger-plugin/service/src/main/webapp/WEB-INF/web.xml
+++ b/ranger-plugin/service/src/main/webapp/WEB-INF/web.xml
@@ -31,10 +31,9 @@ under the License.
         init-param		com.sun.jersey.config.property.packages
                             Tells Jersey where are the REST components of this webapp
                         jersey.config.server.provider.scanning.recursive
-                            Tells Jersey to recusively scan package for REST resources
+                            Tells Jersey to scan package for REST resources recursively
         load-on-startup	Initialize the webapp on app server startup
-        servlet-mapping	Maps the path of the servlet (ranger-plugin/*)
-        listener		A class called after the webapp was initialized and before it's about to go down
+        servlet-mapping	Maps the path of the servlet under the context (/*)
     -->
 
     <servlet>
@@ -54,19 +53,4 @@ under the License.
         <servlet-name>HAWQ_Ranger_Plugin_Service</servlet-name>
         <url-pattern>/*</url-pattern>
     </servlet-mapping>
-
-    <!--
-    <listener>
-        <listener-class>org.apache.hawq.pxf.service.rest.ServletLifecycleListener</listener-class>
-    </listener>
-    -->
-    <!-- log4j configuration
-         Log4jConfigListener looks for a file under log4jConfigLocation.
-         When not using absolute path, the path starts from the webapp root directory.
-         If this file cannot be read, log4j will revert to using the default
-         pxf-log4j.properties inside the webapp. -->
-    <context-param>
-        <param-name>log4jConfigLocation</param-name>
-        <param-value>/etc/pxf/conf/pxf-log4j.properties</param-value>
-    </context-param>
 </web-app>

http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/8c9b45a4/ranger-plugin/service/src/test/java/org/apache/hawq/ranger/authorization/UtilsTest.java
----------------------------------------------------------------------
diff --git a/ranger-plugin/service/src/test/java/org/apache/hawq/ranger/authorization/UtilsTest.java b/ranger-plugin/service/src/test/java/org/apache/hawq/ranger/authorization/UtilsTest.java
index bf62785..5b94df0 100644
--- a/ranger-plugin/service/src/test/java/org/apache/hawq/ranger/authorization/UtilsTest.java
+++ b/ranger-plugin/service/src/test/java/org/apache/hawq/ranger/authorization/UtilsTest.java
@@ -21,7 +21,8 @@ package org.apache.hawq.ranger.authorization;
 
 import org.junit.Test;
 
-import static org.apache.hawq.ranger.authorization.Utils.APP_ID_PROPERTY;
+import static org.apache.hawq.ranger.authorization.Utils.APP_ID_PROPERTY_ENV;
+import static org.apache.hawq.ranger.authorization.Utils.VERSION_PROPERTY_ENV;
 import static org.junit.Assert.assertEquals;
 
 /**
@@ -30,19 +31,26 @@ import static org.junit.Assert.assertEquals;
 public class UtilsTest {
 
     @Test
-    public void testCustomAppId_SystemEnv() throws Exception {
-        System.setProperty(APP_ID_PROPERTY, "app-id");
+    public void testAppId_SystemEnv() throws Exception {
+        System.setProperty(APP_ID_PROPERTY_ENV, "app-id");
         assertEquals("app-id", Utils.getAppId());
-        System.clearProperty(APP_ID_PROPERTY);
+        System.clearProperty(APP_ID_PROPERTY_ENV);
     }
 
     @Test
-    public void testCustomAppId_PropertyFile() throws Exception {
+    public void testAppId_PropertyFile() throws Exception {
         assertEquals("instance-test", Utils.getAppId());
     }
 
     @Test
-    public void testGetVersion() throws Exception {
+    public void testGetVersion_SystemEnv() throws Exception {
+        System.setProperty(VERSION_PROPERTY_ENV, "1.2.3");
+        assertEquals("1.2.3", Utils.getVersion());
+        System.clearProperty(VERSION_PROPERTY_ENV);
+    }
+
+    @Test
+    public void testGetVersion_PropertyFile() throws Exception {
         assertEquals("version-test", Utils.getVersion());
     }
 }
\ No newline at end of file
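Review bot: `testAppId_SystemEnv` and `testGetVersion_SystemEnv` clear the system property only after the assertion, so a failing `assertEquals` leaves it set for the rest of the JVM and the `_PropertyFile` tests can then fail for the wrong reason. Put the cleanup in a `finally`: `try { assertEquals("app-id", Utils.getAppId()); } finally { System.clearProperty(APP_ID_PROPERTY_ENV); }`, and likewise for the version test. There is also no case for a system property that is set but empty, which is what the start script produces when the corresponding variable is missing from rps.properties.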


