From omal...@apache.org
Subject [01/44] ARGUS-1. Initial code commit (Selvamohan Neethiraj via omalley)
Date Thu, 14 Aug 2014 20:50:12 GMT
Repository: incubator-argus
Updated Branches:
  refs/heads/master [created] 7defc061d


http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/7defc061/unixauthservice/conf/unixauthservice.properties
----------------------------------------------------------------------
diff --git a/unixauthservice/conf/unixauthservice.properties b/unixauthservice/conf/unixauthservice.properties
new file mode 100644
index 0000000..d37c340
--- /dev/null
+++ b/unixauthservice/conf/unixauthservice.properties
@@ -0,0 +1,129 @@
+
+authServicePort = 5151
+
+useSSL = true
+
+#
+# SSL Parameters
+#
+
+keyStore 			= 	./cert/authserver.jks
+keyStorePassword	=	aNtHSrV086
+trustStore			=	./cert/mytruststore.jks
+trustStorePassword  =   changeit
+passwordValidatorPath = ./native/credValidator
+
+#
+# Admin Groups
+#
+#admin.users   = 
+
+#
+# Admin ROLE to be added
+#
+#admin.roleNames = ROLE_ADMIN
+
+#
+# User Group Synchronization
+#
+usergroupSync.enabled = true
+
+usergroupSync.source.impl.class=com.xasecure.unixusersync.process.UnixUserGroupBuilder
+
+usergroupSync.sink.impl.class=com.xasecure.unixusersync.process.PolicyMgrUserGroupBuilder
+
+
+#
+# UserGroupSink: policy manager
+#
+usergroupSync.policymanager.baseURL = 
+
+usergroupSync.policymanager.MaxRecordsPerAPICall = 1000
+
+usergroupSync.policymanager.mockRun = false
+
+#
+# Relevant only if sync source is unix
+usergroupSync.unix.minUserId = 500
+
+# sync interval in milli seconds
+# user, groups would be synced again at the end of each sync interval
+#
+# default value is 300000(5min)
+# if value of usergroupSync.source.impl.class is 
+# com.xasecure.unixusersync.process.UnixUserGroupBuilder
+#
+# default value is 21600000(360min)
+# if value of usergroupSync.source.impl.class is 
+# com.xasecure.unixusersync.process.LdapUserGroupBuilder
+usergroupSync.sleepTimeInMillisBetweenSyncCycle = 
+
+# sync source class
+# we provide 2 classes out of box
+# com.xasecure.unixusersync.process.UnixUserGroupBuilder
+# com.xasecure.ldapusersync.process.LdapUserGroupBuilder
+# default value:  com.xasecure.unixusersync.process.UnixUserGroupBuilder
+usergroupSync.source.impl.class =
+
+
+# ---------------------------------------------------------------
+# The following properties are relevant 
+# only if value of usergroupSync.source.impl.class is 
+# com.xasecure.unixusersync.process.LdapUserGroupBuilder
+# ---------------------------------------------------------------
+
+# URL of source ldap 
+# a sample value would be:  ldap://ldap.example.com:389
+# Must specify a value if  value of usergroupSync.source.impl.class is 
+# com.xasecure.unixusersync.process.LdapUserGroupBuilder
+ldapGroupSync.ldapUrl =
+
+# ldap bind dn used to connect to ldap and query for users and groups
+# a sample value would be cn=admin,ou=users,dc=hadoop,dc=apache,dc-org
+# must specify a value if  value of usergroupSync.source.impl.class is 
+# com.xasecure.unixusersync.process.LdapUserGroupBuilder
+# Must specify a value if  value of usergroupSync.source.impl.class is 
+# com.xasecure.unixusersync.process.LdapUserGroupBuilder
+ldapGroupSync.ldapBindDn =
+
+# ldap bind password for the bind dn specified above
+# please ensure read access to this file  is limited to root, to protect the password
+# Must specify a value if  value of usergroupSync.source.impl.class is 
+# com.xasecure.unixusersync.process.LdapUserGroupBuilder
+# unless anonymous search is allowed by the directory on users and groups
+ldapGroupSync.ldapBindPassword =
+ldapGroupSync.ldapBindAlias =
+ldapGroupSync.ldapBindKeystore =
+# search base for users
+# sample value would be ou=users,dc=hadoop,dc=apache,dc=org
+# Must specify a value if  value of usergroupSync.source.impl.class is 
+# com.xasecure.unixusersync.process.LdapUserGroupBuilder
+ldapGroupSync.userSearchBase =
+
+# search scope for the users, only base, one and sub are supported values
+# please customize the value to suit your deployment
+# default value: sub
+ldapGroupSync.userSearchScope =
+
+# objectclass to identify user entries
+# please customize the value to suit your deployment
+# default value: person
+ldapGroupSync.userObjectClass = person
+
+# optional additional filter constraining the users selected for syncing
+# a sample value would be (dept=eng)
+# please customize the value to suit your deployment
+# default value is empty
+ldapGroupSync.userSearchFilter =
+
+# attribute from user entry that would be treated as user name
+# please customize the value to suit your deployment
+# default value: cn
+ldapGroupSync.userNameAttribute = cn
+
+# attribute from user entry whose values would be treated as 
+# group values to be pushed into Policy Manager database
+# You could provide multiple attribute names separated by comma
+# default value: memberof, ismemberof
+ldapGroupSync.userGroupNameAttribute =  memberof, ismemberof
+
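Review bot: `keyStorePassword = aNtHSrV086` and `trustStorePassword = changeit` put a real-looking keystore password into a file that is checked into the repository next to its default path `./cert/authserver.jks`, so every build from this tree shares the same secret, and install.sh copies this file under /etc with no visible permission tightening. The LDAP section already routes the bind password through a JCEKS store (`ldapGroupSync.ldapBindKeystore` / `ldapGroupSync.ldapBindAlias`) and warns to limit read access to root; the TLS key/trust store passwords deserve the same treatment, or at minimum a placeholder plus `# keyStorePassword: set at install time, never commit a real value`. Separately, `usergroupSync.source.impl.class` is defined twice (first as UnixUserGroupBuilder, later as empty); install.sh's sed rewrites both, but with java.util.Properties the later empty value wins when the file is used unedited, so the first copy should go.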

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/7defc061/unixauthservice/pom.xml
----------------------------------------------------------------------
diff --git a/unixauthservice/pom.xml b/unixauthservice/pom.xml
new file mode 100644
index 0000000..f03aaee
--- /dev/null
+++ b/unixauthservice/pom.xml
@@ -0,0 +1,88 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+      <groupId>com.hortonworks.hadoop.security</groupId>
+      <artifactId>argus</artifactId>
+      <version>3.5.000</version>
+      <relativePath>..</relativePath>
+    </parent>
+
+    <artifactId>unixauthservice</artifactId>
+
+    <packaging>jar</packaging>
+
+    <name>unixauthservice</name>
+    <description>HDP Advanced Security - Unix authentication service</description>
+    <url>http:/hortonworks.com/</url>
+
+    <dependencies>
+        <dependency>
+          <groupId>com.hortonworks.hadoop.security</groupId>
+          <artifactId>unixusersync</artifactId>
+          <version>3.5.000</version>
+        </dependency>
+
+      <dependency>
+        <groupId>log4j</groupId>
+        <artifactId>log4j</artifactId>
+        <version>${log4j.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>com.google.code.gson</groupId>
+        <artifactId>gson</artifactId>
+        <version>${gson.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>com.sun.jersey</groupId>
+        <artifactId>jersey-bundle</artifactId>
+        <version>${jersey-bundle.version}</version>
+      </dependency>
+      <dependency>
+      	<groupId>commons-cli</groupId>
+      	<artifactId>commons-cli</artifactId>
+      	<version>${commons.cli.version}</version>
+      </dependency>
+      <dependency>
+      	<groupId>commons-collections</groupId>
+      	<artifactId>commons-collections</artifactId>
+      	<version>${commons.collections.version}</version>
+      </dependency>
+      <dependency>
+      	<groupId>commons-configuration</groupId>
+      	<artifactId>commons-configuration</artifactId>
+      	<version>${commons.configuration.version}</version>
+      </dependency>
+      <dependency>
+      	<groupId>commons-lang</groupId>
+      	<artifactId>commons-lang</artifactId>
+      	<version>${commons.lang.version}</version>
+      </dependency>
+      <dependency>
+      	<groupId>commons-logging</groupId>
+      	<artifactId>commons-logging</artifactId>
+      	<version>${commons.logging.version}</version>
+      </dependency>
+      <dependency>
+      	<groupId>com.google.guava</groupId>
+      	<artifactId>guava</artifactId>
+      	<version>${guava.version}</version>
+      </dependency>
+      <dependency>
+      	<groupId>org.apache.hadoop</groupId>
+      	<artifactId>hadoop-auth</artifactId>
+      	<version>${hadoop-auth.version}</version>
+      </dependency>
+      <dependency>
+      	<groupId>org.slf4j</groupId>
+      	<artifactId>slf4j-api</artifactId>
+      	<version>${slf4j-api.version}</version>
+      </dependency>   
+    </dependencies>
+
+
+
+</project>
+
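Review bot: `<url>http:/hortonworks.com/</url>` is missing a slash and should read `http://hortonworks.com/`. Every dependency version here resolves through a property in the parent POM that is not part of this hunk, so I cannot tell which log4j 1.x, jersey-bundle or hadoop-auth releases are actually pulled in; a short comment pointing at where those versions are pinned would help whoever audits this module's dependency set.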

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/7defc061/unixauthservice/scripts/initd
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/initd b/unixauthservice/scripts/initd
new file mode 100644
index 0000000..11f6c36
--- /dev/null
+++ b/unixauthservice/scripts/initd
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+MOD_NAME=uxugsync
+
+MOD_DIR=/etc/${MOD_NAME}
+
+if [ -L ${MOD_DIR} ]
+then
+	case $1 in
+	start)
+		cd ${MOD_DIR} ; ./start.sh
+		;;
+	stop)
+		cd ${MOD_DIR} ; ./stop.sh
+		;;
+	*)
+		echo "Invalid argument [$1]; Only start|stop are supported."
+		exit 1
+	esac
+fi
\ No newline at end of file
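Review bot: `cd ${MOD_DIR} ; ./start.sh` still executes `./start.sh` from the caller's current directory when the `cd` fails, and when `/etc/uxugsync` is not a symlink the script falls off the end with exit status 0, so the init system records a successful start that never happened. Use `cd "${MOD_DIR}" && ./start.sh` (likewise for stop) and add an `else` branch that prints `"${MOD_DIR} is not installed"` and exits non-zero when the link is missing. A `status` action would also be worth adding since this is what `service` users will reach for first.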

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/7defc061/unixauthservice/scripts/install.properties
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/install.properties b/unixauthservice/scripts/install.properties
new file mode 100644
index 0000000..5c361c7
--- /dev/null
+++ b/unixauthservice/scripts/install.properties
@@ -0,0 +1,77 @@
+#
+# The following URL should be the base URL for connecting to the policy manager web application
+# For example:
+#
+#  POLICY_MGR_URL = http://policymanager.xasecure.net:6080
+#
+POLICY_MGR_URL = 
+
+# sync source,  only unix and ldap are supported at present
+# defaults to unix
+SYNC_SOURCE = 
+
+
+#
+# Minumum Unix User-id to start SYNC.
+# This should avoid creating UNIX system-level users in the Policy Manager
+#
+MIN_UNIX_USER_ID_TO_SYNC = 1000
+
+# sync interval in minutes
+# user, groups would be synced again at the end of each sync interval
+# defaults to 5   if SYNC_SOURCE is unix
+# defaults to 360 if SYNC_SOURCE is ldap
+SYNC_INTERVAL = 
+
+
+# ---------------------------------------------------------------
+# The following properties are relevant only if SYNC_SOURCE = ldap
+# ---------------------------------------------------------------
+
+# URL of source ldap 
+# a sample value would be:  ldap://ldap.example.com:389
+# Must specify a value if SYNC_SOURCE is ldap
+SYNC_LDAP_URL = 
+
+# ldap bind dn used to connect to ldap and query for users and groups
+# a sample value would be cn=admin,ou=users,dc=hadoop,dc=apache,dc-org
+# Must specify a value if SYNC_SOURCE is ldap
+SYNC_LDAP_BIND_DN = 
+
+# ldap bind password for the bind dn specified above
+# please ensure read access to this file  is limited to root, to protect the password
+# Must specify a value if SYNC_SOURCE is ldap
+# unless anonymous search is allowed by the directory on users and group
+SYNC_LDAP_BIND_PASSWORD = 
+CRED_KEYSTORE_FILENAME=/usr/lib/xausersync/.jceks/xausersync.jceks
+# search base for users
+# sample value would be ou=users,dc=hadoop,dc=apache,dc=org
+SYNC_LDAP_USER_SEARCH_BASE = 
+
+# search scope for the users, only base, one and sub are supported values
+# please customize the value to suit your deployment
+# default value: sub
+SYNC_LDAP_USER_SEARCH_SCOPE = sub
+
+# objectclass to identify user entries
+# please customize the value to suit your deployment
+# default value: person
+SYNC_LDAP_USER_OBJECT_CLASS = person
+
+# optional additional filter constraining the users selected for syncing
+# a sample value would be (dept=eng)
+# please customize the value to suit your deployment
+# default value is empty
+SYNC_LDAP_USER_SEARCH_FILTER =
+
+# attribute from user entry that would be treated as user name
+# please customize the value to suit your deployment
+# default value: cn
+SYNC_LDAP_USER_NAME_ATTRIBUTE = cn
+
+# attribute from user entry whose values would be treated as 
+# group values to be pushed into Policy Manager database
+# You could provide multiple attribute names separated by comma
+# default value: memberof, ismemberof
+SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE = memberof,ismemberof
+
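Review bot: `SYNC_LDAP_BIND_PASSWORD` is collected here in clear text and the only safeguard is a comment asking the operator to restrict the file to root; install.sh then copies this whole script directory, this file included, under /etc via `cpio -pdm` with no `chmod` as far as the commit shows, so the plaintext outlives the conversion into `CRED_KEYSTORE_FILENAME`. Say so explicitly, e.g. `# SYNC_LDAP_BIND_PASSWORD is moved into CRED_KEYSTORE_FILENAME by install.sh; clear it from this file afterwards`, and have the installer enforce `chmod 600` on its copy. The sample bind DN `cn=admin,ou=users,dc=hadoop,dc=apache,dc-org` has a typo (`dc-org` should be `dc=org`), and since the sample URL is plain `ldap://`, the comment should note that a simple bind sends the DN and password unencrypted unless `ldaps://` or StartTLS is used.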

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/7defc061/unixauthservice/scripts/install.sh
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/install.sh b/unixauthservice/scripts/install.sh
new file mode 100755
index 0000000..6e11afc
--- /dev/null
+++ b/unixauthservice/scripts/install.sh
@@ -0,0 +1,249 @@
+#!/bin/bash
+
+#
+# Ensure that the user is root
+#
+
+MOD_NAME="uxugsync"
+
+MY_ID=`id -u`
+
+if [ "${MY_ID}" -ne 0 ]
+then
+	echo "ERROR: You must run the installation as root user."
+	exit 1
+fi
+
+if [ "${JAVA_HOME}" == "" ]
+then
+	echo "ERROR: JAVA_HOME environment property not defined, aborting installation"
+	exit 1
+fi
+
+
+#
+# Embed the configuration from install.properties to conf/unixauthservice.properties
+#
+
+cdir=`dirname $0`
+
+POLICY_MGR_URL=`grep '^[ \t]*POLICY_MGR_URL[ \t]*=' ${cdir}/install.properties | awk -F=
'{ print $2 }' | sed -e 's:[ \t]*::g'`
+MIN_UNIX_USER_ID_TO_SYNC=`grep '^[ \t]*MIN_UNIX_USER_ID_TO_SYNC[ \t]*=' ${cdir}/install.properties
| awk -F= '{ print $2 }' | sed -e 's:[ \t]*::g'`
+
+SYNC_SOURCE=`grep '^[ \t]*SYNC_SOURCE[ \t]*=' ${cdir}/install.properties | awk -F= '{ print
$2 }' | sed -e 's:[ \t]*::g'`
+
+SYNC_INTERVAL=`grep '^[ \t]*SYNC_INTERVAL[ \t]*=' ${cdir}/install.properties | awk -F= '{
print $2 }' | sed -e 's:[ \t]*::g'`
+
+SYNC_LDAP_URL=`grep '^[ \t]*SYNC_LDAP_URL[ \t]*=' ${cdir}/install.properties | sed -e 's:^[
\t]*SYNC_LDAP_URL[ \t]*=[ \t]*::'`
+
+SYNC_LDAP_BIND_DN=`grep '^[ \t]*SYNC_LDAP_BIND_DN[ \t]*=' ${cdir}/install.properties | sed
-e 's:^[ \t]*SYNC_LDAP_BIND_DN[ \t]*=[ \t]*::'`
+
+SYNC_LDAP_BIND_PASSWORD=`grep '^[ \t]*SYNC_LDAP_BIND_PASSWORD[ \t]*=' ${cdir}/install.properties
| sed -e 's:^[ \t]*SYNC_LDAP_BIND_PASSWORD[ \t]*=[ \t]*::'`
+
+SYNC_LDAP_USER_SEARCH_BASE=`grep '^[ \t]*SYNC_LDAP_USER_SEARCH_BASE[ \t]*=' ${cdir}/install.properties
| sed -e 's:^[ \t]*SYNC_LDAP_USER_SEARCH_BASE[ \t]*=[ \t]*::'`
+
+SYNC_LDAP_USER_SEARCH_SCOPE=`grep '^[ \t]*SYNC_LDAP_USER_SEARCH_SCOPE[ \t]*=' ${cdir}/install.properties
| awk -F= '{ print $2 }' | sed -e 's:[ \t]*::g'`
+
+SYNC_LDAP_USER_OBJECT_CLASS=`grep '^[ \t]*SYNC_LDAP_USER_OBJECT_CLASS[ \t]*=' ${cdir}/install.properties
| awk -F= '{ print $2 }' | sed -e 's:[ \t]*::g'`
+
+SYNC_LDAP_USER_SEARCH_FILTER=`grep '^[ \t]*SYNC_LDAP_USER_SEARCH_FILTER[ \t]*=' ${cdir}/install.properties
| sed -e 's:^[ \t]*SYNC_LDAP_SEARCH_FILTER[ \t]*=[ \t]*::'`
+
+SYNC_LDAP_USER_NAME_ATTRIBUTE=`grep '^[ \t]*SYNC_LDAP_USER_NAME_ATTRIBUTE[ \t]*=' ${cdir}/install.properties
| awk -F= '{ print $2 }' | sed -e 's:[ \t]*::g'`
+
+SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE=`grep '^[ \t]*SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE[ \t]*='
${cdir}/install.properties | awk -F= '{ print $2 }' | sed -e 's:[ \t]*::g'`
+
+SYNC_LDAP_BIND_KEYSTOREPATH=`grep '^[ \t]*CRED_KEYSTORE_FILENAME[ \t]*=' ${cdir}/install.properties
| sed -e 's:^[ \t]*CRED_KEYSTORE_FILENAME[ \t]*=[ \t]*::'`
+SYNC_LDAP_BIND_ALIAS=ldap.bind.password
+
+if [ "${SYNC_INTERVAL}" != "" ]
+then 
+    SYNC_INTERVAL=$((${SYNC_INTERVAL}*60*1000))
+else
+    SYNC_INTERVAL=$((5*60*1000))
+fi
+
+if [ "${SYNC_SOURCE}" == "" ]
+then
+  SYNC_SOURCE="com.xasecure.unixusersync.process.UnixUserGroupBuilder"
+elif [ "${SYNC_SOURCE}" == "unix" ]
+then
+  SYNC_SOURCE="com.xasecure.unixusersync.process.UnixUserGroupBuilder"
+elif [ "${SYNC_SOURCE}" == "ldap" ]
+then
+  SYNC_SOURCE="com.xasecure.ldapusersync.process.LdapUserGroupBuilder"
+else
+  echo "Unsupported value for SYNC_SOURCE: ${SYNC_SOURCE}, supported values: ldap, unix,
default: unix"
+  exit 2
+fi
+
+
+if [ "${SYNC_SOURCE}" == "com.xasecure.ldapusersync.process.LdapUserGroupBuilder" ]
+then
+
+  if [ "${SYNC_INTERVAL}" == "" ]
+  then
+    SYNC_INTERVAL=$((360*60*1000))
+  fi
+
+  if [ "${SYNC_LDAP_URL}" == "" ]
+  then
+    echo "SYNC_LDAP_URL must be specified when SYNC_SOURCE is ldap"
+    exit 3
+  fi
+
+  if [ "${SYNC_LDAP_BIND_DN}" == "" ]
+  then
+    echo "SYNC_LDAP_BIND_DN must be specified when SYNC_SOURCE is ldap"
+    exit 4
+  fi
+
+  if [ "${SYNC_LDAP_USER_SEARCH_BASE}" == "" ]
+  then
+    echo "SYNC_LDAP_USER_SEARCH_BASE must be specified when SYNC_SOURCE is ldap"
+    exit 5
+  fi
+
+  if [ "${SYNC_LDAP_USER_SEARCH_SCOPE}" == "" ]
+  then
+    SYNC_LDAP_USER_SEARCH_SCOPE="sub"
+  fi
+
+  if [ "${SYNC_LDAP_USER_SEARCH_SCOPE}" != "base" ] && [ "${SYNC_LDAP_USER_SEARCH_SCOPE}"
!= "one" ] && [ "${SYNC_LDAP_USER_SEARCH_SCOPE}" != "sub" ]
+  then
+    echo "Unsupported value for SYNC_LDAP_USER_SEARCH_SCOPE: ${SYNC_LDAP_USER_SEARCH_SCOPE},
supported values: base, one, sub"
+    exit 6
+  fi
+
+  if [ "${SYNC_LDAP_USER_OBJECT_CLASS}" == "" ]
+  then
+    SYNC_LDAP_USER_OBJECT_CLASS="person"
+  fi
+
+  if [ "${SYNC_LDAP_USER_NAME_ATTRIBUTE}" == "" ]
+  then
+    SYNC_LDAP_USER_NAME_ATTRIBUTE="cn"
+  fi
+
+  if [ "${SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE}" == "" ]
+  then
+    SYNC_LDAP_USER_NAME_ATTRIBUTE="memberof,ismemberof"
+  fi
+
+#ldap credential keystore creation  
+	echo "Starting configuration for LDAP credentials:"		
+   	if [[ "${SYNC_LDAP_BIND_ALIAS}" != ""  && "${SYNC_LDAP_BIND_KEYSTOREPATH}" !=
"" ]]
+   	then
+		mkdir -p `dirname "${SYNC_LDAP_BIND_KEYSTOREPATH}"`
+		java -cp "lib/*" com.hortonworks.credentialapi.buildks create $SYNC_LDAP_BIND_ALIAS -value
$SYNC_LDAP_BIND_PASSWORD -provider jceks://file$SYNC_LDAP_BIND_KEYSTOREPATH
+    	#java -cp "lib/commons-cli-1.2.jar:lib/commons-collections-3.2.1.jar:lib/commons-configuration-1.6.jar:lib/commons-lang-2.6.jar:lib/commons-logging-1.1.1.jar:lib/guava-11.0.2.jar:lib/hadoop-auth-2.2.0.jar:lib/hadoop-common-plus-3.0.0-SNAPSHOT.jar:lib/slf4j-api-1.7.5.jar:lib/local-jks-builder.jar"
com.hortonworks.credentialapi.buildks create $SYNC_LDAP_BIND_ALIAS -value $SYNC_LDAP_BIND_PASSWORD
-provider jceks://file$SYNC_LDAP_BIND_KEYSTOREPATH
+    	SYNC_LDAP_BIND_PASSWORD="_"
+    fi
+#
+fi
+
+CFG_FILE="${cdir}/conf/unixauthservice.properties"
+NEW_CFG_FILE=${CFG_FILE}_`date '+%s'`
+
+if [ -f  ${CFG_FILE}  ]
+then
+  sed \
+    -e "s|^\( *usergroupSync.policymanager.baseURL *=\).*|\1 ${POLICY_MGR_URL}|" \
+    -e "s|^\( *usergroupSync.unix.minUserId *=\).*|\1 ${MIN_UNIX_USER_ID_TO_SYNC}|" \
+    -e "s|^\( *usergroupSync.sleepTimeInMillisBetweenSyncCycle *=\).*|\1 ${SYNC_INTERVAL}|"
\
+    -e "s|^\( *usergroupSync.source.impl.class *=\).*|\1 ${SYNC_SOURCE}|" \
+    -e "s|^\( *ldapGroupSync.ldapUrl *=\).*|\1 ${SYNC_LDAP_URL}|" \
+    -e "s|^\( *ldapGroupSync.ldapBindDn *=\).*|\1 ${SYNC_LDAP_BIND_DN}|" \
+    -e "s|^\( *ldapGroupSync.ldapBindPassword *=\).*|\1 ${SYNC_LDAP_BIND_PASSWORD}|" \
+    -e "s|^\( *ldapGroupSync.ldapBindKeystore *=\).*|\1 ${SYNC_LDAP_BIND_KEYSTOREPATH}|"
\
+    -e "s|^\( *ldapGroupSync.ldapBindAlias *=\).*|\1 ${SYNC_LDAP_BIND_ALIAS}|" \
+    -e "s|^\( *ldapGroupSync.userSearchBase *=\).*|\1 ${SYNC_LDAP_USER_SEARCH_BASE}|" \
+    -e "s|^\( *ldapGroupSync.userSearchScope *=\).*|\1 ${SYNC_LDAP_USER_SEARCH_SCOPE}|" \
+    -e "s|^\( *ldapGroupSync.userObjectClass *=\).*|\1 ${SYNC_LDAP_USER_OBJECT_CLASS}|" \
+    -e "s|^\( *ldapGroupSync.userSearchFilter *=\).*-|1 ${SYNC_LDAP_USER_SEARCH_FILTER}|"
\
+    -e "s|^\( *ldapGroupSync.userNameAttribute *=\).*|\1 ${SYNC_LDAP_USER_NAME_ATTRIBUTE}|"
\
+    -e "s|^\( *ldapGroupSync.userGroupNameAttribute *=\).*|\1 ${SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE}|"
\
+    ${CFG_FILE} > ${NEW_CFG_FILE}
+	mv ${CFG_FILE}  ${CFG_FILE}_archive_`date '+%s'`
+	mv ${NEW_CFG_FILE}  ${CFG_FILE}
+fi
+
+#
+# get current directory name
+#
+
+if [ "${cdir}" = "." ]
+then
+	cdir=`pwd`
+fi
+
+cdirname=`basename ${cdir}`
+
+if [ "${cdirname}" != "" ]
+then
+
+	dstdir=/etc/${cdirname}
+
+	if [ -d ${dstdir} ]
+	then
+		ctime=`date '+%s'`
+		mkdir -p /etc/xasecure/archive/${ctime}
+		mv ${dstdir} /etc/xasecure/archive/${ctime}/
+	fi
+
+	mkdir ${dstdir}
+	
+	if [ -L /etc/${MOD_NAME} ]
+    then
+        rm -f /etc/${MOD_NAME}
+    fi
+
+	ln -s  ${dstdir} /etc/${MOD_NAME}
+
+	(cd ${cdir} ; find . -print | cpio -pdm ${dstdir}) 
+	(cd ${cdir} ; cat start.sh | sed -e "s|[ \t]*JAVA_HOME=| JAVA_HOME=${JAVA_HOME}|" > ${dstdir}/start.sh)
+
+fi
+
+#
+# Install the init.d process in /etc/init.d and create appropriate link to /etc/rc2.d folder
+#
+
+if [ -d /etc/init.d ]
+then
+	cp ${cdir}/initd  /etc/init.d/${MOD_NAME}
+	chmod +x /etc/init.d/${MOD_NAME}
+	
+	if [ -d /etc/rc2.d ] 
+	then
+		echo "Creating boot script S99${MOD_NAME} in rc2.d directory .... "
+		ln -sf /etc/init.d/${MOD_NAME}  /etc/rc2.d/S99${MOD_NAME}
+		ln -sf /etc/init.d/${MOD_NAME}  /etc/rc2.d/K00${MOD_NAME}
+	fi
+	if [ -d /etc/rc3.d ]
+	then
+		echo "Creating boot script S99${MOD_NAME} in rc3.d directory .... "
+		ln -sf /etc/init.d/${MOD_NAME}  /etc/rc3.d/S99${MOD_NAME}
+		ln -sf /etc/init.d/${MOD_NAME}  /etc/rc3.d/K00${MOD_NAME}
+	fi
+
+  # SUSE has rc2.d and rc3.d under /etc/rc.d
+	if [ -d /etc/rc.d/rc2.d ] 
+	then
+		echo "Creating boot script S99${MOD_NAME} in rc2.d directory .... "
+		ln -sf /etc/init.d/${MOD_NAME}  /etc/rc.d/rc2.d/S99${MOD_NAME}
+		ln -sf /etc/init.d/${MOD_NAME}  /etc/rc.d/rc2.d/K00${MOD_NAME}
+	fi
+	if [ -d /etc/rc.d/rc3.d ]
+	then
+		echo "Creating boot script S99${MOD_NAME} in rc3.d directory .... "
+		ln -sf /etc/init.d/${MOD_NAME}  /etc/rc.d/rc3.d/S99${MOD_NAME}
+		ln -sf /etc/init.d/${MOD_NAME}  /etc/rc.d/rc3.d/K00${MOD_NAME}
+	fi
+
+fi
+
+#
+# Start the service
+#
+
+service ${MOD_NAME} start
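Review bot: The LDAP bind password is passed to the credential builder on the command line (`-value $SYNC_LDAP_BIND_PASSWORD` on the `java -cp "lib/*" ... buildks create` line), which exposes it to every local user through `ps` / `/proc/*/cmdline` while the JVM runs, and neither the resulting `.jceks` nor the `install.properties` copied into `${dstdir}` (still holding the plaintext) gets a `chmod`. Until buildks can take the secret from stdin or a file, at least run `chmod 600 "${SYNC_LDAP_BIND_KEYSTOREPATH}"` after creation and exclude or scrub install.properties from the cpio copy. There is also a plain bug in the defaults block: when `SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE` is empty the script sets `SYNC_LDAP_USER_NAME_ATTRIBUTE="memberof,ismemberof"`, clobbering the user-name attribute instead of the group attribute. The `userSearchFilter` substitution can never fire either — its pattern ends in `.*-|1` (a stray `-` and a missing `\` before `1`), and the value was extracted with the wrong key `SYNC_LDAP_SEARCH_FILTER`, so the configured filter never reaches unixauthservice.properties. Finally `SYNC_INTERVAL` is already defaulted to 5 minutes before the LDAP branch, so the documented 360-minute LDAP default is dead code.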

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/7defc061/unixauthservice/scripts/start.sh
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/start.sh b/unixauthservice/scripts/start.sh
new file mode 100755
index 0000000..34bfcc8
--- /dev/null
+++ b/unixauthservice/scripts/start.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+export JAVA_HOME=
+export PATH=$JAVA_HOME/bin:$PATH
+
+cdir=`dirname $0`
+
+if [ "${cdir}" = "." ]
+then
+	cdir=`pwd`
+fi
+
+pidf=${cdir}/.mypid
+
+logdir=/var/log/uxugsync
+
+cp="${cdir}/dist/*:${cdir}/lib/*:${cdir}/conf"
+[ ! -d ${logdir} ] && mkdir -p ${logdir}
+${cdir}/stop.sh
+cd ${cdir}
+umask 0077
+nohup java -cp "${cp}" com.xasecure.authentication.UnixAuthenticationService > ${logdir}/auth.log
2>&1 &
+echo $! >  ${pidf}
+sleep 5
+port=`grep  '^[ ]*authServicePort' ${cdir}/conf/unixauthservice.properties | awk -F= '{ print
$2 }' | awk '{ print $1 }'`
+pid=`netstat -antp | grep LISTEN | grep  ${port} | awk '{ print $NF }' | awk -F/ '{ if ($2
== "java") { print $1 } }'`
+if [ "${pid}" != "" ]
+then
+	echo "UnixAuthenticationService has started successfully."
+else
+	echo "UnixAuthenticationService failed to start. Please refer to log files under ${logdir}
for further details."
+fi
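Review bot: The start check `netstat -antp | grep LISTEN | grep ${port}` matches the port digits anywhere on the line (a remote address, a longer port such as 15151, or a PID), so on a busy host it can report the service as started when it is not, or attribute the listener to an unrelated java process. Anchor the match on the local-address column, e.g. `grep -E '[:.]'"${port}"'[[:space:]]'`, or better, verify the PID you just recorded with `kill -0 "$(cat "${pidf}")"`. Since this process accepts passwords and is launched as whoever runs the rc link (root, presumably), a one-line comment stating that assumption next to `umask 0077` would help the next maintainer.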

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/7defc061/unixauthservice/scripts/stop.sh
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/stop.sh b/unixauthservice/scripts/stop.sh
new file mode 100755
index 0000000..67cbd28
--- /dev/null
+++ b/unixauthservice/scripts/stop.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+cdir=`dirname $0`
+pidf=${cdir}/.mypid
+port=`grep  '^[ ]*authServicePort' ${cdir}/conf/unixauthservice.properties | awk -F= '{ print
$2 }' | awk '{ print $1 }'`
+pid=`netstat -antp | grep LISTEN | grep  ${port} | awk '{ print $NF }' | awk -F/ '{ if ($2
== "java") { print $1 } }'`
+if [ "${pid}" != "" ]
+then
+        kill -9 ${pid} 
+        echo "AuthenticationService [pid = ${pid}] has been stopped."
+fi
+if [ -f ${pidf} ]
+then
+        npid=`cat ${pidf}`
+        if [ "${npid}" != "" ]
+        then
+                if [ "${pid}" != "${npid}" ]
+                then
+                        if [ -a /proc/${npid} ]
+                        then
+                                echo "AuthenticationService [pid = ${npid}] has been stopped."
+                                kill -9 ${npid} > /dev/null 2>&1
+                                echo > ${pidf}
+                        fi
+                fi
+        fi
+fi
\ No newline at end of file
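Review bot: `kill -9 ${pid}` is sent to whatever PID falls out of `netstat -antp | grep LISTEN | grep ${port}`, and because the port is matched unanchored anywhere on the line, a different java process whose netstat output merely contains those digits (another listener such as 15151, or the digits inside its own PID) can be SIGKILLed. Make the recorded PID file the primary source and use a TERM-then-KILL sequence, e.g. `kill "${npid}"; sleep 2; kill -0 "${npid}" 2>/dev/null && kill -9 "${npid}"`, falling back to the port scan only with the address column anchored (`grep -E '[:.]'"${port}"'[[:space:]]'`). `[ -a /proc/${npid} ]` is a bash-only test that reads oddly; `[ -d /proc/${npid} ]` or `kill -0` says what is meant.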

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/7defc061/unixauthservice/src/main/java/com/xasecure/authentication/PasswordValidator.java
----------------------------------------------------------------------
diff --git a/unixauthservice/src/main/java/com/xasecure/authentication/PasswordValidator.java
b/unixauthservice/src/main/java/com/xasecure/authentication/PasswordValidator.java
new file mode 100644
index 0000000..35a06da
--- /dev/null
+++ b/unixauthservice/src/main/java/com/xasecure/authentication/PasswordValidator.java
@@ -0,0 +1,142 @@
+package com.xasecure.authentication;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.OutputStreamWriter;
+import java.io.PrintWriter;
+import java.net.Socket;
+import java.util.List;
+
+import org.apache.log4j.Logger;
+
+public class PasswordValidator implements Runnable {
+
+	private static final Logger LOG = Logger.getLogger(PasswordValidator.class) ;
+	
+	private static String validatorProgram = null ;
+
+	private static List<String> adminUserList ;
+
+	private static String adminRoleNames ;
+
+	private Socket client ;
+	
+	public PasswordValidator(Socket client) {
+		this.client = client ;
+	}
+
+	@Override
+	public void run() {
+		BufferedReader reader = null ;
+		PrintWriter writer = null;
+
+		String userName = null ;
+
+		try {
+			reader = new BufferedReader(new InputStreamReader(client.getInputStream())) ;
+			writer = new PrintWriter(new OutputStreamWriter(client.getOutputStream())) ;
+			String request = reader.readLine() ;
+			
+			if (request.startsWith("LOGIN:")) {
+				String line = request.substring(6).trim() ;
+				int passwordAt = line.indexOf(' ') ;
+				if (passwordAt != -1) {
+					userName = line.substring(0,passwordAt).trim() ;
+				}
+			}
+
+			if (validatorProgram == null) {
+				String res = "FAILED: Unable to validate credentials." ;
+				writer.println(res) ;
+				writer.flush(); 
+				LOG.error("Response [" + res + "] for user: " + userName + " as ValidatorProgram is not
defined in configuration.") ;
+
+			}
+			else {
+				
+				BufferedReader pReader = null ;
+				PrintWriter pWriter = null;
+				Process p =  null;
+				
+				try {
+					p = Runtime.getRuntime().exec(validatorProgram) ;
+					
+					pReader = new BufferedReader(new InputStreamReader(p.getInputStream())) ;
+					
+					pWriter = new PrintWriter(new OutputStreamWriter(p.getOutputStream())) ;
+					
+					pWriter.println(request) ; pWriter.flush(); 
+	
+					String res = pReader.readLine() ;
+
+
+					if (res != null && res.startsWith("OK")) {
+						if (adminRoleNames != null && adminUserList != null) {
+							if (adminUserList.contains(userName)) {
+								res = res + " " + adminRoleNames ;
+							}
+						}
+					}
+
+					LOG.info("Response [" + res + "] for user: " + userName);
+					
+					writer.println(res) ; writer.flush(); 
+				}
+				finally {
+					if (p != null) {
+						p.destroy();
+					}
+				}
+			}
+			
+		}
+		catch(Throwable t) {
+			if (writer != null){
+				String res = "FAILED: unable to validate due to error " + t ;
+				writer.println(res) ;
+				LOG.error("Response [" + res + "] for user: " + userName, t);
+
+			}
+		}
+		finally {
+			try {
+				if (client != null) {
+					client.close(); 
+				}
+			}
+			catch(IOException ioe){
+				// Ignore exception
+			}
+			finally {
+				client = null;
+			}
+		}
+	}
+	
+	
+	public static String getValidatorProgram() {
+		return validatorProgram;
+	}
+
+	public static void setValidatorProgram(String validatorProgram) {
+		PasswordValidator.validatorProgram = validatorProgram;
+	}
+
+	public static List<String> getAdminUserList() {
+		return adminUserList;
+	}
+
+	public static void setAdminUserList(List<String> adminUserList) {
+		PasswordValidator.adminUserList = adminUserList;
+	}
+
+	public static String getAdminRoleNames() {
+		return adminRoleNames;
+	}
+
+	public static void setAdminRoleNames(String adminRoleNames) {
+		PasswordValidator.adminRoleNames = adminRoleNames;
+	}
+
+}
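Review bot: `run()` blocks in `reader.readLine()` on a socket that has no read timeout, so a client that connects and never sends a line pins this thread indefinitely, and since the accept loop spawns one unbounded thread per connection this is a cheap remote resource-exhaustion path against an authentication service. Call `client.setSoTimeout(...)` before the first read and treat a `null` line as a malformed request instead of letting `request.startsWith` NPE into the catch block. That catch block then sends `"FAILED: unable to validate due to error " + t` to the unauthenticated peer, leaking exception class names and internal paths; log the throwable and return a fixed message. It also writes the failure with `writer.println(res)` and never flushes before `client.close()`, so the buffered text is dropped and the client sees nothing (the success path does call `flush()`).
```java
reader = new BufferedReader(new InputStreamReader(client.getInputStream())) ;
writer = new PrintWriter(new OutputStreamWriter(client.getOutputStream())) ;
client.setSoTimeout(10000) ; // bound how long a silent peer can hold this thread
String request = reader.readLine() ;
if (request == null) {
    throw new IOException("empty request from " + client.getRemoteSocketAddress()) ;
}
// … unchanged: LOGIN parsing, validator exec, admin-role append …
catch(Throwable t) {
    LOG.error("Unable to validate credentials for user: " + userName, t);
    if (writer != null) {
        writer.println("FAILED: Unable to validate credentials.") ; writer.flush();
    }
}
```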

http://git-wip-us.apache.org/repos/asf/incubator-argus/blob/7defc061/unixauthservice/src/main/java/com/xasecure/authentication/UnixAuthenticationService.java
----------------------------------------------------------------------
diff --git a/unixauthservice/src/main/java/com/xasecure/authentication/UnixAuthenticationService.java
b/unixauthservice/src/main/java/com/xasecure/authentication/UnixAuthenticationService.java
new file mode 100644
index 0000000..5fa0ff5
--- /dev/null
+++ b/unixauthservice/src/main/java/com/xasecure/authentication/UnixAuthenticationService.java
@@ -0,0 +1,230 @@
+package com.xasecure.authentication;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.InputStream;
+import java.net.ServerSocket;
+import java.net.Socket;
+import java.security.KeyStore;
+import java.security.SecureRandom;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Properties;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLServerSocketFactory;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+
+import org.apache.log4j.Logger;
+
+import com.xasecure.usergroupsync.UserGroupSync;
+
+public class UnixAuthenticationService {
+
+	private static final Logger LOG = Logger.getLogger(UnixAuthenticationService.class) ;
+	
+	private static final String serviceName = "UnixAuthenticationService" ;
+	
+	private static final String SSL_ALGORITHM = "SSLv3" ;
+	private static final String REMOTE_LOGIN_AUTH_SERVICE_PORT_PARAM = "authServicePort" ;
+	private static final String SSL_KEYSTORE_PATH_PARAM = "keyStore" ;
+	private static final String SSL_KEYSTORE_PATH_PASSWORD_PARAM = "keyStorePassword" ;
+	private static final String SSL_TRUSTSTORE_PATH_PARAM = "trustStore" ;
+	private static final String SSL_TRUSTSTORE_PATH_PASSWORD_PARAM = "trustStorePassword" ;
+	private static final String CRED_VALIDATOR_PROG = "passwordValidatorPath" ;
+	private static final String ADMIN_USER_LIST_PARAM = "admin.users" ;
+	private static final String ADMIN_ROLE_LIST_PARAM = "admin.roleNames" ;
+	private static final String SSL_ENABLED_PARAM = "useSSL" ;
+	
+	
+
+
+	private String keyStorePath ;
+	private String keyStorePathPassword ;
+	private String trustStorePath ;
+	private String trustStorePathPassword ;
+	private List<String>  adminUserList = new ArrayList<String>() ;
+	private String adminRoleNames ;
+	
+	private int  portNum ;
+	
+	private boolean SSLEnabled = false ;
+	
+
+	public static void main(String[] args) {
+		UnixAuthenticationService service = new UnixAuthenticationService() ;
+		service.run() ;
+	}
+
+	public UnixAuthenticationService() {
+	}
+
+	
+	public void run() {
+		try {
+			startUnixUserGroupSyncProcess() ;
+			init() ;
+			startService() ;
+		}
+		catch(Throwable t) {
+			LOG.error("ERROR: Service: " + serviceName , t);
+		}
+		finally {
+			LOG.info("Service: " + serviceName + " - STOPPED.");
+		}
+	}
+	
+	private void startUnixUserGroupSyncProcess() {
+		//
+		//  Start the synchronization service ...
+		//
+		UserGroupSync syncProc = new UserGroupSync() ;
+		Thread newSyncProcThread = new Thread(syncProc) ;
+		newSyncProcThread.setName("UnixUserSyncThread");
+		newSyncProcThread.setDaemon(false);
+		newSyncProcThread.start(); 
+	}
+	
+
+	//TODO: add more validation code
+	private void init() throws Throwable {
+		InputStream in = getFileInputStream("unixauthservice.properties") ;
+		Properties prop = new Properties() ;
+		prop.load(in);
+		keyStorePath = prop.getProperty(SSL_KEYSTORE_PATH_PARAM) ;
+		keyStorePathPassword = prop.getProperty(SSL_KEYSTORE_PATH_PASSWORD_PARAM) ;
+		trustStorePath  = prop.getProperty(SSL_TRUSTSTORE_PATH_PARAM) ;
+		trustStorePathPassword = prop.getProperty(SSL_TRUSTSTORE_PATH_PASSWORD_PARAM) ;
+		portNum = Integer.parseInt(prop.getProperty(REMOTE_LOGIN_AUTH_SERVICE_PORT_PARAM)) ;
+		String validatorProg = prop.getProperty(CRED_VALIDATOR_PROG) ;
+		if (validatorProg != null) {
+			PasswordValidator.setValidatorProgram(validatorProg);
+		}
+		
+		String adminUsers = prop.getProperty(ADMIN_USER_LIST_PARAM) ; 
+		
+		if (adminUsers != null && adminUsers.trim().length() > 0) {
+			for(String u : adminUsers.split(",")) {
+				LOG.info("Adding Admin User:"  + u.trim());
+				adminUserList.add(u.trim()) ;
+			}
+			PasswordValidator.setAdminUserList(adminUserList);
+		}
+		
+		
+		adminRoleNames = prop.getProperty(ADMIN_ROLE_LIST_PARAM) ;
+		
+		if (adminRoleNames != null) {
+			LOG.info("Adding Admin Group:" + adminRoleNames);
+			PasswordValidator.setAdminRoleNames(adminRoleNames) ;
+		}
+		
+		String SSLEnabledProp = prop.getProperty(SSL_ENABLED_PARAM) ;
+		
+		SSLEnabled = (SSLEnabledProp != null &&  (SSLEnabledProp.equalsIgnoreCase("true")))
;
+		
+//		LOG.info("Key:" + keyStorePath);
+//		LOG.info("KeyPassword:" + keyStorePathPassword);
+//		LOG.info("TrustStore:" + trustStorePath);
+//		LOG.info("TrustStorePassword:" + trustStorePathPassword);
+//		LOG.info("PortNum:" + portNum);
+//		LOG.info("ValidatorProg:" + validatorProg);
+		
+	}
+	
+	
+	public void startService() throws Throwable {
+		
+		SSLContext context =  SSLContext.getInstance(SSL_ALGORITHM) ;
+		
+		KeyManager[] km = null ;
+
+		if (keyStorePath != null) {
+			KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()) ;
+			
+			InputStream in = null ;
+			
+			in = getFileInputStream(keyStorePath) ;
+			
+			try {
+				ks.load(in, keyStorePathPassword.toCharArray());
+			}
+			finally {
+				if (in != null) {
+					in.close(); 
+				}
+			}
+			
+			KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
;
+			kmf.init(ks, keyStorePathPassword.toCharArray());
+			km = kmf.getKeyManagers() ;
+		}
+		
+		
+		TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
 
+		
+		KeyStore trustStoreKeyStore = null ;
+		
+		if (trustStorePath != null) {
+			trustStoreKeyStore = KeyStore.getInstance(KeyStore.getDefaultType()) ;
+			
+			InputStream in = null ;
+			
+			in = getFileInputStream(trustStorePath) ;
+			
+			try {
+				trustStoreKeyStore.load(in, trustStorePathPassword.toCharArray());
+			}
+			finally {
+				if (in != null) {
+					in.close(); 
+				}
+			}
+		}
+		
+		trustManagerFactory.init(trustStoreKeyStore);  
+		
+		TrustManager[] tm = trustManagerFactory.getTrustManagers() ;
+				
+		SecureRandom random = new SecureRandom() ;
+		
+		context.init(km, tm, random);
+		
+		SSLServerSocketFactory sf = context.getServerSocketFactory() ; 
+
+		ServerSocket socket = (SSLEnabled ? sf.createServerSocket(portNum) :  new ServerSocket(portNum)
) ;
+				
+		Socket client = null ;
+		
+		while ( (client = socket.accept()) != null ) {
+			Thread clientValidatorThread = new Thread(new PasswordValidator(client)) ;
+			clientValidatorThread.start(); 
+		}
+
+	}
+	
+	private InputStream getFileInputStream(String path) throws FileNotFoundException {
+		
+		InputStream ret = null;
+		
+		File f = new File(path) ;
+		
+		if (f.exists()) {
+			ret = new FileInputStream(f) ;
+		}
+		else {
+			ret = getClass().getResourceAsStream(path) ;
+			if (ret == null) {
+				ret = getClass().getResourceAsStream("/" + path) ;
+			}
+		}
+		
+		return ret ;
+	}
+
+
+}
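Review bot: `startService()` requests the context as `SSLContext.getInstance("SSLv3")` and returns `sf.createServerSocket(portNum)` without ever calling `setNeedClientAuth`/`setWantClientAuth`, so the trust store that `init()` loads has no effect on who may connect: any host that can reach the wildcard-bound port can submit LOGIN requests (and in clear text when `useSSL=false`). Request `"TLS"` instead, pin the enabled protocols on the server socket since what the `"SSLv3"` name enables varies by JDK, and, if client certificates are the intended access control (the trust-store settings suggest so, though the client side is not visible here), require them. `init()` also never closes the properties `InputStream`, and `getFileInputStream` returns `null` when neither the path nor the classpath resource exists, which `ks.load(null, …)` quietly turns into an empty key store instead of a configuration error — fail loudly there.
```java
SSLContext context = SSLContext.getInstance("TLS") ;
// … unchanged: key manager / trust manager setup, context.init(km, tm, random) …
ServerSocket socket ;
if (SSLEnabled) {
    javax.net.ssl.SSLServerSocket sslSocket = (javax.net.ssl.SSLServerSocket) sf.createServerSocket(portNum) ;
    sslSocket.setEnabledProtocols(new String[] { "TLSv1.2" }) ; // confirm the admin client supports this before pinning
    sslSocket.setNeedClientAuth(true) ;                          // only if clients present certs chained to the trust store
    socket = sslSocket ;
} else {
    socket = new ServerSocket(portNum) ;
}
```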

