ranger-commits mailing list archives

From mad...@apache.org
Subject [1/2] incubator-ranger git commit: RANGER-203: 1. Config file renamed to support new service-types: xasecure-audit.xml ==> ranger-type-audit.xml (type: hdfs/hive/hbase/knox/storm/yarn/…) xasecure-security.xml ==> ranger-type-security.xml (type:
Date Wed, 04 Feb 2015 00:23:12 GMT
Repository: incubator-ranger
Updated Branches:
  refs/heads/stack 447658578 -> 2e486daa4


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hdfs-agent/src/main/java/org/apache/hadoop/hdfs/server/namenode/RangerFSPermissionChecker.java
----------------------------------------------------------------------
diff --git a/hdfs-agent/src/main/java/org/apache/hadoop/hdfs/server/namenode/RangerFSPermissionChecker.java
b/hdfs-agent/src/main/java/org/apache/hadoop/hdfs/server/namenode/RangerFSPermissionChecker.java
index d8f2556..58c1102 100644
--- a/hdfs-agent/src/main/java/org/apache/hadoop/hdfs/server/namenode/RangerFSPermissionChecker.java
+++ b/hdfs-agent/src/main/java/org/apache/hadoop/hdfs/server/namenode/RangerFSPermissionChecker.java
@@ -66,9 +66,6 @@ public class RangerFSPermissionChecker {
 		access2ActionListMapper.put(FsAction.EXECUTE,       Sets.newHashSet(EXECUTE_ACCCESS_TYPE));
 	}
 
-	private static final boolean addHadoopAuth = RangerConfiguration.getInstance().getBoolean(RangerHadoopConstants.RANGER_ADD_HDFS_PERMISSION_PROP,
RangerHadoopConstants.RANGER_ADD_HDFS_PERMISSION_DEFAULT) ;
-
-
 	private static RangerHdfsPlugin                    rangerPlugin        = null;
 	private static ThreadLocal<RangerHdfsAuditHandler> currentAuditHandler = new ThreadLocal<RangerHdfsAuditHandler>();
 
@@ -85,7 +82,7 @@ public class RangerFSPermissionChecker {
 
 		boolean accessGranted =  AuthorizeAccessForUser(path, pathOwner, access, user, groups);
 
-		if (!accessGranted &&  !addHadoopAuth ) {
+		if (!accessGranted &&  !RangerHdfsPlugin.isHadoopAuthEnabled()) {
 			String inodeInfo = (inode.isDirectory() ? "directory" : "file") +  "="  + "\"" + path
+ "\""  ;
 		    throw new RangerAccessControlException("Permission denied: principal{user=" + user
+ ",groups: " + groups + "}, access=" + access + ", " + inodeInfo ) ; 
 		}
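Review bot: The condition `!accessGranted && !RangerHdfsPlugin.isHadoopAuthEnabled()` is the only place in this hunk where a Ranger deny becomes an exception, and nothing says that enabling the flag lets a denied request continue past this point. A comment above the `if`, such as `// Ranger denied: throw only when the Hadoop-permission fallback is disabled`, would make that explicit; the fallback meaning is inferred from the property name `RANGER_ADD_HDFS_PERMISSION_PROP`. The rest of the method is outside the hunk, so it should be confirmed there whether the Ranger denial is still audited when the call falls through.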
@@ -175,12 +172,20 @@ public class RangerFSPermissionChecker {
 }
 
 class RangerHdfsPlugin extends RangerBasePlugin {
+	private static boolean hadoopAuthEnabled = false;
+
 	public RangerHdfsPlugin() {
-		super("hdfs");
+		super("hdfs", "hdfs");
 	}
 	
 	public void init() {
 		super.init();
+		
+		RangerHdfsPlugin.hadoopAuthEnabled = RangerConfiguration.getInstance().getBoolean(RangerHadoopConstants.RANGER_ADD_HDFS_PERMISSION_PROP,
RangerHadoopConstants.RANGER_ADD_HDFS_PERMISSION_DEFAULT);
+	}
+
+	public static boolean isHadoopAuthEnabled() {
+		return RangerHdfsPlugin.hadoopAuthEnabled;
 	}
 }
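Review bot: `hadoopAuthEnabled` replaces a `static final` that was safely published at class load with a plain static written in `init()` and read through `isHadoopAuthEnabled()` in the permission check. A thread that did not run `init()` has no visibility guarantee for that write, so the field should be `private static volatile boolean hadoopAuthEnabled = false;`. It is also class-wide state assigned from an instance method, so a second `RangerHdfsPlugin.init()` call would re-read the configuration and overwrite the value for every caller. The `false` default means a Ranger deny is thrown until `init()` has run, which fails closed and deserves a one-line comment on the field.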
 
@@ -265,8 +270,6 @@ class RangerHdfsAuditHandler extends RangerDefaultAuditHandler {
 				excludeUsers.add(excludeUser) ;
 				}
 		}
-
-		RangerConfiguration.getInstance().initAudit("hdfs");	
 	}
 
 	public RangerHdfsAuditHandler(String pathToBeValidated) {

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hive-agent/conf/ranger-hive-audit-changes.cfg
----------------------------------------------------------------------
diff --git a/hive-agent/conf/ranger-hive-audit-changes.cfg b/hive-agent/conf/ranger-hive-audit-changes.cfg
new file mode 100644
index 0000000..83a1dff
--- /dev/null
+++ b/hive-agent/conf/ranger-hive-audit-changes.cfg
@@ -0,0 +1,34 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+xasecure.audit.db.is.enabled                        %XAAUDIT.DB.IS_ENABLED%             
                           mod create-if-not-exists
+xasecure.audit.jpa.javax.persistence.jdbc.url		%XAAUDIT_DB_JDBC_URL%											mod create-if-not-exists
+xasecure.audit.jpa.javax.persistence.jdbc.user		%XAAUDIT.DB.USER_NAME% 											mod create-if-not-exists
+xasecure.audit.jpa.javax.persistence.jdbc.password	crypted 														mod create-if-not-exists
+xasecure.audit.repository.name						%REPOSITORY_NAME% 												mod create-if-not-exists
+xasecure.audit.credential.provider.file     		jceks://file%CREDENTIAL_PROVIDER_FILE% 			
			mod create-if-not-exists
+xasecure.audit.jpa.javax.persistence.jdbc.driver	%XAAUDIT_DB_JDBC_DRIVER% 										mod create-if-not-exists
+
+xasecure.audit.hdfs.is.enabled                                     %XAAUDIT.HDFS.IS_ENABLED%
                              mod create-if-not-exists
+xasecure.audit.hdfs.config.destination.directory                   %XAAUDIT.HDFS.DESTINATION_DIRECTORY%
                   mod create-if-not-exists
+xasecure.audit.hdfs.config.destination.file                        %XAAUDIT.HDFS.DESTINTATION_FILE%
                       mod create-if-not-exists
+xasecure.audit.hdfs.config.destination.flush.interval.seconds      %XAAUDIT.HDFS.DESTINTATION_FLUSH_INTERVAL_SECONDS%
     mod create-if-not-exists
+xasecure.audit.hdfs.config.destination.rollover.interval.seconds   %XAAUDIT.HDFS.DESTINTATION_ROLLOVER_INTERVAL_SECONDS%
  mod create-if-not-exists
+xasecure.audit.hdfs.config.destination.open.retry.interval.seconds %XAAUDIT.HDFS.DESTINTATION_OPEN_RETRY_INTERVAL_SECONDS%
mod create-if-not-exists
+xasecure.audit.hdfs.config.local.buffer.directory                  %XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY%
                  mod create-if-not-exists
+xasecure.audit.hdfs.config.local.buffer.file                       %XAAUDIT.HDFS.LOCAL_BUFFER_FILE%
                       mod create-if-not-exists
+xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds     %XAAUDIT.HDFS.LOCAL_BUFFER_FLUSH_INTERVAL_SECONDS%
     mod create-if-not-exists
+xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds  %XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS%
  mod create-if-not-exists
+xasecure.audit.hdfs.config.local.archive.directory                 %XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY%
                 mod create-if-not-exists
+xasecure.audit.hdfs.config.local.archive.max.file.count            %XAAUDIT.HDFS.LOCAL_ARCHIVE_MAX_FILE_COUNT%
            mod create-if-not-exists

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hive-agent/conf/ranger-hive-audit.xml
----------------------------------------------------------------------
diff --git a/hive-agent/conf/ranger-hive-audit.xml b/hive-agent/conf/ranger-hive-audit.xml
new file mode 100644
index 0000000..047cd96
--- /dev/null
+++ b/hive-agent/conf/ranger-hive-audit.xml
@@ -0,0 +1,191 @@
+<?xml version="1.0"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
+	<property>
+		<name>xasecure.audit.is.enabled</name>
+		<value>true</value>
+	</property>	
+	
+	<property>
+		<name>xasecure.audit.repository.name</name>
+		<value>hivedev</value>
+	</property>	
+	
+
+	<!-- DB audit provider configuration -->
+	<property>
+		<name>xasecure.audit.db.is.enabled</name>
+		<value>false</value>
+	</property>	
+	
+	<property>
+		<name>xasecure.audit.db.is.async</name>
+		<value>true</value>
+	</property>	
+	
+	<property>
+		<name>xasecure.audit.db.async.max.queue.size</name>
+		<value>10240</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.db.async.max.flush.interval.ms</name>
+		<value>30000</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.db.batch.size</name>
+		<value>100</value>
+	</property>	
+
+	<!--  Properties whose name begin with "xasecure.audit.jpa." are used to configure JPA
-->
+	<property>
+		<name>xasecure.audit.jpa.javax.persistence.jdbc.url</name>
+		<value>jdbc:mysql://localhost:3306/ranger_audit</value>
+	</property>
+
+	<property>
+		<name>xasecure.audit.jpa.javax.persistence.jdbc.user</name>
+		<value>rangerlogger</value>
+	</property>
+
+	<property>
+		<name>xasecure.audit.jpa.javax.persistence.jdbc.password</name>
+		<value>none</value>
+	</property>
+
+	<property>
+		<name>xasecure.audit.jpa.javax.persistence.jdbc.driver</name>
+		<value>com.mysql.jdbc.Driver</value>
+	</property>
+
+    <property>
+		<name>xasecure.audit.credential.provider.file</name>
+		<value>jceks://file/etc/ranger/hivedev/auditcred.jceks</value>
+	</property>
+
+
+	<!-- HDFS audit provider configuration -->
+	<property>
+		<name>xasecure.audit.hdfs.is.enabled</name>
+		<value>false</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.is.async</name>
+		<value>true</value>
+	</property>	
+	
+	<property>
+		<name>xasecure.audit.hdfs.async.max.queue.size</name>
+		<value>1048576</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.async.max.flush.interval.ms</name>
+		<value>30000</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.encoding</name>
+		<value></value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.destination.directory</name>
+		<value>hdfs://NAMENODE_HOST:8020/ranger/audit/%app-type%/%time:yyyyMMdd%</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.destination.file</name>
+		<value>%hostname%-audit.log</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.destination.flush.interval.seconds</name>
+		<value>900</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.destination.rollover.interval.seconds</name>
+		<value>86400</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.destination.open.retry.interval.seconds</name>
+		<value>60</value>
+	</property>
+
+	<property>
+		<name>xasecure.audit.hdfs.config.local.buffer.directory</name>
+		<value>/var/log/hive/audit/%app-type%</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.local.buffer.file</name>
+		<value>%time:yyyyMMdd-HHmm.ss%.log</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.local.buffer.file.buffer.size.bytes</name>
+		<value>8192</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds</name>
+		<value>60</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds</name>
+		<value>600</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.local.archive.directory</name>
+		<value>/var/log/hive/audit/archive/%app-type%</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.local.archive.max.file.count</name>
+		<value>10</value>
+	</property>	
+	
+
+	<!-- Log4j audit provider configuration -->
+	<property>
+		<name>xasecure.audit.log4j.is.enabled</name>
+		<value>false</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.log4j.is.async</name>
+		<value>false</value>
+	</property>	
+	
+	<property>
+		<name>xasecure.audit.log4j.async.max.queue.size</name>
+		<value>10240</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.log4j.async.max.flush.interval.ms</name>
+		<value>30000</value>
+	</property>	
+</configuration>

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hive-agent/conf/ranger-hive-security-changes.cfg
----------------------------------------------------------------------
diff --git a/hive-agent/conf/ranger-hive-security-changes.cfg b/hive-agent/conf/ranger-hive-security-changes.cfg
new file mode 100644
index 0000000..399f424
--- /dev/null
+++ b/hive-agent/conf/ranger-hive-security-changes.cfg
@@ -0,0 +1,28 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Change the original policy parameter to work with policy manager based.
+# 
+#
+ranger.plugin.hive.service.name					%REPOSITORY_NAME% 										mod create-if-not-exists
+
+ranger.plugin.hive.service.store.class			org.apache.ranger.plugin.store.rest.ServiceRESTStore
mod create-if-not-exists
+ranger.plugin.hive.service.store.cache.dir		%POLICY_CACHE_FILE_PATH% 								mod create-if-not-exists
+ranger.plugin.hive.service.store.pollIntervalMs	30000 													mod create-if-not-exists
+
+ranger.service.store.rest.url					%POLICY_MGR_URL% 										mod create-if-not-exists
+ranger.service.store.rest.ssl.config.file		/etc/hive/conf/ranger-policymgr-ssl.xml					mod
create-if-not-exists
+
+xasecure.hive.update.xapolicies.on.grant.revoke     %UPDATE_XAPOLICIES_ON_GRANT_REVOKE% 
                                   mod create-if-not-exists

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hive-agent/conf/ranger-hive-security.xml
----------------------------------------------------------------------
diff --git a/hive-agent/conf/ranger-hive-security.xml b/hive-agent/conf/ranger-hive-security.xml
new file mode 100644
index 0000000..86526c6
--- /dev/null
+++ b/hive-agent/conf/ranger-hive-security.xml
@@ -0,0 +1,73 @@
+<?xml version="1.0"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
+	<property>
+		<name>ranger.plugin.hive.service.name</name>
+		<value>hivedev</value>
+		<description>
+			Name of the Ranger service containing policies for this YARN instance
+		</description>
+	</property>
+
+	<property>
+		<name>ranger.plugin.hive.service.store.class</name>
+		<value>org.apache.ranger.plugin.store.rest.ServiceRESTStore</value>
+		<description>
+			Service storage implementation class to use to retrieve policies
+		</description>
+	</property>
+
+	<property>
+		<name>ranger.plugin.hive.service.store.pollIntervalMs</name>
+		<value>30000</value>
+		<description>
+			How often to poll for changes in policies?
+		</description>
+	</property>
+
+	<property>
+		<name>ranger.plugin.hive.service.store.cache.dir</name>
+		<value>/etc/ranger/hivedev/policycache</value>
+		<description>
+			Directory where Ranger policies are cached after successful retrieval from the store
+		</description>
+	</property>
+
+	<!-- The following properties are used only when Ranger Admin REST interface is used
to retrieve the policies -->
+	<property>
+		<name>ranger.service.store.rest.url</name>
+		<value>http://policymanagerhost:port</value>
+		<description>
+			URL to Ranger Admin
+		</description>
+	</property>
+
+	<property>
+		<name>ranger.service.store.rest.ssl.config.file</name>
+		<value>/etc/hive/conf/ranger-policymgr-ssl.xml</value>
+		<description>Path to the file containing SSL details to contact Ranger Admin</description>
+	</property>
+
+
+	<property>
+		<name>xasecure.hive.update.xapolicies.on.grant.revoke</name>
+		<value>true</value>
+		<description>Should Hive plugin update Ranger policies for updates to permissions
done using GRANT/REVOKE?</description>
+	</property>
+</configuration>
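Review bot: The description of `ranger.plugin.hive.service.name` says "for this YARN instance", which looks copied from another plugin's file; in a Hive config it should read `Name of the Ranger service containing policies for this Hive instance`. The sample value of `ranger.service.store.rest.url` is `http://policymanagerhost:port`, so a deployment that keeps the scheme would fetch authorization policies over plain HTTP even though `ranger.service.store.rest.ssl.config.file` is set next to it. An `https://` sample value, or a sentence in the description saying TLS is expected outside test setups, would steer operators away from that.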

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hive-agent/conf/xasecure-audit-changes.cfg
----------------------------------------------------------------------
diff --git a/hive-agent/conf/xasecure-audit-changes.cfg b/hive-agent/conf/xasecure-audit-changes.cfg
deleted file mode 100644
index 83a1dff..0000000
--- a/hive-agent/conf/xasecure-audit-changes.cfg
+++ /dev/null
@@ -1,34 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements.  See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-xasecure.audit.db.is.enabled                        %XAAUDIT.DB.IS_ENABLED%             
                           mod create-if-not-exists
-xasecure.audit.jpa.javax.persistence.jdbc.url		%XAAUDIT_DB_JDBC_URL%											mod create-if-not-exists
-xasecure.audit.jpa.javax.persistence.jdbc.user		%XAAUDIT.DB.USER_NAME% 											mod create-if-not-exists
-xasecure.audit.jpa.javax.persistence.jdbc.password	crypted 														mod create-if-not-exists
-xasecure.audit.repository.name						%REPOSITORY_NAME% 												mod create-if-not-exists
-xasecure.audit.credential.provider.file     		jceks://file%CREDENTIAL_PROVIDER_FILE% 			
			mod create-if-not-exists
-xasecure.audit.jpa.javax.persistence.jdbc.driver	%XAAUDIT_DB_JDBC_DRIVER% 										mod create-if-not-exists
-
-xasecure.audit.hdfs.is.enabled                                     %XAAUDIT.HDFS.IS_ENABLED%
                              mod create-if-not-exists
-xasecure.audit.hdfs.config.destination.directory                   %XAAUDIT.HDFS.DESTINATION_DIRECTORY%
                   mod create-if-not-exists
-xasecure.audit.hdfs.config.destination.file                        %XAAUDIT.HDFS.DESTINTATION_FILE%
                       mod create-if-not-exists
-xasecure.audit.hdfs.config.destination.flush.interval.seconds      %XAAUDIT.HDFS.DESTINTATION_FLUSH_INTERVAL_SECONDS%
     mod create-if-not-exists
-xasecure.audit.hdfs.config.destination.rollover.interval.seconds   %XAAUDIT.HDFS.DESTINTATION_ROLLOVER_INTERVAL_SECONDS%
  mod create-if-not-exists
-xasecure.audit.hdfs.config.destination.open.retry.interval.seconds %XAAUDIT.HDFS.DESTINTATION_OPEN_RETRY_INTERVAL_SECONDS%
mod create-if-not-exists
-xasecure.audit.hdfs.config.local.buffer.directory                  %XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY%
                  mod create-if-not-exists
-xasecure.audit.hdfs.config.local.buffer.file                       %XAAUDIT.HDFS.LOCAL_BUFFER_FILE%
                       mod create-if-not-exists
-xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds     %XAAUDIT.HDFS.LOCAL_BUFFER_FLUSH_INTERVAL_SECONDS%
     mod create-if-not-exists
-xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds  %XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS%
  mod create-if-not-exists
-xasecure.audit.hdfs.config.local.archive.directory                 %XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY%
                 mod create-if-not-exists
-xasecure.audit.hdfs.config.local.archive.max.file.count            %XAAUDIT.HDFS.LOCAL_ARCHIVE_MAX_FILE_COUNT%
            mod create-if-not-exists

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hive-agent/conf/xasecure-audit.xml
----------------------------------------------------------------------
diff --git a/hive-agent/conf/xasecure-audit.xml b/hive-agent/conf/xasecure-audit.xml
deleted file mode 100644
index 047cd96..0000000
--- a/hive-agent/conf/xasecure-audit.xml
+++ /dev/null
@@ -1,191 +0,0 @@
-<?xml version="1.0"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
-
-      http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
--->
-<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
-<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
-	<property>
-		<name>xasecure.audit.is.enabled</name>
-		<value>true</value>
-	</property>	
-	
-	<property>
-		<name>xasecure.audit.repository.name</name>
-		<value>hivedev</value>
-	</property>	
-	
-
-	<!-- DB audit provider configuration -->
-	<property>
-		<name>xasecure.audit.db.is.enabled</name>
-		<value>false</value>
-	</property>	
-	
-	<property>
-		<name>xasecure.audit.db.is.async</name>
-		<value>true</value>
-	</property>	
-	
-	<property>
-		<name>xasecure.audit.db.async.max.queue.size</name>
-		<value>10240</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.db.async.max.flush.interval.ms</name>
-		<value>30000</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.db.batch.size</name>
-		<value>100</value>
-	</property>	
-
-	<!--  Properties whose name begin with "xasecure.audit.jpa." are used to configure JPA
-->
-	<property>
-		<name>xasecure.audit.jpa.javax.persistence.jdbc.url</name>
-		<value>jdbc:mysql://localhost:3306/ranger_audit</value>
-	</property>
-
-	<property>
-		<name>xasecure.audit.jpa.javax.persistence.jdbc.user</name>
-		<value>rangerlogger</value>
-	</property>
-
-	<property>
-		<name>xasecure.audit.jpa.javax.persistence.jdbc.password</name>
-		<value>none</value>
-	</property>
-
-	<property>
-		<name>xasecure.audit.jpa.javax.persistence.jdbc.driver</name>
-		<value>com.mysql.jdbc.Driver</value>
-	</property>
-
-    <property>
-		<name>xasecure.audit.credential.provider.file</name>
-		<value>jceks://file/etc/ranger/hivedev/auditcred.jceks</value>
-	</property>
-
-
-	<!-- HDFS audit provider configuration -->
-	<property>
-		<name>xasecure.audit.hdfs.is.enabled</name>
-		<value>false</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.is.async</name>
-		<value>true</value>
-	</property>	
-	
-	<property>
-		<name>xasecure.audit.hdfs.async.max.queue.size</name>
-		<value>1048576</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.async.max.flush.interval.ms</name>
-		<value>30000</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.encoding</name>
-		<value></value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.destination.directory</name>
-		<value>hdfs://NAMENODE_HOST:8020/ranger/audit/%app-type%/%time:yyyyMMdd%</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.destination.file</name>
-		<value>%hostname%-audit.log</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.destination.flush.interval.seconds</name>
-		<value>900</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.destination.rollover.interval.seconds</name>
-		<value>86400</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.destination.open.retry.interval.seconds</name>
-		<value>60</value>
-	</property>
-
-	<property>
-		<name>xasecure.audit.hdfs.config.local.buffer.directory</name>
-		<value>/var/log/hive/audit/%app-type%</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.local.buffer.file</name>
-		<value>%time:yyyyMMdd-HHmm.ss%.log</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.local.buffer.file.buffer.size.bytes</name>
-		<value>8192</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds</name>
-		<value>60</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds</name>
-		<value>600</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.local.archive.directory</name>
-		<value>/var/log/hive/audit/archive/%app-type%</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.local.archive.max.file.count</name>
-		<value>10</value>
-	</property>	
-	
-
-	<!-- Log4j audit provider configuration -->
-	<property>
-		<name>xasecure.audit.log4j.is.enabled</name>
-		<value>false</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.log4j.is.async</name>
-		<value>false</value>
-	</property>	
-	
-	<property>
-		<name>xasecure.audit.log4j.async.max.queue.size</name>
-		<value>10240</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.log4j.async.max.flush.interval.ms</name>
-		<value>30000</value>
-	</property>	
-</configuration>

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hive-agent/conf/xasecure-hive-security-changes.cfg
----------------------------------------------------------------------
diff --git a/hive-agent/conf/xasecure-hive-security-changes.cfg b/hive-agent/conf/xasecure-hive-security-changes.cfg
deleted file mode 100644
index 75fbdea..0000000
--- a/hive-agent/conf/xasecure-hive-security-changes.cfg
+++ /dev/null
@@ -1,27 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements.  See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Change the original policy parameter to work with policy manager based.
-# 
-#
-hive.authorization.verifier.classname				org.apache.ranger.pdp.hive.RangerAuthorizer				
			mod	create-if-not-exists
-xasecure.hive.policymgr.url							%POLICY_MGR_URL%/service/assets/policyList/%REPOSITORY_NAME%
			mod create-if-not-exists
-xasecure.hive.policymgr.url.saveAsFile				/tmp/hive_%REPOSITORY_NAME%_json  									   
mod create-if-not-exists
-xasecure.hive.policymgr.url.laststoredfile			%POLICY_CACHE_FILE_PATH%/hive_%REPOSITORY_NAME%_json
					mod create-if-not-exists
-xasecure.hive.policymgr.url.reloadIntervalInMillis 	30000 																	mod create-if-not-exists
-xasecure.hive.policymgr.ssl.config					/etc/hive/conf/xasecure-policymgr-ssl.xml								mod
create-if-not-exists
-xasecure.hive.update.xapolicies.on.grant.revoke     %UPDATE_XAPOLICIES_ON_GRANT_REVOKE% 
                                   mod create-if-not-exists
-xasecure.policymgr.url							    %POLICY_MGR_URL% 														mod create-if-not-exists
-xasecure.policymgr.sslconfig.filename				/etc/hive/conf/xasecure-policymgr-ssl.xml						
	mod create-if-not-exists

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hive-agent/conf/xasecure-hive-security.xml
----------------------------------------------------------------------
diff --git a/hive-agent/conf/xasecure-hive-security.xml b/hive-agent/conf/xasecure-hive-security.xml
deleted file mode 100644
index ebc0b92..0000000
--- a/hive-agent/conf/xasecure-hive-security.xml
+++ /dev/null
@@ -1,84 +0,0 @@
-<?xml version="1.0"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
-
-      http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
--->
-<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
-<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
-
-
-	<!--  The following property is used to select appropriate XASecure Authorizer Module
(filebased, policymanager based) -->
-	<property>
-		<name>hive.authorization.verifier.classname</name>
-		<value>org.apache.ranger.pdp.hive.RangerAuthorizer</value>
-		<description>
-			Class Name of the authorization Module 
-		</description>
-	</property>
-
-
-	<!-- The following properties are used only when PolicyManager is used as 
-		main storage for all policy -->
-	<property>
-		<name>xasecure.hive.policymgr.url</name>
-		<value>http://policymanagerhost:port/service/assets/dev-hive</value>
-		<description>
-			Location where XASecure Role Based Authorization Info is
-			located.
-		</description>
-	</property>
-	<property>
-		<name>xasecure.hive.policymgr.url.saveAsFile</name>
-		<value>/tmp/xasecure-hive-policy.json</value>
-		<description>
-			Location where XASecure Role Based Authorization Info is
-			saved after successful retrieval from policymanager
-		</description>
-	</property>
-	<property>
-		<name>xasecure.hive.policymgr.url.laststoredfile</name>
-		<value>/home/hive/last_xasecure-hive-policy.json</value>
-		<description>
-			Location and file where last XASecure Role Based Authorization Info
-		    is saved after successful retrieval from policymanager.
-		</description>
-	</property>
-	<property>
-		<name>xasecure.hive.policymgr.url.reloadIntervalInMillis</name>
-		<value>30000</value>
-		<description>
-			How often do we need to verify the changes tothe
-			authorization url,
-			to reload to memory (reloaded only if there are
-			changes)
-		</description>
-	</property>
-	<property>
-		<name>xasecure.policymgr.url</name>
-		<value>http://policymanagerhost:port</value>
-		<description>Base URL for XASecure PolicyManager</description>
-	</property>
-	<property>
-		<name>xasecure.policymgr.sslconfig.filename</name>
-		<value>/etc/hive/conf/xasecure-policymgr-ssl.xml</value>
-		<description>Path to the file containing SSL details to contact XASecure PolicyManager</description>
-	</property>
-	<property>
-		<name>xasecure.hive.update.xapolicies.on.grant.revoke</name>
-		<value>true</value>
-		<description>Should Hive agent update XASecure policies for updates to permissions
done using GRANT/REVOKE?</description>
-	</property>
-
-</configuration>

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
----------------------------------------------------------------------
diff --git a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
index b3d8055..980c56c 100644
--- a/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
+++ b/hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
@@ -78,27 +78,23 @@ public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
 		if(hivePlugin == null) {
 			synchronized(RangerHiveAuthorizer.class) {
 				if(hivePlugin == null) {
-					RangerHivePlugin temp = new RangerHivePlugin();
-					temp.init();
-					
-					if(!RangerConfiguration.getInstance().isAuditInitDone()) {
-						if(sessionContext != null) {
-							String appType = "unknown";
-
-							switch(sessionContext.getClientType()) {
-								case HIVECLI:
-									appType = "hiveCLI";
-								break;
-
-								case HIVESERVER2:
-									appType = "hiveServer2";
-								break;
-							}
-
-							RangerConfiguration.getInstance().initAudit(appType);
+					String appType = "unknown";
+
+					if(sessionContext != null) {
+						switch(sessionContext.getClientType()) {
+							case HIVECLI:
+								appType = "hiveCLI";
+							break;
+
+							case HIVESERVER2:
+								appType = "hiveServer2";
+							break;
 						}
 					}
 
+					RangerHivePlugin temp = new RangerHivePlugin(appType);
+					temp.init();
+
 					hivePlugin = temp;
 				}
 			}
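Review bot: The `switch` on `sessionContext.getClientType()` has no `default` branch, so a null `sessionContext` or any client type other than HIVECLI and HIVESERVER2 constructs the plugin with appType `"unknown"`. Because `hivePlugin` is assigned once inside the class-level lock, the first session to get there fixes that value for every later session in the process, which presumably carries over into how audit records are labelled. I would add an explicit `default:` branch with a comment such as `// any other client type is reported as "unknown"` and log the unmapped client type once, so a mislabelled audit source is noticed at startup. The enclosing method and the declaration of `hivePlugin` are outside the hunk, so confirm separately that the field is `volatile`, which this double-checked pattern needs.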
@@ -834,8 +830,8 @@ enum HiveObjectType { NONE, DATABASE, TABLE, VIEW, PARTITION, INDEX, COLUMN,
FUN
 enum HiveAccessType { NONE, CREATE, ALTER, DROP, INDEX, LOCK, SELECT, UPDATE, USE, ALL, ADMIN
};
 
 class RangerHivePlugin extends RangerBasePlugin {
-	public RangerHivePlugin() {
-		super("hive");
+	public RangerHivePlugin(String appType) {
+		super("hive", appType);
 	}
 }
 

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index a98f8e4..e4ee9d0 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -645,9 +645,9 @@ public class ServiceREST {
 	}
 
 	@GET
-	@Path("/policies/service/name/{name}/{lastKnownVersion}")
+	@Path("/policies/download/{serviceName}/{lastKnownVersion}")
 	@Produces({ "application/json", "application/xml" })
-	public ServicePolicies getServicePoliciesIfUpdated(@PathParam("name") String serviceName,
@PathParam("lastKnownVersion") Long lastKnownVersion) throws Exception {
+	public ServicePolicies getServicePoliciesIfUpdated(@PathParam("serviceName") String serviceName,
@PathParam("lastKnownVersion") Long lastKnownVersion) throws Exception {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> ServiceREST.getServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion
+ ")");
 		}
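Review bot: `serviceName` is taken straight from the URL and concatenated into the `LOG.debug` line under the new signature, with no check on its content. The `security="none"` rule added in security-applicationContext.xml in this same commit appears to cover this path, so the value can come from an unauthenticated caller and embedded CR/LF characters could forge log entries when debug logging is on. Strip line breaks before logging, for example `serviceName.replaceAll("[\r\n]", "_")`, or validate the name against the known services first. The method body continues outside the hunk, so any validation further down is not visible here.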

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
index 5a210db..3214591 100644
--- a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
+++ b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
@@ -56,6 +56,7 @@ http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd">
 	<security:http pattern="/loadInit.html" security="none" />
 	<security:http pattern="/service/documents/result/**" security="none" />
 	<security:http pattern="/service/assets/policyList/*" security="none"/>
+	<security:http pattern="/service/plugins/policies/download/*/*" security="none"/>
 	<security:http pattern="/service/assets/resources/grant" security="none"/>
 	<security:http pattern="/service/assets/resources/revoke" security="none"/>
 	<security:http pattern="/service/users/default" security="none"/>
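Review bot: The added `security="none"` rule for `/service/plugins/policies/download/*/*` takes the policy download path out of the Spring Security filter chain, so any client that can reach the admin server can request a service's policies by name without credentials. Policy documents typically name users, groups and the resources they may touch, which is useful reconnaissance data, and the visible part of `ServiceREST.getServicePoliciesIfUpdated` shows no caller check of its own (its body continues outside that hunk). If plugins cannot authenticate yet, I would at least record the decision next to the rule, e.g. `<!-- unauthenticated on purpose: plugin policy download; restrict at the network layer until plugins authenticate -->`. Longer term this rule should be replaced with one that requires a plugin credential or client certificate.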

