From mad...@apache.org
Subject [2/2] incubator-ranger git commit: RANGER-203: 1. Config file renamed to support new service-types: xasecure-audit.xml ==> ranger-type-audit.xml (type: hdfs/hive/hbase/knox/storm/yarn/…) xasecure-security.xml ==> ranger-type-security.xml (type:
Date Wed, 04 Feb 2015 00:23:13 GMT
RANGER-203:
1. Config file renamed to support new service-types:
   xasecure-audit.xml    ==> ranger-type-audit.xml (type: hdfs/hive/hbase/knox/storm/yarn/…)
   xasecure-security.xml ==> ranger-type-security.xml (type: hdfs/hive/hbase/knox/storm/yarn/…)

2. Plugin installation script (enable-agent.sh) updated to support plugins whose
   installation directory is different from the plugin name
   (for example: yarn plugin needs to be installed under hadoop directory)

3. Replaced old/unused properties in ranger-type-security.xml with new properties.

4. RangerBasePlugin.init() updated to initialize Audit Framework

5. PolicyRefresher updated to store/use policies in local cache.


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/2e486daa
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/2e486daa
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/2e486daa

Branch: refs/heads/stack
Commit: 2e486daa43bc219b430ccf73463d5fd65d3a0c79
Parents: 4476585
Author: Madhan Neethiraj <madhan@apache.org>
Authored: Tue Feb 3 15:57:00 2015 -0800
Committer: Madhan Neethiraj <madhan@apache.org>
Committed: Tue Feb 3 15:57:00 2015 -0800

----------------------------------------------------------------------
 agents-common/scripts/enable-agent.sh           |   9 +-
 .../hadoop/config/RangerConfiguration.java      |  82 +++-----
 .../hadoop/constants/RangerHadoopConstants.java |   8 -
 .../plugin/policyengine/RangerResourceImpl.java |   6 +-
 .../ranger/plugin/service/RangerBasePlugin.java |  12 +-
 .../plugin/store/rest/ServiceRESTStore.java     |   5 +-
 .../ranger/plugin/util/PolicyRefresher.java     | 143 ++++++++++++--
 hbase-agent/conf/ranger-hbase-audit-changes.cfg |  34 ++++
 hbase-agent/conf/ranger-hbase-audit.xml         | 191 +++++++++++++++++++
 .../conf/ranger-hbase-security-changes.cfg      |  28 +++
 hbase-agent/conf/ranger-hbase-security.xml      |  72 +++++++
 hbase-agent/conf/xasecure-audit-changes.cfg     |  34 ----
 hbase-agent/conf/xasecure-audit.xml             | 191 -------------------
 .../conf/xasecure-hbase-security-changes.cfg    |  26 ---
 hbase-agent/conf/xasecure-hbase-security.xml    |  85 ---------
 .../hbase/RangerAuthorizationCoprocessor.java   |   4 +-
 hdfs-agent/conf/ranger-hdfs-audit-changes.cfg   |  34 ++++
 hdfs-agent/conf/ranger-hdfs-audit.xml           | 191 +++++++++++++++++++
 .../conf/ranger-hdfs-security-changes.cfg       |  26 +++
 hdfs-agent/conf/ranger-hdfs-security.xml        | 100 ++++++++++
 hdfs-agent/conf/xasecure-audit-changes.cfg      |  34 ----
 hdfs-agent/conf/xasecure-audit.xml              | 191 -------------------
 .../conf/xasecure-hdfs-security-changes.cfg     |  24 ---
 hdfs-agent/conf/xasecure-hdfs-security.xml      | 125 ------------
 .../namenode/RangerFSPermissionChecker.java     |  17 +-
 hive-agent/conf/ranger-hive-audit-changes.cfg   |  34 ++++
 hive-agent/conf/ranger-hive-audit.xml           | 191 +++++++++++++++++++
 .../conf/ranger-hive-security-changes.cfg       |  28 +++
 hive-agent/conf/ranger-hive-security.xml        |  73 +++++++
 hive-agent/conf/xasecure-audit-changes.cfg      |  34 ----
 hive-agent/conf/xasecure-audit.xml              | 191 -------------------
 .../conf/xasecure-hive-security-changes.cfg     |  27 ---
 hive-agent/conf/xasecure-hive-security.xml      |  84 --------
 .../hive/authorizer/RangerHiveAuthorizer.java   |  36 ++--
 .../org/apache/ranger/rest/ServiceREST.java     |   4 +-
 .../conf.dist/security-applicationContext.xml   |   1 +
 36 files changed, 1215 insertions(+), 1160 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/agents-common/scripts/enable-agent.sh
----------------------------------------------------------------------
diff --git a/agents-common/scripts/enable-agent.sh b/agents-common/scripts/enable-agent.sh
index f8d90ad..ebaca12 100755
--- a/agents-common/scripts/enable-agent.sh
+++ b/agents-common/scripts/enable-agent.sh
@@ -105,7 +105,14 @@ PROJ_INSTALL_LIB_DIR="${PROJ_INSTALL_DIR}/install/lib"
 INSTALL_ARGS="${PROJ_INSTALL_DIR}/install.properties"
 JAVA=$JAVA_HOME/bin/java
 
-hdir=${PROJ_INSTALL_DIR}/../${HCOMPONENT_NAME}
+HCOMPONENT_INSTALL_DIR_NAME=$(getInstallProperty 'COMPONENT_INSTALL_DIR_NAME')
+
+if [ "${HCOMPONENT_INSTALL_DIR_NAME}" = "" ]
+then
+	HCOMPONENT_INSTALL_DIR_NAME=${HCOMPONENT_NAME}
+fi
+
+hdir=${PROJ_INSTALL_DIR}/../${HCOMPONENT_INSTALL_DIR_NAME}
 
 #
 # TEST - START
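Review bot: The value read from `COMPONENT_INSTALL_DIR_NAME` is joined into `hdir` without checking that it is a single directory name, so a value containing `/` or `..` in install.properties points every later use of `hdir` at a different tree. Rejecting anything but a plain name before the assignment keeps the script confined to a sibling of `PROJ_INSTALL_DIR`, for example `case "${HCOMPONENT_INSTALL_DIR_NAME}" in */*|..|.) echo "invalid COMPONENT_INSTALL_DIR_NAME"; exit 1;; esac`. The empty-string test reads more directly as `[ -z "${HCOMPONENT_INSTALL_DIR_NAME}" ]`. How `hdir` is used afterwards is outside this hunk.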

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerConfiguration.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerConfiguration.java b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerConfiguration.java
index 796776a..7c81d09 100644
--- a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerConfiguration.java
+++ b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerConfiguration.java
@@ -28,7 +28,6 @@ import java.util.Properties;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.log4j.Logger;
 import org.apache.ranger.audit.provider.AuditProviderFactory;
-import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants;
 
 public class RangerConfiguration extends Configuration {
 	
@@ -38,36 +37,28 @@ public class RangerConfiguration extends Configuration {
 	
 	private RangerConfiguration() {
 		super(false) ;
+	}
+
+	public void addResourcesForServiceType(String serviceType) {
+		String auditCfg    = "ranger-" + serviceType + "-audit.xml";
+		String securityCfg = "ranger-" + serviceType + "-security.xml";
 		
-		//
-		// WorkAround for having all Hadoop Configuration in the CLASSPATH first, even if it is invoked by Hive Engine.
-		// 
-		//   So, we look for "hive-site.xml", if it is available, take the xasecure-audit.xml file from the same location.
-		//   If we do not see "hive-site.xml", we look for "hbase-site.xml", if found, take the xasecure-audit.xml file from the same location.
-		//   If we do not see "hbase-site.xml", we look for "hdfs-site.xml", if found, take the xasecure-audit.xml file from the same location.
-		//   If we do not see, we let the CLASSPATH based search to find xasecure-audit.xml file.
-		
-		
-		URL auditFileLocation = getRangerAuditXMLFileLocation() ;
-		
-		if (auditFileLocation != null) {
-			addResource(auditFileLocation) ;
-		}
-		else {
-			addResourceIfReadable(RangerHadoopConstants.RANGER_AUDIT_FILE) ;
-		}
-		addResourceIfReadable(RangerHadoopConstants.RANGER_HDFS_SECURITY_FILE);
-		addResourceIfReadable(RangerHadoopConstants.RANGER_KNOX_SECURITY_FILE);
-		addResourceIfReadable(RangerHadoopConstants.RANGER_HBASE_SECURITY_FILE) ;
-		addResourceIfReadable(RangerHadoopConstants.RANGER_HIVE_SECURITY_FILE) ;
-		addResourceIfReadable(RangerHadoopConstants.RANGER_STORM_SECURITY_FILE);
-		
+		addResourceIfReadable(auditCfg);
+		addResourceIfReadable(securityCfg);
 	}
-	
+
 	@SuppressWarnings("deprecation")
 	private void addResourceIfReadable(String aResourceName) {
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> addResourceIfReadable(" + aResourceName + ")");
+		}
+
 		String fName = getFileLocation(aResourceName) ;
 		if (fName != null) {
+			if(LOG.isDebugEnabled()) {
+				LOG.debug("<== addResourceIfReadable(" + aResourceName + "): resource file is " + fName);
+			}
+
 			File f = new File(fName) ;
 			if (f.exists() && f.canRead()) {
 				URL fUrl = null ;
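Review bot: A plugin whose `ranger-<type>-security.xml` or `ranger-<type>-audit.xml` cannot be found now starts without those settings and logs nothing above debug level. `addResourcesForServiceType` returns void, and the two failure branches added to `addResourceIfReadable` in the next hunk ("resource not readable" and "couldn't find resource file location") are both guarded by `LOG.isDebugEnabled()`. For files that carry authorization and audit settings those branches should log at warn, e.g. `LOG.warn("addResourceIfReadable(" + aResourceName + "): couldn't find resource file location");`. `serviceType` is also concatenated unchecked, so a null yields `ranger-null-audit.xml`; a `@param` comment requiring a non-empty service-type name would document that. The body of `addResourceIfReadable` continues outside this hunk.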
@@ -75,10 +66,24 @@ public class RangerConfiguration extends Configuration {
 					fUrl = f.toURL() ;
 					addResource(fUrl) ;
 				} catch (MalformedURLException e) {
-					LOG.debug("Unable to find URL for the resource name [" + aResourceName +"]. Ignoring the resource:" + aResourceName);
+					if(LOG.isDebugEnabled()) {
+						LOG.debug("Unable to find URL for the resource name [" + aResourceName +"]. Ignoring the resource:" + aResourceName);
+					}
 				}
+			} else {
+				if(LOG.isDebugEnabled()) {
+					LOG.debug("<== addResourceIfReadable(" + aResourceName + "): resource not readable");
+				}
+			}
+		} else {
+			if(LOG.isDebugEnabled()) {
+				LOG.debug("<== addResourceIfReadable(" + aResourceName + "): couldn't find resource file location");
 			}
 		}
+
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== addResourceIfReadable(" + aResourceName + ")");
+		}
 	}
 	
 
@@ -118,31 +123,6 @@ public class RangerConfiguration extends Configuration {
 
 		return auditFactory != null && auditFactory.isInitDone();
 	}
-
-	
-	@SuppressWarnings("deprecation")
-	public  URL getRangerAuditXMLFileLocation() {
-		URL ret = null ;
-
-		try {
-			for(String  cfgFile : 	new String[] {  "hive-site.xml",  "hbase-site.xml",  "hdfs-site.xml" } ) {
-				String loc = getFileLocation(cfgFile) ;
-				if (loc != null) {
-					if (new File(loc).canRead()) {
-						File parentFile = new File(loc).getParentFile() ;
-						ret = new File(parentFile, RangerHadoopConstants.RANGER_AUDIT_FILE).toURL() ;
-						break ;
-					}
-				}
-			}
-		}
-		catch(Throwable t) {
-			LOG.error("Unable to locate audit file location." , t) ;
-			ret = null ;
-		}
-		
-		return ret ;
-	}
 	
 	private String getFileLocation(String fileName) {
 		

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
index 906e941..652d105 100644
--- a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
+++ b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java
@@ -20,14 +20,6 @@ package org.apache.ranger.authorization.hadoop.constants;
 
 public class RangerHadoopConstants {
 	
-	public static final String RANGER_AUDIT_FILE          = "xasecure-audit.xml" ; 
-	public static final String RANGER_HDFS_SECURITY_FILE  = "xasecure-hdfs-security.xml" ; 
-	public static final String RANGER_KNOX_SECURITY_FILE  = "xasecure-knox-security.xml" ; 
-	public static final String RANGER_HBASE_SECURITY_FILE = "xasecure-hbase-security.xml" ; 
-	public static final String RANGER_HIVE_SECURITY_FILE  = "xasecure-hive-security.xml" ; 
-	public static final String RANGER_POLICYMGR_SSL_FILE  = "xasecure-policymgr-ssl.xml"  ;
-	public static final String RANGER_STORM_SECURITY_FILE = "xasecure-storm-security.xml" ;
-	
 	public static final String RANGER_ADD_HDFS_PERMISSION_PROP = "xasecure.add-hadoop-authorization" ;
 	public static final boolean RANGER_ADD_HDFS_PERMISSION_DEFAULT = false ;
 	public static final String READ_ACCCESS_TYPE = "read";

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java
index 86f7ea4..740a427 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java
@@ -75,7 +75,11 @@ public class RangerResourceImpl implements RangerMutableResource {
 			elements = new HashMap<String, String>();
 		}
 
-		elements.put(name, value);
+		if(value == null) {
+			elements.remove(name);
+		} else {
+			elements.put(name, value);
+		}
 	}
 
 	@Override
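Review bot: Passing a null value now removes the element instead of storing a null entry, which changes what callers see from key-presence checks on `elements`, and nothing at the method says so. A one-line comment above the branch would record the contract, e.g. `// a null value clears the element rather than storing a null entry`. The method's signature is outside the hunk.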

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 8f1fa5f..f442b9a 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -35,19 +35,25 @@ import org.apache.ranger.plugin.util.PolicyRefresher;
 
 public class RangerBasePlugin {
 	private String             serviceType  = null;
+	private String             auditAppType = null;
 	private String             serviceName  = null;
 	private RangerPolicyEngine policyEngine = null;
 	private PolicyRefresher    refresher    = null;
 
 
-	public RangerBasePlugin(String serviceType) {
-		this.serviceType = serviceType;
+	public RangerBasePlugin(String serviceType, String auditAppType) {
+		this.serviceType  = serviceType;
+		this.auditAppType = auditAppType;
 	}
 
 	public String getServiceType() {
 		return serviceType;
 	}
 
+	public String getAuditAppType() {
+		return auditAppType;
+	}
+
 	public String getServiceName() {
 		return serviceName;
 	}
@@ -65,6 +71,8 @@ public class RangerBasePlugin {
 	public synchronized void init(RangerPolicyEngine policyEngine) {
 		cleanup();
 
+		RangerConfiguration.getInstance().addResourcesForServiceType(serviceType);
+		RangerConfiguration.getInstance().initAudit(auditAppType);
 
 		String serviceName       = RangerConfiguration.getInstance().get("ranger.plugin." + serviceType + ".service.name");
 		String serviceStoreClass = RangerConfiguration.getInstance().get("ranger.plugin." + serviceType + ".service.store.class", "org.apache.ranger.plugin.store.rest.ServiceRESTStore");
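Review bot: `initAudit(auditAppType)` is called without checking that audit initialisation succeeded, so `init` may go on to load policies and authorize with no audit provider running; what `initAudit` does on failure is not shown on this page. RangerConfiguration already has a check that returns `auditFactory != null && auditFactory.isInitDone()` (visible as context in an earlier hunk), and logging a warning when it is false after the call would make an unaudited plugin visible. Both added calls also run on every `init`, so the same two resources are added to the shared configuration each time unless `addResource` de-duplicates, which is not visible here. `init` continues past the end of this hunk.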

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java
index dd3624b..2318f76 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java
@@ -64,7 +64,7 @@ public class ServiceRESTStore implements ServiceStore {
 	public final String REST_URL_POLICY_GET_ALL     = "/service/plugins/policies";
 	public final String REST_URL_POLICY_GET_FOR_SERVICE         = "/service/plugins/policies/service/";
 	public final String REST_URL_POLICY_GET_FOR_SERVICE_BY_NAME = "/service/plugins/policies/service/name/";
-	public final String REST_URL_POLICY_GET_FOR_SERVICE_IF_UPDATED = "/service/plugins/policies/service/name/";
+	public final String REST_URL_POLICY_GET_FOR_SERVICE_IF_UPDATED = "/service/plugins/policies/download/";
 
 	public static final String REST_MIME_TYPE_JSON = "application/json" ;
 
@@ -83,12 +83,9 @@ public class ServiceRESTStore implements ServiceStore {
 	@Override
 	public void init() throws Exception {
 		String restUrl       = RangerConfiguration.getInstance().get("ranger.service.store.rest.url", "http://localhost:6080");
-		String restUsername  = RangerConfiguration.getInstance().get("ranger.service.store.rest.username", "admin");
-		String restPassword  = RangerConfiguration.getInstance().get("ranger.service.store.rest.password", "admin");
 		String sslConfigFile = RangerConfiguration.getInstance().get("ranger.service.store.rest.ssl.config.file", "");
 
 		restClient = new RangerRESTClient(restUrl, sslConfigFile);
-		restClient.setBasicAuthInfo(restUsername, restPassword);
 	}
 
 	@Override
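Review bot: With `setBasicAuthInfo` removed the client sends no credentials, and `restUrl` still defaults to `http://localhost:6080`, so only the transport authenticates the policy source. Policies fetched through this store are handed to the policy engine by PolicyRefresher, so a plain-http URL or an empty `ranger.service.store.rest.ssl.config.file` deserves a startup warning, along the lines of `if(!restUrl.startsWith("https://")) { /* log a warning naming restUrl */ }`. A comment on `init` stating that the download endpoint is expected to be reachable without user credentials would also explain why the username/password properties were dropped. How RangerRESTClient validates the server certificate is not visible here.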

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
index 7112562..152309d 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
@@ -19,11 +19,21 @@
 
 package org.apache.ranger.plugin.util;
 
+import java.io.File;
+import java.io.FileReader;
+import java.io.FileWriter;
+import java.io.Reader;
+import java.io.Writer;
+
+import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
 import org.apache.ranger.plugin.store.ServiceStore;
 
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+
 
 public class PolicyRefresher extends Thread {
 	private static final Log LOG = LogFactory.getLog(PolicyRefresher.class);
@@ -33,14 +43,17 @@ public class PolicyRefresher extends Thread {
 	private String             serviceName       = null;
 	private ServiceStore       serviceStore      = null;
 	private long               pollingIntervalMs = 30 * 1000;
+	private String             cacheFile         = null;
+
+	private boolean shutdownFlag     = false;
+	private long    lastKnownVersion = -1;
+	private Gson    gson             = null;
 
-	private boolean         shutdownFlag      = false;
-	private ServicePolicies lastKnownPolicies = null;
 
 
 	public PolicyRefresher(RangerPolicyEngine policyEngine, String serviceType, String serviceName, ServiceStore serviceStore, long pollingIntervalMs, String cacheDir) {
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> PolicyRefresher.PolicyRefresher(serviceName=" + serviceName + ")");
+			LOG.debug("==> PolicyRefresher(serviceName=" + serviceName + ").PolicyRefresher()");
 		}
 
 		this.policyEngine      = policyEngine;
@@ -48,9 +61,16 @@ public class PolicyRefresher extends Thread {
 		this.serviceName       = serviceName;
 		this.serviceStore      = serviceStore;
 		this.pollingIntervalMs = pollingIntervalMs;
+		this.cacheFile         = cacheDir == null ? null : (cacheDir + File.separator + String.format("%s_%s.json", serviceType, serviceName));
+
+        try {
+        	this.gson = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z").setPrettyPrinting().create();
+		} catch(Throwable excp) {
+			LOG.fatal("PolicyRefresher(): failed to create GsonBuilder object", excp);
+		}
 
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("<== PolicyRefresher.PolicyRefresher(serviceName=" + serviceName + ")");
+			LOG.debug("<== PolicyRefresher(serviceName=" + serviceName + ").PolicyRefresher()");
 		}
 	}
 
@@ -96,7 +116,10 @@ public class PolicyRefresher extends Thread {
 		this.pollingIntervalMs = pollingIntervalMilliSeconds;
 	}
 
+
 	public void startRefresher() {
+		loadFromCache();
+
 		shutdownFlag = false;
 
 		super.start();
@@ -108,34 +131,38 @@ public class PolicyRefresher extends Thread {
 
 	public void run() {
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("==> PolicyRefresher.run()");
+			LOG.debug("==> PolicyRefresher(serviceName=" + serviceName + ").run()");
 		}
 
 		while(! shutdownFlag) {
 			try {
-				long lastKnownVersion = (lastKnownPolicies == null || lastKnownPolicies.getPolicyVersion() == null) ? 0 : lastKnownPolicies.getPolicyVersion().longValue();
-
 				ServicePolicies svcPolicies = serviceStore.getServicePoliciesIfUpdated(serviceName, lastKnownVersion);
 
-				long newVersion = (svcPolicies == null || svcPolicies.getPolicyVersion() == null) ? 0 : svcPolicies.getPolicyVersion().longValue();
+				long newVersion = (svcPolicies == null || svcPolicies.getPolicyVersion() == null) ? -1 : svcPolicies.getPolicyVersion().longValue();
 
-				boolean isUpdated = newVersion != 0 && lastKnownVersion != newVersion;
+				boolean isUpdated = newVersion != -1 && lastKnownVersion != newVersion;
 
 				if(isUpdated) {
-					if(LOG.isDebugEnabled()) {
-						LOG.debug("PolicyRefresher(serviceName=" + serviceName + ").run(): found updated version. lastKnownVersion=" + lastKnownVersion + "; newVersion=" + newVersion);
+		        	if(!StringUtils.equals(serviceName, svcPolicies.getServiceName())) {
+		        		LOG.warn("PolicyRefresher(serviceName=" + serviceName + "): ignoring unexpected serviceName '" + svcPolicies.getServiceName() + "' in service-store");
+		        	}
+
+		        	if(LOG.isDebugEnabled()) {
+						LOG.debug("PolicyRefresher(serviceName=" + serviceName + "): found updated version. lastKnownVersion=" + lastKnownVersion + "; newVersion=" + newVersion);
 					}
 
+					saveToCache(svcPolicies);
+
+		        	lastKnownVersion = svcPolicies.getPolicyVersion() == null ? -1 : svcPolicies.getPolicyVersion().longValue();
+
 					policyEngine.setPolicies(serviceName, svcPolicies.getServiceDef(), svcPolicies.getPolicies());
-					
-					lastKnownPolicies = svcPolicies;
 				} else {
 					if(LOG.isDebugEnabled()) {
 						LOG.debug("PolicyRefresher(serviceName=" + serviceName + ").run(): no update found. lastKnownVersion=" + lastKnownVersion + "; newVersion=" + newVersion);
 					}
 				}
 			} catch(Exception excp) {
-				LOG.error("PolicyRefresher(serviceName=" + serviceName + ").run(): ", excp);
+				LOG.error("PolicyRefresher(serviceName=" + serviceName + "): failed to refresh policies. Will continue to use last known version of policies (" + lastKnownVersion + ")", excp);
 			}
 
 			try {
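Review bot: The serviceName check logs "ignoring unexpected serviceName" but skips nothing: the mismatched `svcPolicies` are still written to the cache and passed to `policyEngine.setPolicies` under this plugin's `serviceName`. If the intent is to reject policies that belong to another service, the save/apply lines belong in an `else` of that check; if the intent is only to disregard the name, the message should say the policies are applied anyway. The same check-then-apply pattern appears in `loadFromCache` in the last hunk of this file. Separately, `lastKnownVersion` is advanced before `setPolicies` runs, so an exception from `setPolicies` leaves the engine on the old policies while the refresher stops asking for the new version; moving the assignment after the call avoids that. `run` continues outside the hunk.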
@@ -148,7 +175,93 @@ public class PolicyRefresher extends Thread {
 		}
 
 		if(LOG.isDebugEnabled()) {
-			LOG.debug("<== PolicyRefresher.run()");
+			LOG.debug("<== PolicyRefresher(serviceName=" + serviceName + ").run()");
+		}
+	}
+
+	private void loadFromCache() {
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> PolicyRefresher(serviceName=" + serviceName + ").loadFromCache()");
+		}
+
+		RangerPolicyEngine policyEngine = this.policyEngine;
+
+		if(policyEngine != null) {
+	    	File cacheFile = StringUtils.isEmpty(this.cacheFile) ? null : new File(this.cacheFile);
+
+	    	if(cacheFile != null && cacheFile.isFile() && cacheFile.canRead()) {
+	    		Reader reader = null;
+
+	    		try {
+		        	reader = new FileReader(cacheFile);
+
+			        ServicePolicies policies = gson.fromJson(reader, ServicePolicies.class);
+
+			        if(policies != null) {
+			        	if(!StringUtils.equals(serviceName, policies.getServiceName())) {
+			        		LOG.warn("ignoring unexpected serviceName '" + policies.getServiceName() + "' in cache file '" + cacheFile.getAbsolutePath() + "'");
+			        	}
+
+			        	lastKnownVersion = policies.getPolicyVersion() == null ? -1 : policies.getPolicyVersion().longValue();
+
+			        	policyEngine.setPolicies(serviceName, policies.getServiceDef(), policies.getPolicies());
+			        }
+		        } catch (Exception excp) {
+		        	LOG.error("failed to load policies from cache file " + cacheFile.getAbsolutePath(), excp);
+		        } finally {
+		        	if(reader != null) {
+		        		try {
+		        			reader.close();
+		        		} catch(Exception excp) {
+		        			LOG.error("error while closing opened cache file " + cacheFile.getAbsolutePath(), excp);
+		        		}
+		        	}
+		        }
+			} else {
+				LOG.warn("cache file does not exist or not readble '" + (cacheFile == null ? null : cacheFile.getAbsolutePath()) + "'");
+			}
+		} else {
+			LOG.warn("policyEngine is null");
+		}
+
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== PolicyRefresher(serviceName=" + serviceName + ").loadFromCache()");
+		}
+	}
+
+	private void saveToCache(ServicePolicies policies) {
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("==> PolicyRefresher(serviceName=" + serviceName + ").saveToCache()");
+		}
+
+		if(policies != null) {
+	    	File cacheFile = StringUtils.isEmpty(this.cacheFile) ? null : new File(this.cacheFile);
+
+	    	if(cacheFile != null) {
+				Writer writer = null;
+	
+				try {
+					writer = new FileWriter(cacheFile);
+	
+			        gson.toJson(policies, writer);
+		        } catch (Exception excp) {
+		        	LOG.error("failed to save policies to cache file '" + cacheFile.getAbsolutePath() + "'", excp);
+		        } finally {
+		        	if(writer != null) {
+		        		try {
+		        			writer.close();
+		        		} catch(Exception excp) {
+		        			LOG.error("error while closing opened cache file '" + cacheFile.getAbsolutePath() + "'", excp);
+		        		}
+		        	}
+		        }
+	    	}
+		} else {
+			LOG.info("policies is null. Nothing to save in cache");
+		}
+
+		if(LOG.isDebugEnabled()) {
+			LOG.debug("<== PolicyRefresher(serviceName=" + serviceName + ").saveToCache()");
 		}
 	}
 }

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hbase-agent/conf/ranger-hbase-audit-changes.cfg
----------------------------------------------------------------------
diff --git a/hbase-agent/conf/ranger-hbase-audit-changes.cfg b/hbase-agent/conf/ranger-hbase-audit-changes.cfg
new file mode 100644
index 0000000..cbaf227
--- /dev/null
+++ b/hbase-agent/conf/ranger-hbase-audit-changes.cfg
@@ -0,0 +1,34 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+xasecure.audit.db.is.enabled                        %XAAUDIT.DB.IS_ENABLED%                                         mod create-if-not-exists
+xasecure.audit.jpa.javax.persistence.jdbc.url		%XAAUDIT_DB_JDBC_URL%											mod create-if-not-exists
+xasecure.audit.jpa.javax.persistence.jdbc.user		%XAAUDIT.DB.USER_NAME% 											mod create-if-not-exists
+xasecure.audit.jpa.javax.persistence.jdbc.password	crypted 											mod create-if-not-exists
+xasecure.audit.repository.name						%REPOSITORY_NAME% 												mod create-if-not-exists
+xasecure.audit.credential.provider.file     		jceks://file%CREDENTIAL_PROVIDER_FILE% 							mod create-if-not-exists
+xasecure.audit.jpa.javax.persistence.jdbc.driver	%XAAUDIT_DB_JDBC_DRIVER% 										mod create-if-not-exists
+
+xasecure.audit.hdfs.is.enabled                                     %XAAUDIT.HDFS.IS_ENABLED%                               mod create-if-not-exists
+xasecure.audit.hdfs.config.destination.directory                   %XAAUDIT.HDFS.DESTINATION_DIRECTORY%                    mod create-if-not-exists
+xasecure.audit.hdfs.config.destination.file                        %XAAUDIT.HDFS.DESTINTATION_FILE%                        mod create-if-not-exists
+xasecure.audit.hdfs.config.destination.flush.interval.seconds      %XAAUDIT.HDFS.DESTINTATION_FLUSH_INTERVAL_SECONDS%      mod create-if-not-exists
+xasecure.audit.hdfs.config.destination.rollover.interval.seconds   %XAAUDIT.HDFS.DESTINTATION_ROLLOVER_INTERVAL_SECONDS%   mod create-if-not-exists
+xasecure.audit.hdfs.config.destination.open.retry.interval.seconds %XAAUDIT.HDFS.DESTINTATION_OPEN_RETRY_INTERVAL_SECONDS% mod create-if-not-exists
+xasecure.audit.hdfs.config.local.buffer.directory                  %XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY%                   mod create-if-not-exists
+xasecure.audit.hdfs.config.local.buffer.file                       %XAAUDIT.HDFS.LOCAL_BUFFER_FILE%                        mod create-if-not-exists
+xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds     %XAAUDIT.HDFS.LOCAL_BUFFER_FLUSH_INTERVAL_SECONDS%      mod create-if-not-exists
+xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds  %XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS%   mod create-if-not-exists
+xasecure.audit.hdfs.config.local.archive.directory                 %XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY%                  mod create-if-not-exists
+xasecure.audit.hdfs.config.local.archive.max.file.count            %XAAUDIT.HDFS.LOCAL_ARCHIVE_MAX_FILE_COUNT%             mod create-if-not-exists

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hbase-agent/conf/ranger-hbase-audit.xml
----------------------------------------------------------------------
diff --git a/hbase-agent/conf/ranger-hbase-audit.xml b/hbase-agent/conf/ranger-hbase-audit.xml
new file mode 100644
index 0000000..be2661a
--- /dev/null
+++ b/hbase-agent/conf/ranger-hbase-audit.xml
@@ -0,0 +1,191 @@
+<?xml version="1.0"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
+	<property>
+		<name>xasecure.audit.is.enabled</name>
+		<value>true</value>
+	</property>	
+	
+	<property>
+		<name>xasecure.audit.repository.name</name>
+		<value>hbasedev</value>
+	</property>	
+	
+
+	<!-- DB audit provider configuration -->
+	<property>
+		<name>xasecure.audit.db.is.enabled</name>
+		<value>false</value>
+	</property>	
+	
+	<property>
+		<name>xasecure.audit.db.is.async</name>
+		<value>true</value>
+	</property>	
+	
+	<property>
+		<name>xasecure.audit.db.async.max.queue.size</name>
+		<value>10240</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.db.async.max.flush.interval.ms</name>
+		<value>30000</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.db.batch.size</name>
+		<value>100</value>
+	</property>	
+
+	<!--  Properties whose name begin with "xasecure.audit.jpa." are used to configure JPA -->
+	<property>
+		<name>xasecure.audit.jpa.javax.persistence.jdbc.url</name>
+		<value>jdbc:mysql://localhost:3306/ranger_audit</value>
+	</property>
+
+	<property>
+		<name>xasecure.audit.jpa.javax.persistence.jdbc.user</name>
+		<value>rangerlogger</value>
+	</property>
+
+	<property>
+		<name>xasecure.audit.jpa.javax.persistence.jdbc.password</name>
+		<value>none</value>
+	</property>
+
+	<property>
+		<name>xasecure.audit.jpa.javax.persistence.jdbc.driver</name>
+		<value>com.mysql.jdbc.Driver</value>
+	</property>
+
+	<property>
+		<name>xasecure.audit.credential.provider.file</name>
+		<value>jceks://file/etc/ranger/hbasedev/auditcred.jceks</value>
+	</property>
+
+
+	<!-- HDFS audit provider configuration -->
+	<property>
+		<name>xasecure.audit.hdfs.is.enabled</name>
+		<value>false</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.is.async</name>
+		<value>true</value>
+	</property>	
+	
+	<property>
+		<name>xasecure.audit.hdfs.async.max.queue.size</name>
+		<value>1048576</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.async.max.flush.interval.ms</name>
+		<value>30000</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.encoding</name>
+		<value></value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.destination.directory</name>
+		<value>hdfs://NAMENODE_HOST:8020/ranger/audit/%app-type%/%time:yyyyMMdd%</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.destination.file</name>
+		<value>%hostname%-audit.log</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.destination.flush.interval.seconds</name>
+		<value>900</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.destination.rollover.interval.seconds</name>
+		<value>86400</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.destination.open.retry.interval.seconds</name>
+		<value>60</value>
+	</property>
+
+	<property>
+		<name>xasecure.audit.hdfs.config.local.buffer.directory</name>
+		<value>/var/log/hbase/audit/%app-type%</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.local.buffer.file</name>
+		<value>%time:yyyyMMdd-HHmm.ss%.log</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.local.buffer.file.buffer.size.bytes</name>
+		<value>8192</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds</name>
+		<value>60</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds</name>
+		<value>600</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.local.archive.directory</name>
+		<value>/var/log/hbase/audit/archive/%app-type%</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.local.archive.max.file.count</name>
+		<value>10</value>
+	</property>	
+	
+
+	<!-- Log4j audit provider configuration -->
+	<property>
+		<name>xasecure.audit.log4j.is.enabled</name>
+		<value>false</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.log4j.is.async</name>
+		<value>false</value>
+	</property>	
+	
+	<property>
+		<name>xasecure.audit.log4j.async.max.queue.size</name>
+		<value>10240</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.log4j.async.max.flush.interval.ms</name>
+		<value>30000</value>
+	</property>	
+</configuration>

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hbase-agent/conf/ranger-hbase-security-changes.cfg
----------------------------------------------------------------------
diff --git a/hbase-agent/conf/ranger-hbase-security-changes.cfg b/hbase-agent/conf/ranger-hbase-security-changes.cfg
new file mode 100644
index 0000000..28f84e7
--- /dev/null
+++ b/hbase-agent/conf/ranger-hbase-security-changes.cfg
@@ -0,0 +1,28 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Change the original policy parameter to work with policy manager based.
+# 
+#
+ranger.plugin.hbase.service.name					%REPOSITORY_NAME% 										mod create-if-not-exists
+
+ranger.plugin.hbase.service.store.class				org.apache.ranger.plugin.store.rest.ServiceRESTStore	mod create-if-not-exists
+ranger.plugin.hbase.service.store.cache.dir			%POLICY_CACHE_FILE_PATH% 								mod create-if-not-exists
+ranger.plugin.hbase.service.store.pollIntervalMs	30000 													mod create-if-not-exists
+
+ranger.service.store.rest.url						%POLICY_MGR_URL% 										mod create-if-not-exists
+ranger.service.store.rest.ssl.config.file			/etc/hbase/conf/ranger-policymgr-ssl.xml				mod create-if-not-exists
+
+xasecure.hbase.update.xapolicies.on.grant.revoke	%UPDATE_XAPOLICIES_ON_GRANT_REVOKE%						mod create-if-not-exists

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hbase-agent/conf/ranger-hbase-security.xml
----------------------------------------------------------------------
diff --git a/hbase-agent/conf/ranger-hbase-security.xml b/hbase-agent/conf/ranger-hbase-security.xml
new file mode 100644
index 0000000..697ab86
--- /dev/null
+++ b/hbase-agent/conf/ranger-hbase-security.xml
@@ -0,0 +1,72 @@
+<?xml version="1.0"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
+	<property>
+		<name>ranger.plugin.hbase.service.name</name>
+		<value>hbasedev</value>
+		<description>
+			Name of the Ranger service containing policies for this YARN instance
+		</description>
+	</property>
+
+	<property>
+		<name>ranger.plugin.hbase.service.store.class</name>
+		<value>org.apache.ranger.plugin.store.rest.ServiceRESTStore</value>
+		<description>
+			Service storage implementation class to use to retrieve policies
+		</description>
+	</property>
+
+	<property>
+		<name>ranger.plugin.hbase.service.store.pollIntervalMs</name>
+		<value>30000</value>
+		<description>
+			How often to poll for changes in policies?
+		</description>
+	</property>
+
+	<property>
+		<name>ranger.plugin.hbase.service.store.cache.dir</name>
+		<value>/etc/ranger/hbasedev/policycache</value>
+		<description>
+			Directory where Ranger policies are cached after successful retrieval from the store
+		</description>
+	</property>
+
+	<!-- The following properties are used only when Ranger Admin REST interface is used to retrieve the policies -->
+	<property>
+		<name>ranger.service.store.rest.url</name>
+		<value>http://policymanagerhost:port</value>
+		<description>
+			URL to Ranger Admin
+		</description>
+	</property>
+
+	<property>
+		<name>ranger.service.store.rest.ssl.config.file</name>
+		<value>/etc/hbase/conf/ranger-policymgr-ssl.xml</value>
+		<description>Path to the file containing SSL details to contact Ranger Admin</description>
+	</property>
+
+	<property>
+		<name>xasecure.hbase.update.xapolicies.on.grant.revoke</name>
+		<value>true</value>
+		<description>Should Hbase plugin update Ranger policies for updates to permissions done using GRANT/REVOKE?</description>
+	</property>
+</configuration>
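Review bot: The sample value for `ranger.service.store.rest.url` is `http://policymanagerhost:port`, and its description (`URL to Ranger Admin`) does not mention that, per the comment above it, this is the endpoint the plugin retrieves its policies from. A deployment that copies this file and fills in only host and port would pull authorization policy over cleartext HTTP, even though `ranger.service.store.rest.ssl.config.file` is defined right below it. I would reword the description along the lines of `URL to Ranger Admin, from which policies are retrieved; use https:// outside test setups, with ranger.service.store.rest.ssl.config.file pointing at the matching SSL details`. Separately, the description of `ranger.plugin.hbase.service.name` says `for this YARN instance`, which in the HBase plugin's file should read `for this HBase instance`.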

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hbase-agent/conf/xasecure-audit-changes.cfg
----------------------------------------------------------------------
diff --git a/hbase-agent/conf/xasecure-audit-changes.cfg b/hbase-agent/conf/xasecure-audit-changes.cfg
deleted file mode 100644
index cbaf227..0000000
--- a/hbase-agent/conf/xasecure-audit-changes.cfg
+++ /dev/null
@@ -1,34 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements.  See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-xasecure.audit.db.is.enabled                        %XAAUDIT.DB.IS_ENABLED%                                         mod create-if-not-exists
-xasecure.audit.jpa.javax.persistence.jdbc.url		%XAAUDIT_DB_JDBC_URL%											mod create-if-not-exists
-xasecure.audit.jpa.javax.persistence.jdbc.user		%XAAUDIT.DB.USER_NAME% 											mod create-if-not-exists
-xasecure.audit.jpa.javax.persistence.jdbc.password	crypted 											mod create-if-not-exists
-xasecure.audit.repository.name						%REPOSITORY_NAME% 												mod create-if-not-exists
-xasecure.audit.credential.provider.file     		jceks://file%CREDENTIAL_PROVIDER_FILE% 							mod create-if-not-exists
-xasecure.audit.jpa.javax.persistence.jdbc.driver	%XAAUDIT_DB_JDBC_DRIVER% 										mod create-if-not-exists
-
-xasecure.audit.hdfs.is.enabled                                     %XAAUDIT.HDFS.IS_ENABLED%                               mod create-if-not-exists
-xasecure.audit.hdfs.config.destination.directory                   %XAAUDIT.HDFS.DESTINATION_DIRECTORY%                    mod create-if-not-exists
-xasecure.audit.hdfs.config.destination.file                        %XAAUDIT.HDFS.DESTINTATION_FILE%                        mod create-if-not-exists
-xasecure.audit.hdfs.config.destination.flush.interval.seconds      %XAAUDIT.HDFS.DESTINTATION_FLUSH_INTERVAL_SECONDS%      mod create-if-not-exists
-xasecure.audit.hdfs.config.destination.rollover.interval.seconds   %XAAUDIT.HDFS.DESTINTATION_ROLLOVER_INTERVAL_SECONDS%   mod create-if-not-exists
-xasecure.audit.hdfs.config.destination.open.retry.interval.seconds %XAAUDIT.HDFS.DESTINTATION_OPEN_RETRY_INTERVAL_SECONDS% mod create-if-not-exists
-xasecure.audit.hdfs.config.local.buffer.directory                  %XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY%                   mod create-if-not-exists
-xasecure.audit.hdfs.config.local.buffer.file                       %XAAUDIT.HDFS.LOCAL_BUFFER_FILE%                        mod create-if-not-exists
-xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds     %XAAUDIT.HDFS.LOCAL_BUFFER_FLUSH_INTERVAL_SECONDS%      mod create-if-not-exists
-xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds  %XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS%   mod create-if-not-exists
-xasecure.audit.hdfs.config.local.archive.directory                 %XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY%                  mod create-if-not-exists
-xasecure.audit.hdfs.config.local.archive.max.file.count            %XAAUDIT.HDFS.LOCAL_ARCHIVE_MAX_FILE_COUNT%             mod create-if-not-exists

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hbase-agent/conf/xasecure-audit.xml
----------------------------------------------------------------------
diff --git a/hbase-agent/conf/xasecure-audit.xml b/hbase-agent/conf/xasecure-audit.xml
deleted file mode 100644
index be2661a..0000000
--- a/hbase-agent/conf/xasecure-audit.xml
+++ /dev/null
@@ -1,191 +0,0 @@
-<?xml version="1.0"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
-
-      http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
--->
-<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
-<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
-	<property>
-		<name>xasecure.audit.is.enabled</name>
-		<value>true</value>
-	</property>	
-	
-	<property>
-		<name>xasecure.audit.repository.name</name>
-		<value>hbasedev</value>
-	</property>	
-	
-
-	<!-- DB audit provider configuration -->
-	<property>
-		<name>xasecure.audit.db.is.enabled</name>
-		<value>false</value>
-	</property>	
-	
-	<property>
-		<name>xasecure.audit.db.is.async</name>
-		<value>true</value>
-	</property>	
-	
-	<property>
-		<name>xasecure.audit.db.async.max.queue.size</name>
-		<value>10240</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.db.async.max.flush.interval.ms</name>
-		<value>30000</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.db.batch.size</name>
-		<value>100</value>
-	</property>	
-
-	<!--  Properties whose name begin with "xasecure.audit.jpa." are used to configure JPA -->
-	<property>
-		<name>xasecure.audit.jpa.javax.persistence.jdbc.url</name>
-		<value>jdbc:mysql://localhost:3306/ranger_audit</value>
-	</property>
-
-	<property>
-		<name>xasecure.audit.jpa.javax.persistence.jdbc.user</name>
-		<value>rangerlogger</value>
-	</property>
-
-	<property>
-		<name>xasecure.audit.jpa.javax.persistence.jdbc.password</name>
-		<value>none</value>
-	</property>
-
-	<property>
-		<name>xasecure.audit.jpa.javax.persistence.jdbc.driver</name>
-		<value>com.mysql.jdbc.Driver</value>
-	</property>
-
-	<property>
-		<name>xasecure.audit.credential.provider.file</name>
-		<value>jceks://file/etc/ranger/hbasedev/auditcred.jceks</value>
-	</property>
-
-
-	<!-- HDFS audit provider configuration -->
-	<property>
-		<name>xasecure.audit.hdfs.is.enabled</name>
-		<value>false</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.is.async</name>
-		<value>true</value>
-	</property>	
-	
-	<property>
-		<name>xasecure.audit.hdfs.async.max.queue.size</name>
-		<value>1048576</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.async.max.flush.interval.ms</name>
-		<value>30000</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.encoding</name>
-		<value></value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.destination.directory</name>
-		<value>hdfs://NAMENODE_HOST:8020/ranger/audit/%app-type%/%time:yyyyMMdd%</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.destination.file</name>
-		<value>%hostname%-audit.log</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.destination.flush.interval.seconds</name>
-		<value>900</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.destination.rollover.interval.seconds</name>
-		<value>86400</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.destination.open.retry.interval.seconds</name>
-		<value>60</value>
-	</property>
-
-	<property>
-		<name>xasecure.audit.hdfs.config.local.buffer.directory</name>
-		<value>/var/log/hbase/audit/%app-type%</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.local.buffer.file</name>
-		<value>%time:yyyyMMdd-HHmm.ss%.log</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.local.buffer.file.buffer.size.bytes</name>
-		<value>8192</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds</name>
-		<value>60</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds</name>
-		<value>600</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.local.archive.directory</name>
-		<value>/var/log/hbase/audit/archive/%app-type%</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.local.archive.max.file.count</name>
-		<value>10</value>
-	</property>	
-	
-
-	<!-- Log4j audit provider configuration -->
-	<property>
-		<name>xasecure.audit.log4j.is.enabled</name>
-		<value>false</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.log4j.is.async</name>
-		<value>false</value>
-	</property>	
-	
-	<property>
-		<name>xasecure.audit.log4j.async.max.queue.size</name>
-		<value>10240</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.log4j.async.max.flush.interval.ms</name>
-		<value>30000</value>
-	</property>	
-</configuration>

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hbase-agent/conf/xasecure-hbase-security-changes.cfg
----------------------------------------------------------------------
diff --git a/hbase-agent/conf/xasecure-hbase-security-changes.cfg b/hbase-agent/conf/xasecure-hbase-security-changes.cfg
deleted file mode 100644
index 86354ff..0000000
--- a/hbase-agent/conf/xasecure-hbase-security-changes.cfg
+++ /dev/null
@@ -1,26 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements.  See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Change the original policy parameter to work with policy manager based.
-# 
-#
-xasecure.hbase.policymgr.url							%POLICY_MGR_URL%/service/assets/policyList/%REPOSITORY_NAME% 	    mod create-if-not-exists
-xasecure.hbase.policymgr.url.saveAsFile				   	/tmp/hbase_%REPOSITORY_NAME%_json  									mod create-if-not-exists
-xasecure.hbase.policymgr.url.laststoredfile				%POLICY_CACHE_FILE_PATH%/hbase_%REPOSITORY_NAME%_json 				mod create-if-not-exists
-xasecure.hbase.policymgr.url.reloadIntervalInMillis 	30000 																mod create-if-not-exists
-xasecure.hbase.policymgr.ssl.config						/etc/hbase/conf/xasecure-policymgr-ssl.xml							mod create-if-not-exists
-xasecure.hbase.update.xapolicies.on.grant.revoke        %UPDATE_XAPOLICIES_ON_GRANT_REVOKE%                                 mod create-if-not-exists
-xasecure.policymgr.url							        %POLICY_MGR_URL% 													mod create-if-not-exists
-xasecure.policymgr.sslconfig.filename				    /etc/hbase/conf/xasecure-policymgr-ssl.xml							mod create-if-not-exists

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hbase-agent/conf/xasecure-hbase-security.xml
----------------------------------------------------------------------
diff --git a/hbase-agent/conf/xasecure-hbase-security.xml b/hbase-agent/conf/xasecure-hbase-security.xml
deleted file mode 100644
index 8ea2665..0000000
--- a/hbase-agent/conf/xasecure-hbase-security.xml
+++ /dev/null
@@ -1,85 +0,0 @@
-<?xml version="1.0"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
-
-      http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
--->
-<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
-<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
-
-	<!-- The following properties are used only when PolicyManager is used as 
-		main storage for all policy -->
-	<property>
-		<name>xasecure.hbase.policymgr.url</name>
-		<value>http://policymanagerhost:port/service/assets/dev-hbase</value>
-		<description>
-			Location where XASecure Role Based Authorization Info is
-			located.
-		</description>
-	</property>
-	<property>
-		<name>xasecure.hbase.policymgr.url.saveAsFile</name>
-		<value>/tmp/xasecure-hbase-policy.json</value>
-		<description>
-			Location where XASecure Role Based Authorization Info is
-			saved after successful retrieval from policymanager
-		</description>
-	</property>
-	<property>
-		<name>xasecure.hbase.policymgr.url.laststoredfile</name>
-		<value>/home/hbase/last_xasecure-hbase-policy.json</value>
-		<description>
-			Location and file where last XASecure Role Based Authorization Info
-		    is saved after successful retrieval from policymanager.
-		</description>
-	</property>
-	<property>
-		<name>xasecure.hbase.policymgr.url.reloadIntervalInMillis</name>
-		<value>30000</value>
-		<description>
-			How often do we need to verify the changes tothe
-			authorization url,
-			to reload to memory (reloaded only if there are
-			changes)
-		</description>
-	</property>
-	<property>
-		<name>xasecure.policymgr.url</name>
-		<value>http://policymanagerhost:port</value>
-		<description>Base URL for XASecure PolicyManager</description>
-	</property>
-	<property>
-		<name>xasecure.policymgr.sslconfig.filename</name>
-		<value>/etc/hbase/conf/xasecure-policymgr-ssl.xml</value>
-		<description>Path to the file containing SSL details to contact XASecure PolicyManager</description>
-	</property>
-
-
-	<!-- the following properties are used by PEP to show/hide audit information 
-		about each field being read and/or written -->
-	<property>
-		<name>xasecure.auditlog.fieldInfoVisible</name>
-		<value>false</value>
-		<description>
-			Flag to indicate if the read/written values to be written in the audit
-			log file
-		</description>
-	</property>
-	<property>
-		<name>xasecure.hbase.update.xapolicies.on.grant.revoke</name>
-		<value>true</value>
-		<description>Should Hbase agent update XASecure policies for updates to permissions done using GRANT/REVOKE?</description>
-	</property>
-
-</configuration>

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
----------------------------------------------------------------------
diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
index 68bd7ac..1a956d3 100644
--- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -875,8 +875,6 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 			appType = "hbseRegional";
 		}
 
-		RangerConfiguration.getInstance().initAudit(appType);
-
 		if (superUserList == null) {
 			superUserList = new ArrayList<String>();
 			Configuration conf = env.getConfiguration();
@@ -890,7 +888,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 			}
 		}
 		// create and initialize the plugin class
-		new RangerBasePlugin("hbase") {}.init(_authorizer);
+		new RangerBasePlugin("hbase", appType) {}.init(_authorizer);
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("Start of Coprocessor: [" + coprocessorType + "] with superUserList [" + superUserList + "]");
 		}
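Review bot: The `appType` now passed in `new RangerBasePlugin("hbase", appType)` can be the literal `"hbseRegional"` assigned in the context lines of the previous hunk, which looks like a misspelling of `hbaseRegional`. The commit description says `RangerBasePlugin.init()` now initializes the audit framework, and the audit configs in this commit use `%app-type%` in their directory paths. If that token is filled from this value, region-server audit files would be written under a misspelled name, so I would change the assignment to `appType = "hbaseRegional";` once it is confirmed that nothing downstream matches on the old spelling. The plugin instance is also created and dropped on every call; if this method can run more than once per process (the `superUserList == null` guard suggests it may), policy and audit initialization would repeat, and holding the instance in a field that is initialized once would avoid that. The enclosing method starts and ends outside both hunks.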

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hdfs-agent/conf/ranger-hdfs-audit-changes.cfg
----------------------------------------------------------------------
diff --git a/hdfs-agent/conf/ranger-hdfs-audit-changes.cfg b/hdfs-agent/conf/ranger-hdfs-audit-changes.cfg
new file mode 100644
index 0000000..cbaf227
--- /dev/null
+++ b/hdfs-agent/conf/ranger-hdfs-audit-changes.cfg
@@ -0,0 +1,34 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+xasecure.audit.db.is.enabled                        %XAAUDIT.DB.IS_ENABLED%                                         mod create-if-not-exists
+xasecure.audit.jpa.javax.persistence.jdbc.url		%XAAUDIT_DB_JDBC_URL%											mod create-if-not-exists
+xasecure.audit.jpa.javax.persistence.jdbc.user		%XAAUDIT.DB.USER_NAME% 											mod create-if-not-exists
+xasecure.audit.jpa.javax.persistence.jdbc.password	crypted 											mod create-if-not-exists
+xasecure.audit.repository.name						%REPOSITORY_NAME% 												mod create-if-not-exists
+xasecure.audit.credential.provider.file     		jceks://file%CREDENTIAL_PROVIDER_FILE% 							mod create-if-not-exists
+xasecure.audit.jpa.javax.persistence.jdbc.driver	%XAAUDIT_DB_JDBC_DRIVER% 										mod create-if-not-exists
+
+xasecure.audit.hdfs.is.enabled                                     %XAAUDIT.HDFS.IS_ENABLED%                               mod create-if-not-exists
+xasecure.audit.hdfs.config.destination.directory                   %XAAUDIT.HDFS.DESTINATION_DIRECTORY%                    mod create-if-not-exists
+xasecure.audit.hdfs.config.destination.file                        %XAAUDIT.HDFS.DESTINTATION_FILE%                        mod create-if-not-exists
+xasecure.audit.hdfs.config.destination.flush.interval.seconds      %XAAUDIT.HDFS.DESTINTATION_FLUSH_INTERVAL_SECONDS%      mod create-if-not-exists
+xasecure.audit.hdfs.config.destination.rollover.interval.seconds   %XAAUDIT.HDFS.DESTINTATION_ROLLOVER_INTERVAL_SECONDS%   mod create-if-not-exists
+xasecure.audit.hdfs.config.destination.open.retry.interval.seconds %XAAUDIT.HDFS.DESTINTATION_OPEN_RETRY_INTERVAL_SECONDS% mod create-if-not-exists
+xasecure.audit.hdfs.config.local.buffer.directory                  %XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY%                   mod create-if-not-exists
+xasecure.audit.hdfs.config.local.buffer.file                       %XAAUDIT.HDFS.LOCAL_BUFFER_FILE%                        mod create-if-not-exists
+xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds     %XAAUDIT.HDFS.LOCAL_BUFFER_FLUSH_INTERVAL_SECONDS%      mod create-if-not-exists
+xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds  %XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS%   mod create-if-not-exists
+xasecure.audit.hdfs.config.local.archive.directory                 %XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY%                  mod create-if-not-exists
+xasecure.audit.hdfs.config.local.archive.max.file.count            %XAAUDIT.HDFS.LOCAL_ARCHIVE_MAX_FILE_COUNT%             mod create-if-not-exists

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hdfs-agent/conf/ranger-hdfs-audit.xml
----------------------------------------------------------------------
diff --git a/hdfs-agent/conf/ranger-hdfs-audit.xml b/hdfs-agent/conf/ranger-hdfs-audit.xml
new file mode 100644
index 0000000..28261ec
--- /dev/null
+++ b/hdfs-agent/conf/ranger-hdfs-audit.xml
@@ -0,0 +1,191 @@
+<?xml version="1.0"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
+	<property>
+		<name>xasecure.audit.is.enabled</name>
+		<value>true</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.repository.name</name>
+		<value>hadoopdev</value>
+	</property>	
+
+
+	<!-- DB audit provider configuration -->
+	<property>
+		<name>xasecure.audit.db.is.enabled</name>
+		<value>false</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.db.is.async</name>
+		<value>true</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.db.async.max.queue.size</name>
+		<value>10240</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.db.async.max.flush.interval.ms</name>
+		<value>30000</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.db.batch.size</name>
+		<value>100</value>
+	</property>	
+
+	<!--  Properties whose name begin with "xasecure.audit.jpa." are used to configure JPA -->
+	<property>
+		<name>xasecure.audit.jpa.javax.persistence.jdbc.url</name>
+		<value>jdbc:mysql://localhost:3306/ranger_audit</value>
+	</property>
+
+	<property>
+		<name>xasecure.audit.jpa.javax.persistence.jdbc.user</name>
+		<value>rangerlogger</value>
+	</property>
+
+	<property>
+		<name>xasecure.audit.jpa.javax.persistence.jdbc.password</name>
+		<value>none</value>
+	</property>
+
+	<property>
+		<name>xasecure.audit.jpa.javax.persistence.jdbc.driver</name>
+		<value>com.mysql.jdbc.Driver</value>
+	</property>
+	
+	<property>
+		<name>xasecure.audit.credential.provider.file</name>
+		<value>jceks://file/etc/ranger/hadoopdev/auditcred.jceks</value>
+	</property>
+
+
+	<!-- HDFS audit provider configuration -->
+	<property>
+		<name>xasecure.audit.hdfs.is.enabled</name>
+		<value>false</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.is.async</name>
+		<value>true</value>
+	</property>	
+	
+	<property>
+		<name>xasecure.audit.hdfs.async.max.queue.size</name>
+		<value>1048576</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.async.max.flush.interval.ms</name>
+		<value>30000</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.encoding</name>
+		<value></value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.destination.directory</name>
+		<value>hdfs://NAMENODE_HOST:8020/ranger/audit/%app-type%/%time:yyyyMMdd%</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.destination.file</name>
+		<value>%hostname%-audit.log</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.destination.flush.interval.seconds</name>
+		<value>900</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.destination.rollover.interval.seconds</name>
+		<value>86400</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.destination.open.retry.interval.seconds</name>
+		<value>60</value>
+	</property>
+
+	<property>
+		<name>xasecure.audit.hdfs.config.local.buffer.directory</name>
+		<value>/var/log/hadoop/%app-type%/audit</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.local.buffer.file</name>
+		<value>%time:yyyyMMdd-HHmm.ss%.log</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.local.buffer.file.buffer.size.bytes</name>
+		<value>8192</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds</name>
+		<value>60</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds</name>
+		<value>600</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.local.archive.directory</name>
+		<value>/var/log/hadoop/%app-type%/audit/archive</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.hdfs.config.local.archive.max.file.count</name>
+		<value>10</value>
+	</property>	
+
+
+	<!-- Log4j audit provider configuration -->
+	<property>
+		<name>xasecure.audit.log4j.is.enabled</name>
+		<value>false</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.log4j.is.async</name>
+		<value>false</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.log4j.async.max.queue.size</name>
+		<value>10240</value>
+	</property>	
+
+	<property>
+		<name>xasecure.audit.log4j.async.max.flush.interval.ms</name>
+		<value>30000</value>
+	</property>	
+</configuration>

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hdfs-agent/conf/ranger-hdfs-security-changes.cfg
----------------------------------------------------------------------
diff --git a/hdfs-agent/conf/ranger-hdfs-security-changes.cfg b/hdfs-agent/conf/ranger-hdfs-security-changes.cfg
new file mode 100644
index 0000000..210247f
--- /dev/null
+++ b/hdfs-agent/conf/ranger-hdfs-security-changes.cfg
@@ -0,0 +1,26 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Change the original policy parameter to work with policy manager based.
+# 
+#
+ranger.plugin.hdfs.service.name					%REPOSITORY_NAME% 										mod create-if-not-exists
+
+ranger.plugin.hdfs.service.store.class			org.apache.ranger.plugin.store.rest.ServiceRESTStore	mod create-if-not-exists
+ranger.plugin.hdfs.service.store.cache.dir		%POLICY_CACHE_FILE_PATH%								mod create-if-not-exists
+ranger.plugin.hdfs.service.store.pollIntervalMs	30000 													mod create-if-not-exists
+
+ranger.service.store.rest.url					%POLICY_MGR_URL% 										mod create-if-not-exists
+ranger.service.store.rest.ssl.config.file		/etc/hadoop/conf/ranger-policymgr-ssl.xml				mod create-if-not-exists
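Review bot: Nothing in this file says what ownership and permissions the directory behind `ranger.plugin.hdfs.service.store.cache.dir` needs. The commit description states that PolicyRefresher now stores and uses policies from a local cache, so the content of that directory presumably feeds authorization decisions when it is read back. I would add a comment above that line, for example `# cache dir should be owned by, and writable only for, the service user; cached policies are read back from here`. The carried-over header sentence "Change the original policy parameter to work with policy manager based." is incomplete and could instead describe the columns: property name, value or %TOKEN%, and the trailing `mod create-if-not-exists`.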

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hdfs-agent/conf/ranger-hdfs-security.xml
----------------------------------------------------------------------
diff --git a/hdfs-agent/conf/ranger-hdfs-security.xml b/hdfs-agent/conf/ranger-hdfs-security.xml
new file mode 100644
index 0000000..4e84232
--- /dev/null
+++ b/hdfs-agent/conf/ranger-hdfs-security.xml
@@ -0,0 +1,100 @@
+<?xml version="1.0"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
+	<property>
+		<name>ranger.plugin.hdfs.service.name</name>
+		<value>hadoopdev</value>
+		<description>
+			Name of the Ranger service containing policies for this YARN instance
+		</description>
+	</property>
+
+	<property>
+		<name>ranger.plugin.hdfs.service.store.class</name>
+		<value>org.apache.ranger.plugin.store.rest.ServiceRESTStore</value>
+		<description>
+			Service storage implementation class to use to retrieve policies
+		</description>
+	</property>
+
+	<property>
+		<name>ranger.plugin.hdfs.service.store.pollIntervalMs</name>
+		<value>30000</value>
+		<description>
+			How often to poll for changes in policies?
+		</description>
+	</property>
+
+	<property>
+		<name>ranger.plugin.hdfs.service.store.cache.dir</name>
+		<value>/etc/ranger/hadoopdev/policycache</value>
+		<description>
+			Directory where Ranger policies are cached after successful retrieval from the store
+		</description>
+	</property>
+
+	<!-- The following properties are used only when Ranger Admin REST interface is used to retrieve the policies -->
+	<property>
+		<name>ranger.service.store.rest.url</name>
+		<value>http://policymanagerhost:port</value>
+		<description>
+			URL to Ranger Admin
+		</description>
+	</property>
+
+	<property>
+		<name>ranger.service.store.rest.ssl.config.file</name>
+		<value>/etc/hadoop/conf/ranger-policymgr-ssl.xml</value>
+		<description>Path to the file containing SSL details to contact Ranger Admin</description>
+	</property>
+
+	<!--  The following fields are used to customize the audit logging feature -->
+	<!-- 
+	<property>
+		<name>xasecure.auditlog.xasecureAcl.name</name>
+		<value>xasecure-acl</value>
+		<description> The module name listed in the auditlog when the
+			permission check is done by RangerACL
+		</description>
+	</property>
+	<property>
+		<name>xasecure.auditlog.hadoopAcl.name</name>
+		<value>hadoop-acl</value>
+		<description> The module name listed in the auditlog
+			when the permission check is done by HadoopACL
+		</description>
+	</property>
+	<property>
+		<name>xasecure.auditlog.hdfs.excludeusers</name>
+		<value>hbase,hive</value>
+		<description> List of comma separated users for
+			whom the audit log is not written
+		</description>
+	</property>
+	-->
+	
+	<property>
+		<name>xasecure.add-hadoop-authorization</name>
+		<value>true</value>
+		<description>
+			Enable/Disable the default hadoop authorization (based on
+			rwxrwxrwx permission on the resource) if Ranger Authorization fails.
+		</description>
+	</property>
+</configuration>
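Review bot: The description of `ranger.plugin.hdfs.service.name` says "for this YARN instance", but this is the HDFS plugin's file; it should read `Name of the Ranger service containing policies for this HDFS instance`. The sample value of `ranger.service.store.rest.url` uses `http://` while `ranger.service.store.rest.ssl.config.file` is set right below it, and the SSL file presumably only matters for an https URL, so a comment such as `<!-- use an https:// URL outside of test setups so policies are fetched over TLS -->` next to the URL would help. The description of `xasecure.add-hadoop-authorization` says the Hadoop permission check applies "if Ranger Authorization fails", which does not say whether "fails" means a deny, no matching policy, or an error; since the default is `true`, the description should state which case falls back to the rwx check.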

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hdfs-agent/conf/xasecure-audit-changes.cfg
----------------------------------------------------------------------
diff --git a/hdfs-agent/conf/xasecure-audit-changes.cfg b/hdfs-agent/conf/xasecure-audit-changes.cfg
deleted file mode 100644
index cbaf227..0000000
--- a/hdfs-agent/conf/xasecure-audit-changes.cfg
+++ /dev/null
@@ -1,34 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements.  See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-xasecure.audit.db.is.enabled                        %XAAUDIT.DB.IS_ENABLED%                                         mod create-if-not-exists
-xasecure.audit.jpa.javax.persistence.jdbc.url		%XAAUDIT_DB_JDBC_URL%											mod create-if-not-exists
-xasecure.audit.jpa.javax.persistence.jdbc.user		%XAAUDIT.DB.USER_NAME% 											mod create-if-not-exists
-xasecure.audit.jpa.javax.persistence.jdbc.password	crypted 											mod create-if-not-exists
-xasecure.audit.repository.name						%REPOSITORY_NAME% 												mod create-if-not-exists
-xasecure.audit.credential.provider.file     		jceks://file%CREDENTIAL_PROVIDER_FILE% 							mod create-if-not-exists
-xasecure.audit.jpa.javax.persistence.jdbc.driver	%XAAUDIT_DB_JDBC_DRIVER% 										mod create-if-not-exists
-
-xasecure.audit.hdfs.is.enabled                                     %XAAUDIT.HDFS.IS_ENABLED%                               mod create-if-not-exists
-xasecure.audit.hdfs.config.destination.directory                   %XAAUDIT.HDFS.DESTINATION_DIRECTORY%                    mod create-if-not-exists
-xasecure.audit.hdfs.config.destination.file                        %XAAUDIT.HDFS.DESTINTATION_FILE%                        mod create-if-not-exists
-xasecure.audit.hdfs.config.destination.flush.interval.seconds      %XAAUDIT.HDFS.DESTINTATION_FLUSH_INTERVAL_SECONDS%      mod create-if-not-exists
-xasecure.audit.hdfs.config.destination.rollover.interval.seconds   %XAAUDIT.HDFS.DESTINTATION_ROLLOVER_INTERVAL_SECONDS%   mod create-if-not-exists
-xasecure.audit.hdfs.config.destination.open.retry.interval.seconds %XAAUDIT.HDFS.DESTINTATION_OPEN_RETRY_INTERVAL_SECONDS% mod create-if-not-exists
-xasecure.audit.hdfs.config.local.buffer.directory                  %XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY%                   mod create-if-not-exists
-xasecure.audit.hdfs.config.local.buffer.file                       %XAAUDIT.HDFS.LOCAL_BUFFER_FILE%                        mod create-if-not-exists
-xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds     %XAAUDIT.HDFS.LOCAL_BUFFER_FLUSH_INTERVAL_SECONDS%      mod create-if-not-exists
-xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds  %XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS%   mod create-if-not-exists
-xasecure.audit.hdfs.config.local.archive.directory                 %XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY%                  mod create-if-not-exists
-xasecure.audit.hdfs.config.local.archive.max.file.count            %XAAUDIT.HDFS.LOCAL_ARCHIVE_MAX_FILE_COUNT%             mod create-if-not-exists

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hdfs-agent/conf/xasecure-audit.xml
----------------------------------------------------------------------
diff --git a/hdfs-agent/conf/xasecure-audit.xml b/hdfs-agent/conf/xasecure-audit.xml
deleted file mode 100644
index 28261ec..0000000
--- a/hdfs-agent/conf/xasecure-audit.xml
+++ /dev/null
@@ -1,191 +0,0 @@
-<?xml version="1.0"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
-
-      http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
--->
-<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
-<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
-	<property>
-		<name>xasecure.audit.is.enabled</name>
-		<value>true</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.repository.name</name>
-		<value>hadoopdev</value>
-	</property>	
-
-
-	<!-- DB audit provider configuration -->
-	<property>
-		<name>xasecure.audit.db.is.enabled</name>
-		<value>false</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.db.is.async</name>
-		<value>true</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.db.async.max.queue.size</name>
-		<value>10240</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.db.async.max.flush.interval.ms</name>
-		<value>30000</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.db.batch.size</name>
-		<value>100</value>
-	</property>	
-
-	<!--  Properties whose name begin with "xasecure.audit.jpa." are used to configure JPA -->
-	<property>
-		<name>xasecure.audit.jpa.javax.persistence.jdbc.url</name>
-		<value>jdbc:mysql://localhost:3306/ranger_audit</value>
-	</property>
-
-	<property>
-		<name>xasecure.audit.jpa.javax.persistence.jdbc.user</name>
-		<value>rangerlogger</value>
-	</property>
-
-	<property>
-		<name>xasecure.audit.jpa.javax.persistence.jdbc.password</name>
-		<value>none</value>
-	</property>
-
-	<property>
-		<name>xasecure.audit.jpa.javax.persistence.jdbc.driver</name>
-		<value>com.mysql.jdbc.Driver</value>
-	</property>
-	
-	<property>
-		<name>xasecure.audit.credential.provider.file</name>
-		<value>jceks://file/etc/ranger/hadoopdev/auditcred.jceks</value>
-	</property>
-
-
-	<!-- HDFS audit provider configuration -->
-	<property>
-		<name>xasecure.audit.hdfs.is.enabled</name>
-		<value>false</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.is.async</name>
-		<value>true</value>
-	</property>	
-	
-	<property>
-		<name>xasecure.audit.hdfs.async.max.queue.size</name>
-		<value>1048576</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.async.max.flush.interval.ms</name>
-		<value>30000</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.encoding</name>
-		<value></value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.destination.directory</name>
-		<value>hdfs://NAMENODE_HOST:8020/ranger/audit/%app-type%/%time:yyyyMMdd%</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.destination.file</name>
-		<value>%hostname%-audit.log</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.destination.flush.interval.seconds</name>
-		<value>900</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.destination.rollover.interval.seconds</name>
-		<value>86400</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.destination.open.retry.interval.seconds</name>
-		<value>60</value>
-	</property>
-
-	<property>
-		<name>xasecure.audit.hdfs.config.local.buffer.directory</name>
-		<value>/var/log/hadoop/%app-type%/audit</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.local.buffer.file</name>
-		<value>%time:yyyyMMdd-HHmm.ss%.log</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.local.buffer.file.buffer.size.bytes</name>
-		<value>8192</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds</name>
-		<value>60</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds</name>
-		<value>600</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.local.archive.directory</name>
-		<value>/var/log/hadoop/%app-type%/audit/archive</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.hdfs.config.local.archive.max.file.count</name>
-		<value>10</value>
-	</property>	
-
-
-	<!-- Log4j audit provider configuration -->
-	<property>
-		<name>xasecure.audit.log4j.is.enabled</name>
-		<value>false</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.log4j.is.async</name>
-		<value>false</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.log4j.async.max.queue.size</name>
-		<value>10240</value>
-	</property>	
-
-	<property>
-		<name>xasecure.audit.log4j.async.max.flush.interval.ms</name>
-		<value>30000</value>
-	</property>	
-</configuration>

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hdfs-agent/conf/xasecure-hdfs-security-changes.cfg
----------------------------------------------------------------------
diff --git a/hdfs-agent/conf/xasecure-hdfs-security-changes.cfg b/hdfs-agent/conf/xasecure-hdfs-security-changes.cfg
deleted file mode 100644
index 97e631a5..0000000
--- a/hdfs-agent/conf/xasecure-hdfs-security-changes.cfg
+++ /dev/null
@@ -1,24 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements.  See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Change the original policy parameter to work with policy manager based.
-# 
-#
-hdfs.authorization.verifier.classname				org.apache.ranger.pdp.hdfs.RangerAuthorizer								mod	create-if-not-exists
-xasecure.hdfs.policymgr.url							%POLICY_MGR_URL%/service/assets/policyList/%REPOSITORY_NAME% 			mod create-if-not-exists
-xasecure.hdfs.policymgr.url.saveAsFile				/tmp/hadoop_%REPOSITORY_NAME%_json  									mod create-if-not-exists
-xasecure.hdfs.policymgr.url.laststoredfile			%POLICY_CACHE_FILE_PATH%/hadoop_%REPOSITORY_NAME%_json 					mod create-if-not-exists
-xasecure.hdfs.policymgr.url.reloadIntervalInMillis 	30000 																	mod create-if-not-exists
-xasecure.hdfs.policymgr.ssl.config					/etc/hadoop/conf/xasecure-policymgr-ssl.xml								mod create-if-not-exists

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hdfs-agent/conf/xasecure-hdfs-security.xml
----------------------------------------------------------------------
diff --git a/hdfs-agent/conf/xasecure-hdfs-security.xml b/hdfs-agent/conf/xasecure-hdfs-security.xml
deleted file mode 100644
index 9cf5b69..0000000
--- a/hdfs-agent/conf/xasecure-hdfs-security.xml
+++ /dev/null
@@ -1,125 +0,0 @@
-<?xml version="1.0"?>
-<!--
-  Licensed to the Apache Software Foundation (ASF) under one or more
-  contributor license agreements.  See the NOTICE file distributed with
-  this work for additional information regarding copyright ownership.
-  The ASF licenses this file to You under the Apache License, Version 2.0
-  (the "License"); you may not use this file except in compliance with
-  the License.  You may obtain a copy of the License at
-
-      http://www.apache.org/licenses/LICENSE-2.0
-
-  Unless required by applicable law or agreed to in writing, software
-  distributed under the License is distributed on an "AS IS" BASIS,
-  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  See the License for the specific language governing permissions and
-  limitations under the License.
--->
-<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
-<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
-
-	<!--  The following property is used to select appropriate XASecure Authorizer Module (filebased, policymanager based) -->
-	<property>
-		<name>hdfs.authorization.verifier.classname</name>
-		<value>org.apache.ranger.pdp.hdfs.RangerAuthorizer</value>
-		<description>
-			Class Name of the authorization Module 
-		</description>
-	</property>
-
-	<!-- The following properties are used only when PolicyManager is used as 
-		main storage for all policy -->
-	<property>
-		<name>xasecure.hdfs.policymgr.url</name>
-		<value>http://policymanagerhost:port/service/assets/hadoopdev</value>
-		<description>
-			Location where XASecure Role Based Authorization Info is
-			located.
-		</description>
-	</property>
-	<property>
-		<name>xasecure.hdfs.policymgr.url.saveAsFile</name>
-		<value>/tmp/xasecure-hdfs-policy.json</value>
-		<description>
-			Location where XASecure Role Based Authorization Info is
-			saved after successful retrieval from policymanager
-		</description>
-	</property>
-	<property>
-		<name>xasecure.hdfs.policymgr.url.laststoredfile</name>
-		<value>/home/hdfs/last_xasecure-hdfs-policy.json</value>
-		<description>
-			Location and file where last XASecure Role Based Authorization Info
-		    is saved after successful retrieval from policymanager.
-		</description>
-	</property>
-	<property>
-		<name>xasecure.hdfs.policymgr.url.reloadIntervalInMillis</name>
-		<value>30000</value>
-		<description>
-			How often do we need to verify the changes tothe
-			authorization url,
-			to reload to memory (reloaded only if there are
-			changes)
-		</description>
-	</property>
-	
-	<property>
-		<name>xasecure.add-hadoop-authorization</name>
-		<value>true</value>
-		<description>
-			Enable/Disable the default hadoop authorization (based on
-			rwxrwxrwx permission on
-			the resource) if the XASecure Authorization
-			fails.
-		</description>
-	</property>
-
-	<!--  The following field are used to customize the audit logging feature -->
-
-	<!-- 
-	<property>
-		<name>xasecure.auditlog.fieldDelimiterString</name>
-		<value>@</value>
-		<description> Audit Log field delimiters </description>
-	</property>
-	<property>
-		<name>xasecure.auditlog.xasecureAcl.name</name>
-		<value>xasecure-acl</value>
-		<description> The module name listed in the auditlog when the
-			permission
-			check is done by XASecureACL
-		</description>
-	</property>
-	<property>
-		<name>xasecure.auditlog.hadoopAcl.name</name>
-		<value>hadoop-acl</value>
-		<description> The module name listed in the auditlog
-			when the permission check is done by HadoopACL
-		</description>
-	</property>
-	<property>
-		<name>xasecure.auditlog.accessgranted.text</name>
-		<value>granted</value>
-		<description> The text to be written in audit log when access is
-			granted
-		</description>
-	</property>
-	<property>
-		<name>xasecure.auditlog.accessdenied.text</name>
-		<value>denied</value>
-		<description> The text to be written in audit log when
-			access is denied
-		</description>
-	</property>
-	<property>
-		<name>xasecure.auditlog.hdfs.excludeusers</name>
-		<value>hbase,hive</value>
-		<description> List of comma separated users for
-			whom the audit log is not written
-		</description>
-	</property>
-	-->
-	
-
-</configuration>

