AMBARI-11238. When Kerberizing a cluster with Ranger HBase plugin enabled, HBase coprocessor properties in hbase-site are overwritten (and breaks Ranger HBase plugin) (Emil Anca via rlevas)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/91c628da Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/91c628da Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/91c628da Branch: refs/heads/trunk Commit: 91c628dade3f96d5a45567def9df6b6acb07d8a5 Parents: 990193e Author: Emil Anca <[email protected]> Authored: Wed May 20 10:45:18 2015 -0400 Committer: Robert Levas <[email protected]> Committed: Wed May 20 10:45:18 2015 -0400 ---------------------------------------------------------------------- .../common-services/HBASE/0.96.0.2.0/kerberos.json | 4 ++-- .../HBASE/0.96.0.2.0/package/scripts/params_linux.py | 15 +++++++++++++-- .../test/python/stacks/2.0.6/configs/default.json | 3 +++ .../test/python/stacks/2.0.6/configs/secured.json | 6 +++++- 4 files changed, 23 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/91c628da/ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/kerberos.json ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/kerberos.json b/ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/kerberos.json
index 125a9c9..5da0846 100644
--- a/ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/kerberos.json
+++ b/ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/kerberos.json
@@ -40,8 +40,8 @@
 "hbase.security.authentication": "kerberos",
 "hbase.security.authorization": "true",
 "zookeeper.znode.parent": "/hbase-secure",
- "hbase.coprocessor.master.classes": "org.apache.hadoop.hbase.security.access.AccessController",
- "hbase.coprocessor.region.classes": "org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint,org.apache.hadoop.hbase.security.access.AccessController",
+ "hbase.coprocessor.master.classes": "{{hbase_coprocessor_master_classes}}",
+ "hbase.coprocessor.region.classes": "{{hbase_coprocessor_region_classes}}",
 "hbase.bulkload.staging.dir": "/apps/hbase/staging"
 }
 }
http://git-wip-us.apache.org/repos/asf/ambari/blob/91c628da/ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/package/scripts/params_linux.py ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/package/scripts/params_linux.py b/ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/package/scripts/params_linux.py
index 410a690..7d83550 100644
--- a/ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/package/scripts/params_linux.py
+++ b/ambari-server/src/main/resources/common-services/HBASE/0.96.0.2.0/package/scripts/params_linux.py
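Review bot: The placeholders `{{hbase_coprocessor_master_classes}}` and `{{hbase_coprocessor_region_classes}}` on the two added lines depend on names that params_linux.py, later in this commit, binds only inside `if security_enabled:`. If these values can still sit in hbase-site while `security_enabled` is false (for example after Kerberos is disabled again, which this page does not show), rendering would either fail on an undefined name or leave the literal placeholder as the coprocessor class. Binding both names on every path in params_linux.py would make the descriptor safe to leave in place.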
@@ -215,9 +215,8 @@ policy_user = config['configurations']['ranger-hbase-plugin-properties']['policy
 #For curl command in ranger plugin to get db connector
 jdk_location = config['hostLevelParams']['jdk_location']
 java_share_dir = '/usr/share/java'
-
+enable_ranger_hbase = (config['configurations']['ranger-hbase-plugin-properties']['ranger-hbase-plugin-enabled'].lower() == 'yes')
 if has_ranger_admin:
- enable_ranger_hbase = (config['configurations']['ranger-hbase-plugin-properties']['ranger-hbase-plugin-enabled'].lower() == 'yes')
 xa_audit_db_password = unicode(config['configurations']['admin-properties']['audit_db_password'])
 repo_config_password = unicode(config['configurations']['ranger-hbase-plugin-properties']['REPOSITORY_CONFIG_PASSWORD'])
 xa_audit_db_flavor = (config['configurations']['admin-properties']['DB_FLAVOR']).lower()
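Review bot: Hoisting `enable_ranger_hbase` above `if has_ranger_admin:` makes the `ranger-hbase-plugin-enabled` lookup and its `.lower()` run on every host, including clusters with no Ranger admin. If that key can be absent there, loading the params would fail. If it is present and set to 'yes', the flag is true with no Ranger admin, and the later hunk would then select the Ranger authorization coprocessor for a Kerberized cluster. Tying the flag to the existing guard keeps it defined on every path without that side effect: `enable_ranger_hbase = has_ranger_admin and (config['configurations']['ranger-hbase-plugin-properties']['ranger-hbase-plugin-enabled'].lower() == 'yes')`. The `if has_ranger_admin:` block continues past the end of this hunk.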
@@ -275,3 +274,15 @@ if has_ranger_admin:
 ssl_keystore_password = unicode(config['configurations']['ranger-hbase-policymgr-ssl']['xasecure.policymgr.clientssl.keystore.password'])
 ssl_truststore_password = unicode(config['configurations']['ranger-hbase-policymgr-ssl']['xasecure.policymgr.clientssl.truststore.password'])
 credential_file = format('/etc/ranger/{repo_name}/cred.jceks')
+
+# Used to dynamically set the hbase-site props that are referenced during Kerbenization
+if security_enabled:
+ if not enable_ranger_hbase: # Default props, no ranger plugin
+ hbase_coprocessor_master_classes = "org.apache.hadoop.hbase.security.access.AccessController"
+ hbase_coprocessor_region_classes = "org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint,org.apache.hadoop.hbase.security.access.AccessController"
+ elif xml_configurations_supported: # HDP stack 2.3+ ranger plugin enabled
+ hbase_coprocessor_master_classes = "org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor "
+ hbase_coprocessor_region_classes = "org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint,org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor"
+ else: # HDP Stack 2.2 and less / ranger plugin enabled
+ hbase_coprocessor_master_classes = "com.xasecure.authorization.hbase.XaSecureAuthorizationCoprocessor"
+ hbase_coprocessor_region_classes = "org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint,com.xasecure.authorization.hbase.XaSecureAuthorizationCoprocessor"
http://git-wip-us.apache.org/repos/asf/ambari/blob/91c628da/ambari-server/src/test/python/stacks/2.0.6/configs/default.json ----------------------------------------------------------------------
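Review bot: In the `elif xml_configurations_supported:` branch the master class literal ends with a space before the closing quote (`"org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor "`), unlike the other five literals in this block. Whether the consumer trims the value is not visible here; if it does not, the master-side authorization coprocessor would fail to load on a Kerberized HDP 2.3+ cluster, so the space should be dropped. The fixed lists also replace whatever hbase-site held before, so a coprocessor an operator added by hand would presumably still be lost on Kerberization; the block comment should say so, and its "Kerbenization" should read "Kerberization".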
diff --git a/ambari-server/src/test/python/stacks/2.0.6/configs/default.json b/ambari-server/src/test/python/stacks/2.0.6/configs/default.json
index 485e882..d0c164e 100644
--- a/ambari-server/src/test/python/stacks/2.0.6/configs/default.json
+++ b/ambari-server/src/test/python/stacks/2.0.6/configs/default.json
@@ -524,6 +524,9 @@
 "hcat_log_dir": "/var/log/webhcat",
 "hive_database": "New MySQL Database"
 },
+ "ranger-env": {
+ "xml_configurations_supported" : "false"
+ },
 "cluster-env": {
 "security_enabled": "false",
 "hdfs_user_principal" : "",
http://git-wip-us.apache.org/repos/asf/ambari/blob/91c628da/ambari-server/src/test/python/stacks/2.0.6/configs/secured.json ----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.0.6/configs/secured.json b/ambari-server/src/test/python/stacks/2.0.6/configs/secured.json
index 8616f3d..097097d 100644
--- a/ambari-server/src/test/python/stacks/2.0.6/configs/secured.json
+++ b/ambari-server/src/test/python/stacks/2.0.6/configs/secured.json
@@ -655,7 +655,11 @@
 "oozie_data_dir": "/hadoop/oozie/data",
 "oozie_log_dir": "/var/log/oozie",
 "oozie_keytab": "/etc/security/keytabs/oozie.service.keytab"
- },
+ },
+ "ranger-env": {
+ "xml_configurations_supported" : "false"
+ },
+
 "webhcat-env": {
 "content": "\n# The file containing the running pid\nPID_FILE={{pid_file}}\n\nTEMPLETON_LOG_DIR={{templeton_log_dir}}/\n\n\nWEBHCAT_LOG_DIR={{templeton_log_dir}}/\n\n# The console error log\nERROR_LOG={{templeton_log_dir}}/webhcat-console-error.log\n\n# The console log\nCONSOLE_LOG={{templeton_log_dir}}/webhcat-console.log\n\n#TEMPLETON_JAR=templeton_jar_name\n\n#HADOOP_PREFIX=hadoop_prefix\n\n#HCAT_PREFIX=hive_prefix\n\n# Set HADOOP_HOME to point to a specific hadoop install directory\nexport HADOOP_HOME=/usr/lib/hadoop"
 },
