Repository: ambari Updated Branches: refs/heads/trunk 91122e4fc -> 6c192789f
AMBARI-15878. Update code for creating jceks credential for Ranger and Ranger Kms services (Mugdha Varadkar via gautam) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/6c192789 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/6c192789 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/6c192789 Branch: refs/heads/trunk Commit: 6c192789fe8b6d99c97df35da36dbf70bb3f3144 Parents: 91122e4 Author: Gautam Borad <[email protected]> Authored: Thu Apr 14 14:20:38 2016 +0530 Committer: Gautam Borad <[email protected]> Committed: Tue Apr 19 12:49:54 2016 +0530 ---------------------------------------------------------------------- .../0.4.0/package/scripts/setup_ranger_xml.py | 51 ++++++-------------- .../RANGER_KMS/0.5.0.2.3/package/scripts/kms.py | 6 ++- 2 files changed, 20 insertions(+), 37 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/6c192789/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py index f3f9c7e..9f31983 100644 --- a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py +++ b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py 
@@ -230,17 +230,10 @@ def do_keystore_setup(upgrade_type=None): ranger_home = params.ranger_home cred_lib_path = params.cred_lib_path - cred_setup_prefix = params.cred_setup_prefix - if not is_empty(params.ranger_credential_provider_path): - jceks_path = params.ranger_credential_provider_path - cred_setup = cred_setup_prefix + ('-f', jceks_path, '-k', params.ranger_jpa_jdbc_credential_alias, '-v', PasswordString(params.ranger_ambari_db_password), '-c', '1') + if not is_empty(params.ranger_credential_provider_path): + ranger_credential_helper(cred_lib_path, params.ranger_jpa_jdbc_credential_alias, params.ranger_ambari_db_password, params.ranger_credential_provider_path) - Execute(cred_setup, - environment={'RANGER_ADMIN_HOME':ranger_home, 'JAVA_HOME': params.java_home}, - logoutput=True, - sudo=True - ) File(params.ranger_credential_provider_path, owner = params.unix_user, group = params.unix_group, @@ -248,13 +241,7 @@ def do_keystore_setup(upgrade_type=None): ) if not is_empty(params.ranger_credential_provider_path) and (params.ranger_audit_source_type).lower() == 'db' and not is_empty(params.ranger_ambari_audit_db_password): - jceks_path = params.ranger_credential_provider_path - cred_setup = cred_setup_prefix + ('-f', jceks_path, '-k', params.ranger_jpa_audit_jdbc_credential_alias, '-v', PasswordString(params.ranger_ambari_audit_db_password), '-c', '1') - Execute(cred_setup, - environment={'RANGER_ADMIN_HOME':ranger_home, 'JAVA_HOME': params.java_home}, - logoutput=True, - sudo=True - ) + ranger_credential_helper(cred_lib_path, params.ranger_jpa_audit_jdbc_credential_alias, params.ranger_ambari_audit_db_password, params.ranger_credential_provider_path) File(params.ranger_credential_provider_path, owner = params.unix_user, 
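Review bot: The first `ranger_credential_helper` call stores `params.ranger_ambari_db_password` whenever the provider path is set, with no check that the password itself is non-empty, while the audit call in the following hunk is guarded by `not is_empty(params.ranger_ambari_audit_db_password)`. If an empty value can reach this point, the helper would run with an empty `-value`; writing the guard as `if not is_empty(params.ranger_credential_provider_path) and not is_empty(params.ranger_ambari_db_password):` keeps the two branches consistent. The unconditional keystore and truststore calls in `setup_usersync` have the same shape. `do_keystore_setup` continues outside this hunk, so it cannot be seen here whether `ranger_home` is still used now that the `RANGER_ADMIN_HOME` environment entry is gone.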
@@ -382,21 +369,14 @@ def setup_usersync(upgrade_type=None): if os.path.isfile(params.cred_validator_file): File(params.cred_validator_file, group=params.unix_group, mode=04555) - cred_file = format('{ranger_home}/ranger_credential_helper.py') - if os.path.isfile(format('{usersync_home}/ranger_credential_helper.py')): - cred_file = format('{usersync_home}/ranger_credential_helper.py') - cred_lib = os.path.join(usersync_home,"lib","*") - cred_setup_prefix = (cred_file, '-l', cred_lib) - cred_setup = cred_setup_prefix + ('-f', params.ugsync_jceks_path, '-k', 'usersync.ssl.key.password', '-v', PasswordString(params.ranger_usersync_keystore_password), '-c', '1') - Execute(cred_setup, environment={'JAVA_HOME': params.java_home}, logoutput=True, sudo=True) + ranger_credential_helper(cred_lib, 'usersync.ssl.key.password', params.ranger_usersync_keystore_password, params.ugsync_jceks_path) - cred_setup = cred_setup_prefix + ('-f', params.ugsync_jceks_path, '-k', 'ranger.usersync.ldap.bindalias', '-v', PasswordString(params.ranger_usersync_ldap_ldapbindpassword), '-c', '1') - Execute(cred_setup, environment={'JAVA_HOME': params.java_home}, logoutput=True, sudo=True) + if not is_empty(params.ranger_usersync_ldap_ldapbindpassword) and params.ug_sync_source == 'org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder': + ranger_credential_helper(cred_lib, 'ranger.usersync.ldap.bindalias', params.ranger_usersync_ldap_ldapbindpassword, params.ugsync_jceks_path) - cred_setup = cred_setup_prefix + ('-f', params.ugsync_jceks_path, '-k', 'usersync.ssl.truststore.password', '-v', PasswordString(params.ranger_usersync_truststore_password), '-c', '1') - Execute(cred_setup, environment={'JAVA_HOME': params.java_home}, logoutput=True, sudo=True) + ranger_credential_helper(cred_lib, 'usersync.ssl.truststore.password', params.ranger_usersync_truststore_password, params.ugsync_jceks_path) File(params.ugsync_jceks_path, owner = params.unix_user, 
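Review bot: The new guard on the `ranger.usersync.ldap.bindalias` call only skips writing the alias. When the sync source is switched away from `org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder`, a bind password stored by an earlier run presumably stays in `params.ugsync_jceks_path`, since nothing visible here removes it. A comment above the condition such as `# bind alias is written only for the LDAP sync source; an alias from a previous run is not removed` would record that, and the class name is better held in a named constant than written as a literal in the condition. The body of `setup_usersync` starts and ends outside this hunk.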
@@ -497,17 +477,10 @@ def setup_tagsync(upgrade_type=None): Execute(('cp', '-f', src_file, dst_file), sudo=True) File(tagsync_log4j_file, owner=params.unix_user, group=params.unix_group) - cred_file = format('{ranger_home}/ranger_credential_helper.py') - if os.path.isfile(format('{ranger_tagsync_home}/ranger_credential_helper.py')): - cred_file = format('{ranger_tagsync_home}/ranger_credential_helper.py') - cred_lib = os.path.join(ranger_tagsync_home,"lib","*") - cred_setup_prefix = (cred_file, '-l', cred_lib) if not is_empty(params.tagsync_jceks_path) and not is_empty(params.ranger_tagsync_tagadmin_password) and params.tagsync_enabled: - cred_setup = cred_setup_prefix + ('-f', params.tagsync_jceks_path, '-k', 'tagadmin.user.password', '-v', PasswordString(params.ranger_tagsync_tagadmin_password), '-c', '1') - Execute(cred_setup, environment={'JAVA_HOME': params.java_home}, logoutput=True, sudo=True) - + ranger_credential_helper(cred_lib, 'tagadmin.user.password', params.ranger_tagsync_tagadmin_password, params.tagsync_jceks_path) File(params.tagsync_jceks_path, owner = params.unix_user, group = params.unix_group, @@ -522,3 +495,11 @@ def setup_tagsync(upgrade_type=None): not_if=format("ls /usr/bin/ranger-tagsync"), only_if=format("ls {tagsync_services_file}"), sudo=True) + +def ranger_credential_helper(lib_path, alias_key, alias_value, file_path): + import params + + java_bin = format('{java_home}/bin/java') + file_path = format('jceks://file{file_path}') + cmd = (java_bin, '-cp', lib_path, 'org.apache.ranger.credentialapi.buildks', 'create', alias_key, '-value', PasswordString(alias_value), '-provider', file_path) + Execute(cmd, environment={'JAVA_HOME': params.java_home}, logoutput=True, sudo=True) \ No newline at end of file http://git-wip-us.apache.org/repos/asf/ambari/blob/6c192789/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py ---------------------------------------------------------------------- 
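Review bot: `ranger_credential_helper` puts the secret on the java command line (`'-value', PasswordString(alias_value)`), so it is readable in the host's process list for as long as the JVM runs; `PasswordString` presumably only masks it in the agent's own command logging. The removed helper-script call passed the value the same way with `-v`, so this is carried over rather than introduced, but the new function is the one place to fix it, and the same tuple is built again in `kms.py` in the last hunk. It is worth checking whether `org.apache.ranger.credentialapi.buildks` can take the value from standard input or a root-only file instead, and whether `logoutput=True` can echo it. The function also has no docstring; it should say that `lib_path` is the classpath, that `file_path` is the on-disk JCEKS path which gets the `jceks://file` prefix, and that the command runs under sudo.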
diff --git a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py index dd91acf..f63d660 100755 --- a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py +++ b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py @@ -111,8 +111,10 @@ def do_keystore_setup(cred_provider_path, credential_alias, credential_password) import params if cred_provider_path is not None: - cred_setup = params.cred_setup_prefix + ('-f', cred_provider_path, '-k', credential_alias, '-v', PasswordString(credential_password), '-c', '1') - Execute(cred_setup, + java_bin = format('{java_home}/bin/java') + file_path = format('jceks://file{cred_provider_path}') + cmd = (java_bin, '-cp', params.cred_lib_path, 'org.apache.ranger.credentialapi.buildks', 'create', credential_alias, '-value', PasswordString(credential_password), '-provider', file_path) + Execute(cmd, environment={'JAVA_HOME': params.java_home}, logoutput=True, sudo=True,
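Review bot: The guard `if cred_provider_path is not None:` lets an empty string through, and `format('jceks://file{cred_provider_path}')` then yields the provider `jceks://file` with no path; the RANGER script tests the same kind of value with `is_empty(...)`. Whether `is_empty` is imported in kms.py is not visible here, so `if cred_provider_path:` may be the simpler change. The four added lines repeat the body of `ranger_credential_helper` from setup_ranger_xml.py, so any later change to how the password is handed to `buildks` has to be made in both files. The `Execute(` call continues past the end of this hunk.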
