AMBARI-17902: Config changes to support external solr and internal solr for Ranger (Mugdha Varadkar via jluniya)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/417fb113 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/417fb113 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/417fb113 Branch: refs/heads/branch-2.4 Commit: 417fb113e2882da6aac0cb8567e10b2fdb8272db Parents: f466ad9 Author: Jayush Luniya <[email protected]> Authored: Wed Jul 27 13:20:56 2016 -0700 Committer: Jayush Luniya <[email protected]> Committed: Wed Jul 27 13:22:55 2016 -0700 ---------------------------------------------------------------------- .../HDFS/2.1.0.2.0/kerberos.json | 2 +- .../RANGER/0.4.0/package/scripts/params.py | 32 ++- .../0.4.0/package/scripts/setup_ranger_xml.py | 5 +- .../package/templates/ranger_solr_jaas_conf.j2 | 26 ++ .../package/templates/ranger_solr_jass_conf.j2 | 26 -- .../0.6.0/configuration/ranger-admin-site.xml | 77 +----- .../RANGER/0.6.0/configuration/ranger-env.xml | 47 ++++ .../common-services/RANGER/0.6.0/kerberos.json | 15 +- .../RANGER/0.6.0/themes/theme_version_3.json | 273 ++++++++++++++++++- .../1.0.1/configuration/ranger-storm-audit.xml | 136 --------- .../common-services/STORM/1.0.1/kerberos.json | 19 ++ .../stacks/HDP/2.3/upgrades/config-upgrade.xml | 9 + .../HDP/2.3/upgrades/nonrolling-upgrade-2.5.xml | 4 + .../stacks/HDP/2.3/upgrades/upgrade-2.5.xml | 1 + .../stacks/HDP/2.4/upgrades/config-upgrade.xml | 9 + .../HDP/2.4/upgrades/nonrolling-upgrade-2.5.xml | 4 + .../stacks/HDP/2.4/upgrades/upgrade-2.5.xml | 1 + .../ATLAS/configuration/ranger-atlas-audit.xml | 135 --------- .../HBASE/configuration/ranger-hbase-audit.xml | 136 --------- .../stacks/HDP/2.5/services/HBASE/kerberos.json | 19 ++ .../HDFS/configuration/ranger-hdfs-audit.xml | 135 --------- .../stacks/HDP/2.5/services/HDFS/kerberos.json | 246 +++++++++++++++++ .../HIVE/configuration/ranger-hive-audit.xml | 136 --------- .../stacks/HDP/2.5/services/HIVE/kerberos.json | 19 ++ 
.../KAFKA/configuration/ranger-kafka-audit.xml | 135 --------- .../stacks/HDP/2.5/services/KAFKA/kerberos.json | 69 +++++ .../KNOX/configuration/ranger-knox-audit.xml | 135 --------- .../stacks/HDP/2.5/services/KNOX/kerberos.json | 81 ++++++ .../configuration/ranger-kms-audit.xml | 135 --------- .../HDP/2.5/services/RANGER_KMS/kerberos.json | 19 ++ .../YARN/configuration/ranger-yarn-audit.xml | 135 --------- .../stacks/HDP/2.5/services/YARN/kerberos.json | 19 ++ .../stacks/HDP/2.5/services/stack_advisor.py | 67 +---- .../stacks/2.5/RANGER/test_ranger_admin.py | 4 +- 34 files changed, 924 insertions(+), 1387 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/417fb113/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json b/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json index 3d6e25c..e8c96cb 100644 --- a/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json +++ b/ambari-server/src/main/resources/common-services/HDFS/2.1.0.2.0/kerberos.json @@ -186,7 +186,7 @@ }, "configuration": "hdfs-site/nfs.keytab.file" } - }, + } ] }, { http://git-wip-us.apache.org/repos/asf/ambari/blob/417fb113/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py index 3ec4b53..3db3256 100644 --- a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py +++ b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py 
@@ -275,6 +275,7 @@ ranger_solr_conf = format('{ranger_home}/contrib/solr_for_audit_setup/conf')
 logsearch_solr_hosts = default("/clusterHostInfo/logsearch_solr_hosts", [])
 has_logsearch = len(logsearch_solr_hosts) > 0
 is_solrCloud_enabled = default('/configurations/ranger-env/is_solrCloud_enabled', False)
+is_external_solrCloud_enabled = default('/configurations/ranger-env/is_external_solrCloud_enabled', False)
 solr_znode = '/ranger_audits'
 if stack_supports_logsearch_client and is_solrCloud_enabled:
 solr_znode = default('/configurations/ranger-admin-site/ranger.audit.solr.zookeepers', 'NONE')
@@ -283,10 +284,12 @@ if stack_supports_logsearch_client and is_solrCloud_enabled:
 if len(solr_znode) > 1 and len(solr_znode) == 2:
 solr_znode = solr_znode[1]
 solr_znode = format('/{solr_znode}')
- if has_logsearch:
+ if has_logsearch and not is_external_solrCloud_enabled:
 solr_znode = config['configurations']['logsearch-solr-env']['logsearch_solr_znode']
-solr_user = default('/configurations/logsearch-solr-env/logsearch_solr_user', unix_user)
-custom_log4j = has_logsearch
+solr_user = unix_user
+if has_logsearch and not is_external_solrCloud_enabled:
+ solr_user = default('/configurations/logsearch-solr-env/logsearch_solr_user', unix_user)
+custom_log4j = has_logsearch and not is_external_solrCloud_enabled
 # get comma separated list of zookeeper hosts
 zookeeper_port = default('/configurations/zoo.cfg/clientPort', None)
@@ -301,7 +304,7 @@ for host in zookeeper_hosts:
 # solr kerberised
 solr_jaas_file = None
-is_solr_kerberos_enabled = default('/configurations/ranger-admin-site/ranger.is.solr.kerberised', False)
+is_external_solrCloud_kerberos = default('/configurations/ranger-env/is_external_solrCloud_kerberos', False)
 if security_enabled:
 if has_ranger_tagsync:
@@ -315,12 +318,14 @@ if security_enabled:
 ranger_admin_principal = config['configurations']['ranger-admin-site']['ranger.admin.kerberos.principal']
 if not is_empty(ranger_admin_principal) and ranger_admin_principal != '':
 ranger_admin_jaas_principal = ranger_admin_principal.replace('_HOST', ranger_host.lower())
- if stack_supports_logsearch_client and is_solrCloud_enabled and is_solr_kerberos_enabled:
- solr_jaas_file = format('{ranger_home}/conf/ranger_solr_jass.conf')
+ if stack_supports_logsearch_client and is_solrCloud_enabled and is_external_solrCloud_enabled and is_external_solrCloud_kerberos:
+ solr_jaas_file = format('{ranger_home}/conf/ranger_solr_jaas.conf')
+ solr_kerberos_principal = ranger_admin_jaas_principal
+ solr_kerberos_keytab = ranger_admin_keytab
+ if stack_supports_logsearch_client and is_solrCloud_enabled and not is_external_solrCloud_enabled and not is_external_solrCloud_kerberos:
+ solr_jaas_file = format('{ranger_home}/conf/ranger_solr_jaas.conf')
 solr_kerberos_principal = ranger_admin_jaas_principal
 solr_kerberos_keytab = ranger_admin_keytab
- else:
- solr_jaas_file = None
 # logic to create core-site.xml if hdfs not installed
 if stack_supports_ranger_kerberos and not has_namenode:
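Review bot: In params.py the second added condition (the internal-SolrCloud branch) also requires `not is_external_solrCloud_kerberos`, so a cluster with External SolrCloud OFF but a leftover `is_external_solrCloud_kerberos=true` gets no `solr_jaas_file`, principal or keytab. The later hunk of this file still sets `ranger_is_solr_kerberised = "true"` for `security_enabled and not is_external_solrCloud_enabled`, so Ranger would be told Solr is kerberised while no JAAS config is written; the theme hunk only hides the Kerberos toggle when External SolrCloud is off and, as far as this page shows, does not reset it. The internal branch should not consult the external-only flag: `if stack_supports_logsearch_client and is_solrCloud_enabled and not is_external_solrCloud_enabled:`. The enclosing `if security_enabled:` block starts before this hunk.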
@@ -369,4 +374,13 @@ ranger_usersync_pid_file = format('{ranger_pid_dir}/usersync.pid')
 # admin credential
 admin_username = config['configurations']['ranger-env']['admin_username']
 admin_password = config['configurations']['ranger-env']['admin_password']
-default_admin_password = 'admin'
\ No newline at end of file
+default_admin_password = 'admin'
+
+ranger_is_solr_kerberised = "false"
+if audit_solr_enabled and is_solrCloud_enabled:
+ # Check internal solrCloud
+ if security_enabled and not is_external_solrCloud_enabled:
+ ranger_is_solr_kerberised = "true"
+ # Check external solrCloud
+ if is_external_solrCloud_enabled and is_external_solrCloud_kerberos:
+ ranger_is_solr_kerberised = "true"
http://git-wip-us.apache.org/repos/asf/ambari/blob/417fb113/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
index 1670d69..24ac487 100644
--- a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
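Review bot: The external-SolrCloud check at the end of the block added to params.py is not gated on `security_enabled`, whereas `solr_jaas_file` is only assigned under `if security_enabled:` in the earlier hunk of the same file. On a cluster without Kerberos that has both external toggles on, `ranger_is_solr_kerberised` becomes "true" (and ranger-admin-site.xml now renders `ranger.is.solr.kerberised` from it) although setup_ranger_audit_solr writes no JAAS file, so audit writes to Solr would presumably fail to authenticate. Either gate the check, `if security_enabled and is_external_solrCloud_enabled and is_external_solrCloud_kerberos:`, or add a comment stating that credentials for that case are supplied outside Ambari. `audit_solr_enabled` is defined outside the hunk.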
@@ -559,10 +559,11 @@ def create_core_site_xml(conf_dir):
 def setup_ranger_audit_solr():
 import params
- if params.security_enabled and params.stack_supports_ranger_kerberos and params.is_solr_kerberos_enabled:
+ if params.security_enabled and params.stack_supports_ranger_kerberos:
+ if params.solr_jaas_file is not None:
 File(format("{solr_jaas_file}"),
- content=Template("ranger_solr_jass_conf.j2"),
+ content=Template("ranger_solr_jaas_conf.j2"),
 owner=params.unix_user
 )
http://git-wip-us.apache.org/repos/asf/ambari/blob/417fb113/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/templates/ranger_solr_jaas_conf.j2
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/templates/ranger_solr_jaas_conf.j2 b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/templates/ranger_solr_jaas_conf.j2
new file mode 100644
index 0000000..a456688
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/templates/ranger_solr_jaas_conf.j2
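Review bot: The `File(...)` resource that writes the JAAS config in setup_ranger_audit_solr sets only `content` and `owner`, so the file's permission bits are left to the agent's umask. The file names the keytab and principal Ranger Admin uses against Solr, so pinning the mode keeps the result deterministic across hosts: change the last argument to `owner=params.unix_user,` and add `mode=0644` (or a tighter mode if only the Ranger user reads it). A one-line comment above the inner check, `# solr_jaas_file is only set in params.py when Solr needs Kerberos`, would also help, since that variable is now the only switch for this file. The function may continue past the end of the hunk.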
@@ -0,0 +1,26 @@ +{# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +#} + +Client { + com.sun.security.auth.module.Krb5LoginModule required + useKeyTab=true + storeKey=true + useTicketCache=false + keyTab="{{solr_kerberos_keytab}}" + principal="{{solr_kerberos_principal}}"; +}; \ No newline at end of file http://git-wip-us.apache.org/repos/asf/ambari/blob/417fb113/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/templates/ranger_solr_jass_conf.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/templates/ranger_solr_jass_conf.j2 b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/templates/ranger_solr_jass_conf.j2 deleted file mode 100644 index a456688..0000000 --- a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/templates/ranger_solr_jass_conf.j2 +++ /dev/null 
@@ -1,26 +0,0 @@ -{# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -#} - -Client { - com.sun.security.auth.module.Krb5LoginModule required - useKeyTab=true - storeKey=true - useTicketCache=false - keyTab="{{solr_kerberos_keytab}}" - principal="{{solr_kerberos_principal}}"; -}; \ No newline at end of file http://git-wip-us.apache.org/repos/asf/ambari/blob/417fb113/ambari-server/src/main/resources/common-services/RANGER/0.6.0/configuration/ranger-admin-site.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.6.0/configuration/ranger-admin-site.xml b/ambari-server/src/main/resources/common-services/RANGER/0.6.0/configuration/ranger-admin-site.xml index eacf541..c75f2fd 100644 --- a/ambari-server/src/main/resources/common-services/RANGER/0.6.0/configuration/ranger-admin-site.xml +++ b/ambari-server/src/main/resources/common-services/RANGER/0.6.0/configuration/ranger-admin-site.xml @@ -54,7 +54,7 @@ </property> <property> <name>ranger.admin.kerberos.cookie.domain</name> - <value/> + <value>{{ranger_host}}</value> <description/> <value-attributes> <empty-value-valid>true</empty-value-valid> 
@@ -152,6 +152,10 @@
 <type>ranger-env</type>
 <name>is_solrCloud_enabled</name>
 </property>
+ <property>
+ <type>ranger-env</type>
+ <name>is_external_solrCloud_enabled</name>
+ </property>
 </depends-on>
 <on-ambari-upgrade add="true"/>
 </property>
@@ -325,79 +329,12 @@ <property> <name>ranger.is.solr.kerberised</name> - <display-name>Kerberos Solr</display-name> - <value>false</value> - <description/> + <value>{{ranger_is_solr_kerberised}}</value> <value-attributes> - <overridable>false</overridable> - <type>value-list</type> - <entries> - <entry> - <value>true</value> - <label>ON</label> - </entry> - <entry> - <value>false</value> - <label>OFF</label> - </entry> - </entries> - <selection-cardinality>1</selection-cardinality> + <visible>false</visible> </value-attributes> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.principal</name> - <value>{{ranger_admin_jaas_principal}}</value> - <description/> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.keyTab</name> - <value>{{ranger_admin_keytab}}</value> <description/> <on-ambari-upgrade add="true"/> </property> - <property> - <name>xasecure.audit.jaas.Client.loginModuleName</name> - <value>com.sun.security.auth.module.Krb5LoginModule</value> - <description/> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.loginModuleControlFlag</name> - <value>required</value> - <description/> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.useKeyTab</name> - <value>true</value> - <description/> - <value-attributes> - <type>boolean</type> - </value-attributes> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.storeKey</name> - <value>false</value> - <description/> - <value-attributes> - <type>boolean</type> - </value-attributes> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.serviceName</name> - <value>solr</value> - <description/> - <on-ambari-upgrade add="true"/> - </property> </configuration> 
http://git-wip-us.apache.org/repos/asf/ambari/blob/417fb113/ambari-server/src/main/resources/common-services/RANGER/0.6.0/configuration/ranger-env.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.6.0/configuration/ranger-env.xml b/ambari-server/src/main/resources/common-services/RANGER/0.6.0/configuration/ranger-env.xml index 2cf3539..83a8096 100644 --- a/ambari-server/src/main/resources/common-services/RANGER/0.6.0/configuration/ranger-env.xml +++ b/ambari-server/src/main/resources/common-services/RANGER/0.6.0/configuration/ranger-env.xml 
@@ -67,4 +67,51 @@
 </value-attributes>
 <on-ambari-upgrade add="true"/>
 </property>
+
+ <property>
+ <name>is_external_solrCloud_enabled</name>
+ <display-name>External SolrCloud</display-name>
+ <value>false</value>
+ <description>Using Externally managed solr cloud ?</description>
+ <value-attributes>
+ <overridable>false</overridable>
+ <type>value-list</type>
+ <entries>
+ <entry>
+ <value>true</value>
+ <label>ON</label>
+ </entry>
+ <entry>
+ <value>false</value>
+ <label>OFF</label>
+ </entry>
+ </entries>
+ <selection-cardinality>1</selection-cardinality>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+
+ <property>
+ <name>is_external_solrCloud_kerberos</name>
+ <display-name>External SolrCloud kerberos</display-name>
+ <value>false</value>
+ <description>Is Externally managed solr cloud kerberos ?</description>
+ <value-attributes>
+ <overridable>false</overridable>
+ <type>value-list</type>
+ <entries>
+ <entry>
+ <value>true</value>
+ <label>ON</label>
+ </entry>
+ <entry>
+ <value>false</value>
+ <label>OFF</label>
+ </entry>
+ </entries>
+ <selection-cardinality>1</selection-cardinality>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+
 </configuration>
http://git-wip-us.apache.org/repos/asf/ambari/blob/417fb113/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json b/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json
index ffebb11..253e32e 100644
--- a/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json
@@ -13,7 +13,11 @@ "configurations": [ { "ranger-admin-site": { - "ranger.admin.kerberos.cookie.domain": "{{ranger_host}}" + "xasecure.audit.jaas.Client.loginModuleName": "com.sun.security.auth.module.Krb5LoginModule", + "xasecure.audit.jaas.Client.loginModuleControlFlag": "required", + "xasecure.audit.jaas.Client.option.useKeyTab": "true", + "xasecure.audit.jaas.Client.option.storeKey": "false", + "xasecure.audit.jaas.Client.option.serviceName": "solr" } } ], @@ -59,6 +63,15 @@ "keytab": { "configuration": "ranger-admin-site/ranger.spnego.kerberos.keytab" } + }, + { + "name": "/RANGER/RANGER_ADMIN/rangeradmin", + "principal": { + "configuration": "ranger-admin-site/xasecure.audit.jaas.Client.option.principal" + }, + "keytab": { + "configuration": "ranger-admin-site/xasecure.audit.jaas.Client.option.keyTab" + } } ] }, http://git-wip-us.apache.org/repos/asf/ambari/blob/417fb113/ambari-server/src/main/resources/common-services/RANGER/0.6.0/themes/theme_version_3.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.6.0/themes/theme_version_3.json b/ambari-server/src/main/resources/common-services/RANGER/0.6.0/themes/theme_version_3.json index e65c9b2..cbe28a3 100644 --- a/ambari-server/src/main/resources/common-services/RANGER/0.6.0/themes/theme_version_3.json +++ b/ambari-server/src/main/resources/common-services/RANGER/0.6.0/themes/theme_version_3.json 
@@ -5,6 +5,54 @@ "name": "default", "tabs": [ { + "name": "ranger_audit_settings", + "display-name": "Ranger Audit", + "layout": { + "tab-columns": "2", + "tab-rows": "2", + "sections": [ + { + "name": "section-ranger-audit-solr", + "display-name": "Audit to Solr", + "row-index": "0", + "column-index": "0", + "row-span": "1", + "column-span": "1", + "section-columns": "1", + "section-rows": "1", + "subsections": [ + { + "name": "subsection-ranger-solr-row1-col1", + "row-index": "0", + "column-index": "0", + "row-span": "1", + "column-span": "1" + } + ] + }, + { + "name": "section-ranger-audit-hdfs", + "display-name": "Audit to HDFS", + "row-index": "0", + "column-index": "1", + "row-span": "1", + "column-span": "1", + "section-columns": "1", + "section-rows": "1", + "subsections": [ + { + "name": "subsection-ranger-hdfs-row1-col2", + "row-index": "0", + "column-index": "0", + "row-span": "1", + "column-span": "1" + } + ] + } + ] + } + }, + { "name": "ranger_tagsync", "display-name": "Ranger Tagsync", "layout": { @@ -310,7 +358,11 @@ ] }, { - "config": "ranger-admin-site/ranger.is.solr.kerberised", + "config": "ranger-env/xasecure.audit.destination.solr", + "subsection-name": "subsection-ranger-solr-row1-col1" + }, + { + "config": "ranger-env/is_solrCloud_enabled", "subsection-name": "subsection-ranger-solr-row1-col1", "depends-on": [ { 
@@ -330,6 +382,169 @@ } } ] + }, + { + "config": "ranger-env/is_external_solrCloud_enabled", + "subsection-name": "subsection-ranger-solr-row1-col1", + "depends-on": [ + { + "configs":[ + "ranger-env/xasecure.audit.destination.solr", + "ranger-env/is_solrCloud_enabled" + ], + "if": "${ranger-env/xasecure.audit.destination.solr} && ${ranger-env/is_solrCloud_enabled}", + "then": { + "property_value_attributes": { + "visible": true + } + }, + "else": { + "property_value_attributes": { + "visible": false + } + } + } + ] + }, + { + "config": "ranger-env/is_external_solrCloud_kerberos", + "subsection-name": "subsection-ranger-solr-row1-col1", + "depends-on": [ + { + "configs":[ + "ranger-env/xasecure.audit.destination.solr", + "ranger-env/is_solrCloud_enabled", + "ranger-env/is_external_solrCloud_enabled" + ], + "if": "${ranger-env/xasecure.audit.destination.solr} && ${ranger-env/is_solrCloud_enabled} && ${ranger-env/is_external_solrCloud_enabled}", + "then": { + "property_value_attributes": { + "visible": true + } + }, + "else": { + "property_value_attributes": { + "visible": false + } + } + } + ] + }, + { + "config": "ranger-admin-site/ranger.audit.solr.urls", + "subsection-name": "subsection-ranger-solr-row1-col1", + "depends-on": [ + { + "configs":[ + "ranger-env/is_solrCloud_enabled", + "ranger-env/xasecure.audit.destination.solr" + ], + "if": "${ranger-env/is_solrCloud_enabled} === false && ${ranger-env/xasecure.audit.destination.solr}", + "then": { + "property_value_attributes": { + "visible": true + } + }, + "else": { + "property_value_attributes": { + "visible": false + } + } + } + ] + }, + { + "config": "ranger-admin-site/ranger.audit.solr.zookeepers", + "subsection-name": "subsection-ranger-solr-row1-col1", + "depends-on": [ + { + "configs":[ + "ranger-env/is_solrCloud_enabled", + "ranger-env/xasecure.audit.destination.solr" + ], + "if": "${ranger-env/is_solrCloud_enabled} && ${ranger-env/xasecure.audit.destination.solr}", + "then": { + 
"property_value_attributes": { + "visible": true + } + }, + "else": { + "property_value_attributes": { + "visible": false + } + } + } + ] + }, + { + "config": "ranger-admin-site/ranger.audit.solr.username", + "subsection-name": "subsection-ranger-solr-row1-col1", + "depends-on": [ + { + "configs":[ + "ranger-env/xasecure.audit.destination.solr" + ], + "if": "${ranger-env/xasecure.audit.destination.solr}", + "then": { + "property_value_attributes": { + "visible": true + } + }, + "else": { + "property_value_attributes": { + "visible": false + } + } + } + ] + }, + { + "config": "ranger-admin-site/ranger.audit.solr.password", + "subsection-name": "subsection-ranger-solr-row1-col1", + "depends-on": [ + { + "configs":[ + "ranger-env/xasecure.audit.destination.solr" + ], + "if": "${ranger-env/xasecure.audit.destination.solr}", + "then": { + "property_value_attributes": { + "visible": true + } + }, + "else": { + "property_value_attributes": { + "visible": false + } + } + } + ] + }, + { + "config": "ranger-env/xasecure.audit.destination.hdfs", + "subsection-name": "subsection-ranger-hdfs-row1-col2" + }, + { + "config": "ranger-env/xasecure.audit.destination.hdfs.dir", + "subsection-name": "subsection-ranger-hdfs-row1-col2", + "depends-on": [ + { + "configs":[ + "ranger-env/xasecure.audit.destination.hdfs" + ], + "if": "${ranger-env/xasecure.audit.destination.hdfs}", + "then": { + "property_value_attributes": { + "visible": true + } + }, + "else": { + "property_value_attributes": { + "visible": false + } + } + } + ] } ] }, 
@@ -413,10 +628,64 @@ } }, { - "config": "ranger-admin-site/ranger.is.solr.kerberised", + "config": "ranger-env/xasecure.audit.destination.solr", + "widget": { + "type": "toggle" + } + }, + { + "config": "ranger-env/is_solrCloud_enabled", + "widget": { + "type": "toggle" + } + }, + { + "config": "ranger-env/is_external_solrCloud_enabled", + "widget": { + "type": "toggle" + } + }, + { + "config": "ranger-env/is_external_solrCloud_kerberos", + "widget": { + "type": "toggle" + } + }, + { + "config": "ranger-admin-site/ranger.audit.solr.urls", + "widget": { + "type": "text-field" + } + }, + { + "config": "ranger-admin-site/ranger.audit.solr.zookeepers", + "widget": { + "type": "text-field" + } + }, + { + "config": "ranger-admin-site/ranger.audit.solr.username", + "widget": { + "type": "text-field" + } + }, + { + "config": "ranger-admin-site/ranger.audit.solr.password", + "widget": { + "type": "password" + } + }, + { + "config": "ranger-env/xasecure.audit.destination.hdfs", "widget": { "type": "toggle" } + }, + { + "config": "ranger-env/xasecure.audit.destination.hdfs.dir", + "widget": { + "type": "text-field" + } } ] } http://git-wip-us.apache.org/repos/asf/ambari/blob/417fb113/ambari-server/src/main/resources/common-services/STORM/1.0.1/configuration/ranger-storm-audit.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/STORM/1.0.1/configuration/ranger-storm-audit.xml b/ambari-server/src/main/resources/common-services/STORM/1.0.1/configuration/ranger-storm-audit.xml index 1c869ed..d3f9143 100644 --- a/ambari-server/src/main/resources/common-services/STORM/1.0.1/configuration/ranger-storm-audit.xml +++ b/ambari-server/src/main/resources/common-services/STORM/1.0.1/configuration/ranger-storm-audit.xml 
@@ -54,140 +54,4 @@ <deleted>true</deleted> <on-ambari-upgrade add="false"/> </property> - - <property> - <name>xasecure.audit.jaas.Client.option.principal</name> - <value>{{storm_jaas_principal}}</value> - <description/> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.keyTab</name> - <value>{{storm_keytab_path}}</value> - <description/> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.loginModuleName</name> - <value></value> - <description/> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.loginModuleName</name> - </property> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.loginModuleControlFlag</name> - <value></value> - <description/> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.loginModuleControlFlag</name> - </property> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.useKeyTab</name> - <value>false</value> - <description/> - <value-attributes> - <type>boolean</type> - </value-attributes> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.option.useKeyTab</name> - </property> - <property> - <type>ranger-admin-site</type> - 
<name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.storeKey</name> - <value>false</value> - <description/> - <value-attributes> - <type>boolean</type> - </value-attributes> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.option.storeKey</name> - </property> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.serviceName</name> - <value></value> - <description/> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.option.serviceName</name> - </property> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - </property> - - <property> - <name>xasecure.audit.destination.solr.force.use.inmemory.jaas.config</name> - <value>false</value> - <description/> - <value-attributes> - <type>boolean</type> - </value-attributes> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - </property> </configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/417fb113/ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json b/ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json index f9fa30d..3068226 100644 --- a/ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json 
+++ b/ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json @@ -55,6 +55,16 @@ "nimbus.supervisor.users": "['{{storm_bare_jaas_principal}}']", "ui.filter.params": "{'type': 'kerberos', 'kerberos.principal': '{{storm_ui_jaas_principal}}', 'kerberos.keytab': '{{storm_ui_keytab_path}}', 'kerberos.name.rules': 'DEFAULT'}" } + }, + { + "ranger-storm-audit": { + "xasecure.audit.jaas.Client.loginModuleName": "com.sun.security.auth.module.Krb5LoginModule", + "xasecure.audit.jaas.Client.loginModuleControlFlag": "required", + "xasecure.audit.jaas.Client.option.useKeyTab": "true", + "xasecure.audit.jaas.Client.option.storeKey": "false", + "xasecure.audit.jaas.Client.option.serviceName": "solr", + "xasecure.audit.destination.solr.force.use.inmemory.jaas.config": "true" + } } ], "components": [ @@ -94,6 +104,15 @@ }, "configuration": "storm-env/nimbus_keytab" } + }, + { + "name": "/STORM/NIMBUS/nimbus_server", + "principal": { + "configuration": "ranger-storm-audit/xasecure.audit.jaas.Client.option.principal" + }, + "keytab": { + "configuration": "ranger-storm-audit/xasecure.audit.jaas.Client.option.keyTab" + } } ] }, http://git-wip-us.apache.org/repos/asf/ambari/blob/417fb113/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/config-upgrade.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/config-upgrade.xml b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/config-upgrade.xml index c49e18e..b295cc9 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/config-upgrade.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/config-upgrade.xml 
@@ -303,6 +303,15 @@ <transfer operation="delete" delete-key="ranger.sso.cookiename" /> <transfer operation="delete" delete-key="ranger.sso.query.param.originalurl" /> </definition> + + <definition xsi:type="configure" id="hdp_2_5_0_0_set_external_solrCloud_flag"> + <condition type="ranger-env" key="is_solrCloud_enabled" value="true"> + <type>ranger-env</type> + <key>is_external_solrCloud_enabled</key> + <value>true</value> + </condition> + </definition> + </changes> </component> </service> http://git-wip-us.apache.org/repos/asf/ambari/blob/417fb113/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.5.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.5.xml b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.5.xml index 133db26..7197e29 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.5.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.5.xml @@ -383,6 +383,10 @@ <task xsi:type="configure" id="hdp_2_5_0_0_remove_sso_property"/> </execute-stage> + <execute-stage service="RANGER" component="RANGER_ADMIN" title="Apply config changes for Ranger Admin"> + <task xsi:type="configure" id="hdp_2_5_0_0_set_external_solrCloud_flag"/> + </execute-stage> + <execute-stage service="RANGER" component="RANGER_ADMIN" title="Calculating Ranger Properties"> <task xsi:type="server_action" summary="Calculating Ranger Properties" class="org.apache.ambari.server.serveraction.upgrades.RangerKerberosConfigCalculation"/> </execute-stage> http://git-wip-us.apache.org/repos/asf/ambari/blob/417fb113/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.5.xml ---------------------------------------------------------------------- 
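Review bot: The new `hdp_2_5_0_0_set_external_solrCloud_flag` definition in config-upgrade.xml turns `is_external_solrCloud_enabled` on for every cluster that already has `ranger-env/is_solrCloud_enabled` set to `true`, and nothing next to it records why an existing SolrCloud is always classified as external. I would add a comment above the definition such as `<!-- Clusters upgraded with is_solrCloud_enabled=true are treated as using an external SolrCloud -->`, adjusted to the intended rule. In nonrolling-upgrade-2.5.xml the stage title `Apply config changes for Ranger Admin` does not tell an operator which change is running; a title that names the external SolrCloud flag would read better in the upgrade log beside `Calculating Ranger Properties`. The identical definition and stage are added to the HDP 2.4 upgrade files below, and the enclosing elements of both hunks start outside them.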
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.5.xml b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.5.xml index ff5d4d9..7a3a19e 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.5.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.5.xml @@ -547,6 +547,7 @@ <task xsi:type="configure" id="hdp_2_5_0_0_remove_audit_db_admin_properties" /> <task xsi:type="configure" id="hdp_2_5_0_0_remove_audit_db_ranger_admin_site" /> <task xsi:type="configure" id="hdp_2_5_0_0_remove_sso_property" /> + <task xsi:type="configure" id="hdp_2_5_0_0_set_external_solrCloud_flag"/> <task xsi:type="server_action" summary="Calculating Ranger Properties" class="org.apache.ambari.server.serveraction.upgrades.RangerKerberosConfigCalculation"/> <task xsi:type="server_action" summary="Configuring Ranger Alerts" class="org.apache.ambari.server.serveraction.upgrades.RangerWebAlertConfigAction"/> http://git-wip-us.apache.org/repos/asf/ambari/blob/417fb113/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/config-upgrade.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/config-upgrade.xml b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/config-upgrade.xml index 473d8a0..d230a68 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/config-upgrade.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/config-upgrade.xml 
@@ -159,6 +159,15 @@ <transfer operation="delete" delete-key="ranger.sso.cookiename" /> <transfer operation="delete" delete-key="ranger.sso.query.param.originalurl" /> </definition> + + <definition xsi:type="configure" id="hdp_2_5_0_0_set_external_solrCloud_flag"> + <condition type="ranger-env" key="is_solrCloud_enabled" value="true"> + <type>ranger-env</type> + <key>is_external_solrCloud_enabled</key> + <value>true</value> + </condition> + </definition> + </changes> </component> </service> http://git-wip-us.apache.org/repos/asf/ambari/blob/417fb113/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.5.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.5.xml b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.5.xml index d648638..902c421 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.5.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.5.xml @@ -313,6 +313,10 @@ <task xsi:type="configure" id="hdp_2_5_0_0_remove_sso_property"/> </execute-stage> + <execute-stage service="RANGER" component="RANGER_ADMIN" title="Apply config changes for Ranger Admin"> + <task xsi:type="configure" id="hdp_2_5_0_0_set_external_solrCloud_flag"/> + </execute-stage> + <execute-stage service="RANGER" component="RANGER_ADMIN" title="Calculating Ranger Properties"> <task xsi:type="server_action" summary="Calculating Ranger Properties" class="org.apache.ambari.server.serveraction.upgrades.RangerKerberosConfigCalculation"/> </execute-stage> http://git-wip-us.apache.org/repos/asf/ambari/blob/417fb113/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.5.xml ---------------------------------------------------------------------- 
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.5.xml b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.5.xml index e67aebb..2168868 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.5.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.5.xml @@ -542,6 +542,7 @@ <task xsi:type="configure" id="hdp_2_5_0_0_remove_audit_db_admin_properties" /> <task xsi:type="configure" id="hdp_2_5_0_0_remove_audit_db_ranger_admin_site" /> <task xsi:type="configure" id="hdp_2_5_0_0_remove_sso_property" /> + <task xsi:type="configure" id="hdp_2_5_0_0_set_external_solrCloud_flag"/> <task xsi:type="server_action" summary="Calculating Ranger Properties" class="org.apache.ambari.server.serveraction.upgrades.RangerKerberosConfigCalculation"/> <task xsi:type="server_action" summary="Configuring Ranger Alerts" class="org.apache.ambari.server.serveraction.upgrades.RangerWebAlertConfigAction"/> http://git-wip-us.apache.org/repos/asf/ambari/blob/417fb113/ambari-server/src/main/resources/stacks/HDP/2.5/services/ATLAS/configuration/ranger-atlas-audit.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/services/ATLAS/configuration/ranger-atlas-audit.xml b/ambari-server/src/main/resources/stacks/HDP/2.5/services/ATLAS/configuration/ranger-atlas-audit.xml index ac22729..efeea5f 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.5/services/ATLAS/configuration/ranger-atlas-audit.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.5/services/ATLAS/configuration/ranger-atlas-audit.xml 
@@ -128,139 +128,4 @@ <on-ambari-upgrade add="true"/> </property> - <property> - <name>xasecure.audit.jaas.Client.option.principal</name> - <value>{{atlas_jaas_principal}}</value> - <description/> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.keyTab</name> - <value>{{atlas_keytab_path}}</value> - <description/> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.loginModuleName</name> - <value></value> - <description/> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.loginModuleName</name> - </property> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.loginModuleControlFlag</name> - <value></value> - <description/> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.loginModuleControlFlag</name> - </property> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.useKeyTab</name> - <value>false</value> - <description/> - <value-attributes> - <type>boolean</type> - </value-attributes> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.option.useKeyTab</name> - </property> - <property> - <type>ranger-admin-site</type> - 
<name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.storeKey</name> - <value>false</value> - <description/> - <value-attributes> - <type>boolean</type> - </value-attributes> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.option.storeKey</name> - </property> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.serviceName</name> - <value></value> - <description/> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.option.serviceName</name> - </property> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - </property> - - <property> - <name>xasecure.audit.destination.solr.force.use.inmemory.jaas.config</name> - <value>false</value> - <description/> - <value-attributes> - <type>boolean</type> - </value-attributes> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - </property> </configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/417fb113/ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/configuration/ranger-hbase-audit.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/configuration/ranger-hbase-audit.xml b/ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/configuration/ranger-hbase-audit.xml index cc9f0d2..d3f9143 100644 
--- a/ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/configuration/ranger-hbase-audit.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/configuration/ranger-hbase-audit.xml 
@@ -54,140 +54,4 @@ <deleted>true</deleted> <on-ambari-upgrade add="false"/> </property> - - <property> - <name>xasecure.audit.jaas.Client.option.principal</name> - <value>{{master_jaas_princ}}</value> - <description/> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.keyTab</name> - <value>{{master_keytab_path}}</value> - <description/> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.loginModuleName</name> - <value></value> - <description/> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.loginModuleName</name> - </property> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.loginModuleControlFlag</name> - <value></value> - <description/> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.loginModuleControlFlag</name> - </property> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.useKeyTab</name> - <value>false</value> - <description/> - <value-attributes> - <type>boolean</type> - </value-attributes> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.option.useKeyTab</name> - </property> - <property> - <type>ranger-admin-site</type> - 
<name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.storeKey</name> - <value>false</value> - <description/> - <value-attributes> - <type>boolean</type> - </value-attributes> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.option.storeKey</name> - </property> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.serviceName</name> - <value></value> - <description/> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.option.serviceName</name> - </property> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - </property> - - <property> - <name>xasecure.audit.destination.solr.force.use.inmemory.jaas.config</name> - <value>false</value> - <description/> - <value-attributes> - <type>boolean</type> - </value-attributes> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - </property> </configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/417fb113/ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/kerberos.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/kerberos.json b/ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/kerberos.json index ada02ad..501bcd3 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/kerberos.json 
+++ b/ambari-server/src/main/resources/stacks/HDP/2.5/services/HBASE/kerberos.json
@@ -43,6 +43,16 @@
 "hbase.bulkload.staging.dir": "/apps/hbase/staging",
 "hbase.master.ui.readonly": "true"
 }
+ },
+ {
+ "ranger-hbase-audit": {
+ "xasecure.audit.jaas.Client.loginModuleName": "com.sun.security.auth.module.Krb5LoginModule",
+ "xasecure.audit.jaas.Client.loginModuleControlFlag": "required",
+ "xasecure.audit.jaas.Client.option.useKeyTab": "true",
+ "xasecure.audit.jaas.Client.option.storeKey": "false",
+ "xasecure.audit.jaas.Client.option.serviceName": "solr",
+ "xasecure.audit.destination.solr.force.use.inmemory.jaas.config": "true"
+ }
 }
 ],
 "components": [
@@ -81,6 +91,15 @@
 "keytab": {
 "configuration": "hbase-site/hbase.security.authentication.spnego.kerberos.keytab"
 }
+ },
+ {
+ "name": "/HBASE/HBASE_MASTER/hbase_master_hbase",
+ "principal": {
+ "configuration": "ranger-hbase-audit/xasecure.audit.jaas.Client.option.principal"
+ },
+ "keytab": {
+ "configuration": "ranger-hbase-audit/xasecure.audit.jaas.Client.option.keyTab"
+ }
 }
 ]
 },
http://git-wip-us.apache.org/repos/asf/ambari/blob/417fb113/ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/configuration/ranger-hdfs-audit.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/configuration/ranger-hdfs-audit.xml b/ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/configuration/ranger-hdfs-audit.xml
index 0a04953..fad3da7 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/configuration/ranger-hdfs-audit.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/configuration/ranger-hdfs-audit.xml
@@ -56,139 +56,4 @@ <on-ambari-upgrade add="false"/> </property> - <property> - <name>xasecure.audit.jaas.Client.option.principal</name> - <value>{{nn_principal_name}}</value> - <description/> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.keyTab</name> - <value>{{nn_keytab}}</value> - <description/> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.loginModuleName</name> - <value></value> - <description/> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.loginModuleName</name> - </property> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.loginModuleControlFlag</name> - <value></value> - <description/> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.loginModuleControlFlag</name> - </property> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.useKeyTab</name> - <value>false</value> - <description/> - <value-attributes> - <type>boolean</type> - </value-attributes> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.option.useKeyTab</name> - </property> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - 
</property> - </depends-on> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.storeKey</name> - <value>false</value> - <description/> - <value-attributes> - <type>boolean</type> - </value-attributes> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.option.storeKey</name> - </property> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.serviceName</name> - <value></value> - <description/> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.option.serviceName</name> - </property> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - </property> - - <property> - <name>xasecure.audit.destination.solr.force.use.inmemory.jaas.config</name> - <value>false</value> - <description/> - <value-attributes> - <type>boolean</type> - </value-attributes> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - </property> </configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/417fb113/ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json b/ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json new file mode 100644 index 0000000..974a69c --- /dev/null +++ b/ambari-server/src/main/resources/stacks/HDP/2.5/services/HDFS/kerberos.json 
@@ -0,0 +1,246 @@ +{ + "services": [ + { + "name": "HDFS", + "identities": [ + { + "name": "/spnego", + "principal": { + "configuration": "hdfs-site/dfs.web.authentication.kerberos.principal" + }, + "keytab": { + "configuration": "hdfs-site/dfs.web.authentication.kerberos.keytab" + } + }, + { + "name": "/smokeuser" + } + ], + "auth_to_local_properties" : [ + "core-site/hadoop.security.auth_to_local" + ], + "configurations": [ + { + "core-site": { + "hadoop.security.authentication": "kerberos", + "hadoop.security.authorization": "true", + "hadoop.proxyuser.HTTP.groups": "${hadoop-env/proxyuser_group}" + } + }, + { + "ranger-hdfs-audit": { + "xasecure.audit.jaas.Client.loginModuleName": "com.sun.security.auth.module.Krb5LoginModule", + "xasecure.audit.jaas.Client.loginModuleControlFlag": "required", + "xasecure.audit.jaas.Client.option.useKeyTab": "true", + "xasecure.audit.jaas.Client.option.storeKey": "false", + "xasecure.audit.jaas.Client.option.serviceName": "solr", + "xasecure.audit.destination.solr.force.use.inmemory.jaas.config": "true" + } + } + ], + "components": [ + { + "name": "HDFS_CLIENT", + "identities": [ + { + "name": "/HDFS/NAMENODE/hdfs" + } + ] + }, + { + "name": "NAMENODE", + "identities": [ + { + "name": "hdfs", + "principal": { + "value": "${hadoop-env/hdfs_user}-${cluster_name|toLower()}@${realm}", + "type" : "user" , + "configuration": "hadoop-env/hdfs_principal_name", + "local_username" : "${hadoop-env/hdfs_user}" + }, + "keytab": { + "file": "${keytab_dir}/hdfs.headless.keytab", + "owner": { + "name": "${hadoop-env/hdfs_user}", + "access": "r" + }, + "group": { + "name": "${cluster-env/user_group}", + "access": "r" + }, + "configuration": "hadoop-env/hdfs_user_keytab" + } + }, + { + "name": "namenode_nn", + "principal": { + "value": "nn/_HOST@${realm}", + "type" : "service", + "configuration": "hdfs-site/dfs.namenode.kerberos.principal", + "local_username" : "${hadoop-env/hdfs_user}" + }, + "keytab": { + "file": 
"${keytab_dir}/nn.service.keytab", + "owner": { + "name": "${hadoop-env/hdfs_user}", + "access": "r" + }, + "group": { + "name": "${cluster-env/user_group}", + "access": "" + }, + "configuration": "hdfs-site/dfs.namenode.keytab.file" + } + }, + { + "name": "/spnego", + "principal": { + "configuration": "hdfs-site/dfs.namenode.kerberos.internal.spnego.principal" + } + }, + { + "name": "/HDFS/NAMENODE/namenode_nn", + "principal": { + "configuration": "ranger-hdfs-audit/xasecure.audit.jaas.Client.option.principal" + }, + "keytab": { + "configuration": "ranger-hdfs-audit/xasecure.audit.jaas.Client.option.keyTab" + } + } + ], + "configurations": [ + { + "hdfs-site": { + "dfs.block.access.token.enable": "true" + } + } + ] + }, + { + "name": "DATANODE", + "identities": [ + { + "name": "datanode_dn", + "principal": { + "value": "dn/_HOST@${realm}", + "type" : "service", + "configuration": "hdfs-site/dfs.datanode.kerberos.principal", + "local_username" : "${hadoop-env/hdfs_user}" + }, + "keytab": { + "file": "${keytab_dir}/dn.service.keytab", + "owner": { + "name": "${hadoop-env/hdfs_user}", + "access": "r" + }, + "group": { + "name": "${cluster-env/user_group}", + "access": "" + }, + "configuration": "hdfs-site/dfs.datanode.keytab.file" + } + } + ], + "configurations" : [ + { + "hdfs-site" : { + "dfs.datanode.address" : "0.0.0.0:1019", + "dfs.datanode.http.address": "0.0.0.0:1022" + } + } + ] + }, + { + "name": "SECONDARY_NAMENODE", + "identities": [ + { + "name": "secondary_namenode_nn", + "principal": { + "value": "nn/_HOST@${realm}", + "type" : "service", + "configuration": "hdfs-site/dfs.secondary.namenode.kerberos.principal", + "local_username" : "${hadoop-env/hdfs_user}" + }, + "keytab": { + "file": "${keytab_dir}/nn.service.keytab", + "owner": { + "name": "${hadoop-env/hdfs_user}", + "access": "r" + }, + "group": { + "name": "${cluster-env/user_group}", + "access": "" + }, + "configuration": "hdfs-site/dfs.secondary.namenode.keytab.file" + } + }, + { + "name": 
"/spnego", + "principal": { + "configuration": "hdfs-site/dfs.secondary.namenode.kerberos.internal.spnego.principal" + } + } + ] + }, + { + "name": "NFS_GATEWAY", + "identities": [ + { + "name": "nfsgateway", + "principal": { + "value": "nfs/_HOST@${realm}", + "type" : "service", + "configuration": "hdfs-site/nfs.kerberos.principal", + "local_username" : "${hadoop-env/hdfs_user}" + }, + "keytab": { + "file": "${keytab_dir}/nfs.service.keytab", + "owner": { + "name": "${hadoop-env/hdfs_user}", + "access": "r" + }, + "group": { + "name": "${cluster-env/user_group}", + "access": "" + }, + "configuration": "hdfs-site/nfs.keytab.file" + } + } + ] + }, + { + "name": "JOURNALNODE", + "identities": [ + { + "name": "journalnode_jn", + "principal": { + "value": "jn/_HOST@${realm}", + "type" : "service", + "configuration": "hdfs-site/dfs.journalnode.kerberos.principal", + "local_username" : "${hadoop-env/hdfs_user}" + }, + "keytab": { + "file": "${keytab_dir}/jn.service.keytab", + "owner": { + "name": "${hadoop-env/hdfs_user}", + "access": "r" + }, + "group": { + "name": "${cluster-env/user_group}", + "access": "" + }, + "configuration": "hdfs-site/dfs.journalnode.keytab.file" + } + }, + { + "name": "/spnego", + "principal": { + "configuration": "hdfs-site/dfs.journalnode.kerberos.internal.spnego.principal" + } + } + ] + } + ] + } + ] +} http://git-wip-us.apache.org/repos/asf/ambari/blob/417fb113/ambari-server/src/main/resources/stacks/HDP/2.5/services/HIVE/configuration/ranger-hive-audit.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/services/HIVE/configuration/ranger-hive-audit.xml b/ambari-server/src/main/resources/stacks/HDP/2.5/services/HIVE/configuration/ranger-hive-audit.xml index 671c08e..d3f9143 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.5/services/HIVE/configuration/ranger-hive-audit.xml 
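Review bot: The new HDP 2.5 HDFS kerberos.json appears to restate the whole HDFS descriptor (all six components with their principals, keytab paths and owner/group access modes) in order to add the `ranger-hdfs-audit` configuration block and the `/HDFS/NAMENODE/namenode_nn` audit reference. If it overrides an inherited descriptor rather than merging with it, any later tightening of keytab ownership or access in the base file will not reach HDP 2.5 unless it is mirrored here. Since JSON cannot carry a comment, I would record in the commit description that only those two blocks differ from the inherited descriptor, and confirm that is really the case before merging.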
+++ b/ambari-server/src/main/resources/stacks/HDP/2.5/services/HIVE/configuration/ranger-hive-audit.xml 
@@ -54,140 +54,4 @@ <deleted>true</deleted> <on-ambari-upgrade add="false"/> </property> - - <property> - <name>xasecure.audit.jaas.Client.option.principal</name> - <value>{{hive_principal}}</value> - <description/> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.keyTab</name> - <value>{{hive_keytab}}</value> - <description/> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.loginModuleName</name> - <value></value> - <description/> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.loginModuleName</name> - </property> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.loginModuleControlFlag</name> - <value></value> - <description/> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.loginModuleControlFlag</name> - </property> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.useKeyTab</name> - <value>false</value> - <description/> - <value-attributes> - <type>boolean</type> - </value-attributes> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.option.useKeyTab</name> - </property> - <property> - <type>ranger-admin-site</type> - 
<name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.storeKey</name> - <value>false</value> - <description/> - <value-attributes> - <type>boolean</type> - </value-attributes> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.option.storeKey</name> - </property> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.serviceName</name> - <value></value> - <description/> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.option.serviceName</name> - </property> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - </property> - - <property> - <name>xasecure.audit.destination.solr.force.use.inmemory.jaas.config</name> - <value>false</value> - <description/> - <value-attributes> - <type>boolean</type> - </value-attributes> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - </property> </configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/417fb113/ambari-server/src/main/resources/stacks/HDP/2.5/services/HIVE/kerberos.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/services/HIVE/kerberos.json b/ambari-server/src/main/resources/stacks/HDP/2.5/services/HIVE/kerberos.json index f9a0caf..499aa32 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.5/services/HIVE/kerberos.json 
+++ b/ambari-server/src/main/resources/stacks/HDP/2.5/services/HIVE/kerberos.json
@@ -34,6 +34,16 @@
 "hadoop.security.authorization": "true",
 "hive.llap.daemon.work.dirs": "/hadoop/llap/local"
 }
+ },
+ {
+ "ranger-hive-audit": {
+ "xasecure.audit.jaas.Client.loginModuleName": "com.sun.security.auth.module.Krb5LoginModule",
+ "xasecure.audit.jaas.Client.loginModuleControlFlag": "required",
+ "xasecure.audit.jaas.Client.option.useKeyTab": "true",
+ "xasecure.audit.jaas.Client.option.storeKey": "false",
+ "xasecure.audit.jaas.Client.option.serviceName": "solr",
+ "xasecure.audit.destination.solr.force.use.inmemory.jaas.config": "true"
+ }
 }
 ],
 "components": [
@@ -95,6 +105,15 @@
 "keytab": {
 "configuration": "hive-site/hive.server2.authentication.spnego.keytab"
 }
+ },
+ {
+ "name": "/HIVE/HIVE_SERVER/hive_server_hive",
+ "principal": {
+ "configuration": "ranger-hive-audit/xasecure.audit.jaas.Client.option.principal"
+ },
+ "keytab": {
+ "configuration": "ranger-hive-audit/xasecure.audit.jaas.Client.option.keyTab"
+ }
 }
 ]
 },
http://git-wip-us.apache.org/repos/asf/ambari/blob/417fb113/ambari-server/src/main/resources/stacks/HDP/2.5/services/KAFKA/configuration/ranger-kafka-audit.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/services/KAFKA/configuration/ranger-kafka-audit.xml b/ambari-server/src/main/resources/stacks/HDP/2.5/services/KAFKA/configuration/ranger-kafka-audit.xml
index 6aca7e7..fff9132 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.5/services/KAFKA/configuration/ranger-kafka-audit.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.5/services/KAFKA/configuration/ranger-kafka-audit.xml
@@ -55,139 +55,4 @@ <on-ambari-upgrade add="false"/> </property> - <property> - <name>xasecure.audit.jaas.Client.option.principal</name> - <value>{{kafka_jaas_principal}}</value> - <description/> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.keyTab</name> - <value>{{kafka_keytab_path}}</value> - <description/> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.loginModuleName</name> - <value></value> - <description/> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.loginModuleName</name> - </property> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.loginModuleControlFlag</name> - <value></value> - <description/> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.loginModuleControlFlag</name> - </property> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.useKeyTab</name> - <value>false</value> - <description/> - <value-attributes> - <type>boolean</type> - </value-attributes> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.option.useKeyTab</name> - </property> - <property> - <type>ranger-admin-site</type> - 
<name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.storeKey</name> - <value>false</value> - <description/> - <value-attributes> - <type>boolean</type> - </value-attributes> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.option.storeKey</name> - </property> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.serviceName</name> - <value></value> - <description/> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.option.serviceName</name> - </property> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - </property> - - <property> - <name>xasecure.audit.destination.solr.force.use.inmemory.jaas.config</name> - <value>false</value> - <description/> - <value-attributes> - <type>boolean</type> - </value-attributes> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - </property> </configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/417fb113/ambari-server/src/main/resources/stacks/HDP/2.5/services/KAFKA/kerberos.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/services/KAFKA/kerberos.json b/ambari-server/src/main/resources/stacks/HDP/2.5/services/KAFKA/kerberos.json new file mode 100644 index 0000000..e1e6461 --- /dev/null 
+++ b/ambari-server/src/main/resources/stacks/HDP/2.5/services/KAFKA/kerberos.json
@@ -0,0 +1,69 @@
+{
+ "services": [
+ {
+ "name": "KAFKA",
+ "identities": [
+ {
+ "name": "/smokeuser"
+ }
+ ],
+ "configurations": [
+ {
+ "kafka-broker": {
+ "authorizer.class.name": "kafka.security.auth.SimpleAclAuthorizer",
+ "principal.to.local.class":"kafka.security.auth.KerberosPrincipalToLocal",
+ "super.users": "user:${kafka-env/kafka_user}",
+ "security.inter.broker.protocol": "PLAINTEXTSASL",
+ "zookeeper.set.acl": "true"
+ }
+ },
+ {
+ "ranger-kafka-audit": {
+ "xasecure.audit.jaas.Client.loginModuleName": "com.sun.security.auth.module.Krb5LoginModule",
+ "xasecure.audit.jaas.Client.loginModuleControlFlag": "required",
+ "xasecure.audit.jaas.Client.option.useKeyTab": "true",
+ "xasecure.audit.jaas.Client.option.storeKey": "false",
+ "xasecure.audit.jaas.Client.option.serviceName": "solr",
+ "xasecure.audit.destination.solr.force.use.inmemory.jaas.config": "true"
+ }
+ }
+ ],
+ "components": [
+ {
+ "name": "KAFKA_BROKER",
+ "identities": [
+ {
+ "name": "kafka_broker",
+ "principal": {
+ "value": "${kafka-env/kafka_user}/_HOST@${realm}",
+ "type": "service",
+ "configuration": "kafka-env/kafka_principal_name"
+ },
+ "keytab": {
+ "file": "${keytab_dir}/kafka.service.keytab",
+ "owner": {
+ "name": "${kafka-env/kafka_user}",
+ "access": "r"
+ },
+ "group": {
+ "name": "${cluster-env/user_group}",
+ "access": ""
+ },
+ "configuration": "kafka-env/kafka_keytab"
+ }
+ },
+ {
+ "name": "/KAFKA/KAFKA_BROKER/kafka_broker",
+ "principal": {
+ "configuration": "ranger-kafka-audit/xasecure.audit.jaas.Client.option.principal"
+ },
+ "keytab": {
+ "configuration": "ranger-kafka-audit/xasecure.audit.jaas.Client.option.keyTab"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
http://git-wip-us.apache.org/repos/asf/ambari/blob/417fb113/ambari-server/src/main/resources/stacks/HDP/2.5/services/KNOX/configuration/ranger-knox-audit.xml
----------------------------------------------------------------------
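Review bot: `"security.inter.broker.protocol": "PLAINTEXTSASL"` in the `kafka-broker` block gives broker-to-broker traffic that is authenticated but not encrypted, and this new descriptor makes it the value for Kerberos-enabled clusters on this stack. The value may be carried over from an existing KAFKA descriptor that is not visible here. Even so, operators should be told that transport encryption has to be configured separately, for instance by overriding to Kafka's `SASL_SSL` with matching listeners. The keytab entry is suitably restrictive (`"access": "r"` for the owner, `""` for the group) and should stay that way now that the Ranger audit client reads the same file.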
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/services/KNOX/configuration/ranger-knox-audit.xml b/ambari-server/src/main/resources/stacks/HDP/2.5/services/KNOX/configuration/ranger-knox-audit.xml
index bdd1994..fff9132 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.5/services/KNOX/configuration/ranger-knox-audit.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.5/services/KNOX/configuration/ranger-knox-audit.xml
@@ -55,139 +55,4 @@ <on-ambari-upgrade add="false"/> </property> - <property> - <name>xasecure.audit.jaas.Client.option.principal</name> - <value>{{knox_principal_name}}</value> - <description/> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.keyTab</name> - <value>{{knox_keytab_path}}</value> - <description/> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.loginModuleName</name> - <value></value> - <description/> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.loginModuleName</name> - </property> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.loginModuleControlFlag</name> - <value></value> - <description/> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.loginModuleControlFlag</name> - </property> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.useKeyTab</name> - <value>false</value> - <description/> - <value-attributes> - <type>boolean</type> - </value-attributes> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.option.useKeyTab</name> - </property> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> 
- </property> - </depends-on> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.storeKey</name> - <value>false</value> - <description/> - <value-attributes> - <type>boolean</type> - </value-attributes> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.option.storeKey</name> - </property> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - </property> - - <property> - <name>xasecure.audit.jaas.Client.option.serviceName</name> - <value></value> - <description/> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>xasecure.audit.jaas.Client.option.serviceName</name> - </property> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - <value-attributes> - <empty-value-valid>true</empty-value-valid> - </value-attributes> - </property> - - <property> - <name>xasecure.audit.destination.solr.force.use.inmemory.jaas.config</name> - <value>false</value> - <description/> - <value-attributes> - <type>boolean</type> - </value-attributes> - <depends-on> - <property> - <type>ranger-admin-site</type> - <name>ranger.is.solr.kerberised</name> - </property> - </depends-on> - <on-ambari-upgrade add="true"/> - </property> </configuration>
