http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-audit.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-audit.xml b/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-audit.xml
index b4c0790..5257549 100644
--- a/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-audit.xml
+++ b/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-audit.xml
@@ -23,7 +23,7 @@
 <name>xasecure.audit.is.enabled</name>
 <value>true</value>
 <description>Is Audit enabled?</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
 </property>
 <property>
 <name>xasecure.audit.destination.db</name>
@@ -39,19 +39,19 @@
 <name>xasecure.audit.destination.db</name>
 </property>
 </depends-on>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
 </property>
 <property>
 <name>xasecure.audit.destination.db.jdbc.url</name>
 <value>{{audit_jdbc_url}}</value>
 <description>Audit DB JDBC URL</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
 </property>
 <property>
 <name>xasecure.audit.destination.db.user</name>
 <value>{{xa_audit_db_user}}</value>
 <description>Audit DB JDBC User</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
 </property>
 <property>
 <name>xasecure.audit.destination.db.password</name>
@@ -61,25 +61,25 @@
 <value-attributes>
 <type>password</type>
 </value-attributes>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
 </property>
 <property>
 <name>xasecure.audit.destination.db.jdbc.driver</name>
 <value>{{jdbc_driver}}</value>
 <description>Audit DB JDBC Driver</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
 </property>
 <property>
 <name>xasecure.audit.credential.provider.file</name>
 <value>jceks://file{{credential_file}}</value>
 <description>Credential file store</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
 </property>
 <property>
 <name>xasecure.audit.destination.db.batch.filespool.dir</name>
 <value>/var/log/kafka/audit/db/spool</value>
 <description>/var/log/kafka/audit/db/spool</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
 </property>
 <property>
 <name>xasecure.audit.destination.hdfs</name>
@@ -95,7 +95,7 @@
 <name>xasecure.audit.destination.hdfs</name>
 </property>
 </depends-on>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
 </property>
 <property>
 <name>xasecure.audit.destination.hdfs.dir</name>
@@ -107,13 +107,13 @@
 <name>xasecure.audit.destination.hdfs.dir</name>
 </property>
 </depends-on>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
 </property>
 <property>
 <name>xasecure.audit.destination.hdfs.batch.filespool.dir</name>
 <value>/var/log/kafka/audit/hdfs/spool</value>
 <description>/var/log/kafka/audit/hdfs/spool</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
 </property>
 <property>
 <name>xasecure.audit.destination.solr</name>
@@ -129,7 +129,7 @@
 <name>xasecure.audit.destination.solr</name>
 </property>
 </depends-on>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
 </property>
 <property>
 <name>xasecure.audit.destination.solr.urls</name>
@@ -144,7 +144,7 @@
 <name>ranger.audit.solr.urls</name>
 </property>
 </depends-on>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
 </property>
 <property>
 <name>xasecure.audit.destination.solr.zookeepers</name>
@@ -156,13 +156,13 @@
 <name>ranger.audit.solr.zookeepers</name>
 </property>
 </depends-on>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
 </property>
 <property>
 <name>xasecure.audit.destination.solr.batch.filespool.dir</name>
 <value>/var/log/kafka/audit/solr/spool</value>
 <description>/var/log/kafka/audit/solr/spool</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
 </property>
 <property>
 <name>xasecure.audit.provider.summary.enabled</name>
@@ -172,6 +172,6 @@
 <value-attributes>
 <type>boolean</type>
 </value-attributes>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
 </property>
 </configuration>
http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-plugin-properties.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-plugin-properties.xml b/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-plugin-properties.xml index 3949402..7f594a0 100644 --- a/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-plugin-properties.xml +++ b/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-plugin-properties.xml @@ -24,7 +24,7 @@ <value>ambari-qa</value> <display-name>Policy user for KAFKA</display-name> <description>This user must be system user and also present at Ranger admin portal</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>hadoop.rpc.protection</name> @@ -33,7 +33,7 @@ <value-attributes> <empty-value-valid>true</empty-value-valid> </value-attributes> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>common.name.for.certificate</name> @@ -42,13 +42,13 @@ <value-attributes> <empty-value-valid>true</empty-value-valid> </value-attributes> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>zookeeper.connect</name> <value>localhost:2181</value> <description>Used for repository creation on ranger admin</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>ranger-kafka-plugin-enabled</name> 
@@ -65,14 +65,14 @@ <type>boolean</type> <overridable>false</overridable> </value-attributes> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>REPOSITORY_CONFIG_USERNAME</name> <value>kafka</value> <display-name>Ranger repository config user</display-name> <description>Used for repository creation on ranger admin</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>REPOSITORY_CONFIG_PASSWORD</name> @@ -83,6 +83,6 @@ <value-attributes> <type>password</type> </value-attributes> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> </configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-policymgr-ssl.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-policymgr-ssl.xml b/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-policymgr-ssl.xml index cf4a82e..f0fc160 100644 --- a/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-policymgr-ssl.xml +++ b/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-policymgr-ssl.xml @@ -23,7 +23,7 @@ <name>xasecure.policymgr.clientssl.keystore</name> <value>kafkadev-clientcert.jks</value> <description>Java Keystore files</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>xasecure.policymgr.clientssl.keystore.password</name> 
@@ -33,13 +33,13 @@ <value-attributes> <type>password</type> </value-attributes> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>xasecure.policymgr.clientssl.truststore</name> <value>cacerts-xasecure.jks</value> <description>java truststore file</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>xasecure.policymgr.clientssl.truststore.password</name> @@ -49,18 +49,18 @@ <value-attributes> <type>password</type> </value-attributes> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>xasecure.policymgr.clientssl.keystore.credential.file</name> <value>jceks://file/{{credential_file}}</value> <description>java keystore credential file</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>xasecure.policymgr.clientssl.truststore.credential.file</name> <value>jceks://file/{{credential_file}}</value> <description>java truststore credential file</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> </configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-security.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-security.xml b/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-security.xml index 91061d1..a9f84a4 100644 --- a/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-security.xml +++ b/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-security.xml 
@@ -23,36 +23,42 @@ <name>ranger.plugin.kafka.service.name</name> <value>{{repo_name}}</value> <description>Name of the Ranger service containing policies for this Kafka instance</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>ranger.plugin.kafka.policy.source.impl</name> <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value> <description>Class to retrieve policies from the source</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>ranger.plugin.kafka.policy.rest.url</name> <value>{{policymgr_mgr_url}}</value> <description>URL to Ranger Admin</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> + <depends-on> + <property> + <type>admin-properties</type> + <name>policymgr_external_url</name> + </property> + </depends-on> </property> <property> <name>ranger.plugin.kafka.policy.rest.ssl.config.file</name> <value>/etc/kafka/conf/ranger-policymgr-ssl.xml</value> <description>Path to the file containing SSL details to contact Ranger Admin</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>ranger.plugin.kafka.policy.pollIntervalMs</name> <value>30000</value> <description>How often to poll for changes in policies?</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>ranger.plugin.kafka.policy.cache.dir</name> <value>/etc/ranger/{{repo_name}}/policycache</value> <description>Directory where Ranger policies are cached after successful retrieval from the source</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> </configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/configuration/ranger-knox-plugin-properties.xml 
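Review bot: The new `<depends-on>` block for `ranger.plugin.kafka.policy.rest.url` is placed after `<on-ambari-upgrade add="true"/>`, whereas the other properties touched by this commit (for example in ranger-kafka-audit.xml) close `</depends-on>` before `<on-ambari-upgrade>`. Moving the block above `<on-ambari-upgrade add="true"/>` keeps the child order uniform across the stack definitions; the same applies to the `ranger.plugin.kms.policy.rest.url` hunk in ranger-kms-security.xml. Whether Ambari's stack-definition schema constrains child order is not visible here, so this is raised as a consistency point rather than a defect.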
---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/configuration/ranger-knox-plugin-properties.xml b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/configuration/ranger-knox-plugin-properties.xml index ae9314b..7f85667 100644 --- a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/configuration/ranger-knox-plugin-properties.xml +++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/configuration/ranger-knox-plugin-properties.xml @@ -24,7 +24,7 @@ <value>ambari-qa</value> <display-name>Policy user for KNOX</display-name> <description>This user must be system user and also present at Ranger admin portal</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>common.name.for.certificate</name> @@ -33,7 +33,7 @@ <value-attributes> <empty-value-valid>true</empty-value-valid> </value-attributes> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>ranger-knox-plugin-enabled</name> @@ -50,14 +50,14 @@ <type>boolean</type> <overridable>false</overridable> </value-attributes> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>REPOSITORY_CONFIG_USERNAME</name> <value>admin</value> <display-name>Ranger repository config user</display-name> <description>Used for repository creation on ranger admin</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>REPOSITORY_CONFIG_PASSWORD</name> 
@@ -68,14 +68,14 @@ <value-attributes> <type>password</type> </value-attributes> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>KNOX_HOME</name> <value>/usr/local/knox-server</value> <display-name>Knox Home</display-name> <description>Knox home folder</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>XAAUDIT.DB.IS_ENABLED</name> http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/package/scripts/params_linux.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/package/scripts/params_linux.py b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/package/scripts/params_linux.py index dd5fc3a..9b61a5f 100644 --- a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/package/scripts/params_linux.py +++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/package/scripts/params_linux.py @@ -38,6 +38,7 @@ from resource_management.libraries.functions.stack_features import check_stack_f from resource_management.libraries.functions.stack_features import get_stack_feature_version from resource_management.libraries.functions.constants import StackFeature from resource_management.libraries.functions import is_empty +from resource_management.libraries.functions.setup_ranger_plugin_xml import get_audit_configs # server configurations config = Script.get_config() 
@@ -260,82 +261,86 @@ if security_enabled: _hostname_lowercase = config['hostname'].lower() knox_principal_name = config['configurations']['knox-env']['knox_principal_name'].replace('_HOST',_hostname_lowercase) +# for curl command in ranger plugin to get db connector +jdk_location = config['hostLevelParams']['jdk_location'] + +# ranger knox plugin start section + # ranger host ranger_admin_hosts = default("/clusterHostInfo/ranger_admin_hosts", []) has_ranger_admin = not len(ranger_admin_hosts) == 0 -xml_configurations_supported = config['configurations']['ranger-env']['xml_configurations_supported'] +# ranger support xml_configuration flag, instead of depending on ranger xml_configurations_supported/ranger-env, using stack feature +xml_configurations_supported = check_stack_feature(StackFeature.RANGER_XML_CONFIGURATION, version_for_stack_feature_checks) + +# ambari-server hostname ambari_server_hostname = config['clusterHostInfo']['ambari_server_host'][0] -# ranger knox properties -policymgr_mgr_url = config['configurations']['admin-properties']['policymgr_external_url'] -if 'admin-properties' in config['configurations'] and 'policymgr_external_url' in config['configurations']['admin-properties'] and policymgr_mgr_url.endswith('/'): - policymgr_mgr_url = policymgr_mgr_url.rstrip('/') -xa_audit_db_name = default('/configurations/admin-properties/audit_db_name', 'ranger_audits') -xa_audit_db_user = default('/configurations/admin-properties/audit_db_user', 'rangerlogger') -xa_db_host = config['configurations']['admin-properties']['db_host'] -repo_name = str(config['clusterName']) + '_knox' -repo_name_value = config['configurations']['ranger-knox-security']['ranger.plugin.knox.service.name'] -if not is_empty(repo_name_value) and repo_name_value != "{{repo_name}}": - repo_name = repo_name_value +# ranger knox plugin enabled property +enable_ranger_knox = default("/configurations/ranger-knox-plugin-properties/ranger-knox-plugin-enabled", "No") +enable_ranger_knox = True 
if enable_ranger_knox.lower() == 'yes' else False + +# get ranger knox properties if enable_ranger_knox is True +if enable_ranger_knox: + # get ranger policy url + policymgr_mgr_url = config['configurations']['admin-properties']['policymgr_external_url'] + if xml_configurations_supported: + policymgr_mgr_url = config['configurations']['ranger-knox-security']['ranger.plugin.knox.policy.rest.url'] + + if not is_empty(policymgr_mgr_url) and policymgr_mgr_url.endswith('/'): + policymgr_mgr_url = policymgr_mgr_url.rstrip('/') + + # ranger audit db user + xa_audit_db_user = default('/configurations/admin-properties/audit_db_user', 'rangerlogger') + + # ranger knox service/repositry name + repo_name = str(config['clusterName']) + '_knox' + repo_name_value = config['configurations']['ranger-knox-security']['ranger.plugin.knox.service.name'] + if not is_empty(repo_name_value) and repo_name_value != "{{repo_name}}": + repo_name = repo_name_value + + knox_home = config['configurations']['ranger-knox-plugin-properties']['KNOX_HOME'] + common_name_for_certificate = config['configurations']['ranger-knox-plugin-properties']['common.name.for.certificate'] + repo_config_username = config['configurations']['ranger-knox-plugin-properties']['REPOSITORY_CONFIG_USERNAME'] + + # ranger-env config + ranger_env = config['configurations']['ranger-env'] + + # create ranger-env config having external ranger credential properties + if not has_ranger_admin and enable_ranger_knox: + external_admin_username = default('/configurations/ranger-knox-plugin-properties/external_admin_username', 'admin') + external_admin_password = default('/configurations/ranger-knox-plugin-properties/external_admin_password', 'admin') + external_ranger_admin_username = default('/configurations/ranger-knox-plugin-properties/external_ranger_admin_username', 'amb_ranger_admin') + external_ranger_admin_password = default('/configurations/ranger-knox-plugin-properties/external_ranger_admin_password', 'amb_ranger_admin') + 
ranger_env = {} + ranger_env['admin_username'] = external_admin_username + ranger_env['admin_password'] = external_admin_password + ranger_env['ranger_admin_username'] = external_ranger_admin_username + ranger_env['ranger_admin_password'] = external_ranger_admin_password + + ranger_plugin_properties = config['configurations']['ranger-knox-plugin-properties'] + policy_user = config['configurations']['ranger-knox-plugin-properties']['policy_user'] + repo_config_password = config['configurations']['ranger-knox-plugin-properties']['REPOSITORY_CONFIG_PASSWORD'] -knox_home = config['configurations']['ranger-knox-plugin-properties']['KNOX_HOME'] -common_name_for_certificate = config['configurations']['ranger-knox-plugin-properties']['common.name.for.certificate'] + xa_audit_db_password = '' + if not is_empty(config['configurations']['admin-properties']['audit_db_password']) and stack_supports_ranger_audit_db and has_ranger_admin: + xa_audit_db_password = config['configurations']['admin-properties']['audit_db_password'] -repo_config_username = config['configurations']['ranger-knox-plugin-properties']['REPOSITORY_CONFIG_USERNAME'] + downloaded_custom_connector = None + previous_jdbc_jar_name = None + driver_curl_source = None + driver_curl_target = None + previous_jdbc_jar = None -ranger_env = config['configurations']['ranger-env'] -ranger_plugin_properties = config['configurations']['ranger-knox-plugin-properties'] -policy_user = config['configurations']['ranger-knox-plugin-properties']['policy_user'] + if has_ranger_admin and stack_supports_ranger_audit_db: + xa_audit_db_flavor = config['configurations']['admin-properties']['DB_FLAVOR'] + jdbc_jar_name, previous_jdbc_jar_name, audit_jdbc_url, jdbc_driver = get_audit_configs(config) -#For curl command in ranger plugin to get db connector -jdk_location = config['hostLevelParams']['jdk_location'] -java_share_dir = '/usr/share/java' -if has_ranger_admin: - enable_ranger_knox = 
(config['configurations']['ranger-knox-plugin-properties']['ranger-knox-plugin-enabled'].lower() == 'yes') - xa_audit_db_password = '' - if not is_empty(config['configurations']['admin-properties']['audit_db_password']) and stack_supports_ranger_audit_db: - xa_audit_db_password = unicode(config['configurations']['admin-properties']['audit_db_password']) - repo_config_password = unicode(config['configurations']['ranger-knox-plugin-properties']['REPOSITORY_CONFIG_PASSWORD']) - xa_audit_db_flavor = (config['configurations']['admin-properties']['DB_FLAVOR']).lower() - previous_jdbc_jar_name= None - - if stack_supports_ranger_audit_db: - if xa_audit_db_flavor == 'mysql': - jdbc_jar_name = default("/hostLevelParams/custom_mysql_jdbc_name", None) - previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_mysql_jdbc_name", None) - audit_jdbc_url = format('jdbc:mysql://{xa_db_host}/{xa_audit_db_name}') - jdbc_driver = "com.mysql.jdbc.Driver" - elif xa_audit_db_flavor == 'oracle': - jdbc_jar_name = default("/hostLevelParams/custom_oracle_jdbc_name", None) - previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_oracle_jdbc_name", None) - colon_count = xa_db_host.count(':') - if colon_count == 2 or colon_count == 0: - audit_jdbc_url = format('jdbc:oracle:thin:@{xa_db_host}') - else: - audit_jdbc_url = format('jdbc:oracle:thin:@//{xa_db_host}') - jdbc_driver = "oracle.jdbc.OracleDriver" - elif xa_audit_db_flavor == 'postgres': - jdbc_jar_name = default("/hostLevelParams/custom_postgres_jdbc_name", None) - previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_postgres_jdbc_name", None) - audit_jdbc_url = format('jdbc:postgresql://{xa_db_host}/{xa_audit_db_name}') - jdbc_driver = "org.postgresql.Driver" - elif xa_audit_db_flavor == 'mssql': - jdbc_jar_name = default("/hostLevelParams/custom_mssql_jdbc_name", None) - previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_mssql_jdbc_name", None) - audit_jdbc_url = 
format('jdbc:sqlserver://{xa_db_host};databaseName={xa_audit_db_name}') - jdbc_driver = "com.microsoft.sqlserver.jdbc.SQLServerDriver" - elif xa_audit_db_flavor == 'sqla': - jdbc_jar_name = default("/hostLevelParams/custom_sqlanywhere_jdbc_name", None) - previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_sqlanywhere_jdbc_name", None) - audit_jdbc_url = format('jdbc:sqlanywhere:database={xa_audit_db_name};host={xa_db_host}') - jdbc_driver = "sap.jdbc4.sqlanywhere.IDriver" - - downloaded_custom_connector = format("{tmp_dir}/{jdbc_jar_name}") if stack_supports_ranger_audit_db else None - driver_curl_source = format("{jdk_location}/{jdbc_jar_name}") if stack_supports_ranger_audit_db else None - driver_curl_target = format("{stack_root}/current/knox-server/ext/{jdbc_jar_name}") if stack_supports_ranger_audit_db else None - previous_jdbc_jar = format("{stack_root}/current/knox-server/ext/{previous_jdbc_jar_name}") if stack_supports_ranger_audit_db else None - sql_connector_jar = '' + downloaded_custom_connector = format("{tmp_dir}/{jdbc_jar_name}") if stack_supports_ranger_audit_db else None + driver_curl_source = format("{jdk_location}/{jdbc_jar_name}") if stack_supports_ranger_audit_db else None + driver_curl_target = format("{stack_root}/current/knox-server/ext/{jdbc_jar_name}") if stack_supports_ranger_audit_db else None + previous_jdbc_jar = format("{stack_root}/current/knox-server/ext/{previous_jdbc_jar_name}") if stack_supports_ranger_audit_db else None + sql_connector_jar = '' knox_ranger_plugin_config = { 'username': repo_config_username, 
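Review bot: The external-Ranger branch (`if not has_ranger_admin and enable_ranger_knox:`) falls back to fixed credentials when the properties are absent: `default('/configurations/ranger-knox-plugin-properties/external_admin_password', 'admin')` and the `'amb_ranger_admin'` counterpart for `external_ranger_admin_password`. A cluster that omits these properties would then populate `ranger_env` with well-known passwords for the external Ranger Admin, with nothing telling the operator that a default was used. Prefer no fallback, e.g. `external_admin_password = default('/configurations/ranger-knox-plugin-properties/external_admin_password', None)`, and fail the plugin setup with a clear message when either password is empty. Indentation is lost in this rendering, so the nesting of this branch under `if enable_ranger_knox:` is inferred.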
@@ -368,21 +373,21 @@ if has_ranger_admin: 'type': 'knox' } - - xa_audit_db_is_enabled = False - ranger_audit_solr_urls = config['configurations']['ranger-admin-site']['ranger.audit.solr.urls'] if xml_configurations_supported and stack_supports_ranger_audit_db: xa_audit_db_is_enabled = config['configurations']['ranger-knox-audit']['xasecure.audit.destination.db'] - xa_audit_hdfs_is_enabled = config['configurations']['ranger-knox-audit']['xasecure.audit.destination.hdfs'] if xml_configurations_supported else None - ssl_keystore_password = unicode(config['configurations']['ranger-knox-policymgr-ssl']['xasecure.policymgr.clientssl.keystore.password']) if xml_configurations_supported else None - ssl_truststore_password = unicode(config['configurations']['ranger-knox-policymgr-ssl']['xasecure.policymgr.clientssl.truststore.password']) if xml_configurations_supported else None - credential_file = format('/etc/ranger/{repo_name}/cred.jceks') if xml_configurations_supported else None - #For SQLA explicitly disable audit to DB for Ranger - if xa_audit_db_flavor == 'sqla': + xa_audit_hdfs_is_enabled = config['configurations']['ranger-knox-audit']['xasecure.audit.destination.hdfs'] if xml_configurations_supported else False + ssl_keystore_password = config['configurations']['ranger-knox-policymgr-ssl']['xasecure.policymgr.clientssl.keystore.password'] if xml_configurations_supported else None + ssl_truststore_password = config['configurations']['ranger-knox-policymgr-ssl']['xasecure.policymgr.clientssl.truststore.password'] if xml_configurations_supported else None + credential_file = format('/etc/ranger/{repo_name}/cred.jceks') + + # for SQLA explicitly disable audit to DB for Ranger + if has_ranger_admin and stack_supports_ranger_audit_db and xa_audit_db_flavor == 'sqla': xa_audit_db_is_enabled = False +# ranger knox plugin end section + hdfs_user = config['configurations']['hadoop-env']['hdfs_user'] if has_namenode else None hdfs_user_keytab = 
config['configurations']['hadoop-env']['hdfs_user_keytab'] if has_namenode else None hdfs_principal_name = config['configurations']['hadoop-env']['hdfs_principal_name'] if has_namenode else None http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/package/scripts/setup_ranger_knox.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/package/scripts/setup_ranger_knox.py b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/package/scripts/setup_ranger_knox.py index 7601dfa..67a1670 100644 --- a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/package/scripts/setup_ranger_knox.py +++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/package/scripts/setup_ranger_knox.py @@ -25,8 +25,7 @@ from resource_management.libraries.functions.setup_ranger_plugin_xml import setu def setup_ranger_knox(upgrade_type=None): import params - if params.has_ranger_admin: - + if params.enable_ranger_knox: stack_version = None if upgrade_type is not None: @@ -105,4 +104,4 @@ def setup_ranger_knox(upgrade_type=None): Logger.info("Stack does not support core-site.xml creation for Ranger plugin, skipping core-site.xml configurations") else: - Logger.info('Ranger admin not installed') + Logger.info('Ranger Knox plugin is not enabled') http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/configuration/ranger-kms-security.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/configuration/ranger-kms-security.xml b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/configuration/ranger-kms-security.xml index 95e653c..b0efb6d 100644 
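Review bot: The SQLA guard `xa_audit_db_flavor == 'sqla'` compares against a lower-case literal, but the new assignment in the previous hunk of this file reads `config['configurations']['admin-properties']['DB_FLAVOR']` without the `.lower()` that the removed code applied. If DB_FLAVOR is stored in upper case, the comparison never matches and `xa_audit_db_is_enabled` is no longer forced to False for SQL Anywhere. Suggest `if has_ranger_admin and stack_supports_ranger_audit_db and xa_audit_db_flavor.lower() == 'sqla':`, or restoring `.lower()` on the assignment.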
--- a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/configuration/ranger-kms-security.xml +++ b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/configuration/ranger-kms-security.xml @@ -36,6 +36,12 @@ <value>{{policymgr_mgr_url}}</value> <description>URL to Ranger Admin</description> <on-ambari-upgrade add="true"/> + <depends-on> + <property> + <type>admin-properties</type> + <name>policymgr_external_url</name> + </property> + </depends-on> </property> <property> <name>ranger.plugin.kms.policy.rest.ssl.config.file</name> http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/STORM/0.10.0/configuration/ranger-storm-audit.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/STORM/0.10.0/configuration/ranger-storm-audit.xml b/ambari-server/src/main/resources/common-services/STORM/0.10.0/configuration/ranger-storm-audit.xml index 4dc51eb..b7cf4c5 100644 --- a/ambari-server/src/main/resources/common-services/STORM/0.10.0/configuration/ranger-storm-audit.xml +++ b/ambari-server/src/main/resources/common-services/STORM/0.10.0/configuration/ranger-storm-audit.xml @@ -23,7 +23,7 @@ <name>xasecure.audit.is.enabled</name> <value>true</value> <description>Is Audit enabled?</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>xasecure.audit.destination.db</name> 
@@ -39,19 +39,19 @@ <name>xasecure.audit.destination.db</name> </property> </depends-on> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>xasecure.audit.destination.db.jdbc.url</name> <value>{{audit_jdbc_url}}</value> <description>Audit DB JDBC URL</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>xasecure.audit.destination.db.user</name> <value>{{xa_audit_db_user}}</value> <description>Audit DB JDBC User</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>xasecure.audit.destination.db.password</name> @@ -61,25 +61,25 @@ <value-attributes> <type>password</type> </value-attributes> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>xasecure.audit.destination.db.jdbc.driver</name> <value>{{jdbc_driver}}</value> <description>Audit DB JDBC Driver</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>xasecure.audit.credential.provider.file</name> <value>jceks://file{{credential_file}}</value> <description>Credential file store</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>xasecure.audit.destination.db.batch.filespool.dir</name> <value>/var/log/storm/audit/db/spool</value> <description>/var/log/storm/audit/db/spool</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>xasecure.audit.destination.hdfs</name> @@ -95,7 +95,7 @@ <name>xasecure.audit.destination.hdfs</name> </property> </depends-on> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>xasecure.audit.destination.hdfs.dir</name> 
@@ -107,13 +107,13 @@ <name>xasecure.audit.destination.hdfs.dir</name> </property> </depends-on> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>xasecure.audit.destination.hdfs.batch.filespool.dir</name> <value>/var/log/storm/audit/hdfs/spool</value> <description>/var/log/storm/audit/hdfs/spool</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>xasecure.audit.destination.solr</name> @@ -129,7 +129,7 @@ <name>xasecure.audit.destination.solr</name> </property> </depends-on> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>xasecure.audit.destination.solr.urls</name> @@ -144,7 +144,7 @@ <name>ranger.audit.solr.urls</name> </property> </depends-on> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>xasecure.audit.destination.solr.zookeepers</name> @@ -156,13 +156,13 @@ <name>ranger.audit.solr.zookeepers</name> </property> </depends-on> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>xasecure.audit.destination.solr.batch.filespool.dir</name> <value>/var/log/storm/audit/solr/spool</value> <description>/var/log/storm/audit/solr/spool</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>xasecure.audit.provider.summary.enabled</name> @@ -172,6 +172,6 @@ <value-attributes> <type>boolean</type> </value-attributes> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> </configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/STORM/0.10.0/configuration/ranger-storm-policymgr-ssl.xml ---------------------------------------------------------------------- 
diff --git a/ambari-server/src/main/resources/common-services/STORM/0.10.0/configuration/ranger-storm-policymgr-ssl.xml b/ambari-server/src/main/resources/common-services/STORM/0.10.0/configuration/ranger-storm-policymgr-ssl.xml index b1f6e1e..9592914 100644 --- a/ambari-server/src/main/resources/common-services/STORM/0.10.0/configuration/ranger-storm-policymgr-ssl.xml +++ b/ambari-server/src/main/resources/common-services/STORM/0.10.0/configuration/ranger-storm-policymgr-ssl.xml @@ -23,7 +23,7 @@ <name>xasecure.policymgr.clientssl.keystore</name> <value>hadoopdev-clientcert.jks</value> <description>Java Keystore files</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>xasecure.policymgr.clientssl.keystore.password</name> @@ -33,13 +33,13 @@ <value-attributes> <type>password</type> </value-attributes> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>xasecure.policymgr.clientssl.truststore</name> <value>cacerts-xasecure.jks</value> <description>java truststore file</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>xasecure.policymgr.clientssl.truststore.password</name> 
@@ -49,18 +49,18 @@ <value-attributes> <type>password</type> </value-attributes> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>xasecure.policymgr.clientssl.keystore.credential.file</name> <value>jceks://file{{credential_file}}</value> <description>java keystore credential file</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>xasecure.policymgr.clientssl.truststore.credential.file</name> <value>jceks://file{{credential_file}}</value> <description>java truststore credential file</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> </configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/STORM/0.10.0/configuration/ranger-storm-security.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/STORM/0.10.0/configuration/ranger-storm-security.xml b/ambari-server/src/main/resources/common-services/STORM/0.10.0/configuration/ranger-storm-security.xml index 983702f..84e394b4 100644 --- a/ambari-server/src/main/resources/common-services/STORM/0.10.0/configuration/ranger-storm-security.xml +++ b/ambari-server/src/main/resources/common-services/STORM/0.10.0/configuration/ranger-storm-security.xml 
@@ -23,36 +23,42 @@ <name>ranger.plugin.storm.service.name</name> <value>{{repo_name}}</value> <description>Name of the Ranger service containing policies for this Storm instance</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>ranger.plugin.storm.policy.source.impl</name> <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value> <description>Class to retrieve policies from the source</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>ranger.plugin.storm.policy.rest.url</name> <value>{{policymgr_mgr_url}}</value> <description>URL to Ranger Admin</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> + <depends-on> + <property> + <type>admin-properties</type> + <name>policymgr_external_url</name> + </property> + </depends-on> </property> <property> <name>ranger.plugin.storm.policy.rest.ssl.config.file</name> <value>/etc/storm/conf/ranger-policymgr-ssl.xml</value> <description>Path to the file containing SSL details to contact Ranger Admin</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>ranger.plugin.storm.policy.pollIntervalMs</name> <value>30000</value> <description>How often to poll for changes in policies?</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>ranger.plugin.storm.policy.cache.dir</name> <value>/etc/ranger/{{repo_name}}/policycache</value> <description>Directory where Ranger policies are cached after successful retrieval from the source</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> </configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/STORM/0.9.1/package/scripts/params_linux.py ---------------------------------------------------------------------- 
diff --git a/ambari-server/src/main/resources/common-services/STORM/0.9.1/package/scripts/params_linux.py b/ambari-server/src/main/resources/common-services/STORM/0.9.1/package/scripts/params_linux.py index dbb26f6..137f29a 100644 --- a/ambari-server/src/main/resources/common-services/STORM/0.9.1/package/scripts/params_linux.py +++ b/ambari-server/src/main/resources/common-services/STORM/0.9.1/package/scripts/params_linux.py @@ -41,6 +41,7 @@ from resource_management.libraries.functions.expect import expect from resource_management.libraries.functions.setup_atlas_hook import has_atlas_in_cluster from resource_management.libraries.functions import is_empty from ambari_commons.ambari_metrics_helper import select_metric_collector_hosts_from_hostnames +from resource_management.libraries.functions.setup_ranger_plugin_xml import get_audit_configs # server configurations config = Script.get_config() 
@@ -225,34 +226,8 @@ if enable_atlas_hook: jar_jvm_opts += '-Datlas.conf=' + atlas_conf_dir #endregion - -# ranger host -ranger_admin_hosts = default("/clusterHostInfo/ranger_admin_hosts", []) -has_ranger_admin = not len(ranger_admin_hosts) == 0 -xml_configurations_supported = config['configurations']['ranger-env']['xml_configurations_supported'] -ambari_server_hostname = config['clusterHostInfo']['ambari_server_host'][0] - -#ranger storm properties -policymgr_mgr_url = config['configurations']['admin-properties']['policymgr_external_url'] -if 'admin-properties' in config['configurations'] and 'policymgr_external_url' in config['configurations']['admin-properties'] and policymgr_mgr_url.endswith('/'): - policymgr_mgr_url = policymgr_mgr_url.rstrip('/') -xa_audit_db_name = default('/configurations/admin-properties/audit_db_name', 'ranger_audits') -xa_audit_db_user = default('/configurations/admin-properties/audit_db_user', 'rangerlogger') -xa_db_host = config['configurations']['admin-properties']['db_host'] -repo_name = str(config['clusterName']) + '_storm' -repo_name_value = config['configurations']['ranger-storm-security']['ranger.plugin.storm.service.name'] -if not is_empty(repo_name_value) and repo_name_value != "{{repo_name}}": - repo_name = repo_name_value - -common_name_for_certificate = config['configurations']['ranger-storm-plugin-properties']['common.name.for.certificate'] - storm_ui_port = config['configurations']['storm-site']['ui.port'] -repo_config_username = config['configurations']['ranger-storm-plugin-properties']['REPOSITORY_CONFIG_USERNAME'] -ranger_env = config['configurations']['ranger-env'] -ranger_plugin_properties = config['configurations']['ranger-storm-plugin-properties'] -policy_user = storm_user - #Storm log4j properties storm_a1_maxfilesize = default('/configurations/storm-cluster-log4j/storm_a1_maxfilesize', 100) storm_a1_maxbackupindex = default('/configurations/storm-cluster-log4j/storm_a1_maxbackupindex', 9) 
@@ -269,55 +244,87 @@ storm_worker_log4j_content = config['configurations']['storm-worker-log4j']['con # some commands may need to supply the JAAS location when running as storm storm_jaas_file = format("{conf_dir}/storm_jaas.conf") -# For curl command in ranger plugin to get db connector +# for curl command in ranger plugin to get db connector jdk_location = config['hostLevelParams']['jdk_location'] -java_share_dir = '/usr/share/java' -if has_ranger_admin: - enable_ranger_storm = (config['configurations']['ranger-storm-plugin-properties']['ranger-storm-plugin-enabled'].lower() == 'yes') +# ranger storm plugin start section + +# ranger host +ranger_admin_hosts = default("/clusterHostInfo/ranger_admin_hosts", []) +has_ranger_admin = not len(ranger_admin_hosts) == 0 + +# ranger support xml_configuration flag, instead of depending on ranger xml_configurations_supported/ranger-env, using stack feature +xml_configurations_supported = check_stack_feature(StackFeature.RANGER_XML_CONFIGURATION, version_for_stack_feature_checks) + +# ambari-server hostname +ambari_server_hostname = config['clusterHostInfo']['ambari_server_host'][0] + +# ranger storm plugin enabled property +enable_ranger_storm = default("/configurations/ranger-storm-plugin-properties/ranger-storm-plugin-enabled", "No") +enable_ranger_storm = True if enable_ranger_storm.lower() == 'yes' else False + +# ranger storm properties +if enable_ranger_storm: + # get ranger policy url + policymgr_mgr_url = config['configurations']['admin-properties']['policymgr_external_url'] + if xml_configurations_supported: + policymgr_mgr_url = config['configurations']['ranger-storm-security']['ranger.plugin.storm.policy.rest.url'] + + if not is_empty(policymgr_mgr_url) and policymgr_mgr_url.endswith('/'): + policymgr_mgr_url = policymgr_mgr_url.rstrip('/') + + # ranger audit db user + xa_audit_db_user = default('/configurations/admin-properties/audit_db_user', 'rangerlogger') + + # ranger storm service name + repo_name = 
str(config['clusterName']) + '_storm' + repo_name_value = config['configurations']['ranger-storm-security']['ranger.plugin.storm.service.name'] + if not is_empty(repo_name_value) and repo_name_value != "{{repo_name}}": + repo_name = repo_name_value + + common_name_for_certificate = config['configurations']['ranger-storm-plugin-properties']['common.name.for.certificate'] + repo_config_username = config['configurations']['ranger-storm-plugin-properties']['REPOSITORY_CONFIG_USERNAME'] + + # ranger-env config + ranger_env = config['configurations']['ranger-env'] + + # create ranger-env config having external ranger credential properties + if not has_ranger_admin and enable_ranger_storm: + external_admin_username = default('/configurations/ranger-storm-plugin-properties/external_admin_username', 'admin') + external_admin_password = default('/configurations/ranger-storm-plugin-properties/external_admin_password', 'admin') + external_ranger_admin_username = default('/configurations/ranger-storm-plugin-properties/external_ranger_admin_username', 'amb_ranger_admin') + external_ranger_admin_password = default('/configurations/ranger-storm-plugin-properties/external_ranger_admin_password', 'amb_ranger_admin') + ranger_env = {} + ranger_env['admin_username'] = external_admin_username + ranger_env['admin_password'] = external_admin_password + ranger_env['ranger_admin_username'] = external_ranger_admin_username + ranger_env['ranger_admin_password'] = external_ranger_admin_password + + ranger_plugin_properties = config['configurations']['ranger-storm-plugin-properties'] + policy_user = storm_user + repo_config_password = config['configurations']['ranger-storm-plugin-properties']['REPOSITORY_CONFIG_PASSWORD'] + xa_audit_db_password = '' - if not is_empty(config['configurations']['admin-properties']['audit_db_password']) and stack_supports_ranger_audit_db: - xa_audit_db_password = unicode(config['configurations']['admin-properties']['audit_db_password']) - repo_config_password = 
unicode(config['configurations']['ranger-storm-plugin-properties']['REPOSITORY_CONFIG_PASSWORD']) - xa_audit_db_flavor = (config['configurations']['admin-properties']['DB_FLAVOR']).lower() + if not is_empty(config['configurations']['admin-properties']['audit_db_password']) and stack_supports_ranger_audit_db and has_ranger_admin: + xa_audit_db_password = config['configurations']['admin-properties']['audit_db_password'] + + repo_config_password = config['configurations']['ranger-storm-plugin-properties']['REPOSITORY_CONFIG_PASSWORD'] + + downloaded_custom_connector = None previous_jdbc_jar_name = None + driver_curl_source = None + driver_curl_target = None + previous_jdbc_jar = None + + if has_ranger_admin and stack_supports_ranger_audit_db: + xa_audit_db_flavor = config['configurations']['admin-properties']['DB_FLAVOR'] + jdbc_jar_name, previous_jdbc_jar_name, audit_jdbc_url, jdbc_driver = get_audit_configs(config) - if stack_supports_ranger_audit_db: - if xa_audit_db_flavor == 'mysql': - jdbc_jar_name = default("/hostLevelParams/custom_mysql_jdbc_name", None) - previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_mysql_jdbc_name", None) - audit_jdbc_url = format('jdbc:mysql://{xa_db_host}/{xa_audit_db_name}') - jdbc_driver = "com.mysql.jdbc.Driver" - elif xa_audit_db_flavor == 'oracle': - jdbc_jar_name = default("/hostLevelParams/custom_oracle_jdbc_name", None) - previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_oracle_jdbc_name", None) - colon_count = xa_db_host.count(':') - if colon_count == 2 or colon_count == 0: - audit_jdbc_url = format('jdbc:oracle:thin:@{xa_db_host}') - else: - audit_jdbc_url = format('jdbc:oracle:thin:@//{xa_db_host}') - jdbc_driver = "oracle.jdbc.OracleDriver" - elif xa_audit_db_flavor == 'postgres': - jdbc_jar_name = default("/hostLevelParams/custom_postgres_jdbc_name", None) - previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_postgres_jdbc_name", None) - audit_jdbc_url = 
format('jdbc:postgresql://{xa_db_host}/{xa_audit_db_name}') - jdbc_driver = "org.postgresql.Driver" - elif xa_audit_db_flavor == 'mssql': - jdbc_jar_name = default("/hostLevelParams/custom_mssql_jdbc_name", None) - previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_mssql_jdbc_name", None) - audit_jdbc_url = format('jdbc:sqlserver://{xa_db_host};databaseName={xa_audit_db_name}') - jdbc_driver = "com.microsoft.sqlserver.jdbc.SQLServerDriver" - elif xa_audit_db_flavor == 'sqla': - jdbc_jar_name = default("/hostLevelParams/custom_sqlanywhere_jdbc_name", None) - previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_sqlanywhere_jdbc_name", None) - audit_jdbc_url = format('jdbc:sqlanywhere:database={xa_audit_db_name};host={xa_db_host}') - jdbc_driver = "sap.jdbc4.sqlanywhere.IDriver" - - downloaded_custom_connector = format("{tmp_dir}/{jdbc_jar_name}") if stack_supports_ranger_audit_db else None - driver_curl_source = format("{jdk_location}/{jdbc_jar_name}") if stack_supports_ranger_audit_db else None - driver_curl_target = format("{storm_component_home_dir}/lib/{jdbc_jar_name}") if stack_supports_ranger_audit_db else None - previous_jdbc_jar = format("{storm_component_home_dir}/lib/{previous_jdbc_jar_name}") if stack_supports_ranger_audit_db else None - sql_connector_jar = '' + downloaded_custom_connector = format("{tmp_dir}/{jdbc_jar_name}") if stack_supports_ranger_audit_db else None + driver_curl_source = format("{jdk_location}/{jdbc_jar_name}") if stack_supports_ranger_audit_db else None + driver_curl_target = format("{storm_component_home_dir}/lib/{jdbc_jar_name}") if stack_supports_ranger_audit_db else None + previous_jdbc_jar = format("{storm_component_home_dir}/lib/{previous_jdbc_jar_name}") if stack_supports_ranger_audit_db else None + sql_connector_jar = '' storm_ranger_plugin_config = { 'username': repo_config_username, 
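Review bot: In the `if not has_ranger_admin and enable_ranger_storm:` branch the four `external_*` lookups fall back to the literals `'admin'`/`'admin'` and `'amb_ranger_admin'`/`'amb_ranger_admin'`, so a missing property silently becomes a well-known credential pair in `ranger_env`. I would pass `None` as the fallback, e.g. `external_admin_password = default('/configurations/ranger-storm-plugin-properties/external_admin_password', None)`, and log and skip the repository setup when any of the four is empty. Separately, `config['configurations']['admin-properties']['policymgr_external_url']` is still indexed unconditionally inside `if enable_ranger_storm:`; if `admin-properties` is absent on a cluster that uses an external Ranger, this presumably raises before the `xml_configurations_supported` override is reached. `repo_config_password` is also assigned twice with the same expression. The same credential fallback appears in the YARN params_linux.py hunk further down, and the `if enable_ranger_storm:` block continues past this hunk.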
@@ -356,18 +363,20 @@ if has_ranger_admin: ranger_storm_keytab = storm_keytab_path xa_audit_db_is_enabled = False - ranger_audit_solr_urls = config['configurations']['ranger-admin-site']['ranger.audit.solr.urls'] if xml_configurations_supported and stack_supports_ranger_audit_db: xa_audit_db_is_enabled = config['configurations']['ranger-storm-audit']['xasecure.audit.destination.db'] + xa_audit_hdfs_is_enabled = default('/configurations/ranger-storm-audit/xasecure.audit.destination.hdfs', False) - ssl_keystore_password = unicode(config['configurations']['ranger-storm-policymgr-ssl']['xasecure.policymgr.clientssl.keystore.password']) if xml_configurations_supported else None - ssl_truststore_password = unicode(config['configurations']['ranger-storm-policymgr-ssl']['xasecure.policymgr.clientssl.truststore.password']) if xml_configurations_supported else None - credential_file = format('/etc/ranger/{repo_name}/cred.jceks') if xml_configurations_supported else None + ssl_keystore_password = config['configurations']['ranger-storm-policymgr-ssl']['xasecure.policymgr.clientssl.keystore.password'] if xml_configurations_supported else None + ssl_truststore_password = config['configurations']['ranger-storm-policymgr-ssl']['xasecure.policymgr.clientssl.truststore.password'] if xml_configurations_supported else None + credential_file = format('/etc/ranger/{repo_name}/cred.jceks') - #For SQLA explicitly disable audit to DB for Ranger - if xa_audit_db_flavor == 'sqla': + # for SQLA explicitly disable audit to DB for Ranger + if has_ranger_admin and stack_supports_ranger_audit_db and xa_audit_db_flavor.lower() == 'sqla': xa_audit_db_is_enabled = False +# ranger storm plugin end section + namenode_hosts = default("/clusterHostInfo/namenode_host", []) has_namenode = not len(namenode_hosts) == 0 http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/STORM/0.9.1/package/scripts/setup_ranger_storm.py 
---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/STORM/0.9.1/package/scripts/setup_ranger_storm.py b/ambari-server/src/main/resources/common-services/STORM/0.9.1/package/scripts/setup_ranger_storm.py index e81d62a..c04496e 100644 --- a/ambari-server/src/main/resources/common-services/STORM/0.9.1/package/scripts/setup_ranger_storm.py +++ b/ambari-server/src/main/resources/common-services/STORM/0.9.1/package/scripts/setup_ranger_storm.py @@ -28,7 +28,7 @@ def setup_ranger_storm(upgrade_type=None): :param upgrade_type: Upgrade Type such as "rolling" or "nonrolling" """ import params - if params.has_ranger_admin and params.security_enabled: + if params.enable_ranger_storm and params.security_enabled: stack_version = None if upgrade_type is not None: @@ -130,4 +130,4 @@ def setup_ranger_storm(upgrade_type=None): else: Logger.info("Stack does not support core-site.xml creation for Ranger plugin, skipping core-site.xml configurations") else: - Logger.info('Ranger admin not installed') + Logger.info('Ranger Storm plugin is not enabled') http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/STORM/1.0.1/configuration/ranger-storm-plugin-properties.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/STORM/1.0.1/configuration/ranger-storm-plugin-properties.xml b/ambari-server/src/main/resources/common-services/STORM/1.0.1/configuration/ranger-storm-plugin-properties.xml new file mode 100644 index 0000000..3450970 --- /dev/null +++ b/ambari-server/src/main/resources/common-services/STORM/1.0.1/configuration/ranger-storm-plugin-properties.xml 
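Review bot: The final `else` in the second hunk now logs `'Ranger Storm plugin is not enabled'`, but it presumably pairs with `if params.enable_ranger_storm and params.security_enabled:` from the first hunk, so the same message is written when the plugin is enabled and `security_enabled` is false. Someone checking why no Ranger policies are enforced on Storm would then be pointed at the wrong setting. I would name both conditions, e.g. `Logger.info('Ranger Storm plugin is not enabled or security is not enabled, skipping Ranger Storm setup')`. The body of `setup_ranger_storm` between the two hunks is not visible here, so the pairing of that `else` should be confirmed.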
@@ -0,0 +1,71 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +--> +<configuration> + + <property> + <name>external_admin_username</name> + <value></value> + <display-name>External Ranger admin username</display-name> + <description>Add ranger default admin username if want to communicate to external ranger</description> + <value-attributes> + <empty-value-valid>true</empty-value-valid> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + + <property> + <name>external_admin_password</name> + <value></value> + <display-name>External Ranger admin password</display-name> + <property-type>PASSWORD</property-type> + <description>Add ranger default admin password if want to communicate to external ranger</description> + <value-attributes> + <type>password</type> + <empty-value-valid>true</empty-value-valid> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + + <property> + <name>external_ranger_admin_username</name> + <value></value> + <display-name>External Ranger Ambari admin username</display-name> + <description>Add ranger default ambari admin username if want to communicate to external ranger</description> + 
<value-attributes> + <empty-value-valid>true</empty-value-valid> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + + <property> + <name>external_ranger_admin_password</name> + <value></value> + <display-name>External Ranger Ambari admin password</display-name> + <property-type>PASSWORD</property-type> + <description>Add ranger default ambari admin password if want to communicate to external ranger</description> + <value-attributes> + <type>password</type> + <empty-value-valid>true</empty-value-valid> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> + +</configuration> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/params_linux.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/params_linux.py b/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/params_linux.py index 177e0e0..653fa0a 100644 --- a/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/params_linux.py +++ b/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/params_linux.py @@ -35,6 +35,7 @@ from resource_management.libraries.functions.default import default from resource_management.libraries import functions from resource_management.libraries.functions import is_empty from resource_management.libraries.functions.get_architecture import get_architecture +from resource_management.libraries.functions.setup_ranger_plugin_xml import get_audit_configs import status_params 
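Review bot: The four `<description>` texts in the new ranger-storm-plugin-properties.xml do not say when these credentials are used or what an empty value means, even though every property sets `<empty-value-valid>true</empty-value-valid>` and ships with an empty `<value>`. Going by the Storm params_linux.py hunk, they are read only when no Ranger Admin host is in the cluster and the plugin is enabled, so the description should state that. For example: `<description>Password of the admin user on an external Ranger instance; used only when Ranger Admin is not managed by this Ambari cluster</description>`. It is also worth documenting that an empty value is not a usable credential, since the params script only substitutes a fallback when the key is missing, not (presumably) when it is present and empty.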
@@ -303,9 +304,6 @@ tez_lib_uris = default("/configurations/tez-site/tez.lib.uris", None) #for create_hdfs_directory hdfs_user_keytab = config['configurations']['hadoop-env']['hdfs_user_keytab'] hdfs_principal_name = config['configurations']['hadoop-env']['hdfs_principal_name'] - - - hdfs_site = config['configurations']['hdfs-site'] default_fs = config['configurations']['core-site']['fs.defaultFS'] is_webhdfs_enabled = hdfs_site['dfs.webhdfs.enabled'] @@ -350,12 +348,6 @@ node_label_enable = config['configurations']['yarn-site']['yarn.node-labels.enab cgroups_dir = "/cgroups_test/cpu" -# *********************** RANGER PLUGIN CHANGES *********************** -# ranger host -ranger_admin_hosts = default("/clusterHostInfo/ranger_admin_hosts", []) -has_ranger_admin = not len(ranger_admin_hosts) == 0 -xml_configurations_supported = config['configurations']['ranger-env']['xml_configurations_supported'] -ambari_server_hostname = config['clusterHostInfo']['ambari_server_host'][0] # hostname of the active HDFS HA Namenode (only used when HA is enabled) dfs_ha_namenode_active = default("/configurations/hadoop-env/dfs_ha_initial_namenode_active", None) if dfs_ha_namenode_active is not None: 
@@ -386,106 +378,119 @@ if rm_ha_enabled: rm_webapp_address = config['configurations']['yarn-site'][rm_webapp_address_property] rm_webapp_addresses_list.append(rm_webapp_address) -#ranger yarn properties -if has_ranger_admin: - is_supported_yarn_ranger = config['configurations']['yarn-env']['is_supported_yarn_ranger'] - - if is_supported_yarn_ranger: - enable_ranger_yarn = (config['configurations']['ranger-yarn-plugin-properties']['ranger-yarn-plugin-enabled'].lower() == 'yes') - policymgr_mgr_url = config['configurations']['admin-properties']['policymgr_external_url'] - if 'admin-properties' in config['configurations'] and 'policymgr_external_url' in config['configurations']['admin-properties'] and policymgr_mgr_url.endswith('/'): - policymgr_mgr_url = policymgr_mgr_url.rstrip('/') - xa_audit_db_flavor = (config['configurations']['admin-properties']['DB_FLAVOR']).lower() - xa_audit_db_name = default('/configurations/admin-properties/audit_db_name', 'ranger_audits') - xa_audit_db_user = default('/configurations/admin-properties/audit_db_user', 'rangerlogger') - xa_audit_db_password = '' - if not is_empty(config['configurations']['admin-properties']['audit_db_password']) and stack_supports_ranger_audit_db: - xa_audit_db_password = unicode(config['configurations']['admin-properties']['audit_db_password']) - xa_db_host = config['configurations']['admin-properties']['db_host'] - repo_name = str(config['clusterName']) + '_yarn' - repo_name_value = config['configurations']['ranger-yarn-security']['ranger.plugin.yarn.service.name'] - if not is_empty(repo_name_value) and repo_name_value != "{{repo_name}}": - repo_name = repo_name_value - - ranger_env = config['configurations']['ranger-env'] - ranger_plugin_properties = config['configurations']['ranger-yarn-plugin-properties'] - policy_user = config['configurations']['ranger-yarn-plugin-properties']['policy_user'] - yarn_rest_url = config['configurations']['yarn-site']['yarn.resourcemanager.webapp.address'] - - 
ranger_plugin_config = { - 'username' : config['configurations']['ranger-yarn-plugin-properties']['REPOSITORY_CONFIG_USERNAME'], - 'password' : unicode(config['configurations']['ranger-yarn-plugin-properties']['REPOSITORY_CONFIG_PASSWORD']), - 'yarn.url' : format('{scheme}://{yarn_rest_url}'), - 'commonNameForCertificate' : config['configurations']['ranger-yarn-plugin-properties']['common.name.for.certificate'] - } - - yarn_ranger_plugin_repo = { - 'isEnabled': 'true', - 'configs': ranger_plugin_config, - 'description': 'yarn repo', - 'name': repo_name, - 'repositoryType': 'yarn', - 'type': 'yarn', - 'assetType': '1' - } - - if stack_supports_ranger_kerberos: - ranger_plugin_config['ambari.service.check.user'] = policy_user - ranger_plugin_config['hadoop.security.authentication'] = 'kerberos' if security_enabled else 'simple' - - if stack_supports_ranger_kerberos and security_enabled: - ranger_plugin_config['policy.download.auth.users'] = yarn_user - ranger_plugin_config['tag.download.auth.users'] = yarn_user - - #For curl command in ranger plugin to get db connector - jdk_location = config['hostLevelParams']['jdk_location'] - java_share_dir = '/usr/share/java' - previous_jdbc_jar_name = None - if stack_supports_ranger_audit_db: - if xa_audit_db_flavor and xa_audit_db_flavor == 'mysql': - jdbc_jar_name = default("/hostLevelParams/custom_mysql_jdbc_name", None) - previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_mysql_jdbc_name", None) - audit_jdbc_url = format('jdbc:mysql://{xa_db_host}/{xa_audit_db_name}') - jdbc_driver = "com.mysql.jdbc.Driver" - elif xa_audit_db_flavor and xa_audit_db_flavor == 'oracle': - jdbc_jar_name = default("/hostLevelParams/custom_oracle_jdbc_name", None) - previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_oracle_jdbc_name", None) - colon_count = xa_db_host.count(':') - if colon_count == 2 or colon_count == 0: - audit_jdbc_url = format('jdbc:oracle:thin:@{xa_db_host}') - else: - audit_jdbc_url = 
format('jdbc:oracle:thin:@//{xa_db_host}') - jdbc_driver = "oracle.jdbc.OracleDriver" - elif xa_audit_db_flavor and xa_audit_db_flavor == 'postgres': - jdbc_jar_name = default("/hostLevelParams/custom_postgres_jdbc_name", None) - previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_postgres_jdbc_name", None) - audit_jdbc_url = format('jdbc:postgresql://{xa_db_host}/{xa_audit_db_name}') - jdbc_driver = "org.postgresql.Driver" - elif xa_audit_db_flavor and xa_audit_db_flavor == 'mssql': - jdbc_jar_name = default("/hostLevelParams/custom_mssql_jdbc_name", None) - previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_mssql_jdbc_name", None) - audit_jdbc_url = format('jdbc:sqlserver://{xa_db_host};databaseName={xa_audit_db_name}') - jdbc_driver = "com.microsoft.sqlserver.jdbc.SQLServerDriver" - elif xa_audit_db_flavor and xa_audit_db_flavor == 'sqla': - jdbc_jar_name = default("/hostLevelParams/custom_sqlanywhere_jdbc_name", None) - previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_sqlanywhere_jdbc_name", None) - audit_jdbc_url = format('jdbc:sqlanywhere:database={xa_audit_db_name};host={xa_db_host}') - jdbc_driver = "sap.jdbc4.sqlanywhere.IDriver" +# for curl command in ranger plugin to get db connector +jdk_location = config['hostLevelParams']['jdk_location'] + +# ranger yarn plugin section start + +# ranger host +ranger_admin_hosts = default("/clusterHostInfo/ranger_admin_hosts", []) +has_ranger_admin = not len(ranger_admin_hosts) == 0 + +# ranger support xml_configuration flag, instead of depending on ranger xml_configurations_supported/ranger-env, using stack feature +xml_configurations_supported = check_stack_feature(StackFeature.RANGER_XML_CONFIGURATION, version_for_stack_feature_checks) + +# ambari-server hostname +ambari_server_hostname = config['clusterHostInfo']['ambari_server_host'][0] + +# ranger yarn plugin enabled property +enable_ranger_yarn = 
default("/configurations/ranger-yarn-plugin-properties/ranger-yarn-plugin-enabled", "No") +enable_ranger_yarn = True if enable_ranger_yarn.lower() == 'yes' else False + +# ranger yarn-plugin supported flag, instead of using is_supported_yarn_ranger/yarn-env, using stack feature +is_supported_yarn_ranger = check_stack_feature(StackFeature.YARN_RANGER_PLUGIN_SUPPORT, version_for_stack_feature_checks) + +# get ranger yarn properties if enable_ranger_yarn is True +if enable_ranger_yarn and is_supported_yarn_ranger: + # get ranger policy url + policymgr_mgr_url = config['configurations']['ranger-yarn-security']['ranger.plugin.yarn.policy.rest.url'] + + if not is_empty(policymgr_mgr_url) and policymgr_mgr_url.endswith('/'): + policymgr_mgr_url = policymgr_mgr_url.rstrip('/') + + # ranger audit db user + xa_audit_db_user = default('/configurations/admin-properties/audit_db_user', 'rangerlogger') + + xa_audit_db_password = '' + if not is_empty(config['configurations']['admin-properties']['audit_db_password']) and stack_supports_ranger_audit_db and has_ranger_admin: + xa_audit_db_password = config['configurations']['admin-properties']['audit_db_password'] + + # ranger yarn service/repository name + repo_name = str(config['clusterName']) + '_yarn' + repo_name_value = config['configurations']['ranger-yarn-security']['ranger.plugin.yarn.service.name'] + if not is_empty(repo_name_value) and repo_name_value != "{{repo_name}}": + repo_name = repo_name_value + + # ranger-env config + ranger_env = config['configurations']['ranger-env'] + + # create ranger-env config having external ranger credential properties + if not has_ranger_admin and enable_ranger_yarn: + external_admin_username = default('/configurations/ranger-yarn-plugin-properties/external_admin_username', 'admin') + external_admin_password = default('/configurations/ranger-yarn-plugin-properties/external_admin_password', 'admin') + external_ranger_admin_username = 
default('/configurations/ranger-yarn-plugin-properties/external_ranger_admin_username', 'amb_ranger_admin') + external_ranger_admin_password = default('/configurations/ranger-yarn-plugin-properties/external_ranger_admin_password', 'amb_ranger_admin') + ranger_env = {} + ranger_env['admin_username'] = external_admin_username + ranger_env['admin_password'] = external_admin_password + ranger_env['ranger_admin_username'] = external_ranger_admin_username + ranger_env['ranger_admin_password'] = external_ranger_admin_password + + ranger_plugin_properties = config['configurations']['ranger-yarn-plugin-properties'] + policy_user = config['configurations']['ranger-yarn-plugin-properties']['policy_user'] + yarn_rest_url = config['configurations']['yarn-site']['yarn.resourcemanager.webapp.address'] + + ranger_plugin_config = { + 'username' : config['configurations']['ranger-yarn-plugin-properties']['REPOSITORY_CONFIG_USERNAME'], + 'password' : unicode(config['configurations']['ranger-yarn-plugin-properties']['REPOSITORY_CONFIG_PASSWORD']), + 'yarn.url' : format('{scheme}://{yarn_rest_url}'), + 'commonNameForCertificate' : config['configurations']['ranger-yarn-plugin-properties']['common.name.for.certificate'] + } + + yarn_ranger_plugin_repo = { + 'isEnabled': 'true', + 'configs': ranger_plugin_config, + 'description': 'yarn repo', + 'name': repo_name, + 'repositoryType': 'yarn', + 'type': 'yarn', + 'assetType': '1' + } + + if stack_supports_ranger_kerberos: + ranger_plugin_config['ambari.service.check.user'] = policy_user + ranger_plugin_config['hadoop.security.authentication'] = 'kerberos' if security_enabled else 'simple' + + if stack_supports_ranger_kerberos and security_enabled: + ranger_plugin_config['policy.download.auth.users'] = yarn_user + ranger_plugin_config['tag.download.auth.users'] = yarn_user + + downloaded_custom_connector = None + previous_jdbc_jar_name = None + driver_curl_source = None + driver_curl_target = None + previous_jdbc_jar = None + + if 
has_ranger_admin and stack_supports_ranger_audit_db: + xa_audit_db_flavor = config['configurations']['admin-properties']['DB_FLAVOR'] + jdbc_jar_name, previous_jdbc_jar_name, audit_jdbc_url, jdbc_driver = get_audit_configs(config) downloaded_custom_connector = format("{tmp_dir}/{jdbc_jar_name}") if stack_supports_ranger_audit_db else None driver_curl_source = format("{jdk_location}/{jdbc_jar_name}") if stack_supports_ranger_audit_db else None driver_curl_target = format("{hadoop_yarn_home}/lib/{jdbc_jar_name}") if stack_supports_ranger_audit_db else None previous_jdbc_jar = format("{hadoop_yarn_home}/lib/{previous_jdbc_jar_name}") if stack_supports_ranger_audit_db else None + xa_audit_db_is_enabled = False + if xml_configurations_supported and stack_supports_ranger_audit_db: + xa_audit_db_is_enabled = config['configurations']['ranger-yarn-audit']['xasecure.audit.destination.db'] + + xa_audit_hdfs_is_enabled = config['configurations']['ranger-yarn-audit']['xasecure.audit.destination.hdfs'] if xml_configurations_supported else False + ssl_keystore_password = config['configurations']['ranger-yarn-policymgr-ssl']['xasecure.policymgr.clientssl.keystore.password'] if xml_configurations_supported else None + ssl_truststore_password = config['configurations']['ranger-yarn-policymgr-ssl']['xasecure.policymgr.clientssl.truststore.password'] if xml_configurations_supported else None + credential_file = format('/etc/ranger/{repo_name}/cred.jceks') + + # for SQLA explicitly disable audit to DB for Ranger + if has_ranger_admin and stack_supports_ranger_audit_db and xa_audit_db_flavor == 'sqla': xa_audit_db_is_enabled = False - ranger_audit_solr_urls = config['configurations']['ranger-admin-site']['ranger.audit.solr.urls'] - if xml_configurations_supported and stack_supports_ranger_audit_db: - xa_audit_db_is_enabled = config['configurations']['ranger-yarn-audit']['xasecure.audit.destination.db'] - xa_audit_hdfs_is_enabled = 
config['configurations']['ranger-yarn-audit']['xasecure.audit.destination.hdfs'] if xml_configurations_supported else None - ssl_keystore_password = unicode(config['configurations']['ranger-yarn-policymgr-ssl']['xasecure.policymgr.clientssl.keystore.password']) if xml_configurations_supported else None - ssl_truststore_password = unicode(config['configurations']['ranger-yarn-policymgr-ssl']['xasecure.policymgr.clientssl.truststore.password']) if xml_configurations_supported else None - credential_file = format('/etc/ranger/{repo_name}/cred.jceks') if xml_configurations_supported else None - - #For SQLA explicitly disable audit to DB for Ranger - if xa_audit_db_flavor == 'sqla': - xa_audit_db_is_enabled = False + +# ranger yarn plugin end section http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/resourcemanager.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/resourcemanager.py b/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/resourcemanager.py index 3207f27..f2e6660 100644 --- a/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/resourcemanager.py +++ b/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/resourcemanager.py 
@@ -115,7 +115,7 @@ class ResourcemanagerDefault(Resourcemanager): env.set_params(params) self.configure(env) # FOR SECURITY - if params.has_ranger_admin and params.is_supported_yarn_ranger: + if params.enable_ranger_yarn and params.is_supported_yarn_ranger: setup_ranger_yarn() #Ranger Yarn Plugin related calls # wait for active-dir and done-dir to be created by ATS if needed http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/setup_ranger_yarn.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/setup_ranger_yarn.py b/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/setup_ranger_yarn.py index 6ea7f82..d29e4dc 100644 --- a/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/setup_ranger_yarn.py +++ b/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/setup_ranger_yarn.py @@ -19,7 +19,7 @@ from resource_management.core.logger import Logger def setup_ranger_yarn(): import params - if params.has_ranger_admin: + if params.enable_ranger_yarn: from resource_management.libraries.functions.setup_ranger_plugin_xml import setup_ranger_plugin @@ -68,4 +68,4 @@ def setup_ranger_yarn(): component_user_keytab=params.rm_keytab if params.security_enabled else None ) else: - Logger.info('Ranger admin not installed') + Logger.info('Ranger Yarn plugin is not enabled') http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json b/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json index a64af73..6801d5a 100644 
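Review bot: With the gate now `params.enable_ranger_yarn and params.is_supported_yarn_ranger`, start() reaches setup_ranger_yarn() on clusters that have no Ranger Admin host. For that case the params change in this commit builds `ranger_env` from `external_admin_password` and `external_ranger_admin_password` with the literal fallbacks `'admin'` and `'amb_ranger_admin'`. A cluster that enables the plugin without setting those properties would then, presumably, register against the external Ranger Admin with well-known default credentials instead of stopping. I would read the two passwords with `default(..., None)` and raise `Fail` when either is empty, so a missing credential is an error rather than a silent default. The matching gate change in setup_ranger_yarn.py (hunk at -19,7) has the same effect, and start()'s body continues outside this hunk.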
--- a/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json
+++ b/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json
@@ -122,7 +122,7 @@
 "name": "ranger_audit_db_support",
 "description": "Ranger Audit to DB support",
 "min_version": "2.2.0.0",
- "max_version": "2.5.0.0"
+ "max_version": "2.4.99.99"
 },
 {
 "name": "accumulo_kerberos_user_auth",
@@ -334,6 +334,21 @@
 "min_version": "2.6.0.0"
 },
 {
+ "name": "ranger_xml_configuration",
+ "description": "Ranger code base support xml configurations",
+ "min_version": "2.3.0.0"
+ },
+ {
+ "name": "kafka_ranger_plugin_support",
+ "description": "Ambari stack changes for Ranger Kafka Plugin (AMBARI-11299)",
+ "min_version": "2.3.0.0"
+ },
+ {
+ "name": "yarn_ranger_plugin_support",
+ "description": "Implement Stack changes for Ranger Yarn Plugin integration (AMBARI-10866)",
+ "min_version": "2.3.0.0"
+ },
+ {
 "name": "ranger_solr_config_support",
 "description": "Showing Ranger solrconfig.xml on UI",
 "min_version": "2.6.0.0"
http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/stacks/HDP/2.2/services/HBASE/configuration/ranger-hbase-plugin-properties.xml ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2/services/HBASE/configuration/ranger-hbase-plugin-properties.xml b/ambari-server/src/main/resources/stacks/HDP/2.2/services/HBASE/configuration/ranger-hbase-plugin-properties.xml
index 960c751..0de538d 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.2/services/HBASE/configuration/ranger-hbase-plugin-properties.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.2/services/HBASE/configuration/ranger-hbase-plugin-properties.xml
@@ -26,7 +26,7 @@
 <value-attributes>
 <empty-value-valid>true</empty-value-valid>
 </value-attributes>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
 </property>
 <property>
 <name>policy_user</name>
@@ -39,7 +39,7 @@
 </property>
 </depends-on>
 <description>This user must be system user and also present at Ranger admin portal</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
 </property>
 <property>
 <name>ranger-hbase-plugin-enabled</name>
@@ -56,14 +56,14 @@
 <name>ranger-hbase-plugin-enabled</name>
 </property>
 </depends-on>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
 </property>
 <property>
 <name>REPOSITORY_CONFIG_USERNAME</name>
 <value>hbase</value>
 <display-name>Ranger repository config user</display-name>
 <description>Used for repository creation on ranger admin</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
 </property>
 <property>
 <name>REPOSITORY_CONFIG_PASSWORD</name>
@@ -74,7 +74,7 @@
 <value-attributes>
 <type>password</type>
 </value-attributes>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
 </property>
 <property>
 <name>XAAUDIT.DB.IS_ENABLED</name>
http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/ranger-hdfs-plugin-properties.xml ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/ranger-hdfs-plugin-properties.xml b/ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/ranger-hdfs-plugin-properties.xml
index c57c5f0..7460d26 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/ranger-hdfs-plugin-properties.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/ranger-hdfs-plugin-properties.xml
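Review bot: `add="true"` on the password-typed `REPOSITORY_CONFIG_PASSWORD` property (hunk at -74,7) makes an Ambari upgrade create the property on clusters that lack it, presumably with the stack's default `<value>`; that value sits above the hunk and is not visible here. If it is a fixed string, every upgraded cluster gets the same repository password until someone changes it, and nothing in the definition tells the operator. I would add a comment above the element, `<!-- added on upgrade with the stack default; change it before enabling the plugin -->`, and say the same in the property's description. The HDFS (-73,7) and HIVE (-57,7) sections flip the same property.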
@@ -17,7 +17,7 @@ <display-name>Policy user for HDFS</display-name> <description>This user must be system user and also present at Ranger admin portal</description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>hadoop.rpc.protection</name> @@ -27,7 +27,7 @@ <value-attributes> <empty-value-valid>true</empty-value-valid> </value-attributes> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>common.name.for.certificate</name> @@ -36,7 +36,7 @@ <value-attributes> <empty-value-valid>true</empty-value-valid> </value-attributes> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>ranger-hdfs-plugin-enabled</name> @@ -53,7 +53,7 @@ <type>boolean</type> <overridable>false</overridable> </value-attributes> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>REPOSITORY_CONFIG_USERNAME</name> @@ -61,7 +61,7 @@ <display-name>Ranger repository config user</display-name> <description>Used for repository creation on ranger admin </description> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>REPOSITORY_CONFIG_PASSWORD</name> @@ -73,7 +73,7 @@ <value-attributes> <type>password</type> </value-attributes> - <on-ambari-upgrade add="false"/> + <on-ambari-upgrade add="true"/> </property> <property> <name>XAAUDIT.DB.IS_ENABLED</name> http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/stacks/HDP/2.2/services/HIVE/configuration/ranger-hive-plugin-properties.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2/services/HIVE/configuration/ranger-hive-plugin-properties.xml b/ambari-server/src/main/resources/stacks/HDP/2.2/services/HIVE/configuration/ranger-hive-plugin-properties.xml index 830c539..0db5565 100644 
--- a/ambari-server/src/main/resources/stacks/HDP/2.2/services/HIVE/configuration/ranger-hive-plugin-properties.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.2/services/HIVE/configuration/ranger-hive-plugin-properties.xml
@@ -24,13 +24,13 @@
 <value>ambari-qa</value>
 <display-name>Policy user for HIVE</display-name>
 <description>This user must be system user and also present at Ranger admin portal</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
 </property>
 <property>
 <name>jdbc.driverClassName</name>
 <value>org.apache.hive.jdbc.HiveDriver</value>
 <description>Used for repository creation on ranger admin</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
 </property>
 <property>
 <name>common.name.for.certificate</name>
@@ -39,14 +39,14 @@
 <value-attributes>
 <empty-value-valid>true</empty-value-valid>
 </value-attributes>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
 </property>
 <property>
 <name>REPOSITORY_CONFIG_USERNAME</name>
 <value>hive</value>
 <display-name>Ranger repository config user</display-name>
 <description>Used for repository creation on ranger admin</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
 </property>
 <property>
 <name>REPOSITORY_CONFIG_PASSWORD</name>
@@ -57,7 +57,7 @@
 <value-attributes>
 <type>password</type>
 </value-attributes>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
 </property>
 <property>
 <name>XAAUDIT.DB.IS_ENABLED</name>
http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/configuration/ranger-knox-plugin-properties.xml ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/configuration/ranger-knox-plugin-properties.xml b/ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/configuration/ranger-knox-plugin-properties.xml
index d5880dd..ad2b1e4 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/configuration/ranger-knox-plugin-properties.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/configuration/ranger-knox-plugin-properties.xml
@@ -24,6 +24,6 @@
 <value>/usr/hdp/current/knox-server</value>
 <display-name>Knox Home</display-name>
 <description>Knox home folder</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
 </property>
 </configuration>
