http://git-wip-us.apache.org/repos/asf/ambari/blob/984d4605/ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHBASE/configuration/ranger-hbase-audit.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHBASE/configuration/ranger-hbase-audit.xml b/ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHBASE/configuration/ranger-hbase-audit.xml
new file mode 100644
index 0000000..598b11c
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHBASE/configuration/ranger-hbase-audit.xml
@@ -0,0 +1,122 @@
+<?xml version="1.0"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration>
+ <!-- These properties exist in HDP 2.5 and higher. -->
+ <property>
+ <name>xasecure.audit.is.enabled</name>
+ <value>true</value>
+ <description>Is Audit enabled?</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>xasecure.audit.destination.hdfs</name>
+ <value>true</value>
+ <display-name>Audit to FAKEHDFS</display-name>
+ <description>Is Audit to FAKEHDFS enabled?</description>
+ <value-attributes>
+ <type>boolean</type>
+ </value-attributes>
+ <depends-on>
+ <property>
+ <type>ranger-env</type>
+ <name>xasecure.audit.destination.hdfs</name>
+ </property>
+ </depends-on>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>xasecure.audit.destination.hdfs.dir</name>
+ <value>hdfs://FAKENAMENODE_HOSTNAME:8020/ranger/audit</value>
+ <description>FAKEHDFS folder to write audit to, make sure the service user has requried permissions</description>
+ <depends-on>
+ <property>
+ <type>ranger-env</type>
+ <name>xasecure.audit.destination.hdfs.dir</name>
+ </property>
+ </depends-on>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>xasecure.audit.destination.hdfs.batch.filespool.dir</name>
+ <value>/var/log/hbase/audit/hdfs/spool</value>
+ <description>/var/log/hbase/audit/hdfs/spool</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>xasecure.audit.destination.solr</name>
+ <value>false</value>
+ <display-name>Audit to SOLR</display-name>
+ <description>Is Solr audit enabled?</description>
+ <value-attributes>
+ <type>boolean</type>
+ </value-attributes>
+ <depends-on>
+ <property>
+ <type>ranger-env</type>
+ <name>xasecure.audit.destination.solr</name>
+ </property>
+ </depends-on>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>xasecure.audit.destination.solr.urls</name>
+ <value/>
+ <description>Solr URL</description>
+ <value-attributes>
+ <empty-value-valid>true</empty-value-valid>
+ </value-attributes>
+ <depends-on>
+ <property>
+ <type>ranger-admin-site</type>
+ <name>ranger.audit.solr.urls</name>
+ </property>
+ </depends-on>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>xasecure.audit.destination.solr.zookeepers</name>
+ <value>NONE</value>
+ <description>Solr Zookeeper string</description>
+ <depends-on>
+ <property>
+ <type>ranger-admin-site</type>
+ <name>ranger.audit.solr.zookeepers</name>
+ </property>
+ </depends-on>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>xasecure.audit.destination.solr.batch.filespool.dir</name>
+ <value>/var/log/hbase/audit/solr/spool</value>
+ <description>/var/log/hbase/audit/solr/spool</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>xasecure.audit.provider.summary.enabled</name>
+ <value>true</value>
+ <display-name>Audit provider summary enabled</display-name>
+ <description>Enable Summary audit?</description>
+ <value-attributes>
+ <type>boolean</type>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+</configuration>
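Review bot: The two `*.batch.filespool.dir` properties use their own path as the `<description>` (`/var/log/hbase/audit/hdfs/spool` and `/var/log/hbase/audit/solr/spool`), so the UI gives an operator no hint that these directories hold audit records. A description such as `<description>Local directory where audit events bound for HDFS are spooled before delivery; restrict it to the service user</description>`, with the Solr equivalent, would document what needs protecting. The `xasecure.audit.destination.hdfs.dir` description also has the typo `requried` for `required`.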
http://git-wip-us.apache.org/repos/asf/ambari/blob/984d4605/ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHBASE/configuration/ranger-hbase-policymgr-ssl.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHBASE/configuration/ranger-hbase-policymgr-ssl.xml b/ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHBASE/configuration/ranger-hbase-policymgr-ssl.xml
new file mode 100644
index 0000000..c761b26
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHBASE/configuration/ranger-hbase-policymgr-ssl.xml
@@ -0,0 +1,66 @@
+<?xml version="1.0"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration>
+ <property>
+ <name>xasecure.policymgr.clientssl.keystore</name>
+ <value>/usr/hdp/current/hbase-client/conf/ranger-plugin-keystore.jks</value>
+ <description>Java Keystore files</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.keystore.password</name>
+ <value>myKeyFilePassword</value>
+ <property-type>PASSWORD</property-type>
+ <description>password for keystore</description>
+ <value-attributes>
+ <type>password</type>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.truststore</name>
+ <value>/usr/hdp/current/hbase-client/conf/ranger-plugin-truststore.jks</value>
+ <description>java truststore file</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.truststore.password</name>
+ <value>changeit</value>
+ <property-type>PASSWORD</property-type>
+ <description>java truststore password</description>
+ <value-attributes>
+ <type>password</type>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.keystore.credential.file</name>
+ <value>jceks://file{{credential_file}}</value>
+ <description>java keystore credential file</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.truststore.credential.file</name>
+ <value>jceks://file{{credential_file}}</value>
+ <description>java truststore credential file</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+</configuration>
http://git-wip-us.apache.org/repos/asf/ambari/blob/984d4605/ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHBASE/configuration/ranger-hbase-security.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHBASE/configuration/ranger-hbase-security.xml b/ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHBASE/configuration/ranger-hbase-security.xml
new file mode 100644
index 0000000..1deb9e5
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHBASE/configuration/ranger-hbase-security.xml
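Review bot: Both PASSWORD-typed properties in ranger-hbase-policymgr-ssl.xml ship literal defaults, `myKeyFilePassword` for `xasecure.policymgr.clientssl.keystore.password` and `changeit` for `xasecure.policymgr.clientssl.truststore.password`, and nothing in the file marks them as placeholders. If a cluster is deployed without overriding them, the keystore used for the plugin's SSL connection to Ranger Admin is protected by a publicly known string. At minimum the descriptions should say so, e.g. `<description>Keystore password (placeholder default; set a unique value before enabling SSL to Ranger Admin)</description>`. The keystore and truststore paths also point under `/usr/hdp/current/hbase-client/conf/`, which presumably does not exist on a PERF-stack host and is worth confirming.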
@@ -0,0 +1,68 @@
+<?xml version="1.0"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration>
+ <property>
+ <name>ranger.plugin.hbase.service.name</name>
+ <value>{{repo_name}}</value>
+ <description>Name of the Ranger service containing HBase policies</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>ranger.plugin.hbase.policy.source.impl</name>
+ <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
+ <description>Class to retrieve policies from the source</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>ranger.plugin.hbase.policy.rest.url</name>
+ <value>{{policymgr_mgr_url}}</value>
+ <description>URL to Ranger Admin</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>ranger.plugin.hbase.policy.rest.ssl.config.file</name>
+ <value>/etc/hbase/conf/ranger-policymgr-ssl.xml</value>
+ <description>Path to the file containing SSL details to contact Ranger Admin</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>ranger.plugin.hbase.policy.pollIntervalMs</name>
+ <value>30000</value>
+ <description>How often to poll for changes in policies?</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>ranger.plugin.hbase.policy.cache.dir</name>
+ <value>/etc/ranger/{{repo_name}}/policycache</value>
+ <description>Directory where Ranger policies are cached after successful retrieval from the source</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>xasecure.hbase.update.xapolicies.on.grant.revoke</name>
+ <value>true</value>
+ <display-name>Should HBase GRANT/REVOKE update XA policies</display-name>
+ <description>Should HBase plugin update Ranger policies for updates to permissions done using GRANT/REVOKE?</description>
+ <value-attributes>
+ <type>boolean</type>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+</configuration>
http://git-wip-us.apache.org/repos/asf/ambari/blob/984d4605/ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHBASE/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHBASE/kerberos.json b/ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHBASE/kerberos.json
new file mode 100644
index 0000000..b053779
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHBASE/kerberos.json
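Review bot: In ranger-hbase-security.xml, `xasecure.hbase.update.xapolicies.on.grant.revoke` defaults to `true`, yet its display name says "XA policies" while its description says "Ranger policies", and both are phrased as questions rather than stating the effect. Going by the description, this default lets permissions changed through HBase GRANT/REVOKE be written through to the Ranger policies, which deserves a plain statement such as `<description>When true, HBase GRANT/REVOKE commands also update the corresponding Ranger policies</description>` and a matching `<display-name>Should HBase GRANT/REVOKE update Ranger policies</display-name>`. Separately, the `ranger.plugin.hbase.policy.pollIntervalMs` description could state its unit: `How often, in milliseconds, to poll for policy changes`.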
@@ -0,0 +1,159 @@
+{
+ "services": [
+ {
+ "name": "FAKEHBASE",
+ "identities": [
+ {
+ "name": "/spnego"
+ },
+ {
+ "name": "hbase",
+ "principal": {
+ "value": "${hbase-env/hbase_user}${principal_suffix}@${realm}",
+ "type" : "user",
+ "configuration": "hbase-env/hbase_principal_name",
+ "local_username": "${hbase-env/hbase_user}"
+ },
+ "keytab": {
+ "file": "${keytab_dir}/hbase.headless.keytab",
+ "owner": {
+ "name": "${hbase-env/hbase_user}",
+ "access": "r"
+ },
+ "group": {
+ "name": "${cluster-env/user_group}",
+ "access": "r"
+ },
+ "configuration": "hbase-env/hbase_user_keytab"
+ }
+ },
+ {
+ "name": "/smokeuser"
+ }
+ ],
+ "configurations": [
+ {
+ "hbase-site": {
+ "hbase.security.authentication": "kerberos",
+ "hbase.security.authorization": "true",
+ "zookeeper.znode.parent": "/hbase-secure",
+ "hbase.coprocessor.master.classes": "{{hbase_coprocessor_master_classes}}",
+ "hbase.coprocessor.region.classes": "{{hbase_coprocessor_region_classes}}",
+ "hbase.coprocessor.regionserver.classes": "{{hbase_coprocessor_regionserver_classes}}",
+ "hbase.bulkload.staging.dir": "/apps/hbase/staging",
+ "hbase.master.ui.readonly": "true"
+ }
+ },
+ {
+ "ranger-hbase-audit": {
+ "xasecure.audit.jaas.Client.loginModuleName": "com.sun.security.auth.module.Krb5LoginModule",
+ "xasecure.audit.jaas.Client.loginModuleControlFlag": "required",
+ "xasecure.audit.jaas.Client.option.useKeyTab": "true",
+ "xasecure.audit.jaas.Client.option.storeKey": "false",
+ "xasecure.audit.jaas.Client.option.serviceName": "solr",
+ "xasecure.audit.destination.solr.force.use.inmemory.jaas.config": "true"
+ }
+ }
+ ],
+ "components": [
+ {
+ "name": "FAKEHBASE_MASTER",
+ "identities": [
+ {
+ "name": "/FAKEHDFS/FAKENAMENODE/hdfs"
+ },
+ {
+ "name": "hbase_master_hbase",
+ "principal": {
+ "value": "hbase/_HOST@${realm}",
+ "type" : "service",
+ "configuration": "hbase-site/hbase.master.kerberos.principal",
+ "local_username": "${hbase-env/hbase_user}"
+ },
+ "keytab": {
+ "file": "${keytab_dir}/hbase.service.keytab",
+ "owner": {
+ "name": "${hbase-env/hbase_user}",
+ "access": "r"
+ },
+ "group": {
+ "name": "${cluster-env/user_group}",
+ "access": ""
+ },
+ "configuration": "hbase-site/hbase.master.keytab.file"
+ }
+ },
+ {
+ "name": "/spnego",
+ "principal": {
+ "configuration": "hbase-site/hbase.security.authentication.spnego.kerberos.principal"
+ },
+ "keytab": {
+ "configuration": "hbase-site/hbase.security.authentication.spnego.kerberos.keytab"
+ }
+ },
+ {
+ "name": "/FAKEHBASE/FAKEHBASE_MASTER/hbase_master_hbase",
+ "principal": {
+ "configuration": "ranger-hbase-audit/xasecure.audit.jaas.Client.option.principal"
+ },
+ "keytab": {
+ "configuration": "ranger-hbase-audit/xasecure.audit.jaas.Client.option.keyTab"
+ }
+ }
+ ]
+ },
+ {
+ "name": "FAKEHBASE_REGIONSERVER",
+ "identities": [
+ {
+ "name": "hbase_regionserver_hbase",
+ "principal": {
+ "value": "hbase/_HOST@${realm}",
+ "type" : "service",
+ "configuration": "hbase-site/hbase.regionserver.kerberos.principal",
+ "local_username": "${hbase-env/hbase_user}"
+ },
+ "keytab": {
+ "file": "${keytab_dir}/hbase.service.keytab",
+ "owner": {
+ "name": "${hbase-env/hbase_user}",
+ "access": "r"
+ },
+ "group": {
+ "name": "${cluster-env/user_group}",
+ "access": ""
+ },
+ "configuration": "hbase-site/hbase.regionserver.keytab.file"
+ }
+ },
+ {
+ "name": "/spnego",
+ "principal": {
+ "configuration": "hbase-site/hbase.security.authentication.spnego.kerberos.principal"
+ },
+ "keytab": {
+ "configuration": "hbase-site/hbase.security.authentication.spnego.kerberos.keytab"
+ }
+ }
+ ]
+ },
+ {
+ "name": "FAKEPHOENIX_QUERY_SERVER",
+ "identities": [
+ {
+ "name": "phoenix_spnego",
+ "reference": "/spnego",
+ "principal": {
+ "configuration": "hbase-site/phoenix.queryserver.kerberos.principal"
+ },
+ "keytab": {
+ "configuration": "hbase-site/phoenix.queryserver.keytab.file"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
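Review bot: The headless `hbase` identity gives the keytab group read access (`"access": "r"` in the `group` entry for `${keytab_dir}/hbase.headless.keytab`), while both `hbase.service.keytab` entries leave group access empty. Every member of `${cluster-env/user_group}` can then read that keytab and authenticate as the HBase user principal. If no other account in that group needs it, which cannot be seen from this file, the group entry should read `"access": ""` like the service keytabs.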
http://git-wip-us.apache.org/repos/asf/ambari/blob/984d4605/ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHBASE/metainfo.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHBASE/metainfo.xml b/ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHBASE/metainfo.xml
new file mode 100644
index 0000000..4dbd2bb
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/PERF/1.0/services/FAKEHBASE/metainfo.xml
@@ -0,0 +1,197 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<metainfo>
+ <schemaVersion>2.0</schemaVersion>
+ <services>
+ <service>
+ <name>FAKEHBASE</name>
+ <displayName>FAKEHBASE</displayName>
+ <version>1.1.1.2.3</version>
+ <comment>A Non-relational distributed database, plus Phoenix, a high performance SQL layer for low latency applications.</comment>
+
+ <components>
+ <component>
+ <name>FAKEHBASE_MASTER</name>
+ <displayName>FAKEHBase Master</displayName>
+ <category>MASTER</category>
+ <cardinality>1+</cardinality>
+ <versionAdvertised>false</versionAdvertised>
+ <timelineAppid>FAKEHBASE</timelineAppid>
+ <dependencies>
+ <dependency>
+ <name>FAKEHDFS/FAKEHDFS_CLIENT</name>
+ <scope>host</scope>
+ <auto-deploy>
+ <enabled>true</enabled>
+ </auto-deploy>
+ </dependency>
+ <dependency>
+ <name>FAKEZOOKEEPER/FAKEZOOKEEPER_SERVER</name>
+ <scope>cluster</scope>
+ <auto-deploy>
+ <enabled>true</enabled>
+ <co-locate>FAKEHBASE/FAKEHBASE_MASTER</co-locate>
+ </auto-deploy>
+ </dependency>
+ </dependencies>
+ <commandScript>
+ <script>scripts/hbase_master.py</script>
+ <scriptType>PYTHON</scriptType>
+ <timeout>1200</timeout>
+ </commandScript>
+ <logs>
+ <log>
+ <logId>hbase_master</logId>
+ <primary>true</primary>
+ </log>
+ </logs>
+ <customCommands>
+ <customCommand>
+ <name>DECOMMISSION</name>
+ <commandScript>
+ <script>scripts/hbase_master.py</script>
+ <scriptType>PYTHON</scriptType>
+ <timeout>600</timeout>
+ </commandScript>
+ </customCommand>
+ </customCommands>
+ </component>
+
+ <component>
+ <name>FAKEPHOENIX_QUERY_SERVER</name>
+ <displayName>FAKEPhoenix Query Server</displayName>
+ <category>SLAVE</category>
+ <cardinality>0+</cardinality>
+ <versionAdvertised>false</versionAdvertised>
+ <commandScript>
+ <script>scripts/phoenix_queryserver.py</script>
+ <scriptType>PYTHON</scriptType>
+ </commandScript>
+ <logs>
+ <log>
+ <logId>hbase_phoenix_server</logId>
+ <primary>true</primary>
+ </log>
+ </logs>
+ </component>
+
+ <component>
+ <name>FAKEHBASE_REGIONSERVER</name>
+ <displayName>FAKERegionServer</displayName>
+ <category>SLAVE</category>
+ <cardinality>1+</cardinality>
+ <versionAdvertised>false</versionAdvertised>
+ <decommissionAllowed>true</decommissionAllowed>
+ <timelineAppid>FAKEHBASE</timelineAppid>
+ <commandScript>
+ <script>scripts/hbase_regionserver.py</script>
+ <scriptType>PYTHON</scriptType>
+ </commandScript>
+ <bulkCommands>
+ <displayName>FAKEFAKERegionServers</displayName>
+ <!-- Used by decommission and recommission -->
+ <masterComponent>FAKEHBASE_MASTER</masterComponent>
+ </bulkCommands>
+ <logs>
+ <log>
+ <logId>hbase_regionserver</logId>
+ <primary>true</primary>
+ </log>
+ </logs>
+ </component>
+
+ <component>
+ <name>FAKEHBASE_CLIENT</name>
+ <displayName>FAKEHBase Client</displayName>
+ <category>CLIENT</category>
+ <cardinality>1+</cardinality>
+ <versionAdvertised>false</versionAdvertised>
+ <commandScript>
+ <script>scripts/hbase_client.py</script>
+ <scriptType>PYTHON</scriptType>
+ </commandScript>
+ <configFiles>
+ <configFile>
+ <type>xml</type>
+ <fileName>hbase-site.xml</fileName>
+ <dictionaryName>hbase-site</dictionaryName>
+ </configFile>
+ <configFile>
+ <type>env</type>
+ <fileName>hbase-env.sh</fileName>
+ <dictionaryName>hbase-env</dictionaryName>
+ </configFile>
+ <configFile>
+ <type>xml</type>
+ <fileName>hbase-policy.xml</fileName>
+ <dictionaryName>hbase-policy</dictionaryName>
+ </configFile>
+ <configFile>
+ <type>env</type>
+ <fileName>log4j.properties</fileName>
+ <dictionaryName>hbase-log4j</dictionaryName>
+ </configFile>
+ </configFiles>
+ </component>
+ </components>
+
+ <themes>
+ <theme>
+ <fileName>theme.json</fileName>
+ <default>true</default>
+ </theme>
+ </themes>
+
+ <quickLinksConfigurations>
+ <quickLinksConfiguration>
+ <fileName>quicklinks.json</fileName>
+ <default>true</default>
+ </quickLinksConfiguration>
+ </quickLinksConfigurations>
+
+ <!-- No packages to install. -->
+ <osSpecifics></osSpecifics>
+
+ <configuration-dependencies>
+ <config-type>hbase-alert-config</config-type>
+ <config-type>core-site</config-type> <!-- hbase puts core-site in it's folder -->
+ <config-type>hbase-policy</config-type>
+ <config-type>hbase-site</config-type>
+ <config-type>hbase-env</config-type>
+ <config-type>hbase-log4j</config-type>
+ <config-type>ranger-hbase-plugin-properties</config-type>
+ <config-type>ranger-hbase-audit</config-type>
+ <config-type>ranger-hbase-policymgr-ssl</config-type>
+ <config-type>ranger-hbase-security</config-type>
+ <config-type>ams-ssl-client</config-type>
+ </configuration-dependencies>
+
+ <commandScript>
+ <script>scripts/service_check.py</script>
+ <scriptType>PYTHON</scriptType>
+ <timeout>300</timeout>
+ </commandScript>
+
+ <requiredServices>
+ <service>FAKEZOOKEEPER</service>
+ <service>FAKEHDFS</service>
+ </requiredServices>
+
+ </service>
+ </services>
+</metainfo>
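Review bot: The `<bulkCommands>` display name for FAKEHBASE_REGIONSERVER reads `FAKEFAKERegionServers`, which looks like the FAKE prefix applied twice. The component's own display name is `FAKERegionServer`, so `<displayName>FAKERegionServers</displayName>` is presumably what was intended. The inline comment next to the `core-site` config-type also has `it's` where `its` is meant.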
