Repository: ambari Updated Branches: refs/heads/branch-2.5 0d9d31fe3 -> 481cfe56e
AMBARI-19915 Add Ranger KMS SSL properties in ambari stack (mugdha) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/481cfe56 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/481cfe56 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/481cfe56 Branch: refs/heads/branch-2.5 Commit: 481cfe56ec839d2225ecdaf2f778f13d031223ad Parents: 0d9d31f Author: Mugdha Varadkar <[email protected]> Authored: Fri Feb 17 16:13:49 2017 +0530 Committer: Mugdha Varadkar <[email protected]> Committed: Fri Feb 17 16:27:30 2017 +0530 ---------------------------------------------------------------------- .../libraries/functions/constants.py | 1 + .../0.5.0.2.3/configuration/kms-env.xml | 10 +++ .../RANGER_KMS/0.5.0.2.3/package/scripts/kms.py | 22 ++++++- .../0.5.0.2.3/package/scripts/params.py | 8 ++- .../HDP/2.0.6/properties/stack_features.json | 5 ++ .../stacks/HDP/2.3/upgrades/config-upgrade.xml | 7 ++ .../HDP/2.3/upgrades/nonrolling-upgrade-2.6.xml | 4 ++ .../stacks/HDP/2.3/upgrades/upgrade-2.6.xml | 1 + .../stacks/HDP/2.4/upgrades/config-upgrade.xml | 7 ++ .../HDP/2.4/upgrades/nonrolling-upgrade-2.6.xml | 4 ++ .../stacks/HDP/2.4/upgrades/upgrade-2.6.xml | 1 + .../stacks/HDP/2.5/upgrades/config-upgrade.xml | 7 ++ .../HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml | 4 ++ .../stacks/HDP/2.5/upgrades/upgrade-2.6.xml | 1 + .../configuration/ranger-kms-site.xml | 68 +++++++++++++++++++ .../stacks/HDP/2.6/services/stack_advisor.py | 20 +++++- .../stacks/2.5/RANGER_KMS/test_kms_server.py | 20 ++++++ .../stacks/2.6/common/test_stack_advisor.py | 69 ++++++++++++++++++++ 18 files changed, 256 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/481cfe56/ambari-common/src/main/python/resource_management/libraries/functions/constants.py ---------------------------------------------------------------------- 
diff --git a/ambari-common/src/main/python/resource_management/libraries/functions/constants.py b/ambari-common/src/main/python/resource_management/libraries/functions/constants.py index c31b883..f553ad2 100644 --- a/ambari-common/src/main/python/resource_management/libraries/functions/constants.py +++ b/ambari-common/src/main/python/resource_management/libraries/functions/constants.py @@ -117,3 +117,4 @@ class StackFeature: ATLAS_HDFS_SITE_ON_NAMENODE_HA='atlas_hdfs_site_on_namenode_ha' HIVE_INTERACTIVE_GA_SUPPORT='hive_interactive_ga' SECURE_RANGER_SSL_PASSWORD = "secure_ranger_ssl_password" + RANGER_KMS_SSL = "ranger_kms_ssl" http://git-wip-us.apache.org/repos/asf/ambari/blob/481cfe56/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/configuration/kms-env.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/configuration/kms-env.xml b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/configuration/kms-env.xml index 7dea07f..e5c0673 100644 --- a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/configuration/kms-env.xml +++ b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/configuration/kms-env.xml @@ -58,6 +58,16 @@ <value>9292</value> <description/> <on-ambari-upgrade add="true"/> + <depends-on> + <property> + <type>ranger-kms-site</type> + <name>ranger.service.https.port</name> + </property> + <property> + <type>ranger-kms-site</type> + <name>ranger.service.https.attrib.ssl.enabled</name> + </property> + </depends-on> </property> <property> <name>create_db_user</name> http://git-wip-us.apache.org/repos/asf/ambari/blob/481cfe56/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py ---------------------------------------------------------------------- 
diff --git a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py index 536ba76..1afe136 100755 --- a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py +++ b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py @@ -140,6 +140,16 @@ def kms(upgrade_type=None): create_parents = True ) + Directory("/etc/security/serverKeys", + create_parents = True, + cd_access = "a" + ) + + Directory("/etc/ranger/kms", + create_parents = True, + cd_access = "a" + ) + copy_jdbc_connector() File(format("/usr/lib/ambari-agent/{check_db_connection_jar_name}"), @@ -270,6 +280,8 @@ def kms(upgrade_type=None): do_keystore_setup(params.credential_provider_path, params.masterkey_alias, params.kms_master_key_password) if params.stack_support_kms_hsm and params.enable_kms_hsm: do_keystore_setup(params.credential_provider_path, params.hms_partition_alias, unicode(params.hms_partition_passwd)) + if params.stack_supports_ranger_kms_ssl and params.ranger_kms_ssl_enabled: + do_keystore_setup(params.ranger_kms_cred_ssl_path, params.ranger_kms_ssl_keystore_alias, params.ranger_kms_ssl_passwd) # remove plain-text password from xml configs dbks_site_copy = {} 
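Review bot: The two new `Directory` resources for `/etc/security/serverKeys` and `/etc/ranger/kms` pass only `create_parents` and `cd_access = "a"`, so owner, group and mode are left to the resource defaults. These paths hold the HTTPS keystore and the JCEKS credential file configured elsewhere in this commit, so I would state them explicitly, for example `owner = params.kms_user, group = params.kms_group, mode = 0755` on `/etc/ranger/kms`. `/etc/security/serverKeys` may be shared with other services, in which case its owner probably has to stay as it is. A one-line comment saying why traverse access for all users is required would also help. The matching assertions in test_kms_server.py would need the same arguments, and `kms()` starts and ends outside this hunk.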
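Review bot: The new guard `params.stack_supports_ranger_kms_ssl and params.ranger_kms_ssl_enabled` tests the raw config value for truth, and params.py in this commit assigns `ranger_kms_ssl_enabled` straight from the `ranger-kms-site` dictionary. The stack advisor change in the same commit compares this property with `.lower() == "true"`, which suggests it arrives as a string; if so, `"false"` is truthy and the keystore setup runs on every supporting stack whether or not SSL is on. An explicit comparison such as `str(params.ranger_kms_ssl_enabled).lower() == 'true'`, or normalising the value once in params.py, would make the intent unambiguous. What `do_keystore_setup` does with the password is not visible here, and `kms()` continues outside the hunk.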
@@ -288,9 +300,17 @@ def kms(upgrade_type=None): mode=0644 ) + ranger_kms_site_copy = {} + ranger_kms_site_copy.update(params.config['configurations']['ranger-kms-site']) + if params.stack_supports_ranger_kms_ssl: + # remove plain-text password from xml configs + for prop in params.ranger_kms_site_password_properties: + if prop in ranger_kms_site_copy: + ranger_kms_site_copy[prop] = "_" + XmlConfig("ranger-kms-site.xml", conf_dir=params.kms_conf_dir, - configurations=params.config['configurations']['ranger-kms-site'], + configurations=ranger_kms_site_copy, configuration_attributes=params.config['configuration_attributes']['ranger-kms-site'], owner=params.kms_user, group=params.kms_group, http://git-wip-us.apache.org/repos/asf/ambari/blob/481cfe56/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/params.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/params.py b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/params.py index 8473160..dc830d5 100755 --- a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/params.py +++ b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/params.py 
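Review bot: The masking loop is gated on `params.stack_supports_ranger_kms_ssl` alone, while the credential-store write in the earlier hunk of this file also depends on `ranger_kms_ssl_enabled`, and nothing here says why the two conditions differ. I would extend the comment to something like `# mask the keystore password in the rendered XML; the real value is stored in the JCEKS file at ranger.credential.provider.path`, so a reader can tell when a `_` placeholder is backed by a credential-store entry. On stacks without the feature the property, if present, is still written to ranger-kms-site.xml unmasked, so the file mode on this `XmlConfig` call is worth confirming; its remaining arguments are outside the hunk.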
@@ -48,6 +48,7 @@ stack_support_kms_hsm = check_stack_feature(StackFeature.RANGER_KMS_HSM_SUPPORT, stack_supports_ranger_kerberos = check_stack_feature(StackFeature.RANGER_KERBEROS_SUPPORT, version_for_stack_feature_checks) stack_supports_pid = check_stack_feature(StackFeature.RANGER_KMS_PID_SUPPORT, version_for_stack_feature_checks) stack_supports_ranger_audit_db = check_stack_feature(StackFeature.RANGER_AUDIT_DB_SUPPORT, version_for_stack_feature_checks) +stack_supports_ranger_kms_ssl = check_stack_feature(StackFeature.RANGER_KMS_SSL, version_for_stack_feature_checks) hadoop_conf_dir = conf_select.get_hadoop_conf_dir() security_enabled = config['configurations']['cluster-env']['security_enabled'] 
@@ -279,4 +280,9 @@ if security_enabled: plugin_audit_password_property = 'xasecure.audit.destination.db.password' kms_plugin_password_properties = ['xasecure.policymgr.clientssl.keystore.password', 'xasecure.policymgr.clientssl.truststore.password'] -dbks_site_password_properties = ['ranger.db.encrypt.key.password', 'ranger.ks.jpa.jdbc.password', 'ranger.ks.hsm.partition.password'] \ No newline at end of file +dbks_site_password_properties = ['ranger.db.encrypt.key.password', 'ranger.ks.jpa.jdbc.password', 'ranger.ks.hsm.partition.password'] +ranger_kms_site_password_properties = ['ranger.service.https.attrib.keystore.pass'] +ranger_kms_cred_ssl_path = config['configurations']['ranger-kms-site']['ranger.credential.provider.path'] +ranger_kms_ssl_keystore_alias = config['configurations']['ranger-kms-site']['ranger.service.https.attrib.keystore.credential.alias'] +ranger_kms_ssl_passwd = config['configurations']['ranger-kms-site']['ranger.service.https.attrib.keystore.pass'] +ranger_kms_ssl_enabled = config['configurations']['ranger-kms-site']['ranger.service.https.attrib.ssl.enabled'] \ No newline at end of file http://git-wip-us.apache.org/repos/asf/ambari/blob/481cfe56/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json b/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json index 5e173b7..bc2e7a7 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json +++ b/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json 
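Review bot: The four new `ranger_kms_*` assignments index `config['configurations']['ranger-kms-site']` directly at module level, although the properties they read are defined only in the HDP 2.6 ranger-kms-site.xml that this commit adds. Unless the config object tolerates missing keys, which cannot be seen from this hunk, they may not resolve to usable values on an older stack. Placing them under `if stack_supports_ranger_kms_ssl:` or reading them with a fallback value would make the older-stack behaviour explicit. A short comment above `ranger_kms_ssl_passwd` noting that it holds the clear-text keystore password, which is masked before ranger-kms-site.xml is written, would document why it is read here.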
@@ -387,6 +387,11 @@ "name": "secure_ranger_ssl_password", "description": "Securing Ranger Admin and Usersync SSL and Trustore related passwords in jceks", "min_version": "2.6.0.0" + }, + { + "name": "ranger_kms_ssl", + "description": "Ranger KMS SSL properties in ambari stack", + "min_version": "2.6.0.0" } ] } http://git-wip-us.apache.org/repos/asf/ambari/blob/481cfe56/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/config-upgrade.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/config-upgrade.xml b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/config-upgrade.xml index 54072ad..0e48fdf 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/config-upgrade.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/config-upgrade.xml @@ -338,6 +338,13 @@ <replace key="content" find="log4j.appender.kms-audit=org.apache.log4j.DailyRollingFileAppender" replace-with="log4j.appender.kms-audit=org.apache.log4j.DailyRollingFileAppender
log4j.appender.kms-audit.MaxFileSize = {{ranger_kms_audit_log_maxfilesize}}MB"/> <replace key="content" find="log4j.appender.kms-audit=org.apache.log4j.DailyRollingFileAppender" replace-with="log4j.appender.kms-audit=org.apache.log4j.DailyRollingFileAppender
log4j.appender.kms-audit.MaxBackupIndex = {{ranger_kms_audit_log_maxbackupindex}}"/> </definition> + <definition xsi:type="configure" id="hdp_2_6_0_0_remove_ranger_kms_duplicate_ssl"> + <type>ranger-kms-site</type> + <transfer operation="delete" delete-key="ranger.https.attrib.keystore.file" + if-type="ranger-kms-site" if-key="ranger.service.https.attrib.keystore.file" if-key-state="present"/> + <transfer operation="delete" delete-key="ranger.service.https.attrib.clientAuth" + if-type="ranger-kms-site" if-key="ranger.service.https.attrib.client.auth" if-key-state="present"/> + </definition> </changes> </component> </service> http://git-wip-us.apache.org/repos/asf/ambari/blob/481cfe56/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.6.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.6.xml b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.6.xml index 31b20cf..b4205d9 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.6.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.6.xml @@ -556,6 +556,10 @@ </task> </execute-stage> + <execute-stage service="RANGER_KMS" component="RANGER_KMS_SERVER" title="Apply config changes for Ranger KMS"> + <task xsi:type="configure" id="hdp_2_6_0_0_remove_ranger_kms_duplicate_ssl"/> + </execute-stage> + <!-- KNOX --> <execute-stage service="KNOX" component="KNOX_GATEWAY" title="Apply config changes for Knox Gateway"> <task xsi:type="configure" id="hdp_2_5_0_0_remove_ranger_knox_audit_db"/> http://git-wip-us.apache.org/repos/asf/ambari/blob/481cfe56/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.6.xml ---------------------------------------------------------------------- 
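Review bot: Both `transfer operation="delete"` entries in `hdp_2_6_0_0_remove_ranger_kms_duplicate_ssl` drop the old key whenever the new key is present, without carrying the old value across. If an operator had set `ranger.service.https.attrib.clientAuth` or `ranger.https.attrib.keystore.file` to a non-default value, the upgrade would presumably leave the new key at the stack default (`want` and `/etc/security/serverKeys/ranger-kms-keystore.jks` in this commit). For client authentication that default may be weaker than what was configured. I would either use a `move` transfer to carry the value over, or add an XML comment stating that the old keys were never honoured by the service and are safe to discard. The same definition is repeated in the HDP 2.4 and 2.5 config-upgrade.xml hunks.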
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.6.xml b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.6.xml index 88486e6..7d8438f 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.6.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.6.xml @@ -654,6 +654,7 @@ <pre-upgrade> <task xsi:type="configure" id="hdp_2_5_0_0_remove_ranger_kms_audit_db" /> <task xsi:type="configure" id="kms_log4j_parameterize" /> + <task xsi:type="configure" id="hdp_2_6_0_0_remove_ranger_kms_duplicate_ssl" /> <task xsi:type="execute" hosts="any" sequential="true"> <summary>Upgrading Ranger KMS database schema</summary> <script>scripts/kms_server.py</script> http://git-wip-us.apache.org/repos/asf/ambari/blob/481cfe56/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/config-upgrade.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/config-upgrade.xml b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/config-upgrade.xml index 44a9b7c..6da6c22 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/config-upgrade.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/config-upgrade.xml @@ -229,6 +229,13 @@ <replace key="content" find="log4j.appender.kms-audit=org.apache.log4j.DailyRollingFileAppender" replace-with="log4j.appender.kms-audit=org.apache.log4j.DailyRollingFileAppender
log4j.appender.kms-audit.MaxFileSize = {{ranger_kms_audit_log_maxfilesize}}MB"/> <replace key="content" find="log4j.appender.kms-audit=org.apache.log4j.DailyRollingFileAppender" replace-with="log4j.appender.kms-audit=org.apache.log4j.DailyRollingFileAppender
log4j.appender.kms-audit.MaxBackupIndex = {{ranger_kms_audit_log_maxbackupindex}}"/> </definition> + <definition xsi:type="configure" id="hdp_2_6_0_0_remove_ranger_kms_duplicate_ssl"> + <type>ranger-kms-site</type> + <transfer operation="delete" delete-key="ranger.https.attrib.keystore.file" + if-type="ranger-kms-site" if-key="ranger.service.https.attrib.keystore.file" if-key-state="present"/> + <transfer operation="delete" delete-key="ranger.service.https.attrib.clientAuth" + if-type="ranger-kms-site" if-key="ranger.service.https.attrib.client.auth" if-key-state="present"/> + </definition> </changes> </component> </service> http://git-wip-us.apache.org/repos/asf/ambari/blob/481cfe56/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.6.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.6.xml b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.6.xml index 4d70156..437ca42 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.6.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.6.xml @@ -563,6 +563,10 @@ </task> </execute-stage> + <execute-stage service="RANGER_KMS" component="RANGER_KMS_SERVER" title="Apply config changes for Ranger KMS"> + <task xsi:type="configure" id="hdp_2_6_0_0_remove_ranger_kms_duplicate_ssl"/> + </execute-stage> + <!--ATLAS--> <execute-stage service="ATLAS" component="ATLAS_SERVER" title="Parameterizing Atlas Log4J Properties"> <task xsi:type="configure" id="atlas_log4j_parameterize"> http://git-wip-us.apache.org/repos/asf/ambari/blob/481cfe56/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.6.xml ---------------------------------------------------------------------- 
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.6.xml b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.6.xml index 5b92e5f..3abaee3 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.6.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.6.xml @@ -643,6 +643,7 @@ <pre-upgrade> <task xsi:type="configure" id="hdp_2_5_0_0_remove_ranger_kms_audit_db" /> <task xsi:type="configure" id="kms_log4j_parameterize" /> + <task xsi:type="configure" id="hdp_2_6_0_0_remove_ranger_kms_duplicate_ssl" /> <task xsi:type="execute" hosts="any" sequential="true"> <summary>Upgrading Ranger KMS database schema</summary> <script>scripts/kms_server.py</script> http://git-wip-us.apache.org/repos/asf/ambari/blob/481cfe56/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/config-upgrade.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/config-upgrade.xml b/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/config-upgrade.xml index 23564ad..be97d10 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/config-upgrade.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/config-upgrade.xml @@ -263,6 +263,13 @@ <replace key="content" find="log4j.appender.kms-audit=org.apache.log4j.DailyRollingFileAppender" replace-with="log4j.appender.kms-audit=org.apache.log4j.DailyRollingFileAppender
log4j.appender.kms-audit.MaxFileSize = {{ranger_kms_audit_log_maxfilesize}}MB"/> <replace key="content" find="log4j.appender.kms-audit=org.apache.log4j.DailyRollingFileAppender" replace-with="log4j.appender.kms-audit=org.apache.log4j.DailyRollingFileAppender
log4j.appender.kms-audit.MaxBackupIndex = {{ranger_kms_audit_log_maxbackupindex}}"/> </definition> + <definition xsi:type="configure" id="hdp_2_6_0_0_remove_ranger_kms_duplicate_ssl"> + <type>ranger-kms-site</type> + <transfer operation="delete" delete-key="ranger.https.attrib.keystore.file" + if-type="ranger-kms-site" if-key="ranger.service.https.attrib.keystore.file" if-key-state="present"/> + <transfer operation="delete" delete-key="ranger.service.https.attrib.clientAuth" + if-type="ranger-kms-site" if-key="ranger.service.https.attrib.client.auth" if-key-state="present"/> + </definition> </changes> </component> </service> http://git-wip-us.apache.org/repos/asf/ambari/blob/481cfe56/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml b/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml index 2cc9bb0..ca7f133 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml @@ -399,6 +399,10 @@ </task> </execute-stage> + <execute-stage service="RANGER_KMS" component="RANGER_KMS_SERVER" title="Apply config changes for Ranger KMS"> + <task xsi:type="configure" id="hdp_2_6_0_0_remove_ranger_kms_duplicate_ssl"/> + </execute-stage> + <!--ATLAS--> <execute-stage service="ATLAS" component="ATLAS_SERVER" title="Parameterizing Atlas Log4J Properties"> <task xsi:type="configure" id="atlas_log4j_parameterize"> http://git-wip-us.apache.org/repos/asf/ambari/blob/481cfe56/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml ---------------------------------------------------------------------- 
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml b/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml index 818a6c0..0a02734 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml @@ -553,6 +553,7 @@ <component name="RANGER_KMS_SERVER"> <pre-upgrade> <task xsi:type="configure" id="kms_log4j_parameterize" /> + <task xsi:type="configure" id="hdp_2_6_0_0_remove_ranger_kms_duplicate_ssl" /> <task xsi:type="execute" hosts="any" sequential="true"> <summary>Upgrading Ranger KMS database schema</summary> <script>scripts/kms_server.py</script> http://git-wip-us.apache.org/repos/asf/ambari/blob/481cfe56/ambari-server/src/main/resources/stacks/HDP/2.6/services/RANGER_KMS/configuration/ranger-kms-site.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.6/services/RANGER_KMS/configuration/ranger-kms-site.xml b/ambari-server/src/main/resources/stacks/HDP/2.6/services/RANGER_KMS/configuration/ranger-kms-site.xml new file mode 100644 index 0000000..cd63e6e --- /dev/null +++ b/ambari-server/src/main/resources/stacks/HDP/2.6/services/RANGER_KMS/configuration/ranger-kms-site.xml 
@@ -0,0 +1,68 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +--> +<configuration> + <property> + <name>ranger.service.https.attrib.keystore.file</name> + <value>/etc/security/serverKeys/ranger-kms-keystore.jks</value> + <on-ambari-upgrade add="false"/> + <description/> + </property> + <property> + <name>ranger.service.https.attrib.client.auth</name> + <value>want</value> + <on-ambari-upgrade add="false"/> + <description/> + </property> + <property> + <name>ranger.service.https.attrib.keystore.keyalias</name> + <value>rangerkms</value> + <on-ambari-upgrade add="false"/> + <description/> + </property> + <property> + <name>ranger.service.https.attrib.keystore.pass</name> + <value>rangerkms</value> + <property-type>PASSWORD</property-type> + <value-attributes> + <type>password</type> + </value-attributes> + <on-ambari-upgrade add="false"/> + <description/> + </property> + <property> + <name>ranger.credential.provider.path</name> + <value>/etc/ranger/kms/rangerkms.jceks</value> + <on-ambari-upgrade add="false"/> + <description/> + </property> + <property> + <name>ranger.service.https.attrib.keystore.credential.alias</name> + <value>keyStoreCredentialAlias</value> + 
<on-ambari-upgrade add="false"/> + <description/> + </property> + <property> + <name>ajp.enabled</name> + <value>false</value> + <on-ambari-upgrade add="false"/> + <description/> + </property> +</configuration> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/ambari/blob/481cfe56/ambari-server/src/main/resources/stacks/HDP/2.6/services/stack_advisor.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.6/services/stack_advisor.py b/ambari-server/src/main/resources/stacks/HDP/2.6/services/stack_advisor.py index 969c3dd..d8413b6 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.6/services/stack_advisor.py +++ b/ambari-server/src/main/resources/stacks/HDP/2.6/services/stack_advisor.py @@ -33,7 +33,8 @@ class HDP26StackAdvisor(HDP25StackAdvisor): "DRUID": self.recommendDruidConfigurations, "ATLAS": self.recommendAtlasConfigurations, "TEZ": self.recommendTezConfigurations, - "RANGER": self.recommendRangerConfigurations + "RANGER": self.recommendRangerConfigurations, + "RANGER_KMS": self.recommendRangerKMSConfigurations } parentRecommendConfDict.update(childRecommendConfDict) return parentRecommendConfDict 
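Review bot: `ranger.service.https.attrib.keystore.pass` ships with the fixed default `rangerkms`, so every cluster that enables SSL without editing it ends up with the same publicly known keystore password. Leaving `<value>` empty, so the operator has to supply a password before SSL is enabled, would avoid that; whether the UI then enforces input depends on attributes not shown here. All seven properties also carry an empty `<description/>`, and a one-line description each would help, particularly for `ranger.service.https.attrib.client.auth` (`want`) and `ajp.enabled`. `ranger.service.https.attrib.ssl.enabled` and `ranger.service.https.port`, which kms-env.xml and params.py reference in this commit, are not defined in this file and presumably come from the common-services definition.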
@@ -301,3 +302,20 @@ class HDP26StackAdvisor(HDP25StackAdvisor): "Need to set ranger.usersync.group.searchenabled as true, as ranger.usersync.ldap.deltasync is enabled")}) return self.toConfigurationValidationProblems(validationItems, "ranger-ugsync-site") + + def recommendRangerKMSConfigurations(self, configurations, clusterData, services, hosts): + super(HDP26StackAdvisor, self).recommendRangerKMSConfigurations(configurations, clusterData, services, hosts) + putRangerKmsEnvProperty = self.putProperty(configurations, "kms-env", services) + + ranger_kms_ssl_enabled = False + ranger_kms_ssl_port = "9393" + if 'ranger-kms-site' in services['configurations'] and 'ranger.service.https.attrib.ssl.enabled' in services['configurations']['ranger-kms-site']['properties']: + ranger_kms_ssl_enabled = services['configurations']['ranger-kms-site']['properties']['ranger.service.https.attrib.ssl.enabled'].lower() == "true" + + if 'ranger-kms-site' in services['configurations'] and 'ranger.service.https.port' in services['configurations']['ranger-kms-site']['properties']: + ranger_kms_ssl_port = services['configurations']['ranger-kms-site']['properties']['ranger.service.https.port'] + + if ranger_kms_ssl_enabled: + putRangerKmsEnvProperty("kms_port", ranger_kms_ssl_port) + else: + putRangerKmsEnvProperty("kms_port", "9292") \ No newline at end of file http://git-wip-us.apache.org/repos/asf/ambari/blob/481cfe56/ambari-server/src/test/python/stacks/2.5/RANGER_KMS/test_kms_server.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/python/stacks/2.5/RANGER_KMS/test_kms_server.py b/ambari-server/src/test/python/stacks/2.5/RANGER_KMS/test_kms_server.py index c2fc270..6f41b6d 100644 --- a/ambari-server/src/test/python/stacks/2.5/RANGER_KMS/test_kms_server.py +++ b/ambari-server/src/test/python/stacks/2.5/RANGER_KMS/test_kms_server.py 
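Review bot: In `recommendRangerKMSConfigurations` the `else` branch always recommends `kms_port` as `"9292"`, which would replace a non-default HTTP port chosen by an operator whenever SSL is off, unless `putProperty` preserves user overrides (not visible here). The two lookups also index `['ranger-kms-site']['properties']` without checking that `properties` exists, and repeat the same long path. Binding it once, `kms_site = services['configurations'].get('ranger-kms-site', {}).get('properties', {})`, then using `kms_site.get('ranger.service.https.port', "9393")` and the equivalent for the enabled flag, would read more easily. The method has no docstring; one line stating that `kms_port` follows `ranger.service.https.port` when SSL is enabled and falls back to 9292 otherwise would document the intent.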
@@ -208,6 +208,16 @@ class TestRangerKMS(RMFTestCase): create_parents = True ) + self.assertResourceCalled('Directory', '/etc/security/serverKeys', + create_parents = True, + cd_access = "a", + ) + + self.assertResourceCalled('Directory', '/etc/ranger/kms', + create_parents = True, + cd_access = "a", + ) + self.assertResourceCalled('File', '/usr/hdp/current/ranger-kms/ews/webapp/lib/mysql-connector-java-old.jar', action = ['delete'], ) @@ -559,6 +569,16 @@ class TestRangerKMS(RMFTestCase): create_parents = True ) + self.assertResourceCalled('Directory', '/etc/security/serverKeys', + create_parents = True, + cd_access = "a", + ) + + self.assertResourceCalled('Directory', '/etc/ranger/kms', + create_parents = True, + cd_access = "a", + ) + self.assertResourceCalled('File', '/usr/hdp/current/ranger-kms/ews/webapp/lib/mysql-connector-java-old.jar', action = ['delete'], ) http://git-wip-us.apache.org/repos/asf/ambari/blob/481cfe56/ambari-server/src/test/python/stacks/2.6/common/test_stack_advisor.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/python/stacks/2.6/common/test_stack_advisor.py b/ambari-server/src/test/python/stacks/2.6/common/test_stack_advisor.py index b7f8cbb..c15eaf1 100644 --- a/ambari-server/src/test/python/stacks/2.6/common/test_stack_advisor.py +++ b/ambari-server/src/test/python/stacks/2.6/common/test_stack_advisor.py 
@@ -780,6 +780,75 @@ class TestHDP26StackAdvisor(TestCase): self.stackAdvisor.recommendRangerConfigurations(recommendedConfigurations, clusterData, services, None) self.assertEquals(recommendedConfigurations, expected) + def test_recommendRangerKMSConfigurations(self): + clusterData = {} + services = { + "ambari-server-properties": { + "ambari-server.user": "root" + }, + "Versions": { + "stack_version" : "2.6", + }, + "services": [ + { + "StackServices": { + "service_name": "RANGER_KMS", + "service_version": "0.7.0.2.6" + }, + "components": [ + { + "StackServiceComponents": { + "component_name": "RANGER_KMS_SERVER", + "hostnames": ["host1"] + } + } + ] + } + ], + "configurations": { + 'ranger-kms-site': { + 'properties': { + "ranger.service.https.attrib.ssl.enabled": "true", + "ranger.service.https.port": "9393" + } + } + } + } + + expected = { + 'kms-site': { + 'properties': {}, + 'property_attributes': { + 'hadoop.kms.proxyuser.HTTP.users': {'delete': 'true'}, + 'hadoop.kms.proxyuser.root.hosts': {'delete': 'true'}, + 'hadoop.kms.proxyuser.root.users': {'delete': 'true'}, + 'hadoop.kms.proxyuser.HTTP.hosts': {'delete': 'true'} + } + }, + 'core-site': { + 'properties': {} + }, + 'kms-properties': { + 'properties': {} + }, + 'ranger-kms-audit': { + 'properties': {} + }, + 'kms-env': { + 'properties': { + 'kms_port': '9393' + } + }, + 'dbks-site': { + 'properties': {} + } + } + + recommendedConfigurations = {} + + self.stackAdvisor.recommendRangerKMSConfigurations(recommendedConfigurations, clusterData, services, None) + self.assertEquals(recommendedConfigurations, expected) + def load_json(self, filename): file = os.path.join(self.testDirectory, filename) with open(file, 'rb') as f:
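Review bot: `test_recommendRangerKMSConfigurations` exercises only the SSL-enabled path, and it passes `"ranger.service.https.port": "9393"`, which is also the fallback value hard-coded in the advisor, so the test cannot tell whether the configured port was actually read. A case with a non-default port would pin that, and a case with `"ranger.service.https.attrib.ssl.enabled": "false"` asserting `'kms_port': '9292'` would cover the `else` branch. A third case with `ranger-kms-site` missing from `services['configurations']` would cover the guard conditions.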
