AMBARI-19845 Secure Ranger passwords in Ambari Stacks (mugdha)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/c395f694 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/c395f694 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/c395f694 Branch: refs/heads/branch-feature-AMBARI-20053 Commit: c395f6948a1aa8bb62f65b3b7a1fe4c72f662762 Parents: 05c76ed Author: Mugdha Varadkar <[email protected]> Authored: Fri Feb 17 15:53:43 2017 +0530 Committer: Mugdha Varadkar <[email protected]> Committed: Fri Feb 17 16:19:13 2017 +0530 ---------------------------------------------------------------------- .../libraries/functions/constants.py | 1 + .../functions/setup_ranger_plugin_xml.py | 23 ++++++- .../RANGER/0.4.0/package/scripts/params.py | 18 ++++++ .../0.4.0/package/scripts/setup_ranger_xml.py | 67 ++++++++++++++++++-- .../0.5.0/configuration/ranger-admin-site.xml | 12 ++++ .../0.7.0/configuration/ranger-admin-site.xml | 31 +++++++++ .../RANGER_KMS/0.5.0.2.3/package/scripts/kms.py | 29 ++++++++- .../0.5.0.2.3/package/scripts/params.py | 4 ++ .../HDP/2.0.6/properties/stack_features.json | 5 ++ .../stacks/2.5/RANGER/test_ranger_admin.py | 16 ++++- .../stacks/2.5/RANGER/test_ranger_usersync.py | 8 ++- .../stacks/2.5/RANGER_KMS/test_kms_server.py | 50 +++++++++++++-- .../stacks/2.6/RANGER/test_ranger_admin.py | 40 +++++++++++- .../stacks/2.6/RANGER/test_ranger_tagsync.py | 19 ++++-- .../2.6/configs/ranger-admin-default.json | 6 +- 15 files changed, 302 insertions(+), 27 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/c395f694/ambari-common/src/main/python/resource_management/libraries/functions/constants.py ---------------------------------------------------------------------- 
diff --git a/ambari-common/src/main/python/resource_management/libraries/functions/constants.py b/ambari-common/src/main/python/resource_management/libraries/functions/constants.py index 8fd5c8d..c31b883 100644 --- a/ambari-common/src/main/python/resource_management/libraries/functions/constants.py +++ b/ambari-common/src/main/python/resource_management/libraries/functions/constants.py @@ -116,3 +116,4 @@ class StackFeature: ATLAS_INSTALL_HOOK_PACKAGE_SUPPORT="atlas_install_hook_package_support" ATLAS_HDFS_SITE_ON_NAMENODE_HA='atlas_hdfs_site_on_namenode_ha' HIVE_INTERACTIVE_GA_SUPPORT='hive_interactive_ga' + SECURE_RANGER_SSL_PASSWORD = "secure_ranger_ssl_password" http://git-wip-us.apache.org/repos/asf/ambari/blob/c395f694/ambari-common/src/main/python/resource_management/libraries/functions/setup_ranger_plugin_xml.py ---------------------------------------------------------------------- diff --git a/ambari-common/src/main/python/resource_management/libraries/functions/setup_ranger_plugin_xml.py b/ambari-common/src/main/python/resource_management/libraries/functions/setup_ranger_plugin_xml.py index a12116d..56c46dd 100644 --- a/ambari-common/src/main/python/resource_management/libraries/functions/setup_ranger_plugin_xml.py +++ b/ambari-common/src/main/python/resource_management/libraries/functions/setup_ranger_plugin_xml.py 
@@ -131,9 +131,17 @@ def setup_ranger_plugin(component_select_name, service_name, previous_jdbc_jar, mode = 0644 ) + # remove plain-text password from xml configs + plugin_audit_password_property = 'xasecure.audit.destination.db.password' + plugin_audit_properties_copy = {} + plugin_audit_properties_copy.update(plugin_audit_properties) + + if plugin_audit_password_property in plugin_audit_properties_copy: + plugin_audit_properties_copy[plugin_audit_password_property] = "crypted" + XmlConfig(format('ranger-{service_name}-audit.xml'), conf_dir=component_conf_dir, - configurations=plugin_audit_properties, + configurations=plugin_audit_properties_copy, configuration_attributes=plugin_audit_attributes, owner = component_user, group = component_group, @@ -147,10 +155,19 @@ def setup_ranger_plugin(component_select_name, service_name, previous_jdbc_jar, group = component_group, mode=0744) + # remove plain-text password from xml configs + plugin_password_properties = ['xasecure.policymgr.clientssl.keystore.password', 'xasecure.policymgr.clientssl.truststore.password'] + plugin_policymgr_ssl_properties_copy = {} + plugin_policymgr_ssl_properties_copy.update(plugin_policymgr_ssl_properties) + + for prop in plugin_password_properties: + if prop in plugin_policymgr_ssl_properties_copy: + plugin_policymgr_ssl_properties_copy[prop] = "crypted" + if str(service_name).lower() == 'yarn' : XmlConfig("ranger-policymgr-ssl-yarn.xml", conf_dir=component_conf_dir, - configurations=plugin_policymgr_ssl_properties, + configurations=plugin_policymgr_ssl_properties_copy, configuration_attributes=plugin_policymgr_ssl_attributes, owner = component_user, group = component_group, 
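Review bot: The copy-then-mask sequence (`plugin_audit_properties_copy = {}`, `.update(...)`, then a loop or `if` that overwrites the password keys with a sentinel) is hand-written twice in this hunk pair and again in setup_ranger_xml.py (the setup_ranger_admin, setup_usersync and both setup_tagsync_ssl_configs hunks) and kms.py (the kms and both enable_kms_plugin hunks), each with a slightly different shape. One helper in this module would keep the masking rule in a single place, e.g. `def mask_properties(props, names, sentinel): masked = dict(props); masked.update((k, sentinel) for k in names if k in masked); return masked`, called here as `configurations=mask_properties(plugin_audit_properties, [plugin_audit_password_property], "crypted")`, which also lets the single-key audit case share the list form used for the SSL keys. The sentinel literals `"crypted"` (plugins, KMS audit/SSL) and `"_"` (admin, usersync, tagsync, dbks-site) are unexplained; presumably they are the markers Ranger's own setup scripts write for values held in the credential store, and a one-line comment saying so next to the helper would stop a reader from treating the difference as a bug. setup_ranger_plugin begins before this hunk and continues after it.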
@@ -158,7 +175,7 @@ def setup_ranger_plugin(component_select_name, service_name, previous_jdbc_jar, else: XmlConfig("ranger-policymgr-ssl.xml", conf_dir=component_conf_dir, - configurations=plugin_policymgr_ssl_properties, + configurations=plugin_policymgr_ssl_properties_copy, configuration_attributes=plugin_policymgr_ssl_attributes, owner = component_user, group = component_group, http://git-wip-us.apache.org/repos/asf/ambari/blob/c395f694/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py index 49cd98b..0fae23e 100644 --- a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py +++ b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py @@ -73,6 +73,7 @@ stack_supports_ranger_admin_password_change = check_stack_feature(StackFeature.R stack_supports_ranger_setup_db_on_start = check_stack_feature(StackFeature.RANGER_SETUP_DB_ON_START, version_for_stack_feature_checks) stack_supports_ranger_tagsync_ssl_xml_support = check_stack_feature(StackFeature.RANGER_TAGSYNC_SSL_XML_SUPPORT, version_for_stack_feature_checks) stack_supports_ranger_solr_configs = check_stack_feature(StackFeature.RANGER_SOLR_CONFIG_SUPPORT, version_for_stack_feature_checks) +stack_supports_secure_ssl_password = check_stack_feature(StackFeature.SECURE_RANGER_SSL_PASSWORD, version_for_stack_feature_checks) downgrade_from_version = default("/commandParams/downgrade_from_version", None) upgrade_direction = default("/commandParams/upgrade_direction", None) 
@@ -425,3 +426,20 @@ if is_hbase_ha_enabled: if is_namenode_ha_enabled: if not is_empty(config['configurations']['ranger-hdfs-plugin-properties']['ranger-hdfs-plugin-enabled']): ranger_hdfs_plugin_enabled = config['configurations']['ranger-hdfs-plugin-properties']['ranger-hdfs-plugin-enabled'].lower() == 'yes' + +ranger_admin_password_properties = ['ranger.jpa.jdbc.password', 'ranger.jpa.audit.jdbc.password', 'ranger.ldap.bind.password', 'ranger.ldap.ad.bind.password'] +ranger_usersync_password_properties = ['ranger.usersync.ldap.ldapbindpassword'] +ranger_tagsync_password_properties = ['xasecure.policymgr.clientssl.keystore.password', 'xasecure.policymgr.clientssl.truststore.password'] +if stack_supports_secure_ssl_password: + ranger_admin_password_properties.extend(['ranger.service.https.attrib.keystore.pass', 'ranger.truststore.password']) + ranger_usersync_password_properties.extend(['ranger.usersync.keystore.password', 'ranger.usersync.truststore.password']) + +ranger_auth_method = config['configurations']['ranger-admin-site']['ranger.authentication.method'] +ranger_ldap_password_alias = default('/configurations/ranger-admin-site/ranger.ldap.binddn.credential.alias', 'ranger.ldap.bind.password') +ranger_ad_password_alias = default('/configurations/ranger-admin-site/ranger.ldap.ad.binddn.credential.alias', 'ranger.ldap.ad.bind.password') +ranger_https_keystore_alias = default('/configurations/ranger-admin-site/ranger.service.https.attrib.keystore.credential.alias', 'keyStoreCredentialAlias') +ranger_truststore_alias = default('/configurations/ranger-admin-site/ranger.truststore.alias', 'trustStoreAlias') +https_enabled = config['configurations']['ranger-admin-site']['ranger.service.https.attrib.ssl.enabled'] +http_enabled = config['configurations']['ranger-admin-site']['ranger.service.http.enabled'] +https_keystore_password = config['configurations']['ranger-admin-site']['ranger.service.https.attrib.keystore.pass'] +truststore_password = 
config['configurations']['ranger-admin-site']['ranger.truststore.password'] \ No newline at end of file http://git-wip-us.apache.org/repos/asf/ambari/blob/c395f694/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py index acb5385..b3eb919 100644 --- a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py +++ b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py @@ -191,9 +191,17 @@ def setup_ranger_admin(upgrade_type=None): only_if=format("ls {ranger_home}/ews/ranger-admin-services.sh"), sudo=True) + # remove plain-text password from xml configs + + ranger_admin_site_copy = {} + ranger_admin_site_copy.update(params.config['configurations']['ranger-admin-site']) + for prop in params.ranger_admin_password_properties: + if prop in ranger_admin_site_copy: + ranger_admin_site_copy[prop] = "_" + XmlConfig("ranger-admin-site.xml", conf_dir=ranger_conf, - configurations=params.config['configurations']['ranger-admin-site'], + configurations=ranger_admin_site_copy, configuration_attributes=params.config['configuration_attributes']['ranger-admin-site'], owner=params.unix_user, group=params.unix_group, 
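Review bot: `https_enabled` and `http_enabled` are stored as the raw config values, whereas the `ranger_hdfs_plugin_enabled` line in this hunk's context normalises its value with `.lower() == 'yes'`; if these two keys carry the string form Ambari configurations usually hold ("true"/"false"), then `if params.https_enabled and not params.http_enabled` in do_keystore_setup can never be true for a non-empty string, and the HTTPS keystore password would never be moved into the credential store. Normalising at the source fixes the consumer too: `https_enabled = config['configurations']['ranger-admin-site']['ranger.service.https.attrib.ssl.enabled'].lower() == 'true'` and the same for `http_enabled`. `ranger_auth_method`, `https_keystore_password` and `truststore_password` are read with direct indexing while the alias lines just above use `default(...)`; on a stack version where any of those keys is absent, params would raise KeyError at import rather than in the feature-gated branch, so it is worth confirming which keys every supported ranger-admin-site guarantees. The file also now ends without a trailing newline.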
@@ -321,6 +329,36 @@ def do_keystore_setup(upgrade_type=None): mode = 0640 ) + if params.ranger_auth_method.upper() == "LDAP": + ranger_credential_helper(params.cred_lib_path, params.ranger_ldap_password_alias, params.ranger_usersync_ldap_ldapbindpassword, params.ranger_credential_provider_path) + + File(params.ranger_credential_provider_path, + owner = params.unix_user, + group = params.unix_group, + mode = 0640 + ) + + if params.ranger_auth_method.upper() == "ACTIVE_DIRECTORY": + ranger_credential_helper(params.cred_lib_path, params.ranger_ad_password_alias, params.ranger_usersync_ldap_ldapbindpassword, params.ranger_credential_provider_path) + + File(params.ranger_credential_provider_path, + owner = params.unix_user, + group = params.unix_group, + mode = 0640 + ) + + if params.stack_supports_secure_ssl_password: + ranger_credential_helper(params.cred_lib_path, params.ranger_truststore_alias, params.truststore_password, params.ranger_credential_provider_path) + + if params.https_enabled and not params.http_enabled: + ranger_credential_helper(params.cred_lib_path, params.ranger_https_keystore_alias, params.https_keystore_password, params.ranger_credential_provider_path) + + File(params.ranger_credential_provider_path, + owner = params.unix_user, + group = params.unix_group, + mode = 0640 + ) + def password_validation(password): import params if password.strip() == "": 
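Review bot: The three identical `File(params.ranger_credential_provider_path, owner=..., group=..., mode=0640)` blocks can collapse into a single one placed after the last `ranger_credential_helper` call; as written, the truststore alias under `stack_supports_secure_ssl_password` is written without the mode being re-applied when the HTTPS condition is false, which only matters if the helper creates or replaces the jceks file, but a single trailing `File(...)` removes the question. Both the LDAP and ACTIVE_DIRECTORY branches store `params.ranger_usersync_ldap_ldapbindpassword`, the usersync bind password, under the admin aliases; if the admin bind password is meant to come from `ranger.ldap.bind.password` in ranger-admin-site this is the wrong source, and if the two are intentionally the same value a comment saying so would keep the next reader from "fixing" it. Note also that `ranger_credential_helper` passes the secret as a `-value` argument (the 2.6 test hunk expects `'-value', 'changeit'` with `logoutput=True`), so the value removed from the XML is still visible in the process list, and possibly in agent command logs, while the command runs; the helper predates this commit, but this change routes more secrets through it and that exposure deserves at least a comment.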
@@ -453,9 +491,16 @@ def setup_usersync(upgrade_type=None): dst_file = format('{usersync_home}/conf/log4j.xml') Execute(('cp', '-f', src_file, dst_file), sudo=True) + # remove plain-text password from xml configs + ranger_ugsync_site_copy = {} + ranger_ugsync_site_copy.update(params.config['configurations']['ranger-ugsync-site']) + for prop in params.ranger_usersync_password_properties: + if prop in ranger_ugsync_site_copy: + ranger_ugsync_site_copy[prop] = "_" + XmlConfig("ranger-ugsync-site.xml", conf_dir=ranger_ugsync_conf, - configurations=params.config['configurations']['ranger-ugsync-site'], + configurations=ranger_ugsync_site_copy, configuration_attributes=params.config['configuration_attributes']['ranger-ugsync-site'], owner=params.unix_user, group=params.unix_group, @@ -750,9 +795,16 @@ def setup_tagsync_ssl_configs(): mode=0775, create_parents=True) + # remove plain-text password from xml configs + ranger_tagsync_policymgr_ssl_copy = {} + ranger_tagsync_policymgr_ssl_copy.update(params.config['configurations']['ranger-tagsync-policymgr-ssl']) + for prop in params.ranger_tagsync_password_properties: + if prop in ranger_tagsync_policymgr_ssl_copy: + ranger_tagsync_policymgr_ssl_copy[prop] = "_" + XmlConfig("ranger-policymgr-ssl.xml", conf_dir=params.ranger_tagsync_conf, - configurations=params.config['configurations']['ranger-tagsync-policymgr-ssl'], + configurations=ranger_tagsync_policymgr_ssl_copy, configuration_attributes=params.config['configuration_attributes']['ranger-tagsync-policymgr-ssl'], owner=params.unix_user, group=params.unix_group, 
@@ -767,9 +819,16 @@ def setup_tagsync_ssl_configs(): mode = 0640 ) + # remove plain-text password from xml configs + atlas_tagsync_ssl_copy = {} + atlas_tagsync_ssl_copy.update(params.config['configurations']['atlas-tagsync-ssl']) + for prop in params.ranger_tagsync_password_properties: + if prop in atlas_tagsync_ssl_copy: + atlas_tagsync_ssl_copy[prop] = "_" + XmlConfig("atlas-tagsync-ssl.xml", conf_dir=params.ranger_tagsync_conf, - configurations=params.config['configurations']['atlas-tagsync-ssl'], + configurations=atlas_tagsync_ssl_copy, configuration_attributes=params.config['configuration_attributes']['atlas-tagsync-ssl'], owner=params.unix_user, group=params.unix_group, http://git-wip-us.apache.org/repos/asf/ambari/blob/c395f694/ambari-server/src/main/resources/common-services/RANGER/0.5.0/configuration/ranger-admin-site.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.5.0/configuration/ranger-admin-site.xml b/ambari-server/src/main/resources/common-services/RANGER/0.5.0/configuration/ranger-admin-site.xml index c52924c..f2e23ce 100644 --- a/ambari-server/src/main/resources/common-services/RANGER/0.5.0/configuration/ranger-admin-site.xml +++ b/ambari-server/src/main/resources/common-services/RANGER/0.5.0/configuration/ranger-admin-site.xml 
@@ -548,4 +548,16 @@ </value-attributes> <on-ambari-upgrade add="true"/> </property> + <property> + <name>ranger.ldap.binddn.credential.alias</name> + <value>ranger.ldap.bind.password</value> + <description></description> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>ranger.ldap.ad.binddn.credential.alias</name> + <value>ranger.ldap.ad.bind.password</value> + <description></description> + <on-ambari-upgrade add="true"/> + </property> </configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/c395f694/ambari-server/src/main/resources/common-services/RANGER/0.7.0/configuration/ranger-admin-site.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.7.0/configuration/ranger-admin-site.xml b/ambari-server/src/main/resources/common-services/RANGER/0.7.0/configuration/ranger-admin-site.xml new file mode 100644 index 0000000..ebf8517 --- /dev/null +++ b/ambari-server/src/main/resources/common-services/RANGER/0.7.0/configuration/ranger-admin-site.xml 
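Review bot: Both new properties ship with an empty `<description></description>`, and the two in the new 0.7.0 ranger-admin-site.xml (next hunk) do the same, so the UI shows an alias field with no explanation of what it names or that it must match the alias do_keystore_setup writes into the jceks. Something like `<description>Alias under which the LDAP bind password is kept in the Ranger Admin credential provider (jceks); the plain-text password is no longer written to ranger-admin-site.xml.</description>` for the LDAP entry, with the AD, keystore and truststore equivalents, would document the contract. The 0.7.0 file uses `<on-ambari-upgrade add="false"/>` while these use `add="true"`; I assume that is deliberate given the `default(...)` fallbacks in params.py, but a short comment in the 0.7.0 file would make the intent explicit.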
@@ -0,0 +1,31 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<configuration> + <property> + <name>ranger.truststore.alias</name> + <value>trustStoreAlias</value> + <description></description> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>ranger.service.https.attrib.keystore.credential.alias</name> + <value>keyStoreCredentialAlias</value> + <description></description> + <on-ambari-upgrade add="false"/> + </property> +</configuration> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/ambari/blob/c395f694/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py index 742cb93..536ba76 100755 --- a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py +++ b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py 
@@ -271,9 +271,17 @@ def kms(upgrade_type=None): if params.stack_support_kms_hsm and params.enable_kms_hsm: do_keystore_setup(params.credential_provider_path, params.hms_partition_alias, unicode(params.hms_partition_passwd)) + # remove plain-text password from xml configs + dbks_site_copy = {} + dbks_site_copy.update(params.config['configurations']['dbks-site']) + + for prop in params.dbks_site_password_properties: + if prop in dbks_site_copy: + dbks_site_copy[prop] = "_" + XmlConfig("dbks-site.xml", conf_dir=params.kms_conf_dir, - configurations=params.config['configurations']['dbks-site'], + configurations=dbks_site_copy, configuration_attributes=params.config['configuration_attributes']['dbks-site'], owner=params.kms_user, group=params.kms_group, @@ -421,9 +429,16 @@ def enable_kms_plugin(): mode = 0644 ) + # remove plain-text password from xml configs + plugin_audit_properties_copy = {} + plugin_audit_properties_copy.update(params.config['configurations']['ranger-kms-audit']) + + if params.plugin_audit_password_property in plugin_audit_properties_copy: + plugin_audit_properties_copy[params.plugin_audit_password_property] = "crypted" + XmlConfig("ranger-kms-audit.xml", conf_dir=params.kms_conf_dir, - configurations=params.config['configurations']['ranger-kms-audit'], + configurations=plugin_audit_properties_copy, configuration_attributes=params.config['configuration_attributes']['ranger-kms-audit'], owner=params.kms_user, group=params.kms_group, 
@@ -437,9 +452,17 @@ def enable_kms_plugin(): group=params.kms_group, mode=0744) + # remove plain-text password from xml configs + ranger_kms_policymgr_ssl_copy = {} + ranger_kms_policymgr_ssl_copy.update(params.config['configurations']['ranger-kms-policymgr-ssl']) + + for prop in params.kms_plugin_password_properties: + if prop in ranger_kms_policymgr_ssl_copy: + ranger_kms_policymgr_ssl_copy[prop] = "crypted" + XmlConfig("ranger-policymgr-ssl.xml", conf_dir=params.kms_conf_dir, - configurations=params.config['configurations']['ranger-kms-policymgr-ssl'], + configurations=ranger_kms_policymgr_ssl_copy, configuration_attributes=params.config['configuration_attributes']['ranger-kms-policymgr-ssl'], owner=params.kms_user, group=params.kms_group, http://git-wip-us.apache.org/repos/asf/ambari/blob/c395f694/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/params.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/params.py b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/params.py index 05e8881..8473160 100755 --- a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/params.py +++ b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/params.py 
@@ -276,3 +276,7 @@ if security_enabled: spengo_keytab = config['configurations']['kms-site']['hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.keytab'] spnego_principal = config['configurations']['kms-site']['hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.principal'] spnego_principal = spnego_principal.replace('_HOST', current_host.lower()) + +plugin_audit_password_property = 'xasecure.audit.destination.db.password' +kms_plugin_password_properties = ['xasecure.policymgr.clientssl.keystore.password', 'xasecure.policymgr.clientssl.truststore.password'] +dbks_site_password_properties = ['ranger.db.encrypt.key.password', 'ranger.ks.jpa.jdbc.password', 'ranger.ks.hsm.partition.password'] \ No newline at end of file http://git-wip-us.apache.org/repos/asf/ambari/blob/c395f694/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json b/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json index 0fd1766..5e173b7 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json +++ b/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json @@ -382,6 +382,11 @@ "name": "hive_interactive_ga", "description": "Hive Interactive GA support", "min_version": "2.6.0.0" + }, + { + "name": "secure_ranger_ssl_password", + "description": "Securing Ranger Admin and Usersync SSL and Trustore related passwords in jceks", + "min_version": "2.6.0.0" } ] } http://git-wip-us.apache.org/repos/asf/ambari/blob/c395f694/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_admin.py ---------------------------------------------------------------------- 
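Review bot: The three new lists in the KMS params.py carry no comment explaining their role, and the file now ends without a trailing newline (`\ No newline at end of file`). A one-liner above them such as `# property names whose plain-text value is replaced by a sentinel in the XML written by kms.py` plus a final newline would do.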
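Review bot: The new feature description in stack_features.json misspells "Truststore" as "Trustore"; the line should read `"description": "Securing Ranger Admin and Usersync SSL and Truststore related passwords in jceks"`.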
diff --git a/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_admin.py b/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_admin.py index 1b5d7ae..0d38876 100644 --- a/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_admin.py +++ b/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_admin.py @@ -293,11 +293,17 @@ class TestRangerAdmin(RMFTestCase): sudo = True ) + ranger_admin_site_copy = {} + ranger_admin_site_copy.update(self.getConfig()['configurations']['ranger-admin-site']) + for prop in ['ranger.jpa.jdbc.password', 'ranger.jpa.audit.jdbc.password', 'ranger.ldap.bind.password', 'ranger.ldap.ad.bind.password']: + if prop in ranger_admin_site_copy: + ranger_admin_site_copy[prop] = "_" + self.assertResourceCalled('XmlConfig', 'ranger-admin-site.xml', owner = 'ranger', group = 'ranger', conf_dir = '/usr/hdp/current/ranger-admin/conf', - configurations = self.getConfig()['configurations']['ranger-admin-site'], + configurations = ranger_admin_site_copy, configuration_attributes = self.getConfig()['configuration_attributes']['ranger-admin-site'], mode = 0644 ) 
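Review bot: The test rebuilds the expected `configurations` dict by re-running the same copy-and-mask loop as the production code, so it would still pass if the sentinel or the list of masked keys were wrong in both places at once; the same pattern is repeated in the second hunk of this file and in the 2.5 usersync, 2.5 KMS, 2.6 admin and 2.6 tagsync test hunks. Pinning the contract directly is stronger, e.g. adding `self.assertEqual("_", ranger_admin_site_copy['ranger.jpa.jdbc.password'])` and asserting that the fixture's plain-text value for that key does not appear anywhere in the dict handed to `XmlConfig`, which fails the moment a password reaches the XML again. The inline key list is also a copy of `ranger_admin_password_properties` from params.py; asserting against a shared constant would keep the two from drifting apart.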
@@ -443,11 +449,17 @@ class TestRangerAdmin(RMFTestCase): sudo = True ) + ranger_admin_site_copy = {} + ranger_admin_site_copy.update(self.getConfig()['configurations']['ranger-admin-site']) + for prop in ['ranger.jpa.jdbc.password', 'ranger.jpa.audit.jdbc.password', 'ranger.ldap.bind.password', 'ranger.ldap.ad.bind.password']: + if prop in ranger_admin_site_copy: + ranger_admin_site_copy[prop] = "_" + self.assertResourceCalled('XmlConfig', 'ranger-admin-site.xml', owner = 'ranger', group = 'ranger', conf_dir = '/usr/hdp/current/ranger-admin/conf', - configurations = self.getConfig()['configurations']['ranger-admin-site'], + configurations = ranger_admin_site_copy, configuration_attributes = self.getConfig()['configuration_attributes']['ranger-admin-site'], mode = 0644 ) http://git-wip-us.apache.org/repos/asf/ambari/blob/c395f694/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_usersync.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_usersync.py b/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_usersync.py index 22e84fc..3f0d21b 100644 --- a/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_usersync.py +++ b/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_usersync.py 
@@ -132,11 +132,17 @@ class TestRangerUsersync(RMFTestCase): mode = 0644 ) + ranger_ugsync_site_copy = {} + ranger_ugsync_site_copy.update(self.getConfig()['configurations']['ranger-ugsync-site']) + for prop in ['ranger.usersync.ldap.ldapbindpassword']: + if prop in ranger_ugsync_site_copy: + ranger_ugsync_site_copy[prop] = "_" + self.assertResourceCalled('XmlConfig', 'ranger-ugsync-site.xml', owner = 'ranger', group = 'ranger', conf_dir = '/usr/hdp/current/ranger-usersync/conf', - configurations = self.getConfig()['configurations']['ranger-ugsync-site'], + configurations = ranger_ugsync_site_copy, configuration_attributes = self.getConfig()['configuration_attributes']['ranger-ugsync-site'], mode = 0644 ) http://git-wip-us.apache.org/repos/asf/ambari/blob/c395f694/ambari-server/src/test/python/stacks/2.5/RANGER_KMS/test_kms_server.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/python/stacks/2.5/RANGER_KMS/test_kms_server.py b/ambari-server/src/test/python/stacks/2.5/RANGER_KMS/test_kms_server.py index 57f9f34..c2fc270 100644 --- a/ambari-server/src/test/python/stacks/2.5/RANGER_KMS/test_kms_server.py +++ b/ambari-server/src/test/python/stacks/2.5/RANGER_KMS/test_kms_server.py @@ -93,12 +93,18 @@ class TestRangerKMS(RMFTestCase): mode = 0644 ) + plugin_audit_properties_copy = {} + plugin_audit_properties_copy.update(self.getConfig()['configurations']['ranger-kms-audit']) + + if 'xasecure.audit.destination.db.password' in plugin_audit_properties_copy: + plugin_audit_properties_copy['xasecure.audit.destination.db.password'] = "crypted" + self.assertResourceCalled('XmlConfig', 'ranger-kms-audit.xml', mode = 0744, owner = 'kms', group = 'kms', conf_dir = '/usr/hdp/current/ranger-kms/conf', - configurations = self.getConfig()['configurations']['ranger-kms-audit'], + configurations = plugin_audit_properties_copy, configuration_attributes = self.getConfig()['configuration_attributes']['ranger-kms-audit'] ) 
@@ -111,12 +117,19 @@ class TestRangerKMS(RMFTestCase): configuration_attributes = self.getConfig()['configuration_attributes']['ranger-kms-security'] ) + ranger_kms_policymgr_ssl_copy = {} + ranger_kms_policymgr_ssl_copy.update(self.getConfig()['configurations']['ranger-kms-policymgr-ssl']) + + for prop in ['xasecure.policymgr.clientssl.keystore.password', 'xasecure.policymgr.clientssl.truststore.password']: + if prop in ranger_kms_policymgr_ssl_copy: + ranger_kms_policymgr_ssl_copy[prop] = "crypted" + self.assertResourceCalled('XmlConfig', 'ranger-policymgr-ssl.xml', mode = 0744, owner = 'kms', group = 'kms', conf_dir = '/usr/hdp/current/ranger-kms/conf', - configurations = self.getConfig()['configurations']['ranger-kms-policymgr-ssl'], + configurations = ranger_kms_policymgr_ssl_copy, configuration_attributes = self.getConfig()['configuration_attributes']['ranger-kms-policymgr-ssl'] ) @@ -349,12 +362,18 @@ class TestRangerKMS(RMFTestCase): mode = 0640 ) + dbks_site_copy = {} + dbks_site_copy.update(self.getConfig()['configurations']['dbks-site']) + for prop in ['ranger.db.encrypt.key.password', 'ranger.ks.jpa.jdbc.password', 'ranger.ks.hsm.partition.password']: + if prop in dbks_site_copy: + dbks_site_copy[prop] = "_" + self.assertResourceCalled('XmlConfig', 'dbks-site.xml', mode=0644, owner = 'kms', group = 'kms', conf_dir = '/usr/hdp/current/ranger-kms/conf', - configurations = self.getConfig()['configurations']['dbks-site'], + configurations = dbks_site_copy, configuration_attributes = self.getConfig()['configuration_attributes']['dbks-site'] ) 
@@ -442,12 +461,18 @@ class TestRangerKMS(RMFTestCase): mode = 0644 ) + plugin_audit_properties_copy = {} + plugin_audit_properties_copy.update(self.getConfig()['configurations']['ranger-kms-audit']) + + if 'xasecure.audit.destination.db.password' in plugin_audit_properties_copy: + plugin_audit_properties_copy['xasecure.audit.destination.db.password'] = "crypted" + self.assertResourceCalled('XmlConfig', 'ranger-kms-audit.xml', mode = 0744, owner = 'kms', group = 'kms', conf_dir = '/usr/hdp/current/ranger-kms/conf', - configurations = self.getConfig()['configurations']['ranger-kms-audit'], + configurations = plugin_audit_properties_copy, configuration_attributes = self.getConfig()['configuration_attributes']['ranger-kms-audit'] ) @@ -460,12 +485,19 @@ class TestRangerKMS(RMFTestCase): configuration_attributes = self.getConfig()['configuration_attributes']['ranger-kms-security'] ) + ranger_kms_policymgr_ssl_copy = {} + ranger_kms_policymgr_ssl_copy.update(self.getConfig()['configurations']['ranger-kms-policymgr-ssl']) + + for prop in ['xasecure.policymgr.clientssl.keystore.password', 'xasecure.policymgr.clientssl.truststore.password']: + if prop in ranger_kms_policymgr_ssl_copy: + ranger_kms_policymgr_ssl_copy[prop] = "crypted" + self.assertResourceCalled('XmlConfig', 'ranger-policymgr-ssl.xml', mode = 0744, owner = 'kms', group = 'kms', conf_dir = '/usr/hdp/current/ranger-kms/conf', - configurations = self.getConfig()['configurations']['ranger-kms-policymgr-ssl'], + configurations = ranger_kms_policymgr_ssl_copy, configuration_attributes = self.getConfig()['configuration_attributes']['ranger-kms-policymgr-ssl'] ) 
@@ -681,12 +713,18 @@ class TestRangerKMS(RMFTestCase): mode = 0640 ) + dbks_site_copy = {} + dbks_site_copy.update(self.getConfig()['configurations']['dbks-site']) + for prop in ['ranger.db.encrypt.key.password', 'ranger.ks.jpa.jdbc.password', 'ranger.ks.hsm.partition.password']: + if prop in dbks_site_copy: + dbks_site_copy[prop] = "_" + self.assertResourceCalled('XmlConfig', 'dbks-site.xml', mode=0644, owner = 'kms', group = 'kms', conf_dir = '/usr/hdp/current/ranger-kms/conf', - configurations = self.getConfig()['configurations']['dbks-site'], + configurations = dbks_site_copy, configuration_attributes = self.getConfig()['configuration_attributes']['dbks-site'] ) http://git-wip-us.apache.org/repos/asf/ambari/blob/c395f694/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_admin.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_admin.py b/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_admin.py index fb1dd0e..ea3829e 100644 --- a/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_admin.py +++ b/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_admin.py 
@@ -336,11 +336,17 @@ class TestRangerAdmin(RMFTestCase): sudo = True ) + ranger_admin_site_copy = {} + ranger_admin_site_copy.update(self.getConfig()['configurations']['ranger-admin-site']) + for prop in ['ranger.jpa.jdbc.password', 'ranger.jpa.audit.jdbc.password', 'ranger.ldap.bind.password', 'ranger.ldap.ad.bind.password', 'ranger.service.https.attrib.keystore.pass', 'ranger.truststore.password']: + if prop in ranger_admin_site_copy: + ranger_admin_site_copy[prop] = "_" + self.assertResourceCalled('XmlConfig', 'ranger-admin-site.xml', owner = 'ranger', group = 'ranger', conf_dir = '/usr/hdp/current/ranger-admin/conf', - configurations = self.getConfig()['configurations']['ranger-admin-site'], + configurations = ranger_admin_site_copy, configuration_attributes = self.getConfig()['configuration_attributes']['ranger-admin-site'], mode = 0644 ) @@ -370,6 +376,18 @@ class TestRangerAdmin(RMFTestCase): mode = 0640 ) + self.assertResourceCalled('Execute', ('/usr/jdk64/jdk1.7.0_45/bin/java', '-cp', '/usr/hdp/current/ranger-admin/cred/lib/*', 'org.apache.ranger.credentialapi.buildks', 'create', 'trustStoreAlias', '-value', 'changeit', '-provider', 'jceks://file/etc/ranger/admin/rangeradmin.jceks'), + environment = {'JAVA_HOME': u'/usr/jdk64/jdk1.7.0_45'}, + logoutput=True, + sudo = True + ) + + self.assertResourceCalled('File', '/etc/ranger/admin/rangeradmin.jceks', + owner = 'ranger', + group = 'ranger', + mode = 0640 + ) + self.assertResourceCalled('XmlConfig', 'core-site.xml', owner = 'ranger', group = 'ranger', 
@@ -496,11 +514,17 @@ class TestRangerAdmin(RMFTestCase):
 sudo = True
 )
+ ranger_admin_site_copy = {}
+ ranger_admin_site_copy.update(self.getConfig()['configurations']['ranger-admin-site'])
+ for prop in ['ranger.jpa.jdbc.password', 'ranger.jpa.audit.jdbc.password', 'ranger.ldap.bind.password', 'ranger.ldap.ad.bind.password', 'ranger.service.https.attrib.keystore.pass', 'ranger.truststore.password']:
+ if prop in ranger_admin_site_copy:
+ ranger_admin_site_copy[prop] = "_"
+
 self.assertResourceCalled('XmlConfig', 'ranger-admin-site.xml',
 owner = 'ranger',
 group = 'ranger',
 conf_dir = '/usr/hdp/current/ranger-admin/conf',
- configurations = self.getConfig()['configurations']['ranger-admin-site'],
+ configurations = ranger_admin_site_copy,
 configuration_attributes = self.getConfig()['configuration_attributes']['ranger-admin-site'],
 mode = 0644
 )
@@ -530,6 +554,18 @@ class TestRangerAdmin(RMFTestCase):
 mode = 0640
 )
+ self.assertResourceCalled('Execute', ('/usr/jdk64/jdk1.7.0_45/bin/java', '-cp', '/usr/hdp/current/ranger-admin/cred/lib/*', 'org.apache.ranger.credentialapi.buildks', 'create', 'trustStoreAlias', '-value', 'changeit', '-provider', 'jceks://file/etc/ranger/admin/rangeradmin.jceks'),
+ environment = {'JAVA_HOME': u'/usr/jdk64/jdk1.7.0_45'},
+ logoutput=True,
+ sudo = True
+ )
+
+ self.assertResourceCalled('File', '/etc/ranger/admin/rangeradmin.jceks',
+ owner = 'ranger',
+ group = 'ranger',
+ mode = 0640
+ )
+
 self.assertResourceCalled('XmlConfig', 'core-site.xml',
 owner = 'ranger',
 group = 'ranger',
http://git-wip-us.apache.org/repos/asf/ambari/blob/c395f694/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_tagsync.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_tagsync.py b/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_tagsync.py
index bf5128e..0642428 100644
--- a/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_tagsync.py
+++ b/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_tagsync.py
@@ -143,11 +143,18 @@ class TestRangerTagsync(RMFTestCase):
 cd_access = 'a',
 )
+ ranger_tagsync_policymgr_ssl_copy = {}
+ ranger_tagsync_policymgr_ssl_copy.update(self.getConfig()['configurations']['ranger-tagsync-policymgr-ssl'])
+ ranger_tagsync_password_properties = ['xasecure.policymgr.clientssl.keystore.password', 'xasecure.policymgr.clientssl.truststore.password']
+ for prop in ranger_tagsync_password_properties:
+ if prop in ranger_tagsync_policymgr_ssl_copy:
+ ranger_tagsync_policymgr_ssl_copy[prop] = "_"
+
 self.assertResourceCalled('XmlConfig', 'ranger-policymgr-ssl.xml',
 owner = 'ranger',
 group = 'ranger',
 conf_dir = '/usr/hdp/current/ranger-tagsync/conf',
- configurations = self.getConfig()['configurations']['ranger-tagsync-policymgr-ssl'],
+ configurations = ranger_tagsync_policymgr_ssl_copy,
 configuration_attributes = self.getConfig()['configuration_attributes']['ranger-tagsync-policymgr-ssl'],
 mode = 0644,
 )
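Review bot: `ranger_tagsync_password_properties` is first bound inside the `@@ -143` hunk and then read again in the `@@ -188` hunk of the same file; that only works if both hunks sit in the same test method, which the hunks do not show, and either way it couples the second expectation to a local defined some fifty lines earlier. Defining it once at module level, e.g. `RANGER_TAGSYNC_PASSWORD_PROPERTIES = ['xasecure.policymgr.clientssl.keystore.password', 'xasecure.policymgr.clientssl.truststore.password']`, and referencing that in both loops removes the dependence and makes the masked-key set visible at the top of the test file. The enclosing test method begins before this hunk.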
@@ -188,17 +195,21 @@ class TestRangerTagsync(RMFTestCase):
 mode = 0640,
 )
+ atlas_tagsync_ssl_copy = {}
+ atlas_tagsync_ssl_copy.update(self.getConfig()['configurations']['atlas-tagsync-ssl'])
+ for prop in ranger_tagsync_password_properties:
+ if prop in atlas_tagsync_ssl_copy:
+ atlas_tagsync_ssl_copy[prop] = "_"
+
 self.assertResourceCalled('XmlConfig', 'atlas-tagsync-ssl.xml',
 group = 'ranger',
 conf_dir = '/usr/hdp/current/ranger-tagsync/conf',
 mode = 0644,
 configuration_attributes = UnknownConfigurationMock(),
 owner = 'ranger',
- configurations = self.getConfig()['configurations']['atlas-tagsync-ssl']
+ configurations = atlas_tagsync_ssl_copy
 )
-
-
 self.assertResourceCalled('Execute', (u'/usr/jdk64/jdk1.7.0_45/bin/java', '-cp', u'/usr/hdp/current/ranger-tagsync/lib/*',
http://git-wip-us.apache.org/repos/asf/ambari/blob/c395f694/ambari-server/src/test/python/stacks/2.6/configs/ranger-admin-default.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.6/configs/ranger-admin-default.json b/ambari-server/src/test/python/stacks/2.6/configs/ranger-admin-default.json
index 2c4815b..abe84ab 100644
--- a/ambari-server/src/test/python/stacks/2.6/configs/ranger-admin-default.json
+++ b/ambari-server/src/test/python/stacks/2.6/configs/ranger-admin-default.json
@@ -326,7 +326,8 @@
 "ranger.service.http.port": "6080",
 "ranger.ldap.user.searchfilter": "(uid={0})",
 "ranger.plugins.atlas.serviceuser": "atlas",
- "ranger.truststore.password": "changeit",
+ "ranger.truststore.password": "changeit",
+ "ranger.truststore.alias": "trustStoreAlias",
 "ranger.ldap.bind.password": "{{ranger_usersync_ldap_ldapbindpassword}}",
 "ranger.audit.solr.password": "NONE",
 "ranger.audit.solr.zookeepers": "c6401.ambari.apache.org:2181/infra-solr",
@@ -364,7 +365,8 @@
 "ranger.admin.kerberos.keytab": "",
 "ranger.admin.kerberos.token.valid.seconds": "30",
 "ranger.jpa.jdbc.driver": "com.mysql.jdbc.Driver",
- "ranger.unixauth.service.port": "5151"
+ "ranger.unixauth.service.port": "5151",
+ "ranger.service.https.attrib.keystore.credential.alias": "keyStoreCredentialAlias"
 },
 "ranger-hdfs-policymgr-ssl": {
 "xasecure.policymgr.clientssl.keystore": "/usr/hdp/current/hadoop-client/conf/ranger-plugin-keystore.jks",
