AMBARI-21032. HDP 3.0 TP - create service definition for Knox with configs, kerberos, widgets, etc.(vbrodetsky)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/9adffcf7 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/9adffcf7 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/9adffcf7 Branch: refs/heads/branch-feature-AMBARI-20859 Commit: 9adffcf7a93d40ad727796a8a1686da0e6408893 Parents: 8141665 Author: Vitaly Brodetskyi <vbrodets...@hortonworks.com> Authored: Wed May 17 00:16:45 2017 +0300 Committer: Vitaly Brodetskyi <vbrodets...@hortonworks.com> Committed: Wed May 17 00:16:45 2017 +0300 ---------------------------------------------------------------------- .../common-services/KNOX/0.5.0.3.0/alerts.json | 32 ++ .../0.5.0.3.0/configuration/admin-topology.xml | 97 ++++ .../0.5.0.3.0/configuration/gateway-log4j.xml | 110 +++++ .../0.5.0.3.0/configuration/gateway-site.xml | 71 +++ .../KNOX/0.5.0.3.0/configuration/knox-env.xml | 83 ++++ .../configuration/knoxsso-topology.xml | 126 +++++ .../KNOX/0.5.0.3.0/configuration/ldap-log4j.xml | 93 ++++ .../configuration/ranger-knox-audit.xml | 132 ++++++ .../ranger-knox-plugin-properties.xml | 132 ++++++ .../configuration/ranger-knox-policymgr-ssl.xml | 66 +++ .../configuration/ranger-knox-security.xml | 64 +++ .../KNOX/0.5.0.3.0/configuration/topology.xml | 174 +++++++ .../KNOX/0.5.0.3.0/configuration/users-ldif.xml | 140 ++++++ .../KNOX/0.5.0.3.0/kerberos.json | 81 ++++ .../common-services/KNOX/0.5.0.3.0/metainfo.xml | 109 +++++ .../package/files/validateKnoxStatus.py | 43 ++ .../KNOX/0.5.0.3.0/package/scripts/knox.py | 192 ++++++++ .../0.5.0.3.0/package/scripts/knox_gateway.py | 220 +++++++++ .../KNOX/0.5.0.3.0/package/scripts/knox_ldap.py | 59 +++ .../KNOX/0.5.0.3.0/package/scripts/params.py | 29 ++ .../0.5.0.3.0/package/scripts/params_linux.py | 457 +++++++++++++++++++ .../0.5.0.3.0/package/scripts/params_windows.py | 71 +++ .../0.5.0.3.0/package/scripts/service_check.py | 96 ++++ .../package/scripts/setup_ranger_knox.py | 121 +++++ 
.../0.5.0.3.0/package/scripts/status_params.py | 59 +++ .../KNOX/0.5.0.3.0/package/scripts/upgrade.py | 118 +++++ .../package/templates/input.config-knox.json.j2 | 60 +++ .../package/templates/krb5JAASLogin.conf.j2 | 30 ++ .../KNOX/0.5.0.3.0/role_command_order.json | 7 + .../stacks/HDP/3.0/services/KNOX/metainfo.xml | 27 ++ 30 files changed, 3099 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/alerts.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/alerts.json b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/alerts.json new file mode 100644 index 0000000..4986e04 --- /dev/null +++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/alerts.json @@ -0,0 +1,32 @@ +{ + "KNOX": { + "service": [], + "KNOX_GATEWAY": [ + { + "name": "knox_gateway_process", + "label": "Knox Gateway Process", + "description": "This host-level alert is triggered if the Knox Gateway cannot be determined to be up.", + "interval": 1, + "scope": "HOST", + "source": { + "type": "PORT", + "uri": "{{gateway-site/gateway.port}}", + "default_port": 8443, + "reporting": { + "ok": { + "text": "TCP OK - {0:.3f}s response on port {1}" + }, + "warning": { + "text": "TCP OK - {0:.3f}s response on port {1}", + "value": 1.5 + }, + "critical": { + "text": "Connection failed: {0} to {1}:{2}", + "value": 5.0 + } + } + } + } + ] + } +} http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/admin-topology.xml ---------------------------------------------------------------------- 
diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/admin-topology.xml b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/admin-topology.xml new file mode 100644 index 0000000..3030364 --- /dev/null +++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/admin-topology.xml 
@@ -0,0 +1,97 @@ +<?xml version="1.0"?> +<?xml-stylesheet type="text/xsl" href="configuration.xsl"?> +<!-- +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +--> +<configuration supports_final="false" supports_adding_forbidden="true"> + <!-- topology file --> + <property> + <name>content</name> + <display-name>admin-topology template</display-name> + <value> + <topology> + + <gateway> + + <provider> + <role>authentication</role> + <name>ShiroProvider</name> + <enabled>true</enabled> + <param> + <name>sessionTimeout</name> + <value>30</value> + </param> + <param> + <name>main.ldapRealm</name> + <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value> + </param> + <param> + <name>main.ldapRealm.userDnTemplate</name> + <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value> + </param> + <param> + <name>main.ldapRealm.contextFactory.url</name> + <value>ldap://{{knox_host_name}}:33389</value> + </param> + <param> + <name>main.ldapRealm.contextFactory.authenticationMechanism</name> + <value>simple</value> + </param> + <param> + <name>urls./**</name> + <value>authcBasic</value> + </param> + </provider> + + <provider> + <role>authorization</role> + <name>AclsAuthz</name> + <enabled>true</enabled> + <param> + 
<name>knox.acl</name> + <value>admin;*;*</value> + </param> + </provider> + + <provider> + <role>identity-assertion</role> + <name>Default</name> + <enabled>true</enabled> + </provider> + + </gateway> + + <service> + <role>KNOX</role> + </service> + + </topology> + + </value> + <description> + The configuration specifies the Knox admin API configuration and access details. The authentication provider should be configured to match your deployment details. + </description> + <value-attributes> + <type>content</type> + <empty-value-valid>true</empty-value-valid> + <show-property-name>false</show-property-name> + </value-attributes> + <on-ambari-upgrade add="false"/> + </property> +</configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/gateway-log4j.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/gateway-log4j.xml b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/gateway-log4j.xml new file mode 100644 index 0000000..6408f99 --- /dev/null +++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/gateway-log4j.xml 
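Review bot: The admin topology's ShiroProvider is wired to the demo LDAP that ships with Knox (`ldap://{{knox_host_name}}:33389` with `uid={0},ou=people,dc=hadoop,dc=apache,dc=org`), so the admin API guarded by `knox.acl` = `admin;*;*` is only as strong as that demo directory's sample accounts until an operator replaces the realm. The `<description>` says the provider "should be configured to match your deployment details", but nothing in the template itself marks these values as non-production. I would add a comment at the top of the `<topology>` body, e.g. `<!-- Demo LDAP defaults: replace contextFactory.url and userDnTemplate with the enterprise directory before exposing the admin API -->`, and extend the description to say that the bind uses plain `ldap://` with `simple` authentication, i.e. credentials travel in cleartext unless an `ldaps://` URL is substituted.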
@@ -0,0 +1,110 @@ +<?xml version="1.0"?> +<?xml-stylesheet type="text/xsl" href="configuration.xsl"?> +<!-- +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +--> +<configuration supports_final="false" supports_adding_forbidden="false"> + <property> + <name>knox_gateway_log_maxfilesize</name> + <value>256</value> + <description>The maximum size of backup file before the log is rotated</description> + <display-name>Knox Gateway Log: backup file size</display-name> + <value-attributes> + <unit>MB</unit> + </value-attributes> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>knox_gateway_log_maxbackupindex</name> + <value>20</value> + <description>The number of backup files</description> + <display-name>Knox Gateway Log: # of backup files</display-name> + <value-attributes> + <type>int</type> + <minimum>0</minimum> + </value-attributes> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>content</name> + <display-name>gateway-log4j template</display-name> + <value> + + # Licensed to the Apache Software Foundation (ASF) under one + # or more contributor license agreements. 
See the NOTICE file + # distributed with this work for additional information + # regarding copyright ownership. The ASF licenses this file + # to you under the Apache License, Version 2.0 (the + # "License"); you may not use this file except in compliance + # with the License. You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. + + app.log.dir=${launcher.dir}/../logs + app.log.file=${launcher.name}.log + app.audit.file=${launcher.name}-audit.log + + log4j.rootLogger=ERROR, drfa + + log4j.logger.org.apache.hadoop.gateway=INFO + #log4j.logger.org.apache.hadoop.gateway=DEBUG + + #log4j.logger.org.eclipse.jetty=DEBUG + #log4j.logger.org.apache.shiro=DEBUG + #log4j.logger.org.apache.http=DEBUG + #log4j.logger.org.apache.http.client=DEBUG + #log4j.logger.org.apache.http.headers=DEBUG + #log4j.logger.org.apache.http.wire=DEBUG + + log4j.appender.stdout=org.apache.log4j.ConsoleAppender + log4j.appender.stdout.layout=org.apache.log4j.PatternLayout + log4j.appender.stdout.layout.ConversionPattern=%d{yy/MM/dd HH:mm:ss} %p %c{2}: %m%n + + log4j.appender.drfa=org.apache.log4j.DailyRollingFileAppender + log4j.appender.drfa.File=${app.log.dir}/${app.log.file} + log4j.appender.drfa.DatePattern=.yyyy-MM-dd + log4j.appender.drfa.layout=org.apache.log4j.PatternLayout + log4j.appender.drfa.layout.ConversionPattern=%d{ISO8601} %-5p %c{2} (%F:%M(%L)) - %m%n + log4j.appender.drfa.MaxFileSize = {{knox_gateway_log_maxfilesize}}MB + log4j.appender.drfa.MaxBackupIndex = {{knox_gateway_log_maxbackupindex}} + + log4j.logger.audit=INFO, auditfile + log4j.appender.auditfile=org.apache.log4j.DailyRollingFileAppender + 
log4j.appender.auditfile.File=${app.log.dir}/${app.audit.file} + log4j.appender.auditfile.Append = true + log4j.appender.auditfile.DatePattern = '.'yyyy-MM-dd + log4j.appender.auditfile.layout = org.apache.hadoop.gateway.audit.log4j.layout.AuditLayout + + </value> + <description> + content for log4j.properties file for Knox. + </description> + <value-attributes> + <type>content</type> + <show-property-name>false</show-property-name> + </value-attributes> + <on-ambari-upgrade add="false"/> + </property> +</configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/gateway-site.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/gateway-site.xml b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/gateway-site.xml new file mode 100644 index 0000000..2686dff --- /dev/null +++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/gateway-site.xml 
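Review bot: `log4j.appender.drfa` is declared as `org.apache.log4j.DailyRollingFileAppender`, but `MaxFileSize` and `MaxBackupIndex` are properties of `RollingFileAppender`; log4j 1.x DailyRollingFileAppender has no such setters, so the `knox_gateway_log_maxfilesize` / `knox_gateway_log_maxbackupindex` values this file exposes in the UI are ignored at runtime (log4j only warns about an unknown property). The same pattern appears in ldap-log4j.xml with `knox_ldap_log_maxfilesize` / `knox_ldap_log_maxbackupindex`. Either switch the appender to `org.apache.log4j.RollingFileAppender` (and drop `DatePattern`) so the size caps take effect, or drop the two properties and their substitutions rather than advertising a limit that is not enforced. The `auditfile` appender has no retention cap at all, which is worth stating in the `<description>` so operators plan for the audit log growing until external rotation handles it.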
@@ -0,0 +1,71 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +--> +<!-- The default settings for Knox. --> +<!-- Edit gateway-site.xml to change settings for your local --> +<!-- install. --> +<configuration supports_final="false"> + <property> + <name>gateway.port</name> + <value>8443</value> + <description>The HTTP port for the Gateway.</description> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>gateway.path</name> + <value>gateway</value> + <description>The default context path for the gateway.</description> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>gateway.gateway.conf.dir</name> + <value>deployments</value> + <description>The directory within GATEWAY_HOME that contains gateway topology files and deployments.</description> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>gateway.hadoop.kerberos.secured</name> + <value>false</value> + <description>Boolean flag indicating whether the Hadoop cluster protected by Gateway is secured with Kerberos</description> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>java.security.krb5.conf</name> + <value>/etc/knox/conf/krb5.conf</value> + <description>Absolute path to krb5.conf 
file</description> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>java.security.auth.login.config</name> + <value>/etc/knox/conf/krb5JAASLogin.conf</value> + <description>Absolute path to JASS login config file</description> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>sun.security.krb5.debug</name> + <value>false</value> + <description>Boolean flag indicating whether to enable debug messages for krb5 authentication</description> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>gateway.websocket.feature.enabled</name> + <value>{{websocket_support}}</value> + <description>Enable this if you want websocket support</description> + <on-ambari-upgrade add="false"/> + </property> +</configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/knox-env.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/knox-env.xml b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/knox-env.xml new file mode 100644 index 0000000..e1ca45a --- /dev/null +++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/knox-env.xml 
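Review bot: Two descriptions in this hunk misdescribe their property: `gateway.port` is described as "The HTTP port for the Gateway." although 8443 is the listener port that, with Knox's default SSL setting, is served over HTTPS, and `java.security.auth.login.config` says "JASS login config file" where JAAS is meant. I would change them to `<description>The port the Gateway listens on (served over HTTPS when Knox SSL is enabled, which is the default).</description>` and `<description>Absolute path to the JAAS login config file</description>`. The `gateway.websocket.feature.enabled` description ("Enable this if you want websocket support") could also mention that the value comes from the `{{websocket_support}}` substitution rather than being edited here.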
@@ -0,0 +1,83 @@ +<?xml version="1.0"?> +<?xml-stylesheet type="text/xsl" href="configuration.xsl"?> +<!-- +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +--> +<configuration supports_final="false" supports_adding_forbidden="true"> + <!-- knox-env.sh --> + <property require-input="true"> + <name>knox_master_secret</name> + <value/> + <display-name>Knox Master Secret</display-name> + <property-type>PASSWORD</property-type> + <description>password to use as the master secret</description> + <value-attributes> + <type>password</type> + <editable-only-at-install>true</editable-only-at-install> + <overridable>false</overridable> + </value-attributes> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>knox_user</name> + <display-name>Knox User</display-name> + <value>knox</value> + <property-type>USER</property-type> + <description>Knox Username.</description> + <value-attributes> + <type>user</type> + <overridable>false</overridable> + </value-attributes> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>knox_group</name> + <display-name>Knox Group</display-name> + <value>knox</value> + <property-type>GROUP</property-type> + <description>Knox Group.</description> + 
<value-attributes> + <type>user</type> + </value-attributes> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>knox_pid_dir</name> + <value>/var/run/knox</value> + <display-name>Knox PID dir</display-name> + <description>Knox PID dir.</description> + <value-attributes> + <type>directory</type> + <editable-only-at-install>true</editable-only-at-install> + <overridable>false</overridable> + </value-attributes> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>knox_principal_name</name> + <description>Knox principal name</description> + <property-type>KERBEROS_PRINCIPAL</property-type> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>knox_keytab_path</name> + <description>Knox keytab path</description> + <on-ambari-upgrade add="false"/> + </property> +</configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/knoxsso-topology.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/knoxsso-topology.xml b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/knoxsso-topology.xml new file mode 100644 index 0000000..1ea8601 --- /dev/null +++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/knoxsso-topology.xml 
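Review bot: The `knox_master_secret` description ("password to use as the master secret") does not tell the operator what the secret protects or why it is `editable-only-at-install`; as far as I know Knox uses it to protect the gateway keystore and credential stores, so changing it later would invalidate them. Suggest `<description>Master secret Knox uses to protect its gateway keystore and credential stores; it can only be set at install time.</description>`. `knox_keytab_path` and `knox_principal_name` carry no `<value>`, which is presumably intended because Kerberos enablement fills them in; a short "set by the Kerberos wizard" note in their descriptions would make that explicit.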
@@ -0,0 +1,126 @@ +<?xml version="1.0"?> +<?xml-stylesheet type="text/xsl" href="configuration.xsl"?> +<!-- +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +--> +<configuration supports_final="false" supports_adding_forbidden="true"> + <!-- topology file --> + <property> + <name>content</name> + <display-name>knoxsso-topology template</display-name> + <value> + <topology> + <gateway> + <provider> + <role>webappsec</role> + <name>WebAppSec</name> + <enabled>true</enabled> + <param><name>xframe.options.enabled</name><value>true</value></param> + </provider> + + <provider> + <role>authentication</role> + <name>ShiroProvider</name> + <enabled>true</enabled> + <param> + <name>sessionTimeout</name> + <value>30</value> + </param> + <param> + <name>redirectToUrl</name> + <value>/gateway/knoxsso/knoxauth/login.html</value> + </param> + <param> + <name>restrictedCookies</name> + <value>rememberme,WWW-Authenticate</value> + </param> + <param> + <name>main.ldapRealm</name> + <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value> + </param> + <param> + <name>main.ldapContextFactory</name> + <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value> + </param> + <param> + 
<name>main.ldapRealm.contextFactory</name> + <value>$ldapContextFactory</value> + </param> + <param> + <name>main.ldapRealm.userDnTemplate</name> + <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value> + </param> + <param> + <name>main.ldapRealm.contextFactory.url</name> + <value>ldap://localhost:33389</value> + </param> + <param> + <name>main.ldapRealm.authenticationCachingEnabled</name> + <value>false</value> + </param> + <param> + <name>main.ldapRealm.contextFactory.authenticationMechanism</name> + <value>simple</value> + </param> + <param> + <name>urls./**</name> + <value>authcBasic</value> + </param> + </provider> + + <provider> + <role>identity-assertion</role> + <name>Default</name> + <enabled>true</enabled> + </provider> + </gateway> + + <application> + <name>knoxauth</name> + </application> + + <service> + <role>KNOXSSO</role> + <param> + <name>knoxsso.cookie.secure.only</name> + <value>false</value> + </param> + <param> + <name>knoxsso.token.ttl</name> + <value>30000</value> + </param> + <param> + <name>knoxsso.redirect.whitelist.regex</name> + <value>^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value> + </param> + </service> + + </topology> + </value> + <description> + The configuration specifies the KnoxSSO provider integration, cookie and token management details. + </description> + <value-attributes> + <type>content</type> + <empty-value-valid>true</empty-value-valid> + <show-property-name>false</show-property-name> + </value-attributes> + <on-ambari-upgrade add="false"/> + </property> +</configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ldap-log4j.xml ---------------------------------------------------------------------- 
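Review bot: `knoxsso.cookie.secure.only` is set to `false`, so the SSO cookie issued by the KNOXSSO service is not marked Secure and a browser will also send it over plain HTTP; since gateway-site.xml in this commit puts the gateway on 8443, `<value>true</value>` is the safer default, with a comment such as `<!-- relax only for an explicitly non-TLS test gateway -->`. The ShiroProvider here points at `ldap://localhost:33389`, while admin-topology.xml in the same commit uses `ldap://{{knox_host_name}}:33389` for the same demo LDAP; the two templates should agree. The `knoxsso.redirect.whitelist.regex` value only matches loopback targets, which is worth stating in the `<description>` so operators know SSO redirects to other hosts will presumably be refused until it is widened.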
diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ldap-log4j.xml b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ldap-log4j.xml new file mode 100644 index 0000000..57e156c --- /dev/null +++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ldap-log4j.xml 
@@ -0,0 +1,93 @@ +<?xml version="1.0"?> +<?xml-stylesheet type="text/xsl" href="configuration.xsl"?> +<!-- +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software<display-name> template</display-name> + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +--> +<configuration supports_final="false" supports_adding_forbidden="false"> + <property> + <name>knox_ldap_log_maxfilesize</name> + <value>256</value> + <description>The maximum size of backup file before the log is rotated</description> + <display-name>Knox LDAP Log: backup file size</display-name> +<value-attributes> + <unit>MB</unit> + </value-attributes> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>knox_ldap_log_maxbackupindex</name> + <value>20</value> + <description>The number of backup files</description> + <display-name>Knox LDAP Log: # of backup files</display-name> + <value-attributes> + <type>int</type> + <minimum>0</minimum> + </value-attributes> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>content</name> + <display-name>ldap-log4j template</display-name> + <value> + # Licensed to the Apache Software Foundation (ASF) under one + # or more contributor license agreements. 
See the NOTICE file + # distributed with this work for additional information + # regarding copyright ownership. The ASF licenses this file + # to you under the Apache License, Version 2.0 (the + # "License"); you may not use this file except in compliance + # with the License. You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. + + app.log.dir=${launcher.dir}/../logs + app.log.file=${launcher.name}.log + + log4j.rootLogger=ERROR, drfa + log4j.logger.org.apache.directory.server.ldap.LdapServer=INFO + log4j.logger.org.apache.directory=WARN + + log4j.appender.stdout=org.apache.log4j.ConsoleAppender + log4j.appender.stdout.layout=org.apache.log4j.PatternLayout + log4j.appender.stdout.layout.ConversionPattern=%d{yy/MM/dd HH:mm:ss} %p %c{2}: %m%n + + log4j.appender.drfa=org.apache.log4j.DailyRollingFileAppender + log4j.appender.drfa.File=${app.log.dir}/${app.log.file} + log4j.appender.drfa.DatePattern=.yyyy-MM-dd + log4j.appender.drfa.layout=org.apache.log4j.PatternLayout + log4j.appender.drfa.layout.ConversionPattern=%d{ISO8601} %-5p %c{2} (%F:%M(%L)) - %m%n + log4j.appender.drfa.MaxFileSize = {{knox_ldap_log_maxfilesize}}MB + log4j.appender.drfa.MaxBackupIndex = {{knox_ldap_log_maxbackupindex}} + + </value> + <description> + content for log4j.properties file for the demo LDAP that comes with Knox. 
+ </description> + <value-attributes> + <type>content</type> + <show-property-name>false</show-property-name> + </value-attributes> + <on-ambari-upgrade add="false"/> + </property> +</configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-audit.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-audit.xml b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-audit.xml new file mode 100644 index 0000000..f3a0f99 --- /dev/null +++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-audit.xml 
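Review bot: The license header comment in this hunk contains a stray fragment, `software<display-name> template</display-name>`, spliced into the "Unless required by applicable law" line; it sits inside an XML comment so the file still parses, but it looks like a paste error and should be removed. The `<value-attributes>` element of `knox_ldap_log_maxfilesize` is also unindented relative to its siblings, unlike every other property in this file.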
@@ -0,0 +1,132 @@ +<?xml version="1.0"?> +<!-- +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +--> +<configuration> + <property> + <name>xasecure.audit.is.enabled</name> + <value>true</value> + <description>Is Audit enabled?</description> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>xasecure.audit.destination.hdfs</name> + <value>true</value> + <display-name>Audit to HDFS</display-name> + <description>Is Audit to HDFS enabled?</description> + <value-attributes> + <type>boolean</type> + </value-attributes> + <depends-on> + <property> + <type>ranger-env</type> + <name>xasecure.audit.destination.hdfs</name> + </property> + </depends-on> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>xasecure.audit.destination.hdfs.dir</name> + <value>hdfs://NAMENODE_HOSTNAME:8020/ranger/audit</value> + <description>HDFS folder to write audit to, make sure the service user has requried permissions</description> + <depends-on> + <property> + <type>ranger-env</type> + <name>xasecure.audit.destination.hdfs.dir</name> + </property> + </depends-on> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>xasecure.audit.destination.hdfs.batch.filespool.dir</name> + 
<value>/var/log/knox/audit/hdfs/spool</value> + <description>/var/log/knox/audit/hdfs/spool</description> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>xasecure.audit.destination.solr</name> + <value>false</value> + <display-name>Audit to SOLR</display-name> + <description>Is Solr audit enabled?</description> + <value-attributes> + <type>boolean</type> + </value-attributes> + <depends-on> + <property> + <type>ranger-env</type> + <name>xasecure.audit.destination.solr</name> + </property> + </depends-on> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>xasecure.audit.destination.solr.urls</name> + <value/> + <description>Solr URL</description> + <value-attributes> + <empty-value-valid>true</empty-value-valid> + </value-attributes> + <depends-on> + <property> + <type>ranger-admin-site</type> + <name>ranger.audit.solr.urls</name> + </property> + </depends-on> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>xasecure.audit.destination.solr.zookeepers</name> + <value>NONE</value> + <description>Solr Zookeeper string</description> + <depends-on> + <property> + <type>ranger-admin-site</type> + <name>ranger.audit.solr.zookeepers</name> + </property> + </depends-on> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>xasecure.audit.destination.solr.batch.filespool.dir</name> + <value>/var/log/knox/audit/solr/spool</value> + <description>/var/log/knox/audit/solr/spool</description> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>xasecure.audit.provider.summary.enabled</name> + <value>false</value> + <display-name>Audit provider summary enabled</display-name> + <description>Enable Summary audit?</description> + <value-attributes> + <type>boolean</type> + </value-attributes> + <on-ambari-upgrade add="false"/> + </property> + + <property> + <name>ranger.plugin.knox.ambari.cluster.name</name> + <value>{{cluster_name}}</value> + <description>Capture cluster name from where 
Ranger knox plugin is enabled.</description> + <value-attributes> + <empty-value-valid>true</empty-value-valid> + </value-attributes> + <on-ambari-upgrade add="false"/> + </property> + +</configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-plugin-properties.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-plugin-properties.xml b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-plugin-properties.xml new file mode 100644 index 0000000..d8b9d54 --- /dev/null +++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-plugin-properties.xml 
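Review bot: The descriptions of `xasecure.audit.destination.hdfs.batch.filespool.dir` and `xasecure.audit.destination.solr.batch.filespool.dir` merely repeat their values (`/var/log/knox/audit/hdfs/spool`, `/var/log/knox/audit/solr/spool`) and say nothing about what the directory is for. Suggest `<description>Local directory where the Ranger audit provider spools batched audit events before delivering them to HDFS</description>` and the Solr counterpart. The `xasecure.audit.destination.hdfs.dir` description has a typo, "requried" → "required", and its default `hdfs://NAMENODE_HOSTNAME:8020/ranger/audit` is a placeholder that is presumably expected to be replaced through the `ranger-env` depends-on; saying so in the description would stop an operator from treating it as a working value.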
@@ -0,0 +1,132 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +--> +<configuration supports_final="true"> + <property> + <name>policy_user</name> + <value>ambari-qa</value> + <display-name>Policy user for KNOX</display-name> + <description>This user must be system user and also present at Ranger admin portal</description> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>common.name.for.certificate</name> + <value/> + <description>Common name for certificate, this value should match what is specified in repo within ranger admin</description> + <value-attributes> + <empty-value-valid>true</empty-value-valid> + </value-attributes> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>ranger-knox-plugin-enabled</name> + <value>No</value> + <display-name>Enable Ranger for KNOX</display-name> + <description>Enable ranger knox plugin ?</description> + <depends-on> + <property> + <type>ranger-env</type> + <name>ranger-knox-plugin-enabled</name> + </property> + </depends-on> + <value-attributes> + <type>boolean</type> + <overridable>false</overridable> + </value-attributes> + <on-ambari-upgrade add="false"/> + </property> + <property> 
+ <name>REPOSITORY_CONFIG_USERNAME</name> + <value>admin</value> + <display-name>Ranger repository config user</display-name> + <description>Used for repository creation on ranger admin</description> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>REPOSITORY_CONFIG_PASSWORD</name> + <value>admin-password</value> + <property-type>PASSWORD</property-type> + <display-name>Ranger repository config password</display-name> + <description>Used for repository creation on ranger admin</description> + <value-attributes> + <type>password</type> + </value-attributes> + <on-ambari-upgrade add="false"/> + </property> + + <property> + <name>KNOX_HOME</name> + <value>/usr/hdp/current/knox-server</value> + <display-name>Knox Home</display-name> + <description>Knox home folder</description> + <on-ambari-upgrade add="false"/> + </property> + + + + <property> + <name>external_admin_username</name> + <value></value> + <display-name>External Ranger admin username</display-name> + <description>Add ranger default admin username if want to communicate to external ranger</description> + <value-attributes> + <empty-value-valid>true</empty-value-valid> + </value-attributes> + <on-ambari-upgrade add="false"/> + </property> + + <property> + <name>external_admin_password</name> + <value></value> + <display-name>External Ranger admin password</display-name> + <property-type>PASSWORD</property-type> + <description>Add ranger default admin password if want to communicate to external ranger</description> + <value-attributes> + <type>password</type> + <empty-value-valid>true</empty-value-valid> + </value-attributes> + <on-ambari-upgrade add="false"/> + </property> + + <property> + <name>external_ranger_admin_username</name> + <value></value> + <display-name>External Ranger Ambari admin username</display-name> + <description>Add ranger default ambari admin username if want to communicate to external ranger</description> + <value-attributes> + 
<empty-value-valid>true</empty-value-valid> + </value-attributes> + <on-ambari-upgrade add="false"/> + </property> + + <property> + <name>external_ranger_admin_password</name> + <value></value> + <display-name>External Ranger Ambari admin password</display-name> + <property-type>PASSWORD</property-type> + <description>Add ranger default ambari admin password if want to communicate to external ranger</description> + <value-attributes> + <type>password</type> + <empty-value-valid>true</empty-value-valid> + </value-attributes> + <on-ambari-upgrade add="false"/> + </property> + +</configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-policymgr-ssl.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-policymgr-ssl.xml b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-policymgr-ssl.xml new file mode 100644 index 0000000..bb0878f --- /dev/null +++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-policymgr-ssl.xml 
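Review bot: `REPOSITORY_CONFIG_PASSWORD` ships with the fixed default `admin-password` (and `REPOSITORY_CONFIG_USERNAME` with `admin`), and neither description says the value is a placeholder, so a cluster that enables the plugin with untouched defaults registers the Knox repository in Ranger with a well-known credential. The `<property-type>PASSWORD</property-type>` marking masks it in the UI but does not stop it being used as-is. I would make the description say so: `<description>Used for repository creation on ranger admin; the shipped default is a placeholder and must be replaced with the site credential before enabling the plugin</description>`. The same wording problem applies to the empty `external_admin_*` / `external_ranger_admin_*` pairs below, whose descriptions read like optional hints rather than credential fields.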
@@ -0,0 +1,66 @@ +<?xml version="1.0"?> +<!-- +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +--> +<configuration> + <property> + <name>xasecure.policymgr.clientssl.keystore</name> + <value>/usr/hdp/current/knox-server/conf/ranger-plugin-keystore.jks</value> + <description>Java Keystore files</description> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>xasecure.policymgr.clientssl.keystore.password</name> + <value>myKeyFilePassword</value> + <property-type>PASSWORD</property-type> + <description>password for keystore</description> + <value-attributes> + <type>password</type> + </value-attributes> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>xasecure.policymgr.clientssl.truststore</name> + <value>/usr/hdp/current/knox-server/conf/ranger-plugin-truststore.jks</value> + <description>java truststore file</description> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>xasecure.policymgr.clientssl.truststore.password</name> + <value>changeit</value> + <property-type>PASSWORD</property-type> + <description>java truststore password</description> + <value-attributes> + <type>password</type> + </value-attributes> + <on-ambari-upgrade add="false"/> + 
</property> + <property> + <name>xasecure.policymgr.clientssl.keystore.credential.file</name> + <value>jceks://file{{credential_file}}</value> + <description>java keystore credential file</description> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>xasecure.policymgr.clientssl.truststore.credential.file</name> + <value>jceks://file{{credential_file}}</value> + <description>java truststore credential file</description> + <on-ambari-upgrade add="false"/> + </property> +</configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-security.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-security.xml b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-security.xml new file mode 100644 index 0000000..37bda4c --- /dev/null +++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-security.xml 
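Review bot: `xasecure.policymgr.clientssl.keystore.password` defaults to `myKeyFilePassword` and `xasecure.policymgr.clientssl.truststore.password` to `changeit`, the well-known JDK default, while the descriptions (`password for keystore`, `java truststore password`) give no hint that these protect the keystore and truststore used for the plugin's TLS connection to Ranger Admin and are placeholders. I would change them to `Password for the Ranger plugin client keystore; the shipped default is a placeholder and must be set per site` and the equivalent for the truststore. The `jceks://file{{credential_file}}` values presumably rely on `credential_file` beginning with `/`; if that is the convention, a short comment on the property would save the next reader from guessing.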
@@ -0,0 +1,64 @@ +<?xml version="1.0"?> +<!-- +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +--> +<configuration> + <property> + <name>ranger.plugin.knox.service.name</name> + <value>{{repo_name}}</value> + <description>Name of the Ranger service containing policies for this Knox instance</description> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>ranger.plugin.knox.policy.source.impl</name> + <value>org.apache.ranger.admin.client.RangerAdminJersey2RESTClient</value> + <description>Class to retrieve policies from the source</description> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>ranger.plugin.knox.policy.rest.url</name> + <value>{{policymgr_mgr_url}}</value> + <description>URL to Ranger Admin</description> + <on-ambari-upgrade add="false"/> + <depends-on> + <property> + <type>admin-properties</type> + <name>policymgr_external_url</name> + </property> + </depends-on> + </property> + <property> + <name>ranger.plugin.knox.policy.rest.ssl.config.file</name> + <value>/usr/hdp/current/knox-server/conf/ranger-policymgr-ssl.xml</value> + <description>Path to the file containing SSL details to contact Ranger Admin</description> + <on-ambari-upgrade add="false"/> + 
</property> + <property> + <name>ranger.plugin.knox.policy.pollIntervalMs</name> + <value>30000</value> + <description>How often to poll for changes in policies?</description> + <on-ambari-upgrade add="false"/> + </property> + <property> + <name>ranger.plugin.knox.policy.cache.dir</name> + <value>/etc/ranger/{{repo_name}}/policycache</value> + <description>Directory where Ranger policies are cached after successful retrieval from the source</description> + <on-ambari-upgrade add="false"/> + </property> +</configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/topology.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/topology.xml b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/topology.xml new file mode 100644 index 0000000..594ab18 --- /dev/null +++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/topology.xml 
@@ -0,0 +1,174 @@ +<?xml version="1.0"?> +<?xml-stylesheet type="text/xsl" href="configuration.xsl"?> +<!-- +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +--> +<configuration supports_final="false" supports_adding_forbidden="true"> + <!-- topology file --> + <property> + <name>content</name> + <display-name>topology template</display-name> + <value> + <topology> + + <gateway> + + <provider> + <role>authentication</role> + <name>ShiroProvider</name> + <enabled>true</enabled> + <param> + <name>sessionTimeout</name> + <value>30</value> + </param> + <param> + <name>main.ldapRealm</name> + <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value> + </param> + <param> + <name>main.ldapRealm.userDnTemplate</name> + <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value> + </param> + <param> + <name>main.ldapRealm.contextFactory.url</name> + <value>ldap://{{knox_host_name}}:33389</value> + </param> + <param> + <name>main.ldapRealm.contextFactory.authenticationMechanism</name> + <value>simple</value> + </param> + <param> + <name>urls./**</name> + <value>authcBasic</value> + </param> + </provider> + + <provider> + <role>identity-assertion</role> + <name>Default</name> + <enabled>true</enabled> + </provider> 
+ + <provider> + <role>authorization</role> + <name>AclsAuthz</name> + <enabled>true</enabled> + </provider> + + </gateway> + + <service> + <role>NAMENODE</role> + <url>hdfs://{{namenode_host}}:{{namenode_rpc_port}}</url> + </service> + + <service> + <role>JOBTRACKER</role> + <url>rpc://{{rm_host}}:{{jt_rpc_port}}</url> + </service> + + <service> + <role>WEBHDFS</role> + {{webhdfs_service_urls}} + </service> + + <service> + <role>WEBHCAT</role> + <url>http://{{webhcat_server_host}}:{{templeton_port}}/templeton</url> + </service> + + <service> + <role>OOZIE</role> + <url>http://{{oozie_server_host}}:{{oozie_server_port}}/oozie</url> + </service> + + <service> + <role>WEBHBASE</role> + <url>http://{{hbase_master_host}}:{{hbase_master_port}}</url> + </service> + + <service> + <role>HIVE</role> + <url>http://{{hive_server_host}}:{{hive_http_port}}/{{hive_http_path}}</url> + </service> + + <service> + <role>RESOURCEMANAGER</role> + <url>http://{{rm_host}}:{{rm_port}}/ws</url> + </service> + + <service> + <role>DRUID-COORDINATOR-UI</role> + {{druid_coordinator_urls}} + </service> + + <service> + <role>DRUID-COORDINATOR</role> + {{druid_coordinator_urls}} + </service> + + <service> + <role>DRUID-OVERLORD-UI</role> + {{druid_overlord_urls}} + </service> + + <service> + <role>DRUID-OVERLORD</role> + {{druid_overlord_urls}} + </service> + + <service> + <role>DRUID-ROUTER</role> + {{druid_router_urls}} + </service> + + <service> + <role>DRUID-BROKER</role> + {{druid_broker_urls}} + </service> + + <service> + <role>ZEPPELINUI</role> + {{zeppelin_ui_urls}} + </service> + + <service> + <role>ZEPPELINWS</role> + {{zeppelin_ws_urls}} + </service> + + </topology> + </value> + <description> + The configuration specifies the Hadoop cluster services Knox will provide access to. 
+ </description> + <value-attributes> + <type>content</type> + <empty-value-valid>true</empty-value-valid> + <show-property-name>false</show-property-name> + </value-attributes> + <depends-on> + <property> + <type>ranger-knox-plugin-properties</type> + <name>ranger-knox-plugin-enabled</name> + </property> + </depends-on> + <on-ambari-upgrade add="false"/> + </property> +</configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/users-ldif.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/users-ldif.xml b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/users-ldif.xml new file mode 100644 index 0000000..eefa8c9 --- /dev/null +++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/users-ldif.xml 
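Review bot: The default `ShiroProvider` block authenticates every path (`urls./**` = `authcBasic`) against `ldap://{{knox_host_name}}:33389` with `simple` bind and a fixed `uid={0},ou=people,dc=hadoop,dc=apache,dc=org` template, i.e. the Knox demo LDAP over an unencrypted connection, but the description only says the file lists the services Knox exposes. An operator reading the description would not learn that this provider has to be replaced before real users are put behind the gateway. I would extend it: `The shipped authentication provider points at the Knox demo LDAP over plain ldap:// with simple bind; replace the ShiroProvider parameters (ldaps:// URL, site userDnTemplate) with the site directory settings before exposing services.`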
@@ -0,0 +1,140 @@ +<?xml version="1.0"?> +<?xml-stylesheet type="text/xsl" href="configuration.xsl"?> +<!-- +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +--> +<configuration supports_final="false" supports_adding_forbidden="true"> + <property> + <name>content</name> + <display-name>users-ldif template</display-name> + <value> +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. 
+ +version: 1 + +# Please replace with site specific values +dn: dc=hadoop,dc=apache,dc=org +objectclass: organization +objectclass: dcObject +o: Hadoop +dc: hadoop + +# Entry for a sample people container +# Please replace with site specific values +dn: ou=people,dc=hadoop,dc=apache,dc=org +objectclass:top +objectclass:organizationalUnit +ou: people + +# Entry for a sample end user +# Please replace with site specific values +dn: uid=guest,ou=people,dc=hadoop,dc=apache,dc=org +objectclass:top +objectclass:person +objectclass:organizationalPerson +objectclass:inetOrgPerson +cn: Guest +sn: User +uid: guest +userPassword:guest-password + +# entry for sample user admin +dn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org +objectclass:top +objectclass:person +objectclass:organizationalPerson +objectclass:inetOrgPerson +cn: Admin +sn: Admin +uid: admin +userPassword:admin-password + +# entry for sample user sam +dn: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org +objectclass:top +objectclass:person +objectclass:organizationalPerson +objectclass:inetOrgPerson +cn: sam +sn: sam +uid: sam +userPassword:sam-password + +# entry for sample user tom +dn: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org +objectclass:top +objectclass:person +objectclass:organizationalPerson +objectclass:inetOrgPerson +cn: tom +sn: tom +uid: tom +userPassword:tom-password + +# create FIRST Level groups branch +dn: ou=groups,dc=hadoop,dc=apache,dc=org +objectclass:top +objectclass:organizationalUnit +ou: groups +description: generic groups branch + +# create the analyst group under groups +dn: cn=analyst,ou=groups,dc=hadoop,dc=apache,dc=org +objectclass:top +objectclass: groupofnames +cn: analyst +description:analyst group +member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org +member: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org + + +# create the scientist group under groups +dn: cn=scientist,ou=groups,dc=hadoop,dc=apache,dc=org +objectclass:top +objectclass: groupofnames +cn: scientist +description: 
scientist group +member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org + + </value> + <description> + content for users-ldif file for the demo LDAP that comes with Knox. + </description> + <value-attributes> + <type>content</type> + <empty-value-valid>true</empty-value-valid> + <show-property-name>false</show-property-name> + </value-attributes> + <on-ambari-upgrade add="false"/> + </property> +</configuration> http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/kerberos.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/kerberos.json b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/kerberos.json new file mode 100644 index 0000000..2d8aa0d --- /dev/null +++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/kerberos.json 
@@ -0,0 +1,81 @@
+{
+ "services": [
+ {
+ "name": "KNOX",
+ "components": [
+ {
+ "name": "KNOX_GATEWAY",
+ "identities": [
+ {
+ "name": "knox_principal",
+ "principal": {
+ "value": "${knox-env/knox_user}/_HOST@${realm}",
+ "type" : "service",
+ "configuration": "knox-env/knox_principal_name",
+ "local_username": "${knox-env/knox_user}"
+
+ },
+ "keytab": {
+ "file": "${keytab_dir}/knox.service.keytab",
+ "owner": {
+ "name": "${knox-env/knox_user}",
+ "access": "r"
+ },
+ "group": {
+ "name": "${cluster-env/user_group}",
+ "access": ""
+ },
+ "configuration": "knox-env/knox_keytab_path"
+ }
+ },
+ {
+ "name": "/KNOX/KNOX_GATEWAY/knox_principal",
+ "principal": {
+ "configuration": "ranger-knox-audit/xasecure.audit.jaas.Client.option.principal"
+ },
+ "keytab": {
+ "configuration": "ranger-knox-audit/xasecure.audit.jaas.Client.option.keyTab"
+ }
+ }
+ ],
+ "configurations": [
+ {
+ "gateway-site": {
+ "gateway.hadoop.kerberos.secured": "true",
+ "java.security.krb5.conf": "/etc/krb5.conf"
+ }
+ },
+ {
+ "core-site": {
+ "hadoop.proxyuser.${knox-env/knox_user}.groups": "${hadoop-env/proxyuser_group}",
+ "hadoop.proxyuser.${knox-env/knox_user}.hosts": "${clusterHostInfo/knox_gateway_hosts}"
+ }
+ },
+ {
+ "webhcat-site": {
+ "webhcat.proxyuser.${knox-env/knox_user}.groups": "${hadoop-env/proxyuser_group}",
+ "webhcat.proxyuser.${knox-env/knox_user}.hosts": "${clusterHostInfo/knox_gateway_hosts}"
+ }
+ },
+ {
+ "oozie-site": {
+ "oozie.service.ProxyUserService.proxyuser.${knox-env/knox_user}.groups": "${hadoop-env/proxyuser_group}",
+ "oozie.service.ProxyUserService.proxyuser.${knox-env/knox_user}.hosts": "${clusterHostInfo/knox_gateway_hosts}"
+ }
+ },
+ {
+ "ranger-knox-audit": {
+ "xasecure.audit.jaas.Client.loginModuleName": "com.sun.security.auth.module.Krb5LoginModule",
+ "xasecure.audit.jaas.Client.loginModuleControlFlag": "required",
+ "xasecure.audit.jaas.Client.option.useKeyTab": "true",
+ "xasecure.audit.jaas.Client.option.storeKey": "false",
+ 
"xasecure.audit.jaas.Client.option.serviceName": "solr",
+ "xasecure.audit.destination.solr.force.use.inmemory.jaas.config": "true"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/metainfo.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/metainfo.xml b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/metainfo.xml
new file mode 100644
index 0000000..8954d0d
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/metainfo.xml
@@ -0,0 +1,109 @@ +<?xml version="1.0"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<metainfo> + <schemaVersion>2.0</schemaVersion> + <services> + <service> + <name>KNOX</name> + <displayName>Knox</displayName> + <comment>Provides a single point of authentication and access for Apache Hadoop services in a cluster</comment> + <version>0.5.0.3.0</version> + <components> + <component> + <name>KNOX_GATEWAY</name> + <displayName>Knox Gateway</displayName> + <category>MASTER</category> + <cardinality>1+</cardinality> + <versionAdvertised>true</versionAdvertised> + <commandScript> + <script>scripts/knox_gateway.py</script> + <scriptType>PYTHON</scriptType> + <timeout>1200</timeout> + </commandScript> + <logs> + <log> + <logId>knox_gateway</logId> + <primary>true</primary> + </log> + <log> + <logId>knox_cli</logId> + </log> + <log> + <logId>knox_ldap</logId> + </log> + </logs> + <customCommands> + <customCommand> + <name>STARTDEMOLDAP</name> + <commandScript> + <script>scripts/knox_gateway.py</script> + <scriptType>PYTHON</scriptType> + <timeout>600</timeout> + </commandScript> + </customCommand> + <customCommand> + <name>STOPDEMOLDAP</name> + <commandScript> + <script>scripts/knox_gateway.py</script> + <scriptType>PYTHON</scriptType> + 
<timeout>600</timeout> + </commandScript> + </customCommand> + </customCommands> + </component> + </components> + + <osSpecifics> + <osSpecific> + <osFamily>redhat7,amazon2015,redhat6,suse11,suse12</osFamily> + <packages> + <package> + <name>knox_${stack_version}</name> + </package> + </packages> + </osSpecific> + <osSpecific> + <osFamily>debian7,ubuntu12,ubuntu14,ubuntu16</osFamily> + <packages> + <package> + <name>knox-${stack_version}</name> + </package> + </packages> + </osSpecific> + </osSpecifics> + + <commandScript> + <script>scripts/service_check.py</script> + <scriptType>PYTHON</scriptType> + <timeout>300</timeout> + </commandScript> + + <configuration-dependencies> + <config-type>gateway-site</config-type> + <config-type>gateway-log4j</config-type> + <config-type>topology</config-type> + <config-type>admin-topology</config-type> + <config-type>knoxsso-topology</config-type> + <config-type>ranger-knox-plugin-properties</config-type> + <config-type>ranger-knox-audit</config-type> + <config-type>ranger-knox-policymgr-ssl</config-type> + <config-type>ranger-knox-security</config-type> + </configuration-dependencies> + </service> + </services> +</metainfo> http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/files/validateKnoxStatus.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/files/validateKnoxStatus.py b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/files/validateKnoxStatus.py new file mode 100644 index 0000000..257abfb --- /dev/null +++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/files/validateKnoxStatus.py 
@@ -0,0 +1,43 @@
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+import optparse
+import socket
+
+#
+# Main.
+#
+def main():
+ parser = optparse.OptionParser(usage="usage: %prog [options]")
+ parser.add_option("-p", "--port", dest="port", help="Port for Knox process")
+ parser.add_option("-n", "--hostname", dest="hostname", help="Hostname of Knox Gateway component")
+
+ (options, args) = parser.parse_args()
+ timeout_seconds = 5
+ try:
+ s = socket.create_connection((options.hostname, int(options.port)),timeout=timeout_seconds)
+ print "Successfully connected to %s on port %s" % (options.hostname, options.port)
+ s.close()
+ except socket.error, e:
+ print "Connection to %s on port %s failed: %s" % (options.hostname, options.port, e)
+ exit(1)
+
+if __name__ == "__main__":
+ main()
+
http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/scripts/knox.py
----------------------------------------------------------------------
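Review bot: `main()` never checks that `--hostname` and `--port` were supplied, so `int(options.port)` raises `TypeError` (or `ValueError` for a non-numeric port) before the `try`, and the alert script dies with a traceback instead of a usage message; add `if not options.hostname or not options.port: parser.error("--hostname and --port are both required")` right after `parse_args()`. `exit(1)` is the `site`-module helper rather than `sys.exit(1)`, which is the portable form once `sys` is imported. A successful `create_connection` only shows that the TCP port accepts connections and says nothing about whether the gateway answers or its TLS is valid, so a comment such as `# TCP reachability check only; does not validate the gateway response or its TLS` would keep the alert's meaning honest for whoever tunes it later.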
diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/scripts/knox.py b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/scripts/knox.py
new file mode 100644
index 0000000..34b5643
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/scripts/knox.py
@@ -0,0 +1,192 @@ +""" +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +""" + +import os +from resource_management.libraries.script.script import Script +from resource_management.libraries.resources.xml_config import XmlConfig +from resource_management.core.resources.service import ServiceConfig +from resource_management.libraries.functions.format import format +from resource_management.libraries.functions.get_config import get_config +from resource_management.libraries.resources.template_config import TemplateConfig +from resource_management.core.resources.system import File, Execute, Directory +from resource_management.core.shell import as_user +from resource_management.core.source import InlineTemplate + +from ambari_commons import OSConst +from ambari_commons.os_family_impl import OsFamilyFuncImpl, OsFamilyImpl + +from resource_management.libraries.functions.stack_features import check_stack_feature +from resource_management.libraries.functions import StackFeature + +@OsFamilyFuncImpl(os_family=OSConst.WINSRV_FAMILY) +def knox(): + import params + + XmlConfig("gateway-site.xml", + conf_dir=params.knox_conf_dir, + configurations=params.config['configurations']['gateway-site'], + 
configuration_attributes=params.config['configuration_attributes']['gateway-site'], + owner=params.knox_user + ) + + # Manually overriding service logon user & password set by the installation package + ServiceConfig(params.knox_gateway_win_service_name, + action="change_user", + username = params.knox_user, + password = Script.get_password(params.knox_user)) + + File(os.path.join(params.knox_conf_dir, "gateway-log4j.properties"), + owner=params.knox_user, + content=params.gateway_log4j + ) + + File(os.path.join(params.knox_conf_dir, "topologies", "default.xml"), + group=params.knox_group, + owner=params.knox_user, + content=InlineTemplate(params.topology_template) + ) + + if params.admin_topology_template: + File(os.path.join(params.knox_conf_dir, "topologies", "admin.xml"), + group=params.knox_group, + owner=params.knox_user, + content=InlineTemplate(params.admin_topology_template) + ) + + if params.version_formatted and check_stack_feature(StackFeature.KNOX_SSO_TOPOLOGY, params.version_formatted): + knoxsso_topology_template_content = get_config("knoxsso-topology") + if knoxsso_topology_template_content: + File(os.path.join(params.knox_conf_dir, "topologies", "knoxsso.xml"), + group=params.knox_group, + owner=params.knox_user, + content=InlineTemplate(params.knoxsso_topology_template) + ) + + if params.security_enabled: + TemplateConfig( os.path.join(params.knox_conf_dir, "krb5JAASLogin.conf"), + owner = params.knox_user, + template_tag = None + ) + + if not os.path.isfile(params.knox_master_secret_path): + cmd = format('cmd /C {knox_client_bin} create-master --master {knox_master_secret!p}') + Execute(cmd) + cmd = format('cmd /C {knox_client_bin} create-cert --hostname {knox_host_name_in_cluster}') + Execute(cmd) + +@OsFamilyFuncImpl(os_family=OsFamilyImpl.DEFAULT) +def knox(): + import params + Directory([params.knox_data_dir, params.knox_logs_dir, params.knox_pid_dir, params.knox_conf_dir, os.path.join(params.knox_conf_dir, "topologies")], + owner = 
params.knox_user, + group = params.knox_group, + create_parents = True, + cd_access = "a", + mode = 0755, + recursive_ownership = True, + ) + + XmlConfig("gateway-site.xml", + conf_dir=params.knox_conf_dir, + configurations=params.config['configurations']['gateway-site'], + configuration_attributes=params.config['configuration_attributes']['gateway-site'], + owner=params.knox_user, + group=params.knox_group, + ) + + File(format("{params.knox_conf_dir}/gateway-log4j.properties"), + mode=0644, + group=params.knox_group, + owner=params.knox_user, + content=InlineTemplate(params.gateway_log4j) + ) + + File(format("{params.knox_conf_dir}/topologies/default.xml"), + group=params.knox_group, + owner=params.knox_user, + content=InlineTemplate(params.topology_template) + ) + + if params.admin_topology_template: + File(format("{params.knox_conf_dir}/topologies/admin.xml"), + group=params.knox_group, + owner=params.knox_user, + content=InlineTemplate(params.admin_topology_template) + ) + + if params.version_formatted and check_stack_feature(StackFeature.KNOX_SSO_TOPOLOGY, params.version_formatted): + knoxsso_topology_template_content = get_config("knoxsso-topology") + if knoxsso_topology_template_content: + File(os.path.join(params.knox_conf_dir, "topologies", "knoxsso.xml"), + group=params.knox_group, + owner=params.knox_user, + content=InlineTemplate(params.knoxsso_topology_template) + ) + + if params.security_enabled: + TemplateConfig( format("{knox_conf_dir}/krb5JAASLogin.conf"), + owner = params.knox_user, + template_tag = None + ) + + cmd = format('{knox_client_bin} create-master --master {knox_master_secret!p}') + master_secret_exist = as_user(format('test -f {knox_master_secret_path}'), params.knox_user) + + Execute(cmd, + user=params.knox_user, + environment={'JAVA_HOME': params.java_home}, + not_if=master_secret_exist, + ) + + cmd = format('{knox_client_bin} create-cert --hostname {knox_host_name_in_cluster}') + cert_store_exist = as_user(format('test -f 
{knox_cert_store_path}'), params.knox_user) + + Execute(cmd, + user=params.knox_user, + environment={'JAVA_HOME': params.java_home}, + not_if=cert_store_exist, + ) + + +@OsFamilyFuncImpl(os_family=OSConst.WINSRV_FAMILY) +def update_knox_folder_permissions(): + import params + Directory(params.knox_logs_dir, + owner = params.knox_user, + group = params.knox_group + ) + + +@OsFamilyFuncImpl(os_family=OsFamilyImpl.DEFAULT) +def update_knox_logfolder_permissions(): + """ + Fix for the bug with rpm/deb packages. During installation of the package, they re-apply permissions to the + folders below; such behaviour will affect installations with non-standard user name/group and will put + cluster in non-working state + """ + import params + + Directory(params.knox_logs_dir, + owner = params.knox_user, + group = params.knox_group, + create_parents = True, + cd_access = "a", + mode = 0755, + recursive_ownership = True, + ) http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/scripts/knox_gateway.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/scripts/knox_gateway.py b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/scripts/knox_gateway.py new file mode 100644 index 0000000..8996d23 --- /dev/null +++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/scripts/knox_gateway.py 
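Review bot: In the default-OS `knox()` the master secret is interpolated straight into the shell string `format('{knox_client_bin} create-master --master {knox_master_secret!p}')`, so it is exposed to every local user via `/proc/<pid>/cmdline` for the lifetime of the knoxcli run, and — unless Ambari's `!p` modifier also shell-quotes, which as far as I can tell it does not (it marks the value for log masking) — a secret containing a space, `$`, `;` or a quote breaks or alters the command; the Windows branch builds the same string. I believe knoxcli prompts for the master secret when `--master` is omitted, so feeding it on stdin would avoid the argv exposure; at minimum apply the `!e` escaping modifier and confirm masking still applies in the agent log. The `Directory([... knox_data_dir ...], mode = 0755, cd_access = "a", recursive_ownership = True)` call also makes the data directory, where knoxcli writes the master secret and keystores, world-traversable; the modes of those files are set by knoxcli and not visible here, so confirm they are owner-only after first start.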
@@ -0,0 +1,220 @@ +""" +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +""" + +import os + +from resource_management.libraries.script.script import Script +from resource_management.libraries.functions.check_process_status import check_process_status +from resource_management.libraries.functions.format import format +from resource_management.libraries.functions import conf_select, stack_select +from resource_management.libraries.functions.constants import Direction +from resource_management.libraries.functions.security_commons import build_expectations +from resource_management.libraries.functions.security_commons import cached_kinit_executor +from resource_management.libraries.functions.security_commons import validate_security_config_properties +from resource_management.libraries.functions.security_commons import get_params_from_filesystem +from resource_management.libraries.functions.security_commons import FILE_TYPE_XML +from resource_management.libraries.functions.show_logs import show_logs +from resource_management.core.resources.system import File, Execute, Link +from resource_management.core.resources.service import Service +from resource_management.core.logger import Logger + + +from ambari_commons import OSConst, OSCheck +from 
ambari_commons.os_family_impl import OsFamilyImpl + +if OSCheck.is_windows_family(): + from resource_management.libraries.functions.windows_service_utils import check_windows_service_status + +import upgrade +from knox import knox, update_knox_logfolder_permissions +from knox_ldap import ldap +from setup_ranger_knox import setup_ranger_knox + + +class KnoxGateway(Script): + def get_component_name(self): + return "knox-server" + + def install(self, env): + import params + env.set_params(params) + self.install_packages(env) + + File(os.path.join(params.knox_conf_dir, 'topologies', 'sandbox.xml'), + action = "delete", + ) + + def configure(self, env, upgrade_type=None): + import params + env.set_params(params) + knox() + ldap() + + def configureldap(self, env): + import params + env.set_params(params) + ldap() + + + +@OsFamilyImpl(os_family=OSConst.WINSRV_FAMILY) +class KnoxGatewayWindows(KnoxGateway): + def start(self, env, upgrade_type=None): + import params + env.set_params(params) + self.configure(env) + # setup_ranger_knox(env) + Service(params.knox_gateway_win_service_name, action="start") + + def stop(self, env, upgrade_type=None): + import params + env.set_params(params) + Service(params.knox_gateway_win_service_name, action="stop") + + def status(self, env): + import status_params + env.set_params(status_params) + check_windows_service_status(status_params.knox_gateway_win_service_name) + + def startdemoldap(self, env): + import params + env.set_params(params) + self.configureldap(env) + Service(params.knox_ldap_win_service_name, action="start") + + def stopdemoldap(self, env): + import params + env.set_params(params) + Service(params.knox_ldap_win_service_name, action="stop") + + + +@OsFamilyImpl(os_family=OsFamilyImpl.DEFAULT) +class KnoxGatewayDefault(KnoxGateway): + + def pre_upgrade_restart(self, env, upgrade_type=None): + import params + env.set_params(params) + + # backup the data directory to /tmp/knox-upgrade-backup/knox-data-backup.tar just in case 
+ # something happens; Knox is interesting in that they re-generate missing files like + # keystores which can cause side effects if the upgrade goes wrong + if params.upgrade_direction and params.upgrade_direction == Direction.UPGRADE: + absolute_backup_dir = upgrade.backup_data() + Logger.info("Knox data was successfully backed up to {0}".format(absolute_backup_dir)) + + # <conf-selector-tool> will change the symlink to the conf folder. + conf_select.select(params.stack_name, "knox", params.version) + stack_select.select("knox-server", params.version) + + # seed the new Knox data directory with the keystores of yesteryear + if params.upgrade_direction == Direction.UPGRADE: + upgrade.seed_current_data_directory() + + + def start(self, env, upgrade_type=None): + import params + env.set_params(params) + self.configure(env) + daemon_cmd = format('{knox_bin} start') + no_op_test = format('ls {knox_pid_file} >/dev/null 2>&1 && ps -p `cat {knox_pid_file}` >/dev/null 2>&1') + setup_ranger_knox(upgrade_type=upgrade_type) + # Used to setup symlink, needed to update the knox managed symlink, in case of custom locations + if os.path.islink(params.knox_managed_pid_symlink): + Link(params.knox_managed_pid_symlink, + to = params.knox_pid_dir, + ) + + update_knox_logfolder_permissions() + + try: + Execute(daemon_cmd, + user=params.knox_user, + environment={'JAVA_HOME': params.java_home}, + not_if=no_op_test + ) + except: + show_logs(params.knox_logs_dir, params.knox_user) + raise + + def stop(self, env, upgrade_type=None): + import params + env.set_params(params) + daemon_cmd = format('{knox_bin} stop') + + update_knox_logfolder_permissions() + + try: + Execute(daemon_cmd, + environment={'JAVA_HOME': params.java_home}, + user=params.knox_user, + ) + except: + show_logs(params.knox_logs_dir, params.knox_user) + raise + + File(params.knox_pid_file, + action="delete", + ) + + def status(self, env): + import status_params + env.set_params(status_params) + 
check_process_status(status_params.knox_pid_file) + + def startdemoldap(self, env): + import params + env.set_params(params) + self.configureldap(env) + daemon_cmd = format('{ldap_bin} start') + no_op_test = format('ls {ldap_pid_file} >/dev/null 2>&1 && ps -p `cat {ldap_pid_file}` >/dev/null 2>&1') + Execute(daemon_cmd, + user=params.knox_user, + environment={'JAVA_HOME': params.java_home}, + not_if=no_op_test + ) + + def stopdemoldap(self, env): + import params + env.set_params(params) + self.configureldap(env) + daemon_cmd = format('{ldap_bin} stop') + Execute(daemon_cmd, + environment={'JAVA_HOME': params.java_home}, + user=params.knox_user, + ) + File(params.ldap_pid_file, + action = "delete" + ) + + def get_log_folder(self): + import params + return params.knox_logs_dir + + def get_user(self): + import params + return params.knox_user + + def get_pid_files(self): + import status_params + return [status_params.knox_pid_file] + + +if __name__ == "__main__": + KnoxGateway().execute()
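Review bot: `pre_upgrade_restart` says the Knox data directory — which holds the gateway keystores and the master secret — is tarred to `/tmp/knox-upgrade-backup/knox-data-backup.tar`; `upgrade.backup_data()` is outside this diff, so confirm the archive is created with owner-only permissions and owned by the knox user, since `/tmp` is world-traversable and nothing here removes the archive after a successful upgrade. The two `upgrade_direction == Direction.UPGRADE` checks in that method should be merged; the first redundantly tests truthiness as well. In `start` and `stop` the bare `except:` also intercepts KeyboardInterrupt and SystemExit just to call `show_logs` and re-raise; `except Exception:` is the narrower form. `stopdemoldap` rewrites the LDAP configuration via `self.configureldap(env)` before stopping the daemon, which looks unintended: its `start` counterpart configures before starting, and rewriting config on stop can hide what the daemon was actually running with.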