This is an automated email from the ASF dual-hosted git repository.
alexey pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kudu.git
The following commit(s) were added to refs/heads/master by this push:
new 05d631e4a [ranger] disable Tomcat's shutdown port
05d631e4a is described below
commit 05d631e4a1035a04fe0c4e11c7c1b1e6b9530d99
Author: Alexey Serbin <[email protected]>
AuthorDate: Mon Oct 16 19:50:49 2023 -0700
[ranger] disable Tomcat's shutdown port
This patch explicitly disables Tomcat's shutdown port when running
MiniRanger and MiniRangerKMS wrappers. The port hasn't been used in
Kudu tests anyway, so there is now less hassle in dealing with it.
In addition, the HTTPS service port is now explicitly disabled as well
to add a bit more clarity for humans who might be looking into the XML
configuration files.
This patch also adds a sanity check to make sure WaitForTcpBind()
run against Ranger and RangerKMS detects the port exactly as configured.
Change-Id: I8b8d330ecd747ac8535d4138d7d49902991e31b0
Reviewed-on: http://gerrit.cloudera.org:8080/20583
Tested-by: Kudu Jenkins
Reviewed-by: Zoltan Martonka <[email protected]>
Reviewed-by: Yingchun Lai <[email protected]>
---
src/kudu/ranger-kms/mini_ranger_kms.cc | 17 ++++++++++-----
src/kudu/ranger-kms/mini_ranger_kms_configs.h | 8 ++++++-
src/kudu/ranger/mini_ranger.cc | 31 +++++++++++++--------------
src/kudu/ranger/mini_ranger_configs.h | 15 +++++++------
4 files changed, 43 insertions(+), 28 deletions(-)
diff --git a/src/kudu/ranger-kms/mini_ranger_kms.cc
b/src/kudu/ranger-kms/mini_ranger_kms.cc
index 040fdca50..368068895 100644
--- a/src/kudu/ranger-kms/mini_ranger_kms.cc
+++ b/src/kudu/ranger-kms/mini_ranger_kms.cc
@@ -272,13 +272,20 @@ Status MiniRangerKMS::StartRangerKMS() {
{ "RANGER_KMS_EWS_LIB_DIR", kLibDir }
});
RETURN_NOT_OK(process_->Start());
- LOG(INFO) << "Ranger KMS PID: " << process_->pid() << std::endl;
+ LOG(INFO) << "Ranger KMS PID: " << process_->pid();
+ LOG(INFO) << "Ranger KMS URL: " << ranger_kms_url_;
+
+ uint16_t port;
RETURN_NOT_OK(WaitForTcpBind(process_->pid(),
- &port_,
- { "0.0.0.0", "127.0.0.1", },
+ &port, { "0.0.0.0" },
MonoDelta::FromSeconds(120)));
- LOG(INFO) << "Ranger KMS bound to " << port_;
- LOG(INFO) << "Ranger KMS URL: " << ranger_kms_url_;
+ if (port_ != port) {
+ // A sanity check: with the configuration provided, RangerKMS is expected
+ // to listen only on a single port.
+ return Status::ConfigurationError(Substitute(
+ "Ranger KMS opens port $0, but the only expected one is $1",
+ port, port_));
+ }
}
return Status::OK();
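Review bot: The `port_ != port` check in StartRangerKMS() verifies only that the one port reported by WaitForTcpBind() equals the configured port, while its comment reads as if it proves there is a single listener. WaitForTcpBind() is not shown in this diff, so presumably an extra listener (for example a shutdown port re-enabled by a later config regression) is caught only when it is the one reported. I would word the comment after what is actually checked, e.g. `// Sanity check: the port reported by WaitForTcpBind() must be the configured port_.` The same comment appears in the StartRanger() hunk of mini_ranger.cc. The enclosing function starts and ends outside this hunk.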
diff --git a/src/kudu/ranger-kms/mini_ranger_kms_configs.h
b/src/kudu/ranger-kms/mini_ranger_kms_configs.h
index f34089b65..34cba157c 100644
--- a/src/kudu/ranger-kms/mini_ranger_kms_configs.h
+++ b/src/kudu/ranger-kms/mini_ranger_kms_configs.h
@@ -84,8 +84,14 @@ inline std::string GetRangerKMSSiteXml(const std::string&
kms_host,
<value>$1</value>
</property>
<property>
+ <!-- Explicitly disable opening HTTPS port -->
+ <name>ranger.service.https.port</name>
+ <value>-1</value>
+ </property>
+ <property>
+ <!-- Explicitly disable opening the shutdown port -->
<name>ranger.service.shutdown.port</name>
- <value>0</value>
+ <value>-1</value>
</property>
<property>
<name>ranger.contextName</name>
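Review bot: The new XML comments say the HTTPS and shutdown ports are disabled but not that `-1` is the value that does it, and the shutdown port here was previously `0`, which also reads like "off". Since the new check in mini_ranger_kms.cc relies on the process opening exactly the configured port, I would spell this out, e.g. `<!-- -1 disables the shutdown listener; 0 does not -->`, after confirming how `0` is handled. Whether Ranger's embedded server treats `-1` for `ranger.service.https.port` the same way is not visible in this diff and is worth confirming. The same comments are added in the two template hunks of mini_ranger_configs.h.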
diff --git a/src/kudu/ranger/mini_ranger.cc b/src/kudu/ranger/mini_ranger.cc
index 087c5e6d5..2cf33fd8a 100644
--- a/src/kudu/ranger/mini_ranger.cc
+++ b/src/kudu/ranger/mini_ranger.cc
@@ -90,19 +90,12 @@ Status MiniRanger::InitRanger(const string& admin_home,
bool* fresh_install) {
}
Status MiniRanger::CreateConfigs() {
- // Ranger listens on 2 ports:
- //
- // - port_ is the RPC port (REST API) that the Ranger subprocess and
- // EasyCurl can talk to
- // - ranger_shutdown_port is the port which Ranger listens on for a shutdown
- // command. We're not using this shutdown port as we simply send a SIGTERM,
- // but it's necessary to set it to a random value to avoid collisions in
- // parallel testing.
+ // With the Tomcat's shutdown port disabled, Ranger listens just on a single
+ // REST API port (MiniRanger::port_) that the Ranger subprocess and EasyCurl
+ // can talk to.
if (port_ == 0) {
RETURN_NOT_OK(GetRandomPort(host_, &port_));
}
- uint16_t ranger_shutdown_port;
- RETURN_NOT_OK(GetRandomPort(host_, &ranger_shutdown_port));
string admin_home = ranger_admin_home();
ranger_admin_url_ = Substitute("http://$0:$1", host_, port_);
@@ -119,9 +112,8 @@ Status MiniRanger::CreateConfigs() {
JoinPathSegments(admin_home, "ranger-admin-site.xml")));
RETURN_NOT_OK(WriteStringToFile(
- env_, GetRangerAdminDefaultSiteXml(
- JoinPathSegments(bin_dir(), "postgresql.jar"),
- ranger_shutdown_port),
+ env_, GetRangerAdminDefaultSiteXml(JoinPathSegments(bin_dir(),
+ "postgresql.jar")),
JoinPathSegments(admin_home, "ranger-admin-default-site.xml")));
RETURN_NOT_OK(WriteStringToFile(env_, GetRangerCoreSiteXml(kerberos_),
@@ -231,13 +223,20 @@ Status MiniRanger::StartRanger() {
{ "RANGER_USER", "miniranger" },
});
RETURN_NOT_OK(process_->Start());
+ LOG(INFO) << "Ranger admin URL: " << ranger_admin_url_;
+
uint16_t port;
RETURN_NOT_OK(WaitForTcpBind(process_->pid(),
&port,
- { "0.0.0.0", "127.0.0.1", },
+ { "0.0.0.0" },
MonoDelta::FromSeconds(120)));
- LOG(INFO) << "Ranger bound to " << port;
- LOG(INFO) << "Ranger admin URL: " << ranger_admin_url_;
+ if (port_ != port) {
+ // A sanity check: with the configuration provided, Ranger is expected
+ // to listen only on a single port.
+ return Status::ConfigurationError(Substitute(
+ "Ranger opens port $0, but the only expected one is $1",
+ port, port_));
+ }
}
if (fresh_install) {
RETURN_NOT_OK(CreateKuduService());
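Review bot: Narrowing the address list to `{ "0.0.0.0" }` in the WaitForTcpBind() call means the wait can succeed only while Ranger binds the wildcard address. If this plain-HTTP test service is later restricted to loopback, the call would presumably run out its 120-second timeout instead of failing with a clear message. A comment at the call would record that dependency: `// Ranger binds the wildcard address; keep this list in sync with the bind address in the site XML.` The same applies to the call in StartRangerKMS(). Separately, `uint16_t port;` could be written `uint16_t port = 0;` so that the value is defined on every path. StartRanger() starts and ends outside this hunk.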
diff --git a/src/kudu/ranger/mini_ranger_configs.h
b/src/kudu/ranger/mini_ranger_configs.h
index c7d6e3d03..df7129cc1 100644
--- a/src/kudu/ranger/mini_ranger_configs.h
+++ b/src/kudu/ranger/mini_ranger_configs.h
@@ -135,6 +135,11 @@ inline std::string GetRangerAdminSiteXml(const
std::string& admin_host,
<name>ranger.service.http.port</name>
<value>$3</value>
</property>
+ <property>
+ <!-- Explicitly disable opening HTTPS port -->
+ <name>ranger.service.https.port</name>
+ <value>-1</value>
+ </property>
<property>
<name>ranger.admin.cookie.name</name>
<value>RANGERADMINSESSIONID</value>
@@ -178,15 +183,13 @@ inline std::string GetRangerAdminSiteXml(const
std::string& admin_host,
// Gets the ranger-admin-default-site.xml that has some additional
configuration
// needed to start Ranger. It's unclear why this has to be a separate file.
-inline std::string GetRangerAdminDefaultSiteXml(const std::string& pg_driver,
- uint16_t shutdown_port) {
+inline std::string GetRangerAdminDefaultSiteXml(const std::string& pg_driver) {
// ranger-admin-default-site.xml
// - postgres JDBC driver path
// - RANGER_HOME (needed for jceks/KMS), impala says this is ranger-home,
but the
// conf/jcsks directory doesn't exist for us.
//
// $0: postgres JDBC driver path
- // $1: ranger shutdown port
const char* kRangerAdminDefaultSiteTemplate = R"(
<configuration>
@@ -197,8 +200,9 @@ inline std::string GetRangerAdminDefaultSiteXml(const
std::string& pg_driver,
<description/>
</property>
<property>
+ <!-- Explicitly disable opening the shutdown port -->
<name>ranger.service.shutdown.port</name>
- <value>$1</value>
+ <value>-1</value>
</property>
<!-- JPA config we can't remove because Ranger fails to start due to config
resolution issues -->
@@ -300,8 +304,7 @@ inline std::string GetRangerAdminDefaultSiteXml(const
std::string& pg_driver,
</property>
</configuration>
)";
- return strings::Substitute(kRangerAdminDefaultSiteTemplate, pg_driver,
- shutdown_port);
+ return strings::Substitute(kRangerAdminDefaultSiteTemplate, pg_driver);
}
// Gets the contents of the log4j.properties file which is used to set up the