RANGER-203: 1. Config file renamed to support new service-types: xasecure-audit.xml ==> ranger-type-audit.xml (type: hdfs/hive/hbase/knox/storm/yarn/…) xasecure-security.xml ==> ranger-type-security.xml (type: hdfs/hive/hbase/knox/storm/yarn/…)
2. Plugin installation script (enable-agent.sh) updated to support plugins whose installation directory is different from the plugin name (for example: yarn plugin needs to be installed under hadoop directory) 3. Replaced old/unused properties in ranger-type-security.xml with new properties. 4. RangerBasePlugin.init() updated to initialize Audit Framework 5. PolicyRefresher updated to store/use policies in local cache. Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/2e486daa Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/2e486daa Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/2e486daa Branch: refs/heads/stack Commit: 2e486daa43bc219b430ccf73463d5fd65d3a0c79 Parents: 4476585 Author: Madhan Neethiraj <[email protected]> Authored: Tue Feb 3 15:57:00 2015 -0800 Committer: Madhan Neethiraj <[email protected]> Committed: Tue Feb 3 15:57:00 2015 -0800 ---------------------------------------------------------------------- agents-common/scripts/enable-agent.sh | 9 +- .../hadoop/config/RangerConfiguration.java | 82 +++----- .../hadoop/constants/RangerHadoopConstants.java | 8 - .../plugin/policyengine/RangerResourceImpl.java | 6 +- .../ranger/plugin/service/RangerBasePlugin.java | 12 +- .../plugin/store/rest/ServiceRESTStore.java | 5 +- .../ranger/plugin/util/PolicyRefresher.java | 143 ++++++++++++-- hbase-agent/conf/ranger-hbase-audit-changes.cfg | 34 ++++ hbase-agent/conf/ranger-hbase-audit.xml | 191 +++++++++++++++++++ .../conf/ranger-hbase-security-changes.cfg | 28 +++ hbase-agent/conf/ranger-hbase-security.xml | 72 +++++++ hbase-agent/conf/xasecure-audit-changes.cfg | 34 ---- hbase-agent/conf/xasecure-audit.xml | 191 ------------------- .../conf/xasecure-hbase-security-changes.cfg | 26 --- hbase-agent/conf/xasecure-hbase-security.xml | 85 --------- .../hbase/RangerAuthorizationCoprocessor.java | 4 +- 
hdfs-agent/conf/ranger-hdfs-audit-changes.cfg | 34 ++++ hdfs-agent/conf/ranger-hdfs-audit.xml | 191 +++++++++++++++++++ .../conf/ranger-hdfs-security-changes.cfg | 26 +++ hdfs-agent/conf/ranger-hdfs-security.xml | 100 ++++++++++ hdfs-agent/conf/xasecure-audit-changes.cfg | 34 ---- hdfs-agent/conf/xasecure-audit.xml | 191 ------------------- .../conf/xasecure-hdfs-security-changes.cfg | 24 --- hdfs-agent/conf/xasecure-hdfs-security.xml | 125 ------------ .../namenode/RangerFSPermissionChecker.java | 17 +- hive-agent/conf/ranger-hive-audit-changes.cfg | 34 ++++ hive-agent/conf/ranger-hive-audit.xml | 191 +++++++++++++++++++ .../conf/ranger-hive-security-changes.cfg | 28 +++ hive-agent/conf/ranger-hive-security.xml | 73 +++++++ hive-agent/conf/xasecure-audit-changes.cfg | 34 ---- hive-agent/conf/xasecure-audit.xml | 191 ------------------- .../conf/xasecure-hive-security-changes.cfg | 27 --- hive-agent/conf/xasecure-hive-security.xml | 84 -------- .../hive/authorizer/RangerHiveAuthorizer.java | 36 ++-- .../org/apache/ranger/rest/ServiceREST.java | 4 +- .../conf.dist/security-applicationContext.xml | 1 + 36 files changed, 1215 insertions(+), 1160 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/agents-common/scripts/enable-agent.sh ---------------------------------------------------------------------- diff --git a/agents-common/scripts/enable-agent.sh b/agents-common/scripts/enable-agent.sh index f8d90ad..ebaca12 100755 --- a/agents-common/scripts/enable-agent.sh +++ b/agents-common/scripts/enable-agent.sh 
@@ -105,7 +105,14 @@ PROJ_INSTALL_LIB_DIR="${PROJ_INSTALL_DIR}/install/lib" INSTALL_ARGS="${PROJ_INSTALL_DIR}/install.properties" JAVA=$JAVA_HOME/bin/java -hdir=${PROJ_INSTALL_DIR}/../${HCOMPONENT_NAME} +HCOMPONENT_INSTALL_DIR_NAME=$(getInstallProperty 'COMPONENT_INSTALL_DIR_NAME') + +if [ "${HCOMPONENT_INSTALL_DIR_NAME}" = "" ] +then + HCOMPONENT_INSTALL_DIR_NAME=${HCOMPONENT_NAME} +fi + +hdir=${PROJ_INSTALL_DIR}/../${HCOMPONENT_INSTALL_DIR_NAME} # # TEST - START http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerConfiguration.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerConfiguration.java b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerConfiguration.java index 796776a..7c81d09 100644 --- a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerConfiguration.java +++ b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerConfiguration.java @@ -28,7 +28,6 @@ import java.util.Properties; import org.apache.hadoop.conf.Configuration; import org.apache.log4j.Logger; import org.apache.ranger.audit.provider.AuditProviderFactory; -import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants; public class RangerConfiguration extends Configuration { 
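Review bot: The new `HCOMPONENT_INSTALL_DIR_NAME` is read from install.properties and spliced straight into `hdir=${PROJ_INSTALL_DIR}/../${HCOMPONENT_INSTALL_DIR_NAME}` with no check that it is a bare directory name, so a value containing `/` or `..` (or whitespace, since the expansion is unquoted) points the rest of the installer at an unintended directory. install.properties is operator-controlled, so this is hardening rather than an exploit path, but the script typically runs with elevated privileges and the guard is one line after the fallback assignment: `case "${HCOMPONENT_INSTALL_DIR_NAME}" in */*|*..*|*' '*) echo "Invalid COMPONENT_INSTALL_DIR_NAME: ${HCOMPONENT_INSTALL_DIR_NAME}"; exit 1;; esac`. It would also help to fail fast with `[ -d "${hdir}" ] || { echo "component directory ${hdir} not found"; exit 1; }` instead of discovering a bad path later; the code that consumes hdir is outside this hunk.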
@@ -38,36 +37,28 @@ public class RangerConfiguration extends Configuration { private RangerConfiguration() { super(false) ; + } + + public void addResourcesForServiceType(String serviceType) { + String auditCfg = "ranger-" + serviceType + "-audit.xml"; + String securityCfg = "ranger-" + serviceType + "-security.xml"; - // - // WorkAround for having all Hadoop Configuration in the CLASSPATH first, even if it is invoked by Hive Engine. - // - // So, we look for "hive-site.xml", if it is available, take the xasecure-audit.xml file from the same location. - // If we do not see "hive-site.xml", we look for "hbase-site.xml", if found, take the xasecure-audit.xml file from the same location. - // If we do not see "hbase-site.xml", we look for "hdfs-site.xml", if found, take the xasecure-audit.xml file from the same location. - // If we do not see, we let the CLASSPATH based search to find xasecure-audit.xml file. - - - URL auditFileLocation = getRangerAuditXMLFileLocation() ; - - if (auditFileLocation != null) { - addResource(auditFileLocation) ; - } - else { - addResourceIfReadable(RangerHadoopConstants.RANGER_AUDIT_FILE) ; - } - addResourceIfReadable(RangerHadoopConstants.RANGER_HDFS_SECURITY_FILE); - addResourceIfReadable(RangerHadoopConstants.RANGER_KNOX_SECURITY_FILE); - addResourceIfReadable(RangerHadoopConstants.RANGER_HBASE_SECURITY_FILE) ; - addResourceIfReadable(RangerHadoopConstants.RANGER_HIVE_SECURITY_FILE) ; - addResourceIfReadable(RangerHadoopConstants.RANGER_STORM_SECURITY_FILE); - + addResourceIfReadable(auditCfg); + addResourceIfReadable(securityCfg); } - + @SuppressWarnings("deprecation") private void addResourceIfReadable(String aResourceName) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> addResourceIfReadable(" + aResourceName + ")"); + } + String fName = getFileLocation(aResourceName) ; if (fName != null) { + if(LOG.isDebugEnabled()) { + LOG.debug("<== addResourceIfReadable(" + aResourceName + "): resource file is " + fName); + } + File f = new 
File(fName) ; if (f.exists() && f.canRead()) { URL fUrl = null ; @@ -75,10 +66,24 @@ public class RangerConfiguration extends Configuration { fUrl = f.toURL() ; addResource(fUrl) ; } catch (MalformedURLException e) { - LOG.debug("Unable to find URL for the resource name [" + aResourceName +"]. Ignoring the resource:" + aResourceName); + if(LOG.isDebugEnabled()) { + LOG.debug("Unable to find URL for the resource name [" + aResourceName +"]. Ignoring the resource:" + aResourceName); + } } + } else { + if(LOG.isDebugEnabled()) { + LOG.debug("<== addResourceIfReadable(" + aResourceName + "): resource not readable"); + } + } + } else { + if(LOG.isDebugEnabled()) { + LOG.debug("<== addResourceIfReadable(" + aResourceName + "): couldn't find resource file location"); } } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== addResourceIfReadable(" + aResourceName + ")"); + } } @@ -118,31 +123,6 @@ public class RangerConfiguration extends Configuration { return auditFactory != null && auditFactory.isInitDone(); } - - - @SuppressWarnings("deprecation") - public URL getRangerAuditXMLFileLocation() { - URL ret = null ; - - try { - for(String cfgFile : new String[] { "hive-site.xml", "hbase-site.xml", "hdfs-site.xml" } ) { - String loc = getFileLocation(cfgFile) ; - if (loc != null) { - if (new File(loc).canRead()) { - File parentFile = new File(loc).getParentFile() ; - ret = new File(parentFile, RangerHadoopConstants.RANGER_AUDIT_FILE).toURL() ; - break ; - } - } - } - } - catch(Throwable t) { - LOG.error("Unable to locate audit file location." , t) ; - ret = null ; - } - - return ret ; - } private String getFileLocation(String fileName) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java ---------------------------------------------------------------------- 
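Review bot: `addResourcesForServiceType` reports a missing `ranger-<type>-audit.xml` or `ranger-<type>-security.xml` only at debug level, via `addResourceIfReadable`, so a plugin deployed without its security file starts silently on built-in defaults (the `ranger.plugin.<type>.service.name` lookup in RangerBasePlugin.init() then yields null and the REST store falls back to its hard-coded URL). Since these two files are exactly what configures authorisation and auditing for the component, their absence deserves a warning: have `addResourceIfReadable` return a boolean and, in `addResourcesForServiceType`, log `LOG.warn("configuration file " + securityCfg + " not found for serviceType " + serviceType + "; plugin will run with default configuration");` when it returns false for either file. The remainder of addResourceIfReadable is in the following hunk.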
diff --git a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java index 906e941..652d105 100644 --- a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java +++ b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java @@ -20,14 +20,6 @@ package org.apache.ranger.authorization.hadoop.constants; public class RangerHadoopConstants { - public static final String RANGER_AUDIT_FILE = "xasecure-audit.xml" ; - public static final String RANGER_HDFS_SECURITY_FILE = "xasecure-hdfs-security.xml" ; - public static final String RANGER_KNOX_SECURITY_FILE = "xasecure-knox-security.xml" ; - public static final String RANGER_HBASE_SECURITY_FILE = "xasecure-hbase-security.xml" ; - public static final String RANGER_HIVE_SECURITY_FILE = "xasecure-hive-security.xml" ; - public static final String RANGER_POLICYMGR_SSL_FILE = "xasecure-policymgr-ssl.xml" ; - public static final String RANGER_STORM_SECURITY_FILE = "xasecure-storm-security.xml" ; - public static final String RANGER_ADD_HDFS_PERMISSION_PROP = "xasecure.add-hadoop-authorization" ; public static final boolean RANGER_ADD_HDFS_PERMISSION_DEFAULT = false ; public static final String READ_ACCCESS_TYPE = "read"; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java index 86f7ea4..740a427 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java 
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerResourceImpl.java @@ -75,7 +75,11 @@ public class RangerResourceImpl implements RangerMutableResource { elements = new HashMap<String, String>(); } - elements.put(name, value); + if(value == null) { + elements.remove(name); + } else { + elements.put(name, value); + } } @Override http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java index 8f1fa5f..f442b9a 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java @@ -35,19 +35,25 @@ import org.apache.ranger.plugin.util.PolicyRefresher; public class RangerBasePlugin { private String serviceType = null; + private String auditAppType = null; private String serviceName = null; private RangerPolicyEngine policyEngine = null; private PolicyRefresher refresher = null; - public RangerBasePlugin(String serviceType) { - this.serviceType = serviceType; + public RangerBasePlugin(String serviceType, String auditAppType) { + this.serviceType = serviceType; + this.auditAppType = auditAppType; } public String getServiceType() { return serviceType; } + public String getAuditAppType() { + return auditAppType; + } + public String getServiceName() { return serviceName; } 
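Review bot: The setter now turns a null value into `elements.remove(name)` instead of storing a null entry, which is a behaviour change for any caller that distinguished "present with null value" from "absent" through `containsKey`-style checks on the elements map; nothing in the hunk says so. Document it on the branch: `// A null value unsets the element; an explicit null is never stored, so "absent" and "set to null" are indistinguishable to readers.` The enclosing setter's signature is outside this hunk.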
@@ -65,6 +71,8 @@ public class RangerBasePlugin { public synchronized void init(RangerPolicyEngine policyEngine) { cleanup(); + RangerConfiguration.getInstance().addResourcesForServiceType(serviceType); + RangerConfiguration.getInstance().initAudit(auditAppType); String serviceName = RangerConfiguration.getInstance().get("ranger.plugin." + serviceType + ".service.name"); String serviceStoreClass = RangerConfiguration.getInstance().get("ranger.plugin." + serviceType + ".service.store.class", "org.apache.ranger.plugin.store.rest.ServiceRESTStore"); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java index dd3624b..2318f76 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java @@ -64,7 +64,7 @@ public class ServiceRESTStore implements ServiceStore { public final String REST_URL_POLICY_GET_ALL = "/service/plugins/policies"; public final String REST_URL_POLICY_GET_FOR_SERVICE = "/service/plugins/policies/service/"; public final String REST_URL_POLICY_GET_FOR_SERVICE_BY_NAME = "/service/plugins/policies/service/name/"; - public final String REST_URL_POLICY_GET_FOR_SERVICE_IF_UPDATED = "/service/plugins/policies/service/name/"; + public final String REST_URL_POLICY_GET_FOR_SERVICE_IF_UPDATED = "/service/plugins/policies/download/"; public static final String REST_MIME_TYPE_JSON = "application/json" ; 
@@ -83,12 +83,9 @@ public class ServiceRESTStore implements ServiceStore { @Override public void init() throws Exception { String restUrl = RangerConfiguration.getInstance().get("ranger.service.store.rest.url", "http://localhost:6080"); - String restUsername = RangerConfiguration.getInstance().get("ranger.service.store.rest.username", "admin"); - String restPassword = RangerConfiguration.getInstance().get("ranger.service.store.rest.password", "admin"); String sslConfigFile = RangerConfiguration.getInstance().get("ranger.service.store.rest.ssl.config.file", ""); restClient = new RangerRESTClient(restUrl, sslConfigFile); - restClient.setBasicAuthInfo(restUsername, restPassword); } @Override http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java index 7112562..152309d 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java @@ -19,11 +19,21 @@ package org.apache.ranger.plugin.util; +import java.io.File; +import java.io.FileReader; +import java.io.FileWriter; +import java.io.Reader; +import java.io.Writer; + +import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; import org.apache.ranger.plugin.store.ServiceStore; +import com.google.gson.Gson; +import com.google.gson.GsonBuilder; + public class PolicyRefresher extends Thread { private static final Log LOG = LogFactory.getLog(PolicyRefresher.class); 
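Review bot: With `setBasicAuthInfo` removed, requests to `REST_URL_POLICY_GET_FOR_SERVICE_IF_UPDATED` (now `/service/plugins/policies/download/`) carry no credentials at all, so the admin server must either serve policy downloads anonymously or authenticate the client by other means; the one-line change to security-applicationContext.xml in the diffstat suggests the former. Policies disclose which users and groups may reach which resources, so an anonymous endpoint should be restricted to the download path only and ideally protected by client certificates via `ranger.service.store.rest.ssl.config.file`, which is the only remaining hook in this method. Making that trust model explicit would help the next reader, e.g. `// no basic-auth: policy download relies on the SSL config (client cert) or on the server permitting anonymous download` above `restClient = new RangerRESTClient(restUrl, sslConfigFile);`, and the plain `http://localhost:6080` default invites an unencrypted deployment. Dropping the hard-coded admin/admin default is the right call.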
@@ -33,14 +43,17 @@ public class PolicyRefresher extends Thread { private String serviceName = null; private ServiceStore serviceStore = null; private long pollingIntervalMs = 30 * 1000; + private String cacheFile = null; + + private boolean shutdownFlag = false; + private long lastKnownVersion = -1; + private Gson gson = null; - private boolean shutdownFlag = false; - private ServicePolicies lastKnownPolicies = null; public PolicyRefresher(RangerPolicyEngine policyEngine, String serviceType, String serviceName, ServiceStore serviceStore, long pollingIntervalMs, String cacheDir) { if(LOG.isDebugEnabled()) { - LOG.debug("==> PolicyRefresher.PolicyRefresher(serviceName=" + serviceName + ")"); + LOG.debug("==> PolicyRefresher(serviceName=" + serviceName + ").PolicyRefresher()"); } this.policyEngine = policyEngine; @@ -48,9 +61,16 @@ public class PolicyRefresher extends Thread { this.serviceName = serviceName; this.serviceStore = serviceStore; this.pollingIntervalMs = pollingIntervalMs; + this.cacheFile = cacheDir == null ? null : (cacheDir + File.separator + String.format("%s_%s.json", serviceType, serviceName)); + + try { + this.gson = new GsonBuilder().setDateFormat("yyyyMMdd-HH:mm:ss.SSS-Z").setPrettyPrinting().create(); + } catch(Throwable excp) { + LOG.fatal("PolicyRefresher(): failed to create GsonBuilder object", excp); + } if(LOG.isDebugEnabled()) { - LOG.debug("<== PolicyRefresher.PolicyRefresher(serviceName=" + serviceName + ")"); + LOG.debug("<== PolicyRefresher(serviceName=" + serviceName + ").PolicyRefresher()"); } } @@ -96,7 +116,10 @@ public class PolicyRefresher extends Thread { this.pollingIntervalMs = pollingIntervalMilliSeconds; } + public void startRefresher() { + loadFromCache(); + shutdownFlag = false; super.start(); 
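Review bot: `cacheFile` is built with `String.format("%s_%s.json", serviceType, serviceName)` from the configured service name without sanitising it, so a name containing `/` or `..` makes `saveToCache` write, and `loadFromCache` read, outside `cacheDir`. The name comes from `ranger.plugin.<type>.service.name` in an operator-owned file, so this is hardening rather than a live hole, but since the cache content is later fed straight into the policy engine the file location should be deterministic: `String safeName = serviceName == null ? "null" : serviceName.replaceAll("[^A-Za-z0-9._-]", "_");` before the format call. Separately, `gson` is left null when `GsonBuilder` fails (only a fatal log), which later surfaces as an NPE inside loadFromCache/saveToCache swallowed by their generic handlers; throwing from the constructor would make the failure visible.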
@@ -108,34 +131,38 @@ public class PolicyRefresher extends Thread { public void run() { if(LOG.isDebugEnabled()) { - LOG.debug("==> PolicyRefresher.run()"); + LOG.debug("==> PolicyRefresher(serviceName=" + serviceName + ").run()"); } while(! shutdownFlag) { try { - long lastKnownVersion = (lastKnownPolicies == null || lastKnownPolicies.getPolicyVersion() == null) ? 0 : lastKnownPolicies.getPolicyVersion().longValue(); - ServicePolicies svcPolicies = serviceStore.getServicePoliciesIfUpdated(serviceName, lastKnownVersion); - long newVersion = (svcPolicies == null || svcPolicies.getPolicyVersion() == null) ? 0 : svcPolicies.getPolicyVersion().longValue(); + long newVersion = (svcPolicies == null || svcPolicies.getPolicyVersion() == null) ? -1 : svcPolicies.getPolicyVersion().longValue(); - boolean isUpdated = newVersion != 0 && lastKnownVersion != newVersion; + boolean isUpdated = newVersion != -1 && lastKnownVersion != newVersion; if(isUpdated) { - if(LOG.isDebugEnabled()) { - LOG.debug("PolicyRefresher(serviceName=" + serviceName + ").run(): found updated version. lastKnownVersion=" + lastKnownVersion + "; newVersion=" + newVersion); + if(!StringUtils.equals(serviceName, svcPolicies.getServiceName())) { + LOG.warn("PolicyRefresher(serviceName=" + serviceName + "): ignoring unexpected serviceName '" + svcPolicies.getServiceName() + "' in service-store"); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("PolicyRefresher(serviceName=" + serviceName + "): found updated version. lastKnownVersion=" + lastKnownVersion + "; newVersion=" + newVersion); } + saveToCache(svcPolicies); + + lastKnownVersion = svcPolicies.getPolicyVersion() == null ? -1 : svcPolicies.getPolicyVersion().longValue(); + policyEngine.setPolicies(serviceName, svcPolicies.getServiceDef(), svcPolicies.getPolicies()); - - lastKnownPolicies = svcPolicies; } else { if(LOG.isDebugEnabled()) { LOG.debug("PolicyRefresher(serviceName=" + serviceName + ").run(): no update found. 
lastKnownVersion=" + lastKnownVersion + "; newVersion=" + newVersion); } } } catch(Exception excp) { - LOG.error("PolicyRefresher(serviceName=" + serviceName + ").run(): ", excp); + LOG.error("PolicyRefresher(serviceName=" + serviceName + "): failed to refresh policies. Will continue to use last known version of policies (" + lastKnownVersion + ")", excp); } try { 
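Review bot: The new serviceName check in run() logs that the mismatched policies are being ignored, but execution falls through to `saveToCache(svcPolicies)` and `policyEngine.setPolicies(...)`, so policies belonging to a different service are applied and cached anyway. If the store ever returns another service's policy set (a misconfigured `service.name`, or a server-side mix-up), this plugin would enforce rules written for a different repository, which is an authorisation defect rather than a logging nit. Fold the comparison into the update decision, `boolean isUpdated = newVersion != -1 && lastKnownVersion != newVersion && StringUtils.equals(serviceName, svcPolicies.getServiceName());`, and keep the `LOG.warn` in an else-branch so a mismatch is treated as "no usable update" while the sleep at the bottom of the loop still runs. The enclosing while loop ends outside this hunk.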
@@ -148,7 +175,93 @@ public class PolicyRefresher extends Thread { } if(LOG.isDebugEnabled()) { - LOG.debug("<== PolicyRefresher.run()"); + LOG.debug("<== PolicyRefresher(serviceName=" + serviceName + ").run()"); + } + } + + private void loadFromCache() { + if(LOG.isDebugEnabled()) { + LOG.debug("==> PolicyRefresher(serviceName=" + serviceName + ").loadFromCache()"); + } + + RangerPolicyEngine policyEngine = this.policyEngine; + + if(policyEngine != null) { + File cacheFile = StringUtils.isEmpty(this.cacheFile) ? null : new File(this.cacheFile); + + if(cacheFile != null && cacheFile.isFile() && cacheFile.canRead()) { + Reader reader = null; + + try { + reader = new FileReader(cacheFile); + + ServicePolicies policies = gson.fromJson(reader, ServicePolicies.class); + + if(policies != null) { + if(!StringUtils.equals(serviceName, policies.getServiceName())) { + LOG.warn("ignoring unexpected serviceName '" + policies.getServiceName() + "' in cache file '" + cacheFile.getAbsolutePath() + "'"); + } + + lastKnownVersion = policies.getPolicyVersion() == null ? -1 : policies.getPolicyVersion().longValue(); + + policyEngine.setPolicies(serviceName, policies.getServiceDef(), policies.getPolicies()); + } + } catch (Exception excp) { + LOG.error("failed to load policies from cache file " + cacheFile.getAbsolutePath(), excp); + } finally { + if(reader != null) { + try { + reader.close(); + } catch(Exception excp) { + LOG.error("error while closing opened cache file " + cacheFile.getAbsolutePath(), excp); + } + } + } + } else { + LOG.warn("cache file does not exist or not readble '" + (cacheFile == null ? 
null : cacheFile.getAbsolutePath()) + "'"); + } + } else { + LOG.warn("policyEngine is null"); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== PolicyRefresher(serviceName=" + serviceName + ").loadFromCache()"); + } + } + + private void saveToCache(ServicePolicies policies) { + if(LOG.isDebugEnabled()) { + LOG.debug("==> PolicyRefresher(serviceName=" + serviceName + ").saveToCache()"); + } + + if(policies != null) { + File cacheFile = StringUtils.isEmpty(this.cacheFile) ? null : new File(this.cacheFile); + + if(cacheFile != null) { + Writer writer = null; + + try { + writer = new FileWriter(cacheFile); + + gson.toJson(policies, writer); + } catch (Exception excp) { + LOG.error("failed to save policies to cache file '" + cacheFile.getAbsolutePath() + "'", excp); + } finally { + if(writer != null) { + try { + writer.close(); + } catch(Exception excp) { + LOG.error("error while closing opened cache file '" + cacheFile.getAbsolutePath() + "'", excp); + } + } + } + } + } else { + LOG.info("policies is null. Nothing to save in cache"); + } + + if(LOG.isDebugEnabled()) { + LOG.debug("<== PolicyRefresher(serviceName=" + serviceName + ").saveToCache()"); } } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hbase-agent/conf/ranger-hbase-audit-changes.cfg ---------------------------------------------------------------------- diff --git a/hbase-agent/conf/ranger-hbase-audit-changes.cfg b/hbase-agent/conf/ranger-hbase-audit-changes.cfg new file mode 100644 index 0000000..cbaf227 --- /dev/null +++ b/hbase-agent/conf/ranger-hbase-audit-changes.cfg 
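Review bot: `saveToCache` opens `cacheFile` directly with `FileWriter`, so a crash between truncation and the final flush leaves a partial JSON file; on the next start `loadFromCache` fails to parse it, logs and swallows the error, and the plugin comes up with no policies at all. Writing to a sibling temp file and renaming it over the cache makes the update atomic on POSIX filesystems (the rename target semantics differ on Windows, which is presumably not a deployment target here). The read side has the same trust issue as the refresh loop: whatever is in the cache is handed to `policyEngine.setPolicies` with only a warning on serviceName mismatch, so the mismatch case should skip `setPolicies`, and `loadFromCache` deserves a comment that the cache directory must be writable only by the plugin's service account because its content is applied without further validation. Both methods also rely on the platform default charset via FileReader/FileWriter; an explicit UTF-8 reader/writer (java.io imports needed) keeps the cache portable between hosts.
```java
private void saveToCache(ServicePolicies policies) {
    // … unchanged: entry debug log and null check on policies …
    File cacheFile = StringUtils.isEmpty(this.cacheFile) ? null : new File(this.cacheFile);
    if(cacheFile != null) {
        // write to a sibling temp file and rename it over the cache so a reader never sees a partial JSON document
        File tmpFile = new File(cacheFile.getPath() + ".tmp");
        Writer writer = null;
        try {
            writer = new OutputStreamWriter(new FileOutputStream(tmpFile), "UTF-8");
            gson.toJson(policies, writer);
            writer.close();
            writer = null;
            if(!tmpFile.renameTo(cacheFile)) {
                LOG.error("failed to rename '" + tmpFile.getAbsolutePath() + "' to '" + cacheFile.getAbsolutePath() + "'");
            }
        } catch (Exception excp) {
            LOG.error("failed to save policies to cache file '" + cacheFile.getAbsolutePath() + "'", excp);
        } finally {
            // … unchanged: close writer if still open …
        }
    }
    // … unchanged: exit debug log …
}
```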
@@ -0,0 +1,34 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +xasecure.audit.db.is.enabled %XAAUDIT.DB.IS_ENABLED% mod create-if-not-exists +xasecure.audit.jpa.javax.persistence.jdbc.url %XAAUDIT_DB_JDBC_URL% mod create-if-not-exists +xasecure.audit.jpa.javax.persistence.jdbc.user %XAAUDIT.DB.USER_NAME% mod create-if-not-exists +xasecure.audit.jpa.javax.persistence.jdbc.password crypted mod create-if-not-exists +xasecure.audit.repository.name %REPOSITORY_NAME% mod create-if-not-exists +xasecure.audit.credential.provider.file jceks://file%CREDENTIAL_PROVIDER_FILE% mod create-if-not-exists +xasecure.audit.jpa.javax.persistence.jdbc.driver %XAAUDIT_DB_JDBC_DRIVER% mod create-if-not-exists + +xasecure.audit.hdfs.is.enabled %XAAUDIT.HDFS.IS_ENABLED% mod create-if-not-exists +xasecure.audit.hdfs.config.destination.directory %XAAUDIT.HDFS.DESTINATION_DIRECTORY% mod create-if-not-exists +xasecure.audit.hdfs.config.destination.file %XAAUDIT.HDFS.DESTINTATION_FILE% mod create-if-not-exists +xasecure.audit.hdfs.config.destination.flush.interval.seconds %XAAUDIT.HDFS.DESTINTATION_FLUSH_INTERVAL_SECONDS% mod create-if-not-exists +xasecure.audit.hdfs.config.destination.rollover.interval.seconds %XAAUDIT.HDFS.DESTINTATION_ROLLOVER_INTERVAL_SECONDS% 
mod create-if-not-exists +xasecure.audit.hdfs.config.destination.open.retry.interval.seconds %XAAUDIT.HDFS.DESTINTATION_OPEN_RETRY_INTERVAL_SECONDS% mod create-if-not-exists +xasecure.audit.hdfs.config.local.buffer.directory %XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY% mod create-if-not-exists +xasecure.audit.hdfs.config.local.buffer.file %XAAUDIT.HDFS.LOCAL_BUFFER_FILE% mod create-if-not-exists +xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds %XAAUDIT.HDFS.LOCAL_BUFFER_FLUSH_INTERVAL_SECONDS% mod create-if-not-exists +xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds %XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS% mod create-if-not-exists +xasecure.audit.hdfs.config.local.archive.directory %XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY% mod create-if-not-exists +xasecure.audit.hdfs.config.local.archive.max.file.count %XAAUDIT.HDFS.LOCAL_ARCHIVE_MAX_FILE_COUNT% mod create-if-not-exists http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hbase-agent/conf/ranger-hbase-audit.xml ---------------------------------------------------------------------- diff --git a/hbase-agent/conf/ranger-hbase-audit.xml b/hbase-agent/conf/ranger-hbase-audit.xml new file mode 100644 index 0000000..be2661a --- /dev/null +++ b/hbase-agent/conf/ranger-hbase-audit.xml 
@@ -0,0 +1,191 @@ +<?xml version="1.0"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<?xml-stylesheet type="text/xsl" href="configuration.xsl"?> +<configuration xmlns:xi="http://www.w3.org/2001/XInclude"> + <property> + <name>xasecure.audit.is.enabled</name> + <value>true</value> + </property> + + <property> + <name>xasecure.audit.repository.name</name> + <value>hbasedev</value> + </property> + + + <!-- DB audit provider configuration --> + <property> + <name>xasecure.audit.db.is.enabled</name> + <value>false</value> + </property> + + <property> + <name>xasecure.audit.db.is.async</name> + <value>true</value> + </property> + + <property> + <name>xasecure.audit.db.async.max.queue.size</name> + <value>10240</value> + </property> + + <property> + <name>xasecure.audit.db.async.max.flush.interval.ms</name> + <value>30000</value> + </property> + + <property> + <name>xasecure.audit.db.batch.size</name> + <value>100</value> + </property> + + <!-- Properties whose name begin with "xasecure.audit.jpa." 
are used to configure JPA --> + <property> + <name>xasecure.audit.jpa.javax.persistence.jdbc.url</name> + <value>jdbc:mysql://localhost:3306/ranger_audit</value> + </property> + + <property> + <name>xasecure.audit.jpa.javax.persistence.jdbc.user</name> + <value>rangerlogger</value> + </property> + + <property> + <name>xasecure.audit.jpa.javax.persistence.jdbc.password</name> + <value>none</value> + </property> + + <property> + <name>xasecure.audit.jpa.javax.persistence.jdbc.driver</name> + <value>com.mysql.jdbc.Driver</value> + </property> + + <property> + <name>xasecure.audit.credential.provider.file</name> + <value>jceks://file/etc/ranger/hbasedev/auditcred.jceks</value> + </property> + + + <!-- HDFS audit provider configuration --> + <property> + <name>xasecure.audit.hdfs.is.enabled</name> + <value>false</value> + </property> + + <property> + <name>xasecure.audit.hdfs.is.async</name> + <value>true</value> + </property> + + <property> + <name>xasecure.audit.hdfs.async.max.queue.size</name> + <value>1048576</value> + </property> + + <property> + <name>xasecure.audit.hdfs.async.max.flush.interval.ms</name> + <value>30000</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.encoding</name> + <value></value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.destination.directory</name> + <value>hdfs://NAMENODE_HOST:8020/ranger/audit/%app-type%/%time:yyyyMMdd%</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.destination.file</name> + <value>%hostname%-audit.log</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.destination.flush.interval.seconds</name> + <value>900</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.destination.rollover.interval.seconds</name> + <value>86400</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.destination.open.retry.interval.seconds</name> + <value>60</value> + </property> + + <property> + 
<name>xasecure.audit.hdfs.config.local.buffer.directory</name> + <value>/var/log/hbase/audit/%app-type%</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.local.buffer.file</name> + <value>%time:yyyyMMdd-HHmm.ss%.log</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.local.buffer.file.buffer.size.bytes</name> + <value>8192</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds</name> + <value>60</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds</name> + <value>600</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.local.archive.directory</name> + <value>/var/log/hbase/audit/archive/%app-type%</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.local.archive.max.file.count</name> + <value>10</value> + </property> + + + <!-- Log4j audit provider configuration --> + <property> + <name>xasecure.audit.log4j.is.enabled</name> + <value>false</value> + </property> + + <property> + <name>xasecure.audit.log4j.is.async</name> + <value>false</value> + </property> + + <property> + <name>xasecure.audit.log4j.async.max.queue.size</name> + <value>10240</value> + </property> + + <property> + <name>xasecure.audit.log4j.async.max.flush.interval.ms</name> + <value>30000</value> + </property> +</configuration> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hbase-agent/conf/ranger-hbase-security-changes.cfg ---------------------------------------------------------------------- diff --git a/hbase-agent/conf/ranger-hbase-security-changes.cfg b/hbase-agent/conf/ranger-hbase-security-changes.cfg new file mode 100644 index 0000000..28f84e7 --- /dev/null +++ b/hbase-agent/conf/ranger-hbase-security-changes.cfg 
@@ -0,0 +1,28 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Change the original policy parameter to work with policy manager based.
+#
+#
+ranger.plugin.hbase.service.name %REPOSITORY_NAME% mod create-if-not-exists
+
+ranger.plugin.hbase.service.store.class org.apache.ranger.plugin.store.rest.ServiceRESTStore mod create-if-not-exists
+ranger.plugin.hbase.service.store.cache.dir %POLICY_CACHE_FILE_PATH% mod create-if-not-exists
+ranger.plugin.hbase.service.store.pollIntervalMs 30000 mod create-if-not-exists
+
+ranger.service.store.rest.url %POLICY_MGR_URL% mod create-if-not-exists
+ranger.service.store.rest.ssl.config.file /etc/hbase/conf/ranger-policymgr-ssl.xml mod create-if-not-exists
+
+xasecure.hbase.update.xapolicies.on.grant.revoke %UPDATE_XAPOLICIES_ON_GRANT_REVOKE% mod create-if-not-exists
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hbase-agent/conf/ranger-hbase-security.xml
----------------------------------------------------------------------
diff --git a/hbase-agent/conf/ranger-hbase-security.xml b/hbase-agent/conf/ranger-hbase-security.xml
new file mode 100644
index 0000000..697ab86
--- /dev/null
+++ b/hbase-agent/conf/ranger-hbase-security.xml
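Review bot: `ranger.plugin.hbase.service.store.cache.dir %POLICY_CACHE_FILE_PATH%` is set with no comment on the trust placed in that directory, although the commit message says PolicyRefresher now stores and reads policies from this local cache, so a file there presumably stands in for Ranger Admin's answer whenever the REST store cannot be reached. A comment above the line such as `# policy cache: must be owned by the HBase service user and not writable by other users` would state the expectation for whoever substitutes the value in enable-agent.sh. The same line exists in the new hdfs file as `ranger.plugin.hdfs.service.store.cache.dir`. Separately, `ranger.service.store.rest.ssl.config.file /etc/hbase/conf/ranger-policymgr-ssl.xml` is the only non-templated path here while its siblings use `%...%` placeholders, which may be intentional but reads as an inconsistency.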
@@ -0,0 +1,72 @@ +<?xml version="1.0"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<?xml-stylesheet type="text/xsl" href="configuration.xsl"?> +<configuration xmlns:xi="http://www.w3.org/2001/XInclude"> + <property> + <name>ranger.plugin.hbase.service.name</name> + <value>hbasedev</value> + <description> + Name of the Ranger service containing policies for this YARN instance + </description> + </property> + + <property> + <name>ranger.plugin.hbase.service.store.class</name> + <value>org.apache.ranger.plugin.store.rest.ServiceRESTStore</value> + <description> + Service storage implementation class to use to retrieve policies + </description> + </property> + + <property> + <name>ranger.plugin.hbase.service.store.pollIntervalMs</name> + <value>30000</value> + <description> + How often to poll for changes in policies? 
+ </description> + </property> + + <property> + <name>ranger.plugin.hbase.service.store.cache.dir</name> + <value>/etc/ranger/hbasedev/policycache</value> + <description> + Directory where Ranger policies are cached after successful retrieval from the store + </description> + </property> + + <!-- The following properties are used only when Ranger Admin REST interface is used to retrieve the policies --> + <property> + <name>ranger.service.store.rest.url</name> + <value>http://policymanagerhost:port</value> + <description> + URL to Ranger Admin + </description> + </property> + + <property> + <name>ranger.service.store.rest.ssl.config.file</name> + <value>/etc/hbase/conf/ranger-policymgr-ssl.xml</value> + <description>Path to the file containing SSL details to contact Ranger Admin</description> + </property> + + <property> + <name>xasecure.hbase.update.xapolicies.on.grant.revoke</name> + <value>true</value> + <description>Should Hbase plugin update Ranger policies for updates to permissions done using GRANT/REVOKE?</description> + </property> +</configuration> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hbase-agent/conf/xasecure-audit-changes.cfg ---------------------------------------------------------------------- diff --git a/hbase-agent/conf/xasecure-audit-changes.cfg b/hbase-agent/conf/xasecure-audit-changes.cfg deleted file mode 100644 index cbaf227..0000000 --- a/hbase-agent/conf/xasecure-audit-changes.cfg +++ /dev/null 
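Review bot: The `<description>` under `ranger.plugin.hbase.service.name` reads `Name of the Ranger service containing policies for this YARN instance`, which is a copy-paste slip in an HBase plugin file; it should read `Name of the Ranger service containing policies for this HBase instance`. The same sentence appears in the new ranger-hdfs-security.xml further down, whose hunk runs past the end of this view. The sample `http://policymanagerhost:port` for `ranger.service.store.rest.url` sits next to `ranger.service.store.rest.ssl.config.file` with nothing saying how the two relate; a description noting that an https URL is presumably what makes the SSL file relevant would help operators notice a deployment that would otherwise fetch authorization policies over plain HTTP.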
@@ -1,34 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -xasecure.audit.db.is.enabled %XAAUDIT.DB.IS_ENABLED% mod create-if-not-exists -xasecure.audit.jpa.javax.persistence.jdbc.url %XAAUDIT_DB_JDBC_URL% mod create-if-not-exists -xasecure.audit.jpa.javax.persistence.jdbc.user %XAAUDIT.DB.USER_NAME% mod create-if-not-exists -xasecure.audit.jpa.javax.persistence.jdbc.password crypted mod create-if-not-exists -xasecure.audit.repository.name %REPOSITORY_NAME% mod create-if-not-exists -xasecure.audit.credential.provider.file jceks://file%CREDENTIAL_PROVIDER_FILE% mod create-if-not-exists -xasecure.audit.jpa.javax.persistence.jdbc.driver %XAAUDIT_DB_JDBC_DRIVER% mod create-if-not-exists - -xasecure.audit.hdfs.is.enabled %XAAUDIT.HDFS.IS_ENABLED% mod create-if-not-exists -xasecure.audit.hdfs.config.destination.directory %XAAUDIT.HDFS.DESTINATION_DIRECTORY% mod create-if-not-exists -xasecure.audit.hdfs.config.destination.file %XAAUDIT.HDFS.DESTINTATION_FILE% mod create-if-not-exists -xasecure.audit.hdfs.config.destination.flush.interval.seconds %XAAUDIT.HDFS.DESTINTATION_FLUSH_INTERVAL_SECONDS% mod create-if-not-exists -xasecure.audit.hdfs.config.destination.rollover.interval.seconds %XAAUDIT.HDFS.DESTINTATION_ROLLOVER_INTERVAL_SECONDS% 
mod create-if-not-exists -xasecure.audit.hdfs.config.destination.open.retry.interval.seconds %XAAUDIT.HDFS.DESTINTATION_OPEN_RETRY_INTERVAL_SECONDS% mod create-if-not-exists -xasecure.audit.hdfs.config.local.buffer.directory %XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY% mod create-if-not-exists -xasecure.audit.hdfs.config.local.buffer.file %XAAUDIT.HDFS.LOCAL_BUFFER_FILE% mod create-if-not-exists -xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds %XAAUDIT.HDFS.LOCAL_BUFFER_FLUSH_INTERVAL_SECONDS% mod create-if-not-exists -xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds %XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS% mod create-if-not-exists -xasecure.audit.hdfs.config.local.archive.directory %XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY% mod create-if-not-exists -xasecure.audit.hdfs.config.local.archive.max.file.count %XAAUDIT.HDFS.LOCAL_ARCHIVE_MAX_FILE_COUNT% mod create-if-not-exists http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hbase-agent/conf/xasecure-audit.xml ---------------------------------------------------------------------- diff --git a/hbase-agent/conf/xasecure-audit.xml b/hbase-agent/conf/xasecure-audit.xml deleted file mode 100644 index be2661a..0000000 --- a/hbase-agent/conf/xasecure-audit.xml +++ /dev/null 
@@ -1,191 +0,0 @@ -<?xml version="1.0"?> -<!-- - Licensed to the Apache Software Foundation (ASF) under one or more - contributor license agreements. See the NOTICE file distributed with - this work for additional information regarding copyright ownership. - The ASF licenses this file to You under the Apache License, Version 2.0 - (the "License"); you may not use this file except in compliance with - the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. ---> -<?xml-stylesheet type="text/xsl" href="configuration.xsl"?> -<configuration xmlns:xi="http://www.w3.org/2001/XInclude"> - <property> - <name>xasecure.audit.is.enabled</name> - <value>true</value> - </property> - - <property> - <name>xasecure.audit.repository.name</name> - <value>hbasedev</value> - </property> - - - <!-- DB audit provider configuration --> - <property> - <name>xasecure.audit.db.is.enabled</name> - <value>false</value> - </property> - - <property> - <name>xasecure.audit.db.is.async</name> - <value>true</value> - </property> - - <property> - <name>xasecure.audit.db.async.max.queue.size</name> - <value>10240</value> - </property> - - <property> - <name>xasecure.audit.db.async.max.flush.interval.ms</name> - <value>30000</value> - </property> - - <property> - <name>xasecure.audit.db.batch.size</name> - <value>100</value> - </property> - - <!-- Properties whose name begin with "xasecure.audit.jpa." 
are used to configure JPA --> - <property> - <name>xasecure.audit.jpa.javax.persistence.jdbc.url</name> - <value>jdbc:mysql://localhost:3306/ranger_audit</value> - </property> - - <property> - <name>xasecure.audit.jpa.javax.persistence.jdbc.user</name> - <value>rangerlogger</value> - </property> - - <property> - <name>xasecure.audit.jpa.javax.persistence.jdbc.password</name> - <value>none</value> - </property> - - <property> - <name>xasecure.audit.jpa.javax.persistence.jdbc.driver</name> - <value>com.mysql.jdbc.Driver</value> - </property> - - <property> - <name>xasecure.audit.credential.provider.file</name> - <value>jceks://file/etc/ranger/hbasedev/auditcred.jceks</value> - </property> - - - <!-- HDFS audit provider configuration --> - <property> - <name>xasecure.audit.hdfs.is.enabled</name> - <value>false</value> - </property> - - <property> - <name>xasecure.audit.hdfs.is.async</name> - <value>true</value> - </property> - - <property> - <name>xasecure.audit.hdfs.async.max.queue.size</name> - <value>1048576</value> - </property> - - <property> - <name>xasecure.audit.hdfs.async.max.flush.interval.ms</name> - <value>30000</value> - </property> - - <property> - <name>xasecure.audit.hdfs.config.encoding</name> - <value></value> - </property> - - <property> - <name>xasecure.audit.hdfs.config.destination.directory</name> - <value>hdfs://NAMENODE_HOST:8020/ranger/audit/%app-type%/%time:yyyyMMdd%</value> - </property> - - <property> - <name>xasecure.audit.hdfs.config.destination.file</name> - <value>%hostname%-audit.log</value> - </property> - - <property> - <name>xasecure.audit.hdfs.config.destination.flush.interval.seconds</name> - <value>900</value> - </property> - - <property> - <name>xasecure.audit.hdfs.config.destination.rollover.interval.seconds</name> - <value>86400</value> - </property> - - <property> - <name>xasecure.audit.hdfs.config.destination.open.retry.interval.seconds</name> - <value>60</value> - </property> - - <property> - 
<name>xasecure.audit.hdfs.config.local.buffer.directory</name> - <value>/var/log/hbase/audit/%app-type%</value> - </property> - - <property> - <name>xasecure.audit.hdfs.config.local.buffer.file</name> - <value>%time:yyyyMMdd-HHmm.ss%.log</value> - </property> - - <property> - <name>xasecure.audit.hdfs.config.local.buffer.file.buffer.size.bytes</name> - <value>8192</value> - </property> - - <property> - <name>xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds</name> - <value>60</value> - </property> - - <property> - <name>xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds</name> - <value>600</value> - </property> - - <property> - <name>xasecure.audit.hdfs.config.local.archive.directory</name> - <value>/var/log/hbase/audit/archive/%app-type%</value> - </property> - - <property> - <name>xasecure.audit.hdfs.config.local.archive.max.file.count</name> - <value>10</value> - </property> - - - <!-- Log4j audit provider configuration --> - <property> - <name>xasecure.audit.log4j.is.enabled</name> - <value>false</value> - </property> - - <property> - <name>xasecure.audit.log4j.is.async</name> - <value>false</value> - </property> - - <property> - <name>xasecure.audit.log4j.async.max.queue.size</name> - <value>10240</value> - </property> - - <property> - <name>xasecure.audit.log4j.async.max.flush.interval.ms</name> - <value>30000</value> - </property> -</configuration> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hbase-agent/conf/xasecure-hbase-security-changes.cfg ---------------------------------------------------------------------- diff --git a/hbase-agent/conf/xasecure-hbase-security-changes.cfg b/hbase-agent/conf/xasecure-hbase-security-changes.cfg deleted file mode 100644 index 86354ff..0000000 --- a/hbase-agent/conf/xasecure-hbase-security-changes.cfg +++ /dev/null 
@@ -1,26 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# Change the original policy parameter to work with policy manager based. -# -# -xasecure.hbase.policymgr.url %POLICY_MGR_URL%/service/assets/policyList/%REPOSITORY_NAME% mod create-if-not-exists -xasecure.hbase.policymgr.url.saveAsFile /tmp/hbase_%REPOSITORY_NAME%_json mod create-if-not-exists -xasecure.hbase.policymgr.url.laststoredfile %POLICY_CACHE_FILE_PATH%/hbase_%REPOSITORY_NAME%_json mod create-if-not-exists -xasecure.hbase.policymgr.url.reloadIntervalInMillis 30000 mod create-if-not-exists -xasecure.hbase.policymgr.ssl.config /etc/hbase/conf/xasecure-policymgr-ssl.xml mod create-if-not-exists -xasecure.hbase.update.xapolicies.on.grant.revoke %UPDATE_XAPOLICIES_ON_GRANT_REVOKE% mod create-if-not-exists -xasecure.policymgr.url %POLICY_MGR_URL% mod create-if-not-exists -xasecure.policymgr.sslconfig.filename /etc/hbase/conf/xasecure-policymgr-ssl.xml mod create-if-not-exists http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hbase-agent/conf/xasecure-hbase-security.xml ---------------------------------------------------------------------- 
diff --git a/hbase-agent/conf/xasecure-hbase-security.xml b/hbase-agent/conf/xasecure-hbase-security.xml deleted file mode 100644 index 8ea2665..0000000 --- a/hbase-agent/conf/xasecure-hbase-security.xml +++ /dev/null 
@@ -1,85 +0,0 @@ -<?xml version="1.0"?> -<!-- - Licensed to the Apache Software Foundation (ASF) under one or more - contributor license agreements. See the NOTICE file distributed with - this work for additional information regarding copyright ownership. - The ASF licenses this file to You under the Apache License, Version 2.0 - (the "License"); you may not use this file except in compliance with - the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. ---> -<?xml-stylesheet type="text/xsl" href="configuration.xsl"?> -<configuration xmlns:xi="http://www.w3.org/2001/XInclude"> - - <!-- The following properties are used only when PolicyManager is used as - main storage for all policy --> - <property> - <name>xasecure.hbase.policymgr.url</name> - <value>http://policymanagerhost:port/service/assets/dev-hbase</value> - <description> - Location where XASecure Role Based Authorization Info is - located. - </description> - </property> - <property> - <name>xasecure.hbase.policymgr.url.saveAsFile</name> - <value>/tmp/xasecure-hbase-policy.json</value> - <description> - Location where XASecure Role Based Authorization Info is - saved after successful retrieval from policymanager - </description> - </property> - <property> - <name>xasecure.hbase.policymgr.url.laststoredfile</name> - <value>/home/hbase/last_xasecure-hbase-policy.json</value> - <description> - Location and file where last XASecure Role Based Authorization Info - is saved after successful retrieval from policymanager. 
- </description> - </property> - <property> - <name>xasecure.hbase.policymgr.url.reloadIntervalInMillis</name> - <value>30000</value> - <description> - How often do we need to verify the changes tothe - authorization url, - to reload to memory (reloaded only if there are - changes) - </description> - </property> - <property> - <name>xasecure.policymgr.url</name> - <value>http://policymanagerhost:port</value> - <description>Base URL for XASecure PolicyManager</description> - </property> - <property> - <name>xasecure.policymgr.sslconfig.filename</name> - <value>/etc/hbase/conf/xasecure-policymgr-ssl.xml</value> - <description>Path to the file containing SSL details to contact XASecure PolicyManager</description> - </property> - - - <!-- the following properties are used by PEP to show/hide audit information - about each field being read and/or written --> - <property> - <name>xasecure.auditlog.fieldInfoVisible</name> - <value>false</value> - <description> - Flag to indicate if the read/written values to be written in the audit - log file - </description> - </property> - <property> - <name>xasecure.hbase.update.xapolicies.on.grant.revoke</name> - <value>true</value> - <description>Should Hbase agent update XASecure policies for updates to permissions done using GRANT/REVOKE?</description> - </property> - -</configuration> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java ---------------------------------------------------------------------- diff --git a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java index 68bd7ac..1a956d3 100644 --- a/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java 
+++ b/hbase-agent/src/main/java/org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.java
@@ -875,8 +875,6 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 appType = "hbseRegional";
 }

- RangerConfiguration.getInstance().initAudit(appType);
-
 if (superUserList == null) {
 superUserList = new ArrayList<String>();
 Configuration conf = env.getConfiguration();
@@ -890,7 +888,7 @@ public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocess
 }
 }
 // create and initialize the plugin class
- new RangerBasePlugin("hbase") {}.init(_authorizer);
+ new RangerBasePlugin("hbase", appType) {}.init(_authorizer);
 if (LOG.isDebugEnabled()) {
 LOG.debug("Start of Coprocessor: [" + coprocessorType + "] with superUserList [" + superUserList + "]");
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hdfs-agent/conf/ranger-hdfs-audit-changes.cfg
----------------------------------------------------------------------
diff --git a/hdfs-agent/conf/ranger-hdfs-audit-changes.cfg b/hdfs-agent/conf/ranger-hdfs-audit-changes.cfg
new file mode 100644
index 0000000..cbaf227
--- /dev/null
+++ b/hdfs-agent/conf/ranger-hdfs-audit-changes.cfg
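Review bot: `new RangerBasePlugin("hbase", appType) {}.init(_authorizer)` now hands `appType` to the plugin in place of the removed `initAudit(appType)` call, but the context line two lines above the first hunk still assigns the misspelled `"hbseRegional"`, so if the plugin uses this string for audit setup (the audit configs in this commit expand a `%app-type%` token in directory names) the typo will surface in audit paths and log lines; `appType = "hbaseRegional";` looks like the intent, to be confirmed against whatever consumes the value. The plugin is still created as an anonymous subclass and immediately discarded, which leaves the coprocessor with no handle for shutdown or later inspection; keeping it in a field such as `private RangerBasePlugin rangerPlugin;` and assigning it here would be a cleaner shape. The enclosing method starts before the first hunk and continues past the second.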
@@ -0,0 +1,34 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +xasecure.audit.db.is.enabled %XAAUDIT.DB.IS_ENABLED% mod create-if-not-exists +xasecure.audit.jpa.javax.persistence.jdbc.url %XAAUDIT_DB_JDBC_URL% mod create-if-not-exists +xasecure.audit.jpa.javax.persistence.jdbc.user %XAAUDIT.DB.USER_NAME% mod create-if-not-exists +xasecure.audit.jpa.javax.persistence.jdbc.password crypted mod create-if-not-exists +xasecure.audit.repository.name %REPOSITORY_NAME% mod create-if-not-exists +xasecure.audit.credential.provider.file jceks://file%CREDENTIAL_PROVIDER_FILE% mod create-if-not-exists +xasecure.audit.jpa.javax.persistence.jdbc.driver %XAAUDIT_DB_JDBC_DRIVER% mod create-if-not-exists + +xasecure.audit.hdfs.is.enabled %XAAUDIT.HDFS.IS_ENABLED% mod create-if-not-exists +xasecure.audit.hdfs.config.destination.directory %XAAUDIT.HDFS.DESTINATION_DIRECTORY% mod create-if-not-exists +xasecure.audit.hdfs.config.destination.file %XAAUDIT.HDFS.DESTINTATION_FILE% mod create-if-not-exists +xasecure.audit.hdfs.config.destination.flush.interval.seconds %XAAUDIT.HDFS.DESTINTATION_FLUSH_INTERVAL_SECONDS% mod create-if-not-exists +xasecure.audit.hdfs.config.destination.rollover.interval.seconds %XAAUDIT.HDFS.DESTINTATION_ROLLOVER_INTERVAL_SECONDS% 
mod create-if-not-exists +xasecure.audit.hdfs.config.destination.open.retry.interval.seconds %XAAUDIT.HDFS.DESTINTATION_OPEN_RETRY_INTERVAL_SECONDS% mod create-if-not-exists +xasecure.audit.hdfs.config.local.buffer.directory %XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY% mod create-if-not-exists +xasecure.audit.hdfs.config.local.buffer.file %XAAUDIT.HDFS.LOCAL_BUFFER_FILE% mod create-if-not-exists +xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds %XAAUDIT.HDFS.LOCAL_BUFFER_FLUSH_INTERVAL_SECONDS% mod create-if-not-exists +xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds %XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS% mod create-if-not-exists +xasecure.audit.hdfs.config.local.archive.directory %XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY% mod create-if-not-exists +xasecure.audit.hdfs.config.local.archive.max.file.count %XAAUDIT.HDFS.LOCAL_ARCHIVE_MAX_FILE_COUNT% mod create-if-not-exists http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hdfs-agent/conf/ranger-hdfs-audit.xml ---------------------------------------------------------------------- diff --git a/hdfs-agent/conf/ranger-hdfs-audit.xml b/hdfs-agent/conf/ranger-hdfs-audit.xml new file mode 100644 index 0000000..28261ec --- /dev/null +++ b/hdfs-agent/conf/ranger-hdfs-audit.xml 
@@ -0,0 +1,191 @@ +<?xml version="1.0"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<?xml-stylesheet type="text/xsl" href="configuration.xsl"?> +<configuration xmlns:xi="http://www.w3.org/2001/XInclude"> + <property> + <name>xasecure.audit.is.enabled</name> + <value>true</value> + </property> + + <property> + <name>xasecure.audit.repository.name</name> + <value>hadoopdev</value> + </property> + + + <!-- DB audit provider configuration --> + <property> + <name>xasecure.audit.db.is.enabled</name> + <value>false</value> + </property> + + <property> + <name>xasecure.audit.db.is.async</name> + <value>true</value> + </property> + + <property> + <name>xasecure.audit.db.async.max.queue.size</name> + <value>10240</value> + </property> + + <property> + <name>xasecure.audit.db.async.max.flush.interval.ms</name> + <value>30000</value> + </property> + + <property> + <name>xasecure.audit.db.batch.size</name> + <value>100</value> + </property> + + <!-- Properties whose name begin with "xasecure.audit.jpa." 
are used to configure JPA --> + <property> + <name>xasecure.audit.jpa.javax.persistence.jdbc.url</name> + <value>jdbc:mysql://localhost:3306/ranger_audit</value> + </property> + + <property> + <name>xasecure.audit.jpa.javax.persistence.jdbc.user</name> + <value>rangerlogger</value> + </property> + + <property> + <name>xasecure.audit.jpa.javax.persistence.jdbc.password</name> + <value>none</value> + </property> + + <property> + <name>xasecure.audit.jpa.javax.persistence.jdbc.driver</name> + <value>com.mysql.jdbc.Driver</value> + </property> + + <property> + <name>xasecure.audit.credential.provider.file</name> + <value>jceks://file/etc/ranger/hadoopdev/auditcred.jceks</value> + </property> + + + <!-- HDFS audit provider configuration --> + <property> + <name>xasecure.audit.hdfs.is.enabled</name> + <value>false</value> + </property> + + <property> + <name>xasecure.audit.hdfs.is.async</name> + <value>true</value> + </property> + + <property> + <name>xasecure.audit.hdfs.async.max.queue.size</name> + <value>1048576</value> + </property> + + <property> + <name>xasecure.audit.hdfs.async.max.flush.interval.ms</name> + <value>30000</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.encoding</name> + <value></value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.destination.directory</name> + <value>hdfs://NAMENODE_HOST:8020/ranger/audit/%app-type%/%time:yyyyMMdd%</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.destination.file</name> + <value>%hostname%-audit.log</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.destination.flush.interval.seconds</name> + <value>900</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.destination.rollover.interval.seconds</name> + <value>86400</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.destination.open.retry.interval.seconds</name> + <value>60</value> + </property> + + <property> + 
<name>xasecure.audit.hdfs.config.local.buffer.directory</name> + <value>/var/log/hadoop/%app-type%/audit</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.local.buffer.file</name> + <value>%time:yyyyMMdd-HHmm.ss%.log</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.local.buffer.file.buffer.size.bytes</name> + <value>8192</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds</name> + <value>60</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds</name> + <value>600</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.local.archive.directory</name> + <value>/var/log/hadoop/%app-type%/audit/archive</value> + </property> + + <property> + <name>xasecure.audit.hdfs.config.local.archive.max.file.count</name> + <value>10</value> + </property> + + + <!-- Log4j audit provider configuration --> + <property> + <name>xasecure.audit.log4j.is.enabled</name> + <value>false</value> + </property> + + <property> + <name>xasecure.audit.log4j.is.async</name> + <value>false</value> + </property> + + <property> + <name>xasecure.audit.log4j.async.max.queue.size</name> + <value>10240</value> + </property> + + <property> + <name>xasecure.audit.log4j.async.max.flush.interval.ms</name> + <value>30000</value> + </property> +</configuration> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hdfs-agent/conf/ranger-hdfs-security-changes.cfg ---------------------------------------------------------------------- diff --git a/hdfs-agent/conf/ranger-hdfs-security-changes.cfg b/hdfs-agent/conf/ranger-hdfs-security-changes.cfg new file mode 100644 index 0000000..210247f --- /dev/null +++ b/hdfs-agent/conf/ranger-hdfs-security-changes.cfg 
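Review bot: `xasecure.audit.jpa.javax.persistence.jdbc.password` in the JPA section of this hunk carries the literal `none` and, like every other property in the file, has no `<description>`, so nothing tells an operator that a real password does not belong here. The companion ranger-hdfs-audit-changes.cfg in this commit rewrites the value to `crypted` and sets `xasecure.audit.credential.provider.file` to a jceks store, which suggests the credential provider is the intended source; a comment such as `<!-- set by the installer to "crypted"; the password is then read from xasecure.audit.credential.provider.file -->` above the property would make that explicit. The hbase audit.xml earlier in this commit has the same layout and would benefit from the same comment.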
@@ -0,0 +1,26 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Change the original policy parameter to work with policy manager based.
+#
+#
+ranger.plugin.hdfs.service.name %REPOSITORY_NAME% mod create-if-not-exists
+
+ranger.plugin.hdfs.service.store.class org.apache.ranger.plugin.store.rest.ServiceRESTStore mod create-if-not-exists
+ranger.plugin.hdfs.service.store.cache.dir %POLICY_CACHE_FILE_PATH% mod create-if-not-exists
+ranger.plugin.hdfs.service.store.pollIntervalMs 30000 mod create-if-not-exists
+
+ranger.service.store.rest.url %POLICY_MGR_URL% mod create-if-not-exists
+ranger.service.store.rest.ssl.config.file /etc/hadoop/conf/ranger-policymgr-ssl.xml mod create-if-not-exists
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hdfs-agent/conf/ranger-hdfs-security.xml
----------------------------------------------------------------------
diff --git a/hdfs-agent/conf/ranger-hdfs-security.xml b/hdfs-agent/conf/ranger-hdfs-security.xml
new file mode 100644
index 0000000..4e84232
--- /dev/null
+++ b/hdfs-agent/conf/ranger-hdfs-security.xml
@@ -0,0 +1,100 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
+ <property>
+ <name>ranger.plugin.hdfs.service.name</name>
+ <value>hadoopdev</value>
+ <description>
+ Name of the Ranger service containing policies for this YARN instance
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.hdfs.service.store.class</name>
+ <value>org.apache.ranger.plugin.store.rest.ServiceRESTStore</value>
+ <description>
+ Service storage implementation class to use to retrieve policies
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.hdfs.service.store.pollIntervalMs</name>
+ <value>30000</value>
+ <description>
+ How often to poll for changes in policies? 
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.hdfs.service.store.cache.dir</name>
+ <value>/etc/ranger/hadoopdev/policycache</value>
+ <description>
+ Directory where Ranger policies are cached after successful retrieval from the store
+ </description>
+ </property>
+
+ <!-- The following properties are used only when Ranger Admin REST interface is used to retrieve the policies -->
+ <property>
+ <name>ranger.service.store.rest.url</name>
+ <value>http://policymanagerhost:port</value>
+ <description>
+ URL to Ranger Admin
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.service.store.rest.ssl.config.file</name>
+ <value>/etc/hadoop/conf/ranger-policymgr-ssl.xml</value>
+ <description>Path to the file containing SSL details to contact Ranger Admin</description>
+ </property>
+
+ <!-- The following fields are used to customize the audit logging feature -->
+ <!--
+ <property>
+ <name>xasecure.auditlog.xasecureAcl.name</name>
+ <value>xasecure-acl</value>
+ <description> The module name listed in the auditlog when the
+ permission check is done by RangerACL
+ </description>
+ </property>
+ <property>
+ <name>xasecure.auditlog.hadoopAcl.name</name>
+ <value>hadoop-acl</value>
+ <description> The module name listed in the auditlog
+ when the permission check is done by HadoopACL
+ </description>
+ </property>
+ <property>
+ <name>xasecure.auditlog.hdfs.excludeusers</name>
+ <value>hbase,hive</value>
+ <description> List of comma separated users for
+ whom the audit log is not written
+ </description>
+ </property>
+ -->
+
+ <property>
+ <name>xasecure.add-hadoop-authorization</name>
+ <value>true</value>
+ <description>
+ Enable/Disable the default hadoop authorization (based on
+ rwxrwxrwx permission on the resource) if Ranger Authorization fails. 
+ </description>
+ </property>
+</configuration>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hdfs-agent/conf/xasecure-audit-changes.cfg
----------------------------------------------------------------------
diff --git a/hdfs-agent/conf/xasecure-audit-changes.cfg b/hdfs-agent/conf/xasecure-audit-changes.cfg
deleted file mode 100644
index cbaf227..0000000
--- a/hdfs-agent/conf/xasecure-audit-changes.cfg
+++ /dev/null
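Review bot: The description of `ranger.plugin.hdfs.service.name` reads `Name of the Ranger service containing policies for this YARN instance`, but this file is the HDFS plugin's configuration; it should read `Name of the Ranger service containing policies for this HDFS instance`. The sample `ranger.service.store.rest.url` value `http://policymanagerhost:port` is plain HTTP while `ranger.service.store.rest.ssl.config.file` sits directly below it; the description of the URL property could state whether the SSL config file is consulted only for https URLs, so an installer knows the two settings go together when policies are fetched over TLS. The commented-out `xasecure.auditlog.*` block is carried over verbatim although the commit message says old properties were replaced, so a one-line comment saying whether those names are still honoured would avoid confusion.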
@@ -1,34 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-xasecure.audit.db.is.enabled %XAAUDIT.DB.IS_ENABLED% mod create-if-not-exists
-xasecure.audit.jpa.javax.persistence.jdbc.url %XAAUDIT_DB_JDBC_URL% mod create-if-not-exists
-xasecure.audit.jpa.javax.persistence.jdbc.user %XAAUDIT.DB.USER_NAME% mod create-if-not-exists
-xasecure.audit.jpa.javax.persistence.jdbc.password crypted mod create-if-not-exists
-xasecure.audit.repository.name %REPOSITORY_NAME% mod create-if-not-exists
-xasecure.audit.credential.provider.file jceks://file%CREDENTIAL_PROVIDER_FILE% mod create-if-not-exists
-xasecure.audit.jpa.javax.persistence.jdbc.driver %XAAUDIT_DB_JDBC_DRIVER% mod create-if-not-exists
-
-xasecure.audit.hdfs.is.enabled %XAAUDIT.HDFS.IS_ENABLED% mod create-if-not-exists
-xasecure.audit.hdfs.config.destination.directory %XAAUDIT.HDFS.DESTINATION_DIRECTORY% mod create-if-not-exists
-xasecure.audit.hdfs.config.destination.file %XAAUDIT.HDFS.DESTINTATION_FILE% mod create-if-not-exists
-xasecure.audit.hdfs.config.destination.flush.interval.seconds %XAAUDIT.HDFS.DESTINTATION_FLUSH_INTERVAL_SECONDS% mod create-if-not-exists
-xasecure.audit.hdfs.config.destination.rollover.interval.seconds %XAAUDIT.HDFS.DESTINTATION_ROLLOVER_INTERVAL_SECONDS% 
mod create-if-not-exists
-xasecure.audit.hdfs.config.destination.open.retry.interval.seconds %XAAUDIT.HDFS.DESTINTATION_OPEN_RETRY_INTERVAL_SECONDS% mod create-if-not-exists
-xasecure.audit.hdfs.config.local.buffer.directory %XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY% mod create-if-not-exists
-xasecure.audit.hdfs.config.local.buffer.file %XAAUDIT.HDFS.LOCAL_BUFFER_FILE% mod create-if-not-exists
-xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds %XAAUDIT.HDFS.LOCAL_BUFFER_FLUSH_INTERVAL_SECONDS% mod create-if-not-exists
-xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds %XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS% mod create-if-not-exists
-xasecure.audit.hdfs.config.local.archive.directory %XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY% mod create-if-not-exists
-xasecure.audit.hdfs.config.local.archive.max.file.count %XAAUDIT.HDFS.LOCAL_ARCHIVE_MAX_FILE_COUNT% mod create-if-not-exists
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hdfs-agent/conf/xasecure-audit.xml
----------------------------------------------------------------------
diff --git a/hdfs-agent/conf/xasecure-audit.xml b/hdfs-agent/conf/xasecure-audit.xml
deleted file mode 100644
index 28261ec..0000000
--- a/hdfs-agent/conf/xasecure-audit.xml
+++ /dev/null
@@ -1,191 +0,0 @@
-<?xml version="1.0"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
-<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
- <property>
- <name>xasecure.audit.is.enabled</name>
- <value>true</value>
- </property>
-
- <property>
- <name>xasecure.audit.repository.name</name>
- <value>hadoopdev</value>
- </property>
-
-
- <!-- DB audit provider configuration -->
- <property>
- <name>xasecure.audit.db.is.enabled</name>
- <value>false</value>
- </property>
-
- <property>
- <name>xasecure.audit.db.is.async</name>
- <value>true</value>
- </property>
-
- <property>
- <name>xasecure.audit.db.async.max.queue.size</name>
- <value>10240</value>
- </property>
-
- <property>
- <name>xasecure.audit.db.async.max.flush.interval.ms</name>
- <value>30000</value>
- </property>
-
- <property>
- <name>xasecure.audit.db.batch.size</name>
- <value>100</value>
- </property>
-
- <!-- Properties whose name begin with "xasecure.audit.jpa." 
are used to configure JPA -->
- <property>
- <name>xasecure.audit.jpa.javax.persistence.jdbc.url</name>
- <value>jdbc:mysql://localhost:3306/ranger_audit</value>
- </property>
-
- <property>
- <name>xasecure.audit.jpa.javax.persistence.jdbc.user</name>
- <value>rangerlogger</value>
- </property>
-
- <property>
- <name>xasecure.audit.jpa.javax.persistence.jdbc.password</name>
- <value>none</value>
- </property>
-
- <property>
- <name>xasecure.audit.jpa.javax.persistence.jdbc.driver</name>
- <value>com.mysql.jdbc.Driver</value>
- </property>
-
- <property>
- <name>xasecure.audit.credential.provider.file</name>
- <value>jceks://file/etc/ranger/hadoopdev/auditcred.jceks</value>
- </property>
-
-
- <!-- HDFS audit provider configuration -->
- <property>
- <name>xasecure.audit.hdfs.is.enabled</name>
- <value>false</value>
- </property>
-
- <property>
- <name>xasecure.audit.hdfs.is.async</name>
- <value>true</value>
- </property>
-
- <property>
- <name>xasecure.audit.hdfs.async.max.queue.size</name>
- <value>1048576</value>
- </property>
-
- <property>
- <name>xasecure.audit.hdfs.async.max.flush.interval.ms</name>
- <value>30000</value>
- </property>
-
- <property>
- <name>xasecure.audit.hdfs.config.encoding</name>
- <value></value>
- </property>
-
- <property>
- <name>xasecure.audit.hdfs.config.destination.directory</name>
- <value>hdfs://NAMENODE_HOST:8020/ranger/audit/%app-type%/%time:yyyyMMdd%</value>
- </property>
-
- <property>
- <name>xasecure.audit.hdfs.config.destination.file</name>
- <value>%hostname%-audit.log</value>
- </property>
-
- <property>
- <name>xasecure.audit.hdfs.config.destination.flush.interval.seconds</name>
- <value>900</value>
- </property>
-
- <property>
- <name>xasecure.audit.hdfs.config.destination.rollover.interval.seconds</name>
- <value>86400</value>
- </property>
-
- <property>
- <name>xasecure.audit.hdfs.config.destination.open.retry.interval.seconds</name>
- <value>60</value>
- </property>
-
- <property>
- 
<name>xasecure.audit.hdfs.config.local.buffer.directory</name>
- <value>/var/log/hadoop/%app-type%/audit</value>
- </property>
-
- <property>
- <name>xasecure.audit.hdfs.config.local.buffer.file</name>
- <value>%time:yyyyMMdd-HHmm.ss%.log</value>
- </property>
-
- <property>
- <name>xasecure.audit.hdfs.config.local.buffer.file.buffer.size.bytes</name>
- <value>8192</value>
- </property>
-
- <property>
- <name>xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds</name>
- <value>60</value>
- </property>
-
- <property>
- <name>xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds</name>
- <value>600</value>
- </property>
-
- <property>
- <name>xasecure.audit.hdfs.config.local.archive.directory</name>
- <value>/var/log/hadoop/%app-type%/audit/archive</value>
- </property>
-
- <property>
- <name>xasecure.audit.hdfs.config.local.archive.max.file.count</name>
- <value>10</value>
- </property>
-
-
- <!-- Log4j audit provider configuration -->
- <property>
- <name>xasecure.audit.log4j.is.enabled</name>
- <value>false</value>
- </property>
-
- <property>
- <name>xasecure.audit.log4j.is.async</name>
- <value>false</value>
- </property>
-
- <property>
- <name>xasecure.audit.log4j.async.max.queue.size</name>
- <value>10240</value>
- </property>
-
- <property>
- <name>xasecure.audit.log4j.async.max.flush.interval.ms</name>
- <value>30000</value>
- </property>
-</configuration>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hdfs-agent/conf/xasecure-hdfs-security-changes.cfg
----------------------------------------------------------------------
diff --git a/hdfs-agent/conf/xasecure-hdfs-security-changes.cfg b/hdfs-agent/conf/xasecure-hdfs-security-changes.cfg
deleted file mode 100644
index 97e631a5..0000000
--- a/hdfs-agent/conf/xasecure-hdfs-security-changes.cfg
+++ /dev/null
@@ -1,24 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# Change the original policy parameter to work with policy manager based.
-#
-#
-hdfs.authorization.verifier.classname org.apache.ranger.pdp.hdfs.RangerAuthorizer mod create-if-not-exists
-xasecure.hdfs.policymgr.url %POLICY_MGR_URL%/service/assets/policyList/%REPOSITORY_NAME% mod create-if-not-exists
-xasecure.hdfs.policymgr.url.saveAsFile /tmp/hadoop_%REPOSITORY_NAME%_json mod create-if-not-exists
-xasecure.hdfs.policymgr.url.laststoredfile %POLICY_CACHE_FILE_PATH%/hadoop_%REPOSITORY_NAME%_json mod create-if-not-exists
-xasecure.hdfs.policymgr.url.reloadIntervalInMillis 30000 mod create-if-not-exists
-xasecure.hdfs.policymgr.ssl.config /etc/hadoop/conf/xasecure-policymgr-ssl.xml mod create-if-not-exists
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2e486daa/hdfs-agent/conf/xasecure-hdfs-security.xml
----------------------------------------------------------------------
diff --git a/hdfs-agent/conf/xasecure-hdfs-security.xml b/hdfs-agent/conf/xasecure-hdfs-security.xml
deleted file mode 100644
index 9cf5b69..0000000
--- a/hdfs-agent/conf/xasecure-hdfs-security.xml
+++ /dev/null
@@ -1,125 +0,0 @@
-<?xml version="1.0"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
-<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
-
- <!-- The following property is used to select appropriate XASecure Authorizer Module (filebased, policymanager based) -->
- <property>
- <name>hdfs.authorization.verifier.classname</name>
- <value>org.apache.ranger.pdp.hdfs.RangerAuthorizer</value>
- <description>
- Class Name of the authorization Module
- </description>
- </property>
-
- <!-- The following properties are used only when PolicyManager is used as
- main storage for all policy -->
- <property>
- <name>xasecure.hdfs.policymgr.url</name>
- <value>http://policymanagerhost:port/service/assets/hadoopdev</value>
- <description>
- Location where XASecure Role Based Authorization Info is
- located. 
- </description>
- </property>
- <property>
- <name>xasecure.hdfs.policymgr.url.saveAsFile</name>
- <value>/tmp/xasecure-hdfs-policy.json</value>
- <description>
- Location where XASecure Role Based Authorization Info is
- saved after successful retrieval from policymanager
- </description>
- </property>
- <property>
- <name>xasecure.hdfs.policymgr.url.laststoredfile</name>
- <value>/home/hdfs/last_xasecure-hdfs-policy.json</value>
- <description>
- Location and file where last XASecure Role Based Authorization Info
- is saved after successful retrieval from policymanager.
- </description>
- </property>
- <property>
- <name>xasecure.hdfs.policymgr.url.reloadIntervalInMillis</name>
- <value>30000</value>
- <description>
- How often do we need to verify the changes tothe
- authorization url,
- to reload to memory (reloaded only if there are
- changes)
- </description>
- </property>
-
- <property>
- <name>xasecure.add-hadoop-authorization</name>
- <value>true</value>
- <description>
- Enable/Disable the default hadoop authorization (based on
- rwxrwxrwx permission on
- the resource) if the XASecure Authorization
- fails. 
- </description>
- </property>
-
- <!-- The following field are used to customize the audit logging feature -->
-
- <!--
- <property>
- <name>xasecure.auditlog.fieldDelimiterString</name>
- <value>@</value>
- <description> Audit Log field delimiters </description>
- </property>
- <property>
- <name>xasecure.auditlog.xasecureAcl.name</name>
- <value>xasecure-acl</value>
- <description> The module name listed in the auditlog when the
- permission
- check is done by XASecureACL
- </description>
- </property>
- <property>
- <name>xasecure.auditlog.hadoopAcl.name</name>
- <value>hadoop-acl</value>
- <description> The module name listed in the auditlog
- when the permission check is done by HadoopACL
- </description>
- </property>
- <property>
- <name>xasecure.auditlog.accessgranted.text</name>
- <value>granted</value>
- <description> The text to be written in audit log when access is
- granted
- </description>
- </property>
- <property>
- <name>xasecure.auditlog.accessdenied.text</name>
- <value>denied</value>
- <description> The text to be written in audit log when
- access is denied
- </description>
- </property>
- <property>
- <name>xasecure.auditlog.hdfs.excludeusers</name>
- <value>hbase,hive</value>
- <description> List of comma separated users for
- whom the audit log is not written
- </description>
- </property>
- -->
-
-
-</configuration>
