RANGER-203: updates to plugin configuration properties, to support policy download using RangerAdminClient interface (instead of service store).
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/4bef89c8 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/4bef89c8 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/4bef89c8 Branch: refs/heads/master Commit: 4bef89c8ed558eaa7b6f99b7863684d6308caa55 Parents: 6edf6d8 Author: Madhan Neethiraj <[email protected]> Authored: Mon Feb 9 16:11:53 2015 -0800 Committer: Madhan Neethiraj <[email protected]> Committed: Mon Feb 9 16:11:53 2015 -0800 ---------------------------------------------------------------------- .../ranger/admin/client/RangerAdminClient.java | 2 + .../admin/client/RangerAdminRESTClient.java | 9 ++-- .../hadoop/constants/RangerHadoopConstants.java | 6 --- .../ranger/plugin/service/RangerBasePlugin.java | 47 +++++++++++++------- hbase-agent/conf/ranger-hbase-audit-changes.cfg | 1 - hbase-agent/conf/ranger-hbase-audit.xml | 5 --- .../conf/ranger-hbase-security-changes.cfg | 14 +++--- hbase-agent/conf/ranger-hbase-security.xml | 39 ++++++++-------- hdfs-agent/conf/ranger-hdfs-audit-changes.cfg | 1 - hdfs-agent/conf/ranger-hdfs-audit.xml | 5 --- .../conf/ranger-hdfs-security-changes.cfg | 12 ++--- hdfs-agent/conf/ranger-hdfs-security.xml | 45 ++++++++++--------- hive-agent/conf/ranger-hive-audit-changes.cfg | 1 - hive-agent/conf/ranger-hive-audit.xml | 5 --- .../conf/ranger-hive-security-changes.cfg | 14 +++--- hive-agent/conf/ranger-hive-security.xml | 34 +++++++------- knox-agent/conf/ranger-knox-audit-changes.cfg | 1 - knox-agent/conf/ranger-knox-audit.xml | 5 --- .../conf/ranger-knox-security-changes.cfg | 12 ++--- knox-agent/conf/ranger-knox-security.xml | 34 +++++++------- 20 files changed, 140 insertions(+), 152 deletions(-) ---------------------------------------------------------------------- 
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bef89c8/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminClient.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminClient.java b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminClient.java index d5129bb..9807dd4 100644 --- a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminClient.java +++ b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminClient.java @@ -25,6 +25,8 @@ import org.apache.ranger.plugin.util.ServicePolicies; public interface RangerAdminClient { + void init(String configPropertyPrefix); + ServicePolicies getServicePoliciesIfUpdated(String serviceName, long lastKnownVersion) throws Exception; void grantAccess(String serviceName, GrantRevokeRequest request) throws Exception; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bef89c8/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java index 0c28062..8101250 100644 --- a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java +++ b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java 
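Review bot: The new `init(String configPropertyPrefix)` on `RangerAdminClient` has no Javadoc, and its contract is not obvious from the signature. Judging by the rest of this commit, implementations are constructed with a no-arg constructor and are not usable until `init` has been called, so that ordering should be stated on the interface. A comment along the lines of `/** Reads this client's settings from properties starting with configPropertyPrefix; call once, before any other method. */` would do. Any implementation of the interface outside this commit will also stop compiling until it adds the method.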
@@ -45,13 +45,12 @@ public class RangerAdminRESTClient implements RangerAdminClient { public RangerAdminRESTClient() { - String url = RangerConfiguration.getInstance().get("ranger.service.store.rest.url"); - String sslConfigFileName = RangerConfiguration.getInstance().get("ranger.service.store.rest.ssl.config.file"); - - init(url, sslConfigFileName); } - public RangerAdminRESTClient(String url, String sslConfigFileName) { + public void init(String propertyPrefix) { + String url = RangerConfiguration.getInstance().get(propertyPrefix + ".policy.rest.url"); + String sslConfigFileName = RangerConfiguration.getInstance().get(propertyPrefix + ".policy.rest.ssl.config.file"); + init(url, sslConfigFileName); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bef89c8/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java index 652d105..be5a778 100644 --- a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java +++ b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/constants/RangerHadoopConstants.java 
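Review bot: `init(String propertyPrefix)` hands `url` straight to `init(url, sslConfigFileName)` without checking that `propertyPrefix + ".policy.rest.url"` was set, so a missing or misspelled property yields a client pointing at a null URL. The body of the two-argument `init` is outside the hunk, so how it treats null is not visible. A guard such as `if (url == null || url.isEmpty()) { throw new IllegalStateException(propertyPrefix + ".policy.rest.url is not set"); }` would make the misconfiguration visible at startup rather than at the first policy download. The method also implements the new interface method and should carry `@Override`.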
@@ -29,12 +29,6 @@ public class RangerHadoopConstants { public static final String HDFS_ROOT_FOLDER_PATH_ALT = ""; public static final String HDFS_ROOT_FOLDER_PATH = "/"; - public static final String HDFS_ACCESS_VERIFIER_CLASS_NAME_PROP = "hdfs.authorization.verifier.classname" ; - public static final String HDFS_ACCESS_VERIFIER_CLASS_NAME_DEFAULT_VALUE = "org.apache.ranger.pdp.hdfs.RangerAuthorizer" ; - - public static final String HIVE_ACCESS_VERIFIER_CLASS_NAME_PROP = "hive.authorization.verifier.classname" ; - public static final String HIVE_ACCESS_VERIFIER_CLASS_NAME_DEFAULT_VALUE = "org.apache.ranger.pdp.hive.RangerAuthorizer" ; - public static final String HIVE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_PROP = "xasecure.hive.update.xapolicies.on.grant.revoke" ; public static final boolean HIVE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE = true; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bef89c8/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java index 68ac3aa..3dbbe81 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java 
@@ -83,25 +83,13 @@ public class RangerBasePlugin { RangerConfiguration.getInstance().addResourcesForServiceType(serviceType); RangerConfiguration.getInstance().initAudit(auditAppType); - serviceName = RangerConfiguration.getInstance().get("ranger.plugin." + serviceType + ".service.name"); + String propertyPrefix = "ranger.plugin." + serviceType; + long pollingIntervalMs = RangerConfiguration.getInstance().getLong(propertyPrefix + ".policy.pollIntervalMs", 30 * 1000); + String cacheDir = RangerConfiguration.getInstance().get(propertyPrefix + ".policy.cache.dir"); - if(StringUtils.isEmpty(serviceName)) { - // get the serviceName from download URL: http://ranger-admin-host:port/service/assets/policyList/serviceName - String policyDownloadUrl = RangerConfiguration.getInstance().get("xasecure." + serviceType + ".policymgr.url"); + serviceName = RangerConfiguration.getInstance().get(propertyPrefix + ".service.name"); - if(! StringUtils.isEmpty(policyDownloadUrl)) { - int idx = policyDownloadUrl.lastIndexOf('/'); - - if(idx != -1) { - serviceName = policyDownloadUrl.substring(idx + 1); - } - } - } - - String cacheDir = RangerConfiguration.getInstance().get("ranger.plugin." + serviceType + ".service.store.cache.dir", "/tmp"); - long pollingIntervalMs = RangerConfiguration.getInstance().getLong("ranger.plugin." + serviceType + ".service.store.pollIntervalMs", 30 * 1000); - - RangerAdminClient admin = new RangerAdminRESTClient(); + RangerAdminClient admin = getAdminClient(propertyPrefix); refresher = new PolicyRefresher(policyEngine, serviceType, serviceName, admin, pollingIntervalMs, cacheDir); refresher.startRefresher(); 
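Review bot: `serviceName` and `cacheDir` now reach `new PolicyRefresher(...)` unchecked. The fallback that derived the service name from the legacy URL is removed and `cacheDir` no longer has a default, so either can be null when its property is unset. How `PolicyRefresher` handles null is not visible here, but an authorization plugin without a service name presumably has nothing to download, so that should be reported at startup, e.g. `if(StringUtils.isEmpty(serviceName)) { LOG.error("property " + propertyPrefix + ".service.name is not set"); }`. Dropping the `/tmp` default for the policy cache is sensible, but an unset `.policy.cache.dir` deserves the same explicit message. The enclosing method starts and ends outside the hunk.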
@@ -221,4 +209,29 @@ public class RangerBasePlugin { return ret; } + + private RangerAdminClient getAdminClient(String propertyPrefix) { + RangerAdminClient ret = null; + + String policySourceImpl = RangerConfiguration.getInstance().get(propertyPrefix + ".source.impl"); + + if(!StringUtils.isEmpty(policySourceImpl)) { + try { + @SuppressWarnings("unchecked") + Class<RangerAdminClient> adminClass = (Class<RangerAdminClient>)Class.forName(policySourceImpl); + + ret = adminClass.newInstance(); + } catch (Exception excp) { + LOG.error("failed to instantiate policy source of type '" + policySourceImpl + "'. Will use policy source of type '" + RangerAdminRESTClient.class.getName() + "'", excp); + } + } + + if(ret == null) { + ret = new RangerAdminRESTClient(); + } + + ret.init(propertyPrefix); + + return ret; + } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bef89c8/hbase-agent/conf/ranger-hbase-audit-changes.cfg ---------------------------------------------------------------------- diff --git a/hbase-agent/conf/ranger-hbase-audit-changes.cfg b/hbase-agent/conf/ranger-hbase-audit-changes.cfg index cbaf227..e5c381a 100644 --- a/hbase-agent/conf/ranger-hbase-audit-changes.cfg +++ b/hbase-agent/conf/ranger-hbase-audit-changes.cfg 
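Review bot: `getAdminClient` looks up `propertyPrefix + ".source.impl"`, but the configuration files changed in this commit define `ranger.plugin.hbase.policy.source.impl` (likewise for hdfs, hive and knox), and every other lookup uses the `.policy.` segment. As written the configured class is never found and the method always falls through to `new RangerAdminRESTClient()`, which hides the mismatch because that is also the configured default. The lookup should be `RangerConfiguration.getInstance().get(propertyPrefix + ".policy.source.impl")`. Separately, the unchecked cast only fails when the new instance is assigned to `ret`, after the constructor of whatever class the configuration names has already run. `Class.forName(policySourceImpl).asSubclass(RangerAdminClient.class)` rejects a wrong type before instantiation and makes the `@SuppressWarnings("unchecked")` unnecessary.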
@@ -16,7 +16,6 @@ xasecure.audit.db.is.enabled %XAAUDIT.DB.IS_ENABLED% xasecure.audit.jpa.javax.persistence.jdbc.url %XAAUDIT_DB_JDBC_URL% mod create-if-not-exists xasecure.audit.jpa.javax.persistence.jdbc.user %XAAUDIT.DB.USER_NAME% mod create-if-not-exists xasecure.audit.jpa.javax.persistence.jdbc.password crypted mod create-if-not-exists -xasecure.audit.repository.name %REPOSITORY_NAME% mod create-if-not-exists xasecure.audit.credential.provider.file jceks://file%CREDENTIAL_PROVIDER_FILE% mod create-if-not-exists xasecure.audit.jpa.javax.persistence.jdbc.driver %XAAUDIT_DB_JDBC_DRIVER% mod create-if-not-exists http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bef89c8/hbase-agent/conf/ranger-hbase-audit.xml ---------------------------------------------------------------------- diff --git a/hbase-agent/conf/ranger-hbase-audit.xml b/hbase-agent/conf/ranger-hbase-audit.xml index be2661a..b39696b 100644 --- a/hbase-agent/conf/ranger-hbase-audit.xml +++ b/hbase-agent/conf/ranger-hbase-audit.xml @@ -22,11 +22,6 @@ <value>true</value> </property> - <property> - <name>xasecure.audit.repository.name</name> - <value>hbasedev</value> - </property> - <!-- DB audit provider configuration --> <property> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bef89c8/hbase-agent/conf/ranger-hbase-security-changes.cfg ---------------------------------------------------------------------- diff --git a/hbase-agent/conf/ranger-hbase-security-changes.cfg b/hbase-agent/conf/ranger-hbase-security-changes.cfg index 28f84e7..9c74898 100644 --- a/hbase-agent/conf/ranger-hbase-security-changes.cfg +++ b/hbase-agent/conf/ranger-hbase-security-changes.cfg 
@@ -16,13 +16,13 @@ # Change the original policy parameter to work with policy manager based. # # -ranger.plugin.hbase.service.name %REPOSITORY_NAME% mod create-if-not-exists +ranger.plugin.hbase.service.name %REPOSITORY_NAME% mod create-if-not-exists -ranger.plugin.hbase.service.store.class org.apache.ranger.plugin.store.rest.ServiceRESTStore mod create-if-not-exists -ranger.plugin.hbase.service.store.cache.dir %POLICY_CACHE_FILE_PATH% mod create-if-not-exists -ranger.plugin.hbase.service.store.pollIntervalMs 30000 mod create-if-not-exists +ranger.plugin.hbase.policy.source.impl org.apache.ranger.admin.client.RangerAdminRESTClient mod create-if-not-exists -ranger.service.store.rest.url %POLICY_MGR_URL% mod create-if-not-exists -ranger.service.store.rest.ssl.config.file /etc/hbase/conf/ranger-policymgr-ssl.xml mod create-if-not-exists +ranger.plugin.hbase.policy.rest.url %POLICY_MGR_URL% mod create-if-not-exists +ranger.plugin.hbase.policy.rest.ssl.config.file /etc/hbase/conf/ranger-policymgr-ssl.xml mod create-if-not-exists +ranger.plugin.hbase.policy.pollIntervalMs 30000 mod create-if-not-exists +ranger.plugin.hbase.policy.cache.dir %POLICY_CACHE_FILE_PATH% mod create-if-not-exists -xasecure.hbase.update.xapolicies.on.grant.revoke %UPDATE_XAPOLICIES_ON_GRANT_REVOKE% mod create-if-not-exists +xasecure.hbase.update.xapolicies.on.grant.revoke %UPDATE_XAPOLICIES_ON_GRANT_REVOKE% mod create-if-not-exists http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bef89c8/hbase-agent/conf/ranger-hbase-security.xml ---------------------------------------------------------------------- diff --git a/hbase-agent/conf/ranger-hbase-security.xml b/hbase-agent/conf/ranger-hbase-security.xml index 697ab86..43d5d36 100644 --- a/hbase-agent/conf/ranger-hbase-security.xml +++ b/hbase-agent/conf/ranger-hbase-security.xml 
@@ -21,52 +21,55 @@ <name>ranger.plugin.hbase.service.name</name> <value>hbasedev</value> <description> - Name of the Ranger service containing policies for this YARN instance + Name of the Ranger service containing HBase policies </description> </property> <property> - <name>ranger.plugin.hbase.service.store.class</name> - <value>org.apache.ranger.plugin.store.rest.ServiceRESTStore</value> + <name>ranger.plugin.hbase.policy.source.impl</name> + <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value> <description> - Service storage implementation class to use to retrieve policies + Class to retrieve policies from the source </description> </property> <property> - <name>ranger.plugin.hbase.service.store.pollIntervalMs</name> - <value>30000</value> + <name>ranger.plugin.hbase.policy.rest.url</name> + <value>http://policymanagerhost:port</value> <description> - How often to poll for changes in policies? + URL to Ranger Admin </description> </property> <property> - <name>ranger.plugin.hbase.service.store.cache.dir</name> - <value>/etc/ranger/hbasedev/policycache</value> + <name>ranger.plugin.hbase.policy.rest.ssl.config.file</name> + <value>/etc/hbase/conf/ranger-policymgr-ssl.xml</value> <description> - Directory where Ranger policies are cached after successful retrieval from the store + Path to the file containing SSL details to contact Ranger Admin </description> </property> - <!-- The following properties are used only when Ranger Admin REST interface is used to retrieve the policies --> <property> - <name>ranger.service.store.rest.url</name> - <value>http://policymanagerhost:port</value> + <name>ranger.plugin.hbase.policy.pollIntervalMs</name> + <value>30000</value> <description> - URL to Ranger Admin + How often to poll for changes in policies? 
</description> </property> <property> - <name>ranger.service.store.rest.ssl.config.file</name> - <value>/etc/hbase/conf/ranger-policymgr-ssl.xml</value> - <description>Path to the file containing SSL details to contact Ranger Admin</description> + <name>ranger.plugin.hbase.policy.cache.dir</name> + <value>/etc/ranger/hbasedev/policycache</value> + <description> + Directory where Ranger policies are cached after successful retrieval from the source + </description> </property> <property> <name>xasecure.hbase.update.xapolicies.on.grant.revoke</name> <value>true</value> - <description>Should Hbase plugin update Ranger policies for updates to permissions done using GRANT/REVOKE?</description> + <description> + Should HBase plugin update Ranger policies for updates to permissions done using GRANT/REVOKE? + </description> </property> </configuration> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bef89c8/hdfs-agent/conf/ranger-hdfs-audit-changes.cfg ---------------------------------------------------------------------- diff --git a/hdfs-agent/conf/ranger-hdfs-audit-changes.cfg b/hdfs-agent/conf/ranger-hdfs-audit-changes.cfg index cbaf227..e5c381a 100644 --- a/hdfs-agent/conf/ranger-hdfs-audit-changes.cfg +++ b/hdfs-agent/conf/ranger-hdfs-audit-changes.cfg 
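Review bot: The template value for `ranger.plugin.hbase.policy.rest.url` is `http://policymanagerhost:port`, even though the next property points at an SSL configuration file. A deployment that keeps the scheme from the template downloads its authorization policies over plain HTTP, where they can be read or altered in transit. Consider shipping `https://policymanagerhost:port` as the sample value and stating in the `<description>` that the SSL config file is what the HTTPS connection uses. The same sample value appears in the hdfs, hive and knox `ranger-*-security.xml` hunks.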
@@ -16,7 +16,6 @@ xasecure.audit.db.is.enabled %XAAUDIT.DB.IS_ENABLED% xasecure.audit.jpa.javax.persistence.jdbc.url %XAAUDIT_DB_JDBC_URL% mod create-if-not-exists xasecure.audit.jpa.javax.persistence.jdbc.user %XAAUDIT.DB.USER_NAME% mod create-if-not-exists xasecure.audit.jpa.javax.persistence.jdbc.password crypted mod create-if-not-exists -xasecure.audit.repository.name %REPOSITORY_NAME% mod create-if-not-exists xasecure.audit.credential.provider.file jceks://file%CREDENTIAL_PROVIDER_FILE% mod create-if-not-exists xasecure.audit.jpa.javax.persistence.jdbc.driver %XAAUDIT_DB_JDBC_DRIVER% mod create-if-not-exists http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bef89c8/hdfs-agent/conf/ranger-hdfs-audit.xml ---------------------------------------------------------------------- diff --git a/hdfs-agent/conf/ranger-hdfs-audit.xml b/hdfs-agent/conf/ranger-hdfs-audit.xml index 28261ec..d26345d 100644 --- a/hdfs-agent/conf/ranger-hdfs-audit.xml +++ b/hdfs-agent/conf/ranger-hdfs-audit.xml @@ -22,11 +22,6 @@ <value>true</value> </property> - <property> - <name>xasecure.audit.repository.name</name> - <value>hadoopdev</value> - </property> - <!-- DB audit provider configuration --> <property> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bef89c8/hdfs-agent/conf/ranger-hdfs-security-changes.cfg ---------------------------------------------------------------------- diff --git a/hdfs-agent/conf/ranger-hdfs-security-changes.cfg b/hdfs-agent/conf/ranger-hdfs-security-changes.cfg index 210247f..4bdb08f 100644 --- a/hdfs-agent/conf/ranger-hdfs-security-changes.cfg +++ b/hdfs-agent/conf/ranger-hdfs-security-changes.cfg 
@@ -16,11 +16,11 @@ # Change the original policy parameter to work with policy manager based. # # -ranger.plugin.hdfs.service.name %REPOSITORY_NAME% mod create-if-not-exists +ranger.plugin.hdfs.service.name %REPOSITORY_NAME% mod create-if-not-exists -ranger.plugin.hdfs.service.store.class org.apache.ranger.plugin.store.rest.ServiceRESTStore mod create-if-not-exists -ranger.plugin.hdfs.service.store.cache.dir %POLICY_CACHE_FILE_PATH% mod create-if-not-exists -ranger.plugin.hdfs.service.store.pollIntervalMs 30000 mod create-if-not-exists +ranger.plugin.hdfs.policy.source.impl org.apache.ranger.admin.client.RangerAdminRESTClient mod create-if-not-exists -ranger.service.store.rest.url %POLICY_MGR_URL% mod create-if-not-exists -ranger.service.store.rest.ssl.config.file /etc/hadoop/conf/ranger-policymgr-ssl.xml mod create-if-not-exists +ranger.plugin.hdfs.policy.rest.url %POLICY_MGR_URL% mod create-if-not-exists +ranger.plugin.hdfs.policy.rest.ssl.config.file /etc/hadoop/conf/ranger-policymgr-ssl.xml mod create-if-not-exists +ranger.plugin.hdfs.policy.pollIntervalMs 30000 mod create-if-not-exists +ranger.plugin.hdfs.policy.cache.dir %POLICY_CACHE_FILE_PATH% mod create-if-not-exists http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bef89c8/hdfs-agent/conf/ranger-hdfs-security.xml ---------------------------------------------------------------------- diff --git a/hdfs-agent/conf/ranger-hdfs-security.xml b/hdfs-agent/conf/ranger-hdfs-security.xml index 4e84232..9e03e38 100644 --- a/hdfs-agent/conf/ranger-hdfs-security.xml +++ b/hdfs-agent/conf/ranger-hdfs-security.xml 
@@ -26,42 +26,43 @@ </property> <property> - <name>ranger.plugin.hdfs.service.store.class</name> - <value>org.apache.ranger.plugin.store.rest.ServiceRESTStore</value> + <name>ranger.plugin.hdfs.policy.source.impl</name> + <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value> <description> - Service storage implementation class to use to retrieve policies + Class to retrieve policies from the source </description> </property> <property> - <name>ranger.plugin.hdfs.service.store.pollIntervalMs</name> - <value>30000</value> + <name>ranger.plugin.hdfs.policy.rest.url</name> + <value>http://policymanagerhost:port</value> <description> - How often to poll for changes in policies? + URL to Ranger Admin </description> </property> <property> - <name>ranger.plugin.hdfs.service.store.cache.dir</name> - <value>/etc/ranger/hadoopdev/policycache</value> + <name>ranger.plugin.hdfs.policy.rest.ssl.config.file</name> + <value>/etc/hadoop/conf/ranger-policymgr-ssl.xml</value> <description> - Directory where Ranger policies are cached after successful retrieval from the store + Path to the file containing SSL details to contact Ranger Admin </description> </property> - <!-- The following properties are used only when Ranger Admin REST interface is used to retrieve the policies --> <property> - <name>ranger.service.store.rest.url</name> - <value>http://policymanagerhost:port</value> + <name>ranger.plugin.hdfs.policy.pollIntervalMs</name> + <value>30000</value> <description> - URL to Ranger Admin + How often to poll for changes in policies? 
</description> </property> <property> - <name>ranger.service.store.rest.ssl.config.file</name> - <value>/etc/hadoop/conf/ranger-policymgr-ssl.xml</value> - <description>Path to the file containing SSL details to contact Ranger Admin</description> + <name>ranger.plugin.hdfs.policy.cache.dir</name> + <value>/etc/ranger/hadoopdev/policycache</value> + <description> + Directory where Ranger policies are cached after successful retrieval from the source + </description> </property> <!-- The following fields are used to customize the audit logging feature --> @@ -69,22 +70,22 @@ <property> <name>xasecure.auditlog.xasecureAcl.name</name> <value>xasecure-acl</value> - <description> The module name listed in the auditlog when the - permission check is done by RangerACL + <description> + The module name listed in the auditlog when the permission check is done by RangerACL </description> </property> <property> <name>xasecure.auditlog.hadoopAcl.name</name> <value>hadoop-acl</value> - <description> The module name listed in the auditlog - when the permission check is done by HadoopACL + <description> + The module name listed in the auditlog when the permission check is done by HadoopACL </description> </property> <property> <name>xasecure.auditlog.hdfs.excludeusers</name> <value>hbase,hive</value> - <description> List of comma separated users for - whom the audit log is not written + <description> + List of comma separated users for whom the audit log is not written </description> </property> --> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bef89c8/hive-agent/conf/ranger-hive-audit-changes.cfg ---------------------------------------------------------------------- diff --git a/hive-agent/conf/ranger-hive-audit-changes.cfg b/hive-agent/conf/ranger-hive-audit-changes.cfg index 83a1dff..9fa7608 100644 --- a/hive-agent/conf/ranger-hive-audit-changes.cfg +++ b/hive-agent/conf/ranger-hive-audit-changes.cfg 
@@ -16,7 +16,6 @@ xasecure.audit.db.is.enabled %XAAUDIT.DB.IS_ENABLED% xasecure.audit.jpa.javax.persistence.jdbc.url %XAAUDIT_DB_JDBC_URL% mod create-if-not-exists xasecure.audit.jpa.javax.persistence.jdbc.user %XAAUDIT.DB.USER_NAME% mod create-if-not-exists xasecure.audit.jpa.javax.persistence.jdbc.password crypted mod create-if-not-exists -xasecure.audit.repository.name %REPOSITORY_NAME% mod create-if-not-exists xasecure.audit.credential.provider.file jceks://file%CREDENTIAL_PROVIDER_FILE% mod create-if-not-exists xasecure.audit.jpa.javax.persistence.jdbc.driver %XAAUDIT_DB_JDBC_DRIVER% mod create-if-not-exists http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bef89c8/hive-agent/conf/ranger-hive-audit.xml ---------------------------------------------------------------------- diff --git a/hive-agent/conf/ranger-hive-audit.xml b/hive-agent/conf/ranger-hive-audit.xml index 047cd96..d011b24 100644 --- a/hive-agent/conf/ranger-hive-audit.xml +++ b/hive-agent/conf/ranger-hive-audit.xml @@ -22,11 +22,6 @@ <value>true</value> </property> - <property> - <name>xasecure.audit.repository.name</name> - <value>hivedev</value> - </property> - <!-- DB audit provider configuration --> <property> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bef89c8/hive-agent/conf/ranger-hive-security-changes.cfg ---------------------------------------------------------------------- diff --git a/hive-agent/conf/ranger-hive-security-changes.cfg b/hive-agent/conf/ranger-hive-security-changes.cfg index 399f424..504bf7d 100644 --- a/hive-agent/conf/ranger-hive-security-changes.cfg +++ b/hive-agent/conf/ranger-hive-security-changes.cfg 
@@ -16,13 +16,13 @@ # Change the original policy parameter to work with policy manager based. # # -ranger.plugin.hive.service.name %REPOSITORY_NAME% mod create-if-not-exists +ranger.plugin.hive.service.name %REPOSITORY_NAME% mod create-if-not-exists -ranger.plugin.hive.service.store.class org.apache.ranger.plugin.store.rest.ServiceRESTStore mod create-if-not-exists -ranger.plugin.hive.service.store.cache.dir %POLICY_CACHE_FILE_PATH% mod create-if-not-exists -ranger.plugin.hive.service.store.pollIntervalMs 30000 mod create-if-not-exists +ranger.plugin.hive.policy.source.impl org.apache.ranger.admin.client.RangerAdminRESTClient mod create-if-not-exists -ranger.service.store.rest.url %POLICY_MGR_URL% mod create-if-not-exists -ranger.service.store.rest.ssl.config.file /etc/hive/conf/ranger-policymgr-ssl.xml mod create-if-not-exists +ranger.plugin.hive.policy.rest.url %POLICY_MGR_URL% mod create-if-not-exists +ranger.plugin.hive.policy.rest.ssl.config.file /etc/hive/conf/ranger-policymgr-ssl.xml mod create-if-not-exists +ranger.plugin.hive.policy.pollIntervalMs 30000 mod create-if-not-exists +ranger.plugin.hive.policy.cache.dir %POLICY_CACHE_FILE_PATH% mod create-if-not-exists -xasecure.hive.update.xapolicies.on.grant.revoke %UPDATE_XAPOLICIES_ON_GRANT_REVOKE% mod create-if-not-exists +xasecure.hive.update.xapolicies.on.grant.revoke %UPDATE_XAPOLICIES_ON_GRANT_REVOKE% mod create-if-not-exists http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bef89c8/hive-agent/conf/ranger-hive-security.xml ---------------------------------------------------------------------- diff --git a/hive-agent/conf/ranger-hive-security.xml b/hive-agent/conf/ranger-hive-security.xml index 86526c6..010debc 100644 --- a/hive-agent/conf/ranger-hive-security.xml +++ b/hive-agent/conf/ranger-hive-security.xml 
@@ -26,45 +26,45 @@ </property> <property> - <name>ranger.plugin.hive.service.store.class</name> - <value>org.apache.ranger.plugin.store.rest.ServiceRESTStore</value> + <name>ranger.plugin.hive.policy.source.impl</name> + <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value> <description> - Service storage implementation class to use to retrieve policies + Class to retrieve policies from the source </description> </property> <property> - <name>ranger.plugin.hive.service.store.pollIntervalMs</name> - <value>30000</value> + <name>ranger.plugin.hive.policy.rest.url</name> + <value>http://policymanagerhost:port</value> <description> - How often to poll for changes in policies? + URL to Ranger Admin </description> </property> <property> - <name>ranger.plugin.hive.service.store.cache.dir</name> - <value>/etc/ranger/hivedev/policycache</value> + <name>ranger.plugin.hive.policy.rest.ssl.config.file</name> + <value>/etc/hive/conf/ranger-policymgr-ssl.xml</value> <description> - Directory where Ranger policies are cached after successful retrieval from the store + Path to the file containing SSL details to contact Ranger Admin </description> </property> - <!-- The following properties are used only when Ranger Admin REST interface is used to retrieve the policies --> <property> - <name>ranger.service.store.rest.url</name> - <value>http://policymanagerhost:port</value> + <name>ranger.plugin.hive.policy.pollIntervalMs</name> + <value>30000</value> <description> - URL to Ranger Admin + How often to poll for changes in policies? 
</description> </property> <property> - <name>ranger.service.store.rest.ssl.config.file</name> - <value>/etc/hive/conf/ranger-policymgr-ssl.xml</value> - <description>Path to the file containing SSL details to contact Ranger Admin</description> + <name>ranger.plugin.hive.policy.cache.dir</name> + <value>/etc/ranger/hivedev/policycache</value> + <description> + Directory where Ranger policies are cached after successful retrieval from the source + </description> </property> - <property> <name>xasecure.hive.update.xapolicies.on.grant.revoke</name> <value>true</value> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bef89c8/knox-agent/conf/ranger-knox-audit-changes.cfg ---------------------------------------------------------------------- diff --git a/knox-agent/conf/ranger-knox-audit-changes.cfg b/knox-agent/conf/ranger-knox-audit-changes.cfg index f8226ce..7ae334e 100644 --- a/knox-agent/conf/ranger-knox-audit-changes.cfg +++ b/knox-agent/conf/ranger-knox-audit-changes.cfg @@ -16,7 +16,6 @@ xasecure.audit.db.is.enabled %XAAUDIT.DB.IS_ENABLED% xasecure.audit.jpa.javax.persistence.jdbc.url %XAAUDIT_DB_JDBC_URL% mod create-if-not-exists xasecure.audit.jpa.javax.persistence.jdbc.user %XAAUDIT.DB.USER_NAME% mod create-if-not-exists xasecure.audit.jpa.javax.persistence.jdbc.password crypted mod create-if-not-exists -xasecure.audit.repository.name %REPOSITORY_NAME% mod create-if-not-exists xasecure.audit.credential.provider.file jceks://file%CREDENTIAL_PROVIDER_FILE% mod create-if-not-exists xasecure.audit.jpa.javax.persistence.jdbc.driver %XAAUDIT_DB_JDBC_DRIVER% mod create-if-not-exists http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bef89c8/knox-agent/conf/ranger-knox-audit.xml ---------------------------------------------------------------------- diff --git a/knox-agent/conf/ranger-knox-audit.xml b/knox-agent/conf/ranger-knox-audit.xml index d16899f..0fdcefc 100644 --- a/knox-agent/conf/ranger-knox-audit.xml 
+++ b/knox-agent/conf/ranger-knox-audit.xml @@ -21,11 +21,6 @@ <name>xasecure.audit.is.enabled</name> <value>true</value> </property> - - <property> - <name>xasecure.audit.repository.name</name> - <value>knoxdev</value> - </property> <!-- DB audit provider configuration --> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bef89c8/knox-agent/conf/ranger-knox-security-changes.cfg ---------------------------------------------------------------------- diff --git a/knox-agent/conf/ranger-knox-security-changes.cfg b/knox-agent/conf/ranger-knox-security-changes.cfg index 7a2b597..98e2216 100644 --- a/knox-agent/conf/ranger-knox-security-changes.cfg +++ b/knox-agent/conf/ranger-knox-security-changes.cfg 
@@ -16,11 +16,11 @@ # Change the original policy parameter to work with policy manager based. # # -ranger.plugin.knox.service.name %REPOSITORY_NAME% mod create-if-not-exists +ranger.plugin.knox.service.name %REPOSITORY_NAME% mod create-if-not-exists -ranger.plugin.knox.service.store.class org.apache.ranger.plugin.store.rest.ServiceRESTStore mod create-if-not-exists -ranger.plugin.knox.service.store.cache.dir %POLICY_CACHE_FILE_PATH% mod create-if-not-exists -ranger.plugin.knox.service.store.pollIntervalMs 30000 mod create-if-not-exists +ranger.plugin.knox.policy.source.impl org.apache.ranger.admin.client.RangerAdminRESTClient mod create-if-not-exists -ranger.service.store.rest.url %POLICY_MGR_URL% mod create-if-not-exists -ranger.service.store.rest.ssl.config.file /etc/knox/conf/ranger-policymgr-ssl.xml mod create-if-not-exists +ranger.plugin.knox.policy.rest.url %POLICY_MGR_URL% mod create-if-not-exists +ranger.plugin.knox.policy.rest.ssl.config.file /etc/knox/conf/ranger-policymgr-ssl.xml mod create-if-not-exists +ranger.plugin.knox.policy.pollIntervalMs 30000 mod create-if-not-exists +ranger.plugin.knox.policy.cache.dir %POLICY_CACHE_FILE_PATH% mod create-if-not-exists http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4bef89c8/knox-agent/conf/ranger-knox-security.xml ---------------------------------------------------------------------- diff --git a/knox-agent/conf/ranger-knox-security.xml b/knox-agent/conf/ranger-knox-security.xml index 0b03a35..e7d8490 100644 --- a/knox-agent/conf/ranger-knox-security.xml +++ b/knox-agent/conf/ranger-knox-security.xml 
@@ -27,42 +27,42 @@ </property> <property> - <name>ranger.plugin.knox.service.store.class</name> - <value>org.apache.ranger.plugin.store.rest.ServiceRESTStore</value> + <name>ranger.plugin.knox.policy.source.impl</name> + <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value> <description> - Service storage implementation class to use to retrieve policies + Class to retrieve policies </description> </property> <property> - <name>ranger.plugin.knox.service.store.pollIntervalMs</name> - <value>30000</value> + <name>ranger.plugin.knox.policy.rest.url</name> + <value>http://policymanagerhost:port</value> <description> - How often to poll for changes in policies? + URL to Ranger Admin </description> </property> <property> - <name>ranger.plugin.knox.service.store.cache.dir</name> - <value>/etc/ranger/knoxdev/policycache</value> + <name>ranger.plugin.knox.policy.rest.ssl.config.file</name> + <value>/etc/knox/conf/ranger-policymgr-ssl.xml</value> <description> - Directory where Ranger policies are cached after successful retrieval from the store + Path to the file containing SSL details to contact Ranger Admin </description> </property> - <!-- The following properties are used only when Ranger Admin REST interface is used to retrieve the policies --> <property> - <name>ranger.service.store.rest.url</name> - <value>http://policymanagerhost:port</value> + <name>ranger.plugin.knox.policy.pollIntervalMs</name> + <value>30000</value> <description> - URL to Ranger Admin + How often to poll for changes in policies? 
</description> </property> <property> - <name>ranger.service.store.rest.ssl.config.file</name> - <value>/etc/knox/conf/ranger-policymgr-ssl.xml</value> - <description>Path to the file containing SSL details to contact Ranger Admin</description> + <name>ranger.plugin.knox.policy.cache.dir</name> + <value>/etc/ranger/knoxdev/policycache</value> + <description> + Directory where Ranger policies are cached after successful retrieval from the source + </description> </property> - </configuration>
