Repository: incubator-ranger
Updated Branches:
  refs/heads/master fa1248a2a -> 377eecbb7


RANGER-257: add KMS to run using existing embededtomcatserver instance


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/084ff13e
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/084ff13e
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/084ff13e

Branch: refs/heads/master
Commit: 084ff13e0851bc07bbd5422a299d6a1f55658d69
Parents: aedb1fc
Author: sneethiraj <[email protected]>
Authored: Sun Feb 22 16:24:33 2015 -0800
Committer: sneethiraj <[email protected]>
Committed: Sun Feb 22 16:24:33 2015 -0800

----------------------------------------------------------------------
 .../ranger/server/tomcat/EmbeddedServer.java    |  65 ++++++-
 kms/.gitignore                                  |   1 +
 kms/config/kms-webapp/core-site.xml             |  29 ++++
 kms/config/kms-webapp/hdfs-site.xml             |  16 ++
 kms/config/kms-webapp/kms-acls.xml              | 135 +++++++++++++++
 kms/config/kms-webapp/kms-env.sh                |  49 ++++++
 kms/config/kms-webapp/kms-log4j.properties      |  38 ++++
 kms/config/kms-webapp/kms-site.xml              | 173 +++++++++++++++++++
 kms/config/webserver/kms_webserver.properties   |  47 +++++
 kms/pom.xml                                     |  51 ++++++
 kms/scripts/ranger-kms                          |  48 +++++
 kms/scripts/ranger-kms-services.sh              | 100 +++++++++++
 .../hadoop/crypto/key/SampleKeyProvider.java    |  90 ++++++++++
 pom.xml                                         |   2 +
 src/main/assembly/kms.xml                       | 111 ++++++++++++
 15 files changed, 951 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/084ff13e/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
----------------------------------------------------------------------
diff --git 
a/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
 
b/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
index cb01207..f9c7fcc 100644
--- 
a/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
+++ 
b/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
@@ -25,6 +25,7 @@ import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URL;
+import java.util.Date;
 import java.util.Properties;
 import java.util.logging.Logger;
 
@@ -42,6 +43,8 @@ public class EmbeddedServer {
        
        private static final String DEFAULT_CONFIG_FILENAME = 
"ranger_webserver.properties" ;
        
+       private static final String DEFAULT_WEBAPPS_ROOT_FOLDER = "webapps" ;
+       
        private static String configFile = DEFAULT_CONFIG_FILENAME ;
        
        private Properties serverConfigProperties = new Properties() ;
@@ -116,6 +119,12 @@ public class EmbeddedServer {
                        ssl.setAttribute("sslEnabledProtocols", 
enabledProtocols ) ;
                        
                        server.getService().addConnector(ssl); 
+
+                       //
+                       // Making this as a default connector
+                       //
+                       server.setConnector(ssl);
+                       
                }
 
                
@@ -153,9 +162,30 @@ public class EmbeddedServer {
                                webapp_dir = catalina_base + File.separator + 
"webapp";
                                LOG.info("Deriving webapp folder from 
catalina.base property. folder=" + webapp_dir);
                        }
-                       LOG.info("Webapp folder=" + webapp_dir);
-                       Context webappCtx = server.addWebapp("/",  new 
File(webapp_dir).getAbsolutePath()) ;
+                       
+                       String webContextName = 
getConfig("xa.webapp.contextName", "/")  ;
+                       if (webContextName != null) {
+                               if (! webContextName.startsWith("/")) {
+                                       LOG.info("Context Name [" + 
webContextName + "] is being loaded as [ /" + webContextName  + "]");
+                                       webContextName = "/" + webContextName ;
+                               }
+                       }
+                       
+                       File wad = new File (webapp_dir) ;
+                       if (wad.isDirectory()) {
+                               LOG.info("Webapp file =" + webapp_dir + ", 
webAppName = " + webContextName);
+                       }
+                       else if (wad.isFile()) {
+                               File webAppDir = new 
File(DEFAULT_WEBAPPS_ROOT_FOLDER) ;
+                               if (! webAppDir.exists()) {
+                                       webAppDir.mkdirs() ;
+                               }
+                               LOG.info("Webapp file =" + webapp_dir + ", 
webAppName = " + webContextName);
+                       }
+                       LOG.info("Adding webapp [" + webContextName + "] = path 
[" + webapp_dir + "] .....") ;
+                       Context webappCtx = server.addWebapp(webContextName,  
new File(webapp_dir).getAbsolutePath()) ;
                        webappCtx.init() ;
+                       LOG.info("Finished init of webapp [" + webContextName + 
"] = path [" + webapp_dir + "].") ;
                } catch (ServletException e1) {
                        LOG.severe("Tomcat Server failed to add webapp:" + 
e1.toString()) ;
                        e1.printStackTrace();
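Review bot: The new `wad` check has branches for a directory and for a file but none for a path that does not exist, so a wrong `xa.webapp.dir` still reaches `server.addWebapp(...)` and fails only later; a final `else` that logs at severe level and aborts startup would surface the misconfiguration. In the `wad.isFile()` branch the result of `webAppDir.mkdirs()` is ignored, and `DEFAULT_WEBAPPS_ROOT_FOLDER` is a relative path, so the folder is created under whatever working directory the process was started from. I would check the result, e.g. `if (!webAppDir.exists() && !webAppDir.mkdirs()) { LOG.severe("Unable to create " + webAppDir.getAbsolutePath()); }`, and resolve the folder against a configured base directory. The `webContextName != null` guard looks redundant given the `"/"` default, though `getConfig` is not visible here; the enclosing method starts and ends outside the hunk.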
@@ -167,6 +197,8 @@ public class EmbeddedServer {
                try {
                        server.start(); 
                        server.getServer().await();
+                       shutdownServer() ;                      
+                       
                } catch (LifecycleException e) {
                        LOG.severe("Tomcat Server failed to start:" + 
e.toString()) ;
                        e.printStackTrace(); 
@@ -233,8 +265,33 @@ public class EmbeddedServer {
                
                return ret ;
                
-               
-               
+       }
+       
+       
+       public void shutdownServer() {
+               int timeWaitForShutdownInSeconds = 
getIntConfig("service.waitTimeForFoceShutdownInSeconds", 120) ;
+               if (timeWaitForShutdownInSeconds > 0) {
+                       long endTime = System.currentTimeMillis()  + 
(timeWaitForShutdownInSeconds * 1000L) ;
+                       LOG.info("Will wait for all threads to shutdown 
gracefully. Final shutdown Time: " + new Date(endTime)) ;
+                       while (System.currentTimeMillis() < endTime) {
+                               int activeCount = Thread.activeCount() ;
+                               if (activeCount == 0) {
+                                   LOG.info("Number of active threads = " + 
activeCount + ".");
+                                       break ;
+                               }
+                               else {
+                                       LOG.info("Number of active threads = " 
+ activeCount + ". Waiting for all threads to shutdown ...");
+                                       try {
+                                               Thread.sleep(5000L);
+                                       } catch (InterruptedException e) {
+                                               LOG.warning("shutdownServer 
process is interrupted with exception: " +  e);
+                                               break ;
+                                       }
+                               }
+                       }
+               }
+           LOG.info("Shuting down the Server.") ;
+               System.exit(0);
        }
 
 }
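Review bot: `Thread.activeCount()` includes the thread that calls it, so the `activeCount == 0` test in `shutdownServer()` cannot become true while the loop is running, and every shutdown will sit out the full `service.waitTimeForFoceShutdownInSeconds` (120 s by default) before `System.exit(0)`. If polling the thread count is kept, the exit condition has to allow for the caller, e.g. `if (activeCount <= 1)`, although the count is only an estimate and stopping the embedded server explicitly before exiting would be more reliable. The `catch (InterruptedException e)` branch should restore the flag with `Thread.currentThread().interrupt();` before `break`. The method is `public` and always ends in `System.exit(0)`, so any caller terminates the JVM; `private` looks sufficient, since the only call visible in this diff is the one after `server.getServer().await()`. The key name spells "Foce" for "Force" here and in `kms_webserver.properties`, so any rename has to change both.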

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/084ff13e/kms/.gitignore
----------------------------------------------------------------------
diff --git a/kms/.gitignore b/kms/.gitignore
new file mode 100644
index 0000000..b83d222
--- /dev/null
+++ b/kms/.gitignore
@@ -0,0 +1 @@
+/target/

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/084ff13e/kms/config/kms-webapp/core-site.xml
----------------------------------------------------------------------
diff --git a/kms/config/kms-webapp/core-site.xml 
b/kms/config/kms-webapp/core-site.xml
new file mode 100644
index 0000000..f14e0a1
--- /dev/null
+++ b/kms/config/kms-webapp/core-site.xml
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License. See accompanying LICENSE file.
+-->
+
+<!-- Put site-specific property overrides in this file. -->
+
+<configuration>
+       <property>
+               <name>hadoop.security.authorization</name>
+               <value>false</value>
+       </property>
+       <property>
+               <name>hadoop.security.authentication</name>
+               <value>simple</value>
+       </property>
+       
<property><name>hadoop.security.auth_to_local</name><value>DEFAULT</value></property>
+</configuration>
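Review bot: This default `core-site.xml` ships the KMS with `hadoop.security.authorization` set to `false` and `hadoop.security.authentication` set to `simple`, so the service accepts whatever user name the client presents and performs no service-level authorization. For a key-management service that is only reasonable on a development machine, and `kms-site.xml` in this commit makes the same choice with `hadoop.kms.authentication.type` = `simple`. I would either default to `kerberos` with authorization enabled, or put a comment directly above these properties such as `<!-- Development defaults only: enable kerberos authentication and authorization before deploying -->` so that the packaged file is not deployed as is.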

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/084ff13e/kms/config/kms-webapp/hdfs-site.xml
----------------------------------------------------------------------
diff --git a/kms/config/kms-webapp/hdfs-site.xml 
b/kms/config/kms-webapp/hdfs-site.xml
new file mode 100644
index 0000000..66b53b5
--- /dev/null
+++ b/kms/config/kms-webapp/hdfs-site.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License. See accompanying LICENSE file.
+-->
+<configuration>
+</configuration>

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/084ff13e/kms/config/kms-webapp/kms-acls.xml
----------------------------------------------------------------------
diff --git a/kms/config/kms-webapp/kms-acls.xml 
b/kms/config/kms-webapp/kms-acls.xml
new file mode 100644
index 0000000..1d5b649
--- /dev/null
+++ b/kms/config/kms-webapp/kms-acls.xml
@@ -0,0 +1,135 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<configuration>
+
+  <!-- This file is hot-reloaded when it changes -->
+
+  <!-- KMS ACLs -->
+
+  <property>
+    <name>hadoop.kms.acl.CREATE</name>
+    <value>*</value>
+    <description>
+      ACL for create-key operations.
+      If the user is not in the GET ACL, the key material is not returned
+      as part of the response.
+    </description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.acl.DELETE</name>
+    <value>*</value>
+    <description>
+      ACL for delete-key operations.
+    </description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.acl.ROLLOVER</name>
+    <value>*</value>
+    <description>
+      ACL for rollover-key operations.
+      If the user does is not in the GET ACL, the key material is not returned
+      as part of the response.
+    </description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.acl.GET</name>
+    <value>*</value>
+    <description>
+      ACL for get-key-version and get-current-key operations.
+    </description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.acl.GET_KEYS</name>
+    <value>*</value>
+    <description>
+      ACL for get-keys operations.
+    </description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.acl.GET_METADATA</name>
+    <value>*</value>
+    <description>
+      ACL for get-key-metadata and get-keys-metadata operations.
+    </description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.acl.SET_KEY_MATERIAL</name>
+    <value>*</value>
+    <description>
+      Complementary ACL for CREATE and ROLLOVER operations to allow the client
+      to provide the key material when creating or rolling a key.
+    </description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.acl.GENERATE_EEK</name>
+    <value>*</value>
+    <description>
+      ACL for generateEncryptedKey CryptoExtension operations.
+    </description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.acl.DECRYPT_EEK</name>
+    <value>*</value>
+    <description>
+      ACL for decryptEncryptedKey CryptoExtension operations.
+    </description>
+  </property>
+
+  <property>
+    <name>default.key.acl.MANAGEMENT</name>
+    <value>*</value>
+    <description>
+      default ACL for MANAGEMENT operations for all key acls that are not
+      explicitly defined.
+    </description>
+  </property>
+
+  <property>
+    <name>default.key.acl.GENERATE_EEK</name>
+    <value>*</value>
+    <description>
+      default ACL for GENERATE_EEK operations for all key acls that are not
+      explicitly defined.
+    </description>
+  </property>
+
+  <property>
+    <name>default.key.acl.DECRYPT_EEK</name>
+    <value>*</value>
+    <description>
+      default ACL for DECRYPT_EEK operations for all key acls that are not
+      explicitly defined.
+    </description>
+  </property>
+
+  <property>
+    <name>default.key.acl.READ</name>
+    <value>*</value>
+    <description>
+      default ACL for READ operations for all key acls that are not
+      explicitly defined.
+    </description>
+  </property>
+
+
+</configuration>
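Review bot: Every ACL in this file is `*`, including `hadoop.kms.acl.DELETE`, `hadoop.kms.acl.GET`, `hadoop.kms.acl.DECRYPT_EEK` and all four `default.key.acl.*` entries, so any caller the KMS accepts may create, read, delete and decrypt with any key. Combined with the `simple` authentication configured in `core-site.xml` and `kms-site.xml` in this commit, nothing in the shipped configuration restricts key operations. If Ranger policies are meant to take over authorization later, a comment at the top of the file should say so; otherwise at least DELETE, GET and DECRYPT_EEK should be limited to named users or groups rather than `*`.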

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/084ff13e/kms/config/kms-webapp/kms-env.sh
----------------------------------------------------------------------
diff --git a/kms/config/kms-webapp/kms-env.sh b/kms/config/kms-webapp/kms-env.sh
new file mode 100644
index 0000000..88a2b86
--- /dev/null
+++ b/kms/config/kms-webapp/kms-env.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License. See accompanying LICENSE file.
+#
+
+# Set kms specific environment variables here.
+
+# Settings for the Embedded Tomcat that runs KMS
+# Java System properties for KMS should be specified in this variable
+#
+# export CATALINA_OPTS=
+
+# KMS logs directory
+#
+# export KMS_LOG=${KMS_HOME}/logs
+
+# KMS temporary directory
+#
+# export KMS_TEMP=${KMS_HOME}/temp
+
+# The HTTP port used by KMS
+#
+# export KMS_HTTP_PORT=16000
+
+# The Admin port used by KMS
+#
+# export KMS_ADMIN_PORT=`expr ${KMS_HTTP_PORT} + 1`
+
+# The maximum number of Tomcat handler threads
+#
+# export KMS_MAX_THREADS=1000
+
+# The location of the SSL keystore if using SSL
+#
+# export KMS_SSL_KEYSTORE_FILE=${HOME}/.keystore
+
+# The password of the SSL keystore if using SSL
+#
+# export KMS_SSL_KEYSTORE_PASS=password

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/084ff13e/kms/config/kms-webapp/kms-log4j.properties
----------------------------------------------------------------------
diff --git a/kms/config/kms-webapp/kms-log4j.properties 
b/kms/config/kms-webapp/kms-log4j.properties
new file mode 100644
index 0000000..8e6d909
--- /dev/null
+++ b/kms/config/kms-webapp/kms-log4j.properties
@@ -0,0 +1,38 @@
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License. See accompanying LICENSE file.
+#
+
+# If the Java System property 'kms.log.dir' is not defined at KMS start up time
+# Setup sets its value to '${kms.home}/logs'
+
+log4j.appender.kms=org.apache.log4j.DailyRollingFileAppender
+log4j.appender.kms.DatePattern='.'yyyy-MM-dd
+log4j.appender.kms.File=${kms.log.dir}/kms.log
+log4j.appender.kms.Append=true
+log4j.appender.kms.layout=org.apache.log4j.PatternLayout
+log4j.appender.kms.layout.ConversionPattern=%d{ISO8601} %-5p %c{1} - %m%n
+
+log4j.appender.kms-audit=org.apache.log4j.DailyRollingFileAppender
+log4j.appender.kms-audit.DatePattern='.'yyyy-MM-dd
+log4j.appender.kms-audit.File=${kms.log.dir}/kms-audit.log
+log4j.appender.kms-audit.Append=true
+log4j.appender.kms-audit.layout=org.apache.log4j.PatternLayout
+log4j.appender.kms-audit.layout.ConversionPattern=%d{ISO8601} %m%n
+
+log4j.logger.kms-audit=INFO, kms-audit
+log4j.additivity.kms-audit=false
+
+log4j.rootLogger=ALL, kms
+log4j.logger.org.apache.hadoop.conf=ERROR
+log4j.logger.org.apache.hadoop=INFO
+log4j.logger.com.sun.jersey.server.wadl.generators.WadlGeneratorJAXBGrammarGenerator=OFF
\ No newline at end of file
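Review bot: `log4j.rootLogger=ALL, kms` enables every level, trace included, for all loggers that the three overrides below it do not cover, which for this webapp presumably includes the servlet container and the HTTP/authentication libraries. On a key-management service, verbose output from those layers can carry request details into `kms.log` and makes the log grow quickly. I would default to `log4j.rootLogger=INFO, kms` and leave a commented line showing how to raise the level for debugging.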

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/084ff13e/kms/config/kms-webapp/kms-site.xml
----------------------------------------------------------------------
diff --git a/kms/config/kms-webapp/kms-site.xml 
b/kms/config/kms-webapp/kms-site.xml
new file mode 100644
index 0000000..a810ca4
--- /dev/null
+++ b/kms/config/kms-webapp/kms-site.xml
@@ -0,0 +1,173 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<configuration>
+
+  <!-- KMS Backend KeyProvider -->
+
+  <property>
+    <name>hadoop.kms.key.provider.uri</name>
+    <value>jceks://file@/${user.home}/kms.keystore</value>
+    <description>
+      URI of the backing KeyProvider for the KMS.
+    </description>
+  </property>
+
+  <property>
+    <name>hadoop.security.keystore.JavaKeyStoreProvider.password</name>
+    <value>none</value>
+    <description>
+      If using the JavaKeyStoreProvider, the password for the keystore file.
+    </description>
+  </property>
+
+  <!-- KMS Cache -->
+
+  <property>
+    <name>hadoop.kms.cache.enable</name>
+    <value>true</value>
+    <description>
+      Whether the KMS will act as a cache for the backing KeyProvider.
+      When the cache is enabled, operations like getKeyVersion, getMetadata,
+      and getCurrentKey will sometimes return cached data without consulting
+      the backing KeyProvider. Cached values are flushed when keys are deleted
+      or modified.
+    </description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.cache.timeout.ms</name>
+    <value>600000</value>
+    <description>
+      Expiry time for the KMS key version and key metadata cache, in
+      milliseconds. This affects getKeyVersion and getMetadata.
+    </description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.current.key.cache.timeout.ms</name>
+    <value>30000</value>
+    <description>
+      Expiry time for the KMS current key cache, in milliseconds. This
+      affects getCurrentKey operations.
+    </description>
+  </property>
+
+  <!-- KMS Audit -->
+
+  <property>
+    <name>hadoop.kms.audit.aggregation.window.ms</name>
+    <value>10000</value>
+    <description>
+      Duplicate audit log events within the aggregation window (specified in
+      ms) are quashed to reduce log traffic. A single message for aggregated
+      events is printed at the end of the window, along with a count of the
+      number of aggregated events.
+    </description>
+  </property>
+
+  <!-- KMS Security -->
+
+  <property>
+    <name>hadoop.kms.authentication.type</name>
+    <value>simple</value>
+    <description>
+      Authentication type for the KMS. Can be either &quot;simple&quot;
+      or &quot;kerberos&quot;.
+    </description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.authentication.kerberos.keytab</name>
+    <value>${user.home}/kms.keytab</value>
+    <description>
+      Path to the keytab with credentials for the configured Kerberos 
principal.
+    </description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.authentication.kerberos.principal</name>
+    <value>HTTP/localhost</value>
+    <description>
+      The Kerberos principal to use for the HTTP endpoint.
+      The principal must start with 'HTTP/' as per the Kerberos HTTP SPNEGO 
specification.
+    </description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.authentication.kerberos.name.rules</name>
+    <value>DEFAULT</value>
+    <description>
+      Rules used to resolve Kerberos principal names.
+    </description>
+  </property>
+
+  <!-- Authentication cookie signature source -->
+
+  <property>
+    <name>hadoop.kms.authentication.signer.secret.provider</name>
+    <value>random</value>
+    <description>
+      Indicates how the secret to sign the authentication cookies will be
+      stored. Options are 'random' (default), 'string' and 'zookeeper'.
+      If using a setup with multiple KMS instances, 'zookeeper' should be used.
+    </description>
+  </property>
+
+  <!-- Configuration for 'zookeeper' authentication cookie signature source -->
+
+  <property>
+    
<name>hadoop.kms.authentication.signer.secret.provider.zookeeper.path</name>
+    <value>/hadoop-kms/hadoop-auth-signature-secret</value>
+    <description>
+      The Zookeeper ZNode path where the KMS instances will store and retrieve
+      the secret from.
+    </description>
+  </property>
+
+  <property>
+    
<name>hadoop.kms.authentication.signer.secret.provider.zookeeper.connection.string</name>
+    <value>#HOSTNAME#:#PORT#,...</value>
+    <description>
+      The Zookeeper connection string, a list of hostnames and port comma
+      separated.
+    </description>
+  </property>
+
+  <property>
+    
<name>hadoop.kms.authentication.signer.secret.provider.zookeeper.auth.type</name>
+    <value>kerberos</value>
+    <description>
+      The Zookeeper authentication type, 'none' or 'sasl' (Kerberos).
+    </description>
+  </property>
+
+  <property>
+    
<name>hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.keytab</name>
+    <value>/etc/hadoop/conf/kms.keytab</value>
+    <description>
+      The absolute path for the Kerberos keytab with the credentials to
+      connect to Zookeeper.
+    </description>
+  </property>
+
+  <property>
+    
<name>hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.principal</name>
+    <value>kms/#HOSTNAME#</value>
+    <description>
+      The Kerberos service principal used to connect to Zookeeper.
+    </description>
+  </property>
+
+</configuration>
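Review bot: `hadoop.security.keystore.JavaKeyStoreProvider.password` is set to the literal `none` while `hadoop.kms.key.provider.uri` points at `${user.home}/kms.keystore`, so the keystore holding the key material is protected by a password that is published in the repository. The default should be a placeholder that setup must replace, with a comment above the property such as `<!-- Must be changed at install time; keep this file readable only by the KMS service user -->`. Separately, `hadoop.kms.authentication.signer.secret.provider.zookeeper.auth.type` is given the value `kerberos` although its own description lists only `none` and `sasl`; the value or the description needs correcting so that the ZooKeeper connection is authenticated as intended.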

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/084ff13e/kms/config/webserver/kms_webserver.properties
----------------------------------------------------------------------
diff --git a/kms/config/webserver/kms_webserver.properties 
b/kms/config/webserver/kms_webserver.properties
new file mode 100644
index 0000000..4118a1f
--- /dev/null
+++ b/kms/config/webserver/kms_webserver.properties
@@ -0,0 +1,47 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#
+# Service Information
+#
+service.host=localhost
+http.service.port=9292
+service.shutdownPort=7085
+service.shutdownCommand=SHUTDOWN
+service.waitTimeForFoceShutdownInSeconds=120
+
+#
+# SSL Connector Information
+#
+#https.service.port=7181
+https.attrib.SSLEnabled=true
+https.attrib.sslProtocol=TLS
+https.attrib.clientAuth=false
+https.attrib.keyAlias=rangerkms
+https.attrib.keystorePass=rangerkms
+https.attrib.keystoreFile=./keys/server.jks
+
+#
+# Access Log Information
+#
+accesslog.dateformat=yyyy-MM-dd
+accesslog.pattern=%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"
+
+
+#
+# Web Application root folder
+#
+xa.webapp.contextName=/kms
+xa.webapp.dir=./webapp/root/hadoop-kms-2.6.0.war
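Review bot: `https.attrib.keystorePass=rangerkms` commits a keystore password, identical to `https.attrib.keyAlias`, into the default configuration, and with `https.service.port` commented out the only port configured in this file is plain HTTP on 9292. How `EmbeddedServer` treats a missing HTTPS port is not visible in this diff, but as written the file suggests key requests would travel unencrypted unless the operator edits it. The password should be a placeholder filled in at install time and the HTTPS port enabled by default. `service.shutdownCommand=SHUTDOWN` on `service.shutdownPort=7085` is the stock command string, so anyone who can reach that port can stop the service; a per-install value would be safer.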

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/084ff13e/kms/pom.xml
----------------------------------------------------------------------
diff --git a/kms/pom.xml b/kms/pom.xml
new file mode 100644
index 0000000..753e6ee
--- /dev/null
+++ b/kms/pom.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 
http://maven.apache.org/xsd/maven-4.0.0.xsd";>
+  <modelVersion>4.0.0</modelVersion>
+  <artifactId>ranger-kms</artifactId>
+  <version>0.4.0</version>
+  <name>Key Management Systems</name>
+  <description>Key Management Systems</description>
+  <packaging>jar</packaging>
+  <parent>
+       <groupId>org.apache.ranger</groupId>
+       <artifactId>ranger</artifactId>
+       <version>0.4.0</version>
+  </parent>
+  <build>
+       <resources>
+               <resource>
+                       <directory>src/main/resources</directory>
+                       <filtering>true</filtering>
+               </resource>
+       </resources>
+  </build>
+  <dependencies>
+       <dependency>
+               <groupId>org.apache.hadoop</groupId>
+               <artifactId>hadoop-kms</artifactId>
+               <version>2.6.0</version>
+               <type>war</type>
+       </dependency>
+    <dependency>
+        <groupId>org.apache.hadoop</groupId>
+        <artifactId>hadoop-common</artifactId>
+        <version>${hadoop-common.version}</version>
+    </dependency>
+  </dependencies>
+</project>
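Review bot: The `hadoop-kms` dependency is pinned to the literal `2.6.0` while `hadoop-common` directly below it uses `${hadoop-common.version}`, and `kms_webserver.properties` in this commit hard-codes `hadoop-kms-2.6.0.war` as well. When the Hadoop property is moved to a patched release, the WAR that actually serves the KMS will stay on 2.6.0 unless both places are edited by hand. If the two artifacts are meant to track each other, use `<version>${hadoop-common.version}</version>` for the WAR too and derive the WAR file name from the same property.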

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/084ff13e/kms/scripts/ranger-kms
----------------------------------------------------------------------
diff --git a/kms/scripts/ranger-kms b/kms/scripts/ranger-kms
new file mode 100755
index 0000000..a7cc20e
--- /dev/null
+++ b/kms/scripts/ranger-kms
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+### BEGIN INIT INFO
+# Provides:        ranger-kms
+# Required-Start:  $local_fs $remote_fs $network $named $syslog $time
+# Required-Stop:   $local_fs $remote_fs $network $named $syslog $time
+# Default-Start:   2 3 4 5
+# Default-Stop:
+# Short-Description: Start/Stop Ranger Kms
+### END INIT INFO
+
+BIN_PATH=/usr/bin
+MOD_NAME=ranger-kms
+
+case $1 in
+start)
+       echo "Starting Apache Ranger Kms."
+       ${BIN_PATH}/${MOD_NAME} start
+       ;;
+stop)
+       echo "Stopping Apache Ranger Kms."
+       ${BIN_PATH}/${MOD_NAME} stop
+       ;;
+restart)
+       echo "Stopping Apache Ranger Kms."
+       ${BIN_PATH}/${MOD_NAME} stop
+       echo "Stopping Apache Ranger Kms."
+       ${BIN_PATH}/${MOD_NAME} start
+       ;;
+*)
+       echo "Invalid argument [$1]; Only start|stop|restart are supported."
+    exit 1
+esac
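Review bot: The `restart)` branch prints "Stopping Apache Ranger Kms." twice; the second `echo` precedes the `start` call and should be `echo "Starting Apache Ranger Kms."`. The branch also runs `start` regardless of whether `stop` succeeded, so a failed stop can leave two instances competing for the same ports. This wrapper invokes `${BIN_PATH}/${MOD_NAME}`, i.e. `/usr/bin/ranger-kms`, which has the same base name as this script, so it is worth confirming that the install layout never places this file at that path, where it would call itself.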

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/084ff13e/kms/scripts/ranger-kms-services.sh
----------------------------------------------------------------------
diff --git a/kms/scripts/ranger-kms-services.sh 
b/kms/scripts/ranger-kms-services.sh
new file mode 100755
index 0000000..7c80cc8
--- /dev/null
+++ b/kms/scripts/ranger-kms-services.sh
@@ -0,0 +1,100 @@
+#!/bin/bash
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [ -z "$1" ]
+then
+       echo "Invalid argument [$1];"
+       echo "Usage: Only start | stop | restart | version, are supported."
+       exit;
+fi
+action=$1
+
+realScriptPath=`readlink -f $0`
+realScriptDir=`dirname $realScriptPath`
+RANGER_KMS_DIR=`(cd $realScriptDir/..; pwd)`
+RANGER_KMS_EWS_DIR=${RANGER_KMS_DIR}/ews
+RANGER_KMS_EWS_CONF_DIR="${RANGER_KMS_EWS_DIR}/conf"
+RANGER_KMS_EWS_LIB_DIR="${RANGER_KMS_EWS_DIR}/lib"
+
+JAVA_OPTS=" ${JAVA_OPTS} -XX:MaxPermSize=256m -Xmx1024m -Xms1024m "
+
+for custom_env_script in `find ${RANGER_KMS_DIR}/ews/conf/ -name 
"ranger-admin-env*"`; do
+        if [ -f $custom_env_script ]; then
+                . $custom_env_script
+        fi
+done
+
+if [ "$JAVA_HOME" != "" ]; then
+        export PATH=$JAVA_HOME/bin:$PATH
+fi
+
+cd ${RANGER_KMS_EWS_DIR}
+
+if [ ! -d logs ]
+then
+        mkdir logs
+fi
+
+
+PROC_NAME=proc_rangerkms
+export PROC_NAME
+
+START_CLASS_NAME="org.apache.ranger.server.tomcat.EmbeddedServer"
+
+STOP_CLASS_NAME="org.apache.ranger.server.tomcat.StopEmbeddedServer"
+
+KMS_CONFIG_FILENAME=kms_webserver.properties
+
+TOMCAT_LOG_DIR=/var/log/ranger/kms
+
+TOMCAT_LOG_FILE=${TOMCAT_LOG_DIR}/catalina.out
+TOMCAT_STOP_LOG_FILE=${TOMCAT_LOG_DIR}/stop_catalina.out
+
+if [ ! -d ${TOMCAT_LOG_DIR} ]
+then
+       mkdir -p ${TOMCAT_LOG_DIR}
+fi
+
+KMS_CONF_DIR=${RANGER_KMS_EWS_DIR}/webapp/config/
+
+JAVA_OPTS="${JAVA_OPTS} -Dcatalina.base=${RANGER_KMS_EWS_DIR} 
-Dkms.config.dir=${KMS_CONF_DIR} -Dkms.log.dir=${TOMCAT_LOG_DIR} -cp 
${RANGER_KMS_EWS_CONF_DIR}:${RANGER_KMS_EWS_LIB_DIR}/*:${JAVA_HOME}/lib/* "
+
+if [ "${action^^}" == "START" ]; then
+       echo "+ java -D${PROC_NAME} ${JAVA_OPTS} ${START_CLASS_NAME} 
${KMS_CONFIG_FILENAME} "
+       java -D${PROC_NAME} ${JAVA_OPTS} ${START_CLASS_NAME} 
${KMS_CONFIG_FILENAME} > ${TOMCAT_LOG_FILE} 2>&1 &
+       echo "Apache Ranger KMS has started."
+       exit
+elif [ "${action^^}" == "STOP" ]; then
+       java ${JAVA_OPTS} ${STOP_CLASS_NAME} ${KMS_CONFIG_FILENAME} > 
${TOMCAT_STOP_LOG_FILE} 2>&1
+       echo "Apache Ranger KMS has been stopped."
+       exit
+elif [ "${action^^}" == "RESTART" ]; then
+       echo "Restarting Apache Ranger KMS"
+       java ${JAVA_OPTS} ${STOP_CLASS_NAME} ${KMS_CONFIG_FILENAME} > 
${TOMCAT_STOP_LOG_FILE} 2>&1
+       echo "Apache Ranger KMS has been stopped."
+       echo "Starting Apache Ranger Admin.."
+       java -D${PROC_NAME} ${JAVA_OPTS} ${START_CLASS_NAME} 
${KMS_CONFIG_FILENAME} > ${TOMCAT_LOG_FILE} 2>&1 &
+       echo "Apache Ranger KMS has started successfully."
+       exit
+elif [ "${action^^}" == "VERSION" ]; then
+       ( cd ${RANGER_KMS_LIB_DIR} ; java -cp ranger-util-*.jar 
org.apache.ranger.common.RangerVersionInfo )
+       exit
+else 
+        echo "Invalid argument [$1];"
+        echo "Usage: Only start | stop | restart | version, are supported."
+        exit;
+fi
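Review bot: The VERSION branch runs `cd ${RANGER_KMS_LIB_DIR}`, but that variable is never set in this script; only `RANGER_KMS_EWS_LIB_DIR` is defined. The empty, unquoted expansion makes `cd` fall back to the caller's home directory, and the `java -cp ranger-util-*.jar` lookup runs there. It should probably read `( cd "${RANGER_KMS_EWS_LIB_DIR}" ; java -cp ranger-util-*.jar org.apache.ranger.common.RangerVersionInfo )`, assuming that is where the jar is installed. Separately, the env loop sources every file matching `ranger-admin-env*` under the conf directory into the shell that launches the KMS. That name looks carried over from the admin script, so the pattern should be narrowed to the KMS's own env file and the directory kept writable only by the service owner.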

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/084ff13e/kms/src/main/java/org/apache/hadoop/crypto/key/SampleKeyProvider.java
----------------------------------------------------------------------
diff --git 
a/kms/src/main/java/org/apache/hadoop/crypto/key/SampleKeyProvider.java 
b/kms/src/main/java/org/apache/hadoop/crypto/key/SampleKeyProvider.java
new file mode 100644
index 0000000..b579ebb
--- /dev/null
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/SampleKeyProvider.java
@@ -0,0 +1,90 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.hadoop.crypto.key;
+
+import java.io.IOException;
+import java.util.List;
+
+import org.apache.hadoop.conf.Configuration;
+
+
+public class SampleKeyProvider extends KeyProvider {
+       
+       public SampleKeyProvider(Configuration conf) {
+               super(conf);
+               // TODO Auto-generated constructor stub
+       }
+
+       @Override
+       public KeyVersion getKeyVersion(String versionName) throws IOException {
+               // TODO Auto-generated method stub
+               return null;
+       }
+
+       @Override
+       public List<String> getKeys() throws IOException {
+               // TODO Auto-generated method stub
+               return null;
+       }
+
+       @Override
+       public List<KeyVersion> getKeyVersions(String name) throws IOException {
+               // TODO Auto-generated method stub
+               return null;
+       }
+
+       @Override
+       public Metadata getMetadata(String name) throws IOException {
+               // TODO Auto-generated method stub
+               
+               new KeyProvider.Metadata(null) ;
+               
+               return null;
+       }
+
+       @Override
+       public KeyVersion createKey(String name, byte[] material, Options 
options)
+                       throws IOException {
+               // TODO Auto-generated method stub
+               return null;
+       }
+
+       @Override
+       public void deleteKey(String name) throws IOException {
+               // TODO Auto-generated method stub
+               
+       }
+
+       @Override
+       public KeyVersion rollNewVersion(String name, byte[] material)
+                       throws IOException {
+               // TODO Auto-generated method stub
+               return null;
+       }
+
+       @Override
+       public void flush() throws IOException {
+               // TODO Auto-generated method stub
+               
+       }
+
+       
+
+}
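Review bot: Every overridden method in this provider returns `null` or does nothing, so a caller cannot tell an unimplemented operation from a real result. `createKey` and `rollNewVersion` report no error while producing no key, `deleteKey` and `flush` succeed silently, and `getKeys`/`getKeyVersions` return `null` where a list is expected. Until the class is implemented, each body should fail loudly, e.g. `throw new UnsupportedOperationException("SampleKeyProvider.createKey is not implemented");`. In `getMetadata`, the statement `new KeyProvider.Metadata(null) ;` builds an object and discards it; it looks like leftover scaffolding and should be removed. A short class comment marking this as a placeholder that must not be configured as a key provider would also help, since the file sits under src/main and is presumably built into the KMS module's jar.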

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/084ff13e/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index b1467a9..072e7a9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -75,6 +75,7 @@
 
   <modules>
   <module>jisql</module>
+  <module>kms</module>
   <module>agents-audit</module>
   <module>agents-common</module>
   <module>agents-cred</module>
@@ -352,6 +353,7 @@
              <descriptor>src/main/assembly/usersync.xml</descriptor>
              <descriptor>src/main/assembly/ranger-src.xml</descriptor>
              <descriptor>src/main/assembly/migration-util.xml</descriptor>
+             <descriptor>src/main/assembly/kms.xml</descriptor>
            </descriptors>
          </configuration>
       </plugin>

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/084ff13e/src/main/assembly/kms.xml
----------------------------------------------------------------------
diff --git a/src/main/assembly/kms.xml b/src/main/assembly/kms.xml
new file mode 100644
index 0000000..6796464
--- /dev/null
+++ b/src/main/assembly/kms.xml
@@ -0,0 +1,111 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<assembly>
+  <id>kms</id> 
+  <formats>
+     <format>tar.gz</format>
+     <format>zip</format>
+  </formats>
+  <baseDirectory>${project.name}-${project.version}-kms</baseDirectory>
+  <includeBaseDirectory>true</includeBaseDirectory>
+  <moduleSets>
+
+    <moduleSet>
+     <binaries>
+        <includeDependencies>false</includeDependencies>
+        <unpack>false</unpack>
+        <outputDirectory>/ews/webapp/lib</outputDirectory>
+        <dependencySets>
+            <dependencySet>
+                <outputDirectory>/ews/webapp/root</outputDirectory>
+                <unpack>false</unpack>
+                <includes>
+                    <include>org.apache.hadoop:hadoop-kms:war:2.6.0</include>
+                </includes>
+            </dependencySet>
+            <dependencySet>
+                <outputDirectory>/ews/webapp/lib</outputDirectory>
+                <unpack>false</unpack>
+                <includes>
+                    
<include>org.apache.hadoop:hadoop-common:jar:${hadoop-common.version}</include>
+                </includes>
+            </dependencySet>
+        </dependencySets>
+     </binaries>
+     <includes>
+               <include>org.apache.ranger:ranger-kms</include>
+     </includes>
+    </moduleSet>
+
+    <moduleSet>
+     <binaries>
+        <includeDependencies>false</includeDependencies>
+        <outputDirectory>/ews/lib</outputDirectory>
+        <unpack>false</unpack>
+        <directoryMode>755</directoryMode>
+        <fileMode>644</fileMode>
+        <dependencySets>
+            <dependencySet>
+                <outputDirectory>/ews/lib</outputDirectory>
+                <includes>
+                    <include>org.apache.tomcat.embed:tomcat-embed*</include>
+                    
<include>org.eclipse.jdt.core.compiler:ecj:jar:P20140317-1600</include>
+                </includes>
+                <unpack>false</unpack>
+            </dependencySet>
+        </dependencySets>
+     </binaries>
+     <includes>
+           <include>org.apache.ranger:embeddedwebserver</include>
+     </includes>
+    </moduleSet>
+
+  </moduleSets>
+
+  <fileSets>
+
+       <fileSet>
+               <outputDirectory>/ews/webapp/config</outputDirectory>
+               <directoryMode>0500</directoryMode>
+               <directory>kms/config/kms-webapp</directory>
+               <fileMode>0400</fileMode>
+       </fileSet>
+       
+       <fileSet>
+               <outputDirectory>/ews/conf</outputDirectory>
+               <directoryMode>0500</directoryMode>
+               <directory>kms/config/webserver</directory>
+               <fileMode>0400</fileMode>
+       </fileSet>
+
+       <fileSet>
+               <outputDirectory>/scripts</outputDirectory>
+               <directoryMode>0500</directoryMode>
+               <directory>kms/scripts</directory>
+               <includes>
+                       <include>ranger-*</include>
+               </includes>
+               <fileMode>0544</fileMode>
+       </fileSet>
+
+
+  </fileSets>
+
+
+
+</assembly>
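Review bot: The first dependencySet pins the KMS web application to `org.apache.hadoop:hadoop-kms:war:2.6.0`, while the hadoop-common jar packaged alongside it is selected by `${hadoop-common.version}`. If that property changes, the packaged war and the library would come from different Hadoop releases without any build error. If the two are meant to track the same release, `<include>org.apache.hadoop:hadoop-kms:war:${hadoop-common.version}</include>` keeps them together; otherwise a comment explaining the fixed version would do. The `tomcat-embed*` include is a wildcard with no version, so what lands in /ews/lib depends on whatever the embeddedwebserver module resolves.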
