RANGER-501 : Add solr audit connectivity properties to Ranger Admin

Signed-off-by: sneethiraj <[email protected]>


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/0421271e
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/0421271e
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/0421271e

Branch: refs/heads/ranger-0.5
Commit: 0421271e2b891a7fe0ade809e0e41f720fafe62a
Parents: 6de1bbc
Author: Gautam Borad <[email protected]>
Authored: Thu May 21 20:26:05 2015 +0530
Committer: sneethiraj <[email protected]>
Committed: Fri May 22 09:31:48 2015 -0400

----------------------------------------------------------------------
 security-admin/scripts/db_setup.py              | 17 ++++--
 security-admin/scripts/dba_script.py            | 13 +++-
 security-admin/scripts/install.properties       |  5 +-
 .../scripts/ranger-admin-site-template.xml      |  2 +-
 security-admin/scripts/setup.sh                 | 63 +++++++++++++++++---
 security-admin/scripts/upgrade_admin.py         |  2 +-
 .../apache/ranger/common/PropertiesUtil.java    | 19 ++++++
 .../conf.dist/ranger-admin-default-site.xml     |  6 +-
 .../resources/conf.dist/ranger-admin-site.xml   | 18 +++++-
 9 files changed, 125 insertions(+), 20 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0421271e/security-admin/scripts/db_setup.py
----------------------------------------------------------------------
diff --git a/security-admin/scripts/db_setup.py 
b/security-admin/scripts/db_setup.py
index 6590eb2..e50421c 100644
--- a/security-admin/scripts/db_setup.py
+++ b/security-admin/scripts/db_setup.py
@@ -1263,6 +1263,14 @@ def main(argv):
        log("[I] --------- Verifying Ranger DB connection ---------","info")
        xa_sqlObj.check_connection(db_name, db_user, db_password)
 
+       if 'audit_store' in globalDict:
+               audit_store = globalDict['audit_store']
+       else:
+               audit_store = None
+
+       if audit_store is None or audit_store == "":
+               audit_store = "db"
+       audit_store=audit_store.lower()
        if len(argv)==1:
 
                log("[I] --------- Verifying Ranger DB tables ---------","info")
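Review bot: `audit_store` is never checked against the supported values, so any value other than `db` after lowercasing (a misspelling, or `db` with trailing whitespace) silently skips the audit DB creation and patches gated by `if audit_store == "db":` in the next hunk. setup.sh's `init_variables`, by contrast, treats everything except `solr` as the DB case, so the two scripts can disagree on the same install.properties. The same block is repeated in dba_script.py's `main`, where it gates `create_auditdb_user`. I would normalise once with `audit_store = (globalDict.get('audit_store') or 'db').strip().lower()` and reject anything unexpected, e.g. `if audit_store not in ('db', 'solr'): log("[E] Unsupported audit_store: " + audit_store, "error"); sys.exit(1)`. `main` starts and ends outside this hunk, and `sys` being imported in db_setup.py is assumed from its use in dba_script.py.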
@@ -1278,10 +1286,11 @@ def main(argv):
                        xa_sqlObj.upgrade_db(db_name, db_user, db_password, 
xa_db_version_file)
                log("[I] --------- Applying Ranger DB patches ---------","info")
                xa_sqlObj.apply_patches(db_name, db_user, db_password, 
xa_patch_file)
-               log("[I] --------- Starting Audit Operation ---------","info")
-               audit_sqlObj.auditdb_operation(xa_db_host, audit_db_host, 
db_name, audit_db_name, db_user, audit_db_user, db_password, audit_db_password, 
audit_db_file, xa_access_audit)
-               log("[I] --------- Applying Audit DB patches ---------","info")
-               audit_sqlObj.apply_auditdb_patches(xa_sqlObj,xa_db_host, 
audit_db_host, db_name, audit_db_name, db_user, audit_db_user, db_password, 
audit_db_password, audit_patch_file, xa_access_audit)
+               if audit_store == "db":
+                       log("[I] --------- Starting Audit Operation 
---------","info")
+                       audit_sqlObj.auditdb_operation(xa_db_host, 
audit_db_host, db_name, audit_db_name, db_user, audit_db_user, db_password, 
audit_db_password, audit_db_file, xa_access_audit)
+                       log("[I] --------- Applying Audit DB patches 
---------","info")
+                       
audit_sqlObj.apply_auditdb_patches(xa_sqlObj,xa_db_host, audit_db_host, 
db_name, audit_db_name, db_user, audit_db_user, db_password, audit_db_password, 
audit_patch_file, xa_access_audit)
 #      '''
        if len(argv)>1:
                for i in range(len(argv)):

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0421271e/security-admin/scripts/dba_script.py
----------------------------------------------------------------------
diff --git a/security-admin/scripts/dba_script.py 
b/security-admin/scripts/dba_script.py
index 9dfba94..c37edbc 100644
--- a/security-admin/scripts/dba_script.py
+++ b/security-admin/scripts/dba_script.py
@@ -1373,6 +1373,14 @@ def main(argv):
                log("[E] ---------- NO SUCH SUPPORTED DB FLAVOUR.. ----------", 
"error")
                sys.exit(1)
 
+       if 'audit_store' in globalDict:
+               audit_store = globalDict['audit_store']
+       else:
+               audit_store = None
+
+       if audit_store is None or audit_store == "":
+               audit_store = "db"
+       audit_store=audit_store.lower()
        # Methods Begin
        if DBA_MODE == "TRUE" :
                if (dryMode==True):
@@ -1392,7 +1400,8 @@ def main(argv):
                        log("[I] ---------- Granting permission to Ranger Admin 
db user ----------","info")
                        xa_sqlObj.grant_xa_db_user(xa_db_root_user, db_name, 
db_user, db_password, xa_db_root_password, is_revoke,dryMode)
                        # Ranger Admin DB Host AND Ranger Audit DB Host are 
Different OR Same
-                       log("[I] ---------- Verifying/Creating audit user 
--------- ","info")
-                       audit_sqlObj.create_auditdb_user(xa_db_host, 
audit_db_host, db_name, audit_db_name, xa_db_root_user, audit_db_root_user, 
db_user, audit_db_user, xa_db_root_password, audit_db_root_password, 
db_password, audit_db_password, DBA_MODE,dryMode)
+                       if audit_store == "db":
+                               log("[I] ---------- Verifying/Creating audit 
user --------- ","info")
+                               audit_sqlObj.create_auditdb_user(xa_db_host, 
audit_db_host, db_name, audit_db_name, xa_db_root_user, audit_db_root_user, 
db_user, audit_db_user, xa_db_root_password, audit_db_root_password, 
db_password, audit_db_password, DBA_MODE,dryMode)
                        log("[I] ---------- Ranger Policy Manager DB and User 
Creation Process Completed..  ---------- ","info")
 main(sys.argv)

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0421271e/security-admin/scripts/install.properties
----------------------------------------------------------------------
diff --git a/security-admin/scripts/install.properties 
b/security-admin/scripts/install.properties
index 7490dd6..820d9c7 100644
--- a/security-admin/scripts/install.properties
+++ b/security-admin/scripts/install.properties
@@ -66,7 +66,10 @@ db_password=
 audit_store=db
 
 # * audit_solr_url URL to Solr. E.g. http://<solr_host>:6083/solr/ranger_audits
-audit_solr_url=
+audit_solr_urls=
+audit_solr_user=
+audit_solr_password=
+audit_solr_zookeepers=
 
 
 #
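Review bot: The comment above the renamed key still documents `audit_solr_url`, and the three new keys have no description at all. I would update the existing line to `# * audit_solr_urls URL(s) to Solr. E.g. http://<solr_host>:6083/solr/ranger_audits` and add one comment line each for `audit_solr_user`, `audit_solr_password` and `audit_solr_zookeepers`. The line for `audit_solr_password` should say that the value sits in this file in clear text until setup.sh has moved it into the credential store, so the file's permissions matter. Whether several URLs are comma-separated is not visible in this commit and should be stated by the author.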

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0421271e/security-admin/scripts/ranger-admin-site-template.xml
----------------------------------------------------------------------
diff --git a/security-admin/scripts/ranger-admin-site-template.xml 
b/security-admin/scripts/ranger-admin-site-template.xml
index 2c0462d..001248f 100644
--- a/security-admin/scripts/ranger-admin-site-template.xml
+++ b/security-admin/scripts/ranger-admin-site-template.xml
@@ -157,7 +157,7 @@
                <value></value>
        </property>
        <property>
-               <name>ranger.solr.url</name>
+               <name>ranger.audit.solr.urls</name>
                <value></value>
        </property>
        <property>

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0421271e/security-admin/scripts/setup.sh
----------------------------------------------------------------------
diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh
index 4b5e6b9..12224c4 100755
--- a/security-admin/scripts/setup.sh
+++ b/security-admin/scripts/setup.sh
@@ -157,10 +157,13 @@ init_variables(){
        getPropertyFromFile 'db_password' $PROPFILE db_password
        if [ "${audit_store}" == "solr" ]
        then
-           getPropertyFromFile 'audit_solr_url' $PROPFILE audit_solr_url
+               getPropertyFromFile 'audit_solr_urls' $PROPFILE audit_solr_urls
+               getPropertyFromFile 'audit_solr_user' $PROPFILE audit_solr_user
+               getPropertyFromFile 'audit_solr_password' $PROPFILE 
audit_solr_password
+               getPropertyFromFile 'audit_solr_zookeepers' $PROPFILE 
audit_solr_zookeepers
        else
-           getPropertyFromFile 'audit_db_user' $PROPFILE audit_db_user
-           getPropertyFromFile 'audit_db_password' $PROPFILE audit_db_password
+               getPropertyFromFile 'audit_db_user' $PROPFILE audit_db_user
+               getPropertyFromFile 'audit_db_password' $PROPFILE 
audit_db_password
        fi
 }
 
@@ -872,11 +875,11 @@ update_properties() {
        fi
 
        if [ "${audit_store}" == "solr" ]
-        then
-                       propertyName=ranger.solr.url
-                newPropertyValue=${audit_solr_url}
-                       updatePropertyToFilePy $propertyName $newPropertyValue 
$to_file_ranger
-        fi
+       then
+               propertyName=ranger.audit.solr.urls
+               newPropertyValue=${audit_solr_urls}
+               updatePropertyToFilePy $propertyName $newPropertyValue 
$to_file_ranger
+       fi
 
        propertyName=ranger.audit.source.type
         newPropertyValue=${audit_store}
@@ -983,6 +986,50 @@ update_properties() {
                        updatePropertyToFilePy $propertyName $newPropertyValue 
$to_file_ranger
            fi
        fi
+       if [ "${audit_store}" == "solr" ]
+       then
+               if [ "${audit_solr_zookeepers}" != "" ]
+               then
+                       propertyName=ranger.audit.solr.zookeepers
+                       newPropertyValue=${audit_solr_zookeepers}
+                       updatePropertyToFilePy $propertyName $newPropertyValue 
$to_file_ranger
+               fi
+               if [ "${audit_solr_user}" != "" ] && [ "${audit_solr_password}" 
!= "" ]
+               then
+                       propertyName=ranger.solr.audit.user
+                       newPropertyValue=${audit_solr_user}
+                       updatePropertyToFilePy $propertyName $newPropertyValue 
$to_file_ranger
+
+                       if [ "${keystore}" != "" ]
+                       then
+                               echo "Starting configuration for solr 
credentials:"
+                               mkdir -p `dirname "${keystore}"`
+                               audit_solr_password_alias=ranger.solr.password
+
+                               $JAVA_HOME/bin/java -cp "cred/lib/*" 
org.apache.ranger.credentialapi.buildks create "$audit_solr_password_alias" 
-value "$audit_solr_password" -provider jceks://file$keystore
+
+                               propertyName=ranger.solr.audit.credential.alias
+                               newPropertyValue="${audit_solr_password_alias}"
+                               updatePropertyToFilePy $propertyName 
$newPropertyValue $to_file_default
+
+                               propertyName=ranger.solr.audit.user.password
+                               newPropertyValue="_"
+                               updatePropertyToFilePy $propertyName 
$newPropertyValue $to_file_ranger
+                       else
+                               propertyName=ranger.solr.audit.user.password
+                               newPropertyValue="${audit_solr_password}"
+                               updatePropertyToFilePy $propertyName 
$newPropertyValue $to_file_ranger
+                       fi
+
+                       if test -f $keystore; then
+                               chown -R ${unix_user}:${unix_group} ${keystore}
+                       else
+                               propertyName=ranger.solr.audit.user.password
+                               newPropertyValue="${audit_solr_password}"
+                               updatePropertyToFilePy $propertyName 
$newPropertyValue $to_file_ranger
+                       fi
+               fi
+       fi
 }
 
 create_audit_db_user(){
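Review bot: The trailing `if test -f $keystore` block misbehaves in both cases: with `keystore` empty it expands to `test -f`, which is true, so `chown -R` runs with no path, and with `keystore` set but the file missing (for example because the buildks call failed) its else branch overwrites the `_` placeholder with the cleartext password in `$to_file_ranger`. The exit status of the java call is never checked, and `$newPropertyValue` is passed unquoted, so a password containing whitespace or glob characters is split or expanded before it is written. I would fold the file check into the keystore branch, stop on failure instead of falling back to cleartext, and quote the expansions, as below; this assumes aborting is acceptable at this point of the installer and that `updatePropertyToFilePy` takes three positional arguments. Separately, `-value "$audit_solr_password"` puts the password on the java command line, where it is readable from the process list while the command runs; whether buildks can take it another way is not visible here. `update_properties` begins outside the hunk.

```shell
			if [ -n "${keystore}" ]
			then
				# … unchanged: echo, mkdir -p, audit_solr_password_alias assignment …
				if ! "$JAVA_HOME/bin/java" -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$audit_solr_password_alias" -value "$audit_solr_password" -provider "jceks://file${keystore}" || [ ! -f "${keystore}" ]
				then
					echo "ERROR: unable to store the Solr audit password in ${keystore}"
					exit 1
				fi
				chown -R "${unix_user}:${unix_group}" "${keystore}"
				# … unchanged: credential alias and "_" placeholder updates …
			else
				propertyName=ranger.solr.audit.user.password
				updatePropertyToFilePy "$propertyName" "${audit_solr_password}" "$to_file_ranger"
			fi
```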

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0421271e/security-admin/scripts/upgrade_admin.py
----------------------------------------------------------------------
diff --git a/security-admin/scripts/upgrade_admin.py 
b/security-admin/scripts/upgrade_admin.py
index 823edc1..5c79192 100755
--- a/security-admin/scripts/upgrade_admin.py
+++ b/security-admin/scripts/upgrade_admin.py
@@ -107,7 +107,7 @@ config2xmlMAP = {
        'xa.logs.base.dir':'ranger.logs.base.dir',
        'xa.scheduler.enabled':'ranger.scheduler.enabled',
        'xa.audit.store':'ranger.audit.source.type',
-       'audit_solr_url':'ranger.solr.url',
+       'audit_solr_urls':'ranger.audit.solr.urls',
        'auditDB.jdbc.dialect':'ranger.jpa.audit.jdbc.dialect',
        'auditDB.jdbc.driver':'ranger.jpa.audit.jdbc.driver',
        'auditDB.jdbc.url':'ranger.jpa.audit.jdbc.url',

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0421271e/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
----------------------------------------------------------------------
diff --git 
a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java 
b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
index 5549578..a0bfff4 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
@@ -133,6 +133,25 @@ public class PropertiesUtil extends 
PropertyPlaceholderConfigurer {
                        }
                }
        }
+       if(propertiesMap!=null && 
propertiesMap.containsKey("ranger.audit.source.type")){
+               String auditStore=propertiesMap.get("ranger.audit.source.type");
+               if(auditStore!=null && (auditStore.equalsIgnoreCase("solr"))){
+                       if(propertiesMap!=null && 
propertiesMap.containsKey("ranger.credential.provider.path") && 
propertiesMap.containsKey("ranger.solr.audit.credential.alias")){
+                               String 
path=propertiesMap.get("ranger.credential.provider.path");
+                               String 
alias=propertiesMap.get("ranger.solr.audit.credential.alias");
+                               if(path!=null && alias!=null){
+                                       String 
solrAuditPassword=CredentialReader.getDecryptedString(path.trim(), 
alias.trim());
+                                       if(solrAuditPassword!=null&& 
!solrAuditPassword.trim().isEmpty() &&
+                                                       
!solrAuditPassword.trim().equalsIgnoreCase("none")){
+                                               
propertiesMap.put("ranger.solr.audit.user.password", solrAuditPassword);
+                                               
props.put("ranger.solr.audit.user.password", solrAuditPassword);
+                                       }else{
+                                               logger.info("Credential 
keystore password not applied for Solr ; clear text password shall be 
applicable");
+                                       }
+                               }
+                       }
+               }
+       }
        super.processProperties(beanFactory, props);
     }
 
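Review bot: When the alias and provider path are configured but `CredentialReader.getDecryptedString` returns null, an empty string or `none`, the else branch only logs at info level and leaves `ranger.solr.audit.user.password` as it was, which after setup.sh's keystore path is the `_` placeholder rather than a usable password. A broken or unreadable credential store then presumably shows up only as failed Solr authentication later on. I would log it as a warning that names the alias and provider path, never the value, e.g. `logger.warn("Could not read Solr audit password for alias " + alias + " from " + path + "; using ranger.solr.audit.user.password as configured");`, assuming this logger exposes `warn`. The inner `propertiesMap!=null` test repeats the outer one and can go, and the value stored is untrimmed although the checks trim it. The enclosing method starts outside the hunk.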

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0421271e/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
----------------------------------------------------------------------
diff --git 
a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 
b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
index 0783f69..75d2490 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
@@ -431,5 +431,9 @@
                <value>100</value>
                <description></description>
        </property>
-
+       <property>
+               <name>ranger.solr.audit.credential.alias</name>
+               <value>ranger.solr.password</value>
+               <description></description>
+       </property>
 </configuration>

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0421271e/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml 
b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
index d0a4fe4..2660e19 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
@@ -46,7 +46,7 @@
                <description></description>
        </property>
        <property>
-               <name>ranger.solr.url</name>
+               <name>ranger.audit.solr.urls</name>
                <value>http://##solr_host##:6083/solr/ranger_audits</value>
                <description></description>
        </property>
@@ -202,5 +202,19 @@
                <name>ranger.service.https.attrib.keystore.file</name>
                <value>/etc/ranger/admin/keys/server.jks</value>
        </property>
-
+       <property>
+               <name>ranger.solr.audit.user</name>
+               <value></value>
+               <description></description>
+       </property>
+       <property>
+               <name>ranger.solr.audit.user.password</name>
+               <value></value>
+               <description></description>
+       </property>
+       <property>
+               <name>ranger.audit.solr.zookeepers</name>
+               <value></value>
+               <description></description>
+       </property>
 </configuration>
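Review bot: The three new properties have empty `<description>` elements, and the names introduced by this commit do not share one prefix: `ranger.audit.solr.urls` and `ranger.audit.solr.zookeepers` against `ranger.solr.audit.user` and `ranger.solr.audit.user.password`. For the password I would at least write `<description>Password for ranger.solr.audit.user; setup.sh writes "_" here when the password is kept in the credential store under ranger.solr.audit.credential.alias</description>`, so a reader does not mistake the placeholder for a real value or put a cleartext password here unnecessarily. Aligning the names would also mean changing setup.sh and PropertiesUtil.java in this commit, so it is cheaper to do before release than after.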
