Repository: incubator-ranger Updated Branches: refs/heads/master be7465968 -> d21e6bb47
RANGER-991: Ranger should support authorization for Apache Atlas Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/72d61a87 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/72d61a87 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/72d61a87 Branch: refs/heads/master Commit: 72d61a87ed746d0e67cfdc3324faf7f5c5f7be45 Parents: be74659 Author: Gautam Borad <[email protected]> Authored: Tue May 24 12:14:33 2016 +0530 Committer: Gautam Borad <[email protected]> Committed: Tue May 24 12:14:33 2016 +0530 ---------------------------------------------------------------------- agents-common/scripts/enable-agent.sh | 33 +++ .../plugin/store/EmbeddedServiceDefsUtil.java | 10 +- .../ranger/services/tag/RangerServiceTag.java | 119 ----------- .../service-defs/ranger-servicedef-atlas.json | 207 +++++++++++++++++++ plugin-atlas/.gitignore | 3 + .../conf/ranger-atlas-audit-changes.cfg | 30 +++ plugin-atlas/conf/ranger-atlas-audit.xml | 122 +++++++++++ .../conf/ranger-atlas-security-changes.cfg | 29 +++ plugin-atlas/conf/ranger-atlas-security.xml | 83 ++++++++ .../conf/ranger-policymgr-ssl-changes.cfg | 23 +++ plugin-atlas/conf/ranger-policymgr-ssl.xml | 63 ++++++ plugin-atlas/pom.xml | 66 ++++++ plugin-atlas/scripts/install.properties | 110 ++++++++++ .../atlas/authorizer/RangerAtlasAuthorizer.java | 143 +++++++++++++ .../atlas/authorizer/RangerAtlasResource.java | 60 ++++++ .../services/atlas/RangerServiceAtlas.java | 62 ++++++ plugin-atlas/src/test/resource/log4j.properties | 34 +++ plugin-atlas/template/configuration.xml | 20 ++ pom.xml | 5 + ranger-atlas-plugin-shim/.gitignore | 2 + ranger-atlas-plugin-shim/pom.xml | 84 ++++++++ .../atlas/authorizer/RangerAtlasAuthorizer.java | 142 +++++++++++++ src/main/assembly/atlas-agent.xml | 170 +++++++++++++++ 23 files changed, 1500 insertions(+), 120 deletions(-) 
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/agents-common/scripts/enable-agent.sh
----------------------------------------------------------------------
diff --git a/agents-common/scripts/enable-agent.sh b/agents-common/scripts/enable-agent.sh
index 1fa1845..39c4633 100755
--- a/agents-common/scripts/enable-agent.sh
+++ b/agents-common/scripts/enable-agent.sh
@@ -184,6 +184,8 @@ elif [ "${HCOMPONENT_NAME}" = "kafka" ]; then
 HCOMPONENT_LIB_DIR=${HCOMPONENT_INSTALL_DIR}/libs
 elif [ "${HCOMPONENT_NAME}" = "storm" ]; then
 HCOMPONENT_LIB_DIR=${HCOMPONENT_INSTALL_DIR}/extlib-daemon
+elif [ "${HCOMPONENT_NAME}" = "atlas" ]; then
+ HCOMPONENT_LIB_DIR=${HCOMPONENT_INSTALL_DIR}/server/webapp/atlas/WEB-INF/lib
 fi
 HCOMPONENT_CONF_DIR=${HCOMPONENT_INSTALL_DIR}/conf
@@ -713,6 +715,37 @@ then
 fi
 fi
+#Update Properties to File
+#$1 -> propertyName $2 -> newPropertyValue $3 -> fileName
+updatePropertyToFile(){
+ sed -i 's@^'$1'=[^ ]*$@'$1'='$2'@g' $3
+ validate=$(sed '/^\#/d' $3 | grep "^$1" | tail -n 1 | cut -d "=" -f2-) # for validation
+ if test -z "$validate" ; then log "[E] '$1' not found in $3 file while Updating....!!"; exit 1; fi
+ echo "Property $1 updated successfully with : '$2'"
+}
+
+if [ "${HCOMPONENT_NAME}" = "atlas" ]
+then
+ if [ "${action}" = "enable" ]
+ then
+ authName="org.apache.ranger.authorization.atlas.authorizer.RangerAtlasAuthorizer"
+ else
+ authName="org.apache.atlas.authorize.SimpleAtlasAuthorizer"
+ fi
+
+ dt=`date '+%Y%m%d%H%M%S'`
+ fn=`ls ${HCOMPONENT_CONF_DIR}/atlas-application.properties 2> /dev/null`
+ if [ -f "${fn}" ]
+ then
+ dn=`dirname ${fn}`
+ bn=`basename ${fn}`
+ bf=${dn}/.${bn}.${dt}
+ echo "backup of ${fn} to ${bf} ..."
+ cp ${fn} ${bf}
+ echo "Updating properties file: [${fn}] ... "
+ updatePropertyToFile atlas.authorizer.impl $authName ${fn}
+ fi
+fi
 #
 # Set notice to restart the ${HCOMPONENT_NAME}
 #
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
index bf29ee6..2002295 100755
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
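Review bot: `updatePropertyToFile` in enable-agent.sh reports success whenever the key is present, not when its value was actually changed: the `sed` pattern `=[^ ]*$` skips a line whose current value contains a space, and the `validate` check only tests that some value exists. For `atlas.authorizer.impl` this means enable or disable can print "updated successfully" while Atlas keeps its previous authorizer. Compare the value read back with the requested one, e.g. `if [ "$validate" != "$2" ]; then log "[E] '$1' was not set to '$2' in $3"; exit 1; fi`, and anchor the lookup with `grep "^$1="` so a longer key sharing the prefix is not matched. The arguments are also unquoted throughout (`$1`, `$2`, `$3`, and `${fn}`/`${bf}` in the caller), so a configuration path containing whitespace would be word-split; quoting them is a safe change.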
@@ -47,7 +47,7 @@ public class EmbeddedServiceDefsUtil {
 // following servicedef list should be reviewed/updated whenever a new embedded service-def is added
- private static final String DEFAULT_BOOTSTRAP_SERVICEDEF_LIST = "tag,hdfs,hbase,hive,kms,knox,storm,yarn,kafka,solr";
+ private static final String DEFAULT_BOOTSTRAP_SERVICEDEF_LIST = "tag,hdfs,hbase,hive,kms,knox,storm,yarn,kafka,solr,atlas";
 private static final String PROPERTY_SUPPORTED_SERVICE_DEFS = "ranger.supportedcomponents";
 private Set<String> supportedServiceDefs;
 public static final String EMBEDDED_SERVICEDEF_TAG_NAME = "tag";
@@ -61,6 +61,7 @@ public class EmbeddedServiceDefsUtil {
 public static final String EMBEDDED_SERVICEDEF_KAFKA_NAME = "kafka";
 public static final String EMBEDDED_SERVICEDEF_SOLR_NAME = "solr";
 public static final String EMBEDDED_SERVICEDEF_NIFI_NAME = "nifi";
+ public static final String EMBEDDED_SERVICEDEF_ATLAS_NAME = "atlas";
 public static final String PROPERTY_CREATE_EMBEDDED_SERVICE_DEFS = "ranger.service.store.create.embedded.service-defs";
@@ -74,6 +75,7 @@ public class EmbeddedServiceDefsUtil {
 public static final String KAFKA_IMPL_CLASS_NAME = "org.apache.ranger.services.kafka.RangerServiceKafka";
 public static final String SOLR_IMPL_CLASS_NAME = "org.apache.ranger.services.solr.RangerServiceSolr";
 public static final String NIFI_IMPL_CLASS_NAME = "org.apache.ranger.services.nifi.RangerServiceNiFi";
+ public static final String ATLAS_IMPL_CLASS_NAME = "org.apache.ranger.services.atlas.RangerServiceAtlas";
 private static EmbeddedServiceDefsUtil instance = new EmbeddedServiceDefsUtil();
@@ -88,6 +90,7 @@ public class EmbeddedServiceDefsUtil {
 private RangerServiceDef kafkaServiceDef = null;
 private RangerServiceDef solrServiceDef = null;
 private RangerServiceDef nifiServiceDef = null;
+ private RangerServiceDef atlasServiceDef = null;
 private RangerServiceDef tagServiceDef = null;
@@ -125,6 +128,7 @@ public class EmbeddedServiceDefsUtil {
 kafkaServiceDef = getOrCreateServiceDef(store, EMBEDDED_SERVICEDEF_KAFKA_NAME);
 solrServiceDef = getOrCreateServiceDef(store, EMBEDDED_SERVICEDEF_SOLR_NAME);
 nifiServiceDef = getOrCreateServiceDef(store, EMBEDDED_SERVICEDEF_NIFI_NAME);
+ atlasServiceDef = getOrCreateServiceDef(store, EMBEDDED_SERVICEDEF_ATLAS_NAME);
 tagServiceDef = getOrCreateServiceDef(store, EMBEDDED_SERVICEDEF_TAG_NAME);
@@ -177,6 +181,10 @@ public class EmbeddedServiceDefsUtil {
 return getId(nifiServiceDef);
 }
+ public long getAtlasServiceDefId() {
+ return getId(atlasServiceDef);
+ }
+
 public long getTagServiceDefId() { return getId(tagServiceDef); }
 private long getId(RangerServiceDef serviceDef) {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/agents-common/src/main/java/org/apache/ranger/services/tag/RangerServiceTag.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/services/tag/RangerServiceTag.java b/agents-common/src/main/java/org/apache/ranger/services/tag/RangerServiceTag.java
deleted file mode 100644
index f36a9a6..0000000
--- a/agents-common/src/main/java/org/apache/ranger/services/tag/RangerServiceTag.java
+++ /dev/null
@@ -1,119 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.ranger.services.tag;
-
-import java.util.*;
-
-import org.apache.commons.collections.CollectionUtils;
-import org.apache.commons.collections.MapUtils;
-import org.apache.commons.io.FilenameUtils;
-import org.apache.commons.lang.StringUtils;
-import org.apache.ranger.plugin.model.RangerService;
-import org.apache.ranger.plugin.model.RangerServiceDef;
-import org.apache.ranger.plugin.service.RangerBaseService;
-import org.apache.ranger.plugin.service.ResourceLookupContext;
-import org.apache.ranger.plugin.store.TagStore;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
-public class RangerServiceTag extends RangerBaseService {
-
- private static final Log LOG = LogFactory.getLog(RangerServiceTag.class);
-
- public static final String TAG_RESOURCE_NAME = "tag";
-
- private TagStore tagStore = null;
-
-
- public RangerServiceTag() {
- super();
- }
-
- @Override
- public void init(RangerServiceDef serviceDef, RangerService service) {
- super.init(serviceDef, service);
- }
-
- public void setTagStore(TagStore tagStore) {
- this.tagStore = tagStore;
- }
-
- @Override
- public HashMap<String,Object> validateConfig() throws Exception {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerServiceTag.validateConfig(" + serviceName + " )");
- }
-
- HashMap<String, Object> ret = new HashMap<String, Object>();
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerServiceTag.validateConfig(" + serviceName + " ): " + ret);
- }
-
- return ret;
- }
-
- @Override
- public List<String> lookupResource(ResourceLookupContext context) throws Exception {
- if(LOG.isDebugEnabled()) {
- LOG.debug("==> RangerServiceTag.lookupResource(" + context + ")");
- }
-
- List<String> ret = new ArrayList<String>();
-
- if (context != null && StringUtils.equals(context.getResourceName(), TAG_RESOURCE_NAME)) {
- try {
- List<String> tags = tagStore != null ? tagStore.getTagTypes() : null;
-
- if(CollectionUtils.isNotEmpty(tags)) {
- List<String> valuesToExclude = MapUtils.isNotEmpty(context.getResources()) ? context.getResources().get(TAG_RESOURCE_NAME) : null;
-
- if(CollectionUtils.isNotEmpty(valuesToExclude)) {
- for (String valueToExclude : valuesToExclude) {
- tags.remove(valueToExclude);
- }
- }
-
- String valueToMatch = context.getUserInput();
-
- if(StringUtils.isNotEmpty(valueToMatch)) {
- if(! valueToMatch.endsWith("*")) {
- valueToMatch += "*";
- }
-
- for (String tag : tags) {
- if(FilenameUtils.wildcardMatch(tag, valueToMatch)) {
- ret.add(tag);
- }
- }
- }
- }
- } catch (Exception excp) {
- LOG.error("RangerServiceTag.lookupResource()", excp);
- }
- }
-
- if(LOG.isDebugEnabled()) {
- LOG.debug("<== RangerServiceTag.lookupResource(): tag count=" + ret.size());
- }
-
- return ret;
- }
-}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/agents-common/src/main/resources/service-defs/ranger-servicedef-atlas.json
----------------------------------------------------------------------
diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-atlas.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-atlas.json
new file mode 100644
index 0000000..4a550c6
--- /dev/null
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-atlas.json
@@ -0,0 +1,207 @@
+{
+ "id":11,
+ "name": "atlas",
+ "implClass": "org.apache.ranger.services.atlas.RangerServiceAtlas",
+ "label": "Atlas Metadata Server",
+ "description": "Atlas Metadata Server",
+ "resources":
+ [
+ {
+ "itemId": 1,
+ "name": "entity",
+ "type": "string",
+ "level": 10,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": { "wildCard":true, "ignoreCase":true },
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Entity",
+ "description": "Entity"
+ },
+
+ {
+ "itemId": 2,
+ "name": "type",
+ "type": "string",
+ "level": 10,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": { "wildCard":true, "ignoreCase":true },
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Type",
+ "description": "Type"
+ },
+
+ {
+ "itemId": 3,
+ "name": "operation",
+ "type": "string",
+ "level": 10,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": { "wildCard":true, "ignoreCase":true },
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Operations",
+ "description": "Admin Operations"
+ },
+
+ {
+ "itemId": 4,
+ "name": "taxonomy",
+ "type": "string",
+ "level": 10,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": { "wildCard":true, "ignoreCase":true },
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Taxonomy",
+ "description": "Taxonomy"
+ },
+
+ {
+ "itemId": 5,
+ "name": "term",
+ "type": "string",
+ "level": 10,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": { "wildCard":true, "ignoreCase":true },
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Term",
+ "description": "Term"
+ }
+
+
+ ],
+
+ "accessTypes":
+ [
+ {
+ "itemId": 1,
+ "name": "read",
+ "label": "read"
+ },
+
+ {
+ "itemId": 2,
+ "name": "create",
+ "label": "create"
+ },
+
+ {
+ "itemId": 3,
+ "name": "update",
+ "label": "update"
+ },
+
+ {
+ "itemId": 4,
+ "name": "delete",
+ "label": "delete"
+ },
+
+
+ {
+ "itemId": 5,
+ "name": "all",
+ "label": "All",
+ "impliedGrants":
+ [
+ "read",
+ "create",
+ "update",
+ "delete"
+ ]
+ }
+ ],
+
+ "configs":
+ [
+ {
+ "itemId": 1,
+ "name": "username",
+ "type": "string",
+ "mandatory": true,
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Username"
+ },
+
+ {
+ "itemId": 2,
+ "name": "password",
+ "type": "password",
+ "mandatory": true,
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Password"
+ },
+
+ {
+ "itemId": 3,
+ "name": "atlas.rest.address",
+ "type": "string",
+ "mandatory": true,
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "defaultValue": "http://localhost:21000"
+ },
+
+ {
+ "itemId": 4,
+ "name": "commonNameForCertificate",
+ "type": "string",
+ "mandatory": false,
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Common Name for Certificate"
+ }
+ ],
+
+ "enums":
+ [
+
+ ],
+
+ "contextEnrichers":
+ [
+ ],
+
+ "policyConditions":
+ [
+ ]
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/plugin-atlas/.gitignore
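Review bot: The `configs` entry for `atlas.rest.address` in ranger-servicedef-atlas.json defaults to `http://localhost:21000`, so the `username` and `password` defined beside it would presumably be sent to Atlas without TLS whenever the default is kept; it is also the only config item with no `label`. Consider dropping the plaintext default (or using an `https://` one) and adding a label such as `"label": "Atlas REST URL"`. Separately, all five resources use `"ignoreCase":true`; if Atlas entity, type or term names are case-sensitive, case-insensitive matching could make a policy cover more objects than its author intended, which is worth confirming before this ships.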
----------------------------------------------------------------------
diff --git a/plugin-atlas/.gitignore b/plugin-atlas/.gitignore
new file mode 100644
index 0000000..02f68bb
--- /dev/null
+++ b/plugin-atlas/.gitignore
@@ -0,0 +1,3 @@
+/target/
+/bin/
+.settings/
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/plugin-atlas/conf/ranger-atlas-audit-changes.cfg
----------------------------------------------------------------------
diff --git a/plugin-atlas/conf/ranger-atlas-audit-changes.cfg b/plugin-atlas/conf/ranger-atlas-audit-changes.cfg
new file mode 100644
index 0000000..07fc382
--- /dev/null
+++ b/plugin-atlas/conf/ranger-atlas-audit-changes.cfg
@@ -0,0 +1,30 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+#solr configuration
+xasecure.audit.destination.solr %XAAUDIT.SOLR.ENABLE% mod create-if-not-exists
+xasecure.audit.destination.solr.urls %XAAUDIT.SOLR.URL% mod create-if-not-exists
+xasecure.audit.destination.solr.user %XAAUDIT.SOLR.USER% mod create-if-not-exists
+xasecure.audit.destination.solr.password %XAAUDIT.SOLR.PASSWORD% mod create-if-not-exists
+xasecure.audit.destination.solr.zookeepers %XAAUDIT.SOLR.ZOOKEEPER% mod create-if-not-exists
+
+
+#hdfs configuration
+xasecure.audit.destination.hdfs %XAAUDIT.HDFS.ENABLE% mod create-if-not-exists
+xasecure.audit.destination.hdfs.dir %XAAUDIT.HDFS.HDFS_DIR% mod create-if-not-exists
+
+
+
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/plugin-atlas/conf/ranger-atlas-audit.xml
----------------------------------------------------------------------
diff --git a/plugin-atlas/conf/ranger-atlas-audit.xml b/plugin-atlas/conf/ranger-atlas-audit.xml
new file mode 100644
index 0000000..93ad238
--- /dev/null
+++ b/plugin-atlas/conf/ranger-atlas-audit.xml
@@ -0,0 +1,122 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
+ <property>
+ <name>xasecure.audit.is.enabled</name>
+ <value>true</value>
+ </property>
+
+ <!-- Solr audit provider configuration -->
+
+ <property>
+ <name>xasecure.audit.destination.solr</name>
+ <value>false</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.solr.urls</name>
+ <value>NONE</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.solr.zookeepers</name>
+ <value></value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.solr.collection</name>
+ <value>NONE</value>
+ </property>
+
+
+ <!-- HDFS audit provider configuration -->
+ <property>
+ <name>xasecure.audit.destination.hdfs</name>
+ <value>false</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.dir</name>
+ <value>hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.subdir</name>
+ <value>%app-type%/%time:yyyyMMdd%</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.filename.format</name>
+ <value>%app-type%_ranger_audit_%hostname%.log</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.file.rollover.sec</name>
+ <value>86400</value>
+ </property>
+
+ <!-- Audit to HDFS on Azure Datastore (WASB) requires v3 style settings. Comment the above and uncomment only the
+ following to audit to Azure Blob Datastore via hdfs' WASB schema.
+
+ NOTE: If you specify one audit destination in v3 style then other destinations, if any, must also be specified in v3 style
+ ====
+
+ <property>
+ <name>xasecure.audit.destination.hdfs</name>
+ <value>enabled</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.dir</name>
+ <value>wasb://[email protected]</value>
+ </property>
+
+ the following 3 correspond to the properties with similar name in core-site.xml, i.e.
+ - fs.azure.account.key.youraccount.blob.core.windows.net => xasecure.audit.destination.hdfs.config.fs.azure.account.key.youraccount.blob.core.windows.net and
+ - fs.azure.account.keyprovider.youraccount.blob.core.windows.net => xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.youraccount.blob.core.windows.net,
+ - fs.azure.shellkeyprovider.script => xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script,
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.account.key.youraccount.blob.core.windows.net</name>
+ <value>YOUR ENCRYPTED ACCESS KEY</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.youraccount.blob.core.windows.net</name>
+ <value>org.apache.hadoop.fs.azure.ShellDecryptionKeyProvider</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script</name>
+ <value>/usr/lib/python2.7/dist-packages/hdinsight_common/decrypt.sh</value>
+ </property>
+ -->
+
+ <!-- Log4j audit provider configuration -->
+ <property>
+ <name>xasecure.audit.destination.log4j</name>
+ <value>false</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.log4j.logger</name>
+ <value></value>
+ </property>
+
+</configuration>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/plugin-atlas/conf/ranger-atlas-security-changes.cfg
----------------------------------------------------------------------
diff --git a/plugin-atlas/conf/ranger-atlas-security-changes.cfg b/plugin-atlas/conf/ranger-atlas-security-changes.cfg
new file mode 100644
index 0000000..08790b9
--- /dev/null
+++ b/plugin-atlas/conf/ranger-atlas-security-changes.cfg
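Review bot: In ranger-atlas-audit.xml `xasecure.audit.is.enabled` is `true` while the `solr`, `hdfs` and `log4j` destinations all default to `false`, so unless the installer rewrites the file the Atlas authorizer's access decisions are presumably not recorded anywhere. A comment above the first destination, for example `<!-- enable at least one audit destination; with all of them false no audit events are stored -->`, would make that explicit for anyone deploying the file by hand. The file itself defines no `solr.user` or `solr.password` property even though ranger-atlas-audit-changes.cfg writes both, which deserves a one-line note as well.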
@@ -0,0 +1,29 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Change the original policy parameter to work with policy manager based.
+#
+#
+ranger.plugin.atlas.service.name %REPOSITORY_NAME% mod create-if-not-exists
+
+ranger.plugin.atlas.policy.source.impl org.apache.ranger.admin.client.RangerAdminRESTClient mod create-if-not-exists
+
+ranger.plugin.atlas.policy.rest.url %POLICY_MGR_URL% mod create-if-not-exists
+ranger.plugin.atlas.policy.rest.ssl.config.file /etc/atlas/conf/ranger-policymgr-ssl.xml mod create-if-not-exists
+ranger.plugin.atlas.policy.pollIntervalMs 30000 mod create-if-not-exists
+ranger.plugin.atlas.policy.cache.dir %POLICY_CACHE_FILE_PATH% mod create-if-not-exists
+ranger.plugin.atlas.policy.rest.client.connection.timeoutMs 120000 mod create-if-not-exists
+ranger.plugin.atlas.policy.rest.client.read.timeoutMs 30000 mod create-if-not-exists
+
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/plugin-atlas/conf/ranger-atlas-security.xml
----------------------------------------------------------------------
diff --git a/plugin-atlas/conf/ranger-atlas-security.xml b/plugin-atlas/conf/ranger-atlas-security.xml
new file mode 100644
index 0000000..933c8e7
--- /dev/null
+++ b/plugin-atlas/conf/ranger-atlas-security.xml 
@@ -0,0 +1,83 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
+ <property>
+ <name>ranger.plugin.atlas.service.name</name>
+ <value>atlasdev</value>
+ <description>
+ Name of the Ranger service containing policies for this YARN instance
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.atlas.policy.source.impl</name>
+ <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
+ <description>
+ Class to retrieve policies from the source
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.atlas.policy.rest.url</name>
+ <value>http://policymanagerhost:port</value>
+ <description>
+ URL to Ranger Admin
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.atlas.policy.rest.ssl.config.file</name>
+ <value>/etc/atlas/conf/ranger-policymgr-ssl.xml</value>
+ <description>
+ Path to the file containing SSL details to contact Ranger Admin
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.atlas.policy.pollIntervalMs</name>
+ <value>30000</value>
+ <description>
+ How often to poll for changes in policies?
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.atlas.policy.cache.dir</name>
+ <value>/etc/ranger/atlasdev/policycache</value>
+ <description>
+ Directory where Ranger policies are cached after successful retrieval from the source
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.atlas.policy.rest.client.connection.timeoutMs</name>
+ <value>120000</value>
+ <description>
+ RangerRestClient Connection Timeout in Milli Seconds
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.atlas.policy.rest.client.read.timeoutMs</name>
+ <value>30000</value>
+ <description>
+ RangerRestClient read Timeout in Milli Seconds
+ </description>
+ </property>
+</configuration>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/plugin-atlas/conf/ranger-policymgr-ssl-changes.cfg
----------------------------------------------------------------------
diff --git a/plugin-atlas/conf/ranger-policymgr-ssl-changes.cfg b/plugin-atlas/conf/ranger-policymgr-ssl-changes.cfg
new file mode 100644
index 0000000..6bf4265
--- /dev/null
+++ b/plugin-atlas/conf/ranger-policymgr-ssl-changes.cfg
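Review bot: The description of `ranger.plugin.atlas.service.name` in ranger-atlas-security.xml says "for this YARN instance", apparently carried over from another plugin's template; it should read `Name of the Ranger service containing policies for this Atlas instance`. The sample value of `ranger.plugin.atlas.policy.rest.url` is also plain `http://`, so policies would be fetched from Ranger Admin without TLS unless the installer overrides it. Extending that property's description to say that an `https://` URL together with `ranger.plugin.atlas.policy.rest.ssl.config.file` is expected outside test setups would help operators who edit the file directly.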
@@ -0,0 +1,23 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SSL Params
+#
+xasecure.policymgr.clientssl.keystore %SSL_KEYSTORE_FILE_PATH% mod create-if-not-exists
+xasecure.policymgr.clientssl.keystore.password %SSL_KEYSTORE_PASSWORD% mod create-if-not-exists
+xasecure.policymgr.clientssl.keystore.credential.file jceks://file%CREDENTIAL_PROVIDER_FILE% mod create-if-not-exists
+xasecure.policymgr.clientssl.truststore %SSL_TRUSTSTORE_FILE_PATH% mod create-if-not-exists
+xasecure.policymgr.clientssl.truststore.password %SSL_TRUSTSTORE_PASSWORD% mod create-if-not-exists
+xasecure.policymgr.clientssl.truststore.credential.file jceks://file%CREDENTIAL_PROVIDER_FILE% mod create-if-not-exists
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/plugin-atlas/conf/ranger-policymgr-ssl.xml
----------------------------------------------------------------------
diff --git a/plugin-atlas/conf/ranger-policymgr-ssl.xml b/plugin-atlas/conf/ranger-policymgr-ssl.xml
new file mode 100644
index 0000000..964aac7
--- /dev/null
+++ b/plugin-atlas/conf/ranger-policymgr-ssl.xml
@@ -0,0 +1,63 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
+ <!-- The following properties are used for 2-way SSL client server validation -->
+ <property>
+ <name>xasecure.policymgr.clientssl.keystore</name>
+ <value>hadoopdev-clientcert.jks</value>
+ <description>
+ Java Keystore files
+ </description>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.keystore.password</name>
+ <value>none</value>
+ <description>
+ password for keystore
+ </description>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.truststore</name>
+ <value>cacerts-xasecure.jks</value>
+ <description>
+ java truststore file
+ </description>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.truststore.password</name>
+ <value>none</value>
+ <description>
+ java truststore password
+ </description>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.keystore.credential.file</name>
+ <value>jceks://file/tmp/keystore-hadoopdev-ssl.jceks</value>
+ <description>
+ java keystore credential file
+ </description>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.truststore.credential.file</name>
+ <value>jceks://file/tmp/truststore-hadoopdev-ssl.jceks</value>
+ <description>
+ java truststore credential file
+ </description>
+ </property>
+</configuration>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/plugin-atlas/pom.xml
----------------------------------------------------------------------
diff --git a/plugin-atlas/pom.xml b/plugin-atlas/pom.xml
new file mode 100644
index 0000000..2c82c57
--- /dev/null
+++ b/plugin-atlas/pom.xml
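Review bot: Both credential-store defaults in ranger-policymgr-ssl.xml point into `/tmp` (`jceks://file/tmp/keystore-hadoopdev-ssl.jceks` and `jceks://file/tmp/truststore-hadoopdev-ssl.jceks`). `/tmp` is normally world-writable, so on a host where the installer does not override these values another local account could create or replace the file from which the plugin reads its keystore and truststore passwords. A default under the component's configuration directory, which this commit already uses for the SSL config file (`/etc/atlas/conf`), would be safer, e.g. `jceks://file/etc/atlas/conf/<credential-store>.jceks`, with the file readable only by the Atlas service user.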
@@ -0,0 +1,66 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <artifactId>ranger-atlas-plugin</artifactId>
+ <name>Atlas Security Plugin</name>
+ <description>Atlas Security Plugins</description>
+ <packaging>jar</packaging>
+ <properties>
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ </properties>
+ <parent>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger</artifactId>
+ <version>0.6.0-SNAPSHOT</version>
+ <relativePath>..</relativePath>
+ </parent>
+ <dependencies>
+ <dependency>
+ <groupId>commons-lang</groupId>
+ <artifactId>commons-lang</artifactId>
+ <version>${commons.lang.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>com.google.code.gson</groupId>
+ <artifactId>gson</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger-plugins-common</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger-plugins-audit</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.atlas</groupId>
+ <artifactId>atlas-authorization</artifactId>
+ <version>${atlas.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.atlas</groupId>
+ <artifactId>atlas-common</artifactId>
+ <version>${atlas.version}</version>
+ </dependency>
+ </dependencies>
+</project>
+
+
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/plugin-atlas/scripts/install.properties
----------------------------------------------------------------------
diff --git a/plugin-atlas/scripts/install.properties b/plugin-atlas/scripts/install.properties
new file mode 100644
index 0000000..b339d26
--- /dev/null
+++ b/plugin-atlas/scripts/install.properties
@@ -0,0 +1,110 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#
+# Location of Policy Manager URL
+#
+# Example:
+# POLICY_MGR_URL=http://policymanager.xasecure.net:6080
+#
+POLICY_MGR_URL=
+
+#
+# Location of db client library (please check the location of the jar file)
+#
+# Example:
+# SQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar
+# SQL_CONNECTOR_JAR=/usr/share/java/ojdbc6.jar
+#
+SQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar
+
+#
+# This is the repository name created within policy manager
+#
+# Example:
+# REPOSITORY_NAME=atlasdev
+#
+REPOSITORY_NAME=
+
+# AUDIT configuration with V3 properties
+
+#Should audit be summarized at source
+XAAUDIT.SUMMARY.ENABLE=true
+
+# Enable audit logs to Solr
+#Example
+#XAAUDIT.SOLR.ENABLE=true
+#XAAUDIT.SOLR.URL=http://localhost:6083/solr/ranger_audits
+#XAAUDIT.SOLR.ZOOKEEPER=
+#XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/atlas/audit/solr/spool
+
+XAAUDIT.SOLR.ENABLE=false
+XAAUDIT.SOLR.URL=NONE
+XAAUDIT.SOLR.USER=NONE
+XAAUDIT.SOLR.PASSWORD=NONE
+XAAUDIT.SOLR.ZOOKEEPER=NONE
+
+# Enable audit logs to HDFS
+#Example
+#XAAUDIT.HDFS.ENABLE=true
+#XAAUDIT.HDFS.HDFS_DIR=hdfs://node-1.example.com:8020/ranger/audit
+# If using Azure Blob Storage
+#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://<containername>@<accountname>.blob.core.windows.net/<path>
+#XAAUDIT.HDFS.HDFS_DIR=wasb://[email protected]/ranger/audit
+#XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/atlas/audit/hdfs/spool
+
+XAAUDIT.HDFS.ENABLE=false
+XAAUDIT.HDFS.HDFS_DIR=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit
+
+# Following additional propertis are needed When auditing to Azure Blob Storage via HDFS
+# Get these values from your /etc/hadoop/conf/core-site.xml
+#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://<containername>@<accountname>.blob.core.windows.net/<path>
+XAAUDIT.HDFS.AZURE_ACCOUNTNAME=__REPLACE_AZURE_ACCOUNT_NAME
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY=__REPLACE_AZURE_ACCOUNT_KEY
+XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER=__REPLACE_AZURE_SHELL_KEY_PROVIDER
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER=__REPLACE_AZURE_ACCOUNT_KEY_PROVIDER
+
+# End of V3 properties
+
+
+#
+# SSL Client Certificate Information
+#
+# Example:
+# SSL_KEYSTORE_FILE_PATH=/etc/atlas/conf/ranger-plugin-keystore.jks
+# SSL_KEYSTORE_PASSWORD=none
+# SSL_TRUSTSTORE_FILE_PATH=/etc/atlas/conf/ranger-plugin-truststore.jks
+# SSL_TRUSTSTORE_PASSWORD=none
+#
+# You do not need use SSL between agent and security admin tool, please leave these sample value as it is.
+#
+SSL_KEYSTORE_FILE_PATH=/etc/atlas/conf/ranger-plugin-keystore.jks
+SSL_KEYSTORE_PASSWORD=myKeyFilePassword
+SSL_TRUSTSTORE_FILE_PATH=/etc/atlas/conf/ranger-plugin-truststore.jks
+SSL_TRUSTSTORE_PASSWORD=changeit
+
+#
+# Custom component user
+# CUSTOM_COMPONENT_USER=<custom-user>
+# keep blank if component user is default
+CUSTOM_USER=atlas
+
+
+#
+# Custom component group
+# CUSTOM_COMPONENT_GROUP=<custom-group>
+# keep blank if component group is default
+CUSTOM_GROUP=hadoop
+
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
----------------------------------------------------------------------
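Review bot: The SSL block of install.properties ships `SSL_KEYSTORE_PASSWORD=myKeyFilePassword` and `SSL_TRUSTSTORE_PASSWORD=changeit` as live values, and the comment above them tells the operator to leave the samples as they are, so an install that later turns SSL on can end up with published passwords on its stores. The comment also reads as if a word is missing; I would reword it to `# If you do not use SSL between the agent and the security admin tool, leave these sample values as they are; otherwise set your own paths and passwords.` The `POLICY_MGR_URL` example uses `http://`, and an `https://` example next to it would show the form that the SSL settings go with. The file holds passwords and `XAAUDIT.HDFS.AZURE_ACCOUNTKEY`, so a comment line saying it should be readable only by the installing user would help.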
diff --git a/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java b/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
new file mode 100644
index 0000000..c735aa7
--- /dev/null
+++ b/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
@@ -0,0 +1,143 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.authorization.atlas.authorizer; + +import java.util.Date; +import java.util.Set; + +import org.apache.atlas.authorize.AtlasAccessRequest; +import org.apache.atlas.authorize.AtlasAuthorizationException; +import org.apache.atlas.authorize.AtlasAuthorizer; +import org.apache.atlas.authorize.AtlasResourceTypes; +import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler; +import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl; +import org.apache.ranger.plugin.policyengine.RangerAccessResult; +import org.apache.ranger.plugin.service.RangerBasePlugin; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class RangerAtlasAuthorizer implements AtlasAuthorizer { + private static final Logger LOG = LoggerFactory.getLogger(RangerAtlasAuthorizer.class); + private static boolean isDebugEnabled = LOG.isDebugEnabled(); + private static volatile RangerBasePlugin atlasPlugin = null; + + @Override + public void init() { + if (LOG.isDebugEnabled()) { + LOG.debug("==> RangerAtlasPlugin.init()"); + } + + RangerBasePlugin plugin = atlasPlugin; + + if (plugin == null) { + synchronized 
(RangerAtlasPlugin.class) { + plugin = atlasPlugin; + + if (plugin == null) { + plugin = new RangerAtlasPlugin(); + plugin.init(); + plugin.setResultProcessor(new RangerDefaultAuditHandler()); + atlasPlugin = plugin; + + } + } + } + if (LOG.isDebugEnabled()) { + LOG.debug("<== RangerAtlasPlugin.init()"); + } + } + + @Override + public boolean isAccessAllowed(AtlasAccessRequest request) throws AtlasAuthorizationException { + boolean isAccessAllowed = true; + if (isDebugEnabled) { + LOG.debug("==> isAccessAllowed( " + request + " )"); + } + + String resource = request.getResource(); + String user = request.getUser(); + Set<String> userGroups = request.getUserGroups(); + String action = request.getAction().name(); + Set<AtlasResourceTypes> resourceTypes = request.getResourceTypes(); + String clientIPAddress = request.getClientIPAddress(); + + for (AtlasResourceTypes resourceType : resourceTypes) { + RangerAtlasAccessRequest rangerRequest = + new RangerAtlasAccessRequest(resourceType, resource, action, user, userGroups, clientIPAddress); + if (isDebugEnabled) { + LOG.debug("Creating RangerAtlasAccessRequest with values [resource : " + resource + ", user : " + user + + ", Groups : " + userGroups + ", action : " + action + ", resourceType : " + resourceType + + ", clientIP : " + clientIPAddress + "]"); + } + isAccessAllowed = checkAccess(rangerRequest); + if (!isAccessAllowed) { + break; + } + } + + if (isDebugEnabled) { + LOG.debug("<== isAccessAllowed Returning value :: " + isAccessAllowed); + } + return isAccessAllowed; + } + + private boolean checkAccess(RangerAtlasAccessRequest request) { + boolean isAccessAllowed = false; + RangerBasePlugin plugin = atlasPlugin; + + if (plugin != null) { + RangerAccessResult rangerResult = plugin.isAccessAllowed(request); + isAccessAllowed = (rangerResult == null) ? false : rangerResult.getIsAllowed(); + } else { + isAccessAllowed = false; + LOG.warn("AtlasPlugin not initialized properly : " + plugin+"... 
Access blocked!!!"); + } + return isAccessAllowed; + } + + @Override + public void cleanUp() { + if (isDebugEnabled) { + LOG.debug("==> cleanUp "); + } + } + + class RangerAtlasPlugin extends RangerBasePlugin { + RangerAtlasPlugin() { + super("atlas", "atlas"); + } + } + +} + +class RangerAtlasAccessRequest extends RangerAccessRequestImpl { + + public RangerAtlasAccessRequest(AtlasResourceTypes resType, String resource, String action, String user, + Set<String> userGroups, String clientIp) { + super.setResource(new RangerAtlasResource(resType, resource)); + super.setAccessType(action); + super.setUser(user); + super.setUserGroups(userGroups); + super.setAccessTime(new Date(System.currentTimeMillis())); + super.setClientIPAddress(clientIp); + super.setAction(action); + } + +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasResource.java ---------------------------------------------------------------------- diff --git a/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasResource.java b/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasResource.java new file mode 100644 index 0000000..01b0f82 --- /dev/null +++ b/plugin-atlas/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasResource.java 
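Review bot: `isAccessAllowed` in the plugin's RangerAtlasAuthorizer starts from `boolean isAccessAllowed = true;` and only changes it inside the loop over `request.getResourceTypes()`, so a request whose resource-type set is empty is allowed without `checkAccess` ever consulting a policy. An authorizer should deny when nothing was evaluated: start from `boolean isAccessAllowed = false;`, which leaves the loop's result unchanged for non-empty sets. A null set from `getResourceTypes()` would throw a NullPointerException at the `for` line; whether Atlas can pass one is not visible here, so a guard such as `if (resourceTypes == null || resourceTypes.isEmpty()) { return false; }` with a warning log covers both cases. Separately, `isDebugEnabled` is read once into a static at class load while `init()` calls `LOG.isDebugEnabled()` directly; using the direct call everywhere keeps debug output consistent after a log-level change.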
@@ -0,0 +1,60 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.authorization.atlas.authorizer; + +import org.apache.atlas.authorize.AtlasResourceTypes; +import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class RangerAtlasResource extends RangerAccessResourceImpl { + public static final String KEY_TYPE = "type"; + public static final String KEY_ENTITY = "entity"; + public static final String KEY_OPERATION = "operation"; + public static final String KEY_TAXONOMY = "taxonomy"; + public static final String KEY_TERM = "term"; + + private static final Logger LOG = LoggerFactory.getLogger(RangerAtlasResource.class); + + public RangerAtlasResource(AtlasResourceTypes resourceType, String atlasResource) { + switch (resourceType) { + case TYPE: + setValue(KEY_TYPE, atlasResource); + break; + case ENTITY: + setValue(KEY_ENTITY, atlasResource); + break; + case OPERATION: + setValue(KEY_OPERATION, atlasResource); + break; + case TAXONOMY: + setValue(KEY_TAXONOMY, atlasResource); + break; + case TERM: + setValue(KEY_TERM, atlasResource); + break; + default: + LOG.warn("Invalid Resource : " + 
atlasResource); + break; + } + + } + +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java ---------------------------------------------------------------------- diff --git a/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java new file mode 100644 index 0000000..47616f4 --- /dev/null +++ b/plugin-atlas/src/main/java/org/apache/ranger/services/atlas/RangerServiceAtlas.java 
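Review bot: The `default:` branch of the `RangerAtlasResource` constructor only logs and leaves the resource with no key set, so an `AtlasResourceTypes` value added later would reach the policy engine as an empty resource; how the engine treats that is not visible in this hunk. The warning also prints the resource string but not the type that failed to match, which is what an operator needs: `LOG.warn("Invalid resource type : " + resourceType + ", resource : " + atlasResource);`. A null `resourceType` throws a NullPointerException at the `switch`, so a class comment stating that both arguments must be non-null, and listing the five supported types with their `KEY_*` names, would document the contract.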
@@ -0,0 +1,62 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.ranger.services.atlas;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.client.BaseClient;
+import org.apache.ranger.plugin.model.RangerService;
+import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.service.RangerBaseService;
+import org.apache.ranger.plugin.service.ResourceLookupContext;
+
+public class RangerServiceAtlas extends RangerBaseService {
+
+ private static final Log LOG = LogFactory.getLog(RangerServiceAtlas.class);
+
+ public RangerServiceAtlas() {
+ super();
+ }
+
+ @Override
+ public void init(RangerServiceDef serviceDef, RangerService service) {
+ super.init(serviceDef, service);
+ }
+
+ @Override
+ public HashMap<String, Object> validateConfig() throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("This method will be implemented");
+ }
+ HashMap<String, Object> responseMap = new HashMap<String, Object>();
+ String msg = "This feature is not available currently";
+ BaseClient.generateResponseDataMap(true, msg, msg, null, null, responseMap);
+ return responseMap;
+ }
+
+ @Override
+ public List<String> lookupResource(ResourceLookupContext context) throws Exception {
+ //This feature is not available currently
+ return new ArrayList<String>();
+ }
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/plugin-atlas/src/test/resource/log4j.properties
----------------------------------------------------------------------
diff --git a/plugin-atlas/src/test/resource/log4j.properties b/plugin-atlas/src/test/resource/log4j.properties
new file mode 100644
index 0000000..f7ab2ba
--- /dev/null
+++ b/plugin-atlas/src/test/resource/log4j.properties
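Review bot: `validateConfig()` in RangerServiceAtlas passes `true` as the first argument of `BaseClient.generateResponseDataMap` while the message says the feature is not available, so the response reports a successful check for any service configuration, including one with a wrong URL or wrong credentials. If that argument is the connectivity status, as the call appears to intend, an operator reading the result cannot tell that nothing was tested. Until the check is implemented I would either return `false` with the same message or keep `true` and add a comment such as `// No connection test is performed yet; the result says nothing about the configuration.` The debug text `"This method will be implemented"` could name the method. This class also logs through commons-logging while the authorizer classes in this commit use slf4j.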
@@ -0,0 +1,34 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##-- To prevent junits from cluttering the build run by default all test runs send output to null appender
+log4j.appender.devnull=org.apache.log4j.varia.NullAppender
+ranger.root.logger=FATAL,devnull
+
+##-- uncomment the following line during during development/debugging so see debug messages during test run to be emitted to console
+# ranger.root.logger=DEBUG,console
+log4j.rootLogger=${ranger.root.logger}
+
+# Logging Threshold
+log4j.threshold=ALL
+
+#
+# console
+# Add "console" to rootlogger above if you want to use this
+#
+log4j.appender.console=org.apache.log4j.ConsoleAppender
+log4j.appender.console.target=System.err
+log4j.appender.console.layout=org.apache.log4j.PatternLayout
+log4j.appender.console.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c{2}: %m%n
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/plugin-atlas/template/configuration.xml
----------------------------------------------------------------------
diff --git a/plugin-atlas/template/configuration.xml b/plugin-atlas/template/configuration.xml
new file mode 100644
index 0000000..bdb0125
--- /dev/null
+++ b/plugin-atlas/template/configuration.xml
@@ -0,0 +1,20 @@ +<?xml version="1.0" encoding="UTF-8" standalone="no"?> +<?xml-stylesheet type="text/xsl" href="configuration.xsl"?> +<!-- +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +--> +<configuration> +</configuration> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/pom.xml ---------------------------------------------------------------------- diff --git a/pom.xml b/pom.xml index 327f30c..29292a7 100644 --- a/pom.xml +++ b/pom.xml @@ -104,9 +104,11 @@ <module>ranger-storm-plugin-shim</module> <module>ranger-kafka-plugin-shim</module> <module>ranger-solr-plugin-shim</module> + <module>ranger-atlas-plugin-shim</module> <module>ranger-hive-utils</module> <module>ranger-examples</module> <module>ranger-tools</module> + <module>plugin-atlas</module> </modules> <properties> <javac.source.version>1.7</javac.source.version> @@ -162,6 +164,7 @@ <hamcrest.all.version>1.3</hamcrest.all.version> <hbase.version>1.1.3</hbase.version> <hive.version>2.1.0-SNAPSHOT</hive.version> + <atlas.version>0.7-incubating-SNAPSHOT</atlas.version> <htrace-core.version>3.1.0-incubating</htrace-core.version> <httpcomponents.httpclient.version>4.3.6</httpcomponents.httpclient.version> <httpcomponents.httpcore.version>4.4.3</httpcomponents.httpcore.version> 
@@ -401,6 +404,7 @@ <descriptor>src/main/assembly/kms.xml</descriptor> <descriptor>src/main/assembly/ranger-tools.xml</descriptor> <descriptor>src/main/assembly/ranger-src.xml</descriptor> + <descriptor>src/main/assembly/atlas-agent.xml</descriptor> </descriptors> </configuration> </plugin> @@ -517,6 +521,7 @@ <exclude>**/.classpath/**</exclude> <exclude>**/*.iml</exclude> <exclude>**/target/**</exclude> + <exclude>**/bin/**</exclude> <exclude>**/CHANGES</exclude> <exclude>**/ISSUES</exclude> <exclude>**/patchprocess/**</exclude> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/ranger-atlas-plugin-shim/.gitignore ---------------------------------------------------------------------- diff --git a/ranger-atlas-plugin-shim/.gitignore b/ranger-atlas-plugin-shim/.gitignore new file mode 100644 index 0000000..b9c5b0b --- /dev/null +++ b/ranger-atlas-plugin-shim/.gitignore @@ -0,0 +1,2 @@ +/target/ +.settings/ http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/ranger-atlas-plugin-shim/pom.xml ---------------------------------------------------------------------- diff --git a/ranger-atlas-plugin-shim/pom.xml b/ranger-atlas-plugin-shim/pom.xml new file mode 100644 index 0000000..a656d94 --- /dev/null +++ b/ranger-atlas-plugin-shim/pom.xml 
@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <artifactId>ranger-atlas-plugin-shim</artifactId>
+ <name>Atlas Security Plugin Shim</name>
+ <description>Atlas Security Plugins Shim</description>
+ <packaging>jar</packaging>
+ <properties>
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ </properties>
+ <parent>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger</artifactId>
+ <version>0.6.0-SNAPSHOT</version>
+ <relativePath>..</relativePath>
+ </parent>
+ <dependencies>
+ <dependency>
+ <groupId>commons-logging</groupId>
+ <artifactId>commons-logging</artifactId>
+ <version>${commons.logging.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-common</artifactId>
+ <version>${hadoop.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-hdfs</artifactId>
+ <version>${hadoop.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger-plugin-classloader</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>commons-lang</groupId>
+ <artifactId>commons-lang</artifactId>
+ <version>${commons.lang.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>com.google.code.gson</groupId>
+ <artifactId>gson</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger-plugins-common</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger-plugins-audit</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.atlas</groupId>
+ <artifactId>atlas-authorization</artifactId>
+ <version>${atlas.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.atlas</groupId>
+ <artifactId>atlas-common</artifactId>
+ <version>${atlas.version}</version>
+ </dependency>
+ </dependencies>
+</project>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
----------------------------------------------------------------------
diff --git a/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java b/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
new file mode 100644
index 0000000..d8bdefd
--- /dev/null
+++ b/ranger-atlas-plugin-shim/src/main/java/org/apache/ranger/authorization/atlas/authorizer/RangerAtlasAuthorizer.java
@@ -0,0 +1,142 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.authorization.atlas.authorizer; + +import org.apache.atlas.authorize.AtlasAccessRequest; +import org.apache.atlas.authorize.AtlasAuthorizationException; +import org.apache.atlas.authorize.AtlasAuthorizer; +import org.apache.ranger.plugin.classloader.RangerPluginClassLoader; +import org.apache.ranger.plugin.service.RangerBasePlugin; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +public class RangerAtlasAuthorizer implements AtlasAuthorizer { + private static final Logger LOG = LoggerFactory.getLogger(RangerAtlasAuthorizer.class); + private static boolean isDebugEnabled = LOG.isDebugEnabled(); + private static volatile RangerBasePlugin atlasPlugin = null; + + private static final String RANGER_PLUGIN_TYPE = "atlas"; + private static final String[] RANGER_PLUGIN_LIB_DIR = new String[] {"lib/ranger-atlas-plugin"}; + private static final String RANGER_ATLAS_AUTHORIZER_IMPL_CLASSNAME = "org.apache.ranger.authorization.atlas.authorizer.RangerAtlasAuthorizer"; + + private AtlasAuthorizer rangerAtlasAuthorizerImpl = null; + private static RangerPluginClassLoader rangerPluginClassLoader = null; + + public 
RangerAtlasAuthorizer() { + if(LOG.isDebugEnabled()) { + LOG.debug("==> RangerAtlasAuthorizer.RangerAtlasAuthorizer()"); + } + + this.init0(); + + if(LOG.isDebugEnabled()) { + LOG.debug("<== RangerAtlasAuthorizer.RangerAtlasAuthorizer()"); + } + } + + private void init0() { + LOG.info("Initializing RangerAtlasPlugin"); + try { + rangerPluginClassLoader = RangerPluginClassLoader.getInstance(RANGER_PLUGIN_TYPE, this.getClass()); + + @SuppressWarnings("unchecked") + Class<AtlasAuthorizer> cls = (Class<AtlasAuthorizer>) Class.forName(RANGER_ATLAS_AUTHORIZER_IMPL_CLASSNAME, true, rangerPluginClassLoader); + + activatePluginClassLoader(); + + rangerAtlasAuthorizerImpl = cls.newInstance(); + } catch (Exception e) { + // check what need to be done + LOG.error("Error Enabling RangerAtlasPluing", e); + } finally { + deactivatePluginClassLoader(); + } + if (LOG.isDebugEnabled()) { + LOG.debug("<== RangerAtlasPlugin.init()"); + } + } + + @Override + public void init() { + if (isDebugEnabled) { + LOG.debug("gautam init <==="); + } + + try { + activatePluginClassLoader(); + + rangerAtlasAuthorizerImpl.init(); + } finally { + deactivatePluginClassLoader(); + } + + if (isDebugEnabled) { + LOG.debug("gautam init ===> " ); + } + + } + + @Override + public boolean isAccessAllowed(AtlasAccessRequest request) throws AtlasAuthorizationException { + boolean isAccessAllowed = false; + if (isDebugEnabled) { + LOG.debug("isAccessAllowed <==="); + } + + try { + activatePluginClassLoader(); + + isAccessAllowed = rangerAtlasAuthorizerImpl.isAccessAllowed(request); + } finally { + deactivatePluginClassLoader(); + } + + if (isDebugEnabled) { + LOG.debug("isAccessAllowed ===> Returning value :: " + isAccessAllowed); + } + return isAccessAllowed; + } + + @Override + public void cleanUp() { + if (isDebugEnabled) { + LOG.debug("cleanUp <==="); + } + try { + activatePluginClassLoader(); + rangerAtlasAuthorizerImpl.cleanUp(); + } finally { + deactivatePluginClassLoader(); + } + + } + + private void 
activatePluginClassLoader() { + if(rangerPluginClassLoader != null) { + rangerPluginClassLoader.activate(); + } + } + + private void deactivatePluginClassLoader() { + if(rangerPluginClassLoader != null) { + rangerPluginClassLoader.deactivate(); + } + } +} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/72d61a87/src/main/assembly/atlas-agent.xml ---------------------------------------------------------------------- diff --git a/src/main/assembly/atlas-agent.xml b/src/main/assembly/atlas-agent.xml new file mode 100644 index 0000000..a1c1cc5 --- /dev/null +++ b/src/main/assembly/atlas-agent.xml 
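Review bot: `init0()` in the shim RangerAtlasAuthorizer catches every exception from loading the implementation class and only logs it, so `rangerAtlasAuthorizerImpl` stays null and the later `init()`, `isAccessAllowed()` and `cleanUp()` calls fail with a NullPointerException far from the cause. For an authorizer the load failure should be explicit: rethrow from the catch block, e.g. `throw new IllegalStateException("Error enabling RangerAtlasPlugin", e);`, or have `isAccessAllowed` log and return `false` when the delegate is null. The debug strings `"gautam init <==="` and `"gautam init ===> "` look like leftover personal traces, and the error text has a typo (`RangerAtlasPluing`). `RANGER_PLUGIN_LIB_DIR` and `atlasPlugin` are not used anywhere in this hunk, and the constant's `lib/ranger-atlas-plugin` differs from the `/lib/ranger-atlas-plugin-impl` output directory in atlas-agent.xml, so one of the two is probably stale.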
@@ -0,0 +1,170 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<assembly>
+ <id>atlas-plugin</id>
+ <formats>
+ <format>tar.gz</format>
+ <format>zip</format>
+ </formats>
+ <baseDirectory>${project.name}-${project.version}-atlas-plugin</baseDirectory>
+ <includeBaseDirectory>true</includeBaseDirectory>
+ <moduleSets>
+
+ <moduleSet>
+ <binaries>
+ <includeDependencies>false</includeDependencies>
+ <unpack>false</unpack>
+ <directoryMode>755</directoryMode>
+ <fileMode>644</fileMode>
+ <outputDirectory>/lib</outputDirectory>
+ </binaries>
+ <includes>
+ <include>org.apache.ranger:ranger-atlas-plugin-shim</include>
+ <include>org.apache.ranger:ranger-plugin-classloader</include>
+ </includes>
+ </moduleSet>
+
+ <moduleSet>
+ <binaries>
+ <includeDependencies>false</includeDependencies>
+ <unpack>false</unpack>
+ <directoryMode>755</directoryMode>
+ <fileMode>644</fileMode>
+ <dependencySets>
+ <dependencySet>
+ <outputDirectory>/lib/ranger-atlas-plugin-impl</outputDirectory>
+ <includes>
+ <include>org.apache.hadoop:hadoop-common:jar:${hadoop-common.version}</include>
+ <include>com.google.code.gson:gson</include>
+ <include>org.eclipse.persistence:eclipselink</include>
+ <include>org.eclipse.persistence:javax.persistence</include>
+ <include>com.sun.jersey:jersey-bundle</include>
+ <include>com.google.guava:guava:jar:${guava.version}</include>
+ <include>org.codehaus.jackson:jackson-core-asl</include>
+ <include>org.codehaus.jackson:jackson-jaxrs</include>
+ <include>org.codehaus.jackson:jackson-mapper-asl</include>
+ <include>org.codehaus.jackson:jackson-xc</include>
+ <include>commons-configuration:commons-configuration</include>
+ <include>com.google.code.gson:gson*</include>
+ <include>org.apache.httpcomponents:httpmime:jar:${httpcomponents.httpmime.version}</include>
+ <include>org.noggit:noggit:jar:${noggit.version}</include>
+ <include>com.google.protobuf:protobuf-java:jar:${protobuf-java.version}</include>
+ <include>org.apache.hadoop:hadoop-hdfs:jar:${hadoop.version}</include>
+ <include>org.apache.hadoop:hadoop-common:jar:${hadoop-common.version}</include>
+ <include>org.apache.htrace:htrace-core:jar:${htrace-core.version}</include>
+ <include>org.codehaus.jackson:jackson-core-asl:jar:${codehaus.jackson.version}</include>
+ <include>org.codehaus.jackson:jackson-mapper-asl:jar:${codehaus.jackson.version}</include>
+ </includes>
+ <unpack>false</unpack>
+ </dependencySet>
+ <dependencySet>
+ <outputDirectory>/install/lib</outputDirectory>
+ <unpack>false</unpack>
+ <directoryMode>755</directoryMode>
+ <fileMode>644</fileMode>
+ <includes>
+ <include>commons-cli:commons-cli</include>
+ <include>commons-collections:commons-collections</include>
+ <include>commons-configuration:commons-configuration:jar:${commons.configuration.version}</include>
+ <include>commons-io:commons-io:jar:${commons.io.version}</include>
+ <include>commons-lang:commons-lang:jar:${commons.lang.version}</include>
+ <include>commons-logging:commons-logging</include>
+ <include>com.google.guava:guava:jar:${guava.version}</include>
+ <include>org.slf4j:slf4j-api:jar:${slf4j-api.version}</include>
+ <include>org.apache.hadoop:hadoop-common:jar:${hadoop-common.version}</include>
+ <include>org.apache.hadoop:hadoop-auth:jar:${hadoop-common.version}</include>
+ <include>org.apache.ranger:ranger-plugins-cred</include>
+ <include>org.apache.ranger:credentialbuilder</include>
+ </includes>
+ </dependencySet>
+ </dependencySets>
+ <outputDirectory>/lib/ranger-atlas-plugin-impl</outputDirectory>
+ </binaries>
+ <includes>
+ <include>org.apache.ranger:ranger_solrj</include>
+ <include>org.apache.ranger:ranger-plugins-audit</include>
+ <include>org.apache.ranger:ranger-plugins-cred</include>
+ <include>org.apache.ranger:ranger-plugins-common</include>
+ <include>org.apache.ranger:ranger-atlas-plugin</include>
+ </includes>
+ </moduleSet>
+ <moduleSet>
+ <binaries>
+ <includeDependencies>false</includeDependencies>
+ <outputDirectory>/install/lib</outputDirectory>
+ <unpack>false</unpack>
+ </binaries>
+ <includes>
+ <include>org.apache.ranger:ranger-plugins-installer</include>
+ <include>org.apache.ranger:credentialbuilder</include>
+ </includes>
+ </moduleSet>
+ </moduleSets>
+ <fileSets>
+ <!-- conf.templates for enable -->
+ <fileSet>
+ <outputDirectory>/install/conf.templates/enable</outputDirectory>
+ <directory>plugin-atlas/conf</directory>
+ <excludes>
+ <exclude>*.sh</exclude>
+ </excludes>
+ <fileMode>700</fileMode>
+ </fileSet>
+ <fileSet>
+ <outputDirectory>/install/conf.templates/default</outputDirectory>
+ <directory>plugin-atlas/template</directory>
+ <fileMode>700</fileMode>
+ </fileSet>
+ <!-- version file -->
+ <fileSet>
+ <outputDirectory>/</outputDirectory>
+ <directory>${project.build.outputDirectory}</directory>
+ <includes>
+ <include>version</include>
+ </includes>
+ <fileMode>444</fileMode>
+ </fileSet>
+ </fileSets>
+ <!-- enable/disable script for plugin -->
+ <files>
+ <file>
+ <source>agents-common/scripts/enable-agent.sh</source>
+ <outputDirectory>/</outputDirectory>
+ <destName>enable-atlas-plugin.sh</destName>
+ <fileMode>755</fileMode>
+ </file>
+ <file>
+ <source>security-admin/scripts/ranger_credential_helper.py</source>
+ <outputDirectory>/</outputDirectory>
+ <fileMode>755</fileMode>
+ </file>
+ <file>
+ <source>agents-common/scripts/enable-agent.sh</source>
+ <outputDirectory>/</outputDirectory>
+ <destName>disable-atlas-plugin.sh</destName>
+ <fileMode>755</fileMode>
+ </file>
+ <file>
+ <source>plugin-atlas/scripts/install.properties</source>
+ <outputDirectory>/</outputDirectory>
+ <destName>install.properties</destName>
+ <fileMode>755</fileMode>
+ </file>
+ </files>
+</assembly>
+
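Review bot: The last `<file>` entry packages `install.properties` with `<fileMode>755</fileMode>`, so a plain configuration file lands in the distribution world-readable and executable. Its contents are not part of this hunk, but an installer properties file is the usual place for an operator to fill in keystore or audit-store credentials (inferred; confirm against plugin-atlas/scripts/install.properties), so a tighter mode such as `<fileMode>600</fileMode>` is the safer default, or `644` if the enable script has to read it under a different account. Only the two scripts and the credential helper need the execute bit. Separately, the first `<dependencySet>` lists `hadoop-common`, `jackson-core-asl`, `jackson-mapper-asl` and gson more than once, mixing versioned and unversioned coordinates; dropping the unversioned duplicates would make it unambiguous which artifacts end up in `/lib/ranger-atlas-plugin-impl`.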
