Repository: incubator-ranger Updated Branches: refs/heads/master ced7c3b7a -> bc634846b
RANGER-900 : Remove support for DB based auditing Signed-off-by: Gautam Borad <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/4d3ce6cc Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/4d3ce6cc Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/4d3ce6cc Branch: refs/heads/master Commit: 4d3ce6cc036f490921653f9b3385b16b17fda181 Parents: ced7c3b Author: Pradeep Agrawal <[email protected]> Authored: Wed Apr 20 23:55:52 2016 +0530 Committer: Gautam Borad <[email protected]> Committed: Tue May 31 11:34:00 2016 +0530 ---------------------------------------------------------------------- agents-common/scripts/enable-agent.sh | 6 ++- plugin-kms/scripts/enable-kms-plugin.sh | 6 ++- security-admin/scripts/db_setup.py | 51 ++++++++++--------- security-admin/scripts/dba_script.py | 76 ++++++++++++++++++++-------- security-admin/scripts/setup.sh | 19 ++++--- 5 files changed, 102 insertions(+), 56 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d3ce6cc/agents-common/scripts/enable-agent.sh ---------------------------------------------------------------------- diff --git a/agents-common/scripts/enable-agent.sh b/agents-common/scripts/enable-agent.sh index 39c4633..1c94c40 100755 --- a/agents-common/scripts/enable-agent.sh +++ b/agents-common/scripts/enable-agent.sh @@ -395,7 +395,7 @@ then # We need to do the AUDIT JDBC url # db_flavor='' -#db_flavor=`echo $(getInstallProperty 'XAAUDIT.DB.FLAVOUR') | tr '[:lower:]' '[:upper:]'` +db_flavor=`echo $(getInstallProperty 'XAAUDIT.DB.FLAVOUR') | tr '[:lower:]' '[:upper:]'` if [ "${db_flavor}" != "" ] then audit_db_hostname=$(getInstallProperty 'XAAUDIT.DB.HOSTNAME') 
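Review bot: In the `@@ -395` hunk of agents-common/scripts/enable-agent.sh the re-enabled assignment runs `echo $(getInstallProperty …)` unquoted inside backticks, so the property value is word-split and glob-expanded before it reaches `tr`, and the `db_flavor=''` on the line above becomes a dead store. I would write it as `db_flavor=$(getInstallProperty 'XAAUDIT.DB.FLAVOUR' | tr '[:lower:]' '[:upper:]')`. The same line is re-enabled in the `@@ -361` hunk of plugin-kms/scripts/enable-kms-plugin.sh. The enclosing `if … then` block starts and ends outside the hunk.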
@@ -583,7 +583,9 @@ then auditdbCred=$(getInstallProperty 'XAAUDIT.DB.PASSWORD') - #create_jceks "${auditCredAlias}" "${auditdbCred}" "${CredFile}" + if [ "${auditdbCred}" != "" ]; then + create_jceks "${auditCredAlias}" "${auditdbCred}" "${CredFile}" + fi # http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d3ce6cc/plugin-kms/scripts/enable-kms-plugin.sh ---------------------------------------------------------------------- diff --git a/plugin-kms/scripts/enable-kms-plugin.sh b/plugin-kms/scripts/enable-kms-plugin.sh index 1661a61..375544a 100755 --- a/plugin-kms/scripts/enable-kms-plugin.sh +++ b/plugin-kms/scripts/enable-kms-plugin.sh @@ -361,7 +361,7 @@ then # We need to do the AUDIT JDBC url # db_flavor='' -#db_flavor=`echo $(getInstallProperty 'XAAUDIT.DB.FLAVOUR') | tr '[:lower:]' '[:upper:]'` +db_flavor=`echo $(getInstallProperty 'XAAUDIT.DB.FLAVOUR') | tr '[:lower:]' '[:upper:]'` if [ "${db_flavor}" != "" ] then audit_db_hostname=$(getInstallProperty 'XAAUDIT.DB.HOSTNAME') @@ -528,7 +528,9 @@ then auditdbCred=$(getInstallProperty 'XAAUDIT.DB.PASSWORD') - #create_jceks "${auditCredAlias}" "${auditdbCred}" "${CredFile}" + if [ "${auditdbCred}" != "" ]; then + create_jceks "${auditCredAlias}" "${auditdbCred}" "${CredFile}" + fi # http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d3ce6cc/security-admin/scripts/db_setup.py ---------------------------------------------------------------------- diff --git a/security-admin/scripts/db_setup.py b/security-admin/scripts/db_setup.py index 595f810..0460efd 100644 --- a/security-admin/scripts/db_setup.py +++ b/security-admin/scripts/db_setup.py 
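Review bot: The new guard around `create_jceks` in the `@@ -583` hunk of enable-agent.sh (and the identical `@@ -528` hunk of enable-kms-plugin.sh) skips the credential-store entry silently when `XAAUDIT.DB.PASSWORD` is empty, even if `XAAUDIT.DB.FLAVOUR` was set earlier in the script. An operator then gets a plugin that looks enabled but has no audit DB credential stored under `${auditCredAlias}`. I would add an `else` branch that reports this without printing the value, e.g. `echo "WARN: XAAUDIT.DB.PASSWORD is empty; no audit DB credential stored" >&2`. `create_jceks` is defined outside the hunk; if it hands the password to an external process as an argument, the secret is visible in the process list while it runs, which is worth confirming now that the call is live again.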
@@ -2106,9 +2106,21 @@ def main(argv): xa_access_audit = 'xa_access_audit' x_user = 'x_portal_user' - #audit_db_name = globalDict['db_name'] - #audit_db_user = globalDict['db_user'] - #audit_db_password = globalDict['db_password'] + audit_db_name='' + audit_db_user='' + audit_db_password='' + audit_store = None + if 'audit_store' in globalDict: + audit_store = globalDict['audit_store'] + audit_store=audit_store.lower() + + if audit_store =='db': + if 'audit_db_name' in globalDict: + audit_db_name = globalDict['audit_db_name'] + if 'audit_db_user' in globalDict: + audit_db_user = globalDict['audit_db_user'] + if 'audit_db_password' in globalDict: + audit_db_password = globalDict['audit_db_password'] if XA_DB_FLAVOR == "MYSQL": MYSQL_CONNECTOR_JAR=globalDict['SQL_CONNECTOR_JAR'] @@ -2171,8 +2183,8 @@ def main(argv): audit_db_file = os.path.join(RANGER_ADMIN_HOME , oracle_audit_file) elif AUDIT_DB_FLAVOR == "POSTGRES": - #audit_db_user=audit_db_user.lower() - #audit_db_name=audit_db_name.lower() + audit_db_user=audit_db_user.lower() + audit_db_name=audit_db_name.lower() POSTGRES_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR'] audit_sqlObj = PostgresConf(audit_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN) audit_db_file = os.path.join(RANGER_ADMIN_HOME , postgres_audit_file) @@ -2193,17 +2205,6 @@ def main(argv): log("[I] --------- Verifying Ranger DB connection ---------","info") xa_sqlObj.check_connection(db_name, db_user, db_password) - if 'audit_store' in globalDict: - audit_store = globalDict['audit_store'] - else: - audit_store = None - - if audit_store is None or audit_store == "": - audit_store = "solr" - audit_store=audit_store.lower() - if not audit_store =='solr': - log("[E] Only 'Solr' audit store is supported from current version!","error") - sys.exit(1) if len(argv)==1: log("[I] --------- Verifying Ranger DB tables ---------","info") 
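Review bot: With the Solr-only check removed in the `@@ -2193` hunk, nothing in db_setup.py validates `audit_store` any more. The new block at `@@ -2106` only lower-cases it, so a typo or a value with stray whitespace fails every `== 'db'` test and the run completes without any audit DB step and without a message. I would strip and check it where it is read: `audit_store = globalDict['audit_store'].strip().lower()` followed by `if audit_store not in ('', 'solr', 'db'): log("[E] Unsupported audit_store: " + audit_store, "error"); sys.exit(1)`. The same unvalidated read is added to dba_script.py in its `@@ -1540` hunk. `main` starts and ends outside these hunks.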
@@ -2212,10 +2213,10 @@ def main(argv): else: log("[I] --------- Importing Ranger Core DB Schema ---------","info") xa_sqlObj.import_db_file(db_name, db_user, db_password, xa_db_core_file) - #if XA_DB_FLAVOR == "ORACLE": - #if xa_sqlObj.check_table(db_name, db_user, db_password, xa_access_audit): - #if db_user != audit_db_user: - #xa_sqlObj.create_synonym(db_name, db_user, db_password,audit_db_user) + if XA_DB_FLAVOR == "ORACLE": + if xa_sqlObj.check_table(db_name, db_user, db_password, xa_access_audit): + if audit_db_user != "" and db_user != audit_db_user: + xa_sqlObj.create_synonym(db_name, db_user, db_password,audit_db_user) log("[I] --------- Verifying upgrade history table ---------","info") output = xa_sqlObj.check_table(db_name, db_user, db_password, x_db_version) if output == False: 
@@ -2223,11 +2224,11 @@ def main(argv): xa_sqlObj.upgrade_db(db_name, db_user, db_password, xa_db_version_file) log("[I] --------- Applying Ranger DB patches ---------","info") xa_sqlObj.apply_patches(db_name, db_user, db_password, xa_patch_file) - #if audit_store == "db": - #log("[I] --------- Starting Audit Operation ---------","info") - #audit_sqlObj.auditdb_operation(xa_db_host, audit_db_host, db_name, audit_db_name, db_user, audit_db_user, db_password, audit_db_password, audit_db_file, xa_access_audit) - #log("[I] --------- Applying Audit DB patches ---------","info") - #audit_sqlObj.apply_auditdb_patches(xa_sqlObj,xa_db_host, audit_db_host, db_name, audit_db_name, db_user, audit_db_user, db_password, audit_db_password, audit_patch_file, xa_access_audit) + if audit_store == "db" and audit_db_password!='': + log("[I] --------- Starting Audit Operation ---------","info") + audit_sqlObj.auditdb_operation(xa_db_host, audit_db_host, db_name, audit_db_name, db_user, audit_db_user, db_password, audit_db_password, audit_db_file, xa_access_audit) + log("[I] --------- Applying Audit DB patches ---------","info") + audit_sqlObj.apply_auditdb_patches(xa_sqlObj,xa_db_host, audit_db_host, db_name, audit_db_name, db_user, audit_db_user, db_password, audit_db_password, audit_patch_file, xa_access_audit) if len(argv)>1: for i in range(len(argv)): http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d3ce6cc/security-admin/scripts/dba_script.py ---------------------------------------------------------------------- diff --git a/security-admin/scripts/dba_script.py b/security-admin/scripts/dba_script.py index 5f3fd42..89df1ad 100644 --- a/security-admin/scripts/dba_script.py +++ b/security-admin/scripts/dba_script.py 
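Review bot: The re-enabled audit step in the `@@ -2223` hunk of db_setup.py is gated on `audit_store == "db" and audit_db_password!=''`, so an install that selects the DB audit store but has no `audit_db_password` in its properties skips `auditdb_operation` and `apply_auditdb_patches` without any message. The guard also lets an empty `audit_db_name` or `audit_db_user` through to both calls, because only the password is tested. I would require all three in the `if` and fail loudly otherwise: `elif audit_store == "db": log("[E] audit_store is 'db' but audit_db_name/audit_db_user/audit_db_password are incomplete","error"); sys.exit(1)`. dba_script.py has the same password-only guard before `create_auditdb_user` in its `@@ -1685` hunk.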
@@ -1540,6 +1540,51 @@ def main(argv): log("Enter db user password:","info") db_password = getpass.getpass("Enter db user password:") + audit_db_name='' + audit_db_user='' + audit_db_password='' + audit_store = None + if 'audit_store' in globalDict: + audit_store = globalDict['audit_store'] + audit_store=audit_store.lower() + + if audit_store =='db': + if (quiteMode): + if 'audit_db_name' in globalDict: + audit_db_name = globalDict['audit_db_name'] + else: + if (dryMode): + audit_db_name='ranger_audit_db' + else: + audit_db_name='' + while audit_db_name == "": + log("Enter audit db name:","info") + audit_db_name = raw_input() + + if (quiteMode): + if 'audit_db_user' in globalDict: + audit_db_user = globalDict['audit_db_user'] + else: + if (dryMode): + audit_db_user='ranger_logger_user' + else: + audit_db_user='' + while audit_db_user == "": + log("Enter audit user name:","info") + audit_db_user = raw_input() + + if (quiteMode): + if 'audit_db_password' in globalDict: + audit_db_password = globalDict['audit_db_password'] + else: + if (dryMode): + audit_db_password='*****' + else: + audit_db_password='' + while audit_db_password == "": + log("Enter audit db user password:","info") + audit_db_password = getpass.getpass("Enter audit db user password:") + audit_db_root_user = xa_db_root_user audit_db_root_password = xa_db_root_password @@ -1633,8 +1678,8 @@ def main(argv): audit_db_file = os.path.join(RANGER_ADMIN_HOME,oracle_audit_file) elif AUDIT_DB_FLAVOR == "POSTGRES": - #audit_db_user=audit_db_user.lower() - #audit_db_name=audit_db_name.lower() + audit_db_user=audit_db_user.lower() + audit_db_name=audit_db_name.lower() POSTGRES_CONNECTOR_JAR=CONNECTOR_JAR audit_sqlObj = PostgresConf(audit_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN) audit_db_file = os.path.join(RANGER_ADMIN_HOME,postgres_audit_file) 
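Review bot: In the `@@ -1540` hunk of dba_script.py the interactive path loops until each audit value is non-empty, but the `quiteMode` path leaves `audit_db_name`, `audit_db_user` and `audit_db_password` as `''` when the key is missing from `globalDict`. A silent install with `audit_store` set to `db` and an incomplete properties file therefore continues with blank audit settings instead of stopping. I would add a check at the end of the `if audit_store =='db':` block: `if quiteMode and '' in (audit_db_name, audit_db_user, audit_db_password): log("[E] audit_db_name, audit_db_user and audit_db_password are required when audit_store is 'db'","error"); sys.exit(1)`. The three near-identical if/else blocks would also read better as one small helper. `main` continues outside the hunk.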
@@ -1652,18 +1697,6 @@ def main(argv): log("[E] ---------- NO SUCH SUPPORTED DB FLAVOUR.. ----------", "error") sys.exit(1) - if 'audit_store' in globalDict: - audit_store = globalDict['audit_store'] - else: - audit_store = None - - if audit_store is None or audit_store == "": - audit_store = "solr" - audit_store=audit_store.lower() - if not audit_store =='solr': - log("[E] Only 'Solr' audit store is supported from current version!","error") - sys.exit(1) - if not dryMode: log("[I] ---------- Verifying DB root password ---------- ","info") password_validation(xa_db_root_password,"DBA root"); @@ -1674,7 +1707,10 @@ def main(argv): if (dryMode==True): log("[I] Logging DBA Script in file:"+str(globalDict["dryModeOutputFile"]),"info") logFile("===============================================\n") - xa_sqlObj.writeDrymodeCmd(xa_db_host, audit_db_host, xa_db_root_user, xa_db_root_password, db_user, db_password, db_name, audit_db_root_user, audit_db_root_password, db_user, db_password, db_name) + if audit_store=="db": + xa_sqlObj.writeDrymodeCmd(xa_db_host, audit_db_host, xa_db_root_user, xa_db_root_password, db_user, db_password, db_name, audit_db_root_user, audit_db_root_password, audit_db_user, audit_db_password, audit_db_name) + else: + xa_sqlObj.writeDrymodeCmd(xa_db_host, audit_db_host, xa_db_root_user, xa_db_root_password, db_user, db_password, db_name, audit_db_root_user, audit_db_root_password, db_user, db_password, db_name) logFile("===============================================\n") if (dryMode==False): log("[I] ---------- Creating Ranger Admin db user ---------- ","info") 
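Review bot: The new `audit_store=="db"` branch in the `@@ -1674` hunk of dba_script.py passes `audit_db_password` to `writeDrymodeCmd`, and in quiet mode that is the real value read from `globalDict`, not the `'*****'` placeholder used for interactive dry runs. `writeDrymodeCmd` is not visible here; if it writes its arguments into `dryModeOutputFile`, the generated script holds the audit DB password in clear text alongside `db_password`. I would document that next to the call, `# dry-mode output may contain DB passwords; create the file with owner-only permissions`, and confirm how the file is opened. The two calls differ only in their last three arguments, so selecting those into locals first would avoid duplicating the twelve-argument line.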
@@ -1685,10 +1721,10 @@ def main(argv): if not XA_DB_FLAVOR == "SQLA": xa_sqlObj.grant_xa_db_user(xa_db_root_user, db_name, db_user, db_password, xa_db_root_password, is_revoke,dryMode) # Ranger Admin DB Host AND Ranger Audit DB Host are Different OR Same - #if audit_store == "db": - #log("[I] ---------- Verifing Ranger Audit db user password ---------- ","info") - #password_validation(audit_db_password,"audit"); - #log("[I] ---------- Verifying/Creating audit user --------- ","info") - #audit_sqlObj.create_auditdb_user(xa_db_host, audit_db_host, db_name, audit_db_name, xa_db_root_user, audit_db_root_user, db_user, audit_db_user, xa_db_root_password, audit_db_root_password, db_password, audit_db_password, DBA_MODE,dryMode) + if audit_store == "db" and audit_db_password!="": + log("[I] ---------- Verifying Ranger Audit db user password ---------- ","info") + password_validation(audit_db_password,"audit"); + log("[I] ---------- Verifying/Creating audit user --------- ","info") + audit_sqlObj.create_auditdb_user(xa_db_host, audit_db_host, db_name, audit_db_name, xa_db_root_user, audit_db_root_user, db_user, audit_db_user, xa_db_root_password, audit_db_root_password, db_password, audit_db_password, DBA_MODE,dryMode) log("[I] ---------- Ranger Policy Manager DB and User Creation Process Completed.. ---------- ","info") main(sys.argv) http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4d3ce6cc/security-admin/scripts/setup.sh ---------------------------------------------------------------------- diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh index 9633363..c6defd8 100755 --- a/security-admin/scripts/setup.sh +++ b/security-admin/scripts/setup.sh 
@@ -217,15 +217,17 @@ init_variables(){ fi log "[I] DB_FLAVOR=${DB_FLAVOR}" audit_store=`echo $audit_store | tr '[:upper:]' '[:lower:]'` + log "[I] Audit source=${audit_store}" if [ "${audit_store}" == "solr" ] ;then - log "[I] Audit source=${DB_FLAVOR}" if [ "${audit_solr_urls}" == "" ] ;then log "[I] Please provide valid URL for 'solr' audit store!" exit 1 fi - else - log "[I] Only 'solr' audit store is supported from current version, found : $audit_store" - exit 1 + fi + if [ "${audit_store}" == "db" ] ;then + audit_db_name=$(get_prop 'audit_db_name' $PROPFILE) + audit_db_user=$(get_prop 'audit_db_user' $PROPFILE) + audit_db_password=$(get_prop 'audit_db_password' $PROPFILE) fi } @@ -598,9 +600,12 @@ update_properties() { updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger fi - propertyName=ranger.audit.source.type - newPropertyValue=${audit_store} - updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger + if [ "${audit_store}" != "" ] + then + propertyName=ranger.audit.source.type + newPropertyValue=${audit_store} + updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger + fi propertyName=ranger.externalurl newPropertyValue="${policymgr_external_url}"
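Review bot: Dropping the `else` branch in the `@@ -217` hunk of setup.sh means `init_variables` now accepts any `audit_store` value: only `solr` and `db` are handled, and anything else is logged and later written to `ranger.audit.source.type` by the `@@ -598` hunk. I would keep an explicit rejection, `if [ "${audit_store}" != "" ] && [ "${audit_store}" != "solr" ] && [ "${audit_store}" != "db" ]; then log "[E] Unsupported audit_store: ${audit_store}"; exit 1; fi`. The new `get_prop` calls and the `updatePropertyToFilePy` call expand `$PROPFILE`, `$newPropertyValue` and `$to_file_ranger` unquoted, so a value containing whitespace is split into several arguments; quoting them (`"$PROPFILE"`, `"$newPropertyValue"`) avoids that. Both functions continue outside the hunks.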
