ramackri commented on code in PR #986: URL: https://github.com/apache/ranger/pull/986#discussion_r3317205895
########## dev-support/ranger-docker/scripts/admin/ranger-admin-install-postgres-opensearch.properties: ########## @@ -0,0 +1,99 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# +# Ranger Admin install.properties — OpenSearch audit store +# +# Use this file instead of ranger-admin-install-postgres.properties when +# bootstrapping a fresh Ranger container for OpenSearch-based audits: +# +# -f docker-compose.ranger.yml with volume mount override: +# ./scripts/admin/ranger-admin-install-postgres-opensearch.properties +# + +PYTHON_COMMAND_INVOKER=python3 +RANGER_ADMIN_LOG_DIR=/var/log/ranger +RANGER_PID_DIR_PATH=/var/run/ranger +DB_FLAVOR=POSTGRES +SQL_CONNECTOR_JAR=/usr/share/java/postgresql.jar +RANGER_ADMIN_LOGBACK_CONF_FILE=/opt/ranger/admin/ews/webapp/WEB-INF/classes/conf/logback.xml + +db_root_user=postgres +db_root_password=rangerR0cks! +db_host=ranger-db + +db_name=ranger +db_user=rangeradmin +db_password=rangerR0cks! + +postgres_core_file=db/postgres/optimized/current/ranger_core_db_postgres.sql +postgres_audit_file=db/postgres/xa_audit_db_postgres.sql +mysql_core_file=db/mysql/optimized/current/ranger_core_db_mysql.sql +mysql_audit_file=db/mysql/xa_audit_db.sql + +rangerAdmin_password=rangerR0cks! +rangerTagsync_password=rangerR0cks! +rangerUsersync_password=rangerR0cks! +keyadmin_password=rangerR0cks! + +# OpenSearch replaces Solr for audit storage (Ranger uses audit_store=elasticsearch) +audit_store=elasticsearch +audit_elasticsearch_urls=ranger-opensearch +audit_elasticsearch_port=9200 +audit_elasticsearch_protocol=http +audit_elasticsearch_user=NONE +audit_elasticsearch_password=NONE +audit_elasticsearch_index=ranger_audits +audit_elasticsearch_bootstrap_enabled=true + Review Comment: How to differentiate whether it is open search or elasticsearch ########## dev-support/ranger-docker/scripts/audit-dispatcher/ranger-audit-dispatcher-opensearch-site.xml: ########## @@ -0,0 +1,164 @@ +<!-- + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. See accompanying LICENSE file. +--> +<configuration> + <property> + <name>ranger.audit.dispatcher.opensearch.class</name> + <value>org.apache.ranger.audit.dispatcher.OpenSearchDispatcherManager</value> + </property> + + <property> + <name>log.dir</name> + <value>${audit.dispatcher.opensearch.log.dir}</value> + <description>Log directory for OpenSearch dispatcher service</description> + </property> + + <property> + <name>ranger.audit.dispatcher.host</name> + <value>ranger-audit-dispatcher-opensearch.rangernw</value> + </property> + + <property> + <name>ranger.audit.dispatcher.service.kerberos.principal</name> + <value>rangerauditserver/[email protected]</value> + </property> + + <property> + <name>ranger.audit.dispatcher.service.kerberos.keytab</name> + <value>/etc/keytabs/rangerauditserver.keytab</value> + </property> + + <!-- KAFKA DISPATCHER CONFIGURATION --> + <property> + <name>ranger.audit.dispatcher.kafka.bootstrap.servers</name> + <value>ranger-kafka.rangernw:9092</value> + </property> + + <property> + <name>ranger.audit.dispatcher.kafka.topic.name</name> + <value>ranger_audits</value> + </property> + + <property> + <name>ranger.audit.dispatcher.kafka.security.protocol</name> + <value>SASL_PLAINTEXT</value> + </property> + + <property> + <name>ranger.audit.dispatcher.kafka.sasl.mechanism</name> + <value>GSSAPI</value> + </property> + + <property> + <name>ranger.audit.dispatcher.thread.count</name> + <value>1</value> + </property> + + <property> + <name>ranger.audit.dispatcher.offset.commit.strategy</name> + <value>batch</value> + </property> + + <property> + <name>ranger.audit.dispatcher.offset.commit.interval.ms</name> + <value>30000</value> + </property> + + <property> + <name>ranger.audit.dispatcher.max.poll.records</name> + <value>500</value> + </property> + + <property> + <name>ranger.audit.dispatcher.class</name> + <value>org.apache.ranger.audit.dispatcher.kafka.AuditOpenSearchDispatcher</value> + </property> + + <!-- OPENSEARCH DESTINATION CONFIGURATION --> + <property> + <name>xasecure.audit.destination.elasticsearch</name> + <value>true</value> + </property> + + <property> + <name>xasecure.audit.destination.elasticsearch.urls</name> + <value>ranger-opensearch.rangernw</value> + </property> + + <property> + <name>xasecure.audit.destination.elasticsearch.port</name> + <value>9200</value> + </property> + + <property> + <name>xasecure.audit.destination.elasticsearch.protocol</name> + <value>http</value> + </property> + + <property> + <name>xasecure.audit.destination.elasticsearch.index</name> + <value>ranger_audits</value> + </property> + + <property> Review Comment: Description correctly states unauthenticated OpenSearch is allowed. Cross-link to production hardening (require user/password when xasecure.audit.destination.elasticsearch=true). ########## audit-server/audit-dispatcher/dispatcher-opensearch/src/main/java/org/apache/ranger/audit/dispatcher/OpenSearchDispatcherManager.java: ########## @@ -0,0 +1,318 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.ranger.audit.dispatcher; + +import org.apache.ranger.audit.dispatcher.kafka.AuditDispatcher; +import org.apache.ranger.audit.dispatcher.kafka.AuditDispatcherTracker; +import org.apache.ranger.audit.provider.MiscUtil; +import org.apache.ranger.audit.server.AuditServerConstants; +import org.apache.ranger.audit.utils.AuditServerLogFormatter; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.util.Properties; + +/** + * Manages the lifecycle of the OpenSearch dispatcher. + */ +public final class OpenSearchDispatcherManager { + /** Class logger. */ + private static final Logger LOG = + LoggerFactory.getLogger( + OpenSearchDispatcherManager.class); + /** System property for dispatcher type selection. */ + private static final String CONFIG_DISPATCHER_TYPE = + AuditServerConstants.PROP_DISPATCHER_TYPE; + /** Dispatcher type identifier. */ + private static final String TYPE_OPENSEARCH = + "opensearch"; + /** Property controlling OpenSearch destination. */ + private static final String ES_DEST_PROP = Review Comment: Module is dispatcher-opensearch but config uses xasecure.audit.destination.elasticsearch.*. Intentional for backward compatibility — please document in README/site XML so operators do not search for opensearch.urls. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
