paras200 commented on code in PR #986:
URL: https://github.com/apache/ranger/pull/986#discussion_r3317330060
##########
security-admin/src/main/java/org/apache/ranger/elasticsearch/ElasticSearchMgr.java:
##########
@@ -168,6 +168,7 @@ synchronized RestHighLevelClient connect() {
RestClientBuilder restClientBuilder =
getRestClientBuilder(urls, protocol, user, password, port);
client = new RestHighLevelClient(restClientBuilder);
+ me = client;
Review Comment:
Fixed — updated the PR description. The actual change is a bug fix:
`connect()` was not assigning the newly created `RestHighLevelClient` to the
return variable `me`, so the method could return `null` on first invocation.
##########
dev-support/ranger-docker/scripts/admin/ranger-admin-install-postgres-opensearch.properties:
##########
@@ -0,0 +1,99 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#
+# Ranger Admin install.properties — OpenSearch audit store
+#
+# Use this file instead of ranger-admin-install-postgres.properties when
+# bootstrapping a fresh Ranger container for OpenSearch-based audits:
+#
+# -f docker-compose.ranger.yml with volume mount override:
+# ./scripts/admin/ranger-admin-install-postgres-opensearch.properties
+#
+
+PYTHON_COMMAND_INVOKER=python3
+RANGER_ADMIN_LOG_DIR=/var/log/ranger
+RANGER_PID_DIR_PATH=/var/run/ranger
+DB_FLAVOR=POSTGRES
+SQL_CONNECTOR_JAR=/usr/share/java/postgresql.jar
+RANGER_ADMIN_LOGBACK_CONF_FILE=/opt/ranger/admin/ews/webapp/WEB-INF/classes/conf/logback.xml
+
+db_root_user=postgres
+db_root_password=rangerR0cks!
+db_host=ranger-db
+
+db_name=ranger
+db_user=rangeradmin
+db_password=rangerR0cks!
+
+postgres_core_file=db/postgres/optimized/current/ranger_core_db_postgres.sql
+postgres_audit_file=db/postgres/xa_audit_db_postgres.sql
+mysql_core_file=db/mysql/optimized/current/ranger_core_db_mysql.sql
+mysql_audit_file=db/mysql/xa_audit_db.sql
+
+rangerAdmin_password=rangerR0cks!
+rangerTagsync_password=rangerR0cks!
+rangerUsersync_password=rangerR0cks!
+keyadmin_password=rangerR0cks!
+
+# OpenSearch replaces Solr for audit storage (Ranger uses
audit_store=elasticsearch)
+audit_store=elasticsearch
+audit_elasticsearch_urls=ranger-opensearch
+audit_elasticsearch_port=9200
+audit_elasticsearch_protocol=http
+audit_elasticsearch_user=NONE
+audit_elasticsearch_password=NONE
+audit_elasticsearch_index=ranger_audits
+audit_elasticsearch_bootstrap_enabled=true
+
Review Comment:
From Ranger Admin's perspective, OpenSearch and Elasticsearch use the same
REST API (wire-compatible) — there is no separate `audit_store=opensearch`
value. The Admin connects using `audit_store=elasticsearch` and the
`audit_elasticsearch_*` properties regardless of whether the backend is
Elasticsearch or OpenSearch. The differentiation happens at the dispatcher
level (separate `dispatcher-opensearch` module with its own class), not at the
Admin level. This properties file is a Docker dev profile where the Admin
queries OpenSearch directly for the audit UI — the connection is API-compatible.
##########
dev-support/ranger-docker/scripts/audit-dispatcher/ranger-audit-dispatcher-opensearch-site.xml:
##########
@@ -0,0 +1,164 @@
+<!--
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License. See accompanying LICENSE file.
+-->
+<configuration>
+ <property>
+ <name>ranger.audit.dispatcher.opensearch.class</name>
+
<value>org.apache.ranger.audit.dispatcher.OpenSearchDispatcherManager</value>
+ </property>
+
+ <property>
+ <name>log.dir</name>
+ <value>${audit.dispatcher.opensearch.log.dir}</value>
+ <description>Log directory for OpenSearch dispatcher
service</description>
+ </property>
+
+ <property>
+ <name>ranger.audit.dispatcher.host</name>
+ <value>ranger-audit-dispatcher-opensearch.rangernw</value>
+ </property>
+
+ <property>
+ <name>ranger.audit.dispatcher.service.kerberos.principal</name>
+ <value>rangerauditserver/[email protected]</value>
+ </property>
+
+ <property>
+ <name>ranger.audit.dispatcher.service.kerberos.keytab</name>
+ <value>/etc/keytabs/rangerauditserver.keytab</value>
+ </property>
+
+ <!-- KAFKA DISPATCHER CONFIGURATION -->
+ <property>
+ <name>ranger.audit.dispatcher.kafka.bootstrap.servers</name>
+ <value>ranger-kafka.rangernw:9092</value>
+ </property>
+
+ <property>
+ <name>ranger.audit.dispatcher.kafka.topic.name</name>
+ <value>ranger_audits</value>
+ </property>
+
+ <property>
+ <name>ranger.audit.dispatcher.kafka.security.protocol</name>
+ <value>SASL_PLAINTEXT</value>
+ </property>
+
+ <property>
+ <name>ranger.audit.dispatcher.kafka.sasl.mechanism</name>
+ <value>GSSAPI</value>
+ </property>
+
+ <property>
+ <name>ranger.audit.dispatcher.thread.count</name>
+ <value>1</value>
+ </property>
+
+ <property>
+ <name>ranger.audit.dispatcher.offset.commit.strategy</name>
+ <value>batch</value>
+ </property>
+
+ <property>
+ <name>ranger.audit.dispatcher.offset.commit.interval.ms</name>
+ <value>30000</value>
+ </property>
+
+ <property>
+ <name>ranger.audit.dispatcher.max.poll.records</name>
+ <value>500</value>
+ </property>
+
+ <property>
+ <name>ranger.audit.dispatcher.class</name>
+
<value>org.apache.ranger.audit.dispatcher.kafka.AuditOpenSearchDispatcher</value>
+ </property>
+
+ <!-- OPENSEARCH DESTINATION CONFIGURATION -->
+ <property>
+ <name>xasecure.audit.destination.elasticsearch</name>
+ <value>true</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.elasticsearch.urls</name>
+ <value>ranger-opensearch.rangernw</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.elasticsearch.port</name>
+ <value>9200</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.elasticsearch.protocol</name>
+ <value>http</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.elasticsearch.index</name>
+ <value>ranger_audits</value>
+ </property>
+
+ <property>
Review Comment:
Done — updated the user/password property descriptions to explicitly note
`(dev only)` for empty values and added `Production: configure user/password or
Kerberos keytab` guidance.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
