Review Request 56671: Add Solr authorization settings during LogSearch/Atlas/Ranger startup

Tue, 14 Feb 2017 10:04:34 -0800 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56671/
-----------------------------------------------------------

Review request for Ambari, Miklos Gergely, Mugdha Varadkar, and Robert 
Nettleton.


Bugs: AMBARI-20013
    https://issues.apache.org/jira/browse/AMBARI-20013


Repository: ambari


Description
-------

- make sure solr keytab and solr user is created on logsearch/ranger/atlas hosts
- created a new solr_cloud_util method called add roles (curl for adding user 
roles)
- updated secure znode method (adding infra-solr by default)
- move generated security.json into a static file
- added a custom security.json which can be used instead of the generated 
security.json

This patch still does not contain atlas/ranger fixes (it will, that review is 
mosly for review, i will include ranger/atlas changes later).

In ranger/atlas stack, the following calls can be used for securing znode and 
update user-roles:

solr_cloud_util.secure_znode(config=params.config, 
zookeeper_quorum=params.zookeeper_quorum,
                             
solr_znode=format("{infra_solr_znode}/collections/mycollectionznode"),
                             jaas_file=params.logsearch_jaas_file,
                             java64_home=params.java64_home, 
sasl_users=["myuser1@HOST", "myuser2"])
                             
and 

solr_cloud_util.add_solr_roles(params.config,
                                   roles = ["ranger_audit_user"],
                                   new_service_principals = ["audituser1", 
"audituser2"])
                                   
about ranger plugins:

there is a way to use these methods in other services like storm etc. , the 
problem is its needed to infra-solr be started, so if we include these in a lot 
of other services, it can really slows down the deployment. that is the reason 
why i kept the property dependencies in infra-solr-security-json config. other 
then that, with the changes ranger can start successfully if its added later to 
the cluster, and for plugins, infra-solr will be flagged to be restarted.


Diffs
-----

  
ambari-common/src/main/python/resource_management/libraries/functions/solr_cloud_util.py
 4628211 
  
ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml
 e193a8c 
  
ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py
 ab9aa61 
  
ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/setup_infra_solr.py
 8d72f42 
  
ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/templates/infra-solr-security.json.j2
 PRE-CREATION 
  
ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2
 ed764f0 
  
ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json 
bc8e351 
  
ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json 
49d1b10 
  
ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py
 fecd802 
  
ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py
 ba91e20 
  ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json 
253e32e 
  ambari-server/src/test/python/stacks/2.4/AMBARI_INFRA/test_infra_solr.py 
cd88fec 

Diff: https://reviews.apache.org/r/56671/diff/


Testing
-------

unit tests done, still writing unit tests for atlas/ranger additions.


Thanks,

Oliver Szabo

Reply via email to