Re: Review Request 56671: Add Solr authorization settings during LogSearch/Atlas/Ranger startup

Wed, 15 Feb 2017 11:55:49 -0800 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56671/
-----------------------------------------------------------

(Updated Feb. 15, 2017, 7:55 p.m.)


Review request for Ambari, Miklos Gergely, Mugdha Varadkar, and Robert 
Nettleton.


Changes
-------

- add rangerkms, yarn principals
- move get_ranger_plugin_principals function into ranger stack
- add ranger audit permission to atlas
- use orderedDict instead of simple map -> as we are asserting the call during 
upgrade, its needed to have the same order every time
- upgrade tests


Bugs: AMBARI-20013
    https://issues.apache.org/jira/browse/AMBARI-20013


Repository: ambari


Description
-------

- make sure solr keytab and solr user is created on logsearch/ranger/atlas hosts
- created a new solr_cloud_util method called add roles (curl for adding user 
roles)
- updated secure znode method (adding infra-solr by default)
- move generated security.json into a static file
- added a custom security.json which can be used instead of the generated 
security.json

In ranger/atlas stack, the following calls can be used for securing znode and 
update user-roles:

solr_cloud_util.secure_znode(config=params.config, 
zookeeper_quorum=params.zookeeper_quorum,
                             
solr_znode=format("{infra_solr_znode}/collections/mycollectionznode"),
                             jaas_file=params.logsearch_jaas_file,
                             java64_home=params.java64_home, 
sasl_users=["myuser1@HOST", "myuser2"])
                             
and 

solr_cloud_util.add_solr_roles(params.config,
                                   roles = ["ranger_audit_user"],
                                   new_service_principals = ["audituser1", 
"audituser2"])
                                   
about ranger plugins:

there is a way to use these methods in other services like storm etc. , the 
problem is its needed to infra-solr be started, so if we include these in a lot 
of other services, it can really slows down the deployment. that is the reason 
why i kept the property dependencies in infra-solr-security-json config. other 
then that, with the changes ranger can start successfully if its added later to 
the cluster, and for plugins, infra-solr will be flagged to be restarted.


Diffs (updated)
-----

  
ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/common/MessageStatus.java
 PRE-CREATION 
  
ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/conf/ApiDocConfig.java
 86c1edd 
  
ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/dao/SolrDaoBase.java
 0568fd7 
  
ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/doc/DocConstants.java
 caf0636 
  
ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/manager/AuditLogsManager.java
 2dc0ef7 
  
ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/manager/ServiceLogsManager.java
 f960250 
  
ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/rest/AuditLogsResource.java
 d5b6525 
  
ambari-logsearch/ambari-logsearch-portal/src/main/java/org/apache/ambari/logsearch/rest/ServiceLogsResource.java
 40247a8 

Diff: https://reviews.apache.org/r/56671/diff/


Testing
-------

unit tests done.


Thanks,

Oliver Szabo

Reply via email to