Posted to commits@ranger.apache.org by ma...@apache.org on 2015/10/27 02:08:19 UTC
[01/33] incubator-ranger git commit: RANGER-658 : Make
ranger_credential_helper.py available in usersync path
Repository: incubator-ranger
Updated Branches:
refs/heads/tag-policy f17ed1150 -> 5b5e0120f
RANGER-658 : Make ranger_credential_helper.py available in usersync path
Signed-off-by: Velmurugan Periasamy <ve...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/adae7502
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/adae7502
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/adae7502
Branch: refs/heads/tag-policy
Commit: adae75020168b835e6b290cf1c9bd49a97e1dd5b
Parents: 5b371c7
Author: Gautam Borad <gb...@gmail.com>
Authored: Wed Sep 23 11:50:33 2015 +0530
Committer: Velmurugan Periasamy <ve...@apache.org>
Committed: Sun Sep 27 21:51:06 2015 -0400
----------------------------------------------------------------------
src/main/assembly/usersync.xml | 8 ++++++++
1 file changed, 8 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/adae7502/src/main/assembly/usersync.xml
----------------------------------------------------------------------
diff --git a/src/main/assembly/usersync.xml b/src/main/assembly/usersync.xml
index a4bc87c..8c2600e 100644
--- a/src/main/assembly/usersync.xml
+++ b/src/main/assembly/usersync.xml
@@ -126,6 +126,14 @@
</includes>
<fileMode>444</fileMode>
</fileSet>
+ <fileSet>
+ <outputDirectory>/</outputDirectory>
+ <directory>security-admin/scripts</directory>
+ <includes>
+ <include>ranger_credential_helper.py</include>
+ </includes>
+ <fileMode>544</fileMode>
+ </fileSet>
</fileSets>
<files>
<file>
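Review bot: The new fileSet's `<fileMode>544</fileMode>` grants execute to the file owner only and drops the owner's write bit, which differs from the 444 used by the preceding fileSet and is an unusual mode for a helper that is run by whichever account operates usersync; if that account is not the package owner, the helper will not be executable. If owner-only execution is intended, documenting it inline, `<!-- owner-executable only: intended to be run as the usersync service account -->`, would spare the next reader the guess; otherwise a conventional 750/755 is the expected choice. The script is also copied from `security-admin/scripts` rather than a usersync-owned location, so changes to the admin copy silently change the usersync package; a comment naming that dependency would help.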
[27/33] incubator-ranger git commit: RANGER-697 : KeyAdmin role user
should see only KMS related audit access logs in Audit tab
Posted by ma...@apache.org.
RANGER-697 : KeyAdmin role user should see only KMS related audit access logs in Audit tab
Signed-off-by: Velmurugan Periasamy <ve...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/cd584199
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/cd584199
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/cd584199
Branch: refs/heads/tag-policy
Commit: cd58419919aaac19a59e4f59981b0ff34374bb7a
Parents: 22d3ad0
Author: Gautam Borad <ga...@apache.org>
Authored: Tue Oct 13 17:34:13 2015 +0530
Committer: Velmurugan Periasamy <ve...@apache.org>
Committed: Tue Oct 13 20:32:31 2015 -0400
----------------------------------------------------------------------
.../main/java/org/apache/ranger/rest/AssetREST.java | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/cd584199/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
index 79cea02..775c647 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
@@ -51,8 +51,11 @@ import org.apache.ranger.common.ServiceUtil;
import org.apache.ranger.common.StringUtil;
import org.apache.ranger.common.annotation.RangerAnnotationClassName;
import org.apache.ranger.common.annotation.RangerAnnotationJSMgrName;
+import org.apache.ranger.db.RangerDaoManager;
+import org.apache.ranger.entity.XXServiceDef;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerService;
+import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
import org.apache.ranger.plugin.util.GrantRevokeRequest;
import org.apache.ranger.plugin.util.SearchFilter;
import org.apache.ranger.plugin.util.ServicePolicies;
@@ -134,7 +137,9 @@ public class AssetREST {
@Autowired
ServiceREST serviceREST;
-
+ @Autowired
+ RangerDaoManager daoManager;
+
@GET
@Path("/assets/{id}")
@Produces({ "application/xml", "application/json" })
@@ -645,6 +650,13 @@ public class AssetREST {
"startDate", "MM/dd/yyyy");
searchUtil.extractDate(request, searchCriteria, "endDate", "endDate",
"MM/dd/yyyy");
+
+ boolean isKeyAdmin = msBizUtil.isKeyAdmin();
+ XXServiceDef xxServiceDef = daoManager.getXXServiceDef().findByName(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_KMS_NAME);
+ if(isKeyAdmin && xxServiceDef != null){
+ searchCriteria.getParamList().put("repoType", xxServiceDef.getId());
+ }
+
return assetMgr.getAccessLogs(searchCriteria);
}
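Review bot: The KeyAdmin restriction added before `return assetMgr.getAccessLogs(searchCriteria);` fails open: when `findByName(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_KMS_NAME)` returns null, the `xxServiceDef != null` guard skips the `repoType` filter and a KeyAdmin caller receives the unrestricted audit search. A missing KMS service definition should narrow the result, not widen it — keep the null check but make it deny, `if (isKeyAdmin && xxServiceDef == null) { /* KMS service-def missing: return an empty result or the class's unauthorized error rather than fall through */ }`, and only then apply the `put("repoType", ...)`. Moving the DAO lookup inside an `if (isKeyAdmin)` block would also avoid a database round-trip on every call for non-KeyAdmin users. Whether `assetMgr.getAccessLogs` actually honors the `repoType` entry in the param list is not visible in this hunk and should be confirmed; the enclosing method begins outside the hunk.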
[22/33] incubator-ranger git commit: RANGER-652: Adding support for
ldap connection check tool
Posted by ma...@apache.org.
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5ce7cc38/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/UserSync.java
----------------------------------------------------------------------
diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/UserSync.java b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/UserSync.java
new file mode 100644
index 0000000..53da9f2
--- /dev/null
+++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/UserSync.java
@@ -0,0 +1,860 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.ldapconfigcheck;
+
+import javax.naming.NamingEnumeration;
+import javax.naming.NamingException;
+import javax.naming.directory.Attribute;
+import javax.naming.directory.Attributes;
+import javax.naming.directory.SearchControls;
+import javax.naming.directory.SearchResult;
+import javax.naming.ldap.LdapContext;
+import javax.naming.ldap.Control;
+import javax.naming.ldap.PagedResultsResponseControl;
+import javax.naming.ldap.PagedResultsControl;
+import java.io.PrintStream;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Set;
+
+public class UserSync {
+ private static String[] userNameAttrValues = { "sAMAccountName", "uid", "cn" };
+ private static String[] userObjClassValues = { "person", "posixAccount" }; //Not needed as this is read from the second occurence of objectClass attribute from user entry
+ private static String[] userGroupMemAttrValues = { "memberOf", "ismemberOf"};
+
+ private static String[] groupObjectClassValues = { "group", "groupOfNames", "posixGroup" };
+ private static String[] groupNameAttrValues = { "distinguishedName", "cn" };
+ private static String[] groupMemAttrValues = { "member", "memberUid" };
+
+ private String userNameAttribute = null;
+ private String userObjClassName = null;
+ private String userGroupMemberName = null;
+ private String groupMemberName = null;
+ private String groupNameAttrName = null;
+ private String groupObjClassName = null;
+ private String groupSearchBase = null;
+ private String groupSearchFilter = null;
+ private String userSearchBase = null;
+ private String userSearchFilter = null;
+ private String searchBase = null;
+ private String groupName = null;
+ private PrintStream logFile = null;
+ private PrintStream ambariProps = null;
+ private PrintStream installProps = null;
+
+ private LdapConfig config = null;
+
+ public String getUserNameAttribute() {
+ return userNameAttribute;
+ }
+
+ public String getUserObjClassName() {
+ return userObjClassName;
+ }
+
+ public String getUserGroupMemberName() {
+ return userGroupMemberName;
+ }
+
+ public String getGroupMemberName() {
+ return groupMemberName;
+ }
+
+ public String getGroupNameAttrName() {
+ return groupNameAttrName;
+ }
+
+ public String getGroupObjClassName() {
+ return groupObjClassName;
+ }
+
+ public String getGroupSearchBase() { return groupSearchBase; }
+
+ public String getUserSearchBase() { return userSearchBase; }
+
+ public String getSearchBase() {
+ return searchBase;
+ }
+
+ public UserSync(LdapConfig config, PrintStream logFile, PrintStream ambariProps, PrintStream installProps) {
+ this.config = config;
+ this.logFile = logFile;
+ this.ambariProps = ambariProps;
+ this.installProps = installProps;
+ initUserSync();
+ }
+
+ private void initUserSync() {
+ try {
+ String bindDn = config.getLdapBindDn();
+ userObjClassName = config.getUserObjectClass();
+ userNameAttribute = config.getUserNameAttribute();
+ userGroupMemberName = config.getUserGroupNameAttribute();
+ userSearchBase = config.getUserSearchBase();
+ userSearchFilter = config.getUserSearchFilter();
+ groupObjClassName = config.getGroupObjectClass();
+ groupNameAttrName = config.getGroupNameAttribute();
+ groupMemberName = config.getUserGroupMemberAttributeName();
+ groupSearchBase = config.getGroupSearchBase();
+ groupSearchFilter = config.getGroupSearchFilter();
+
+ //String userName = null;
+ if (bindDn.contains("@")) {
+ //userName = bindDn.substring(0, bindDn.indexOf("@"));
+ searchBase = bindDn.substring(bindDn.indexOf("@") + 1);
+ searchBase = "dc=".concat(searchBase);
+ searchBase = searchBase.replaceAll("\\.", ",dc=");
+ } else {
+ int dcIndex = bindDn.toLowerCase().indexOf("dc=");
+ //userName = bindDn.substring(bindDn.indexOf("=") + 1, dcIndex - 1);
+ searchBase = bindDn.substring(dcIndex);
+ }
+ } catch (Throwable t) {
+ logFile.println("ERROR: Failed to initialize the user sync properties " + t);
+ }
+ }
+
+ public void findUserProperties(LdapContext ldapContext) throws Throwable {
+ // 1. find basic user properties
+ // 2. find user search base and user search filter by passing basic attributes
+
+ findBasicUserProperties(ldapContext, true);
+
+ findAdvUserProperties(ldapContext, true);
+ }
+
+ /* Use the provided bind dn or the user search base and user search filter for sample user and determine the basic user attribute.
+ */
+ private void findBasicUserProperties(LdapContext ldapContext, boolean isOutputNeeded) throws Throwable{
+ String bindDn = config.getLdapBindDn();
+ String userSFilter = config.getUserSearchFilter();
+ String userSBase = config.getUserSearchBase();
+ Attribute userNameAttr = null;
+ Attribute groupMemberAttr;
+ SearchControls userSearchControls = new SearchControls();
+ userSearchControls.setSearchScope(config.getUserSearchScope());
+ userSearchControls.setReturningAttributes(new java.lang.String[]{"*", "+"});
+ int noOfUsers = 0;
+
+ NamingEnumeration<SearchResult> userSearchResultEnum = null;
+
+ try {
+ if (userSBase == null || userSBase.isEmpty()) {
+ if (bindDn.contains("@")) {
+ userSBase = bindDn.substring(bindDn.indexOf("@") + 1);
+ userSBase = "dc=".concat(userSBase);
+ userSBase = userSBase.replaceAll("\\.", ",dc=");
+ } else {
+ //int dcIndex = bindDn.toLowerCase().indexOf("dc=");
+ userSBase = bindDn.substring(bindDn.indexOf(",") + 1);
+ }
+ //System.out.println("Derived user search base = " + userSearchBase);
+ }
+
+ if (userSFilter == null || userSFilter.isEmpty()) {
+ if (bindDn.contains("@")) {
+ userSFilter = "userPrincipalName=" + bindDn;
+ } else {
+ int cnEndIndex = bindDn.indexOf(",");
+ userSFilter = bindDn.substring(0,cnEndIndex);
+
+ }
+ //System.out.println("Derived user search filter = " + userSearchFilter);
+ }
+
+ try {
+ userSearchResultEnum = ldapContext.search(userSBase,
+ userSFilter, userSearchControls);
+ while (userSearchResultEnum.hasMore()) {
+ if (noOfUsers >= 1) {
+ break;
+ }
+ final SearchResult userEntry = userSearchResultEnum.next();
+
+ if (userEntry == null) {
+ logFile.println("WARN: userEntry null");
+ continue;
+ }
+
+ Attributes attributes = userEntry.getAttributes();
+ if (attributes == null) {
+ logFile.println("WARN: Attributes missing for entry " + userEntry.getNameInNamespace());
+ continue;
+ }
+
+ if (userNameAttribute == null || userNameAttribute.isEmpty()) {
+ for (int i = 0; i < userNameAttrValues.length; i++) {
+ userNameAttr = attributes.get(userNameAttrValues[i]);
+ if (userNameAttr != null) {
+ userNameAttribute = userNameAttrValues[i];
+ break;
+ }
+ }
+ if (userNameAttr == null) {
+ logFile.print("WARN: Failed to find any of ( ");
+ for (int i = 0; i < userNameAttrValues.length; i++) {
+ logFile.print(userNameAttrValues[i] + " ");
+ }
+ logFile.println(") for entry " + userEntry.getNameInNamespace());
+ continue;
+ }
+ } else {
+ userNameAttr = attributes.get(userNameAttribute);
+ if (userNameAttr == null) {
+ logFile.println("WARN: Failed to find " + userNameAttribute + " for entry " + userEntry.getNameInNamespace());
+ continue;
+ }
+ }
+
+ String userName = (String) userNameAttr.get();
+
+ if (userName == null || userName.trim().isEmpty()) {
+ logFile.println("WARN: " + userNameAttribute + " empty for entry " + userEntry.getNameInNamespace());
+ continue;
+ }
+ userName = userName.toLowerCase();
+ Attribute userObjClassAttr = attributes.get("objectClass");
+ NamingEnumeration<?> userObjClassEnum = userObjClassAttr.getAll();
+ String userObjClass = null;
+ while (userObjClassEnum.hasMore()) {
+ userObjClass = userObjClassEnum.next().toString();
+ if (userObjClassName == null || userObjClassName.isEmpty()) {
+ if (userObjClass != null) {
+ for (int i = 0; i < userObjClassValues.length; i++) {
+ if (userObjClass.equalsIgnoreCase(userObjClassValues[i])) {
+ userObjClassName = userObjClass;
+ break;
+ }
+ }
+ } else {
+ logFile.println("WARN: Failed to find objectClass attribute for " + userName);
+ //continue;
+ }
+ }
+ }
+
+ if (userObjClassName == null || userObjClassName.isEmpty()) {
+ userObjClassName = userObjClass;
+ }
+
+ for (int i = 0; i < userGroupMemAttrValues.length; i++) {
+ groupMemberAttr = attributes.get(userGroupMemAttrValues[i]);
+ if (groupMemberAttr != null) {
+ userGroupMemberName = userGroupMemAttrValues[i];
+ groupName = groupMemberAttr.get(1).toString();
+ break;
+ }
+ }
+
+ noOfUsers++;
+ }
+ } catch (NamingException ne) {
+ String msg = "Exception occured while discovering basic user properties:\n" +
+ "ranger.usersync.ldap.user.nameattribute\n" +
+ "ranger.usersync.ldap.user.objectclass\n" +
+ "ranger.usersync.ldap.user.groupnameattribute\n";
+ if ((config.getUserSearchBase() != null && !config.getUserSearchBase().isEmpty()) ||
+ (config.getUserSearchFilter() != null && !config.getUserSearchFilter().isEmpty())) {
+ throw new Exception(msg + "Please verify values for ranger.usersync.ldap.user.searchbase and ranger.usersync.ldap.user.searchfilter");
+ } else {
+ throw new Exception(msg + ne);
+ }
+ }
+
+ if (isOutputNeeded) {
+ installProps.println("# Possible values for user search related properties:");
+ installProps.println("SYNC_LDAP_USER_NAME_ATTRIBUTE=" + userNameAttribute);
+ installProps.println("SYNC_LDAP_USER_OBJECT_CLASS=" + userObjClassName);
+ installProps.println("SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE=" + userGroupMemberName);
+
+ ambariProps.println("# Possible values for user search related properties:");
+ ambariProps.println("ranger.usersync.ldap.user.nameattribute=" + userNameAttribute);
+ ambariProps.println("ranger.usersync.ldap.user.objectclass=" + userObjClassName);
+ ambariProps.println("ranger.usersync.ldap.user.groupnameattribute=" + userGroupMemberName);
+ }
+ } finally {
+ try {
+ if (userSearchResultEnum != null) {
+ userSearchResultEnum.close();
+ }
+ } catch (NamingException ne) {
+ throw new Exception("Exception occured while closing user search result: " + ne);
+ }
+ }
+ }
+
+ private void findAdvUserProperties(LdapContext ldapContext, boolean isOutputNeeded) throws Throwable{
+ int noOfUsers;
+ NamingEnumeration<SearchResult> userSearchResultEnum = null;
+ SearchControls userSearchControls = new SearchControls();
+ userSearchControls.setSearchScope(config.getUserSearchScope());
+ if (userNameAttribute != null && !userNameAttribute.isEmpty()) {
+ Set<String> userSearchAttributes = new HashSet<>();
+ userSearchAttributes.add(userNameAttribute);
+ userSearchAttributes.add(userGroupMemberName);
+ userSearchAttributes.add("distinguishedName");
+ userSearchControls.setReturningAttributes(userSearchAttributes.toArray(
+ new String[userSearchAttributes.size()]));
+ } else {
+ userSearchControls.setReturningAttributes(new java.lang.String[]{"*", "+"});
+ }
+
+ String extendedUserSearchFilter = "(objectclass=" + userObjClassName + ")";
+
+ try {
+
+ HashMap<String, Integer> ouOccurences = new HashMap<>();
+
+ userSearchResultEnum = ldapContext.search(searchBase,
+ extendedUserSearchFilter, userSearchControls);
+
+ noOfUsers = 0;
+ while (userSearchResultEnum.hasMore()) {
+ if (noOfUsers >= 20) {
+ break;
+ }
+ final SearchResult userEntry = userSearchResultEnum.next();
+
+ if (userEntry == null) {
+ logFile.println("WARN: userEntry null");
+ continue;
+ }
+
+ Attributes attributes = userEntry.getAttributes();
+ if (attributes == null) {
+ logFile.println("WARN: Attributes missing for entry " + userEntry.getNameInNamespace());
+ continue;
+ }
+
+ String dnValue;
+
+ Attribute dnAttr = attributes.get("distinguishedName");
+ if (dnAttr != null) {
+ dnValue = dnAttr.get().toString();
+ String ouStr = "OU=";
+ int indexOfOU = dnValue.indexOf(ouStr);
+ if (indexOfOU > 0) {
+ dnValue = dnValue.substring(indexOfOU);
+
+ } else {
+ dnValue = dnValue.substring(dnValue.indexOf(",") + 1);
+ }
+
+ } else {
+ // If distinguishedName is not found,
+ // strip off the userName from the long name for OU or sub domain
+ dnValue = userEntry.getNameInNamespace();
+ dnValue = dnValue.substring(dnValue.indexOf(",") + 1);
+
+ }
+ //System.out.println("OU from dn = " + dnValue);
+ Integer ouOccrs = ouOccurences.get(dnValue);
+ if (ouOccrs == null) {
+ //System.out.println("value = 0");
+ ouOccrs = new Integer(0);
+ }
+ int val = ouOccrs.intValue();
+ ouOccrs = new Integer(++val);
+ ouOccurences.put(dnValue, ouOccrs);
+ noOfUsers++;
+ }
+
+ if (!ouOccurences.isEmpty()) {
+ Set<String> keys = ouOccurences.keySet();
+ int maxOUOccr = 0;
+ for (String key : keys) {
+ int ouOccurVal = ouOccurences.get(key).intValue();
+ logFile.println("INFO: No. of users from " + key + " = " + ouOccurVal);
+ if (ouOccurVal > maxOUOccr) {
+ maxOUOccr = ouOccurVal;
+ userSearchBase = key;
+ }
+ }
+ }
+ userSearchFilter = userNameAttribute + "=*";
+
+ if (isOutputNeeded) {
+ installProps.println("SYNC_LDAP_USER_SEARCH_BASE=" + userSearchBase);
+ installProps.println("SYNC_LDAP_USER_SEARCH_FILTER=" + userSearchFilter);
+
+ ambariProps.println("ranger.usersync.ldap.user.searchbase=" + userSearchBase);
+ ambariProps.println("ranger.usersync.ldap.user.searchfilter=" + userSearchFilter);
+ }
+
+ } catch (NamingException ne) {
+ String msg = "Exception occured while discovering user properties:\n" +
+ "ranger.usersync.ldap.user.searchbase\n" +
+ "ranger.usersync.ldap.user.searchfilter\n";
+ if ((config.getUserNameAttribute() != null && !config.getUserNameAttribute().isEmpty()) ||
+ (config.getUserObjectClass() != null && !config.getUserObjectClass().isEmpty()) ||
+ (config.getGroupNameAttribute() != null && !config.getGroupNameAttribute().isEmpty())) {
+ throw new Exception("Please verify values for ranger.usersync.ldap.user.nameattribute, " +
+ "ranger.usersync.ldap.user.objectclass, and" +
+ "ranger.usersync.ldap.user.groupnameattribute");
+ } else {
+ throw new Exception(msg + ne);
+ }
+ } finally {
+ if (userSearchResultEnum != null) {
+ userSearchResultEnum.close();
+ }
+ }
+ }
+
+ public void getAllUsers(LdapContext ldapContext) throws Throwable {
+ int noOfUsers = 0;
+ Attribute userNameAttr = null;
+ String groupName = null;
+ Attribute groupMemberAttr;
+ NamingEnumeration<SearchResult> userSearchResultEnum = null;
+ SearchControls userSearchControls = new SearchControls();
+ userSearchControls.setSearchScope(config.getUserSearchScope());
+ Set<String> userSearchAttributes = new HashSet<>();
+ if (userNameAttribute != null) {
+ userSearchAttributes.add(userNameAttribute);
+ }
+ if (userGroupMemberName != null) {
+ userSearchAttributes.add(userGroupMemberName);
+ }
+ if (userSearchAttributes.size() > 0) {
+ userSearchControls.setReturningAttributes(userSearchAttributes.toArray(
+ new String[userSearchAttributes.size()]));
+ } else {
+ userSearchControls.setReturningAttributes(new java.lang.String[]{"*", "+"});
+ }
+
+ String extendedUserSearchFilter = "(objectclass=" + userObjClassName + ")";
+ if (userSearchFilter != null && !userSearchFilter.trim().isEmpty()) {
+ String customFilter = userSearchFilter.trim();
+ if (!customFilter.startsWith("(")) {
+ customFilter = "(" + customFilter + ")";
+ }
+ extendedUserSearchFilter = "(&" + extendedUserSearchFilter + customFilter + ")";
+ }
+
+ byte[] cookie = null;
+ logFile.println();
+ logFile.println("INFO: First 20 Users and associated groups are:");
+
+ try {
+ do {
+
+ userSearchResultEnum = ldapContext.search(userSearchBase,
+ extendedUserSearchFilter, userSearchControls);
+
+ while (userSearchResultEnum.hasMore()) {
+ final SearchResult userEntry = userSearchResultEnum.next();
+
+ if (userEntry == null) {
+ logFile.println("WARN: userEntry null");
+ continue;
+ }
+
+ Attributes attributes = userEntry.getAttributes();
+ if (attributes == null) {
+ logFile.println("WARN: Attributes missing for entry " + userEntry.getNameInNamespace());
+ continue;
+ }
+
+ if (userNameAttribute == null || userNameAttribute.isEmpty()) {
+ for (int i = 0; i < userNameAttrValues.length; i++) {
+ userNameAttr = attributes.get(userNameAttrValues[i]);
+ if (userNameAttr != null) {
+ userNameAttribute = userNameAttrValues[i];
+ break;
+ }
+ }
+ if (userNameAttr == null) {
+ logFile.print("WARN: Failed to find any of ( ");
+ for (int i = 0; i < userNameAttrValues.length; i++) {
+ logFile.print(userNameAttrValues[i] + " ");
+ }
+ logFile.println(") for entry " + userEntry.getNameInNamespace());
+ continue;
+ }
+ } else {
+ userNameAttr = attributes.get(userNameAttribute);
+ if (userNameAttr == null) {
+ logFile.println("WARN: Failed to find " + userNameAttribute + " for entry " + userEntry.getNameInNamespace());
+ continue;
+ }
+ }
+
+ String userName = userNameAttr.get().toString();
+
+ if (userName == null || userName.trim().isEmpty()) {
+ logFile.println("WARN: " + userNameAttribute + " empty for entry " + userEntry.getNameInNamespace());
+ continue;
+ }
+ userName = userName.toLowerCase();
+
+ Set<String> groups = new HashSet<>();
+ groupMemberAttr = attributes.get(userGroupMemberName);
+
+ if (groupMemberAttr != null) {
+ NamingEnumeration<?> groupEnum = groupMemberAttr.getAll();
+ while (groupEnum.hasMore()) {
+ String groupRes = groupEnum.next().toString();
+ groups.add(groupRes);
+ if (groupName == null || groupName.isEmpty()) {
+ groupName = groupRes;
+ }
+ }
+ }
+
+ if (noOfUsers < 20) {
+ logFile.println("Username: " + userName + ", Groups: " + groups);
+ }
+ noOfUsers++;
+ }
+ // Examine the paged results control response
+ Control[] controls = ldapContext.getResponseControls();
+ if (controls != null) {
+ for (int i = 0; i < controls.length; i++) {
+ if (controls[i] instanceof PagedResultsResponseControl) {
+ PagedResultsResponseControl prrc =
+ (PagedResultsResponseControl)controls[i];
+ cookie = prrc.getCookie();
+ }
+ }
+ } else {
+ logFile.println("WARN: No controls were sent from the server");
+ }
+ // Re-activate paged results
+ if (config.isPagedResultsEnabled()) {
+ ldapContext.setRequestControls(new Control[]{
+ new PagedResultsControl(config.getPagedResultsSize(), cookie, Control.CRITICAL)});
+ }
+ } while (cookie != null);
+ logFile.println("\nINFO: Total no. of users = " + noOfUsers);
+
+ } catch (NamingException ne) {
+ String msg = "Exception occured while retreiving users\n";
+ if ((config.getUserNameAttribute() != null && !config.getUserNameAttribute().isEmpty()) ||
+ (config.getUserObjectClass() != null && !config.getUserObjectClass().isEmpty()) ||
+ (config.getGroupNameAttribute() != null && !config.getGroupNameAttribute().isEmpty()) ||
+ (config.getUserSearchBase() != null && !config.getUserSearchBase().isEmpty()) ||
+ (config.getUserSearchFilter() != null && !config.getUserSearchFilter().isEmpty())) {
+ throw new Exception("Please verify values for:\n ranger.usersync.ldap.user.nameattribute\n " +
+ "ranger.usersync.ldap.user.objectclass\n" +
+ "ranger.usersync.ldap.user.groupnameattribute\n" +
+ "ranger.usersync.ldap.user.searchbase\n" +
+ "ranger.usersync.ldap.user.searchfilter\n");
+ } else {
+ throw new Exception(msg + ne);
+ }
+ } finally {
+ if (userSearchResultEnum != null) {
+ userSearchResultEnum.close();
+ }
+ }
+ }
+
+ public void findGroupProperties(LdapContext ldapContext) throws Throwable {
+ // find basic group attributes/properties
+ // find group search base and group search filter
+ // Get all groups
+
+ if (groupName == null || groupName.isEmpty()) {
+ // Perform basic user search and get the group name from the user's group attribute name.
+ findBasicUserProperties(ldapContext, false);
+ }
+
+ if (groupName == null || groupName.isEmpty()) {
+ // Perform adv user search and get the group name from the user's group attribute name.
+ findAdvUserProperties(ldapContext, false);
+ }
+
+ findBasicGroupProperties(ldapContext);
+
+ findAdvGroupProperties(ldapContext);
+ }
+
+ private void findBasicGroupProperties(LdapContext ldapContext) throws Throwable {
+ int noOfGroups;
+ Attribute groupNameAttr;
+ String groupBase;
+ String groupFilter;
+ Attribute groupMemberAttr;
+ NamingEnumeration<SearchResult> groupSearchResultEnum = null;
+ SearchControls groupSearchControls = new SearchControls();
+ groupSearchControls.setSearchScope(config.getGroupSearchScope());
+
+ try {
+ int baseIndex = groupName.indexOf(",");
+ groupBase = groupName.substring(baseIndex + 1);
+ groupFilter = groupName.substring(0, baseIndex);
+ groupSearchResultEnum = ldapContext.search(groupBase, groupFilter,
+ groupSearchControls);
+
+ noOfGroups = 0;
+ while (groupSearchResultEnum.hasMore()) {
+ if (noOfGroups >= 1) {
+ break;
+ }
+
+ final SearchResult groupEntry = groupSearchResultEnum.next();
+ if (groupEntry == null) {
+ continue;
+ }
+ Attributes groupAttributes = groupEntry.getAttributes();
+ if (groupAttributes == null) {
+ logFile.println("WARN: Attributes missing for entry " + groupEntry.getNameInNamespace());
+ continue;
+ }
+
+ Attribute groupObjClassAttr = groupAttributes.get("objectClass");
+ if (groupObjClassAttr != null) {
+ NamingEnumeration<?> groupObjClassEnum = groupObjClassAttr.getAll();
+ while (groupObjClassEnum.hasMore()) {
+ String groupObjClassStr = groupObjClassEnum.next().toString();
+ for (int i = 0; i < groupObjectClassValues.length; i++) {
+ if (groupObjClassStr.equalsIgnoreCase(groupObjectClassValues[i])) {
+ groupObjClassName = groupObjClassStr;
+ break;
+ }
+ }
+ }
+ } else {
+ logFile.println("WARN: Failed to find group objectClass attribute for " + groupEntry.getNameInNamespace());
+ continue;
+ }
+
+ if (groupNameAttrName == null || groupNameAttrName.isEmpty()) {
+
+ for (int i = 0; i < groupNameAttrValues.length; i++) {
+ groupNameAttr = groupAttributes.get(groupNameAttrValues[i]);
+ if (groupNameAttr != null) {
+ groupNameAttrName = groupNameAttrValues[i];
+ break;
+ }
+ }
+ }
+
+ for (int i = 0; i < groupMemAttrValues.length; i++) {
+ groupMemberAttr = groupAttributes.get(groupMemAttrValues[i]);
+ if (groupMemberAttr != null) {
+ groupMemberName = groupMemAttrValues[i];
+ break;
+ }
+ }
+ noOfGroups++;
+ }
+
+ installProps.println("\n# Possible values for group search related properties:");
+ installProps.println("SYNC_GROUP_MEMBER_ATTRIBUTE_NAME=" + groupMemberName);
+ installProps.println("SYNC_GROUP_NAME_ATTRIBUTE=" + groupNameAttrName);
+ installProps.println("SYNC_GROUP_OBJECT_CLASS=" + groupObjClassName);
+
+ ambariProps.println("\n# Possible values for group search related properties:");
+ ambariProps.println("ranger.usersync.group.memberattributename=" + groupMemberName);
+ ambariProps.println("ranger.usersync.group.nameattribute=" + groupNameAttrName);
+ ambariProps.println("ranger.usersync.group.objectclass=" + groupObjClassName);
+
+ } finally {
+
+ if (groupSearchResultEnum != null) {
+ groupSearchResultEnum.close();
+ }
+ }
+ }
+
+ private void findAdvGroupProperties(LdapContext ldapContext) throws Throwable {
+ int noOfGroups = 0;
+ NamingEnumeration<SearchResult> groupSearchResultEnum = null;
+ SearchControls groupSearchControls = new SearchControls();
+ groupSearchControls.setSearchScope(config.getGroupSearchScope());
+ Set<String> groupSearchAttributes = new HashSet<>();
+ groupSearchAttributes.add(groupNameAttrName);
+ groupSearchAttributes.add(groupMemberName);
+ groupSearchAttributes.add("distinguishedName");
+ groupSearchControls.setReturningAttributes(groupSearchAttributes.toArray(
+ new String[groupSearchAttributes.size()]));
+ String extendedGroupSearchFilter = "(objectclass=" + groupObjClassName + ")";
+
+ try {
+ HashMap<String, Integer> ouOccurences = new HashMap<>();
+
+ groupSearchResultEnum = ldapContext.search(searchBase, extendedGroupSearchFilter,
+ groupSearchControls);
+
+ while (groupSearchResultEnum.hasMore()) {
+ if (noOfGroups >= 20) {
+ break;
+ }
+
+ final SearchResult groupEntry = groupSearchResultEnum.next();
+ if (groupEntry == null) {
+ continue;
+ }
+ Attributes groupAttributes = groupEntry.getAttributes();
+ if (groupAttributes == null) {
+ logFile.println("WARN: Attributes missing for entry " + groupEntry.getNameInNamespace());
+ continue;
+ }
+
+ String dnValue;
+
+ Attribute dnAttr = groupAttributes.get("distinguishedName");
+ if (dnAttr != null) {
+ dnValue = dnAttr.get().toString();
+ String ouStr = "OU=";
+ int indexOfOU = dnValue.indexOf(ouStr);
+ if (indexOfOU > 0) {
+ dnValue = dnValue.substring(indexOfOU);
+
+ } else {
+ dnValue = dnValue.substring(dnValue.indexOf(",") + 1);
+ }
+
+ } else {
+ // If distinguishedName is not found,
+ // strip off the userName from the long name for OU or sub domain
+ dnValue = groupEntry.getNameInNamespace();
+ dnValue = dnValue.substring(dnValue.indexOf(",") + 1);
+ }
+ //System.out.println("OU from dn = " + dnValue);
+ Integer ouOccrs = ouOccurences.get(dnValue);
+ if (ouOccrs == null) {
+ //System.out.println("value = 0");
+ ouOccrs = new Integer(0);
+ }
+ int val = ouOccrs.intValue();
+ ouOccrs = new Integer(++val);
+ ouOccurences.put(dnValue, ouOccrs);
+
+ noOfGroups++;
+ }
+
+ if (!ouOccurences.isEmpty()) {
+ Set<String> keys = ouOccurences.keySet();
+ int maxOUOccr = 0;
+ for (String key : keys) {
+ int ouOccurVal = ouOccurences.get(key).intValue();
+ logFile.println("INFO: No. of groups from " + key + " = " + ouOccurVal);
+ if (ouOccurVal > maxOUOccr) {
+ maxOUOccr = ouOccurVal;
+ groupSearchBase = key;
+ }
+ }
+ }
+
+ groupSearchFilter = groupNameAttrName + "=*";
+
+ installProps.println("SYNC_GROUP_SEARCH_BASE=" + groupSearchBase);
+ installProps.println("SYNC_LDAP_GROUP_SEARCH_FILTER=" + groupSearchFilter);
+
+ ambariProps.println("ranger.usersync.group.searchbase=" + groupSearchBase);
+ ambariProps.println("ranger.usersync.group.searchfilter=" + groupSearchFilter);
+
+ } finally {
+
+ if (groupSearchResultEnum != null) {
+ groupSearchResultEnum.close();
+ }
+ }
+ }
+
+ public void getAllGroups(LdapContext ldapContext) throws Throwable {
+ int noOfGroups = 0;
+ Attribute groupNameAttr;
+ Attribute groupMemberAttr;
+ NamingEnumeration<SearchResult> groupSearchResultEnum = null;
+ SearchControls groupSearchControls = new SearchControls();
+ groupSearchControls.setSearchScope(config.getGroupSearchScope());
+ Set<String> groupSearchAttributes = new HashSet<>();
+ groupSearchAttributes.add(groupNameAttrName);
+ groupSearchAttributes.add(groupMemberName);
+ groupSearchAttributes.add("distinguishedName");
+ groupSearchControls.setReturningAttributes(groupSearchAttributes.toArray(
+ new String[groupSearchAttributes.size()]));
+
+ String extendedGroupSearchFilter= "(objectclass=" + groupObjClassName + ")";
+ if (groupSearchFilter != null && !groupSearchFilter.trim().isEmpty()) {
+ String customFilter = groupSearchFilter.trim();
+ if (!customFilter.startsWith("(")) {
+ customFilter = "(" + customFilter + ")";
+ }
+ extendedGroupSearchFilter = "(&" + extendedGroupSearchFilter + customFilter + ")";
+ }
+
+ try {
+
+ groupSearchResultEnum = ldapContext.search(groupSearchBase, extendedGroupSearchFilter,
+ groupSearchControls);
+
+ logFile.println("\nINFO: First 20 Groups and associated Users are:");
+
+ while (groupSearchResultEnum.hasMore()) {
+ final SearchResult groupEntry = groupSearchResultEnum.next();
+ if (groupEntry == null) {
+ continue;
+ }
+ Attributes groupAttributes = groupEntry.getAttributes();
+ if (groupAttributes == null) {
+ logFile.println("WARN: Attributes missing for entry " + groupEntry.getNameInNamespace());
+ continue;
+ }
+
+ groupMemberAttr = groupAttributes.get(groupMemberName);
+
+ Set<String> users = new HashSet<>();
+ if (groupMemberAttr != null) {
+ NamingEnumeration<?> userEnum = groupMemberAttr.getAll();
+ while (userEnum.hasMore()) {
+ String userRes = userEnum.next().toString();
+ users.add(userRes);
+ }
+ }
+
+ groupNameAttr = groupAttributes.get(groupNameAttrName);
+ if (noOfGroups < 20) {
+ logFile.println("Group name: " + groupNameAttr.get().toString() + ", Users: " + users);
+ }
+ noOfGroups++;
+ }
+
+ logFile.println("\nINFO: Total no. of groups = " + noOfGroups);
+
+ } catch (NamingException ne) {
+ String msg = "Exception occured while retreiving groups\n";
+ if ((config.getGroupNameAttribute() != null && !config.getGroupNameAttribute().isEmpty()) ||
+ (config.getGroupObjectClass() != null && !config.getGroupObjectClass().isEmpty()) ||
+ (config.getUserGroupMemberAttributeName() != null && !config.getUserGroupMemberAttributeName().isEmpty()) ||
+ (config.getGroupSearchBase() != null && !config.getGroupSearchBase().isEmpty()) ||
+ (config.getGroupSearchFilter() != null && !config.getGroupSearchFilter().isEmpty())) {
+ throw new Exception("Please verify values for:\n ranger.usersync.group.memberattributename\n " +
+ "ranger.usersync.group.nameattribute\n" +
+ "ranger.usersync.group.objectclass\n" +
+ "ranger.usersync.group.searchbase\n" +
+ "ranger.usersync.group.searchfilter\n");
+ } else {
+ throw new Exception(msg + ne);
+ }
+ } finally {
+
+ if (groupSearchResultEnum != null) {
+ groupSearchResultEnum.close();
+ }
+ }
+ }
+}
+
+
[31/33] incubator-ranger git commit: RANGER-704: Service
enable/disable should refresh the policies in the plugins
Posted by ma...@apache.org.
RANGER-704: Service enable/disable should refresh the policies in the plugins
Signed-off-by: Madhan Neethiraj <ma...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/66b77883
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/66b77883
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/66b77883
Branch: refs/heads/tag-policy
Commit: 66b778832907cef61d6930b0995aacb07251db9b
Parents: 6f75871
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Wed Oct 21 18:57:48 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Thu Oct 22 10:59:20 2015 -0700
----------------------------------------------------------------------
.../ranger/plugin/store/file/ServiceFileStore.java | 15 +++++++++++++--
.../java/org/apache/ranger/biz/ServiceDBStore.java | 17 +++++++++++++++--
2 files changed, 28 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/66b77883/agents-common/src/main/java/org/apache/ranger/plugin/store/file/ServiceFileStore.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/file/ServiceFileStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/file/ServiceFileStore.java
index 751c3b3..de7bc1f 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/file/ServiceFileStore.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/file/ServiceFileStore.java
@@ -338,6 +338,11 @@ public class ServiceFileStore extends BaseFileStore implements ServiceStore {
}
}
+ boolean hasIsEnabledChanged = !existing.getIsEnabled().equals(service.getIsEnabled());
+ if (hasIsEnabledChanged) {
+ handlePolicyUpdate(service);
+ }
+
RangerService ret = null;
try {
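Review bot: `existing.getIsEnabled().equals(service.getIsEnabled())` on the first added line throws NullPointerException when the stored service has no enabled flag, and the ServiceDBStore hunk repeats the same comparison (`existing.getIsenabled().equals(...)`); `boolean hasIsEnabledChanged = !Objects.equals(existing.getIsEnabled(), service.getIsEnabled());` (java.util.Objects) covers both sides in both places. The second ServiceFileStore hunk and the last ServiceDBStore hunk unbox the same getter inside a condition (`if (service.getIsEnabled())`, `serviceDbObj.getIsenabled() ? ...`) and carry the same exposure; `Boolean.TRUE.equals(...)` avoids it there. `handlePolicyUpdate(service)` is also invoked before the update is persisted further down, so a failed write presumably leaves the version bump already recorded — confirm against handlePolicyUpdate. The enclosing method starts and ends outside the hunk.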
@@ -733,9 +738,15 @@ public class ServiceFileStore extends BaseFileStore implements ServiceStore {
}
if(lastKnownVersion == null || service.getPolicyVersion() == null || lastKnownVersion.longValue() != service.getPolicyVersion().longValue()) {
- SearchFilter filter = new SearchFilter(SearchFilter.SERVICE_NAME, serviceName);
- List<RangerPolicy> policies = getPolicies(filter);
+ List<RangerPolicy> policies = null;
+
+ if (service.getIsEnabled()) {
+ SearchFilter filter = new SearchFilter(SearchFilter.SERVICE_NAME, serviceName);
+ policies = getPolicies(filter);
+ } else {
+ policies = new ArrayList<RangerPolicy>();
+ }
ret = new ServicePolicies();
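Review bot: `List<RangerPolicy> policies = null;` followed by an if/else that assigns in both branches reads less directly than the conditional expression the same commit uses in ServiceDBStore, and the `null` initialiser invites a later reader to wonder whether the unassigned case is reachable. The two branches collapse to `List<RangerPolicy> policies = Boolean.TRUE.equals(service.getIsEnabled()) ? getPolicies(new SearchFilter(SearchFilter.SERVICE_NAME, serviceName)) : new ArrayList<RangerPolicy>();`. A one-line comment such as `// a disabled service publishes no policies so plugins drop what they cached` would record why the empty list is deliberate. The enclosing method continues outside the hunk.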
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/66b77883/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 6e07e4e..e371415 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -1121,6 +1121,8 @@ public class ServiceDBStore implements ServiceStore {
List<XXTrxLog> trxLogList = svcService.getTransactionLog(service, existing, RangerServiceService.OPERATION_UPDATE_CONTEXT);
+ boolean hasIsEnabledChanged = !existing.getIsenabled().equals(service.getIsEnabled());
+
if(populateExistingBaseFields) {
svcServiceWithAssignedId.setPopulateExistingBaseFields(true);
service = svcServiceWithAssignedId.update(service);
@@ -1130,7 +1132,17 @@ public class ServiceDBStore implements ServiceStore {
service.setGuid(existing.getGuid());
service.setVersion(existing.getVersion());
service.setPolicyUpdateTime(existing.getPolicyUpdateTime());
- service.setPolicyVersion(existing.getPolicyVersion());
+
+ Long policyVersion = existing.getPolicyVersion();
+
+ if(policyVersion == null) {
+ policyVersion = new Long(1);
+ service.setPolicyUpdateTime(new Date());
+ } else if (hasIsEnabledChanged) {
+ policyVersion = new Long(policyVersion.longValue() + 1);
+ service.setPolicyUpdateTime(new Date());
+ }
+ service.setPolicyVersion(policyVersion);
service = svcService.update(service);
}
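Review bot: `new Long(1)` and `new Long(policyVersion.longValue() + 1)` box through the constructor; `Long.valueOf(1L)` and `policyVersion + 1` express the same values without the explicit allocation and match how the surrounding code treats the field. The version bump on an enabled-flag toggle is the mechanism the commit title describes, but nothing in the code says so; a comment on the `else if (hasIsEnabledChanged)` branch such as `// an enable/disable toggle must look like a policy change so plugins re-fetch` would keep the next maintainer from "simplifying" it away. The enclosing method starts before the hunk.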
@@ -1645,7 +1657,8 @@ public class ServiceDBStore implements ServiceStore {
throw new Exception("service-def does not exist. id=" + serviceDbObj.getType());
}
- List<RangerPolicy> policies = getServicePolicies(serviceName, null);
+ List<RangerPolicy> policies = serviceDbObj.getIsenabled() ? getServicePolicies(serviceName, null)
+ : new ArrayList<RangerPolicy>();
ret = new ServicePolicies();
[13/33] incubator-ranger git commit: RANGER-674 : Ranger public rest
api gives 200 response for wrong credential instead of 401
Posted by ma...@apache.org.
RANGER-674 : Ranger public rest api gives 200 response for wrong credential instead of 401
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/ea0872f6
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/ea0872f6
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/ea0872f6
Branch: refs/heads/tag-policy
Commit: ea0872f69e7738c9ecd90becc4f9545948713622
Parents: 5872445
Author: Gautam Borad <gb...@gmail.com>
Authored: Thu Oct 1 16:38:58 2015 +0530
Committer: Gautam Borad <gb...@gmail.com>
Committed: Tue Oct 6 10:54:43 2015 +0530
----------------------------------------------------------------------
.../src/main/resources/conf.dist/ranger-admin-default-site.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ea0872f6/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
index bd21365..3333827 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
@@ -183,7 +183,7 @@
<!-- # ServletMapping Url Pattern -->
<property>
<name>ranger.servlet.mapping.url.pattern</name>
- <value>false</value>
+ <value>service</value>
</property>
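Review bot: The property has no description of what its value must match, which is presumably how a boolean-looking `false` ended up in a URL-pattern setting and, per the commit title, let wrong credentials be answered with 200. Add a `<description>` or comment beside the name, e.g. `<!-- path segment the REST servlet is mapped under; a value that matches no servlet leaves the public API outside the authentication filter (RANGER-674) -->`, hedged to whatever the servlet mapping actually requires.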
[07/33] incubator-ranger git commit: RANGER-573: Updated doc for the
ranger site
Posted by ma...@apache.org.
RANGER-573: Updated doc for the ranger site
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/919b550f
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/919b550f
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/919b550f
Branch: refs/heads/tag-policy
Commit: 919b550fa4fd94e6f8091f1865d3c43687c17210
Parents: 5ea6395
Author: sneethiraj <sn...@apache.org>
Authored: Tue Sep 29 11:43:17 2015 -0400
Committer: sneethiraj <sn...@apache.org>
Committed: Tue Sep 29 11:43:17 2015 -0400
----------------------------------------------------------------------
docs/pom.xml | 47 ++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 46 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/919b550f/docs/pom.xml
----------------------------------------------------------------------
diff --git a/docs/pom.xml b/docs/pom.xml
index 2b43ee6..79dc0a4 100644
--- a/docs/pom.xml
+++ b/docs/pom.xml
@@ -84,6 +84,18 @@
</mailingLists>
<developers>
<developer>
+ <id>alok</id>
+ <name>Alok Lal</name>
+ <email>alok@apache.org</email>
+ <timezone>-8</timezone>
+ <roles>
+ <role>Committer</role>
+ </roles>
+ <organization>
+ Hortonworks
+ </organization>
+ </developer>
+ <developer>
<id>agates</id>
<name>Alan Gates</name>
<email>gates@apache.org</email>
@@ -101,6 +113,7 @@
<email>bganesan@apache.org</email>
<timezone>-8</timezone>
<roles>
+ <role>PMC</role>
<role>Committer</role>
</roles>
<organization>
@@ -137,6 +150,7 @@
<email>dillidorai@apache.org</email>
<timezone>-8</timezone>
<roles>
+ <role>PMC</role>
<role>Committer</role>
</roles>
<organization>
@@ -149,6 +163,7 @@
<email>bosco@apache.org</email>
<timezone>-8</timezone>
<roles>
+ <role>PMC</role>
<role>Committer</role>
</roles>
<organization>
@@ -156,6 +171,18 @@
</organization>
</developer>
<developer>
+ <id>gautam</id>
+ <name>Gautam Borad</name>
+ <email>gautam@apache.org</email>
+ <timezone>Asia/Kolkata</timezone>
+ <roles>
+ <role>Committer</role>
+ </roles>
+ <organization>
+ Freestone Infotech
+ </organization>
+ </developer>
+ <developer>
<id>jghoman</id>
<name>Jakob Homan</name>
<email>jghoman@apache.org</email>
@@ -173,6 +200,7 @@
<email>kminder@apache.org</email>
<timezone>-5</timezone>
<roles>
+ <role>PMC</role>
<role>Committer</role>
</roles>
<organization>
@@ -185,6 +213,7 @@
<email>lmccay@apache.org</email>
<timezone>-5</timezone>
<roles>
+ <role>PMC</role>
<role>Committer</role>
</roles>
<organization>
@@ -197,6 +226,7 @@
<email>madhan@apache.org</email>
<timezone>-8</timezone>
<roles>
+ <role>PMC</role>
<role>Committer</role>
</roles>
<organization>
@@ -221,6 +251,7 @@
<email>mani@hortonworks.com</email>
<timezone>-8</timezone>
<roles>
+ <role>PMC</role>
<role>Committer</role>
</roles>
<organization>
@@ -233,6 +264,7 @@
<email>sanjay@hortonworks.com</email>
<timezone>-8</timezone>
<roles>
+ <role>PMC</role>
<role>Committer</role>
</roles>
<organization>
@@ -245,12 +277,25 @@
<email>sneethir@apache.org</email>
<timezone>-5</timezone>
<roles>
+ <role>PMC</role>
<role>Committer</role>
</roles>
<organization>
Hortonworks
</organization>
- </developer>
+ </developer>
+ <developer>
+ <id>vel</id>
+ <name>Velmurugan Periasamy</name>
+ <email>vel@apache.org</email>
+ <timezone>-5</timezone>
+ <roles>
+ <role>Committer</role>
+ </roles>
+ <organization>
+ Hortonworks
+ </organization>
+ </developer>
</developers>
<contributors>
<contributor>
[04/33] incubator-ranger git commit: RANGER-666 : Add support for
Azure SQL Database
Posted by ma...@apache.org.
RANGER-666 : Add support for Azure SQL Database
Signed-off-by: Velmurugan Periasamy <ve...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/f33879b4
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/f33879b4
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/f33879b4
Branch: refs/heads/tag-policy
Commit: f33879b4f1d13cf0b08f74b90f2e4607c00d24d4
Parents: 95cd9e8
Author: Gautam Borad <gb...@gmail.com>
Authored: Mon Sep 28 09:08:35 2015 +0530
Committer: Velmurugan Periasamy <ve...@apache.org>
Committed: Mon Sep 28 01:37:53 2015 -0400
----------------------------------------------------------------------
kms/scripts/dba_script.py | 35 ++++++++--------------
security-admin/scripts/dba_script.py | 50 ++++++++++++-------------------
security-admin/scripts/setup.sh | 4 +--
3 files changed, 33 insertions(+), 56 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/f33879b4/kms/scripts/dba_script.py
----------------------------------------------------------------------
diff --git a/kms/scripts/dba_script.py b/kms/scripts/dba_script.py
index b2aa80a..950b8c3 100755
--- a/kms/scripts/dba_script.py
+++ b/kms/scripts/dba_script.py
@@ -708,11 +708,11 @@ class SqlServerConf(BaseDB):
def verify_user(self, root_user, db_root_password, db_user,dryMode):
if dryMode == False:
log("[I] Verifying user " + db_user , "info")
- get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'msdb')
+ get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'master')
if os_name == "LINUX":
- query = get_cmd + " -c \; -query \"select loginname from master.dbo.syslogins where loginname = '%s';\"" %(db_user)
+ query = get_cmd + " -c \; -query \"select name from sys.sql_logins where name = '%s';\"" %(db_user)
elif os_name == "WINDOWS":
- query = get_cmd + " -query \"select loginname from master.dbo.syslogins where loginname = '%s';\" -c ;" %(db_user)
+ query = get_cmd + " -query \"select name from sys.sql_logins where name = '%s';\" -c ;" %(db_user)
output = check_output(query)
if output.strip(db_user + " |"):
return True
@@ -735,13 +735,13 @@ class SqlServerConf(BaseDB):
sys.exit(1)
def create_rangerdb_user(self, root_user, db_user, db_password, db_root_password,dryMode):
- if self.check_connection('msdb', root_user, db_root_password):
+ if self.check_connection('master', root_user, db_root_password):
if self.verify_user(root_user, db_root_password, db_user,dryMode):
if dryMode == False:
log("[I] SQL Server user " + db_user + " already exists.", "info")
else:
if dryMode == False:
- get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'msdb')
+ get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'master')
log("[I] User does not exists, Creating Login user " + db_user, "info")
if os_name == "LINUX":
query = get_cmd + " -c \; -query \"CREATE LOGIN %s WITH PASSWORD = '%s';\"" %(db_user,db_password)
@@ -764,7 +764,7 @@ class SqlServerConf(BaseDB):
def verify_db(self, root_user, db_root_password, db_name,dryMode):
if dryMode == False:
log("[I] Verifying database " + db_name, "info")
- get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'msdb')
+ get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'master')
if os_name == "LINUX":
query = get_cmd + " -c \; -query \"SELECT name from sys.databases where name='%s';\"" %(db_name)
elif os_name == "WINDOWS":
@@ -782,7 +782,7 @@ class SqlServerConf(BaseDB):
else:
if dryMode == False:
log("[I] Database does not exist. Creating database : " + db_name,"info")
- get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'msdb')
+ get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'master')
if os_name == "LINUX":
query = get_cmd + " -c \; -query \"create database %s;\"" %(db_name)
ret = subprocess.call(shlex.split(query))
@@ -805,7 +805,7 @@ class SqlServerConf(BaseDB):
logFile("create database %s;" %(db_name))
def create_user(self, root_user, db_name ,db_user, db_password, db_root_password,dryMode):
- get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'msdb')
+ get_cmd = self.get_jisql_cmd(root_user, db_root_password, db_name)
if os_name == "LINUX":
query = get_cmd + " -c \; -query \"USE %s SELECT name FROM sys.database_principals WHERE name = N'%s';\"" %(db_name, db_user)
elif os_name == "WINDOWS":
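Review bot: The connection now opens on `db_name`, but the LINUX query on the following context line still begins with `USE %s`, whereas the security-admin copy of `create_user` in this same commit drops `USE` and formats only `db_user`; if `USE` is what Azure SQL Database rejects (presumably the reason it was removed elsewhere), this copy still fails there. Align it with the security-admin version: `query = get_cmd + " -c \; -query \"SELECT name FROM sys.database_principals WHERE name = N'%s';\"" %(db_user)`. The WINDOWS branch and the rest of create_user lie outside the hunk and presumably need the same treatment.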
@@ -842,28 +842,17 @@ class SqlServerConf(BaseDB):
def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_password, is_revoke,dryMode):
if dryMode == False:
log("[I] Granting permission to admin user '" + db_user + "' on db '" + db_name + "'" , "info")
- get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'msdb')
- if os_name == "LINUX":
- query = get_cmd + " -c \; -query \"ALTER LOGIN [%s] WITH DEFAULT_DATABASE=[%s];\"" %(db_user, db_name)
- ret = subprocess.call(shlex.split(query))
- elif os_name == "WINDOWS":
- query = get_cmd + " -query \"ALTER LOGIN [%s] WITH DEFAULT_DATABASE=[%s];\" -c ;" %(db_user, db_name)
- ret = subprocess.call(query)
- if ret != 0:
- sys.exit(1)
+ get_cmd = self.get_jisql_cmd(root_user, db_root_password, db_name)
if os_name == "LINUX":
- query = get_cmd + " -c \; -query \" USE %s EXEC sp_addrolemember N'db_owner', N'%s';\"" %(db_name, db_user)
-# query = get_cmd + " -c \; -query \" USE %s GRANT ALL PRIVILEGES to %s;\"" %(db_name , db_user)
+ query = get_cmd + " -c \; -query \" EXEC sp_addrolemember N'db_owner', N'%s';\"" %(db_user)
ret = subprocess.call(shlex.split(query))
elif os_name == "WINDOWS":
- query = get_cmd + " -query \" USE %s EXEC sp_addrolemember N'db_owner', N'%s';\" -c ;" %(db_name, db_user)
-# query = get_cmd + " -c \; -query \" USE %s GRANT ALL PRIVILEGES to %s;\"" %(db_name , db_user)
+ query = get_cmd + " -query \" EXEC sp_addrolemember N'db_owner', N'%s';\" -c ;" %(db_user)
ret = subprocess.call(query)
if ret != 0:
sys.exit(1)
else:
- logFile("ALTER LOGIN [%s] WITH DEFAULT_DATABASE=[%s];" %(db_user, db_name))
- logFile("USE %s EXEC sp_addrolemember N'db_owner', N'%s';" %(db_name, db_user))
+ logFile("EXEC sp_addrolemember N'db_owner', N'%s';" %(db_user))
class SqlAnywhereConf(BaseDB):
# Constructor
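Review bot: The rewritten `sp_addrolemember` lines still build the SQL by `%`-formatting `db_user` into a string that is then handed to `shlex.split`/`subprocess.call`, so a name containing a quote or `;` changes both the shell tokenisation and the statement; `db_user` arrives as a method argument and its origin is not visible here. Since jisql offers no parameter binding in this path, validate the identifier once at the top of the method, e.g. `if not re.match(r'^[A-Za-z_][A-Za-z0-9_]*$', db_user): log("[E] Invalid database user name", "error"); sys.exit(1)`, and apply the same guard to the `verify_user` and `create_user` hunks and to the security-admin copies of all three. The leading space inside `\" EXEC sp_addrolemember ...` is harmless but inconsistent with the other query strings in the file.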
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/f33879b4/security-admin/scripts/dba_script.py
----------------------------------------------------------------------
diff --git a/security-admin/scripts/dba_script.py b/security-admin/scripts/dba_script.py
index 90ae561..4fd5593 100644
--- a/security-admin/scripts/dba_script.py
+++ b/security-admin/scripts/dba_script.py
@@ -917,11 +917,11 @@ class SqlServerConf(BaseDB):
def verify_user(self, root_user, db_root_password, db_user,dryMode):
if dryMode == False:
log("[I] Verifying user " + db_user , "info")
- get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'msdb')
+ get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'master')
if os_name == "LINUX":
- query = get_cmd + " -c \; -query \"select loginname from master.dbo.syslogins where loginname = '%s';\"" %(db_user)
+ query = get_cmd + " -c \; -query \"select name from sys.sql_logins where name = '%s';\"" %(db_user)
elif os_name == "WINDOWS":
- query = get_cmd + " -query \"select loginname from master.dbo.syslogins where loginname = '%s';\" -c ;" %(db_user)
+ query = get_cmd + " -query \"select name from sys.sql_logins where name = '%s';\" -c ;" %(db_user)
output = check_output(query)
if output.strip(db_user + " |"):
return True
@@ -944,13 +944,13 @@ class SqlServerConf(BaseDB):
sys.exit(1)
def create_rangerdb_user(self, root_user, db_user, db_password, db_root_password,dryMode):
- if self.check_connection('msdb', root_user, db_root_password):
+ if self.check_connection('master', root_user, db_root_password):
if self.verify_user(root_user, db_root_password, db_user,dryMode):
if dryMode == False:
log("[I] SQL Server user " + db_user + " already exists.", "info")
else:
if dryMode == False:
- get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'msdb')
+ get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'master')
log("[I] User does not exists, Creating Login user " + db_user, "info")
if os_name == "LINUX":
query = get_cmd + " -c \; -query \"CREATE LOGIN %s WITH PASSWORD = '%s';\"" %(db_user,db_password)
@@ -973,7 +973,7 @@ class SqlServerConf(BaseDB):
def verify_db(self, root_user, db_root_password, db_name,dryMode):
if dryMode == False:
log("[I] Verifying database " + db_name, "info")
- get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'msdb')
+ get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'master')
if os_name == "LINUX":
query = get_cmd + " -c \; -query \"SELECT name from sys.databases where name='%s';\"" %(db_name)
elif os_name == "WINDOWS":
@@ -991,7 +991,7 @@ class SqlServerConf(BaseDB):
else:
if dryMode == False:
log("[I] Database does not exist. Creating database : " + db_name,"info")
- get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'msdb')
+ get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'master')
if os_name == "LINUX":
query = get_cmd + " -c \; -query \"create database %s;\"" %(db_name)
ret = subprocess.call(shlex.split(query))
@@ -1006,7 +1006,6 @@ class SqlServerConf(BaseDB):
self.create_user(root_user, db_name ,db_user, db_password, db_root_password,dryMode)
log("[I] Creating database " + db_name + " succeeded", "info")
return True
- # self.import_db_file(db_name, root_user, db_user, db_password, db_root_password, file_name)
else:
log("[E] Database creation failed..","error")
sys.exit(1)
@@ -1014,11 +1013,11 @@ class SqlServerConf(BaseDB):
logFile("create database %s;" %(db_name))
def create_user(self, root_user, db_name ,db_user, db_password, db_root_password,dryMode):
- get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'msdb')
+ get_cmd = self.get_jisql_cmd(root_user, db_root_password, db_name)
if os_name == "LINUX":
- query = get_cmd + " -c \; -query \"USE %s SELECT name FROM sys.database_principals WHERE name = N'%s';\"" %(db_name, db_user)
+ query = get_cmd + " -c \; -query \"SELECT name FROM sys.database_principals WHERE name = N'%s';\"" %(db_user)
elif os_name == "WINDOWS":
- query = get_cmd + " -query \"USE %s SELECT name FROM sys.database_principals WHERE name = N'%s';\" -c ;" %(db_name, db_user)
+ query = get_cmd + " -query \"SELECT name FROM sys.database_principals WHERE name = N'%s';\" -c ;" %(db_user)
output = check_output(query)
if output.strip(db_user + " |"):
if dryMode == False:
@@ -1026,16 +1025,16 @@ class SqlServerConf(BaseDB):
else:
if dryMode == False:
if os_name == "LINUX":
- query = get_cmd + " -c \; -query \"USE %s CREATE USER %s for LOGIN %s;\"" %(db_name ,db_user, db_user)
+ query = get_cmd + " -c \; -query \"CREATE USER %s for LOGIN %s;\"" %(db_user, db_user)
ret = subprocess.call(shlex.split(query))
elif os_name == "WINDOWS":
- query = get_cmd + " -query \"USE %s CREATE USER %s for LOGIN %s;\" -c ;" %(db_name ,db_user, db_user)
+ query = get_cmd + " -query \"CREATE USER %s for LOGIN %s;\" -c ;" %(db_user, db_user)
ret = subprocess.call(query)
if ret == 0:
if os_name == "LINUX":
- query = get_cmd + " -c \; -query \"USE %s SELECT name FROM sys.database_principals WHERE name = N'%s';\"" %(db_name ,db_user)
+ query = get_cmd + " -c \; -query \"SELECT name FROM sys.database_principals WHERE name = N'%s';\"" %(db_user)
elif os_name == "WINDOWS":
- query = get_cmd + " -query \"USE %s SELECT name FROM sys.database_principals WHERE name = N'%s';\" -c ;" %(db_name ,db_user)
+ query = get_cmd + " -query \"SELECT name FROM sys.database_principals WHERE name = N'%s';\" -c ;" %(db_user)
output = check_output(query)
if output.strip(db_user + " |"):
log("[I] User "+db_user+" exist ","info")
@@ -1046,33 +1045,22 @@ class SqlServerConf(BaseDB):
log("[E] Database creation failed..","error")
sys.exit(1)
else:
- logFile("USE %s CREATE USER %s for LOGIN %s;" %(db_name ,db_user, db_user))
+ logFile("CREATE USER %s for LOGIN %s;" %(db_user, db_user))
def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_password, is_revoke,dryMode):
if dryMode == False:
log("[I] Granting permission to admin user '" + db_user + "' on db '" + db_name + "'" , "info")
- get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'msdb')
- if os_name == "LINUX":
- query = get_cmd + " -c \; -query \"ALTER LOGIN [%s] WITH DEFAULT_DATABASE=[%s];\"" %(db_user, db_name)
- ret = subprocess.call(shlex.split(query))
- elif os_name == "WINDOWS":
- query = get_cmd + " -query \"ALTER LOGIN [%s] WITH DEFAULT_DATABASE=[%s];\" -c ;" %(db_user, db_name)
- ret = subprocess.call(query)
- if ret != 0:
- sys.exit(1)
+ get_cmd = self.get_jisql_cmd(root_user, db_root_password, db_name)
if os_name == "LINUX":
- query = get_cmd + " -c \; -query \" USE %s EXEC sp_addrolemember N'db_owner', N'%s';\"" %(db_name, db_user)
-# query = get_cmd + " -c \; -query \" USE %s GRANT ALL PRIVILEGES to %s;\"" %(db_name , db_user)
+ query = get_cmd + " -c \; -query \" EXEC sp_addrolemember N'db_owner', N'%s';\"" %(db_user)
ret = subprocess.call(shlex.split(query))
elif os_name == "WINDOWS":
- query = get_cmd + " -query \" USE %s EXEC sp_addrolemember N'db_owner', N'%s';\" -c ;" %(db_name, db_user)
-# query = get_cmd + " -c \; -query \" USE %s GRANT ALL PRIVILEGES to %s;\"" %(db_name , db_user)
+ query = get_cmd + " -query \" EXEC sp_addrolemember N'db_owner', N'%s';\" -c ;" %(db_user)
ret = subprocess.call(query)
if ret != 0:
sys.exit(1)
else:
- logFile("ALTER LOGIN [%s] WITH DEFAULT_DATABASE=[%s];" %(db_user, db_name))
- logFile("USE %s EXEC sp_addrolemember N'db_owner', N'%s';" %(db_name, db_user))
+ logFile("EXEC sp_addrolemember N'db_owner', N'%s';" %(db_user))
def create_auditdb_user(self, xa_db_host, audit_db_host, db_name, audit_db_name, xa_db_root_user, audit_db_root_user, db_user, audit_db_user, xa_db_root_password, audit_db_root_password, db_password, audit_db_password, DBA_MODE,dryMode):
is_revoke=False
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/f33879b4/security-admin/scripts/setup.sh
----------------------------------------------------------------------
diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh
index bae6298..71c424c 100755
--- a/security-admin/scripts/setup.sh
+++ b/security-admin/scripts/setup.sh
@@ -874,7 +874,7 @@ update_properties() {
newPropertyValue="org.eclipse.persistence.platform.database.SQLServerPlatform"
updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default
- propertyName=ranger.jpa.jdbc.dialect
+ propertyName=ranger.jpa.audit.jdbc.dialect
newPropertyValue="org.eclipse.persistence.platform.database.SQLServerPlatform"
updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default
@@ -901,7 +901,7 @@ update_properties() {
newPropertyValue="org.eclipse.persistence.platform.database.SQLAnywherePlatform"
updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default
- propertyName=ranger.jpa.jdbc.dialect
+ propertyName=ranger.jpa.audit.jdbc.dialect
newPropertyValue="org.eclipse.persistence.platform.database.SQLAnywherePlatform"
updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default
[26/33] incubator-ranger git commit: RANGER-681 : Update default sync
intervals for LDAP and UNIX
Posted by ma...@apache.org.
RANGER-681 : Update default sync intervals for LDAP and UNIX
Signed-off-by: Velmurugan Periasamy <ve...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/22d3ad0e
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/22d3ad0e
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/22d3ad0e
Branch: refs/heads/tag-policy
Commit: 22d3ad0ef7482b087b9866a5ef6c8ec630d72125
Parents: de170ab
Author: Gautam Borad <ga...@apache.org>
Authored: Tue Oct 13 15:44:06 2015 +0530
Committer: Velmurugan Periasamy <ve...@apache.org>
Committed: Tue Oct 13 20:27:56 2015 -0400
----------------------------------------------------------------------
.../config/UserGroupSyncConfig.java | 21 ++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/22d3ad0e/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
----------------------------------------------------------------------
diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
index 7240fce..c1b305b 100644
--- a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
+++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
@@ -75,11 +75,11 @@ public class UserGroupSyncConfig {
private static final String UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_PARAM = "ranger.usersync.sleeptimeinmillisbetweensynccycle" ;
- private static final long UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_MIN_VALUE = 30000L ;
+ private static final long UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_MIN_VALUE = 60000L;
- private static final long UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_UNIX_DEFAULT_VALUE = 300000L ;
+ private static final long UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_UNIX_DEFAULT_VALUE = 60000L;
- private static final long UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_LDAP_DEFAULT_VALUE = 21600000L ;
+ private static final long UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_LDAP_DEFAULT_VALUE = 3600000L;
private static final String UGSYNC_SOURCE_CLASS_PARAM = "ranger.usersync.source.impl.class";
@@ -365,9 +365,18 @@ public class UserGroupSyncConfig {
}
else {
long ret = Long.parseLong(val) ;
- if (ret < UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_MIN_VALUE) {
- LOG.info("Sleep Time Between Cycle can not be lower than [" + UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_MIN_VALUE + "] millisec. resetting to min value.") ;
- ret = UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_MIN_VALUE ;
+ long min_interval;
+ if (LGSYNC_SOURCE_CLASS.equals(getUserGroupSource().getClass().getName())) {
+ min_interval = UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_LDAP_DEFAULT_VALUE ;
+ }else if(UGSYNC_SOURCE_CLASS.equals(getUserGroupSource().getClass().getName())){
+ min_interval = UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_UNIX_DEFAULT_VALUE;
+ } else {
+ min_interval = UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_MIN_VALUE ;
+ }
+ if(ret < min_interval)
+ {
+ LOG.info("Sleep Time Between Cycle can not be lower than [" + min_interval + "] millisec. resetting to min value.") ;
+ ret = min_interval;
}
return ret;
}
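Review bot: The per-source floor is taken from constants named `..._DEFAULT_VALUE`, so for an LDAP source the 3600000 ms default is now also the smallest accepted interval and a smaller configured value is raised with only an info log; if that is the intent, the constants changed in the first hunk should say so (rename them `..._MIN_VALUE` or put a comment above them), and if not, every source should fall back to the generic `UGSYNC_SLEEP_TIME_IN_MILLIS_BETWEEN_CYCLE_MIN_VALUE`. `getUserGroupSource().getClass().getName()` is evaluated twice; hoist it once, `String sourceClassName = getUserGroupSource().getClass().getName();`, and compare both branches against that, which also avoids calling the getter twice if it is not cached (its body is outside the hunk). `min_interval` should be `minInterval` per Java naming, and the brace on its own line after `if(ret < min_interval)` breaks the K&R style used around it. The enclosing method starts outside the hunk, so the handling of `val` before `Long.parseLong(val)` could not be reviewed here.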
[33/33] incubator-ranger git commit: Merge branch 'master' into
tag-policy
Posted by ma...@apache.org.
Merge branch 'master' into tag-policy
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/5b5e0120
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/5b5e0120
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/5b5e0120
Branch: refs/heads/tag-policy
Commit: 5b5e0120fa8dfb3427885b34607a6508e10798d5
Parents: f17ed11 bc4ee64
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Mon Oct 26 18:07:49 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Mon Oct 26 18:07:49 2015 -0700
----------------------------------------------------------------------
.../audit/destination/HDFSAuditDestination.java | 37 +-
.../ranger/audit/provider/BaseAuditHandler.java | 19 +-
.../audit/provider/hdfs/HdfsAuditProvider.java | 3 +
.../audit/provider/hdfs/HdfsLogDestination.java | 26 +-
agents-common/scripts/enable-agent.sh | 28 +-
.../admin/client/RangerAdminRESTClient.java | 25 +-
.../plugin/store/file/ServiceFileStore.java | 2 +
.../ranger/plugin/util/RangerRESTClient.java | 40 +-
.../ranger/utils/install/XmlConfigChanger.java | 47 +-
docs/pom.xml | 49 +-
hbase-agent/conf/ranger-hbase-audit-changes.cfg | 5 +
hbase-agent/conf/ranger-hbase-audit.xml | 40 +-
.../conf/ranger-hbase-security-changes.cfg | 3 +
hbase-agent/conf/ranger-hbase-security.xml | 16 +
hbase-agent/scripts/install.properties | 24 +
hdfs-agent/conf/ranger-hdfs-audit-changes.cfg | 5 +
hdfs-agent/conf/ranger-hdfs-audit.xml | 36 +
.../conf/ranger-hdfs-security-changes.cfg | 2 +
hdfs-agent/conf/ranger-hdfs-security.xml | 16 +
hdfs-agent/scripts/install.properties | 24 +
hive-agent/conf/ranger-hive-audit-changes.cfg | 5 +
hive-agent/conf/ranger-hive-audit.xml | 36 +
.../conf/ranger-hive-security-changes.cfg | 2 +
hive-agent/conf/ranger-hive-security.xml | 16 +
hive-agent/scripts/install.properties | 24 +
kms/scripts/db_setup.py | 14 +-
kms/scripts/dba_script.py | 58 +-
kms/scripts/install.properties | 11 +
kms/scripts/setup.sh | 155 +-
knox-agent/conf/ranger-knox-audit-changes.cfg | 5 +
knox-agent/conf/ranger-knox-audit.xml | 36 +
.../conf/ranger-knox-security-changes.cfg | 2 +
knox-agent/conf/ranger-knox-security.xml | 16 +
knox-agent/scripts/install.properties | 25 +
.../client/RangerAdminJersey2RESTClient.java | 9 +-
.../conf/ranger-kafka-audit-changes.cfg | 5 +
plugin-kafka/conf/ranger-kafka-audit.xml | 36 +
.../conf/ranger-kafka-security-changes.cfg | 4 +-
plugin-kafka/conf/ranger-kafka-security.xml | 16 +
plugin-kafka/scripts/install.properties | 25 +
plugin-kms/conf/ranger-kms-audit-changes.cfg | 5 +
plugin-kms/conf/ranger-kms-audit.xml | 36 +
plugin-kms/conf/ranger-kms-security-changes.cfg | 4 +-
plugin-kms/conf/ranger-kms-security.xml | 16 +
plugin-kms/scripts/enable-kms-plugin.sh | 28 +-
plugin-solr/conf/ranger-solr-audit-changes.cfg | 5 +
plugin-solr/conf/ranger-solr-audit.xml | 36 +
.../conf/ranger-solr-security-changes.cfg | 4 +-
plugin-solr/conf/ranger-solr-security.xml | 16 +
plugin-solr/scripts/install.properties | 25 +
plugin-yarn/conf/ranger-yarn-audit-changes.cfg | 5 +
plugin-yarn/conf/ranger-yarn-audit.xml | 36 +
.../conf/ranger-yarn-security-changes.cfg | 2 +
plugin-yarn/conf/ranger-yarn-security.xml | 16 +
plugin-yarn/scripts/install.properties | 24 +
pom.xml | 1 +
.../create_hdfs_folders_for_audit_non_secure.sh | 78 +
.../create_hdfs_folders_for_audit_secure.sh | 79 +
.../contrib/solr_for_audit_setup/README.txt | 25 +
.../solr_for_audit_setup/conf/admin-extra.html | 24 +
.../conf/admin-extra.menu-bottom.html | 25 +
.../conf/admin-extra.menu-top.html | 25 +
.../solr_for_audit_setup/conf/elevate.xml | 38 +
.../solr_for_audit_setup/conf/schema.xml | 118 ++
.../solr_for_audit_setup/conf/solrconfig.xml | 1865 ++++++++++++++++++
.../solr_for_audit_setup/install.properties | 96 +
.../resources/log4j.properties.template | 39 +
.../contrib/solr_for_audit_setup/setup.sh | 425 ++++
.../add_ranger_audits_conf_to_zk.sh.template | 63 +
.../create_ranger_audits_collection.sh.template | 33 +
.../solr_cloud/scripts/start_solr.sh.template | 39 +
.../solr_cloud/scripts/stop_solr.sh.template | 35 +
.../solr_cloud/solr.xml.template | 26 +
.../ranger_audits/core.properties.template | 20 +
.../scripts/start_solr.sh.template | 38 +
.../scripts/stop_solr.sh.template | 35 +
.../solr_standalone/solr.xml | 19 +
.../db/mysql/patches/009-updated_schema.sql | 2 +-
.../db/oracle/patches/009-updated_schema.sql | 2 +-
.../db/postgres/xa_core_db_postgres.sql | 2 +-
.../db/sqlanywhere/xa_core_db_sqlanywhere.sql | 2 +-
.../db/sqlserver/xa_core_db_sqlserver.sql | 2 +-
security-admin/scripts/db_setup.py | 16 +-
security-admin/scripts/dba_script.py | 78 +-
security-admin/scripts/set_globals.sh | 26 +-
security-admin/scripts/setup.sh | 197 +-
security-admin/src/bin/ranger_install.py | 2 +-
.../java/org/apache/ranger/biz/SessionMgr.java | 102 +
.../java/org/apache/ranger/biz/UserMgr.java | 9 +-
.../java/org/apache/ranger/biz/XUserMgr.java | 509 +++--
.../org/apache/ranger/common/RESTErrorUtil.java | 26 +
.../org/apache/ranger/common/ServiceUtil.java | 30 +
.../org/apache/ranger/common/StringUtil.java | 1 -
.../apache/ranger/common/UserSessionBase.java | 64 +-
.../apache/ranger/db/XXGroupPermissionDao.java | 18 +-
.../org/apache/ranger/db/XXGroupUserDao.java | 11 +
.../org/apache/ranger/db/XXModuleDefDao.java | 10 -
.../org/apache/ranger/db/XXPortalUserDao.java | 21 +-
.../java/org/apache/ranger/db/XXUserDao.java | 12 +
.../apache/ranger/db/XXUserPermissionDao.java | 10 +-
.../patch/PatchPersmissionModel_J10003.java | 24 +-
.../java/org/apache/ranger/rest/AssetREST.java | 16 +-
.../java/org/apache/ranger/rest/XUserREST.java | 56 +-
.../ranger/security/context/RangerAPIList.java | 4 +
.../security/context/RangerAPIMapping.java | 4 +
.../context/RangerPreAuthSecurityHandler.java | 25 +-
.../listener/RangerHttpSessionListener.java | 48 +
.../CustomLogoutSuccessHandler.java | 1 +
.../RangerAuthFailureHandler.java | 1 +
.../RangerAuthSuccessHandler.java | 2 +-
.../RangerAuthenticationEntryPoint.java | 1 +
.../security/web/filter/MyRememberMeFilter.java | 7 +-
.../RangerSecurityContextFormationFilter.java | 5 +-
.../service/AbstractBaseResourceService.java | 5 +-
.../ranger/service/XGroupPermissionService.java | 13 +-
.../ranger/service/XUserPermissionService.java | 18 +-
.../service/XUserPermissionServiceBase.java | 65 +-
.../resources/META-INF/jpa_named_queries.xml | 19 +-
.../conf.dist/ranger-admin-default-site.xml | 2 +-
.../src/main/webapp/META-INF/context.xml | 4 +-
security-admin/src/main/webapp/WEB-INF/web.xml | 5 +-
security-admin/src/main/webapp/login.jsp | 4 +-
.../src/main/webapp/scripts/modules/XALinks.js | 42 +-
.../webapp/scripts/views/kms/KmsKeyCreate.js | 9 +-
.../views/permissions/ModulePermissionCreate.js | 1 -
.../webapp/scripts/views/users/GroupCreate.js | 3 +-
.../webapp/scripts/views/users/UserCreate.js | 2 -
.../java/org/apache/ranger/biz/TestUserMgr.java | 187 +-
.../org/apache/ranger/biz/TestXUserMgr.java | 562 +++++-
src/main/assembly/admin-web.xml | 7 +
src/main/assembly/usersync.xml | 44 +
storm-agent/conf/ranger-storm-audit-changes.cfg | 5 +
storm-agent/conf/ranger-storm-audit.xml | 36 +
.../conf/ranger-storm-security-changes.cfg | 4 +-
storm-agent/conf/ranger-storm-security.xml | 16 +
storm-agent/scripts/install.properties | 24 +
.../ldapconfigcheck/conf/input.properties | 63 +
.../ldapconfigchecktool/ldapconfigcheck/pom.xml | 130 ++
.../ldapconfigcheck/scripts/run.sh | 72 +
.../ldapconfigcheck/AuthenticationCheck.java | 208 ++
.../ldapconfigcheck/CommandLineOptions.java | 230 +++
.../ranger/ldapconfigcheck/LdapConfig.java | 436 ++++
.../ldapconfigcheck/LdapConfigCheckMain.java | 241 +++
.../apache/ranger/ldapconfigcheck/UserSync.java | 860 ++++++++
.../config/UserGroupSyncConfig.java | 21 +-
unixauthservice/scripts/set_globals.sh | 30 +-
unixauthservice/scripts/setup.py | 42 +-
147 files changed, 8503 insertions(+), 604 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5b5e0120/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5b5e0120/agents-common/src/main/java/org/apache/ranger/plugin/store/file/ServiceFileStore.java
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5b5e0120/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
----------------------------------------------------------------------
diff --cc knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
index e06f5a2,c087f25..4166786
--- a/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
+++ b/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
@@@ -34,8 -33,12 +34,9 @@@ import javax.ws.rs.core.Response
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.security.AccessControlException;
- import org.apache.ranger.plugin.model.RangerTag;
+import org.apache.ranger.plugin.util.*;
+ import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
-import org.apache.ranger.plugin.util.GrantRevokeRequest;
-import org.apache.ranger.plugin.util.RangerRESTUtils;
-import org.apache.ranger.plugin.util.RangerSslHelper;
-import org.apache.ranger.plugin.util.ServicePolicies;
+ import org.glassfish.jersey.client.ClientProperties;
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
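Review bot: The merged new side replaces four explicit `org.apache.ranger.plugin.util` imports with `import org.apache.ranger.plugin.util.*;`, while the rest of the file keeps single-type imports (the `org.apache.commons.logging` and `com.google.gson` lines), and a wildcard can silently pick up new names as that package grows. Re-list the classes actually used (`GrantRevokeRequest`, `RangerRESTUtils`, `RangerSslHelper`, `ServicePolicies`, plus whatever the tag-policy side needs). Since this is a merge-conflict resolution, the wildcard may have been inherited from one parent rather than introduced here.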
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5b5e0120/pom.xml
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5b5e0120/security-admin/db/mysql/patches/009-updated_schema.sql
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5b5e0120/security-admin/db/oracle/patches/009-updated_schema.sql
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5b5e0120/security-admin/db/postgres/xa_core_db_postgres.sql
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5b5e0120/security-admin/db/sqlserver/xa_core_db_sqlserver.sql
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5b5e0120/security-admin/scripts/db_setup.py
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5b5e0120/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
----------------------------------------------------------------------
diff --cc security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
index 7131903,775c647..de4d16c
--- a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
@@@ -645,8 -650,13 +650,15 @@@ public class AssetREST
"startDate", "MM/dd/yyyy");
searchUtil.extractDate(request, searchCriteria, "endDate", "endDate",
"MM/dd/yyyy");
+
+ searchUtil.extractString(request, searchCriteria, "tags", "tags", null);
+
+ boolean isKeyAdmin = msBizUtil.isKeyAdmin();
+ XXServiceDef xxServiceDef = daoManager.getXXServiceDef().findByName(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_KMS_NAME);
+ if(isKeyAdmin && xxServiceDef != null){
+ searchCriteria.getParamList().put("repoType", xxServiceDef.getId());
+ }
+
return assetMgr.getAccessLogs(searchCriteria);
}
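Review bot: The key-admin restriction fails open: when `findByName(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_KMS_NAME)` returns null the `repoType` filter is skipped and a key admin receives the unfiltered access-log search, and the DAO lookup runs for every caller even when `isKeyAdmin` is false. Move the lookup inside `if (isKeyAdmin)` and treat a missing KMS service-def as an error (reject the request, or return an empty result) rather than dropping the filter, e.g. a guard `if (isKeyAdmin && xxServiceDef == null) { /* fail closed: KMS service-def not found */ }` ahead of the `put`. Whether a null here is reachable depends on how the embedded KMS service-def is provisioned, which is outside this hunk, and the enclosing method starts before it.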
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5b5e0120/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5b5e0120/security-admin/src/main/webapp/scripts/modules/XALinks.js
----------------------------------------------------------------------
[08/33] incubator-ranger git commit: RANGER-672 v0.4 plugins are
unable to download policies from 0.5 server
Posted by ma...@apache.org.
RANGER-672 v0.4 plugins are unable to download policies from 0.5 server
Signed-off-by: Alok Lal <al...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/483ea47f
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/483ea47f
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/483ea47f
Branch: refs/heads/tag-policy
Commit: 483ea47f3700c124bd045b42ce8f68aa8cb4231d
Parents: 919b550
Author: Alok Lal <al...@apache.org>
Authored: Tue Sep 29 17:01:08 2015 -0700
Committer: Alok Lal <al...@apache.org>
Committed: Tue Sep 29 17:29:19 2015 -0700
----------------------------------------------------------------------
.../org/apache/ranger/common/ServiceUtil.java | 30 ++++++++++++++++++++
.../java/org/apache/ranger/rest/AssetREST.java | 2 +-
2 files changed, 31 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/483ea47f/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java b/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java
index 8a637a0..861240b 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java
@@ -32,6 +32,8 @@ import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.WebApplicationException;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
@@ -123,6 +125,34 @@ public class ServiceUtil {
version = "0";
}
+ public RangerService getServiceByName(@PathParam("name") String name) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> ServiceUtil.getServiceByName(" + name + ")");
+ }
+
+ RangerService ret = null;
+
+ try {
+ ret = svcStore.getServiceByName(name);
+ } catch(WebApplicationException excp) {
+ throw excp;
+ } catch(Throwable excp) {
+ LOG.error("getServiceByName(" + name + ") failed", excp);
+
+ throw restErrorUtil.createRESTException(excp.getMessage());
+ }
+
+ if(ret == null) {
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_NOT_FOUND, "Not found", true);
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== ServiceUtil.getServiceByName(" + name + "): " + ret);
+ }
+
+ return ret;
+ }
+
public RangerService toRangerService(VXAsset asset) {
if(asset == null) {
return null;
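Review bot: `@PathParam("name")` on `ServiceUtil.getServiceByName` has no effect unless `ServiceUtil` is itself a JAX-RS resource, which nothing here suggests; dropping it also removes the `javax.ws.rs.PathParam` import added in the previous hunk. The `catch(Throwable excp)` branch forwards `excp.getMessage()` to the REST client, so storage-layer exception text reaches callers even though the full exception is already logged on the line above; a fixed message such as `throw restErrorUtil.createRESTException("failed to retrieve service " + name);` is enough, and `Throwable` should be narrowed to `Exception` so JVM errors are not converted into REST responses either. A Javadoc stating that this helper performs no authorization of its own, and why it exists beside `ServiceREST`'s method of the same name, would help the next reader.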
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/483ea47f/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
index 19dbfaa..79cea02 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java
@@ -533,7 +533,7 @@ public class AssetREST {
logger.error("failed to retrieve policies for repository " + repository, excp);
}
- RangerService service = serviceREST.getServiceByName(repository);
+ RangerService service = serviceUtil.getServiceByName(repository);
List<RangerPolicy> policies = servicePolicies != null ? servicePolicies.getPolicies() : null;
long policyUpdTime = (servicePolicies != null && servicePolicies.getPolicyUpdateTime() != null) ? servicePolicies.getPolicyUpdateTime().getTime() : 0l;
VXAsset vAsset = serviceUtil.toVXAsset(service);
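Review bot: Switching from `serviceREST.getServiceByName` to `serviceUtil.getServiceByName` changes which checks run before the service is resolved, and nothing in the code records why, so a later cleanup could easily point it back at the REST variant. Add a comment on the changed line, e.g. `// RANGER-672: resolve via serviceUtil rather than serviceREST so legacy (v0.4) plugins can still download policies`, so the intent survives. The enclosing method starts outside the hunk.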
[25/33] incubator-ranger git commit: RANGER-526 : Provide REST API to
change user role
Posted by ma...@apache.org.
RANGER-526 : Provide REST API to change user role
Signed-off-by: Velmurugan Periasamy <ve...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/de170ab2
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/de170ab2
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/de170ab2
Branch: refs/heads/tag-policy
Commit: de170ab2358739f938f52ccc871d4d9e3ebb52ef
Parents: 9474fe9
Author: Gautam Borad <ga...@apache.org>
Authored: Tue Oct 13 12:40:19 2015 +0530
Committer: Velmurugan Periasamy <ve...@apache.org>
Committed: Tue Oct 13 20:26:33 2015 -0400
----------------------------------------------------------------------
.../db/mysql/patches/009-updated_schema.sql | 2 +-
.../db/oracle/patches/009-updated_schema.sql | 2 +-
.../db/postgres/xa_core_db_postgres.sql | 2 +-
.../db/sqlanywhere/xa_core_db_sqlanywhere.sql | 2 +-
.../db/sqlserver/xa_core_db_sqlserver.sql | 2 +-
.../java/org/apache/ranger/biz/UserMgr.java | 9 +-
.../java/org/apache/ranger/biz/XUserMgr.java | 165 ++++++
.../apache/ranger/db/XXGroupPermissionDao.java | 2 +-
.../java/org/apache/ranger/rest/XUserREST.java | 41 ++
.../ranger/security/context/RangerAPIList.java | 4 +
.../security/context/RangerAPIMapping.java | 4 +
.../CustomLogoutSuccessHandler.java | 1 +
.../RangerAuthFailureHandler.java | 1 +
.../RangerAuthSuccessHandler.java | 2 +-
.../RangerAuthenticationEntryPoint.java | 1 +
.../security/web/filter/MyRememberMeFilter.java | 7 +-
.../RangerSecurityContextFormationFilter.java | 5 +-
security-admin/src/main/webapp/login.jsp | 4 +-
.../java/org/apache/ranger/biz/TestUserMgr.java | 187 ++++++-
.../org/apache/ranger/biz/TestXUserMgr.java | 511 ++++++++++++++++++-
20 files changed, 922 insertions(+), 32 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/de170ab2/security-admin/db/mysql/patches/009-updated_schema.sql
----------------------------------------------------------------------
diff --git a/security-admin/db/mysql/patches/009-updated_schema.sql b/security-admin/db/mysql/patches/009-updated_schema.sql
index c5aa728..beaeda6 100644
--- a/security-admin/db/mysql/patches/009-updated_schema.sql
+++ b/security-admin/db/mysql/patches/009-updated_schema.sql
@@ -52,7 +52,7 @@ CREATE TABLE `x_service` (
`upd_by_id` bigint(20) DEFAULT NULL,
`version` bigint(20) DEFAULT NULL,
`type` bigint(20) DEFAULT NULL,
-`name` varchar(512) DEFAULT NULL,
+`name` varchar(255) DEFAULT NULL,
`policy_version` bigint(20) DEFAULT NULL,
`policy_update_time`datetime DEFAULT NULL,
`description` varchar(1024) DEFAULT NULL,
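Review bot: `x_service.name` is narrowed from 512 to 255 characters by editing patch `009-updated_schema.sql` in place, so deployments that already applied patch 009 keep the wider column while fresh installs get the narrower one, and any existing name longer than 255 characters would be truncated or rejected depending on the database's strictness. The same edit is repeated in the oracle patch and in the postgres, sqlanywhere and sqlserver base schemas in the following hunks. A new incremental patch that alters the column, preceded by a length check on existing rows, is the usual route, and the commit message, which only mentions the user-role REST API, should say why the column is being shrunk.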
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/de170ab2/security-admin/db/oracle/patches/009-updated_schema.sql
----------------------------------------------------------------------
diff --git a/security-admin/db/oracle/patches/009-updated_schema.sql b/security-admin/db/oracle/patches/009-updated_schema.sql
index ef5ff3c..293d6a5 100644
--- a/security-admin/db/oracle/patches/009-updated_schema.sql
+++ b/security-admin/db/oracle/patches/009-updated_schema.sql
@@ -63,7 +63,7 @@ added_by_id NUMBER(20) DEFAULT NULL NULL,
upd_by_id NUMBER(20) DEFAULT NULL NULL,
version NUMBER(20) DEFAULT NULL NULL,
type NUMBER(20) DEFAULT NULL NULL,
-name varchar(512) DEFAULT NULL NULL,
+name varchar(255) DEFAULT NULL NULL,
policy_version NUMBER(20) DEFAULT NULL NULL,
policy_update_time DATE DEFAULT NULL NULL,
description VARCHAR(1024) DEFAULT NULL NULL,
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/de170ab2/security-admin/db/postgres/xa_core_db_postgres.sql
----------------------------------------------------------------------
diff --git a/security-admin/db/postgres/xa_core_db_postgres.sql b/security-admin/db/postgres/xa_core_db_postgres.sql
index 5a76442..8245c23 100644
--- a/security-admin/db/postgres/xa_core_db_postgres.sql
+++ b/security-admin/db/postgres/xa_core_db_postgres.sql
@@ -492,7 +492,7 @@ added_by_id BIGINT DEFAULT NULL NULL,
upd_by_id BIGINT DEFAULT NULL NULL,
version BIGINT DEFAULT NULL NULL,
type BIGINT DEFAULT NULL NULL,
-name VARCHAR(512) DEFAULT NULL NULL,
+name VARCHAR(255) DEFAULT NULL NULL,
policy_version BIGINT DEFAULT NULL NULL,
policy_update_time TIMESTAMP DEFAULT NULL NULL,
description VARCHAR(1024) DEFAULT NULL NULL,
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/de170ab2/security-admin/db/sqlanywhere/xa_core_db_sqlanywhere.sql
----------------------------------------------------------------------
diff --git a/security-admin/db/sqlanywhere/xa_core_db_sqlanywhere.sql b/security-admin/db/sqlanywhere/xa_core_db_sqlanywhere.sql
index 0760cb8..b063bad 100644
--- a/security-admin/db/sqlanywhere/xa_core_db_sqlanywhere.sql
+++ b/security-admin/db/sqlanywhere/xa_core_db_sqlanywhere.sql
@@ -312,7 +312,7 @@ create table dbo.x_service (
upd_by_id bigint DEFAULT NULL NULL,
version bigint DEFAULT NULL NULL,
type bigint DEFAULT NULL NULL,
- name varchar(512) DEFAULT NULL NULL,
+ name varchar(255) DEFAULT NULL NULL,
policy_version bigint DEFAULT NULL NULL,
policy_update_time datetime DEFAULT NULL NULL,
description varchar(1024) DEFAULT NULL NULL,
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/de170ab2/security-admin/db/sqlserver/xa_core_db_sqlserver.sql
----------------------------------------------------------------------
diff --git a/security-admin/db/sqlserver/xa_core_db_sqlserver.sql b/security-admin/db/sqlserver/xa_core_db_sqlserver.sql
index 25d374e..f2e9644 100644
--- a/security-admin/db/sqlserver/xa_core_db_sqlserver.sql
+++ b/security-admin/db/sqlserver/xa_core_db_sqlserver.sql
@@ -1778,7 +1778,7 @@ CREATE TABLE [dbo].[x_service] (
[upd_by_id] [bigint] DEFAULT NULL NULL,
[version] [bigint] DEFAULT NULL NULL,
[type] [bigint] DEFAULT NULL NULL,
- [name] [varchar](512) DEFAULT NULL NULL,
+ [name] [varchar](255) DEFAULT NULL NULL,
[policy_version] [bigint] DEFAULT NULL NULL,
[policy_update_time] [datetime2] DEFAULT NULL NULL,
[description] [varchar](1024) DEFAULT NULL NULL,
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/de170ab2/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
index ff0ea01..8fbad1f 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java
@@ -304,7 +304,7 @@ public class UserMgr {
return gjUser;
}
- private boolean updateRoles(Long userId, Collection<String> rolesList) {
+ public boolean updateRoles(Long userId, Collection<String> rolesList) {
boolean rolesUpdated = false;
if (rolesList == null || rolesList.size() == 0) {
return false;
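Review bot: `updateRoles` becomes public without any access check of its own, so every caller is now responsible for running `xUserMgr.checkAccessRoles` first, as `setUserRoles` does in the next hunk, and that contract is not written down anywhere. Add a Javadoc on the method: `/** Performs no authorization; callers must validate the requested roles (XUserMgr.checkAccessRoles) before invoking. */`. The method body continues outside the hunk.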
@@ -352,12 +352,13 @@ public class UserMgr {
* @param vStrings
*/
public void setUserRoles(Long userId, List<VXString> vStringRolesList) {
- checkAccess(userId);
List<String> stringRolesList = new ArrayList<String>();
for (VXString vXString : vStringRolesList) {
stringRolesList.add(vXString.getValue());
}
- updateRoles(userId, stringRolesList);
+ xUserMgr.checkAccessRoles(stringRolesList);
+ VXPortalUser oldUserProfile=getUserProfile(userId);
+ xUserMgr.updateUserRolesPermissions(oldUserProfile, stringRolesList);
}
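Review bot: Removing `checkAccess(userId)` from `setUserRoles` changes what is authorized: the replacement `xUserMgr.checkAccessRoles(stringRolesList)` validates only the requested roles against the session's own role and no longer considers the target `userId` at all (what `checkAccess` enforced is outside this hunk, so this is inferred). If dropping the target-user check for admins is intentional, say so in the method's Javadoc just above the hunk; otherwise keep both calls. `getUserProfile(userId)` may return null, and `updateUserRolesPermissions` tolerates a null profile silently, so an unknown id now produces no error from this path rather than a not-found response.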
/**
@@ -634,7 +635,7 @@ public class UserMgr {
.getXXUserPermission().findByUserPermissionIdAndIsAllowed(
userProfile.getId());
List<XXGroupPermission> xxGroupPermissions = daoManager
- .getXXGroupPermission().findbyVXPoratUserId(
+ .getXXGroupPermission().findbyVXPortalUserId(
userProfile.getId());
List<VXGroupPermission> groupPermissions = new ArrayList<VXGroupPermission>();
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/de170ab2/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
index 5f43bc0..b860877 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
@@ -80,6 +80,10 @@ import org.springframework.stereotype.Component;
import javax.servlet.http.HttpServletResponse;
import org.apache.ranger.view.VXResponse;
+import org.apache.ranger.entity.XXPortalUserRole;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.ranger.view.VXString;
+import org.apache.ranger.view.VXStringList;
@Component
public class XUserMgr extends XUserMgrBase {
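Review bot: The added `import javax.servlet.http.HttpServletResponse;` duplicates the identical import three lines above it; drop the added line. The new imports are also appended after the last existing import instead of being grouped with the other `org.apache.ranger.view` and `javax.servlet` imports, which the file otherwise keeps together.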
@@ -1131,4 +1135,165 @@ public class XUserMgr extends XUserMgrBase {
vxAuditMapList.setTotalCount(auditMapList.size());
}
+ public void checkAccessRoles(List<String> stringRolesList) {
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+ if (session != null && stringRolesList!=null) {
+ if (!session.isUserAdmin() && !session.isKeyAdmin()) {
+ throw restErrorUtil.create403RESTException("Permission"
+ + " denied. LoggedInUser="
+ + (session != null ? session.getXXPortalUser().getId()
+ : "Not Logged In")
+ + " ,isn't permitted to perform the action.");
+ }else{
+ if (session.isUserAdmin() && stringRolesList.contains(RangerConstants.ROLE_KEY_ADMIN)) {
+ throw restErrorUtil.create403RESTException("Permission"
+ + " denied. LoggedInUser="
+ + (session != null ? session.getXXPortalUser().getId()
+ : "")
+ + " isn't permitted to perform the action.");
+ }
+ if (session.isKeyAdmin() && stringRolesList.contains(RangerConstants.ROLE_SYS_ADMIN)) {
+ throw restErrorUtil.create403RESTException("Permission"
+ + " denied. LoggedInUser="
+ + (session != null ? session.getXXPortalUser().getId()
+ : "")
+ + " isn't permitted to perform the action.");
+ }
+ }
+ }else{
+ VXResponse vXResponse = new VXResponse();
+ vXResponse.setStatusCode(HttpServletResponse.SC_UNAUTHORIZED);
+ vXResponse.setMsgDesc("Bad Credentials");
+ throw restErrorUtil.generateRESTException(vXResponse);
+ }
+ }
+
+ public VXStringList setUserRolesByExternalID(Long userId, List<VXString> vStringRolesList) {
+ List<String> roleListNewProfile = new ArrayList<String>();
+ if(vStringRolesList!=null){
+ for (VXString vXString : vStringRolesList) {
+ roleListNewProfile.add(vXString.getValue());
+ }
+ }
+ checkAccessRoles(roleListNewProfile);
+ VXUser vXUser=getXUser(userId);
+ List<XXPortalUserRole> portalUserRoleList =null;
+ if(vXUser!=null && roleListNewProfile.size()>0){
+ VXPortalUser oldUserProfile = userMgr.getUserProfileByLoginId(vXUser.getName());
+ if(oldUserProfile!=null){
+ updateUserRolesPermissions(oldUserProfile,roleListNewProfile);
+ portalUserRoleList = daoManager.getXXPortalUserRole().findByUserId(oldUserProfile.getId());
+ return getStringListFromUserRoleList(portalUserRoleList);
+ }else{
+ throw restErrorUtil.createRESTException("User ID doesn't exist.", MessageEnums.INVALID_INPUT_DATA);
+ }
+ }else{
+ throw restErrorUtil.createRESTException("User ID doesn't exist.", MessageEnums.INVALID_INPUT_DATA);
+ }
+ }
+
+ public VXStringList setUserRolesByName(String userName, List<VXString> vStringRolesList) {
+ List<String> roleListNewProfile = new ArrayList<String>();
+ if(vStringRolesList!=null){
+ for (VXString vXString : vStringRolesList) {
+ roleListNewProfile.add(vXString.getValue());
+ }
+ }
+ checkAccessRoles(roleListNewProfile);
+ if(userName!=null && roleListNewProfile.size()>0){
+ VXPortalUser oldUserProfile = userMgr.getUserProfileByLoginId(userName);
+ if(oldUserProfile!=null){
+ updateUserRolesPermissions(oldUserProfile,roleListNewProfile);
+ List<XXPortalUserRole> portalUserRoleList = daoManager.getXXPortalUserRole().findByUserId(oldUserProfile.getId());
+ return getStringListFromUserRoleList(portalUserRoleList);
+ }else{
+ throw restErrorUtil.createRESTException("Login ID doesn't exist.", MessageEnums.INVALID_INPUT_DATA);
+ }
+ }else{
+ throw restErrorUtil.createRESTException("Login ID doesn't exist.", MessageEnums.INVALID_INPUT_DATA);
+ }
+
+ }
+
+ public VXStringList getUserRolesByExternalID(Long userId) {
+ VXUser vXUser=getXUser(userId);
+ if(vXUser==null){
+ throw restErrorUtil.createRESTException("Please provide a valid ID", MessageEnums.INVALID_INPUT_DATA);
+ }
+ List<XXPortalUserRole> portalUserRoleList =null;
+ VXPortalUser oldUserProfile = userMgr.getUserProfileByLoginId(vXUser.getName());
+ if(oldUserProfile!=null){
+ portalUserRoleList = daoManager.getXXPortalUserRole().findByUserId(oldUserProfile.getId());
+ return getStringListFromUserRoleList(portalUserRoleList);
+ }else{
+ throw restErrorUtil.createRESTException("User ID doesn't exist.", MessageEnums.INVALID_INPUT_DATA);
+ }
+ }
+
+ public VXStringList getUserRolesByName(String userName) {
+ VXPortalUser vXPortalUser=null;
+ if(userName!=null && !userName.trim().isEmpty()){
+ vXPortalUser = userMgr.getUserProfileByLoginId(userName);
+ if(vXPortalUser!=null && vXPortalUser.getUserRoleList()!=null){
+ List<XXPortalUserRole> portalUserRoleList = daoManager.getXXPortalUserRole().findByUserId(vXPortalUser.getId());
+ return getStringListFromUserRoleList(portalUserRoleList);
+ }else{
+ throw restErrorUtil.createRESTException("Please provide a valid userName", MessageEnums.INVALID_INPUT_DATA);
+ }
+ }else{
+ throw restErrorUtil.createRESTException("Please provide a valid userName", MessageEnums.INVALID_INPUT_DATA);
+ }
+ }
+
+ public void updateUserRolesPermissions(VXPortalUser oldUserProfile,List<String> roleListNewProfile){
+ //update permissions start
+ Collection<String> roleListUpdatedProfile =new ArrayList<String>();
+ if (oldUserProfile != null && oldUserProfile.getId() != null) {
+ Collection<String> roleListOldProfile = oldUserProfile.getUserRoleList();
+ if(roleListNewProfile!=null && roleListOldProfile!=null){
+ for (String role : roleListNewProfile) {
+ if(role!=null && !roleListOldProfile.contains(role)){
+ roleListUpdatedProfile.add(role);
+ }
+ }
+ }
+ }
+ if(roleListUpdatedProfile!=null && roleListUpdatedProfile.size()>0){
+ oldUserProfile.setUserRoleList(roleListUpdatedProfile);
+ List<XXUserPermission> xuserPermissionList = daoManager
+ .getXXUserPermission()
+ .findByUserPermissionId(oldUserProfile.getId());
+ if (xuserPermissionList!=null && xuserPermissionList.size()>0){
+ for (XXUserPermission xXUserPermission : xuserPermissionList) {
+ if (xXUserPermission != null) {
+ xUserPermissionService.deleteResource(xXUserPermission.getId());
+ }
+ }
+ }
+ assignPermissionToUser(oldUserProfile,true);
+ if(roleListUpdatedProfile!=null && roleListUpdatedProfile.size()>0){
+ userMgr.updateRoles(oldUserProfile.getId(), oldUserProfile.getUserRoleList());
+ }
+ }
+ //update permissions end
+ }
+
+ public VXStringList getStringListFromUserRoleList(
+ List<XXPortalUserRole> listXXPortalUserRole) {
+ if(listXXPortalUserRole==null){
+ return null;
+ }
+ List<VXString> xStrList = new ArrayList<VXString>();
+ VXString vXStr=null;
+ for (XXPortalUserRole userRole : listXXPortalUserRole) {
+ if(userRole!=null){
+ vXStr = new VXString();
+ vXStr.setValue(userRole.getUserRole());
+ xStrList.add(vXStr);
+ }
+ }
+ VXStringList vXStringList = new VXStringList(xStrList);
+ return vXStringList;
+ }
+
}
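Review bot: `updateUserRolesPermissions` only collects roles that are in the new list and absent from the old one, so roles omitted from the request are never revoked, and the list handed to `oldUserProfile.setUserRoleList` and `userMgr.updateRoles` is that delta rather than the full desired role set; whether `updateRoles` adds or replaces is outside this hunk, but either way this path cannot remove a role and its Javadoc should say so. `checkAccessRoles` looks only at the requested roles and never at the target account's current roles, so the admin/key-admin separation it enforces is one-directional; if both directions are intended, the callers should also compare against `oldUserProfile.getUserRoleList()` before updating. The `session != null ? session.getXXPortalUser().getId() : …` ternaries sit inside a branch already guarded by `session != null`, so they are dead and should read `session.getXXPortalUser().getId()`. In `setUserRolesByExternalID` and `setUserRolesByName` an empty role list falls into the `else` that reports `"User ID doesn't exist."` / `"Login ID doesn't exist."`, which misdescribes the error; give the role-list check its own branch and message.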
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/de170ab2/security-admin/src/main/java/org/apache/ranger/db/XXGroupPermissionDao.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXGroupPermissionDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXGroupPermissionDao.java
index db69cea..18ca9e3 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXGroupPermissionDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXGroupPermissionDao.java
@@ -80,7 +80,7 @@ public class XXGroupPermissionDao extends BaseDao<XXGroupPermission> {
}
return null;
}
- public List<XXGroupPermission> findbyVXPoratUserId(Long userId) {
+ public List<XXGroupPermission> findbyVXPortalUserId(Long userId) {
if (userId != null) {
try {
return getEntityManager()
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/de170ab2/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
index b7884eb..448a60a 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
@@ -75,6 +75,9 @@ import org.apache.ranger.view.VXModuleDef;
import org.apache.ranger.view.VXModuleDefList;
import org.apache.ranger.view.VXPermMap;
import org.apache.ranger.view.VXPermMapList;
+import org.apache.ranger.view.VXPortalUser;
+import org.apache.ranger.view.VXResponse;
+import org.apache.ranger.view.VXStringList;
import org.apache.ranger.view.VXUser;
import org.apache.ranger.view.VXUserGroupInfo;
import org.apache.ranger.view.VXUserList;
@@ -957,4 +960,42 @@ public class XUserREST {
public void modifyUserActiveStatus(HashMap<Long, Integer> statusMap){
xUserMgr.modifyUserActiveStatus(statusMap);
}
+
+ @PUT
+ @Path("/secure/users/roles/{userId}")
+ @Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SET_USER_ROLES_BY_ID + "\")")
+ public VXStringList setUserRolesByExternalID(@PathParam("userId") Long userId,
+ VXStringList roleList) {
+ return xUserMgr.setUserRolesByExternalID(userId, roleList.getVXStrings());
+ }
+
+ @PUT
+ @Path("/secure/users/roles/userName/{userName}")
+ @Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.SET_USER_ROLES_BY_NAME + "\")")
+ public VXStringList setUserRolesByName(@PathParam("userName") String userName,
+ VXStringList roleList) {
+ return xUserMgr.setUserRolesByName(userName, roleList.getVXStrings());
+ }
+
+ @GET
+ @Path("/secure/users/external/{userId}")
+ @Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_USER_ROLES_BY_ID + "\")")
+ public VXStringList getUserRolesByExternalID(@PathParam("userId") Long userId) {
+ VXStringList vXStringList=new VXStringList();
+ vXStringList=xUserMgr.getUserRolesByExternalID(userId);
+ return vXStringList;
+ }
+
+ @GET
+ @Path("/secure/users/roles/userName/{userName}")
+ @Produces({ "application/xml", "application/json" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.GET_USER_ROLES_BY_NAME + "\")")
+ public VXStringList getUserRolesByName(@PathParam("userName") String userName) {
+ VXStringList vXStringList=new VXStringList();
+ vXStringList=xUserMgr.getUserRolesByName(userName);
+ return vXStringList;
+ }
}
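Review bot: `setUserRolesByExternalID` and `setUserRolesByName` call `roleList.getVXStrings()` with no null check, so a PUT whose body is missing or does not deserialize to a `VXStringList` fails with a NullPointerException inside the resource instead of a controlled client error; reject a null `roleList` before delegating to `xUserMgr`. The two GET methods also allocate `new VXStringList()` only to overwrite it on the next line — `return xUserMgr.getUserRolesByExternalID(userId);` (and the `ByName` twin) says the same thing in one line. Note as well that the GET/PUT pair keyed by name shares `/secure/users/roles/userName/{userName}`, while the id-keyed pair splits across `/secure/users/roles/{userId}` and `/secure/users/external/{userId}`; if that split is not intentional, aligning the GET on `/secure/users/roles/{userId}` keeps the API surface predictable.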
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/de170ab2/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java b/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java
index f10453c..ab16535 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIList.java
@@ -198,4 +198,8 @@ public class RangerAPIList {
public static final String SEARCH_X_GROUP_PERMISSION = "XUserREST.searchXGroupPermission";
public static final String COUNT_X_GROUP_PERMISSION = "XUserREST.countXGroupPermission";
public static final String MODIFY_USER_ACTIVE_STATUS = "XUserREST.modifyUserActiveStatus";
+ public static final String SET_USER_ROLES_BY_ID="XUserREST.setUserRolesByID";
+ public static final String SET_USER_ROLES_BY_NAME="XUserREST.setUserRolesByName";
+ public static final String GET_USER_ROLES_BY_ID="XUserREST.getUserRolesByID";
+ public static final String GET_USER_ROLES_BY_NAME="XUserREST.getUserRolesByName";
}
\ No newline at end of file
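Review bot: The new values `"XUserREST.setUserRolesByID"` and `"XUserREST.getUserRolesByID"` do not match the resource methods they guard, which are named `setUserRolesByExternalID` and `getUserRolesByExternalID` in XUserREST, whereas every neighbouring constant follows `Class.methodName` exactly (`MODIFY_USER_ACTIVE_STATUS` ↔ `modifyUserActiveStatus`). If `isAPIAccessible` or any tooling ever resolves these strings against method names, the mismatch silently breaks the access check for exactly the endpoints that assign roles; `SET_USER_ROLES_BY_ID = "XUserREST.setUserRolesByExternalID"` and `GET_USER_ROLES_BY_ID = "XUserREST.getUserRolesByExternalID"` remove the ambiguity. The four lines also drop the spaces around `=` used by the rest of the file.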
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/de170ab2/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIMapping.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIMapping.java b/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIMapping.java
index adc8e2a..f8966f5 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIMapping.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/context/RangerAPIMapping.java
@@ -345,6 +345,10 @@ public class RangerAPIMapping {
apiAssociatedWithUserAndGroups.add(RangerAPIList.UPDATE);
apiAssociatedWithUserAndGroups.add(RangerAPIList.SET_USER_ROLES);
apiAssociatedWithUserAndGroups.add(RangerAPIList.DEACTIVATE_USER);
+ apiAssociatedWithUserAndGroups.add(RangerAPIList.SET_USER_ROLES_BY_ID);
+ apiAssociatedWithUserAndGroups.add(RangerAPIList.SET_USER_ROLES_BY_NAME);
+ apiAssociatedWithUserAndGroups.add(RangerAPIList.GET_USER_ROLES_BY_ID);
+ apiAssociatedWithUserAndGroups.add(RangerAPIList.GET_USER_ROLES_BY_NAME);
rangerAPIMappingWithUI.put(TAB_USERS_GROUPS, apiAssociatedWithUserAndGroups);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/de170ab2/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java
index 80f5180..6a91834 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java
@@ -45,6 +45,7 @@ public class CustomLogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler
response.setContentType("application/json;charset=UTF-8");
response.setHeader("Cache-Control", "no-cache");
+ response.setHeader("X-Frame-Options", "DENY");
String jsonStr = "";
try {
VXResponse vXResponse = new VXResponse();
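Review bot: `X-Frame-Options: DENY` is being added by hand in seven places in this commit (here, RangerAuthFailureHandler, RangerAuthSuccessHandler, RangerAuthenticationEntryPoint, MyRememberMeFilter, RangerSecurityContextFormationFilter and login.jsp), which means any new response path that forgets the line is unprotected and there is no single spot a reviewer can check. The filter changes in this same commit already set the header before `chain.doFilter`, so if those filters sit ahead of these handlers in the chain the per-handler copies are redundant; one filter placed early enough to cover every response is the robust form. A one-line comment such as `// clickjacking defence; must be set before the response is committed` at the chosen single location would also record why the header exists. Consider pairing it with `Content-Security-Policy: frame-ancestors 'none'` for browsers that honour CSP over the legacy header.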
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/de170ab2/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthFailureHandler.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthFailureHandler.java b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthFailureHandler.java
index 94ce93a..cb4c16a 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthFailureHandler.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthFailureHandler.java
@@ -76,6 +76,7 @@ ExceptionMappingAuthenticationFailureHandler {
response.setContentType("application/json;charset=UTF-8");
response.setHeader("Cache-Control", "no-cache");
+ response.setHeader("X-Frame-Options", "DENY");
String jsonResp = "";
try {
String msg = exception.getMessage();
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/de170ab2/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthSuccessHandler.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthSuccessHandler.java b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthSuccessHandler.java
index 62ba781..bf16a57 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthSuccessHandler.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthSuccessHandler.java
@@ -86,7 +86,7 @@ SavedRequestAwareAuthenticationSuccessHandler {
response.setContentType("application/json;charset=UTF-8");
response.setHeader("Cache-Control", "no-cache");
-
+ response.setHeader("X-Frame-Options", "DENY");
VXResponse vXResponse = new VXResponse();
if(!isValidUser) {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/de170ab2/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
index a3f3ed5..52228dd 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
@@ -78,6 +78,7 @@ public class RangerAuthenticationEntryPoint extends
HttpServletResponse response, AuthenticationException authException)
throws IOException, ServletException {
String ajaxRequestHeader = request.getHeader("X-Requested-With");
+ response.setHeader("X-Frame-Options", "DENY");
if (logger.isDebugEnabled()) {
logger.debug("commence() X-Requested-With=" + ajaxRequestHeader);
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/de170ab2/security-admin/src/main/java/org/apache/ranger/security/web/filter/MyRememberMeFilter.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/MyRememberMeFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/MyRememberMeFilter.java
index d18006e..9867bb0 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/MyRememberMeFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/MyRememberMeFilter.java
@@ -71,8 +71,9 @@ public class MyRememberMeFilter extends RememberMeAuthenticationFilter {
@Override
public void doFilter(ServletRequest arg0, ServletResponse arg1,
FilterChain arg2) throws IOException, ServletException {
- // TODO Auto-generated method stub
- super.doFilter(arg0, arg1, arg2);
+ HttpServletResponse res = (HttpServletResponse)arg1;
+ res.setHeader("X-Frame-Options", "DENY" );
+ super.doFilter(arg0, res, arg2);
}
/*
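Review bot: `(HttpServletResponse)arg1` is an unchecked cast in a method whose contract takes a plain `ServletResponse`; the same pattern appears in the RangerSecurityContextFormationFilter hunk. Inside a servlet container the cast is almost certainly safe, but guarding it costs nothing and keeps the filter honest: `if (arg1 instanceof HttpServletResponse) { ((HttpServletResponse) arg1).setHeader("X-Frame-Options", "DENY"); }` followed by the unchanged `super.doFilter(arg0, arg1, arg2);`. The stray space in `"DENY" )` also differs from the other call sites in this commit.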
@@ -99,6 +100,7 @@ public class MyRememberMeFilter extends RememberMeAuthenticationFilter {
@Override
protected void onSuccessfulAuthentication(HttpServletRequest request,
HttpServletResponse response, Authentication authResult) {
+ response.setHeader("X-Frame-Options", "DENY" );
super.onSuccessfulAuthentication(request, response, authResult);
// if (logger.isDebugEnabled()) {
logger.info("onSuccessfulAuthentication() authResult=" + authResult);
@@ -119,6 +121,7 @@ public class MyRememberMeFilter extends RememberMeAuthenticationFilter {
HttpServletResponse response, AuthenticationException failed) {
logger.error("Authentication failure. failed=" + failed,
new Throwable());
+ response.setHeader("X-Frame-Options", "DENY" );
super.onUnsuccessfulAuthentication(request, response, failed);
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/de170ab2/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
index 52ea841..d92fcbb 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
@@ -29,6 +29,7 @@ import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.log4j.Logger;
@@ -135,7 +136,9 @@ public class RangerSecurityContextFormationFilter extends GenericFilterBean {
// xUserMgr.checkPermissionRoleByGivenUrls(httpRequest.getRequestURL().toString(),httpMethod);
}
- chain.doFilter(request, response);
+ HttpServletResponse res = (HttpServletResponse)response;
+ res.setHeader("X-Frame-Options", "DENY" );
+ chain.doFilter(request, res);
} finally {
// [4]remove context from thread-local
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/de170ab2/security-admin/src/main/webapp/login.jsp
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/login.jsp b/security-admin/src/main/webapp/login.jsp
index 1faae6a..0db6882 100644
--- a/security-admin/src/main/webapp/login.jsp
+++ b/security-admin/src/main/webapp/login.jsp
@@ -55,7 +55,9 @@
</head>
<body class="login" style="">
-
+ <%
+ response.setHeader("X-Frame-Options", "DENY");
+ %>
<!-- Page content
================================================== -->
<section id="signin-container" style="margin-top: 4.5px;">
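Review bot: Setting a response header from a scriptlet inside `<body>` is fragile, because headers added after the JSP output buffer has been flushed are silently discarded, so whether this `X-Frame-Options` actually reaches the browser depends on the size of the markup above it and the page's buffer setting. Moving the scriptlet to the very top of the page, before any output, makes the header reliable; better still, rely on the filter that this commit adds so the JSP needs no header logic at all. A short comment next to the call, `<%-- clickjacking defence; must run before any output is flushed --%>`, would warn the next editor not to push it further down.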
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/de170ab2/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java b/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java
index 479dfde..e617de6 100644
--- a/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java
+++ b/security-admin/src/test/java/org/apache/ranger/biz/TestUserMgr.java
@@ -105,7 +105,10 @@ public class TestUserMgr {
@Mock
SessionMgr sessionMgr;
-
+
+ @Mock
+ XUserMgr xUserMgr;
+
@Rule
public ExpectedException thrown = ExpectedException.none();
@@ -131,10 +134,9 @@ public class TestUserMgr {
return userProfile;
}
- @Ignore("Junit breakage: RANGER-425") // TODO
@Test
public void test11CreateUser() {
- setup();
+ setup();
XXPortalUserDao userDao = Mockito.mock(XXPortalUserDao.class);
XXPortalUserRoleDao roleDao = Mockito.mock(XXPortalUserRoleDao.class);
@@ -188,10 +190,9 @@ public class TestUserMgr {
Mockito.verify(daoManager).getXXPortalUserRole();
}
- @Ignore("Junit breakage: RANGER-425") // TODO
@Test
public void test12CreateUser() {
- setup();
+ setup();
XXPortalUserDao userDao = Mockito.mock(XXPortalUserDao.class);
XXPortalUserRoleDao roleDao = Mockito.mock(XXPortalUserRoleDao.class);
@@ -426,7 +427,7 @@ public class TestUserMgr {
Mockito.when(daoManager.getXXGroupPermission()).thenReturn(
xGroupPermissionDao);
Mockito.when(
- xGroupPermissionDao.findbyVXPoratUserId(userProfile.getId()))
+ xGroupPermissionDao.findbyVXPortalUserId(userProfile.getId()))
.thenReturn(xGroupPermissionList);
VXPortalUser dbVXPortalUser = userMgr.createUser(userProfile);
@@ -710,7 +711,7 @@ public class TestUserMgr {
Mockito.when(daoManager.getXXGroupPermission()).thenReturn(
xGroupPermissionDao);
Mockito.when(
- xGroupPermissionDao.findbyVXPoratUserId(userProfile.getId()))
+ xGroupPermissionDao.findbyVXPortalUserId(userProfile.getId()))
.thenReturn(xGroupPermissionList);
Mockito.when(
@@ -744,6 +745,7 @@ public class TestUserMgr {
@Test
public void test30checkAccess() {
+ setup();
XXPortalUserDao xPortalUserDao = Mockito.mock(XXPortalUserDao.class);
XXPortalUser xPortalUser = Mockito.mock(XXPortalUser.class);
Mockito.when(daoManager.getXXPortalUser()).thenReturn(xPortalUserDao);
@@ -755,6 +757,7 @@ public class TestUserMgr {
@Test
public void test31getUserProfile() {
+ setup();
XXPortalUserDao xPortalUserDao = Mockito.mock(XXPortalUserDao.class);
XXPortalUser xPortalUser = Mockito.mock(XXPortalUser.class);
XXUserPermissionDao xUserPermissionDao = Mockito
@@ -812,7 +815,7 @@ public class TestUserMgr {
Mockito.when(daoManager.getXXGroupPermission()).thenReturn(
xGroupPermissionDao);
Mockito.when(
- xGroupPermissionDao.findbyVXPoratUserId(userProfile.getId()))
+ xGroupPermissionDao.findbyVXPortalUserId(userProfile.getId()))
.thenReturn(xGroupPermissionList);
VXPortalUser dbVXPortalUser = userMgr.getUserProfile(userId);
Assert.assertNotNull(dbVXPortalUser);
@@ -825,6 +828,7 @@ public class TestUserMgr {
@Test
public void test32getUserProfileByLoginId() {
+ setup();
XXPortalUserDao xPortalUserDao = Mockito.mock(XXPortalUserDao.class);
XXPortalUser xPortalUser = Mockito.mock(XXPortalUser.class);
Mockito.when(daoManager.getXXPortalUser()).thenReturn(xPortalUserDao);
@@ -836,24 +840,175 @@ public class TestUserMgr {
Mockito.verify(daoManager).getXXPortalUser();
}
- @Ignore("Junit breakage: RANGER-526") // TODO
+
@Test
public void test33setUserRoles() {
- XXPortalUserRoleDao xPortalUserRoleDao = Mockito.mock(XXPortalUserRoleDao.class);
+ setup();
+ XXPortalUserRoleDao xPortalUserRoleDao = Mockito
+ .mock(XXPortalUserRoleDao.class);
+ XXPortalUserDao userDao = Mockito.mock(XXPortalUserDao.class);
+ XXUserPermissionDao xUserPermissionDao = Mockito
+ .mock(XXUserPermissionDao.class);
+ XXGroupPermissionDao xGroupPermissionDao = Mockito
+ .mock(XXGroupPermissionDao.class);
+ XXModuleDefDao xModuleDefDao = Mockito.mock(XXModuleDefDao.class);
+
+ VXPortalUser userProfile = userProfile();
+ XXPortalUser user = new XXPortalUser();
+ user.setEmailAddress(userProfile.getEmailAddress());
+ user.setFirstName(userProfile.getFirstName());
+ user.setLastName(userProfile.getLastName());
+ user.setLoginId(userProfile.getLoginId());
+ user.setPassword(userProfile.getPassword());
+ user.setUserSource(userProfile.getUserSource());
+ user.setPublicScreenName(userProfile.getPublicScreenName());
+ user.setId(userProfile.getId());
+
List<VXString> vStringRolesList = new ArrayList<VXString>();
VXString vXStringObj = new VXString();
- vXStringObj.setValue("1L");
+ vXStringObj.setValue("ROLE_USER");
vStringRolesList.add(vXStringObj);
-
+
List<XXPortalUserRole> xPortalUserRoleList = new ArrayList<XXPortalUserRole>();
XXPortalUserRole XXPortalUserRole = new XXPortalUserRole();
XXPortalUserRole.setId(userId);
+ XXPortalUserRole.setUserId(userId);
XXPortalUserRole.setUserRole("ROLE_USER");
xPortalUserRoleList.add(XXPortalUserRole);
-
- Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(xPortalUserRoleDao);
- Mockito.when(xPortalUserRoleDao.findByUserId(userId))
- .thenReturn(xPortalUserRoleList);
+
+ List<XXUserPermission> xUserPermissionsList = new ArrayList<XXUserPermission>();
+ XXUserPermission xUserPermissionObj = new XXUserPermission();
+ xUserPermissionObj.setAddedByUserId(userId);
+ xUserPermissionObj.setCreateTime(new Date());
+ xUserPermissionObj.setId(userId);
+ xUserPermissionObj.setIsAllowed(1);
+ xUserPermissionObj.setModuleId(1L);
+ xUserPermissionObj.setUpdatedByUserId(userId);
+ xUserPermissionObj.setUpdateTime(new Date());
+ xUserPermissionObj.setUserId(userId);
+ xUserPermissionsList.add(xUserPermissionObj);
+
+ List<XXGroupPermission> xGroupPermissionList = new ArrayList<XXGroupPermission>();
+ XXGroupPermission xGroupPermissionObj = new XXGroupPermission();
+ xGroupPermissionObj.setAddedByUserId(userId);
+ xGroupPermissionObj.setCreateTime(new Date());
+ xGroupPermissionObj.setId(userId);
+ xGroupPermissionObj.setIsAllowed(1);
+ xGroupPermissionObj.setModuleId(1L);
+ xGroupPermissionObj.setUpdatedByUserId(userId);
+ xGroupPermissionObj.setUpdateTime(new Date());
+ xGroupPermissionObj.setGroupId(userId);
+ xGroupPermissionList.add(xGroupPermissionObj);
+
+ List<VXGroupPermission> groupPermList = new ArrayList<VXGroupPermission>();
+ VXGroupPermission groupPermission = new VXGroupPermission();
+ groupPermission.setId(1L);
+ groupPermission.setIsAllowed(1);
+ groupPermission.setModuleId(1L);
+ groupPermission.setGroupId(userId);
+ groupPermission.setGroupName("xyz");
+ groupPermission.setOwner("admin");
+ groupPermList.add(groupPermission);
+
+ XXModuleDef xModuleDef = new XXModuleDef();
+ xModuleDef.setUpdatedByUserId(userId);
+ xModuleDef.setAddedByUserId(userId);
+ xModuleDef.setCreateTime(new Date());
+ xModuleDef.setId(userId);
+ xModuleDef.setModule("Policy manager");
+ xModuleDef.setUpdateTime(new Date());
+ xModuleDef.setUrl("/policy manager");
+
+ VXUserPermission userPermission = new VXUserPermission();
+ userPermission.setId(1L);
+ userPermission.setIsAllowed(1);
+ userPermission.setModuleId(1L);
+ userPermission.setUserId(userId);
+ userPermission.setUserName("xyz");
+ userPermission.setOwner("admin");
+
+ Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(
+ xPortalUserRoleDao);
+ Mockito.when(xPortalUserRoleDao.findByUserId(userId)).thenReturn(
+ xPortalUserRoleList);
+ Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao);
+ Mockito.when(userDao.getById(userId)).thenReturn(user);
+ Mockito.when(daoManager.getXXUserPermission()).thenReturn(
+ xUserPermissionDao);
+ Mockito.when(
+ xUserPermissionDao
+ .findByUserPermissionIdAndIsAllowed(userProfile.getId()))
+ .thenReturn(xUserPermissionsList);
+ Mockito.when(daoManager.getXXGroupPermission()).thenReturn(
+ xGroupPermissionDao);
+ Mockito.when(
+ xGroupPermissionDao.findbyVXPortalUserId(userProfile.getId()))
+ .thenReturn(xGroupPermissionList);
+ Mockito.when(
+ xGroupPermissionService.populateViewBean(xGroupPermissionObj))
+ .thenReturn(groupPermission);
+ Mockito.when(daoManager.getXXModuleDef()).thenReturn(xModuleDefDao);
+ Mockito.when(xModuleDefDao.findByModuleId(Mockito.anyLong()))
+ .thenReturn(xModuleDef);
+ Mockito.when(
+ xUserPermissionService.populateViewBean(xUserPermissionObj))
+ .thenReturn(userPermission);
+ Mockito.when(daoManager.getXXModuleDef()).thenReturn(xModuleDefDao);
+ Mockito.when(xModuleDefDao.findByModuleId(Mockito.anyLong()))
+ .thenReturn(xModuleDef);
+
+ userMgr.checkAccess(userId);
userMgr.setUserRoles(userId, vStringRolesList);
+
+ Mockito.verify(daoManager).getXXUserPermission();
+ Mockito.verify(daoManager).getXXGroupPermission();
+ Mockito.verify(xGroupPermissionService).populateViewBean(
+ xGroupPermissionObj);
+ Mockito.verify(xUserPermissionService).populateViewBean(
+ xUserPermissionObj);
}
+
+ @Test
+ public void test19updateRoles() {
+ //setup();
+ Collection<String> rolesList = new ArrayList<String>();
+ rolesList.add("ROLE_USER");
+ rolesList.add("ROLE_ADMIN");
+ XXPortalUserRole XXPortalUserRole = new XXPortalUserRole();
+ XXPortalUserRole.setId(userId);
+ XXPortalUserRole.setUserRole("ROLE_USER");
+ List<XXPortalUserRole> list = new ArrayList<XXPortalUserRole>();
+ list.add(XXPortalUserRole);
+ XXPortalUserRoleDao userDao = Mockito.mock(XXPortalUserRoleDao.class);
+ Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(userDao);
+ Mockito.when(userDao.findByUserId(userId)).thenReturn(list);
+ boolean isFound = userMgr.updateRoles(userId, rolesList);
+ Assert.assertFalse(isFound);
+ }
+
+ @Test
+ public void test20UpdateUserWithPass() {
+ XXPortalUserDao userDao = Mockito.mock(XXPortalUserDao.class);
+ VXPortalUser userProfile = userProfile();
+ String userName = userProfile.getFirstName();
+ String userPassword = userProfile.getPassword();
+ XXPortalUser user = new XXPortalUser();
+ user.setEmailAddress(userProfile.getEmailAddress());
+ user.setFirstName(userProfile.getFirstName());
+ user.setLastName(userProfile.getLastName());
+ user.setLoginId(userProfile.getLoginId());
+ user.setPassword(userProfile.getPassword());
+ user.setUserSource(userProfile.getUserSource());
+ user.setPublicScreenName(userProfile.getPublicScreenName());
+ user.setId(userProfile.getId());
+ Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao);
+ Mockito.when(userDao.findByLoginId(Mockito.anyString())).thenReturn(
+ user);
+ Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao);
+ Mockito.when(userDao.update(user)).thenReturn(user);
+ XXPortalUser dbXXPortalUser = userMgr.updatePasswordInSHA256(userName,
+ userPassword);
+ Assert.assertNotNull(dbXXPortalUser);
+ }
+
}
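Review bot: `test33setUserRoles` never asserts the outcome of `userMgr.setUserRoles` — it only verifies that permission DAOs and `populateViewBean` were invoked — so the test passes even if the role list is left untouched; an assertion on the roles written back (for example via `xPortalUserRoleDao`) would make it a real test. The same method stubs `daoManager.getXXModuleDef()` and `xModuleDefDao.findByModuleId(Mockito.anyLong())` twice, and `test20UpdateUserWithPass` stubs `daoManager.getXXPortalUser()` twice; the second copies can be deleted. `test19updateRoles` carries a commented-out `//setup();` and asserts `Assert.assertFalse(isFound)` on a method called `updateRoles` with no message saying why false is the expected result, which will puzzle the next reader; either delete the dead line or explain it, and name the expectation in the assertion.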
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/de170ab2/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java
index cda423e..e992190 100644
--- a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java
+++ b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java
@@ -61,10 +61,12 @@ import org.apache.ranger.view.VXGroupUser;
import org.apache.ranger.view.VXGroupUserList;
import org.apache.ranger.view.VXModuleDef;
import org.apache.ranger.view.VXPortalUser;
+import org.apache.ranger.view.VXStringList;
import org.apache.ranger.view.VXUser;
import org.apache.ranger.view.VXUserGroupInfo;
import org.apache.ranger.view.VXUserList;
import org.apache.ranger.view.VXUserPermission;
+import org.apache.ranger.view.VXString;
import org.junit.Assert;
import org.junit.FixMethodOrder;
import org.junit.Rule;
@@ -211,7 +213,19 @@ public class TestXUserMgr {
return groupPermission;
}
- @Ignore("temp disable")
+ private VXPortalUser userProfile() {
+ VXPortalUser userProfile = new VXPortalUser();
+ userProfile.setEmailAddress("test@test.com");
+ userProfile.setFirstName("user12");
+ userProfile.setLastName("test12");
+ userProfile.setLoginId("134");
+ userProfile.setPassword("usertest12323");
+ userProfile.setUserSource(123);
+ userProfile.setPublicScreenName("user");
+ userProfile.setId(userId);
+ return userProfile;
+ }
+
@Test
public void test11CreateXUser() {
setup();
@@ -1147,4 +1161,499 @@ public class TestXUserMgr {
Assert.assertNotNull(list);
Mockito.verify(xUserService).getXUserByUserName(userName);
}
+
+ @Test
+ public void test45setUserRolesByExternalID() {
+ setup();
+ XXPortalUserRoleDao xPortalUserRoleDao = Mockito
+ .mock(XXPortalUserRoleDao.class);
+ XXPortalUserDao userDao = Mockito.mock(XXPortalUserDao.class);
+ XXUserPermissionDao xUserPermissionDao = Mockito
+ .mock(XXUserPermissionDao.class);
+ XXGroupPermissionDao xGroupPermissionDao = Mockito
+ .mock(XXGroupPermissionDao.class);
+ XXModuleDefDao xModuleDefDao = Mockito.mock(XXModuleDefDao.class);
+
+ VXUser vXUser = vxUser();
+ VXPortalUser userProfile = userProfile();
+ XXPortalUser user = new XXPortalUser();
+ user.setEmailAddress(userProfile.getEmailAddress());
+ user.setFirstName(userProfile.getFirstName());
+ user.setLastName(userProfile.getLastName());
+ user.setLoginId(userProfile.getLoginId());
+ user.setPassword(userProfile.getPassword());
+ user.setUserSource(userProfile.getUserSource());
+ user.setPublicScreenName(userProfile.getPublicScreenName());
+ user.setId(userProfile.getId());
+
+ List<VXString> vStringRolesList = new ArrayList<VXString>();
+ VXString vXStringObj = new VXString();
+ vXStringObj.setValue("ROLE_USER");
+ vStringRolesList.add(vXStringObj);
+
+ List<XXPortalUserRole> xPortalUserRoleList = new ArrayList<XXPortalUserRole>();
+ XXPortalUserRole XXPortalUserRole = new XXPortalUserRole();
+ XXPortalUserRole.setId(userId);
+ XXPortalUserRole.setUserId(userId);
+ XXPortalUserRole.setUserRole("ROLE_USER");
+ xPortalUserRoleList.add(XXPortalUserRole);
+
+ List<XXUserPermission> xUserPermissionsList = new ArrayList<XXUserPermission>();
+ XXUserPermission xUserPermissionObj = new XXUserPermission();
+ xUserPermissionObj.setAddedByUserId(userId);
+ xUserPermissionObj.setCreateTime(new Date());
+ xUserPermissionObj.setId(userId);
+ xUserPermissionObj.setIsAllowed(1);
+ xUserPermissionObj.setModuleId(1L);
+ xUserPermissionObj.setUpdatedByUserId(userId);
+ xUserPermissionObj.setUpdateTime(new Date());
+ xUserPermissionObj.setUserId(userId);
+ xUserPermissionsList.add(xUserPermissionObj);
+
+ List<XXGroupPermission> xGroupPermissionList = new ArrayList<XXGroupPermission>();
+ XXGroupPermission xGroupPermissionObj = new XXGroupPermission();
+ xGroupPermissionObj.setAddedByUserId(userId);
+ xGroupPermissionObj.setCreateTime(new Date());
+ xGroupPermissionObj.setId(userId);
+ xGroupPermissionObj.setIsAllowed(1);
+ xGroupPermissionObj.setModuleId(1L);
+ xGroupPermissionObj.setUpdatedByUserId(userId);
+ xGroupPermissionObj.setUpdateTime(new Date());
+ xGroupPermissionObj.setGroupId(userId);
+ xGroupPermissionList.add(xGroupPermissionObj);
+
+ List<VXGroupPermission> groupPermList = new ArrayList<VXGroupPermission>();
+ VXGroupPermission groupPermission = new VXGroupPermission();
+ groupPermission.setId(1L);
+ groupPermission.setIsAllowed(1);
+ groupPermission.setModuleId(1L);
+ groupPermission.setGroupId(userId);
+ groupPermission.setGroupName("xyz");
+ groupPermission.setOwner("admin");
+ groupPermList.add(groupPermission);
+
+ XXModuleDef xModuleDef = new XXModuleDef();
+ xModuleDef.setUpdatedByUserId(userId);
+ xModuleDef.setAddedByUserId(userId);
+ xModuleDef.setCreateTime(new Date());
+ xModuleDef.setId(userId);
+ xModuleDef.setModule("Policy manager");
+ xModuleDef.setUpdateTime(new Date());
+ xModuleDef.setUrl("/policy manager");
+
+ VXUserPermission userPermission = new VXUserPermission();
+ userPermission.setId(1L);
+ userPermission.setIsAllowed(1);
+ userPermission.setModuleId(1L);
+ userPermission.setUserId(userId);
+ userPermission.setUserName("xyz");
+ userPermission.setOwner("admin");
+
+ Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(
+ xPortalUserRoleDao);
+ Mockito.when(xPortalUserRoleDao.findByUserId(userId)).thenReturn(
+ xPortalUserRoleList);
+ Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao);
+ Mockito.when(userDao.getById(userId)).thenReturn(user);
+ Mockito.when(daoManager.getXXUserPermission()).thenReturn(
+ xUserPermissionDao);
+ Mockito.when(
+ xUserPermissionDao
+ .findByUserPermissionIdAndIsAllowed(userProfile.getId()))
+ .thenReturn(xUserPermissionsList);
+ Mockito.when(daoManager.getXXGroupPermission()).thenReturn(
+ xGroupPermissionDao);
+ Mockito.when(
+ xGroupPermissionDao.findbyVXPortalUserId(userProfile.getId()))
+ .thenReturn(xGroupPermissionList);
+ Mockito.when(
+ xGroupPermissionService.populateViewBean(xGroupPermissionObj))
+ .thenReturn(groupPermission);
+ Mockito.when(daoManager.getXXModuleDef()).thenReturn(xModuleDefDao);
+ Mockito.when(xModuleDefDao.findByModuleId(Mockito.anyLong()))
+ .thenReturn(xModuleDef);
+ Mockito.when(
+ xUserPermissionService.populateViewBean(xUserPermissionObj))
+ .thenReturn(userPermission);
+ Mockito.when(daoManager.getXXModuleDef()).thenReturn(xModuleDefDao);
+ Mockito.when(xModuleDefDao.findByModuleId(Mockito.anyLong()))
+ .thenReturn(xModuleDef);
+ Mockito.when(xUserMgr.getXUser(userId)).thenReturn(vXUser);
+ Mockito.when(userMgr.getUserProfileByLoginId(vXUser.getName()))
+ .thenReturn(userProfile);
+ VXStringList vXStringList = xUserMgr.setUserRolesByExternalID(userId,
+ vStringRolesList);
+ Assert.assertNotNull(vXStringList);
+ }
+
+ @Test
+ public void test46setUserRolesByName() {
+ setup();
+ XXPortalUserRoleDao xPortalUserRoleDao = Mockito
+ .mock(XXPortalUserRoleDao.class);
+ XXPortalUserDao userDao = Mockito.mock(XXPortalUserDao.class);
+ XXUserPermissionDao xUserPermissionDao = Mockito
+ .mock(XXUserPermissionDao.class);
+ XXGroupPermissionDao xGroupPermissionDao = Mockito
+ .mock(XXGroupPermissionDao.class);
+ XXModuleDefDao xModuleDefDao = Mockito.mock(XXModuleDefDao.class);
+
+ VXPortalUser userProfile = userProfile();
+ XXPortalUser user = new XXPortalUser();
+ user.setEmailAddress(userProfile.getEmailAddress());
+ user.setFirstName(userProfile.getFirstName());
+ user.setLastName(userProfile.getLastName());
+ user.setLoginId(userProfile.getLoginId());
+ user.setPassword(userProfile.getPassword());
+ user.setUserSource(userProfile.getUserSource());
+ user.setPublicScreenName(userProfile.getPublicScreenName());
+ user.setId(userProfile.getId());
+
+ List<VXString> vStringRolesList = new ArrayList<VXString>();
+ VXString vXStringObj = new VXString();
+ vXStringObj.setValue("ROLE_USER");
+ vStringRolesList.add(vXStringObj);
+
+ List<XXPortalUserRole> xPortalUserRoleList = new ArrayList<XXPortalUserRole>();
+ XXPortalUserRole XXPortalUserRole = new XXPortalUserRole();
+ XXPortalUserRole.setId(userId);
+ XXPortalUserRole.setUserId(userId);
+ XXPortalUserRole.setUserRole("ROLE_USER");
+ xPortalUserRoleList.add(XXPortalUserRole);
+
+ List<XXUserPermission> xUserPermissionsList = new ArrayList<XXUserPermission>();
+ XXUserPermission xUserPermissionObj = new XXUserPermission();
+ xUserPermissionObj.setAddedByUserId(userId);
+ xUserPermissionObj.setCreateTime(new Date());
+ xUserPermissionObj.setId(userId);
+ xUserPermissionObj.setIsAllowed(1);
+ xUserPermissionObj.setModuleId(1L);
+ xUserPermissionObj.setUpdatedByUserId(userId);
+ xUserPermissionObj.setUpdateTime(new Date());
+ xUserPermissionObj.setUserId(userId);
+ xUserPermissionsList.add(xUserPermissionObj);
+
+ List<XXGroupPermission> xGroupPermissionList = new ArrayList<XXGroupPermission>();
+ XXGroupPermission xGroupPermissionObj = new XXGroupPermission();
+ xGroupPermissionObj.setAddedByUserId(userId);
+ xGroupPermissionObj.setCreateTime(new Date());
+ xGroupPermissionObj.setId(userId);
+ xGroupPermissionObj.setIsAllowed(1);
+ xGroupPermissionObj.setModuleId(1L);
+ xGroupPermissionObj.setUpdatedByUserId(userId);
+ xGroupPermissionObj.setUpdateTime(new Date());
+ xGroupPermissionObj.setGroupId(userId);
+ xGroupPermissionList.add(xGroupPermissionObj);
+
+ List<VXGroupPermission> groupPermList = new ArrayList<VXGroupPermission>();
+ VXGroupPermission groupPermission = new VXGroupPermission();
+ groupPermission.setId(1L);
+ groupPermission.setIsAllowed(1);
+ groupPermission.setModuleId(1L);
+ groupPermission.setGroupId(userId);
+ groupPermission.setGroupName("xyz");
+ groupPermission.setOwner("admin");
+ groupPermList.add(groupPermission);
+
+ XXModuleDef xModuleDef = new XXModuleDef();
+ xModuleDef.setUpdatedByUserId(userId);
+ xModuleDef.setAddedByUserId(userId);
+ xModuleDef.setCreateTime(new Date());
+ xModuleDef.setId(userId);
+ xModuleDef.setModule("Policy manager");
+ xModuleDef.setUpdateTime(new Date());
+ xModuleDef.setUrl("/policy manager");
+
+ VXUserPermission userPermission = new VXUserPermission();
+ userPermission.setId(1L);
+ userPermission.setIsAllowed(1);
+ userPermission.setModuleId(1L);
+ userPermission.setUserId(userId);
+ userPermission.setUserName("xyz");
+ userPermission.setOwner("admin");
+
+ Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(
+ xPortalUserRoleDao);
+ Mockito.when(xPortalUserRoleDao.findByUserId(userId)).thenReturn(
+ xPortalUserRoleList);
+ Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao);
+ Mockito.when(userDao.getById(userId)).thenReturn(user);
+ Mockito.when(daoManager.getXXUserPermission()).thenReturn(
+ xUserPermissionDao);
+ Mockito.when(
+ xUserPermissionDao
+ .findByUserPermissionIdAndIsAllowed(userProfile.getId()))
+ .thenReturn(xUserPermissionsList);
+ Mockito.when(daoManager.getXXGroupPermission()).thenReturn(
+ xGroupPermissionDao);
+ Mockito.when(
+ xGroupPermissionDao.findbyVXPortalUserId(userProfile.getId()))
+ .thenReturn(xGroupPermissionList);
+ Mockito.when(
+ xGroupPermissionService.populateViewBean(xGroupPermissionObj))
+ .thenReturn(groupPermission);
+ Mockito.when(daoManager.getXXModuleDef()).thenReturn(xModuleDefDao);
+ Mockito.when(xModuleDefDao.findByModuleId(Mockito.anyLong()))
+ .thenReturn(xModuleDef);
+ Mockito.when(
+ xUserPermissionService.populateViewBean(xUserPermissionObj))
+ .thenReturn(userPermission);
+ Mockito.when(daoManager.getXXModuleDef()).thenReturn(xModuleDefDao);
+ Mockito.when(xModuleDefDao.findByModuleId(Mockito.anyLong()))
+ .thenReturn(xModuleDef);
+ Mockito.when(userMgr.getUserProfileByLoginId(userProfile.getLoginId()))
+ .thenReturn(userProfile);
+ VXStringList vXStringList = xUserMgr.setUserRolesByName(
+ userProfile.getLoginId(), vStringRolesList);
+ Assert.assertNotNull(vXStringList);
+ }
+
+ @Test
+ public void test47getUserRolesByExternalID() {
+ setup();
+ XXPortalUserRoleDao xPortalUserRoleDao = Mockito
+ .mock(XXPortalUserRoleDao.class);
+ XXPortalUserDao userDao = Mockito.mock(XXPortalUserDao.class);
+ XXUserPermissionDao xUserPermissionDao = Mockito
+ .mock(XXUserPermissionDao.class);
+ XXGroupPermissionDao xGroupPermissionDao = Mockito
+ .mock(XXGroupPermissionDao.class);
+ XXModuleDefDao xModuleDefDao = Mockito.mock(XXModuleDefDao.class);
+
+ VXUser vXUser = vxUser();
+ VXPortalUser userProfile = userProfile();
+ XXPortalUser user = new XXPortalUser();
+ user.setEmailAddress(userProfile.getEmailAddress());
+ user.setFirstName(userProfile.getFirstName());
+ user.setLastName(userProfile.getLastName());
+ user.setLoginId(userProfile.getLoginId());
+ user.setPassword(userProfile.getPassword());
+ user.setUserSource(userProfile.getUserSource());
+ user.setPublicScreenName(userProfile.getPublicScreenName());
+ user.setId(userProfile.getId());
+
+ List<VXString> vStringRolesList = new ArrayList<VXString>();
+ VXString vXStringObj = new VXString();
+ vXStringObj.setValue("ROLE_USER");
+ vStringRolesList.add(vXStringObj);
+
+ List<XXPortalUserRole> xPortalUserRoleList = new ArrayList<XXPortalUserRole>();
+ XXPortalUserRole XXPortalUserRole = new XXPortalUserRole();
+ XXPortalUserRole.setId(userId);
+ XXPortalUserRole.setUserId(userId);
+ XXPortalUserRole.setUserRole("ROLE_USER");
+ xPortalUserRoleList.add(XXPortalUserRole);
+
+ List<XXUserPermission> xUserPermissionsList = new ArrayList<XXUserPermission>();
+ XXUserPermission xUserPermissionObj = new XXUserPermission();
+ xUserPermissionObj.setAddedByUserId(userId);
+ xUserPermissionObj.setCreateTime(new Date());
+ xUserPermissionObj.setId(userId);
+ xUserPermissionObj.setIsAllowed(1);
+ xUserPermissionObj.setModuleId(1L);
+ xUserPermissionObj.setUpdatedByUserId(userId);
+ xUserPermissionObj.setUpdateTime(new Date());
+ xUserPermissionObj.setUserId(userId);
+ xUserPermissionsList.add(xUserPermissionObj);
+
+ List<XXGroupPermission> xGroupPermissionList = new ArrayList<XXGroupPermission>();
+ XXGroupPermission xGroupPermissionObj = new XXGroupPermission();
+ xGroupPermissionObj.setAddedByUserId(userId);
+ xGroupPermissionObj.setCreateTime(new Date());
+ xGroupPermissionObj.setId(userId);
+ xGroupPermissionObj.setIsAllowed(1);
+ xGroupPermissionObj.setModuleId(1L);
+ xGroupPermissionObj.setUpdatedByUserId(userId);
+ xGroupPermissionObj.setUpdateTime(new Date());
+ xGroupPermissionObj.setGroupId(userId);
+ xGroupPermissionList.add(xGroupPermissionObj);
+
+ List<VXGroupPermission> groupPermList = new ArrayList<VXGroupPermission>();
+ VXGroupPermission groupPermission = new VXGroupPermission();
+ groupPermission.setId(1L);
+ groupPermission.setIsAllowed(1);
+ groupPermission.setModuleId(1L);
+ groupPermission.setGroupId(userId);
+ groupPermission.setGroupName("xyz");
+ groupPermission.setOwner("admin");
+ groupPermList.add(groupPermission);
+
+ XXModuleDef xModuleDef = new XXModuleDef();
+ xModuleDef.setUpdatedByUserId(userId);
+ xModuleDef.setAddedByUserId(userId);
+ xModuleDef.setCreateTime(new Date());
+ xModuleDef.setId(userId);
+ xModuleDef.setModule("Policy manager");
+ xModuleDef.setUpdateTime(new Date());
+ xModuleDef.setUrl("/policy manager");
+
+ VXUserPermission userPermission = new VXUserPermission();
+ userPermission.setId(1L);
+ userPermission.setIsAllowed(1);
+ userPermission.setModuleId(1L);
+ userPermission.setUserId(userId);
+ userPermission.setUserName("xyz");
+ userPermission.setOwner("admin");
+
+ Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(
+ xPortalUserRoleDao);
+ Mockito.when(xPortalUserRoleDao.findByUserId(userId)).thenReturn(
+ xPortalUserRoleList);
+ Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao);
+ Mockito.when(userDao.getById(userId)).thenReturn(user);
+ Mockito.when(daoManager.getXXUserPermission()).thenReturn(
+ xUserPermissionDao);
+ Mockito.when(
+ xUserPermissionDao
+ .findByUserPermissionIdAndIsAllowed(userProfile.getId()))
+ .thenReturn(xUserPermissionsList);
+ Mockito.when(daoManager.getXXGroupPermission()).thenReturn(
+ xGroupPermissionDao);
+ Mockito.when(
+ xGroupPermissionDao.findbyVXPortalUserId(userProfile.getId()))
+ .thenReturn(xGroupPermissionList);
+ Mockito.when(
+ xGroupPermissionService.populateViewBean(xGroupPermissionObj))
+ .thenReturn(groupPermission);
+ Mockito.when(daoManager.getXXModuleDef()).thenReturn(xModuleDefDao);
+ Mockito.when(xModuleDefDao.findByModuleId(Mockito.anyLong()))
+ .thenReturn(xModuleDef);
+ Mockito.when(
+ xUserPermissionService.populateViewBean(xUserPermissionObj))
+ .thenReturn(userPermission);
+ Mockito.when(daoManager.getXXModuleDef()).thenReturn(xModuleDefDao);
+ Mockito.when(xModuleDefDao.findByModuleId(Mockito.anyLong()))
+ .thenReturn(xModuleDef);
+ Mockito.when(xUserMgr.getXUser(userId)).thenReturn(vXUser);
+ Mockito.when(userMgr.getUserProfileByLoginId(vXUser.getName()))
+ .thenReturn(userProfile);
+ VXStringList vXStringList = xUserMgr.getUserRolesByExternalID(userId);
+ Assert.assertNotNull(vXStringList);
+ }
+
+ @Test
+ public void test48getUserRolesByName() {
+ setup();
+ XXPortalUserRoleDao xPortalUserRoleDao = Mockito
+ .mock(XXPortalUserRoleDao.class);
+ XXPortalUserDao userDao = Mockito.mock(XXPortalUserDao.class);
+ XXUserPermissionDao xUserPermissionDao = Mockito
+ .mock(XXUserPermissionDao.class);
+ XXGroupPermissionDao xGroupPermissionDao = Mockito
+ .mock(XXGroupPermissionDao.class);
+ XXModuleDefDao xModuleDefDao = Mockito.mock(XXModuleDefDao.class);
+
+ VXPortalUser userProfile = userProfile();
+ Collection<String> userRoleList = new ArrayList<String>();
+ userRoleList.add("ROLE_USER");
+ userProfile.setUserRoleList(userRoleList);
+
+ XXPortalUser user = new XXPortalUser();
+ user.setEmailAddress(userProfile.getEmailAddress());
+ user.setFirstName(userProfile.getFirstName());
+ user.setLastName(userProfile.getLastName());
+ user.setLoginId(userProfile.getLoginId());
+ user.setPassword(userProfile.getPassword());
+ user.setUserSource(userProfile.getUserSource());
+ user.setPublicScreenName(userProfile.getPublicScreenName());
+ user.setId(userProfile.getId());
+
+ List<VXString> vStringRolesList = new ArrayList<VXString>();
+ VXString vXStringObj = new VXString();
+ vXStringObj.setValue("ROLE_USER");
+ vStringRolesList.add(vXStringObj);
+
+ List<XXPortalUserRole> xPortalUserRoleList = new ArrayList<XXPortalUserRole>();
+ XXPortalUserRole XXPortalUserRole = new XXPortalUserRole();
+ XXPortalUserRole.setId(userId);
+ XXPortalUserRole.setUserId(userId);
+ XXPortalUserRole.setUserRole("ROLE_USER");
+ xPortalUserRoleList.add(XXPortalUserRole);
+
+ List<XXUserPermission> xUserPermissionsList = new ArrayList<XXUserPermission>();
+ XXUserPermission xUserPermissionObj = new XXUserPermission();
+ xUserPermissionObj.setAddedByUserId(userId);
+ xUserPermissionObj.setCreateTime(new Date());
+ xUserPermissionObj.setId(userId);
+ xUserPermissionObj.setIsAllowed(1);
+ xUserPermissionObj.setModuleId(1L);
+ xUserPermissionObj.setUpdatedByUserId(userId);
+ xUserPermissionObj.setUpdateTime(new Date());
+ xUserPermissionObj.setUserId(userId);
+ xUserPermissionsList.add(xUserPermissionObj);
+
+ List<XXGroupPermission> xGroupPermissionList = new ArrayList<XXGroupPermission>();
+ XXGroupPermission xGroupPermissionObj = new XXGroupPermission();
+ xGroupPermissionObj.setAddedByUserId(userId);
+ xGroupPermissionObj.setCreateTime(new Date());
+ xGroupPermissionObj.setId(userId);
+ xGroupPermissionObj.setIsAllowed(1);
+ xGroupPermissionObj.setModuleId(1L);
+ xGroupPermissionObj.setUpdatedByUserId(userId);
+ xGroupPermissionObj.setUpdateTime(new Date());
+ xGroupPermissionObj.setGroupId(userId);
+ xGroupPermissionList.add(xGroupPermissionObj);
+
+ List<VXGroupPermission> groupPermList = new ArrayList<VXGroupPermission>();
+ VXGroupPermission groupPermission = new VXGroupPermission();
+ groupPermission.setId(1L);
+ groupPermission.setIsAllowed(1);
+ groupPermission.setModuleId(1L);
+ groupPermission.setGroupId(userId);
+ groupPermission.setGroupName("xyz");
+ groupPermission.setOwner("admin");
+ groupPermList.add(groupPermission);
+
+ XXModuleDef xModuleDef = new XXModuleDef();
+ xModuleDef.setUpdatedByUserId(userId);
+ xModuleDef.setAddedByUserId(userId);
+ xModuleDef.setCreateTime(new Date());
+ xModuleDef.setId(userId);
+ xModuleDef.setModule("Policy manager");
+ xModuleDef.setUpdateTime(new Date());
+ xModuleDef.setUrl("/policy manager");
+
+ VXUserPermission userPermission = new VXUserPermission();
+ userPermission.setId(1L);
+ userPermission.setIsAllowed(1);
+ userPermission.setModuleId(1L);
+ userPermission.setUserId(userId);
+ userPermission.setUserName("xyz");
+ userPermission.setOwner("admin");
+
+ Mockito.when(daoManager.getXXPortalUserRole()).thenReturn(
+ xPortalUserRoleDao);
+ Mockito.when(xPortalUserRoleDao.findByUserId(userId)).thenReturn(
+ xPortalUserRoleList);
+ Mockito.when(daoManager.getXXPortalUser()).thenReturn(userDao);
+ Mockito.when(userDao.getById(userId)).thenReturn(user);
+ Mockito.when(daoManager.getXXUserPermission()).thenReturn(
+ xUserPermissionDao);
+ Mockito.when(
+ xUserPermissionDao
+ .findByUserPermissionIdAndIsAllowed(userProfile.getId()))
+ .thenReturn(xUserPermissionsList);
+ Mockito.when(daoManager.getXXGroupPermission()).thenReturn(
+ xGroupPermissionDao);
+ Mockito.when(
+ xGroupPermissionDao.findbyVXPortalUserId(userProfile.getId()))
+ .thenReturn(xGroupPermissionList);
+ Mockito.when(
+ xGroupPermissionService.populateViewBean(xGroupPermissionObj))
+ .thenReturn(groupPermission);
+ Mockito.when(daoManager.getXXModuleDef()).thenReturn(xModuleDefDao);
+ Mockito.when(xModuleDefDao.findByModuleId(Mockito.anyLong()))
+ .thenReturn(xModuleDef);
+ Mockito.when(
+ xUserPermissionService.populateViewBean(xUserPermissionObj))
+ .thenReturn(userPermission);
+ Mockito.when(daoManager.getXXModuleDef()).thenReturn(xModuleDefDao);
+ Mockito.when(xModuleDefDao.findByModuleId(Mockito.anyLong()))
+ .thenReturn(xModuleDef);
+ Mockito.when(userMgr.getUserProfileByLoginId(userProfile.getLoginId()))
+ .thenReturn(userProfile);
+ VXStringList vXStringList = xUserMgr.getUserRolesByName(userProfile
+ .getLoginId());
+ Assert.assertNotNull(vXStringList);
+ }
}
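Review bot: All four new tests end with `Assert.assertNotNull(vXStringList)` and never check which roles were actually assigned or returned, so `setUserRolesByExternalID` and `setUserRolesByName` would still pass if they granted a role other than `ROLE_USER` or ignored the input entirely. For role-management code that is the property worth pinning: compare the returned list's values against `vStringRolesList` and add `Mockito.verify(xPortalUserRoleDao).findByUserId(userId);` (or a verify on whichever DAO write the implementation performs) after each call. The `groupPermList` built in every test is never handed to a stub and can be dropped, and the roughly eighty lines of identical fixture and stubbing repeated across test45–test48 would read better as one private helper that returns the mocked DAOs. The stub `Mockito.when(xUserMgr.getXUser(userId))` on the object under test only takes effect if `xUserMgr` is a spy; if it is a plain injected instance this line calls the real method, which is worth confirming against the test's setup.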
[02/33] incubator-ranger git commit: RANGER-656 : Ranger UI - KMS
Need to handle 404 error when clicked on breadcrumb
Posted by ma...@apache.org.
RANGER-656 : Ranger UI - KMS Need to handle 404 error when clicked on breadcrumb
Signed-off-by: Velmurugan Periasamy <ve...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/d5c9dade
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/d5c9dade
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/d5c9dade
Branch: refs/heads/tag-policy
Commit: d5c9dade84984e995cb9a971be27db9331e14d02
Parents: adae750
Author: Gautam Borad <gb...@gmail.com>
Authored: Fri Sep 25 09:51:36 2015 +0530
Committer: Velmurugan Periasamy <ve...@apache.org>
Committed: Sun Sep 27 21:55:33 2015 -0400
----------------------------------------------------------------------
.../src/main/webapp/scripts/modules/XALinks.js | 42 +++-----------------
.../webapp/scripts/views/kms/KmsKeyCreate.js | 9 +++--
.../scripts/views/service/ServiceCreate.js | 2 +-
3 files changed, 11 insertions(+), 42 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c9dade/security-admin/src/main/webapp/scripts/modules/XALinks.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/modules/XALinks.js b/security-admin/src/main/webapp/scripts/modules/XALinks.js
index efa3454..e15b45d 100755
--- a/security-admin/src/main/webapp/scripts/modules/XALinks.js
+++ b/security-admin/src/main/webapp/scripts/modules/XALinks.js
@@ -70,7 +70,7 @@ define(function(require) {
title: 'h.kms'
},
KmsKeyCreate : {
- href : '#!/kms/keys/create',
+ href : 'javascript:void(0);',
text : 'h.keyCreate',
title: 'h.keyCreate'
},
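Review bot: `href : 'javascript:void(0);'` on the KmsKeyCreate breadcrumb replaces a real route with a `javascript:` URL, which a Content-Security-Policy whose `script-src` lacks `'unsafe-inline'` blocks outright (logging a violation on every click) and which assistive technology announces as a link to nowhere. If the intent is a non-navigating crumb, render the current crumb as plain text or use `href : '#'` with the click prevented in the view, which stays inert under a strict CSP. The same pattern is already used by `ServiceEdit` further down this file, so the concern applies there too.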
@@ -177,42 +177,10 @@ define(function(require) {
href : '#!/reports/audit/loginSession',
text : 'lbl.sessionDetail'
},
- AssetCreate : function(options){
- var href = '#!/asset/create';
- if(_.has(options,'model')){
- href = '#!/asset/create/'+options.model.get('assetType');
- }
- return {
- href : href,
- text : 'lbl.createAsset',
- title: 'lbl.createAsset'
- };
- },
- AssetEdit : function(options){
- var href = "javascript:void(0);";
- if(_.has(options,'model')){
- href = '#!/asset/'+options.model.get('id');
- }
- if(_.has(options,'id')){
- href = '#!/asset/'+options.id;
- }
- return {
- href : href,
- text : 'lbl.editService',
- title: 'lbl.editService'
- };
- },
-
- ServiceCreate : function(options){
- var href = '#!/service/create';
- if(_.has(options,'model')){
- href = '#!/service/create/'+options.model.get('assetType');
- }
- return {
- href : href,
- text : 'lbl.createService',
- title: 'lbl.createService'
- };
+ ServiceCreate : {
+ href : "javascript:void(0);",
+ text : 'lbl.createService',
+ title: 'lbl.createService'
},
ServiceEdit : function(options){
var href = "javascript:void(0);";
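Review bot: `ServiceCreate` is now a plain object instead of a function taking `options`, but ServiceCreate.js in this same commit still calls `XALinks.get('ServiceCreate', {model:this.model})`, so the model argument is now silently discarded; either change that caller to `XALinks.get('ServiceCreate')` to match the `ServiceEdit` call-site fix made alongside it, or keep the function form if `XALinks.get` dispatches on the entry's type (not visible here). The removed `AssetCreate` and `AssetEdit` entries built hrefs from `options.model.get('assetType')`, `options.model.get('id')` and `options.id`; any template or view that still looks up `AssetCreate`/`AssetEdit` will now get `undefined` for the crumb, so a grep for those keys before merging would confirm nothing else depends on them.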
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c9dade/security-admin/src/main/webapp/scripts/views/kms/KmsKeyCreate.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/kms/KmsKeyCreate.js b/security-admin/src/main/webapp/scripts/views/kms/KmsKeyCreate.js
index 1ee0b3d..0bc62b6 100644
--- a/security-admin/src/main/webapp/scripts/views/kms/KmsKeyCreate.js
+++ b/security-admin/src/main/webapp/scripts/views/kms/KmsKeyCreate.js
@@ -166,13 +166,14 @@ define(function(require){
});
},
getKmsInfoFromServiceName : function() {
- var KmsServiceDef = require('models/RangerServiceDef');
- var KmsService = require('models/RangerService');
+ var KmsServiceDef = require('models/RangerServiceDef');
+ var KmsService = require('models/RangerService');
this.kmsService = new KmsService();
this.kmsService.url = XAUtil.getRangerServiceByName(this.kmsServiceName);
this.kmsService.fetch({ cache : false, async : false });
- this.kmsServiceDefModel = new KmsServiceDef({id : this.kmsService.id});
- this.kmsServiceDefModel.fetch({ cache : false, async : false })
+ this.kmsServiceDefModel = new KmsServiceDef();
+ this.kmsServiceDefModel.url = XAUtil.getRangerServiceDef(this.kmsService.get('type'));
+ this.kmsServiceDefModel.fetch({ cache : false, async : false });
},
/** on close */
onClose: function(){
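Review bot: `this.kmsService.get('type')` on the new line is read immediately after a synchronous `fetch` that has no `error` handler, so when the named service does not exist (the 404 case this ticket targets) `type` is `undefined` and a second request is issued against a service-def URL built from it; guard it with `var serviceType = this.kmsService.get('type'); if (!serviceType) { return; }` before constructing `kmsServiceDefModel`, and let the view surface the failed lookup. `async : false` is the deprecated synchronous-XHR mode browsers warn about; passing `success`/`error` callbacks or chaining on the returned promise would avoid it, though that changes how `getKmsInfoFromServiceName`'s result is consumed. `this.kmsServiceName` is interpolated into the request URL without visible encoding; presumably `XAUtil.getRangerServiceByName` handles that, but it is not shown here.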
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d5c9dade/security-admin/src/main/webapp/scripts/views/service/ServiceCreate.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/service/ServiceCreate.js b/security-admin/src/main/webapp/scripts/views/service/ServiceCreate.js
index 239b61e..f3b8d70 100644
--- a/security-admin/src/main/webapp/scripts/views/service/ServiceCreate.js
+++ b/security-admin/src/main/webapp/scripts/views/service/ServiceCreate.js
@@ -51,7 +51,7 @@ define(function(require){
if(this.model.isNew())
return [XALinks.get('ServiceManager'), XALinks.get('ServiceCreate', {model:this.model})];
else
- return [XALinks.get('ServiceManager'), XALinks.get('ServiceEdit',{model:this.model})];
+ return [XALinks.get('ServiceManager'), XALinks.get('ServiceEdit')];
},
/** Layout sub regions */
[10/33] incubator-ranger git commit: RANGER-266: Solr configuration
and setup files and documentation
Posted by ma...@apache.org.
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c5ae2edd/security-admin/contrib/solr_for_audit_setup/setup.sh
----------------------------------------------------------------------
diff --git a/security-admin/contrib/solr_for_audit_setup/setup.sh b/security-admin/contrib/solr_for_audit_setup/setup.sh
new file mode 100755
index 0000000..11d5501
--- /dev/null
+++ b/security-admin/contrib/solr_for_audit_setup/setup.sh
@@ -0,0 +1,421 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#This script downloads Solr (optional) and sets up Solr for Ranger Audit Server
+curr_dir=`pwd`
+
+. ./install.properties
+
+#Current timestamp
+ts=$(date +"%m%d%y%H%M%S")
+
+#Validate all variables
+check_java_version() {
+ #Check for JAVA_HOME
+ if [ "${JAVA_HOME}" == "" ]; then
+ echo "Error: JAVA_HOME environment property not defined, aborting installation."
+ exit 1
+ fi
+
+ export JAVA_BIN=${JAVA_HOME}/bin/java
+
+ if [ ! -x ${JAVA_BIN} ]; then
+ echo "Error: '${JAVA_BIN}' command not found"
+ exit 1;
+ fi
+
+ version=$("$JAVA_BIN" -version 2>&1 | awk -F '"' '/version/ {print $2}')
+ major=`echo ${version} | cut -d. -f1`
+ minor=`echo ${version} | cut -d. -f2`
+ if [[ "${major}" == 1 && "${minor}" < 7 ]] ; then
+ echo "Error: Java 1.7 or above is required, current java version is $version"
+ exit 1;
+ fi
+}
+
+#Check Java version. Minimum JDK 1.7 is needed
+check_java_version
+
+if [ "$SOLR_INSTALL_FOLDER" = "" ]; then
+ echo "Error: SOLR_INSTALL_FOLDER not set"
+ exit 1
+fi
+
+if [ "$SOLR_RANGER_HOME" = "" ]; then
+ echo "Error: SOLR_RANGER_HOME not set"
+ exit 1
+fi
+
+if [ "$SOLR_RANGER_PORT" = "" ]; then
+ echo "Error: SOLR_RANGER_PORT not set"
+ exit 1
+fi
+
+if [ "$SOLR_DEPLOYMENT" = "standalone" ]; then
+ if [ "$SOLR_RANGER_DATA_FOLDER" = "" ]; then
+ echo "Error: SOLR_RANGER_DATA_FOLDER not set"
+ exit 1
+ fi
+else
+ if [ "$SOLR_ZK" = "" ]; then
+ echo "Error: SOLR_ZK not set"
+ exit 1
+ fi
+fi
+
+if [ "$SOLR_USER" = "" ]; then
+ SOLR_USER=solr
+fi
+
+if [ "$SOLR_RANGER_COLLECTION" = "" ]; then
+ SOLR_RANGER_COLLECTION=ranger_audits
+fi
+
+curr_user=`whoami`
+is_root=0
+if [ -w /etc/passwd ]; then
+ is_root=1
+fi
+
+
+if [ "$SOLR_INSTALL" = "true" -a $is_root -eq 0 ]; then
+ echo "Error: Solr will be installed only if run as root. Please download and install before continuing"
+ exit 1
+fi
+
+if [ "$SOLR_INSTALL" = "true" -a "$SOLR_DOWNLOAD_URL" = "" ]; then
+ echo "Error: If SOLR_INSTALL=true, then SOLR_DOWNLOAD_URL can't be empty"
+ exit 1
+fi
+
+if [ "$SOLR_LOG_FOLDER" = "logs" ]; then
+ NEW_SOLR_LOG_FOLDER=$SOLR_INSTALL/server/${$SOLR_LOG_FOLDER}
+ echo "`date`|INFO|Changing SOLR_LOG_FOLDER from $SOLR_LOG_FOLDER to $NEW_SOLR_LOG_FOLDER"
+ SOLR_LOG_FOLDER=$NEW_SOLR_LOG_FOLDER
+fi
+
+function run_root_usage {
+ echo "sudo chown -R $SOLR_USER:$SOLR_USER $SOLR_INSTALL_FOLDER"
+ echo "sudo mkdir -p $SOLR_RANGER_HOME"
+ echo "sudo chown -R $SOLR_USER:$SOLR_USER $SOLR_RANGER_HOME"
+ if [ "$SOLR_LOG_FOLDER" != "logs" ]; then
+ echo "sudo mkdir -p $SOLR_LOG_FOLDER"
+ echo "sudo chown -R $SOLR_USER:$SOLR_USER $SOLR_LOG_FOLDER"
+ fi
+}
+
+if [ $is_root -ne 1 ]; then
+ if [ "$SOLR_USER" != "$curr_user" ]; then
+ echo "`date`|ERROR|You need to run this script as root or as user $SOLR_USER"
+ echo "If you need to run as $SOLR_USER, then first execute the following commands as root or sudo"
+ id $SOLR_USER 2>&1 > /dev/null
+ if [ $? -ne 0 ]; then
+ echo "sudo adduser $SOLR_USER"
+ fi
+ run_root_usage
+ exit 1
+ fi
+
+ #Let's make $curr_user has permission to write to $SOLR_RANGER_HOME and also chown
+ mkdir -p $SOLR_RANGER_HOME 2> /dev/null
+ if [ ! -d $SOLR_RANGER_HOME ]; then
+ echo "`date`|ERROR|Solr Ranger Home folder <$SOLR_RANGER_HOME> could not be created. Current user is $curr_user"
+ run_root_usage
+ exit 1
+ fi
+
+ test_file=${SOLR_RANGER_HOME}/testfile_${ts}.txt
+ touch $test_file 2> /dev/null
+ if [ $? -ne 0 ]; then
+ echo "`date`|ERROR|User $curr_user doesn't have permission to write to $SOLR_RANGER_HOME."
+ run_root_usage
+ exit 1
+ fi
+
+ chown $SOLR_USER:$SOLR_USER $test_file 2> /dev/null
+ if [ $? -ne 0 ]; then
+ echo "`date`|ERROR|User $curr_user doesn't have permission chown to $SOLR_USER in $SOLR_RANGER_HOME"
+ run_root_usage
+ exit 1
+ fi
+ rm -f $test_file
+
+ #Solr on first time startup, it creates the webapp folder. So the $SOLR_USER needs permission to create webapp
+ test_file=$SOLR_INSTALL_FOLDER/testfile_${ts}.txt
+ touch $test_file 2> /dev/null
+ if [ $? -ne 0 ]; then
+ echo "`date`|ERROR|User $curr_user doesn't have write permission to $SOLR_INSTALL_FOLDER"
+ run_root_usage
+ exit 1
+ fi
+ rm -f $test_file
+
+ #Let's make $curr_user has permission to write to logs folder
+ mkdir -p $SOLR_LOG_FOLDER 2> /dev/null
+ if [ ! -d $SOLR_LOG_FOLDER ]; then
+ echo "`date`|ERROR|Log folder <$SOLR_LOG_FOLDER> could not be created. Current user is $curr_user"
+ run_root_usage
+ exit 1
+ fi
+
+ test_file=$SOLR_LOG_FOLDER/testfile_${ts}.txt
+ touch $test_file 2> /dev/null
+ if [ $? -ne 0 ]; then
+ echo "`date`|ERROR|User $curr_user doesn't have permission to write to log folder $SOLR_LOG_FOLDER"
+ run_root_usage
+ exit 1
+ fi
+ rm -f $test_file
+fi
+
+
+if [ -d $SOLR_RANGER_HOME ]; then
+ #echo "`date`|WARN|Solr Ranger Home <$SOLR_RANGER_HOME> exists. Moving to ${SOLR_RANGER_HOME}.bk.${ts}"
+ echo "`date`|INFO|Solr Ranger Home <$SOLR_RANGER_HOME> exists. Will overwrite configurations"
+ #mv $SOLR_RANGER_HOME ${SOLR_RANGER_HOME}.bk.${ts}
+fi
+
+
+#Download and install Solr if needed
+if [ "$SOLR_INSTALL" = "true" ]; then
+ if [ ! -x `which wget 2> /dev/null` ]; then
+ echo "Error: wget is not found in the path. Please install wget"
+ exit
+ fi
+
+ if [ -d $SOLR_INSTALL_FOLDER ]; then
+ echo "`date`|WARN|$SOLR_INSTALL_FOLDER exists. This script will overwrite some files"
+ fi
+
+ echo "`date`|INFO|Downloading solr from $SOLR_DOWNLOAD_URL"
+ #Temporary create a folder to untar the folder
+ tmp_folder=/tmp/solr_untar_${ts}
+ mkdir -p ${tmp_folder}
+ cd ${tmp_folder}
+ wget $SOLR_DOWNLOAD_URL
+ #Assuming this is a new folder and there will be only one file
+ tgz_file=`ls *z`
+ if [ ! -f $tgz_file ]; then
+ echo "`date`|ERROR|Downloaded file <`pwd`/$tgz_file> not found"
+ exit 1
+ fi
+
+ mkdir tmp
+ tar xfz $tgz_file -C tmp
+ cd tmp
+
+ #Assuming there will only one folder begining with "s"
+ solr_folder=`ls | grep "^solr"`
+
+ if [ ! -d $solr_folder ]; then
+ echo "`date`|ERROR|Solr temporary folder `pwd`/<$solr_folder> not found"
+ exit 1
+ fi
+
+ if [ -d $SOLR_INSTALL_FOLDER ]; then
+ echo "`date`|WARN|$SOLR_INSTALL_FOLDER exists. Moving to ${SOLR_INSTALL_FOLDER}.bk.${ts}"
+ mv $SOLR_INSTALL_FOLDER ${SOLR_INSTALL_FOLDER}.bk.${ts}
+ fi
+
+ mv $solr_folder $SOLR_INSTALL_FOLDER
+ rm -rf $tmp_folder
+ echo "`date`|INFO|Installed Solr in $SOLR_INSTALL_FOLDER"
+fi
+
+if [ ! -d $SOLR_INSTALL_FOLDER ]; then
+ echo "`date`|ERROR|$SOLR_INSTALL_FOLDER not found. Check \$SOLR_INSTALL_FOLDER"
+ exit 1
+fi
+
+if [ ! -x $SOLR_INSTALL_FOLDER/bin/solr ]; then
+ echo "`date`|ERROR|Solr doesn't seem to be installed properly. $SOLR_INSTALL_FOLDER/bin/solr doesn't exist. Please check $SOLR_INSTALL_FOLDER"
+ exit 1
+fi
+
+########## At this point, we have the Solr installed folder ####
+
+######### Copy the Solr config file for Ranger ######
+cd $curr_dir
+
+mkdir -p $SOLR_RANGER_HOME/resources
+cp -r resources/* $SOLR_RANGER_HOME/resources
+
+if [ "$SOLR_DEPLOYMENT" = "standalone" ]; then
+ echo "`date`|INFO|Configuring standalone instance"
+ echo "`date`|INFO|Copying Ranger Audit Server configuration to $SOLR_RANGER_HOME"
+ cp -r solr_standalone/* $SOLR_RANGER_HOME
+ mkdir -p $SOLR_RANGER_HOME/${SOLR_RANGER_COLLECTION}/conf
+ cp -r conf/* $SOLR_RANGER_HOME/${SOLR_RANGER_COLLECTION}/conf
+ sed "s#__RANGER_AUDITS_DATA_FOLDER__#$SOLR_RANGER_DATA_FOLDER#g" $SOLR_RANGER_HOME/${SOLR_RANGER_COLLECTION}/core.properties.template > $SOLR_RANGER_HOME/${SOLR_RANGER_COLLECTION}/core.properties
+ sed -e "s#__JAVA_HOME__#$JAVA_HOME#g" -e "s#__SOLR_USER__#$SOLR_USER#g" -e "s#__SOLR_MAX_MEM__#$SOLR_MAX_MEM#g" -e "s#__SOLR_INSTALL_DIR__#$SOLR_INSTALL_FOLDER#g" -e "s#__SOLR_RANGER_HOME__#$SOLR_RANGER_HOME#g" -e "s#__SOLR_PORT__#$SOLR_RANGER_PORT#g" -e "s#__SOLR_LOG_FOLDER__#$SOLR_LOG_FOLDER#g" $SOLR_RANGER_HOME/scripts/start_solr.sh.template > $SOLR_RANGER_HOME/scripts/start_solr.sh
+
+else
+
+ echo "`date`|INFO|Configuring SolrCloud instance"
+ cp -r solr_cloud/* $SOLR_RANGER_HOME
+ mkdir -p $SOLR_RANGER_HOME/conf
+ cp -r conf/* $SOLR_RANGER_HOME/conf
+
+ #Get the first ZooKeeper host:port/path
+ FIRST_SOLR_ZK=$(IFS="," ; set -- $SOLR_ZK ; echo $1)
+
+ sed -e "s#__JAVA_HOME__#$JAVA_HOME#g" -e "s#__SOLR_USER__#$SOLR_USER#g" -e "s#__SOLR_MAX_MEM__#$SOLR_MAX_MEM#g" -e "s#__SOLR_INSTALL_DIR__#$SOLR_INSTALL_FOLDER#g" -e "s#__SOLR_RANGER_HOME__#$SOLR_RANGER_HOME#g" -e "s#__SOLR_PORT__#$SOLR_RANGER_PORT#g" -e "s#__SOLR_ZK__#$SOLR_ZK#g" -e "s#__SOLR_LOG_FOLDER__#$SOLR_LOG_FOLDER#g" $SOLR_RANGER_HOME/scripts/start_solr.sh.template > $SOLR_RANGER_HOME/scripts/start_solr.sh
+
+ sed -e "s#__JAVA_HOME__#$JAVA_HOME#g" -e "s#__SOLR_USER__#$SOLR_USER#g" -e "s#__SOLR_INSTALL_DIR__#$SOLR_INSTALL_FOLDER#g" -e "s#__SOLR_RANGER_HOME__#$SOLR_RANGER_HOME#g" -e "s#__SOLR_ZK__#$FIRST_SOLR_ZK#g" $SOLR_RANGER_HOME/scripts/add_ranger_audits_conf_to_zk.sh.template > $SOLR_RANGER_HOME/scripts/add_ranger_audits_conf_to_zk.sh
+ sed -e "s#__JAVA_HOME__#$JAVA_HOME#g" -e "s#__SOLR_INSTALL_DIR__#$SOLR_INSTALL_FOLDER#g" -e "s#__SOLR_ZK__#$SOLR_ZK#g" -e "s#__SOLR_HOST_URL__#$SOLR_HOST_URL#g" -e "s#__SOLR_SHARDS__#$SOLR_SHARDS#g" -e "s#__SOLR_REPLICATION__#$SOLR_REPLICATION#g" $SOLR_RANGER_HOME/scripts/create_ranger_audits_collection.sh.template > $SOLR_RANGER_HOME/scripts/create_ranger_audits_collection.sh
+ sed -e "s#__SOLR_PORT__#$SOLR_RANGER_PORT#g" $SOLR_RANGER_HOME/solr.xml.template > $SOLR_RANGER_HOME/solr.xml
+fi
+
+#Common overrides
+sed -e "s#__JAVA_HOME__#$JAVA_HOME#g" -e "s#__SOLR_USER__#$SOLR_USER#g" -e "s#__SOLR_INSTALL_DIR__#$SOLR_INSTALL_FOLDER#g" -e "s#__SOLR_PORT__#$SOLR_RANGER_PORT#g" -e "s#__SOLR_LOG_FOLDER__#$SOLR_LOG_FOLDER#g" $SOLR_RANGER_HOME/scripts/stop_solr.sh.template > $SOLR_RANGER_HOME/scripts/stop_solr.sh
+sed -e "s#__SOLR_LOG_FOLDER__#$SOLR_LOG_FOLDER#g" $SOLR_RANGER_HOME/resources/log4j.properties.template > $SOLR_RANGER_HOME/resources/log4j.properties
+
+
+#Let's make all ownership is given to $SOLR_USER
+if [ $is_root -eq 1 ]; then
+ #Let's see if $SOLR_USER exists.
+ id $SOLR_USER 2>&1 > /dev/null
+ if [ $? -ne 0 ]; then
+ echo "`date`|INFO|Creating user $SOLR_USER"
+ adduser $SOLR_USER
+ fi
+
+ chown -R $SOLR_USER:$SOLR_USER $SOLR_INSTALL_FOLDER
+ mkdir -p $SOLR_RANGER_HOME
+ chown -R $SOLR_USER:$SOLR_USER $SOLR_RANGER_HOME
+ mkdir -p $SOLR_LOG_FOLDER
+ chown -R $SOLR_USER:$SOLR_USER $SOLR_LOG_FOLDER
+else
+ chown -R $SOLR_USER:$SOLR_USER $SOLR_RANGER_HOME
+fi
+chmod a+x $SOLR_RANGER_HOME/scripts/*.sh
+
+SOLR_INSTALL_NOTES=$SOLR_RANGER_HOME/install_notes.txt
+echo "Solr installation notes for Ranger Audits." > $SOLR_INSTALL_NOTES
+
+cat > $SOLR_INSTALL_NOTES <<EOF
+Solr installation notes for Ranger Audits.
+
+Note: Don't edit this file. It will be over written if you run $0 again.
+
+EOF
+
+if [ "$SOLR_DEPLOYMENT" = "standalone" ]; then
+cat >> $SOLR_INSTALL_NOTES <<EOF
+You have installed Solr in standalone mode.
+
+Note: In production deployment, it is recommended to run in SolrCloud mode with at least 2 nodes and replication factor 2
+
+EOF
+else
+
+cat >> $SOLR_INSTALL_NOTES <<EOF
+You have installed Solr in SolrCloud mode. You will have to do additional steps to create the collections for Ranger Audit. See below for instructions:
+EOF
+
+ if [ "$SOLR_REPLICATION" = "1" ]; then
+cat >> $SOLR_INSTALL_NOTES <<EOF
+
+Note: In production deployment, it is recommended to run in SolrCloud mode with at least 2 nodes with replication factor 2
+EOF
+ fi
+
+cat >> $SOLR_INSTALL_NOTES <<EOF
+
+*** IMPORTANT ***
+For configuring SolrCloud, you need to do the following:
+EOF
+
+if [ "$SOLR_REPLICATION" != "1" ]; then
+ cat >> $SOLR_INSTALL_NOTES <<EOF
+1. Using $0 script install and configure Solr for Ranger Audits on all other nodes also (don't start it yet)
+2. Execute $SOLR_RANGER_HOME/scripts/add_ranger_audits_conf_to_zk.sh (only once from any node)
+3. Start Solr on all nodes: $SOLR_RANGER_HOME/scripts/start_solr.sh
+4. Create Ranger Audit collection: $SOLR_RANGER_HOME/scripts/create_ranger_audits_collection.sh (only once from any node)
+
+EOF
+else
+ cat >> $SOLR_INSTALL_NOTES <<EOF
+1. Add Ranger Audit config to ZooKeeper: $SOLR_RANGER_HOME/scripts/add_ranger_audits_conf_to_zk.sh
+2. Start Solr: $SOLR_RANGER_HOME/scripts/start_solr.sh
+3. Create Ranger Audit collection: $SOLR_RANGER_HOME/scripts/create_ranger_audits_collection.sh
+
+EOF
+
+fi
+fi
+
+cat >> $SOLR_INSTALL_NOTES <<EOF
+Start and Stoping Solr:
+EOF
+
+if [ "$SOLR_USER" != "root" ]; then
+ cat >> $SOLR_INSTALL_NOTES <<EOF
+Login as user $SOLR_USER or root and the run the below commands to start or stop Solr:
+EOF
+else
+ cat >> $SOLR_INSTALL_NOTES <<EOF
+Login as root and the run the below commands to start or stop Solr:
+EOF
+
+fi
+
+cat >> $SOLR_INSTALL_NOTES <<EOF
+
+To start Solr run: $SOLR_RANGER_HOME/scripts/start_solr.sh
+To stop Solr run: $SOLR_RANGER_HOME/scripts/stop_solr.sh
+
+After starting Solr for RangerAudit, Solr will listen at $SOLR_RANGER_PORT. E.g http://`hostname -f`:$SOLR_RANGER_PORT
+
+Configure Ranger to use the following URL http://`hostname -f`:$SOLR_RANGER_PORT/solr/${SOLR_RANGER_COLLECTION}
+
+Solr HOME for Ranger Audit is $SOLR_RANGER_HOME
+
+EOF
+
+if [ "$SOLR_DEPLOYMENT" = "standalone" ]; then
+cat >> $SOLR_INSTALL_NOTES <<EOF
+DATA FOLDER: $SOLR_RANGER_DATA_FOLDER
+
+Make sure you have enough disk space for index. In production, it is recommended to have at least 1TB free.
+`df -h $SOLR_RANGER_DATA_FOLDER`
+EOF
+else
+cat >> $SOLR_INSTALL_NOTES <<EOF
+SOLR_REPLICATION: $SOLR_REPLICATION
+SOLR_SHARDS: $SOLR_SHARDS
+DATA FOLDERS: $SOLR_RANGER_HOME/ranger_audits_shard*
+
+Make sure you have enough disk space for index. In production, it is recommended to have at least 1TB free.
+`df -h $SOLR_RANGER_HOME`
+EOF
+fi
+
+echo "`date`|INFO|Done configuring Solr for Apache Ranger Audit"
+echo "`date`|INFO|Solr HOME for Ranger Audit is $SOLR_RANGER_HOME"
+if [ "$SOLR_DEPLOYMENT" = "standalone" ]; then
+ echo "`date`|INFO|Data folder for Audit logs is $SOLR_RANGER_DATA_FOLDER"
+fi
+echo "`date`|INFO|To start Solr run $SOLR_RANGER_HOME/scripts/start_solr.sh"
+echo "`date`|INFO|To stop Solr run $SOLR_RANGER_HOME/scripts/stop_solr.sh"
+echo "`date`|INFO|After starting Solr for RangerAudit, it will listen at $SOLR_RANGER_PORT. E.g http://`hostname -f`:$SOLR_RANGER_PORT"
+echo "`date`|INFO|Configure Ranger to use the following URL http://`hostname -f`:$SOLR_RANGER_PORT/solr/${SOLR_RANGER_COLLECTION}"
+if [ "$SOLR_DEPLOYMENT" = "solrcloud" ]; then
+ echo "`date`|INFO|Please refer to $SOLR_INSTALL_NOTES for instructions for setting up collections in SolrCloud"
+fi
+echo "########## Done ###################"
+echo "Created file $SOLR_INSTALL_NOTES with instructions to start and stop"
+echo "###################################"
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c5ae2edd/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/add_ranger_audits_conf_to_zk.sh.template
----------------------------------------------------------------------
diff --git a/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/add_ranger_audits_conf_to_zk.sh.template b/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/add_ranger_audits_conf_to_zk.sh.template
new file mode 100755
index 0000000..3d70106
--- /dev/null
+++ b/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/add_ranger_audits_conf_to_zk.sh.template
@@ -0,0 +1,63 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#This scripts add the ranger_audit configuration with schema to zookeeper
+
+function usage {
+ echo "Error: The following properties need to be set in the script SOLR_ZK, SOLR_INSTALL_DIR and SOLR_RANGER_HOME"
+ exit 1
+}
+
+JAVA_HOME=__JAVA_HOME__
+SOLR_USER=__SOLR_USER__
+SOLR_ZK=__SOLR_ZK__
+SOLR_INSTALL_DIR=__SOLR_INSTALL_DIR__
+SOLR_RANGER_HOME=__SOLR_RANGER_HOME__
+
+if [ "`whoami`" != "$SOLR_USER" ]; then
+ if [ -w /etc/passwd ]; then
+ echo "Running this script as $SOLR_USER..."
+ su $SOLR_USER $0
+ else
+ echo "ERROR: You need to run this script $0 as user $SOLR_USER. You are currently running it as `whoami`"
+ fi
+
+ exit 1
+fi
+
+if [ "$SOLR_ZK" = "" ]; then
+ usage
+fi
+
+if [ "$SOLR_INSTALL_DIR" = "" ]; then
+ usage
+fi
+
+if [ "$SOLR_RANGER_HOME" = "" ]; then
+ usage
+fi
+
+SOLR_RANGER_CONFIG_NAME=ranger_audits
+SOLR_RANGER_CONFIG_LOCAL_PATH=${SOLR_RANGER_HOME}/conf
+ZK_CLI=$SOLR_INSTALL_DIR/server/scripts/cloud-scripts/zkcli.sh
+
+
+if [ ! -x $ZK_CLI ]; then
+ echo "Error: $ZK_CLI is not found or you don't have permission to execute it."
+ exit 1
+fi
+set -x
+$ZK_CLI -cmd upconfig -zkhost $SOLR_ZK -confname $SOLR_RANGER_CONFIG_NAME -confdir $SOLR_RANGER_CONFIG_LOCAL_PATH
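Review bot: The re-exec branch `su $SOLR_USER $0` always falls through to `exit 1`, so when the script is started as root the child's upconfig may succeed yet the caller sees a failure, and a real failure is indistinguishable from that; propagate the child's status instead, e.g. `su $SOLR_USER "$0"; exit $?`. The same pattern is in both start_solr.sh.template and both stop_solr.sh.template files added later in this commit. Writability of /etc/passwd is only a proxy for "running as root"; `[ "$(id -u)" -eq 0 ]` states the intent directly and does not depend on file permissions. `$ZK_CLI` and `$SOLR_RANGER_CONFIG_LOCAL_PATH` on the last two lines are unquoted, so an install or home path containing spaces is word-split; quoting them is cheap.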
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c5ae2edd/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/create_ranger_audits_collection.sh.template
----------------------------------------------------------------------
diff --git a/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/create_ranger_audits_collection.sh.template b/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/create_ranger_audits_collection.sh.template
new file mode 100755
index 0000000..c44255c
--- /dev/null
+++ b/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/create_ranger_audits_collection.sh.template
@@ -0,0 +1,33 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+SOLR_HOST_URL=__SOLR_HOST_URL__
+SOLR_ZK=__SOLR_ZK__
+SOLR_INSTALL_DIR=__SOLR_INSTALL_DIR__
+SHARDS=__SOLR_SHARDS__
+REPLICATION=__SOLR_REPLICATION__
+
+CONF_NAME=ranger_audits
+COLLECTION_NAME=ranger_audits
+
+which curl 2>&1 > /dev/null
+if [ $? -ne 0 ]; then
+ echo "curl is not fould. Please install it for creating the collection"
+ exit 1
+fi
+
+set -x
+curl --negotiate -u : "${SOLR_HOST_URL}/solr/admin/collections?action=CREATE&name=${COLLECTION_NAME}&numShards=${SHARDS}&replicationFactor=${REPLICATION}&collection.configName=$CONF_NAME&maxShardsPerNode=100"
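Review bot: The curl call on the last line does not check the HTTP result, so a failed CREATE (for example a 400 because the ranger_audits config has not yet been uploaded to ZooKeeper) still leaves the script exiting 0; add `--fail` so a non-2xx response makes curl return non-zero, e.g. `curl --fail --negotiate -u : "${SOLR_HOST_URL}/solr/admin/collections?action=CREATE&..."`. The message on the `echo "curl is not fould..."` line has a typo (`found`). `which curl 2>&1 > /dev/null` sends stderr to the terminal and only stdout to /dev/null; `> /dev/null 2>&1` is the intended order.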
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c5ae2edd/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/start_solr.sh.template
----------------------------------------------------------------------
diff --git a/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/start_solr.sh.template b/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/start_solr.sh.template
new file mode 100755
index 0000000..f5a327e
--- /dev/null
+++ b/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/start_solr.sh.template
@@ -0,0 +1,39 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+JAVA_HOME=__JAVA_HOME__
+SOLR_USER=__SOLR_USER__
+SOLR_ZK=__SOLR_ZK__
+SOLR_MEMORY=__SOLR_MAX_MEM__
+SOLR_INSTALL_DIR=__SOLR_INSTALL_DIR__
+SOLR_RANGER_HOME=__SOLR_RANGER_HOME__
+SOLR_PORT=__SOLR_PORT__
+SOLR_LOG4J_FILEPATH=$SOLR_RANGER_HOME/resources/log4j.properties
+
+export SOLR_LOGS_DIR=__SOLR_LOG_FOLDER__
+
+if [ "`whoami`" != "$SOLR_USER" ]; then
+ if [ -w /etc/passwd ]; then
+ echo "Running this script as $SOLR_USER..."
+ su $SOLR_USER $0
+ else
+ echo "ERROR: You need to run this script $0 as user $SOLR_USER. You are currently running it as `whoami`"
+ fi
+
+ exit 1
+fi
+
+$SOLR_INSTALL_DIR/bin/solr start -p $SOLR_PORT -d $SOLR_INSTALL_DIR/server -m $SOLR_MEMORY -s $SOLR_RANGER_HOME -Dlog4j.configuration=file://$SOLR_LOG4J_FILEPATH -c -z $SOLR_ZK
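Review bot: `JAVA_HOME=__JAVA_HOME__` is assigned but never exported, unlike `SOLR_LOGS_DIR` a few lines below, so the `bin/solr start` invocation on the last line does not see it in its environment and Solr will presumably fall back to whatever `java` is first on PATH; `export JAVA_HOME=__JAVA_HOME__` makes the substituted value actually take effect. The same applies to the standalone start_solr.sh.template, to both stop_solr.sh.template files and to add_ranger_audits_conf_to_zk.sh.template in this commit. `$SOLR_ZK` and `$SOLR_RANGER_HOME` on that line are also unquoted, so a ZooKeeper string or home path containing spaces would be word-split; quote them.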
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c5ae2edd/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/stop_solr.sh.template
----------------------------------------------------------------------
diff --git a/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/stop_solr.sh.template b/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/stop_solr.sh.template
new file mode 100755
index 0000000..5b85c25
--- /dev/null
+++ b/security-admin/contrib/solr_for_audit_setup/solr_cloud/scripts/stop_solr.sh.template
@@ -0,0 +1,35 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+JAVA_HOME=__JAVA_HOME__
+SOLR_USER=__SOLR_USER__
+SOLR_INSTALL_DIR=__SOLR_INSTALL_DIR__
+SOLR_PORT=__SOLR_PORT__
+
+export SOLR_LOGS_DIR=__SOLR_LOG_FOLDER__
+
+if [ "`whoami`" != "$SOLR_USER" ]; then
+ if [ -w /etc/passwd ]; then
+ echo "Running this script as $SOLR_USER..."
+ su $SOLR_USER $0
+ else
+ echo "ERROR: You need to run this script $0 as user $SOLR_USER. You are currently running it as `whoami`"
+ fi
+
+ exit 1
+fi
+
+$SOLR_INSTALL_DIR/bin/solr stop -p $SOLR_PORT
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c5ae2edd/security-admin/contrib/solr_for_audit_setup/solr_cloud/solr.xml.template
----------------------------------------------------------------------
diff --git a/security-admin/contrib/solr_for_audit_setup/solr_cloud/solr.xml.template b/security-admin/contrib/solr_for_audit_setup/solr_cloud/solr.xml.template
new file mode 100644
index 0000000..2fab751
--- /dev/null
+++ b/security-admin/contrib/solr_for_audit_setup/solr_cloud/solr.xml.template
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<solr>
+ <solrcloud>
+ <str name="host">${host:}</str>
+ <int name="hostPort">${jetty.port:__SOLR_PORT__}</int>
+ <str name="hostContext">${hostContext:solr}</str>
+ <int name="zkClientTimeout">${zkClientTimeout:15000}</int>
+ <bool name="genericCoreNodeNames">${genericCoreNodeNames:true}</bool>
+ </solrcloud>
+</solr>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c5ae2edd/security-admin/contrib/solr_for_audit_setup/solr_standalone/ranger_audits/core.properties.template
----------------------------------------------------------------------
diff --git a/security-admin/contrib/solr_for_audit_setup/solr_standalone/ranger_audits/core.properties.template b/security-admin/contrib/solr_for_audit_setup/solr_standalone/ranger_audits/core.properties.template
new file mode 100644
index 0000000..f2d3205
--- /dev/null
+++ b/security-admin/contrib/solr_for_audit_setup/solr_standalone/ranger_audits/core.properties.template
@@ -0,0 +1,20 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name=ranger_audits
+config=solrconfig.xml
+schema=schema.xml
+dataDir=__RANGER_AUDITS_DATA_FOLDER__
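Review bot: The first line `#!/bin/bash` does not belong in a .properties file; Java Properties treats it as a comment so it is harmless, but it reads as a copy-paste from the shell templates and should be dropped so the license header starts the file.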
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c5ae2edd/security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/start_solr.sh.template
----------------------------------------------------------------------
diff --git a/security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/start_solr.sh.template b/security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/start_solr.sh.template
new file mode 100755
index 0000000..2a4bb38
--- /dev/null
+++ b/security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/start_solr.sh.template
@@ -0,0 +1,38 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+JAVA_HOME=__JAVA_HOME__
+SOLR_USER=__SOLR_USER__
+SOLR_MEMORY=__SOLR_MAX_MEM__
+SOLR_INSTALL_DIR=__SOLR_INSTALL_DIR__
+SOLR_RANGER_HOME=__SOLR_RANGER_HOME__
+SOLR_PORT=__SOLR_PORT__
+SOLR_LOG4J_FILEPATH=$SOLR_RANGER_HOME/resources/log4j.properties
+
+export SOLR_LOGS_DIR=__SOLR_LOG_FOLDER__
+
+if [ "`whoami`" != "$SOLR_USER" ]; then
+ if [ -w /etc/passwd ]; then
+ echo "Running this script as $SOLR_USER..."
+ su $SOLR_USER $0
+ else
+ echo "ERROR: You need to run this script $0 as user $SOLR_USER. You are currently running it as `whoami`"
+ fi
+
+ exit 1
+fi
+
+$SOLR_INSTALL_DIR/bin/solr start -p $SOLR_PORT -d $SOLR_INSTALL_DIR/server -m $SOLR_MEMORY -s $SOLR_RANGER_HOME -Dlog4j.configuration=file://$SOLR_LOG4J_FILEPATH
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c5ae2edd/security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/stop_solr.sh.template
----------------------------------------------------------------------
diff --git a/security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/stop_solr.sh.template b/security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/stop_solr.sh.template
new file mode 100755
index 0000000..5b85c25
--- /dev/null
+++ b/security-admin/contrib/solr_for_audit_setup/solr_standalone/scripts/stop_solr.sh.template
@@ -0,0 +1,35 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+JAVA_HOME=__JAVA_HOME__
+SOLR_USER=__SOLR_USER__
+SOLR_INSTALL_DIR=__SOLR_INSTALL_DIR__
+SOLR_PORT=__SOLR_PORT__
+
+export SOLR_LOGS_DIR=__SOLR_LOG_FOLDER__
+
+if [ "`whoami`" != "$SOLR_USER" ]; then
+ if [ -w /etc/passwd ]; then
+ echo "Running this script as $SOLR_USER..."
+ su $SOLR_USER $0
+ else
+ echo "ERROR: You need to run this script $0 as user $SOLR_USER. You are currently running it as `whoami`"
+ fi
+
+ exit 1
+fi
+
+$SOLR_INSTALL_DIR/bin/solr stop -p $SOLR_PORT
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c5ae2edd/security-admin/contrib/solr_for_audit_setup/solr_standalone/solr.xml
----------------------------------------------------------------------
diff --git a/security-admin/contrib/solr_for_audit_setup/solr_standalone/solr.xml b/security-admin/contrib/solr_for_audit_setup/solr_standalone/solr.xml
new file mode 100644
index 0000000..4720e05
--- /dev/null
+++ b/security-admin/contrib/solr_for_audit_setup/solr_standalone/solr.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<solr>
+</solr>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c5ae2edd/src/main/assembly/admin-web.xml
----------------------------------------------------------------------
diff --git a/src/main/assembly/admin-web.xml b/src/main/assembly/admin-web.xml
index 4f34ef6..7a8dca0 100644
--- a/src/main/assembly/admin-web.xml
+++ b/src/main/assembly/admin-web.xml
@@ -361,6 +361,13 @@
<directory>security-admin/db</directory>
<fileMode>544</fileMode>
</fileSet>
+
+ <fileSet>
+ <outputDirectory>/contrib</outputDirectory>
+ <directory>security-admin/contrib</directory>
+ <fileMode>544</fileMode>
+ </fileSet>
+
<fileSet>
<outputDirectory>/</outputDirectory>
<directory>security-admin/scripts</directory>
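Review bot: `<fileMode>544</fileMode>` is applied to the whole security-admin/contrib tree, which marks the XML, properties and template files added in this commit executable along with setup.sh. Only setup.sh needs the execute bit at packaging time, since setup.sh itself runs `chmod a+x` on the scripts it generates from the templates, so splitting the entry into a `**/*.sh` fileSet at 544 and everything else at 444 keeps the configuration files read-only.
```xml
<fileSet>
  <outputDirectory>/contrib</outputDirectory>
  <directory>security-admin/contrib</directory>
  <includes>
    <include>**/*.sh</include>
  </includes>
  <fileMode>544</fileMode>
</fileSet>
<fileSet>
  <outputDirectory>/contrib</outputDirectory>
  <directory>security-admin/contrib</directory>
  <excludes>
    <exclude>**/*.sh</exclude>
  </excludes>
  <fileMode>444</fileMode>
</fileSet>
```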
[16/33] incubator-ranger git commit: RANGER-677 : Ranger Admin fails
to render policies referring to groups that contain . (dot) in name
Posted by ma...@apache.org.
RANGER-677 : Ranger Admin fails to render policies referring to groups that contain . (dot) in name
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/4b2fd94f
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/4b2fd94f
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/4b2fd94f
Branch: refs/heads/tag-policy
Commit: 4b2fd94fbce6d3a5d54a537430d0a1fda9a95741
Parents: 9cb055f
Author: Gautam Borad <gb...@gmail.com>
Authored: Tue Oct 6 12:36:29 2015 +0530
Committer: Gautam Borad <gb...@gmail.com>
Committed: Wed Oct 7 11:59:55 2015 +0530
----------------------------------------------------------------------
.../src/main/java/org/apache/ranger/common/StringUtil.java | 1 -
.../src/main/java/org/apache/ranger/rest/XUserREST.java | 6 ++----
security-admin/src/main/webapp/META-INF/context.xml | 4 ++--
security-admin/src/main/webapp/WEB-INF/web.xml | 5 ++++-
4 files changed, 8 insertions(+), 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4b2fd94f/security-admin/src/main/java/org/apache/ranger/common/StringUtil.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/common/StringUtil.java b/security-admin/src/main/java/org/apache/ranger/common/StringUtil.java
index 1eaff1a..f5990b4 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/StringUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/StringUtil.java
@@ -36,7 +36,6 @@ public class StringUtil implements Serializable {
static final public String VALIDATION_NAME = "[\\w\\ \\-\\']*";
static final public String VALIDATION_TEXT = "[a-zA-Z0-9\\ \"!@#$%^&*()-_=+;:'"|~`<>?/{}\\.\\,\\-\\?<>]*";
- // Only for Student loginId
static final public String VALIDATION_LOGINID = "[a-z,A-Z][\\w\\-\\_]*[a-z,A-Z,0-9]";
static final public String VALIDATION_ALPHA = "[a-z,A-Z]*";
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4b2fd94f/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
index 472dad6..d4d0a76 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
@@ -225,11 +225,9 @@ public class XUserREST {
public VXGroupList searchXGroups(@Context HttpServletRequest request) {
SearchCriteria searchCriteria = searchUtil.extractCommonCriterias(
request, xGroupService.sortFields);
- searchUtil.extractString(request, searchCriteria, "name", "group name",
- StringUtil.VALIDATION_NAME);
+ searchUtil.extractString(request, searchCriteria, "name", "group name", null);
searchUtil.extractInt(request, searchCriteria, "isVisible", "Group Visibility");
- searchUtil.extractString(request, searchCriteria, "groupSource", "group source",
- StringUtil.VALIDATION_NAME);
+ searchUtil.extractString(request, searchCriteria, "groupSource", "group source", null);
return xUserMgr.searchXGroups(searchCriteria);
}
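Review bot: Passing `null` as the validation regex for both `name` and `groupSource` removes input validation on these request parameters altogether rather than widening it to admit the dot that RANGER-677 is about; whether the value reaches a parameterized query or a string-built one cannot be seen from this hunk, so the safer fix is a pattern that adds `.` to the allowed set, e.g. `"[\\w\\ \\-\\'\\.]*"`, ideally as a new constant (say `VALIDATION_GROUP_NAME`) next to `StringUtil.VALIDATION_NAME`. That also leaves `groupSource`, which is not part of the reported bug, on the existing `VALIDATION_NAME` check. `searchXGroups` ends inside the hunk, but the enclosing class continues outside it.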
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4b2fd94f/security-admin/src/main/webapp/META-INF/context.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/META-INF/context.xml b/security-admin/src/main/webapp/META-INF/context.xml
index 7a573f6..9c7ea95 100644
--- a/security-admin/src/main/webapp/META-INF/context.xml
+++ b/security-admin/src/main/webapp/META-INF/context.xml
@@ -14,7 +14,7 @@
See the License for the specific language governing permissions and
limitations under the License.
-->
-<Context allowLinking="true">
+<Context allowLinking="true" useHttpOnly="true">
<Loader className="org.apache.catalina.loader.VirtualWebappLoader"
virtualClasspath="webapp/WEB-INF/classes/conf;webapp/WEB-INF/classes/lib/*" />
-</Context>
\ No newline at end of file
+</Context>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/4b2fd94f/security-admin/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/WEB-INF/web.xml b/security-admin/src/main/webapp/WEB-INF/web.xml
index cbd5724..0725633 100644
--- a/security-admin/src/main/webapp/WEB-INF/web.xml
+++ b/security-admin/src/main/webapp/WEB-INF/web.xml
@@ -79,6 +79,9 @@
<session-config>
<session-timeout>60</session-timeout>
<tracking-mode>COOKIE</tracking-mode>
+ <cookie-config>
+ <http-only>true</http-only>
+ </cookie-config>
</session-config>
<error-page>
<error-code>500</error-code>
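Review bot: The new `cookie-config` block at lines 4287-4289 sets `http-only` but not `secure`, so the session cookie is still sent over plain HTTP if the admin UI is reachable that way. If the admin UI is only served over HTTPS, add `<secure>true</secure>` beside `<http-only>true</http-only>`; if plain HTTP is still supported, say so in a comment so the omission reads as deliberate. The same http-only behaviour is also enabled on the Tomcat `Context` at line 4271 (`useHttpOnly="true"`); the web.xml setting is the container-portable one, so a short comment naming which of the two is authoritative would keep them from drifting apart.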
@@ -88,4 +91,4 @@
<error-code>404</error-code>
<location>/public/error404.jsp</location>
</error-page>
-</web-app>
\ No newline at end of file
+</web-app>
[23/33] incubator-ranger git commit: RANGER-652: Adding support for
ldap connection check tool
Posted by ma...@apache.org.
RANGER-652: Adding support for ldap connection check tool
Signed-off-by: Velmurugan Periasamy <ve...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/5ce7cc38
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/5ce7cc38
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/5ce7cc38
Branch: refs/heads/tag-policy
Commit: 5ce7cc38b2628380deab1f78bfa373f389c72faa
Parents: c22bdec
Author: Sailaja Polavarapu <sp...@hortonworks.com>
Authored: Fri Oct 9 10:07:01 2015 -0700
Committer: Velmurugan Periasamy <ve...@apache.org>
Committed: Sat Oct 10 12:28:32 2015 -0400
----------------------------------------------------------------------
src/main/assembly/usersync.xml | 36 +
.../ldapconfigcheck/conf/input.properties | 63 ++
.../ldapconfigchecktool/ldapconfigcheck/pom.xml | 130 +++
.../ldapconfigcheck/scripts/run.sh | 72 ++
.../ldapconfigcheck/AuthenticationCheck.java | 208 +++++
.../ldapconfigcheck/CommandLineOptions.java | 230 +++++
.../ranger/ldapconfigcheck/LdapConfig.java | 436 ++++++++++
.../ldapconfigcheck/LdapConfigCheckMain.java | 241 ++++++
.../apache/ranger/ldapconfigcheck/UserSync.java | 860 +++++++++++++++++++
9 files changed, 2276 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5ce7cc38/src/main/assembly/usersync.xml
----------------------------------------------------------------------
diff --git a/src/main/assembly/usersync.xml b/src/main/assembly/usersync.xml
index 8c2600e..161a443 100644
--- a/src/main/assembly/usersync.xml
+++ b/src/main/assembly/usersync.xml
@@ -134,6 +134,42 @@
</includes>
<fileMode>544</fileMode>
</fileSet>
+ <fileSet>
+ <directoryMode>755</directoryMode>
+ <fileMode>755</fileMode>
+ <outputDirectory>/ldaptool</outputDirectory>
+ <directory>ugsync/ldapconfigchecktool/ldapconfigcheck/scripts</directory>
+ <includes>
+ <include>run.sh</include>
+ </includes>
+ </fileSet>
+ <fileSet>
+ <directoryMode>755</directoryMode>
+ <fileMode>644</fileMode>
+ <outputDirectory>/ldaptool/lib</outputDirectory>
+ <directory>ugsync/ldapconfigchecktool/ldapconfigcheck/target</directory>
+ <includes>
+ <include>ldapconfigcheck.jar</include>
+ </includes>
+ </fileSet>
+ <fileSet>
+ <directoryMode>755</directoryMode>
+ <fileMode>644</fileMode>
+ <outputDirectory>/ldaptool/conf</outputDirectory>
+ <directory>ugsync/ldapconfigchecktool/ldapconfigcheck/conf</directory>
+ <includes>
+ <include>input.properties</include>
+ </includes>
+ </fileSet>
+ <fileSet>
+ <directoryMode>755</directoryMode>
+ <fileMode>644</fileMode>
+ <outputDirectory>/ldaptool/output</outputDirectory>
+ <directory>ugsync/ldapconfigchecktool/ldapconfigcheck/conf</directory>
+ <excludes>
+ <exclude>input.properties</exclude>
+ </excludes>
+ </fileSet>
</fileSets>
<files>
<file>
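Review bot: The fileSet at lines 4365-4373 copies the tool's `conf` directory into `/ldaptool/output` while excluding `input.properties`, and the diffstat at line 4318 shows `input.properties` as the only file in that directory, so this fileSet appears to exist solely to create an empty output directory. A comment such as `<!-- conf holds only input.properties; this fileSet creates the empty ldaptool/output directory -->` would make that explicit, since any file later added to `conf` would otherwise be shipped into `output` silently.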
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5ce7cc38/ugsync/ldapconfigchecktool/ldapconfigcheck/conf/input.properties
----------------------------------------------------------------------
diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/conf/input.properties b/ugsync/ldapconfigchecktool/ldapconfigcheck/conf/input.properties
new file mode 100755
index 0000000..dc6fc59
--- /dev/null
+++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/conf/input.properties
@@ -0,0 +1,63 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Mandatory ldap configuration properties.
+ranger.usersync.ldap.url=
+ranger.usersync.ldap.binddn=
+ranger.usersync.ldap.ldapbindpassword=
+
+# Mandatory only for openLdap
+ranger.usersync.ldap.user.searchbase=
+ranger.usersync.ldap.user.searchfilter=
+
+# For verifying authentication please provide sample username and password
+ranger.admin.auth.sampleuser=
+ranger.admin.auth.samplepassword=
+
+# Optional properties will be determined based on the above search
+# User attributes
+ranger.usersync.ldap.user.nameattribute=
+ranger.usersync.ldap.user.objectclass=
+ranger.usersync.ldap.user.groupnameattribute=
+
+# Group attributes
+ranger.usersync.group.searchenabled=false
+ranger.usersync.group.memberattributename=
+ranger.usersync.group.nameattribute=
+ranger.usersync.group.objectclass=
+ranger.usersync.group.searchbase=
+ranger.usersync.group.searchfilter=
+
+# Other UserSync related attributes
+ranger.usersync.ldap.authentication.mechanism=simple
+ranger.usersync.pagedresultsenabled=true
+ranger.usersync.pagedresultssize=500
+ranger.usersync.ldap.username.caseconversion=lower
+ranger.usersync.ldap.groupname.caseconversion=lower
+ranger.usersync.ldap.user.searchscope=sub
+ranger.usersync.group.searchscope=sub
+
+ranger.usersync.credstore.filename=
+ranger.usersync.ldap.bindalias=
+ranger.usersync.ldap.searchBase=
+ranger.usersync.group.usermapsyncenabled=false
+
+# Authentication properties
+ranger.authentication.method=
+ranger.ldap.ad.domain=
+ranger.ldap.user.dnpattern=
+ranger.ldap.group.roleattribute=
+ranger.ldap.group.searchbase=
+ranger.ldap.group.searchfilter=
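Review bot: `ranger.usersync.ldap.ldapbindpassword` (line 4403) and `ranger.admin.auth.samplepassword` (line 4411) hold clear-text passwords in a file the assembly installs with `fileMode` 644 (line 4358), so once filled in the bind password is readable by every local account. The file already declares `ranger.usersync.credstore.filename` and `ranger.usersync.ldap.bindalias` (lines 4436-4437); a comment above the password keys should point operators at that alternative and at restricting the file, e.g. `# Prefer ranger.usersync.credstore.filename/ranger.usersync.ldap.bindalias over a clear-text password; if a password is entered here, make this file readable only by the user running the tool.` Whether LdapConfig actually honours the credstore keys cannot be confirmed here, since its hunk runs past the end of this chunk.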
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5ce7cc38/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml
----------------------------------------------------------------------
diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml b/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml
new file mode 100644
index 0000000..a0971f2
--- /dev/null
+++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+
+ <parent>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger</artifactId>
+ <version>0.5.0</version>
+ <relativePath>..</relativePath>
+ </parent>
+
+ <artifactId>ldapconfigcheck</artifactId>
+
+ <packaging>jar</packaging>
+ <name>Ldap Config Check Tool</name>
+ <description>Ldap configuration check tool</description>
+
+ <dependencies>
+ <dependency>
+ <groupId>commons-cli</groupId>
+ <artifactId>commons-cli</artifactId>
+ <version>${commons.cli.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>commons-configuration</groupId>
+ <artifactId>commons-configuration</artifactId>
+ <version>${commons.configuration.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>commons-lang</groupId>
+ <artifactId>commons-lang</artifactId>
+ <version>${commons.lang.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>commons-logging</groupId>
+ <artifactId>commons-logging</artifactId>
+ <version>${commons.logging.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-beans</artifactId>
+ <version>${springframework.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-context</artifactId>
+ <version>${springframework.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-core</artifactId>
+ <version>${springframework.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-tx</artifactId>
+ <version>${springframework.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework.ldap</groupId>
+ <artifactId>spring-ldap-core</artifactId>
+ <version>${spring-ldap-core.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework.security</groupId>
+ <artifactId>spring-security-core</artifactId>
+ <version>${springframework.security.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework.security</groupId>
+ <artifactId>spring-security-ldap</artifactId>
+ <version>${springframework.security.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>credentialbuilder</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger-util</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+
+ </dependencies>
+ <build>
+ <finalName>ldapconfigcheck</finalName>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-shade-plugin</artifactId>
+ <version>2.2</version>
+ <executions>
+ <execution>
+ <phase>package</phase>
+ <goals>
+ <goal>shade</goal>
+ </goals>
+ <configuration>
+ <transformers>
+ <transformer implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
+ <mainClass>org.apache.ranger.ldapconfigcheck.LdapConfigCheckMain</mainClass>
+ </transformer>
+ </transformers>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+</project>
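Review bot: `<relativePath>..</relativePath>` at line 4482 points at `ugsync/ldapconfigchecktool/pom.xml`, which is not among the files this commit adds (diffstat lines 4317-4325), while the declared parent `org.apache.ranger:ranger` is presumably the root pom three levels up. Maven falls back to the reactor or local repository when the relative parent is missing, so a full build likely succeeds, but building this module on its own would not; if the root pom is the intended parent, `<relativePath>../../../pom.xml</relativePath>` states it correctly. Whether an intermediate pom already exists at that path is not visible from this chunk.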
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5ce7cc38/ugsync/ldapconfigchecktool/ldapconfigcheck/scripts/run.sh
----------------------------------------------------------------------
diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/scripts/run.sh b/ugsync/ldapconfigchecktool/ldapconfigcheck/scripts/run.sh
new file mode 100755
index 0000000..787e216
--- /dev/null
+++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/scripts/run.sh
@@ -0,0 +1,72 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+AUTH=1
+
+usage() {
+ echo "usage: run.sh
+ -noauth ignore authentication properties
+ -d <arg> {all|users|groups}
+ -h show help.
+ -i <arg> Input file name
+ -o <arg> Output directory
+ -r <arg> {all|users|groups}"
+ exit 1
+}
+
+cdir=`pwd`
+cp="${cdir}/lib/*:${cdir}/conf"
+OUTDIR="${cdir}/output/"
+JAVA_CMD="java -cp ${cdir}/lib/ldapconfigcheck.jar:${cp} org.apache.ranger.ldapconfigcheck.LdapConfigCheckMain"
+
+while getopts "i:o:d:r:noauthh" opt; do
+ case $opt in
+ i) INFILE=$OPTARG
+ JAVA_CMD="$JAVA_CMD -i $OPTARG"
+ ;;
+ o) OUTDIR=$OPTARG
+ ;;
+ d) DISCOVER=$OPTARG
+ JAVA_CMD="$JAVA_CMD -d $OPTARG"
+ ;;
+ r) RETRIEVE=$OPTARG
+ JAVA_CMD="$JAVA_CMD -r $OPTARG"
+ ;;
+ noauth) AUTH=0
+ JAVA_CMD="$JAVA_CMD -noauth"
+ ;;
+ h) usage
+ ;;
+ \?) echo -e \\n"Option -$OPTARG not allowed."
+ usage
+ ;;
+ esac
+done
+
+JAVA_CMD="$JAVA_CMD -o $OUTDIR"
+
+echo "JAVA commnad = $JAVA_CMD"
+
+if [ "${JAVA_HOME}" != "" ]
+then
+ export JAVA_HOME
+ PATH="${JAVA_HOME}/bin:${PATH}"
+ export PATH
+fi
+
+cd ${cdir}
+$JAVA_CMD
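Review bot: `getopts "i:o:d:r:noauthh"` at line 4629 cannot express a multi-character option: getopts reads each letter of `noauth` as its own flag, so `-noauth` on the command line is parsed as `-n` followed by `-o auth`, which sets `OUTDIR=auth` and never reaches the `noauth)` case at line 4642. Strip `-noauth` from the argument list before the getopts loop and shorten the optstring to `i:o:d:r:h`, as below. Separately, `$JAVA_CMD` at line 4665 is expanded unquoted, so an input path or output directory containing spaces is split into several arguments; building the command as a bash array avoids that, and the `commnad` typo in the echo at line 4655 is worth fixing at the same time.
```shell
# … unchanged: usage(), cdir, cp, OUTDIR, JAVA_CMD …

# getopts only understands single-letter flags, so take -noauth out of the argument list by hand
ARGS=()
for arg in "$@"; do
  if [ "$arg" = "-noauth" ]; then
    AUTH=0
    JAVA_CMD="$JAVA_CMD -noauth"
  else
    ARGS+=("$arg")
  fi
done
set -- "${ARGS[@]}"

while getopts "i:o:d:r:h" opt; do
  # … unchanged: i/o/d/r/h/\? cases, with the noauth) case removed …
done
```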
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5ce7cc38/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/AuthenticationCheck.java
----------------------------------------------------------------------
diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/AuthenticationCheck.java b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/AuthenticationCheck.java
new file mode 100644
index 0000000..f39f782
--- /dev/null
+++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/AuthenticationCheck.java
@@ -0,0 +1,208 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.ldapconfigcheck;
+
+import java.io.PrintStream;
+import java.util.ArrayList;
+import java.util.List;
+import org.springframework.ldap.core.support.LdapContextSource;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
+import org.springframework.security.ldap.authentication.BindAuthenticator;
+import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
+
+
+public class AuthenticationCheck {
+ private String ldapUrl = null;
+ private String authMethod = "NONE";
+ private String adDomain = null;
+ private String userDnPattern = null;
+ private String roleAttribute = null;
+ private String groupSearchBase = null;
+ private String groupSearchFilter = null;
+
+ private PrintStream logFile = null;
+ private PrintStream ambariProps = null;
+ private PrintStream installProps = null;
+
+ public AuthenticationCheck(String ldapUrl, UserSync userSyncObj, PrintStream logFile,
+ PrintStream ambariProps, PrintStream installProps) {
+
+ this.logFile = logFile;
+ this.ambariProps = ambariProps;
+ this.installProps = installProps;
+
+ if (userSyncObj.getUserNameAttribute().equalsIgnoreCase("sAMAccountName")) {
+ authMethod = "AD";
+ } else {
+ authMethod = "LDAP";
+ }
+ this.ldapUrl = ldapUrl;
+ adDomain = userSyncObj.getSearchBase();
+ userDnPattern = userSyncObj.getUserNameAttribute() + "={0}," + userSyncObj.getUserSearchBase();
+ roleAttribute = userSyncObj.getGroupNameAttrName();
+ groupSearchBase = userSyncObj.getGroupSearchBase();
+ groupSearchFilter = userSyncObj.getGroupMemberName() + "=" + userDnPattern;
+
+ }
+
+ public void discoverAuthProperties() {
+
+ ambariProps.println("\n# Possible values for authetication properties:");
+ installProps.println("\n# Possible values for authetication properties:");
+ if (authMethod.equalsIgnoreCase("AD")) {
+ installProps.println("xa_ldap_ad_url=" + ldapUrl);
+ installProps.println("xa_ldap_ad_domain=" + adDomain);
+ } else {
+ installProps.println("xa_ldap_url=" + ldapUrl);
+ installProps.println("xa_ldap_userDNpattern=" + userDnPattern);
+ installProps.println("xa_ldap_groupRoleAttribute=" + roleAttribute);
+ installProps.println("xa_ldap_groupSearchBase=" + groupSearchBase);
+ installProps.println("xa_ldap_groupSearchFilter=" + groupSearchFilter);
+ }
+
+ ambariProps.println("ranger.authentication.method=" + authMethod);
+ if (authMethod.equalsIgnoreCase("AD")) {
+ ambariProps.println("ranger.ldap.ad.url=" + ldapUrl);
+ ambariProps.println("ranger.ldap.ad.domain=" + adDomain);
+ } else {
+ ambariProps.println("ranger.ldap.url=" + ldapUrl);
+ ambariProps.println("ranger.ldap.user.dnpattern=" + userDnPattern);
+ ambariProps.println("ranger.ldap.group.roleattribute=" + roleAttribute);
+ ambariProps.println("ranger.ldap.group.searchbase=" + groupSearchBase);
+ ambariProps.println("ranger.ldap.group.searchfilter=" + groupSearchFilter);
+ }
+ }
+
+ public boolean isAuthenticated(String ldapUrl, String bindDn, String bindPassword, String userName,
+ String userPassword) {
+ boolean isAuthenticated = false;
+ //Verify Authentication
+ Authentication authentication;
+ if (authMethod.equalsIgnoreCase("AD")) {
+ authentication = getADBindAuthentication(ldapUrl, bindDn, bindPassword, userName, userPassword);
+ } else {
+ authentication = getLdapBindAuthentication(ldapUrl, bindDn, bindPassword, userName, userPassword);
+ }
+ if (authentication != null) {
+ isAuthenticated = authentication.isAuthenticated();
+ }
+
+ return isAuthenticated;
+ }
+
+ private Authentication getADBindAuthentication(String ldapUrl, String bindDn, String bindPassword,
+ String userName, String userPassword) {
+ Authentication result = null;
+ try {
+ LdapContextSource ldapContextSource = new DefaultSpringSecurityContextSource(ldapUrl);
+ ldapContextSource.setUserDn(bindDn);
+ ldapContextSource.setPassword(bindPassword);
+ ldapContextSource.setReferral("follow");
+ ldapContextSource.setCacheEnvironmentProperties(true);
+ ldapContextSource.setAnonymousReadOnly(false);
+ ldapContextSource.setPooled(true);
+ ldapContextSource.afterPropertiesSet();
+
+ String searchFilter="(sAMAccountName={0})";
+ FilterBasedLdapUserSearch userSearch=new FilterBasedLdapUserSearch(adDomain, searchFilter,ldapContextSource);
+ userSearch.setSearchSubtree(true);
+
+ BindAuthenticator bindAuthenticator = new BindAuthenticator(ldapContextSource);
+ bindAuthenticator.setUserSearch(userSearch);
+ bindAuthenticator.afterPropertiesSet();
+
+ LdapAuthenticationProvider ldapAuthenticationProvider = new LdapAuthenticationProvider(bindAuthenticator);
+
+ if (userName != null && userPassword != null && !userName.trim().isEmpty() && !userPassword.trim().isEmpty()) {
+ final List<GrantedAuthority> grantedAuths = new ArrayList<>();
+ grantedAuths.add(new SimpleGrantedAuthority("ROLE_USER"));
+ final UserDetails principal = new User(userName, userPassword, grantedAuths);
+ final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, userPassword, grantedAuths);
+
+ result = ldapAuthenticationProvider.authenticate(finalAuthentication);
+ }
+
+ } catch (BadCredentialsException bce) {
+ logFile.println("ERROR: LDAP Authentication Failed. Please verify values for ranger.admin.auth.sampleuser and " +
+ "ranger.admin.auth.samplepassword\n");
+ } catch (Exception e) {
+ logFile.println("ERROR: LDAP Authentication Failed: " + e);
+ }
+ return result;
+ }
+
+ private Authentication getLdapBindAuthentication(String ldapUrl, String bindDn, String bindPassword,
+ String userName, String userPassword) {
+ Authentication result = null;
+ try {
+ LdapContextSource ldapContextSource = new DefaultSpringSecurityContextSource(ldapUrl);
+ ldapContextSource.setUserDn(bindDn);
+ ldapContextSource.setPassword(bindPassword);
+ ldapContextSource.setReferral("follow");
+ ldapContextSource.setCacheEnvironmentProperties(false);
+ ldapContextSource.setAnonymousReadOnly(true);
+ ldapContextSource.setPooled(true);
+ ldapContextSource.afterPropertiesSet();
+
+ DefaultLdapAuthoritiesPopulator defaultLdapAuthoritiesPopulator = new DefaultLdapAuthoritiesPopulator(ldapContextSource, groupSearchBase);
+ defaultLdapAuthoritiesPopulator.setGroupRoleAttribute(roleAttribute);
+ defaultLdapAuthoritiesPopulator.setGroupSearchFilter(groupSearchFilter);
+ defaultLdapAuthoritiesPopulator.setIgnorePartialResultException(true);
+
+ String searchFilter="(uid={0})";
+ FilterBasedLdapUserSearch userSearch=new FilterBasedLdapUserSearch(adDomain, searchFilter,ldapContextSource);
+ userSearch.setSearchSubtree(true);
+
+ BindAuthenticator bindAuthenticator = new BindAuthenticator(ldapContextSource);
+ bindAuthenticator.setUserSearch(userSearch);
+ String[] userDnPatterns = new String[] { userDnPattern };
+ bindAuthenticator.setUserDnPatterns(userDnPatterns);
+ bindAuthenticator.afterPropertiesSet();
+
+ LdapAuthenticationProvider ldapAuthenticationProvider = new LdapAuthenticationProvider(bindAuthenticator,defaultLdapAuthoritiesPopulator);
+
+ if (userName != null && userPassword != null && !userName.trim().isEmpty()&& !userPassword.trim().isEmpty()) {
+ final List<GrantedAuthority> grantedAuths = new ArrayList<>();
+ grantedAuths.add(new SimpleGrantedAuthority("ROLE_USER"));
+ final UserDetails principal = new User(userName, userPassword,grantedAuths);
+ final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, userPassword, grantedAuths);
+
+ result = ldapAuthenticationProvider.authenticate(finalAuthentication);
+ }
+ } catch (BadCredentialsException bce) {
+ logFile.println("ERROR: LDAP Authentication Failed. Please verify values for ranger.admin.auth.sampleuser and " +
+ "ranger.admin.auth.samplepassword\n");
+ } catch (Exception e) {
+ logFile.println("ERROR: LDAP Authentication Failed: " + e);
+ }
+ return result;
+ }
+}
+
+
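Review bot: `getLdapBindAuthentication` at lines 4837-4844 configures the context source with `setAnonymousReadOnly(true)` while also setting a bind DN and password, whereas the AD variant at line 4801 uses `false`; with that flag Spring LDAP performs read-only operations such as the `FilterBasedLdapUserSearch` lookup anonymously, so directories that refuse anonymous search fail here with a misleading "Authentication Failed" message. Unless anonymous search is intended for the LDAP case, the line should read `ldapContextSource.setAnonymousReadOnly(false);` and a comment should explain why the two branches differ if they must. The same method searches under `adDomain` (line 4852), which the constructor fills from `userSyncObj.getSearchBase()` (line 4739) rather than the user search base used to build `userDnPattern` (line 4740); the name suggests an AD-only value, so a comment or a rename to `searchBase` would clarify whether that is deliberate. Finally, the `ldapUrl` parameters of `isAuthenticated` and both helpers shadow the field assigned at line 4738, which is easy to misread.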
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5ce7cc38/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/CommandLineOptions.java
----------------------------------------------------------------------
diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/CommandLineOptions.java b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/CommandLineOptions.java
new file mode 100644
index 0000000..790330f
--- /dev/null
+++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/CommandLineOptions.java
@@ -0,0 +1,230 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.ldapconfigcheck;
+
+import org.apache.commons.cli.*;
+import java.io.Console;
+
+public class CommandLineOptions {
+
+ private String[] args = null;
+ private Options options = new Options();
+ private String input = null;
+ private String output = null;
+ private String discoverProperties;
+ private String retrieveValues = null;
+ private boolean isAuthEnabled = true;
+ private String ldapUrl = "";
+ private String bindDn = "";
+ private String bindPassword = "";
+ private String userSearchBase = "";
+ private String userSearchFilter = "";
+ private String authUser = "";
+ private String authPass = "";
+
+ public CommandLineOptions(String[] args) {
+ this.args = args;
+ options.addOption("h", "help", false, "show help.");
+ options.addOption("i", "inputfile", true, "Input file name");
+ options.addOption("o", "outputdir", true, "Output directory");
+ options.addOption("d", "discoverProperties", true, "{all|users|groups}");
+ options.addOption("r", "retrieve", true, "{all|users|groups}");
+ options.addOption("noauth", "noAuthentication", false, "Ignore authentication properties");
+ }
+
+ public void parse() {
+ CommandLineParser parser = new BasicParser();
+ try {
+ CommandLine cmd = parser.parse(options, args);
+ if (cmd.hasOption("h")) {
+
+ }
+
+
+ if (cmd.hasOption("o")) {
+ output = cmd.getOptionValue("o");
+ } else {
+ System.out.println("Missing o option for output directory");
+ help();
+ }
+
+ if (cmd.hasOption("d")) {
+ discoverProperties = cmd.getOptionValue("d");
+ if (discoverProperties == null || (!discoverProperties.equalsIgnoreCase("all") &&
+ !discoverProperties.equalsIgnoreCase("users") && !discoverProperties.equalsIgnoreCase("groups"))) {
+ System.out.println("Unsupported value for option d");
+ help();
+ }
+ }
+
+ if (cmd.hasOption("r")) {
+ retrieveValues = cmd.getOptionValue("r");
+ if (retrieveValues == null || (!retrieveValues.equalsIgnoreCase("all")
+ && !retrieveValues.equalsIgnoreCase("users") && !retrieveValues.equalsIgnoreCase("groups"))) {
+ System.out.println("Unsupported value for option r");
+ help();
+ }
+ } else {
+ if (discoverProperties == null || discoverProperties.isEmpty()) {
+ System.out.println("Default to discover all usersync properties");
+ //help();
+ // If "d" or "r" option is not specified, then default to discover all usersync properties
+ discoverProperties = "all";
+ }
+ }
+
+ if (cmd.hasOption("noauth")) {
+ isAuthEnabled = false;
+ }
+
+ if (cmd.hasOption("i")) {
+ input = cmd.getOptionValue("i");
+ if (input == null || input.isEmpty()) {
+ System.out.println("Please specify the input properties file name");
+ help();
+ }
+
+ } else {
+ // Read the properties from CLI and write to the input properties file.
+ input = LdapConfig.CONFIG_FILE;
+ readCLI();
+ }
+
+ } catch (ParseException pe) {
+ System.out.println("Failed to parse command line arguments " + pe);
+ help();
+ }
+ }
+
+ public void help() {
+ // This prints out some help
+ HelpFormatter formater = new HelpFormatter();
+ formater.printHelp("ldapConfigCheck", options);
+ System.exit(0);
+ }
+
+ public String getInput() {
+ return input;
+ }
+
+ public String getOutput() {
+
+ return output;
+ }
+
+ public String getDiscoverProperties() {
+ return discoverProperties;
+ }
+
+ public boolean isAuthEnabled() {
+ return isAuthEnabled;
+ }
+
+ public String getRetrieveValues() {
+ return retrieveValues;
+ }
+
+ private void readCLI() {
+ boolean repeat;
+ Console console = System.console();
+ do {
+ repeat = false;
+ System.out.print("Ldap url [ldap://ldap.example.com:389]: ");
+ ldapUrl = console.readLine();
+ if (ldapUrl == null || ldapUrl.isEmpty()) {
+ System.out.println("Please enter valid ldap url.");
+ repeat = true;
+ }
+ } while (repeat == true);
+ do {
+ repeat = false;
+ System.out.print("Bind DN [cn=admin,ou=users,dc=example,dc=com]: ");
+ bindDn = console.readLine();
+ if (bindDn == null || bindDn.isEmpty()) {
+ System.out.println("Please enter valid bindDn.");
+ repeat = true;
+ }
+ } while (repeat == true);
+ do {
+ repeat = false;
+ System.out.print("Bind Password: ");
+ char[] password = console.readPassword();
+ bindPassword = String.valueOf(password);
+ if (bindPassword == null || bindPassword.isEmpty()) {
+ System.out.println("Bind Password can't be empty.");
+ repeat = true;
+ }
+ } while (repeat == true);
+ System.out.print("User Search Base [ou=users,dc=example,dc=com]: ");
+ userSearchBase = console.readLine();
+ System.out.print("User Search Filter [cn=user1]: ");
+ userSearchFilter = console.readLine();
+
+ if (isAuthEnabled) {
+ do {
+ repeat = false;
+ System.out.print("Sample Authentication User [user1]: ");
+ authUser = console.readLine();
+ if (authUser == null || authUser.isEmpty()) {
+ System.out.println("Sample Authentication user must not be empty!");
+ repeat = true;
+ }
+ } while (repeat == true);
+ do {
+ repeat = false;
+ System.out.print("Sample Authentication Password: ");
+ char[] password = console.readPassword();
+ authPass = String.valueOf(password);
+ if (authPass == null || authPass.isEmpty()) {
+ System.out.println("Sample Authentication password must not be empty!");
+ repeat = true;
+ }
+ } while (repeat == true);
+ }
+ }
+
+ public String getLdapUrl() {
+ return ldapUrl;
+ }
+
+ public String getBindDn() {
+ return bindDn;
+ }
+
+ public String getBindPassword() {
+ return bindPassword;
+ }
+
+ public String getUserSearchBase() {
+ return userSearchBase;
+ }
+
+ public String getUserSearchFilter() {
+ return userSearchFilter;
+ }
+
+ public String getAuthUser() {
+ return authUser;
+ }
+
+ public String getAuthPass() {
+ return authPass;
+ }
+}
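Review bot: The `-h` branch at lines 4945-4947 is an empty block, so `-h`/`--help` never prints usage; it should read `if (cmd.hasOption("h")) { help(); }`. `System.console()` at line 5035 returns `null` when the tool runs without a terminal (for example driven from a script), and the first `console.readLine()` then throws a NullPointerException; check for null and tell the user to supply `-i <file>` instead. `String.valueOf(password)` at lines 5058 and 5083 throws if `readPassword()` returned `null` on EOF, so the null checks that follow never fire, and turning the `char[]` into a String keeps the bind password in the heap until garbage collection; overwrite the array after copying (`java.util.Arrays.fill(password, ' ')`) since the downstream API takes a String. `help()` at line 5009 exits with status 0 even when reached from a usage error, so callers such as run.sh cannot distinguish bad arguments from success; use a non-zero status on the error paths.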
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5ce7cc38/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfig.java
----------------------------------------------------------------------
diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfig.java b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfig.java
new file mode 100644
index 0000000..a548957
--- /dev/null
+++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfig.java
@@ -0,0 +1,436 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.ldapconfigcheck;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Properties;
+
+import org.apache.commons.configuration.ConfigurationException;
+import org.apache.commons.lang.NullArgumentException;
+import org.apache.commons.configuration.PropertiesConfiguration;
+
+public class LdapConfig {
+
+ public static final String CONFIG_FILE = "input.properties";
+
+ private static final String LGSYNC_LDAP_URL = "ranger.usersync.ldap.url";
+
+ private static final String LGSYNC_LDAP_BIND_DN = "ranger.usersync.ldap.binddn";
+
+ private static final String LGSYNC_LDAP_BIND_KEYSTORE = "ranger.usersync.credstore.filename";
+
+ private static final String LGSYNC_LDAP_BIND_ALIAS = "ranger.usersync.ldap.bindalias";
+
+ private static final String LGSYNC_LDAP_BIND_PASSWORD = "ranger.usersync.ldap.ldapbindpassword";
+
+ private static final String LGSYNC_LDAP_AUTHENTICATION_MECHANISM = "ranger.usersync.ldap.authentication.mechanism";
+ private static final String DEFAULT_AUTHENTICATION_MECHANISM = "simple";
+
+ private static final String LGSYNC_SEARCH_BASE = "ranger.usersync.ldap.searchBase";
+
+ private static final String LGSYNC_USER_SEARCH_BASE = "ranger.usersync.ldap.user.searchbase";
+
+ private static final String LGSYNC_USER_SEARCH_SCOPE = "ranger.usersync.ldap.user.searchscope";
+
+ private static final String LGSYNC_USER_OBJECT_CLASS = "ranger.usersync.ldap.user.objectclass";
+
+ private static final String LGSYNC_USER_SEARCH_FILTER = "ranger.usersync.ldap.user.searchfilter";
+
+ private static final String LGSYNC_USER_NAME_ATTRIBUTE = "ranger.usersync.ldap.user.nameattribute";
+
+ private static final String LGSYNC_USER_GROUP_NAME_ATTRIBUTE = "ranger.usersync.ldap.user.groupnameattribute";
+
+ public static final String UGSYNC_LOWER_CASE_CONVERSION_VALUE = "lower";
+
+ private static final String UGSYNC_USERNAME_CASE_CONVERSION_PARAM = "ranger.usersync.ldap.username.caseconversion";
+ private static final String DEFAULT_UGSYNC_USERNAME_CASE_CONVERSION_VALUE = UGSYNC_LOWER_CASE_CONVERSION_VALUE;
+
+ private static final String UGSYNC_GROUPNAME_CASE_CONVERSION_PARAM = "ranger.usersync.ldap.groupname.caseconversion";
+ private static final String DEFAULT_UGSYNC_GROUPNAME_CASE_CONVERSION_VALUE = UGSYNC_LOWER_CASE_CONVERSION_VALUE;
+
+
+ private static final String LGSYNC_PAGED_RESULTS_ENABLED = "ranger.usersync.pagedresultsenabled";
+ private static final boolean DEFAULT_LGSYNC_PAGED_RESULTS_ENABLED = true;
+
+ private static final String LGSYNC_PAGED_RESULTS_SIZE = "ranger.usersync.pagedresultssize";
+ private static final int DEFAULT_LGSYNC_PAGED_RESULTS_SIZE = 500;
+
+ private static final String LGSYNC_GROUP_SEARCH_ENABLED = "ranger.usersync.group.searchenabled";
+ private static final boolean DEFAULT_LGSYNC_GROUP_SEARCH_ENABLED = false;
+
+ private static final String LGSYNC_GROUP_USER_MAP_SYNC_ENABLED = "ranger.usersync.group.usermapsyncenabled";
+ private static final boolean DEFAULT_LGSYNC_GROUP_USER_MAP_SYNC_ENABLED = false;
+
+ private static final String LGSYNC_GROUP_SEARCH_BASE = "ranger.usersync.group.searchbase";
+
+ private static final String LGSYNC_GROUP_SEARCH_SCOPE = "ranger.usersync.group.searchscope";
+
+ private static final String LGSYNC_GROUP_OBJECT_CLASS = "ranger.usersync.group.objectclass";
+
+ private static final String LGSYNC_GROUP_SEARCH_FILTER = "ranger.usersync.group.searchfilter";
+
+ private static final String LGSYNC_GROUP_NAME_ATTRIBUTE = "ranger.usersync.group.nameattribute";
+
+ private static final String LGSYNC_GROUP_MEMBER_ATTRIBUTE_NAME = "ranger.usersync.group.memberattributename";
+
+ //Authentication relate properties
+ private static final String AUTHENTICATION_METHOD = "ranger.authentication.method";
+ private static final String AD_DOMAIN = "ranger.ldap.ad.domain";
+ private static final String USER_DN_PATTERN = "ranger.ldap.user.dnpattern";
+ private static final String GROUP_ROLE_ATTRIBUTE = "ranger.ldap.group.roleattribute";
+ private static final String GROUP_SEARCH_BASE = "ranger.ldap.group.searchbase";
+ private static final String GROUP_SEARCH_FILTER = "ranger.ldap.group.searchfilter";
+ private static final String AUTH_USERNAME = "ranger.admin.auth.sampleuser";
+ private static final String AUTH_PASSWORD = "ranger.admin.auth.samplepassword";
+
+
+ private Properties prop = new Properties();
+
+
+ public LdapConfig(String configFile) {
+ init(configFile);
+ }
+
+ private void init(String configFile) {
+ readConfigFile(configFile);
+ }
+
+ private void readConfigFile(String fileName) {
+ try {
+ InputStream in = getFileInputStream(fileName);
+ if (in != null) {
+ try {
+ System.out.println("Reading ldap properties from " + fileName);
+ prop.load(in);
+
+ } finally {
+ try {
+ in.close();
+ } catch (IOException ioe) {
+ // Ignore IOE when closing stream
+ System.out.println(ioe);
+ }
+ }
+ }
+ } catch (Throwable e) {
+ throw new RuntimeException("Unable to load configuration file [" + fileName + "]", e);
+ }
+ }
+
+
+ /*private InputStream getFileInputStream(String path) throws FileNotFoundException {
+
+ InputStream ret = null;
+
+ File f = new File(path);
+
+ if (f.exists()) {
+ ret = new FileInputStream(f);
+ }
+
+ return ret;
+ }*/
+
+ private InputStream getFileInputStream(String path) throws FileNotFoundException {
+
+ InputStream ret = null;
+
+ File f = new File(path);
+
+ if (f.exists()) {
+ ret = new FileInputStream(f);
+ } else {
+ ret = getClass().getResourceAsStream(path);
+
+ if (ret == null) {
+ if (! path.startsWith("/")) {
+ ret = getClass().getResourceAsStream("/" + path);
+ }
+ }
+
+ if (ret == null) {
+ ret = ClassLoader.getSystemClassLoader().getResourceAsStream(path) ;
+ if (ret == null) {
+ if (! path.startsWith("/")) {
+ ret = ClassLoader.getSystemResourceAsStream("/" + path);
+ }
+ }
+ }
+ }
+
+ return ret;
+ }
+
+ public String getLdapUrl() throws Throwable {
+ String val = prop.getProperty(LGSYNC_LDAP_URL);
+ if (val == null || val.trim().isEmpty()) {
+ throw new NullArgumentException(LGSYNC_LDAP_URL);
+ }
+ return val;
+ }
+
+
+ public String getLdapBindDn() throws Throwable {
+ String val = prop.getProperty(LGSYNC_LDAP_BIND_DN);
+ if (val == null || val.trim().isEmpty()) {
+ throw new NullArgumentException(LGSYNC_LDAP_BIND_DN);
+ }
+ return val;
+ }
+
+
+ public String getLdapBindPassword() {
+ //update credential from keystore
+ if (prop == null) {
+ return null;
+ }
+ return prop.getProperty(LGSYNC_LDAP_BIND_PASSWORD);
+ }
+
+
+ public String getLdapAuthenticationMechanism() {
+ String val = prop.getProperty(LGSYNC_LDAP_AUTHENTICATION_MECHANISM);
+ if (val == null || val.trim().isEmpty()) {
+ return DEFAULT_AUTHENTICATION_MECHANISM;
+ }
+ return val;
+ }
+
+
+ public String getUserSearchBase() {
+ String val = prop.getProperty(LGSYNC_USER_SEARCH_BASE);
+ if (val == null || val.trim().isEmpty()) {
+ val = getSearchBase();
+ }
+ return val;
+ }
+
+
+ public int getUserSearchScope() {
+ String val = prop.getProperty(LGSYNC_USER_SEARCH_SCOPE);
+ if (val == null || val.trim().isEmpty()) {
+ return 2; //subtree scope
+ }
+
+ val = val.trim().toLowerCase();
+ if (val.equals("0") || val.startsWith("base")) {
+ return 0; // object scope
+ } else if (val.equals("1") || val.startsWith("one")) {
+ return 1; // one level scope
+ } else {
+ return 2; // subtree scope
+ }
+ }
+
+
+ public String getUserObjectClass() {
+ String val = prop.getProperty(LGSYNC_USER_OBJECT_CLASS);
+ return val;
+ }
+
+ public String getUserSearchFilter() {
+ return prop.getProperty(LGSYNC_USER_SEARCH_FILTER);
+ }
+
+
+ public String getUserNameAttribute() {
+ String val = prop.getProperty(LGSYNC_USER_NAME_ATTRIBUTE);
+ return val;
+ }
+
+ public String getUserGroupNameAttribute() {
+ String val = prop.getProperty(LGSYNC_USER_GROUP_NAME_ATTRIBUTE);
+ return val;
+ }
+
+ public String getUserNameCaseConversion() {
+ String ret = prop.getProperty(UGSYNC_USERNAME_CASE_CONVERSION_PARAM, DEFAULT_UGSYNC_USERNAME_CASE_CONVERSION_VALUE);
+ return ret.trim().toLowerCase();
+ }
+
+ public String getGroupNameCaseConversion() {
+ String ret = prop.getProperty(UGSYNC_GROUPNAME_CASE_CONVERSION_PARAM, DEFAULT_UGSYNC_GROUPNAME_CASE_CONVERSION_VALUE);
+ return ret.trim().toLowerCase();
+ }
+
+ public String getSearchBase() {
+ return prop.getProperty(LGSYNC_SEARCH_BASE);
+ }
+
+ public boolean isPagedResultsEnabled() {
+ boolean pagedResultsEnabled;
+ String val = prop.getProperty(LGSYNC_PAGED_RESULTS_ENABLED);
+ if (val == null || val.trim().isEmpty()) {
+ pagedResultsEnabled = DEFAULT_LGSYNC_PAGED_RESULTS_ENABLED;
+ } else {
+ pagedResultsEnabled = Boolean.valueOf(val);
+ }
+ return pagedResultsEnabled;
+ }
+
+ public int getPagedResultsSize() {
+ int pagedResultsSize;
+ String val = prop.getProperty(LGSYNC_PAGED_RESULTS_SIZE);
+ if (val == null || val.trim().isEmpty()) {
+ pagedResultsSize = DEFAULT_LGSYNC_PAGED_RESULTS_SIZE;
+ } else {
+ pagedResultsSize = Integer.parseInt(val);
+ }
+ if (pagedResultsSize < 1) {
+ pagedResultsSize = DEFAULT_LGSYNC_PAGED_RESULTS_SIZE;
+ }
+ return pagedResultsSize;
+ }
+
+ public boolean isGroupSearchEnabled() {
+ boolean groupSearchEnabled;
+ String val = prop.getProperty(LGSYNC_GROUP_SEARCH_ENABLED);
+ if (val == null || val.trim().isEmpty()) {
+ groupSearchEnabled = DEFAULT_LGSYNC_GROUP_SEARCH_ENABLED;
+ } else {
+ groupSearchEnabled = Boolean.valueOf(val);
+ }
+ return groupSearchEnabled;
+ }
+
+ public boolean isGroupUserMapSyncEnabled() {
+ boolean groupUserMapSyncEnabled;
+ String val = prop.getProperty(LGSYNC_GROUP_USER_MAP_SYNC_ENABLED);
+ if (val == null || val.trim().isEmpty()) {
+ groupUserMapSyncEnabled = DEFAULT_LGSYNC_GROUP_USER_MAP_SYNC_ENABLED;
+ } else {
+ groupUserMapSyncEnabled = Boolean.valueOf(val);
+ }
+ return groupUserMapSyncEnabled;
+ }
+
+ public String getGroupSearchBase() {
+ String val = prop.getProperty(LGSYNC_GROUP_SEARCH_BASE);
+ return val;
+ }
+
+ public int getGroupSearchScope() {
+ String val = prop.getProperty(LGSYNC_GROUP_SEARCH_SCOPE);
+ if (val == null || val.trim().isEmpty()) {
+ return 2; //subtree scope
+ }
+
+ val = val.trim().toLowerCase();
+ if (val.equals("0") || val.startsWith("base")) {
+ return 0; // object scope
+ } else if (val.equals("1") || val.startsWith("one")) {
+ return 1; // one level scope
+ } else {
+ return 2; // subtree scope
+ }
+ }
+
+ public String getGroupObjectClass() {
+ String val = prop.getProperty(LGSYNC_GROUP_OBJECT_CLASS);
+ return val;
+ }
+
+ public String getGroupSearchFilter() {
+ return prop.getProperty(LGSYNC_GROUP_SEARCH_FILTER);
+ }
+
+ public String getUserGroupMemberAttributeName() {
+ String val = prop.getProperty(LGSYNC_GROUP_MEMBER_ATTRIBUTE_NAME);
+ return val;
+ }
+
+ public String getGroupNameAttribute() {
+ String val = prop.getProperty(LGSYNC_GROUP_NAME_ATTRIBUTE);
+ return val;
+ }
+
+ public String getAuthenticationMethod() {
+ String val = prop.getProperty(AUTHENTICATION_METHOD);
+ return val;
+ }
+
+ public String getAdDomain() {
+ String val = prop.getProperty(AD_DOMAIN);
+ return val;
+ }
+
+ public String getUserDnPattern() {
+ String val = prop.getProperty(USER_DN_PATTERN);
+ return val;
+ }
+
+ public String getGroupRoleAttribute() {
+ String val = prop.getProperty(GROUP_ROLE_ATTRIBUTE);
+ return val;
+ }
+
+ public String getAuthGroupSearchBase() {
+ String val = prop.getProperty(GROUP_SEARCH_BASE);
+ return val;
+ }
+
+ public String getAuthGroupSearchFilter() {
+ String val = prop.getProperty(GROUP_SEARCH_FILTER);
+ return val;
+ }
+
+ public String getAuthUsername() {
+ return prop.getProperty(AUTH_USERNAME);
+ }
+
+ public String getAuthPassword() {
+ return prop.getProperty(AUTH_PASSWORD);
+ }
+
+ public void updateInputPropFile(String ldapUrl, String bindDn, String bindPassword,
+ String userSearchBase, String userSearchFilter,
+ String authUser, String authPass) {
+ try {
+ PropertiesConfiguration config = new PropertiesConfiguration(CONFIG_FILE);
+ // Update properties in memory and update the file as well
+ prop.setProperty(LGSYNC_LDAP_URL, ldapUrl);
+ prop.setProperty(LGSYNC_LDAP_BIND_DN, bindDn);
+ prop.setProperty(LGSYNC_LDAP_BIND_PASSWORD, bindPassword);
+ prop.setProperty(LGSYNC_USER_SEARCH_BASE, userSearchBase);
+ prop.setProperty(LGSYNC_USER_SEARCH_FILTER, userSearchFilter);
+ prop.setProperty(AUTH_USERNAME, authUser);
+ prop.setProperty(AUTH_PASSWORD, authPass);
+ config.setProperty(LGSYNC_LDAP_URL, ldapUrl);
+ config.setProperty(LGSYNC_LDAP_BIND_DN, bindDn);
+ config.setProperty(LGSYNC_LDAP_BIND_PASSWORD, bindPassword);
+ config.setProperty(LGSYNC_USER_SEARCH_BASE, userSearchBase);
+ config.setProperty(LGSYNC_USER_SEARCH_FILTER, userSearchFilter);
+ config.setProperty(AUTH_USERNAME, authUser);
+ config.setProperty(AUTH_PASSWORD, authPass);
+ config.save();
+ } catch (ConfigurationException e) {
+ System.out.println("Failed to update " + CONFIG_FILE + ": " + e);
+ }
+ }
+}
+
+
+
+
+
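Review bot: `updateInputPropFile` writes the LDAP bind password and the sample authentication password in clear text to the properties file via `config.setProperty(LGSYNC_LDAP_BIND_PASSWORD, bindPassword)` and `config.setProperty(AUTH_PASSWORD, authPass)`, while `LGSYNC_LDAP_BIND_KEYSTORE` and `LGSYNC_LDAP_BIND_ALIAS` are declared but never read and `getLdapBindPassword` carries an "update credential from keystore" comment it does not act on; either wire the bind password through the credential store those constants name, or state in the class Javadoc that the input file holds secrets and must be permission-restricted. The same method saves to the hard-coded `CONFIG_FILE` in the working directory rather than the path the constructor loaded from, so a run against any other input file reads one file and updates another; keeping the path (`this.configFile = configFile;` in the constructor, `new PropertiesConfiguration(this.configFile)` here) fixes that. Smaller points: the `prop == null` guard in `getLdapBindPassword` is dead because `prop` is initialised at its declaration, `getPagedResultsSize` lets `NumberFormatException` escape for a non-numeric value while every other malformed setting falls back to its default, and the commented-out copy of `getFileInputStream` should be deleted rather than kept.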
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5ce7cc38/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfigCheckMain.java
----------------------------------------------------------------------
diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfigCheckMain.java b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfigCheckMain.java
new file mode 100644
index 0000000..ad56b2e
--- /dev/null
+++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfigCheckMain.java
@@ -0,0 +1,241 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.ldapconfigcheck;
+
+import javax.naming.Context;
+import javax.naming.NamingException;
+import javax.naming.ldap.Control;
+import javax.naming.ldap.InitialLdapContext;
+import javax.naming.ldap.LdapContext;
+import javax.naming.ldap.PagedResultsControl;
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.PrintStream;
+import java.util.Properties;
+
+import org.apache.commons.lang.NullArgumentException;
+
+public class LdapConfigCheckMain {
+
+ private static final String LOG_FILE = "ldapConfigCheck.log";
+ private static final String AMBARI_PROPERTIES = "ambari.properties";
+ private static final String INSTALL_PROPERTIES = "install.properties";
+
+ public static void main(String[] args) {
+
+ CommandLineOptions cli = new CommandLineOptions(args);
+ cli.parse();
+ String inFileName = cli.getInput();
+ String outputDir = cli.getOutput();
+ if (!outputDir.endsWith("/")) {
+ outputDir = outputDir.concat("/");
+ }
+
+ LdapConfig config = new LdapConfig(inFileName);
+ if (cli.getLdapUrl() != null && !cli.getLdapUrl().isEmpty()) {
+ config.updateInputPropFile(cli.getLdapUrl(), cli.getBindDn(), cli.getBindPassword(),
+ cli.getUserSearchBase(), cli.getUserSearchFilter(), cli.getAuthUser(), cli.getAuthPass());
+ }
+
+ PrintStream logFile = null;
+ PrintStream ambariProps = null;
+ PrintStream installProps = null;
+ LdapContext ldapContext;
+
+ try {
+ logFile = new PrintStream(new File(outputDir + LOG_FILE));
+ ambariProps = new PrintStream(new File(outputDir + AMBARI_PROPERTIES));
+ installProps = new PrintStream(new File(outputDir + INSTALL_PROPERTIES));
+
+ UserSync userSyncObj = new UserSync(config, logFile, ambariProps, installProps);
+
+ String bindDn = config.getLdapBindDn();
+
+ Properties env = new Properties();
+ env.put(Context.INITIAL_CONTEXT_FACTORY,
+ "com.sun.jndi.ldap.LdapCtxFactory");
+ env.put(Context.PROVIDER_URL, config.getLdapUrl());
+ env.put(Context.SECURITY_PRINCIPAL, bindDn);
+ env.put(Context.SECURITY_CREDENTIALS, config.getLdapBindPassword());
+ env.put(Context.SECURITY_AUTHENTICATION, config.getLdapAuthenticationMechanism());
+ env.put(Context.REFERRAL, "follow");
+
+ ldapContext = new InitialLdapContext(env, null);
+
+ if (config.isPagedResultsEnabled()) {
+ ldapContext.setRequestControls(new Control[]{
+ new PagedResultsControl(config.getPagedResultsSize(), Control.CRITICAL) });
+ }
+
+ String retrieveValues = "all";
+
+ if (cli.getDiscoverProperties() != null) {
+ retrieveValues = cli.getDiscoverProperties();
+ if (cli.getDiscoverProperties().equalsIgnoreCase("users")) {
+ userSyncObj.findUserProperties(ldapContext);
+ } else if (cli.getDiscoverProperties().equalsIgnoreCase("groups")) {
+ userSyncObj.findGroupProperties(ldapContext);
+ } else {
+ findAllUserSyncProperties(ldapContext, userSyncObj);
+ }
+ }else if (cli.getRetrieveValues() != null){
+ retrieveValues = cli.getRetrieveValues();
+
+ } else {
+ cli.help();
+ }
+
+ if (cli.isAuthEnabled()) {
+ authenticate(userSyncObj, config, logFile, ambariProps, installProps);
+ }
+
+ retrieveUsersGroups(ldapContext, userSyncObj, retrieveValues);
+
+ if (ldapContext != null) {
+ ldapContext.close();
+ }
+
+ } catch (FileNotFoundException fe) {
+ System.out.println(fe.getMessage());
+ } catch (IOException ioe) {
+ logFile.println("ERROR: Failed while setting the paged results controls\n" + ioe);
+ } catch (NamingException ne) {
+ System.out.println("ERROR: Failed to perfom ldap bind. Please verify values for " +
+ "ranger.usersync.ldap.binddn and ranger.usersync.ldap.ldapbindpassword\n" + ne);
+ } catch (Throwable t) {
+ if (logFile != null) {
+ logFile.println("ERROR: Connection failed: " + t.getMessage());
+ } else {
+ System.out.println("ERROR: Connection failed: " + t.getMessage());
+ }
+ } finally {
+ if (logFile != null) {
+ logFile.close();
+ }
+ if (ambariProps != null) {
+ ambariProps.close();
+ }
+ if (installProps != null) {
+ installProps.close();
+ }
+ }
+ }
+
+ private static void findAllUserSyncProperties(LdapContext ldapContext, UserSync userSyncObj) throws Throwable {
+
+ userSyncObj.findUserProperties(ldapContext);
+ userSyncObj.findGroupProperties(ldapContext);
+ }
+
+ private static void authenticate(UserSync userSyncObj, LdapConfig config,
+ PrintStream logFile, PrintStream ambariProps,
+ PrintStream installProps) throws Throwable{
+ AuthenticationCheck auth = new AuthenticationCheck(config.getLdapUrl(), userSyncObj, logFile, ambariProps, installProps);
+
+ auth.discoverAuthProperties();
+
+ String msg;
+ if (config.getAuthUsername() == null || config.getAuthUsername().isEmpty()) {
+ msg = "ranger.admin.auth.sampleuser ";
+ throw new NullArgumentException(msg);
+ }
+
+ if (config.getAuthPassword() == null || config.getAuthPassword().isEmpty()) {
+ msg = "ranger.admin.auth.samplepassword ";
+ throw new NullArgumentException(msg);
+ }
+
+ if (auth.isAuthenticated(config.getLdapUrl(), config.getLdapBindDn(), config.getLdapBindPassword(),
+ config.getAuthUsername(), config.getAuthPassword())) {
+ logFile.println("INFO: Authentication verified successfully");
+ } else {
+ logFile.println("ERROR: Failed to authenticate " + config.getAuthUsername());
+ }
+ }
+
+ private static void retrieveUsersGroups(LdapContext ldapContext, UserSync userSyncObj,
+ String retrieve) throws Throwable {
+ String msg;
+ if (retrieve == null || userSyncObj == null || ldapContext == null) {
+ msg = "Input validation failed while retrieving Users or Groups";
+ throw new NullArgumentException(msg);
+ }
+
+ if (retrieve.equalsIgnoreCase("users")) {
+ retrieveUsers(ldapContext, userSyncObj);
+ } else if (retrieve.equalsIgnoreCase("groups")){
+ retrieveGroups(ldapContext, userSyncObj);
+ } else {
+ // retrieve both
+ retrieveUsers(ldapContext, userSyncObj);
+ retrieveGroups(ldapContext, userSyncObj);
+ }
+ }
+
+ private static void retrieveUsers(LdapContext ldapContext, UserSync userSyncObj) throws Throwable {
+ String msg;
+ if (userSyncObj.getUserNameAttribute() == null || userSyncObj.getUserNameAttribute().isEmpty()) {
+ msg = "ranger.usersync.ldap.user.nameattribute ";
+ throw new NullArgumentException(msg);
+ }
+ if (userSyncObj.getUserObjClassName() == null || userSyncObj.getUserObjClassName().isEmpty()) {
+ msg = "ranger.usersync.ldap.user.objectclass ";
+ throw new NullArgumentException(msg);
+ }
+ if (userSyncObj.getUserGroupMemberName() == null || userSyncObj.getUserGroupMemberName().isEmpty()) {
+ msg = "ranger.usersync.ldap.user.groupnameattribute ";
+ throw new NullArgumentException(msg);
+ }
+ if ((userSyncObj.getUserSearchBase() == null || userSyncObj.getUserSearchBase().isEmpty()) &&
+ (userSyncObj.getSearchBase() == null || userSyncObj.getSearchBase().isEmpty())) {
+ msg = "ranger.usersync.ldap.user.searchbase and " +
+ "ranger.usersync.ldap.searchBase ";
+ throw new NullArgumentException(msg);
+ }
+ userSyncObj.getAllUsers(ldapContext);
+ }
+
+ private static void retrieveGroups(LdapContext ldapContext, UserSync userSyncObj) throws Throwable {
+ String msg;
+ if (userSyncObj.getGroupNameAttrName() == null || userSyncObj.getGroupNameAttrName().isEmpty()) {
+ msg = "ranger.usersync.group.nameattribute ";
+ throw new NullArgumentException(msg);
+ }
+ if (userSyncObj.getGroupObjClassName() == null || userSyncObj.getGroupObjClassName().isEmpty()) {
+ msg = "ranger.usersync.group.objectclass ";
+ throw new NullArgumentException(msg);
+ }
+ if (userSyncObj.getUserGroupMemberName() == null || userSyncObj.getUserGroupMemberName().isEmpty()) {
+ msg = "ranger.usersync.group.memberattributename ";
+ throw new NullArgumentException(msg);
+ }
+ if ((userSyncObj.getGroupSearchBase() == null || userSyncObj.getGroupSearchBase().isEmpty()) &&
+ (userSyncObj.getSearchBase() == null || userSyncObj.getSearchBase().isEmpty())) {
+ msg = "ranger.usersync.group.searchbase and " +
+ "ranger.usersync.ldap.searchBase ";
+ throw new NullArgumentException(msg);
+ }
+ userSyncObj.getAllGroups(ldapContext);
+ }
+
+
+}
+
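Review bot: `ldapContext.close()` runs only on the success path at the end of the `try` in `main`, so any exception raised after the bind (the paged-results control, discovery, authentication, retrieval) leaves the bound connection open, and the `if (ldapContext != null)` guard there can never be false because the variable is assigned from a constructor. Declaring `LdapContext ldapContext = null;` and closing it in the `finally` beside the three streams fixes both; the rewritten lines are below. Separately, `env.put(Context.REFERRAL, "follow")` makes the JNDI provider re-bind with the same DN and password on whatever server a referral names, which deserves a comment such as `// referrals are followed with the configured bind credentials; only point this tool at trusted directories`. The `catch (Throwable t)` branch logs only `t.getMessage()`, which can be null for a `NamingException`, so the log would end with "Connection failed: null"; logging `t` itself keeps the cause.
```java
LdapContext ldapContext = null;
// … unchanged: stream setup, bind, discovery, authentication, retrieval …
} finally {
    if (ldapContext != null) {
        try {
            ldapContext.close();
        } catch (NamingException ignored) {
            // the context is being discarded; a close failure changes nothing for the caller
        }
    }
    // … unchanged: logFile / ambariProps / installProps close …
}
```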
[24/33] incubator-ranger git commit: Merge branch 'master' of
https://git-wip-us.apache.org/repos/asf/incubator-ranger
Posted by ma...@apache.org.
Merge branch 'master' of https://git-wip-us.apache.org/repos/asf/incubator-ranger
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/9474fe9d
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/9474fe9d
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/9474fe9d
Branch: refs/heads/tag-policy
Commit: 9474fe9d55e2e9a85923781fec88e1e3829c6224
Parents: 5ce7cc3 a2c4bb2
Author: Velmurugan Periasamy <ve...@apache.org>
Authored: Sat Oct 10 12:28:55 2015 -0400
Committer: Velmurugan Periasamy <ve...@apache.org>
Committed: Sat Oct 10 12:28:55 2015 -0400
----------------------------------------------------------------------
----------------------------------------------------------------------
[05/33] incubator-ranger git commit: RANGER-664:Ranger PolicyRefresh
REST Client timeout parameter should be configurable
Posted by ma...@apache.org.
RANGER-664:Ranger PolicyRefresh REST Client timeout parameter should be configurable
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/fe44eb02
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/fe44eb02
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/fe44eb02
Branch: refs/heads/tag-policy
Commit: fe44eb027a063739fd71d9936281338ed29285da
Parents: f33879b
Author: rmani <rm...@hortonworks.com>
Authored: Mon Sep 28 22:32:41 2015 -0700
Committer: rmani <rm...@hortonworks.com>
Committed: Mon Sep 28 22:32:41 2015 -0700
----------------------------------------------------------------------
.../admin/client/RangerAdminRESTClient.java | 12 ++++--
.../ranger/plugin/util/RangerRESTClient.java | 40 ++++++++++++++------
.../conf/ranger-hbase-security-changes.cfg | 3 ++
hbase-agent/conf/ranger-hbase-security.xml | 16 ++++++++
.../conf/ranger-hdfs-security-changes.cfg | 2 +
hdfs-agent/conf/ranger-hdfs-security.xml | 16 ++++++++
.../conf/ranger-hive-security-changes.cfg | 2 +
hive-agent/conf/ranger-hive-security.xml | 16 ++++++++
.../conf/ranger-knox-security-changes.cfg | 2 +
knox-agent/conf/ranger-knox-security.xml | 16 ++++++++
.../client/RangerAdminJersey2RESTClient.java | 8 ++++
.../conf/ranger-kafka-security-changes.cfg | 4 +-
plugin-kafka/conf/ranger-kafka-security.xml | 16 ++++++++
plugin-kms/conf/ranger-kms-security-changes.cfg | 4 +-
plugin-kms/conf/ranger-kms-security.xml | 16 ++++++++
.../conf/ranger-solr-security-changes.cfg | 4 +-
plugin-solr/conf/ranger-solr-security.xml | 16 ++++++++
.../conf/ranger-yarn-security-changes.cfg | 2 +
plugin-yarn/conf/ranger-yarn-security.xml | 16 ++++++++
.../conf/ranger-storm-security-changes.cfg | 4 +-
storm-agent/conf/ranger-storm-security.xml | 16 ++++++++
21 files changed, 211 insertions(+), 20 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fe44eb02/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
index f74bc6d..7f1c6b3 100644
--- a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
+++ b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
@@ -51,10 +51,12 @@ public class RangerAdminRESTClient implements RangerAdminClient {
this.serviceName = serviceName;
this.pluginId = restUtils.getPluginId(serviceName, appId);
- String url = RangerConfiguration.getInstance().get(propertyPrefix + ".policy.rest.url");
- String sslConfigFileName = RangerConfiguration.getInstance().get(propertyPrefix + ".policy.rest.ssl.config.file");
+ String url = RangerConfiguration.getInstance().get(propertyPrefix + ".policy.rest.url");
+ String sslConfigFileName = RangerConfiguration.getInstance().get(propertyPrefix + ".policy.rest.ssl.config.file");
+ int restClientConnTimeOutMs = RangerConfiguration.getInstance().getInt(propertyPrefix + ".policy.rest.client.connection.timeoutMs", 120 * 1000);
+ int restClientReadTimeOutMs = RangerConfiguration.getInstance().getInt(propertyPrefix + ".policy.rest.client.read.timeoutMs", 30 * 1000);
- init(url, sslConfigFileName);
+ init(url, sslConfigFileName, restClientConnTimeOutMs , restClientReadTimeOutMs);
}
@Override
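Review bot: The defaults `120 * 1000` and `30 * 1000` are now inlined magic numbers in the constructor while the same commit deletes the named constants `RANGER_POLICYMGR_CLIENT_CONNECTION_TIMEOUT` and `RANGER_POLICYMGR_CLIENT_READ_TIMEOUT` from RangerRESTClient; keeping a named default here, e.g. `private static final int DEFAULT_REST_CLIENT_CONN_TIMEOUT_MS = 120 * 1000;`, stops the two places drifting. The configured values are passed through unvalidated, and a zero or negative `timeoutMs` in the plugin configuration would presumably reach the Jersey client as-is, where 0 is conventionally "no timeout", so the policy refresh thread could block indefinitely on an unresponsive admin server; a lower-bound check that falls back to the default is worth adding. Minor style: the stray space before the comma in `init(url, sslConfigFileName, restClientConnTimeOutMs , restClientReadTimeOutMs)`. The constructor this hunk belongs to starts outside the hunk.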
@@ -142,12 +144,14 @@ public class RangerAdminRESTClient implements RangerAdminClient {
}
}
- private void init(String url, String sslConfigFileName) {
+ private void init(String url, String sslConfigFileName, int restClientConnTimeOutMs , int restClientReadTimeOutMs ) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerAdminRESTClient.init(" + url + ", " + sslConfigFileName + ")");
}
restClient = new RangerRESTClient(url, sslConfigFileName);
+ restClient.setRestClientConnTimeOutMs(restClientConnTimeOutMs);
+ restClient.setRestClientReadTimeOutMs(restClientReadTimeOutMs);
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerAdminRESTClient.init(" + url + ", " + sslConfigFileName + ")");
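Review bot: The debug lines around `restClient = new RangerRESTClient(url, sslConfigFileName)` still print only `url` and `sslConfigFileName`, so the effective timeouts never appear in the log that is the first thing read when a policy refresh hangs; extend the entry line to `LOG.debug("==> RangerAdminRESTClient.init(" + url + ", " + sslConfigFileName + ", " + restClientConnTimeOutMs + ", " + restClientReadTimeOutMs + ")");` and the matching `<==` line the same way. The end of `init` lies outside the hunk.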
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fe44eb02/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
index 46fab40..c311670 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
@@ -83,14 +83,11 @@ public class RangerRESTClient {
public static final String RANGER_SSL_TRUSTMANAGER_ALGO_TYPE = "SunX509" ;
public static final String RANGER_SSL_CONTEXT_ALGO_TYPE = "SSL" ;
- public static final int RANGER_POLICYMGR_CLIENT_CONNECTION_TIMEOUT = 120000;
- public static final int RANGER_POLICYMGR_CLIENT_READ_TIMEOUT = 30000;
-
- private String mUrl = null;
- private String mSslConfigFileName = null;
- private String mUsername = null;
- private String mPassword = null;
- private boolean mIsSSL = false;
+ private String mUrl = null;
+ private String mSslConfigFileName = null;
+ private String mUsername = null;
+ private String mPassword = null;
+ private boolean mIsSSL = false;
private String mKeyStoreURL = null;
private String mKeyStoreAlias = null;
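Review bot: Removing the public constants `RANGER_POLICYMGR_CLIENT_CONNECTION_TIMEOUT` and `RANGER_POLICYMGR_CLIENT_READ_TIMEOUT` is an API break for any caller that referenced them, and it also leaves the new fields `mRestClientConnTimeOutMs` / `mRestClientReadTimeOutMs` in the second hunk without an initial value, so every `RangerRESTClient` built through the no-arg constructor, or whose caller never invokes the setters, now reaches `client.setConnectTimeout(0)` / `client.setReadTimeout(0)` in the last hunk; in the Jersey client a zero timeout presumably means wait forever, so the previous 120 s / 30 s bound silently becomes unbounded for those callers. Keeping the constants and using them as the field initialisers, `private int mRestClientConnTimeOutMs = RANGER_POLICYMGR_CLIENT_CONNECTION_TIMEOUT;` and `private int mRestClientReadTimeOutMs = RANGER_POLICYMGR_CLIENT_READ_TIMEOUT;`, preserves the old behaviour for unchanged callers. The remaining lines of this hunk only re-indent existing fields.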
@@ -101,8 +98,11 @@ public class RangerRESTClient {
private String mTrustStoreFile = null;
private String mTrustStoreType = null;
- private Gson gsonBuilder = null;
- private volatile Client client = null;
+ private Gson gsonBuilder = null;
+ private volatile Client client = null;
+
+ private int mRestClientConnTimeOutMs;
+ private int mRestClientReadTimeOutMs;
public RangerRESTClient() {
this(RangerConfiguration.getInstance().get(RANGER_PROP_POLICYMGR_URL),
@@ -132,6 +132,22 @@ public class RangerRESTClient {
return mPassword;
}
+ public int getRestClientConnTimeOutMs() {
+ return mRestClientConnTimeOutMs;
+ }
+
+ public void setRestClientConnTimeOutMs(int mRestClientConnTimeOutMs) {
+ this.mRestClientConnTimeOutMs = mRestClientConnTimeOutMs;
+ }
+
+ public int getRestClientReadTimeOutMs() {
+ return mRestClientReadTimeOutMs;
+ }
+
+ public void setRestClientReadTimeOutMs(int mRestClientReadTimeOutMs) {
+ this.mRestClientReadTimeOutMs = mRestClientReadTimeOutMs;
+ }
+
public void setBasicAuthInfo(String username, String password) {
mUsername = username;
mPassword = password;
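Review bot: The setter parameters are named after the fields (`mRestClientConnTimeOutMs`, `mRestClientReadTimeOutMs`), so the body has to disambiguate with `this.` and the `m` field-prefix convention leaks into the public signature; name them `connTimeOutMs` / `readTimeOutMs`. The setters also accept any int, including negative values, which the Jersey client receives unchecked at the call site in the last hunk; rejecting them with `if (connTimeOutMs < 0) throw new IllegalArgumentException("connTimeOutMs must be >= 0: " + connTimeOutMs);` (and the same for the read timeout) keeps a malformed configuration from reaching the HTTP layer.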
@@ -202,8 +218,8 @@ public class RangerRESTClient {
}
// Set Connection Timeout and ReadTime for the PolicyRefresh
- client.setConnectTimeout(RANGER_POLICYMGR_CLIENT_CONNECTION_TIMEOUT);
- client.setReadTimeout(RANGER_POLICYMGR_CLIENT_READ_TIMEOUT);
+ client.setConnectTimeout(mRestClientConnTimeOutMs);
+ client.setReadTimeout(mRestClientReadTimeOutMs);
return client;
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fe44eb02/hbase-agent/conf/ranger-hbase-security-changes.cfg
----------------------------------------------------------------------
diff --git a/hbase-agent/conf/ranger-hbase-security-changes.cfg b/hbase-agent/conf/ranger-hbase-security-changes.cfg
index 9c74898..31505b3 100644
--- a/hbase-agent/conf/ranger-hbase-security-changes.cfg
+++ b/hbase-agent/conf/ranger-hbase-security-changes.cfg
@@ -24,5 +24,8 @@ ranger.plugin.hbase.policy.rest.url %POLICY_MGR_URL%
ranger.plugin.hbase.policy.rest.ssl.config.file /etc/hbase/conf/ranger-policymgr-ssl.xml mod create-if-not-exists
ranger.plugin.hbase.policy.pollIntervalMs 30000 mod create-if-not-exists
ranger.plugin.hbase.policy.cache.dir %POLICY_CACHE_FILE_PATH% mod create-if-not-exists
+ranger.plugin.hbase.policy.rest.client.connection.timeoutMs 120000 mod create-if-not-exists
+ranger.plugin.hbase.policy.rest.client.read.timeoutMs 30000 mod create-if-not-exists
+
xasecure.hbase.update.xapolicies.on.grant.revoke %UPDATE_XAPOLICIES_ON_GRANT_REVOKE% mod create-if-not-exists
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fe44eb02/hbase-agent/conf/ranger-hbase-security.xml
----------------------------------------------------------------------
diff --git a/hbase-agent/conf/ranger-hbase-security.xml b/hbase-agent/conf/ranger-hbase-security.xml
index 43d5d36..08716ea 100644
--- a/hbase-agent/conf/ranger-hbase-security.xml
+++ b/hbase-agent/conf/ranger-hbase-security.xml
@@ -72,4 +72,20 @@
Should HBase plugin update Ranger policies for updates to permissions done using GRANT/REVOKE?
</description>
</property>
+
+ <property>
+ <name>ranger.plugin.hbase.policy.rest.client.connection.timeoutMs</name>
+ <value>120000</value>
+ <description>
+ RangerRestClient Connection Timeout in Milli Seconds
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.hbase.policy.rest.client.read.timeoutMs</name>
+ <value>30000</value>
+ <description>
+ RangerRestClient read Timeout in Milli Seconds
+ </description>
+ </property>
</configuration>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fe44eb02/hdfs-agent/conf/ranger-hdfs-security-changes.cfg
----------------------------------------------------------------------
diff --git a/hdfs-agent/conf/ranger-hdfs-security-changes.cfg b/hdfs-agent/conf/ranger-hdfs-security-changes.cfg
index 4bdb08f..5639c17 100644
--- a/hdfs-agent/conf/ranger-hdfs-security-changes.cfg
+++ b/hdfs-agent/conf/ranger-hdfs-security-changes.cfg
@@ -24,3 +24,5 @@ ranger.plugin.hdfs.policy.rest.url %POLICY_MGR_URL%
ranger.plugin.hdfs.policy.rest.ssl.config.file /etc/hadoop/conf/ranger-policymgr-ssl.xml mod create-if-not-exists
ranger.plugin.hdfs.policy.pollIntervalMs 30000 mod create-if-not-exists
ranger.plugin.hdfs.policy.cache.dir %POLICY_CACHE_FILE_PATH% mod create-if-not-exists
+ranger.plugin.hdfs.policy.rest.client.connection.timeoutMs 120000 mod create-if-not-exists
+ranger.plugin.hdfs.policy.rest.client.read.timeoutMs 30000 mod create-if-not-exists
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fe44eb02/hdfs-agent/conf/ranger-hdfs-security.xml
----------------------------------------------------------------------
diff --git a/hdfs-agent/conf/ranger-hdfs-security.xml b/hdfs-agent/conf/ranger-hdfs-security.xml
index 37230b7..10409d9 100644
--- a/hdfs-agent/conf/ranger-hdfs-security.xml
+++ b/hdfs-agent/conf/ranger-hdfs-security.xml
@@ -65,6 +65,22 @@
</description>
</property>
+ <property>
+ <name>ranger.plugin.hdfs.policy.rest.client.connection.timeoutMs</name>
+ <value>120000</value>
+ <description>
+ Hdfs Plugin RangerRestClient Connection Timeout in Milli Seconds
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.hdfs.policy.rest.client.read.timeoutMs</name>
+ <value>30000</value>
+ <description>
+ Hdfs Plugin RangerRestClient read Timeout in Milli Seconds
+ </description>
+ </property>
+
<!-- The following fields are used to customize the audit logging feature -->
<!--
<property>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fe44eb02/hive-agent/conf/ranger-hive-security-changes.cfg
----------------------------------------------------------------------
diff --git a/hive-agent/conf/ranger-hive-security-changes.cfg b/hive-agent/conf/ranger-hive-security-changes.cfg
index 504bf7d..0e8d0d4 100644
--- a/hive-agent/conf/ranger-hive-security-changes.cfg
+++ b/hive-agent/conf/ranger-hive-security-changes.cfg
@@ -24,5 +24,7 @@ ranger.plugin.hive.policy.rest.url %POLICY_MGR_URL%
ranger.plugin.hive.policy.rest.ssl.config.file /etc/hive/conf/ranger-policymgr-ssl.xml mod create-if-not-exists
ranger.plugin.hive.policy.pollIntervalMs 30000 mod create-if-not-exists
ranger.plugin.hive.policy.cache.dir %POLICY_CACHE_FILE_PATH% mod create-if-not-exists
+ranger.plugin.hive.policy.rest.client.connection.timeoutMs 120000 mod create-if-not-exists
+ranger.plugin.hive.policy.rest.client.read.timeoutMs 30000 mod create-if-not-exists
xasecure.hive.update.xapolicies.on.grant.revoke %UPDATE_XAPOLICIES_ON_GRANT_REVOKE% mod create-if-not-exists
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fe44eb02/hive-agent/conf/ranger-hive-security.xml
----------------------------------------------------------------------
diff --git a/hive-agent/conf/ranger-hive-security.xml b/hive-agent/conf/ranger-hive-security.xml
index 010debc..3a5fc54 100644
--- a/hive-agent/conf/ranger-hive-security.xml
+++ b/hive-agent/conf/ranger-hive-security.xml
@@ -70,4 +70,20 @@
<value>true</value>
<description>Should Hive plugin update Ranger policies for updates to permissions done using GRANT/REVOKE?</description>
</property>
+
+ <property>
+ <name>ranger.plugin.hive.policy.rest.client.connection.timeoutMs</name>
+ <value>120000</value>
+ <description>
+ RangerRestClient Connection Timeout in Milli Seconds
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.hive.policy.rest.client.read.timeoutMs</name>
+ <value>30000</value>
+ <description>
+ RangerRestClient read Timeout in Milli Seconds
+ </description>
+ </property>
</configuration>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fe44eb02/knox-agent/conf/ranger-knox-security-changes.cfg
----------------------------------------------------------------------
diff --git a/knox-agent/conf/ranger-knox-security-changes.cfg b/knox-agent/conf/ranger-knox-security-changes.cfg
index 8fb8a7b..db702e5 100644
--- a/knox-agent/conf/ranger-knox-security-changes.cfg
+++ b/knox-agent/conf/ranger-knox-security-changes.cfg
@@ -22,3 +22,5 @@ ranger.plugin.knox.policy.rest.url %POLICY_MGR_URL%
ranger.plugin.knox.policy.rest.ssl.config.file /etc/knox/conf/ranger-policymgr-ssl.xml mod create-if-not-exists
ranger.plugin.knox.policy.pollIntervalMs 30000 mod create-if-not-exists
ranger.plugin.knox.policy.cache.dir %POLICY_CACHE_FILE_PATH% mod create-if-not-exists
+ranger.plugin.knox.policy.rest.client.connection.timeoutMs 120000 mod create-if-not-exists
+ranger.plugin.knox.policy.rest.client.read.timeoutMs 30000 mod create-if-not-exists
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fe44eb02/knox-agent/conf/ranger-knox-security.xml
----------------------------------------------------------------------
diff --git a/knox-agent/conf/ranger-knox-security.xml b/knox-agent/conf/ranger-knox-security.xml
index 8e442e9..e152671 100644
--- a/knox-agent/conf/ranger-knox-security.xml
+++ b/knox-agent/conf/ranger-knox-security.xml
@@ -65,4 +65,20 @@
Directory where Ranger policies are cached after successful retrieval from the source
</description>
</property>
+
+ <property>
+ <name>ranger.plugin.knox.policy.rest.client.connection.timeoutMs</name>
+ <value>120000</value>
+ <description>
+ RangerRestClient Connection Timeout in Milli Seconds
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.knox.policy.rest.client.read.timeoutMs</name>
+ <value>30000</value>
+ <description>
+ RangerRestClient read Timeout in Milli Seconds
+ </description>
+ </property>
</configuration>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fe44eb02/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
----------------------------------------------------------------------
diff --git a/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java b/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
index a8020a5..c087f25 100644
--- a/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
+++ b/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
@@ -33,10 +33,12 @@ import javax.ws.rs.core.Response;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.security.AccessControlException;
+import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
import org.apache.ranger.plugin.util.GrantRevokeRequest;
import org.apache.ranger.plugin.util.RangerRESTUtils;
import org.apache.ranger.plugin.util.RangerSslHelper;
import org.apache.ranger.plugin.util.ServicePolicies;
+import org.glassfish.jersey.client.ClientProperties;
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
@@ -59,6 +61,8 @@ public class RangerAdminJersey2RESTClient implements RangerAdminClient {
String _sslConfigFileName = null;
String _serviceName = null;
String _pluginId = null;
+ int _restClientConnTimeOutMs;
+ int _restClientReadTimeOutMs;
@Override
@@ -72,10 +76,14 @@ public class RangerAdminJersey2RESTClient implements RangerAdminClient {
_baseUrl = _utils.getPolicyRestUrl(configPropertyPrefix);
_sslConfigFileName = _utils.getSsslConfigFileName(configPropertyPrefix);
_isSSL = _utils.isSsl(_baseUrl);
+ _restClientConnTimeOutMs = RangerConfiguration.getInstance().getInt(configPropertyPrefix + ".policy.rest.client.connection.timeoutMs", 120 * 1000);
+ _restClientReadTimeOutMs = RangerConfiguration.getInstance().getInt(configPropertyPrefix + ".policy.rest.client.read.timeoutMs", 30 * 1000);
LOG.info("Init params: " + String.format("Base URL[%s], SSL Congig filename[%s], ServiceName=[%s]", _baseUrl, _sslConfigFileName, _serviceName));
_client = getClient();
+ _client.property(ClientProperties.CONNECT_TIMEOUT, _restClientConnTimeOutMs);
+ _client.property(ClientProperties.READ_TIMEOUT, _restClientReadTimeOutMs);
if(LOG.isDebugEnabled()) {
LOG.debug("<== RangerAdminJersey2RESTClient.init(" + configPropertyPrefix + "): " + _client.toString());
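Review bot: The values read via `getInt(... ".policy.rest.client.connection.timeoutMs", 120 * 1000)` are applied to `ClientProperties.CONNECT_TIMEOUT`/`READ_TIMEOUT` without any range check, so a misconfigured `0` or negative value in the plugin config silently turns into an unbounded wait on the policy-manager connection rather than an error. Consider clamping at the read site, e.g. `if (_restClientConnTimeOutMs <= 0) { _restClientConnTimeOutMs = 120 * 1000; }` (and likewise for read), or at least logging the effective values. The `"Init params: ..."` log line on the preceding line still omits the two timeouts, which would make a hang much easier to diagnose. `init()` continues outside this hunk.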
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fe44eb02/plugin-kafka/conf/ranger-kafka-security-changes.cfg
----------------------------------------------------------------------
diff --git a/plugin-kafka/conf/ranger-kafka-security-changes.cfg b/plugin-kafka/conf/ranger-kafka-security-changes.cfg
index fe36616..a43eb23 100644
--- a/plugin-kafka/conf/ranger-kafka-security-changes.cfg
+++ b/plugin-kafka/conf/ranger-kafka-security-changes.cfg
@@ -21,6 +21,8 @@ ranger.plugin.kafka.service.name %REPOSITORY_NAME% mod create-if-not-exists
ranger.plugin.kafka.policy.source.impl org.apache.ranger.admin.client.RangerAdminRESTClient mod create-if-not-exists
ranger.plugin.kafka.policy.rest.url %POLICY_MGR_URL% mod create-if-not-exists
-ranger.plugin.kafka.policy.rest.ssl.config.file /etc/kafka/conf/ranger-policymgr-ssl.xml mod create-if-not-exists
+ranger.plugin.kafka.policy.rest.ssl.config.file /etc/kafka/conf/ranger-policymgr-ssl.xml mod create-if-not-exists
ranger.plugin.kafka.policy.pollIntervalMs 30000 mod create-if-not-exists
ranger.plugin.kafka.policy.cache.dir %POLICY_CACHE_FILE_PATH% mod create-if-not-exists
+ranger.policy.rest.client.connection.timeoutMs 120000 mod create-if-not-exists
+ranger.policy.rest.client.read.timeoutMs 30000 mod create-if-not-exists
\ No newline at end of file
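Review bot: The two keys added here, `ranger.policy.rest.client.connection.timeoutMs` and `ranger.policy.rest.client.read.timeoutMs`, are missing the `plugin.kafka` segment that every other property in this file and the companion `ranger-kafka-security.xml` in this commit carry (`ranger.plugin.kafka.policy.rest.client.connection.timeoutMs`). The client code in this commit looks the value up as `configPropertyPrefix + ".policy.rest.client.connection.timeoutMs"`, so the values written by the installer under these names would never be read and the built-in defaults would apply regardless of what an operator configures. The lines should read `ranger.plugin.kafka.policy.rest.client.connection.timeoutMs 120000 mod create-if-not-exists` and `ranger.plugin.kafka.policy.rest.client.read.timeoutMs 30000 mod create-if-not-exists`.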
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fe44eb02/plugin-kafka/conf/ranger-kafka-security.xml
----------------------------------------------------------------------
diff --git a/plugin-kafka/conf/ranger-kafka-security.xml b/plugin-kafka/conf/ranger-kafka-security.xml
index b11a71a..2c06f5c 100644
--- a/plugin-kafka/conf/ranger-kafka-security.xml
+++ b/plugin-kafka/conf/ranger-kafka-security.xml
@@ -64,4 +64,20 @@
Directory where Ranger policies are cached after successful retrieval from the source
</description>
</property>
+
+ <property>
+ <name>ranger.plugin.kafka.policy.rest.client.connection.timeoutMs</name>
+ <value>120000</value>
+ <description>
+ RangerRestClient Connection Timeout in Milli Seconds
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.kafka.policy.rest.client.read.timeoutMs</name>
+ <value>30000</value>
+ <description>
+ RangerRestClient read Timeout in Milli Seconds
+ </description>
+ </property>
</configuration>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fe44eb02/plugin-kms/conf/ranger-kms-security-changes.cfg
----------------------------------------------------------------------
diff --git a/plugin-kms/conf/ranger-kms-security-changes.cfg b/plugin-kms/conf/ranger-kms-security-changes.cfg
index fdd1723..f4779ac 100644
--- a/plugin-kms/conf/ranger-kms-security-changes.cfg
+++ b/plugin-kms/conf/ranger-kms-security-changes.cfg
@@ -21,6 +21,8 @@ ranger.plugin.kms.service.name %REPOSITORY_NAME% mod create-if-not-exists
ranger.plugin.kms.policy.source.impl org.apache.ranger.admin.client.RangerAdminRESTClient mod create-if-not-exists
ranger.plugin.kms.policy.rest.url %POLICY_MGR_URL% mod create-if-not-exists
-ranger.plugin.kms.policy.rest.ssl.config.file /etc/kms/conf/ranger-policymgr-ssl.xml mod create-if-not-exists
+ranger.plugin.kms.policy.rest.ssl.config.file /etc/kms/conf/ranger-policymgr-ssl.xml mod create-if-not-exists
ranger.plugin.kms.policy.pollIntervalMs 30000 mod create-if-not-exists
ranger.plugin.kms.policy.cache.dir %POLICY_CACHE_FILE_PATH% mod create-if-not-exists
+ranger.plugin.kms.policy.rest.client.connection.timeoutMs 120000 mod create-if-not-exists
+ranger.plugin.kms.policy.rest.client.read.timeoutMs 30000 mod create-if-not-exists
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fe44eb02/plugin-kms/conf/ranger-kms-security.xml
----------------------------------------------------------------------
diff --git a/plugin-kms/conf/ranger-kms-security.xml b/plugin-kms/conf/ranger-kms-security.xml
index 3aae5f1..a22e6cb 100755
--- a/plugin-kms/conf/ranger-kms-security.xml
+++ b/plugin-kms/conf/ranger-kms-security.xml
@@ -64,4 +64,20 @@
Directory where Ranger policies are cached after successful retrieval from the source
</description>
</property>
+
+ <property>
+ <name>ranger.plugin.kms.policy.rest.client.connection.timeoutMs</name>
+ <value>120000</value>
+ <description>
+ RangerRestClient Connection Timeout in Milli Seconds
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.kms.policy.rest.client.read.timeoutMs</name>
+ <value>30000</value>
+ <description>
+ RangerRestClient read Timeout in Milli Seconds
+ </description>
+ </property>
</configuration>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fe44eb02/plugin-solr/conf/ranger-solr-security-changes.cfg
----------------------------------------------------------------------
diff --git a/plugin-solr/conf/ranger-solr-security-changes.cfg b/plugin-solr/conf/ranger-solr-security-changes.cfg
index ed8a509..7ab518a 100644
--- a/plugin-solr/conf/ranger-solr-security-changes.cfg
+++ b/plugin-solr/conf/ranger-solr-security-changes.cfg
@@ -21,6 +21,8 @@ ranger.plugin.solr.service.name %REPOSITORY_NAME% mod create-if-not-exists
ranger.plugin.solr.policy.source.impl org.apache.ranger.admin.client.RangerAdminRESTClient mod create-if-not-exists
ranger.plugin.solr.policy.rest.url %POLICY_MGR_URL% mod create-if-not-exists
-ranger.plugin.solr.policy.rest.ssl.config.file /etc/solr/conf/ranger-policymgr-ssl.xml mod create-if-not-exists
+ranger.plugin.solr.policy.rest.ssl.config.file /etc/solr/conf/ranger-policymgr-ssl.xml mod create-if-not-exists
ranger.plugin.solr.policy.pollIntervalMs 30000 mod create-if-not-exists
ranger.plugin.solr.policy.cache.dir %POLICY_CACHE_FILE_PATH% mod create-if-not-exists
+ranger.plugin.solr.policy.rest.client.connection.timeoutMs 120000 mod create-if-not-exists
+ranger.plugin.solr.policy.rest.client.read.timeoutMs 30000 mod create-if-not-exists
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fe44eb02/plugin-solr/conf/ranger-solr-security.xml
----------------------------------------------------------------------
diff --git a/plugin-solr/conf/ranger-solr-security.xml b/plugin-solr/conf/ranger-solr-security.xml
index c865749..9e63a08 100644
--- a/plugin-solr/conf/ranger-solr-security.xml
+++ b/plugin-solr/conf/ranger-solr-security.xml
@@ -64,4 +64,20 @@
Directory where Ranger policies are cached after successful retrieval from the source
</description>
</property>
+
+ <property>
+ <name>ranger.policy.rest.client.connection.timeoutMs</name>
+ <value>120000</value>
+ <description>
+ RangerRestClient Connection Timeout in Milli Seconds
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.policy.rest.client.read.timeoutMs</name>
+ <value>30000</value>
+ <description>
+ RangerRestClient read Timeout in Milli Seconds
+ </description>
+ </property>
</configuration>
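Review bot: The property names `ranger.policy.rest.client.connection.timeoutMs` and `ranger.policy.rest.client.read.timeoutMs` in this file disagree with the Solr `-changes.cfg` in the same commit, which uses `ranger.plugin.solr.policy.rest.client.connection.timeoutMs` / `...read.timeoutMs`, and with the prefix-based lookup the client code uses. As written, the values in this XML would not be picked up and only the hard-coded defaults would apply. Rename both `<name>` elements to the `ranger.plugin.solr.policy.rest.client.*` form so the two files and the code agree.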
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fe44eb02/plugin-yarn/conf/ranger-yarn-security-changes.cfg
----------------------------------------------------------------------
diff --git a/plugin-yarn/conf/ranger-yarn-security-changes.cfg b/plugin-yarn/conf/ranger-yarn-security-changes.cfg
index 87fa972..d1c7308 100644
--- a/plugin-yarn/conf/ranger-yarn-security-changes.cfg
+++ b/plugin-yarn/conf/ranger-yarn-security-changes.cfg
@@ -24,3 +24,5 @@ ranger.plugin.yarn.policy.rest.url %POLICY_MGR_URL%
ranger.plugin.yarn.policy.rest.ssl.config.file /etc/hadoop/conf/ranger-policymgr-ssl.xml mod create-if-not-exists
ranger.plugin.yarn.policy.pollIntervalMs 30000 mod create-if-not-exists
ranger.plugin.yarn.policy.cache.dir %POLICY_CACHE_FILE_PATH% mod create-if-not-exists
+ranger.plugin.yarn.policy.rest.client.connection.timeoutMs 120000 mod create-if-not-exists
+ranger.plugin.yarn.policy.rest.client.read.timeoutMs 30000 mod create-if-not-exists
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fe44eb02/plugin-yarn/conf/ranger-yarn-security.xml
----------------------------------------------------------------------
diff --git a/plugin-yarn/conf/ranger-yarn-security.xml b/plugin-yarn/conf/ranger-yarn-security.xml
index f6e37f8..bb7467d 100644
--- a/plugin-yarn/conf/ranger-yarn-security.xml
+++ b/plugin-yarn/conf/ranger-yarn-security.xml
@@ -64,4 +64,20 @@
Directory where Ranger policies are cached after successful retrieval from the source
</description>
</property>
+
+ <property>
+ <name>ranger.plugin.yarn.policy.rest.client.connection.timeoutMs</name>
+ <value>120000</value>
+ <description>
+ RangerRestClient Connection Timeout in Milli Seconds
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.yarn.policy.rest.client.read.timeoutMs</name>
+ <value>30000</value>
+ <description>
+ RangerRestClient read Timeout in Milli Seconds
+ </description>
+ </property>
</configuration>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fe44eb02/storm-agent/conf/ranger-storm-security-changes.cfg
----------------------------------------------------------------------
diff --git a/storm-agent/conf/ranger-storm-security-changes.cfg b/storm-agent/conf/ranger-storm-security-changes.cfg
index 9d3ca13..9e84c77 100644
--- a/storm-agent/conf/ranger-storm-security-changes.cfg
+++ b/storm-agent/conf/ranger-storm-security-changes.cfg
@@ -21,6 +21,8 @@ ranger.plugin.storm.service.name %REPOSITORY_NAME% mod create-if-not-exists
ranger.plugin.storm.policy.source.impl org.apache.ranger.admin.client.RangerAdminRESTClient mod create-if-not-exists
ranger.plugin.storm.policy.rest.url %POLICY_MGR_URL% mod create-if-not-exists
-ranger.plugin.storm.policy.rest.ssl.config.file /etc/storm/conf/ranger-policymgr-ssl.xml mod create-if-not-exists
+ranger.plugin.storm.policy.rest.ssl.config.file /etc/storm/conf/ranger-policymgr-ssl.xml mod create-if-not-exists
ranger.plugin.storm.policy.pollIntervalMs 30000 mod create-if-not-exists
ranger.plugin.storm.policy.cache.dir %POLICY_CACHE_FILE_PATH% mod create-if-not-exists
+ranger.plugin.storm.policy.rest.client.connection.timeoutMs 120000 mod create-if-not-exists
+ranger.plugin.storm.policy.rest.client.read.timeoutMs 30000 mod create-if-not-exists
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fe44eb02/storm-agent/conf/ranger-storm-security.xml
----------------------------------------------------------------------
diff --git a/storm-agent/conf/ranger-storm-security.xml b/storm-agent/conf/ranger-storm-security.xml
index 9126fc9..e9e7ea9 100644
--- a/storm-agent/conf/ranger-storm-security.xml
+++ b/storm-agent/conf/ranger-storm-security.xml
@@ -64,4 +64,20 @@
Directory where Ranger policies are cached after successful retrieval from the source
</description>
</property>
+
+ <property>
+ <name>ranger.plugin.storm.policy.rest.client.connection.timeoutMs</name>
+ <value>120000</value>
+ <description>
+ RangerRestClient Connection Timeout in Milli Seconds
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.storm.policy.rest.client.read.timeoutMs</name>
+ <value>30000</value>
+ <description>
+ RangerRestClient read Timeout in Milli Seconds
+ </description>
+ </property>
</configuration>
[09/33] incubator-ranger git commit: RANGER-266: Creating index data
folder during setup.sh
Posted by ma...@apache.org.
RANGER-266: Creating index data folder during setup.sh
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/5872445a
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/5872445a
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/5872445a
Branch: refs/heads/tag-policy
Commit: 5872445a064df2e393459cc7657a7e8844d74f3d
Parents: c5ae2ed
Author: Don Bosco Durai <bo...@apache.org>
Authored: Sun Sep 27 11:24:51 2015 +0200
Committer: Don Bosco Durai <bo...@apache.org>
Committed: Thu Oct 1 11:00:55 2015 -0700
----------------------------------------------------------------------
security-admin/contrib/solr_for_audit_setup/setup.sh | 4 ++++
1 file changed, 4 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5872445a/security-admin/contrib/solr_for_audit_setup/setup.sh
----------------------------------------------------------------------
diff --git a/security-admin/contrib/solr_for_audit_setup/setup.sh b/security-admin/contrib/solr_for_audit_setup/setup.sh
index 11d5501..9032931 100755
--- a/security-admin/contrib/solr_for_audit_setup/setup.sh
+++ b/security-admin/contrib/solr_for_audit_setup/setup.sh
@@ -298,6 +298,10 @@ if [ $is_root -eq 1 ]; then
chown -R $SOLR_USER:$SOLR_USER $SOLR_RANGER_HOME
mkdir -p $SOLR_LOG_FOLDER
chown -R $SOLR_USER:$SOLR_USER $SOLR_LOG_FOLDER
+ if [ "$SOLR_DEPLOYMENT" = "standalone" ]; then
+ mkdir -p $SOLR_RANGER_DATA_FOLDER
+ chown -R $SOLR_USER:$SOLR_USER $SOLR_RANGER_DATA_FOLDER
+ fi
else
chown -R $SOLR_USER:$SOLR_USER $SOLR_RANGER_HOME
fi
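Review bot: The new `mkdir -p $SOLR_RANGER_DATA_FOLDER` and `chown -R $SOLR_USER:$SOLR_USER $SOLR_RANGER_DATA_FOLDER` run in the root-only branch with the variable unquoted and unchecked, so an unset or empty `SOLR_RANGER_DATA_FOLDER` produces a failed `mkdir` and an `chown` with no operand, and a value containing whitespace would be split into several paths for a recursive root chown. A guard before the block, `if [ -z "$SOLR_RANGER_DATA_FOLDER" ]; then echo "SOLR_RANGER_DATA_FOLDER is not set"; exit 1; fi`, plus quoting both uses, `mkdir -p "$SOLR_RANGER_DATA_FOLDER"` and `chown -R "$SOLR_USER:$SOLR_USER" "$SOLR_RANGER_DATA_FOLDER"`, closes this. The surrounding lines appear to follow the same unquoted pattern, so this is consistent with the file but worth tightening while it is being touched; the enclosing `if [ $is_root -eq 1 ]` block starts outside the hunk.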
[11/33] incubator-ranger git commit: RANGER-266: Solr configuration
and setup files and documentation
Posted by ma...@apache.org.
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c5ae2edd/security-admin/contrib/solr_for_audit_setup/conf/solrconfig.xml
----------------------------------------------------------------------
diff --git a/security-admin/contrib/solr_for_audit_setup/conf/solrconfig.xml b/security-admin/contrib/solr_for_audit_setup/conf/solrconfig.xml
new file mode 100644
index 0000000..0991eba
--- /dev/null
+++ b/security-admin/contrib/solr_for_audit_setup/conf/solrconfig.xml
@@ -0,0 +1,1865 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<!--
+ For more details about configurations options that may appear in
+ this file, see http://wiki.apache.org/solr/SolrConfigXml.
+-->
+<config>
+ <!-- In all configuration below, a prefix of "solr." for class names
+ is an alias that causes solr to search appropriate packages,
+ including org.apache.solr.(search|update|request|core|analysis)
+
+ You may also specify a fully qualified Java classname if you
+ have your own custom plugins.
+ -->
+
+ <!-- Controls what version of Lucene various components of Solr
+ adhere to. Generally, you want to use the latest version to
+ get all bug fixes and improvements. It is highly recommended
+ that you fully re-index after changing this setting as it can
+ affect both how text is indexed and queried.
+ -->
+ <luceneMatchVersion>5.0.0</luceneMatchVersion>
+
+ <!-- <lib/> directives can be used to instruct Solr to load any Jars
+ identified and use them to resolve any "plugins" specified in
+ your solrconfig.xml or schema.xml (ie: Analyzers, Request
+ Handlers, etc...).
+
+ All directories and paths are resolved relative to the
+ instanceDir.
+
+ Please note that <lib/> directives are processed in the order
+ that they appear in your solrconfig.xml file, and are "stacked"
+ on top of each other when building a ClassLoader - so if you have
+ plugin jars with dependencies on other jars, the "lower level"
+ dependency jars should be loaded first.
+
+ If a "./lib" directory exists in your instanceDir, all files
+ found in it are included as if you had used the following
+ syntax...
+
+ <lib dir="./lib" />
+ -->
+
+ <!-- A 'dir' option by itself adds any files found in the directory
+ to the classpath, this is useful for including all jars in a
+ directory.
+
+ When a 'regex' is specified in addition to a 'dir', only the
+ files in that directory which completely match the regex
+ (anchored on both ends) will be included.
+
+ If a 'dir' option (with or without a regex) is used and nothing
+ is found that matches, a warning will be logged.
+
+ The examples below can be used to load some solr-contribs along
+ with their external dependencies.
+ -->
+ <lib dir="${solr.install.dir:../../../..}/dist/" regex="solr-dataimporthandler-.*\.jar" />
+
+ <lib dir="${solr.install.dir:../../../..}/contrib/extraction/lib" regex=".*\.jar" />
+ <lib dir="${solr.install.dir:../../../..}/dist/" regex="solr-cell-\d.*\.jar" />
+
+ <lib dir="${solr.install.dir:../../../..}/contrib/clustering/lib/" regex=".*\.jar" />
+ <lib dir="${solr.install.dir:../../../..}/dist/" regex="solr-clustering-\d.*\.jar" />
+
+ <lib dir="${solr.install.dir:../../../..}/contrib/langid/lib/" regex=".*\.jar" />
+ <lib dir="${solr.install.dir:../../../..}/dist/" regex="solr-langid-\d.*\.jar" />
+
+ <lib dir="${solr.install.dir:../../../..}/contrib/velocity/lib" regex=".*\.jar" />
+ <lib dir="${solr.install.dir:../../../..}/dist/" regex="solr-velocity-\d.*\.jar" />
+
+ <!-- an exact 'path' can be used instead of a 'dir' to specify a
+ specific jar file. This will cause a serious error to be logged
+ if it can't be loaded.
+ -->
+ <!--
+ <lib path="../a-jar-that-does-not-exist.jar" />
+ -->
+
+ <!-- Data Directory
+
+ Used to specify an alternate directory to hold all index data
+ other than the default ./data under the Solr home. If
+ replication is in use, this should match the replication
+ configuration.
+ -->
+ <dataDir>${solr.data.dir:}</dataDir>
+
+
+ <!-- The DirectoryFactory to use for indexes.
+
+ solr.StandardDirectoryFactory is filesystem
+ based and tries to pick the best implementation for the current
+ JVM and platform. solr.NRTCachingDirectoryFactory, the default,
+ wraps solr.StandardDirectoryFactory and caches small files in memory
+ for better NRT performance.
+
+ One can force a particular implementation via solr.MMapDirectoryFactory,
+ solr.NIOFSDirectoryFactory, or solr.SimpleFSDirectoryFactory.
+
+ solr.RAMDirectoryFactory is memory based, not
+ persistent, and doesn't work with replication.
+ -->
+ <directoryFactory name="DirectoryFactory"
+ class="${solr.directoryFactory:solr.NRTCachingDirectoryFactory}">
+
+
+ <!-- These will be used if you are using the solr.HdfsDirectoryFactory,
+ otherwise they will be ignored. If you don't plan on using hdfs,
+ you can safely remove this section. -->
+ <!-- The root directory that collection data should be written to. -->
+ <str name="solr.hdfs.home">${solr.hdfs.home:}</str>
+ <!-- The hadoop configuration files to use for the hdfs client. -->
+ <str name="solr.hdfs.confdir">${solr.hdfs.confdir:}</str>
+ <!-- Enable/Disable the hdfs cache. -->
+ <str name="solr.hdfs.blockcache.enabled">${solr.hdfs.blockcache.enabled:true}</str>
+ <!-- Enable/Disable using one global cache for all SolrCores.
+ The settings used will be from the first HdfsDirectoryFactory created. -->
+ <str name="solr.hdfs.blockcache.global">${solr.hdfs.blockcache.global:true}</str>
+
+ </directoryFactory>
+
+ <!-- The CodecFactory for defining the format of the inverted index.
+ The default implementation is SchemaCodecFactory, which is the official Lucene
+ index format, but hooks into the schema to provide per-field customization of
+ the postings lists and per-document values in the fieldType element
+ (postingsFormat/docValuesFormat). Note that most of the alternative implementations
+ are experimental, so if you choose to customize the index format, it's a good
+ idea to convert back to the official format e.g. via IndexWriter.addIndexes(IndexReader)
+ before upgrading to a newer version to avoid unnecessary reindexing.
+ -->
+ <codecFactory class="solr.SchemaCodecFactory"/>
+
+ <!-- To enable dynamic schema REST APIs, use the following for <schemaFactory>: -->
+
+ <schemaFactory class="ManagedIndexSchemaFactory">
+ <bool name="mutable">true</bool>
+ <str name="managedSchemaResourceName">managed-schema</str>
+ </schemaFactory>
+<!--
+ When ManagedIndexSchemaFactory is specified, Solr will load the schema from
+ the resource named in 'managedSchemaResourceName', rather than from schema.xml.
+ Note that the managed schema resource CANNOT be named schema.xml. If the managed
+ schema does not exist, Solr will create it after reading schema.xml, then rename
+ 'schema.xml' to 'schema.xml.bak'.
+
+ Do NOT hand edit the managed schema - external modifications will be ignored and
+ overwritten as a result of schema modification REST API calls.
+
+ When ManagedIndexSchemaFactory is specified with mutable = true, schema
+ modification REST API calls will be allowed; otherwise, error responses will be
+ sent back for these requests.
+
+ <schemaFactory class="ClassicIndexSchemaFactory"/>
+ -->
+
+ <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Index Config - These settings control low-level behavior of indexing
+ Most example settings here show the default value, but are commented
+ out, to more easily see where customizations have been made.
+
+ Note: This replaces <indexDefaults> and <mainIndex> from older versions
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
+ <indexConfig>
+ <!-- maxFieldLength was removed in 4.0. To get similar behavior, include a
+ LimitTokenCountFilterFactory in your fieldType definition. E.g.
+ <filter class="solr.LimitTokenCountFilterFactory" maxTokenCount="10000"/>
+ -->
+ <!-- Maximum time to wait for a write lock (ms) for an IndexWriter. Default: 1000 -->
+ <!-- <writeLockTimeout>1000</writeLockTimeout> -->
+
+ <!-- The maximum number of simultaneous threads that may be
+ indexing documents at once in IndexWriter; if more than this
+ many threads arrive they will wait for others to finish.
+ Default in Solr/Lucene is 8. -->
+ <!-- <maxIndexingThreads>8</maxIndexingThreads> -->
+
+ <!-- Expert: Enabling compound file will use less files for the index,
+ using fewer file descriptors on the expense of performance decrease.
+ Default in Lucene is "true". Default in Solr is "false" (since 3.6) -->
+ <!-- <useCompoundFile>false</useCompoundFile> -->
+
+ <!-- ramBufferSizeMB sets the amount of RAM that may be used by Lucene
+ indexing for buffering added documents and deletions before they are
+ flushed to the Directory.
+ maxBufferedDocs sets a limit on the number of documents buffered
+ before flushing.
+ If both ramBufferSizeMB and maxBufferedDocs is set, then
+ Lucene will flush based on whichever limit is hit first.
+ The default is 100 MB. -->
+ <!-- <ramBufferSizeMB>100</ramBufferSizeMB> -->
+ <!-- <maxBufferedDocs>1000</maxBufferedDocs> -->
+
+ <!-- Expert: Merge Policy
+ The Merge Policy in Lucene controls how merging of segments is done.
+ The default since Solr/Lucene 3.3 is TieredMergePolicy.
+ The default since Lucene 2.3 was the LogByteSizeMergePolicy,
+ Even older versions of Lucene used LogDocMergePolicy.
+ -->
+ <!--
+ <mergePolicy class="org.apache.lucene.index.TieredMergePolicy">
+ <int name="maxMergeAtOnce">10</int>
+ <int name="segmentsPerTier">10</int>
+ </mergePolicy>
+ -->
+
+ <!-- Merge Factor
+ The merge factor controls how many segments will get merged at a time.
+ For TieredMergePolicy, mergeFactor is a convenience parameter which
+ will set both MaxMergeAtOnce and SegmentsPerTier at once.
+ For LogByteSizeMergePolicy, mergeFactor decides how many new segments
+ will be allowed before they are merged into one.
+ Default is 10 for both merge policies.
+ -->
+ <!--
+ <mergeFactor>10</mergeFactor>
+ -->
+
+ <!-- Expert: Merge Scheduler
+ The Merge Scheduler in Lucene controls how merges are
+ performed. The ConcurrentMergeScheduler (Lucene 2.3 default)
+ can perform merges in the background using separate threads.
+ The SerialMergeScheduler (Lucene 2.2 default) does not.
+ -->
+ <!--
+ <mergeScheduler class="org.apache.lucene.index.ConcurrentMergeScheduler"/>
+ -->
+
+ <!-- LockFactory
+
+ This option specifies which Lucene LockFactory implementation
+ to use.
+
+ single = SingleInstanceLockFactory - suggested for a
+ read-only index or when there is no possibility of
+ another process trying to modify the index.
+ native = NativeFSLockFactory - uses OS native file locking.
+ Do not use when multiple solr webapps in the same
+ JVM are attempting to share a single index.
+ simple = SimpleFSLockFactory - uses a plain file for locking
+
+ Defaults: 'native' is default for Solr3.6 and later, otherwise
+ 'simple' is the default
+
+ More details on the nuances of each LockFactory...
+ http://wiki.apache.org/lucene-java/AvailableLockFactories
+ -->
+ <lockType>${solr.lock.type:native}</lockType>
+
+ <!-- Unlock On Startup
+
+ If true, unlock any held write or commit locks on startup.
+ This defeats the locking mechanism that allows multiple
+ processes to safely access a lucene index, and should be used
+ with care. Default is "false".
+
+ This is not needed if lock type is 'single'
+ -->
+ <!--
+ <unlockOnStartup>false</unlockOnStartup>
+ -->
+
+ <!-- Commit Deletion Policy
+ Custom deletion policies can be specified here. The class must
+ implement org.apache.lucene.index.IndexDeletionPolicy.
+
+ The default Solr IndexDeletionPolicy implementation supports
+ deleting index commit points on number of commits, age of
+ commit point and optimized status.
+
+ The latest commit point should always be preserved regardless
+ of the criteria.
+ -->
+ <!--
+ <deletionPolicy class="solr.SolrDeletionPolicy">
+ -->
+ <!-- The number of commit points to be kept -->
+ <!-- <str name="maxCommitsToKeep">1</str> -->
+ <!-- The number of optimized commit points to be kept -->
+ <!-- <str name="maxOptimizedCommitsToKeep">0</str> -->
+ <!--
+ Delete all commit points once they have reached the given age.
+ Supports DateMathParser syntax e.g.
+ -->
+ <!--
+ <str name="maxCommitAge">30MINUTES</str>
+ <str name="maxCommitAge">1DAY</str>
+ -->
+ <!--
+ </deletionPolicy>
+ -->
+
+ <!-- Lucene Infostream
+
+ To aid in advanced debugging, Lucene provides an "InfoStream"
+ of detailed information when indexing.
+
+ Setting the value to true will instruct the underlying Lucene
+ IndexWriter to write its info stream to solr's log. By default,
+ this is enabled here, and controlled through log4j.properties.
+ -->
+ <infoStream>true</infoStream>
+ </indexConfig>
+
+
+ <!-- JMX
+
+ This example enables JMX if and only if an existing MBeanServer
+ is found, use this if you want to configure JMX through JVM
+ parameters. Remove this to disable exposing Solr configuration
+ and statistics to JMX.
+
+ For more details see http://wiki.apache.org/solr/SolrJmx
+ -->
+ <jmx />
+ <!-- If you want to connect to a particular server, specify the
+ agentId
+ -->
+ <!-- <jmx agentId="myAgent" /> -->
+ <!-- If you want to start a new MBeanServer, specify the serviceUrl -->
+ <!-- <jmx serviceUrl="service:jmx:rmi:///jndi/rmi://localhost:9999/solr"/>
+ -->
+
+ <!-- The default high-performance update handler -->
+ <updateHandler class="solr.DirectUpdateHandler2">
+
+ <!-- Enables a transaction log, used for real-time get, durability, and
+ and solr cloud replica recovery. The log can grow as big as
+ uncommitted changes to the index, so use of a hard autoCommit
+ is recommended (see below).
+ "dir" - the target directory for transaction logs, defaults to the
+ solr data directory. -->
+ <updateLog>
+ <str name="dir">${solr.ulog.dir:}</str>
+ </updateLog>
+
+ <!-- AutoCommit
+
+ Perform a hard commit automatically under certain conditions.
+ Instead of enabling autoCommit, consider using "commitWithin"
+ when adding documents.
+
+ http://wiki.apache.org/solr/UpdateXmlMessages
+
+ maxDocs - Maximum number of documents to add since the last
+ commit before automatically triggering a new commit.
+
+ maxTime - Maximum amount of time in ms that is allowed to pass
+ since a document was added before automatically
+ triggering a new commit.
+ openSearcher - if false, the commit causes recent index changes
+ to be flushed to stable storage, but does not cause a new
+ searcher to be opened to make those changes visible.
+
+ If the updateLog is enabled, then it's highly recommended to
+ have some sort of hard autoCommit to limit the log size.
+ -->
+ <autoCommit>
+ <maxTime>${solr.autoCommit.maxTime:15000}</maxTime>
+ <openSearcher>false</openSearcher>
+ </autoCommit>
+
+ <!-- softAutoCommit is like autoCommit except it causes a
+ 'soft' commit which only ensures that changes are visible
+ but does not ensure that data is synced to disk. This is
+ faster and more near-realtime friendly than a hard commit.
+ -->
+
+ <autoSoftCommit>
+ <maxTime>${solr.autoSoftCommit.maxTime:5000}</maxTime>
+ </autoSoftCommit>
+
+ <!-- Update Related Event Listeners
+
+ Various IndexWriter related events can trigger Listeners to
+ take actions.
+
+ postCommit - fired after every commit or optimize command
+ postOptimize - fired after every optimize command
+ -->
+ <!-- The RunExecutableListener executes an external command from a
+ hook such as postCommit or postOptimize.
+
+ exe - the name of the executable to run
+ dir - dir to use as the current working directory. (default=".")
+ wait - the calling thread waits until the executable returns.
+ (default="true")
+ args - the arguments to pass to the program. (default is none)
+ env - environment variables to set. (default is none)
+ -->
+ <!-- This example shows how RunExecutableListener could be used
+ with the script based replication...
+ http://wiki.apache.org/solr/CollectionDistribution
+ -->
+ <!--
+ <listener event="postCommit" class="solr.RunExecutableListener">
+ <str name="exe">solr/bin/snapshooter</str>
+ <str name="dir">.</str>
+ <bool name="wait">true</bool>
+ <arr name="args"> <str>arg1</str> <str>arg2</str> </arr>
+ <arr name="env"> <str>MYVAR=val1</str> </arr>
+ </listener>
+ -->
+
+ </updateHandler>
+
+ <!-- IndexReaderFactory
+
+ Use the following format to specify a custom IndexReaderFactory,
+ which allows for alternate IndexReader implementations.
+
+ ** Experimental Feature **
+
+ Please note - Using a custom IndexReaderFactory may prevent
+ certain other features from working. The API to
+ IndexReaderFactory may change without warning or may even be
+ removed from future releases if the problems cannot be
+ resolved.
+
+
+ ** Features that may not work with custom IndexReaderFactory **
+
+ The ReplicationHandler assumes a disk-resident index. Using a
+ custom IndexReader implementation may cause incompatibility
+ with ReplicationHandler and may cause replication to not work
+ correctly. See SOLR-1366 for details.
+
+ -->
+ <!--
+ <indexReaderFactory name="IndexReaderFactory" class="package.class">
+ <str name="someArg">Some Value</str>
+ </indexReaderFactory >
+ -->
+
+ <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Query section - these settings control query time things like caches
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
+ <query>
+ <!-- Max Boolean Clauses
+
+ Maximum number of clauses in each BooleanQuery, an exception
+ is thrown if exceeded.
+
+ ** WARNING **
+
+ This option actually modifies a global Lucene property that
+ will affect all SolrCores. If multiple solrconfig.xml files
+ disagree on this property, the value at any given moment will
+ be based on the last SolrCore to be initialized.
+
+ -->
+ <maxBooleanClauses>1024</maxBooleanClauses>
+
+
+ <!-- Solr Internal Query Caches
+
+ There are two implementations of cache available for Solr,
+ LRUCache, based on a synchronized LinkedHashMap, and
+ FastLRUCache, based on a ConcurrentHashMap.
+
+ FastLRUCache has faster gets and slower puts in single
+ threaded operation and thus is generally faster than LRUCache
+ when the hit ratio of the cache is high (> 75%), and may be
+ faster under other scenarios on multi-cpu systems.
+ -->
+
+ <!-- Filter Cache
+
+ Cache used by SolrIndexSearcher for filters (DocSets),
+ unordered sets of *all* documents that match a query. When a
+ new searcher is opened, its caches may be prepopulated or
+ "autowarmed" using data from caches in the old searcher.
+ autowarmCount is the number of items to prepopulate. For
+ LRUCache, the autowarmed items will be the most recently
+ accessed items.
+
+ Parameters:
+ class - the SolrCache implementation LRUCache or
+ (LRUCache or FastLRUCache)
+ size - the maximum number of entries in the cache
+ initialSize - the initial capacity (number of entries) of
+ the cache. (see java.util.HashMap)
+ autowarmCount - the number of entries to prepopulate from
+ and old cache.
+ -->
+ <filterCache class="solr.FastLRUCache"
+ size="512"
+ initialSize="512"
+ autowarmCount="0"/>
+
+ <!-- Query Result Cache
+
+ Caches results of searches - ordered lists of document ids
+ (DocList) based on a query, a sort, and the range of documents requested.
+ -->
+ <queryResultCache class="solr.LRUCache"
+ size="512"
+ initialSize="512"
+ autowarmCount="0"/>
+
+ <!-- Document Cache
+
+ Caches Lucene Document objects (the stored fields for each
+ document). Since Lucene internal document ids are transient,
+ this cache will not be autowarmed.
+ -->
+ <documentCache class="solr.LRUCache"
+ size="512"
+ initialSize="512"
+ autowarmCount="0"/>
+
+ <!-- custom cache currently used by block join -->
+ <cache name="perSegFilter"
+ class="solr.search.LRUCache"
+ size="10"
+ initialSize="0"
+ autowarmCount="10"
+ regenerator="solr.NoOpRegenerator" />
+
+ <!-- Field Value Cache
+
+ Cache used to hold field values that are quickly accessible
+ by document id. The fieldValueCache is created by default
+ even if not configured here.
+ -->
+ <!--
+ <fieldValueCache class="solr.FastLRUCache"
+ size="512"
+ autowarmCount="128"
+ showItems="32" />
+ -->
+
+ <!-- Custom Cache
+
+ Example of a generic cache. These caches may be accessed by
+ name through SolrIndexSearcher.getCache(),cacheLookup(), and
+ cacheInsert(). The purpose is to enable easy caching of
+ user/application level data. The regenerator argument should
+ be specified as an implementation of solr.CacheRegenerator
+ if autowarming is desired.
+ -->
+ <!--
+ <cache name="myUserCache"
+ class="solr.LRUCache"
+ size="4096"
+ initialSize="1024"
+ autowarmCount="1024"
+ regenerator="com.mycompany.MyRegenerator"
+ />
+ -->
+
+
+ <!-- Lazy Field Loading
+
+ If true, stored fields that are not requested will be loaded
+ lazily. This can result in a significant speed improvement
+ if the usual case is to not load all stored fields,
+ especially if the skipped fields are large compressed text
+ fields.
+ -->
+ <enableLazyFieldLoading>true</enableLazyFieldLoading>
+
+ <!-- Use Filter For Sorted Query
+
+ A possible optimization that attempts to use a filter to
+ satisfy a search. If the requested sort does not include
+ score, then the filterCache will be checked for a filter
+ matching the query. If found, the filter will be used as the
+ source of document ids, and then the sort will be applied to
+ that.
+
+ For most situations, this will not be useful unless you
+ frequently get the same search repeatedly with different sort
+ options, and none of them ever use "score"
+ -->
+ <!--
+ <useFilterForSortedQuery>true</useFilterForSortedQuery>
+ -->
+
+ <!-- Result Window Size
+
+ An optimization for use with the queryResultCache. When a search
+ is requested, a superset of the requested number of document ids
+ are collected. For example, if a search for a particular query
+ requests matching documents 10 through 19, and queryWindowSize is 50,
+ then documents 0 through 49 will be collected and cached. Any further
+ requests in that range can be satisfied via the cache.
+ -->
+ <queryResultWindowSize>20</queryResultWindowSize>
+
+ <!-- Maximum number of documents to cache for any entry in the
+ queryResultCache.
+ -->
+ <queryResultMaxDocsCached>200</queryResultMaxDocsCached>
+
+ <!-- Query Related Event Listeners
+
+ Various IndexSearcher related events can trigger Listeners to
+ take actions.
+
+ newSearcher - fired whenever a new searcher is being prepared
+ and there is a current searcher handling requests (aka
+ registered). It can be used to prime certain caches to
+ prevent long request times for certain requests.
+
+ firstSearcher - fired whenever a new searcher is being
+ prepared but there is no current registered searcher to handle
+ requests or to gain autowarming data from.
+
+
+ -->
+ <!-- QuerySenderListener takes an array of NamedList and executes a
+ local query request for each NamedList in sequence.
+ -->
+ <listener event="newSearcher" class="solr.QuerySenderListener">
+ <arr name="queries">
+ <!--
+ <lst><str name="q">solr</str><str name="sort">price asc</str></lst>
+ <lst><str name="q">rocks</str><str name="sort">weight asc</str></lst>
+ -->
+ </arr>
+ </listener>
+ <listener event="firstSearcher" class="solr.QuerySenderListener">
+ <arr name="queries">
+ <lst>
+ <str name="q">static firstSearcher warming in solrconfig.xml</str>
+ </lst>
+ </arr>
+ </listener>
+
+ <!-- Use Cold Searcher
+
+ If a search request comes in and there is no current
+ registered searcher, then immediately register the still
+ warming searcher and use it. If "false" then all requests
+ will block until the first searcher is done warming.
+ -->
+ <useColdSearcher>false</useColdSearcher>
+
+ <!-- Max Warming Searchers
+
+ Maximum number of searchers that may be warming in the
+ background concurrently. An error is returned if this limit
+ is exceeded.
+
+ Recommend values of 1-2 for read-only slaves, higher for
+ masters w/o cache warming.
+ -->
+ <maxWarmingSearchers>2</maxWarmingSearchers>
+
+ </query>
+
+
+ <!-- Request Dispatcher
+
+ This section contains instructions for how the SolrDispatchFilter
+ should behave when processing requests for this SolrCore.
+
+ handleSelect is a legacy option that affects the behavior of requests
+ such as /select?qt=XXX
+
+ handleSelect="true" will cause the SolrDispatchFilter to process
+ the request and dispatch the query to a handler specified by the
+ "qt" param, assuming "/select" isn't already registered.
+
+ handleSelect="false" will cause the SolrDispatchFilter to
+ ignore "/select" requests, resulting in a 404 unless a handler
+ is explicitly registered with the name "/select"
+
+ handleSelect="true" is not recommended for new users, but is the default
+ for backwards compatibility
+ -->
+ <requestDispatcher handleSelect="false" >
+ <!-- Request Parsing
+
+ These settings indicate how Solr Requests may be parsed, and
+ what restrictions may be placed on the ContentStreams from
+ those requests
+
+ enableRemoteStreaming - enables use of the stream.file
+ and stream.url parameters for specifying remote streams.
+
+ multipartUploadLimitInKB - specifies the max size (in KiB) of
+ Multipart File Uploads that Solr will allow in a Request.
+
+ formdataUploadLimitInKB - specifies the max size (in KiB) of
+ form data (application/x-www-form-urlencoded) sent via
+ POST. You can use POST to pass request parameters not
+ fitting into the URL.
+
+ addHttpRequestToContext - if set to true, it will instruct
+ the requestParsers to include the original HttpServletRequest
+ object in the context map of the SolrQueryRequest under the
+ key "httpRequest". It will not be used by any of the existing
+ Solr components, but may be useful when developing custom
+ plugins.
+
+ *** WARNING ***
+ The settings below authorize Solr to fetch remote files, You
+ should make sure your system has some authentication before
+ using enableRemoteStreaming="true"
+
+ -->
+ <requestParsers enableRemoteStreaming="true"
+ multipartUploadLimitInKB="2048000"
+ formdataUploadLimitInKB="2048"
+ addHttpRequestToContext="false"/>
+
+ <!-- HTTP Caching
+
+ Set HTTP caching related parameters (for proxy caches and clients).
+
+ The options below instruct Solr not to output any HTTP Caching
+ related headers
+ -->
+ <httpCaching never304="true" />
+ <!-- If you include a <cacheControl> directive, it will be used to
+ generate a Cache-Control header (as well as an Expires header
+ if the value contains "max-age=")
+
+ By default, no Cache-Control header is generated.
+
+ You can use the <cacheControl> option even if you have set
+ never304="true"
+ -->
+ <!--
+ <httpCaching never304="true" >
+ <cacheControl>max-age=30, public</cacheControl>
+ </httpCaching>
+ -->
+ <!-- To enable Solr to respond with automatically generated HTTP
+ Caching headers, and to response to Cache Validation requests
+ correctly, set the value of never304="false"
+
+ This will cause Solr to generate Last-Modified and ETag
+ headers based on the properties of the Index.
+
+ The following options can also be specified to affect the
+ values of these headers...
+
+ lastModFrom - the default value is "openTime" which means the
+ Last-Modified value (and validation against If-Modified-Since
+ requests) will all be relative to when the current Searcher
+ was opened. You can change it to lastModFrom="dirLastMod" if
+ you want the value to exactly correspond to when the physical
+ index was last modified.
+
+ etagSeed="..." is an option you can change to force the ETag
+ header (and validation against If-None-Match requests) to be
+ different even if the index has not changed (ie: when making
+ significant changes to your config file)
+
+ (lastModifiedFrom and etagSeed are both ignored if you use
+ the never304="true" option)
+ -->
+ <!--
+ <httpCaching lastModifiedFrom="openTime"
+ etagSeed="Solr">
+ <cacheControl>max-age=30, public</cacheControl>
+ </httpCaching>
+ -->
+ </requestDispatcher>
+
+ <!-- Request Handlers
+
+ http://wiki.apache.org/solr/SolrRequestHandler
+
+ Incoming queries will be dispatched to a specific handler by name
+ based on the path specified in the request.
+
+ Legacy behavior: If the request path uses "/select" but no Request
+ Handler has that name, and if handleSelect="true" has been specified in
+ the requestDispatcher, then the Request Handler is dispatched based on
+ the qt parameter. Handlers without a leading '/' are accessed this way
+ like so: http://host/app/[core/]select?qt=name If no qt is
+ given, then the requestHandler that declares default="true" will be
+ used or the one named "standard".
+
+ If a Request Handler is declared with startup="lazy", then it will
+ not be initialized until the first request that uses it.
+
+ -->
+
+ <requestHandler name="/dataimport" class="solr.DataImportHandler">
+ <lst name="defaults">
+ <str name="config">solr-data-config.xml</str>
+ </lst>
+ </requestHandler>
+
+ <!-- SearchHandler
+
+ http://wiki.apache.org/solr/SearchHandler
+
+ For processing Search Queries, the primary Request Handler
+ provided with Solr is "SearchHandler" It delegates to a sequent
+ of SearchComponents (see below) and supports distributed
+ queries across multiple shards
+ -->
+ <requestHandler name="/select" class="solr.SearchHandler">
+ <!-- default values for query parameters can be specified, these
+ will be overridden by parameters in the request
+ -->
+ <lst name="defaults">
+ <str name="echoParams">explicit</str>
+ <int name="rows">10</int>
+ <str name="df">text</str>
+ </lst>
+ <!-- In addition to defaults, "appends" params can be specified
+ to identify values which should be appended to the list of
+ multi-val params from the query (or the existing "defaults").
+ -->
+ <!-- In this example, the param "fq=instock:true" would be appended to
+ any query time fq params the user may specify, as a mechanism for
+ partitioning the index, independent of any user selected filtering
+ that may also be desired (perhaps as a result of faceted searching).
+
+ NOTE: there is *absolutely* nothing a client can do to prevent these
+ "appends" values from being used, so don't use this mechanism
+ unless you are sure you always want it.
+ -->
+ <!--
+ <lst name="appends">
+ <str name="fq">inStock:true</str>
+ </lst>
+ -->
+ <!-- "invariants" are a way of letting the Solr maintainer lock down
+ the options available to Solr clients. Any params values
+ specified here are used regardless of what values may be specified
+ in either the query, the "defaults", or the "appends" params.
+
+ In this example, the facet.field and facet.query params would
+ be fixed, limiting the facets clients can use. Faceting is
+ not turned on by default - but if the client does specify
+ facet=true in the request, these are the only facets they
+ will be able to see counts for; regardless of what other
+ facet.field or facet.query params they may specify.
+
+ NOTE: there is *absolutely* nothing a client can do to prevent these
+ "invariants" values from being used, so don't use this mechanism
+ unless you are sure you always want it.
+ -->
+ <!--
+ <lst name="invariants">
+ <str name="facet.field">cat</str>
+ <str name="facet.field">manu_exact</str>
+ <str name="facet.query">price:[* TO 500]</str>
+ <str name="facet.query">price:[500 TO *]</str>
+ </lst>
+ -->
+ <!-- If the default list of SearchComponents is not desired, that
+ list can either be overridden completely, or components can be
+ prepended or appended to the default list. (see below)
+ -->
+ <!--
+ <arr name="components">
+ <str>nameOfCustomComponent1</str>
+ <str>nameOfCustomComponent2</str>
+ </arr>
+ -->
+ </requestHandler>
+
+ <!-- A request handler that returns indented JSON by default -->
+ <requestHandler name="/query" class="solr.SearchHandler">
+ <lst name="defaults">
+ <str name="echoParams">explicit</str>
+ <str name="wt">json</str>
+ <str name="indent">true</str>
+ <str name="df">text</str>
+ </lst>
+ </requestHandler>
+
+
+ <!-- realtime get handler, guaranteed to return the latest stored fields of
+ any document, without the need to commit or open a new searcher. The
+ current implementation relies on the updateLog feature being enabled.
+
+ ** WARNING **
+ Do NOT disable the realtime get handler at /get if you are using
+ SolrCloud otherwise any leader election will cause a full sync in ALL
+ replicas for the shard in question. Similarly, a replica recovery will
+ also always fetch the complete index from the leader because a partial
+ sync will not be possible in the absence of this handler.
+ -->
+ <requestHandler name="/get" class="solr.RealTimeGetHandler">
+ <lst name="defaults">
+ <str name="omitHeader">true</str>
+ <str name="wt">json</str>
+ <str name="indent">true</str>
+ </lst>
+ </requestHandler>
+
+
+ <!-- A Robust Example
+
+ This example SearchHandler declaration shows off usage of the
+ SearchHandler with many defaults declared
+
+ Note that multiple instances of the same Request Handler
+ (SearchHandler) can be registered multiple times with different
+ names (and different init parameters)
+ -->
+ <requestHandler name="/browse" class="solr.SearchHandler">
+ <lst name="defaults">
+ <str name="echoParams">explicit</str>
+
+ <!-- VelocityResponseWriter settings -->
+ <str name="wt">velocity</str>
+ <str name="v.template">browse</str>
+ <str name="v.layout">layout</str>
+
+ <!-- Query settings -->
+ <str name="defType">edismax</str>
+ <str name="q.alt">*:*</str>
+ <str name="rows">10</str>
+ <str name="fl">*,score</str>
+
+ <!-- Faceting defaults -->
+ <str name="facet">on</str>
+ <str name="facet.mincount">1</str>
+ </lst>
+ </requestHandler>
+
+
+ <initParams path="/update/**,/query,/select,/tvrh,/elevate,/spell,/browse">
+ <lst name="defaults">
+ <str name="df">text</str>
+ <str name="update.chain">add-unknown-fields-to-the-schema</str>
+ </lst>
+ </initParams>
+
+ <!-- Update Request Handler.
+
+ http://wiki.apache.org/solr/UpdateXmlMessages
+
+ The canonical Request Handler for Modifying the Index through
+ commands specified using XML, JSON, CSV, or JAVABIN
+
+ Note: Since solr1.1 requestHandlers requires a valid content
+ type header if posted in the body. For example, curl now
+ requires: -H 'Content-type:text/xml; charset=utf-8'
+
+ To override the request content type and force a specific
+ Content-type, use the request parameter:
+ ?update.contentType=text/csv
+
+ This handler will pick a response format to match the input
+ if the 'wt' parameter is not explicit
+ -->
+ <requestHandler name="/update" class="solr.UpdateRequestHandler">
+ <!-- See below for information on defining
+ updateRequestProcessorChains that can be used by name
+ on each Update Request
+ -->
+ <!--
+ <lst name="defaults">
+ <str name="update.chain">dedupe</str>
+ </lst>
+ -->
+ </requestHandler>
+
+ <!-- Solr Cell Update Request Handler
+
+ http://wiki.apache.org/solr/ExtractingRequestHandler
+
+ -->
+ <requestHandler name="/update/extract"
+ startup="lazy"
+ class="solr.extraction.ExtractingRequestHandler" >
+ <lst name="defaults">
+ <str name="lowernames">true</str>
+ <str name="uprefix">ignored_</str>
+
+ <!-- capture link hrefs but ignore div attributes -->
+ <str name="captureAttr">true</str>
+ <str name="fmap.a">links</str>
+ <str name="fmap.div">ignored_</str>
+ </lst>
+ </requestHandler>
+
+
+ <!-- Field Analysis Request Handler
+
+ RequestHandler that provides much the same functionality as
+ analysis.jsp. Provides the ability to specify multiple field
+ types and field names in the same request and outputs
+ index-time and query-time analysis for each of them.
+
+ Request parameters are:
+ analysis.fieldname - field name whose analyzers are to be used
+
+ analysis.fieldtype - field type whose analyzers are to be used
+ analysis.fieldvalue - text for index-time analysis
+ q (or analysis.q) - text for query time analysis
+ analysis.showmatch (true|false) - When set to true and when
+ query analysis is performed, the produced tokens of the
+ field value analysis will be marked as "matched" for every
+ token that is produces by the query analysis
+ -->
+ <requestHandler name="/analysis/field"
+ startup="lazy"
+ class="solr.FieldAnalysisRequestHandler" />
+
+
+ <!-- Document Analysis Handler
+
+ http://wiki.apache.org/solr/AnalysisRequestHandler
+
+ An analysis handler that provides a breakdown of the analysis
+ process of provided documents. This handler expects a (single)
+ content stream with the following format:
+
+ <docs>
+ <doc>
+ <field name="id">1</field>
+ <field name="name">The Name</field>
+ <field name="text">The Text Value</field>
+ </doc>
+ <doc>...</doc>
+ <doc>...</doc>
+ ...
+ </docs>
+
+ Note: Each document must contain a field which serves as the
+ unique key. This key is used in the returned response to associate
+ an analysis breakdown to the analyzed document.
+
+ Like the FieldAnalysisRequestHandler, this handler also supports
+ query analysis by sending either an "analysis.query" or "q"
+ request parameter that holds the query text to be analyzed. It
+ also supports the "analysis.showmatch" parameter which when set to
+ true, all field tokens that match the query tokens will be marked
+ as a "match".
+ -->
+ <requestHandler name="/analysis/document"
+ class="solr.DocumentAnalysisRequestHandler"
+ startup="lazy" />
+
+ <!-- Admin Handlers
+
+ Admin Handlers - This will register all the standard admin
+ RequestHandlers.
+ -->
+ <requestHandler name="/admin/"
+ class="solr.admin.AdminHandlers" />
+ <!-- This single handler is equivalent to the following... -->
+ <!--
+ <requestHandler name="/admin/luke" class="solr.admin.LukeRequestHandler" />
+ <requestHandler name="/admin/system" class="solr.admin.SystemInfoHandler" />
+ <requestHandler name="/admin/plugins" class="solr.admin.PluginInfoHandler" />
+ <requestHandler name="/admin/threads" class="solr.admin.ThreadDumpHandler" />
+ <requestHandler name="/admin/properties" class="solr.admin.PropertiesRequestHandler" />
+ <requestHandler name="/admin/file" class="solr.admin.ShowFileRequestHandler" >
+ -->
+ <!-- If you wish to hide files under ${solr.home}/conf, explicitly
+ register the ShowFileRequestHandler using the definition below.
+ NOTE: The glob pattern ('*') is the only pattern supported at present, *.xml will
+ not exclude all files ending in '.xml'. Use it to exclude _all_ updates
+ -->
+ <!--
+ <requestHandler name="/admin/file"
+ class="solr.admin.ShowFileRequestHandler" >
+ <lst name="invariants">
+ <str name="hidden">synonyms.txt</str>
+ <str name="hidden">anotherfile.txt</str>
+ <str name="hidden">*</str>
+ </lst>
+ </requestHandler>
+ -->
+
+ <!--
+ Enabling this request handler (which is NOT a default part of the admin handler) will allow the Solr UI to edit
+ all the config files. This is intended for secure/development use ONLY! Leaving available and publically
+ accessible is a security vulnerability and should be done with extreme caution!
+ -->
+ <!--
+ <requestHandler name="/admin/fileedit" class="solr.admin.EditFileRequestHandler" >
+ <lst name="invariants">
+ <str name="hidden">synonyms.txt</str>
+ <str name="hidden">anotherfile.txt</str>
+ </lst>
+ </requestHandler>
+ -->
+ <!-- ping/healthcheck -->
+ <requestHandler name="/admin/ping" class="solr.PingRequestHandler">
+ <lst name="invariants">
+ <str name="q">solrpingquery</str>
+ </lst>
+ <lst name="defaults">
+ <str name="echoParams">all</str>
+ </lst>
+ <!-- An optional feature of the PingRequestHandler is to configure the
+ handler with a "healthcheckFile" which can be used to enable/disable
+ the PingRequestHandler.
+ relative paths are resolved against the data dir
+ -->
+ <!-- <str name="healthcheckFile">server-enabled.txt</str> -->
+ </requestHandler>
+
+ <!-- Echo the request contents back to the client -->
+ <requestHandler name="/debug/dump" class="solr.DumpRequestHandler" >
+ <lst name="defaults">
+ <str name="echoParams">explicit</str>
+ <str name="echoHandler">true</str>
+ </lst>
+ </requestHandler>
+
+ <!-- Solr Replication
+
+ The SolrReplicationHandler supports replicating indexes from a
+ "master" used for indexing and "slaves" used for queries.
+
+ http://wiki.apache.org/solr/SolrReplication
+
+ It is also necessary for SolrCloud to function (in Cloud mode, the
+ replication handler is used to bulk transfer segments when nodes
+ are added or need to recover).
+
+ https://wiki.apache.org/solr/SolrCloud/
+ -->
+ <requestHandler name="/replication" class="solr.ReplicationHandler" >
+ <!--
+ To enable simple master/slave replication, uncomment one of the
+ sections below, depending on whether this solr instance should be
+ the "master" or a "slave". If this instance is a "slave" you will
+ also need to fill in the masterUrl to point to a real machine.
+ -->
+ <!--
+ <lst name="master">
+ <str name="replicateAfter">commit</str>
+ <str name="replicateAfter">startup</str>
+ <str name="confFiles">schema.xml,stopwords.txt</str>
+ </lst>
+ -->
+ <!--
+ <lst name="slave">
+ <str name="masterUrl">http://your-master-hostname:8983/solr</str>
+ <str name="pollInterval">00:00:60</str>
+ </lst>
+ -->
+ </requestHandler>
+
+ <!-- Search Components
+
+ Search components are registered to SolrCore and used by
+ instances of SearchHandler (which can access them by name)
+
+ By default, the following components are available:
+
+ <searchComponent name="query" class="solr.QueryComponent" />
+ <searchComponent name="facet" class="solr.FacetComponent" />
+ <searchComponent name="mlt" class="solr.MoreLikeThisComponent" />
+ <searchComponent name="highlight" class="solr.HighlightComponent" />
+ <searchComponent name="stats" class="solr.StatsComponent" />
+ <searchComponent name="debug" class="solr.DebugComponent" />
+
+ Default configuration in a requestHandler would look like:
+
+ <arr name="components">
+ <str>query</str>
+ <str>facet</str>
+ <str>mlt</str>
+ <str>highlight</str>
+ <str>stats</str>
+ <str>debug</str>
+ </arr>
+
+ If you register a searchComponent to one of the standard names,
+ that will be used instead of the default.
+
+ To insert components before or after the 'standard' components, use:
+
+ <arr name="first-components">
+ <str>myFirstComponentName</str>
+ </arr>
+
+ <arr name="last-components">
+ <str>myLastComponentName</str>
+ </arr>
+
+ NOTE: The component registered with the name "debug" will
+ always be executed after the "last-components"
+
+ -->
+
+ <!-- Spell Check
+
+ The spell check component can return a list of alternative spelling
+ suggestions.
+
+ http://wiki.apache.org/solr/SpellCheckComponent
+ -->
+ <searchComponent name="spellcheck" class="solr.SpellCheckComponent">
+
+ <str name="queryAnalyzerFieldType">text_general</str>
+
+ <!-- Multiple "Spell Checkers" can be declared and used by this
+ component
+ -->
+
+ <!-- a spellchecker built from a field of the main index -->
+ <lst name="spellchecker">
+ <str name="name">default</str>
+ <str name="field">text</str>
+ <str name="classname">solr.DirectSolrSpellChecker</str>
+ <!-- the spellcheck distance measure used, the default is the internal levenshtein -->
+ <str name="distanceMeasure">internal</str>
+ <!-- minimum accuracy needed to be considered a valid spellcheck suggestion -->
+ <float name="accuracy">0.5</float>
+ <!-- the maximum #edits we consider when enumerating terms: can be 1 or 2 -->
+ <int name="maxEdits">2</int>
+ <!-- the minimum shared prefix when enumerating terms -->
+ <int name="minPrefix">1</int>
+ <!-- maximum number of inspections per result. -->
+ <int name="maxInspections">5</int>
+ <!-- minimum length of a query term to be considered for correction -->
+ <int name="minQueryLength">4</int>
+ <!-- maximum threshold of documents a query term can appear to be considered for correction -->
+ <float name="maxQueryFrequency">0.01</float>
+ <!-- uncomment this to require suggestions to occur in 1% of the documents
+ <float name="thresholdTokenFrequency">.01</float>
+ -->
+ </lst>
+
+ <!-- a spellchecker that can break or combine words. See "/spell" handler below for usage -->
+ <lst name="spellchecker">
+ <str name="name">wordbreak</str>
+ <str name="classname">solr.WordBreakSolrSpellChecker</str>
+ <str name="field">name</str>
+ <str name="combineWords">true</str>
+ <str name="breakWords">true</str>
+ <int name="maxChanges">10</int>
+ </lst>
+
+ <!-- a spellchecker that uses a different distance measure -->
+ <!--
+ <lst name="spellchecker">
+ <str name="name">jarowinkler</str>
+ <str name="field">spell</str>
+ <str name="classname">solr.DirectSolrSpellChecker</str>
+ <str name="distanceMeasure">
+ org.apache.lucene.search.spell.JaroWinklerDistance
+ </str>
+ </lst>
+ -->
+
+ <!-- a spellchecker that use an alternate comparator
+
+ comparatorClass be one of:
+ 1. score (default)
+ 2. freq (Frequency first, then score)
+ 3. A fully qualified class name
+ -->
+ <!--
+ <lst name="spellchecker">
+ <str name="name">freq</str>
+ <str name="field">lowerfilt</str>
+ <str name="classname">solr.DirectSolrSpellChecker</str>
+ <str name="comparatorClass">freq</str>
+ -->
+
+ <!-- A spellchecker that reads the list of words from a file -->
+ <!--
+ <lst name="spellchecker">
+ <str name="classname">solr.FileBasedSpellChecker</str>
+ <str name="name">file</str>
+ <str name="sourceLocation">spellings.txt</str>
+ <str name="characterEncoding">UTF-8</str>
+ <str name="spellcheckIndexDir">spellcheckerFile</str>
+ </lst>
+ -->
+ </searchComponent>
+
+ <!-- A request handler for demonstrating the spellcheck component.
+
+ NOTE: This is purely as an example. The whole purpose of the
+ SpellCheckComponent is to hook it into the request handler that
+ handles your normal user queries so that a separate request is
+ not needed to get suggestions.
+
+ IN OTHER WORDS, THERE IS REALLY GOOD CHANCE THE SETUP BELOW IS
+ NOT WHAT YOU WANT FOR YOUR PRODUCTION SYSTEM!
+
+ See http://wiki.apache.org/solr/SpellCheckComponent for details
+ on the request parameters.
+ -->
+ <requestHandler name="/spell" class="solr.SearchHandler" startup="lazy">
+ <lst name="defaults">
+ <str name="df">text</str>
+ <!-- Solr will use suggestions from both the 'default' spellchecker
+ and from the 'wordbreak' spellchecker and combine them.
+ collations (re-written queries) can include a combination of
+ corrections from both spellcheckers -->
+ <str name="spellcheck.dictionary">default</str>
+ <str name="spellcheck.dictionary">wordbreak</str>
+ <str name="spellcheck">on</str>
+ <str name="spellcheck.extendedResults">true</str>
+ <str name="spellcheck.count">10</str>
+ <str name="spellcheck.alternativeTermCount">5</str>
+ <str name="spellcheck.maxResultsForSuggest">5</str>
+ <str name="spellcheck.collate">true</str>
+ <str name="spellcheck.collateExtendedResults">true</str>
+ <str name="spellcheck.maxCollationTries">10</str>
+ <str name="spellcheck.maxCollations">5</str>
+ </lst>
+ <arr name="last-components">
+ <str>spellcheck</str>
+ </arr>
+ </requestHandler>
+
+ <searchComponent name="suggest" class="solr.SuggestComponent">
+ <lst name="suggester">
+ <str name="name">mySuggester</str>
+ <str name="lookupImpl">FuzzyLookupFactory</str> <!-- org.apache.solr.spelling.suggest.fst -->
+ <str name="dictionaryImpl">DocumentDictionaryFactory</str> <!-- org.apache.solr.spelling.suggest.HighFrequencyDictionaryFactory -->
+ <str name="field">cat</str>
+ <str name="weightField">price</str>
+ <str name="suggestAnalyzerFieldType">string</str>
+ </lst>
+ </searchComponent>
+
+ <requestHandler name="/suggest" class="solr.SearchHandler" startup="lazy">
+ <lst name="defaults">
+ <str name="suggest">true</str>
+ <str name="suggest.count">10</str>
+ </lst>
+ <arr name="components">
+ <str>suggest</str>
+ </arr>
+ </requestHandler>
+ <!-- Term Vector Component
+
+ http://wiki.apache.org/solr/TermVectorComponent
+ -->
+ <searchComponent name="tvComponent" class="solr.TermVectorComponent"/>
+
+ <!-- A request handler for demonstrating the term vector component
+
+ This is purely as an example.
+
+ In reality you will likely want to add the component to your
+ already specified request handlers.
+ -->
+ <requestHandler name="/tvrh" class="solr.SearchHandler" startup="lazy">
+ <lst name="defaults">
+ <str name="df">text</str>
+ <bool name="tv">true</bool>
+ </lst>
+ <arr name="last-components">
+ <str>tvComponent</str>
+ </arr>
+ </requestHandler>
+
+ <!-- Clustering Component
+
+ You'll need to set the solr.clustering.enabled system property
+ when running solr to run with clustering enabled:
+
+ java -Dsolr.clustering.enabled=true -jar start.jar
+
+ http://wiki.apache.org/solr/ClusteringComponent
+ http://carrot2.github.io/solr-integration-strategies/
+ -->
+ <searchComponent name="clustering"
+ enable="${solr.clustering.enabled:false}"
+ class="solr.clustering.ClusteringComponent" >
+ <lst name="engine">
+ <str name="name">lingo</str>
+
+ <!-- Class name of a clustering algorithm compatible with the Carrot2 framework.
+
+ Currently available open source algorithms are:
+ * org.carrot2.clustering.lingo.LingoClusteringAlgorithm
+ * org.carrot2.clustering.stc.STCClusteringAlgorithm
+ * org.carrot2.clustering.kmeans.BisectingKMeansClusteringAlgorithm
+
+ See http://project.carrot2.org/algorithms.html for more information.
+
+ A commercial algorithm Lingo3G (needs to be installed separately) is defined as:
+ * com.carrotsearch.lingo3g.Lingo3GClusteringAlgorithm
+ -->
+ <str name="carrot.algorithm">org.carrot2.clustering.lingo.LingoClusteringAlgorithm</str>
+
+ <!-- Override location of the clustering algorithm's resources
+ (attribute definitions and lexical resources).
+
+ A directory from which to load algorithm-specific stop words,
+ stop labels and attribute definition XMLs.
+
+ For an overview of Carrot2 lexical resources, see:
+ http://download.carrot2.org/head/manual/#chapter.lexical-resources
+
+ For an overview of Lingo3G lexical resources, see:
+ http://download.carrotsearch.com/lingo3g/manual/#chapter.lexical-resources
+ -->
+ <str name="carrot.resourcesDir">clustering/carrot2</str>
+ </lst>
+
+ <!-- An example definition for the STC clustering algorithm. -->
+ <lst name="engine">
+ <str name="name">stc</str>
+ <str name="carrot.algorithm">org.carrot2.clustering.stc.STCClusteringAlgorithm</str>
+ </lst>
+
+ <!-- An example definition for the bisecting kmeans clustering algorithm. -->
+ <lst name="engine">
+ <str name="name">kmeans</str>
+ <str name="carrot.algorithm">org.carrot2.clustering.kmeans.BisectingKMeansClusteringAlgorithm</str>
+ </lst>
+ </searchComponent>
+
+ <!-- A request handler for demonstrating the clustering component
+
+ This is purely as an example.
+
+ In reality you will likely want to add the component to your
+ already specified request handlers.
+ -->
+ <requestHandler name="/clustering"
+ startup="lazy"
+ enable="${solr.clustering.enabled:false}"
+ class="solr.SearchHandler">
+ <lst name="defaults">
+ <bool name="clustering">true</bool>
+ <bool name="clustering.results">true</bool>
+ <!-- Field name with the logical "title" of a each document (optional) -->
+ <str name="carrot.title">name</str>
+ <!-- Field name with the logical "URL" of a each document (optional) -->
+ <str name="carrot.url">id</str>
+ <!-- Field name with the logical "content" of a each document (optional) -->
+ <str name="carrot.snippet">features</str>
+ <!-- Apply highlighter to the title/ content and use this for clustering. -->
+ <bool name="carrot.produceSummary">true</bool>
+ <!-- the maximum number of labels per cluster -->
+ <!--<int name="carrot.numDescriptions">5</int>-->
+ <!-- produce sub clusters -->
+ <bool name="carrot.outputSubClusters">false</bool>
+
+ <!-- Configure the remaining request handler parameters. -->
+ <str name="defType">edismax</str>
+ <str name="qf">
+ text^0.5 features^1.0 name^1.2 sku^1.5 id^10.0 manu^1.1 cat^1.4
+ </str>
+ <str name="q.alt">*:*</str>
+ <str name="rows">10</str>
+ <str name="fl">*,score</str>
+ </lst>
+ <arr name="last-components">
+ <str>clustering</str>
+ </arr>
+ </requestHandler>
+
+ <!-- Terms Component
+
+ http://wiki.apache.org/solr/TermsComponent
+
+ A component to return terms and document frequency of those
+ terms
+ -->
+ <searchComponent name="terms" class="solr.TermsComponent"/>
+
+ <!-- A request handler for demonstrating the terms component -->
+ <requestHandler name="/terms" class="solr.SearchHandler" startup="lazy">
+ <lst name="defaults">
+ <bool name="terms">true</bool>
+ <bool name="distrib">false</bool>
+ </lst>
+ <arr name="components">
+ <str>terms</str>
+ </arr>
+ </requestHandler>
+
+
+ <!-- Query Elevation Component
+
+ http://wiki.apache.org/solr/QueryElevationComponent
+
+ a search component that enables you to configure the top
+ results for a given query regardless of the normal lucene
+ scoring.
+ -->
+ <searchComponent name="elevator" class="solr.QueryElevationComponent" >
+ <!-- pick a fieldType to analyze queries -->
+ <str name="queryFieldType">string</str>
+ <str name="config-file">elevate.xml</str>
+ </searchComponent>
+
+ <!-- A request handler for demonstrating the elevator component -->
+ <requestHandler name="/elevate" class="solr.SearchHandler" startup="lazy">
+ <lst name="defaults">
+ <str name="echoParams">explicit</str>
+ <str name="df">text</str>
+ </lst>
+ <arr name="last-components">
+ <str>elevator</str>
+ </arr>
+ </requestHandler>
+
+ <!-- Highlighting Component
+
+ http://wiki.apache.org/solr/HighlightingParameters
+ -->
+ <searchComponent class="solr.HighlightComponent" name="highlight">
+ <highlighting>
+ <!-- Configure the standard fragmenter -->
+ <!-- This could most likely be commented out in the "default" case -->
+ <fragmenter name="gap"
+ default="true"
+ class="solr.highlight.GapFragmenter">
+ <lst name="defaults">
+ <int name="hl.fragsize">100</int>
+ </lst>
+ </fragmenter>
+
+ <!-- A regular-expression-based fragmenter
+ (for sentence extraction)
+ -->
+ <fragmenter name="regex"
+ class="solr.highlight.RegexFragmenter">
+ <lst name="defaults">
+ <!-- slightly smaller fragsizes work better because of slop -->
+ <int name="hl.fragsize">70</int>
+ <!-- allow 50% slop on fragment sizes -->
+ <float name="hl.regex.slop">0.5</float>
+ <!-- a basic sentence pattern -->
+ <str name="hl.regex.pattern">[-\w ,/\n\"']{20,200}</str>
+ </lst>
+ </fragmenter>
+
+ <!-- Configure the standard formatter -->
+ <formatter name="html"
+ default="true"
+ class="solr.highlight.HtmlFormatter">
+ <lst name="defaults">
+ <str name="hl.simple.pre"><![CDATA[<em>]]></str>
+ <str name="hl.simple.post"><![CDATA[</em>]]></str>
+ </lst>
+ </formatter>
+
+ <!-- Configure the standard encoder -->
+ <encoder name="html"
+ class="solr.highlight.HtmlEncoder" />
+
+ <!-- Configure the standard fragListBuilder -->
+ <fragListBuilder name="simple"
+ class="solr.highlight.SimpleFragListBuilder"/>
+
+ <!-- Configure the single fragListBuilder -->
+ <fragListBuilder name="single"
+ class="solr.highlight.SingleFragListBuilder"/>
+
+ <!-- Configure the weighted fragListBuilder -->
+ <fragListBuilder name="weighted"
+ default="true"
+ class="solr.highlight.WeightedFragListBuilder"/>
+
+ <!-- default tag FragmentsBuilder -->
+ <fragmentsBuilder name="default"
+ default="true"
+ class="solr.highlight.ScoreOrderFragmentsBuilder">
+ <!--
+ <lst name="defaults">
+ <str name="hl.multiValuedSeparatorChar">/</str>
+ </lst>
+ -->
+ </fragmentsBuilder>
+
+ <!-- multi-colored tag FragmentsBuilder -->
+ <fragmentsBuilder name="colored"
+ class="solr.highlight.ScoreOrderFragmentsBuilder">
+ <lst name="defaults">
+ <str name="hl.tag.pre"><![CDATA[
+ <b style="background:yellow">,<b style="background:lawgreen">,
+ <b style="background:aquamarine">,<b style="background:magenta">,
+ <b style="background:palegreen">,<b style="background:coral">,
+ <b style="background:wheat">,<b style="background:khaki">,
+ <b style="background:lime">,<b style="background:deepskyblue">]]></str>
+ <str name="hl.tag.post"><![CDATA[</b>]]></str>
+ </lst>
+ </fragmentsBuilder>
+
+ <boundaryScanner name="default"
+ default="true"
+ class="solr.highlight.SimpleBoundaryScanner">
+ <lst name="defaults">
+ <str name="hl.bs.maxScan">10</str>
+ <str name="hl.bs.chars">.,!? 	 </str>
+ </lst>
+ </boundaryScanner>
+
+ <boundaryScanner name="breakIterator"
+ class="solr.highlight.BreakIteratorBoundaryScanner">
+ <lst name="defaults">
+ <!-- type should be one of CHARACTER, WORD(default), LINE and SENTENCE -->
+ <str name="hl.bs.type">WORD</str>
+ <!-- language and country are used when constructing Locale object. -->
+ <!-- And the Locale object will be used when getting instance of BreakIterator -->
+ <str name="hl.bs.language">en</str>
+ <str name="hl.bs.country">US</str>
+ </lst>
+ </boundaryScanner>
+ </highlighting>
+ </searchComponent>
+
+ <!-- Update Processors
+
+ Chains of Update Processor Factories for dealing with Update
+ Requests can be declared, and then used by name in Update
+ Request Processors
+
+ http://wiki.apache.org/solr/UpdateRequestProcessor
+
+ -->
+
+ <!-- Add unknown fields to the schema
+
+ An example field type guessing update processor that will
+ attempt to parse string-typed field values as Booleans, Longs,
+ Doubles, or Dates, and then add schema fields with the guessed
+ field types.
+
+ This requires that the schema is both managed and mutable, by
+ declaring schemaFactory as ManagedIndexSchemaFactory, with
+ mutable specified as true.
+
+ See http://wiki.apache.org/solr/GuessingFieldTypes
+ -->
+ <updateRequestProcessorChain name="add-unknown-fields-to-the-schema">
+ <processor class="solr.RemoveBlankFieldUpdateProcessorFactory"/>
+ <processor class="solr.ParseBooleanFieldUpdateProcessorFactory"/>
+ <processor class="solr.ParseLongFieldUpdateProcessorFactory"/>
+ <processor class="solr.ParseDoubleFieldUpdateProcessorFactory"/>
+ <processor class="solr.ParseDateFieldUpdateProcessorFactory">
+ <arr name="format">
+ <str>yyyy-MM-dd'T'HH:mm:ss.SSSZ</str>
+ <str>yyyy-MM-dd'T'HH:mm:ss,SSSZ</str>
+ <str>yyyy-MM-dd'T'HH:mm:ss.SSS</str>
+ <str>yyyy-MM-dd'T'HH:mm:ss,SSS</str>
+ <str>yyyy-MM-dd'T'HH:mm:ssZ</str>
+ <str>yyyy-MM-dd'T'HH:mm:ss</str>
+ <str>yyyy-MM-dd'T'HH:mmZ</str>
+ <str>yyyy-MM-dd'T'HH:mm</str>
+ <str>yyyy-MM-dd HH:mm:ss.SSSZ</str>
+ <str>yyyy-MM-dd HH:mm:ss,SSSZ</str>
+ <str>yyyy-MM-dd HH:mm:ss.SSS</str>
+ <str>yyyy-MM-dd HH:mm:ss,SSS</str>
+ <str>yyyy-MM-dd HH:mm:ssZ</str>
+ <str>yyyy-MM-dd HH:mm:ss</str>
+ <str>yyyy-MM-dd HH:mmZ</str>
+ <str>yyyy-MM-dd HH:mm</str>
+ <str>yyyy-MM-dd</str>
+ </arr>
+ </processor>
+ <processor class="solr.AddSchemaFieldsUpdateProcessorFactory">
+ <str name="defaultFieldType">text_general</str>
+ <lst name="typeMapping">
+ <str name="valueClass">java.lang.Boolean</str>
+ <str name="fieldType">booleans</str>
+ </lst>
+ <lst name="typeMapping">
+ <str name="valueClass">java.util.Date</str>
+ <str name="fieldType">tdates</str>
+ </lst>
+ <lst name="typeMapping">
+ <str name="valueClass">java.lang.Long</str>
+ <str name="valueClass">java.lang.Integer</str>
+ <str name="fieldType">tlongs</str>
+ </lst>
+ <lst name="typeMapping">
+ <str name="valueClass">java.lang.Number</str>
+ <str name="fieldType">tdoubles</str>
+ </lst>
+ </processor>
+ <processor class="solr.LogUpdateProcessorFactory"/>
+ <processor class="solr.RunUpdateProcessorFactory"/>
+ </updateRequestProcessorChain>
+
+
+ <!-- Deduplication
+
+ An example dedup update processor that creates the "id" field
+ on the fly based on the hash code of some other fields. This
+ example has overwriteDupes set to false since we are using the
+ id field as the signatureField and Solr will maintain
+ uniqueness based on that anyway.
+
+ -->
+ <!--
+ <updateRequestProcessorChain name="dedupe">
+ <processor class="solr.processor.SignatureUpdateProcessorFactory">
+ <bool name="enabled">true</bool>
+ <str name="signatureField">id</str>
+ <bool name="overwriteDupes">false</bool>
+ <str name="fields">name,features,cat</str>
+ <str name="signatureClass">solr.processor.Lookup3Signature</str>
+ </processor>
+ <processor class="solr.LogUpdateProcessorFactory" />
+ <processor class="solr.RunUpdateProcessorFactory" />
+ </updateRequestProcessorChain>
+ -->
+
+ <!-- Language identification
+
+ This example update chain identifies the language of the incoming
+ documents using the langid contrib. The detected language is
+ written to field language_s. No field name mapping is done.
+ The fields used for detection are text, title, subject and description,
+ making this example suitable for detecting languages form full-text
+ rich documents injected via ExtractingRequestHandler.
+ See more about langId at http://wiki.apache.org/solr/LanguageDetection
+ -->
+ <!--
+ <updateRequestProcessorChain name="langid">
+ <processor class="org.apache.solr.update.processor.TikaLanguageIdentifierUpdateProcessorFactory">
+ <str name="langid.fl">text,title,subject,description</str>
+ <str name="langid.langField">language_s</str>
+ <str name="langid.fallback">en</str>
+ </processor>
+ <processor class="solr.LogUpdateProcessorFactory" />
+ <processor class="solr.RunUpdateProcessorFactory" />
+ </updateRequestProcessorChain>
+ -->
+
+ <!-- Script update processor
+
+ This example hooks in an update processor implemented using JavaScript.
+
+ See more about the script update processor at http://wiki.apache.org/solr/ScriptUpdateProcessor
+ -->
+ <!--
+ <updateRequestProcessorChain name="script">
+ <processor class="solr.StatelessScriptUpdateProcessorFactory">
+ <str name="script">update-script.js</str>
+ <lst name="params">
+ <str name="config_param">example config parameter</str>
+ </lst>
+ </processor>
+ <processor class="solr.RunUpdateProcessorFactory" />
+ </updateRequestProcessorChain>
+ -->
+
+ <!-- Response Writers
+
+ http://wiki.apache.org/solr/QueryResponseWriter
+
+ Request responses will be written using the writer specified by
+ the 'wt' request parameter matching the name of a registered
+ writer.
+
+ The "default" writer is the default and will be used if 'wt' is
+ not specified in the request.
+ -->
+ <!-- The following response writers are implicitly configured unless
+ overridden...
+ -->
+ <!--
+ <queryResponseWriter name="xml"
+ default="true"
+ class="solr.XMLResponseWriter" />
+ <queryResponseWriter name="json" class="solr.JSONResponseWriter"/>
+ <queryResponseWriter name="python" class="solr.PythonResponseWriter"/>
+ <queryResponseWriter name="ruby" class="solr.RubyResponseWriter"/>
+ <queryResponseWriter name="php" class="solr.PHPResponseWriter"/>
+ <queryResponseWriter name="phps" class="solr.PHPSerializedResponseWriter"/>
+ <queryResponseWriter name="csv" class="solr.CSVResponseWriter"/>
+ <queryResponseWriter name="schema.xml" class="solr.SchemaXmlResponseWriter"/>
+ -->
+
+ <queryResponseWriter name="json" class="solr.JSONResponseWriter">
+ <!-- For the purposes of the tutorial, JSON responses are written as
+ plain text so that they are easy to read in *any* browser.
+ If you expect a MIME type of "application/json" just remove this override.
+ -->
+ <str name="content-type">text/plain; charset=UTF-8</str>
+ </queryResponseWriter>
+
+ <!--
+ Custom response writers can be declared as needed...
+ -->
+ <queryResponseWriter name="velocity" class="solr.VelocityResponseWriter" startup="lazy">
+ <str name="template.base.dir">${velocity.template.base.dir:}</str>
+ </queryResponseWriter>
+
+ <!-- XSLT response writer transforms the XML output by any xslt file found
+ in Solr's conf/xslt directory. Changes to xslt files are checked for
+ every xsltCacheLifetimeSeconds.
+ -->
+ <queryResponseWriter name="xslt" class="solr.XSLTResponseWriter">
+ <int name="xsltCacheLifetimeSeconds">5</int>
+ </queryResponseWriter>
+
+ <!-- Query Parsers
+
+ http://wiki.apache.org/solr/SolrQuerySyntax
+
+ Multiple QParserPlugins can be registered by name, and then
+ used in either the "defType" param for the QueryComponent (used
+ by SearchHandler) or in LocalParams
+ -->
+ <!-- example of registering a query parser -->
+ <!--
+ <queryParser name="myparser" class="com.mycompany.MyQParserPlugin"/>
+ -->
+
+ <!-- Function Parsers
+
+ http://wiki.apache.org/solr/FunctionQuery
+
+ Multiple ValueSourceParsers can be registered by name, and then
+ used as function names when using the "func" QParser.
+ -->
+ <!-- example of registering a custom function parser -->
+ <!--
+ <valueSourceParser name="myfunc"
+ class="com.mycompany.MyValueSourceParser" />
+ -->
+
+
+ <!-- Document Transformers
+ http://wiki.apache.org/solr/DocTransformers
+ -->
+ <!--
+ Could be something like:
+ <transformer name="db" class="com.mycompany.LoadFromDatabaseTransformer" >
+ <int name="connection">jdbc://....</int>
+ </transformer>
+
+ To add a constant value to all docs, use:
+ <transformer name="mytrans2" class="org.apache.solr.response.transform.ValueAugmenterFactory" >
+ <int name="value">5</int>
+ </transformer>
+
+ If you want the user to still be able to change it with _value:something_ use this:
+ <transformer name="mytrans3" class="org.apache.solr.response.transform.ValueAugmenterFactory" >
+ <double name="defaultValue">5</double>
+ </transformer>
+
+ If you are using the QueryElevationComponent, you may wish to mark documents that get boosted. The
+ EditorialMarkerFactory will do exactly that:
+ <transformer name="qecBooster" class="org.apache.solr.response.transform.EditorialMarkerFactory" />
+ -->
+
+
+ <!-- Legacy config for the admin interface -->
+ <admin>
+ <defaultQuery>*:*</defaultQuery>
+ </admin>
+
+</config>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c5ae2edd/security-admin/contrib/solr_for_audit_setup/install.properties
----------------------------------------------------------------------
diff --git a/security-admin/contrib/solr_for_audit_setup/install.properties b/security-admin/contrib/solr_for_audit_setup/install.properties
new file mode 100644
index 0000000..92ec1e6
--- /dev/null
+++ b/security-admin/contrib/solr_for_audit_setup/install.properties
@@ -0,0 +1,96 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#Note:
+#1. This file is sourced from setup.sh, so make sure there are no spaces after the "="
+#2. For variable with file path, please provide full path
+
+#!/bin/bash
+
+#JAVA_HOME to be used by Solr. Solr only support JDK 1.7 and above. If JAVA_HOME is not set
+#in the env, then please set it here
+#JAVA_HOME=
+
+#The operating system (linux) user used by Solr process. You need to run Solr as the below user
+SOLR_USER=solr
+
+#If you want this script to isntall Solr, set the value to true. If it is already installed, then set this to false
+#If it is true, then it will download and install it.
+#NOTE: If you want the script to install Solr, then this script needs to be executed as root.
+SOLR_INSTALL=false
+
+### BEGIN: if SOLR_INSTALL==true ###
+#Location to download Solr. If SOLR_INSTALL is true, then SOLR_DOWNLOAD_URL is mandatory
+
+#For open source version, pick a mirror from below. Recommended versions are Apache Solr 5.2.1 or above
+#http://lucene.apache.org/solr/mirrors-solr-latest-redir.html
+
+#Note: If possible, use the link from one of the mirror site
+#SOLR_DOWNLOAD_URL=http://archive.apache.org/dist/lucene/solr/5.2.1/solr-5.2.1.tgz
+SOLR_DOWNLOAD_URL=
+
+### END: if SOLR_INSTALL==true ###
+
+#The folder where Solr is installed. If SOLR_INSTALL=false, then Solr need to be preinstalled, else the setup will
+#install at the below location
+#Note: If you are using RPM from LucidWorks in HDP, then Solr is by default installed in the following location:
+#SOLR_INSTALL_FOLDER=/opt/lucidworks-hdpsearch/solr
+SOLR_INSTALL_FOLDER=/opt/solr
+
+#The location for the Solr configuration for Ranger. This script copies required configuration and
+#startup scripts to the $SOLR_RANGER_HOME folder.
+#NOTE: In SolrCloud mode, the data folders are under this folder. So make sure this is on seperate drive
+# with enough disk space. Have 1TB free disk space on this volume. Also regularly monitor available disk space
+# for this volume
+#SOLR_RANGER_HOME=/opt/solr/ranger_audit_server
+SOLR_RANGER_HOME=/opt/solr/ranger_audit_server
+
+#Port for Solr instance to be used by Ranger.
+SOLR_RANGER_PORT=6083
+
+#Standalone or SolrCloud. Valid values are "standalone" or "solrcloud"
+SOLR_DEPLOYMENT=standalone
+
+#### BEGIN: if SOLR_DEPLOYMENT=standalone ##########################
+#Location for the data files. Make sure it has enough disk space. Since audits records can grow dramatically,
+#please have 1TB free disk space for the data folder. Also regularly monitor available disk space for this volume
+SOLR_RANGER_DATA_FOLDER=/opt/solr/ranger_audit_server/data
+#### END: if SOLR_DEPLOYMENT=standalone ##########################
+
+
+#### BEGIN: if SOLR_DEPLOYMENT=solrcloud ##########################
+#Comma seperated list of of zookeeper host and path. Give fully qualified domain name for the host
+#SOLR_ZK=localhost:2181/ranger_audits
+SOLR_ZK=
+#Base URL of the Solr. Used for creating collections
+SOLR_HOST_URL=http://`hostname -f`:${SOLR_RANGER_PORT}
+#Number of shards
+SOLR_SHARDS=1
+#Number of replication
+SOLR_REPLICATION=1
+#### END: if SOLR_DEPLOYMENT=solrcloud ##########################
+
+#Location for the log file. Please note that "solr" or the process owner should have write permission
+#to log folder
+#SOLR_LOG_FOLDER=logs
+SOLR_LOG_FOLDER=/var/log/solr/ranger_audits
+
+
+#Memory for Solr. Both min and max memory to the java process are set to this value.
+#Note: In production, please assign enough memory. It is recommended to have at least 2GB RAM.
+# Higher the RAM, the better. Solr core can take upto 32GB. For dev test you can use 512m
+#SOLR_MAX_MEM=2g
+#SOLR_MAX_MEM=512m
+SOLR_MAX_MEM=2g
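Review bot: The example `#SOLR_DOWNLOAD_URL=http://archive.apache.org/dist/lucene/solr/5.2.1/solr-5.2.1.tgz` points at a plain-http download, and the note above `SOLR_INSTALL` says the install path has to run as root, so the archive would be fetched over an unauthenticated channel and unpacked with full privileges; whether setup.sh verifies a digest or signature is not visible in this hunk. Suggest switching the example to an https URL and adding `#Verify the downloaded archive against the checksum/signature published with the release before installing` beside it. The stray `#!/bin/bash` line is not line 1 and the header says the file is sourced, so it does nothing but mislead; drop it or make it a plain comment. `SOLR_HOST_URL=http://\`hostname -f\`:${SOLR_RANGER_PORT}` also executes a command at source time, which deserves a comment since the header warns about spaces around `=` but not about command substitution being evaluated when the file is sourced.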
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c5ae2edd/security-admin/contrib/solr_for_audit_setup/resources/log4j.properties.template
----------------------------------------------------------------------
diff --git a/security-admin/contrib/solr_for_audit_setup/resources/log4j.properties.template b/security-admin/contrib/solr_for_audit_setup/resources/log4j.properties.template
new file mode 100644
index 0000000..61b25ff
--- /dev/null
+++ b/security-admin/contrib/solr_for_audit_setup/resources/log4j.properties.template
@@ -0,0 +1,39 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Logging level
+solr.log=__SOLR_LOG_FOLDER__
+log4j.rootLogger=INFO, file, CONSOLE
+
+log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
+
+log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
+log4j.appender.CONSOLE.layout.ConversionPattern=%-4r [%t] %-5p %c %x [%X{collection} %X{shard} %X{replica} %X{core}] \u2013 %m%n
+
+#- size rotation with log cleanup.
+log4j.appender.file=org.apache.log4j.RollingFileAppender
+log4j.appender.file.MaxFileSize=4MB
+log4j.appender.file.MaxBackupIndex=9
+
+#- File to log to and log format
+log4j.appender.file.File=${solr.log}/solr.log
+log4j.appender.file.layout=org.apache.log4j.PatternLayout
+log4j.appender.file.layout.ConversionPattern=%d{ISO8601} [%t] %-5p [%X{collection} %X{shard} %X{replica} %X{core}] %C (%F:%L) - %m%n
+
+log4j.logger.org.apache.zookeeper=WARN
+log4j.logger.org.apache.hadoop=WARN
+
+# set to INFO to enable infostream log messages
+log4j.logger.org.apache.solr.update.LoggingInfoStream=OFF
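Review bot: The file appender's pattern on the `log4j.appender.file.layout.ConversionPattern` line uses `%C (%F:%L)`, and in log4j 1.x each of those location conversions makes the logger capture a stack trace for every event, which is noticeable on a Solr node ingesting audit volume. If caller location is wanted only while debugging, drop it from the shipped template, e.g. `log4j.appender.file.layout.ConversionPattern=%d{ISO8601} [%t] %-5p [%X{collection} %X{shard} %X{replica} %X{core}] %c - %m%n`, or keep it behind a comment that states the cost. The CONSOLE pattern already avoids location output, so the two appenders would then agree.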
[28/33] incubator-ranger git commit: RANGER-688 : Handle scenario
where ids of XUser and XPortalUser are not in sync
Posted by ma...@apache.org.
RANGER-688 : Handle scenario where ids of XUser and XPortalUser are not in sync
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/1f43245f
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/1f43245f
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/1f43245f
Branch: refs/heads/tag-policy
Commit: 1f43245f2adceaed6b6ca3f45925b586d0f24d77
Parents: cd58419
Author: Gautam Borad <ga...@apache.org>
Authored: Wed Oct 14 15:10:57 2015 +0530
Committer: Gautam Borad <ga...@apache.com>
Committed: Thu Oct 15 12:24:55 2015 +0530
----------------------------------------------------------------------
security-admin/scripts/setup.sh | 20 +++---
.../java/org/apache/ranger/biz/XUserMgr.java | 35 +++++++----
.../apache/ranger/common/UserSessionBase.java | 3 +-
.../org/apache/ranger/db/XXPortalUserDao.java | 21 ++++---
.../java/org/apache/ranger/db/XXUserDao.java | 12 ++++
.../apache/ranger/db/XXUserPermissionDao.java | 5 +-
.../patch/PatchPersmissionModel_J10003.java | 4 +-
.../ranger/service/XUserPermissionService.java | 24 ++------
.../service/XUserPermissionServiceBase.java | 65 ++++++++++++++++++--
.../resources/META-INF/jpa_named_queries.xml | 7 ++-
10 files changed, 131 insertions(+), 65 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1f43245f/security-admin/scripts/setup.sh
----------------------------------------------------------------------
diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh
index 9710706..cd5d2bf 100755
--- a/security-admin/scripts/setup.sh
+++ b/security-admin/scripts/setup.sh
@@ -1513,26 +1513,22 @@ setup_install_files(){
log "[I] Copying ${WEBAPP_ROOT}/WEB-INF/classes/conf.dist ${WEBAPP_ROOT}/WEB-INF/classes/conf"
mkdir -p ${WEBAPP_ROOT}/WEB-INF/classes/conf
cp ${WEBAPP_ROOT}/WEB-INF/classes/conf.dist/* ${WEBAPP_ROOT}/WEB-INF/classes/conf
+ fi
+ if [ -d ${WEBAPP_ROOT}/WEB-INF/classes/conf ]; then
chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/conf
fi
- if [ -d ${WEBAPP_ROOT}/WEB-INF/classes/conf ]; then
- chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/conf
- fi
-
if [ ! -d ${WEBAPP_ROOT}/WEB-INF/classes/lib ]; then
log "[I] Creating ${WEBAPP_ROOT}/WEB-INF/classes/lib"
mkdir -p ${WEBAPP_ROOT}/WEB-INF/classes/lib
+ fi
+ if [ -d ${WEBAPP_ROOT}/WEB-INF/classes/lib ]; then
chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/lib
fi
if [ -d /etc/init.d ]; then
log "[I] Setting up init.d"
cp ${INSTALL_DIR}/ews/${RANGER_ADMIN_INITD} /etc/init.d/${RANGER_ADMIN}
- if [ "${unix_user}" != "ranger" ]; then
- sed 's/LINUX_USER=ranger/LINUX_USER='${unix_user}'/g' -i /etc/init.d/${RANGER_ADMIN}
- fi
-
chmod ug+rx /etc/init.d/${RANGER_ADMIN}
if [ -d /etc/rc2.d ]
@@ -1571,15 +1567,19 @@ setup_install_files(){
ln -s /etc/init.d/${RANGER_ADMIN} $RC_DIR/K90${RANGER_ADMIN}
fi
fi
+ if [ -f /etc/init.d/${RANGER_ADMIN} ]; then
+ if [ "${unix_user}" != "ranger" ]; then
+ sed 's/^LINUX_USER=.*$/LINUX_USER='${unix_user}'/g' -i /etc/init.d/${RANGER_ADMIN}
+ fi
+ fi
if [ ! -d ${XAPOLICYMGR_DIR}/ews/logs ]; then
log "[I] ${XAPOLICYMGR_DIR}/ews/logs folder"
mkdir -p ${XAPOLICYMGR_DIR}/ews/logs
- chown -R ${unix_user} ${XAPOLICYMGR_DIR}/ews/logs
fi
-
if [ -d ${XAPOLICYMGR_DIR}/ews/logs ]; then
chown -R ${unix_user} ${XAPOLICYMGR_DIR}/ews/logs
+ chown -R ${unix_user} ${XAPOLICYMGR_DIR}/ews/logs/*
fi
log "[I] Setting up installation files and directory DONE";
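Review bot: The relocated `sed` on the `sed 's/^LINUX_USER=.*$/LINUX_USER='${unix_user}'/g'` line still splices `${unix_user}` unquoted into the sed program, so a value containing whitespace splits the argument list and a value containing `/` or `&` alters the substitution itself. Since the value comes from the installer's configuration, validate it before use, `case "${unix_user}" in *[!A-Za-z0-9._-]*) log "[E] invalid unix_user: ${unix_user}"; exit 1;; esac`, and quote the expansion: `sed -i "s|^LINUX_USER=.*|LINUX_USER=${unix_user}|" "/etc/init.d/${RANGER_ADMIN}"`. The added `chown -R ${unix_user} ${XAPOLICYMGR_DIR}/ews/logs/*` also looks redundant with the recursive chown on the line above, and when the directory is empty the unmatched glob is passed literally and chown reports an error on `*`; if the intent is to reach entries that are symlinks, say so in a comment. setup_install_files continues outside the hunk.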
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1f43245f/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
index b860877..572323f 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
@@ -242,38 +242,47 @@ public class XUserMgr extends XUserMgrBase {
if (role.equals(RangerConstants.ROLE_USER)) {
- createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), isCreate);
- createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_REPORTS), isCreate);
+ createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), isCreate);
+ createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_REPORTS), isCreate);
} else if (role.equals(RangerConstants.ROLE_SYS_ADMIN)) {
- createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_REPORTS), isCreate);
- createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), isCreate);
- createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_AUDIT), isCreate);
- createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_USER_GROUPS), isCreate);
+ createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_REPORTS), isCreate);
+ createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), isCreate);
+ createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_AUDIT), isCreate);
+ createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_USER_GROUPS), isCreate);
} else if (role.equals(RangerConstants.ROLE_KEY_ADMIN)) {
- createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_KEY_MANAGER), isCreate);
- createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_REPORTS), isCreate);
- createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), isCreate);
+ createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_KEY_MANAGER), isCreate);
+ createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_REPORTS), isCreate);
+ createOrUpdateUserPermisson(vXPortalUser, moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), isCreate);
}
}
}
// Insert or Updating Mapping permissions depending upon roles
- private void createOrUpdateUserPermisson(Long portalUserId, Long moduleId, boolean isCreate) {
+ private void createOrUpdateUserPermisson(VXPortalUser portalUser, Long moduleId, boolean isCreate) {
VXUserPermission vXUserPermission;
- XXUserPermission xUserPermission = daoManager.getXXUserPermission().findByModuleIdAndUserId(portalUserId, moduleId);
+ XXUserPermission xUserPermission = daoManager.getXXUserPermission().findByModuleIdAndPortalUserId(portalUser.getId(), moduleId);
if (xUserPermission == null) {
vXUserPermission = new VXUserPermission();
- vXUserPermission.setUserId(portalUserId);
+
+ // When Creating XXUserPermission UI sends xUserId, to keep it consistent here xUserId should be used
+ XXUser xUser = daoManager.getXXUser().findByPortalUserId(portalUser.getId());
+ if (xUser == null) {
+ logger.warn("Could not found corresponding xUser for username: [" + portalUser.getLoginId() + "], So not assigning permission to this user");
+ return;
+ } else {
+ vXUserPermission.setUserId(xUser.getId());
+ }
+
vXUserPermission.setIsAllowed(RangerCommonEnums.IS_ALLOWED);
vXUserPermission.setModuleId(moduleId);
try {
vXUserPermission = this.createXUserPermission(vXUserPermission);
logger.info("Permission assigned to user: [" + vXUserPermission.getUserName() + "] For Module: [" + vXUserPermission.getModuleName() + "]");
} catch (Exception e) {
- logger.error("Error while assigning permission to user: [" + portalUserId + "] for module: [" + moduleId + "]", e);
+ logger.error("Error while assigning permission to user: [" + portalUser.getLoginId() + "] for module: [" + moduleId + "]", e);
}
} else if (isCreate) {
vXUserPermission = xUserPermissionService.populateViewBean(xUserPermission);
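Review bot: The `else` after the `return` in the new null check is dead structure, and the text on the `logger.warn("Could not found corresponding xUser ...` line reads awkwardly; `logger.warn("Could not find corresponding xUser for loginId: [" + portalUser.getLoginId() + "], not assigning permission for moduleId: [" + moduleId + "]"); return;` followed by an unconditional `vXUserPermission.setUserId(xUser.getId());` says the same thing and records which module was skipped. Note that the early return means a user whose x_user row is missing silently ends up with fewer module permissions than their role implies, with that WARN line as the only signal; if callers such as the patch loader should count or surface that outcome, the method needs to report it rather than return void. createOrUpdateUserPermisson continues outside the hunk.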
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1f43245f/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java b/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
index 59e55f3..175459c 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
@@ -128,7 +128,8 @@ public class UserSessionBase implements Serializable {
- public static class RangerUserPermission {
+ public static class RangerUserPermission implements Serializable {
+ private static final long serialVersionUID = 1L;
protected CopyOnWriteArraySet<String> userPermissions;
protected Long lastUpdatedTime;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1f43245f/security-admin/src/main/java/org/apache/ranger/db/XXPortalUserDao.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXPortalUserDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXPortalUserDao.java
index d3467f8..393252c 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXPortalUserDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXPortalUserDao.java
@@ -21,9 +21,10 @@ package org.apache.ranger.db;
import java.util.List;
+import javax.persistence.NoResultException;
+
import org.apache.ranger.common.db.BaseDao;
import org.apache.ranger.entity.XXPortalUser;
-import org.apache.ranger.entity.XXPortalUserRole;
public class XXPortalUserDao extends BaseDao<XXPortalUser> {
@@ -76,16 +77,16 @@ public class XXPortalUserDao extends BaseDao<XXPortalUser> {
.getResultList();
}
-
- public XXPortalUser findByXUserId(Long id) {
-
- List resultList = getEntityManager()
- .createNamedQuery("XXPortalUser.findByXUserId")
- .setParameter("id", id).getResultList();
- if (resultList.size() != 0) {
- return (XXPortalUser) resultList.get(0);
+ public XXPortalUser findByXUserId(Long xUserId) {
+ if (xUserId == null) {
+ return null;
+ }
+ try {
+ return getEntityManager().createNamedQuery("XXPortalUser.findByXUserId", tClass)
+ .setParameter("id", xUserId).getSingleResult();
+ } catch (NoResultException e) {
+ return null;
}
- return null;
}
@SuppressWarnings("unchecked")
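Review bot: Switching `findByXUserId` from `getResultList()` to `getSingleResult()` changes behaviour when the named query matches more than one row: the old code returned the first match, the new code lets `NonUniqueResultException` escape, and only `NoResultException` is caught. Whether that can happen depends on the uniqueness guarantees behind `XXPortalUser.findByXUserId`, which is not visible here; either catch `NonUniqueResultException` too, or document the new contract with a Javadoc on the method: `/** Returns the portal user backing x_user {@code xUserId}, or null when the id is null or unmatched; a non-unique match propagates as NonUniqueResultException. */`. The same point applies to the new `XXUserDao.findByPortalUserId` in this commit, whose query pairs rows by `obj.name = portalUser.loginId`.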
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1f43245f/security-admin/src/main/java/org/apache/ranger/db/XXUserDao.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXUserDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXUserDao.java
index 0887594..225e733 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXUserDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXUserDao.java
@@ -64,4 +64,16 @@ public class XXUserDao extends BaseDao<XXUser> {
return null;
}
}
+
+ public XXUser findByPortalUserId(Long portalUserId) {
+ if (portalUserId == null) {
+ return null;
+ }
+ try {
+ return getEntityManager().createNamedQuery("XXUser.findByPortalUserId", tClass)
+ .setParameter("portalUserId", portalUserId).getSingleResult();
+ } catch (NoResultException e) {
+ return null;
+ }
+ }
}
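Review bot: `findByPortalUserId` needs a Javadoc stating how the match is made, because the name suggests a foreign key while the backing query `XXUser.findByPortalUserId` (added to jpa_named_queries.xml in this commit) pairs rows by `obj.name = portalUser.loginId`: `/** Resolves the x_user row whose name equals the loginId of portal user {@code portalUserId}; returns null for a null id or no match. */`. A reader of this class alone cannot otherwise tell that renaming a portal user's loginId breaks the link. The `NoResultException` import is not in the hunk; presumably it already exists in the file, since the preceding method appears to catch it as well.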
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1f43245f/security-admin/src/main/java/org/apache/ranger/db/XXUserPermissionDao.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXUserPermissionDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXUserPermissionDao.java
index e10dc14..2db6fd6 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXUserPermissionDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXUserPermissionDao.java
@@ -25,7 +25,6 @@ import javax.persistence.NoResultException;
import org.apache.log4j.Logger;
import org.apache.ranger.common.RangerCommonEnums;
import org.apache.ranger.common.db.BaseDao;
-import org.apache.ranger.entity.XXGroupUser;
import org.apache.ranger.entity.XXUserPermission;
public class XXUserPermissionDao extends BaseDao<XXUserPermission>{
@@ -99,10 +98,10 @@ public class XXUserPermissionDao extends BaseDao<XXUserPermission>{
return null;
}
- public XXUserPermission findByModuleIdAndUserId(Long userId, Long moduleId) {
+ public XXUserPermission findByModuleIdAndPortalUserId(Long userId, Long moduleId) {
if (userId != null) {
try {
- return getEntityManager().createNamedQuery("XXUserPermission.findByModuleIdAndUserId", XXUserPermission.class)
+ return getEntityManager().createNamedQuery("XXUserPermission.findByModuleIdAndPortalUserId", XXUserPermission.class)
.setParameter("userId", userId)
.setParameter("moduleId", moduleId)
.getSingleResult();
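Review bot: The method is renamed to `findByModuleIdAndPortalUserId` but its first parameter is still `userId`, and the whole point of this commit is that the two id spaces must not be confused; rename it so the signature is self-describing, `public XXUserPermission findByModuleIdAndPortalUserId(Long portalUserId, Long moduleId)`, and pass `portalUserId` in the `setParameter("userId", ...)` call. The JPQL parameter name `:userId` can stay as it is, since the named query was renamed rather than reshaped. The method's catch block continues outside the hunk.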
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1f43245f/security-admin/src/main/java/org/apache/ranger/patch/PatchPersmissionModel_J10003.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/patch/PatchPersmissionModel_J10003.java b/security-admin/src/main/java/org/apache/ranger/patch/PatchPersmissionModel_J10003.java
index f0aa938..804d08e 100644
--- a/security-admin/src/main/java/org/apache/ranger/patch/PatchPersmissionModel_J10003.java
+++ b/security-admin/src/main/java/org/apache/ranger/patch/PatchPersmissionModel_J10003.java
@@ -84,9 +84,9 @@ public class PatchPersmissionModel_J10003 extends BaseLoader {
vPortalUser.setUserRoleList(daoManager.getXXPortalUser().findXPortalUserRolebyXPortalUserId(vPortalUser.getId()));
xUserMgr.assignPermissionToUser(vPortalUser, false);
countUserPermissionUpdated += 1;
- logger.info(" Permission was assigned to UserId - " + xPortalUser.getId());
+ logger.info("Permissions assigned/updated on base of User's Role, UserId [" + xPortalUser.getId() + "]");
}
- logger.info(countUserPermissionUpdated + " permissions where assigned");
+ logger.info(countUserPermissionUpdated + " permissions were assigned");
}
@Override
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1f43245f/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionService.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionService.java b/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionService.java
index 3ff9c8d..bd3a50d 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionService.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionService.java
@@ -17,7 +17,6 @@
package org.apache.ranger.service;
-import org.apache.ranger.common.MessageEnums;
import org.apache.ranger.common.SearchField;
import org.apache.ranger.db.RangerDaoManager;
import org.apache.ranger.entity.XXModuleDef;
@@ -47,36 +46,23 @@ public class XUserPermissionService extends XUserPermissionServiceBase<XXUserPer
@Override
protected void validateForCreate(VXUserPermission vObj) {
- XXUserPermission xUserPerm = daoManager.getXXUserPermission().findByModuleIdAndUserId(vObj.getUserId(), vObj.getModuleId());
- if (xUserPerm != null) {
- throw restErrorUtil.createRESTException("User with ID [" + vObj.getUserId() + "] " + "is already " + "assigned to the module with ID [" + vObj.getModuleId() + "]",
- MessageEnums.ERROR_DUPLICATE_OBJECT);
- }
+
}
@Override
protected void validateForUpdate(VXUserPermission vObj, XXUserPermission mObj) {
- XXUserPermission xUserPerm = daoManager.getXXUserPermission().findByModuleIdAndUserId(vObj.getUserId(), vObj.getModuleId());
- if (xUserPerm != null && !xUserPerm.getId().equals(vObj.getId())) {
- throw restErrorUtil.createRESTException("User with ID [" + vObj.getUserId() + "] " + "is already " + "assigned to the module with ID [" + vObj.getModuleId() + "]",
- MessageEnums.ERROR_DUPLICATE_OBJECT);
- }
+
}
@Override
public VXUserPermission populateViewBean(XXUserPermission xObj) {
VXUserPermission vObj = super.populateViewBean(xObj);
- XXPortalUser xUser = rangerDaoManager.getXXPortalUser().getById(xObj.getUserId());
- if (xUser == null) {
- xUser=rangerDaoManager.getXXPortalUser().findByXUserId(xObj.getUserId());
- if(xUser==null)
- throw restErrorUtil.createRESTException(xUser + " is Not Found",
- MessageEnums.DATA_NOT_FOUND);
+ XXPortalUser xPortalUser = rangerDaoManager.getXXPortalUser().getById(xObj.getUserId());
+ if (xPortalUser != null) {
+ vObj.setUserName(xPortalUser.getLoginId());
}
- vObj.setUserName(xUser.getLoginId());
-
XXModuleDef xModuleDef = daoManager.getXXModuleDef().getById(xObj.getModuleId());
if (xModuleDef != null) {
vObj.setModuleName(xModuleDef.getModule());
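Review bot: `validateForCreate` and `validateForUpdate` are now empty bodies with a stray blank line, and nothing tells a reader where the duplicate-assignment check went; add a one-line comment in each, e.g. `// Duplicate user/module check runs in XUserPermissionServiceBase.mapViewToEntityBean after the x_user id is mapped to the portal user id`. In `populateViewBean` the behaviour also changes quietly: a permission row whose portal user cannot be loaded used to fail with DATA_NOT_FOUND and now comes back with `userName` unset, so that choice should be stated in a comment on the `if (xPortalUser != null)` branch. populateViewBean continues outside the hunk.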
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1f43245f/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionServiceBase.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionServiceBase.java b/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionServiceBase.java
index 59c082d..a5a1213 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionServiceBase.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionServiceBase.java
@@ -20,7 +20,10 @@ package org.apache.ranger.service;
import java.util.ArrayList;
import java.util.List;
+import org.apache.ranger.common.MessageEnums;
import org.apache.ranger.common.SearchCriteria;
+import org.apache.ranger.entity.XXPortalUser;
+import org.apache.ranger.entity.XXUser;
import org.apache.ranger.entity.XXUserPermission;
import org.apache.ranger.view.VXUserPermission;
import org.apache.ranger.view.VXUserPermissionList;
@@ -34,20 +37,48 @@ public abstract class XUserPermissionServiceBase<T extends XXUserPermission, V e
}
- @SuppressWarnings("unchecked")
@Override
- protected XXUserPermission mapViewToEntityBean(VXUserPermission vObj,
- XXUserPermission mObj, int OPERATION_CONTEXT) {
- mObj.setUserId(vObj.getUserId());
+ @SuppressWarnings("unchecked")
+ protected XXUserPermission mapViewToEntityBean(VXUserPermission vObj, XXUserPermission mObj, int OPERATION_CONTEXT) {
+
+ // Assuming that vObj.userId coming from UI/Client would be of XXUser, but in DB it should be of XXPortalUser so
+ // have to map XXUser.ID to XXPortalUser.ID and if portalUser does not exist then not allowing to create/update
+
+ XXPortalUser portalUser = daoManager.getXXPortalUser().findByXUserId(vObj.getUserId());
+ if (portalUser == null) {
+ throw restErrorUtil.createRESTException("Invalid UserId: [" + vObj.getUserId()
+ + "], Please make sure while create/update given userId should be of x_user",
+ MessageEnums.INVALID_INPUT_DATA);
+ }
+
+ mObj.setUserId(portalUser.getId());
mObj.setModuleId(vObj.getModuleId());
mObj.setIsAllowed(vObj.getIsAllowed());
+
+ if (OPERATION_CONTEXT == OPERATION_CREATE_CONTEXT) {
+ validateXUserPermForCreate(mObj);
+ } else if (OPERATION_CONTEXT == OPERATION_UPDATE_CONTEXT) {
+ validateXUserPermForUpdate(mObj);
+ }
+
return mObj;
}
- @SuppressWarnings("unchecked")
@Override
+ @SuppressWarnings("unchecked")
protected VXUserPermission mapEntityToViewBean(VXUserPermission vObj, XXUserPermission mObj) {
- vObj.setUserId(mObj.getUserId());
+
+ // As XXUserPermission.userID refers to XXPortalUser.ID, But UI/Client expects XXUser.ID so have to map
+ // XXUserPermission.userID from XXPortalUser.ID to XXUser.ID
+ XXUser xUser = daoManager.getXXUser().findByPortalUserId(mObj.getUserId());
+ Long userId;
+ if (xUser != null) {
+ userId = xUser.getId();
+ } else {
+ // In this case rather throwing exception, send it as null
+ userId = null;
+ }
+ vObj.setUserId(userId);
vObj.setModuleId(mObj.getModuleId());
vObj.setIsAllowed(mObj.getIsAllowed());
return vObj;
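Review bot: `mapViewToEntityBean` now performs a DB lookup, throws a REST exception, and conditionally runs the create/update duplicate checks, which is more than a mapper is expected to do; any other caller of the mapper, including a future bulk path, pays the round-trip and can receive INVALID_INPUT_DATA from what reads as a pure conversion. If the base service invokes the `validateForCreate`/`validateForUpdate` hooks that this commit just emptied at a point where the mapped entity is available, the `findByXUserId` resolution and the `validateXUserPermFor*` calls belong there, leaving the mapper to copy fields; if it does not, a comment on the method should say why the checks live here. The `@SuppressWarnings("unchecked")` annotations moved below `@Override` have no unchecked operation in the visible bodies to suppress and can be dropped. The update branch relies on `mObj` being the persisted entity so that `mObj.getId()` is set; that holds only if the caller loads it before mapping, which is not visible here.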
@@ -75,4 +106,26 @@ public abstract class XUserPermissionServiceBase<T extends XXUserPermission, V e
returnList.setvXModuleDef(vXUserPermissions);
return returnList;
}
+
+ protected void validateXUserPermForCreate(XXUserPermission mObj) {
+ XXUserPermission xUserPerm = daoManager.getXXUserPermission().findByModuleIdAndPortalUserId(mObj.getUserId(),
+ mObj.getModuleId());
+ if (xUserPerm != null) {
+ throw restErrorUtil.createRESTException("User with ID [" + mObj.getUserId() + "] " + "is already "
+ + "assigned to the module with ID [" + mObj.getModuleId() + "]",
+ MessageEnums.ERROR_DUPLICATE_OBJECT);
+ }
+ }
+
+ protected void validateXUserPermForUpdate(XXUserPermission mObj) {
+
+ XXUserPermission xUserPerm = daoManager.getXXUserPermission().findByModuleIdAndPortalUserId(mObj.getUserId(),
+ mObj.getModuleId());
+ if (xUserPerm != null && !xUserPerm.getId().equals(mObj.getId())) {
+ throw restErrorUtil.createRESTException("User with ID [" + mObj.getUserId() + "] " + "is already "
+ + "assigned to the module with ID [" + mObj.getModuleId() + "]",
+ MessageEnums.ERROR_DUPLICATE_OBJECT);
+ }
+ }
+
}
\ No newline at end of file
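Review bot: The duplicate error built in both `validateXUserPermForCreate` and `validateXUserPermForUpdate` reports `mObj.getUserId()`, which after `mapViewToEntityBean` is the portal-user id, while the client supplied an x_user id; the message therefore names an id the caller never sent and exposes the internal one. Report it in the caller's terms or label it, e.g. `"Portal user with ID [" + mObj.getUserId() + "] is already assigned to the module with ID [" + mObj.getModuleId() + "]"`. The two methods are the same check apart from the `!xUserPerm.getId().equals(mObj.getId())` exclusion, so a single private helper taking the id to exclude (null on create) would remove the duplication. Note too that this is a read-then-insert check with no unique constraint on (user_id, module_id) visible in the commit, so two concurrent creates can both pass it; a DB-level constraint is the reliable guard.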
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/1f43245f/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
index 0370e9a..12c4c6d 100644
--- a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
+++ b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
@@ -192,6 +192,11 @@
where polItemUser.policyItemId = :polItemId and polItemUser.userId = obj.id </query>
</named-query>
+ <named-query name="XXUser.findByPortalUserId">
+ <query>select obj from XXUser obj, XXPortalUser portalUser where portalUser.id = :portalUserId and
+ obj.name = portalUser.loginId</query>
+ </named-query>
+
<named-query name="XXGroup.findByPolicyItemId">
<query>select obj.name from XXGroup obj, XXPolicyItemGroupPerm polItemGrp
where polItemGrp.policyItemId = :polItemId and polItemGrp.groupId = obj.id </query>
@@ -489,7 +494,7 @@
</query>
</named-query>
- <named-query name="XXUserPermission.findByModuleIdAndUserId">
+ <named-query name="XXUserPermission.findByModuleIdAndPortalUserId">
<query>SELECT XXUserPermObj
FROM XXUserPermission XXUserPermObj
WHERE XXUserPermObj.moduleId = :moduleId AND XXUserPermObj.userId =:userId
[14/33] incubator-ranger git commit: RANGER-173: Utility scripts to
create HDFS audit folders and policies
Posted by ma...@apache.org.
RANGER-173: Utility scripts to create HDFS audit folders and policies
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/ed27cecb
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/ed27cecb
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/ed27cecb
Branch: refs/heads/tag-policy
Commit: ed27cecb62fe4ec7f9855326b5a8d3632ca0a3c9
Parents: ea0872f
Author: Don Bosco Durai <bo...@apache.org>
Authored: Mon Oct 5 16:11:04 2015 -0700
Committer: Don Bosco Durai <bo...@apache.org>
Committed: Mon Oct 5 23:07:58 2015 -0700
----------------------------------------------------------------------
.../create_hdfs_folders_for_audit_non_secure.sh | 66 +++++++++++++++++++
.../create_hdfs_folders_for_audit_secure.sh | 67 ++++++++++++++++++++
2 files changed, 133 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ed27cecb/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_non_secure.sh
----------------------------------------------------------------------
diff --git a/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_non_secure.sh b/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_non_secure.sh
new file mode 100755
index 0000000..eec3a08
--- /dev/null
+++ b/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_non_secure.sh
@@ -0,0 +1,66 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#Usage: Run this script as user hdfs.
+#Creating folders required for Apache Ranger auditing to HDFS.
+#Note 1: Use this script only for non-secure/kerberos environment
+#
+
+set -x
+hdfs dfs -mkdir -p /ranger/audit
+hdfs dfs -chown hdfs:hdfs /ranger/audit
+hdfs dfs -chmod 755 /ranger
+hdfs dfs -chmod 755 /ranger/audit
+
+hdfs dfs -mkdir -p /ranger/audit/hbaseMaster
+hdfs dfs -chown hbase:hbase /ranger/audit/hbaseMaster
+hdfs dfs -chmod -R 0700 /ranger/audit/hbaseMaster
+
+hdfs dfs -mkdir -p /ranger/audit/hbaseRegional
+hdfs dfs -chown hbase:hbase /ranger/audit/hbaseRegional
+hdfs dfs -chmod -R 0700 /ranger/audit/hbaseRegional
+
+hdfs dfs -mkdir -p /ranger/audit/hdfs
+hdfs dfs -chown hdfs:hdfs /ranger/audit/hdfs
+hdfs dfs -chmod -R 0700 /ranger/audit/hdfs
+
+hdfs dfs -mkdir -p /ranger/audit/hiveServer2
+hdfs dfs -chown hive:hive /ranger/audit/hiveServer2
+hdfs dfs -chmod -R 0700 /ranger/audit/hiveServer2
+
+hdfs dfs -mkdir -p /ranger/audit/kafka
+hdfs dfs -chown kafka:kafka /ranger/audit/kafka
+hdfs dfs -chmod -R 0700 /ranger/audit/kafka
+
+hdfs dfs -mkdir -p /ranger/audit/kms
+hdfs dfs -chown kms:kms /ranger/audit/kms
+hdfs dfs -chmod -R 0700 /ranger/audit/kms
+
+hdfs dfs -mkdir -p /ranger/audit/knox
+hdfs dfs -chown knox:knox /ranger/audit/knox
+hdfs dfs -chmod -R 0700 /ranger/audit/knox
+
+hdfs dfs -mkdir -p /ranger/audit/solr
+hdfs dfs -chown solr:solr /ranger/audit/solr
+hdfs dfs -chmod -R 0700 /ranger/audit/solr
+
+hdfs dfs -mkdir -p /ranger/audit/storm
+hdfs dfs -chown storm:storm /ranger/audit/storm
+hdfs dfs -chmod -R 0700 /ranger/audit/storm
+
+hdfs dfs -mkdir -p /ranger/audit/yarn
+hdfs dfs -chown yarn:yarn /ranger/audit/yarn
+hdfs dfs -chmod -R 0700 /ranger/audit/yarn
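Review bot: The script enables `set -x` but not `set -e`, so when any `hdfs dfs -mkdir` fails (HDFS unreachable, or not running as an HDFS superuser) the following `chown`/`chmod` calls run against a missing path and the script still exits 0, leaving audit folders absent or with default permissions without the caller noticing. Use `set -ex` on the `set -x` line, or check `$?` after each group, so a partial setup is reported; the secure variant added in this commit has the same gap. Since `/ranger/audit` is created 755 owned by hdfs and each service folder is 0700 for its own user, a one-line comment noting that the `chown` calls require HDFS superuser rights would complete the `#Usage: Run this script as user hdfs.` header.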
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ed27cecb/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_secure.sh
----------------------------------------------------------------------
diff --git a/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_secure.sh b/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_secure.sh
new file mode 100755
index 0000000..b15beee
--- /dev/null
+++ b/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_secure.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#Usage: Run this script as user hdfs.
+#Creating folders required for Apache Ranger auditing to HDFS.
+#Note 1: Use this script only for non-secure/kerberos environment
+#
+
+set -x
+hdfs dfs -mkdir -p /ranger/audit
+hdfs dfs -chown hdfs:hdfs /ranger/audit
+hdfs dfs -chmod 755 /ranger
+hdfs dfs -chmod 755 /ranger/audit
+
+
+hdfs dfs -mkdir -p /ranger/audit/hbaseMaster
+hdfs dfs -chown hbase:hbase /ranger/audit/hbaseMaster
+hdfs dfs -chmod -R 0700 /ranger/audit/hbaseMaster
+
+hdfs dfs -mkdir -p /ranger/audit/hbaseRegional
+hdfs dfs -chown hbase:hbase /ranger/audit/hbaseRegional
+hdfs dfs -chmod -R 0700 /ranger/audit/hbaseRegional
+
+hdfs dfs -mkdir -p /ranger/audit/hdfs
+hdfs dfs -chown hdfs:hdfs /ranger/audit/hdfs
+hdfs dfs -chmod -R 0700 /ranger/audit/hdfs
+
+hdfs dfs -mkdir -p /ranger/audit/hiveServer2
+hdfs dfs -chown hive:hive /ranger/audit/hiveServer2
+hdfs dfs -chmod -R 0700 /ranger/audit/hiveServer2
+
+hdfs dfs -mkdir -p /ranger/audit/kafka
+hdfs dfs -chown kafka:kafka /ranger/audit/kafka
+hdfs dfs -chmod -R 0700 /ranger/audit/kafka
+
+hdfs dfs -mkdir -p /ranger/audit/kms
+hdfs dfs -chown HTTP:HTTP /ranger/audit/kms
+hdfs dfs -chmod -R 0700 /ranger/audit/kms
+
+hdfs dfs -mkdir -p /ranger/audit/knox
+hdfs dfs -chown knox:knox /ranger/audit/knox
+hdfs dfs -chmod -R 0700 /ranger/audit/knox
+
+hdfs dfs -mkdir -p /ranger/audit/solr
+hdfs dfs -chown solr:solr /ranger/audit/solr
+hdfs dfs -chmod -R 0700 /ranger/audit/solr
+
+hdfs dfs -mkdir -p /ranger/audit/storm
+hdfs dfs -chown storm:storm /ranger/audit/storm
+hdfs dfs -chmod -R 0700 /ranger/audit/storm
+
+hdfs dfs -mkdir -p /ranger/audit/yarn
+hdfs dfs -chown yarn:yarn /ranger/audit/yarn
+hdfs dfs -chmod -R 0700 /ranger/audit/yarn
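Review bot: The header on the `#Note 1: Use this script only for non-secure/kerberos environment` line is copied from the non-secure script and contradicts the file name, so an operator reading the comments picks the wrong script; change it to `#Note 1: Use this script only for secure/kerberos environments`. The only functional difference from the non-secure variant appears to be `hdfs dfs -chown HTTP:HTTP /ranger/audit/kms`, and that line deserves its own comment explaining why the KMS audit folder is owned by the HTTP user here (presumably the principal the KMS service runs under in kerberized setups), since a reader would otherwise take it for a typo. The missing `set -e` raised on the non-secure script applies here as well.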
[21/33] incubator-ranger git commit: RANGER-652: Adding support for
ldap connection check tool
Posted by ma...@apache.org.
RANGER-652: Adding support for ldap connection check tool
Signed-off-by: Velmurugan Periasamy <ve...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/a2c4bb29
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/a2c4bb29
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/a2c4bb29
Branch: refs/heads/tag-policy
Commit: a2c4bb2941cf5f1026c50e7bc35494231a7da65f
Parents: c22bdec
Author: spolavarapu1 <sp...@hw12101.local>
Authored: Fri Oct 9 10:07:01 2015 -0700
Committer: Velmurugan Periasamy <ve...@apache.org>
Committed: Sat Oct 10 12:25:41 2015 -0400
----------------------------------------------------------------------
src/main/assembly/usersync.xml | 36 +
.../ldapconfigcheck/conf/input.properties | 63 ++
.../ldapconfigchecktool/ldapconfigcheck/pom.xml | 130 +++
.../ldapconfigcheck/scripts/run.sh | 72 ++
.../ldapconfigcheck/AuthenticationCheck.java | 208 +++++
.../ldapconfigcheck/CommandLineOptions.java | 230 +++++
.../ranger/ldapconfigcheck/LdapConfig.java | 436 ++++++++++
.../ldapconfigcheck/LdapConfigCheckMain.java | 241 ++++++
.../apache/ranger/ldapconfigcheck/UserSync.java | 860 +++++++++++++++++++
9 files changed, 2276 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2c4bb29/src/main/assembly/usersync.xml
----------------------------------------------------------------------
diff --git a/src/main/assembly/usersync.xml b/src/main/assembly/usersync.xml
index 8c2600e..161a443 100644
--- a/src/main/assembly/usersync.xml
+++ b/src/main/assembly/usersync.xml
@@ -134,6 +134,42 @@
</includes>
<fileMode>544</fileMode>
</fileSet>
+ <fileSet>
+ <directoryMode>755</directoryMode>
+ <fileMode>755</fileMode>
+ <outputDirectory>/ldaptool</outputDirectory>
+ <directory>ugsync/ldapconfigchecktool/ldapconfigcheck/scripts</directory>
+ <includes>
+ <include>run.sh</include>
+ </includes>
+ </fileSet>
+ <fileSet>
+ <directoryMode>755</directoryMode>
+ <fileMode>644</fileMode>
+ <outputDirectory>/ldaptool/lib</outputDirectory>
+ <directory>ugsync/ldapconfigchecktool/ldapconfigcheck/target</directory>
+ <includes>
+ <include>ldapconfigcheck.jar</include>
+ </includes>
+ </fileSet>
+ <fileSet>
+ <directoryMode>755</directoryMode>
+ <fileMode>644</fileMode>
+ <outputDirectory>/ldaptool/conf</outputDirectory>
+ <directory>ugsync/ldapconfigchecktool/ldapconfigcheck/conf</directory>
+ <includes>
+ <include>input.properties</include>
+ </includes>
+ </fileSet>
+ <fileSet>
+ <directoryMode>755</directoryMode>
+ <fileMode>644</fileMode>
+ <outputDirectory>/ldaptool/output</outputDirectory>
+ <directory>ugsync/ldapconfigchecktool/ldapconfigcheck/conf</directory>
+ <excludes>
+ <exclude>input.properties</exclude>
+ </excludes>
+ </fileSet>
</fileSets>
<files>
<file>
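Review bot: The `input.properties` fileSet is packaged with `<fileMode>644</fileMode>`, yet the same commit's `conf/input.properties` is where `ranger.usersync.ldap.ldapbindpassword` and `ranger.admin.auth.samplepassword` are filled in, so the bind credentials end up world-readable on the usersync host; `<fileMode>600</fileMode>` (or 640 with the service group) is the safer default for that one fileSet. The last fileSet copies the `conf` directory into `/ldaptool/output` while excluding its only file, which reads as a trick to create an empty `output` directory; an XML comment such as `<!-- creates the empty ldaptool/output directory; no files are copied -->` would save the next reader from wondering what is meant to land there.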
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2c4bb29/ugsync/ldapconfigchecktool/ldapconfigcheck/conf/input.properties
----------------------------------------------------------------------
diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/conf/input.properties b/ugsync/ldapconfigchecktool/ldapconfigcheck/conf/input.properties
new file mode 100755
index 0000000..dc6fc59
--- /dev/null
+++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/conf/input.properties
@@ -0,0 +1,63 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Mandatory ldap configuration properties.
+ranger.usersync.ldap.url=
+ranger.usersync.ldap.binddn=
+ranger.usersync.ldap.ldapbindpassword=
+
+# Mandatory only for openLdap
+ranger.usersync.ldap.user.searchbase=
+ranger.usersync.ldap.user.searchfilter=
+
+# For verifying authentication please provide sample username and password
+ranger.admin.auth.sampleuser=
+ranger.admin.auth.samplepassword=
+
+# Optional properties will be determined based on the above search
+# User attributes
+ranger.usersync.ldap.user.nameattribute=
+ranger.usersync.ldap.user.objectclass=
+ranger.usersync.ldap.user.groupnameattribute=
+
+# Group attributes
+ranger.usersync.group.searchenabled=false
+ranger.usersync.group.memberattributename=
+ranger.usersync.group.nameattribute=
+ranger.usersync.group.objectclass=
+ranger.usersync.group.searchbase=
+ranger.usersync.group.searchfilter=
+
+# Other UserSync related attributes
+ranger.usersync.ldap.authentication.mechanism=simple
+ranger.usersync.pagedresultsenabled=true
+ranger.usersync.pagedresultssize=500
+ranger.usersync.ldap.username.caseconversion=lower
+ranger.usersync.ldap.groupname.caseconversion=lower
+ranger.usersync.ldap.user.searchscope=sub
+ranger.usersync.group.searchscope=sub
+
+ranger.usersync.credstore.filename=
+ranger.usersync.ldap.bindalias=
+ranger.usersync.ldap.searchBase=
+ranger.usersync.group.usermapsyncenabled=false
+
+# Authentication properties
+ranger.authentication.method=
+ranger.ldap.ad.domain=
+ranger.ldap.user.dnpattern=
+ranger.ldap.group.roleattribute=
+ranger.ldap.group.searchbase=
+ranger.ldap.group.searchfilter=
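Review bot: `ranger.usersync.ldap.searchBase` is the only key in the file with mixed case; every other key is lowercase, and if the Java side looks the key up with a lowercase literal the value silently never loads, so it is worth normalising to `ranger.usersync.ldap.searchbase=` (or confirming the exact spelling LdapConfig reads). The header comment should also say that `ranger.usersync.ldap.ldapbindpassword` and `ranger.admin.auth.samplepassword` are stored in clear text here, since `ranger.usersync.credstore.filename` and `ranger.usersync.ldap.bindalias` are listed further down and appear to be the keystore-backed alternative; a one-line comment pointing operators at that alternative would help.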
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2c4bb29/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml
----------------------------------------------------------------------
diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml b/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml
new file mode 100644
index 0000000..a0971f2
--- /dev/null
+++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+
+ <parent>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger</artifactId>
+ <version>0.5.0</version>
+ <relativePath>..</relativePath>
+ </parent>
+
+ <artifactId>ldapconfigcheck</artifactId>
+
+ <packaging>jar</packaging>
+ <name>Ldap Config Check Tool</name>
+ <description>Ldap configuration check tool</description>
+
+ <dependencies>
+ <dependency>
+ <groupId>commons-cli</groupId>
+ <artifactId>commons-cli</artifactId>
+ <version>${commons.cli.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>commons-configuration</groupId>
+ <artifactId>commons-configuration</artifactId>
+ <version>${commons.configuration.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>commons-lang</groupId>
+ <artifactId>commons-lang</artifactId>
+ <version>${commons.lang.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>commons-logging</groupId>
+ <artifactId>commons-logging</artifactId>
+ <version>${commons.logging.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-beans</artifactId>
+ <version>${springframework.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-context</artifactId>
+ <version>${springframework.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-core</artifactId>
+ <version>${springframework.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-tx</artifactId>
+ <version>${springframework.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework.ldap</groupId>
+ <artifactId>spring-ldap-core</artifactId>
+ <version>${spring-ldap-core.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework.security</groupId>
+ <artifactId>spring-security-core</artifactId>
+ <version>${springframework.security.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework.security</groupId>
+ <artifactId>spring-security-ldap</artifactId>
+ <version>${springframework.security.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>credentialbuilder</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger-util</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+
+ </dependencies>
+ <build>
+ <finalName>ldapconfigcheck</finalName>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-shade-plugin</artifactId>
+ <version>2.2</version>
+ <executions>
+ <execution>
+ <phase>package</phase>
+ <goals>
+ <goal>shade</goal>
+ </goals>
+ <configuration>
+ <transformers>
+ <transformer implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
+ <mainClass>org.apache.ranger.ldapconfigcheck.LdapConfigCheckMain</mainClass>
+ </transformer>
+ </transformers>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+</project>
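Review bot: `<relativePath>..</relativePath>` points at `ugsync/ldapconfigchecktool/`, but the declared parent is the top-level `org.apache.ranger:ranger` POM, which sits three directories up; unless an intermediate POM exists there, Maven will warn and fall back to resolving `ranger:0.5.0` from the repository, so a fresh checkout may fail to build this module before the root POM has been installed. Use `<relativePath>../../../pom.xml</relativePath>` (or whatever the actual path to the root POM is) so the module resolves its parent from the reactor. The hard-coded `<version>0.5.0</version>` in the parent block will also need bumping by hand on every release, unlike the `${project.version}` references used for the sibling dependencies.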
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2c4bb29/ugsync/ldapconfigchecktool/ldapconfigcheck/scripts/run.sh
----------------------------------------------------------------------
diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/scripts/run.sh b/ugsync/ldapconfigchecktool/ldapconfigcheck/scripts/run.sh
new file mode 100755
index 0000000..787e216
--- /dev/null
+++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/scripts/run.sh
@@ -0,0 +1,72 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+AUTH=1
+
+usage() {
+ echo "usage: run.sh
+ -noauth ignore authentication properties
+ -d <arg> {all|users|groups}
+ -h show help.
+ -i <arg> Input file name
+ -o <arg> Output directory
+ -r <arg> {all|users|groups}"
+ exit 1
+}
+
+cdir=`pwd`
+cp="${cdir}/lib/*:${cdir}/conf"
+OUTDIR="${cdir}/output/"
+JAVA_CMD="java -cp ${cdir}/lib/ldapconfigcheck.jar:${cp} org.apache.ranger.ldapconfigcheck.LdapConfigCheckMain"
+
+while getopts "i:o:d:r:noauthh" opt; do
+ case $opt in
+ i) INFILE=$OPTARG
+ JAVA_CMD="$JAVA_CMD -i $OPTARG"
+ ;;
+ o) OUTDIR=$OPTARG
+ ;;
+ d) DISCOVER=$OPTARG
+ JAVA_CMD="$JAVA_CMD -d $OPTARG"
+ ;;
+ r) RETRIEVE=$OPTARG
+ JAVA_CMD="$JAVA_CMD -r $OPTARG"
+ ;;
+ noauth) AUTH=0
+ JAVA_CMD="$JAVA_CMD -noauth"
+ ;;
+ h) usage
+ ;;
+ \?) echo -e \\n"Option -$OPTARG not allowed."
+ usage
+ ;;
+ esac
+done
+
+JAVA_CMD="$JAVA_CMD -o $OUTDIR"
+
+echo "JAVA commnad = $JAVA_CMD"
+
+if [ "${JAVA_HOME}" != "" ]
+then
+ export JAVA_HOME
+ PATH="${JAVA_HOME}/bin:${PATH}"
+ export PATH
+fi
+
+cd ${cdir}
+$JAVA_CMD
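Review bot: The `noauth)` case in the `getopts` loop can never match: `getopts` only understands single-character options, so the spec `"i:o:d:r:noauthh"` is read as `n`, `o`, `a`, `u`, `t`, `h`, and `-noauth` on the command line is parsed as `-n` followed by `-o auth`, which silently sets `OUTDIR=auth` and never forwards `-noauth` to the Java tool (the `usage` text also advertises `-noauth`, so users will hit this). A plain `while`/`case` loop over `"$@"` handles the multi-character option correctly, as sketched below. Separately, `cdir=\`pwd\`` and the unquoted `cd ${cdir}` / `$JAVA_CMD` break on paths containing spaces, and the echo string has a typo: `echo "JAVA command = $JAVA_CMD"`.
```shell
# … unchanged: usage(), cdir/cp/OUTDIR/JAVA_CMD setup …
while [ $# -gt 0 ]; do
    case "$1" in
        -i) INFILE="$2"; JAVA_CMD="$JAVA_CMD -i $2"; shift 2 ;;
        -o) OUTDIR="$2"; shift 2 ;;
        -d) DISCOVER="$2"; JAVA_CMD="$JAVA_CMD -d $2"; shift 2 ;;
        -r) RETRIEVE="$2"; JAVA_CMD="$JAVA_CMD -r $2"; shift 2 ;;
        -noauth) AUTH=0; JAVA_CMD="$JAVA_CMD -noauth"; shift ;;
        -h) usage ;;
        *) echo -e "\nOption $1 not allowed."; usage ;;
    esac
done
# … unchanged: JAVA_HOME handling and launch …
```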
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2c4bb29/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/AuthenticationCheck.java
----------------------------------------------------------------------
diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/AuthenticationCheck.java b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/AuthenticationCheck.java
new file mode 100644
index 0000000..f39f782
--- /dev/null
+++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/AuthenticationCheck.java
@@ -0,0 +1,208 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.ldapconfigcheck;
+
+import java.io.PrintStream;
+import java.util.ArrayList;
+import java.util.List;
+import org.springframework.ldap.core.support.LdapContextSource;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
+import org.springframework.security.ldap.authentication.BindAuthenticator;
+import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
+
+
+public class AuthenticationCheck {
+ private String ldapUrl = null;
+ private String authMethod = "NONE";
+ private String adDomain = null;
+ private String userDnPattern = null;
+ private String roleAttribute = null;
+ private String groupSearchBase = null;
+ private String groupSearchFilter = null;
+
+ private PrintStream logFile = null;
+ private PrintStream ambariProps = null;
+ private PrintStream installProps = null;
+
+ public AuthenticationCheck(String ldapUrl, UserSync userSyncObj, PrintStream logFile,
+ PrintStream ambariProps, PrintStream installProps) {
+
+ this.logFile = logFile;
+ this.ambariProps = ambariProps;
+ this.installProps = installProps;
+
+ if (userSyncObj.getUserNameAttribute().equalsIgnoreCase("sAMAccountName")) {
+ authMethod = "AD";
+ } else {
+ authMethod = "LDAP";
+ }
+ this.ldapUrl = ldapUrl;
+ adDomain = userSyncObj.getSearchBase();
+ userDnPattern = userSyncObj.getUserNameAttribute() + "={0}," + userSyncObj.getUserSearchBase();
+ roleAttribute = userSyncObj.getGroupNameAttrName();
+ groupSearchBase = userSyncObj.getGroupSearchBase();
+ groupSearchFilter = userSyncObj.getGroupMemberName() + "=" + userDnPattern;
+
+ }
+
+ public void discoverAuthProperties() {
+
+ ambariProps.println("\n# Possible values for authetication properties:");
+ installProps.println("\n# Possible values for authetication properties:");
+ if (authMethod.equalsIgnoreCase("AD")) {
+ installProps.println("xa_ldap_ad_url=" + ldapUrl);
+ installProps.println("xa_ldap_ad_domain=" + adDomain);
+ } else {
+ installProps.println("xa_ldap_url=" + ldapUrl);
+ installProps.println("xa_ldap_userDNpattern=" + userDnPattern);
+ installProps.println("xa_ldap_groupRoleAttribute=" + roleAttribute);
+ installProps.println("xa_ldap_groupSearchBase=" + groupSearchBase);
+ installProps.println("xa_ldap_groupSearchFilter=" + groupSearchFilter);
+ }
+
+ ambariProps.println("ranger.authentication.method=" + authMethod);
+ if (authMethod.equalsIgnoreCase("AD")) {
+ ambariProps.println("ranger.ldap.ad.url=" + ldapUrl);
+ ambariProps.println("ranger.ldap.ad.domain=" + adDomain);
+ } else {
+ ambariProps.println("ranger.ldap.url=" + ldapUrl);
+ ambariProps.println("ranger.ldap.user.dnpattern=" + userDnPattern);
+ ambariProps.println("ranger.ldap.group.roleattribute=" + roleAttribute);
+ ambariProps.println("ranger.ldap.group.searchbase=" + groupSearchBase);
+ ambariProps.println("ranger.ldap.group.searchfilter=" + groupSearchFilter);
+ }
+ }
+
+ public boolean isAuthenticated(String ldapUrl, String bindDn, String bindPassword, String userName,
+ String userPassword) {
+ boolean isAuthenticated = false;
+ //Verify Authentication
+ Authentication authentication;
+ if (authMethod.equalsIgnoreCase("AD")) {
+ authentication = getADBindAuthentication(ldapUrl, bindDn, bindPassword, userName, userPassword);
+ } else {
+ authentication = getLdapBindAuthentication(ldapUrl, bindDn, bindPassword, userName, userPassword);
+ }
+ if (authentication != null) {
+ isAuthenticated = authentication.isAuthenticated();
+ }
+
+ return isAuthenticated;
+ }
+
+ private Authentication getADBindAuthentication(String ldapUrl, String bindDn, String bindPassword,
+ String userName, String userPassword) {
+ Authentication result = null;
+ try {
+ LdapContextSource ldapContextSource = new DefaultSpringSecurityContextSource(ldapUrl);
+ ldapContextSource.setUserDn(bindDn);
+ ldapContextSource.setPassword(bindPassword);
+ ldapContextSource.setReferral("follow");
+ ldapContextSource.setCacheEnvironmentProperties(true);
+ ldapContextSource.setAnonymousReadOnly(false);
+ ldapContextSource.setPooled(true);
+ ldapContextSource.afterPropertiesSet();
+
+ String searchFilter="(sAMAccountName={0})";
+ FilterBasedLdapUserSearch userSearch=new FilterBasedLdapUserSearch(adDomain, searchFilter,ldapContextSource);
+ userSearch.setSearchSubtree(true);
+
+ BindAuthenticator bindAuthenticator = new BindAuthenticator(ldapContextSource);
+ bindAuthenticator.setUserSearch(userSearch);
+ bindAuthenticator.afterPropertiesSet();
+
+ LdapAuthenticationProvider ldapAuthenticationProvider = new LdapAuthenticationProvider(bindAuthenticator);
+
+ if (userName != null && userPassword != null && !userName.trim().isEmpty() && !userPassword.trim().isEmpty()) {
+ final List<GrantedAuthority> grantedAuths = new ArrayList<>();
+ grantedAuths.add(new SimpleGrantedAuthority("ROLE_USER"));
+ final UserDetails principal = new User(userName, userPassword, grantedAuths);
+ final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, userPassword, grantedAuths);
+
+ result = ldapAuthenticationProvider.authenticate(finalAuthentication);
+ }
+
+ } catch (BadCredentialsException bce) {
+ logFile.println("ERROR: LDAP Authentication Failed. Please verify values for ranger.admin.auth.sampleuser and " +
+ "ranger.admin.auth.samplepassword\n");
+ } catch (Exception e) {
+ logFile.println("ERROR: LDAP Authentication Failed: " + e);
+ }
+ return result;
+ }
+
+ private Authentication getLdapBindAuthentication(String ldapUrl, String bindDn, String bindPassword,
+ String userName, String userPassword) {
+ Authentication result = null;
+ try {
+ LdapContextSource ldapContextSource = new DefaultSpringSecurityContextSource(ldapUrl);
+ ldapContextSource.setUserDn(bindDn);
+ ldapContextSource.setPassword(bindPassword);
+ ldapContextSource.setReferral("follow");
+ ldapContextSource.setCacheEnvironmentProperties(false);
+ ldapContextSource.setAnonymousReadOnly(true);
+ ldapContextSource.setPooled(true);
+ ldapContextSource.afterPropertiesSet();
+
+ DefaultLdapAuthoritiesPopulator defaultLdapAuthoritiesPopulator = new DefaultLdapAuthoritiesPopulator(ldapContextSource, groupSearchBase);
+ defaultLdapAuthoritiesPopulator.setGroupRoleAttribute(roleAttribute);
+ defaultLdapAuthoritiesPopulator.setGroupSearchFilter(groupSearchFilter);
+ defaultLdapAuthoritiesPopulator.setIgnorePartialResultException(true);
+
+ String searchFilter="(uid={0})";
+ FilterBasedLdapUserSearch userSearch=new FilterBasedLdapUserSearch(adDomain, searchFilter,ldapContextSource);
+ userSearch.setSearchSubtree(true);
+
+ BindAuthenticator bindAuthenticator = new BindAuthenticator(ldapContextSource);
+ bindAuthenticator.setUserSearch(userSearch);
+ String[] userDnPatterns = new String[] { userDnPattern };
+ bindAuthenticator.setUserDnPatterns(userDnPatterns);
+ bindAuthenticator.afterPropertiesSet();
+
+ LdapAuthenticationProvider ldapAuthenticationProvider = new LdapAuthenticationProvider(bindAuthenticator,defaultLdapAuthoritiesPopulator);
+
+ if (userName != null && userPassword != null && !userName.trim().isEmpty()&& !userPassword.trim().isEmpty()) {
+ final List<GrantedAuthority> grantedAuths = new ArrayList<>();
+ grantedAuths.add(new SimpleGrantedAuthority("ROLE_USER"));
+ final UserDetails principal = new User(userName, userPassword,grantedAuths);
+ final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, userPassword, grantedAuths);
+
+ result = ldapAuthenticationProvider.authenticate(finalAuthentication);
+ }
+ } catch (BadCredentialsException bce) {
+ logFile.println("ERROR: LDAP Authentication Failed. Please verify values for ranger.admin.auth.sampleuser and " +
+ "ranger.admin.auth.samplepassword\n");
+ } catch (Exception e) {
+ logFile.println("ERROR: LDAP Authentication Failed: " + e);
+ }
+ return result;
+ }
+}
+
+
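Review bot: `getLdapBindAuthentication` hard-codes the user search filter as `"(uid={0})"` even though the constructor derived `userDnPattern` from `userSyncObj.getUserNameAttribute()`, so for a directory whose name attribute is `cn` (or anything but `uid`) the search and the DN pattern disagree and the check fails for the wrong reason; keep the attribute in a field set in the constructor and build the filter from it, `String searchFilter = "(" + userNameAttribute + "={0})";`. Both search constructions also use `adDomain` (taken from `getSearchBase()`) as the search base while `userDnPattern` is rooted at `getUserSearchBase()`, which looks like a mismatch worth confirming. The two private methods repeat the same seven-line `LdapContextSource` setup and differ only in the `setCacheEnvironmentProperties`/`setAnonymousReadOnly` flags, so a private `createContextSource(ldapUrl, bindDn, bindPassword, anonymousReadOnly)` helper would remove the duplication. The literal `"# Possible values for authetication properties:"` written to both output files is misspelled and should read `authentication`.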
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2c4bb29/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/CommandLineOptions.java
----------------------------------------------------------------------
diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/CommandLineOptions.java b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/CommandLineOptions.java
new file mode 100644
index 0000000..790330f
--- /dev/null
+++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/CommandLineOptions.java
@@ -0,0 +1,230 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.ldapconfigcheck;
+
+import org.apache.commons.cli.*;
+import java.io.Console;
+
+public class CommandLineOptions {
+
+ private String[] args = null;
+ private Options options = new Options();
+ private String input = null;
+ private String output = null;
+ private String discoverProperties;
+ private String retrieveValues = null;
+ private boolean isAuthEnabled = true;
+ private String ldapUrl = "";
+ private String bindDn = "";
+ private String bindPassword = "";
+ private String userSearchBase = "";
+ private String userSearchFilter = "";
+ private String authUser = "";
+ private String authPass = "";
+
+ public CommandLineOptions(String[] args) {
+ this.args = args;
+ options.addOption("h", "help", false, "show help.");
+ options.addOption("i", "inputfile", true, "Input file name");
+ options.addOption("o", "outputdir", true, "Output directory");
+ options.addOption("d", "discoverProperties", true, "{all|users|groups}");
+ options.addOption("r", "retrieve", true, "{all|users|groups}");
+ options.addOption("noauth", "noAuthentication", false, "Ignore authentication properties");
+ }
+
+ public void parse() {
+ CommandLineParser parser = new BasicParser();
+ try {
+ CommandLine cmd = parser.parse(options, args);
+ if (cmd.hasOption("h")) {
+
+ }
+
+
+ if (cmd.hasOption("o")) {
+ output = cmd.getOptionValue("o");
+ } else {
+ System.out.println("Missing o option for output directory");
+ help();
+ }
+
+ if (cmd.hasOption("d")) {
+ discoverProperties = cmd.getOptionValue("d");
+ if (discoverProperties == null || (!discoverProperties.equalsIgnoreCase("all") &&
+ !discoverProperties.equalsIgnoreCase("users") && !discoverProperties.equalsIgnoreCase("groups"))) {
+ System.out.println("Unsupported value for option d");
+ help();
+ }
+ }
+
+ if (cmd.hasOption("r")) {
+ retrieveValues = cmd.getOptionValue("r");
+ if (retrieveValues == null || (!retrieveValues.equalsIgnoreCase("all")
+ && !retrieveValues.equalsIgnoreCase("users") && !retrieveValues.equalsIgnoreCase("groups"))) {
+ System.out.println("Unsupported value for option r");
+ help();
+ }
+ } else {
+ if (discoverProperties == null || discoverProperties.isEmpty()) {
+ System.out.println("Default to discover all usersync properties");
+ //help();
+ // If "d" or "r" option is not specified, then default to discover all usersync properties
+ discoverProperties = "all";
+ }
+ }
+
+ if (cmd.hasOption("noauth")) {
+ isAuthEnabled = false;
+ }
+
+ if (cmd.hasOption("i")) {
+ input = cmd.getOptionValue("i");
+ if (input == null || input.isEmpty()) {
+ System.out.println("Please specify the input properties file name");
+ help();
+ }
+
+ } else {
+ // Read the properties from CLI and write to the input properties file.
+ input = LdapConfig.CONFIG_FILE;
+ readCLI();
+ }
+
+ } catch (ParseException pe) {
+ System.out.println("Failed to parse command line arguments " + pe);
+ help();
+ }
+ }
+
+ public void help() {
+ // This prints out some help
+ HelpFormatter formater = new HelpFormatter();
+ formater.printHelp("ldapConfigCheck", options);
+ System.exit(0);
+ }
+
+ public String getInput() {
+ return input;
+ }
+
+ public String getOutput() {
+
+ return output;
+ }
+
+ public String getDiscoverProperties() {
+ return discoverProperties;
+ }
+
+ public boolean isAuthEnabled() {
+ return isAuthEnabled;
+ }
+
+ public String getRetrieveValues() {
+ return retrieveValues;
+ }
+
+ private void readCLI() {
+ boolean repeat;
+ Console console = System.console();
+ do {
+ repeat = false;
+ System.out.print("Ldap url [ldap://ldap.example.com:389]: ");
+ ldapUrl = console.readLine();
+ if (ldapUrl == null || ldapUrl.isEmpty()) {
+ System.out.println("Please enter valid ldap url.");
+ repeat = true;
+ }
+ } while (repeat == true);
+ do {
+ repeat = false;
+ System.out.print("Bind DN [cn=admin,ou=users,dc=example,dc=com]: ");
+ bindDn = console.readLine();
+ if (bindDn == null || bindDn.isEmpty()) {
+ System.out.println("Please enter valid bindDn.");
+ repeat = true;
+ }
+ } while (repeat == true);
+ do {
+ repeat = false;
+ System.out.print("Bind Password: ");
+ char[] password = console.readPassword();
+ bindPassword = String.valueOf(password);
+ if (bindPassword == null || bindPassword.isEmpty()) {
+ System.out.println("Bind Password can't be empty.");
+ repeat = true;
+ }
+ } while (repeat == true);
+ System.out.print("User Search Base [ou=users,dc=example,dc=com]: ");
+ userSearchBase = console.readLine();
+ System.out.print("User Search Filter [cn=user1]: ");
+ userSearchFilter = console.readLine();
+
+ if (isAuthEnabled) {
+ do {
+ repeat = false;
+ System.out.print("Sample Authentication User [user1]: ");
+ authUser = console.readLine();
+ if (authUser == null || authUser.isEmpty()) {
+ System.out.println("Sample Authentication user must not be empty!");
+ repeat = true;
+ }
+ } while (repeat == true);
+ do {
+ repeat = false;
+ System.out.print("Sample Authentication Password: ");
+ char[] password = console.readPassword();
+ authPass = String.valueOf(password);
+ if (authPass == null || authPass.isEmpty()) {
+ System.out.println("Sample Authentication password must not be empty!");
+ repeat = true;
+ }
+ } while (repeat == true);
+ }
+ }
+
+ public String getLdapUrl() {
+ return ldapUrl;
+ }
+
+ public String getBindDn() {
+ return bindDn;
+ }
+
+ public String getBindPassword() {
+ return bindPassword;
+ }
+
+ public String getUserSearchBase() {
+ return userSearchBase;
+ }
+
+ public String getUserSearchFilter() {
+ return userSearchFilter;
+ }
+
+ public String getAuthUser() {
+ return authUser;
+ }
+
+ public String getAuthPass() {
+ return authPass;
+ }
+}
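Review bot: The `-h` branch in `parse()` is empty (`if (cmd.hasOption("h")) { }`), so the help option registered in the constructor does nothing; it should call `help();`. `readCLI()` dereferences `System.console()` without a null check, and `console.readLine()`/`console.readPassword()` return null on EOF, so running the tool without a TTY (or piping input) ends in a NullPointerException at `console.readLine()` / `String.valueOf(password)` rather than a message — guard with `if (console == null) { System.out.println("No console available; pass -i <inputfile>"); System.exit(1); }` and test `password == null` before converting. The `bindPassword == null` / `authPass == null` checks are dead since `String.valueOf(char[])` never returns null, and the `char[]` buffers from `readPassword()` are never cleared (`Arrays.fill(password, '\0')`) after being copied into a String. `help()` exits with status 0 even when it is reached from an error path, which hides failures from `run.sh` and any caller checking the exit code.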
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2c4bb29/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfig.java
----------------------------------------------------------------------
diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfig.java b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfig.java
new file mode 100644
index 0000000..a548957
--- /dev/null
+++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfig.java
@@ -0,0 +1,436 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.ldapconfigcheck;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Properties;
+
+import org.apache.commons.configuration.ConfigurationException;
+import org.apache.commons.lang.NullArgumentException;
+import org.apache.commons.configuration.PropertiesConfiguration;
+
+public class LdapConfig {
+
+ public static final String CONFIG_FILE = "input.properties";
+
+ private static final String LGSYNC_LDAP_URL = "ranger.usersync.ldap.url";
+
+ private static final String LGSYNC_LDAP_BIND_DN = "ranger.usersync.ldap.binddn";
+
+ private static final String LGSYNC_LDAP_BIND_KEYSTORE = "ranger.usersync.credstore.filename";
+
+ private static final String LGSYNC_LDAP_BIND_ALIAS = "ranger.usersync.ldap.bindalias";
+
+ private static final String LGSYNC_LDAP_BIND_PASSWORD = "ranger.usersync.ldap.ldapbindpassword";
+
+ private static final String LGSYNC_LDAP_AUTHENTICATION_MECHANISM = "ranger.usersync.ldap.authentication.mechanism";
+ private static final String DEFAULT_AUTHENTICATION_MECHANISM = "simple";
+
+ private static final String LGSYNC_SEARCH_BASE = "ranger.usersync.ldap.searchBase";
+
+ private static final String LGSYNC_USER_SEARCH_BASE = "ranger.usersync.ldap.user.searchbase";
+
+ private static final String LGSYNC_USER_SEARCH_SCOPE = "ranger.usersync.ldap.user.searchscope";
+
+ private static final String LGSYNC_USER_OBJECT_CLASS = "ranger.usersync.ldap.user.objectclass";
+
+ private static final String LGSYNC_USER_SEARCH_FILTER = "ranger.usersync.ldap.user.searchfilter";
+
+ private static final String LGSYNC_USER_NAME_ATTRIBUTE = "ranger.usersync.ldap.user.nameattribute";
+
+ private static final String LGSYNC_USER_GROUP_NAME_ATTRIBUTE = "ranger.usersync.ldap.user.groupnameattribute";
+
+ public static final String UGSYNC_LOWER_CASE_CONVERSION_VALUE = "lower";
+
+ private static final String UGSYNC_USERNAME_CASE_CONVERSION_PARAM = "ranger.usersync.ldap.username.caseconversion";
+ private static final String DEFAULT_UGSYNC_USERNAME_CASE_CONVERSION_VALUE = UGSYNC_LOWER_CASE_CONVERSION_VALUE;
+
+ private static final String UGSYNC_GROUPNAME_CASE_CONVERSION_PARAM = "ranger.usersync.ldap.groupname.caseconversion";
+ private static final String DEFAULT_UGSYNC_GROUPNAME_CASE_CONVERSION_VALUE = UGSYNC_LOWER_CASE_CONVERSION_VALUE;
+
+
+ private static final String LGSYNC_PAGED_RESULTS_ENABLED = "ranger.usersync.pagedresultsenabled";
+ private static final boolean DEFAULT_LGSYNC_PAGED_RESULTS_ENABLED = true;
+
+ private static final String LGSYNC_PAGED_RESULTS_SIZE = "ranger.usersync.pagedresultssize";
+ private static final int DEFAULT_LGSYNC_PAGED_RESULTS_SIZE = 500;
+
+ private static final String LGSYNC_GROUP_SEARCH_ENABLED = "ranger.usersync.group.searchenabled";
+ private static final boolean DEFAULT_LGSYNC_GROUP_SEARCH_ENABLED = false;
+
+ private static final String LGSYNC_GROUP_USER_MAP_SYNC_ENABLED = "ranger.usersync.group.usermapsyncenabled";
+ private static final boolean DEFAULT_LGSYNC_GROUP_USER_MAP_SYNC_ENABLED = false;
+
+ private static final String LGSYNC_GROUP_SEARCH_BASE = "ranger.usersync.group.searchbase";
+
+ private static final String LGSYNC_GROUP_SEARCH_SCOPE = "ranger.usersync.group.searchscope";
+
+ private static final String LGSYNC_GROUP_OBJECT_CLASS = "ranger.usersync.group.objectclass";
+
+ private static final String LGSYNC_GROUP_SEARCH_FILTER = "ranger.usersync.group.searchfilter";
+
+ private static final String LGSYNC_GROUP_NAME_ATTRIBUTE = "ranger.usersync.group.nameattribute";
+
+ private static final String LGSYNC_GROUP_MEMBER_ATTRIBUTE_NAME = "ranger.usersync.group.memberattributename";
+
+ //Authentication relate properties
+ private static final String AUTHENTICATION_METHOD = "ranger.authentication.method";
+ private static final String AD_DOMAIN = "ranger.ldap.ad.domain";
+ private static final String USER_DN_PATTERN = "ranger.ldap.user.dnpattern";
+ private static final String GROUP_ROLE_ATTRIBUTE = "ranger.ldap.group.roleattribute";
+ private static final String GROUP_SEARCH_BASE = "ranger.ldap.group.searchbase";
+ private static final String GROUP_SEARCH_FILTER = "ranger.ldap.group.searchfilter";
+ private static final String AUTH_USERNAME = "ranger.admin.auth.sampleuser";
+ private static final String AUTH_PASSWORD = "ranger.admin.auth.samplepassword";
+
+
+ private Properties prop = new Properties();
+
+
+ public LdapConfig(String configFile) {
+ init(configFile);
+ }
+
+ private void init(String configFile) {
+ readConfigFile(configFile);
+ }
+
+ private void readConfigFile(String fileName) {
+ try {
+ InputStream in = getFileInputStream(fileName);
+ if (in != null) {
+ try {
+ System.out.println("Reading ldap properties from " + fileName);
+ prop.load(in);
+
+ } finally {
+ try {
+ in.close();
+ } catch (IOException ioe) {
+ // Ignore IOE when closing stream
+ System.out.println(ioe);
+ }
+ }
+ }
+ } catch (Throwable e) {
+ throw new RuntimeException("Unable to load configuration file [" + fileName + "]", e);
+ }
+ }
+
+
+ /*private InputStream getFileInputStream(String path) throws FileNotFoundException {
+
+ InputStream ret = null;
+
+ File f = new File(path);
+
+ if (f.exists()) {
+ ret = new FileInputStream(f);
+ }
+
+ return ret;
+ }*/
+
+ private InputStream getFileInputStream(String path) throws FileNotFoundException {
+
+ InputStream ret = null;
+
+ File f = new File(path);
+
+ if (f.exists()) {
+ ret = new FileInputStream(f);
+ } else {
+ ret = getClass().getResourceAsStream(path);
+
+ if (ret == null) {
+ if (! path.startsWith("/")) {
+ ret = getClass().getResourceAsStream("/" + path);
+ }
+ }
+
+ if (ret == null) {
+ ret = ClassLoader.getSystemClassLoader().getResourceAsStream(path) ;
+ if (ret == null) {
+ if (! path.startsWith("/")) {
+ ret = ClassLoader.getSystemResourceAsStream("/" + path);
+ }
+ }
+ }
+ }
+
+ return ret;
+ }
+
+ public String getLdapUrl() throws Throwable {
+ String val = prop.getProperty(LGSYNC_LDAP_URL);
+ if (val == null || val.trim().isEmpty()) {
+ throw new NullArgumentException(LGSYNC_LDAP_URL);
+ }
+ return val;
+ }
+
+
+ public String getLdapBindDn() throws Throwable {
+ String val = prop.getProperty(LGSYNC_LDAP_BIND_DN);
+ if (val == null || val.trim().isEmpty()) {
+ throw new NullArgumentException(LGSYNC_LDAP_BIND_DN);
+ }
+ return val;
+ }
+
+
+ public String getLdapBindPassword() {
+ //update credential from keystore
+ if (prop == null) {
+ return null;
+ }
+ return prop.getProperty(LGSYNC_LDAP_BIND_PASSWORD);
+ }
+
+
+ public String getLdapAuthenticationMechanism() {
+ String val = prop.getProperty(LGSYNC_LDAP_AUTHENTICATION_MECHANISM);
+ if (val == null || val.trim().isEmpty()) {
+ return DEFAULT_AUTHENTICATION_MECHANISM;
+ }
+ return val;
+ }
+
+
+ public String getUserSearchBase() {
+ String val = prop.getProperty(LGSYNC_USER_SEARCH_BASE);
+ if (val == null || val.trim().isEmpty()) {
+ val = getSearchBase();
+ }
+ return val;
+ }
+
+
+ public int getUserSearchScope() {
+ String val = prop.getProperty(LGSYNC_USER_SEARCH_SCOPE);
+ if (val == null || val.trim().isEmpty()) {
+ return 2; //subtree scope
+ }
+
+ val = val.trim().toLowerCase();
+ if (val.equals("0") || val.startsWith("base")) {
+ return 0; // object scope
+ } else if (val.equals("1") || val.startsWith("one")) {
+ return 1; // one level scope
+ } else {
+ return 2; // subtree scope
+ }
+ }
+
+
+ public String getUserObjectClass() {
+ String val = prop.getProperty(LGSYNC_USER_OBJECT_CLASS);
+ return val;
+ }
+
+ public String getUserSearchFilter() {
+ return prop.getProperty(LGSYNC_USER_SEARCH_FILTER);
+ }
+
+
+ public String getUserNameAttribute() {
+ String val = prop.getProperty(LGSYNC_USER_NAME_ATTRIBUTE);
+ return val;
+ }
+
+ public String getUserGroupNameAttribute() {
+ String val = prop.getProperty(LGSYNC_USER_GROUP_NAME_ATTRIBUTE);
+ return val;
+ }
+
+ public String getUserNameCaseConversion() {
+ String ret = prop.getProperty(UGSYNC_USERNAME_CASE_CONVERSION_PARAM, DEFAULT_UGSYNC_USERNAME_CASE_CONVERSION_VALUE);
+ return ret.trim().toLowerCase();
+ }
+
+ public String getGroupNameCaseConversion() {
+ String ret = prop.getProperty(UGSYNC_GROUPNAME_CASE_CONVERSION_PARAM, DEFAULT_UGSYNC_GROUPNAME_CASE_CONVERSION_VALUE);
+ return ret.trim().toLowerCase();
+ }
+
+ public String getSearchBase() {
+ return prop.getProperty(LGSYNC_SEARCH_BASE);
+ }
+
+ public boolean isPagedResultsEnabled() {
+ boolean pagedResultsEnabled;
+ String val = prop.getProperty(LGSYNC_PAGED_RESULTS_ENABLED);
+ if (val == null || val.trim().isEmpty()) {
+ pagedResultsEnabled = DEFAULT_LGSYNC_PAGED_RESULTS_ENABLED;
+ } else {
+ pagedResultsEnabled = Boolean.valueOf(val);
+ }
+ return pagedResultsEnabled;
+ }
+
+ public int getPagedResultsSize() {
+ int pagedResultsSize;
+ String val = prop.getProperty(LGSYNC_PAGED_RESULTS_SIZE);
+ if (val == null || val.trim().isEmpty()) {
+ pagedResultsSize = DEFAULT_LGSYNC_PAGED_RESULTS_SIZE;
+ } else {
+ pagedResultsSize = Integer.parseInt(val);
+ }
+ if (pagedResultsSize < 1) {
+ pagedResultsSize = DEFAULT_LGSYNC_PAGED_RESULTS_SIZE;
+ }
+ return pagedResultsSize;
+ }
+
+ public boolean isGroupSearchEnabled() {
+ boolean groupSearchEnabled;
+ String val = prop.getProperty(LGSYNC_GROUP_SEARCH_ENABLED);
+ if (val == null || val.trim().isEmpty()) {
+ groupSearchEnabled = DEFAULT_LGSYNC_GROUP_SEARCH_ENABLED;
+ } else {
+ groupSearchEnabled = Boolean.valueOf(val);
+ }
+ return groupSearchEnabled;
+ }
+
+ public boolean isGroupUserMapSyncEnabled() {
+ boolean groupUserMapSyncEnabled;
+ String val = prop.getProperty(LGSYNC_GROUP_USER_MAP_SYNC_ENABLED);
+ if (val == null || val.trim().isEmpty()) {
+ groupUserMapSyncEnabled = DEFAULT_LGSYNC_GROUP_USER_MAP_SYNC_ENABLED;
+ } else {
+ groupUserMapSyncEnabled = Boolean.valueOf(val);
+ }
+ return groupUserMapSyncEnabled;
+ }
+
+ public String getGroupSearchBase() {
+ String val = prop.getProperty(LGSYNC_GROUP_SEARCH_BASE);
+ return val;
+ }
+
+ public int getGroupSearchScope() {
+ String val = prop.getProperty(LGSYNC_GROUP_SEARCH_SCOPE);
+ if (val == null || val.trim().isEmpty()) {
+ return 2; //subtree scope
+ }
+
+ val = val.trim().toLowerCase();
+ if (val.equals("0") || val.startsWith("base")) {
+ return 0; // object scope
+ } else if (val.equals("1") || val.startsWith("one")) {
+ return 1; // one level scope
+ } else {
+ return 2; // subtree scope
+ }
+ }
+
+ public String getGroupObjectClass() {
+ String val = prop.getProperty(LGSYNC_GROUP_OBJECT_CLASS);
+ return val;
+ }
+
+ public String getGroupSearchFilter() {
+ return prop.getProperty(LGSYNC_GROUP_SEARCH_FILTER);
+ }
+
+ public String getUserGroupMemberAttributeName() {
+ String val = prop.getProperty(LGSYNC_GROUP_MEMBER_ATTRIBUTE_NAME);
+ return val;
+ }
+
+ public String getGroupNameAttribute() {
+ String val = prop.getProperty(LGSYNC_GROUP_NAME_ATTRIBUTE);
+ return val;
+ }
+
+ public String getAuthenticationMethod() {
+ String val = prop.getProperty(AUTHENTICATION_METHOD);
+ return val;
+ }
+
+ public String getAdDomain() {
+ String val = prop.getProperty(AD_DOMAIN);
+ return val;
+ }
+
+ public String getUserDnPattern() {
+ String val = prop.getProperty(USER_DN_PATTERN);
+ return val;
+ }
+
+ public String getGroupRoleAttribute() {
+ String val = prop.getProperty(GROUP_ROLE_ATTRIBUTE);
+ return val;
+ }
+
+ public String getAuthGroupSearchBase() {
+ String val = prop.getProperty(GROUP_SEARCH_BASE);
+ return val;
+ }
+
+ public String getAuthGroupSearchFilter() {
+ String val = prop.getProperty(GROUP_SEARCH_FILTER);
+ return val;
+ }
+
+ public String getAuthUsername() {
+ return prop.getProperty(AUTH_USERNAME);
+ }
+
+ public String getAuthPassword() {
+ return prop.getProperty(AUTH_PASSWORD);
+ }
+
+ public void updateInputPropFile(String ldapUrl, String bindDn, String bindPassword,
+ String userSearchBase, String userSearchFilter,
+ String authUser, String authPass) {
+ try {
+ PropertiesConfiguration config = new PropertiesConfiguration(CONFIG_FILE);
+ // Update properties in memory and update the file as well
+ prop.setProperty(LGSYNC_LDAP_URL, ldapUrl);
+ prop.setProperty(LGSYNC_LDAP_BIND_DN, bindDn);
+ prop.setProperty(LGSYNC_LDAP_BIND_PASSWORD, bindPassword);
+ prop.setProperty(LGSYNC_USER_SEARCH_BASE, userSearchBase);
+ prop.setProperty(LGSYNC_USER_SEARCH_FILTER, userSearchFilter);
+ prop.setProperty(AUTH_USERNAME, authUser);
+ prop.setProperty(AUTH_PASSWORD, authPass);
+ config.setProperty(LGSYNC_LDAP_URL, ldapUrl);
+ config.setProperty(LGSYNC_LDAP_BIND_DN, bindDn);
+ config.setProperty(LGSYNC_LDAP_BIND_PASSWORD, bindPassword);
+ config.setProperty(LGSYNC_USER_SEARCH_BASE, userSearchBase);
+ config.setProperty(LGSYNC_USER_SEARCH_FILTER, userSearchFilter);
+ config.setProperty(AUTH_USERNAME, authUser);
+ config.setProperty(AUTH_PASSWORD, authPass);
+ config.save();
+ } catch (ConfigurationException e) {
+ System.out.println("Failed to update " + CONFIG_FILE + ": " + e);
+ }
+ }
+}
+
+
+
+
+
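Review bot: `updateInputPropFile` at the end of the hunk opens `new PropertiesConfiguration(CONFIG_FILE)`, i.e. the hard-coded `input.properties`, while the constructor accepted an arbitrary `configFile`; when the caller passes a different input file the edits are persisted to the wrong one, so the name should be kept in a field and reused. It also writes the LDAP bind password and the sample authentication password into that file in clear text (`config.setProperty(LGSYNC_LDAP_BIND_PASSWORD, ...)` and `AUTH_PASSWORD`), undoing the point of collecting them with `console.readPassword()` in the CommandLineOptions hunk above; for a check tool, keeping the two password keys in the in-memory `prop` only and saving the rest is enough. Relatedly, `getLdapBindPassword`'s comment says "update credential from keystore" but `LGSYNC_LDAP_BIND_KEYSTORE` and `LGSYNC_LDAP_BIND_ALIAS` are declared and never read, and its `prop == null` guard is dead because the field is initialised at declaration. Finally `getPagedResultsSize` calls `Integer.parseInt(val)` unguarded, so a non-numeric value aborts with a bare NumberFormatException instead of falling back to `DEFAULT_LGSYNC_PAGED_RESULTS_SIZE` the way an out-of-range value does.
```java
private final String configFileName;

public LdapConfig(String configFile) {
    configFileName = configFile;
    init(configFile);
}

// … unchanged: init, readConfigFile, getFileInputStream, getters …

public void updateInputPropFile(String ldapUrl, String bindDn, String bindPassword,
                                String userSearchBase, String userSearchFilter,
                                String authUser, String authPass) {
    try {
        PropertiesConfiguration config = new PropertiesConfiguration(configFileName);
        // … unchanged: prop.setProperty(...) for all seven keys …
        config.setProperty(LGSYNC_LDAP_URL, ldapUrl);
        config.setProperty(LGSYNC_LDAP_BIND_DN, bindDn);
        config.setProperty(LGSYNC_USER_SEARCH_BASE, userSearchBase);
        config.setProperty(LGSYNC_USER_SEARCH_FILTER, userSearchFilter);
        config.setProperty(AUTH_USERNAME, authUser);
        // bind and sample passwords stay in memory only; they are not written to disk
        config.save();
    } catch (ConfigurationException e) {
        System.out.println("Failed to update " + configFileName + ": " + e);
    }
}
```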
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2c4bb29/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfigCheckMain.java
----------------------------------------------------------------------
diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfigCheckMain.java b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfigCheckMain.java
new file mode 100644
index 0000000..ad56b2e
--- /dev/null
+++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/LdapConfigCheckMain.java
@@ -0,0 +1,241 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.ldapconfigcheck;
+
+import javax.naming.Context;
+import javax.naming.NamingException;
+import javax.naming.ldap.Control;
+import javax.naming.ldap.InitialLdapContext;
+import javax.naming.ldap.LdapContext;
+import javax.naming.ldap.PagedResultsControl;
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.PrintStream;
+import java.util.Properties;
+
+import org.apache.commons.lang.NullArgumentException;
+
+public class LdapConfigCheckMain {
+
+ private static final String LOG_FILE = "ldapConfigCheck.log";
+ private static final String AMBARI_PROPERTIES = "ambari.properties";
+ private static final String INSTALL_PROPERTIES = "install.properties";
+
+ public static void main(String[] args) {
+
+ CommandLineOptions cli = new CommandLineOptions(args);
+ cli.parse();
+ String inFileName = cli.getInput();
+ String outputDir = cli.getOutput();
+ if (!outputDir.endsWith("/")) {
+ outputDir = outputDir.concat("/");
+ }
+
+ LdapConfig config = new LdapConfig(inFileName);
+ if (cli.getLdapUrl() != null && !cli.getLdapUrl().isEmpty()) {
+ config.updateInputPropFile(cli.getLdapUrl(), cli.getBindDn(), cli.getBindPassword(),
+ cli.getUserSearchBase(), cli.getUserSearchFilter(), cli.getAuthUser(), cli.getAuthPass());
+ }
+
+ PrintStream logFile = null;
+ PrintStream ambariProps = null;
+ PrintStream installProps = null;
+ LdapContext ldapContext;
+
+ try {
+ logFile = new PrintStream(new File(outputDir + LOG_FILE));
+ ambariProps = new PrintStream(new File(outputDir + AMBARI_PROPERTIES));
+ installProps = new PrintStream(new File(outputDir + INSTALL_PROPERTIES));
+
+ UserSync userSyncObj = new UserSync(config, logFile, ambariProps, installProps);
+
+ String bindDn = config.getLdapBindDn();
+
+ Properties env = new Properties();
+ env.put(Context.INITIAL_CONTEXT_FACTORY,
+ "com.sun.jndi.ldap.LdapCtxFactory");
+ env.put(Context.PROVIDER_URL, config.getLdapUrl());
+ env.put(Context.SECURITY_PRINCIPAL, bindDn);
+ env.put(Context.SECURITY_CREDENTIALS, config.getLdapBindPassword());
+ env.put(Context.SECURITY_AUTHENTICATION, config.getLdapAuthenticationMechanism());
+ env.put(Context.REFERRAL, "follow");
+
+ ldapContext = new InitialLdapContext(env, null);
+
+ if (config.isPagedResultsEnabled()) {
+ ldapContext.setRequestControls(new Control[]{
+ new PagedResultsControl(config.getPagedResultsSize(), Control.CRITICAL) });
+ }
+
+ String retrieveValues = "all";
+
+ if (cli.getDiscoverProperties() != null) {
+ retrieveValues = cli.getDiscoverProperties();
+ if (cli.getDiscoverProperties().equalsIgnoreCase("users")) {
+ userSyncObj.findUserProperties(ldapContext);
+ } else if (cli.getDiscoverProperties().equalsIgnoreCase("groups")) {
+ userSyncObj.findGroupProperties(ldapContext);
+ } else {
+ findAllUserSyncProperties(ldapContext, userSyncObj);
+ }
+ }else if (cli.getRetrieveValues() != null){
+ retrieveValues = cli.getRetrieveValues();
+
+ } else {
+ cli.help();
+ }
+
+ if (cli.isAuthEnabled()) {
+ authenticate(userSyncObj, config, logFile, ambariProps, installProps);
+ }
+
+ retrieveUsersGroups(ldapContext, userSyncObj, retrieveValues);
+
+ if (ldapContext != null) {
+ ldapContext.close();
+ }
+
+ } catch (FileNotFoundException fe) {
+ System.out.println(fe.getMessage());
+ } catch (IOException ioe) {
+ logFile.println("ERROR: Failed while setting the paged results controls\n" + ioe);
+ } catch (NamingException ne) {
+ System.out.println("ERROR: Failed to perfom ldap bind. Please verify values for " +
+ "ranger.usersync.ldap.binddn and ranger.usersync.ldap.ldapbindpassword\n" + ne);
+ } catch (Throwable t) {
+ if (logFile != null) {
+ logFile.println("ERROR: Connection failed: " + t.getMessage());
+ } else {
+ System.out.println("ERROR: Connection failed: " + t.getMessage());
+ }
+ } finally {
+ if (logFile != null) {
+ logFile.close();
+ }
+ if (ambariProps != null) {
+ ambariProps.close();
+ }
+ if (installProps != null) {
+ installProps.close();
+ }
+ }
+ }
+
+ private static void findAllUserSyncProperties(LdapContext ldapContext, UserSync userSyncObj) throws Throwable {
+
+ userSyncObj.findUserProperties(ldapContext);
+ userSyncObj.findGroupProperties(ldapContext);
+ }
+
+ private static void authenticate(UserSync userSyncObj, LdapConfig config,
+ PrintStream logFile, PrintStream ambariProps,
+ PrintStream installProps) throws Throwable{
+ AuthenticationCheck auth = new AuthenticationCheck(config.getLdapUrl(), userSyncObj, logFile, ambariProps, installProps);
+
+ auth.discoverAuthProperties();
+
+ String msg;
+ if (config.getAuthUsername() == null || config.getAuthUsername().isEmpty()) {
+ msg = "ranger.admin.auth.sampleuser ";
+ throw new NullArgumentException(msg);
+ }
+
+ if (config.getAuthPassword() == null || config.getAuthPassword().isEmpty()) {
+ msg = "ranger.admin.auth.samplepassword ";
+ throw new NullArgumentException(msg);
+ }
+
+ if (auth.isAuthenticated(config.getLdapUrl(), config.getLdapBindDn(), config.getLdapBindPassword(),
+ config.getAuthUsername(), config.getAuthPassword())) {
+ logFile.println("INFO: Authentication verified successfully");
+ } else {
+ logFile.println("ERROR: Failed to authenticate " + config.getAuthUsername());
+ }
+ }
+
+ private static void retrieveUsersGroups(LdapContext ldapContext, UserSync userSyncObj,
+ String retrieve) throws Throwable {
+ String msg;
+ if (retrieve == null || userSyncObj == null || ldapContext == null) {
+ msg = "Input validation failed while retrieving Users or Groups";
+ throw new NullArgumentException(msg);
+ }
+
+ if (retrieve.equalsIgnoreCase("users")) {
+ retrieveUsers(ldapContext, userSyncObj);
+ } else if (retrieve.equalsIgnoreCase("groups")){
+ retrieveGroups(ldapContext, userSyncObj);
+ } else {
+ // retrieve both
+ retrieveUsers(ldapContext, userSyncObj);
+ retrieveGroups(ldapContext, userSyncObj);
+ }
+ }
+
+ private static void retrieveUsers(LdapContext ldapContext, UserSync userSyncObj) throws Throwable {
+ String msg;
+ if (userSyncObj.getUserNameAttribute() == null || userSyncObj.getUserNameAttribute().isEmpty()) {
+ msg = "ranger.usersync.ldap.user.nameattribute ";
+ throw new NullArgumentException(msg);
+ }
+ if (userSyncObj.getUserObjClassName() == null || userSyncObj.getUserObjClassName().isEmpty()) {
+ msg = "ranger.usersync.ldap.user.objectclass ";
+ throw new NullArgumentException(msg);
+ }
+ if (userSyncObj.getUserGroupMemberName() == null || userSyncObj.getUserGroupMemberName().isEmpty()) {
+ msg = "ranger.usersync.ldap.user.groupnameattribute ";
+ throw new NullArgumentException(msg);
+ }
+ if ((userSyncObj.getUserSearchBase() == null || userSyncObj.getUserSearchBase().isEmpty()) &&
+ (userSyncObj.getSearchBase() == null || userSyncObj.getSearchBase().isEmpty())) {
+ msg = "ranger.usersync.ldap.user.searchbase and " +
+ "ranger.usersync.ldap.searchBase ";
+ throw new NullArgumentException(msg);
+ }
+ userSyncObj.getAllUsers(ldapContext);
+ }
+
+ private static void retrieveGroups(LdapContext ldapContext, UserSync userSyncObj) throws Throwable {
+ String msg;
+ if (userSyncObj.getGroupNameAttrName() == null || userSyncObj.getGroupNameAttrName().isEmpty()) {
+ msg = "ranger.usersync.group.nameattribute ";
+ throw new NullArgumentException(msg);
+ }
+ if (userSyncObj.getGroupObjClassName() == null || userSyncObj.getGroupObjClassName().isEmpty()) {
+ msg = "ranger.usersync.group.objectclass ";
+ throw new NullArgumentException(msg);
+ }
+ if (userSyncObj.getUserGroupMemberName() == null || userSyncObj.getUserGroupMemberName().isEmpty()) {
+ msg = "ranger.usersync.group.memberattributename ";
+ throw new NullArgumentException(msg);
+ }
+ if ((userSyncObj.getGroupSearchBase() == null || userSyncObj.getGroupSearchBase().isEmpty()) &&
+ (userSyncObj.getSearchBase() == null || userSyncObj.getSearchBase().isEmpty())) {
+ msg = "ranger.usersync.group.searchbase and " +
+ "ranger.usersync.ldap.searchBase ";
+ throw new NullArgumentException(msg);
+ }
+ userSyncObj.getAllGroups(ldapContext);
+ }
+
+
+}
+
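Review bot: The `LdapContext` created at `ldapContext = new InitialLdapContext(env, null);` is closed only on the success path; any exception thrown by `findUserProperties`, `authenticate` or `retrieveUsersGroups` leaves the bound connection open, and the `if (ldapContext != null)` test placed after the assignment is always true. Declaring it as `LdapContext ldapContext = null;` and closing it in the existing `finally` alongside the three streams fixes both. Separately, `config.getLdapBindPassword()` returns null when the property is absent, and `Properties.put` rejects a null value with a NullPointerException, so a missing bind password is reported by the `Throwable` handler as a generic "Connection failed" rather than by the `NamingException` branch that names `ranger.usersync.ldap.ldapbindpassword`; checking it before `env` is built gives the user the intended message. The `catch (IOException ioe)` branch also dereferences `logFile` without the null check the `Throwable` branch has, which holds today only because the streams are opened before anything else can throw an IOException.
```java
LdapContext ldapContext = null;

try {
    // … unchanged: open streams, build env, bind, discovery, authenticate, retrieve …
} catch (FileNotFoundException fe) {
    // … unchanged: existing catch branches …
} finally {
    if (ldapContext != null) {
        try {
            ldapContext.close();
        } catch (NamingException ne) {
            System.out.println("WARN: Failed to close ldap context: " + ne);
        }
    }
    // … unchanged: closing logFile, ambariProps, installProps …
}
```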
[03/33] incubator-ranger git commit: RANGER-665 :
ranger.ldap.ad.referral property is not getting updated in
ranger-admin-site.xml
RANGER-665 : ranger.ldap.ad.referral property is not getting updated in ranger-admin-site.xml
Signed-off-by: Velmurugan Periasamy <ve...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/95cd9e83
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/95cd9e83
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/95cd9e83
Branch: refs/heads/tag-policy
Commit: 95cd9e834f3d07cd9897ef9ea8293c5d4d5c2fd4
Parents: d5c9dad
Author: Gautam Borad <gb...@gmail.com>
Authored: Fri Sep 25 10:09:46 2015 +0530
Committer: Velmurugan Periasamy <ve...@apache.org>
Committed: Sun Sep 27 21:57:26 2015 -0400
----------------------------------------------------------------------
security-admin/src/bin/ranger_install.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/95cd9e83/security-admin/src/bin/ranger_install.py
----------------------------------------------------------------------
diff --git a/security-admin/src/bin/ranger_install.py b/security-admin/src/bin/ranger_install.py
index 99c8ab8..294f0da 100644
--- a/security-admin/src/bin/ranger_install.py
+++ b/security-admin/src/bin/ranger_install.py
@@ -974,7 +974,7 @@ def update_properties():
newPropertyValue="_"
updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger)
- propertyName="ranger.ad.referral"
+ propertyName="ranger.ldap.ad.referral"
newPropertyValue=os.getenv("RANGER_LDAP_AD_REFERRAL")
updatePropertyToFilePy(propertyName ,newPropertyValue ,to_file_ranger)
[15/33] incubator-ranger git commit: RANGER-173: Applied review
feedback to use variables for user/group
RANGER-173: Applied review feedback to use variables for user/group
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/9cb055fc
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/9cb055fc
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/9cb055fc
Branch: refs/heads/tag-policy
Commit: 9cb055fc1a2f568f5b5fa9ab8ca0db43c56cf096
Parents: ed27cec
Author: Don Bosco Durai <bo...@apache.org>
Authored: Mon Oct 5 21:44:03 2015 -0700
Committer: Don Bosco Durai <bo...@apache.org>
Committed: Mon Oct 5 23:07:59 2015 -0700
----------------------------------------------------------------------
.../create_hdfs_folders_for_audit_non_secure.sh | 42 ++++++++++++-------
.../create_hdfs_folders_for_audit_secure.sh | 44 +++++++++++++-------
2 files changed, 55 insertions(+), 31 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9cb055fc/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_non_secure.sh
----------------------------------------------------------------------
diff --git a/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_non_secure.sh b/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_non_secure.sh
index eec3a08..ade46a7 100755
--- a/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_non_secure.sh
+++ b/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_non_secure.sh
@@ -14,53 +14,65 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-#Usage: Run this script as user hdfs.
-#Creating folders required for Apache Ranger auditing to HDFS.
-#Note 1: Use this script only for non-secure/kerberos environment
-#
+#Usage: Run this script as user hdfs or the HDFS admin user.
+#This script creates the folders in HDFS required by Apache Ranger for writing Audit records
+#Note 1: Use this script only for non-kerberos environment. In non-kerberos environment, Ranger KMS writes the audit logs as user "kms"
+#Note 2: Please update the below variables according to your environment
+
+HBASE_USER_GROUP=hbase:hbase
+HDFS_USER_GROUP=hdfs:hdfs
+HIVE_USER_GROUP=hive:hive
+KAFKA_USER_GROUP=kafka:kafka
+KMS_USER_GROUP=kms:kms
+KNOX_USER_GROUP=knox:knox
+SOLR_USER_GROUP=solr:solr
+STORM_USER_GROUP=storm:storm
+YARN_USER_GROUP=yarn:yarn
set -x
+#Create parent folder with rx permission
hdfs dfs -mkdir -p /ranger/audit
-hdfs dfs -chown hdfs:hdfs /ranger/audit
+hdfs dfs -chown $HDFS_USER_GROUP /ranger/audit
hdfs dfs -chmod 755 /ranger
hdfs dfs -chmod 755 /ranger/audit
hdfs dfs -mkdir -p /ranger/audit/hbaseMaster
-hdfs dfs -chown hbase:hbase /ranger/audit/hbaseMaster
+hdfs dfs -chown $HBASE_USER_GROUP /ranger/audit/hbaseMaster
hdfs dfs -chmod -R 0700 /ranger/audit/hbaseMaster
hdfs dfs -mkdir -p /ranger/audit/hbaseRegional
-hdfs dfs -chown hbase:hbase /ranger/audit/hbaseRegional
+hdfs dfs -chown $HBASE_USER_GROUP /ranger/audit/hbaseRegional
hdfs dfs -chmod -R 0700 /ranger/audit/hbaseRegional
hdfs dfs -mkdir -p /ranger/audit/hdfs
-hdfs dfs -chown hdfs:hdfs /ranger/audit/hdfs
+hdfs dfs -chown $HDFS_USER_GROUP /ranger/audit/hdfs
hdfs dfs -chmod -R 0700 /ranger/audit/hdfs
hdfs dfs -mkdir -p /ranger/audit/hiveServer2
-hdfs dfs -chown hive:hive /ranger/audit/hiveServer2
+hdfs dfs -chown $HIVE_USER_GROUP /ranger/audit/hiveServer2
hdfs dfs -chmod -R 0700 /ranger/audit/hiveServer2
hdfs dfs -mkdir -p /ranger/audit/kafka
-hdfs dfs -chown kafka:kafka /ranger/audit/kafka
+hdfs dfs -chown $KAFKA_USER_GROUP /ranger/audit/kafka
hdfs dfs -chmod -R 0700 /ranger/audit/kafka
hdfs dfs -mkdir -p /ranger/audit/kms
-hdfs dfs -chown kms:kms /ranger/audit/kms
+hdfs dfs -chown $KMS_USER_GROUP /ranger/audit/kms
hdfs dfs -chmod -R 0700 /ranger/audit/kms
hdfs dfs -mkdir -p /ranger/audit/knox
-hdfs dfs -chown knox:knox /ranger/audit/knox
+hdfs dfs -chown $KNOX_USER_GROUP /ranger/audit/knox
hdfs dfs -chmod -R 0700 /ranger/audit/knox
hdfs dfs -mkdir -p /ranger/audit/solr
-hdfs dfs -chown solr:solr /ranger/audit/solr
+hdfs dfs -chown $SOLR_USER_GROUP /ranger/audit/solr
hdfs dfs -chmod -R 0700 /ranger/audit/solr
hdfs dfs -mkdir -p /ranger/audit/storm
-hdfs dfs -chown storm:storm /ranger/audit/storm
+hdfs dfs -chown $STORM_USER_GROUP /ranger/audit/storm
hdfs dfs -chmod -R 0700 /ranger/audit/storm
hdfs dfs -mkdir -p /ranger/audit/yarn
-hdfs dfs -chown yarn:yarn /ranger/audit/yarn
+hdfs dfs -chown $YARN_USER_GROUP /ranger/audit/yarn
hdfs dfs -chmod -R 0700 /ranger/audit/yarn
+
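Review bot: The script still runs without `set -e`, so if one `hdfs dfs -mkdir` or `-chown` fails, the following `chmod -R 0700` and the remaining directories are still attempted and the audit tree may be left partly with the default ownership rather than the intended per-service owner; `set -ex` in place of the existing `set -x` stops at the first failure. The new `$HBASE_USER_GROUP`-style expansions are unquoted; the values contain no whitespace today, but now that the header invites users to edit them, `"$HBASE_USER_GROUP"` is the safer form.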
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9cb055fc/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_secure.sh
----------------------------------------------------------------------
diff --git a/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_secure.sh b/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_secure.sh
index b15beee..12a4c93 100755
--- a/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_secure.sh
+++ b/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_secure.sh
@@ -14,54 +14,66 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-#Usage: Run this script as user hdfs.
-#Creating folders required for Apache Ranger auditing to HDFS.
-#Note 1: Use this script only for non-secure/kerberos environment
-#
+#Usage: Run this script as user hdfs or the HDFS admin user.
+#This script creates the folders in HDFS required by Apache Ranger for writing Audit records
+#Note 1: Use this script only for non-kerberos environment. In non-kerberos environment, Ranger KMS writes the audit logs as user "HTTP"
+#Note 2: Please update the below variables according to your environment
+
+HBASE_USER_GROUP=hbase:hbase
+HDFS_USER_GROUP=hdfs:hdfs
+HIVE_USER_GROUP=hive:hive
+KAFKA_USER_GROUP=kafka:kafka
+KMS_USER_GROUP=HTTP:HTTP
+KNOX_USER_GROUP=knox:knox
+SOLR_USER_GROUP=solr:solr
+STORM_USER_GROUP=storm:storm
+YARN_USER_GROUP=yarn:yarn
set -x
+
+#Create parent folder with rx permission
hdfs dfs -mkdir -p /ranger/audit
-hdfs dfs -chown hdfs:hdfs /ranger/audit
+hdfs dfs -chown $HDFS_USER_GROUP /ranger/audit
hdfs dfs -chmod 755 /ranger
hdfs dfs -chmod 755 /ranger/audit
-
hdfs dfs -mkdir -p /ranger/audit/hbaseMaster
-hdfs dfs -chown hbase:hbase /ranger/audit/hbaseMaster
+hdfs dfs -chown $HBASE_USER_GROUP /ranger/audit/hbaseMaster
hdfs dfs -chmod -R 0700 /ranger/audit/hbaseMaster
hdfs dfs -mkdir -p /ranger/audit/hbaseRegional
-hdfs dfs -chown hbase:hbase /ranger/audit/hbaseRegional
+hdfs dfs -chown $HBASE_USER_GROUP /ranger/audit/hbaseRegional
hdfs dfs -chmod -R 0700 /ranger/audit/hbaseRegional
hdfs dfs -mkdir -p /ranger/audit/hdfs
-hdfs dfs -chown hdfs:hdfs /ranger/audit/hdfs
+hdfs dfs -chown $HDFS_USER_GROUP /ranger/audit/hdfs
hdfs dfs -chmod -R 0700 /ranger/audit/hdfs
hdfs dfs -mkdir -p /ranger/audit/hiveServer2
-hdfs dfs -chown hive:hive /ranger/audit/hiveServer2
+hdfs dfs -chown $HIVE_USER_GROUP /ranger/audit/hiveServer2
hdfs dfs -chmod -R 0700 /ranger/audit/hiveServer2
hdfs dfs -mkdir -p /ranger/audit/kafka
-hdfs dfs -chown kafka:kafka /ranger/audit/kafka
+hdfs dfs -chown $KAFKA_USER_GROUP /ranger/audit/kafka
hdfs dfs -chmod -R 0700 /ranger/audit/kafka
hdfs dfs -mkdir -p /ranger/audit/kms
-hdfs dfs -chown HTTP:HTTP /ranger/audit/kms
+hdfs dfs -chown $KMS_USER_GROUP /ranger/audit/kms
hdfs dfs -chmod -R 0700 /ranger/audit/kms
hdfs dfs -mkdir -p /ranger/audit/knox
-hdfs dfs -chown knox:knox /ranger/audit/knox
+hdfs dfs -chown $KNOX_USER_GROUP /ranger/audit/knox
hdfs dfs -chmod -R 0700 /ranger/audit/knox
hdfs dfs -mkdir -p /ranger/audit/solr
-hdfs dfs -chown solr:solr /ranger/audit/solr
+hdfs dfs -chown $SOLR_USER_GROUP /ranger/audit/solr
hdfs dfs -chmod -R 0700 /ranger/audit/solr
hdfs dfs -mkdir -p /ranger/audit/storm
-hdfs dfs -chown storm:storm /ranger/audit/storm
+hdfs dfs -chown $STORM_USER_GROUP /ranger/audit/storm
hdfs dfs -chmod -R 0700 /ranger/audit/storm
hdfs dfs -mkdir -p /ranger/audit/yarn
-hdfs dfs -chown yarn:yarn /ranger/audit/yarn
+hdfs dfs -chown $YARN_USER_GROUP /ranger/audit/yarn
hdfs dfs -chmod -R 0700 /ranger/audit/yarn
+
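Review bot: The rewritten header comment (`#Note 1: Use this script only for non-kerberos environment...`) contradicts both the file name `create_hdfs_folders_for_audit_secure.sh` and the new `KMS_USER_GROUP=HTTP:HTTP` default, which is the principal a kerberized KMS writes under; the text looks carried over from the non-secure variant. Suggest `#Note 1: Use this script only for a kerberos-enabled environment. In a kerberos environment, Ranger KMS writes the audit logs as user "HTTP"`. Separately, the script runs under `set -x` with no `set -e`, so a failed `chown` (for example a mistyped `*_USER_GROUP` value) is only echoed and the following `chmod -R 0700` still runs, leaving the audit directory owned by the invoking user so the component cannot write its audit records; adding `set -e` after the variable block would stop at the first failure.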
[30/33] incubator-ranger git commit: RANGER-652: Include
ldapconfigcheck tool in main pom.xml
Posted by ma...@apache.org.
RANGER-652: Include ldapconfigcheck tool in main pom.xml
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/6f758715
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/6f758715
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/6f758715
Branch: refs/heads/tag-policy
Commit: 6f7587154d977290fe8b39ffecef5cd793eb0000
Parents: 8f07737
Author: Velmurugan Periasamy <ve...@apache.org>
Authored: Thu Oct 15 23:47:53 2015 -0400
Committer: Velmurugan Periasamy <ve...@apache.org>
Committed: Thu Oct 15 23:47:53 2015 -0400
----------------------------------------------------------------------
pom.xml | 1 +
ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/6f758715/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 2ae8d3d..0ccf12e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -92,6 +92,7 @@
<module>security-admin</module>
<module>plugin-solr</module>
<module>ugsync</module>
+ <module>ugsync/ldapconfigchecktool/ldapconfigcheck</module>
<module>unixauthclient</module>
<module>unixauthservice</module>
<module>ranger-util</module>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/6f758715/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml
----------------------------------------------------------------------
diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml b/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml
index a0971f2..4ac823f 100644
--- a/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml
+++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/pom.xml
@@ -24,7 +24,7 @@
<groupId>org.apache.ranger</groupId>
<artifactId>ranger</artifactId>
<version>0.5.0</version>
- <relativePath>..</relativePath>
+ <relativePath>../../../pom.xml</relativePath>
</parent>
<artifactId>ldapconfigcheck</artifactId>
[19/33] incubator-ranger git commit: RANGER-673 : Setup changes to
allow Ranger service to installed using custom service user
Posted by ma...@apache.org.
RANGER-673 : Setup changes to allow Ranger service to be installed using a custom service user
Signed-off-by: Velmurugan Periasamy <ve...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/c22bdecf
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/c22bdecf
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/c22bdecf
Branch: refs/heads/tag-policy
Commit: c22bdecf8e028ec9e91d948d61d3dbbfbd00935e
Parents: 35aa706
Author: Gautam Borad <gb...@gmail.com>
Authored: Tue Oct 6 17:07:10 2015 +0530
Committer: Velmurugan Periasamy <ve...@apache.org>
Committed: Sat Oct 10 12:02:57 2015 -0400
----------------------------------------------------------------------
agents-common/scripts/enable-agent.sh | 28 +++++++++++++++++++++++++++-
hbase-agent/scripts/install.properties | 13 +++++++++++++
hdfs-agent/scripts/install.properties | 13 +++++++++++++
hive-agent/scripts/install.properties | 13 +++++++++++++
kms/scripts/setup.sh | 7 ++++++-
knox-agent/scripts/install.properties | 14 ++++++++++++++
plugin-kafka/scripts/install.properties | 14 ++++++++++++++
plugin-kms/scripts/enable-kms-plugin.sh | 28 +++++++++++++++++++++++++++-
plugin-solr/scripts/install.properties | 14 ++++++++++++++
plugin-yarn/scripts/install.properties | 13 +++++++++++++
security-admin/scripts/set_globals.sh | 6 ++++++
security-admin/scripts/setup.sh | 11 +++++++++++
storm-agent/scripts/install.properties | 13 +++++++++++++
unixauthservice/scripts/set_globals.sh | 5 +++++
unixauthservice/scripts/setup.py | 20 ++++++++++++++++----
15 files changed, 205 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c22bdecf/agents-common/scripts/enable-agent.sh
----------------------------------------------------------------------
diff --git a/agents-common/scripts/enable-agent.sh b/agents-common/scripts/enable-agent.sh
index 55130a5..f3db125 100755
--- a/agents-common/scripts/enable-agent.sh
+++ b/agents-common/scripts/enable-agent.sh
@@ -23,7 +23,7 @@ function getInstallProperty() {
do
if [ -f "${file}" ]
then
- propertyValue=`grep "^${propertyName}" ${file} | awk -F= '{ sub("^[ \t]*", "", $2); sub("[ \t]*$", "", $2); print $2 }'`
+ propertyValue=`grep "^${propertyName}[ \t]*=" ${file} | awk -F= '{ sub("^[ \t]*", "", $2); sub("[ \t]*$", "", $2); print $2 }'`
if [ "${propertyValue}" != "" ]
then
break
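Review bot: The new grep pattern `^${propertyName}[ \t]*=` does not match a tab before `=`, because inside a POSIX bracket expression a backslash is literal, so `[ \t]` matches a space, a backslash or the letter `t`; the awk `sub()` calls on the same line work only because awk converts `\t` in the string to a tab before compiling it. `grep "^${propertyName}[[:space:]]*=" "${file}"` matches both separators and also quotes the file path. The same pattern is added to plugin-kms/scripts/enable-kms-plugin.sh in this commit. getInstallProperty starts outside the hunk.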
@@ -123,6 +123,32 @@ JAVA=$JAVA_HOME/bin/java
HCOMPONENT_INSTALL_DIR_NAME=$(getInstallProperty 'COMPONENT_INSTALL_DIR_NAME')
+
+CUSTOM_USER=$(getInstallProperty 'CUSTOM_USER')
+CUSTOM_USER=${CUSTOM_USER// }
+
+CUSTOM_GROUP=$(getInstallProperty 'CUSTOM_GROUP')
+CUSTOM_GROUP=${CUSTOM_GROUP// }
+
+
+
+if [ ! -z "${CUSTOM_USER}" ] && [ ! -z "${CUSTOM_GROUP}" ]
+then
+ echo "Custom user and group is available, using custom user and group."
+ CFG_OWNER_INF="${CUSTOM_USER}:${CUSTOM_GROUP}"
+elif [ ! -z "${CUSTOM_USER}" ] && [ -z "${CUSTOM_GROUP}" ]
+then
+ echo "Custom user is available, using custom user and default group."
+ CFG_OWNER_INF="${CUSTOM_USER}:${HCOMPONENT_NAME}"
+elif [ -z "${CUSTOM_USER}" ] && [ ! -z "${CUSTOM_GROUP}" ]
+then
+ echo "Custom group is available, using default user and custom group."
+ CFG_OWNER_INF="${HCOMPONENT_NAME}:${CUSTOM_GROUP}"
+else
+ echo "Custom user and group are not available, using default user and group."
+ CFG_OWNER_INF="${HCOMPONENT_NAME}:${HCOMPONENT_NAME}"
+fi
+
if [ "${HCOMPONENT_INSTALL_DIR_NAME}" = "" ]
then
HCOMPONENT_INSTALL_DIR_NAME=${HCOMPONENT_NAME}
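Review bot: `CUSTOM_USER` and `CUSTOM_GROUP` are taken straight from install.properties into `CFG_OWNER_INF` with no check that the account or group exists on this host, so a typo only surfaces later when the resulting `chown` fails, possibly after some files have already been re-owned. A guard such as `if [ -n "${CUSTOM_USER}" ] && ! id "${CUSTOM_USER}" >/dev/null 2>&1; then echo "ERROR: user ${CUSTOM_USER} does not exist"; exit 1; fi` (with the equivalent `getent group` check for `CUSTOM_GROUP`) placed before the branch would fail fast. The same four-way branch is duplicated with `unix_user`/`unix_group` in plugin-kms/scripts/enable-kms-plugin.sh, where the same check applies. The `[ ! -z ... ]` tests read more naturally as `[ -n ... ]`.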
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c22bdecf/hbase-agent/scripts/install.properties
----------------------------------------------------------------------
diff --git a/hbase-agent/scripts/install.properties b/hbase-agent/scripts/install.properties
index 5df518a..795ea3e 100644
--- a/hbase-agent/scripts/install.properties
+++ b/hbase-agent/scripts/install.properties
@@ -161,3 +161,16 @@ SSL_TRUSTSTORE_PASSWORD=changeit
# UPDATE_XAPOLICIES_ON_GRANT_REVOKE=false
#
UPDATE_XAPOLICIES_ON_GRANT_REVOKE=true
+
+#
+# Custom component user
+# CUSTOM_COMPONENT_USER=<custom-user>
+# keep blank if component user is default
+CUSTOM_USER=hbase
+
+
+#
+# Custom component group
+# CUSTOM_COMPONENT_GROUP=<custom-group>
+# keep blank if component group is default
+CUSTOM_GROUP=hadoop
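Review bot: The explanatory comment names the keys `CUSTOM_COMPONENT_USER` and `CUSTOM_COMPONENT_GROUP`, but the keys actually read by `getInstallProperty` in enable-agent.sh are `CUSTOM_USER` and `CUSTOM_GROUP`, so an operator who follows the comment sets a property that is silently ignored. Change the comment lines to `# CUSTOM_USER=<custom-user>` and `# CUSTOM_GROUP=<custom-group>`. The same comment text is added to the hdfs, hive, knox, kafka, solr, yarn and storm install.properties in this commit. The comment also says "keep blank if component user is default" while the shipped value is a concrete `hbase`/`hadoop`; stating that a blank value falls back to the component name (as enable-agent.sh does) would make the contract explicit.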
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c22bdecf/hdfs-agent/scripts/install.properties
----------------------------------------------------------------------
diff --git a/hdfs-agent/scripts/install.properties b/hdfs-agent/scripts/install.properties
index fa21949..b4dda13 100644
--- a/hdfs-agent/scripts/install.properties
+++ b/hdfs-agent/scripts/install.properties
@@ -149,3 +149,16 @@ SSL_KEYSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-keystore.jks
SSL_KEYSTORE_PASSWORD=myKeyFilePassword
SSL_TRUSTSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-truststore.jks
SSL_TRUSTSTORE_PASSWORD=changeit
+
+#
+# Custom component user
+# CUSTOM_COMPONENT_USER=<custom-user>
+# keep blank if component user is default
+CUSTOM_USER=hdfs
+
+
+#
+# Custom component group
+# CUSTOM_COMPONENT_GROUP=<custom-group>
+# keep blank if component group is default
+CUSTOM_GROUP=hadoop
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c22bdecf/hive-agent/scripts/install.properties
----------------------------------------------------------------------
diff --git a/hive-agent/scripts/install.properties b/hive-agent/scripts/install.properties
index 2e41a37..6b71a85 100644
--- a/hive-agent/scripts/install.properties
+++ b/hive-agent/scripts/install.properties
@@ -158,3 +158,16 @@ SSL_TRUSTSTORE_PASSWORD=changeit
# UPDATE_XAPOLICIES_ON_GRANT_REVOKE=false
#
UPDATE_XAPOLICIES_ON_GRANT_REVOKE=true
+
+#
+# Custom component user
+# CUSTOM_COMPONENT_USER=<custom-user>
+# keep blank if component user is default
+CUSTOM_USER=hive
+
+
+#
+# Custom component group
+# CUSTOM_COMPONENT_GROUP=<custom-group>
+# keep blank if component group is default
+CUSTOM_GROUP=hadoop
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c22bdecf/kms/scripts/setup.sh
----------------------------------------------------------------------
diff --git a/kms/scripts/setup.sh b/kms/scripts/setup.sh
index e0c3136..96bf6a0 100755
--- a/kms/scripts/setup.sh
+++ b/kms/scripts/setup.sh
@@ -538,7 +538,9 @@ setup_install_files(){
if [ -d /etc/init.d ]; then
log "[I] Setting up init.d"
cp ${INSTALL_DIR}/${RANGER_KMS}-initd /etc/init.d/${RANGER_KMS}
-
+ if [ "${unix_user}" != "kms" ]; then
+ sed 's/LINUX_USER=kms/LINUX_USER='${unix_user}'/g' -i /etc/init.d/${RANGER_KMS}
+ fi
chmod ug+rx /etc/init.d/${RANGER_KMS}
if [ -d /etc/rc2.d ]
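Review bot: `${unix_user}` is interpolated unquoted into the sed program at `sed 's/LINUX_USER=kms/LINUX_USER='${unix_user}'/g' -i ...`, so a value containing `/`, `&` or whitespace yields a malformed or wrong substitution in a root-owned init script rather than an error, and placing `-i` after the expression relies on GNU option reordering. Prefer `sed -i "s|LINUX_USER=kms|LINUX_USER=${unix_user}|g" "/etc/init.d/${RANGER_KMS}"` after confirming the value is a plain account name (for example that `id "${unix_user}"` succeeds). The same construct is added to security-admin/scripts/setup.sh for `LINUX_USER=ranger` in this commit. setup_install_files starts outside the hunk.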
@@ -584,6 +586,9 @@ setup_install_files(){
chown -R ${unix_user} ${KMS_DIR}/ews/logs
fi
+ if [ -d ${KMS_DIR}/ews/logs ]; then
+ chown -R ${unix_user} ${KMS_DIR}/ews/logs
+ fi
log "[I] Setting up installation files and directory DONE";
if [ ! -f ${INSTALL_DIR}/rpm ]; then
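Review bot: The new `chown -R ${unix_user} ${KMS_DIR}/ews/logs` changes only the owner and leaves the group untouched, whereas the set_globals.sh changes in this same commit use `$unix_user:$unix_group`; if a previous install ran under a different user, the log tree keeps its old group. Using `chown -R "${unix_user}:${unix_group}" "${KMS_DIR}/ews/logs"` (assuming `unix_group` is defined in this script as it is in set_globals.sh — not visible from the hunk) keeps the two consistent and also quotes the path. The same owner-only form is added twice in security-admin/scripts/setup.sh, for `WEB-INF/classes/conf` and `ews/logs`. The enclosing setup_install_files continues outside the hunk.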
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c22bdecf/knox-agent/scripts/install.properties
----------------------------------------------------------------------
diff --git a/knox-agent/scripts/install.properties b/knox-agent/scripts/install.properties
index 506c53c..1febd49 100644
--- a/knox-agent/scripts/install.properties
+++ b/knox-agent/scripts/install.properties
@@ -152,3 +152,17 @@ SSL_KEYSTORE_FILE_PATH=/etc/knox/conf/ranger-plugin-keystore.jks
SSL_KEYSTORE_PASSWORD=myKeyFilePassword
SSL_TRUSTSTORE_FILE_PATH=/etc/knox/conf/ranger-plugin-truststore.jks
SSL_TRUSTSTORE_PASSWORD=changeit
+
+
+#
+# Custom component user
+# CUSTOM_COMPONENT_USER=<custom-user>
+# keep blank if component user is default
+CUSTOM_USER=knox
+
+
+#
+# Custom component group
+# CUSTOM_COMPONENT_GROUP=<custom-group>
+# keep blank if component group is default
+CUSTOM_GROUP=knox
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c22bdecf/plugin-kafka/scripts/install.properties
----------------------------------------------------------------------
diff --git a/plugin-kafka/scripts/install.properties b/plugin-kafka/scripts/install.properties
index bc6481b..79ea6db 100644
--- a/plugin-kafka/scripts/install.properties
+++ b/plugin-kafka/scripts/install.properties
@@ -155,3 +155,17 @@ SSL_KEYSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-keystore.jks
SSL_KEYSTORE_PASSWORD=myKeyFilePassword
SSL_TRUSTSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-truststore.jks
SSL_TRUSTSTORE_PASSWORD=changeit
+
+
+#
+# Custom component user
+# CUSTOM_COMPONENT_USER=<custom-user>
+# keep blank if component user is default
+CUSTOM_USER=kafka
+
+
+#
+# Custom component group
+# CUSTOM_COMPONENT_GROUP=<custom-group>
+# keep blank if component group is default
+CUSTOM_GROUP=hadoop
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c22bdecf/plugin-kms/scripts/enable-kms-plugin.sh
----------------------------------------------------------------------
diff --git a/plugin-kms/scripts/enable-kms-plugin.sh b/plugin-kms/scripts/enable-kms-plugin.sh
index 53187f7..468d39e 100755
--- a/plugin-kms/scripts/enable-kms-plugin.sh
+++ b/plugin-kms/scripts/enable-kms-plugin.sh
@@ -23,7 +23,7 @@ function getInstallProperty() {
do
if [ -f "${file}" ]
then
- propertyValue=`grep "^${propertyName}" ${file} | awk -F= '{ sub("^[ \t]*", "", $2); sub("[ \t]*$", "", $2); print $2 }'`
+ propertyValue=`grep "^${propertyName}[ \t]*=" ${file} | awk -F= '{ sub("^[ \t]*", "", $2); sub("[ \t]*$", "", $2); print $2 }'`
if [ "${propertyValue}" != "" ]
then
break
@@ -118,6 +118,32 @@ JAVA=$JAVA_HOME/bin/java
HCOMPONENT_INSTALL_DIR_NAME=$(getInstallProperty 'COMPONENT_INSTALL_DIR_NAME')
+unix_user=$(getInstallProperty 'unix_user')
+unix_user=${unix_user// }
+
+unix_group=$(getInstallProperty 'unix_group')
+unix_group=${unix_group// }
+
+
+
+if [ ! -z "${unix_user}" ] && [ ! -z "${unix_group}" ]
+then
+ echo "Custom user and group is available, using custom user and group."
+ CFG_OWNER_INF="${unix_user}:${unix_group}"
+elif [ ! -z "${unix_user}" ] && [ -z "${unix_group}" ]
+then
+ echo "Custom user is available, using custom user and default group."
+ CFG_OWNER_INF="${unix_user}:${HCOMPONENT_NAME}"
+elif [ -z "${unix_user}" ] && [ ! -z "${unix_group}" ]
+then
+ echo "Custom group is available, using default user and custom group."
+ CFG_OWNER_INF="${HCOMPONENT_NAME}:${unix_group}"
+else
+ echo "Custom user and group are not available, using default user and group."
+ CFG_OWNER_INF="${HCOMPONENT_NAME}:${HCOMPONENT_NAME}"
+fi
+
+
if [ "${HCOMPONENT_INSTALL_DIR_NAME}" = "" ]
then
HCOMPONENT_INSTALL_DIR_NAME=${HCOMPONENT_NAME}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c22bdecf/plugin-solr/scripts/install.properties
----------------------------------------------------------------------
diff --git a/plugin-solr/scripts/install.properties b/plugin-solr/scripts/install.properties
index 9bc305b..a3d9887 100644
--- a/plugin-solr/scripts/install.properties
+++ b/plugin-solr/scripts/install.properties
@@ -155,3 +155,17 @@ SSL_KEYSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-keystore.jks
SSL_KEYSTORE_PASSWORD=myKeyFilePassword
SSL_TRUSTSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-truststore.jks
SSL_TRUSTSTORE_PASSWORD=changeit
+
+
+
+#
+# Custom component user
+# CUSTOM_COMPONENT_USER=<custom-user>
+# keep blank if component user is default
+CUSTOM_USER=solr
+
+#
+# Custom component group
+# CUSTOM_COMPONENT_GROUP=<custom-group>
+# keep blank if component group is default
+CUSTOM_GROUP=solr
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c22bdecf/plugin-yarn/scripts/install.properties
----------------------------------------------------------------------
diff --git a/plugin-yarn/scripts/install.properties b/plugin-yarn/scripts/install.properties
index 01f733d..3780068 100644
--- a/plugin-yarn/scripts/install.properties
+++ b/plugin-yarn/scripts/install.properties
@@ -147,3 +147,16 @@ SSL_KEYSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-keystore.jks
SSL_KEYSTORE_PASSWORD=myKeyFilePassword
SSL_TRUSTSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-truststore.jks
SSL_TRUSTSTORE_PASSWORD=changeit
+
+#
+# Custom component user
+# CUSTOM_COMPONENT_USER=<custom-user>
+# keep blank if component user is default
+CUSTOM_USER=yarn
+
+
+#
+# Custom component group
+# CUSTOM_COMPONENT_GROUP=<custom-group>
+# keep blank if component group is default
+CUSTOM_GROUP=hadoop
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c22bdecf/security-admin/scripts/set_globals.sh
----------------------------------------------------------------------
diff --git a/security-admin/scripts/set_globals.sh b/security-admin/scripts/set_globals.sh
index 2c00aed..9a4159c 100755
--- a/security-admin/scripts/set_globals.sh
+++ b/security-admin/scripts/set_globals.sh
@@ -91,5 +91,11 @@ if [ ! -d /var/log/ranger/admin ]; then
chmod 755 /var/log/ranger/admin
chown -R $unix_user:$unix_group /var/log/ranger
fi
+
+if [ -d /var/log/ranger/admin ]; then
+ chown -R $unix_user:$unix_group /var/log/ranger/admin
+fi
+
+
mv -f ews/logs ews/webapp/logs.$curDt 2> /dev/null
ln -sf /var/log/ranger/admin ews/logs
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c22bdecf/security-admin/scripts/setup.sh
----------------------------------------------------------------------
diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh
index 71c424c..9710706 100755
--- a/security-admin/scripts/setup.sh
+++ b/security-admin/scripts/setup.sh
@@ -1516,6 +1516,10 @@ setup_install_files(){
chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/conf
fi
+ if [ -d ${WEBAPP_ROOT}/WEB-INF/classes/conf ]; then
+ chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/conf
+ fi
+
if [ ! -d ${WEBAPP_ROOT}/WEB-INF/classes/lib ]; then
log "[I] Creating ${WEBAPP_ROOT}/WEB-INF/classes/lib"
mkdir -p ${WEBAPP_ROOT}/WEB-INF/classes/lib
@@ -1525,6 +1529,9 @@ setup_install_files(){
if [ -d /etc/init.d ]; then
log "[I] Setting up init.d"
cp ${INSTALL_DIR}/ews/${RANGER_ADMIN_INITD} /etc/init.d/${RANGER_ADMIN}
+ if [ "${unix_user}" != "ranger" ]; then
+ sed 's/LINUX_USER=ranger/LINUX_USER='${unix_user}'/g' -i /etc/init.d/${RANGER_ADMIN}
+ fi
chmod ug+rx /etc/init.d/${RANGER_ADMIN}
@@ -1571,6 +1578,10 @@ setup_install_files(){
chown -R ${unix_user} ${XAPOLICYMGR_DIR}/ews/logs
fi
+ if [ -d ${XAPOLICYMGR_DIR}/ews/logs ]; then
+ chown -R ${unix_user} ${XAPOLICYMGR_DIR}/ews/logs
+ fi
+
log "[I] Setting up installation files and directory DONE";
if [ ! -f ${INSTALL_DIR}/rpm ]; then
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c22bdecf/storm-agent/scripts/install.properties
----------------------------------------------------------------------
diff --git a/storm-agent/scripts/install.properties b/storm-agent/scripts/install.properties
index 82f17af..f2aa5c4 100644
--- a/storm-agent/scripts/install.properties
+++ b/storm-agent/scripts/install.properties
@@ -149,3 +149,16 @@ SSL_KEYSTORE_FILE_PATH=/etc/storm/conf/ranger-plugin-keystore.jks
SSL_KEYSTORE_PASSWORD=myKeyFilePassword
SSL_TRUSTSTORE_FILE_PATH=/etc/storm/conf/ranger-plugin-truststore.jks
SSL_TRUSTSTORE_PASSWORD=changeit
+
+#
+# Custom component user
+# CUSTOM_COMPONENT_USER=<custom-user>
+# keep blank if component user is default
+CUSTOM_USER=storm
+
+
+#
+# Custom component group
+# CUSTOM_COMPONENT_GROUP=<custom-group>
+# keep blank if component group is default
+CUSTOM_GROUP=hadoop
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c22bdecf/unixauthservice/scripts/set_globals.sh
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/set_globals.sh b/unixauthservice/scripts/set_globals.sh
index c77fbf9..c92dfdc 100755
--- a/unixauthservice/scripts/set_globals.sh
+++ b/unixauthservice/scripts/set_globals.sh
@@ -89,5 +89,10 @@ if [ ! -d /var/log/ranger/usersync ]; then
chmod 755 /var/log/ranger/usersync
chown -R $unix_user:$unix_group /var/log/ranger
fi
+
+if [ -d /var/log/ranger/usersync ]; then
+ chown -R $unix_user:$unix_group /var/log/ranger/usersync
+fi
+
mv -f logs logs.$curDt 2> /dev/null
ln -sf /var/log/ranger/usersync logs
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c22bdecf/unixauthservice/scripts/setup.py
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/setup.py b/unixauthservice/scripts/setup.py
index 5ba50d3..31c486e 100755
--- a/unixauthservice/scripts/setup.py
+++ b/unixauthservice/scripts/setup.py
@@ -232,13 +232,25 @@ def createGroup(groupname):
print "ERROR: Unable to create a new group: %s" % (groupname,e)
sys.exit(1)
-def initializeInitD():
+def initializeInitD(ownerName):
if (os.path.isdir(initdDirName)):
fn = join(installPropDirName,initdProgramName)
initdFn = join(initdDirName,initdProgramName)
shutil.copy(fn, initdFn)
- os.chmod(initdFn,0550)
- rcDirList = [ "/etc/rc2.d", "/etc/rc3.d", "/etc/rc.d/rc2.d", "/etc/rc.d/rc3.d" ]
+ if (ownerName != 'ranger'):
+ f = open(initdFn,'r')
+ filedata = f.read()
+ f.close()
+ find_str = "LINUX_USER=ranger"
+ replace_str = "LINUX_USER="+ ownerName
+ newdata = filedata.replace(find_str,replace_str)
+
+ f = open(initdFn,'w')
+ f.write(newdata)
+ f.close()
+
+ os.chmod(initdFn,0550)
+ rcDirList = [ "/etc/rc2.d", "/etc/rc3.d", "/etc/rc.d/rc2.d", "/etc/rc.d/rc3.d" ]
for rcDir in rcDirList:
if (os.path.isdir(rcDir)):
for prefix in initPrefixList:
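Review bot: In `initializeInitD` the init script is read and rewritten with bare `open()`/`close()` calls and no `with` or `try`/`finally`, so an exception between them (for example a permission error on the write) leaks the handle, and nothing confirms that `LINUX_USER=ranger` was actually present, so an init script with a different template silently keeps the default user. Suggest `with open(initdFn, 'r') as f: filedata = f.read()` and `with open(initdFn, 'w') as f: f.write(newdata)`, plus an `if filedata == newdata:` check that prints an ERROR and exits, like `createGroup` at the top of the hunk. The function body continues past the hunk (the rc.d symlink loop).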
@@ -365,7 +377,7 @@ def main():
os.chown(pidFolderName,ownerId,groupId)
os.chown(rangerBaseDirName,ownerId,groupId)
- initializeInitD()
+ initializeInitD(ownerName)
#
# Add password to crypt path
[29/33] incubator-ranger git commit: RANGER-687: Service update
should ignore user provided values for internal fields - like policyVersion
Posted by ma...@apache.org.
RANGER-687: Service update should ignore user provided values for internal fields - like policyVersion
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/8f07737f
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/8f07737f
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/8f07737f
Branch: refs/heads/tag-policy
Commit: 8f07737f97c111eb6c088917076a2d86eb117a86
Parents: 1f43245
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Wed Oct 14 23:39:45 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Thu Oct 15 16:03:14 2015 -0700
----------------------------------------------------------------------
.../src/main/java/org/apache/ranger/biz/ServiceDBStore.java | 6 ++++++
1 file changed, 6 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8f07737f/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index a5ac557..6e07e4e 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -1126,6 +1126,12 @@ public class ServiceDBStore implements ServiceStore {
service = svcServiceWithAssignedId.update(service);
svcServiceWithAssignedId.setPopulateExistingBaseFields(false);
} else {
+ service.setCreateTime(existing.getCreateTime());
+ service.setGuid(existing.getGuid());
+ service.setVersion(existing.getVersion());
+ service.setPolicyUpdateTime(existing.getPolicyUpdateTime());
+ service.setPolicyVersion(existing.getPolicyVersion());
+
service = svcService.update(service);
}
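Review bot: The carry-over of `createTime`, `guid`, `version`, `policyUpdateTime` and `policyVersion` from `existing` is applied only in the `else` branch, while the `svcServiceWithAssignedId.update(service)` path just above still persists whatever the caller supplied for those fields; if that path is reachable for ordinary client updates (the hunk does not show whether it is reserved for imports with pre-assigned ids), the fix is incomplete. A short comment above the new set calls would make the intent reviewable, e.g. `// internal bookkeeping fields are never client-settable on update; preserve the stored values`. The hunk also assumes `existing` is non-null here; that check presumably happens earlier in the enclosing method, which begins outside the hunk.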
[12/33] incubator-ranger git commit: RANGER-266: Solr configuration
and setup files and documentation
Posted by ma...@apache.org.
RANGER-266: Solr configuration and setup files and documentation
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/c5ae2edd
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/c5ae2edd
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/c5ae2edd
Branch: refs/heads/tag-policy
Commit: c5ae2edd9948b9cbb463533589b356c9b4313fae
Parents: 483ea47
Author: Don Bosco Durai <bo...@apache.org>
Authored: Sun Sep 20 01:57:35 2015 -0400
Committer: Don Bosco Durai <bo...@apache.org>
Committed: Thu Oct 1 11:00:55 2015 -0700
----------------------------------------------------------------------
.../contrib/solr_for_audit_setup/README.txt | 25 +
.../solr_for_audit_setup/conf/admin-extra.html | 24 +
.../conf/admin-extra.menu-bottom.html | 25 +
.../conf/admin-extra.menu-top.html | 25 +
.../solr_for_audit_setup/conf/elevate.xml | 38 +
.../solr_for_audit_setup/conf/schema.xml | 118 ++
.../solr_for_audit_setup/conf/solrconfig.xml | 1865 ++++++++++++++++++
.../solr_for_audit_setup/install.properties | 96 +
.../resources/log4j.properties.template | 39 +
.../contrib/solr_for_audit_setup/setup.sh | 421 ++++
.../add_ranger_audits_conf_to_zk.sh.template | 63 +
.../create_ranger_audits_collection.sh.template | 33 +
.../solr_cloud/scripts/start_solr.sh.template | 39 +
.../solr_cloud/scripts/stop_solr.sh.template | 35 +
.../solr_cloud/solr.xml.template | 26 +
.../ranger_audits/core.properties.template | 20 +
.../scripts/start_solr.sh.template | 38 +
.../scripts/stop_solr.sh.template | 35 +
.../solr_standalone/solr.xml | 19 +
src/main/assembly/admin-web.xml | 7 +
20 files changed, 2991 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c5ae2edd/security-admin/contrib/solr_for_audit_setup/README.txt
----------------------------------------------------------------------
diff --git a/security-admin/contrib/solr_for_audit_setup/README.txt b/security-admin/contrib/solr_for_audit_setup/README.txt
new file mode 100644
index 0000000..ac4eb8e
--- /dev/null
+++ b/security-admin/contrib/solr_for_audit_setup/README.txt
@@ -0,0 +1,25 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+This folder consists of the scripts required to install and configure Solr
+as an audit destination/source for Apache Ranger.
+
+Check Apache Ranger Wiki page for more information:
+https://cwiki.apache.org/confluence/display/RANGER/Install+and+Configure+Solr+for+Ranger+Audits+-+Apache+Ranger+0.5
+
+Steps:
+1. Update install.properties
+2. ./setup.sh
+3. Check $SOLR_RANGER_HOME/install_notes.txt for additional instructions
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c5ae2edd/security-admin/contrib/solr_for_audit_setup/conf/admin-extra.html
----------------------------------------------------------------------
diff --git a/security-admin/contrib/solr_for_audit_setup/conf/admin-extra.html b/security-admin/contrib/solr_for_audit_setup/conf/admin-extra.html
new file mode 100755
index 0000000..fecab20
--- /dev/null
+++ b/security-admin/contrib/solr_for_audit_setup/conf/admin-extra.html
@@ -0,0 +1,24 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<!-- The content of this page will be statically included into the top-
+right box of the cores overview page. Uncomment this as an example to
+see there the content will show up.
+
+<img src="img/ico/construction.png"> This line will appear at the top-
+right box on collection1's Overview
+-->
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c5ae2edd/security-admin/contrib/solr_for_audit_setup/conf/admin-extra.menu-bottom.html
----------------------------------------------------------------------
diff --git a/security-admin/contrib/solr_for_audit_setup/conf/admin-extra.menu-bottom.html b/security-admin/contrib/solr_for_audit_setup/conf/admin-extra.menu-bottom.html
new file mode 100755
index 0000000..3359a46
--- /dev/null
+++ b/security-admin/contrib/solr_for_audit_setup/conf/admin-extra.menu-bottom.html
@@ -0,0 +1,25 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<!-- admin-extra.menu-bottom.html -->
+<!--
+<li>
+ <a href="#" style="background-image: url(img/ico/construction.png);">
+ LAST ITEM
+ </a>
+</li>
+-->
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c5ae2edd/security-admin/contrib/solr_for_audit_setup/conf/admin-extra.menu-top.html
----------------------------------------------------------------------
diff --git a/security-admin/contrib/solr_for_audit_setup/conf/admin-extra.menu-top.html b/security-admin/contrib/solr_for_audit_setup/conf/admin-extra.menu-top.html
new file mode 100755
index 0000000..0886cee
--- /dev/null
+++ b/security-admin/contrib/solr_for_audit_setup/conf/admin-extra.menu-top.html
@@ -0,0 +1,25 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<!-- admin-extra.menu-top.html -->
+<!--
+<li>
+ <a href="#" style="background-image: url(img/ico/construction.png);">
+ FIRST ITEM
+ </a>
+</li>
+-->
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c5ae2edd/security-admin/contrib/solr_for_audit_setup/conf/elevate.xml
----------------------------------------------------------------------
diff --git a/security-admin/contrib/solr_for_audit_setup/conf/elevate.xml b/security-admin/contrib/solr_for_audit_setup/conf/elevate.xml
new file mode 100644
index 0000000..25d5ceb
--- /dev/null
+++ b/security-admin/contrib/solr_for_audit_setup/conf/elevate.xml
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<!-- If this file is found in the config directory, it will only be
+ loaded once at startup. If it is found in Solr's data
+ directory, it will be re-loaded every commit.
+
+ See http://wiki.apache.org/solr/QueryElevationComponent for more info
+
+-->
+<elevate>
+ <query text="foo bar">
+ <doc id="1" />
+ <doc id="2" />
+ <doc id="3" />
+ </query>
+
+ <query text="ipod">
+ <doc id="MA147LL/A" /> <!-- put the actual ipod at the top -->
+ <doc id="IW-02" exclude="true" /> <!-- exclude this cable -->
+ </query>
+
+</elevate>
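Review bot: The elevation rules at `<query text="foo bar">` and `<query text="ipod">` look like they were carried over verbatim from Solr's stock example config; the doc ids `1`, `2`, `3`, `MA147LL/A` and `IW-02` do not correspond to anything a ranger-audit core would index, so the rules are dead configuration that a reader has to work out is inert. Since this file is loaded by the QueryElevationComponent at startup (per the comment above), it would be cleaner to ship an empty `<elevate></elevate>` with a one-line comment such as `<!-- No query elevation is configured for ranger audit; add <query> entries here if needed -->`, or to drop the file and the component reference together.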
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/c5ae2edd/security-admin/contrib/solr_for_audit_setup/conf/schema.xml
----------------------------------------------------------------------
diff --git a/security-admin/contrib/solr_for_audit_setup/conf/schema.xml b/security-admin/contrib/solr_for_audit_setup/conf/schema.xml
new file mode 100644
index 0000000..df56974
--- /dev/null
+++ b/security-admin/contrib/solr_for_audit_setup/conf/schema.xml
@@ -0,0 +1,118 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<!-- Trimmed schema.xml to include only the fields used by RangerAudit and also to make it more manageable -->
+<schema name="ranger-audit-schema" version="1.5">
+ <fields>
+ <field name="id" type="string" indexed="true" stored="true" required="true" multiValued="false" />
+ <field name="_version_" type="long" indexed="true" stored="true"/>
+
+ <field name="resource" type="key_lower_case" multiValued="false"/>
+ <field name="cluster" type="key_lower_case" multiValued="false"/>
+ <field name="resType" type="key_lower_case" multiValued="false"/>
+ <field name="reqUser" type="key_lower_case" multiValued="false"/>
+ <field name="evtTime" type="tdate"/>
+ <field name="policy" type="tlong" docValues="true"/>
+ <field name="sess" type="key_lower_case" multiValued="false"/>
+ <field name="access" type="key_lower_case" multiValued="false"/>
+ <field name="result" type="tint" multiValued="false"/>
+ <field name="reason" type="text_std_token_lower_case" omitNorms="false" multiValued="false"/>
+ <field name="enforcer" type="key_lower_case" multiValued="false"/>
+ <field name="repo" type="key_lower_case" multiValued="false"/>
+ <field name="cliIP" type="key_lower_case" multiValued="false"/>
+ <field name="cliType" type="key_lower_case" multiValued="false"/>
+ <field name="action" type="key_lower_case" multiValued="false"/>
+ <field name="agent" type="key_lower_case" multiValued="false"/>
+ <field name="agentHost" type="key_lower_case" multiValued="false"/>
+ <field name="logType" type="key_lower_case" multiValued="false"/>
+ <field name="repoType" type="tint" multiValued="false" docValues="true"/>
+ <field name="reqData" type="text_std_token_lower_case" multiValued="false"/>
+ <field name="seq_num" type="tlong" multiValued="false" docValues="true"/>
+ <field name="tags" type="key_lower_case" multiValued="true"/>
+ <field name="tags_str" type="text_std_token_lower_case" multiValued="false"/>
+ <field name="event_count" type="tlong" multiValued="false" docValues="true"/>
+ <field name="event_dur_ms" type="tlong" multiValued="false" docValues="true"/>
+
+ <field name="text" type="text_std_token_lower_case" indexed="true" stored="false" multiValued="true"/>
+ </fields>
+
+ <uniqueKey>id</uniqueKey>
+
+ <types>
+
+ <!-- Updated from text_general and having only StandardTokenizer and LowerCaseFilter-->
+ <fieldType name="text_std_token_lower_case" class="solr.TextField" positionIncrementGap="100" multiValued="true">
+ <analyzer>
+ <tokenizer class="solr.StandardTokenizerFactory"/>
+ <filter class="solr.LowerCaseFilterFactory" />
+ </analyzer>
+ </fieldType>
+
+ <!-- Keyword tokenizer won't split the string. So is like full string search -->
+ <fieldType name="key_lower_case" class="solr.TextField"
+ sortMissingLast="true" omitNorms="true">
+ <analyzer>
+ <tokenizer class="solr.KeywordTokenizerFactory"/>
+ <filter class="solr.LowerCaseFilterFactory" />
+ </analyzer>
+ </fieldType>
+
+ <!-- The StrField type is not analyzed, but indexed/stored verbatim.
+ It supports doc values but in that case the field needs to be
+ single-valued and either required or have a default value.
+ -->
+ <fieldType name="string" class="solr.StrField" sortMissingLast="true" />
+
+ <!-- boolean type: "true" or "false" -->
+ <fieldType name="boolean" class="solr.BoolField" sortMissingLast="true"/>
+
+ <fieldType name="booleans" class="solr.BoolField" sortMissingLast="true" multiValued="true"/>
+
+ <fieldType name="int" class="solr.TrieIntField" precisionStep="0" positionIncrementGap="0"/>
+ <fieldType name="float" class="solr.TrieFloatField" precisionStep="0" positionIncrementGap="0"/>
+ <fieldType name="long" class="solr.TrieLongField" precisionStep="0" positionIncrementGap="0"/>
+ <fieldType name="double" class="solr.TrieDoubleField" precisionStep="0" positionIncrementGap="0"/>
+
+ <fieldType name="tint" class="solr.TrieIntField" precisionStep="8" positionIncrementGap="0"/>
+ <fieldType name="tfloat" class="solr.TrieFloatField" precisionStep="8" positionIncrementGap="0"/>
+ <fieldType name="tlong" class="solr.TrieLongField" precisionStep="8" positionIncrementGap="0"/>
+ <fieldType name="tdouble" class="solr.TrieDoubleField" precisionStep="8" positionIncrementGap="0"/>
+
+ <fieldType name="tints" class="solr.TrieIntField" precisionStep="8" positionIncrementGap="0" multiValued="true"/>
+ <fieldType name="tfloats" class="solr.TrieFloatField" precisionStep="8" positionIncrementGap="0" multiValued="true"/>
+ <fieldType name="tlongs" class="solr.TrieLongField" precisionStep="8" positionIncrementGap="0" multiValued="true"/>
+ <fieldType name="tdoubles" class="solr.TrieDoubleField" precisionStep="8" positionIncrementGap="0" multiValued="true"/>
+ <fieldType name="date" class="solr.TrieDateField" precisionStep="0" positionIncrementGap="0"/>
+ <!-- A Trie based date field for faster date range queries and date faceting. -->
+ <fieldType name="tdate" class="solr.TrieDateField" precisionStep="6" positionIncrementGap="0"/>
+ <fieldType name="tdates" class="solr.TrieDateField" precisionStep="6" positionIncrementGap="0" multiValued="true"/>
+ <!--Binary data type. The data should be sent/retrieved in as Base64 encoded Strings -->
+ <fieldtype name="binary" class="solr.BinaryField"/>
+ <fieldType name="random" class="solr.RandomSortField" indexed="true" />
+ <!-- A text field that only splits on whitespace for exact matching of words -->
+ <fieldType name="text_ws" class="solr.TextField" positionIncrementGap="100">
+ <analyzer>
+ <tokenizer class="solr.WhitespaceTokenizerFactory"/>
+ </analyzer>
+ </fieldType>
+ <!-- since fields of this type are by default not stored or indexed,
+ any data added to them will be ignored outright. -->
+ <fieldtype name="ignored" stored="false" indexed="false" multiValued="true" class="solr.StrField" />
+
+ </types>
+</schema>
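Review bot: The catch-all `text` field declared at `<field name="text" type="text_std_token_lower_case" indexed="true" stored="false" multiValued="true"/>` has no `<copyField>` in this schema feeding it, so unless the indexing client or a request handler in solrconfig.xml populates it explicitly, it will stay empty and any default-field search against it will match nothing. Either add the intended `<copyField source="..." dest="text"/>` entries, or if it is deliberately left for the client to fill, say so in a comment next to the field, e.g. `<!-- populated by the audit client, not via copyField -->`. The header comment says the schema was trimmed to the fields RangerAudit uses, so a short note on which fields are required by the audit writer (id, evtTime, _version_) versus optional would also help whoever maintains the matching solrconfig.xml.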
[20/33] incubator-ranger git commit: RANGER-652: Adding support for
ldap connection check tool
Posted by ma...@apache.org.
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/a2c4bb29/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/UserSync.java
----------------------------------------------------------------------
diff --git a/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/UserSync.java b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/UserSync.java
new file mode 100644
index 0000000..53da9f2
--- /dev/null
+++ b/ugsync/ldapconfigchecktool/ldapconfigcheck/src/main/java/org/apache/ranger/ldapconfigcheck/UserSync.java
@@ -0,0 +1,860 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.ldapconfigcheck;
+
+import javax.naming.NamingEnumeration;
+import javax.naming.NamingException;
+import javax.naming.directory.Attribute;
+import javax.naming.directory.Attributes;
+import javax.naming.directory.SearchControls;
+import javax.naming.directory.SearchResult;
+import javax.naming.ldap.LdapContext;
+import javax.naming.ldap.Control;
+import javax.naming.ldap.PagedResultsResponseControl;
+import javax.naming.ldap.PagedResultsControl;
+import java.io.PrintStream;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Set;
+
+public class UserSync {
+ private static String[] userNameAttrValues = { "sAMAccountName", "uid", "cn" };
+ private static String[] userObjClassValues = { "person", "posixAccount" }; //Not needed as this is read from the second occurence of objectClass attribute from user entry
+ private static String[] userGroupMemAttrValues = { "memberOf", "ismemberOf"};
+
+ private static String[] groupObjectClassValues = { "group", "groupOfNames", "posixGroup" };
+ private static String[] groupNameAttrValues = { "distinguishedName", "cn" };
+ private static String[] groupMemAttrValues = { "member", "memberUid" };
+
+ private String userNameAttribute = null;
+ private String userObjClassName = null;
+ private String userGroupMemberName = null;
+ private String groupMemberName = null;
+ private String groupNameAttrName = null;
+ private String groupObjClassName = null;
+ private String groupSearchBase = null;
+ private String groupSearchFilter = null;
+ private String userSearchBase = null;
+ private String userSearchFilter = null;
+ private String searchBase = null;
+ private String groupName = null;
+ private PrintStream logFile = null;
+ private PrintStream ambariProps = null;
+ private PrintStream installProps = null;
+
+ private LdapConfig config = null;
+
+ public String getUserNameAttribute() {
+ return userNameAttribute;
+ }
+
+ public String getUserObjClassName() {
+ return userObjClassName;
+ }
+
+ public String getUserGroupMemberName() {
+ return userGroupMemberName;
+ }
+
+ public String getGroupMemberName() {
+ return groupMemberName;
+ }
+
+ public String getGroupNameAttrName() {
+ return groupNameAttrName;
+ }
+
+ public String getGroupObjClassName() {
+ return groupObjClassName;
+ }
+
+ public String getGroupSearchBase() { return groupSearchBase; }
+
+ public String getUserSearchBase() { return userSearchBase; }
+
+ public String getSearchBase() {
+ return searchBase;
+ }
+
+ public UserSync(LdapConfig config, PrintStream logFile, PrintStream ambariProps, PrintStream installProps) {
+ this.config = config;
+ this.logFile = logFile;
+ this.ambariProps = ambariProps;
+ this.installProps = installProps;
+ initUserSync();
+ }
+
+ private void initUserSync() {
+ try {
+ String bindDn = config.getLdapBindDn();
+ userObjClassName = config.getUserObjectClass();
+ userNameAttribute = config.getUserNameAttribute();
+ userGroupMemberName = config.getUserGroupNameAttribute();
+ userSearchBase = config.getUserSearchBase();
+ userSearchFilter = config.getUserSearchFilter();
+ groupObjClassName = config.getGroupObjectClass();
+ groupNameAttrName = config.getGroupNameAttribute();
+ groupMemberName = config.getUserGroupMemberAttributeName();
+ groupSearchBase = config.getGroupSearchBase();
+ groupSearchFilter = config.getGroupSearchFilter();
+
+ //String userName = null;
+ if (bindDn.contains("@")) {
+ //userName = bindDn.substring(0, bindDn.indexOf("@"));
+ searchBase = bindDn.substring(bindDn.indexOf("@") + 1);
+ searchBase = "dc=".concat(searchBase);
+ searchBase = searchBase.replaceAll("\\.", ",dc=");
+ } else {
+ int dcIndex = bindDn.toLowerCase().indexOf("dc=");
+ //userName = bindDn.substring(bindDn.indexOf("=") + 1, dcIndex - 1);
+ searchBase = bindDn.substring(dcIndex);
+ }
+ } catch (Throwable t) {
+ logFile.println("ERROR: Failed to initialize the user sync properties " + t);
+ }
+ }
+
+ public void findUserProperties(LdapContext ldapContext) throws Throwable {
+ // 1. find basic user properties
+ // 2. find user search base and user search filter by passing basic attributes
+
+ findBasicUserProperties(ldapContext, true);
+
+ findAdvUserProperties(ldapContext, true);
+ }
+
+ /* Use the provided bind dn or the user search base and user search filter for sample user and determine the basic user attribute.
+ */
+ private void findBasicUserProperties(LdapContext ldapContext, boolean isOutputNeeded) throws Throwable{
+ String bindDn = config.getLdapBindDn();
+ String userSFilter = config.getUserSearchFilter();
+ String userSBase = config.getUserSearchBase();
+ Attribute userNameAttr = null;
+ Attribute groupMemberAttr;
+ SearchControls userSearchControls = new SearchControls();
+ userSearchControls.setSearchScope(config.getUserSearchScope());
+ userSearchControls.setReturningAttributes(new java.lang.String[]{"*", "+"});
+ int noOfUsers = 0;
+
+ NamingEnumeration<SearchResult> userSearchResultEnum = null;
+
+ try {
+ if (userSBase == null || userSBase.isEmpty()) {
+ if (bindDn.contains("@")) {
+ userSBase = bindDn.substring(bindDn.indexOf("@") + 1);
+ userSBase = "dc=".concat(userSBase);
+ userSBase = userSBase.replaceAll("\\.", ",dc=");
+ } else {
+ //int dcIndex = bindDn.toLowerCase().indexOf("dc=");
+ userSBase = bindDn.substring(bindDn.indexOf(",") + 1);
+ }
+ //System.out.println("Derived user search base = " + userSearchBase);
+ }
+
+ if (userSFilter == null || userSFilter.isEmpty()) {
+ if (bindDn.contains("@")) {
+ userSFilter = "userPrincipalName=" + bindDn;
+ } else {
+ int cnEndIndex = bindDn.indexOf(",");
+ userSFilter = bindDn.substring(0,cnEndIndex);
+
+ }
+ //System.out.println("Derived user search filter = " + userSearchFilter);
+ }
+
+ try {
+ userSearchResultEnum = ldapContext.search(userSBase,
+ userSFilter, userSearchControls);
+ while (userSearchResultEnum.hasMore()) {
+ if (noOfUsers >= 1) {
+ break;
+ }
+ final SearchResult userEntry = userSearchResultEnum.next();
+
+ if (userEntry == null) {
+ logFile.println("WARN: userEntry null");
+ continue;
+ }
+
+ Attributes attributes = userEntry.getAttributes();
+ if (attributes == null) {
+ logFile.println("WARN: Attributes missing for entry " + userEntry.getNameInNamespace());
+ continue;
+ }
+
+ if (userNameAttribute == null || userNameAttribute.isEmpty()) {
+ for (int i = 0; i < userNameAttrValues.length; i++) {
+ userNameAttr = attributes.get(userNameAttrValues[i]);
+ if (userNameAttr != null) {
+ userNameAttribute = userNameAttrValues[i];
+ break;
+ }
+ }
+ if (userNameAttr == null) {
+ logFile.print("WARN: Failed to find any of ( ");
+ for (int i = 0; i < userNameAttrValues.length; i++) {
+ logFile.print(userNameAttrValues[i] + " ");
+ }
+ logFile.println(") for entry " + userEntry.getNameInNamespace());
+ continue;
+ }
+ } else {
+ userNameAttr = attributes.get(userNameAttribute);
+ if (userNameAttr == null) {
+ logFile.println("WARN: Failed to find " + userNameAttribute + " for entry " + userEntry.getNameInNamespace());
+ continue;
+ }
+ }
+
+ String userName = (String) userNameAttr.get();
+
+ if (userName == null || userName.trim().isEmpty()) {
+ logFile.println("WARN: " + userNameAttribute + " empty for entry " + userEntry.getNameInNamespace());
+ continue;
+ }
+ userName = userName.toLowerCase();
+ Attribute userObjClassAttr = attributes.get("objectClass");
+ NamingEnumeration<?> userObjClassEnum = userObjClassAttr.getAll();
+ String userObjClass = null;
+ while (userObjClassEnum.hasMore()) {
+ userObjClass = userObjClassEnum.next().toString();
+ if (userObjClassName == null || userObjClassName.isEmpty()) {
+ if (userObjClass != null) {
+ for (int i = 0; i < userObjClassValues.length; i++) {
+ if (userObjClass.equalsIgnoreCase(userObjClassValues[i])) {
+ userObjClassName = userObjClass;
+ break;
+ }
+ }
+ } else {
+ logFile.println("WARN: Failed to find objectClass attribute for " + userName);
+ //continue;
+ }
+ }
+ }
+
+ if (userObjClassName == null || userObjClassName.isEmpty()) {
+ userObjClassName = userObjClass;
+ }
+
+ for (int i = 0; i < userGroupMemAttrValues.length; i++) {
+ groupMemberAttr = attributes.get(userGroupMemAttrValues[i]);
+ if (groupMemberAttr != null) {
+ userGroupMemberName = userGroupMemAttrValues[i];
+ groupName = groupMemberAttr.get(1).toString();
+ break;
+ }
+ }
+
+ noOfUsers++;
+ }
+ } catch (NamingException ne) {
+ String msg = "Exception occured while discovering basic user properties:\n" +
+ "ranger.usersync.ldap.user.nameattribute\n" +
+ "ranger.usersync.ldap.user.objectclass\n" +
+ "ranger.usersync.ldap.user.groupnameattribute\n";
+ if ((config.getUserSearchBase() != null && !config.getUserSearchBase().isEmpty()) ||
+ (config.getUserSearchFilter() != null && !config.getUserSearchFilter().isEmpty())) {
+ throw new Exception(msg + "Please verify values for ranger.usersync.ldap.user.searchbase and ranger.usersync.ldap.user.searchfilter");
+ } else {
+ throw new Exception(msg + ne);
+ }
+ }
+
+ if (isOutputNeeded) {
+ installProps.println("# Possible values for user search related properties:");
+ installProps.println("SYNC_LDAP_USER_NAME_ATTRIBUTE=" + userNameAttribute);
+ installProps.println("SYNC_LDAP_USER_OBJECT_CLASS=" + userObjClassName);
+ installProps.println("SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE=" + userGroupMemberName);
+
+ ambariProps.println("# Possible values for user search related properties:");
+ ambariProps.println("ranger.usersync.ldap.user.nameattribute=" + userNameAttribute);
+ ambariProps.println("ranger.usersync.ldap.user.objectclass=" + userObjClassName);
+ ambariProps.println("ranger.usersync.ldap.user.groupnameattribute=" + userGroupMemberName);
+ }
+ } finally {
+ try {
+ if (userSearchResultEnum != null) {
+ userSearchResultEnum.close();
+ }
+ } catch (NamingException ne) {
+ throw new Exception("Exception occured while closing user search result: " + ne);
+ }
+ }
+ }
+
+ private void findAdvUserProperties(LdapContext ldapContext, boolean isOutputNeeded) throws Throwable{
+ int noOfUsers;
+ NamingEnumeration<SearchResult> userSearchResultEnum = null;
+ SearchControls userSearchControls = new SearchControls();
+ userSearchControls.setSearchScope(config.getUserSearchScope());
+ if (userNameAttribute != null && !userNameAttribute.isEmpty()) {
+ Set<String> userSearchAttributes = new HashSet<>();
+ userSearchAttributes.add(userNameAttribute);
+ userSearchAttributes.add(userGroupMemberName);
+ userSearchAttributes.add("distinguishedName");
+ userSearchControls.setReturningAttributes(userSearchAttributes.toArray(
+ new String[userSearchAttributes.size()]));
+ } else {
+ userSearchControls.setReturningAttributes(new java.lang.String[]{"*", "+"});
+ }
+
+ String extendedUserSearchFilter = "(objectclass=" + userObjClassName + ")";
+
+ try {
+
+ HashMap<String, Integer> ouOccurences = new HashMap<>();
+
+ userSearchResultEnum = ldapContext.search(searchBase,
+ extendedUserSearchFilter, userSearchControls);
+
+ noOfUsers = 0;
+ while (userSearchResultEnum.hasMore()) {
+ if (noOfUsers >= 20) {
+ break;
+ }
+ final SearchResult userEntry = userSearchResultEnum.next();
+
+ if (userEntry == null) {
+ logFile.println("WARN: userEntry null");
+ continue;
+ }
+
+ Attributes attributes = userEntry.getAttributes();
+ if (attributes == null) {
+ logFile.println("WARN: Attributes missing for entry " + userEntry.getNameInNamespace());
+ continue;
+ }
+
+ String dnValue;
+
+ Attribute dnAttr = attributes.get("distinguishedName");
+ if (dnAttr != null) {
+ dnValue = dnAttr.get().toString();
+ String ouStr = "OU=";
+ int indexOfOU = dnValue.indexOf(ouStr);
+ if (indexOfOU > 0) {
+ dnValue = dnValue.substring(indexOfOU);
+
+ } else {
+ dnValue = dnValue.substring(dnValue.indexOf(",") + 1);
+ }
+
+ } else {
+ // If distinguishedName is not found,
+ // strip off the userName from the long name for OU or sub domain
+ dnValue = userEntry.getNameInNamespace();
+ dnValue = dnValue.substring(dnValue.indexOf(",") + 1);
+
+ }
+ //System.out.println("OU from dn = " + dnValue);
+ Integer ouOccrs = ouOccurences.get(dnValue);
+ if (ouOccrs == null) {
+ //System.out.println("value = 0");
+ ouOccrs = new Integer(0);
+ }
+ int val = ouOccrs.intValue();
+ ouOccrs = new Integer(++val);
+ ouOccurences.put(dnValue, ouOccrs);
+ noOfUsers++;
+ }
+
+ if (!ouOccurences.isEmpty()) {
+ Set<String> keys = ouOccurences.keySet();
+ int maxOUOccr = 0;
+ for (String key : keys) {
+ int ouOccurVal = ouOccurences.get(key).intValue();
+ logFile.println("INFO: No. of users from " + key + " = " + ouOccurVal);
+ if (ouOccurVal > maxOUOccr) {
+ maxOUOccr = ouOccurVal;
+ userSearchBase = key;
+ }
+ }
+ }
+ userSearchFilter = userNameAttribute + "=*";
+
+ if (isOutputNeeded) {
+ installProps.println("SYNC_LDAP_USER_SEARCH_BASE=" + userSearchBase);
+ installProps.println("SYNC_LDAP_USER_SEARCH_FILTER=" + userSearchFilter);
+
+ ambariProps.println("ranger.usersync.ldap.user.searchbase=" + userSearchBase);
+ ambariProps.println("ranger.usersync.ldap.user.searchfilter=" + userSearchFilter);
+ }
+
+ } catch (NamingException ne) {
+ String msg = "Exception occured while discovering user properties:\n" +
+ "ranger.usersync.ldap.user.searchbase\n" +
+ "ranger.usersync.ldap.user.searchfilter\n";
+ if ((config.getUserNameAttribute() != null && !config.getUserNameAttribute().isEmpty()) ||
+ (config.getUserObjectClass() != null && !config.getUserObjectClass().isEmpty()) ||
+ (config.getGroupNameAttribute() != null && !config.getGroupNameAttribute().isEmpty())) {
+ throw new Exception("Please verify values for ranger.usersync.ldap.user.nameattribute, " +
+ "ranger.usersync.ldap.user.objectclass, and" +
+ "ranger.usersync.ldap.user.groupnameattribute");
+ } else {
+ throw new Exception(msg + ne);
+ }
+ } finally {
+ if (userSearchResultEnum != null) {
+ userSearchResultEnum.close();
+ }
+ }
+ }
+
+ public void getAllUsers(LdapContext ldapContext) throws Throwable {
+ int noOfUsers = 0;
+ Attribute userNameAttr = null;
+ String groupName = null;
+ Attribute groupMemberAttr;
+ NamingEnumeration<SearchResult> userSearchResultEnum = null;
+ SearchControls userSearchControls = new SearchControls();
+ userSearchControls.setSearchScope(config.getUserSearchScope());
+ Set<String> userSearchAttributes = new HashSet<>();
+ if (userNameAttribute != null) {
+ userSearchAttributes.add(userNameAttribute);
+ }
+ if (userGroupMemberName != null) {
+ userSearchAttributes.add(userGroupMemberName);
+ }
+ if (userSearchAttributes.size() > 0) {
+ userSearchControls.setReturningAttributes(userSearchAttributes.toArray(
+ new String[userSearchAttributes.size()]));
+ } else {
+ userSearchControls.setReturningAttributes(new java.lang.String[]{"*", "+"});
+ }
+
+ String extendedUserSearchFilter = "(objectclass=" + userObjClassName + ")";
+ if (userSearchFilter != null && !userSearchFilter.trim().isEmpty()) {
+ String customFilter = userSearchFilter.trim();
+ if (!customFilter.startsWith("(")) {
+ customFilter = "(" + customFilter + ")";
+ }
+ extendedUserSearchFilter = "(&" + extendedUserSearchFilter + customFilter + ")";
+ }
+
+ byte[] cookie = null;
+ logFile.println();
+ logFile.println("INFO: First 20 Users and associated groups are:");
+
+ try {
+ do {
+
+ userSearchResultEnum = ldapContext.search(userSearchBase,
+ extendedUserSearchFilter, userSearchControls);
+
+ while (userSearchResultEnum.hasMore()) {
+ final SearchResult userEntry = userSearchResultEnum.next();
+
+ if (userEntry == null) {
+ logFile.println("WARN: userEntry null");
+ continue;
+ }
+
+ Attributes attributes = userEntry.getAttributes();
+ if (attributes == null) {
+ logFile.println("WARN: Attributes missing for entry " + userEntry.getNameInNamespace());
+ continue;
+ }
+
+ if (userNameAttribute == null || userNameAttribute.isEmpty()) {
+ for (int i = 0; i < userNameAttrValues.length; i++) {
+ userNameAttr = attributes.get(userNameAttrValues[i]);
+ if (userNameAttr != null) {
+ userNameAttribute = userNameAttrValues[i];
+ break;
+ }
+ }
+ if (userNameAttr == null) {
+ logFile.print("WARN: Failed to find any of ( ");
+ for (int i = 0; i < userNameAttrValues.length; i++) {
+ logFile.print(userNameAttrValues[i] + " ");
+ }
+ logFile.println(") for entry " + userEntry.getNameInNamespace());
+ continue;
+ }
+ } else {
+ userNameAttr = attributes.get(userNameAttribute);
+ if (userNameAttr == null) {
+ logFile.println("WARN: Failed to find " + userNameAttribute + " for entry " + userEntry.getNameInNamespace());
+ continue;
+ }
+ }
+
+ String userName = userNameAttr.get().toString();
+
+ if (userName == null || userName.trim().isEmpty()) {
+ logFile.println("WARN: " + userNameAttribute + " empty for entry " + userEntry.getNameInNamespace());
+ continue;
+ }
+ userName = userName.toLowerCase();
+
+ Set<String> groups = new HashSet<>();
+ groupMemberAttr = attributes.get(userGroupMemberName);
+
+ if (groupMemberAttr != null) {
+ NamingEnumeration<?> groupEnum = groupMemberAttr.getAll();
+ while (groupEnum.hasMore()) {
+ String groupRes = groupEnum.next().toString();
+ groups.add(groupRes);
+ if (groupName == null || groupName.isEmpty()) {
+ groupName = groupRes;
+ }
+ }
+ }
+
+ if (noOfUsers < 20) {
+ logFile.println("Username: " + userName + ", Groups: " + groups);
+ }
+ noOfUsers++;
+ }
+ // Examine the paged results control response
+ Control[] controls = ldapContext.getResponseControls();
+ if (controls != null) {
+ for (int i = 0; i < controls.length; i++) {
+ if (controls[i] instanceof PagedResultsResponseControl) {
+ PagedResultsResponseControl prrc =
+ (PagedResultsResponseControl)controls[i];
+ cookie = prrc.getCookie();
+ }
+ }
+ } else {
+ logFile.println("WARN: No controls were sent from the server");
+ }
+ // Re-activate paged results
+ if (config.isPagedResultsEnabled()) {
+ ldapContext.setRequestControls(new Control[]{
+ new PagedResultsControl(config.getPagedResultsSize(), cookie, Control.CRITICAL)});
+ }
+ } while (cookie != null);
+ logFile.println("\nINFO: Total no. of users = " + noOfUsers);
+
+ } catch (NamingException ne) {
+ String msg = "Exception occured while retreiving users\n";
+ if ((config.getUserNameAttribute() != null && !config.getUserNameAttribute().isEmpty()) ||
+ (config.getUserObjectClass() != null && !config.getUserObjectClass().isEmpty()) ||
+ (config.getGroupNameAttribute() != null && !config.getGroupNameAttribute().isEmpty()) ||
+ (config.getUserSearchBase() != null && !config.getUserSearchBase().isEmpty()) ||
+ (config.getUserSearchFilter() != null && !config.getUserSearchFilter().isEmpty())) {
+ throw new Exception("Please verify values for:\n ranger.usersync.ldap.user.nameattribute\n " +
+ "ranger.usersync.ldap.user.objectclass\n" +
+ "ranger.usersync.ldap.user.groupnameattribute\n" +
+ "ranger.usersync.ldap.user.searchbase\n" +
+ "ranger.usersync.ldap.user.searchfilter\n");
+ } else {
+ throw new Exception(msg + ne);
+ }
+ } finally {
+ if (userSearchResultEnum != null) {
+ userSearchResultEnum.close();
+ }
+ }
+ }
+
+ public void findGroupProperties(LdapContext ldapContext) throws Throwable {
+ // find basic group attributes/properties
+ // find group search base and group search filter
+ // Get all groups
+
+ if (groupName == null || groupName.isEmpty()) {
+ // Perform basic user search and get the group name from the user's group attribute name.
+ findBasicUserProperties(ldapContext, false);
+ }
+
+ if (groupName == null || groupName.isEmpty()) {
+ // Perform adv user search and get the group name from the user's group attribute name.
+ findAdvUserProperties(ldapContext, false);
+ }
+
+ findBasicGroupProperties(ldapContext);
+
+ findAdvGroupProperties(ldapContext);
+ }
+
+ private void findBasicGroupProperties(LdapContext ldapContext) throws Throwable {
+ int noOfGroups;
+ Attribute groupNameAttr;
+ String groupBase;
+ String groupFilter;
+ Attribute groupMemberAttr;
+ NamingEnumeration<SearchResult> groupSearchResultEnum = null;
+ SearchControls groupSearchControls = new SearchControls();
+ groupSearchControls.setSearchScope(config.getGroupSearchScope());
+
+ try {
+ int baseIndex = groupName.indexOf(",");
+ groupBase = groupName.substring(baseIndex + 1);
+ groupFilter = groupName.substring(0, baseIndex);
+ groupSearchResultEnum = ldapContext.search(groupBase, groupFilter,
+ groupSearchControls);
+
+ noOfGroups = 0;
+ while (groupSearchResultEnum.hasMore()) {
+ if (noOfGroups >= 1) {
+ break;
+ }
+
+ final SearchResult groupEntry = groupSearchResultEnum.next();
+ if (groupEntry == null) {
+ continue;
+ }
+ Attributes groupAttributes = groupEntry.getAttributes();
+ if (groupAttributes == null) {
+ logFile.println("WARN: Attributes missing for entry " + groupEntry.getNameInNamespace());
+ continue;
+ }
+
+ Attribute groupObjClassAttr = groupAttributes.get("objectClass");
+ if (groupObjClassAttr != null) {
+ NamingEnumeration<?> groupObjClassEnum = groupObjClassAttr.getAll();
+ while (groupObjClassEnum.hasMore()) {
+ String groupObjClassStr = groupObjClassEnum.next().toString();
+ for (int i = 0; i < groupObjectClassValues.length; i++) {
+ if (groupObjClassStr.equalsIgnoreCase(groupObjectClassValues[i])) {
+ groupObjClassName = groupObjClassStr;
+ break;
+ }
+ }
+ }
+ } else {
+ logFile.println("WARN: Failed to find group objectClass attribute for " + groupEntry.getNameInNamespace());
+ continue;
+ }
+
+ if (groupNameAttrName == null || groupNameAttrName.isEmpty()) {
+
+ for (int i = 0; i < groupNameAttrValues.length; i++) {
+ groupNameAttr = groupAttributes.get(groupNameAttrValues[i]);
+ if (groupNameAttr != null) {
+ groupNameAttrName = groupNameAttrValues[i];
+ break;
+ }
+ }
+ }
+
+ for (int i = 0; i < groupMemAttrValues.length; i++) {
+ groupMemberAttr = groupAttributes.get(groupMemAttrValues[i]);
+ if (groupMemberAttr != null) {
+ groupMemberName = groupMemAttrValues[i];
+ break;
+ }
+ }
+ noOfGroups++;
+ }
+
+ installProps.println("\n# Possible values for group search related properties:");
+ installProps.println("SYNC_GROUP_MEMBER_ATTRIBUTE_NAME=" + groupMemberName);
+ installProps.println("SYNC_GROUP_NAME_ATTRIBUTE=" + groupNameAttrName);
+ installProps.println("SYNC_GROUP_OBJECT_CLASS=" + groupObjClassName);
+
+ ambariProps.println("\n# Possible values for group search related properties:");
+ ambariProps.println("ranger.usersync.group.memberattributename=" + groupMemberName);
+ ambariProps.println("ranger.usersync.group.nameattribute=" + groupNameAttrName);
+ ambariProps.println("ranger.usersync.group.objectclass=" + groupObjClassName);
+
+ } finally {
+
+ if (groupSearchResultEnum != null) {
+ groupSearchResultEnum.close();
+ }
+ }
+ }
+
+ private void findAdvGroupProperties(LdapContext ldapContext) throws Throwable {
+ int noOfGroups = 0;
+ NamingEnumeration<SearchResult> groupSearchResultEnum = null;
+ SearchControls groupSearchControls = new SearchControls();
+ groupSearchControls.setSearchScope(config.getGroupSearchScope());
+ Set<String> groupSearchAttributes = new HashSet<>();
+ groupSearchAttributes.add(groupNameAttrName);
+ groupSearchAttributes.add(groupMemberName);
+ groupSearchAttributes.add("distinguishedName");
+ groupSearchControls.setReturningAttributes(groupSearchAttributes.toArray(
+ new String[groupSearchAttributes.size()]));
+ String extendedGroupSearchFilter = "(objectclass=" + groupObjClassName + ")";
+
+ try {
+ HashMap<String, Integer> ouOccurences = new HashMap<>();
+
+ groupSearchResultEnum = ldapContext.search(searchBase, extendedGroupSearchFilter,
+ groupSearchControls);
+
+ while (groupSearchResultEnum.hasMore()) {
+ if (noOfGroups >= 20) {
+ break;
+ }
+
+ final SearchResult groupEntry = groupSearchResultEnum.next();
+ if (groupEntry == null) {
+ continue;
+ }
+ Attributes groupAttributes = groupEntry.getAttributes();
+ if (groupAttributes == null) {
+ logFile.println("WARN: Attributes missing for entry " + groupEntry.getNameInNamespace());
+ continue;
+ }
+
+ String dnValue;
+
+ Attribute dnAttr = groupAttributes.get("distinguishedName");
+ if (dnAttr != null) {
+ dnValue = dnAttr.get().toString();
+ String ouStr = "OU=";
+ int indexOfOU = dnValue.indexOf(ouStr);
+ if (indexOfOU > 0) {
+ dnValue = dnValue.substring(indexOfOU);
+
+ } else {
+ dnValue = dnValue.substring(dnValue.indexOf(",") + 1);
+ }
+
+ } else {
+ // If distinguishedName is not found,
+ // strip off the userName from the long name for OU or sub domain
+ dnValue = groupEntry.getNameInNamespace();
+ dnValue = dnValue.substring(dnValue.indexOf(",") + 1);
+ }
+ //System.out.println("OU from dn = " + dnValue);
+ Integer ouOccrs = ouOccurences.get(dnValue);
+ if (ouOccrs == null) {
+ //System.out.println("value = 0");
+ ouOccrs = new Integer(0);
+ }
+ int val = ouOccrs.intValue();
+ ouOccrs = new Integer(++val);
+ ouOccurences.put(dnValue, ouOccrs);
+
+ noOfGroups++;
+ }
+
+ if (!ouOccurences.isEmpty()) {
+ Set<String> keys = ouOccurences.keySet();
+ int maxOUOccr = 0;
+ for (String key : keys) {
+ int ouOccurVal = ouOccurences.get(key).intValue();
+ logFile.println("INFO: No. of groups from " + key + " = " + ouOccurVal);
+ if (ouOccurVal > maxOUOccr) {
+ maxOUOccr = ouOccurVal;
+ groupSearchBase = key;
+ }
+ }
+ }
+
+ groupSearchFilter = groupNameAttrName + "=*";
+
+ installProps.println("SYNC_GROUP_SEARCH_BASE=" + groupSearchBase);
+ installProps.println("SYNC_LDAP_GROUP_SEARCH_FILTER=" + groupSearchFilter);
+
+ ambariProps.println("ranger.usersync.group.searchbase=" + groupSearchBase);
+ ambariProps.println("ranger.usersync.group.searchfilter=" + groupSearchFilter);
+
+ } finally {
+
+ if (groupSearchResultEnum != null) {
+ groupSearchResultEnum.close();
+ }
+ }
+ }
+
+ public void getAllGroups(LdapContext ldapContext) throws Throwable {
+ int noOfGroups = 0;
+ Attribute groupNameAttr;
+ Attribute groupMemberAttr;
+ NamingEnumeration<SearchResult> groupSearchResultEnum = null;
+ SearchControls groupSearchControls = new SearchControls();
+ groupSearchControls.setSearchScope(config.getGroupSearchScope());
+ Set<String> groupSearchAttributes = new HashSet<>();
+ groupSearchAttributes.add(groupNameAttrName);
+ groupSearchAttributes.add(groupMemberName);
+ groupSearchAttributes.add("distinguishedName");
+ groupSearchControls.setReturningAttributes(groupSearchAttributes.toArray(
+ new String[groupSearchAttributes.size()]));
+
+ String extendedGroupSearchFilter= "(objectclass=" + groupObjClassName + ")";
+ if (groupSearchFilter != null && !groupSearchFilter.trim().isEmpty()) {
+ String customFilter = groupSearchFilter.trim();
+ if (!customFilter.startsWith("(")) {
+ customFilter = "(" + customFilter + ")";
+ }
+ extendedGroupSearchFilter = "(&" + extendedGroupSearchFilter + customFilter + ")";
+ }
+
+ try {
+
+ groupSearchResultEnum = ldapContext.search(groupSearchBase, extendedGroupSearchFilter,
+ groupSearchControls);
+
+ logFile.println("\nINFO: First 20 Groups and associated Users are:");
+
+ while (groupSearchResultEnum.hasMore()) {
+ final SearchResult groupEntry = groupSearchResultEnum.next();
+ if (groupEntry == null) {
+ continue;
+ }
+ Attributes groupAttributes = groupEntry.getAttributes();
+ if (groupAttributes == null) {
+ logFile.println("WARN: Attributes missing for entry " + groupEntry.getNameInNamespace());
+ continue;
+ }
+
+ groupMemberAttr = groupAttributes.get(groupMemberName);
+
+ Set<String> users = new HashSet<>();
+ if (groupMemberAttr != null) {
+ NamingEnumeration<?> userEnum = groupMemberAttr.getAll();
+ while (userEnum.hasMore()) {
+ String userRes = userEnum.next().toString();
+ users.add(userRes);
+ }
+ }
+
+ groupNameAttr = groupAttributes.get(groupNameAttrName);
+ if (noOfGroups < 20) {
+ logFile.println("Group name: " + groupNameAttr.get().toString() + ", Users: " + users);
+ }
+ noOfGroups++;
+ }
+
+ logFile.println("\nINFO: Total no. of groups = " + noOfGroups);
+
+ } catch (NamingException ne) {
+ String msg = "Exception occured while retreiving groups\n";
+ if ((config.getGroupNameAttribute() != null && !config.getGroupNameAttribute().isEmpty()) ||
+ (config.getGroupObjectClass() != null && !config.getGroupObjectClass().isEmpty()) ||
+ (config.getUserGroupMemberAttributeName() != null && !config.getUserGroupMemberAttributeName().isEmpty()) ||
+ (config.getGroupSearchBase() != null && !config.getGroupSearchBase().isEmpty()) ||
+ (config.getGroupSearchFilter() != null && !config.getGroupSearchFilter().isEmpty())) {
+ throw new Exception("Please verify values for:\n ranger.usersync.group.memberattributename\n " +
+ "ranger.usersync.group.nameattribute\n" +
+ "ranger.usersync.group.objectclass\n" +
+ "ranger.usersync.group.searchbase\n" +
+ "ranger.usersync.group.searchfilter\n");
+ } else {
+ throw new Exception(msg + ne);
+ }
+ } finally {
+
+ if (groupSearchResultEnum != null) {
+ groupSearchResultEnum.close();
+ }
+ }
+ }
+}
+
+
[32/33] incubator-ranger git commit: RANGER-701 : Update setup
scripts to allow special characters in passwords
Posted by ma...@apache.org.
RANGER-701 : Update setup scripts to allow special characters in passwords
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/bc4ee643
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/bc4ee643
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/bc4ee643
Branch: refs/heads/tag-policy
Commit: bc4ee643b6c73d2c357a26383767094f1f2bc3ea
Parents: 66b7788
Author: Gautam Borad <ga...@apache.org>
Authored: Mon Oct 26 13:46:42 2015 +0530
Committer: Gautam Borad <ga...@apache.com>
Committed: Mon Oct 26 15:00:53 2015 +0530
----------------------------------------------------------------------
kms/scripts/db_setup.py | 14 +-
kms/scripts/dba_script.py | 23 ++-
kms/scripts/setup.sh | 158 +++++++++++-----
security-admin/scripts/db_setup.py | 16 +-
security-admin/scripts/dba_script.py | 28 ++-
security-admin/scripts/set_globals.sh | 26 ++-
security-admin/scripts/setup.sh | 180 ++++++++++++++-----
.../org/apache/ranger/common/RESTErrorUtil.java | 26 +++
.../service/AbstractBaseResourceService.java | 5 +-
.../views/permissions/ModulePermissionCreate.js | 1 -
.../webapp/scripts/views/users/GroupCreate.js | 3 +-
.../webapp/scripts/views/users/UserCreate.js | 2 -
unixauthservice/scripts/set_globals.sh | 27 ++-
unixauthservice/scripts/setup.py | 54 +++---
14 files changed, 417 insertions(+), 146 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/bc4ee643/kms/scripts/db_setup.py
----------------------------------------------------------------------
diff --git a/kms/scripts/db_setup.py b/kms/scripts/db_setup.py
old mode 100755
new mode 100644
index 5e2f950..bdac333
--- a/kms/scripts/db_setup.py
+++ b/kms/scripts/db_setup.py
@@ -100,9 +100,9 @@ class MysqlConf(BaseDB):
path = RANGER_KMS_HOME
self.JAVA_BIN = self.JAVA_BIN.strip("'")
if os_name == "LINUX":
- jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u %s -p %s -noheader -trim -c \;" %(self.JAVA_BIN,self.SQL_CONNECTOR_JAR,path,self.host,db_name,user,password)
+ jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u '%s' -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN,self.SQL_CONNECTOR_JAR,path,self.host,db_name,user,password)
elif os_name == "WINDOWS":
- jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u %s -p %s -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password)
+ jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u '%s' -p '%s' -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password)
return jisql_cmd
def check_connection(self, db_name, db_user, db_password):
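Review bot: The new `'%s'` quoting around user and password makes the LINUX jisql command line safe only while the value contains no single quote, and nothing in this method enforces that — the rejection of quote, double-quote, backtick and backslash lives in dba_script.py's `password_validation`, so this string's safety depends on that check having run earlier. The WINDOWS branch receives the same quotes, but cmd.exe does not treat single quotes as quoting, so if that string reaches a shell the quotes are passed through literally rather than protecting anything. Either way the credential is still visible in the process argument list while jisql runs, if the command is executed as a subprocess (the exec site is outside the hunk). A comment on the first added line would make the dependency explicit: `# values are single-quoted for the shell; quote/backslash/backtick characters are rejected earlier by password_validation (dba_script.py) -- keep both in sync`. The same applies to the -327 and -392 hunks of this file, to the three quoting hunks of security-admin/scripts/db_setup.py, and to the SqlAnywhere hunks in both dba_script.py files; the enclosing method starts before the hunk.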
@@ -327,9 +327,9 @@ class SqlServerConf(BaseDB):
path = RANGER_KMS_HOME
self.JAVA_BIN = self.JAVA_BIN.strip("'")
if os_name == "LINUX":
- jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password %s -driver mssql -cstring jdbc:sqlserver://%s\\;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR,path, user, password, self.host,db_name)
+ jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password '%s' -driver mssql -cstring jdbc:sqlserver://%s\\;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR,path, user, password, self.host,db_name)
elif os_name == "WINDOWS":
- jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password %s -driver mssql -cstring jdbc:sqlserver://%s;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password, self.host,db_name)
+ jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password '%s' -driver mssql -cstring jdbc:sqlserver://%s;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password, self.host,db_name)
return jisql_cmd
def check_connection(self, db_name, db_user, db_password):
@@ -392,9 +392,9 @@ class SqlAnywhereConf(BaseDB):
path = RANGER_KMS_HOME
self.JAVA_BIN = self.JAVA_BIN.strip("'")
if os_name == "LINUX":
- jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host)
+ jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host)
elif os_name == "WINDOWS":
- jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host)
+ jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host)
return jisql_cmd
def check_connection(self, db_name, db_user, db_password):
@@ -527,6 +527,8 @@ def main(argv):
xa_db_core_file = os.path.join(RANGER_KMS_HOME ,oracle_core_file)
elif XA_DB_FLAVOR == "POSTGRES":
+ db_user=db_user.lower()
+ db_name=db_name.lower()
POSTGRES_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR']
xa_sqlObj = PostgresConf(xa_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN)
xa_db_core_file = os.path.join(RANGER_KMS_HOME , postgres_core_file)
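Review bot: The added `db_user.lower()` / `db_name.lower()` lines carry no comment saying why only the POSTGRES branch needs them; presumably it is to match Postgres folding unquoted identifiers to lower case, but that should be stated, e.g. `# Postgres folds unquoted identifiers to lower case; normalise so the name matches what the DDL creates`. The same two lines recur in the -1200 hunk of kms/scripts/dba_script.py, the -1506 and -1548 hunks of security-admin/scripts/db_setup.py, and as `tr` in the -382 hunk of kms/scripts/setup.sh; a single normalisation point would be easier to keep consistent. `main` continues outside the hunk.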
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/bc4ee643/kms/scripts/dba_script.py
----------------------------------------------------------------------
diff --git a/kms/scripts/dba_script.py b/kms/scripts/dba_script.py
index 950b8c3..d1da5d1 100755
--- a/kms/scripts/dba_script.py
+++ b/kms/scripts/dba_script.py
@@ -94,6 +94,17 @@ def logFile(msg):
print("Invalid input! Provide file path to write DBA scripts:")
sys.exit()
+def password_validation(password, userType):
+ if password:
+ if re.search("[\\\`'\"]",password):
+ log("[E] "+userType+" user password contains one of the unsupported special characters like \" ' \ `","error")
+ sys.exit(1)
+ else:
+ log("[I] "+userType+" user password validated","info")
+ else:
+ log("[E] Blank password is not allowed,please enter valid password.","error")
+ sys.exit(1)
+
class BaseDB(object):
def create_rangerdb_user(self, root_user, db_user, db_password, db_root_password,dryMode):
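Review bot: `password_validation` is the only thing that makes the new `'%s'` quoting of the jisql command strings in this file safe, but nothing in the function says so; a docstring should record that contract, e.g. `"""Reject passwords that cannot be safely single-quoted into the jisql command strings built in this file; logs and exits on failure."""`. The regex literal on the third added line is hard to read because of double escaping; a raw string (`r"..."`) would make the four rejected characters visible at a glance. Whether `re` is imported at the top of this file is not visible in the hunk. The function terminates the process with `sys.exit(1)`, so it cannot be reused as a predicate; the identical copy in the -96 hunk of security-admin/scripts/dba_script.py has the same points.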
@@ -866,9 +877,9 @@ class SqlAnywhereConf(BaseDB):
path = RANGER_KMS_HOME
self.JAVA_BIN = self.JAVA_BIN.strip("'")
if os_name == "LINUX":
- jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host)
+ jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host)
elif os_name == "WINDOWS":
- jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host)
+ jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host)
return jisql_cmd
def verify_user(self, root_user, db_root_password, db_user,dryMode):
if dryMode == False:
@@ -1036,6 +1047,10 @@ def main(argv):
dryMode=False
is_revoke=False
+ if len(argv) == 3:
+ password_validation(argv[1],argv[2]);
+ return;
+
if len(argv) > 1:
for i in range(len(argv)):
if str(argv[i]) == "-q":
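Review bot: The new `len(argv) == 3` branch dispatches on argument count alone, so any other two-argument invocation of the script is silently diverted into password validation and returns; an explicit flag (the script already parses `-q` style options two lines below) would be unambiguous. It also takes the password from `argv[1]`, which on a typical Unix host is readable by other users through the process list for as long as the call lasts; reading it from stdin or an environment variable avoids that. The trailing `;` on both added statements is not Python style. `main` continues outside the hunk.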
@@ -1200,6 +1215,8 @@ def main(argv):
xa_db_core_file = os.path.join(RANGER_KMS_HOME,oracle_core_file)
elif XA_DB_FLAVOR == "POSTGRES":
+ db_user=db_user.lower()
+ db_name=db_name.lower()
POSTGRES_CONNECTOR_JAR=CONNECTOR_JAR
xa_sqlObj = PostgresConf(xa_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN)
xa_db_core_file = os.path.join(RANGER_KMS_HOME,postgres_core_file)
@@ -1222,6 +1239,8 @@ def main(argv):
log("[E] ---------- NO SUCH SUPPORTED DB FLAVOUR.. ----------", "error")
sys.exit(1)
+ log("[I] ---------- Verifing Ranger KMS db user password ---------- ","info")
+ password_validation(db_password,"KMS");
# Methods Begin
if DBA_MODE == "TRUE" :
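Review bot: The new log message spells `Verifing`; it should read `log("[I] ---------- Verifying Ranger KMS db user password ---------- ","info")`. The trailing `;` on the `password_validation(db_password,"KMS");` line is not Python style either. `main` continues outside the hunk.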
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/bc4ee643/kms/scripts/setup.sh
----------------------------------------------------------------------
diff --git a/kms/scripts/setup.sh b/kms/scripts/setup.sh
index 96bf6a0..94b6e23 100755
--- a/kms/scripts/setup.sh
+++ b/kms/scripts/setup.sh
@@ -31,10 +31,6 @@ then
exit 1;
fi
-eval `grep -v '^XAAUDIT.' ${PROPFILE} | grep -v '^$' | grep -v '^#'`
-
-DB_HOST="${db_host}"
-
usage() {
[ "$*" ] && echo "$0: $*"
sed -n '/^##/,/^$/s/^## \{0,1\}//p' "$0"
@@ -46,6 +42,50 @@ log() {
echo "${prefix} $@" >> $LOGFILE
echo "${prefix} $@"
}
+#eval `grep -v '^XAAUDIT.' ${PROPFILE} | grep -v '^$' | grep -v '^#'`
+get_prop(){
+ validateProperty=$(sed '/^\#/d' $2 | grep "^$1\s*=" | tail -n 1) # for validation
+ if test -z "$validateProperty" ; then log "[E] '$1' not found in $2 file while getting....!!"; exit 1; fi
+ value=$(echo $validateProperty | cut -d "=" -f2-)
+ echo $value
+}
+
+PYTHON_COMMAND_INVOKER=$(get_prop 'PYTHON_COMMAND_INVOKER' $PROPFILE)
+DB_FLAVOR=$(get_prop 'DB_FLAVOR' $PROPFILE)
+SQL_COMMAND_INVOKER=$(get_prop 'SQL_COMMAND_INVOKER' $PROPFILE)
+SQL_CONNECTOR_JAR=$(get_prop 'SQL_CONNECTOR_JAR' $PROPFILE)
+db_root_user=$(get_prop 'db_root_user' $PROPFILE)
+db_root_password=$(get_prop 'db_root_password' $PROPFILE)
+db_host=$(get_prop 'db_host' $PROPFILE)
+db_name=$(get_prop 'db_name' $PROPFILE)
+db_user=$(get_prop 'db_user' $PROPFILE)
+db_password=$(get_prop 'db_password' $PROPFILE)
+KMS_MASTER_KEY_PASSWD=$(get_prop 'KMS_MASTER_KEY_PASSWD' $PROPFILE)
+unix_user=$(get_prop 'unix_user' $PROPFILE)
+unix_group=$(get_prop 'unix_group' $PROPFILE)
+POLICY_MGR_URL=$(get_prop 'POLICY_MGR_URL' $PROPFILE)
+REPOSITORY_NAME=$(get_prop 'REPOSITORY_NAME' $PROPFILE)
+SSL_KEYSTORE_FILE_PATH=$(get_prop 'SSL_KEYSTORE_FILE_PATH' $PROPFILE)
+SSL_KEYSTORE_PASSWORD=$(get_prop 'SSL_KEYSTORE_PASSWORD' $PROPFILE)
+SSL_TRUSTSTORE_FILE_PATH=$(get_prop 'SSL_TRUSTSTORE_FILE_PATH' $PROPFILE)
+SSL_TRUSTSTORE_PASSWORD=$(get_prop 'SSL_TRUSTSTORE_PASSWORD' $PROPFILE)
+KMS_DIR=$(eval echo "$(get_prop 'KMS_DIR' $PROPFILE)")
+app_home=$(eval echo "$(get_prop 'app_home' $PROPFILE)")
+TMPFILE=$(eval echo "$(get_prop 'TMPFILE' $PROPFILE)")
+LOGFILE=$(eval echo "$(get_prop 'LOGFILE' $PROPFILE)")
+LOGFILES=$(eval echo "$(get_prop 'LOGFILES' $PROPFILE)")
+JAVA_BIN=$(get_prop 'JAVA_BIN' $PROPFILE)
+JAVA_VERSION_REQUIRED=$(get_prop 'JAVA_VERSION_REQUIRED' $PROPFILE)
+JAVA_ORACLE=$(get_prop 'JAVA_ORACLE' $PROPFILE)
+mysql_core_file=$(get_prop 'mysql_core_file' $PROPFILE)
+oracle_core_file=$(get_prop 'oracle_core_file' $PROPFILE)
+postgres_core_file=$(get_prop 'postgres_core_file' $PROPFILE)
+sqlserver_core_file=$(get_prop 'sqlserver_core_file' $PROPFILE)
+sqlanywhere_core_file=$(get_prop 'sqlanywhere_core_file' $PROPFILE)
+cred_keystore_filename=$(eval echo "$(get_prop 'cred_keystore_filename' $PROPFILE)")
+KMS_BLACKLIST_DECRYPT_EEK=$(get_prop 'KMS_BLACKLIST_DECRYPT_EEK' $PROPFILE)
+
+DB_HOST="${db_host}"
check_ret_status(){
if [ $1 -ne 0 ]; then
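Review bot: The global `eval` of the properties file is removed in the previous hunk, but the six `$(eval echo "$(get_prop ...)")` lines reintroduce it for KMS_DIR, app_home, TMPFILE, LOGFILE, LOGFILES and cred_keystore_filename, so a value of those properties is still executed by the shell rather than used as text. If the intent is only to expand `~` or `$VAR` in paths, a comment should say so and the list should stay that short; otherwise the eval should go. Inside `get_prop`, `$2`, `echo $validateProperty` and `echo $value` are unquoted, so a value containing spaces, `*` or `?` is word-split and glob-expanded and one starting with `-n` or `-e` is consumed by `echo`; the quote-safe form is `validateProperty=$(sed '/^\#/d' "$2" | grep "^$1\s*=" | tail -n 1)`, `value=${validateProperty#*=}`, `printf '%s\n' "$value"`. The same unquoted `echo $validateProperty | cut` appears in the -82 hunk for getPropertyFromFileNoExit and getPropertyFromFile.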
@@ -82,29 +122,25 @@ get_distro(){
#Get Properties from File without erroring out if property is not there
#$1 -> propertyName $2 -> fileName $3 -> variableName $4 -> failIfNotFound
getPropertyFromFileNoExit(){
- validateProperty=$(sed '/^\#/d' $2 | grep "^$1" | tail -n 1) # for validation
+ validateProperty=$(sed '/^\#/d' $2 | grep "^$1\s*=" | tail -n 1) # for validation
if test -z "$validateProperty" ; then
- log "[E] '$1' not found in $2 file while getting....!!";
- if [ $4 == "true" ] ; then
- exit 1;
- else
- value=""
- fi
- else
- value=`sed '/^\#/d' $2 | grep "^$1" | tail -n 1 | cut -d "=" -f2-`
- fi
- #echo 'value:'$value
+ log "[E] '$1' not found in $2 file while getting....!!";
+ if [ $4 == "true" ] ; then
+ exit 1;
+ else
+ value=""
+ fi
+ else
+ value=$(echo $validateProperty | cut -d "=" -f2-)
+ fi
eval $3="'$value'"
}
#Get Properties from File
#$1 -> propertyName $2 -> fileName $3 -> variableName
getPropertyFromFile(){
- validateProperty=$(sed '/^\#/d' $2 | grep "^$1" | tail -n 1) # for validation
+ validateProperty=$(sed '/^\#/d' $2 | grep "^$1\s*=" | tail -n 1) # for validation
if test -z "$validateProperty" ; then log "[E] '$1' not found in $2 file while getting....!!"; exit 1; fi
- value=`sed '/^\#/d' $2 | grep "^$1" | tail -n 1 | cut -d "=" -f2-`
- #echo 'value:'$value
- #validate=$(sed '/^\#/d' $2 | grep "^$1" | tail -n 1 | cut -d "=" -f2-) # for validation
- #if test -z "$validate" ; then log "[E] '$1' not found in $2 file while getting....!!"; exit 1; fi
+ value=$(echo $validateProperty | cut -d "=" -f2-)
eval $3="'$value'"
}
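Review bot: The new `value=$(echo $validateProperty | cut -d "=" -f2-)` lines still feed the unchanged `eval $3="'$value'"`, which treats a value containing a single quote as shell code; with properties now read individually, `printf -v "$3" '%s' "$value"` assigns the value without any evaluation and works for both functions. `$2` in `sed '/^\#/d' $2` is also unquoted, so a PROPFILE path with spaces fails; `"$2"` fixes it. The `^$1\s*=` anchor is a good tightening over the old `^$1`, but `\s` in a basic regex is a GNU grep extension, worth confirming if the script must run with other greps.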
@@ -132,7 +168,21 @@ init_logfiles () {
touch $f
done
}
-
+password_validation() {
+ if [ -z "$1" ]
+ then
+ log "[I] Blank password is not allowed for" $2". Please enter valid password."
+ exit 1
+ else
+ if [[ $1 =~ [\"\'\`\\\] ]]
+ then
+ log "[E]" $2 "password contains one of the unsupported special characters:\" ' \` \\"
+ exit 1
+ else
+ log "[I]" $2 "password validated."
+ fi
+ fi
+}
init_variables(){
curDt=`date '+%Y%m%d%H%M%S'`
@@ -157,11 +207,11 @@ init_variables(){
DB_FLAVOR="MYSQL"
fi
log "[I] DB_FLAVOR=${DB_FLAVOR}"
-
- getPropertyFromFile 'db_root_user' $PROPFILE db_root_user
- getPropertyFromFile 'db_root_password' $PROPFILE db_user
- getPropertyFromFile 'db_user' $PROPFILE db_user
- getPropertyFromFile 'db_password' $PROPFILE db_password
+ password_validation "$KMS_MASTER_KEY_PASSWD" "KMS Master key"
+ #getPropertyFromFile 'db_root_user' $PROPFILE db_root_user
+ #getPropertyFromFile 'db_root_password' $PROPFILE db_user
+ #getPropertyFromFile 'db_user' $PROPFILE db_user
+ #getPropertyFromFile 'db_password' $PROPFILE db_password
#if [ -L ${CONF_FILE} ]
# then
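Review bot: The four `getPropertyFromFile` calls are left as commented-out code instead of being deleted; since the properties are now read once at the top of the script, the dead lines (one of which assigned `db_root_password` into `db_user`) should be removed rather than kept. Only `KMS_MASTER_KEY_PASSWD` is validated here while `db_password` is validated by dba_script.py, which is fine but worth a one-line comment so the next reader does not add a duplicate check. `init_variables` continues outside the hunk.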
@@ -345,11 +395,6 @@ update_properties() {
log "[E] $to_file does not exists" ; exit 1;
fi
-
- propertyName=ranger.ks.jpa.jdbc.user
- newPropertyValue="${db_user}"
- updatePropertyToFilePy $propertyName $newPropertyValue $to_file
-
if [ "${DB_FLAVOR}" == "MYSQL" ]
then
propertyName=ranger.ks.jpa.jdbc.url
@@ -382,6 +427,9 @@ update_properties() {
fi
if [ "${DB_FLAVOR}" == "POSTGRES" ]
then
+ db_name=`echo ${db_name} | tr '[:upper:]' '[:lower:]'`
+ db_user=`echo ${db_user} | tr '[:upper:]' '[:lower:]'`
+
propertyName=ranger.ks.jpa.jdbc.url
newPropertyValue="jdbc:postgresql://${DB_HOST}/${db_name}"
updatePropertyToFilePy $propertyName $newPropertyValue $to_file
@@ -424,6 +472,10 @@ update_properties() {
newPropertyValue="sap.jdbc4.sqlanywhere.IDriver"
updatePropertyToFilePy $propertyName $newPropertyValue $to_file
fi
+ propertyName=ranger.ks.jpa.jdbc.user
+ newPropertyValue="${db_user}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file
+
keystore="${cred_keystore_filename}"
echo "Starting configuration for XA DB credentials:"
@@ -438,8 +490,10 @@ update_properties() {
then
mkdir -p `dirname "${keystore}"`
- $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "${DB_CREDENTIAL_ALIAS}" -value "$db_password" -provider jceks://file$keystore
- $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "${MK_CREDENTIAL_ALIAS}" -value "${KMS_MASTER_KEY_PASSWD}" -provider jceks://file$keystore
+ $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "${DB_CREDENTIAL_ALIAS}" -v "${db_password}" -c 1
+ $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "${MK_CREDENTIAL_ALIAS}" -v "${KMS_MASTER_KEY_PASSWD}" -c 1
+ #$JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "${DB_CREDENTIAL_ALIAS}" -value "$db_password" -provider jceks://file$keystore
+ #$JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "${MK_CREDENTIAL_ALIAS}" -value "${KMS_MASTER_KEY_PASSWD}" -provider jceks://file$keystore
propertyName=ranger.ks.jpa.jdbc.credential.alias
newPropertyValue="${DB_CREDENTIAL_ALIAS}"
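Review bot: The two `#$JAVA_HOME/bin/java ... buildks` lines are commented-out code and should be deleted now that `ranger_credential_helper.py` replaces them. The secret is still handed to the helper as the `-v` argument, so it is visible in the process list for the duration of the call, exactly as the old `-value` form was; if the helper can read the value from stdin or a file descriptor that would close the exposure, otherwise a comment should record it as a known limitation. `update_properties` continues outside the hunk.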
@@ -524,23 +578,24 @@ setup_install_files(){
if [ ! -d ${WEBAPP_ROOT}/WEB-INF/classes/conf ]; then
log "[I] Copying ${WEBAPP_ROOT}/WEB-INF/classes/conf.dist ${WEBAPP_ROOT}/WEB-INF/classes/conf"
mkdir -p ${WEBAPP_ROOT}/WEB-INF/classes/conf
+ cp ${WEBAPP_ROOT}/WEB-INF/classes/conf.dist/* ${WEBAPP_ROOT}/WEB-INF/classes/conf
fi
- cp ${WEBAPP_ROOT}/WEB-INF/classes/conf.dist/* ${WEBAPP_ROOT}/WEB-INF/classes/conf
+ if [ -d ${WEBAPP_ROOT}/WEB-INF/classes/conf ]; then
chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/conf
chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/conf/
+ fi
if [ ! -d ${WEBAPP_ROOT}/WEB-INF/classes/lib ]; then
log "[I] Creating ${WEBAPP_ROOT}/WEB-INF/classes/lib"
mkdir -p ${WEBAPP_ROOT}/WEB-INF/classes/lib
+ fi
+ if [ -d ${WEBAPP_ROOT}/WEB-INF/classes/lib ]; then
chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/lib
fi
if [ -d /etc/init.d ]; then
log "[I] Setting up init.d"
cp ${INSTALL_DIR}/${RANGER_KMS}-initd /etc/init.d/${RANGER_KMS}
- if [ "${unix_user}" != "kms" ]; then
- sed 's/LINUX_USER=kms/LINUX_USER='${unix_user}'/g' -i /etc/init.d/${RANGER_KMS}
- fi
chmod ug+rx /etc/init.d/${RANGER_KMS}
if [ -d /etc/rc2.d ]
@@ -579,16 +634,20 @@ setup_install_files(){
ln -s /etc/init.d/${RANGER_KMS} $RC_DIR/K90${RANGER_KMS}
fi
fi
+ if [ -f /etc/init.d/${RANGER_KMS} ]; then
+ if [ "${unix_user}" != "" ]; then
+ sed 's/^LINUX_USER=.*$/LINUX_USER='${unix_user}'/g' -i /etc/init.d/${RANGER_KMS}
+ fi
+ fi
if [ ! -d ${KMS_DIR}/ews/logs ]; then
log "[I] ${KMS_DIR}/ews/logs folder"
mkdir -p ${KMS_DIR}/ews/logs
- chown -R ${unix_user} ${KMS_DIR}/ews/logs
fi
-
if [ -d ${KMS_DIR}/ews/logs ]; then
chown -R ${unix_user} ${KMS_DIR}/ews/logs
fi
+
log "[I] Setting up installation files and directory DONE";
if [ ! -f ${INSTALL_DIR}/rpm ]; then
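Review bot: The new `sed 's/^LINUX_USER=.*$/LINUX_USER='${unix_user}'/g' -i ...` splices `${unix_user}` into the sed expression unquoted, so a value containing `/`, `&` or whitespace either breaks the expression or is misinterpreted, and placing `-i` after the expression relies on GNU sed argument order. Quoting the whole expression and using a delimiter that cannot appear in a user name reduces that: `sed -i "s|^LINUX_USER=.*|LINUX_USER=${unix_user}|"`. The surrounding `if [ "${unix_user}" != "" ]` is the only validation the value receives. `setup_install_files` continues outside the hunk.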
@@ -617,13 +676,17 @@ setup_install_files(){
ln -sf ${INSTALL_DIR}/ranger-kms-initd ${INSTALL_DIR}/ranger-kms-services.sh
chmod ug+rx ${INSTALL_DIR}/ranger-kms-services.sh
fi
-
- if [ ! -d /var/log/ranger/kms ]
- then
+ if [ ! -d /var/log/ranger/kms ]; then
mkdir -p /var/log/ranger/kms
+ if [ -d ews/logs ]; then
+ cp -r ews/logs/* /var/log/ranger/kms
+ fi
+ fi
+ if [ -d /var/log/ranger/kms ]; then
+ chmod 755 /var/log/ranger/kms
+ chown -R $unix_user:$unix_group /var/log/ranger/kms
fi
- chgrp ${unix_group} /var/log/ranger/kms
- chmod g+rwx /var/log/ranger/kms
+
}
init_logfiles
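Review bot: `cp -r ews/logs/* /var/log/ranger/kms` uses a path relative to the current directory, while the earlier hunk in the same function addresses the directory as `${KMS_DIR}/ews/logs`; unless the script is guaranteed to run from KMS_DIR the copy silently finds nothing, so `${KMS_DIR}/ews/logs` is the consistent form. `chmod 755` makes the log directory readable and traversable by every user on the host; the previous `chgrp` plus `g+rwx` left the other bits at the umask default, which is usually also world-readable, so this is not a regression, but if the KMS logs can contain anything sensitive `750` is the safer choice. `$unix_user:$unix_group` should be quoted like the `${unix_user}` uses above it.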
@@ -640,7 +703,12 @@ sanity_check_files
copy_db_connector
check_python_command
run_dba_steps
-$PYTHON_COMMAND_INVOKER db_setup.py
+if [ "$?" == "0" ]
+then
+ $PYTHON_COMMAND_INVOKER db_setup.py
+else
+ exit 1
+fi
if [ "$?" == "0" ]
then
update_properties
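Review bot: The new `if [ "$?" == "0" ]` block around `db_setup.py` leaves the unchanged `if [ "$?" == "0" ]` that follows it testing the exit status of the whole `if … fi` compound command rather than of `db_setup.py` directly; it works only because the then-branch's last command is `db_setup.py` and the else-branch exits, which is fragile. `run_dba_steps || exit 1` followed by `$PYTHON_COMMAND_INVOKER db_setup.py` expresses the same control flow in two lines and keeps the following `$?` check meaningful. The `"$?" == "0"` string comparison would also be clearer as `-eq 0` or as a direct `if run_dba_steps; then`.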
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/bc4ee643/security-admin/scripts/db_setup.py
----------------------------------------------------------------------
diff --git a/security-admin/scripts/db_setup.py b/security-admin/scripts/db_setup.py
index 1edc628..07a0655 100644
--- a/security-admin/scripts/db_setup.py
+++ b/security-admin/scripts/db_setup.py
@@ -161,9 +161,9 @@ class MysqlConf(BaseDB):
path = RANGER_ADMIN_HOME
self.JAVA_BIN = self.JAVA_BIN.strip("'")
if os_name == "LINUX":
- jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u %s -p %s -noheader -trim -c \;" %(self.JAVA_BIN,self.SQL_CONNECTOR_JAR,path,self.host,db_name,user,password)
+ jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u '%s' -p '%s' -noheader -trim -c \;" %(self.JAVA_BIN,self.SQL_CONNECTOR_JAR,path,self.host,db_name,user,password)
elif os_name == "WINDOWS":
- jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u %s -p %s -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password)
+ jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u '%s' -p '%s' -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password)
return jisql_cmd
def check_connection(self, db_name, db_user, db_password):
@@ -939,9 +939,9 @@ class SqlServerConf(BaseDB):
path = RANGER_ADMIN_HOME
self.JAVA_BIN = self.JAVA_BIN.strip("'")
if os_name == "LINUX":
- jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password %s -driver mssql -cstring jdbc:sqlserver://%s\\;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password, self.host,db_name)
+ jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password '%s' -driver mssql -cstring jdbc:sqlserver://%s\\;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password, self.host,db_name)
elif os_name == "WINDOWS":
- jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password %s -driver mssql -cstring jdbc:sqlserver://%s;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password, self.host,db_name)
+ jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password '%s' -driver mssql -cstring jdbc:sqlserver://%s;databaseName=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password, self.host,db_name)
return jisql_cmd
def check_connection(self, db_name, db_user, db_password):
@@ -1173,9 +1173,9 @@ class SqlAnywhereConf(BaseDB):
path = RANGER_ADMIN_HOME
self.JAVA_BIN = self.JAVA_BIN.strip("'")
if os_name == "LINUX":
- jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host)
+ jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host)
elif os_name == "WINDOWS":
- jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host)
+ jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host)
return jisql_cmd
def check_connection(self, db_name, db_user, db_password):
@@ -1506,6 +1506,8 @@ def main(argv):
audit_patch_file = os.path.join(RANGER_ADMIN_HOME ,oracle_auditdb_patches)
elif XA_DB_FLAVOR == "POSTGRES":
+ db_user=db_user.lower()
+ db_name=db_name.lower()
POSTGRES_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR']
xa_sqlObj = PostgresConf(xa_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN)
xa_db_version_file = os.path.join(RANGER_ADMIN_HOME , postgres_dbversion_catalog)
@@ -1548,6 +1550,8 @@ def main(argv):
audit_db_file = os.path.join(RANGER_ADMIN_HOME , oracle_audit_file)
elif AUDIT_DB_FLAVOR == "POSTGRES":
+ audit_db_user=audit_db_user.lower()
+ audit_db_name=audit_db_name.lower()
POSTGRES_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR']
audit_sqlObj = PostgresConf(audit_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN)
audit_db_file = os.path.join(RANGER_ADMIN_HOME , postgres_audit_file)
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/bc4ee643/security-admin/scripts/dba_script.py
----------------------------------------------------------------------
diff --git a/security-admin/scripts/dba_script.py b/security-admin/scripts/dba_script.py
index 4fd5593..40a6c49 100644
--- a/security-admin/scripts/dba_script.py
+++ b/security-admin/scripts/dba_script.py
@@ -96,6 +96,17 @@ def logFile(msg):
print("Invalid input! Provide file path to write DBA scripts:")
sys.exit()
+def password_validation(password, userType):
+ if password:
+ if re.search("[\\\`'\"]",password):
+ log("[E] "+userType+" user password contains one of the unsupported special characters like \" ' \ `","error")
+ sys.exit(1)
+ else:
+ log("[I] "+userType+" user password validated","info")
+ else:
+ log("[E] Blank password is not allowed,please enter valid password.","error")
+ sys.exit(1)
+
class BaseDB(object):
def create_rangerdb_user(self, root_user, db_user, db_password, db_root_password,dryMode):
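Review bot: The pattern on L12981 relies on Python keeping the unrecognised escape `\`` literally inside a normal string; that works but is fragile and newer interpreters warn about it, so write it as a raw string: `if re.search(r"[\\`'\"]", password):`. The function also needs a docstring stating that it terminates the process on an invalid or blank password rather than returning a result, since the callers on L13037-L13039 depend on that. The blocklist exists only because the password is later spliced into a shell command string; if that is ever changed to an argument list this check can go. The same function is duplicated in unixauthservice/scripts/setup.py at L13565-L13574.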
@@ -1085,9 +1096,9 @@ class SqlAnywhereConf(BaseDB):
path = RANGER_ADMIN_HOME
self.JAVA_BIN = self.JAVA_BIN.strip("'")
if os_name == "LINUX":
- jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host)
+ jisql_cmd = "%s -cp %s:%s/jisql/lib/* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path,user, password,db_name,self.host)
elif os_name == "WINDOWS":
- jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password %s -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host)
+ jisql_cmd = "%s -cp %s;%s\\jisql\\lib\\* org.apache.util.sql.Jisql -user %s -password '%s' -driver sapsajdbc4 -cstring jdbc:sqlanywhere:database=%s;host=%s -noheader -trim"%(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, user, password,db_name,self.host)
return jisql_cmd
def verify_user(self, root_user, db_root_password, db_user,dryMode):
@@ -1270,6 +1281,10 @@ def main(argv):
dryMode=False
is_revoke=False
+ if len(argv) == 3:
+ password_validation(argv[1],argv[2]);
+ return;
+
if len(argv) > 1:
for i in range(len(argv)):
if str(argv[i]) == "-q":
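Review bot: Dispatching on `len(argv) == 3` at L13006 makes the validation mode depend on how the shell splits the password: setup.sh invokes this as `dba_script.py ${xa_ldap_bind_password} 'LDAP'` (L13308, L13327) with the variable unquoted, so a bind password containing whitespace or a glob character changes the argument count and the script silently falls through to its normal DBA flow with password fragments as arguments. Quote the expansion in setup.sh, `"${xa_ldap_bind_password}"`, and select the mode with an explicit option rather than argument count. The trailing semicolons on L13007-L13008 are not Python style. main() starts outside the hunk.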
@@ -1503,6 +1518,8 @@ def main(argv):
elif XA_DB_FLAVOR == "POSTGRES":
#POSTGRES_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR']
#POSTGRES_CONNECTOR_JAR='/usr/share/java/postgresql.jar'
+ db_user=db_user.lower()
+ db_name=db_name.lower()
POSTGRES_CONNECTOR_JAR=CONNECTOR_JAR
xa_sqlObj = PostgresConf(xa_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN)
xa_db_version_file = os.path.join(RANGER_ADMIN_HOME,postgres_dbversion_catalog)
@@ -1553,6 +1570,8 @@ def main(argv):
elif AUDIT_DB_FLAVOR == "POSTGRES":
#POSTGRES_CONNECTOR_JAR = globalDict['SQL_CONNECTOR_JAR']
#POSTGRES_CONNECTOR_JAR='/usr/share/java/postgresql.jar'
+ audit_db_user=audit_db_user.lower()
+ audit_db_name=audit_db_name.lower()
POSTGRES_CONNECTOR_JAR=CONNECTOR_JAR
audit_sqlObj = PostgresConf(audit_db_host, POSTGRES_CONNECTOR_JAR, JAVA_BIN)
audit_db_file = os.path.join(RANGER_ADMIN_HOME,postgres_audit_file)
@@ -1580,6 +1599,11 @@ def main(argv):
if audit_store is None or audit_store == "":
audit_store = "db"
audit_store=audit_store.lower()
+
+ log("[I] ---------- Verifing Ranger Admin db user password ---------- ","info")
+ password_validation(db_password,"admin");
+ log("[I] ---------- Verifing Ranger Audit db user password ---------- ","info")
+ password_validation(audit_db_password,"audit");
# Methods Begin
if DBA_MODE == "TRUE" :
if (dryMode==True):
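Review bot: `password_validation(audit_db_password,"audit")` on L13039 runs regardless of `audit_store`, which is normalised just above it on L13032-L13034; if the audit password is legitimately empty when audits go to solr rather than db, the blank-password branch of password_validation exits the installer. Guard the call on the store type, e.g. `if audit_store == "db": password_validation(audit_db_password,"audit")`, unless a DB audit password is required in every mode. The log text on L13036 and L13038 misspells "Verifying". main() starts outside the hunk.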
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/bc4ee643/security-admin/scripts/set_globals.sh
----------------------------------------------------------------------
diff --git a/security-admin/scripts/set_globals.sh b/security-admin/scripts/set_globals.sh
index 9a4159c..5e985e2 100755
--- a/security-admin/scripts/set_globals.sh
+++ b/security-admin/scripts/set_globals.sh
@@ -21,6 +21,20 @@
#This will also create the ranger linux user and groups if required.
#This script needs to be run as root
+PROPFILE=$PWD/install.properties
+propertyValue=''
+
+if [ ! $? = "0" ];then
+ log "$PROPFILE file not found....!!";
+ exit 1;
+fi
+get_prop(){
+ validateProperty=$(sed '/^\#/d' $2 | grep "^$1\s*=" | tail -n 1) # for validation
+ if test -z "$validateProperty" ; then log "[E] '$1' not found in $2 file while getting....!!"; exit 1; fi
+ value=$(echo $validateProperty | cut -d "=" -f2-)
+ echo $value
+}
+
if [ ! -w /etc/passwd ]; then
echo "ERROR: Please run this script as root"
exit 1
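Review bot: The check on L13055 tests `$?` of the plain assignment on L13052, which is always 0, so a missing install.properties is never detected here, and the `log` it would call is not defined until later in the file (the hunk header at L13069 places log() around line 43, after this block). Replace it with a direct test that uses echo: `if [ ! -f "$PROPFILE" ]; then echo "$PROPFILE file not found....!!"; exit 1; fi`. In get_prop, `$2` and `echo $value` on L13060-L13063 are unquoted, so a value containing `*` or `?` is glob-expanded against the working directory and runs of whitespace collapse; use `"$2"` and `printf '%s\n' "$value"`, which matters because this function now returns passwords in setup.sh. The same block is added in setup.sh (L13120-L13125, where the sourcing it guarded is commented out on L13105, leaving the `$?` test on L13106 equally dead) and in unixauthservice/scripts/set_globals.sh (L13503-L13515).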
@@ -43,8 +57,8 @@ log() {
}
#Create the ranger users and groups (if needed)
-unix_user=ranger
-unix_group=ranger
+unix_user=$(get_prop 'unix_user' $PROPFILE)
+unix_group=$(get_prop 'unix_group' $PROPFILE)
groupadd ${unix_group}
ret=$?
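Review bot: The `exit 1` inside get_prop only terminates the `$(...)` subshell, so when a property is missing L13074-L13075 assign an empty string and the script carries on to `groupadd` with no group name instead of stopping. Propagate the failure at the call site: `unix_user=$(get_prop 'unix_user' $PROPFILE) || exit 1`. The same pattern is used for every assignment in setup.sh at L13127-L13188, including the database and bind passwords, and in unixauthservice/scripts/set_globals.sh at L13524-L13525.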
@@ -88,14 +102,14 @@ if [ ! -d /var/log/ranger/admin ]; then
if [ -d ews/logs ]; then
cp -r ews/logs/* /var/log/ranger/admin
fi
- chmod 755 /var/log/ranger/admin
- chown -R $unix_user:$unix_group /var/log/ranger
fi
if [ -d /var/log/ranger/admin ]; then
- chown -R $unix_user:$unix_group /var/log/ranger/admin
+ chown -R $unix_user:$unix_group /var/log/ranger
+ chown -R $unix_user:$unix_group /var/log/ranger/admin
+ chmod 755 /var/log/ranger
+ chmod 755 /var/log/ranger/admin
fi
-
mv -f ews/logs ews/webapp/logs.$curDt 2> /dev/null
ln -sf /var/log/ranger/admin ews/logs
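Review bot: `chown -R $unix_user:$unix_group /var/log/ranger` on L13087 now runs whenever the admin log directory exists and recurses over the whole tree, so it also reassigns ownership of sibling directories such as /var/log/ranger/usersync (created by the usersync script at L13531), which may belong to a different unix_user since each component reads its own install.properties. Limit the recursive change to the admin subtree and make the parent non-recursive: `chown $unix_user:$unix_group /var/log/ranger` followed by the existing `chown -R` on /var/log/ranger/admin. `$unix_user` and `$unix_group` are unquoted throughout, which is harmless for sane values but silently changes the command if get_prop returns an empty string.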
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/bc4ee643/security-admin/scripts/setup.sh
----------------------------------------------------------------------
diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh
index cd5d2bf..11b72b4 100755
--- a/security-admin/scripts/setup.sh
+++ b/security-admin/scripts/setup.sh
@@ -22,14 +22,11 @@
PROPFILE=$PWD/install.properties
propertyValue=''
-. $PROPFILE
+#. $PROPFILE
if [ ! $? = "0" ];then
log "$PROPFILE file not found....!!";
exit 1;
fi
-
-DB_HOST="${db_host}"
-
usage() {
[ "$*" ] && echo "$0: $*"
sed -n '/^##/,/^$/s/^## \{0,1\}//p' "$0"
@@ -41,6 +38,77 @@ log() {
echo "${prefix} $@" >> $LOGFILE
echo "${prefix} $@"
}
+get_prop(){
+ validateProperty=$(sed '/^\#/d' $2 | grep "^$1\s*=" | tail -n 1) # for validation
+ if test -z "$validateProperty" ; then log "[E] '$1' not found in $2 file while getting....!!"; exit 1; fi
+ value=$(echo $validateProperty | cut -d "=" -f2-)
+ echo $value
+}
+
+PYTHON_COMMAND_INVOKER=$(get_prop 'PYTHON_COMMAND_INVOKER' $PROPFILE)
+DB_FLAVOR=$(get_prop 'DB_FLAVOR' $PROPFILE)
+SQL_COMMAND_INVOKER=$(get_prop 'SQL_COMMAND_INVOKER' $PROPFILE)
+SQL_CONNECTOR_JAR=$(get_prop 'SQL_CONNECTOR_JAR' $PROPFILE)
+db_root_user=$(get_prop 'db_root_user' $PROPFILE)
+db_root_password=$(get_prop 'db_root_password' $PROPFILE)
+db_host=$(get_prop 'db_host' $PROPFILE)
+db_name=$(get_prop 'db_name' $PROPFILE)
+db_user=$(get_prop 'db_user' $PROPFILE)
+db_password=$(get_prop 'db_password' $PROPFILE)
+audit_store=$(get_prop 'audit_store' $PROPFILE)
+audit_solr_urls=$(get_prop 'audit_solr_urls' $PROPFILE)
+audit_solr_user=$(get_prop 'audit_solr_user' $PROPFILE)
+audit_solr_password=$(get_prop 'audit_solr_password' $PROPFILE)
+audit_solr_zookeepers=$(get_prop 'audit_solr_zookeepers' $PROPFILE)
+audit_db_name=$(get_prop 'audit_db_name' $PROPFILE)
+audit_db_user=$(get_prop 'audit_db_user' $PROPFILE)
+audit_db_password=$(get_prop 'audit_db_password' $PROPFILE)
+policymgr_external_url=$(get_prop 'policymgr_external_url' $PROPFILE)
+policymgr_http_enabled=$(get_prop 'policymgr_http_enabled' $PROPFILE)
+unix_user=$(get_prop 'unix_user' $PROPFILE)
+unix_group=$(get_prop 'unix_group' $PROPFILE)
+authentication_method=$(get_prop 'authentication_method' $PROPFILE)
+remoteLoginEnabled=$(get_prop 'remoteLoginEnabled' $PROPFILE)
+authServiceHostName=$(get_prop 'authServiceHostName' $PROPFILE)
+authServicePort=$(get_prop 'authServicePort' $PROPFILE)
+xa_ldap_url=$(get_prop 'xa_ldap_url' $PROPFILE)
+xa_ldap_userDNpattern=$(get_prop 'xa_ldap_userDNpattern' $PROPFILE)
+xa_ldap_groupSearchBase=$(get_prop 'xa_ldap_groupSearchBase' $PROPFILE)
+xa_ldap_groupSearchFilter=$(get_prop 'xa_ldap_groupSearchFilter' $PROPFILE)
+xa_ldap_groupRoleAttribute=$(get_prop 'xa_ldap_groupRoleAttribute' $PROPFILE)
+xa_ldap_base_dn=$(get_prop 'xa_ldap_base_dn' $PROPFILE)
+xa_ldap_bind_dn=$(get_prop 'xa_ldap_bind_dn' $PROPFILE)
+xa_ldap_bind_password=$(get_prop 'xa_ldap_bind_password' $PROPFILE)
+xa_ldap_referral=$(get_prop 'xa_ldap_referral' $PROPFILE)
+xa_ldap_userSearchFilter=$(get_prop 'xa_ldap_userSearchFilter' $PROPFILE)
+xa_ldap_ad_domain=$(get_prop 'xa_ldap_ad_domain' $PROPFILE)
+xa_ldap_ad_url=$(get_prop 'xa_ldap_ad_url' $PROPFILE)
+xa_ldap_ad_base_dn=$(get_prop 'xa_ldap_ad_base_dn' $PROPFILE)
+xa_ldap_ad_bind_dn=$(get_prop 'xa_ldap_ad_bind_dn' $PROPFILE)
+xa_ldap_ad_bind_password=$(get_prop 'xa_ldap_ad_bind_password' $PROPFILE)
+xa_ldap_ad_referral=$(get_prop 'xa_ldap_ad_referral' $PROPFILE)
+xa_ldap_ad_userSearchFilter=$(get_prop 'xa_ldap_ad_userSearchFilter' $PROPFILE)
+XAPOLICYMGR_DIR=$(eval echo "$(get_prop 'XAPOLICYMGR_DIR' $PROPFILE)")
+app_home=$(eval echo "$(get_prop 'app_home' $PROPFILE)")
+TMPFILE=$(eval echo "$(get_prop 'TMPFILE' $PROPFILE)")
+LOGFILE=$(eval echo " $(get_prop 'LOGFILE' $PROPFILE)")
+LOGFILES=$(eval echo "$(get_prop 'LOGFILES' $PROPFILE)")
+JAVA_BIN=$(get_prop 'JAVA_BIN' $PROPFILE)
+JAVA_VERSION_REQUIRED=$(get_prop 'JAVA_VERSION_REQUIRED' $PROPFILE)
+JAVA_ORACLE=$(get_prop 'JAVA_ORACLE' $PROPFILE)
+mysql_core_file=$(get_prop 'mysql_core_file' $PROPFILE)
+mysql_audit_file=$(get_prop 'mysql_audit_file' $PROPFILE)
+oracle_core_file=$(get_prop 'oracle_core_file' $PROPFILE)
+oracle_audit_file=$(get_prop 'oracle_audit_file' $PROPFILE)
+postgres_core_file=$(get_prop 'postgres_core_file' $PROPFILE)
+postgres_audit_file=$(get_prop 'postgres_audit_file' $PROPFILE)
+sqlserver_core_file=$(get_prop 'sqlserver_core_file' $PROPFILE)
+sqlserver_audit_file=$(get_prop 'sqlserver_audit_file' $PROPFILE)
+sqlanywhere_core_file=$(get_prop 'sqlanywhere_core_file' $PROPFILE)
+sqlanywhere_audit_file=$(get_prop 'sqlanywhere_audit_file' $PROPFILE)
+cred_keystore_filename=$(eval echo "$(get_prop 'cred_keystore_filename' $PROPFILE)")
+
+DB_HOST="${db_host}"
check_ret_status(){
if [ $1 -ne 0 ]; then
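Review bot: L13170-L13174 and L13188 pass property values through `eval echo`, so whatever is written in those six entries of install.properties is executed as shell; now that `. $PROPFILE` is commented out on L13105 these are the only places where the properties file can still run commands. Either document that the file must stay root-owned and non-writable by others, `# eval expands ~ and $VAR in these paths; install.properties must not be writable by untrusted users`, or replace the eval with a narrower expansion for the `~`/`$VAR` cases it is meant to handle. The enclosing top-level statement run continues outside the hunk.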
@@ -77,29 +145,25 @@ get_distro(){
#Get Properties from File without erroring out if property is not there
#$1 -> propertyName $2 -> fileName $3 -> variableName $4 -> failIfNotFound
getPropertyFromFileNoExit(){
- validateProperty=$(sed '/^\#/d' $2 | grep "^$1" | tail -n 1) # for validation
+ validateProperty=$(sed '/^\#/d' $2 | grep "^$1\s*=" | tail -n 1) # for validation
if test -z "$validateProperty" ; then
- log "[E] '$1' not found in $2 file while getting....!!";
- if [ $4 == "true" ] ; then
- exit 1;
- else
- value=""
- fi
- else
- value=`sed '/^\#/d' $2 | grep "^$1" | tail -n 1 | cut -d "=" -f2-`
- fi
- #echo 'value:'$value
+ log "[E] '$1' not found in $2 file while getting....!!";
+ if [ $4 == "true" ] ; then
+ exit 1;
+ else
+ value=""
+ fi
+ else
+ value=$(echo $validateProperty | cut -d "=" -f2-)
+ fi
eval $3="'$value'"
}
#Get Properties from File
#$1 -> propertyName $2 -> fileName $3 -> variableName
getPropertyFromFile(){
- validateProperty=$(sed '/^\#/d' $2 | grep "^$1" | tail -n 1) # for validation
+ validateProperty=$(sed '/^\#/d' $2 | grep "^$1\s*=" | tail -n 1) # for validation
if test -z "$validateProperty" ; then log "[E] '$1' not found in $2 file while getting....!!"; exit 1; fi
- value=`sed '/^\#/d' $2 | grep "^$1" | tail -n 1 | cut -d "=" -f2-`
- #echo 'value:'$value
- #validate=$(sed '/^\#/d' $2 | grep "^$1" | tail -n 1 | cut -d "=" -f2-) # for validation
- #if test -z "$validate" ; then log "[E] '$1' not found in $2 file while getting....!!"; exit 1; fi
+ value=$(echo $validateProperty | cut -d "=" -f2-)
eval $3="'$value'"
}
@@ -151,20 +215,20 @@ init_variables(){
fi
log "[I] DB_FLAVOR=${DB_FLAVOR}"
- getPropertyFromFile 'db_root_user' $PROPFILE db_root_user
- getPropertyFromFile 'db_root_password' $PROPFILE db_user
- getPropertyFromFile 'db_user' $PROPFILE db_user
- getPropertyFromFile 'db_password' $PROPFILE db_password
- if [ "${audit_store}" == "solr" ]
- then
- getPropertyFromFile 'audit_solr_urls' $PROPFILE audit_solr_urls
- getPropertyFromFile 'audit_solr_user' $PROPFILE audit_solr_user
- getPropertyFromFile 'audit_solr_password' $PROPFILE audit_solr_password
- getPropertyFromFile 'audit_solr_zookeepers' $PROPFILE audit_solr_zookeepers
- else
- getPropertyFromFile 'audit_db_user' $PROPFILE audit_db_user
- getPropertyFromFile 'audit_db_password' $PROPFILE audit_db_password
- fi
+ #getPropertyFromFile 'db_root_user' $PROPFILE db_root_user
+ #getPropertyFromFile 'db_root_password' $PROPFILE db_user
+ #getPropertyFromFile 'db_user' $PROPFILE db_user
+ #getPropertyFromFile 'db_password' $PROPFILE db_password
+ #if [ "${audit_store}" == "solr" ]
+ #then
+ # getPropertyFromFile 'audit_solr_urls' $PROPFILE audit_solr_urls
+ # getPropertyFromFile 'audit_solr_user' $PROPFILE audit_solr_user
+ # getPropertyFromFile 'audit_solr_password' $PROPFILE audit_solr_password
+ # getPropertyFromFile 'audit_solr_zookeepers' $PROPFILE audit_solr_zookeepers
+ #else
+ # getPropertyFromFile 'audit_db_user' $PROPFILE audit_db_user
+ # getPropertyFromFile 'audit_db_password' $PROPFILE audit_db_password
+ #fi
}
wait_for_tomcat_shutdown() {
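Review bot: L13251-L13264 keep the replaced getPropertyFromFile calls as comments instead of deleting them; version control already preserves them, and the commented block carries the old mistake on L13252 (`db_root_password` read into `db_user`) that a future uncomment would reintroduce. Delete the block and, if a reminder is wanted, leave one line: `# db_* and audit_* settings are read once at the top of the file via get_prop`. init_variables() starts outside the hunk.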
@@ -835,6 +899,11 @@ update_properties() {
fi
if [ "${DB_FLAVOR}" == "POSTGRES" ]
then
+ db_name=`echo ${db_name} | tr '[:upper:]' '[:lower:]'`
+ audit_db_name=`echo ${audit_db_name} | tr '[:upper:]' '[:lower:]'`
+ db_user=`echo ${db_user} | tr '[:upper:]' '[:lower:]'`
+ audit_db_user=`echo ${audit_db_user} | tr '[:upper:]' '[:lower:]'`
+
propertyName=ranger.jpa.jdbc.url
newPropertyValue="jdbc:postgresql://${DB_HOST}/${db_name}"
updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
@@ -952,8 +1021,8 @@ update_properties() {
if [ "${keystore}" != "" ]
then
mkdir -p `dirname "${keystore}"`
-
- $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$db_password_alias" -value "$db_password" -provider jceks://file$keystore
+ $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "$db_password_alias" -v "$db_password" -c 1
+ #$JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$db_password_alias" -value "$db_password" -provider jceks://file$keystore
propertyName=ranger.credential.provider.path
newPropertyValue="${keystore}"
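Review bot: L13285 passes the database password to ranger_credential_helper.py as the `-v` argument, so it is readable by every local user in the process list while the helper runs; the replaced java invocation had the same exposure, so this is not a regression, but a comment would help whoever later adds a non-argv way to supply it: `# password is visible in argv for the lifetime of the helper`. The old command kept as a comment on L13286 should be deleted rather than left behind. The same pair appears at L13293-L13294, L13301-L13302, L13321-L13322 and L13339-L13340. update_properties() starts outside the hunk.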
@@ -995,7 +1064,8 @@ update_properties() {
if [ "${keystore}" != "" ]
then
- $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$audit_db_password_alias" -value "$audit_db_password" -provider jceks://file$keystore
+ $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "$audit_db_password_alias" -v "$audit_db_password" -c 1
+ #$JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$audit_db_password_alias" -value "$audit_db_password" -provider jceks://file$keystore
propertyName=ranger.jpa.audit.jdbc.credential.alias
newPropertyValue="${audit_db_password_alias}"
@@ -1046,7 +1116,8 @@ update_properties() {
mkdir -p `dirname "${keystore}"`
audit_solr_password_alias=ranger.solr.password
- $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$audit_solr_password_alias" -value "$audit_solr_password" -provider jceks://file$keystore
+ $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "$audit_solr_password_alias" -v "$audit_solr_password" -c 1
+# $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$audit_solr_password_alias" -value "$audit_solr_password" -provider jceks://file$keystore
propertyName=ranger.solr.audit.credential.alias
newPropertyValue="${audit_solr_password_alias}"
@@ -1318,6 +1389,12 @@ do_authentication_setup(){
if [ "${xa_ldap_base_dn}" != "" ] && [ "${xa_ldap_bind_dn}" != "" ] && [ "${xa_ldap_bind_password}" != "" ]
then
+ $PYTHON_COMMAND_INVOKER dba_script.py ${xa_ldap_bind_password} 'LDAP'
+ if [ "$?" != "0" ]
+ then
+ exit 1
+ fi
+
propertyName=ranger.ldap.base.dn
newPropertyValue="${xa_ldap_base_dn}"
updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file
@@ -1341,7 +1418,8 @@ do_authentication_setup(){
mkdir -p `dirname "${keystore}"`
ldap_password_alias=ranger.ldap.binddn.password
- $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$ldap_password_alias" -value "$xa_ldap_bind_password" -provider jceks://file$keystore
+ $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "$ldap_password_alias" -v "$xa_ldap_bind_password" -c 1
+# $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$ldap_password_alias" -value "$xa_ldap_bind_password" -provider jceks://file$keystore
to_file_default=$app_home/WEB-INF/classes/conf/ranger-admin-default-site.xml
@@ -1403,6 +1481,11 @@ do_authentication_setup(){
if [ "${xa_ldap_ad_base_dn}" != "" ] && [ "${xa_ldap_ad_bind_dn}" != "" ] && [ "${xa_ldap_ad_bind_password}" != "" ]
then
+ $PYTHON_COMMAND_INVOKER dba_script.py ${xa_ldap_ad_bind_password} 'AD'
+ if [ "$?" != "0" ]
+ then
+ exit 1
+ fi
propertyName=ranger.ldap.ad.base.dn
newPropertyValue="${xa_ldap_ad_base_dn}"
updatePropertyToFilePy $propertyName $newPropertyValue $ldap_file
@@ -1426,7 +1509,8 @@ do_authentication_setup(){
mkdir -p `dirname "${keystore}"`
ad_password_alias=ranger.ad.binddn.password
- $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$ad_password_alias" -value "$xa_ldap_ad_bind_password" -provider jceks://file$keystore
+ $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "$ad_password_alias" -v "$xa_ldap_ad_bind_password" -c 1
+# $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$ad_password_alias" -value "$xa_ldap_ad_bind_password" -provider jceks://file$keystore
to_file_default=$app_home/WEB-INF/classes/conf/ranger-admin-default-site.xml
@@ -1568,7 +1652,7 @@ setup_install_files(){
fi
fi
if [ -f /etc/init.d/${RANGER_ADMIN} ]; then
- if [ "${unix_user}" != "ranger" ]; then
+ if [ "${unix_user}" != "" ]; then
sed 's/^LINUX_USER=.*$/LINUX_USER='${unix_user}'/g' -i /etc/init.d/${RANGER_ADMIN}
fi
fi
@@ -1702,17 +1786,27 @@ copy_db_connector
#create_audit_db_user
check_python_command
run_dba_steps
+if [ "$?" == "0" ]
+then
$PYTHON_COMMAND_INVOKER db_setup.py
+else
+ exit 1
+fi
if [ "$?" == "0" ]
then
update_properties
do_authentication_setup
-$PYTHON_COMMAND_INVOKER db_setup.py -javapatch
-#execute_java_patches
else
log "[E] DB schema setup failed! Please contact Administrator."
exit 1
fi
+#execute_java_patches
+$PYTHON_COMMAND_INVOKER db_setup.py -javapatch
+if [ "$?" == "0" ]
+then
echo "ln -sf ${WEBAPP_ROOT}/WEB-INF/classes/conf ${INSTALL_DIR}/conf"
ln -sf ${WEBAPP_ROOT}/WEB-INF/classes/conf ${INSTALL_DIR}/conf
echo "Installation of Ranger PolicyManager Web Application is completed."
+else
+ exit 1
+fi
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/bc4ee643/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java b/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java
index c46964c..3f92d8d 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/RESTErrorUtil.java
@@ -375,4 +375,30 @@ public class RESTErrorUtil {
fieldName, value);
}
}
+
+ public WebApplicationException createRESTException(String errorMessage,
+ MessageEnums messageEnum, Long objectId, String fieldName,
+ String logMessage,int statusCode)
+ {
+ List<VXMessage> messageList = new ArrayList<VXMessage>();
+ messageList.add(messageEnum.getMessage(objectId, fieldName));
+ VXResponse vResponse = new VXResponse();
+ vResponse.setStatusCode(vResponse.STATUS_ERROR);
+ vResponse.setMsgDesc(errorMessage);
+ vResponse.setMessageList(messageList);
+ Response errorResponse = Response.status(statusCode).entity(vResponse).build();
+ WebApplicationException restException = new WebApplicationException(errorResponse);
+ restException.fillInStackTrace();
+ UserSessionBase userSession = ContextUtil.getCurrentUserSession();
+ Long sessionId = null;
+ String loginId = null;
+ if (userSession != null) {
+ loginId = userSession.getLoginId();
+ sessionId = userSession.getSessionId();
+ }
+ logger.info("Request failed. SessionId=" + sessionId + ", loginId="
+ + loginId + ", logMessage=" + vResponse.getMsgDesc(),
+ restException);
+ return restException;
+ }
}
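Review bot: The `logMessage` parameter of the new createRESTException overload (L13394) is never used; the log line on L13412-L13413 prints `vResponse.getMsgDesc()` under the label `logMessage`, which is the user-facing `errorMessage` again, so the caller's diagnostic text (e.g. `"preRead: " + id + " not found."` on L13439) is lost. Change it to `+ loginId + ", logMessage=" + logMessage,`. `restException.fillInStackTrace()` on L13404 is redundant because the Throwable constructor already fills the trace, and `vResponse.STATUS_ERROR` on L13399 reads what is presumably a static constant through an instance; `VXResponse.STATUS_ERROR` is clearer if so. If the existing overload above builds the same response with a fixed status, having it delegate to this one would remove the duplication.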
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/bc4ee643/security-admin/src/main/java/org/apache/ranger/service/AbstractBaseResourceService.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/service/AbstractBaseResourceService.java b/security-admin/src/main/java/org/apache/ranger/service/AbstractBaseResourceService.java
index 0ddfb0e..49f5dde 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/AbstractBaseResourceService.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/AbstractBaseResourceService.java
@@ -37,6 +37,7 @@ import javax.persistence.criteria.Expression;
import javax.persistence.criteria.Path;
import javax.persistence.criteria.Predicate;
import javax.persistence.criteria.Root;
+import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import org.apache.ranger.biz.RangerBizUtil;
@@ -318,10 +319,10 @@ public abstract class AbstractBaseResourceService<T extends XXDBBase, V extends
T resource = getDao().getById(id);
if (resource == null) {
- // Returns code 400 with DATA_NOT_FOUND as the error message
+ // Returns code 404 with DATA_NOT_FOUND as the error message
throw restErrorUtil.createRESTException(getResourceName()
+ " not found", MessageEnums.DATA_NOT_FOUND, id, null,
- "preRead: " + id + " not found.");
+ "preRead: " + id + " not found.",HttpServletResponse.SC_NOT_FOUND);
}
V viewBean = readResource(resource);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/bc4ee643/security-admin/src/main/webapp/scripts/views/permissions/ModulePermissionCreate.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/permissions/ModulePermissionCreate.js b/security-admin/src/main/webapp/scripts/views/permissions/ModulePermissionCreate.js
index 7981d34..3e03d80 100644
--- a/security-admin/src/main/webapp/scripts/views/permissions/ModulePermissionCreate.js
+++ b/security-admin/src/main/webapp/scripts/views/permissions/ModulePermissionCreate.js
@@ -145,7 +145,6 @@ define(function(require){
} ,
error : function(model,resp){
XAUtil.blockUI('unblock');
- console.log('error');
if(!_.isUndefined(resp.responseJSON) && !_.isUndefined(resp.responseJSON.msgDesc)){
XAUtil.notifyError('Error',resp.responseJSON.msgDesc);
}else
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/bc4ee643/security-admin/src/main/webapp/scripts/views/users/GroupCreate.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/users/GroupCreate.js b/security-admin/src/main/webapp/scripts/views/users/GroupCreate.js
index 40e6837..dca6b13 100644
--- a/security-admin/src/main/webapp/scripts/views/users/GroupCreate.js
+++ b/security-admin/src/main/webapp/scripts/views/users/GroupCreate.js
@@ -160,8 +160,7 @@ define(function(require){
else
XAUtil.notifyError('Error', response.responseJSON.msgDesc);
}else
- XAUtil.notifyError('Error', 'Error creating Policy!');
- console.log('error');
+ XAUtil.notifyError('Error', 'Error occurred while creating/updating group!');
}
});
},
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/bc4ee643/security-admin/src/main/webapp/scripts/views/users/UserCreate.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/users/UserCreate.js b/security-admin/src/main/webapp/scripts/views/users/UserCreate.js
index a37fd88..817831d 100644
--- a/security-admin/src/main/webapp/scripts/views/users/UserCreate.js
+++ b/security-admin/src/main/webapp/scripts/views/users/UserCreate.js
@@ -194,7 +194,6 @@ define(function(require){
} ,
error : function(model,resp){
XAUtil.blockUI('unblock');
- console.log('error');
if(!_.isUndefined(resp.responseJSON) && !_.isUndefined(resp.responseJSON.msgDesc)){
if(resp.responseJSON.msgDesc == "XUser already exists")
XAUtil.notifyError('Error',"User already exists.");
@@ -226,7 +225,6 @@ define(function(require){
XAUtil.notifyError('Error',resp.responseJSON.msgDesc);
}else
XAUtil.notifyError('Error', "Error occurred while creating/updating user.");
- console.log('error');
}
});
},
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/bc4ee643/unixauthservice/scripts/set_globals.sh
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/set_globals.sh b/unixauthservice/scripts/set_globals.sh
index c92dfdc..7774e48 100755
--- a/unixauthservice/scripts/set_globals.sh
+++ b/unixauthservice/scripts/set_globals.sh
@@ -21,6 +21,19 @@
#This will also create the ranger linux user and groups if required.
#This script needs to be run as root
+PROPFILE=$PWD/install.properties
+propertyValue=''
+
+if [ ! $? = "0" ];then
+ log "$PROPFILE file not found....!!";
+ exit 1;
+fi
+get_prop(){
+ validateProperty=$(sed '/^\#/d' $2 | grep "^$1\s*=" | tail -n 1) # for validation
+ if test -z "$validateProperty" ; then log "[E] '$1' not found in $2 file while getting....!!"; exit 1; fi
+ value=$(echo $validateProperty | cut -d "=" -f2-)
+ echo $value
+}
if [ ! -w /etc/passwd ]; then
echo "ERROR: Please run this script as root"
exit 1
@@ -43,8 +56,8 @@ log() {
}
#Create the ranger users and groups (if needed)
-unix_user=ranger
-unix_group=ranger
+unix_user=$(get_prop 'unix_user' $PROPFILE)
+unix_group=$(get_prop 'unix_group' $PROPFILE)
groupadd ${unix_group}
ret=$?
@@ -83,16 +96,16 @@ ln -sf /etc/ranger/usersync/conf conf
#Create the log folder
if [ ! -d /var/log/ranger/usersync ]; then
mkdir -p /var/log/ranger/usersync
- if [ -d logs ]; then
- cp -r logs/* /var/log/ranger/usersync
+ if [ -d ews/logs ]; then
+ cp -r ews/logs/* /var/log/ranger/usersync
fi
- chmod 755 /var/log/ranger/usersync
- chown -R $unix_user:$unix_group /var/log/ranger
fi
if [ -d /var/log/ranger/usersync ]; then
- chown -R $unix_user:$unix_group /var/log/ranger/usersync
+ chown -R $unix_user:$unix_group /var/log/ranger/usersync
+ chmod 755 /var/log/ranger/usersync
fi
+
mv -f logs logs.$curDt 2> /dev/null
ln -sf /var/log/ranger/usersync logs
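Review bot: L13534-L13535 change the copy source to `ews/logs`, but the later `mv -f logs logs.$curDt` on L13546 and the symlink on L13547 still use `logs`, so the directory copied from and the one rotated are now different paths; this looks like the admin script's `ews/logs` layout (L13079-L13080) carried over to usersync by mistake, but confirm against the usersync install layout. If `logs` is the right directory here, revert to `if [ -d logs ]; then cp -r logs/* /var/log/ranger/usersync`.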
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/bc4ee643/unixauthservice/scripts/setup.py
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/setup.py b/unixauthservice/scripts/setup.py
index 31c486e..b35a261 100755
--- a/unixauthservice/scripts/setup.py
+++ b/unixauthservice/scripts/setup.py
@@ -81,7 +81,7 @@ SYNC_INTERVAL_NEW_KEY = 'ranger.usersync.sleeptimeinmillisbetweensynccycle'
SYNC_SOURCE_UNIX = 'unix'
SYNC_SOURCE_LDAP = 'ldap'
SYNC_SOURCE_LIST = [ SYNC_SOURCE_UNIX, SYNC_SOURCE_LDAP ]
-
+SYNC_LDAP_BIND_PASSWORD_KEY = 'ranger.usersync.ldap.ldapbindpassword'
credUpdateClassName = 'org.apache.ranger.credentialapi.buildks'
#credUpdateClassName = 'com.hortonworks.credentialapi.buildks'
@@ -166,6 +166,17 @@ def updateProppertyInJCKSFile(jcksFileName,propName,value):
sys.exit(1)
return ret
+def password_validation(password, userType):
+ if password:
+ if re.search("[\\\`'\"]",password):
+ print "[E] "+userType+" proprty contains one of the unsupported special characters like \" ' \ `"
+ sys.exit(1)
+ else:
+ print "[I] "+userType+" proprty is verified."
+ else:
+ print "[E] Blank password is not allowed for proprty " +userType+ ",please enter valid password."
+ sys.exit(1)
+
def convertInstallPropsToXML(props):
directKeyMap = getPropertiesConfigMap(join(installTemplateDirName,install2xmlMapFileName))
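Review bot: The three messages on L13568, L13571 and L13573 misspell "property", and the function reports through bare Python 2 `print` statements that bypass any logging; since this is one of two near-identical copies of password_validation (the other at L12979-L12988), consider moving it to a shared module so the regex and the messages stay in sync. Fixing the spelling is a one-word change in each message, e.g. `print "[I] "+userType+" property is verified."`. The regex on L13567 has the same non-raw-string escape fragility noted for dba_script.py.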
@@ -190,6 +201,8 @@ def convertInstallPropsToXML(props):
# if (key.startswith("ranger.usersync.ldap") or key.startswith("ranger.usersync.group") or key.startswith("ranger.usersync.paged")):
# del ret[key]
elif (syncSource == SYNC_SOURCE_LDAP):
+ ldapPass=ret[SYNC_LDAP_BIND_PASSWORD_KEY]
+ password_validation(ldapPass, SYNC_LDAP_BIND_PASSWORD_KEY)
ret['ranger.usersync.source.impl.class'] = 'org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder'
if (SYNC_INTERVAL_NEW_KEY not in ret or len(str(ret[SYNC_INTERVAL_NEW_KEY])) == 0):
ret[SYNC_INTERVAL_NEW_KEY] = "3600000"
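Review bot: `ret[SYNC_LDAP_BIND_PASSWORD_KEY]` on L13582 raises KeyError with a traceback when the bind password key is absent from the properties, bypassing the blank-password message that password_validation produces on L13573. Use `ldapPass = ret.get(SYNC_LDAP_BIND_PASSWORD_KEY)` so a missing key is reported the same way as a blank password. convertInstallPropsToXML() starts outside the hunk.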
@@ -237,20 +250,18 @@ def initializeInitD(ownerName):
fn = join(installPropDirName,initdProgramName)
initdFn = join(initdDirName,initdProgramName)
shutil.copy(fn, initdFn)
- if (ownerName != 'ranger'):
- f = open(initdFn,'r')
- filedata = f.read()
- f.close()
- find_str = "LINUX_USER=ranger"
- replace_str = "LINUX_USER="+ ownerName
- newdata = filedata.replace(find_str,replace_str)
-
- f = open(initdFn,'w')
- f.write(newdata)
- f.close()
-
- os.chmod(initdFn,0550)
- rcDirList = [ "/etc/rc2.d", "/etc/rc3.d", "/etc/rc.d/rc2.d", "/etc/rc.d/rc3.d" ]
+ if (ownerName != 'ranger'):
+ f = open(initdFn,'r')
+ filedata = f.read()
+ f.close()
+ find_str = "LINUX_USER=ranger"
+ replace_str = "LINUX_USER="+ ownerName
+ newdata = filedata.replace(find_str,replace_str)
+ f = open(initdFn,'w')
+ f.write(newdata)
+ f.close()
+ os.chmod(initdFn,0550)
+ rcDirList = [ "/etc/rc2.d", "/etc/rc3.d", "/etc/rc.d/rc2.d", "/etc/rc.d/rc3.d" ]
for rcDir in rcDirList:
if (os.path.isdir(rcDir)):
for prefix in initPrefixList:
@@ -258,14 +269,13 @@ def initializeInitD(ownerName):
scriptName = join(rcDir, scriptFn)
if isfile(scriptName):
os.remove(scriptName)
- #print "+ ln -sf %s %s" % (initdFn, scriptName)
os.symlink(initdFn,scriptName)
- userSyncScriptName = "ranger-usersync-services.sh"
- localScriptName = os.path.abspath(join(installPropDirName,userSyncScriptName))
- ubinScriptName = join("/usr/bin",initdProgramName)
- if isfile(ubinScriptName):
- os.remove(ubinScriptName)
- os.symlink(localScriptName,ubinScriptName)
+ userSyncScriptName = "ranger-usersync-services.sh"
+ localScriptName = os.path.abspath(join(installPropDirName,userSyncScriptName))
+ ubinScriptName = join("/usr/bin",initdProgramName)
+ if isfile(ubinScriptName):
+ os.remove(ubinScriptName)
+ os.symlink(localScriptName,ubinScriptName)
def createJavaKeystoreForSSL(fn,passwd):
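Review bot: The `isfile(ubinScriptName)` guard before `os.symlink(localScriptName,ubinScriptName)` does not catch a dangling symlink, which `os.path.isfile` reports as absent (it follows the link); `os.symlink` then fails with EEXIST, so a reinstall after, for example, the previous install directory was removed aborts here. The `isfile(scriptName)` check on the rc.d links a few lines earlier has the same gap. Use `if os.path.lexists(ubinScriptName): os.remove(ubinScriptName)` (and likewise for `scriptName`) so any existing entry, including a stale link, is replaced. The body of `initializeInitD` begins outside this hunk.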
[06/33] incubator-ranger git commit: RANGER-573: Updated doc for the
ranger site
Posted by ma...@apache.org.
RANGER-573: Updated doc for the ranger site
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/5ea63954
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/5ea63954
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/5ea63954
Branch: refs/heads/tag-policy
Commit: 5ea6395470f958fd2a571521f19d50de353e0612
Parents: fe44eb0
Author: sneethiraj <sn...@apache.org>
Authored: Tue Sep 29 11:11:04 2015 -0400
Committer: sneethiraj <sn...@apache.org>
Committed: Tue Sep 29 11:11:04 2015 -0400
----------------------------------------------------------------------
docs/pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/5ea63954/docs/pom.xml
----------------------------------------------------------------------
diff --git a/docs/pom.xml b/docs/pom.xml
index d6781f5..2b43ee6 100644
--- a/docs/pom.xml
+++ b/docs/pom.xml
@@ -140,7 +140,7 @@
<role>Committer</role>
</roles>
<organization>
- Hortonworks
+ BlueTalon
</organization>
</developer>
<developer>
[17/33] incubator-ranger git commit: RANGER-671 : Add support to
retrieve permissions for the logged in user from UserSession rather going to
database every time
Posted by ma...@apache.org.
RANGER-671 : Add support to retrieve permissions for the logged in user from UserSession rather than going to the database every time
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/140f7efb
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/140f7efb
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/140f7efb
Branch: refs/heads/tag-policy
Commit: 140f7efb8ad202105bb23aa16469a961004b0c4f
Parents: 4b2fd94
Author: Gautam Borad <gb...@gmail.com>
Authored: Thu Oct 8 12:14:35 2015 +0530
Committer: Gautam Borad <gb...@gmail.com>
Committed: Thu Oct 8 12:14:35 2015 +0530
----------------------------------------------------------------------
.../java/org/apache/ranger/biz/SessionMgr.java | 102 ++++++
.../java/org/apache/ranger/biz/XUserMgr.java | 335 +++++++++----------
.../apache/ranger/common/UserSessionBase.java | 63 +++-
.../apache/ranger/db/XXGroupPermissionDao.java | 16 +-
.../org/apache/ranger/db/XXGroupUserDao.java | 11 +
.../org/apache/ranger/db/XXModuleDefDao.java | 10 -
.../apache/ranger/db/XXUserPermissionDao.java | 9 +-
.../patch/PatchPersmissionModel_J10003.java | 22 +-
.../java/org/apache/ranger/rest/XUserREST.java | 9 +
.../context/RangerPreAuthSecurityHandler.java | 25 +-
.../listener/RangerHttpSessionListener.java | 48 +++
.../ranger/service/XGroupPermissionService.java | 13 +-
.../ranger/service/XUserPermissionService.java | 20 +-
.../resources/META-INF/jpa_named_queries.xml | 12 +-
.../org/apache/ranger/biz/TestXUserMgr.java | 51 ++-
15 files changed, 503 insertions(+), 243 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/140f7efb/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
index ccb1855..adae1d6 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
@@ -21,10 +21,17 @@
import java.util.ArrayList;
import java.util.Calendar;
+import java.util.HashSet;
import java.util.List;
+import java.util.Set;
+import java.util.concurrent.CopyOnWriteArrayList;
+import java.util.concurrent.CopyOnWriteArraySet;
import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.lang.time.DateUtils;
import org.apache.log4j.Logger;
import org.apache.ranger.common.DateUtil;
import org.apache.ranger.common.HTTPUtil;
@@ -39,8 +46,11 @@ import org.apache.ranger.db.RangerDaoManager;
import org.apache.ranger.entity.XXAuthSession;
import org.apache.ranger.entity.XXPortalUser;
import org.apache.ranger.entity.XXPortalUserRole;
+import org.apache.ranger.entity.XXUser;
import org.apache.ranger.security.context.RangerContextHolder;
import org.apache.ranger.security.context.RangerSecurityContext;
+import org.apache.ranger.security.listener.RangerHttpSessionListener;
+import org.apache.ranger.security.web.filter.RangerSecurityContextFormationFilter;
import org.apache.ranger.service.AuthSessionService;
import org.apache.ranger.util.RestUtil;
import org.apache.ranger.view.VXAuthSession;
@@ -79,6 +89,8 @@ public class SessionMgr {
logger.debug("SessionManager created");
}
+ private static final Long SESSION_UPDATE_INTERVAL_IN_MILLIS = 30 * DateUtils.MILLIS_PER_MINUTE;
+
public UserSessionBase processSuccessLogin(int authType, String userAgent) {
return processSuccessLogin(authType, userAgent, null);
}
@@ -135,7 +147,10 @@ public class SessionMgr {
userSession = new UserSessionBase();
userSession.setXXPortalUser(gjUser);
userSession.setXXAuthSession(gjAuthSession);
+
resetUserSessionForProfiles(userSession);
+ resetUserModulePermission(userSession);
+
Calendar cal = Calendar.getInstance();
if (details != null) {
logger.info("Login Success: loginId=" + currentLoginId
@@ -155,6 +170,28 @@ public class SessionMgr {
return userSession;
}
+ public void resetUserModulePermission(UserSessionBase userSession) {
+
+ XXUser xUser = daoManager.getXXUser().findByUserName(userSession.getLoginId());
+ if (xUser != null) {
+ List<String> permissionList = daoManager.getXXModuleDef().findAccessibleModulesByUserId(userSession.getUserId(), xUser.getId());
+ CopyOnWriteArraySet<String> userPermissions = new CopyOnWriteArraySet<String>(permissionList);
+
+ UserSessionBase.RangerUserPermission rangerUserPermission = userSession.getRangerUserPermission();
+
+ if (rangerUserPermission == null) {
+ rangerUserPermission = new UserSessionBase.RangerUserPermission();
+ }
+
+ rangerUserPermission.setUserPermissions(userPermissions);
+ rangerUserPermission.setLastUpdatedTime(Calendar.getInstance().getTimeInMillis());
+ userSession.setRangerUserPermission(rangerUserPermission);
+ logger.info("UserSession Updated to set new Permissions to User: " + userSession.getLoginId());
+ } else {
+ logger.error("No XUser found with username: " + userSession.getLoginId() + "So Permission is not set for the user");
+ }
+ }
+
public void resetUserSessionForProfiles(UserSessionBase userSession) {
if (userSession == null) {
// Nothing to reset
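Review bot: When `findByUserName` returns no `XXUser`, `resetUserModulePermission` leaves whatever `rangerUserPermission` the session already holds, so a session keeps its previously cached module permissions after the backing x_user row disappears; a session that never had one keeps `lastUpdatedTime` null and, via `refreshPermissionsIfNeeded`, repeats the lookup on every request. Fail closed in the `else` branch by installing an empty permission set (leaving the timestamp null keeps the retry, which is presumably wanted if the x_user row is created shortly after the portal user). The error message also runs the login id straight into the next sentence (`... + userSession.getLoginId() + "So Permission ..."`); insert `". "`.
```java
} else {
    logger.error("No XUser found with username: " + userSession.getLoginId() + ". Permissions cleared for this session");
    UserSessionBase.RangerUserPermission cleared = new UserSessionBase.RangerUserPermission();
    cleared.setUserPermissions(new CopyOnWriteArraySet<String>());
    userSession.setRangerUserPermission(cleared);
}
```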
@@ -274,6 +311,7 @@ public class SessionMgr {
RangerContextHolder.setSecurityContext(context);
resetUserSessionForProfiles(userSession);
+ resetUserModulePermission(userSession);
return userSession;
}
@@ -351,4 +389,68 @@ public class SessionMgr {
}
+ public CopyOnWriteArrayList<UserSessionBase> getActiveSessionsOnServer() {
+
+ CopyOnWriteArrayList<HttpSession> activeHttpUserSessions = RangerHttpSessionListener.getActiveSessionOnServer();
+ CopyOnWriteArrayList<UserSessionBase> activeRangerUserSessions = new CopyOnWriteArrayList<UserSessionBase>();
+
+ if (CollectionUtils.isEmpty(activeHttpUserSessions)) {
+ return activeRangerUserSessions;
+ }
+
+ for (HttpSession httpSession : activeHttpUserSessions) {
+
+ if (httpSession.getAttribute(RangerSecurityContextFormationFilter.AKA_SC_SESSION_KEY) == null) {
+ continue;
+ }
+
+ RangerSecurityContext securityContext = (RangerSecurityContext) httpSession.getAttribute(RangerSecurityContextFormationFilter.AKA_SC_SESSION_KEY);
+ if (securityContext.getUserSession() != null) {
+ activeRangerUserSessions.add(securityContext.getUserSession());
+ }
+ }
+
+ return activeRangerUserSessions;
+ }
+
+ public Set<UserSessionBase> getActiveUserSessionsForPortalUserId(Long portalUserId) {
+ CopyOnWriteArrayList<UserSessionBase> activeSessions = getActiveSessionsOnServer();
+
+ if (CollectionUtils.isEmpty(activeSessions)) {
+ return null;
+ }
+
+ Set<UserSessionBase> activeUserSessions = new HashSet<UserSessionBase>();
+ for (UserSessionBase session : activeSessions) {
+ if (session.getUserId().equals(portalUserId)) {
+ activeUserSessions.add(session);
+ }
+ }
+ if (logger.isDebugEnabled()) {
+ logger.debug("No Session Found with portalUserId: " + portalUserId);
+ }
+ return activeUserSessions;
+ }
+
+ public Set<UserSessionBase> getActiveUserSessionsForXUserId(Long xUserId) {
+ XXPortalUser portalUser = daoManager.getXXPortalUser().findByXUserId(xUserId);
+ if (portalUser != null) {
+ return getActiveUserSessionsForPortalUserId(portalUser.getId());
+ } else {
+ if (logger.isDebugEnabled()) {
+ logger.debug("Could not find corresponding portalUser for xUserId" + xUserId);
+ }
+ return null;
+ }
+ }
+
+ public synchronized void refreshPermissionsIfNeeded(UserSessionBase userSession) {
+ if (userSession != null) {
+ Long lastUpdatedTime = (userSession.getRangerUserPermission() != null) ? userSession.getRangerUserPermission().getLastUpdatedTime() : null;
+ if (lastUpdatedTime == null || (Calendar.getInstance().getTimeInMillis() - lastUpdatedTime) > SESSION_UPDATE_INTERVAL_IN_MILLIS) {
+ this.resetUserModulePermission(userSession);
+ }
+ }
+ }
+
}
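Review bot: `httpSession.getAttribute(...)` in `getActiveSessionsOnServer` throws `IllegalStateException` for a session that has been invalidated but not yet removed from `RangerHttpSessionListener`'s list, and one such entry aborts the whole scan and with it the permission push from `XUserMgr`; guard each iteration, e.g. `Object sc; try { sc = httpSession.getAttribute(RangerSecurityContextFormationFilter.AKA_SC_SESSION_KEY); } catch (IllegalStateException expired) { continue; }`. In `getActiveUserSessionsForPortalUserId` the "No Session Found" debug line is logged unconditionally, and `session.getUserId()` can be null when no portal user is attached (see `getUserId` in `UserSessionBase`), so compare with `portalUserId.equals(session.getUserId())` and move the log under an `isEmpty()` check. Because the list is per JVM, a permission change made on one admin node is presumably not pushed to sessions on another node and only takes effect there after `SESSION_UPDATE_INTERVAL_IN_MILLIS` (30 minutes); if HA deployments are supported, that revocation delay deserves a comment on the constant: `// per-server cache; other nodes see permission changes only after this interval`.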
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/140f7efb/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
index 41bc6f8..5f43bc0 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
@@ -52,6 +52,7 @@ import org.apache.ranger.db.RangerDaoManager;
import org.apache.ranger.db.XXGroupUserDao;
import org.apache.ranger.entity.XXAuditMap;
import org.apache.ranger.entity.XXGroup;
+import org.apache.ranger.entity.XXGroupUser;
import org.apache.ranger.entity.XXPermMap;
import org.apache.ranger.entity.XXPortalUser;
import org.apache.ranger.entity.XXResource;
@@ -115,6 +116,9 @@ public class XUserMgr extends XUserMgrBase {
@Autowired
XResourceService xResourceService;
+ @Autowired
+ SessionMgr sessionMgr;
+
static final Logger logger = Logger.getLogger(XUserMgr.class);
public void deleteXGroup(Long id, boolean force) {
@@ -227,101 +231,64 @@ public class XUserMgr extends XUserMgrBase {
return createdXUser;
}
- // Assigning Permission
- public void assignPermissionToUser(VXPortalUser vXPortalUser,
- boolean isCreate) {
- HashMap<String, Long> moduleNameId = getModelNames();
+ public void assignPermissionToUser(VXPortalUser vXPortalUser, boolean isCreate) {
+ HashMap<String, Long> moduleNameId = getAllModuleNameAndIdMap();
for (String role : vXPortalUser.getUserRoleList()) {
if (role.equals(RangerConstants.ROLE_USER)) {
- insertMappingUserPermisson(vXPortalUser.getId(),
- moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES),
- isCreate);
- insertMappingUserPermisson(
- vXPortalUser.getId(),
- moduleNameId.get(RangerConstants.MODULE_REPORTS),
- isCreate);
+ createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), isCreate);
+ createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_REPORTS), isCreate);
} else if (role.equals(RangerConstants.ROLE_SYS_ADMIN)) {
- insertMappingUserPermisson(vXPortalUser.getId(),
- moduleNameId.get(RangerConstants.MODULE_REPORTS),
- isCreate);
- insertMappingUserPermisson(
- vXPortalUser.getId(),
- moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES),
- isCreate);
- insertMappingUserPermisson(vXPortalUser.getId(),
- moduleNameId.get(RangerConstants.MODULE_AUDIT),
- isCreate);
- /*insertMappingUserPermisson(vXPortalUser.getId(),
- moduleNameId.get(RangerConstants.MODULE_KMS),
- isCreate);*/
- /*insertMappingUserPermisson(vXPortalUser.getId(),
- moduleNameId.get(RangerConstants.MODULE_PERMISSION),
- isCreate);*/
- insertMappingUserPermisson(vXPortalUser.getId(),
- moduleNameId.get(RangerConstants.MODULE_USER_GROUPS),
- isCreate);
+ createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_REPORTS), isCreate);
+ createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), isCreate);
+ createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_AUDIT), isCreate);
+ createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_USER_GROUPS), isCreate);
} else if (role.equals(RangerConstants.ROLE_KEY_ADMIN)) {
- insertMappingUserPermisson(vXPortalUser.getId(),
- moduleNameId.get(RangerConstants.MODULE_KEY_MANAGER), isCreate);
- insertMappingUserPermisson(vXPortalUser.getId(),
- moduleNameId.get(RangerConstants.MODULE_REPORTS),
- isCreate);
- insertMappingUserPermisson(
- vXPortalUser.getId(),
- moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES),
- isCreate);
+
+ createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_KEY_MANAGER), isCreate);
+ createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_REPORTS), isCreate);
+ createOrUpdateUserPermisson(vXPortalUser.getId(), moduleNameId.get(RangerConstants.MODULE_RESOURCE_BASED_POLICIES), isCreate);
}
}
}
- // Insert or Updating Mapping permissons depending upon roles
- private void insertMappingUserPermisson(Long userId, Long moduleId,
- boolean isCreate) {
- VXUserPermission vXuserPermission;
- List<XXUserPermission> xuserPermissionList = daoManager
- .getXXUserPermission()
- .findByModuleIdAndUserId(userId, moduleId);
- if (xuserPermissionList == null || xuserPermissionList.isEmpty()) {
- vXuserPermission = new VXUserPermission();
- vXuserPermission.setUserId(userId);
- vXuserPermission.setIsAllowed(RangerCommonEnums.IS_ALLOWED);
- vXuserPermission.setModuleId(moduleId);
+ // Insert or Updating Mapping permissions depending upon roles
+ private void createOrUpdateUserPermisson(Long portalUserId, Long moduleId, boolean isCreate) {
+ VXUserPermission vXUserPermission;
+ XXUserPermission xUserPermission = daoManager.getXXUserPermission().findByModuleIdAndUserId(portalUserId, moduleId);
+ if (xUserPermission == null) {
+ vXUserPermission = new VXUserPermission();
+ vXUserPermission.setUserId(portalUserId);
+ vXUserPermission.setIsAllowed(RangerCommonEnums.IS_ALLOWED);
+ vXUserPermission.setModuleId(moduleId);
try {
- xUserPermissionService.createResource(vXuserPermission);
+ vXUserPermission = this.createXUserPermission(vXUserPermission);
+ logger.info("Permission assigned to user: [" + vXUserPermission.getUserName() + "] For Module: [" + vXUserPermission.getModuleName() + "]");
} catch (Exception e) {
- logger.error(e);
+ logger.error("Error while assigning permission to user: [" + portalUserId + "] for module: [" + moduleId + "]", e);
}
} else if (isCreate) {
- for (XXUserPermission xUserPermission : xuserPermissionList) {
- vXuserPermission = xUserPermissionService
- .populateViewBean(xUserPermission);
- vXuserPermission.setIsAllowed(RangerCommonEnums.IS_ALLOWED);
- xUserPermissionService.updateResource(vXuserPermission);
- }
+ vXUserPermission = xUserPermissionService.populateViewBean(xUserPermission);
+ vXUserPermission.setIsAllowed(RangerCommonEnums.IS_ALLOWED);
+ vXUserPermission = this.updateXUserPermission(vXUserPermission);
+ logger.info("Permission Updated for user: [" + vXUserPermission.getUserName() + "] For Module: [" + vXUserPermission.getModuleName() + "]");
}
-
}
- public HashMap<String, Long> getModelNames() {
- List<XXModuleDef> xxModuleDefs = daoManager.getXXModuleDef()
- .findModuleNamesWithIds();
- if (xxModuleDefs.isEmpty() || xxModuleDefs != null) {
- HashMap<String, Long> moduleNameId = new HashMap<String, Long>();
- try {
+ public HashMap<String, Long> getAllModuleNameAndIdMap() {
- for (XXModuleDef xxModuleDef : xxModuleDefs) {
- moduleNameId.put(xxModuleDef.getModule(),
- xxModuleDef.getId());
- }
- return moduleNameId;
- } catch (Exception e) {
- logger.error(e);
+ List<XXModuleDef> xXModuleDefs = daoManager.getXXModuleDef().getAll();
+
+ if (!CollectionUtils.isEmpty(xXModuleDefs)) {
+ HashMap<String, Long> moduleNameAndIdMap = new HashMap<String, Long>();
+ for (XXModuleDef xXModuleDef : xXModuleDefs) {
+ moduleNameAndIdMap.put(xXModuleDef.getModule(), xXModuleDef.getId());
}
+ return moduleNameAndIdMap;
}
return null;
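Review bot: `getAllModuleNameAndIdMap` returns null when `getAll()` yields nothing, and `assignPermissionToUser` calls `moduleNameId.get(...)` on the result without a check, so a portal with no module definitions fails with a NullPointerException during user creation instead of a clear error. A module name missing from the map likewise produces a null `moduleId` that `createOrUpdateUserPermisson` passes to the DAO and then, if the lookup comes back null, tries to persist. Return `new HashMap<String, Long>()` instead of null, and reject a null module up front in `createOrUpdateUserPermisson`: `if (moduleId == null) { logger.error("No module definition found while assigning permissions to portalUserId=" + portalUserId); return; }`. The `catch (Exception e)` around `createXUserPermission` only logs, so a user can be created without the permissions their role implies; that is fail-closed, but the caller has no way to notice.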
@@ -795,50 +762,15 @@ public class XUserMgr extends XUserMgrBase {
}
}
- /*public void checkPermissionRoleByGivenUrls(String enteredURL, String method) {
- Long currentUserId = ContextUtil.getCurrentUserId();
- List<String> notPermittedUrls = daoManager.getXXModuleDef()
- .findModuleURLOfPemittedModules(currentUserId);
- if (notPermittedUrls != null) {
- List<XXPortalUserRole> xPortalUserRoles = daoManager
- .getXXPortalUserRole().findByUserId(currentUserId);
- for (XXPortalUserRole xPortalUserRole : xPortalUserRoles) {
- if (xPortalUserRole.getUserRole().equalsIgnoreCase(
- RangerConstants.ROLE_USER)) {
- notPermittedUrls.add("/permission");
- notPermittedUrls.add("/kms");
- }
- }
- boolean flag = false;
- for (String notPermittedUrl : notPermittedUrls) {
- if (enteredURL.toLowerCase().contains(
- notPermittedUrl.toLowerCase()))
- flag = true;
- }
- if (flag) {
- throw restErrorUtil.create403RESTException("Access Denied");
- }
- }
- boolean flag = false;
- List<XXPortalUserRole> xPortalUserRoles = daoManager
- .getXXPortalUserRole().findByUserId(currentUserId);
- for (XXPortalUserRole xPortalUserRole : xPortalUserRoles) {
- if (xPortalUserRole.getUserRole().equalsIgnoreCase(
- RangerConstants.ROLE_USER)
- && enteredURL.contains("/permission")
- && !enteredURL.contains("/templates")) {
- flag = true;
- }
- }
- if (flag) {
- throw restErrorUtil.create403RESTException("Access Denied");
- }
-
- }*/
-
// Module permissions
public VXModuleDef createXModuleDefPermission(VXModuleDef vXModuleDef) {
- checkAdminAccess();
+
+ XXModuleDef xModDef = daoManager.getXXModuleDef().findByModuleName(vXModuleDef.getModule());
+
+ if (xModDef != null) {
+ throw restErrorUtil.createRESTException("Module Def with same name already exists.", MessageEnums.ERROR_DUPLICATE_OBJECT);
+ }
+
return xModuleDefService.createResource(vXModuleDef);
}
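Review bot: `createXModuleDefPermission` no longer calls `checkAdminAccess()`, and the later hunks drop it from `updateXModuleDefPermission`, `deleteXModuleDefPermission` and all six user/group permission create/update/delete methods, which leaves no authorization check in this layer for granting module permissions. The diffstat lists `RangerPreAuthSecurityHandler` and `XUserREST` changes, so the check has presumably moved to the REST layer; please confirm every REST entry point into these methods is covered, since otherwise any authenticated user could create a permission row for their own portal user id and have it pushed into their live session by `sessionMgr.resetUserModulePermission`. The `findByModuleName` lookup before `createResource` is also check-then-act, so two concurrent creates can both pass it; only a unique constraint on the module name reliably prevents duplicates. A comment above the method, `// authorization is enforced at the REST layer (XUserREST); callers must not expose this to unauthenticated paths`, would record the new contract.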
@@ -847,36 +779,28 @@ public class XUserMgr extends XUserMgrBase {
}
public VXModuleDef updateXModuleDefPermission(VXModuleDef vXModuleDef) {
- checkAdminAccess();
- List<VXGroupPermission> groupPermListNew = vXModuleDef
- .getGroupPermList();
+
+ List<VXGroupPermission> groupPermListNew = vXModuleDef.getGroupPermList();
List<VXUserPermission> userPermListNew = vXModuleDef.getUserPermList();
List<VXGroupPermission> groupPermListOld = new ArrayList<VXGroupPermission>();
List<VXUserPermission> userPermListOld = new ArrayList<VXUserPermission>();
- XXModuleDef xModuleDef = daoManager.getXXModuleDef().getById(
- vXModuleDef.getId());
- VXModuleDef vModuleDefPopulateOld = xModuleDefService
- .populateViewBean(xModuleDef);
- List<XXGroupPermission> xgroupPermissionList = daoManager
- .getXXGroupPermission().findByModuleId(vXModuleDef.getId(),
- true);
+ XXModuleDef xModuleDef = daoManager.getXXModuleDef().getById(vXModuleDef.getId());
+ VXModuleDef vModuleDefPopulateOld = xModuleDefService.populateViewBean(xModuleDef);
+
+ List<XXGroupPermission> xgroupPermissionList = daoManager.getXXGroupPermission().findByModuleId(vXModuleDef.getId(), true);
for (XXGroupPermission xGrpPerm : xgroupPermissionList) {
- VXGroupPermission vXGrpPerm = xGroupPermissionService
- .populateViewBean(xGrpPerm);
+ VXGroupPermission vXGrpPerm = xGroupPermissionService.populateViewBean(xGrpPerm);
groupPermListOld.add(vXGrpPerm);
}
vModuleDefPopulateOld.setGroupPermList(groupPermListOld);
- List<XXUserPermission> xuserPermissionList = daoManager
- .getXXUserPermission()
- .findByModuleId(vXModuleDef.getId(), true);
+ List<XXUserPermission> xuserPermissionList = daoManager.getXXUserPermission().findByModuleId(vXModuleDef.getId(), true);
for (XXUserPermission xUserPerm : xuserPermissionList) {
- VXUserPermission vUserPerm = xUserPermissionService
- .populateViewBean(xUserPerm);
+ VXUserPermission vUserPerm = xUserPermissionService.populateViewBean(xUserPerm);
userPermListOld.add(vUserPerm);
}
vModuleDefPopulateOld.setUserPermList(userPermListOld);
@@ -887,20 +811,16 @@ public class XUserMgr extends XUserMgrBase {
boolean isExist = false;
for (VXGroupPermission oldVXGroupPerm : groupPermListOld) {
- if (newVXGroupPerm.getModuleId().equals(
- oldVXGroupPerm.getModuleId())
- && newVXGroupPerm.getGroupId().equals(
- oldVXGroupPerm.getGroupId())) {
- oldVXGroupPerm.setIsAllowed(newVXGroupPerm
- .getIsAllowed());
- oldVXGroupPerm = xGroupPermissionService
- .updateResource(oldVXGroupPerm);
+ if (newVXGroupPerm.getModuleId().equals(oldVXGroupPerm.getModuleId()) && newVXGroupPerm.getGroupId().equals(oldVXGroupPerm.getGroupId())) {
+ if (newVXGroupPerm.getIsAllowed() != oldVXGroupPerm.getIsAllowed()) {
+ oldVXGroupPerm.setIsAllowed(newVXGroupPerm.getIsAllowed());
+ oldVXGroupPerm = this.updateXGroupPermission(oldVXGroupPerm);
+ }
isExist = true;
}
}
if (!isExist) {
- newVXGroupPerm = xGroupPermissionService
- .createResource(newVXGroupPerm);
+ newVXGroupPerm = this.createXGroupPermission(newVXGroupPerm);
}
}
}
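Review bot: `newVXGroupPerm.getIsAllowed() != oldVXGroupPerm.getIsAllowed()` compares by reference if `getIsAllowed()` returns a boxed `Integer`, which `setIsAllowed(RangerCommonEnums.IS_ALLOWED)` elsewhere in this file suggests; it works today only because the JVM caches small Integer values, and a value outside that range would be treated as changed (or unchanged) by identity alone. Write it as `if (!newVXGroupPerm.getIsAllowed().equals(oldVXGroupPerm.getIsAllowed())) {`, or null-safe if `isAllowed` may be unset in the request. The enclosing loop and `updateXModuleDefPermission` begin outside this hunk.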
@@ -910,74 +830,143 @@ public class XUserMgr extends XUserMgrBase {
boolean isExist = false;
for (VXUserPermission oldVXUserPerm : userPermListOld) {
- if (newVXUserPerm.getModuleId().equals(
- oldVXUserPerm.getModuleId())
- && newVXUserPerm.getUserId().equals(
- oldVXUserPerm.getUserId())) {
- oldVXUserPerm
- .setIsAllowed(newVXUserPerm.getIsAllowed());
- oldVXUserPerm = xUserPermissionService
- .updateResource(oldVXUserPerm);
+ if (newVXUserPerm.getModuleId().equals(oldVXUserPerm.getModuleId()) && newVXUserPerm.getUserId().equals(oldVXUserPerm.getUserId())) {
+ if (newVXUserPerm.getIsAllowed() != oldVXUserPerm.getIsAllowed()) {
+ oldVXUserPerm.setIsAllowed(newVXUserPerm.getIsAllowed());
+ oldVXUserPerm = this.updateXUserPermission(oldVXUserPerm);
+ }
isExist = true;
}
}
if (!isExist) {
- newVXUserPerm = xUserPermissionService
- .createResource(newVXUserPerm);
-
+ newVXUserPerm = this.createXUserPermission(newVXUserPerm);
}
}
}
- return xModuleDefService.updateResource(vXModuleDef);
+ vXModuleDef = xModuleDefService.updateResource(vXModuleDef);
+
+ return vXModuleDef;
}
public void deleteXModuleDefPermission(Long id, boolean force) {
- checkAdminAccess();
xModuleDefService.deleteResource(id);
}
// User permission
- public VXUserPermission createXUserPermission(
- VXUserPermission vXUserPermission) {
- checkAdminAccess();
- return xUserPermissionService.createResource(vXUserPermission);
+ public VXUserPermission createXUserPermission(VXUserPermission vXUserPermission) {
+
+ vXUserPermission = xUserPermissionService.createResource(vXUserPermission);
+
+ Set<UserSessionBase> userSessions = sessionMgr.getActiveUserSessionsForPortalUserId(vXUserPermission.getUserId());
+ if (!CollectionUtils.isEmpty(userSessions)) {
+ for (UserSessionBase userSession : userSessions) {
+ logger.info("Assigning permission to user who's found logged in into system, so updating permission in session of that user: [" + vXUserPermission.getUserName()
+ + "]");
+ sessionMgr.resetUserModulePermission(userSession);
+ }
+ }
+
+ return vXUserPermission;
}
public VXUserPermission getXUserPermission(Long id) {
return xUserPermissionService.readResource(id);
}
- public VXUserPermission updateXUserPermission(
- VXUserPermission vXUserPermission) {
- checkAdminAccess();
- return xUserPermissionService.updateResource(vXUserPermission);
+ public VXUserPermission updateXUserPermission(VXUserPermission vXUserPermission) {
+
+ vXUserPermission = xUserPermissionService.updateResource(vXUserPermission);
+
+ Set<UserSessionBase> userSessions = sessionMgr.getActiveUserSessionsForPortalUserId(vXUserPermission.getUserId());
+ if (!CollectionUtils.isEmpty(userSessions)) {
+ for (UserSessionBase userSession : userSessions) {
+ logger.info("Updating permission of user who's found logged in into system, so updating permission in session of user: [" + vXUserPermission.getUserName() + "]");
+ sessionMgr.resetUserModulePermission(userSession);
+ }
+ }
+
+ return vXUserPermission;
}
public void deleteXUserPermission(Long id, boolean force) {
- checkAdminAccess();
+
+ XXUserPermission xUserPermission = daoManager.getXXUserPermission().getById(id);
+ if (xUserPermission == null) {
+ throw restErrorUtil.createRESTException("No UserPermission found to delete, ID: " + id, MessageEnums.DATA_NOT_FOUND);
+ }
+
xUserPermissionService.deleteResource(id);
+
+ Set<UserSessionBase> userSessions = sessionMgr.getActiveUserSessionsForPortalUserId(xUserPermission.getUserId());
+ if (!CollectionUtils.isEmpty(userSessions)) {
+ for (UserSessionBase userSession : userSessions) {
+ logger.info("deleting permission of user who's found logged in into system, so updating permission in session of that user");
+ sessionMgr.resetUserModulePermission(userSession);
+ }
+ }
}
// Group permission
- public VXGroupPermission createXGroupPermission(
- VXGroupPermission vXGroupPermission) {
- checkAdminAccess();
- return xGroupPermissionService.createResource(vXGroupPermission);
+ public VXGroupPermission createXGroupPermission(VXGroupPermission vXGroupPermission) {
+
+ vXGroupPermission = xGroupPermissionService.createResource(vXGroupPermission);
+
+ List<XXGroupUser> grpUsers = daoManager.getXXGroupUser().findByGroupId(vXGroupPermission.getGroupId());
+ for (XXGroupUser xGrpUser : grpUsers) {
+ Set<UserSessionBase> userSessions = sessionMgr.getActiveUserSessionsForXUserId(xGrpUser.getUserId());
+ if (!CollectionUtils.isEmpty(userSessions)) {
+ for (UserSessionBase userSession : userSessions) {
+ logger.info("Assigning permission to group, one of the user belongs to that group found logged in into system, so updating permission in session of that user");
+ sessionMgr.resetUserModulePermission(userSession);
+ }
+ }
+ }
+
+ return vXGroupPermission;
}
public VXGroupPermission getXGroupPermission(Long id) {
return xGroupPermissionService.readResource(id);
}
- public VXGroupPermission updateXGroupPermission(
- VXGroupPermission vXGroupPermission) {
- checkAdminAccess();
- return xGroupPermissionService.updateResource(vXGroupPermission);
+ public VXGroupPermission updateXGroupPermission(VXGroupPermission vXGroupPermission) {
+
+ vXGroupPermission = xGroupPermissionService.updateResource(vXGroupPermission);
+
+ List<XXGroupUser> grpUsers = daoManager.getXXGroupUser().findByGroupId(vXGroupPermission.getGroupId());
+ for (XXGroupUser xGrpUser : grpUsers) {
+ Set<UserSessionBase> userSessions = sessionMgr.getActiveUserSessionsForXUserId(xGrpUser.getUserId());
+ if (!CollectionUtils.isEmpty(userSessions)) {
+ for (UserSessionBase userSession : userSessions) {
+ logger.info("Assigning permission to group whose one of the user found logged in into system, so updating permission in session of that user");
+ sessionMgr.resetUserModulePermission(userSession);
+ }
+ }
+ }
+
+ return vXGroupPermission;
}
public void deleteXGroupPermission(Long id, boolean force) {
- checkAdminAccess();
+
+ XXGroupPermission xGrpPerm = daoManager.getXXGroupPermission().getById(id);
+
+ if (xGrpPerm == null) {
+ throw restErrorUtil.createRESTException("No GroupPermission object with ID: [" + id + "found.", MessageEnums.DATA_NOT_FOUND);
+ }
+
xGroupPermissionService.deleteResource(id);
+
+ List<XXGroupUser> grpUsers = daoManager.getXXGroupUser().findByGroupId(xGrpPerm.getGroupId());
+ for (XXGroupUser xGrpUser : grpUsers) {
+ Set<UserSessionBase> userSessions = sessionMgr.getActiveUserSessionsForXUserId(xGrpUser.getUserId());
+ if (!CollectionUtils.isEmpty(userSessions)) {
+ for (UserSessionBase userSession : userSessions) {
+ logger.info("deleting permission of the group whose one of the user found logged in into system, so updating permission in session of that user");
+ sessionMgr.resetUserModulePermission(userSession);
+ }
+ }
+ }
}
public void modifyUserActiveStatus(HashMap<Long, Integer> statusMap) {
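Review bot: `createXGroupPermission`, `updateXGroupPermission` and `deleteXGroupPermission` each call `findByGroupId` and then, per member, `getActiveUserSessionsForXUserId`, which runs `findByXUserId` and scans every server session; for a large group one permission change costs one query per member plus members × sessions comparisons. Resolve the members' portal user ids in one query and iterate `sessionMgr.getActiveSessionsOnServer()` once, filtering by a `Set<Long>` of those ids, so the cost becomes one query plus one pass over the sessions. The error text in `deleteXGroupPermission` is also missing its closing bracket: `"No GroupPermission object with ID: [" + id + "] found."`. Whether `deleteXModuleDefPermission` cascades to the module's user/group permission rows is not visible here; if it does not, cached session permissions for that module survive until the next refresh.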
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/140f7efb/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java b/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
index 37b2049..59e55f3 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
@@ -22,6 +22,7 @@
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
+import java.util.concurrent.CopyOnWriteArraySet;
import org.apache.ranger.entity.XXAuthSession;
import org.apache.ranger.entity.XXPortalUser;
@@ -36,7 +37,9 @@ public class UserSessionBase implements Serializable {
private boolean keyAdmin = false;
private int authProvider = RangerConstants.USER_APP;
private List<String> userRoleList = new ArrayList<String>();
+ private RangerUserPermission rangerUserPermission;
int clientTimeOffsetInMinute = 0;
+
public Long getUserId() {
if (xXPortalUser != null) {
return xXPortalUser.getId();
@@ -58,14 +61,9 @@ public class UserSessionBase implements Serializable {
return null;
}
-
-
public boolean isUserAdmin() {
return userAdmin;
}
-
-
-
public void setUserAdmin(boolean userAdmin) {
this.userAdmin = userAdmin;
@@ -75,13 +73,6 @@ public class UserSessionBase implements Serializable {
return xXPortalUser;
}
- public String getUserName() {
- if (xXPortalUser != null) {
- return xXPortalUser.getFirstName() + " " + xXPortalUser.getLastName();
- }
- return null;
- }
-
public void setXXAuthSession(XXAuthSession gjAuthSession) {
this.xXAuthSession = gjAuthSession;
}
@@ -121,4 +112,52 @@ public class UserSessionBase implements Serializable {
this.keyAdmin = keyAdmin;
}
+ /**
+ * @return the rangerUserPermission
+ */
+ public RangerUserPermission getRangerUserPermission() {
+ return rangerUserPermission;
+ }
+
+ /**
+ * @param rangerUserPermission the rangerUserPermission to set
+ */
+ public void setRangerUserPermission(RangerUserPermission rangerUserPermission) {
+ this.rangerUserPermission = rangerUserPermission;
+ }
+
+
+
+ public static class RangerUserPermission {
+
+ protected CopyOnWriteArraySet<String> userPermissions;
+ protected Long lastUpdatedTime;
+
+ /**
+ * @return the userPermissions
+ */
+ public CopyOnWriteArraySet<String> getUserPermissions() {
+ return userPermissions;
+ }
+ /**
+ * @param userPermissions the userPermissions to set
+ */
+ public void setUserPermissions(CopyOnWriteArraySet<String> userPermissions) {
+ this.userPermissions = userPermissions;
+ }
+ /**
+ * @return the lastUpdatedTime
+ */
+ public Long getLastUpdatedTime() {
+ return lastUpdatedTime;
+ }
+ /**
+ * @param lastUpdatedTime the lastUpdatedTime to set
+ */
+ public void setLastUpdatedTime(Long lastUpdatedTime) {
+ this.lastUpdatedTime = lastUpdatedTime;
+ }
+
+ }
+
}
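Review bot: `RangerUserPermission` does not implement `Serializable` although `UserSessionBase` does and now holds it in a field, so serializing a session — Tomcat's session persistence across restarts or a shared session store — fails with `NotSerializableException` on `rangerUserPermission`. Either declare `public static class RangerUserPermission implements Serializable` with a `serialVersionUID`, or mark the field `transient`; a deserialized session then has a null permission object, which `SessionMgr.refreshPermissionsIfNeeded` already rebuilds on the next request. `getUserPermissions()` also hands out the live `CopyOnWriteArraySet`, so any caller can add a module name to a session's permissions; consider a `Set<String>` return type backed by `Collections.unmodifiableSet(userPermissions)`.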
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/140f7efb/security-admin/src/main/java/org/apache/ranger/db/XXGroupPermissionDao.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXGroupPermissionDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXGroupPermissionDao.java
index 3121e7a..db69cea 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXGroupPermissionDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXGroupPermissionDao.java
@@ -26,7 +26,6 @@ import org.apache.log4j.Logger;
import org.apache.ranger.common.RangerCommonEnums;
import org.apache.ranger.common.db.BaseDao;
import org.apache.ranger.entity.XXGroupPermission;
-import org.apache.ranger.entity.XXUserPermission;
public class XXGroupPermissionDao extends BaseDao<XXGroupPermission> {
@@ -100,4 +99,19 @@ public class XXGroupPermissionDao extends BaseDao<XXGroupPermission> {
}
return null;
}
+
+ public XXGroupPermission findByModuleIdAndGroupId(Long groupId, Long moduleId) {
+ if (groupId != null && moduleId != null) {
+ try {
+ return getEntityManager().createNamedQuery("XXGroupPermission.findByModuleIdAndGroupId", tClass).setParameter("groupId", groupId).setParameter("moduleId", moduleId)
+ .getSingleResult();
+ } catch (NoResultException e) {
+ logger.debug(e.getMessage());
+ }
+ } else {
+ return null;
+ }
+ return null;
+ }
+
}
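Review bot: `getSingleResult()` throws `NonUniqueResultException` when more than one row matches, and nothing enforced uniqueness of (groupId, moduleId) before this commit, so on a database that already holds a duplicate the new validation in `XGroupPermissionService` surfaces as an unhandled exception rather than the intended duplicate-object error. Catch it alongside the existing case, e.g. `} catch (NoResultException | NonUniqueResultException e) {` (or a second catch block if the project is not yet on Java 7 syntax), and log at warn rather than debug since it indicates corrupt data. The parameter order `(groupId, moduleId)` is also the reverse of what the method name `findByModuleIdAndGroupId` suggests; callers at L14740 pass it correctly, but a Javadoc `@param` pair would prevent the inevitable swap. The trailing `else { return null; }` followed by `return null;` can be collapsed into a single return.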
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/140f7efb/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java
index 104e188..ffc3c32 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXGroupUserDao.java
@@ -81,4 +81,15 @@ public class XXGroupUserDao extends BaseDao<XXGroupUser> {
return null;
}
+ public List<XXGroupUser> findByGroupId(Long groupId) {
+ if (groupId == null) {
+ return new ArrayList<XXGroupUser>();
+ }
+ try {
+ return getEntityManager().createNamedQuery("XXGroupUser.findByGroupId", tClass).setParameter("groupId", groupId).getResultList();
+ } catch (NoResultException e) {
+ return new ArrayList<XXGroupUser>();
+ }
+ }
+
}
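Review bot: The `catch (NoResultException e)` around `getResultList()` is dead code — JPA only raises `NoResultException` from `getSingleResult()`, and `getResultList()` returns an empty list when nothing matches. The method body can be reduced to the null guard plus `return getEntityManager().createNamedQuery("XXGroupUser.findByGroupId", tClass).setParameter("groupId", groupId).getResultList();`, matching the pattern the sibling DAOs in this commit use for list queries.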
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/140f7efb/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java
index fa2b3d9..dd9ae5f 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXModuleDefDao.java
@@ -66,16 +66,6 @@ public class XXModuleDefDao extends BaseDao<XXModuleDef>{
return new XXModuleDef();
}
}
- @SuppressWarnings("unchecked")
- public List<XXModuleDef> findModuleNamesWithIds() {
- try {
- return getEntityManager()
- .createNamedQuery("XXModuleDef.findModuleNamesWithIds")
- .getResultList();
- } catch (NoResultException e) {
- return null;
- }
- }
@SuppressWarnings("unchecked")
public List<String> findModuleURLOfPemittedModules(Long userId) {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/140f7efb/security-admin/src/main/java/org/apache/ranger/db/XXUserPermissionDao.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/db/XXUserPermissionDao.java b/security-admin/src/main/java/org/apache/ranger/db/XXUserPermissionDao.java
index 1956b30..e10dc14 100644
--- a/security-admin/src/main/java/org/apache/ranger/db/XXUserPermissionDao.java
+++ b/security-admin/src/main/java/org/apache/ranger/db/XXUserPermissionDao.java
@@ -99,20 +99,19 @@ public class XXUserPermissionDao extends BaseDao<XXUserPermission>{
return null;
}
- public List<XXUserPermission> findByModuleIdAndUserId(Long userId,Long moduleId) {
+ public XXUserPermission findByModuleIdAndUserId(Long userId, Long moduleId) {
if (userId != null) {
try {
- return getEntityManager()
- .createNamedQuery("XXUserPermission.findByModuleIdAndUserId", XXUserPermission.class)
+ return getEntityManager().createNamedQuery("XXUserPermission.findByModuleIdAndUserId", XXUserPermission.class)
.setParameter("userId", userId)
.setParameter("moduleId", moduleId)
- .getResultList();
+ .getSingleResult();
} catch (NoResultException e) {
logger.debug(e.getMessage());
}
} else {
logger.debug("ResourceUserId not provided.");
- return new ArrayList<XXUserPermission>();
+ return null;
}
return null;
}
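Review bot: Only `userId` is null-checked while `moduleId` is passed straight into the query, unlike the parallel `XXGroupPermissionDao.findByModuleIdAndGroupId` added in this commit which guards both; make the condition `if (userId != null && moduleId != null) {` so a null module id returns null instead of running an unbounded-parameter query. As with the group DAO, the switch from `getResultList()` to `getSingleResult()` means a pre-existing duplicate (userId, moduleId) row now throws `NonUniqueResultException`, which this catch does not handle, so the new duplicate validation would produce a 500 instead of a validation error; catch that type too. The `logger.debug("ResourceUserId not provided.")` message refers to a name that no longer matches the parameter.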
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/140f7efb/security-admin/src/main/java/org/apache/ranger/patch/PatchPersmissionModel_J10003.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/patch/PatchPersmissionModel_J10003.java b/security-admin/src/main/java/org/apache/ranger/patch/PatchPersmissionModel_J10003.java
index 841e386..f0aa938 100644
--- a/security-admin/src/main/java/org/apache/ranger/patch/PatchPersmissionModel_J10003.java
+++ b/security-admin/src/main/java/org/apache/ranger/patch/PatchPersmissionModel_J10003.java
@@ -70,27 +70,27 @@ public class PatchPersmissionModel_J10003 extends BaseLoader {
@Override
public void execLoad() {
logger.info("==> PermissionPatch.execLoad()");
- printStats();
+ assignPermissionToExistingUsers();
logger.info("<== PermissionPatch.execLoad()");
}
- @Override
- public void printStats() {
+ public void assignPermissionToExistingUsers() {
int countUserPermissionUpdated = 1;
- List<XXPortalUser> allPortalUser = daoManager.getXXPortalUser()
- .findAllXPortalUser();
+ List<XXPortalUser> allPortalUser = daoManager.getXXPortalUser().findAllXPortalUser();
List<VXPortalUser> vPortalUsers = new ArrayList<VXPortalUser>();
for (XXPortalUser xPortalUser : allPortalUser) {
- VXPortalUser vPortalUser = xPortalUserService
- .populateViewBean(xPortalUser);
+ VXPortalUser vPortalUser = xPortalUserService.populateViewBean(xPortalUser);
vPortalUsers.add(vPortalUser);
- vPortalUser.setUserRoleList(daoManager.getXXPortalUser()
- .findXPortalUserRolebyXPortalUserId(vPortalUser.getId()));
+ vPortalUser.setUserRoleList(daoManager.getXXPortalUser().findXPortalUserRolebyXPortalUserId(vPortalUser.getId()));
xUserMgr.assignPermissionToUser(vPortalUser, false);
countUserPermissionUpdated += 1;
- logger.info(" Permission was assigned to UserId - "
- + xPortalUser.getId());
+ logger.info(" Permission was assigned to UserId - " + xPortalUser.getId());
}
logger.info(countUserPermissionUpdated + " permissions where assigned");
}
+
+ @Override
+ public void printStats() {
+ }
+
}
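Review bot: `countUserPermissionUpdated` is initialised to `1` and incremented once per user, so the summary line over-reports by one (and reads "permissions where assigned", meaning "were"); initialise it to `0`, i.e. `int countUserPermissionUpdated = 0;`. The empty `printStats()` override is now a no-op that silently satisfies the base class; a one-line comment such as `// stats are logged inline by assignPermissionToExistingUsers()` would tell the next reader this is deliberate rather than forgotten.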
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/140f7efb/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
index d4d0a76..b7884eb 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java
@@ -759,6 +759,7 @@ public class XUserREST {
@Produces({ "application/xml", "application/json" })
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_MODULE_DEF_PERMISSION + "\")")
public VXModuleDef createXModuleDefPermission(VXModuleDef vXModuleDef) {
+ xUserMgr.checkAdminAccess();
return xUserMgr.createXModuleDefPermission(vXModuleDef);
}
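Review bot: The admin requirement is enforced imperatively by calling `xUserMgr.checkAdminAccess()` as the first statement of nine separate endpoint bodies in this file, while the module-tab check next to it is declarative via `@PreAuthorize`; a new permission endpoint that omits the call would silently be reachable by any user with the tab. Consider expressing the role check the same way, e.g. `@PreAuthorize("@rangerPreAuthSecurityHandler.isAdminAccessible()")` (or folding it into `isAPIAccessible`), so both conditions are visible at the method signature and cannot be forgotten. Whether the read/search endpoints for module, user and group permissions need the same restriction is not decidable from this diff, since they are not touched here.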
@@ -775,6 +776,7 @@ public class XUserREST {
@Produces({ "application/xml", "application/json" })
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_MODULE_DEF_PERMISSION + "\")")
public VXModuleDef updateXModuleDefPermission(VXModuleDef vXModuleDef) {
+ xUserMgr.checkAdminAccess();
return xUserMgr.updateXModuleDefPermission(vXModuleDef);
}
@@ -784,6 +786,7 @@ public class XUserREST {
public void deleteXModuleDefPermission(@PathParam("id") Long id,
@Context HttpServletRequest request) {
boolean force = true;
+ xUserMgr.checkAdminAccess();
xUserMgr.deleteXModuleDefPermission(id, force);
}
@@ -825,6 +828,7 @@ public class XUserREST {
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_USER_PERMISSION + "\")")
public VXUserPermission createXUserPermission(
VXUserPermission vXUserPermission) {
+ xUserMgr.checkAdminAccess();
return xUserMgr.createXUserPermission(vXUserPermission);
}
@@ -842,6 +846,7 @@ public class XUserREST {
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_USER_PERMISSION + "\")")
public VXUserPermission updateXUserPermission(
VXUserPermission vXUserPermission) {
+ xUserMgr.checkAdminAccess();
return xUserMgr.updateXUserPermission(vXUserPermission);
}
@@ -851,6 +856,7 @@ public class XUserREST {
public void deleteXUserPermission(@PathParam("id") Long id,
@Context HttpServletRequest request) {
boolean force = true;
+ xUserMgr.checkAdminAccess();
xUserMgr.deleteXUserPermission(id, force);
}
@@ -887,6 +893,7 @@ public class XUserREST {
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.CREATE_X_GROUP_PERMISSION + "\")")
public VXGroupPermission createXGroupPermission(
VXGroupPermission vXGroupPermission) {
+ xUserMgr.checkAdminAccess();
return xUserMgr.createXGroupPermission(vXGroupPermission);
}
@@ -904,6 +911,7 @@ public class XUserREST {
@PreAuthorize("@rangerPreAuthSecurityHandler.isAPIAccessible(\"" + RangerAPIList.UPDATE_X_GROUP_PERMISSION + "\")")
public VXGroupPermission updateXGroupPermission(
VXGroupPermission vXGroupPermission) {
+ xUserMgr.checkAdminAccess();
return xUserMgr.updateXGroupPermission(vXGroupPermission);
}
@@ -913,6 +921,7 @@ public class XUserREST {
public void deleteXGroupPermission(@PathParam("id") Long id,
@Context HttpServletRequest request) {
boolean force = true;
+ xUserMgr.checkAdminAccess();
xUserMgr.deleteXGroupPermission(id, force);
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/140f7efb/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java b/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java
index 6d132e6..daf732e 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java
@@ -19,19 +19,18 @@
package org.apache.ranger.security.context;
-import java.util.List;
import java.util.Set;
+import java.util.concurrent.CopyOnWriteArraySet;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.collections.CollectionUtils;
import org.apache.log4j.Logger;
+import org.apache.ranger.biz.SessionMgr;
import org.apache.ranger.common.ContextUtil;
-import org.apache.ranger.common.MessageEnums;
import org.apache.ranger.common.RESTErrorUtil;
import org.apache.ranger.common.UserSessionBase;
import org.apache.ranger.db.RangerDaoManager;
-import org.apache.ranger.entity.XXUser;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
@@ -47,6 +46,9 @@ public class RangerPreAuthSecurityHandler {
@Autowired
RangerAPIMapping rangerAPIMapping;
+
+ @Autowired
+ SessionMgr sessionMgr;
public boolean isAPIAccessible(String methodName) throws Exception {
@@ -77,14 +79,15 @@ public class RangerPreAuthSecurityHandler {
public boolean isAPIAccessible(Set<String> associatedTabs) throws Exception {
- XXUser xUser = daoManager.getXXUser().findByUserName(ContextUtil.getCurrentUserLoginId());
- if (xUser == null) {
- restErrorUtil.createRESTException("x_user cannot be null.", MessageEnums.ERROR_SYSTEM);
- }
-
- List<String> accessibleModules = daoManager.getXXModuleDef().findAccessibleModulesByUserId(ContextUtil.getCurrentUserId(), xUser.getId());
- if (CollectionUtils.containsAny(accessibleModules, associatedTabs)) {
- return true;
+ UserSessionBase userSession = ContextUtil.getCurrentUserSession();
+ if (userSession != null) {
+ sessionMgr.refreshPermissionsIfNeeded(userSession);
+ if (userSession.getRangerUserPermission() != null) {
+ CopyOnWriteArraySet<String> accessibleModules = userSession.getRangerUserPermission().getUserPermissions();
+ if (CollectionUtils.containsAny(accessibleModules, associatedTabs)) {
+ return true;
+ }
+ }
}
throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User is not allowed to access the API", true);
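Review bot: `accessibleModules` can be null — `RangerUserPermission` never initialises `userPermissions` — and `CollectionUtils.containsAny` dereferences its first argument, so a session whose cache has not been populated yet fails with a `NullPointerException` (a 500) instead of the intended 403; guard it with `if (accessibleModules != null && CollectionUtils.containsAny(accessibleModules, associatedTabs)) {`. The check also moves from a per-request database lookup to a per-session cache, so revoking a module permission only takes effect when `refreshPermissionsIfNeeded` decides the cache is stale; that logic is not in this diff, so a comment here stating the expected staleness window (or that `SessionMgr` invalidates the cache on permission change) would make the security contract explicit. Note the removed code called `restErrorUtil.createRESTException(...)` without `throw`, so the old null-user path fell through; the new code correctly fails closed for a missing session.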
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/140f7efb/security-admin/src/main/java/org/apache/ranger/security/listener/RangerHttpSessionListener.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/listener/RangerHttpSessionListener.java b/security-admin/src/main/java/org/apache/ranger/security/listener/RangerHttpSessionListener.java
new file mode 100644
index 0000000..259a7e7
--- /dev/null
+++ b/security-admin/src/main/java/org/apache/ranger/security/listener/RangerHttpSessionListener.java
@@ -0,0 +1,48 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.security.listener;
+
+import java.util.concurrent.CopyOnWriteArrayList;
+
+import javax.servlet.http.HttpSession;
+import javax.servlet.http.HttpSessionEvent;
+import javax.servlet.http.HttpSessionListener;
+
+public class RangerHttpSessionListener implements HttpSessionListener {
+
+ private static CopyOnWriteArrayList<HttpSession> listOfSession = new CopyOnWriteArrayList<HttpSession>();
+
+ @Override
+ public void sessionCreated(HttpSessionEvent event) {
+ listOfSession.add(event.getSession());
+ }
+
+ @Override
+ public void sessionDestroyed(HttpSessionEvent event) {
+ if (listOfSession.size() > 0) {
+ listOfSession.remove(event.getSession());
+ }
+ }
+
+ public static CopyOnWriteArrayList<HttpSession> getActiveSessionOnServer() {
+ return listOfSession;
+ }
+
+}
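Review bot: `getActiveSessionOnServer()` hands out the live static `CopyOnWriteArrayList`, so any caller can add or remove entries from the server-wide session registry; return `Collections.unmodifiableList(listOfSession)` (adding `import java.util.Collections;`) and keep mutation inside the listener. Callers iterating this list must also expect `IllegalStateException` from a session that was invalidated between the snapshot and the access, since the element is removed only when `sessionDestroyed` fires. The `listOfSession.size() > 0` guard is redundant — `remove` on an empty list is a no-op — and each logout copies the whole array; a `ConcurrentHashMap<String, HttpSession>` keyed by session id would give O(1) removal. This listener only has effect if it is registered in `web.xml` or via `@WebListener`, which this diff does not show.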
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/140f7efb/security-admin/src/main/java/org/apache/ranger/service/XGroupPermissionService.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/service/XGroupPermissionService.java b/security-admin/src/main/java/org/apache/ranger/service/XGroupPermissionService.java
index d5168eb..c3bc78d 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/XGroupPermissionService.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/XGroupPermissionService.java
@@ -22,6 +22,7 @@ import org.apache.ranger.common.SearchField;
import org.apache.ranger.db.RangerDaoManager;
import org.apache.ranger.entity.XXGroup;
import org.apache.ranger.entity.XXGroupPermission;
+import org.apache.ranger.entity.XXUserPermission;
import org.apache.ranger.view.VXGroupPermission;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Scope;
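Review bot: The added `import org.apache.ranger.entity.XXUserPermission;` appears to be unused in `XGroupPermissionService` — the validation hunk below only references `XXGroupPermission` — and looks like a copy-over from the user-permission service; drop it unless a part of the file outside this diff uses it.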
@@ -47,12 +48,20 @@ public class XGroupPermissionService extends XGroupPermissionServiceBase<XXGroup
@Override
protected void validateForCreate(VXGroupPermission vObj) {
-
+ XXGroupPermission xGroupPerm = daoManager.getXXGroupPermission().findByModuleIdAndGroupId(vObj.getGroupId(), vObj.getModuleId());
+ if (xGroupPerm != null) {
+ throw restErrorUtil.createRESTException("Group with ID [" + vObj.getGroupId() + "] " + "is already " + "assigned to the module with ID [" + vObj.getModuleId() + "]",
+ MessageEnums.ERROR_DUPLICATE_OBJECT);
+ }
}
@Override
protected void validateForUpdate(VXGroupPermission vObj, XXGroupPermission mObj) {
-
+ XXGroupPermission xGroupPerm = daoManager.getXXGroupPermission().findByModuleIdAndGroupId(vObj.getGroupId(), vObj.getModuleId());
+ if (xGroupPerm != null && !xGroupPerm.getId().equals(vObj.getId())) {
+ throw restErrorUtil.createRESTException("Group with ID [" + vObj.getGroupId() + "] " + "is already " + "assigned to the module with ID [" + vObj.getModuleId() + "]",
+ MessageEnums.ERROR_DUPLICATE_OBJECT);
+ }
}
@Override
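Review bot: The duplicate check is a read-then-write in application code, so two concurrent `createXGroupPermission` requests for the same (groupId, moduleId) can both pass `validateForCreate` and both insert; the authoritative guard should be a unique constraint on those two columns in `x_group_module_perm` (whether one exists is not visible in this diff), with this lookup serving only to produce the friendlier `ERROR_DUPLICATE_OBJECT` message. Neither method rejects a null `groupId` or `moduleId`; the DAO returns null for those, so the check passes and the create proceeds unless the base class validates them. `mObj` is unused in `validateForUpdate`; comparing against `mObj.getId()` rather than the client-supplied `vObj.getId()` would also avoid trusting the id in the request body for the self-match.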
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/140f7efb/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionService.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionService.java b/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionService.java
index 92b6951..3ff9c8d 100644
--- a/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionService.java
+++ b/security-admin/src/main/java/org/apache/ranger/service/XUserPermissionService.java
@@ -20,8 +20,8 @@ package org.apache.ranger.service;
import org.apache.ranger.common.MessageEnums;
import org.apache.ranger.common.SearchField;
import org.apache.ranger.db.RangerDaoManager;
+import org.apache.ranger.entity.XXModuleDef;
import org.apache.ranger.entity.XXPortalUser;
-import org.apache.ranger.entity.XXUser;
import org.apache.ranger.entity.XXUserPermission;
import org.apache.ranger.view.VXUserPermission;
import org.springframework.beans.factory.annotation.Autowired;
@@ -47,12 +47,20 @@ public class XUserPermissionService extends XUserPermissionServiceBase<XXUserPer
@Override
protected void validateForCreate(VXUserPermission vObj) {
-
+ XXUserPermission xUserPerm = daoManager.getXXUserPermission().findByModuleIdAndUserId(vObj.getUserId(), vObj.getModuleId());
+ if (xUserPerm != null) {
+ throw restErrorUtil.createRESTException("User with ID [" + vObj.getUserId() + "] " + "is already " + "assigned to the module with ID [" + vObj.getModuleId() + "]",
+ MessageEnums.ERROR_DUPLICATE_OBJECT);
+ }
}
@Override
protected void validateForUpdate(VXUserPermission vObj, XXUserPermission mObj) {
-
+ XXUserPermission xUserPerm = daoManager.getXXUserPermission().findByModuleIdAndUserId(vObj.getUserId(), vObj.getModuleId());
+ if (xUserPerm != null && !xUserPerm.getId().equals(vObj.getId())) {
+ throw restErrorUtil.createRESTException("User with ID [" + vObj.getUserId() + "] " + "is already " + "assigned to the module with ID [" + vObj.getModuleId() + "]",
+ MessageEnums.ERROR_DUPLICATE_OBJECT);
+ }
}
@Override
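Review bot: Neither validator rejects a null `userId` or `moduleId`: `XXUserPermissionDao.findByModuleIdAndUserId` returns null for a null user id, so the duplicate check passes and the create proceeds with an incomplete row unless a base-class validation (not visible here) catches it; add an explicit check that throws through `restErrorUtil` before the lookup. As in the group service, this check-then-act does not prevent two concurrent creates from both succeeding, so a database unique constraint on (user_id, module_id) should back it. In `validateForUpdate`, compare against `mObj.getId()` (the persisted entity already loaded for you) instead of the client-supplied `vObj.getId()`.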
@@ -68,6 +76,12 @@ public class XUserPermissionService extends XUserPermissionServiceBase<XXUserPer
}
vObj.setUserName(xUser.getLoginId());
+
+ XXModuleDef xModuleDef = daoManager.getXXModuleDef().getById(xObj.getModuleId());
+ if (xModuleDef != null) {
+ vObj.setModuleName(xModuleDef.getModule());
+ }
+
return vObj;
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/140f7efb/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
index ac4c753..0370e9a 100644
--- a/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
+++ b/security-admin/src/main/resources/META-INF/jpa_named_queries.xml
@@ -177,6 +177,11 @@
</query>
</named-query>
+ <named-query name="XXGroupUser.findByGroupId">
+ <query>SELECT obj FROM XXGroupUser obj WHERE obj.parentGroupId=:groupId
+ </query>
+ </named-query>
+
<named-query name="XXTrxLog.findByTrxId">
<query>SELECT obj FROM XXTrxLog obj WHERE obj.transactionId = :transactionId
</query>
@@ -490,10 +495,9 @@
WHERE XXUserPermObj.moduleId = :moduleId AND XXUserPermObj.userId =:userId
</query>
</named-query>
-
- <named-query name="XXModuleDef.findModuleNamesWithIds">
- <query>SELECT XXMObj
- FROM XXModuleDef XXMObj
+
+ <named-query name="XXGroupPermission.findByModuleIdAndGroupId">
+ <query>SELECT obj FROM XXGroupPermission obj WHERE obj.moduleId = :moduleId AND obj.groupId =:groupId
</query>
</named-query>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/140f7efb/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java
index ab149ad..cda423e 100644
--- a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java
+++ b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java
@@ -20,6 +20,7 @@ import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
+import java.util.HashSet;
import java.util.List;
import java.util.Set;
@@ -129,6 +130,9 @@ public class TestXUserMgr {
@Mock
XPortalUserService xPortalUserService;
+
+ @Mock
+ SessionMgr sessionMgr;
@Rule
public ExpectedException thrown = ExpectedException.none();
@@ -225,7 +229,6 @@ public class TestXUserMgr {
XXModuleDefDao value = Mockito.mock(XXModuleDefDao.class);
Mockito.when(daoManager.getXXModuleDef()).thenReturn(value);
List<XXModuleDef> lsvalue = new ArrayList<XXModuleDef>();
- Mockito.when(value.findModuleNamesWithIds()).thenReturn(lsvalue);
Mockito.when(
userMgr.createDefaultAccountUser((VXPortalUser) Mockito
@@ -250,7 +253,6 @@ public class TestXUserMgr {
Mockito.verify(userMgr).createDefaultAccountUser(
(VXPortalUser) Mockito.anyObject());
Mockito.verify(daoManager).getXXModuleDef();
- Mockito.verify(value).findModuleNamesWithIds();
Assert.assertNotNull(dbvxUser);
Assert.assertEquals(userId, dbvxUser.getId());
Assert.assertEquals(dbvxUser.getDescription(), vxUser.getDescription());
@@ -726,6 +728,8 @@ public class TestXUserMgr {
Mockito.when(xModuleDefService.createResource(vXModuleDef)).thenReturn(
vXModuleDef);
+ XXModuleDefDao obj = Mockito.mock(XXModuleDefDao.class);
+ Mockito.when(daoManager.getXXModuleDef()).thenReturn(obj);
VXModuleDef dbMuduleDef = xUserMgr
.createXModuleDefPermission(vXModuleDef);
@@ -825,7 +829,17 @@ public class TestXUserMgr {
xGroupPermission);
Mockito.when(xGroupPermissionService.populateViewBean(xGroupPermission))
.thenReturn(vXGroupPermission);
-
+ XXGroupUserDao xGrpUserDao = Mockito.mock(XXGroupUserDao.class);
+ Mockito.when(daoManager.getXXGroupUser()).thenReturn(xGrpUserDao);
+
+ UserSessionBase userSession = Mockito.mock(UserSessionBase.class);
+ Set<UserSessionBase> userSessions = new HashSet<UserSessionBase>();
+ userSessions.add(userSession);
+
+ Mockito.when(xGroupPermissionService.createResource((VXGroupPermission) Mockito.anyObject())).thenReturn(vXGroupPermission);
+ Mockito.when(xUserPermissionService.createResource((VXUserPermission) Mockito.anyObject())).thenReturn(vXUserPermission);
+ Mockito.when(sessionMgr.getActiveUserSessionsForPortalUserId(userId)).thenReturn(userSessions);
+
VXModuleDef dbMuduleDef = xUserMgr
.updateXModuleDefPermission(vXModuleDef);
Assert.assertEquals(dbMuduleDef, vXModuleDef);
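Review bot: The new stubs on `sessionMgr.getActiveUserSessionsForPortalUserId(userId)` and on the two `createResource` calls are set up but never verified, so the test still passes if `updateXModuleDefPermission` stops refreshing active sessions after a permission change — which, judging by the stub, is the behaviour this commit introduces. Add `Mockito.verify(sessionMgr).getActiveUserSessionsForPortalUserId(userId);` and a verification on the mocked `UserSessionBase` for whatever permission reset it is expected to receive. The `Mockito.anyObject()` stubs also mask argument mismatches; stubbing with the concrete `vXGroupPermission`/`vXUserPermission` would catch a wrong object being persisted.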
@@ -962,6 +976,10 @@ public class TestXUserMgr {
Mockito.when(xUserPermissionService.deleteResource(1L))
.thenReturn(true);
+ XXUserPermission xUserPerm = Mockito.mock(XXUserPermission.class);
+ XXUserPermissionDao xUserPermDao = Mockito.mock(XXUserPermissionDao.class);
+ Mockito.when(daoManager.getXXUserPermission()).thenReturn(xUserPermDao);
+ Mockito.when(daoManager.getXXUserPermission().getById(1L)).thenReturn(xUserPerm);
xUserMgr.deleteXUserPermission(1L, true);
Mockito.verify(xUserPermissionService).deleteResource(1L);
}
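Review bot: Stubbing through the chained call `Mockito.when(daoManager.getXXUserPermission().getById(1L))` re-invokes the mocked `daoManager` inside `when(...)`, which works only because that call was stubbed on the previous line and is a pattern Mockito's own documentation warns against; use the local mock directly, `Mockito.when(xUserPermDao.getById(1L)).thenReturn(xUserPerm);`. The same chained form appears in `test42deleteXGroupPermission` later in this file.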
@@ -970,9 +988,11 @@ public class TestXUserMgr {
public void test39createXGroupPermission() {
VXGroupPermission vXGroupPermission = vXGroupPermission();
- Mockito.when(xGroupPermissionService.createResource(vXGroupPermission))
- .thenReturn(vXGroupPermission);
-
+ XXGroupUserDao xGrpUserDao = Mockito.mock(XXGroupUserDao.class);
+ Mockito.when(daoManager.getXXGroupUser()).thenReturn(xGrpUserDao);
+
+ Mockito.when(xGroupPermissionService.createResource(vXGroupPermission)).thenReturn(vXGroupPermission);
+
VXGroupPermission dbGroupPermission = xUserMgr
.createXGroupPermission(vXGroupPermission);
Assert.assertNotNull(dbGroupPermission);
@@ -1036,8 +1056,9 @@ public class TestXUserMgr {
public void test41updateXGroupPermission() {
VXGroupPermission vXGroupPermission = vXGroupPermission();
- Mockito.when(xGroupPermissionService.updateResource(vXGroupPermission))
- .thenReturn(vXGroupPermission);
+ XXGroupUserDao xGrpUserDao = Mockito.mock(XXGroupUserDao.class);
+ Mockito.when(daoManager.getXXGroupUser()).thenReturn(xGrpUserDao);
+ Mockito.when(xGroupPermissionService.updateResource(vXGroupPermission)).thenReturn(vXGroupPermission);
VXGroupPermission dbGroupPermission = xUserMgr
.updateXGroupPermission(vXGroupPermission);
@@ -1069,12 +1090,20 @@ public class TestXUserMgr {
@Test
public void test42deleteXGroupPermission() {
- Mockito.when(xGroupPermissionService.deleteResource(1L)).thenReturn(
- true);
+ XXGroupPermissionDao xGrpPermDao = Mockito.mock(XXGroupPermissionDao.class);
+ XXGroupPermission xGrpPerm = Mockito.mock(XXGroupPermission.class);
+
+ Mockito.when(daoManager.getXXGroupPermission()).thenReturn(xGrpPermDao);
+ Mockito.when(daoManager.getXXGroupPermission().getById(1L)).thenReturn(xGrpPerm);
+
+ XXGroupUserDao xGrpUserDao = Mockito.mock(XXGroupUserDao.class);
+ Mockito.when(daoManager.getXXGroupUser()).thenReturn(xGrpUserDao);
+
+ Mockito.when(xGroupPermissionService.deleteResource(1L)).thenReturn(true);
xUserMgr.deleteXGroupPermission(1L, true);
Mockito.verify(xGroupPermissionService).deleteResource(1L);
}
-
+
/*@Test
public void test43checkPermissionRoleByGivenUrls() {
XXModuleDefDao value = Mockito.mock(XXModuleDefDao.class);
[18/33] incubator-ranger git commit: RANGER-682 Add support for audit
to Azure Blob Storage via HDFS audit handler
Posted by ma...@apache.org.
RANGER-682 Add support for audit to Azure Blob Storage via HDFS audit handler
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/35aa706e
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/35aa706e
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/35aa706e
Branch: refs/heads/tag-policy
Commit: 35aa706ecbdd86b25a13f20e79248e59060935b9
Parents: 140f7ef
Author: Alok Lal <al...@apache.org>
Authored: Mon Sep 21 12:06:20 2015 -0700
Committer: Alok Lal <al...@apache.org>
Committed: Fri Oct 9 16:19:54 2015 -0700
----------------------------------------------------------------------
.../audit/destination/HDFSAuditDestination.java | 37 +++++++++++----
.../ranger/audit/provider/BaseAuditHandler.java | 19 ++++++--
.../audit/provider/hdfs/HdfsAuditProvider.java | 3 ++
.../audit/provider/hdfs/HdfsLogDestination.java | 26 ++++++++++-
.../ranger/utils/install/XmlConfigChanger.java | 47 ++++++++++++++++----
hbase-agent/conf/ranger-hbase-audit-changes.cfg | 5 +++
hbase-agent/conf/ranger-hbase-audit.xml | 40 ++++++++++++++++-
hbase-agent/scripts/install.properties | 11 +++++
hdfs-agent/conf/ranger-hdfs-audit-changes.cfg | 5 +++
hdfs-agent/conf/ranger-hdfs-audit.xml | 36 +++++++++++++++
hdfs-agent/scripts/install.properties | 11 +++++
hive-agent/conf/ranger-hive-audit-changes.cfg | 5 +++
hive-agent/conf/ranger-hive-audit.xml | 36 +++++++++++++++
hive-agent/scripts/install.properties | 11 +++++
kms/scripts/install.properties | 11 +++++
knox-agent/conf/ranger-knox-audit-changes.cfg | 5 +++
knox-agent/conf/ranger-knox-audit.xml | 36 +++++++++++++++
knox-agent/scripts/install.properties | 11 +++++
.../conf/ranger-kafka-audit-changes.cfg | 5 +++
plugin-kafka/conf/ranger-kafka-audit.xml | 36 +++++++++++++++
plugin-kafka/scripts/install.properties | 11 +++++
plugin-kms/conf/ranger-kms-audit-changes.cfg | 5 +++
plugin-kms/conf/ranger-kms-audit.xml | 36 +++++++++++++++
plugin-solr/conf/ranger-solr-audit-changes.cfg | 5 +++
plugin-solr/conf/ranger-solr-audit.xml | 36 +++++++++++++++
plugin-solr/scripts/install.properties | 11 +++++
plugin-yarn/conf/ranger-yarn-audit-changes.cfg | 5 +++
plugin-yarn/conf/ranger-yarn-audit.xml | 36 +++++++++++++++
plugin-yarn/scripts/install.properties | 11 +++++
storm-agent/conf/ranger-storm-audit-changes.cfg | 5 +++
storm-agent/conf/ranger-storm-audit.xml | 36 +++++++++++++++
storm-agent/scripts/install.properties | 11 +++++
32 files changed, 580 insertions(+), 24 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/agents-audit/src/main/java/org/apache/ranger/audit/destination/HDFSAuditDestination.java
----------------------------------------------------------------------
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/destination/HDFSAuditDestination.java b/agents-audit/src/main/java/org/apache/ranger/audit/destination/HDFSAuditDestination.java
index 49e5fbb..96755be 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/destination/HDFSAuditDestination.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/destination/HDFSAuditDestination.java
@@ -23,12 +23,9 @@ import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.PrintWriter;
import java.net.URI;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Date;
-import java.util.List;
-import java.util.Properties;
+import java.util.*;
+import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
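Review bot: Five explicit `java.util` imports are collapsed into the wildcard `import java.util.*;`, which diverges from the explicit-import style used elsewhere in this file and in `BaseAuditHandler` before this commit; the only new name needed is `Map`, so `import java.util.Map;` alongside the existing imports keeps the dependency surface visible and avoids future name clashes (e.g. with `org.apache.hadoop.fs.Path`-style collisions).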
@@ -99,7 +96,7 @@ public class HDFSAuditDestination extends AuditDestination {
logger.info("logFolder=" + logFolder + ", destName=" + getName());
logger.info("logFileNameFormat=" + logFileNameFormat + ", destName="
+ getName());
-
+ logger.info("config=" + configProps.toString());
initDone = true;
}
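Review bot: `logger.info("config=" + configProps.toString())` writes every value in the `config` block to the plugin log at INFO; for the Azure Blob target this commit is adding, that block is where a storage account key or similar credential would be supplied (the property names live in the `install.properties`/audit XML files, which are not in this chunk), so a secret would be persisted in clear text in the service log. Log only the property names here, e.g. `logger.info("config keys=" + configProps.keySet() + ", destName=" + getName());`, or mask values whose key contains `key`, `password` or `secret`.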
@@ -127,7 +124,15 @@ public class HDFSAuditDestination extends AuditDestination {
for (String event : events) {
out.println(event);
}
- out.flush();
+ // flush and check the stream for errors
+ if (out.checkError()) {
+ // In theory, this count may NOT be accurate as part of the messages may have been successfully written.
+ // However, in practice, since client does buffering, either all of none would succeed.
+ addDeferredCount(events.size());
+ out.close();
+ logWriter = null;
+ return false;
+ }
} catch (Throwable t) {
addDeferredCount(events.size());
logError("Error writing to log file.", t);
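Review bot: The new `checkError()` branch defers the batch, closes the writer and returns false without logging anything, whereas the exception path right below it calls `logError(...)`; a persistent write failure on the new HDFS/Azure destination would therefore manifest only as a growing deferred count. Add a rate-limited `logError("Error writing to log file (stream reported error).", null);` before `return false;` so operators see it. The comment's "either all of none" should read "either all or none", and the closed `out` is a `PrintWriter` whose `close()` swallows I/O errors, which is fine here but worth stating in the comment.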
@@ -207,7 +212,7 @@ public class HDFSAuditDestination extends AuditDestination {
currentTime.getTime());
String parentFolder = MiscUtil.replaceTokens(logFolder,
currentTime.getTime());
- Configuration conf = new Configuration();
+ Configuration conf = createConfiguration();
String fullPath = parentFolder
+ org.apache.hadoop.fs.Path.SEPARATOR + fileName;
@@ -243,6 +248,22 @@ public class HDFSAuditDestination extends AuditDestination {
return logWriter;
}
+ Configuration createConfiguration() {
+ Configuration conf = new Configuration();
+ for (Map.Entry<String, String> entry : configProps.entrySet()) {
+ String key = entry.getKey();
+ String value = entry.getValue();
+ // for ease of install config file may contain properties with empty value, skip those
+ if (StringUtils.isNotEmpty(value)) {
+ conf.set(key, value);
+ }
+ logger.info("Adding property to HDFS config: " + key + " => " + value);
+ }
+
+ logger.info("Returning HDFS Filesystem Config: " + conf.toString());
+ return conf;
+ }
+
private void createParents(Path pathLogfile, FileSystem fileSystem)
throws Throwable {
logger.info("Creating parent folder for " + pathLogfile);
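Review bot: The `logger.info("Adding property to HDFS config: ...")` line sits outside the `StringUtils.isNotEmpty(value)` check, so a property that was skipped for having an empty value is still reported as "Adding"; the same mismatch is in HdfsLogDestination.createConfiguration. Move the log into the `if` and add `} else { logger.info("Skipping empty HDFS config property: " + key); }`. The body of createConfiguration is otherwise a verbatim copy of the HdfsLogDestination one; a shared helper (MiscUtil is already used in this file) would keep the two from drifting.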
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/agents-audit/src/main/java/org/apache/ranger/audit/provider/BaseAuditHandler.java
----------------------------------------------------------------------
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/BaseAuditHandler.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/BaseAuditHandler.java
index 30db18b..6717c92 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/BaseAuditHandler.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/BaseAuditHandler.java
@@ -25,17 +25,15 @@ import org.apache.ranger.audit.model.AuthzAuditEvent;
import com.google.gson.GsonBuilder;
+import java.util.*;
import java.util.concurrent.atomic.AtomicLong;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.List;
-import java.util.Properties;
public abstract class BaseAuditHandler implements AuditHandler {
private static final Log LOG = LogFactory.getLog(BaseAuditHandler.class);
static final String AUDIT_LOG_FAILURE_REPORT_MIN_INTERVAL_PROP = "xasecure.audit.log.failure.report.min.interval.ms";
protected static final String AUDIT_DB_CREDENTIAL_PROVIDER_FILE = "xasecure.audit.credential.provider.file";
+ public static final String PROP_CONFIG = "config";
private int mLogFailureReportMinIntervalInMs = 60 * 1000;
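Review bot: The four explicit `java.util` imports are replaced by `import java.util.*;`, which hides what this class depends on and invites name clashes with other packages; keep the explicit imports and add only `import java.util.HashMap;` and `import java.util.Map;` for the new field. `PROP_CONFIG` is declared `public` while the neighbouring constants are package-private or `protected`; unless another package reads it, `protected static final` would match the file's convention.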
@@ -75,6 +73,7 @@ public abstract class BaseAuditHandler implements AuditHandler {
long statusLogIntervalMS = 1 * 60 * 1000;
protected Properties props = null;
+ protected Map<String, String> configProps = new HashMap<String, String>();
@Override
public void init(Properties props) {
@@ -116,6 +115,18 @@ public abstract class BaseAuditHandler implements AuditHandler {
mLogFailureReportMinIntervalInMs = MiscUtil.getIntProperty(props,
AUDIT_LOG_FAILURE_REPORT_MIN_INTERVAL_PROP, 60 * 1000);
+ String configPropsNamePrefix = propPrefix + "." + PROP_CONFIG + ".";
+ for (Object propNameObj : props.keySet()) {
+ String propName = propNameObj.toString();
+
+ if (!propName.startsWith(configPropsNamePrefix)) {
+ continue;
+ }
+ String configName = propName.substring(configPropsNamePrefix.length());
+ String configValue = props.getProperty(propName);
+ configProps.put(configName, configValue);
+ LOG.info("Found Config property: " + configName + " => " + configValue);
+ }
}
/*
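Review bot: The loop iterates `props.keySet()`, which on `java.util.Properties` does not include entries coming from a defaults instance, whereas `getProperty` on the next lines would see them; `for (String propName : props.stringPropertyNames()) {` walks both and removes the `toString()` conversion. `configProps` is also never cleared, so if `init` can be called more than once on the same handler the map keeps entries from the previous prefix. The enclosing init method starts outside the hunk.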
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/agents-audit/src/main/java/org/apache/ranger/audit/provider/hdfs/HdfsAuditProvider.java
----------------------------------------------------------------------
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/hdfs/HdfsAuditProvider.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/hdfs/HdfsAuditProvider.java
index a18e3e9..8cdf869 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/hdfs/HdfsAuditProvider.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/hdfs/HdfsAuditProvider.java
@@ -60,6 +60,8 @@ public class HdfsAuditProvider extends BufferedAuditProvider {
int localFileBufferRolloverIntervalSeconds = MiscUtil.parseInteger(hdfsProps.get("local.buffer.rollover.interval.seconds"), 10 * 60);
String localFileBufferArchiveDirectory = hdfsProps.get("local.archive.directory");
int localFileBufferArchiveFileCount = MiscUtil.parseInteger(hdfsProps.get("local.archive.max.file.count"), 10);
+ // Added for Azure. Note that exact name of these properties is not known as it contains the variable account name in it.
+ Map<String, String> configProps = MiscUtil.getPropertiesWithPrefix(props, "xasecure.audit.destination.hdfs.config.");
DebugTracer tracer = new Log4jTracer(LOG);
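Review bot: The new line hard-codes the v3-style prefix `"xasecure.audit.destination.hdfs.config."` while every other setting in this method is read from `hdfsProps` (the v2 `xasecure.audit.hdfs.*` names, judging by `local.archive.max.file.count` and the ranger-hbase-audit.xml keys elsewhere in this commit). If reading the v3 namespace from the v2 provider is intended, the comment should say so; something like `// NOTE: these are read from the v3 prefix; xasecure.audit.hdfs.config.* keys are not consulted for the Azure settings` would stop a later reader from "fixing" it. The enclosing method starts and ends outside the hunk.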
@@ -71,6 +73,7 @@ public class HdfsAuditProvider extends BufferedAuditProvider {
mHdfsDestination.setEncoding(encoding);
mHdfsDestination.setRolloverIntervalSeconds(hdfsDestinationRolloverIntervalSeconds);
mHdfsDestination.setOpenRetryIntervalSeconds(hdfsDestinationOpenRetryIntervalSeconds);
+ mHdfsDestination.setConfigProps(configProps);
LocalFileLogBuffer<AuditEventBase> mLocalFileBuffer = new LocalFileLogBuffer<AuditEventBase>(tracer);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/agents-audit/src/main/java/org/apache/ranger/audit/provider/hdfs/HdfsLogDestination.java
----------------------------------------------------------------------
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/hdfs/HdfsLogDestination.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/hdfs/HdfsLogDestination.java
index 49f4e65..a9aa8c1 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/hdfs/HdfsLogDestination.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/hdfs/HdfsLogDestination.java
@@ -24,7 +24,9 @@ import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.io.UnsupportedEncodingException;
import java.net.URI;
+import java.util.Map;
+import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FSDataOutputStream;
import org.apache.hadoop.fs.FileSystem;
@@ -55,6 +57,7 @@ public class HdfsLogDestination<T> implements LogDestination<T> {
private long mNextFlushTime = 0;
private long mLastOpenFailedTime = 0;
private boolean mIsStopInProgress = false;
+ private Map<String, String> configProps = null;
public HdfsLogDestination(DebugTracer tracer) {
mLogger = tracer;
@@ -272,7 +275,7 @@ public class HdfsLogDestination<T> implements LogDestination<T> {
// TODO: mechanism to XA-HDFS plugin to disable auditing of access checks to the current HDFS file
- conf = new Configuration();
+ conf = createConfiguration();
pathLogfile = new Path(mHdfsFilename);
fileSystem = FileSystem.get(uri, conf);
@@ -490,4 +493,25 @@ public class HdfsLogDestination<T> implements LogDestination<T> {
return sb.toString();
}
+ public void setConfigProps(Map<String,String> configProps) {
+ this.configProps = configProps;
+ }
+
+ Configuration createConfiguration() {
+ Configuration conf = new Configuration();
+ if (configProps != null) {
+ for (Map.Entry<String, String> entry : configProps.entrySet()) {
+ String key = entry.getKey();
+ String value = entry.getValue();
+ // for ease of install config file may contain properties with empty value, skip those
+ if (StringUtils.isNotEmpty(value)) {
+ conf.set(key, value);
+ }
+ mLogger.info("Adding property to HDFS config: " + key + " => " + value);
+ }
+ }
+
+ mLogger.info("Returning HDFS Filesystem Config: " + conf.toString());
+ return conf;
+ }
}
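Review bot: `setConfigProps` stores the caller's map by reference, so any later mutation by the caller changes what `createConfiguration()` puts into the Hadoop Configuration; a copy, `this.configProps = (configProps == null) ? null : new HashMap<String, String>(configProps);` with `java.util.HashMap` added to the imports, keeps the destination's view stable. `createConfiguration()` has no access modifier while the rest of the class's API is `public`/`private`; if it exists only for tests, a short comment saying so would explain the package-private scope.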
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/agents-installer/src/main/java/org/apache/ranger/utils/install/XmlConfigChanger.java
----------------------------------------------------------------------
diff --git a/agents-installer/src/main/java/org/apache/ranger/utils/install/XmlConfigChanger.java b/agents-installer/src/main/java/org/apache/ranger/utils/install/XmlConfigChanger.java
index 05fbb23..958ae83 100644
--- a/agents-installer/src/main/java/org/apache/ranger/utils/install/XmlConfigChanger.java
+++ b/agents-installer/src/main/java/org/apache/ranger/utils/install/XmlConfigChanger.java
@@ -25,6 +25,8 @@ import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.FileReader;
import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
import java.util.Properties;
import javax.xml.parsers.DocumentBuilder;
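Review bot: `java.util.HashMap` and `java.util.Map` are added here, and `org.apache.commons.lang.StringUtils` in the next hunk, but nothing in the visible hunks of this file uses them (the new `variables` is a `Properties`); if the remainder of the file does not use them either, they are dead imports and the commons-lang one adds a dependency for nothing.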
@@ -45,6 +47,7 @@ import org.apache.commons.cli.Option;
import org.apache.commons.cli.OptionBuilder;
import org.apache.commons.cli.Options;
import org.apache.commons.cli.ParseException;
+import org.apache.commons.lang.StringUtils;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
@@ -157,7 +160,7 @@ public class XmlConfigChanger {
}
-
+
public void run() throws ParserConfigurationException, SAXException, IOException, TransformerException {
@@ -177,7 +180,7 @@ public class XmlConfigChanger {
@SuppressWarnings("unused")
int lineNo = 0 ;
-
+ Properties variables = new Properties();
while ((line = reader.readLine()) != null) {
lineNo++ ;
@@ -198,18 +201,21 @@ public class XmlConfigChanger {
String[] tokens = line.split("\\s+") ;
String propName = tokens[0] ;
-
+
String propValue = null ;
-
+
try {
+ if (propnameContainsVariables(propName)) {
+ propName = replaceProp(propName, variables);
+ }
propValue = replaceProp(tokens[1],installProperties) ;
} catch (ValidationException e) {
// throw new RuntimeException("Unable to replace tokens in the line: \n[" + line + "]\n in file [" + confFile.getAbsolutePath() + "] line number:[" + lineNo + "]" ) ;
throw new RuntimeException(e) ;
}
-
-
-
+
+
+
String actionType = tokens[2] ;
String options = (tokens.length > 3 ? tokens[3] : null) ;
boolean createIfNotExists = (options != null && options.contains("create-if-not-exists")) ;
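Review bot: The property-name substitution depends on `variables` having been filled by a `var` line earlier in the same .cfg file, so line order now matters and an undefined `%VAR%` presumably surfaces through `replaceProp` as a ValidationException turned RuntimeException (replaceProp is outside the hunk). A comment above the new `if` would save the next reader a trip through the file, e.g. `// prop names may embed %NAME% tokens defined by an earlier "var" line in this file; order matters`. The enclosing run() method starts and ends outside the hunk.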
@@ -265,6 +271,9 @@ public class XmlConfigChanger {
}
}
}
+ else if ("var".equals(actionType)) {
+ variables.put(propName, propValue);
+ }
else {
throw new RuntimeException("Unknown Command Found: [" + actionType + "], Supported Types: add modify del append") ;
}
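Review bot: The error message on the `else` branch still lists `Supported Types: add modify del append` although `var` is now accepted, so a misspelled action type produces advice that omits the new keyword; change it to `throw new RuntimeException("Unknown Command Found: [" + actionType + "], Supported Types: add modify del append var") ;`.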
@@ -290,8 +299,28 @@ public class XmlConfigChanger {
}
}
-
-
+
+ /**
+ * Check if prop name contains a substitution variable embedded in it, e.g. %VAR_NAME%.
+ * @param propName
+ * @return true if propname contains at least 2 '%' characters in it, else false
+ */
+ private boolean propnameContainsVariables(String propName) {
+
+ if (propName != null) {
+ int first = propName.indexOf('%');
+ if (first != -1) {
+ // indexof is safe even if 2nd argument is beyond size of string, i.e. if 1st percent was the last character of the string.
+ int second = propName.indexOf('%', first + 1);
+ if (second != -1) {
+ return true;
+ }
+ }
+ }
+ return false;
+ }
+
+
private void addProperty(String propName, String val) {
NodeList nl = doc.getElementsByTagName(ROOT_NODE_NAME) ;
Node rootConfig = nl.item(0) ;
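Review bot: The Javadoc `@param propName` carries no description, and the nested `if` ladder in `propnameContainsVariables` can be flattened to a guard plus a single boolean expression without changing what it returns (null → false, fewer than two '%' → false). The summary line could also state the contract precisely: "Returns true if propName contains at least two '%' characters, i.e. may embed a %VAR_NAME% token."
```java
private boolean propnameContainsVariables(String propName) {
    if (propName == null) {
        return false;
    }
    int first = propName.indexOf('%');
    // indexOf tolerates a start index past the end, so no bounds check is needed
    return first != -1 && propName.indexOf('%', first + 1) != -1;
}
```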
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/hbase-agent/conf/ranger-hbase-audit-changes.cfg
----------------------------------------------------------------------
diff --git a/hbase-agent/conf/ranger-hbase-audit-changes.cfg b/hbase-agent/conf/ranger-hbase-audit-changes.cfg
index b540e18..e29ccd5 100644
--- a/hbase-agent/conf/ranger-hbase-audit-changes.cfg
+++ b/hbase-agent/conf/ranger-hbase-audit-changes.cfg
@@ -58,5 +58,10 @@ xasecure.audit.destination.hdfs %XAAUDIT.HDFS.ENABLE%
xasecure.audit.destination.hdfs.batch.filespool.dir %XAAUDIT.HDFS.FILE_SPOOL_DIR% mod create-if-not-exists
xasecure.audit.destination.hdfs.dir %XAAUDIT.HDFS.HDFS_DIR% mod create-if-not-exists
+AZURE.ACCOUNTNAME %XAAUDIT.HDFS.AZURE_ACCOUNTNAME% var
+xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script %XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER% mod create-if-not-exists
+xasecure.audit.destination.hdfs.config.fs.azure.account.key.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY% mod create-if-not-exists
+xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER% mod create-if-not-exists
+
#xasecure.audit.destination.file %XAAUDIT.FILE.ENABLE% mod create-if-not-exists
#xasecure.audit.destination.file.dir %XAAUDIT.FILE.DIR% mod create-if-not-exists
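Review bot: The `fs.azure.account.key.%AZURE.ACCOUNTNAME%.blob.core.windows.net` line writes `%XAAUDIT.HDFS.AZURE_ACCOUNTKEY%` into the plugin's audit xml with `mod create-if-not-exists` and no dependency on `XAAUDIT.HDFS.ENABLE`, so with the shipped install.properties defaults every plugin gets a `__REPLACE_AZURE_ACCOUNT_KEY` value under a `__REPLACE_AZURE_ACCOUNT_NAME` host written into its config, and createConfiguration in the Java changes then pushes that non-empty value into the Hadoop Configuration. The identical lines are in the hdfs, hive, knox and kafka cfg files. A comment in the cfg stating the expectation would help installers, e.g. `# AZURE_ACCOUNTKEY is copied verbatim into the audit config; supply the keyprovider-encrypted form shown in core-site.xml`, and the xml sample in this commit already labels the value "YOUR ENCRYPTED ACCESS KEY".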
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/hbase-agent/conf/ranger-hbase-audit.xml
----------------------------------------------------------------------
diff --git a/hbase-agent/conf/ranger-hbase-audit.xml b/hbase-agent/conf/ranger-hbase-audit.xml
index c5f416e..5f88224 100644
--- a/hbase-agent/conf/ranger-hbase-audit.xml
+++ b/hbase-agent/conf/ranger-hbase-audit.xml
@@ -160,8 +160,44 @@
<property>
<name>xasecure.audit.hdfs.config.local.archive.max.file.count</name>
<value>10</value>
- </property>
-
+ </property>
+
+ <!-- Audit to HDFS on Azure Datastore (WASB) requires v3 style settings. Comment the above and uncomment only the
+ following to audit to Azure Blob Datastore via hdfs' WASB schema.
+
+ NOTE: If you specify one audit destination in v3 style then other destinations, if any, must also be specified in v3 style
+ ====
+
+ <property>
+ <name>xasecure.audit.destination.hdfs</name>
+ <value>enabled</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.dir</name>
+ <value>wasb://ranger-audit1@youraccount.blob.core.windows.net</value>
+ </property>
+
+ the following 3 correspond to the properties with similar name in core-site.xml, i.e.
+ - fs.azure.account.key.youraccount.blob.core.windows.net => xasecure.audit.destination.hdfs.config.fs.azure.account.key.youraccount.blob.core.windows.net and
+ - fs.azure.account.keyprovider.youraccount.blob.core.windows.net => xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.youraccount.blob.core.windows.net,
+ - fs.azure.shellkeyprovider.script => xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script,
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.account.key.youraccount.blob.core.windows.net</name>
+ <value>YOUR ENCRYPTED ACCESS KEY</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.youraccount.blob.core.windows.net</name>
+ <value>org.apache.hadoop.fs.azure.ShellDecryptionKeyProvider</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script</name>
+ <value>/usr/lib/python2.7/dist-packages/hdinsight_common/decrypt.sh</value>
+ </property>
+ -->
<!-- Log4j audit provider configuration -->
<property>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/hbase-agent/scripts/install.properties
----------------------------------------------------------------------
diff --git a/hbase-agent/scripts/install.properties b/hbase-agent/scripts/install.properties
index 9170f41..5df518a 100644
--- a/hbase-agent/scripts/install.properties
+++ b/hbase-agent/scripts/install.properties
@@ -61,12 +61,23 @@ XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/hbase/audit/solr/spool
#Example
#XAAUDIT.HDFS.ENABLE=true
#XAAUDIT.HDFS.HDFS_DIR=hdfs://node-1.example.com:8020/ranger/audit
+# If using Azure Blob Storage
+#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://<containername>@<accountname>.blob.core.windows.net/<path>
+#XAAUDIT.HDFS.HDFS_DIR=wasb://ranger_audit_container@my-azure-account.blob.core.windows.net/ranger/audit
#XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/hbase/audit/hdfs/spool
XAAUDIT.HDFS.ENABLE=false
XAAUDIT.HDFS.HDFS_DIR=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit
XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/hbase/audit/hdfs/spool
+# Following additional propertis are needed When auditing to Azure Blob Storage via HDFS
+# Get these values from your /etc/hadoop/conf/core-site.xml
+#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://<containername>@<accountname>.blob.core.windows.net/<path>
+XAAUDIT.HDFS.AZURE_ACCOUNTNAME=__REPLACE_AZURE_ACCOUNT_NAME
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY=__REPLACE_AZURE_ACCOUNT_KEY
+XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER=__REPLACE_AZURE_SHELL_KEY_PROVIDER
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER=__REPLACE_AZURE_ACCOUNT_KEY_PROVIDER
+
# End of V3 properties
#
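Review bot: The new comment reads `# Following additional propertis are needed When auditing to Azure Blob Storage via HDFS`; "propertis" and the capitalised "When" are typos, and the `wasb[s]://` template on the line after it duplicates the one already added above `XAAUDIT.HDFS.ENABLE`. The same block is repeated in the hdfs, hive, kms and knox install.properties. Since `XAAUDIT.HDFS.AZURE_ACCOUNTKEY` holds a credential, the comment should also say which form is expected, e.g. `# Following additional properties are needed when auditing to Azure Blob Storage via HDFS; use the encrypted key form from core-site.xml`.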
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/hdfs-agent/conf/ranger-hdfs-audit-changes.cfg
----------------------------------------------------------------------
diff --git a/hdfs-agent/conf/ranger-hdfs-audit-changes.cfg b/hdfs-agent/conf/ranger-hdfs-audit-changes.cfg
index 93e7b86..9c88450 100644
--- a/hdfs-agent/conf/ranger-hdfs-audit-changes.cfg
+++ b/hdfs-agent/conf/ranger-hdfs-audit-changes.cfg
@@ -55,5 +55,10 @@ xasecure.audit.destination.hdfs %XAAUDIT.HDFS.ENABLE%
xasecure.audit.destination.hdfs.batch.filespool.dir %XAAUDIT.HDFS.FILE_SPOOL_DIR% mod create-if-not-exists
xasecure.audit.destination.hdfs.dir %XAAUDIT.HDFS.HDFS_DIR% mod create-if-not-exists
+AZURE.ACCOUNTNAME %XAAUDIT.HDFS.AZURE_ACCOUNTNAME% var
+xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script %XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER% mod create-if-not-exists
+xasecure.audit.destination.hdfs.config.fs.azure.account.key.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY% mod create-if-not-exists
+xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER% mod create-if-not-exists
+
#xasecure.audit.destination.file %XAAUDIT.FILE.ENABLE% mod create-if-not-exists
#xasecure.audit.destination.file.dir %XAAUDIT.FILE.DIR% mod create-if-not-exists
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/hdfs-agent/conf/ranger-hdfs-audit.xml
----------------------------------------------------------------------
diff --git a/hdfs-agent/conf/ranger-hdfs-audit.xml b/hdfs-agent/conf/ranger-hdfs-audit.xml
index 4c60c02..a380906 100644
--- a/hdfs-agent/conf/ranger-hdfs-audit.xml
+++ b/hdfs-agent/conf/ranger-hdfs-audit.xml
@@ -162,6 +162,42 @@
<value>10</value>
</property>
+ <!-- Audit to HDFS on Azure Datastore (WASB) requires v3 style settings. Comment the above and uncomment only the
+ following to audit to Azure Blob Datastore via hdfs' WASB schema.
+
+ NOTE: If you specify one audit destination in v3 style then other destinations, if any, must also be specified in v3 style
+ ====
+
+ <property>
+ <name>xasecure.audit.destination.hdfs</name>
+ <value>enabled</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.dir</name>
+ <value>wasb://ranger-audit1@youraccount.blob.core.windows.net</value>
+ </property>
+
+ the following 3 correspond to the properties with similar name in core-site.xml, i.e.
+ - fs.azure.account.key.youraccount.blob.core.windows.net => xasecure.audit.destination.hdfs.config.fs.azure.account.key.youraccount.blob.core.windows.net and
+ - fs.azure.account.keyprovider.youraccount.blob.core.windows.net => xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.youraccount.blob.core.windows.net,
+ - fs.azure.shellkeyprovider.script => xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script,
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.account.key.youraccount.blob.core.windows.net</name>
+ <value>YOUR ENCRYPTED ACCESS KEY</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.youraccount.blob.core.windows.net</name>
+ <value>org.apache.hadoop.fs.azure.ShellDecryptionKeyProvider</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script</name>
+ <value>/usr/lib/python2.7/dist-packages/hdinsight_common/decrypt.sh</value>
+ </property>
+ -->
<!-- Log4j audit provider configuration -->
<property>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/hdfs-agent/scripts/install.properties
----------------------------------------------------------------------
diff --git a/hdfs-agent/scripts/install.properties b/hdfs-agent/scripts/install.properties
index 289117b..fa21949 100644
--- a/hdfs-agent/scripts/install.properties
+++ b/hdfs-agent/scripts/install.properties
@@ -58,11 +58,22 @@ XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/hadoop/hdfs/audit/solr/spool
#XAAUDIT.HDFS.ENABLE=true
#XAAUDIT.HDFS.HDFS_DIR=hdfs://node-1.example.com:8020/ranger/audit
#XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/hadoop/hdfs/audit/hdfs/spool
+# If using Azure Blob Storage
+#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://<containername>@<accountname>.blob.core.windows.net/<path>
+#XAAUDIT.HDFS.HDFS_DIR=wasb://ranger_audit_container@my-azure-account.blob.core.windows.net/ranger/audit
XAAUDIT.HDFS.ENABLE=false
XAAUDIT.HDFS.HDFS_DIR=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit
XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/hadoop/hdfs/audit/hdfs/spool
+# Following additional propertis are needed When auditing to Azure Blob Storage via HDFS
+# Get these values from your /etc/hadoop/conf/core-site.xml
+#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://<containername>@<accountname>.blob.core.windows.net/<path>
+XAAUDIT.HDFS.AZURE_ACCOUNTNAME=__REPLACE_AZURE_ACCOUNT_NAME
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY=__REPLACE_AZURE_ACCOUNT_KEY
+XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER=__REPLACE_AZURE_SHELL_KEY_PROVIDER
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER=__REPLACE_AZURE_ACCOUNT_KEY_PROVIDER
+
# End of V3 properties
#
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/hive-agent/conf/ranger-hive-audit-changes.cfg
----------------------------------------------------------------------
diff --git a/hive-agent/conf/ranger-hive-audit-changes.cfg b/hive-agent/conf/ranger-hive-audit-changes.cfg
index daa8b74..4e61c7d 100644
--- a/hive-agent/conf/ranger-hive-audit-changes.cfg
+++ b/hive-agent/conf/ranger-hive-audit-changes.cfg
@@ -56,5 +56,10 @@ xasecure.audit.destination.hdfs %XAAUDIT.HDFS.ENABLE%
xasecure.audit.destination.hdfs.batch.filespool.dir %XAAUDIT.HDFS.FILE_SPOOL_DIR% mod create-if-not-exists
xasecure.audit.destination.hdfs.dir %XAAUDIT.HDFS.HDFS_DIR% mod create-if-not-exists
+AZURE.ACCOUNTNAME %XAAUDIT.HDFS.AZURE_ACCOUNTNAME% var
+xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script %XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER% mod create-if-not-exists
+xasecure.audit.destination.hdfs.config.fs.azure.account.key.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY% mod create-if-not-exists
+xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER% mod create-if-not-exists
+
#xasecure.audit.destination.file %XAAUDIT.FILE.ENABLE% mod create-if-not-exists
#xasecure.audit.destination.file.dir %XAAUDIT.FILE.DIR% mod create-if-not-exists
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/hive-agent/conf/ranger-hive-audit.xml
----------------------------------------------------------------------
diff --git a/hive-agent/conf/ranger-hive-audit.xml b/hive-agent/conf/ranger-hive-audit.xml
index 867080c..ae1dce9 100644
--- a/hive-agent/conf/ranger-hive-audit.xml
+++ b/hive-agent/conf/ranger-hive-audit.xml
@@ -162,6 +162,42 @@
<value>10</value>
</property>
+ <!-- Audit to HDFS on Azure Datastore (WASB) requires v3 style settings. Comment the above and uncomment only the
+ following to audit to Azure Blob Datastore via hdfs' WASB schema.
+
+ NOTE: If you specify one audit destination in v3 style then other destinations, if any, must also be specified in v3 style
+ ====
+
+ <property>
+ <name>xasecure.audit.destination.hdfs</name>
+ <value>enabled</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.dir</name>
+ <value>wasb://ranger-audit1@youraccount.blob.core.windows.net</value>
+ </property>
+
+ the following 3 correspond to the properties with similar name in core-site.xml, i.e.
+ - fs.azure.account.key.youraccount.blob.core.windows.net => xasecure.audit.destination.hdfs.config.fs.azure.account.key.youraccount.blob.core.windows.net and
+ - fs.azure.account.keyprovider.youraccount.blob.core.windows.net => xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.youraccount.blob.core.windows.net,
+ - fs.azure.shellkeyprovider.script => xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script,
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.account.key.youraccount.blob.core.windows.net</name>
+ <value>YOUR ENCRYPTED ACCESS KEY</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.youraccount.blob.core.windows.net</name>
+ <value>org.apache.hadoop.fs.azure.ShellDecryptionKeyProvider</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script</name>
+ <value>/usr/lib/python2.7/dist-packages/hdinsight_common/decrypt.sh</value>
+ </property>
+ -->
<!-- Log4j audit provider configuration -->
<property>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/hive-agent/scripts/install.properties
----------------------------------------------------------------------
diff --git a/hive-agent/scripts/install.properties b/hive-agent/scripts/install.properties
index 9370600..2e41a37 100644
--- a/hive-agent/scripts/install.properties
+++ b/hive-agent/scripts/install.properties
@@ -58,12 +58,23 @@ XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/hive/audit/solr/spool
#Example
#XAAUDIT.HDFS.ENABLE=true
#XAAUDIT.HDFS.HDFS_DIR=hdfs://node-1.example.com:8020/ranger/audit
+# If using Azure Blob Storage
+#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://<containername>@<accountname>.blob.core.windows.net/<path>
+#XAAUDIT.HDFS.HDFS_DIR=wasb://ranger_audit_container@my-azure-account.blob.core.windows.net/ranger/audit
#XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/hive/audit/hdfs/spool
XAAUDIT.HDFS.ENABLE=false
XAAUDIT.HDFS.HDFS_DIR=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit
XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/hive/audit/hdfs/spool
+# Following additional propertis are needed When auditing to Azure Blob Storage via HDFS
+# Get these values from your /etc/hadoop/conf/core-site.xml
+#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://<containername>@<accountname>.blob.core.windows.net/<path>
+XAAUDIT.HDFS.AZURE_ACCOUNTNAME=__REPLACE_AZURE_ACCOUNT_NAME
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY=__REPLACE_AZURE_ACCOUNT_KEY
+XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER=__REPLACE_AZURE_SHELL_KEY_PROVIDER
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER=__REPLACE_AZURE_ACCOUNT_KEY_PROVIDER
+
# End of V3 properties
#
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/kms/scripts/install.properties
----------------------------------------------------------------------
diff --git a/kms/scripts/install.properties b/kms/scripts/install.properties
index 563a0e0..247e499 100755
--- a/kms/scripts/install.properties
+++ b/kms/scripts/install.properties
@@ -118,12 +118,23 @@ XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/ranger/kms/audit/solr/spool
#Example
#XAAUDIT.HDFS.ENABLE=true
#XAAUDIT.HDFS.HDFS_DIR=hdfs://node-1.example.com:8020/ranger/audit
+# If using Azure Blob Storage
+#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://<containername>@<accountname>.blob.core.windows.net/<path>
+#XAAUDIT.HDFS.HDFS_DIR=wasb://ranger_audit_container@my-azure-account.blob.core.windows.net/ranger/audit
#XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/ranger/kms/audit/hdfs/spool
XAAUDIT.HDFS.ENABLE=false
XAAUDIT.HDFS.HDFS_DIR=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit
XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/ranger/kms/audit/hdfs/spool
+# Following additional propertis are needed When auditing to Azure Blob Storage via HDFS
+# Get these values from your /etc/hadoop/conf/core-site.xml
+#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://<containername>@<accountname>.blob.core.windows.net/<path>
+XAAUDIT.HDFS.AZURE_ACCOUNTNAME=__REPLACE_AZURE_ACCOUNT_NAME
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY=__REPLACE_AZURE_ACCOUNT_KEY
+XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER=__REPLACE_AZURE_SHELL_KEY_PROVIDER
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER=__REPLACE_AZURE_ACCOUNT_KEY_PROVIDER
+
# End of V3 properties
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/knox-agent/conf/ranger-knox-audit-changes.cfg
----------------------------------------------------------------------
diff --git a/knox-agent/conf/ranger-knox-audit-changes.cfg b/knox-agent/conf/ranger-knox-audit-changes.cfg
index 57858f7..f722e53 100644
--- a/knox-agent/conf/ranger-knox-audit-changes.cfg
+++ b/knox-agent/conf/ranger-knox-audit-changes.cfg
@@ -56,5 +56,10 @@ xasecure.audit.destination.hdfs %XAAUDIT.HDFS.ENABLE%
xasecure.audit.destination.hdfs.batch.filespool.dir %XAAUDIT.HDFS.FILE_SPOOL_DIR% mod create-if-not-exists
xasecure.audit.destination.hdfs.dir %XAAUDIT.HDFS.HDFS_DIR% mod create-if-not-exists
+AZURE.ACCOUNTNAME %XAAUDIT.HDFS.AZURE_ACCOUNTNAME% var
+xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script %XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER% mod create-if-not-exists
+xasecure.audit.destination.hdfs.config.fs.azure.account.key.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY% mod create-if-not-exists
+xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER% mod create-if-not-exists
+
#xasecure.audit.destination.file %XAAUDIT.FILE.ENABLE% mod create-if-not-exists
#xasecure.audit.destination.file.dir %XAAUDIT.FILE.DIR% mod create-if-not-exists
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/knox-agent/conf/ranger-knox-audit.xml
----------------------------------------------------------------------
diff --git a/knox-agent/conf/ranger-knox-audit.xml b/knox-agent/conf/ranger-knox-audit.xml
index ccc2691..7b5bfb3 100644
--- a/knox-agent/conf/ranger-knox-audit.xml
+++ b/knox-agent/conf/ranger-knox-audit.xml
@@ -162,6 +162,42 @@
<value>10</value>
</property>
+ <!-- Audit to HDFS on Azure Datastore (WASB) requires v3 style settings. Comment the above and uncomment only the
+ following to audit to Azure Blob Datastore via hdfs' WASB schema.
+
+ NOTE: If you specify one audit destination in v3 style then other destinations, if any, must also be specified in v3 style
+ ====
+
+ <property>
+ <name>xasecure.audit.destination.hdfs</name>
+ <value>enabled</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.dir</name>
+ <value>wasb://ranger-audit1@youraccount.blob.core.windows.net</value>
+ </property>
+
+ the following 3 correspond to the properties with similar name in core-site.xml, i.e.
+ - fs.azure.account.key.youraccount.blob.core.windows.net => xasecure.audit.destination.hdfs.config.fs.azure.account.key.youraccount.blob.core.windows.net and
+ - fs.azure.account.keyprovider.youraccount.blob.core.windows.net => xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.youraccount.blob.core.windows.net,
+ - fs.azure.shellkeyprovider.script => xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script,
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.account.key.youraccount.blob.core.windows.net</name>
+ <value>YOUR ENCRYPTED ACCESS KEY</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.youraccount.blob.core.windows.net</name>
+ <value>org.apache.hadoop.fs.azure.ShellDecryptionKeyProvider</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script</name>
+ <value>/usr/lib/python2.7/dist-packages/hdinsight_common/decrypt.sh</value>
+ </property>
+ -->
<!-- Log4j audit provider configuration -->
<property>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/knox-agent/scripts/install.properties
----------------------------------------------------------------------
diff --git a/knox-agent/scripts/install.properties b/knox-agent/scripts/install.properties
index 2fee7ee..506c53c 100644
--- a/knox-agent/scripts/install.properties
+++ b/knox-agent/scripts/install.properties
@@ -61,12 +61,23 @@ XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/knox/audit/solr/spool
#Example
#XAAUDIT.HDFS.ENABLE=true
#XAAUDIT.HDFS.HDFS_DIR=hdfs://node-1.example.com:8020/ranger/audit
+# If using Azure Blob Storage
+#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://<containername>@<accountname>.blob.core.windows.net/<path>
+#XAAUDIT.HDFS.HDFS_DIR=wasb://ranger_audit_container@my-azure-account.blob.core.windows.net/ranger/audit
#XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/knox/audit/hdfs/spool
XAAUDIT.HDFS.ENABLE=false
XAAUDIT.HDFS.HDFS_DIR=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit
XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/knox/audit/hdfs/spool
+# Following additional propertis are needed When auditing to Azure Blob Storage via HDFS
+# Get these values from your /etc/hadoop/conf/core-site.xml
+#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://<containername>@<accountname>.blob.core.windows.net/<path>
+XAAUDIT.HDFS.AZURE_ACCOUNTNAME=__REPLACE_AZURE_ACCOUNT_NAME
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY=__REPLACE_AZURE_ACCOUNT_KEY
+XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER=__REPLACE_AZURE_SHELL_KEY_PROVIDER
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER=__REPLACE_AZURE_ACCOUNT_KEY_PROVIDER
+
# End of V3 properties
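Review bot: `XAAUDIT.HDFS.AZURE_ACCOUNTKEY=__REPLACE_AZURE_ACCOUNT_KEY` takes a storage-account key, but the comment above it does not say which form is expected: the audit.xml template in this same commit labels the matching value `YOUR ENCRYPTED ACCESS KEY` and pairs it with `org.apache.hadoop.fs.azure.ShellDecryptionKeyProvider`, so an operator copying the raw `fs.azure.account.key.*` value out of core-site.xml while also setting a shell key provider (or the reverse) would likely end up with a key and a provider that do not match. I would extend the comment with `# AZURE_ACCOUNTKEY must be in the form the configured AZURE_ACCOUNTKEY_PROVIDER expects (the encrypted value when it is ShellDecryptionKeyProvider); once filled in this file holds a credential, so keep its permissions restricted.` The existing comment also reads `# Following additional propertis are needed When auditing`; `propertis` should be `properties` and `When` lower-case. The same lines are added in the plugin-kafka, plugin-solr, plugin-yarn and storm-agent install.properties hunks of this commit.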
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/plugin-kafka/conf/ranger-kafka-audit-changes.cfg
----------------------------------------------------------------------
diff --git a/plugin-kafka/conf/ranger-kafka-audit-changes.cfg b/plugin-kafka/conf/ranger-kafka-audit-changes.cfg
index 0445576..46ee29a 100644
--- a/plugin-kafka/conf/ranger-kafka-audit-changes.cfg
+++ b/plugin-kafka/conf/ranger-kafka-audit-changes.cfg
@@ -49,5 +49,10 @@ xasecure.audit.destination.hdfs %XAAUDIT.HDFS.ENABLE%
xasecure.audit.destination.hdfs.batch.filespool.dir %XAAUDIT.HDFS.FILE_SPOOL_DIR% mod create-if-not-exists
xasecure.audit.destination.hdfs.dir %XAAUDIT.HDFS.HDFS_DIR% mod create-if-not-exists
+AZURE.ACCOUNTNAME %XAAUDIT.HDFS.AZURE_ACCOUNTNAME% var
+xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script %XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER% mod create-if-not-exists
+xasecure.audit.destination.hdfs.config.fs.azure.account.key.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY% mod create-if-not-exists
+xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER% mod create-if-not-exists
+
#xasecure.audit.destination.file %XAAUDIT.FILE.ENABLE% mod create-if-not-exists
#xasecure.audit.destination.file.dir %XAAUDIT.FILE.DIR% mod create-if-not-exists
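Review bot: The four added lines are applied unconditionally with `mod create-if-not-exists`, so on an install that keeps the default `hdfs://` audit directory the plugin's audit XML still receives `xasecure.audit.destination.hdfs.config.fs.azure.account.key.__REPLACE_AZURE_ACCOUNT_NAME.blob.core.windows.net` and a `shellkeyprovider.script` entry holding the placeholder `__REPLACE_AZURE_SHELL_KEY_PROVIDER`, since those are the defaults the install.properties hunk in this commit ships. The script that consumes this file is outside the hunk, so I cannot tell whether placeholder values are skipped; if they are not, either gating these lines on the Azure values being filled in, or adding a comment such as `# written into the audit XML even when HDFS_DIR is not a wasb:// URI; leave the placeholders if Azure is unused`, would make the behaviour explicit. Note also that the account-key line writes a credential into the audit XML in whatever form `XAAUDIT.HDFS.AZURE_ACCOUNTKEY` was given, so that file's permissions matter as much as install.properties. The same block is added to the plugin-kms, plugin-solr, plugin-yarn and storm-agent audit-changes.cfg files.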
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/plugin-kafka/conf/ranger-kafka-audit.xml
----------------------------------------------------------------------
diff --git a/plugin-kafka/conf/ranger-kafka-audit.xml b/plugin-kafka/conf/ranger-kafka-audit.xml
index bff6cbf..5fbbf33 100644
--- a/plugin-kafka/conf/ranger-kafka-audit.xml
+++ b/plugin-kafka/conf/ranger-kafka-audit.xml
@@ -163,6 +163,42 @@
<value>10</value>
</property>
+ <!-- Audit to HDFS on Azure Datastore (WASB) requires v3 style settings. Comment the above and uncomment only the
+ following to audit to Azure Blob Datastore via hdfs' WASB schema.
+
+ NOTE: If you specify one audit destination in v3 style then other destinations, if any, must also be specified in v3 style
+ ====
+
+ <property>
+ <name>xasecure.audit.destination.hdfs</name>
+ <value>enabled</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.dir</name>
+ <value>wasb://ranger-audit1@youraccount.blob.core.windows.net</value>
+ </property>
+
+ the following 3 correspond to the properties with similar name in core-site.xml, i.e.
+ - fs.azure.account.key.youraccount.blob.core.windows.net => xasecure.audit.destination.hdfs.config.fs.azure.account.key.youraccount.blob.core.windows.net and
+ - fs.azure.account.keyprovider.youraccount.blob.core.windows.net => xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.youraccount.blob.core.windows.net,
+ - fs.azure.shellkeyprovider.script => xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script,
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.account.key.youraccount.blob.core.windows.net</name>
+ <value>YOUR ENCRYPTED ACCESS KEY</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.youraccount.blob.core.windows.net</name>
+ <value>org.apache.hadoop.fs.azure.ShellDecryptionKeyProvider</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script</name>
+ <value>/usr/lib/python2.7/dist-packages/hdinsight_common/decrypt.sh</value>
+ </property>
+ -->
<!-- Log4j audit provider configuration -->
<property>
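Review bot: The commented template's `<value>YOUR ENCRYPTED ACCESS KEY</value>` only makes sense together with the `ShellDecryptionKeyProvider` property two entries below it, but nothing in the comment says so, and the script path `/usr/lib/python2.7/dist-packages/hdinsight_common/decrypt.sh` looks specific to one distribution; a reader who uncomments only the account-key property, or who is on a different platform, would supply a value or path the configured provider does not match. I would add one line after `the following 3 correspond to the properties with similar name in core-site.xml, i.e.`: `the account.key value must be in the form the keyprovider expects (encrypted when ShellDecryptionKeyProvider is used), and the script path shown is an example to adjust for your deployment.` Also `hdfs' WASB schema` should read `scheme`. The same comment block is added in the plugin-kms, plugin-solr, plugin-yarn and storm-agent audit.xml hunks.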
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/plugin-kafka/scripts/install.properties
----------------------------------------------------------------------
diff --git a/plugin-kafka/scripts/install.properties b/plugin-kafka/scripts/install.properties
index 1e2854e..bc6481b 100644
--- a/plugin-kafka/scripts/install.properties
+++ b/plugin-kafka/scripts/install.properties
@@ -64,12 +64,23 @@ XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/kafka/audit/solr/spool
#Example
#XAAUDIT.HDFS.ENABLE=true
#XAAUDIT.HDFS.HDFS_DIR=hdfs://node-1.example.com:8020/ranger/audit
+# If using Azure Blob Storage
+#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://<containername>@<accountname>.blob.core.windows.net/<path>
+#XAAUDIT.HDFS.HDFS_DIR=wasb://ranger_audit_container@my-azure-account.blob.core.windows.net/ranger/audit
#XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/kafka/audit/hdfs/spool
XAAUDIT.HDFS.ENABLE=false
XAAUDIT.HDFS.HDFS_DIR=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit
XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/kafka/audit/hdfs/spool
+# Following additional propertis are needed When auditing to Azure Blob Storage via HDFS
+# Get these values from your /etc/hadoop/conf/core-site.xml
+#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://<containername>@<accountname>.blob.core.windows.net/<path>
+XAAUDIT.HDFS.AZURE_ACCOUNTNAME=__REPLACE_AZURE_ACCOUNT_NAME
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY=__REPLACE_AZURE_ACCOUNT_KEY
+XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER=__REPLACE_AZURE_SHELL_KEY_PROVIDER
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER=__REPLACE_AZURE_ACCOUNT_KEY_PROVIDER
+
# End of V3 properties
#
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/plugin-kms/conf/ranger-kms-audit-changes.cfg
----------------------------------------------------------------------
diff --git a/plugin-kms/conf/ranger-kms-audit-changes.cfg b/plugin-kms/conf/ranger-kms-audit-changes.cfg
index f7d3543..5a51455 100644
--- a/plugin-kms/conf/ranger-kms-audit-changes.cfg
+++ b/plugin-kms/conf/ranger-kms-audit-changes.cfg
@@ -58,5 +58,10 @@ xasecure.audit.destination.hdfs %XAAUDIT.HDFS.ENABLE%
xasecure.audit.destination.hdfs.batch.filespool.dir %XAAUDIT.HDFS.FILE_SPOOL_DIR% mod create-if-not-exists
xasecure.audit.destination.hdfs.dir %XAAUDIT.HDFS.HDFS_DIR% mod create-if-not-exists
+AZURE.ACCOUNTNAME %XAAUDIT.HDFS.AZURE_ACCOUNTNAME% var
+xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script %XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER% mod create-if-not-exists
+xasecure.audit.destination.hdfs.config.fs.azure.account.key.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY% mod create-if-not-exists
+xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER% mod create-if-not-exists
+
#xasecure.audit.destination.file %XAAUDIT.FILE.ENABLE% mod create-if-not-exists
#xasecure.audit.destination.file.dir %XAAUDIT.FILE.DIR% mod create-if-not-exists
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/plugin-kms/conf/ranger-kms-audit.xml
----------------------------------------------------------------------
diff --git a/plugin-kms/conf/ranger-kms-audit.xml b/plugin-kms/conf/ranger-kms-audit.xml
index f1c4187..02c1a79 100755
--- a/plugin-kms/conf/ranger-kms-audit.xml
+++ b/plugin-kms/conf/ranger-kms-audit.xml
@@ -161,6 +161,42 @@
<value>10</value>
</property>
+ <!-- Audit to HDFS on Azure Datastore (WASB) requires v3 style settings. Comment the above and uncomment only the
+ following to audit to Azure Blob Datastore via hdfs' WASB schema.
+
+ NOTE: If you specify one audit destination in v3 style then other destinations, if any, must also be specified in v3 style
+ ====
+
+ <property>
+ <name>xasecure.audit.destination.hdfs</name>
+ <value>enabled</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.dir</name>
+ <value>wasb://ranger-audit1@youraccount.blob.core.windows.net</value>
+ </property>
+
+ the following 3 correspond to the properties with similar name in core-site.xml, i.e.
+ - fs.azure.account.key.youraccount.blob.core.windows.net => xasecure.audit.destination.hdfs.config.fs.azure.account.key.youraccount.blob.core.windows.net and
+ - fs.azure.account.keyprovider.youraccount.blob.core.windows.net => xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.youraccount.blob.core.windows.net,
+ - fs.azure.shellkeyprovider.script => xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script,
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.account.key.youraccount.blob.core.windows.net</name>
+ <value>YOUR ENCRYPTED ACCESS KEY</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.youraccount.blob.core.windows.net</name>
+ <value>org.apache.hadoop.fs.azure.ShellDecryptionKeyProvider</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script</name>
+ <value>/usr/lib/python2.7/dist-packages/hdinsight_common/decrypt.sh</value>
+ </property>
+ -->
<!-- Log4j audit provider configuration -->
<property>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/plugin-solr/conf/ranger-solr-audit-changes.cfg
----------------------------------------------------------------------
diff --git a/plugin-solr/conf/ranger-solr-audit-changes.cfg b/plugin-solr/conf/ranger-solr-audit-changes.cfg
index 7e77a30..2742bc1 100644
--- a/plugin-solr/conf/ranger-solr-audit-changes.cfg
+++ b/plugin-solr/conf/ranger-solr-audit-changes.cfg
@@ -50,5 +50,10 @@ xasecure.audit.destination.hdfs %XAAUDIT.HDFS.ENABLE%
xasecure.audit.destination.hdfs.batch.filespool.dir %XAAUDIT.HDFS.FILE_SPOOL_DIR% mod create-if-not-exists
xasecure.audit.destination.hdfs.dir %XAAUDIT.HDFS.HDFS_DIR% mod create-if-not-exists
+AZURE.ACCOUNTNAME %XAAUDIT.HDFS.AZURE_ACCOUNTNAME% var
+xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script %XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER% mod create-if-not-exists
+xasecure.audit.destination.hdfs.config.fs.azure.account.key.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY% mod create-if-not-exists
+xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER% mod create-if-not-exists
+
#xasecure.audit.destination.file %XAAUDIT.FILE.ENABLE% mod create-if-not-exists
#xasecure.audit.destination.file.dir %XAAUDIT.FILE.DIR% mod create-if-not-exists
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/plugin-solr/conf/ranger-solr-audit.xml
----------------------------------------------------------------------
diff --git a/plugin-solr/conf/ranger-solr-audit.xml b/plugin-solr/conf/ranger-solr-audit.xml
index a42716f..f55b623 100644
--- a/plugin-solr/conf/ranger-solr-audit.xml
+++ b/plugin-solr/conf/ranger-solr-audit.xml
@@ -163,6 +163,42 @@
<value>10</value>
</property>
+ <!-- Audit to HDFS on Azure Datastore (WASB) requires v3 style settings. Comment the above and uncomment only the
+ following to audit to Azure Blob Datastore via hdfs' WASB schema.
+
+ NOTE: If you specify one audit destination in v3 style then other destinations, if any, must also be specified in v3 style
+ ====
+
+ <property>
+ <name>xasecure.audit.destination.hdfs</name>
+ <value>enabled</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.dir</name>
+ <value>wasb://ranger-audit1@youraccount.blob.core.windows.net</value>
+ </property>
+
+ the following 3 correspond to the properties with similar name in core-site.xml, i.e.
+ - fs.azure.account.key.youraccount.blob.core.windows.net => xasecure.audit.destination.hdfs.config.fs.azure.account.key.youraccount.blob.core.windows.net and
+ - fs.azure.account.keyprovider.youraccount.blob.core.windows.net => xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.youraccount.blob.core.windows.net,
+ - fs.azure.shellkeyprovider.script => xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script,
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.account.key.youraccount.blob.core.windows.net</name>
+ <value>YOUR ENCRYPTED ACCESS KEY</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.youraccount.blob.core.windows.net</name>
+ <value>org.apache.hadoop.fs.azure.ShellDecryptionKeyProvider</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script</name>
+ <value>/usr/lib/python2.7/dist-packages/hdinsight_common/decrypt.sh</value>
+ </property>
+ -->
<!-- Log4j audit provider configuration -->
<property>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/plugin-solr/scripts/install.properties
----------------------------------------------------------------------
diff --git a/plugin-solr/scripts/install.properties b/plugin-solr/scripts/install.properties
index 1f3852e..9bc305b 100644
--- a/plugin-solr/scripts/install.properties
+++ b/plugin-solr/scripts/install.properties
@@ -64,12 +64,23 @@ XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/solr/audit/solr/spool
#Example
#XAAUDIT.HDFS.ENABLE=true
#XAAUDIT.HDFS.HDFS_DIR=hdfs://node-1.example.com:8020/ranger/audit
+# If using Azure Blob Storage
+#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://<containername>@<accountname>.blob.core.windows.net/<path>
+#XAAUDIT.HDFS.HDFS_DIR=wasb://ranger_audit_container@my-azure-account.blob.core.windows.net/ranger/audit
#XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/solr/audit/hdfs/spool
XAAUDIT.HDFS.ENABLE=false
XAAUDIT.HDFS.HDFS_DIR=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit
XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/solr/audit/hdfs/spool
+# Following additional propertis are needed When auditing to Azure Blob Storage via HDFS
+# Get these values from your /etc/hadoop/conf/core-site.xml
+#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://<containername>@<accountname>.blob.core.windows.net/<path>
+XAAUDIT.HDFS.AZURE_ACCOUNTNAME=__REPLACE_AZURE_ACCOUNT_NAME
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY=__REPLACE_AZURE_ACCOUNT_KEY
+XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER=__REPLACE_AZURE_SHELL_KEY_PROVIDER
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER=__REPLACE_AZURE_ACCOUNT_KEY_PROVIDER
+
# End of V3 properties
#
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/plugin-yarn/conf/ranger-yarn-audit-changes.cfg
----------------------------------------------------------------------
diff --git a/plugin-yarn/conf/ranger-yarn-audit-changes.cfg b/plugin-yarn/conf/ranger-yarn-audit-changes.cfg
index bfc2cd8..b650be1 100644
--- a/plugin-yarn/conf/ranger-yarn-audit-changes.cfg
+++ b/plugin-yarn/conf/ranger-yarn-audit-changes.cfg
@@ -56,5 +56,10 @@ xasecure.audit.destination.hdfs %XAAUDIT.HDFS.ENABLE%
xasecure.audit.destination.hdfs.batch.filespool.dir %XAAUDIT.HDFS.FILE_SPOOL_DIR% mod create-if-not-exists
xasecure.audit.destination.hdfs.dir %XAAUDIT.HDFS.HDFS_DIR% mod create-if-not-exists
+AZURE.ACCOUNTNAME %XAAUDIT.HDFS.AZURE_ACCOUNTNAME% var
+xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script %XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER% mod create-if-not-exists
+xasecure.audit.destination.hdfs.config.fs.azure.account.key.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY% mod create-if-not-exists
+xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER% mod create-if-not-exists
+
#xasecure.audit.destination.file %XAAUDIT.FILE.ENABLE% mod create-if-not-exists
#xasecure.audit.destination.file.dir %XAAUDIT.FILE.DIR% mod create-if-not-exists
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/plugin-yarn/conf/ranger-yarn-audit.xml
----------------------------------------------------------------------
diff --git a/plugin-yarn/conf/ranger-yarn-audit.xml b/plugin-yarn/conf/ranger-yarn-audit.xml
index c30f963..667419d 100644
--- a/plugin-yarn/conf/ranger-yarn-audit.xml
+++ b/plugin-yarn/conf/ranger-yarn-audit.xml
@@ -163,6 +163,42 @@
<value>10</value>
</property>
+ <!-- Audit to HDFS on Azure Datastore (WASB) requires v3 style settings. Comment the above and uncomment only the
+ following to audit to Azure Blob Datastore via hdfs' WASB schema.
+
+ NOTE: If you specify one audit destination in v3 style then other destinations, if any, must also be specified in v3 style
+ ====
+
+ <property>
+ <name>xasecure.audit.destination.hdfs</name>
+ <value>enabled</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.dir</name>
+ <value>wasb://ranger-audit1@youraccount.blob.core.windows.net</value>
+ </property>
+
+ the following 3 correspond to the properties with similar name in core-site.xml, i.e.
+ - fs.azure.account.key.youraccount.blob.core.windows.net => xasecure.audit.destination.hdfs.config.fs.azure.account.key.youraccount.blob.core.windows.net and
+ - fs.azure.account.keyprovider.youraccount.blob.core.windows.net => xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.youraccount.blob.core.windows.net,
+ - fs.azure.shellkeyprovider.script => xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script,
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.account.key.youraccount.blob.core.windows.net</name>
+ <value>YOUR ENCRYPTED ACCESS KEY</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.youraccount.blob.core.windows.net</name>
+ <value>org.apache.hadoop.fs.azure.ShellDecryptionKeyProvider</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script</name>
+ <value>/usr/lib/python2.7/dist-packages/hdinsight_common/decrypt.sh</value>
+ </property>
+ -->
<!-- Log4j audit provider configuration -->
<property>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/plugin-yarn/scripts/install.properties
----------------------------------------------------------------------
diff --git a/plugin-yarn/scripts/install.properties b/plugin-yarn/scripts/install.properties
index 9358033..01f733d 100644
--- a/plugin-yarn/scripts/install.properties
+++ b/plugin-yarn/scripts/install.properties
@@ -56,12 +56,23 @@ XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/hadoop/yarn/audit/solr/spool
#Example
#XAAUDIT.HDFS.ENABLE=true
#XAAUDIT.HDFS.HDFS_DIR=hdfs://node-1.example.com:8020/ranger/audit
+# If using Azure Blob Storage
+#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://<containername>@<accountname>.blob.core.windows.net/<path>
+#XAAUDIT.HDFS.HDFS_DIR=wasb://ranger_audit_container@my-azure-account.blob.core.windows.net/ranger/audit
#XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/hadoop/yarn/audit/hdfs/spool
XAAUDIT.HDFS.ENABLE=false
XAAUDIT.HDFS.HDFS_DIR=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit
XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/hadoop/yarn/audit/hdfs/spool
+# Following additional propertis are needed When auditing to Azure Blob Storage via HDFS
+# Get these values from your /etc/hadoop/conf/core-site.xml
+#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://<containername>@<accountname>.blob.core.windows.net/<path>
+XAAUDIT.HDFS.AZURE_ACCOUNTNAME=__REPLACE_AZURE_ACCOUNT_NAME
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY=__REPLACE_AZURE_ACCOUNT_KEY
+XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER=__REPLACE_AZURE_SHELL_KEY_PROVIDER
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER=__REPLACE_AZURE_ACCOUNT_KEY_PROVIDER
+
# End of V3 properties
#
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/storm-agent/conf/ranger-storm-audit-changes.cfg
----------------------------------------------------------------------
diff --git a/storm-agent/conf/ranger-storm-audit-changes.cfg b/storm-agent/conf/ranger-storm-audit-changes.cfg
index bfc2cd8..b650be1 100644
--- a/storm-agent/conf/ranger-storm-audit-changes.cfg
+++ b/storm-agent/conf/ranger-storm-audit-changes.cfg
@@ -56,5 +56,10 @@ xasecure.audit.destination.hdfs %XAAUDIT.HDFS.ENABLE%
xasecure.audit.destination.hdfs.batch.filespool.dir %XAAUDIT.HDFS.FILE_SPOOL_DIR% mod create-if-not-exists
xasecure.audit.destination.hdfs.dir %XAAUDIT.HDFS.HDFS_DIR% mod create-if-not-exists
+AZURE.ACCOUNTNAME %XAAUDIT.HDFS.AZURE_ACCOUNTNAME% var
+xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script %XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER% mod create-if-not-exists
+xasecure.audit.destination.hdfs.config.fs.azure.account.key.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY% mod create-if-not-exists
+xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER% mod create-if-not-exists
+
#xasecure.audit.destination.file %XAAUDIT.FILE.ENABLE% mod create-if-not-exists
#xasecure.audit.destination.file.dir %XAAUDIT.FILE.DIR% mod create-if-not-exists
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/storm-agent/conf/ranger-storm-audit.xml
----------------------------------------------------------------------
diff --git a/storm-agent/conf/ranger-storm-audit.xml b/storm-agent/conf/ranger-storm-audit.xml
index 6a5ff69..c0c66d4 100644
--- a/storm-agent/conf/ranger-storm-audit.xml
+++ b/storm-agent/conf/ranger-storm-audit.xml
@@ -162,6 +162,42 @@
<value>10</value>
</property>
+ <!-- Audit to HDFS on Azure Datastore (WASB) requires v3 style settings. Comment the above and uncomment only the
+ following to audit to Azure Blob Datastore via hdfs' WASB schema.
+
+ NOTE: If you specify one audit destination in v3 style then other destinations, if any, must also be specified in v3 style
+ ====
+
+ <property>
+ <name>xasecure.audit.destination.hdfs</name>
+ <value>enabled</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.dir</name>
+ <value>wasb://ranger-audit1@youraccount.blob.core.windows.net</value>
+ </property>
+
+ the following 3 correspond to the properties with similar name in core-site.xml, i.e.
+ - fs.azure.account.key.youraccount.blob.core.windows.net => xasecure.audit.destination.hdfs.config.fs.azure.account.key.youraccount.blob.core.windows.net and
+ - fs.azure.account.keyprovider.youraccount.blob.core.windows.net => xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.youraccount.blob.core.windows.net,
+ - fs.azure.shellkeyprovider.script => xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script,
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.account.key.youraccount.blob.core.windows.net</name>
+ <value>YOUR ENCRYPTED ACCESS KEY</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.youraccount.blob.core.windows.net</name>
+ <value>org.apache.hadoop.fs.azure.ShellDecryptionKeyProvider</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script</name>
+ <value>/usr/lib/python2.7/dist-packages/hdinsight_common/decrypt.sh</value>
+ </property>
+ -->
<!-- Log4j audit provider configuration -->
<property>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/35aa706e/storm-agent/scripts/install.properties
----------------------------------------------------------------------
diff --git a/storm-agent/scripts/install.properties b/storm-agent/scripts/install.properties
index 0cee655..82f17af 100644
--- a/storm-agent/scripts/install.properties
+++ b/storm-agent/scripts/install.properties
@@ -58,12 +58,23 @@ XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/storm/audit/solr/spool
#Example
#XAAUDIT.HDFS.ENABLE=true
#XAAUDIT.HDFS.HDFS_DIR=hdfs://node-1.example.com:8020/ranger/audit
+# If using Azure Blob Storage
+#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://<containername>@<accountname>.blob.core.windows.net/<path>
+#XAAUDIT.HDFS.HDFS_DIR=wasb://ranger_audit_container@my-azure-account.blob.core.windows.net/ranger/audit
#XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/storm/audit/hdfs/spool
XAAUDIT.HDFS.ENABLE=false
XAAUDIT.HDFS.HDFS_DIR=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit
XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/storm/audit/hdfs/spool
+# Following additional propertis are needed When auditing to Azure Blob Storage via HDFS
+# Get these values from your /etc/hadoop/conf/core-site.xml
+#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://<containername>@<accountname>.blob.core.windows.net/<path>
+XAAUDIT.HDFS.AZURE_ACCOUNTNAME=__REPLACE_AZURE_ACCOUNT_NAME
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY=__REPLACE_AZURE_ACCOUNT_KEY
+XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER=__REPLACE_AZURE_SHELL_KEY_PROVIDER
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER=__REPLACE_AZURE_ACCOUNT_KEY_PROVIDER
+
# End of V3 properties
#