Posted to commits@ambari.apache.org by nc...@apache.org on 2017/01/18 15:57:46 UTC
[13/50] [abbrv] ambari git commit: AMBARI-19044 Install & configure
Ranger plugin components independently of Ranger admin components (mugdha)
http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-audit.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-audit.xml b/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-audit.xml
index b4c0790..5257549 100644
--- a/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-audit.xml
+++ b/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-audit.xml
@@ -23,7 +23,7 @@
<name>xasecure.audit.is.enabled</name>
<value>true</value>
<description>Is Audit enabled?</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.audit.destination.db</name>
@@ -39,19 +39,19 @@
<name>xasecure.audit.destination.db</name>
</property>
</depends-on>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.audit.destination.db.jdbc.url</name>
<value>{{audit_jdbc_url}}</value>
<description>Audit DB JDBC URL</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.audit.destination.db.user</name>
<value>{{xa_audit_db_user}}</value>
<description>Audit DB JDBC User</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.audit.destination.db.password</name>
@@ -61,25 +61,25 @@
<value-attributes>
<type>password</type>
</value-attributes>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.audit.destination.db.jdbc.driver</name>
<value>{{jdbc_driver}}</value>
<description>Audit DB JDBC Driver</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.audit.credential.provider.file</name>
<value>jceks://file{{credential_file}}</value>
<description>Credential file store</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.audit.destination.db.batch.filespool.dir</name>
<value>/var/log/kafka/audit/db/spool</value>
<description>/var/log/kafka/audit/db/spool</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.audit.destination.hdfs</name>
@@ -95,7 +95,7 @@
<name>xasecure.audit.destination.hdfs</name>
</property>
</depends-on>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.audit.destination.hdfs.dir</name>
@@ -107,13 +107,13 @@
<name>xasecure.audit.destination.hdfs.dir</name>
</property>
</depends-on>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.audit.destination.hdfs.batch.filespool.dir</name>
<value>/var/log/kafka/audit/hdfs/spool</value>
<description>/var/log/kafka/audit/hdfs/spool</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.audit.destination.solr</name>
@@ -129,7 +129,7 @@
<name>xasecure.audit.destination.solr</name>
</property>
</depends-on>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.audit.destination.solr.urls</name>
@@ -144,7 +144,7 @@
<name>ranger.audit.solr.urls</name>
</property>
</depends-on>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.audit.destination.solr.zookeepers</name>
@@ -156,13 +156,13 @@
<name>ranger.audit.solr.zookeepers</name>
</property>
</depends-on>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.audit.destination.solr.batch.filespool.dir</name>
<value>/var/log/kafka/audit/solr/spool</value>
<description>/var/log/kafka/audit/solr/spool</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.audit.provider.summary.enabled</name>
@@ -172,6 +172,6 @@
<value-attributes>
<type>boolean</type>
</value-attributes>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
</configuration>
http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-plugin-properties.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-plugin-properties.xml b/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-plugin-properties.xml
index 3949402..7f594a0 100644
--- a/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-plugin-properties.xml
+++ b/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-plugin-properties.xml
@@ -24,7 +24,7 @@
<value>ambari-qa</value>
<display-name>Policy user for KAFKA</display-name>
<description>This user must be system user and also present at Ranger admin portal</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>hadoop.rpc.protection</name>
@@ -33,7 +33,7 @@
<value-attributes>
<empty-value-valid>true</empty-value-valid>
</value-attributes>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>common.name.for.certificate</name>
@@ -42,13 +42,13 @@
<value-attributes>
<empty-value-valid>true</empty-value-valid>
</value-attributes>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>zookeeper.connect</name>
<value>localhost:2181</value>
<description>Used for repository creation on ranger admin</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>ranger-kafka-plugin-enabled</name>
@@ -65,14 +65,14 @@
<type>boolean</type>
<overridable>false</overridable>
</value-attributes>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>REPOSITORY_CONFIG_USERNAME</name>
<value>kafka</value>
<display-name>Ranger repository config user</display-name>
<description>Used for repository creation on ranger admin</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>REPOSITORY_CONFIG_PASSWORD</name>
@@ -83,6 +83,6 @@
<value-attributes>
<type>password</type>
</value-attributes>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
</configuration>
http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-policymgr-ssl.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-policymgr-ssl.xml b/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-policymgr-ssl.xml
index cf4a82e..f0fc160 100644
--- a/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-policymgr-ssl.xml
+++ b/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-policymgr-ssl.xml
@@ -23,7 +23,7 @@
<name>xasecure.policymgr.clientssl.keystore</name>
<value>kafkadev-clientcert.jks</value>
<description>Java Keystore files</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.policymgr.clientssl.keystore.password</name>
@@ -33,13 +33,13 @@
<value-attributes>
<type>password</type>
</value-attributes>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.policymgr.clientssl.truststore</name>
<value>cacerts-xasecure.jks</value>
<description>java truststore file</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.policymgr.clientssl.truststore.password</name>
@@ -49,18 +49,18 @@
<value-attributes>
<type>password</type>
</value-attributes>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.policymgr.clientssl.keystore.credential.file</name>
<value>jceks://file/{{credential_file}}</value>
<description>java keystore credential file</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.policymgr.clientssl.truststore.credential.file</name>
<value>jceks://file/{{credential_file}}</value>
<description>java truststore credential file</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
</configuration>
http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-security.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-security.xml b/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-security.xml
index 91061d1..a9f84a4 100644
--- a/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-security.xml
+++ b/ambari-server/src/main/resources/common-services/KAFKA/0.9.0/configuration/ranger-kafka-security.xml
@@ -23,36 +23,42 @@
<name>ranger.plugin.kafka.service.name</name>
<value>{{repo_name}}</value>
<description>Name of the Ranger service containing policies for this Kafka instance</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>ranger.plugin.kafka.policy.source.impl</name>
<value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
<description>Class to retrieve policies from the source</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>ranger.plugin.kafka.policy.rest.url</name>
<value>{{policymgr_mgr_url}}</value>
<description>URL to Ranger Admin</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
+ <depends-on>
+ <property>
+ <type>admin-properties</type>
+ <name>policymgr_external_url</name>
+ </property>
+ </depends-on>
</property>
<property>
<name>ranger.plugin.kafka.policy.rest.ssl.config.file</name>
<value>/etc/kafka/conf/ranger-policymgr-ssl.xml</value>
<description>Path to the file containing SSL details to contact Ranger Admin</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>ranger.plugin.kafka.policy.pollIntervalMs</name>
<value>30000</value>
<description>How often to poll for changes in policies?</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>ranger.plugin.kafka.policy.cache.dir</name>
<value>/etc/ranger/{{repo_name}}/policycache</value>
<description>Directory where Ranger policies are cached after successful retrieval from the source</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
</configuration>
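Review bot: The new `<depends-on>` block on `ranger.plugin.kafka.policy.rest.url` is placed after `<on-ambari-upgrade add="true"/>`, whereas the existing properties visible in this commit (for example `xasecure.audit.destination.db` in ranger-kafka-audit.xml) close `</depends-on>` before the `<on-ambari-upgrade>` element. The `<depends-on>` added in the ranger-kms-security.xml hunk has the same ordering. I would keep `<on-ambari-upgrade add="true"/>` as the last child of the property in both places so the layout stays uniform and the upgrade flag is always found in the same position when these files are audited.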
http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/configuration/ranger-knox-plugin-properties.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/configuration/ranger-knox-plugin-properties.xml b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/configuration/ranger-knox-plugin-properties.xml
index ae9314b..7f85667 100644
--- a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/configuration/ranger-knox-plugin-properties.xml
+++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/configuration/ranger-knox-plugin-properties.xml
@@ -24,7 +24,7 @@
<value>ambari-qa</value>
<display-name>Policy user for KNOX</display-name>
<description>This user must be system user and also present at Ranger admin portal</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>common.name.for.certificate</name>
@@ -33,7 +33,7 @@
<value-attributes>
<empty-value-valid>true</empty-value-valid>
</value-attributes>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>ranger-knox-plugin-enabled</name>
@@ -50,14 +50,14 @@
<type>boolean</type>
<overridable>false</overridable>
</value-attributes>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>REPOSITORY_CONFIG_USERNAME</name>
<value>admin</value>
<display-name>Ranger repository config user</display-name>
<description>Used for repository creation on ranger admin</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>REPOSITORY_CONFIG_PASSWORD</name>
@@ -68,14 +68,14 @@
<value-attributes>
<type>password</type>
</value-attributes>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>KNOX_HOME</name>
<value>/usr/local/knox-server</value>
<display-name>Knox Home</display-name>
<description>Knox home folder</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>XAAUDIT.DB.IS_ENABLED</name>
http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/package/scripts/params_linux.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/package/scripts/params_linux.py b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/package/scripts/params_linux.py
index dd5fc3a..9b61a5f 100644
--- a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/package/scripts/params_linux.py
+++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/package/scripts/params_linux.py
@@ -38,6 +38,7 @@ from resource_management.libraries.functions.stack_features import check_stack_f
from resource_management.libraries.functions.stack_features import get_stack_feature_version
from resource_management.libraries.functions.constants import StackFeature
from resource_management.libraries.functions import is_empty
+from resource_management.libraries.functions.setup_ranger_plugin_xml import get_audit_configs
# server configurations
config = Script.get_config()
@@ -260,82 +261,86 @@ if security_enabled:
_hostname_lowercase = config['hostname'].lower()
knox_principal_name = config['configurations']['knox-env']['knox_principal_name'].replace('_HOST',_hostname_lowercase)
+# for curl command in ranger plugin to get db connector
+jdk_location = config['hostLevelParams']['jdk_location']
+
+# ranger knox plugin start section
+
# ranger host
ranger_admin_hosts = default("/clusterHostInfo/ranger_admin_hosts", [])
has_ranger_admin = not len(ranger_admin_hosts) == 0
-xml_configurations_supported = config['configurations']['ranger-env']['xml_configurations_supported']
+# ranger support xml_configuration flag, instead of depending on ranger xml_configurations_supported/ranger-env, using stack feature
+xml_configurations_supported = check_stack_feature(StackFeature.RANGER_XML_CONFIGURATION, version_for_stack_feature_checks)
+
+# ambari-server hostname
ambari_server_hostname = config['clusterHostInfo']['ambari_server_host'][0]
-# ranger knox properties
-policymgr_mgr_url = config['configurations']['admin-properties']['policymgr_external_url']
-if 'admin-properties' in config['configurations'] and 'policymgr_external_url' in config['configurations']['admin-properties'] and policymgr_mgr_url.endswith('/'):
- policymgr_mgr_url = policymgr_mgr_url.rstrip('/')
-xa_audit_db_name = default('/configurations/admin-properties/audit_db_name', 'ranger_audits')
-xa_audit_db_user = default('/configurations/admin-properties/audit_db_user', 'rangerlogger')
-xa_db_host = config['configurations']['admin-properties']['db_host']
-repo_name = str(config['clusterName']) + '_knox'
-repo_name_value = config['configurations']['ranger-knox-security']['ranger.plugin.knox.service.name']
-if not is_empty(repo_name_value) and repo_name_value != "{{repo_name}}":
- repo_name = repo_name_value
+# ranger knox plugin enabled property
+enable_ranger_knox = default("/configurations/ranger-knox-plugin-properties/ranger-knox-plugin-enabled", "No")
+enable_ranger_knox = True if enable_ranger_knox.lower() == 'yes' else False
+
+# get ranger knox properties if enable_ranger_knox is True
+if enable_ranger_knox:
+ # get ranger policy url
+ policymgr_mgr_url = config['configurations']['admin-properties']['policymgr_external_url']
+ if xml_configurations_supported:
+ policymgr_mgr_url = config['configurations']['ranger-knox-security']['ranger.plugin.knox.policy.rest.url']
+
+ if not is_empty(policymgr_mgr_url) and policymgr_mgr_url.endswith('/'):
+ policymgr_mgr_url = policymgr_mgr_url.rstrip('/')
+
+ # ranger audit db user
+ xa_audit_db_user = default('/configurations/admin-properties/audit_db_user', 'rangerlogger')
+
+ # ranger knox service/repositry name
+ repo_name = str(config['clusterName']) + '_knox'
+ repo_name_value = config['configurations']['ranger-knox-security']['ranger.plugin.knox.service.name']
+ if not is_empty(repo_name_value) and repo_name_value != "{{repo_name}}":
+ repo_name = repo_name_value
+
+ knox_home = config['configurations']['ranger-knox-plugin-properties']['KNOX_HOME']
+ common_name_for_certificate = config['configurations']['ranger-knox-plugin-properties']['common.name.for.certificate']
+ repo_config_username = config['configurations']['ranger-knox-plugin-properties']['REPOSITORY_CONFIG_USERNAME']
+
+ # ranger-env config
+ ranger_env = config['configurations']['ranger-env']
+
+ # create ranger-env config having external ranger credential properties
+ if not has_ranger_admin and enable_ranger_knox:
+ external_admin_username = default('/configurations/ranger-knox-plugin-properties/external_admin_username', 'admin')
+ external_admin_password = default('/configurations/ranger-knox-plugin-properties/external_admin_password', 'admin')
+ external_ranger_admin_username = default('/configurations/ranger-knox-plugin-properties/external_ranger_admin_username', 'amb_ranger_admin')
+ external_ranger_admin_password = default('/configurations/ranger-knox-plugin-properties/external_ranger_admin_password', 'amb_ranger_admin')
+ ranger_env = {}
+ ranger_env['admin_username'] = external_admin_username
+ ranger_env['admin_password'] = external_admin_password
+ ranger_env['ranger_admin_username'] = external_ranger_admin_username
+ ranger_env['ranger_admin_password'] = external_ranger_admin_password
+
+ ranger_plugin_properties = config['configurations']['ranger-knox-plugin-properties']
+ policy_user = config['configurations']['ranger-knox-plugin-properties']['policy_user']
+ repo_config_password = config['configurations']['ranger-knox-plugin-properties']['REPOSITORY_CONFIG_PASSWORD']
-knox_home = config['configurations']['ranger-knox-plugin-properties']['KNOX_HOME']
-common_name_for_certificate = config['configurations']['ranger-knox-plugin-properties']['common.name.for.certificate']
+ xa_audit_db_password = ''
+ if not is_empty(config['configurations']['admin-properties']['audit_db_password']) and stack_supports_ranger_audit_db and has_ranger_admin:
+ xa_audit_db_password = config['configurations']['admin-properties']['audit_db_password']
-repo_config_username = config['configurations']['ranger-knox-plugin-properties']['REPOSITORY_CONFIG_USERNAME']
+ downloaded_custom_connector = None
+ previous_jdbc_jar_name = None
+ driver_curl_source = None
+ driver_curl_target = None
+ previous_jdbc_jar = None
-ranger_env = config['configurations']['ranger-env']
-ranger_plugin_properties = config['configurations']['ranger-knox-plugin-properties']
-policy_user = config['configurations']['ranger-knox-plugin-properties']['policy_user']
+ if has_ranger_admin and stack_supports_ranger_audit_db:
+ xa_audit_db_flavor = config['configurations']['admin-properties']['DB_FLAVOR']
+ jdbc_jar_name, previous_jdbc_jar_name, audit_jdbc_url, jdbc_driver = get_audit_configs(config)
-#For curl command in ranger plugin to get db connector
-jdk_location = config['hostLevelParams']['jdk_location']
-java_share_dir = '/usr/share/java'
-if has_ranger_admin:
- enable_ranger_knox = (config['configurations']['ranger-knox-plugin-properties']['ranger-knox-plugin-enabled'].lower() == 'yes')
- xa_audit_db_password = ''
- if not is_empty(config['configurations']['admin-properties']['audit_db_password']) and stack_supports_ranger_audit_db:
- xa_audit_db_password = unicode(config['configurations']['admin-properties']['audit_db_password'])
- repo_config_password = unicode(config['configurations']['ranger-knox-plugin-properties']['REPOSITORY_CONFIG_PASSWORD'])
- xa_audit_db_flavor = (config['configurations']['admin-properties']['DB_FLAVOR']).lower()
- previous_jdbc_jar_name= None
-
- if stack_supports_ranger_audit_db:
- if xa_audit_db_flavor == 'mysql':
- jdbc_jar_name = default("/hostLevelParams/custom_mysql_jdbc_name", None)
- previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_mysql_jdbc_name", None)
- audit_jdbc_url = format('jdbc:mysql://{xa_db_host}/{xa_audit_db_name}')
- jdbc_driver = "com.mysql.jdbc.Driver"
- elif xa_audit_db_flavor == 'oracle':
- jdbc_jar_name = default("/hostLevelParams/custom_oracle_jdbc_name", None)
- previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_oracle_jdbc_name", None)
- colon_count = xa_db_host.count(':')
- if colon_count == 2 or colon_count == 0:
- audit_jdbc_url = format('jdbc:oracle:thin:@{xa_db_host}')
- else:
- audit_jdbc_url = format('jdbc:oracle:thin:@//{xa_db_host}')
- jdbc_driver = "oracle.jdbc.OracleDriver"
- elif xa_audit_db_flavor == 'postgres':
- jdbc_jar_name = default("/hostLevelParams/custom_postgres_jdbc_name", None)
- previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_postgres_jdbc_name", None)
- audit_jdbc_url = format('jdbc:postgresql://{xa_db_host}/{xa_audit_db_name}')
- jdbc_driver = "org.postgresql.Driver"
- elif xa_audit_db_flavor == 'mssql':
- jdbc_jar_name = default("/hostLevelParams/custom_mssql_jdbc_name", None)
- previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_mssql_jdbc_name", None)
- audit_jdbc_url = format('jdbc:sqlserver://{xa_db_host};databaseName={xa_audit_db_name}')
- jdbc_driver = "com.microsoft.sqlserver.jdbc.SQLServerDriver"
- elif xa_audit_db_flavor == 'sqla':
- jdbc_jar_name = default("/hostLevelParams/custom_sqlanywhere_jdbc_name", None)
- previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_sqlanywhere_jdbc_name", None)
- audit_jdbc_url = format('jdbc:sqlanywhere:database={xa_audit_db_name};host={xa_db_host}')
- jdbc_driver = "sap.jdbc4.sqlanywhere.IDriver"
-
- downloaded_custom_connector = format("{tmp_dir}/{jdbc_jar_name}") if stack_supports_ranger_audit_db else None
- driver_curl_source = format("{jdk_location}/{jdbc_jar_name}") if stack_supports_ranger_audit_db else None
- driver_curl_target = format("{stack_root}/current/knox-server/ext/{jdbc_jar_name}") if stack_supports_ranger_audit_db else None
- previous_jdbc_jar = format("{stack_root}/current/knox-server/ext/{previous_jdbc_jar_name}") if stack_supports_ranger_audit_db else None
- sql_connector_jar = ''
+ downloaded_custom_connector = format("{tmp_dir}/{jdbc_jar_name}") if stack_supports_ranger_audit_db else None
+ driver_curl_source = format("{jdk_location}/{jdbc_jar_name}") if stack_supports_ranger_audit_db else None
+ driver_curl_target = format("{stack_root}/current/knox-server/ext/{jdbc_jar_name}") if stack_supports_ranger_audit_db else None
+ previous_jdbc_jar = format("{stack_root}/current/knox-server/ext/{previous_jdbc_jar_name}") if stack_supports_ranger_audit_db else None
+ sql_connector_jar = ''
knox_ranger_plugin_config = {
'username': repo_config_username,
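Review bot: The external-Ranger branch (`if not has_ranger_admin and enable_ranger_knox:`) falls back to literal passwords, `'admin'` for `external_admin_password` and `'amb_ranger_admin'` for `external_ranger_admin_password`, so a cluster that leaves those properties unset will silently present well-known credentials to the external Ranger Admin. I would default the two password lookups to `None`, e.g. `external_admin_password = default('/configurations/ranger-knox-plugin-properties/external_admin_password', None)`, and stop plugin setup with a clear error when either is empty. Indentation is lost on this page, but the branch appears to sit inside `if enable_ranger_knox:`, which would make the second half of its condition redundant. The enclosing block continues past the end of this hunk.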
@@ -368,21 +373,21 @@ if has_ranger_admin:
'type': 'knox'
}
-
-
xa_audit_db_is_enabled = False
- ranger_audit_solr_urls = config['configurations']['ranger-admin-site']['ranger.audit.solr.urls']
if xml_configurations_supported and stack_supports_ranger_audit_db:
xa_audit_db_is_enabled = config['configurations']['ranger-knox-audit']['xasecure.audit.destination.db']
- xa_audit_hdfs_is_enabled = config['configurations']['ranger-knox-audit']['xasecure.audit.destination.hdfs'] if xml_configurations_supported else None
- ssl_keystore_password = unicode(config['configurations']['ranger-knox-policymgr-ssl']['xasecure.policymgr.clientssl.keystore.password']) if xml_configurations_supported else None
- ssl_truststore_password = unicode(config['configurations']['ranger-knox-policymgr-ssl']['xasecure.policymgr.clientssl.truststore.password']) if xml_configurations_supported else None
- credential_file = format('/etc/ranger/{repo_name}/cred.jceks') if xml_configurations_supported else None
- #For SQLA explicitly disable audit to DB for Ranger
- if xa_audit_db_flavor == 'sqla':
+ xa_audit_hdfs_is_enabled = config['configurations']['ranger-knox-audit']['xasecure.audit.destination.hdfs'] if xml_configurations_supported else False
+ ssl_keystore_password = config['configurations']['ranger-knox-policymgr-ssl']['xasecure.policymgr.clientssl.keystore.password'] if xml_configurations_supported else None
+ ssl_truststore_password = config['configurations']['ranger-knox-policymgr-ssl']['xasecure.policymgr.clientssl.truststore.password'] if xml_configurations_supported else None
+ credential_file = format('/etc/ranger/{repo_name}/cred.jceks')
+
+ # for SQLA explicitly disable audit to DB for Ranger
+ if has_ranger_admin and stack_supports_ranger_audit_db and xa_audit_db_flavor == 'sqla':
xa_audit_db_is_enabled = False
+# ranger knox plugin end section
+
hdfs_user = config['configurations']['hadoop-env']['hdfs_user'] if has_namenode else None
hdfs_user_keytab = config['configurations']['hadoop-env']['hdfs_user_keytab'] if has_namenode else None
hdfs_principal_name = config['configurations']['hadoop-env']['hdfs_principal_name'] if has_namenode else None
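Review bot: The SQLA guard `xa_audit_db_flavor == 'sqla'` now compares against the raw `DB_FLAVOR` value, because the previous hunk in this file drops the `.lower()` that the old assignment applied. If that property is stored in upper case (its values are not visible here), audit-to-DB will no longer be switched off for SQL Anywhere. Either keep the normalisation on the assignment, `xa_audit_db_flavor = config['configurations']['admin-properties']['DB_FLAVOR'].lower()`, or compare with `xa_audit_db_flavor.lower() == 'sqla'`. The ranger plugin block this guard belongs to starts before the hunk.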
http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/package/scripts/setup_ranger_knox.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/package/scripts/setup_ranger_knox.py b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/package/scripts/setup_ranger_knox.py
index 7601dfa..67a1670 100644
--- a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/package/scripts/setup_ranger_knox.py
+++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.2.2/package/scripts/setup_ranger_knox.py
@@ -25,8 +25,7 @@ from resource_management.libraries.functions.setup_ranger_plugin_xml import setu
def setup_ranger_knox(upgrade_type=None):
import params
- if params.has_ranger_admin:
-
+ if params.enable_ranger_knox:
stack_version = None
if upgrade_type is not None:
@@ -105,4 +104,4 @@ def setup_ranger_knox(upgrade_type=None):
Logger.info("Stack does not support core-site.xml creation for Ranger plugin, skipping core-site.xml configurations")
else:
- Logger.info('Ranger admin not installed')
+ Logger.info('Ranger Knox plugin is not enabled')
http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/configuration/ranger-kms-security.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/configuration/ranger-kms-security.xml b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/configuration/ranger-kms-security.xml
index 95e653c..b0efb6d 100644
--- a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/configuration/ranger-kms-security.xml
+++ b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/configuration/ranger-kms-security.xml
@@ -36,6 +36,12 @@
<value>{{policymgr_mgr_url}}</value>
<description>URL to Ranger Admin</description>
<on-ambari-upgrade add="true"/>
+ <depends-on>
+ <property>
+ <type>admin-properties</type>
+ <name>policymgr_external_url</name>
+ </property>
+ </depends-on>
</property>
<property>
<name>ranger.plugin.kms.policy.rest.ssl.config.file</name>
http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/STORM/0.10.0/configuration/ranger-storm-audit.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/STORM/0.10.0/configuration/ranger-storm-audit.xml b/ambari-server/src/main/resources/common-services/STORM/0.10.0/configuration/ranger-storm-audit.xml
index 4dc51eb..b7cf4c5 100644
--- a/ambari-server/src/main/resources/common-services/STORM/0.10.0/configuration/ranger-storm-audit.xml
+++ b/ambari-server/src/main/resources/common-services/STORM/0.10.0/configuration/ranger-storm-audit.xml
@@ -23,7 +23,7 @@
<name>xasecure.audit.is.enabled</name>
<value>true</value>
<description>Is Audit enabled?</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.audit.destination.db</name>
@@ -39,19 +39,19 @@
<name>xasecure.audit.destination.db</name>
</property>
</depends-on>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.audit.destination.db.jdbc.url</name>
<value>{{audit_jdbc_url}}</value>
<description>Audit DB JDBC URL</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.audit.destination.db.user</name>
<value>{{xa_audit_db_user}}</value>
<description>Audit DB JDBC User</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.audit.destination.db.password</name>
@@ -61,25 +61,25 @@
<value-attributes>
<type>password</type>
</value-attributes>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.audit.destination.db.jdbc.driver</name>
<value>{{jdbc_driver}}</value>
<description>Audit DB JDBC Driver</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.audit.credential.provider.file</name>
<value>jceks://file{{credential_file}}</value>
<description>Credential file store</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.audit.destination.db.batch.filespool.dir</name>
<value>/var/log/storm/audit/db/spool</value>
<description>/var/log/storm/audit/db/spool</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.audit.destination.hdfs</name>
@@ -95,7 +95,7 @@
<name>xasecure.audit.destination.hdfs</name>
</property>
</depends-on>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.audit.destination.hdfs.dir</name>
@@ -107,13 +107,13 @@
<name>xasecure.audit.destination.hdfs.dir</name>
</property>
</depends-on>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.audit.destination.hdfs.batch.filespool.dir</name>
<value>/var/log/storm/audit/hdfs/spool</value>
<description>/var/log/storm/audit/hdfs/spool</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.audit.destination.solr</name>
@@ -129,7 +129,7 @@
<name>xasecure.audit.destination.solr</name>
</property>
</depends-on>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.audit.destination.solr.urls</name>
@@ -144,7 +144,7 @@
<name>ranger.audit.solr.urls</name>
</property>
</depends-on>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.audit.destination.solr.zookeepers</name>
@@ -156,13 +156,13 @@
<name>ranger.audit.solr.zookeepers</name>
</property>
</depends-on>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.audit.destination.solr.batch.filespool.dir</name>
<value>/var/log/storm/audit/solr/spool</value>
<description>/var/log/storm/audit/solr/spool</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.audit.provider.summary.enabled</name>
@@ -172,6 +172,6 @@
<value-attributes>
<type>boolean</type>
</value-attributes>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
</configuration>
http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/STORM/0.10.0/configuration/ranger-storm-policymgr-ssl.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/STORM/0.10.0/configuration/ranger-storm-policymgr-ssl.xml b/ambari-server/src/main/resources/common-services/STORM/0.10.0/configuration/ranger-storm-policymgr-ssl.xml
index b1f6e1e..9592914 100644
--- a/ambari-server/src/main/resources/common-services/STORM/0.10.0/configuration/ranger-storm-policymgr-ssl.xml
+++ b/ambari-server/src/main/resources/common-services/STORM/0.10.0/configuration/ranger-storm-policymgr-ssl.xml
@@ -23,7 +23,7 @@
<name>xasecure.policymgr.clientssl.keystore</name>
<value>hadoopdev-clientcert.jks</value>
<description>Java Keystore files</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.policymgr.clientssl.keystore.password</name>
@@ -33,13 +33,13 @@
<value-attributes>
<type>password</type>
</value-attributes>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.policymgr.clientssl.truststore</name>
<value>cacerts-xasecure.jks</value>
<description>java truststore file</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.policymgr.clientssl.truststore.password</name>
@@ -49,18 +49,18 @@
<value-attributes>
<type>password</type>
</value-attributes>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.policymgr.clientssl.keystore.credential.file</name>
<value>jceks://file{{credential_file}}</value>
<description>java keystore credential file</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>xasecure.policymgr.clientssl.truststore.credential.file</name>
<value>jceks://file{{credential_file}}</value>
<description>java truststore credential file</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
</configuration>
http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/STORM/0.10.0/configuration/ranger-storm-security.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/STORM/0.10.0/configuration/ranger-storm-security.xml b/ambari-server/src/main/resources/common-services/STORM/0.10.0/configuration/ranger-storm-security.xml
index 983702f..84e394b4 100644
--- a/ambari-server/src/main/resources/common-services/STORM/0.10.0/configuration/ranger-storm-security.xml
+++ b/ambari-server/src/main/resources/common-services/STORM/0.10.0/configuration/ranger-storm-security.xml
@@ -23,36 +23,42 @@
<name>ranger.plugin.storm.service.name</name>
<value>{{repo_name}}</value>
<description>Name of the Ranger service containing policies for this Storm instance</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>ranger.plugin.storm.policy.source.impl</name>
<value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
<description>Class to retrieve policies from the source</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>ranger.plugin.storm.policy.rest.url</name>
<value>{{policymgr_mgr_url}}</value>
<description>URL to Ranger Admin</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
+ <depends-on>
+ <property>
+ <type>admin-properties</type>
+ <name>policymgr_external_url</name>
+ </property>
+ </depends-on>
</property>
<property>
<name>ranger.plugin.storm.policy.rest.ssl.config.file</name>
<value>/etc/storm/conf/ranger-policymgr-ssl.xml</value>
<description>Path to the file containing SSL details to contact Ranger Admin</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>ranger.plugin.storm.policy.pollIntervalMs</name>
<value>30000</value>
<description>How often to poll for changes in policies?</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>ranger.plugin.storm.policy.cache.dir</name>
<value>/etc/ranger/{{repo_name}}/policycache</value>
<description>Directory where Ranger policies are cached after successful retrieval from the source</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
</configuration>
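Review bot: The default value of `ranger.plugin.storm.policy.rest.url` is still the template `{{policymgr_mgr_url}}`, yet this commit makes params_linux.py read that same property back as `policymgr_mgr_url` when XML configurations are supported. That read has no placeholder guard like the one `repo_name` gets (`repo_name_value != "{{repo_name}}"`). Whether the new `depends-on` always replaces the placeholder before the scripts run is not visible here. If the template can survive, for example when the property is added during an Ambari upgrade, the plugin would be pointed at a literal template string instead of Ranger Admin. A comment on the property such as `<!-- populated from admin-properties/policymgr_external_url; must not remain the template default -->` would document the expectation.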
http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/STORM/0.9.1/package/scripts/params_linux.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/STORM/0.9.1/package/scripts/params_linux.py b/ambari-server/src/main/resources/common-services/STORM/0.9.1/package/scripts/params_linux.py
index dbb26f6..137f29a 100644
--- a/ambari-server/src/main/resources/common-services/STORM/0.9.1/package/scripts/params_linux.py
+++ b/ambari-server/src/main/resources/common-services/STORM/0.9.1/package/scripts/params_linux.py
@@ -41,6 +41,7 @@ from resource_management.libraries.functions.expect import expect
from resource_management.libraries.functions.setup_atlas_hook import has_atlas_in_cluster
from resource_management.libraries.functions import is_empty
from ambari_commons.ambari_metrics_helper import select_metric_collector_hosts_from_hostnames
+from resource_management.libraries.functions.setup_ranger_plugin_xml import get_audit_configs
# server configurations
config = Script.get_config()
@@ -225,34 +226,8 @@ if enable_atlas_hook:
jar_jvm_opts += '-Datlas.conf=' + atlas_conf_dir
#endregion
-
-# ranger host
-ranger_admin_hosts = default("/clusterHostInfo/ranger_admin_hosts", [])
-has_ranger_admin = not len(ranger_admin_hosts) == 0
-xml_configurations_supported = config['configurations']['ranger-env']['xml_configurations_supported']
-ambari_server_hostname = config['clusterHostInfo']['ambari_server_host'][0]
-
-#ranger storm properties
-policymgr_mgr_url = config['configurations']['admin-properties']['policymgr_external_url']
-if 'admin-properties' in config['configurations'] and 'policymgr_external_url' in config['configurations']['admin-properties'] and policymgr_mgr_url.endswith('/'):
- policymgr_mgr_url = policymgr_mgr_url.rstrip('/')
-xa_audit_db_name = default('/configurations/admin-properties/audit_db_name', 'ranger_audits')
-xa_audit_db_user = default('/configurations/admin-properties/audit_db_user', 'rangerlogger')
-xa_db_host = config['configurations']['admin-properties']['db_host']
-repo_name = str(config['clusterName']) + '_storm'
-repo_name_value = config['configurations']['ranger-storm-security']['ranger.plugin.storm.service.name']
-if not is_empty(repo_name_value) and repo_name_value != "{{repo_name}}":
- repo_name = repo_name_value
-
-common_name_for_certificate = config['configurations']['ranger-storm-plugin-properties']['common.name.for.certificate']
-
storm_ui_port = config['configurations']['storm-site']['ui.port']
-repo_config_username = config['configurations']['ranger-storm-plugin-properties']['REPOSITORY_CONFIG_USERNAME']
-ranger_env = config['configurations']['ranger-env']
-ranger_plugin_properties = config['configurations']['ranger-storm-plugin-properties']
-policy_user = storm_user
-
#Storm log4j properties
storm_a1_maxfilesize = default('/configurations/storm-cluster-log4j/storm_a1_maxfilesize', 100)
storm_a1_maxbackupindex = default('/configurations/storm-cluster-log4j/storm_a1_maxbackupindex', 9)
@@ -269,55 +244,87 @@ storm_worker_log4j_content = config['configurations']['storm-worker-log4j']['con
# some commands may need to supply the JAAS location when running as storm
storm_jaas_file = format("{conf_dir}/storm_jaas.conf")
-# For curl command in ranger plugin to get db connector
+# for curl command in ranger plugin to get db connector
jdk_location = config['hostLevelParams']['jdk_location']
-java_share_dir = '/usr/share/java'
-if has_ranger_admin:
- enable_ranger_storm = (config['configurations']['ranger-storm-plugin-properties']['ranger-storm-plugin-enabled'].lower() == 'yes')
+# ranger storm plugin start section
+
+# ranger host
+ranger_admin_hosts = default("/clusterHostInfo/ranger_admin_hosts", [])
+has_ranger_admin = not len(ranger_admin_hosts) == 0
+
+# ranger support xml_configuration flag, instead of depending on ranger xml_configurations_supported/ranger-env, using stack feature
+xml_configurations_supported = check_stack_feature(StackFeature.RANGER_XML_CONFIGURATION, version_for_stack_feature_checks)
+
+# ambari-server hostname
+ambari_server_hostname = config['clusterHostInfo']['ambari_server_host'][0]
+
+# ranger storm plugin enabled property
+enable_ranger_storm = default("/configurations/ranger-storm-plugin-properties/ranger-storm-plugin-enabled", "No")
+enable_ranger_storm = True if enable_ranger_storm.lower() == 'yes' else False
+
+# ranger storm properties
+if enable_ranger_storm:
+ # get ranger policy url
+ policymgr_mgr_url = config['configurations']['admin-properties']['policymgr_external_url']
+ if xml_configurations_supported:
+ policymgr_mgr_url = config['configurations']['ranger-storm-security']['ranger.plugin.storm.policy.rest.url']
+
+ if not is_empty(policymgr_mgr_url) and policymgr_mgr_url.endswith('/'):
+ policymgr_mgr_url = policymgr_mgr_url.rstrip('/')
+
+ # ranger audit db user
+ xa_audit_db_user = default('/configurations/admin-properties/audit_db_user', 'rangerlogger')
+
+ # ranger storm service name
+ repo_name = str(config['clusterName']) + '_storm'
+ repo_name_value = config['configurations']['ranger-storm-security']['ranger.plugin.storm.service.name']
+ if not is_empty(repo_name_value) and repo_name_value != "{{repo_name}}":
+ repo_name = repo_name_value
+
+ common_name_for_certificate = config['configurations']['ranger-storm-plugin-properties']['common.name.for.certificate']
+ repo_config_username = config['configurations']['ranger-storm-plugin-properties']['REPOSITORY_CONFIG_USERNAME']
+
+ # ranger-env config
+ ranger_env = config['configurations']['ranger-env']
+
+ # create ranger-env config having external ranger credential properties
+ if not has_ranger_admin and enable_ranger_storm:
+ external_admin_username = default('/configurations/ranger-storm-plugin-properties/external_admin_username', 'admin')
+ external_admin_password = default('/configurations/ranger-storm-plugin-properties/external_admin_password', 'admin')
+ external_ranger_admin_username = default('/configurations/ranger-storm-plugin-properties/external_ranger_admin_username', 'amb_ranger_admin')
+ external_ranger_admin_password = default('/configurations/ranger-storm-plugin-properties/external_ranger_admin_password', 'amb_ranger_admin')
+ ranger_env = {}
+ ranger_env['admin_username'] = external_admin_username
+ ranger_env['admin_password'] = external_admin_password
+ ranger_env['ranger_admin_username'] = external_ranger_admin_username
+ ranger_env['ranger_admin_password'] = external_ranger_admin_password
+
+ ranger_plugin_properties = config['configurations']['ranger-storm-plugin-properties']
+ policy_user = storm_user
+ repo_config_password = config['configurations']['ranger-storm-plugin-properties']['REPOSITORY_CONFIG_PASSWORD']
+
xa_audit_db_password = ''
- if not is_empty(config['configurations']['admin-properties']['audit_db_password']) and stack_supports_ranger_audit_db:
- xa_audit_db_password = unicode(config['configurations']['admin-properties']['audit_db_password'])
- repo_config_password = unicode(config['configurations']['ranger-storm-plugin-properties']['REPOSITORY_CONFIG_PASSWORD'])
- xa_audit_db_flavor = (config['configurations']['admin-properties']['DB_FLAVOR']).lower()
+ if not is_empty(config['configurations']['admin-properties']['audit_db_password']) and stack_supports_ranger_audit_db and has_ranger_admin:
+ xa_audit_db_password = config['configurations']['admin-properties']['audit_db_password']
+
+ repo_config_password = config['configurations']['ranger-storm-plugin-properties']['REPOSITORY_CONFIG_PASSWORD']
+
+ downloaded_custom_connector = None
previous_jdbc_jar_name = None
+ driver_curl_source = None
+ driver_curl_target = None
+ previous_jdbc_jar = None
+
+ if has_ranger_admin and stack_supports_ranger_audit_db:
+ xa_audit_db_flavor = config['configurations']['admin-properties']['DB_FLAVOR']
+ jdbc_jar_name, previous_jdbc_jar_name, audit_jdbc_url, jdbc_driver = get_audit_configs(config)
- if stack_supports_ranger_audit_db:
- if xa_audit_db_flavor == 'mysql':
- jdbc_jar_name = default("/hostLevelParams/custom_mysql_jdbc_name", None)
- previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_mysql_jdbc_name", None)
- audit_jdbc_url = format('jdbc:mysql://{xa_db_host}/{xa_audit_db_name}')
- jdbc_driver = "com.mysql.jdbc.Driver"
- elif xa_audit_db_flavor == 'oracle':
- jdbc_jar_name = default("/hostLevelParams/custom_oracle_jdbc_name", None)
- previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_oracle_jdbc_name", None)
- colon_count = xa_db_host.count(':')
- if colon_count == 2 or colon_count == 0:
- audit_jdbc_url = format('jdbc:oracle:thin:@{xa_db_host}')
- else:
- audit_jdbc_url = format('jdbc:oracle:thin:@//{xa_db_host}')
- jdbc_driver = "oracle.jdbc.OracleDriver"
- elif xa_audit_db_flavor == 'postgres':
- jdbc_jar_name = default("/hostLevelParams/custom_postgres_jdbc_name", None)
- previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_postgres_jdbc_name", None)
- audit_jdbc_url = format('jdbc:postgresql://{xa_db_host}/{xa_audit_db_name}')
- jdbc_driver = "org.postgresql.Driver"
- elif xa_audit_db_flavor == 'mssql':
- jdbc_jar_name = default("/hostLevelParams/custom_mssql_jdbc_name", None)
- previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_mssql_jdbc_name", None)
- audit_jdbc_url = format('jdbc:sqlserver://{xa_db_host};databaseName={xa_audit_db_name}')
- jdbc_driver = "com.microsoft.sqlserver.jdbc.SQLServerDriver"
- elif xa_audit_db_flavor == 'sqla':
- jdbc_jar_name = default("/hostLevelParams/custom_sqlanywhere_jdbc_name", None)
- previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_sqlanywhere_jdbc_name", None)
- audit_jdbc_url = format('jdbc:sqlanywhere:database={xa_audit_db_name};host={xa_db_host}')
- jdbc_driver = "sap.jdbc4.sqlanywhere.IDriver"
-
- downloaded_custom_connector = format("{tmp_dir}/{jdbc_jar_name}") if stack_supports_ranger_audit_db else None
- driver_curl_source = format("{jdk_location}/{jdbc_jar_name}") if stack_supports_ranger_audit_db else None
- driver_curl_target = format("{storm_component_home_dir}/lib/{jdbc_jar_name}") if stack_supports_ranger_audit_db else None
- previous_jdbc_jar = format("{storm_component_home_dir}/lib/{previous_jdbc_jar_name}") if stack_supports_ranger_audit_db else None
- sql_connector_jar = ''
+ downloaded_custom_connector = format("{tmp_dir}/{jdbc_jar_name}") if stack_supports_ranger_audit_db else None
+ driver_curl_source = format("{jdk_location}/{jdbc_jar_name}") if stack_supports_ranger_audit_db else None
+ driver_curl_target = format("{storm_component_home_dir}/lib/{jdbc_jar_name}") if stack_supports_ranger_audit_db else None
+ previous_jdbc_jar = format("{storm_component_home_dir}/lib/{previous_jdbc_jar_name}") if stack_supports_ranger_audit_db else None
+ sql_connector_jar = ''
storm_ranger_plugin_config = {
'username': repo_config_username,
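Review bot: When no Ranger Admin host is in the cluster, the four `external_*` lookups fall back to the literal credentials `'admin'`/`'admin'` and `'amb_ranger_admin'`/`'amb_ranger_admin'`, so a cluster where those properties are missing would authenticate to the external Ranger with well-known defaults instead of failing visibly. Defaulting to `None` and stopping with a clear configuration error when a value is empty would be safer, e.g. `external_admin_password = default('/configurations/ranger-storm-plugin-properties/external_admin_password', None)`. Two smaller points in the same block: `and enable_ranger_storm` looks redundant because the check appears to sit under `if enable_ranger_storm:` (indentation is lost in this rendering, so confirm), and `repo_config_password` is assigned twice with the same expression. The `storm_ranger_plugin_config` dict that consumes these values continues outside the hunk.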
@@ -356,18 +363,20 @@ if has_ranger_admin:
ranger_storm_keytab = storm_keytab_path
xa_audit_db_is_enabled = False
- ranger_audit_solr_urls = config['configurations']['ranger-admin-site']['ranger.audit.solr.urls']
if xml_configurations_supported and stack_supports_ranger_audit_db:
xa_audit_db_is_enabled = config['configurations']['ranger-storm-audit']['xasecure.audit.destination.db']
+
xa_audit_hdfs_is_enabled = default('/configurations/ranger-storm-audit/xasecure.audit.destination.hdfs', False)
- ssl_keystore_password = unicode(config['configurations']['ranger-storm-policymgr-ssl']['xasecure.policymgr.clientssl.keystore.password']) if xml_configurations_supported else None
- ssl_truststore_password = unicode(config['configurations']['ranger-storm-policymgr-ssl']['xasecure.policymgr.clientssl.truststore.password']) if xml_configurations_supported else None
- credential_file = format('/etc/ranger/{repo_name}/cred.jceks') if xml_configurations_supported else None
+ ssl_keystore_password = config['configurations']['ranger-storm-policymgr-ssl']['xasecure.policymgr.clientssl.keystore.password'] if xml_configurations_supported else None
+ ssl_truststore_password = config['configurations']['ranger-storm-policymgr-ssl']['xasecure.policymgr.clientssl.truststore.password'] if xml_configurations_supported else None
+ credential_file = format('/etc/ranger/{repo_name}/cred.jceks')
- #For SQLA explicitly disable audit to DB for Ranger
- if xa_audit_db_flavor == 'sqla':
+ # for SQLA explicitly disable audit to DB for Ranger
+ if has_ranger_admin and stack_supports_ranger_audit_db and xa_audit_db_flavor.lower() == 'sqla':
xa_audit_db_is_enabled = False
+# ranger storm plugin end section
+
namenode_hosts = default("/clusterHostInfo/namenode_host", [])
has_namenode = not len(namenode_hosts) == 0
http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/STORM/0.9.1/package/scripts/setup_ranger_storm.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/STORM/0.9.1/package/scripts/setup_ranger_storm.py b/ambari-server/src/main/resources/common-services/STORM/0.9.1/package/scripts/setup_ranger_storm.py
index e81d62a..c04496e 100644
--- a/ambari-server/src/main/resources/common-services/STORM/0.9.1/package/scripts/setup_ranger_storm.py
+++ b/ambari-server/src/main/resources/common-services/STORM/0.9.1/package/scripts/setup_ranger_storm.py
@@ -28,7 +28,7 @@ def setup_ranger_storm(upgrade_type=None):
:param upgrade_type: Upgrade Type such as "rolling" or "nonrolling"
"""
import params
- if params.has_ranger_admin and params.security_enabled:
+ if params.enable_ranger_storm and params.security_enabled:
stack_version = None
if upgrade_type is not None:
@@ -130,4 +130,4 @@ def setup_ranger_storm(upgrade_type=None):
else:
Logger.info("Stack does not support core-site.xml creation for Ranger plugin, skipping core-site.xml configurations")
else:
- Logger.info('Ranger admin not installed')
+ Logger.info('Ranger Storm plugin is not enabled')
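Review bot: The new message in the `else` branch says the plugin is not enabled, but the guard changed in the earlier hunk is `params.enable_ranger_storm and params.security_enabled`, so this branch presumably also runs when the plugin is enabled and cluster security is off. In that case the log hides why the authorization plugin was skipped. Something like `Logger.info('Ranger Storm plugin is not enabled or security is disabled, skipping plugin setup')` would keep the two causes distinguishable. `setup_ranger_storm` starts and ends outside both hunks, so pairing this `else` with that `if` is inferred from the old message.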
http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/STORM/1.0.1/configuration/ranger-storm-plugin-properties.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/STORM/1.0.1/configuration/ranger-storm-plugin-properties.xml b/ambari-server/src/main/resources/common-services/STORM/1.0.1/configuration/ranger-storm-plugin-properties.xml
new file mode 100644
index 0000000..3450970
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/STORM/1.0.1/configuration/ranger-storm-plugin-properties.xml
@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration>
+
+ <property>
+ <name>external_admin_username</name>
+ <value></value>
+ <display-name>External Ranger admin username</display-name>
+ <description>Add ranger default admin username if want to communicate to external ranger</description>
+ <value-attributes>
+ <empty-value-valid>true</empty-value-valid>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+
+ <property>
+ <name>external_admin_password</name>
+ <value></value>
+ <display-name>External Ranger admin password</display-name>
+ <property-type>PASSWORD</property-type>
+ <description>Add ranger default admin password if want to communicate to external ranger</description>
+ <value-attributes>
+ <type>password</type>
+ <empty-value-valid>true</empty-value-valid>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+
+ <property>
+ <name>external_ranger_admin_username</name>
+ <value></value>
+ <display-name>External Ranger Ambari admin username</display-name>
+ <description>Add ranger default ambari admin username if want to communicate to external ranger</description>
+ <value-attributes>
+ <empty-value-valid>true</empty-value-valid>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+
+ <property>
+ <name>external_ranger_admin_password</name>
+ <value></value>
+ <display-name>External Ranger Ambari admin password</display-name>
+ <property-type>PASSWORD</property-type>
+ <description>Add ranger default ambari admin password if want to communicate to external ranger</description>
+ <value-attributes>
+ <type>password</type>
+ <empty-value-valid>true</empty-value-valid>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
+
+</configuration>
\ No newline at end of file
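Review bot: The four descriptions do not say when these credentials are used or what an empty value means, which matters for properties that hold admin passwords. Judging from the params_linux.py change in this commit, they are read only when the plugin is enabled and no Ranger Admin host is in the cluster. A description such as `Password of the admin user on the external Ranger Admin; used only when Ranger Admin is not managed by this cluster` would state that. The file also ends without a trailing newline.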
http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/params_linux.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/params_linux.py b/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/params_linux.py
index 177e0e0..653fa0a 100644
--- a/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/params_linux.py
+++ b/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/params_linux.py
@@ -35,6 +35,7 @@ from resource_management.libraries.functions.default import default
from resource_management.libraries import functions
from resource_management.libraries.functions import is_empty
from resource_management.libraries.functions.get_architecture import get_architecture
+from resource_management.libraries.functions.setup_ranger_plugin_xml import get_audit_configs
import status_params
@@ -303,9 +304,6 @@ tez_lib_uris = default("/configurations/tez-site/tez.lib.uris", None)
#for create_hdfs_directory
hdfs_user_keytab = config['configurations']['hadoop-env']['hdfs_user_keytab']
hdfs_principal_name = config['configurations']['hadoop-env']['hdfs_principal_name']
-
-
-
hdfs_site = config['configurations']['hdfs-site']
default_fs = config['configurations']['core-site']['fs.defaultFS']
is_webhdfs_enabled = hdfs_site['dfs.webhdfs.enabled']
@@ -350,12 +348,6 @@ node_label_enable = config['configurations']['yarn-site']['yarn.node-labels.enab
cgroups_dir = "/cgroups_test/cpu"
-# *********************** RANGER PLUGIN CHANGES ***********************
-# ranger host
-ranger_admin_hosts = default("/clusterHostInfo/ranger_admin_hosts", [])
-has_ranger_admin = not len(ranger_admin_hosts) == 0
-xml_configurations_supported = config['configurations']['ranger-env']['xml_configurations_supported']
-ambari_server_hostname = config['clusterHostInfo']['ambari_server_host'][0]
# hostname of the active HDFS HA Namenode (only used when HA is enabled)
dfs_ha_namenode_active = default("/configurations/hadoop-env/dfs_ha_initial_namenode_active", None)
if dfs_ha_namenode_active is not None:
@@ -386,106 +378,119 @@ if rm_ha_enabled:
rm_webapp_address = config['configurations']['yarn-site'][rm_webapp_address_property]
rm_webapp_addresses_list.append(rm_webapp_address)
-#ranger yarn properties
-if has_ranger_admin:
- is_supported_yarn_ranger = config['configurations']['yarn-env']['is_supported_yarn_ranger']
-
- if is_supported_yarn_ranger:
- enable_ranger_yarn = (config['configurations']['ranger-yarn-plugin-properties']['ranger-yarn-plugin-enabled'].lower() == 'yes')
- policymgr_mgr_url = config['configurations']['admin-properties']['policymgr_external_url']
- if 'admin-properties' in config['configurations'] and 'policymgr_external_url' in config['configurations']['admin-properties'] and policymgr_mgr_url.endswith('/'):
- policymgr_mgr_url = policymgr_mgr_url.rstrip('/')
- xa_audit_db_flavor = (config['configurations']['admin-properties']['DB_FLAVOR']).lower()
- xa_audit_db_name = default('/configurations/admin-properties/audit_db_name', 'ranger_audits')
- xa_audit_db_user = default('/configurations/admin-properties/audit_db_user', 'rangerlogger')
- xa_audit_db_password = ''
- if not is_empty(config['configurations']['admin-properties']['audit_db_password']) and stack_supports_ranger_audit_db:
- xa_audit_db_password = unicode(config['configurations']['admin-properties']['audit_db_password'])
- xa_db_host = config['configurations']['admin-properties']['db_host']
- repo_name = str(config['clusterName']) + '_yarn'
- repo_name_value = config['configurations']['ranger-yarn-security']['ranger.plugin.yarn.service.name']
- if not is_empty(repo_name_value) and repo_name_value != "{{repo_name}}":
- repo_name = repo_name_value
-
- ranger_env = config['configurations']['ranger-env']
- ranger_plugin_properties = config['configurations']['ranger-yarn-plugin-properties']
- policy_user = config['configurations']['ranger-yarn-plugin-properties']['policy_user']
- yarn_rest_url = config['configurations']['yarn-site']['yarn.resourcemanager.webapp.address']
-
- ranger_plugin_config = {
- 'username' : config['configurations']['ranger-yarn-plugin-properties']['REPOSITORY_CONFIG_USERNAME'],
- 'password' : unicode(config['configurations']['ranger-yarn-plugin-properties']['REPOSITORY_CONFIG_PASSWORD']),
- 'yarn.url' : format('{scheme}://{yarn_rest_url}'),
- 'commonNameForCertificate' : config['configurations']['ranger-yarn-plugin-properties']['common.name.for.certificate']
- }
-
- yarn_ranger_plugin_repo = {
- 'isEnabled': 'true',
- 'configs': ranger_plugin_config,
- 'description': 'yarn repo',
- 'name': repo_name,
- 'repositoryType': 'yarn',
- 'type': 'yarn',
- 'assetType': '1'
- }
-
- if stack_supports_ranger_kerberos:
- ranger_plugin_config['ambari.service.check.user'] = policy_user
- ranger_plugin_config['hadoop.security.authentication'] = 'kerberos' if security_enabled else 'simple'
-
- if stack_supports_ranger_kerberos and security_enabled:
- ranger_plugin_config['policy.download.auth.users'] = yarn_user
- ranger_plugin_config['tag.download.auth.users'] = yarn_user
-
- #For curl command in ranger plugin to get db connector
- jdk_location = config['hostLevelParams']['jdk_location']
- java_share_dir = '/usr/share/java'
- previous_jdbc_jar_name = None
- if stack_supports_ranger_audit_db:
- if xa_audit_db_flavor and xa_audit_db_flavor == 'mysql':
- jdbc_jar_name = default("/hostLevelParams/custom_mysql_jdbc_name", None)
- previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_mysql_jdbc_name", None)
- audit_jdbc_url = format('jdbc:mysql://{xa_db_host}/{xa_audit_db_name}')
- jdbc_driver = "com.mysql.jdbc.Driver"
- elif xa_audit_db_flavor and xa_audit_db_flavor == 'oracle':
- jdbc_jar_name = default("/hostLevelParams/custom_oracle_jdbc_name", None)
- previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_oracle_jdbc_name", None)
- colon_count = xa_db_host.count(':')
- if colon_count == 2 or colon_count == 0:
- audit_jdbc_url = format('jdbc:oracle:thin:@{xa_db_host}')
- else:
- audit_jdbc_url = format('jdbc:oracle:thin:@//{xa_db_host}')
- jdbc_driver = "oracle.jdbc.OracleDriver"
- elif xa_audit_db_flavor and xa_audit_db_flavor == 'postgres':
- jdbc_jar_name = default("/hostLevelParams/custom_postgres_jdbc_name", None)
- previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_postgres_jdbc_name", None)
- audit_jdbc_url = format('jdbc:postgresql://{xa_db_host}/{xa_audit_db_name}')
- jdbc_driver = "org.postgresql.Driver"
- elif xa_audit_db_flavor and xa_audit_db_flavor == 'mssql':
- jdbc_jar_name = default("/hostLevelParams/custom_mssql_jdbc_name", None)
- previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_mssql_jdbc_name", None)
- audit_jdbc_url = format('jdbc:sqlserver://{xa_db_host};databaseName={xa_audit_db_name}')
- jdbc_driver = "com.microsoft.sqlserver.jdbc.SQLServerDriver"
- elif xa_audit_db_flavor and xa_audit_db_flavor == 'sqla':
- jdbc_jar_name = default("/hostLevelParams/custom_sqlanywhere_jdbc_name", None)
- previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_sqlanywhere_jdbc_name", None)
- audit_jdbc_url = format('jdbc:sqlanywhere:database={xa_audit_db_name};host={xa_db_host}')
- jdbc_driver = "sap.jdbc4.sqlanywhere.IDriver"
+# for curl command in ranger plugin to get db connector
+jdk_location = config['hostLevelParams']['jdk_location']
+
+# ranger yarn plugin section start
+
+# ranger host
+ranger_admin_hosts = default("/clusterHostInfo/ranger_admin_hosts", [])
+has_ranger_admin = not len(ranger_admin_hosts) == 0
+
+# ranger support xml_configuration flag, instead of depending on ranger xml_configurations_supported/ranger-env, using stack feature
+xml_configurations_supported = check_stack_feature(StackFeature.RANGER_XML_CONFIGURATION, version_for_stack_feature_checks)
+
+# ambari-server hostname
+ambari_server_hostname = config['clusterHostInfo']['ambari_server_host'][0]
+
+# ranger yarn plugin enabled property
+enable_ranger_yarn = default("/configurations/ranger-yarn-plugin-properties/ranger-yarn-plugin-enabled", "No")
+enable_ranger_yarn = True if enable_ranger_yarn.lower() == 'yes' else False
+
+# ranger yarn-plugin supported flag, instead of using is_supported_yarn_ranger/yarn-env, using stack feature
+is_supported_yarn_ranger = check_stack_feature(StackFeature.YARN_RANGER_PLUGIN_SUPPORT, version_for_stack_feature_checks)
+
+# get ranger yarn properties if enable_ranger_yarn is True
+if enable_ranger_yarn and is_supported_yarn_ranger:
+ # get ranger policy url
+ policymgr_mgr_url = config['configurations']['ranger-yarn-security']['ranger.plugin.yarn.policy.rest.url']
+
+ if not is_empty(policymgr_mgr_url) and policymgr_mgr_url.endswith('/'):
+ policymgr_mgr_url = policymgr_mgr_url.rstrip('/')
+
+ # ranger audit db user
+ xa_audit_db_user = default('/configurations/admin-properties/audit_db_user', 'rangerlogger')
+
+ xa_audit_db_password = ''
+ if not is_empty(config['configurations']['admin-properties']['audit_db_password']) and stack_supports_ranger_audit_db and has_ranger_admin:
+ xa_audit_db_password = config['configurations']['admin-properties']['audit_db_password']
+
+ # ranger yarn service/repository name
+ repo_name = str(config['clusterName']) + '_yarn'
+ repo_name_value = config['configurations']['ranger-yarn-security']['ranger.plugin.yarn.service.name']
+ if not is_empty(repo_name_value) and repo_name_value != "{{repo_name}}":
+ repo_name = repo_name_value
+
+ # ranger-env config
+ ranger_env = config['configurations']['ranger-env']
+
+ # create ranger-env config having external ranger credential properties
+ if not has_ranger_admin and enable_ranger_yarn:
+ external_admin_username = default('/configurations/ranger-yarn-plugin-properties/external_admin_username', 'admin')
+ external_admin_password = default('/configurations/ranger-yarn-plugin-properties/external_admin_password', 'admin')
+ external_ranger_admin_username = default('/configurations/ranger-yarn-plugin-properties/external_ranger_admin_username', 'amb_ranger_admin')
+ external_ranger_admin_password = default('/configurations/ranger-yarn-plugin-properties/external_ranger_admin_password', 'amb_ranger_admin')
+ ranger_env = {}
+ ranger_env['admin_username'] = external_admin_username
+ ranger_env['admin_password'] = external_admin_password
+ ranger_env['ranger_admin_username'] = external_ranger_admin_username
+ ranger_env['ranger_admin_password'] = external_ranger_admin_password
+
+ ranger_plugin_properties = config['configurations']['ranger-yarn-plugin-properties']
+ policy_user = config['configurations']['ranger-yarn-plugin-properties']['policy_user']
+ yarn_rest_url = config['configurations']['yarn-site']['yarn.resourcemanager.webapp.address']
+
+ ranger_plugin_config = {
+ 'username' : config['configurations']['ranger-yarn-plugin-properties']['REPOSITORY_CONFIG_USERNAME'],
+ 'password' : unicode(config['configurations']['ranger-yarn-plugin-properties']['REPOSITORY_CONFIG_PASSWORD']),
+ 'yarn.url' : format('{scheme}://{yarn_rest_url}'),
+ 'commonNameForCertificate' : config['configurations']['ranger-yarn-plugin-properties']['common.name.for.certificate']
+ }
+
+ yarn_ranger_plugin_repo = {
+ 'isEnabled': 'true',
+ 'configs': ranger_plugin_config,
+ 'description': 'yarn repo',
+ 'name': repo_name,
+ 'repositoryType': 'yarn',
+ 'type': 'yarn',
+ 'assetType': '1'
+ }
+
+ if stack_supports_ranger_kerberos:
+ ranger_plugin_config['ambari.service.check.user'] = policy_user
+ ranger_plugin_config['hadoop.security.authentication'] = 'kerberos' if security_enabled else 'simple'
+
+ if stack_supports_ranger_kerberos and security_enabled:
+ ranger_plugin_config['policy.download.auth.users'] = yarn_user
+ ranger_plugin_config['tag.download.auth.users'] = yarn_user
+
+ downloaded_custom_connector = None
+ previous_jdbc_jar_name = None
+ driver_curl_source = None
+ driver_curl_target = None
+ previous_jdbc_jar = None
+
+ if has_ranger_admin and stack_supports_ranger_audit_db:
+ xa_audit_db_flavor = config['configurations']['admin-properties']['DB_FLAVOR']
+ jdbc_jar_name, previous_jdbc_jar_name, audit_jdbc_url, jdbc_driver = get_audit_configs(config)
downloaded_custom_connector = format("{tmp_dir}/{jdbc_jar_name}") if stack_supports_ranger_audit_db else None
driver_curl_source = format("{jdk_location}/{jdbc_jar_name}") if stack_supports_ranger_audit_db else None
driver_curl_target = format("{hadoop_yarn_home}/lib/{jdbc_jar_name}") if stack_supports_ranger_audit_db else None
previous_jdbc_jar = format("{hadoop_yarn_home}/lib/{previous_jdbc_jar_name}") if stack_supports_ranger_audit_db else None
+ xa_audit_db_is_enabled = False
+ if xml_configurations_supported and stack_supports_ranger_audit_db:
+ xa_audit_db_is_enabled = config['configurations']['ranger-yarn-audit']['xasecure.audit.destination.db']
+
+ xa_audit_hdfs_is_enabled = config['configurations']['ranger-yarn-audit']['xasecure.audit.destination.hdfs'] if xml_configurations_supported else False
+ ssl_keystore_password = config['configurations']['ranger-yarn-policymgr-ssl']['xasecure.policymgr.clientssl.keystore.password'] if xml_configurations_supported else None
+ ssl_truststore_password = config['configurations']['ranger-yarn-policymgr-ssl']['xasecure.policymgr.clientssl.truststore.password'] if xml_configurations_supported else None
+ credential_file = format('/etc/ranger/{repo_name}/cred.jceks')
+
+ # for SQLA explicitly disable audit to DB for Ranger
+ if has_ranger_admin and stack_supports_ranger_audit_db and xa_audit_db_flavor == 'sqla':
xa_audit_db_is_enabled = False
- ranger_audit_solr_urls = config['configurations']['ranger-admin-site']['ranger.audit.solr.urls']
- if xml_configurations_supported and stack_supports_ranger_audit_db:
- xa_audit_db_is_enabled = config['configurations']['ranger-yarn-audit']['xasecure.audit.destination.db']
- xa_audit_hdfs_is_enabled = config['configurations']['ranger-yarn-audit']['xasecure.audit.destination.hdfs'] if xml_configurations_supported else None
- ssl_keystore_password = unicode(config['configurations']['ranger-yarn-policymgr-ssl']['xasecure.policymgr.clientssl.keystore.password']) if xml_configurations_supported else None
- ssl_truststore_password = unicode(config['configurations']['ranger-yarn-policymgr-ssl']['xasecure.policymgr.clientssl.truststore.password']) if xml_configurations_supported else None
- credential_file = format('/etc/ranger/{repo_name}/cred.jceks') if xml_configurations_supported else None
-
- #For SQLA explicitly disable audit to DB for Ranger
- if xa_audit_db_flavor == 'sqla':
- xa_audit_db_is_enabled = False
+
+# ranger yarn plugin end section
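Review bot: The external-Ranger branch (`if not has_ranger_admin and enable_ranger_yarn:`) falls back to well-known credentials when the plugin properties are absent: `external_admin_password` defaults to `'admin'` and `external_ranger_admin_password` to `'amb_ranger_admin'`, so a cluster pointed at an external Ranger with these properties unset authenticates with guessable passwords and the misconfiguration goes unnoticed. Default both passwords to `None` and fail with a clear message before `ranger_env` is built, e.g. `external_admin_password = default('/configurations/ranger-yarn-plugin-properties/external_admin_password', None)`. Separately, `xa_audit_db_flavor` is now read without the `.lower()` that the removed code applied, yet the later check still compares against `'sqla'`. If `DB_FLAVOR` is stored in upper case, the SQLA audit-to-DB disable never fires, so compare with `xa_audit_db_flavor.lower() == 'sqla'`.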
http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/resourcemanager.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/resourcemanager.py b/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/resourcemanager.py
index 3207f27..f2e6660 100644
--- a/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/resourcemanager.py
+++ b/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/resourcemanager.py
@@ -115,7 +115,7 @@ class ResourcemanagerDefault(Resourcemanager):
env.set_params(params)
self.configure(env) # FOR SECURITY
- if params.has_ranger_admin and params.is_supported_yarn_ranger:
+ if params.enable_ranger_yarn and params.is_supported_yarn_ranger:
setup_ranger_yarn() #Ranger Yarn Plugin related calls
# wait for active-dir and done-dir to be created by ATS if needed
http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/setup_ranger_yarn.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/setup_ranger_yarn.py b/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/setup_ranger_yarn.py
index 6ea7f82..d29e4dc 100644
--- a/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/setup_ranger_yarn.py
+++ b/ambari-server/src/main/resources/common-services/YARN/2.1.0.2.0/package/scripts/setup_ranger_yarn.py
@@ -19,7 +19,7 @@ from resource_management.core.logger import Logger
def setup_ranger_yarn():
import params
- if params.has_ranger_admin:
+ if params.enable_ranger_yarn:
from resource_management.libraries.functions.setup_ranger_plugin_xml import setup_ranger_plugin
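Review bot: The new guard `if params.enable_ranger_yarn:` is weaker than the condition under which params_linux.py defines the plugin values, which appears to be `enable_ranger_yarn and is_supported_yarn_ranger` (indentation is lost in this listing, so the extent of that block is inferred). The caller shown in resourcemanager.py checks both flags, but any other caller reaching this function on a stack without YARN plugin support would reference params attributes that were never set. Writing the guard as `if params.enable_ranger_yarn and params.is_supported_yarn_ranger:` keeps the two files in step. The body of `setup_ranger_yarn` continues outside this hunk.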
@@ -68,4 +68,4 @@ def setup_ranger_yarn():
component_user_keytab=params.rm_keytab if params.security_enabled else None
)
else:
- Logger.info('Ranger admin not installed')
+ Logger.info('Ranger Yarn plugin is not enabled')
http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json b/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json
index a64af73..6801d5a 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json
+++ b/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json
@@ -122,7 +122,7 @@
"name": "ranger_audit_db_support",
"description": "Ranger Audit to DB support",
"min_version": "2.2.0.0",
- "max_version": "2.5.0.0"
+ "max_version": "2.4.99.99"
},
{
"name": "accumulo_kerberos_user_auth",
@@ -334,6 +334,21 @@
"min_version": "2.6.0.0"
},
{
+ "name": "ranger_xml_configuration",
+ "description": "Ranger code base support xml configurations",
+ "min_version": "2.3.0.0"
+ },
+ {
+ "name": "kafka_ranger_plugin_support",
+ "description": "Ambari stack changes for Ranger Kafka Plugin (AMBARI-11299)",
+ "min_version": "2.3.0.0"
+ },
+ {
+ "name": "yarn_ranger_plugin_support",
+ "description": "Implement Stack changes for Ranger Yarn Plugin integration (AMBARI-10866)",
+ "min_version": "2.3.0.0"
+ },
+ {
"name": "ranger_solr_config_support",
"description": "Showing Ranger solrconfig.xml on UI",
"min_version": "2.6.0.0"
http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/stacks/HDP/2.2/services/HBASE/configuration/ranger-hbase-plugin-properties.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2/services/HBASE/configuration/ranger-hbase-plugin-properties.xml b/ambari-server/src/main/resources/stacks/HDP/2.2/services/HBASE/configuration/ranger-hbase-plugin-properties.xml
index 960c751..0de538d 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.2/services/HBASE/configuration/ranger-hbase-plugin-properties.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.2/services/HBASE/configuration/ranger-hbase-plugin-properties.xml
@@ -26,7 +26,7 @@
<value-attributes>
<empty-value-valid>true</empty-value-valid>
</value-attributes>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>policy_user</name>
@@ -39,7 +39,7 @@
</property>
</depends-on>
<description>This user must be system user and also present at Ranger admin portal</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>ranger-hbase-plugin-enabled</name>
@@ -56,14 +56,14 @@
<name>ranger-hbase-plugin-enabled</name>
</property>
</depends-on>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>REPOSITORY_CONFIG_USERNAME</name>
<value>hbase</value>
<display-name>Ranger repository config user</display-name>
<description>Used for repository creation on ranger admin</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>REPOSITORY_CONFIG_PASSWORD</name>
@@ -74,7 +74,7 @@
<value-attributes>
<type>password</type>
</value-attributes>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>XAAUDIT.DB.IS_ENABLED</name>
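Review bot: Setting `on-ambari-upgrade add="true"` on the `password`-typed property here (apparently `REPOSITORY_CONFIG_PASSWORD`, whose name line closes the previous hunk) means an Ambari upgrade will add it, with the stack's default value, to clusters that lack it. The `<value>` line is outside this hunk, so whether that default is empty cannot be seen here. If it is a fixed non-empty string, every upgraded cluster receives the same known repository password, so confirm the default is blank or keep this one property at `add="false"` and require the operator to set it. The same flip is applied to the password property in the HDFS and Hive plugin-properties files later in this commit.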
http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/ranger-hdfs-plugin-properties.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/ranger-hdfs-plugin-properties.xml b/ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/ranger-hdfs-plugin-properties.xml
index c57c5f0..7460d26 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/ranger-hdfs-plugin-properties.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/configuration/ranger-hdfs-plugin-properties.xml
@@ -17,7 +17,7 @@
<display-name>Policy user for HDFS</display-name>
<description>This user must be system user and also present at Ranger
admin portal</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>hadoop.rpc.protection</name>
@@ -27,7 +27,7 @@
<value-attributes>
<empty-value-valid>true</empty-value-valid>
</value-attributes>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>common.name.for.certificate</name>
@@ -36,7 +36,7 @@
<value-attributes>
<empty-value-valid>true</empty-value-valid>
</value-attributes>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>ranger-hdfs-plugin-enabled</name>
@@ -53,7 +53,7 @@
<type>boolean</type>
<overridable>false</overridable>
</value-attributes>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>REPOSITORY_CONFIG_USERNAME</name>
@@ -61,7 +61,7 @@
<display-name>Ranger repository config user</display-name>
<description>Used for repository creation on ranger admin
</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>REPOSITORY_CONFIG_PASSWORD</name>
@@ -73,7 +73,7 @@
<value-attributes>
<type>password</type>
</value-attributes>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>XAAUDIT.DB.IS_ENABLED</name>
http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/stacks/HDP/2.2/services/HIVE/configuration/ranger-hive-plugin-properties.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2/services/HIVE/configuration/ranger-hive-plugin-properties.xml b/ambari-server/src/main/resources/stacks/HDP/2.2/services/HIVE/configuration/ranger-hive-plugin-properties.xml
index 830c539..0db5565 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.2/services/HIVE/configuration/ranger-hive-plugin-properties.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.2/services/HIVE/configuration/ranger-hive-plugin-properties.xml
@@ -24,13 +24,13 @@
<value>ambari-qa</value>
<display-name>Policy user for HIVE</display-name>
<description>This user must be system user and also present at Ranger admin portal</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>jdbc.driverClassName</name>
<value>org.apache.hive.jdbc.HiveDriver</value>
<description>Used for repository creation on ranger admin</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>common.name.for.certificate</name>
@@ -39,14 +39,14 @@
<value-attributes>
<empty-value-valid>true</empty-value-valid>
</value-attributes>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>REPOSITORY_CONFIG_USERNAME</name>
<value>hive</value>
<display-name>Ranger repository config user</display-name>
<description>Used for repository creation on ranger admin</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>REPOSITORY_CONFIG_PASSWORD</name>
@@ -57,7 +57,7 @@
<value-attributes>
<type>password</type>
</value-attributes>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
<property>
<name>XAAUDIT.DB.IS_ENABLED</name>
http://git-wip-us.apache.org/repos/asf/ambari/blob/1524fd77/ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/configuration/ranger-knox-plugin-properties.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/configuration/ranger-knox-plugin-properties.xml b/ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/configuration/ranger-knox-plugin-properties.xml
index d5880dd..ad2b1e4 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/configuration/ranger-knox-plugin-properties.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.2/services/KNOX/configuration/ranger-knox-plugin-properties.xml
@@ -24,6 +24,6 @@
<value>/usr/hdp/current/knox-server</value>
<display-name>Knox Home</display-name>
<description>Knox home folder</description>
- <on-ambari-upgrade add="false"/>
+ <on-ambari-upgrade add="true"/>
</property>
</configuration>