Posted to commits@ambari.apache.org by ol...@apache.org on 2017/02/16 19:29:27 UTC
ambari git commit: AMBARI-20013. Add Solr authorization settings
during LogSearch/Atlas/Ranger startup (oleewere)
Repository: ambari
Updated Branches:
refs/heads/trunk bfaaba2fa -> 347ba2a99
AMBARI-20013. Add Solr authorization settings during LogSearch/Atlas/Ranger startup (oleewere)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/347ba2a9
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/347ba2a9
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/347ba2a9
Branch: refs/heads/trunk
Commit: 347ba2a9983d400cddf4d888e7f8c15d72b71d5a
Parents: bfaaba2
Author: oleewere <ol...@gmail.com>
Authored: Mon Feb 13 18:34:50 2017 +0100
Committer: oleewere <ol...@gmail.com>
Committed: Thu Feb 16 20:18:59 2017 +0100
----------------------------------------------------------------------
.../libraries/functions/solr_cloud_util.py | 110 ++++++++++++++++++-
.../configuration/infra-solr-security-json.xml | 82 +++++++++++---
.../0.1.0/package/scripts/params.py | 9 +-
.../0.1.0/package/scripts/setup_infra_solr.py | 17 ++-
.../templates/infra-solr-security.json.j2 | 68 ++++++++++++
.../properties/infra-solr-security.json.j2 | 68 ------------
.../ATLAS/0.1.0.2.3/package/scripts/metadata.py | 20 ++++
.../ATLAS/0.1.0.2.3/package/scripts/params.py | 3 +
.../ATLAS/0.7.0.2.5/kerberos.json | 3 +
.../LOGSEARCH/0.5.0/kerberos.json | 39 ++++---
.../LOGSEARCH/0.5.0/package/scripts/params.py | 5 +
.../0.5.0/package/scripts/setup_logsearch.py | 22 +++-
.../RANGER/0.4.0/package/scripts/params.py | 3 +
.../0.4.0/package/scripts/setup_ranger_xml.py | 41 +++++++
.../common-services/RANGER/0.6.0/kerberos.json | 3 +
.../stacks/2.3/ATLAS/test_metadata_server.py | 8 ++
.../test/python/stacks/2.3/configs/secure.json | 7 +-
.../stacks/2.4/AMBARI_INFRA/test_infra_solr.py | 4 +-
.../stacks/2.4/LOGSEARCH/test_logsearch.py | 3 +-
.../stacks/2.5/RANGER/test_ranger_admin.py | 11 ++
.../stacks/2.6/RANGER/test_ranger_admin.py | 9 ++
21 files changed, 418 insertions(+), 117 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-common/src/main/python/resource_management/libraries/functions/solr_cloud_util.py
----------------------------------------------------------------------
diff --git a/ambari-common/src/main/python/resource_management/libraries/functions/solr_cloud_util.py b/ambari-common/src/main/python/resource_management/libraries/functions/solr_cloud_util.py
index 4628211..1eeb86b 100644
--- a/ambari-common/src/main/python/resource_management/libraries/functions/solr_cloud_util.py
+++ b/ambari-common/src/main/python/resource_management/libraries/functions/solr_cloud_util.py
@@ -17,12 +17,17 @@ limitations under the License.
"""
import random
+import json
+from random import randrange
from ambari_commons.constants import AMBARI_SUDO_BINARY
from ambari_jinja2 import Environment as JinjaEnvironment
+from resource_management.libraries.functions import get_kinit_path
from resource_management.libraries.functions.default import default
from resource_management.libraries.functions.format import format
from resource_management.core.resources.system import Directory, Execute, File
from resource_management.core.source import StaticFile
+from resource_management.core.shell import as_sudo
+from resource_management.core.logger import Logger
__all__ = ["upload_configuration_to_zk", "create_collection", "setup_kerberos", "set_cluster_prop",
"setup_kerberos_plugin", "create_znode", "check_znode", "secure_solr_znode", "secure_znode"]
@@ -163,13 +168,16 @@ def set_cluster_prop(zookeeper_quorum, solr_znode, prop_name, prop_value, java64
set_cluster_prop_cmd+=format(' --jaas-file {jaas_file}')
Execute(set_cluster_prop_cmd)
-def secure_znode(zookeeper_quorum, solr_znode, jaas_file, java64_home, sasl_users=[]):
+def secure_znode(config, zookeeper_quorum, solr_znode, jaas_file, java64_home, sasl_users=[], retry = 5 , interval = 10):
"""
- Secure znode, set a list of sasl users acl to 'cdrwa', and set acl to 'r' only for the world.
+ Secure znode, set a list of sasl users acl to 'cdrwa', and set acl to 'r' only for the world.
+ Add infra-solr user by default if its available.
"""
solr_cli_prefix = __create_solr_cloud_cli_prefix(zookeeper_quorum, solr_znode, java64_home, True)
- sasl_users_str = ",".join(str(x) for x in sasl_users)
- secure_znode_cmd = format('{solr_cli_prefix} --secure-znode --jaas-file {jaas_file} --sasl-users {sasl_users_str}')
+ if "infra-solr-env" in config['configurations']:
+ sasl_users.append(__get_name_from_principal(config['configurations']['infra-solr-env']['infra_solr_kerberos_principal']))
+ sasl_users_str = ",".join(str(__get_name_from_principal(x)) for x in sasl_users)
+ secure_znode_cmd = format('{solr_cli_prefix} --secure-znode --jaas-file {jaas_file} --sasl-users {sasl_users_str} --retry {retry} --interval {interval}')
Execute(secure_znode_cmd)
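Review bot: `sasl_users.append(...)` mutates the argument in place, and because the parameter still defaults to `sasl_users=[]`, every call that relies on the default grows the same shared list, so the infra-solr name is added again on each call within one process. Copy before appending, e.g. `sasl_users = list(sasl_users)` as the first statement, so that neither the default nor a caller's list is changed. Inserting `config` as the first positional parameter also changes the meaning of any existing positional call to `secure_znode`; callers outside this diff should be checked, or the new argument passed by keyword as the Atlas wrapper in this commit does. The names derived from principals are interpolated into the shell command unquoted, so the docstring should state that they are expected to be plain Kerberos short names.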
@@ -243,3 +251,97 @@ def setup_solr_client(config, custom_log4j = True, custom_log_location = None, l
mode=0664,
content=''
)
+
+def __get_name_from_principal(principal):
+ if not principal: # return if empty
+ return principal
+ slash_split = principal.split('/')
+ if len(slash_split) == 2:
+ return slash_split[0]
+ else:
+ at_split = principal.split('@')
+ return at_split[0]
+
+def __remove_host_from_principal(principal, realm):
+ if not realm:
+ raise Exception("Realm parameter is missing.")
+ if not principal:
+ raise Exception("Principal parameter is missing.")
+ username=__get_name_from_principal(principal)
+ at_split = principal.split('@')
+ if len(at_split) == 2:
+ realm = at_split[1]
+ return format('{username}@{realm}')
+
+def __get_random_solr_host(actual_host, solr_hosts = []):
+ """
+ Get a random solr host, use the actual one, if there is an installed infra solr there (helps blueprint installs)
+ If there is only one solr host on the cluster, use that.
+ """
+ if not solr_hosts:
+ raise Exception("Solr hosts parameter is empty.")
+ if len(solr_hosts) == 1:
+ return solr_hosts[0]
+ if actual_host in solr_hosts:
+ return actual_host
+ else:
+ random_index = randrange(0, len(solr_hosts))
+ return solr_hosts[random_index]
+
+def add_solr_roles(config, roles = [], new_service_principals = [], tries = 30, try_sleep = 10):
+ """
+ Set user-role mappings based on roles and principal users for secured cluster. Use solr REST API to check is there any authoirzation enabled,
+ if it is then update the user-roles mapping for Solr (this will upgrade the solr_znode/security.json file).
+ In case of custom security.json is used for infra-solr, this step will be skipped.
+ """
+ sudo = AMBARI_SUDO_BINARY
+ solr_hosts = default_config(config, "/clusterHostInfo/infra_solr_hosts", [])
+ security_enabled = config['configurations']['cluster-env']['security_enabled']
+ solr_ssl_enabled = default_config(config, 'configurations/infra-solr-env/infra_solr_ssl_enabled', False)
+ solr_port = default_config(config, 'configurations/infra-solr-env/infra_solr_port', '8886')
+ kinit_path_local = get_kinit_path(default_config(config, '/configurations/kerberos-env/executable_search_paths', None))
+ infra_solr_custom_security_json_content = None
+
+ if 'infra-solr-security-json' in config['configurations']:
+ infra_solr_custom_security_json_content = config['configurations']['infra-solr-security-json']['content']
+
+ Logger.info(format("Adding {roles} roles to {new_service_principals} if infra-solr is installed."))
+ if infra_solr_custom_security_json_content and str(infra_solr_custom_security_json_content).strip():
+ Logger.info("Custom security.json is not empty for infra-solr, skip adding roles...")
+ elif security_enabled \
+ and "infra-solr-env" in config['configurations'] \
+ and solr_hosts is not None \
+ and len(solr_hosts) > 0:
+ solr_protocol = "https" if solr_ssl_enabled else "http"
+ hostname = config['hostname'].lower()
+ solr_host = __get_random_solr_host(hostname, solr_hosts)
+ solr_url = format("{solr_protocol}://{solr_host}:{solr_port}/solr/admin/authorization")
+ solr_user_keytab = config['configurations']['infra-solr-env']['infra_solr_kerberos_keytab']
+ solr_user_principal = config['configurations']['infra-solr-env']['infra_solr_kerberos_principal'].replace('_HOST', hostname)
+ solr_user_kinit_cmd = format("{kinit_path_local} -kt {solr_user_keytab} {solr_user_principal};")
+ solr_authorization_enabled_cmd=format("{sudo} {solr_user_kinit_cmd} {sudo} curl -k -s --negotiate -u : {solr_protocol}://{solr_host}:{solr_port}/solr/admin/authorization | grep authorization.enabled")
+
+ if len(new_service_principals) > 0:
+ new_service_users = []
+
+ kerberos_realm = config['configurations']['kerberos-env']['realm']
+ for new_service_user in new_service_principals:
+ new_service_users.append(__remove_host_from_principal(new_service_user, kerberos_realm))
+ user_role_map = {}
+
+ for new_service_user in new_service_users:
+ user_role_map[new_service_user] = roles
+
+ Logger.info(format("New service users after removing fully qualified names: {new_service_users}"))
+
+ set_user_role_map = {}
+ set_user_role_map['set-user-role'] = user_role_map
+ set_user_role_json = json.dumps(set_user_role_map)
+
+ add_solr_role_cmd = format("{sudo} {solr_user_kinit_cmd} {sudo} curl -H 'Content-type:application/json' -d '{set_user_role_json}' -s -o /dev/null -w'%{{http_code}}' --negotiate -u: -k {solr_url} | grep 200")
+
+ Logger.info(format("Check authorization enabled command: {solr_authorization_enabled_cmd} \nSet user-role settings command: {add_solr_role_cmd}"))
+ Execute(solr_authorization_enabled_cmd + " && "+ add_solr_role_cmd,
+ tries=tries,
+ try_sleep=try_sleep,
+ logoutput=True)
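Review bot: In `add_solr_roles` both curl invocations pass `-k`, so when `infra_solr_ssl_enabled` is true the `authorization.enabled` check and the `set-user-role` update are sent to a host whose certificate is never verified. Prefer dropping `-k` and giving curl the cluster CA bundle with `--cacert` (the path would have to come from configuration; none is visible in this hunk). `set_user_role_json` is placed between hand-written single quotes inside the shell string, so a principal or role name containing `'` would end the quoting; build that argument with `pipes.quote(set_user_role_json)` instead. Because the two commands are joined with `&&` and retried with `tries=30` and `try_sleep=10`, a Solr that has no authorization enabled appears to cost the calling service about five minutes before the step gives up, which deserves a line in the docstring. The docstring typo `authoirzation` can be corrected at the same time.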
http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml b/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml
index e193a8c..e99d961 100644
--- a/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml
+++ b/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml
@@ -26,9 +26,12 @@
<display-name>Ranger audit service users</display-name>
<value>{default_ranger_audit_users}</value>
<description>
- List of comma separated kerberos service users who can write into ranger audit collections if the cluster is secure. (atlas and rangeradmin supported by default)
- Change values in that case of custom values are used for kerberos principals. (default_ranger_audit_users is resolved ranger-*-audit/xasecure.audit.jaas.Client.option.principal,
- by default namenode, hbase, hive knox, kafka, ranger kms and nifi are supported, to change it you can edit the security content,
+ List of comma separated kerberos service users who can write into ranger audit collections if the cluster is
+ secure. (atlas and rangeradmin supported by default)
+ Change values in that case of custom values are used for kerberos principals. (default_ranger_audit_users is
+ resolved ranger-*-audit/xasecure.audit.jaas.Client.option.principal,
+ by default namenode, hbase, hive knox, kafka, ranger kms and nifi are supported, to change it you can edit the
+ security content,
or add a new username next to the default value, e.g.: {default_ranger_audit_users},customuser)
</description>
<depends-on>
@@ -68,20 +71,6 @@
<type>ranger-nifi-audit</type>
<name>xasecure.audit.jaas.Client.option.principal</name>
</property>
- </depends-on>
- <on-ambari-upgrade add="true"/>
- </property>
- <property>
- <name>content</name>
- <display-name>security.json template</display-name>
- <description>This is the jinja template for security.json file on the solr znode (only used if the cluster is secure)</description>
- <value/>
- <property-type>VALUE_FROM_PROPERTY_FILE</property-type>
- <value-attributes>
- <property-file-name>infra-solr-security.json.j2</property-file-name>
- <property-file-type>text</property-file-type>
- </value-attributes>
- <depends-on>
<property>
<type>application-properties</type>
<name>atlas.authentication.principal</name>
@@ -93,4 +82,63 @@
</depends-on>
<on-ambari-upgrade add="true"/>
</property>
+ <property>
+ <name>infra_solr_role_ranger_admin</name>
+ <display-name>Ranger admin role</display-name>
+ <value>ranger_admin_user</value>
+ <description>Ranger admin role, it allows users to create collection, and perform any action on ranger audit collection.</description>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>infra_solr_role_ranger_audit</name>
+ <display-name>Ranger audit role</display-name>
+ <value>ranger_audit_user</value>
+ <description>Ranger audit role, it allows users to perform any action on ranger audit collection.</description>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>infra_solr_role_atlas</name>
+ <display-name>Atlas role</display-name>
+ <value>atlas_user</value>
+ <description>Atlas role, it allows users to create collection, and perform any action on atlas collections.</description>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>infra_solr_role_logsearch</name>
+ <display-name>Log Search role</display-name>
+ <value>logsearch_user</value>
+ <description>Log Search role, it allows users to create collection, and perform any action on Log Search collections.</description>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>infra_solr_role_logfeeder</name>
+ <display-name>Log Feeder role</display-name>
+ <value>logfeeder_user</value>
+ <description>Log Feeder role, it allows users to perform any action on Log Search collections.</description>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>infra_solr_role_dev</name>
+ <display-name>Dev role</display-name>
+ <value>dev</value>
+ <description>Dev role, it allows to perform any read action on any collection.</description>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>content</name>
+ <display-name>Custom security.json template</display-name>
+ <description>
+ This is the jinja template for custom security.json file on the solr znode
+ (only used if the cluster is secure and this property overrides the security.json which generated during solr
+ start).
+ </description>
+ <value>
+ </value>
+ <value-attributes>
+ <type>content</type>
+ <show-property-name>false</show-property-name>
+ <empty-value-valid>true</empty-value-valid>
+ </value-attributes>
+ <on-ambari-upgrade add="true"/>
+ </property>
</configuration>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py b/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py
index ab9aa61..acf420e 100644
--- a/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py
+++ b/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py
@@ -129,7 +129,7 @@ if security_enabled:
ranger_audit_principals.append(default('configurations/ranger-hive-audit/' + ranger_audit_principal_conf_key, 'hive'))
ranger_audit_principals.append(default('configurations/ranger-knox-audit/' + ranger_audit_principal_conf_key, 'knox'))
ranger_audit_principals.append(default('configurations/ranger-kafka-audit/' + ranger_audit_principal_conf_key, 'kafka'))
- ranger_audit_principals.append(default('configurations/ranger-kms-audit/' + ranger_audit_principal_conf_key, 'kms'))
+ ranger_audit_principals.append(default('configurations/ranger-kms-audit/' + ranger_audit_principal_conf_key, 'rangerkms'))
ranger_audit_principals.append(default('configurations/ranger-storm-audit/' + ranger_audit_principal_conf_key, 'storm'))
ranger_audit_principals.append(default('configurations/ranger-yarn-audit/' + ranger_audit_principal_conf_key, 'yarn'))
ranger_audit_principals.append(default('configurations/ranger-nifi-audit/' + ranger_audit_principal_conf_key, 'nifi'))
@@ -160,3 +160,10 @@ logsearch_kerberos_service_user = get_name_from_principal(default('configuration
logfeeder_kerberos_service_user = get_name_from_principal(default('configurations/logfeeder-env/logfeeder_kerberos_principal', 'logfeeder'))
infra_solr_kerberos_service_user = get_name_from_principal(default('configurations/infra-solr-env/infra_solr_kerberos_principal', 'infra-solr'))
+infra_solr_role_ranger_admin = default('configurations/infra-solr-security-json/infra_solr_role_ranger_admin', 'ranger_user')
+infra_solr_role_ranger_audit = default('configurations/infra-solr-security-json/infra_solr_role_ranger_audit', 'ranger_audit_user')
+infra_solr_role_atlas = default('configurations/infra-solr-security-json/infra_solr_role_atlas', 'atlas_user')
+infra_solr_role_logsearch = default('configurations/infra-solr-security-json/infra_solr_role_logsearch', 'logsearch_user')
+infra_solr_role_logfeeder = default('configurations/infra-solr-security-json/infra_solr_role_logfeeder', 'logfeeder_user')
+infra_solr_role_dev = default('configurations/infra-solr-security-json/infra_solr_role_dev', 'dev')
+
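Review bot: The fallback for `infra_solr_role_ranger_admin` is `'ranger_user'`, while the property of the same name added to infra-solr-security-json.xml in this commit defaults to `ranger_admin_user`; the two should agree, e.g. `default('configurations/infra-solr-security-json/infra_solr_role_ranger_admin', 'ranger_admin_user')`. Where the configuration type is absent, the role name rendered into security.json could then differ from the one another service passes to `add_solr_roles`, leaving a principal mapped to a role that no permission references. Several of these defaults are repeated in the ATLAS params.py in this commit, so a shared constant would keep them from drifting apart.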
http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/setup_infra_solr.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/setup_infra_solr.py b/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/setup_infra_solr.py
index 8d72f42..f3dbcf3 100644
--- a/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/setup_infra_solr.py
+++ b/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/setup_infra_solr.py
@@ -72,13 +72,12 @@ def setup_infra_solr(name = None):
group=params.user_group
)
- security_json_file_location = format("{infra_solr_conf}/security.json")
-
- File(security_json_file_location,
+ custom_security_json_location = format("{infra_solr_conf}/custom-security.json")
+ File(custom_security_json_location,
content=InlineTemplate(params.infra_solr_security_json_content),
owner=params.infra_solr_user,
group=params.user_group,
- mode=0644
+ mode=0640
)
jaas_file = params.infra_solr_jaas_file if params.security_enabled else None
@@ -86,11 +85,21 @@ def setup_infra_solr(name = None):
create_ambari_solr_znode()
+ security_json_file_location = custom_security_json_location \
+ if params.infra_solr_security_json_content and str(params.infra_solr_security_json_content).strip() \
+ else format("{infra_solr_conf}/security.json") # security.json file to upload
+
if params.security_enabled:
File(format("{infra_solr_jaas_file}"),
content=Template("infra_solr_jaas.conf.j2"),
owner=params.infra_solr_user)
+ File(format("{infra_solr_conf}/security.json"),
+ content=Template("infra-solr-security.json.j2"),
+ owner=params.infra_solr_user,
+ group=params.user_group,
+ mode=0640)
+
solr_cloud_util.set_cluster_prop(
zookeeper_quorum=params.zookeeper_quorum,
solr_znode=params.infra_solr_znode,
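Review bot: The selection of `security_json_file_location` repeats the "content is set and not only whitespace" test that `add_solr_roles` in solr_cloud_util.py also performs, and it is written as a backslash-continued conditional expression with a trailing comment. An explicit `if`/`else`, or a small shared helper (for example `has_custom_security_json(content)`), would keep the two checks from diverging. If they ever disagree, Solr could be started with the custom file while role updates are still attempted against it, or the reverse. `setup_infra_solr` continues outside the hunk, so the place where the chosen path is uploaded is not visible here.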
http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/templates/infra-solr-security.json.j2
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/templates/infra-solr-security.json.j2 b/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/templates/infra-solr-security.json.j2
new file mode 100644
index 0000000..65d38e9
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/templates/infra-solr-security.json.j2
@@ -0,0 +1,68 @@
+{#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#}
+{
+ "authentication": {
+ "class": "org.apache.solr.security.KerberosPlugin"
+ },
+ "authorization": {
+ "class": "org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin",
+ "user-role": {
+ "{{infra_solr_kerberos_service_user}}@{{kerberos_realm}}": "admin",
+ "{{logsearch_kerberos_service_user}}@{{kerberos_realm}}": ["{{infra_solr_role_logsearch}}", "{{infra_solr_role_ranger_admin}}", "{{infra_solr_role_dev}}"],
+ "{{logfeeder_kerberos_service_user}}@{{kerberos_realm}}": ["{{infra_solr_role_logfeeder}}", "{{infra_solr_role_dev}}"],
+ "{{atlas_kerberos_service_user}}@{{kerberos_realm}}": ["{{infra_solr_role_atlas}}", "{{infra_solr_role_ranger_audit}}", "{{infra_solr_role_dev}}"],
+{% if infra_solr_ranger_audit_service_users %}
+{% for ranger_audit_service_user in infra_solr_ranger_audit_service_users %}
+ "{{ranger_audit_service_user}}@{{kerberos_realm}}": ["{{infra_solr_role_ranger_audit}}", "{{infra_solr_role_dev}}"],
+{% endfor %}
+{% endif %}
+ "{{ranger_admin_kerberos_service_user}}@{{kerberos_realm}}": ["{{infra_solr_role_ranger_admin}}", "{{infra_solr_role_ranger_audit}}", "{{infra_solr_role_dev}}"]
+ },
+ "permissions": [
+ {
+ "name" : "collection-admin-read",
+ "role" :null
+ },
+ {
+ "name" : "collection-admin-edit",
+ "role" : ["admin", "{{infra_solr_role_logsearch}}", "{{infra_solr_role_logfeeder}}", "{{infra_solr_role_atlas}}", "{{infra_solr_role_ranger_admin}}"]
+ },
+ {
+ "name":"read",
+ "role": "{{infra_solr_role_dev}}"
+ },
+ {
+ "collection": ["{{logsearch_service_logs_collection}}", "{{logsearch_audit_logs_collection}}", "history"],
+ "role": ["admin", "{{infra_solr_role_logsearch}}", "{{infra_solr_role_logfeeder}}"],
+ "name": "logsearch-manager",
+ "path": "/*"
+ },
+ {
+ "collection": ["vertex_index", "edge_index", "fulltext_index"],
+ "role": ["admin", "{{infra_solr_role_atlas}}"],
+ "name": "atlas-manager",
+ "path": "/*"
+ },
+ {
+ "collection": "{{ranger_solr_collection_name}}",
+ "role": ["admin", "{{infra_solr_role_ranger_admin}}", "{{infra_solr_role_ranger_audit}}"],
+ "name": "ranger-manager",
+ "path": "/*"
+ }]
+ }
+}
\ No newline at end of file
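Review bot: The role names are now operator-configurable, but `admin` remains a literal in the `user-role` map and in the permission `role` lists, so setting any `infra_solr_role_*` property to `admin` (for example `infra_solr_role_dev`, which every service principal receives) would silently give those principals the admin rule set. Nothing in this template or in the visible params.py rejects that value, or a name containing `"`, which would also render invalid JSON. A validation step where the values are read, refusing `admin` and anything outside a plain identifier pattern, would close both gaps. A template comment such as `{# role names must not be "admin" #}` would at least document the constraint.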
http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 b/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2
deleted file mode 100644
index ed764f0..0000000
--- a/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2
+++ /dev/null
@@ -1,68 +0,0 @@
-{#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#}
-{
- "authentication": {
- "class": "org.apache.solr.security.KerberosPlugin"
- },
- "authorization": {
- "class": "org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin",
- "user-role": {
- "{{infra_solr_kerberos_service_user}}@{{kerberos_realm}}": "admin",
- "{{logsearch_kerberos_service_user}}@{{kerberos_realm}}": ["logsearch_user", "ranger_user", "dev"],
- "{{logfeeder_kerberos_service_user}}@{{kerberos_realm}}": ["logfeeder_user", "dev"],
- "{{atlas_kerberos_service_user}}@{{kerberos_realm}}": ["atlas_user", "ranger_audit_user", "dev"],
-{% if infra_solr_ranger_audit_service_users %}
-{% for ranger_audit_service_user in infra_solr_ranger_audit_service_users %}
- "{{ranger_audit_service_user}}@{{kerberos_realm}}": ["ranger_audit_user", "dev"],
-{% endfor %}
-{% endif %}
- "{{ranger_admin_kerberos_service_user}}@{{kerberos_realm}}": ["ranger_user", "ranger_audit_user", "dev"]
- },
- "permissions": [
- {
- "name" : "collection-admin-read",
- "role" :null
- },
- {
- "name" : "collection-admin-edit",
- "role" : ["admin", "logsearch_user", "logfeeder_user", "atlas_user", "ranger_user"]
- },
- {
- "name":"read",
- "role": "dev"
- },
- {
- "collection": ["{{logsearch_service_logs_collection}}", "{{logsearch_audit_logs_collection}}", "history"],
- "role": ["admin", "logsearch_user", "logfeeder_user"],
- "name": "logsearch-manager",
- "path": "/*"
- },
- {
- "collection": ["vertex_index", "edge_index", "fulltext_index"],
- "role": ["admin", "atlas_user"],
- "name": "atlas-manager",
- "path": "/*"
- },
- {
- "collection": "{{ranger_solr_collection_name}}",
- "role": ["admin", "ranger_user", "ranger_audit_user"],
- "name": "ranger-manager",
- "path": "/*"
- }]
- }
-}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata.py b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata.py
index 2232bb2..c25445c 100644
--- a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata.py
+++ b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata.py
@@ -134,10 +134,21 @@ def metadata(type='server'):
jaasFile=params.atlas_jaas_file if params.security_enabled else None
upload_conf_set('atlas_configs', jaasFile)
+ if params.security_enabled: # update permissions before creating the collections
+ solr_cloud_util.add_solr_roles(params.config,
+ roles = [params.infra_solr_role_atlas, params.infra_solr_role_ranger_audit, params.infra_solr_role_dev],
+ new_service_principals = [params.atlas_jaas_principal])
+
create_collection('vertex_index', 'atlas_configs', jaasFile)
create_collection('edge_index', 'atlas_configs', jaasFile)
create_collection('fulltext_index', 'atlas_configs', jaasFile)
+ if params.security_enabled:
+ secure_znode(format('{infra_solr_znode}/configs/atlas_configs'), jaasFile)
+ secure_znode(format('{infra_solr_znode}/collections/vertex_index'), jaasFile)
+ secure_znode(format('{infra_solr_znode}/collections/edge_index'), jaasFile)
+ secure_znode(format('{infra_solr_znode}/collections/fulltext_index'), jaasFile)
+
File(params.atlas_hbase_setup,
group=params.user_group,
owner=params.hbase_user,
@@ -204,6 +215,15 @@ def create_collection(collection, config_set, jaasFile):
shards=params.atlas_solr_shards,
replication_factor = params.infra_solr_replication_factor)
+def secure_znode(znode, jaasFile):
+ import params
+ solr_cloud_util.secure_znode(config=params.config, zookeeper_quorum=params.zookeeper_quorum,
+ solr_znode=znode,
+ jaas_file=jaasFile,
+ java64_home=params.java64_home, sasl_users=[params.atlas_jaas_principal])
+
+
+
@retry(times=10, sleep_time=5, err_class=Fail)
def check_znode():
import params
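Review bot: The new module-level `secure_znode(znode, jaasFile)` has no docstring and shares its name with `solr_cloud_util.secure_znode`, which makes the four call sites earlier in this file easy to misread. Add a docstring such as `"""Restrict the given Solr znode to the Atlas JAAS principal via solr_cloud_util.secure_znode."""` and note there that the library function also adds the infra-solr user when `infra-solr-env` is configured. The three blank lines before `@retry` can be reduced to the spacing used elsewhere in the file. `check_znode` continues outside the hunk.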
http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py
index 682fc9f..e270733 100644
--- a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py
+++ b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py
@@ -205,6 +205,9 @@ infra_solr_hosts = default("/clusterHostInfo/infra_solr_hosts", [])
infra_solr_replication_factor = 2 if len(infra_solr_hosts) > 1 else 1
atlas_solr_shards = default("/configurations/atlas-env/atlas_solr-shards", 1)
has_infra_solr = len(infra_solr_hosts) > 0
+infra_solr_role_atlas = default('configurations/infra-solr-security-json/infra_solr_role_atlas', 'atlas_user')
+infra_solr_role_dev = default('configurations/infra-solr-security-json/infra_solr_role_dev', 'dev')
+infra_solr_role_ranger_audit = default('configurations/infra-solr-security-json/infra_solr_role_ranger_audit', 'ranger_audit_user')
# zookeeper
zookeeper_hosts = config['clusterHostInfo']['zookeeper_hosts']
http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json b/ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json
index bc8e351..d024146 100644
--- a/ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json
+++ b/ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json
@@ -87,6 +87,9 @@
},
{
"name": "/KAFKA/KAFKA_BROKER/kafka_broker"
+ },
+ {
+ "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr"
}
]
}
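Review bot: Adding the `/AMBARI_INFRA/INFRA_SOLR/infra-solr` reference presumably makes the Infra Solr service principal and keytab available on every host running this Atlas component, and in the generated security.json that principal holds the `admin` role. The reference looks necessary because `add_solr_roles` runs `kinit` locally with `infra_solr_kerberos_keytab`, but it widens where a Solr-admin credential is stored; the same reference is added to LOGSEARCH/0.5.0/kerberos.json in this commit. The trade-off should be stated in the commit description or the service documentation. The keytab's owner and group access on these hosts should also be confirmed to be as restrictive as on the Solr hosts. The surrounding identities array starts outside the hunk.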
http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json
index 49d1b10..60c8afb 100644
--- a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json
+++ b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json
@@ -11,26 +11,29 @@
{
"name": "LOGSEARCH_SERVER",
"identities": [
- {
- "name": "logsearch",
- "principal": {
- "value": "logsearch/_HOST@${realm}",
- "type": "service",
- "configuration": "logsearch-env/logsearch_kerberos_principal"
- },
- "keytab": {
- "file": "${keytab_dir}/logsearch.service.keytab",
- "owner": {
- "name": "${logsearch-env/logsearch_user}",
- "access": "r"
- },
- "group": {
- "name": "${cluster-env/user_group}",
- "access": ""
+ {
+ "name": "logsearch",
+ "principal": {
+ "value": "logsearch/_HOST@${realm}",
+ "type": "service",
+ "configuration": "logsearch-env/logsearch_kerberos_principal"
},
- "configuration": "logsearch-env/logsearch_kerberos_keytab"
+ "keytab": {
+ "file": "${keytab_dir}/logsearch.service.keytab",
+ "owner": {
+ "name": "${logsearch-env/logsearch_user}",
+ "access": "r"
+ },
+ "group": {
+ "name": "${cluster-env/user_group}",
+ "access": ""
+ },
+ "configuration": "logsearch-env/logsearch_kerberos_keytab"
+ }
+ },
+ {
+ "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr"
}
- }
]
},
{
http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py
index fecd802..a023f2f 100644
--- a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py
+++ b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py
@@ -106,6 +106,11 @@ if 'infra-solr-env' in config['configurations']:
infra_solr_ssl_enabled = default('configurations/infra-solr-env/infra_solr_ssl_enabled', False)
infra_solr_jmx_port = config['configurations']['infra-solr-env']['infra_solr_jmx_port']
+infra_solr_role_logsearch = default('configurations/infra-solr-security-json/infra_solr_role_logsearch', 'logsearch_user')
+infra_solr_role_logfeeder = default('configurations/infra-solr-security-json/infra_solr_role_logfeeder', 'logfeeder_user')
+infra_solr_role_dev = default('configurations/infra-solr-security-json/infra_solr_role_dev', 'dev')
+infra_solr_role_ranger_admin = default('configurations/infra-solr-security-json/infra_solr_role_ranger_admin', 'ranger_user')
+
_hostname_lowercase = config['hostname'].lower()
if security_enabled:
kinit_path_local = status_params.kinit_path_local
http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py
index ba91e20..f96bfd0 100644
--- a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py
+++ b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py
@@ -17,9 +17,12 @@ limitations under the License.
"""
+from resource_management.core.exceptions import Fail
from resource_management.core.resources.system import Directory, Execute, File
from resource_management.libraries.functions.format import format
from resource_management.core.source import InlineTemplate, Template
+from resource_management.libraries.functions import solr_cloud_util
+from resource_management.libraries.functions.decorator import retry
from resource_management.libraries.resources.properties_file import PropertiesFile
from resource_management.libraries.functions.security_commons import update_credential_provider_path, HADOOP_CREDENTIAL_PROVIDER_PROPERTY_NAME
@@ -110,7 +113,24 @@ def setup_logsearch():
content=Template("logsearch_jaas.conf.j2"),
owner=params.logsearch_user
)
-
Execute(("chmod", "-R", "ugo+r", format("{logsearch_server_conf}/solr_configsets")),
sudo=True
)
+ check_znode()
+
+ if params.security_enabled and not params.logsearch_use_external_solr:
+ solr_cloud_util.add_solr_roles(params.config,
+ roles = [params.infra_solr_role_logsearch, params.infra_solr_role_ranger_admin, params.infra_solr_role_dev],
+ new_service_principals = [params.logsearch_kerberos_principal])
+ solr_cloud_util.add_solr_roles(params.config,
+ roles = [params.infra_solr_role_logfeeder, params.infra_solr_role_dev],
+ new_service_principals = [params.logfeeder_kerberos_principal])
+
+@retry(times=30, sleep_time=5, err_class=Fail)
+def check_znode():
+ import params
+ solr_cloud_util.check_znode(
+ zookeeper_quorum=params.logsearch_solr_zk_quorum,
+ solr_znode=params.logsearch_solr_zk_znode,
+ java64_home=params.java64_home,
+ retry=30, interval=5)
\ No newline at end of file
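Review bot: `check_znode` retries at two levels: the `@retry(times=30, sleep_time=5, err_class=Fail)` decorator wraps a call that itself passes `retry=30, interval=5` to `solr_cloud_util.check_znode`. If both layers behave as their names suggest, an unreachable znode could hold the start command for up to 30 x 30 attempts before it fails; one layer should be enough, for example by dropping the decorator or by passing a small `retry` to the inner call. Separately, the first `add_solr_roles` call grants the Log Search principal `params.infra_solr_role_ranger_admin`; a one-line comment saying why Log Search needs the Ranger admin role would help a least-privilege review. `setup_logsearch` starts outside this hunk.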
http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py
index 0b4532b..49cd98b 100644
--- a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py
@@ -309,6 +309,9 @@ if stack_supports_infra_client and is_solrCloud_enabled:
solr_user = unix_user
if has_infra_solr and not is_external_solrCloud_enabled:
solr_user = default('/configurations/infra-solr-env/infra_solr_user', unix_user)
+ infra_solr_role_ranger_admin = default('configurations/infra-solr-security-json/infra_solr_role_ranger_admin', 'ranger_user')
+ infra_solr_role_ranger_audit = default('configurations/infra-solr-security-json/infra_solr_role_ranger_audit', 'ranger_audit_user')
+ infra_solr_role_dev = default('configurations/infra-solr-security-json/infra_solr_role_dev', 'dev')
custom_log4j = has_infra_solr and not is_external_solrCloud_enabled
ranger_audit_max_retention_days = config['configurations']['ranger-solr-configuration']['ranger_audit_max_retention_days']
http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
index ae49c4f..acb5385 100644
--- a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
@@ -19,6 +19,7 @@ limitations under the License.
"""
import os
import re
+from collections import OrderedDict
from resource_management.libraries.script import Script
from resource_management.libraries.functions.default import default
from resource_management.core.logger import Logger
@@ -669,6 +670,20 @@ def setup_ranger_audit_solr():
jaas_file=params.solr_jaas_file,
retry=30, interval=5)
+ if params.security_enabled and params.has_infra_solr \
+ and not params.is_external_solrCloud_enabled and params.stack_supports_ranger_kerberos:
+
+ solr_cloud_util.add_solr_roles(params.config,
+ roles = [params.infra_solr_role_ranger_admin, params.infra_solr_role_ranger_audit, params.infra_solr_role_dev],
+ new_service_principals = [params.ranger_admin_jaas_principal])
+ service_default_principals_map = OrderedDict([('hdfs', 'nn'), ('hbase', 'hbase'), ('hive', 'hive'), ('kafka', 'kafka'), ('kms', 'rangerkms'),
+ ('knox', 'knox'), ('nifi', 'nifi'), ('storm', 'storm'), ('yanr', 'yarn')])
+ service_principals = get_ranger_plugin_principals(service_default_principals_map)
+ solr_cloud_util.add_solr_roles(params.config,
+ roles = [params.infra_solr_role_ranger_audit, params.infra_solr_role_dev],
+ new_service_principals = service_principals)
+
+
solr_cloud_util.create_collection(
zookeeper_quorum = params.zookeeper_quorum,
solr_znode = params.solr_znode,
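Review bot: The key `'yanr'` in `service_default_principals_map` looks like a typo for `'yarn'`; the pair should read `('yarn', 'yarn')`. `get_ranger_plugin_principals` builds its lookup path from the key (`configurations/ranger-{key}-audit/...`), so the YARN entry reads `ranger-yanr-audit`, which presumably never exists. A customized YARN plugin principal would then be ignored, and only the default `yarn` would receive `params.infra_solr_role_ranger_audit` in Solr. The security condition at the top of this block is also repeated verbatim in the next hunk before the `secure_znode` calls; binding it once to a local would keep the two from drifting. `setup_ranger_audit_solr` starts outside this hunk.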
@@ -679,6 +694,11 @@ def setup_ranger_audit_solr():
replication_factor = int(params.replication_factor),
jaas_file = params.solr_jaas_file)
+ if params.security_enabled and params.has_infra_solr \
+ and not params.is_external_solrCloud_enabled and params.stack_supports_ranger_kerberos:
+ secure_znode(format('{solr_znode}/configs/{ranger_solr_config_set}'), params.solr_jaas_file)
+ secure_znode(format('{solr_znode}/collections/{ranger_solr_collection_name}'), params.solr_jaas_file)
+
def setup_ranger_admin_passwd_change():
import params
@@ -695,6 +715,27 @@ def check_znode():
solr_znode=params.solr_znode,
java64_home=params.java_home)
+def secure_znode(znode, jaasFile):
+ import params
+ solr_cloud_util.secure_znode(config=params.config, zookeeper_quorum=params.zookeeper_quorum,
+ solr_znode=znode,
+ jaas_file=jaasFile,
+ java64_home=params.java_home, sasl_users=[params.ranger_admin_jaas_principal])
+
+def get_ranger_plugin_principals(services_defaults_map):
+ """
+ Get ranger plugin user principals from service-default value maps using ranger-*-audit configurations
+ """
+ import params
+ user_principals = []
+ if len(services_defaults_map) < 1:
+ raise Exception("Services - defaults map parameter is missing.")
+
+ for key, default_value in services_defaults_map.iteritems():
+ user_principal = default(format("configurations/ranger-{key}-audit/xasecure.audit.jaas.Client.option.principal"), default_value)
+ user_principals.append(user_principal)
+ return user_principals
+
def setup_tagsync_ssl_configs():
import params
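Review bot: `get_ranger_plugin_principals` appends whatever `default(...)` returns, so an `xasecure.audit.jaas.Client.option.principal` property that is present but blank would put an empty principal into the list handed to `add_solr_roles`. The test expectations in this commit show these values ending up inside a single-quoted JSON body on a shell command line, so the function should reject empty values and anything that does not look like a Kerberos principal, with `if user_principal: user_principals.append(user_principal)` as a minimum. How `add_solr_roles` normalizes or escapes the values is not visible here, so this is a precaution rather than a confirmed defect. For the empty-map case, raising `Fail` from `resource_management.core.exceptions` instead of a bare `Exception` would match how the Log Search script in this commit signals errors.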
http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json b/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json
index 253e32e..c5b3201 100644
--- a/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json
@@ -72,6 +72,9 @@
"keytab": {
"configuration": "ranger-admin-site/xasecure.audit.jaas.Client.option.keyTab"
}
+ },
+ {
+ "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr"
}
]
},
http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/test/python/stacks/2.3/ATLAS/test_metadata_server.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.3/ATLAS/test_metadata_server.py b/ambari-server/src/test/python/stacks/2.3/ATLAS/test_metadata_server.py
index 1bbf75e..12f8412 100644
--- a/ambari-server/src/test/python/stacks/2.3/ATLAS/test_metadata_server.py
+++ b/ambari-server/src/test/python/stacks/2.3/ATLAS/test_metadata_server.py
@@ -303,10 +303,18 @@ class TestMetadataServer(RMFTestCase):
action=['delete'],
create_parents=True)
+ self.assertResourceCalled('Execute', "ambari-sudo.sh /usr/bin/kinit -kt /etc/security/keytabs/ambari-infra-solr.keytab infra-solr/c6401.ambari.apache.org@EXAMPLE.COM; ambari-sudo.sh curl -k -s --negotiate -u : http://c6401.ambari.apache.org:8886/solr/admin/authorization | grep authorization.enabled && ambari-sudo.sh /usr/bin/kinit -kt /etc/security/keytabs/ambari-infra-solr.keytab infra-solr/c6401.ambari.apache.org@EXAMPLE.COM; ambari-sudo.sh curl -H 'Content-type:application/json' -d '{\"set-user-role\": {\"atlas@EXAMPLE.COM\": [\"atlas_user\", \"ranger_audit_user\", \"dev\"]}}' -s -o /dev/null -w'%{http_code}' --negotiate -u: -k http://c6401.ambari.apache.org:8886/solr/admin/authorization | grep 200",
+ logoutput = True, tries = 30, try_sleep = 10)
+
self.assertResourceCalledRegexp('^Execute$', '^ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181/infra-solr --create-collection --collection vertex_index --config-set atlas_configs --shards 1 --replication 1 --max-shards 1 --retry 5 --interval 10')
self.assertResourceCalledRegexp('^Execute$', '^ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181/infra-solr --create-collection --collection edge_index --config-set atlas_configs --shards 1 --replication 1 --max-shards 1 --retry 5 --interval 10')
self.assertResourceCalledRegexp('^Execute$', '^ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181/infra-solr --create-collection --collection fulltext_index --config-set atlas_configs --shards 1 --replication 1 --max-shards 1 --retry 5 --interval 10')
+ self.assertResourceCalled('Execute', "ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181 --znode /infra-solr/configs/atlas_configs --secure-znode --jaas-file /usr/hdp/current/atlas-server/conf/atlas_jaas.conf --sasl-users atlas,infra-solr --retry 5 --interval 10")
+ self.assertResourceCalled('Execute', "ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181 --znode /infra-solr/collections/vertex_index --secure-znode --jaas-file /usr/hdp/current/atlas-server/conf/atlas_jaas.conf --sasl-users atlas,infra-solr --retry 5 --interval 10")
+ self.assertResourceCalled('Execute', "ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181 --znode /infra-solr/collections/edge_index --secure-znode --jaas-file /usr/hdp/current/atlas-server/conf/atlas_jaas.conf --sasl-users atlas,infra-solr --retry 5 --interval 10")
+ self.assertResourceCalled('Execute', "ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181 --znode /infra-solr/collections/fulltext_index --secure-znode --jaas-file /usr/hdp/current/atlas-server/conf/atlas_jaas.conf --sasl-users atlas,infra-solr --retry 5 --interval 10")
+
def test_configure_default(self):
self.executeScript(self.COMMON_SERVICES_PACKAGE_DIR + "/scripts/metadata_server.py",
classname = "MetadataServer",
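Review bot: The command string asserted in the first added `assertResourceCalled` pins a shell line in which the `authorization.enabled` check does not gate the role update. Its shape is `kinit ...; curl ... | grep authorization.enabled && kinit ...; curl -d '{set-user-role ...}' ... | grep 200`, and because `;` binds more loosely than `&&`, only the second `kinit` is conditional; the POST to `/solr/admin/authorization` runs either way. If the intent is to skip the update when authorization is off, the builder (in solr_cloud_util.py, not in this part of the diff) would need to group the two halves, e.g. `{ kinit ...; curl ... | grep authorization.enabled; } && { curl ... | grep 200; }`, and this expectation would change with it. The same string shape is asserted in the stacks/2.5 and stacks/2.6 test_ranger_admin.py hunks. The enclosing test method starts outside this hunk.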
http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/test/python/stacks/2.3/configs/secure.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.3/configs/secure.json b/ambari-server/src/test/python/stacks/2.3/configs/secure.json
index 4501b81..e2a3d1d 100644
--- a/ambari-server/src/test/python/stacks/2.3/configs/secure.json
+++ b/ambari-server/src/test/python/stacks/2.3/configs/secure.json
@@ -169,7 +169,9 @@
"infra_solr_znode": "/infra-solr",
"infra_solr_user": "solr",
"infra_solr_group": "solr",
- "infra_solr_client_log_dir" :"/var/log/ambari-infra-solr-client"
+ "infra_solr_client_log_dir" :"/var/log/ambari-infra-solr-client",
+ "infra_solr_kerberos_principal" : "infra-solr/c6401.ambari.apache.org@EXAMPLE.COM",
+ "infra_solr_kerberos_keytab" : "/etc/security/keytabs/ambari-infra-solr.keytab"
},
"infra-solr-client-log4j" : {
"infra_solr_client_log_dir" : "/var/log/ambari-infra-solr-client",
@@ -236,6 +238,9 @@
},
"ranger-env": {
"xml_configurations_supported" : "true"
+ },
+ "kerberos-env" : {
+ "realm" : "EXAMPLE.COM"
}
},
"configuration_attributes": {
http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/test/python/stacks/2.4/AMBARI_INFRA/test_infra_solr.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.4/AMBARI_INFRA/test_infra_solr.py b/ambari-server/src/test/python/stacks/2.4/AMBARI_INFRA/test_infra_solr.py
index cd88fec..2de3fba 100644
--- a/ambari-server/src/test/python/stacks/2.4/AMBARI_INFRA/test_infra_solr.py
+++ b/ambari-server/src/test/python/stacks/2.4/AMBARI_INFRA/test_infra_solr.py
@@ -95,11 +95,11 @@ class TestInfraSolr(RMFTestCase):
content = InlineTemplate(self.getConfig()['configurations']['infra-solr-log4j']['content'])
)
- self.assertResourceCalled('File', '/etc/ambari-infra-solr/conf/security.json',
+ self.assertResourceCalled('File', '/etc/ambari-infra-solr/conf/custom-security.json',
owner = 'solr',
group='hadoop',
content = InlineTemplate(self.getConfig()['configurations']['infra-solr-security-json']['content']),
- mode = 0644
+ mode = 0640
)
self.assertResourceCalled('Execute', 'ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181 --znode /infra-solr --create-znode --retry 30 --interval 5')
http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py b/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py
index db9cbb9..587561a 100644
--- a/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py
+++ b/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py
@@ -139,7 +139,8 @@ class TestLogSearch(RMFTestCase):
self.assertResourceCalled('Execute', ('chmod', '-R', 'ugo+r', '/etc/ambari-logsearch-portal/conf/solr_configsets'),
sudo = True
)
-
+ self.assertResourceCalled('Execute', 'ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181 --znode /infra-solr --check-znode --retry 30 --interval 5')
+
def test_configure_default(self):
http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_admin.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_admin.py b/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_admin.py
index b01e7da..1b5d7ae 100644
--- a/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_admin.py
+++ b/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_admin.py
@@ -80,6 +80,7 @@ class TestRangerAdmin(RMFTestCase):
self.assertResourceCalledRegexp('^Directory$', '^/tmp/solr_config_ranger_audits_0.[0-9]*',
action=['delete'],
create_parents=True)
+
self.assertResourceCalledRegexp('^Execute$', '^ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181/infra-solr --create-collection --collection ranger_audits --config-set ranger_audits --shards 1 --replication 1 --max-shards 1 --retry 5 --interval 10')
self.assertResourceCalled('Execute', '/usr/bin/ranger-admin-start',
@@ -165,8 +166,18 @@ class TestRangerAdmin(RMFTestCase):
self.assertResourceCalledRegexp('^Directory$', '^/tmp/solr_config_ranger_audits_0.[0-9]*',
action=['delete'],
create_parents=True)
+
+ self.assertResourceCalled('Execute', "ambari-sudo.sh /usr/bin/kinit -kt /etc/security/keytabs/infra-solr.service.keytab infra-solr/c6401.ambari.apache.org@EXAMPLE.COM; ambari-sudo.sh curl -k -s --negotiate -u : http://c6401.ambari.apache.org:8886/solr/admin/authorization | grep authorization.enabled && ambari-sudo.sh /usr/bin/kinit -kt /etc/security/keytabs/infra-solr.service.keytab infra-solr/c6401.ambari.apache.org@EXAMPLE.COM; ambari-sudo.sh curl -H 'Content-type:application/json' -d '{\"set-user-role\": {\"rangeradmin@EXAMPLE.COM\": [\"ranger_user\", \"ranger_audit_user\", \"dev\"]}}' -s -o /dev/null -w'%{http_code}' --negotiate -u: -k http://c6401.ambari.apache.org:8886/solr/admin/authorization | grep 200",
+ logoutput = True, tries = 30, try_sleep = 10)
+ self.assertResourceCalled('Execute', "ambari-sudo.sh /usr/bin/kinit -kt /etc/security/keytabs/infra-solr.service.keytab infra-solr/c6401.ambari.apache.org@EXAMPLE.COM; ambari-sudo.sh curl -k -s --negotiate -u : http://c6401.ambari.apache.org:8886/solr/admin/authorization | grep authorization.enabled && ambari-sudo.sh /usr/bin/kinit -kt /etc/security/keytabs/infra-solr.service.keytab infra-solr/c6401.ambari.apache.org@EXAMPLE.COM; ambari-sudo.sh curl -H \'Content-type:application/json\' -d "
+ "\'{\"set-user-role\": {\"hbase@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"nn@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"knox@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"rangerkms@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"kafka@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"hive@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"nifi@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"storm@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"yarn@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"]}}\' -s -o /dev/null -w\'%{http_code}\' --negotiate -u: -k http://c6401.ambari.apache.org:8886/solr/admin/authorization | grep 200",
+ logoutput = True, tries = 30, try_sleep = 10)
+
self.assertResourceCalledRegexp('^Execute$', '^ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181/ambari-solr --create-collection --collection ranger_audits --config-set ranger_audits --shards 1 --replication 1 --max-shards 1 --retry 5 --interval 10')
+ self.assertResourceCalled('Execute','ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181 --znode /ambari-solr/configs/ranger_audits --secure-znode --jaas-file /usr/hdp/current/ranger-admin/conf/ranger_solr_jaas.conf --sasl-users rangeradmin,infra-solr --retry 5 --interval 10')
+ self.assertResourceCalled('Execute', 'ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181 --znode /ambari-solr/collections/ranger_audits --secure-znode --jaas-file /usr/hdp/current/ranger-admin/conf/ranger_solr_jaas.conf --sasl-users rangeradmin,infra-solr --retry 5 --interval 10')
+
self.assertResourceCalled('Execute', '/usr/bin/ranger-admin-start',
environment = {'JAVA_HOME': u'/usr/jdk64/jdk1.7.0_45'},
not_if = 'ps -ef | grep proc_rangeradmin | grep -v grep',
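Review bot: The second `set-user-role` expectation fixes the principals in the order hbase, nn, knox, rangerkms, kafka, hive, nifi, storm, yarn, which is not the insertion order of the `OrderedDict` built in setup_ranger_xml.py. That suggests the order comes from plain dict iteration in the code that builds the JSON (not visible here), which would make this exact-string assertion depend on the interpreter's hash ordering. Serializing with sorted keys in the builder, e.g. `json.dumps(..., sort_keys=True)` if it uses `json`, or matching each principal with `assertResourceCalledRegexp`, would make the test stable. The same expectation is repeated in the stacks/2.6 test_ranger_admin.py hunk.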
http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_admin.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_admin.py b/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_admin.py
index 8dda363..fb1dd0e 100644
--- a/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_admin.py
+++ b/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_admin.py
@@ -156,8 +156,17 @@ class TestRangerAdmin(RMFTestCase):
self.assertResourceCalledRegexp('^Directory$', '^/tmp/solr_config_ranger_audits_0.[0-9]*',
action=['delete'],
create_parents=True)
+ self.assertResourceCalled('Execute', "ambari-sudo.sh /usr/bin/kinit -kt /etc/security/keytabs/infra-solr.service.keytab infra-solr/c6401.ambari.apache.org@EXAMPLE.COM; ambari-sudo.sh curl -k -s --negotiate -u : http://c6401.ambari.apache.org:8886/solr/admin/authorization | grep authorization.enabled && ambari-sudo.sh /usr/bin/kinit -kt /etc/security/keytabs/infra-solr.service.keytab infra-solr/c6401.ambari.apache.org@EXAMPLE.COM; ambari-sudo.sh curl -H 'Content-type:application/json' -d '{\"set-user-role\": {\"rangeradmin@EXAMPLE.COM\": [\"ranger_user\", \"ranger_audit_user\", \"dev\"]}}' -s -o /dev/null -w'%{http_code}' --negotiate -u: -k http://c6401.ambari.apache.org:8886/solr/admin/authorization | grep 200",
+ logoutput = True, tries = 30, try_sleep = 10)
+ self.assertResourceCalled('Execute', "ambari-sudo.sh /usr/bin/kinit -kt /etc/security/keytabs/infra-solr.service.keytab infra-solr/c6401.ambari.apache.org@EXAMPLE.COM; ambari-sudo.sh curl -k -s --negotiate -u : http://c6401.ambari.apache.org:8886/solr/admin/authorization | grep authorization.enabled && ambari-sudo.sh /usr/bin/kinit -kt /etc/security/keytabs/infra-solr.service.keytab infra-solr/c6401.ambari.apache.org@EXAMPLE.COM; ambari-sudo.sh curl -H \'Content-type:application/json\' -d "
+ "\'{\"set-user-role\": {\"hbase@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"nn@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"knox@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"rangerkms@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"kafka@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"hive@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"nifi@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"storm@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"], \"yarn@EXAMPLE.COM\": [\"ranger_audit_user\", \"dev\"]}}\' -s -o /dev/null -w\'%{http_code}\' --negotiate -u: -k http://c6401.ambari.apache.org:8886/solr/admin/authorization | grep 200",
+ logoutput = True, tries = 30, try_sleep = 10)
+
self.assertResourceCalledRegexp('^Execute$', '^ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181/infra-solr --create-collection --collection ranger_audits --config-set ranger_audits --shards 1 --replication 1 --max-shards 1 --retry 5 --interval 10')
+ self.assertResourceCalled('Execute','ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181 --znode /infra-solr/configs/ranger_audits --secure-znode --jaas-file /usr/hdp/current/ranger-admin/conf/ranger_solr_jaas.conf --sasl-users rangeradmin,infra-solr --retry 5 --interval 10')
+ self.assertResourceCalled('Execute', 'ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181 --znode /infra-solr/collections/ranger_audits --secure-znode --jaas-file /usr/hdp/current/ranger-admin/conf/ranger_solr_jaas.conf --sasl-users rangeradmin,infra-solr --retry 5 --interval 10')
+
self.assertResourceCalled('Execute', '/usr/bin/ranger-admin-start',
environment = {'JAVA_HOME': u'/usr/jdk64/jdk1.7.0_45'},
not_if = 'ps -ef | grep proc_rangeradmin | grep -v grep',