Posted to commits@ambari.apache.org by ol...@apache.org on 2018/05/18 22:08:06 UTC

[ambari] branch trunk updated: [Ambari-23850] Use trustore details for Atlas/Ranger during collection creation (#1276)

This is an automated email from the ASF dual-hosted git repository.

oleewere pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ambari.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 37475b1  [Ambari-23850] Use trustore details for Atlas/Ranger during collection creation (#1276)
37475b1 is described below

commit 37475b1ad3eb9a8f97da15012819fa8c564d6f79
Author: amerissa <am...@gmail.com>
AuthorDate: Fri May 18 18:08:02 2018 -0400

    [Ambari-23850] Use truststore details for Atlas/Ranger during collection creation (#1276)
    
    * When installing Atlas/Ranger with HTTPS ambari-infra (solr), the script does not account for the truststore. By default we should be picking up the truststore information from Ambari Infra. Failure to do so will result in PKIX error. It happens when installing fresh and SSL is preenabled
    
    * Revert "When installing Atlas/Ranger with HTTPS ambari-infra (solr), the script does not account for the truststore. By default we should be picking up the truststore information from Ambari Infra. Failure to do so will result in PKIX error. It happens when installing fresh and SSL is preenabled"
    
    This reverts commit 105434e0dac65b12c2ed80cadfdc9a57fab477f7.
    
    Reverting commit to push configuration changes down to clients instead of solr wrapper
    
    * When installing Atlas/Ranger with HTTPS ambari-infra (solr), the script does not account for the truststore. By default we should be picking up the truststore information from Ambari Infra. Failure to do so will result in PKIX error. It happens when installing fresh and SSL is preenabled. Update the ranger part to use ranger truststore and password, Atlas will use the policy manager truststore and password
    
    * Supply the truststore information to solr by default if they are defined. Will work for both internal and external solr
    
    * Add parameters for truststore and keystore with their passwords for atlas. Change Solr creation configs to use Atlas' truststore and password
    
    * fix truststore declaration
    
    * fix truststore declaration
    
    * fix truststore declaration
    
    * fix truststore declaration
    
    * JDK Location update for get creds password
---
 .../ATLAS/0.1.0.2.3/package/scripts/metadata.py    |  7 ++++++-
 .../ATLAS/0.1.0.2.3/package/scripts/params.py      | 17 +++++++++++++++-
 .../0.4.0/package/scripts/setup_ranger_xml.py      | 23 +++++++++++-----------
 3 files changed, 34 insertions(+), 13 deletions(-)

diff --git a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata.py b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata.py
index d78efe9..ac7ba42 100644
--- a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata.py
+++ b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata.py
@@ -25,6 +25,8 @@ from resource_management import StackFeature
 from resource_management.core.resources.system import Directory, File, Execute
 from resource_management.core.source import StaticFile, InlineTemplate, Template
 from resource_management.core.exceptions import Fail
+from resource_management.libraries.script.script import Script
+from resource_management.libraries.functions.default import default
 from resource_management.libraries.functions.format import format
 from resource_management.libraries.functions.decorator import retry
 from resource_management.libraries.functions import solr_cloud_util
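Review bot: The two imports added here, `Script` and `default`, are not referenced by the other hunk of this file — the `create_collection` call reads everything through `params` — so they look unused. If the rest of metadata.py does not use them either, drop them rather than leave dead imports behind. I can only see this one other hunk of the file, so this is inferred, not confirmed.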
@@ -245,7 +247,10 @@ def create_collection(collection, config_set, jaasFile):
       java64_home=params.ambari_java_home,
       jaas_file=jaasFile,
       shards=params.atlas_solr_shards,
-      replication_factor = params.infra_solr_replication_factor)
+      replication_factor = params.infra_solr_replication_factor,
+      trust_store_password =  params.truststore_password if params.credential_provider else None,
+      trust_store_type = "JKS" if params.credential_provider else None,
+      trust_store_location = params.truststore_location if params.credential_provider else None)
 
 def secure_znode(znode, jaasFile):
   import params
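Review bot: All three trust-store arguments at the end of the `solr_cloud_util.create_collection` call are gated on `params.credential_provider`, but in params.py `truststore_location` comes from `truststore.file` with a default of `None`, so a configured credential provider with no truststore path still passes a password and the hard-coded type `"JKS"` alongside a `None` location. Gate on both, e.g. `trust_store_password = params.truststore_password if params.credential_provider and params.truststore_location else None`, and apply the same condition to `trust_store_type`. Fixing the type to JKS is an assumption; if a truststore type property exists in application-properties it should be read instead — I cannot see whether one is defined. `create_collection` begins before this hunk, and the trailing `import params` belongs to `secure_znode`.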
diff --git a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py
index 8ce94be..7a7dfaa 100644
--- a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py
+++ b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py
@@ -26,6 +26,9 @@ from resource_management.libraries.functions.version import format_stack_version
 from resource_management.libraries.script.script import Script
 from resource_management.libraries.functions.format import format
 from resource_management.libraries.functions.default import default
+from resource_management.core.utils import PasswordString
+from ambari_commons.credential_store_helper import get_password_from_credential_store
+
 
 # Local Imports
 from status_params import *
@@ -131,14 +134,19 @@ java64_home = config['ambariLevelParams']['java_home']
 ambari_java_home = default("/ambariLevelParams/ambari_java_home", java64_home)
 java_exec = format("{java64_home}/bin/java")
 env_sh_template = config['configurations']['atlas-env']['content']
+jdk_location = config['ambariLevelParams']['jdk_location']
+
 
 # credential provider
-credential_provider = format( "jceks://file@{conf_dir}/atlas-site.jceks")
+credential_provider = default("/configurations/application-properties/cert.stores.credential.provider.path", None)
 
 # command line args
 ssl_enabled = default("/configurations/application-properties/atlas.enableTLS", False)
 http_port = default("/configurations/application-properties/atlas.server.http.port", "21000")
 https_port = default("/configurations/application-properties/atlas.server.https.port", "21443")
+truststore_location = default("/configurations/application-properties/truststore.file", None)
+keystore_location = default("/configurations/application-properties/keystore.file", None)
+
 if ssl_enabled:
   metadata_port = https_port
   metadata_protocol = 'https'
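Review bot: `credential_provider` changes from a value that was always a non-empty string, `format( "jceks://file@{conf_dir}/atlas-site.jceks")`, to `default(..., None)`, so it is now falsy unless `cert.stores.credential.provider.path` is set in application-properties. Any other use of `params.credential_provider` in this file or in metadata.py that assumed a path (for example when the jceks file is written) would need the same `if credential_provider:` guard the new password block adds; I cannot see those uses from this hunk. A comment above the assignment, `# None when no credential provider is configured; the credential-store lookups below are skipped in that case`, would make the new contract explicit to the next reader.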
@@ -421,3 +429,10 @@ if stack_supports_atlas_ranger_plugin and enable_ranger_atlas:
 # atlas admin login username password
 atlas_admin_username = config['configurations']['atlas-env']['atlas.admin.username']
 atlas_admin_password = config['configurations']['atlas-env']['atlas.admin.password']
+
+# Atlas Passwords Extracted From Credential Store
+if credential_provider:
+    default_credential_shell_lib_path = jdk_location
+    truststore_password = PasswordString(get_password_from_credential_store('truststore.password', credential_provider, os.path.join(default_credential_shell_lib_path, '*'), java64_home, jdk_location))
+    keystore_password = PasswordString(get_password_from_credential_store('keystore.password', credential_provider, os.path.join(default_credential_shell_lib_path, '*'), java64_home, jdk_location))
+    key_password = PasswordString(get_password_from_credential_store('password', credential_provider, os.path.join(default_credential_shell_lib_path, '*'), java64_home, jdk_location))
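Review bot: The classpath handed to `get_password_from_credential_store` is `os.path.join(default_credential_shell_lib_path, '*')` with `default_credential_shell_lib_path = jdk_location`, i.e. `ambariLevelParams.jdk_location`. If, as elsewhere in Ambari, that value is the URL of the server's resources directory from which CredentialUtil.jar is downloaded rather than a local directory, then `-cp <url>/*` is not a usable Java classpath; please confirm what the helper expects for its third argument before relying on this. The same join is repeated three times — bind it once, `cs_lib_path = os.path.join(default_credential_shell_lib_path, '*')`, and pass it to each call. The block also uses 4-space indentation where the surrounding file uses 2, and it depends on `os` being imported in params.py, which I cannot verify from this hunk.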
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
index 0e7604d..edb6986 100644
--- a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
@@ -167,7 +167,7 @@ def setup_ranger_admin(upgrade_type=None):
 
     Link('/usr/bin/ranger-admin',
     to=format('{ranger_home}/ews/ranger-admin-services.sh'))
-  
+
   if default("/configurations/ranger-admin-site/ranger.authentication.method", "") == 'PAM':
     d = '/etc/pam.d'
     if os.path.isdir(d):
@@ -254,7 +254,7 @@ def setup_ranger_admin(upgrade_type=None):
 
 def setup_ranger_db(stack_version=None):
   import params
-  
+
   ranger_home = params.ranger_home
 
   if stack_version is not None:
@@ -275,7 +275,7 @@ def setup_ranger_db(stack_version=None):
   if params.create_db_dbuser:
     Logger.info('Setting up Ranger DB and DB User')
     dba_setup = format('ambari-python-wrap {ranger_home}/dba_script.py -q')
-    Execute(dba_setup, 
+    Execute(dba_setup,
             environment=env_dict,
             logoutput=True,
             user=params.unix_user,
@@ -284,7 +284,7 @@ def setup_ranger_db(stack_version=None):
     Logger.info('Separate DBA property not set. Assuming Ranger DB and DB User exists!')
 
   db_setup = format('ambari-python-wrap {ranger_home}/db_setup.py')
-  Execute(db_setup, 
+  Execute(db_setup,
           environment=env_dict,
           logoutput=True,
           user=params.unix_user,
@@ -303,7 +303,7 @@ def setup_java_patch(stack_version=None):
     env_dict = {'RANGER_ADMIN_HOME':ranger_home, 'JAVA_HOME':params.java_home, 'LD_LIBRARY_PATH':params.ld_lib_path}
 
   setup_java_patch = format('ambari-python-wrap {ranger_home}/db_setup.py -javapatch')
-  Execute(setup_java_patch, 
+  Execute(setup_java_patch,
           environment=env_dict,
           logoutput=True,
           user=params.unix_user,
@@ -477,7 +477,7 @@ def setup_usersync(upgrade_type=None):
     group = params.unix_group,
     mode=0755
   )
-  
+
   Directory(format("{ranger_ugsync_conf}/"),
     owner = params.unix_user
   )
@@ -535,7 +535,7 @@ def setup_usersync(upgrade_type=None):
        group = params.unix_group,
        mode = 0640
   )
-  
+
   File([params.usersync_start, params.usersync_stop],
        owner = params.unix_user,
        group = params.unix_group
@@ -741,8 +741,6 @@ def setup_ranger_audit_solr():
       solr_cloud_util.add_solr_roles(params.config,
                                      roles = [params.infra_solr_role_ranger_audit, params.infra_solr_role_dev],
                                      new_service_principals = service_principals)
-
-
     solr_cloud_util.create_collection(
       zookeeper_quorum = params.zookeeper_quorum,
       solr_znode = params.solr_znode,
@@ -751,7 +749,10 @@ def setup_ranger_audit_solr():
       java64_home = params.ambari_java_home,
       shards = params.ranger_solr_shards,
       replication_factor = int(params.replication_factor),
-      jaas_file = params.solr_jaas_file)
+      jaas_file = params.solr_jaas_file,
+      trust_store_password = default('configurations/ranger-admin-site/ranger.truststore.file', None),
+      trust_store_type = "JKS" if default('configurations/ranger-admin-site/ranger.truststore.file', None) else None,
+      trust_store_location = default('configurations/ranger-admin-site/ranger.truststore.password', None))
 
     if params.security_enabled and params.has_infra_solr \
       and not params.is_external_solrCloud_enabled and params.stack_supports_ranger_kerberos:
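Review bot: The two property names are crossed in the new `create_collection` arguments: `trust_store_password` is read from `ranger.truststore.file` and `trust_store_location` from `ranger.truststore.password`, so the truststore path is sent as the password and the password is sent as the file location, where it lands on a command line in place of a path and may be logged. Swap them, and use the leading slash the rest of this file uses with `default`: `trust_store_password = default('/configurations/ranger-admin-site/ranger.truststore.password', None),` then `trust_store_type = "JKS" if default('/configurations/ranger-admin-site/ranger.truststore.file', None) else None,` then `trust_store_location = default('/configurations/ranger-admin-site/ranger.truststore.file', None))`. Unlike the Atlas side of this commit, the password is passed as a plain string rather than a `PasswordString`; if `create_collection` logs the command it runs, wrapping it would keep the value out of the log (I cannot see whether `PasswordString` is imported here). `setup_ranger_audit_solr` starts before this hunk.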
@@ -870,4 +871,4 @@ def update_password_configs():
   ModifyPropertiesFile(format("{ranger_home}/install.properties"),
     properties = password_configs,
     owner = params.unix_user,
-  )
\ No newline at end of file
+  )
