Posted to commits@ambari.apache.org by jo...@apache.org on 2017/05/18 14:01:46 UTC
[05/24] ambari git commit: AMBARI-21032. HDP 3.0 TP - create service
definition for Knox with configs, kerberos, widgets, etc.(vbrodetsky)
AMBARI-21032. HDP 3.0 TP - create service definition for Knox with configs, kerberos, widgets, etc.(vbrodetsky)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/9adffcf7
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/9adffcf7
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/9adffcf7
Branch: refs/heads/branch-feature-AMBARI-12556
Commit: 9adffcf7a93d40ad727796a8a1686da0e6408893
Parents: 8141665
Author: Vitaly Brodetskyi <vb...@hortonworks.com>
Authored: Wed May 17 00:16:45 2017 +0300
Committer: Vitaly Brodetskyi <vb...@hortonworks.com>
Committed: Wed May 17 00:16:45 2017 +0300
----------------------------------------------------------------------
.../common-services/KNOX/0.5.0.3.0/alerts.json | 32 ++
.../0.5.0.3.0/configuration/admin-topology.xml | 97 ++++
.../0.5.0.3.0/configuration/gateway-log4j.xml | 110 +++++
.../0.5.0.3.0/configuration/gateway-site.xml | 71 +++
.../KNOX/0.5.0.3.0/configuration/knox-env.xml | 83 ++++
.../configuration/knoxsso-topology.xml | 126 +++++
.../KNOX/0.5.0.3.0/configuration/ldap-log4j.xml | 93 ++++
.../configuration/ranger-knox-audit.xml | 132 ++++++
.../ranger-knox-plugin-properties.xml | 132 ++++++
.../configuration/ranger-knox-policymgr-ssl.xml | 66 +++
.../configuration/ranger-knox-security.xml | 64 +++
.../KNOX/0.5.0.3.0/configuration/topology.xml | 174 +++++++
.../KNOX/0.5.0.3.0/configuration/users-ldif.xml | 140 ++++++
.../KNOX/0.5.0.3.0/kerberos.json | 81 ++++
.../common-services/KNOX/0.5.0.3.0/metainfo.xml | 109 +++++
.../package/files/validateKnoxStatus.py | 43 ++
.../KNOX/0.5.0.3.0/package/scripts/knox.py | 192 ++++++++
.../0.5.0.3.0/package/scripts/knox_gateway.py | 220 +++++++++
.../KNOX/0.5.0.3.0/package/scripts/knox_ldap.py | 59 +++
.../KNOX/0.5.0.3.0/package/scripts/params.py | 29 ++
.../0.5.0.3.0/package/scripts/params_linux.py | 457 +++++++++++++++++++
.../0.5.0.3.0/package/scripts/params_windows.py | 71 +++
.../0.5.0.3.0/package/scripts/service_check.py | 96 ++++
.../package/scripts/setup_ranger_knox.py | 121 +++++
.../0.5.0.3.0/package/scripts/status_params.py | 59 +++
.../KNOX/0.5.0.3.0/package/scripts/upgrade.py | 118 +++++
.../package/templates/input.config-knox.json.j2 | 60 +++
.../package/templates/krb5JAASLogin.conf.j2 | 30 ++
.../KNOX/0.5.0.3.0/role_command_order.json | 7 +
.../stacks/HDP/3.0/services/KNOX/metainfo.xml | 27 ++
30 files changed, 3099 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/alerts.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/alerts.json b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/alerts.json
new file mode 100644
index 0000000..4986e04
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/alerts.json
@@ -0,0 +1,32 @@
+{
+ "KNOX": {
+ "service": [],
+ "KNOX_GATEWAY": [
+ {
+ "name": "knox_gateway_process",
+ "label": "Knox Gateway Process",
+ "description": "This host-level alert is triggered if the Knox Gateway cannot be determined to be up.",
+ "interval": 1,
+ "scope": "HOST",
+ "source": {
+ "type": "PORT",
+ "uri": "{{gateway-site/gateway.port}}",
+ "default_port": 8443,
+ "reporting": {
+ "ok": {
+ "text": "TCP OK - {0:.3f}s response on port {1}"
+ },
+ "warning": {
+ "text": "TCP OK - {0:.3f}s response on port {1}",
+ "value": 1.5
+ },
+ "critical": {
+ "text": "Connection failed: {0} to {1}:{2}",
+ "value": 5.0
+ }
+ }
+ }
+ }
+ ]
+ }
+}
http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/admin-topology.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/admin-topology.xml b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/admin-topology.xml
new file mode 100644
index 0000000..3030364
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/admin-topology.xml
@@ -0,0 +1,97 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration supports_final="false" supports_adding_forbidden="true">
+ <!-- topology file -->
+ <property>
+ <name>content</name>
+ <display-name>admin-topology template</display-name>
+ <value>
+ <topology>
+
+ <gateway>
+
+ <provider>
+ <role>authentication</role>
+ <name>ShiroProvider</name>
+ <enabled>true</enabled>
+ <param>
+ <name>sessionTimeout</name>
+ <value>30</value>
+ </param>
+ <param>
+ <name>main.ldapRealm</name>
+ <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.userDnTemplate</name>
+ <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.contextFactory.url</name>
+ <value>ldap://{{knox_host_name}}:33389</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
+ <value>simple</value>
+ </param>
+ <param>
+ <name>urls./**</name>
+ <value>authcBasic</value>
+ </param>
+ </provider>
+
+ <provider>
+ <role>authorization</role>
+ <name>AclsAuthz</name>
+ <enabled>true</enabled>
+ <param>
+ <name>knox.acl</name>
+ <value>admin;*;*</value>
+ </param>
+ </provider>
+
+ <provider>
+ <role>identity-assertion</role>
+ <name>Default</name>
+ <enabled>true</enabled>
+ </provider>
+
+ </gateway>
+
+ <service>
+ <role>KNOX</role>
+ </service>
+
+ </topology>
+
+ </value>
+ <description>
+ The configuration specifies the Knox admin API configuration and access details. The authentication provider should be configured to match your deployment details.
+ </description>
+ <value-attributes>
+ <type>content</type>
+ <empty-value-valid>true</empty-value-valid>
+ <show-property-name>false</show-property-name>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+</configuration>
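Review bot: The admin topology's `ShiroProvider` is wired to `ldap://{{knox_host_name}}:33389` with `authenticationMechanism` set to `simple` (L147, L151), so the shipped default sends bind credentials for the admin API over an unencrypted connection to the Knox demo LDAP, and `knox.acl` at L165 then hands that API to whichever user is named `admin` in that directory. The description at L185 only says the provider "should be configured to match your deployment details", which does not tell an operator that the template is demo-only. I would sharpen it to: `The shipped template authenticates against the Knox demo LDAP over plain ldap:// with simple bind and grants the admin API to the demo "admin" user; replace the contextFactory.url (ldaps:// to your directory) and knox.acl before exposing this topology.` The `sessionTimeout` unit (minutes for Shiro) is also worth stating in the same description, since 30 reads as seconds at a glance.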
http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/gateway-log4j.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/gateway-log4j.xml b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/gateway-log4j.xml
new file mode 100644
index 0000000..6408f99
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/gateway-log4j.xml
@@ -0,0 +1,110 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration supports_final="false" supports_adding_forbidden="false">
+ <property>
+ <name>knox_gateway_log_maxfilesize</name>
+ <value>256</value>
+ <description>The maximum size of backup file before the log is rotated</description>
+ <display-name>Knox Gateway Log: backup file size</display-name>
+ <value-attributes>
+ <unit>MB</unit>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>knox_gateway_log_maxbackupindex</name>
+ <value>20</value>
+ <description>The number of backup files</description>
+ <display-name>Knox Gateway Log: # of backup files</display-name>
+ <value-attributes>
+ <type>int</type>
+ <minimum>0</minimum>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>content</name>
+ <display-name>gateway-log4j template</display-name>
+ <value>
+
+ # Licensed to the Apache Software Foundation (ASF) under one
+ # or more contributor license agreements. See the NOTICE file
+ # distributed with this work for additional information
+ # regarding copyright ownership. The ASF licenses this file
+ # to you under the Apache License, Version 2.0 (the
+ # "License"); you may not use this file except in compliance
+ # with the License. You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+
+ app.log.dir=${launcher.dir}/../logs
+ app.log.file=${launcher.name}.log
+ app.audit.file=${launcher.name}-audit.log
+
+ log4j.rootLogger=ERROR, drfa
+
+ log4j.logger.org.apache.hadoop.gateway=INFO
+ #log4j.logger.org.apache.hadoop.gateway=DEBUG
+
+ #log4j.logger.org.eclipse.jetty=DEBUG
+ #log4j.logger.org.apache.shiro=DEBUG
+ #log4j.logger.org.apache.http=DEBUG
+ #log4j.logger.org.apache.http.client=DEBUG
+ #log4j.logger.org.apache.http.headers=DEBUG
+ #log4j.logger.org.apache.http.wire=DEBUG
+
+ log4j.appender.stdout=org.apache.log4j.ConsoleAppender
+ log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
+ log4j.appender.stdout.layout.ConversionPattern=%d{yy/MM/dd HH:mm:ss} %p %c{2}: %m%n
+
+ log4j.appender.drfa=org.apache.log4j.DailyRollingFileAppender
+ log4j.appender.drfa.File=${app.log.dir}/${app.log.file}
+ log4j.appender.drfa.DatePattern=.yyyy-MM-dd
+ log4j.appender.drfa.layout=org.apache.log4j.PatternLayout
+ log4j.appender.drfa.layout.ConversionPattern=%d{ISO8601} %-5p %c{2} (%F:%M(%L)) - %m%n
+ log4j.appender.drfa.MaxFileSize = {{knox_gateway_log_maxfilesize}}MB
+ log4j.appender.drfa.MaxBackupIndex = {{knox_gateway_log_maxbackupindex}}
+
+ log4j.logger.audit=INFO, auditfile
+ log4j.appender.auditfile=org.apache.log4j.DailyRollingFileAppender
+ log4j.appender.auditfile.File=${app.log.dir}/${app.audit.file}
+ log4j.appender.auditfile.Append = true
+ log4j.appender.auditfile.DatePattern = '.'yyyy-MM-dd
+ log4j.appender.auditfile.layout = org.apache.hadoop.gateway.audit.log4j.layout.AuditLayout
+
+ </value>
+ <description>
+ content for log4j.properties file for Knox.
+ </description>
+ <value-attributes>
+ <type>content</type>
+ <show-property-name>false</show-property-name>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+</configuration>
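Review bot: The `MaxFileSize` and `MaxBackupIndex` settings at L292–L293 are attached to a `DailyRollingFileAppender` (L287), which in log4j 1.x has no such properties; they are ignored with a "No such property" warning at startup, so the `knox_gateway_log_maxfilesize` and `knox_gateway_log_maxbackupindex` knobs exposed at L226 and L236 have no effect. Either switch the appender to `log4j.appender.drfa=org.apache.log4j.RollingFileAppender` and drop the `DatePattern` line at L289, or remove the two properties so the UI does not advertise a limit that is not enforced. The same mismatch is in `ldap-log4j.xml` in this commit (`knox_ldap_log_*` against a `DailyRollingFileAppender`). Note also that the `auditfile` appender at L296 has no size or count bound at all, so the audit log grows until rotated by date only; that is acceptable for an audit trail but should be stated in the description at L304.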
http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/gateway-site.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/gateway-site.xml b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/gateway-site.xml
new file mode 100644
index 0000000..2686dff
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/gateway-site.xml
@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<!-- The default settings for Knox. -->
+<!-- Edit gateway-site.xml to change settings for your local -->
+<!-- install. -->
+<configuration supports_final="false">
+ <property>
+ <name>gateway.port</name>
+ <value>8443</value>
+ <description>The HTTP port for the Gateway.</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>gateway.path</name>
+ <value>gateway</value>
+ <description>The default context path for the gateway.</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>gateway.gateway.conf.dir</name>
+ <value>deployments</value>
+ <description>The directory within GATEWAY_HOME that contains gateway topology files and deployments.</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>gateway.hadoop.kerberos.secured</name>
+ <value>false</value>
+ <description>Boolean flag indicating whether the Hadoop cluster protected by Gateway is secured with Kerberos</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>java.security.krb5.conf</name>
+ <value>/etc/knox/conf/krb5.conf</value>
+ <description>Absolute path to krb5.conf file</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>java.security.auth.login.config</name>
+ <value>/etc/knox/conf/krb5JAASLogin.conf</value>
+ <description>Absolute path to JASS login config file</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>sun.security.krb5.debug</name>
+ <value>false</value>
+ <description>Boolean flag indicating whether to enable debug messages for krb5 authentication</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>gateway.websocket.feature.enabled</name>
+ <value>{{websocket_support}}</value>
+ <description>Enable this if you want websocket support</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+</configuration>
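Review bot: The description at L376 reads "Absolute path to JASS login config file"; the mechanism is JAAS, so it should be `Absolute path to JAAS login config file`. Two other descriptions in this hunk understate what the value does: `gateway.websocket.feature.enabled` (L386–L388) is templated from `{{websocket_support}}` rather than typed by the operator, and `sun.security.krb5.debug` (L380) turns on JVM-level Kerberos tracing that writes ticket and principal details to the gateway log, which is worth saying so nobody leaves it on outside troubleshooting. I would reword L388 to `Websocket support for the gateway; the value is derived from websocket_support in the service params.`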
http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/knox-env.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/knox-env.xml b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/knox-env.xml
new file mode 100644
index 0000000..e1ca45a
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/knox-env.xml
@@ -0,0 +1,83 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration supports_final="false" supports_adding_forbidden="true">
+ <!-- knox-env.sh -->
+ <property require-input="true">
+ <name>knox_master_secret</name>
+ <value/>
+ <display-name>Knox Master Secret</display-name>
+ <property-type>PASSWORD</property-type>
+ <description>password to use as the master secret</description>
+ <value-attributes>
+ <type>password</type>
+ <editable-only-at-install>true</editable-only-at-install>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>knox_user</name>
+ <display-name>Knox User</display-name>
+ <value>knox</value>
+ <property-type>USER</property-type>
+ <description>Knox Username.</description>
+ <value-attributes>
+ <type>user</type>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>knox_group</name>
+ <display-name>Knox Group</display-name>
+ <value>knox</value>
+ <property-type>GROUP</property-type>
+ <description>Knox Group.</description>
+ <value-attributes>
+ <type>user</type>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>knox_pid_dir</name>
+ <value>/var/run/knox</value>
+ <display-name>Knox PID dir</display-name>
+ <description>Knox PID dir.</description>
+ <value-attributes>
+ <type>directory</type>
+ <editable-only-at-install>true</editable-only-at-install>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>knox_principal_name</name>
+ <description>Knox principal name</description>
+ <property-type>KERBEROS_PRINCIPAL</property-type>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>knox_keytab_path</name>
+ <description>Knox keytab path</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+</configuration>
http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/knoxsso-topology.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/knoxsso-topology.xml b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/knoxsso-topology.xml
new file mode 100644
index 0000000..1ea8601
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/knoxsso-topology.xml
@@ -0,0 +1,126 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration supports_final="false" supports_adding_forbidden="true">
+ <!-- topology file -->
+ <property>
+ <name>content</name>
+ <display-name>knoxsso-topology template</display-name>
+ <value>
+ <topology>
+ <gateway>
+ <provider>
+ <role>webappsec</role>
+ <name>WebAppSec</name>
+ <enabled>true</enabled>
+ <param><name>xframe.options.enabled</name><value>true</value></param>
+ </provider>
+
+ <provider>
+ <role>authentication</role>
+ <name>ShiroProvider</name>
+ <enabled>true</enabled>
+ <param>
+ <name>sessionTimeout</name>
+ <value>30</value>
+ </param>
+ <param>
+ <name>redirectToUrl</name>
+ <value>/gateway/knoxsso/knoxauth/login.html</value>
+ </param>
+ <param>
+ <name>restrictedCookies</name>
+ <value>rememberme,WWW-Authenticate</value>
+ </param>
+ <param>
+ <name>main.ldapRealm</name>
+ <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
+ </param>
+ <param>
+ <name>main.ldapContextFactory</name>
+ <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.contextFactory</name>
+ <value>$ldapContextFactory</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.userDnTemplate</name>
+ <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.contextFactory.url</name>
+ <value>ldap://localhost:33389</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.authenticationCachingEnabled</name>
+ <value>false</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
+ <value>simple</value>
+ </param>
+ <param>
+ <name>urls./**</name>
+ <value>authcBasic</value>
+ </param>
+ </provider>
+
+ <provider>
+ <role>identity-assertion</role>
+ <name>Default</name>
+ <enabled>true</enabled>
+ </provider>
+ </gateway>
+
+ <application>
+ <name>knoxauth</name>
+ </application>
+
+ <service>
+ <role>KNOXSSO</role>
+ <param>
+ <name>knoxsso.cookie.secure.only</name>
+ <value>false</value>
+ </param>
+ <param>
+ <name>knoxsso.token.ttl</name>
+ <value>30000</value>
+ </param>
+ <param>
+ <name>knoxsso.redirect.whitelist.regex</name>
+ <value>^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
+ </param>
+ </service>
+
+ </topology>
+ </value>
+ <description>
+ The configuration specifies the KnoxSSO provider integration, cookie and token management details.
+ </description>
+ <value-attributes>
+ <type>content</type>
+ <empty-value-valid>true</empty-value-valid>
+ <show-property-name>false</show-property-name>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+</configuration>
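Review bot: `knoxsso.cookie.secure.only` is shipped as `false` at L592, which allows the KnoxSSO cookie to be sent on non-TLS connections; since this is the stack default that every new HDP 3.0 cluster inherits, I would ship it as `<value>true</value>` and let a demo install override it, rather than the reverse. If it has to stay `false` for the technical preview, the description at L607 should say so explicitly: `The shipped template sets knoxsso.cookie.secure.only=false and authenticates against the Knox demo LDAP over plain ldap://localhost:33389; both must be changed before the gateway is reachable from anything but localhost.` The redirect whitelist regex at L600 is correctly restricted to loopback addresses, so that part is a safe default and only the cookie flag and the plaintext LDAP bind at L561 weaken the template.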
http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ldap-log4j.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ldap-log4j.xml b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ldap-log4j.xml
new file mode 100644
index 0000000..57e156c
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ldap-log4j.xml
@@ -0,0 +1,93 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software<display-name> template</display-name>
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration supports_final="false" supports_adding_forbidden="false">
+ <property>
+ <name>knox_ldap_log_maxfilesize</name>
+ <value>256</value>
+ <description>The maximum size of backup file before the log is rotated</description>
+ <display-name>Knox LDAP Log: backup file size</display-name>
+<value-attributes>
+ <unit>MB</unit>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>knox_ldap_log_maxbackupindex</name>
+ <value>20</value>
+ <description>The number of backup files</description>
+ <display-name>Knox LDAP Log: # of backup files</display-name>
+ <value-attributes>
+ <type>int</type>
+ <minimum>0</minimum>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>content</name>
+ <display-name>ldap-log4j template</display-name>
+ <value>
+ # Licensed to the Apache Software Foundation (ASF) under one
+ # or more contributor license agreements. See the NOTICE file
+ # distributed with this work for additional information
+ # regarding copyright ownership. The ASF licenses this file
+ # to you under the Apache License, Version 2.0 (the
+ # "License"); you may not use this file except in compliance
+ # with the License. You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+
+ app.log.dir=${launcher.dir}/../logs
+ app.log.file=${launcher.name}.log
+
+ log4j.rootLogger=ERROR, drfa
+ log4j.logger.org.apache.directory.server.ldap.LdapServer=INFO
+ log4j.logger.org.apache.directory=WARN
+
+ log4j.appender.stdout=org.apache.log4j.ConsoleAppender
+ log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
+ log4j.appender.stdout.layout.ConversionPattern=%d{yy/MM/dd HH:mm:ss} %p %c{2}: %m%n
+
+ log4j.appender.drfa=org.apache.log4j.DailyRollingFileAppender
+ log4j.appender.drfa.File=${app.log.dir}/${app.log.file}
+ log4j.appender.drfa.DatePattern=.yyyy-MM-dd
+ log4j.appender.drfa.layout=org.apache.log4j.PatternLayout
+ log4j.appender.drfa.layout.ConversionPattern=%d{ISO8601} %-5p %c{2} (%F:%M(%L)) - %m%n
+ log4j.appender.drfa.MaxFileSize = {{knox_ldap_log_maxfilesize}}MB
+ log4j.appender.drfa.MaxBackupIndex = {{knox_ldap_log_maxbackupindex}}
+
+ </value>
+ <description>
+ content for log4j.properties file for the demo LDAP that comes with Knox.
+ </description>
+ <value-attributes>
+ <type>content</type>
+ <show-property-name>false</show-property-name>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+</configuration>
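Review bot: Line L639 carries a stray `<display-name> template</display-name>` fragment appended to the license header comment; if that text is in the committed file rather than an artifact of this rendering, it should be removed, as it is a leftover from templating and will confuse anyone diffing this file against `gateway-log4j.xml`. The `<value-attributes>` opening tag at L652 is also flush-left while every sibling element in the file is indented. Separately, the size and backup-index properties at L704–L705 target a `DailyRollingFileAppender`, which does not honour them, as noted on `gateway-log4j.xml` in this commit.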
http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-audit.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-audit.xml b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-audit.xml
new file mode 100644
index 0000000..f3a0f99
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-audit.xml
@@ -0,0 +1,132 @@
+<?xml version="1.0"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration>
+ <property>
+ <name>xasecure.audit.is.enabled</name>
+ <value>true</value>
+ <description>Is Audit enabled?</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>xasecure.audit.destination.hdfs</name>
+ <value>true</value>
+ <display-name>Audit to HDFS</display-name>
+ <description>Is Audit to HDFS enabled?</description>
+ <value-attributes>
+ <type>boolean</type>
+ </value-attributes>
+ <depends-on>
+ <property>
+ <type>ranger-env</type>
+ <name>xasecure.audit.destination.hdfs</name>
+ </property>
+ </depends-on>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>xasecure.audit.destination.hdfs.dir</name>
+ <value>hdfs://NAMENODE_HOSTNAME:8020/ranger/audit</value>
+ <description>HDFS folder to write audit to, make sure the service user has requried permissions</description>
+ <depends-on>
+ <property>
+ <type>ranger-env</type>
+ <name>xasecure.audit.destination.hdfs.dir</name>
+ </property>
+ </depends-on>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>xasecure.audit.destination.hdfs.batch.filespool.dir</name>
+ <value>/var/log/knox/audit/hdfs/spool</value>
+ <description>/var/log/knox/audit/hdfs/spool</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>xasecure.audit.destination.solr</name>
+ <value>false</value>
+ <display-name>Audit to SOLR</display-name>
+ <description>Is Solr audit enabled?</description>
+ <value-attributes>
+ <type>boolean</type>
+ </value-attributes>
+ <depends-on>
+ <property>
+ <type>ranger-env</type>
+ <name>xasecure.audit.destination.solr</name>
+ </property>
+ </depends-on>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>xasecure.audit.destination.solr.urls</name>
+ <value/>
+ <description>Solr URL</description>
+ <value-attributes>
+ <empty-value-valid>true</empty-value-valid>
+ </value-attributes>
+ <depends-on>
+ <property>
+ <type>ranger-admin-site</type>
+ <name>ranger.audit.solr.urls</name>
+ </property>
+ </depends-on>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>xasecure.audit.destination.solr.zookeepers</name>
+ <value>NONE</value>
+ <description>Solr Zookeeper string</description>
+ <depends-on>
+ <property>
+ <type>ranger-admin-site</type>
+ <name>ranger.audit.solr.zookeepers</name>
+ </property>
+ </depends-on>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>xasecure.audit.destination.solr.batch.filespool.dir</name>
+ <value>/var/log/knox/audit/solr/spool</value>
+ <description>/var/log/knox/audit/solr/spool</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>xasecure.audit.provider.summary.enabled</name>
+ <value>false</value>
+ <display-name>Audit provider summary enabled</display-name>
+ <description>Enable Summary audit?</description>
+ <value-attributes>
+ <type>boolean</type>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+
+ <property>
+ <name>ranger.plugin.knox.ambari.cluster.name</name>
+ <value>{{cluster_name}}</value>
+ <description>Capture cluster name from where Ranger knox plugin is enabled.</description>
+ <value-attributes>
+ <empty-value-valid>true</empty-value-valid>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+
+</configuration>
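Review bot: The descriptions at L784 and L833 merely repeat the property value (`/var/log/knox/audit/hdfs/spool`, `/var/log/knox/audit/solr/spool`) instead of saying what the directory is for; I would replace each with `Local directory where the Ranger audit plugin spools records until they can be delivered to the HDFS (or Solr) destination.` The description at L772 also has a typo, "requried" for "required". Since the spool directories hold audit records on the Knox host before delivery, the description is the right place to note that they need the same ownership and permissions as the Knox log directory so the audit trail is not readable or writable by other local users.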
http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-plugin-properties.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-plugin-properties.xml b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-plugin-properties.xml
new file mode 100644
index 0000000..d8b9d54
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-plugin-properties.xml
@@ -0,0 +1,132 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration supports_final="true">
+ <property>
+ <name>policy_user</name>
+ <value>ambari-qa</value>
+ <display-name>Policy user for KNOX</display-name>
+ <description>This user must be system user and also present at Ranger admin portal</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>common.name.for.certificate</name>
+ <value/>
+ <description>Common name for certificate, this value should match what is specified in repo within ranger admin</description>
+ <value-attributes>
+ <empty-value-valid>true</empty-value-valid>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>ranger-knox-plugin-enabled</name>
+ <value>No</value>
+ <display-name>Enable Ranger for KNOX</display-name>
+ <description>Enable ranger knox plugin ?</description>
+ <depends-on>
+ <property>
+ <type>ranger-env</type>
+ <name>ranger-knox-plugin-enabled</name>
+ </property>
+ </depends-on>
+ <value-attributes>
+ <type>boolean</type>
+ <overridable>false</overridable>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>REPOSITORY_CONFIG_USERNAME</name>
+ <value>admin</value>
+ <display-name>Ranger repository config user</display-name>
+ <description>Used for repository creation on ranger admin</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>REPOSITORY_CONFIG_PASSWORD</name>
+ <value>admin-password</value>
+ <property-type>PASSWORD</property-type>
+ <display-name>Ranger repository config password</display-name>
+ <description>Used for repository creation on ranger admin</description>
+ <value-attributes>
+ <type>password</type>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+
+ <property>
+ <name>KNOX_HOME</name>
+ <value>/usr/hdp/current/knox-server</value>
+ <display-name>Knox Home</display-name>
+ <description>Knox home folder</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+
+
+
+ <property>
+ <name>external_admin_username</name>
+ <value></value>
+ <display-name>External Ranger admin username</display-name>
+ <description>Add ranger default admin username if want to communicate to external ranger</description>
+ <value-attributes>
+ <empty-value-valid>true</empty-value-valid>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+
+ <property>
+ <name>external_admin_password</name>
+ <value></value>
+ <display-name>External Ranger admin password</display-name>
+ <property-type>PASSWORD</property-type>
+ <description>Add ranger default admin password if want to communicate to external ranger</description>
+ <value-attributes>
+ <type>password</type>
+ <empty-value-valid>true</empty-value-valid>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+
+ <property>
+ <name>external_ranger_admin_username</name>
+ <value></value>
+ <display-name>External Ranger Ambari admin username</display-name>
+ <description>Add ranger default ambari admin username if want to communicate to external ranger</description>
+ <value-attributes>
+ <empty-value-valid>true</empty-value-valid>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+
+ <property>
+ <name>external_ranger_admin_password</name>
+ <value></value>
+ <display-name>External Ranger Ambari admin password</display-name>
+ <property-type>PASSWORD</property-type>
+ <description>Add ranger default ambari admin password if want to communicate to external ranger</description>
+ <value-attributes>
+ <type>password</type>
+ <empty-value-valid>true</empty-value-valid>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+
+</configuration>
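Review bot: `REPOSITORY_CONFIG_PASSWORD` ships with the literal default `admin-password` (and `REPOSITORY_CONFIG_USERNAME` with `admin`), so a cluster that enables the Ranger Knox plugin without editing these fields authenticates to Ranger Admin with a well-known credential; the same string is the sample admin password in the users-ldif template of this commit. The property is at least typed `PASSWORD`, but the description `Used for repository creation on ranger admin` gives the operator no hint that the value is a placeholder. I'd change it to `Used for repository creation on ranger admin; the shipped default is a placeholder and must be replaced with the Ranger Admin credential for this cluster`. `policy_user` defaulting to `ambari-qa` deserves a similar sentence, since that is a service-check account rather than a real policy owner.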
http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-policymgr-ssl.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-policymgr-ssl.xml b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-policymgr-ssl.xml
new file mode 100644
index 0000000..bb0878f
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-policymgr-ssl.xml
@@ -0,0 +1,66 @@
+<?xml version="1.0"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration>
+ <property>
+ <name>xasecure.policymgr.clientssl.keystore</name>
+ <value>/usr/hdp/current/knox-server/conf/ranger-plugin-keystore.jks</value>
+ <description>Java Keystore files</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.keystore.password</name>
+ <value>myKeyFilePassword</value>
+ <property-type>PASSWORD</property-type>
+ <description>password for keystore</description>
+ <value-attributes>
+ <type>password</type>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.truststore</name>
+ <value>/usr/hdp/current/knox-server/conf/ranger-plugin-truststore.jks</value>
+ <description>java truststore file</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.truststore.password</name>
+ <value>changeit</value>
+ <property-type>PASSWORD</property-type>
+ <description>java truststore password</description>
+ <value-attributes>
+ <type>password</type>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.keystore.credential.file</name>
+ <value>jceks://file{{credential_file}}</value>
+ <description>java keystore credential file</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.truststore.credential.file</name>
+ <value>jceks://file{{credential_file}}</value>
+ <description>java truststore credential file</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+</configuration>
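Review bot: The keystore and truststore passwords default to the placeholder strings `myKeyFilePassword` and `changeit`, and their descriptions (`password for keystore`, `java truststore password`) do not say so, so the values can survive into a deployment unchanged. The two `*.credential.file` properties point the plugin at a JCEKS store, so presumably these plaintext values are what gets written into that store at install time — worth confirming in the scripts, which are outside this hunk. I'd make each description explicit: `Password for the plugin keystore; the shipped value is a placeholder and must match the keystore actually deployed under the Knox conf dir`. The keystore and truststore paths are also hardcoded to `/usr/hdp/current/knox-server/conf/` while `{{credential_file}}` two properties below is templated; keeping the two styles in step would avoid a silent mismatch on a non-default install.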
http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-security.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-security.xml b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-security.xml
new file mode 100644
index 0000000..37bda4c
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/ranger-knox-security.xml
@@ -0,0 +1,64 @@
+<?xml version="1.0"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration>
+ <property>
+ <name>ranger.plugin.knox.service.name</name>
+ <value>{{repo_name}}</value>
+ <description>Name of the Ranger service containing policies for this Knox instance</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>ranger.plugin.knox.policy.source.impl</name>
+ <value>org.apache.ranger.admin.client.RangerAdminJersey2RESTClient</value>
+ <description>Class to retrieve policies from the source</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>ranger.plugin.knox.policy.rest.url</name>
+ <value>{{policymgr_mgr_url}}</value>
+ <description>URL to Ranger Admin</description>
+ <on-ambari-upgrade add="false"/>
+ <depends-on>
+ <property>
+ <type>admin-properties</type>
+ <name>policymgr_external_url</name>
+ </property>
+ </depends-on>
+ </property>
+ <property>
+ <name>ranger.plugin.knox.policy.rest.ssl.config.file</name>
+ <value>/usr/hdp/current/knox-server/conf/ranger-policymgr-ssl.xml</value>
+ <description>Path to the file containing SSL details to contact Ranger Admin</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>ranger.plugin.knox.policy.pollIntervalMs</name>
+ <value>30000</value>
+ <description>How often to poll for changes in policies?</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>ranger.plugin.knox.policy.cache.dir</name>
+ <value>/etc/ranger/{{repo_name}}/policycache</value>
+ <description>Directory where Ranger policies are cached after successful retrieval from the source</description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+</configuration>
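Review bot: `ranger.plugin.knox.policy.rest.ssl.config.file` hardcodes `/usr/hdp/current/knox-server/conf/ranger-policymgr-ssl.xml` while the sibling values in this file (`{{repo_name}}`, `{{policymgr_mgr_url}}`) are templated, so a Knox installed under a different conf dir would be left with a dangling SSL-config reference; what the plugin does then (plain HTTP or a failed policy fetch) I cannot confirm from here. If the config templating exposes the conf dir the scripts already use (`params.knox_conf_dir` appears in knox.py later in this commit), `<value>{{knox_conf_dir}}/ranger-policymgr-ssl.xml</value>` would keep the two in step. The description for `ranger.plugin.knox.policy.pollIntervalMs` could also note the security consequence of the default: `How often to poll for changes in policies (ms); a policy revocation can take up to this long to reach the gateway`.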
http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/topology.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/topology.xml b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/topology.xml
new file mode 100644
index 0000000..594ab18
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/topology.xml
@@ -0,0 +1,174 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration supports_final="false" supports_adding_forbidden="true">
+ <!-- topology file -->
+ <property>
+ <name>content</name>
+ <display-name>topology template</display-name>
+ <value>
+ <topology>
+
+ <gateway>
+
+ <provider>
+ <role>authentication</role>
+ <name>ShiroProvider</name>
+ <enabled>true</enabled>
+ <param>
+ <name>sessionTimeout</name>
+ <value>30</value>
+ </param>
+ <param>
+ <name>main.ldapRealm</name>
+ <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.userDnTemplate</name>
+ <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.contextFactory.url</name>
+ <value>ldap://{{knox_host_name}}:33389</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
+ <value>simple</value>
+ </param>
+ <param>
+ <name>urls./**</name>
+ <value>authcBasic</value>
+ </param>
+ </provider>
+
+ <provider>
+ <role>identity-assertion</role>
+ <name>Default</name>
+ <enabled>true</enabled>
+ </provider>
+
+ <provider>
+ <role>authorization</role>
+ <name>AclsAuthz</name>
+ <enabled>true</enabled>
+ </provider>
+
+ </gateway>
+
+ <service>
+ <role>NAMENODE</role>
+ <url>hdfs://{{namenode_host}}:{{namenode_rpc_port}}</url>
+ </service>
+
+ <service>
+ <role>JOBTRACKER</role>
+ <url>rpc://{{rm_host}}:{{jt_rpc_port}}</url>
+ </service>
+
+ <service>
+ <role>WEBHDFS</role>
+ {{webhdfs_service_urls}}
+ </service>
+
+ <service>
+ <role>WEBHCAT</role>
+ <url>http://{{webhcat_server_host}}:{{templeton_port}}/templeton</url>
+ </service>
+
+ <service>
+ <role>OOZIE</role>
+ <url>http://{{oozie_server_host}}:{{oozie_server_port}}/oozie</url>
+ </service>
+
+ <service>
+ <role>WEBHBASE</role>
+ <url>http://{{hbase_master_host}}:{{hbase_master_port}}</url>
+ </service>
+
+ <service>
+ <role>HIVE</role>
+ <url>http://{{hive_server_host}}:{{hive_http_port}}/{{hive_http_path}}</url>
+ </service>
+
+ <service>
+ <role>RESOURCEMANAGER</role>
+ <url>http://{{rm_host}}:{{rm_port}}/ws</url>
+ </service>
+
+ <service>
+ <role>DRUID-COORDINATOR-UI</role>
+ {{druid_coordinator_urls}}
+ </service>
+
+ <service>
+ <role>DRUID-COORDINATOR</role>
+ {{druid_coordinator_urls}}
+ </service>
+
+ <service>
+ <role>DRUID-OVERLORD-UI</role>
+ {{druid_overlord_urls}}
+ </service>
+
+ <service>
+ <role>DRUID-OVERLORD</role>
+ {{druid_overlord_urls}}
+ </service>
+
+ <service>
+ <role>DRUID-ROUTER</role>
+ {{druid_router_urls}}
+ </service>
+
+ <service>
+ <role>DRUID-BROKER</role>
+ {{druid_broker_urls}}
+ </service>
+
+ <service>
+ <role>ZEPPELINUI</role>
+ {{zeppelin_ui_urls}}
+ </service>
+
+ <service>
+ <role>ZEPPELINWS</role>
+ {{zeppelin_ws_urls}}
+ </service>
+
+ </topology>
+ </value>
+ <description>
+ The configuration specifies the Hadoop cluster services Knox will provide access to.
+ </description>
+ <value-attributes>
+ <type>content</type>
+ <empty-value-valid>true</empty-value-valid>
+ <show-property-name>false</show-property-name>
+ </value-attributes>
+ <depends-on>
+ <property>
+ <type>ranger-knox-plugin-properties</type>
+ <name>ranger-knox-plugin-enabled</name>
+ </property>
+ </depends-on>
+ <on-ambari-upgrade add="false"/>
+ </property>
+</configuration>
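Review bot: The default ShiroProvider binds to `ldap://{{knox_host_name}}:33389` with `authenticationMechanism` `simple`, so every gateway login sends the user's password in cleartext to the demo LDAP, and `userDnTemplate` is the sample `dc=hadoop,dc=apache,dc=org` tree. That is acceptable for the demo directory on the same host, but the description (`The configuration specifies the Hadoop cluster services Knox will provide access to.`) says nothing about it, so an operator can leave a production gateway pointed at the sample directory. I'd extend the description with: `The shipped authentication provider targets the demo LDAP that comes with Knox (plain ldap://, simple bind, sample DN template); replace it with the site LDAP/AD over ldaps:// before exposing the gateway.` The `depends-on` for `ranger-knox-plugin-enabled` suggests the `AclsAuthz` provider is swapped when Ranger is enabled, but nothing in the template shows that; worth confirming in the scripts.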
http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/users-ldif.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/users-ldif.xml b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/users-ldif.xml
new file mode 100644
index 0000000..eefa8c9
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/configuration/users-ldif.xml
@@ -0,0 +1,140 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration supports_final="false" supports_adding_forbidden="true">
+ <property>
+ <name>content</name>
+ <display-name>users-ldif template</display-name>
+ <value>
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+version: 1
+
+# Please replace with site specific values
+dn: dc=hadoop,dc=apache,dc=org
+objectclass: organization
+objectclass: dcObject
+o: Hadoop
+dc: hadoop
+
+# Entry for a sample people container
+# Please replace with site specific values
+dn: ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:organizationalUnit
+ou: people
+
+# Entry for a sample end user
+# Please replace with site specific values
+dn: uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+cn: Guest
+sn: User
+uid: guest
+userPassword:guest-password
+
+# entry for sample user admin
+dn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+cn: Admin
+sn: Admin
+uid: admin
+userPassword:admin-password
+
+# entry for sample user sam
+dn: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+cn: sam
+sn: sam
+uid: sam
+userPassword:sam-password
+
+# entry for sample user tom
+dn: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:person
+objectclass:organizationalPerson
+objectclass:inetOrgPerson
+cn: tom
+sn: tom
+uid: tom
+userPassword:tom-password
+
+# create FIRST Level groups branch
+dn: ou=groups,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass:organizationalUnit
+ou: groups
+description: generic groups branch
+
+# create the analyst group under groups
+dn: cn=analyst,ou=groups,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass: groupofnames
+cn: analyst
+description:analyst group
+member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
+member: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org
+
+
+# create the scientist group under groups
+dn: cn=scientist,ou=groups,dc=hadoop,dc=apache,dc=org
+objectclass:top
+objectclass: groupofnames
+cn: scientist
+description: scientist group
+member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
+
+ </value>
+ <description>
+ content for users-ldif file for the demo LDAP that comes with Knox.
+ </description>
+ <value-attributes>
+ <type>content</type>
+ <empty-value-valid>true</empty-value-valid>
+ <show-property-name>false</show-property-name>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+</configuration>
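Review bot: The template seeds the demo LDAP with four accounts whose passwords are the predictable `<uid>-password` strings (`guest-password`, `admin-password`, `sam-password`, `tom-password`), and only the root, people-OU and guest entries carry the `# Please replace with site specific values` reminder; the `admin`, `sam` and `tom` entries have none. Since the default topology in this commit authenticates against this directory, these are effectively the gateway's initial credentials. I'd put the reminder on every user entry and say it in the property description: `content for users-ldif file for the demo LDAP that comes with Knox. The sample users carry well-known passwords and are for evaluation only; do not use the demo LDAP for a production gateway.`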
http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/kerberos.json b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/kerberos.json
new file mode 100644
index 0000000..2d8aa0d
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/kerberos.json
@@ -0,0 +1,81 @@
+{
+ "services": [
+ {
+ "name": "KNOX",
+ "components": [
+ {
+ "name": "KNOX_GATEWAY",
+ "identities": [
+ {
+ "name": "knox_principal",
+ "principal": {
+ "value": "${knox-env/knox_user}/_HOST@${realm}",
+ "type" : "service",
+ "configuration": "knox-env/knox_principal_name",
+ "local_username": "${knox-env/knox_user}"
+
+ },
+ "keytab": {
+ "file": "${keytab_dir}/knox.service.keytab",
+ "owner": {
+ "name": "${knox-env/knox_user}",
+ "access": "r"
+ },
+ "group": {
+ "name": "${cluster-env/user_group}",
+ "access": ""
+ },
+ "configuration": "knox-env/knox_keytab_path"
+ }
+ },
+ {
+ "name": "/KNOX/KNOX_GATEWAY/knox_principal",
+ "principal": {
+ "configuration": "ranger-knox-audit/xasecure.audit.jaas.Client.option.principal"
+ },
+ "keytab": {
+ "configuration": "ranger-knox-audit/xasecure.audit.jaas.Client.option.keyTab"
+ }
+ }
+ ],
+ "configurations": [
+ {
+ "gateway-site": {
+ "gateway.hadoop.kerberos.secured": "true",
+ "java.security.krb5.conf": "/etc/krb5.conf"
+ }
+ },
+ {
+ "core-site": {
+ "hadoop.proxyuser.${knox-env/knox_user}.groups": "${hadoop-env/proxyuser_group}",
+ "hadoop.proxyuser.${knox-env/knox_user}.hosts": "${clusterHostInfo/knox_gateway_hosts}"
+ }
+ },
+ {
+ "webhcat-site": {
+ "webhcat.proxyuser.${knox-env/knox_user}.groups": "${hadoop-env/proxyuser_group}",
+ "webhcat.proxyuser.${knox-env/knox_user}.hosts": "${clusterHostInfo/knox_gateway_hosts}"
+ }
+ },
+ {
+ "oozie-site": {
+ "oozie.service.ProxyUserService.proxyuser.${knox-env/knox_user}.groups": "${hadoop-env/proxyuser_group}",
+ "oozie.service.ProxyUserService.proxyuser.${knox-env/knox_user}.hosts": "${clusterHostInfo/knox_gateway_hosts}"
+ }
+ },
+ {
+ "ranger-knox-audit": {
+ "xasecure.audit.jaas.Client.loginModuleName": "com.sun.security.auth.module.Krb5LoginModule",
+ "xasecure.audit.jaas.Client.loginModuleControlFlag": "required",
+ "xasecure.audit.jaas.Client.option.useKeyTab": "true",
+ "xasecure.audit.jaas.Client.option.storeKey": "false",
+ "xasecure.audit.jaas.Client.option.serviceName": "solr",
+ "xasecure.audit.destination.solr.force.use.inmemory.jaas.config": "true"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/metainfo.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/metainfo.xml b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/metainfo.xml
new file mode 100644
index 0000000..8954d0d
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/metainfo.xml
@@ -0,0 +1,109 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<metainfo>
+ <schemaVersion>2.0</schemaVersion>
+ <services>
+ <service>
+ <name>KNOX</name>
+ <displayName>Knox</displayName>
+ <comment>Provides a single point of authentication and access for Apache Hadoop services in a cluster</comment>
+ <version>0.5.0.3.0</version>
+ <components>
+ <component>
+ <name>KNOX_GATEWAY</name>
+ <displayName>Knox Gateway</displayName>
+ <category>MASTER</category>
+ <cardinality>1+</cardinality>
+ <versionAdvertised>true</versionAdvertised>
+ <commandScript>
+ <script>scripts/knox_gateway.py</script>
+ <scriptType>PYTHON</scriptType>
+ <timeout>1200</timeout>
+ </commandScript>
+ <logs>
+ <log>
+ <logId>knox_gateway</logId>
+ <primary>true</primary>
+ </log>
+ <log>
+ <logId>knox_cli</logId>
+ </log>
+ <log>
+ <logId>knox_ldap</logId>
+ </log>
+ </logs>
+ <customCommands>
+ <customCommand>
+ <name>STARTDEMOLDAP</name>
+ <commandScript>
+ <script>scripts/knox_gateway.py</script>
+ <scriptType>PYTHON</scriptType>
+ <timeout>600</timeout>
+ </commandScript>
+ </customCommand>
+ <customCommand>
+ <name>STOPDEMOLDAP</name>
+ <commandScript>
+ <script>scripts/knox_gateway.py</script>
+ <scriptType>PYTHON</scriptType>
+ <timeout>600</timeout>
+ </commandScript>
+ </customCommand>
+ </customCommands>
+ </component>
+ </components>
+
+ <osSpecifics>
+ <osSpecific>
+ <osFamily>redhat7,amazon2015,redhat6,suse11,suse12</osFamily>
+ <packages>
+ <package>
+ <name>knox_${stack_version}</name>
+ </package>
+ </packages>
+ </osSpecific>
+ <osSpecific>
+ <osFamily>debian7,ubuntu12,ubuntu14,ubuntu16</osFamily>
+ <packages>
+ <package>
+ <name>knox-${stack_version}</name>
+ </package>
+ </packages>
+ </osSpecific>
+ </osSpecifics>
+
+ <commandScript>
+ <script>scripts/service_check.py</script>
+ <scriptType>PYTHON</scriptType>
+ <timeout>300</timeout>
+ </commandScript>
+
+ <configuration-dependencies>
+ <config-type>gateway-site</config-type>
+ <config-type>gateway-log4j</config-type>
+ <config-type>topology</config-type>
+ <config-type>admin-topology</config-type>
+ <config-type>knoxsso-topology</config-type>
+ <config-type>ranger-knox-plugin-properties</config-type>
+ <config-type>ranger-knox-audit</config-type>
+ <config-type>ranger-knox-policymgr-ssl</config-type>
+ <config-type>ranger-knox-security</config-type>
+ </configuration-dependencies>
+ </service>
+ </services>
+</metainfo>
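Review bot: `configuration-dependencies` lists the gateway, topology and ranger config types but not `users-ldif` (added in this same commit) or `knox-env` (referenced as `${knox-env/knox_user}` in kerberos.json), so if Ambari uses this list to decide which config edits flag the component for restart, edits to the demo LDAP users or to the Knox service user would go unflagged. Unless the omission is deliberate, I'd add `<config-type>users-ldif</config-type>` and `<config-type>knox-env</config-type>` alongside the others. If it is deliberate, a one-line XML comment saying why would save the next reader the same question.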
http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/files/validateKnoxStatus.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/files/validateKnoxStatus.py b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/files/validateKnoxStatus.py
new file mode 100644
index 0000000..257abfb
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/files/validateKnoxStatus.py
@@ -0,0 +1,43 @@
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+import optparse
+import socket
+
+#
+# Main.
+#
+def main():
+ parser = optparse.OptionParser(usage="usage: %prog [options]")
+ parser.add_option("-p", "--port", dest="port", help="Port for Knox process")
+ parser.add_option("-n", "--hostname", dest="hostname", help="Hostname of Knox Gateway component")
+
+ (options, args) = parser.parse_args()
+ timeout_seconds = 5
+ try:
+ s = socket.create_connection((options.hostname, int(options.port)),timeout=timeout_seconds)
+ print "Successfully connected to %s on port %s" % (options.hostname, options.port)
+ s.close()
+ except socket.error, e:
+ print "Connection to %s on port %s failed: %s" % (options.hostname, options.port, e)
+ exit(1)
+
+if __name__ == "__main__":
+ main()
+
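Review bot: `int(options.port)` on the `create_connection` line runs before anything checks that `--port` and `--hostname` were supplied, so a missing or non-numeric port raises `TypeError`/`ValueError` outside the `except socket.error` handler and the script dies with a traceback instead of the intended one-line failure message (the exit status is still non-zero, so only the diagnostics differ). I'd validate right after `parse_args()`: `if options.hostname is None or options.port is None: parser.error("--hostname and --port are required")`, and convert the port once with a `ValueError` routed to `parser.error` as well. The `except socket.error, e` form is Python 2 only; `except socket.error as e` works on 2.6+ and 3, so it costs nothing to future-proof it.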
http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/scripts/knox.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/scripts/knox.py b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/scripts/knox.py
new file mode 100644
index 0000000..34b5643
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/scripts/knox.py
@@ -0,0 +1,192 @@
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+
+import os
+from resource_management.libraries.script.script import Script
+from resource_management.libraries.resources.xml_config import XmlConfig
+from resource_management.core.resources.service import ServiceConfig
+from resource_management.libraries.functions.format import format
+from resource_management.libraries.functions.get_config import get_config
+from resource_management.libraries.resources.template_config import TemplateConfig
+from resource_management.core.resources.system import File, Execute, Directory
+from resource_management.core.shell import as_user
+from resource_management.core.source import InlineTemplate
+
+from ambari_commons import OSConst
+from ambari_commons.os_family_impl import OsFamilyFuncImpl, OsFamilyImpl
+
+from resource_management.libraries.functions.stack_features import check_stack_feature
+from resource_management.libraries.functions import StackFeature
+
+@OsFamilyFuncImpl(os_family=OSConst.WINSRV_FAMILY)
+def knox():
+ import params
+
+ XmlConfig("gateway-site.xml",
+ conf_dir=params.knox_conf_dir,
+ configurations=params.config['configurations']['gateway-site'],
+ configuration_attributes=params.config['configuration_attributes']['gateway-site'],
+ owner=params.knox_user
+ )
+
+ # Manually overriding service logon user & password set by the installation package
+ ServiceConfig(params.knox_gateway_win_service_name,
+ action="change_user",
+ username = params.knox_user,
+ password = Script.get_password(params.knox_user))
+
+ File(os.path.join(params.knox_conf_dir, "gateway-log4j.properties"),
+ owner=params.knox_user,
+ content=params.gateway_log4j
+ )
+
+ File(os.path.join(params.knox_conf_dir, "topologies", "default.xml"),
+ group=params.knox_group,
+ owner=params.knox_user,
+ content=InlineTemplate(params.topology_template)
+ )
+
+ if params.admin_topology_template:
+ File(os.path.join(params.knox_conf_dir, "topologies", "admin.xml"),
+ group=params.knox_group,
+ owner=params.knox_user,
+ content=InlineTemplate(params.admin_topology_template)
+ )
+
+ if params.version_formatted and check_stack_feature(StackFeature.KNOX_SSO_TOPOLOGY, params.version_formatted):
+ knoxsso_topology_template_content = get_config("knoxsso-topology")
+ if knoxsso_topology_template_content:
+ File(os.path.join(params.knox_conf_dir, "topologies", "knoxsso.xml"),
+ group=params.knox_group,
+ owner=params.knox_user,
+ content=InlineTemplate(params.knoxsso_topology_template)
+ )
+
+ if params.security_enabled:
+ TemplateConfig( os.path.join(params.knox_conf_dir, "krb5JAASLogin.conf"),
+ owner = params.knox_user,
+ template_tag = None
+ )
+
+ if not os.path.isfile(params.knox_master_secret_path):
+ cmd = format('cmd /C {knox_client_bin} create-master --master {knox_master_secret!p}')
+ Execute(cmd)
+ cmd = format('cmd /C {knox_client_bin} create-cert --hostname {knox_host_name_in_cluster}')
+ Execute(cmd)
+
+@OsFamilyFuncImpl(os_family=OsFamilyImpl.DEFAULT)
+def knox():
+ import params
+ Directory([params.knox_data_dir, params.knox_logs_dir, params.knox_pid_dir, params.knox_conf_dir, os.path.join(params.knox_conf_dir, "topologies")],
+ owner = params.knox_user,
+ group = params.knox_group,
+ create_parents = True,
+ cd_access = "a",
+ mode = 0755,
+ recursive_ownership = True,
+ )
+
+ XmlConfig("gateway-site.xml",
+ conf_dir=params.knox_conf_dir,
+ configurations=params.config['configurations']['gateway-site'],
+ configuration_attributes=params.config['configuration_attributes']['gateway-site'],
+ owner=params.knox_user,
+ group=params.knox_group,
+ )
+
+ File(format("{params.knox_conf_dir}/gateway-log4j.properties"),
+ mode=0644,
+ group=params.knox_group,
+ owner=params.knox_user,
+ content=InlineTemplate(params.gateway_log4j)
+ )
+
+ File(format("{params.knox_conf_dir}/topologies/default.xml"),
+ group=params.knox_group,
+ owner=params.knox_user,
+ content=InlineTemplate(params.topology_template)
+ )
+
+ if params.admin_topology_template:
+ File(format("{params.knox_conf_dir}/topologies/admin.xml"),
+ group=params.knox_group,
+ owner=params.knox_user,
+ content=InlineTemplate(params.admin_topology_template)
+ )
+
+ if params.version_formatted and check_stack_feature(StackFeature.KNOX_SSO_TOPOLOGY, params.version_formatted):
+ knoxsso_topology_template_content = get_config("knoxsso-topology")
+ if knoxsso_topology_template_content:
+ File(os.path.join(params.knox_conf_dir, "topologies", "knoxsso.xml"),
+ group=params.knox_group,
+ owner=params.knox_user,
+ content=InlineTemplate(params.knoxsso_topology_template)
+ )
+
+ if params.security_enabled:
+ TemplateConfig( format("{knox_conf_dir}/krb5JAASLogin.conf"),
+ owner = params.knox_user,
+ template_tag = None
+ )
+
+ cmd = format('{knox_client_bin} create-master --master {knox_master_secret!p}')
+ master_secret_exist = as_user(format('test -f {knox_master_secret_path}'), params.knox_user)
+
+ Execute(cmd,
+ user=params.knox_user,
+ environment={'JAVA_HOME': params.java_home},
+ not_if=master_secret_exist,
+ )
+
+ cmd = format('{knox_client_bin} create-cert --hostname {knox_host_name_in_cluster}')
+ cert_store_exist = as_user(format('test -f {knox_cert_store_path}'), params.knox_user)
+
+ Execute(cmd,
+ user=params.knox_user,
+ environment={'JAVA_HOME': params.java_home},
+ not_if=cert_store_exist,
+ )
+
+
+@OsFamilyFuncImpl(os_family=OSConst.WINSRV_FAMILY)
+def update_knox_folder_permissions():
+ import params
+ Directory(params.knox_logs_dir,
+ owner = params.knox_user,
+ group = params.knox_group
+ )
+
+
+@OsFamilyFuncImpl(os_family=OsFamilyImpl.DEFAULT)
+def update_knox_logfolder_permissions():
+ """
+ Fix for the bug with rpm/deb packages. During installation of the package, they re-apply permissions to the
+ folders below; such behaviour will affect installations with non-standard user name/group and will put
+ cluster in non-working state
+ """
+ import params
+
+ Directory(params.knox_logs_dir,
+ owner = params.knox_user,
+ group = params.knox_group,
+ create_parents = True,
+ cd_access = "a",
+ mode = 0755,
+ recursive_ownership = True,
+ )
http://git-wip-us.apache.org/repos/asf/ambari/blob/9adffcf7/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/scripts/knox_gateway.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/scripts/knox_gateway.py b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/scripts/knox_gateway.py
new file mode 100644
index 0000000..8996d23
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/KNOX/0.5.0.3.0/package/scripts/knox_gateway.py
@@ -0,0 +1,220 @@
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+
+import os
+
+from resource_management.libraries.script.script import Script
+from resource_management.libraries.functions.check_process_status import check_process_status
+from resource_management.libraries.functions.format import format
+from resource_management.libraries.functions import conf_select, stack_select
+from resource_management.libraries.functions.constants import Direction
+from resource_management.libraries.functions.security_commons import build_expectations
+from resource_management.libraries.functions.security_commons import cached_kinit_executor
+from resource_management.libraries.functions.security_commons import validate_security_config_properties
+from resource_management.libraries.functions.security_commons import get_params_from_filesystem
+from resource_management.libraries.functions.security_commons import FILE_TYPE_XML
+from resource_management.libraries.functions.show_logs import show_logs
+from resource_management.core.resources.system import File, Execute, Link
+from resource_management.core.resources.service import Service
+from resource_management.core.logger import Logger
+
+
+from ambari_commons import OSConst, OSCheck
+from ambari_commons.os_family_impl import OsFamilyImpl
+
+if OSCheck.is_windows_family():
+ from resource_management.libraries.functions.windows_service_utils import check_windows_service_status
+
+import upgrade
+from knox import knox, update_knox_logfolder_permissions
+from knox_ldap import ldap
+from setup_ranger_knox import setup_ranger_knox
+
+
+class KnoxGateway(Script):
+ def get_component_name(self):
+ return "knox-server"
+
+ def install(self, env):
+ import params
+ env.set_params(params)
+ self.install_packages(env)
+
+ File(os.path.join(params.knox_conf_dir, 'topologies', 'sandbox.xml'),
+ action = "delete",
+ )
+
+ def configure(self, env, upgrade_type=None):
+ import params
+ env.set_params(params)
+ knox()
+ ldap()
+
+ def configureldap(self, env):
+ import params
+ env.set_params(params)
+ ldap()
+
+
+
+@OsFamilyImpl(os_family=OSConst.WINSRV_FAMILY)
+class KnoxGatewayWindows(KnoxGateway):
+ def start(self, env, upgrade_type=None):
+ import params
+ env.set_params(params)
+ self.configure(env)
+ # setup_ranger_knox(env)
+ Service(params.knox_gateway_win_service_name, action="start")
+
+ def stop(self, env, upgrade_type=None):
+ import params
+ env.set_params(params)
+ Service(params.knox_gateway_win_service_name, action="stop")
+
+ def status(self, env):
+ import status_params
+ env.set_params(status_params)
+ check_windows_service_status(status_params.knox_gateway_win_service_name)
+
+ def startdemoldap(self, env):
+ import params
+ env.set_params(params)
+ self.configureldap(env)
+ Service(params.knox_ldap_win_service_name, action="start")
+
+ def stopdemoldap(self, env):
+ import params
+ env.set_params(params)
+ Service(params.knox_ldap_win_service_name, action="stop")
+
+
+
+@OsFamilyImpl(os_family=OsFamilyImpl.DEFAULT)
+class KnoxGatewayDefault(KnoxGateway):
+
+ def pre_upgrade_restart(self, env, upgrade_type=None):
+ import params
+ env.set_params(params)
+
+ # backup the data directory to /tmp/knox-upgrade-backup/knox-data-backup.tar just in case
+ # something happens; Knox is interesting in that they re-generate missing files like
+ # keystores which can cause side effects if the upgrade goes wrong
+ if params.upgrade_direction and params.upgrade_direction == Direction.UPGRADE:
+ absolute_backup_dir = upgrade.backup_data()
+ Logger.info("Knox data was successfully backed up to {0}".format(absolute_backup_dir))
+
+ # <conf-selector-tool> will change the symlink to the conf folder.
+ conf_select.select(params.stack_name, "knox", params.version)
+ stack_select.select("knox-server", params.version)
+
+ # seed the new Knox data directory with the keystores of yesteryear
+ if params.upgrade_direction == Direction.UPGRADE:
+ upgrade.seed_current_data_directory()
+
+
+ def start(self, env, upgrade_type=None):
+ import params
+ env.set_params(params)
+ self.configure(env)
+ daemon_cmd = format('{knox_bin} start')
+ no_op_test = format('ls {knox_pid_file} >/dev/null 2>&1 && ps -p `cat {knox_pid_file}` >/dev/null 2>&1')
+ setup_ranger_knox(upgrade_type=upgrade_type)
+ # Used to setup symlink, needed to update the knox managed symlink, in case of custom locations
+ if os.path.islink(params.knox_managed_pid_symlink):
+ Link(params.knox_managed_pid_symlink,
+ to = params.knox_pid_dir,
+ )
+
+ update_knox_logfolder_permissions()
+
+ try:
+ Execute(daemon_cmd,
+ user=params.knox_user,
+ environment={'JAVA_HOME': params.java_home},
+ not_if=no_op_test
+ )
+ except:
+ show_logs(params.knox_logs_dir, params.knox_user)
+ raise
+
+ def stop(self, env, upgrade_type=None):
+ import params
+ env.set_params(params)
+ daemon_cmd = format('{knox_bin} stop')
+
+ update_knox_logfolder_permissions()
+
+ try:
+ Execute(daemon_cmd,
+ environment={'JAVA_HOME': params.java_home},
+ user=params.knox_user,
+ )
+ except:
+ show_logs(params.knox_logs_dir, params.knox_user)
+ raise
+
+ File(params.knox_pid_file,
+ action="delete",
+ )
+
+ def status(self, env):
+ import status_params
+ env.set_params(status_params)
+ check_process_status(status_params.knox_pid_file)
+
+ def startdemoldap(self, env):
+ import params
+ env.set_params(params)
+ self.configureldap(env)
+ daemon_cmd = format('{ldap_bin} start')
+ no_op_test = format('ls {ldap_pid_file} >/dev/null 2>&1 && ps -p `cat {ldap_pid_file}` >/dev/null 2>&1')
+ Execute(daemon_cmd,
+ user=params.knox_user,
+ environment={'JAVA_HOME': params.java_home},
+ not_if=no_op_test
+ )
+
+ def stopdemoldap(self, env):
+ import params
+ env.set_params(params)
+ self.configureldap(env)
+ daemon_cmd = format('{ldap_bin} stop')
+ Execute(daemon_cmd,
+ environment={'JAVA_HOME': params.java_home},
+ user=params.knox_user,
+ )
+ File(params.ldap_pid_file,
+ action = "delete"
+ )
+
+ def get_log_folder(self):
+ import params
+ return params.knox_logs_dir
+
+ def get_user(self):
+ import params
+ return params.knox_user
+
+ def get_pid_files(self):
+ import status_params
+ return [status_params.knox_pid_file]
+
+
+if __name__ == "__main__":
+ KnoxGateway().execute()
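Review bot: `pre_upgrade_restart` backs up the whole Knox data directory, which per the comment holds the keystores (and, given `create-master` in knox.py, the master secret file), to `/tmp/knox-upgrade-backup/knox-data-backup.tar`; `/tmp` is world-writable and shared, so the archive's readability and any symlink pre-placed at that path are decided by `upgrade.backup_data()`, which lives outside this diff, and nothing here removes the archive after a successful upgrade. The backup location and file mode should be pinned to a knox-owned directory (or at least documented with a comment such as `# NOTE: backup contains keystores/master secret; must be 0600 and cleaned up after upgrade`). A smaller consistency point: `start()` and `startdemoldap()` build `no_op_test` as `ls {knox_pid_file} ... && ps -p \`cat {knox_pid_file}\`` without the `as_user(..., params.knox_user)` wrapper that knox.py uses for its `not_if` checks, so the pid file written by the knox user is read with whatever privilege the agent runs the guard under; wrapping it the same way keeps the privilege boundary uniform.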