Posted to commits@ambari.apache.org by ga...@apache.org on 2016/04/25 15:58:34 UTC
ambari git commit: AMBARI-13349. Create all necessary keytabs and
principals for Ranger Service(Mugdha Varadkar via gautam)
Repository: ambari
Updated Branches:
refs/heads/trunk ab41bca8d -> b33b98059
AMBARI-13349. Create all necessary keytabs and principals for Ranger Service(Mugdha Varadkar via gautam)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/b33b9805
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/b33b9805
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/b33b9805
Branch: refs/heads/trunk
Commit: b33b9805989ce31e790ad3f81b951f9cf7536955
Parents: ab41bca
Author: Gautam Borad <ga...@apache.org>
Authored: Mon Apr 25 19:07:53 2016 +0530
Committer: Gautam Borad <ga...@apache.org>
Committed: Mon Apr 25 19:28:24 2016 +0530
----------------------------------------------------------------------
.../libraries/functions/constants.py | 1 +
.../libraries/functions/stack_features.py | 5 +
.../alerts/alert_ranger_admin_passwd_check.py | 56 +++++----
.../RANGER/0.4.0/package/scripts/params.py | 6 +
.../0.4.0/package/scripts/setup_ranger_xml.py | 20 +++-
.../HDP/2.0.6/properties/stack_features.json | 5 +
.../stacks/HDP/2.5/services/RANGER/alerts.json | 76 ++++++++++++
.../RANGER/configuration/ranger-admin-site.xml | 77 ++++++++++++-
.../configuration/ranger-tagsync-site.xml | 18 +++
.../RANGER/configuration/ranger-ugsync-site.xml | 39 +++++++
.../HDP/2.5/services/RANGER/kerberos.json | 115 +++++++++++++++++++
11 files changed, 394 insertions(+), 24 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/b33b9805/ambari-common/src/main/python/resource_management/libraries/functions/constants.py
----------------------------------------------------------------------
diff --git a/ambari-common/src/main/python/resource_management/libraries/functions/constants.py b/ambari-common/src/main/python/resource_management/libraries/functions/constants.py
index 935f589..8f27b48 100644
--- a/ambari-common/src/main/python/resource_management/libraries/functions/constants.py
+++ b/ambari-common/src/main/python/resource_management/libraries/functions/constants.py
@@ -79,3 +79,4 @@ class StackFeature:
HIVE_ENV_HEAPSIZE = "hive_env_heapsize"
RANGER_KMS_HSM_SUPPORT = "ranger_kms_hsm_support"
RANGER_LOG4J_SUPPORT = "ranger_log4j_support"
+ RANGER_KERBEROS_SUPPORT = "ranger_kerberos_support"
http://git-wip-us.apache.org/repos/asf/ambari/blob/b33b9805/ambari-common/src/main/python/resource_management/libraries/functions/stack_features.py
----------------------------------------------------------------------
diff --git a/ambari-common/src/main/python/resource_management/libraries/functions/stack_features.py b/ambari-common/src/main/python/resource_management/libraries/functions/stack_features.py
index 1ba8122..daa97de 100644
--- a/ambari-common/src/main/python/resource_management/libraries/functions/stack_features.py
+++ b/ambari-common/src/main/python/resource_management/libraries/functions/stack_features.py
@@ -228,6 +228,11 @@ _DEFAULT_STACK_FEATURES = {
"name": "ranger_log4j_support",
"description": "Ranger supporting log-4j properties (AMBARI-15681)",
"min_version": "2.5.0.0"
+ },
+ {
+ "name": "ranger_kerberos_support",
+ "description": "Ranger Kerberos support",
+ "min_version": "2.5.0.0"
}
]
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/b33b9805/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/alerts/alert_ranger_admin_passwd_check.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/alerts/alert_ranger_admin_passwd_check.py b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/alerts/alert_ranger_admin_passwd_check.py
index ad95980..a0a9162 100644
--- a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/alerts/alert_ranger_admin_passwd_check.py
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/alerts/alert_ranger_admin_passwd_check.py
@@ -23,6 +23,7 @@ import urllib2
import ambari_simplejson as json # simplejson is much faster comparing to Python 2.6 json module and has the same functions set.
import logging
from resource_management.core.environment import Environment
+from resource_management.libraries.script import Script
logger = logging.getLogger()
RANGER_ADMIN_URL = '{{admin-properties/policymgr_external_url}}'
@@ -30,6 +31,7 @@ ADMIN_USERNAME = '{{ranger-env/admin_username}}'
ADMIN_PASSWORD = '{{ranger-env/admin_password}}'
RANGER_ADMIN_USERNAME = '{{ranger-env/ranger_admin_username}}'
RANGER_ADMIN_PASSWORD = '{{ranger-env/ranger_admin_password}}'
+SECURITY_ENABLED = '{{cluster-env/security_enabled}}'
def get_tokens():
"""
@@ -38,7 +40,7 @@ def get_tokens():
:return tuple
"""
- return (RANGER_ADMIN_URL, ADMIN_USERNAME, ADMIN_PASSWORD, RANGER_ADMIN_USERNAME, RANGER_ADMIN_PASSWORD)
+ return (RANGER_ADMIN_URL, ADMIN_USERNAME, ADMIN_PASSWORD, RANGER_ADMIN_USERNAME, RANGER_ADMIN_PASSWORD, SECURITY_ENABLED)
def execute(configurations={}, parameters={}, host_name=None):
@@ -61,6 +63,9 @@ def execute(configurations={}, parameters={}, host_name=None):
admin_password = None
ranger_admin_username = None
ranger_admin_password = None
+ security_enabled = False
+
+ stack_is_hdp25_or_further = Script.is_stack_greater_or_equal("2.5")
if RANGER_ADMIN_URL in configurations:
ranger_link = configurations[RANGER_ADMIN_URL]
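Review bot: `Script.is_stack_greater_or_equal("2.5")` is evaluated near the top of execute(), before the `try:` that the next hunk shows around the login checks, so an exception raised there would escape execute() instead of becoming an alert result. Whether the Script helper has a stack version available when invoked from an alert rather than a service command is not visible on this page and should be confirmed. The literal "2.5" also duplicates the `ranger_kerberos_support` feature (min_version 2.5.0.0) that this same commit introduces; deriving the decision from that feature would keep one source of truth. If the literal stays, a comment such as `# HDP 2.5+ with security enabled: the password login probe is skipped below` would explain it. execute() begins and ends outside this hunk.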
@@ -81,33 +86,40 @@ def execute(configurations={}, parameters={}, host_name=None):
if RANGER_ADMIN_PASSWORD in configurations:
ranger_admin_password = configurations[RANGER_ADMIN_PASSWORD]
+ if SECURITY_ENABLED in configurations:
+ security_enabled = str(configurations[SECURITY_ENABLED]).upper() == 'TRUE'
+
label = None
result_code = 'OK'
try:
- admin_http_code = check_ranger_login(ranger_auth_link, admin_username, admin_password)
- if admin_http_code == 200:
- get_user_code = get_ranger_user(ranger_get_user, admin_username, admin_password, ranger_admin_username)
- if get_user_code:
- user_http_code = check_ranger_login(ranger_auth_link, ranger_admin_username, ranger_admin_password)
- if user_http_code == 200:
- result_code = 'OK'
- label = 'Login Successful for users {0} and {1}'.format(admin_username, ranger_admin_username)
- elif user_http_code == 401:
- result_code = 'CRITICAL'
- label = 'User:{0} credentials on Ambari UI are not in sync with Ranger'.format(ranger_admin_username)
+ if security_enabled and stack_is_hdp25_or_further:
+ result_code = 'UNKNOWN'
+ label = 'This alert will get skipped for Ranger Admin on kerberos env'
+ else:
+ admin_http_code = check_ranger_login(ranger_auth_link, admin_username, admin_password)
+ if admin_http_code == 200:
+ get_user_code = get_ranger_user(ranger_get_user, admin_username, admin_password, ranger_admin_username)
+ if get_user_code:
+ user_http_code = check_ranger_login(ranger_auth_link, ranger_admin_username, ranger_admin_password)
+ if user_http_code == 200:
+ result_code = 'OK'
+ label = 'Login Successful for users {0} and {1}'.format(admin_username, ranger_admin_username)
+ elif user_http_code == 401:
+ result_code = 'CRITICAL'
+ label = 'User:{0} credentials on Ambari UI are not in sync with Ranger'.format(ranger_admin_username)
+ else:
+ result_code = 'WARNING'
+ label = 'Ranger Admin service is not reachable, please restart the service'
else:
- result_code = 'WARNING'
- label = 'Ranger Admin service is not reachable, please restart the service'
+ result_code = 'OK'
+ label = 'Login Successful for user: {0}. User:{1} user not yet synced with Ranger'.format(admin_username, ranger_admin_username)
+ elif admin_http_code == 401:
+ result_code = 'CRITICAL'
+ label = 'User:{0} credentials on Ambari UI are not in sync with Ranger'.format(admin_username)
else:
- result_code = 'OK'
- label = 'Login Successful for user: {0}. User:{1} user not yet synced with Ranger'.format(admin_username, ranger_admin_username)
- elif admin_http_code == 401:
- result_code = 'CRITICAL'
- label = 'User:{0} credentials on Ambari UI are not in sync with Ranger'.format(admin_username)
- else:
- result_code = 'WARNING'
- label = 'Ranger Admin service is not reachable, please restart the service'
+ result_code = 'WARNING'
+ label = 'Ranger Admin service is not reachable, please restart the service'
except Exception, e:
label = str(e)
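Review bot: On a Kerberos-enabled HDP 2.5+ cluster the new first branch returns 'UNKNOWN' without contacting Ranger, so this alert stops detecting drift between the admin credentials stored in Ambari and those in Ranger on exactly the clusters where security is turned on. The HDP 2.5 alerts.json added by this commit still schedules `ranger_admin_password_check` with interval 30, so on such clusters it would presumably sit in UNKNOWN permanently and train operators to ignore it. Consider not registering the alert when security is enabled, or make the gap explicit in code with a comment such as `# Kerberized Ranger (HDP 2.5+): password login is not probed, credential drift is NOT detected by this alert`. The label text could likewise say why the check is skipped rather than only that it is.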
http://git-wip-us.apache.org/repos/asf/ambari/blob/b33b9805/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py
index 5640124..59190fe 100644
--- a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py
@@ -61,6 +61,7 @@ stack_supports_usersync_non_root = stack_version_formatted and check_stack_feat
stack_supports_ranger_tagsync = stack_version_formatted and check_stack_feature(StackFeature.RANGER_TAGSYNC_COMPONENT, stack_version_formatted)
stack_supports_ranger_audit_db = stack_version_formatted and check_stack_feature(StackFeature.RANGER_AUDIT_DB_SUPPORT, stack_version_formatted)
stack_supports_ranger_log4j = stack_version_formatted and check_stack_feature(StackFeature.RANGER_LOG4J_SUPPORT, stack_version_formatted)
+stack_supports_ranger_kerberos = stack_version_formatted and check_stack_feature(StackFeature.RANGER_KERBEROS_SUPPORT, stack_version_formatted)
downgrade_from_version = default("/commandParams/downgrade_from_version", None)
upgrade_direction = default("/commandParams/upgrade_direction", None)
@@ -233,3 +234,8 @@ tagsync_pid_file = format('{ranger_pid_dir}/tagsync.pid')
admin_log4j = config['configurations']['admin-log4j']['content']
usersync_log4j = config['configurations']['usersync-log4j']['content']
tagsync_log4j = config['configurations']['tagsync-log4j']['content']
+
+# ranger kerberos
+security_enabled = config['configurations']['cluster-env']['security_enabled']
+namenode_hosts = default("/clusterHostInfo/namenode_host", [])
+has_namenode = len(namenode_hosts) > 0
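Review bot: `security_enabled` is stored here as the raw `cluster-env` value and later used in a plain truth test in create_core_site_xml, while the alert script in this same commit normalises the same property with `str(...).upper() == 'TRUE'`. If `config` does not coerce the value to a boolean (not visible on this page), the string "false" would be truthy and core-site.xml would be written on non-Kerberized clusters. A short comment stating the expected type, e.g. `# boolean; coerced by the config dictionary — confirm`, or an explicit normalisation would remove the doubt.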
http://git-wip-us.apache.org/repos/asf/ambari/blob/b33b9805/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
index 1fbe6bc..914d63d 100644
--- a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
@@ -173,6 +173,7 @@ def setup_ranger_admin(upgrade_type=None):
do_keystore_setup(upgrade_type=upgrade_type)
+ create_core_site_xml(ranger_conf)
def setup_ranger_db(stack_version=None):
import params
@@ -425,6 +426,8 @@ def setup_usersync(upgrade_type=None):
mode = 0640
)
+ create_core_site_xml(ranger_ugsync_conf)
+
def setup_tagsync(upgrade_type=None):
import params
@@ -517,10 +520,25 @@ def setup_tagsync(upgrade_type=None):
only_if=format("ls {tagsync_services_file}"),
sudo=True)
+ create_core_site_xml(ranger_tagsync_conf)
+
def ranger_credential_helper(lib_path, alias_key, alias_value, file_path):
import params
java_bin = format('{java_home}/bin/java')
file_path = format('jceks://file{file_path}')
cmd = (java_bin, '-cp', lib_path, 'org.apache.ranger.credentialapi.buildks', 'create', alias_key, '-value', PasswordString(alias_value), '-provider', file_path)
- Execute(cmd, environment={'JAVA_HOME': params.java_home}, logoutput=True, sudo=True)
\ No newline at end of file
+ Execute(cmd, environment={'JAVA_HOME': params.java_home}, logoutput=True, sudo=True)
+
+def create_core_site_xml(conf_dir):
+ import params
+
+ if params.stack_supports_ranger_kerberos and params.security_enabled and params.has_namenode:
+ XmlConfig("core-site.xml",
+ conf_dir=conf_dir,
+ configurations=params.config['configurations']['core-site'],
+ configuration_attributes=params.config['configuration_attributes']['core-site'],
+ owner=params.unix_user,
+ group=params.unix_group,
+ mode=0644
+ )
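Review bot: create_core_site_xml writes the cluster's full core-site into each Ranger conf directory with `mode=0644`, i.e. world-readable, whereas the context line in setup_usersync in this file uses `mode = 0640` for a Ranger config file. core-site can carry site-specific properties that an operator would not expect every local account on the Ranger hosts to read, so keeping the owner and group as they are and tightening to `mode=0640` looks like the safer default. The lookup `params.config['configuration_attributes']['core-site']` is unguarded; whether that key is always present when `has_namenode` is true is not visible here. The function also lacks a docstring: one sentence saying it is a no-op unless the stack supports Ranger Kerberos, security is enabled and a NameNode exists would help the three callers added in this commit.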
http://git-wip-us.apache.org/repos/asf/ambari/blob/b33b9805/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json b/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json
index 81015c3..733064e 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json
+++ b/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json
@@ -205,6 +205,11 @@
"name": "ranger_log4j_support",
"description": "Ranger supporting log-4j properties (AMBARI-15681)",
"min_version": "2.5.0.0"
+ },
+ {
+ "name": "ranger_kerberos_support",
+ "description": "Ranger Kerberos support",
+ "min_version": "2.5.0.0"
}
]
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/b33b9805/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER/alerts.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER/alerts.json b/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER/alerts.json
new file mode 100644
index 0000000..f1f76e8
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER/alerts.json
@@ -0,0 +1,76 @@
+{
+ "RANGER": {
+ "service": [],
+ "RANGER_ADMIN": [
+ {
+ "name": "ranger_admin_process",
+ "label": "Ranger Admin Process",
+ "description": "This host-level alert is triggered if the Ranger Admin Web UI is unreachable.",
+ "interval": 1,
+ "scope": "ANY",
+ "source": {
+ "type": "WEB",
+ "uri": {
+ "http": "{{admin-properties/policymgr_external_url}}",
+ "https": "{{admin-properties/policymgr_external_url}}",
+ "kerberos_keytab": "{{ranger-admin-site/ranger.spnego.kerberos.keytab}}",
+ "kerberos_principal": "{{ranger-admin-site/ranger.spnego.kerberos.principal}}",
+ "https_property": "{{ranger-admin-site/ranger.service.https.attrib.ssl.enabled}}",
+ "https_property_value": "true",
+ "connection_timeout": 5.0
+ },
+ "reporting": {
+ "ok": {
+ "text": "HTTP {0} response in {2:.3f}s"
+ },
+ "warning": {
+ "text": "HTTP {0} response from {1} in {2:.3f}s ({3})"
+ },
+ "critical": {
+ "text": "Connection failed to {1} ({3})"
+ }
+ }
+ }
+ },
+ {
+ "name": "ranger_admin_password_check",
+ "label": "Ranger Admin password check",
+ "description": "This alert is used to ensure that the Ranger Admin password in Ambari is correct.",
+ "interval": 30,
+ "scope": "ANY",
+ "source": {
+ "type": "SCRIPT",
+ "path": "RANGER/0.4.0/package/alerts/alert_ranger_admin_passwd_check.py",
+ "parameters": []
+ }
+ }
+ ],
+ "RANGER_USERSYNC": [
+ {
+ "name": "ranger_usersync_process",
+ "label": "Ranger Usersync Process",
+ "description": "This host-level alert is triggered if the Ranger Usersync cannot be determined to be up.",
+ "interval": 1,
+ "scope": "HOST",
+ "source": {
+ "type": "PORT",
+ "uri": "{{ranger-ugsync-site/ranger.usersync.port}}",
+ "default_port": 5151,
+ "reporting": {
+ "ok": {
+ "text": "TCP OK - {0:.3f}s response on port {1}"
+ },
+ "warning": {
+ "text": "TCP OK - {0:.3f}s response on port {1}",
+ "value": 1.5
+ },
+ "critical": {
+ "text": "Connection failed: {0} to {1}:{2}",
+ "value": 5.0
+ }
+ }
+ }
+ }
+ ]
+ }
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ambari/blob/b33b9805/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER/configuration/ranger-admin-site.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER/configuration/ranger-admin-site.xml b/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER/configuration/ranger-admin-site.xml
index d533dbc..1a5dd7c 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER/configuration/ranger-admin-site.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER/configuration/ranger-admin-site.xml
@@ -48,4 +48,79 @@
<deleted>true</deleted>
</property>
-</configuration>
\ No newline at end of file
+ <property>
+ <name>ranger.admin.kerberos.token.valid</name>
+ <value>30</value>
+ <description></description>
+ </property>
+
+ <property>
+ <name>ranger.admin.kerberos.cookie.domain</name>
+ <value></value>
+ <description></description>
+ <value-attributes>
+ <empty-value-valid>true</empty-value-valid>
+ </value-attributes>
+ </property>
+
+ <property>
+ <name>ranger.admin.kerberos.cookie.path</name>
+ <value>/</value>
+ <description></description>
+ </property>
+
+ <property>
+ <name>ranger.spnego.kerberos.principal</name>
+ <value></value>
+ <description></description>
+ <value-attributes>
+ <empty-value-valid>true</empty-value-valid>
+ </value-attributes>
+ </property>
+
+ <property>
+ <name>ranger.spnego.kerberos.keytab</name>
+ <value></value>
+ <description></description>
+ <value-attributes>
+ <empty-value-valid>true</empty-value-valid>
+ </value-attributes>
+ </property>
+
+ <property>
+ <name>ranger.admin.kerberos.principal</name>
+ <value></value>
+ <description></description>
+ <value-attributes>
+ <empty-value-valid>true</empty-value-valid>
+ </value-attributes>
+ </property>
+
+ <property>
+ <name>ranger.admin.kerberos.keytab</name>
+ <value></value>
+ <description></description>
+ <value-attributes>
+ <empty-value-valid>true</empty-value-valid>
+ </value-attributes>
+ </property>
+
+ <property>
+ <name>ranger.lookup.kerberos.principal</name>
+ <value></value>
+ <description></description>
+ <value-attributes>
+ <empty-value-valid>true</empty-value-valid>
+ </value-attributes>
+ </property>
+
+ <property>
+ <name>ranger.lookup.kerberos.keytab</name>
+ <value></value>
+ <description></description>
+ <value-attributes>
+ <empty-value-valid>true</empty-value-valid>
+ </value-attributes>
+ </property>
+
+</configuration>
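Review bot: Every property added in this hunk has an empty `<description></description>`, so an operator editing these values in the Ambari UI gets no guidance on security-relevant settings. At minimum `ranger.admin.kerberos.token.valid` (value `30`) should state its unit and what expires, and `ranger.admin.kerberos.cookie.domain` and `ranger.admin.kerberos.cookie.path` (value `/`) should say which cookie they scope. The principal and keytab properties should note that they are filled from the Kerberos descriptor when security is enabled, which is presumably why empty values are allowed. The same empty descriptions appear in the ranger-tagsync-site.xml and ranger-ugsync-site.xml hunks of this commit.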
http://git-wip-us.apache.org/repos/asf/ambari/blob/b33b9805/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER/configuration/ranger-tagsync-site.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER/configuration/ranger-tagsync-site.xml b/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER/configuration/ranger-tagsync-site.xml
index 9ffc59f..08f6235 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER/configuration/ranger-tagsync-site.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER/configuration/ranger-tagsync-site.xml
@@ -184,4 +184,22 @@
</value-attributes>
</property>
+ <property>
+ <name>ranger.tagsync.kerberos.principal</name>
+ <value></value>
+ <description></description>
+ <value-attributes>
+ <empty-value-valid>true</empty-value-valid>
+ </value-attributes>
+ </property>
+
+ <property>
+ <name>ranger.tagsync.kerberos.keytab</name>
+ <value></value>
+ <description></description>
+ <value-attributes>
+ <empty-value-valid>true</empty-value-valid>
+ </value-attributes>
+ </property>
+
</configuration>
http://git-wip-us.apache.org/repos/asf/ambari/blob/b33b9805/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER/configuration/ranger-ugsync-site.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER/configuration/ranger-ugsync-site.xml b/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER/configuration/ranger-ugsync-site.xml
new file mode 100644
index 0000000..10ef1a8
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER/configuration/ranger-ugsync-site.xml
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<configuration>
+
+ <property>
+ <name>ranger.usersync.kerberos.principal</name>
+ <value></value>
+ <description></description>
+ <value-attributes>
+ <empty-value-valid>true</empty-value-valid>
+ </value-attributes>
+ </property>
+
+ <property>
+ <name>ranger.usersync.kerberos.keytab</name>
+ <value></value>
+ <description></description>
+ <value-attributes>
+ <empty-value-valid>true</empty-value-valid>
+ </value-attributes>
+ </property>
+
+</configuration>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ambari/blob/b33b9805/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER/kerberos.json b/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER/kerberos.json
new file mode 100644
index 0000000..cd34cd9
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/HDP/2.5/services/RANGER/kerberos.json
@@ -0,0 +1,115 @@
+{
+ "services": [
+ {
+ "name": "RANGER",
+ "identities": [
+ {
+ "name": "/spnego"
+ },
+ {
+ "name": "/smokeuser"
+ }
+ ],
+ "configurations": [
+ {
+ "ranger-admin-site": {
+ "ranger.admin.kerberos.cookie.domain": "{{ranger_host}}"
+ }
+ }
+ ],
+ "components": [
+ {
+ "name": "RANGER_ADMIN",
+ "identities": [
+ {
+ "name": "rangeradmin",
+ "principal": {
+ "value": "rangeradmin/_HOST@${realm}",
+ "type" : "service",
+ "configuration": "ranger-admin-site/ranger.admin.kerberos.principal",
+ "local_username" : "${ranger-env/ranger_user}"
+ },
+ "keytab": {
+ "file": "${keytab_dir}/rangeradmin.service.keytab",
+ "owner": {
+ "name": "${ranger-env/ranger_user}",
+ "access": "r"
+ },
+ "configuration": "ranger-admin-site/ranger.admin.kerberos.keytab"
+ }
+ },
+ {
+ "name": "rangerlookup",
+ "principal": {
+ "value": "rangerlookup/_HOST@${realm}",
+ "configuration": "ranger-admin-site/ranger.lookup.kerberos.principal",
+ "type" : "service"
+ },
+ "keytab": {
+ "file": "${keytab_dir}/rangerlookup.service.keytab",
+ "owner": {
+ "name": "${ranger-env/ranger_user}",
+ "access": "r"
+ },
+ "configuration": "ranger-admin-site/ranger.lookup.kerberos.keytab"
+ }
+ },
+ {
+ "name": "/spnego",
+ "principal": {
+ "configuration": "ranger-admin-site/ranger.spnego.kerberos.principal"
+ },
+ "keytab": {
+ "configuration": "ranger-admin-site/ranger.spnego.kerberos.keytab"
+ }
+ }
+ ]
+ },
+ {
+ "name": "RANGER_USERSYNC",
+ "identities": [
+ {
+ "name": "rangerusersync",
+ "principal": {
+ "value": "rangerusersync/_HOST@${realm}",
+ "type" : "service",
+ "configuration" : "ranger-ugsync-site/ranger.usersync.kerberos.principal",
+ "local_username" : "rangerusersync"
+ },
+ "keytab": {
+ "file": "${keytab_dir}/rangerusersync.service.keytab",
+ "owner": {
+ "name": "${ranger-env/ranger_user}",
+ "access": "r"
+ },
+ "configuration": "ranger-ugsync-site/ranger.usersync.kerberos.keytab"
+ }
+ }
+ ]
+ },
+ {
+ "name": "RANGER_TAGSYNC",
+ "identities": [
+ {
+ "name": "rangertagsync",
+ "principal": {
+ "value": "rangertagsync/_HOST@${realm}",
+ "type" : "service",
+ "configuration": "ranger-tagsync-site/ranger.tagsync.kerberos.principal",
+ "local_username" : "rangertagsync"
+ },
+ "keytab": {
+ "file": "${keytab_dir}/rangertagsync.service.keytab",
+ "owner": {
+ "name": "${ranger-env/ranger_user}",
+ "access": "r"
+ },
+ "configuration": "ranger-tagsync-site/ranger.tagsync.kerberos.keytab"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
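Review bot: None of the four keytab entries (rangeradmin, rangerlookup, rangerusersync, rangertagsync) declares a `group` block next to `owner`, so the group permission on these key files is left to whatever Ambari applies by default. Stating it explicitly, for example `"group": {"name": "<GROUP>", "access": ""}` if only the owner should read, would make the intended exposure of the keys auditable from the descriptor. The usersync and tagsync identities also set `local_username` to the literals `rangerusersync` and `rangertagsync` while their keytabs are owned by `${ranger-env/ranger_user}`, whereas rangeradmin uses `${ranger-env/ranger_user}` for both. Whether those literal accounts exist on the hosts is not visible here and the mapping is worth confirming. `rangerlookup` has no `local_username` at all, which may be intentional but deserves a word in the commit description.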