Posted to commits@ranger.apache.org by bo...@apache.org on 2015/10/06 08:08:16 UTC
[1/2] incubator-ranger git commit: RANGER-173: Utility scripts to
create HDFS audit folders and policies
Repository: incubator-ranger
Updated Branches:
refs/heads/master ea0872f69 -> 9cb055fc1
RANGER-173: Utility scripts to create HDFS audit folders and policies
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/ed27cecb
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/ed27cecb
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/ed27cecb
Branch: refs/heads/master
Commit: ed27cecb62fe4ec7f9855326b5a8d3632ca0a3c9
Parents: ea0872f
Author: Don Bosco Durai <bo...@apache.org>
Authored: Mon Oct 5 16:11:04 2015 -0700
Committer: Don Bosco Durai <bo...@apache.org>
Committed: Mon Oct 5 23:07:58 2015 -0700
----------------------------------------------------------------------
.../create_hdfs_folders_for_audit_non_secure.sh | 66 +++++++++++++++++++
.../create_hdfs_folders_for_audit_secure.sh | 67 ++++++++++++++++++++
2 files changed, 133 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ed27cecb/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_non_secure.sh
----------------------------------------------------------------------
diff --git a/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_non_secure.sh b/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_non_secure.sh
new file mode 100755
index 0000000..eec3a08
--- /dev/null
+++ b/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_non_secure.sh
@@ -0,0 +1,66 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#Usage: Run this script as user hdfs.
+#Creating folders required for Apache Ranger auditing to HDFS.
+#Note 1: Use this script only for non-secure/kerberos environment
+#
+
+set -x
+hdfs dfs -mkdir -p /ranger/audit
+hdfs dfs -chown hdfs:hdfs /ranger/audit
+hdfs dfs -chmod 755 /ranger
+hdfs dfs -chmod 755 /ranger/audit
+
+hdfs dfs -mkdir -p /ranger/audit/hbaseMaster
+hdfs dfs -chown hbase:hbase /ranger/audit/hbaseMaster
+hdfs dfs -chmod -R 0700 /ranger/audit/hbaseMaster
+
+hdfs dfs -mkdir -p /ranger/audit/hbaseRegional
+hdfs dfs -chown hbase:hbase /ranger/audit/hbaseRegional
+hdfs dfs -chmod -R 0700 /ranger/audit/hbaseRegional
+
+hdfs dfs -mkdir -p /ranger/audit/hdfs
+hdfs dfs -chown hdfs:hdfs /ranger/audit/hdfs
+hdfs dfs -chmod -R 0700 /ranger/audit/hdfs
+
+hdfs dfs -mkdir -p /ranger/audit/hiveServer2
+hdfs dfs -chown hive:hive /ranger/audit/hiveServer2
+hdfs dfs -chmod -R 0700 /ranger/audit/hiveServer2
+
+hdfs dfs -mkdir -p /ranger/audit/kafka
+hdfs dfs -chown kafka:kafka /ranger/audit/kafka
+hdfs dfs -chmod -R 0700 /ranger/audit/kafka
+
+hdfs dfs -mkdir -p /ranger/audit/kms
+hdfs dfs -chown kms:kms /ranger/audit/kms
+hdfs dfs -chmod -R 0700 /ranger/audit/kms
+
+hdfs dfs -mkdir -p /ranger/audit/knox
+hdfs dfs -chown knox:knox /ranger/audit/knox
+hdfs dfs -chmod -R 0700 /ranger/audit/knox
+
+hdfs dfs -mkdir -p /ranger/audit/solr
+hdfs dfs -chown solr:solr /ranger/audit/solr
+hdfs dfs -chmod -R 0700 /ranger/audit/solr
+
+hdfs dfs -mkdir -p /ranger/audit/storm
+hdfs dfs -chown storm:storm /ranger/audit/storm
+hdfs dfs -chmod -R 0700 /ranger/audit/storm
+
+hdfs dfs -mkdir -p /ranger/audit/yarn
+hdfs dfs -chown yarn:yarn /ranger/audit/yarn
+hdfs dfs -chmod -R 0700 /ranger/audit/yarn
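Review bot: Nothing after `set -x` stops the script when an `hdfs dfs` call fails, so a failed `-mkdir` or `-chown` (for example when the caller is not the HDFS superuser) is followed by the remaining commands, and the run still exits 0 if the last `-chmod` succeeds. For audit folders that means a directory can be left with the wrong owner or mode without the operator noticing; adding `set -e` next to `set -x`, or `|| exit 1` on each call, would make the failure visible. The same applies to the identical command list in create_hdfs_folders_for_audit_secure.sh in this commit. A smaller point: `-chmod` is recursive while `-chown` is not, so on a re-run over existing folders the modes of existing files change but their owner does not.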
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/ed27cecb/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_secure.sh
----------------------------------------------------------------------
diff --git a/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_secure.sh b/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_secure.sh
new file mode 100755
index 0000000..b15beee
--- /dev/null
+++ b/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_secure.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#Usage: Run this script as user hdfs.
+#Creating folders required for Apache Ranger auditing to HDFS.
+#Note 1: Use this script only for non-secure/kerberos environment
+#
+
+set -x
+hdfs dfs -mkdir -p /ranger/audit
+hdfs dfs -chown hdfs:hdfs /ranger/audit
+hdfs dfs -chmod 755 /ranger
+hdfs dfs -chmod 755 /ranger/audit
+
+
+hdfs dfs -mkdir -p /ranger/audit/hbaseMaster
+hdfs dfs -chown hbase:hbase /ranger/audit/hbaseMaster
+hdfs dfs -chmod -R 0700 /ranger/audit/hbaseMaster
+
+hdfs dfs -mkdir -p /ranger/audit/hbaseRegional
+hdfs dfs -chown hbase:hbase /ranger/audit/hbaseRegional
+hdfs dfs -chmod -R 0700 /ranger/audit/hbaseRegional
+
+hdfs dfs -mkdir -p /ranger/audit/hdfs
+hdfs dfs -chown hdfs:hdfs /ranger/audit/hdfs
+hdfs dfs -chmod -R 0700 /ranger/audit/hdfs
+
+hdfs dfs -mkdir -p /ranger/audit/hiveServer2
+hdfs dfs -chown hive:hive /ranger/audit/hiveServer2
+hdfs dfs -chmod -R 0700 /ranger/audit/hiveServer2
+
+hdfs dfs -mkdir -p /ranger/audit/kafka
+hdfs dfs -chown kafka:kafka /ranger/audit/kafka
+hdfs dfs -chmod -R 0700 /ranger/audit/kafka
+
+hdfs dfs -mkdir -p /ranger/audit/kms
+hdfs dfs -chown HTTP:HTTP /ranger/audit/kms
+hdfs dfs -chmod -R 0700 /ranger/audit/kms
+
+hdfs dfs -mkdir -p /ranger/audit/knox
+hdfs dfs -chown knox:knox /ranger/audit/knox
+hdfs dfs -chmod -R 0700 /ranger/audit/knox
+
+hdfs dfs -mkdir -p /ranger/audit/solr
+hdfs dfs -chown solr:solr /ranger/audit/solr
+hdfs dfs -chmod -R 0700 /ranger/audit/solr
+
+hdfs dfs -mkdir -p /ranger/audit/storm
+hdfs dfs -chown storm:storm /ranger/audit/storm
+hdfs dfs -chmod -R 0700 /ranger/audit/storm
+
+hdfs dfs -mkdir -p /ranger/audit/yarn
+hdfs dfs -chown yarn:yarn /ranger/audit/yarn
+hdfs dfs -chmod -R 0700 /ranger/audit/yarn
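Review bot: The header comment `#Note 1: Use this script only for non-secure/kerberos environment` appears to be carried over unchanged from the non-secure script, so the secure variant tells the operator to use it in the wrong environment. The only visible difference between the two files is the owner of /ranger/audit/kms (`HTTP:HTTP` here, `kms:kms` there), and the header should say so, e.g. `#Note 1: Use this script only for secure (kerberos) environments; the kms audit folder is owned by HTTP`. The follow-up commit 9cb055fc rewords this note in the same file but still says "non-kerberos", so the correction is needed there as well. Since the folder is mode 0700, running the wrong variant would leave it owned by an account other than the one expected to write the KMS audit logs.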
[2/2] incubator-ranger git commit: RANGER-173: Applied review
feedback to use variables for user/group
Posted by bo...@apache.org.
RANGER-173: Applied review feedback to use variables for user/group
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/9cb055fc
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/9cb055fc
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/9cb055fc
Branch: refs/heads/master
Commit: 9cb055fc1a2f568f5b5fa9ab8ca0db43c56cf096
Parents: ed27cec
Author: Don Bosco Durai <bo...@apache.org>
Authored: Mon Oct 5 21:44:03 2015 -0700
Committer: Don Bosco Durai <bo...@apache.org>
Committed: Mon Oct 5 23:07:59 2015 -0700
----------------------------------------------------------------------
.../create_hdfs_folders_for_audit_non_secure.sh | 42 ++++++++++++-------
.../create_hdfs_folders_for_audit_secure.sh | 44 +++++++++++++-------
2 files changed, 55 insertions(+), 31 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9cb055fc/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_non_secure.sh
----------------------------------------------------------------------
diff --git a/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_non_secure.sh b/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_non_secure.sh
index eec3a08..ade46a7 100755
--- a/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_non_secure.sh
+++ b/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_non_secure.sh
@@ -14,53 +14,65 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-#Usage: Run this script as user hdfs.
-#Creating folders required for Apache Ranger auditing to HDFS.
-#Note 1: Use this script only for non-secure/kerberos environment
-#
+#Usage: Run this script as user hdfs or the HDFS admin user.
+#This script creates the folders in HDFS required by Apache Ranger for writing Audit records
+#Note 1: Use this script only for non-kerberos environment. In non-kerberos environment, Ranger KMS writes the audit logs as user "kms"
+#Note 2: Please update the below variables according to your environment
+
+HBASE_USER_GROUP=hbase:hbase
+HDFS_USER_GROUP=hdfs:hdfs
+HIVE_USER_GROUP=hive:hive
+KAFKA_USER_GROUP=kafka:kafka
+KMS_USER_GROUP=kms:kms
+KNOX_USER_GROUP=knox:knox
+SOLR_USER_GROUP=solr:solr
+STORM_USER_GROUP=storm:storm
+YARN_USER_GROUP=yarn:yarn
set -x
+#Create parent folder with rx permission
hdfs dfs -mkdir -p /ranger/audit
-hdfs dfs -chown hdfs:hdfs /ranger/audit
+hdfs dfs -chown $HDFS_USER_GROUP /ranger/audit
hdfs dfs -chmod 755 /ranger
hdfs dfs -chmod 755 /ranger/audit
hdfs dfs -mkdir -p /ranger/audit/hbaseMaster
-hdfs dfs -chown hbase:hbase /ranger/audit/hbaseMaster
+hdfs dfs -chown $HBASE_USER_GROUP /ranger/audit/hbaseMaster
hdfs dfs -chmod -R 0700 /ranger/audit/hbaseMaster
hdfs dfs -mkdir -p /ranger/audit/hbaseRegional
-hdfs dfs -chown hbase:hbase /ranger/audit/hbaseRegional
+hdfs dfs -chown $HBASE_USER_GROUP /ranger/audit/hbaseRegional
hdfs dfs -chmod -R 0700 /ranger/audit/hbaseRegional
hdfs dfs -mkdir -p /ranger/audit/hdfs
-hdfs dfs -chown hdfs:hdfs /ranger/audit/hdfs
+hdfs dfs -chown $HDFS_USER_GROUP /ranger/audit/hdfs
hdfs dfs -chmod -R 0700 /ranger/audit/hdfs
hdfs dfs -mkdir -p /ranger/audit/hiveServer2
-hdfs dfs -chown hive:hive /ranger/audit/hiveServer2
+hdfs dfs -chown $HIVE_USER_GROUP /ranger/audit/hiveServer2
hdfs dfs -chmod -R 0700 /ranger/audit/hiveServer2
hdfs dfs -mkdir -p /ranger/audit/kafka
-hdfs dfs -chown kafka:kafka /ranger/audit/kafka
+hdfs dfs -chown $KAFKA_USER_GROUP /ranger/audit/kafka
hdfs dfs -chmod -R 0700 /ranger/audit/kafka
hdfs dfs -mkdir -p /ranger/audit/kms
-hdfs dfs -chown kms:kms /ranger/audit/kms
+hdfs dfs -chown $KMS_USER_GROUP /ranger/audit/kms
hdfs dfs -chmod -R 0700 /ranger/audit/kms
hdfs dfs -mkdir -p /ranger/audit/knox
-hdfs dfs -chown knox:knox /ranger/audit/knox
+hdfs dfs -chown $KNOX_USER_GROUP /ranger/audit/knox
hdfs dfs -chmod -R 0700 /ranger/audit/knox
hdfs dfs -mkdir -p /ranger/audit/solr
-hdfs dfs -chown solr:solr /ranger/audit/solr
+hdfs dfs -chown $SOLR_USER_GROUP /ranger/audit/solr
hdfs dfs -chmod -R 0700 /ranger/audit/solr
hdfs dfs -mkdir -p /ranger/audit/storm
-hdfs dfs -chown storm:storm /ranger/audit/storm
+hdfs dfs -chown $STORM_USER_GROUP /ranger/audit/storm
hdfs dfs -chmod -R 0700 /ranger/audit/storm
hdfs dfs -mkdir -p /ranger/audit/yarn
-hdfs dfs -chown yarn:yarn /ranger/audit/yarn
+hdfs dfs -chown $YARN_USER_GROUP /ranger/audit/yarn
hdfs dfs -chmod -R 0700 /ranger/audit/yarn
+
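Review bot: The new `*_USER_GROUP` values are expanded unquoted in every `-chown` line and can only be changed by editing the script. Quoting the expansion, `hdfs dfs -chown "$HDFS_USER_GROUP" /ranger/audit`, keeps a value containing whitespace or glob characters from being split into extra arguments, and `HDFS_USER_GROUP=${HDFS_USER_GROUP:-hdfs:hdfs}` would let a site override the owner from the environment instead of patching the file. An empty value currently drops the owner argument entirely, leaving `hdfs dfs -chown /ranger/audit`; a guard such as `: "${HDFS_USER_GROUP:?}"` reports the real cause. The same pattern is repeated in the create_hdfs_folders_for_audit_secure.sh hunk of this commit.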
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9cb055fc/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_secure.sh
----------------------------------------------------------------------
diff --git a/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_secure.sh b/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_secure.sh
index b15beee..12a4c93 100755
--- a/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_secure.sh
+++ b/security-admin/contrib/audit_hdfs_folders/create_hdfs_folders_for_audit_secure.sh
@@ -14,54 +14,66 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-#Usage: Run this script as user hdfs.
-#Creating folders required for Apache Ranger auditing to HDFS.
-#Note 1: Use this script only for non-secure/kerberos environment
-#
+#Usage: Run this script as user hdfs or the HDFS admin user.
+#This script creates the folders in HDFS required by Apache Ranger for writing Audit records
+#Note 1: Use this script only for non-kerberos environment. In non-kerberos environment, Ranger KMS writes the audit logs as user "HTTP"
+#Note 2: Please update the below variables according to your environment
+
+HBASE_USER_GROUP=hbase:hbase
+HDFS_USER_GROUP=hdfs:hdfs
+HIVE_USER_GROUP=hive:hive
+KAFKA_USER_GROUP=kafka:kafka
+KMS_USER_GROUP=HTTP:HTTP
+KNOX_USER_GROUP=knox:knox
+SOLR_USER_GROUP=solr:solr
+STORM_USER_GROUP=storm:storm
+YARN_USER_GROUP=yarn:yarn
set -x
+
+#Create parent folder with rx permission
hdfs dfs -mkdir -p /ranger/audit
-hdfs dfs -chown hdfs:hdfs /ranger/audit
+hdfs dfs -chown $HDFS_USER_GROUP /ranger/audit
hdfs dfs -chmod 755 /ranger
hdfs dfs -chmod 755 /ranger/audit
-
hdfs dfs -mkdir -p /ranger/audit/hbaseMaster
-hdfs dfs -chown hbase:hbase /ranger/audit/hbaseMaster
+hdfs dfs -chown $HBASE_USER_GROUP /ranger/audit/hbaseMaster
hdfs dfs -chmod -R 0700 /ranger/audit/hbaseMaster
hdfs dfs -mkdir -p /ranger/audit/hbaseRegional
-hdfs dfs -chown hbase:hbase /ranger/audit/hbaseRegional
+hdfs dfs -chown $HBASE_USER_GROUP /ranger/audit/hbaseRegional
hdfs dfs -chmod -R 0700 /ranger/audit/hbaseRegional
hdfs dfs -mkdir -p /ranger/audit/hdfs
-hdfs dfs -chown hdfs:hdfs /ranger/audit/hdfs
+hdfs dfs -chown $HDFS_USER_GROUP /ranger/audit/hdfs
hdfs dfs -chmod -R 0700 /ranger/audit/hdfs
hdfs dfs -mkdir -p /ranger/audit/hiveServer2
-hdfs dfs -chown hive:hive /ranger/audit/hiveServer2
+hdfs dfs -chown $HIVE_USER_GROUP /ranger/audit/hiveServer2
hdfs dfs -chmod -R 0700 /ranger/audit/hiveServer2
hdfs dfs -mkdir -p /ranger/audit/kafka
-hdfs dfs -chown kafka:kafka /ranger/audit/kafka
+hdfs dfs -chown $KAFKA_USER_GROUP /ranger/audit/kafka
hdfs dfs -chmod -R 0700 /ranger/audit/kafka
hdfs dfs -mkdir -p /ranger/audit/kms
-hdfs dfs -chown HTTP:HTTP /ranger/audit/kms
+hdfs dfs -chown $KMS_USER_GROUP /ranger/audit/kms
hdfs dfs -chmod -R 0700 /ranger/audit/kms
hdfs dfs -mkdir -p /ranger/audit/knox
-hdfs dfs -chown knox:knox /ranger/audit/knox
+hdfs dfs -chown $KNOX_USER_GROUP /ranger/audit/knox
hdfs dfs -chmod -R 0700 /ranger/audit/knox
hdfs dfs -mkdir -p /ranger/audit/solr
-hdfs dfs -chown solr:solr /ranger/audit/solr
+hdfs dfs -chown $SOLR_USER_GROUP /ranger/audit/solr
hdfs dfs -chmod -R 0700 /ranger/audit/solr
hdfs dfs -mkdir -p /ranger/audit/storm
-hdfs dfs -chown storm:storm /ranger/audit/storm
+hdfs dfs -chown $STORM_USER_GROUP /ranger/audit/storm
hdfs dfs -chmod -R 0700 /ranger/audit/storm
hdfs dfs -mkdir -p /ranger/audit/yarn
-hdfs dfs -chown yarn:yarn /ranger/audit/yarn
+hdfs dfs -chown $YARN_USER_GROUP /ranger/audit/yarn
hdfs dfs -chmod -R 0700 /ranger/audit/yarn
+
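Review bot: The usage comment added here says only to run as user hdfs or the HDFS admin user, and nothing in the visible part of the secure script checks for a Kerberos ticket before the first `hdfs dfs` call. On a kerberized cluster the caller presumably needs a valid ticket for the HDFS admin principal, and without one each command fails in turn while the trace from `set -x` scrolls past. A header line such as `#Note 3: Obtain a Kerberos ticket for the HDFS admin principal (kinit) before running` together with an early `klist -s || exit 1` would cover it. The hunk begins at line 14 of the file, so anything above the licence tail is not visible here.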