You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ambari.apache.org by jo...@apache.org on 2017/02/17 21:30:04 UTC
[06/15] ambari git commit: AMBARI-19915 Add Ranger KMS SSL properties
in ambari stack (mugdha)
AMBARI-19915 Add Ranger KMS SSL properties in ambari stack (mugdha)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/b5014253
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/b5014253
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/b5014253
Branch: refs/heads/branch-feature-AMBARI-20053
Commit: b5014253706c85cba77c781672443d94de3e5ef4
Parents: c395f69
Author: Mugdha Varadkar <mu...@apache.org>
Authored: Fri Feb 17 16:13:49 2017 +0530
Committer: Mugdha Varadkar <mu...@apache.org>
Committed: Fri Feb 17 16:26:25 2017 +0530
----------------------------------------------------------------------
.../libraries/functions/constants.py | 1 +
.../0.5.0.2.3/configuration/kms-env.xml | 10 +++
.../RANGER_KMS/0.5.0.2.3/package/scripts/kms.py | 22 ++++++-
.../0.5.0.2.3/package/scripts/params.py | 8 ++-
.../HDP/2.0.6/properties/stack_features.json | 5 ++
.../stacks/HDP/2.3/upgrades/config-upgrade.xml | 7 ++
.../HDP/2.3/upgrades/nonrolling-upgrade-2.6.xml | 4 ++
.../stacks/HDP/2.3/upgrades/upgrade-2.6.xml | 1 +
.../stacks/HDP/2.4/upgrades/config-upgrade.xml | 7 ++
.../HDP/2.4/upgrades/nonrolling-upgrade-2.6.xml | 4 ++
.../stacks/HDP/2.4/upgrades/upgrade-2.6.xml | 1 +
.../stacks/HDP/2.5/upgrades/config-upgrade.xml | 7 ++
.../HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml | 4 ++
.../stacks/HDP/2.5/upgrades/upgrade-2.6.xml | 1 +
.../configuration/ranger-kms-site.xml | 68 +++++++++++++++++++
.../stacks/HDP/2.6/services/stack_advisor.py | 20 +++++-
.../stacks/2.5/RANGER_KMS/test_kms_server.py | 20 ++++++
.../stacks/2.6/common/test_stack_advisor.py | 69 ++++++++++++++++++++
18 files changed, 256 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/b5014253/ambari-common/src/main/python/resource_management/libraries/functions/constants.py
----------------------------------------------------------------------
diff --git a/ambari-common/src/main/python/resource_management/libraries/functions/constants.py b/ambari-common/src/main/python/resource_management/libraries/functions/constants.py
index c31b883..f553ad2 100644
--- a/ambari-common/src/main/python/resource_management/libraries/functions/constants.py
+++ b/ambari-common/src/main/python/resource_management/libraries/functions/constants.py
@@ -117,3 +117,4 @@ class StackFeature:
ATLAS_HDFS_SITE_ON_NAMENODE_HA='atlas_hdfs_site_on_namenode_ha'
HIVE_INTERACTIVE_GA_SUPPORT='hive_interactive_ga'
SECURE_RANGER_SSL_PASSWORD = "secure_ranger_ssl_password"
+ RANGER_KMS_SSL = "ranger_kms_ssl"
http://git-wip-us.apache.org/repos/asf/ambari/blob/b5014253/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/configuration/kms-env.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/configuration/kms-env.xml b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/configuration/kms-env.xml
index 7dea07f..e5c0673 100644
--- a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/configuration/kms-env.xml
+++ b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/configuration/kms-env.xml
@@ -58,6 +58,16 @@
<value>9292</value>
<description/>
<on-ambari-upgrade add="true"/>
+ <depends-on>
+ <property>
+ <type>ranger-kms-site</type>
+ <name>ranger.service.https.port</name>
+ </property>
+ <property>
+ <type>ranger-kms-site</type>
+ <name>ranger.service.https.attrib.ssl.enabled</name>
+ </property>
+ </depends-on>
</property>
<property>
<name>create_db_user</name>
http://git-wip-us.apache.org/repos/asf/ambari/blob/b5014253/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py
index 536ba76..1afe136 100755
--- a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py
+++ b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py
@@ -140,6 +140,16 @@ def kms(upgrade_type=None):
create_parents = True
)
+ Directory("/etc/security/serverKeys",
+ create_parents = True,
+ cd_access = "a"
+ )
+
+ Directory("/etc/ranger/kms",
+ create_parents = True,
+ cd_access = "a"
+ )
+
copy_jdbc_connector()
File(format("/usr/lib/ambari-agent/{check_db_connection_jar_name}"),
@@ -270,6 +280,8 @@ def kms(upgrade_type=None):
do_keystore_setup(params.credential_provider_path, params.masterkey_alias, params.kms_master_key_password)
if params.stack_support_kms_hsm and params.enable_kms_hsm:
do_keystore_setup(params.credential_provider_path, params.hms_partition_alias, unicode(params.hms_partition_passwd))
+ if params.stack_supports_ranger_kms_ssl and params.ranger_kms_ssl_enabled:
+ do_keystore_setup(params.ranger_kms_cred_ssl_path, params.ranger_kms_ssl_keystore_alias, params.ranger_kms_ssl_passwd)
# remove plain-text password from xml configs
dbks_site_copy = {}
@@ -288,9 +300,17 @@ def kms(upgrade_type=None):
mode=0644
)
+ ranger_kms_site_copy = {}
+ ranger_kms_site_copy.update(params.config['configurations']['ranger-kms-site'])
+ if params.stack_supports_ranger_kms_ssl:
+ # remove plain-text password from xml configs
+ for prop in params.ranger_kms_site_password_properties:
+ if prop in ranger_kms_site_copy:
+ ranger_kms_site_copy[prop] = "_"
+
XmlConfig("ranger-kms-site.xml",
conf_dir=params.kms_conf_dir,
- configurations=params.config['configurations']['ranger-kms-site'],
+ configurations=ranger_kms_site_copy,
configuration_attributes=params.config['configuration_attributes']['ranger-kms-site'],
owner=params.kms_user,
group=params.kms_group,
http://git-wip-us.apache.org/repos/asf/ambari/blob/b5014253/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/params.py b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/params.py
index 8473160..dc830d5 100755
--- a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/params.py
+++ b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/params.py
@@ -48,6 +48,7 @@ stack_support_kms_hsm = check_stack_feature(StackFeature.RANGER_KMS_HSM_SUPPORT,
stack_supports_ranger_kerberos = check_stack_feature(StackFeature.RANGER_KERBEROS_SUPPORT, version_for_stack_feature_checks)
stack_supports_pid = check_stack_feature(StackFeature.RANGER_KMS_PID_SUPPORT, version_for_stack_feature_checks)
stack_supports_ranger_audit_db = check_stack_feature(StackFeature.RANGER_AUDIT_DB_SUPPORT, version_for_stack_feature_checks)
+stack_supports_ranger_kms_ssl = check_stack_feature(StackFeature.RANGER_KMS_SSL, version_for_stack_feature_checks)
hadoop_conf_dir = conf_select.get_hadoop_conf_dir()
security_enabled = config['configurations']['cluster-env']['security_enabled']
@@ -279,4 +280,9 @@ if security_enabled:
plugin_audit_password_property = 'xasecure.audit.destination.db.password'
kms_plugin_password_properties = ['xasecure.policymgr.clientssl.keystore.password', 'xasecure.policymgr.clientssl.truststore.password']
-dbks_site_password_properties = ['ranger.db.encrypt.key.password', 'ranger.ks.jpa.jdbc.password', 'ranger.ks.hsm.partition.password']
\ No newline at end of file
+dbks_site_password_properties = ['ranger.db.encrypt.key.password', 'ranger.ks.jpa.jdbc.password', 'ranger.ks.hsm.partition.password']
+ranger_kms_site_password_properties = ['ranger.service.https.attrib.keystore.pass']
+ranger_kms_cred_ssl_path = config['configurations']['ranger-kms-site']['ranger.credential.provider.path']
+ranger_kms_ssl_keystore_alias = config['configurations']['ranger-kms-site']['ranger.service.https.attrib.keystore.credential.alias']
+ranger_kms_ssl_passwd = config['configurations']['ranger-kms-site']['ranger.service.https.attrib.keystore.pass']
+ranger_kms_ssl_enabled = config['configurations']['ranger-kms-site']['ranger.service.https.attrib.ssl.enabled']
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ambari/blob/b5014253/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json b/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json
index 5e173b7..bc2e7a7 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json
+++ b/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json
@@ -387,6 +387,11 @@
"name": "secure_ranger_ssl_password",
"description": "Securing Ranger Admin and Usersync SSL and Trustore related passwords in jceks",
"min_version": "2.6.0.0"
+ },
+ {
+ "name": "ranger_kms_ssl",
+ "description": "Ranger KMS SSL properties in ambari stack",
+ "min_version": "2.6.0.0"
}
]
}
http://git-wip-us.apache.org/repos/asf/ambari/blob/b5014253/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/config-upgrade.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/config-upgrade.xml b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/config-upgrade.xml
index 478f9b4..ba155ab 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/config-upgrade.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/config-upgrade.xml
@@ -338,6 +338,13 @@
<replace key="content" find="log4j.appender.kms-audit=org.apache.log4j.DailyRollingFileAppender" replace-with="log4j.appender.kms-audit=org.apache.log4j.DailyRollingFileAppender
log4j.appender.kms-audit.MaxFileSize = {{ranger_kms_audit_log_maxfilesize}}MB"/>
<replace key="content" find="log4j.appender.kms-audit=org.apache.log4j.DailyRollingFileAppender" replace-with="log4j.appender.kms-audit=org.apache.log4j.DailyRollingFileAppender
log4j.appender.kms-audit.MaxBackupIndex = {{ranger_kms_audit_log_maxbackupindex}}"/>
</definition>
+ <definition xsi:type="configure" id="hdp_2_6_0_0_remove_ranger_kms_duplicate_ssl">
+ <type>ranger-kms-site</type>
+ <transfer operation="delete" delete-key="ranger.https.attrib.keystore.file"
+ if-type="ranger-kms-site" if-key="ranger.service.https.attrib.keystore.file" if-key-state="present"/>
+ <transfer operation="delete" delete-key="ranger.service.https.attrib.clientAuth"
+ if-type="ranger-kms-site" if-key="ranger.service.https.attrib.client.auth" if-key-state="present"/>
+ </definition>
</changes>
</component>
</service>
http://git-wip-us.apache.org/repos/asf/ambari/blob/b5014253/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.6.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.6.xml b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.6.xml
index d5ddeeb..e6a3c94 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.6.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.6.xml
@@ -556,6 +556,10 @@
</task>
</execute-stage>
+ <execute-stage service="RANGER_KMS" component="RANGER_KMS_SERVER" title="Apply config changes for Ranger KMS">
+ <task xsi:type="configure" id="hdp_2_6_0_0_remove_ranger_kms_duplicate_ssl"/>
+ </execute-stage>
+
<!-- KNOX -->
<execute-stage service="KNOX" component="KNOX_GATEWAY" title="Apply config changes for Knox Gateway">
<task xsi:type="configure" id="hdp_2_5_0_0_remove_ranger_knox_audit_db"/>
http://git-wip-us.apache.org/repos/asf/ambari/blob/b5014253/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.6.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.6.xml b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.6.xml
index 88486e6..7d8438f 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.6.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.6.xml
@@ -654,6 +654,7 @@
<pre-upgrade>
<task xsi:type="configure" id="hdp_2_5_0_0_remove_ranger_kms_audit_db" />
<task xsi:type="configure" id="kms_log4j_parameterize" />
+ <task xsi:type="configure" id="hdp_2_6_0_0_remove_ranger_kms_duplicate_ssl" />
<task xsi:type="execute" hosts="any" sequential="true">
<summary>Upgrading Ranger KMS database schema</summary>
<script>scripts/kms_server.py</script>
http://git-wip-us.apache.org/repos/asf/ambari/blob/b5014253/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/config-upgrade.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/config-upgrade.xml b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/config-upgrade.xml
index 18f5fa1..d19bb76 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/config-upgrade.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/config-upgrade.xml
@@ -229,6 +229,13 @@
<replace key="content" find="log4j.appender.kms-audit=org.apache.log4j.DailyRollingFileAppender" replace-with="log4j.appender.kms-audit=org.apache.log4j.DailyRollingFileAppender
log4j.appender.kms-audit.MaxFileSize = {{ranger_kms_audit_log_maxfilesize}}MB"/>
<replace key="content" find="log4j.appender.kms-audit=org.apache.log4j.DailyRollingFileAppender" replace-with="log4j.appender.kms-audit=org.apache.log4j.DailyRollingFileAppender
log4j.appender.kms-audit.MaxBackupIndex = {{ranger_kms_audit_log_maxbackupindex}}"/>
</definition>
+ <definition xsi:type="configure" id="hdp_2_6_0_0_remove_ranger_kms_duplicate_ssl">
+ <type>ranger-kms-site</type>
+ <transfer operation="delete" delete-key="ranger.https.attrib.keystore.file"
+ if-type="ranger-kms-site" if-key="ranger.service.https.attrib.keystore.file" if-key-state="present"/>
+ <transfer operation="delete" delete-key="ranger.service.https.attrib.clientAuth"
+ if-type="ranger-kms-site" if-key="ranger.service.https.attrib.client.auth" if-key-state="present"/>
+ </definition>
</changes>
</component>
</service>
http://git-wip-us.apache.org/repos/asf/ambari/blob/b5014253/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.6.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.6.xml b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.6.xml
index 94b19c6..69a894c 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.6.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.6.xml
@@ -563,6 +563,10 @@
</task>
</execute-stage>
+ <execute-stage service="RANGER_KMS" component="RANGER_KMS_SERVER" title="Apply config changes for Ranger KMS">
+ <task xsi:type="configure" id="hdp_2_6_0_0_remove_ranger_kms_duplicate_ssl"/>
+ </execute-stage>
+
<!--ATLAS-->
<execute-stage service="ATLAS" component="ATLAS_SERVER" title="Parameterizing Atlas Log4J Properties">
<task xsi:type="configure" id="atlas_log4j_parameterize">
http://git-wip-us.apache.org/repos/asf/ambari/blob/b5014253/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.6.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.6.xml b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.6.xml
index 626bc63..0c9a8ea 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.6.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.6.xml
@@ -643,6 +643,7 @@
<pre-upgrade>
<task xsi:type="configure" id="hdp_2_5_0_0_remove_ranger_kms_audit_db" />
<task xsi:type="configure" id="kms_log4j_parameterize" />
+ <task xsi:type="configure" id="hdp_2_6_0_0_remove_ranger_kms_duplicate_ssl" />
<task xsi:type="execute" hosts="any" sequential="true">
<summary>Upgrading Ranger KMS database schema</summary>
<script>scripts/kms_server.py</script>
http://git-wip-us.apache.org/repos/asf/ambari/blob/b5014253/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/config-upgrade.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/config-upgrade.xml b/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/config-upgrade.xml
index 15837df..7236186 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/config-upgrade.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/config-upgrade.xml
@@ -270,6 +270,13 @@
<replace key="content" find="log4j.appender.kms-audit=org.apache.log4j.DailyRollingFileAppender" replace-with="log4j.appender.kms-audit=org.apache.log4j.DailyRollingFileAppender
log4j.appender.kms-audit.MaxFileSize = {{ranger_kms_audit_log_maxfilesize}}MB"/>
<replace key="content" find="log4j.appender.kms-audit=org.apache.log4j.DailyRollingFileAppender" replace-with="log4j.appender.kms-audit=org.apache.log4j.DailyRollingFileAppender
log4j.appender.kms-audit.MaxBackupIndex = {{ranger_kms_audit_log_maxbackupindex}}"/>
</definition>
+ <definition xsi:type="configure" id="hdp_2_6_0_0_remove_ranger_kms_duplicate_ssl">
+ <type>ranger-kms-site</type>
+ <transfer operation="delete" delete-key="ranger.https.attrib.keystore.file"
+ if-type="ranger-kms-site" if-key="ranger.service.https.attrib.keystore.file" if-key-state="present"/>
+ <transfer operation="delete" delete-key="ranger.service.https.attrib.clientAuth"
+ if-type="ranger-kms-site" if-key="ranger.service.https.attrib.client.auth" if-key-state="present"/>
+ </definition>
</changes>
</component>
</service>
http://git-wip-us.apache.org/repos/asf/ambari/blob/b5014253/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml b/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml
index 62991e6..4fb68ed 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/nonrolling-upgrade-2.6.xml
@@ -402,6 +402,10 @@
</task>
</execute-stage>
+ <execute-stage service="RANGER_KMS" component="RANGER_KMS_SERVER" title="Apply config changes for Ranger KMS">
+ <task xsi:type="configure" id="hdp_2_6_0_0_remove_ranger_kms_duplicate_ssl"/>
+ </execute-stage>
+
<!--ATLAS-->
<execute-stage service="ATLAS" component="ATLAS_SERVER" title="Parameterizing Atlas Log4J Properties">
<task xsi:type="configure" id="atlas_log4j_parameterize">
http://git-wip-us.apache.org/repos/asf/ambari/blob/b5014253/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml b/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml
index 818a6c0..0a02734 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.5/upgrades/upgrade-2.6.xml
@@ -553,6 +553,7 @@
<component name="RANGER_KMS_SERVER">
<pre-upgrade>
<task xsi:type="configure" id="kms_log4j_parameterize" />
+ <task xsi:type="configure" id="hdp_2_6_0_0_remove_ranger_kms_duplicate_ssl" />
<task xsi:type="execute" hosts="any" sequential="true">
<summary>Upgrading Ranger KMS database schema</summary>
<script>scripts/kms_server.py</script>
http://git-wip-us.apache.org/repos/asf/ambari/blob/b5014253/ambari-server/src/main/resources/stacks/HDP/2.6/services/RANGER_KMS/configuration/ranger-kms-site.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.6/services/RANGER_KMS/configuration/ranger-kms-site.xml b/ambari-server/src/main/resources/stacks/HDP/2.6/services/RANGER_KMS/configuration/ranger-kms-site.xml
new file mode 100644
index 0000000..cd63e6e
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/HDP/2.6/services/RANGER_KMS/configuration/ranger-kms-site.xml
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration>
+ <property>
+ <name>ranger.service.https.attrib.keystore.file</name>
+ <value>/etc/security/serverKeys/ranger-kms-keystore.jks</value>
+ <on-ambari-upgrade add="false"/>
+ <description/>
+ </property>
+ <property>
+ <name>ranger.service.https.attrib.client.auth</name>
+ <value>want</value>
+ <on-ambari-upgrade add="false"/>
+ <description/>
+ </property>
+ <property>
+ <name>ranger.service.https.attrib.keystore.keyalias</name>
+ <value>rangerkms</value>
+ <on-ambari-upgrade add="false"/>
+ <description/>
+ </property>
+ <property>
+ <name>ranger.service.https.attrib.keystore.pass</name>
+ <value>rangerkms</value>
+ <property-type>PASSWORD</property-type>
+ <value-attributes>
+ <type>password</type>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ <description/>
+ </property>
+ <property>
+ <name>ranger.credential.provider.path</name>
+ <value>/etc/ranger/kms/rangerkms.jceks</value>
+ <on-ambari-upgrade add="false"/>
+ <description/>
+ </property>
+ <property>
+ <name>ranger.service.https.attrib.keystore.credential.alias</name>
+ <value>keyStoreCredentialAlias</value>
+ <on-ambari-upgrade add="false"/>
+ <description/>
+ </property>
+ <property>
+ <name>ajp.enabled</name>
+ <value>false</value>
+ <on-ambari-upgrade add="false"/>
+ <description/>
+ </property>
+</configuration>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ambari/blob/b5014253/ambari-server/src/main/resources/stacks/HDP/2.6/services/stack_advisor.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.6/services/stack_advisor.py b/ambari-server/src/main/resources/stacks/HDP/2.6/services/stack_advisor.py
index 969c3dd..d8413b6 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.6/services/stack_advisor.py
+++ b/ambari-server/src/main/resources/stacks/HDP/2.6/services/stack_advisor.py
@@ -33,7 +33,8 @@ class HDP26StackAdvisor(HDP25StackAdvisor):
"DRUID": self.recommendDruidConfigurations,
"ATLAS": self.recommendAtlasConfigurations,
"TEZ": self.recommendTezConfigurations,
- "RANGER": self.recommendRangerConfigurations
+ "RANGER": self.recommendRangerConfigurations,
+ "RANGER_KMS": self.recommendRangerKMSConfigurations
}
parentRecommendConfDict.update(childRecommendConfDict)
return parentRecommendConfDict
@@ -301,3 +302,20 @@ class HDP26StackAdvisor(HDP25StackAdvisor):
"Need to set ranger.usersync.group.searchenabled as true, as ranger.usersync.ldap.deltasync is enabled")})
return self.toConfigurationValidationProblems(validationItems, "ranger-ugsync-site")
+
+ def recommendRangerKMSConfigurations(self, configurations, clusterData, services, hosts):
+ super(HDP26StackAdvisor, self).recommendRangerKMSConfigurations(configurations, clusterData, services, hosts)
+ putRangerKmsEnvProperty = self.putProperty(configurations, "kms-env", services)
+
+ ranger_kms_ssl_enabled = False
+ ranger_kms_ssl_port = "9393"
+ if 'ranger-kms-site' in services['configurations'] and 'ranger.service.https.attrib.ssl.enabled' in services['configurations']['ranger-kms-site']['properties']:
+ ranger_kms_ssl_enabled = services['configurations']['ranger-kms-site']['properties']['ranger.service.https.attrib.ssl.enabled'].lower() == "true"
+
+ if 'ranger-kms-site' in services['configurations'] and 'ranger.service.https.port' in services['configurations']['ranger-kms-site']['properties']:
+ ranger_kms_ssl_port = services['configurations']['ranger-kms-site']['properties']['ranger.service.https.port']
+
+ if ranger_kms_ssl_enabled:
+ putRangerKmsEnvProperty("kms_port", ranger_kms_ssl_port)
+ else:
+ putRangerKmsEnvProperty("kms_port", "9292")
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ambari/blob/b5014253/ambari-server/src/test/python/stacks/2.5/RANGER_KMS/test_kms_server.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.5/RANGER_KMS/test_kms_server.py b/ambari-server/src/test/python/stacks/2.5/RANGER_KMS/test_kms_server.py
index c2fc270..6f41b6d 100644
--- a/ambari-server/src/test/python/stacks/2.5/RANGER_KMS/test_kms_server.py
+++ b/ambari-server/src/test/python/stacks/2.5/RANGER_KMS/test_kms_server.py
@@ -208,6 +208,16 @@ class TestRangerKMS(RMFTestCase):
create_parents = True
)
+ self.assertResourceCalled('Directory', '/etc/security/serverKeys',
+ create_parents = True,
+ cd_access = "a",
+ )
+
+ self.assertResourceCalled('Directory', '/etc/ranger/kms',
+ create_parents = True,
+ cd_access = "a",
+ )
+
self.assertResourceCalled('File', '/usr/hdp/current/ranger-kms/ews/webapp/lib/mysql-connector-java-old.jar',
action = ['delete'],
)
@@ -559,6 +569,16 @@ class TestRangerKMS(RMFTestCase):
create_parents = True
)
+ self.assertResourceCalled('Directory', '/etc/security/serverKeys',
+ create_parents = True,
+ cd_access = "a",
+ )
+
+ self.assertResourceCalled('Directory', '/etc/ranger/kms',
+ create_parents = True,
+ cd_access = "a",
+ )
+
self.assertResourceCalled('File', '/usr/hdp/current/ranger-kms/ews/webapp/lib/mysql-connector-java-old.jar',
action = ['delete'],
)
http://git-wip-us.apache.org/repos/asf/ambari/blob/b5014253/ambari-server/src/test/python/stacks/2.6/common/test_stack_advisor.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.6/common/test_stack_advisor.py b/ambari-server/src/test/python/stacks/2.6/common/test_stack_advisor.py
index b7f8cbb..c15eaf1 100644
--- a/ambari-server/src/test/python/stacks/2.6/common/test_stack_advisor.py
+++ b/ambari-server/src/test/python/stacks/2.6/common/test_stack_advisor.py
@@ -780,6 +780,75 @@ class TestHDP26StackAdvisor(TestCase):
self.stackAdvisor.recommendRangerConfigurations(recommendedConfigurations, clusterData, services, None)
self.assertEquals(recommendedConfigurations, expected)
+ def test_recommendRangerKMSConfigurations(self):
+ clusterData = {}
+ services = {
+ "ambari-server-properties": {
+ "ambari-server.user": "root"
+ },
+ "Versions": {
+ "stack_version" : "2.6",
+ },
+ "services": [
+ {
+ "StackServices": {
+ "service_name": "RANGER_KMS",
+ "service_version": "0.7.0.2.6"
+ },
+ "components": [
+ {
+ "StackServiceComponents": {
+ "component_name": "RANGER_KMS_SERVER",
+ "hostnames": ["host1"]
+ }
+ }
+ ]
+ }
+ ],
+ "configurations": {
+ 'ranger-kms-site': {
+ 'properties': {
+ "ranger.service.https.attrib.ssl.enabled": "true",
+ "ranger.service.https.port": "9393"
+ }
+ }
+ }
+ }
+
+ expected = {
+ 'kms-site': {
+ 'properties': {},
+ 'property_attributes': {
+ 'hadoop.kms.proxyuser.HTTP.users': {'delete': 'true'},
+ 'hadoop.kms.proxyuser.root.hosts': {'delete': 'true'},
+ 'hadoop.kms.proxyuser.root.users': {'delete': 'true'},
+ 'hadoop.kms.proxyuser.HTTP.hosts': {'delete': 'true'}
+ }
+ },
+ 'core-site': {
+ 'properties': {}
+ },
+ 'kms-properties': {
+ 'properties': {}
+ },
+ 'ranger-kms-audit': {
+ 'properties': {}
+ },
+ 'kms-env': {
+ 'properties': {
+ 'kms_port': '9393'
+ }
+ },
+ 'dbks-site': {
+ 'properties': {}
+ }
+ }
+
+ recommendedConfigurations = {}
+
+ self.stackAdvisor.recommendRangerKMSConfigurations(recommendedConfigurations, clusterData, services, None)
+ self.assertEquals(recommendedConfigurations, expected)
+
def load_json(self, filename):
file = os.path.join(self.testDirectory, filename)
with open(file, 'rb') as f: