Posted to commits@ranger.apache.org by ma...@apache.org on 2021/12/30 11:22:18 UTC
[ranger] 01/03: RANGER-3488:Docker setup for Apache Ranger Knox plugin
This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch ranger-2.3
in repository https://gitbox.apache.org/repos/asf/ranger.git
commit 35c8bc3923ad9961d9d5809f1269b586368b2330
Author: Ramesh Mani <rm...@apache.org>
AuthorDate: Sun Oct 24 21:25:23 2021 -0700
RANGER-3488:Docker setup for Apache Ranger Knox plugin
Signed-off-by: Ramesh Mani <rm...@apache.org>
(cherry picked from commit 5acc0a34e8f0c458e3d73b8a0f29aef050307ef6)
---
agents-installer/pom.xml | 10 ++
dev-support/ranger-docker/.dockerignore | 1 +
dev-support/ranger-docker/.env | 1 +
dev-support/ranger-docker/Dockerfile.ranger | 1 +
dev-support/ranger-docker/Dockerfile.ranger-base | 2 +
dev-support/ranger-docker/Dockerfile.ranger-knox | 49 ++++++
dev-support/ranger-docker/README.md | 6 +-
.../ranger-docker/docker-compose.ranger-knox.yml | 29 ++++
dev-support/ranger-docker/download-archives.sh | 1 +
.../ranger-docker/scripts/ranger-hadoop-mkdir.sh | 2 +
.../ranger-docker/scripts/ranger-hadoop-setup.sh | 4 +
.../ranger-docker/scripts/ranger-knox-expect.sh | 29 ++++
.../scripts/ranger-knox-plugin-install.properties | 76 +++++++++
.../ranger-docker/scripts/ranger-knox-sandbox.xml | 175 +++++++++++++++++++++
.../scripts/ranger-knox-service-dev_knox.py | 8 +
.../ranger-docker/scripts/ranger-knox-setup.sh | 32 ++++
dev-support/ranger-docker/scripts/ranger-knox.sh | 41 +++++
dev-support/ranger-docker/scripts/ranger.sh | 1 +
distro/src/main/assembly/knox-agent.xml | 3 +
knox-agent/pom.xml | 6 +
20 files changed, 474 insertions(+), 3 deletions(-)
diff --git a/agents-installer/pom.xml b/agents-installer/pom.xml
index 76c2961..eda7f70 100644
--- a/agents-installer/pom.xml
+++ b/agents-installer/pom.xml
@@ -33,5 +33,15 @@
<artifactId>commons-cli</artifactId>
<version>${commons.cli.version}</version>
</dependency>
+ <dependency>
+ <groupId>org.apache.commons</groupId>
+ <artifactId>commons-compress</artifactId>
+ <version>${commons.compress.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>commons-cli</groupId>
+ <artifactId>commons-cli</artifactId>
+ <version>${commons.cli.version}</version>
+ </dependency>
</dependencies>
</project>
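Review bot: The second added `<dependency>` declares `commons-cli` with `${commons.cli.version}` again, directly after context lines that already close a `commons-cli` entry using the same version property, so the POM appears to list the artifact twice (the existing entry's `groupId` is outside the hunk, so confirm). Maven reports duplicate declarations as a model warning, and a later edit to one copy can silently diverge from the other; keeping only the new `commons-compress` block avoids that. The `jersey-client` block added in knox-agent/pom.xml follows an existing `jersey-client` entry in the same way and deserves the same check.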
diff --git a/dev-support/ranger-docker/.dockerignore b/dev-support/ranger-docker/.dockerignore
index e42d865..ff26d47 100644
--- a/dev-support/ranger-docker/.dockerignore
+++ b/dev-support/ranger-docker/.dockerignore
@@ -7,5 +7,6 @@
!dist/ranger-*-hive-plugin.tar.gz
!dist/ranger-*-hbase-plugin.tar.gz
!dist/ranger-*-kafka-plugin.tar.gz
+!dist/ranger-*-knox-plugin.tar.gz
!downloads/*
!scripts/*
diff --git a/dev-support/ranger-docker/.env b/dev-support/ranger-docker/.env
index 100ed71..7381fb2 100644
--- a/dev-support/ranger-docker/.env
+++ b/dev-support/ranger-docker/.env
@@ -11,3 +11,4 @@ HBASE_VERSION=2.2.6
HIVE_VERSION=3.1.2
HIVE_HADOOP_VERSION=3.1.1
KAFKA_VERSION=2.5.0
+KNOX_VERSION=1.4.0
diff --git a/dev-support/ranger-docker/Dockerfile.ranger b/dev-support/ranger-docker/Dockerfile.ranger
index 8940014..ad895dc 100644
--- a/dev-support/ranger-docker/Dockerfile.ranger
+++ b/dev-support/ranger-docker/Dockerfile.ranger
@@ -29,6 +29,7 @@ COPY ./scripts/ranger-yarn-service-dev_yarn.py ${RANGER_SCRIPTS}/
COPY ./scripts/ranger-hive-service-dev_hive.py ${RANGER_SCRIPTS}/
COPY ./scripts/ranger-hbase-service-dev_hbase.py ${RANGER_SCRIPTS}/
COPY ./scripts/ranger-kafka-service-dev_kafka.py ${RANGER_SCRIPTS}/
+COPY ./scripts/ranger-knox-service-dev_knox.py ${RANGER_SCRIPTS}/
RUN tar xvfz /home/ranger/dist/ranger-${RANGER_VERSION}-admin.tar.gz --directory=${RANGER_HOME} && \
ln -s ${RANGER_HOME}/ranger-${RANGER_VERSION}-admin ${RANGER_HOME}/admin && \
diff --git a/dev-support/ranger-docker/Dockerfile.ranger-base b/dev-support/ranger-docker/Dockerfile.ranger-base
index 3fa657b..688eed4 100644
--- a/dev-support/ranger-docker/Dockerfile.ranger-base
+++ b/dev-support/ranger-docker/Dockerfile.ranger-base
@@ -45,6 +45,8 @@ RUN groupadd ranger && \
useradd -g hadoop -ms /bin/bash hive && \
useradd -g hadoop -ms /bin/bash hbase && \
useradd -g hadoop -ms /bin/bash kafka && \
+ groupadd knox && \
+ useradd -g knox -ms /bin/bash knox && \
mkdir -p /home/ranger/dist && \
mkdir -p /home/ranger/scripts && \
chown -R ranger:ranger /home/ranger && \
diff --git a/dev-support/ranger-docker/Dockerfile.ranger-knox b/dev-support/ranger-docker/Dockerfile.ranger-knox
new file mode 100644
index 0000000..bc78af9
--- /dev/null
+++ b/dev-support/ranger-docker/Dockerfile.ranger-knox
@@ -0,0 +1,49 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM ranger-base:latest
+
+ARG KNOX_VERSION
+ARG RANGER_VERSION
+
+
+COPY ./dist/version /home/ranger/dist/
+COPY ./dist/ranger-${RANGER_VERSION}-knox-plugin.tar.gz /home/ranger/dist/
+COPY ./downloads/knox-${KNOX_VERSION}.tar.gz /home/ranger/dist/
+
+COPY ./scripts/ranger-knox-setup.sh /home/ranger/scripts/
+COPY ./scripts/ranger-knox.sh /home/ranger/scripts/
+COPY ./scripts/ranger-knox-plugin-install.properties /home/ranger/scripts/
+COPY ./scripts/ranger-knox-expect.sh /home/ranger/scripts/
+COPY ./scripts/ranger-knox-sandbox.xml /home/ranger/scripts/
+
+RUN apt-get update && apt-get install -y expect && \
+ tar xvfz /home/ranger/dist/knox-${KNOX_VERSION}.tar.gz --directory=/opt/ && \
+ ln -s /opt/knox-${KNOX_VERSION} /opt/knox && \
+ rm -f /home/ranger/dist/knox-${KNOX_VERSION}.tar.gz && \
+ tar xvfz /home/ranger/dist/ranger-${RANGER_VERSION}-knox-plugin.tar.gz --directory=/opt/ranger && \
+ ln -s /opt/ranger/ranger-${RANGER_VERSION}-knox-plugin /opt/ranger/ranger-knox-plugin && \
+ rm -f /home/ranger/dist/ranger-${RANGER_VERSION}-knox-plugin.tar.gz && \
+ cp -f /home/ranger/scripts/ranger-knox-plugin-install.properties /opt/ranger/ranger-knox-plugin/install.properties && \
+ cp -f /home/ranger/scripts/ranger-knox-sandbox.xml /opt/knox/conf/topologies/sandbox.xml
+
+ENV KNOX_HOME /opt/knox
+ENV PATH /usr/java/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/knox/bin
+
+RUN chmod a+rwx /home/ranger/scripts/ranger-knox-expect.sh
+RUN /home/ranger/scripts/ranger-knox-expect.sh
+
+ENTRYPOINT [ "/home/ranger/scripts/ranger-knox.sh" ]
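Review bot: `RUN chmod a+rwx /home/ranger/scripts/ranger-knox-expect.sh` leaves a script that the next `RUN` executes (presumably as root, since no `USER` is set in this file) writable by every user in the image; `RUN chmod 0755 /home/ranger/scripts/ranger-knox-expect.sh` is enough to run it. That second `RUN` also creates the Knox master secret at build time, so the secret is stored in an image layer and shared by every container started from the image; creating it on first start from the entrypoint would avoid that. The `apt-get install -y expect` step could add `--no-install-recommends` and remove `/var/lib/apt/lists/*` in the same layer.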
diff --git a/dev-support/ranger-docker/README.md b/dev-support/ranger-docker/README.md
index 6fb9659..77ae0ac 100644
--- a/dev-support/ranger-docker/README.md
+++ b/dev-support/ranger-docker/README.md
@@ -30,7 +30,7 @@ Docker files in this folder create docker images and run them to build Apache Ra
3. Update environment variables in .env file, if necessary
-4. Execute following command to download necessary archives to setup Ranger/HDFS/Hive/HBase/Kafka services:
+4. Execute following command to download necessary archives to setup Ranger/HDFS/Hive/HBase/Kafka/Knox services:
./download-archives.sh
5. Build and deploy Apache Ranger in containers using docker-compose
@@ -41,8 +41,8 @@ Docker files in this folder create docker images and run them to build Apache Ra
Time taken to complete the build might vary (upto an hour), depending on status of ${HOME}/.m2 directory cache.
- 5.2. Execute following command to start Ranger, Ranger enabled HDFS/YARN/HBase/Kafka and dependent services (Solr, DB) in containers:
+ 5.2. Execute following command to start Ranger, Ranger enabled HDFS/YARN/HBase/Hive/Kafka/Knox and dependent services (Solr, DB) in containers:
- docker-compose -f docker-compose.ranger-base.yml -f docker-compose.ranger.yml -f docker-compose.ranger-hadoop.yml -f docker-compose.ranger-hbase.yml -f docker-compose.ranger-kafka.yml -f docker-compose.ranger-hive.yml up -d
+ docker-compose -f docker-compose.ranger-base.yml -f docker-compose.ranger.yml -f docker-compose.ranger-hadoop.yml -f docker-compose.ranger-hbase.yml -f docker-compose.ranger-kafka.yml -f docker-compose.ranger-hive.yml -f docker-compose.ranger-knox.yml up -d
6. Ranger Admin can be accessed at http://localhost:6080 (admin/rangerR0cks!)
diff --git a/dev-support/ranger-docker/docker-compose.ranger-knox.yml b/dev-support/ranger-docker/docker-compose.ranger-knox.yml
new file mode 100644
index 0000000..5e84617
--- /dev/null
+++ b/dev-support/ranger-docker/docker-compose.ranger-knox.yml
@@ -0,0 +1,29 @@
+version: '3'
+services:
+ ranger-knox:
+ build:
+ context: .
+ dockerfile: Dockerfile.ranger-knox
+ args:
+ - KNOX_VERSION=${KNOX_VERSION}
+ - RANGER_VERSION=${RANGER_VERSION}
+ image: ranger-knox
+ container_name: ranger-knox
+ hostname: ranger-knox.example.com
+ stdin_open: true
+ tty: true
+ networks:
+ - ranger
+ ports:
+ - "8443:8443"
+ depends_on:
+ ranger:
+ condition: service_started
+ ranger-zk:
+ condition: service_started
+ environment:
+ - KNOX_VERSION
+ - RANGER_VERSION
+
+networks:
+ ranger:
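Review bot: `- "8443:8443"` publishes the Knox gateway on every host interface, while the image behind it is built with a fixed master secret and the demo LDAP realm from the sandbox topology. For a developer setup, binding to loopback keeps the gateway off the local network: `- "127.0.0.1:8443:8443"`. A short comment at the top of the file stating that it is meant for local development only would also help readers who copy it.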
diff --git a/dev-support/ranger-docker/download-archives.sh b/dev-support/ranger-docker/download-archives.sh
index e107be0..e37cc0e 100755
--- a/dev-support/ranger-docker/download-archives.sh
+++ b/dev-support/ranger-docker/download-archives.sh
@@ -49,4 +49,5 @@ downloadIfNotPresent kafka_2.12-${KAFKA_VERSION}.tgz https://archive.apac
downloadIfNotPresent apache-hive-${HIVE_VERSION}-bin.tar.gz https://archive.apache.org/dist/hive/hive-${HIVE_VERSION}
downloadIfNotPresent hadoop-${HIVE_HADOOP_VERSION}.tar.gz https://archive.apache.org/dist/hadoop/common/hadoop-${HIVE_HADOOP_VERSION}
downloadIfNotPresent postgresql-42.2.16.jre7.jar https://search.maven.org/remotecontent?filepath=org/postgresql/postgresql/42.2.16.jre7
+downloadIfNotPresent knox-${KNOX_VERSION}.tar.gz https://archive.apache.org/dist/knox/${KNOX_VERSION}
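Review bot: The added `downloadIfNotPresent knox-${KNOX_VERSION}.tar.gz ...` line fetches an archive that Dockerfile.ranger-knox later unpacks into `/opt`, and nothing visible in this hunk checks its integrity. `downloadIfNotPresent` is defined outside the hunk; if it does not already verify downloads, it should compare each tarball against the checksum or `.asc` signature published alongside the release before accepting the file. Because an existing file in `downloads/` is reused, the check should run on cached copies too.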
diff --git a/dev-support/ranger-docker/scripts/ranger-hadoop-mkdir.sh b/dev-support/ranger-docker/scripts/ranger-hadoop-mkdir.sh
index de16245..09bbc49 100755
--- a/dev-support/ranger-docker/scripts/ranger-hadoop-mkdir.sh
+++ b/dev-support/ranger-docker/scripts/ranger-hadoop-mkdir.sh
@@ -23,6 +23,7 @@ ${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /ranger/audit/hbaseMaster
${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /ranger/audit/hbaseRegional
${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /ranger/audit/kafka
${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /ranger/audit/hiveServer2
+${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /ranger/audit/knox
${HADOOP_HOME}/bin/hdfs dfs -chown hdfs:hadoop /ranger/audit/hdfs
${HADOOP_HOME}/bin/hdfs dfs -chown yarn:hadoop /ranger/audit/yarn
@@ -30,6 +31,7 @@ ${HADOOP_HOME}/bin/hdfs dfs -chown hbase:hadoop /ranger/audit/hbaseMaster
${HADOOP_HOME}/bin/hdfs dfs -chown hbase:hadoop /ranger/audit/hbaseRegional
${HADOOP_HOME}/bin/hdfs dfs -chown kafka:hadoop /ranger/audit/kafka
${HADOOP_HOME}/bin/hdfs dfs -chown hive:hadoop /ranger/audit/hiveServer2
+${HADOOP_HOME}/bin/hdfs dfs -chown knox:hadoop /ranger/audit/knox
# setup directories for HBase
${HADOOP_HOME}/bin/hdfs dfs -mkdir /hbase
diff --git a/dev-support/ranger-docker/scripts/ranger-hadoop-setup.sh b/dev-support/ranger-docker/scripts/ranger-hadoop-setup.sh
index fa22613..10f04ac 100755
--- a/dev-support/ranger-docker/scripts/ranger-hadoop-setup.sh
+++ b/dev-support/ranger-docker/scripts/ranger-hadoop-setup.sh
@@ -39,6 +39,10 @@ cat <<EOF > ${HADOOP_HOME}/etc/hadoop/hdfs-site.xml
<name>dfs.replication</name>
<value>1</value>
</property>
+ <property>
+ <name>dfs.webhdfs.enabled</name>
+ <value>true</value>
+ </property>
</configuration>
EOF
diff --git a/dev-support/ranger-docker/scripts/ranger-knox-expect.sh b/dev-support/ranger-docker/scripts/ranger-knox-expect.sh
new file mode 100644
index 0000000..b0890d6
--- /dev/null
+++ b/dev-support/ranger-docker/scripts/ranger-knox-expect.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env expect
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+
+spawn /opt/knox/bin/knoxcli.sh create-master --force
+
+expect "Enter master secret:"
+send "admin\r"
+
+expect "Enter master secret again:"
+send "admin\r"
+
+expect "Master secret has been persisted to disk."
\ No newline at end of file
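Review bot: Both `send "admin\r"` lines hard-code the Knox master secret, which protects the gateway's keystores and credential stores, as a guessable literal that ends up in the repository and in the built image. Reading it from the environment keeps the value out of the script, e.g. `send "$env(KNOX_MASTER_SECRET)\r"` (variable name constructed here), with a per-developer value supplied at build or start time. Separately, a bare `expect "..."` continues silently after the default timeout, so a failed `create-master` still lets the build succeed; the last step could be `expect { "Master secret has been persisted to disk." {} timeout { exit 1 } eof { exit 1 } }`. The file also lacks a trailing newline.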
diff --git a/dev-support/ranger-docker/scripts/ranger-knox-plugin-install.properties b/dev-support/ranger-docker/scripts/ranger-knox-plugin-install.properties
new file mode 100644
index 0000000..90ae0ba
--- /dev/null
+++ b/dev-support/ranger-docker/scripts/ranger-knox-plugin-install.properties
@@ -0,0 +1,76 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+POLICY_MGR_URL=http://ranger:6080
+REPOSITORY_NAME=dev_knox
+COMPONENT_INSTALL_DIR_NAME=/opt/knox
+
+CUSTOM_USER=knox
+CUSTOM_GROUP=knox
+
+XAAUDIT.SOLR.IS_ENABLED=true
+XAAUDIT.SOLR.MAX_QUEUE_SIZE=1
+XAAUDIT.SOLR.MAX_FLUSH_INTERVAL_MS=1000
+XAAUDIT.SOLR.SOLR_URL=http://ranger-solr:8983/solr/ranger_audits
+
+# Following properties are needed to get past installation script! Please don't remove
+XAAUDIT.HDFS.IS_ENABLED=false
+XAAUDIT.HDFS.DESTINATION_DIRECTORY=/ranger/audit
+XAAUDIT.HDFS.DESTINTATION_FILE=hadoop
+XAAUDIT.HDFS.DESTINTATION_FLUSH_INTERVAL_SECONDS=900
+XAAUDIT.HDFS.DESTINTATION_ROLLOVER_INTERVAL_SECONDS=86400
+XAAUDIT.HDFS.DESTINTATION_OPEN_RETRY_INTERVAL_SECONDS=60
+XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY=/var/log/knox/audit
+XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY=/var/log/knox/audit/archive
+XAAUDIT.HDFS.LOCAL_BUFFER_FILE=%time:yyyyMMdd-HHmm.ss%.log
+XAAUDIT.HDFS.LOCAL_BUFFER_FLUSH_INTERVAL_SECONDS=60
+XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS=600
+XAAUDIT.HDFS.LOCAL_ARCHIVE_MAX_FILE_COUNT=10
+
+XAAUDIT.SOLR.ENABLE=true
+XAAUDIT.SOLR.URL=http://ranger-solr:8983/solr/ranger_audits
+XAAUDIT.SOLR.USER=NONE
+XAAUDIT.SOLR.PASSWORD=NONE
+XAAUDIT.SOLR.ZOOKEEPER=NONE
+XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/knox/audit/solr/spool
+
+XAAUDIT.ELASTICSEARCH.ENABLE=false
+XAAUDIT.ELASTICSEARCH.URL=NONE
+XAAUDIT.ELASTICSEARCH.USER=NONE
+XAAUDIT.ELASTICSEARCH.PASSWORD=NONE
+XAAUDIT.ELASTICSEARCH.INDEX=NONE
+XAAUDIT.ELASTICSEARCH.PORT=NONE
+XAAUDIT.ELASTICSEARCH.PROTOCOL=NONE
+
+XAAUDIT.HDFS.ENABLE=true
+XAAUDIT.HDFS.HDFS_DIR=hdfs://ranger-hadoop:9000/ranger/audit
+XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/hadoop/knox/audit/hdfs/spool
+
+XAAUDIT.HDFS.AZURE_ACCOUNTNAME=__REPLACE_AZURE_ACCOUNT_NAME
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY=__REPLACE_AZURE_ACCOUNT_KEY
+XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER=__REPLACE_AZURE_SHELL_KEY_PROVIDER
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER=__REPLACE_AZURE_ACCOUNT_KEY_PROVIDER
+
+XAAUDIT.LOG4J.ENABLE=false
+XAAUDIT.LOG4J.IS_ASYNC=false
+XAAUDIT.LOG4J.ASYNC.MAX.QUEUE.SIZE=10240
+XAAUDIT.LOG4J.ASYNC.MAX.FLUSH.INTERVAL.MS=30000
+XAAUDIT.LOG4J.DESTINATION.LOG4J=false
+XAAUDIT.LOG4J.DESTINATION.LOG4J.LOGGER=xaaudit
+
+SSL_KEYSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-keystore.jks
+SSL_KEYSTORE_PASSWORD=myKeyFilePassword
+SSL_TRUSTSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-truststore.jks
+SSL_TRUSTSTORE_PASSWORD=changeit
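Review bot: `POLICY_MGR_URL=http://ranger:6080` and both Solr audit URLs use plain HTTP, and `SSL_KEYSTORE_PASSWORD=myKeyFilePassword` / `SSL_TRUSTSTORE_PASSWORD=changeit` are template defaults, so anyone copying this file as a starting point inherits unencrypted policy download and audit traffic. A header comment such as `# Development-only defaults: plain HTTP to Ranger Admin and Solr, placeholder keystore passwords; do not reuse outside the docker dev setup` would make that explicit. The keystore paths under `/etc/hadoop/conf` are not created by anything visible in this commit, so they look unused here.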
diff --git a/dev-support/ranger-docker/scripts/ranger-knox-sandbox.xml b/dev-support/ranger-docker/scripts/ranger-knox-sandbox.xml
new file mode 100644
index 0000000..c6ae986
--- /dev/null
+++ b/dev-support/ranger-docker/scripts/ranger-knox-sandbox.xml
@@ -0,0 +1,175 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<topology>
+
+ <gateway>
+
+ <provider>
+ <role>authentication</role>
+ <name>ShiroProvider</name>
+ <enabled>true</enabled>
+ <param>
+ <!--
+ session timeout in minutes, this is really idle timeout,
+ defaults to 30mins, if the property value is not defined,,
+ current client authentication would expire if client idles contiuosly for more than this value
+ -->
+ <name>sessionTimeout</name>
+ <value>30</value>
+ </param>
+ <param>
+ <name>main.ldapRealm</name>
+ <value>org.apache.knox.gateway.shirorealm.KnoxLdapRealm</value>
+ </param>
+ <param>
+ <name>main.ldapContextFactory</name>
+ <value>org.apache.knox.gateway.shirorealm.KnoxLdapContextFactory</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.contextFactory</name>
+ <value>$ldapContextFactory</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.userDnTemplate</name>
+ <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.contextFactory.url</name>
+ <value>ldap://localhost:33389</value>
+ </param>
+ <param>
+ <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
+ <value>simple</value>
+ </param>
+ <param>
+ <name>urls./**</name>
+ <value>authcBasic</value>
+ </param>
+ </provider>
+
+ <provider>
+ <role>authorization</role>
+ <name>AclsAuthz</name>
+ <enabled>true</enabled>
+ </provider>
+
+ <provider>
+ <role>identity-assertion</role>
+ <name>Default</name>
+ <enabled>true</enabled>
+ </provider>
+
+ <provider>
+ <role>hostmap</role>
+ <name>static</name>
+ <enabled>true</enabled>
+ <param>
+ <name>localhost</name>
+ <value>sandbox,sandbox.hortonworks.com</value>
+ </param>
+ </provider>
+
+ </gateway>
+
+ <service>
+ <role>NAMENODE</role>
+ <url>hdfs://ranger-hadoop.example.com:8020</url>
+ </service>
+
+ <service>
+ <role>JOBTRACKER</role>
+ <url>rpc://ranger-hadoop.example.com:8050</url>
+ </service>
+
+ <service>
+ <role>WEBHDFS</role>
+ <url>http://ranger-hadoop.example.com:9870/webhdfs</url>
+ </service>
+
+ <service>
+ <role>WEBHCAT</role>
+ <url>http://ranger-hive.example.com:50111/templeton</url>
+ </service>
+
+ <service>
+ <role>OOZIE</role>
+ <url>http://localhost:11000/oozie</url>
+ <param>
+ <name>replayBufferSize</name>
+ <value>8</value>
+ </param>
+ </service>
+
+ <service>
+ <role>WEBHBASE</role>
+ <url>http://ranger-hbase.example.com:60080</url>
+ <param>
+ <name>replayBufferSize</name>
+ <value>8</value>
+ </param>
+ </service>
+
+ <service>
+ <role>HIVE</role>
+ <url>http://ranger-hive.example.com:10001/cliservice</url>
+ <param>
+ <name>replayBufferSize</name>
+ <value>8</value>
+ </param>
+ </service>
+
+ <service>
+ <role>RESOURCEMANAGER</role>
+ <url>http://ranger-hadoop.example.com:8088/ws</url>
+ </service>
+
+ <service>
+ <role>DRUID-COORDINATOR-UI</role>
+ <url>http://localhost:8081</url>
+ </service>
+
+ <service>
+ <role>DRUID-COORDINATOR</role>
+ <url>http://localhost:8081</url>
+ </service>
+
+ <service>
+ <role>DRUID-BROKER</role>
+ <url>http://localhost:8082</url>
+ </service>
+
+ <service>
+ <role>DRUID-ROUTER</role>
+ <url>http://localhost:8082</url>
+ </service>
+
+ <service>
+ <role>DRUID-OVERLORD</role>
+ <url>http://localhost:8090</url>
+ </service>
+
+ <service>
+ <role>DRUID-OVERLORD-UI</role>
+ <url>http://localhost:8090</url>
+ </service>
+
+ <service>
+ <role>HUE</role>
+ <url>http://localhost:8889</url>
+ </service>
+</topology>
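Review bot: The `authorization` provider is declared as `AclsAuthz` with no ACL parameters, so unless `enable-knox-plugin.sh` (not part of this commit) rewrites the topology to the Ranger authorizer, requests through this topology are not evaluated against Ranger policies; a comment above the provider naming the step that swaps it in would let a reader verify that. The `NAMENODE` service uses `hdfs://ranger-hadoop.example.com:8020`, whereas ranger-knox-plugin-install.properties in the same commit addresses HDFS at `hdfs://ranger-hadoop:9000`, so one of the two ports is probably wrong. The OOZIE, DRUID-* and HUE services point at `localhost` ports that nothing in the compose file starts, and the `hostmap` still lists `sandbox.hortonworks.com`; trimming these leftovers from the stock sandbox topology would reduce what the gateway exposes.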
diff --git a/dev-support/ranger-docker/scripts/ranger-knox-service-dev_knox.py b/dev-support/ranger-docker/scripts/ranger-knox-service-dev_knox.py
new file mode 100644
index 0000000..dceea53
--- /dev/null
+++ b/dev-support/ranger-docker/scripts/ranger-knox-service-dev_knox.py
@@ -0,0 +1,8 @@
+from apache_ranger.model.ranger_service import RangerService
+from apache_ranger.client.ranger_client import RangerClient
+
+ranger_client = RangerClient('http://ranger:6080', ('admin', 'rangerR0cks!'))
+
+service = RangerService({'name': 'dev_knox', 'type': 'knox', 'configs': {'username':'knox', 'password':'knox', 'knox.url': 'http://ranger-hadoop:8088'}})
+
+ranger_client.create_service(service)
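Review bot: `'knox.url': 'http://ranger-hadoop:8088'` points the Knox service definition at the host and port that ranger-knox-sandbox.xml uses for the YARN ResourceManager, not at the Knox gateway published on 8443 by docker-compose.ranger-knox.yml, so resource lookup and test-connection from Ranger Admin will likely fail. It should reference the gateway's topology admin endpoint, something like `'knox.url': 'https://ranger-knox:8443/gateway/admin/api/v1/topologies'` (confirm the path against the deployed Knox version). The Ranger admin password and the `knox`/`knox` service credentials are also literals here; reading them from environment variables would keep them out of the script.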
diff --git a/dev-support/ranger-docker/scripts/ranger-knox-setup.sh b/dev-support/ranger-docker/scripts/ranger-knox-setup.sh
new file mode 100755
index 0000000..c5c9bca
--- /dev/null
+++ b/dev-support/ranger-docker/scripts/ranger-knox-setup.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+cat <<EOF > /etc/ssh/ssh_config
+Host *
+ StrictHostKeyChecking no
+ UserKnownHostsFile=/dev/null
+EOF
+
+chown -R knox:knox /opt/knox/
+
+mkdir -p /opt/knox/logs
+chown -R knox:knox /opt/knox/
+chmod g+w /opt/knox/logs
+
+cd ${RANGER_HOME}/ranger-knox-plugin
+./enable-knox-plugin.sh
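Review bot: The here-document overwrites `/etc/ssh/ssh_config` with `StrictHostKeyChecking no` and `UserKnownHostsFile=/dev/null` for `Host *`, which disables host-key verification for every outbound SSH connection from the container, yet nothing in this script or in ranger-knox.sh appears to need SSH to other hosts. Dropping the block is the simplest fix; if it is needed, scope it to the specific host names. `cd ${RANGER_HOME}/ranger-knox-plugin` is unquoted and unchecked, so if `RANGER_HOME` is unset the script runs `./enable-knox-plugin.sh` from the wrong directory; `cd "${RANGER_HOME}/ranger-knox-plugin" || exit 1` fails fast. The first `chown -R knox:knox /opt/knox/` is redundant with the one after `mkdir`.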
diff --git a/dev-support/ranger-docker/scripts/ranger-knox.sh b/dev-support/ranger-docker/scripts/ranger-knox.sh
new file mode 100755
index 0000000..7548ae6
--- /dev/null
+++ b/dev-support/ranger-docker/scripts/ranger-knox.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+service ssh start
+
+if [ ! -e ${KNOX_HOME}/.setupDone ]
+then
+ su -c "ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa" knox
+ su -c "cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys" knox
+ su -c "chmod 0600 ~/.ssh/authorized_keys" knox
+
+ echo "ssh" > /etc/pdsh/rcmd_default
+
+ ${RANGER_SCRIPTS}/ranger-knox-setup.sh
+
+ touch ${KNOX_HOME}/.setupDone
+fi
+
+su -c "${KNOX_HOME}/bin/ldap.sh start" knox
+
+su -c "${KNOX_HOME}/bin/gateway.sh start" knox
+
+KNOX_GATEWAY_PID=`ps -ef | grep -v grep | grep -i "gateway.jar" | awk '{print $2}'`
+
+# prevent the container from exiting
+tail --pid=$KNOX_GATEWAY_PID -f /dev/null
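Review bot: `service ssh start` plus the `ssh-keygen`/`authorized_keys` steps give the container a running sshd and a passphrase-less key for `knox`, but the LDAP and gateway start commands below do not use SSH; this looks carried over from the Hadoop container and can be removed along with the `/etc/pdsh/rcmd_default` write. `KNOX_GATEWAY_PID` is taken from `ps | grep` immediately after `gateway.sh start`, so if the gateway has not started or has already exited the variable is empty and `tail --pid=$KNOX_GATEWAY_PID` fails, ending the container without a useful message; check it first, e.g. `[ -n "$KNOX_GATEWAY_PID" ] || { echo "Knox gateway did not start" >&2; exit 1; }`. Expansions such as `${KNOX_HOME}/.setupDone` should be quoted.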
diff --git a/dev-support/ranger-docker/scripts/ranger.sh b/dev-support/ranger-docker/scripts/ranger.sh
index 04ac7cb..e2c0ddb 100755
--- a/dev-support/ranger-docker/scripts/ranger.sh
+++ b/dev-support/ranger-docker/scripts/ranger.sh
@@ -43,6 +43,7 @@ then
python3 ${RANGER_SCRIPTS}/ranger-hive-service-dev_hive.py
python3 ${RANGER_SCRIPTS}/ranger-hbase-service-dev_hbase.py
python3 ${RANGER_SCRIPTS}/ranger-kafka-service-dev_kafka.py
+ python3 ${RANGER_SCRIPTS}/ranger-knox-service-dev_knox.py
fi
RANGER_ADMIN_PID=`ps -ef | grep -v grep | grep -i "org.apache.ranger.server.tomcat.EmbeddedServer" | awk '{print $2}'`
diff --git a/distro/src/main/assembly/knox-agent.xml b/distro/src/main/assembly/knox-agent.xml
index 0532e5a..095ae1a 100644
--- a/distro/src/main/assembly/knox-agent.xml
+++ b/distro/src/main/assembly/knox-agent.xml
@@ -54,6 +54,7 @@
<directoryMode>755</directoryMode>
<fileMode>644</fileMode>
<includes>
+ <include>com.sun.jersey:jersey-client:jar:${jersey-bundle.version}</include>
<include>org.apache.commons:commons-configuration2</include>
<include>com.google.code.gson:gson*</include>
<include>org.apache.httpcomponents:httpmime:jar:${httpcomponents.httpmime.version}</include>
@@ -99,6 +100,7 @@
<includes>
<include>commons-cli:commons-cli</include>
<include>commons-collections:commons-collections</include>
+ <include>org.apache.commons:commons-lang3:jar:${commons.lang3.version}</include>
<include>org.apache.commons:commons-configuration2:jar:${commons.configuration.version}</include>
<include>commons-io:commons-io:jar:${commons.io.version}</include>
<include>commons-lang:commons-lang</include>
@@ -110,6 +112,7 @@
<include>org.codehaus.woodstox:stax2-api</include>
<include>com.fasterxml.woodstox:woodstox-core</include>
<include>org.apache.htrace:htrace-core4</include>
+ <include>org.apache.commons:commons-compress:jar:${commons.compress.version}</include>
</includes>
</binaries>
</moduleSet>
diff --git a/knox-agent/pom.xml b/knox-agent/pom.xml
index 638d277..5248d89 100644
--- a/knox-agent/pom.xml
+++ b/knox-agent/pom.xml
@@ -57,6 +57,12 @@
<artifactId>jersey-client</artifactId>
</dependency>
<dependency>
+ <groupId>com.sun.jersey</groupId>
+ <artifactId>jersey-client</artifactId>
+ <type>jar</type>
+ <version>${jersey-bundle.version}</version>
+ </dependency>
+ <dependency>
<groupId>com.google.code.gson</groupId>
<artifactId>gson</artifactId>
</dependency>