Posted to commits@ambari.apache.org by jo...@apache.org on 2017/02/17 21:30:03 UTC
[05/15] ambari git commit: AMBARI-19845 Secure Ranger passwords in
Ambari Stacks (mugdha)
AMBARI-19845 Secure Ranger passwords in Ambari Stacks (mugdha)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/c395f694
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/c395f694
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/c395f694
Branch: refs/heads/branch-feature-AMBARI-20053
Commit: c395f6948a1aa8bb62f65b3b7a1fe4c72f662762
Parents: 05c76ed
Author: Mugdha Varadkar <mu...@apache.org>
Authored: Fri Feb 17 15:53:43 2017 +0530
Committer: Mugdha Varadkar <mu...@apache.org>
Committed: Fri Feb 17 16:19:13 2017 +0530
----------------------------------------------------------------------
.../libraries/functions/constants.py | 1 +
.../functions/setup_ranger_plugin_xml.py | 23 ++++++-
.../RANGER/0.4.0/package/scripts/params.py | 18 ++++++
.../0.4.0/package/scripts/setup_ranger_xml.py | 67 ++++++++++++++++++--
.../0.5.0/configuration/ranger-admin-site.xml | 12 ++++
.../0.7.0/configuration/ranger-admin-site.xml | 31 +++++++++
.../RANGER_KMS/0.5.0.2.3/package/scripts/kms.py | 29 ++++++++-
.../0.5.0.2.3/package/scripts/params.py | 4 ++
.../HDP/2.0.6/properties/stack_features.json | 5 ++
.../stacks/2.5/RANGER/test_ranger_admin.py | 16 ++++-
.../stacks/2.5/RANGER/test_ranger_usersync.py | 8 ++-
.../stacks/2.5/RANGER_KMS/test_kms_server.py | 50 +++++++++++++--
.../stacks/2.6/RANGER/test_ranger_admin.py | 40 +++++++++++-
.../stacks/2.6/RANGER/test_ranger_tagsync.py | 19 ++++--
.../2.6/configs/ranger-admin-default.json | 6 +-
15 files changed, 302 insertions(+), 27 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/c395f694/ambari-common/src/main/python/resource_management/libraries/functions/constants.py
----------------------------------------------------------------------
diff --git a/ambari-common/src/main/python/resource_management/libraries/functions/constants.py b/ambari-common/src/main/python/resource_management/libraries/functions/constants.py
index 8fd5c8d..c31b883 100644
--- a/ambari-common/src/main/python/resource_management/libraries/functions/constants.py
+++ b/ambari-common/src/main/python/resource_management/libraries/functions/constants.py
@@ -116,3 +116,4 @@ class StackFeature:
ATLAS_INSTALL_HOOK_PACKAGE_SUPPORT="atlas_install_hook_package_support"
ATLAS_HDFS_SITE_ON_NAMENODE_HA='atlas_hdfs_site_on_namenode_ha'
HIVE_INTERACTIVE_GA_SUPPORT='hive_interactive_ga'
+ SECURE_RANGER_SSL_PASSWORD = "secure_ranger_ssl_password"
http://git-wip-us.apache.org/repos/asf/ambari/blob/c395f694/ambari-common/src/main/python/resource_management/libraries/functions/setup_ranger_plugin_xml.py
----------------------------------------------------------------------
diff --git a/ambari-common/src/main/python/resource_management/libraries/functions/setup_ranger_plugin_xml.py b/ambari-common/src/main/python/resource_management/libraries/functions/setup_ranger_plugin_xml.py
index a12116d..56c46dd 100644
--- a/ambari-common/src/main/python/resource_management/libraries/functions/setup_ranger_plugin_xml.py
+++ b/ambari-common/src/main/python/resource_management/libraries/functions/setup_ranger_plugin_xml.py
@@ -131,9 +131,17 @@ def setup_ranger_plugin(component_select_name, service_name, previous_jdbc_jar,
mode = 0644
)
+ # remove plain-text password from xml configs
+ plugin_audit_password_property = 'xasecure.audit.destination.db.password'
+ plugin_audit_properties_copy = {}
+ plugin_audit_properties_copy.update(plugin_audit_properties)
+
+ if plugin_audit_password_property in plugin_audit_properties_copy:
+ plugin_audit_properties_copy[plugin_audit_password_property] = "crypted"
+
XmlConfig(format('ranger-{service_name}-audit.xml'),
conf_dir=component_conf_dir,
- configurations=plugin_audit_properties,
+ configurations=plugin_audit_properties_copy,
configuration_attributes=plugin_audit_attributes,
owner = component_user,
group = component_group,
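Review bot: The copy-then-mask sequence at the top of this hunk (`plugin_audit_properties_copy = {}`, `.update(...)`, membership test, overwrite) is repeated almost verbatim in the next hunk of this file and again in setup_ranger_xml.py and kms.py, each time with the property list and the placeholder literal inlined. A single shared helper, e.g. `def mask_password_properties(configurations, properties, placeholder): ...` that returns `dict(configurations)` with the listed keys overwritten, would keep the scrubbing logic in one place and turn the bare `"crypted"` into a named constant. Note that this file and the plugin paths in kms.py mask with `"crypted"` while setup_ranger_xml.py and the dbks-site path in kms.py mask with `"_"`; if the two values are read differently downstream, a comment stating which consumer expects which would save the next maintainer from "fixing" the inconsistency. setup_ranger_plugin's body starts before and ends after this hunk.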
@@ -147,10 +155,19 @@ def setup_ranger_plugin(component_select_name, service_name, previous_jdbc_jar,
group = component_group,
mode=0744)
+ # remove plain-text password from xml configs
+ plugin_password_properties = ['xasecure.policymgr.clientssl.keystore.password', 'xasecure.policymgr.clientssl.truststore.password']
+ plugin_policymgr_ssl_properties_copy = {}
+ plugin_policymgr_ssl_properties_copy.update(plugin_policymgr_ssl_properties)
+
+ for prop in plugin_password_properties:
+ if prop in plugin_policymgr_ssl_properties_copy:
+ plugin_policymgr_ssl_properties_copy[prop] = "crypted"
+
if str(service_name).lower() == 'yarn' :
XmlConfig("ranger-policymgr-ssl-yarn.xml",
conf_dir=component_conf_dir,
- configurations=plugin_policymgr_ssl_properties,
+ configurations=plugin_policymgr_ssl_properties_copy,
configuration_attributes=plugin_policymgr_ssl_attributes,
owner = component_user,
group = component_group,
@@ -158,7 +175,7 @@ def setup_ranger_plugin(component_select_name, service_name, previous_jdbc_jar,
else:
XmlConfig("ranger-policymgr-ssl.xml",
conf_dir=component_conf_dir,
- configurations=plugin_policymgr_ssl_properties,
+ configurations=plugin_policymgr_ssl_properties_copy,
configuration_attributes=plugin_policymgr_ssl_attributes,
owner = component_user,
group = component_group,
http://git-wip-us.apache.org/repos/asf/ambari/blob/c395f694/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py
index 49cd98b..0fae23e 100644
--- a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py
@@ -73,6 +73,7 @@ stack_supports_ranger_admin_password_change = check_stack_feature(StackFeature.R
stack_supports_ranger_setup_db_on_start = check_stack_feature(StackFeature.RANGER_SETUP_DB_ON_START, version_for_stack_feature_checks)
stack_supports_ranger_tagsync_ssl_xml_support = check_stack_feature(StackFeature.RANGER_TAGSYNC_SSL_XML_SUPPORT, version_for_stack_feature_checks)
stack_supports_ranger_solr_configs = check_stack_feature(StackFeature.RANGER_SOLR_CONFIG_SUPPORT, version_for_stack_feature_checks)
+stack_supports_secure_ssl_password = check_stack_feature(StackFeature.SECURE_RANGER_SSL_PASSWORD, version_for_stack_feature_checks)
downgrade_from_version = default("/commandParams/downgrade_from_version", None)
upgrade_direction = default("/commandParams/upgrade_direction", None)
@@ -425,3 +426,20 @@ if is_hbase_ha_enabled:
if is_namenode_ha_enabled:
if not is_empty(config['configurations']['ranger-hdfs-plugin-properties']['ranger-hdfs-plugin-enabled']):
ranger_hdfs_plugin_enabled = config['configurations']['ranger-hdfs-plugin-properties']['ranger-hdfs-plugin-enabled'].lower() == 'yes'
+
+ranger_admin_password_properties = ['ranger.jpa.jdbc.password', 'ranger.jpa.audit.jdbc.password', 'ranger.ldap.bind.password', 'ranger.ldap.ad.bind.password']
+ranger_usersync_password_properties = ['ranger.usersync.ldap.ldapbindpassword']
+ranger_tagsync_password_properties = ['xasecure.policymgr.clientssl.keystore.password', 'xasecure.policymgr.clientssl.truststore.password']
+if stack_supports_secure_ssl_password:
+ ranger_admin_password_properties.extend(['ranger.service.https.attrib.keystore.pass', 'ranger.truststore.password'])
+ ranger_usersync_password_properties.extend(['ranger.usersync.keystore.password', 'ranger.usersync.truststore.password'])
+
+ranger_auth_method = config['configurations']['ranger-admin-site']['ranger.authentication.method']
+ranger_ldap_password_alias = default('/configurations/ranger-admin-site/ranger.ldap.binddn.credential.alias', 'ranger.ldap.bind.password')
+ranger_ad_password_alias = default('/configurations/ranger-admin-site/ranger.ldap.ad.binddn.credential.alias', 'ranger.ldap.ad.bind.password')
+ranger_https_keystore_alias = default('/configurations/ranger-admin-site/ranger.service.https.attrib.keystore.credential.alias', 'keyStoreCredentialAlias')
+ranger_truststore_alias = default('/configurations/ranger-admin-site/ranger.truststore.alias', 'trustStoreAlias')
+https_enabled = config['configurations']['ranger-admin-site']['ranger.service.https.attrib.ssl.enabled']
+http_enabled = config['configurations']['ranger-admin-site']['ranger.service.http.enabled']
+https_keystore_password = config['configurations']['ranger-admin-site']['ranger.service.https.attrib.keystore.pass']
+truststore_password = config['configurations']['ranger-admin-site']['ranger.truststore.password']
\ No newline at end of file
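Review bot: `https_enabled` and `http_enabled` are taken straight from ranger-admin-site without conversion, and setup_ranger_xml.py in this commit combines them as `if params.https_enabled and not params.http_enabled:`. If those configuration values arrive as strings, as the `.lower() == 'yes'` comparison on the `ranger-hdfs-plugin-enabled` context line in this hunk suggests for this file, then `"false"` is truthy and `not "true"` is false, so the HTTPS keystore password would never be written to the credential provider. Normalising at read time, `https_enabled = str(config['configurations']['ranger-admin-site']['ranger.service.https.attrib.ssl.enabled']).lower() == 'true'` and the same for `http_enabled`, makes the later check behave as intended. The new `ranger_auth_method`, `https_keystore_password` and `truststore_password` reads use direct indexing while the neighbouring alias reads use `default(...)`; if any of these keys can be absent on older stack definitions the direct read raises KeyError, so confirm which is wanted.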
http://git-wip-us.apache.org/repos/asf/ambari/blob/c395f694/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
index acb5385..b3eb919 100644
--- a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
@@ -191,9 +191,17 @@ def setup_ranger_admin(upgrade_type=None):
only_if=format("ls {ranger_home}/ews/ranger-admin-services.sh"),
sudo=True)
+ # remove plain-text password from xml configs
+
+ ranger_admin_site_copy = {}
+ ranger_admin_site_copy.update(params.config['configurations']['ranger-admin-site'])
+ for prop in params.ranger_admin_password_properties:
+ if prop in ranger_admin_site_copy:
+ ranger_admin_site_copy[prop] = "_"
+
XmlConfig("ranger-admin-site.xml",
conf_dir=ranger_conf,
- configurations=params.config['configurations']['ranger-admin-site'],
+ configurations=ranger_admin_site_copy,
configuration_attributes=params.config['configuration_attributes']['ranger-admin-site'],
owner=params.unix_user,
group=params.unix_group,
@@ -321,6 +329,36 @@ def do_keystore_setup(upgrade_type=None):
mode = 0640
)
+ if params.ranger_auth_method.upper() == "LDAP":
+ ranger_credential_helper(params.cred_lib_path, params.ranger_ldap_password_alias, params.ranger_usersync_ldap_ldapbindpassword, params.ranger_credential_provider_path)
+
+ File(params.ranger_credential_provider_path,
+ owner = params.unix_user,
+ group = params.unix_group,
+ mode = 0640
+ )
+
+ if params.ranger_auth_method.upper() == "ACTIVE_DIRECTORY":
+ ranger_credential_helper(params.cred_lib_path, params.ranger_ad_password_alias, params.ranger_usersync_ldap_ldapbindpassword, params.ranger_credential_provider_path)
+
+ File(params.ranger_credential_provider_path,
+ owner = params.unix_user,
+ group = params.unix_group,
+ mode = 0640
+ )
+
+ if params.stack_supports_secure_ssl_password:
+ ranger_credential_helper(params.cred_lib_path, params.ranger_truststore_alias, params.truststore_password, params.ranger_credential_provider_path)
+
+ if params.https_enabled and not params.http_enabled:
+ ranger_credential_helper(params.cred_lib_path, params.ranger_https_keystore_alias, params.https_keystore_password, params.ranger_credential_provider_path)
+
+ File(params.ranger_credential_provider_path,
+ owner = params.unix_user,
+ group = params.unix_group,
+ mode = 0640
+ )
+
def password_validation(password):
import params
if password.strip() == "":
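Review bot: Both new LDAP branches store `params.ranger_usersync_ldap_ldapbindpassword` under the admin aliases `ranger_ldap_password_alias` and `ranger_ad_password_alias`, while the properties scrubbed from ranger-admin-site.xml are `ranger.ldap.bind.password` and `ranger.ldap.ad.bind.password`; if the admin bind password can differ from the usersync one, Ranger Admin will resolve the wrong secret, so this should either read the admin-site value or carry a comment saying the two are deliberately identical. The `File(params.ranger_credential_provider_path, ...)` resource is declared three times in this hunk; one declaration after the last `ranger_credential_helper` call yields the same owner, group and `0640` mode. The 2.6 test in this commit expects the truststore value as a plain argv element of the `buildks` Execute with `logoutput=True`, so the secret is visible to process listings and possibly the agent log for the duration of the call; `ranger_credential_helper` is defined outside this hunk, so confirm it wraps the value so that logging masks it (the `PasswordString` wrapper in resource_management exists for that purpose). do_keystore_setup begins before this hunk.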
@@ -453,9 +491,16 @@ def setup_usersync(upgrade_type=None):
dst_file = format('{usersync_home}/conf/log4j.xml')
Execute(('cp', '-f', src_file, dst_file), sudo=True)
+ # remove plain-text password from xml configs
+ ranger_ugsync_site_copy = {}
+ ranger_ugsync_site_copy.update(params.config['configurations']['ranger-ugsync-site'])
+ for prop in params.ranger_usersync_password_properties:
+ if prop in ranger_ugsync_site_copy:
+ ranger_ugsync_site_copy[prop] = "_"
+
XmlConfig("ranger-ugsync-site.xml",
conf_dir=ranger_ugsync_conf,
- configurations=params.config['configurations']['ranger-ugsync-site'],
+ configurations=ranger_ugsync_site_copy,
configuration_attributes=params.config['configuration_attributes']['ranger-ugsync-site'],
owner=params.unix_user,
group=params.unix_group,
@@ -750,9 +795,16 @@ def setup_tagsync_ssl_configs():
mode=0775,
create_parents=True)
+ # remove plain-text password from xml configs
+ ranger_tagsync_policymgr_ssl_copy = {}
+ ranger_tagsync_policymgr_ssl_copy.update(params.config['configurations']['ranger-tagsync-policymgr-ssl'])
+ for prop in params.ranger_tagsync_password_properties:
+ if prop in ranger_tagsync_policymgr_ssl_copy:
+ ranger_tagsync_policymgr_ssl_copy[prop] = "_"
+
XmlConfig("ranger-policymgr-ssl.xml",
conf_dir=params.ranger_tagsync_conf,
- configurations=params.config['configurations']['ranger-tagsync-policymgr-ssl'],
+ configurations=ranger_tagsync_policymgr_ssl_copy,
configuration_attributes=params.config['configuration_attributes']['ranger-tagsync-policymgr-ssl'],
owner=params.unix_user,
group=params.unix_group,
@@ -767,9 +819,16 @@ def setup_tagsync_ssl_configs():
mode = 0640
)
+ # remove plain-text password from xml configs
+ atlas_tagsync_ssl_copy = {}
+ atlas_tagsync_ssl_copy.update(params.config['configurations']['atlas-tagsync-ssl'])
+ for prop in params.ranger_tagsync_password_properties:
+ if prop in atlas_tagsync_ssl_copy:
+ atlas_tagsync_ssl_copy[prop] = "_"
+
XmlConfig("atlas-tagsync-ssl.xml",
conf_dir=params.ranger_tagsync_conf,
- configurations=params.config['configurations']['atlas-tagsync-ssl'],
+ configurations=atlas_tagsync_ssl_copy,
configuration_attributes=params.config['configuration_attributes']['atlas-tagsync-ssl'],
owner=params.unix_user,
group=params.unix_group,
http://git-wip-us.apache.org/repos/asf/ambari/blob/c395f694/ambari-server/src/main/resources/common-services/RANGER/0.5.0/configuration/ranger-admin-site.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.5.0/configuration/ranger-admin-site.xml b/ambari-server/src/main/resources/common-services/RANGER/0.5.0/configuration/ranger-admin-site.xml
index c52924c..f2e23ce 100644
--- a/ambari-server/src/main/resources/common-services/RANGER/0.5.0/configuration/ranger-admin-site.xml
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.5.0/configuration/ranger-admin-site.xml
@@ -548,4 +548,16 @@
</value-attributes>
<on-ambari-upgrade add="true"/>
</property>
+ <property>
+ <name>ranger.ldap.binddn.credential.alias</name>
+ <value>ranger.ldap.bind.password</value>
+ <description></description>
+ <on-ambari-upgrade add="true"/>
+ </property>
+ <property>
+ <name>ranger.ldap.ad.binddn.credential.alias</name>
+ <value>ranger.ldap.ad.bind.password</value>
+ <description></description>
+ <on-ambari-upgrade add="true"/>
+ </property>
</configuration>
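Review bot: Both new `<property>` entries ship with an empty `<description></description>`, and the same applies to the two properties in the new 0.7.0 ranger-admin-site.xml in this commit; since these values are the aliases under which the bind passwords are stored in the Ranger Admin credential provider, a description such as `Alias under which the LDAP bind password is stored in the Ranger Admin credential provider (jceks)` documents the contract for stack users. The 0.5.0 entries use `<on-ambari-upgrade add="true"/>` while the 0.7.0 ones use `add="false"`; if that difference is intentional, a short comment in the 0.7.0 file explaining why the SSL aliases must not be added on upgrade would keep it from being reconciled by mistake later.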
http://git-wip-us.apache.org/repos/asf/ambari/blob/c395f694/ambari-server/src/main/resources/common-services/RANGER/0.7.0/configuration/ranger-admin-site.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.7.0/configuration/ranger-admin-site.xml b/ambari-server/src/main/resources/common-services/RANGER/0.7.0/configuration/ranger-admin-site.xml
new file mode 100644
index 0000000..ebf8517
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.7.0/configuration/ranger-admin-site.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<configuration>
+ <property>
+ <name>ranger.truststore.alias</name>
+ <value>trustStoreAlias</value>
+ <description></description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>ranger.service.https.attrib.keystore.credential.alias</name>
+ <value>keyStoreCredentialAlias</value>
+ <description></description>
+ <on-ambari-upgrade add="false"/>
+ </property>
+</configuration>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ambari/blob/c395f694/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py
index 742cb93..536ba76 100755
--- a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py
+++ b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py
@@ -271,9 +271,17 @@ def kms(upgrade_type=None):
if params.stack_support_kms_hsm and params.enable_kms_hsm:
do_keystore_setup(params.credential_provider_path, params.hms_partition_alias, unicode(params.hms_partition_passwd))
+ # remove plain-text password from xml configs
+ dbks_site_copy = {}
+ dbks_site_copy.update(params.config['configurations']['dbks-site'])
+
+ for prop in params.dbks_site_password_properties:
+ if prop in dbks_site_copy:
+ dbks_site_copy[prop] = "_"
+
XmlConfig("dbks-site.xml",
conf_dir=params.kms_conf_dir,
- configurations=params.config['configurations']['dbks-site'],
+ configurations=dbks_site_copy,
configuration_attributes=params.config['configuration_attributes']['dbks-site'],
owner=params.kms_user,
group=params.kms_group,
@@ -421,9 +429,16 @@ def enable_kms_plugin():
mode = 0644
)
+ # remove plain-text password from xml configs
+ plugin_audit_properties_copy = {}
+ plugin_audit_properties_copy.update(params.config['configurations']['ranger-kms-audit'])
+
+ if params.plugin_audit_password_property in plugin_audit_properties_copy:
+ plugin_audit_properties_copy[params.plugin_audit_password_property] = "crypted"
+
XmlConfig("ranger-kms-audit.xml",
conf_dir=params.kms_conf_dir,
- configurations=params.config['configurations']['ranger-kms-audit'],
+ configurations=plugin_audit_properties_copy,
configuration_attributes=params.config['configuration_attributes']['ranger-kms-audit'],
owner=params.kms_user,
group=params.kms_group,
@@ -437,9 +452,17 @@ def enable_kms_plugin():
group=params.kms_group,
mode=0744)
+ # remove plain-text password from xml configs
+ ranger_kms_policymgr_ssl_copy = {}
+ ranger_kms_policymgr_ssl_copy.update(params.config['configurations']['ranger-kms-policymgr-ssl'])
+
+ for prop in params.kms_plugin_password_properties:
+ if prop in ranger_kms_policymgr_ssl_copy:
+ ranger_kms_policymgr_ssl_copy[prop] = "crypted"
+
XmlConfig("ranger-policymgr-ssl.xml",
conf_dir=params.kms_conf_dir,
- configurations=params.config['configurations']['ranger-kms-policymgr-ssl'],
+ configurations=ranger_kms_policymgr_ssl_copy,
configuration_attributes=params.config['configuration_attributes']['ranger-kms-policymgr-ssl'],
owner=params.kms_user,
group=params.kms_group,
http://git-wip-us.apache.org/repos/asf/ambari/blob/c395f694/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/params.py b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/params.py
index 05e8881..8473160 100755
--- a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/params.py
+++ b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/params.py
@@ -276,3 +276,7 @@ if security_enabled:
spengo_keytab = config['configurations']['kms-site']['hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.keytab']
spnego_principal = config['configurations']['kms-site']['hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.principal']
spnego_principal = spnego_principal.replace('_HOST', current_host.lower())
+
+plugin_audit_password_property = 'xasecure.audit.destination.db.password'
+kms_plugin_password_properties = ['xasecure.policymgr.clientssl.keystore.password', 'xasecure.policymgr.clientssl.truststore.password']
+dbks_site_password_properties = ['ranger.db.encrypt.key.password', 'ranger.ks.jpa.jdbc.password', 'ranger.ks.hsm.partition.password']
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ambari/blob/c395f694/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json b/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json
index 0fd1766..5e173b7 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json
+++ b/ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json
@@ -382,6 +382,11 @@
"name": "hive_interactive_ga",
"description": "Hive Interactive GA support",
"min_version": "2.6.0.0"
+ },
+ {
+ "name": "secure_ranger_ssl_password",
+ "description": "Securing Ranger Admin and Usersync SSL and Trustore related passwords in jceks",
+ "min_version": "2.6.0.0"
}
]
}
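Review bot: The description on the new `secure_ranger_ssl_password` entry misspells "Truststore" as "Trustore"; the corrected line is `"description": "Securing Ranger Admin and Usersync SSL and Truststore related passwords in jceks"`. This text is shown to operators inspecting stack features, so it is worth fixing before it is copied into later stack definitions.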
http://git-wip-us.apache.org/repos/asf/ambari/blob/c395f694/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_admin.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_admin.py b/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_admin.py
index 1b5d7ae..0d38876 100644
--- a/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_admin.py
+++ b/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_admin.py
@@ -293,11 +293,17 @@ class TestRangerAdmin(RMFTestCase):
sudo = True
)
+ ranger_admin_site_copy = {}
+ ranger_admin_site_copy.update(self.getConfig()['configurations']['ranger-admin-site'])
+ for prop in ['ranger.jpa.jdbc.password', 'ranger.jpa.audit.jdbc.password', 'ranger.ldap.bind.password', 'ranger.ldap.ad.bind.password']:
+ if prop in ranger_admin_site_copy:
+ ranger_admin_site_copy[prop] = "_"
+
self.assertResourceCalled('XmlConfig', 'ranger-admin-site.xml',
owner = 'ranger',
group = 'ranger',
conf_dir = '/usr/hdp/current/ranger-admin/conf',
- configurations = self.getConfig()['configurations']['ranger-admin-site'],
+ configurations = ranger_admin_site_copy,
configuration_attributes = self.getConfig()['configuration_attributes']['ranger-admin-site'],
mode = 0644
)
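Review bot: The test re-derives the expected dict with the same `update` plus `for prop in [...]` loop as the production code instead of stating the expected outcome, so a reader cannot tell from the assertion which keys are masked or with what value; the same shape is used in the second hunk of this file and in the 2.5 usersync, 2.5 KMS and 2.6 admin tests of this commit. Adding a direct check such as `self.assertEqual(ranger_admin_site_copy['ranger.jpa.jdbc.password'], "_")` makes the intent explicit, and `self.assertNotEqual(self.getConfig()['configurations']['ranger-admin-site']['ranger.jpa.jdbc.password'], "_")` (assuming the fixture holds a non-placeholder value) also proves the source configuration was not mutated in place. The enclosing test method begins before and ends after this hunk.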
@@ -443,11 +449,17 @@ class TestRangerAdmin(RMFTestCase):
sudo = True
)
+ ranger_admin_site_copy = {}
+ ranger_admin_site_copy.update(self.getConfig()['configurations']['ranger-admin-site'])
+ for prop in ['ranger.jpa.jdbc.password', 'ranger.jpa.audit.jdbc.password', 'ranger.ldap.bind.password', 'ranger.ldap.ad.bind.password']:
+ if prop in ranger_admin_site_copy:
+ ranger_admin_site_copy[prop] = "_"
+
self.assertResourceCalled('XmlConfig', 'ranger-admin-site.xml',
owner = 'ranger',
group = 'ranger',
conf_dir = '/usr/hdp/current/ranger-admin/conf',
- configurations = self.getConfig()['configurations']['ranger-admin-site'],
+ configurations = ranger_admin_site_copy,
configuration_attributes = self.getConfig()['configuration_attributes']['ranger-admin-site'],
mode = 0644
)
http://git-wip-us.apache.org/repos/asf/ambari/blob/c395f694/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_usersync.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_usersync.py b/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_usersync.py
index 22e84fc..3f0d21b 100644
--- a/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_usersync.py
+++ b/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_usersync.py
@@ -132,11 +132,17 @@ class TestRangerUsersync(RMFTestCase):
mode = 0644
)
+ ranger_ugsync_site_copy = {}
+ ranger_ugsync_site_copy.update(self.getConfig()['configurations']['ranger-ugsync-site'])
+ for prop in ['ranger.usersync.ldap.ldapbindpassword']:
+ if prop in ranger_ugsync_site_copy:
+ ranger_ugsync_site_copy[prop] = "_"
+
self.assertResourceCalled('XmlConfig', 'ranger-ugsync-site.xml',
owner = 'ranger',
group = 'ranger',
conf_dir = '/usr/hdp/current/ranger-usersync/conf',
- configurations = self.getConfig()['configurations']['ranger-ugsync-site'],
+ configurations = ranger_ugsync_site_copy,
configuration_attributes = self.getConfig()['configuration_attributes']['ranger-ugsync-site'],
mode = 0644
)
http://git-wip-us.apache.org/repos/asf/ambari/blob/c395f694/ambari-server/src/test/python/stacks/2.5/RANGER_KMS/test_kms_server.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.5/RANGER_KMS/test_kms_server.py b/ambari-server/src/test/python/stacks/2.5/RANGER_KMS/test_kms_server.py
index 57f9f34..c2fc270 100644
--- a/ambari-server/src/test/python/stacks/2.5/RANGER_KMS/test_kms_server.py
+++ b/ambari-server/src/test/python/stacks/2.5/RANGER_KMS/test_kms_server.py
@@ -93,12 +93,18 @@ class TestRangerKMS(RMFTestCase):
mode = 0644
)
+ plugin_audit_properties_copy = {}
+ plugin_audit_properties_copy.update(self.getConfig()['configurations']['ranger-kms-audit'])
+
+ if 'xasecure.audit.destination.db.password' in plugin_audit_properties_copy:
+ plugin_audit_properties_copy['xasecure.audit.destination.db.password'] = "crypted"
+
self.assertResourceCalled('XmlConfig', 'ranger-kms-audit.xml',
mode = 0744,
owner = 'kms',
group = 'kms',
conf_dir = '/usr/hdp/current/ranger-kms/conf',
- configurations = self.getConfig()['configurations']['ranger-kms-audit'],
+ configurations = plugin_audit_properties_copy,
configuration_attributes = self.getConfig()['configuration_attributes']['ranger-kms-audit']
)
@@ -111,12 +117,19 @@ class TestRangerKMS(RMFTestCase):
configuration_attributes = self.getConfig()['configuration_attributes']['ranger-kms-security']
)
+ ranger_kms_policymgr_ssl_copy = {}
+ ranger_kms_policymgr_ssl_copy.update(self.getConfig()['configurations']['ranger-kms-policymgr-ssl'])
+
+ for prop in ['xasecure.policymgr.clientssl.keystore.password', 'xasecure.policymgr.clientssl.truststore.password']:
+ if prop in ranger_kms_policymgr_ssl_copy:
+ ranger_kms_policymgr_ssl_copy[prop] = "crypted"
+
self.assertResourceCalled('XmlConfig', 'ranger-policymgr-ssl.xml',
mode = 0744,
owner = 'kms',
group = 'kms',
conf_dir = '/usr/hdp/current/ranger-kms/conf',
- configurations = self.getConfig()['configurations']['ranger-kms-policymgr-ssl'],
+ configurations = ranger_kms_policymgr_ssl_copy,
configuration_attributes = self.getConfig()['configuration_attributes']['ranger-kms-policymgr-ssl']
)
@@ -349,12 +362,18 @@ class TestRangerKMS(RMFTestCase):
mode = 0640
)
+ dbks_site_copy = {}
+ dbks_site_copy.update(self.getConfig()['configurations']['dbks-site'])
+ for prop in ['ranger.db.encrypt.key.password', 'ranger.ks.jpa.jdbc.password', 'ranger.ks.hsm.partition.password']:
+ if prop in dbks_site_copy:
+ dbks_site_copy[prop] = "_"
+
self.assertResourceCalled('XmlConfig', 'dbks-site.xml',
mode=0644,
owner = 'kms',
group = 'kms',
conf_dir = '/usr/hdp/current/ranger-kms/conf',
- configurations = self.getConfig()['configurations']['dbks-site'],
+ configurations = dbks_site_copy,
configuration_attributes = self.getConfig()['configuration_attributes']['dbks-site']
)
@@ -442,12 +461,18 @@ class TestRangerKMS(RMFTestCase):
mode = 0644
)
+ plugin_audit_properties_copy = {}
+ plugin_audit_properties_copy.update(self.getConfig()['configurations']['ranger-kms-audit'])
+
+ if 'xasecure.audit.destination.db.password' in plugin_audit_properties_copy:
+ plugin_audit_properties_copy['xasecure.audit.destination.db.password'] = "crypted"
+
self.assertResourceCalled('XmlConfig', 'ranger-kms-audit.xml',
mode = 0744,
owner = 'kms',
group = 'kms',
conf_dir = '/usr/hdp/current/ranger-kms/conf',
- configurations = self.getConfig()['configurations']['ranger-kms-audit'],
+ configurations = plugin_audit_properties_copy,
configuration_attributes = self.getConfig()['configuration_attributes']['ranger-kms-audit']
)
@@ -460,12 +485,19 @@ class TestRangerKMS(RMFTestCase):
configuration_attributes = self.getConfig()['configuration_attributes']['ranger-kms-security']
)
+ ranger_kms_policymgr_ssl_copy = {}
+ ranger_kms_policymgr_ssl_copy.update(self.getConfig()['configurations']['ranger-kms-policymgr-ssl'])
+
+ for prop in ['xasecure.policymgr.clientssl.keystore.password', 'xasecure.policymgr.clientssl.truststore.password']:
+ if prop in ranger_kms_policymgr_ssl_copy:
+ ranger_kms_policymgr_ssl_copy[prop] = "crypted"
+
self.assertResourceCalled('XmlConfig', 'ranger-policymgr-ssl.xml',
mode = 0744,
owner = 'kms',
group = 'kms',
conf_dir = '/usr/hdp/current/ranger-kms/conf',
- configurations = self.getConfig()['configurations']['ranger-kms-policymgr-ssl'],
+ configurations = ranger_kms_policymgr_ssl_copy,
configuration_attributes = self.getConfig()['configuration_attributes']['ranger-kms-policymgr-ssl']
)
@@ -681,12 +713,18 @@ class TestRangerKMS(RMFTestCase):
mode = 0640
)
+ dbks_site_copy = {}
+ dbks_site_copy.update(self.getConfig()['configurations']['dbks-site'])
+ for prop in ['ranger.db.encrypt.key.password', 'ranger.ks.jpa.jdbc.password', 'ranger.ks.hsm.partition.password']:
+ if prop in dbks_site_copy:
+ dbks_site_copy[prop] = "_"
+
self.assertResourceCalled('XmlConfig', 'dbks-site.xml',
mode=0644,
owner = 'kms',
group = 'kms',
conf_dir = '/usr/hdp/current/ranger-kms/conf',
- configurations = self.getConfig()['configurations']['dbks-site'],
+ configurations = dbks_site_copy,
configuration_attributes = self.getConfig()['configuration_attributes']['dbks-site']
)
http://git-wip-us.apache.org/repos/asf/ambari/blob/c395f694/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_admin.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_admin.py b/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_admin.py
index fb1dd0e..ea3829e 100644
--- a/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_admin.py
+++ b/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_admin.py
@@ -336,11 +336,17 @@ class TestRangerAdmin(RMFTestCase):
sudo = True
)
+ ranger_admin_site_copy = {}
+ ranger_admin_site_copy.update(self.getConfig()['configurations']['ranger-admin-site'])
+ for prop in ['ranger.jpa.jdbc.password', 'ranger.jpa.audit.jdbc.password', 'ranger.ldap.bind.password', 'ranger.ldap.ad.bind.password', 'ranger.service.https.attrib.keystore.pass', 'ranger.truststore.password']:
+ if prop in ranger_admin_site_copy:
+ ranger_admin_site_copy[prop] = "_"
+
self.assertResourceCalled('XmlConfig', 'ranger-admin-site.xml',
owner = 'ranger',
group = 'ranger',
conf_dir = '/usr/hdp/current/ranger-admin/conf',
- configurations = self.getConfig()['configurations']['ranger-admin-site'],
+ configurations = ranger_admin_site_copy,
configuration_attributes = self.getConfig()['configuration_attributes']['ranger-admin-site'],
mode = 0644
)
@@ -370,6 +376,18 @@ class TestRangerAdmin(RMFTestCase):
mode = 0640
)
+ self.assertResourceCalled('Execute', ('/usr/jdk64/jdk1.7.0_45/bin/java', '-cp', '/usr/hdp/current/ranger-admin/cred/lib/*', 'org.apache.ranger.credentialapi.buildks', 'create', 'trustStoreAlias', '-value', 'changeit', '-provider', 'jceks://file/etc/ranger/admin/rangeradmin.jceks'),
+ environment = {'JAVA_HOME': u'/usr/jdk64/jdk1.7.0_45'},
+ logoutput=True,
+ sudo = True
+ )
+
+ self.assertResourceCalled('File', '/etc/ranger/admin/rangeradmin.jceks',
+ owner = 'ranger',
+ group = 'ranger',
+ mode = 0640
+ )
+
self.assertResourceCalled('XmlConfig', 'core-site.xml',
owner = 'ranger',
group = 'ranger',
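Review bot: The new Execute assertion at L609 pins an invocation that passes the truststore password (`'-value', 'changeit'`) as a command-line argument with `logoutput=True`, so the test now documents that the secret is visible in the process argument list during store creation and may appear in captured output if buildks echoes its arguments. That is the production behaviour the test mirrors rather than a defect in the test itself, but a comment on the assertion would stop a reader from taking this test as evidence that the password never leaves the credential store, e.g. `# NOTE: buildks receives the password as an argv element; exposure window is the lifetime of this process`. The same assertion is repeated at L645 in the later hunk. The enclosing test method starts outside this hunk.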
@@ -496,11 +514,17 @@ class TestRangerAdmin(RMFTestCase):
sudo = True
)
+ ranger_admin_site_copy = {}
+ ranger_admin_site_copy.update(self.getConfig()['configurations']['ranger-admin-site'])
+ for prop in ['ranger.jpa.jdbc.password', 'ranger.jpa.audit.jdbc.password', 'ranger.ldap.bind.password', 'ranger.ldap.ad.bind.password', 'ranger.service.https.attrib.keystore.pass', 'ranger.truststore.password']:
+ if prop in ranger_admin_site_copy:
+ ranger_admin_site_copy[prop] = "_"
+
self.assertResourceCalled('XmlConfig', 'ranger-admin-site.xml',
owner = 'ranger',
group = 'ranger',
conf_dir = '/usr/hdp/current/ranger-admin/conf',
- configurations = self.getConfig()['configurations']['ranger-admin-site'],
+ configurations = ranger_admin_site_copy,
configuration_attributes = self.getConfig()['configuration_attributes']['ranger-admin-site'],
mode = 0644
)
@@ -530,6 +554,18 @@ class TestRangerAdmin(RMFTestCase):
mode = 0640
)
+ self.assertResourceCalled('Execute', ('/usr/jdk64/jdk1.7.0_45/bin/java', '-cp', '/usr/hdp/current/ranger-admin/cred/lib/*', 'org.apache.ranger.credentialapi.buildks', 'create', 'trustStoreAlias', '-value', 'changeit', '-provider', 'jceks://file/etc/ranger/admin/rangeradmin.jceks'),
+ environment = {'JAVA_HOME': u'/usr/jdk64/jdk1.7.0_45'},
+ logoutput=True,
+ sudo = True
+ )
+
+ self.assertResourceCalled('File', '/etc/ranger/admin/rangeradmin.jceks',
+ owner = 'ranger',
+ group = 'ranger',
+ mode = 0640
+ )
+
self.assertResourceCalled('XmlConfig', 'core-site.xml',
owner = 'ranger',
group = 'ranger',
http://git-wip-us.apache.org/repos/asf/ambari/blob/c395f694/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_tagsync.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_tagsync.py b/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_tagsync.py
index bf5128e..0642428 100644
--- a/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_tagsync.py
+++ b/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_tagsync.py
@@ -143,11 +143,18 @@ class TestRangerTagsync(RMFTestCase):
cd_access = 'a',
)
+ ranger_tagsync_policymgr_ssl_copy = {}
+ ranger_tagsync_policymgr_ssl_copy.update(self.getConfig()['configurations']['ranger-tagsync-policymgr-ssl'])
+ ranger_tagsync_password_properties = ['xasecure.policymgr.clientssl.keystore.password', 'xasecure.policymgr.clientssl.truststore.password']
+ for prop in ranger_tagsync_password_properties:
+ if prop in ranger_tagsync_policymgr_ssl_copy:
+ ranger_tagsync_policymgr_ssl_copy[prop] = "_"
+
self.assertResourceCalled('XmlConfig', 'ranger-policymgr-ssl.xml',
owner = 'ranger',
group = 'ranger',
conf_dir = '/usr/hdp/current/ranger-tagsync/conf',
- configurations = self.getConfig()['configurations']['ranger-tagsync-policymgr-ssl'],
+ configurations = ranger_tagsync_policymgr_ssl_copy,
configuration_attributes = self.getConfig()['configuration_attributes']['ranger-tagsync-policymgr-ssl'],
mode = 0644,
)
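Review bot: `ranger_tagsync_password_properties` is bound as a local at L671 but reused at L690 in the next hunk; if that line belongs to a different test method than this one (the method boundaries are outside both hunks) the name is unbound there and the test fails with NameError before reaching the assertion. Hoisting it to a class attribute, `RANGER_TAGSYNC_PASSWORD_PROPERTIES = ['xasecure.policymgr.clientssl.keystore.password', 'xasecure.policymgr.clientssl.truststore.password']`, and referencing it via `self.` removes the dependency on method layout either way. The enclosing test method starts outside this hunk.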
@@ -188,17 +195,21 @@ class TestRangerTagsync(RMFTestCase):
mode = 0640,
)
+ atlas_tagsync_ssl_copy = {}
+ atlas_tagsync_ssl_copy.update(self.getConfig()['configurations']['atlas-tagsync-ssl'])
+ for prop in ranger_tagsync_password_properties:
+ if prop in atlas_tagsync_ssl_copy:
+ atlas_tagsync_ssl_copy[prop] = "_"
+
self.assertResourceCalled('XmlConfig', 'atlas-tagsync-ssl.xml',
group = 'ranger',
conf_dir = '/usr/hdp/current/ranger-tagsync/conf',
mode = 0644,
configuration_attributes = UnknownConfigurationMock(),
owner = 'ranger',
- configurations = self.getConfig()['configurations']['atlas-tagsync-ssl']
+ configurations = atlas_tagsync_ssl_copy
)
-
-
self.assertResourceCalled('Execute', (u'/usr/jdk64/jdk1.7.0_45/bin/java',
'-cp',
u'/usr/hdp/current/ranger-tagsync/lib/*',
http://git-wip-us.apache.org/repos/asf/ambari/blob/c395f694/ambari-server/src/test/python/stacks/2.6/configs/ranger-admin-default.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.6/configs/ranger-admin-default.json b/ambari-server/src/test/python/stacks/2.6/configs/ranger-admin-default.json
index 2c4815b..abe84ab 100644
--- a/ambari-server/src/test/python/stacks/2.6/configs/ranger-admin-default.json
+++ b/ambari-server/src/test/python/stacks/2.6/configs/ranger-admin-default.json
@@ -326,7 +326,8 @@
"ranger.service.http.port": "6080",
"ranger.ldap.user.searchfilter": "(uid={0})",
"ranger.plugins.atlas.serviceuser": "atlas",
- "ranger.truststore.password": "changeit",
+ "ranger.truststore.password": "changeit",
+ "ranger.truststore.alias": "trustStoreAlias",
"ranger.ldap.bind.password": "{{ranger_usersync_ldap_ldapbindpassword}}",
"ranger.audit.solr.password": "NONE",
"ranger.audit.solr.zookeepers": "c6401.ambari.apache.org:2181/infra-solr",
@@ -364,7 +365,8 @@
"ranger.admin.kerberos.keytab": "",
"ranger.admin.kerberos.token.valid.seconds": "30",
"ranger.jpa.jdbc.driver": "com.mysql.jdbc.Driver",
- "ranger.unixauth.service.port": "5151"
+ "ranger.unixauth.service.port": "5151",
+ "ranger.service.https.attrib.keystore.credential.alias": "keyStoreCredentialAlias"
},
"ranger-hdfs-policymgr-ssl": {
"xasecure.policymgr.clientssl.keystore": "/usr/hdp/current/hadoop-client/conf/ranger-plugin-keystore.jks",