Posted to commits@ranger.apache.org by bo...@apache.org on 2014/10/01 08:40:33 UTC
svn commit: r1628612 [3/6] - in /incubator/argus/site/trunk: ./ arguslogo/
css/ images/ images/logos/ images/profiles/ img/ js/
Added: incubator/argus/site/trunk/ch_XA-install.html
URL: http://svn.apache.org/viewvc/incubator/argus/site/trunk/ch_XA-install.html?rev=1628612&view=auto
==============================================================================
--- incubator/argus/site/trunk/ch_XA-install.html (added)
+++ incubator/argus/site/trunk/ch_XA-install.html Wed Oct 1 06:40:31 2014
@@ -0,0 +1,1043 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia
+ | Rendered using Apache Maven Fluido Skin 1.3.1
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+ <head>
+ <meta charset="UTF-8" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+ <meta name="Date-Revision-yyyymmdd" content="20140930" />
+ <meta http-equiv="Content-Language" content="en" />
+ <title>Apache Argus - </title>
+ <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.1.min.css" />
+ <link rel="stylesheet" href="./css/site.css" />
+ <link rel="stylesheet" href="./css/print.css" media="print" />
+
+
+ <script type="text/javascript" src="./js/apache-maven-fluido-1.3.1.min.js"></script>
+
+
+ </head>
+ <body class="topBarDisabled">
+
+
+
+
+ <div class="container-fluid">
+ <div id="banner">
+ <div class="pull-left">
+ <a href="./" id="bannerLeft">
+ <img src="arguslogo/slide1.png" alt="Argus logo" width="400px" height="200px"/>
+ </a>
+ </div>
+ <div class="pull-right"> <div id="bannerRight">
+ <img src="" />
+ </div>
+ </div>
+ <div class="clear"><hr/></div>
+ </div>
+
+ <div id="breadcrumbs">
+ <ul class="breadcrumb">
+
+
+ <li id="publishDate">Last Published: 2014-09-30
+ <span class="divider">|</span>
+ </li>
+ <li id="projectVersion">Version: 0.4
+ </li>
+
+
+
+
+ </ul>
+ </div>
+
+
+ <div class="row-fluid">
+ <div id="leftColumn" class="span3">
+ <div class="well sidebar-nav">
+
+
+ <ul class="nav nav-list">
+ <li class="nav-header">Overview</li>
+
+ <li>
+
+ <a href="index.html" title="Introduction">
+ <i class="none"></i>
+ Introduction</a>
+ </li>
+
+ <li>
+
+ <a href="faq.html" title="FAQ">
+ <i class="none"></i>
+ FAQ</a>
+ </li>
+ <li class="nav-header">Resources</li>
+
+ <li>
+
+ <a href="wiki.html" title="Wiki">
+ <i class="none"></i>
+ Wiki</a>
+ </li>
+
+ <li>
+
+ <a href="http://www.apache.org/licenses/" class="externalLink" title="License">
+ <i class="none"></i>
+ License</a>
+ </li>
+ <li class="nav-header">Project Information</li>
+
+ <li>
+
+ <a href="project-summary.html" title="Project Summary">
+ <i class="none"></i>
+ Project Summary</a>
+ </li>
+
+ <li>
+
+ <a href="mail-lists.html" title="Mailing Lists">
+ <i class="none"></i>
+ Mailing Lists</a>
+ </li>
+
+ <li>
+
+ <a href="team-list.html" title="Team">
+ <i class="none"></i>
+ Team</a>
+ </li>
+ </ul>
+
+
+
+ <hr />
+
+ <div id="poweredBy">
+ <div class="clear"></div>
+
+
+
+
+ <iframe src="http://www.facebook.com/plugins/like.php?href=http://argus.incubator.apache.org/&send=false&layout=box_count&show-faces=false&action=like&colorscheme=light"
+ scrolling="no" frameborder="0"
+ style="border:none; width:48px; height:63px; margin-top: 10px;" ></iframe>
+ <div class="clear"></div>
+
+
+
+ <div id="twitter">
+
+ <a href="https://twitter.com/apacheargus" class="twitter-follow-button" data-show-count="true" data-align="left" data-size="medium" data-show-screen-name="true" data-lang="en">Follow apacheargus</a>
+ <script type="text/javascript">!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="//platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");</script>
+
+ </div>
+ <div class="clear"></div>
+ <div class="clear"></div>
+ <a href="http://maven.apache.org/" title="Maven" class="builtBy">
+ <img class="builtBy" alt="Maven" src="http://maven.apache.org/images/logos/maven-feather.png" />
+ </a>
+ </div>
+ </div>
+ </div>
+
+
+ <div id="bodyColumn" class="span9" >
+
+
+ Install the Argus
+ Administration Server
+ <p>Install the Argus
+ Administration on a Linux Server with at
+ least 2 GB memory available for the Argus
+ Administration web application. You can
+ install the Argus
+ Administration on a shared web application
+ host. When in a test environment, you can also install the
+ server on a node within the Hadoop cluster, such as the
+ NameNode. </p>
+
+ Configure SSL after deploying the server and agents
+ using the instructions in <link xlink:href="http://dev.hortonworks.com.s3.amazonaws.com/HDPDocuments/HDP2/HDP-2-trunk/bk_HDPSecure_Admin/content/ch_ssl_setup-server.html">Configure SSL for Web UI and Server/Agent
+ Communications</link>.
+
+
+<div class="section">
+<h2><a name="null"></a></h2>
+
+
+ Before installing, ensure that you have met the
+ following prerequisites::
+
+
+ Hardware meets the minimum requirements, see
+ <link linkend="ch_XA-install-sysreq">System
+ Requirements</link>
+
+
+ Oracle Java JDK 7 is installed, see <link linkend="ch_XA-install-softreq">Software
+ Requirements</link>
+
+
+ MySQL Server and the root
+ account credentials (that is the ‘root’@’%’ user
+ id and password), see <link linkend="ch_XA-install-dbreq">Database
+ Requirements</link>
+
+
+ Root access to the hosts where you will be
+ installing Argus
+ Administration and/or the
+ agents
+
+
+ Download the JBDC driver for MySQL
+
+
+
+<div class="section">
+<h2><a name="null"></a></h2>
+
+ Install the Argus
+ Administration server on a Linux
+ Server that has the following:
+
+
+ Linux Host with at least 2 GB memory
+ available for Argus
+ Administration Web
+ application
+
+
+ Operating System: CentOS/RedHat, Ubuntu, or
+ SuSe
+
+
+ 2 GB of memory
+
+
+ 10 GB disk space for HDP
+ Security Administration
+ logs
+
+
+ Hadoop cluster (HDP) 2.1 or higher
+
+
+
+ You can use a shared host for the
+ Argus
+ Administration server.
+
+ </div>
+
+<div class="section">
+<h2><a name="null"></a></h2>
+
+ The Argus
+ Administration server requires:
+
+ MySQL Server (hosted on the same system)
+ or MySQL Client installed on the
+ Argus
+ Administration
+ host.
+
+
+ Oracle Java JDK version 7.x
+
+
+ MySQL connector (JDBC driver)
+
+
+ The Security Agents require:
+
+ MySQL connector (JDBC driver)
+
+
+ </div>
+
+<div class="section">
+<h2><a name="null"></a></h2>
+
+ The Argus
+ Administration supports MySQL Server
+ to store Policy, Auditing, and User data.
+ Installing Argus
+ Administration requires the MySQL
+ server hostname and root account credentials. The
+ Argus
+ Administration installation script
+ creates the database and the db user automatically
+ using the information you specify in the properties
+ file.
+ After the installation of Argus
+ Administration server, the MySQL
+ database administrator must grant permission to the
+ database user to access and write remotely from the
+ NameNode, HiveServer2, and HBase Regional Servers
+ hosts.
+ <!-- <para>To install MySQL Server on
+ CentOS/Redhat:<programlisting>yum install mysql-server</programlisting></para>
+ <para>To install MySQL Client on
+ CentOS/Redhat:<programlisting>yum install mysql-client</programlisting></para> -->
+ </div>
+ </div>
+
+<div class="section">
+<h2><a name="null"></a></h2>
+
+ During the installation process, you will set up the
+ authentication method for to the Argus
+ Administration Web UI. The Web UI supports the following
+ authentication methods:
+
+ Local Argus
+ Administration Web UI user
+ database: Users and their
+ credentials are stored in the Argus
+ Administration database, and managed manually
+ in the interface.
+
+
+ External
+ LDAP (supported services are
+ OpenLDAP or AD): Users authenticate against an
+ external LDAP service and their permission is
+ determined by their group membership. Requires
+ configuration during installation of the HDP
+ Security Administration tools.
+
+
+ External Unix
+ Server: Users authenticate
+ against an external Unix system using their
+ credentials for that remote Unix system.
+ Typically this is a server within the Hadoop
+ cluster. This also requires configuration
+ during both the installation of the HDP
+ Security Administration tools and the
+ installation of the Users and Groups
+ Synchronizer Agent on the remote Unix
+ System.
+
+
+ </div>
+
+<div class="section">
+<h2><a name="null"></a></h2>
+
+
+ Install the Argus
+ Administration server on a Linux host
+ with at least 2 GB memory available for the Web
+ application and at least 10 GB of diskspace for
+ Argus Administration
+ logs.
+
+ You can install the Argus
+ Administration on a shared web
+ application host. Before installing ensure that the
+ following prerequisites have been met, see <link linkend="ch_XA-install-prereq">Prerequisites</link>.
+
+
+<div class="section">
+<h2><a name="null"></a></h2>
+
+ Perform the following steps on the HDP
+ Security Administration host.
+
+ Log on to the host as
+ root.
+
+
+ Copy the installation file and extract
+ as follows:
+
+ Create a temporary directory,
+ such as
+ /tmp/xasecure:mkdir /tmp/xasecure
+
+
+ Move the installation package
+ to the temporary directory.
+
+
+ Move the MySQL Connector Jar
+ file to the temporary directory.
+ Download the JAR from <link xlink:href="http://www.mysql.com/products/connector/" xlink:show="new">here</link>.
+
+
+ Extract the
+ contents:tar xvf $xasecureinstallation.tar
+
+
+ Go to the directory where you
+ extracted the installation
+ files:cd /tmp/xasecure/xasecure-$name-$build-version
+
+
+
+
+ Open the
+ install.properties
+ file for editing.
+
+
+ Define the parameters for the MySQL
+ database setup:
+
+<table border="0" class="table table-striped" frame="all">
+
+
+
+
+
+ <thead>
+
+ Parameter
+ Value
+ Description
+
+ </thead>
+ <tbody>
+
+ MYSQL_BIN
+ mysql
+ Specify the command to
+ invoke MySQL. For example,
+ mysql. This
+ command is used by the script to
+ invoke MySQL and connect to the
+ database server.
+
+
+ MYSQL_CONNECTOR_JAR
+ $path-to-mysql-connector
+ Specify the absolute path on
+ the local host to the JDBC driver
+ for MySQL including filename.
+ Download the JAR from <link xlink:href="http://www.mysql.com/products/connector/" xlink:show="new">here</link>.
+ For example,
+ /tmp/xasecure/mysql-connector-java.jar
+
+
+ db_root_password
+ $root-password
+ The password for the root
+ MySQL account. Used by the
+ installation script to create the
+ HDP SA database and database
+ user.
+
+
+ db_host
+ $mysql-host
+ Host name of the system
+ running MySQL server.
+
+
+ db_user
+ $xadbuser
+ Specify a name for the user
+ account that the installer creates
+ and is then used to write to the
+ database.
+
+
+ db_name
+ $dbname
+ Specify a name for the
+ database that Installer creates
+ during installation.
+
+
+ db_password
+ $dbpassword
+ Specify a password for the
+ $xadbuser
+ account created by the installer
+ during installation.
+
+
+ audit_db_name
+ $auditdb
+ Specify a name for the audit
+ database created by the installer
+ during installation.
+
+
+ audit_db_user
+ $auditdbuser
+ Specify a name for the audit
+ database account created by the
+ installer during
+ installation.
+
+
+ audit_db_password
+ $auditdbupw
+ Specify the password for the
+ audit database account that the
+ installer sets during
+ installation.
+
+ </tbody>
+
+ </table>
+ During installation, the script logs
+ into the database, creates the HDP
+ Security database named in the properties
+ file, adds the user specified, and loads
+ the MySQL tables.
+
+ DO NOT create the Argus
+ database beforehand. If the database
+ you specify already exists the HDP
+ Security Administration tables are not
+ added.
+
+
+
+ Define the Argus Administration
+ Server URL, which is used Security Agents
+ and users accessing the interface for
+ Policies and Auditing:
+<table border="0" class="table table-striped" frame="all">
+
+
+
+
+
+ <thead>
+
+ Parameter
+ Value
+ Description
+
+ </thead>
+ <tbody>
+
+ policymgr_external_url
+ $url
+ Specify the full URL to
+ access the HDP
+ Security
+ Administration Web
+ UI. For example,
+ http://pm-host:6080.
+
+
+ policymgr_http_enabled
+ $true-or-false
+ Specify
+ true to allow
+ access to the HDP
+ Security
+ Administration
+ Interface on HTTP or specify
+ false to only
+ allow HTTPS access to the
+ interface.
+
+ </tbody>
+
+ </table>
+
+
+ In the JAVA_HOME
+ parameter specify the path to the
+ directory that contains the Java bin, for
+ example:#------------------------- JAVA CONFIG - BEGIN ----------------------------------
+
+#
+# Java Home path
+#
+JAVA_HOME='/usr/lib/jvm/jre-1.7.0-openjdk.x86_64'
+
+#------------------------- JAVA CONFIG - END ----------------------------------
+
+
+
+ Use the following parameters and values
+ in all configurations:
+<table border="0" class="table table-striped" frame="all">
+
+
+
+
+
+ <thead>
+
+ Parameter
+ Value
+ Description
+
+ </thead>
+ <tbody>
+
+ unix_user
+ xasecure
+ Parameter and value required
+ in all configurations.
+
+
+ unix_group
+ xasecure
+ Parameter and value required
+ in all configurations.
+
+ </tbody>
+
+ </table>
+
+
+ Use one of the following sets of
+ parameters to define the Authentication
+ for the Argus Administration Web UI:
+
+ Web UI administrators that
+ are manually defined in the HDP
+ Security Administration Web
+ UI:
+
+<table border="0" class="table table-striped" frame="all">
+
+
+
+
+
+ <thead>
+
+ Parameter
+ Value
+ Description
+
+ </thead>
+ <tbody>
+
+ remoteLoginEnabled
+ false
+ Specify
+ false to manage
+ users in the Argus
+ Administration Web UI.
+
+ </tbody>
+
+ </table>
+
+
+ Web UI administrators
+ authenticated against an external
+ Unix Server:
+
+<table border="0" class="table table-striped" frame="all">
+
+
+
+
+
+ <thead>
+
+ Parameter
+ Value
+ Description
+
+ </thead>
+ <tbody>
+
+ authentication_method
+ UNIX
+ Specify
+ UNIX to allow
+ users to sign in to the HDP
+ Security Administration Web UI
+ using their credentials from an
+ external Unix Server.
+
+
+ remoteLoginEnabled
+ true
+ Specify
+ true to enabled
+ remote login.
+
+
+ authServiceHostName
+ $usersync-hostname
+ Specify the remote Unix host name
+ Requires installation of the
+ UX-UserGroup Synchronizer.
+
+
+
+ authServicePort
+ $port
+ Listening port of the Unix
+ host where the UX-UserGroup
+ Synchronizer will be installed, the
+ default port is
+ 5151.
+
+ </tbody>
+
+ </table>
+
+ Requires installation of the
+ User and Group Synchronizer Agent
+ on the remote Unix Server.
+
+ The following is an example
+ allowing HDP Sandbox users to
+ access Argus Administration
+ Web UI:
+ # ------- UNIX User CONFIG ----------------
+#
+unix_user=xasecure
+unix_group=xasecure
+
+#
+# ------- UNIX User CONFIG - END ----------------
+#
+
+#
+# UNIX authentication service for Policy Manager
+#
+# PolicyManager can authenticate using UNIX username/password
+# The UNIX server specified here as authServiceHostName needs to be installed with xasecure-unix-ugsync package.
+# Once the service is installed on authServiceHostName, the UNIX username/password from the host <authServiceHostName> can be used to login into policy manager
+#
+# ** The installation of xasecure-unix-ugsync package can be installed after the policymanager installation is finished.
+#
+#LDAP|ACTIVE_DIRECTORY|UNIX|NONE
+authentication_method=UNIX
+remoteLoginEnabled=true
+authServiceHostName=sandbox
+authServicePort=5151
+
+
+ Web UI administrators
+ authenticated against an external
+ LDAP (either OpenLDAP or Active
+ Directory service):
+
+<table border="0" class="table table-striped" frame="all">
+
+
+
+
+
+ <thead>
+
+ Parameter
+ Value
+ Description
+
+ </thead>
+ <tbody>
+
+ authentication_method
+ LDAP
+ Specify
+ LDAP to allow
+ users to sign in to the HDP
+ Security Administration Web UI
+ using their credentials from an
+ external LDAP service.
+
+
+ remoteLoginEnabled
+ true
+ Specify
+ true to enabled
+ remote login.
+
+
+ authServiceHostName
+ $usersync-hostname
+ Specify the LDAP service
+ host name or IP address.
+ Requires installation of the
+ UX-UserGroup Synchronizer.
+
+
+
+ authServicePort
+ $port
+ Listening port of the LDAP
+ service, default port is
+ 389.
+
+ </tbody>
+
+ </table>
+ The following is an example
+ of the configuration parameters for
+ OpenLDAP installed on HDP
+ Sandbox:# ------- UNIX User CONFIG ----------------
+#
+unix_user=xasecure
+unix_group=xasecure
+
+#
+# ------- UNIX User CONFIG - END ----------------
+#
+
+#
+# UNIX authentication service for Policy Manager
+#
+# PolicyManager can authenticate using UNIX username/password
+# The UNIX server specified here as authServiceHostName needs to be installed with xasecure-unix-ugsync package.
+# Once the service is installed on authServiceHostName, the UNIX username/password from the host <authServiceHostName> can be used to login into policy manager
+#
+# ** The installation of xasecure-unix-ugsync package can be installed after the policymanager installation is finished.
+#
+#LDAP|ACTIVE_DIRECTORY|UNIX|NONE
+authentication_method=LDAP
+remoteLoginEnabled=true
+authServiceHostName=sandbox
+authServicePort=389
+
+
+ <!-- <para>Saving TABLE FROM PRE-LDAP<table frame="all"><title>Argus Administration Server URL</title><tgroup cols="3"><colspec colname="c1" colnum="1" colwidth="1.0*"/><colspec colname="c2" colnum="2" colwidth="1.0*"/><colspec colname="c3" colnum="3" colwidth="1.0*"/><thead><row><entry>Parameter</entry><entry>Value</entry><entry>Description</entry></row></thead><tbody><row><entry><parameter>MYSQL_BIN</parameter></entry><entry>mysql</entry><entry>The command to invoke MySQL. For example, <literal>mysql</literal>.</entry></row><row><entry><parameter>MYSQL_CONNECTOR_JAR</parameter></entry><entry><replaceable>$path-to-mysql-connector</replaceable></entry><entry>Absolute path on the local host to the JDBC driver for mysql including filename.<footnote><para>Download the JAR from <link xlink:href="http://www.mysql.com/products/connector/" xlink:show="new">here</link>.</para></footnote> For example, <filename>/tmp/xasecure/mysql-connector-java.jar</filename></entry>
</row><row><entry><parameter>db_root_password</parameter></entry><entry><replaceable>$root-password</replaceable></entry><entry>The password for the root MySQL account. Used by the installation script to create the XASecure PM database and database user.</entry></row><row><entry><parameter>db_host</parameter></entry><entry><replaceable>$mysql-host</replaceable></entry><entry>Host name of the system running MySQL server.</entry></row><row><entry><parameter>db_user</parameter></entry><entry><replaceable>$xadbuser</replaceable></entry><entry>Specify a name for the user account that the installer creates and is then used to write to the database.</entry></row><row><entry><parameter>db_name</parameter></entry><entry><replaceable>$dbname</replaceable></entry><entry>Specify a name for the <productname>XASecure</productname> database that XASecure Installer creates during installation.</entry></row><row><entry><parameter>db_password</parameter></entry><entry><replaceable>$dbpassword</replac
eable></entry><entry>Specify a password for the <replaceable>$xadbuser</replaceable> account created by the XASecure installer during installation.</entry></row><row><entry><parameter>audit_db_name</parameter></entry><entry><replaceable>$auditdb</replaceable></entry><entry>Specify a name for the audit database created by the XASecure installer during installation.</entry></row><row><entry><parameter>audit_db_user</parameter></entry><entry><replaceable>$auditdbuser</replaceable></entry><entry>Specify a name for the audit database account created by the installer during installation.</entry></row><row><entry><parameter>audit_db_password</parameter></entry><entry><replaceable>$auditdbupw</replaceable></entry><entry>Specify the password for the audit database account that the installer sets during installation.</entry></row><row><entry><parameter>policymgr_external_url</parameter></entry><entry><replaceable>$url</replaceable></entry><entry>Specify the full URL to access the <productname
>Argus Administration</productname> Web UI. For example, <literal>http://pm-host:6080</literal>.</entry></row><row><entry><parameter>policymgr_http_enabled</parameter></entry><entry><replaceable>$true-or-false</replaceable></entry><entry>Specify <literal>true</literal> to allow access to the <productname>Argus Administration</productname> Interface on HTTP or specify <literal>false</literal> to only allow HTTPS access to the interface. </entry></row><row><entry><parameter>remoteLoginEnabled</parameter></entry><entry><replaceable>$true-or-false</replaceable></entry><entry>Specify <literal>true</literal> to allow users to sign in with their Unix<footnote><para>This requires installation of the User and Groups Synchronizer Agent.</para></footnote> or LDAP credentials. </entry></row><row><entry><parameter>authServiceHostName</parameter></entry><entry><replaceable>$usersync-hostname</replaceable></entry><entry>Specify the remote Unix host when <parameter>remoteLoginEnabled</parameter> is
set to true.<footnote><para>Requires installation of the UX-UserGroup Synchronizer.</para></footnote></entry></row><row><entry><parameter>authServicePort</parameter></entry><entry><replaceable>$port</replaceable></entry><entry>Listening port of the UX-UserGroup Synchronizer.</entry></row></tbody></tgroup></table></para> -->
+
+
+ Save the
+ install.properties
+ file.
+
+
+ The following example shows the HDP
+ Security Administration server
+ install.properties for a
+ system that does not allow remote login of Web UI
+ administrators:
+ #
+# This file provides list of deployment variables for the Policy Manager Web Application
+#
+#------------------------- MYSQL CONFIG - BEGIN ----------------------------------
+
+#
+# The executable path to be used to invoke command-line MYSQL
+#
+MYSQL_BIN='mysql'
+
+#
+# Location of mysql client library (please check the location of the jar file)
+#
+MYSQL_CONNECTOR_JAR=/usr/share/java/mysql-connector-java.jar
+
+#
+# MYSQL password for the MYSQL root user-id
+# **************************************************************************
+# ** If the password is left empty or not-defined here,
+# ** it will be prompted to enter the password during installation process
+# **************************************************************************
+#
+
+db_root_password=hadoop
+db_host=localhost
+
+#
+# MySQL UserId used for the XASecure schema
+#
+db_name=xasecure
+db_user=xaadmin
+db_password=hadoop
+
+#
+# MySQL UserId for storing auditlog infromation
+#
+# * audit_db can be same as the XASecure schema db
+# * audit_db must exists in the same ${db_host} as xaserver database ${db_name}
+# * audit_user must be a different user than db_user (as audit user has access to only audit tables)
+#
+audit_db_name=xasecure
+audit_db_user=xalogger
+audit_db_password=hadoop
+
+#------------------------- MYSQL CONFIG - END ----------------------------------
+
+#
+# ------- PolicyManager CONFIG ----------------
+#
+
+policymgr_external_url=http://localhost:6080
+policymgr_http_enabled=true
+
+#
+# ------- PolicyManager CONFIG - END ---------------
+#
+
+
+#
+# UNIX authentication service for Policy Manager
+#
+# PolicyManager can authenticate using UNIX username/password
+# The UNIX server specified here as authServiceHostName needs to be installed with xasecure-unix-ugsync package.
+# Once the service is installed on authServiceHostName, the UNIX username/password from the host <authServiceHostName> can be used to login into Policy Manager
+#
+# ** The installation of xasecure-unix-ugsync package can be installed after the policymanager installation is finished.
+#
+
+remoteLoginEnabled=false
+authServiceHostName=
+authServicePort=
+
+#
+# -----------------------------------------------------------
+#
+
+# ###### DO NOT MODIFY ANY VARIABLES BELOW #########################
+#
+# --- These deployment variables are not to be modified unless you understand the full impact of the changes
+#
+###################################################
+
+app_home=$PWD/app
+war_file=${PWD}/war/xa_portal.war
+TMPFILE=$PWD/.fi_tmp
+LOGFILE=$PWD/logfile
+LOGFILES="$LOGFILE"
+
+JAVA_BIN='java'
+JAVA_VERSION_REQUIRED='1.7'
+JAVA_ORACLE='Java(TM) SE Runtime Environment'
+
+db_create_user_file=${PWD}/db/create_dev_user.sql
+db_core_file=${PWD}/db/xa_core_db.sql
+db_assert_file=${PWD}/db/reset_asset.sql
+ </div>
+
+<div class="section">
+<h2><a name="null"></a></h2>
+
+ After configuring the
+ install.properties file,
+ install the Argus
+ Administration server as
+ root:
+
+ Log on to the Linux system as root and
+ go to the directory where you extracted
+ the Argus
+ Administration
+ installation
+ files:cd /tmp/xasecure/xasecure-policymgr-$build-version
+
+
+ Run the installation
+ script:# ./install.sh
+
+
+ Once the install.sh execution
+ is complete, the Argus
+ Administration Web UI is accessible.
+ Using a web browser, go to the HDP
+ Security Administration application
+ at
+ http://$policymgr_host:6080.
+ If this is the first installation, sign in with the
+ default account,
+ admin\admin.
+
+ Change the admin user account
+ password as soon as possible.
+
+ </div>
+ </div>
+
+<div class="section">
+<h2><a name="null"></a></h2>
+
+
+ The Argus
+ Administration Interface default port is
+ 6080.
+ To sign in and change the password:
+
+ Open a browser and type
+ http://policymgr-host:6080
+ in the address bar.
+ The log in screen displays.
+
+
+
+
+
+
+
+ Enter the default account credentials. In
+ the first field enter admin
+ and in the second field
+ admin.
+
+
+ Click Sign
+ In.
+ The Argus
+ Administration Web UI Home
+ page displays.
+
+
+ In the upper right corner, click
+ admin >
+ Profile.
+ The Basic Info tab displays.
+
+
+
+
+
+
+ Information on the admin profile cannot
+ be changed.
+
+
+
+ Go the Password
+ tab, type the old password and the new one to
+ change the password.
+
+
+
+
+
+
+
+ Click
+ Save.
+
+
+ Log out and then back in using the new password.
+ </div>
+
+ </div>
+ </div>
+ </div>
+
+ <hr/>
+
+ <footer>
+ <div class="container-fluid">
+ <div class="row-fluid">
+ <p >Copyright © 2014
+ <a href="http://www.apache.org/">Apache Software Foundation</a>.
+ All rights reserved.
+
+ </p>
+ </div>
+
+
+
+ </div>
+ </footer>
+ </body>
+</html>
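Review bot: The sample install.properties in this hunk keeps the MySQL root password in cleartext (`db_root_password=hadoop`, with `db_password` and `audit_db_password` set to the same value), in a directory the earlier steps extract under /tmp/xasecure, and nothing on the page tells the reader to protect or clean up that file. The sample's own comment says an empty `db_root_password` makes the installer prompt for it, so the example should leave it empty and use distinct placeholder passwords for the two database accounts, and the steps should say to restrict the file's permissions and remove the temporary directory after installation. Related: the full example sets `policymgr_http_enabled=true` with `policymgr_external_url=http://localhost:6080`, and the login steps use http://policymgr-host:6080, so the first sign-in with the default account and the password change both happen over HTTP while the SSL pointer at the top says to configure SSL after deployment; either move the SSL step ahead of first login or state the exposure in the login section. The default credentials are written `admin\admin`, which reads like a domain-qualified name; spell out the user name and the password separately. Markup: the DocBook `<link xlink:href=...>` and `<link linkend=...>` elements are emitted verbatim and will not render as anchors, every section heading is an empty `<h2><a name="null"></a></h2>` (no title, duplicate anchor name), the tables as committed have `<thead>` and `<tbody>` but no rows or cells, and the commented-out "Saving TABLE FROM PRE-LDAP" block should be dropped rather than published. The LDAP example still carries the "UNIX authentication service" comment block, product naming alternates between "Argus Administration" and "HDP Security Administration", and there are typos to fix: "JBDC", "authentication method for to the Argus", "true to enabled", "infromation".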
Added: incubator/argus/site/trunk/ch_XA-policies.html
URL: http://svn.apache.org/viewvc/incubator/argus/site/trunk/ch_XA-policies.html?rev=1628612&view=auto
==============================================================================
--- incubator/argus/site/trunk/ch_XA-policies.html (added)
+++ incubator/argus/site/trunk/ch_XA-policies.html Wed Oct 1 06:40:31 2014
@@ -0,0 +1,386 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia
+ | Rendered using Apache Maven Fluido Skin 1.3.1
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+ <head>
+ <meta charset="UTF-8" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+ <meta name="Date-Revision-yyyymmdd" content="20140930" />
+ <meta http-equiv="Content-Language" content="en" />
+ <title>Apache Argus - </title>
+ <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.1.min.css" />
+ <link rel="stylesheet" href="./css/site.css" />
+ <link rel="stylesheet" href="./css/print.css" media="print" />
+
+
+ <script type="text/javascript" src="./js/apache-maven-fluido-1.3.1.min.js"></script>
+
+
+ </head>
+ <body class="topBarDisabled">
+
+
+
+
+ <div class="container-fluid">
+ <div id="banner">
+ <div class="pull-left">
+ <a href="./" id="bannerLeft">
+ <img src="arguslogo/slide1.png" alt="Argus logo" width="400px" height="200px"/>
+ </a>
+ </div>
+ <div class="pull-right"> <div id="bannerRight">
+ <img src="" />
+ </div>
+ </div>
+ <div class="clear"><hr/></div>
+ </div>
+
+ <div id="breadcrumbs">
+ <ul class="breadcrumb">
+
+
+ <li id="publishDate">Last Published: 2014-09-30
+ <span class="divider">|</span>
+ </li>
+ <li id="projectVersion">Version: 0.4
+ </li>
+
+
+
+
+ </ul>
+ </div>
+
+
+ <div class="row-fluid">
+ <div id="leftColumn" class="span3">
+ <div class="well sidebar-nav">
+
+
+ <ul class="nav nav-list">
+ <li class="nav-header">Overview</li>
+
+ <li>
+
+ <a href="index.html" title="Introduction">
+ <i class="none"></i>
+ Introduction</a>
+ </li>
+
+ <li>
+
+ <a href="faq.html" title="FAQ">
+ <i class="none"></i>
+ FAQ</a>
+ </li>
+ <li class="nav-header">Resources</li>
+
+ <li>
+
+ <a href="wiki.html" title="Wiki">
+ <i class="none"></i>
+ Wiki</a>
+ </li>
+
+ <li>
+
+ <a href="http://www.apache.org/licenses/" class="externalLink" title="License">
+ <i class="none"></i>
+ License</a>
+ </li>
+ <li class="nav-header">Project Information</li>
+
+ <li>
+
+ <a href="project-summary.html" title="Project Summary">
+ <i class="none"></i>
+ Project Summary</a>
+ </li>
+
+ <li>
+
+ <a href="mail-lists.html" title="Mailing Lists">
+ <i class="none"></i>
+ Mailing Lists</a>
+ </li>
+
+ <li>
+
+ <a href="team-list.html" title="Team">
+ <i class="none"></i>
+ Team</a>
+ </li>
+ </ul>
+
+
+
+ <hr />
+
+ <div id="poweredBy">
+ <div class="clear"></div>
+
+
+
+
+ <iframe src="http://www.facebook.com/plugins/like.php?href=http://argus.incubator.apache.org/&send=false&layout=box_count&show-faces=false&action=like&colorscheme=light"
+ scrolling="no" frameborder="0"
+ style="border:none; width:48px; height:63px; margin-top: 10px;" ></iframe>
+ <div class="clear"></div>
+
+
+
+ <div id="twitter">
+
+ <a href="https://twitter.com/apacheargus" class="twitter-follow-button" data-show-count="true" data-align="left" data-size="medium" data-show-screen-name="true" data-lang="en">Follow apacheargus</a>
+ <script type="text/javascript">!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="//platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");</script>
+
+ </div>
+ <div class="clear"></div>
+ <div class="clear"></div>
+ <a href="http://maven.apache.org/" title="Maven" class="builtBy">
+ <img class="builtBy" alt="Maven" src="http://maven.apache.org/images/logos/maven-feather.png" />
+ </a>
+ </div>
+ </div>
+ </div>
+
+
+ <div id="bodyColumn" class="span9" >
+
+
+ Configure Policies
+ The Policy Manager is accessible from the main menu bar. The home page shows a list of
+ tools supported by Argus Administration server. Clicking a particular repository name
+ opens toward the Policy list for the repository.
+
+
+
+
+
+
+
+ <div class="section">
+<h2><a name="null"></a></h2>
+
+ Policies limit access to Hive and HBase repositories to White Listing users, that is
+ once a repository is created and the agent installed, only users who have been granted
+ permission can access the resources. The Security Agent intercepts requests to the
+ resource and checks the user against the policies of the repository and determines if
+ the user matches any rules that grant them access to the resource.
+ If no rules explicitly grant access, the following occurs:
+
+ HDFS: The request is passed through and
+ the user can access the resource if permitted to do so by the HDFS local
+ policies.
+
+
+ Hive and HBase : The request is
+ rejected.
+
+
+ </div>
+
+<div class="section">
+<h2><a name="null"></a></h2>
+
+ Policies define who can access which resources within a Repository. Policies can only
+ be written for known Users and Groups, that is users and groups that have already been
+ defined in the Argus Administration Web UI, either by the User and Groups
+ Synchronizer or manually entered.
+ To add a Policy:
+
+ Click Policy Manager > Repository
+ Name > Add New Policy.
+ The Create Policy page displays.
+
+
+ Complete the Policy Details:
+<table border="0" class="table table-striped" frame="all">
+
+
+
+
+ <thead>
+
+ Field
+ Description
+
+ </thead>
+ <tbody>
+
+ HDFS: Resource Path or
+ Hive/HBase Tables and Columns
+ For HDFS, enter a comma separated list of paths for
+ the policy. For example,
+ /apps/tez/qa,/apps/tez/production.
+ For Hive and HBase, start typing the table name and
+ select the tables you want to add. In the path, you can
+ use regular expression to match multiple directory (or
+ table/column/column family names), for example,
+ /apps/tez/qa* matches all
+ subdirectories of /apps/tez that
+ being with 'qa'.
+
+
+ Description
+ Enter text that describes the policy, only visible
+ from the Policy Manager UI.
+
+
+ Recursive
+ Select Yes to grant permission to all subdirectories
+ of the specified path.
+
+
+ Audit Logging
+ Select Yes to log activity to the directory to the
+ Audit and Reporting facility of the Argus
+ Administration tools.
+
+ </tbody>
+
+ </table>
+
+
+ Complete the User and Group Details:
+<table border="0" class="table table-striped" frame="all">
+
+
+
+
+ <thead>
+
+ Field
+ Description
+
+ </thead>
+ <tbody>
+
+ Group Permission
+ Click the + sign to select a group from the Users and
+ Groups list. If the group is not listed, it must be
+ added to the server that the User and Group Synchronizer
+ polls for accounts. If the user or group was recently
+ added, it will appear after the next
+ sync_interval.
+
+
+ User Permission
+ Click the + sign to select a user from the Users and
+ Groups list. If the user is not listed, it must be added
+ to the server that the User and Group Synchronizer polls
+ for accounts. If the user or group was recently added,
+ it will appear after the next
+ sync_interval.
+
+
+ Policy Status
+ Select Enabled to enforce the Policy, or Disabled to
+ keep a copy of the Policy without enforcing it.
+
+ </tbody>
+
+ </table>
+
+
+ Click Save.
+
+
+ </div>
+
+<div class="section">
+<h2><a name="null"></a></h2>
+
+ Removing a policy from the Web UI, removes the policy from both the Argus
+ Administration server and the corresponding agent on the Repository host.
+ To remove a Policy:
+
+ Click Policy Manager > Repository
+ Name .
+ The Policy list displays.
+
+
+ Click the trash icon at the end of the row.
+
+
+ The policy change synchronizes within a few seconds with the agent and is removed from
+ both the server and the agent.
+ </div>
+
+<div class="section">
+<h2><a name="null"></a></h2>
+
+ Disabling a policy in the Web UI, removes the policy from the corresponding agent on
+ the Repository host.
+ To remove a Policy:
+
+ Click Policy Manager > Repository
+ Name .
+ The Policy list displays.
+
+
+ Click the Edit icon near the end of the row.
+
+
+ Change the Policy Status to Disabled.
+
+
+ Click Save.
+
+
+ The policy change synchronizes within a few seconds with the agent and is removed from
+ both the server and the agent.
+ </div>
+
+<div class="section">
+<h2><a name="null"></a></h2>
+
+ You can disable only auditing (and leave the policy active). When auditing is
+ disabled, repository activity is no longer recorded by the Argus Administration
+ tools. Hadoop cluster logging still occurs and is available in the configuration
+ locations.
+ To disable auditing:
+
+ Click Policy Manager > Repository
+ Name .
+ The Policy list displays.
+
+
+ Click the Edit icon near the end of the row.
+
+
+ Change the Audit Logging to off.
+
+
+ Click Save.
+
+
+ The policy change synchronizes within a few seconds with the agent tops uploading
+ activity data to the server.
+ </div>
+
+ </div>
+ </div>
+ </div>
+
+ <hr/>
+
+ <footer>
+ <div class="container-fluid">
+ <div class="row-fluid">
+ <p >Copyright © 2014
+ <a href="http://www.apache.org/">Apache Software Foundation</a>.
+ All rights reserved.
+
+ </p>
+ </div>
+
+
+
+ </div>
+ </footer>
+ </body>
+</html>
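Review bot: In the section on disabling a policy, the steps are introduced with "To remove a Policy:" and close with "is removed from both the server and the agent", both carried over from the removal section above it. That contradicts the section's own opening sentence (disabling removes the policy from the agent only) and the Policy Status field description ("keep a copy of the Policy without enforcing it"), so an administrator cannot tell whether a disabled policy survives on the server. Suggest "To disable a Policy:" and a closing sentence saying the policy stays on the server and is no longer enforced by the agent. Other points in this hunk: every section heading is an empty "<h2><a name="null"></a></h2>", so the section titles are lost and the same anchor name repeats five times; the thead/tbody blocks of both tables hold bare text with no tr/th/td elements; the Resource Path description calls "/apps/tez/qa*" a regular expression while describing wildcard behaviour, and the difference changes what a policy matches, so the text should say which syntax is accepted; "being with 'qa'" and "agent tops uploading" should read "begin" and "stops".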
Added: incubator/argus/site/trunk/ch_XA-prereq.html
URL: http://svn.apache.org/viewvc/incubator/argus/site/trunk/ch_XA-prereq.html?rev=1628612&view=auto
==============================================================================
--- incubator/argus/site/trunk/ch_XA-prereq.html (added)
+++ incubator/argus/site/trunk/ch_XA-prereq.html Wed Oct 1 06:40:31 2014
@@ -0,0 +1,378 @@
+<!DOCTYPE html>
+<!--
+ | Generated by Apache Maven Doxia
+ | Rendered using Apache Maven Fluido Skin 1.3.1
+-->
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+ <head>
+ <meta charset="UTF-8" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+ <meta name="Date-Revision-yyyymmdd" content="20140930" />
+ <meta http-equiv="Content-Language" content="en" />
+ <title>Apache Argus - </title>
+ <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.1.min.css" />
+ <link rel="stylesheet" href="./css/site.css" />
+ <link rel="stylesheet" href="./css/print.css" media="print" />
+
+
+ <script type="text/javascript" src="./js/apache-maven-fluido-1.3.1.min.js"></script>
+
+
+ </head>
+ <body class="topBarDisabled">
+
+
+
+
+ <div class="container-fluid">
+ <div id="banner">
+ <div class="pull-left">
+ <a href="./" id="bannerLeft">
+ <img src="arguslogo/slide1.png" alt="Argus logo" width="400px" height="200px"/>
+ </a>
+ </div>
+ <div class="pull-right"> <div id="bannerRight">
+ <img src="" />
+ </div>
+ </div>
+ <div class="clear"><hr/></div>
+ </div>
+
+ <div id="breadcrumbs">
+ <ul class="breadcrumb">
+
+
+ <li id="publishDate">Last Published: 2014-09-30
+ <span class="divider">|</span>
+ </li>
+ <li id="projectVersion">Version: 0.4
+ </li>
+
+
+
+
+ </ul>
+ </div>
+
+
+ <div class="row-fluid">
+ <div id="leftColumn" class="span3">
+ <div class="well sidebar-nav">
+
+
+ <ul class="nav nav-list">
+ <li class="nav-header">Overview</li>
+
+ <li>
+
+ <a href="index.html" title="Introduction">
+ <i class="none"></i>
+ Introduction</a>
+ </li>
+
+ <li>
+
+ <a href="faq.html" title="FAQ">
+ <i class="none"></i>
+ FAQ</a>
+ </li>
+ <li class="nav-header">Resources</li>
+
+ <li>
+
+ <a href="wiki.html" title="Wiki">
+ <i class="none"></i>
+ Wiki</a>
+ </li>
+
+ <li>
+
+ <a href="http://www.apache.org/licenses/" class="externalLink" title="License">
+ <i class="none"></i>
+ License</a>
+ </li>
+ <li class="nav-header">Project Information</li>
+
+ <li>
+
+ <a href="project-summary.html" title="Project Summary">
+ <i class="none"></i>
+ Project Summary</a>
+ </li>
+
+ <li>
+
+ <a href="mail-lists.html" title="Mailing Lists">
+ <i class="none"></i>
+ Mailing Lists</a>
+ </li>
+
+ <li>
+
+ <a href="team-list.html" title="Team">
+ <i class="none"></i>
+ Team</a>
+ </li>
+ </ul>
+
+
+
+ <hr />
+
+ <div id="poweredBy">
+ <div class="clear"></div>
+
+
+
+
+ <iframe src="http://www.facebook.com/plugins/like.php?href=http://argus.incubator.apache.org/&send=false&layout=box_count&show-faces=false&action=like&colorscheme=light"
+ scrolling="no" frameborder="0"
+ style="border:none; width:48px; height:63px; margin-top: 10px;" ></iframe>
+ <div class="clear"></div>
+
+
+
+ <div id="twitter">
+
+ <a href="https://twitter.com/apacheargus" class="twitter-follow-button" data-show-count="true" data-align="left" data-size="medium" data-show-screen-name="true" data-lang="en">Follow apacheargus</a>
+ <script type="text/javascript">!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="//platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");</script>
+
+ </div>
+ <div class="clear"></div>
+ <div class="clear"></div>
+ <a href="http://maven.apache.org/" title="Maven" class="builtBy">
+ <img class="builtBy" alt="Maven" src="http://maven.apache.org/images/logos/maven-feather.png" />
+ </a>
+ </div>
+ </div>
+ </div>
+
+
+ <div id="bodyColumn" class="span9" >
+
+
+ Argus Administration Overview
+ The Argus Administration provides the following security
+ for Hadoop clusters:
+
+ Authorization: Restricts access to explicit data as follows:
+
+ Fine-grained access control for HDFS, Hive, and Hbase
+
+
+ Role-based policies
+
+
+ Component-level enforcement
+
+
+
+
+ Audit: Track and report on the following items in a central location:
+
+ Detailed access auditing for HDFS, Hive and Hbase
+
+
+ Admin action auditing
+
+
+
+
+ Centralized Security Policies:
+
+ UI to centrally manage security policies
+
+
+ Delegated administration
+
+
+ Automated policy synchronization
+
+
+
+
+ <div class="section">
+<h2><a name="null"></a></h2>
+
+ An Argus Administration deployment contains the
+ following components:
+
+
+
+
+
+
+
+ Argus Administration
+ server: A central location to manage all security policies for
+ Hadoop clusters, including access control, auditing, and reporting. It also
+ provides delegated administration features to enable administration of policies
+ for specific data to other users and groups.
+
+
+ User and Group Synchronizer: Synchronizes
+ user and group information between a UNIX server and the HDP
+ Security Administration server. Allows the Unix system users
+ on the host where the agent is installed to sign in to the Web UI with the same
+ credentials as the local host.
+
+
+ Security Agent for HDFS: Enforces the HDFS
+ access control based on the policies managed on the Argus
+ Administration server and provides audit and reporting HDFS
+ activity.
+
+
+ Security Agent for Hive: Enforces Hive
+ (HiveServer2) access control based on the policies managed on the
+ Argus Administration server and provides
+ audit and reporting for Hive activity.
+
+
+ Security Agent for
+ HBase: Enforces HBase access
+ control (via Hive2 service) based on the policies
+ managed on the Argus
+ Administration server and
+ provides audit and reporting for HBase activity.
+ Install an agent on the HBase Master and all HBase
+ Regional servers.
+
+
+ The following table shows the ports used by the Argus
+ Administration tools:
+
+
+<table border="0" class="table table-striped" frame="all">
+
+
+
+
+
+ <thead>
+
+ Component
+ Listening Port
+ Connection to Port
+
+ </thead>
+ <tbody>
+
+ Argus Administration server
+ 6080
+ Ensure agent hosts can connect to the HDP SA server on
+ port 6080.
+ (HTTP)
+ 3306 (JDBC/MySQL)
+
+
+ All Agents (HDFS, HBase and Hive)
+
+ 6080* (HTTP)
+
+
+ User and Group Synchronization Agent
+ 5151
+ Make sure Argus Administration server can connect
+ to port 5151 on the server were Unix Synchronization Service
+ is installed.
+ (Optional for remote Unix)
+ 3306 (JDBC/MySQL)
+
+
+ MySQL
+ 3306
+ Argus Administrator server and agent servers should
+ be able to connect to port 3306 on the server MySQL is
+ installed. The agents insert the audit logs directly into
+ the database
+
+ 3306
+
+ </tbody>
+
+ </table>
+
+ </div>
+
+<div class="section">
+<h2><a name="null"></a></h2>
+
+
+
+ Policy Enforcement: Security Agents run within the process of NameNode,
+ HiveServer2 and HBase Region Servers. It adds negligible overhead to the
+ existing policy check and enforcement. The Security Agents can handle more than
+ 50 simultaneous requests within less than 1.5 milliseconds.
+ Recommendation: Limit the number of policies by grouping resources together
+ and also where possible using wild cards or recursive options.
+
+
+ Audits (log uploads to the server) : The Security Agent logs all access logs
+ centrally to RDBMS. When MySQL is installed on a dedicated server with 4 Cores
+ and 16 GB RAM, XASecure can handle up to 6500 logs/second with 375 concurrent
+ requests. XASecure has inbuilt mechanism to log the event asynchronously without
+ affecting the runtime performance of the cluster. If there is a sudden surge of
+ event logs, XASecure will automatically buffer the logs and do deferred writing
+ to database. If the surge of access requests lasts for longer period, then
+ XASecure will throttle itself by discarding excess logs.
+ Recommendation: For high-end systems, it is recommend that the database is
+ properly tuned for memory caching and disk IO. It is also recommended to
+ appropriately partition the database and archive historical data on regular
+ intervals.
+
+
+ </div>
+
+<div class="section">
+<h2><a name="null"></a></h2>
+
+ The Argus Administration Suite is available to
+ download from Hortonworks <link xlink:href="http://hortonworks.com/hdp/addons/">Add-ons</link> page.
+ Download the components, as follows:
+
+ Argus Administration server: Required
+ for all deployments.
+
+
+ UX-UserGroup Synchronizer: Optional. Provides
+ Web UI authentication and automatically imports users and groups for
+ policies.
+
+
+ Security Agent for Hive: Only required if you
+ are managing access or auditing HiveServer2.
+
+
+ Security Agent for Hadoop: Only required if you
+ are managing access or auditing HDFS.
+
+
+ Security Agent for HBase: Only required if you
+ are managing access or auditing HBase.
+
+
+ </div>
+
+ </div>
+ </div>
+ </div>
+
+ <hr/>
+
+ <footer>
+ <div class="container-fluid">
+ <div class="row-fluid">
+ <p >Copyright © 2014
+ <a href="http://www.apache.org/">Apache Software Foundation</a>.
+ All rights reserved.
+
+ </p>
+ </div>
+
+
+
+ </div>
+ </footer>
+ </body>
+</html>
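Review bot: The product rename is incomplete in this file: the body mixes "Argus Administration" with "HDP Security Administration server", "HDP SA server" and, throughout the Audits paragraph, "XASecure", and the download section still points at the Hortonworks Add-ons page through DocBook markup ("<link xlink:href=...>"), which is not HTML and will not render as a link. Suggest one product name throughout and an ordinary "a href" element. The Audits paragraph also says that under a sustained surge the agent "will throttle itself by discarding excess logs"; that means the audit trail can be incomplete, which deserves an explicit statement in the audit description rather than a mention inside a performance note. The ports table labels 6080 as HTTP and says the agents "insert the audit logs directly into the database" on 3306, so it would help to state that both ports should be reachable only from the hosts the table lists. Smaller items: the thead/tbody of the ports table has no tr/th/td elements, the section headings are empty "<h2><a name="null"></a></h2>" as in the previous file, "(via Hive2 service)" in the HBase agent entry looks carried over from the Hive entry and should be confirmed, and "server were Unix" and "it is recommend" are typos.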