Posted to commits@ambari.apache.org by ga...@apache.org on 2015/10/28 09:14:51 UTC
ambari git commit: AMBARI-13488 : Add recommendation for
'hive.conf.restricted.list' property under hiveserver2-site (For Ranger
Plugin)
Repository: ambari
Updated Branches:
refs/heads/trunk deb782c79 -> e4c62592f
AMBARI-13488 : Add recommendation for 'hive.conf.restricted.list' property under hiveserver2-site (For Ranger Plugin)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/e4c62592
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/e4c62592
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/e4c62592
Branch: refs/heads/trunk
Commit: e4c62592f7025bd5c8e67dd1bdfafee895afe7a6
Parents: deb782c
Author: Gautam Borad <ga...@apache.org>
Authored: Tue Oct 20 14:50:12 2015 +0530
Committer: Gautam Borad <ga...@apache.com>
Committed: Wed Oct 28 13:44:28 2015 +0530
----------------------------------------------------------------------
.../HIVE/configuration/hiveserver2-site.xml | 12 +++++++++++
.../stacks/HDP/2.2/services/stack_advisor.py | 22 ++++++++++++++++++++
.../stacks/HDP/2.3/services/stack_advisor.py | 16 ++++++++++++++
.../stacks/2.2/common/test_stack_advisor.py | 13 ++++++++----
4 files changed, 59 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/e4c62592/ambari-server/src/main/resources/stacks/HDP/2.2/services/HIVE/configuration/hiveserver2-site.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2/services/HIVE/configuration/hiveserver2-site.xml b/ambari-server/src/main/resources/stacks/HDP/2.2/services/HIVE/configuration/hiveserver2-site.xml
index 12a78db..5a2f002 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.2/services/HIVE/configuration/hiveserver2-site.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.2/services/HIVE/configuration/hiveserver2-site.xml
@@ -71,4 +71,16 @@ limitations under the License.
</depends-on>
</property>
+ <property>
+ <name>hive.conf.restricted.list</name>
+ <value>hive.security.authenticator.manager,hive.security.authorization.manager,hive.users.in.admin.role</value>
+ <description></description>
+ <depends-on>
+ <property>
+ <type>hive-env</type>
+ <name>hive_security_authorization</name>
+ </property>
+ </depends-on>
+ </property>
+
</configuration>
\ No newline at end of file
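Review bot: The new `hive.conf.restricted.list` property ships with an empty `<description>`, so the Ambari UI gives an operator no hint that this list is a security control. I would fill it in, for example `<description>Comma-separated list of configuration properties that cannot be changed at runtime. Keep the authorization and authenticator settings in this list.</description>`. The default value here is not the same list the stack advisor recommends when the Ranger plugin is enabled, and the description is a good place to say so.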
http://git-wip-us.apache.org/repos/asf/ambari/blob/e4c62592/ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py b/ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py
index 32e6be3..c813556 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py
+++ b/ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py
@@ -429,6 +429,10 @@ class HDP22StackAdvisor(HDP21StackAdvisor):
("hiveserver2-site" not in services["configurations"]) or \
("hiveserver2-site" in services["configurations"] and "hive.security.authenticator.manager" in services["configurations"]["hiveserver2-site"]["properties"]):
putHiveServerPropertyAttribute("hive.security.authenticator.manager", "delete", "true")
+ if ("hive.conf.restricted.list" in configurations["hiveserver2-site"]["properties"]) or \
+ ("hiveserver2-site" not in services["configurations"]) or \
+ ("hiveserver2-site" in services["configurations"] and "hive.conf.restricted.list" in services["configurations"]["hiveserver2-site"]["properties"]):
+ putHiveServerPropertyAttribute("hive.conf.restricted.list", "delete", "true")
if "KERBEROS" not in servicesList: # Kerberos security depends on this property
putHiveSiteProperty("hive.security.authorization.enabled", "false")
else:
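Review bot: The condition guarding the `delete` attribute for `hive.conf.restricted.list` copies the three-clause test used for `hive.security.authenticator.manager` directly above it, and its third clause re-checks `"hiveserver2-site" in services["configurations"]`, which is already implied once the second clause is false. Binding the section once reads better and avoids another copy when the next property is added: `hs2_site = services["configurations"].get("hiveserver2-site")` followed by `if prop in configurations["hiveserver2-site"]["properties"] or hs2_site is None or prop in hs2_site["properties"]:`. A short comment stating what value HiveServer2 falls back to once the property is deleted would also help, since from this hunk it is not clear which keys stay restricted when authorization is switched off. The enclosing method starts and ends outside the hunk.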
@@ -450,6 +454,7 @@ class HDP22StackAdvisor(HDP21StackAdvisor):
putHiveServerProperty("hive.security.authorization.enabled", "true")
putHiveServerProperty("hive.security.authorization.manager", "org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory")
putHiveServerProperty("hive.security.authenticator.manager", "org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator")
+ putHiveServerProperty("hive.conf.restricted.list", "hive.security.authenticator.manager,hive.security.authorization.manager,hive.users.in.admin.role")
putHiveSiteProperty("hive.security.authorization.manager", "org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdConfOnlyAuthorizerFactory")
if sqlstdauth_class not in auth_manager_values:
auth_manager_values.append(sqlstdauth_class)
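Review bot: The restricted list recommended here for SQL standard authorization (`hive.security.authenticator.manager,hive.security.authorization.manager,hive.users.in.admin.role`) and the one set in the Ranger branch in the next hunk (`hive.security.authorization.enabled,hive.security.authorization.manager,hive.security.authenticator.manager`) protect different keys, and nothing in the code says why. As written, this branch leaves `hive.security.authorization.enabled` off the list and the Ranger branch drops `hive.users.in.admin.role`, so switching authorization mode changes which security settings a session is blocked from overriding. If that is intended, a one-line comment above each `putHiveServerProperty("hive.conf.restricted.list", ...)` call naming where its list comes from would settle it; if not, recommending the union of both lists in both branches looks like the safer default. The enclosing method starts and ends outside the hunk.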
@@ -465,6 +470,7 @@ class HDP22StackAdvisor(HDP21StackAdvisor):
putHiveServerProperty("hive.security.authorization.enabled", "true")
putHiveServerProperty("hive.security.authorization.manager", "com.xasecure.authorization.hive.authorizer.XaSecureHiveAuthorizerFactory")
putHiveServerProperty("hive.security.authenticator.manager", "org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator")
+ putHiveServerProperty("hive.conf.restricted.list", "hive.security.authorization.enabled,hive.security.authorization.manager,hive.security.authenticator.manager")
putHiveSiteProperty("hive.server2.use.SSL", "false")
@@ -1154,6 +1160,22 @@ class HDP22StackAdvisor(HDP21StackAdvisor):
"item": self.getWarnItem(
"If Ranger Hive Plugin is enabled."\
" {0} under hiveserver2-site needs to be set to {1}".format(prop_name, prop_val))})
+ prop_name = 'hive.conf.restricted.list'
+ prop_vals = 'hive.security.authorization.enabled,hive.security.authorization.manager,hive.security.authenticator.manager'.split(',')
+ current_vals = []
+ missing_vals = []
+ if hive_server2 and prop_name in hive_server2:
+ current_vals = hive_server2[prop_name].split(',')
+ current_vals = [x.strip() for x in current_vals]
+
+ for val in prop_vals:
+ if not val in current_vals:
+ missing_vals.append(val)
+
+ if missing_vals:
+ validationItems.append({"config-name": prop_name,
+ "item": self.getWarnItem("If Ranger Hive Plugin is enabled."\
+ " {0} under hiveserver2-site needs to contain missing value {1}".format(prop_name, ','.join(missing_vals)))})
##Add stack validations for Ranger plugin disabled.
elif not ranger_plugin_enabled:
prop_name = 'hive.security.authorization.manager'
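Review bot: The required-key check for `hive.conf.restricted.list` is pasted verbatim into the HDP 2.3 advisor as well, and the key list it tests is a further copy of the literal passed to `putHiveServerProperty` in the Ranger recommendation branch. If one copy is edited and the others are not, the validator either warns about the advisor's own recommendation or stops warning about a key that is no longer restricted. Since `HDP23StackAdvisor` extends `HDP22StackAdvisor`, a class constant plus one helper on the 2.2 class would serve both validators; the sketch below also replaces `not val in` with `not in`. It assumes `hive_server2` is a dict or None, which is how the added lines use it. The enclosing validation method starts and ends outside the hunk.

```python
# on HDP22StackAdvisor, shared with HDP23StackAdvisor through inheritance
RANGER_HIVE_RESTRICTED_KEYS = (
  "hive.security.authorization.enabled",
  "hive.security.authorization.manager",
  "hive.security.authenticator.manager",
)

def getMissingRestrictedKeys(self, hive_server2):
  """Return the Ranger-required keys absent from hive.conf.restricted.list."""
  raw = (hive_server2 or {}).get("hive.conf.restricted.list") or ""
  current = set(x.strip() for x in raw.split(","))
  return [k for k in self.RANGER_HIVE_RESTRICTED_KEYS if k not in current]

# … unchanged: hive.security.authorization.manager / authenticator.manager checks …
prop_name = 'hive.conf.restricted.list'
missing_vals = self.getMissingRestrictedKeys(hive_server2)
if missing_vals:
  # … unchanged: validationItems.append(...) building the warning from missing_vals …
```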
http://git-wip-us.apache.org/repos/asf/ambari/blob/e4c62592/ambari-server/src/main/resources/stacks/HDP/2.3/services/stack_advisor.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.3/services/stack_advisor.py b/ambari-server/src/main/resources/stacks/HDP/2.3/services/stack_advisor.py
index b3de283..1d1cdba 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.3/services/stack_advisor.py
+++ b/ambari-server/src/main/resources/stacks/HDP/2.3/services/stack_advisor.py
@@ -628,6 +628,22 @@ class HDP23StackAdvisor(HDP22StackAdvisor):
"item": self.getWarnItem(
"If Ranger Hive Plugin is enabled."\
" {0} under hiveserver2-site needs to be set to {1}".format(prop_name, prop_val))})
+ prop_name = 'hive.conf.restricted.list'
+ prop_vals = 'hive.security.authorization.enabled,hive.security.authorization.manager,hive.security.authenticator.manager'.split(',')
+ current_vals = []
+ missing_vals = []
+ if hive_server2 and prop_name in hive_server2:
+ current_vals = hive_server2[prop_name].split(',')
+ current_vals = [x.strip() for x in current_vals]
+
+ for val in prop_vals:
+ if not val in current_vals:
+ missing_vals.append(val)
+
+ if missing_vals:
+ validationItems.append({"config-name": prop_name,
+ "item": self.getWarnItem("If Ranger Hive Plugin is enabled."\
+ " {0} under hiveserver2-site needs to contain missing value {1}".format(prop_name, ','.join(missing_vals)))})
##Add stack validations for Ranger plugin disabled.
elif not ranger_plugin_enabled:
prop_name = 'hive.security.authorization.manager'
http://git-wip-us.apache.org/repos/asf/ambari/blob/e4c62592/ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py b/ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py
index 74d9b21..6b582c9 100644
--- a/ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py
+++ b/ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py
@@ -1049,7 +1049,8 @@ class TestHDP22StackAdvisor(TestCase):
},
'property_attributes': {
'hive.security.authorization.manager': {'delete': 'true'},
- 'hive.security.authenticator.manager': {'delete': 'true'}
+ 'hive.security.authenticator.manager': {'delete': 'true'},
+ 'hive.conf.restricted.list': {'delete': 'true'}
}
}
}
@@ -1146,7 +1147,8 @@ class TestHDP22StackAdvisor(TestCase):
"hiveserver2-site": {
"properties": {
"hive.security.authorization.manager": "",
- "hive.security.authenticator.manager": ""
+ "hive.security.authenticator.manager": "",
+ "hive.conf.restricted.list": ""
}
}
},
@@ -1220,7 +1222,8 @@ class TestHDP22StackAdvisor(TestCase):
"hiveserver2-site": {
"properties": {
"hive.security.authorization.manager": "",
- "hive.security.authenticator.manager": ""
+ "hive.security.authenticator.manager": "",
+ "hive.conf.restricted.list": ""
}
}
},
@@ -1290,6 +1293,7 @@ class TestHDP22StackAdvisor(TestCase):
expected["hiveserver2-site"]["properties"]["hive.security.authorization.enabled"]="true"
expected["hiveserver2-site"]["properties"]["hive.security.authorization.manager"]="org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory"
expected["hiveserver2-site"]["properties"]["hive.security.authenticator.manager"]="org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator"
+ expected["hiveserver2-site"]["properties"]["hive.conf.restricted.list"]="hive.security.authenticator.manager,hive.security.authorization.manager,hive.users.in.admin.role"
self.stackAdvisor.recommendHIVEConfigurations(configurations, clusterData, services, hosts)
self.assertEquals(configurations, expected)
@@ -1382,6 +1386,7 @@ class TestHDP22StackAdvisor(TestCase):
expected["hiveserver2-site"]["properties"]["hive.security.authenticator.manager"] = "org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator"
expected["hiveserver2-site"]["properties"]["hive.security.authorization.manager"] = "com.xasecure.authorization.hive.authorizer.XaSecureHiveAuthorizerFactory"
expected["hiveserver2-site"]["properties"]["hive.security.authorization.enabled"] = "true"
+ expected["hiveserver2-site"]["properties"]["hive.conf.restricted.list"]="hive.security.authorization.enabled,hive.security.authorization.manager,hive.security.authenticator.manager"
self.stackAdvisor.recommendHIVEConfigurations(configurations, clusterData, services, hosts)
self.assertEquals(configurations['hiveserver2-site'], expected["hiveserver2-site"])
@@ -3142,7 +3147,7 @@ class TestHDP22StackAdvisor(TestCase):
}
# Test with ranger plugin enabled, validation fails
- res_expected = [{'config-type': 'hiveserver2-site', 'message': 'If Ranger Hive Plugin is enabled. hive.security.authorization.manager under hiveserver2-site needs to be set to com.xasecure.authorization.hive.authorizer.XaSecureHiveAuthorizerFactory', 'type': 'configuration', 'config-name': 'hive.security.authorization.manager', 'level': 'WARN'}, {'config-type': 'hiveserver2-site', 'message': 'If Ranger Hive Plugin is enabled. hive.security.authenticator.manager under hiveserver2-site needs to be set to org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator', 'type': 'configuration', 'config-name': 'hive.security.authenticator.manager', 'level': 'WARN'}]
+ res_expected = [{'config-type': 'hiveserver2-site', 'message': 'If Ranger Hive Plugin is enabled. hive.security.authorization.manager under hiveserver2-site needs to be set to com.xasecure.authorization.hive.authorizer.XaSecureHiveAuthorizerFactory', 'type': 'configuration', 'config-name': 'hive.security.authorization.manager', 'level': 'WARN'}, {'config-type': 'hiveserver2-site', 'message': 'If Ranger Hive Plugin is enabled. hive.security.authenticator.manager under hiveserver2-site needs to be set to org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator', 'type': 'configuration', 'config-name': 'hive.security.authenticator.manager', 'level': 'WARN'}, {'config-type': 'hiveserver2-site', 'message': 'If Ranger Hive Plugin is enabled. hive.conf.restricted.list under hiveserver2-site needs to contain missing value hive.security.authorization.enabled,hive.security.authorization.manager,hive.security.authenticator.manager', 'type': 'configuration', 'config-name': 'hive.con
f.restricted.list', 'level': 'WARN'}]
res = self.stackAdvisor.validateHiveServer2Configurations(properties, recommendedDefaults, configurations, services, {})
self.assertEquals(res, res_expected)