Posted to commits@ranger.apache.org by sn...@apache.org on 2015/04/29 06:36:44 UTC
[4/4] incubator-ranger git commit: RANGER-431: modified to work with
a consolidated configuration file
RANGER-431: modified to work with a consolidated configuration file
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/91d1e137
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/91d1e137
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/91d1e137
Branch: refs/heads/master
Commit: 91d1e137483a1c3739cf395f710ca5d37b20019d
Parents: 11bb55b
Author: sneethiraj <sn...@apache.org>
Authored: Tue Apr 28 23:38:53 2015 -0400
Committer: sneethiraj <sn...@apache.org>
Committed: Tue Apr 28 23:38:53 2015 -0400
----------------------------------------------------------------------
.../conf/ranger_webserver.properties | 44 -----
security-admin/scripts/setup.sh | 16 --
.../apache/ranger/common/RangerProperties.java | 160 +++++++++++++++++++
.../conf.dist/ranger-admin-default-site.xml | 2 +-
.../META-INF/contextXML/unix_bean_settings.xml | 10 +-
.../unixauth-config/unixauth.properties | 25 ---
src/main/assembly/admin-web.xml | 2 +-
.../config/UserGroupSyncConfig.java | 4 +
.../unix/jaas/RemoteUnixLoginModule.java | 15 +-
unixauthservice/scripts/install.properties | 15 +-
unixauthservice/scripts/setup.py | 16 +-
.../UnixAuthenticationService.java | 150 ++++++++++-------
12 files changed, 295 insertions(+), 164 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/91d1e137/embeddedwebserver/conf/ranger_webserver.properties
----------------------------------------------------------------------
diff --git a/embeddedwebserver/conf/ranger_webserver.properties b/embeddedwebserver/conf/ranger_webserver.properties
deleted file mode 100644
index ca98dee..0000000
--- a/embeddedwebserver/conf/ranger_webserver.properties
+++ /dev/null
@@ -1,44 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-#
-# Service Information
-#
-service.host=localhost
-http.service.port=6080
-service.shutdownPort=6085
-service.shutdownCommand=SHUTDOWN
-
-# Set ajp.enabled=true, if rnager-admin is behind an apache loadbalancer
-# and loadbalacner is listening on https for requuests from clients
-# and BalancerMember configuration in Apache is pointing to ajp protocol
-ajp.enabled=false
-
-#
-# SSL Connector Information
-#
-https.service.port=6182
-https.attrib.SSLEnabled=false
-https.attrib.sslProtocol=TLS
-https.attrib.clientAuth=false
-https.attrib.keyAlias=myKey
-https.attrib.keystorePass=xasecure
-https.attrib.keystoreFile=/etc/ranger/admin/keys/server.jks
-
-#
-# Access Log Information
-#
-accesslog.dateformat=yyyy-MM-dd
-accesslog.pattern=%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/91d1e137/security-admin/scripts/setup.sh
----------------------------------------------------------------------
diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh
index 3868ea2..14378cb 100755
--- a/security-admin/scripts/setup.sh
+++ b/security-admin/scripts/setup.sh
@@ -1163,10 +1163,6 @@ create_audit_db_user(){
do_unixauth_setup() {
- RANGER_JAAS_CONF_DIR="${INSTALL_DIR}/ews/webapp/WEB-INF/classes/conf/ranger_jaas"
-
- cp ./unixauth-config/* ${RANGER_JAAS_CONF_DIR}
-
ldap_file=$app_home/WEB-INF/classes/conf/ranger-admin-site.xml
if test -f $ldap_file; then
log "[I] $ldap_file file found"
@@ -1184,11 +1180,6 @@ do_unixauth_setup() {
else
log "[E] $ldap_file does not exists" ; exit 1;
fi
-
- owner=ranger
- group=ranger
- chown -R ${owner}:${group} ${RANGER_JAAS_CONF_DIR}
- chmod -R go-rwx ${RANGER_JAAS_CONF_DIR}
}
do_authentication_setup(){
@@ -1301,13 +1292,6 @@ setup_install_files(){
chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/conf
fi
- if [ ! -d ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger_jaas ]; then
- log "[I] Creating ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger_jaas"
- mkdir -p ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger_jaas
- chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger_jaas
- chmod 700 ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger_jaas
- fi
-
if [ ! -d ${WEBAPP_ROOT}/WEB-INF/classes/lib ]; then
log "[I] Creating ${WEBAPP_ROOT}/WEB-INF/classes/lib"
mkdir -p ${WEBAPP_ROOT}/WEB-INF/classes/lib
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/91d1e137/security-admin/src/main/java/org/apache/ranger/common/RangerProperties.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/common/RangerProperties.java b/security-admin/src/main/java/org/apache/ranger/common/RangerProperties.java
new file mode 100644
index 0000000..72fde46
--- /dev/null
+++ b/security-admin/src/main/java/org/apache/ranger/common/RangerProperties.java
@@ -0,0 +1,160 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.common;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.HashMap;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+
+import org.apache.log4j.Logger;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+
+public class RangerProperties extends HashMap<String,String> {
+
+ private static final long serialVersionUID = -4094378755892810987L;
+
+ private final Logger LOG = Logger.getLogger(RangerProperties.class) ;
+
+ private final String XMLCONFIG_FILENAME_DELIMITOR = ",";
+ private final String XMLCONFIG_PROPERTY_TAGNAME = "property" ;
+ private final String XMLCONFIG_NAME_TAGNAME = "name" ;
+ private final String XMLCONFIG_VALUE_TAGNAME = "value" ;
+
+ private String xmlConfigFileNames = null;
+
+ public RangerProperties(String xmlConfigFileNames) {
+ this.xmlConfigFileNames = xmlConfigFileNames;
+ initProperties();
+ }
+
+ private void initProperties() {
+
+ if (xmlConfigFileNames == null || xmlConfigFileNames.isEmpty())
+ return;
+
+ String[] fnList = xmlConfigFileNames
+ .split(XMLCONFIG_FILENAME_DELIMITOR);
+
+ for (String fn : fnList) {
+ try {
+ loadXMLConfig(fn) ;
+ }
+ catch(IOException ioe) {
+ LOG.error("Unable to load configuration from file: [" + fn + "]", ioe);
+ }
+ }
+
+ }
+
+ private void loadXMLConfig(String fileName) throws IOException {
+
+ try {
+ InputStream in = getFileInputStream(fileName);
+
+ if (in == null) {
+ return;
+ }
+
+ DocumentBuilderFactory xmlDocumentBuilderFactory = DocumentBuilderFactory
+ .newInstance();
+ xmlDocumentBuilderFactory.setIgnoringComments(true);
+ xmlDocumentBuilderFactory.setNamespaceAware(true);
+ DocumentBuilder xmlDocumentBuilder = xmlDocumentBuilderFactory
+ .newDocumentBuilder();
+ Document xmlDocument = xmlDocumentBuilder.parse(in);
+ xmlDocument.getDocumentElement().normalize();
+
+ NodeList nList = xmlDocument.getElementsByTagName(XMLCONFIG_PROPERTY_TAGNAME);
+
+ for (int temp = 0; temp < nList.getLength(); temp++) {
+
+ Node nNode = nList.item(temp);
+
+ if (nNode.getNodeType() == Node.ELEMENT_NODE) {
+
+ Element eElement = (Element) nNode;
+
+ String propertyName = "";
+ String propertyValue = "";
+
+ if (eElement.getElementsByTagName(XMLCONFIG_NAME_TAGNAME).item(0) != null) {
+ propertyName = eElement.getElementsByTagName(XMLCONFIG_NAME_TAGNAME).item(0).getTextContent().trim();
+ }
+
+ if (eElement.getElementsByTagName(XMLCONFIG_VALUE_TAGNAME).item(0) != null) {
+ propertyValue = eElement.getElementsByTagName(XMLCONFIG_VALUE_TAGNAME).item(0).getTextContent().trim();
+ }
+
+ if (get(propertyName) != null)
+ remove(propertyName) ;
+
+ if (propertyValue != null)
+ put(propertyName, propertyValue);
+
+ }
+ }
+ } catch (Throwable t) {
+ throw new IOException(t);
+ }
+ }
+
+ private InputStream getFileInputStream(String path)
+ throws FileNotFoundException {
+
+ InputStream ret = null;
+
+ File f = new File(path);
+
+ if (f.exists()) {
+ ret = new FileInputStream(f);
+ } else {
+ ret = getClass().getResourceAsStream(path);
+
+ if (ret == null) {
+ if (!path.startsWith("/")) {
+ ret = getClass().getResourceAsStream("/" + path);
+ }
+ }
+
+ if (ret == null) {
+ ret = ClassLoader.getSystemClassLoader().getResourceAsStream(
+ path);
+ if (ret == null) {
+ if (!path.startsWith("/")) {
+ ret = ClassLoader.getSystemResourceAsStream("/" + path);
+ }
+ }
+ }
+ }
+
+ return ret;
+ }
+
+
+}
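Review bot: The `InputStream` obtained from getFileInputStream in loadXMLConfig is never closed, including when `parse` throws, so every configuration load leaks a handle; wrapping it in try-with-resources (if the build targets Java 7 or later) fixes that and also lets the trailing `catch (Throwable t)` narrow to `Exception`, so `Error`s are no longer rewrapped as `IOException`. While the DocumentBuilderFactory is being configured, refusing DOCTYPE declarations keeps a configuration file from pulling in external entities; the same factory setup is repeated in UnixAuthenticationService.init and would take the same line. In getFileInputStream the `ClassLoader.getSystemResourceAsStream("/" + path)` retry can never succeed, because ClassLoader resource names do not take a leading slash (only `Class.getResourceAsStream` does), so that branch is dead. The `get`/`remove` pair before `put(propertyName, propertyValue)` is redundant since `put` replaces an existing mapping, and `propertyValue != null` is always true because the variable is initialised to `""`; the same remove-before-put is added in UserGroupSyncConfig and UnixAuthenticationService.init.
```java
    private void loadXMLConfig(String fileName) throws IOException {
        try (InputStream in = getFileInputStream(fileName)) {
            if (in == null) {
                return;
            }

            DocumentBuilderFactory xmlDocumentBuilderFactory = DocumentBuilderFactory.newInstance();
            // configuration files never need a DTD; refusing DOCTYPE also blocks external entity resolution
            xmlDocumentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            xmlDocumentBuilderFactory.setIgnoringComments(true);
            xmlDocumentBuilderFactory.setNamespaceAware(true);
            DocumentBuilder xmlDocumentBuilder = xmlDocumentBuilderFactory.newDocumentBuilder();
            Document xmlDocument = xmlDocumentBuilder.parse(in);
            xmlDocument.getDocumentElement().normalize();

            // … unchanged: iterate <property> elements and put(propertyName, propertyValue) …
        } catch (IOException ioe) {
            throw ioe;
        } catch (Exception e) {
            // ParserConfigurationException / SAXException are reported to the caller as IOException
            throw new IOException(e);
        }
    }
```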
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/91d1e137/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
index 1cc2866..7587076 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
@@ -225,7 +225,7 @@
</property>
<property>
<name>ranger.unixauth.service.hostname</name>
- <value>bigdata.xasecure.net</value>
+ <value>localhost</value>
</property>
<property>
<name>ranger.unixauth.service.port</name>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/91d1e137/security-admin/src/main/webapp/META-INF/contextXML/unix_bean_settings.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/META-INF/contextXML/unix_bean_settings.xml b/security-admin/src/main/webapp/META-INF/contextXML/unix_bean_settings.xml
index 0885aff..1aab7ba 100644
--- a/security-admin/src/main/webapp/META-INF/contextXML/unix_bean_settings.xml
+++ b/security-admin/src/main/webapp/META-INF/contextXML/unix_bean_settings.xml
@@ -14,6 +14,10 @@
See the License for the specific language governing permissions and
limitations under the License.
-->
+<beans:bean id="rangerConfiguration" class="org.apache.ranger.common.RangerProperties">
+ <beans:constructor-arg value="ranger-admin-default-site.xml,ranger-admin-site.xml" />
+</beans:bean>
+
<beans:bean id="jaasAuthProvider" class="org.springframework.security.authentication.jaas.DefaultJaasAuthenticationProvider">
<beans:property name="configuration">
<beans:bean
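Review bot: The constructor-arg value `ranger-admin-default-site.xml,ranger-admin-site.xml` encodes a precedence rule that is stated nowhere in this file: RangerProperties loads the files in list order and a later file's `<property>` replaces an earlier one, so the site file overrides the defaults. A short comment above the bean, e.g. `<!-- files are loaded left to right; a property in a later file overrides the same property in an earlier one -->`, would keep the order from being changed casually.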
@@ -28,11 +32,7 @@
<beans:constructor-arg>
<util:constant static-field="javax.security.auth.login.AppConfigurationEntry$LoginModuleControlFlag.REQUIRED" />
</beans:constructor-arg>
- <beans:constructor-arg>
- <beans:map>
- <beans:entry key="configFile" value="unixauth.properties" />
- </beans:map>
- </beans:constructor-arg>
+ <beans:constructor-arg ref="rangerConfiguration" />
</beans:bean>
</beans:array>
</beans:entry>
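Review bot: The login module now receives the whole admin configuration as its JAAS options map instead of the scoped `unixauth.properties`, so the keys it reads must exist under their new names: the deleted properties file used `authServiceHostName`/`authServicePort`, while ranger-admin-default-site.xml carries `ranger.unixauth.service.hostname`/`ranger.unixauth.service.port`. This only works if RemoteUnixLoginModule's `REMOTE_LOGIN_HOST_PARAM` and related constants already use the `ranger.unixauth.*` names, which this commit does not show — worth confirming before merge.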
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/91d1e137/security-admin/unixauth-config/unixauth.properties
----------------------------------------------------------------------
diff --git a/security-admin/unixauth-config/unixauth.properties b/security-admin/unixauth-config/unixauth.properties
deleted file mode 100644
index 7047e58..0000000
--- a/security-admin/unixauth-config/unixauth.properties
+++ /dev/null
@@ -1,25 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-remoteLoginEnabled=true
-authServiceHostName=bigdata.xasecure.net
-authServicePort=5151
-#keyStore=keystore.jks
-#keyStorePassword=password
-#trustStore=cacerts
-#trustStorePassword=changeit
-sslEnabled=true
-debug=false
-serverCertValidation=false
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/91d1e137/src/main/assembly/admin-web.xml
----------------------------------------------------------------------
diff --git a/src/main/assembly/admin-web.xml b/src/main/assembly/admin-web.xml
index 3fd1f53..5886679 100644
--- a/src/main/assembly/admin-web.xml
+++ b/src/main/assembly/admin-web.xml
@@ -284,12 +284,12 @@
<outputDirectory>/ews/lib</outputDirectory>
<directory>embeddedwebserver/lib</directory>
</fileSet>
--->
<fileSet>
<outputDirectory>/unixauth-config</outputDirectory>
<directory>security-admin/unixauth-config</directory>
<fileMode>544</fileMode>
</fileSet>
+-->
<fileSet>
<outputDirectory>/db</outputDirectory>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/91d1e137/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
----------------------------------------------------------------------
diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
index dcfa515..e079939 100644
--- a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
+++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
@@ -232,6 +232,10 @@ public class UserGroupSyncConfig {
.item(0).getTextContent().trim();
}
+ if (prop.get(propertyName) != null) {
+ prop.remove(propertyName) ;
+ }
+
prop.put(propertyName, propertyValue);
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/91d1e137/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java
----------------------------------------------------------------------
diff --git a/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java b/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java
index ece0a81..0dd549a 100644
--- a/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java
+++ b/unixauthclient/src/main/java/org/apache/ranger/authentication/unix/jaas/RemoteUnixLoginModule.java
@@ -80,7 +80,7 @@ public class RemoteUnixLoginModule implements LoginModule {
private char[] password;
private Subject subject;
private CallbackHandler callbackHandler;
- private boolean debug = false;
+ private boolean debug = true ;
private String remoteHostName;
private int remoteHostAuthServicePort;
@@ -142,6 +142,7 @@ public class RemoteUnixLoginModule implements LoginModule {
this.callbackHandler = new ConsolePromptCallbackHandler();
}
+ /*
Properties config = null ;
String val = (String) options.get(REMOTE_UNIX_AUTHENICATION_CONFIG_FILE_PARAM);
@@ -219,7 +220,11 @@ public class RemoteUnixLoginModule implements LoginModule {
config = new Properties() ;
config.putAll(options);
}
-
+
+ */
+
+ Properties config = new Properties() ;
+ config.putAll(options) ;
initParams(config) ;
}
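Review bot: The former config-file loading is left behind as a `/* … */` block spanning this hunk and the one before it rather than deleted; with `Properties config = new Properties(); config.putAll(options);` now the only path, the commented-out code (including its `REMOTE_UNIX_AUTHENICATION_CONFIG_FILE_PARAM` handling) is dead, and version control already preserves it. Removing the block also makes it plain that a `configFile` option is no longer honoured, which anyone still relying on the old `unixauth.properties` indirection needs to know. Relatedly, the field default flipped to `debug = true` in the first hunk now only governs `log` calls made before initParams runs, since initParams sets `debug` in both branches. The enclosing method starts and ends outside the hunk.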
@@ -245,6 +250,9 @@ public class RemoteUnixLoginModule implements LoginModule {
if (val != null && (!val.equalsIgnoreCase("false"))) {
debug = true;
}
+ else {
+ debug = false ;
+ }
remoteHostName = (String) options.get(REMOTE_LOGIN_HOST_PARAM);
log("RemoteHostName:" + remoteHostName);
@@ -483,8 +491,7 @@ public class RemoteUnixLoginModule implements LoginModule {
}
}
} catch (Throwable t) {
- t.printStackTrace();
- throw new LoginException("FAILED: unable to authenticate to AuthenticationService: " + remoteHostName + ":" + remoteHostAuthServicePort + ", Exception: " + t);
+ throw new LoginException("FAILED: unable to authenticate to AuthenticationService: " + remoteHostName + ":" + remoteHostAuthServicePort + ", Exception: [" + t + "]");
} finally {
log("Login of user String: {" + aUserName + "}, return from AuthServer: {" + ret + "}");
}
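Review bot: Dropping `t.printStackTrace()` without attaching the cause leaves `t.toString()` inside the LoginException message as the only trace of the underlying failure, so a connection or handshake error against `remoteHostName:remoteHostAuthServicePort` can no longer be diagnosed from a stack trace. `LoginException` has no cause-taking constructor, but the cause can still be attached: `LoginException le = new LoginException("FAILED: unable to authenticate to AuthenticationService: " + remoteHostName + ":" + remoteHostAuthServicePort + ", Exception: [" + t + "]"); le.initCause(t); throw le;`. The enclosing method starts outside the hunk.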
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/91d1e137/unixauthservice/scripts/install.properties
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/install.properties b/unixauthservice/scripts/install.properties
index 846a6ac..5215620 100644
--- a/unixauthservice/scripts/install.properties
+++ b/unixauthservice/scripts/install.properties
@@ -19,18 +19,18 @@
#
# POLICY_MGR_URL = http://policymanager.xasecure.net:6080
#
-POLICY_MGR_URL = http://localhost:6080
+POLICY_MGR_URL =
# sync source, only unix and ldap are supported at present
# defaults to unix
-SYNC_SOURCE = unix
+SYNC_SOURCE =
#
# Minumum Unix User-id to start SYNC.
# This should avoid creating UNIX system-level users in the Policy Manager
#
-MIN_UNIX_USER_ID_TO_SYNC = 1000
+MIN_UNIX_USER_ID_TO_SYNC = 500
# sync interval in minutes
# user, groups would be synced again at the end of each sync interval
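Review bot: `SYNC_SOURCE =` is now left empty while the comment above it still says it defaults to unix; unless setup.py fills in that default before the `syncSource` comparison in convertInstallPropsToXML, an empty value falls through to the "Invalid value" error and `sys.exit(1)` shown in that file's last hunk — worth confirming. Lowering `MIN_UNIX_USER_ID_TO_SYNC` from 1000 to 500 also changes which accounts get synced: on distributions that allocate regular users from 1000, uids 500–999 are system or service accounts, so the new default should be deliberate and explained in the comment above it.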
@@ -39,9 +39,13 @@ MIN_UNIX_USER_ID_TO_SYNC = 1000
SYNC_INTERVAL =
#User and group for the usersync process
-unix_user=sneethiraj
-unix_group=staff
+unix_user=ranger
+unix_group=ranger
+#
+# The file where all credential is kept in cryptic format
+#
+CRED_KEYSTORE_FILENAME=/etc/ranger/usersync/conf/rangerusersync.jceks
# ---------------------------------------------------------------
# The following properties are relevant only if SYNC_SOURCE = ldap
@@ -62,7 +66,6 @@ SYNC_LDAP_BIND_DN =
# Must specify a value if SYNC_SOURCE is ldap
# unless anonymous search is allowed by the directory on users and group
SYNC_LDAP_BIND_PASSWORD =
-CRED_KEYSTORE_FILENAME=/usr/lib/xausersync/.jceks/xausersync.jceks
# search base for users and groups
# sample value would be dc=hadoop,dc=apache,dc=org
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/91d1e137/unixauthservice/scripts/setup.py
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/setup.py b/unixauthservice/scripts/setup.py
index 26078be..4cb79ff 100755
--- a/unixauthservice/scripts/setup.py
+++ b/unixauthservice/scripts/setup.py
@@ -38,7 +38,7 @@ pidFolderName = '/var/run/ranger'
logFolderName = '/var/log/ranger'
initdDirName = '/etc/init.d'
-rangerBaseDirName = os.getcwd() #'/etc/ranger'
+rangerBaseDirName = '/etc/ranger'
usersyncBaseDirName = 'usersync'
confBaseDirName = 'conf'
confDistBaseDirName = 'conf.dist'
@@ -52,7 +52,7 @@ log4jFileName = 'log4j.xml'
install2xmlMapFileName = 'installprop2xml.properties'
templateFileName = 'ranger-ugsync-template.xml'
initdProgramName = 'ranger-usersync'
-PROP2ALIASMAP = { 'ranger.usersync.ldap.ldapbindpassword':'ldap.bind.password' ,
+PROP2ALIASMAP = { 'ranger.usersync.ldap.ldapbindpassword':'ranger.usersync.ldap.bindalias',
'ranger.usersync.keystore.password':'usersync.ssl.key.password',
'ranger.usersync.truststore.password':'usersync.ssl.truststore.password'}
@@ -145,8 +145,8 @@ def writeXMLUsingProperties(xmlTemplateFileName,prop,xmlOutputFileName):
name = config.find('name').text
if (name in prop.keys()):
config.find('value').text = prop[name]
- else:
- print "ERROR: key not found: %s" % (name)
+ #else:
+ # print "ERROR: key not found: %s" % (name)
if isfile(xmlOutputFileName):
archiveFile(xmlOutputFileName)
tree.write(xmlOutputFileName)
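Review bot: Commenting out the `else:` branch makes writeXMLUsingProperties silently keep the template's `<value>` whenever a key is missing from `prop`, which is exactly the situation the removed message reported. If the message was too noisy for optional keys, delete the two dead lines and emit a quieter notice instead, e.g. `print "INFO: using template value for %s" % (name)`; a commented-out branch gives a later reader no sign that the silence is intentional. The enclosing function starts outside the hunk.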
@@ -179,14 +179,18 @@ def convertInstallPropsToXML(props):
if (syncSource == SYNC_SOURCE_UNIX):
ret['ranger.usersync.source.impl.class'] = 'org.apache.ranger.unixusersync.process.UnixUserGroupBuilder'
if (SYNC_INTERVAL_NEW_KEY not in ret or len(str(ret[SYNC_INTERVAL_NEW_KEY])) == 0):
- ret[SYNC_INTERVAL_NEW_KEY] = '5'
+ ret[SYNC_INTERVAL_NEW_KEY] = "300000"
+ else:
+ ret[SYNC_INTERVAL_NEW_KEY] = int(ret[SYNC_INTERVAL_NEW_KEY]) * 60000
#for key in ret.keys():
# if (key.startswith("ranger.usersync.ldap") or key.startswith("ranger.usersync.group") or key.startswith("ranger.usersync.paged")):
# del ret[key]
elif (syncSource == SYNC_SOURCE_LDAP):
ret['ranger.usersync.source.impl.class'] = 'org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder'
if (SYNC_INTERVAL_NEW_KEY not in ret or len(str(ret[SYNC_INTERVAL_NEW_KEY])) == 0):
- ret[SYNC_INTERVAL_NEW_KEY] = '60'
+ ret[SYNC_INTERVAL_NEW_KEY] = "3600000"
+ else:
+ ret[SYNC_INTERVAL_NEW_KEY] = int(ret[SYNC_INTERVAL_NEW_KEY]) * 60000
else:
print "ERROR: Invalid value (%s) defined for %s in install.properties. Only valid values are %s" % (syncSource, SYNC_SOURCE_KEY,SYNC_SOURCE_LIST)
sys.exit(1)
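Review bot: In both new `else:` branches `ret[SYNC_INTERVAL_NEW_KEY]` becomes an `int` (`int(...) * 60000`), whereas the default branches assign strings (`"300000"`, `"3600000"`) and writeXMLUsingProperties later does `config.find('value').text = prop[name]`; ElementTree does not accept an int as element text when writing, so a user-supplied SYNC_INTERVAL would make `tree.write` fail while the default path works. Use `ret[SYNC_INTERVAL_NEW_KEY] = str(int(ret[SYNC_INTERVAL_NEW_KEY]) * 60000)` in both branches; the duplicated conversion could also be hoisted above the source-specific `if`/`elif`. The enclosing function starts outside the hunk.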
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/91d1e137/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
----------------------------------------------------------------------
diff --git a/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java b/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
index e9e5272..ff2838f 100644
--- a/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
+++ b/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
@@ -44,7 +44,9 @@ import javax.net.ssl.TrustManagerFactory;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
+import org.apache.hadoop.security.alias.CredentialProvider;
import org.apache.log4j.Logger;
+import org.apache.ranger.credentialapi.CredentialReader;
import org.apache.ranger.usergroupsync.UserGroupSync;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
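Review bot: `org.apache.hadoop.security.alias.CredentialProvider` is imported but not referenced in any added line of this file — only `CredentialReader` is used — so unless a use exists outside the shown hunks the import is dead and pulls an extra Hadoop type into the compile unit for nothing. Drop it here, or add it together with the code that needs it.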
@@ -59,15 +61,20 @@ public class UnixAuthenticationService {
private static final String SSL_ALGORITHM = "TLS" ;
private static final String REMOTE_LOGIN_AUTH_SERVICE_PORT_PARAM = "ranger.usersync.port" ;
+
private static final String SSL_KEYSTORE_PATH_PARAM = "ranger.usersync.keystore.file" ;
- private static final String SSL_KEYSTORE_PATH_PASSWORD_PARAM = "ranger.usersync.keystore.password" ;
private static final String SSL_TRUSTSTORE_PATH_PARAM = "ranger.usersync.truststore.file" ;
- private static final String SSL_TRUSTSTORE_PATH_PASSWORD_PARAM = "ranger.usersync.truststore.password" ;
+
+ private static final String SSL_KEYSTORE_PATH_PASSWORD_ALIAS = "usersync.ssl.key.password" ;
+ private static final String SSL_TRUSTSTORE_PATH_PASSWORD_ALIAS = "usersync.ssl.truststore.password" ;
+
private static final String CRED_VALIDATOR_PROG = "ranger.usersync.passwordvalidator.path" ;
private static final String ADMIN_USER_LIST_PARAM = "admin.users" ;
private static final String ADMIN_ROLE_LIST_PARAM = "admin.roleNames" ;
private static final String SSL_ENABLED_PARAM = "ranger.usersync.ssl" ;
+ private static final String CREDSTORE_FILENAME_PARAM = "ranger.usersync.credstore.filename" ;
+
private String keyStorePath ;
private String keyStorePathPassword ;
private String trustStorePath ;
@@ -80,6 +87,11 @@ public class UnixAuthenticationService {
private boolean SSLEnabled = false ;
static private boolean enableUnixAuth = false;
+
+ private static final String[] UGSYNC_CONFIG_XML_FILES = { "ranger-ugsync-default.xml", "ranger-ugsync-site.xml" } ;
+ private static final String PROPERTY_ELEMENT_TAGNAME = "property" ;
+ private static final String NAME_ELEMENT_TAGNAME = "name" ;
+ private static final String VALUE_ELEMENT_TAGNAME = "value" ;
public static void main(String[] args) {
if (args.length > 0) {
@@ -133,65 +145,86 @@ public class UnixAuthenticationService {
//TODO: add more validation code
private void init() throws Throwable {
Properties prop = new Properties() ;
- InputStream in = getFileInputStream("ranger-ugsync-site.xml") ;
-
- if (in != null) {
- try {
-// prop.load(in);
- DocumentBuilderFactory xmlDocumentBuilderFactory = DocumentBuilderFactory
- .newInstance();
- xmlDocumentBuilderFactory.setIgnoringComments(true);
- xmlDocumentBuilderFactory.setNamespaceAware(true);
- DocumentBuilder xmlDocumentBuilder = xmlDocumentBuilderFactory
- .newDocumentBuilder();
- Document xmlDocument = xmlDocumentBuilder.parse(in);
- xmlDocument.getDocumentElement().normalize();
-
- NodeList nList = xmlDocument
- .getElementsByTagName("property");
-
- for (int temp = 0; temp < nList.getLength(); temp++) {
-
- Node nNode = nList.item(temp);
-
- if (nNode.getNodeType() == Node.ELEMENT_NODE) {
-
- Element eElement = (Element) nNode;
-
- String propertyName = "";
- String propertyValue = "";
- if (eElement.getElementsByTagName("name").item(
- 0) != null) {
- propertyName = eElement
- .getElementsByTagName("name")
- .item(0).getTextContent().trim();
- }
- if (eElement.getElementsByTagName("value")
- .item(0) != null) {
- propertyValue = eElement
- .getElementsByTagName("value")
- .item(0).getTextContent().trim();
+
+ for (String fn : UGSYNC_CONFIG_XML_FILES ) {
+
+ InputStream in = getFileInputStream(fn) ;
+
+ if (in != null) {
+ try {
+ DocumentBuilderFactory xmlDocumentBuilderFactory = DocumentBuilderFactory.newInstance();
+ xmlDocumentBuilderFactory.setIgnoringComments(true);
+ xmlDocumentBuilderFactory.setNamespaceAware(true);
+ DocumentBuilder xmlDocumentBuilder = xmlDocumentBuilderFactory.newDocumentBuilder();
+ Document xmlDocument = xmlDocumentBuilder.parse(in);
+ xmlDocument.getDocumentElement().normalize();
+
+ NodeList nList = xmlDocument.getElementsByTagName(PROPERTY_ELEMENT_TAGNAME);
+
+ for (int temp = 0; temp < nList.getLength(); temp++) {
+
+ Node nNode = nList.item(temp);
+
+ if (nNode.getNodeType() == Node.ELEMENT_NODE) {
+
+ Element eElement = (Element) nNode;
+
+ String propertyName = "";
+ String propertyValue = "";
+ if (eElement.getElementsByTagName(NAME_ELEMENT_TAGNAME).item(
+ 0) != null) {
+ propertyName = eElement
+ .getElementsByTagName(NAME_ELEMENT_TAGNAME)
+ .item(0).getTextContent().trim();
+ }
+ if (eElement.getElementsByTagName(VALUE_ELEMENT_TAGNAME)
+ .item(0) != null) {
+ propertyValue = eElement
+ .getElementsByTagName(VALUE_ELEMENT_TAGNAME)
+ .item(0).getTextContent().trim();
+ }
+
+ LOG.info("Adding Property:[" + propertyName + "] Value:["+ propertyValue + "]");
+ if (prop.get(propertyName) != null ) {
+ prop.remove(propertyName) ;
+ }
+ prop.put(propertyName, propertyValue);
}
-
- LOG.info("Adding Property:[" + propertyName + "] Value:"+ propertyValue);
- prop.put(propertyName, propertyValue);
-
}
}
- }
- finally {
- try {
- in.close();
- }
- catch(IOException ioe) {
- // Ignore IOE when closing streams
+ finally {
+ try {
+ in.close();
+ }
+ catch(IOException ioe) {
+ // Ignore IOE when closing streams
+ }
}
}
}
+
+ String credStoreFileName = prop.getProperty(CREDSTORE_FILENAME_PARAM) ;
+
keyStorePath = prop.getProperty(SSL_KEYSTORE_PATH_PARAM) ;
- keyStorePathPassword = prop.getProperty(SSL_KEYSTORE_PATH_PASSWORD_PARAM) ;
+
+ if (credStoreFileName == null) {
+ throw new RuntimeException("Credential file is not defined. param = [" + CREDSTORE_FILENAME_PARAM + "]") ;
+ }
+
+ File credFile = new File(credStoreFileName) ;
+
+ if (! credFile.exists()) {
+ throw new RuntimeException("Credential file [" + credStoreFileName + "]: does not exists." );
+ }
+
+ if ( ! credFile.canRead() ) {
+ throw new RuntimeException("Credential file [" + credStoreFileName + "]: can not be read." );
+ }
+
+ keyStorePathPassword = CredentialReader.getDecryptedString(credStoreFileName, SSL_KEYSTORE_PATH_PASSWORD_ALIAS) ;
+ trustStorePathPassword = CredentialReader.getDecryptedString(credStoreFileName,SSL_TRUSTSTORE_PATH_PASSWORD_ALIAS) ;
+
trustStorePath = prop.getProperty(SSL_TRUSTSTORE_PATH_PARAM) ;
- trustStorePathPassword = prop.getProperty(SSL_TRUSTSTORE_PATH_PASSWORD_PARAM) ;
portNum = Integer.parseInt(prop.getProperty(REMOTE_LOGIN_AUTH_SERVICE_PORT_PARAM)) ;
String validatorProg = prop.getProperty(CRED_VALIDATOR_PROG) ;
if (validatorProg != null) {
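Review bot: The credential store is now mandatory unconditionally — init throws if `ranger.usersync.credstore.filename` is unset, missing or unreadable — even though the two passwords read from it are only consumed when `keyStorePath`/`trustStorePath` are non-empty (the later hunks guard both with `isEmpty()`), so a deployment with no SSL stores would fail in init over a file it never uses. Either make the lookup conditional on a store path being configured, or state in a comment on `CREDSTORE_FILENAME_PARAM` that the file is required for the service to start. The per-file `in` is closed in `finally`, which is good, but the parser built from `DocumentBuilderFactory.newInstance()` still accepts DOCTYPE declarations; `xmlDocumentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` next to the existing `setIgnoringComments` call closes that off. init continues past the end of the hunk.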
@@ -236,7 +269,7 @@ public class UnixAuthenticationService {
KeyManager[] km = null ;
- if (keyStorePath != null) {
+ if (keyStorePath != null && ! keyStorePath.isEmpty()) {
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()) ;
InputStream in = null ;
@@ -244,6 +277,9 @@ public class UnixAuthenticationService {
in = getFileInputStream(keyStorePath) ;
try {
+ if (keyStorePathPassword == null) {
+ keyStorePathPassword = "" ;
+ }
ks.load(in, keyStorePathPassword.toCharArray());
}
finally {
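Review bot: Replacing a null `keyStorePathPassword` with `""` hides the case where the credential store has no entry for `usersync.ssl.key.password`: `ks.load` then runs its integrity check against an empty password and, unless the store really has an empty password, fails with a generic "tampered with, or password was incorrect" error far from the real cause. Since the alias is resolved in init, a missing value is better reported there, e.g. `if (keyStorePathPassword == null) throw new RuntimeException("alias [" + SSL_KEYSTORE_PATH_PASSWORD_ALIAS + "] not found in credential store [" + credStoreFileName + "]");`, and the same applies to the truststore password defaulted in the later hunk. The enclosing method starts and ends outside the hunk.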
@@ -262,7 +298,7 @@ public class UnixAuthenticationService {
KeyStore trustStoreKeyStore = null ;
- if (trustStorePath != null) {
+ if (trustStorePath != null && ! trustStorePath.isEmpty()) {
trustStoreKeyStore = KeyStore.getInstance(KeyStore.getDefaultType()) ;
InputStream in = null ;
@@ -270,6 +306,9 @@ public class UnixAuthenticationService {
in = getFileInputStream(trustStorePath) ;
try {
+ if (trustStorePathPassword == null) {
+ trustStorePathPassword = "" ;
+ }
trustStoreKeyStore.load(in, trustStorePathPassword.toCharArray());
}
finally {
@@ -339,5 +378,4 @@ public class UnixAuthenticationService {
return ret ;
}
-
}