Posted to commits@ambari.apache.org by nc...@apache.org on 2017/01/27 18:17:52 UTC
[41/49] ambari git commit: AMBARI-19725. Atlas deployment via Ambari
should configure Zookeeper ACLs and Auth scheme. (Attila Magyar via stoader)
AMBARI-19725. Atlas deployment via Ambari should configure Zookeeper ACLs and Auth scheme. (Attila Magyar via stoader)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/16c0b68e
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/16c0b68e
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/16c0b68e
Branch: refs/heads/branch-dev-patch-upgrade
Commit: 16c0b68e6c60c84bef37ba566bce7a2ba349dbff
Parents: 2be01fb
Author: Attila Magyar <am...@hortonworks.com>
Authored: Fri Jan 27 12:35:27 2017 +0100
Committer: Toader, Sebastian <st...@hortonworks.com>
Committed: Fri Jan 27 12:35:47 2017 +0100
----------------------------------------------------------------------
.../package/scripts/metadata_server.py | 13 ++-
.../ATLAS/0.1.0.2.3/package/scripts/params.py | 4 +
.../stacks/HDP/2.6/services/ATLAS/kerberos.json | 97 ++++++++++++++++++++
3 files changed, 113 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/16c0b68e/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata_server.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata_server.py b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata_server.py
index 36d990d..ad3270e 100644
--- a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata_server.py
+++ b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata_server.py
@@ -37,7 +37,7 @@ from resource_management.libraries.functions.constants import StackFeature
from resource_management.core.resources.system import Directory
from resource_management.core.logger import Logger
from setup_ranger_atlas import setup_ranger_atlas
-
+from resource_management.core.resources.zkmigrator import ZkMigrator
class MetadataServer(Script):
@@ -152,6 +152,17 @@ class MetadataServer(Script):
File(params.pid_file, action="delete")
+ def disable_security(self, env):
+ import params
+ if not params.stack_supports_zk_security:
+ Logger.info("Stack doesn't support zookeeper security")
+ return
+ if not params.zookeeper_quorum:
+ Logger.info("No zookeeper connection string. Skipping reverting ACL")
+ return
+ zkmigrator = ZkMigrator(params.zookeeper_quorum, params.java_exec, params.java64_home, params.atlas_jaas_file, params.metadata_user)
+ zkmigrator.set_acls(params.zk_root if params.zk_root.startswith('/') else '/' + params.zk_root, 'world:anyone:crdwa')
+
def status(self, env):
import status_params
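Review bot: An empty `atlas.server.ha.zookeeper.zkroot` makes the path expression in `disable_security` evaluate to `/`, so `world:anyone:crdwa` would be applied to the ZooKeeper root instead of the Atlas znode. The `default(...)` added in params.py only covers a missing key, not a blank or `/` value. Whether `ZkMigrator.set_acls` recurses is not visible here, but if it does, this would open other services' znodes on a shared quorum. I would normalise once with `zk_root = '/' + params.zk_root.strip().strip('/')` and return early with a log line when `zk_root == '/'`. A short docstring on `disable_security` stating that it reverts the Atlas znode to open ACLs when Kerberos is disabled would also help, since the name alone does not say that it loosens permissions.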
http://git-wip-us.apache.org/repos/asf/ambari/blob/16c0b68e/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py
index afd6dde..682fc9f 100644
--- a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py
+++ b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py
@@ -81,6 +81,9 @@ cluster_name = config['clusterName']
java_version = expect("/hostLevelParams/java_version", int)
+zk_root = default('/configurations/application-properties/atlas.server.ha.zookeeper.zkroot', '/apache_atlas')
+stack_supports_zk_security = check_stack_feature(StackFeature.SECURE_ZOOKEEPER, version_for_stack_feature_checks)
+
if security_enabled:
_hostname_lowercase = config['hostname'].lower()
_atlas_principal_name = config['configurations']['application-properties']['atlas.authentication.principal']
@@ -115,6 +118,7 @@ user_group = config['configurations']['cluster-env']['user_group']
# metadata env
java64_home = config['hostLevelParams']['java_home']
+java_exec = format("{java64_home}/bin/java")
env_sh_template = config['configurations']['atlas-env']['content']
# credential provider
http://git-wip-us.apache.org/repos/asf/ambari/blob/16c0b68e/ambari-server/src/main/resources/stacks/HDP/2.6/services/ATLAS/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.6/services/ATLAS/kerberos.json b/ambari-server/src/main/resources/stacks/HDP/2.6/services/ATLAS/kerberos.json
new file mode 100644
index 0000000..1cc581f
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/HDP/2.6/services/ATLAS/kerberos.json
@@ -0,0 +1,97 @@
+{
+ "services": [
+ {
+ "name": "ATLAS",
+ "configurations": [
+ {
+ "application-properties": {
+ "atlas.authentication.method.kerberos": "true",
+ "atlas.kafka.sasl.kerberos.service.name": "${kafka-env/kafka_user}",
+ "atlas.kafka.security.protocol": "PLAINTEXTSASL",
+ "atlas.jaas.KafkaClient.loginModuleName": "com.sun.security.auth.module.Krb5LoginModule",
+ "atlas.jaas.KafkaClient.loginModuleControlFlag": "required",
+ "atlas.jaas.KafkaClient.option.useKeyTab": "true",
+ "atlas.jaas.KafkaClient.option.storeKey": "true",
+ "atlas.jaas.KafkaClient.option.serviceName": "${kafka-env/kafka_user}",
+ "atlas.solr.kerberos.enable": "true",
+ "atlas.server.ha.zookeeper.acl" : "auth:"
+ }
+ },
+ {
+ "ranger-atlas-audit": {
+ "xasecure.audit.jaas.Client.loginModuleName": "com.sun.security.auth.module.Krb5LoginModule",
+ "xasecure.audit.jaas.Client.loginModuleControlFlag": "required",
+ "xasecure.audit.jaas.Client.option.useKeyTab": "true",
+ "xasecure.audit.jaas.Client.option.storeKey": "false",
+ "xasecure.audit.jaas.Client.option.serviceName": "solr",
+ "xasecure.audit.destination.solr.force.use.inmemory.jaas.config": "true"
+ }
+ }
+ ],
+ "auth_to_local_properties" : [
+ "application-properties/atlas.authentication.method.kerberos.name.rules|new_lines_escaped"
+ ],
+ "components": [
+ {
+ "name": "ATLAS_SERVER",
+ "identities": [
+ {
+ "name": "atlas",
+ "principal": {
+ "value": "atlas/_HOST@${realm}",
+ "type" : "service",
+ "configuration": "application-properties/atlas.jaas.KafkaClient.option.principal",
+ "local_username" : "${atlas-env/metadata_user}"
+ },
+ "keytab": {
+ "file": "${keytab_dir}/atlas.service.keytab",
+ "owner": {
+ "name": "${atlas-env/metadata_user}",
+ "access": "r"
+ },
+ "group": {
+ "name": "${cluster-env/user_group}",
+ "access": ""
+ },
+ "configuration": "application-properties/atlas.jaas.KafkaClient.option.keyTab"
+ }
+ },
+ {
+ "name": "atlas_auth",
+ "reference": "/ATLAS/ATLAS_SERVER/atlas",
+ "principal": {
+ "configuration": "application-properties/atlas.authentication.principal"
+ },
+ "keytab": {
+ "configuration": "application-properties/atlas.authentication.keytab"
+ }
+ },
+ {
+ "name": "/spnego",
+ "principal": {
+ "value": "HTTP/_HOST@${realm}",
+ "configuration": "application-properties/atlas.authentication.method.kerberos.principal"
+ },
+ "keytab": {
+ "configuration": "application-properties/atlas.authentication.method.kerberos.keytab"
+ }
+ },
+ {
+ "name": "ranger_atlas_audit",
+ "reference": "/ATLAS/ATLAS_SERVER/atlas",
+ "principal": {
+ "configuration": "ranger-atlas-audit/xasecure.audit.jaas.Client.option.principal"
+ },
+ "keytab": {
+ "configuration": "ranger-atlas-audit/xasecure.audit.jaas.Client.option.keyTab"
+ }
+ },
+ {
+ "name": "/KAFKA/KAFKA_BROKER/kafka_broker"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
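Review bot: As far as I can tell, `"atlas.server.ha.zookeeper.acl" : "auth:"` only governs znodes Atlas creates after Kerberos is enabled, and this commit adds no enable-side counterpart to `disable_security` in metadata_server.py. Znodes that already exist under the zkroot would then presumably keep their earlier ACLs, possibly `world:anyone`. If so, a one-time ACL migration when Kerberos is enabled, or a documented manual step, would close that gap. Separately, `atlas.kafka.security.protocol` is set to `PLAINTEXTSASL`, which authenticates the Kafka client but leaves the traffic unencrypted; it is worth confirming that this is intended for the stack version.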