Posted to commits@ambari.apache.org by ga...@apache.org on 2016/06/23 05:48:05 UTC

[2/2] ambari git commit: AMBARI-17330. Ambari changes to support kerberized Ranger tagsync(Mugdha Varadkar via gautam)

AMBARI-17330. Ambari changes to support kerberized Ranger tagsync(Mugdha Varadkar via gautam)


Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/e5ff7fc7
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/e5ff7fc7
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/e5ff7fc7

Branch: refs/heads/trunk
Commit: e5ff7fc7e93c55f4422ce36e79d238c71fa82a28
Parents: 5d70458
Author: Gautam Borad <ga...@apache.org>
Authored: Wed Jun 22 11:07:58 2016 +0530
Committer: Gautam Borad <ga...@apache.org>
Committed: Thu Jun 23 11:17:53 2016 +0530

----------------------------------------------------------------------
 .../RANGER/0.4.0/package/scripts/params.py           |  7 ++++++-
 .../0.6.0/configuration/ranger-tagsync-site.xml      | 13 ++-----------
 .../common-services/RANGER/0.6.0/kerberos.json       | 15 +++++++++++++++
 .../RANGER_KMS/0.5.0.2.3/package/scripts/kms.py      |  1 -
 4 files changed, 23 insertions(+), 13 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ambari/blob/e5ff7fc7/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py
index 44fe3e3..ab5be74 100644
--- a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py
@@ -281,6 +281,12 @@ for host in config['clusterHostInfo']['zookeeper_hosts']:
   if index < len(config['clusterHostInfo']['zookeeper_hosts']):
     zookeeper_quorum += ","
 
+if security_enabled:
+  if has_ranger_tagsync:
+    ranger_tagsync_principal = config['configurations']['ranger-tagsync-site']['ranger.tagsync.kerberos.principal']
+    tagsync_jaas_principal = ranger_tagsync_principal.replace('_HOST', current_host.lower())
+    tagsync_keytab_path = config['configurations']['ranger-tagsync-site']['ranger.tagsync.kerberos.keytab']
+
 # logic to create core-site.xml if hdfs not installed
 if stack_supports_ranger_kerberos and not has_namenode:
   core_site_property = {
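Review bot: `ranger_tagsync_principal` is now bound only inside `if security_enabled:` / `if has_ranger_tagsync:`, yet the next hunk in this file drops the local assignment and still reads the name in `get_bare_principal(ranger_tagsync_principal)`. The block enclosing that read starts outside both hunks, so it is not visible whether it is also gated on `security_enabled`; if it is not, loading params.py would raise a NameError on a non-Kerberos cluster that has tagsync installed. A comment on the new block such as `# ranger_tagsync_principal is also read by the rule_dict block below; both must stay under security_enabled` would record the coupling. The two nested tests can also be written as `if security_enabled and has_ranger_tagsync:`.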
@@ -301,7 +307,6 @@ if stack_supports_ranger_kerberos and not has_namenode:
     ]
 
     if has_ranger_tagsync:
-      ranger_tagsync_principal = config['configurations']['ranger-tagsync-site']['ranger.tagsync.kerberos.principal']
       ranger_tagsync_bare_principal = get_bare_principal(ranger_tagsync_principal)
       rule_dict.append({'principal': ranger_tagsync_bare_principal, 'user': 'rangertagsync'})
 

http://git-wip-us.apache.org/repos/asf/ambari/blob/e5ff7fc7/ambari-server/src/main/resources/common-services/RANGER/0.6.0/configuration/ranger-tagsync-site.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.6.0/configuration/ranger-tagsync-site.xml b/ambari-server/src/main/resources/common-services/RANGER/0.6.0/configuration/ranger-tagsync-site.xml
index c5a575d..7985f58 100644
--- a/ambari-server/src/main/resources/common-services/RANGER/0.6.0/configuration/ranger-tagsync-site.xml
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.6.0/configuration/ranger-tagsync-site.xml
@@ -120,9 +120,9 @@
     <on-ambari-upgrade add="true"/>
   </property>
   <property>
-    <name>ranger.tagsync.atlas.to.ranger.service.mapping</name>
+    <name>ranger.tagsync.source.atlasrest.username</name>
     <value/>
-    <description>Service Mapping</description>
+    <description></description>
     <value-attributes>
       <empty-value-valid>true</empty-value-valid>
     </value-attributes>
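Review bot: The renamed property `ranger.tagsync.source.atlasrest.username` ships with an empty `<description></description>`, so an operator gets no hint about which account it names or where the matching credential is configured. A one-line description would help, for example `<description>Username tagsync uses for the Atlas REST tag source</description>`, with the wording confirmed against the tagsync documentation. The property element continues past the end of the hunk.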
@@ -139,15 +139,6 @@
     <on-ambari-upgrade add="true"/>
   </property>
   <property>
-    <name>ranger.tagsync.atlas.custom.resource.mappers</name>
-    <value/>
-    <description/>
-    <value-attributes>
-      <empty-value-valid>true</empty-value-valid>
-    </value-attributes>
-    <on-ambari-upgrade add="true"/>
-  </property>
-  <property>
     <name>ranger.tagsync.kerberos.principal</name>
     <value/>
     <description/>

http://git-wip-us.apache.org/repos/asf/ambari/blob/e5ff7fc7/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json b/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json
index cd34cd9..c633230 100644
--- a/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json
@@ -107,6 +107,21 @@
                 "configuration": "ranger-tagsync-site/ranger.tagsync.kerberos.keytab"
               }
             }
+          ],
+          "configurations": [
+            {
+              "tagsync-application-properties": {
+                "atlas.jaas.KafkaClient.loginModuleName": "com.sun.security.auth.module.Krb5LoginModule",
+                "atlas.jaas.KafkaClient.loginModuleControlFlag": "required",
+                "atlas.jaas.KafkaClient.option.useKeyTab": "true",
+                "atlas.jaas.KafkaClient.option.storeKey": "true",
+                "atlas.jaas.KafkaClient.option.serviceName": "kafka",
+                "atlas.jaas.KafkaClient.option.keyTab": "{{tagsync_keytab_path}}",
+                "atlas.jaas.KafkaClient.option.principal": "{{tagsync_jaas_principal}}",
+                "atlas.kafka.sasl.kerberos.service.name": "kafka",
+                "atlas.kafka.security.protocol": "SASL_PLAINTEXT"
+              }
+            }
           ]
         }
       ]
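Review bot: `atlas.kafka.security.protocol` is hard-coded to `SASL_PLAINTEXT`, so the tagsync Kafka client authenticates with Kerberos but the traffic is not protected by TLS. On a cluster whose brokers only accept `SASL_SSL`, this fixed value would need a manual override. It would be safer to derive the protocol from the Kafka broker configuration, or at least to document that it must be changed when TLS is enabled. The `{{tagsync_keytab_path}}` and `{{tagsync_jaas_principal}}` placeholders rely on the variables this commit adds to params.py, which are defined only when security is enabled and tagsync is present.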

http://git-wip-us.apache.org/repos/asf/ambari/blob/e5ff7fc7/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py
index 61bdce0..5847984 100755
--- a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py
+++ b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py
@@ -553,7 +553,6 @@ def check_ranger_service_support_kerberos():
   policymgr_mgr_url = params.policymgr_mgr_url
   if policymgr_mgr_url.endswith('/'):
     policymgr_mgr_url = policymgr_mgr_url.rstrip('/')
-  policymgr_mgr_url = format('{policymgr_mgr_url}/login.jsp')
   ranger_adm_obj = RangeradminV2(url=policymgr_mgr_url)
   response_code = ranger_adm_obj.check_ranger_login_curl(params.kms_user, params.rangerkms_keytab, params.rangerkms_principal, policymgr_mgr_url, True)