Posted to commits@ambari.apache.org by ga...@apache.org on 2016/04/19 09:20:07 UTC
ambari git commit: AMBARI-15878. Update code for creating jceks
credential for Ranger and Ranger Kms services (Mugdha Varadkar via gautam)
Repository: ambari
Updated Branches:
refs/heads/trunk 91122e4fc -> 6c192789f
AMBARI-15878. Update code for creating jceks credential for Ranger and Ranger Kms services (Mugdha Varadkar via gautam)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/6c192789
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/6c192789
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/6c192789
Branch: refs/heads/trunk
Commit: 6c192789fe8b6d99c97df35da36dbf70bb3f3144
Parents: 91122e4
Author: Gautam Borad <ga...@apache.org>
Authored: Thu Apr 14 14:20:38 2016 +0530
Committer: Gautam Borad <ga...@apache.org>
Committed: Tue Apr 19 12:49:54 2016 +0530
----------------------------------------------------------------------
.../0.4.0/package/scripts/setup_ranger_xml.py | 51 ++++++--------------
.../RANGER_KMS/0.5.0.2.3/package/scripts/kms.py | 6 ++-
2 files changed, 20 insertions(+), 37 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/6c192789/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
index f3f9c7e..9f31983 100644
--- a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
@@ -230,17 +230,10 @@ def do_keystore_setup(upgrade_type=None):
ranger_home = params.ranger_home
cred_lib_path = params.cred_lib_path
- cred_setup_prefix = params.cred_setup_prefix
- if not is_empty(params.ranger_credential_provider_path):
- jceks_path = params.ranger_credential_provider_path
- cred_setup = cred_setup_prefix + ('-f', jceks_path, '-k', params.ranger_jpa_jdbc_credential_alias, '-v', PasswordString(params.ranger_ambari_db_password), '-c', '1')
+ if not is_empty(params.ranger_credential_provider_path):
+ ranger_credential_helper(cred_lib_path, params.ranger_jpa_jdbc_credential_alias, params.ranger_ambari_db_password, params.ranger_credential_provider_path)
- Execute(cred_setup,
- environment={'RANGER_ADMIN_HOME':ranger_home, 'JAVA_HOME': params.java_home},
- logoutput=True,
- sudo=True
- )
File(params.ranger_credential_provider_path,
owner = params.unix_user,
group = params.unix_group,
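Review bot: `ranger_home = params.ranger_home` at the top of this hunk appears to be left without a reader, since the only visible use was the `RANGER_ADMIN_HOME` entry in the removed Execute environment. do_keystore_setup continues outside the hunk, so confirm there is no later use before dropping the assignment. The new call passes four positional strings, two of which are an alias name and a password; keyword arguments would make a swapped alias and value much harder to write, e.g. `ranger_credential_helper(cred_lib_path, alias_key=params.ranger_jpa_jdbc_credential_alias, alias_value=params.ranger_ambari_db_password, file_path=params.ranger_credential_provider_path)`. The same form would suit the other call sites in this file.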
@@ -248,13 +241,7 @@ def do_keystore_setup(upgrade_type=None):
)
if not is_empty(params.ranger_credential_provider_path) and (params.ranger_audit_source_type).lower() == 'db' and not is_empty(params.ranger_ambari_audit_db_password):
- jceks_path = params.ranger_credential_provider_path
- cred_setup = cred_setup_prefix + ('-f', jceks_path, '-k', params.ranger_jpa_audit_jdbc_credential_alias, '-v', PasswordString(params.ranger_ambari_audit_db_password), '-c', '1')
- Execute(cred_setup,
- environment={'RANGER_ADMIN_HOME':ranger_home, 'JAVA_HOME': params.java_home},
- logoutput=True,
- sudo=True
- )
+ ranger_credential_helper(cred_lib_path, params.ranger_jpa_audit_jdbc_credential_alias, params.ranger_ambari_audit_db_password, params.ranger_credential_provider_path)
File(params.ranger_credential_provider_path,
owner = params.unix_user,
@@ -382,21 +369,14 @@ def setup_usersync(upgrade_type=None):
if os.path.isfile(params.cred_validator_file):
File(params.cred_validator_file, group=params.unix_group, mode=04555)
- cred_file = format('{ranger_home}/ranger_credential_helper.py')
- if os.path.isfile(format('{usersync_home}/ranger_credential_helper.py')):
- cred_file = format('{usersync_home}/ranger_credential_helper.py')
-
cred_lib = os.path.join(usersync_home,"lib","*")
- cred_setup_prefix = (cred_file, '-l', cred_lib)
- cred_setup = cred_setup_prefix + ('-f', params.ugsync_jceks_path, '-k', 'usersync.ssl.key.password', '-v', PasswordString(params.ranger_usersync_keystore_password), '-c', '1')
- Execute(cred_setup, environment={'JAVA_HOME': params.java_home}, logoutput=True, sudo=True)
+ ranger_credential_helper(cred_lib, 'usersync.ssl.key.password', params.ranger_usersync_keystore_password, params.ugsync_jceks_path)
- cred_setup = cred_setup_prefix + ('-f', params.ugsync_jceks_path, '-k', 'ranger.usersync.ldap.bindalias', '-v', PasswordString(params.ranger_usersync_ldap_ldapbindpassword), '-c', '1')
- Execute(cred_setup, environment={'JAVA_HOME': params.java_home}, logoutput=True, sudo=True)
+ if not is_empty(params.ranger_usersync_ldap_ldapbindpassword) and params.ug_sync_source == 'org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder':
+ ranger_credential_helper(cred_lib, 'ranger.usersync.ldap.bindalias', params.ranger_usersync_ldap_ldapbindpassword, params.ugsync_jceks_path)
- cred_setup = cred_setup_prefix + ('-f', params.ugsync_jceks_path, '-k', 'usersync.ssl.truststore.password', '-v', PasswordString(params.ranger_usersync_truststore_password), '-c', '1')
- Execute(cred_setup, environment={'JAVA_HOME': params.java_home}, logoutput=True, sudo=True)
+ ranger_credential_helper(cred_lib, 'usersync.ssl.truststore.password', params.ranger_usersync_truststore_password, params.ugsync_jceks_path)
File(params.ugsync_jceks_path,
owner = params.unix_user,
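Review bot: The keystore and truststore aliases are still written unconditionally, while the LDAP bind alias in the same hunk is now guarded with `is_empty`. If either `params.ranger_usersync_keystore_password` or `params.ranger_usersync_truststore_password` is unset, buildks is invoked with an empty `-value`, and whether it then fails or stores an empty secret is not visible here. Guarding them the same way, e.g. `if not is_empty(params.ranger_usersync_keystore_password):`, would make the three calls consistent. The literal `'org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder'` would read better as a named constant. Presumably an alias written earlier also stays in the store once the sync source moves away from LDAP, which deserves a comment. setup_usersync continues outside the hunk.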
@@ -497,17 +477,10 @@ def setup_tagsync(upgrade_type=None):
Execute(('cp', '-f', src_file, dst_file), sudo=True)
File(tagsync_log4j_file, owner=params.unix_user, group=params.unix_group)
- cred_file = format('{ranger_home}/ranger_credential_helper.py')
- if os.path.isfile(format('{ranger_tagsync_home}/ranger_credential_helper.py')):
- cred_file = format('{ranger_tagsync_home}/ranger_credential_helper.py')
-
cred_lib = os.path.join(ranger_tagsync_home,"lib","*")
- cred_setup_prefix = (cred_file, '-l', cred_lib)
if not is_empty(params.tagsync_jceks_path) and not is_empty(params.ranger_tagsync_tagadmin_password) and params.tagsync_enabled:
- cred_setup = cred_setup_prefix + ('-f', params.tagsync_jceks_path, '-k', 'tagadmin.user.password', '-v', PasswordString(params.ranger_tagsync_tagadmin_password), '-c', '1')
- Execute(cred_setup, environment={'JAVA_HOME': params.java_home}, logoutput=True, sudo=True)
-
+ ranger_credential_helper(cred_lib, 'tagadmin.user.password', params.ranger_tagsync_tagadmin_password, params.tagsync_jceks_path)
File(params.tagsync_jceks_path,
owner = params.unix_user,
group = params.unix_group,
@@ -522,3 +495,11 @@ def setup_tagsync(upgrade_type=None):
not_if=format("ls /usr/bin/ranger-tagsync"),
only_if=format("ls {tagsync_services_file}"),
sudo=True)
+
+def ranger_credential_helper(lib_path, alias_key, alias_value, file_path):
+ import params
+
+ java_bin = format('{java_home}/bin/java')
+ file_path = format('jceks://file{file_path}')
+ cmd = (java_bin, '-cp', lib_path, 'org.apache.ranger.credentialapi.buildks', 'create', alias_key, '-value', PasswordString(alias_value), '-provider', file_path)
+ Execute(cmd, environment={'JAVA_HOME': params.java_home}, logoutput=True, sudo=True)
\ No newline at end of file
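Review bot: ranger_credential_helper still hands the secret to the child process as the `-value` argument, so it sits in that process's argument list, which other local accounts can usually read, for as long as the java process runs. PasswordString, as far as I can tell, only masks the value in Ambari's own command logging, and the same applies to the `cmd` tuple in kms.py's do_keystore_setup. If buildks can take the value from stdin or a file, prefer that; otherwise record the limitation with a comment above `cmd`, e.g. `# alias_value travels on argv; PasswordString hides it from Ambari logs only`. The helper also has no docstring: one sentence saying that it creates alias_key in the JCEKS store at file_path (an absolute path, since it is appended to `jceks://file`) using the classpath in lib_path would cover it.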
http://git-wip-us.apache.org/repos/asf/ambari/blob/6c192789/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py
index dd91acf..f63d660 100755
--- a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py
+++ b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py
@@ -111,8 +111,10 @@ def do_keystore_setup(cred_provider_path, credential_alias, credential_password)
import params
if cred_provider_path is not None:
- cred_setup = params.cred_setup_prefix + ('-f', cred_provider_path, '-k', credential_alias, '-v', PasswordString(credential_password), '-c', '1')
- Execute(cred_setup,
+ java_bin = format('{java_home}/bin/java')
+ file_path = format('jceks://file{cred_provider_path}')
+ cmd = (java_bin, '-cp', params.cred_lib_path, 'org.apache.ranger.credentialapi.buildks', 'create', credential_alias, '-value', PasswordString(credential_password), '-provider', file_path)
+ Execute(cmd,
environment={'JAVA_HOME': params.java_home},
logoutput=True,
sudo=True,
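Review bot: The unchanged guard `if cred_provider_path is not None:` lets an empty string through, and the new `format('jceks://file{cred_provider_path}')` would then produce the provider URI `jceks://file` with no path. The RANGER script guards the equivalent call with `is_empty`; if that helper is importable in kms.py, `if not is_empty(cred_provider_path):` keeps the two consistent. The four added lines also repeat ranger_credential_helper from setup_ranger_xml.py almost verbatim, so a later change to the buildks arguments has to be made in both places; a comment pointing at the other copy would help. The Execute call continues past the end of the hunk.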