Posted to commits@ranger.apache.org by sn...@apache.org on 2015/05/25 16:38:03 UTC
[11/15] incubator-ranger git commit: RANGER-501 : Add solr audit
connectivity properties to Ranger Admin
RANGER-501 : Add solr audit connectivity properties to Ranger Admin
Signed-off-by: sneethiraj <sn...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/0421271e
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/0421271e
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/0421271e
Branch: refs/heads/ranger-0.5
Commit: 0421271e2b891a7fe0ade809e0e41f720fafe62a
Parents: 6de1bbc
Author: Gautam Borad <gb...@gmail.com>
Authored: Thu May 21 20:26:05 2015 +0530
Committer: sneethiraj <sn...@apache.org>
Committed: Fri May 22 09:31:48 2015 -0400
----------------------------------------------------------------------
security-admin/scripts/db_setup.py | 17 ++++--
security-admin/scripts/dba_script.py | 13 +++-
security-admin/scripts/install.properties | 5 +-
.../scripts/ranger-admin-site-template.xml | 2 +-
security-admin/scripts/setup.sh | 63 +++++++++++++++++---
security-admin/scripts/upgrade_admin.py | 2 +-
.../apache/ranger/common/PropertiesUtil.java | 19 ++++++
.../conf.dist/ranger-admin-default-site.xml | 6 +-
.../resources/conf.dist/ranger-admin-site.xml | 18 +++++-
9 files changed, 125 insertions(+), 20 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0421271e/security-admin/scripts/db_setup.py
----------------------------------------------------------------------
diff --git a/security-admin/scripts/db_setup.py b/security-admin/scripts/db_setup.py
index 6590eb2..e50421c 100644
--- a/security-admin/scripts/db_setup.py
+++ b/security-admin/scripts/db_setup.py
@@ -1263,6 +1263,14 @@ def main(argv):
log("[I] --------- Verifying Ranger DB connection ---------","info")
xa_sqlObj.check_connection(db_name, db_user, db_password)
+ if 'audit_store' in globalDict:
+ audit_store = globalDict['audit_store']
+ else:
+ audit_store = None
+
+ if audit_store is None or audit_store == "":
+ audit_store = "db"
+ audit_store=audit_store.lower()
if len(argv)==1:
log("[I] --------- Verifying Ranger DB tables ---------","info")
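Review bot: Any `audit_store` value other than `db` makes the later `if audit_store == "db":` guard false, so the audit schema and patch steps are skipped with no log line; that includes a typo, or `db ` with trailing whitespace, because the value is lower-cased but not stripped (unless the properties loader already trims it). I would normalise with `audit_store = (globalDict.get('audit_store') or 'db').strip().lower()` and reject anything outside the supported values (`db` and `solr`, judging by setup.sh) with an `[E]` log and a non-zero exit. The same block is duplicated in the first `dba_script.py` hunk, where it gates `create_auditdb_user`, so a shared helper would keep the two in step. `main` starts and ends outside this hunk.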
@@ -1278,10 +1286,11 @@ def main(argv):
xa_sqlObj.upgrade_db(db_name, db_user, db_password, xa_db_version_file)
log("[I] --------- Applying Ranger DB patches ---------","info")
xa_sqlObj.apply_patches(db_name, db_user, db_password, xa_patch_file)
- log("[I] --------- Starting Audit Operation ---------","info")
- audit_sqlObj.auditdb_operation(xa_db_host, audit_db_host, db_name, audit_db_name, db_user, audit_db_user, db_password, audit_db_password, audit_db_file, xa_access_audit)
- log("[I] --------- Applying Audit DB patches ---------","info")
- audit_sqlObj.apply_auditdb_patches(xa_sqlObj,xa_db_host, audit_db_host, db_name, audit_db_name, db_user, audit_db_user, db_password, audit_db_password, audit_patch_file, xa_access_audit)
+ if audit_store == "db":
+ log("[I] --------- Starting Audit Operation ---------","info")
+ audit_sqlObj.auditdb_operation(xa_db_host, audit_db_host, db_name, audit_db_name, db_user, audit_db_user, db_password, audit_db_password, audit_db_file, xa_access_audit)
+ log("[I] --------- Applying Audit DB patches ---------","info")
+ audit_sqlObj.apply_auditdb_patches(xa_sqlObj,xa_db_host, audit_db_host, db_name, audit_db_name, db_user, audit_db_user, db_password, audit_db_password, audit_patch_file, xa_access_audit)
# '''
if len(argv)>1:
for i in range(len(argv)):
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0421271e/security-admin/scripts/dba_script.py
----------------------------------------------------------------------
diff --git a/security-admin/scripts/dba_script.py b/security-admin/scripts/dba_script.py
index 9dfba94..c37edbc 100644
--- a/security-admin/scripts/dba_script.py
+++ b/security-admin/scripts/dba_script.py
@@ -1373,6 +1373,14 @@ def main(argv):
log("[E] ---------- NO SUCH SUPPORTED DB FLAVOUR.. ----------", "error")
sys.exit(1)
+ if 'audit_store' in globalDict:
+ audit_store = globalDict['audit_store']
+ else:
+ audit_store = None
+
+ if audit_store is None or audit_store == "":
+ audit_store = "db"
+ audit_store=audit_store.lower()
# Methods Begin
if DBA_MODE == "TRUE" :
if (dryMode==True):
@@ -1392,7 +1400,8 @@ def main(argv):
log("[I] ---------- Granting permission to Ranger Admin db user ----------","info")
xa_sqlObj.grant_xa_db_user(xa_db_root_user, db_name, db_user, db_password, xa_db_root_password, is_revoke,dryMode)
# Ranger Admin DB Host AND Ranger Audit DB Host are Different OR Same
- log("[I] ---------- Verifying/Creating audit user --------- ","info")
- audit_sqlObj.create_auditdb_user(xa_db_host, audit_db_host, db_name, audit_db_name, xa_db_root_user, audit_db_root_user, db_user, audit_db_user, xa_db_root_password, audit_db_root_password, db_password, audit_db_password, DBA_MODE,dryMode)
+ if audit_store == "db":
+ log("[I] ---------- Verifying/Creating audit user --------- ","info")
+ audit_sqlObj.create_auditdb_user(xa_db_host, audit_db_host, db_name, audit_db_name, xa_db_root_user, audit_db_root_user, db_user, audit_db_user, xa_db_root_password, audit_db_root_password, db_password, audit_db_password, DBA_MODE,dryMode)
log("[I] ---------- Ranger Policy Manager DB and User Creation Process Completed.. ---------- ","info")
main(sys.argv)
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0421271e/security-admin/scripts/install.properties
----------------------------------------------------------------------
diff --git a/security-admin/scripts/install.properties b/security-admin/scripts/install.properties
index 7490dd6..820d9c7 100644
--- a/security-admin/scripts/install.properties
+++ b/security-admin/scripts/install.properties
@@ -66,7 +66,10 @@ db_password=
audit_store=db
# * audit_solr_url URL to Solr. E.g. http://<solr_host>:6083/solr/ranger_audits
-audit_solr_url=
+audit_solr_urls=
+audit_solr_user=
+audit_solr_password=
+audit_solr_zookeepers=
#
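Review bot: The comment above the renamed key still documents `audit_solr_url`, and the three new keys have no comment at all. I would change it to `# * audit_solr_urls` with the separator to use for several URLs, and add one comment line each for `audit_solr_user`, `audit_solr_password` and `audit_solr_zookeepers`. Because `audit_solr_password` sits in this file in clear text, a comment telling the operator to restrict the file's permissions, or to blank the value once setup has run, would also help.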
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0421271e/security-admin/scripts/ranger-admin-site-template.xml
----------------------------------------------------------------------
diff --git a/security-admin/scripts/ranger-admin-site-template.xml b/security-admin/scripts/ranger-admin-site-template.xml
index 2c0462d..001248f 100644
--- a/security-admin/scripts/ranger-admin-site-template.xml
+++ b/security-admin/scripts/ranger-admin-site-template.xml
@@ -157,7 +157,7 @@
<value></value>
</property>
<property>
- <name>ranger.solr.url</name>
+ <name>ranger.audit.solr.urls</name>
<value></value>
</property>
<property>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0421271e/security-admin/scripts/setup.sh
----------------------------------------------------------------------
diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh
index 4b5e6b9..12224c4 100755
--- a/security-admin/scripts/setup.sh
+++ b/security-admin/scripts/setup.sh
@@ -157,10 +157,13 @@ init_variables(){
getPropertyFromFile 'db_password' $PROPFILE db_password
if [ "${audit_store}" == "solr" ]
then
- getPropertyFromFile 'audit_solr_url' $PROPFILE audit_solr_url
+ getPropertyFromFile 'audit_solr_urls' $PROPFILE audit_solr_urls
+ getPropertyFromFile 'audit_solr_user' $PROPFILE audit_solr_user
+ getPropertyFromFile 'audit_solr_password' $PROPFILE audit_solr_password
+ getPropertyFromFile 'audit_solr_zookeepers' $PROPFILE audit_solr_zookeepers
else
- getPropertyFromFile 'audit_db_user' $PROPFILE audit_db_user
- getPropertyFromFile 'audit_db_password' $PROPFILE audit_db_password
+ getPropertyFromFile 'audit_db_user' $PROPFILE audit_db_user
+ getPropertyFromFile 'audit_db_password' $PROPFILE audit_db_password
fi
}
@@ -872,11 +875,11 @@ update_properties() {
fi
if [ "${audit_store}" == "solr" ]
- then
- propertyName=ranger.solr.url
- newPropertyValue=${audit_solr_url}
- updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
- fi
+ then
+ propertyName=ranger.audit.solr.urls
+ newPropertyValue=${audit_solr_urls}
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+ fi
propertyName=ranger.audit.source.type
newPropertyValue=${audit_store}
@@ -983,6 +986,50 @@ update_properties() {
updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
fi
fi
+ if [ "${audit_store}" == "solr" ]
+ then
+ if [ "${audit_solr_zookeepers}" != "" ]
+ then
+ propertyName=ranger.audit.solr.zookeepers
+ newPropertyValue=${audit_solr_zookeepers}
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+ fi
+ if [ "${audit_solr_user}" != "" ] && [ "${audit_solr_password}" != "" ]
+ then
+ propertyName=ranger.solr.audit.user
+ newPropertyValue=${audit_solr_user}
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+
+ if [ "${keystore}" != "" ]
+ then
+ echo "Starting configuration for solr credentials:"
+ mkdir -p `dirname "${keystore}"`
+ audit_solr_password_alias=ranger.solr.password
+
+ $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$audit_solr_password_alias" -value "$audit_solr_password" -provider jceks://file$keystore
+
+ propertyName=ranger.solr.audit.credential.alias
+ newPropertyValue="${audit_solr_password_alias}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default
+
+ propertyName=ranger.solr.audit.user.password
+ newPropertyValue="_"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+ else
+ propertyName=ranger.solr.audit.user.password
+ newPropertyValue="${audit_solr_password}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+ fi
+
+ if test -f $keystore; then
+ chown -R ${unix_user}:${unix_group} ${keystore}
+ else
+ propertyName=ranger.solr.audit.user.password
+ newPropertyValue="${audit_solr_password}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+ fi
+ fi
+ fi
}
create_audit_db_user(){
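Review bot: The Solr password is passed to `buildks` as the command-line argument `-value "$audit_solr_password"`, so other local users can read it in the process list while the JVM runs; if the credential tool accepts the value through a non-argv channel, that would be safer (not verifiable from this hunk). The trailing `if test -f $keystore` is unquoted, so with an empty `keystore` it collapses to `test -f`, which is true, and `chown` then runs without a path; `if test -f "$keystore"; then` fixes that. When the keystore file is missing, the `else` branch writes the clear-text password into the site file without a log line, and the exit status of the java call is never checked, so a failed keystore build silently degrades to clear-text storage. Quoting the helper arguments, `updatePropertyToFilePy "$propertyName" "$newPropertyValue" "$to_file_ranger"`, would also keep a password containing spaces or glob characters intact. `update_properties` starts outside the hunk.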
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0421271e/security-admin/scripts/upgrade_admin.py
----------------------------------------------------------------------
diff --git a/security-admin/scripts/upgrade_admin.py b/security-admin/scripts/upgrade_admin.py
index 823edc1..5c79192 100755
--- a/security-admin/scripts/upgrade_admin.py
+++ b/security-admin/scripts/upgrade_admin.py
@@ -107,7 +107,7 @@ config2xmlMAP = {
'xa.logs.base.dir':'ranger.logs.base.dir',
'xa.scheduler.enabled':'ranger.scheduler.enabled',
'xa.audit.store':'ranger.audit.source.type',
- 'audit_solr_url':'ranger.solr.url',
+ 'audit_solr_urls':'ranger.audit.solr.urls',
'auditDB.jdbc.dialect':'ranger.jpa.audit.jdbc.dialect',
'auditDB.jdbc.driver':'ranger.jpa.audit.jdbc.driver',
'auditDB.jdbc.url':'ranger.jpa.audit.jdbc.url',
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0421271e/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
index 5549578..a0bfff4 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
@@ -133,6 +133,25 @@ public class PropertiesUtil extends PropertyPlaceholderConfigurer {
}
}
}
+ if(propertiesMap!=null && propertiesMap.containsKey("ranger.audit.source.type")){
+ String auditStore=propertiesMap.get("ranger.audit.source.type");
+ if(auditStore!=null && (auditStore.equalsIgnoreCase("solr"))){
+ if(propertiesMap!=null && propertiesMap.containsKey("ranger.credential.provider.path") && propertiesMap.containsKey("ranger.solr.audit.credential.alias")){
+ String path=propertiesMap.get("ranger.credential.provider.path");
+ String alias=propertiesMap.get("ranger.solr.audit.credential.alias");
+ if(path!=null && alias!=null){
+ String solrAuditPassword=CredentialReader.getDecryptedString(path.trim(), alias.trim());
+ if(solrAuditPassword!=null&& !solrAuditPassword.trim().isEmpty() &&
+ !solrAuditPassword.trim().equalsIgnoreCase("none")){
+ propertiesMap.put("ranger.solr.audit.user.password", solrAuditPassword);
+ props.put("ranger.solr.audit.user.password", solrAuditPassword);
+ }else{
+ logger.info("Credential keystore password not applied for Solr ; clear text password shall be applicable");
+ }
+ }
+ }
+ }
+ }
super.processProperties(beanFactory, props);
}
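Review bot: When the keystore lookup returns null, empty or `none`, the code keeps whatever clear-text `ranger.solr.audit.user.password` the site file holds and reports this only at info level. That case means a credential store was configured but not used, so `logger.warn(...)` naming the alias (never the password) would make the downgrade visible to operators. The inner `propertiesMap!=null` on the `ranger.credential.provider.path` check repeats the outer test and can be dropped. A one-line comment above the block saying that the decrypted value overrides the site-file property in both `propertiesMap` and `props` would help the next reader. The enclosing method starts outside the hunk.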
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0421271e/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
index 0783f69..75d2490 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
@@ -431,5 +431,9 @@
<value>100</value>
<description></description>
</property>
-
+ <property>
+ <name>ranger.solr.audit.credential.alias</name>
+ <value>ranger.solr.password</value>
+ <description></description>
+ </property>
</configuration>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0421271e/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
index d0a4fe4..2660e19 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
@@ -46,7 +46,7 @@
<description></description>
</property>
<property>
- <name>ranger.solr.url</name>
+ <name>ranger.audit.solr.urls</name>
<value>http://##solr_host##:6083/solr/ranger_audits</value>
<description></description>
</property>
@@ -202,5 +202,19 @@
<name>ranger.service.https.attrib.keystore.file</name>
<value>/etc/ranger/admin/keys/server.jks</value>
</property>
-
+ <property>
+ <name>ranger.solr.audit.user</name>
+ <value></value>
+ <description></description>
+ </property>
+ <property>
+ <name>ranger.solr.audit.user.password</name>
+ <value></value>
+ <description></description>
+ </property>
+ <property>
+ <name>ranger.audit.solr.zookeepers</name>
+ <value></value>
+ <description></description>
+ </property>
</configuration>
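Review bot: The three new properties ship with empty `<description>` elements, and `ranger.solr.audit.user.password` in particular needs one, for example `Clear-text Solr password; set to _ by setup.sh when the credential keystore holds it` (wording based on what the setup.sh hunk writes). The default `ranger.audit.solr.urls` value in the first hunk of this file is an `http://` URL, so once a user and password are configured they would presumably travel unencrypted unless the operator switches to https. That is worth stating in the description as well.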