Posted to commits@ranger.apache.org by sn...@apache.org on 2015/05/22 15:47:54 UTC

incubator-ranger git commit: RANGER-501 : Add solr audit connectivity properties to Ranger Admin

Repository: incubator-ranger
Updated Branches:
  refs/heads/master 6de1bbc8f -> 0421271e2


RANGER-501 : Add solr audit connectivity properties to Ranger Admin

Signed-off-by: sneethiraj <sn...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/0421271e
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/0421271e
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/0421271e

Branch: refs/heads/master
Commit: 0421271e2b891a7fe0ade809e0e41f720fafe62a
Parents: 6de1bbc
Author: Gautam Borad <gb...@gmail.com>
Authored: Thu May 21 20:26:05 2015 +0530
Committer: sneethiraj <sn...@apache.org>
Committed: Fri May 22 09:31:48 2015 -0400

----------------------------------------------------------------------
 security-admin/scripts/db_setup.py              | 17 ++++--
 security-admin/scripts/dba_script.py            | 13 +++-
 security-admin/scripts/install.properties       |  5 +-
 .../scripts/ranger-admin-site-template.xml      |  2 +-
 security-admin/scripts/setup.sh                 | 63 +++++++++++++++++---
 security-admin/scripts/upgrade_admin.py         |  2 +-
 .../apache/ranger/common/PropertiesUtil.java    | 19 ++++++
 .../conf.dist/ranger-admin-default-site.xml     |  6 +-
 .../resources/conf.dist/ranger-admin-site.xml   | 18 +++++-
 9 files changed, 125 insertions(+), 20 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0421271e/security-admin/scripts/db_setup.py
----------------------------------------------------------------------
diff --git a/security-admin/scripts/db_setup.py b/security-admin/scripts/db_setup.py
index 6590eb2..e50421c 100644
--- a/security-admin/scripts/db_setup.py
+++ b/security-admin/scripts/db_setup.py
@@ -1263,6 +1263,14 @@ def main(argv):
 	log("[I] --------- Verifying Ranger DB connection ---------","info")
 	xa_sqlObj.check_connection(db_name, db_user, db_password)
 
+	if 'audit_store' in globalDict:
+		audit_store = globalDict['audit_store']
+	else:
+		audit_store = None
+
+	if audit_store is None or audit_store == "":
+		audit_store = "db"
+	audit_store=audit_store.lower()
 	if len(argv)==1:
 
 		log("[I] --------- Verifying Ranger DB tables ---------","info")
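Review bot: Any `audit_store` value that is not exactly `db` after `.lower()` (a typo, or `db` followed by whitespace from the properties file) silently skips the audit schema and audit patches that the second hunk guards with `if audit_store == "db":`, and nothing is logged about the skip. setup.sh does the opposite and treats every value other than `solr` as the database store, so the two scripts can disagree on the same install.properties. The lookup can be reduced to `audit_store = (globalDict.get('audit_store') or 'db').strip().lower()` (assuming globalDict is a plain dict, as the `in`/index use suggests), followed by an `[E]` log and exit when the value is neither `db` nor `solr`. The identical block added to dba_script.py has the same gap for the audit user creation; main() starts and ends outside this hunk.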
@@ -1278,10 +1286,11 @@ def main(argv):
 			xa_sqlObj.upgrade_db(db_name, db_user, db_password, xa_db_version_file)
 		log("[I] --------- Applying Ranger DB patches ---------","info")
 		xa_sqlObj.apply_patches(db_name, db_user, db_password, xa_patch_file)
-		log("[I] --------- Starting Audit Operation ---------","info")
-		audit_sqlObj.auditdb_operation(xa_db_host, audit_db_host, db_name, audit_db_name, db_user, audit_db_user, db_password, audit_db_password, audit_db_file, xa_access_audit)
-		log("[I] --------- Applying Audit DB patches ---------","info")
-		audit_sqlObj.apply_auditdb_patches(xa_sqlObj,xa_db_host, audit_db_host, db_name, audit_db_name, db_user, audit_db_user, db_password, audit_db_password, audit_patch_file, xa_access_audit)
+		if audit_store == "db":
+			log("[I] --------- Starting Audit Operation ---------","info")
+			audit_sqlObj.auditdb_operation(xa_db_host, audit_db_host, db_name, audit_db_name, db_user, audit_db_user, db_password, audit_db_password, audit_db_file, xa_access_audit)
+			log("[I] --------- Applying Audit DB patches ---------","info")
+			audit_sqlObj.apply_auditdb_patches(xa_sqlObj,xa_db_host, audit_db_host, db_name, audit_db_name, db_user, audit_db_user, db_password, audit_db_password, audit_patch_file, xa_access_audit)
 #	'''
 	if len(argv)>1:
 		for i in range(len(argv)):

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0421271e/security-admin/scripts/dba_script.py
----------------------------------------------------------------------
diff --git a/security-admin/scripts/dba_script.py b/security-admin/scripts/dba_script.py
index 9dfba94..c37edbc 100644
--- a/security-admin/scripts/dba_script.py
+++ b/security-admin/scripts/dba_script.py
@@ -1373,6 +1373,14 @@ def main(argv):
 		log("[E] ---------- NO SUCH SUPPORTED DB FLAVOUR.. ----------", "error")
 		sys.exit(1)
 
+	if 'audit_store' in globalDict:
+		audit_store = globalDict['audit_store']
+	else:
+		audit_store = None
+
+	if audit_store is None or audit_store == "":
+		audit_store = "db"
+	audit_store=audit_store.lower()
 	# Methods Begin
 	if DBA_MODE == "TRUE" :
 		if (dryMode==True):
@@ -1392,7 +1400,8 @@ def main(argv):
 			log("[I] ---------- Granting permission to Ranger Admin db user ----------","info")
 			xa_sqlObj.grant_xa_db_user(xa_db_root_user, db_name, db_user, db_password, xa_db_root_password, is_revoke,dryMode)
 			# Ranger Admin DB Host AND Ranger Audit DB Host are Different OR Same
-			log("[I] ---------- Verifying/Creating audit user --------- ","info")
-			audit_sqlObj.create_auditdb_user(xa_db_host, audit_db_host, db_name, audit_db_name, xa_db_root_user, audit_db_root_user, db_user, audit_db_user, xa_db_root_password, audit_db_root_password, db_password, audit_db_password, DBA_MODE,dryMode)
+			if audit_store == "db":
+				log("[I] ---------- Verifying/Creating audit user --------- ","info")
+				audit_sqlObj.create_auditdb_user(xa_db_host, audit_db_host, db_name, audit_db_name, xa_db_root_user, audit_db_root_user, db_user, audit_db_user, xa_db_root_password, audit_db_root_password, db_password, audit_db_password, DBA_MODE,dryMode)
 			log("[I] ---------- Ranger Policy Manager DB and User Creation Process Completed..  ---------- ","info")
 main(sys.argv)

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0421271e/security-admin/scripts/install.properties
----------------------------------------------------------------------
diff --git a/security-admin/scripts/install.properties b/security-admin/scripts/install.properties
index 7490dd6..820d9c7 100644
--- a/security-admin/scripts/install.properties
+++ b/security-admin/scripts/install.properties
@@ -66,7 +66,10 @@ db_password=
 audit_store=db
 
 # * audit_solr_url URL to Solr. E.g. http://<solr_host>:6083/solr/ranger_audits
-audit_solr_url=
+audit_solr_urls=
+audit_solr_user=
+audit_solr_password=
+audit_solr_zookeepers=
 
 
 #
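Review bot: The comment above the new keys still names `audit_solr_url`, and none of `audit_solr_user`, `audit_solr_password` or `audit_solr_zookeepers` is described. I would rename the key in the existing comment to `audit_solr_urls`, state there whether several URLs are accepted and how they are separated, and add one comment line per new key. The line for `audit_solr_password` should say that setup.sh reads the value in clear text from this file, so the file should be readable only by the installing user.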

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0421271e/security-admin/scripts/ranger-admin-site-template.xml
----------------------------------------------------------------------
diff --git a/security-admin/scripts/ranger-admin-site-template.xml b/security-admin/scripts/ranger-admin-site-template.xml
index 2c0462d..001248f 100644
--- a/security-admin/scripts/ranger-admin-site-template.xml
+++ b/security-admin/scripts/ranger-admin-site-template.xml
@@ -157,7 +157,7 @@
 		<value></value>
 	</property>
 	<property>
-		<name>ranger.solr.url</name>
+		<name>ranger.audit.solr.urls</name>
 		<value></value>
 	</property>
 	<property>

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0421271e/security-admin/scripts/setup.sh
----------------------------------------------------------------------
diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh
index 4b5e6b9..12224c4 100755
--- a/security-admin/scripts/setup.sh
+++ b/security-admin/scripts/setup.sh
@@ -157,10 +157,13 @@ init_variables(){
 	getPropertyFromFile 'db_password' $PROPFILE db_password
 	if [ "${audit_store}" == "solr" ]
 	then
-	    getPropertyFromFile 'audit_solr_url' $PROPFILE audit_solr_url
+		getPropertyFromFile 'audit_solr_urls' $PROPFILE audit_solr_urls
+		getPropertyFromFile 'audit_solr_user' $PROPFILE audit_solr_user
+		getPropertyFromFile 'audit_solr_password' $PROPFILE audit_solr_password
+		getPropertyFromFile 'audit_solr_zookeepers' $PROPFILE audit_solr_zookeepers
 	else
-	    getPropertyFromFile 'audit_db_user' $PROPFILE audit_db_user
-	    getPropertyFromFile 'audit_db_password' $PROPFILE audit_db_password
+		getPropertyFromFile 'audit_db_user' $PROPFILE audit_db_user
+		getPropertyFromFile 'audit_db_password' $PROPFILE audit_db_password
 	fi
 }
 
@@ -872,11 +875,11 @@ update_properties() {
 	fi
 
 	if [ "${audit_store}" == "solr" ]
-        then
-			propertyName=ranger.solr.url
-                newPropertyValue=${audit_solr_url}
-			updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
-        fi
+	then
+		propertyName=ranger.audit.solr.urls
+		newPropertyValue=${audit_solr_urls}
+		updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+	fi
 
 	propertyName=ranger.audit.source.type
         newPropertyValue=${audit_store}
@@ -983,6 +986,50 @@ update_properties() {
 			updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
 	    fi
 	fi
+	if [ "${audit_store}" == "solr" ]
+	then
+		if [ "${audit_solr_zookeepers}" != "" ]
+		then
+			propertyName=ranger.audit.solr.zookeepers
+			newPropertyValue=${audit_solr_zookeepers}
+			updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+		fi
+		if [ "${audit_solr_user}" != "" ] && [ "${audit_solr_password}" != "" ]
+		then
+			propertyName=ranger.solr.audit.user
+			newPropertyValue=${audit_solr_user}
+			updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+
+			if [ "${keystore}" != "" ]
+			then
+				echo "Starting configuration for solr credentials:"
+				mkdir -p `dirname "${keystore}"`
+				audit_solr_password_alias=ranger.solr.password
+
+				$JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$audit_solr_password_alias" -value "$audit_solr_password" -provider jceks://file$keystore
+
+				propertyName=ranger.solr.audit.credential.alias
+				newPropertyValue="${audit_solr_password_alias}"
+				updatePropertyToFilePy $propertyName $newPropertyValue $to_file_default
+
+				propertyName=ranger.solr.audit.user.password
+				newPropertyValue="_"
+				updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+			else
+				propertyName=ranger.solr.audit.user.password
+				newPropertyValue="${audit_solr_password}"
+				updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+			fi
+
+			if test -f $keystore; then
+				chown -R ${unix_user}:${unix_group} ${keystore}
+			else
+				propertyName=ranger.solr.audit.user.password
+				newPropertyValue="${audit_solr_password}"
+				updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+			fi
+		fi
+	fi
 }
 
 create_audit_db_user(){
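Review bot: When `keystore` is set but the file does not exist after the `buildks` call, the trailing `test -f $keystore` block overwrites the `_` placeholder with the clear-text password in the site file without any message, and the exit status of `buildks` is never checked. With `keystore` empty, the unquoted `test -f $keystore` collapses to `test -f`, which is true, so `chown -R` then runs with no path operand. `$newPropertyValue` is also passed unquoted to `updatePropertyToFilePy`, so a password containing spaces or glob characters would be split or expanded. The password additionally appears on the java command line, where the process list exposes it while the command runs; whether `buildks` can take the value another way is not visible here. The block below fails closed instead of falling back (a warning would be the minimum); update_properties() begins outside the hunk.

```shell
			if [ "${keystore}" != "" ]
			then
				# … unchanged: echo, mkdir -p, audit_solr_password_alias …
				if $JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "$audit_solr_password_alias" -value "$audit_solr_password" -provider "jceks://file${keystore}" && [ -f "${keystore}" ]
				then
					chown -R "${unix_user}:${unix_group}" "${keystore}"
					# … unchanged: ranger.solr.audit.credential.alias and the "_" placeholder updates …
				else
					echo "ERROR: Solr audit password could not be stored in ${keystore}; not falling back to clear text" >&2
					exit 1
				fi
			else
				propertyName=ranger.solr.audit.user.password
				newPropertyValue="${audit_solr_password}"
				updatePropertyToFilePy $propertyName "$newPropertyValue" $to_file_ranger
			fi
```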

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0421271e/security-admin/scripts/upgrade_admin.py
----------------------------------------------------------------------
diff --git a/security-admin/scripts/upgrade_admin.py b/security-admin/scripts/upgrade_admin.py
index 823edc1..5c79192 100755
--- a/security-admin/scripts/upgrade_admin.py
+++ b/security-admin/scripts/upgrade_admin.py
@@ -107,7 +107,7 @@ config2xmlMAP = {
 	'xa.logs.base.dir':'ranger.logs.base.dir',
 	'xa.scheduler.enabled':'ranger.scheduler.enabled',
 	'xa.audit.store':'ranger.audit.source.type',
-	'audit_solr_url':'ranger.solr.url',
+	'audit_solr_urls':'ranger.audit.solr.urls',
 	'auditDB.jdbc.dialect':'ranger.jpa.audit.jdbc.dialect',
 	'auditDB.jdbc.driver':'ranger.jpa.audit.jdbc.driver',
 	'auditDB.jdbc.url':'ranger.jpa.audit.jdbc.url',
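Review bot: Replacing the `'audit_solr_url'` entry instead of adding the new key beside it means a properties file that still carries `audit_solr_url` would presumably no longer be mapped to any Solr URL property during an upgrade; how config2xmlMAP is consumed is outside this hunk, so this should be confirmed. If older files must keep working, keep a second entry `'audit_solr_url':'ranger.audit.solr.urls',`. The new `audit_solr_user`, `audit_solr_password` and `audit_solr_zookeepers` keys have no entry in the visible part of the map, and a comment stating whether that is intentional would help.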

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0421271e/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
index 5549578..a0bfff4 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
@@ -133,6 +133,25 @@ public class PropertiesUtil extends PropertyPlaceholderConfigurer {
 			}
 		}
 	}
+	if(propertiesMap!=null && propertiesMap.containsKey("ranger.audit.source.type")){
+		String auditStore=propertiesMap.get("ranger.audit.source.type");
+		if(auditStore!=null && (auditStore.equalsIgnoreCase("solr"))){
+			if(propertiesMap!=null && propertiesMap.containsKey("ranger.credential.provider.path") && propertiesMap.containsKey("ranger.solr.audit.credential.alias")){
+				String path=propertiesMap.get("ranger.credential.provider.path");
+				String alias=propertiesMap.get("ranger.solr.audit.credential.alias");
+				if(path!=null && alias!=null){
+					String solrAuditPassword=CredentialReader.getDecryptedString(path.trim(), alias.trim());
+					if(solrAuditPassword!=null&& !solrAuditPassword.trim().isEmpty() &&
+							!solrAuditPassword.trim().equalsIgnoreCase("none")){
+						propertiesMap.put("ranger.solr.audit.user.password", solrAuditPassword);
+						props.put("ranger.solr.audit.user.password", solrAuditPassword);
+					}else{
+						logger.info("Credential keystore password not applied for Solr ; clear text password shall be applicable");
+					}
+				}
+			}
+		}
+	}
 	super.processProperties(beanFactory, props);
     }
 
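Review bot: When `CredentialReader.getDecryptedString` returns null, blank or `none`, the else branch only logs at info level and leaves `ranger.solr.audit.user.password` untouched, which after the keystore path in setup.sh is the literal placeholder `_`, so the Solr connection would presumably be attempted with `_` as the password. I would raise the message to `logger.warn("Solr audit password could not be read from the credential store; falling back to the configured ranger.solr.audit.user.password");` so the failure shows in default logs. The inner `propertiesMap!=null` test repeats the outer one, and `solrAuditPassword.trim()` is evaluated three times while the untrimmed value is stored. A short comment on why `none` is treated as absent would also help; processProperties() begins outside this hunk.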

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0421271e/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
index 0783f69..75d2490 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
@@ -431,5 +431,9 @@
 		<value>100</value>
 		<description></description>
 	</property>
-
+	<property>
+		<name>ranger.solr.audit.credential.alias</name>
+		<value>ranger.solr.password</value>
+		<description></description>
+	</property>
 </configuration>

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0421271e/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
index d0a4fe4..2660e19 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
@@ -46,7 +46,7 @@
 		<description></description>
 	</property>
 	<property>
-		<name>ranger.solr.url</name>
+		<name>ranger.audit.solr.urls</name>
 		<value>http://##solr_host##:6083/solr/ranger_audits</value>
 		<description></description>
 	</property>
@@ -202,5 +202,19 @@
 		<name>ranger.service.https.attrib.keystore.file</name>
 		<value>/etc/ranger/admin/keys/server.jks</value>
 	</property>
-
+	<property>
+		<name>ranger.solr.audit.user</name>
+		<value></value>
+		<description></description>
+	</property>
+	<property>
+		<name>ranger.solr.audit.user.password</name>
+		<value></value>
+		<description></description>
+	</property>
+	<property>
+		<name>ranger.audit.solr.zookeepers</name>
+		<value></value>
+		<description></description>
+	</property>
 </configuration>
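Review bot: The new property names use two different prefixes: `ranger.audit.solr.urls` and `ranger.audit.solr.zookeepers` against `ranger.solr.audit.user`, `ranger.solr.audit.user.password` and (in ranger-admin-default-site.xml) `ranger.solr.audit.credential.alias`. Settling on one prefix now would avoid another rename like the `ranger.solr.url` one in this commit. All three `<description>` elements are empty; the one for `ranger.solr.audit.user.password` should say that the value is a clear-text password unless the credential alias is in use, in which case setup.sh writes the placeholder `_`.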