Repository: ambari Updated Branches: refs/heads/trunk deb782c79 -> e4c62592f
AMBARI-13488 : Add recommendation for 'hive.conf.restricted.list' property under hiveserver2-site (For Ranger Plugin)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo
Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/e4c62592
Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/e4c62592
Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/e4c62592
Branch: refs/heads/trunk
Commit: e4c62592f7025bd5c8e67dd1bdfafee895afe7a6
Parents: deb782c
Author: Gautam Borad <gau...@apache.org>
Authored: Tue Oct 20 14:50:12 2015 +0530
Committer: Gautam Borad <gau...@apache.com>
Committed: Wed Oct 28 13:44:28 2015 +0530
----------------------------------------------------------------------
.../HIVE/configuration/hiveserver2-site.xml | 12 +++++++++++
.../stacks/HDP/2.2/services/stack_advisor.py | 22 ++++++++++++++++++++
.../stacks/HDP/2.3/services/stack_advisor.py | 16 ++++++++++++++
.../stacks/2.2/common/test_stack_advisor.py | 13 ++++++++----
4 files changed, 59 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ambari/blob/e4c62592/ambari-server/src/main/resources/stacks/HDP/2.2/services/HIVE/configuration/hiveserver2-site.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2/services/HIVE/configuration/hiveserver2-site.xml b/ambari-server/src/main/resources/stacks/HDP/2.2/services/HIVE/configuration/hiveserver2-site.xml
index 12a78db..5a2f002 100644
--- a/ambari-server/src/main/resources/stacks/HDP/2.2/services/HIVE/configuration/hiveserver2-site.xml
+++ b/ambari-server/src/main/resources/stacks/HDP/2.2/services/HIVE/configuration/hiveserver2-site.xml
@@ -71,4 +71,16 @@ limitations under the License. </depends-on> </property> + <property> + <name>hive.conf.restricted.list</name> + <value>hive.security.authenticator.manager,hive.security.authorization.manager,hive.users.in.admin.role</value> + <description></description> + <depends-on> + <property> + <type>hive-env</type> + <name>hive_security_authorization</name> + </property> + </depends-on> + </property> + </configuration> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/ambari/blob/e4c62592/ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py b/ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py index 32e6be3..c813556 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py +++ b/ambari-server/src/main/resources/stacks/HDP/2.2/services/stack_advisor.py @@ -429,6 +429,10 @@ class HDP22StackAdvisor(HDP21StackAdvisor): ("hiveserver2-site" not in services["configurations"]) or \ ("hiveserver2-site" in services["configurations"] and "hive.security.authenticator.manager" in services["configurations"]["hiveserver2-site"]["properties"]): putHiveServerPropertyAttribute("hive.security.authenticator.manager", "delete", "true") + if ("hive.conf.restricted.list" in configurations["hiveserver2-site"]["properties"]) or \ + ("hiveserver2-site" not in services["configurations"]) or \ + ("hiveserver2-site" in services["configurations"] and "hive.conf.restricted.list" in services["configurations"]["hiveserver2-site"]["properties"]): + putHiveServerPropertyAttribute("hive.conf.restricted.list", "delete", "true") if "KERBEROS" not in servicesList: # Kerberos security depends on this property putHiveSiteProperty("hive.security.authorization.enabled", "false") else: 
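Review bot: The new `hive.conf.restricted.list` property is added with an empty `<description></description>`, so an operator editing hiveserver2-site gets no hint that this list decides which settings a HiveServer2 session is not allowed to override. I would fill it in, for example `<description>Comma-separated list of configuration properties that cannot be changed at runtime by a session.</description>`. Since the `<depends-on>` block ties the value to `hive_security_authorization`, the description could also say that the stack advisor recomputes the value when that setting changes.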
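Review bot: In the added condition of the hunk at -429, the third clause's `"hiveserver2-site" in services["configurations"] and` is redundant, because the second clause already makes the whole expression true whenever that key is absent; the clause can be reduced to `"hive.conf.restricted.list" in services["configurations"]["hiveserver2-site"]["properties"]`. The first clause indexes `configurations["hiveserver2-site"]["properties"]` with no membership check, which presumably relies on an earlier put call having created that entry and deserves a one-line comment. The statement has the same shape as the one just above it for `hive.security.authenticator.manager`, so a short loop over the property names to delete would remove the repetition. The enclosing method starts and ends outside the hunk.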
@@ -450,6 +454,7 @@ class HDP22StackAdvisor(HDP21StackAdvisor): putHiveServerProperty("hive.security.authorization.enabled", "true") putHiveServerProperty("hive.security.authorization.manager", "org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory") putHiveServerProperty("hive.security.authenticator.manager", "org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator") + putHiveServerProperty("hive.conf.restricted.list", "hive.security.authenticator.manager,hive.security.authorization.manager,hive.users.in.admin.role") putHiveSiteProperty("hive.security.authorization.manager", "org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdConfOnlyAuthorizerFactory") if sqlstdauth_class not in auth_manager_values: auth_manager_values.append(sqlstdauth_class) @@ -465,6 +470,7 @@ class HDP22StackAdvisor(HDP21StackAdvisor): putHiveServerProperty("hive.security.authorization.enabled", "true") putHiveServerProperty("hive.security.authorization.manager", "com.xasecure.authorization.hive.authorizer.XaSecureHiveAuthorizerFactory") putHiveServerProperty("hive.security.authenticator.manager", "org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator") + putHiveServerProperty("hive.conf.restricted.list", "hive.security.authorization.enabled,hive.security.authorization.manager,hive.security.authenticator.manager") putHiveSiteProperty("hive.server2.use.SSL", "false") 
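Review bot: The two recommended values for `hive.conf.restricted.list` differ with no explanation: the SQLStdAuth branch (hunk at -450) restricts `hive.users.in.admin.role` but not `hive.security.authorization.enabled`, while the Ranger branch (hunk at -465) restricts `hive.security.authorization.enabled` but drops `hive.users.in.admin.role`. Because this list is what stops a session from overriding these settings, each omission should be deliberate and recorded in a comment next to the call, or both branches should use the union of the four names. `putHiveServerProperty` also sets the whole value, so presumably any extra entries an operator had added are lost when the recommendation is applied, whereas the validation added later in this commit only requires the three names to be contained; merging into the existing value would match that. Both hunks sit inside a method whose start and end are outside the hunks.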
@@ -1154,6 +1160,22 @@ class HDP22StackAdvisor(HDP21StackAdvisor): "item": self.getWarnItem( "If Ranger Hive Plugin is enabled."\ " {0} under hiveserver2-site needs to be set to {1}".format(prop_name, prop_val))}) + prop_name = 'hive.conf.restricted.list' + prop_vals = 'hive.security.authorization.enabled,hive.security.authorization.manager,hive.security.authenticator.manager'.split(',') + current_vals = [] + missing_vals = [] + if hive_server2 and prop_name in hive_server2: + current_vals = hive_server2[prop_name].split(',') + current_vals = [x.strip() for x in current_vals] + + for val in prop_vals: + if not val in current_vals: + missing_vals.append(val) + + if missing_vals: + validationItems.append({"config-name": prop_name, + "item": self.getWarnItem("If Ranger Hive Plugin is enabled."\ + " {0} under hiveserver2-site needs to contain missing value {1}".format(prop_name, ','.join(missing_vals)))}) ##Add stack validations for Ranger plugin disabled. elif not ranger_plugin_enabled: prop_name = 'hive.security.authorization.manager' http://git-wip-us.apache.org/repos/asf/ambari/blob/e4c62592/ambari-server/src/main/resources/stacks/HDP/2.3/services/stack_advisor.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.3/services/stack_advisor.py b/ambari-server/src/main/resources/stacks/HDP/2.3/services/stack_advisor.py index b3de283..1d1cdba 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.3/services/stack_advisor.py +++ b/ambari-server/src/main/resources/stacks/HDP/2.3/services/stack_advisor.py 
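Review bot: The required-entries string in the hunk at -1154 is a second hard-coded copy of the value recommended in the Ranger branch earlier in this file, and the whole block is repeated verbatim in the HDP 2.3 advisor (hunk at -628), so the recommendation and the two validations can drift apart silently. Since `HDP23StackAdvisor` subclasses `HDP22StackAdvisor`, one class-level constant plus a small helper method that returns the missing entries would serve all three places. Within the block, `if not val in current_vals:` reads better as `if val not in current_vals:`, and the loop can become `missing_vals = [v for v in prop_vals if v not in current_vals]`. The warning text "needs to contain missing value {1}" would be clearer as "is missing required value(s) {1}", although the expected message in the test file would have to change with it. The enclosing validation method starts and ends outside the hunk.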
@@ -628,6 +628,22 @@ class HDP23StackAdvisor(HDP22StackAdvisor): "item": self.getWarnItem( "If Ranger Hive Plugin is enabled."\ " {0} under hiveserver2-site needs to be set to {1}".format(prop_name, prop_val))}) + prop_name = 'hive.conf.restricted.list' + prop_vals = 'hive.security.authorization.enabled,hive.security.authorization.manager,hive.security.authenticator.manager'.split(',') + current_vals = [] + missing_vals = [] + if hive_server2 and prop_name in hive_server2: + current_vals = hive_server2[prop_name].split(',') + current_vals = [x.strip() for x in current_vals] + + for val in prop_vals: + if not val in current_vals: + missing_vals.append(val) + + if missing_vals: + validationItems.append({"config-name": prop_name, + "item": self.getWarnItem("If Ranger Hive Plugin is enabled."\ + " {0} under hiveserver2-site needs to contain missing value {1}".format(prop_name, ','.join(missing_vals)))}) ##Add stack validations for Ranger plugin disabled. elif not ranger_plugin_enabled: prop_name = 'hive.security.authorization.manager' http://git-wip-us.apache.org/repos/asf/ambari/blob/e4c62592/ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py b/ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py index 74d9b21..6b582c9 100644 --- a/ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py +++ b/ambari-server/src/test/python/stacks/2.2/common/test_stack_advisor.py @@ -1049,7 +1049,8 @@ class TestHDP22StackAdvisor(TestCase): }, 'property_attributes': { 'hive.security.authorization.manager': {'delete': 'true'}, - 'hive.security.authenticator.manager': {'delete': 'true'} + 'hive.security.authenticator.manager': {'delete': 'true'}, + 'hive.conf.restricted.list': {'delete': 'true'} } } } 
@@ -1146,7 +1147,8 @@ class TestHDP22StackAdvisor(TestCase): "hiveserver2-site": { "properties": { "hive.security.authorization.manager": "", - "hive.security.authenticator.manager": "" + "hive.security.authenticator.manager": "", + "hive.conf.restricted.list": "" } } }, @@ -1220,7 +1222,8 @@ class TestHDP22StackAdvisor(TestCase): "hiveserver2-site": { "properties": { "hive.security.authorization.manager": "", - "hive.security.authenticator.manager": "" + "hive.security.authenticator.manager": "", + "hive.conf.restricted.list": "" } } }, @@ -1290,6 +1293,7 @@ class TestHDP22StackAdvisor(TestCase): expected["hiveserver2-site"]["properties"]["hive.security.authorization.enabled"]="true" expected["hiveserver2-site"]["properties"]["hive.security.authorization.manager"]="org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory" expected["hiveserver2-site"]["properties"]["hive.security.authenticator.manager"]="org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator" + expected["hiveserver2-site"]["properties"]["hive.conf.restricted.list"]="hive.security.authenticator.manager,hive.security.authorization.manager,hive.users.in.admin.role" self.stackAdvisor.recommendHIVEConfigurations(configurations, clusterData, services, hosts) self.assertEquals(configurations, expected) 
@@ -1382,6 +1386,7 @@ class TestHDP22StackAdvisor(TestCase): expected["hiveserver2-site"]["properties"]["hive.security.authenticator.manager"] = "org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator" expected["hiveserver2-site"]["properties"]["hive.security.authorization.manager"] = "com.xasecure.authorization.hive.authorizer.XaSecureHiveAuthorizerFactory" expected["hiveserver2-site"]["properties"]["hive.security.authorization.enabled"] = "true" + expected["hiveserver2-site"]["properties"]["hive.conf.restricted.list"]="hive.security.authorization.enabled,hive.security.authorization.manager,hive.security.authenticator.manager" self.stackAdvisor.recommendHIVEConfigurations(configurations, clusterData, services, hosts) self.assertEquals(configurations['hiveserver2-site'], expected["hiveserver2-site"]) 
@@ -3142,7 +3147,7 @@ class TestHDP22StackAdvisor(TestCase): } # Test with ranger plugin enabled, validation fails - res_expected = [{'config-type': 'hiveserver2-site', 'message': 'If Ranger Hive Plugin is enabled. hive.security.authorization.manager under hiveserver2-site needs to be set to com.xasecure.authorization.hive.authorizer.XaSecureHiveAuthorizerFactory', 'type': 'configuration', 'config-name': 'hive.security.authorization.manager', 'level': 'WARN'}, {'config-type': 'hiveserver2-site', 'message': 'If Ranger Hive Plugin is enabled. hive.security.authenticator.manager under hiveserver2-site needs to be set to org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator', 'type': 'configuration', 'config-name': 'hive.security.authenticator.manager', 'level': 'WARN'}] + res_expected = [{'config-type': 'hiveserver2-site', 'message': 'If Ranger Hive Plugin is enabled. hive.security.authorization.manager under hiveserver2-site needs to be set to com.xasecure.authorization.hive.authorizer.XaSecureHiveAuthorizerFactory', 'type': 'configuration', 'config-name': 'hive.security.authorization.manager', 'level': 'WARN'}, {'config-type': 'hiveserver2-site', 'message': 'If Ranger Hive Plugin is enabled. hive.security.authenticator.manager under hiveserver2-site needs to be set to org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator', 'type': 'configuration', 'config-name': 'hive.security.authenticator.manager', 'level': 'WARN'}, {'config-type': 'hiveserver2-site', 'message': 'If Ranger Hive Plugin is enabled. hive.conf.restricted.list under hiveserver2-site needs to contain missing value hive.security.authorization.enabled,hive.security.authorization.manager,hive.security.authenticator.manager', 'type': 'configuration', 'config-name': 'hive.con f.restricted.list', 'level': 'WARN'}] res = self.stackAdvisor.validateHiveServer2Configurations(properties, recommendedDefaults, configurations, services, {}) self.assertEquals(res, res_expected)
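Review bot: The updated `res_expected` only exercises the case where `hive.conf.restricted.list` is absent, so all three names are reported missing; the partial-match path and the `strip()` handling in the new validation are not tested. I would add one case with a value such as `"hive.security.authorization.enabled, hive.security.authorization.manager"` and assert that the warning names only `hive.security.authenticator.manager`, and one case with all three present asserting that no item is added for this property. The expected `'config-name'` appears here as `'hive.con f.restricted.list'` with a space, which is most likely a line-wrap artefact of the mail archive, but it is worth checking against the committed file because the assertion would fail otherwise.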