AMBARI-18834 Add Ranger proxy user under Ranger KMS config during stack upgrade (mugdha)
Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/d3c75557 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/d3c75557 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/d3c75557 Branch: refs/heads/branch-feature-AMBARI-18901 Commit: d3c75557ec7bc20fa9b2782137a6412aa09a8afb Parents: 68a881e Author: Mugdha Varadkar <mug...@apache.org> Authored: Wed Nov 23 10:55:03 2016 +0530 Committer: Mugdha Varadkar <mug...@apache.org> Committed: Tue Nov 29 09:31:12 2016 +0530 ---------------------------------------------------------------------- .../upgrades/RangerKmsProxyConfig.java | 95 +++++++++++++ .../HDP/2.3/upgrades/nonrolling-upgrade-2.5.xml | 7 + .../HDP/2.3/upgrades/nonrolling-upgrade-2.6.xml | 7 + .../stacks/HDP/2.3/upgrades/upgrade-2.5.xml | 11 ++ .../stacks/HDP/2.3/upgrades/upgrade-2.6.xml | 11 ++ .../HDP/2.4/upgrades/nonrolling-upgrade-2.5.xml | 7 + .../HDP/2.4/upgrades/nonrolling-upgrade-2.6.xml | 7 + .../stacks/HDP/2.4/upgrades/upgrade-2.5.xml | 11 ++ .../stacks/HDP/2.4/upgrades/upgrade-2.6.xml | 11 ++ .../upgrades/RangerKmsProxyConfigTest.java | 141 +++++++++++++++++++ 10 files changed, 308 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/d3c75557/ambari-server/src/main/java/org/apache/ambari/server/serveraction/upgrades/RangerKmsProxyConfig.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/serveraction/upgrades/RangerKmsProxyConfig.java b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/upgrades/RangerKmsProxyConfig.java new file mode 100644 index 0000000..bb88f55 --- /dev/null +++ b/ambari-server/src/main/java/org/apache/ambari/server/serveraction/upgrades/RangerKmsProxyConfig.java 
@@ -0,0 +1,95 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.ambari.server.serveraction.upgrades; + +import java.text.MessageFormat; +import java.util.Map; +import java.util.concurrent.ConcurrentMap; + +import org.apache.ambari.server.AmbariException; +import org.apache.ambari.server.actionmanager.HostRoleStatus; +import org.apache.ambari.server.agent.CommandReport; +import org.apache.ambari.server.serveraction.AbstractServerAction; +import org.apache.ambari.server.state.Cluster; +import org.apache.ambari.server.state.Clusters; +import org.apache.ambari.server.state.Config; +import org.apache.ambari.server.state.SecurityType; +import org.apache.commons.lang.StringUtils; + +import com.google.inject.Inject; + +/** +* Computes Ranger KMS Proxy properties in kms-site +*/ + +public class RangerKmsProxyConfig extends AbstractServerAction { + private static final String RANGER_ENV_CONFIG_TYPE = "ranger-env"; + private static final String RANGER_KMS_SITE_CONFIG_TYPE = "kms-site"; + + @Inject + private Clusters m_clusters; + + @Override + public CommandReport execute(ConcurrentMap<String, Object> requestSharedDataContext) + throws AmbariException, InterruptedException { + + String clusterName = 
getExecutionCommand().getClusterName(); + Cluster cluster = m_clusters.getCluster(clusterName); + String outputMsg = ""; + + Config rangerEnv = cluster.getDesiredConfigByType(RANGER_ENV_CONFIG_TYPE); + + if (null == rangerEnv) { + return createCommandReport(0, HostRoleStatus.COMPLETED, "{}", + MessageFormat.format("Config source type {0} not found, skipping adding properties to {1}.", RANGER_ENV_CONFIG_TYPE, RANGER_KMS_SITE_CONFIG_TYPE), ""); + } + + String rangerUserProp = "ranger_user"; + String rangerUser = rangerEnv.getProperties().get(rangerUserProp); + + if (null == rangerUser) { + return createCommandReport(0, HostRoleStatus.COMPLETED, "{}", + MessageFormat.format("Required user service user value from {0}/{1} not found, skipping adding properties to {2}.", RANGER_ENV_CONFIG_TYPE, rangerUserProp, RANGER_KMS_SITE_CONFIG_TYPE), ""); + } + + Config kmsSite = cluster.getDesiredConfigByType(RANGER_KMS_SITE_CONFIG_TYPE); + + if (null == kmsSite) { + return createCommandReport(0, HostRoleStatus.COMPLETED, "{}", + MessageFormat.format("Config type {0} not found, skipping adding properties to it.", RANGER_KMS_SITE_CONFIG_TYPE), ""); + } + + Map<String, String> targetValues = kmsSite.getProperties(); + if (cluster.getSecurityType() == SecurityType.KERBEROS) { + String userProp = "hadoop.kms.proxyuser." + rangerUser + ".users"; + String groupProp = "hadoop.kms.proxyuser." + rangerUser + ".groups"; + String hostProp = "hadoop.kms.proxyuser." 
+ rangerUser + ".hosts"; + targetValues.put(userProp, "*"); + targetValues.put(groupProp, "*"); + targetValues.put(hostProp, "*"); + kmsSite.setProperties(targetValues); + kmsSite.persist(false); + outputMsg = outputMsg + MessageFormat.format("Successfully added properties to {0}", RANGER_KMS_SITE_CONFIG_TYPE); + } else { + outputMsg = outputMsg + MessageFormat.format("Kerberos not enable, not setting proxy properties to {0}", RANGER_KMS_SITE_CONFIG_TYPE); + } + + return createCommandReport(0, HostRoleStatus.COMPLETED, "{}", outputMsg, ""); + + } +} http://git-wip-us.apache.org/repos/asf/ambari/blob/d3c75557/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.5.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.5.xml b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.5.xml index 04e4f3e..7a15e0e 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.5.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.5.xml 
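Review bot: The three `targetValues.put(..., "*")` calls in the Kerberos branch overwrite whatever `hadoop.kms.proxyuser.<ranger_user>.users`, `.groups` and `.hosts` already hold, so a cluster where an operator had narrowed them (for example `.hosts` limited to the Ranger Admin hosts) leaves the upgrade with wildcard impersonation rights for the Ranger user on KMS. Adding each key only when it is absent still fixes clusters that lack the properties, without widening ones that were tightened, and avoids persisting when nothing changed. Separately, `rangerUser` is only checked for null, and `StringUtils` is imported but unused in the visible code; a `StringUtils.isBlank(rangerUser)` guard would stop an empty `ranger_user` from producing keys like `hadoop.kms.proxyuser..users`.

```java
    // … unchanged: lookups of ranger-env, ranger_user and kms-site …
    Map<String, String> targetValues = kmsSite.getProperties();
    if (cluster.getSecurityType() == SecurityType.KERBEROS) {
      String prefix = "hadoop.kms.proxyuser." + rangerUser;
      boolean changed = false;
      for (String suffix : new String[] {".users", ".groups", ".hosts"}) {
        // keep a value the operator has already narrowed
        if (!targetValues.containsKey(prefix + suffix)) {
          targetValues.put(prefix + suffix, "*");
          changed = true;
        }
      }
      if (changed) {
        kmsSite.setProperties(targetValues);
        kmsSite.persist(false);
      }
      // … unchanged: outputMsg assignment and the non-Kerberos else branch …
```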
@@ -435,6 +435,13 @@ <task xsi:type="configure" id="hdp_2_5_0_0_remove_ranger_kms_audit_db"/> </execute-stage> + <execute-stage service="RANGER_KMS" component="RANGER_KMS_SERVER" title="Calculating Ranger Properties"> + <condition xsi:type="security" type="kerberos"/> + <task xsi:type="server_action" class="org.apache.ambari.server.serveraction.upgrades.RangerKmsProxyConfig"> + <summary>Adding Ranger proxy user properties</summary> + </task> + </execute-stage> + <!-- KNOX --> <execute-stage service="KNOX" component="KNOX_GATEWAY" title="Apply config changes for Knox Gateway"> <task xsi:type="configure" id="hdp_2_5_0_0_remove_ranger_knox_audit_db"/> http://git-wip-us.apache.org/repos/asf/ambari/blob/d3c75557/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.6.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.6.xml b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.6.xml index 3233f7e..fe2598b 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.6.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/nonrolling-upgrade-2.6.xml 
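Review bot: The stage title `Calculating Ranger Properties` and the summary `Adding Ranger proxy user properties` in this non-rolling pack do not say which config type is changed or what is granted, whereas the rolling packs in this commit use `Calculating Proxy Properties under kms-site`. Because the action sets the Ranger user's KMS proxyuser users, groups and hosts to `*`, an operator reading the upgrade plan should be able to see that; something like `<summary>Adding wildcard Ranger proxy user properties (users/groups/hosts) under kms-site</summary>` would do. The same wording appears in the nonrolling-upgrade-2.6.xml hunk for HDP 2.3 and in both non-rolling hunks for HDP 2.4.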
@@ -436,6 +436,13 @@ <task xsi:type="configure" id="hdp_2_5_0_0_remove_ranger_kms_audit_db"/> </execute-stage> + <execute-stage service="RANGER_KMS" component="RANGER_KMS_SERVER" title="Calculating Ranger Properties"> + <condition xsi:type="security" type="kerberos"/> + <task xsi:type="server_action" class="org.apache.ambari.server.serveraction.upgrades.RangerKmsProxyConfig"> + <summary>Adding Ranger proxy user properties</summary> + </task> + </execute-stage> + <!-- KNOX --> <execute-stage service="KNOX" component="KNOX_GATEWAY" title="Apply config changes for Knox Gateway"> <task xsi:type="configure" id="hdp_2_5_0_0_remove_ranger_knox_audit_db"/> http://git-wip-us.apache.org/repos/asf/ambari/blob/d3c75557/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.5.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.5.xml b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.5.xml index 95c5f06..bbf5299 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.5.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.5.xml 
@@ -130,6 +130,17 @@ </service> </group> + <group xsi:type="cluster" name="UPDATE_RANGER_KMS_SITE" title="Update Ranger KMS Configuration"> + <direction>UPGRADE</direction> + <skippable>true</skippable> + <execute-stage service="RANGER_KMS" component="RANGER_KMS_SERVER" title="Calculating Proxy Properties under kms-site"> + <condition xsi:type="security" type="kerberos"/> + <task xsi:type="server_action" class="org.apache.ambari.server.serveraction.upgrades.RangerKmsProxyConfig"> + <summary>Adding Ranger proxy user properties under kms-site</summary> + </task> + </execute-stage> + </group> + <group name="RANGER_KMS" title="Ranger_KMS"> <skippable>true</skippable> <supports-auto-skip-failure>false</supports-auto-skip-failure> http://git-wip-us.apache.org/repos/asf/ambari/blob/d3c75557/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.6.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.6.xml b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.6.xml index a01996a..c5fdc99 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.6.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.3/upgrades/upgrade-2.6.xml 
@@ -131,6 +131,17 @@ </service> </group> + <group xsi:type="cluster" name="UPDATE_RANGER_KMS_SITE" title="Update Ranger KMS Configuration"> + <direction>UPGRADE</direction> + <skippable>true</skippable> + <execute-stage service="RANGER_KMS" component="RANGER_KMS_SERVER" title="Calculating Proxy Properties under kms-site"> + <condition xsi:type="security" type="kerberos"/> + <task xsi:type="server_action" class="org.apache.ambari.server.serveraction.upgrades.RangerKmsProxyConfig"> + <summary>Adding Ranger proxy user properties under kms-site</summary> + </task> + </execute-stage> + </group> + <group name="RANGER_KMS" title="Ranger_KMS"> <skippable>true</skippable> <supports-auto-skip-failure>false</supports-auto-skip-failure> http://git-wip-us.apache.org/repos/asf/ambari/blob/d3c75557/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.5.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.5.xml b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.5.xml index 05e2be1..a46ac9e 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.5.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.5.xml 
@@ -423,6 +423,13 @@ <task xsi:type="configure" id="hdp_2_5_0_0_remove_ranger_kms_audit_db"/> </execute-stage> + <execute-stage service="RANGER_KMS" component="RANGER_KMS_SERVER" title="Calculating Ranger Properties"> + <condition xsi:type="security" type="kerberos"/> + <task xsi:type="server_action" class="org.apache.ambari.server.serveraction.upgrades.RangerKmsProxyConfig"> + <summary>Adding Ranger proxy user properties</summary> + </task> + </execute-stage> + <!-- SPARK --> <execute-stage service="SPARK" component="SPARK_JOBHISTORYSERVER" title="Apply config changes for Spark JobHistoryServer"> <task xsi:type="configure" id="hdp_2_5_0_0_spark_jobhistoryserver"/> http://git-wip-us.apache.org/repos/asf/ambari/blob/d3c75557/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.6.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.6.xml b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.6.xml index 1a26e59..6597cde 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.6.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/nonrolling-upgrade-2.6.xml 
@@ -418,6 +418,13 @@ <execute-stage service="RANGER_KMS" component="RANGER_KMS_SERVER" title="Apply config changes for Ranger KMS Server"> <task xsi:type="configure" id="hdp_2_5_0_0_remove_ranger_kms_audit_db"/> </execute-stage> + + <execute-stage service="RANGER_KMS" component="RANGER_KMS_SERVER" title="Calculating Ranger Properties"> + <condition xsi:type="security" type="kerberos"/> + <task xsi:type="server_action" class="org.apache.ambari.server.serveraction.upgrades.RangerKmsProxyConfig"> + <summary>Adding Ranger proxy user properties</summary> + </task> + </execute-stage> </group> <!-- http://git-wip-us.apache.org/repos/asf/ambari/blob/d3c75557/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.5.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.5.xml b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.5.xml index f0c6131..f5a5669 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.5.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.5.xml 
@@ -126,6 +126,17 @@ </service> </group> + <group xsi:type="cluster" name="UPDATE_RANGER_KMS_SITE" title="Update Ranger KMS Configuration"> + <direction>UPGRADE</direction> + <skippable>true</skippable> + <execute-stage service="RANGER_KMS" component="RANGER_KMS_SERVER" title="Calculating Proxy Properties under kms-site"> + <condition xsi:type="security" type="kerberos"/> + <task xsi:type="server_action" class="org.apache.ambari.server.serveraction.upgrades.RangerKmsProxyConfig"> + <summary>Adding Ranger proxy user properties under kms-site</summary> + </task> + </execute-stage> + </group> + <group name="RANGER_KMS" title="Ranger_KMS"> <skippable>true</skippable> <supports-auto-skip-failure>false</supports-auto-skip-failure> http://git-wip-us.apache.org/repos/asf/ambari/blob/d3c75557/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.6.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.6.xml b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.6.xml index f520faf..406f38e 100644 --- a/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.6.xml +++ b/ambari-server/src/main/resources/stacks/HDP/2.4/upgrades/upgrade-2.6.xml 
@@ -131,6 +131,17 @@ </service> </group> + <group xsi:type="cluster" name="UPDATE_RANGER_KMS_SITE" title="Update Ranger KMS Configuration"> + <direction>UPGRADE</direction> + <skippable>true</skippable> + <execute-stage service="RANGER_KMS" component="RANGER_KMS_SERVER" title="Calculating Proxy Properties under kms-site"> + <condition xsi:type="security" type="kerberos"/> + <task xsi:type="server_action" class="org.apache.ambari.server.serveraction.upgrades.RangerKmsProxyConfig"> + <summary>Adding Ranger proxy user properties under kms-site</summary> + </task> + </execute-stage> + </group> + <group name="RANGER_KMS" title="Ranger_KMS"> <skippable>true</skippable> <supports-auto-skip-failure>false</supports-auto-skip-failure> http://git-wip-us.apache.org/repos/asf/ambari/blob/d3c75557/ambari-server/src/test/java/org/apache/ambari/server/serveraction/upgrades/RangerKmsProxyConfigTest.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/java/org/apache/ambari/server/serveraction/upgrades/RangerKmsProxyConfigTest.java b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/upgrades/RangerKmsProxyConfigTest.java new file mode 100644 index 0000000..e000c65 --- /dev/null +++ b/ambari-server/src/test/java/org/apache/ambari/server/serveraction/upgrades/RangerKmsProxyConfigTest.java 
@@ -0,0 +1,141 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.ambari.server.serveraction.upgrades; + +import static org.easymock.EasyMock.anyObject; +import static org.easymock.EasyMock.expect; +import static org.easymock.EasyMock.replay; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertTrue; + +import java.lang.reflect.Field; +import java.util.HashMap; +import java.util.Map; + +import org.apache.ambari.server.actionmanager.ExecutionCommandWrapper; +import org.apache.ambari.server.actionmanager.HostRoleCommand; +import org.apache.ambari.server.agent.CommandReport; +import org.apache.ambari.server.agent.ExecutionCommand; +import org.apache.ambari.server.state.Cluster; +import org.apache.ambari.server.state.Clusters; +import org.apache.ambari.server.state.SecurityType; +import org.apache.ambari.server.state.Config; +import org.apache.ambari.server.state.ConfigImpl; +import org.easymock.EasyMock; +import org.junit.Before; +import org.junit.Test; + +import com.google.inject.Injector; + + +public class RangerKmsProxyConfigTest { + private Injector m_injector; + private Clusters m_clusters; + private Field 
m_clusterField; + + @Before + public void setup() throws Exception { + m_injector = EasyMock.createMock(Injector.class); + m_clusters = EasyMock.createMock(Clusters.class); + Cluster cluster = EasyMock.createMock(Cluster.class); + + Config rangerEnv = new ConfigImpl("ranger-env") { + Map<String, String> mockProperties = new HashMap<String, String>() {{ + put("ranger_user", "ranger"); + }}; + + @Override + public Map<String, String> getProperties() { + return mockProperties; + } + }; + + Config kmsSite = new ConfigImpl("kms-site") { + Map<String, String> mockProperties = new HashMap<String, String>(); + @Override + public Map<String, String> getProperties() { + return mockProperties; + } + + @Override + public void setProperties(Map<String, String> properties) { + mockProperties.putAll(properties); + } + + @Override + public void persist(boolean newConfig) { + // no-op + } + }; + + expect(cluster.getDesiredConfigByType("ranger-env")).andReturn(rangerEnv).atLeastOnce(); + expect(cluster.getDesiredConfigByType("kms-site")).andReturn(kmsSite).atLeastOnce(); + expect(m_clusters.getCluster((String) anyObject())).andReturn(cluster).anyTimes(); + expect(m_injector.getInstance(Clusters.class)).andReturn(m_clusters).atLeastOnce(); + expect(cluster.getSecurityType()).andReturn(SecurityType.KERBEROS).anyTimes(); + + replay(m_injector, m_clusters, cluster); + + m_clusterField = RangerKmsProxyConfig.class.getDeclaredField("m_clusters"); + m_clusterField.setAccessible(true); + } + + @Test + public void testAction() throws Exception { + + Map<String, String> commandParams = new HashMap<String, String>(); + commandParams.put("clusterName", "c1"); + + ExecutionCommand executionCommand = new ExecutionCommand(); + executionCommand.setCommandParams(commandParams); + executionCommand.setClusterName("c1"); + + HostRoleCommand hrc = EasyMock.createMock(HostRoleCommand.class); + expect(hrc.getRequestId()).andReturn(1L).anyTimes(); + expect(hrc.getStageId()).andReturn(2L).anyTimes(); + 
expect(hrc.getExecutionCommandWrapper()).andReturn(new ExecutionCommandWrapper(executionCommand)).anyTimes(); + replay(hrc); + + RangerKmsProxyConfig action = new RangerKmsProxyConfig(); + m_clusterField.set(action, m_clusters); + + action.setExecutionCommand(executionCommand); + action.setHostRoleCommand(hrc); + + CommandReport report = action.execute(null); + assertNotNull(report); + + Cluster c = m_clusters.getCluster("c1"); + Config config = c.getDesiredConfigByType("kms-site"); + Map<String, String> map = config.getProperties(); + + assertTrue(map.containsKey("hadoop.kms.proxyuser.ranger.users")); + assertTrue(map.containsKey("hadoop.kms.proxyuser.ranger.groups")); + assertTrue(map.containsKey("hadoop.kms.proxyuser.ranger.hosts")); + + + assertEquals("*", map.get("hadoop.kms.proxyuser.ranger.users")); + assertEquals("*", map.get("hadoop.kms.proxyuser.ranger.groups")); + assertEquals("*", map.get("hadoop.kms.proxyuser.ranger.hosts")); + + report = action.execute(null); + assertNotNull(report); + + } +} \ No newline at end of file
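Review bot: `testAction` exercises only the Kerberos path against an empty `kms-site` map, so it cannot show what happens to a proxyuser value that already exists, nor that nothing is written when security is not Kerberos or when `ranger-env`, `ranger_user` or `kms-site` is missing. I would seed the `kmsSite` mock with a constructed entry such as `mockProperties.put("hadoop.kms.proxyuser.ranger.hosts", "host1.example.test")` and assert the intended outcome after `execute`, and add a case where `getSecurityType()` returns `SecurityType.NONE` and the map stays empty. The second `action.execute(null)` only checks for a non-null report; asserting that the three keys are unchanged would make the idempotence check meaningful. The `m_injector` mock is given an `atLeastOnce()` expectation but is never used or verified in the visible code, so it can be removed.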