Repository: ambari Updated Branches: refs/heads/trunk 2be01fbf1 -> 16c0b68e6
AMBARI-19725. Atlas deployment via Ambari should configure Zookeeper ACLs and Auth scheme. (Attila Magyar via stoader) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/16c0b68e Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/16c0b68e Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/16c0b68e Branch: refs/heads/trunk Commit: 16c0b68e6c60c84bef37ba566bce7a2ba349dbff Parents: 2be01fb Author: Attila Magyar <amag...@hortonworks.com> Authored: Fri Jan 27 12:35:27 2017 +0100 Committer: Toader, Sebastian <stoa...@hortonworks.com> Committed: Fri Jan 27 12:35:47 2017 +0100 ---------------------------------------------------------------------- .../package/scripts/metadata_server.py | 13 ++- .../ATLAS/0.1.0.2.3/package/scripts/params.py | 4 + .../stacks/HDP/2.6/services/ATLAS/kerberos.json | 97 ++++++++++++++++++++ 3 files changed, 113 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/16c0b68e/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata_server.py ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata_server.py b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata_server.py
index 36d990d..ad3270e 100644
--- a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata_server.py
+++ b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata_server.py
@@ -37,7 +37,7 @@ from resource_management.libraries.functions.constants import StackFeature
 from resource_management.core.resources.system import Directory
 from resource_management.core.logger import Logger
 from setup_ranger_atlas import setup_ranger_atlas
-
+from resource_management.core.resources.zkmigrator import ZkMigrator
 class MetadataServer(Script):
@@ -152,6 +152,17 @@ class MetadataServer(Script):
 File(params.pid_file, action="delete")
+ def disable_security(self, env):
+ import params
+ if not params.stack_supports_zk_security:
+ Logger.info("Stack doesn't support zookeeper security")
+ return
+ if not params.zookeeper_quorum:
+ Logger.info("No zookeeper connection string. Skipping reverting ACL")
+ return
+ zkmigrator = ZkMigrator(params.zookeeper_quorum, params.java_exec, params.java64_home, params.atlas_jaas_file, params.metadata_user)
+ zkmigrator.set_acls(params.zk_root if params.zk_root.startswith('/') else '/' + params.zk_root, 'world:anyone:crdwa')
+
 def status(self, env):
 import status_params
http://git-wip-us.apache.org/repos/asf/ambari/blob/16c0b68e/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py
index afd6dde..682fc9f 100644
--- a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py
+++ b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py
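Review bot: In disable_security an empty zk_root is turned into `/` by the `'/' + params.zk_root` fallback, so `world:anyone:crdwa` would be applied to the ZooKeeper root (or whatever set_acls covers from there) rather than to the Atlas znode; `default()` presumably substitutes `/apache_atlas` only when the key is absent, so an explicitly empty `atlas.server.ha.zookeeper.zkroot` reaches this code as `''`. Fold that case into the existing guard: `if not params.zookeeper_quorum or not params.zk_root.strip('/'):` with `Logger.info("No zookeeper connection string or zkroot. Skipping reverting ACL")`. The diff invokes ZkMigrator only on the disable path; unless the enable path migrates ACLs elsewhere, znodes created before kerberization keep their open ACL even though kerberos.json now asks Atlas for `auth:` on new ones, which is worth confirming. disable_security is complete within the hunk, but the enclosing MetadataServer class starts outside it.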
@@ -81,6 +81,9 @@ cluster_name = config['clusterName']
 java_version = expect("/hostLevelParams/java_version", int)
+zk_root = default('/configurations/application-properties/atlas.server.ha.zookeeper.zkroot', '/apache_atlas')
+stack_supports_zk_security = check_stack_feature(StackFeature.SECURE_ZOOKEEPER, version_for_stack_feature_checks)
+
 if security_enabled:
 _hostname_lowercase = config['hostname'].lower()
 _atlas_principal_name = config['configurations']['application-properties']['atlas.authentication.principal']
@@ -115,6 +118,7 @@ user_group = config['configurations']['cluster-env']['user_group']
 # metadata env
 java64_home = config['hostLevelParams']['java_home']
+java_exec = format("{java64_home}/bin/java")
 env_sh_template = config['configurations']['atlas-env']['content']
 # credential provider
http://git-wip-us.apache.org/repos/asf/ambari/blob/16c0b68e/ambari-server/src/main/resources/stacks/HDP/2.6/services/ATLAS/kerberos.json ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/stacks/HDP/2.6/services/ATLAS/kerberos.json b/ambari-server/src/main/resources/stacks/HDP/2.6/services/ATLAS/kerberos.json
new file mode 100644
index 0000000..1cc581f
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/HDP/2.6/services/ATLAS/kerberos.json
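Review bot: The two new module globals zk_root and stack_supports_zk_security carry no comment, and the consumer in metadata_server.py has to normalise zk_root itself. I would add `# Atlas HA znode path as configured: may lack a leading '/' or be '' if set explicitly; callers normalise before use` above zk_root and `# SECURE_ZOOKEEPER stack feature: gates the ZooKeeper ACL handling in metadata_server.py` above stack_supports_zk_security. `check_stack_feature`, `StackFeature` and `version_for_stack_feature_checks` are assumed to be in scope from earlier in params.py, which the hunk does not show.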
@@ -0,0 +1,97 @@
+{
+ "services": [
+ {
+ "name": "ATLAS",
+ "configurations": [
+ {
+ "application-properties": {
+ "atlas.authentication.method.kerberos": "true",
+ "atlas.kafka.sasl.kerberos.service.name": "${kafka-env/kafka_user}",
+ "atlas.kafka.security.protocol": "PLAINTEXTSASL",
+ "atlas.jaas.KafkaClient.loginModuleName": "com.sun.security.auth.module.Krb5LoginModule",
+ "atlas.jaas.KafkaClient.loginModuleControlFlag": "required",
+ "atlas.jaas.KafkaClient.option.useKeyTab": "true",
+ "atlas.jaas.KafkaClient.option.storeKey": "true",
+ "atlas.jaas.KafkaClient.option.serviceName": "${kafka-env/kafka_user}",
+ "atlas.solr.kerberos.enable": "true",
+ "atlas.server.ha.zookeeper.acl" : "auth:"
+ }
+ },
+ {
+ "ranger-atlas-audit": {
+ "xasecure.audit.jaas.Client.loginModuleName": "com.sun.security.auth.module.Krb5LoginModule",
+ "xasecure.audit.jaas.Client.loginModuleControlFlag": "required",
+ "xasecure.audit.jaas.Client.option.useKeyTab": "true",
+ "xasecure.audit.jaas.Client.option.storeKey": "false",
+ "xasecure.audit.jaas.Client.option.serviceName": "solr",
+ "xasecure.audit.destination.solr.force.use.inmemory.jaas.config": "true"
+ }
+ }
+ ],
+ "auth_to_local_properties" : [
+ "application-properties/atlas.authentication.method.kerberos.name.rules|new_lines_escaped"
+ ],
+ "components": [
+ {
+ "name": "ATLAS_SERVER",
+ "identities": [
+ {
+ "name": "atlas",
+ "principal": {
+ "value": "atlas/_HOST@${realm}",
+ "type" : "service",
+ "configuration": "application-properties/atlas.jaas.KafkaClient.option.principal",
+ "local_username" : "${atlas-env/metadata_user}"
+ },
+ "keytab": {
+ "file": "${keytab_dir}/atlas.service.keytab",
+ "owner": {
+ "name": "${atlas-env/metadata_user}",
+ "access": "r"
+ },
+ "group": {
+ "name": "${cluster-env/user_group}",
+ "access": ""
+ },
+ "configuration": "application-properties/atlas.jaas.KafkaClient.option.keyTab"
+ }
+ },
+ {
+ "name": "atlas_auth",
+ "reference": "/ATLAS/ATLAS_SERVER/atlas",
+ "principal": {
+ "configuration": "application-properties/atlas.authentication.principal"
+ },
+ "keytab": {
+ "configuration": "application-properties/atlas.authentication.keytab"
+ }
+ },
+ {
+ "name": "/spnego",
+ "principal": {
+ "value": "HTTP/_HOST@${realm}",
+ "configuration": "application-properties/atlas.authentication.method.kerberos.principal"
+ },
+ "keytab": {
+ "configuration": "application-properties/atlas.authentication.method.kerberos.keytab"
+ }
+ },
+ {
+ "name": "ranger_atlas_audit",
+ "reference": "/ATLAS/ATLAS_SERVER/atlas",
+ "principal": {
+ "configuration": "ranger-atlas-audit/xasecure.audit.jaas.Client.option.principal"
+ },
+ "keytab": {
+ "configuration": "ranger-atlas-audit/xasecure.audit.jaas.Client.option.keyTab"
+ }
+ },
+ {
+ "name": "/KAFKA/KAFKA_BROKER/kafka_broker"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
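Review bot: `atlas.kafka.security.protocol` is set to `PLAINTEXTSASL`, which gives the Atlas notification client Kerberos authentication to Kafka but leaves that traffic unencrypted; if the brokers also expose a SASL_SSL listener this descriptor is where the encrypted protocol would be selected, and if not, the trade-off deserves a sentence in the commit description. The Ranger audit client sets `xasecure.audit.jaas.Client.option.storeKey` to `false` while the KafkaClient entry sets `storeKey` to `true`; if that difference is intentional it should also be stated there, since a JSON descriptor cannot carry a comment.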