Repository: ambari Updated Branches: refs/heads/trunk bfaaba2fa -> 347ba2a99
AMBARI-20013. Add Solr authorization settings during LogSearch/Atlas/Ranger startup (oleewere) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/347ba2a9 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/347ba2a9 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/347ba2a9 Branch: refs/heads/trunk Commit: 347ba2a9983d400cddf4d888e7f8c15d72b71d5a Parents: bfaaba2 Author: oleewere <oleew...@gmail.com> Authored: Mon Feb 13 18:34:50 2017 +0100 Committer: oleewere <oleew...@gmail.com> Committed: Thu Feb 16 20:18:59 2017 +0100 ---------------------------------------------------------------------- .../libraries/functions/solr_cloud_util.py | 110 ++++++++++++++++++- .../configuration/infra-solr-security-json.xml | 82 +++++++++++--- .../0.1.0/package/scripts/params.py | 9 +- .../0.1.0/package/scripts/setup_infra_solr.py | 17 ++- .../templates/infra-solr-security.json.j2 | 68 ++++++++++++ .../properties/infra-solr-security.json.j2 | 68 ------------ .../ATLAS/0.1.0.2.3/package/scripts/metadata.py | 20 ++++ .../ATLAS/0.1.0.2.3/package/scripts/params.py | 3 + .../ATLAS/0.7.0.2.5/kerberos.json | 3 + .../LOGSEARCH/0.5.0/kerberos.json | 39 ++++--- .../LOGSEARCH/0.5.0/package/scripts/params.py | 5 + .../0.5.0/package/scripts/setup_logsearch.py | 22 +++- .../RANGER/0.4.0/package/scripts/params.py | 3 + .../0.4.0/package/scripts/setup_ranger_xml.py | 41 +++++++ .../common-services/RANGER/0.6.0/kerberos.json | 3 + .../stacks/2.3/ATLAS/test_metadata_server.py | 8 ++ .../test/python/stacks/2.3/configs/secure.json | 7 +- .../stacks/2.4/AMBARI_INFRA/test_infra_solr.py | 4 +- .../stacks/2.4/LOGSEARCH/test_logsearch.py | 3 +- .../stacks/2.5/RANGER/test_ranger_admin.py | 11 ++ .../stacks/2.6/RANGER/test_ranger_admin.py | 9 ++ 21 files changed, 418 insertions(+), 117 deletions(-) ---------------------------------------------------------------------- 
http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-common/src/main/python/resource_management/libraries/functions/solr_cloud_util.py ---------------------------------------------------------------------- diff --git a/ambari-common/src/main/python/resource_management/libraries/functions/solr_cloud_util.py b/ambari-common/src/main/python/resource_management/libraries/functions/solr_cloud_util.py index 4628211..1eeb86b 100644 --- a/ambari-common/src/main/python/resource_management/libraries/functions/solr_cloud_util.py +++ b/ambari-common/src/main/python/resource_management/libraries/functions/solr_cloud_util.py @@ -17,12 +17,17 @@ limitations under the License. """ import random +import json +from random import randrange from ambari_commons.constants import AMBARI_SUDO_BINARY from ambari_jinja2 import Environment as JinjaEnvironment +from resource_management.libraries.functions import get_kinit_path from resource_management.libraries.functions.default import default from resource_management.libraries.functions.format import format from resource_management.core.resources.system import Directory, Execute, File from resource_management.core.source import StaticFile +from resource_management.core.shell import as_sudo +from resource_management.core.logger import Logger __all__ = ["upload_configuration_to_zk", "create_collection", "setup_kerberos", "set_cluster_prop", "setup_kerberos_plugin", "create_znode", "check_znode", "secure_solr_znode", "secure_znode"] 
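Review bot: The new `from random import randrange` line sits directly under the existing `import random`, so the module now spells one dependency two ways; `random.randrange(0, len(solr_hosts))` in `__get_random_solr_host` would avoid the second import. `as_sudo` is also brought in here but, as far as the hunks on this page show, nothing in the file uses it — `add_solr_roles` builds its commands from `AMBARI_SUDO_BINARY` instead — so it looks like a leftover. If it is indeed unused, drop it so the import list reflects the real dependencies.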
@@ -163,13 +168,16 @@ def set_cluster_prop(zookeeper_quorum, solr_znode, prop_name, prop_value, java64 set_cluster_prop_cmd+=format(' --jaas-file {jaas_file}') Execute(set_cluster_prop_cmd) -def secure_znode(zookeeper_quorum, solr_znode, jaas_file, java64_home, sasl_users=[]): +def secure_znode(config, zookeeper_quorum, solr_znode, jaas_file, java64_home, sasl_users=[], retry = 5 , interval = 10): """ - Secure znode, set a list of sasl users acl to 'cdrwa', and set acl to 'r' only for the world. + Secure znode, set a list of sasl users acl to 'cdrwa', and set acl to 'r' only for the world. + Add infra-solr user by default if its available. """ solr_cli_prefix = __create_solr_cloud_cli_prefix(zookeeper_quorum, solr_znode, java64_home, True) - sasl_users_str = ",".join(str(x) for x in sasl_users) - secure_znode_cmd = format('{solr_cli_prefix} --secure-znode --jaas-file {jaas_file} --sasl-users {sasl_users_str}') + if "infra-solr-env" in config['configurations']: + sasl_users.append(__get_name_from_principal(config['configurations']['infra-solr-env']['infra_solr_kerberos_principal'])) + sasl_users_str = ",".join(str(__get_name_from_principal(x)) for x in sasl_users) + secure_znode_cmd = format('{solr_cli_prefix} --secure-znode --jaas-file {jaas_file} --sasl-users {sasl_users_str} --retry {retry} --interval {interval}') Execute(secure_znode_cmd) 
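Review bot: The new `sasl_users.append(...)` mutates the caller's list and, whenever the `sasl_users=[]` default is used, the single default list object shared by every call, so the infra-solr user is appended once per invocation and accumulates across calls in the same process. Copy before extending: make `sasl_users = list(sasl_users)` the first statement of the body and append to the copy. The added parameters `retry = 5 , interval = 10` also read oddly next to `sasl_users=[]`; PEP 8 spacing would be `retry=5, interval=10`.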
@@ -243,3 +251,97 @@ def setup_solr_client(config, custom_log4j = True, custom_log_location = None, l mode=0664, content='' ) + +def __get_name_from_principal(principal): + if not principal: # return if empty + return principal + slash_split = principal.split('/') + if len(slash_split) == 2: + return slash_split[0] + else: + at_split = principal.split('@') + return at_split[0] + +def __remove_host_from_principal(principal, realm): + if not realm: + raise Exception("Realm parameter is missing.") + if not principal: + raise Exception("Principal parameter is missing.") + username=__get_name_from_principal(principal) + at_split = principal.split('@') + if len(at_split) == 2: + realm = at_split[1] + return format('{username}@{realm}') + +def __get_random_solr_host(actual_host, solr_hosts = []): + """ + Get a random solr host, use the actual one, if there is an installed infra solr there (helps blueprint installs) + If there is only one solr host on the cluster, use that. + """ + if not solr_hosts: + raise Exception("Solr hosts parameter is empty.") + if len(solr_hosts) == 1: + return solr_hosts[0] + if actual_host in solr_hosts: + return actual_host + else: + random_index = randrange(0, len(solr_hosts)) + return solr_hosts[random_index] + +def add_solr_roles(config, roles = [], new_service_principals = [], tries = 30, try_sleep = 10): + """ + Set user-role mappings based on roles and principal users for secured cluster. Use solr REST API to check is there any authoirzation enabled, + if it is then update the user-roles mapping for Solr (this will upgrade the solr_znode/security.json file). + In case of custom security.json is used for infra-solr, this step will be skipped. 
+ """ + sudo = AMBARI_SUDO_BINARY + solr_hosts = default_config(config, "/clusterHostInfo/infra_solr_hosts", []) + security_enabled = config['configurations']['cluster-env']['security_enabled'] + solr_ssl_enabled = default_config(config, 'configurations/infra-solr-env/infra_solr_ssl_enabled', False) + solr_port = default_config(config, 'configurations/infra-solr-env/infra_solr_port', '8886') + kinit_path_local = get_kinit_path(default_config(config, '/configurations/kerberos-env/executable_search_paths', None)) + infra_solr_custom_security_json_content = None + + if 'infra-solr-security-json' in config['configurations']: + infra_solr_custom_security_json_content = config['configurations']['infra-solr-security-json']['content'] + + Logger.info(format("Adding {roles} roles to {new_service_principals} if infra-solr is installed.")) + if infra_solr_custom_security_json_content and str(infra_solr_custom_security_json_content).strip(): + Logger.info("Custom security.json is not empty for infra-solr, skip adding roles...") + elif security_enabled \ + and "infra-solr-env" in config['configurations'] \ + and solr_hosts is not None \ + and len(solr_hosts) > 0: + solr_protocol = "https" if solr_ssl_enabled else "http" + hostname = config['hostname'].lower() + solr_host = __get_random_solr_host(hostname, solr_hosts) + solr_url = format("{solr_protocol}://{solr_host}:{solr_port}/solr/admin/authorization") + solr_user_keytab = config['configurations']['infra-solr-env']['infra_solr_kerberos_keytab'] + solr_user_principal = config['configurations']['infra-solr-env']['infra_solr_kerberos_principal'].replace('_HOST', hostname) + solr_user_kinit_cmd = format("{kinit_path_local} -kt {solr_user_keytab} {solr_user_principal};") + solr_authorization_enabled_cmd=format("{sudo} {solr_user_kinit_cmd} {sudo} curl -k -s --negotiate -u : {solr_protocol}://{solr_host}:{solr_port}/solr/admin/authorization | grep authorization.enabled") + + if len(new_service_principals) > 0: + new_service_users 
= [] + + kerberos_realm = config['configurations']['kerberos-env']['realm'] + for new_service_user in new_service_principals: + new_service_users.append(__remove_host_from_principal(new_service_user, kerberos_realm)) + user_role_map = {} + + for new_service_user in new_service_users: + user_role_map[new_service_user] = roles + + Logger.info(format("New service users after removing fully qualified names: {new_service_users}")) + + set_user_role_map = {} + set_user_role_map['set-user-role'] = user_role_map + set_user_role_json = json.dumps(set_user_role_map) + + add_solr_role_cmd = format("{sudo} {solr_user_kinit_cmd} {sudo} curl -H 'Content-type:application/json' -d '{set_user_role_json}' -s -o /dev/null -w'%{{http_code}}' --negotiate -u: -k {solr_url} | grep 200") + + Logger.info(format("Check authorization enabled command: {solr_authorization_enabled_cmd} \nSet user-role settings command: {add_solr_role_cmd}")) + Execute(solr_authorization_enabled_cmd + " && "+ add_solr_role_cmd, + tries=tries, + try_sleep=try_sleep, + logoutput=True) http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml b/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml index e193a8c..e99d961 100644 --- a/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml +++ b/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/configuration/infra-solr-security-json.xml 
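Review bot: `add_solr_role_cmd` splices `set_user_role_json` into a single-quoted shell argument (`-d '{set_user_role_json}'`); `json.dumps` escapes double quotes but not `'`, so a principal or role value containing an apostrophe breaks the command line, and because the string runs under `{sudo}` it does so with elevated privileges. Writing the body with a `File` resource and passing `-d @{set_user_role_file}` removes the quoting problem entirely. Both curl calls also pass `-k`, so when `infra_solr_ssl_enabled` is set the authorization change is sent to whichever host answers at `solr_url` without certificate verification; if the agent has a truststore for Solr, prefer `--cacert` and keep `-k` only as a documented fallback. Finally, `roles=[]`, `new_service_principals=[]` and `solr_hosts=[]` are mutable defaults; they are not mutated here, but `None` defaults are safer given the append pattern used elsewhere in this file.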
@@ -26,9 +26,12 @@ <display-name>Ranger audit service users</display-name> <value>{default_ranger_audit_users}</value> <description> - List of comma separated kerberos service users who can write into ranger audit collections if the cluster is secure. (atlas and rangeradmin supported by default) - Change values in that case of custom values are used for kerberos principals. (default_ranger_audit_users is resolved ranger-*-audit/xasecure.audit.jaas.Client.option.principal, - by default namenode, hbase, hive knox, kafka, ranger kms and nifi are supported, to change it you can edit the security content, + List of comma separated kerberos service users who can write into ranger audit collections if the cluster is + secure. (atlas and rangeradmin supported by default) + Change values in that case of custom values are used for kerberos principals. (default_ranger_audit_users is + resolved ranger-*-audit/xasecure.audit.jaas.Client.option.principal, + by default namenode, hbase, hive knox, kafka, ranger kms and nifi are supported, to change it you can edit the + security content, or add a new username next to the default value, e.g.: {default_ranger_audit_users},customuser) </description> <depends-on> @@ -68,20 +71,6 @@ <type>ranger-nifi-audit</type> <name>xasecure.audit.jaas.Client.option.principal</name> </property> - </depends-on> - <on-ambari-upgrade add="true"/> - </property> - <property> - <name>content</name> - <display-name>security.json template</display-name> - <description>This is the jinja template for security.json file on the solr znode (only used if the cluster is secure)</description> - <value/> - <property-type>VALUE_FROM_PROPERTY_FILE</property-type> - <value-attributes> - <property-file-name>infra-solr-security.json.j2</property-file-name> - <property-file-type>text</property-file-type> - </value-attributes> - <depends-on> <property> <type>application-properties</type> <name>atlas.authentication.principal</name> 
@@ -93,4 +82,63 @@ </depends-on> <on-ambari-upgrade add="true"/> </property> + <property> + <name>infra_solr_role_ranger_admin</name> + <display-name>Ranger admin role</display-name> + <value>ranger_admin_user</value> + <description>Ranger admin role, it allows users to create collection, and perform any action on ranger audit collection.</description> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>infra_solr_role_ranger_audit</name> + <display-name>Ranger audit role</display-name> + <value>ranger_audit_user</value> + <description>Ranger audit role, it allows users to perform any action on ranger audit collection.</description> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>infra_solr_role_atlas</name> + <display-name>Atlas role</display-name> + <value>atlas_user</value> + <description>Atlas role, it allows users to create collection, and perform any action on atlas collections.</description> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>infra_solr_role_logsearch</name> + <display-name>Log Search role</display-name> + <value>logsearch_user</value> + <description>Log Search role, it allows users to create collection, and perform any action on Log Search collections.</description> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>infra_solr_role_logfeeder</name> + <display-name>Log Feeder role</display-name> + <value>logfeeder_user</value> + <description>Log Feeder role, it allows users to perform any action on Log Search collections.</description> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>infra_solr_role_dev</name> + <display-name>Dev role</display-name> + <value>dev</value> + <description>Dev role, it allows to perform any read action on any collection.</description> + <on-ambari-upgrade add="true"/> + </property> + <property> + <name>content</name> + <display-name>Custom security.json template</display-name> + <description> + This is the jinja template 
for custom security.json file on the solr znode + (only used if the cluster is secure and this property overrides the security.json which generated during solr + start). + </description> + <value> + </value> + <value-attributes> + <type>content</type> + <show-property-name>false</show-property-name> + <empty-value-valid>true</empty-value-valid> + </value-attributes> + <on-ambari-upgrade add="true"/> + </property> </configuration> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py b/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py index ab9aa61..acf420e 100644 --- a/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py +++ b/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/params.py 
@@ -129,7 +129,7 @@ if security_enabled: ranger_audit_principals.append(default('configurations/ranger-hive-audit/' + ranger_audit_principal_conf_key, 'hive')) ranger_audit_principals.append(default('configurations/ranger-knox-audit/' + ranger_audit_principal_conf_key, 'knox')) ranger_audit_principals.append(default('configurations/ranger-kafka-audit/' + ranger_audit_principal_conf_key, 'kafka')) - ranger_audit_principals.append(default('configurations/ranger-kms-audit/' + ranger_audit_principal_conf_key, 'kms')) + ranger_audit_principals.append(default('configurations/ranger-kms-audit/' + ranger_audit_principal_conf_key, 'rangerkms')) ranger_audit_principals.append(default('configurations/ranger-storm-audit/' + ranger_audit_principal_conf_key, 'storm')) ranger_audit_principals.append(default('configurations/ranger-yarn-audit/' + ranger_audit_principal_conf_key, 'yarn')) ranger_audit_principals.append(default('configurations/ranger-nifi-audit/' + ranger_audit_principal_conf_key, 'nifi')) 
@@ -160,3 +160,10 @@ logsearch_kerberos_service_user = get_name_from_principal(default('configuration logfeeder_kerberos_service_user = get_name_from_principal(default('configurations/logfeeder-env/logfeeder_kerberos_principal', 'logfeeder')) infra_solr_kerberos_service_user = get_name_from_principal(default('configurations/infra-solr-env/infra_solr_kerberos_principal', 'infra-solr')) +infra_solr_role_ranger_admin = default('configurations/infra-solr-security-json/infra_solr_role_ranger_admin', 'ranger_user') +infra_solr_role_ranger_audit = default('configurations/infra-solr-security-json/infra_solr_role_ranger_audit', 'ranger_audit_user') +infra_solr_role_atlas = default('configurations/infra-solr-security-json/infra_solr_role_atlas', 'atlas_user') +infra_solr_role_logsearch = default('configurations/infra-solr-security-json/infra_solr_role_logsearch', 'logsearch_user') +infra_solr_role_logfeeder = default('configurations/infra-solr-security-json/infra_solr_role_logfeeder', 'logfeeder_user') +infra_solr_role_dev = default('configurations/infra-solr-security-json/infra_solr_role_dev', 'dev') + http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/setup_infra_solr.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/setup_infra_solr.py b/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/setup_infra_solr.py index 8d72f42..f3dbcf3 100644 --- a/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/setup_infra_solr.py +++ b/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/scripts/setup_infra_solr.py 
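Review bot: `infra_solr_role_ranger_admin` falls back to `'ranger_user'` here, while the `infra-solr-security-json.xml` property added in this same commit declares its value as `ranger_admin_user`, so the two defaults name different roles; a stack lacking that config type would render the template with a role name the XML never documents. The LOGSEARCH `params.py` hunk further down carries the same `'ranger_user'` fallback. Align the fallback with the XML default, `infra_solr_role_ranger_admin = default('configurations/infra-solr-security-json/infra_solr_role_ranger_admin', 'ranger_admin_user')`, or change the XML, but keep them identical in every `params.py` that reads the property.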
@@ -72,13 +72,12 @@ def setup_infra_solr(name = None): group=params.user_group ) - security_json_file_location = format("{infra_solr_conf}/security.json") - - File(security_json_file_location, + custom_security_json_location = format("{infra_solr_conf}/custom-security.json") + File(custom_security_json_location, content=InlineTemplate(params.infra_solr_security_json_content), owner=params.infra_solr_user, group=params.user_group, - mode=0644 + mode=0640 ) jaas_file = params.infra_solr_jaas_file if params.security_enabled else None @@ -86,11 +85,21 @@ def setup_infra_solr(name = None): create_ambari_solr_znode() + security_json_file_location = custom_security_json_location \ + if params.infra_solr_security_json_content and str(params.infra_solr_security_json_content).strip() \ + else format("{infra_solr_conf}/security.json") # security.json file to upload + if params.security_enabled: File(format("{infra_solr_jaas_file}"), content=Template("infra_solr_jaas.conf.j2"), owner=params.infra_solr_user) + File(format("{infra_solr_conf}/security.json"), + content=Template("infra-solr-security.json.j2"), + owner=params.infra_solr_user, + group=params.user_group, + mode=0640) + solr_cloud_util.set_cluster_prop( zookeeper_quorum=params.zookeeper_quorum, solr_znode=params.infra_solr_znode, http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/templates/infra-solr-security.json.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/templates/infra-solr-security.json.j2 b/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/templates/infra-solr-security.json.j2 new file mode 100644 index 0000000..65d38e9 --- /dev/null +++ b/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/package/templates/infra-solr-security.json.j2 
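Review bot: The non-empty test on `params.infra_solr_security_json_content` in the second hunk (`... and str(...).strip()`) is the same expression `add_solr_roles` in `solr_cloud_util.py` uses to decide whether to skip the REST role update; the two must agree or a custom file could be uploaded while roles are still pushed through the API, so bind it once, e.g. `has_custom_security_json = bool(params.infra_solr_security_json_content and str(params.infra_solr_security_json_content).strip())`, and reuse it. The first hunk also writes `custom-security.json` unconditionally, so an empty placeholder is created on every start when no custom content is configured; guarding that `File` resource with the same flag keeps the conf directory to what is actually in use. `setup_infra_solr` continues outside both hunks.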
@@ -0,0 +1,68 @@ +{# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +#} +{ + "authentication": { + "class": "org.apache.solr.security.KerberosPlugin" + }, + "authorization": { + "class": "org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin", + "user-role": { + "{{infra_solr_kerberos_service_user}}@{{kerberos_realm}}": "admin", + "{{logsearch_kerberos_service_user}}@{{kerberos_realm}}": ["{{infra_solr_role_logsearch}}", "{{infra_solr_role_ranger_admin}}", "{{infra_solr_role_dev}}"], + "{{logfeeder_kerberos_service_user}}@{{kerberos_realm}}": ["{{infra_solr_role_logfeeder}}", "{{infra_solr_role_dev}}"], + "{{atlas_kerberos_service_user}}@{{kerberos_realm}}": ["{{infra_solr_role_atlas}}", "{{infra_solr_role_ranger_audit}}", "{{infra_solr_role_dev}}"], +{% if infra_solr_ranger_audit_service_users %} +{% for ranger_audit_service_user in infra_solr_ranger_audit_service_users %} + "{{ranger_audit_service_user}}@{{kerberos_realm}}": ["{{infra_solr_role_ranger_audit}}", "{{infra_solr_role_dev}}"], +{% endfor %} +{% endif %} + "{{ranger_admin_kerberos_service_user}}@{{kerberos_realm}}": ["{{infra_solr_role_ranger_admin}}", "{{infra_solr_role_ranger_audit}}", "{{infra_solr_role_dev}}"] + }, + "permissions": [ + { + "name" : 
"collection-admin-read", + "role" :null + }, + { + "name" : "collection-admin-edit", + "role" : ["admin", "{{infra_solr_role_logsearch}}", "{{infra_solr_role_logfeeder}}", "{{infra_solr_role_atlas}}", "{{infra_solr_role_ranger_admin}}"] + }, + { + "name":"read", + "role": "{{infra_solr_role_dev}}" + }, + { + "collection": ["{{logsearch_service_logs_collection}}", "{{logsearch_audit_logs_collection}}", "history"], + "role": ["admin", "{{infra_solr_role_logsearch}}", "{{infra_solr_role_logfeeder}}"], + "name": "logsearch-manager", + "path": "/*" + }, + { + "collection": ["vertex_index", "edge_index", "fulltext_index"], + "role": ["admin", "{{infra_solr_role_atlas}}"], + "name": "atlas-manager", + "path": "/*" + }, + { + "collection": "{{ranger_solr_collection_name}}", + "role": ["admin", "{{infra_solr_role_ranger_admin}}", "{{infra_solr_role_ranger_audit}}"], + "name": "ranger-manager", + "path": "/*" + }] + } +} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 b/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 deleted file mode 100644 index ed764f0..0000000 --- a/ambari-server/src/main/resources/common-services/AMBARI_INFRA/0.1.0/properties/infra-solr-security.json.j2 +++ /dev/null 
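Review bot: Every service principal in `user-role` is also given `{{infra_solr_role_dev}}`, and the `read` permission binds that role with no `collection` restriction, so logfeeder, atlas and each Ranger audit user can read every collection in the cluster, including the Ranger audit and Atlas indexes they have no functional need for. If the intent is a cross-collection read role for operators, grant it to the admin identity only and leave the service users with their own `*-manager` permissions; otherwise state in the `infra_solr_role_dev` property description that it is deliberately granted to all service users. `collection-admin-edit` likewise lists `{{infra_solr_role_logfeeder}}`; if the logfeeder only needs to write documents rather than manage collections, that entry can lose the role. The `collection-admin-read` entry with `"role": null` is open to any authenticated principal, which deserves a template comment confirming it is intentional.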
@@ -1,68 +0,0 @@ -{# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -#} -{ - "authentication": { - "class": "org.apache.solr.security.KerberosPlugin" - }, - "authorization": { - "class": "org.apache.ambari.infra.security.InfraRuleBasedAuthorizationPlugin", - "user-role": { - "{{infra_solr_kerberos_service_user}}@{{kerberos_realm}}": "admin", - "{{logsearch_kerberos_service_user}}@{{kerberos_realm}}": ["logsearch_user", "ranger_user", "dev"], - "{{logfeeder_kerberos_service_user}}@{{kerberos_realm}}": ["logfeeder_user", "dev"], - "{{atlas_kerberos_service_user}}@{{kerberos_realm}}": ["atlas_user", "ranger_audit_user", "dev"], -{% if infra_solr_ranger_audit_service_users %} -{% for ranger_audit_service_user in infra_solr_ranger_audit_service_users %} - "{{ranger_audit_service_user}}@{{kerberos_realm}}": ["ranger_audit_user", "dev"], -{% endfor %} -{% endif %} - "{{ranger_admin_kerberos_service_user}}@{{kerberos_realm}}": ["ranger_user", "ranger_audit_user", "dev"] - }, - "permissions": [ - { - "name" : "collection-admin-read", - "role" :null - }, - { - "name" : "collection-admin-edit", - "role" : ["admin", "logsearch_user", "logfeeder_user", "atlas_user", "ranger_user"] - }, - { - "name":"read", - "role": "dev" - }, - { - "collection": 
["{{logsearch_service_logs_collection}}", "{{logsearch_audit_logs_collection}}", "history"], - "role": ["admin", "logsearch_user", "logfeeder_user"], - "name": "logsearch-manager", - "path": "/*" - }, - { - "collection": ["vertex_index", "edge_index", "fulltext_index"], - "role": ["admin", "atlas_user"], - "name": "atlas-manager", - "path": "/*" - }, - { - "collection": "{{ranger_solr_collection_name}}", - "role": ["admin", "ranger_user", "ranger_audit_user"], - "name": "ranger-manager", - "path": "/*" - }] - } -} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata.py b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata.py index 2232bb2..c25445c 100644 --- a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata.py +++ b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata.py 
@@ -134,10 +134,21 @@ def metadata(type='server'): jaasFile=params.atlas_jaas_file if params.security_enabled else None upload_conf_set('atlas_configs', jaasFile) + if params.security_enabled: # update permissions before creating the collections + solr_cloud_util.add_solr_roles(params.config, + roles = [params.infra_solr_role_atlas, params.infra_solr_role_ranger_audit, params.infra_solr_role_dev], + new_service_principals = [params.atlas_jaas_principal]) + create_collection('vertex_index', 'atlas_configs', jaasFile) create_collection('edge_index', 'atlas_configs', jaasFile) create_collection('fulltext_index', 'atlas_configs', jaasFile) + if params.security_enabled: + secure_znode(format('{infra_solr_znode}/configs/atlas_configs'), jaasFile) + secure_znode(format('{infra_solr_znode}/collections/vertex_index'), jaasFile) + secure_znode(format('{infra_solr_znode}/collections/edge_index'), jaasFile) + secure_znode(format('{infra_solr_znode}/collections/fulltext_index'), jaasFile) + File(params.atlas_hbase_setup, group=params.user_group, owner=params.hbase_user, @@ -204,6 +215,15 @@ def create_collection(collection, config_set, jaasFile): shards=params.atlas_solr_shards, replication_factor = params.infra_solr_replication_factor) +def secure_znode(znode, jaasFile): + import params + solr_cloud_util.secure_znode(config=params.config, zookeeper_quorum=params.zookeeper_quorum, + solr_znode=znode, + jaas_file=jaasFile, + java64_home=params.java64_home, sasl_users=[params.atlas_jaas_principal]) + + + @retry(times=10, sleep_time=5, err_class=Fail) def check_znode(): import params http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py ---------------------------------------------------------------------- 
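Review bot: The new `secure_znode` wrapper has no docstring and is followed by three blank lines before `@retry`; a one-liner such as `"""Restrict the znode ACL to the atlas and infra-solr SASL users via solr_cloud_util.secure_znode."""` and the usual two blank lines would match the rest of the file. In `metadata`, the four `secure_znode` calls repeat the collection names passed to `create_collection` a few lines earlier; iterating one tuple for both steps, e.g. `for collection in ('vertex_index', 'edge_index', 'fulltext_index'):`, prevents a collection from being created but left unsecured when the list is edited later. `metadata` starts and ends outside the first hunk.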
diff --git a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py index 682fc9f..e270733 100644 --- a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py +++ b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py @@ -205,6 +205,9 @@ infra_solr_hosts = default("/clusterHostInfo/infra_solr_hosts", []) infra_solr_replication_factor = 2 if len(infra_solr_hosts) > 1 else 1 atlas_solr_shards = default("/configurations/atlas-env/atlas_solr-shards", 1) has_infra_solr = len(infra_solr_hosts) > 0 +infra_solr_role_atlas = default('configurations/infra-solr-security-json/infra_solr_role_atlas', 'atlas_user') +infra_solr_role_dev = default('configurations/infra-solr-security-json/infra_solr_role_dev', 'dev') +infra_solr_role_ranger_audit = default('configurations/infra-solr-security-json/infra_solr_role_ranger_audit', 'ranger_audit_user') # zookeeper zookeeper_hosts = config['clusterHostInfo']['zookeeper_hosts'] http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json b/ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json index bc8e351..d024146 100644 --- a/ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json +++ b/ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json 
@@ -87,6 +87,9 @@ }, { "name": "/KAFKA/KAFKA_BROKER/kafka_broker" + }, + { + "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr" } ] } http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json index 49d1b10..60c8afb 100644 --- a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json +++ b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json @@ -11,26 +11,29 @@ { "name": "LOGSEARCH_SERVER", "identities": [ - { - "name": "logsearch", - "principal": { - "value": "logsearch/_HOST@${realm}", - "type": "service", - "configuration": "logsearch-env/logsearch_kerberos_principal" - }, - "keytab": { - "file": "${keytab_dir}/logsearch.service.keytab", - "owner": { - "name": "${logsearch-env/logsearch_user}", - "access": "r" - }, - "group": { - "name": "${cluster-env/user_group}", - "access": "" + { + "name": "logsearch", + "principal": { + "value": "logsearch/_HOST@${realm}", + "type": "service", + "configuration": "logsearch-env/logsearch_kerberos_principal" }, - "configuration": "logsearch-env/logsearch_kerberos_keytab" + "keytab": { + "file": "${keytab_dir}/logsearch.service.keytab", + "owner": { + "name": "${logsearch-env/logsearch_user}", + "access": "r" + }, + "group": { + "name": "${cluster-env/user_group}", + "access": "" + }, + "configuration": "logsearch-env/logsearch_kerberos_keytab" + } + }, + { + "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr" } - } ] }, { http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py ---------------------------------------------------------------------- 
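Review bot: Referencing `/AMBARI_INFRA/INFRA_SOLR/infra-solr` from a component's identities, as done here for the ATLAS component and LOGSEARCH_SERVER and in the RANGER 0.6.0 descriptor, presumably provisions the Infra Solr service keytab on every host running that component; the test expectations in this commit show it is then used through `ambari-sudo.sh /usr/bin/kinit -kt ... infra-solr/...` to call the Solr authorization API. That places the Solr service credential on Atlas, Log Search and Ranger hosts, and neither the descriptors nor the commit description says why the consuming service's own principal cannot perform the role assignment. A sentence in the commit description recording that Solr's authorization API is called as the Solr service principal would document the trade-off, and it is worth confirming that the keytab's owner/group access defined in the AMBARI_INFRA descriptor (not visible here) stays limited to the infra-solr user and group.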
diff --git a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py
index fecd802..a023f2f 100644
--- a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py
+++ b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/params.py
@@ -106,6 +106,11 @@ if 'infra-solr-env' in config['configurations']:
 infra_solr_ssl_enabled = default('configurations/infra-solr-env/infra_solr_ssl_enabled', False)
 infra_solr_jmx_port = config['configurations']['infra-solr-env']['infra_solr_jmx_port']
+infra_solr_role_logsearch = default('configurations/infra-solr-security-json/infra_solr_role_logsearch', 'logsearch_user')
+infra_solr_role_logfeeder = default('configurations/infra-solr-security-json/infra_solr_role_logfeeder', 'logfeeder_user')
+infra_solr_role_dev = default('configurations/infra-solr-security-json/infra_solr_role_dev', 'dev')
+infra_solr_role_ranger_admin = default('configurations/infra-solr-security-json/infra_solr_role_ranger_admin', 'ranger_user')
+
 _hostname_lowercase = config['hostname'].lower()
 if security_enabled:
 kinit_path_local = status_params.kinit_path_local
http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py
index ba91e20..f96bfd0 100644
--- a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py
+++ b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/package/scripts/setup_logsearch.py
@@ -17,9 +17,12 @@ limitations under the License. """ +from resource_management.core.exceptions import Fail from resource_management.core.resources.system import Directory, Execute, File from resource_management.libraries.functions.format import format from resource_management.core.source import InlineTemplate, Template +from resource_management.libraries.functions import solr_cloud_util +from resource_management.libraries.functions.decorator import retry from resource_management.libraries.resources.properties_file import PropertiesFile from resource_management.libraries.functions.security_commons import update_credential_provider_path, HADOOP_CREDENTIAL_PROVIDER_PROPERTY_NAME @@ -110,7 +113,24 @@ def setup_logsearch(): content=Template("logsearch_jaas.conf.j2"), owner=params.logsearch_user ) - Execute(("chmod", "-R", "ugo+r", format("{logsearch_server_conf}/solr_configsets")), sudo=True ) + check_znode() + + if params.security_enabled and not params.logsearch_use_external_solr: + solr_cloud_util.add_solr_roles(params.config, + roles = [params.infra_solr_role_logsearch, params.infra_solr_role_ranger_admin, params.infra_solr_role_dev], + new_service_principals = [params.logsearch_kerberos_principal]) + solr_cloud_util.add_solr_roles(params.config, + roles = [params.infra_solr_role_logfeeder, params.infra_solr_role_dev], + new_service_principals = [params.logfeeder_kerberos_principal]) + +@retry(times=30, sleep_time=5, err_class=Fail) +def check_znode(): + import params + solr_cloud_util.check_znode( + zookeeper_quorum=params.logsearch_solr_zk_quorum, + solr_znode=params.logsearch_solr_zk_znode, + java64_home=params.java64_home, + retry=30, interval=5) \ No newline at end of file http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py ---------------------------------------------------------------------- 
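Review bot: `check_znode` stacks two retry loops: the `@retry(times=30, sleep_time=5, err_class=Fail)` decorator re-runs a call that already passes `retry=30, interval=5` to `solr_cloud_util.check_znode`, and the test expectation in this commit shows the CLI receives `--check-znode --retry 30 --interval 5`. If the CLI honours those as its own loop, a znode that never appears is probed about 900 times, roughly 75 minutes, before the start fails, instead of the few minutes either loop alone gives; keeping one loop, e.g. dropping the decorator and relying on the CLI's `--retry 30 --interval 5`, makes the failure bound predictable. The file also now ends without a trailing newline (`\ No newline at end of file`). `setup_logsearch()` starts outside this hunk.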
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py
index 0b4532b..49cd98b 100644
--- a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py
@@ -309,6 +309,9 @@ if stack_supports_infra_client and is_solrCloud_enabled:
 solr_user = unix_user
 if has_infra_solr and not is_external_solrCloud_enabled:
 solr_user = default('/configurations/infra-solr-env/infra_solr_user', unix_user)
+ infra_solr_role_ranger_admin = default('configurations/infra-solr-security-json/infra_solr_role_ranger_admin', 'ranger_user')
+ infra_solr_role_ranger_audit = default('configurations/infra-solr-security-json/infra_solr_role_ranger_audit', 'ranger_audit_user')
+ infra_solr_role_dev = default('configurations/infra-solr-security-json/infra_solr_role_dev', 'dev')
 custom_log4j = has_infra_solr and not is_external_solrCloud_enabled
 ranger_audit_max_retention_days = config['configurations']['ranger-solr-configuration']['ranger_audit_max_retention_days']
http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
index ae49c4f..acb5385 100644
--- a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
@@ -19,6 +19,7 @@ limitations under the License.
 """
 import os
 import re
+from collections import OrderedDict
 from resource_management.libraries.script import Script
 from resource_management.libraries.functions.default import default
 from resource_management.core.logger import Logger
@@ -669,6 +670,20 @@ def setup_ranger_audit_solr():
 jaas_file=params.solr_jaas_file,
 retry=30, interval=5)
+ if params.security_enabled and params.has_infra_solr \
+ and not params.is_external_solrCloud_enabled and params.stack_supports_ranger_kerberos:
+
+ solr_cloud_util.add_solr_roles(params.config,
+ roles = [params.infra_solr_role_ranger_admin, params.infra_solr_role_ranger_audit, params.infra_solr_role_dev],
+ new_service_principals = [params.ranger_admin_jaas_principal])
+ service_default_principals_map = OrderedDict([('hdfs', 'nn'), ('hbase', 'hbase'), ('hive', 'hive'), ('kafka', 'kafka'), ('kms', 'rangerkms'),
+ ('knox', 'knox'), ('nifi', 'nifi'), ('storm', 'storm'), ('yanr', 'yarn')])
+ service_principals = get_ranger_plugin_principals(service_default_principals_map)
+ solr_cloud_util.add_solr_roles(params.config,
+ roles = [params.infra_solr_role_ranger_audit, params.infra_solr_role_dev],
+ new_service_principals = service_principals)
+
+
 solr_cloud_util.create_collection(
 zookeeper_quorum = params.zookeeper_quorum,
 solr_znode = params.solr_znode,
@@ -679,6 +694,11 @@ def setup_ranger_audit_solr():
 replication_factor = int(params.replication_factor),
 jaas_file = params.solr_jaas_file)
+ if params.security_enabled and params.has_infra_solr \
+ and not params.is_external_solrCloud_enabled and params.stack_supports_ranger_kerberos:
+ secure_znode(format('{solr_znode}/configs/{ranger_solr_config_set}'), params.solr_jaas_file)
+ secure_znode(format('{solr_znode}/collections/{ranger_solr_collection_name}'), params.solr_jaas_file)
+
 def setup_ranger_admin_passwd_change():
 import params
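Review bot: `('yanr', 'yarn')` in `service_default_principals_map` is a typo: `get_ranger_plugin_principals` turns the key into `configurations/ranger-yanr-audit/xasecure.audit.jaas.Client.option.principal`, which no Ranger plugin configuration provides, so a customised YARN audit principal is never read and the literal `yarn` is always the one granted `ranger_audit_user`/`dev`; change it to `('yarn', 'yarn')` and give the test fixture a non-default YARN principal so the lookup is actually exercised. The same four-clause guard is spelled out twice in this function (before `add_solr_roles` here and before the `secure_znode` calls in the `@@ -679` hunk); evaluating it once, e.g. `manage_solr_roles = params.security_enabled and params.has_infra_solr and not params.is_external_solrCloud_enabled and params.stack_supports_ranger_kerberos`, stops the two copies drifting apart. `setup_ranger_audit_solr()` starts outside these hunks.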
@@ -695,6 +715,27 @@ def check_znode():
 solr_znode=params.solr_znode,
 java64_home=params.java_home)
+def secure_znode(znode, jaasFile):
+ import params
+ solr_cloud_util.secure_znode(config=params.config, zookeeper_quorum=params.zookeeper_quorum,
+ solr_znode=znode,
+ jaas_file=jaasFile,
+ java64_home=params.java_home, sasl_users=[params.ranger_admin_jaas_principal])
+
+def get_ranger_plugin_principals(services_defaults_map):
+ """
+ Get ranger plugin user principals from service-default value maps using ranger-*-audit configurations
+ """
+ import params
+ user_principals = []
+ if len(services_defaults_map) < 1:
+ raise Exception("Services - defaults map parameter is missing.")
+
+ for key, default_value in services_defaults_map.iteritems():
+ user_principal = default(format("configurations/ranger-{key}-audit/xasecure.audit.jaas.Client.option.principal"), default_value)
+ user_principals.append(user_principal)
+ return user_principals
+
 def setup_tagsync_ssl_configs():
 import params
http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json b/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json
index 253e32e..c5b3201 100644
--- a/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json
+++ b/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json
@@ -72,6 +72,9 @@
 "keytab": {
 "configuration": "ranger-admin-site/xasecure.audit.jaas.Client.option.keyTab"
 }
+ },
+ {
+ "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr"
 }
 ]
 },
http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/test/python/stacks/2.3/ATLAS/test_metadata_server.py
----------------------------------------------------------------------
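Review bot: `get_ranger_plugin_principals` raises a bare `Exception` for an empty map, while the `check_znode` wrappers in metadata.py and setup_logsearch.py in this commit treat `Fail` as the script-level error (`err_class=Fail`); `raise Fail("Services - defaults map parameter is missing.")` keeps error handling uniform, provided `Fail` is imported in this file (its import block is outside this hunk). The docstring states the purpose but not the contract; extending it to say that keys are Ranger plugin service names used to build the `ranger-<service>-audit` lookup, that values are the principal used when that configuration is absent, and that the result preserves the map's order (which is why the caller passes an `OrderedDict`) would let a reader use it without reading the body. `secure_znode` mirrors the Atlas wrapper of the same name apart from the principal and `java_home`; a one-line docstring noting that `sasl_users` is the Ranger admin JAAS principal and `jaasFile` the JAAS config used for ZooKeeper would make the Ranger-specific binding explicit.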
diff --git a/ambari-server/src/test/python/stacks/2.3/ATLAS/test_metadata_server.py b/ambari-server/src/test/python/stacks/2.3/ATLAS/test_metadata_server.py index 1bbf75e..12f8412 100644 --- a/ambari-server/src/test/python/stacks/2.3/ATLAS/test_metadata_server.py +++ b/ambari-server/src/test/python/stacks/2.3/ATLAS/test_metadata_server.py 
@@ -303,10 +303,18 @@ class TestMetadataServer(RMFTestCase): action=['delete'], create_parents=True) + self.assertResourceCalled('Execute', "ambari-sudo.sh /usr/bin/kinit -kt /etc/security/keytabs/ambari-infra-solr.keytab infra-solr/c6401.ambari.apache....@example.com; ambari-sudo.sh curl -k -s --negotiate -u : http://c6401.ambari.apache.org:8886/solr/admin/authorization | grep authorization.enabled && ambari-sudo.sh /usr/bin/kinit -kt /etc/security/keytabs/ambari-infra-solr.keytab infra-solr/c6401.ambari.apache....@example.com; ambari-sudo.sh curl -H 'Content-type:application/json' -d '{\"set-user-role\": {\"at...@example.com\": [\"atlas_user\", \"ranger_audit_user\", \"dev\"]}}' -s -o /dev/null -w'%{http_code}' --negotiate -u: -k http://c6401.ambari.apache.org:8886/solr/admin/authorization | grep 200", + logoutput = True, tries = 30, try_sleep = 10) + self.assertResourceCalledRegexp('^Execute$', '^ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181/infra-solr --create-collection --collection vertex_index --config-set atlas_configs --shards 1 --replication 1 --max-shards 1 --retry 5 --interval 10') self.assertResourceCalledRegexp('^Execute$', '^ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181/infra-solr --create-collection --collection edge_index --config-set atlas_configs --shards 1 --replication 1 --max-shards 1 --retry 5 --interval 10') self.assertResourceCalledRegexp('^Execute$', '^ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181/infra-solr --create-collection --collection fulltext_index --config-set atlas_configs --shards 1 --replication 1 --max-shards 1 --retry 5 --interval 10') + self.assertResourceCalled('Execute', "ambari-sudo.sh 
JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181 --znode /infra-solr/configs/atlas_configs --secure-znode --jaas-file /usr/hdp/current/atlas-server/conf/atlas_jaas.conf --sasl-users atlas,infra-solr --retry 5 --interval 10") + self.assertResourceCalled('Execute', "ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181 --znode /infra-solr/collections/vertex_index --secure-znode --jaas-file /usr/hdp/current/atlas-server/conf/atlas_jaas.conf --sasl-users atlas,infra-solr --retry 5 --interval 10") + self.assertResourceCalled('Execute', "ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181 --znode /infra-solr/collections/edge_index --secure-znode --jaas-file /usr/hdp/current/atlas-server/conf/atlas_jaas.conf --sasl-users atlas,infra-solr --retry 5 --interval 10") + self.assertResourceCalled('Execute', "ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181 --znode /infra-solr/collections/fulltext_index --secure-znode --jaas-file /usr/hdp/current/atlas-server/conf/atlas_jaas.conf --sasl-users atlas,infra-solr --retry 5 --interval 10") + def test_configure_default(self): self.executeScript(self.COMMON_SERVICES_PACKAGE_DIR + "/scripts/metadata_server.py", classname = "MetadataServer", http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/test/python/stacks/2.3/configs/secure.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/python/stacks/2.3/configs/secure.json b/ambari-server/src/test/python/stacks/2.3/configs/secure.json index 4501b81..e2a3d1d 100644 
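Review bot: The expected authorization command chains `... | grep authorization.enabled && ambari-sudo.sh /usr/bin/kinit ...; ambari-sudo.sh curl ... set-user-role ... | grep 200`; since `;` binds looser than `&&`, the `&&` only gates the second `kinit`, and the role-setting `curl` plus the final `grep 200` run whether or not `authorization.enabled` was found, so the precondition the string appears to encode is not enforced. The string also carries `curl -k`, which disables certificate verification; it is inert against the `http://` fixture used here but would apply unchanged to an HTTPS Solr endpoint. Both come from `solr_cloud_util.add_solr_roles`, which is outside this chunk, so the fix belongs there (group the guarded part, e.g. `... | grep authorization.enabled && { ambari-sudo.sh /usr/bin/kinit ...; ambari-sudo.sh curl ... | grep 200; }`, and point curl at the cluster truststore instead of `-k`), with this expectation and the matching ones in the 2.5 and 2.6 test_ranger_admin.py hunks updated alongside.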
--- a/ambari-server/src/test/python/stacks/2.3/configs/secure.json +++ b/ambari-server/src/test/python/stacks/2.3/configs/secure.json @@ -169,7 +169,9 @@ "infra_solr_znode": "/infra-solr", "infra_solr_user": "solr", "infra_solr_group": "solr", - "infra_solr_client_log_dir" :"/var/log/ambari-infra-solr-client" + "infra_solr_client_log_dir" :"/var/log/ambari-infra-solr-client", + "infra_solr_kerberos_principal" : "infra-solr/c6401.ambari.apache....@example.com", + "infra_solr_kerberos_keytab" : "/etc/security/keytabs/ambari-infra-solr.keytab" }, "infra-solr-client-log4j" : { "infra_solr_client_log_dir" : "/var/log/ambari-infra-solr-client", @@ -236,6 +238,9 @@ }, "ranger-env": { "xml_configurations_supported" : "true" + }, + "kerberos-env" : { + "realm" : "EXAMPLE.COM" } }, "configuration_attributes": { http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/test/python/stacks/2.4/AMBARI_INFRA/test_infra_solr.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/python/stacks/2.4/AMBARI_INFRA/test_infra_solr.py b/ambari-server/src/test/python/stacks/2.4/AMBARI_INFRA/test_infra_solr.py index cd88fec..2de3fba 100644 --- a/ambari-server/src/test/python/stacks/2.4/AMBARI_INFRA/test_infra_solr.py +++ b/ambari-server/src/test/python/stacks/2.4/AMBARI_INFRA/test_infra_solr.py 
@@ -95,11 +95,11 @@ class TestInfraSolr(RMFTestCase): content = InlineTemplate(self.getConfig()['configurations']['infra-solr-log4j']['content']) ) - self.assertResourceCalled('File', '/etc/ambari-infra-solr/conf/security.json', + self.assertResourceCalled('File', '/etc/ambari-infra-solr/conf/custom-security.json', owner = 'solr', group='hadoop', content = InlineTemplate(self.getConfig()['configurations']['infra-solr-security-json']['content']), - mode = 0644 + mode = 0640 ) self.assertResourceCalled('Execute', 'ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181 --znode /infra-solr --create-znode --retry 30 --interval 5') http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py b/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py index db9cbb9..587561a 100644 --- a/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py +++ b/ambari-server/src/test/python/stacks/2.4/LOGSEARCH/test_logsearch.py @@ -139,7 +139,8 @@ class TestLogSearch(RMFTestCase): self.assertResourceCalled('Execute', ('chmod', '-R', 'ugo+r', '/etc/ambari-logsearch-portal/conf/solr_configsets'), sudo = True ) - + self.assertResourceCalled('Execute', 'ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181 --znode /infra-solr --check-znode --retry 30 --interval 5') + def test_configure_default(self): http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_admin.py ---------------------------------------------------------------------- 
diff --git a/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_admin.py b/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_admin.py index b01e7da..1b5d7ae 100644 --- a/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_admin.py +++ b/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_admin.py @@ -80,6 +80,7 @@ class TestRangerAdmin(RMFTestCase): self.assertResourceCalledRegexp('^Directory$', '^/tmp/solr_config_ranger_audits_0.[0-9]*', action=['delete'], create_parents=True) + self.assertResourceCalledRegexp('^Execute$', '^ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181/infra-solr --create-collection --collection ranger_audits --config-set ranger_audits --shards 1 --replication 1 --max-shards 1 --retry 5 --interval 10') self.assertResourceCalled('Execute', '/usr/bin/ranger-admin-start', 
@@ -165,8 +166,18 @@ class TestRangerAdmin(RMFTestCase): self.assertResourceCalledRegexp('^Directory$', '^/tmp/solr_config_ranger_audits_0.[0-9]*', action=['delete'], create_parents=True) + + self.assertResourceCalled('Execute', "ambari-sudo.sh /usr/bin/kinit -kt /etc/security/keytabs/infra-solr.service.keytab infra-solr/c6401.ambari.apache....@example.com; ambari-sudo.sh curl -k -s --negotiate -u : http://c6401.ambari.apache.org:8886/solr/admin/authorization | grep authorization.enabled && ambari-sudo.sh /usr/bin/kinit -kt /etc/security/keytabs/infra-solr.service.keytab infra-solr/c6401.ambari.apache....@example.com; ambari-sudo.sh curl -H 'Content-type:application/json' -d '{\"set-user-role\": {\"rangerad...@example.com\": [\"ranger_user\", \"ranger_audit_user\", \"dev\"]}}' -s -o /dev/null -w'%{http_code}' --negotiate -u: -k http://c6401.ambari.apache.org:8886/solr/admin/authorization | grep 200", + logoutput = True, tries = 30, try_sleep = 10) + self.assertResourceCalled('Execute', "ambari-sudo.sh /usr/bin/kinit -kt /etc/security/keytabs/infra-solr.service.keytab infra-solr/c6401.ambari.apache....@example.com; ambari-sudo.sh curl -k -s --negotiate -u : http://c6401.ambari.apache.org:8886/solr/admin/authorization | grep authorization.enabled && ambari-sudo.sh /usr/bin/kinit -kt /etc/security/keytabs/infra-solr.service.keytab infra-solr/c6401.ambari.apache....@example.com; ambari-sudo.sh curl -H \'Content-type:application/json\' -d " + "\'{\"set-user-role\": {\"hb...@example.com\": [\"ranger_audit_user\", \"dev\"], \"n...@example.com\": [\"ranger_audit_user\", \"dev\"], \"k...@example.com\": [\"ranger_audit_user\", \"dev\"], \"ranger...@example.com\": [\"ranger_audit_user\", \"dev\"], \"ka...@example.com\": [\"ranger_audit_user\", \"dev\"], \"h...@example.com\": [\"ranger_audit_user\", \"dev\"], \"n...@example.com\": [\"ranger_audit_user\", \"dev\"], \"st...@example.com\": [\"ranger_audit_user\", \"dev\"], \"y...@example.com\": [\"ranger_audit_user\", 
\"dev\"]}}\' -s -o /dev/null -w\'%{http_code}\' --negotiate -u: -k http://c6401.ambari.apache.org:8886/solr/admin/authorization | grep 200", + logoutput = True, tries = 30, try_sleep = 10) + self.assertResourceCalledRegexp('^Execute$', '^ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181/ambari-solr --create-collection --collection ranger_audits --config-set ranger_audits --shards 1 --replication 1 --max-shards 1 --retry 5 --interval 10') + self.assertResourceCalled('Execute','ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181 --znode /ambari-solr/configs/ranger_audits --secure-znode --jaas-file /usr/hdp/current/ranger-admin/conf/ranger_solr_jaas.conf --sasl-users rangeradmin,infra-solr --retry 5 --interval 10') + self.assertResourceCalled('Execute', 'ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181 --znode /ambari-solr/collections/ranger_audits --secure-znode --jaas-file /usr/hdp/current/ranger-admin/conf/ranger_solr_jaas.conf --sasl-users rangeradmin,infra-solr --retry 5 --interval 10') + self.assertResourceCalled('Execute', '/usr/bin/ranger-admin-start', environment = {'JAVA_HOME': u'/usr/jdk64/jdk1.7.0_45'}, not_if = 'ps -ef | grep proc_rangeradmin | grep -v grep', http://git-wip-us.apache.org/repos/asf/ambari/blob/347ba2a9/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_admin.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_admin.py b/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_admin.py index 8dda363..fb1dd0e 100644 --- a/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_admin.py 
+++ b/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_admin.py 
@@ -156,8 +156,17 @@ class TestRangerAdmin(RMFTestCase): self.assertResourceCalledRegexp('^Directory$', '^/tmp/solr_config_ranger_audits_0.[0-9]*', action=['delete'], create_parents=True) + self.assertResourceCalled('Execute', "ambari-sudo.sh /usr/bin/kinit -kt /etc/security/keytabs/infra-solr.service.keytab infra-solr/c6401.ambari.apache....@example.com; ambari-sudo.sh curl -k -s --negotiate -u : http://c6401.ambari.apache.org:8886/solr/admin/authorization | grep authorization.enabled && ambari-sudo.sh /usr/bin/kinit -kt /etc/security/keytabs/infra-solr.service.keytab infra-solr/c6401.ambari.apache....@example.com; ambari-sudo.sh curl -H 'Content-type:application/json' -d '{\"set-user-role\": {\"rangerad...@example.com\": [\"ranger_user\", \"ranger_audit_user\", \"dev\"]}}' -s -o /dev/null -w'%{http_code}' --negotiate -u: -k http://c6401.ambari.apache.org:8886/solr/admin/authorization | grep 200", + logoutput = True, tries = 30, try_sleep = 10) + self.assertResourceCalled('Execute', "ambari-sudo.sh /usr/bin/kinit -kt /etc/security/keytabs/infra-solr.service.keytab infra-solr/c6401.ambari.apache....@example.com; ambari-sudo.sh curl -k -s --negotiate -u : http://c6401.ambari.apache.org:8886/solr/admin/authorization | grep authorization.enabled && ambari-sudo.sh /usr/bin/kinit -kt /etc/security/keytabs/infra-solr.service.keytab infra-solr/c6401.ambari.apache....@example.com; ambari-sudo.sh curl -H \'Content-type:application/json\' -d " + "\'{\"set-user-role\": {\"hb...@example.com\": [\"ranger_audit_user\", \"dev\"], \"n...@example.com\": [\"ranger_audit_user\", \"dev\"], \"k...@example.com\": [\"ranger_audit_user\", \"dev\"], \"ranger...@example.com\": [\"ranger_audit_user\", \"dev\"], \"ka...@example.com\": [\"ranger_audit_user\", \"dev\"], \"h...@example.com\": [\"ranger_audit_user\", \"dev\"], \"n...@example.com\": [\"ranger_audit_user\", \"dev\"], \"st...@example.com\": [\"ranger_audit_user\", \"dev\"], \"y...@example.com\": [\"ranger_audit_user\", \"dev\"]}}\' 
-s -o /dev/null -w\'%{http_code}\' --negotiate -u: -k http://c6401.ambari.apache.org:8886/solr/admin/authorization | grep 200", + logoutput = True, tries = 30, try_sleep = 10) + self.assertResourceCalledRegexp('^Execute$', '^ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181/infra-solr --create-collection --collection ranger_audits --config-set ranger_audits --shards 1 --replication 1 --max-shards 1 --retry 5 --interval 10') + self.assertResourceCalled('Execute','ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181 --znode /infra-solr/configs/ranger_audits --secure-znode --jaas-file /usr/hdp/current/ranger-admin/conf/ranger_solr_jaas.conf --sasl-users rangeradmin,infra-solr --retry 5 --interval 10') + self.assertResourceCalled('Execute', 'ambari-sudo.sh JAVA_HOME=/usr/jdk64/jdk1.7.0_45 /usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string c6401.ambari.apache.org:2181 --znode /infra-solr/collections/ranger_audits --secure-znode --jaas-file /usr/hdp/current/ranger-admin/conf/ranger_solr_jaas.conf --sasl-users rangeradmin,infra-solr --retry 5 --interval 10') + self.assertResourceCalled('Execute', '/usr/bin/ranger-admin-start', environment = {'JAVA_HOME': u'/usr/jdk64/jdk1.7.0_45'}, not_if = 'ps -ef | grep proc_rangeradmin | grep -v grep',