Repository: ambari Updated Branches: refs/heads/trunk 0beb353a0 -> a8d1efc76
AMBARI-20152. Use storm user instead of nimbus user for ranger audit (oleewere) Project: http://git-wip-us.apache.org/repos/asf/ambari/repo Commit: http://git-wip-us.apache.org/repos/asf/ambari/commit/a8d1efc7 Tree: http://git-wip-us.apache.org/repos/asf/ambari/tree/a8d1efc7 Diff: http://git-wip-us.apache.org/repos/asf/ambari/diff/a8d1efc7 Branch: refs/heads/trunk Commit: a8d1efc76d799ff32304164406023efc3fc209f5 Parents: 0beb353 Author: oleewere <oleew...@gmail.com> Authored: Thu Feb 23 21:42:13 2017 +0100 Committer: oleewere <oleew...@gmail.com> Committed: Sat Feb 25 20:54:08 2017 +0100 ---------------------------------------------------------------------- .../server/upgrade/UpgradeCatalog250.java | 91 ++++++++ .../ATLAS/0.1.0.2.3/kerberos.json | 5 +- .../ATLAS/0.7.0.2.5/kerberos.json | 5 +- .../LOGSEARCH/0.5.0/kerberos.json | 5 +- .../common-services/RANGER/0.6.0/kerberos.json | 5 +- .../common-services/STORM/1.0.1/kerberos.json | 2 +- .../server/upgrade/UpgradeCatalog250Test.java | 79 +++++++ ...test_kerberos_descriptor_2_5_infra_solr.json | 217 +++++++++++++++++++ 8 files changed, 404 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ambari/blob/a8d1efc7/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java index b0243b7..d6ff241 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog250.java 
@@ -33,19 +33,30 @@ import java.util.concurrent.atomic.AtomicLong; import org.apache.ambari.server.AmbariException; import org.apache.ambari.server.actionmanager.CommandExecutionType; +import org.apache.ambari.server.collections.Predicate; +import org.apache.ambari.server.collections.functors.ContainsPredicate; import org.apache.ambari.server.configuration.Configuration; import org.apache.ambari.server.controller.AmbariManagementController; import org.apache.ambari.server.orm.DBAccessor; import org.apache.ambari.server.orm.DBAccessor.DBColumnInfo; import org.apache.ambari.server.orm.dao.AlertDefinitionDAO; import org.apache.ambari.server.orm.dao.AlertsDAO; +import org.apache.ambari.server.orm.dao.ArtifactDAO; import org.apache.ambari.server.orm.dao.DaoUtils; import org.apache.ambari.server.orm.entities.AlertCurrentEntity; import org.apache.ambari.server.orm.entities.AlertDefinitionEntity; import org.apache.ambari.server.orm.entities.AlertHistoryEntity; +import org.apache.ambari.server.orm.entities.ArtifactEntity; import org.apache.ambari.server.state.Cluster; import org.apache.ambari.server.state.Clusters; import org.apache.ambari.server.state.Config; +import org.apache.ambari.server.state.kerberos.KerberosComponentDescriptor; +import org.apache.ambari.server.state.kerberos.KerberosDescriptor; +import org.apache.ambari.server.state.kerberos.KerberosDescriptorFactory; +import org.apache.ambari.server.state.kerberos.KerberosIdentityDescriptor; +import org.apache.ambari.server.state.kerberos.KerberosKeytabDescriptor; +import org.apache.ambari.server.state.kerberos.KerberosPrincipalDescriptor; +import org.apache.ambari.server.state.kerberos.KerberosServiceDescriptor; import org.apache.commons.lang.StringUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -179,6 +190,7 @@ public class UpgradeCatalog250 extends AbstractUpgradeCatalog { updateRangerUrlConfigs(); addManageServiceAutoStartPermissions(); addManageAlertNotificationsPermissions(); + updateKerberosDescriptorArtifacts(); } /** 
@@ -436,6 +448,82 @@ public class UpgradeCatalog250 extends AbstractUpgradeCatalog { } } + /** + * {@inheritDoc} + */ + @Override + protected void updateKerberosDescriptorArtifact(ArtifactDAO artifactDAO, ArtifactEntity artifactEntity) throws AmbariException { + if (artifactEntity != null) { + Map<String, Object> data = artifactEntity.getArtifactData(); + + if (data != null) { + final KerberosDescriptor kerberosDescriptor = new KerberosDescriptorFactory().createInstance(data); + + if (kerberosDescriptor != null) { + KerberosServiceDescriptor logSearchKerberosDescriptor = kerberosDescriptor.getService("LOGSEARCH"); + KerberosServiceDescriptor atlasKerberosDescriptor = kerberosDescriptor.getService("ATLAS"); + KerberosServiceDescriptor rangerKerberosDescriptor = kerberosDescriptor.getService("RANGER"); + addInfrSolrDescriptor(artifactDAO, artifactEntity, kerberosDescriptor, atlasKerberosDescriptor, "ATLAS_SERVER"); + addInfrSolrDescriptor(artifactDAO, artifactEntity, kerberosDescriptor, logSearchKerberosDescriptor, "LOGSEARCH_SERVER"); + addInfrSolrDescriptor(artifactDAO, artifactEntity, kerberosDescriptor, rangerKerberosDescriptor, "RANGER_ADMIN"); + KerberosServiceDescriptor stormKerberosDescriptor = kerberosDescriptor.getService("STORM"); + if (stormKerberosDescriptor != null) { + KerberosComponentDescriptor componentDescriptor = stormKerberosDescriptor.getComponent("NIMBUS"); + if (componentDescriptor != null) { + KerberosIdentityDescriptor origIdentityDescriptor = componentDescriptor.getIdentity("/STORM/NIMBUS/nimbus_server"); + if (origIdentityDescriptor != null) { + KerberosPrincipalDescriptor origPrincipalDescriptor = origIdentityDescriptor.getPrincipalDescriptor(); + KerberosPrincipalDescriptor newPrincipalDescriptor = new KerberosPrincipalDescriptor( + null, + null, + (origPrincipalDescriptor == null) ? 
+ "ranger-storm-audit/xasecure.audit.jaas.Client.option.principal" : origPrincipalDescriptor.getConfiguration(), + null + ); + KerberosKeytabDescriptor origKeytabDescriptor = origIdentityDescriptor.getKeytabDescriptor(); + KerberosKeytabDescriptor newKeytabDescriptor = new KerberosKeytabDescriptor( + null, + null, + null, + null, + null, + (origKeytabDescriptor == null) ? + "ranger-storm-audit/xasecure.audit.jaas.Client.option.keyTab" : origKeytabDescriptor.getConfiguration(), + false); + componentDescriptor.removeIdentity("/STORM/NIMBUS/nimbus_server"); + componentDescriptor.putIdentity(new KerberosIdentityDescriptor("/STORM/storm_components", null, newPrincipalDescriptor, newKeytabDescriptor, null)); + + artifactEntity.setArtifactData(kerberosDescriptor.toMap()); + artifactDAO.merge(artifactEntity); + } + } + } + } + } + } + } + + /** + * Add /AMBARI-INFRA/INFRA_SOLR/infra-solr reference to specific service component + */ + private void addInfrSolrDescriptor(ArtifactDAO artifactDAO, ArtifactEntity artifactEntity, KerberosDescriptor kerberosDescriptor, + KerberosServiceDescriptor serviceDescriptor, String componentName) { + if (serviceDescriptor != null) { + KerberosComponentDescriptor componentDescriptor = serviceDescriptor.getComponent(componentName); + if (componentDescriptor != null) { + KerberosIdentityDescriptor origIdentityDescriptor = componentDescriptor.getIdentity("/AMBARI_INFRA/INFRA_SOLR/infra-solr"); + if (origIdentityDescriptor != null) { + LOG.info("/AMBARI_INFRA/INFRA_SOLR/infra-solr identity already exists in {} component", componentName); + } else { + Predicate predicate = ContainsPredicate.fromMap(Collections.<String, Object>singletonMap(ContainsPredicate.NAME, Arrays.asList("services", "AMBARI_INFRA"))); + componentDescriptor.putIdentity(new KerberosIdentityDescriptor("/AMBARI_INFRA/INFRA_SOLR/infra-solr",null, null, null, predicate)); + artifactEntity.setArtifactData(kerberosDescriptor.toMap()); + artifactDAO.merge(artifactEntity); + } + } + } 
+ } + protected void updateTablesForZeppelinViewRemoval() throws SQLException { dbAccessor.executeQuery("DELETE from viewinstance WHERE view_name='ZEPPELIN{1.0.0}'", true); dbAccessor.executeQuery("DELETE from viewmain WHERE view_name='ZEPPELIN{1.0.0}'", true); @@ -1068,4 +1156,7 @@ public class UpgradeCatalog250 extends AbstractUpgradeCatalog { updateConfigurationPropertiesForCluster(cluster, configType, updateProperty, true, false); } } + + + } http://git-wip-us.apache.org/repos/asf/ambari/blob/a8d1efc7/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/kerberos.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/kerberos.json b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/kerberos.json index 0c25c95..4fe4d32 100644 --- a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/kerberos.json +++ b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/kerberos.json @@ -50,7 +50,10 @@ } }, { - "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr" + "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr", + "when" : { + "contains" : ["services", "AMBARI_INFRA"] + } } ] } http://git-wip-us.apache.org/repos/asf/ambari/blob/a8d1efc7/ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json b/ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json index d024146..e136bcf 100644 --- a/ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json +++ b/ambari-server/src/main/resources/common-services/ATLAS/0.7.0.2.5/kerberos.json 
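Review bot: In updateKerberosDescriptorArtifact (UpgradeCatalog250.java), the Storm branch rebuilds the NIMBUS Ranger-audit identity from only the `configuration` values of the original principal and keytab, so any other attribute an operator stored on `/STORM/NIMBUS/nimbus_server` in the cluster's descriptor artifact would be dropped, and nothing is logged when the swap happens. Because this changes which Kerberos identity the Ranger Storm audit client authenticates as, the upgrade log should record it, for example `LOG.info("Replacing /STORM/NIMBUS/nimbus_server reference with /STORM/storm_components in NIMBUS component");` just before `removeIdentity`. The Javadoc on addInfrSolrDescriptor names `/AMBARI-INFRA/INFRA_SOLR/infra-solr` while the code uses `/AMBARI_INFRA/INFRA_SOLR/infra-solr`, and the method name is missing the `a` of Infra. Each helper call and the Storm branch also issue their own `artifactDAO.merge`, so one upgrade can write the same entity up to four times; collecting the changes and merging once at the end would avoid the intermediate writes.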
@@ -89,7 +89,10 @@ "name": "/KAFKA/KAFKA_BROKER/kafka_broker" }, { - "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr" + "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr", + "when" : { + "contains" : ["services", "AMBARI_INFRA"] + } } ] } http://git-wip-us.apache.org/repos/asf/ambari/blob/a8d1efc7/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json index 60c8afb..9e0f12d 100644 --- a/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json +++ b/ambari-server/src/main/resources/common-services/LOGSEARCH/0.5.0/kerberos.json @@ -32,7 +32,10 @@ } }, { - "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr" + "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr", + "when" : { + "contains" : ["services", "AMBARI_INFRA"] + } } ] }, http://git-wip-us.apache.org/repos/asf/ambari/blob/a8d1efc7/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json b/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json index c5b3201..1fc8acf 100644 --- a/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json +++ b/ambari-server/src/main/resources/common-services/RANGER/0.6.0/kerberos.json @@ -74,7 +74,10 @@ } }, { - "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr" + "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr", + "when" : { + "contains" : ["services", "AMBARI_INFRA"] + } } ] }, http://git-wip-us.apache.org/repos/asf/ambari/blob/a8d1efc7/ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json ---------------------------------------------------------------------- 
diff --git a/ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json b/ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json index fecef7c..fa2f6db 100644 --- a/ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json +++ b/ambari-server/src/main/resources/common-services/STORM/1.0.1/kerberos.json @@ -106,7 +106,7 @@ } }, { - "name": "/STORM/NIMBUS/nimbus_server", + "name": "/STORM/storm_components", "principal": { "configuration": "ranger-storm-audit/xasecure.audit.jaas.Client.option.principal" }, http://git-wip-us.apache.org/repos/asf/ambari/blob/a8d1efc7/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java index 274d7eb..39d8785 100644 --- a/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java +++ b/ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog250Test.java @@ -32,7 +32,9 @@ import static org.easymock.EasyMock.reset; import static org.easymock.EasyMock.verify; import static org.junit.Assert.assertTrue; +import java.io.File; import java.lang.reflect.Method; +import java.net.URL; import java.sql.Connection; import java.sql.ResultSet; import java.sql.SQLException; 
@@ -54,10 +56,12 @@ import org.apache.ambari.server.controller.KerberosHelper; import org.apache.ambari.server.controller.MaintenanceStateHelper; import org.apache.ambari.server.orm.DBAccessor; import org.apache.ambari.server.orm.dao.AlertDefinitionDAO; +import org.apache.ambari.server.orm.dao.ArtifactDAO; import org.apache.ambari.server.orm.dao.PermissionDAO; import org.apache.ambari.server.orm.dao.ResourceTypeDAO; import org.apache.ambari.server.orm.dao.RoleAuthorizationDAO; import org.apache.ambari.server.orm.entities.AlertDefinitionEntity; +import org.apache.ambari.server.orm.entities.ArtifactEntity; import org.apache.ambari.server.orm.entities.PermissionEntity; import org.apache.ambari.server.orm.entities.ResourceTypeEntity; import org.apache.ambari.server.orm.entities.RoleAuthorizationEntity; @@ -65,6 +69,9 @@ import org.apache.ambari.server.state.Cluster; import org.apache.ambari.server.state.Clusters; import org.apache.ambari.server.state.Config; import org.apache.ambari.server.state.Service; +import org.apache.ambari.server.state.kerberos.KerberosDescriptor; +import org.apache.ambari.server.state.kerberos.KerberosDescriptorFactory; +import org.apache.ambari.server.state.kerberos.KerberosServiceDescriptor; import org.apache.ambari.server.state.stack.OsFamily; import org.easymock.Capture; import org.easymock.CaptureType; @@ -368,6 +375,7 @@ public class UpgradeCatalog250Test { Method updateYarnSite = UpgradeCatalog250.class.getDeclaredMethod("updateYarnSite"); Method updateAlerts = UpgradeCatalog250.class.getDeclaredMethod("updateStormAlerts"); Method removeAlertDuplicates = UpgradeCatalog250.class.getDeclaredMethod("removeAlertDuplicates"); + Method updateKerberosDescriptorArtifacts = AbstractUpgradeCatalog.class.getDeclaredMethod("updateKerberosDescriptorArtifacts"); UpgradeCatalog250 upgradeCatalog250 = createMockBuilder(UpgradeCatalog250.class) .addMockedMethod(updateAmsConfigs) 
@@ -387,6 +395,7 @@ public class UpgradeCatalog250Test { .addMockedMethod(updateYarnSite) .addMockedMethod(updateAlerts) .addMockedMethod(removeAlertDuplicates) + .addMockedMethod(updateKerberosDescriptorArtifacts) .createMock(); upgradeCatalog250.updateAMSConfigs(); @@ -440,6 +449,9 @@ public class UpgradeCatalog250Test { upgradeCatalog250.removeAlertDuplicates(); expectLastCall().once(); + upgradeCatalog250.updateKerberosDescriptorArtifacts(); + expectLastCall().once(); + replay(upgradeCatalog250); upgradeCatalog250.executeDMLUpdates(); 
@@ -1589,6 +1601,73 @@ public class UpgradeCatalog250Test { } @Test + public void testUpdateKerberosDescriptorArtifact() throws Exception { + final KerberosDescriptorFactory kerberosDescriptorFactory = new KerberosDescriptorFactory(); + + KerberosServiceDescriptor serviceDescriptor; + + URL systemResourceURL = ClassLoader.getSystemResource("kerberos/test_kerberos_descriptor_2_5_infra_solr.json"); + Assert.assertNotNull(systemResourceURL); + + final KerberosDescriptor kerberosDescriptorOrig = kerberosDescriptorFactory.createInstance(new File(systemResourceURL.getFile())); + + serviceDescriptor = kerberosDescriptorOrig.getService("LOGSEARCH"); + Assert.assertNotNull(serviceDescriptor); + Assert.assertNotNull(serviceDescriptor.getComponent("LOGSEARCH_SERVER")); + Assert.assertNotNull(serviceDescriptor.getComponent("LOGSEARCH_SERVER").getIdentity("logsearch")); + Assert.assertNotNull(serviceDescriptor.getComponent("LOGSEARCH_SERVER").getIdentity("/AMBARI_INFRA/INFRA_SOLR/infra-solr")); + + serviceDescriptor = kerberosDescriptorOrig.getService("ATLAS"); + Assert.assertNotNull(serviceDescriptor); + Assert.assertNotNull(serviceDescriptor.getComponent("ATLAS_SERVER")); + + serviceDescriptor = kerberosDescriptorOrig.getService("RANGER"); + Assert.assertNotNull(serviceDescriptor); + Assert.assertNotNull(serviceDescriptor.getComponent("RANGER_ADMIN")); + + serviceDescriptor = kerberosDescriptorOrig.getService("STORM"); + Assert.assertNotNull(serviceDescriptor); + Assert.assertNotNull(serviceDescriptor.getComponent("NIMBUS")); + + UpgradeCatalog250 upgradeMock = createMockBuilder(UpgradeCatalog250.class).createMock(); + + + ArtifactEntity artifactEntity = createNiceMock(ArtifactEntity.class); + expect(artifactEntity.getArtifactData()) + .andReturn(kerberosDescriptorOrig.toMap()) + .once(); + + Capture<Map<String, Object>> updateData = Capture.newInstance(CaptureType.ALL); + artifactEntity.setArtifactData(capture(updateData)); + expectLastCall().times(3); + + ArtifactDAO 
artifactDAO = createNiceMock(ArtifactDAO.class); + expect(artifactDAO.merge(anyObject(ArtifactEntity.class))).andReturn(artifactEntity).times(3); + + replay(artifactEntity, artifactDAO, upgradeMock); + upgradeMock.updateKerberosDescriptorArtifact(artifactDAO, artifactEntity); + verify(artifactEntity, artifactDAO, upgradeMock); + + KerberosDescriptor atlasKerberosDescriptorUpdated = new KerberosDescriptorFactory().createInstance(updateData.getValues().get(0)); + KerberosDescriptor rangerKerberosDescriptorUpdated = new KerberosDescriptorFactory().createInstance(updateData.getValues().get(1)); + KerberosDescriptor stormKerberosDescriptorUpdated = new KerberosDescriptorFactory().createInstance(updateData.getValues().get(2)); + + Assert.assertNotNull(atlasKerberosDescriptorUpdated.getIdentity("spnego")); + Assert.assertNotNull(atlasKerberosDescriptorUpdated.getService("LOGSEARCH")); + Assert.assertNotNull(atlasKerberosDescriptorUpdated.getService("LOGSEARCH").getComponent("LOGSEARCH_SERVER")); + Assert.assertNotNull(atlasKerberosDescriptorUpdated.getService("LOGSEARCH").getComponent("LOGSEARCH_SERVER").getIdentity("/AMBARI_INFRA/INFRA_SOLR/infra-solr")); + Assert.assertNotNull(atlasKerberosDescriptorUpdated.getService("ATLAS")); + Assert.assertNotNull(atlasKerberosDescriptorUpdated.getService("ATLAS").getComponent("ATLAS_SERVER")); + Assert.assertNotNull(atlasKerberosDescriptorUpdated.getService("ATLAS").getComponent("ATLAS_SERVER").getIdentity("/AMBARI_INFRA/INFRA_SOLR/infra-solr")); + Assert.assertNotNull(rangerKerberosDescriptorUpdated.getService("RANGER")); + Assert.assertNotNull(rangerKerberosDescriptorUpdated.getService("RANGER").getComponent("RANGER_ADMIN")); + Assert.assertNotNull(rangerKerberosDescriptorUpdated.getService("RANGER").getComponent("RANGER_ADMIN").getIdentity("/AMBARI_INFRA/INFRA_SOLR/infra-solr")); + Assert.assertNotNull(stormKerberosDescriptorUpdated.getService("STORM")); + 
Assert.assertNotNull(stormKerberosDescriptorUpdated.getService("STORM").getComponent("NIMBUS")); + Assert.assertNotNull(stormKerberosDescriptorUpdated.getService("STORM").getComponent("NIMBUS").getIdentity("/STORM/storm_components")); + } + + @Test public void testCreateRoleAuthorizations() throws AmbariException, SQLException { EasyMockSupport easyMockSupport = new EasyMockSupport(); http://git-wip-us.apache.org/repos/asf/ambari/blob/a8d1efc7/ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_2_5_infra_solr.json ---------------------------------------------------------------------- diff --git a/ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_2_5_infra_solr.json b/ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_2_5_infra_solr.json new file mode 100644 index 0000000..172ad05 --- /dev/null +++ b/ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_2_5_infra_solr.json 
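Review bot: testUpdateKerberosDescriptorArtifact only checks that `/STORM/storm_components` is present on NIMBUS; it never asserts that the old `/STORM/NIMBUS/nimbus_server` reference is gone or that the new identity kept the `ranger-storm-audit` principal and keytab configuration, which is the behaviour this commit is about. Adding `Assert.assertNull(stormKerberosDescriptorUpdated.getService("STORM").getComponent("NIMBUS").getIdentity("/STORM/NIMBUS/nimbus_server"));` would pin the removal. The captured maps are snapshots of one descriptor mutated in place, so naming `getValues().get(0)` as `atlasKerberosDescriptorUpdated` depends on the call order in the production method and on LOGSEARCH already carrying the infra-solr reference in the fixture; a short comment above the three `createInstance` lines should say so. `new File(systemResourceURL.getFile())` does not decode URL escapes and can fail when the checkout path contains spaces; `new File(systemResourceURL.toURI())` avoids that.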
@@ -0,0 +1,217 @@ +{ + "properties": { + "realm": "${kerberos-env/realm}", + "keytab_dir": "/etc/security/keytabs" + }, + "identities": [ + { + "name": "spnego", + "principal": { + "value": "HTTP/_HOST@${realm}", + "type": "service" + }, + "keytab": { + "file": "${keytab_dir}/spnego.service.keytab", + "owner": { + "name": "root", + "access": "r" + }, + "group": { + "name": "${cluster-env/user_group}", + "access": "r" + } + } + } + ], + "services": [ + { + "name": "ATLAS", + "identities": [ + { + "name": "/spnego" + } + ], + "components": [ + { + "name": "ATLAS_SERVER", + "identities": [ + { + "name": "atlas", + "principal": { + "value": "atlas/_HOST@${realm}", + "type" : "service", + "configuration": "application-properties/atlas.jaas.KafkaClient.option.principal", + "local_username" : "${atlas-env/metadata_user}" + }, + "keytab": { + "file": "${keytab_dir}/atlas.service.keytab", + "owner": { + "name": "${atlas-env/metadata_user}", + "access": "r" + }, + "group": { + "name": "${cluster-env/user_group}", + "access": "" + }, + "configuration": "application-properties/atlas.jaas.KafkaClient.option.keyTab" + } + }, + { + "name": "ranger_atlas_audit", + "reference": "/ATLAS/ATLAS_SERVER/atlas", + "principal": { + "configuration": "ranger-atlas-audit/xasecure.audit.jaas.Client.option.principal" + }, + "keytab": { + "configuration": "ranger-atlas-audit/xasecure.audit.jaas.Client.option.keyTab" + } + } + ] + } + ] + }, + { + "name": "LOGSEARCH", + "identities": [ + { + "name": "/spnego" + } + ], + "components": [ + { + "name": "LOGSEARCH_SERVER", + "identities": [ + { + "name": "logsearch", + "principal": { + "value": "logsearch/_HOST@${realm}", + "type": "service", + "configuration": "logsearch-env/logsearch_kerberos_principal" + }, + "keytab": { + "file": "${keytab_dir}/logsearch.service.keytab", + "owner": { + "name": "${logsearch-env/logsearch_user}", + "access": "r" + }, + "group": { + "name": "${cluster-env/user_group}", + "access": "" + }, + "configuration": 
"logsearch-env/logsearch_kerberos_keytab" + } + }, + { + "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr", + "when" : { + "contains" : ["services", "AMBARI_INFRA"] + } + } + ] + } + ] + }, + { + "name": "RANGER", + "identities": [ + { + "name": "/spnego" + } + ], + "components": [ + { + "name": "RANGER_ADMIN", + "identities": [ + { + "name": "rangeradmin", + "principal": { + "value": "rangeradmin/_HOST@${realm}", + "type" : "service", + "configuration": "ranger-admin-site/ranger.admin.kerberos.principal", + "local_username" : "${ranger-env/ranger_user}" + }, + "keytab": { + "file": "${keytab_dir}/rangeradmin.service.keytab", + "owner": { + "name": "${ranger-env/ranger_user}", + "access": "r" + }, + "configuration": "ranger-admin-site/ranger.admin.kerberos.keytab" + } + }, + { + "name": "/spnego", + "keytab": { + "configuration": "ranger-admin-site/ranger.spnego.kerberos.keytab" + } + } + ] + } + ] + }, + { + "name": "STORM", + "identities": [ + { + "name": "/spnego" + }, + { + "name": "storm_components", + "principal": { + "value": "${storm-env/storm_user}${principal_suffix}@${realm}", + "type": "user", + "configuration": "storm-env/storm_principal_name" + }, + "keytab": { + "file": "${keytab_dir}/storm.headless.keytab", + "owner": { + "name": "${storm-env/storm_user}", + "access": "r" + }, + "group": { + "name": "${cluster-env/user_group}", + "access": "" + }, + "configuration": "storm-env/storm_keytab" + } + } + ], + "components": [ + { + "name": "NIMBUS", + "identities": [ + { + "name": "nimbus_server", + "principal": { + "value": "nimbus/_HOST@${realm}", + "type": "service", + "configuration": "storm-env/nimbus_principal_name" + }, + "keytab": { + "file": "${keytab_dir}/nimbus.service.keytab", + "owner": { + "name": "${storm-env/storm_user}", + "access": "r" + }, + "group": { + "name": "${cluster-env/user_group}", + "access": "" + }, + "configuration": "storm-env/nimbus_keytab" + } + }, + { + "name": "/STORM/NIMBUS/nimbus_server", + "principal": { + 
"configuration": "ranger-storm-audit/xasecure.audit.jaas.Client.option.principal" + }, + "keytab": { + "configuration": "ranger-storm-audit/xasecure.audit.jaas.Client.option.keyTab" + } + } + ] + } + ] + } + ] +} \ No newline at end of file