http://git-wip-us.apache.org/repos/asf/ambari/blob/3dc51b0c/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/configuration/usersync-log4j.xml
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/configuration/usersync-log4j.xml b/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/configuration/usersync-log4j.xml
new file mode 100644
index 0000000..b5f2a7a
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/configuration/usersync-log4j.xml
@@ -0,0 +1,89 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration supports_adding_forbidden="false">
+ <property>
+ <name>ranger_usersync_log_maxfilesize</name>
+ <value>256</value>
+ <description>The maximum size of backup file before the log is rotated</description>
+ <display-name>Ranger usersync Log: backup file size</display-name>
+ <value-attributes>
+ <unit>MB</unit>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>ranger_usersync_log_maxbackupindex</name>
+ <value>20</value>
+ <description>The number of backup files</description>
+ <display-name>Ranger usersync Log: # of backup files</display-name>
+ <value-attributes>
+ <type>int</type>
+ <minimum>0</minimum>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+ <property>
+ <name>content</name>
+ <display-name>usersync-log4j template</display-name>
+ <description>usersync-log4j.properties</description>
+ <value>
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+log4j.rootLogger = info,logFile
+
+# logFile
+log4j.appender.logFile=org.apache.log4j.DailyRollingFileAppender
+log4j.appender.logFile.file=${logdir}/usersync.log
+log4j.appender.logFile.datePattern='.'yyyy-MM-dd
+log4j.appender.logFile.layout=org.apache.log4j.PatternLayout
+log4j.appender.logFile.layout.ConversionPattern=%d{dd MMM yyyy HH:mm:ss} %5p %c{1} [%t] - %m%n
+log4j.appender.logFile.MaxFileSize = {{ranger_usersync_log_maxfilesize}}MB
+log4j.appender.logFile.MaxBackupIndex = {{ranger_usersync_log_maxbackupindex}}
+
+# console
+log4j.appender.console=org.apache.log4j.ConsoleAppender
+log4j.appender.console.Target=System.out
+log4j.appender.console.layout=org.apache.log4j.PatternLayout
+log4j.appender.console.layout.ConversionPattern=%d{dd MMM yyyy HH:mm:ss} %5p %c{1} [%t] - %m%n
+ </value>
+ <value-attributes>
+ <type>content</type>
+ <show-property-name>false</show-property-name>
+ </value-attributes>
+ <on-ambari-upgrade add="false"/>
+ </property>
+</configuration>
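Review bot: The two size limits in the `content` template have no effect with the appender that is configured: in log4j 1.x `org.apache.log4j.DailyRollingFileAppender` has no `MaxFileSize` or `MaxBackupIndex` property, so the values of `ranger_usersync_log_maxfilesize` and `ranger_usersync_log_maxbackupindex` are ignored and usersync.log rolls by date only, with no cap on the size or number of files. Unbounded growth can fill the log volume, which on a shared volume would also affect the other Ranger logs. Either switch the appender to `org.apache.log4j.RollingFileAppender` and drop `datePattern`, or remove the two properties so the UI does not advertise a limit that is not enforced. `ranger_usersync_log_maxfilesize` also lacks the `<type>int</type>` and `<minimum>` attributes that `ranger_usersync_log_maxbackupindex` declares.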
http://git-wip-us.apache.org/repos/asf/ambari/blob/3dc51b0c/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/kerberos.json
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/kerberos.json b/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/kerberos.json
new file mode 100644
index 0000000..1fc8acf
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/kerberos.json
@@ -0,0 +1,153 @@
+{
+ "services": [
+ {
+ "name": "RANGER",
+ "identities": [
+ {
+ "name": "/spnego"
+ },
+ {
+ "name": "/smokeuser"
+ }
+ ],
+ "configurations": [
+ {
+ "ranger-admin-site": {
+ "xasecure.audit.jaas.Client.loginModuleName": "com.sun.security.auth.module.Krb5LoginModule",
+ "xasecure.audit.jaas.Client.loginModuleControlFlag": "required",
+ "xasecure.audit.jaas.Client.option.useKeyTab": "true",
+ "xasecure.audit.jaas.Client.option.storeKey": "false",
+ "xasecure.audit.jaas.Client.option.serviceName": "solr"
+ }
+ }
+ ],
+ "components": [
+ {
+ "name": "RANGER_ADMIN",
+ "identities": [
+ {
+ "name": "rangeradmin",
+ "principal": {
+ "value": "rangeradmin/_HOST@${realm}",
+ "type" : "service",
+ "configuration": "ranger-admin-site/ranger.admin.kerberos.principal",
+ "local_username" : "${ranger-env/ranger_user}"
+ },
+ "keytab": {
+ "file": "${keytab_dir}/rangeradmin.service.keytab",
+ "owner": {
+ "name": "${ranger-env/ranger_user}",
+ "access": "r"
+ },
+ "configuration": "ranger-admin-site/ranger.admin.kerberos.keytab"
+ }
+ },
+ {
+ "name": "rangerlookup",
+ "principal": {
+ "value": "rangerlookup/_HOST@${realm}",
+ "configuration": "ranger-admin-site/ranger.lookup.kerberos.principal",
+ "type" : "service"
+ },
+ "keytab": {
+ "file": "${keytab_dir}/rangerlookup.service.keytab",
+ "owner": {
+ "name": "${ranger-env/ranger_user}",
+ "access": "r"
+ },
+ "configuration": "ranger-admin-site/ranger.lookup.kerberos.keytab"
+ }
+ },
+ {
+ "name": "/spnego",
+ "keytab": {
+ "configuration": "ranger-admin-site/ranger.spnego.kerberos.keytab"
+ }
+ },
+ {
+ "name": "/RANGER/RANGER_ADMIN/rangeradmin",
+ "principal": {
+ "configuration": "ranger-admin-site/xasecure.audit.jaas.Client.option.principal"
+ },
+ "keytab": {
+ "configuration": "ranger-admin-site/xasecure.audit.jaas.Client.option.keyTab"
+ }
+ },
+ {
+ "name": "/AMBARI_INFRA/INFRA_SOLR/infra-solr",
+ "when" : {
+ "contains" : ["services", "AMBARI_INFRA"]
+ }
+ }
+ ]
+ },
+ {
+ "name": "RANGER_USERSYNC",
+ "identities": [
+ {
+ "name": "rangerusersync",
+ "principal": {
+ "value": "rangerusersync/_HOST@${realm}",
+ "type" : "service",
+ "configuration" : "ranger-ugsync-site/ranger.usersync.kerberos.principal",
+ "local_username" : "rangerusersync"
+ },
+ "keytab": {
+ "file": "${keytab_dir}/rangerusersync.service.keytab",
+ "owner": {
+ "name": "${ranger-env/ranger_user}",
+ "access": "r"
+ },
+ "configuration": "ranger-ugsync-site/ranger.usersync.kerberos.keytab"
+ }
+ }
+ ]
+ },
+ {
+ "name": "RANGER_TAGSYNC",
+ "identities": [
+ {
+ "name": "rangertagsync",
+ "principal": {
+ "value": "rangertagsync/_HOST@${realm}",
+ "type" : "service",
+ "configuration": "ranger-tagsync-site/ranger.tagsync.kerberos.principal",
+ "local_username" : "rangertagsync"
+ },
+ "keytab": {
+ "file": "${keytab_dir}/rangertagsync.service.keytab",
+ "owner": {
+ "name": "${ranger-env/ranger_user}",
+ "access": "r"
+ },
+ "configuration": "ranger-tagsync-site/ranger.tagsync.kerberos.keytab"
+ }
+ },
+ {
+ "name": "/RANGER/RANGER_TAGSYNC/rangertagsync",
+ "principal": {
+ "configuration": "tagsync-application-properties/atlas.jaas.KafkaClient.option.principal"
+ },
+ "keytab": {
+ "configuration": "tagsync-application-properties/atlas.jaas.KafkaClient.option.keyTab"
+ }
+ }
+ ],
+ "configurations": [
+ {
+ "tagsync-application-properties": {
+ "atlas.jaas.KafkaClient.loginModuleName": "com.sun.security.auth.module.Krb5LoginModule",
+ "atlas.jaas.KafkaClient.loginModuleControlFlag": "required",
+ "atlas.jaas.KafkaClient.option.useKeyTab": "true",
+ "atlas.jaas.KafkaClient.option.storeKey": "true",
+ "atlas.jaas.KafkaClient.option.serviceName": "kafka",
+ "atlas.kafka.sasl.kerberos.service.name": "kafka",
+ "atlas.kafka.security.protocol": "PLAINTEXTSASL"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ambari/blob/3dc51b0c/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/metainfo.xml
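Review bot: `"atlas.kafka.security.protocol": "PLAINTEXTSASL"` in the RANGER_TAGSYNC `configurations` block hard-codes Kerberos authentication over an unencrypted channel, so enabling Kerberos through this descriptor would presumably point tagsync at a non-TLS Kafka listener even on clusters whose brokers offer SASL over TLS. Consider leaving the protocol out of the descriptor or deriving it from the Kafka configuration, and if plaintext is intentional say so in the commit description. Separately, `local_username` is the literal `rangerusersync` and `rangertagsync` for those two principals while their keytabs are owned by `${ranger-env/ranger_user}`, unlike `rangeradmin`, which maps to `${ranger-env/ranger_user}`; if that difference is not deliberate, the mapping and the keytab owner should name the same account.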
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/metainfo.xml b/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/metainfo.xml
new file mode 100644
index 0000000..c452f2e
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/metainfo.xml
@@ -0,0 +1,177 @@
+<?xml version="1.0"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<metainfo>
+ <schemaVersion>2.0</schemaVersion>
+ <services>
+ <service>
+ <name>RANGER</name>
+ <displayName>Ranger</displayName>
+ <comment>Comprehensive security for Hadoop</comment>
+ <version>1.0.0.3.0</version>
+ <components>
+
+ <component>
+ <name>RANGER_ADMIN</name>
+ <displayName>Ranger Admin</displayName>
+ <category>MASTER</category>
+ <cardinality>1+</cardinality>
+ <versionAdvertised>true</versionAdvertised>
+ <dependencies>
+ <dependency>
+ <name>AMBARI_INFRA/INFRA_SOLR_CLIENT</name>
+ <scope>host</scope>
+ <auto-deploy>
+ <enabled>true</enabled>
+ </auto-deploy>
+ </dependency>
+ </dependencies>
+ <commandScript>
+ <script>scripts/ranger_admin.py</script>
+ <scriptType>PYTHON</scriptType>
+ <timeout>600</timeout>
+ </commandScript>
+ <logs>
+ <log>
+ <logId>ranger_admin</logId>
+ <primary>true</primary>
+ </log>
+ <log>
+ <logId>ranger_dbpatch</logId>
+ </log>
+ </logs>
+ </component>
+
+ <component>
+ <name>RANGER_TAGSYNC</name>
+ <displayName>Ranger Tagsync</displayName>
+ <category>SLAVE</category>
+ <cardinality>0-1</cardinality>
+ <versionAdvertised>true</versionAdvertised>
+ <commandScript>
+ <script>scripts/ranger_tagsync.py</script>
+ <scriptType>PYTHON</scriptType>
+ <timeout>600</timeout>
+ </commandScript>
+ <configuration-dependencies>
+ <config-type>ranger-tagsync-site</config-type>
+ <config-type>tagsync-application-properties</config-type>
+ <config-type>ranger-tagsync-policymgr-ssl</config-type>
+ <config-type>atlas-tagsync-ssl</config-type>
+ </configuration-dependencies>
+ </component>
+
+ <component>
+ <name>RANGER_USERSYNC</name>
+ <displayName>Ranger Usersync</displayName>
+ <category>MASTER</category>
+ <cardinality>1</cardinality>
+ <versionAdvertised>true</versionAdvertised>
+ <auto-deploy>
+ <enabled>true</enabled>
+ <co-locate>RANGER/RANGER_ADMIN</co-locate>
+ </auto-deploy>
+ <commandScript>
+ <script>scripts/ranger_usersync.py</script>
+ <scriptType>PYTHON</scriptType>
+ <timeout>600</timeout>
+ </commandScript>
+ <logs>
+ <log>
+ <logId>ranger_usersync</logId>
+ <primary>true</primary>
+ </log>
+ </logs>
+ </component>
+
+ </components>
+ <configuration-dependencies>
+ <config-type>admin-properties</config-type>
+ <config-type>ranger-admin-site</config-type>
+ <config-type>ranger-ugsync-site</config-type>
+ <config-type>admin-log4j</config-type>
+ <config-type>usersync-log4j</config-type>
+ <config-type>ranger-solr-configuration</config-type>
+ </configuration-dependencies>
+
+ <commandScript>
+ <script>scripts/service_check.py</script>
+ <scriptType>PYTHON</scriptType>
+ <timeout>300</timeout>
+ </commandScript>
+
+ <themes>
+ <theme>
+ <fileName>theme_version_1.json</fileName>
+ <default>true</default>
+ </theme>
+ </themes>
+
+ <osSpecifics>
+ <osSpecific>
+ <osFamily>redhat7,amazon2015,redhat6,suse11,suse12</osFamily>
+ <packages>
+ <package>
+ <name>ranger_${stack_version}-admin</name>
+ </package>
+ <package>
+ <name>ranger_${stack_version}-usersync</name>
+ </package>
+ <package>
+ <name>ranger_${stack_version}-tagsync</name>
+ <condition>should_install_ranger_tagsync</condition>
+ </package>
+ <package>
+ <name>ambari-infra-solr-client</name>
+ <condition>should_install_infra_solr_client</condition>
+ </package>
+ </packages>
+ </osSpecific>
+ <osSpecific>
+ <osFamily>debian7,ubuntu12,ubuntu14,ubuntu16</osFamily>
+ <packages>
+ <package>
+ <name>ranger-${stack_version}-admin</name>
+ </package>
+ <package>
+ <name>ranger-${stack_version}-usersync</name>
+ </package>
+ <package>
+ <name>ranger-${stack_version}-tagsync</name>
+ <condition>should_install_ranger_tagsync</condition>
+ </package>
+ <package>
+ <name>ambari-infra-solr-client</name>
+ <condition>should_install_infra_solr_client</condition>
+ </package>
+ </packages>
+ </osSpecific>
+ </osSpecifics>
+
+ <quickLinksConfigurations>
+ <quickLinksConfiguration>
+ <fileName>quicklinks.json</fileName>
+ <default>true</default>
+ </quickLinksConfiguration>
+ </quickLinksConfigurations>
+
+ </service>
+ </services>
+</metainfo>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ambari/blob/3dc51b0c/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/package/alerts/alert_ranger_admin_passwd_check.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/package/alerts/alert_ranger_admin_passwd_check.py b/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/package/alerts/alert_ranger_admin_passwd_check.py
new file mode 100644
index 0000000..8ea8070
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/package/alerts/alert_ranger_admin_passwd_check.py
@@ -0,0 +1,195 @@
+#!/usr/bin/env python
+
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+"""
+
+import base64
+import urllib2
+import ambari_simplejson as json # simplejson is much faster comparing to Python 2.6 json module and has the same functions set.
+import logging
+from resource_management.core.environment import Environment
+from resource_management.libraries.script import Script
+from resource_management.libraries.functions.stack_features import check_stack_feature
+from resource_management.libraries.functions import StackFeature
+
+logger = logging.getLogger()
+RANGER_ADMIN_URL = '{{admin-properties/policymgr_external_url}}'
+ADMIN_USERNAME = '{{ranger-env/admin_username}}'
+ADMIN_PASSWORD = '{{ranger-env/admin_password}}'
+RANGER_ADMIN_USERNAME = '{{ranger-env/ranger_admin_username}}'
+RANGER_ADMIN_PASSWORD = '{{ranger-env/ranger_admin_password}}'
+SECURITY_ENABLED = '{{cluster-env/security_enabled}}'
+
+def get_tokens():
+ """
+ Returns a tuple of tokens in the format {{site/property}} that will be used
+ to build the dictionary passed into execute
+
+ :return tuple
+ """
+ return (RANGER_ADMIN_URL, ADMIN_USERNAME, ADMIN_PASSWORD, RANGER_ADMIN_USERNAME, RANGER_ADMIN_PASSWORD, SECURITY_ENABLED)
+
+
+def execute(configurations={}, parameters={}, host_name=None):
+ """
+ Returns a tuple containing the result code and a pre-formatted result label
+
+ Keyword arguments:
+ configurations (dictionary): a mapping of configuration key to value
+ parameters (dictionary): a mapping of script parameter key to value
+ host_name (string): the name of this host where the alert is running
+ """
+
+ if configurations is None:
+ return (('UNKNOWN', ['There were no configurations supplied to the script.']))
+
+ ranger_link = None
+ ranger_auth_link = None
+ ranger_get_user = None
+ admin_username = None
+ admin_password = None
+ ranger_admin_username = None
+ ranger_admin_password = None
+ security_enabled = False
+
+ stack_version_formatted = Script.get_stack_version()
+ stack_supports_ranger_kerberos = stack_version_formatted and check_stack_feature(StackFeature.RANGER_KERBEROS_SUPPORT, stack_version_formatted)
+
+ if RANGER_ADMIN_URL in configurations:
+ ranger_link = configurations[RANGER_ADMIN_URL]
+ if ranger_link.endswith('/'):
+ ranger_link = ranger_link[:-1]
+ ranger_auth_link = '{0}/{1}'.format(ranger_link, 'service/public/api/repository/count')
+ ranger_get_user = '{0}/{1}'.format(ranger_link, 'service/xusers/users')
+
+ if ADMIN_USERNAME in configurations:
+ admin_username = configurations[ADMIN_USERNAME]
+
+ if ADMIN_PASSWORD in configurations:
+ admin_password = configurations[ADMIN_PASSWORD]
+
+ if RANGER_ADMIN_USERNAME in configurations:
+ ranger_admin_username = configurations[RANGER_ADMIN_USERNAME]
+
+ if RANGER_ADMIN_PASSWORD in configurations:
+ ranger_admin_password = configurations[RANGER_ADMIN_PASSWORD]
+
+ if SECURITY_ENABLED in configurations:
+ security_enabled = str(configurations[SECURITY_ENABLED]).upper() == 'TRUE'
+
+ label = None
+ result_code = 'OK'
+
+ try:
+ if security_enabled and stack_supports_ranger_kerberos:
+ result_code = 'UNKNOWN'
+ label = 'This alert will get skipped for Ranger Admin on kerberos env'
+ else:
+ admin_http_code = check_ranger_login(ranger_auth_link, admin_username, admin_password)
+ if admin_http_code == 200:
+ get_user_code = get_ranger_user(ranger_get_user, admin_username, admin_password, ranger_admin_username)
+ if get_user_code:
+ user_http_code = check_ranger_login(ranger_auth_link, ranger_admin_username, ranger_admin_password)
+ if user_http_code == 200:
+ result_code = 'OK'
+ label = 'Login Successful for users {0} and {1}'.format(admin_username, ranger_admin_username)
+ elif user_http_code == 401:
+ result_code = 'CRITICAL'
+ label = 'User:{0} credentials on Ambari UI are not in sync with Ranger'.format(ranger_admin_username)
+ else:
+ result_code = 'WARNING'
+ label = 'Ranger Admin service is not reachable, please restart the service'
+ else:
+ result_code = 'OK'
+ label = 'Login Successful for user: {0}. User:{1} user not yet synced with Ranger'.format(admin_username, ranger_admin_username)
+ elif admin_http_code == 401:
+ result_code = 'CRITICAL'
+ label = 'User:{0} credentials on Ambari UI are not in sync with Ranger'.format(admin_username)
+ else:
+ result_code = 'WARNING'
+ label = 'Ranger Admin service is not reachable, please restart the service'
+
+ except Exception, e:
+ label = str(e)
+ result_code = 'UNKNOWN'
+ logger.exception(label)
+
+ return ((result_code, [label]))
+
+def check_ranger_login(ranger_auth_link, username, password):
+ """
+ params ranger_auth_link: ranger login url
+ params username: user credentials
+ params password: user credentials
+
+ return response code
+ """
+ try:
+ usernamepassword = '{0}:{1}'.format(username, password)
+ base_64_string = base64.encodestring(usernamepassword).replace('\n', '')
+ request = urllib2.Request(ranger_auth_link)
+ request.add_header("Content-Type", "application/json")
+ request.add_header("Accept", "application/json")
+ request.add_header("Authorization", "Basic {0}".format(base_64_string))
+ result = urllib2.urlopen(request, timeout=20)
+ response_code = result.getcode()
+ if response_code == 200:
+ response = json.loads(result.read())
+ return response_code
+ except urllib2.HTTPError, e:
+ logger.exception("Error during Ranger service authentication. Http status code - {0}. {1}".format(e.code, e.read()))
+ return e.code
+ except urllib2.URLError, e:
+ logger.exception("Error during Ranger service authentication. {0}".format(e.reason))
+ return None
+ except Exception, e:
+ return 401
+
+def get_ranger_user(ranger_get_user, username, password, user):
+ """
+ params ranger_get_user: ranger get user url
+ params username: user credentials
+ params password: user credentials
+ params user: user to be search
+ return Boolean if user exist or not
+ """
+ try:
+ url = '{0}?name={1}'.format(ranger_get_user, user)
+ usernamepassword = '{0}:{1}'.format(username, password)
+ base_64_string = base64.encodestring(usernamepassword).replace('\n', '')
+ request = urllib2.Request(url)
+ request.add_header("Content-Type", "application/json")
+ request.add_header("Accept", "application/json")
+ request.add_header("Authorization", "Basic {0}".format(base_64_string))
+ result = urllib2.urlopen(request, timeout=20)
+ response_code = result.getcode()
+ response = json.loads(result.read())
+ if response_code == 200 and len(response['vXUsers']) > 0:
+ for xuser in response['vXUsers']:
+ if xuser['name'] == user:
+ return True
+ else:
+ return False
+ except urllib2.HTTPError, e:
+ logger.exception("Error getting user from Ranger service. Http status code - {0}. {1}".format(e.code, e.read()))
+ return False
+ except urllib2.URLError, e:
+ logger.exception("Error getting user from Ranger service. {0}".format(e.reason))
+ return False
+ except Exception, e:
+ return False
http://git-wip-us.apache.org/repos/asf/ambari/blob/3dc51b0c/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/package/scripts/params.py
----------------------------------------------------------------------
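Review bot: In `check_ranger_login` the final `except Exception, e: return 401` turns every unexpected failure into an authentication failure, which `execute` then reports as CRITICAL "credentials on Ambari UI are not in sync with Ranger". A 200 response whose body is not JSON (the `json.loads(result.read())` result is never used) or a missing `policymgr_external_url` that leaves `ranger_auth_link` as None would both raise here and be presented as a password mismatch, with nothing logged. Log the exception and return None instead, e.g. `logger.exception("Unexpected error during Ranger service authentication")` followed by `return None`, so the alert takes the WARNING branch rather than pointing operators at the credentials. In `get_ranger_user` the name is formatted into the query string unescaped (`'{0}?name={1}'.format(ranger_get_user, user)`); passing it through `urllib.quote` (which needs `import urllib`) would keep a username containing `&` or `#` from altering the request.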
diff --git a/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/package/scripts/params.py b/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/package/scripts/params.py
new file mode 100644
index 0000000..e121ccb
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/package/scripts/params.py
@@ -0,0 +1,449 @@
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+
+import os
+from resource_management.libraries.script import Script
+from resource_management.libraries.functions.version import format_stack_version
+from resource_management.libraries.functions.format import format
+from resource_management.libraries.functions.default import default
+from resource_management.libraries.functions.is_empty import is_empty
+from resource_management.libraries.functions.constants import Direction
+from resource_management.libraries.functions.stack_features import check_stack_feature
+from resource_management.libraries.functions.stack_features import get_stack_feature_version
+from resource_management.libraries.functions import StackFeature
+from resource_management.libraries.functions.get_bare_principal import get_bare_principal
+
+# a map of the Ambari role to the component name
+# for use with <stack-root>/current/<component>
+SERVER_ROLE_DIRECTORY_MAP = {
+ 'RANGER_ADMIN' : 'ranger-admin',
+ 'RANGER_USERSYNC' : 'ranger-usersync',
+ 'RANGER_TAGSYNC' : 'ranger-tagsync'
+}
+
+component_directory = Script.get_component_from_role(SERVER_ROLE_DIRECTORY_MAP, "RANGER_ADMIN")
+
+config = Script.get_config()
+tmp_dir = Script.get_tmp_dir()
+stack_root = Script.get_stack_root()
+
+stack_name = default("/hostLevelParams/stack_name", None)
+version = default("/commandParams/version", None)
+
+stack_version_unformatted = config['hostLevelParams']['stack_version']
+stack_version_formatted = format_stack_version(stack_version_unformatted)
+
+upgrade_marker_file = format("{tmp_dir}/rangeradmin_ru.inprogress")
+
+xml_configurations_supported = config['configurations']['ranger-env']['xml_configurations_supported']
+
+create_db_dbuser = config['configurations']['ranger-env']['create_db_dbuser']
+
+# get the correct version to use for checking stack features
+version_for_stack_feature_checks = get_stack_feature_version(config)
+
+stack_supports_rolling_upgrade = check_stack_feature(StackFeature.ROLLING_UPGRADE, version_for_stack_feature_checks)
+stack_supports_config_versioning = check_stack_feature(StackFeature.CONFIG_VERSIONING, version_for_stack_feature_checks)
+stack_supports_usersync_non_root = check_stack_feature(StackFeature.RANGER_USERSYNC_NON_ROOT, version_for_stack_feature_checks)
+stack_supports_ranger_tagsync = check_stack_feature(StackFeature.RANGER_TAGSYNC_COMPONENT, version_for_stack_feature_checks)
+stack_supports_ranger_audit_db = check_stack_feature(StackFeature.RANGER_AUDIT_DB_SUPPORT, version_for_stack_feature_checks)
+stack_supports_ranger_log4j = check_stack_feature(StackFeature.RANGER_LOG4J_SUPPORT, version_for_stack_feature_checks)
+stack_supports_ranger_kerberos = check_stack_feature(StackFeature.RANGER_KERBEROS_SUPPORT, version_for_stack_feature_checks)
+stack_supports_usersync_passwd = check_stack_feature(StackFeature.RANGER_USERSYNC_PASSWORD_JCEKS, version_for_stack_feature_checks)
+stack_supports_infra_client = check_stack_feature(StackFeature.RANGER_INSTALL_INFRA_CLIENT, version_for_stack_feature_checks)
+stack_supports_pid = check_stack_feature(StackFeature.RANGER_PID_SUPPORT, version_for_stack_feature_checks)
+stack_supports_ranger_admin_password_change = check_stack_feature(StackFeature.RANGER_ADMIN_PASSWD_CHANGE, version_for_stack_feature_checks)
+stack_supports_ranger_setup_db_on_start = check_stack_feature(StackFeature.RANGER_SETUP_DB_ON_START, version_for_stack_feature_checks)
+stack_supports_ranger_tagsync_ssl_xml_support = check_stack_feature(StackFeature.RANGER_TAGSYNC_SSL_XML_SUPPORT, version_for_stack_feature_checks)
+stack_supports_ranger_solr_configs = check_stack_feature(StackFeature.RANGER_SOLR_CONFIG_SUPPORT, version_for_stack_feature_checks)
+stack_supports_secure_ssl_password = check_stack_feature(StackFeature.SECURE_RANGER_SSL_PASSWORD, version_for_stack_feature_checks)
+
+downgrade_from_version = default("/commandParams/downgrade_from_version", None)
+upgrade_direction = default("/commandParams/upgrade_direction", None)
+
+ranger_conf = '/etc/ranger/admin/conf'
+ranger_ugsync_conf = '/etc/ranger/usersync/conf'
+ranger_tagsync_home = format('{stack_root}/current/ranger-tagsync')
+ranger_tagsync_conf = format('{stack_root}/current/ranger-tagsync/conf')
+tagsync_bin = '/usr/bin/ranger-tagsync'
+tagsync_services_file = format('{stack_root}/current/ranger-tagsync/ranger-tagsync-services.sh')
+security_store_path = '/etc/security/serverKeys'
+tagsync_etc_path = '/etc/ranger/tagsync/'
+ranger_tagsync_credential_file= os.path.join(tagsync_etc_path,'rangercred.jceks')
+atlas_tagsync_credential_file= os.path.join(tagsync_etc_path,'atlascred.jceks')
+ranger_tagsync_keystore_password = config['configurations']['ranger-tagsync-policymgr-ssl']['xasecure.policymgr.clientssl.keystore.password']
+ranger_tagsync_truststore_password = config['configurations']['ranger-tagsync-policymgr-ssl']['xasecure.policymgr.clientssl.truststore.password']
+atlas_tagsync_keystore_password = config['configurations']['atlas-tagsync-ssl']['xasecure.policymgr.clientssl.keystore.password']
+atlas_tagsync_truststore_password = config['configurations']['atlas-tagsync-ssl']['xasecure.policymgr.clientssl.truststore.password']
+
+if upgrade_direction == Direction.DOWNGRADE and version and not check_stack_feature(StackFeature.CONFIG_VERSIONING, version):
+ stack_supports_rolling_upgrade = True
+ stack_supports_config_versioning = False
+
+if upgrade_direction == Direction.DOWNGRADE and version and not check_stack_feature(StackFeature.RANGER_USERSYNC_NON_ROOT, version):
+ stack_supports_usersync_non_root = False
+
+if stack_supports_rolling_upgrade:
+ ranger_home = format('{stack_root}/current/ranger-admin')
+ ranger_conf = '/etc/ranger/admin/conf'
+ ranger_stop = '/usr/bin/ranger-admin-stop'
+ ranger_start = '/usr/bin/ranger-admin-start'
+ usersync_home = format('{stack_root}/current/ranger-usersync')
+ usersync_start = '/usr/bin/ranger-usersync-start'
+ usersync_stop = '/usr/bin/ranger-usersync-stop'
+ ranger_ugsync_conf = '/etc/ranger/usersync/conf'
+
+if stack_supports_config_versioning:
+ ranger_conf = format('{stack_root}/current/ranger-admin/conf')
+ ranger_ugsync_conf = format('{stack_root}/current/ranger-usersync/conf')
+
+if stack_supports_ranger_tagsync:
+ ranger_tagsync_home = format('{stack_root}/current/ranger-tagsync')
+ tagsync_bin = '/usr/bin/ranger-tagsync'
+ ranger_tagsync_conf = format('{stack_root}/current/ranger-tagsync/conf')
+ tagsync_services_file = format('{stack_root}/current/ranger-tagsync/ranger-tagsync-services.sh')
+
+usersync_services_file = format('{stack_root}/current/ranger-usersync/ranger-usersync-services.sh')
+
+java_home = config['hostLevelParams']['java_home']
+unix_user = config['configurations']['ranger-env']['ranger_user']
+unix_group = config['configurations']['ranger-env']['ranger_group']
+ranger_pid_dir = default("/configurations/ranger-env/ranger_pid_dir", "/var/run/ranger")
+usersync_log_dir = default("/configurations/ranger-env/ranger_usersync_log_dir", "/var/log/ranger/usersync")
+admin_log_dir = default("/configurations/ranger-env/ranger_admin_log_dir", "/var/log/ranger/admin")
+ranger_admin_default_file = format('{ranger_conf}/ranger-admin-default-site.xml')
+security_app_context_file = format('{ranger_conf}/security-applicationContext.xml')
+ranger_ugsync_default_file = format('{ranger_ugsync_conf}/ranger-ugsync-default.xml')
+usgsync_log4j_file = format('{ranger_ugsync_conf}/log4j.xml')
+if stack_supports_ranger_log4j:
+ usgsync_log4j_file = format('{ranger_ugsync_conf}/log4j.properties')
+cred_validator_file = format('{usersync_home}/native/credValidator.uexe')
+
+ambari_server_hostname = config['clusterHostInfo']['ambari_server_host'][0]
+
+db_flavor = (config['configurations']['admin-properties']['DB_FLAVOR']).lower()
+usersync_exturl = config['configurations']['admin-properties']['policymgr_external_url']
+if usersync_exturl.endswith('/'):
+ usersync_exturl = usersync_exturl.rstrip('/')
+ranger_host = config['clusterHostInfo']['ranger_admin_hosts'][0]
+ugsync_host = 'localhost'
+usersync_host_info = config['clusterHostInfo']['ranger_usersync_hosts']
+if not is_empty(usersync_host_info) and len(usersync_host_info) > 0:
+ ugsync_host = config['clusterHostInfo']['ranger_usersync_hosts'][0]
+ranger_external_url = config['configurations']['admin-properties']['policymgr_external_url']
+if ranger_external_url.endswith('/'):
+ ranger_external_url = ranger_external_url.rstrip('/')
+ranger_db_name = config['configurations']['admin-properties']['db_name']
+ranger_auditdb_name = default('/configurations/admin-properties/audit_db_name', 'ranger_audits')
+
+sql_command_invoker = config['configurations']['admin-properties']['SQL_COMMAND_INVOKER']
+db_root_user = config['configurations']['admin-properties']['db_root_user']
+db_root_password = unicode(config['configurations']['admin-properties']['db_root_password'])
+db_host = config['configurations']['admin-properties']['db_host']
+ranger_db_user = config['configurations']['admin-properties']['db_user']
+ranger_audit_db_user = default('/configurations/admin-properties/audit_db_user', 'rangerlogger')
+ranger_db_password = unicode(config['configurations']['admin-properties']['db_password'])
+
+#ranger-env properties
+oracle_home = default("/configurations/ranger-env/oracle_home", "-")
+
+#For curl command in ranger to get db connector
+jdk_location = config['hostLevelParams']['jdk_location']
+java_share_dir = '/usr/share/java'
+jdbc_jar_name = None
+previous_jdbc_jar_name = None
+if db_flavor.lower() == 'mysql':
+ jdbc_jar_name = default("/hostLevelParams/custom_mysql_jdbc_name", None)
+ previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_mysql_jdbc_name", None)
+ audit_jdbc_url = format('jdbc:mysql://{db_host}/{ranger_auditdb_name}') if stack_supports_ranger_audit_db else None
+ jdbc_dialect = "org.eclipse.persistence.platform.database.MySQLPlatform"
+elif db_flavor.lower() == 'oracle':
+ jdbc_jar_name = default("/hostLevelParams/custom_oracle_jdbc_name", None)
+ previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_oracle_jdbc_name", None)
+ jdbc_dialect = "org.eclipse.persistence.platform.database.OraclePlatform"
+ colon_count = db_host.count(':')
+ if colon_count == 2 or colon_count == 0:
+ audit_jdbc_url = format('jdbc:oracle:thin:@{db_host}') if stack_supports_ranger_audit_db else None
+ else:
+ audit_jdbc_url = format('jdbc:oracle:thin:@//{db_host}') if stack_supports_ranger_audit_db else None
+elif db_flavor.lower() == 'postgres':
+ jdbc_jar_name = default("/hostLevelParams/custom_postgres_jdbc_name", None)
+ previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_postgres_jdbc_name", None)
+ audit_jdbc_url = format('jdbc:postgresql://{db_host}/{ranger_auditdb_name}') if stack_supports_ranger_audit_db else None
+ jdbc_dialect = "org.eclipse.persistence.platform.database.PostgreSQLPlatform"
+elif db_flavor.lower() == 'mssql':
+ jdbc_jar_name = default("/hostLevelParams/custom_mssql_jdbc_name", None)
+ previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_mssql_jdbc_name", None)
+ audit_jdbc_url = format('jdbc:sqlserver://{db_host};databaseName={ranger_auditdb_name}') if stack_supports_ranger_audit_db else None
+ jdbc_dialect = "org.eclipse.persistence.platform.database.SQLServerPlatform"
+elif db_flavor.lower() == 'sqla':
+ jdbc_jar_name = default("/hostLevelParams/custom_sqlanywhere_jdbc_name", None)
+ previous_jdbc_jar_name = default("/hostLevelParams/previous_custom_sqlanywhere_jdbc_name", None)
+ audit_jdbc_url = format('jdbc:sqlanywhere:database={ranger_auditdb_name};host={db_host}') if stack_supports_ranger_audit_db else None
+ jdbc_dialect = "org.eclipse.persistence.platform.database.SQLAnywherePlatform"
+
+downloaded_custom_connector = format("{tmp_dir}/{jdbc_jar_name}")
+
+driver_curl_source = format("{jdk_location}/{jdbc_jar_name}")
+driver_curl_target = format("{java_share_dir}/{jdbc_jar_name}")
+previous_jdbc_jar = format("{java_share_dir}/{previous_jdbc_jar_name}")
+if stack_supports_config_versioning:
+ driver_curl_target = format("{ranger_home}/ews/lib/{jdbc_jar_name}")
+ previous_jdbc_jar = format("{ranger_home}/ews/lib/{previous_jdbc_jar_name}")
+
+if db_flavor.lower() == 'sqla':
+ downloaded_custom_connector = format("{tmp_dir}/sqla-client-jdbc.tar.gz")
+ jar_path_in_archive = format("{tmp_dir}/sqla-client-jdbc/java/sajdbc4.jar")
+ libs_path_in_archive = format("{tmp_dir}/sqla-client-jdbc/native/lib64/*")
+ jdbc_libs_dir = format("{ranger_home}/native/lib64")
+ ld_lib_path = format("{jdbc_libs_dir}")
+
+#for db connection
+check_db_connection_jar_name = "DBConnectionVerification.jar"
+check_db_connection_jar = format("/usr/lib/ambari-agent/{check_db_connection_jar_name}")
+ranger_jdbc_connection_url = config["configurations"]["ranger-admin-site"]["ranger.jpa.jdbc.url"]
+ranger_jdbc_driver = config["configurations"]["ranger-admin-site"]["ranger.jpa.jdbc.driver"]
+
+ranger_credential_provider_path = config["configurations"]["ranger-admin-site"]["ranger.credential.provider.path"]
+ranger_jpa_jdbc_credential_alias = 
config["configurations"]["ranger-admin-site"]["ranger.jpa.jdbc.credential.alias"] +ranger_ambari_db_password = unicode(config["configurations"]["admin-properties"]["db_password"]) + +ranger_jpa_audit_jdbc_credential_alias = default('/configurations/ranger-admin-site/ranger.jpa.audit.jdbc.credential.alias', 'rangeraudit') +ranger_ambari_audit_db_password = '' +if not is_empty(config["configurations"]["admin-properties"]["audit_db_password"]) and stack_supports_ranger_audit_db: + ranger_ambari_audit_db_password = unicode(config["configurations"]["admin-properties"]["audit_db_password"]) + +ugsync_jceks_path = config["configurations"]["ranger-ugsync-site"]["ranger.usersync.credstore.filename"] +ugsync_cred_lib = os.path.join(usersync_home,"lib","*") +cred_lib_path = os.path.join(ranger_home,"cred","lib","*") +cred_setup_prefix = (format('{ranger_home}/ranger_credential_helper.py'), '-l', cred_lib_path) +ranger_audit_source_type = config["configurations"]["ranger-admin-site"]["ranger.audit.source.type"] + +ranger_usersync_keystore_password = unicode(config["configurations"]["ranger-ugsync-site"]["ranger.usersync.keystore.password"]) +ranger_usersync_ldap_ldapbindpassword = unicode(config["configurations"]["ranger-ugsync-site"]["ranger.usersync.ldap.ldapbindpassword"]) +ranger_usersync_truststore_password = unicode(config["configurations"]["ranger-ugsync-site"]["ranger.usersync.truststore.password"]) +ranger_usersync_keystore_file = config["configurations"]["ranger-ugsync-site"]["ranger.usersync.keystore.file"] +default_dn_name = 'cn=unixauthservice,ou=authenticator,o=mycompany,c=US' + +ranger_admin_hosts = config['clusterHostInfo']['ranger_admin_hosts'] +is_ranger_ha_enabled = True if len(ranger_admin_hosts) > 1 else False +ranger_ug_ldap_url = config["configurations"]["ranger-ugsync-site"]["ranger.usersync.ldap.url"] +ranger_ug_ldap_bind_dn = config["configurations"]["ranger-ugsync-site"]["ranger.usersync.ldap.binddn"] +ranger_ug_ldap_user_searchfilter = 
config["configurations"]["ranger-ugsync-site"]["ranger.usersync.ldap.user.searchfilter"] +ranger_ug_ldap_group_searchbase = config["configurations"]["ranger-ugsync-site"]["ranger.usersync.group.searchbase"] +ranger_ug_ldap_group_searchfilter = config["configurations"]["ranger-ugsync-site"]["ranger.usersync.group.searchfilter"] +ug_sync_source = config["configurations"]["ranger-ugsync-site"]["ranger.usersync.source.impl.class"] +current_host = config['hostname'] +if current_host in ranger_admin_hosts: + ranger_host = current_host + +# ranger-tagsync +ranger_tagsync_hosts = default("/clusterHostInfo/ranger_tagsync_hosts", []) +has_ranger_tagsync = len(ranger_tagsync_hosts) > 0 + +tagsync_log_dir = default("/configurations/ranger-tagsync-site/ranger.tagsync.logdir", "/var/log/ranger/tagsync") +tagsync_jceks_path = config["configurations"]["ranger-tagsync-site"]["ranger.tagsync.keystore.filename"] +atlas_tagsync_jceks_path = config["configurations"]["ranger-tagsync-site"]["ranger.tagsync.source.atlasrest.keystore.filename"] +tagsync_application_properties = dict(config["configurations"]["tagsync-application-properties"]) if has_ranger_tagsync else None +tagsync_pid_file = format('{ranger_pid_dir}/tagsync.pid') +tagsync_cred_lib = os.path.join(ranger_tagsync_home, "lib", "*") + +ranger_usersync_log_maxfilesize = default('/configurations/usersync-log4j/ranger_usersync_log_maxfilesize',256) +ranger_usersync_log_maxbackupindex = default('/configurations/usersync-log4j/ranger_usersync_log_maxbackupindex',20) +ranger_tagsync_log_maxfilesize = default('/configurations/tagsync-log4j/ranger_tagsync_log_maxfilesize',256) +ranger_tagsync_log_number_of_backup_files = default('/configurations/tagsync-log4j/ranger_tagsync_log_number_of_backup_files',20) +ranger_xa_log_maxfilesize = default('/configurations/admin-log4j/ranger_xa_log_maxfilesize',256) +ranger_xa_log_maxbackupindex = default('/configurations/admin-log4j/ranger_xa_log_maxbackupindex',20) + +# ranger log4j.properties 
+admin_log4j = config['configurations']['admin-log4j']['content'] +usersync_log4j = config['configurations']['usersync-log4j']['content'] +tagsync_log4j = config['configurations']['tagsync-log4j']['content'] + +# ranger kerberos +security_enabled = config['configurations']['cluster-env']['security_enabled'] +namenode_hosts = default("/clusterHostInfo/namenode_host", []) +has_namenode = len(namenode_hosts) > 0 + +ugsync_policymgr_alias = config["configurations"]["ranger-ugsync-site"]["ranger.usersync.policymgr.alias"] +ugsync_policymgr_keystore = config["configurations"]["ranger-ugsync-site"]["ranger.usersync.policymgr.keystore"] + +# ranger solr +audit_solr_enabled = default('/configurations/ranger-env/xasecure.audit.destination.solr', False) +ranger_solr_config_set = config['configurations']['ranger-env']['ranger_solr_config_set'] +ranger_solr_collection_name = config['configurations']['ranger-env']['ranger_solr_collection_name'] +ranger_solr_shards = config['configurations']['ranger-env']['ranger_solr_shards'] +replication_factor = config['configurations']['ranger-env']['ranger_solr_replication_factor'] +ranger_solr_conf = format('{ranger_home}/contrib/solr_for_audit_setup/conf') +infra_solr_hosts = default("/clusterHostInfo/infra_solr_hosts", []) +has_infra_solr = len(infra_solr_hosts) > 0 +is_solrCloud_enabled = default('/configurations/ranger-env/is_solrCloud_enabled', False) +is_external_solrCloud_enabled = default('/configurations/ranger-env/is_external_solrCloud_enabled', False) +solr_znode = '/ranger_audits' +if stack_supports_infra_client and is_solrCloud_enabled: + solr_znode = default('/configurations/ranger-admin-site/ranger.audit.solr.zookeepers', 'NONE') + if solr_znode != '' and solr_znode.upper() != 'NONE': + solr_znode = solr_znode.split('/') + if len(solr_znode) > 1 and len(solr_znode) == 2: + solr_znode = solr_znode[1] + solr_znode = format('/{solr_znode}') + if has_infra_solr and not is_external_solrCloud_enabled: + solr_znode = 
config['configurations']['infra-solr-env']['infra_solr_znode'] +solr_user = unix_user +if has_infra_solr and not is_external_solrCloud_enabled: + solr_user = default('/configurations/infra-solr-env/infra_solr_user', unix_user) + infra_solr_role_ranger_admin = default('configurations/infra-solr-security-json/infra_solr_role_ranger_admin', 'ranger_user') + infra_solr_role_ranger_audit = default('configurations/infra-solr-security-json/infra_solr_role_ranger_audit', 'ranger_audit_user') + infra_solr_role_dev = default('configurations/infra-solr-security-json/infra_solr_role_dev', 'dev') +custom_log4j = has_infra_solr and not is_external_solrCloud_enabled + +ranger_audit_max_retention_days = config['configurations']['ranger-solr-configuration']['ranger_audit_max_retention_days'] +ranger_audit_logs_merge_factor = config['configurations']['ranger-solr-configuration']['ranger_audit_logs_merge_factor'] +ranger_solr_config_content = config['configurations']['ranger-solr-configuration']['content'] + +# get comma separated list of zookeeper hosts +zookeeper_port = default('/configurations/zoo.cfg/clientPort', None) +zookeeper_hosts = default("/clusterHostInfo/zookeeper_hosts", []) +index = 0 +zookeeper_quorum = "" +for host in zookeeper_hosts: + zookeeper_quorum += host + ":" + str(zookeeper_port) + index += 1 + if index < len(zookeeper_hosts): + zookeeper_quorum += "," + +# solr kerberised +solr_jaas_file = None +is_external_solrCloud_kerberos = default('/configurations/ranger-env/is_external_solrCloud_kerberos', False) + +if security_enabled: + if has_ranger_tagsync: + ranger_tagsync_principal = config['configurations']['ranger-tagsync-site']['ranger.tagsync.kerberos.principal'] + if not is_empty(ranger_tagsync_principal) and ranger_tagsync_principal != '': + tagsync_jaas_principal = ranger_tagsync_principal.replace('_HOST', current_host.lower()) + tagsync_keytab_path = config['configurations']['ranger-tagsync-site']['ranger.tagsync.kerberos.keytab'] + + if 
stack_supports_ranger_kerberos: + ranger_admin_keytab = config['configurations']['ranger-admin-site']['ranger.admin.kerberos.keytab'] + ranger_admin_principal = config['configurations']['ranger-admin-site']['ranger.admin.kerberos.principal'] + if not is_empty(ranger_admin_principal) and ranger_admin_principal != '': + ranger_admin_jaas_principal = ranger_admin_principal.replace('_HOST', ranger_host.lower()) + if stack_supports_infra_client and is_solrCloud_enabled and is_external_solrCloud_enabled and is_external_solrCloud_kerberos: + solr_jaas_file = format('{ranger_home}/conf/ranger_solr_jaas.conf') + solr_kerberos_principal = ranger_admin_jaas_principal + solr_kerberos_keytab = ranger_admin_keytab + if stack_supports_infra_client and is_solrCloud_enabled and not is_external_solrCloud_enabled and not is_external_solrCloud_kerberos: + solr_jaas_file = format('{ranger_home}/conf/ranger_solr_jaas.conf') + solr_kerberos_principal = ranger_admin_jaas_principal + solr_kerberos_keytab = ranger_admin_keytab + +# logic to create core-site.xml if hdfs not installed +if stack_supports_ranger_kerberos and not has_namenode: + core_site_property = { + 'hadoop.security.authentication': 'kerberos' if security_enabled else 'simple' + } + + if security_enabled: + realm = 'EXAMPLE.COM' + ranger_admin_bare_principal = 'rangeradmin' + ranger_usersync_bare_principal = 'rangerusersync' + ranger_tagsync_bare_principal = 'rangertagsync' + + ranger_usersync_principal = config['configurations']['ranger-ugsync-site']['ranger.usersync.kerberos.principal'] + if not is_empty(ranger_admin_principal) and ranger_admin_principal != '': + ranger_admin_bare_principal = get_bare_principal(ranger_admin_principal) + if not is_empty(ranger_usersync_principal) and ranger_usersync_principal != '': + ranger_usersync_bare_principal = get_bare_principal(ranger_usersync_principal) + realm = config['configurations']['kerberos-env']['realm'] + + rule_dict = [ + {'principal': ranger_admin_bare_principal, 'user': 
unix_user}, + {'principal': ranger_usersync_bare_principal, 'user': 'rangerusersync'}, + ] + + if has_ranger_tagsync: + if not is_empty(ranger_tagsync_principal) and ranger_tagsync_principal != '': + ranger_tagsync_bare_principal = get_bare_principal(ranger_tagsync_principal) + rule_dict.append({'principal': ranger_tagsync_bare_principal, 'user': 'rangertagsync'}) + + core_site_auth_to_local_property = '' + for item in range(len(rule_dict)): + rule_line = 'RULE:[2:$1@$0]({0}@{1})s/.*/{2}/\n'.format(rule_dict[item]['principal'], realm, rule_dict[item]['user']) + core_site_auth_to_local_property = rule_line + core_site_auth_to_local_property + + core_site_auth_to_local_property = core_site_auth_to_local_property + 'DEFAULT' + core_site_property['hadoop.security.auth_to_local'] = core_site_auth_to_local_property + +upgrade_type = Script.get_upgrade_type(default("/commandParams/upgrade_type", "")) + +# ranger service pid +user_group = config['configurations']['cluster-env']['user_group'] +ranger_admin_pid_file = format('{ranger_pid_dir}/rangeradmin.pid') +ranger_usersync_pid_file = format('{ranger_pid_dir}/usersync.pid') + +# admin credential +admin_username = config['configurations']['ranger-env']['admin_username'] +admin_password = config['configurations']['ranger-env']['admin_password'] +default_admin_password = 'admin' + +ranger_is_solr_kerberised = "false" +if audit_solr_enabled and is_solrCloud_enabled: + # Check internal solrCloud + if security_enabled and not is_external_solrCloud_enabled: + ranger_is_solr_kerberised = "true" + # Check external solrCloud + if is_external_solrCloud_enabled and is_external_solrCloud_kerberos: + ranger_is_solr_kerberised = "true" + +hbase_master_hosts = default("/clusterHostInfo/hbase_master_hosts", []) +is_hbase_ha_enabled = True if len(hbase_master_hosts) > 1 else False +is_namenode_ha_enabled = True if len(namenode_hosts) > 1 else False +ranger_hbase_plugin_enabled = False +ranger_hdfs_plugin_enabled = False + + +if 
is_hbase_ha_enabled: + if not is_empty(config['configurations']['ranger-hbase-plugin-properties']['ranger-hbase-plugin-enabled']): + ranger_hbase_plugin_enabled = config['configurations']['ranger-hbase-plugin-properties']['ranger-hbase-plugin-enabled'].lower() == 'yes' +if is_namenode_ha_enabled: + if not is_empty(config['configurations']['ranger-hdfs-plugin-properties']['ranger-hdfs-plugin-enabled']): + ranger_hdfs_plugin_enabled = config['configurations']['ranger-hdfs-plugin-properties']['ranger-hdfs-plugin-enabled'].lower() == 'yes' + +ranger_admin_password_properties = ['ranger.jpa.jdbc.password', 'ranger.jpa.audit.jdbc.password', 'ranger.ldap.bind.password', 'ranger.ldap.ad.bind.password'] +ranger_usersync_password_properties = ['ranger.usersync.ldap.ldapbindpassword'] +ranger_tagsync_password_properties = ['xasecure.policymgr.clientssl.keystore.password', 'xasecure.policymgr.clientssl.truststore.password'] +if stack_supports_secure_ssl_password: + ranger_admin_password_properties.extend(['ranger.service.https.attrib.keystore.pass', 'ranger.truststore.password']) + ranger_usersync_password_properties.extend(['ranger.usersync.keystore.password', 'ranger.usersync.truststore.password']) + +ranger_auth_method = config['configurations']['ranger-admin-site']['ranger.authentication.method'] +ranger_ldap_password_alias = default('/configurations/ranger-admin-site/ranger.ldap.binddn.credential.alias', 'ranger.ldap.bind.password') +ranger_ad_password_alias = default('/configurations/ranger-admin-site/ranger.ldap.ad.binddn.credential.alias', 'ranger.ldap.ad.bind.password') +ranger_https_keystore_alias = default('/configurations/ranger-admin-site/ranger.service.https.attrib.keystore.credential.alias', 'keyStoreCredentialAlias') +ranger_truststore_alias = default('/configurations/ranger-admin-site/ranger.truststore.alias', 'trustStoreAlias') +https_enabled = config['configurations']['ranger-admin-site']['ranger.service.https.attrib.ssl.enabled'] +http_enabled = 
config['configurations']['ranger-admin-site']['ranger.service.http.enabled'] +https_keystore_password = config['configurations']['ranger-admin-site']['ranger.service.https.attrib.keystore.pass'] +truststore_password = config['configurations']['ranger-admin-site']['ranger.truststore.password'] + +# need this to capture cluster name for ranger tagsync +cluster_name = config['clusterName'] +ranger_ldap_bind_auth_password = config['configurations']['ranger-admin-site']['ranger.ldap.bind.password'] +ranger_ad_bind_auth_password = config['configurations']['ranger-admin-site']['ranger.ldap.ad.bind.password'] \ No newline at end of file http://git-wip-us.apache.org/repos/asf/ambari/blob/3dc51b0c/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/package/scripts/ranger_admin.py ---------------------------------------------------------------------- diff --git a/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/package/scripts/ranger_admin.py b/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/package/scripts/ranger_admin.py new file mode 100644 index 0000000..bdf7661 --- /dev/null +++ b/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/package/scripts/ranger_admin.py 
@@ -0,0 +1,210 @@
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+from resource_management.core.exceptions import Fail
+from resource_management.libraries.functions.check_process_status import check_process_status
+from resource_management.libraries.functions import stack_select
+from resource_management.libraries.functions import conf_select
+from resource_management.libraries.functions.constants import Direction
+from resource_management.libraries.script import Script
+from resource_management.core.resources.system import Execute, File
+from resource_management.core.exceptions import ComponentIsNotRunning
+from resource_management.libraries.functions.format import format
+from resource_management.core.logger import Logger
+from resource_management.core import shell
+from ranger_service import ranger_service
+from setup_ranger_xml import setup_ranger_audit_solr, setup_ranger_admin_passwd_change
+from resource_management.libraries.functions import solr_cloud_util
+from ambari_commons.constants import UPGRADE_TYPE_NON_ROLLING, UPGRADE_TYPE_ROLLING
+from resource_management.libraries.functions.constants import Direction
+from setup_ranger_xml import ranger
+import upgrade
+import os, errno
+
+class RangerAdmin(Script):
+
+ def get_component_name(self):
+ return "ranger-admin"
+
+ def install(self, env):
+ self.install_packages(env)
+ import params
+ env.set_params(params)
+ # call config and setup db only in case of stack version < 2.6
+ if not params.stack_supports_ranger_setup_db_on_start:
+ self.configure(env, setup_db=True)
+
+ def stop(self, env, upgrade_type=None):
+ import params
+ env.set_params(params)
+
+ if upgrade_type == UPGRADE_TYPE_NON_ROLLING and params.upgrade_direction == Direction.UPGRADE:
+ if params.stack_supports_rolling_upgrade and not params.stack_supports_config_versioning and os.path.isfile(format('{ranger_home}/ews/stop-ranger-admin.sh')):
+ File(format('{ranger_home}/ews/stop-ranger-admin.sh'),
+ owner=params.unix_user,
+ group = params.unix_group
+ )
+
+ Execute(format('{params.ranger_stop}'), environment={'JAVA_HOME': params.java_home}, user=params.unix_user)
+ if params.stack_supports_pid:
+ File(params.ranger_admin_pid_file,
+ action = "delete"
+ )
+
+ def pre_upgrade_restart(self, env, upgrade_type=None):
+ import params
+ env.set_params(params)
+
+ upgrade.prestart(env, "ranger-admin")
+
+ self.set_ru_rangeradmin_in_progress(params.upgrade_marker_file)
+
+ def post_upgrade_restart(self,env, upgrade_type=None):
+ import params
+ env.set_params(params)
+
+ if os.path.isfile(params.upgrade_marker_file):
+ os.remove(params.upgrade_marker_file)
+
+ def start(self, env, upgrade_type=None):
+ import params
+ env.set_params(params)
+
+ # setup db only if in case stack version is > 2.6
+ self.configure(env, upgrade_type=upgrade_type, setup_db=params.stack_supports_ranger_setup_db_on_start)
+
+ if params.stack_supports_infra_client and params.audit_solr_enabled and params.is_solrCloud_enabled:
+ solr_cloud_util.setup_solr_client(params.config, custom_log4j = params.custom_log4j)
+ setup_ranger_audit_solr()
+
+ ranger_service('ranger_admin')
+
+ def status(self, env):
+ import status_params
+
+ env.set_params(status_params)
+
+ if status_params.stack_supports_pid:
+ check_process_status(status_params.ranger_admin_pid_file)
+ return
+
+ cmd = 'ps -ef | grep proc_rangeradmin | grep -v grep'
+ code, output = shell.call(cmd, timeout=20)
+
+ if code != 0:
+ if self.is_ru_rangeradmin_in_progress(status_params.upgrade_marker_file):
+ Logger.info('Ranger admin process not running - skipping as stack upgrade is in progress')
+ else:
+ Logger.debug('Ranger admin process not running')
+ raise ComponentIsNotRunning()
+ pass
+
+ def configure(self, env, upgrade_type=None, setup_db=False):
+ import params
+ env.set_params(params)
+
+ # set up db if we are not upgrading and setup_db is true
+ if setup_db and upgrade_type is None:
+ from setup_ranger_xml import setup_ranger_db
+ setup_ranger_db()
+
+ ranger('ranger_admin', upgrade_type=upgrade_type)
+
+ # set up java patches if we are not upgrading and setup_db is true
+ if setup_db and upgrade_type is None:
+ from setup_ranger_xml import setup_java_patch
+ setup_java_patch()
+
+ if params.stack_supports_ranger_admin_password_change:
+ setup_ranger_admin_passwd_change()
+
+ def set_ru_rangeradmin_in_progress(self, upgrade_marker_file):
+ config_dir = os.path.dirname(upgrade_marker_file)
+ try:
+ msg = "Starting Upgrade"
+ if (not os.path.exists(config_dir)):
+ os.makedirs(config_dir)
+ ofp = open(upgrade_marker_file, 'w')
+ ofp.write(msg)
+ ofp.close()
+ except OSError as exc:
+ if exc.errno == errno.EEXIST and os.path.isdir(config_dir):
+ pass
+ else:
+ raise
+
+ def is_ru_rangeradmin_in_progress(self, upgrade_marker_file):
+ return os.path.isfile(upgrade_marker_file)
+
+ def setup_ranger_database(self, env):
+ import params
+ env.set_params(params)
+
+ upgrade_stack = stack_select._get_upgrade_stack()
+ if upgrade_stack is None:
+ raise Fail('Unable to determine the stack and stack version')
+
+ stack_version = upgrade_stack[1]
+
+ if params.upgrade_direction == Direction.UPGRADE:
+ Logger.info(format('Setting Ranger database schema, using version {stack_version}'))
+
+ from setup_ranger_xml import setup_ranger_db
+ setup_ranger_db(stack_version=stack_version)
+
+ def setup_ranger_java_patches(self, env):
+ import params
+ env.set_params(params)
+
+ upgrade_stack = stack_select._get_upgrade_stack()
+ if upgrade_stack is None:
+ raise Fail('Unable to determine the stack and stack version')
+
+ stack_version = upgrade_stack[1]
+
+ if params.upgrade_direction == Direction.UPGRADE:
+ Logger.info(format('Applying Ranger java patches, using version {stack_version}'))
+
+ from setup_ranger_xml import setup_java_patch
+ setup_java_patch(stack_version=stack_version)
+
+ def set_pre_start(self, env):
+ import params
+ env.set_params(params)
+
+ upgrade_stack = stack_select._get_upgrade_stack()
+ if upgrade_stack is None:
+ raise Fail('Unable to determine the stack and stack version')
+
+ stack_name = upgrade_stack[0]
+ stack_version = upgrade_stack[1]
+
+ stack_select.select("ranger-admin", stack_version)
+ conf_select.select(stack_name, "ranger-admin", stack_version)
+
+ def get_log_folder(self):
+ import params
+ return params.admin_log_dir
+
+ def get_user(self):
+ import params
+ return params.unix_user
+
+if __name__ == "__main__":
+ RangerAdmin().execute()
http://git-wip-us.apache.org/repos/asf/ambari/blob/3dc51b0c/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/package/scripts/ranger_service.py ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/package/scripts/ranger_service.py b/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/package/scripts/ranger_service.py
new file mode 100644
index 0000000..a0ecfac
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/package/scripts/ranger_service.py
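Review bot: The fallback in `status()` decides liveness with `ps -ef | grep proc_rangeradmin | grep -v grep`, which matches any process on the host whose command line contains that marker, whoever owns it, so an unrelated process can make Ranger Admin look alive. The same pattern backs the `no_op_test` guards in ranger_service.py, where a false match makes `Execute` skip the start, and the `status()` fallback in ranger_usersync.py. The match should at least be restricted to processes owned by the service account, and the pid-file check already used when `stack_supports_pid` is set is the stricter option. Until that is done the line deserves a comment such as `# NOTE: matches any process whose argv contains the marker, regardless of owner; the pid-file check is authoritative when available`.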
@@ -0,0 +1,69 @@
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+
+from resource_management.libraries.functions.format import format
+from resource_management.libraries.functions.show_logs import show_logs
+from resource_management.core.resources.system import Execute
+
+def ranger_service(name, action=None):
+ import params
+
+ env_dict = {'JAVA_HOME': params.java_home}
+ if params.db_flavor.lower() == 'sqla':
+ env_dict = {'JAVA_HOME': params.java_home, 'LD_LIBRARY_PATH': params.ld_lib_path}
+
+ if name == 'ranger_admin':
+ no_op_test = format('ps -ef | grep proc_rangeradmin | grep -v grep')
+ try:
+ Execute(params.ranger_start, environment=env_dict, user=params.unix_user, not_if=no_op_test)
+ except:
+ show_logs(params.admin_log_dir, params.unix_user)
+ raise
+ elif name == 'ranger_usersync':
+ no_op_test = format('ps -ef | grep proc_rangerusersync | grep -v grep')
+ if params.stack_supports_usersync_non_root:
+ try:
+ Execute(params.usersync_start,
+ environment=env_dict,
+ not_if=no_op_test,
+ user=params.unix_user
+ )
+ except:
+ show_logs(params.usersync_log_dir, params.unix_user)
+ raise
+ else:
+ # Usersync requires to be run as root for 2.2
+ Execute((params.usersync_start,),
+ environment={'JAVA_HOME': params.java_home},
+ not_if=no_op_test,
+ sudo=True
+ )
+ elif name == 'ranger_tagsync' and params.stack_supports_ranger_tagsync:
+ no_op_test = format('ps -ef | grep proc_rangertagsync | grep -v grep')
+ cmd = format('{tagsync_services_file} start')
+ try:
+ Execute(cmd,
+ environment=env_dict,
+ user=params.unix_user,
+ not_if=no_op_test
+ )
+ except:
+ show_logs(params.tagsync_log_dir, params.unix_user)
+ raise
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ambari/blob/3dc51b0c/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/package/scripts/ranger_tagsync.py ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/package/scripts/ranger_tagsync.py b/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/package/scripts/ranger_tagsync.py
new file mode 100644
index 0000000..c1e32ba
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/package/scripts/ranger_tagsync.py
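Review bot: `ranger_service()` returns without launching or logging anything when `name` matches none of the three branches, and also when it is 'ranger_tagsync' while `params.stack_supports_ranger_tagsync` is false, so `RangerTagsync.start()` can report success with no process started. The `action` parameter is never read. A final branch would make the failure visible, `else: raise Fail(format("ranger_service: nothing to start for '{name}'"))`, with `from resource_management.core.exceptions import Fail` added to the imports. If the silent no-op on stacks without tagsync support is intended, a comment saying so on the `elif` would do instead.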
@@ -0,0 +1,139 @@
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+from resource_management.libraries.script import Script
+from resource_management.libraries.functions import conf_select
+from resource_management.libraries.functions import stack_select
+from resource_management.core.resources.system import Execute, File
+from resource_management.libraries.functions.check_process_status import check_process_status
+from resource_management.core.exceptions import ComponentIsNotRunning
+from resource_management.libraries.functions.format import format
+from resource_management.core.logger import Logger
+from resource_management.core import shell
+from ranger_service import ranger_service
+from setup_ranger_xml import ranger, ranger_credential_helper
+from resource_management.core.exceptions import Fail
+import upgrade
+
+class RangerTagsync(Script):
+
+ def install(self, env):
+ self.install_packages(env)
+ import params
+ env.set_params(params)
+
+ ranger_credential_helper(params.tagsync_cred_lib, 'tagadmin.user.password', 'rangertagsync', params.tagsync_jceks_path)
+ File(params.tagsync_jceks_path,
+ owner = params.unix_user,
+ group = params.unix_group,
+ mode = 0640
+ )
+ if params.stack_supports_ranger_tagsync_ssl_xml_support:
+ Logger.info("Stack support Atlas user for Tagsync, creating keystore for same.")
+ self.create_atlas_user_keystore(env)
+ else:
+ Logger.info("Stack does not support Atlas user for Tagsync, skipping keystore creation for same.")
+
+ self.configure(env)
+
+ def configure(self, env, upgrade_type=None):
+ import params
+ env.set_params(params)
+ ranger('ranger_tagsync', upgrade_type=upgrade_type)
+
+ def start(self, env, upgrade_type=None):
+ import params
+ env.set_params(params)
+
+ self.configure(env, upgrade_type=upgrade_type)
+ ranger_service('ranger_tagsync')
+
+ def stop(self, env, upgrade_type=None):
+ import params
+ env.set_params(params)
+
+ Execute(format('{tagsync_services_file} stop'), environment={'JAVA_HOME': params.java_home}, user=params.unix_user)
+ File(params.tagsync_pid_file,
+ action = "delete"
+ )
+
+ def status(self, env):
+ import status_params
+ env.set_params(status_params)
+
+ check_process_status(status_params.tagsync_pid_file)
+
+ def pre_upgrade_restart(self, env, upgrade_type=None):
+ import params
+ env.set_params(params)
+
+ if params.stack_supports_ranger_tagsync:
+ Logger.info("Executing Ranger Tagsync Stack Upgrade pre-restart")
+ conf_select.select(params.stack_name, "ranger-tagsync", params.version)
+ stack_select.select("ranger-tagsync", params.version)
+
+ def get_component_name(self):
+ return "ranger-tagsync"
+
+ def get_log_folder(self):
+ import params
+ return params.tagsync_log_dir
+
+ def get_user(self):
+ import params
+ return params.unix_user
+
+ def get_pid_files(self):
+ import status_params
+ return [status_params.tagsync_pid_file]
+
+ def configure_atlas_user_for_tagsync(self, env):
+ Logger.info("Configuring Atlas user for Tagsync service.")
+ import params
+ env.set_params(params)
+
+ upgrade_stack = stack_select._get_upgrade_stack()
+ if upgrade_stack is None:
+ raise Fail('Unable to determine the stack and stack version')
+
+ stack_name = upgrade_stack[0]
+ stack_version = upgrade_stack[1]
+
+ stack_select.select("ranger-tagsync", stack_version)
+ conf_select.select(stack_name, "ranger-tagsync", stack_version)
+ if params.stack_supports_ranger_tagsync_ssl_xml_support:
+ Logger.info("Upgrading Tagsync, stack support Atlas user for Tagsync, creating keystore for same.")
+ self.create_atlas_user_keystore(env)
+ else:
+ Logger.info("Upgrading Tagsync, stack does not support Atlas user for Tagsync, skipping keystore creation for same.")
+
+ Logger.info("Configuring Atlas user for Tagsync service done.")
+
+ def create_atlas_user_keystore(self,env):
+ import params
+ env.set_params(params)
+ ranger_credential_helper(params.tagsync_cred_lib, 'atlas.user.password', 'admin', params.atlas_tagsync_jceks_path)
+ File(params.atlas_tagsync_jceks_path,
+ owner = params.unix_user,
+ group = params.unix_group,
+ mode = 0640
+ )
+
+if __name__ == "__main__":
+ RangerTagsync().execute()
http://git-wip-us.apache.org/repos/asf/ambari/blob/3dc51b0c/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/package/scripts/ranger_usersync.py ----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/package/scripts/ranger_usersync.py b/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/package/scripts/ranger_usersync.py
new file mode 100644
index 0000000..ca84528
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/package/scripts/ranger_usersync.py
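Review bot: `install()` and `create_atlas_user_keystore()` pass the literals 'rangertagsync' and 'admin' to `ranger_credential_helper`, and from the call shape these appear to be the secret values stored under the aliases 'tagadmin.user.password' and 'atlas.user.password' (the helper is defined outside this diff). If so, every cluster installed from this script starts with the same well-known credentials in its keystores. The values should come from a password-type configuration property rather than the script, and until then each call deserves a comment such as `# NOTE: stores a fixed default credential; rotate after install`. The `File(..., mode = 0640)` resource is applied only after the helper has created the keystore, so the file's permissions in between depend on the helper's umask.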
@@ -0,0 +1,120 @@
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+from resource_management.libraries.functions.check_process_status import check_process_status
+from resource_management.libraries.script import Script
+from resource_management.core.resources.system import Execute, File
+from resource_management.core.exceptions import ComponentIsNotRunning
+from resource_management.libraries.functions.format import format
+from resource_management.core.logger import Logger
+from resource_management.core import shell
+from ranger_service import ranger_service
+from ambari_commons.constants import UPGRADE_TYPE_NON_ROLLING, UPGRADE_TYPE_ROLLING
+from resource_management.libraries.functions.constants import Direction
+from setup_ranger_xml import ranger
+import upgrade
+import os
+
+class RangerUsersync(Script):
+
+ def install(self, env):
+ self.install_packages(env)
+ import params
+ env.set_params(params)
+
+ if params.stack_supports_usersync_passwd:
+ from setup_ranger_xml import ranger_credential_helper
+ ranger_credential_helper(params.ugsync_cred_lib, params.ugsync_policymgr_alias, 'rangerusersync', params.ugsync_policymgr_keystore)
+
+ File(params.ugsync_policymgr_keystore,
+ owner = params.unix_user,
+ group = params.unix_group,
+ mode = 0640
+ )
+
+ self.configure(env)
+
+ def configure(self, env, upgrade_type=None):
+ import params
+ env.set_params(params)
+
+ ranger('ranger_usersync', upgrade_type=upgrade_type)
+
+ def start(self, env, upgrade_type=None):
+ import params
+ env.set_params(params)
+
+ self.configure(env, upgrade_type=upgrade_type)
+ ranger_service('ranger_usersync')
+
+ def stop(self, env, upgrade_type=None):
+ import params
+ env.set_params(params)
+
+ if upgrade_type == UPGRADE_TYPE_NON_ROLLING and params.upgrade_direction == Direction.UPGRADE:
+ if params.stack_supports_usersync_non_root and os.path.isfile(params.usersync_services_file):
+ File(params.usersync_services_file,
+ mode = 0755
+ )
+ Execute(('ln','-sf', format('{usersync_services_file}'),'/usr/bin/ranger-usersync'),
+ not_if=format("ls /usr/bin/ranger-usersync"),
+ only_if=format("ls {usersync_services_file}"),
+ sudo=True
+ )
+
+ Execute((params.usersync_stop,), environment={'JAVA_HOME': params.java_home}, sudo=True)
+ if params.stack_supports_pid:
+ File(params.ranger_usersync_pid_file,
+ action = "delete"
+ )
+
+ def status(self, env):
+ import status_params
+ env.set_params(status_params)
+
+ if status_params.stack_supports_pid:
+ check_process_status(status_params.ranger_usersync_pid_file)
+ return
+
+ cmd = 'ps -ef | grep proc_rangerusersync | grep -v grep'
+ code, output = shell.call(cmd, timeout=20)
+
+ if code != 0:
+ Logger.debug('Ranger usersync process not running')
+ raise ComponentIsNotRunning()
+ pass
+
+ def pre_upgrade_restart(self, env, upgrade_type=None):
+ import params
+ env.set_params(params)
+ upgrade.prestart(env, "ranger-usersync")
+
+ def get_component_name(self):
+ return "ranger-usersync"
+
+ def get_log_folder(self):
+ import params
+ return params.usersync_log_dir
+
+ def get_user(self):
+ import params
+ return params.unix_user
+
+if __name__ == "__main__":
+ RangerUsersync().execute()
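Review bot: `install()` seeds the usersync keystore with the literal password `'rangerusersync'` in the `ranger_credential_helper(...)` call, so every cluster deployed from this script starts with the same known credential under `params.ugsync_policymgr_alias` unless an operator changes it afterwards. The value should come from cluster configuration instead of the script, e.g. `ranger_credential_helper(params.ugsync_cred_lib, params.ugsync_policymgr_alias, params.<usersync_password_property>, params.ugsync_policymgr_keystore)`, where the placeholder stands for a password-typed property that this hunk does not define. The keystore is also written before the following `File(...)` applies owner, group and `0640`, so its permissions in that interval depend on how the helper creates it, which is not visible here and worth confirming. `create_atlas_user_keystore` in ranger_tagsync.py follows the same pattern with the literal `'admin'`.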
http://git-wip-us.apache.org/repos/asf/ambari/blob/3dc51b0c/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/package/scripts/service_check.py
----------------------------------------------------------------------
diff --git a/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/package/scripts/service_check.py b/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/package/scripts/service_check.py
new file mode 100644
index 0000000..fb6af95
--- /dev/null
+++ b/ambari-server/src/main/resources/common-services/RANGER/1.0.0.3.0/package/scripts/service_check.py
@@ -0,0 +1,49 @@
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+
+from resource_management.libraries.script import Script
+from resource_management.core.resources.system import Execute
+from resource_management.core.exceptions import ComponentIsNotRunning
+from resource_management.libraries.functions.format import format
+from resource_management.core.logger import Logger
+import os
+
+
+class RangerServiceCheck(Script):
+
+ def service_check(self, env):
+ import params
+
+ env.set_params(params)
+ self.check_ranger_admin_service(params.ranger_external_url, params.upgrade_marker_file)
+
+ def check_ranger_admin_service(self, ranger_external_url, upgrade_marker_file):
+ if (self.is_ru_rangeradmin_in_progress(upgrade_marker_file)):
+ Logger.info('Ranger admin process not running - skipping as stack upgrade is in progress')
+ else:
+ Execute(format("curl -s -o /dev/null -w'%{{http_code}}' --negotiate -u: -k {ranger_external_url}/login.jsp | grep 200"),
+ tries = 10,
+ try_sleep=3,
+ logoutput=True)
+
+ def is_ru_rangeradmin_in_progress(self, upgrade_marker_file):
+ return os.path.isfile(upgrade_marker_file)
+
+if __name__ == "__main__":
+ RangerServiceCheck().execute()
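Review bot: The `curl` command in `check_ranger_admin_service` passes `-k`, which disables TLS certificate verification on the same request that offers Kerberos credentials via `--negotiate -u:`, so the health check cannot distinguish the real Ranger Admin from any other host answering at `ranger_external_url`. Verifying against the cluster CA would close that gap, e.g. replacing `-k` with `--cacert <path-to-cluster-ca-bundle>` (a placeholder; no such parameter appears in this hunk). `ranger_external_url` is also interpolated unquoted into a shell pipeline, so quoting it as `'{ranger_external_url}/login.jsp'` would keep a malformed configured value from being parsed by the shell.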