This is an automated email from the ASF dual-hosted git repository.

oleewere pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ambari.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 37475b1  [Ambari-23850] Use trustore details for Atlas/Ranger during 
collection creation (#1276)
37475b1 is described below

commit 37475b1ad3eb9a8f97da15012819fa8c564d6f79
Author: amerissa <[email protected]>
AuthorDate: Fri May 18 18:08:02 2018 -0400

    [Ambari-23850] Use trustore details for Atlas/Ranger during collection 
creation (#1276)
    
    * When installing Atlas/Ranger with HTTPS ambari-infra (solr), the script 
does not account for the truststore. By default we should be picking up the 
truststore information from Ambari Infra. Failure to do so will result in PKIX 
error. It happens when installing fresh and SSL is preenabled
    
    * Revert "When installing Atlas/Ranger with HTTPS ambari-infra (solr), the 
script does not account for the truststore. By default we should be picking up 
the truststore information from Ambari Infra. Failure to do so will result in 
PKIX error. It happens when installing fresh and SSL is preenabled"
    
    This reverts commit 105434e0dac65b12c2ed80cadfdc9a57fab477f7.
    
    Reverting commit to push configuration changes down to clients instead of 
solr wrapper
    
    * When installing Atlas/Ranger with HTTPS ambari-infra (solr), the script 
does not account for the truststore. By default we should be picking up the 
truststore information from Ambari Infra. Failure to do so will result in PKIX 
error. It happens when installing fresh and SSL is preenabled. Update the 
ranger part to use ranger truststore and password, Atlas will use the policy 
manager truststore and password
    
    * Supply the truststore information to solr by default if they are defined. 
Will work for both internal and external solr
    
    * Add parameters for truststore and keystore with their passwords for 
atlas. Change Solr creation configs to use Atlas' truststore and password
    
    * fix truststore declaration
    
    * fix truststore declaration
    
    * fix truststore declaration
    
    * fix truststore declaration
    
    * JDK Location update for get creds password
---
 .../ATLAS/0.1.0.2.3/package/scripts/metadata.py    |  7 ++++++-
 .../ATLAS/0.1.0.2.3/package/scripts/params.py      | 17 +++++++++++++++-
 .../0.4.0/package/scripts/setup_ranger_xml.py      | 23 +++++++++++-----------
 3 files changed, 34 insertions(+), 13 deletions(-)

diff --git 
a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata.py
 
b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata.py
index d78efe9..ac7ba42 100644
--- 
a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata.py
+++ 
b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/metadata.py
@@ -25,6 +25,8 @@ from resource_management import StackFeature
 from resource_management.core.resources.system import Directory, File, Execute
 from resource_management.core.source import StaticFile, InlineTemplate, 
Template
 from resource_management.core.exceptions import Fail
+from resource_management.libraries.script.script import Script
+from resource_management.libraries.functions.default import default
 from resource_management.libraries.functions.format import format
 from resource_management.libraries.functions.decorator import retry
 from resource_management.libraries.functions import solr_cloud_util
@@ -245,7 +247,10 @@ def create_collection(collection, config_set, jaasFile):
       java64_home=params.ambari_java_home,
       jaas_file=jaasFile,
       shards=params.atlas_solr_shards,
-      replication_factor = params.infra_solr_replication_factor)
+      replication_factor = params.infra_solr_replication_factor,
+      trust_store_password =  params.truststore_password if 
params.credential_provider else None,
+      trust_store_type = "JKS" if params.credential_provider else None,
+      trust_store_location = params.truststore_location if 
params.credential_provider else None)
 
 def secure_znode(znode, jaasFile):
   import params
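Review bot: The three new trust-store arguments to `create_collection` are gated on `params.credential_provider` rather than on whether a truststore is configured, so a host with a credential provider path but no `truststore.file` passes a password and type "JKS" together with `trust_store_location=None`. Gating all three on the location as well, e.g. `trust_store_location = params.truststore_location if params.credential_provider and params.truststore_location else None`, keeps the values consistent. The type is hard-coded to "JKS"; if the Atlas truststore can be in another format, this should come from configuration. How `solr_cloud_util.create_collection` passes the password to the Solr client is not visible here, so it is worth confirming it does not land in a process argument list or an unmasked log line. The body of `create_collection` starts outside the hunk.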
diff --git 
a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py
 
b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py
index 8ce94be..7a7dfaa 100644
--- 
a/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py
+++ 
b/ambari-server/src/main/resources/common-services/ATLAS/0.1.0.2.3/package/scripts/params.py
@@ -26,6 +26,9 @@ from resource_management.libraries.functions.version import 
format_stack_version
 from resource_management.libraries.script.script import Script
 from resource_management.libraries.functions.format import format
 from resource_management.libraries.functions.default import default
+from resource_management.core.utils import PasswordString
+from ambari_commons.credential_store_helper import 
get_password_from_credential_store
+
 
 # Local Imports
 from status_params import *
@@ -131,14 +134,19 @@ java64_home = config['ambariLevelParams']['java_home']
 ambari_java_home = default("/ambariLevelParams/ambari_java_home", java64_home)
 java_exec = format("{java64_home}/bin/java")
 env_sh_template = config['configurations']['atlas-env']['content']
+jdk_location = config['ambariLevelParams']['jdk_location']
+
 
 # credential provider
-credential_provider = format( "jceks://file@{conf_dir}/atlas-site.jceks")
+credential_provider = 
default("/configurations/application-properties/cert.stores.credential.provider.path",
 None)
 
 # command line args
 ssl_enabled = 
default("/configurations/application-properties/atlas.enableTLS", False)
 http_port = 
default("/configurations/application-properties/atlas.server.http.port", 
"21000")
 https_port = 
default("/configurations/application-properties/atlas.server.https.port", 
"21443")
+truststore_location = 
default("/configurations/application-properties/truststore.file", None)
+keystore_location = 
default("/configurations/application-properties/keystore.file", None)
+
 if ssl_enabled:
   metadata_port = https_port
   metadata_protocol = 'https'
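Review bot: `credential_provider` was always a `jceks://file@{conf_dir}/atlas-site.jceks` string and can now be `None`, so any reader of `params.credential_provider` outside this commit that formats it into a command or a config value would now receive `None`; those call sites should be checked. `jdk_location = config['ambariLevelParams']['jdk_location']` indexes directly and raises `KeyError` when the key is absent, whereas the neighbouring `ambari_java_home` goes through `default(...)`; the same form with a `None` fallback would be safer. `keystore_location` is read here but not used in any hunk of this commit. A short comment above `credential_provider` would help, for example `# None when no credential store is configured; truststore passwords are then not loaded`.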
@@ -421,3 +429,10 @@ if stack_supports_atlas_ranger_plugin and 
enable_ranger_atlas:
 # atlas admin login username password
 atlas_admin_username = 
config['configurations']['atlas-env']['atlas.admin.username']
 atlas_admin_password = 
config['configurations']['atlas-env']['atlas.admin.password']
+
+# Atlas Passwords Extracted From Credential Store
+if credential_provider:
+    default_credential_shell_lib_path = jdk_location
+    truststore_password = 
PasswordString(get_password_from_credential_store('truststore.password', 
credential_provider, os.path.join(default_credential_shell_lib_path, '*'), 
java64_home, jdk_location))
+    keystore_password = 
PasswordString(get_password_from_credential_store('keystore.password', 
credential_provider, os.path.join(default_credential_shell_lib_path, '*'), 
java64_home, jdk_location))
+    key_password = 
PasswordString(get_password_from_credential_store('password', 
credential_provider, os.path.join(default_credential_shell_lib_path, '*'), 
java64_home, jdk_location))
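Review bot: `truststore_password`, `keystore_password` and `key_password` are bound only when `credential_provider` is set, so any reader that does not repeat that guard fails with an AttributeError on `params`; initialising them first with `truststore_password = keystore_password = key_password = None` makes the module safe to read unconditionally. `default_credential_shell_lib_path = jdk_location` makes one value serve both as the library path (joined with `'*'`) and as the last argument; if `jdk_location` is a download URL rather than a local directory, the joined path is presumably not a usable classpath, which should be confirmed against `get_password_from_credential_store`. `os` is not among the imports visible in this commit's params.py hunks, so check that the module already imports it. These three lookups run at import time of `params`, and their failure behaviour is not visible here; a comment stating what happens when an alias is missing from the store would help.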
diff --git 
a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
 
b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
index 0e7604d..edb6986 100644
--- 
a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
+++ 
b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py
@@ -167,7 +167,7 @@ def setup_ranger_admin(upgrade_type=None):
 
     Link('/usr/bin/ranger-admin',
     to=format('{ranger_home}/ews/ranger-admin-services.sh'))
-  
+
   if default("/configurations/ranger-admin-site/ranger.authentication.method", 
"") == 'PAM':
     d = '/etc/pam.d'
     if os.path.isdir(d):
@@ -254,7 +254,7 @@ def setup_ranger_admin(upgrade_type=None):
 
 def setup_ranger_db(stack_version=None):
   import params
-  
+
   ranger_home = params.ranger_home
 
   if stack_version is not None:
@@ -275,7 +275,7 @@ def setup_ranger_db(stack_version=None):
   if params.create_db_dbuser:
     Logger.info('Setting up Ranger DB and DB User')
     dba_setup = format('ambari-python-wrap {ranger_home}/dba_script.py -q')
-    Execute(dba_setup, 
+    Execute(dba_setup,
             environment=env_dict,
             logoutput=True,
             user=params.unix_user,
@@ -284,7 +284,7 @@ def setup_ranger_db(stack_version=None):
     Logger.info('Separate DBA property not set. Assuming Ranger DB and DB User 
exists!')
 
   db_setup = format('ambari-python-wrap {ranger_home}/db_setup.py')
-  Execute(db_setup, 
+  Execute(db_setup,
           environment=env_dict,
           logoutput=True,
           user=params.unix_user,
@@ -303,7 +303,7 @@ def setup_java_patch(stack_version=None):
     env_dict = {'RANGER_ADMIN_HOME':ranger_home, 'JAVA_HOME':params.java_home, 
'LD_LIBRARY_PATH':params.ld_lib_path}
 
   setup_java_patch = format('ambari-python-wrap {ranger_home}/db_setup.py 
-javapatch')
-  Execute(setup_java_patch, 
+  Execute(setup_java_patch,
           environment=env_dict,
           logoutput=True,
           user=params.unix_user,
@@ -477,7 +477,7 @@ def setup_usersync(upgrade_type=None):
     group = params.unix_group,
     mode=0755
   )
-  
+
   Directory(format("{ranger_ugsync_conf}/"),
     owner = params.unix_user
   )
@@ -535,7 +535,7 @@ def setup_usersync(upgrade_type=None):
        group = params.unix_group,
        mode = 0640
   )
-  
+
   File([params.usersync_start, params.usersync_stop],
        owner = params.unix_user,
        group = params.unix_group
@@ -741,8 +741,6 @@ def setup_ranger_audit_solr():
       solr_cloud_util.add_solr_roles(params.config,
                                      roles = 
[params.infra_solr_role_ranger_audit, params.infra_solr_role_dev],
                                      new_service_principals = 
service_principals)
-
-
     solr_cloud_util.create_collection(
       zookeeper_quorum = params.zookeeper_quorum,
       solr_znode = params.solr_znode,
@@ -751,7 +749,10 @@ def setup_ranger_audit_solr():
       java64_home = params.ambari_java_home,
       shards = params.ranger_solr_shards,
       replication_factor = int(params.replication_factor),
-      jaas_file = params.solr_jaas_file)
+      jaas_file = params.solr_jaas_file,
+      trust_store_password = 
default('configurations/ranger-admin-site/ranger.truststore.file', None),
+      trust_store_type = "JKS" if 
default('configurations/ranger-admin-site/ranger.truststore.file', None) else 
None,
+      trust_store_location = 
default('configurations/ranger-admin-site/ranger.truststore.password', None))
 
     if params.security_enabled and params.has_infra_solr \
       and not params.is_external_solrCloud_enabled and 
params.stack_supports_ranger_kerberos:
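Review bot: The truststore path and password are swapped in the new `create_collection` arguments: `trust_store_password` is read from `ranger.truststore.file` and `trust_store_location` from `ranger.truststore.password`, so the Solr client receives the file path as its password and the secret in a field treated as a path, where it is more likely to be logged. The two lines should read `trust_store_password = default('/configurations/ranger-admin-site/ranger.truststore.password', None),` and `trust_store_location = default('/configurations/ranger-admin-site/ranger.truststore.file', None))`. The Atlas half of this commit wraps its password in `PasswordString`; doing the same here would keep the two call sites consistent. The new keys also omit the leading `/` used by the PAM lookup earlier in this file, so confirm that `default()` treats both forms alike. `setup_ranger_audit_solr` starts outside the hunk.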
@@ -870,4 +871,4 @@ def update_password_configs():
   ModifyPropertiesFile(format("{ranger_home}/install.properties"),
     properties = password_configs,
     owner = params.unix_user,
-  )
\ No newline at end of file
+  )
