def setup_ranger_kafka():
    """Set up the Ranger plugin for Kafka when ``params.enable_ranger_kafka`` is set.

    Loads ``setup_ranger_plugin`` from the shared before-INSTALL hook scripts,
    optionally declares the HDFS audit directories, runs the plugin setup,
    installs the Ranger env script and, when a NameNode is present and
    security is enabled, requests core-site.xml creation. When the plugin is
    disabled it only logs that fact.
    """
    # NOTE(review): the page this was taken from had lost its line structure;
    # the nesting below is reconstructed from the statements - confirm it
    # against the original file (in particular that setup_ranger_plugin is
    # not nested under the audit-directory condition).
    import params

    if params.enable_ranger_kafka:
        import sys, os

        # The helper module is imported from a directory computed at run time.
        # NOTE(review): that directory should be writable only by the account
        # running this script; anything placed there runs with its privileges.
        script_path = os.path.realpath(__file__).split('/services')[0] + '/hooks/before-INSTALL/scripts/ranger'
        sys.path.append(script_path)

        from setup_ranger_plugin_xml import setup_ranger_plugin

        # retryAble is passed on below, inverted, as skip_if_rangeradmin_down.
        if params.retryAble:
            Logger.info("Kafka: Setup ranger: command retry enables thus retrying if ranger admin is down !")
        else:
            Logger.info("Kafka: Setup ranger: command retry not enabled thus skipping if ranger admin is down !")

        if params.xml_configurations_supported and params.enable_ranger_kafka and params.xa_audit_hdfs_is_enabled:
            if params.has_namenode:
                # Shared audit root (0755, hdfs_user) and the Kafka-private
                # audit directory (0700, kafka_user).
                # NOTE(review): recursive_chmod=True on the shared root looks
                # like it would also reset other services' 0700 audit
                # directories to 0755 - confirm HdfsResource semantics.
                params.HdfsResource("/ranger/audit",
                                    type="directory",
                                    action="create_on_execute",
                                    owner=params.hdfs_user,
                                    group=params.hdfs_user,
                                    mode=0755,
                                    recursive_chmod=True)
                params.HdfsResource("/ranger/audit/kafka",
                                    type="directory",
                                    action="create_on_execute",
                                    owner=params.kafka_user,
                                    group=params.kafka_user,
                                    mode=0700,
                                    recursive_chmod=True)
                # presumably runs the operations queued above - confirm
                params.HdfsResource(None, action="execute")

        setup_ranger_plugin(
            'kafka', 'kafka',
            params.previous_jdbc_jar,
            params.downloaded_custom_connector,
            params.driver_curl_source,
            params.driver_curl_target,
            params.java64_home,
            params.repo_name,
            params.kafka_ranger_plugin_repo,
            params.ranger_env,
            params.ranger_plugin_properties,
            params.policy_user,
            params.policymgr_mgr_url,
            params.enable_ranger_kafka,
            conf_dict=params.conf_dir,
            component_user=params.kafka_user,
            component_group=params.user_group,
            cache_service_list=['kafka'],
            plugin_audit_properties=params.ranger_kafka_audit,
            plugin_audit_attributes=params.ranger_kafka_audit_attrs,
            plugin_security_properties=params.ranger_kafka_security,
            plugin_security_attributes=params.ranger_kafka_security_attrs,
            plugin_policymgr_ssl_properties=params.ranger_kafka_policymgr_ssl,
            plugin_policymgr_ssl_attributes=params.ranger_kafka_policymgr_ssl_attrs,
            component_list=['kafka-broker'],
            audit_db_is_enabled=params.xa_audit_db_is_enabled,
            credential_file=params.credential_file,
            # Secrets are handed to the helper as plain arguments.
            # NOTE(review): confirm setup_ranger_plugin never logs them.
            xa_audit_db_password=params.xa_audit_db_password,
            ssl_truststore_password=params.ssl_truststore_password,
            ssl_keystore_password=params.ssl_keystore_password,
            api_version='v2',
            skip_if_rangeradmin_down=not params.retryAble,
            is_security_enabled=params.security_enabled,
            is_stack_supports_ranger_kerberos=params.stack_supports_ranger_kerberos,
            # Principal and keytab are only supplied on a secured cluster.
            component_user_principal=params.kafka_jaas_principal if params.security_enabled else None,
            component_user_keytab=params.kafka_keytab_path if params.security_enabled else None)

        if params.enable_ranger_kafka:
            # Copy the env script with sudo only if the target is missing,
            # then hand it to the Kafka service account.
            # NOTE(review): the script ends up owned by kafka_user with 0755;
            # confirm nothing with higher privileges sources it.
            Execute(('cp', '-rf', params.setup_ranger_env_sh_source, params.setup_ranger_env_sh_target),
                    not_if=format("test -f {setup_ranger_env_sh_target}"),
                    sudo=True)
            File(params.setup_ranger_env_sh_target,
                 owner=params.kafka_user,
                 group=params.user_group,
                 mode=0755)

        if params.enable_ranger_kafka and params.has_namenode and params.security_enabled:
            Logger.info("Stack supports core-site.xml creation for Ranger plugin, creating create core-site.xml from namenode configuraitions")
            setup_core_site_for_required_plugins(
                component_user=params.kafka_user,
                component_group=params.user_group,
                create_core_site_path=params.conf_dir,
                config=params.config)
        else:
            Logger.info("Stack does not support core-site.xml creation for Ranger plugin, skipping core-site.xml configurations")
    else:
        Logger.info('Ranger Kafka plugin is not enabled')
def setup_ranger_yarn():
    """Set up the Ranger plugin for YARN when ``params.enable_ranger_yarn`` is set.

    Loads ``setup_ranger_plugin`` from the shared before-INSTALL hook scripts,
    optionally declares the HDFS audit directories and runs the plugin setup
    for the ResourceManager. When the plugin is disabled it only logs that.
    """
    # NOTE(review): the page this was taken from had lost its line structure;
    # the nesting below is reconstructed - confirm against the original file.
    import params

    if params.enable_ranger_yarn:
        import sys, os

        # The helper module is imported from a directory computed at run time.
        # NOTE(review): that directory should be writable only by the account
        # running this script; anything placed there runs with its privileges.
        script_path = os.path.realpath(__file__).split('/services')[0] + '/hooks/before-INSTALL/scripts/ranger'
        sys.path.append(script_path)

        from setup_ranger_plugin_xml import setup_ranger_plugin

        # retryAble is passed on below, inverted, as skip_if_rangeradmin_down.
        if params.retryAble:
            Logger.info("YARN: Setup ranger: command retry enables thus retrying if ranger admin is down !")
        else:
            Logger.info("YARN: Setup ranger: command retry not enabled thus skipping if ranger admin is down !")

        if params.xml_configurations_supported and params.enable_ranger_yarn and params.xa_audit_hdfs_is_enabled:
            # Shared audit root (0755, hdfs_user) and the YARN-private audit
            # directory (0700, yarn_user). Unlike sibling setups in this file
            # there is no has_namenode check here.
            # NOTE(review): recursive_chmod=True on the shared root looks like
            # it would also reset other services' 0700 audit directories to
            # 0755 - confirm HdfsResource semantics.
            params.HdfsResource("/ranger/audit",
                                type="directory",
                                action="create_on_execute",
                                owner=params.hdfs_user,
                                group=params.hdfs_user,
                                mode=0755,
                                recursive_chmod=True
                                )
            params.HdfsResource("/ranger/audit/yarn",
                                type="directory",
                                action="create_on_execute",
                                owner=params.yarn_user,
                                group=params.yarn_user,
                                mode=0700,
                                recursive_chmod=True
                                )
            # presumably runs the operations queued above - confirm
            params.HdfsResource(None, action="execute")

        setup_ranger_plugin('hadoop', 'yarn',
                            params.previous_jdbc_jar,
                            params.downloaded_custom_connector,
                            params.driver_curl_source,
                            params.driver_curl_target,
                            params.java64_home,
                            params.repo_name,
                            params.yarn_ranger_plugin_repo,
                            params.ranger_env,
                            params.ranger_plugin_properties,
                            params.policy_user,
                            params.policymgr_mgr_url,
                            params.enable_ranger_yarn,
                            conf_dict=params.hadoop_conf_dir,
                            component_user=params.yarn_user,
                            component_group=params.user_group,
                            cache_service_list=['yarn'],
                            plugin_audit_properties=params.config['configurations']['ranger-yarn-audit'],
                            plugin_audit_attributes=params.config['configuration_attributes']['ranger-yarn-audit'],
                            plugin_security_properties=params.config['configurations']['ranger-yarn-security'],
                            plugin_security_attributes=params.config['configuration_attributes']['ranger-yarn-security'],
                            plugin_policymgr_ssl_properties=params.config['configurations']['ranger-yarn-policymgr-ssl'],
                            plugin_policymgr_ssl_attributes=params.config['configuration_attributes']['ranger-yarn-policymgr-ssl'],
                            component_list=['hadoop-yarn-resourcemanager'],
                            audit_db_is_enabled=params.xa_audit_db_is_enabled,
                            credential_file=params.credential_file,
                            # Secrets are handed to the helper as plain arguments.
                            # NOTE(review): confirm setup_ranger_plugin never logs them.
                            xa_audit_db_password=params.xa_audit_db_password,
                            ssl_truststore_password=params.ssl_truststore_password,
                            ssl_keystore_password=params.ssl_keystore_password,
                            api_version='v2',
                            skip_if_rangeradmin_down=not params.retryAble,
                            is_security_enabled=params.security_enabled,
                            is_stack_supports_ranger_kerberos=params.stack_supports_ranger_kerberos,
                            # Principal and keytab are only supplied on a secured cluster.
                            component_user_principal=params.rm_principal_name if params.security_enabled else None,
                            component_user_keytab=params.rm_keytab if params.security_enabled else None
                            )
    else:
        Logger.info('Ranger Yarn plugin is not enabled')
def setup_ranger_hdfs(upgrade_type=None):
    """Set up the Ranger plugin for HDFS when ``params.enable_ranger_hdfs`` is set.

    On a federated NameNode host whose default filesystem is the local
    nameservice, the Ranger HDFS service name is updated first. The plugin
    setup is then run with API version 'v2'. When the plugin is disabled it
    only logs that.

    :param upgrade_type: accepted but not read anywhere in this function.
    """
    # NOTE(review): the page this was taken from had lost its line structure;
    # the nesting below is reconstructed - confirm against the original file.
    import params

    if params.enable_ranger_hdfs:
        # retryAble is passed on below, inverted, as skip_if_rangeradmin_down.
        if params.retryAble:
            Logger.info("HDFS: Setup ranger: command retry enables thus retrying if ranger admin is down !")
        else:
            Logger.info("HDFS: Setup ranger: command retry not enabled thus skipping if ranger admin is down !")

        if params.is_hdfs_federation_enabled and params.is_namenode_host:
            # Only when fs_default_name points at this NameNode's nameservice.
            if params.namenode_nameservice is not None and params.fs_default_name == format("hdfs://{namenode_nameservice}"):
                update_ranger_hdfs_service_name()

        api_version = 'v2'

        # The four None arguments fill the JDBC jar / connector / driver
        # positions that sibling setups in this file pass from params.
        setup_ranger_plugin_xml.setup_ranger_plugin(
            'hadoop-client', 'hdfs',
            None, None, None, None,
            params.java_home,
            params.repo_name,
            params.hdfs_ranger_plugin_repo,
            params.ranger_env,
            params.ranger_plugin_properties,
            params.policy_user,
            params.policymgr_mgr_url,
            params.enable_ranger_hdfs,
            conf_dict=params.hadoop_conf_dir,
            component_user=params.hdfs_user,
            component_group=params.user_group,
            cache_service_list=['hdfs'],
            plugin_audit_properties=params.config['configurations']['ranger-hdfs-audit'],
            plugin_audit_attributes=params.config['configurationAttributes']['ranger-hdfs-audit'],
            plugin_security_properties=params.config['configurations']['ranger-hdfs-security'],
            plugin_security_attributes=params.config['configurationAttributes']['ranger-hdfs-security'],
            plugin_policymgr_ssl_properties=params.config['configurations']['ranger-hdfs-policymgr-ssl'],
            plugin_policymgr_ssl_attributes=params.config['configurationAttributes']['ranger-hdfs-policymgr-ssl'],
            component_list=['hadoop-client'],
            audit_db_is_enabled=params.xa_audit_db_is_enabled,
            credential_file=params.credential_file,
            # Secrets are handed to the helper as plain arguments.
            # NOTE(review): confirm setup_ranger_plugin never logs them.
            xa_audit_db_password=params.xa_audit_db_password,
            ssl_truststore_password=params.ssl_truststore_password,
            ssl_keystore_password=params.ssl_keystore_password,
            api_version=api_version,
            skip_if_rangeradmin_down=not params.retryAble,
            is_security_enabled=params.security_enabled,
            is_stack_supports_ranger_kerberos=params.stack_supports_ranger_kerberos,
            # Principal and keytab are only supplied on a secured cluster.
            component_user_principal=params.nn_principal_name if params.security_enabled else None,
            component_user_keytab=params.nn_keytab if params.security_enabled else None)
    else:
        Logger.info('Ranger Hdfs plugin is not enabled')
def setup_ranger_solr():
    """Set up the Ranger plugin for Solr when Ranger admin exists and security is on.

    Declares the HDFS audit directories, links the plugin jars into the Solr
    webapp, runs the plugin setup, links the files found in /etc/solr into the
    webapp classes directory and finally writes /solr/security.json through
    zkcli.sh so that Solr uses the Kerberos authentication plugin and the
    Ranger authorizer. Otherwise it only logs that Ranger admin is missing.
    """
    # NOTE(review): the page this was taken from had lost its line structure;
    # the nesting below is reconstructed - confirm against the original file
    # (in particular whether the properties_file loop belongs inside the
    # security_enabled/enable_ranger_solr condition).
    import params

    if params.has_ranger_admin and params.security_enabled:
        import sys, os

        # The helper module is imported from a directory computed at run time.
        # NOTE(review): that directory should be writable only by the account
        # running this script; anything placed there runs with its privileges.
        script_path = os.path.realpath(__file__).split('/services')[0] + '/hooks/before-INSTALL/scripts/ranger'
        sys.path.append(script_path)

        from setup_ranger_plugin_xml import setup_ranger_plugin

        # retryAble is passed on below, inverted, as skip_if_rangeradmin_down.
        if params.retryAble:
            Logger.info("Solr: Setup ranger: command retry enables thus retrying if ranger admin is down !")
        else:
            Logger.info("Solr: Setup ranger: command retry not enabled thus skipping if ranger admin is down !")

        if params.xml_configurations_supported and params.enable_ranger_solr and params.xa_audit_hdfs_is_enabled:
            if params.has_namenode:
                # Shared audit root (0755, hdfs_user) and the Solr-private
                # audit directory (0700, solr_user).
                # NOTE(review): recursive_chmod=True on the shared root looks
                # like it would also reset other services' 0700 audit
                # directories to 0755 - confirm HdfsResource semantics.
                params.HdfsResource("/ranger/audit",
                                    type="directory",
                                    action="create_on_execute",
                                    owner=params.hdfs_user,
                                    group=params.hdfs_user,
                                    mode=0755,
                                    recursive_chmod=True)
                params.HdfsResource("/ranger/audit/solr",
                                    type="directory",
                                    action="create_on_execute",
                                    owner=params.solr_user,
                                    group=params.solr_user,
                                    mode=0700,
                                    recursive_chmod=True)
                # presumably runs the operations queued above - confirm
                params.HdfsResource(None, action="execute")

        # Make the credential helper executable (no owner/group is set here).
        File(os.path.join(params.stack_root, "ranger-solr-plugin", "ranger_credential_helper.py"),
             mode=0755)

        # Symlink every entry of the plugin lib directory into the Solr webapp.
        jar_files = os.listdir(os.path.join(params.stack_root, "ranger-solr-plugin/lib"))

        for jar_file in jar_files:
            plugin_dir = os.path.join(params.stack_root, "ranger-solr-plugin/lib", jar_file)

            # The ln command is an argument tuple, but the only_if guard is a
            # string built from a directory-listing name.
            # NOTE(review): if the guard string is run by a shell, a file name
            # containing shell metacharacters would be interpreted; quote the
            # name or test for existence without a shell.
            Execute(('ln', '-sf', plugin_dir,
                     os.path.join(params.stack_root, "solr/server/solr-webapp/webapp/WEB-INF/lib", jar_file)),
                    only_if=format('ls {plugin_dir}'),
                    sudo=True)

        setup_ranger_plugin(
            'solr-server', 'solr',
            params.previous_jdbc_jar,
            params.downloaded_custom_connector,
            params.driver_curl_source,
            params.driver_curl_target,
            params.java64_home,
            params.repo_name,
            params.solr_ranger_plugin_repo,
            params.ranger_env,
            params.ranger_plugin_properties,
            params.policy_user,
            params.policymgr_mgr_url,
            params.enable_ranger_solr,
            conf_dict=params.solr_conf,
            component_user=params.solr_user,
            component_group=params.user_group,
            cache_service_list=['solr'],
            plugin_audit_properties=params.ranger_solr_audit,
            plugin_audit_attributes=params.ranger_solr_audit_attrs,
            plugin_security_properties=params.ranger_solr_security,
            plugin_security_attributes=params.ranger_solr_security_attrs,
            plugin_policymgr_ssl_properties=params.ranger_solr_policymgr_ssl,
            plugin_policymgr_ssl_attributes=params.ranger_solr_policymgr_ssl_attrs,
            component_list=['solr'],
            audit_db_is_enabled=params.xa_audit_db_is_enabled,
            credential_file=params.credential_file,
            # Secrets are handed to the helper as plain arguments.
            # NOTE(review): confirm setup_ranger_plugin never logs them.
            xa_audit_db_password=params.xa_audit_db_password,
            ssl_truststore_password=params.ssl_truststore_password,
            ssl_keystore_password=params.ssl_keystore_password,
            api_version='v2',
            skip_if_rangeradmin_down=not params.retryAble,
            is_security_enabled=params.security_enabled,
            is_stack_supports_ranger_kerberos=params.stack_supports_ranger_kerberos,
            # Principal and keytab are only supplied on a secured cluster.
            component_user_principal=params.solr_kerberos_principal if params.security_enabled else None,
            component_user_keytab=params.solr_kerberos_keytab if params.security_enabled else None)

        properties_files = os.listdir(format('/etc/solr'))

        if params.security_enabled and params.enable_ranger_solr:
            solr_classes_dir = os.path.join(params.stack_root, "solr/server/solr-webapp/webapp/WEB-INF/classes")
            # Directory failures are ignored; the mkdir below then runs unless
            # the directory can already be listed.
            Directory(solr_classes_dir,
                      owner=params.solr_user,
                      group=params.user_group,
                      ignore_failures=True)

            Execute(format('mkdir {solr_classes_dir}'),
                    not_if=format('ls {solr_classes_dir}'))

            for properties_file in properties_files:
                # NOTE(review): same guard-string concern as for the jar
                # links above - the name comes from listing /etc/solr.
                Execute(('ln', '-sf', format('/etc/solr/{properties_file}'),
                         os.path.join(params.stack_root, "solr/server/solr-webapp/webapp/WEB-INF/classes", properties_file)),
                        only_if=format('ls /etc/solr/{properties_file}'),
                        sudo=True)

        # Separator used to build "host:port,host:port" from the host list.
        zk_port = ":" + params.zookeeper_port + ","

        if params.enable_ranger_solr:
            zookeeper_hosts_ip = zk_port.join(params.zookeeper_hosts_list) + ":" + params.zookeeper_port
            zookeeper_script = os.path.join(params.stack_root, "solr/server/scripts/cloud-scripts/zkcli.sh")

            # One command string that puts a new /solr/security.json naming
            # KerberosPlugin for authentication and RangerSolrAuthorizer for
            # authorization.
            # NOTE(review): host names and port are interpolated into a
            # command string; they should come from trusted cluster config
            # only. The put also replaces whatever security.json existed.
            set_solr_ranger_authorizer = format(
                '{zookeeper_script} -zkhost {zookeeper_hosts_ip} ' +
                '-cmd put /solr/security.json \'{{\"authentication":{{\"class\":\"org.apache.solr.security.KerberosPlugin\"}},\"authorization\":{{\"class\": ' +
                '\"org.apache.ranger.authorization.solr.authorizer.RangerSolrAuthorizer\"}}}}\''
            )

            Execute(set_solr_ranger_authorizer)
    else:
        Logger.info('Ranger admin not installed')
def setup_ranger_yarn():
    """Set up the Ranger plugin for YARN when ``params.enable_ranger_yarn`` is set.

    Tries to declare the HDFS audit directories (a failure is logged and
    setup continues) and then runs the plugin setup for the ResourceManager.
    Nothing is done or logged when the plugin is disabled.
    """
    # NOTE(review): the page this was taken from had lost its line structure;
    # the nesting below is reconstructed - confirm against the original file.
    import params

    if params.enable_ranger_yarn:
        # retryAble is passed on below, inverted, as skip_if_rangeradmin_down.
        if params.retryAble:
            Logger.info("YARN: Setup ranger: command retry enables thus retrying if ranger admin is down !")
        else:
            Logger.info("YARN: Setup ranger: command retry not enabled thus skipping if ranger admin is down !")

        if params.xa_audit_hdfs_is_enabled:
            try:
                # Shared audit root (0755, hdfs_user) and the YARN-private
                # audit directory (0700, yarn_user).
                # NOTE(review): recursive_chmod=True on the shared root looks
                # like it would also reset other services' 0700 audit
                # directories to 0755 - confirm HdfsResource semantics.
                params.HdfsResource("/ranger/audit",
                                    type="directory",
                                    action="create_on_execute",
                                    owner=params.hdfs_user,
                                    group=params.hdfs_user,
                                    mode=0755,
                                    recursive_chmod=True)
                params.HdfsResource("/ranger/audit/yarn",
                                    type="directory",
                                    action="create_on_execute",
                                    owner=params.yarn_user,
                                    group=params.yarn_user,
                                    mode=0700,
                                    recursive_chmod=True)
                # presumably runs the operations queued above - confirm
                params.HdfsResource(None, action="execute")
            except Exception, err:
                # Any failure is only logged, so the plugin can be enabled
                # without its HDFS audit directory.
                # NOTE(review): confirm this is acceptable for audit coverage.
                Logger.exception("Audit directory creation in HDFS for YARN Ranger plugin failed with error:\n{0}".format(err))

        # The four None arguments fill the JDBC jar / connector / driver
        # positions of the helper's positional list.
        setup_ranger_plugin(
            'hadoop-yarn-resourcemanager', 'yarn',
            None, None, None, None,
            params.java64_home,
            params.repo_name,
            params.yarn_ranger_plugin_repo,
            params.ranger_env,
            params.ranger_plugin_properties,
            params.policy_user,
            params.policymgr_mgr_url,
            params.enable_ranger_yarn,
            conf_dict=params.hadoop_conf_dir,
            component_user=params.yarn_user,
            component_group=params.user_group,
            cache_service_list=['yarn'],
            plugin_audit_properties=params.config['configurations']['ranger-yarn-audit'],
            plugin_audit_attributes=params.config['configurationAttributes']['ranger-yarn-audit'],
            plugin_security_properties=params.config['configurations']['ranger-yarn-security'],
            plugin_security_attributes=params.config['configurationAttributes']['ranger-yarn-security'],
            plugin_policymgr_ssl_properties=params.config['configurations']['ranger-yarn-policymgr-ssl'],
            plugin_policymgr_ssl_attributes=params.config['configurationAttributes']['ranger-yarn-policymgr-ssl'],
            component_list=['hadoop-yarn-resourcemanager'],
            audit_db_is_enabled=params.xa_audit_db_is_enabled,
            credential_file=params.credential_file,
            # Secrets are handed to the helper as plain arguments.
            # NOTE(review): confirm setup_ranger_plugin never logs them.
            xa_audit_db_password=params.xa_audit_db_password,
            ssl_truststore_password=params.ssl_truststore_password,
            ssl_keystore_password=params.ssl_keystore_password,
            api_version='v2',
            skip_if_rangeradmin_down=not params.retryAble,
            is_security_enabled=params.security_enabled,
            is_stack_supports_ranger_kerberos=params.stack_supports_ranger_kerberos,
            # Principal and keytab are only supplied on a secured cluster.
            component_user_principal=params.rm_principal_name if params.security_enabled else None,
            component_user_keytab=params.rm_keytab if params.security_enabled else None)
def setup_ranger_storm(upgrade_type=None):
    """Set up the Ranger plugin for Storm when it is enabled and security is on.

    Creates the plugin conf directory, tries to declare the HDFS audit
    directories (plus ssl-client.xml when Ranger KMS uses SSL), runs the
    plugin setup for Nimbus, and then writes core-site.xml and, for an HA
    NameNode, hdfs-site.xml into the plugin conf directory.

    :param upgrade_type: Upgrade Type such as "rolling" or "nonrolling";
        not read anywhere in this function.
    """
    # NOTE(review): the page this was taken from had lost its line structure;
    # the nesting below is reconstructed - confirm against the original file.
    import params

    if params.enable_ranger_storm and params.security_enabled:
        site_files_create_path = format('{install_dir}/extlib-daemon/ranger-storm-plugin-impl/conf')
        # NOTE(review): 0775 leaves this directory group-writable, and the
        # site files below are written into it - confirm that every member of
        # user_group is trusted to change them.
        Directory(site_files_create_path,
                  owner=params.storm_user,
                  group=params.user_group,
                  mode=0775,
                  create_parents=True,
                  cd_access='a')

        # retryAble is passed on below, inverted, as skip_if_rangeradmin_down.
        if params.retryAble:
            Logger.info("Storm: Setup ranger: command retry enables thus retrying if ranger admin is down !")
        else:
            Logger.info("Storm: Setup ranger: command retry not enabled thus skipping if ranger admin is down !")

        if params.has_namenode and params.xa_audit_hdfs_is_enabled:
            try:
                # Shared audit root (0755, hdfs_user) and the Storm-private
                # audit directory (0700, storm_user).
                # NOTE(review): recursive_chmod=True on the shared root looks
                # like it would also reset other services' 0700 audit
                # directories to 0755 - confirm HdfsResource semantics.
                params.HdfsResource("/ranger/audit",
                                    type="directory",
                                    action="create_on_execute",
                                    owner=params.hdfs_user,
                                    group=params.hdfs_user,
                                    mode=0755,
                                    recursive_chmod=True)
                params.HdfsResource("/ranger/audit/storm",
                                    type="directory",
                                    action="create_on_execute",
                                    owner=params.storm_user,
                                    group=params.storm_user,
                                    mode=0700,
                                    recursive_chmod=True)
                # presumably runs the operations queued above - confirm
                params.HdfsResource(None, action="execute")

                if params.is_ranger_kms_ssl_enabled:
                    Logger.info('Ranger KMS is ssl enabled, configuring ssl-client for hdfs audits.')
                    setup_configuration_file_for_required_plugins(
                        component_user=params.storm_user,
                        component_group=params.user_group,
                        create_core_site_path=site_files_create_path,
                        configurations=params.config['configurations']['ssl-client'],
                        configuration_attributes=params.config['configurationAttributes']['ssl-client'],
                        file_name='ssl-client.xml')
                else:
                    Logger.info('Ranger KMS is not ssl enabled, skipping ssl-client for hdfs audits.')
            except Exception, err:
                # Any failure above, including the ssl-client step, is only
                # logged, so the plugin can be enabled without its HDFS audit
                # directory.
                # NOTE(review): confirm this is acceptable for audit coverage.
                Logger.exception("Audit directory creation in HDFS for STORM Ranger plugin failed with error:\n{0}".format(err))

        api_version = 'v2'

        # The four None arguments fill the JDBC jar / connector / driver
        # positions of the helper's positional list.
        setup_ranger_plugin(
            'storm-nimbus', 'storm',
            None, None, None, None,
            params.java64_home,
            params.repo_name,
            params.storm_ranger_plugin_repo,
            params.ranger_env,
            params.ranger_plugin_properties,
            params.policy_user,
            params.policymgr_mgr_url,
            params.enable_ranger_storm,
            conf_dict=params.conf_dir,
            component_user=params.storm_user,
            component_group=params.user_group,
            cache_service_list=['storm'],
            plugin_audit_properties=params.config['configurations']['ranger-storm-audit'],
            plugin_audit_attributes=params.config['configurationAttributes']['ranger-storm-audit'],
            plugin_security_properties=params.config['configurations']['ranger-storm-security'],
            plugin_security_attributes=params.config['configurationAttributes']['ranger-storm-security'],
            plugin_policymgr_ssl_properties=params.config['configurations']['ranger-storm-policymgr-ssl'],
            plugin_policymgr_ssl_attributes=params.config['configurationAttributes']['ranger-storm-policymgr-ssl'],
            component_list=['storm-client', 'storm-nimbus'],
            audit_db_is_enabled=params.xa_audit_db_is_enabled,
            credential_file=params.credential_file,
            # Secrets are handed to the helper as plain arguments.
            # NOTE(review): confirm setup_ranger_plugin never logs them.
            xa_audit_db_password=params.xa_audit_db_password,
            ssl_truststore_password=params.ssl_truststore_password,
            ssl_keystore_password=params.ssl_keystore_password,
            skip_if_rangeradmin_down=not params.retryAble,
            api_version=api_version,
            is_security_enabled=params.security_enabled,
            is_stack_supports_ranger_kerberos=params.stack_supports_ranger_kerberos,
            # Principal and keytab are only supplied on a secured cluster.
            component_user_principal=params.ranger_storm_principal if params.security_enabled else None,
            component_user_keytab=params.ranger_storm_keytab if params.security_enabled else None)

        if params.stack_supports_core_site_for_ranger_plugin and params.enable_ranger_storm and params.security_enabled:
            if params.has_namenode:
                # Optional viewfs mount table, included only when the config
                # carries non-blank 'content'.
                mount_table_xml_inclusion_file_full_path = None
                mount_table_content = None

                if 'viewfs-mount-table' in params.config['configurations']:
                    xml_inclusion_file_name = 'viewfs-mount-table.xml'
                    mount_table = params.config['configurations']['viewfs-mount-table']

                    if 'content' in mount_table and mount_table['content'].strip():
                        mount_table_xml_inclusion_file_full_path = os.path.join(site_files_create_path, xml_inclusion_file_name)
                        mount_table_content = mount_table['content']

                Logger.info("Stack supports core-site.xml creation for Ranger plugin and Namenode is installed, creating create core-site.xml from namenode configurations")
                # NOTE(review): this lookup uses 'configuration_attributes'
                # while every other lookup in this function uses
                # 'configurationAttributes' - confirm the key exists.
                setup_configuration_file_for_required_plugins(
                    component_user=params.storm_user,
                    component_group=params.user_group,
                    create_core_site_path=site_files_create_path,
                    configurations=params.config['configurations']['core-site'],
                    configuration_attributes=params.config['configuration_attributes']['core-site'],
                    file_name='core-site.xml',
                    xml_include_file=mount_table_xml_inclusion_file_full_path,
                    xml_include_file_content=mount_table_content)
            else:
                Logger.info("Stack supports core-site.xml creation for Ranger plugin and Namenode is not installed, creating create core-site.xml from default configurations")
                # Minimal core-site carrying only the authentication mode.
                setup_configuration_file_for_required_plugins(
                    component_user=params.storm_user,
                    component_group=params.user_group,
                    create_core_site_path=site_files_create_path,
                    configurations={'hadoop.security.authentication': 'kerberos' if params.security_enabled else 'simple'},
                    configuration_attributes={},
                    file_name='core-site.xml')

            # hdfs-site.xml is only kept when more than one NameNode host is
            # configured; otherwise any existing copy is deleted.
            if len(params.namenode_hosts) > 1:
                Logger.info('Ranger Storm plugin is enabled along with security and NameNode is HA , creating hdfs-site.xml')
                setup_configuration_file_for_required_plugins(
                    component_user=params.storm_user,
                    component_group=params.user_group,
                    create_core_site_path=site_files_create_path,
                    configurations=params.config['configurations']['hdfs-site'],
                    configuration_attributes=params.config['configurationAttributes']['hdfs-site'],
                    file_name='hdfs-site.xml')
            else:
                Logger.info('Ranger Storm plugin is not enabled or security is disabled, removing hdfs-site.xml')
                File(format('{site_files_create_path}/hdfs-site.xml'), action="delete")
        else:
            Logger.info("Stack does not support core-site.xml creation for Ranger plugin, skipping core-site.xml configurations")
def setup_ranger_knox(upgrade_type=None):
    """Set up the Ranger plugin for Knox when ``params.enable_ranger_knox`` is set.

    Declares the HDFS audit directories, writes or deletes hdfs-site.xml in
    the Knox conf directory, runs the XML-based or the older plugin setup
    depending on ``params.xml_configurations_supported`` and finally requests
    core-site.xml creation when the stack supports it. When the plugin is
    disabled it only logs that.

    :param upgrade_type: when not None, ``params.version`` is passed to the
        helper as ``stack_version_override``.
    """
    # NOTE(review): the page this was taken from had lost its line structure;
    # the nesting below is reconstructed - confirm against the original file
    # (in particular which condition the hdfs-site.xml delete belongs to).
    import params

    if params.enable_ranger_knox:
        stack_version = None
        if upgrade_type is not None:
            stack_version = params.version

        # retryAble is passed on below, inverted, as skip_if_rangeradmin_down.
        if params.retryAble:
            Logger.info("Knox: Setup ranger: command retry enables thus retrying if ranger admin is down !")
        else:
            Logger.info("Knox: Setup ranger: command retry not enabled thus skipping if ranger admin is down !")

        import sys, os

        # The helper modules are imported from a directory computed at run
        # time.
        # NOTE(review): that directory should be writable only by the account
        # running this script; anything placed there runs with its privileges.
        script_path = os.path.realpath(__file__).split('/services')[0] + '/hooks/before-INSTALL/scripts/ranger'
        sys.path.append(script_path)

        if params.xml_configurations_supported and params.enable_ranger_knox and params.xa_audit_hdfs_is_enabled:
            if params.has_namenode:
                # Shared audit root (0755, hdfs_user) and the Knox-private
                # audit directory (0700, knox_user).
                # NOTE(review): recursive_chmod=True on the shared root looks
                # like it would also reset other services' 0700 audit
                # directories to 0755 - confirm HdfsResource semantics.
                params.HdfsResource("/ranger/audit",
                                    type="directory",
                                    action="create_on_execute",
                                    owner=params.hdfs_user,
                                    group=params.hdfs_user,
                                    mode=0755,
                                    recursive_chmod=True)
                params.HdfsResource("/ranger/audit/knox",
                                    type="directory",
                                    action="create_on_execute",
                                    owner=params.knox_user,
                                    group=params.knox_user,
                                    mode=0700,
                                    recursive_chmod=True)
                # presumably runs the operations queued above - confirm
                params.HdfsResource(None, action="execute")

                # hdfs-site.xml is only kept for more than one NameNode host.
                if params.namenode_hosts is not None and len(params.namenode_hosts) > 1:
                    Logger.info('Ranger Knox plugin is enabled in NameNode HA environment along with audit to Hdfs enabled, creating hdfs-site.xml')
                    XmlConfig("hdfs-site.xml",
                              conf_dir=params.knox_conf_dir,
                              configurations=params.config['configurations']['hdfs-site'],
                              configuration_attributes=params.config['configuration_attributes']['hdfs-site'],
                              owner=params.knox_user,
                              group=params.knox_group,
                              mode=0644)
                else:
                    File(format('{knox_conf_dir}/hdfs-site.xml'), action="delete")

        if params.xml_configurations_supported:
            # API version 'v2' is only requested when the stack supports
            # Ranger with Kerberos.
            api_version = None
            if params.stack_supports_ranger_kerberos:
                api_version = 'v2'

            from setup_ranger_plugin_xml import setup_ranger_plugin
            setup_ranger_plugin(
                'knox', 'knox',
                params.previous_jdbc_jar,
                params.downloaded_custom_connector,
                params.driver_curl_source,
                params.driver_curl_target,
                params.java_home,
                params.repo_name,
                params.knox_ranger_plugin_repo,
                params.ranger_env,
                params.ranger_plugin_properties,
                params.policy_user,
                params.policymgr_mgr_url,
                params.enable_ranger_knox,
                conf_dict=params.knox_conf_dir,
                component_user=params.knox_user,
                component_group=params.knox_group,
                cache_service_list=['knox'],
                plugin_audit_properties=params.config['configurations']['ranger-knox-audit'],
                plugin_audit_attributes=params.config['configuration_attributes']['ranger-knox-audit'],
                plugin_security_properties=params.config['configurations']['ranger-knox-security'],
                plugin_security_attributes=params.config['configuration_attributes']['ranger-knox-security'],
                plugin_policymgr_ssl_properties=params.config['configurations']['ranger-knox-policymgr-ssl'],
                plugin_policymgr_ssl_attributes=params.config['configuration_attributes']['ranger-knox-policymgr-ssl'],
                component_list=['knox-server'],
                audit_db_is_enabled=params.xa_audit_db_is_enabled,
                credential_file=params.credential_file,
                # Secrets are handed to the helper as plain arguments.
                # NOTE(review): confirm setup_ranger_plugin never logs them.
                xa_audit_db_password=params.xa_audit_db_password,
                ssl_truststore_password=params.ssl_truststore_password,
                ssl_keystore_password=params.ssl_keystore_password,
                stack_version_override=stack_version,
                skip_if_rangeradmin_down=not params.retryAble,
                api_version=api_version,
                is_security_enabled=params.security_enabled,
                is_stack_supports_ranger_kerberos=params.stack_supports_ranger_kerberos,
                # Principal and keytab are only supplied on a secured cluster.
                component_user_principal=params.knox_principal_name if params.security_enabled else None,
                component_user_keytab=params.knox_keytab_path if params.security_enabled else None)
        else:
            # Older helper module; the call passes no API version and no
            # Kerberos-related arguments.
            from setup_ranger_plugin import setup_ranger_plugin
            setup_ranger_plugin(
                'knox', 'knox',
                params.previous_jdbc_jar,
                params.downloaded_custom_connector,
                params.driver_curl_source,
                params.driver_curl_target,
                params.java_home,
                params.repo_name,
                params.knox_ranger_plugin_repo,
                params.ranger_env,
                params.ranger_plugin_properties,
                params.policy_user,
                params.policymgr_mgr_url,
                params.enable_ranger_knox,
                conf_dict=params.knox_conf_dir,
                component_user=params.knox_user,
                component_group=params.knox_group,
                cache_service_list=['knox'],
                plugin_audit_properties=params.config['configurations']['ranger-knox-audit'],
                plugin_audit_attributes=params.config['configuration_attributes']['ranger-knox-audit'],
                plugin_security_properties=params.config['configurations']['ranger-knox-security'],
                plugin_security_attributes=params.config['configuration_attributes']['ranger-knox-security'],
                plugin_policymgr_ssl_properties=params.config['configurations']['ranger-knox-policymgr-ssl'],
                plugin_policymgr_ssl_attributes=params.config['configuration_attributes']['ranger-knox-policymgr-ssl'],
                component_list=['knox-server'],
                audit_db_is_enabled=params.xa_audit_db_is_enabled,
                credential_file=params.credential_file,
                # Secrets are handed to the helper as plain arguments.
                # NOTE(review): confirm setup_ranger_plugin never logs them.
                xa_audit_db_password=params.xa_audit_db_password,
                ssl_truststore_password=params.ssl_truststore_password,
                ssl_keystore_password=params.ssl_keystore_password,
                stack_version_override=stack_version,
                skip_if_rangeradmin_down=not params.retryAble)

        if params.stack_supports_core_site_for_ranger_plugin and params.enable_ranger_knox and params.has_namenode and params.security_enabled:
            Logger.info("Stack supports core-site.xml creation for Ranger plugin, creating core-site.xml from namenode configuraitions")
            setup_core_site_for_required_plugins(
                component_user=params.knox_user,
                component_group=params.knox_group,
                create_core_site_path=params.knox_conf_dir,
                config=params.config)
        else:
            Logger.info("Stack does not support core-site.xml creation for Ranger plugin, skipping core-site.xml configurations")
    else:
        Logger.info('Ranger Knox plugin is not enabled')
def setup_ranger_nifi(upgrade_type=None):
    """Set up the Ranger plugin for NiFi when Ranger admin exists and the plugin is enabled.

    Restricts the credential helper script to the NiFi user and group,
    declares the HDFS audit directories (fresh installs only), runs the
    plugin setup with NiFi-specific credential helper overrides and then sets
    the generated Ranger XML files to mode 0400. Otherwise it only logs that
    Ranger admin is missing.

    :param upgrade_type: the HDFS audit directories are only declared when
        this is None.
    """
    # NOTE(review): the page this was taken from had lost its line structure;
    # the nesting below is reconstructed - confirm against the original file.
    import params, os

    if params.has_ranger_admin and params.enable_ranger_nifi:
        # Credential helper: owner and group may read/execute, others get
        # nothing.
        File(format('{stack_root}/{service_name}/ext/ranger/scripts/ranger_credential_helper.py'),
             owner=params.nifi_user,
             group=params.nifi_group,
             mode=0750)

        # Overrides handed to the helper below: library glob and the command
        # prefix (script, '-l', library glob).
        cred_lib_prefix_path = format('{stack_root}/{service_name}/ext/ranger/install/lib/*')
        cred_setup_prefix_path = (format('{stack_root}/{service_name}/ext/ranger/scripts/ranger_credential_helper.py'),
                                  '-l', cred_lib_prefix_path)

        # retryAble is passed on below, inverted, as skip_if_rangeradmin_down.
        if params.retryAble:
            Logger.info("nifi: Setup ranger: command retry enables thus retrying if ranger admin is down !")
        else:
            Logger.info("nifi: Setup ranger: command retry not enabled thus skipping if ranger admin is down !")

        # Create the Ranger NiFi audit directory: shared root (0755,
        # hdfs_user) and the NiFi directory (0750, nifi_user:nifi_group).
        # NOTE(review): recursive_chmod=True on the shared root looks like it
        # would also reset other services' private audit directories to 0755
        # - confirm HdfsResource semantics.
        if params.xa_audit_hdfs_is_enabled and params.has_namenode and params.has_hdfs_client_on_node and upgrade_type is None:
            params.HdfsResource("/ranger/audit",
                                type="directory",
                                action="create_on_execute",
                                owner=params.hdfs_user,
                                group=params.hdfs_user,
                                mode=0755,
                                recursive_chmod=True)
            params.HdfsResource("/ranger/audit/nifi",
                                type="directory",
                                action="create_on_execute",
                                owner=params.nifi_user,
                                group=params.nifi_group,
                                mode=0750,
                                recursive_chmod=True)
            # presumably runs the operations queued above - confirm
            params.HdfsResource(None, action="execute")

        # API version 'v2' is only requested when the stack supports Ranger
        # with Kerberos.
        api_version = None
        if params.stack_supports_ranger_kerberos:
            api_version = 'v2'

        # The four None arguments fill the JDBC jar / connector / driver
        # positions of the helper's positional list.
        setup_ranger_plugin(
            'nifi', params.service_name,
            None, None, None, None,
            params.java_home,
            params.repo_name,
            params.nifi_ranger_plugin_repo,
            params.ranger_env,
            params.ranger_plugin_properties,
            params.policy_user,
            params.policymgr_mgr_url,
            params.enable_ranger_nifi,
            conf_dict=params.nifi_config_dir,
            component_user=params.nifi_user,
            component_group=params.nifi_group,
            cache_service_list=['nifi'],
            plugin_audit_properties=params.config['configurations']['ranger-nifi-audit'],
            plugin_audit_attributes=params.config['configurationAttributes']['ranger-nifi-audit'],
            plugin_security_properties=params.config['configurations']['ranger-nifi-security'],
            plugin_security_attributes=params.config['configurationAttributes']['ranger-nifi-security'],
            plugin_policymgr_ssl_properties=params.config['configurations']['ranger-nifi-policymgr-ssl'],
            plugin_policymgr_ssl_attributes=params.config['configurationAttributes']['ranger-nifi-policymgr-ssl'],
            component_list=[],
            audit_db_is_enabled=params.xa_audit_db_is_enabled,
            credential_file=params.credential_file,
            # Secrets are handed to the helper as plain arguments.
            # NOTE(review): confirm setup_ranger_plugin never logs them.
            xa_audit_db_password=params.xa_audit_db_password,
            ssl_truststore_password=params.ssl_truststore_password,
            ssl_keystore_password=params.ssl_keystore_password,
            skip_if_rangeradmin_down=not params.retryAble,
            api_version=api_version,
            is_security_enabled=params.security_enabled,
            is_stack_supports_ranger_kerberos=params.stack_supports_ranger_kerberos,
            # Principal and keytab are only supplied on a secured cluster.
            component_user_principal=params.ranger_nifi_principal if params.security_enabled else None,
            component_user_keytab=params.ranger_nifi_keytab if params.security_enabled else None,
            cred_lib_path_override=cred_lib_prefix_path,
            cred_setup_prefix_override=cred_setup_prefix_path)

        # Tighten the Ranger XML files written by the setup above to 0400
        # (read-only for nifi_user).
        # NOTE(review): until this point the files carry whatever mode the
        # helper wrote them with - confirm that mode is not wider than needed.
        File(os.path.join(params.nifi_config_dir, 'ranger-nifi-audit.xml'),
             owner=params.nifi_user,
             group=params.nifi_group,
             mode=0400)
        File(os.path.join(params.nifi_config_dir, 'ranger-nifi-security.xml'),
             owner=params.nifi_user,
             group=params.nifi_group,
             mode=0400)
        File(os.path.join(params.nifi_config_dir, 'ranger-policymgr-ssl.xml'),
             owner=params.nifi_user,
             group=params.nifi_group,
             mode=0400)
    else:
        Logger.info('Ranger admin not installed')
def setup_ranger_atlas(upgrade_type=None):
    """Set up the Ranger plugin for Atlas when ``params.enable_ranger_atlas`` is set.

    Loads ``setup_ranger_plugin`` from the shared before-INSTALL hook scripts,
    optionally declares the HDFS audit directories and runs the plugin setup
    with database auditing switched off. When the plugin is disabled it only
    logs that.

    :param upgrade_type: accepted but not read anywhere in this function.
    """
    # NOTE(review): the page this was taken from had lost its line structure;
    # the nesting below is reconstructed - confirm against the original file.
    import params

    if params.enable_ranger_atlas:
        import sys, os

        # The helper module is imported from a directory computed at run time.
        # NOTE(review): that directory should be writable only by the account
        # running this script; anything placed there runs with its privileges.
        script_path = os.path.realpath(__file__).split('/services')[0] + '/hooks/before-INSTALL/scripts/ranger'
        sys.path.append(script_path)

        from setup_ranger_plugin_xml import setup_ranger_plugin

        # retry_enabled is passed on below, inverted, as
        # skip_if_rangeradmin_down.
        if params.retry_enabled:
            Logger.info("ATLAS: Setup ranger: command retry enables thus retrying if ranger admin is down !")
        else:
            Logger.info("ATLAS: Setup ranger: command retry not enabled thus skipping if ranger admin is down !")

        if params.enable_ranger_atlas and params.xa_audit_hdfs_is_enabled:
            if params.has_namenode:
                # NOTE(review): the shared /ranger/audit root is declared here
                # as owned by metadata_user:user_group, whereas the other
                # setup functions in this file declare it as hdfs_user; with
                # recursive_chmod=True the last service to run would decide
                # ownership and mode of the whole tree - confirm intent.
                params.HdfsResource("/ranger/audit",
                                    type="directory",
                                    action="create_on_execute",
                                    owner=params.metadata_user,
                                    group=params.user_group,
                                    mode=0755,
                                    recursive_chmod=True
                                    )
                # Atlas-private audit directory, 0700.
                params.HdfsResource("/ranger/audit/atlas",
                                    type="directory",
                                    action="create_on_execute",
                                    owner=params.metadata_user,
                                    group=params.user_group,
                                    mode=0700,
                                    recursive_chmod=True
                                    )
                # presumably runs the operations queued above - confirm
                params.HdfsResource(None, action="execute")

        # The first None fills the position where sibling setups pass
        # params.previous_jdbc_jar.
        setup_ranger_plugin('atlas-server', 'atlas', None,
                            params.downloaded_custom_connector,
                            params.driver_curl_source,
                            params.driver_curl_target,
                            params.java64_home,
                            params.repo_name,
                            params.atlas_ranger_plugin_repo,
                            params.ranger_env,
                            params.ranger_plugin_properties,
                            params.policy_user,
                            params.policymgr_mgr_url,
                            params.enable_ranger_atlas,
                            conf_dict=params.conf_dir,
                            component_user=params.metadata_user,
                            component_group=params.user_group,
                            cache_service_list=['atlas'],
                            plugin_audit_properties=params.config['configurations']['ranger-atlas-audit'],
                            plugin_audit_attributes=params.config['configuration_attributes']['ranger-atlas-audit'],
                            plugin_security_properties=params.config['configurations']['ranger-atlas-security'],
                            plugin_security_attributes=params.config['configuration_attributes']['ranger-atlas-security'],
                            plugin_policymgr_ssl_properties=params.config['configurations']['ranger-atlas-policymgr-ssl'],
                            plugin_policymgr_ssl_attributes=params.config['configuration_attributes']['ranger-atlas-policymgr-ssl'],
                            component_list=['atlas-server'],
                            # Database auditing is switched off, so no audit
                            # DB password is passed.
                            audit_db_is_enabled=False,
                            credential_file=params.credential_file,
                            xa_audit_db_password=None,
                            # Secrets are handed to the helper as plain arguments.
                            # NOTE(review): confirm setup_ranger_plugin never logs them.
                            ssl_truststore_password=params.ssl_truststore_password,
                            ssl_keystore_password=params.ssl_keystore_password,
                            api_version='v2',
                            skip_if_rangeradmin_down=not params.retry_enabled,
                            is_security_enabled=params.security_enabled,
                            is_stack_supports_ranger_kerberos=params.stack_supports_ranger_kerberos,
                            # Principal and keytab are only supplied on a secured cluster.
                            component_user_principal=params.atlas_jaas_principal if params.security_enabled else None,
                            component_user_keytab=params.atlas_keytab_path if params.security_enabled else None)
    else:
        Logger.info('Ranger Atlas plugin is not enabled')
def setup_ranger_kafka():
    """Set up the Ranger plugin for the Kafka broker when it is enabled.

    Steps, in order: queue the HDFS audit directories (best effort), register
    the plugin through ``setup_ranger_plugin``, install the Ranger environment
    script, and (on Kerberized stacks that support it) write ``core-site.xml``
    into the Kafka configuration directory.  Nothing is done when
    ``params.enable_ranger_kafka`` is false.

    NOTE(review): block nesting was reconstructed from a listing whose
    indentation was lost; every step is assumed to sit under the enable check.
    """
    import params

    if not params.enable_ranger_kafka:
        return

    Logger.info(
        "Kafka: Setup ranger: command retry enables thus retrying if ranger admin is down !"
        if params.retryAble else
        "Kafka: Setup ranger: command retry not enabled thus skipping if ranger admin is down !")

    if params.has_namenode and params.xa_audit_hdfs_is_enabled:
        # Best effort: a failure here is logged and plugin setup continues, so
        # the HDFS audit destination may be missing afterwards.  The logged
        # message below is the signal to alert on.
        try:
            # Shared parent is 0755 under the HDFS account; the Kafka audit
            # directory is 0700 under the Kafka account.
            for audit_dir, dir_owner, dir_mode in (
                    ("/ranger/audit", params.hdfs_user, 0o755),
                    ("/ranger/audit/kafka", params.kafka_user, 0o700)):
                params.HdfsResource(audit_dir,
                                    type="directory",
                                    action="create_on_execute",
                                    owner=dir_owner,
                                    group=dir_owner,
                                    mode=dir_mode,
                                    recursive_chmod=True)
            params.HdfsResource(None, action="execute")

            if not params.is_ranger_kms_ssl_enabled:
                Logger.info('Ranger KMS is not ssl enabled, skipping ssl-client for hdfs audits.')
            else:
                Logger.info('Ranger KMS is ssl enabled, configuring ssl-client for hdfs audits.')
                setup_configuration_file_for_required_plugins(
                    component_user=params.kafka_user,
                    component_group=params.user_group,
                    create_core_site_path=params.conf_dir,
                    configurations=params.config['configurations']['ssl-client'],
                    configuration_attributes=params.config['configurationAttributes']['ssl-client'],
                    file_name='ssl-client.xml')
        except Exception as err:
            Logger.exception("Audit directory creation in HDFS for KAFKA Ranger plugin failed with error:\n{0}".format(err))

    # Database and keystore/truststore passwords are handed over as plain
    # values; keep them out of any logging added around this call.
    # skip_if_rangeradmin_down is the inverse of retryAble.
    setup_ranger_plugin(
        'kafka-broker', 'kafka', None, None, None, None,
        params.java64_home,
        params.repo_name,
        params.kafka_ranger_plugin_repo,
        params.ranger_env,
        params.ranger_plugin_properties,
        params.policy_user,
        params.policymgr_mgr_url,
        params.enable_ranger_kafka,
        conf_dict=params.conf_dir,
        component_user=params.kafka_user,
        component_group=params.user_group,
        cache_service_list=['kafka'],
        plugin_audit_properties=params.ranger_kafka_audit,
        plugin_audit_attributes=params.ranger_kafka_audit_attrs,
        plugin_security_properties=params.ranger_kafka_security,
        plugin_security_attributes=params.ranger_kafka_security_attrs,
        plugin_policymgr_ssl_properties=params.ranger_kafka_policymgr_ssl,
        plugin_policymgr_ssl_attributes=params.ranger_kafka_policymgr_ssl_attrs,
        component_list=['kafka-broker'],
        audit_db_is_enabled=params.xa_audit_db_is_enabled,
        credential_file=params.credential_file,
        xa_audit_db_password=params.xa_audit_db_password,
        ssl_truststore_password=params.ssl_truststore_password,
        ssl_keystore_password=params.ssl_keystore_password,
        api_version='v2',
        skip_if_rangeradmin_down=not params.retryAble,
        is_security_enabled=params.kerberos_security_enabled,
        is_stack_supports_ranger_kerberos=params.stack_supports_ranger_kerberos,
        # Kerberos identity is only supplied on secured clusters.
        component_user_principal=params.kafka_jaas_principal if params.kerberos_security_enabled else None,
        component_user_keytab=params.kafka_keytab_path if params.kerberos_security_enabled else None)

    # The plugin is known to be enabled here, so the environment script is
    # always installed.  The copy runs under sudo as an argv tuple; the not_if
    # guard is a formatted shell string, so the target path is assumed to be a
    # trusted value from params.
    copy_env_script = ('cp', '--remove-destination',
                       params.setup_ranger_env_sh_source,
                       params.setup_ranger_env_sh_target)
    Execute(copy_env_script,
            not_if=format("test -f {setup_ranger_env_sh_target}"),
            sudo=True)
    File(params.setup_ranger_env_sh_target,
         owner=params.kafka_user,
         group=params.user_group,
         mode=0o755)

    if not (params.stack_supports_core_site_for_ranger_plugin and params.kerberos_security_enabled):
        Logger.info("Stack does not support core-site.xml creation for Ranger plugin, skipping core-site.xml configurations")
        return

    # sometimes this is a link for missing directory, just remove link/file and create regular file.
    Execute(('rm', '-f', os.path.join(params.conf_dir, "core-site.xml")), sudo=True)

    if params.has_namenode:
        Logger.info("Stack supports core-site.xml creation for Ranger plugin and Namenode is installed, creating create core-site.xml from namenode configurations")
        setup_configuration_file_for_required_plugins(
            component_user=params.kafka_user,
            component_group=params.user_group,
            create_core_site_path=params.conf_dir,
            configurations=params.config['configurations']['core-site'],
            configuration_attributes=params.config['configurationAttributes']['core-site'],
            file_name='core-site.xml',
            xml_include_file=params.mount_table_xml_inclusion_file_full_path,
            xml_include_file_content=params.mount_table_content)
    else:
        Logger.info("Stack supports core-site.xml creation for Ranger plugin and Namenode is not installed, creating create core-site.xml from default configurations")
        # This branch is only reached with Kerberos enabled, so the expression
        # below evaluates to 'kerberos'.
        setup_configuration_file_for_required_plugins(
            component_user=params.kafka_user,
            component_group=params.user_group,
            create_core_site_path=params.conf_dir,
            configurations={
                'hadoop.security.authentication': 'kerberos' if params.kerberos_security_enabled else 'simple'
            },
            configuration_attributes={},
            file_name='core-site.xml')
def setup_ranger_atlas(upgrade_type=None):
    """Set up the Ranger plugin for Atlas when ``params.enable_ranger_atlas`` is set.

    Queues the HDFS audit directories and, if Ranger KMS uses SSL, writes
    ``ssl-client.xml`` (both best effort), then delegates to
    ``setup_ranger_plugin``.  Nothing is done when the plugin is disabled.

    :param upgrade_type: accepted for interface compatibility; not read here.
    """
    import params

    if not params.enable_ranger_atlas:
        return

    Logger.info(
        "ATLAS: Setup ranger: command retry enables thus retrying if ranger admin is down !"
        if params.retry_enabled else
        "ATLAS: Setup ranger: command retry not enabled thus skipping if ranger admin is down !")

    if params.has_namenode and params.xa_audit_hdfs_is_enabled:
        # Best effort: a failure here is logged and plugin setup continues, so
        # the HDFS audit destination may be missing afterwards.  The logged
        # message below is the signal to alert on.
        try:
            # Parent is 0755, the Atlas audit directory 0700.
            # NOTE(review): the shared parent /ranger/audit is requested with
            # the Atlas service account as owner -- confirm that is intended
            # if other plugins manage the same directory.
            for audit_dir, dir_mode in (("/ranger/audit", 0o755),
                                        ("/ranger/audit/atlas", 0o700)):
                params.HdfsResource(audit_dir,
                                    type="directory",
                                    action="create_on_execute",
                                    owner=params.metadata_user,
                                    group=params.user_group,
                                    mode=dir_mode,
                                    recursive_chmod=True)
            params.HdfsResource(None, action="execute")

            if not params.is_ranger_kms_ssl_enabled:
                Logger.info('Ranger KMS is not ssl enabled, skipping ssl-client for hdfs audits.')
            else:
                Logger.info('Ranger KMS is ssl enabled, configuring ssl-client for hdfs audits.')
                setup_configuration_file_for_required_plugins(
                    component_user=params.metadata_user,
                    component_group=params.user_group,
                    create_core_site_path=params.conf_dir,
                    configurations=params.config['configurations']['ssl-client'],
                    configuration_attributes=params.config['configurationAttributes']['ssl-client'],
                    file_name='ssl-client.xml')
        except Exception as err:
            Logger.exception("Audit directory creation in HDFS for ATLAS Ranger plugin failed with error:\n{0}".format(err))

    site_configs = params.config['configurations']
    site_attrs = params.config['configurationAttributes']

    # Truststore/keystore passwords are handed over as plain values; keep them
    # out of any logging added around this call.
    # skip_if_rangeradmin_down is the inverse of retry_enabled.
    setup_ranger_plugin(
        'atlas-server', 'atlas', None,
        params.downloaded_custom_connector,
        params.driver_curl_source,
        params.driver_curl_target,
        params.java64_home,
        params.repo_name,
        params.atlas_ranger_plugin_repo,
        params.ranger_env,
        params.ranger_plugin_properties,
        params.policy_user,
        params.policymgr_mgr_url,
        params.enable_ranger_atlas,
        conf_dict=params.conf_dir,
        component_user=params.metadata_user,
        component_group=params.user_group,
        cache_service_list=['atlas'],
        plugin_audit_properties=site_configs['ranger-atlas-audit'],
        plugin_audit_attributes=site_attrs['ranger-atlas-audit'],
        plugin_security_properties=site_configs['ranger-atlas-security'],
        plugin_security_attributes=site_attrs['ranger-atlas-security'],
        plugin_policymgr_ssl_properties=site_configs['ranger-atlas-policymgr-ssl'],
        plugin_policymgr_ssl_attributes=site_attrs['ranger-atlas-policymgr-ssl'],
        component_list=['atlas-server'],
        audit_db_is_enabled=False,
        credential_file=params.credential_file,
        xa_audit_db_password=None,
        ssl_truststore_password=params.ssl_truststore_password,
        ssl_keystore_password=params.ssl_keystore_password,
        api_version='v2',
        skip_if_rangeradmin_down=not params.retry_enabled,
        is_security_enabled=params.security_enabled,
        is_stack_supports_ranger_kerberos=params.stack_supports_ranger_kerberos,
        # Kerberos identity is only supplied on secured clusters.
        component_user_principal=params.atlas_jaas_principal if params.security_enabled else None,
        component_user_keytab=params.atlas_keytab_path if params.security_enabled else None)
def setup_ranger_hdfs(upgrade_type=None):
    """Set up the Ranger plugin for HDFS when ``params.enable_ranger_hdfs`` is set.

    Chooses the XML-based or the legacy plugin helper depending on
    ``params.xml_configurations_supported``, calls it, and on a stack upgrade
    renames ``set-hdfs-plugin-env.sh`` out of the way when the target stack has
    the corresponding feature.  When the plugin is disabled, only an
    informational message is logged.

    :param upgrade_type: when not ``None``, ``params.version`` is passed to the
        helper as the stack version override and the upgrade cleanup may run.
    """
    import params

    if not params.enable_ranger_hdfs:
        Logger.info('Ranger Hdfs plugin is not enabled')
        return

    stack_version = params.version if upgrade_type is not None else None

    Logger.info(
        "HDFS: Setup ranger: command retry enables thus retrying if ranger admin is down !"
        if params.retryAble else
        "HDFS: Setup ranger: command retry not enabled thus skipping if ranger admin is down !")

    import os
    import sys

    # Helper modules are loaded from the stack's before-INSTALL hook directory,
    # located relative to this file.  The directory is appended, so a module of
    # the same name earlier on sys.path takes precedence; both locations should
    # be writable only by the account that deploys the stack.
    ranger_scripts_dir = (os.path.realpath(__file__).split('/services')[0]
                          + '/hooks/before-INSTALL/scripts/ranger')
    sys.path.append(ranger_scripts_dir)

    use_xml_helper = params.xml_configurations_supported
    if use_xml_helper:
        from setup_ranger_plugin_xml import setup_ranger_plugin
    else:
        from setup_ranger_plugin import setup_ranger_plugin

    site_configs = params.config['configurations']
    site_attrs = params.config['configuration_attributes']

    # Arguments shared by both helper variants.
    plugin_args = (
        'hadoop', 'hdfs',
        params.previous_jdbc_jar,
        params.downloaded_custom_connector,
        params.driver_curl_source,
        params.driver_curl_target,
        params.java_home,
        params.repo_name,
        params.hdfs_ranger_plugin_repo,
        params.ranger_env,
        params.ranger_plugin_properties,
        params.policy_user,
        params.policymgr_mgr_url,
        params.enable_ranger_hdfs,
    )
    # Database and keystore/truststore passwords are carried as plain values;
    # keep this dict out of any logging.
    plugin_kwargs = dict(
        conf_dict=params.hadoop_conf_dir,
        component_user=params.hdfs_user,
        component_group=params.user_group,
        cache_service_list=['hdfs'],
        plugin_audit_properties=site_configs['ranger-hdfs-audit'],
        plugin_audit_attributes=site_attrs['ranger-hdfs-audit'],
        plugin_security_properties=site_configs['ranger-hdfs-security'],
        plugin_security_attributes=site_attrs['ranger-hdfs-security'],
        plugin_policymgr_ssl_properties=site_configs['ranger-hdfs-policymgr-ssl'],
        plugin_policymgr_ssl_attributes=site_attrs['ranger-hdfs-policymgr-ssl'],
        component_list=['hadoop-client'],
        audit_db_is_enabled=params.xa_audit_db_is_enabled,
        credential_file=params.credential_file,
        xa_audit_db_password=params.xa_audit_db_password,
        ssl_truststore_password=params.ssl_truststore_password,
        ssl_keystore_password=params.ssl_keystore_password,
        stack_version_override=stack_version,
        skip_if_rangeradmin_down=not params.retryAble,
    )

    if use_xml_helper:
        # Only the XML helper receives the API version and Kerberos settings;
        # the NameNode principal/keytab are supplied on secured clusters only.
        plugin_kwargs.update(
            api_version='v2' if params.stack_supports_ranger_kerberos else None,
            is_security_enabled=params.security_enabled,
            is_stack_supports_ranger_kerberos=params.stack_supports_ranger_kerberos,
            component_user_principal=params.nn_principal_name if params.security_enabled else None,
            component_user_keytab=params.nn_keytab if params.security_enabled else None)

    setup_ranger_plugin(*plugin_args, **plugin_kwargs)

    if stack_version and params.upgrade_direction == Direction.UPGRADE:
        # when upgrading to stack remove_ranger_hdfs_plugin_env, this env file must be removed
        if check_stack_feature(StackFeature.REMOVE_RANGER_HDFS_PLUGIN_ENV, stack_version):
            # The local must keep the name `source_file`: the only_if string
            # names it as a placeholder (presumably resolved by format() from
            # this scope -- confirm).  The move runs under sudo as an argv
            # tuple; the guard is a shell string built from a params path.
            source_file = os.path.join(params.hadoop_conf_dir, 'set-hdfs-plugin-env.sh')
            target_file = source_file + ".bak"
            Execute(("mv", source_file, target_file),
                    sudo=True,
                    only_if=format("test -f {source_file}"))
def setup_ranger_hive_interactive(upgrade_type=None):
    """Set up the Ranger plugin for Hive Server Interactive when Ranger Hive is enabled.

    Queues the HDFS audit directories (when XML configurations are supported
    and HDFS auditing is enabled) and delegates to ``setup_ranger_plugin``.
    When the plugin is disabled, only an informational message is logged.

    :param upgrade_type: when not ``None``, ``params.version`` is passed to the
        helper as the stack version override.
    """
    import params

    if not params.enable_ranger_hive:
        Logger.info('Ranger Hive plugin is not enabled')
        return

    stack_version = params.version if upgrade_type is not None else None

    Logger.info(
        "Hive2: Setup ranger: command retry enabled thus retrying if ranger admin is down !"
        if params.retryAble else
        "Hive2: Setup ranger: command retry not enabled thus skipping if ranger admin is down !")

    if params.xml_configurations_supported and params.xa_audit_hdfs_is_enabled:
        # Shared parent is 0755 under the HDFS account; the Hive2 audit
        # directory is 0700 under the Hive account.  Errors raised here are not
        # caught, so a failure aborts the setup before the plugin call.
        for audit_dir, dir_owner, dir_mode in (
                ("/ranger/audit", params.hdfs_user, 0o755),
                ("/ranger/audit/hive2", params.hive_user, 0o700)):
            params.HdfsResource(audit_dir,
                                type="directory",
                                action="create_on_execute",
                                owner=dir_owner,
                                group=dir_owner,
                                mode=dir_mode,
                                recursive_chmod=True)
        params.HdfsResource(None, action="execute")

    import os
    import sys

    # The helper module is loaded from the stack's before-INSTALL hook
    # directory, located relative to this file.  The directory is appended, so
    # a module of the same name earlier on sys.path takes precedence; both
    # locations should be writable only by the account that deploys the stack.
    ranger_scripts_dir = (os.path.realpath(__file__).split('/services')[0]
                          + '/hooks/before-INSTALL/scripts/ranger')
    sys.path.append(ranger_scripts_dir)

    from setup_ranger_plugin_xml import setup_ranger_plugin

    site_configs = params.config['configurations']
    site_attrs = params.config['configuration_attributes']

    # Truststore/keystore passwords are handed over as plain values; keep them
    # out of any logging added around this call.
    # skip_if_rangeradmin_down is the inverse of retryAble.
    setup_ranger_plugin(
        'hive-server2-hive2', 'hive',
        params.ranger_previous_jdbc_jar,
        params.ranger_downloaded_custom_connector,
        params.ranger_driver_curl_source,
        params.ranger_driver_curl_target,
        params.java64_home,
        params.repo_name,
        params.hive_ranger_plugin_repo,
        params.ranger_env,
        params.ranger_plugin_properties,
        params.policy_user,
        params.policymgr_mgr_url,
        params.enable_ranger_hive,
        conf_dict=params.hive_server_interactive_conf_dir,
        component_user=params.hive_user,
        component_group=params.user_group,
        cache_service_list=['hive-server2-hive2'],
        plugin_audit_properties=site_configs['ranger-hive-audit'],
        plugin_audit_attributes=site_attrs['ranger-hive-audit'],
        plugin_security_properties=site_configs['ranger-hive-security'],
        plugin_security_attributes=site_attrs['ranger-hive-security'],
        plugin_policymgr_ssl_properties=site_configs['ranger-hive-policymgr-ssl'],
        plugin_policymgr_ssl_attributes=site_attrs['ranger-hive-policymgr-ssl'],
        component_list=['hive-client', 'hive-metastore', 'hive-server2', 'hive-server2-hive2'],
        audit_db_is_enabled=False,
        credential_file=params.credential_file,
        xa_audit_db_password=None,
        ssl_truststore_password=params.ssl_truststore_password,
        ssl_keystore_password=params.ssl_keystore_password,
        stack_version_override=stack_version,
        skip_if_rangeradmin_down=not params.retryAble,
        api_version='v2',
        is_security_enabled=params.security_enabled,
        is_stack_supports_ranger_kerberos=params.stack_supports_ranger_kerberos,
        # Kerberos identity is only supplied on secured clusters.
        component_user_principal=params.hive_principal if params.security_enabled else None,
        component_user_keytab=params.hive_server2_keytab if params.security_enabled else None)
def setup_ranger_hbase(upgrade_type=None, service_name="hbase-master"):
    """Set up the Ranger plugin for HBase when ``params.enable_ranger_hbase`` is set.

    Queues the HDFS audit directories (best effort, and only when called for
    the ``hbase-master`` service with HDFS auditing enabled) and then delegates
    to ``setup_ranger_plugin``.  Nothing is done when the plugin is disabled.

    :param upgrade_type: accepted for interface compatibility; not read here.
    :param service_name: audit directories are only created when this equals
        ``'hbase-master'``.
    """
    import params

    if not params.enable_ranger_hbase:
        return

    Logger.info(
        "HBase: Setup ranger: command retry enables thus retrying if ranger admin is down !"
        if params.retryAble else
        "HBase: Setup ranger: command retry not enabled thus skipping if ranger admin is down !")

    if params.xa_audit_hdfs_is_enabled and service_name == 'hbase-master':
        # Best effort: a failure here is logged and plugin setup continues, so
        # the HDFS audit destination may be missing afterwards.  The logged
        # message below is the signal to alert on.
        try:
            # Shared parent is 0755 under the HDFS account; the master and
            # region-server audit directories are 0700 under the HBase account.
            for audit_dir, dir_owner, dir_mode in (
                    ("/ranger/audit", params.hdfs_user, 0o755),
                    ("/ranger/audit/hbaseMaster", params.hbase_user, 0o700),
                    ("/ranger/audit/hbaseRegional", params.hbase_user, 0o700)):
                params.HdfsResource(audit_dir,
                                    type="directory",
                                    action="create_on_execute",
                                    owner=dir_owner,
                                    group=dir_owner,
                                    mode=dir_mode,
                                    recursive_chmod=True)
            params.HdfsResource(None, action="execute")
        except Exception as err:
            Logger.exception("Audit directory creation in HDFS for HBASE Ranger plugin failed with error:\n{0}".format(err))

    site_configs = params.config['configurations']
    site_attrs = params.config['configurationAttributes']

    # Truststore/keystore passwords are handed over as plain values; keep them
    # out of any logging added around this call.
    # skip_if_rangeradmin_down is the inverse of retryAble.
    setup_ranger_plugin(
        'hbase-client', 'hbase', None, None, None, None,
        params.java64_home,
        params.repo_name,
        params.hbase_ranger_plugin_repo,
        params.ranger_env,
        params.ranger_plugin_properties,
        params.policy_user,
        params.policymgr_mgr_url,
        params.enable_ranger_hbase,
        conf_dict=params.hbase_conf_dir,
        component_user=params.hbase_user,
        component_group=params.user_group,
        cache_service_list=['hbaseMaster', 'hbaseRegional'],
        plugin_audit_properties=site_configs['ranger-hbase-audit'],
        plugin_audit_attributes=site_attrs['ranger-hbase-audit'],
        plugin_security_properties=site_configs['ranger-hbase-security'],
        plugin_security_attributes=site_attrs['ranger-hbase-security'],
        plugin_policymgr_ssl_properties=site_configs['ranger-hbase-policymgr-ssl'],
        plugin_policymgr_ssl_attributes=site_attrs['ranger-hbase-policymgr-ssl'],
        component_list=['hbase-client', 'hbase-master', 'hbase-regionserver'],
        audit_db_is_enabled=False,
        credential_file=params.credential_file,
        xa_audit_db_password=None,
        ssl_truststore_password=params.ssl_truststore_password,
        ssl_keystore_password=params.ssl_keystore_password,
        skip_if_rangeradmin_down=not params.retryAble,
        api_version='v2',
        is_security_enabled=params.security_enabled,
        # NOTE(review): the stack-support flag becomes None (not False) on an
        # unsecured cluster -- confirm the helper treats None as "unsupported".
        is_stack_supports_ranger_kerberos=params.stack_supports_ranger_kerberos if params.security_enabled else None,
        # Kerberos identity is only supplied on secured clusters.
        component_user_principal=params.ranger_hbase_principal if params.security_enabled else None,
        component_user_keytab=params.ranger_hbase_keytab if params.security_enabled else None)
def setup_ranger_knox(upgrade_type=None):
    """Set up the Ranger plugin for Knox when ``params.enable_ranger_knox`` is set.

    Steps, in order: with HDFS auditing enabled and a NameNode present, queue
    the audit directories (best effort) and write or delete Knox's
    ``hdfs-site.xml`` depending on whether more than one NameNode host is
    configured; register the plugin through ``setup_ranger_plugin``; and (on
    secured stacks that support it) write ``core-site.xml`` into the Knox
    configuration directory.  Nothing is done when the plugin is disabled.

    NOTE(review): block nesting was reconstructed from a listing whose
    indentation was lost.  The hdfs-site.xml write/delete is assumed to sit
    under the NameNode check, with the delete paired to the HA test -- confirm
    against the original file before relying on it.

    :param upgrade_type: accepted for interface compatibility; not read here.
    """
    import params

    if not params.enable_ranger_knox:
        return

    Logger.info(
        "Knox: Setup ranger: command retry enables thus retrying if ranger admin is down !"
        if params.retryAble else
        "Knox: Setup ranger: command retry not enabled thus skipping if ranger admin is down !")

    site_configs = params.config['configurations']
    site_attrs = params.config['configurationAttributes']

    if params.xa_audit_hdfs_is_enabled and params.has_namenode:
        # Best effort: a failure here is logged and plugin setup continues, so
        # the HDFS audit destination may be missing afterwards.  The logged
        # message below is the signal to alert on.
        try:
            # Shared parent is 0755 under the HDFS account; the Knox audit
            # directory is 0700 under the Knox account.
            for audit_dir, dir_owner, dir_mode in (
                    ("/ranger/audit", params.hdfs_user, 0o755),
                    ("/ranger/audit/knox", params.knox_user, 0o700)):
                params.HdfsResource(audit_dir,
                                    type="directory",
                                    action="create_on_execute",
                                    owner=dir_owner,
                                    group=dir_owner,
                                    mode=dir_mode,
                                    recursive_chmod=True)
            params.HdfsResource(None, action="execute")
        except Exception as err:
            Logger.exception("Audit directory creation in HDFS for KNOX Ranger plugin failed with error:\n{0}".format(err))

        namenode_ha = params.namenode_hosts is not None and len(params.namenode_hosts) > 1
        if namenode_ha:
            Logger.info('Ranger Knox plugin is enabled in NameNode HA environment along with audit to Hdfs enabled, creating hdfs-site.xml')
            # Written world-readable (0644) and owned by the Knox account.
            XmlConfig("hdfs-site.xml",
                      conf_dir=params.knox_conf_dir,
                      configurations=site_configs['hdfs-site'],
                      configuration_attributes=site_attrs['hdfs-site'],
                      owner=params.knox_user,
                      group=params.knox_group,
                      mode=0o644)
        else:
            File(format('{knox_conf_dir}/hdfs-site.xml'), action="delete")

    # Database and keystore/truststore passwords are handed over as plain
    # values; keep them out of any logging added around this call.
    # skip_if_rangeradmin_down is the inverse of retryAble.
    setup_ranger_plugin(
        'knox-server', 'knox', None, None, None, None,
        params.java_home,
        params.repo_name,
        params.knox_ranger_plugin_repo,
        params.ranger_env,
        params.ranger_plugin_properties,
        params.policy_user,
        params.policymgr_mgr_url,
        params.enable_ranger_knox,
        conf_dict=params.knox_conf_dir,
        component_user=params.knox_user,
        component_group=params.knox_group,
        cache_service_list=['knox'],
        plugin_audit_properties=site_configs['ranger-knox-audit'],
        plugin_audit_attributes=site_attrs['ranger-knox-audit'],
        plugin_security_properties=site_configs['ranger-knox-security'],
        plugin_security_attributes=site_attrs['ranger-knox-security'],
        plugin_policymgr_ssl_properties=site_configs['ranger-knox-policymgr-ssl'],
        plugin_policymgr_ssl_attributes=site_attrs['ranger-knox-policymgr-ssl'],
        component_list=['knox-server'],
        audit_db_is_enabled=params.xa_audit_db_is_enabled,
        credential_file=params.credential_file,
        xa_audit_db_password=params.xa_audit_db_password,
        ssl_truststore_password=params.ssl_truststore_password,
        ssl_keystore_password=params.ssl_keystore_password,
        skip_if_rangeradmin_down=not params.retryAble,
        api_version='v2',
        is_security_enabled=params.security_enabled,
        is_stack_supports_ranger_kerberos=params.stack_supports_ranger_kerberos,
        # Kerberos identity is only supplied on secured clusters.
        component_user_principal=params.knox_principal_name if params.security_enabled else None,
        component_user_keytab=params.knox_keytab_path if params.security_enabled else None)

    if not (params.stack_supports_core_site_for_ranger_plugin and params.security_enabled):
        Logger.info("Stack does not support core-site.xml creation for Ranger plugin, skipping core-site.xml configurations")
        return

    if params.has_namenode:
        Logger.info("Stack supports core-site.xml creation for Ranger plugin and Namenode is installed, creating create core-site.xml from namenode configurations")
        setup_configuration_file_for_required_plugins(
            component_user=params.knox_user,
            component_group=params.knox_group,
            create_core_site_path=params.knox_conf_dir,
            configurations=site_configs['core-site'],
            configuration_attributes=site_attrs['core-site'],
            file_name='core-site.xml',
            xml_include_file=params.mount_table_xml_inclusion_file_full_path,
            xml_include_file_content=params.mount_table_content)
    else:
        Logger.info("Stack supports core-site.xml creation for Ranger plugin and Namenode is not installed, creating create core-site.xml from default configurations")
        # This branch is only reached with security enabled, so the expression
        # below evaluates to 'kerberos'.
        setup_configuration_file_for_required_plugins(
            component_user=params.knox_user,
            component_group=params.knox_group,
            create_core_site_path=params.knox_conf_dir,
            configurations={
                'hadoop.security.authentication': 'kerberos' if params.security_enabled else 'simple'
            },
            configuration_attributes={},
            file_name='core-site.xml')