1 #!/usr/bin/env python
2 """
3 Licensed to the Apache Software Foundation (ASF) under one
4 or more contributor license agreements. See the NOTICE file
5 distributed with this work for additional information
6 regarding copyright ownership. The ASF licenses this file
7 to you under the Apache License, Version 2.0 (the
8 "License"); you may not use this file except in compliance
9 with the License. You may obtain a copy of the License at
10
11 http://www.apache.org/licenses/LICENSE-2.0
12
13 Unless required by applicable law or agreed to in writing, software
14 distributed under the License is distributed on an "AS IS" BASIS,
15 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 See the License for the specific language governing permissions and
17 limitations under the License.
18
19 """
20 import os
21 import re
22 from resource_management.libraries.script import Script
23 from resource_management.libraries.functions.default import default
24 from resource_management.core.logger import Logger
25 from resource_management.core.resources.system import File, Directory, Execute, Link
26 from resource_management.core.source import DownloadSource, InlineTemplate, Template
27 from resource_management.libraries.resources.xml_config import XmlConfig
28 from resource_management.libraries.resources.modify_properties_file import ModifyPropertiesFile
29 from resource_management.libraries.resources.properties_file import PropertiesFile
30 from resource_management.core.exceptions import Fail
31 from resource_management.libraries.functions.decorator import retry
32 from resource_management.libraries.functions.format import format
33 from resource_management.libraries.functions.is_empty import is_empty
34 from resource_management.core.utils import PasswordString
35 from resource_management.core.shell import as_sudo
36 from resource_management.libraries.functions import solr_cloud_util
37 from ambari_commons.constants import UPGRADE_TYPE_NON_ROLLING, UPGRADE_TYPE_ROLLING
38 from resource_management.core.exceptions import ExecutionFailed
39
# This file contains the functions used to set up and configure Ranger Admin and Ranger Usersync.
# The design mimics what the setup.sh script bundled with the Ranger component currently does.
42
def ranger(name=None, upgrade_type=None):
  """
  Dispatch the setup of one Ranger component.

  parameter name: name of ranger service component; one of 'ranger_admin',
    'ranger_usersync' or 'ranger_tagsync'. Any other value is a no-op.
  parameter upgrade_type: handed through unchanged to the component's setup.
  """
  component_setups = (
    ('ranger_admin', setup_ranger_admin),
    ('ranger_usersync', setup_usersync),
    ('ranger_tagsync', setup_tagsync),
  )
  for component, setup_fn in component_setups:
    if name == component:
      setup_fn(upgrade_type=upgrade_type)
55
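def _copy_admin_conf_dist_file(ranger_home, filename):
  """
  Re-seed one Ranger Admin config file from the shipped conf.dist copy.

  Copies <ranger_home>/ews/webapp/WEB-INF/classes/conf.dist/<filename> over
  <ranger_home>/conf/<filename> (cp -f) via sudo, since the target tree may
  not be owned by the service user yet at the point this is called.

  parameter ranger_home: ranger-admin installation root.
  parameter filename: bare file name inside conf.dist / conf.
  """
  # Plain path joins rather than format(): this helper has its own frame, so
  # format() could not see the caller's locals anyway.
  src_file = os.path.join(ranger_home, 'ews', 'webapp', 'WEB-INF', 'classes', 'conf.dist', filename)
  dst_file = os.path.join(ranger_home, 'conf', filename)
  Execute(('cp', '-f', src_file, dst_file), sudo=True)


def _setup_admin_pam_files():
  """
  Create the ranger-admin and ranger-remote PAM service files under
  /etc/pam.d when they are missing; existing files are left untouched so
  local edits survive re-runs. Logs an error and does nothing when
  /etc/pam.d does not exist.
  """
  import params

  d = '/etc/pam.d'
  if not os.path.isdir(d):
    Logger.error("Unable to use PAM authentication, /etc/pam.d/ directory does not exist.")
    return

  for pam_service, template_name in (('ranger-admin', 'ranger_admin_pam.j2'),
                                     ('ranger-remote', 'ranger_remote_pam.j2')):
    if os.path.isfile(os.path.join(d, pam_service)):
      Logger.info('{0} PAM file already exists.'.format(pam_service))
      continue
    # NOTE(review): the PAM service file is owned by the Ranger service
    # account rather than root, so whoever controls that account can change
    # the PAM stack used for these services. Confirm this is intended.
    File(os.path.join(d, pam_service),
         content=Template(template_name),
         owner=params.unix_user,
         group=params.unix_group,
         mode=0o644
    )


def setup_ranger_admin(upgrade_type=None):
  """
  Lay down the Ranger Admin installation: config directory, JDBC driver and
  DB connectivity probe, conf symlink and default config files, PID/log
  directories and env scripts, /usr/bin/ranger-admin launcher link, optional
  PAM files, ranger-admin-site.xml with password properties masked, the JAAS
  directory, log4j, the JCEKS credential store, core-site.xml and (when
  kerberized with HA plugins) hbase-site.xml / hdfs-site.xml.

  parameter upgrade_type: upgrade marker; when None it is read from
    /commandParams/upgrade_type. When not None the conf.dist defaults are
    re-copied unconditionally and the launcher link is recreated.
  """
  import params

  if upgrade_type is None:
    upgrade_type = Script.get_upgrade_type(default("/commandParams/upgrade_type", ""))

  # Both locals are resolved by format() from this frame; keep their names.
  ranger_home = params.ranger_home
  ranger_conf = params.ranger_conf

  Directory(ranger_conf,
            owner=params.unix_user,
            group=params.unix_group,
            create_parents=True
  )

  copy_jdbc_connector()

  File(format("/usr/lib/ambari-agent/{check_db_connection_jar_name}"),
       content=DownloadSource(format("{jdk_location}{check_db_connection_jar_name}")),
       mode=0o644,
  )

  # Classpath for the DB connectivity probe; 'cp' is read by format() below.
  cp = format("{check_db_connection_jar}")
  if params.db_flavor.lower() == 'sqla':
    cp = cp + os.pathsep + format("{ranger_home}/ews/lib/sajdbc4.jar")
  else:
    cp = cp + os.pathsep + format("{driver_curl_target}")
  cp = cp + os.pathsep + format("{ranger_home}/ews/lib/*")

  # The '!p' conversion marks the DB password as protected (presumably masked
  # in the logged command line); it is still an argv element of the java
  # process started below.
  db_connection_check_command = format(
    "{java_home}/bin/java -cp {cp} org.apache.ambari.server.DBConnectionVerification '{ranger_jdbc_connection_url}' {ranger_db_user} {ranger_db_password!p} {ranger_jdbc_driver}")

  env_dict = {}
  if params.db_flavor.lower() == 'sqla':
    # the SQL Anywhere driver needs its native libs on the loader path
    env_dict = {'LD_LIBRARY_PATH': params.ld_lib_path}

  Execute(db_connection_check_command, path='/usr/sbin:/sbin:/usr/local/bin:/bin:/usr/bin', tries=5, try_sleep=10, environment=env_dict)

  # {ranger_home}/conf -> webapp conf, only when the link is missing
  Execute(('ln', '-sf', format('{ranger_home}/ews/webapp/WEB-INF/classes/conf'), format('{ranger_home}/conf')),
          not_if=format("ls {ranger_home}/conf"),
          only_if=format("ls {ranger_home}/ews/webapp/WEB-INF/classes/conf"),
          sudo=True)

  if upgrade_type is not None:
    # On upgrade always re-seed the shipped defaults; ownership is fixed below.
    _copy_admin_conf_dist_file(ranger_home, 'ranger-admin-default-site.xml')
    _copy_admin_conf_dist_file(ranger_home, 'security-applicationContext.xml')

  Directory(format('{ranger_home}/'),
            owner=params.unix_user,
            group=params.unix_group,
            recursive_ownership=True,
  )

  Directory(params.ranger_pid_dir,
            mode=0o755,
            owner=params.unix_user,
            group=params.user_group,
            cd_access="a",
            create_parents=True
  )

  if params.stack_supports_pid:
    File(format('{ranger_conf}/ranger-admin-env-piddir.sh'),
         content=format("export RANGER_PID_DIR_PATH={ranger_pid_dir}\nexport RANGER_USER={unix_user}"),
         owner=params.unix_user,
         group=params.unix_group,
         mode=0o755
    )

  Directory(params.admin_log_dir,
            owner=params.unix_user,
            group=params.unix_group,
            create_parents=True,
            cd_access='a',
            mode=0o755
  )

  File(format('{ranger_conf}/ranger-admin-env-logdir.sh'),
       content=format("export RANGER_ADMIN_LOG_DIR={admin_log_dir}"),
       owner=params.unix_user,
       group=params.unix_group,
       mode=0o755
  )

  # Make sure both default config files exist and belong to the service user;
  # a missing one is restored from conf.dist first.
  for default_file, dist_name in ((params.ranger_admin_default_file, 'ranger-admin-default-site.xml'),
                                  (params.security_app_context_file, 'security-applicationContext.xml')):
    if not os.path.isfile(default_file):
      Logger.warning('Required file {0} does not exist, copying the file to {1} path'.format(default_file, ranger_conf))
      _copy_admin_conf_dist_file(ranger_home, dist_name)
    File(default_file, owner=params.unix_user, group=params.unix_group)

  if upgrade_type is not None and params.stack_supports_config_versioning:
    # replace a launcher link that may still point at the previous stack version
    if os.path.islink('/usr/bin/ranger-admin'):
      Link('/usr/bin/ranger-admin', action="delete")

    Link('/usr/bin/ranger-admin',
         to=format('{ranger_home}/ews/ranger-admin-services.sh'))

  if default("/configurations/ranger-admin-site/ranger.authentication.method", "") == 'PAM':
    _setup_admin_pam_files()

  Execute(('ln', '-sf', format('{ranger_home}/ews/ranger-admin-services.sh'), '/usr/bin/ranger-admin'),
          not_if=format("ls /usr/bin/ranger-admin"),
          only_if=format("ls {ranger_home}/ews/ranger-admin-services.sh"),
          sudo=True)

  # Mask the password properties before they are rendered into the on-disk
  # XML; the real secrets are written to the JCEKS credential provider by
  # do_keystore_setup() further down.
  ranger_admin_site_copy = dict(params.config['configurations']['ranger-admin-site'])
  for prop in params.ranger_admin_password_properties:
    if prop in ranger_admin_site_copy:
      ranger_admin_site_copy[prop] = "_"

  XmlConfig("ranger-admin-site.xml",
            conf_dir=ranger_conf,
            configurations=ranger_admin_site_copy,
            configuration_attributes=params.config['configuration_attributes']['ranger-admin-site'],
            owner=params.unix_user,
            group=params.unix_group,
            mode=0o644)

  # JAAS material is private to the service user
  Directory(os.path.join(ranger_conf, 'ranger_jaas'),
            mode=0o700,
            owner=params.unix_user,
            group=params.unix_group,
  )

  if params.stack_supports_ranger_log4j:
    File(format('{ranger_home}/ews/webapp/WEB-INF/log4j.properties'),
         owner=params.unix_user,
         group=params.unix_group,
         content=InlineTemplate(params.admin_log4j),
         mode=0o644
    )

  do_keystore_setup(upgrade_type=upgrade_type)

  create_core_site_xml(ranger_conf)

  if params.stack_supports_ranger_kerberos and params.security_enabled:
    # Client-side site files for HA-enabled plugins; presumably needed so
    # the nameservice / quorum settings resolve - confirm against the plugins.
    if params.is_hbase_ha_enabled and params.ranger_hbase_plugin_enabled:
      XmlConfig("hbase-site.xml",
                conf_dir=ranger_conf,
                configurations=params.config['configurations']['hbase-site'],
                configuration_attributes=params.config['configuration_attributes']['hbase-site'],
                owner=params.unix_user,
                group=params.unix_group,
                mode=0o644
      )

    if params.is_namenode_ha_enabled and params.ranger_hdfs_plugin_enabled:
      XmlConfig("hdfs-site.xml",
                conf_dir=ranger_conf,
                configurations=params.config['configurations']['hdfs-site'],
                configuration_attributes=params.config['configuration_attributes']['hdfs-site'],
                owner=params.unix_user,
                group=params.unix_group,
                mode=0o644
      )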
254
def setup_ranger_db(stack_version=None):
  """
  Run the Ranger DB bootstrap scripts (dba_script.py, then db_setup.py) for
  the targeted ranger-admin home, after refreshing the JDBC driver and the
  audit_store entry in install.properties.

  parameter stack_version: when given, operate on
    {stack_root}/{stack_version}/ranger-admin instead of params.ranger_home.
  """
  import params

  # 'ranger_home' is resolved by format() from this frame; keep the name.
  if stack_version is None:
    ranger_home = params.ranger_home
    version = params.version
  else:
    ranger_home = format("{stack_root}/{stack_version}/ranger-admin")
    version = stack_version

  copy_jdbc_connector(stack_version=version)

  ModifyPropertiesFile(format("{ranger_home}/install.properties"),
                       properties={'audit_store': params.ranger_audit_source_type},
                       owner=params.unix_user,
  )

  script_env = {'RANGER_ADMIN_HOME': ranger_home, 'JAVA_HOME': params.java_home}
  if params.db_flavor.lower() == 'sqla':
    script_env['LD_LIBRARY_PATH'] = params.ld_lib_path

  # User wants us to setup the DB user and DB? (presumably dba_script.py reads
  # the DBA credentials from install.properties; see update_password_configs)
  if params.create_db_dbuser:
    Logger.info('Setting up Ranger DB and DB User')
    Execute(format('ambari-python-wrap {ranger_home}/dba_script.py -q'),
            environment=script_env,
            logoutput=True,
            user=params.unix_user,
    )
  else:
    Logger.info('Separate DBA property not set. Assuming Ranger DB and DB User exists!')

  Execute(format('ambari-python-wrap {ranger_home}/db_setup.py'),
          environment=script_env,
          logoutput=True,
          user=params.unix_user,
  )
293
294
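def setup_java_patch(stack_version=None):
  """
  Apply the Ranger DB java patches by running db_setup.py -javapatch as the
  service user.

  parameter stack_version: when given, target
    {stack_root}/{stack_version}/ranger-admin instead of params.ranger_home.
  """
  import params

  # 'ranger_home' is resolved by format() from this frame; keep the name.
  ranger_home = params.ranger_home
  if stack_version is not None:
    ranger_home = format("{stack_root}/{stack_version}/ranger-admin")

  patch_env = {'RANGER_ADMIN_HOME': ranger_home, 'JAVA_HOME': params.java_home}
  if params.db_flavor.lower() == 'sqla':
    # the SQL Anywhere driver needs its native libs on the loader path
    patch_env['LD_LIBRARY_PATH'] = params.ld_lib_path

  # The command local used to be called 'setup_java_patch', shadowing this
  # function inside its own body.
  java_patch_cmd = format('ambari-python-wrap {ranger_home}/db_setup.py -javapatch')
  Execute(java_patch_cmd,
          environment=patch_env,
          logoutput=True,
          user=params.unix_user,
  )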
312
313
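def _chown_credential_provider():
  """
  Restrict the Ranger Admin JCEKS credential provider file to the service
  user/group with mode 0640. Called after each ranger_credential_helper()
  write, which runs buildks via sudo and therefore may leave the file owned
  by root.
  """
  import params

  File(params.ranger_credential_provider_path,
       owner=params.unix_user,
       group=params.unix_group,
       mode=0o640
  )


def do_keystore_setup(upgrade_type=None):
  """
  Populate the Ranger Admin credential provider (JCEKS) with the DB password,
  the audit DB password (DB audit only), the LDAP or AD bind password, and on
  supporting stacks the truststore and HTTPS keystore passwords, so the XML
  configs can carry "_" placeholders instead of plain-text secrets.

  parameter upgrade_type: accepted for call-site symmetry; not used here.
  """
  import params

  cred_lib_path = params.cred_lib_path
  provider_path = params.ranger_credential_provider_path

  if not is_empty(provider_path):
    ranger_credential_helper(cred_lib_path, params.ranger_jpa_jdbc_credential_alias, params.ranger_ambari_db_password, provider_path)
    _chown_credential_provider()

  if not is_empty(provider_path) and (params.ranger_audit_source_type).lower() == 'db' and not is_empty(params.ranger_ambari_audit_db_password):
    ranger_credential_helper(cred_lib_path, params.ranger_jpa_audit_jdbc_credential_alias, params.ranger_ambari_audit_db_password, provider_path)
    _chown_credential_provider()

  if params.ranger_auth_method.upper() == "LDAP":
    # Use the usersync bind password while the admin-site property still
    # holds the unresolved "{{...}}" template reference.
    ranger_ldap_auth_password = params.ranger_usersync_ldap_ldapbindpassword
    if params.ranger_ldap_bind_auth_password != "{{ranger_usersync_ldap_ldapbindpassword}}":
      ranger_ldap_auth_password = params.ranger_ldap_bind_auth_password

    ranger_credential_helper(cred_lib_path, params.ranger_ldap_password_alias, ranger_ldap_auth_password, provider_path)
    _chown_credential_provider()

  if params.ranger_auth_method.upper() == "ACTIVE_DIRECTORY":
    # same fallback as the LDAP case
    ranger_ad_auth_password = params.ranger_usersync_ldap_ldapbindpassword
    if params.ranger_ad_bind_auth_password != "{{ranger_usersync_ldap_ldapbindpassword}}":
      ranger_ad_auth_password = params.ranger_ad_bind_auth_password

    ranger_credential_helper(cred_lib_path, params.ranger_ad_password_alias, ranger_ad_auth_password, provider_path)
    _chown_credential_provider()

  if params.stack_supports_secure_ssl_password:
    ranger_credential_helper(cred_lib_path, params.ranger_truststore_alias, params.truststore_password, provider_path)

    # keystore password only matters when the UI is served over HTTPS only
    if params.https_enabled and not params.http_enabled:
      ranger_credential_helper(cred_lib_path, params.ranger_https_keystore_alias, params.https_keystore_password, provider_path)

    _chown_credential_provider()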
375
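def password_validation(password):
  """
  Reject an LDAP/AD bind password that is blank or contains one of the
  unsupported characters backslash, backtick, single quote or double quote.

  parameter password: the bind password to check; it is never logged.
  raises Fail: when the password is blank or contains an unsupported character.
  """
  if password.strip() == "":
    raise Fail("Blank password is not allowed for Bind user. Please enter valid password.")
  # Raw pattern: a character class of backslash, backtick, ' and ". The
  # non-raw original relied on the invalid escape '\`' being kept verbatim,
  # which newer Python versions warn about.
  if re.search(r"[\\`'\"]", password):
    raise Fail("LDAP/AD bind password contains one of the unsupported special characters like \" ' \\ `")
  Logger.info("password validated")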
384
def copy_jdbc_connector(stack_version=None):
  """
  Download the JDBC driver registered on ambari-server into the ranger-admin
  ews/lib directory and point install.properties (SQL_CONNECTOR_JAR) at it.
  SQL Anywhere ships as an archive and is unpacked first.

  parameter stack_version: when given, install into
    {stack_root}/{stack_version}/ranger-admin instead of params.ranger_home.
  raises Fail: when ambari-server has no driver registered for db_flavor.
  """
  import params

  no_driver_registered = (params.jdbc_jar_name is None
                          and params.driver_curl_source.endswith("/None"))
  if no_driver_registered:
    raise Fail(format("{db_flavor} jdbc driver cannot be downloaded from {jdk_location}\nPlease run 'ambari-server setup --jdbc-db={db_flavor} --jdbc-driver={{path_to_jdbc}}' on ambari-server host."))

  if params.driver_curl_source and not params.driver_curl_source.endswith("/None"):
    # drop the driver left behind by an earlier driver/flavor change
    if params.previous_jdbc_jar and os.path.isfile(params.previous_jdbc_jar):
      File(params.previous_jdbc_jar, action='delete')

  File(params.downloaded_custom_connector,
       content=DownloadSource(params.driver_curl_source),
       mode=0o644
  )

  # 'ranger_home' and 'driver_curl_target' are read by format() below; keep
  # the names.
  ranger_home = params.ranger_home
  if stack_version is not None:
    ranger_home = format("{stack_root}/{stack_version}/ranger-admin")

  driver_curl_target = format("{ranger_home}/ews/lib/{jdbc_jar_name}")
  ews_lib_dir = os.path.join(ranger_home, 'ews', 'lib')
  is_sqla = params.db_flavor.lower() == 'sqla'

  if is_sqla:
    # Unpack the SQL Anywhere archive, install the jar and its native libs.
    Execute(('tar', '-xvf', params.downloaded_custom_connector, '-C', params.tmp_dir), sudo=True)

    Execute(('cp', '--remove-destination', params.jar_path_in_archive, ews_lib_dir),
            path=["/bin", "/usr/bin/"],
            sudo=True)

    File(os.path.join(ews_lib_dir, 'sajdbc4.jar'), mode=0o644)

    Directory(params.jdbc_libs_dir,
              cd_access="a",
              create_parents=True)

    # NOTE(review): this is a shell pipeline built with auto_escape=False, so
    # libs_path_in_archive and jdbc_libs_dir are interpolated unquoted.
    # Presumably both come from cluster configuration rather than end users,
    # but shell metacharacters in either value would be interpreted.
    Execute(as_sudo(['yes', '|', 'cp', params.libs_path_in_archive, params.jdbc_libs_dir], auto_escape=False),
            path=["/bin", "/usr/bin/"])
  else:
    Execute(('cp', '--remove-destination', params.downloaded_custom_connector, ews_lib_dir),
            path=["/bin", "/usr/bin/"],
            sudo=True)

    File(os.path.join(ews_lib_dir, params.jdbc_jar_name), mode=0o644)

  ModifyPropertiesFile(format("{ranger_home}/install.properties"),
                       properties=params.config['configurations']['admin-properties'],
                       owner=params.unix_user,
  )

  if is_sqla:
    connector_jar = format('{ranger_home}/ews/lib/sajdbc4.jar')
  else:
    connector_jar = format('{driver_curl_target}')
  ModifyPropertiesFile(format("{ranger_home}/install.properties"),
                       properties={'SQL_CONNECTOR_JAR': connector_jar},
                       owner=params.unix_user,
  )
444
def setup_usersync(upgrade_type=None):
  """
  Lay down Ranger Usersync: PID/log directories and env scripts, the conf
  directory and default config files, ranger-ugsync-site.xml with password
  properties masked, the usersync JCEKS credential store, start/stop scripts,
  the /usr/bin/ranger-usersync launcher link, a self-signed keystore when
  none exists, and core-site.xml.

  parameter upgrade_type: when not None the conf.dist defaults (and log4j.xml
    on stacks without Ranger log4j support) are re-copied and the launcher
    link is recreated on stacks with config versioning.
  """
  import params

  # Both locals are resolved by format() from this frame; keep the names.
  usersync_home = params.usersync_home
  ranger_ugsync_conf = params.ranger_ugsync_conf

  ldap_sync_source = 'org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder'
  ldap_bind_password = params.ranger_usersync_ldap_ldapbindpassword
  # the bind password is only validated/stored when the LDAP sync source is in use
  uses_ldap_bind = (not is_empty(ldap_bind_password)
                    and params.ug_sync_source == ldap_sync_source)

  if uses_ldap_bind:
    password_validation(ldap_bind_password)

  Directory(params.ranger_pid_dir,
            mode=0o755,
            owner=params.unix_user,
            group=params.user_group,
            cd_access="a",
            create_parents=True
  )

  if params.stack_supports_pid:
    File(format('{ranger_ugsync_conf}/ranger-usersync-env-piddir.sh'),
         content=format("export USERSYNC_PID_DIR_PATH={ranger_pid_dir}\nexport UNIX_USERSYNC_USER={unix_user}"),
         owner=params.unix_user,
         group=params.unix_group,
         mode=0o755
    )

  Directory(params.usersync_log_dir,
            owner=params.unix_user,
            group=params.unix_group,
            cd_access='a',
            create_parents=True,
            mode=0o755,
            recursive_ownership=True
  )

  File(format('{ranger_ugsync_conf}/ranger-usersync-env-logdir.sh'),
       content=format("export logdir={usersync_log_dir}"),
       owner=params.unix_user,
       group=params.unix_group,
       mode=0o755
  )

  Directory(format("{ranger_ugsync_conf}/"),
            owner=params.unix_user
  )

  if upgrade_type is not None:
    # re-seed the shipped default config on upgrade
    Execute(('cp', '-f',
             format('{usersync_home}/conf.dist/ranger-ugsync-default.xml'),
             format('{usersync_home}/conf/ranger-ugsync-default.xml')),
            sudo=True)

  if params.stack_supports_ranger_log4j:
    File(format('{usersync_home}/conf/log4j.properties'),
         owner=params.unix_user,
         group=params.unix_group,
         content=InlineTemplate(params.usersync_log4j),
         mode=0o644
    )
  elif upgrade_type is not None:
    # older stacks keep the XML logger config; re-seed it from conf.dist
    Execute(('cp', '-f',
             format('{usersync_home}/conf.dist/log4j.xml'),
             format('{usersync_home}/conf/log4j.xml')),
            sudo=True)

  # Mask the password properties before rendering; the secrets go into the
  # usersync JCEKS file further down instead.
  ugsync_site = dict(params.config['configurations']['ranger-ugsync-site'])
  for secret_prop in params.ranger_usersync_password_properties:
    if secret_prop in ugsync_site:
      ugsync_site[secret_prop] = "_"

  XmlConfig("ranger-ugsync-site.xml",
            conf_dir=ranger_ugsync_conf,
            configurations=ugsync_site,
            configuration_attributes=params.config['configuration_attributes']['ranger-ugsync-site'],
            owner=params.unix_user,
            group=params.unix_group,
            mode=0o644)

  for owned_file in (params.ranger_ugsync_default_file, params.usgsync_log4j_file):
    if os.path.isfile(owned_file):
      File(owned_file, owner=params.unix_user, group=params.unix_group)

  if os.path.isfile(params.cred_validator_file):
    # 04555: setuid plus read/execute for everyone; the owner is deliberately
    # not touched here, so the binary runs with its existing owner's
    # privileges - presumably required for credential validation (confirm).
    File(params.cred_validator_file, group=params.unix_group, mode=0o4555)

  ranger_credential_helper(params.ugsync_cred_lib, 'usersync.ssl.key.password', params.ranger_usersync_keystore_password, params.ugsync_jceks_path)

  if uses_ldap_bind:
    ranger_credential_helper(params.ugsync_cred_lib, 'ranger.usersync.ldap.bindalias', ldap_bind_password, params.ugsync_jceks_path)

  ranger_credential_helper(params.ugsync_cred_lib, 'usersync.ssl.truststore.password', params.ranger_usersync_truststore_password, params.ugsync_jceks_path)

  # buildks runs via sudo, so take the credential file back for the service user
  File(params.ugsync_jceks_path,
       owner=params.unix_user,
       group=params.unix_group,
       mode=0o640
  )

  File([params.usersync_start, params.usersync_stop],
       owner=params.unix_user,
       group=params.unix_group
  )

  File(params.usersync_services_file,
       mode=0o755,
  )

  if upgrade_type is not None and params.stack_supports_config_versioning:
    if os.path.islink('/usr/bin/ranger-usersync'):
      Link('/usr/bin/ranger-usersync', action="delete")

    Link('/usr/bin/ranger-usersync', to=params.usersync_services_file)

  Execute(('ln', '-sf', format('{usersync_services_file}'), '/usr/bin/ranger-usersync'),
          not_if=format("ls /usr/bin/ranger-usersync"),
          only_if=format("ls {usersync_services_file}"),
          sudo=True)

  if not os.path.isfile(params.ranger_usersync_keystore_file):
    # Self-signed RSA-2048 key valid for 3600 days. The key/store password is
    # marked '!p' (protected for logging) but is still passed on the keytool
    # command line.
    keytool_cmd = format("{java_home}/bin/keytool -genkeypair -keyalg RSA -alias selfsigned -keystore '{ranger_usersync_keystore_file}' -keypass {ranger_usersync_keystore_password!p} -storepass {ranger_usersync_keystore_password!p} -validity 3600 -keysize 2048 -dname '{default_dn_name}'")

    Execute(keytool_cmd, logoutput=True, user=params.unix_user)

    File(params.ranger_usersync_keystore_file,
         owner=params.unix_user,
         group=params.unix_group,
         mode=0o640
    )

  create_core_site_xml(ranger_ugsync_conf)
577
def setup_tagsync(upgrade_type=None):
  """
  Lay down Ranger Tagsync: conf/PID/log directories and env scripts,
  ranger-tagsync-site.xml, the tagsync SSL configs on supporting stacks, the
  Atlas client properties, log4j, the /usr/bin/ranger-tagsync launcher link
  and core-site.xml.

  parameter upgrade_type: accepted for call-site symmetry; not used here.
  """
  import params

  # Resolved by format() from this frame; keep the name.
  ranger_tagsync_conf = params.ranger_tagsync_conf

  Directory(format("{ranger_tagsync_conf}"),
            owner=params.unix_user,
            group=params.unix_group,
            create_parents=True
  )

  Directory(params.ranger_pid_dir,
            mode=0o755,
            create_parents=True,
            owner=params.unix_user,
            group=params.user_group,
            cd_access="a",
  )

  if params.stack_supports_pid:
    File(format('{ranger_tagsync_conf}/ranger-tagsync-env-piddir.sh'),
         content=format("export TAGSYNC_PID_DIR_PATH={ranger_pid_dir}\nexport UNIX_TAGSYNC_USER={unix_user}"),
         owner=params.unix_user,
         group=params.unix_group,
         mode=0o755
    )

  Directory(params.tagsync_log_dir,
            create_parents=True,
            owner=params.unix_user,
            group=params.unix_group,
            cd_access="a",
            mode=0o755
  )

  File(format('{ranger_tagsync_conf}/ranger-tagsync-env-logdir.sh'),
       content=format("export RANGER_TAGSYNC_LOG_DIR={tagsync_log_dir}"),
       owner=params.unix_user,
       group=params.unix_group,
       mode=0o755
  )

  # NOTE(review): unlike ranger-admin-site / ranger-ugsync-site no password
  # properties are masked here, so any secret in ranger-tagsync-site would be
  # rendered in plain text - confirm none are expected in this config type.
  XmlConfig("ranger-tagsync-site.xml",
            conf_dir=ranger_tagsync_conf,
            configurations=params.config['configurations']['ranger-tagsync-site'],
            configuration_attributes=params.config['configuration_attributes']['ranger-tagsync-site'],
            owner=params.unix_user,
            group=params.unix_group,
            mode=0o644)

  if params.stack_supports_ranger_tagsync_ssl_xml_support:
    Logger.info("Stack supports tagsync-ssl configurations, performing the same.")
    setup_tagsync_ssl_configs()
  else:
    Logger.info("Stack doesnt support tagsync-ssl configurations, skipping the same.")

  # NOTE(review): 0755 puts execute bits on a plain properties file; 0644 is
  # the usual mode for a data file. Left as-is.
  PropertiesFile(format('{ranger_tagsync_conf}/atlas-application.properties'),
                 properties=params.tagsync_application_properties,
                 mode=0o755,
                 owner=params.unix_user,
                 group=params.unix_group
  )

  File(format('{ranger_tagsync_conf}/log4j.properties'),
       owner=params.unix_user,
       group=params.unix_group,
       content=InlineTemplate(params.tagsync_log4j),
       mode=0o644
  )

  File(params.tagsync_services_file,
       mode=0o755,
  )

  Execute(('ln', '-sf', format('{tagsync_services_file}'), '/usr/bin/ranger-tagsync'),
          not_if=format("ls /usr/bin/ranger-tagsync"),
          only_if=format("ls {tagsync_services_file}"),
          sudo=True)

  create_core_site_xml(ranger_tagsync_conf)
659
def ranger_credential_helper(lib_path, alias_key, alias_value, file_path):
  """
  Store alias_key=alias_value in the JCEKS credential provider at file_path
  with Ranger's buildks tool, executed via sudo.

  parameter lib_path: classpath that contains
    org.apache.ranger.credentialapi.buildks.
  parameter alias_key: credential alias to create.
  parameter alias_value: the secret. It is wrapped in PasswordString
    (presumably so Execute masks it in the logged command) but it is still
    passed to java as a process argument.
  parameter file_path: filesystem path of the .jceks file; converted to a
    jceks://file URI here.
  """
  import params

  # 'file_path' (the parameter) is resolved by format() from this frame.
  provider_uri = format('jceks://file{file_path}')
  buildks_cmd = (
    format('{java_home}/bin/java'), '-cp', lib_path,
    'org.apache.ranger.credentialapi.buildks', 'create', alias_key,
    '-value', PasswordString(alias_value),
    '-provider', provider_uri,
  )
  Execute(buildks_cmd, environment={'JAVA_HOME': params.java_home}, logoutput=True, sudo=True)
667
def create_core_site_xml(conf_dir):
  """
  Write core-site.xml into conf_dir on stacks with Ranger Kerberos support;
  a no-op otherwise.

  The cluster's core-site is used when HDFS is installed; without a NameNode
  the minimal params.core_site_property set is rendered with no attributes.

  parameter conf_dir: destination config directory.
  """
  import params

  if not params.stack_supports_ranger_kerberos:
    return

  if params.has_namenode:
    configurations = params.config['configurations']['core-site']
    configuration_attributes = params.config['configuration_attributes']['core-site']
  else:
    Logger.warning('HDFS service not installed. Creating core-site.xml file.')
    configurations = params.core_site_property
    configuration_attributes = {}

  XmlConfig("core-site.xml",
            conf_dir=conf_dir,
            configurations=configurations,
            configuration_attributes=configuration_attributes,
            owner=params.unix_user,
            group=params.unix_group,
            mode=0o644
  )
691
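def setup_ranger_audit_solr():
  """
  Prepare the Solr side of Ranger audit: an optional JAAS file, the znode
  check, upload of the ranger config set (with solrconfig.xml on supporting
  stacks), Solr role grants for the Ranger Admin and plugin principals on a
  kerberized Ambari-managed Infra Solr, collection creation, and securing
  the config-set and collection znodes.

  Any ExecutionFailed raised after the JAAS file step is logged and
  swallowed (presumably so a Solr/ZooKeeper outage does not fail the Ranger
  command); other exceptions propagate.
  """
  import params

  kerberized = params.security_enabled and params.stack_supports_ranger_kerberos
  # roles and znode ACLs are only managed for the Ambari-managed Infra Solr
  manage_infra_solr_acls = (kerberized and params.has_infra_solr
                            and not params.is_external_solrCloud_enabled)

  if kerberized:
    if params.solr_jaas_file is not None:
      File(format("{solr_jaas_file}"),
           content=Template("ranger_solr_jaas_conf.j2"),
           owner=params.unix_user
      )

  try:
    check_znode()

    upload_kwargs = dict(
      zookeeper_quorum=params.zookeeper_quorum,
      solr_znode=params.solr_znode,
      config_set=params.ranger_solr_config_set,
      config_set_dir=params.ranger_solr_conf,
      tmp_dir=params.tmp_dir,
      java64_home=params.ambari_java_home,
      jaas_file=params.solr_jaas_file,
      retry=30, interval=5,
    )
    if params.stack_supports_ranger_solr_configs:
      Logger.info('Solr configrations supported,creating solr-configurations.')
      File(format("{ranger_solr_conf}/solrconfig.xml"),
           content=InlineTemplate(params.ranger_solr_config_content),
           owner=params.unix_user,
           group=params.unix_group,
           mode=0o644
      )
      upload_kwargs['solrconfig_content'] = InlineTemplate(params.ranger_solr_config_content)
    else:
      Logger.info('Solr configrations not supported, skipping solr-configurations.')
    solr_cloud_util.upload_configuration_to_zk(**upload_kwargs)

    if manage_infra_solr_acls:
      solr_cloud_util.add_solr_roles(params.config,
                                     roles=[params.infra_solr_role_ranger_admin, params.infra_solr_role_ranger_audit, params.infra_solr_role_dev],
                                     new_service_principals=[params.ranger_admin_jaas_principal])
      # (service, default principal) pairs; the real principal is read from
      # ranger-<service>-audit when present. 'yarn' was previously misspelled
      # 'yanr', so the YARN lookup never matched and always used the default.
      service_default_principals_map = [('hdfs', 'nn'), ('hbase', 'hbase'), ('hive', 'hive'), ('kafka', 'kafka'), ('kms', 'rangerkms'),
                                        ('knox', 'knox'), ('nifi', 'nifi'), ('storm', 'storm'), ('yarn', 'yarn')]
      service_principals = get_ranger_plugin_principals(service_default_principals_map)
      solr_cloud_util.add_solr_roles(params.config,
                                     roles=[params.infra_solr_role_ranger_audit, params.infra_solr_role_dev],
                                     new_service_principals=service_principals)

    solr_cloud_util.create_collection(
      zookeeper_quorum=params.zookeeper_quorum,
      solr_znode=params.solr_znode,
      collection=params.ranger_solr_collection_name,
      config_set=params.ranger_solr_config_set,
      java64_home=params.ambari_java_home,
      shards=params.ranger_solr_shards,
      replication_factor=int(params.replication_factor),
      jaas_file=params.solr_jaas_file)

    if manage_infra_solr_acls:
      secure_znode(format('{solr_znode}/configs/{ranger_solr_config_set}'), params.solr_jaas_file)
      secure_znode(format('{solr_znode}/collections/{ranger_solr_collection_name}'), params.solr_jaas_file)
  except ExecutionFailed as execution_exception:
    # logged, not re-raised: the rest of the Ranger setup continues
    Logger.error('Error when configuring Solr for Ranger, Kindly check Solr/Zookeeper services to be up and running:\n {0}'.format(execution_exception))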
768
def setup_ranger_admin_passwd_change():
  """
  Rotate the Ranger admin UI password from the stack default to the
  configured value via db_setup.py -changepassword; a no-op when the two
  are equal.

  Both passwords are marked '!p' (protected for logging) but are still
  supplied as command-line arguments to the script.
  """
  import params

  if params.admin_password == params.default_admin_password:
    return

  change_cmd = format('ambari-python-wrap {ranger_home}/db_setup.py -changepassword {admin_username} {default_admin_password!p} {admin_password!p}')
  Logger.info('Updating admin password')
  Execute(change_cmd,
          environment={'JAVA_HOME': params.java_home, 'RANGER_ADMIN_HOME': params.ranger_home},
          user=params.unix_user)
776
@retry(times=10, sleep_time=5, err_class=Fail)
def check_znode():
  """
  Verify the Solr znode is present in ZooKeeper. Retried up to 10 times,
  5 seconds apart, for as long as the check raises Fail.
  """
  import params

  zk_check_args = dict(zookeeper_quorum=params.zookeeper_quorum,
                       solr_znode=params.solr_znode,
                       java64_home=params.ambari_java_home)
  solr_cloud_util.check_znode(**zk_check_args)
784
def secure_znode(znode, jaasFile):
  """
  Apply SASL ACLs to one Solr znode, listing the Ranger Admin JAAS principal
  as the SASL user.

  parameter znode: full znode path.
  parameter jaasFile: JAAS config used to authenticate to ZooKeeper.
  """
  import params

  acl_args = dict(config=params.config,
                  zookeeper_quorum=params.zookeeper_quorum,
                  solr_znode=znode,
                  jaas_file=jaasFile,
                  java64_home=params.ambari_java_home,
                  sasl_users=[params.ranger_admin_jaas_principal])
  solr_cloud_util.secure_znode(**acl_args)
791
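def get_ranger_plugin_principals(services_defaults_tuple_list):
  """
  Get ranger plugin user principals from service-default value maps using
  ranger-*-audit configurations.

  parameter services_defaults_tuple_list: iterable of (service, default)
    pairs. For each pair the value of
    configurations/ranger-<service>-audit/xasecure.audit.jaas.Client.option.principal
    is returned when set, otherwise the given default.
  returns: list of principals in input order.
  raises Fail: when the list is empty. (Raised as Fail rather than a bare
    Exception, consistent with the rest of this file; Fail is an Exception,
    so existing handlers still match.)
  """
  if not services_defaults_tuple_list:
    raise Fail("Services - defaults map parameter is missing.")

  user_principals = []
  for (service, default_value) in services_defaults_tuple_list:
    # kept as a plain loop: format() reads 'service' from this frame's locals
    user_principal = default(format("configurations/ranger-{service}-audit/xasecure.audit.jaas.Client.option.principal"), default_value)
    user_principals.append(user_principal)
  return user_principals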
805
806
def setup_tagsync_ssl_configs():
  """
  Write the tagsync SSL configs (ranger-policymgr-ssl.xml and
  atlas-tagsync-ssl.xml) with their password properties masked, and store
  the keystore/truststore passwords in the corresponding tagsync JCEKS
  credential files instead.
  """
  import params

  def masked_copy(config_type):
    # The rendered XML gets "_" in place of every password property; the
    # real values go into the JCEKS files below.
    copied = dict(params.config['configurations'][config_type])
    for secret_prop in params.ranger_tagsync_password_properties:
      if secret_prop in copied:
        copied[secret_prop] = "_"
    return copied

  def write_ssl_config(xml_name, config_type, keystore_password, truststore_password, credential_file):
    # One XML plus its JCEKS file; the credential file is handed back to the
    # service user after buildks (run via sudo) has written it.
    XmlConfig(xml_name,
              conf_dir=params.ranger_tagsync_conf,
              configurations=masked_copy(config_type),
              configuration_attributes=params.config['configuration_attributes'][config_type],
              owner=params.unix_user,
              group=params.unix_group,
              mode=0o644)

    ranger_credential_helper(params.tagsync_cred_lib, 'sslKeyStore', keystore_password, credential_file)
    ranger_credential_helper(params.tagsync_cred_lib, 'sslTrustStore', truststore_password, credential_file)

    File(credential_file,
         owner=params.unix_user,
         group=params.unix_group,
         mode=0o640
    )

  Directory(params.security_store_path,
            cd_access="a",
            create_parents=True)

  Directory(params.tagsync_etc_path,
            cd_access="a",
            owner=params.unix_user,
            group=params.unix_group,
            mode=0o775,
            create_parents=True)

  write_ssl_config("ranger-policymgr-ssl.xml", 'ranger-tagsync-policymgr-ssl',
                   params.ranger_tagsync_keystore_password,
                   params.ranger_tagsync_truststore_password,
                   params.ranger_tagsync_credential_file)
  write_ssl_config("atlas-tagsync-ssl.xml", 'atlas-tagsync-ssl',
                   params.atlas_tagsync_keystore_password,
                   params.atlas_tagsync_truststore_password,
                   params.atlas_tagsync_credential_file)
  Logger.info("Configuring tagsync-ssl configurations done successfully.")
868
def update_password_configs():
  """
  Replace the plain-text DB passwords in install.properties with "_"
  placeholders (db_root_password, db_password, and audit_db_password on
  stacks with a Ranger audit DB). Presumably meant to run once the DB setup
  scripts have consumed them - confirm with the caller.
  """
  import params

  scrubbed = dict.fromkeys(['db_root_password', 'db_password'], '_')
  if params.stack_supports_ranger_audit_db:
    scrubbed['audit_db_password'] = '_'

  ModifyPropertiesFile(format("{ranger_home}/install.properties"),
                       properties=scrubbed,
                       owner=params.unix_user,
  )