author | Mugdha Varadkar <fimugdha@users.noreply.github.com> | 2018-05-31 14:01:42 +0530 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-05-31 14:01:42 +0530 |
commit | f2b946adfd21edc9b0ab07d6e6961fa2199cfb19 (patch) | |
tree | 96062db711500a1afac603ab2003d596003ab36c | |
parent | c8ab37d040abc1a397d73cb41e0d5e576bacf8bd (diff) |
AMBARI-23979 Updating ownership and permission of .crc file for Ranger service and Ranger plugin supported services (mugdha) (#1411)
9 files changed, 189 insertions, 62 deletions
diff --git a/ambari-common/src/main/python/resource_management/libraries/functions/setup_ranger_plugin_xml.py b/ambari-common/src/main/python/resource_management/libraries/functions/setup_ranger_plugin_xml.py index af53714600..09b816c753 100644 --- a/ambari-common/src/main/python/resource_management/libraries/functions/setup_ranger_plugin_xml.py +++ b/ambari-common/src/main/python/resource_management/libraries/functions/setup_ranger_plugin_xml.py @@ -223,6 +223,15 @@ def setup_ranger_plugin_keystore(service_name, audit_db_is_enabled, stack_versio mode = 0640 ) + dot_jceks_crc_file_path = os.path.join(os.path.dirname(credential_file), "." + os.path.basename(credential_file) + ".crc") + + File(dot_jceks_crc_file_path, + owner = component_user, + group = component_group, + only_if = format("test -e {dot_jceks_crc_file_path}"), + mode = 0640 + ) + def setup_configuration_file_for_required_plugins(component_user, component_group, create_core_site_path, configurations={}, configuration_attributes={}, file_name='core-site.xml', xml_include_file=None, xml_include_file_content=None): diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/ranger_tagsync.py b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/ranger_tagsync.py index b1a18199d4..2d91f3d3b4 100644 --- a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/ranger_tagsync.py +++ b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/ranger_tagsync.py @@ -27,7 +27,7 @@ from resource_management.libraries.functions.format import format from resource_management.core.logger import Logger from resource_management.core import shell from ranger_service import ranger_service -from setup_ranger_xml import ranger, ranger_credential_helper +from setup_ranger_xml import ranger, ranger_credential_helper, update_dot_jceks_crc_ownership from resource_management.core.exceptions import Fail class RangerTagsync(Script): 
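Review bot: In `setup_ranger_plugin_keystore`, the new `only_if = format("test -e {dot_jceks_crc_file_path}")` puts the path into a shell command unquoted, so a credential path containing a space or a shell metacharacter changes what the guard actually runs. Ambari's `format` has a bash-escape conversion for this, e.g. `only_if = format("test -e {dot_jceks_crc_file_path!e}")`. The same unquoted pattern is in every `only_if` this commit adds in ranger_tagsync.py, setup_ranger_xml.py and kms.py. The function body starts before this hunk, so whether `credential_file` is validated earlier is not visible here.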
@@ -39,10 +39,14 @@ class RangerTagsync(Script): ranger_credential_helper(params.tagsync_cred_lib, 'tagadmin.user.password', 'rangertagsync', params.tagsync_jceks_path) File(params.tagsync_jceks_path, - owner = params.unix_user, - group = params.unix_group, - mode = 0640 + owner = params.unix_user, + group = params.unix_group, + only_if = format("test -e {tagsync_jceks_path}"), + mode = 0640 ) + + update_dot_jceks_crc_ownership(credential_provider_path = params.tagsync_jceks_path, user = params.unix_user, group = params.unix_group) + if params.stack_supports_ranger_tagsync_ssl_xml_support: Logger.info("Stack support Atlas user for Tagsync, creating keystore for same.") self.create_atlas_user_keystore(env) @@ -136,10 +140,13 @@ class RangerTagsync(Script): env.set_params(params) ranger_credential_helper(params.tagsync_cred_lib, 'atlas.user.password', 'admin', params.atlas_tagsync_jceks_path) File(params.atlas_tagsync_jceks_path, - owner = params.unix_user, - group = params.unix_group, - mode = 0640 + owner = params.unix_user, + group = params.unix_group, + only_if = format("test -e {atlas_tagsync_jceks_path}"), + mode = 0640 ) + update_dot_jceks_crc_ownership(credential_provider_path = params.atlas_tagsync_jceks_path, user = params.unix_user, group = params.unix_group) + if __name__ == "__main__": RangerTagsync().execute() diff --git a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py index 0e7604d578..815e647987 100644 --- a/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py +++ b/ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py 
@@ -315,24 +315,11 @@ def do_keystore_setup(upgrade_type=None): ranger_home = params.ranger_home cred_lib_path = params.cred_lib_path - if not is_empty(params.ranger_credential_provider_path): - ranger_credential_helper(cred_lib_path, params.ranger_jpa_jdbc_credential_alias, params.ranger_ambari_db_password, params.ranger_credential_provider_path) - - File(params.ranger_credential_provider_path, - owner = params.unix_user, - group = params.unix_group, - mode = 0640 - ) + ranger_credential_helper(cred_lib_path, params.ranger_jpa_jdbc_credential_alias, params.ranger_ambari_db_password, params.ranger_credential_provider_path) if not is_empty(params.ranger_credential_provider_path) and (params.ranger_audit_source_type).lower() == 'db' and not is_empty(params.ranger_ambari_audit_db_password): ranger_credential_helper(cred_lib_path, params.ranger_jpa_audit_jdbc_credential_alias, params.ranger_ambari_audit_db_password, params.ranger_credential_provider_path) - File(params.ranger_credential_provider_path, - owner = params.unix_user, - group = params.unix_group, - mode = 0640 - ) - if params.ranger_auth_method.upper() == "LDAP": ranger_ldap_auth_password = params.ranger_usersync_ldap_ldapbindpassword if params.ranger_ldap_bind_auth_password != "{{ranger_usersync_ldap_ldapbindpassword}}": @@ -340,12 +327,6 @@ def do_keystore_setup(upgrade_type=None): ranger_credential_helper(params.cred_lib_path, params.ranger_ldap_password_alias, ranger_ldap_auth_password, params.ranger_credential_provider_path) - File(params.ranger_credential_provider_path, - owner = params.unix_user, - group = params.unix_group, - mode = 0640 - ) - if params.ranger_auth_method.upper() == "ACTIVE_DIRECTORY": ranger_ad_auth_password = params.ranger_usersync_ldap_ldapbindpassword if params.ranger_ad_bind_auth_password != "{{ranger_usersync_ldap_ldapbindpassword}}": 
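Review bot: In `do_keystore_setup`, the first `ranger_credential_helper(...)` call loses its `if not is_empty(params.ranger_credential_provider_path):` guard, while the audit-DB branch directly below still tests the same value. If the provider path can be empty or unset, the helper now runs with it anyway; keeping `if not is_empty(params.ranger_credential_provider_path):` above the call preserves the old behaviour. Indentation is lost in this rendering and the function continues outside the hunk, so this is worth confirming against the file.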
@@ -353,23 +334,20 @@ def do_keystore_setup(upgrade_type=None): ranger_credential_helper(params.cred_lib_path, params.ranger_ad_password_alias, ranger_ad_auth_password, params.ranger_credential_provider_path) - File(params.ranger_credential_provider_path, - owner = params.unix_user, - group = params.unix_group, - mode = 0640 - ) - if params.stack_supports_secure_ssl_password: ranger_credential_helper(params.cred_lib_path, params.ranger_truststore_alias, params.truststore_password, params.ranger_credential_provider_path) if params.https_enabled and not params.http_enabled: ranger_credential_helper(params.cred_lib_path, params.ranger_https_keystore_alias, params.https_keystore_password, params.ranger_credential_provider_path) - File(params.ranger_credential_provider_path, - owner = params.unix_user, - group = params.unix_group, - mode = 0640 - ) + File(params.ranger_credential_provider_path, + owner = params.unix_user, + group = params.unix_group, + only_if = format("test -e {ranger_credential_provider_path}"), + mode = 0640 + ) + + update_dot_jceks_crc_ownership(credential_provider_path = params.ranger_credential_provider_path, user = params.unix_user, group = params.unix_group) def password_validation(password): import params @@ -531,10 +509,13 @@ def setup_usersync(upgrade_type=None): ranger_credential_helper(params.ugsync_cred_lib, 'usersync.ssl.truststore.password', params.ranger_usersync_truststore_password, params.ugsync_jceks_path) File(params.ugsync_jceks_path, - owner = params.unix_user, - group = params.unix_group, - mode = 0640 + owner = params.unix_user, + group = params.unix_group, + only_if = format("test -e {ugsync_jceks_path}"), + mode = 0640 ) + + update_dot_jceks_crc_ownership(credential_provider_path = params.ugsync_jceks_path, user = params.unix_user, group = params.unix_group) File([params.usersync_start, params.usersync_stop], owner = params.unix_user, 
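Review bot: With the per-step `File(params.ranger_credential_provider_path, ...)` blocks removed (here and in the two hunks above), owner, group and mode `0640` are applied only once, after the last `ranger_credential_helper` call in `do_keystore_setup`. Until then the keystore holding the DB and LDAP/AD bind passwords keeps whatever ownership and mode the helper created it with (the helper body is not shown), and a failure in any intermediate step leaves it that way. Consider also running the `File(...)` plus `update_dot_jceks_crc_ownership(...)` pair right after the first helper call, so the store is tightened as soon as it exists. Indentation is lost in this view, so also confirm the new `File(...)` sits at function level and not under `if params.stack_supports_secure_ssl_password:`.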
@@ -620,6 +601,7 @@ def setup_tagsync(upgrade_type=None): owner=params.unix_user, group=params.unix_group, mode=0644) + if params.stack_supports_ranger_tagsync_ssl_xml_support: Logger.info("Stack supports tagsync-ssl configurations, performing the same.") setup_tagsync_ssl_configs() @@ -829,10 +811,13 @@ def setup_tagsync_ssl_configs(): ranger_credential_helper(params.tagsync_cred_lib, 'sslTrustStore', params.ranger_tagsync_truststore_password, params.ranger_tagsync_credential_file) File(params.ranger_tagsync_credential_file, - owner = params.unix_user, - group = params.unix_group, - mode = 0640 - ) + owner = params.unix_user, + group = params.unix_group, + only_if = format("test -e {ranger_tagsync_credential_file}"), + mode = 0640 + ) + + update_dot_jceks_crc_ownership(credential_provider_path = params.ranger_tagsync_credential_file, user = params.unix_user, group = params.unix_group) # remove plain-text password from xml configs atlas_tagsync_ssl_copy = {} @@ -853,10 +838,14 @@ def setup_tagsync_ssl_configs(): ranger_credential_helper(params.tagsync_cred_lib, 'sslTrustStore', params.atlas_tagsync_truststore_password, params.atlas_tagsync_credential_file) File(params.atlas_tagsync_credential_file, - owner = params.unix_user, - group = params.unix_group, - mode = 0640 - ) + owner = params.unix_user, + group = params.unix_group, + only_if = format("test -e {atlas_tagsync_credential_file}"), + mode = 0640 + ) + + update_dot_jceks_crc_ownership(credential_provider_path = params.atlas_tagsync_credential_file, user = params.unix_user, group = params.unix_group) + Logger.info("Configuring tagsync-ssl configurations done successfully.") def update_password_configs(): 
@@ -870,4 +859,15 @@ def update_password_configs(): ModifyPropertiesFile(format("{ranger_home}/install.properties"), properties = password_configs, owner = params.unix_user, + ) + +def update_dot_jceks_crc_ownership(credential_provider_path, user, group): + + dot_jceks_crc_file_path = os.path.join(os.path.dirname(credential_provider_path), "." + os.path.basename(credential_provider_path) + ".crc") + + File(dot_jceks_crc_file_path, + owner = user, + group = group, + only_if = format("test -e {dot_jceks_crc_file_path}"), + mode = 0640 )
\ No newline at end of file diff --git a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py index f487679667..c0d5aa1289 100755 --- a/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py +++ b/ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py @@ -125,6 +125,16 @@ def do_keystore_setup(cred_provider_path, credential_alias, credential_password) File(cred_provider_path, owner = params.kms_user, group = params.kms_group, + only_if = format('test -e {cred_provider_path}'), + mode = 0640 + ) + + dot_jceks_crc_file_path = os.path.join(os.path.dirname(cred_provider_path), "." + os.path.basename(cred_provider_path) + ".crc") + + File(dot_jceks_crc_file_path, + owner = params.kms_user, + group = params.kms_group, + only_if = format("test -e {dot_jceks_crc_file_path}"), mode = 0640 ) @@ -498,8 +508,18 @@ def enable_kms_plugin(): File(params.credential_file, owner = params.kms_user, group = params.kms_group, + only_if = format("test -e {credential_file}"), mode = 0640 - ) + ) + + dot_jceks_crc_file_path = os.path.join(os.path.dirname(params.credential_file), "." + os.path.basename(params.credential_file) + ".crc") + + File(dot_jceks_crc_file_path, + owner = params.kms_user, + group = params.kms_group, + only_if = format("test -e {dot_jceks_crc_file_path}"), + mode = 0640 + ) # create ranger kms audit directory if params.xa_audit_hdfs_is_enabled and params.has_namenode and params.has_hdfs_client_on_node: diff --git a/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_admin.py b/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_admin.py index a03f785ad2..ef59a04d3b 100644 --- a/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_admin.py +++ b/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_admin.py 
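Review bot: `update_dot_jceks_crc_ownership` guards with `test -e`, which is also true for a directory or for a symlink whose target exists, before the agent applies `owner`, `group` and `mode` to that path. If the keystore directory is writable by the service account, a regular-file check is the safer guard, e.g. `only_if = format("test -f {dot_jceks_crc_file_path!e} && test ! -L {dot_jceks_crc_file_path!e}")`; whether the `File` provider follows links is not visible here. The helper also has no docstring; one line saying it fixes ownership and mode of the hidden `.<name>.crc` sidecar next to a credential store, and does nothing when that file is absent, would help.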
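Review bot: Both kms.py hunks (`do_keystore_setup` and `enable_kms_plugin`) inline the same `.crc` path derivation and `File(...)` block that this commit adds as `update_dot_jceks_crc_ownership` in the RANGER scripts, and `setup_ranger_plugin_keystore` carries a third inline copy. Four copies of a permission rule can drift, with a later mode or guard change applied to one and not the others; a single helper in the shared `resource_management` functions package, called from all sites, would avoid that. The added code uses `os.path` and no import change appears in this diff, so it presumably relies on `os` already being imported in kms.py, which is worth confirming.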
@@ -340,6 +340,14 @@ class TestRangerAdmin(RMFTestCase): self.assertResourceCalled('File', '/etc/ranger/admin/rangeradmin.jceks', owner = 'ranger', group = 'ranger', + only_if = 'test -e /etc/ranger/admin/rangeradmin.jceks', + mode = 0640 + ) + + self.assertResourceCalled('File', '/etc/ranger/admin/.rangeradmin.jceks.crc', + owner = 'ranger', + group = 'ranger', + only_if = 'test -e /etc/ranger/admin/.rangeradmin.jceks.crc', mode = 0640 ) @@ -496,6 +504,14 @@ class TestRangerAdmin(RMFTestCase): self.assertResourceCalled('File', '/etc/ranger/admin/rangeradmin.jceks', owner = 'ranger', group = 'ranger', + only_if = 'test -e /etc/ranger/admin/rangeradmin.jceks', + mode = 0640 + ) + + self.assertResourceCalled('File', '/etc/ranger/admin/.rangeradmin.jceks.crc', + owner = 'ranger', + group = 'ranger', + only_if = 'test -e /etc/ranger/admin/.rangeradmin.jceks.crc', mode = 0640 ) diff --git a/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_usersync.py b/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_usersync.py index 9eaae87b85..68a8928acd 100644 --- a/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_usersync.py +++ b/ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_usersync.py @@ -177,6 +177,14 @@ class TestRangerUsersync(RMFTestCase): self.assertResourceCalled('File', '/usr/hdp/current/ranger-usersync/conf/ugsync.jceks', owner = 'ranger', group = 'ranger', + only_if = 'test -e /usr/hdp/current/ranger-usersync/conf/ugsync.jceks', + mode = 0640 + ) + + self.assertResourceCalled('File', '/usr/hdp/current/ranger-usersync/conf/.ugsync.jceks.crc', + owner = 'ranger', + group = 'ranger', + only_if = 'test -e /usr/hdp/current/ranger-usersync/conf/.ugsync.jceks.crc', mode = 0640 ) diff --git a/ambari-server/src/test/python/stacks/2.5/RANGER_KMS/test_kms_server.py b/ambari-server/src/test/python/stacks/2.5/RANGER_KMS/test_kms_server.py index 53d44c1514..201a303fc9 100644 
--- a/ambari-server/src/test/python/stacks/2.5/RANGER_KMS/test_kms_server.py +++ b/ambari-server/src/test/python/stacks/2.5/RANGER_KMS/test_kms_server.py @@ -157,6 +157,14 @@ class TestRangerKMS(RMFTestCase): self.assertResourceCalled('File', '/etc/ranger/c1_kms/cred.jceks', owner = 'kms', group = 'kms', + only_if = "test -e /etc/ranger/c1_kms/cred.jceks", + mode = 0640 + ) + + self.assertResourceCalled('File', '/etc/ranger/c1_kms/.cred.jceks.crc', + owner = 'kms', + group = 'kms', + only_if = "test -e /etc/ranger/c1_kms/.cred.jceks.crc", mode = 0640 ) @@ -427,6 +435,14 @@ class TestRangerKMS(RMFTestCase): self.assertResourceCalled('File', '/etc/ranger/kms/rangerkms.jceks', owner = 'kms', group = 'kms', + only_if = 'test -e /etc/ranger/kms/rangerkms.jceks', + mode = 0640 + ) + + self.assertResourceCalled('File', '/etc/ranger/kms/.rangerkms.jceks.crc', + owner = 'kms', + group = 'kms', + only_if = 'test -e /etc/ranger/kms/.rangerkms.jceks.crc', mode = 0640 ) @@ -439,6 +455,14 @@ class TestRangerKMS(RMFTestCase): self.assertResourceCalled('File', '/etc/ranger/kms/rangerkms.jceks', owner = 'kms', group = 'kms', + only_if = 'test -e /etc/ranger/kms/rangerkms.jceks', + mode = 0640 + ) + + self.assertResourceCalled('File', '/etc/ranger/kms/.rangerkms.jceks.crc', + owner = 'kms', + group = 'kms', + only_if = 'test -e /etc/ranger/kms/.rangerkms.jceks.crc', mode = 0640 ) @@ -601,6 +625,14 @@ class TestRangerKMS(RMFTestCase): self.assertResourceCalled('File', '/etc/ranger/c1_kms/cred.jceks', owner = 'kms', group = 'kms', + only_if = 'test -e /etc/ranger/c1_kms/cred.jceks', + mode = 0640 + ) + + self.assertResourceCalled('File', '/etc/ranger/c1_kms/.cred.jceks.crc', + owner = 'kms', + group = 'kms', + only_if = 'test -e /etc/ranger/c1_kms/.cred.jceks.crc', mode = 0640 ) 
@@ -854,6 +886,14 @@ class TestRangerKMS(RMFTestCase): self.assertResourceCalled('File', '/etc/ranger/kms/rangerkms.jceks', owner = 'kms', group = 'kms', + only_if = 'test -e /etc/ranger/kms/rangerkms.jceks', + mode = 0640 + ) + + self.assertResourceCalled('File', '/etc/ranger/kms/.rangerkms.jceks.crc', + owner = 'kms', + group = 'kms', + only_if = 'test -e /etc/ranger/kms/.rangerkms.jceks.crc', mode = 0640 ) @@ -866,6 +906,14 @@ class TestRangerKMS(RMFTestCase): self.assertResourceCalled('File', '/etc/ranger/kms/rangerkms.jceks', owner = 'kms', group = 'kms', + only_if = 'test -e /etc/ranger/kms/rangerkms.jceks', + mode = 0640 + ) + + self.assertResourceCalled('File', '/etc/ranger/kms/.rangerkms.jceks.crc', + owner = 'kms', + group = 'kms', + only_if = 'test -e /etc/ranger/kms/.rangerkms.jceks.crc', mode = 0640 ) diff --git a/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_admin.py b/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_admin.py index a8b08f4672..c3a44edc03 100644 --- a/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_admin.py +++ b/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_admin.py @@ -380,12 +380,6 @@ class TestRangerAdmin(RMFTestCase): sudo = True ) - self.assertResourceCalled('File', '/etc/ranger/admin/rangeradmin.jceks', - owner = 'ranger', - group = 'ranger', - mode = 0640 - ) - self.assertResourceCalled('Execute', ('/usr/jdk64/jdk1.7.0_45/bin/java', '-cp', '/usr/hdp/current/ranger-admin/cred/lib/*', 'org.apache.ranger.credentialapi.buildks', 'create', 'trustStoreAlias', '-value', 'changeit', '-provider', 'jceks://file/etc/ranger/admin/rangeradmin.jceks'), environment = {'JAVA_HOME': u'/usr/jdk64/jdk1.7.0_45'}, logoutput=True, 
@@ -395,6 +389,14 @@ class TestRangerAdmin(RMFTestCase): self.assertResourceCalled('File', '/etc/ranger/admin/rangeradmin.jceks', owner = 'ranger', group = 'ranger', + only_if = 'test -e /etc/ranger/admin/rangeradmin.jceks', + mode = 0640 + ) + + self.assertResourceCalled('File', '/etc/ranger/admin/.rangeradmin.jceks.crc', + owner = 'ranger', + group = 'ranger', + only_if = 'test -e /etc/ranger/admin/.rangeradmin.jceks.crc', mode = 0640 ) @@ -558,12 +560,6 @@ class TestRangerAdmin(RMFTestCase): sudo = True ) - self.assertResourceCalled('File', '/etc/ranger/admin/rangeradmin.jceks', - owner = 'ranger', - group = 'ranger', - mode = 0640 - ) - self.assertResourceCalled('Execute', ('/usr/jdk64/jdk1.7.0_45/bin/java', '-cp', '/usr/hdp/current/ranger-admin/cred/lib/*', 'org.apache.ranger.credentialapi.buildks', 'create', 'trustStoreAlias', '-value', 'changeit', '-provider', 'jceks://file/etc/ranger/admin/rangeradmin.jceks'), environment = {'JAVA_HOME': u'/usr/jdk64/jdk1.7.0_45'}, logoutput=True, @@ -573,6 +569,14 @@ class TestRangerAdmin(RMFTestCase): self.assertResourceCalled('File', '/etc/ranger/admin/rangeradmin.jceks', owner = 'ranger', group = 'ranger', + only_if = 'test -e /etc/ranger/admin/rangeradmin.jceks', + mode = 0640 + ) + + self.assertResourceCalled('File', '/etc/ranger/admin/.rangeradmin.jceks.crc', + owner = 'ranger', + group = 'ranger', + only_if = 'test -e /etc/ranger/admin/.rangeradmin.jceks.crc', mode = 0640 ) diff --git a/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_tagsync.py b/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_tagsync.py index 1d1459ac0d..45774aea66 100644 --- a/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_tagsync.py +++ b/ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_tagsync.py 
@@ -192,6 +192,14 @@ class TestRangerTagsync(RMFTestCase): self.assertResourceCalled('File', '/etc/ranger/tagsync/rangercred.jceks', owner = 'ranger', group = 'ranger', + only_if = 'test -e /etc/ranger/tagsync/rangercred.jceks', + mode = 0640, + ) + + self.assertResourceCalled('File', '/etc/ranger/tagsync/.rangercred.jceks.crc', + owner = 'ranger', + group = 'ranger', + only_if = 'test -e /etc/ranger/tagsync/.rangercred.jceks.crc', mode = 0640, ) @@ -243,9 +251,16 @@ class TestRangerTagsync(RMFTestCase): self.assertResourceCalled('File', '/etc/ranger/tagsync/atlascred.jceks', owner = 'ranger', group = 'ranger', + only_if = 'test -e /etc/ranger/tagsync/atlascred.jceks', mode = 0640, ) + self.assertResourceCalled('File', '/etc/ranger/tagsync/.atlascred.jceks.crc', + owner = 'ranger', + group = 'ranger', + only_if = 'test -e /etc/ranger/tagsync/.atlascred.jceks.crc', + mode = 0640, + ) self.assertResourceCalled('PropertiesFile', '/usr/hdp/current/ranger-tagsync/conf/atlas-application.properties', properties = self.getConfig()['configurations']['tagsync-application-properties'], |