diff --git a/ambari-common/src/main/python/resource_management/libraries/functions/ranger_functions.py b/ambari-common/src/main/python/resource_management/libraries/functions/ranger_functions.py
index 37503f0f909..32c1522a5e7 100644
--- a/ambari-common/src/main/python/resource_management/libraries/functions/ranger_functions.py
+++ b/ambari-common/src/main/python/resource_management/libraries/functions/ranger_functions.py
@@ -367,7 +367,7 @@ def create_ambari_admin_user(self,ambari_admin_username, ambari_admin_password,u
'Accept': 'application/json',
"Content-Type": "application/json"
}
- request = urllib.request.Request(url, data, headers)
+ request = urllib.request.Request(url, data.encode(), headers)
request.add_header("Authorization", "Basic {0}".format(base64string))
result = openurl(request, timeout=20)
response_code = result.getcode()
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.2.0/properties/stack_features.json b/ambari-server/src/main/resources/stacks/BIGTOP/3.2.0/properties/stack_features.json
index 1b0f7b6e700..e60b17342d3 100644
--- a/ambari-server/src/main/resources/stacks/BIGTOP/3.2.0/properties/stack_features.json
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.2.0/properties/stack_features.json
@@ -60,6 +60,16 @@
"name": "ranger_install_infra_client",
"description": "Ambari Infra Service support",
"min_version": "2.5.0.0"
+ },
+ {
+ "name": "ranger_kms_ssl",
+ "description": "Ranger KMS SSL properties in ambari stack",
+ "min_version": "3.2.0"
+ },
+ {
+ "name": "ranger_kms_pid_support",
+ "description": "Ranger KMS Service support pid generation",
+ "min_version": "3.2.0"
}
]
}
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.2.0/properties/stack_packages.json b/ambari-server/src/main/resources/stacks/BIGTOP/3.2.0/properties/stack_packages.json
index 4134d4433dc..07c44d8e60b 100644
--- a/ambari-server/src/main/resources/stacks/BIGTOP/3.2.0/properties/stack_packages.json
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.2.0/properties/stack_packages.json
@@ -524,6 +524,9 @@
"MAPREDUCE2": {
"packages": []
},
+ "RANGER_KMS": {
+ "packages": ["ranger-kms"]
+ },
"SPARK": {
"packages": [
"spark"
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/alerts.json b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/alerts.json
new file mode 100755
index 00000000000..05c3fe6e91e
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/alerts.json
@@ -0,0 +1,32 @@
+{
+ "RANGER_KMS": {
+ "service": [],
+ "RANGER_KMS_SERVER": [
+ {
+ "name": "ranger_kms_server_process",
+ "label": "Ranger KMS Server Process",
+ "description": "This host-level alert is triggered if the Ranger KMS Server cannot be determined to be up.",
+ "interval": 1,
+ "scope": "HOST",
+ "source": {
+ "type": "PORT",
+ "uri": "{{kms-env/kms_port}}",
+ "default_port": 9292,
+ "reporting": {
+ "ok": {
+ "text": "TCP OK - {0:.3f}s response on port {1}"
+ },
+ "warning": {
+ "text": "TCP OK - {0:.3f}s response on port {1}",
+ "value": 1.5
+ },
+ "critical": {
+ "text": "Connection failed: {0} to {1}:{2}",
+ "value": 5.0
+ }
+ }
+ }
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/configuration/dbks-site.xml b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/configuration/dbks-site.xml
new file mode 100755
index 00000000000..43c3e13624a
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/configuration/dbks-site.xml
@@ -0,0 +1,317 @@
+
+
+
+
+ hadoop.kms.blacklist.DECRYPT_EEK
+ hdfs
+ Blacklist for decrypt EncryptedKey CryptoExtension operations
+
+
+
+ ranger.db.encrypt.key.password
+ _
+ PASSWORD
+
+ password
+
+ Password used for encrypting Master Key
+
+
+
+ ranger.ks.jpa.jdbc.url
+ JDBC connect string
+ jdbc:mysql://localhost
+ URL for Database
+
+ false
+
+
+
+ kms-properties
+ DB_FLAVOR
+
+
+ kms-properties
+ db_host
+
+
+ kms-properties
+ db_name
+
+
+
+
+
+ ranger.ks.jpa.jdbc.user
+ {{db_user}}
+ Database username used for operation
+
+
+
+ ranger.ks.jpa.jdbc.password
+ _
+ PASSWORD
+
+ password
+
+ Database user's password
+
+
+
+ ranger.ks.jpa.jdbc.credential.provider.path
+ /etc/ranger/kms/rangerkms.jceks
+ Credential provider path
+
+
+
+ ranger.ks.jpa.jdbc.credential.alias
+ ranger.ks.jdbc.password
+ Credential alias used for password
+
+
+
+ ranger.ks.masterkey.credential.alias
+ ranger.ks.masterkey.password
+ Credential alias used for masterkey
+
+
+
+ ranger.ks.jpa.jdbc.dialect
+ {{jdbc_dialect}}
+ Dialect used for database
+
+
+
+ ranger.ks.jpa.jdbc.driver
+ Driver class name for a JDBC Ranger KMS database
+ com.mysql.jdbc.Driver
+ Driver used for database
+
+ false
+
+
+
+ kms-properties
+ DB_FLAVOR
+
+
+
+
+
+ ranger.ks.jdbc.sqlconnectorjar
+ {{ews_lib_jar_path}}
+ Driver used for database
+
+
+
+ ranger.ks.hsm.type
+ HSM Type
+ LunaProvider
+
+ false
+ value-list
+
+
+ LunaProvider
+
+
+
+
+ HSM type
+
+
+
+ ranger.ks.hsm.enabled
+ HSM Enabled
+ false
+ Enable HSM ?
+
+ true
+ value-list
+ false
+
+
+ true
+
+
+
+ false
+
+
+
+ 1
+
+
+
+
+ ranger.ks.hsm.partition.name
+ HSM partition name. In case of HSM HA enter the group name
+ par19
+
+
+
+
+ ranger.ks.hsm.partition.password
+ _
+ PASSWORD
+
+ password
+
+ HSM partition password
+
+
+
+ ranger.ks.hsm.partition.password.alias
+ HSM partition password alias
+ ranger.kms.hsm.partition.password
+ HSM partition password alias
+
+
+
+ ranger.ks.kerberos.principal
+
+
+
+ true
+
+
+
+
+ ranger.ks.kerberos.keytab
+
+
+
+ true
+
+
+
+
+
+
+
+
+
+ ranger.kms.keysecure.enabled
+ Keysecure Enabled
+ false
+ Enable Keysecure ?
+
+ false
+ value-list
+
+
+ true
+
+
+
+ false
+
+
+
+ 1
+
+
+
+
+
+ ranger.kms.keysecure.UserPassword.Authentication
+ Enable Keysecure User Password Authentication
+ true
+ Enable Keysecure User Password Authentication ?
+
+ false
+ value-list
+
+
+ true
+
+
+
+ false
+
+
+
+ 1
+
+
+
+
+
+ ranger.kms.keysecure.masterkey.name
+ Keysecure MasterKey Name
+
+ Enter Keysecure MasterKey Name
+
+
+
+
+ ranger.kms.keysecure.login.username
+ Keysecure Login Username
+
+ Enter Keysecure Login Username
+
+
+
+
+ ranger.kms.keysecure.login.password
+ Keysecure Login Password
+
+ PASSWORD
+ Keysecure Login Password
+
+ password
+
+
+
+
+
+ ranger.kms.keysecure.login.password.alias
+ Keysecure Login Password Alias
+ ranger.ks.login.password
+ Enter Keysecure Login Password Alias
+
+
+
+
+ ranger.kms.keysecure.hostname
+ Keysecure Hostname
+
+ Enter Keysecure Hostname
+
+
+
+
+ ranger.kms.keysecure.masterkey.size
+ Keysecure Masterkey Size
+ 256
+ Enter Keysecure Masterkey Size
+
+
+
+
+ ranger.kms.keysecure.sunpkcs11.cfg.filepath
+ Keysecure sunpkcs11 cfg filepath
+
+ Enter Keysecure sunpkcs11 cfg filepath
+
+
+
+
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/configuration/kms-env.xml b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/configuration/kms-env.xml
new file mode 100755
index 00000000000..f43e9a8f6e6
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/configuration/kms-env.xml
@@ -0,0 +1,166 @@
+
+
+
+
+ kms_user
+ Kms User
+ kms
+ USER
+ Kms username
+
+ user
+ false
+
+
+ kms-env
+ kms_group
+
+
+ cluster-env
+ user_group
+
+
+
+
+
+
+ kms_group
+ Kms group
+ kms
+ GROUP
+ Kms group
+
+ user
+
+
+
+
+ kms_log_dir
+ Ranger KMS Log Dir
+ /var/log/ranger/kms
+
+
+ directory
+ false
+
+
+
+
+ kms_port
+ 9292
+
+
+
+
+ ranger-kms-site
+ ranger.service.https.port
+
+
+ ranger-kms-site
+ ranger.service.https.attrib.ssl.enabled
+
+
+
+
+ create_db_user
+ Setup Database and Database User
+ true
+ If set to Yes, Ambari will create and setup Ranger Database and Database User. This will require to specify Database Admin user and password
+
+ false
+ value-list
+
+
+ true
+
+
+
+ false
+
+
+
+ 1
+
+
+
+
+ hsm_partition_password
+ HSM partition password
+
+ PASSWORD
+
+ password
+
+ HSM partition password
+
+
+
+ ranger_kms_pid_dir
+ Ranger KMS PID Dir
+ /var/run/ranger_kms
+
+
+ directory
+ false
+ true
+
+
+
+
+ content
+ kms-env template
+ This is the jinja template for Ranger KMS env
+
+ VALUE_FROM_PROPERTY_FILE
+
+ kms-env.sh.j2
+ text
+
+
+
+
+ ranger_kms_privelege_user_jdbc_url
+ JDBC connect string for root user
+ JDBC connect string - auto populated based on other values. This is to be used by root user
+ jdbc:mysql://localhost
+
+ false
+
+
+
+ kms-properties
+ DB_FLAVOR
+
+
+ kms-properties
+ db_host
+
+
+
+
+
+ ranger_kms_max_heap_size
+ 1g
+ Ranger KMS max heap size.
+ Ranger KMS maximum heap size limit.
+
+
+
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/configuration/kms-log4j.xml b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/configuration/kms-log4j.xml
new file mode 100755
index 00000000000..b88c7f22251
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/configuration/kms-log4j.xml
@@ -0,0 +1,118 @@
+
+
+
+
+ ranger_kms_log_maxfilesize
+ 256
+ The maximum size of backup file before the log is rotated
+ Ranger-kms Log: backup file size
+
+ MB
+
+
+
+
+ ranger_kms_log_maxbackupindex
+ 20
+ The number of backup files
+ Ranger-kms Log: # of backup files
+
+ int
+ 0
+
+
+
+
+ ranger_kms_audit_log_maxfilesize
+ 256
+ The maximum size of backup file before the log is rotated
+ Ranger-kms Audit Log: backup file size
+
+ MB
+
+
+
+
+ ranger_kms_audit_log_maxbackupindex
+ 20
+ The number of backup files
+ Ranger-kms Audit Log: # of backup files
+
+ int
+ 0
+
+
+
+
+ content
+ kms-log4j template
+ kms-log4j.properties
+
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License. See accompanying LICENSE file.
+#
+
+# If the Java System property 'kms.log.dir' is not defined at KMS start up time
+# Setup sets its value to '${kms.home}/logs'
+
+log4j.appender.kms=org.apache.log4j.DailyRollingFileAppender
+log4j.appender.kms.DatePattern='.'yyyy-MM-dd
+log4j.appender.kms.File=${kms.log.dir}/kms.log
+log4j.appender.kms.Append=true
+log4j.appender.kms.layout=org.apache.log4j.PatternLayout
+log4j.appender.kms.layout.ConversionPattern=%d{ISO8601} %-5p %c{1} - %m%n
+log4j.appender.kms.MaxFileSize={{ranger_kms_log_maxfilesize}}MB
+
+log4j.appender.kms-audit=org.apache.log4j.DailyRollingFileAppender
+log4j.appender.kms-audit.DatePattern='.'yyyy-MM-dd
+log4j.appender.kms-audit.File=${kms.log.dir}/kms-audit.log
+log4j.appender.kms-audit.Append=true
+log4j.appender.kms-audit.layout=org.apache.log4j.PatternLayout
+log4j.appender.kms-audit.layout.ConversionPattern=%d{ISO8601} %m%n
+log4j.appender.kms-audit.MaxFileSize={{ranger_kms_audit_log_maxfilesize}}MB
+
+log4j.logger.kms-audit=INFO, kms-audit
+log4j.additivity.kms-audit=false
+
+log4j.logger=INFO, kms
+log4j.additivity.kms=false
+log4j.rootLogger=INFO, kms
+log4j.logger.org.apache.hadoop.conf=ERROR
+log4j.logger.org.apache.hadoop=INFO
+log4j.logger.com.sun.jersey.server.wadl.generators.WadlGeneratorJAXBGrammarGenerator=OFF
+
+
+ content
+ false
+
+
+
+
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/configuration/kms-logback.xml b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/configuration/kms-logback.xml
new file mode 100644
index 00000000000..22312b0e7e6
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/configuration/kms-logback.xml
@@ -0,0 +1,31 @@
+
+
+
+
+ content
+ kms-logback.xml template
+ This is the jinja template for ranger kms logback.xml file
+
+ VALUE_FROM_PROPERTY_FILE
+
+ kms-logback.xml.j2
+ xml
+
+
+
+
\ No newline at end of file
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/configuration/kms-properties.xml b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/configuration/kms-properties.xml
new file mode 100755
index 00000000000..d2d4da559a0
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/configuration/kms-properties.xml
@@ -0,0 +1,166 @@
+
+
+
+
+ REPOSITORY_CONFIG_USERNAME
+ Repository config username
+ keyadmin
+
+
+
+
+ REPOSITORY_CONFIG_PASSWORD
+ Repository config password
+ keyadmin
+ PASSWORD
+
+
+ password
+
+
+
+
+ DB_FLAVOR
+ DB FLAVOR
+ MYSQL
+ The database type to be used
+
+ false
+ value-list
+
+
+ MYSQL
+
+
+
+ ORACLE
+
+
+
+ POSTGRES
+
+
+
+ MSSQL
+
+
+
+ SQLA
+
+
+
+ 1
+
+
+
+
+ SQL_CONNECTOR_JAR
+ SQL connector jar
+ {{driver_curl_target}}
+ Location of DB client library (please check the location of the jar file)
+
+ false
+
+
+
+ kms-properties
+ DB_FLAVOR
+
+
+
+
+
+ db_root_user
+ Database Administrator (DBA) username
+ root
+ Database admin user. This user should have DBA permission to create the Ranger Database and Ranger Database User
+
+ false
+
+
+
+
+ db_root_password
+ Database Administrator (DBA) password
+
+ PASSWORD
+ Database password for the database admin username
+
+ password
+ false
+
+
+
+
+ db_host
+ Ranger KMS DB host
+
+ Database host
+
+ false
+
+
+
+
+ db_name
+ Ranger KMS DB name
+ rangerkms
+ Database name
+
+ false
+
+
+
+
+ db_user
+ Ranger KMS DB username
+ rangerkms
+ Database username used for the Ranger KMS schema
+
+ false
+
+
+
+
+ db_password
+ Ranger KMS DB password
+
+ PASSWORD
+ Database password for the Ranger KMS schema
+
+ password
+ false
+
+
+
+
+ KMS_MASTER_KEY_PASSWD
+ KMS master key password
+
+ PASSWORD
+
+
+ password
+ false
+
+
+
+
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/configuration/kms-site.xml b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/configuration/kms-site.xml
new file mode 100755
index 00000000000..d84f0d25770
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/configuration/kms-site.xml
@@ -0,0 +1,107 @@
+
+
+
+
+ hadoop.kms.key.provider.uri
+ dbks://http@localhost:9292/kms
+ URI of the backing KeyProvider for the KMS.
+
+
+
+ hadoop.security.keystore.JavaKeyStoreProvider.password
+ none
+ If using the JavaKeyStoreProvider, the password for the keystore file.
+
+
+
+ hadoop.kms.cache.enable
+ true
+ Whether the KMS will act as a cache for the backing KeyProvider. When the cache is enabled, operations like getKeyVersion, getMetadata, and getCurrentKey will sometimes return cached data without consulting the backing KeyProvider. Cached values are flushed when keys are deleted or modified.
+
+
+
+
+ hadoop.kms.cache.timeout.ms
+ 600000
+ Expiry time for the KMS key version and key metadata cache, in milliseconds. This affects getKeyVersion and getMetadata.
+
+
+
+
+ hadoop.kms.current.key.cache.timeout.ms
+ 30000
+ Expiry time for the KMS current key cache, in milliseconds. This affects getCurrentKey operations.
+
+
+
+ hadoop.kms.audit.aggregation.window.ms
+ 10000
+ Duplicate audit log events within the aggregation window (specified in ms) are quashed to reduce log traffic. A single message for aggregated events is printed at the end of the window, along with a count of the number of aggregated events.
+
+
+
+ hadoop.kms.authentication.type
+ simple
+ Authentication type for the KMS. Can be either "simple" or "kerberos".
+
+
+
+
+ hadoop.kms.authentication.kerberos.name.rules
+ DEFAULT
+ Rules used to resolve Kerberos principal names.
+
+ multiLine
+
+
+
+
+ hadoop.kms.authentication.signer.secret.provider
+ random
+ Indicates how the secret to sign the authentication cookies will be stored. Options are 'random' (default), 'file' and 'zookeeper'. If using a setup with multiple KMS instances, 'zookeeper' should be used.
+
+
+
+
+ hadoop.kms.authentication.signer.secret.provider.zookeeper.path
+ /hadoop-kms/hadoop-auth-signature-secret
+ The Zookeeper ZNode path where the KMS instances will store and retrieve the secret from.
+
+
+
+ hadoop.kms.authentication.signer.secret.provider.zookeeper.connection.string
+ #HOSTNAME#:#PORT#,...
+ The Zookeeper connection string, a list of hostnames and port comma separated.
+
+
+
+ hadoop.kms.authentication.signer.secret.provider.zookeeper.auth.type
+ none
+ The Zookeeper authentication type, 'none' or 'sasl'. The 'none' is used for authentication using 'Client' loginContext & 'sasl' is used for authentication using 'ZKSignerSecretProviderClient' loginContext.
+
+
+
+ hadoop.kms.security.authorization.manager
+ org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizer
+
+
+
+
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/configuration/ranger-kms-audit.xml b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/configuration/ranger-kms-audit.xml
new file mode 100755
index 00000000000..518120c9f54
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/configuration/ranger-kms-audit.xml
@@ -0,0 +1,118 @@
+
+
+
+
+ xasecure.audit.is.enabled
+ true
+ Is Audit enabled?
+
+
+
+ xasecure.audit.destination.hdfs
+ true
+ Audit to HDFS
+ Is Audit to HDFS enabled?
+
+ boolean
+
+
+
+
+ xasecure.audit.destination.hdfs.dir
+ hdfs://NAMENODE_HOSTNAME:8020/ranger/audit
+ HDFS folder to write audit to, make sure the service user has requried permissions
+
+
+ core-site
+ fs.defaultFS
+
+
+
+
+
+ xasecure.audit.destination.hdfs.batch.filespool.dir
+ /var/log/ranger/kms/audit/hdfs/spool
+ /var/log/ranger/kms/audit/hdfs/spool
+
+
+
+ xasecure.audit.destination.solr
+ true
+ Audit to SOLR
+ Is Solr audit enabled?
+
+ boolean
+
+
+
+
+ xasecure.audit.destination.solr.batch.filespool.dir
+ /var/log/ranger/kms/audit/solr/spool
+ /var/log/ranger/kms/audit/solr/spool
+
+
+
+ xasecure.audit.provider.summary.enabled
+ false
+ Audit provider summary enabled
+ Enable Summary audit?
+
+ boolean
+
+
+
+
+ xasecure.audit.destination.solr.urls
+ {{ranger_audit_solr_urls}}
+ Solr URL
+
+ true
+
+
+
+ ranger-admin-site
+ ranger.audit.solr.urls
+
+
+
+
+
+ xasecure.audit.destination.solr.zookeepers
+ none
+ Solr Zookeeper string
+
+
+ ranger-admin-site
+ ranger.audit.solr.zookeepers
+
+
+
+
+
+ ranger.plugin.kms.ambari.cluster.name
+ {{cluster_name}}
+ Capture cluster name from where Ranger kms plugin is enabled.
+
+ true
+
+
+
+
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/configuration/ranger-kms-policymgr-ssl.xml b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/configuration/ranger-kms-policymgr-ssl.xml
new file mode 100755
index 00000000000..fa5e7bfa7b6
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/configuration/ranger-kms-policymgr-ssl.xml
@@ -0,0 +1,74 @@
+
+
+
+
+
+ xasecure.policymgr.clientssl.keystore.password
+ myKeyFilePassword
+ PASSWORD
+
+ password
+
+ password for keystore
+
+
+
+
+ xasecure.policymgr.clientssl.truststore.password
+ changeit
+ PASSWORD
+
+ password
+
+ java truststore password
+
+
+
+ xasecure.policymgr.clientssl.keystore.credential.file
+ jceks://file{{credential_file}}
+ java keystore credential file
+
+
+
+ xasecure.policymgr.clientssl.truststore.credential.file
+ jceks://file{{credential_file}}
+ java truststore credential file
+
+
+
+ xasecure.policymgr.clientssl.keystore
+
+ Java Keystore files
+
+ true
+
+
+
+
+ xasecure.policymgr.clientssl.truststore
+
+ java truststore file
+
+ true
+
+
+
+
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/configuration/ranger-kms-security.xml b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/configuration/ranger-kms-security.xml
new file mode 100755
index 00000000000..13adcb43eb8
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/configuration/ranger-kms-security.xml
@@ -0,0 +1,64 @@
+
+
+
+
+ ranger.plugin.kms.service.name
+ {{repo_name}}
+ Name of the Ranger service containing policies for this kms instance
+
+
+
+ ranger.plugin.kms.policy.source.impl
+ org.apache.ranger.admin.client.RangerAdminRESTClient
+ Class to retrieve policies from the source
+
+
+
+ ranger.plugin.kms.policy.rest.url
+ {{policymgr_mgr_url}}
+ URL to Ranger Admin
+
+
+
+ admin-properties
+ policymgr_external_url
+
+
+
+
+ ranger.plugin.kms.policy.rest.ssl.config.file
+ /etc/ranger/kms/conf/ranger-policymgr-ssl.xml
+ Path to the file containing SSL details to contact Ranger Admin
+
+
+
+ ranger.plugin.kms.policy.pollIntervalMs
+ 30000
+ How often to poll for changes in policies?
+
+
+
+ ranger.plugin.kms.policy.cache.dir
+ /etc/ranger/{{repo_name}}/policycache
+ Directory where Ranger policies are cached after successful retrieval from the source
+
+
+
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/configuration/ranger-kms-site.xml b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/configuration/ranger-kms-site.xml
new file mode 100755
index 00000000000..8d0a351a65b
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/configuration/ranger-kms-site.xml
@@ -0,0 +1,110 @@
+
+
+
+
+ ranger.service.host
+ {{kms_host}}
+
+
+
+ ranger.service.http.port
+ {{kms_port}}
+
+
+
+ ranger.service.https.port
+ 9393
+
+
+
+ ranger.service.shutdown.port
+ 7085
+
+
+
+ ranger.contextName
+ /kms
+
+
+
+ xa.webapp.dir
+ ./webapp
+
+
+
+ ranger.service.https.attrib.ssl.enabled
+ false
+
+
+ boolean
+
+
+
+
+ ranger.service.https.attrib.keystore.file
+ /etc/security/serverKeys/ranger-kms-keystore.jks
+
+
+
+
+ ranger.service.https.attrib.client.auth
+ want
+
+
+
+
+ ranger.service.https.attrib.keystore.keyalias
+ rangerkms
+
+
+
+
+ ranger.service.https.attrib.keystore.pass
+ rangerkms
+ PASSWORD
+
+ password
+
+
+
+
+
+ ranger.credential.provider.path
+ /etc/ranger/kms/rangerkms.jceks
+
+
+
+
+ ranger.service.https.attrib.keystore.credential.alias
+ keyStoreCredentialAlias
+
+
+
+
+ ajp.enabled
+ false
+
+
+
+ boolean
+
+
+
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/kerberos.json b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/kerberos.json
new file mode 100755
index 00000000000..1ef4568728f
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/kerberos.json
@@ -0,0 +1,81 @@
+{
+ "services": [
+ {
+ "name": "RANGER_KMS",
+ "identities": [
+ {
+ "name": "ranger_kms_spnego",
+ "reference": "/spnego",
+ "keytab": {
+ "configuration": "kms-site/hadoop.kms.authentication.kerberos.keytab"
+ }
+ }
+ ],
+ "auth_to_local_properties" : [
+ "kms-site/hadoop.kms.authentication.kerberos.name.rules"
+ ],
+ "configurations": [
+ {
+ "kms-site": {
+ "hadoop.kms.authentication.type": "kerberos",
+ "hadoop.kms.authentication.kerberos.principal": "*"
+ }
+ },
+ {
+ "ranger-kms-audit": {
+ "xasecure.audit.jaas.Client.loginModuleName": "com.sun.security.auth.module.Krb5LoginModule",
+ "xasecure.audit.jaas.Client.loginModuleControlFlag": "required",
+ "xasecure.audit.jaas.Client.option.useKeyTab": "true",
+ "xasecure.audit.jaas.Client.option.storeKey": "false",
+ "xasecure.audit.jaas.Client.option.serviceName": "solr",
+ "xasecure.audit.destination.solr.force.use.inmemory.jaas.config": "true"
+ }
+ }
+ ],
+ "components": [
+ {
+ "name": "RANGER_KMS_SERVER",
+ "identities": [
+ {
+ "name": "ranger_kms_ranger_kms_server_spnego",
+ "reference": "/spnego",
+ "principal": {
+ "configuration": "kms-site/hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.principal"
+ },
+ "keytab": {
+ "configuration": "kms-site/hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.keytab"
+ }
+ },
+ {
+ "name": "rangerkms",
+ "principal": {
+ "value": "rangerkms/_HOST@${realm}",
+ "type" : "service",
+ "configuration": "dbks-site/ranger.ks.kerberos.principal",
+ "local_username" : "keyadmin"
+ },
+ "keytab": {
+ "file": "${keytab_dir}/rangerkms.service.keytab",
+ "owner": {
+ "name": "${kms-env/kms_user}",
+ "access": "r"
+ },
+ "configuration": "dbks-site/ranger.ks.kerberos.keytab"
+ }
+ },
+ {
+ "name": "ranger_kms_ranger_kms_server_rangerkms",
+ "reference": "/RANGER_KMS/RANGER_KMS_SERVER/rangerkms",
+ "principal": {
+ "configuration": "ranger-kms-audit/xasecure.audit.jaas.Client.option.principal"
+ },
+ "keytab": {
+ "configuration": "ranger-kms-audit/xasecure.audit.jaas.Client.option.keyTab"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/metainfo.xml b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/metainfo.xml
new file mode 100755
index 00000000000..378d06419a0
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/metainfo.xml
@@ -0,0 +1,127 @@
+
+
+
+ 2.0
+
+
+ RANGER_KMS
+ Ranger KMS
+ Key Management Server
+ 2.4.0
+
+
+
+ RANGER_KMS_SERVER
+ Ranger KMS Server
+ MASTER
+ 1+
+ true
+
+
+ PYTHON
+ 600
+
+
+
+ ranger_kms
+ true
+
+
+
+
+ HDFS/HDFS_CLIENT
+ host
+
+ true
+
+
+
+
+
+
+
+
+
+ redhat9,redhat8,redhat7,amazonlinux2,redhat6,suse11,suse12
+
+
+ ranger_${stack_version}-kms
+
+
+
+
+ debian7,debian9,ubuntu12,ubuntu14,ubuntu16,ubuntu18
+
+
+ ranger-${stack_version}-kms
+
+
+
+
+
+
+ kms-properties
+ kms-site
+ kms-log4j
+ kms-logback
+ dbks-site
+ ranger-kms-site
+ ranger-kms-audit
+ ranger-kms-policymgr-ssl
+ ranger-kms-security
+ kms-env
+ core-site
+ hdfs-site
+
+
+
+
+ PYTHON
+ 300
+
+
+
+ RANGER
+ HDFS
+
+
+
+
+ credentials.json
+ true
+
+
+ database.json
+ true
+
+
+ directories.json
+ true
+
+
+ theme_version_2.json
+ true
+
+
+
+
+
+
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/package/scripts/kms.py b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/package/scripts/kms.py
new file mode 100755
index 00000000000..c4c9bc6f0cb
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/package/scripts/kms.py
@@ -0,0 +1,744 @@
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+
+import sys
+import fileinput
+import os
+import ambari_simplejson as json # simplejson is much faster comparing to Python 2.6 json module and has the same functions set.
+import urllib.request, urllib.error, urllib.parse, base64, http.client
+from io import StringIO as BytesIO
+from datetime import datetime
+from resource_management.core.resources.system import File, Directory, Execute
+from resource_management.libraries.resources.xml_config import XmlConfig
+from resource_management.libraries.resources.modify_properties_file import ModifyPropertiesFile
+from resource_management.core.source import DownloadSource, Template, InlineTemplate
+from resource_management.core.exceptions import Fail
+from resource_management.core.logger import Logger
+from resource_management.libraries.functions.is_empty import is_empty
+from resource_management.libraries.functions.default import default
+from resource_management.libraries.functions.format import format
+from resource_management.libraries.functions.generate_logfeeder_input_config import generate_logfeeder_input_config
+from resource_management.libraries.functions.ranger_functions import Rangeradmin
+from resource_management.libraries.functions.ranger_functions_v2 import RangeradminV2
+from resource_management.libraries.functions.decorator import safe_retry
+from resource_management.core.utils import PasswordString
+from resource_management.core.shell import as_sudo
+import re
+import time
+import socket
+
+def password_validation(password, key):
+ import params
+ if password.strip() == "":
+ raise Fail("Blank password is not allowed for {0} property. Please enter valid password.".format(key))
+ if re.search("[\\\`'\"]",password):
+ raise Fail("{0} password contains one of the unsupported special characters like \" ' \ `".format(key))
+ else:
+ Logger.info("Password validated")
+
+def setup_kms_db(stack_version=None):
+ import params
+ ranger_kms_setup_marker = params.ranger_kms_setup_marker
+ if os.path.exists(ranger_kms_setup_marker):
+ return
+
+ if params.has_ranger_admin:
+
+ kms_home = params.kms_home
+
+ if stack_version is not None:
+ kms_home = format("{stack_root}/{stack_version}/ranger-kms")
+
+ password_validation(params.kms_master_key_password, 'KMS master key')
+
+ copy_jdbc_connector(kms_home)
+
+ env_dict = {'RANGER_KMS_HOME':kms_home, 'JAVA_HOME': params.java_home}
+ if params.db_flavor.lower() == 'sqla':
+ env_dict = {'RANGER_KMS_HOME':kms_home, 'JAVA_HOME': params.java_home, 'LD_LIBRARY_PATH':params.ld_library_path}
+
+ dba_setup = format('ambari-python-wrap {kms_home}/dba_script.py -q')
+ db_setup = format('ambari-python-wrap {kms_home}/db_setup.py')
+
+ if params.create_db_user:
+ Logger.info('Setting up Ranger KMS DB and DB User')
+ Execute(dba_setup, environment=env_dict, logoutput=True, user=params.kms_user, tries=5, try_sleep=10)
+ else:
+ Logger.info('Separate DBA property not set. Assuming Ranger KMS DB and DB User exists!')
+ Execute(db_setup, environment=env_dict, logoutput=True, user=params.kms_user, tries=5, try_sleep=10)
+
+ File(ranger_kms_setup_marker,
+ owner = params.kms_user,
+ group = params.kms_group,
+ mode = 0o640
+ )
+
+
+def setup_java_patch():
+ import params
+
+ if params.has_ranger_admin:
+
+ kms_home = params.kms_home
+ setup_java_patch = format('ambari-python-wrap {kms_home}/db_setup.py -javapatch')
+
+ env_dict = {'RANGER_KMS_HOME':kms_home, 'JAVA_HOME': params.java_home}
+ if params.db_flavor.lower() == 'sqla':
+ env_dict = {'RANGER_KMS_HOME':kms_home, 'JAVA_HOME': params.java_home, 'LD_LIBRARY_PATH':params.ld_library_path}
+
+ Execute(setup_java_patch, environment=env_dict, logoutput=True, user=params.kms_user, tries=5, try_sleep=10)
+
+ kms_lib_path = params.kms_lib_path
+ files = os.listdir(kms_lib_path)
+ hadoop_jar_files = []
+
+ for x in files:
+ if x.startswith('hadoop-common') and x.endswith('.jar'):
+ hadoop_jar_files.append(x)
+
+ if len(hadoop_jar_files) != 0:
+ for f in hadoop_jar_files:
+ Execute((format('{java_home}/bin/jar'),'-uf', format('{kms_lib_path}/{f}'), format('{kms_home}/ews/webapp/META-INF/services/org.apache.hadoop.crypto.key.KeyProviderFactory')),
+ user=params.kms_user)
+
+ File(format('{kms_lib_path}/{f}'), owner=params.kms_user, group=params.kms_group)
+
+def do_keystore_setup(cred_provider_path, credential_alias, credential_password):
+ import params
+
+ if cred_provider_path is not None:
+ java_bin = format('{java_home}/bin/java')
+ file_path = format('jceks://file{cred_provider_path}')
+ cmd = (java_bin, '-cp', params.cred_lib_path, 'org.apache.ranger.credentialapi.buildks', 'create', credential_alias, '-value', PasswordString(credential_password), '-provider', file_path)
+ Execute(cmd,
+ environment={'JAVA_HOME': params.java_home},
+ logoutput=True,
+ sudo=True,
+ )
+
+ File(cred_provider_path,
+ owner = params.kms_user,
+ group = params.kms_group,
+ only_if = format("test -e {cred_provider_path}"),
+ mode = 0o640
+ )
+
+ dot_jceks_crc_file_path = os.path.join(os.path.dirname(cred_provider_path), "." + os.path.basename(cred_provider_path) + ".crc")
+
+ File(dot_jceks_crc_file_path,
+ owner = params.kms_user,
+ group = params.kms_group,
+ only_if = format("test -e {dot_jceks_crc_file_path}"),
+ mode = 0o640
+ )
+
+def kms(upgrade_type=None):
+ import params
+
+ if params.has_ranger_admin:
+
+ #ranger2.3.0
+ Directory(format('{kms_home}/ews/webapp/META-INF/services/org.apache.hadoop.crypto.key.KeyProviderFactory'),
+ mode = 0o755,
+ owner = params.kms_user,
+ group = params.kms_group,
+ recursive_ownership = True,
+ create_parents = True
+ )
+
+ Directory(params.kms_conf_dir,
+ owner = params.kms_user,
+ group = params.kms_group,
+ create_parents = True
+ )
+
+ Directory("/etc/security/serverKeys",
+ create_parents = True,
+ cd_access = "a"
+ )
+
+ Directory("/etc/ranger/kms",
+ create_parents = True,
+ owner = params.kms_user,
+ group = params.kms_group
+ )
+
+ copy_jdbc_connector(params.kms_home)
+
+ File(format("/usr/lib/ambari-agent/{check_db_connection_jar_name}"),
+ content = DownloadSource(format("{jdk_location}/{check_db_connection_jar_name}")),
+ mode = 0o644,
+ )
+
+ cp = format("{check_db_connection_jar}")
+ if params.db_flavor.lower() == 'sqla':
+ cp = cp + os.pathsep + format("{params.kms_lib_path}/sajdbc4.jar")
+ else:
+ path_to_jdbc = format("{params.kms_lib_path}/{jdbc_jar_name}")
+ if not os.path.isfile(path_to_jdbc):
+ path_to_jdbc = format("{kms_home}/ews/lib/") + \
+ params.default_connectors_map[params.db_flavor.lower()] if params.db_flavor.lower() in params.default_connectors_map else None
+ if not os.path.isfile(path_to_jdbc):
+ path_to_jdbc = format("{params.kms_lib_path}/") + "*"
+ error_message = "Error! Sorry, but we can't find jdbc driver with default name " + params.default_connectors_map[params.db_flavor] + \
+ " in ranger kms lib dir. So, db connection check can fail. Please run 'ambari-server setup --jdbc-db={db_name} --jdbc-driver={path_to_jdbc} on server host.'"
+ Logger.error(error_message)
+
+ cp = cp + os.pathsep + path_to_jdbc
+
+ db_connection_check_command = format(
+ "{java_home}/bin/java -cp {cp} org.apache.ambari.server.DBConnectionVerification '{ranger_kms_jdbc_connection_url}' {db_user} {db_password!p} {ranger_kms_jdbc_driver}")
+
+ env_dict = {}
+ if params.db_flavor.lower() == 'sqla':
+ env_dict = {'LD_LIBRARY_PATH':params.ld_library_path}
+
+ Execute(db_connection_check_command, path='/usr/sbin:/sbin:/usr/local/bin:/bin:/usr/bin', tries=5, try_sleep=10, environment=env_dict)
+
+ if params.xa_audit_db_is_enabled and params.driver_source is not None and not params.driver_source.endswith("/None"):
+ if params.xa_previous_jdbc_jar and os.path.isfile(params.xa_previous_jdbc_jar):
+ File(params.xa_previous_jdbc_jar, action='delete')
+
+ File(params.downloaded_connector_path,
+ content = DownloadSource(params.driver_source),
+ mode = 0o644
+ )
+
+ Execute(('cp', '--remove-destination', params.downloaded_connector_path, params.driver_target),
+ path=["/bin", "/usr/bin/"],
+ sudo=True)
+
+ File(params.driver_target, mode=0o644)
+
+ Directory(os.path.join(params.kms_home, 'ews', 'webapp', 'WEB-INF', 'classes', 'lib'),
+ mode=0o755,
+ owner=params.kms_user,
+ group=params.kms_group
+ )
+
+ Execute(('cp',format('{kms_home}/ranger-kms-initd'),'/etc/init.d/ranger-kms'),
+ not_if=format('ls /etc/init.d/ranger-kms'),
+ only_if=format('ls {kms_home}/ranger-kms-initd'),
+ sudo=True)
+
+ File('/etc/init.d/ranger-kms',
+ mode = 0o755
+ )
+
+ Directory(format('{kms_home}/'),
+ owner = params.kms_user,
+ group = params.kms_group,
+ recursive_ownership = True,
+ )
+
+ Directory(params.ranger_kms_pid_dir,
+ mode = 0o755,
+ owner = params.kms_user,
+ group = params.user_group,
+ cd_access = "a",
+ create_parents = True
+ )
+
+ Directory(params.kms_log_dir,
+ owner = params.kms_user,
+ group = params.kms_group,
+ cd_access = 'a',
+ create_parents = True,
+ mode = 0o755
+ )
+
+ generate_logfeeder_input_config('ranger-kms', Template("input.config-ranger-kms.json.j2", extra_imports=[default]))
+
+ File(format('{kms_conf_dir}/ranger-kms-env.sh'),
+ content = InlineTemplate(params.kms_env_content),
+ owner = params.kms_user,
+ group = params.kms_group,
+ mode = 0o755
+ )
+
+ Execute(('ln','-sf', format('{kms_home}/ranger-kms'),'/usr/bin/ranger-kms'),
+ not_if=format('ls /usr/bin/ranger-kms'),
+ only_if=format('ls {kms_home}/ranger-kms'),
+ sudo=True)
+
+ File('/usr/bin/ranger-kms', mode = 0o755)
+
+ Execute(('ln','-sf', format('{kms_home}/ranger-kms'),'/usr/bin/ranger-kms-services.sh'),
+ not_if=format('ls /usr/bin/ranger-kms-services.sh'),
+ only_if=format('ls {kms_home}/ranger-kms'),
+ sudo=True)
+
+ File('/usr/bin/ranger-kms-services.sh', mode = 0o755)
+
+ Execute(('ln','-sf', format('{kms_home}/ranger-kms-initd'),format('{kms_home}/ranger-kms-services.sh')),
+ not_if=format('ls {kms_home}/ranger-kms-services.sh'),
+ only_if=format('ls {kms_home}/ranger-kms-initd'),
+ sudo=True)
+
+ File(format('{kms_home}/ranger-kms-services.sh'), mode = 0o755)
+
+ do_keystore_setup(params.credential_provider_path, params.jdbc_alias, params.db_password)
+ do_keystore_setup(params.credential_provider_path, params.masterkey_alias, params.kms_master_key_password)
+ if params.stack_support_kms_hsm and params.enable_kms_hsm:
+ do_keystore_setup(params.credential_provider_path, params.hms_partition_alias, str(params.hms_partition_passwd))
+ if params.stack_supports_ranger_kms_ssl and params.ranger_kms_ssl_enabled:
+ do_keystore_setup(params.ranger_kms_cred_ssl_path, params.ranger_kms_ssl_keystore_alias, params.ranger_kms_ssl_passwd)
+ if params.enable_kms_keysecure and not is_empty(params.keysecure_login_password) and params.keysecure_login_password != "_":
+ do_keystore_setup(params.credential_provider_path, params.keysecure_login_password_alias, params.keysecure_login_password)
+
+ # remove plain-text password from xml configs
+ dbks_site_copy = {}
+ dbks_site_copy.update(params.config['configurations']['dbks-site'])
+
+ for prop in params.dbks_site_password_properties:
+ if prop in dbks_site_copy:
+ dbks_site_copy[prop] = "_"
+
+ XmlConfig("dbks-site.xml",
+ conf_dir=params.kms_conf_dir,
+ configurations=dbks_site_copy,
+ configuration_attributes=params.config['configurationAttributes']['dbks-site'],
+ owner=params.kms_user,
+ group=params.kms_group,
+ mode=0o644
+ )
+
+ ranger_kms_site_copy = {}
+ ranger_kms_site_copy.update(params.config['configurations']['ranger-kms-site'])
+ if params.stack_supports_ranger_kms_ssl:
+ # remove plain-text password from xml configs
+ for prop in params.ranger_kms_site_password_properties:
+ if prop in ranger_kms_site_copy:
+ ranger_kms_site_copy[prop] = "_"
+
+ XmlConfig("ranger-kms-site.xml",
+ conf_dir=params.kms_conf_dir,
+ configurations=ranger_kms_site_copy,
+ configuration_attributes=params.config['configurationAttributes']['ranger-kms-site'],
+ owner=params.kms_user,
+ group=params.kms_group,
+ mode=0o644
+ )
+
+ kms_site_copy = {}
+ kms_site_copy.update(params.config['configurations']['kms-site'])
+
+ if 'hadoop.kms.ha.authentication.kerberos.keytab' in kms_site_copy:
+ kms_site_copy['hadoop.kms.authentication.kerberos.keytab'] = kms_site_copy['hadoop.kms.ha.authentication.kerberos.keytab']
+
+ XmlConfig("kms-site.xml",
+ conf_dir=params.kms_conf_dir,
+ configurations=kms_site_copy,
+ configuration_attributes=params.config['configurationAttributes']['kms-site'],
+ owner=params.kms_user,
+ group=params.kms_group,
+ mode=0o644
+ )
+
+ File(os.path.join(params.kms_conf_dir, "kms-log4j.properties"),
+ owner=params.kms_user,
+ group=params.kms_group,
+ content=InlineTemplate(params.kms_log4j),
+ mode=0o644
+ )
+
+
+ File(format("{params.kms_conf_dir}/kms-logback.xml"),
+ content=InlineTemplate(params.kms_logback_content),
+ owner=params.kms_user,
+ group=params.kms_group,
+ mode=0o644
+ )
+
+ # core-site.xml linking required by setup for HDFS encryption
+ XmlConfig("core-site.xml",
+ conf_dir=params.kms_conf_dir,
+ configurations=params.config['configurations']['core-site'],
+ configuration_attributes=params.config['configurationAttributes']['core-site'],
+ owner=params.kms_user,
+ group=params.kms_group,
+ mode=0o644,
+ xml_include_file=params.mount_table_xml_inclusion_file_full_path
+ )
+
+ if params.mount_table_content:
+ File(params.mount_table_xml_inclusion_file_full_path,
+ owner=params.kms_user,
+ group=params.kms_group,
+ content=params.mount_table_content,
+ mode=0o644
+ )
+
+def copy_jdbc_connector(kms_home):
+ import params
+
+ path_to_jdbc = format("{params.kms_lib_path}/{jdbc_jar_name}")
+ if not os.path.isfile(path_to_jdbc):
+ path_to_jdbc = format("{params.kms_lib_path}/") + \
+ params.default_connectors_map[params.db_flavor.lower()] if params.db_flavor.lower() in params.default_connectors_map else None
+
+ if params.jdbc_jar_name is None and params.driver_curl_source.endswith("/None"):
+ error_message = f"Error! Sorry, but we can't find jdbc driver related to {params.db_flavor} database to download from {params.jdk_location}. \
+ Please run 'ambari-server setup --jdbc-db={params.db_name} --jdbc-driver={path_to_jdbc} on server host.'"
+ Logger.error(error_message)
+
+ if params.driver_curl_source and not params.driver_curl_source.endswith("/None"):
+ if params.previous_jdbc_jar and os.path.isfile(params.previous_jdbc_jar):
+ File(params.previous_jdbc_jar, action='delete')
+
+ driver_curl_target = format("{params.kms_lib_path}/{jdbc_jar_name}")
+
+ File(params.downloaded_custom_connector,
+ content = DownloadSource(params.driver_curl_source),
+ mode = 0o644
+ )
+
+
+ Directory(params.kms_lib_path,
+ mode=0o755
+ )
+
+ # Directory(os.path.join(kms_home, 'ews',"webapp" ,'lib'),
+ # mode=0o755
+ # )
+
+ if params.db_flavor.lower() == 'sqla':
+ Execute(('tar', '-xvf', params.downloaded_custom_connector, '-C', params.tmp_dir), sudo = True)
+
+ Execute(('cp', '--remove-destination', params.jar_path_in_archive, os.path.join(params.kms_lib_path, params.jdbc_jar_name)),
+ path=["/bin", "/usr/bin/"],
+ sudo=True)
+
+ Directory(params.jdbc_libs_dir,
+ cd_access="a",
+ create_parents=True)
+
+ Execute(as_sudo(['yes', '|', 'cp', params.libs_path_in_archive, params.jdbc_libs_dir], auto_escape=False),
+ path=["/bin", "/usr/bin/"])
+
+ File(os.path.join(params.kms_lib_path, 'sajdbc4.jar'), mode=0o644)
+ else:
+ Execute(('cp', '--remove-destination', params.downloaded_custom_connector, os.path.join(params.kms_lib_path, params.jdbc_jar_name)),
+ path=["/bin", "/usr/bin/"],
+ sudo=True)
+
+ File(os.path.join(params.kms_lib_path, params.jdbc_jar_name), mode=0o644)
+
+ ModifyPropertiesFile(format("{kms_home}/install.properties"),
+ properties = params.config['configurations']['kms-properties'],
+ owner = params.kms_user
+ )
+
+ if params.db_flavor.lower() == 'sqla':
+ ModifyPropertiesFile(format("{kms_home}/install.properties"),
+ properties = {'SQL_CONNECTOR_JAR': format('{params.kms_lib_path}/sajdbc4.jar')},
+ owner = params.kms_user,
+ )
+ else:
+ ModifyPropertiesFile(format("{kms_home}/install.properties"),
+ properties = {'SQL_CONNECTOR_JAR': format('{driver_curl_target}')},
+ owner = params.kms_user,
+ )
+
+def enable_kms_plugin():
+
+ import params
+
+ if params.has_ranger_admin:
+
+ ranger_flag = False
+
+ if params.stack_supports_ranger_kerberos and params.security_enabled:
+ if not is_empty(params.rangerkms_principal) and params.rangerkms_principal != '':
+ ranger_flag = check_ranger_service_support_kerberos(params.kms_user, params.rangerkms_keytab, params.rangerkms_principal)
+ else:
+ ranger_flag = check_ranger_service_support_kerberos(params.kms_user, params.spengo_keytab, params.spnego_principal)
+ else:
+ ranger_flag = check_ranger_service()
+
+ if not ranger_flag:
+ Logger.error('Error in Get/Create service for Ranger Kms.')
+
+ current_datetime = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
+
+ File(format('{kms_conf_dir}/ranger-security.xml'),
+ owner = params.kms_user,
+ group = params.kms_group,
+ mode = 0o644,
+ content = format('\n{current_datetime}\n')
+ )
+
+ Directory([os.path.join('/etc', 'ranger', params.repo_name), os.path.join('/etc', 'ranger', params.repo_name, 'policycache')],
+ owner = params.kms_user,
+ group = params.kms_group,
+ mode=0o775,
+ create_parents = True
+ )
+
+ File(os.path.join('/etc', 'ranger', params.repo_name, 'policycache',format('kms_{repo_name}.json')),
+ owner = params.kms_user,
+ group = params.kms_group,
+ mode = 0o644
+ )
+
+ # remove plain-text password from xml configs
+ plugin_audit_properties_copy = {}
+ plugin_audit_properties_copy.update(params.config['configurations']['ranger-kms-audit'])
+
+ if params.plugin_audit_password_property in plugin_audit_properties_copy:
+ plugin_audit_properties_copy[params.plugin_audit_password_property] = "crypted"
+
+ XmlConfig("ranger-kms-audit.xml",
+ conf_dir=params.kms_conf_dir,
+ configurations=plugin_audit_properties_copy,
+ configuration_attributes=params.config['configurationAttributes']['ranger-kms-audit'],
+ owner=params.kms_user,
+ group=params.kms_group,
+ mode=0o744)
+
+ XmlConfig("ranger-kms-security.xml",
+ conf_dir=params.kms_conf_dir,
+ configurations=params.config['configurations']['ranger-kms-security'],
+ configuration_attributes=params.config['configurationAttributes']['ranger-kms-security'],
+ owner=params.kms_user,
+ group=params.kms_group,
+ mode=0o744)
+
+ # remove plain-text password from xml configs
+ ranger_kms_policymgr_ssl_copy = {}
+ ranger_kms_policymgr_ssl_copy.update(params.config['configurations']['ranger-kms-policymgr-ssl'])
+
+ for prop in params.kms_plugin_password_properties:
+ if prop in ranger_kms_policymgr_ssl_copy:
+ ranger_kms_policymgr_ssl_copy[prop] = "crypted"
+
+ XmlConfig("ranger-policymgr-ssl.xml",
+ conf_dir=params.kms_conf_dir,
+ configurations=ranger_kms_policymgr_ssl_copy,
+ configuration_attributes=params.config['configurationAttributes']['ranger-kms-policymgr-ssl'],
+ owner=params.kms_user,
+ group=params.kms_group,
+ mode=0o744)
+
+ if params.xa_audit_db_is_enabled:
+ cred_setup = params.cred_setup_prefix + ('-f', params.credential_file, '-k', 'auditDBCred', '-v', PasswordString(params.xa_audit_db_password), '-c', '1')
+ Execute(cred_setup, environment={'JAVA_HOME': params.java_home}, logoutput=True, sudo=True)
+
+ cred_setup = params.cred_setup_prefix + ('-f', params.credential_file, '-k', 'sslKeyStore', '-v', PasswordString(params.ssl_keystore_password), '-c', '1')
+ Execute(cred_setup, environment={'JAVA_HOME': params.java_home}, logoutput=True, sudo=True)
+
+ cred_setup = params.cred_setup_prefix + ('-f', params.credential_file, '-k', 'sslTrustStore', '-v', PasswordString(params.ssl_truststore_password), '-c', '1')
+ Execute(cred_setup, environment={'JAVA_HOME': params.java_home}, logoutput=True, sudo=True)
+
+ File(params.credential_file,
+ owner = params.kms_user,
+ group = params.kms_group,
+ only_if = format("test -e {credential_file}"),
+ mode = 0o640
+ )
+
+ dot_jceks_crc_file_path = os.path.join(os.path.dirname(params.credential_file), "." + os.path.basename(params.credential_file) + ".crc")
+
+ File(dot_jceks_crc_file_path,
+ owner = params.kms_user,
+ group = params.kms_group,
+ only_if = format("test -e {dot_jceks_crc_file_path}"),
+ mode = 0o640
+ )
+
+ # create ranger kms audit directory
+ if params.xa_audit_hdfs_is_enabled and params.has_namenode and params.has_hdfs_client_on_node:
+ try:
+ params.HdfsResource("/ranger/audit",
+ type="directory",
+ action="create_on_execute",
+ owner=params.hdfs_user,
+ group=params.hdfs_user,
+ mode=0o755,
+ recursive_chmod=True
+ )
+ params.HdfsResource("/ranger/audit/kms",
+ type="directory",
+ action="create_on_execute",
+ owner=params.kms_user,
+ group=params.kms_group,
+ mode=0o750,
+ recursive_chmod=True
+ )
+ params.HdfsResource(None, action="execute")
+ except Exception as err:
+ Logger.exception("Audit directory creation in HDFS for RANGER KMS Ranger plugin failed with error:\n{0}".format(err))
+
+ if params.xa_audit_hdfs_is_enabled and len(params.namenode_host) > 1:
+ Logger.info('Audit to Hdfs enabled in NameNode HA environment, creating hdfs-site.xml')
+ XmlConfig("hdfs-site.xml",
+ conf_dir=params.kms_conf_dir,
+ configurations=params.config['configurations']['hdfs-site'],
+ configuration_attributes=params.config['configurationAttributes']['hdfs-site'],
+ owner=params.kms_user,
+ group=params.kms_group,
+ mode=0o644
+ )
+ else:
+ File(format('{kms_conf_dir}/hdfs-site.xml'), action="delete")
+
+def setup_kms_jce():
+ import params
+
+ if params.jce_name is not None:
+ Directory(params.jce_source_dir,
+ create_parents = True
+ )
+
+ jce_target = format('{jce_source_dir}/{jce_name}')
+
+ File(jce_target,
+ content = DownloadSource(format('{jdk_location}/{jce_name}')),
+ mode = 0o644,
+ )
+
+ File([format("{java_home}/jre/lib/security/local_policy.jar"), format("{java_home}/jre/lib/security/US_export_policy.jar")],
+ action = "delete",
+ )
+
+ unzip_cmd = ("unzip", "-o", "-j", "-q", jce_target, "-d", format("{java_home}/jre/lib/security"))
+
+ Execute(unzip_cmd,
+ only_if = format("test -e {java_home}/jre/lib/security && test -f {jce_target}"),
+ path = ['/bin/','/usr/bin'],
+ sudo = True
+ )
+ else:
+ Logger.warning("Required jce policy zip is not available, need to setup manually")
+
+def check_ranger_service():
+ import params
+
+ policymgr_mgr_url = params.policymgr_mgr_url
+ if policymgr_mgr_url.endswith('/'):
+ policymgr_mgr_url = policymgr_mgr_url.rstrip('/')
+ ranger_adm_obj = Rangeradmin(url=policymgr_mgr_url)
+ ambari_username_password_for_ranger = format("{ambari_ranger_admin}:{ambari_ranger_password}")
+ response_code = ranger_adm_obj.check_ranger_login_urllib2(policymgr_mgr_url)
+
+ if response_code is not None and response_code == 200:
+ user_resp_code = ranger_adm_obj.create_ambari_admin_user(params.ambari_ranger_admin, params.ambari_ranger_password, params.admin_uname_password)
+ if user_resp_code is not None and user_resp_code == 200:
+ get_repo_flag = get_repo(policymgr_mgr_url, params.repo_name, ambari_username_password_for_ranger)
+ if not get_repo_flag:
+ return create_repo(policymgr_mgr_url, json.dumps(params.kms_ranger_plugin_repo), ambari_username_password_for_ranger)
+ else:
+ return True
+ else:
+ return False
+ else:
+ Logger.error('Ranger service is not reachable')
+ return False
+
+@safe_retry(times=5, sleep_time=8, backoff_factor=1.5, err_class=Fail, return_on_fail=False)
+def create_repo(url, data, usernamepassword):
+ try:
+ base_url = url + '/service/public/v2/api/service'
+ base64string = base64.b64encode(usernamepassword.encode()).decode().replace('\n', '')
+ headers = {
+ 'Accept': 'application/json',
+ "Content-Type": "application/json"
+ }
+ request = urllib.request.Request(base_url, data.encode(), headers)
+ request.add_header("Authorization", "Basic {0}".format(base64string))
+ result = urllib.request.urlopen(request, timeout=20)
+ response_code = result.getcode()
+ response = json.loads(json.JSONEncoder().encode(result.read()))
+ if response_code == 200:
+ Logger.info('Repository created Successfully')
+ return True
+ else:
+ Logger.info('Repository not created')
+ return False
+ except urllib.error.URLError as e:
+ if isinstance(e, urllib.error.HTTPError):
+ raise Fail("Error creating service. Http status code - {0}. \n {1}".format(e.code, e.read()))
+ else:
+ raise Fail("Error creating service. Reason - {0}.".format(e.reason))
+ except socket.timeout as e:
+ raise Fail("Error creating service. Reason - {0}".format(e))
+
+@safe_retry(times=5, sleep_time=8, backoff_factor=1.5, err_class=Fail, return_on_fail=False)
+def get_repo(url, name, usernamepassword):
+ try:
+ base_url = url + '/service/public/v2/api/service?serviceName=' + name + '&serviceType=kms&isEnabled=true'
+ request = urllib.request.Request(base_url)
+ base64string = base64.b64encode(usernamepassword.encode()).decode().replace('\n', '')
+ request.add_header("Content-Type", "application/json")
+ request.add_header("Accept", "application/json")
+ request.add_header("Authorization", "Basic {0}".format(base64string))
+ result = urllib.request.urlopen(request, timeout=20)
+ response_code = result.getcode()
+ response = json.loads(result.read())
+ if response_code == 200 and len(response) > 0:
+ for repo in response:
+ if repo.get('name').lower() == name.lower() and 'name' in repo:
+ Logger.info('KMS repository exist')
+ return True
+ else:
+ Logger.info('KMS repository doesnot exist')
+ return False
+ else:
+ Logger.info('KMS repository doesnot exist')
+ return False
+ except urllib.error.URLError as e:
+ if isinstance(e, urllib.error.HTTPError):
+ raise Fail("Error getting {0} service. Http status code - {1}. \n {2}".format(name, e.code, e.read()))
+ else:
+ raise Fail("Error getting {0} service. Reason - {1}.".format(name, e.reason))
+ except socket.timeout as e:
+ raise Fail("Error creating service. Reason - {0}".format(e))
+
+def check_ranger_service_support_kerberos(user, keytab, principal):
+ import params
+
+ policymgr_mgr_url = params.policymgr_mgr_url
+ if policymgr_mgr_url.endswith('/'):
+ policymgr_mgr_url = policymgr_mgr_url.rstrip('/')
+ ranger_adm_obj = RangeradminV2(url=policymgr_mgr_url)
+ response_code = ranger_adm_obj.check_ranger_login_curl(user, keytab, principal, policymgr_mgr_url, True)
+
+ if response_code is not None and response_code[0] == 200:
+ get_repo_name_response = ranger_adm_obj.get_repository_by_name_curl(user, keytab, principal, params.repo_name, 'kms', 'true', is_keyadmin = True)
+ if get_repo_name_response is not None:
+ Logger.info('KMS repository {0} exist'.format(get_repo_name_response['name']))
+ return True
+ else:
+ create_repo_response = ranger_adm_obj.create_repository_curl(user, keytab, principal, params.repo_name, json.dumps(params.kms_ranger_plugin_repo), None, is_keyadmin = True)
+ if create_repo_response is not None and len(create_repo_response) > 0:
+ return True
+ else:
+ return False
+ else:
+ Logger.error('Ranger service is not reachable')
+ return False
+
+def update_password_configs():
+ import params
+
+ ModifyPropertiesFile(format("{kms_home}/install.properties"),
+ properties = {'db_root_password': '_', 'db_password': '_', 'KMS_MASTER_KEY_PASSWD': '_', 'REPOSITORY_CONFIG_PASSWORD': '_'},
+ owner = params.kms_user,
+ )
\ No newline at end of file
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/package/scripts/kms_server.py b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/package/scripts/kms_server.py
new file mode 100755
index 00000000000..b07677e5b42
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/package/scripts/kms_server.py
@@ -0,0 +1,135 @@
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+from resource_management.core.exceptions import Fail
+from resource_management.libraries.functions.check_process_status import check_process_status
+from resource_management.libraries.functions import stack_select
+from resource_management.libraries.functions import upgrade_summary
+from resource_management.libraries.functions.constants import Direction
+from resource_management.libraries.script import Script
+from resource_management.core.resources.system import Execute, File
+from resource_management.core.exceptions import ComponentIsNotRunning
+from resource_management.libraries.functions.format import format
+from resource_management.core.logger import Logger
+from resource_management.core import shell
+from resource_management.libraries.functions.default import default
+from kms_service import kms_service
+import upgrade
+import os
+import kms
+
+class KmsServer(Script):
+
+ def install(self, env):
+ self.install_packages(env)
+ import params
+ env.set_params(params)
+
+ # taking backup of install.properties file
+ Execute(('cp', '-f', format('{kms_home}/install.properties'), format('{kms_home}/install-backup.properties')),
+ not_if = format('ls {kms_home}/install-backup.properties'),
+ only_if = format('ls {kms_home}/install.properties'),
+ sudo = True
+ )
+
+ def stop(self, env, upgrade_type=None):
+ import params
+
+ env.set_params(params)
+ kms_service(action = 'stop', upgrade_type=upgrade_type)
+ if params.stack_supports_pid:
+ File(params.ranger_kms_pid_file,
+ action = "delete"
+ )
+
+ def start(self, env, upgrade_type=None):
+ import params
+
+ env.set_params(params)
+ self.configure(env)
+ kms.enable_kms_plugin()
+ kms.setup_kms_jce()
+ kms.update_password_configs()
+ kms_service(action = 'start', upgrade_type=upgrade_type)
+
+ def status(self, env):
+ import status_params
+ env.set_params(status_params)
+
+ if status_params.stack_supports_pid:
+ check_process_status(status_params.ranger_kms_pid_file)
+ return
+
+ cmd = 'ps -ef | grep proc_rangerkms | grep -v grep'
+ code, output = shell.call(cmd, timeout=20)
+ if code != 0:
+ Logger.debug('KMS process not running')
+ raise ComponentIsNotRunning()
+ pass
+
+ def configure(self, env):
+ import params
+ kms.setup_kms_db()
+ env.set_params(params)
+ kms.kms()
+ if not os.path.exists(params.ranger_kms_setup_marker):
+ kms.setup_java_patch()
+
+ def pre_upgrade_restart(self, env, upgrade_type=None):
+ import params
+ env.set_params(params)
+
+ upgrade.prestart(env)
+ kms.kms(upgrade_type=upgrade_type)
+ kms.setup_java_patch()
+
+ def post_upgrade_restart(self, env, upgrade_type = None):
+ import params
+ env.set_params(params)
+
+ if upgrade_type and params.upgrade_direction == Direction.UPGRADE and not params.stack_supports_multiple_env_sh_files:
+ files_name_list = ['ranger-kms-env-piddir.sh', 'ranger-kms-env-logdir.sh']
+ for file_name in files_name_list:
+ File(format("{kms_conf_dir}/{file_name}"),
+ action = "delete"
+ )
+
+ def setup_ranger_kms_database(self, env):
+ import params
+ env.set_params(params)
+
+ upgrade_stack = stack_select._get_upgrade_stack()
+ if upgrade_stack is None:
+ raise Fail('Unable to determine the stack and stack version')
+
+ stack_version = upgrade_stack[1]
+ target_version = upgrade_summary.get_target_version("RANGER_KMS", default_version = stack_version)
+ Logger.info(format('Setting Ranger KMS database schema, using version {target_version}'))
+ kms.setup_kms_db(stack_version = target_version)
+
+ def get_log_folder(self):
+ import params
+ return params.kms_log_dir
+
+ def get_user(self):
+ import params
+ return params.kms_user
+
+if __name__ == "__main__":
+ KmsServer().execute()
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/package/scripts/kms_service.py b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/package/scripts/kms_service.py
new file mode 100755
index 00000000000..2ff48c3e974
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/package/scripts/kms_service.py
@@ -0,0 +1,58 @@
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+
+from resource_management.core.resources.system import Execute, File
+from resource_management.core import shell
+from resource_management.libraries.functions.format import format
+from resource_management.core.exceptions import ComponentIsNotRunning
+from resource_management.core.logger import Logger
+from resource_management.libraries.functions.show_logs import show_logs
+from ambari_commons.constants import UPGRADE_TYPE_NON_ROLLING, UPGRADE_TYPE_ROLLING
+from resource_management.libraries.functions.constants import Direction
+import os
+
+def kms_service(action='start', upgrade_type=None):
+ import params
+
+ env_dict = {'JAVA_HOME': params.java_home}
+ if params.db_flavor.lower() == 'sqla':
+ env_dict = {'JAVA_HOME': params.java_home, 'LD_LIBRARY_PATH': params.ld_library_path}
+
+ if action == 'start':
+ no_op_test = format('ps -ef | grep proc_rangerkms | grep -v grep')
+ cmd = format('{kms_home}/ranger-kms start')
+ try:
+ Execute(cmd, not_if=no_op_test, environment=env_dict, user=format('{kms_user}'))
+ except:
+ show_logs(params.kms_log_dir, params.kms_user)
+ raise
+ elif action == 'stop':
+ if upgrade_type == UPGRADE_TYPE_NON_ROLLING and params.upgrade_direction == Direction.UPGRADE:
+ if os.path.isfile(format('{kms_home}/ranger-kms')):
+ File(format('{kms_home}/ranger-kms'),
+ owner=params.kms_user,
+ group = params.kms_group
+ )
+ cmd = format('{kms_home}/ranger-kms stop')
+ try:
+ Execute(cmd, environment=env_dict, user=format('{kms_user}'))
+ except:
+ show_logs(params.kms_log_dir, params.kms_user)
+ raise
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/package/scripts/params.py b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/package/scripts/params.py
new file mode 100755
index 00000000000..dd0ea26feb2
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/package/scripts/params.py
@@ -0,0 +1,375 @@
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+import os
+from resource_management.libraries.functions import conf_select
+from resource_management.libraries.script import Script
+from resource_management.libraries.functions.version import format_stack_version
+from resource_management.libraries.functions.format import format
+from resource_management.libraries.functions.default import default
+from resource_management.libraries.functions.stack_features import check_stack_feature
+from resource_management.libraries.functions.stack_features import get_stack_feature_version
+from resource_management.libraries.functions import StackFeature
+from resource_management.libraries.functions.get_bare_principal import get_bare_principal
+from resource_management.libraries.functions.is_empty import is_empty
+from resource_management.libraries.functions.setup_ranger_plugin_xml import generate_ranger_service_config
+from resource_management.libraries.resources.hdfs_resource import HdfsResource
+from resource_management.libraries.functions import stack_select
+from resource_management.libraries.functions import get_kinit_path
+from resource_management.core.exceptions import Fail
+
+config = Script.get_config()
+tmp_dir = Script.get_tmp_dir()
+stack_root = Script.get_stack_root()
+
+stack_name = default("/clusterLevelParams/stack_name", None)
+version = default("/commandParams/version", None)
+upgrade_direction = default("/commandParams/upgrade_direction", None)
+
+stack_version_unformatted = config['clusterLevelParams']['stack_version']
+stack_version_formatted = format_stack_version(stack_version_unformatted)
+
+# get the correct version to use for checking stack features
+version_for_stack_feature_checks = get_stack_feature_version(config)
+
+stack_supports_config_versioning = check_stack_feature(StackFeature.CONFIG_VERSIONING, version_for_stack_feature_checks)
+stack_support_kms_hsm = check_stack_feature(StackFeature.RANGER_KMS_HSM_SUPPORT, version_for_stack_feature_checks)
+stack_supports_ranger_kerberos = check_stack_feature(StackFeature.RANGER_KERBEROS_SUPPORT, version_for_stack_feature_checks)
+stack_supports_pid = check_stack_feature(StackFeature.RANGER_KMS_PID_SUPPORT, version_for_stack_feature_checks)
+stack_supports_ranger_audit_db = check_stack_feature(StackFeature.RANGER_AUDIT_DB_SUPPORT, version_for_stack_feature_checks)
+stack_supports_ranger_kms_ssl = check_stack_feature(StackFeature.RANGER_KMS_SSL, version_for_stack_feature_checks)
+stack_supports_multiple_env_sh_files = check_stack_feature(StackFeature.MULTIPLE_ENV_SH_FILES_SUPPORT, version_for_stack_feature_checks)
+
+hadoop_conf_dir = conf_select.get_hadoop_conf_dir()
+security_enabled = config['configurations']['cluster-env']['security_enabled']
+
+#if stack_supports_config_versioning:
+kms_home = format('{stack_root}/current/ranger-kms')
+kms_conf_dir = format('{stack_root}/current/ranger-kms/conf')
+ranger_kms_setup_marker = os.path.join(kms_conf_dir, "kms_setup")
+
+kms_lib_path = format('{kms_home}/ews/lib/')
+kms_log_dir = default("/configurations/kms-env/kms_log_dir", "/var/log/ranger/kms")
+java_home = config['ambariLevelParams']['java_home']
+kms_user = default("/configurations/kms-env/kms_user", "kms")
+kms_group = default("/configurations/kms-env/kms_group", "kms")
+
+ranger_kms_audit_log_maxfilesize = default('/configurations/kms-log4j/ranger_kms_audit_log_maxfilesize',256)
+ranger_kms_audit_log_maxbackupindex = default('/configurations/kms-log4j/ranger_kms_audit_log_maxbackupindex',20)
+ranger_kms_log_maxfilesize = default('/configurations/kms-log4j/ranger_kms_log_maxfilesize',256)
+ranger_kms_log_maxbackupindex = default('/configurations/kms-log4j/ranger_kms_log_maxbackupindex',20)
+
+jdk_location = config['ambariLevelParams']['jdk_location']
+kms_log4j = config['configurations']['kms-log4j']['content']
+
+# ranger host
+ranger_admin_hosts = config['clusterHostInfo']['ranger_admin_hosts']
+has_ranger_admin = len(ranger_admin_hosts) > 0
+ranger_kms_hosts = config['clusterHostInfo']['ranger_kms_server_hosts']
+if len(ranger_kms_hosts) > 1:
+ kms_hosts = ";".join(ranger_kms_hosts)
+else:
+ kms_hosts = ranger_kms_hosts[0]
+kms_port = config['configurations']['kms-env']['kms_port']
+
+create_db_user = config['configurations']['kms-env']['create_db_user']
+
+#kms properties
+db_flavor = (config['configurations']['kms-properties']['DB_FLAVOR']).lower()
+db_host = config['configurations']['kms-properties']['db_host']
+db_name = config['configurations']['kms-properties']['db_name']
+db_user = config['configurations']['kms-properties']['db_user']
+db_password = str(config['configurations']['kms-properties']['db_password'])
+kms_master_key_password = str(config['configurations']['kms-properties']['KMS_MASTER_KEY_PASSWD'])
+credential_provider_path = config['configurations']['dbks-site']['ranger.ks.jpa.jdbc.credential.provider.path']
+jdbc_alias = config['configurations']['dbks-site']['ranger.ks.jpa.jdbc.credential.alias']
+masterkey_alias = config['configurations']['dbks-site']['ranger.ks.masterkey.credential.alias']
+repo_name = str(config['clusterName']) + '_kms'
+repo_name_value = config['configurations']['ranger-kms-security']['ranger.plugin.kms.service.name']
+if not is_empty(repo_name_value) and repo_name_value != "{{repo_name}}":
+ repo_name = repo_name_value
+cred_lib_path = os.path.join(kms_home,"cred","lib","*")
+cred_setup_prefix = (format('{kms_home}/ranger_credential_helper.py'), '-l', cred_lib_path)
+credential_file = format('/etc/ranger/{repo_name}/cred.jceks')
+
+
+#kms logback
+kms_logback_content = config['configurations']['kms-logback']['content']
+
+# ranger kms ssl enabled config
+ranger_kms_ssl_enabled = config['configurations']['ranger-kms-site']['ranger.service.https.attrib.ssl.enabled']
+url_scheme = "http"
+if ranger_kms_ssl_enabled:
+ url_scheme = "https"
+
+if has_ranger_admin:
+ policymgr_mgr_url = config['configurations']['admin-properties']['policymgr_external_url']
+ if 'admin-properties' in config['configurations'] and 'policymgr_external_url' in config['configurations']['admin-properties'] and policymgr_mgr_url.endswith('/'):
+ policymgr_mgr_url = policymgr_mgr_url.rstrip('/')
+ xa_audit_db_flavor = (config['configurations']['admin-properties']['DB_FLAVOR']).lower()
+ xa_audit_db_name = default('/configurations/admin-properties/audit_db_name', 'ranger_audits')
+ xa_audit_db_user = default('/configurations/admin-properties/audit_db_user', 'rangerlogger')
+ xa_audit_db_password = ''
+ if not is_empty(config['configurations']['admin-properties']['audit_db_password']) and stack_supports_ranger_audit_db:
+ xa_audit_db_password = config['configurations']['admin-properties']['audit_db_password']
+ xa_db_host = config['configurations']['admin-properties']['db_host']
+
+ admin_uname = config['configurations']['ranger-env']['admin_username']
+ admin_password = config['configurations']['ranger-env']['admin_password']
+ ambari_ranger_admin = config['configurations']['ranger-env']['ranger_admin_username']
+ ambari_ranger_password = config['configurations']['ranger-env']['ranger_admin_password']
+ admin_uname_password = format("{admin_uname}:{admin_password}")
+ ranger_audit_solr_urls = config['configurations']['ranger-admin-site']['ranger.audit.solr.urls']
+
+default_connectors_map = { "mssql":"sqljdbc4.jar",
+ "mysql":"mysql-connector-java.jar",
+ "postgres":"postgresql-jdbc.jar",
+ "oracle":"ojdbc.jar",
+ "sqla":"sajdbc4.jar"}
+
+java_share_dir = '/usr/share/java'
+jdbc_jar_name = None
+previous_jdbc_jar_name = None
+if db_flavor == 'mysql':
+ jdbc_jar_name = default("/ambariLevelParams/custom_mysql_jdbc_name", None)
+ previous_jdbc_jar_name = default("/ambariLevelParams/previous_custom_mysql_jdbc_name", None)
+ db_jdbc_url = format('jdbc:log4jdbc:mysql://{db_host}/{db_name}')
+ db_jdbc_driver = "com.mysql.jdbc.Driver"
+ jdbc_dialect = "org.eclipse.persistence.platform.database.MySQLPlatform"
+elif db_flavor == 'oracle':
+ jdbc_jar_name = default("/ambariLevelParams/custom_oracle_jdbc_name", None)
+ previous_jdbc_jar_name = default("/ambariLevelParams/previous_custom_oracle_jdbc_name", None)
+ colon_count = db_host.count(':')
+ if colon_count == 2 or colon_count == 0:
+ db_jdbc_url = format('jdbc:oracle:thin:@{db_host}')
+ else:
+ db_jdbc_url = format('jdbc:oracle:thin:@//{db_host}')
+ db_jdbc_driver = "oracle.jdbc.OracleDriver"
+ jdbc_dialect = "org.eclipse.persistence.platform.database.OraclePlatform"
+elif db_flavor == 'postgres':
+ jdbc_jar_name = default("/ambariLevelParams/custom_postgres_jdbc_name", None)
+ previous_jdbc_jar_name = default("/ambariLevelParams/previous_custom_postgres_jdbc_name", None)
+ db_jdbc_url = format('jdbc:postgresql://{db_host}/{db_name}')
+ db_jdbc_driver = "org.postgresql.Driver"
+ jdbc_dialect = "org.eclipse.persistence.platform.database.PostgreSQLPlatform"
+elif db_flavor == 'mssql':
+ jdbc_jar_name = default("/ambariLevelParams/custom_mssql_jdbc_name", None)
+ previous_jdbc_jar_name = default("/ambariLevelParams/previous_custom_mssql_jdbc_name", None)
+ db_jdbc_url = format('jdbc:sqlserver://{db_host};databaseName={db_name}')
+ db_jdbc_driver = "com.microsoft.sqlserver.jdbc.SQLServerDriver"
+ jdbc_dialect = "org.eclipse.persistence.platform.database.SQLServerPlatform"
+elif db_flavor == 'sqla':
+ jdbc_jar_name = default("/ambariLevelParams/custom_sqlanywhere_jdbc_name", None)
+ previous_jdbc_jar_name = default("/ambariLevelParams/previous_custom_sqlanywhere_jdbc_name", None)
+ db_jdbc_url = format('jdbc:sqlanywhere:database={db_name};host={db_host}')
+ db_jdbc_driver = "sap.jdbc4.sqlanywhere.IDriver"
+ jdbc_dialect = "org.eclipse.persistence.platform.database.SQLAnywherePlatform"
+else: raise Fail(format("'{db_flavor}' db flavor not supported."))
+
+downloaded_custom_connector = format("{tmp_dir}/{jdbc_jar_name}")
+
+driver_curl_source = format("{jdk_location}/{jdbc_jar_name}")
+driver_curl_target = format("{kms_lib_path}/{jdbc_jar_name}")
+previous_jdbc_jar = format("{kms_lib_path}/{previous_jdbc_jar_name}")
+ews_lib_jar_path = format("{kms_lib_path}/{jdbc_jar_name}")
+
+if db_flavor == 'sqla':
+ downloaded_custom_connector = format("{tmp_dir}/sqla-client-jdbc.tar.gz")
+ jar_path_in_archive = format("{tmp_dir}/sqla-client-jdbc/java/sajdbc4.jar")
+ libs_path_in_archive = format("{tmp_dir}/sqla-client-jdbc/native/lib64/*")
+ jdbc_libs_dir = format("{kms_home}/native/lib64")
+ ld_library_path = format("{jdbc_libs_dir}")
+
+if has_ranger_admin:
+ xa_previous_jdbc_jar_name = None
+ if stack_supports_ranger_audit_db:
+ if xa_audit_db_flavor == 'mysql':
+ jdbc_jar = default("/ambariLevelParams/custom_mysql_jdbc_name", None)
+ xa_previous_jdbc_jar_name = default("/ambariLevelParams/previous_custom_mysql_jdbc_name", None)
+ audit_jdbc_url = format('jdbc:mysql://{xa_db_host}/{xa_audit_db_name}')
+ jdbc_driver = "com.mysql.jdbc.Driver"
+ elif xa_audit_db_flavor == 'oracle':
+ jdbc_jar = default("/ambariLevelParams/custom_oracle_jdbc_name", None)
+ xa_previous_jdbc_jar_name = default("/ambariLevelParams/previous_custom_oracle_jdbc_name", None)
+ colon_count = xa_db_host.count(':')
+ if colon_count == 2 or colon_count == 0:
+ audit_jdbc_url = format('jdbc:oracle:thin:@{xa_db_host}')
+ else:
+ audit_jdbc_url = format('jdbc:oracle:thin:@//{xa_db_host}')
+ jdbc_driver = "oracle.jdbc.OracleDriver"
+ elif xa_audit_db_flavor == 'postgres':
+ jdbc_jar = default("/ambariLevelParams/custom_postgres_jdbc_name", None)
+ xa_previous_jdbc_jar_name = default("/ambariLevelParams/previous_custom_postgres_jdbc_name", None)
+ audit_jdbc_url = format('jdbc:postgresql://{xa_db_host}/{xa_audit_db_name}')
+ jdbc_driver = "org.postgresql.Driver"
+ elif xa_audit_db_flavor == 'mssql':
+ jdbc_jar = default("/ambariLevelParams/custom_mssql_jdbc_name", None)
+ xa_previous_jdbc_jar_name = default("/ambariLevelParams/previous_custom_mssql_jdbc_name", None)
+ audit_jdbc_url = format('jdbc:sqlserver://{xa_db_host};databaseName={xa_audit_db_name}')
+ jdbc_driver = "com.microsoft.sqlserver.jdbc.SQLServerDriver"
+ elif xa_audit_db_flavor == 'sqla':
+ jdbc_jar = default("/ambariLevelParams/custom_sqlanywhere_jdbc_name", None)
+ xa_previous_jdbc_jar_name = default("/ambariLevelParams/previous_custom_sqlanywhere_jdbc_name", None)
+ audit_jdbc_url = format('jdbc:sqlanywhere:database={xa_audit_db_name};host={xa_db_host}')
+ jdbc_driver = "sap.jdbc4.sqlanywhere.IDriver"
+ else: raise Fail(format("'{xa_audit_db_flavor}' db flavor not supported."))
+
+ downloaded_connector_path = format("{tmp_dir}/{jdbc_jar}") if stack_supports_ranger_audit_db else None
+ driver_source = format("{jdk_location}/{jdbc_jar}") if stack_supports_ranger_audit_db else None
+ driver_target = format("{kms_lib_path}/{jdbc_jar}") if stack_supports_ranger_audit_db else None
+ xa_previous_jdbc_jar = format("{kms_lib_path}/{previous_jdbc_jar_name}") if stack_supports_ranger_audit_db else None
+
+repo_config_username = config['configurations']['kms-properties']['REPOSITORY_CONFIG_USERNAME']
+repo_config_password = str(config['configurations']['kms-properties']['REPOSITORY_CONFIG_PASSWORD'])
+
+kms_plugin_config = {
+ 'username' : repo_config_username,
+ 'password' : repo_config_password,
+ 'provider' : format('kms://{url_scheme}@{kms_hosts}:{kms_port}/kms')
+}
+
+xa_audit_db_is_enabled = False
+if stack_supports_ranger_audit_db:
+ xa_audit_db_is_enabled = config['configurations']['ranger-kms-audit']['xasecure.audit.destination.db']
+ssl_keystore_password = str(config['configurations']['ranger-kms-policymgr-ssl']['xasecure.policymgr.clientssl.keystore.password'])
+ssl_truststore_password = str(config['configurations']['ranger-kms-policymgr-ssl']['xasecure.policymgr.clientssl.truststore.password'])
+
+#For SQLA explicitly disable audit to DB for Ranger
+if xa_audit_db_flavor == 'sqla':
+ xa_audit_db_is_enabled = False
+
+current_host = config['agentLevelParams']['hostname']
+if current_host in ranger_kms_hosts:
+ kms_host = current_host
+
+check_db_connection_jar_name = "DBConnectionVerification.jar"
+check_db_connection_jar = format("/usr/lib/ambari-agent/{check_db_connection_jar_name}")
+ranger_kms_jdbc_connection_url = config['configurations']['dbks-site']['ranger.ks.jpa.jdbc.url']
+ranger_kms_jdbc_driver = config['configurations']['dbks-site']['ranger.ks.jpa.jdbc.driver']
+
+jce_name = default("/ambariLevelParams/jce_name", None)
+jce_source_dir = format('{tmp_dir}/jce_dir')
+
+#kms hsm support
+enable_kms_hsm = default("/configurations/dbks-site/ranger.ks.hsm.enabled", False)
+hms_partition_alias = default("/configurations/dbks-site/ranger.ks.hsm.partition.password.alias", "ranger.kms.hsm.partition.password")
+hms_partition_passwd = default("/configurations/kms-env/hsm_partition_password", None)
+
+# kms kerberos from stack 2.5 onward
+rangerkms_bare_principal = 'rangerkms'
+
+if stack_supports_ranger_kerberos:
+ if security_enabled:
+ rangerkms_principal = config['configurations']['dbks-site']['ranger.ks.kerberos.principal']
+ rangerkms_keytab = config['configurations']['dbks-site']['ranger.ks.kerberos.keytab']
+ if not is_empty(rangerkms_principal) and rangerkms_principal != '':
+ rangerkms_bare_principal = get_bare_principal(rangerkms_principal)
+ rangerkms_principal = rangerkms_principal.replace('_HOST', kms_host.lower())
+ kms_plugin_config['policy.download.auth.users'] = format('keyadmin,{rangerkms_bare_principal}')
+
+custom_ranger_service_config = generate_ranger_service_config(config['configurations']['kms-properties'])
+if len(custom_ranger_service_config) > 0:
+ kms_plugin_config.update(custom_ranger_service_config)
+
+kms_ranger_plugin_repo = {
+ 'isEnabled' : 'true',
+ 'configs' : kms_plugin_config,
+ 'description' : 'kms repo',
+ 'name' : repo_name,
+ 'type' : 'kms'
+}
+
+# ranger kms pid
+user_group = config['configurations']['cluster-env']['user_group']
+ranger_kms_pid_dir = default("/configurations/kms-env/ranger_kms_pid_dir", "/var/run/ranger_kms")
+ranger_kms_pid_file = format('{ranger_kms_pid_dir}/rangerkms.pid')
+
+if security_enabled:
+ spengo_keytab = config['configurations']['kms-site']['hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.keytab']
+ spnego_principal = config['configurations']['kms-site']['hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.principal']
+ spnego_principal = spnego_principal.replace('_HOST', current_host.lower())
+
+plugin_audit_password_property = 'xasecure.audit.destination.db.password'
+kms_plugin_password_properties = ['xasecure.policymgr.clientssl.keystore.password', 'xasecure.policymgr.clientssl.truststore.password']
+dbks_site_password_properties = ['ranger.db.encrypt.key.password', 'ranger.ks.jpa.jdbc.password', 'ranger.ks.hsm.partition.password', 'ranger.kms.keysecure.login.password']
+ranger_kms_site_password_properties = ['ranger.service.https.attrib.keystore.pass']
+ranger_kms_cred_ssl_path = config['configurations']['ranger-kms-site']['ranger.credential.provider.path']
+ranger_kms_ssl_keystore_alias = config['configurations']['ranger-kms-site']['ranger.service.https.attrib.keystore.credential.alias']
+ranger_kms_ssl_passwd = config['configurations']['ranger-kms-site']['ranger.service.https.attrib.keystore.pass']
+
+xa_audit_hdfs_is_enabled = default("/configurations/ranger-kms-audit/xasecure.audit.destination.hdfs", False)
+namenode_host = default("/clusterHostInfo/namenode_hosts", [])
+
+# need this to capture cluster name from where ranger kms plugin is enabled
+cluster_name = config['clusterName']
+
+has_namenode = len(namenode_host) > 0
+
+hdfs_user = default("/configurations/hadoop-env/hdfs_user", None)
+hdfs_user_keytab = default("/configurations/hadoop-env/hdfs_user_keytab", None)
+hdfs_principal_name = default("/configurations/hadoop-env/hdfs_principal_name", None)
+default_fs = default("/configurations/core-site/fs.defaultFS", None)
+hdfs_site = config['configurations']['hdfs-site'] if has_namenode else None
+hadoop_bin_dir = stack_select.get_hadoop_dir("bin") if has_namenode else None
+kinit_path_local = get_kinit_path(default('/configurations/kerberos-env/executable_search_paths', None))
+dfs_type = default("/clusterLevelParams/dfs_type", "")
+
+import functools
+# create partial functions with common arguments for every HdfsResource call
+# to create/delete hdfs directory/file/copyfromlocal we need to call params.HdfsResource in code
+HdfsResource = functools.partial(
+ HdfsResource,
+ user=hdfs_user,
+ security_enabled = security_enabled,
+ keytab = hdfs_user_keytab,
+ kinit_path_local = kinit_path_local,
+ hadoop_bin_dir = hadoop_bin_dir,
+ hadoop_conf_dir = hadoop_conf_dir,
+ principal_name = hdfs_principal_name,
+ hdfs_site = hdfs_site,
+ default_fs = default_fs,
+ dfs_type = dfs_type,
+)
+
+local_component_list = default("/localComponents", [])
+has_hdfs_client_on_node = 'HDFS_CLIENT' in local_component_list
+
+kms_env_content = config['configurations']['kms-env']['content']
+
+# zookeeper principal
+zookeeper_principal = default("/configurations/zookeeper-env/zookeeper_principal_name", "zookeeper@EXAMPLE.COM")
+zookeeper_principal_primary = get_bare_principal(zookeeper_principal)
+
+mount_table_xml_inclusion_file_full_path = None
+mount_table_content = None
+if 'viewfs-mount-table' in config['configurations']:
+ xml_inclusion_file_name = 'viewfs-mount-table.xml'
+ mount_table = config['configurations']['viewfs-mount-table']
+
+ if 'content' in mount_table and mount_table['content'].strip():
+ mount_table_xml_inclusion_file_full_path = os.path.join(kms_conf_dir, xml_inclusion_file_name)
+ mount_table_content = mount_table['content']
+
+# Ranger KMS Service maximum heap size configurations
+ranger_kms_max_heap_size=default('/configurations/kms-env/ranger_kms_max_heap_size','1g')
+
+# ranger kms keysecure support
+enable_kms_keysecure = default("/configurations/dbks-site/ranger.kms.keysecure.enabled", False)
+keysecure_login_password = config['configurations']['dbks-site']['ranger.kms.keysecure.login.password']
+keysecure_login_password_alias = config['configurations']['dbks-site']['ranger.kms.keysecure.login.password.alias']
\ No newline at end of file
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/package/scripts/service_check.py b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/package/scripts/service_check.py
new file mode 100755
index 00000000000..84e4e737d08
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/package/scripts/service_check.py
@@ -0,0 +1,41 @@
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+
+from resource_management.libraries.script import Script
+from resource_management.core.logger import Logger
+from resource_management.core import shell
+from resource_management.core.exceptions import ComponentIsNotRunning
+
+
+class KmsServiceCheck(Script):
+ def service_check(self, env):
+ import params
+
+ env.set_params(params)
+ cmd = 'ps -ef | grep proc_rangerkms | grep -v grep'
+ code, output = shell.call(cmd, timeout=20)
+ if code == 0:
+ Logger.info('KMS process up and running')
+ else:
+ Logger.debug('KMS process not running')
+ raise ComponentIsNotRunning()
+
+if __name__ == "__main__":
+ KmsServiceCheck().execute()
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/package/scripts/status_params.py b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/package/scripts/status_params.py
new file mode 100755
index 00000000000..2f6f505d82d
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/package/scripts/status_params.py
@@ -0,0 +1,36 @@
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+
+from resource_management.libraries.script import Script
+from resource_management.libraries.functions.format import format
+from resource_management.libraries.functions.default import default
+from resource_management.libraries.functions.version import format_stack_version
+from resource_management.libraries.functions.stack_features import check_stack_feature
+from resource_management.libraries.functions import StackFeature
+
+config = Script.get_config()
+tmp_dir = Script.get_tmp_dir()
+
+stack_name = default("/clusterLevelParams/stack_name", None)
+stack_version_unformatted = config['clusterLevelParams']['stack_version']
+stack_version_formatted = format_stack_version(stack_version_unformatted)
+stack_supports_pid = stack_version_formatted and check_stack_feature(StackFeature.RANGER_KMS_PID_SUPPORT, stack_version_formatted)
+ranger_kms_pid_dir = default("/configurations/kms-env/ranger_kms_pid_dir", "/var/run/ranger_kms")
+ranger_kms_pid_file = format('{ranger_kms_pid_dir}/rangerkms.pid')
\ No newline at end of file
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/package/scripts/upgrade.py b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/package/scripts/upgrade.py
new file mode 100755
index 00000000000..465d54e5adf
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/package/scripts/upgrade.py
@@ -0,0 +1,29 @@
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+from resource_management.core.resources.system import Execute
+from resource_management.libraries.functions import conf_select
+from resource_management.libraries.functions import stack_select
+from resource_management.libraries.functions.format import format
+
+def prestart(env):
+ import params
+
+ if params.version and params.stack_supports_config_versioning:
+ stack_select.select_packages(params.version)
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/package/templates/input.config-ranger-kms.json.j2 b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/package/templates/input.config-ranger-kms.json.j2
new file mode 100755
index 00000000000..306fade7bae
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/package/templates/input.config-ranger-kms.json.j2
@@ -0,0 +1,48 @@
+{#
+ # Licensed to the Apache Software Foundation (ASF) under one
+ # or more contributor license agreements. See the NOTICE file
+ # distributed with this work for additional information
+ # regarding copyright ownership. The ASF licenses this file
+ # to you under the Apache License, Version 2.0 (the
+ # "License"); you may not use this file except in compliance
+ # with the License. You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+ #}
+{
+ "input":[
+ {
+ "type":"ranger_kms",
+ "rowtype":"service",
+ "path":"{{default('/configurations/kms-env/kms_log_dir', '/var/log/ranger/kms')}}/kms.log"
+ }
+ ],
+ "filter":[
+ {
+ "filter":"grok",
+ "conditions":{
+ "fields":{
+ "type":[
+ "ranger_kms"
+ ]
+ }
+ },
+ "log4j_format":"%d{ISO8601} %-5p %c{1} - %m%n",
+ "multiline_pattern":"^(%{TIMESTAMP_ISO8601:logtime})",
+ "message_pattern":"(?m)^%{TIMESTAMP_ISO8601:logtime}%{SPACE}%{LOGLEVEL:level}%{SPACE}%{JAVACLASS:logger_name}%{SPACE}-%{SPACE}%{GREEDYDATA:log_message}",
+ "post_map_values":{
+ "logtime":{
+ "map_date":{
+ "target_date_pattern":"yyyy-MM-dd HH:mm:ss,SSS"
+ }
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/properties/kms-env.sh.j2 b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/properties/kms-env.sh.j2
new file mode 100755
index 00000000000..a3870a43c41
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/properties/kms-env.sh.j2
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Set Ranger KMS specific environment variables here.
+
+export JAVA_HOME={{java_home}}
+export RANGER_KMS_LOG_DIR={{kms_log_dir}}
+export RANGER_KMS_PID_DIR_PATH={{ranger_kms_pid_dir}}
+export KMS_USER={{kms_user}}
+ranger_kms_max_heap_size={{ranger_kms_max_heap_size}}
+{% if security_enabled %}
+export JAVA_OPTS=" ${JAVA_OPTS} -Dzookeeper.sasl.client.username={{zookeeper_principal_primary}} "
+{% endif %}
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/properties/kms-logback.xml.j2 b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/properties/kms-logback.xml.j2
new file mode 100644
index 00000000000..8364d30ced2
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/properties/kms-logback.xml.j2
@@ -0,0 +1,71 @@
+
+
+
+
+
+
+
+
+ true
+ ${kms.log.dir}/kms-audit-${hostname}-${user}.log
+
+ %d{ISO8601} %m%n
+
+
+ ${kms.log.dir}/kms-audit-${hostname}-${user}.log.%d{yyyy-MM-dd}
+ 15
+ true
+
+
+
+
+ false
+ ${kms.log.dir}/ranger_kms_metric_data_for_${metric.type}.log
+
+ %m%n
+
+
+
+
+
+
+ ${kms.log.dir}/ranger-kms-${hostname}-${user}.log
+ true
+
+ %d{ISO8601} %-5p [%t] %c{1} \(%F:%L\) - %m%n
+
+
+ ${kms.log.dir}/ranger-kms-${hostname}-${user}.log.%d{yyyy-MM-dd}
+ 15
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/role_command_order.json b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/role_command_order.json
new file mode 100755
index 00000000000..7ddab41960c
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/role_command_order.json
@@ -0,0 +1,7 @@
+{
+ "general_deps" : {
+ "_comment" : "dependencies for RANGER-KMS",
+ "RANGER_KMS_SERVER-START" : ["RANGER_ADMIN-START", "NAMENODE-START"],
+ "RANGER_KMS_SERVICE_CHECK-SERVICE_CHECK" : ["RANGER_KMS_SERVER-START"]
+ }
+}
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/service_advisor.py b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/service_advisor.py
new file mode 100755
index 00000000000..77a3fac5351
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/service_advisor.py
@@ -0,0 +1,407 @@
+#!/usr/bin/env ambari-python-wrap
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+"""
+
+# Python imports
+import imp
+import os
+import traceback
+import re
+import socket
+import fnmatch
+
+
+from resource_management.core.logger import Logger
+
+SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))
+STACKS_DIR = os.path.join(SCRIPT_DIR, '../../../../../stacks/')
+PARENT_FILE = os.path.join(STACKS_DIR, 'service_advisor.py')
+
+try:
+ if "BASE_SERVICE_ADVISOR" in os.environ:
+ PARENT_FILE = os.environ["BASE_SERVICE_ADVISOR"]
+ with open(PARENT_FILE, 'rb') as fp:
+ service_advisor = imp.load_module('service_advisor', fp, PARENT_FILE, ('.py', 'rb', imp.PY_SOURCE))
+except Exception as e:
+ traceback.print_exc()
+ print("Failed to load parent")
+
+DB_TYPE_DEFAULT_PORT_MAP = {"MYSQL":"3306", "ORACLE":"1521", "POSTGRES":"5432", "MSSQL":"1433", "SQLA":"2638"}
+
+class Ranger_KMSServiceAdvisor(service_advisor.ServiceAdvisor):
+
+ def __init__(self, *args, **kwargs):
+ self.as_super = super(Ranger_KMSServiceAdvisor, self)
+ self.as_super.__init__(*args, **kwargs)
+
+ # Always call these methods
+ self.modifyMastersWithMultipleInstances()
+ self.modifyCardinalitiesDict()
+ self.modifyHeapSizeProperties()
+ self.modifyNotValuableComponents()
+ self.modifyComponentsNotPreferableOnServer()
+ self.modifyComponentLayoutSchemes()
+
+ def modifyMastersWithMultipleInstances(self):
+ """
+ Modify the set of masters with multiple instances.
+ Must be overriden in child class.
+ """
+ # Nothing to do
+ pass
+
+ def modifyCardinalitiesDict(self):
+ """
+ Modify the dictionary of cardinalities.
+ Must be overriden in child class.
+ """
+ # Nothing to do
+ pass
+
+ def modifyHeapSizeProperties(self):
+ """
+ Modify the dictionary of heap size properties.
+ Must be overriden in child class.
+ """
+ pass
+
+ def modifyNotValuableComponents(self):
+ """
+ Modify the set of components whose host assignment is based on other services.
+ Must be overriden in child class.
+ """
+ # Nothing to do
+ pass
+
+ def modifyComponentsNotPreferableOnServer(self):
+ """
+ Modify the set of components that are not preferable on the server.
+ Must be overriden in child class.
+ """
+ # Nothing to do
+ pass
+
+ def modifyComponentLayoutSchemes(self):
+ """
+ Modify layout scheme dictionaries for components.
+ The scheme dictionary basically maps the number of hosts to
+ host index where component should exist.
+ Must be overriden in child class.
+ """
+
+ self.componentLayoutSchemes.update({'RANGER_KMS_SERVER': {3: 0, 6: 1, 31: 2, "else": 2}})
+
+ def getServiceComponentLayoutValidations(self, services, hosts):
+ """
+ Get a list of errors.
+ Must be overriden in child class.
+ """
+
+ return self.getServiceComponentCardinalityValidations(services, hosts, "RANGER_KMS")
+
+ def getServiceConfigurationRecommendations(self, configurations, clusterData, services, hosts):
+ """
+ Entry point.
+ Must be overriden in child class.
+ """
+ # Logger.info("Class: %s, Method: %s. Recommending Service Configurations." %
+ # (self.__class__.__name__, inspect.stack()[0][3]))
+
+ recommender = RangerKMSRecommender()
+ recommender.recommendRangerKMSConfigurationsFromHDP23(configurations, clusterData, services, hosts)
+ recommender.recommendRangerKMSConfigurationsFromHDP25(configurations, clusterData, services, hosts)
+ recommender.recommendRangerKMSConfigurationsFromHDP26(configurations, clusterData, services, hosts)
+ recommender.recommendRangerKMSConfigurationsFromHDP30(configurations, clusterData, services, hosts)
+
+ def getServiceConfigurationsValidationItems(self, configurations, recommendedDefaults, services, hosts):
+ """
+ Entry point.
+ Validate configurations for the service. Return a list of errors.
+ The code for this function should be the same for each Service Advisor.
+ """
+ # Logger.info("Class: %s, Method: %s. Validating Configurations." %
+ # (self.__class__.__name__, inspect.stack()[0][3]))
+
+ validator = RangerKMSValidator()
+ # Calls the methods of the validator using arguments,
+ # method(siteProperties, siteRecommendations, configurations, services, hosts)
+ return validator.validateListOfConfigUsingMethod(configurations, recommendedDefaults, services, hosts, validator.validators)
+
+ @staticmethod
+ def isKerberosEnabled(services, configurations):
+ """
+ Determines if security is enabled by testing the value of kms-site/hadoop.kms.authentication.type enabled.
+ If the property exists and is equal to "kerberos", then is it enabled; otherwise is it assumed to be
+ disabled.
+
+ :type services: dict
+ :param services: the dictionary containing the existing configuration values
+ :type configurations: dict
+ :param configurations: the dictionary containing the updated configuration values
+ :rtype: bool
+ :return: True or False
+ """
+ if configurations and "kms-site" in configurations and \
+ "hadoop.kms.authentication.type" in configurations["kms-site"]["properties"]:
+ return configurations["kms-site"]["properties"]["hadoop.kms.authentication.type"].lower() == "kerberos"
+ elif services and "kms-site" in services["configurations"] and \
+ "hadoop.kms.authentication.type" in services["configurations"]["kms-site"]["properties"]:
+ return services["configurations"]["kms-site"]["properties"]["hadoop.kms.authentication.type"].lower() == "kerberos"
+ else:
+ return False
+
+
+class RangerKMSRecommender(service_advisor.ServiceAdvisor):
+ """
+ RangerKMS Recommender suggests properties when adding the service for the first time or modifying configs via the UI.
+ """
+
+ def __init__(self, *args, **kwargs):
+ self.as_super = super(RangerKMSRecommender, self)
+ self.as_super.__init__(*args, **kwargs)
+
+ def recommendRangerKMSConfigurationsFromHDP23(self, configurations, clusterData, services, hosts):
+ servicesList = [service["StackServices"]["service_name"] for service in services["services"]]
+ putRangerKmsDbksProperty = self.putProperty(configurations, "dbks-site", services)
+ putRangerKmsProperty = self.putProperty(configurations, "kms-properties", services)
+ kmsEnvProperties = self.getSiteProperties(services['configurations'], 'kms-env')
+ putCoreSiteProperty = self.putProperty(configurations, "core-site", services)
+ putCoreSitePropertyAttribute = self.putPropertyAttribute(configurations, "core-site")
+ putRangerKmsAuditProperty = self.putProperty(configurations, "ranger-kms-audit", services)
+ security_enabled = Ranger_KMSServiceAdvisor.isKerberosEnabled(services, configurations)
+ putRangerKmsSiteProperty = self.putProperty(configurations, "kms-site", services)
+ putRangerKmsSitePropertyAttribute = self.putPropertyAttribute(configurations, "kms-site")
+
+ if 'kms-properties' in services['configurations'] and ('DB_FLAVOR' in services['configurations']['kms-properties']['properties']):
+
+ rangerKmsDbFlavor = services['configurations']["kms-properties"]["properties"]["DB_FLAVOR"]
+
+ if ('db_host' in services['configurations']['kms-properties']['properties']) and ('db_name' in services['configurations']['kms-properties']['properties']):
+
+ rangerKmsDbHost = services['configurations']["kms-properties"]["properties"]["db_host"]
+ rangerKmsDbName = services['configurations']["kms-properties"]["properties"]["db_name"]
+
+ ranger_kms_db_url_dict = {
+ 'MYSQL': {'ranger.ks.jpa.jdbc.driver': 'com.mysql.jdbc.Driver',
+ 'ranger.ks.jpa.jdbc.url': 'jdbc:mysql://' + self.getDBConnectionHostPort(rangerKmsDbFlavor, rangerKmsDbHost) + '/' + rangerKmsDbName},
+ 'ORACLE': {'ranger.ks.jpa.jdbc.driver': 'oracle.jdbc.driver.OracleDriver',
+ 'ranger.ks.jpa.jdbc.url': 'jdbc:oracle:thin:@' + self.getOracleDBConnectionHostPort(rangerKmsDbFlavor, rangerKmsDbHost, rangerKmsDbName)},
+ 'POSTGRES': {'ranger.ks.jpa.jdbc.driver': 'org.postgresql.Driver',
+ 'ranger.ks.jpa.jdbc.url': 'jdbc:postgresql://' + self.getDBConnectionHostPort(rangerKmsDbFlavor, rangerKmsDbHost) + '/' + rangerKmsDbName},
+ 'MSSQL': {'ranger.ks.jpa.jdbc.driver': 'com.microsoft.sqlserver.jdbc.SQLServerDriver',
+ 'ranger.ks.jpa.jdbc.url': 'jdbc:sqlserver://' + self.getDBConnectionHostPort(rangerKmsDbFlavor, rangerKmsDbHost) + ';databaseName=' + rangerKmsDbName},
+ 'SQLA': {'ranger.ks.jpa.jdbc.driver': 'sap.jdbc4.sqlanywhere.IDriver',
+ 'ranger.ks.jpa.jdbc.url': 'jdbc:sqlanywhere:host=' + self.getDBConnectionHostPort(rangerKmsDbFlavor, rangerKmsDbHost) + ';database=' + rangerKmsDbName}
+ }
+
+ rangerKmsDbProperties = ranger_kms_db_url_dict.get(rangerKmsDbFlavor, ranger_kms_db_url_dict['MYSQL'])
+ for key in rangerKmsDbProperties:
+ putRangerKmsDbksProperty(key, rangerKmsDbProperties.get(key))
+
+ if kmsEnvProperties and self.checkSiteProperties(kmsEnvProperties, 'kms_user') and 'KERBEROS' in servicesList:
+ kmsUser = kmsEnvProperties['kms_user']
+ kmsUserOld = self.getOldValue(services, 'kms-env', 'kms_user')
+ self.put_proxyuser_value(kmsUser, '*', is_groups=True, services=services, configurations=configurations, put_function=putCoreSiteProperty)
+ if kmsUserOld is not None and kmsUser != kmsUserOld:
+ putCoreSitePropertyAttribute("hadoop.proxyuser.{0}.groups".format(kmsUserOld), 'delete', 'true')
+ services["forced-configurations"].append({"type" : "core-site", "name" : "hadoop.proxyuser.{0}.groups".format(kmsUserOld)})
+ services["forced-configurations"].append({"type" : "core-site", "name" : "hadoop.proxyuser.{0}.groups".format(kmsUser)})
+
+ if "HDFS" in servicesList:
+ if 'core-site' in services['configurations'] and ('fs.defaultFS' in services['configurations']['core-site']['properties']):
+ default_fs = services['configurations']['core-site']['properties']['fs.defaultFS']
+ putRangerKmsAuditProperty('xasecure.audit.destination.hdfs.dir', '{0}/{1}/{2}'.format(default_fs,'ranger','audit'))
+
+ required_services = [{'service' : 'YARN', 'config-type': 'yarn-env', 'property-name': 'yarn_user', 'proxy-category': ['hosts', 'users', 'groups']},
+ {'service' : 'SPARK', 'config-type': 'livy-env', 'property-name': 'livy_user', 'proxy-category': ['hosts', 'users', 'groups']}]
+
+ required_services_for_secure = [{'service' : 'HIVE', 'config-type': 'hive-env', 'property-name': 'hive_user', 'proxy-category': ['hosts', 'users']},
+ {'service' : 'OOZIE', 'config-type': 'oozie-env', 'property-name': 'oozie_user', 'proxy-category': ['hosts', 'users']}]
+
+ if security_enabled:
+ required_services.extend(required_services_for_secure)
+
+ # recommendations for kms proxy related properties
+ self.recommendKMSProxyUsers(configurations, services, hosts, required_services)
+
+ ambari_user = self.getAmbariUser(services)
+ if security_enabled:
+ # adding for ambari user
+ putRangerKmsSiteProperty('hadoop.kms.proxyuser.{0}.users'.format(ambari_user), '*')
+ putRangerKmsSiteProperty('hadoop.kms.proxyuser.{0}.hosts'.format(ambari_user), '*')
+ # adding for HTTP
+ putRangerKmsSiteProperty('hadoop.kms.proxyuser.HTTP.users', '*')
+ putRangerKmsSiteProperty('hadoop.kms.proxyuser.HTTP.hosts', '*')
+ else:
+ self.deleteKMSProxyUsers(configurations, services, hosts, required_services_for_secure)
+ # deleting ambari user proxy properties
+ putRangerKmsSitePropertyAttribute('hadoop.kms.proxyuser.{0}.hosts'.format(ambari_user), 'delete', 'true')
+ putRangerKmsSitePropertyAttribute('hadoop.kms.proxyuser.{0}.users'.format(ambari_user), 'delete', 'true')
+ # deleting HTTP proxy properties
+ putRangerKmsSitePropertyAttribute('hadoop.kms.proxyuser.HTTP.hosts', 'delete', 'true')
+ putRangerKmsSitePropertyAttribute('hadoop.kms.proxyuser.HTTP.users', 'delete', 'true')
+
+ def recommendRangerKMSConfigurationsFromHDP25(self, configurations, clusterData, services, hosts):
+
+ security_enabled = Ranger_KMSServiceAdvisor.isKerberosEnabled(services, configurations)
+ required_services = [{'service' : 'RANGER', 'config-type': 'ranger-env', 'property-name': 'ranger_user', 'proxy-category': ['hosts', 'users', 'groups']},
+ {'service' : 'SPARK2', 'config-type': 'livy2-env', 'property-name': 'livy2_user', 'proxy-category': ['hosts', 'users', 'groups']}]
+
+ if security_enabled:
+ # recommendations for kms proxy related properties
+ self.recommendKMSProxyUsers(configurations, services, hosts, required_services)
+ else:
+ self.deleteKMSProxyUsers(configurations, services, hosts, required_services)
+
+ def recommendRangerKMSConfigurationsFromHDP26(self, configurations, clusterData, services, hosts):
+ putRangerKmsEnvProperty = self.putProperty(configurations, "kms-env", services)
+
+ ranger_kms_ssl_enabled = False
+ ranger_kms_ssl_port = "9393"
+ if 'ranger-kms-site' in services['configurations'] and 'ranger.service.https.attrib.ssl.enabled' in services['configurations']['ranger-kms-site']['properties']:
+ ranger_kms_ssl_enabled = services['configurations']['ranger-kms-site']['properties']['ranger.service.https.attrib.ssl.enabled'].lower() == "true"
+
+ if 'ranger-kms-site' in services['configurations'] and 'ranger.service.https.port' in services['configurations']['ranger-kms-site']['properties']:
+ ranger_kms_ssl_port = services['configurations']['ranger-kms-site']['properties']['ranger.service.https.port']
+
+ if ranger_kms_ssl_enabled:
+ putRangerKmsEnvProperty("kms_port", ranger_kms_ssl_port)
+ else:
+ putRangerKmsEnvProperty("kms_port", "9292")
+
+ def recommendRangerKMSConfigurationsFromHDP30(self, configurations, clusterData, services, hosts):
+ putRangerKmsEnvProperty = self.putProperty(configurations, "kms-env", services)
+
+ if 'kms-properties' in services['configurations'] and ('DB_FLAVOR' in services['configurations']['kms-properties']['properties']) \
+ and ('db_host' in services['configurations']['kms-properties']['properties']):
+
+ rangerKmsDbFlavor = services['configurations']["kms-properties"]["properties"]["DB_FLAVOR"]
+ rangerKmsDbHost = services['configurations']["kms-properties"]["properties"]["db_host"]
+
+ ranger_kms_db_privelege_url_dict = {
+ 'MYSQL': {'ranger_kms_privelege_user_jdbc_url': 'jdbc:mysql://' + self.getDBConnectionHostPort(rangerKmsDbFlavor, rangerKmsDbHost)},
+ 'ORACLE': {'ranger_kms_privelege_user_jdbc_url': 'jdbc:oracle:thin:@' + self.getOracleDBConnectionHostPort(rangerKmsDbFlavor, rangerKmsDbHost, None)},
+ 'POSTGRES': {'ranger_kms_privelege_user_jdbc_url': 'jdbc:postgresql://' + self.getDBConnectionHostPort(rangerKmsDbFlavor, rangerKmsDbHost) + '/postgres'},
+ 'MSSQL': {'ranger_kms_privelege_user_jdbc_url': 'jdbc:sqlserver://' + self.getDBConnectionHostPort(rangerKmsDbFlavor, rangerKmsDbHost) + ';'},
+ 'SQLA': {'ranger_kms_privelege_user_jdbc_url': 'jdbc:sqlanywhere:host=' + self.getDBConnectionHostPort(rangerKmsDbFlavor, rangerKmsDbHost) + ';'}
+ }
+
+ rangerKmsPrivelegeDbProperties = ranger_kms_db_privelege_url_dict.get(rangerKmsDbFlavor, ranger_kms_db_privelege_url_dict['MYSQL'])
+ for key in rangerKmsPrivelegeDbProperties:
+ putRangerKmsEnvProperty(key, rangerKmsPrivelegeDbProperties.get(key))
+
+ def getDBConnectionHostPort(self, db_type, db_host):
+ connection_string = ""
+ if db_type is None or db_type == "":
+ return connection_string
+ else:
+ colon_count = db_host.count(':')
+ if colon_count == 0:
+ if db_type in DB_TYPE_DEFAULT_PORT_MAP:
+ connection_string = db_host + ":" + DB_TYPE_DEFAULT_PORT_MAP[db_type]
+ else:
+ connection_string = db_host
+ elif colon_count == 1:
+ connection_string = db_host
+ elif colon_count == 2:
+ connection_string = db_host
+
+ return connection_string
+
+ def getOracleDBConnectionHostPort(self, db_type, db_host, rangerDbName):
+ connection_string = self.getDBConnectionHostPort(db_type, db_host)
+ colon_count = db_host.count(':')
+ if colon_count == 1 and '/' in db_host:
+ connection_string = "//" + connection_string
+ elif colon_count == 0 or colon_count == 1:
+ connection_string = "//" + connection_string + "/" + rangerDbName if rangerDbName else "//" + connection_string
+
+ return connection_string
+
+ def recommendKMSProxyUsers(self, configurations, services, hosts, requiredServices):
+ servicesList = [service["StackServices"]["service_name"] for service in services["services"]]
+ putRangerKmsSiteProperty = self.putProperty(configurations, "kms-site", services)
+ putRangerKmsSitePropertyAttribute = self.putPropertyAttribute(configurations, "kms-site")
+
+ if 'forced-configurations' not in services:
+ services["forced-configurations"] = []
+
+ for index in range(len(requiredServices)):
+ service = requiredServices[index]['service']
+ config_type = requiredServices[index]['config-type']
+ property_name = requiredServices[index]['property-name']
+ proxy_category = requiredServices[index]['proxy-category']
+
+ if service in servicesList:
+ if config_type in services['configurations'] and property_name in services['configurations'][config_type]['properties']:
+ service_user = services['configurations'][config_type]['properties'][property_name]
+ service_old_user = self.getOldValue(services, config_type, property_name)
+
+ if 'groups' in proxy_category:
+ putRangerKmsSiteProperty('hadoop.kms.proxyuser.{0}.groups'.format(service_user), '*')
+ if 'hosts' in proxy_category:
+ putRangerKmsSiteProperty('hadoop.kms.proxyuser.{0}.hosts'.format(service_user), '*')
+ if 'users' in proxy_category:
+ putRangerKmsSiteProperty('hadoop.kms.proxyuser.{0}.users'.format(service_user), '*')
+
+ if service_old_user is not None and service_user != service_old_user:
+ if 'groups' in proxy_category:
+ putRangerKmsSitePropertyAttribute('hadoop.kms.proxyuser.{0}.groups'.format(service_old_user), 'delete', 'true')
+ services["forced-configurations"].append({"type" : "kms-site", "name" : "hadoop.kms.proxyuser.{0}.groups".format(service_old_user)})
+ services["forced-configurations"].append({"type" : "kms-site", "name" : "hadoop.kms.proxyuser.{0}.groups".format(service_user)})
+ if 'hosts' in proxy_category:
+ putRangerKmsSitePropertyAttribute('hadoop.kms.proxyuser.{0}.hosts'.format(service_old_user), 'delete', 'true')
+ services["forced-configurations"].append({"type" : "kms-site", "name" : "hadoop.kms.proxyuser.{0}.hosts".format(service_old_user)})
+ services["forced-configurations"].append({"type" : "kms-site", "name" : "hadoop.kms.proxyuser.{0}.hosts".format(service_user)})
+ if 'users' in proxy_category:
+ putRangerKmsSitePropertyAttribute('hadoop.kms.proxyuser.{0}.users'.format(service_old_user), 'delete', 'true')
+ services["forced-configurations"].append({"type" : "kms-site", "name" : "hadoop.kms.proxyuser.{0}.users".format(service_old_user)})
+ services["forced-configurations"].append({"type" : "kms-site", "name" : "hadoop.kms.proxyuser.{0}.users".format(service_user)})
+
+ def deleteKMSProxyUsers(self, configurations, services, hosts, requiredServices):
+ servicesList = [service["StackServices"]["service_name"] for service in services["services"]]
+ putRangerKmsSitePropertyAttribute = self.putPropertyAttribute(configurations, "kms-site")
+
+ for index in range(len(requiredServices)):
+ service = requiredServices[index]['service']
+ config_type = requiredServices[index]['config-type']
+ property_name = requiredServices[index]['property-name']
+ proxy_category = requiredServices[index]['proxy-category']
+
+ if service in servicesList:
+ if config_type in services['configurations'] and property_name in services['configurations'][config_type]['properties']:
+ service_user = services['configurations'][config_type]['properties'][property_name]
+
+ if 'groups' in proxy_category:
+ putRangerKmsSitePropertyAttribute('hadoop.kms.proxyuser.{0}.groups'.format(service_user), 'delete', 'true')
+ if 'hosts' in proxy_category:
+ putRangerKmsSitePropertyAttribute('hadoop.kms.proxyuser.{0}.hosts'.format(service_user), 'delete', 'true')
+ if 'users' in proxy_category:
+ putRangerKmsSitePropertyAttribute('hadoop.kms.proxyuser.{0}.users'.format(service_user), 'delete', 'true')
+
+class RangerKMSValidator(service_advisor.ServiceAdvisor):
+ """
+ RangerKMS Validator checks the correctness of properties whenever the service is first added or the user attempts to
+ change configs via the UI.
+ """
+
+ def __init__(self, *args, **kwargs):
+ self.as_super = super(RangerKMSValidator, self)
+ self.as_super.__init__(*args, **kwargs)
+
+ self.validators = []
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/themes/credentials.json b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/themes/credentials.json
new file mode 100755
index 00000000000..d8da76f3028
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/themes/credentials.json
@@ -0,0 +1,51 @@
+{
+ "name": "credentials",
+ "configuration": {
+ "layouts": [
+ {
+ "name": "credentials",
+ "tabs": [
+ {
+ "name": "credentials",
+ "layout": {
+ "sections": [
+ {
+ "name": "credentials",
+ "subsections": [
+ {
+ "name" : "subsection-ranger-kms-credential",
+ "display-name": "Ranger KMS master key password"
+ },
+ {
+ "name" : "subsection-ranger-kms-db-credential",
+ "display-name": "Ranger KMS DB Credentials"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ]
+ }
+ ],
+ "placement": {
+ "configuration-layout": "credentials",
+ "configs": [
+ {
+ "config": "kms-properties/KMS_MASTER_KEY_PASSWD",
+ "subsection-name": "subsection-ranger-kms-credential"
+ },
+ {
+ "config": "kms-properties/db_user",
+ "subsection-name": "subsection-ranger-kms-db-credential"
+ },
+ {
+ "config": "kms-properties/db_password",
+ "subsection-name": "subsection-ranger-kms-db-credential"
+ }
+ ]
+ },
+ "widgets": [
+ ]
+ }
+}
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/themes/database.json b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/themes/database.json
new file mode 100755
index 00000000000..cc15b5e91c8
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/themes/database.json
@@ -0,0 +1,317 @@
+{
+ "name": "database",
+ "configuration": {
+ "placement": {
+ "configuration-layout": "database",
+ "configs": [
+ {
+ "config": "kms-properties/DB_FLAVOR",
+ "subsection-name": "subsection-kms-db-row1-col1"
+ },
+ {
+ "config": "kms-properties/db_name",
+ "subsection-name": "subsection-kms-db-row1-col1"
+ },
+ {
+ "config": "dbks-site/ranger.ks.jpa.jdbc.url",
+ "subsection-name": "subsection-kms-db-row1-col1"
+ },
+ {
+ "config": "kms-properties/db_user",
+ "subsection-name": "subsection-kms-db-row1-col1"
+ },
+ {
+ "config": "kms-properties/db_host",
+ "subsection-name": "subsection-kms-db-row1-col2"
+ },
+ {
+ "config": "kms-properties/SQL_CONNECTOR_JAR",
+ "subsection-name": "subsection-kms-db-row1-col2",
+ "depends-on" : [
+ {
+ "configs":[
+ "kms-properties/DB_FLAVOR"
+ ],
+ "if": "${kms-properties/DB_FLAVOR} === SQLA",
+ "then": {
+ "property_value_attributes": {
+ "visible": false
+ }
+ },
+ "else": {
+ "property_value_attributes": {
+ "visible": true
+ }
+ }
+ }
+ ]
+ },
+ {
+ "config": "dbks-site/ranger.ks.jpa.jdbc.driver",
+ "subsection-name": "subsection-kms-db-row1-col2"
+ },
+ {
+ "config": "kms-properties/db_password",
+ "subsection-name": "subsection-kms-db-row1-col2"
+ },
+ {
+ "config" : "kms-env/create_db_user",
+ "subsection-name": "subsection-kms-create-db-user-row2-col"
+ },
+ {
+ "config": "kms-env/test_db_kms_connection",
+ "subsection-name": "subsection-kms-create-db-user-row2-col",
+ "property_value_attributes": {
+ "ui_only_property": true
+ },
+ "depends-on": [
+ {
+ "configs":[
+ "kms-env/create_db_user"
+ ],
+ "if": "${kms-env/create_db_user}",
+ "then": {
+ "property_value_attributes": {
+ "visible": false
+ }
+ },
+ "else": {
+ "property_value_attributes": {
+ "visible": true
+ }
+ }
+ }
+ ]
+ },
+ {
+ "config": "kms-properties/db_root_user",
+ "subsection-name": "subsection-kms-db-root-user-row3-col1"
+ },
+ {
+ "config": "kms-env/ranger_kms_privelege_user_jdbc_url",
+ "subsection-name": "subsection-kms-db-root-user-row3-col1"
+ },
+ {
+ "config": "kms-properties/db_root_password",
+ "subsection-name": "subsection-kms-db-root-user-row3-col2"
+ },
+ {
+ "config": "kms-env/test_root_db_kms_connection",
+ "subsection-name": "subsection-kms-db-root-user-row3-col1",
+ "property_value_attributes": {
+ "ui_only_property": true
+ }
+ }
+ ]
+ },
+ "widgets": [
+ {
+ "config": "kms-properties/DB_FLAVOR",
+ "widget": {
+ "type": "combo"
+ }
+ },
+ {
+ "config": "kms-properties/db_user",
+ "widget": {
+ "type": "text-field"
+ }
+ },
+ {
+ "config": "kms-properties/db_name",
+ "widget": {
+ "type": "text-field"
+ }
+ },
+ {
+ "config": "kms-properties/SQL_CONNECTOR_JAR",
+ "widget": {
+ "type": "text-field"
+ }
+ },
+ {
+ "config": "kms-properties/db_root_user",
+ "widget": {
+ "type": "text-field"
+ }
+ },
+ {
+ "config": "kms-properties/db_host",
+ "widget": {
+ "type": "text-field"
+ }
+ },
+ {
+ "config": "kms-properties/db_password",
+ "widget": {
+ "type": "password"
+ }
+ },
+ {
+ "config": "kms-properties/db_root_password",
+ "widget": {
+ "type": "password"
+ }
+ },
+ {
+ "config": "kms-env/create_db_user",
+ "widget": {
+ "type": "toggle"
+ }
+ },
+ {
+ "config": "kms-env/test_db_kms_connection",
+ "widget": {
+ "type": "test-db-connection",
+ "display-name": "Test Connection",
+ "required-properties": {
+ "jdbc.driver.class": "dbks-site/ranger.ks.jpa.jdbc.driver",
+ "jdbc.driver.url": "dbks-site/ranger.ks.jpa.jdbc.url",
+ "db.connection.source.host": "ranger_kms-site/ranger_kms_server_hosts",
+ "db.type": "kms-properties/DB_FLAVOR",
+ "db.connection.destination.host": "kms-properties/db_host",
+ "db.connection.user": "kms-properties/db_user",
+ "db.connection.password": "kms-properties/db_password"
+ }
+ }
+ },
+ {
+ "config": "kms-env/test_root_db_kms_connection",
+ "widget": {
+ "type": "test-db-connection",
+ "display-name": "Test Connection",
+ "required-properties": {
+ "jdbc.driver.class": "dbks-site/ranger.ks.jpa.jdbc.driver",
+ "jdbc.driver.url": "kms-env/ranger_kms_privelege_user_jdbc_url",
+ "db.connection.source.host": "ranger_kms-site/ranger_kms_server_hosts",
+ "db.type": "kms-properties/DB_FLAVOR",
+ "db.connection.destination.host": "kms-properties/db_host",
+ "db.connection.user": "kms-properties/db_root_user",
+ "db.connection.password": "kms-properties/db_root_password"
+ }
+ }
+ },
+ {
+ "config": "kms-env/ranger_kms_privelege_user_jdbc_url",
+ "widget": {
+ "type": "text-field"
+ }
+ },
+ {
+ "config": "dbks-site/ranger.ks.jpa.jdbc.driver",
+ "widget" : {
+ "type": "text-field"
+ }
+ },
+ {
+ "config": "dbks-site/ranger.ks.jpa.jdbc.url",
+ "widget": {
+ "type": "text-field"
+ }
+ }
+ ],
+ "layouts": [
+ {
+ "name": "database",
+ "tabs": [
+ {
+ "name": "ranger_kms_database",
+ "display-name": "Ranger KMS",
+ "layout": {
+ "tab-columns": "2",
+ "tab-rows": "2",
+ "sections": [
+ {
+ "name": "section-kms-db-settings",
+ "removed" : false,
+ "row-index": "0",
+ "column-index": "0",
+ "row-span": "3",
+ "column-span": "2",
+ "section-columns": "2",
+ "section-rows": "3",
+ "subsections": [
+ {
+ "name": "subsection-kms-db-row1-col1",
+ "display-name": "Ranger KMS DB",
+ "row-index": "0",
+ "column-index": "0",
+ "row-span": "1",
+ "column-span": "1"
+ },
+ {
+ "name": "subsection-kms-db-row1-col2",
+ "row-index": "0",
+ "column-index": "1",
+ "row-span": "1",
+ "column-span": "1"
+ },
+ {
+ "name": "subsection-kms-create-db-user-row2-col",
+ "display-name": "Setup Database and Database User",
+ "row-index": "1",
+ "column-index": "0",
+ "row-span": "1",
+ "column-span": "2"
+ },
+ {
+ "name": "subsection-kms-db-root-user-row3-col1",
+ "display-name": "Ranger KMS Root DB",
+ "row-index": "2",
+ "column-index": "0",
+ "row-span": "1",
+ "column-span": "1",
+ "depends-on": [
+ {
+ "configs":[
+ "kms-env/create_db_user"
+ ],
+ "if": "${kms-env/create_db_user}",
+ "then": {
+ "property_value_attributes": {
+ "visible": true
+ }
+ },
+ "else": {
+ "property_value_attributes": {
+ "visible": false
+ }
+ }
+ }
+ ]
+ },
+ {
+ "name": "subsection-kms-db-root-user-row3-col2",
+ "row-index": "2",
+ "column-index": "1",
+ "row-span": "1",
+ "column-span": "1",
+ "depends-on": [
+ {
+ "configs":[
+ "kms-env/create_db_user"
+ ],
+ "if": "${kms-env/create_db_user}",
+ "then": {
+ "property_value_attributes": {
+ "visible": true
+ }
+ },
+ "else": {
+ "property_value_attributes": {
+ "visible": false
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ]
+ }
+ ]
+ }
+}
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/themes/directories.json b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/themes/directories.json
new file mode 100755
index 00000000000..230e62a21df
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/themes/directories.json
@@ -0,0 +1,88 @@
+{
+ "name": "directories",
+ "description": "Directories theme for RANGER KMS service",
+ "configuration": {
+ "layouts": [
+ {
+ "name": "directories",
+ "tabs": [
+ {
+ "name": "directories",
+ "display-name": "Directories",
+ "layout": {
+ "tab-columns": "1",
+ "tab-rows": "2",
+ "sections": [
+ {
+ "name": "subsection-log-dirs",
+ "display-name": "LOG DIR",
+ "row-index": "0",
+ "column-index": "0",
+ "row-span": "1",
+ "column-span": "1",
+ "section-columns": "1",
+ "section-rows": "1",
+ "subsections": [
+ {
+ "name": "subsection-log-dirs",
+ "row-index": "0",
+ "column-index": "0",
+ "row-span": "1",
+ "column-span": "1"
+ }
+ ]
+ },
+ {
+ "name": "subsection-pid-dirs",
+ "display-name": "PID DIR",
+ "row-index": "2",
+ "column-index": "0",
+ "row-span": "1",
+ "column-span": "1",
+ "section-columns": "1",
+ "section-rows": "1",
+ "subsections": [
+ {
+ "name": "subsection-pid-dirs",
+ "row-index": "0",
+ "column-index": "0",
+ "row-span": "1",
+ "column-span": "1"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ]
+ }
+ ],
+ "placement": {
+ "configuration-layout": "directories",
+ "configs": [
+ {
+ "config": "kms-env/kms_log_dir",
+ "subsection-name": "subsection-log-dirs"
+ },
+ {
+ "config": "kms-env/ranger_kms_pid_dir",
+ "subsection-name": "subsection-pid-dirs"
+ }
+ ]
+ },
+ "widgets": [
+ {
+ "config": "kms-env/kms_log_dir",
+ "widget": {
+ "type": "text-field"
+ }
+ },
+ {
+ "config": "kms-env/ranger_kms_pid_dir",
+ "widget": {
+ "type": "text-field"
+ }
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/themes/theme_version_1.json b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/themes/theme_version_1.json
new file mode 100755
index 00000000000..6c2b6bcc26a
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/themes/theme_version_1.json
@@ -0,0 +1,442 @@
+{
+ "name": "default",
+ "description": "Default theme for Ranger KMS service",
+ "configuration": {
+ "layouts": [
+ {
+ "name": "default",
+ "tabs": [
+ {
+ "name": "db_settings",
+ "display-name": "Settings",
+ "layout": {
+ "tab-columns": "2",
+ "tab-rows": "2",
+ "sections": [
+ {
+ "name": "section-db-settings",
+ "display-name": "",
+ "row-index": "0",
+ "column-index": "0",
+ "row-span": "4",
+ "column-span": "2",
+ "section-columns": "2",
+ "section-rows": "4",
+ "subsections": [
+ {
+ "name": "subsection-kms-db-row1-col1",
+ "display-name": "Ranger KMS DB",
+ "row-index": "0",
+ "column-index": "0",
+ "row-span": "1",
+ "column-span": "1"
+ },
+ {
+ "name": "subsection-kms-db-row1-col2",
+ "row-index": "0",
+ "column-index": "1",
+ "row-span": "1",
+ "column-span": "1"
+ },
+ {
+ "name": "subsection-kms-create-db-user-row2-col",
+ "display-name": "Setup Database and Database User",
+ "row-index": "1",
+ "column-index": "0",
+ "row-span": "1",
+ "column-span": "2"
+ },
+ {
+ "name": "subsection-kms-db-root-user-row3-col1",
+ "display-name": "Ranger KMS Root DB",
+ "row-index": "2",
+ "column-index": "0",
+ "row-span": "1",
+ "column-span": "1",
+ "depends-on": [
+ {
+ "configs":[
+ "kms-env/create_db_user"
+ ],
+ "if": "${kms-env/create_db_user}",
+ "then": {
+ "property_value_attributes": {
+ "visible": true
+ }
+ },
+ "else": {
+ "property_value_attributes": {
+ "visible": false
+ }
+ }
+ }
+ ]
+ },
+ {
+ "name": "subsection-kms-db-root-user-row3-col2",
+ "row-index": "2",
+ "column-index": "1",
+ "row-span": "1",
+ "column-span": "1",
+ "depends-on": [
+ {
+ "configs":[
+ "kms-env/create_db_user"
+ ],
+ "if": "${kms-env/create_db_user}",
+ "then": {
+ "property_value_attributes": {
+ "visible": true
+ }
+ },
+ "else": {
+ "property_value_attributes": {
+ "visible": false
+ }
+ }
+ }
+ ]
+ },
+ {
+ "name": "subsection-kms-master-row4-col",
+ "display-name": "KMS Master Secret Password",
+ "row-index": "3",
+ "column-index": "0",
+ "row-span": "1",
+ "column-span": "2"
+ }
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "name": "kms_hsm",
+ "display-name": "KMS HSM",
+ "layout": {
+ "tab-columns": "1",
+ "tab-rows": "1",
+ "sections": [
+ {
+ "name": "section-kms-hms",
+ "display-name": "",
+ "row-index": "0",
+ "column-index": "0",
+ "row-span": "2",
+ "column-span": "1",
+ "section-columns": "1",
+ "section-rows": "2",
+ "subsections": [
+ {
+ "name": "subsection-kms-hsm-row1-col1",
+ "display-name": "Ranger KMS HSM Enabled",
+ "row-index": "0",
+ "column-index": "0",
+ "row-span": "1",
+ "column-span": "1"
+ },
+ {
+ "name": "subsection-kms-hsm-row2-col1",
+ "display-name": "Configuration Settings",
+ "row-index": "1",
+ "column-index": "0",
+ "row-span": "1",
+ "column-span": "1",
+ "depends-on": [
+ {
+ "configs": [
+ "dbks-site/ranger.ks.hsm.enabled"
+ ],
+ "if": "${dbks-site/ranger.ks.hsm.enabled}",
+ "then": {
+ "property_value_attributes": {
+ "visible": true
+ }
+ },
+ "else": {
+ "property_value_attributes": {
+ "visible": false
+ }
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ]
+ }
+ ],
+ "placement": {
+ "configuration-layout": "default",
+ "configs": [
+ {
+ "config": "kms-properties/DB_FLAVOR",
+ "subsection-name": "subsection-kms-db-row1-col1"
+ },
+ {
+ "config": "kms-properties/db_name",
+ "subsection-name": "subsection-kms-db-row1-col1"
+ },
+ {
+ "config": "dbks-site/ranger.ks.jpa.jdbc.url",
+ "subsection-name": "subsection-kms-db-row1-col1"
+ },
+ {
+ "config": "kms-properties/db_user",
+ "subsection-name": "subsection-kms-db-row1-col1"
+ },
+ {
+ "config": "kms-properties/db_host",
+ "subsection-name": "subsection-kms-db-row1-col2"
+ },
+ {
+ "config": "kms-properties/SQL_CONNECTOR_JAR",
+ "subsection-name": "subsection-kms-db-row1-col2",
+ "depends-on" : [
+ {
+ "configs":[
+ "kms-properties/DB_FLAVOR"
+ ],
+ "if": "${kms-properties/DB_FLAVOR} === SQLA",
+ "then": {
+ "property_value_attributes": {
+ "visible": false
+ }
+ },
+ "else": {
+ "property_value_attributes": {
+ "visible": true
+ }
+ }
+ }
+ ]
+ },
+ {
+ "config": "dbks-site/ranger.ks.jpa.jdbc.driver",
+ "subsection-name": "subsection-kms-db-row1-col2"
+ },
+ {
+ "config": "kms-properties/db_password",
+ "subsection-name": "subsection-kms-db-row1-col2"
+ },
+ {
+ "config": "kms-properties/KMS_MASTER_KEY_PASSWD",
+ "subsection-name": "subsection-kms-master-row4-col"
+ },
+ {
+ "config" : "kms-env/create_db_user",
+ "subsection-name": "subsection-kms-create-db-user-row2-col"
+ },
+ {
+ "config": "kms-env/test_db_kms_connection",
+ "subsection-name": "subsection-kms-create-db-user-row2-col",
+ "property_value_attributes": {
+ "ui_only_property": true
+ },
+ "depends-on": [
+ {
+ "configs":[
+ "kms-env/create_db_user"
+ ],
+ "if": "${kms-env/create_db_user}",
+ "then": {
+ "property_value_attributes": {
+ "visible": false
+ }
+ },
+ "else": {
+ "property_value_attributes": {
+ "visible": true
+ }
+ }
+ }
+ ]
+ },
+ {
+ "config": "kms-properties/db_root_user",
+ "subsection-name": "subsection-kms-db-root-user-row3-col1"
+ },
+ {
+ "config": "kms-env/ranger_kms_privelege_user_jdbc_url",
+ "subsection-name": "subsection-kms-db-root-user-row3-col1"
+ },
+ {
+ "config": "kms-properties/db_root_password",
+ "subsection-name": "subsection-kms-db-root-user-row3-col2"
+ },
+ {
+ "config": "kms-env/test_root_db_kms_connection",
+ "subsection-name": "subsection-kms-db-root-user-row3-col1",
+ "property_value_attributes": {
+ "ui_only_property": true
+ }
+ },
+ {
+ "config": "dbks-site/ranger.ks.hsm.enabled",
+ "subsection-name": "subsection-kms-hsm-row1-col1"
+ },
+ {
+ "config": "dbks-site/ranger.ks.hsm.type",
+ "subsection-name": "subsection-kms-hsm-row2-col1"
+ },
+ {
+ "config": "dbks-site/ranger.ks.hsm.partition.name",
+ "subsection-name": "subsection-kms-hsm-row2-col1"
+ },
+ {
+ "config": "dbks-site/ranger.ks.hsm.partition.password.alias",
+ "subsection-name": "subsection-kms-hsm-row2-col1"
+ },
+ {
+ "config": "kms-env/hsm_partition_password",
+ "subsection-name": "subsection-kms-hsm-row2-col1"
+ }
+ ]
+ },
+ "widgets": [
+ {
+ "config": "kms-properties/DB_FLAVOR",
+ "widget": {
+ "type": "combo"
+ }
+ },
+ {
+ "config": "kms-properties/db_user",
+ "widget": {
+ "type": "text-field"
+ }
+ },
+ {
+ "config": "kms-properties/db_name",
+ "widget": {
+ "type": "text-field"
+ }
+ },
+ {
+ "config": "kms-properties/SQL_CONNECTOR_JAR",
+ "widget": {
+ "type": "text-field"
+ }
+ },
+ {
+ "config": "kms-properties/db_root_user",
+ "widget": {
+ "type": "text-field"
+ }
+ },
+ {
+ "config": "kms-properties/db_host",
+ "widget": {
+ "type": "text-field"
+ }
+ },
+ {
+ "config": "kms-properties/db_password",
+ "widget": {
+ "type": "password"
+ }
+ },
+ {
+ "config": "kms-properties/db_root_password",
+ "widget": {
+ "type": "password"
+ }
+ },
+ {
+ "config": "kms-properties/KMS_MASTER_KEY_PASSWD",
+ "widget": {
+ "type": "password"
+ }
+ },
+ {
+ "config": "kms-env/create_db_user",
+ "widget": {
+ "type": "toggle"
+ }
+ },
+ {
+ "config": "kms-env/test_db_kms_connection",
+ "widget": {
+ "type": "test-db-connection",
+ "display-name": "Test Connection",
+ "required-properties": {
+ "jdbc.driver.class": "dbks-site/ranger.ks.jpa.jdbc.driver",
+ "jdbc.driver.url": "dbks-site/ranger.ks.jpa.jdbc.url",
+ "db.connection.source.host": "ranger_kms-site/ranger_kms_server_hosts",
+ "db.type": "kms-properties/DB_FLAVOR",
+ "db.connection.destination.host": "kms-properties/db_host",
+ "db.connection.user": "kms-properties/db_user",
+ "db.connection.password": "kms-properties/db_password"
+ }
+ }
+ },
+ {
+ "config": "kms-env/test_root_db_kms_connection",
+ "widget": {
+ "type": "test-db-connection",
+ "display-name": "Test Connection",
+ "required-properties": {
+ "jdbc.driver.class": "dbks-site/ranger.ks.jpa.jdbc.driver",
+ "jdbc.driver.url": "kms-env/ranger_kms_privelege_user_jdbc_url",
+ "db.connection.source.host": "ranger_kms-site/ranger_kms_server_hosts",
+ "db.type": "kms-properties/DB_FLAVOR",
+ "db.connection.destination.host": "kms-properties/db_host",
+ "db.connection.user": "kms-properties/db_root_user",
+ "db.connection.password": "kms-properties/db_root_password"
+ }
+ }
+ },
+ {
+ "config": "kms-env/ranger_kms_privelege_user_jdbc_url",
+ "widget": {
+ "type": "text-field"
+ }
+ },
+ {
+ "config": "dbks-site/ranger.ks.jpa.jdbc.driver",
+ "widget" : {
+ "type": "text-field"
+ }
+ },
+ {
+ "config": "dbks-site/ranger.ks.jpa.jdbc.url",
+ "widget": {
+ "type": "text-field"
+ }
+ },
+ {
+ "config": "dbks-site/ranger.ks.hsm.enabled",
+ "widget": {
+ "type": "toggle"
+ }
+ },
+ {
+ "config": "dbks-site/ranger.ks.hsm.type",
+ "widget": {
+ "type": "combo"
+ }
+ },
+ {
+ "config": "dbks-site/ranger.ks.hsm.partition.name",
+ "widget": {
+ "type": "text-field"
+ }
+ },
+ {
+ "config": "dbks-site/ranger.ks.hsm.partition.password.alias",
+ "widget": {
+ "type": "text-field"
+ }
+ },
+ {
+ "config": "kms-env/hsm_partition_password",
+ "widget": {
+ "type": "password"
+ }
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/themes/theme_version_2.json b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/themes/theme_version_2.json
new file mode 100755
index 00000000000..93e948720b9
--- /dev/null
+++ b/ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/themes/theme_version_2.json
@@ -0,0 +1,156 @@
+{
+ "name": "default",
+ "configuration": {
+ "layouts": [{
+ "name": "default",
+ "tabs": [{
+ "name": "kms_keysecure",
+ "display-name": "KMS KEYSECURE",
+ "layout": {
+ "tab-columns": "1",
+ "tab-rows": "1",
+ "sections": [{
+ "name": "section-kms-keysecure",
+ "display-name": "",
+ "row-index": "0",
+ "column-index": "0",
+ "row-span": "1",
+ "column-span": "1",
+ "section-columns": "1",
+ "section-rows": "2",
+ "subsections": [{
+ "name": "subsection-kms-keysecure-row1-col1",
+ "display-name": "Ranger KMS Keysecure Enabled",
+ "row-index": "0",
+ "column-index": "0",
+ "row-span": "1",
+ "column-span": "1"
+ },
+ {
+ "name": "subsection-kms-keysecure-row2-col1",
+ "display-name": "Configuration Settings",
+ "row-index": "1",
+ "column-index": "0",
+ "row-span": "1",
+ "column-span": "1",
+ "depends-on": [{
+ "configs": [
+ "dbks-site/ranger.kms.keysecure.enabled"
+ ],
+ "if": "${dbks-site/ranger.kms.keysecure.enabled}",
+ "then": {
+ "property_value_attributes": {
+ "visible": true
+ }
+ },
+ "else": {
+ "property_value_attributes": {
+ "visible": false
+ }
+ }
+ }]
+ }
+ ]
+ }]
+ }
+ }]
+ }],
+ "placement": {
+ "configuration-layout": "default",
+ "configs": [
+ {
+ "config": "dbks-site/ranger.kms.keysecure.enabled",
+ "subsection-name": "subsection-kms-keysecure-row1-col1"
+ },
+ {
+ "config": "dbks-site/ranger.kms.keysecure.UserPassword.Authentication",
+ "subsection-name": "subsection-kms-keysecure-row2-col1"
+ },
+ {
+ "config": "dbks-site/ranger.kms.keysecure.masterkey.name",
+ "subsection-name": "subsection-kms-keysecure-row2-col1"
+ },
+ {
+ "config": "dbks-site/ranger.kms.keysecure.login.username",
+ "subsection-name": "subsection-kms-keysecure-row2-col1"
+ },
+ {
+ "config": "dbks-site/ranger.kms.keysecure.login.password",
+ "subsection-name": "subsection-kms-keysecure-row2-col1"
+ },
+ {
+ "config": "dbks-site/ranger.kms.keysecure.login.password.alias",
+ "subsection-name": "subsection-kms-keysecure-row2-col1"
+ },
+ {
+ "config": "dbks-site/ranger.kms.keysecure.hostname",
+ "subsection-name": "subsection-kms-keysecure-row2-col1"
+ },
+ {
+ "config": "dbks-site/ranger.kms.keysecure.masterkey.size",
+ "subsection-name": "subsection-kms-keysecure-row2-col1"
+ },
+ {
+ "config": "dbks-site/ranger.kms.keysecure.sunpkcs11.cfg.filepath",
+ "subsection-name": "subsection-kms-keysecure-row2-col1"
+ }
+ ]
+ },
+ "widgets": [
+ {
+ "config": "dbks-site/ranger.kms.keysecure.enabled",
+ "widget": {
+ "type": "toggle"
+ }
+ },
+ {
+ "config": "dbks-site/ranger.kms.keysecure.UserPassword.Authentication",
+ "widget": {
+ "type": "toggle"
+ }
+ },
+ {
+ "config": "dbks-site/ranger.kms.keysecure.masterkey.name",
+ "widget": {
+ "type": "text-field"
+ }
+ },
+ {
+ "config": "dbks-site/ranger.kms.keysecure.login.username",
+ "widget": {
+ "type": "text-field"
+ }
+ },
+ {
+ "config": "dbks-site/ranger.kms.keysecure.login.password",
+ "widget": {
+ "type": "password"
+ }
+ },
+ {
+ "config": "dbks-site/ranger.kms.keysecure.login.password.alias",
+ "widget": {
+ "type": "text-field"
+ }
+ },
+ {
+ "config": "dbks-site/ranger.kms.keysecure.hostname",
+ "widget": {
+ "type": "text-field"
+ }
+ },
+ {
+ "config": "dbks-site/ranger.kms.keysecure.masterkey.size",
+ "widget": {
+ "type": "text-field"
+ }
+ },
+ {
+ "config": "dbks-site/ranger.kms.keysecure.sunpkcs11.cfg.filepath",
+ "widget": {
+ "type": "text-field"
+ }
+ }
+ ]
+ }
+}
\ No newline at end of file