in ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/package/scripts/kms.py [0:0]
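def kms(upgrade_type=None):
    """Prepare the local host for Ranger KMS: directories, drivers, secrets, configs.

    All work is skipped unless ``params.has_ranger_admin`` is true. When it is,
    the function, in order:

    1. creates the KMS directories and fixes their ownership,
    2. fetches the DB-connection-check jar and runs the connection check,
    3. optionally installs the audit JDBC driver,
    4. installs the init script and the ``ranger-kms`` launcher symlinks,
    5. stores passwords through ``do_keystore_setup``,
    6. writes the XML/log configuration files, replacing the listed password
       properties with ``"_"`` in dbks-site.xml and ranger-kms-site.xml.

    Args:
        upgrade_type: accepted for interface compatibility; not read here.
    """
    import params

    if params.has_ranger_admin:
        # ranger2.3.0
        # NOTE(review): this path names a META-INF/services entry but is created
        # as a directory — confirm that is what the packaged webapp expects.
        Directory(
            format(
                "{kms_home}/ews/webapp/META-INF/services/org.apache.hadoop.crypto.key.KeyProviderFactory"
            ),
            mode=0o755,
            owner=params.kms_user,
            group=params.kms_group,
            recursive_ownership=True,
            create_parents=True,
        )
        Directory(
            params.kms_conf_dir,
            owner=params.kms_user,
            group=params.kms_group,
            create_parents=True,
        )
        # NOTE(review): no owner/group/mode is given for the server-key
        # directory, and cd_access="a" opens the path components to all users.
        # Confirm the resulting permissions are what a key directory should have.
        Directory("/etc/security/serverKeys", create_parents=True, cd_access="a")
        Directory(
            "/etc/ranger/kms",
            create_parents=True,
            owner=params.kms_user,
            group=params.kms_group,
        )
        copy_jdbc_connector(params.kms_home)

        # The jar below is downloaded and then executed by the connection check.
        # No checksum or signature verification is visible in this function, so
        # its integrity rests on the transport/source behind jdk_location.
        File(
            format("/usr/lib/ambari-agent/{check_db_connection_jar_name}"),
            content=DownloadSource(format("{jdk_location}/{check_db_connection_jar_name}")),
            mode=0o644,
        )

        # `cp` must keep this name: the command template below refers to {cp}.
        cp = format("{check_db_connection_jar}")
        flavor_key = params.db_flavor.lower()
        if flavor_key == "sqla":
            cp = cp + os.pathsep + format("{params.kms_lib_path}/sajdbc4.jar")
        else:
            path_to_jdbc = format("{params.kms_lib_path}/{jdbc_jar_name}")
            if not os.path.isfile(path_to_jdbc):
                # Look the default driver name up once, by the lower-cased
                # flavor, so the lookup and the error message agree.
                default_jar_name = (
                    params.default_connectors_map[flavor_key]
                    if flavor_key in params.default_connectors_map
                    else None
                )
                path_to_jdbc = (
                    format("{kms_home}/ews/lib/") + default_jar_name
                    if default_jar_name is not None
                    else None
                )
                # os.path.isfile(None) raises TypeError, so an unknown flavor
                # has to be handled before the file test.
                if path_to_jdbc is None or not os.path.isfile(path_to_jdbc):
                    # Fallback: wildcard classpath entry, which puts every jar
                    # in the KMS lib directory on the check's classpath.
                    path_to_jdbc = format("{params.kms_lib_path}/") + "*"
                    driver_label = (
                        default_jar_name
                        if default_jar_name is not None
                        else "(none registered for db flavor '" + params.db_flavor + "')"
                    )
                    # This message is not passed through format(); the brace
                    # placeholders are printed literally as a usage hint.
                    error_message = (
                        "Error! Sorry, but we can't find jdbc driver with default name "
                        + driver_label
                        + " in ranger kms lib dir. So, db connection check can fail. Please run 'ambari-server setup --jdbc-db={db_name} --jdbc-driver={path_to_jdbc} on server host.'"
                    )
                    Logger.error(error_message)
            cp = cp + os.pathsep + path_to_jdbc

        # SECURITY: the DB password is expanded into the java command line, so
        # it is present in the process arguments on this host while the check
        # runs (and the check is retried up to 5 times). The `!p` conversion
        # concerns how the value is rendered/escaped by format(); it does not
        # keep the secret off argv.
        # NOTE(review): {cp}, {db_user} and {ranger_kms_jdbc_driver} are placed
        # in the command string unquoted, and the JDBC URL is wrapped in literal
        # single quotes — presumably all cluster configuration; confirm these
        # values are constrained before they reach this template.
        db_connection_check_command = format(
            "{ambari_java_home}/bin/java -cp {cp} org.apache.ambari.server.DBConnectionVerification '{ranger_kms_jdbc_connection_url}' {db_user} {db_password!p} {ranger_kms_jdbc_driver}"
        )
        env_dict = {}
        if flavor_key == "sqla":
            env_dict = {"LD_LIBRARY_PATH": params.ld_library_path}
        Execute(
            db_connection_check_command,
            path="/usr/sbin:/sbin:/usr/local/bin:/bin:/usr/bin",
            tries=5,
            try_sleep=10,
            environment=env_dict,
        )

        # Audit-to-DB driver: replace any previous jar with a fresh download.
        if (
            params.xa_audit_db_is_enabled
            and params.driver_source is not None
            and not params.driver_source.endswith("/None")
        ):
            if params.xa_previous_jdbc_jar and os.path.isfile(params.xa_previous_jdbc_jar):
                File(params.xa_previous_jdbc_jar, action="delete")
            # As with the check jar, no integrity verification of the
            # downloaded driver is visible here.
            File(
                params.downloaded_connector_path,
                content=DownloadSource(params.driver_source),
                mode=0o644,
            )
            Execute(
                (
                    "cp",
                    "--remove-destination",
                    params.downloaded_connector_path,
                    params.driver_target,
                ),
                path=["/bin", "/usr/bin/"],
                sudo=True,
            )
            File(params.driver_target, mode=0o644)

        Directory(
            os.path.join(params.kms_home, "ews", "webapp", "WEB-INF", "classes", "lib"),
            mode=0o755,
            owner=params.kms_user,
            group=params.kms_group,
        )

        # Install the init script once; skipped when the target already exists
        # or the packaged script is missing.
        Execute(
            ("cp", format("{kms_home}/ranger-kms-initd"), "/etc/init.d/ranger-kms"),
            not_if=format("ls /etc/init.d/ranger-kms"),
            only_if=format("ls {kms_home}/ranger-kms-initd"),
            sudo=True,
        )
        File("/etc/init.d/ranger-kms", mode=0o755)
        Directory(
            format("{kms_home}/"),
            owner=params.kms_user,
            group=params.kms_group,
            recursive_ownership=True,
        )
        Directory(
            params.ranger_kms_pid_dir,
            mode=0o755,
            owner=params.kms_user,
            group=params.user_group,
            cd_access="a",
            create_parents=True,
        )
        Directory(
            params.kms_log_dir,
            owner=params.kms_user,
            group=params.kms_group,
            cd_access="a",
            create_parents=True,
            mode=0o755,
        )
        generate_logfeeder_input_config(
            "ranger-kms",
            Template("input.config-ranger-kms.json.j2", extra_imports=[default]),
        )
        File(
            format("{kms_conf_dir}/ranger-kms-env.sh"),
            content=InlineTemplate(params.kms_env_content),
            owner=params.kms_user,
            group=params.kms_group,
            mode=0o755,
        )

        # Launcher symlinks, each created only if absent and the source exists.
        Execute(
            ("ln", "-sf", format("{kms_home}/ranger-kms"), "/usr/bin/ranger-kms"),
            not_if=format("ls /usr/bin/ranger-kms"),
            only_if=format("ls {kms_home}/ranger-kms"),
            sudo=True,
        )
        File("/usr/bin/ranger-kms", mode=0o755)
        Execute(
            ("ln", "-sf", format("{kms_home}/ranger-kms"), "/usr/bin/ranger-kms-services.sh"),
            not_if=format("ls /usr/bin/ranger-kms-services.sh"),
            only_if=format("ls {kms_home}/ranger-kms"),
            sudo=True,
        )
        File("/usr/bin/ranger-kms-services.sh", mode=0o755)
        Execute(
            (
                "ln",
                "-sf",
                format("{kms_home}/ranger-kms-initd"),
                format("{kms_home}/ranger-kms-services.sh"),
            ),
            not_if=format("ls {kms_home}/ranger-kms-services.sh"),
            only_if=format("ls {kms_home}/ranger-kms-initd"),
            sudo=True,
        )
        File(format("{kms_home}/ranger-kms-services.sh"), mode=0o755)

        # Secrets are handed to do_keystore_setup (defined outside this
        # function) under their aliases; how they are stored is not visible here.
        do_keystore_setup(
            params.credential_provider_path, params.jdbc_alias, params.db_password
        )
        do_keystore_setup(
            params.credential_provider_path,
            params.masterkey_alias,
            params.kms_master_key_password,
        )
        if params.stack_support_kms_hsm and params.enable_kms_hsm:
            do_keystore_setup(
                params.credential_provider_path,
                params.hms_partition_alias,
                str(params.hms_partition_passwd),
            )
        if params.stack_supports_ranger_kms_ssl and params.ranger_kms_ssl_enabled:
            do_keystore_setup(
                params.ranger_kms_cred_ssl_path,
                params.ranger_kms_ssl_keystore_alias,
                params.ranger_kms_ssl_passwd,
            )
        # "_" is treated as "no password set" for the KeySecure login.
        if (
            params.enable_kms_keysecure
            and not is_empty(params.keysecure_login_password)
            and params.keysecure_login_password != "_"
        ):
            do_keystore_setup(
                params.credential_provider_path,
                params.keysecure_login_password_alias,
                params.keysecure_login_password,
            )

        # remove plain-text password from xml configs
        # The file is written 0o644, so every property named in
        # dbks_site_password_properties is replaced by "_" on a copy first; a
        # password property missing from that list would be written in clear.
        dbks_site_copy = {}
        dbks_site_copy.update(params.config["configurations"]["dbks-site"])
        for prop in params.dbks_site_password_properties:
            if prop in dbks_site_copy:
                dbks_site_copy[prop] = "_"
        XmlConfig(
            "dbks-site.xml",
            conf_dir=params.kms_conf_dir,
            configurations=dbks_site_copy,
            configuration_attributes=params.config["configurationAttributes"]["dbks-site"],
            owner=params.kms_user,
            group=params.kms_group,
            mode=0o644,
        )

        ranger_kms_site_copy = {}
        ranger_kms_site_copy.update(params.config["configurations"]["ranger-kms-site"])
        if params.stack_supports_ranger_kms_ssl:
            # remove plain-text password from xml configs
            # Scrubbing happens only on stacks that support KMS SSL; otherwise
            # the copy is written as received.
            for prop in params.ranger_kms_site_password_properties:
                if prop in ranger_kms_site_copy:
                    ranger_kms_site_copy[prop] = "_"
        XmlConfig(
            "ranger-kms-site.xml",
            conf_dir=params.kms_conf_dir,
            configurations=ranger_kms_site_copy,
            configuration_attributes=params.config["configurationAttributes"][
                "ranger-kms-site"
            ],
            owner=params.kms_user,
            group=params.kms_group,
            mode=0o644,
        )

        # kms-site.xml gets no password scrubbing; the only change is mirroring
        # the HA keytab property onto the non-HA key when the HA one is present.
        kms_site_copy = {}
        kms_site_copy.update(params.config["configurations"]["kms-site"])
        if "hadoop.kms.ha.authentication.kerberos.keytab" in kms_site_copy:
            kms_site_copy["hadoop.kms.authentication.kerberos.keytab"] = kms_site_copy[
                "hadoop.kms.ha.authentication.kerberos.keytab"
            ]
        XmlConfig(
            "kms-site.xml",
            conf_dir=params.kms_conf_dir,
            configurations=kms_site_copy,
            configuration_attributes=params.config["configurationAttributes"]["kms-site"],
            owner=params.kms_user,
            group=params.kms_group,
            mode=0o644,
        )
        File(
            os.path.join(params.kms_conf_dir, "kms-log4j.properties"),
            owner=params.kms_user,
            group=params.kms_group,
            content=InlineTemplate(params.kms_log4j),
            mode=0o644,
        )
        File(
            format("{params.kms_conf_dir}/kms-logback.xml"),
            content=InlineTemplate(params.kms_logback_content),
            owner=params.kms_user,
            group=params.kms_group,
            mode=0o644,
        )

        # core-site.xml linking required by setup for HDFS encryption
        XmlConfig(
            "core-site.xml",
            conf_dir=params.kms_conf_dir,
            configurations=params.config["configurations"]["core-site"],
            configuration_attributes=params.config["configurationAttributes"]["core-site"],
            owner=params.kms_user,
            group=params.kms_group,
            mode=0o644,
            xml_include_file=params.mount_table_xml_inclusion_file_full_path,
        )
        if params.mount_table_content:
            File(
                params.mount_table_xml_inclusion_file_full_path,
                owner=params.kms_user,
                group=params.kms_group,
                content=params.mount_table_content,
                mode=0o644,
            )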