in ambari-server/src/main/resources/stacks/BIGTOP/3.3.0/services/RANGER_KMS/package/scripts/kms.py [0:0]
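def enable_kms_plugin():
    """Wire the Ranger KMS plugin into the local KMS configuration.

    Does nothing unless ``params.has_ranger_admin`` is set. Otherwise, in order:

    1. Registers (or looks up) the KMS service in Ranger admin, using the
       Kerberos-aware helper when the stack supports it and security is on.
    2. Writes ``ranger-security.xml`` carrying the enable timestamp and creates
       the ``/etc/ranger/<repo_name>/policycache`` tree plus the policy cache file.
    3. Writes the ranger-kms-audit, ranger-kms-security and ranger-policymgr-ssl
       XML configs. Password-bearing properties are replaced with the literal
       ``"crypted"`` in the on-disk XML; the real secrets are pushed into the
       JCEKS credential file through ``params.cred_setup_prefix`` instead.
    4. Restricts the credential file and its ``.crc`` sidecar to mode 0640.
    5. Creates ``/ranger/audit/kms`` in HDFS when HDFS audit is enabled and an
       HDFS client is present, and materialises ``hdfs-site.xml`` in the KMS conf
       dir for NameNode HA (deleting it otherwise).

    A failed Get/Create of the Ranger service is logged and does not abort the
    remaining steps; this best-effort behaviour is intentional and preserved.
    """
    import params

    if not params.has_ranger_admin:
        return

    # --- 1. register the KMS service with Ranger admin ---------------------
    if params.stack_supports_ranger_kerberos and params.security_enabled:
        if not is_empty(params.rangerkms_principal) and params.rangerkms_principal != "":
            ranger_flag = check_ranger_service_support_kerberos(
                params.kms_user, params.rangerkms_keytab, params.rangerkms_principal
            )
        else:
            # No dedicated KMS principal configured: fall back to the SPNEGO identity.
            ranger_flag = check_ranger_service_support_kerberos(
                params.kms_user, params.spengo_keytab, params.spnego_principal
            )
    else:
        ranger_flag = check_ranger_service()

    if not ranger_flag:
        # Best-effort: the local configuration is still laid down so that a
        # later Ranger-side fix does not require re-running this step.
        Logger.error("Error in Get/Create service for Ranger Kms.")

    # --- 2. enable marker and policy cache layout --------------------------
    current_datetime = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    File(
        format("{kms_conf_dir}/ranger-security.xml"),
        owner=params.kms_user,
        group=params.kms_group,
        mode=0o644,
        content=format("<ranger>\n<enabled>{current_datetime}</enabled>\n</ranger>"),
    )

    repo_dir = os.path.join("/etc", "ranger", params.repo_name)
    policycache_dir = os.path.join(repo_dir, "policycache")
    Directory(
        [repo_dir, policycache_dir],
        owner=params.kms_user,
        group=params.kms_group,
        mode=0o775,
        create_parents=True,
    )
    File(
        os.path.join(policycache_dir, format("kms_{repo_name}.json")),
        owner=params.kms_user,
        group=params.kms_group,
        mode=0o644,
    )

    # --- 3. plugin XML configs, with plain-text passwords masked ----------
    configurations = params.config["configurations"]
    configuration_attributes = params.config["configurationAttributes"]

    # NOTE(review): 0o744 sets the execute bit on plain XML config files;
    # 0o644 would be the least-privilege equivalent. Kept to preserve behaviour.
    XmlConfig(
        "ranger-kms-audit.xml",
        conf_dir=params.kms_conf_dir,
        configurations=_mask_passwords(
            configurations["ranger-kms-audit"],
            (params.plugin_audit_password_property,),
        ),
        configuration_attributes=configuration_attributes["ranger-kms-audit"],
        owner=params.kms_user,
        group=params.kms_group,
        mode=0o744,
    )
    # NOTE(review): written from the live configuration without the password
    # masking applied to the other two files — confirm it carries no secrets.
    XmlConfig(
        "ranger-kms-security.xml",
        conf_dir=params.kms_conf_dir,
        configurations=configurations["ranger-kms-security"],
        configuration_attributes=configuration_attributes["ranger-kms-security"],
        owner=params.kms_user,
        group=params.kms_group,
        mode=0o744,
    )
    XmlConfig(
        "ranger-policymgr-ssl.xml",
        conf_dir=params.kms_conf_dir,
        configurations=_mask_passwords(
            configurations["ranger-kms-policymgr-ssl"],
            params.kms_plugin_password_properties,
        ),
        configuration_attributes=configuration_attributes["ranger-kms-policymgr-ssl"],
        owner=params.kms_user,
        group=params.kms_group,
        mode=0o744,
    )

    # --- 4. real secrets go into the JCEKS credential store ---------------
    if params.xa_audit_db_is_enabled:
        _store_credential(
            params.cred_setup_prefix,
            params.credential_file,
            "auditDBCred",
            params.xa_audit_db_password,
            params.java_home,
        )
    _store_credential(
        params.cred_setup_prefix,
        params.credential_file,
        "sslKeyStore",
        params.ssl_keystore_password,
        params.java_home,
    )
    _store_credential(
        params.cred_setup_prefix,
        params.credential_file,
        "sslTrustStore",
        params.ssl_truststore_password,
        params.java_home,
    )

    # The store now holds secrets: owner-rw / group-r only, and only if it was
    # actually created (the CLI above may not have produced it).
    File(
        params.credential_file,
        owner=params.kms_user,
        group=params.kms_group,
        only_if=format("test -e {credential_file}"),
        mode=0o640,
    )
    # Hadoop's local filesystem writes a hidden ".<name>.crc" checksum sidecar
    # next to the JCEKS file; give it the same ownership and mode.
    dot_jceks_crc_file_path = os.path.join(
        os.path.dirname(params.credential_file),
        "." + os.path.basename(params.credential_file) + ".crc",
    )
    File(
        dot_jceks_crc_file_path,
        owner=params.kms_user,
        group=params.kms_group,
        only_if=format("test -e {dot_jceks_crc_file_path}"),
        mode=0o640,
    )

    # --- 5. HDFS audit directory and hdfs-site.xml for NameNode HA --------
    if (
        params.xa_audit_hdfs_is_enabled
        and params.has_namenode
        and params.has_hdfs_client_on_node
    ):
        try:
            params.HdfsResource(
                "/ranger/audit",
                type="directory",
                action="create_on_execute",
                owner=params.hdfs_user,
                group=params.hdfs_user,
                mode=0o755,
                recursive_chmod=True,
            )
            params.HdfsResource(
                "/ranger/audit/kms",
                type="directory",
                action="create_on_execute",
                owner=params.kms_user,
                group=params.kms_group,
                mode=0o750,
                recursive_chmod=True,
            )
            params.HdfsResource(None, action="execute")
        except Exception as err:
            # Audit-directory creation is not fatal for plugin enablement; the
            # failure is logged with its traceback and the remaining steps run.
            Logger.exception(
                f"Audit directory creation in HDFS for RANGER KMS Ranger plugin failed with error:\n{err}"
            )

    # More than one NameNode host means HA: the plugin needs a local
    # hdfs-site.xml to resolve the nameservice. Otherwise drop any stale copy.
    if params.xa_audit_hdfs_is_enabled and len(params.namenode_host) > 1:
        Logger.info(
            "Audit to Hdfs enabled in NameNode HA environment, creating hdfs-site.xml"
        )
        XmlConfig(
            "hdfs-site.xml",
            conf_dir=params.kms_conf_dir,
            configurations=configurations["hdfs-site"],
            configuration_attributes=configuration_attributes["hdfs-site"],
            owner=params.kms_user,
            group=params.kms_group,
            mode=0o644,
        )
    else:
        File(format("{kms_conf_dir}/hdfs-site.xml"), action="delete")


def _mask_passwords(configurations, password_properties):
    """Return a copy of *configurations* with every present password property set to ``"crypted"``.

    The original mapping is never mutated; ``params.config`` must keep the real
    values because the credential-store step below consumes them.
    """
    masked = dict(configurations)
    for prop in password_properties:
        if prop in masked:
            masked[prop] = "crypted"
    return masked


def _store_credential(prefix, credential_file, alias, secret, java_home):
    """Run the credential-store CLI once to put *secret* under *alias* in *credential_file*.

    ``prefix`` is ``params.cred_setup_prefix`` (the CLI command as a tuple); the
    secret is passed wrapped in ``PasswordString``, presumably so the resource
    layer masks it in the logged command line despite ``logoutput=True``
    — confirm against the resource implementation.
    """
    Execute(
        prefix
        + ("-f", credential_file, "-k", alias, "-v", PasswordString(secret), "-c", "1"),
        environment={"JAVA_HOME": java_home},
        logoutput=True,
        sudo=True,
    )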