Ranger Atlas Plugin Configure

Ranger Atlas plugin runs inside Atlas Metadata server's JVM

module.exports = (service) ->
  options = service.options

Identities

  options.group = merge {}, service.deps.ranger_admin.options.group, options.group or {}
  options.user = merge {}, service.deps.ranger_admin.options.user, options.user or {}

Kerberos

  options.krb5 ?= {}
  options.krb5.enabled ?= service.deps.hadoop_core.options.core_site['hadoop.security.authentication'] is 'kerberos'
  options.krb5.realm ?= service.deps.krb5_client.options.etc_krb5_conf?.libdefaults?.default_realm
  # Admin Information
  options.krb5.admin = service.deps.krb5_client.options.admin[options.krb5.realm]

Access

  options.ranger_admin ?= service.deps.ranger_admin.options.admin
  options.ranger_ranger_hdfs_install ?= service.deps.ranger_hdfs[0].options.install
  options.atlas_user = service.deps.atlas.options.user
  options.atlas_group = service.deps.atlas.options.group
  options.hdfs_client = service.deps.hdfs_client[0]
  options.ranger_hdfs_install = service.deps.ranger_hdfs
  options.hdfs_krb5_user = service.deps.hadoop_core.options.hdfs.krb5_user

Plugin User

  options.plugin_user = 
    "name": options.atlas_user.name
    "firstName": ''
    "lastName": ''
    "emailAddress": ''
    "password": ''
    'userSource': 1
    'userRoleList': ['ROLE_USER']
    'groups': []
    'status': 1

Configuration

  options.install ?= {}
  options.install['PYTHON_COMMAND_INVOKER'] ?= 'python'
  # Should Atlas GRANT/REVOKE update XA policies?
  options.install['UPDATE_XAPOLICIES_ON_GRANT_REVOKE'] ?= 'true'
  options.install['CUSTOM_USER'] ?= "#{options.atlas_user.name}"
  options.install['CUSTOM_GROUP'] ?= "#{options.atlas_group.name}"
  options.conf_dir ?= service.deps.atlas.options.conf_dir

Admin properties

  options.install['POLICY_MGR_URL'] ?= service.deps.ranger_admin.options.install['policymgr_external_url']
  options.install['REPOSITORY_NAME'] ?= 'hadoop-ryba-atlas'

Service Definition

  options.service_repo ?=
    'name': options.install['REPOSITORY_NAME']
    'description': 'Atlas Repo'
    'type': 'atlas'
    'isEnabled': true
    'configs':
      # 'username': 'ranger_plugin_atlas'
      # 'password': 'RangerPluginAtlas123!'
      'username': service.deps.ranger_admin.options.plugins.principal
      'password': service.deps.ranger_admin.options.plugins.password
      'atlas.rest.address': service.deps.atlas.options.application.properties['atlas.rest.address']
      'policy.download.auth.users': "#{options.atlas_user.name}" #from ranger 0.6
      'tag.download.auth.users': "#{options.atlas_group.name}"

HDFS Storage

  options.install['XAAUDIT.HDFS.IS_ENABLED'] ?= 'true'
  if options.install['XAAUDIT.HDFS.IS_ENABLED'] is 'true'
    # migration: lucasbak 11102017
    # honored but not used by plugin
    # options.install['XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY'] ?= "#{service.deps.ranger_admin.options.conf_dir}/%app-type%/audit"
    # options.install['XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY'] ?= "#{service.deps.ranger_admin.options.conf_dir}/%app-type%/archive"
    options.install['XAAUDIT.HDFS.ENABLE'] ?= 'true'
    options.install['XAAUDIT.HDFS.HDFS_DIR'] ?= "#{options.hdfs_client.options.core_site['fs.defaultFS']}/#{options.user.name}/audit"
    options.install['XAAUDIT.HDFS.FILE_SPOOL_DIR'] ?= "#{service.deps.atlas.options.log_dir}/audit/hdfs/spool"
    options.install['XAAUDIT.HDFS.DESTINATION_DIRECTORY'] ?= "#{options.hdfs_client.options.core_site['fs.defaultFS']}/#{options.user.name}/audit/%app-type%/%time:yyyyMMdd%"
    options.install['XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY'] ?= '/var/log/ranger/%app-type%/audit'
    options.install['XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY'] ?= '/var/log/ranger/%app-type%/archive'
    options.install['XAAUDIT.HDFS.DESTINATION_FILE'] ?= '%hostname%-audit.log'
    options.install['XAAUDIT.HDFS.DESTINATION_FLUSH_INTERVAL_SECONDS'] ?= '900'
    options.install['XAAUDIT.HDFS.DESTINATION_ROLLOVER_INTERVAL_SECONDS'] ?= '86400'
    options.install['XAAUDIT.HDFS.DESTINATION _OPEN_RETRY_INTERVAL_SECONDS'] ?= '60'
    options.install['XAAUDIT.HDFS.LOCAL_BUFFER_FILE'] ?= '%time:yyyyMMdd-HHmm.ss%.log'
    options.install['XAAUDIT.HDFS.LOCAL_BUFFER_FLUSH_INTERVAL_SECONDS'] ?= '60'
    options.install['XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS'] ?= '600'
    options.install['XAAUDIT.HDFS.LOCAL_ARCHIVE _MAX_FILE_COUNT'] ?= '5'
    # AUDIT TO HDFS

HDFS Policy

  if options.install['XAAUDIT.HDFS.IS_ENABLED'] is 'true'
    throw Error 'HDFS Ranger Plugin required' unless options.ranger_hdfs_install
    options.policy_hdfs_audit ?=
      'name': "atlas-ranger-plugin-audit"
      'service': "#{options.ranger_hdfs_install['REPOSITORY_NAME']}"
      'repositoryType':"hdfs"
      'description': 'Atlas Ranger Plugin audit log policy'
      'isEnabled': true
      'isAuditEnabled': true
      'resources':
        'path':
          'isRecursive': 'true'
          'values': ['/ranger/audit/atlas']
          'isExcludes': false
      'policyItems': [
        'users': ["#{options.atlas_user.name}"]
        'groups': []
        'delegateAdmin': true
        'accesses': [
            "isAllowed": true
            "type": "read"
        ,
            "isAllowed": true
            "type": "write"
        ,
            "isAllowed": true
            "type": "execute"
        ]
        'conditions': []
      ]

Atlas Audit (database storage)

  #Deprecated
  options.install['XAAUDIT.DB.IS_ENABLED'] ?= 'false'
  if options.install['XAAUDIT.DB.IS_ENABLED'] is 'true'
    options.install['XAAUDIT.DB.FLAVOUR'] ?= 'MYSQL'
    switch options.install['XAAUDIT.DB.FLAVOUR']
      when 'MYSQL'
        options.install['SQL_CONNECTOR_JAR'] ?= '/usr/share/java/mysql-connector-java.jar'
        options.install['XAAUDIT.DB.HOSTNAME'] ?= service.deps.ranger_admin.options.install['db_host']
        options.install['XAAUDIT.DB.DATABASE_NAME'] ?= service.deps.ranger_admin.options.install['audit_db_name']
        options.install['XAAUDIT.DB.USER_NAME'] ?= service.deps.ranger_admin.options.install['audit_db_user']
        options.install['XAAUDIT.DB.PASSWORD'] ?= service.deps.ranger_admin.options.install['audit_db_password']
      when 'ORACLE'
        throw Error 'Ryba does not support ORACLE Based Ranger Installation'
      else
        throw Error "Apache Ranger does not support chosen DB FLAVOUR"
  else
      options.install['XAAUDIT.DB.HOSTNAME'] ?= 'NONE'
      options.install['XAAUDIT.DB.DATABASE_NAME'] ?= 'NONE'
      options.install['XAAUDIT.DB.USER_NAME'] ?= 'NONE'
      options.install['XAAUDIT.DB.PASSWORD'] ?= 'NONE'

Atlas Audit (to SOLR)

  if service.deps.ranger_admin.options.install['audit_store'] is 'solr'
    options.audit ?= {}
    options.install['XAAUDIT.SOLR.IS_ENABLED'] ?= 'true'
    options.install['XAAUDIT.SOLR.ENABLE'] ?= 'true'
    options.install['XAAUDIT.SOLR.URL'] ?= service.deps.ranger_admin.options.install['audit_solr_urls']
    options.install['XAAUDIT.SOLR.USER'] ?= service.deps.ranger_admin.options.install['audit_solr_user']
    options.install['XAAUDIT.SOLR.ZOOKEEPER'] ?= service.deps.ranger_admin.options.install['audit_solr_zookeepers']
    options.install['XAAUDIT.SOLR.PASSWORD'] ?= service.deps.ranger_admin.options.install['audit_solr_password']
    options.install['XAAUDIT.SOLR.FILE_SPOOL_DIR'] ?= "#{service.deps.atlas.options.log_dir}/audit/solr/spool"
    options.audit['xasecure.audit.destination.solr.force.use.inmemory.jaas.config'] ?= 'true'
    options.audit['xasecure.audit.jaas.inmemory.loginModuleName'] ?= 'com.sun.security.auth.module.Krb5LoginModule'
    options.audit['xasecure.audit.jaas.inmemory.loginModuleControlFlag'] ?= 'required'
    options.audit['xasecure.audit.jaas.inmemory.Client.option.useKeyTab'] ?= 'true'
    options.audit['xasecure.audit.jaas.inmemory.Client.option.debug'] ?= 'true'
    options.audit['xasecure.audit.jaas.inmemory.Client.option.doNotPrompt'] ?= 'yes'
    options.audit['xasecure.audit.jaas.inmemory.Client.option.storeKey'] ?= 'yes'
    options.audit['xasecure.audit.jaas.inmemory.Client.option.serviceName'] ?= 'solr'
    atlas_princ = service.deps.atlas.options.application.properties['atlas.authentication.principal'].replace '_HOST', service.deps.atlas.node.fqdn
    options.audit['xasecure.audit.jaas.inmemory.Client.option.principal'] ?= atlas_princ
    options.audit['xasecure.audit.jaas.inmemory.Client.option.keyTab'] ?= service.deps.atlas.options.application.properties['atlas.authentication.keytab']

Plugin Execution

Used only if SSL is enabled between Policy Admin Tool and Plugin

  if service.deps.ranger_admin.options.site['ranger.service.https.attrib.ssl.enabled'] is 'true'
    options.ssl = merge {}, service.deps.hadoop_core.options.ssl, options.ssl
    options.install['SSL_KEYSTORE_FILE_PATH'] ?= service.deps.hadoop_core.options.ssl_server['ssl.server.keystore.location']
    options.install['SSL_KEYSTORE_PASSWORD'] ?= service.deps.hadoop_core.options.ssl_server['ssl.server.keystore.password']
    options.install['SSL_TRUSTSTORE_FILE_PATH'] ?= service.deps.hadoop_core.options.ssl_server['ssl.server.truststore.location']
    options.install['SSL_TRUSTSTORE_PASSWORD'] ?= service.deps.hadoop_core.options.ssl_server['ssl.server.truststore.password']

Wait

  options.wait_ranger_admin = service.deps.ranger_admin.options.wait

Dependencies

{merge} = require '@nikitajs/core/lib/misc'

Ranger Atlas Plugin Configure

Identities

Kerberos

Access

Plugin User

Configuration

Admin properties

Service Definition

HDFS Storage

HDFS Policy

Atlas Audit (database storage)

Atlas Audit (to SOLR)

Plugin Execution

Wait

Dependencies

Quick Navigation

Contribute

Suggestions, problems, feedback?