
[DataSophon] DataSophon 1.2.1: integrating Ranger UserSync

2024-07-28, Linux

Contents

1. Overview

2. Implementation steps

2.1 Download and build the ranger-usersync package

2.2 Build the component package

2.3 Edit the metadata file

2.4 Source changes

3. Reinstall


1. Overview


DDP 1.2.1 ships only RangerAdmin out of the box. This post integrates Ranger UserSync into the same Ranger component, so that the users and groups of the Linux hosts are synchronised into the RangerAdmin database and can be managed there.


2. Implementation steps


2.1 Download and build the ranger-usersync package


Download the source tarball from the Ranger website:

https://ranger.apache.org/download.html

Build it yourself, or take a prebuilt package from the web. Prefer building from the signed source release; if you do take a prebuilt tarball from a third-party site, verify it against a hash you trust, because this package will run as root on the usersync host (see the runAs setting in 2.3).

Reference articles:

Apache Ranger: Download Apache Ranger

Ranger installation and usage (CSDN blog)

https://juejin.cn/post/6844904159930482696

https://zhuanlan.zhihu.com/p/562012618

Ranger explained: the big-data access control tool (CSDN blog)

2.2 Build the component package


Integrate the ranger-usersync installation package into the Ranger component package and repackage it. The two inputs are the RangerAdmin package that DDP already ships (ranger-2.1.0.tar.gz) and the usersync package built in 2.1 (ranger-2.1.0-usersync.tar.gz).

# Unpack the existing Ranger component package
tar -zxvf ranger-2.1.0.tar.gz
cd ranger-2.1.0

# Unpack the usersync package you built into the Ranger package directory.
# tar treats a trailing path argument as a member name to extract, so the
# destination has to be given with -C rather than as "./"
tar -zxvf ../ranger-2.1.0-usersync.tar.gz -C .
cd ranger-2.1.0-usersync
vim ranger_usersync.sh
#!/bin/bash

# Directory this wrapper lives in (the ranger-2.1.0-usersync directory);
# DataSophon invokes the runner with a path relative to the package root
current_path=$(dirname "$0")

usage="usage: $0 {start|stop|status|restart}"

start(){
    echo "ranger usersync start"
    sh "$current_path/ranger-usersync" start
    if [ $? -eq 0 ]; then
        echo "ranger usersync start success"
    else
        echo "ranger usersync start failed"
        exit 1
    fi
}

stop(){
    echo "ranger usersync stop"
    sh "$current_path/ranger-usersync" stop
    if [ $? -eq 0 ]; then
        echo "ranger usersync stop success"
    else
        echo "ranger usersync stop failed"
        exit 1
    fi
}

status(){
    # Main class of the usersync JVM. pgrep -f is case-sensitive, so the name
    # must be spelled exactly as it appears on the java command line
    process_name="UnixAuthenticationService"

    # pgrep -f matches the full command line of every process; DataSophon
    # reads exit 0 as "running" and a non-zero exit as "stopped"
    if pgrep -f "$process_name" > /dev/null; then
        echo "process $process_name is running"
        exit 0
    else
        echo "process $process_name is not running"
        exit 1
    fi
}

restart(){
    echo "ranger usersync restart"
    sh "$current_path/ranger-usersync" restart
    if [ $? -eq 0 ]; then
        echo "ranger usersync restart success"
    else
        echo "ranger usersync restart failed"
        exit 1
    fi
}

# Dispatch on the first argument
startstop=$1

case $startstop in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status
        ;;
    restart)
        restart
        ;;
    *)
        echo "$usage"
        exit 1
        ;;
esac

echo "end $startstop ranger usersync"

Package it, from the directory that contains ranger-2.1.0/:

cd ../..
tar -zcvf ranger-2.1.0.tar.gz ranger-2.1.0
# DataSophon ships every package with a sidecar .md5 that must hold the digest
# of the tarball you just built; compute it rather than pasting a fixed value,
# otherwise the package fails the integrity check when it is distributed
md5sum ranger-2.1.0.tar.gz | awk '{print $1}' > ranger-2.1.0.tar.gz.md5
cp ranger-2.1.0.tar.gz ranger-2.1.0.tar.gz.md5 /opt/datasophon/DDP/packages/

2.3 Edit the metadata file


Ranger installation descriptor (service_ddl.json). The new RangerUserSync role is added next to RangerAdmin, and a second generator renders the usersync template; its output is named install.properties1 because the admin generator already produces install.properties, and the worker renames it in 2.4.

vim /opt/datasophon/DDP/packages/datasophon-manager-1.2.1/conf/meta/DDP-1.2.1/RANGER/service_ddl.json
{
  "name": "RANGER",
  "label": "Ranger",
  "description": "Access control framework",
  "version": "2.1.0",
  "sortNum": 10,
  "dependencies":[],
  "packageName": "ranger-2.1.0.tar.gz",
  "decompressPackageName": "ranger-2.1.0",
  "roles": [
    {
      "name": "RangerAdmin",
      "label": "RangerAdmin",
      "roleType": "master",
      "cardinality": "1",
      "logFile": "/var/log/ranger/admin/ranger-admin-${host}-root.log",
      "jmxPort": 6081,
      "sortNum": 1,
      "startRunner": {
        "timeout": "60",
        "program": "bin/ranger_admin.sh",
        "args": [
          "start"
        ]
      },
      "stopRunner": {
        "timeout": "600",
        "program": "bin/ranger_admin.sh",
        "args": [
          "stop"
        ]
      },
      "statusRunner": {
        "timeout": "60",
        "program": "bin/ranger_admin.sh",
        "args": [
          "status"
        ]
      },
      "externalLink": {
        "name": "RangerAdmin UI",
        "label": "RangerAdmin UI",
        "url": "http://${host}:6080"
      }
    },
    {
      "name": "RangerUserSync",
      "label": "RangerUserSync",
      "roleType": "master",
      "runAs": {
        "user": "root",
        "group": "root"
      },
      "cardinality": "1",
      "logFile": "ranger-2.1.0-usersync/logs/usersync-${host}-ranger.log",
      "jmxPort": "",
      "sortNum": 2,
      "startRunner": {
        "timeout": "60",
        "program": "ranger-2.1.0-usersync/ranger_usersync.sh",
        "args": [
          "start"
        ]
      },
      "stopRunner": {
        "timeout": "600",
        "program": "ranger-2.1.0-usersync/ranger_usersync.sh",
        "args": [
          "stop"
        ]
      },
      "statusRunner": {
        "timeout": "60",
        "program": "ranger-2.1.0-usersync/ranger_usersync.sh",
        "args": [
          "status"
        ]
      },
      "restartRunner": {
        "timeout": "60",
        "program": "ranger-2.1.0-usersync/ranger_usersync.sh",
        "args": [
          "restart"
        ]
      }
    }
  ],
  "configWriter": {
    "generators": [
      {
        "filename": "install.properties",
        "configFormat": "custom",
        "templateName": "ranger-install.ftl",
        "outputDirectory": "",
        "includeParams": [
          "rootPassword",
          "dbHost",
          "database",
          "rangerUser",
          "rangerPassword",
          "rangerAdminUrl",
          "enableHdfsPlugin",
          "enableHivePlugin",
          "enableHbasePlugin",
          "spnegoPrincipal",
          "spnegoKeytab",
          "adminPrincipal",
          "adminKeytab",
          "hadoopHome",
          "rangerHome"
        ]
      },
      {
        "filename": "install.properties1",
        "configFormat": "custom",
        "templateName": "ranger-usersync-install.ftl",
        "outputDirectory": "ranger-2.1.0-usersync",
        "includeParams": [
          "rangerAdminUrl",
          "adminPrincipal",
          "adminKeytab",
          "hadoopHome",
          "syncInterval"
        ]
      }
    ]
  },
  "parameters": [
    {
      "name": "rootPassword",
      "label": "Database root password",
      "description": "",
      "required": true,
      "configType": "map",
      "type": "input",
      "value": "",
      "configurableInWizard": true,
      "hidden": false,
      "defaultValue": "123456"
    },
    {
      "name": "dbHost",
      "label": "Database host",
      "description": "",
      "required": true,
      "configType": "map",
      "type": "input",
      "value": "",
      "configurableInWizard": true,
      "hidden": false,
      "defaultValue": "${apiHost}"
    },{
      "name": "database",
      "label": "Database name",
      "description": "",
      "required": true,
      "configType": "map",
      "type": "input",
      "value": "",
      "configurableInWizard": true,
      "hidden": false,
      "defaultValue": "ranger"
    },
    {
      "name": "rangerUser",
      "label": "Ranger database user",
      "description": "",
      "required": true,
      "configType": "map",
      "type": "input",
      "value": "",
      "configurableInWizard": true,
      "hidden": false,
      "defaultValue": "ranger"
    },{
      "name": "rangerPassword",
      "label": "Ranger database password",
      "description": "",
      "required": true,
      "configType": "map",
      "type": "input",
      "value": "",
      "configurableInWizard": true,
      "hidden": false,
      "defaultValue": "ranger"
    },
    {
      "name": "rangerAdminUrl",
      "label": "Ranger admin URL",
      "description": "",
      "required": true,
      "configType": "map",
      "type": "input",
      "value": "",
      "configurableInWizard": true,
      "hidden": false,
      "defaultValue": "${rangerAdminUrl}"
    },
    {
      "name": "enableHdfsPlugin",
      "label": "Enable the HDFS Ranger plugin",
      "description": "",
      "required": true,
      "type": "switch",
      "value": false,
      "configurableInWizard": true,
      "hidden": false,
      "defaultValue": false
    },
    {
      "name": "enableHivePlugin",
      "label": "Enable the Hive Ranger plugin",
      "description": "",
      "required": true,
      "type": "switch",
      "value": false,
      "configurableInWizard": true,
      "hidden": false,
      "defaultValue": false
    },
    {
      "name": "enableHbasePlugin",
      "label": "Enable the HBase Ranger plugin",
      "description": "",
      "required": true,
      "type": "switch",
      "value": false,
      "configurableInWizard": true,
      "hidden": false,
      "defaultValue": false
    },
    {
      "name": "enableKerberos",
      "label": "Enable Kerberos authentication",
      "description": "Enable Kerberos authentication",
      "required": false,
      "type": "switch",
      "value": false,
      "configurableInWizard": true,
      "hidden": true,
      "defaultValue": false
    },
    {
      "name": "spnegoPrincipal",
      "label": "SPNEGO principal",
      "description": "",
      "configWithKerberos": true,
      "required": false,
      "configType": "map",
      "type": "input",
      "value": "HTTP/${host}@HADOOP.COM",
      "configurableInWizard": true,
      "hidden": true,
      "defaultValue": "HTTP/${host}@HADOOP.COM"
    },
    {
      "name": "spnegoKeytab",
      "label": "SPNEGO keytab",
      "description": "",
      "configWithKerberos": true,
      "required": false,
      "configType": "map",
      "type": "input",
      "value": "/etc/security/keytab/spnego.service.keytab",
      "configurableInWizard": true,
      "hidden": true,
      "defaultValue": "/etc/security/keytab/spnego.service.keytab"
    },
    {
      "name": "adminPrincipal",
      "label": "Ranger admin principal",
      "description": "",
      "configWithKerberos": true,
      "required": false,
      "configType": "map",
      "type": "input",
      "value": "rangeradmin/${host}@HADOOP.COM",
      "configurableInWizard": true,
      "hidden": true,
      "defaultValue": "rangeradmin/${host}@HADOOP.COM"
    },
    {
      "name": "adminKeytab",
      "label": "Ranger admin keytab",
      "description": "",
      "configWithKerberos": true,
      "required": false,
      "configType": "map",
      "type": "input",
      "value": "/etc/security/keytab/rangeradmin.keytab",
      "configurableInWizard": true,
      "hidden": true,
      "defaultValue": "/etc/security/keytab/rangeradmin.keytab"
    },
    {
      "name": "hadoopHome",
      "label": "HADOOP_HOME",
      "description": "",
      "configWithKerberos": true,
      "required": true,
      "configType": "map",
      "type": "input",
      "value": "${HADOOP_HOME}",
      "configurableInWizard": true,
      "hidden": true,
      "defaultValue": "${HADOOP_HOME}"
    },
    {
      "name": "rangerHome",
      "label": "RANGER_HOME",
      "description": "",
      "required": true,
      "configType": "map",
      "type": "input",
      "value": "${RANGER_HOME}",
      "configurableInWizard": true,
      "hidden": false,
      "defaultValue": "${RANGER_HOME}"
    },
    {
      "name": "syncInterval",
      "label": "SYNC_INTERVAL",
      "description": "usersync interval, in minutes",
      "required": true,
      "configType": "map",
      "type": "input",
      "value": "1",
      "configurableInWizard": true,
      "hidden": false,
      "defaultValue": "1"
    }
  ]
}
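A descriptor this size is edited by hand, and the mistakes that creep in (an includeParams entry with no matching parameter, a runner left out of a role, two generators writing the same file, a password with a baked-in default) only surface when the install fails on a worker. The following is an added example, not part of the original post and not DataSophon code, that checks those properties over a DDL document; the embedded SAMPLE_DDL is a constructed, trimmed-down version of the descriptor above, using DataSophon's camelCase key names (includeParams, defaultValue, startRunner, ...). The checks are my own; DataSophon does not validate a DDL this way itself.

```python
"""Consistency checks for a DataSophon service_ddl.json.

Added example, not part of the original post and not DataSophon code. It looks
for the mistakes that are easy to make when a role is added by hand:
  - includeParams naming a parameter that is not declared under "parameters"
  - a role without a start/stop/status runner, or a runner whose program
    points outside the decompressed package
  - two generators rendering to the same output file
  - password parameters that ship with a baked-in defaultValue
SAMPLE_DDL is a constructed, trimmed-down version of the DDL above.
"""
import copy
import json

SAMPLE_DDL = r'''{
  "name": "RANGER", "label": "Ranger", "version": "2.1.0",
  "packageName": "ranger-2.1.0.tar.gz", "decompressPackageName": "ranger-2.1.0",
  "roles": [
    {"name": "RangerAdmin", "roleType": "master", "cardinality": "1",
     "startRunner":  {"timeout": "60",  "program": "bin/ranger_admin.sh", "args": ["start"]},
     "stopRunner":   {"timeout": "600", "program": "bin/ranger_admin.sh", "args": ["stop"]},
     "statusRunner": {"timeout": "60",  "program": "bin/ranger_admin.sh", "args": ["status"]}},
    {"name": "RangerUserSync", "roleType": "master", "cardinality": "1",
     "runAs": {"user": "root", "group": "root"},
     "startRunner":  {"timeout": "60",  "program": "ranger-2.1.0-usersync/ranger_usersync.sh", "args": ["start"]},
     "stopRunner":   {"timeout": "600", "program": "ranger-2.1.0-usersync/ranger_usersync.sh", "args": ["stop"]},
     "statusRunner": {"timeout": "60",  "program": "ranger-2.1.0-usersync/ranger_usersync.sh", "args": ["status"]}}
  ],
  "configWriter": {"generators": [
    {"filename": "install.properties",  "templateName": "ranger-install.ftl",
     "outputDirectory": "", "includeParams": ["rangerAdminUrl", "rangerPassword"]},
    {"filename": "install.properties1", "templateName": "ranger-usersync-install.ftl",
     "outputDirectory": "ranger-2.1.0-usersync", "includeParams": ["rangerAdminUrl", "syncInterval"]}
  ]},
  "parameters": [
    {"name": "rangerAdminUrl", "required": true, "defaultValue": "${rangerAdminUrl}"},
    {"name": "rangerPassword", "required": true, "defaultValue": "ranger"},
    {"name": "syncInterval",   "required": true, "defaultValue": "1"}
  ]
}'''

REQUIRED_RUNNERS = ("startRunner", "stopRunner", "statusRunner")


def _escapes_package(program):
    """True if a runner program is absolute or climbs out of the package directory."""
    return program.startswith("/") or ".." in program.split("/")


def check_ddl(ddl):
    """Return a list of human-readable problems; an empty list means the DDL passed."""
    problems = []
    declared = {p["name"] for p in ddl.get("parameters", [])}

    for role in ddl.get("roles", []):
        for runner in REQUIRED_RUNNERS:
            spec = role.get(runner)
            if spec is None:
                problems.append(f"role {role['name']}: missing {runner}")
            elif _escapes_package(spec.get("program", "")):
                problems.append(f"role {role['name']}: {runner} program leaves the package: {spec['program']}")

    targets = set()
    for gen in ddl.get("configWriter", {}).get("generators", []):
        target = gen.get("outputDirectory", "") + "/" + gen["filename"]
        if target in targets:
            problems.append(f"generator {target}: written by more than one generator")
        targets.add(target)
        for name in gen.get("includeParams", []):
            if name not in declared:
                problems.append(f"generator {target}: includeParams references undeclared parameter {name}")

    for p in ddl.get("parameters", []):
        if "password" in p["name"].lower() and p.get("defaultValue"):
            problems.append(f"parameter {p['name']}: password parameter ships with a default value")
    return problems


def demo():
    """Check the sample as written, then again after two deliberate mistakes."""
    ddl = json.loads(SAMPLE_DDL)
    clean = check_ddl(ddl)
    broken = copy.deepcopy(ddl)
    # mistake 1: drop the syncInterval parameter but keep referencing it
    broken["parameters"] = [p for p in broken["parameters"] if p["name"] != "syncInterval"]
    # mistake 2: let the usersync generator overwrite the admin install.properties
    broken["configWriter"]["generators"][1].update(filename="install.properties", outputDirectory="")
    return clean, check_ddl(broken)


if __name__ == "__main__":
    for label, found in zip(("as written", "after breaking it"), demo()):
        print(label + ":", *found, sep="\n  ")
```

Run as a script it prints one finding for the sample as written (rangerPassword carries the default "ranger", exactly as the descriptor above does for rangerPassword and rootPassword) and three after the two mistakes are introduced. The duplicate-target check is the reason the usersync template is written as install.properties1: with the same filename and an empty outputDirectory it would land on top of the admin generator's install.properties.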

The template is a worker-side file; on each deployed worker it lives at:

vim /opt/datasophon/datasophon-worker/conf/templates/ranger-usersync-install.ftl

It is Ranger's usersync install.properties turned into a FreeMarker template, with SYNC_SOURCE = unix. Two values are hardcoded in it and deserve attention outside a lab: rangerUsersync_password=admin123 is the credential usersync presents to Ranger Admin and must equal the password of the rangerusersync user there, and AUTH_SSL_KEYSTORE_PASSWORD keeps Ranger's stock default. Both belong in DDL parameters, as syncInterval does, rather than in the template; and because the rendered install.properties contains them (plus SYNC_LDAP_BIND_PASSWORD if you ever switch to ldap), its read permission should be limited to root, as the comment in the file itself asks.

# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# The base path for the usersync process
ranger_base_dir = /etc/ranger

#
# The following URL should be the base URL for connecting to the policy manager web application
# For example:
#
#  POLICY_MGR_URL = http://policymanager.xasecure.net:6080
#
POLICY_MGR_URL = ${rangerAdminUrl}

# sync source,  only unix and ldap are supported at present
# defaults to unix
SYNC_SOURCE = unix

#
# Minimum Unix User-id to start SYNC.
# This should avoid creating UNIX system-level users in the Policy Manager
#
MIN_UNIX_USER_ID_TO_SYNC = 500

# Minimum Unix Group-id to start SYNC.
# This should avoid creating UNIX system-level users in the Policy Manager
#
MIN_UNIX_GROUP_ID_TO_SYNC = 500

# sync interval in minutes
# user, groups would be synced again at the end of each sync interval
# defaults to 5   if SYNC_SOURCE is unix
# defaults to 360 if SYNC_SOURCE is ldap
SYNC_INTERVAL = ${syncInterval}

#User and group for the usersync process
unix_user=ranger
unix_group=ranger

#change password of rangerUsersync user. Please note that this password should be as per rangerUsersync user in ranger
rangerUsersync_password=admin123

#Set to run in kerberos environment
usersync_principal=<#if adminPrincipal??>${adminPrincipal}</#if>
usersync_keytab=<#if adminKeytab??>${adminKeytab}</#if>
hadoop_conf=${hadoopHome}/etc/hadoop/conf
#
# The file where all credential is kept in cryptic format
#
CRED_KEYSTORE_FILENAME=/etc/ranger/usersync/conf/rangerusersync.jceks

# SSL Authentication
AUTH_SSL_ENABLED=false
AUTH_SSL_KEYSTORE_FILE=/etc/ranger/usersync/conf/cert/unixauthservice.jks
AUTH_SSL_KEYSTORE_PASSWORD=UnIx529p
AUTH_SSL_TRUSTSTORE_FILE=
AUTH_SSL_TRUSTSTORE_PASSWORD=

# ---------------------------------------------------------------
# The following properties are relevant only if SYNC_SOURCE = ldap
# ---------------------------------------------------------------

# The below properties ROLE_ASSIGNMENT_LIST_DELIMITER, USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER, USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER,
#and GROUP_BASED_ROLE_ASSIGNMENT_RULES can be used to assign role to LDAP synced users and groups
#NOTE all the delimiters should have different values and the delimiters should not contain characters that are allowed in userName or groupName

# default value ROLE_ASSIGNMENT_LIST_DELIMITER = &
ROLE_ASSIGNMENT_LIST_DELIMITER = &

#default value USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER = :
USERS_GROUPS_ASSIGNMENT_LIST_DELIMITER = :

#default value USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER = ,
USERNAME_GROUPNAME_ASSIGNMENT_LIST_DELIMITER = ,

# with above mentioned delimiters a sample value would be ROLE_SYS_ADMIN:u:userName1,userName2&ROLE_SYS_ADMIN:g:groupName1,groupName2&ROLE_KEY_ADMIN:u:userName&ROLE_KEY_ADMIN:g:groupName&ROLE_USER:u:userName3,userName4&ROLE_USER:g:groupName3
#&ROLE_ADMIN_AUDITOR:u:userName&ROLE_KEY_ADMIN_AUDITOR:u:userName&ROLE_KEY_ADMIN_AUDITOR:g:groupName&ROLE_ADMIN_AUDITOR:g:groupName
GROUP_BASED_ROLE_ASSIGNMENT_RULES =

# URL of source ldap
# a sample value would be:  ldap://ldap.example.com:389
# Must specify a value if SYNC_SOURCE is ldap
SYNC_LDAP_URL =

# ldap bind dn used to connect to ldap and query for users and groups
# a sample value would be cn=admin,ou=users,dc=hadoop,dc=apache,dc=org
# Must specify a value if SYNC_SOURCE is ldap
SYNC_LDAP_BIND_DN =

# ldap bind password for the bind dn specified above
# please ensure read access to this file  is limited to root, to protect the password
# Must specify a value if SYNC_SOURCE is ldap
# unless anonymous search is allowed by the directory on users and group
SYNC_LDAP_BIND_PASSWORD =

# ldap delta sync flag used to periodically sync users and groups based on the updates in the server
# please customize the value to suit your deployment
# default value is set to true when is SYNC_SOURCE is ldap
SYNC_LDAP_DELTASYNC =

# search base for users and groups
# sample value would be dc=hadoop,dc=apache,dc=org
SYNC_LDAP_SEARCH_BASE =

# search base for users
# sample value would be ou=users,dc=hadoop,dc=apache,dc=org
# overrides value specified in SYNC_LDAP_SEARCH_BASE
SYNC_LDAP_USER_SEARCH_BASE =

# search scope for the users, only base, one and sub are supported values
# please customize the value to suit your deployment
# default value: sub
SYNC_LDAP_USER_SEARCH_SCOPE = sub

# objectclass to identify user entries
# please customize the value to suit your deployment
# default value: person
SYNC_LDAP_USER_OBJECT_CLASS = person

# optional additional filter constraining the users selected for syncing
# a sample value would be (dept=eng)
# please customize the value to suit your deployment
# default value is empty
SYNC_LDAP_USER_SEARCH_FILTER =

# attribute from user entry that would be treated as user name
# please customize the value to suit your deployment
# default value: cn
SYNC_LDAP_USER_NAME_ATTRIBUTE = cn

# attribute from user entry whose values would be treated as
# group values to be pushed into Policy Manager database
# You could provide multiple attribute names separated by comma
# default value: memberof, ismemberof
SYNC_LDAP_USER_GROUP_NAME_ATTRIBUTE = memberof,ismemberof
#
# UserSync - Case Conversion Flags
# possible values:  none, lower, upper
SYNC_LDAP_USERNAME_CASE_CONVERSION=lower
SYNC_LDAP_GROUPNAME_CASE_CONVERSION=lower

#user sync log path
logdir=logs
#/var/log/ranger/usersync

# PID DIR PATH
USERSYNC_PID_DIR_PATH=/var/run/ranger

# do we want to do ldapsearch to find groups instead of relying on user entry attributes
# valid values: true, false
# any value other than true would be treated as false
# default value: false
SYNC_GROUP_SEARCH_ENABLED=

# do we want to do ldapsearch to find groups instead of relying on user entry attributes and
# sync memberships of those groups
# valid values: true, false
# any value other than true would be treated as false
# default value: false
SYNC_GROUP_USER_MAP_SYNC_ENABLED=

# search base for groups
# sample value would be ou=groups,dc=hadoop,dc=apache,dc=org
# overrides value specified in SYNC_LDAP_SEARCH_BASE,  SYNC_LDAP_USER_SEARCH_BASE
# if a value is not specified, takes the value of  SYNC_LDAP_SEARCH_BASE
# if  SYNC_LDAP_SEARCH_BASE is also not specified, takes the value of SYNC_LDAP_USER_SEARCH_BASE
SYNC_GROUP_SEARCH_BASE=

# search scope for the groups, only base, one and sub are supported values
# please customize the value to suit your deployment
# default value: sub
SYNC_GROUP_SEARCH_SCOPE=

# objectclass to identify group entries
# please customize the value to suit your deployment
# default value: groupofnames
SYNC_GROUP_OBJECT_CLASS=

# optional additional filter constraining the groups selected for syncing
# a sample value would be (dept=eng)
# please customize the value to suit your deployment
# default value is empty
SYNC_LDAP_GROUP_SEARCH_FILTER=

# attribute from group entry that would be treated as group name
# please customize the value to suit your deployment
# default value: cn
SYNC_GROUP_NAME_ATTRIBUTE=

# attribute from group entry that is list of members
# please customize the value to suit your deployment
# default value: member
SYNC_GROUP_MEMBER_ATTRIBUTE_NAME=

# do we want to use paged results control during ldapsearch for user entries
# valid values: true, false
# any value other than true would be treated as false
# default value: true
# if the value is false, typical AD would not return more than 1000 entries
SYNC_PAGED_RESULTS_ENABLED=

# page size for paged results control
# search results would be returned page by page with the specified number of entries per page
# default value: 500
SYNC_PAGED_RESULTS_SIZE=
#LDAP context referral could be ignore or follow
SYNC_LDAP_REFERRAL = ignore

# if you want to enable or disable jvm metrics for usersync process
# valid values: true, false
# any value other than true would be treated as false
# default value: false
# if the value is false, jvm metrics is not created
JVM_METRICS_ENABLED=

# filename of jvm metrics created for usersync process
# default value: ranger_usersync_metric.json
JVM_METRICS_FILENAME=

#file directory for jvm metrics
# default value : logdir
JVM_METRICS_FILEPATH=

#frequency for jvm metrics to be updated
# default value : 10000 milliseconds
JVM_METRICS_FREQUENCY_TIME_IN_MILLIS=
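The two thresholds MIN_UNIX_USER_ID_TO_SYNC and MIN_UNIX_GROUP_ID_TO_SYNC decide which accounts of the host become Ranger users, and the comment in the file only hints at what they do. The following is an added example, not Ranger's code and not part of the original post: a small model of what usersync computes in unix mode, built from my reading of Ranger's UnixUserGroupBuilder (users below the uid threshold are skipped, groups below the gid threshold are never loaded, each surviving user gets its primary group plus the groups that list it as a member). The passwd and group lines are constructed for the example.

```python
"""A model of what SYNC_SOURCE = unix sends to Ranger Admin.

Added example, not Ranger's code. In unix mode usersync reads /etc/passwd and
/etc/group, skips users below MIN_UNIX_USER_ID_TO_SYNC and groups below
MIN_UNIX_GROUP_ID_TO_SYNC, and reports each remaining user with its primary
group plus the groups that list it as a member. This is my reading of Ranger's
UnixUserGroupBuilder, reduced to the parts that matter for the thresholds; the
passwd/group lines below are constructed, not copied from a real host.
"""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ranger:x:498:498:Ranger service account:/home/ranger:/bin/bash
hive:x:1001:1001::/home/hive:/bin/bash
alice:x:1002:1002::/home/alice:/bin/bash
bob:x:1003:1003::/home/bob:/bin/bash
"""

GROUP = """\
root:x:0:
bin:x:1:
ranger:x:498:
hive:x:1001:
alice:x:1002:
bob:x:1003:
analysts:x:2000:alice,bob
hadoop:x:2001:hive,alice
"""


def parse_passwd(text):
    """name -> (uid, primary gid), ignoring blank and comment lines."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, gid = line.split(":")[:4]
            users[name] = (int(uid), int(gid))
    return users


def parse_group(text):
    """name -> (gid, set of supplementary member names)."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":")
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def unix_sync(passwd_text, group_text, min_uid=500, min_gid=500):
    """Return {user: sorted group names} as usersync would push to Ranger Admin."""
    users = parse_passwd(passwd_text)
    # Only groups at or above the threshold are known to usersync at all, so a
    # low-gid primary group silently disappears from the user's group list.
    groups = {g: v for g, v in parse_group(group_text).items() if v[0] >= min_gid}
    by_gid = {gid: g for g, (gid, _members) in groups.items()}

    synced = {}
    for user, (uid, primary_gid) in users.items():
        if uid < min_uid:
            continue  # system-level account, never created in Ranger
        names = {g for g, (_gid, members) in groups.items() if user in members}
        if primary_gid in by_gid:
            names.add(by_gid[primary_gid])
        synced[user] = sorted(names)
    return synced


if __name__ == "__main__":
    print("MIN_UNIX_*_ID_TO_SYNC = 500 :", unix_sync(PASSWD, GROUP))
    # Lowering the thresholds to 0 pulls root, bin and the service account in too
    print("MIN_UNIX_*_ID_TO_SYNC = 0   :", unix_sync(PASSWD, GROUP, 0, 0))
```

With the template's 500/500 the three human accounts are synced and root, bin and the ranger service account (uid 498) stay out; at 0/0 all six appear in Ranger. Note that on distributions where regular users start at 1000 (UID_MIN in /etc/login.defs on RHEL 7 and later and on Debian), ids 500 to 999 are still service accounts, so 500 will import them; align the thresholds with the host's UID_MIN and GID_MIN. Raising only the gid threshold has a second effect shown by the last assertion: a user keeps being synced but loses the groups that fell below the line, which changes what group-based policies apply to them.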

2.4 Source changes


com.datasophon.worker.strategy.RangerAdminHandlerStrategy

The existing RangerAdmin strategy is reused for the new role. When the command is INSTALL_SERVICE for RangerUserSync it moves the rendered template into place as install.properties, runs Ranger's setup.sh in the usersync directory, flips ranger.usersync.enabled to true in the generated ranger-ugsync-site.xml, and only then starts the role; every other command takes the original path.

/*
 *  Licensed to the Apache Software Foundation (ASF) under one or more
 *  contributor license agreements.  See the NOTICE file distributed with
 *  this work for additional information regarding copyright ownership.
 *  The ASF licenses this file to You under the Apache License, Version 2.0
 *  (the "License"); you may not use this file except in compliance with
 *  the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */

package com.datasophon.worker.strategy;

import cn.hutool.core.io.FileUtil;
import com.datasophon.common.Constants;
import com.datasophon.common.cache.CacheUtils;
import com.datasophon.common.command.ServiceRoleOperateCommand;
import com.datasophon.common.enums.CommandType;
import com.datasophon.common.utils.ExecResult;
import com.datasophon.common.utils.ShellUtils;
import com.datasophon.worker.handler.ServiceHandler;
import com.datasophon.worker.utils.KerberosUtils;

import java.util.ArrayList;

public class RangerAdminHandlerStrategy extends AbstractHandlerStrategy implements ServiceRoleStrategy {

    public RangerAdminHandlerStrategy(String serviceName, String serviceRoleName) {
        super(serviceName, serviceRoleName);
    }

    @Override
    public ExecResult handler(ServiceRoleOperateCommand command) {
        String workPath = Constants.INSTALL_PATH + Constants.SLASH + command.getDecompressPackageName();
        ExecResult startResult = new ExecResult();
        ServiceHandler serviceHandler = new ServiceHandler(command.getServiceName(), command.getServiceRoleName());

        if (command.getEnableKerberos()) {
            logger.info("start to get ranger keytab file");
            String hostname = CacheUtils.getString(Constants.HOSTNAME);
            KerberosUtils.createKeytabDir();
            if (!FileUtil.exist("/etc/security/keytab/spnego.service.keytab")) {
                KerberosUtils.downloadKeytabFromMaster("HTTP/" + hostname, "spnego.service.keytab");
            }
            if (!FileUtil.exist("/etc/security/keytab/rangeradmin.keytab")) {
                KerberosUtils.downloadKeytabFromMaster("rangeradmin/" + hostname, "rangeradmin.keytab");
            }
        }

        // Role name must match the "name" in service_ddl.json and the key in ServiceRoleStrategyContext
        if (command.getCommandType().equals(CommandType.INSTALL_SERVICE)
                && command.getServiceRoleName().equals("RangerUserSync")) {
            String usersyncHome = workPath + "/ranger-2.1.0-usersync";

            // The DDL renders the usersync template as install.properties1 (the admin
            // generator already owns install.properties); rename it into place.
            ShellUtils.exceShell("mv " + usersyncHome + "/install.properties1 " + usersyncHome + "/install.properties");
            // The file carries rangerUsersync_password (and the LDAP bind password if
            // ldap is used). The role runs as root, so root-only access is enough.
            ShellUtils.exceShell("chmod 600 " + usersyncHome + "/install.properties");

            logger.info("setup ranger user sync");
            ArrayList<String> commands = new ArrayList<>();
            commands.add("sh");
            commands.add("./setup.sh");
            ExecResult execResult = ShellUtils.execWithStatus(usersyncHome, commands, 300L, logger);
            if (execResult.getExecResult()) {
                logger.info("setup ranger user sync success");
            } else {
                logger.info("setup ranger user sync failed");
                return execResult;
            }

            // setup.sh writes ranger.usersync.enabled=false; switch the <value> on the
            // line following the <name> element to true so the sync thread actually runs
            ShellUtils.exceShell("sed -i '/<name>ranger\\.usersync\\.enabled<\\/name>/{n;s/<value>false<\\/value>/<value>true<\\/value>/}' "
                    + usersyncHome + "/conf/ranger-ugsync-site.xml");
            startResult = serviceHandler.start(command.getStartRunner(), command.getStatusRunner(),
                    command.getDecompressPackageName(), command.getRunAs());
        } else {
            startResult = serviceHandler.start(command.getStartRunner(), command.getStatusRunner(),
                    command.getDecompressPackageName(), command.getRunAs());
        }

        return startResult;
    }

}

com.datasophon.worker.strategy.ServiceRoleStrategyContext

Register the new role with the same strategy. The map key must be spelled exactly like the role "name" in service_ddl.json and the string compared in the handler above, otherwise the worker falls back to the generic handler and setup.sh never runs:

map.put("RangerUserSync", new RangerAdminHandlerStrategy("RANGER", "RangerUserSync"));

Rebuild datasophon-worker and replace the jar on every worker host (the template from 2.3 goes to every worker as well), then restart the worker:

mv datasophon-worker-1.2.1.jar /opt/datasophon/datasophon-worker/lib/


3. Reinstall


Add the Ranger service.

Assign the master roles (RangerAdmin and RangerUserSync).

Configure the service.

Open "Settings" in the Ranger Admin UI: the users from the Linux host have been synced. If the list stays empty after one sync interval, the usersync log under ranger-2.1.0-usersync/logs/ on the usersync host is the place to look.
