| #!/bin/bash |
| # Licensed to the Apache Software Foundation (ASF) under one or more |
| # contributor license agreements. See the NOTICE file distributed with |
| # this work for additional information regarding copyright ownership. |
| # The ASF licenses this file to You under the Apache License, Version 2.0 |
| # (the "License"); you may not use this file except in compliance with |
| # the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| # ------------------------------------------------------------------------------------- |
| # |
| # Ranger KMS Setup Script |
| # |
| # This script will install policymanager webapplication under tomcat and also, initialize the database with ranger users/tables. |
| |
| PROPFILE=$PWD/install.properties |
| propertyValue='' |
| |
| if [ ! -f ${PROPFILE} ] |
| then |
| echo "$PROPFILE file not found....!!"; |
| exit 1; |
| fi |
| |
| usage() { |
| [ "$*" ] && echo "$0: $*" |
| sed -n '/^##/,/^$/s/^## \{0,1\}//p' "$0" |
| exit 2 |
| } 2>/dev/null |
| |
| log() { |
| local prefix="$(date +%Y-%m-%d\ %H:%M:%S,%3N) " |
| echo "${prefix} $@" >> $LOGFILE |
| echo "${prefix} $@" |
| } |
| #eval `grep -v '^XAAUDIT.' ${PROPFILE} | grep -v '^$' | grep -v '^#'` |
| get_prop(){ |
| validateProperty=$(sed '/^\#/d' $2 | grep "^$1\s*=" | tail -n 1) # for validation |
| if test -z "$validateProperty" ; then log "[E] '$1' not found in $2 file while getting....!!"; exit 1; fi |
| value=$(echo $validateProperty | cut -d "=" -f2-) |
| echo $value |
| } |
| |
| get_prop_or_default() { |
| validateProperty=$(sed '/^\#/d' $2 | grep "^$1\s*=" | tail -n 1) # for validation |
| |
| if test -z "$validateProperty" ; |
| then |
| value=$3 # default value |
| else |
| value=$(echo $validateProperty | cut -d "=" -f2-) |
| fi |
| |
| if [[ $1 == *password* ]] |
| then |
| echo $value |
| else |
| echo $value | tr -d \'\" |
| fi |
| } |
| |
| PYTHON_COMMAND_INVOKER=$(get_prop 'PYTHON_COMMAND_INVOKER' $PROPFILE) |
| DB_FLAVOR=$(get_prop 'DB_FLAVOR' $PROPFILE) |
| SQL_CONNECTOR_JAR=$(get_prop 'SQL_CONNECTOR_JAR' $PROPFILE) |
| db_root_user=$(get_prop 'db_root_user' $PROPFILE) |
| db_root_password=$(get_prop 'db_root_password' $PROPFILE) |
| db_host=$(get_prop 'db_host' $PROPFILE) |
| db_name=$(get_prop 'db_name' $PROPFILE) |
| db_user=$(get_prop 'db_user' $PROPFILE) |
| db_password=$(get_prop 'db_password' $PROPFILE) |
| db_ssl_enabled=$(get_prop 'db_ssl_enabled' $PROPFILE) |
| db_ssl_required=$(get_prop 'db_ssl_required' $PROPFILE) |
| db_ssl_verifyServerCertificate=$(get_prop 'db_ssl_verifyServerCertificate' $PROPFILE) |
| db_ssl_auth_type=$(get_prop 'db_ssl_auth_type' $PROPFILE) |
| db_ssl_certificate_file=$(get_prop 'db_ssl_certificate_file' $PROPFILE) |
| javax_net_ssl_trustStore_type=$(get_prop 'javax_net_ssl_trustStore_type' $PROPFILE) |
| javax_net_ssl_keyStore_type=$(get_prop 'javax_net_ssl_keyStore_type' $PROPFILE) |
| KMS_MASTER_KEY_PASSWD=$(get_prop 'KMS_MASTER_KEY_PASSWD' $PROPFILE) |
| unix_user=$(get_prop 'unix_user' $PROPFILE) |
| unix_user_pwd=$(get_prop 'unix_user_pwd' $PROPFILE) |
| unix_group=$(get_prop 'unix_group' $PROPFILE) |
| POLICY_MGR_URL=$(get_prop 'POLICY_MGR_URL' $PROPFILE) |
| REPOSITORY_NAME=$(get_prop 'REPOSITORY_NAME' $PROPFILE) |
| SSL_KEYSTORE_FILE_PATH=$(get_prop 'SSL_KEYSTORE_FILE_PATH' $PROPFILE) |
| SSL_KEYSTORE_PASSWORD=$(get_prop 'SSL_KEYSTORE_PASSWORD' $PROPFILE) |
| SSL_TRUSTSTORE_FILE_PATH=$(get_prop 'SSL_TRUSTSTORE_FILE_PATH' $PROPFILE) |
| SSL_TRUSTSTORE_PASSWORD=$(get_prop 'SSL_TRUSTSTORE_PASSWORD' $PROPFILE) |
| KMS_DIR=$(eval echo "$(get_prop 'KMS_DIR' $PROPFILE)") |
| app_home=$(eval echo "$(get_prop 'app_home' $PROPFILE)") |
| TMPFILE=$(eval echo "$(get_prop 'TMPFILE' $PROPFILE)") |
| LOGFILE=$(eval echo "$(get_prop 'LOGFILE' $PROPFILE)") |
| JAVA_BIN=$(get_prop 'JAVA_BIN' $PROPFILE) |
| JAVA_VERSION_REQUIRED=$(get_prop 'JAVA_VERSION_REQUIRED' $PROPFILE) |
| JAVA_ORACLE=$(get_prop 'JAVA_ORACLE' $PROPFILE) |
| java_opts=$(get_prop_or_default 'java_opts' $PROPFILE '') |
| mysql_core_file=$(get_prop 'mysql_core_file' $PROPFILE) |
| oracle_core_file=$(get_prop 'oracle_core_file' $PROPFILE) |
| postgres_core_file=$(get_prop 'postgres_core_file' $PROPFILE) |
| sqlserver_core_file=$(get_prop 'sqlserver_core_file' $PROPFILE) |
| sqlanywhere_core_file=$(get_prop 'sqlanywhere_core_file' $PROPFILE) |
| cred_keystore_filename=$(eval echo "$(get_prop 'cred_keystore_filename' $PROPFILE)") |
| KMS_BLACKLIST_DECRYPT_EEK=$(get_prop 'KMS_BLACKLIST_DECRYPT_EEK' $PROPFILE) |
| RANGER_KMS_LOG_DIR=$(eval echo "$(get_prop 'RANGER_KMS_LOG_DIR' $PROPFILE)") |
| RANGER_KMS_PID_DIR_PATH=$(eval echo "$(get_prop 'RANGER_KMS_PID_DIR_PATH' $PROPFILE)") |
| HSM_TYPE=$(get_prop 'HSM_TYPE' $PROPFILE) |
| HSM_ENABLED=$(get_prop 'HSM_ENABLED' $PROPFILE) |
| HSM_PARTITION_NAME=$(get_prop 'HSM_PARTITION_NAME' $PROPFILE) |
| HSM_PARTITION_PASSWORD=$(get_prop 'HSM_PARTITION_PASSWORD' $PROPFILE) |
| |
| KEYSECURE_ENABLED=$(get_prop 'KEYSECURE_ENABLED' $PROPFILE) |
| KEYSECURE_USER_PASSWORD_AUTHENTICATION=$(get_prop 'KEYSECURE_USER_PASSWORD_AUTHENTICATION' $PROPFILE) |
| KEYSECURE_MASTERKEY_NAME=$(get_prop 'KEYSECURE_MASTERKEY_NAME' $PROPFILE) |
| KEYSECURE_USERNAME=$(get_prop 'KEYSECURE_USERNAME' $PROPFILE) |
| KEYSECURE_PASSWORD=$(get_prop 'KEYSECURE_PASSWORD' $PROPFILE) |
| KEYSECURE_HOSTNAME=$(get_prop 'KEYSECURE_HOSTNAME' $PROPFILE) |
| KEYSECURE_MASTER_KEY_SIZE=$(get_prop 'KEYSECURE_MASTER_KEY_SIZE' $PROPFILE) |
| KEYSECURE_LIB_CONFIG_PATH=$(get_prop 'KEYSECURE_LIB_CONFIG_PATH' $PROPFILE) |
| |
| AZURE_KEYVAULT_ENABLED=$(get_prop 'AZURE_KEYVAULT_ENABLED' $PROPFILE) |
| AZURE_KEYVAULT_SSL_ENABLED=$(get_prop 'AZURE_KEYVAULT_SSL_ENABLED' $PROPFILE) |
| AZURE_CLIENT_ID=$(get_prop 'AZURE_CLIENT_ID' $PROPFILE) |
| AZURE_CLIENT_SECRET=$(get_prop 'AZURE_CLIENT_SECRET' $PROPFILE) |
| AZURE_AUTH_KEYVAULT_CERTIFICATE_PATH=$(get_prop 'AZURE_AUTH_KEYVAULT_CERTIFICATE_PATH' $PROPFILE) |
| AZURE_AUTH_KEYVAULT_CERTIFICATE_PASSWORD=$(get_prop 'AZURE_AUTH_KEYVAULT_CERTIFICATE_PASSWORD' $PROPFILE) |
| AZURE_MASTERKEY_NAME=$(get_prop 'AZURE_MASTERKEY_NAME' $PROPFILE) |
| AZURE_MASTER_KEY_TYPE=$(get_prop 'AZURE_MASTER_KEY_TYPE' $PROPFILE) |
| ZONE_KEY_ENCRYPTION_ALGO=$(get_prop 'ZONE_KEY_ENCRYPTION_ALGO' $PROPFILE) |
| AZURE_KEYVAULT_URL=$(get_prop 'AZURE_KEYVAULT_URL' $PROPFILE) |
| |
| AWS_KMS_ENABLED=$(get_prop 'AWS_KMS_ENABLED' $PROPFILE) |
| AWS_KMS_MASTERKEY_ID=$(get_prop 'AWS_KMS_MASTERKEY_ID' $PROPFILE) |
| AWS_CLIENT_ACCESSKEY=$(get_prop 'AWS_CLIENT_ACCESSKEY' $PROPFILE) |
| AWS_CLIENT_SECRETKEY=$(get_prop 'AWS_CLIENT_SECRETKEY' $PROPFILE) |
| AWS_CLIENT_REGION=$(get_prop 'AWS_CLIENT_REGION' $PROPFILE) |
| |
| IS_GCP_ENABLED=$(get_prop 'IS_GCP_ENABLED' $PROPFILE) |
| GCP_KEYRING_ID=$(get_prop 'GCP_KEYRING_ID' $PROPFILE) |
| GCP_CRED_JSON_FILE=$(get_prop 'GCP_CRED_JSON_FILE' $PROPFILE) |
| GCP_PROJECT_ID=$(get_prop 'GCP_PROJECT_ID' $PROPFILE) |
| GCP_LOCATION_ID=$(get_prop 'GCP_LOCATION_ID' $PROPFILE) |
| GCP_MASTER_KEY_NAME=$(get_prop 'GCP_MASTER_KEY_NAME' $PROPFILE) |
| |
| TENCENT_KMS_ENABLED=$(get_prop 'TENCENT_KMS_ENABLED' $PROPFILE) |
| TENCENT_MASTERKEY_ID=$(get_prop 'TENCENT_MASTERKEY_ID' $PROPFILE) |
| TENCENT_CLIENT_ID=$(get_prop 'TENCENT_CLIENT_ID' $PROPFILE) |
| TENCENT_CLIENT_SECRET=$(get_prop 'TENCENT_CLIENT_SECRET' $PROPFILE) |
| TENCENT_CLIENT_REGION=$(get_prop 'TENCENT_CLIENT_REGION' $PROPFILE) |
| |
| kms_principal=$(get_prop 'kms_principal' $PROPFILE) |
| kms_keytab=$(get_prop 'kms_keytab' $PROPFILE) |
| hadoop_conf=$(get_prop 'hadoop_conf' $PROPFILE) |
| |
| DB_HOST="${db_host}" |
| |
| ranger_kms_http_enabled=$(get_prop 'ranger_kms_http_enabled' $PROPFILE) |
| ranger_kms_https_keystore_file=$(get_prop 'ranger_kms_https_keystore_file' $PROPFILE) |
| ranger_kms_https_keystore_keyalias=$(get_prop 'ranger_kms_https_keystore_keyalias' $PROPFILE) |
| ranger_kms_https_keystore_password=$(get_prop 'ranger_kms_https_keystore_password' $PROPFILE) |
| |
| javax_net_ssl_keyStore=$(get_prop 'javax_net_ssl_keyStore' $PROPFILE) |
| javax_net_ssl_keyStorePassword=$(get_prop 'javax_net_ssl_keyStorePassword' $PROPFILE) |
| javax_net_ssl_trustStore=$(get_prop 'javax_net_ssl_trustStore' $PROPFILE) |
| javax_net_ssl_trustStorePassword=$(get_prop 'javax_net_ssl_trustStorePassword' $PROPFILE) |
| |
| check_ret_status(){ |
| if [ $1 -ne 0 ]; then |
| log "[E] $2"; |
| exit 1; |
| fi |
| } |
| |
| check_ret_status_for_groupadd(){ |
| # 9 is the response if the group exists |
| if [ $1 -ne 0 ] && [ $1 -ne 9 ]; then |
| log "[E] $2"; |
| exit 1; |
| fi |
| } |
| |
| is_command () { |
| log "[I] check if command $1 exists" |
| type "$1" >/dev/null |
| } |
| |
| get_distro(){ |
| log "[I] Checking distribution name.." |
| ver=$(cat /etc/*{issues,release,version} 2> /dev/null) |
| if [[ $(echo $ver | grep DISTRIB_ID) ]]; then |
| DIST_NAME=$(lsb_release -si) |
| else |
| DIST_NAME=$(echo $ver | cut -d ' ' -f 1 | sort -u | head -1) |
| fi |
| export $DIST_NAME |
| log "[I] Found distribution : $DIST_NAME" |
| |
| } |
| #Get Properties from File without erroring out if property is not there |
| #$1 -> propertyName $2 -> fileName $3 -> variableName $4 -> failIfNotFound |
| getPropertyFromFileNoExit(){ |
| validateProperty=$(sed '/^\#/d' $2 | grep "^$1\s*=" | tail -n 1) # for validation |
| if test -z "$validateProperty" ; then |
| log "[E] '$1' not found in $2 file while getting....!!"; |
| if [ $4 == "true" ] ; then |
| exit 1; |
| else |
| value="" |
| fi |
| else |
| value=$(echo $validateProperty | cut -d "=" -f2-) |
| fi |
| eval $3="'$value'" |
| } |
| #Get Properties from File |
| #$1 -> propertyName $2 -> fileName $3 -> variableName |
| getPropertyFromFile(){ |
| validateProperty=$(sed '/^\#/d' $2 | grep "^$1\s*=" | tail -n 1) # for validation |
| if test -z "$validateProperty" ; then log "[E] '$1' not found in $2 file while getting....!!"; exit 1; fi |
| value=$(echo $validateProperty | cut -d "=" -f2-) |
| eval $3="'$value'" |
| } |
| |
| #Update Properties to File |
| #$1 -> propertyName $2 -> newPropertyValue $3 -> fileName |
| updatePropertyToFile(){ |
| sed -i 's@^'$1'=[^ ]*$@'$1'='$2'@g' $3 |
| #validate=`sed -i 's/^'$1'=[^ ]*$/'$1'='$2'/g' $3` #for validation |
| validate=$(sed '/^\#/d' $3 | grep "^$1" | tail -n 1 | cut -d "=" -f2-) # for validation |
| #echo 'V1:'$validate |
| if test -z "$validate" ; then log "[E] '$1' not found in $3 file while Updating....!!"; exit 1; fi |
| log "[I] File $3 Updated successfully : {'$1'}" |
| } |
| |
| #Update Properties to File |
| #$1 -> propertyName $2 -> newPropertyValue $3 -> fileName |
| updatePropertyToFilePy(){ |
| $PYTHON_COMMAND_INVOKER update_property.py $1 $2 $3 |
| check_ret_status $? "Update property failed for: {'$1'}" |
| } |
| |
| check_user_pwd(){ |
| if [ -z "$1" ]; then |
| log "[E] The unix user password is empty. Please set user password."; |
| exit 1; |
| fi |
| } |
| |
| password_validation(){ |
| if [ -z "$1" ] |
| then |
| log "[I] Blank password is not allowed for" $2". Please enter valid password." |
| exit 1 |
| else |
| if [[ $1 =~ [\"\'\`\\\] ]] |
| then |
| log "[E]" $2 "password contains one of the unsupported special characters:\" ' \` \\" |
| exit 1 |
| else |
| log "[I]" $2 "password validated." |
| fi |
| fi |
| } |
| |
| init_variables(){ |
| curDt=`date '+%Y%m%d%H%M%S'` |
| |
| if [ -f ${PWD}/version ] |
| then |
| VERSION=`cat ${PWD}/version` |
| else |
| VERSION="0.5.0" |
| fi |
| |
| KMS_DIR=$PWD |
| |
| RANGER_KMS=ranger-kms |
| |
| INSTALL_DIR=${KMS_DIR} |
| |
| WEBAPP_ROOT=${INSTALL_DIR}/ews/webapp |
| |
| DB_FLAVOR=`echo $DB_FLAVOR | tr '[:lower:]' '[:upper:]'` |
| if [ "${DB_FLAVOR}" == "" ] |
| then |
| DB_FLAVOR="MYSQL" |
| fi |
| log "[I] DB_FLAVOR=${DB_FLAVOR}" |
| ########## HSM Config ########## |
| |
| propertyName=ranger.ks.hsm.enabled |
| HSM_ENABLED=`echo $HSM_ENABLED | tr '[:lower:]' '[:upper:]'` |
| password_validation "$KMS_MASTER_KEY_PASSWD" "KMS Master key" |
| |
| db_ssl_enabled=`echo $db_ssl_enabled | tr '[:upper:]' '[:lower:]'` |
| if [ "${db_ssl_enabled}" != "true" ] |
| then |
| db_ssl_enabled="false" |
| db_ssl_required="false" |
| db_ssl_verifyServerCertificate="false" |
| db_ssl_auth_type="2-way" |
| db_ssl_certificate_file='' |
| javax_net_ssl_trustStore_type='jks' |
| javax_net_ssl_keyStore_type='jks' |
| fi |
| if [ "${db_ssl_enabled}" == "true" ] |
| then |
| db_ssl_required=`echo $db_ssl_required | tr '[:upper:]' '[:lower:]'` |
| db_ssl_verifyServerCertificate=`echo $db_ssl_verifyServerCertificate | tr '[:upper:]' '[:lower:]'` |
| db_ssl_auth_type=`echo $db_ssl_auth_type | tr '[:upper:]' '[:lower:]'` |
| javax_net_ssl_trustStore_type=`echo $javax_net_ssl_trustStore_type | tr '[:upper:]' '[:lower:]'` |
| javax_net_ssl_keyStore_type=`echo $javax_net_ssl_keyStore_type | tr '[:upper:]' '[:lower:]'` |
| if [ "${db_ssl_required}" != "true" ] |
| then |
| db_ssl_required="false" |
| fi |
| if [ "${db_ssl_verifyServerCertificate}" != "true" ] |
| then |
| db_ssl_verifyServerCertificate="false" |
| fi |
| if [ "${db_ssl_auth_type}" != "1-way" ] |
| then |
| db_ssl_auth_type="2-way" |
| fi |
| if [ "${javax_net_ssl_trustStore_type}" == "" ] |
| then |
| javax_net_ssl_trustStore_type="jks" |
| fi |
| if [ "${javax_net_ssl_keyStore_type}" == "" ] |
| then |
| javax_net_ssl_keyStore_type="jks" |
| fi |
| fi |
| } |
| |
| |
| check_python_command() { |
| if is_command ${PYTHON_COMMAND_INVOKER} ; then |
| log "[I] '${PYTHON_COMMAND_INVOKER}' command found" |
| else |
| log "[E] '${PYTHON_COMMAND_INVOKER}' command not found" |
| exit 1; |
| fi |
| } |
| |
| run_dba_steps(){ |
| getPropertyFromFileNoExit 'setup_mode' $PROPFILE setup_mode false |
| if [ "x${setup_mode}x" == "xSeparateDBAx" ]; then |
| log "[I] Setup mode is set to SeparateDBA. Not Running DBA steps. Please run dba_script.py before running setup..!"; |
| else |
| log "[I] Setup mode is not set. Running DBA steps.."; |
| $PYTHON_COMMAND_INVOKER dba_script.py -q |
| fi |
| } |
| check_db_connector() { |
| log "[I] Checking ${DB_FLAVOR} CONNECTOR FILE : ${SQL_CONNECTOR_JAR}" |
| if test -f "$SQL_CONNECTOR_JAR"; then |
| log "[I] ${DB_FLAVOR} CONNECTOR FILE : $SQL_CONNECTOR_JAR file found" |
| else |
| log "[E] ${DB_FLAVOR} CONNECTOR FILE : $SQL_CONNECTOR_JAR does not exists" ; exit 1; |
| fi |
| } |
| check_java_version() { |
| #Check for JAVA_HOME |
| if [ "${JAVA_HOME}" == "" ] |
| then |
| log "[E] JAVA_HOME environment property not defined, aborting installation." |
| exit 1 |
| fi |
| |
| export JAVA_BIN=${JAVA_HOME}/bin/java |
| |
| if is_command ${JAVA_BIN} ; then |
| log "[I] '${JAVA_BIN}' command found" |
| else |
| log "[E] '${JAVA_BIN}' command not found" |
| exit 1; |
| fi |
| |
| version=$("$JAVA_BIN" -version 2>&1 | awk -F '"' '/version/ {print $2}') |
| major=`echo ${version} | cut -d. -f1` |
| minor=`echo ${version} | cut -d. -f2` |
| current_java_version="$major.$minor" |
| num_current_java_version=`echo $current_java_version|awk ' { printf("%3.2f\n", $0); } '` |
| JAVA_VERSION_REQUIRED=`echo $JAVA_VERSION_REQUIRED | awk '{gsub(/ /,"")}1'` |
| JAVA_VERSION_REQUIRED=`echo $JAVA_VERSION_REQUIRED | awk '{gsub(/'"'"'/,"")}1'` |
| num_required_java_version=`echo $JAVA_VERSION_REQUIRED|awk ' { printf("%3.2f\n", $0); } '` |
| if [ `echo "$num_current_java_version < $num_required_java_version" | bc` -eq 1 ];then |
| log "[E] The java version must be greater than or equal to $JAVA_VERSION_REQUIRED, the current java version is $version" |
| exit 1; |
| fi |
| if [[ ${JAVA_OPTS} == "" ]] ;then export JAVA_OPTS="${java_opts}" ;fi |
| } |
| |
| sanity_check_files() { |
| |
| if test -d $app_home; then |
| log "[I] $app_home folder found" |
| else |
| log "[E] $app_home does not exists" ; exit 1; |
| fi |
| if [ "${DB_FLAVOR}" == "MYSQL" ] |
| then |
| if test -f $mysql_core_file; then |
| log "[I] $mysql_core_file file found" |
| else |
| log "[E] $mysql_core_file does not exists" ; exit 1; |
| fi |
| fi |
| if [ "${DB_FLAVOR}" == "ORACLE" ] |
| then |
| if test -f ${oracle_core_file}; then |
| log "[I] ${oracle_core_file} file found" |
| else |
| log "[E] ${oracle_core_file} does not exists" ; exit 1; |
| fi |
| fi |
| if [ "${DB_FLAVOR}" == "POSTGRES" ] |
| then |
| if test -f ${postgres_core_file}; then |
| log "[I] ${postgres_core_file} file found" |
| else |
| log "[E] ${postgres_core_file} does not exists" ; exit 1; |
| fi |
| fi |
| if [ "${DB_FLAVOR}" == "MSSQL" ] |
| then |
| if test -f ${sqlserver_core_file}; then |
| log "[I] ${sqlserver_core_file} file found" |
| else |
| log "[E] ${sqlserver_core_file} does not exists" ; exit 1; |
| fi |
| fi |
| if [ "${DB_FLAVOR}" == "SQLA" ] |
| then |
| if [ "${LD_LIBRARY_PATH}" == "" ] |
| then |
| log "[E] LD_LIBRARY_PATH environment property not defined, aborting installation." |
| exit 1 |
| fi |
| if test -f ${sqlanywhere_core_file}; then |
| log "[I] ${sqlanywhere_core_file} file found" |
| else |
| log "[E] ${sqlanywhere_core_file} does not exists" ; exit 1; |
| fi |
| fi |
| } |
| |
| create_rollback_point() { |
| DATE=`date` |
| BAK_FILE=$APP-$VERSION.$DATE.bak |
| log "Creating backup file : $BAK_FILE" |
| cp "$APP" "$BAK_FILE" |
| } |
| |
| |
| copy_db_connector(){ |
| libfolder=$PWD/ews/lib |
| if [ ! -d ${libfolder} ] |
| then |
| log "Creating ${libfolder}" |
| mkdir -p ${libfolder} |
| fi |
| fn=`basename ${SQL_CONNECTOR_JAR}` |
| if [ ! -f ${libfolder}/${fn} ] |
| then |
| log "[I] Copying ${DB_FLAVOR} Connector to ${libfolder} "; |
| cp -f $SQL_CONNECTOR_JAR ${libfolder} |
| check_ret_status $? "Copying ${DB_FLAVOR} Connector to ${libfolder} failed" |
| log "[I] Copying ${DB_FLAVOR} Connector to ${libfolder} DONE"; |
| else |
| log "[I] Using already existing DB connector: ${libfolder}/${fn} "; |
| fi |
| } |
| |
| checkIfEmpty() { |
| if [ -z "$1" ] |
| then |
| log "[I] - Please provide valid value for '$2', Found : '$1'"; |
| exit 1 |
| else |
| log "[I] - '$2' validated"; |
| fi |
| } |
| |
| update_properties() { |
| newPropertyValue='' |
| echo "export JAVA_HOME=${JAVA_HOME}" > ${WEBAPP_ROOT}/WEB-INF/classes/conf/java_home.sh |
| chmod a+rx ${WEBAPP_ROOT}/WEB-INF/classes/conf/java_home.sh |
| |
| |
| to_file=$PWD/ews/webapp/WEB-INF/classes/conf/dbks-site.xml |
| if test -f $to_file; then |
| log "[I] $to_file file found" |
| else |
| log "[E] $to_file does not exists" ; exit 1; |
| fi |
| |
| if [ "${db_ssl_enabled}" != "" ] |
| then |
| propertyName=ranger.ks.db.ssl.enabled |
| newPropertyValue="${db_ssl_enabled}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.ks.db.ssl.required |
| newPropertyValue="${db_ssl_required}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.ks.db.ssl.verifyServerCertificate |
| newPropertyValue="${db_ssl_verifyServerCertificate}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.ks.db.ssl.auth.type |
| newPropertyValue="${db_ssl_auth_type}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| if [ "${db_ssl_certificate_file}" != "" ] |
| then |
| propertyName=ranger.ks.db.ssl.certificateFile |
| newPropertyValue="${db_ssl_certificate_file}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| fi |
| |
| propertyName=ranger.truststore.file.type |
| newPropertyValue="${javax_net_ssl_trustStore_type}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.keystore.file.type |
| newPropertyValue="${javax_net_ssl_keyStore_type}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| fi |
| |
| if [ "${DB_FLAVOR}" == "MYSQL" ] |
| then |
| propertyName=ranger.ks.jpa.jdbc.url |
| newPropertyValue="jdbc:log4jdbc:mysql://${DB_HOST}/${db_name}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.ks.jpa.jdbc.dialect |
| newPropertyValue="org.eclipse.persistence.platform.database.MySQLPlatform" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.ks.jpa.jdbc.driver |
| newPropertyValue="net.sf.log4jdbc.DriverSpy" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| fi |
| if [ "${DB_FLAVOR}" == "ORACLE" ] |
| then |
| propertyName=ranger.ks.jpa.jdbc.url |
| count=$(grep -o ":" <<< "$DB_HOST" | wc -l) |
| #if [[ ${count} -eq 2 ]] ; then |
| if [ ${count} -eq 2 ] || [ ${count} -eq 0 ]; then |
| #jdbc:oracle:thin:@[HOST][:PORT]:SID or #jdbc:oracle:thin:@GL |
| newPropertyValue="jdbc:oracle:thin:@${DB_HOST}" |
| else |
| #jdbc:oracle:thin:@//[HOST][:PORT]/SERVICE |
| newPropertyValue="jdbc:oracle:thin:@//${DB_HOST}" |
| fi |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.ks.jpa.jdbc.dialect |
| newPropertyValue="org.eclipse.persistence.platform.database.OraclePlatform" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.ks.jpa.jdbc.driver |
| newPropertyValue="oracle.jdbc.OracleDriver" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| fi |
| if [ "${DB_FLAVOR}" == "POSTGRES" ] |
| then |
| if [ "${db_ssl_enabled}" == "true" ] |
| then |
| if test -f $db_ssl_certificate_file; then |
| propertyName=ranger.ks.jpa.jdbc.url |
| newPropertyValue="jdbc:postgresql://${DB_HOST}/${db_name}?ssl=true&sslmode=verify-full&sslrootcert=${db_ssl_certificate_file}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| else |
| propertyName=ranger.ks.jpa.jdbc.url |
| newPropertyValue="jdbc:postgresql://${DB_HOST}/${db_name}?ssl=true&sslmode=verify-full&sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| fi |
| else |
| propertyName=ranger.ks.jpa.jdbc.url |
| newPropertyValue="jdbc:postgresql://${DB_HOST}/${db_name}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| fi |
| |
| propertyName=ranger.ks.jpa.jdbc.dialect |
| newPropertyValue="org.eclipse.persistence.platform.database.PostgreSQLPlatform" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.ks.jpa.jdbc.driver |
| newPropertyValue="org.postgresql.Driver" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| fi |
| if [ "${DB_FLAVOR}" == "MSSQL" ] |
| then |
| propertyName=ranger.ks.jpa.jdbc.url |
| newPropertyValue="jdbc:sqlserver://${DB_HOST};databaseName=${db_name}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.ks.jpa.jdbc.dialect |
| newPropertyValue="org.eclipse.persistence.platform.database.SQLServerPlatform" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.ks.jpa.jdbc.driver |
| newPropertyValue="com.microsoft.sqlserver.jdbc.SQLServerDriver" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| fi |
| if [ "${DB_FLAVOR}" == "SQLA" ] |
| then |
| propertyName=ranger.ks.jpa.jdbc.url |
| newPropertyValue="jdbc:sqlanywhere:database=${db_name};host=${DB_HOST}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.ks.jpa.jdbc.dialect |
| newPropertyValue="org.eclipse.persistence.platform.database.SQLAnywherePlatform" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.ks.jpa.jdbc.driver |
| newPropertyValue="sap.jdbc4.sqlanywhere.IDriver" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| fi |
| propertyName=ranger.ks.jpa.jdbc.user |
| newPropertyValue="${db_user}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| keystore="${cred_keystore_filename}" |
| |
| echo "Starting configuration for XA DB credentials:" |
| |
| MK_CREDENTIAL_ATTR="ranger.db.encrypt.key.password" |
| DB_CREDENTIAL_ATTR="ranger.ks.jpa.jdbc.password" |
| |
| MK_CREDENTIAL_ALIAS="ranger.ks.masterkey.password" |
| DB_CREDENTIAL_ALIAS="ranger.ks.jpa.jdbc.credential.alias" |
| |
| HSM_PARTITION_PASSWD="ranger.ks.hsm.partition.password" |
| HSM_PARTITION_PASSWORD_ALIAS="ranger.kms.hsm.partition.password" |
| |
| KEYSECURE_PASSWD="ranger.kms.keysecure.login.password" |
| KEYSECURE_PASSWORD_ALIAS="ranger.ks.login.password" |
| |
| AZURE_CLIENT_SEC="ranger.kms.azure.client.secret" |
| AZURE_CLIENT_SECRET_ALIAS="ranger.ks.azure.client.secret" |
| |
| AWS_CLIENT_SEC="ranger.kms.aws.client.secretkey" |
| AWS_CLIENT_SECRET_ALIAS="ranger.ks.aws.client.secretkey" |
| |
| TENCENT_CLIENT_SEC="ranger.kms.tencent.client.secret" |
| TENCENT_CLIENT_SECRET_ALIAS="ranger.ks.tencent.client.secret" |
| |
| |
| HSM_ENABLED=`echo $HSM_ENABLED | tr '[:lower:]' '[:upper:]'` |
| KEYSECURE_ENABLED=`echo $KEYSECURE_ENABLED | tr '[:lower:]' '[:upper:]'` |
| AZURE_KEYVAULT_ENABLED=`echo $AZURE_KEYVAULT_ENABLED | tr '[:lower:]' '[:upper:]'` |
| AWS_KMS_ENABLED=`echo $AWS_KMS_ENABLED | tr '[:lower:]' '[:upper:]'` |
| IS_GCP_ENABLED=`echo $IS_GCP_ENABLED | tr '[:lower:]' '[:upper:]'` |
| TENCENT_KMS_ENABLED=`echo $TENCENT_KMS_ENABLED | tr '[:lower:]' '[:upper:]'` |
| |
| if [ "${keystore}" != "" ] |
| then |
| mkdir -p `dirname "${keystore}"` |
| |
| $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "${DB_CREDENTIAL_ALIAS}" -v "${db_password}" -c 1 |
| $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "${MK_CREDENTIAL_ALIAS}" -v "${KMS_MASTER_KEY_PASSWD}" -c 1 |
| #$JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "${DB_CREDENTIAL_ALIAS}" -value "$db_password" -provider jceks://file$keystore |
| #$JAVA_HOME/bin/java -cp "cred/lib/*" org.apache.ranger.credentialapi.buildks create "${MK_CREDENTIAL_ALIAS}" -value "${KMS_MASTER_KEY_PASSWD}" -provider jceks://file$keystore |
| |
| if [ "${HSM_ENABLED}" == "TRUE" ] |
| then |
| password_validation "$HSM_PARTITION_PASSWORD" "HSM Partition Password" |
| |
| $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "${HSM_PARTITION_PASSWORD_ALIAS}" -v "${HSM_PARTITION_PASSWORD}" -c 1 |
| |
| propertyName=ranger.ks.hsm.partition.password.alias |
| newPropertyValue="${HSM_PARTITION_PASSWORD_ALIAS}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.ks.hsm.partition.password |
| newPropertyValue="_" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| fi |
| |
| if [ "${KEYSECURE_ENABLED}" == "TRUE" ] |
| then |
| checkIfEmpty "$KEYSECURE_PASSWORD" "KEYSECURE User Password" |
| $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "${KEYSECURE_PASSWORD_ALIAS}" -v "${KEYSECURE_PASSWORD}" -c 1 |
| |
| propertyName=ranger.kms.keysecure.login.password.alias |
| newPropertyValue="${KEYSECURE_PASSWORD_ALIAS}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.kms.keysecure.login.password |
| newPropertyValue="_" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| fi |
| |
| if [ "${AZURE_KEYVAULT_ENABLED}" == "TRUE" ] |
| then |
| checkIfEmpty "$AZURE_CLIENT_SECRET" "Azure Client Secret" |
| $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "${AZURE_CLIENT_SECRET_ALIAS}" -v "${AZURE_CLIENT_SECRET}" -c 1 |
| |
| propertyName=ranger.kms.azure.client.secret.alias |
| newPropertyValue="${AZURE_CLIENT_SECRET_ALIAS}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.kms.azure.client.secret |
| newPropertyValue="_" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| fi |
| |
| # if $AWS_CLIENT_ACCESSKEY is set, then $AWS_CLIENT_SECRETKEY must be set |
| if [ "$AWS_KMS_ENABLED" == "TRUE" -a -n "$AWS_CLIENT_ACCESSKEY" ] |
| then |
| checkIfEmpty "$AWS_CLIENT_SECRETKEY" "AWS Client SecretKey" |
| $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "${AWS_CLIENT_SECRET_ALIAS}" -v "${AWS_CLIENT_SECRETKEY}" -c 1 |
| |
| propertyName=ranger.kms.aws.client.secretkey.alias |
| newPropertyValue="${AWS_CLIENT_SECRET_ALIAS}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.kms.aws.client.secretkey |
| newPropertyValue="_" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| fi |
| |
| if [ "$TENCENT_KMS_ENABLED" == "TRUE" ] |
| then |
| checkIfEmpty "$TENCENT_CLIENT_SECRET" "Tencent Client Secret" |
| $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "${TENCENT_CLIENT_SECRET_ALIAS}" -v "${TENCENT_CLIENT_SECRET}" -c 1 |
| |
| propertyName=ranger.kms.tencent.client.secret.alias |
| newPropertyValue="${TENCENT_CLIENT_SECRET_ALIAS}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.kms.tencent.client.secret |
| newPropertyValue="_" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| fi |
| |
| propertyName=ranger.ks.jpa.jdbc.credential.alias |
| newPropertyValue="${DB_CREDENTIAL_ALIAS}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.ks.jpa.jdbc.credential.provider.path |
| newPropertyValue="${keystore}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.ks.jpa.jdbc.password |
| newPropertyValue="_" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.ks.masterkey.credential.alias |
| newPropertyValue="${MK_CREDENTIAL_ALIAS}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.db.encrypt.key.password |
| newPropertyValue="_" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| else |
| propertyName="${DB_CREDENTIAL_ATTR}" |
| newPropertyValue="${db_password}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName="${MK_CREDENTIAL_ATTR}" |
| newPropertyValue="${KMS_MASTER_KEY_PASSWD}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName="${HSM_PARTITION_PASSWD}" |
| newPropertyValue="${HSM_PARTITION_PASSWORD}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName="${KEYSECURE_PASSWD}" |
| newPropertyValue="${KEYSECURE_PASSWORD}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName="${AZURE_CLIENT_SEC}" |
| newPropertyValue="${AZURE_CLIENT_SECRET}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName="${AWS_CLIENT_SEC}" |
| newPropertyValue="${AWS_CLIENT_SECRETKEY}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName="${TENCENT_CLIENT_SEC}" |
| newPropertyValue="${TENCENT_CLIENT_SECRET}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| fi |
| |
| if test -f $keystore; then |
| #echo "$keystore found." |
| chown -R ${unix_user}:${unix_group} ${keystore} |
| chmod 640 ${keystore} |
| else |
| #echo "$keystore not found. so clear text password" |
| |
| propertyName="${DB_CREDENTIAL_ATTR}" |
| newPropertyValue="${db_password}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName="${MK_CREDENTIAL_ATTR}" |
| newPropertyValue="${KMS_MASTER_KEY_PASSWD}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName="${HSM_PARTITION_PASSWD}" |
| newPropertyValue="${HSM_PARTITION_PASSWORD}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| fi |
| |
| propertyName=hadoop.kms.blacklist.DECRYPT_EEK |
| newPropertyValue="${KMS_BLACKLIST_DECRYPT_EEK}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| ########### KERBEROS CONFIG ############ |
| |
| if [ "${kms_principal}" != "" ] |
| then |
| propertyName=ranger.ks.kerberos.principal |
| newPropertyValue="${kms_principal}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| fi |
| |
| if [ "${kms_keytab}" != "" ] |
| then |
| propertyName=ranger.ks.kerberos.keytab |
| newPropertyValue="${kms_keytab}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| fi |
| |
| ########### HSM CONFIG ################# |
| |
| |
| if [ "${HSM_ENABLED}" != "TRUE" ] |
| then |
| propertyName=ranger.ks.hsm.enabled |
| newPropertyValue="false" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| else |
| propertyName=ranger.ks.hsm.enabled |
| newPropertyValue="true" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.ks.hsm.type |
| newPropertyValue="${HSM_TYPE}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.ks.hsm.partition.name |
| newPropertyValue="${HSM_PARTITION_NAME}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| fi |
| |
| ########### SAFENET KEYSECURE CONFIG ################# |
| |
| |
| if [ "${KEYSECURE_ENABLED}" != "TRUE" ] |
| then |
| propertyName=ranger.kms.keysecure.enabled |
| newPropertyValue="false" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| else |
| propertyName=ranger.kms.keysecure.enabled |
| newPropertyValue="true" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.kms.keysecure.UserPassword.Authentication |
| newPropertyValue="${KEYSECURE_USER_PASSWORD_AUTHENTICATION}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.kms.keysecure.masterkey.name |
| newPropertyValue="${KEYSECURE_MASTERKEY_NAME}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.kms.keysecure.login.username |
| newPropertyValue="${KEYSECURE_USERNAME}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.kms.keysecure.hostname |
| newPropertyValue="${KEYSECURE_HOSTNAME}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.kms.keysecure.masterkey.size |
| newPropertyValue="${KEYSECURE_MASTER_KEY_SIZE}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.kms.keysecure.sunpkcs11.cfg.filepath |
| newPropertyValue="${KEYSECURE_LIB_CONFIG_PATH}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| fi |
| |
| ########### AZURE KEY VAULT ################# |
| |
| |
| if [ "${AZURE_KEYVAULT_ENABLED}" != "TRUE" ] |
| then |
| propertyName=ranger.kms.azurekeyvault.enabled |
| newPropertyValue="false" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| else |
| propertyName=ranger.kms.azurekeyvault.enabled |
| newPropertyValue="true" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.kms.azure.keyvault.ssl.enabled |
| newPropertyValue="${AZURE_KEYVAULT_SSL_ENABLED}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.kms.azure.client.id |
| newPropertyValue="${AZURE_CLIENT_ID}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.kms.azure.keyvault.certificate.path |
| newPropertyValue="${AZURE_AUTH_KEYVAULT_CERTIFICATE_PATH}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.kms.azure.keyvault.certificate.password |
| newPropertyValue="${AZURE_AUTH_KEYVAULT_CERTIFICATE_PASSWORD}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| |
| propertyName=ranger.kms.azure.masterkey.name |
| newPropertyValue="${AZURE_MASTERKEY_NAME}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.kms.azure.masterkey.type |
| newPropertyValue="${AZURE_MASTER_KEY_TYPE}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.kms.azure.zonekey.encryption.algorithm |
| newPropertyValue="${ZONE_KEY_ENCRYPTION_ALGO}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.kms.azurekeyvault.url |
| newPropertyValue="${AZURE_KEYVAULT_URL}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| fi |
| |
| ########### AWS KEY VAULT ################# |
| |
| |
| if [ "${AWS_KMS_ENABLED}" != "TRUE" ] |
| then |
| propertyName=ranger.kms.awskms.enabled |
| newPropertyValue="false" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| else |
| propertyName=ranger.kms.awskms.enabled |
| newPropertyValue="true" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.kms.awskms.masterkey.id |
| newPropertyValue="${AWS_KMS_MASTERKEY_ID}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.kms.aws.client.accesskey |
| newPropertyValue="${AWS_CLIENT_ACCESSKEY}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.kms.aws.client.region |
| newPropertyValue="${AWS_CLIENT_REGION}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| fi |
| |
| ########### RANGER GCP ################# |
| if [ "${IS_GCP_ENABLED}" != "TRUE" ] |
| then |
| propertyName=ranger.kms.gcp.enabled |
| newPropertyValue="false" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| else |
| propertyName=ranger.kms.gcp.enabled |
| newPropertyValue="true" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.kms.gcp.keyring.id |
| newPropertyValue="${GCP_KEYRING_ID}" |
| checkIfEmpty "$newPropertyValue" "GCP_KEYRING_ID" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.kms.gcp.cred.file |
| newPropertyValue="${GCP_CRED_JSON_FILE}" |
| if [ "${newPropertyValue: -5}" != ".json" ] |
| then |
| echo "Error - GCP Credential file must be in a json format, Provided file : ${newPropertyValue}"; |
| exit 1 |
| fi |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.kms.gcp.project.id |
| newPropertyValue="${GCP_PROJECT_ID}" |
| checkIfEmpty "$newPropertyValue" "GCP_PROJECT_ID" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.kms.gcp.location.id |
| newPropertyValue="${GCP_LOCATION_ID}" |
| checkIfEmpty "$newPropertyValue" "GCP_LOCATION_ID" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.kms.gcp.masterkey.name |
| newPropertyValue="${GCP_MASTER_KEY_NAME}" |
| checkIfEmpty "$newPropertyValue" "GCP_MASTER_KEY_NAME" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| fi |
| |
| ########### TENCENT KEY VAULT ################# |
| |
| |
| if [ "${TENCENT_KMS_ENABLED}" != "TRUE" ] |
| then |
| propertyName=ranger.kms.tencentkms.enabled |
| newPropertyValue="false" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| else |
| propertyName=ranger.kms.tencentkms.enabled |
| newPropertyValue="true" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.kms.tencent.client.id |
| newPropertyValue="${TENCENT_CLIENT_ID}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.kms.tencent.client.region |
| newPropertyValue="${TENCENT_CLIENT_REGION}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| propertyName=ranger.kms.tencent.masterkey.id |
| newPropertyValue="${TENCENT_MASTERKEY_ID}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file |
| |
| fi |
| |
| to_file_kms_site=$PWD/ews/webapp/WEB-INF/classes/conf/ranger-kms-site.xml |
| if test -f $to_file_kms_site; then |
| log "[I] $to_file_kms_site file found" |
| else |
| log "[E] $to_file_kms_site does not exists" ; exit 1; |
| fi |
| |
| propertyName=ranger.service.http.enabled |
| newPropertyValue="${ranger_kms_http_enabled}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file_kms_site |
| if [ "${ranger_kms_http_enabled}" == "false" ] |
| then |
| if [ "${ranger_kms_https_keystore_keyalias}" == "" ] |
| then |
| ranger_kms_https_keystore_keyalias=rangerkms |
| fi |
| if [ "${ranger_kms_https_keystore_file}" != "" ] && [ "${ranger_kms_https_keystore_password}" != "" ] |
| then |
| propertyName=ranger.service.https.attrib.ssl.enabled |
| newPropertyValue="true" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file_kms_site |
| |
| propertyName=ranger.service.https.attrib.client.auth |
| newPropertyValue="want" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file_kms_site |
| |
| propertyName=ranger.service.https.attrib.keystore.file |
| newPropertyValue="${ranger_kms_https_keystore_file}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file_kms_site |
| |
| propertyName=ranger.service.https.attrib.keystore.keyalias |
| newPropertyValue="${ranger_kms_https_keystore_keyalias}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file_kms_site |
| |
| policymgr_https_keystore_credential_alias=keyStoreCredentialAlias |
| propertyName=ranger.service.https.attrib.keystore.credential.alias |
| newPropertyValue="${policymgr_https_keystore_credential_alias}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file_kms_site |
| |
| propertyName=ranger.credential.provider.path |
| newPropertyValue="${keystore}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file_kms_site |
| |
| if [ "${keystore}" != "" ] |
| then |
| propertyName=ranger.service.https.attrib.keystore.pass |
| newPropertyValue="_" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file_kms_site |
| $PYTHON_COMMAND_INVOKER ranger_credential_helper.py -l "cred/lib/*" -f "$keystore" -k "$policymgr_https_keystore_credential_alias" -v "$ranger_kms_https_keystore_password" -c 1 |
| else |
| propertyName=ranger.service.https.attrib.keystore.pass |
| newPropertyValue="${ranger_kms_https_keystore_password}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file_kms_site |
| fi |
| if test -f $keystore; then |
| chown -R ${unix_user}:${unix_group} ${keystore} |
| chmod 640 ${keystore} |
| else |
| propertyName=ranger.service.https.attrib.keystore.pass |
| newPropertyValue="${ranger_kms_https_keystore_password}" |
| updatePropertyToFilePy $propertyName $newPropertyValue $to_file_kms_site |
| fi |
| fi |
| fi |
| } |
| |
| #===================================================================== |
| |
| setup_unix_user_group(){ |
| log "[I] Setting up UNIX user : ${unix_user} and group: ${unix_group}"; |
| #create group if it does not exist |
| egrep "^$unix_group" /etc/group >& /dev/null |
| if [ $? -ne 0 ] |
| then |
| groupadd ${unix_group} |
| check_ret_status_for_groupadd $? "Creating group ${unix_group} failed" |
| fi |
| |
| #create user if it does not exists |
| id -u ${unix_user} > /dev/null 2>&1 |
| if [ $? -ne 0 ] |
| then |
| check_user_pwd ${unix_user_pwd} |
| log "[I] Creating new user and adding to group"; |
| useradd ${unix_user} -g ${unix_group} -m |
| check_ret_status $? "useradd ${unix_user} failed" |
| |
| passwdtmpfile=passwd.tmp |
| if [ -f "$passwdtmpfile" ]; then |
| rm -rf ${passwdtmpfile} |
| fi |
| cat> ${passwdtmpfile} << EOF |
| ${unix_user}:${unix_user_pwd} |
| EOF |
| chpasswd < ${passwdtmpfile} |
| rm -rf ${passwdtmpfile} |
| else |
| useringroup=`id ${unix_user}` |
| useringrouparr=(${useringroup// / }) |
| if [[ ${useringrouparr[1]} =~ "(${unix_group})" ]] |
| then |
| log "[I] the ${unix_user} user already exists and belongs to group ${unix_group}" |
| else |
| log "[I] User already exists, adding it to group ${unix_group}" |
| usermod -g ${unix_group} ${unix_user} |
| fi |
| fi |
| |
| log "[I] Setting up UNIX user : ${unix_user} and group: ${unix_group} DONE"; |
| } |
| |
| setup_install_files(){ |
| |
| log "[I] Setting up installation files and directory"; |
| |
| if [ ! -d ${WEBAPP_ROOT}/WEB-INF/classes/conf ]; then |
| log "[I] Copying ${WEBAPP_ROOT}/WEB-INF/classes/conf.dist ${WEBAPP_ROOT}/WEB-INF/classes/conf" |
| mkdir -p ${WEBAPP_ROOT}/WEB-INF/classes/conf |
| cp ${WEBAPP_ROOT}/WEB-INF/classes/conf.dist/* ${WEBAPP_ROOT}/WEB-INF/classes/conf |
| fi |
| if [ -d ${WEBAPP_ROOT}/WEB-INF/classes/conf ]; then |
| chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/conf |
| chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/conf/ |
| fi |
| |
| if [ ! -d ${WEBAPP_ROOT}/WEB-INF/classes/lib ]; then |
| log "[I] Creating ${WEBAPP_ROOT}/WEB-INF/classes/lib" |
| mkdir -p ${WEBAPP_ROOT}/WEB-INF/classes/lib |
| fi |
| if [ -d ${WEBAPP_ROOT}/WEB-INF/classes/lib ]; then |
| chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/lib |
| fi |
| |
| echo "export RANGER_HADOOP_CONF_DIR=${hadoop_conf}" > ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-kms-env-hadoopconfdir.sh |
| chmod a+rx ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-kms-env-hadoopconfdir.sh |
| |
| hadoop_conf_file=${hadoop_conf}/core-site.xml |
| ranger_hadoop_conf_file=${WEBAPP_ROOT}/WEB-INF/classes/conf/core-site.xml |
| |
| if [ -d ${WEBAPP_ROOT}/WEB-INF/classes/conf ]; then |
| chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/conf |
| if [ "${hadoop_conf}" == "" ] |
| then |
| log "[WARN] Property hadoop_conf not found. Creating blank core-site.xml." |
| echo "<configuration></configuration>" > ${WEBAPP_ROOT}/WEB-INF/classes/conf/core-site.xml |
| else |
| if [ -f ${hadoop_conf_file} ]; then |
| ln -sf ${hadoop_conf_file} ${WEBAPP_ROOT}/WEB-INF/classes/conf/core-site.xml |
| else |
| log "[WARN] core-site.xml file not found in provided hadoop_conf path. Creating blank core-site.xml" |
| echo "<configuration></configuration>" > ${WEBAPP_ROOT}/WEB-INF/classes/conf/core-site.xml |
| fi |
| fi |
| fi |
| |
| if [ -d /etc/init.d ]; then |
| log "[I] Setting up init.d" |
| cp ${INSTALL_DIR}/${RANGER_KMS}-initd /etc/init.d/${RANGER_KMS} |
| chmod ug+rx /etc/init.d/${RANGER_KMS} |
| |
| if [ -d /etc/rc2.d ] |
| then |
| RC_DIR=/etc/rc2.d |
| log "[I] Creating script S88${RANGER_KMS}/K90${RANGER_KMS} in $RC_DIR directory .... " |
| rm -f $RC_DIR/S88${RANGER_KMS} $RC_DIR/K90${RANGER_KMS} |
| ln -s /etc/init.d/${RANGER_KMS} $RC_DIR/S88${RANGER_KMS} |
| ln -s /etc/init.d/${RANGER_KMS} $RC_DIR/K90${RANGER_KMS} |
| fi |
| |
| if [ -d /etc/rc3.d ] |
| then |
| RC_DIR=/etc/rc3.d |
| log "[I] Creating script S88${RANGER_KMS}/K90${RANGER_KMS} in $RC_DIR directory .... " |
| rm -f $RC_DIR/S88${RANGER_KMS} $RC_DIR/K90${RANGER_KMS} |
| ln -s /etc/init.d/${RANGER_KMS} $RC_DIR/S88${RANGER_KMS} |
| ln -s /etc/init.d/${RANGER_KMS} $RC_DIR/K90${RANGER_KMS} |
| fi |
| |
| # SUSE has rc2.d and rc3.d under /etc/rc.d |
| if [ -d /etc/rc.d/rc2.d ] |
| then |
| RC_DIR=/etc/rc.d/rc2.d |
| log "[I] Creating script S88${RANGER_KMS}/K90${RANGER_KMS} in $RC_DIR directory .... " |
| rm -f $RC_DIR/S88${RANGER_KMS} $RC_DIR/K90${RANGER_KMS} |
| ln -s /etc/init.d/${RANGER_KMS} $RC_DIR/S88${RANGER_KMS} |
| ln -s /etc/init.d/${RANGER_KMS} $RC_DIR/K90${RANGER_KMS} |
| fi |
| if [ -d /etc/rc.d/rc3.d ] |
| then |
| RC_DIR=/etc/rc.d/rc3.d |
| log "[I] Creating script S88${RANGER_KMS}/K90${RANGER_KMS} in $RC_DIR directory .... " |
| rm -f $RC_DIR/S88${RANGER_KMS} $RC_DIR/K90${RANGER_KMS} |
| ln -s /etc/init.d/${RANGER_KMS} $RC_DIR/S88${RANGER_KMS} |
| ln -s /etc/init.d/${RANGER_KMS} $RC_DIR/K90${RANGER_KMS} |
| fi |
| fi |
| if [ -f /etc/init.d/${RANGER_KMS} ]; then |
| if [ "${unix_user}" != "" ]; then |
| sed 's/^LINUX_USER=.*$/LINUX_USER='${unix_user}'/g' -i /etc/init.d/${RANGER_KMS} |
| fi |
| fi |
| |
| if [ -z "${RANGER_KMS_LOG_DIR}" ] || [ ${RANGER_KMS_LOG_DIR} == ${KMS_DIR} ]; then |
| RANGER_KMS_LOG_DIR=${KMS_DIR}/ews/logs; |
| fi |
| if [ ! -d ${RANGER_KMS_LOG_DIR} ]; then |
| log "[I] ${RANGER_KMS_LOG_DIR} Ranger KMS Log folder" |
| mkdir -p ${RANGER_KMS_LOG_DIR} |
| fi |
| if [ -d ${RANGER_KMS_LOG_DIR} ]; then |
| chown -R ${unix_user} ${RANGER_KMS_LOG_DIR} |
| fi |
| echo "export RANGER_KMS_LOG_DIR=${RANGER_KMS_LOG_DIR}" > ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-kms-env-logdir.sh |
| chmod a+rx ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-kms-env-logdir.sh |
| |
| if [ -z "${RANGER_KMS_PID_DIR_PATH}" ] |
| then |
| RANGER_KMS_PID_DIR_PATH=/var/run/ranger_kms |
| fi |
| if [ ! -d ${RANGER_KMS_PID_DIR_PATH} ]; then |
| log "[I] Creating KMS PID folder: ${RANGER_KMS_PID_DIR_PATH}" |
| mkdir -p ${RANGER_KMS_PID_DIR_PATH} |
| if [ ! $? = "0" ];then |
| log "Make $RANGER_KMS_PID_DIR_PATH failure....!!"; |
| exit 1; |
| fi |
| fi |
| |
| chown -R ${unix_user} ${RANGER_KMS_PID_DIR_PATH} |
| |
| echo "export RANGER_KMS_PID_DIR_PATH=${RANGER_KMS_PID_DIR_PATH}" > ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-kms-env-piddir.sh |
| echo "export KMS_USER=${unix_user}" >> ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-kms-env-piddir.sh |
| chmod a+rx ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-kms-env-piddir.sh |
| |
| if [ "${db_ssl_verifyServerCertificate}" == "true" ] |
| then |
| if [ "${db_ssl_auth_type}" == "1-way" ] |
| then |
| DB_SSL_PARAM="' -Djavax.net.ssl.trustStore=${javax_net_ssl_trustStore} -Djavax.net.ssl.trustStorePassword=${javax_net_ssl_trustStorePassword} -Djavax.net.ssl.trustStoreType=${javax_net_ssl_trustStore_type} '" |
| else |
| DB_SSL_PARAM="' -Djavax.net.ssl.keyStore=${javax_net_ssl_keyStore} -Djavax.net.ssl.keyStorePassword=${javax_net_ssl_keyStorePassword} -Djavax.net.ssl.keyStoreType={javax_net_ssl_keyStore_type} -Djavax.net.ssl.trustStore=${javax_net_ssl_trustStore} -Djavax.net.ssl.trustStorePassword=${javax_net_ssl_trustStorePassword} -Djavax.net.ssl.trustStoreType=${javax_net_ssl_trustStore_type} '" |
| fi |
| echo "export DB_SSL_PARAM=${DB_SSL_PARAM}" > ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-kms-env-dbsslparam.sh |
| chmod a+rx ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-kms-env-dbsslparam.sh |
| else |
| if [ -f ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-kms-env-dbsslparam.sh ]; then |
| DB_SSL_PARAM="" |
| echo "export DB_SSL_PARAM=${DB_SSL_PARAM}" > ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-kms-env-dbsslparam.sh |
| chmod a+rx ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-kms-env-dbsslparam.sh |
| fi |
| fi |
| log "[I] Setting up installation files and directory DONE"; |
| |
| if [ ! -f ${INSTALL_DIR}/rpm ]; then |
| if [ -d ${INSTALL_DIR} ] |
| then |
| chown -R ${unix_user}:${unix_group} ${INSTALL_DIR} |
| chown -R ${unix_user}:${unix_group} ${INSTALL_DIR}/* |
| fi |
| fi |
| |
| # Copy ranger-kms-services to /usr/bin |
| if [ ! \( -e /usr/bin/ranger-kms \) ] |
| then |
| ln -sf ${INSTALL_DIR}/ranger-kms /usr/bin/ranger-kms |
| chmod ug+rx /usr/bin/ranger-kms |
| fi |
| |
| if [ ! \( -e /usr/bin/ranger-kms-services.sh \) ] |
| then |
| ln -sf ${INSTALL_DIR}/ranger-kms /usr/bin/ranger-kms-services.sh |
| chmod ug+rx /usr/bin/ranger-kms-services.sh |
| fi |
| |
| if [ ! \( -e ${INSTALL_DIR}/ranger-kms-services.sh \) ] |
| then |
| ln -sf ${INSTALL_DIR}/ranger-kms-initd ${INSTALL_DIR}/ranger-kms-services.sh |
| chmod ug+rx ${INSTALL_DIR}/ranger-kms-services.sh |
| fi |
| if [ ! -d /var/log/ranger/kms ]; then |
| mkdir -p /var/log/ranger/kms |
| if [ -d ews/logs ]; then |
| cp -r ews/logs/* /var/log/ranger/kms |
| fi |
| fi |
| if [ -d /var/log/ranger/kms ]; then |
| chmod 755 /var/log/ranger/kms |
| chown -R $unix_user:$unix_group /var/log/ranger/kms |
| fi |
| } |
| |
| log " --------- Running Ranger KMS Application Install Script --------- " |
| log "[I] uname=`uname`" |
| log "[I] hostname=`hostname`" |
| init_variables |
| get_distro |
| check_java_version |
| check_db_connector |
| setup_unix_user_group |
| setup_install_files |
| sanity_check_files |
| copy_db_connector |
| check_python_command |
| run_dba_steps |
| if [ "$?" == "0" ] |
| then |
| $PYTHON_COMMAND_INVOKER db_setup.py |
| else |
| exit 1 |
| fi |
| if [ "$?" == "0" ] |
| then |
| update_properties |
| $PYTHON_COMMAND_INVOKER db_setup.py -javapatch |
| else |
| log "[E] DB schema setup failed! Please contact Administrator." |
| exit 1 |
| fi |
| |
| ./enable-kms-plugin.sh |
| if [ "$?" != "0" ] |
| then |
| exit 1 |
| fi |
| echo "Installation of Ranger KMS is completed." |