Google Git
Sign in
apache / ranger / refs/heads/ranger-1.0 / . / security-admin / scripts / restrict_permissions.py
blob: 1ce54a563ed9408a0264daa130e41cdd12180a57 [file] [log] [blame]
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License. See accompanying LICENSE file.
#
import os
import re
import sys
import errno
import shlex
import logging
import subprocess
import platform
import fileinput
import getpass
from os.path import basename
from subprocess import Popen,PIPE
from datetime import date
from datetime import datetime
globalDict = {}
os_name = platform.system()
os_name = os_name.upper()
def check_output(query):
if os_name == "LINUX":
p = subprocess.Popen(shlex.split(query), stdout=subprocess.PIPE)
elif os_name == "WINDOWS":
p = subprocess.Popen(query, stdout=subprocess.PIPE, shell=True)
output = p.communicate ()[0]
return output
def log(msg,type):
if type == 'info':
logging.info(" %s",msg)
if type == 'debug':
logging.debug(" %s",msg)
if type == 'warning':
logging.warning(" %s",msg)
if type == 'exception':
logging.exception(" %s",msg)
if type == 'error':
logging.error(" %s",msg)
def populate_global_dict():
global globalDict
read_config_file = open(os.path.join(os.getcwd(),'install.properties'))
for each_line in read_config_file.read().split('\n') :
each_line = each_line.strip();
if len(each_line) == 0:
continue
elif each_line[0] == "#":
continue
if re.search('=', each_line):
key , value = each_line.split("=",1)
key = key.strip()
if 'PASSWORD' in key:
jceks_file_path = os.path.join(os.getenv('RANGER_HOME'), 'jceks','ranger_db.jceks')
statuscode,value = call_keystore(library_path,key,'',jceks_file_path,'get')
if statuscode == 1:
value = ''
value = value.strip()
globalDict[key] = value
def logFile(msg):
if globalDict["dryMode"]==True:
logFileName=globalDict["dryModeOutputFile"]
if logFileName !="":
if os.path.isfile(logFileName):
if os.access(logFileName, os.W_OK):
with open(logFileName, "a") as f:
f.write(msg+"\n")
f.close()
else:
print("Unable to open file "+logFileName+" in write mode, Check file permissions.")
sys.exit()
else:
print(logFileName+" is Invalid input file name! Provide valid file path to write DBA scripts:")
sys.exit()
else:
print("Invalid input! Provide file path to write DBA scripts:")
sys.exit()
class BaseDB(object):
def check_connection(self, db_name, db_user, db_password):
log("[I] ---------- Verifying DB connection ----------", "info")
def auditdb_operation(self, xa_db_host, audit_db_host, db_name, audit_db_name, xa_db_root_user, audit_db_root_user, db_user, audit_db_user, xa_db_root_password, audit_db_root_password, db_password, audit_db_password, DBA_MODE, dryMode):
log("[I] ---------- set audit user permissions ----------", "info")
class MysqlConf(BaseDB):
def __init__(self, host,SQL_CONNECTOR_JAR,JAVA_BIN):
self.host = host
self.SQL_CONNECTOR_JAR = SQL_CONNECTOR_JAR
self.JAVA_BIN = JAVA_BIN
def get_jisql_cmd(self, user, password ,db_name):
path = os.getcwd()
if os_name == "LINUX":
jisql_cmd = "%s -cp %s:jisql/lib/* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u %s -p %s -noheader -trim -c \;" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, self.host, db_name, user, password)
elif os_name == "WINDOWS":
self.JAVA_BIN = self.JAVA_BIN.strip("'")
jisql_cmd = "%s -cp %s;%s\jisql\\lib\\* org.apache.util.sql.Jisql -driver mysqlconj -cstring jdbc:mysql://%s/%s -u %s -p %s -noheader -trim" %(self.JAVA_BIN, self.SQL_CONNECTOR_JAR, path, self.host, db_name, user, password)
return jisql_cmd
def verify_user(self, root_user, db_root_password, host, db_user, get_cmd,dryMode):
if dryMode == False:
log("[I] Verifying user " + db_user+ " for Host "+ host, "info")
if os_name == "LINUX":
query = get_cmd + " -query \"select user from mysql.user where user='%s' and host='%s';\"" %(db_user,host)
elif os_name == "WINDOWS":
query = get_cmd + " -query \"select user from mysql.user where user='%s' and host='%s';\" -c ;" %(db_user,host)
output = check_output(query)
if output.strip(db_user + " |"):
return True
else:
return False
def check_connection(self, db_name, db_user, db_password):
#log("[I] Checking connection..", "info")
get_cmd = self.get_jisql_cmd(db_user, db_password, db_name)
if os_name == "LINUX":
query = get_cmd + " -query \"SELECT version();\""
elif os_name == "WINDOWS":
query = get_cmd + " -query \"SELECT version();\" -c ;"
output = check_output(query)
if output.strip('Production |'):
#log("[I] Checking connection passed.", "info")
return True
else:
log("[E] Can't establish db connection.. Exiting.." ,"error")
sys.exit(1)
def verify_db(self, root_user, db_root_password, db_name,dryMode):
if dryMode == False:
log("[I] Verifying database " + db_name , "info")
get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'mysql')
if os_name == "LINUX":
query = get_cmd + " -query \"show databases like '%s';\"" %(db_name)
elif os_name == "WINDOWS":
query = get_cmd + " -query \"show databases like '%s';\" -c ;" %(db_name)
output = check_output(query)
if output.strip(db_name + " |"):
return True
else:
return False
def revoke_permissions(self, root_user, db_name, db_user, db_password, db_root_password, is_revoke,dryMode):
hosts_arr =["%", "localhost"]
if is_revoke:
for host in hosts_arr:
if dryMode == False:
log("[I] Revoking *.* privileges of user '"+db_user+"'@'"+host+"'" , "info")
get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'mysql')
if os_name == "LINUX":
query = get_cmd + " -query \"REVOKE ALL PRIVILEGES,GRANT OPTION FROM '%s'@'%s';\"" %(db_user, host)
ret = subprocess.call(shlex.split(query))
elif os_name == "WINDOWS":
query = get_cmd + " -query \"REVOKE ALL PRIVILEGES,GRANT OPTION FROM '%s'@'%s';\" -c ;" %(db_user, host)
ret = subprocess.call(query)
if ret == 0:
if os_name == "LINUX":
query = get_cmd + " -query \"FLUSH PRIVILEGES;\""
ret = subprocess.call(shlex.split(query))
elif os_name == "WINDOWS":
query = get_cmd + " -query \"FLUSH PRIVILEGES;\" -c ;"
ret = subprocess.call(query)
if ret != 0:
sys.exit(1)
else:
sys.exit(1)
else:
logFile("REVOKE ALL PRIVILEGES,GRANT OPTION FROM '%s'@'%s';" %(db_user, host))
logFile("FLUSH PRIVILEGES;")
def grant_xa_db_user(self, root_user, db_name, db_user, db_password, db_root_password, is_revoke,dryMode):
hosts_arr =["%", "localhost"]
for host in hosts_arr:
if dryMode == False:
log("[I] Granting all privileges to user '"+db_user+"'@'"+host+"' on db '"+db_name+"'" , "info")
get_cmd = self.get_jisql_cmd(root_user, db_root_password, 'mysql')
if os_name == "LINUX":
query = get_cmd + " -query \"grant all privileges on %s.* to '%s'@'%s' with grant option;\"" %(db_name,db_user, host)
ret = subprocess.call(shlex.split(query))
elif os_name == "WINDOWS":
query = get_cmd + " -query \"grant all privileges on %s.* to '%s'@'%s' with grant option;\" -c ;" %(db_name,db_user, host)
ret = subprocess.call(query)
if ret == 0:
log("[I] FLUSH PRIVILEGES.." , "info")
if os_name == "LINUX":
query = get_cmd + " -query \"FLUSH PRIVILEGES;\""
ret = subprocess.call(shlex.split(query))
elif os_name == "WINDOWS":
query = get_cmd + " -query \"FLUSH PRIVILEGES;\" -c ;"
ret = subprocess.call(query)
if ret == 0:
log("[I] Privileges granted to '" + db_user + "'@'"+host+"' on '"+db_name+"'", "info")
else:
log("[E] Granting privileges to '" +db_user+ "'@'"+host+"' failed on '"+db_name+"'", "error")
sys.exit(1)
else:
log("[E] Granting privileges to '" +db_user+ "'@'"+host+"' failed on '"+db_name+"'", "error")
sys.exit(1)
else:
logFile("grant all privileges on %s.* to '%s'@'%s' with grant option;" %(db_name,db_user, host))
logFile("FLUSH PRIVILEGES;")
def grant_audit_db_user(self, db_user, audit_db_name, audit_db_user, audit_db_password, db_password,TABLE_NAME,dryMode):
hosts_arr =["%", "localhost"]
for host in hosts_arr:
if dryMode == False:
log("[I] Granting insert privileges to '"+ audit_db_user + "'@'"+host+"' on table '"+ audit_db_name+"."+TABLE_NAME+"'" , "info")
get_cmd = self.get_jisql_cmd(db_user, db_password, audit_db_name)
if os_name == "LINUX":
query = get_cmd + " -query \"GRANT INSERT ON %s.%s to '%s'@'%s';\"" %(audit_db_name,TABLE_NAME,audit_db_user,host)
ret = subprocess.call(shlex.split(query))
if os_name == "WINDOWS":
query = get_cmd + " -query \"GRANT INSERT ON %s.%s to '%s'@'%s';\"" %(audit_db_name,TABLE_NAME,audit_db_user,host)
ret = subprocess.call(query)
if ret == 0:
log("[I] Insert Privileges granted to '" + audit_db_user+ "'@'"+host+"' on table '"+ audit_db_name+"."+TABLE_NAME+"'", "info")
else:
log("[E] Granting insert privileges to '" +audit_db_user+ "'@'"+host+"' failed on table '"+ audit_db_name+"."+TABLE_NAME+"'", "error")
sys.exit(1)
else:
logFile("GRANT INSERT ON %s.%s to '%s'@'%s';" %(audit_db_name,TABLE_NAME,audit_db_user,host))
logFile("FLUSH PRIVILEGES;")
def auditdb_operation(self, xa_db_host, audit_db_host, db_name, audit_db_name, xa_db_root_user, audit_db_root_user, db_user, audit_db_user, xa_db_root_password, audit_db_root_password, db_password, audit_db_password, DBA_MODE,dryMode):
is_revoke=True
if db_user != audit_db_user:
if dryMode == False:
log("[I] ---------- Revoking permissions from Ranger Audit db user ----------","info")
self.revoke_permissions(audit_db_root_user, audit_db_name, audit_db_user, audit_db_password, audit_db_root_password, is_revoke,dryMode)
if dryMode == False:
log("[I] ---------- Granting permissions to Ranger Admin db user on Audit DB ----------","info")
self.grant_xa_db_user(audit_db_root_user, audit_db_name, db_user, db_password, audit_db_root_password, is_revoke,dryMode)
self.grant_audit_db_user(db_user, audit_db_name, audit_db_user, audit_db_password, db_password,'xa_access_audit',dryMode)
def main(argv):
FORMAT = '%(asctime)-15s %(message)s'
logging.basicConfig(format=FORMAT, level=logging.DEBUG)
DBA_MODE = 'TRUE'
quiteMode = False
dryMode=False
is_revoke=True
if len(argv) > 1:
for i in range(len(argv)):
if str(argv[i]) == "-q":
quiteMode = True
populate_global_dict()
if str(argv[i]) == "-d":
index=i+1
try:
dba_sql_file=str(argv[index])
if dba_sql_file == "":
log("[E] Invalid input! Provide file path to write Grant/Revoke sql scripts:","error")
sys.exit(1)
except IndexError:
log("[E] Invalid input! Provide file path to write Grant/Revoke sql scripts:","error")
sys.exit(1)
if not dba_sql_file == "":
if not os.path.exists(dba_sql_file):
log("[I] Creating File:"+dba_sql_file,"info")
open(dba_sql_file, 'w').close()
else:
log("[I] File "+dba_sql_file+ " is available.","info")
if os.path.isfile(dba_sql_file):
dryMode=True
globalDict["dryMode"]=True
globalDict["dryModeOutputFile"]=dba_sql_file
else:
log("[E] Invalid file Name! Unable to find file:"+dba_sql_file,"error")
sys.exit(1)
log("[I] Running Grant/Revoke sql script. QuiteMode:" + str(quiteMode),"info")
if (quiteMode):
JAVA_BIN=globalDict['JAVA_BIN']
else:
if os.environ['JAVA_HOME'] == "":
log("[E] ---------- JAVA_HOME environment property not defined, aborting installation. ----------", "error")
sys.exit(1)
JAVA_BIN=os.path.join(os.environ['JAVA_HOME'],'bin','java')
if os_name == "WINDOWS" :
JAVA_BIN = JAVA_BIN+'.exe'
if os.path.isfile(JAVA_BIN):
pass
else :
while os.path.isfile(JAVA_BIN) == False:
log("Enter java executable path: :","info")
JAVA_BIN=raw_input()
log("[I] Using Java:" + str(JAVA_BIN),"info")
if (quiteMode):
XA_DB_FLAVOR=globalDict['DB_FLAVOR']
AUDIT_DB_FLAVOR=globalDict['DB_FLAVOR']
else:
XA_DB_FLAVOR=''
while XA_DB_FLAVOR == "":
log("Enter db flavour{MYSQL} :","info")
XA_DB_FLAVOR=raw_input()
AUDIT_DB_FLAVOR = XA_DB_FLAVOR
XA_DB_FLAVOR = XA_DB_FLAVOR.upper()
AUDIT_DB_FLAVOR = AUDIT_DB_FLAVOR.upper()
log("[I] DB FLAVOR:" + str(XA_DB_FLAVOR),"info")
if (quiteMode):
CONNECTOR_JAR=globalDict['SQL_CONNECTOR_JAR']
else:
if XA_DB_FLAVOR == "MYSQL":
log("Enter JDBC connector file for :"+XA_DB_FLAVOR,"info")
CONNECTOR_JAR=raw_input()
while os.path.isfile(CONNECTOR_JAR) == False:
log("JDBC connector file "+CONNECTOR_JAR+" does not exist, Please enter connector path :","error")
CONNECTOR_JAR=raw_input()
else:
log("[E] ---------- NO SUCH SUPPORTED DB FLAVOUR.. ----------", "error")
sys.exit(1)
if (quiteMode):
xa_db_host = globalDict['db_host']
audit_db_host = globalDict['db_host']
else:
xa_db_host=''
while xa_db_host == "":
log("Enter DB Host :","info")
xa_db_host=raw_input()
audit_db_host=xa_db_host
log("[I] DB Host:" + str(xa_db_host),"info")
if (quiteMode):
xa_db_root_user = globalDict['db_root_user']
xa_db_root_password = globalDict['db_root_password']
else:
xa_db_root_user=''
while xa_db_root_user == "":
log("Enter db root user:","info")
xa_db_root_user=raw_input()
log("Enter db root password:","info")
xa_db_root_password = getpass.getpass("Enter db root password:")
if (quiteMode):
db_name = globalDict['db_name']
else:
db_name = ''
while db_name == "":
log("Enter DB Name :","info")
db_name=raw_input()
if (quiteMode):
db_user = globalDict['db_user']
else:
db_user=''
while db_user == "":
log("Enter db user name:","info")
db_user=raw_input()
if (quiteMode):
db_password = globalDict['db_password']
else:
db_password=''
while db_password == "":
log("Enter db user password:","info")
db_password = getpass.getpass("Enter db user password:")
if (quiteMode):
audit_db_name = globalDict['audit_db_name']
else:
audit_db_name=''
while audit_db_name == "":
log("Enter audit db name:","info")
audit_db_name = raw_input()
if (quiteMode):
audit_db_user = globalDict['audit_db_user']
else:
audit_db_user=''
while audit_db_user == "":
log("Enter audit user name:","info")
audit_db_user = raw_input()
if (quiteMode):
audit_db_password = globalDict['audit_db_password']
else:
audit_db_password=''
while audit_db_password == "":
log("Enter audit db user password:","info")
audit_db_password = getpass.getpass("Enter audit db user password:")
audit_db_root_user = xa_db_root_user
audit_db_root_password = xa_db_root_password
mysql_dbversion_catalog = os.path.join('db','mysql','create_dbversion_catalog.sql')
mysql_core_file = os.path.join('db','mysql','xa_core_db.sql')
mysql_audit_file = os.path.join('db','mysql','xa_audit_db.sql')
mysql_patches = os.path.join('db','mysql','patches')
x_db_version = 'x_db_version_h'
xa_access_audit = 'xa_access_audit'
x_user = 'x_portal_user'
if XA_DB_FLAVOR == "MYSQL":
MYSQL_CONNECTOR_JAR=CONNECTOR_JAR
xa_sqlObj = MysqlConf(xa_db_host, MYSQL_CONNECTOR_JAR, JAVA_BIN)
xa_db_version_file = os.path.join(os.getcwd(),mysql_dbversion_catalog)
xa_db_core_file = os.path.join(os.getcwd(),mysql_core_file)
xa_patch_file = os.path.join(os.getcwd(),mysql_patches)
else:
log("[E] ---------- NO SUCH SUPPORTED DB FLAVOUR.. ----------", "error")
sys.exit(1)
if AUDIT_DB_FLAVOR == "MYSQL":
MYSQL_CONNECTOR_JAR=CONNECTOR_JAR
audit_sqlObj = MysqlConf(audit_db_host,MYSQL_CONNECTOR_JAR,JAVA_BIN)
audit_db_file = os.path.join(os.getcwd(),mysql_audit_file)
else:
log("[E] ---------- NO SUCH SUPPORTED DB FLAVOUR.. ----------", "error")
sys.exit(1)
# Methods Begin
if DBA_MODE == "TRUE" :
if (dryMode==True):
log("[I] Dry run mode:"+str(dryMode),"info")
log("[I] Logging Grant/Revoke sql script in file:"+str(globalDict["dryModeOutputFile"]),"info")
now = datetime.now()
logFile("=========="+now.strftime('%Y-%m-%d %H:%M:%S')+"==========\n")
xa_sqlObj.revoke_permissions(xa_db_root_user, db_name, db_user, db_password, xa_db_root_password, is_revoke,dryMode)
xa_sqlObj.grant_xa_db_user(xa_db_root_user, db_name, db_user, db_password, xa_db_root_password, is_revoke,dryMode)
audit_sqlObj.auditdb_operation(xa_db_host, audit_db_host, db_name, audit_db_name, xa_db_root_user, audit_db_root_user, db_user, audit_db_user, xa_db_root_password, audit_db_root_password, db_password, audit_db_password, DBA_MODE,dryMode)
logFile("========================================\n")
if (dryMode==False):
log("[I] ---------- Revoking permissions from Ranger Admin db user ----------","info")
xa_sqlObj.revoke_permissions(xa_db_root_user, db_name, db_user, db_password, xa_db_root_password, is_revoke,dryMode)
log("[I] ---------- Granting permissions to Ranger Admin db user ----------","info")
xa_sqlObj.grant_xa_db_user(xa_db_root_user, db_name, db_user, db_password, xa_db_root_password, is_revoke,dryMode)
log("[I] ---------- Starting Ranger Audit db user operations ---------- ","info")
audit_sqlObj.auditdb_operation(xa_db_host, audit_db_host, db_name, audit_db_name, xa_db_root_user, audit_db_root_user, db_user, audit_db_user, xa_db_root_password, audit_db_root_password, db_password, audit_db_password, DBA_MODE,dryMode)
log("[I] ---------- Ranger Policy Manager DB and User Creation Process Completed.. ---------- ","info")
main(sys.argv)