Last active
November 25, 2021 17:00
Automation to set up Ranger users and policies for HDF
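# Run this script on the Ranger host to:
# 1. create one Ranger user per name in "$admin $hosts", named "$name$realm"
#    (the realm is prefixed with "@" when set), e.g. a host user such as
#    abajwa-hdf-qe-bp-1.openstacklocal@apache.nifi
# 2. create Ranger policies in the "${cluster}_nifi" service:
#    a) read/write policy for /*      -> $admin
#    b) read policy for /flow         -> every host user
#    c) read/write policy for /proxy  -> every host user
#    d) read/write policy for /data/* -> every host user
#
# Environment (all optional):
#   admin, cluster, hosts, realm  - as before (defaults below)
#   ranger_url                    - base URL of the Ranger admin API
#   ranger_admin_user / ranger_admin_password
#                                 - account used for the REST calls
#   user_password                 - initial password given to every created user
#
# Security notes:
#   * The defaults for ranger_admin_password and user_password are the values
#     this script has always hard-coded. They are shared, publicly visible
#     credentials: override them (and rotate the created users' passwords)
#     anywhere other than a disposable sandbox.
#   * Credentials are sent with HTTP basic auth. The default URL is loopback
#     plain HTTP; use an https:// ranger_url when the API is not local.
#   * Request bodies contain the user password, so they are written to a
#     private mktemp file (not ./payload) that is removed on exit.

# No pathname expansion: $hosts is split on whitespace on purpose below, and a
# name containing * or ? must never be expanded against the current directory.
set -f

export admin="${admin:-nifiadmin}"
export cluster="${cluster:-HDF}"
export hosts="${hosts:-myhost1 myhost2 myhost3}"
export realm="${realm:-}"
if [ -n "$realm" ]; then
  export realm="@$realm"
fi

ranger_url="${ranger_url:-http://localhost:6080}"
ranger_admin_user="${ranger_admin_user:-admin}"
ranger_admin_password="${ranger_admin_password:-admin}"
user_password="${user_password:-BadPass#1}"

if [ "$ranger_admin_password" = "admin" ] || [ "$user_password" = "BadPass#1" ]; then
  echo "WARNING: using the script's built-in default password(s);" \
    "set ranger_admin_password and user_password outside a throwaway sandbox" >&2
fi

# Private scratch file for request bodies; removed however the script ends.
payload=$(mktemp) || { echo "ERROR: mktemp failed" >&2; exit 1; }
trap 'rm -f -- "$payload"' EXIT
trap 'exit 1' HUP INT TERM

# Backslash-escape \ and " so a value can sit inside a double-quoted JSON
# string or a double-quoted curl config value without terminating it early.
# Arguments: $1 - raw value.  Outputs: escaped value on stdout.
escape_quoted() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# POST a JSON file to the Ranger API and print the response (with headers).
# The credentials go to curl through a config read from stdin (-K -), so they
# do not appear in curl's argument list. A failed request is reported on
# stderr and the script carries on, as it always has.
# Arguments: $1 - API path (appended to $ranger_url), $2 - JSON body file.
ranger_post() {
  printf 'user = "%s:%s"\n' \
    "$(escape_quoted "$ranger_admin_user")" \
    "$(escape_quoted "$ranger_admin_password")" |
    curl -i -K - -H 'Content-Type: application/json' -X POST \
      -d @"$2" "$ranger_url$1" ||
    echo "WARNING: POST to $ranger_url$1 failed (curl exit $?)" >&2
}

# Create one allow policy on a single nifi-resource.
# Arguments: $1 - resource path, also used as the policy name
#            $2 - comma-separated list of JSON-quoted user names
#            $3 - JSON access objects for the policy item
create_policy() {
  cat > "$payload" <<EOF
{
  "policyType": "0",
  "name": "$1",
  "isEnabled": "true",
  "isAuditEnabled": "true",
  "description": "",
  "resources":
  {
    "nifi-resource":
    {
      "values":["$1"],
      "isRecursive":"",
      "isExcludes":false
    }
  },
  "policyItems":
  [{
    "users":[$2],
    "accesses":[$3]
  }],
  "denyPolicyItems":[],
  "allowExceptions":[],
  "denyExceptions":[],
  "service":"$service_json"
}
EOF
  ranger_post /service/plugins/policies "$payload"
}

service="$cluster"_nifi
service_json=$(escape_quoted "$service")
password_json=$(escape_quoted "$user_password")

read_only='{"type":"READ", "isAllowed":true}'
read_write='{"type":"READ", "isAllowed":true}, {"type":"WRITE", "isAllowed":true}'

# --- 1. users: the admin plus one per host (intentional word splitting) ---
for user in $admin $hosts
do
  name_json=$(escape_quoted "$user$realm")
  first_json=$(escape_quoted "$user")
  cat > "$payload" <<EOF
{
  "name": "$name_json",
  "password": "$password_json",
  "firstName":"$first_json",
  "lastName":"",
  "emailAddress":"",
  "status": "1",
  "userRoleList": ["ROLE_USER"],
  "groupIdList":["1"]
}
EOF
  ranger_post /service/xusers/secure/users "$payload"
  # Do not keep the password on disk longer than the request needs it.
  : > "$payload"
done

# --- 2a. /* for the admin user ---
echo "Attempting to create /* policy for $admin"
create_policy '/*' "\"$(escape_quoted "$admin$realm")\"" "$read_write"

# JSON list of the host users: "host1@realm","host2@realm",...
users=""
for host in $hosts
do
  entry="\"$(escape_quoted "$host$realm")\""
  users="${users:+$users,}$entry"
done

# --- 2b-2d. policies for the host users ---
echo "Attempting to create /flow policy for $users"
create_policy '/flow' "$users" "$read_only"

echo "Attempting to create /proxy policy for $users"
create_policy '/proxy' "$users" "$read_write"

echo "Attempting to create /data/* policy for $users"
create_policy '/data/*' "$users" "$read_write"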