Automation to set up Ranger users and policies for HDF
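#!/usr/bin/env bash
# Run this script on the Ranger host to
# 1. create users in format $host.openstacklocal@apache.nifi e.g. abajwa-hdf-qe-bp-1.openstacklocal@apache.nifi
# 2. create Ranger policies for the above NiFi users:
#    a) read/write policy for /* (the NiFi admin only)
#    b) read policy for /flow
#    c) read/write policies for /proxy and /data/*
#
# Inputs (environment variables, all optional):
#   admin               NiFi admin user name                       (default: nifiadmin)
#   cluster             cluster name; the Ranger service is "${cluster}_nifi" (default: HDF)
#   hosts               space-separated NiFi host names            (default: "myhost1 myhost2 myhost3")
#   realm               Kerberos realm, appended as "@realm" to every user name (default: none)
#   ranger_url          Ranger admin base URL                      (default: http://localhost:6080)
#   ranger_user         Ranger admin login                         (default: admin)
#   ranger_password     Ranger admin password                      (default: admin)
#   nifi_user_password  password assigned to every created Ranger user (default: BadPass#1)
#
# The Ranger login is handed to curl through a config file (-K) in a private
# mktemp directory instead of on the command line, so it is not visible in
# `ps` output or shell history. Request payloads are written to the same
# directory and removed on exit, whatever the exit path.
set -euo pipefail

export admin=${admin:-nifiadmin}
export cluster=${cluster:-HDF}
export hosts=${hosts:-myhost1 myhost2 myhost3}
# Prefix the realm with '@' only when one was supplied; empty stays empty.
export realm=${realm:+@$realm}
ranger_url=${ranger_url:-http://localhost:6080}
ranger_user=${ranger_user:-admin}
ranger_password=${ranger_password:-admin}
# Report on stderr when the built-in default password is about to be used.
[[ -n "${nifi_user_password:-}" ]] \
  || printf 'warning: nifi_user_password not set; created users get the built-in default password\n' >&2
nifi_user_password=${nifi_user_password:-BadPass#1}
readonly service="${cluster}_nifi"

# Access lists reused by the policy payloads below (JSON array bodies).
readonly read_only='{"type":"READ", "isAllowed":true}'
readonly read_write='{"type":"READ", "isAllowed":true}, {"type":"WRITE", "isAllowed":true}'

die() { printf '%s\n' "$*" >&2; exit 1; }
warn() { printf 'warning: %s\n' "$*" >&2; }

#######################################
# Escape a value for use inside a double-quoted string literal: backslash and
# double quote are backslash-escaped. This is the quoting both the JSON
# payloads and curl's config file expect; control characters are not handled,
# so host names and realms are assumed to be plain printable text.
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout, no trailing newline
#######################################
escape_quoted() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//\"/\\\"}
  printf '%s' "$s"
}

#######################################
# POST the current payload file to a Ranger REST path.
# Globals:   ranger_url, curlrc, payload, tmpdir (read)
# Arguments: $1 - URL path under $ranger_url, e.g. /service/plugins/policies
# Outputs:   the full HTTP response (headers and body) on stdout, as `curl -i` prints it
# Returns:   exits via die() when curl itself fails (no connection, bad URL);
#            a non-2xx status is reported on stderr but does not stop the
#            script, so a re-run over already-existing users/policies still
#            proceeds to the remaining requests
#######################################
ranger_post() {
  local path=$1
  local code
  code=$(curl -sS -i -K "$curlrc" -H 'Content-Type: application/json' \
    -X POST -d @"$payload" -o "$tmpdir/response" -w '%{http_code}' \
    "$ranger_url$path") || die "curl failed for $ranger_url$path"
  cat -- "$tmpdir/response"
  [[ "$code" == 2* ]] || warn "Ranger returned HTTP $code for $path"
}

#######################################
# Write the payload that creates one Ranger user.
# Globals:   payload (written), realm, nifi_user_password (read)
# Arguments: $1 - user name without realm
#######################################
write_user_payload() {
  local user=$1
  cat > "$payload" <<EOF
{
"name": "$(escape_quoted "$user$realm")",
"password": "$(escape_quoted "$nifi_user_password")",
"firstName":"$(escape_quoted "$user")",
"lastName":"",
"emailAddress":"",
"status": "1",
"userRoleList": ["ROLE_USER"],
"groupIdList":["1"]
}
EOF
}

#######################################
# Write the payload that creates one NiFi resource policy.
# Globals:   payload (written), service (read)
# Arguments: $1 - policy name, also used as the nifi-resource value (e.g. /flow)
#            $2 - JSON array body of user names, already quoted and escaped
#            $3 - JSON array body of accesses ($read_only or $read_write)
#######################################
write_policy_payload() {
  local resource=$1 users_json=$2 accesses_json=$3
  local escaped_resource
  escaped_resource=$(escape_quoted "$resource")
  cat > "$payload" <<EOF
{
"policyType": "0",
"name": "$escaped_resource",
"isEnabled": "true",
"isAuditEnabled": "true",
"description": "",
"resources":
{
"nifi-resource":
{
"values":["$escaped_resource"],
"isRecursive":"",
"isExcludes":false
}
},
"policyItems":
[{
"users":[$users_json],
"accesses":[$accesses_json]
}],
"denyPolicyItems":[],
"allowExceptions":[],
"denyExceptions":[],
"service":"$(escape_quoted "$service")"
}
EOF
}

main() {
  local -a host_list host_users
  local host user users

  tmpdir=$(mktemp -d) || die "mktemp failed"
  cleanup() { rm -rf -- "${tmpdir:?}"; }
  trap cleanup EXIT
  readonly payload="$tmpdir/payload"
  readonly curlrc="$tmpdir/curlrc"
  # mktemp -d creates the directory 0700, so the login file is private to us.
  printf 'user = "%s:%s"\n' "$(escape_quoted "$ranger_user")" \
    "$(escape_quoted "$ranger_password")" > "$curlrc"

  # Split the space-separated host list once, explicitly, instead of relying
  # on unquoted word splitting in each loop.
  read -ra host_list <<<"$hosts"
  (( ${#host_list[@]} )) || die "hosts must name at least one host"

  for user in "$admin" "${host_list[@]}"; do
    write_user_payload "$user"
    ranger_post /service/xusers/secure/users
  done

  printf 'Attempting to create /* policy for %s\n' "$admin"
  write_policy_payload '/*' "\"$(escape_quoted "$admin$realm")\"" "$read_write"
  ranger_post /service/plugins/policies

  # Build the JSON user list for the host users: "host1@REALM","host2@REALM",...
  host_users=()
  for host in "${host_list[@]}"; do
    host_users+=("\"$(escape_quoted "$host$realm")\"")
  done
  users=$(IFS=,; printf '%s' "${host_users[*]}")

  printf 'Attempting to create /flow policy for %s\n' "$users"
  write_policy_payload /flow "$users" "$read_only"
  ranger_post /service/plugins/policies

  printf 'Attempting to create /proxy policy for %s\n' "$users"
  write_policy_payload /proxy "$users" "$read_write"
  ranger_post /service/plugins/policies

  printf 'Attempting to create /data/* policy for %s\n' "$users"
  write_policy_payload '/data/*' "$users" "$read_write"
  ranger_post /service/plugins/policies
}

main "$@"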