AMBARI-19845 Secure Ranger passwords in Ambari Stacks (mugdha)

ambari-common/src/main/python/resource_management/libraries/functions/constants.py

@@ -116,3 +116,4 @@ class StackFeature:
   ATLAS_INSTALL_HOOK_PACKAGE_SUPPORT="atlas_install_hook_package_support"
   ATLAS_HDFS_SITE_ON_NAMENODE_HA='atlas_hdfs_site_on_namenode_ha'
   HIVE_INTERACTIVE_GA_SUPPORT='hive_interactive_ga'
+  SECURE_RANGER_SSL_PASSWORD = "secure_ranger_ssl_password"

ambari-common/src/main/python/resource_management/libraries/functions/setup_ranger_plugin_xml.py

@@ -131,9 +131,17 @@ def setup_ranger_plugin(component_select_name, service_name, previous_jdbc_jar,
         mode = 0644
       )
 
+    # remove plain-text password from xml configs
+    plugin_audit_password_property = 'xasecure.audit.destination.db.password'
+    plugin_audit_properties_copy = {}
+    plugin_audit_properties_copy.update(plugin_audit_properties)
+
+    if plugin_audit_password_property in plugin_audit_properties_copy:
+      plugin_audit_properties_copy[plugin_audit_password_property] = "crypted"
+
     XmlConfig(format('ranger-{service_name}-audit.xml'),
       conf_dir=component_conf_dir,
-      configurations=plugin_audit_properties,
+      configurations=plugin_audit_properties_copy,
       configuration_attributes=plugin_audit_attributes,
       owner = component_user,
       group = component_group,
@@ -147,10 +155,19 @@ def setup_ranger_plugin(component_select_name, service_name, previous_jdbc_jar,
       group = component_group,
       mode=0744)
 
+    # remove plain-text password from xml configs
+    plugin_password_properties = ['xasecure.policymgr.clientssl.keystore.password', 'xasecure.policymgr.clientssl.truststore.password']
+    plugin_policymgr_ssl_properties_copy = {}
+    plugin_policymgr_ssl_properties_copy.update(plugin_policymgr_ssl_properties)
+
+    for prop in plugin_password_properties:
+      if prop in plugin_policymgr_ssl_properties_copy:
+        plugin_policymgr_ssl_properties_copy[prop] = "crypted"
+
     if str(service_name).lower() == 'yarn' :
       XmlConfig("ranger-policymgr-ssl-yarn.xml",
         conf_dir=component_conf_dir,
-        configurations=plugin_policymgr_ssl_properties,
+        configurations=plugin_policymgr_ssl_properties_copy,
         configuration_attributes=plugin_policymgr_ssl_attributes,
         owner = component_user,
         group = component_group,
@@ -158,7 +175,7 @@ def setup_ranger_plugin(component_select_name, service_name, previous_jdbc_jar,
     else:
       XmlConfig("ranger-policymgr-ssl.xml",
         conf_dir=component_conf_dir,
-        configurations=plugin_policymgr_ssl_properties,
+        configurations=plugin_policymgr_ssl_properties_copy,
         configuration_attributes=plugin_policymgr_ssl_attributes,
         owner = component_user,
         group = component_group,

ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/params.py

@@ -73,6 +73,7 @@ stack_supports_ranger_admin_password_change = check_stack_feature(StackFeature.R
 stack_supports_ranger_setup_db_on_start = check_stack_feature(StackFeature.RANGER_SETUP_DB_ON_START, version_for_stack_feature_checks)
 stack_supports_ranger_tagsync_ssl_xml_support = check_stack_feature(StackFeature.RANGER_TAGSYNC_SSL_XML_SUPPORT, version_for_stack_feature_checks)
 stack_supports_ranger_solr_configs = check_stack_feature(StackFeature.RANGER_SOLR_CONFIG_SUPPORT, version_for_stack_feature_checks)
+stack_supports_secure_ssl_password = check_stack_feature(StackFeature.SECURE_RANGER_SSL_PASSWORD, version_for_stack_feature_checks)
 
 downgrade_from_version = default("/commandParams/downgrade_from_version", None)
 upgrade_direction = default("/commandParams/upgrade_direction", None)
@@ -425,3 +426,20 @@ if is_hbase_ha_enabled:
 if is_namenode_ha_enabled:
   if not is_empty(config['configurations']['ranger-hdfs-plugin-properties']['ranger-hdfs-plugin-enabled']):
     ranger_hdfs_plugin_enabled = config['configurations']['ranger-hdfs-plugin-properties']['ranger-hdfs-plugin-enabled'].lower() == 'yes'
+
+ranger_admin_password_properties = ['ranger.jpa.jdbc.password', 'ranger.jpa.audit.jdbc.password', 'ranger.ldap.bind.password', 'ranger.ldap.ad.bind.password']
+ranger_usersync_password_properties = ['ranger.usersync.ldap.ldapbindpassword']
+ranger_tagsync_password_properties = ['xasecure.policymgr.clientssl.keystore.password', 'xasecure.policymgr.clientssl.truststore.password']
+if stack_supports_secure_ssl_password:
+  ranger_admin_password_properties.extend(['ranger.service.https.attrib.keystore.pass', 'ranger.truststore.password'])
+  ranger_usersync_password_properties.extend(['ranger.usersync.keystore.password', 'ranger.usersync.truststore.password'])
+
+ranger_auth_method = config['configurations']['ranger-admin-site']['ranger.authentication.method']
+ranger_ldap_password_alias = default('/configurations/ranger-admin-site/ranger.ldap.binddn.credential.alias', 'ranger.ldap.bind.password')
+ranger_ad_password_alias = default('/configurations/ranger-admin-site/ranger.ldap.ad.binddn.credential.alias', 'ranger.ldap.ad.bind.password')
+ranger_https_keystore_alias = default('/configurations/ranger-admin-site/ranger.service.https.attrib.keystore.credential.alias', 'keyStoreCredentialAlias')
+ranger_truststore_alias = default('/configurations/ranger-admin-site/ranger.truststore.alias', 'trustStoreAlias')
+https_enabled = config['configurations']['ranger-admin-site']['ranger.service.https.attrib.ssl.enabled']
+http_enabled = config['configurations']['ranger-admin-site']['ranger.service.http.enabled']
+https_keystore_password = config['configurations']['ranger-admin-site']['ranger.service.https.attrib.keystore.pass']
+truststore_password = config['configurations']['ranger-admin-site']['ranger.truststore.password']

ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py

@@ -173,9 +173,17 @@ def setup_ranger_admin(upgrade_type=None):
     only_if=format("ls {ranger_home}/ews/ranger-admin-services.sh"),
     sudo=True)
 
+  # remove plain-text password from xml configs
+
+  ranger_admin_site_copy = {}
+  ranger_admin_site_copy.update(params.config['configurations']['ranger-admin-site'])
+  for prop in params.ranger_admin_password_properties:
+    if prop in ranger_admin_site_copy:
+      ranger_admin_site_copy[prop] = "_"
+
   XmlConfig("ranger-admin-site.xml",
     conf_dir=ranger_conf,
-    configurations=params.config['configurations']['ranger-admin-site'],
+    configurations=ranger_admin_site_copy,
     configuration_attributes=params.config['configuration_attributes']['ranger-admin-site'],
     owner=params.unix_user,
     group=params.unix_group,
@@ -303,6 +311,36 @@ def do_keystore_setup(upgrade_type=None):
       mode = 0640
     )
 
+  if params.ranger_auth_method.upper() == "LDAP":
+    ranger_credential_helper(params.cred_lib_path, params.ranger_ldap_password_alias, params.ranger_usersync_ldap_ldapbindpassword, params.ranger_credential_provider_path)
+
+    File(params.ranger_credential_provider_path,
+      owner = params.unix_user,
+      group = params.unix_group,
+      mode = 0640
+    )
+
+  if params.ranger_auth_method.upper() == "ACTIVE_DIRECTORY":
+    ranger_credential_helper(params.cred_lib_path, params.ranger_ad_password_alias, params.ranger_usersync_ldap_ldapbindpassword, params.ranger_credential_provider_path)
+
+    File(params.ranger_credential_provider_path,
+      owner = params.unix_user,
+      group = params.unix_group,
+      mode = 0640
+    )
+
+  if params.stack_supports_secure_ssl_password:
+    ranger_credential_helper(params.cred_lib_path, params.ranger_truststore_alias, params.truststore_password, params.ranger_credential_provider_path)
+
+    if params.https_enabled and not params.http_enabled:
+      ranger_credential_helper(params.cred_lib_path, params.ranger_https_keystore_alias, params.https_keystore_password, params.ranger_credential_provider_path)
+
+    File(params.ranger_credential_provider_path,
+      owner = params.unix_user,
+      group = params.unix_group,
+      mode = 0640
+    )
+
 def password_validation(password):
   import params
   if password.strip() == "":
@@ -435,9 +473,16 @@ def setup_usersync(upgrade_type=None):
     dst_file = format('{usersync_home}/conf/log4j.xml')
     Execute(('cp', '-f', src_file, dst_file), sudo=True)
 
+  # remove plain-text password from xml configs
+  ranger_ugsync_site_copy = {}
+  ranger_ugsync_site_copy.update(params.config['configurations']['ranger-ugsync-site'])
+  for prop in params.ranger_usersync_password_properties:
+    if prop in ranger_ugsync_site_copy:
+      ranger_ugsync_site_copy[prop] = "_"
+
   XmlConfig("ranger-ugsync-site.xml",
     conf_dir=ranger_ugsync_conf,
-    configurations=params.config['configurations']['ranger-ugsync-site'],
+    configurations=ranger_ugsync_site_copy,
     configuration_attributes=params.config['configuration_attributes']['ranger-ugsync-site'],
     owner=params.unix_user,
     group=params.unix_group,
@@ -732,9 +777,16 @@ def setup_tagsync_ssl_configs():
             mode=0775,
             create_parents=True)
 
+  # remove plain-text password from xml configs
+  ranger_tagsync_policymgr_ssl_copy = {}
+  ranger_tagsync_policymgr_ssl_copy.update(params.config['configurations']['ranger-tagsync-policymgr-ssl'])
+  for prop in params.ranger_tagsync_password_properties:
+    if prop in ranger_tagsync_policymgr_ssl_copy:
+      ranger_tagsync_policymgr_ssl_copy[prop] = "_"
+
   XmlConfig("ranger-policymgr-ssl.xml",
             conf_dir=params.ranger_tagsync_conf,
-            configurations=params.config['configurations']['ranger-tagsync-policymgr-ssl'],
+            configurations=ranger_tagsync_policymgr_ssl_copy,
             configuration_attributes=params.config['configuration_attributes']['ranger-tagsync-policymgr-ssl'],
             owner=params.unix_user,
             group=params.unix_group,
@@ -749,9 +801,16 @@ def setup_tagsync_ssl_configs():
        mode = 0640
        )
 
+  # remove plain-text password from xml configs
+  atlas_tagsync_ssl_copy = {}
+  atlas_tagsync_ssl_copy.update(params.config['configurations']['atlas-tagsync-ssl'])
+  for prop in params.ranger_tagsync_password_properties:
+    if prop in atlas_tagsync_ssl_copy:
+      atlas_tagsync_ssl_copy[prop] = "_"
+
   XmlConfig("atlas-tagsync-ssl.xml",
             conf_dir=params.ranger_tagsync_conf,
-            configurations=params.config['configurations']['atlas-tagsync-ssl'],
+            configurations=atlas_tagsync_ssl_copy,
             configuration_attributes=params.config['configuration_attributes']['atlas-tagsync-ssl'],
             owner=params.unix_user,
             group=params.unix_group,

ambari-server/src/main/resources/common-services/RANGER/0.5.0/configuration/ranger-admin-site.xml

@@ -542,4 +542,16 @@
     </value-attributes>
     <on-ambari-upgrade add="true"/>
   </property>
+  <property>
+    <name>ranger.ldap.binddn.credential.alias</name>
+    <value>ranger.ldap.bind.password</value>
+    <description></description>
+    <on-ambari-upgrade add="true"/>
+  </property>
+  <property>
+    <name>ranger.ldap.ad.binddn.credential.alias</name>
+    <value>ranger.ldap.ad.bind.password</value>
+    <description></description>
+    <on-ambari-upgrade add="true"/>
+  </property>
 </configuration>

ambari-server/src/main/resources/common-services/RANGER/0.7.0/configuration/ranger-admin-site.xml

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<configuration>
+  <property>
+    <name>ranger.truststore.alias</name>
+    <value>trustStoreAlias</value>
+    <description></description>
+    <on-ambari-upgrade add="false"/>
+  </property>
+  <property>
+    <name>ranger.service.https.attrib.keystore.credential.alias</name>
+    <value>keyStoreCredentialAlias</value>
+    <description></description>
+    <on-ambari-upgrade add="false"/>
+  </property>
+</configuration>

ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py

@@ -271,9 +271,17 @@ def kms(upgrade_type=None):
     if params.stack_support_kms_hsm and params.enable_kms_hsm:
       do_keystore_setup(params.credential_provider_path, params.hms_partition_alias, unicode(params.hms_partition_passwd))
 
+    # remove plain-text password from xml configs
+    dbks_site_copy = {}
+    dbks_site_copy.update(params.config['configurations']['dbks-site'])
+
+    for prop in params.dbks_site_password_properties:
+      if prop in dbks_site_copy:
+        dbks_site_copy[prop] = "_"
+
     XmlConfig("dbks-site.xml",
       conf_dir=params.kms_conf_dir,
-      configurations=params.config['configurations']['dbks-site'],
+      configurations=dbks_site_copy,
       configuration_attributes=params.config['configuration_attributes']['dbks-site'],
       owner=params.kms_user,
       group=params.kms_group,
@@ -421,9 +429,16 @@ def enable_kms_plugin():
       mode = 0644        
     )
 
+    # remove plain-text password from xml configs
+    plugin_audit_properties_copy = {}
+    plugin_audit_properties_copy.update(params.config['configurations']['ranger-kms-audit'])
+
+    if params.plugin_audit_password_property in plugin_audit_properties_copy:
+      plugin_audit_properties_copy[params.plugin_audit_password_property] = "crypted"
+
     XmlConfig("ranger-kms-audit.xml",
       conf_dir=params.kms_conf_dir,
-      configurations=params.config['configurations']['ranger-kms-audit'],
+      configurations=plugin_audit_properties_copy,
       configuration_attributes=params.config['configuration_attributes']['ranger-kms-audit'],
       owner=params.kms_user,
       group=params.kms_group,
@@ -437,9 +452,17 @@ def enable_kms_plugin():
       group=params.kms_group,
       mode=0744)
 
+    # remove plain-text password from xml configs
+    ranger_kms_policymgr_ssl_copy = {}
+    ranger_kms_policymgr_ssl_copy.update(params.config['configurations']['ranger-kms-policymgr-ssl'])
+
+    for prop in params.kms_plugin_password_properties:
+      if prop in ranger_kms_policymgr_ssl_copy:
+        ranger_kms_policymgr_ssl_copy[prop] = "crypted"
+
     XmlConfig("ranger-policymgr-ssl.xml",
       conf_dir=params.kms_conf_dir,
-      configurations=params.config['configurations']['ranger-kms-policymgr-ssl'],
+      configurations=ranger_kms_policymgr_ssl_copy,
       configuration_attributes=params.config['configuration_attributes']['ranger-kms-policymgr-ssl'],
       owner=params.kms_user,
       group=params.kms_group,

ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/params.py

@@ -276,3 +276,7 @@ if security_enabled:
   spengo_keytab = config['configurations']['kms-site']['hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.keytab']
   spnego_principal = config['configurations']['kms-site']['hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.principal']
   spnego_principal = spnego_principal.replace('_HOST', current_host.lower())
+
+plugin_audit_password_property = 'xasecure.audit.destination.db.password'
+kms_plugin_password_properties = ['xasecure.policymgr.clientssl.keystore.password', 'xasecure.policymgr.clientssl.truststore.password']
+dbks_site_password_properties = ['ranger.db.encrypt.key.password', 'ranger.ks.jpa.jdbc.password', 'ranger.ks.hsm.partition.password']

ambari-server/src/main/resources/stacks/HDP/2.0.6/properties/stack_features.json

@@ -382,6 +382,11 @@
       "name": "hive_interactive_ga",
       "description": "Hive Interactive GA support",
       "min_version": "2.6.0.0"
+    },
+    {
+      "name": "secure_ranger_ssl_password",
+      "description": "Securing Ranger Admin and Usersync SSL and Trustore related passwords in jceks",
+      "min_version": "2.6.0.0"
     }
   ]
 }

ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_admin.py

@@ -293,11 +293,17 @@ class TestRangerAdmin(RMFTestCase):
       sudo = True
     )
 
+    ranger_admin_site_copy = {}
+    ranger_admin_site_copy.update(self.getConfig()['configurations']['ranger-admin-site'])
+    for prop in ['ranger.jpa.jdbc.password', 'ranger.jpa.audit.jdbc.password', 'ranger.ldap.bind.password', 'ranger.ldap.ad.bind.password']:
+      if prop in ranger_admin_site_copy:
+        ranger_admin_site_copy[prop] = "_"
+
     self.assertResourceCalled('XmlConfig', 'ranger-admin-site.xml',
       owner = 'ranger',
       group = 'ranger',
       conf_dir = '/usr/hdp/current/ranger-admin/conf',
-      configurations = self.getConfig()['configurations']['ranger-admin-site'],
+      configurations = ranger_admin_site_copy,
       configuration_attributes = self.getConfig()['configuration_attributes']['ranger-admin-site'],
       mode = 0644
     )
@@ -443,11 +449,17 @@ class TestRangerAdmin(RMFTestCase):
       sudo = True
     )
 
+    ranger_admin_site_copy = {}
+    ranger_admin_site_copy.update(self.getConfig()['configurations']['ranger-admin-site'])
+    for prop in ['ranger.jpa.jdbc.password', 'ranger.jpa.audit.jdbc.password', 'ranger.ldap.bind.password', 'ranger.ldap.ad.bind.password']:
+      if prop in ranger_admin_site_copy:
+        ranger_admin_site_copy[prop] = "_"
+
     self.assertResourceCalled('XmlConfig', 'ranger-admin-site.xml',
       owner = 'ranger',
       group = 'ranger',
       conf_dir = '/usr/hdp/current/ranger-admin/conf',
-      configurations = self.getConfig()['configurations']['ranger-admin-site'],
+      configurations = ranger_admin_site_copy,
       configuration_attributes = self.getConfig()['configuration_attributes']['ranger-admin-site'],
       mode = 0644
     )

ambari-server/src/test/python/stacks/2.5/RANGER/test_ranger_usersync.py

@@ -132,11 +132,17 @@ class TestRangerUsersync(RMFTestCase):
       mode = 0644
     )
 
+    ranger_ugsync_site_copy = {}
+    ranger_ugsync_site_copy.update(self.getConfig()['configurations']['ranger-ugsync-site'])
+    for prop in ['ranger.usersync.ldap.ldapbindpassword']:
+      if prop in ranger_ugsync_site_copy:
+        ranger_ugsync_site_copy[prop] = "_"
+
     self.assertResourceCalled('XmlConfig', 'ranger-ugsync-site.xml',
       owner = 'ranger',
       group = 'ranger',
       conf_dir = '/usr/hdp/current/ranger-usersync/conf',
-      configurations = self.getConfig()['configurations']['ranger-ugsync-site'],
+      configurations = ranger_ugsync_site_copy,
       configuration_attributes = self.getConfig()['configuration_attributes']['ranger-ugsync-site'],
       mode = 0644
     )

ambari-server/src/test/python/stacks/2.5/RANGER_KMS/test_kms_server.py

@@ -93,12 +93,18 @@ class TestRangerKMS(RMFTestCase):
       mode = 0644
     )
 
+    plugin_audit_properties_copy = {}
+    plugin_audit_properties_copy.update(self.getConfig()['configurations']['ranger-kms-audit'])
+
+    if 'xasecure.audit.destination.db.password' in plugin_audit_properties_copy:
+      plugin_audit_properties_copy['xasecure.audit.destination.db.password'] = "crypted"
+
     self.assertResourceCalled('XmlConfig', 'ranger-kms-audit.xml',
       mode = 0744,
       owner = 'kms',
       group = 'kms',
       conf_dir = '/usr/hdp/current/ranger-kms/conf',
-      configurations = self.getConfig()['configurations']['ranger-kms-audit'],
+      configurations = plugin_audit_properties_copy,
       configuration_attributes = self.getConfig()['configuration_attributes']['ranger-kms-audit']
     )
 
@@ -111,12 +117,19 @@ class TestRangerKMS(RMFTestCase):
       configuration_attributes = self.getConfig()['configuration_attributes']['ranger-kms-security']
     )
 
+    ranger_kms_policymgr_ssl_copy = {}
+    ranger_kms_policymgr_ssl_copy.update(self.getConfig()['configurations']['ranger-kms-policymgr-ssl'])
+
+    for prop in ['xasecure.policymgr.clientssl.keystore.password', 'xasecure.policymgr.clientssl.truststore.password']:
+      if prop in ranger_kms_policymgr_ssl_copy:
+        ranger_kms_policymgr_ssl_copy[prop] = "crypted"
+
     self.assertResourceCalled('XmlConfig', 'ranger-policymgr-ssl.xml',
       mode = 0744,
       owner = 'kms',
       group = 'kms',
       conf_dir = '/usr/hdp/current/ranger-kms/conf',
-      configurations = self.getConfig()['configurations']['ranger-kms-policymgr-ssl'],
+      configurations = ranger_kms_policymgr_ssl_copy,
       configuration_attributes = self.getConfig()['configuration_attributes']['ranger-kms-policymgr-ssl']
     )
 
@@ -349,12 +362,18 @@ class TestRangerKMS(RMFTestCase):
       mode = 0640
     )
 
+    dbks_site_copy = {}
+    dbks_site_copy.update(self.getConfig()['configurations']['dbks-site'])
+    for prop in ['ranger.db.encrypt.key.password', 'ranger.ks.jpa.jdbc.password', 'ranger.ks.hsm.partition.password']:
+      if prop in dbks_site_copy:
+        dbks_site_copy[prop] = "_"
+
     self.assertResourceCalled('XmlConfig', 'dbks-site.xml',
       mode=0644,
       owner = 'kms',
       group = 'kms',
       conf_dir = '/usr/hdp/current/ranger-kms/conf',
-      configurations = self.getConfig()['configurations']['dbks-site'],
+      configurations = dbks_site_copy,
       configuration_attributes = self.getConfig()['configuration_attributes']['dbks-site']
     )
 
@@ -442,12 +461,18 @@ class TestRangerKMS(RMFTestCase):
       mode = 0644
     )
 
+    plugin_audit_properties_copy = {}
+    plugin_audit_properties_copy.update(self.getConfig()['configurations']['ranger-kms-audit'])
+
+    if 'xasecure.audit.destination.db.password' in plugin_audit_properties_copy:
+      plugin_audit_properties_copy['xasecure.audit.destination.db.password'] = "crypted"
+
     self.assertResourceCalled('XmlConfig', 'ranger-kms-audit.xml',
       mode = 0744,
       owner = 'kms',
       group = 'kms',
       conf_dir = '/usr/hdp/current/ranger-kms/conf',
-      configurations = self.getConfig()['configurations']['ranger-kms-audit'],
+      configurations = plugin_audit_properties_copy,
       configuration_attributes = self.getConfig()['configuration_attributes']['ranger-kms-audit']
     )
 
@@ -460,12 +485,19 @@ class TestRangerKMS(RMFTestCase):
       configuration_attributes = self.getConfig()['configuration_attributes']['ranger-kms-security']
     )
 
+    ranger_kms_policymgr_ssl_copy = {}
+    ranger_kms_policymgr_ssl_copy.update(self.getConfig()['configurations']['ranger-kms-policymgr-ssl'])
+
+    for prop in ['xasecure.policymgr.clientssl.keystore.password', 'xasecure.policymgr.clientssl.truststore.password']:
+      if prop in ranger_kms_policymgr_ssl_copy:
+        ranger_kms_policymgr_ssl_copy[prop] = "crypted"
+
     self.assertResourceCalled('XmlConfig', 'ranger-policymgr-ssl.xml',
       mode = 0744,
       owner = 'kms',
       group = 'kms',
       conf_dir = '/usr/hdp/current/ranger-kms/conf',
-      configurations = self.getConfig()['configurations']['ranger-kms-policymgr-ssl'],
+      configurations = ranger_kms_policymgr_ssl_copy,
       configuration_attributes = self.getConfig()['configuration_attributes']['ranger-kms-policymgr-ssl']
     )
 
@@ -681,12 +713,18 @@ class TestRangerKMS(RMFTestCase):
       mode = 0640
     )
 
+    dbks_site_copy = {}
+    dbks_site_copy.update(self.getConfig()['configurations']['dbks-site'])
+    for prop in ['ranger.db.encrypt.key.password', 'ranger.ks.jpa.jdbc.password', 'ranger.ks.hsm.partition.password']:
+      if prop in dbks_site_copy:
+        dbks_site_copy[prop] = "_"
+
     self.assertResourceCalled('XmlConfig', 'dbks-site.xml',
       mode=0644,
       owner = 'kms',
       group = 'kms',
       conf_dir = '/usr/hdp/current/ranger-kms/conf',
-      configurations = self.getConfig()['configurations']['dbks-site'],
+      configurations = dbks_site_copy,
       configuration_attributes = self.getConfig()['configuration_attributes']['dbks-site']
     )
 

ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_admin.py

@@ -336,11 +336,17 @@ class TestRangerAdmin(RMFTestCase):
       sudo = True
     )
 
+    ranger_admin_site_copy = {}
+    ranger_admin_site_copy.update(self.getConfig()['configurations']['ranger-admin-site'])
+    for prop in ['ranger.jpa.jdbc.password', 'ranger.jpa.audit.jdbc.password', 'ranger.ldap.bind.password', 'ranger.ldap.ad.bind.password', 'ranger.service.https.attrib.keystore.pass', 'ranger.truststore.password']:
+      if prop in ranger_admin_site_copy:
+        ranger_admin_site_copy[prop] = "_"
+
     self.assertResourceCalled('XmlConfig', 'ranger-admin-site.xml',
       owner = 'ranger',
       group = 'ranger',
       conf_dir = '/usr/hdp/current/ranger-admin/conf',
-      configurations = self.getConfig()['configurations']['ranger-admin-site'],
+      configurations = ranger_admin_site_copy,
       configuration_attributes = self.getConfig()['configuration_attributes']['ranger-admin-site'],
       mode = 0644
     )
@@ -370,6 +376,18 @@ class TestRangerAdmin(RMFTestCase):
       mode = 0640
     )
 
+    self.assertResourceCalled('Execute', ('/usr/jdk64/jdk1.7.0_45/bin/java', '-cp', '/usr/hdp/current/ranger-admin/cred/lib/*', 'org.apache.ranger.credentialapi.buildks', 'create', 'trustStoreAlias', '-value', 'changeit', '-provider', 'jceks://file/etc/ranger/admin/rangeradmin.jceks'),
+      environment = {'JAVA_HOME': u'/usr/jdk64/jdk1.7.0_45'},
+      logoutput=True,
+      sudo = True
+    )
+
+    self.assertResourceCalled('File', '/etc/ranger/admin/rangeradmin.jceks',
+      owner = 'ranger',
+      group = 'ranger',
+      mode = 0640
+    )
+
     self.assertResourceCalled('XmlConfig', 'core-site.xml',
       owner = 'ranger',
       group = 'ranger',
@@ -496,11 +514,17 @@ class TestRangerAdmin(RMFTestCase):
       sudo = True
     )
 
+    ranger_admin_site_copy = {}
+    ranger_admin_site_copy.update(self.getConfig()['configurations']['ranger-admin-site'])
+    for prop in ['ranger.jpa.jdbc.password', 'ranger.jpa.audit.jdbc.password', 'ranger.ldap.bind.password', 'ranger.ldap.ad.bind.password', 'ranger.service.https.attrib.keystore.pass', 'ranger.truststore.password']:
+      if prop in ranger_admin_site_copy:
+        ranger_admin_site_copy[prop] = "_"
+
     self.assertResourceCalled('XmlConfig', 'ranger-admin-site.xml',
       owner = 'ranger',
       group = 'ranger',
       conf_dir = '/usr/hdp/current/ranger-admin/conf',
-      configurations = self.getConfig()['configurations']['ranger-admin-site'],
+      configurations = ranger_admin_site_copy,
       configuration_attributes = self.getConfig()['configuration_attributes']['ranger-admin-site'],
       mode = 0644
     )
@@ -530,6 +554,18 @@ class TestRangerAdmin(RMFTestCase):
       mode = 0640
     )
 
+    self.assertResourceCalled('Execute', ('/usr/jdk64/jdk1.7.0_45/bin/java', '-cp', '/usr/hdp/current/ranger-admin/cred/lib/*', 'org.apache.ranger.credentialapi.buildks', 'create', 'trustStoreAlias', '-value', 'changeit', '-provider', 'jceks://file/etc/ranger/admin/rangeradmin.jceks'),
+      environment = {'JAVA_HOME': u'/usr/jdk64/jdk1.7.0_45'},
+      logoutput=True,
+      sudo = True
+    )
+
+    self.assertResourceCalled('File', '/etc/ranger/admin/rangeradmin.jceks',
+      owner = 'ranger',
+      group = 'ranger',
+      mode = 0640
+    )
+
     self.assertResourceCalled('XmlConfig', 'core-site.xml',
       owner = 'ranger',
       group = 'ranger',

ambari-server/src/test/python/stacks/2.6/RANGER/test_ranger_tagsync.py

@@ -143,11 +143,18 @@ class TestRangerTagsync(RMFTestCase):
       cd_access = 'a',
     )
 
+    ranger_tagsync_policymgr_ssl_copy = {}
+    ranger_tagsync_policymgr_ssl_copy.update(self.getConfig()['configurations']['ranger-tagsync-policymgr-ssl'])
+    ranger_tagsync_password_properties = ['xasecure.policymgr.clientssl.keystore.password', 'xasecure.policymgr.clientssl.truststore.password']
+    for prop in ranger_tagsync_password_properties:
+      if prop in ranger_tagsync_policymgr_ssl_copy:
+        ranger_tagsync_policymgr_ssl_copy[prop] = "_"
+
     self.assertResourceCalled('XmlConfig', 'ranger-policymgr-ssl.xml',
       owner = 'ranger',
       group = 'ranger',
       conf_dir = '/usr/hdp/current/ranger-tagsync/conf',
-      configurations = self.getConfig()['configurations']['ranger-tagsync-policymgr-ssl'],
+      configurations = ranger_tagsync_policymgr_ssl_copy,
       configuration_attributes = self.getConfig()['configuration_attributes']['ranger-tagsync-policymgr-ssl'],
       mode = 0644,
     )
@@ -188,17 +195,21 @@ class TestRangerTagsync(RMFTestCase):
       mode = 0640,
     )
 
+    atlas_tagsync_ssl_copy = {}
+    atlas_tagsync_ssl_copy.update(self.getConfig()['configurations']['atlas-tagsync-ssl'])
+    for prop in ranger_tagsync_password_properties:
+      if prop in atlas_tagsync_ssl_copy:
+        atlas_tagsync_ssl_copy[prop] = "_"
+
     self.assertResourceCalled('XmlConfig', 'atlas-tagsync-ssl.xml',
       group = 'ranger',
       conf_dir = '/usr/hdp/current/ranger-tagsync/conf',
       mode = 0644,
       configuration_attributes = UnknownConfigurationMock(),
       owner = 'ranger',
-      configurations = self.getConfig()['configurations']['atlas-tagsync-ssl']
+      configurations = atlas_tagsync_ssl_copy
     )
 
-
-
     self.assertResourceCalled('Execute', (u'/usr/jdk64/jdk1.7.0_45/bin/java',
       '-cp',
       u'/usr/hdp/current/ranger-tagsync/lib/*',

ambari-server/src/test/python/stacks/2.6/configs/ranger-admin-default.json

@@ -326,7 +326,8 @@
             "ranger.service.http.port": "6080", 
             "ranger.ldap.user.searchfilter": "(uid={0})", 
             "ranger.plugins.atlas.serviceuser": "atlas", 
-            "ranger.truststore.password": "changeit", 
+            "ranger.truststore.password": "changeit",
+            "ranger.truststore.alias": "trustStoreAlias",
             "ranger.ldap.bind.password": "{{ranger_usersync_ldap_ldapbindpassword}}", 
             "ranger.audit.solr.password": "NONE", 
             "ranger.audit.solr.zookeepers": "c6401.ambari.apache.org:2181/infra-solr",
@@ -364,7 +365,8 @@
             "ranger.admin.kerberos.keytab": "", 
             "ranger.admin.kerberos.token.valid.seconds": "30", 
             "ranger.jpa.jdbc.driver": "com.mysql.jdbc.Driver", 
-            "ranger.unixauth.service.port": "5151"
+            "ranger.unixauth.service.port": "5151",
+            "ranger.service.https.attrib.keystore.credential.alias": "keyStoreCredentialAlias"
         }, 
         "ranger-hdfs-policymgr-ssl": {
             "xasecure.policymgr.clientssl.keystore": "/usr/hdp/current/hadoop-client/conf/ranger-plugin-keystore.jks",