
AMBARI-10523 : Add support of Ranger KMS to Ambari (Gautam Borad via jluniya)

Jayush Luniya 10 éve
szülő
commit
aed7c85cac
14 módosított fájl, 1273 hozzáadás és 1 törlés
  1. 32 0
      ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/alerts.json
  2. 102 0
      ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/configuration/kms-acls.xml
  3. 49 0
      ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/configuration/kms-env.xml
  4. 68 0
      ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/configuration/kms-log4j.xml
  5. 269 0
      ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/configuration/kms-properties.xml
  6. 129 0
      ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/configuration/kms-site.xml
  7. 80 0
      ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/metainfo.xml
  8. 255 0
      ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py
  9. 58 0
      ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms_server.py
  10. 46 0
      ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms_service.py
  11. 112 0
      ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/params.py
  12. 41 0
      ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/service_check.py
  13. 3 1
      ambari-server/src/main/resources/stacks/HDP/2.3/role_command_order.json
  14. 29 0
      ambari-server/src/main/resources/stacks/HDP/2.3/services/RANGER_KMS/metainfo.xml

+ 32 - 0
ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/alerts.json

@@ -0,0 +1,32 @@
+{
+  "RANGER_KMS": {
+    "service": [],
+    "RANGER_KMS_SERVER": [
+      {
+        "name": "ranger_kms_server_process",
+        "label": "Ranger KMS Server Process",
+        "description": "This host-level alert is triggered if the Ranger KMS Server cannot be determined to be up.",
+        "interval": 1,
+        "scope": "HOST",
+        "source": {
+          "type": "PORT",
+          "uri": "{{kms-env/kms_port}}",
+          "default_port": 9292,
+          "reporting": {
+            "ok": {
+              "text": "TCP OK - {0:.3f}s response on port {1}"
+            },
+            "warning": {
+              "text": "TCP OK - {0:.3f}s response on port {1}",
+              "value": 1.5
+            },
+            "critical": {
+              "text": "Connection failed: {0} to {1}:{2}",
+              "value": 5.0
+            }
+          }
+        }
+      }
+    ]
+  }
+}
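Review bot: The `warning` reporting text is identical to the `ok` text (`"TCP OK - {0:.3f}s response on port {1}"`), so a response that crosses the 1.5 s warning threshold produces an alert message indistinguishable from a healthy one; change it to something like `"TCP OK but slow - {0:.3f}s response on port {1}"`. Note also that a PORT-type check only proves something is listening on `kms_port` — it does not exercise KMS authentication or the backing key provider, so presumably service_check.py (not visible here) is what covers that, and the description should not be read as more than liveness.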

+ 102 - 0
ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/configuration/kms-acls.xml

@@ -0,0 +1,102 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration>
+
+  <property>
+    <name>hadoop.kms.acl.CREATE</name>
+    <value>*</value>
+    <description>ACL for create-key operations. If the user is not in the GET ACL, the key material is not returned as part of the response.
+    </description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.acl.DELETE</name>
+    <value>*</value>
+    <description>ACL for delete-key operations.</description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.acl.ROLLOVER</name>
+    <value>*</value>
+    <description>ACL for rollover-key operations. If the user does is not in the GET ACL, the key material is not returned as part of the response.</description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.acl.GET</name>
+    <value>*</value>
+    <description>ACL for get-key-version and get-current-key operations.</description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.acl.GET_KEYS</name>
+    <value>*</value>
+    <description>ACL for get-keys operations.</description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.acl.GET_METADATA</name>
+    <value>*</value>
+    <description>ACL for get-key-metadata and get-keys-metadata operations.</description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.acl.SET_KEY_MATERIAL</name>
+    <value>*</value>
+    <description>Complementary ACL for CREATE and ROLLOVER operations to allow the client to provide the key material when creating or rolling a key.</description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.acl.GENERATE_EEK</name>
+    <value>*</value>
+    <description>ACL for generateEncryptedKey CryptoExtension operations.</description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.acl.DECRYPT_EEK</name>
+    <value>*</value>
+    <description>ACL for decryptEncryptedKey CryptoExtension operations.</description>
+  </property>
+
+  <property>
+    <name>default.key.acl.MANAGEMENT</name>
+    <value>*</value>
+    <description>default ACL for MANAGEMENT operations for all key acls that are not explicitly defined.</description>
+  </property>
+
+  <property>
+    <name>default.key.acl.GENERATE_EEK</name>
+    <value>*</value>
+    <description>default ACL for GENERATE_EEK operations for all key acls that are not explicitly defined.</description>
+  </property>
+
+  <property>
+    <name>default.key.acl.DECRYPT_EEK</name>
+    <value>*</value>
+    <description>default ACL for DECRYPT_EEK operations for all key acls that are not explicitly defined.</description>
+  </property>
+
+  <property>
+    <name>default.key.acl.READ</name>
+    <value>*</value>
+    <description>default ACL for READ operations for all key acls that are not explicitly defined.</description>
+  </property>
+
+</configuration>
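Review bot: Every ACL in this file, including `hadoop.kms.acl.DECRYPT_EEK`, `hadoop.kms.acl.GET` and `hadoop.kms.acl.SET_KEY_MATERIAL`, defaults to `*`, so whichever principal the KMS authenticates is allowed to read, replace and decrypt key material; with the `simple` authentication type this stack ships in kms-site.xml that is effectively anyone who can reach port 9292. These mirror the upstream Hadoop defaults, and the Ranger authorizer configured in kms-site may take precedence over them, but the descriptions here are what an operator sees in the Ambari UI and they say nothing about it. Suggest a sentence on each key-material ACL, e.g. `The default '*' grants every authenticated user; restrict this to the key administrator and the HDFS service user before creating encryption zones.`, and the same caveat on the `default.key.acl.*` entries.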

+ 49 - 0
ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/configuration/kms-env.xml

@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration>
+
+  <property>
+    <name>kms_user</name>
+    <value>kms</value>
+    <property-type>USER</property-type>
+    <description>Kms username</description>
+  </property>
+
+  <property>
+    <name>kms_group</name>
+    <value>kms</value>
+    <property-type>GROUP</property-type>
+    <description>Kms group</description>
+  </property>
+
+  <property>
+    <name>kms_log_dir</name>
+    <value>/var/log/ranger/kms</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>kms_port</name>
+    <value>9292</value>
+    <description></description>
+  </property>
+
+</configuration>  
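Review bot: `kms_log_dir` and `kms_port` ship with empty descriptions, and `kms_port` is the value the alert definition depends on and, judging by `dbks://http@localhost:9292/kms` in kms-site.xml, the key provider URI as well, so operators need to know those must change together. Suggest `<description>TCP port the Ranger KMS HTTP endpoint listens on; keep it consistent with the port in hadoop.kms.key.provider.uri (kms-site).</description>` and `<description>Directory for Ranger KMS log and audit files.</description>`. The trailing whitespace after `</configuration>` is harmless but worth dropping.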

+ 68 - 0
ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/configuration/kms-log4j.xml

@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration>
+
+  <property>
+    <name>content</name>
+    <description>kms-log4j.properties</description>
+    <value>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License. See accompanying LICENSE file.
+#
+
+# If the Java System property 'kms.log.dir' is not defined at KMS start up time
+# Setup sets its value to '${kms.home}/logs'
+
+log4j.appender.kms=org.apache.log4j.DailyRollingFileAppender
+log4j.appender.kms.DatePattern='.'yyyy-MM-dd
+log4j.appender.kms.File=${kms.log.dir}/kms.log
+log4j.appender.kms.Append=true
+log4j.appender.kms.layout=org.apache.log4j.PatternLayout
+log4j.appender.kms.layout.ConversionPattern=%d{ISO8601} %-5p %c{1} - %m%n
+
+log4j.appender.kms-audit=org.apache.log4j.DailyRollingFileAppender
+log4j.appender.kms-audit.DatePattern='.'yyyy-MM-dd
+log4j.appender.kms-audit.File=${kms.log.dir}/kms-audit.log
+log4j.appender.kms-audit.Append=true
+log4j.appender.kms-audit.layout=org.apache.log4j.PatternLayout
+log4j.appender.kms-audit.layout.ConversionPattern=%d{ISO8601} %m%n
+
+log4j.logger.kms-audit=INFO, kms-audit
+log4j.additivity.kms-audit=false
+
+log4j.rootLogger=ALL, kms
+log4j.logger.org.apache.hadoop.conf=ERROR
+log4j.logger.org.apache.hadoop=INFO
+log4j.logger.com.sun.jersey.server.wadl.generators.WadlGeneratorJAXBGrammarGenerator=OFF        
+    </value>        
+  </property>     
+
+</configuration>  
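Review bot: The last logger line inside the `content` value, `log4j.logger.com.sun.jersey.server.wadl.generators.WadlGeneratorJAXBGrammarGenerator=OFF        `, ends in a run of spaces that becomes part of the property value once the rendered file is loaded as Java properties (trailing whitespace is kept, only leading whitespace is stripped), and I am not certain log4j 1.x trims the level token before matching it — if it does not, the level silently falls back to the default instead of OFF; trim the line. Separately, `log4j.rootLogger=ALL, kms` leaves every package without an explicit level (the Ranger authorizer and the JDBC driver, for instance) at TRACE, which is a lot of volume in `kms.log` for a service handling key material — consider `INFO` for the root logger unless TRACE is deliberate, keeping the `kms-audit` appender unfiltered as it is now.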

+ 269 - 0
ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/configuration/kms-properties.xml

@@ -0,0 +1,269 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration>
+
+  <property>
+    <name>REPOSITORY_CONFIG_USERNAME</name>
+    <value>kms</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>REPOSITORY_CONFIG_PASSWORD</name>
+    <value>kms</value>
+    <property-type>PASSWORD</property-type>
+    <description></description>
+  </property>  
+
+  <property>
+    <name>DB_FLAVOR</name>
+    <value>MYSQL</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>SQL_COMMAND_INVOKER</name>
+    <value>'mysql'</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>SQL_CONNECTOR_JAR</name>
+    <value>/usr/share/java/mysql-connector-java.jar</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>db_root_user</name>
+    <value>root</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>db_root_password</name>
+    <value>vagrant</value>
+    <property-type>PASSWORD</property-type>
+    <description></description>
+  </property>
+
+  <property>
+    <name>db_host</name>
+    <value>localhost</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>db_name</name>
+    <value>rangerkms</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>db_user</name>
+    <value>rangerkms</value>
+    <description></description>
+  </property>   
+
+  <property>
+    <name>db_password</name>
+    <value>rangerkms</value>
+    <property-type>PASSWORD</property-type>
+    <description></description>
+  </property>
+
+  <property>
+    <name>KMS_MASTER_KEY_PASSWD</name>
+    <value>Str0ngPassw0rd</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>POLICY_MGR_URL</name>
+    <value>http://localhost:6080</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>REPOSITORY_NAME</name>
+    <value>kms_repo</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>XAAUDIT.DB.IS_ENABLED</name>
+    <value>true</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>XAAUDIT.DB.FLAVOUR</name>
+    <value>MYSQL</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>XAAUDIT.DB.HOSTNAME</name>
+    <value>localhost</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>XAAUDIT.DB.DATABASE_NAME</name>
+    <value>ranger_audit</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>XAAUDIT.DB.USER_NAME</name>
+    <value>rangerlogger</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>XAAUDIT.DB.PASSWORD</name>
+    <value>rangerlogger</value>
+    <property-type>PASSWORD</property-type>
+    <description></description>
+  </property>
+
+  <property>
+    <name>XAAUDIT.SOLR.IS_ENABLED</name>
+    <value>false</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>XAAUDIT.SOLR.MAX_QUEUE_SIZE</name>
+    <value>1</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>XAAUDIT.SOLR.MAX_FLUSH_INTERVAL_MS</name>
+    <value>1000</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>XAAUDIT.SOLR.SOLR_URL</name>
+    <value>http://localhost:6083/solr/ranger_audits</value>
+    <description></description>
+  </property>   
+
+  <property>
+    <name>XAAUDIT.HDFS.IS_ENABLED</name>
+    <value>false</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>XAAUDIT.HDFS.DESTINATION_DIRECTORY</name>
+    <value>hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit/%app-type%/%time:yyyyMMdd%</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY</name>
+    <value>__REPLACE__LOG_DIR/hadoop/%app-type%/audit</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY</name>
+    <value>__REPLACE__LOG_DIR/hadoop/%app-type%/audit/archive</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>XAAUDIT.HDFS.DESTINTATION_FILE</name>
+    <value>%hostname%-audit.log</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>XAAUDIT.HDFS.DESTINTATION_FLUSH_INTERVAL_SECONDS</name>
+    <value>900</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>XAAUDIT.HDFS.DESTINTATION_ROLLOVER_INTERVAL_SECONDS</name>
+    <value>86400</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>XAAUDIT.HDFS.DESTINTATION_OPEN_RETRY_INTERVAL_SECONDS</name>
+    <value>60</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>XAAUDIT.HDFS.LOCAL_BUFFER_FILE</name>
+    <value>%time:yyyyMMdd-HHmm.ss%.log</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>XAAUDIT.HDFS.LOCAL_BUFFER_FLUSH_INTERVAL_SECONDS</name>
+    <value>60</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS</name>
+    <value>600</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>XAAUDIT.HDFS.LOCAL_ARCHIVE_MAX_FILE_COUNT</name>
+    <value>10</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>SSL_KEYSTORE_FILE_PATH</name>
+    <value>/etc/hadoop/conf/ranger-plugin-keystore.jks</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>SSL_KEYSTORE_PASSWORD</name>
+    <value>myKeyFilePassword</value>
+    <property-type>PASSWORD</property-type>
+    <description></description>
+  </property>
+
+  <property>
+    <name>SSL_TRUSTSTORE_FILE_PATH</name>
+    <value>/etc/hadoop/conf/ranger-plugin-truststore.jks</value>
+    <description></description>
+  </property>
+
+  <property>
+    <name>SSL_TRUSTSTORE_PASSWORD</name>
+    <value>changeit</value>
+    <property-type>PASSWORD</property-type>
+    <description></description>
+  </property>             
+
+</configuration>  
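Review bot: `KMS_MASTER_KEY_PASSWD` ships with a fixed default (`Str0ngPassw0rd`) and, unlike every other secret in this file, has no `<property-type>PASSWORD</property-type>`, so Ambari will not treat or mask it as a credential even though, by its name, it protects the KMS master key. Add `<property-type>PASSWORD</property-type>` to it, and prefer an empty default for it and for `db_root_password` (`vagrant`), `db_password`, `REPOSITORY_CONFIG_PASSWORD` and `SSL_KEYSTORE_PASSWORD`, so the installer is forced to set site-specific values instead of inheriting ones published in this repository. All descriptions are empty; at minimum the master key password should say what it protects, e.g. `Password protecting the Ranger KMS master key; set a unique value per cluster before first start.`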

+ 129 - 0
ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/configuration/kms-site.xml

@@ -0,0 +1,129 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<configuration>
+
+  <property>
+    <name>hadoop.kms.key.provider.uri</name>
+    <value>dbks://http@localhost:9292/kms</value>
+    <description>URI of the backing KeyProvider for the KMS.</description>
+  </property>
+
+  <property>
+    <name>hadoop.security.keystore.JavaKeyStoreProvider.password</name>
+    <value>none</value>
+    <description>If using the JavaKeyStoreProvider, the password for the keystore file.</description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.cache.enable</name>
+    <value>true</value>
+    <description>Whether the KMS will act as a cache for the backing KeyProvider. When the cache is enabled, operations like getKeyVersion, getMetadata, and getCurrentKey will sometimes return cached data without consulting the backing KeyProvider. Cached values are flushed when keys are deleted or modified.
+    </description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.cache.timeout.ms</name>
+    <value>600000</value>
+    <description>Expiry time for the KMS key version and key metadata cache, in milliseconds. This affects getKeyVersion and getMetadata.
+    </description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.current.key.cache.timeout.ms</name>
+    <value>30000</value>
+    <description>Expiry time for the KMS current key cache, in milliseconds. This affects getCurrentKey operations.</description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.audit.aggregation.window.ms</name>
+    <value>10000</value>
+    <description>Duplicate audit log events within the aggregation window (specified in ms) are quashed to reduce log traffic. A single message for aggregated events is printed at the end of the window, along with a count of the number of aggregated events.</description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.authentication.type</name>
+    <value>simple</value>
+    <description>Authentication type for the KMS. Can be either &quot;simple&quot; or &quot;kerberos&quot;.
+    </description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.authentication.kerberos.keytab</name>
+    <value>${user.home}/kms.keytab</value>
+    <description>Path to the keytab with credentials for the configured Kerberos principal.</description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.authentication.kerberos.principal</name>
+    <value>HTTP/localhost</value>
+    <description>The Kerberos principal to use for the HTTP endpoint. The principal must start with 'HTTP/' as per the Kerberos HTTP SPNEGO specification.</description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.authentication.kerberos.name.rules</name>
+    <value>DEFAULT</value>
+    <description>Rules used to resolve Kerberos principal names.</description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.authentication.signer.secret.provider</name>
+    <value>random</value>
+    <description>Indicates how the secret to sign the authentication cookies will be stored. Options are 'random' (default), 'string' and 'zookeeper'. If using a setup with multiple KMS instances, 'zookeeper' should be used.
+    </description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.authentication.signer.secret.provider.zookeeper.path</name>
+    <value>/hadoop-kms/hadoop-auth-signature-secret</value>
+    <description>The Zookeeper ZNode path where the KMS instances will store and retrieve the secret from.</description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.authentication.signer.secret.provider.zookeeper.connection.string</name>
+    <value>#HOSTNAME#:#PORT#,...</value>
+    <description>The Zookeeper connection string, a list of hostnames and port comma separated.</description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.authentication.signer.secret.provider.zookeeper.auth.type</name>
+    <value>kerberos</value>
+    <description>The Zookeeper authentication type, 'none' or 'sasl' (Kerberos).</description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.keytab</name>
+    <value>/etc/hadoop/conf/kms.keytab</value>
+    <description>The absolute path for the Kerberos keytab with the credentials to connect to Zookeeper.</description>
+  </property>
+
+  <property>
+    <name>hadoop.kms.authentication.signer.secret.provider.zookeeper.kerberos.principal</name>
+    <value>kms/#HOSTNAME#</value>
+    <description>The Kerberos service principal used to connect to Zookeeper.</description>
+  </property>
+  
+  <property>
+    <name>hadoop.kms.security.authorization.manager</name>
+    <value>org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizer</value>
+    <description></description>
+  </property>
+
+</configuration>
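Review bot: `hadoop.kms.authentication.type` defaults to `simple`, and its description does not tell the operator that, as elsewhere in Hadoop, simple authentication takes the caller's identity from the request without verifying it — for a key server that means any client that can reach the port can act as any user, and combined with the all-`*` ACLs in kms-acls.xml it is an insecure default for a production cluster. Suggest extending the description: `'simple' accepts the user name supplied by the client without verification and should only be used on a fully trusted network; use 'kerberos' for any cluster holding real encryption zone keys.` The `hadoop.kms.security.authorization.manager` property at the end of the hunk also has an empty description; something like `Authorization manager class; RangerKmsAuthorizer evaluates KMS key operations against Ranger policies for the repository named in kms-properties` would help, with a note on whether kms-acls.xml still applies when it is set, which I cannot tell from here.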

+ 80 - 0
ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/metainfo.xml

@@ -0,0 +1,80 @@
+<?xml version="1.0"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<metainfo>
+  <schemaVersion>2.0</schemaVersion>
+  <services>
+    <service>
+      <name>RANGER_KMS</name>
+      <displayName>Ranger KMS</displayName>
+      <comment>Key Management Server</comment>
+      <version>0.5.0.2.3</version>
+      <components>
+          
+        <component>
+          <name>RANGER_KMS_SERVER</name>
+          <displayName>Ranger KMS Server</displayName>
+          <category>MASTER</category>
+          <cardinality>1+</cardinality>
+          <versionAdvertised>true</versionAdvertised>
+          <commandScript>
+            <script>scripts/kms_server.py</script>
+            <scriptType>PYTHON</scriptType>
+            <timeout>600</timeout>
+          </commandScript>
+        </component>
+
+      </components>              
+
+      <osSpecifics>
+        <osSpecific>
+          <osFamily>redhat7,redhat6,suse11</osFamily>
+          <packages>
+            <package>
+              <name>ranger_2_3_*-kms</name>                                
+            </package>                           
+          </packages>                        
+        </osSpecific>
+        <osSpecific>
+          <osFamily>debian7,ubuntu12,ubuntu14</osFamily>
+          <packages>
+            <package>
+              <name>ranger-2-3-.*-kms</name>                                
+            </package>                           
+          </packages>                        
+        </osSpecific>
+      </osSpecifics>
+
+      <configuration-dependencies>
+        <config-type>kms-properties</config-type>                
+        <config-type>kms-acls</config-type>
+        <config-type>kms-site</config-type>
+        <config-type>kms-log4j</config-type>        
+      </configuration-dependencies>
+
+      <commandScript>
+        <script>scripts/service_check.py</script>
+        <scriptType>PYTHON</scriptType>
+        <timeout>300</timeout>        
+      </commandScript>
+
+    </service>
+  </services>
+</metainfo>
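Review bot: `configuration-dependencies` lists kms-properties, kms-acls, kms-site and kms-log4j but not kms-env, although this commit's alerts.json reads `{{kms-env/kms_port}}` and kms.py sets file ownership from `params.kms_user`/`params.kms_group`, which are presumably sourced from kms-env; add `<config-type>kms-env</config-type>` so a change to the port or service user marks the component as needing restart. Also, the component cardinality is `1+` while kms-site.xml ships `hadoop.kms.authentication.signer.secret.provider=random`, which that property's own description says is wrong for multiple KMS instances; either document that a second instance requires the zookeeper provider or restrict cardinality to `1` for now.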

+ 255 - 0
ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py

@@ -0,0 +1,255 @@
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+
+import sys
+import fileinput
+import os
+import json
+import urllib2, base64, httplib
+from StringIO import StringIO as BytesIO
+from resource_management.core.resources.system import File, Directory, Execute
+from resource_management.libraries.resources.xml_config import XmlConfig
+from resource_management.core.source import DownloadSource
+from resource_management.core.exceptions import Fail
+from resource_management.core.logger import Logger
+from resource_management.libraries.functions.format import format
+from resource_management.core.shell import as_sudo
+from resource_management.libraries.functions.ranger_functions import Rangeradmin
+
+def kms():
+  import params
+
+  if params.has_ranger_admin:
+
+    File(params.downloaded_custom_connector,
+      content = DownloadSource(params.driver_curl_source)
+    )
+
+    Directory(params.java_share_dir,
+      mode=0755
+    )
+
+    if not os.path.isfile(params.driver_curl_target):
+      Execute(('cp', '--remove-destination', params.downloaded_custom_connector, params.driver_curl_target),
+              path=["/bin", "/usr/bin/"],
+              sudo=True)
+
+    XmlConfig("kms-acls.xml",
+      conf_dir=params.kms_config_dir,
+      configurations=params.config['configurations']['kms-acls'],
+      configuration_attributes=params.config['configuration_attributes']['kms-acls'],
+      owner=params.kms_user,
+      group=params.kms_group
+    )
+
+    XmlConfig("kms-site.xml",
+      conf_dir=params.kms_config_dir,
+      configurations=params.config['configurations']['kms-site'],
+      configuration_attributes=params.config['configuration_attributes']['kms-site'],
+      owner=params.kms_user,
+      group=params.kms_group
+    )
+
+    File(os.path.join(params.kms_config_dir, "kms-log4j.properties"),
+      owner=params.kms_user,
+      group=params.kms_group,
+      content=params.kms_log4j
+    )
+
+    repo_data = kms_repo_properties()
+
+    ranger_adm_obj = Rangeradmin(url=params.policymgr_mgr_url)
+    response_code, response_recieved = ranger_adm_obj.check_ranger_login_urllib2(params.policymgr_mgr_url + '/login.jsp', 'test:test')
+    if response_code is not None and response_code == 200:
+      ambari_ranger_admin, ambari_ranger_password = ranger_adm_obj.create_ambari_admin_user(params.ambari_ranger_admin, params.ambari_ranger_password, params.admin_uname_password)
+      ambari_username_password_for_ranger = ambari_ranger_admin + ':' + ambari_ranger_password
+    else:
+      raise Fail('Ranger service is not started on given host')      
+
+    if ambari_ranger_admin != '' and ambari_ranger_password != '':  
+      get_repo_flag = get_repo(params.policymgr_mgr_url, params.repo_name, ambari_username_password_for_ranger)
+      if not get_repo_flag:
+        create_repo(params.policymgr_mgr_url, repo_data, ambari_username_password_for_ranger)
+    else:
+      raise Fail('Ambari admin username and password not available')
+
+    file_path = format('{kms_home}/install.properties')
+    ranger_kms_dict = ranger_kms_properties()
+    write_properties_to_file(file_path, ranger_kms_dict)
+
+    env_dict = {'JAVA_HOME': params.java_home, 'RANGER_HOME': params.kms_home}
+    setup_sh = format("cd {kms_home} && ") + as_sudo([format('{kms_home}/setup.sh')])
+    Execute(setup_sh, environment=env_dict, logoutput=True)
+  
+
+def write_properties_to_file(file_path, value):
+  for key in value:
+    modify_config(file_path, key, value[key])
+
+def modify_config(filepath, variable, setting):
+  var_found = False
+  already_set = False
+  V=str(variable)
+  S=str(setting)
+  # use quotes if setting has spaces #
+  if ' ' in S:
+    S = '%s' % S
+
+  for line in fileinput.input(filepath, inplace = 1):
+    # process lines that look like config settings #
+    if not line.lstrip(' ').startswith('#') and '=' in line:
+      _infile_var = str(line.split('=')[0].rstrip(' '))
+      _infile_set = str(line.split('=')[1].lstrip(' ').rstrip())
+      # only change the first matching occurrence #
+      if var_found == False and _infile_var.rstrip(' ') == V:
+        var_found = True
+        # don't change it if it is already set #
+        if _infile_set.lstrip(' ') == S:
+          already_set = True
+        else:
+          line = "%s=%s\n" % (V, S)
+
+    sys.stdout.write(line)
+
+  # Append the variable if it wasn't found #
+  if not var_found:
+    with open(filepath, "a") as f:
+      f.write("%s=%s\n" % (V, S))
+  elif already_set == True:
+    pass
+  else:
+    pass
+
+  return
+
+def ranger_kms_properties():
+  import params
+
+  ranger_kms_properties = dict()
+
+  ranger_kms_properties['DB_FLAVOR'] = params.db_flavor
+  ranger_kms_properties['SQL_COMMAND_INVOKER'] = params.sql_command_invoker
+  ranger_kms_properties['SQL_CONNECTOR_JAR'] = params.sql_connector_jar
+  ranger_kms_properties['db_root_user'] = params.db_root_user
+  ranger_kms_properties['db_root_password'] = params.db_root_password
+  ranger_kms_properties['db_host'] = params.db_host
+  ranger_kms_properties['db_name'] = params.db_name
+  ranger_kms_properties['db_user'] = params.db_user
+  ranger_kms_properties['db_password'] = params.db_password
+  ranger_kms_properties['KMS_MASTER_KEY_PASSWD'] = params.kms_master_key_password
+
+  ranger_kms_properties['POLICY_MGR_URL'] = params.policymgr_mgr_url
+  ranger_kms_properties['REPOSITORY_NAME'] = params.repo_name
+
+  ranger_kms_properties['XAAUDIT.DB.IS_ENABLED'] = str(params.db_enabled).lower()
+  ranger_kms_properties['XAAUDIT.DB.FLAVOUR'] = params.xa_audit_db_flavor
+  ranger_kms_properties['XAAUDIT.DB.DATABASE_NAME'] = params.xa_audit_db_name
+  ranger_kms_properties['XAAUDIT.DB.USER_NAME'] = params.xa_audit_db_user
+  ranger_kms_properties['XAAUDIT.DB.PASSWORD'] = params.xa_audit_db_password
+  ranger_kms_properties['XAAUDIT.DB.HOSTNAME'] = params.xa_db_host
+
+  ranger_kms_properties['XAAUDIT.SOLR.IS_ENABLED'] = str(params.solr_enabled).lower()
+  ranger_kms_properties['XAAUDIT.SOLR.MAX_QUEUE_SIZE'] = params.solr_max_queue_size
+  ranger_kms_properties['XAAUDIT.SOLR.MAX_FLUSH_INTERVAL_MS'] = params.solr_max_flush_interval
+  ranger_kms_properties['XAAUDIT.SOLR.SOLR_URL'] = params.solr_url
+
+  ranger_kms_properties['XAAUDIT.HDFS.IS_ENABLED'] = str(params.hdfs_enabled).lower()
+  ranger_kms_properties['XAAUDIT.HDFS.DESTINATION_DIRECTORY'] = params.hdfs_dest_dir
+  ranger_kms_properties['XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY'] = params.hdfs_buffer_dir
+  ranger_kms_properties['XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY'] = params.hdfs_archive_dir
+  ranger_kms_properties['XAAUDIT.HDFS.DESTINTATION_FILE'] = params.hdfs_dest_file
+  ranger_kms_properties['XAAUDIT.HDFS.DESTINTATION_FLUSH_INTERVAL_SECONDS'] = params.hdfs_dest_flush_int_sec
+  ranger_kms_properties['XAAUDIT.HDFS.DESTINTATION_ROLLOVER_INTERVAL_SECONDS'] = params.hdfs_dest_rollover_int_sec
+  ranger_kms_properties['XAAUDIT.HDFS.DESTINTATION_OPEN_RETRY_INTERVAL_SECONDS'] = params.hdfs_dest_open_retry_int_sec
+  ranger_kms_properties['XAAUDIT.HDFS.LOCAL_BUFFER_FILE'] = params.hdfs_buffer_file
+  ranger_kms_properties['XAAUDIT.HDFS.LOCAL_BUFFER_FLUSH_INTERVAL_SECONDS'] = params.hdfs_buffer_flush_int_sec
+  ranger_kms_properties['XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS'] = params.hdfs_buffer_rollover_int_sec
+  ranger_kms_properties['XAAUDIT.HDFS.LOCAL_ARCHIVE_MAX_FILE_COUNT'] = params.hdfs_archive_max_file_count
+
+  ranger_kms_properties['SSL_KEYSTORE_FILE_PATH'] = params.ssl_keystore_file
+  ranger_kms_properties['SSL_KEYSTORE_PASSWORD'] = params.ssl_keystore_password
+  ranger_kms_properties['SSL_TRUSTSTORE_FILE_PATH'] = params.ssl_truststore_file
+  ranger_kms_properties['SSL_TRUSTSTORE_PASSWORD'] = params.ssl_truststore_password
+
+  return ranger_kms_properties
+
+def kms_repo_properties():
+  import params
+
+  config_dict = dict()
+  config_dict['username'] = 'kms'
+  config_dict['password'] = 'kms'
+  config_dict['provider'] = 'http://' + params.kms_host_name + ':9292/kms'
+  
+  repo= dict()
+  repo['isEnabled'] = "true"
+  repo['configs'] = config_dict
+  repo['description'] = "kms repo"
+  repo['name'] = params.repo_name
+  repo['type'] = "kms"
+
+  data = json.dumps(repo)
+
+  return data
+
+def create_repo(url, data, usernamepassword):
+  try:
+    base_url = url + '/service/public/v2/api/service'
+    base64string = base64.encodestring('{0}'.format(usernamepassword)).replace('\n', '')
+    headers = {
+      'Accept': 'application/json',
+      "Content-Type": "application/json"
+    }
+    request = urllib2.Request(base_url, data, headers)
+    request.add_header("Authorization", "Basic {0}".format(base64string))
+    result = urllib2.urlopen(request)
+    response_code = result.getcode()
+    response = json.loads(json.JSONEncoder().encode(result.read()))
+    if response_code == 200:
+      Logger.info('Repository created Successfully')
+    else:
+      Logger.info('Repository not created')
+  except urllib2.URLError, e:
+    raise Fail('Repository creation failed, {0}'.format(str(e)))  
+
+def get_repo(url, name, usernamepassword):
+  try:
+    base_url = url + '/service/public/v2/api/service?serviceName=' + name + '&serviceType=kms&isEnabled=true'
+    request = urllib2.Request(base_url)
+    base64string = base64.encodestring(usernamepassword).replace('\n', '')
+    request.add_header("Content-Type", "application/json")
+    request.add_header("Accept", "application/json")
+    request.add_header("Authorization", "Basic {0}".format(base64string))
+    result = urllib2.urlopen(request)
+    response_code = result.getcode()
+    response = json.loads(result.read())
+    if response_code == 200 and len(response) > 0:
+      for repo in response:
+        if repo.get('name') == name and repo.has_key('name'):
+          Logger.info('KMS repository exist')
+          return True
+        else:
+          Logger.info('KMS repository doesnot exist')
+          return False
+    else:
+      Logger.info('KMS repository doesnot exist')
+      return False
+  except urllib2.URLError, e:
+    raise Fail('Get repository failed, {0}'.format(str(e))) 

+ 58 - 0
ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms_server.py

@@ -0,0 +1,58 @@
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+from resource_management.libraries.script import Script
+from resource_management.core.resources.system import Execute
+from resource_management.core.exceptions import ComponentIsNotRunning
+from resource_management.libraries.functions.format import format
+from resource_management.core.logger import Logger
+from resource_management.core import shell
+from kms import kms
+from kms_service import kms_service
+
+class KmsServer(Script):
+
+  def install(self, env):
+    self.install_packages(env)
+    self.configure(env)
+
+  def stop(self, env, rolling_restart=False):
+    import params
+
+    env.set_params(params)
+    kms_service(action = 'stop')
+
+  def start(self, env, rolling_restart=False):
+    import params
+
+    env.set_params(params)
+    self.configure(env)
+    kms_service(action = 'start')
+
+  def status(self, env):
+    kms_service(action = 'status')
+
+  def configure(self, env):
+    import params
+
+    env.set_params(params)
+    kms()
+
+if __name__ == "__main__":
+  KmsServer().execute()
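Review bot: Five of the eight imports in kms_server.py are unused — `Execute`, `ComponentIsNotRunning`, `format`, `Logger` and `shell` are never referenced in the class; only `Script`, `kms` and `kms_service` are. Dropping the unused ones keeps the module's dependency list honest and avoids the reader assuming process handling happens here rather than in kms_service. `status` is also the only action that neither imports params nor calls `env.set_params`; it works because kms_service imports params itself, but a one-line comment such as `# params are loaded inside kms_service; no env setup needed for status` would stop the next maintainer from "fixing" it into the other shape.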

+ 46 - 0
ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms_service.py

@@ -0,0 +1,46 @@
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+
+from resource_management.core.resources.system import Execute
+from resource_management.core import shell
+from resource_management.libraries.functions.format import format
+from resource_management.core.exceptions import ComponentIsNotRunning
+from resource_management.core.logger import Logger
+
+def kms_service(action='start'):
+  import params
+
+  if action == 'start':
+    no_op_test = format('ps -ef | grep proc_rangerkms | grep -v grep')
+    cmd = format('{kms_home}/ranger-kms-services.sh start')
+    Execute(cmd, not_if=no_op_test)
+  elif action == 'stop':
+    ps_cmd = "ps -ef | grep proc_rangerkms | grep -v grep | awk '{print $2}'"
+    return_code, output = shell.call(ps_cmd, timeout=20)
+    pid = output.strip()
+    cmd = format('kill -9 {pid}')
+    Execute(cmd)
+  elif action == 'status':
+    cmd = 'ps -ef | grep proc_rangerkms | grep -v grep'
+    code, output = shell.call(cmd, timeout=20)
+    if code != 0:
+      Logger.debug('KMS process not running')
+      raise ComponentIsNotRunning()
+    pass
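Review bot: The stop branch interpolates the raw `ps | awk` output into `kill -9 {pid}`, so when no KMS process is running `pid` is an empty string and the command fails with a usage error (Execute raises instead of stop being a no-op), and when more than one process matches, the newline inside the formatted string makes the shell run the second pid as a separate command. Splitting the output, returning early when it is empty and passing all pids as one argument list fixes both. `-9` also skips any shutdown hook of the KMS JVM; ranger-kms-services.sh is only invoked with `start` here, so I cannot confirm it has a `stop` subcommand, but if it does that is the better first step, with SIGKILL as a fallback. The trailing `pass` after the status branch is dead code and can go.
```python
  elif action == 'stop':
    ps_cmd = "ps -ef | grep proc_rangerkms | grep -v grep | awk '{print $2}'"
    return_code, output = shell.call(ps_cmd, timeout=20)
    pids = output.split()
    if not pids:
      Logger.info('KMS process not running, nothing to stop')
      return
    # pass every matching pid as arguments of one kill; a raw multi-line
    # string would let the shell run the second pid as its own command
    Execute('kill -9 ' + ' '.join(pids))
  # … unchanged: start and status branches …
```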

+ 112 - 0
ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/params.py

@@ -0,0 +1,112 @@
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+from resource_management.libraries.script import Script
+from resource_management.libraries.functions.version import format_hdp_stack_version, compare_versions
+from resource_management.libraries.functions.format import format
+from resource_management.libraries.functions.default import default
+
+config  = Script.get_config()
+tmp_dir = Script.get_tmp_dir()
+
+stack_name = default("/hostLevelParams/stack_name", None)
+version = default("/commandParams/version", None)
+
+stack_version_unformatted = str(config['hostLevelParams']['stack_version'])
+hdp_stack_version = format_hdp_stack_version(stack_version_unformatted)
+
+stack_is_hdp23_or_further = hdp_stack_version != "" and compare_versions(hdp_stack_version, '2.3') >= 0
+
+if stack_is_hdp23_or_further:
+  kms_home = '/usr/hdp/current/ranger-kms'
+  kms_config_dir = '/usr/hdp/current/ranger-kms/ews/webapp/config'
+  
+
+java_home = config['hostLevelParams']['java_home']
+kms_user  = default("/configurations/kms-env/kms_user", "kms")
+kms_group = default("/configurations/kms-env/kms_group", "kms")
+
+jdk_location = config['hostLevelParams']['jdk_location']
+kms_log4j = config['configurations']['kms-log4j']['content']
+
+# ranger host
+ranger_admin_hosts = default("/clusterHostInfo/ranger_admin_hosts", [])
+has_ranger_admin = len(ranger_admin_hosts) > 0
+
+#kms properties
+db_flavor = default("/configurations/kms-properties/DB_FLAVOR", "MYSQL")
+sql_command_invoker = default("/configurations/kms-properties/SQL_COMMAND_INVOKER", "mysql")
+sql_connector_jar = default("/configurations/kms-properties/SQL_CONNECTOR_JAR", "/usr/share/java/mysql-connector-java.jar")
+db_root_user = default("/configurations/kms-properties/db_root_user", "root")
+db_root_password = unicode(default("/configurations/kms-properties/db_root_password", " "))
+db_host = default("/configurations/kms-properties/db_host", "localhost")
+db_name = default("/configurations/kms-properties/db_name", "ranger")
+db_user = default("/configurations/kms-properties/db_user", "rangeradmin")
+db_password = unicode(default("/configurations/kms-properties/db_password", "rangeradmin"))
+kms_master_key_password = default("/configurations/kms-properties/KMS_MASTER_KEY_PASSWD", "Str0ngPassw0rd")
+policymgr_mgr_url = default("/configurations/kms-properties/POLICY_MGR_URL", "http://localhost:6080")
+repo_name = default("/configurations/kms-properties/REPOSITORY_NAME", "kms_repo")
+xa_audit_db_flavor = default("/configurations/kms-properties/XAAUDIT.DB.FLAVOUR", "MYSQL")
+xa_audit_db_name = default("/configurations/kms-properties/XAAUDIT.DB.DATABASE_NAME", "ranger_audit")
+xa_audit_db_user = default("/configurations/kms-properties/XAAUDIT.DB.USER_NAME", "rangerlogger")
+xa_audit_db_password = default("/configurations/kms-properties/XAAUDIT.DB.PASSWORD", "rangerlogger")
+xa_db_host = default("/configurations/kms-properties/XAAUDIT.DB.HOSTNAME", "localhost")
+db_enabled = default("/configurations/kms-properties/XAAUDIT.DB.IS_ENABLED", "false")
+hdfs_enabled = default("/configurations/kms-properties/XAAUDIT.HDFS.IS_ENABLED", "false")
+hdfs_dest_dir = default("/configurations/kms-properties/XAAUDIT.HDFS.DESTINATION_DIRECTORY", "hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit/app-type/time:yyyyMMdd")
+hdfs_buffer_dir = default("/configurations/kms-properties/XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY", "__REPLACE__LOG_DIR/hadoop/app-type/audit")
+hdfs_archive_dir = default("/configurations/kms-properties/XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY", "__REPLACE__LOG_DIR/hadoop/app-type/audit/archive")
+hdfs_dest_file = default("/configurations/kms-properties/XAAUDIT.HDFS.DESTINTATION_FILE", "hostname-audit.log")
+hdfs_dest_flush_int_sec = default("/configurations/kms-properties/XAAUDIT.HDFS.DESTINTATION_FLUSH_INTERVAL_SECONDS", "900")
+hdfs_dest_rollover_int_sec = default("/configurations/kms-properties/XAAUDIT.HDFS.DESTINTATION_ROLLOVER_INTERVAL_SECONDS", "86400")
+hdfs_dest_open_retry_int_sec = default("/configurations/kms-properties/XAAUDIT.HDFS.DESTINTATION_OPEN_RETRY_INTERVAL_SECONDS", "60")
+hdfs_buffer_file = default("/configurations/kms-properties/XAAUDIT.HDFS.LOCAL_BUFFER_FILE", "time:yyyyMMdd-HHmm.ss.log")
+hdfs_buffer_flush_int_sec = default("/configurations/kms-properties/XAAUDIT.HDFS.LOCAL_BUFFER_FLUSH_INTERVAL_SECONDS", "60")
+hdfs_buffer_rollover_int_sec = default("/configurations/kms-properties/XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS", "600")
+hdfs_archive_max_file_count = default("/configurations/kms-properties/XAAUDIT.HDFS.LOCAL_ARCHIVE_MAX_FILE_COUNT", "10")
+ssl_keystore_file = default("/configurations/kms-properties/SSL_KEYSTORE_FILE_PATH", "/etc/hadoop/conf/ranger-plugin-keystore.jks")
+ssl_keystore_password = default("/configurations/kms-properties/SSL_KEYSTORE_PASSWORD", "myKeyFilePassword")
+ssl_truststore_file = default("/configurations/kms-properties/SSL_TRUSTSTORE_FILE_PATH", "/etc/hadoop/conf/ranger-plugin-truststore.jks")
+ssl_truststore_password = default("/configurations/kms-properties/SSL_TRUSTSTORE_PASSWORD", "changeit")
+solr_enabled = default("/configurations/kms-properties/XAAUDIT.SOLR.IS_ENABLED", "false")
+solr_max_queue_size = default("/configurations/kms-properties/XAAUDIT.SOLR.MAX_QUEUE_SIZE", "1")
+solr_max_flush_interval = default("/configurations/kms-properties/XAAUDIT.SOLR.MAX_FLUSH_INTERVAL_MS", "1000")
+solr_url = default("/configurations/kms-properties/XAAUDIT.SOLR.SOLR_URL", "http://localhost:6083/solr/ranger_audits")
+
+repo_config_username = default("/configurations/kms-properties/REPOSITORY_CONFIG_USERNAME", "kms")
+repo_config_password = default("/configurations/kms-properties/REPOSITORY_CONFIG_PASSWORD", "kms")
+
+kms_host_name = config['clusterHostInfo']['ranger_kms_server_hosts'][0]
+
+admin_uname = default("/configurations/ranger-env/admin_username", "admin")
+admin_password = default("/configurations/ranger-env/admin_password", "admin")
+admin_uname_password = format("{admin_uname}:{admin_password}")
+
+ambari_ranger_admin = default("/configurations/ranger-env/ranger_admin_username", "amb_ranger_admin")
+ambari_ranger_password = default("/configurations/ranger-env/ranger_admin_password", "ambari123")
+
+java_share_dir = '/usr/share/java'
+if db_flavor and db_flavor.lower() == 'mysql':
+  jdbc_symlink_name = "mysql-jdbc-driver.jar"
+  jdbc_jar_name = "mysql-connector-java.jar"
+
+downloaded_custom_connector = format("{tmp_dir}/{jdbc_jar_name}")
+
+driver_curl_source = format("{jdk_location}/{jdbc_symlink_name}")
+driver_curl_target = format("{java_share_dir}/{jdbc_jar_name}")
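Review bot: `jdbc_symlink_name` and `jdbc_jar_name` are bound only inside the `if db_flavor ... == 'mysql'` branch, yet `downloaded_custom_connector`, `driver_curl_source` and `driver_curl_target` read them unconditionally, so any other DB_FLAVOR value (which values are meant to be supported is not visible here) makes importing params raise NameError; the same pattern applies to `kms_home`/`kms_config_dir`, which exist only when `stack_is_hdp23_or_further` is true. Either add an explicit `else:` that fails with a clear message for each conditional, or bind the names before it. Separately, the KMS master key password, `db_password`, `ranger_admin_password` and the keystore/truststore passwords fall back to literal defaults (`Str0ngPassw0rd`, `ambari123`, `changeit`, ...) — a cluster whose config omits those keys silently gets a secret that is documented in source, and for the master key that protects every KMS key a missing value should be an error rather than a default. `repo_config_username`/`repo_config_password` are defined here but, from what is visible of `kms_repo_properties` in kms.py, the repository config still hard-codes `'kms'`/`'kms'`; those params should be the values used.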

+ 41 - 0
ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/service_check.py

@@ -0,0 +1,41 @@
+#!/usr/bin/env python
+"""
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+"""
+
+from resource_management.libraries.script import Script
+from resource_management.core.logger import Logger
+from resource_management.core import shell
+from resource_management.core.exceptions import ComponentIsNotRunning
+
+
+class KmsServiceCheck(Script):
+  def service_check(self, env):
+    import params
+
+    env.set_params(params)
+    cmd = 'ps -ef | grep proc_rangerkms | grep -v grep'
+    code, output = shell.call(cmd, timeout=20)
+    if code == 0:
+      Logger.info('KMS process up and running')
+    else:
+      Logger.debug('KMS process not running')
+      raise ComponentIsNotRunning()
+
+if __name__ == "__main__":
+  KmsServiceCheck().execute()
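Review bot: The service check only greps `ps -ef` for `proc_rangerkms`, which confirms a JVM was launched but not that the KMS endpoint answers; a process that is hung or failed to bind its port passes this check. kms.py registers the provider as `http://<kms_host_name>:9292/kms`, so a request to that URL (an `Execute` of curl with `tries`/`try_sleep`, or urllib2 as kms.py already uses) would make the check meaningful. Raising `ComponentIsNotRunning` from a service check is also unusual; a `Fail` with a message is what surfaces in the UI, and the ps-based check duplicates kms_service's status branch, so if it stays it could simply call `kms_service(action='status')`.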

+ 3 - 1
ambari-server/src/main/resources/stacks/HDP/2.3/role_command_order.json

@@ -3,6 +3,8 @@
   "_comment" : "blockedRole-blockedCommand: [blockerRole1-blockerCommand1, blockerRole2-blockerCommand2, ...]",
   "general_deps" : {
     "_comment" : "dependencies for all cases",
-    "MAHOUT_SERVICE_CHECK-SERVICE_CHECK": ["NODEMANAGER-START", "RESOURCEMANAGER-START"]
+    "MAHOUT_SERVICE_CHECK-SERVICE_CHECK": ["NODEMANAGER-START", "RESOURCEMANAGER-START"],
+    "RANGER_KMS_SERVER-START" : ["RANGER_ADMIN-START"],
+    "RANGER_KMS_SERVICE_CHECK-SERVICE_CHECK" : ["RANGER_KMS_SERVER-START"]
   }
 }

+ 29 - 0
ambari-server/src/main/resources/stacks/HDP/2.3/services/RANGER_KMS/metainfo.xml

@@ -0,0 +1,29 @@
+<?xml version="1.0"?>
+<!--
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+-->
+<metainfo>
+  <schemaVersion>2.0</schemaVersion>
+  <services>
+    <service>
+      <name>RANGER_KMS</name>
+      <extends>common-services/RANGER_KMS/0.5.0.2.3</extends>
+    </service>
+  </services>
+</metainfo>