
AMBARI-12782. Handle file permissions for jceks file in umask 027 (Gautam Borad via alejandro)

Alejandro Fernandez 10 years ago
parent
commit
ba4e1c956e

+ 12 - 10
ambari-common/src/main/python/resource_management/libraries/functions/setup_ranger_plugin_xml.py

@@ -30,7 +30,7 @@ from resource_management.libraries.functions.get_hdp_version import get_hdp_vers
 from resource_management.core.logger import Logger
 from resource_management.core.source import DownloadSource, InlineTemplate
 from resource_management.libraries.functions.ranger_functions_v2 import RangeradminV2
-
+from resource_management.core.utils import PasswordString
 
 def setup_ranger_plugin(component_select_name, service_name,
                         component_downloaded_custom_connector, component_driver_curl_source,
@@ -97,7 +97,8 @@ def setup_ranger_plugin(component_select_name, service_name,
       owner = component_user,
       group = component_group,
       mode=0775,
-      recursive = True
+      recursive = True,
+      cd_access = 'a'
     )
 
     for cache_service in cache_service_list:
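Review bot: `cd_access = 'a'` is added to this resource call without a comment, and it widens access beyond the `mode=0775` directory itself. As far as I know, it adds the execute bit for all users on the directories along the path, not only on the leaf. If umask 027 requires that here, a one-line comment such as `# parents created under umask 027 lack o+x; the component user must be able to traverse them` would record the intent. If only the owner and group need to reach the directory, a narrower setting would be safer. The call starts above the hunk, so the resource type and path are not visible here.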
@@ -168,19 +169,20 @@ def setup_ranger_plugin_keystore(service_name, audit_db_is_enabled, hdp_version,
                                 ssl_truststore_password, ssl_keystore_password, component_user, component_group, java_home):
 
   cred_lib_path = format('/usr/hdp/{hdp_version}/ranger-{service_name}-plugin/install/lib/*')
-  cred_setup_prefix = format('python /usr/hdp/{hdp_version}/ranger-{service_name}-plugin/ranger_credential_helper.py -l "{cred_lib_path}"')
+  cred_setup_prefix = (format('/usr/hdp/{hdp_version}/ranger-{service_name}-plugin/ranger_credential_helper.py'), '-l', cred_lib_path)
 
   if audit_db_is_enabled:
-    cred_setup = format('{cred_setup_prefix} -f {credential_file} -k "auditDBCred" -v {xa_audit_db_password!p} -c 1')
-    Execute(cred_setup, environment={'JAVA_HOME': java_home}, logoutput=True)
+    cred_setup = cred_setup_prefix + ('-f', credential_file, '-k', 'auditDBCred', '-v', PasswordString(xa_audit_db_password), '-c', '1')
+    Execute(cred_setup, environment={'JAVA_HOME': java_home}, logoutput=True, sudo=True)
 
-  cred_setup = format('{cred_setup_prefix} -f {credential_file} -k "sslKeyStore" -v {ssl_keystore_password!p} -c 1')
-  Execute(cred_setup, environment={'JAVA_HOME': java_home}, logoutput=True)
+  cred_setup = cred_setup_prefix + ('-f', credential_file, '-k', 'sslKeyStore', '-v', PasswordString(ssl_keystore_password), '-c', '1')
+  Execute(cred_setup, environment={'JAVA_HOME': java_home}, logoutput=True, sudo=True)
 
-  cred_setup = format('{cred_setup_prefix} -f {credential_file} -k "sslTrustStore" -v {ssl_truststore_password!p} -c 1')
-  Execute(cred_setup, environment={'JAVA_HOME': java_home}, logoutput=True)
+  cred_setup = cred_setup_prefix + ('-f', credential_file, '-k', 'sslTrustStore', '-v', PasswordString(ssl_truststore_password), '-c', '1')
+  Execute(cred_setup, environment={'JAVA_HOME': java_home}, logoutput=True, sudo=True)
 
   File(credential_file,
     owner = component_user,
-    group = component_group
+    group = component_group,
+    mode = 0640
   )
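Review bot: The three credential-helper invocations still pass each secret as the `-v` argument, so while the helper runs the password sits on its command line, where other local users can usually read it from the process list. `PasswordString` appears to mask the value only in Ambari's own logging, and `logoutput=True` also records whatever the helper prints. If the helper cannot take the value from stdin or a file, a comment above the first call, e.g. `# PasswordString hides the value in agent logs only; it is still visible in the helper's argv`, would stop readers assuming more protection than there is. Separately, `mode = 0640` is applied by the `File` resource only after all three `Execute` calls, so a failure in any of them leaves the store with whatever mode the helper created it with. The function body begins above the hunk.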

+ 9 - 5
ambari-server/src/main/resources/common-services/RANGER/0.4.0/package/scripts/setup_ranger_xml.py

@@ -195,12 +195,13 @@ def do_keystore_setup(rolling_upgrade=False):
     )
     File(params.ranger_credential_provider_path,
       owner = params.unix_user,
-      group = params.unix_group
+      group = params.unix_group,
+      mode = 0640
     )
 
   if not is_empty(params.ranger_credential_provider_path) and (params.ranger_audit_source_type).lower() == 'db' and not is_empty(params.ranger_ambari_audit_db_password):
     jceks_path = params.ranger_credential_provider_path
-    cred_setup = cred_setup_prefix + ('-f', jceks_path, '-k', params.ranger_jpa_audit_jdbc_credential_alias, '-v', PasswordString(params.ranger_ambari_db_password), '-c', '1')
+    cred_setup = cred_setup_prefix + ('-f', jceks_path, '-k', params.ranger_jpa_audit_jdbc_credential_alias, '-v', PasswordString(params.ranger_ambari_audit_db_password), '-c', '1')
     Execute(cred_setup, 
             environment={'RANGER_ADMIN_HOME':ranger_home, 'JAVA_HOME': params.java_home}, 
             logoutput=True, 
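Review bot: `mode = 0640` on the credential store leaves it readable by every member of `params.unix_group`. If only `params.unix_user` reads the jceks file, `mode = 0600` would be the least-privilege choice; if group read is needed, a short comment saying which account relies on it would help. The same applies to the other `File(...)` calls this commit touches in `do_keystore_setup` and `setup_usersync`, to the two in `kms.py`, and to `credential_file` in `setup_ranger_plugin_keystore`. The repeated octal literal could also become one named constant so the stores cannot drift apart. `do_keystore_setup` starts above this hunk and the `Execute` call runs past its end.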
@@ -209,7 +210,8 @@ def do_keystore_setup(rolling_upgrade=False):
 
     File(params.ranger_credential_provider_path,
       owner = params.unix_user,
-      group = params.unix_group
+      group = params.unix_group,
+      mode = 0640
     )
 
  
@@ -253,7 +255,8 @@ def setup_usersync():
 
   File(params.ugsync_jceks_path,
        owner = params.unix_user,
-       group = params.unix_group
+       group = params.unix_group,
+       mode = 0640
   )
   
   File([params.usersync_start, params.usersync_stop],
@@ -277,5 +280,6 @@ def setup_usersync():
 
     File(params.ranger_usersync_keystore_file,
         owner = params.unix_user,
-        group = params.unix_group
+        group = params.unix_group,
+        mode = 0640
     )

+ 5 - 2
ambari-server/src/main/resources/common-services/RANGER_KMS/0.5.0.2.3/package/scripts/kms.py

@@ -112,7 +112,8 @@ def do_keystore_setup(cred_provider_path, credential_alias, credential_password)
 
     File(cred_provider_path,
       owner = params.kms_user,
-      group = params.kms_group
+      group = params.kms_group,
+      mode = 0640
     )
 
 def kms():
@@ -291,7 +292,9 @@ def enable_kms_plugin():
 
     File(params.credential_file,
       owner = params.kms_user,
-      group = params.kms_group)
+      group = params.kms_group,
+      mode = 0640
+      )
   
 
 def create_repo(url, data, usernamepassword):