RANGER-5451: Docker setup update to configure Ranger authorization in Solr (#810)

Author: mneethiraj

.github/workflows/ci.yml

@@ -119,6 +119,7 @@ jobs:
           mv ranger-*-usersync.tar.gz dev-support/ranger-docker/dist
           mv ranger-*-tagsync.tar.gz dev-support/ranger-docker/dist
           mv ranger-*-kms.tar.gz dev-support/ranger-docker/dist
+          mv ranger-*-solr-plugin.tar.gz dev-support/ranger-docker/dist
           mv version dev-support/ranger-docker/dist
           rm -f ranger-*.tar.gz # clean up workspace
 

dev-support/ranger-docker/.dockerignore

@@ -13,5 +13,6 @@
 !dist/ranger-*-knox-plugin.tar.gz
 !dist/ranger-*-trino-plugin.tar.gz
 !dist/ranger-*-ozone-plugin.tar.gz
+!dist/ranger-*-solr-plugin.tar.gz
 !downloads/*
 !scripts/*

dev-support/ranger-docker/.env

@@ -48,7 +48,8 @@ USERSYNC_VERSION=3.0.0-SNAPSHOT
 TAGSYNC_VERSION=3.0.0-SNAPSHOT
 
 # Solr Configuration
-SOLR_VERSION=8.11.2
+SOLR_VERSION=8.11.3
+SOLR_PLUGIN_VERSION=3.0.0-SNAPSHOT
 
 # Zookeeper Configuration
 ZK_VERSION=3.9.2

dev-support/ranger-docker/Dockerfile.ranger-solr

@@ -17,13 +17,15 @@
 ARG SOLR_VERSION
 FROM solr:${SOLR_VERSION}
 
+ARG SOLR_PLUGIN_VERSION
+
 VOLUME /etc/keytabs
 
-# Copy audit config set
 USER 0
 
 RUN apt update && DEBIAN_FRONTEND="noninteractive" apt-get install -y krb5-user
 
+# Copy audit config set
 RUN mkdir -p /opt/solr/server/solr/configsets/ranger_audits/conf /home/ranger/scripts
 
 COPY ./scripts/solr/solr-ranger_audits/* /opt/solr/server/solr/configsets/ranger_audits/conf/
@@ -37,5 +39,18 @@ COPY ./scripts/kdc/krb5.conf             /etc/krb5.conf
 RUN chown -R solr:solr /opt/solr/server/solr/configsets/ranger_audits/
 RUN chmod +x /home/ranger/scripts/ranger-solr.sh /home/ranger/scripts/wait_for_keytab.sh /home/ranger/scripts/wait_for_testusers_keytab.sh
 
+# Copy Ranger plugin
+RUN mkdir -p /opt/ranger /home/ranger/dist /home/ranger/scripts
+
+COPY ./dist/ranger-${SOLR_PLUGIN_VERSION}-solr-plugin.tar.gz /home/ranger/dist/
+COPY ./scripts/solr/core-site.xml                            /home/ranger/scripts/
+COPY ./scripts/solr/ranger-solr-plugin-install.properties    /home/ranger/scripts/
+
+RUN tar xvfz /home/ranger/dist/ranger-${SOLR_PLUGIN_VERSION}-solr-plugin.tar.gz --directory=/opt/ranger && \
+    ln -s /opt/ranger/ranger-${SOLR_PLUGIN_VERSION}-solr-plugin /opt/ranger/ranger-solr-plugin && \
+    rm -f /home/ranger/dist/ranger-${SOLR_PLUGIN_VERSION}-solr-plugin.tar.gz && \
+    cp -f /home/ranger/scripts/ranger-solr-plugin-install.properties /opt/ranger/ranger-solr-plugin/install.properties && \
+    chown -R solr:solr /opt/ranger
+
 ENTRYPOINT [ "/home/ranger/scripts/ranger-solr.sh" ]
 CMD ["solr-foreground"]

dev-support/ranger-docker/docker-compose.ranger.yml

@@ -98,6 +98,7 @@ services:
       dockerfile: Dockerfile.ranger-solr
       args:
         - SOLR_VERSION=${SOLR_VERSION}
+        - SOLR_PLUGIN_VERSION=${SOLR_PLUGIN_VERSION}
         - KERBEROS_ENABLED=${KERBEROS_ENABLED}
     image: ranger-solr
     container_name: ranger-solr

dev-support/ranger-docker/scripts/admin/create-ranger-services.py

@@ -117,7 +117,16 @@ def service_not_exists(service):
                                    'userstore.download.auth.users': 'ozone',
                                    'ranger.plugin.ozone.policy.refresh.synchronous':'true'}})
 
-services = [hdfs, yarn, hive, hbase, kafka, knox, kms, trino, ozone]
+solr = RangerService({'name': 'dev_solr', 'type': 'solr',
+                     'configs': {'username': 'solr', 'password': 'rangerR0cks!',
+                                 'solr.url': 'http://ranger-solr.rangernw:8983',
+                                 'policy.download.auth.users': 'solr',
+                                 'tag.download.auth.users': 'solr',
+                                 'userstore.download.auth.users': 'solr',
+                                 'ranger.plugin.super.users': 'solr',
+                                 'ranger.plugin.solr.policy.refresh.synchronous':'true'}})
+
+services = [hdfs, yarn, hive, hbase, kafka, knox, kms, trino, ozone, solr]
 for service in services:
     try:
         if service_not_exists(service):

dev-support/ranger-docker/scripts/kdc/entrypoint.sh

@@ -99,6 +99,7 @@ function create_keytabs() {
 
   create_principal_and_keytab knox ranger-knox
 
+  create_principal_and_keytab solr ranger-solr
   create_principal_and_keytab HTTP ranger-solr
 
   create_principal_and_keytab zookeeper ranger-zk

dev-support/ranger-docker/scripts/solr/core-site.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+  <property>
+    <name>hadoop.security.authentication</name>
+    <value>kerberos</value>
+  </property>
+</configuration>

dev-support/ranger-docker/scripts/solr/ranger-solr-plugin-install.properties

@@ -0,0 +1,92 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+POLICY_MGR_URL=http://ranger:6080
+REPOSITORY_NAME=dev_solr
+COMPONENT_INSTALL_DIR_NAME=/opt/solr/server
+UGI_INITIALIZE=true
+UGI_LOGIN_TYPE=jaas
+UGI_JAAS_APPCONFIG=Client
+
+XAAUDIT.SOLR.IS_ENABLED=true
+XAAUDIT.SOLR.MAX_QUEUE_SIZE=1
+XAAUDIT.SOLR.MAX_FLUSH_INTERVAL_MS=1000
+XAAUDIT.SOLR.SOLR_URL=http://ranger-solr:8983/solr/ranger_audits
+
+# Following properties are needed to get past installation script! Please don't remove
+XAAUDIT.HDFS.IS_ENABLED=false
+XAAUDIT.HDFS.DESTINATION_DIRECTORY=/ranger/audit
+XAAUDIT.HDFS.DESTINTATION_FILE=solr
+XAAUDIT.HDFS.DESTINTATION_FLUSH_INTERVAL_SECONDS=900
+XAAUDIT.HDFS.DESTINTATION_ROLLOVER_INTERVAL_SECONDS=86400
+XAAUDIT.HDFS.DESTINTATION_OPEN_RETRY_INTERVAL_SECONDS=60
+XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY=/var/log/solr/audit
+XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY=/var/log/solr/audit/archive
+XAAUDIT.HDFS.LOCAL_BUFFER_FILE=%time:yyyyMMdd-HHmm.ss%.log
+XAAUDIT.HDFS.LOCAL_BUFFER_FLUSH_INTERVAL_SECONDS=60
+XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS=600
+XAAUDIT.HDFS.LOCAL_ARCHIVE_MAX_FILE_COUNT=10
+
+XAAUDIT.SOLR.ENABLE=true
+XAAUDIT.SOLR.URL=http://ranger-solr:8983/solr/ranger_audits
+XAAUDIT.SOLR.USER=NONE
+XAAUDIT.SOLR.PASSWORD=NONE
+XAAUDIT.SOLR.ZOOKEEPER=NONE
+XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/solr/audit/solr/spool
+XAAUDIT.SOLR.USE_INMEMORY_JAAS_CFG=true
+
+XAAUDIT.JAAS.CLIENT.LOGIN_MODULE_NAME=com.sun.security.auth.module.Krb5LoginModule
+XAAUDIT.JAAS.CLIENT.LOGIN_MODULE_CONTROL_FLAG=required
+XAAUDIT.JAAS.CLIENT.OPTION.USE_KEY_TAB=true
+XAAUDIT.JAAS.CLIENT.OPTION.STORE_KEY=true
+XAAUDIT.JAAS.CLIENT.OPTION.USE_TICKET_CACHE=true
+XAAUDIT.JAAS.CLIENT.OPTION.SERVICE_NAME=solr
+XAAUDIT.JAAS.CLIENT.OPTION.KEY_TAB=/etc/keytabs/solr.keytab
+XAAUDIT.JAAS.CLIENT.OPTION.PRINCIPAL=solr/ranger-solr.rangernw@EXAMPLE.COM
+
+XAAUDIT.ELASTICSEARCH.ENABLE=false
+XAAUDIT.ELASTICSEARCH.URL=NONE
+XAAUDIT.ELASTICSEARCH.USER=NONE
+XAAUDIT.ELASTICSEARCH.PASSWORD=NONE
+XAAUDIT.ELASTICSEARCH.INDEX=NONE
+XAAUDIT.ELASTICSEARCH.PORT=NONE
+XAAUDIT.ELASTICSEARCH.PROTOCOL=NONE
+
+XAAUDIT.HDFS.ENABLE=true
+XAAUDIT.HDFS.HDFS_DIR=hdfs://ranger-hadoop:9000/ranger/audit
+XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/solr/audit/hdfs/spool
+
+XAAUDIT.HDFS.AZURE_ACCOUNTNAME=__REPLACE_AZURE_ACCOUNT_NAME
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY=__REPLACE_AZURE_ACCOUNT_KEY
+XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER=__REPLACE_AZURE_SHELL_KEY_PROVIDER
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER=__REPLACE_AZURE_ACCOUNT_KEY_PROVIDER
+
+XAAUDIT.LOG4J.ENABLE=false
+XAAUDIT.LOG4J.IS_ASYNC=false
+XAAUDIT.LOG4J.ASYNC.MAX.QUEUE.SIZE=10240
+XAAUDIT.LOG4J.ASYNC.MAX.FLUSH.INTERVAL.MS=30000
+XAAUDIT.LOG4J.DESTINATION.LOG4J=false
+XAAUDIT.LOG4J.DESTINATION.LOG4J.LOGGER=xaaudit
+
+XAAUDIT.AMAZON_CLOUDWATCH.ENABLE=false
+XAAUDIT.AMAZON_CLOUDWATCH.LOG_GROUP=NONE
+XAAUDIT.AMAZON_CLOUDWATCH.LOG_STREAM_PREFIX=NONE
+XAAUDIT.AMAZON_CLOUDWATCH.FILE_SPOOL_DIR=NONE
+XAAUDIT.AMAZON_CLOUDWATCH.REGION=NONE
+
+SSL_KEYSTORE_FILE_PATH=/etc/solr/conf/ranger-plugin-keystore.jks
+SSL_KEYSTORE_PASSWORD=myKeyFilePassword
+SSL_TRUSTSTORE_FILE_PATH=/etc/solr/conf/ranger-plugin-truststore.jks
+SSL_TRUSTSTORE_PASSWORD=changeit

dev-support/ranger-docker/scripts/solr/ranger-solr.sh

@@ -18,19 +18,12 @@
 
 SOLR_INSTALL_DIR=/opt/solr
 
-if [ ! -e ${SOLR_INSTALL_DIR}/.setupDone ]
-then
-  if [ "${KERBEROS_ENABLED}" == "true" ]
-  then
-    ${RANGER_SCRIPTS}/wait_for_keytab.sh HTTP.keytab
-    ${RANGER_SCRIPTS}/wait_for_testusers_keytab.sh
-  fi
-
-  touch "${SOLR_INSTALL_DIR}"/.setupDone
-fi
-
 if [ "${KERBEROS_ENABLED}" == "true" ]
 then
+  /home/ranger/scripts/wait_for_keytab.sh HTTP.keytab
+  /home/ranger/scripts/wait_for_keytab.sh solr.keytab
+  /home/ranger/scripts/wait_for_testusers_keytab.sh
+
   JAAS_CONFIG="-Djava.security.auth.login.config=/opt/solr/server/etc/jaas.conf"
   JAAS_APPNAME="-Dsolr.kerberos.jaas.appname=Client"
   KRB5_CONF="-Djava.security.krb5.conf=/etc/krb5.conf"
@@ -45,4 +38,14 @@ DEFAULT"
   export SOLR_AUTHENTICATION_OPTS="${JAAS_CONFIG} ${JAAS_APPNAME} ${KRB5_CONF} ${KERBEROS_KEYTAB} ${KERBEROS_PRINCIPAL} ${COOKIE_DOMAIN} ${KERBEROS_NAME_RULES}"
 fi
 
+if [ ! -e ${SOLR_INSTALL_DIR}/.setupDone ]
+then
+  cd /opt/ranger/ranger-solr-plugin
+  ./enable-solr-plugin.sh
+
+  cp /home/ranger/scripts/core-site.xml /opt/solr/server/resources/
+
+  touch "${SOLR_INSTALL_DIR}"/.setupDone
+fi
+
 su -p -c "export PATH=${PATH} && /opt/docker-solr/scripts/docker-entrypoint.sh $*" solr