RANGER-3658: Docker setup updated to run Ranger containers with range…

…r user identity
apache · Mar 9, 2022 · 63ae590 · 63ae590
1 parent 63704db
commit 63ae590
Show file tree

Hide file tree

Showing 8 changed files with 44 additions and 22 deletions.
diff --git a/dev-support/ranger-docker/Dockerfile.ranger b/dev-support/ranger-docker/Dockerfile.ranger
@@ -36,4 +36,6 @@ RUN tar xvfz /home/ranger/dist/ranger-${RANGER_VERSION}-admin.tar.gz --directory
     mkdir -p /usr/share/java/ && \
     mv /home/ranger/dist/postgresql-42.2.16.jre7.jar /usr/share/java/postgresql.jar
 
+USER ranger
+
 ENTRYPOINT [ "/home/ranger/scripts/ranger.sh" ]
diff --git a/dev-support/ranger-docker/Dockerfile.ranger-tagsync b/dev-support/ranger-docker/Dockerfile.ranger-tagsync
@@ -34,6 +34,15 @@ RUN tar xvfz /home/ranger/dist/ranger-${RANGER_VERSION}-tagsync.tar.gz --directo
     mkdir -p /var/run/ranger && \
     mkdir -p /var/log/ranger/tagsync && \
     ln -s /usr/bin/python3 /usr/bin/python && \
-    chown -R ranger:ranger ${RANGER_HOME}/tagsync/ /var/run/ranger/ /var/log/ranger/
+    mkdir -p /etc/ranger && \
+    touch /etc/init.d/ranger-tagsync && \
+    ln -s /etc/init.d/ranger-tagsync /etc/rc2.d/S99ranger-tagsync && \
+    ln -s /etc/init.d/ranger-tagsync /etc/rc2.d/K00ranger-tagsync && \
+    ln -s /etc/init.d/ranger-tagsync /etc/rc3.d/S99ranger-tagsync && \
+    ln -s /etc/init.d/ranger-tagsync /etc/rc3.d/K00ranger-tagsync && \
+    ln -s ${RANGER_HOME}/tagsync/ranger-tagsync-services.sh /usr/bin/ranger-tagsync-services.sh && \
+    chown -R ranger:ranger ${RANGER_HOME}/tagsync/ /var/run/ranger/ /var/log/ranger/ /etc/ranger /etc/init.d/ranger-tagsync
+
+USER ranger
 
 ENTRYPOINT [ "/home/ranger/scripts/ranger-tagsync.sh" ]
diff --git a/dev-support/ranger-docker/Dockerfile.ranger-usersync b/dev-support/ranger-docker/Dockerfile.ranger-usersync
@@ -31,6 +31,15 @@ RUN tar xvfz /home/ranger/dist/ranger-${RANGER_VERSION}-usersync.tar.gz --direct
     mkdir -p /var/run/ranger && \
     mkdir -p /var/log/ranger/usersync && \
     ln -s /usr/bin/python3 /usr/bin/python && \
-    chown -R ranger:ranger ${RANGER_HOME}/usersync/ /var/run/ranger/ /var/log/ranger/
+    mkdir -p /etc/ranger && \
+    touch /etc/init.d/ranger-usersync && \
+    ln -s /etc/init.d/ranger-usersync /etc/rc2.d/S99ranger-usersync && \
+    ln -s /etc/init.d/ranger-usersync /etc/rc2.d/K00ranger-usersync && \
+    ln -s /etc/init.d/ranger-usersync /etc/rc3.d/S99ranger-usersync && \
+    ln -s /etc/init.d/ranger-usersync /etc/rc3.d/K00ranger-usersync && \
+    ln -s ${RANGER_HOME}/usersync/ranger-usersync-services.sh /usr/bin/ranger-usersync && \
+    chown -R ranger:ranger ${RANGER_HOME}/usersync/ /var/run/ranger/ /var/log/ranger/ /etc/ranger /etc/init.d/ranger-usersync
+
+USER ranger
 
 ENTRYPOINT [ "/home/ranger/scripts/ranger-usersync.sh" ]
diff --git a/dev-support/ranger-docker/scripts/ranger-tagsync.sh b/dev-support/ranger-docker/scripts/ranger-tagsync.sh
@@ -31,7 +31,7 @@ then
   touch ${RANGER_HOME}/.setupDone
 fi
 
-su -c "cd ${RANGER_HOME}/tagsync && ./ranger-tagsync-services.sh start" ranger
+cd ${RANGER_HOME}/tagsync && ./ranger-tagsync-services.sh start
 
 RANGER_TAGSYNC_PID=`ps -ef  | grep -v grep | grep -i "org.apache.ranger.tagsync.process.TagSynchronizer" | awk '{print $2}'`
 

diff --git a/dev-support/ranger-docker/scripts/ranger-usersync.sh b/dev-support/ranger-docker/scripts/ranger-usersync.sh
@@ -31,7 +31,7 @@ then
   touch ${RANGER_HOME}/.setupDone
 fi
 
-su -c "cd ${RANGER_HOME}/usersync && ./start.sh" ranger
+cd ${RANGER_HOME}/usersync && ./start.sh
 
 RANGER_USERSYNC_PID=`ps -ef  | grep -v grep | grep -i "org.apache.ranger.authentication.UnixAuthenticationService" | awk '{print $2}'`
 

diff --git a/dev-support/ranger-docker/scripts/ranger.sh b/dev-support/ranger-docker/scripts/ranger.sh
@@ -26,12 +26,12 @@ fi
 
 if [ "${SETUP_RANGER}" == "true" ]
 then
-  su -c "cd ${RANGER_HOME}/admin && ./setup.sh" ranger
+  cd ${RANGER_HOME}/admin && ./setup.sh
 
   touch ${RANGER_HOME}/.setupDone
 fi
 
-su -c "cd ${RANGER_HOME}/admin && ./ews/ranger-admin-services.sh start" ranger
+cd ${RANGER_HOME}/admin && ./ews/ranger-admin-services.sh start
 
 if [ "${SETUP_RANGER}" == "true" ]
 then

diff --git a/tagsync/scripts/setup.py b/tagsync/scripts/setup.py
@@ -318,16 +318,14 @@ def initializeInitD():
 				for  prefix in initPrefixList:
 					scriptFn = prefix + initdProgramName
 					scriptName = join(rcDir, scriptFn)
-					if isfile(scriptName):
-						os.remove(scriptName)
+					if not (isfile(scriptName) or os.path.islink(scriptName)):
+						os.symlink(initdFn,scriptName)
 					#print "+ ln -sf %s %s" % (initdFn, scriptName)
-					os.symlink(initdFn,scriptName)
 		tagSyncScriptName = "ranger-tagsync-services.sh"
 		localScriptName = os.path.abspath(join(installPropDirName,tagSyncScriptName))
 		ubinScriptName = join("/usr/bin",tagSyncScriptName)
-		if isfile(ubinScriptName) or os.path.islink(ubinScriptName):
-			os.remove(ubinScriptName)
-		os.symlink(localScriptName,ubinScriptName)
+		if not (isfile(ubinScriptName) or os.path.islink(ubinScriptName)):
+			os.symlink(localScriptName,ubinScriptName)
 
 def write_env_files(exp_var_name, log_path, file_name):
         final_path = "{0}/{1}".format(confBaseDirName,file_name)

diff --git a/unixauthservice/scripts/setup.py b/unixauthservice/scripts/setup.py
@@ -343,15 +343,13 @@ def initializeInitD(ownerName):
                 for prefix in initPrefixList:
                     scriptFn = prefix + initdProgramName
                     scriptName = join(rcDir, scriptFn)
-                    if isfile(scriptName) or os.path.islink(scriptName):
-                        os.remove(scriptName)
-                    os.symlink(initdFn, scriptName)
+                    if not (isfile(scriptName) or os.path.islink(scriptName)):
+                        os.symlink(initdFn, scriptName)
         userSyncScriptName = "ranger-usersync-services.sh"
         localScriptName = os.path.abspath(join(RANGER_USERSYNC_HOME, userSyncScriptName))
         ubinScriptName = join("/usr/bin", initdProgramName)
-        if isfile(ubinScriptName) or os.path.islink(ubinScriptName):
-            os.remove(ubinScriptName)
-        os.symlink(localScriptName, ubinScriptName)
+        if not (isfile(ubinScriptName) or os.path.islink(ubinScriptName)):
+            os.symlink(localScriptName, ubinScriptName)
 
 
 def createJavaKeystoreForSSL(fn, passwd):
@@ -575,15 +573,21 @@ def main():
                 os.chmod(fn, 0o750)
 
     if isfile(nativeAuthProgramName):
-        os.chown(nativeAuthProgramName, rootOwnerId, groupId)
-        os.chmod(nativeAuthProgramName, 0o750)
+        try:
+                os.chown(nativeAuthProgramName, rootOwnerId, groupId)
+                os.chmod(nativeAuthProgramName, 0o750)
+        except PermissionError:
+                print("WARNING: chmod(4550), chown(%s:%s) failed for Unix Authentication Program (%s) " % ("root", groupName, nativeAuthProgramName))
     else:
         print("WARNING: Unix Authentication Program (%s) is not available for setting chmod(4550), chown(%s:%s) " % (
         nativeAuthProgramName, "root", groupName))
 
     if isfile(pamAuthProgramName):
-        os.chown(pamAuthProgramName, rootOwnerId, groupId)
-        os.chmod(pamAuthProgramName, 0o750)
+        try:
+                os.chown(pamAuthProgramName, rootOwnerId, groupId)
+                os.chmod(pamAuthProgramName, 0o750)
+        except PermissionError:
+                print("WARNING: chmod(0o750), chown(%s:%s) failed for Unix Authentication Program (%s) " % ("root", groupName, pamAuthProgramName))
     else:
         print("WARNING: Unix Authentication Program (%s) is not available for setting chmod(4550), chown(%s:%s) " % (
         pamAuthProgramName, "root", groupName))