RANGER-5386: Docker setup updated to use latest Trino release (apache#719)

Author: mneethiraj

dev-support/ranger-docker/.env

@@ -66,8 +66,7 @@ OZONE_RUNNER_IMAGE=apache/ozone-runner
 OZONE_RUNNER_VERSION=20230615-1
 
 # Trino Configuration
-TRINO_VERSION=435
-TRINO_PLUGIN_VERSION=3.0.0-SNAPSHOT
+TRINO_VERSION=latest
 
 # Debug Configuration
 DEBUG_ADMIN=false

dev-support/ranger-docker/Dockerfile.ranger-trino

@@ -17,58 +17,6 @@
 ARG TRINO_VERSION
 FROM trinodb/trino:${TRINO_VERSION}
 
-# trino base image layer has undergone changes in base os image with time.
-##########################################
-#   Trino Versions  |      OS Layer      #
-#    359 - 369      |     centos 11      #
-#    370 - 389      |       ubi8         #
-#    390 - 391      |    azul openjdk    #
-#       392         |       ubi8         #
-#    393 - 431      |   eclipse-temurin  #
-#    432 - current  |       ubi9         #
-##########################################
-
-USER root
-
-ARG TRINO_VERSION
-ARG TRINO_PLUGIN_VERSION
-ENV PLUGIN_DIR=ranger-${TRINO_PLUGIN_VERSION}-trino-plugin
-
-RUN mkdir -p /home/ranger/dist /home/ranger/scripts /opt/ranger
-
-COPY ./dist/version                                              /home/ranger/dist
-COPY ./dist/ranger-${TRINO_PLUGIN_VERSION}-trino-plugin.tar.gz   /home/ranger/dist
-COPY ./scripts/ranger-trino.sh                                   /home/ranger/scripts
-COPY ./scripts/ranger-trino-setup.sh                             /home/ranger/scripts
-COPY ./scripts/ranger-trino-plugin-install.properties            /home/ranger/scripts
-
-RUN if [ $TRINO_VERSION -ge 370 ] && [ $TRINO_VERSION -lt 390 ] || [ $TRINO_VERSION -eq 392 ]; then\
-        dnf install -y initscripts;\
-        dnf install -y openssh-clients;\
-        dnf install -y openssh-server;\
-        dnf install -y sudo;\
-    elif [ $TRINO_VERSION -ge 432 ]; then\
-        microdnf install -y gzip;\
-        microdnf install -y initscripts;\
-        microdnf install -y openssh-clients;\
-        microdnf install -y openssh-server;\
-        microdnf install -y sudo;\
-    else\
-        apt-get update; DEBIAN_FRONTEND="noninteractive" apt-get -y install ssh sudo;\
-    fi
-
-RUN tar xvfz /home/ranger/dist/${PLUGIN_DIR}.tar.gz --directory=/opt/ranger && \
-    ln -s /opt/ranger/${PLUGIN_DIR} /opt/ranger/ranger-trino-plugin && \
-    rm -f /home/ranger/dist/${PLUGIN_DIR}.tar.gz && \
-    cp -f /home/ranger/scripts/ranger-trino-plugin-install.properties /opt/ranger/ranger-trino-plugin/install.properties && \
-    chown -R trino:trino /home/ranger /opt/ranger && \
-    chown root:root /home/ranger/scripts /home/ranger/scripts/ranger-trino-setup.sh && \
-    chmod 744 /home/ranger/scripts/ranger-trino-setup.sh /home/ranger/scripts/ranger-trino.sh
-
-# enable trino user to execute setup script as root
-RUN echo "trino  ALL=(ALL) NOPASSWD:/home/ranger/scripts/ranger-trino-setup.sh" > /etc/sudoers.d/trino
-
-
 USER trino
 
-ENTRYPOINT ["/home/ranger/scripts/ranger-trino.sh"]
+COPY ./config/trino/*  /etc/trino/

dev-support/ranger-docker/config/trino/access-control.properties

@@ -0,0 +1,4 @@
+access-control.name=ranger
+
+ranger.service.name=dev_trino
+ranger.plugin.config.resource=/etc/trino/ranger-trino-security.xml,/etc/trino/ranger-trino-audit.xml,/etc/trino/ranger-policymgr-ssl.xml

dev-support/ranger-docker/config/trino/catalog/hive.properties

@@ -0,0 +1,4 @@
+connector.name=hive
+hive.metastore.uri=thrift://ranger-hive.rangernw:9083
+fs.hadoop.enabled=true
+hive.config.resources=/etc/trino/core-site.xml

dev-support/ranger-docker/config/trino/ranger-policymgr-ssl.xml

@@ -0,0 +1,49 @@
+<?xml version="1.0"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
+	<!--  The following properties are used for 2-way SSL client server validation -->
+	<property>
+		<name>xasecure.policymgr.clientssl.keystore</name>
+		<value>hadoopdev-clientcert.jks</value>
+		<description> 
+			Java Keystore files 
+		</description>
+	</property>
+	<property>
+		<name>xasecure.policymgr.clientssl.truststore</name>
+		<value>cacerts-xasecure.jks</value>
+		<description> 
+			java truststore file
+		</description>
+	</property>
+    <property>
+		<name>xasecure.policymgr.clientssl.keystore.credential.file</name>
+		<value>jceks://file/tmp/keystore-hadoopdev-ssl.jceks</value>
+		<description> 
+			java  keystore credential file
+		</description>
+	</property>
+	<property>
+		<name>xasecure.policymgr.clientssl.truststore.credential.file</name>
+		<value>jceks://file/tmp/truststore-hadoopdev-ssl.jceks</value>
+		<description> 
+			java  truststore credential file
+		</description>
+	</property>
+</configuration>

dev-support/ranger-docker/config/trino/ranger-trino-audit.xml

@@ -0,0 +1,95 @@
+<?xml version="1.0"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
+    <property>
+        <name>xasecure.audit.is.enabled</name>
+        <value>true</value>
+    </property>
+
+    <!-- Log4j audit provider configuration -->
+    <property>
+        <name>xasecure.audit.destination.log4j</name>
+        <value>false</value>
+    </property>
+
+
+    <!-- Solr audit provider configuration -->
+    <property>
+        <name>xasecure.audit.destination.solr</name>
+        <value>true</value>
+    </property>
+
+    <property>
+        <name>xasecure.audit.destination.solr.urls</name>
+        <value>http://ranger-solr.rangernw:8983/solr/ranger_audits</value>
+    </property>
+
+    <property>
+        <name>xasecure.audit.destination.solr.user</name>
+        <value>NONE</value>
+    </property>
+
+    <property>
+        <name>xasecure.audit.destination.solr.password</name>
+        <value>NONE</value>
+    </property>
+
+    <property>
+        <name>xasecure.audit.destination.solr.batch.filespool.dir</name>
+        <value>/var/log/hive/audit/solr/spool</value>
+    </property>
+
+    <property>
+        <name>xasecure.audit.destination.solr.force.use.inmemory.jaas.config</name>
+        <value>false</value>
+    </property>
+    <property>
+        <name>xasecure.audit.jaas.Client.loginModuleName</name>
+        <value>com.sun.security.auth.module.Krb5LoginModule</value>
+    </property>
+    <property>
+        <name>xasecure.audit.jaas.Client.loginModuleControlFlag</name>
+        <value>required</value>
+    </property>
+    <property>
+        <name>xasecure.audit.jaas.Client.option.useKeyTab</name>
+        <value>true</value>
+    </property>
+    <property>
+        <name>xasecure.audit.jaas.Client.option.storeKey</name>
+        <value>true</value>
+    </property>
+    <property>
+        <name>xasecure.audit.jaas.Client.option.useTicketCache</name>
+        <value>false</value>
+    </property>
+    <property>
+        <name>xasecure.audit.jaas.Client.option.serviceName</name>
+        <value>trino</value>
+    </property>
+    <property>
+        <name>xasecure.audit.jaas.Client.option.keyTab</name>
+        <value>/usr/lib/trino/plugin/ranger/trino.keytab</value>
+    </property>
+    <property>
+        <name>xasecure.audit.jaas.Client.option.principal</name>
+        <value>trino/ranger-trino.rangernw@EXAMPLE.COM</value>
+    </property>
+</configuration>
+

dev-support/ranger-docker/config/trino/ranger-trino-security.xml

@@ -0,0 +1,89 @@
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<configuration>
+  <property>
+    <name>ranger.plugin.trino.service.name</name>
+    <value>dev_trino</value>
+    <description>
+      Name of the Ranger service containing policies for this Trino instance
+    </description>
+  </property>
+
+  <property>
+    <name>ranger.plugin.trino.policy.source.impl</name>
+    <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
+    <description>
+      Class to retrieve policies from the source
+    </description>
+  </property>
+
+  <property>
+    <name>ranger.plugin.trino.policy.rest.url</name>
+    <value>http://ranger:6080</value>
+    <description>
+      URL to Ranger Admin
+    </description>
+  </property>
+
+  <property>
+    <name>ranger.plugin.trino.policy.rest.ssl.config.file</name>
+    <value>/etc/hadoop/conf/ranger-policymgr-ssl.xml</value>
+    <description>
+      Path to the file containing SSL details to contact Ranger Admin
+    </description>
+  </property>
+
+  <property>
+    <name>ranger.plugin.trino.policy.pollIntervalMs</name>
+    <value>30000</value>
+    <description>
+      How often to poll for changes in policies?
+    </description>
+  </property>
+
+  <property>
+    <name>ranger.plugin.trino.policy.rest.client.connection.timeoutMs</name>
+    <value>30000</value>
+    <description>
+      RangerRestClient Connection Timeout in Milli Seconds
+    </description>
+  </property>
+
+  <property>
+    <name>ranger.plugin.trino.policy.rest.client.read.timeoutMs</name>
+    <value>30000</value>
+    <description>
+      RangerRestClient read Timeout in Milli Seconds
+    </description>
+  </property>
+
+  <property>
+    <name>ranger.plugin.trino.policy.cache.dir</name>
+    <value>/tmp</value>
+  </property>
+
+  <property>
+    <name>ranger.plugin.trino.use.rangerGroups</name>
+    <value>true</value>
+  </property>
+
+  <property>
+    <name>ranger.plugin.trino.use.only.rangerGroups</name>
+    <value>true</value>
+  </property>
+</configuration>

dev-support/ranger-docker/docker-compose.ranger-trino.yml

@@ -4,10 +4,9 @@ services:
       context: .
       dockerfile: Dockerfile.ranger-trino
       args:
-        - TRINO_PLUGIN_VERSION=${TRINO_PLUGIN_VERSION}
         - TRINO_VERSION=${TRINO_VERSION}
     image: ranger-trino
-    hostname: ranger-trino
+    hostname: trino
     container_name: ranger-trino
     stdin_open: true
     tty: true
@@ -19,7 +18,6 @@ services:
       ranger:
         condition: service_started
     environment:
-      - TRINO_PLUGIN_VERSION
       - TRINO_VERSION
 
 networks:

dev-support/ranger-docker/scripts/core-site.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0"?>
+<configuration>
+  <property>
+    <name>fs.defaultFS</name>
+    <value>hdfs://ranger-hadoop.rangernw:9000</value>
+  </property>
+</configuration>