Friday, July 14, 2017

Changing the Retention Period of Ambari Infra (Solr) on HDP 2.5 / Ambari 2.5

NOTE: This won't change any existing documents; only documents created after the reload get the new value.

0) Log in to the Ambari Infra node and become the "infra-solr" user

1) Check the location (path)
/usr/hdp/current/zookeeper-client/bin/zkCli.sh -server ${_ZKHOST}

2) Get the xml file
/usr/lib/ambari-infra-solr/server/scripts/cloud-scripts/zkcli.sh -zkhost ${_ZKHOST} -cmd get /infra-solr/configs/ranger_audits/solrconfig.xml > ./solrconfig.xml

3) Modify ./solrconfig.xml
    <processor class="solr.DefaultValueUpdateProcessorFactory">
        <str name="fieldName">_ttl_</str>
        <str name="value">+90DAYS</str>
    </processor>

4) Upload
# If Kerberos
export SOLR_ZK_CREDS_AND_ACLS=" -Djava.security.auth.login.config=/etc/ambari-infra-solr/conf/infra_solr_jaas.conf"
/usr/lib/ambari-infra-solr/server/scripts/cloud-scripts/zkcli.sh -zkhost ${_ZKHOST} -cmd putfile /infra-solr/configs/ranger_audits/solrconfig.xml ./solrconfig.xml


# or edit zkcli.sh:
PATH=$JAVA_HOME/bin:$PATH $JVM $SOLR_ZK_CREDS_AND_ACLS -Djava.security.auth.login.config=/etc/ambari-infra-solr/conf/infra_solr_jaas.conf -Dlog4j.configuration=$log4j_config \
-classpath "$sdir/../../solr-webapp/webapp/WEB-INF/lib/*:$sdir/../../lib/ext/*" org.apache.solr.cloud.ZkCLI ${1+"$@"}

5) Reload
curl -iL "http://`hostname -f`:8886/solr/admin/cores?action=RELOAD&core=ranger_audits_shard1_replica1"
NOTE: the core name (ranger_audits_shard1_replica1) can be different on your cluster.

TODO: any CLI command?
/usr/lib/ambari-infra-solr-client/solrCloudCli.sh --zookeeper-connect-string ${_ZKHOST} --znode /infra-solr --jaas-file /etc/ambari-infra-solr/conf/infra_solr_jaas.conf

6) Check!
curl -iL "http://`hostname -f`:8886/solr/ranger_audits_shard1_replica1/select?q=*%3A*&sort=_version_+desc&start=1&rows=10&wt=json&indent=true"
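
Step 3 as a checked edit, given here as an added example that is not part of the original post. The helper names get_ttl, set_ttl and write_sample and the sample file are constructed for illustration, and the accepted TTL format is deliberately a narrow subset of Solr date math.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes fieldName and value sit
# on separate lines inside one <processor>, as in the step 3 snippet.

# Print the current _ttl_ default of a solrconfig.xml; fail if there is none.
get_ttl() {
    sed -n '/<str name="fieldName">_ttl_<\/str>/,/<\/processor>/ s/.*<str name="value">\([^<]*\)<\/str>.*/\1/p' "$1" | head -n 1 | grep .
}

# Set the _ttl_ default in file $1 to $2, keeping a backup in $1.bak.
set_ttl() {
    file=$1 new=$2
    # Deliberately narrow: a positive whole offset such as +90DAYS or +6MONTHS.
    printf '%s\n' "$new" | grep -Eq '^\+[1-9][0-9]*(HOURS?|DAYS?|MONTHS?|YEARS?)$' || {
        echo "refusing invalid TTL: $new" >&2; return 2; }
    old=$(get_ttl "$file") || { echo "no _ttl_ processor in $file" >&2; return 3; }
    cp -p "$file" "$file.bak" || return 1
    # Only the value inside the _ttl_ processor is rewritten; $new is safe to
    # splice in because the check above allows only '+', digits and letters.
    sed '/<str name="fieldName">_ttl_<\/str>/,/<\/processor>/ s|\(<str name="value">\)[^<]*\(</str>\)|\1'"$new"'\2|' "$file.bak" > "$file" || return 1
    # Read the value back; restore the backup if the edit did not take.
    [ "$(get_ttl "$file")" = "$new" ] || { cp -p "$file.bak" "$file"; return 4; }
    echo "_ttl_ default: $old -> $new (backup: $file.bak)"
}

# Constructed sample: the page's _ttl_ processor plus an unrelated default.
write_sample() {
    cat > "$1" <<'EOF'
<updateRequestProcessorChain name="constructed-sample">
    <processor class="solr.DefaultValueUpdateProcessorFactory">
        <str name="fieldName">_ttl_</str>
        <str name="value">+90DAYS</str>
    </processor>
    <processor class="solr.DefaultValueUpdateProcessorFactory">
        <str name="fieldName">owner</str>
        <str name="value">unknown</str>
    </processor>
</updateRequestProcessorChain>
EOF
}

# Demo on a throwaway copy of the constructed sample.
demo=$(mktemp) && write_sample "$demo" && set_ttl "$demo" +30DAYS
rm -f "$demo" "$demo.bak"
```

On a real node, set_ttl ./solrconfig.xml +30DAYS would run between steps 2 and 4, leaving ./solrconfig.xml.bak to compare or roll back.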


NOTE: (needs testing, but) to change the default retention period, edit /var/lib/ambari-server/resources/common-services/RANGER/0.7.0/properties/ranger-solrconfig.xml.j2 ? (and/or the agent cache)

Disabling Kerberos authentication (SPNEGO?) for the Web UI of Ambari Infra on HDP 2.5 / Ambari 2.5 and later

SolrCloud is required (it did not work in Standalone mode)

Basically, it is almost the same as the method for Ambari 2.4.x:
https://community.hortonworks.com/articles/108020/how-to-disable-spnego-authentication-for-solr.html

Specifically, instead of setup_solr_kerberos_auth.py, modify /var/lib/ambari-server/resources/common-services/AMBARI_INFRA/0.1.0/package/templates/infra-solr-security.json.j2 and its corresponding cache copy /var/lib/ambari-agent/cache/common-services/AMBARI_INFRA/0.1.0/package/templates/infra-solr-security.json.j2.
Also, remove -DauthenticationPlugin=org.apache.solr.security.KerberosPlugin from the SOLR_AUTHENTICATION_OPTS line of the infra-solr-env template.

Not only Authentication but also Authorization needs to be emptied.

cp -p /var/lib/ambari-server/resources/common-services/AMBARI_INFRA/0.1.0/package/templates/infra-solr-security.json.j2 /var/lib/ambari-server/resources/common-services/AMBARI_INFRA/0.1.0/package/templates/infra-solr-security.json.j2.bak
echo '{}' > /var/lib/ambari-server/resources/common-services/AMBARI_INFRA/0.1.0/package/templates/infra-solr-security.json.j2
echo '{}' > /var/lib/ambari-agent/cache/common-services/AMBARI_INFRA/0.1.0/package/templates/infra-solr-security.json.j2

Supplement:
https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.5/bk_security/content/manually_updating_ambari_solr_audit_settings.html

Verify that the Ranger audit logs are being passed to Solr by opening one of the following URLs in a web browser:
http://{RANGER_HOST_NAME}:6080/index.html#!/reports/audit/bigData
For HDP Search's Solr Instance:
http://{SOLR_HOST}:8983/solr/ranger_audits
For Ambari Infra's Solr Instance:
http://{SOLR_HOST}:8886/solr/ranger_audits

https://cwiki.apache.org/confluence/display/solr/Hadoop+Authentication+Plugin

Supplement 2:
Atlas may fail to start from Ambari
/usr/lib/ambari-agent/lib/resource_management/libraries/functions/solr_cloud_util.py
/usr/lib/ambari-server/lib/resource_management/libraries/functions/solr_cloud_util.py

[root@sandbox ~]# grep -F /solr/admin/authorization /usr/lib/ambari-server/lib/resource_management/libraries/functions/solr_cloud_util.py
    solr_url = format("{solr_protocol}://{solr_host}:{solr_port}/solr/admin/authorization")
    solr_authorization_enabled_cmd=format("{sudo} {solr_user_kinit_cmd} {sudo} curl -k -s --negotiate -u : {solr_protocol}://{solr_host}:{solr_port}/solr/admin/authorization | grep authorization.enabled")