Posted to commits@ranger.apache.org by rm...@apache.org on 2022/08/10 19:11:58 UTC

[ranger] branch master updated: RANGER-3848: Enable auto-renew for kerberos in Java client

This is an automated email from the ASF dual-hosted git repository.

rmani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new a064f8d91 RANGER-3848: Enable auto-renew for kerberos in Java client
a064f8d91 is described below

commit a064f8d91e13dc2566552a208b2d76aea41375a0
Author: Abhishek Kumar <ab...@gmail.com>
AuthorDate: Tue Aug 2 15:56:16 2022 -0700

    RANGER-3848: Enable auto-renew for kerberos in Java client
    
    Signed-off-by: Ramesh Mani <rm...@cloudera.com>
---
 .../org/apache/ranger/audit/provider/MiscUtil.java | 39 ++++++++++++++++++++++
 .../main/java/org/apache/ranger/RangerClient.java  | 24 ++++++-------
 2 files changed, 49 insertions(+), 14 deletions(-)

diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java
index b69e27693..1e5d1d8d8 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java
@@ -786,6 +786,45 @@ public class MiscUtil {
 
 	}
 
+	public static void loginWithKeyTab(String keytab, String principal, String nameRules) {
+		if (logger.isDebugEnabled()) {
+			logger.debug("==> MiscUtil.loginWithKeyTab() keytab= " + keytab + "principal= " + principal + "nameRules= " + nameRules);
+		}
+
+		if (keytab == null || principal == null) {
+			logger.error("Failed to login as keytab or principal is null!");
+			return;
+		}
+
+		String[]             spnegoPrincipals;
+		UserGroupInformation ugi;
+
+		try {
+			if (principal.equals("*")) {
+				spnegoPrincipals = KerberosUtil.getPrincipalNames(keytab, Pattern.compile("HTTP/.*"));
+				if (spnegoPrincipals.length == 0) {
+					logger.error("No principals found in keytab= " + keytab);
+				}
+			} else {
+				spnegoPrincipals = new String[] { principal };
+			}
+
+			if (nameRules != null) {
+				KerberosName.setRules(nameRules);
+			}
+
+			logger.info("Creating UGI from keytab directly. keytab= " + keytab + ", principal= " + spnegoPrincipals[0]);
+			ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(spnegoPrincipals[0], keytab);
+			MiscUtil.setUGILoginUser(ugi, null);
+		} catch (Exception e) {
+			logger.error("Failed to login with given keytab= " + keytab + "principal= " + principal + "nameRules= " + nameRules, e);
+		}
+
+		if (logger.isDebugEnabled()) {
+			logger.debug("<== MiscUtil.loginWithKeyTab()");
+		}
+	}
+
 	static class LogHistory {
 		long lastLogTime = 0;
 		int counter = 0;
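Review bot: When `principal` is `"*"` and the keytab yields no `HTTP/` principals, the code logs "No principals found" but falls through to `spnegoPrincipals[0]`, which throws ArrayIndexOutOfBoundsException on the empty array and is then reported a second time by the generic catch with the misleading "Failed to login" message; add `return;` after the `logger.error("No principals found in keytab= " + keytab);` line. The two trace messages also run their fields together for lack of separators, e.g. `"keytab= " + keytab + ", principal= " + principal + ", nameRules= " + nameRules`. Since every failure path only logs and returns, callers cannot tell whether a login user was installed; a Javadoc line stating that login failures are logged, not thrown, and that callers must check the login user themselves would make that contract explicit (the RangerClient caller in this same commit does not).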
diff --git a/intg/src/main/java/org/apache/ranger/RangerClient.java b/intg/src/main/java/org/apache/ranger/RangerClient.java
index f92116d36..e4e3a57ad 100644
--- a/intg/src/main/java/org/apache/ranger/RangerClient.java
+++ b/intg/src/main/java/org/apache/ranger/RangerClient.java
@@ -19,6 +19,8 @@
 package org.apache.ranger;
 
 import com.sun.jersey.api.client.GenericType;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.ranger.audit.provider.MiscUtil;
 import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -28,14 +30,11 @@ import org.apache.ranger.plugin.model.*;
 import org.apache.ranger.admin.client.datatype.RESTResponse;
 import org.apache.ranger.plugin.util.GrantRevokeRoleRequest;
 import org.apache.ranger.plugin.util.RangerRESTClient;
-import org.apache.hadoop.security.SecureClientLogin;
 
-import javax.security.auth.Subject;
 import java.security.PrivilegedAction;
 import javax.ws.rs.HttpMethod;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
-import java.io.IOException;
 import java.net.URI;
 import java.util.*;
 
@@ -143,19 +142,15 @@ public class RangerClient {
 
 
     private final RangerRESTClient restClient;
-    private boolean isSecureMode = false;
-    private Subject sub = null;
+    private boolean isSecureMode     = false;
+    private UserGroupInformation ugi = null;
 
     private void authInit(String authType, String username, String password) {
         if (AUTH_KERBEROS.equalsIgnoreCase(authType)) {
-            if (SecureClientLogin.isKerberosCredentialExists(username, password)) {
-                isSecureMode = true;
-                try {
-                    sub = SecureClientLogin.loginUserFromKeytab(username, password);
-                } catch (IOException e) {
-                    LOG.error(e.getMessage());
-                }
-            } else LOG.error("Authentication credentials missing/invalid");
+            isSecureMode = true;
+            MiscUtil.loginWithKeyTab(password, username, null);
+            ugi = MiscUtil.getUGILoginUser();
+            LOG.info("RangerClient.authInit() UGI user: " + ugi.getUserName() + " principal: " + username);
         } else {
             restClient.setBasicAuthInfo(username, password);
         }
@@ -464,7 +459,8 @@ public class RangerClient {
         }
 
         if (isSecureMode) {
-            clientResponse = Subject.doAs(sub, (PrivilegedAction<ClientResponse>) () -> {
+            ugi = MiscUtil.getUGILoginUser();
+            clientResponse = ugi.doAs((PrivilegedAction<ClientResponse>) () -> {
                 try {
                     return invokeREST(api,params,request);
                 } catch (RangerServiceException e) {
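Review bot: Re-reading `MiscUtil.getUGILoginUser()` into the `ugi` field on every request makes the field redundant with the static login user and means the value set in `authInit` is never actually used here; either drop the reassignment and rely on the field, or drop the field and use a local. If the goal stated in the commit title is ticket renewal, the `doAs` itself does not refresh credentials; it is worth confirming whether the call site should invoke `ugi.checkTGTAndReloginFromKeytab()` before `ugi.doAs(...)`, as the plain UGI login does not obviously guarantee renewal for a long-lived client. The enclosing method starts outside this hunk.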