Posted to commits@ranger.apache.org by rm...@apache.org on 2022/08/10 19:11:58 UTC
[ranger] branch master updated: RANGER-3848: Enable auto-renew for kerberos in Java client
This is an automated email from the ASF dual-hosted git repository.
rmani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new a064f8d91 RANGER-3848: Enable auto-renew for kerberos in Java client
a064f8d91 is described below
commit a064f8d91e13dc2566552a208b2d76aea41375a0
Author: Abhishek Kumar <ab...@gmail.com>
AuthorDate: Tue Aug 2 15:56:16 2022 -0700
RANGER-3848: Enable auto-renew for kerberos in Java client
Signed-off-by: Ramesh Mani <rm...@cloudera.com>
---
.../org/apache/ranger/audit/provider/MiscUtil.java | 39 ++++++++++++++++++++++
.../main/java/org/apache/ranger/RangerClient.java | 24 ++++++-------
2 files changed, 49 insertions(+), 14 deletions(-)
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java
index b69e27693..1e5d1d8d8 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java
@@ -786,6 +786,45 @@ public class MiscUtil {
}
+ public static void loginWithKeyTab(String keytab, String principal, String nameRules) {
+ if (logger.isDebugEnabled()) {
+ logger.debug("==> MiscUtil.loginWithKeyTab() keytab= " + keytab + "principal= " + principal + "nameRules= " + nameRules);
+ }
+
+ if (keytab == null || principal == null) {
+ logger.error("Failed to login as keytab or principal is null!");
+ return;
+ }
+
+ String[] spnegoPrincipals;
+ UserGroupInformation ugi;
+
+ try {
+ if (principal.equals("*")) {
+ spnegoPrincipals = KerberosUtil.getPrincipalNames(keytab, Pattern.compile("HTTP/.*"));
+ if (spnegoPrincipals.length == 0) {
+ logger.error("No principals found in keytab= " + keytab);
+ }
+ } else {
+ spnegoPrincipals = new String[] { principal };
+ }
+
+ if (nameRules != null) {
+ KerberosName.setRules(nameRules);
+ }
+
+ logger.info("Creating UGI from keytab directly. keytab= " + keytab + ", principal= " + spnegoPrincipals[0]);
+ ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(spnegoPrincipals[0], keytab);
+ MiscUtil.setUGILoginUser(ugi, null);
+ } catch (Exception e) {
+ logger.error("Failed to login with given keytab= " + keytab + "principal= " + principal + "nameRules= " + nameRules, e);
+ }
+
+ if (logger.isDebugEnabled()) {
+ logger.debug("<== MiscUtil.loginWithKeyTab()");
+ }
+ }
+
static class LogHistory {
long lastLogTime = 0;
int counter = 0;
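Review bot: The empty-keytab branch at `if (spnegoPrincipals.length == 0)` logs an error but falls through to `spnegoPrincipals[0]`, so a keytab with no `HTTP/` principals only stops via an ArrayIndexOutOfBoundsException that the `catch (Exception e)` below swallows; add `return;` after that `logger.error(...)` so the failure path is explicit. Because every failure is logged rather than thrown, callers cannot tell a successful login from a failed one except by checking `MiscUtil.getUGILoginUser()` afterwards, and the method has no Javadoc saying so; a line such as `Failures are logged, not thrown; callers must verify getUGILoginUser() is non-null before use.` would make that contract visible. The debug and error messages concatenate fields without separators (`"keytab= " + keytab + "principal= " + principal`), so the keytab path and principal run together in the log line; insert `", "` between them. `KerberosName.setRules(nameRules)` is also a process-wide setting that affects every UGI in the JVM, which is worth stating in the same Javadoc.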
diff --git a/intg/src/main/java/org/apache/ranger/RangerClient.java b/intg/src/main/java/org/apache/ranger/RangerClient.java
index f92116d36..e4e3a57ad 100644
--- a/intg/src/main/java/org/apache/ranger/RangerClient.java
+++ b/intg/src/main/java/org/apache/ranger/RangerClient.java
@@ -19,6 +19,8 @@
package org.apache.ranger;
import com.sun.jersey.api.client.GenericType;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.ranger.audit.provider.MiscUtil;
import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -28,14 +30,11 @@ import org.apache.ranger.plugin.model.*;
import org.apache.ranger.admin.client.datatype.RESTResponse;
import org.apache.ranger.plugin.util.GrantRevokeRoleRequest;
import org.apache.ranger.plugin.util.RangerRESTClient;
-import org.apache.hadoop.security.SecureClientLogin;
-import javax.security.auth.Subject;
import java.security.PrivilegedAction;
import javax.ws.rs.HttpMethod;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
-import java.io.IOException;
import java.net.URI;
import java.util.*;
@@ -143,19 +142,15 @@ public class RangerClient {
private final RangerRESTClient restClient;
- private boolean isSecureMode = false;
- private Subject sub = null;
+ private boolean isSecureMode = false;
+ private UserGroupInformation ugi = null;
private void authInit(String authType, String username, String password) {
if (AUTH_KERBEROS.equalsIgnoreCase(authType)) {
- if (SecureClientLogin.isKerberosCredentialExists(username, password)) {
- isSecureMode = true;
- try {
- sub = SecureClientLogin.loginUserFromKeytab(username, password);
- } catch (IOException e) {
- LOG.error(e.getMessage());
- }
- } else LOG.error("Authentication credentials missing/invalid");
+ isSecureMode = true;
+ MiscUtil.loginWithKeyTab(password, username, null);
+ ugi = MiscUtil.getUGILoginUser();
+ LOG.info("RangerClient.authInit() UGI user: " + ugi.getUserName() + " principal: " + username);
} else {
restClient.setBasicAuthInfo(username, password);
}
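Review bot: `ugi.getUserName()` on the `LOG.info` line dereferences `ugi` without a null check, yet `MiscUtil.loginWithKeyTab` (in the MiscUtil hunk above) logs and swallows every login failure, so a missing or unreadable keytab now ends in a NullPointerException here instead of the `Authentication credentials missing/invalid` error that the removed `isKerberosCredentialExists` check produced. `isSecureMode = true` is also set before the login is attempted, so a client whose login failed still takes the `ugi.doAs` path in the later hunk (at `ugi = MiscUtil.getUGILoginUser();`), where the same null dereference recurs. Guard the result and fail loudly before the log line: `if (ugi == null) { throw new IllegalStateException("Kerberos login failed for principal " + username + " with keytab " + password); }`, or set `isSecureMode` only once a non-null UGI has been obtained. In this branch `password` holds the keytab path (per the `loginWithKeyTab(password, username, null)` call), so including it in the message does not expose a credential.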
@@ -464,7 +459,8 @@ public class RangerClient {
}
if (isSecureMode) {
- clientResponse = Subject.doAs(sub, (PrivilegedAction<ClientResponse>) () -> {
+ ugi = MiscUtil.getUGILoginUser();
+ clientResponse = ugi.doAs((PrivilegedAction<ClientResponse>) () -> {
try {
return invokeREST(api,params,request);
} catch (RangerServiceException e) {