Posted to dev@ranger.apache.org by bhavik patel <bh...@gmail.com> on 2020/06/15 08:51:29 UTC
Review Request 72591: RANGER-2861 : Support username and keytab to
authenticate ES service to use as an Ranger Audit Store
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72591/
-----------------------------------------------------------
Review request for ranger, Attila Bukor, Ankita Sinha, Bolke de Bruin, Don Bosco Durai, bhavik patel, Colm O hEigeartaigh, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nitin Galave, pengjianhua, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
Bugs: RANGER-2861
https://issues.apache.org/jira/browse/RANGER-2861
Repository: ranger
Description
-------
Currently, Ranger admin supports only Basic Authentication for ES as an Audit Store; it is also required to support username and keytab.
Diffs
-----
agents-audit/src/main/java/org/apache/ranger/audit/destination/ElasticSearchAuditDestination.java bda582a
agents-cred/src/main/java/org/apache/ranger/authorization/credutils/CredentialsProviderUtil.java PRE-CREATION
agents-cred/src/main/java/org/apache/ranger/authorization/credutils/kerberos/AbstractJaasConf.java PRE-CREATION
agents-cred/src/main/java/org/apache/ranger/authorization/credutils/kerberos/KerberosCredentialsProvider.java PRE-CREATION
agents-cred/src/main/java/org/apache/ranger/authorization/credutils/kerberos/KeytabJaasConf.java PRE-CREATION
distro/src/main/assembly/admin-web.xml a632011
embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/ElasticSearchIndexBootStrapper.java 886091e
security-admin/src/main/java/org/apache/ranger/elasticsearch/ElasticSearchMgr.java a060877
Diff: https://reviews.apache.org/r/72591/diff/1/
Testing
-------
After setting the ES username and password (keytab) in install.properties, ranger admin is able to read audit logs from ES; also, ranger plugins are able to write the logs to ES.
Thanks,
bhavik patel
Re: Review Request 72591: RANGER-2861 : Support username and keytab to
authenticate ES service to use as an Ranger Audit Store
Posted by Pradeep Agrawal <pr...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72591/#review221166
-----------------------------------------------------------
Ship It!
- Pradeep Agrawal
Re: Review Request 72591: RANGER-2861 : Support username and keytab to
authenticate ES service to use as an Ranger Audit Store
Posted by Pradeep Agrawal <pr...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72591/#review221167
-----------------------------------------------------------
Ship It!
- Pradeep Agrawal
Re: Review Request 72591: RANGER-2861 : Support username and keytab to
authenticate ES service to use as an Ranger Audit Store
Posted by bhavik patel <bh...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72591/
-----------------------------------------------------------
(Updated July 6, 2020, 5:42 a.m.)
Review request for ranger, Attila Bukor, Ankita Sinha, Bolke de Bruin, Don Bosco Durai, bhavik patel, Colm O hEigeartaigh, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nitin Galave, pengjianhua, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
Bugs: RANGER-2861
https://issues.apache.org/jira/browse/RANGER-2861
Repository: ranger
Description
-------
Currently, Ranger admin supports only Basic Authentication for ES as an Audit Store; it is also required to support username and keytab.
Diffs (updated)
-----
agents-audit/src/main/java/org/apache/ranger/audit/destination/ElasticSearchAuditDestination.java bda582a
agents-cred/src/main/java/org/apache/ranger/authorization/credutils/CredentialsProviderUtil.java PRE-CREATION
agents-cred/src/main/java/org/apache/ranger/authorization/credutils/kerberos/AbstractJaasConf.java PRE-CREATION
agents-cred/src/main/java/org/apache/ranger/authorization/credutils/kerberos/KerberosCredentialsProvider.java PRE-CREATION
agents-cred/src/main/java/org/apache/ranger/authorization/credutils/kerberos/KeytabJaasConf.java PRE-CREATION
distro/src/main/assembly/admin-web.xml a632011
embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/ElasticSearchIndexBootStrapper.java 886091e
security-admin/src/main/java/org/apache/ranger/elasticsearch/ElasticSearchMgr.java a060877
Diff: https://reviews.apache.org/r/72591/diff/2/
Changes: https://reviews.apache.org/r/72591/diff/1-2/
Testing
-------
After setting the ES username and password (keytab) in install.properties, ranger admin is able to read audit logs from ES; also, ranger plugins are able to write the logs to ES.
Thanks,
bhavik patel
Re: Review Request 72591: RANGER-2861 : Support username and keytab to
authenticate ES service to use as an Ranger Audit Store
Posted by bhavik patel <bh...@gmail.com>.
> On June 16, 2020, 5:31 a.m., Pradeep Agrawal wrote:
> > agents-cred/src/main/java/org/apache/ranger/authorization/credutils/CredentialsProviderUtil.java
> > Lines 48 (patched)
> > <https://reviews.apache.org/r/72591/diff/1/?file=2234588#file2234588line48>
> >
> > if any code is referred/copied from somewhere please mention that in RR description
This is the custom Utility class and getKerberosCredentials method I have referred from here: https://docs.oracle.com/javase/6/docs/technotes/guides/security/jgss/lab/part5.html
- bhavik
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72591/#review221009
-----------------------------------------------------------
Re: Review Request 72591: RANGER-2861 : Support username and keytab to
authenticate ES service to use as an Ranger Audit Store
Posted by Pradeep Agrawal <pr...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72591/#review221009
-----------------------------------------------------------
agents-audit/src/main/java/org/apache/ranger/audit/destination/ElasticSearchAuditDestination.java
Line 23 (original), 23 (patched)
<https://reviews.apache.org/r/72591/#comment309777>
Avoid * imports
agents-audit/src/main/java/org/apache/ranger/audit/destination/ElasticSearchAuditDestination.java
Lines 27 (patched)
<https://reviews.apache.org/r/72591/#comment309778>
avoid lang3 StringUtils
agents-audit/src/main/java/org/apache/ranger/audit/destination/ElasticSearchAuditDestination.java
Lines 196 (patched)
<https://reviews.apache.org/r/72591/#comment309783>
not sure it should be e or e.getCause() here. Please confirm
agents-cred/src/main/java/org/apache/ranger/authorization/credutils/CredentialsProviderUtil.java
Lines 30 (patched)
<https://reviews.apache.org/r/72591/#comment309779>
Avoid * imports
agents-cred/src/main/java/org/apache/ranger/authorization/credutils/CredentialsProviderUtil.java
Lines 48 (patched)
<https://reviews.apache.org/r/72591/#comment309784>
if any code is referred/copied from somewhere please mention that in RR description
agents-cred/src/main/java/org/apache/ranger/authorization/credutils/CredentialsProviderUtil.java
Lines 83 (patched)
<https://reviews.apache.org/r/72591/#comment309780>
throw new RuntimeException(e);
agents-cred/src/main/java/org/apache/ranger/authorization/credutils/CredentialsProviderUtil.java
Lines 93 (patched)
<https://reviews.apache.org/r/72591/#comment309781>
surround under condition if logger debug is enabled, same at the other places also in this file
security-admin/src/main/java/org/apache/ranger/elasticsearch/ElasticSearchMgr.java
Lines 22 (patched)
<https://reviews.apache.org/r/72591/#comment309782>
avoid this import
- Pradeep Agrawal