You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by Ankita Sinha <an...@freestoneinfotech.com> on 2016/04/20 13:41:29 UTC
Re: Review Request 44754: Enable kerberos client communication to
ranger admin
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/44754/
-----------------------------------------------------------
(Updated April 20, 2016, 11:41 a.m.)
Review request for ranger, Alok Lal, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
Changes
-------
1. Updated patch with review comments recommendation by Madhan.
2. Added the Tag Download new API for Secure Environment.
Bugs: RANGER-867
https://issues.apache.org/jira/browse/RANGER-867
Repository: ranger
Description
-------
**Problem Statement :**
Currently Ranger admin REST API supports only basic authentication.
In case of Kerberized environments, kerberos based auth should be also supported.
** Proposed solution :**
1. Have added a new Filter which will be called after Knox SSO in filter chain. To add kerberos related confgiration have added Properties related to Kerberos in install.properties and have updated setup.sh script for setting the kerberos related properties to update ranger-admin-site.xml.
Diffs (updated)
-----
agents-common/src/main/java/org/apache/hadoop/security/SecureClientLogin.java ba0c443
agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java bd2b749
agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerConfiguration.java 6cb289f
agents-common/src/main/java/org/apache/ranger/plugin/client/BaseClient.java df69e2a
agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java b7416b4
agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java cf81d1f
agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTUtils.java ad113fe
agents-common/src/main/resources/resourcenamemap.properties d9b4d71
embeddedwebserver/pom.xml 9772075
embeddedwebserver/scripts/ranger-admin-services.sh 92016b6
embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java d49ea61
hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/client/HdfsClient.java bc4f05a
plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java 061f95c
plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSConnectionMgr.java 94eaba4
plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSResourceMgr.java 007b97b
security-admin/scripts/install.properties 4070259
security-admin/scripts/setup.sh 832932c
security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java 3647bb1
security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 2980e51
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 21ed686
security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java 16b00cd
security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java c461e83
security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 96ddf3f
security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java 144a408
security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java b7c1b59
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java c999f86
security-admin/src/main/java/org/apache/ranger/rest/TagREST.java c69ceed
security-admin/src/main/java/org/apache/ranger/rest/TagRESTConstants.java 919f814
security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java daf732e
security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java PRE-CREATION
security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java PRE-CREATION
security-admin/src/main/resources/conf.dist/ranger-admin-site.xml b2ec9de
security-admin/src/main/resources/conf.dist/security-applicationContext.xml 2f711ad
security-admin/src/main/resources/resourcenamemap.properties 201c0fa
security-admin/src/main/webapp/META-INF/applicationContext.xml c1a9387
security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 083c777
src/main/assembly/admin-web.xml ca68ac6
src/main/assembly/usersync.xml b032a1d
storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormClient.java 74170fe
storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormConnectionMgr.java 5d008e7
storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormResourceMgr.java a16fce1
tagsync/conf/templates/installprop2xml.properties a6840b0
tagsync/conf/templates/ranger-tagsync-template.xml bad71bd
tagsync/scripts/install.properties b6665d1
tagsync/scripts/ranger-tagsync-services.sh add42ee
tagsync/scripts/setup.py 59cb5c8
tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSyncConfig.java 9588d66
tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java 2fd5ea1
ugsync/pom.xml 1106e30
ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java f54b24a
ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java 20466ab
unixauthservice/scripts/install.properties f206d0a
unixauthservice/scripts/ranger-usersync-services.sh 9cd5ee2
unixauthservice/scripts/setup.py 8bb3bf0
unixauthservice/scripts/templates/installprop2xml.properties 77b8eac
unixauthservice/scripts/templates/ranger-ugsync-template.xml 2bf5562
Diff: https://reviews.apache.org/r/44754/diff/
Testing
-------
**Testing Done(With patch) :**
1. Tested in Secure Environment with Ranger Admin running with type Kerberos through CURL and UI.
2. Tested in Secure Environment with Ranger Admin running with type Kerberos with different Ranger authorization user roles.
3. Tested in Secure Environment with Ranger Admin running with type Simple through CURL and UI.
4. Tested in Secure Environment with Ranger Admin running with type Simple with different Ranger authorization user roles.
Thanks,
Ankita Sinha
Re: Review Request 44754: Enable kerberos client communication to
ranger admin
Posted by Velmurugan Periasamy <vp...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/44754/#review129858
-----------------------------------------------------------
Ship it!
Ship It!
- Velmurugan Periasamy
On April 20, 2016, 11:41 a.m., Ankita Sinha wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/44754/
> -----------------------------------------------------------
>
> (Updated April 20, 2016, 11:41 a.m.)
>
>
> Review request for ranger, Alok Lal, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-867
> https://issues.apache.org/jira/browse/RANGER-867
>
>
> Repository: ranger
>
>
> Description
> -------
>
> **Problem Statement :**
>
> Currently Ranger admin REST API supports only basic authentication.
> In case of Kerberized environments, kerberos based auth should be also supported.
>
> ** Proposed solution :**
>
> 1. Have added a new Filter which will be called after Knox SSO in filter chain. To add kerberos related confgiration have added Properties related to Kerberos in install.properties and have updated setup.sh script for setting the kerberos related properties to update ranger-admin-site.xml.
>
>
> Diffs
> -----
>
> agents-common/src/main/java/org/apache/hadoop/security/SecureClientLogin.java ba0c443
> agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java bd2b749
> agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerConfiguration.java 6cb289f
> agents-common/src/main/java/org/apache/ranger/plugin/client/BaseClient.java df69e2a
> agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java b7416b4
> agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java cf81d1f
> agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTUtils.java ad113fe
> agents-common/src/main/resources/resourcenamemap.properties d9b4d71
> embeddedwebserver/pom.xml 9772075
> embeddedwebserver/scripts/ranger-admin-services.sh 92016b6
> embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java d49ea61
> hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/client/HdfsClient.java bc4f05a
> plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java 061f95c
> plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSConnectionMgr.java 94eaba4
> plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSResourceMgr.java 007b97b
> security-admin/scripts/install.properties 4070259
> security-admin/scripts/setup.sh 832932c
> security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java 3647bb1
> security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 2980e51
> security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 21ed686
> security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java 16b00cd
> security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java c461e83
> security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 96ddf3f
> security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java 144a408
> security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java b7c1b59
> security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java c999f86
> security-admin/src/main/java/org/apache/ranger/rest/TagREST.java c69ceed
> security-admin/src/main/java/org/apache/ranger/rest/TagRESTConstants.java 919f814
> security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java daf732e
> security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java PRE-CREATION
> security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java PRE-CREATION
> security-admin/src/main/resources/conf.dist/ranger-admin-site.xml b2ec9de
> security-admin/src/main/resources/conf.dist/security-applicationContext.xml 2f711ad
> security-admin/src/main/resources/resourcenamemap.properties 201c0fa
> security-admin/src/main/webapp/META-INF/applicationContext.xml c1a9387
> security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java 083c777
> src/main/assembly/admin-web.xml ca68ac6
> src/main/assembly/usersync.xml b032a1d
> storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormClient.java 74170fe
> storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormConnectionMgr.java 5d008e7
> storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormResourceMgr.java a16fce1
> tagsync/conf/templates/installprop2xml.properties a6840b0
> tagsync/conf/templates/ranger-tagsync-template.xml bad71bd
> tagsync/scripts/install.properties b6665d1
> tagsync/scripts/ranger-tagsync-services.sh add42ee
> tagsync/scripts/setup.py 59cb5c8
> tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSyncConfig.java 9588d66
> tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java 2fd5ea1
> ugsync/pom.xml 1106e30
> ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java f54b24a
> ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java 20466ab
> unixauthservice/scripts/install.properties f206d0a
> unixauthservice/scripts/ranger-usersync-services.sh 9cd5ee2
> unixauthservice/scripts/setup.py 8bb3bf0
> unixauthservice/scripts/templates/installprop2xml.properties 77b8eac
> unixauthservice/scripts/templates/ranger-ugsync-template.xml 2bf5562
>
> Diff: https://reviews.apache.org/r/44754/diff/
>
>
> Testing
> -------
>
> **Testing Done(With patch) :**
>
> 1. Tested in Secure Environment with Ranger Admin running with type Kerberos through CURL and UI.
> 2. Tested in Secure Environment with Ranger Admin running with type Kerberos with different Ranger authorization user roles.
> 3. Tested in Secure Environment with Ranger Admin running with type Simple through CURL and UI.
> 4. Tested in Secure Environment with Ranger Admin running with type Simple with different Ranger authorization user roles.
>
>
> Thanks,
>
> Ankita Sinha
>
>