You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by ab...@apache.org on 2021/11/23 02:07:27 UTC
[ranger] branch master updated: RANGER-3522: Improve Tagsync authentication error reporting
This is an automated email from the ASF dual-hosted git repository.
abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 3f82858 RANGER-3522: Improve Tagsync authentication error reporting
3f82858 is described below
commit 3f82858760e01ed186a2b3055c95b9cdd343db4b
Author: Abhay Kulkarni <ab...@apache.org>
AuthorDate: Mon Nov 22 17:44:44 2021 -0800
RANGER-3522: Improve Tagsync authentication error reporting
---
.../ranger/tagsync/process/TagSynchronizer.java | 45 ++++++++++++----------
1 file changed, 25 insertions(+), 20 deletions(-)
diff --git a/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSynchronizer.java b/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSynchronizer.java
index c723b0f..9800566 100644
--- a/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSynchronizer.java
+++ b/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSynchronizer.java
@@ -398,34 +398,39 @@ public class TagSynchronizer {
LOG.debug("nameRules=" + nameRules);
}
}
- final boolean isKerberized = !StringUtils.isEmpty(authenticationType) && authenticationType.trim().equalsIgnoreCase(AUTH_TYPE_KERBEROS) && SecureClientLogin.isKerberosCredentialExists(principal, keytab);
+ final boolean isKerberized = !StringUtils.isEmpty(authenticationType) && authenticationType.trim().equalsIgnoreCase(AUTH_TYPE_KERBEROS);
if (isKerberized) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Trying to get kerberos identitiy");
- }
+ LOG.info("Configured for Kerberos Authentication");
- UserGroupInformation kerberosIdentity;
+ if (SecureClientLogin.isKerberosCredentialExists(principal, keytab)) {
+ LOG.error("Invalid Kerberos principal and/or keytab specified. Failed to initialize Kerberos identity");
+ } else {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Trying to get kerberos identity");
+ }
- try {
- UserGroupInformation.loginUserFromKeytab(principal, keytab);
- kerberosIdentity = UserGroupInformation.getLoginUser();
- if (kerberosIdentity != null) {
- props.put(TagSyncConfig.TAGSYNC_KERBEROS_IDENTITY, kerberosIdentity.getUserName());
- if (LOG.isDebugEnabled()) {
- LOG.debug("Got UGI, user:[" + kerberosIdentity.getUserName() + "]");
+ UserGroupInformation kerberosIdentity;
+
+ try {
+ UserGroupInformation.loginUserFromKeytab(principal, keytab);
+ kerberosIdentity = UserGroupInformation.getLoginUser();
+ if (kerberosIdentity != null) {
+ props.put(TagSyncConfig.TAGSYNC_KERBEROS_IDENTITY, kerberosIdentity.getUserName());
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Got UGI, user:[" + kerberosIdentity.getUserName() + "]");
+ }
+ ret = true;
+ } else {
+ LOG.error("KerberosIdentity is null!");
}
- ret = true;
- } else {
- LOG.error("KerberosIdentity is null!");
+ } catch (IOException exception) {
+ LOG.error("Failed to get UGI from principal:[" + principal + "], and keytab:[" + keytab + "]", exception);
}
- } catch (IOException exception) {
- LOG.error("Failed to get UGI from principal:[" + principal + "], and keytab:[" + keytab + "]", exception);
}
} else {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Not configured for Kerberos Authentication");
- }
+ LOG.info("Not configured for Kerberos Authentication");
+
props.remove(TagSyncConfig.TAGSYNC_KERBEROS_IDENTITY);
ret = true;