Posted to commits@ranger.apache.org by ab...@apache.org on 2021/11/23 02:07:27 UTC

[ranger] branch master updated: RANGER-3522: Improve Tagsync authentication error reporting

This is an automated email from the ASF dual-hosted git repository.

abhay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 3f82858  RANGER-3522: Improve Tagsync authentication error reporting
3f82858 is described below

commit 3f82858760e01ed186a2b3055c95b9cdd343db4b
Author: Abhay Kulkarni <ab...@apache.org>
AuthorDate: Mon Nov 22 17:44:44 2021 -0800

    RANGER-3522: Improve Tagsync authentication error reporting
---
 .../ranger/tagsync/process/TagSynchronizer.java    | 45 ++++++++++++----------
 1 file changed, 25 insertions(+), 20 deletions(-)

diff --git a/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSynchronizer.java b/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSynchronizer.java
index c723b0f..9800566 100644
--- a/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSynchronizer.java
+++ b/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSynchronizer.java
@@ -398,34 +398,39 @@ public class TagSynchronizer {
 				LOG.debug("nameRules=" + nameRules);
 			}
 		}
-		final boolean isKerberized = !StringUtils.isEmpty(authenticationType) && authenticationType.trim().equalsIgnoreCase(AUTH_TYPE_KERBEROS) && SecureClientLogin.isKerberosCredentialExists(principal, keytab);
+		final boolean isKerberized = !StringUtils.isEmpty(authenticationType) && authenticationType.trim().equalsIgnoreCase(AUTH_TYPE_KERBEROS);
 
 		if (isKerberized) {
-			if (LOG.isDebugEnabled()) {
-				LOG.debug("Trying to get kerberos identitiy");
-			}
+			LOG.info("Configured for Kerberos Authentication");
 
-			UserGroupInformation kerberosIdentity;
+			if (SecureClientLogin.isKerberosCredentialExists(principal, keytab)) {
+				LOG.error("Invalid Kerberos principal and/or keytab specified. Failed to initialize Kerberos identity");
+			} else {
+				if (LOG.isDebugEnabled()) {
+					LOG.debug("Trying to get kerberos identity");
+				}
 
-			try {
-				UserGroupInformation.loginUserFromKeytab(principal, keytab);
-				kerberosIdentity = UserGroupInformation.getLoginUser();
-				if (kerberosIdentity != null) {
-					props.put(TagSyncConfig.TAGSYNC_KERBEROS_IDENTITY, kerberosIdentity.getUserName());
-					if (LOG.isDebugEnabled()) {
-						LOG.debug("Got UGI, user:[" + kerberosIdentity.getUserName() + "]");
+				UserGroupInformation kerberosIdentity;
+
+				try {
+					UserGroupInformation.loginUserFromKeytab(principal, keytab);
+					kerberosIdentity = UserGroupInformation.getLoginUser();
+					if (kerberosIdentity != null) {
+						props.put(TagSyncConfig.TAGSYNC_KERBEROS_IDENTITY, kerberosIdentity.getUserName());
+						if (LOG.isDebugEnabled()) {
+							LOG.debug("Got UGI, user:[" + kerberosIdentity.getUserName() + "]");
+						}
+						ret = true;
+					} else {
+						LOG.error("KerberosIdentity is null!");
 					}
-					ret = true;
-				} else {
-					LOG.error("KerberosIdentity is null!");
+				} catch (IOException exception) {
+					LOG.error("Failed to get UGI from principal:[" + principal + "], and keytab:[" + keytab + "]", exception);
 				}
-			} catch (IOException exception) {
-				LOG.error("Failed to get UGI from principal:[" + principal + "], and keytab:[" + keytab + "]", exception);
 			}
 		} else {
-			if (LOG.isDebugEnabled()) {
-				LOG.debug("Not configured for Kerberos Authentication");
-			}
+			LOG.info("Not configured for Kerberos Authentication");
+
 			props.remove(TagSyncConfig.TAGSYNC_KERBEROS_IDENTITY);
 
 			ret = true;
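Review bot: The new check `if (SecureClientLogin.isKerberosCredentialExists(principal, keytab)) {` looks inverted: the removed line required this call to return true before attempting the keytab login, but here a true result logs "Invalid Kerberos principal and/or keytab specified" and the login runs only in the `else` branch. As written, a Kerberos deployment with valid credentials would never reach `UserGroupInformation.loginUserFromKeytab`, while one with missing credentials would attempt it and fail in the `catch`. The condition should be negated: `if (!SecureClientLogin.isKerberosCredentialExists(principal, keytab)) {`. The error branch also leaves any earlier `TagSyncConfig.TAGSYNC_KERBEROS_IDENTITY` value in `props` and presumably relies on `ret` staying false, which is initialised outside this hunk, so that is worth confirming. The enclosing method starts and ends outside the hunk.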