Posted to commits@ranger.apache.org by co...@apache.org on 2017/06/06 09:12:18 UTC
ranger git commit: RANGER-1630 - StormClient doesn't decrypt password
Repository: ranger
Updated Branches:
refs/heads/master 208acf8ec -> c7ad5012b
RANGER-1630 - StormClient doesn't decrypt password
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/c7ad5012
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/c7ad5012
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/c7ad5012
Branch: refs/heads/master
Commit: c7ad5012be0c6542eae5eff57f29538a0d4498ad
Parents: 208acf8
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Jun 6 10:11:04 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Jun 6 10:11:04 2017 +0100
----------------------------------------------------------------------
.../services/storm/client/StormClient.java | 145 ++++++++++---------
1 file changed, 75 insertions(+), 70 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/c7ad5012/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormClient.java
----------------------------------------------------------------------
diff --git a/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormClient.java b/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormClient.java
index b72a9a2..46e370e 100644
--- a/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormClient.java
+++ b/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormClient.java
@@ -40,6 +40,7 @@ import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.apache.log4j.Logger;
import org.apache.ranger.plugin.client.BaseClient;
import org.apache.ranger.plugin.client.HadoopException;
+import org.apache.ranger.plugin.util.PasswordUtils;
import org.apache.ranger.services.storm.client.json.model.Topology;
import org.apache.ranger.services.storm.client.json.model.TopologyListResponse;
@@ -50,13 +51,13 @@ import com.sun.jersey.api.client.ClientResponse;
import com.sun.jersey.api.client.WebResource;
public class StormClient {
-
+
private static final Logger LOG = Logger.getLogger(StormClient.class);
private static final String EXPECTED_MIME_TYPE = "application/json";
-
+
private static final String TOPOLOGY_LIST_API_ENDPOINT = "/api/v1/topology/summary";
-
+
private static final String errMessage = " You can still save the repository and start creating "
+ "policies, but you would not be able to use autocomplete for "
+ "resource names. Check ranger_admin.log for more info.";
@@ -69,14 +70,14 @@ public class StormClient {
String nameRules;
public StormClient(String aStormUIUrl, String aUserName, String aPassword, String lookupPrincipal, String lookupKeytab, String nameRules) {
-
+
this.stormUIUrl = aStormUIUrl;
this.userName = aUserName;
this.password = aPassword;
this.lookupPrincipal = lookupPrincipal;
this.lookupKeytab = lookupKeytab;
this.nameRules = nameRules;
-
+
if (LOG.isDebugEnabled()) {
LOG.debug("Storm Client is build with url [" + aStormUIUrl + "] user: [" + aUserName + "], password: [" + "" + "]");
}
@@ -88,7 +89,6 @@ public class StormClient {
if (LOG.isDebugEnabled()) {
LOG.debug("Getting Storm topology list for topologyNameMatching : " + topologyNameMatching);
}
- final String errMsg = errMessage;
PrivilegedAction<ArrayList<String>> topologyListGetter = new PrivilegedAction<ArrayList<String>>() {
@Override
@@ -166,7 +166,7 @@ public class StormClient {
+ EXPECTED_MIME_TYPE + "] URL : " + stormUIUrl + " - got null response.";
LOG.error(msgDesc);
HadoopException hdpException = new HadoopException(msgDesc);
- hdpException.generateResponseDataMap(false, msgDesc, msgDesc + errMsg, null, null);
+ hdpException.generateResponseDataMap(false, msgDesc, msgDesc + errMessage, null, null);
throw hdpException;
}
} catch (HadoopException he) {
@@ -176,7 +176,7 @@ public class StormClient {
HadoopException hdpException = new HadoopException(msgDesc, t);
LOG.error(msgDesc, t);
- hdpException.generateResponseDataMap(false, BaseClient.getMessage(t), msgDesc + errMsg, null, null);
+ hdpException.generateResponseDataMap(false, BaseClient.getMessage(t), msgDesc + errMessage, null, null);
throw hdpException;
} finally {
if (response != null) {
@@ -223,66 +223,9 @@ public class StormClient {
return ret;
}
-
+
public static <T> T executeUnderKerberos(String userName, String password, String lookupPrincipal, String lookupKeytab, String nameRules,
PrivilegedAction<T> action) throws IOException {
-
- final String errMsg = errMessage;
- class MySecureClientLoginConfiguration extends
- javax.security.auth.login.Configuration {
-
- private String userName;
- private String password;
-
- MySecureClientLoginConfiguration(String aUserName,
- String password) {
- this.userName = aUserName;
- this.password = password;
- }
-
- @Override
- public AppConfigurationEntry[] getAppConfigurationEntry(
- String appName) {
-
- Map<String, String> kerberosOptions = new HashMap<String, String>();
- kerberosOptions.put("principal", this.userName);
- kerberosOptions.put("debug", "true");
- kerberosOptions.put("useKeyTab", "false");
- kerberosOptions.put(KrbPasswordSaverLoginModule.USERNAME_PARAM, this.userName);
- kerberosOptions.put(KrbPasswordSaverLoginModule.PASSWORD_PARAM, this.password);
- kerberosOptions.put("doNotPrompt", "false");
- kerberosOptions.put("useFirstPass", "true");
- kerberosOptions.put("tryFirstPass", "false");
- kerberosOptions.put("storeKey", "true");
- kerberosOptions.put("refreshKrb5Config", "true");
-
- AppConfigurationEntry KEYTAB_KERBEROS_LOGIN = null;
- AppConfigurationEntry KERBEROS_PWD_SAVER = null;
- try {
- KEYTAB_KERBEROS_LOGIN = new AppConfigurationEntry(
- KerberosUtil.getKrb5LoginModuleName(),
- AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
- kerberosOptions);
- KERBEROS_PWD_SAVER = new AppConfigurationEntry(KrbPasswordSaverLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, kerberosOptions);
-
- } catch (IllegalArgumentException e) {
- String msgDesc = "executeUnderKerberos: Exception while getting Storm TopologyList.";
- HadoopException hdpException = new HadoopException(msgDesc,
- e);
- LOG.error(msgDesc, e);
-
- hdpException.generateResponseDataMap(false,
- BaseClient.getMessage(e), msgDesc + errMsg, null,
- null);
- throw hdpException;
- }
-
- LOG.debug("getAppConfigurationEntry():" + kerberosOptions.get("principal"));
-
- return new AppConfigurationEntry[] { KERBEROS_PWD_SAVER, KEYTAB_KERBEROS_LOGIN };
- }
-
- };
T ret = null;
@@ -306,7 +249,7 @@ public class StormClient {
LOG.debug("executeUnderKerberos():Creating Context..");
loginContext = new LoginContext("hadoop-keytab-kerberos", subject,
null, loginConf);
-
+
LOG.debug("executeUnderKerberos():Logging in..");
loginContext.login();
LOG.info("Init Login: using username/password");
@@ -322,7 +265,7 @@ public class StormClient {
LOG.error(msgDesc, le);
hdpException.generateResponseDataMap(false,
- BaseClient.getMessage(le), msgDesc + errMsg, null, null);
+ BaseClient.getMessage(le), msgDesc + errMessage, null, null);
throw hdpException;
} catch (SecurityException se) {
String msgDesc = "executeUnderKerberos: Exception while getting Storm TopologyList.";
@@ -330,7 +273,7 @@ public class StormClient {
LOG.error(msgDesc, se);
hdpException.generateResponseDataMap(false,
- BaseClient.getMessage(se), msgDesc + errMsg, null, null);
+ BaseClient.getMessage(se), msgDesc + errMessage, null, null);
throw hdpException;
} finally {
@@ -441,6 +384,68 @@ public class StormClient {
}
return resultList;
}
-
+
+ private static class MySecureClientLoginConfiguration extends javax.security.auth.login.Configuration {
+
+ private String userName;
+ private String password;
+
+ MySecureClientLoginConfiguration(String aUserName, String password) {
+ this.userName = aUserName;
+ String decryptedPwd = null;
+ try {
+ decryptedPwd = PasswordUtils.decryptPassword(password);
+ } catch(Exception ex) {
+ LOG.info("Password decryption failed; trying Storm connection with received password string");
+ decryptedPwd = null;
+ } finally {
+ if (decryptedPwd == null) {
+ decryptedPwd = password;
+ }
+ }
+ this.password = decryptedPwd;
+ }
+
+ @Override
+ public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
+
+ Map<String, String> kerberosOptions = new HashMap<String, String>();
+ kerberosOptions.put("principal", this.userName);
+ kerberosOptions.put("debug", "true");
+ kerberosOptions.put("useKeyTab", "false");
+ kerberosOptions.put(KrbPasswordSaverLoginModule.USERNAME_PARAM, this.userName);
+ kerberosOptions.put(KrbPasswordSaverLoginModule.PASSWORD_PARAM, this.password);
+ kerberosOptions.put("doNotPrompt", "false");
+ kerberosOptions.put("useFirstPass", "true");
+ kerberosOptions.put("tryFirstPass", "false");
+ kerberosOptions.put("storeKey", "true");
+ kerberosOptions.put("refreshKrb5Config", "true");
+
+ AppConfigurationEntry KEYTAB_KERBEROS_LOGIN = null;
+ AppConfigurationEntry KERBEROS_PWD_SAVER = null;
+ try {
+ KEYTAB_KERBEROS_LOGIN = new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(),
+ AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
+ kerberosOptions);
+ KERBEROS_PWD_SAVER = new AppConfigurationEntry(KrbPasswordSaverLoginModule.class.getName(),
+ LoginModuleControlFlag.REQUIRED, kerberosOptions);
+
+ } catch (IllegalArgumentException e) {
+ String msgDesc = "executeUnderKerberos: Exception while getting Storm TopologyList.";
+ HadoopException hdpException = new HadoopException(msgDesc, e);
+ LOG.error(msgDesc, e);
+
+ hdpException.generateResponseDataMap(false,
+ BaseClient.getMessage(e), msgDesc + errMessage, null,
+ null);
+ throw hdpException;
+ }
+
+ LOG.debug("getAppConfigurationEntry():" + kerberosOptions.get("principal"));
+
+ return new AppConfigurationEntry[] { KERBEROS_PWD_SAVER, KEYTAB_KERBEROS_LOGIN };
+ }
+
+ };
}
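Review bot: The decrypt fallback in the `MySecureClientLoginConfiguration` constructor is harder to follow than it needs to be: `decryptedPwd = null;` inside the catch is redundant, and the `finally` block is doing the job of an ordinary fallback rather than cleanup. The same behaviour reads more plainly by dropping the catch assignment and the `finally` and ending the constructor with `this.password = decryptedPwd != null ? decryptedPwd : password;`, and the INFO line could be paired with `LOG.debug("Password decryption failed", ex);` so a mis-encrypted credential can be diagnosed without the value itself ever being logged. A value that fails to decrypt is then forwarded to the KDC as-is; that appears to be the intended plain-text compatibility path, but it deserves a comment such as `// values that fail to decrypt are assumed to be plain-text passwords`. Separately, `kerberosOptions.put("debug", "true")` (carried over from the removed local class) presumably makes the Krb5 login module print verbose authentication details to stdout unconditionally; deriving it from `LOG.isDebugEnabled()` would be safer in production. The `userName` and `password` fields can be `final` now that they are only assigned in the constructor, and the caller `executeUnderKerberos` that instantiates this class lies outside the hunk.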