Posted to commits@ranger.apache.org by ve...@apache.org on 2016/05/23 18:06:39 UTC
[1/2] incubator-ranger git commit: RANGER-990 : Automate setting
Proxy User in Ranger KMS
Repository: incubator-ranger
Updated Branches:
refs/heads/master 0102cdbde -> be7465968
RANGER-990 : Automate setting Proxy User in Ranger KMS
Signed-off-by: Velmurugan Periasamy <ve...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/88d82ae1
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/88d82ae1
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/88d82ae1
Branch: refs/heads/master
Commit: 88d82ae173cc0bd0ba78cc79b6d0b8cf728beabc
Parents: 0102cdb
Author: Ankita Sinha <an...@freestoneinfotech.com>
Authored: Thu May 19 15:20:15 2016 +0530
Committer: Velmurugan Periasamy <ve...@apache.org>
Committed: Mon May 23 14:05:48 2016 -0400
----------------------------------------------------------------------
.../ranger/server/tomcat/EmbeddedServer.java | 80 ++++++++++++--------
kms/config/kms-webapp/kms-site.xml | 6 +-
.../org/apache/hadoop/crypto/key/RangerHSM.java | 43 ++++++-----
.../filter/RangerKRBAuthenticationFilter.java | 2 +
.../filter/RangerSSOAuthenticationFilter.java | 2 +-
5 files changed, 77 insertions(+), 56 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/88d82ae1/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
----------------------------------------------------------------------
diff --git a/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java b/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
index 19e944b..a74f8d1 100644
--- a/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
+++ b/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
@@ -214,40 +214,54 @@ public class EmbeddedServer {
lce.printStackTrace();
}
- String keytab = getConfig(ADMIN_USER_KEYTAB);
-// String principal = getConfig(ADMIN_USER_PRINCIPAL);
- String principal = null;
- try {
- principal = SecureClientLogin.getPrincipal(getConfig(ADMIN_USER_PRINCIPAL), hostName);
- } catch (IOException ignored) {
- // do nothing
- }
- String nameRules = getConfig(ADMIN_NAME_RULES);
- if(getConfig(AUTHENTICATION_TYPE) != null && getConfig(AUTHENTICATION_TYPE).trim().equalsIgnoreCase(AUTH_TYPE_KERBEROS) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)){
- try{
- LOG.info("Provided Kerberos Credential : Principal = "+principal+" and Keytab = "+keytab);
- Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules) ;
- Subject.doAs(sub, new PrivilegedAction<Void>() {
- @Override
- public Void run() {
- try{
- LOG.info("Starting Server using kerberos crendential");
- server.start();
- server.getServer().await();
- shutdownServer();
- }catch (LifecycleException e) {
- LOG.severe("Tomcat Server failed to start:" + e.toString());
- e.printStackTrace();
- }catch (Exception e) {
- LOG.severe("Tomcat Server failed to start:" + e.toString());
- e.printStackTrace();
+ if(getConfig("logdir") != null){
+ String keytab = getConfig(ADMIN_USER_KEYTAB);
+ // String principal = getConfig(ADMIN_USER_PRINCIPAL);
+ String principal = null;
+ try {
+ principal = SecureClientLogin.getPrincipal(getConfig(ADMIN_USER_PRINCIPAL), hostName);
+ } catch (IOException ignored) {
+ // do nothing
+ }
+ String nameRules = getConfig(ADMIN_NAME_RULES);
+ if(getConfig(AUTHENTICATION_TYPE) != null && getConfig(AUTHENTICATION_TYPE).trim().equalsIgnoreCase(AUTH_TYPE_KERBEROS) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)){
+ try{
+ LOG.info("Provided Kerberos Credential : Principal = "+principal+" and Keytab = "+keytab);
+ Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules) ;
+ Subject.doAs(sub, new PrivilegedAction<Void>() {
+ @Override
+ public Void run() {
+ try{
+ LOG.info("Starting Server using kerberos crendential");
+ server.start();
+ server.getServer().await();
+ shutdownServer();
+ }catch (LifecycleException e) {
+ LOG.severe("Tomcat Server failed to start:" + e.toString());
+ e.printStackTrace();
+ }catch (Exception e) {
+ LOG.severe("Tomcat Server failed to start:" + e.toString());
+ e.printStackTrace();
+ }
+ return null;
}
- return null;
- }
- });
- }catch(Exception e){
- LOG.severe("Tomcat Server failed to start:" + e.toString());
- e.printStackTrace();
+ });
+ }catch(Exception e){
+ LOG.severe("Tomcat Server failed to start:" + e.toString());
+ e.printStackTrace();
+ }
+ }else{
+ try{
+ server.start();
+ server.getServer().await();
+ shutdownServer();
+ } catch (LifecycleException e) {
+ LOG.severe("Tomcat Server failed to start:" + e.toString());
+ e.printStackTrace();
+ } catch (Exception e) {
+ LOG.severe("Tomcat Server failed to start:" + e.toString());
+ e.printStackTrace();
+ }
}
}else{
try{
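Review bot: The new outer guard `if(getConfig("logdir") != null)` ties the Kerberos keytab login to a logging setting. A deployment without `logdir` falls into the outer `else`, which presumably starts Tomcat without the `Subject.doAs` login even when the authentication type is Kerberos, and nothing is logged to say so. If `logdir` stands in for "this is Ranger Admin rather than KMS", state that in a comment or a named constant, and make the fallback visible, e.g. `LOG.warning("logdir not set; starting without Kerberos keytab login");`. The new inner `else` has the same silent fallback when `isKerberosCredentialExists` is false, and the swallowed `IOException` from `getPrincipal` leaves `principal` null with no trace. The enclosing method starts and ends outside the hunk.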
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/88d82ae1/kms/config/kms-webapp/kms-site.xml
----------------------------------------------------------------------
diff --git a/kms/config/kms-webapp/kms-site.xml b/kms/config/kms-webapp/kms-site.xml
index a2c4af3..5f2575a 100644
--- a/kms/config/kms-webapp/kms-site.xml
+++ b/kms/config/kms-webapp/kms-site.xml
@@ -176,17 +176,17 @@
</property>
<property>
- <name>hadoop.kms.proxyuser.rangeradmin.groups</name>
+ <name>hadoop.kms.proxyuser.ranger.groups</name>
<value>*</value>
</property>
<property>
- <name>hadoop.kms.proxyuser.rangeradmin.hosts</name>
+ <name>hadoop.kms.proxyuser.ranger.hosts</name>
<value>*</value>
</property>
<property>
- <name>hadoop.kms.proxyuser.rangeradmin.users</name>
+ <name>hadoop.kms.proxyuser.ranger.users</name>
<value>*</value>
</property>
</configuration>
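Review bot: After the rename, the three `hadoop.kms.proxyuser.ranger.*` entries still carry `<value>*</value>`, so whichever principal maps to the short name `ranger` may impersonate any user, in any group, from any host when calling KMS. For a key-management service that is a broad shipped default. Narrowing at least the `hosts` entry to the Ranger Admin host(s), e.g. `<value>RANGER_ADMIN_HOST_PLACEHOLDER</value>`, would limit where impersonated requests can originate. An XML comment above the block should say the wildcards are sample values to be tightened at install time. Which principals resolve to `ranger` depends on the auth_to_local name rules, which are not visible in this hunk.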
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/88d82ae1/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java
index 6ab91d9..b937f0c 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java
@@ -69,6 +69,7 @@ public class RangerHSM implements RangerKMSMKI {
logger.debug("Loading HSM tokenlabel : "+partitionName);
myStore = KeyStore.getInstance("Luna");
myStore.load(is1, passwd.toCharArray());
+ if(myStore == null){ logger.error("Luna not found. Please verify the Ranger KMS HSM configuration setup."); }
} catch (KeyStoreException kse) {
logger.error("Unable to create keystore object : "+kse.getMessage());
} catch (NoSuchAlgorithmException nsae) {
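Review bot: The added `if(myStore == null)` check cannot fire where it stands. It runs after `myStore.load(...)`, which would already have thrown on a null reference, and `KeyStore.getInstance("Luna")` reports a missing provider by throwing `KeyStoreException` rather than returning null. The "Luna not found" message belongs in the existing `catch (KeyStoreException kse)` branch, e.g. `logger.error("Luna not found. Please verify the Ranger KMS HSM configuration setup.", kse);`. The enclosing block starts and ends outside the hunk.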
@@ -82,7 +83,7 @@ public class RangerHSM implements RangerKMSMKI {
@Override
public boolean generateMasterKey(String password) throws Throwable {
- if(myStore.size() < 1){
+ if(myStore != null && myStore.size() < 1){
KeyGenerator keyGen = null;
SecretKey aesKey = null;
try {
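Review bot: With the `myStore != null` guard, an unavailable HSM makes `generateMasterKey` skip key generation without logging or throwing. The guards added to `getMasterKey` and `setMasterKey` in the next hunk behave the same way, returning `null` and `false`. Callers then cannot tell "HSM not initialised" from "master key absent" or "write failed". Since `generateMasterKey` and `getMasterKey` already declare `throws Throwable`, failing fast there keeps the signature: `if (myStore == null) { throw new IllegalStateException("Luna keystore not initialised"); }`. The method body continues outside the hunk, so what it returns in the skipped case is not visible here.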
@@ -103,28 +104,32 @@ public class RangerHSM implements RangerKMSMKI {
@Override
public String getMasterKey(String password) throws Throwable {
- try {
- logger.debug("Searching for Ranger Master Key in Luna Keystore");
- boolean result = myStore.containsAlias(alias);
- if (result == true) {
- logger.debug("Ranger Master Key is present in Keystore");
- SecretKey key = (SecretKey)myStore.getKey(alias, password.toCharArray());
- String masterKey = Base64.encode(key.getEncoded()) ;
- return masterKey;
- }
- } catch (Exception e) {
- logger.error("getMasterKey : Exception searching for Ranger Master Key - " + e.getMessage());
- }
+ if(myStore != null){
+ try {
+ logger.debug("Searching for Ranger Master Key in Luna Keystore");
+ boolean result = myStore.containsAlias(alias);
+ if (result == true) {
+ logger.debug("Ranger Master Key is present in Keystore");
+ SecretKey key = (SecretKey)myStore.getKey(alias, password.toCharArray());
+ String masterKey = Base64.encode(key.getEncoded()) ;
+ return masterKey;
+ }
+ } catch (Exception e) {
+ logger.error("getMasterKey : Exception searching for Ranger Master Key - " + e.getMessage());
+ }
+ }
return null;
}
public boolean setMasterKey(String password, byte[] key){
- try {
- Key aesKey = new SecretKeySpec(key, MK_CIPHER);
- myStore.setKeyEntry(alias, aesKey, password.toCharArray(), (java.security.cert.Certificate[]) null);
- return true;
- } catch (KeyStoreException e) {
- logger.error("setMasterKey : Exception while setting Master Key - " + e.getMessage());
+ if(myStore != null){
+ try {
+ Key aesKey = new SecretKeySpec(key, MK_CIPHER);
+ myStore.setKeyEntry(alias, aesKey, password.toCharArray(), (java.security.cert.Certificate[]) null);
+ return true;
+ } catch (KeyStoreException e) {
+ logger.error("setMasterKey : Exception while setting Master Key - " + e.getMessage());
+ }
}
return false;
}
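Review bot: In `getMasterKey`, `myStore.getKey(...)` can return null, and `key.getEncoded()` can return null for a key the HSM does not allow to be exported. Either case ends in a NullPointerException that the broad `catch (Exception e)` reports only through `e.getMessage()`, which is often just `null`. An explicit check such as `if (key == null || key.getEncoded() == null) { logger.error("Ranger Master Key is not retrievable from the keystore"); return null; }` would make the failure diagnosable. Passing the exception object to the logger, `logger.error("getMasterKey : Exception searching for Ranger Master Key", e);`, would preserve the cause. `setMasterKey` has the same message-only logging in its `KeyStoreException` handler.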
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/88d82ae1/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
index c58c987..4439be1 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
@@ -69,6 +69,7 @@ import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.security.SecureClientLogin;
+import org.apache.hadoop.security.authentication.util.KerberosName;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
public class RangerKRBAuthenticationFilter extends RangerKrbFilter {
@@ -224,6 +225,7 @@ public class RangerKRBAuthenticationFilter extends RangerKrbFilter {
String authtype = PropertiesUtil.getProperty(RANGER_AUTH_TYPE);
HttpServletRequest httpRequest = (HttpServletRequest)request;
if(isSpnegoEnable(authtype)){
+ KerberosName.setRules(PropertiesUtil.getProperty(NAME_RULES, "DEFAULT"));
Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
String userName = null;
Cookie[] cookie = httpRequest.getCookies();
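Review bot: `KerberosName.setRules(...)` writes static, JVM-wide state, and the added line runs it on every request that passes `isSpnegoEnable(authtype)`. Other code in the same process that sets name rules (the keytab login path takes a `nameRules` argument, for example) can therefore be overwritten mid-flight, and the value is re-parsed per request for no gain. Setting the rules once in the filter's `init` would be safer; if the call has to stay here, add a comment such as `// KerberosName rules are static; re-applied per request because <reason>`. The `"DEFAULT"` fallback also deserves a line of documentation, since it determines how principals are shortened when `NAME_RULES` is unset. The enclosing method starts and ends outside the hunk.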
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/88d82ae1/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
index 9d5680d..4ebf972 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
@@ -412,7 +412,7 @@ public class RangerSSOAuthenticationFilter implements Filter {
public SSOAuthenticationProperties getJwtProperties() {
String providerUrl = PropertiesUtil.getProperty(JWT_AUTH_PROVIDER_URL);
- if (providerUrl != null) {
+ if (providerUrl != null && PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false)) {
String publicKeyPath = PropertiesUtil.getProperty(JWT_PUBLIC_KEY);
if (publicKeyPath == null) {
LOG.error("Public key pem not specified for SSO auth provider {}. SSO auth will be disabled.",providerUrl);
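Review bot: The new flag is read through the literal `"ranger.sso.enabled"`, while the other keys in this method use constants (`JWT_AUTH_PROVIDER_URL`, `JWT_PUBLIC_KEY`). Unless the class already defines one, a constant such as `private static final String SSO_ENABLED = "ranger.sso.enabled";` would keep the key in one place. Whether the filter's request path consults the same flag is not visible in this hunk; if it reads the property separately, the two checks can drift apart. The method continues outside the hunk, so the value returned when SSO is disabled cannot be confirmed here; document it in the method's Javadoc.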
[2/2] incubator-ranger git commit: RANGER-839: Changed to httpclient
version to 4.3.6 as 4.5.2 has some issues on hadoop common. Also removed old
commons-httpclient dependencies in security admin & ugsync modules
Posted by ve...@apache.org.
RANGER-839: Changed to httpclient version to 4.3.6 as 4.5.2 has some issues on hadoop common. Also removed old commons-httpclient dependencies in security admin & ugsync modules
Signed-off-by: Velmurugan Periasamy <ve...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/be746596
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/be746596
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/be746596
Branch: refs/heads/master
Commit: be74659686ffffbd31146242825385280df07342
Parents: 88d82ae
Author: Sailaja Polavarapu <sp...@hortonworks.com>
Authored: Mon May 23 09:57:15 2016 -0700
Committer: Velmurugan Periasamy <ve...@apache.org>
Committed: Mon May 23 14:06:20 2016 -0400
----------------------------------------------------------------------
pom.xml | 3 +--
security-admin/pom.xml | 9 ++++-----
src/main/assembly/usersync.xml | 2 +-
ugsync/pom.xml | 5 -----
.../org/apache/ranger/usersync/util/UserSyncUtil.java | 10 +++++-----
5 files changed, 11 insertions(+), 18 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/be746596/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index d6aa833..327f30c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -140,7 +140,6 @@
<commons.configuration.version>1.10</commons.configuration.version>
<commons.dbcp.version>1.4</commons.dbcp.version>
<commons.digester.version>2.1</commons.digester.version>
- <commons.httpclient.version>3.1</commons.httpclient.version>
<commons.io.version>2.4</commons.io.version>
<commons.lang.version>2.6</commons.lang.version>
<commons.logging.version>1.2</commons.logging.version>
@@ -164,7 +163,7 @@
<hbase.version>1.1.3</hbase.version>
<hive.version>2.1.0-SNAPSHOT</hive.version>
<htrace-core.version>3.1.0-incubating</htrace-core.version>
- <httpcomponents.httpclient.version>4.5.1</httpcomponents.httpclient.version>
+ <httpcomponents.httpclient.version>4.3.6</httpcomponents.httpclient.version>
<httpcomponents.httpcore.version>4.4.3</httpcomponents.httpcore.version>
<httpcomponents.httpmime.version>4.5.1</httpcomponents.httpmime.version>
<jackson.version>1.9.13</jackson.version>
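Review bot: `httpcomponents.httpclient.version` drops to 4.3.6 while `httpcomponents.httpmime.version` stays at 4.5.1 and `httpcomponents.httpcore.version` at 4.4.3, so the three HttpComponents artifacts no longer come from matching release lines. httpmime normally depends on the httpclient of its own version, so dependency mediation may resolve a different httpclient than the one pinned here in modules that use both. Aligning httpmime (and checking httpcore) with the 4.3.x line would make the downgrade consistent. A comment such as `<!-- pinned to 4.3.6 for hadoop-common compatibility (RANGER-839) -->` would mark the pin as deliberate. The commit message refers to 4.5.2, whereas the value replaced in this hunk is 4.5.1.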
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/be746596/security-admin/pom.xml
----------------------------------------------------------------------
diff --git a/security-admin/pom.xml b/security-admin/pom.xml
index 9f4ecbe..25980fc 100644
--- a/security-admin/pom.xml
+++ b/security-admin/pom.xml
@@ -113,11 +113,6 @@
<version>${tomcat.embed.version}</version>
</dependency>
<dependency>
- <groupId>commons-httpclient</groupId>
- <artifactId>commons-httpclient</artifactId>
- <version>${commons.httpclient.version}</version>
- </dependency>
- <dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>${commons.io.version}</version>
@@ -336,6 +331,10 @@
<artifactId>hadoop-common</artifactId>
<version>${hadoop-common.version}</version>
<exclusions>
+ <exclusion>
+ <groupId>commons-httpclient</groupId>
+ <artifactId>commons-httpclient</artifactId>
+ </exclusion>
<exclusion>
<groupId>javax.servlet</groupId>
<artifactId>*</artifactId>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/be746596/src/main/assembly/usersync.xml
----------------------------------------------------------------------
diff --git a/src/main/assembly/usersync.xml b/src/main/assembly/usersync.xml
index e60aae0..2f7bea7 100644
--- a/src/main/assembly/usersync.xml
+++ b/src/main/assembly/usersync.xml
@@ -51,7 +51,7 @@
<include>org.apache.ranger:ranger-util</include>
<include>commons-io:commons-io:jar:${commons.io.version}</include>
<include>org.apache.htrace:htrace-core</include>
- <include>commons-httpclient:commons-httpclient</include>
+ <include>org.apache.httpcomponents:httpclient:jar:${httpcomponents.httpclient.version}</include>
<include>commons-codec:commons-codec</include>
<include>org.apache.ranger:ranger-plugins-common</include>
</includes>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/be746596/ugsync/pom.xml
----------------------------------------------------------------------
diff --git a/ugsync/pom.xml b/ugsync/pom.xml
index f18043c..489cb7c 100644
--- a/ugsync/pom.xml
+++ b/ugsync/pom.xml
@@ -102,11 +102,6 @@
<artifactId>junit</artifactId>
</dependency>
<dependency>
- <groupId>commons-httpclient</groupId>
- <artifactId>commons-httpclient</artifactId>
- <version>${commons.httpclient.version}</version>
- </dependency>
- <dependency>
<groupId>commons-codec</groupId>
<artifactId>commons-codec</artifactId>
<version>${commons.codec.version}</version>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/be746596/ugsync/src/main/java/org/apache/ranger/usersync/util/UserSyncUtil.java
----------------------------------------------------------------------
diff --git a/ugsync/src/main/java/org/apache/ranger/usersync/util/UserSyncUtil.java b/ugsync/src/main/java/org/apache/ranger/usersync/util/UserSyncUtil.java
index 050419d..1ac2da2 100644
--- a/ugsync/src/main/java/org/apache/ranger/usersync/util/UserSyncUtil.java
+++ b/ugsync/src/main/java/org/apache/ranger/usersync/util/UserSyncUtil.java
@@ -19,18 +19,18 @@
package org.apache.ranger.usersync.util;
-import org.apache.commons.httpclient.URIException;
-import org.apache.commons.httpclient.util.URIUtil;
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
public class UserSyncUtil {
- public static String encodeURIParam(String s) throws URIException {
+ public static String encodeURIParam(String s) throws UnsupportedEncodingException {
String ret = null;
try {
- ret = URIUtil.encodeQuery(s);
- } catch (URIException e) {
+ ret = URLEncoder.encode(s, "UTF-8");
+ } catch (UnsupportedEncodingException e) {
throw e;
}