Posted to commits@ranger.apache.org by ma...@apache.org on 2015/12/04 02:34:43 UTC
[1/6] incubator-ranger git commit: RANGER-754:Ranger YARN Plugin
lookup and test connection should support SPENGO enabled HTTP Authentication
Repository: incubator-ranger
Updated Branches:
refs/heads/tag-policy 42b040e67 -> f00c4ebe0
RANGER-754: Ranger YARN Plugin lookup and test connection should support SPNEGO-enabled HTTP Authentication
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/90b7f0ba
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/90b7f0ba
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/90b7f0ba
Branch: refs/heads/tag-policy
Commit: 90b7f0ba3f4bfa16060709e643b48a017ff43863
Parents: 0dadcd1
Author: rmani <rm...@hortonworks.com>
Authored: Wed Dec 2 15:31:37 2015 -0800
Committer: rmani <rm...@hortonworks.com>
Committed: Wed Dec 2 15:31:37 2015 -0800
----------------------------------------------------------------------
.../plugin/client/HadoopConfigHolder.java | 62 +++--
.../service-defs/ranger-servicedef-yarn.json | 35 ++-
.../ranger/services/yarn/client/YarnClient.java | 228 ++++++++++---------
.../services/yarn/client/YarnConnectionMgr.java | 18 +-
.../services/yarn/client/YarnResourceMgr.java | 14 +-
5 files changed, 217 insertions(+), 140 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/90b7f0ba/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java b/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java
index f95e10e..9d14ae6 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java
@@ -22,6 +22,7 @@
import java.io.IOException;
import java.io.InputStream;
import java.util.*;
+import java.util.Map.Entry;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
@@ -96,6 +97,7 @@ public class HadoopConfigHolder {
dataSource2HadoopConfigHolder.put(aDatasourceName, ret) ;
}
}
+
return ret ;
}
@@ -265,14 +267,15 @@ public class HadoopConfigHolder {
userName = prop.getProperty(RANGER_LOGIN_USER_NAME_PROP) ;
keyTabFile = prop.getProperty(RANGER_LOGIN_KEYTAB_FILE_PROP) ;
password = prop.getProperty(RANGER_LOGIN_PASSWORD) ;
-
- if ( getHadoopSecurityAuthentication() != null) {
- isKerberosAuth = ( getHadoopSecurityAuthentication().equalsIgnoreCase(HADOOP_SECURITY_AUTHENTICATION_METHOD));
+
+ String hadoopSecurityAuthenticationn = getHadoopSecurityAuthentication();
+
+ if ( hadoopSecurityAuthenticationn != null) {
+ isKerberosAuth = ( hadoopSecurityAuthenticationn.equalsIgnoreCase(HADOOP_SECURITY_AUTHENTICATION_METHOD));
}
else {
isKerberosAuth = (userName != null) && (userName.indexOf("@") > -1) ;
}
-
}
}
@@ -342,21 +345,26 @@ public class HadoopConfigHolder {
}
public String getHadoopSecurityAuthentication() {
- Properties repoParam = null ;
String ret = null;
-
- HashMap<String,Properties> resourceName2PropertiesMap = dataSource2ResourceListMap.get(this.getDatasourceName()) ;
-
- if ( resourceName2PropertiesMap != null) {
- repoParam=resourceName2PropertiesMap.get(DEFAULT_RESOURCE_NAME);
+ String sectionName = RANGER_SECTION_NAME;
+
+ if ( defaultConfigFile != null) {
+ sectionName = defaultConfigFile;
+ }
+
+ if ( LOG.isDebugEnabled() ) {
+ LOG.debug("==> HadoopConfigHolder.getHadoopSecurityAuthentication( " + " DataSource : " + sectionName + " Property : " + HADOOP_SECURITY_AUTHENTICATION + ")" );
}
+
+ ret = getProperties(sectionName,HADOOP_SECURITY_AUTHENTICATION);
- if ( repoParam != null ) {
- ret = (String)repoParam.get(HADOOP_SECURITY_AUTHENTICATION);
+ if ( LOG.isDebugEnabled() ) {
+ LOG.debug("<== HadoopConfigHolder.getHadoopSecurityAuthentication(" + " DataSource : " + sectionName + " Property : " + HADOOP_SECURITY_AUTHENTICATION + " Value : " + ret + ")" );
}
+
return ret;
- }
-
+ }
+
public String getUserName() {
return userName;
}
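Review bot: The lookup section changes here from `DEFAULT_RESOURCE_NAME` to `RANGER_SECTION_NAME` (or `defaultConfigFile`), and when the property is absent from that section the method returns null without any warning. In the hunk at -265 a null result makes `isKerberosAuth` fall back to the `userName.indexOf("@")` heuristic, so a service whose `hadoop.security.authentication` lives in another section would presumably be treated as simple auth. A `LOG.warn` when `ret == null` would make that fallback visible. The debug label `DataSource :` prints `sectionName`, so it should read `Section :`.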
@@ -377,6 +385,32 @@ public class HadoopConfigHolder {
return rangerInternalPropertyKeys;
}
+
+ private String getProperties(String sectionName, String property) {
+
+ if ( LOG.isDebugEnabled() ) {
+ LOG.debug("==> HadoopConfigHolder.getProperties( " + " DataSource : " + sectionName + " Property : " + property + ")" );
+ }
+
+ Properties repoParam = null ;
+ String ret = null;
+
+ HashMap<String,Properties> resourceName2PropertiesMap = dataSource2ResourceListMap.get(this.getDatasourceName()) ;
+
+ if ( resourceName2PropertiesMap != null) {
+ repoParam=resourceName2PropertiesMap.get(sectionName);
+ }
+
+ if ( repoParam != null ) {
+ ret = (String)repoParam.get(property);
+ }
+
+ if ( LOG.isDebugEnabled() ) {
+ LOG.debug("<== HadoopConfigHolder.getProperties( " + " DataSource : " + sectionName + " Property : " + property + " Value : " + ret);
+ }
+
+ return ret;
+ }
}
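Review bot: `getProperties` logs the resolved value of whatever key it is given at debug level, which is harmless for `hadoop.security.authentication` but would write a credential to the log if the helper is later called with `RANGER_LOGIN_PASSWORD` or a similar key. I would drop `" Value : " + ret` from the exit log, or add a comment on the method such as `// do not call with secret keys: the value is logged at debug`. The helper returns one value, so `getProperty` is the more accurate name, and the exit message is missing its closing `)`. `(String) repoParam.get(property)` throws ClassCastException on a non-String value, where `repoParam.getProperty(property)` returns null.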
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/90b7f0ba/agents-common/src/main/resources/service-defs/ranger-servicedef-yarn.json
----------------------------------------------------------------------
diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-yarn.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-yarn.json
index ff1f39f..ff93dfe 100644
--- a/agents-common/src/main/resources/service-defs/ranger-servicedef-yarn.json
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-yarn.json
@@ -82,6 +82,19 @@
{
"itemId": 4,
+ "name": "hadoop.security.authentication",
+ "type": "enum",
+ "subType": "authnType",
+ "mandatory": true,
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Authentication Type",
+ "defaultValue": "simple"
+ },
+
+ {
+ "itemId": 5,
"name": "commonNameForCertificate",
"type": "string",
"mandatory": false,
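Review bot: Inserting the new config as `"itemId": 4` renumbers the existing `commonNameForCertificate` entry from 4 to 5. If item ids are used to match configs against service definitions already stored by earlier versions (not visible here), an upgrade could associate the old id 4 with the wrong field; appending the new entry as `"itemId": 5` and leaving the existing entry untouched avoids that. The new entry is also `"mandatory": true`, so YARN services created before this change will presumably need the `simple` default applied when they are next loaded or edited.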
@@ -90,11 +103,31 @@
"uiHint":"",
"label": "Common Name for Certificate"
}
+
],
"enums":
[
-
+ {
+ "itemId": 1,
+ "name": "authnType",
+ "elements":
+ [
+ {
+ "itemId": 1,
+ "name": "simple",
+ "label": "Simple"
+ },
+
+ {
+ "itemId": 2,
+ "name": "kerberos",
+ "label": "Kerberos"
+ }
+ ],
+
+ "defaultIndex": 0
+ }
],
"contextEnrichers":
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/90b7f0ba/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnClient.java
----------------------------------------------------------------------
diff --git a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnClient.java b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnClient.java
index fc07760..0f3ed89 100644
--- a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnClient.java
+++ b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnClient.java
@@ -19,6 +19,9 @@
package org.apache.ranger.services.yarn.client;
+import java.net.Authenticator;
+import java.net.PasswordAuthentication;
+import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
@@ -26,6 +29,7 @@ import java.util.Map;
import java.util.concurrent.Callable;
import java.util.concurrent.TimeUnit;
+import javax.security.auth.Subject;
import org.apache.commons.io.FilenameUtils;
import org.apache.log4j.Logger;
@@ -40,7 +44,7 @@ import com.sun.jersey.api.client.Client;
import com.sun.jersey.api.client.ClientResponse;
import com.sun.jersey.api.client.WebResource;
-public class YarnClient {
+public class YarnClient extends BaseClient {
public static final Logger LOG = Logger.getLogger(YarnClient.class) ;
@@ -57,16 +61,27 @@ public class YarnClient {
String userName;
String password;
- public YarnClient(String yarnQueueUrl, String yarnUserName, String yarnPassWord) {
-
- this.yarnQUrl = yarnQueueUrl;
- this.userName = yarnUserName ;
- this.password = yarnPassWord;
+ public YarnClient(String serviceName, Map<String, String> configs) {
+
+ super(serviceName,configs,"yarn-client") ;
+
+ this.yarnQUrl = configs.get("yarn.url");
+ this.userName = configs.get("username");
+ this.password = configs.get("password");
+ if (this.yarnQUrl == null || this.yarnQUrl.isEmpty()) {
+ LOG.error("No value found for configuration 'yarn.url'. YARN resource lookup will fail");
+ }
+ if (this.userName == null || this.userName.isEmpty()) {
+ LOG.error("No value found for configuration 'usename'. YARN resource lookup will fail");
+ }
+ if (this.password == null || this.password.isEmpty()) {
+ LOG.error("No value found for configuration 'password'. YARN resource lookup will fail");
+ }
+
if (LOG.isDebugEnabled()) {
- LOG.debug("Yarn Client is build with url [" + yarnQueueUrl + "] user: [" + yarnPassWord + "], password: [" + "" + "]");
+ LOG.debug("Yarn Client is build with url [" + this.yarnQUrl + "] user: [" + this.userName + "], password: [" + "*********" + "]");
}
-
}
public List<String> getQueueList(final String queueNameMatching, final List<String> existingQueueList) {
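Review bot: `configs` is dereferenced in `configs.get("yarn.url")` with no null check, and the constructor is public, so unless `BaseClient` already rejects a null map the caller gets a NullPointerException rather than the logged error the old factory produced. The missing-password check is logged as an error unconditionally, although a Kerberos setup that logs in from a keytab would presumably have no password; consider raising it only when the authentication type is not kerberos. The message on the username check misspells the key: `'usename'` should be `'username'`.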
@@ -74,107 +89,122 @@ public class YarnClient {
if (LOG.isDebugEnabled()) {
LOG.debug("Getting Yarn queue list for queueNameMatching : " + queueNameMatching);
}
- final String errMsg = errMessage;
+ final String errMsg = errMessage;
List<String> ret = null;
-
- Callable<List<String>> yarnQueueListGetter = new Callable<List<String>>() {
+
+ Callable<List<String>> callableYarnQListGetter = new Callable<List<String>>() {
+
@Override
public List<String> call() {
-
- List<String> lret = new ArrayList<String>();
-
- String url = yarnQUrl + YARN_LIST_API_ENDPOINT ;
-
- Client client = null ;
- ClientResponse response = null ;
-
- try {
- client = Client.create() ;
-
- WebResource webResource = client.resource(url);
-
- response = webResource.accept(EXPECTED_MIME_TYPE)
- .get(ClientResponse.class);
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("getQueueList():calling " + url);
- }
-
- if (response != null) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("getQueueList():response.getStatus()= " + response.getStatus());
- }
- if (response.getStatus() == 200) {
- String jsonString = response.getEntity(String.class);
- Gson gson = new GsonBuilder().setPrettyPrinting().create();
- YarnSchedulerResponse yarnQResponse = gson.fromJson(jsonString, YarnSchedulerResponse.class);
- if (yarnQResponse != null) {
- List<String> yarnQueueList = yarnQResponse.getQueueNames();
- if (yarnQueueList != null) {
- for ( String yarnQueueName : yarnQueueList) {
- if ( existingQueueList != null && existingQueueList.contains(yarnQueueName)) {
- continue;
- }
- if (queueNameMatching == null || queueNameMatching.isEmpty()
- || yarnQueueName.startsWith(queueNameMatching)) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("getQueueList():Adding yarnQueue " + yarnQueueName);
+ List<String> yarnQueueListGetter = null;
+
+ Subject subj = getLoginSubject();
+
+ if (subj != null) {
+ yarnQueueListGetter = Subject.doAs(subj, new PrivilegedAction<List<String>>() {
+
+ @Override
+ public List<String> run() {
+
+ List<String> lret = new ArrayList<String>();
+
+ String url = yarnQUrl + YARN_LIST_API_ENDPOINT ;
+
+ Client client = null ;
+
+ ClientResponse response = null ;
+
+ try {
+ client = Client.create() ;
+
+ WebResource webResource = client.resource(url);
+
+ response = webResource.accept(EXPECTED_MIME_TYPE)
+ .get(ClientResponse.class);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("getQueueList():calling " + url);
+ }
+
+ if (response != null) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("getQueueList():response.getStatus()= " + response.getStatus());
+ }
+ if (response.getStatus() == 200) {
+ String jsonString = response.getEntity(String.class);
+ Gson gson = new GsonBuilder().setPrettyPrinting().create();
+ YarnSchedulerResponse yarnQResponse = gson.fromJson(jsonString, YarnSchedulerResponse.class);
+ if (yarnQResponse != null) {
+ List<String> yarnQueueList = yarnQResponse.getQueueNames();
+ if (yarnQueueList != null) {
+ for ( String yarnQueueName : yarnQueueList) {
+ if ( existingQueueList != null && existingQueueList.contains(yarnQueueName)) {
+ continue;
+ }
+ if (queueNameMatching == null || queueNameMatching.isEmpty()
+ || yarnQueueName.startsWith(queueNameMatching)) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("getQueueList():Adding yarnQueue " + yarnQueueName);
+ }
+ lret.add(yarnQueueName) ;
+ }
}
- lret.add(yarnQueueName) ;
}
}
- }
+ } else{
+ LOG.info("getQueueList():response.getStatus()= " + response.getStatus() + " for URL " + url + ", so returning null list");
+ String jsonString = response.getEntity(String.class);
+ LOG.info(jsonString);
+ lret = null;
}
- } else{
- LOG.info("getQueueList():response.getStatus()= " + response.getStatus() + " for URL " + url + ", so returning null list");
- String jsonString = response.getEntity(String.class);
- LOG.info(jsonString);
+ } else {
+ lret = null;
+ String msgDesc = "Unable to get a valid response for "
+ + "expected mime type : [" + EXPECTED_MIME_TYPE
+ + "] URL : " + url + " - got null response.";
+ LOG.error(msgDesc);
+ HadoopException hdpException = new HadoopException(msgDesc);
+ hdpException.generateResponseDataMap(false, msgDesc,
+ msgDesc + errMsg, null, null);
+ throw hdpException;
+ }
+ } catch (HadoopException he) {
lret = null;
+ throw he;
+ } catch (Throwable t) {
+ lret = null;
+ String msgDesc = "Exception while getting Yarn Queue List."
+ + " URL : " + url;
+ HadoopException hdpException = new HadoopException(msgDesc,
+ t);
+
+ LOG.error(msgDesc, t);
+
+ hdpException.generateResponseDataMap(false,
+ BaseClient.getMessage(t), msgDesc + errMsg, null,
+ null);
+ throw hdpException;
+
+ } finally {
+ if (response != null) {
+ response.close();
+ }
+
+ if (client != null) {
+ client.destroy();
+ }
}
- } else {
- lret = null;
- String msgDesc = "Unable to get a valid response for "
- + "expected mime type : [" + EXPECTED_MIME_TYPE
- + "] URL : " + url + " - got null response.";
- LOG.error(msgDesc);
- HadoopException hdpException = new HadoopException(msgDesc);
- hdpException.generateResponseDataMap(false, msgDesc,
- msgDesc + errMsg, null, null);
- throw hdpException;
- }
- } catch (HadoopException he) {
- lret = null;
- throw he;
- } catch (Throwable t) {
- lret = null;
- String msgDesc = "Exception while getting Yarn Queue List."
- + " URL : " + url;
- HadoopException hdpException = new HadoopException(msgDesc,
- t);
-
- LOG.error(msgDesc, t);
-
- hdpException.generateResponseDataMap(false,
- BaseClient.getMessage(t), msgDesc + errMsg, null,
- null);
- throw hdpException;
-
- } finally {
- if (response != null) {
- response.close();
- }
-
- if (client != null) {
- client.destroy();
+ return lret ;
}
+ } );
}
- return lret ;
- }
- } ;
+ return yarnQueueListGetter;
+ }
+ };
try {
- ret = timedTask(yarnQueueListGetter, 5, TimeUnit.SECONDS);
+ ret = timedTask(callableYarnQListGetter, 5, TimeUnit.SECONDS);
} catch ( Throwable t) {
LOG.error("Unable to get Yarn Queue list from [" + yarnQUrl + "]", t) ;
String msgDesc = "Unable to get a valid response for "
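Review bot: When `getLoginSubject()` returns null the new `call()` skips the request and returns null without logging or throwing, so lookup and test connection fail with no indication that the login subject was missing. Add an `else` branch, for example `LOG.error("getQueueList(): login subject is null, not querying " + yarnQUrl);`, or throw a `HadoopException` as the null-response path does. The non-200 branch still writes the whole response body at INFO via `LOG.info(jsonString)`; that line is carried over from the old code, but with authentication failures now possible the body may be an error page, and debug level would suit it better. getQueueList starts before this hunk and continues after it.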
@@ -243,12 +273,7 @@ public class YarnClient {
+ errMsg, null, null);
throw hdpException;
} else {
- String yarnUrl = configs.get("yarn.url");
- String yarnUserName = configs.get("username");
- String yarnPassWord = configs.get("password");
- yarnClient = new YarnClient (yarnUrl, yarnUserName,
- yarnPassWord);
-
+ yarnClient = new YarnClient (serviceName, configs);
}
return yarnClient;
}
@@ -299,5 +324,4 @@ public class YarnClient {
TimeUnit timeUnit) throws Exception {
return callableObj.call();
}
-
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/90b7f0ba/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnConnectionMgr.java
----------------------------------------------------------------------
diff --git a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnConnectionMgr.java b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnConnectionMgr.java
index e2cc2ef..1d39998 100644
--- a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnConnectionMgr.java
+++ b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnConnectionMgr.java
@@ -19,25 +19,17 @@
package org.apache.ranger.services.yarn.client;
+import java.util.Map;
+
import org.apache.log4j.Logger;
public class YarnConnectionMgr {
public static final Logger LOG = Logger.getLogger(YarnConnectionMgr.class);
-
- public static YarnClient getYarnClient(final String yarnURL, String userName, String password) {
- YarnClient yarnClient = null;
- if (yarnURL == null || yarnURL.isEmpty()) {
- LOG.error("Can not create YarnClient: yarnURL is empty");
- } else if (userName == null || userName.isEmpty()) {
- LOG.error("Can not create YarnClient: YarnuserName is empty");
- } else if (password == null || password.isEmpty()) {
- LOG.error("Can not create YarnClient: YarnPassWord is empty");
- } else {
- yarnClient = new YarnClient(yarnURL, userName, password);
- }
- return yarnClient;
+
+ public static YarnClient getYarnClient(String serviceName, Map<String, String> configs) {
+ return new YarnClient(serviceName, configs);
}
}
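Review bot: `getYarnClient` now always returns a non-null `YarnClient`, so the `if (yarnClient != null)` guard visible in `YarnResourceMgr.getYarnResource` can no longer catch a missing URL or username, and the problem surfaces only when the HTTP call is made. Either keep a guard here, `if (configs == null || configs.isEmpty()) { return null; }`, or remove the dead null check in the caller and state in a Javadoc on this method that the client is returned unvalidated.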
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/90b7f0ba/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnResourceMgr.java
----------------------------------------------------------------------
diff --git a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnResourceMgr.java b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnResourceMgr.java
index 95d29c0..97fdf19 100644
--- a/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnResourceMgr.java
+++ b/plugin-yarn/src/main/java/org/apache/ranger/services/yarn/client/YarnResourceMgr.java
@@ -65,23 +65,17 @@ public class YarnResourceMgr {
} else {
yarnQueueName = userInput;
}
-
-
+
if (configs == null || configs.isEmpty()) {
LOG.error("Connection Config is empty");
-
} else {
-
- String url = configs.get("yarn.url");
- String username = configs.get("username");
- String password = configs.get("password");
- resultList = getYarnResource(url, username, password,yarnQueueName,yarnQueueList) ;
+ resultList = getYarnResource(serviceName, configs, yarnQueueName,yarnQueueList) ;
}
return resultList ;
}
- public static List<String> getYarnResource(String url, String username, String password,String yarnQueueName, List<String> yarnQueueList) {
- final YarnClient yarnClient = YarnConnectionMgr.getYarnClient(url, username, password);
+ public static List<String> getYarnResource(String serviceName, Map<String, String> configs, String yarnQueueName, List<String> yarnQueueList) {
+ final YarnClient yarnClient = YarnConnectionMgr.getYarnClient(serviceName, configs);
List<String> topologyList = null;
if (yarnClient != null) {
synchronized(yarnClient) {
[4/6] incubator-ranger git commit: RANGER-762: Unit test for hive
tag-policy fails
Posted by ma...@apache.org.
RANGER-762: Unit test for hive tag-policy fails
Signed-off-by: Madhan Neethiraj <ma...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/cd234cd6
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/cd234cd6
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/cd234cd6
Branch: refs/heads/tag-policy
Commit: cd234cd617090f1a23e61e78bfe17219e54a2eca
Parents: 10d755a
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Wed Dec 2 11:37:38 2015 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Thu Dec 3 11:27:44 2015 -0800
----------------------------------------------------------------------
.../resources/policyengine/test_policyengine_tag_hive.json | 6 ------
1 file changed, 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/cd234cd6/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
----------------------------------------------------------------------
diff --git a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
index cb07b17..0893f44 100644
--- a/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
+++ b/agents-common/src/test/resources/policyengine/test_policyengine_tag_hive.json
@@ -126,12 +126,6 @@
}
],
"contextEnrichers": [
- {
- "itemId": 1,
- "name" : "TagEnricher",
- "enricher" : "org.apache.ranger.plugin.contextenricher.RangerTagEnricher",
- "enricherOptions" : {"tagRetrieverClassName":"org.apache.ranger.plugin.contextenricher.RangerAdminTagRetriever", "tagRefresherPollingInterval":60000, "dataFile":"/etc/ranger/data/resourceTags.txt"}
- }
],
"policyConditions": [
{
[3/6] incubator-ranger git commit: RANGER-759 : Fix Ranger Knox SSO
logout/session expired issues
Posted by ma...@apache.org.
RANGER-759 : Fix Ranger Knox SSO logout/session expired issues
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/10d755ac
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/10d755ac
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/10d755ac
Branch: refs/heads/tag-policy
Commit: 10d755acd15d4b7a604571838559eca0e9f44150
Parents: af8377f
Author: Gautam Borad <ga...@apache.org>
Authored: Wed Dec 2 14:23:10 2015 +0530
Committer: Gautam Borad <ga...@apache.org>
Committed: Thu Dec 3 09:02:08 2015 +0530
----------------------------------------------------------------------
.../CustomLogoutSuccessHandler.java | 2 ++
.../RangerAuthenticationEntryPoint.java | 1 +
.../filter/RangerSSOAuthenticationFilter.java | 33 ++++++++++++++------
.../webapp/scripts/views/common/ProfileBar.js | 25 ++++++++-------
4 files changed, 39 insertions(+), 22 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/10d755ac/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java
index 6a91834..237fb50 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/CustomLogoutSuccessHandler.java
@@ -43,6 +43,8 @@ public class CustomLogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler
HttpServletResponse response, Authentication authentication)
throws IOException, ServletException {
+ request.getServletContext().removeAttribute(request.getRequestedSessionId());
+
response.setContentType("application/json;charset=UTF-8");
response.setHeader("Cache-Control", "no-cache");
response.setHeader("X-Frame-Options", "DENY");
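Review bot: `request.getRequestedSessionId()` is the session id sent by the client and is null when no session cookie is present, in which case `removeAttribute(null)` may throw on containers that keep context attributes in a null-hostile map; guard it with `String sid = request.getRequestedSessionId(); if (sid != null) { ... }`. The ServletContext attribute map is application-wide and shared with the container and frameworks, so using a client-supplied string as the key lets a request remove an entry it does not own. Prefixing the key, for example `"locallogin." + sid`, or keeping these markers in a dedicated map would confine the effect. The method body starts before the hunk.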
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/10d755ac/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
index 0b61498..b3d59eb 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/authentication/RangerAuthenticationEntryPoint.java
@@ -133,6 +133,7 @@ public class RangerAuthenticationEntryPoint extends
if(requestURL.contains(RangerSSOAuthenticationFilter.LOCAL_LOGIN_URL)){
if (request.getSession() != null)
request.getSession().setAttribute("locallogin","true");
+ request.getServletContext().setAttribute(request.getSession().getId(), "locallogin");
}
super.commence(request, response, authException);
}
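Review bot: The `if (request.getSession() != null)` has no braces, so only `setAttribute("locallogin","true")` is conditional and the added `getServletContext().setAttribute(...)` line runs regardless, despite its indentation; put braces around both statements. The context entry is removed only on logout or when the expired id is presented again (see the logout handler and filter changes in this commit), so a session that times out and is never seen again leaves its entry in application scope for the life of the webapp. A bounded or time-expiring store for these markers would stop that growth.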
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/10d755ac/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
index af3c58a..f79db6b 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
@@ -108,26 +108,37 @@ public class RangerSSOAuthenticationFilter implements Filter {
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)throws IOException, ServletException {
+ HttpServletRequest httpRequest = (HttpServletRequest)servletRequest;
+ if (httpRequest.getRequestedSessionId() != null && !httpRequest.isRequestedSessionIdValid())
+ {
+ if(httpRequest.getServletContext().getAttribute(httpRequest.getRequestedSessionId()) != null && httpRequest.getServletContext().getAttribute(httpRequest.getRequestedSessionId()).toString().equals("locallogin")){
+ ssoEnabled = false;
+ httpRequest.getSession().setAttribute("locallogin","true");
+ httpRequest.getServletContext().removeAttribute(httpRequest.getRequestedSessionId());
+ }
+ }
+
RangerSecurityContext context = RangerContextHolder.getSecurityContext();
UserSessionBase session = context != null ? context.getUserSession() : null;
ssoEnabled = session != null ? session.isSSOEnabled() : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false);
- String userAgent = ((HttpServletRequest)servletRequest).getHeader("User-Agent");
- if(((HttpServletRequest) servletRequest).getSession() != null){
- if(((HttpServletRequest) servletRequest).getSession().getAttribute("locallogin") != null){
+ String userAgent = httpRequest.getHeader("User-Agent");
+ if(httpRequest.getSession() != null){
+ if(httpRequest.getSession().getAttribute("locallogin") != null){
ssoEnabled = false;
servletRequest.setAttribute("ssoEnabled", false);
filterChain.doFilter(servletRequest, servletResponse);
return;
}
- }
+ }
+
//If sso is enable and request is not for local login and is from browser then it will go inside and try for knox sso authentication
- if (ssoEnabled && !((HttpServletRequest) servletRequest).getRequestURI().contains(LOCAL_LOGIN_URL) && isWebUserAgent(userAgent)) {
+ if (ssoEnabled && !httpRequest.getRequestURI().contains(LOCAL_LOGIN_URL) && isWebUserAgent(userAgent)) {
//if jwt properties are loaded and is current not authenticated then it will go for sso authentication
+ //Note : Need to remove !isAuthenticated() after knoxsso solve the bug from cross-origin script
if (jwtProperties != null && !isAuthenticated()) {
- HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
- String serializedJWT = getJWTFromCookie(httpServletRequest);
+ String serializedJWT = getJWTFromCookie(httpRequest);
// if we get the hadoop-jwt token from the cookies then will process it further
if (serializedJWT != null) {
SignedJWT jwtToken = null;
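Review bot: The `ssoEnabled = false` assigned in the new expired-session block is overwritten a few lines later by `ssoEnabled = session != null ? session.isSSOEnabled() : ...`, so it has no effect and the behaviour comes only from the `locallogin` session attribute. `ssoEnabled` is assigned without a local declaration, so it appears to be a field on a filter instance shared by all requests, and per-request writes to it can race; a local variable would be safer. The block also relies on the client-supplied `getRequestedSessionId()` to choose the login path and calls `getAttribute` twice; `"locallogin".equals(ctx.getAttribute(sid))` does the same check once and null-safely. doFilter continues past the end of this hunk.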
@@ -144,9 +155,11 @@ public class RangerSSOAuthenticationFilter implements Filter {
if (userName != null && !userName.trim().isEmpty()) {
final List<GrantedAuthority> grantedAuths = new ArrayList<>();
grantedAuths.add(new SimpleGrantedAuthority(rangerLdapDefaultRole));
+ grantedAuths.add(new SimpleGrantedAuthority("ROLE_SYS_ADMIN"));
+ grantedAuths.add(new SimpleGrantedAuthority("ROLE_KEY_ADMIN"));
final UserDetails principal = new User(userName, "",grantedAuths);
final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, "", grantedAuths);
- WebAuthenticationDetails webDetails = new WebAuthenticationDetails(httpServletRequest);
+ WebAuthenticationDetails webDetails = new WebAuthenticationDetails(httpRequest);
((AbstractAuthenticationToken) finalAuthentication).setDetails(webDetails);
RangerAuthenticationProvider authenticationProvider = new RangerAuthenticationProvider();
authenticationProvider.setSsoEnabled(ssoEnabled);
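Review bot: Every user who arrives with a valid SSO token is now given `ROLE_SYS_ADMIN` and `ROLE_KEY_ADMIN` in addition to `rangerLdapDefaultRole`, with no check on who the user is. Unless `RangerAuthenticationProvider` discards these authorities and reloads the user's real roles (not visible in this hunk), this grants administrator and key-administrator rights to any SSO identity. I would remove the two added `grantedAuths.add(new SimpleGrantedAuthority(...))` lines and resolve roles from the user's stored role assignment; if they are a temporary workaround, that needs a comment and a tracking issue. The enclosing method extends beyond the hunk.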
@@ -158,7 +171,7 @@ public class RangerSSOAuthenticationFilter implements Filter {
}
// if the token is not valid then redirect to knox sso
else {
- String ssourl = constructLoginURL(httpServletRequest);
+ String ssourl = constructLoginURL(httpRequest);
if(LOG.isDebugEnabled())
LOG.debug("SSO URL = " + ssourl);
httpServletResponse.sendRedirect(ssourl);
@@ -169,7 +182,7 @@ public class RangerSSOAuthenticationFilter implements Filter {
}
// if the jwt token is not available then redirect it to knox sso
else {
- String ssourl = constructLoginURL(httpServletRequest);
+ String ssourl = constructLoginURL(httpRequest);
if(LOG.isDebugEnabled())
LOG.debug("SSO URL = " + ssourl);
httpServletResponse.sendRedirect(ssourl);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/10d755ac/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js b/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js
index 0bb9648..c6301c3 100644
--- a/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js
+++ b/security-admin/src/main/webapp/scripts/views/common/ProfileBar.js
@@ -49,10 +49,10 @@ define(function(require){
events: function() {
var events = {};
//events['change ' + this.ui.input] = 'onInputChange';
- events['click ' + this.ui.logout] = 'onLogout';
+ events['click ' + this.ui.logout] = 'checkKnoxSSO';
return events;
},
- onLogout : function(){
+ onLogout : function(checksso){
var url = 'security-admin-web/logout.html',
that = this;
$.ajax({
@@ -62,8 +62,15 @@ define(function(require){
"cache-control" : "no-cache"
},
success : function() {
- that.checkKnoxSSO()
-// window.location.replace('login.jsp');
+ if(!_.isUndefined(checksso) && checksso){
+ if(checksso == 'false'){
+ window.location.replace('locallogin');
+ }else{
+ window.location.replace('');
+ }
+ } else {
+ window.location.replace('login.jsp');
+ }
},
error : function(jqXHR, textStatus, err ) {
}
@@ -71,7 +78,7 @@ define(function(require){
});
},
checkKnoxSSO : function(){
- var url = 'service/plugins/checksso';
+ var that =this, url = 'service/plugins/checksso';
$.ajax({
url : url,
type : 'GET',
@@ -79,19 +86,13 @@ define(function(require){
"cache-control" : "no-cache"
},
success : function(resp) {
- console.log(resp)
- if(!_.isUndefined(resp) && resp){
- window.location.replace('');
- } else {
- window.location.replace('login.jsp');
- }
+ that.onLogout(resp);
},
error : function(jqXHR, textStatus, err ) {
if( jqXHR.status == 419 ){
window.location.replace('login.jsp');
}
}
-
});
},
/**
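Review bot: Logout is now gated on the checksso request succeeding, because the click handler is bound to `checkKnoxSSO` and `onLogout` is reached only from its `success` callback. In the `error` callback a 419 only redirects to `login.jsp`, and any other failure does nothing, so `logout.html` is never requested and the server-side session may stay valid after the user has clicked logout. I would keep the 419 branch and add `else { that.onLogout(); }` so the logout request is still sent when the SSO check fails. The `error` callback of `onLogout` in the earlier hunk is also empty, so a failed logout request is equally silent to the user.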
[2/6] incubator-ranger git commit: Merge branch 'master' of
https://git-wip-us.apache.org/repos/asf/incubator-ranger
Posted by ma...@apache.org.
Merge branch 'master' of https://git-wip-us.apache.org/repos/asf/incubator-ranger
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/af8377f2
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/af8377f2
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/af8377f2
Branch: refs/heads/tag-policy
Commit: af8377f27d281c5c769d8ee0ede6e3e441658c30
Parents: 90b7f0b a733b7c
Author: rmani <rm...@hortonworks.com>
Authored: Wed Dec 2 15:32:12 2015 -0800
Committer: rmani <rm...@hortonworks.com>
Committed: Wed Dec 2 15:32:12 2015 -0800
----------------------------------------------------------------------
.../RangerAbstractConditionEvaluator.java | 3 +
.../RangerConditionEvaluator.java | 1 -
.../contextenricher/RangerTagEnricher.java | 50 +-
.../ranger/plugin/model/RangerTagDef.java | 1 +
.../policyengine/RangerPolicyEngineImpl.java | 62 +-
.../policyengine/RangerPolicyRepository.java | 25 +
.../RangerAbstractPolicyEvaluator.java | 6 +-
.../RangerAbstractPolicyItemEvaluator.java | 9 +-
.../RangerCachedPolicyEvaluator.java | 26 +-
.../RangerDefaultPolicyEvaluator.java | 96 ++-
.../RangerDefaultPolicyItemEvaluator.java | 40 +-
.../RangerOptimizedPolicyEvaluator.java | 79 ++-
.../RangerPolicyItemEvaluator.java | 2 +
.../RangerAbstractResourceMatcher.java | 6 +-
.../ranger/plugin/store/AbstractTagStore.java | 45 ++
.../apache/ranger/plugin/store/TagStore.java | 1 +
.../ranger/plugin/util/PolicyRefresher.java | 11 +-
.../plugin/policyengine/TestPolicyEngine.java | 2 +-
.../src/test/resources/log4j.properties | 35 --
agents-common/src/test/resources/log4j.xml | 53 ++
kms/scripts/dba_script.py | 8 +-
kms/scripts/exportKeysToJCEKS.sh | 19 +
kms/scripts/importJCEKSKeys.sh | 2 +-
.../hadoop/crypto/key/Ranger2JKSUtil.java | 134 +++++
.../hadoop/crypto/key/RangerKeyStore.java | 40 +-
.../kafka/authorizer/RangerKafkaAuthorizer.java | 7 +-
pom.xml | 2 +-
.../kafka/authorizer/RangerKafkaAuthorizer.java | 22 +-
security-admin/.gitignore | 2 -
security-admin/scripts/dba_script.py | 26 +-
security-admin/scripts/install.properties | 23 +-
security-admin/scripts/setup.sh | 110 ++--
.../ranger/biz/RangerPolicyRetriever.java | 7 +-
.../apache/ranger/biz/RangerTagDBRetriever.java | 597 +++++++++++++++++++
.../java/org/apache/ranger/biz/TagDBStore.java | 24 +-
.../java/org/apache/ranger/biz/UserMgr.java | 67 ++-
.../java/org/apache/ranger/biz/XUserMgr.java | 51 +-
.../ranger/db/XXServiceResourceElementDao.java | 12 +
.../db/XXServiceResourceElementValueDao.java | 25 +
.../org/apache/ranger/db/XXTagAttributeDao.java | 23 +
.../apache/ranger/db/XXTagAttributeDefDao.java | 23 +
.../java/org/apache/ranger/db/XXTagDefDao.java | 13 +
.../org/apache/ranger/rest/ServiceREST.java | 198 +++---
.../ranger/rest/ServiceTagsProcessor.java | 27 +-
.../handler/RangerAuthenticationProvider.java | 28 +-
.../java/org/apache/ranger/solr/SolrMgr.java | 2 +-
.../resources/META-INF/jpa_named_queries.xml | 77 ++-
.../conf.dist/security-applicationContext.xml | 1 -
.../src/test/resources/log4j.properties | 35 --
security-admin/src/test/resources/log4j.xml | 53 ++
src/main/assembly/kms.xml | 1 +
.../ldapconfigcheck/scripts/run.sh | 8 +-
.../ldapconfigcheck/CommandLineOptions.java | 14 +-
.../process/LdapUserGroupBuilder.java | 388 ++++++------
unixauthservice/scripts/setup.py | 4 +-
55 files changed, 2014 insertions(+), 612 deletions(-)
----------------------------------------------------------------------
[6/6] incubator-ranger git commit: Merge branch 'master' into
tag-policy
Posted by ma...@apache.org.
Merge branch 'master' into tag-policy
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/f00c4ebe
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/f00c4ebe
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/f00c4ebe
Branch: refs/heads/tag-policy
Commit: f00c4ebe014766d1c045f0114c606b83db4881e0
Parents: 42b040e 87d97cd
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Thu Dec 3 16:44:47 2015 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Thu Dec 3 16:44:47 2015 -0800
----------------------------------------------------------------------
.../plugin/client/HadoopConfigHolder.java | 62 +++--
.../RangerDefaultPolicyEvaluator.java | 4 +-
.../ranger/plugin/store/AbstractTagStore.java | 37 +--
.../service-defs/ranger-servicedef-yarn.json | 35 ++-
.../test_policyengine_tag_hive.json | 6 -
.../ranger/services/yarn/client/YarnClient.java | 228 ++++++++++---------
.../services/yarn/client/YarnConnectionMgr.java | 18 +-
.../services/yarn/client/YarnResourceMgr.java | 14 +-
.../CustomLogoutSuccessHandler.java | 2 +
.../RangerAuthenticationEntryPoint.java | 1 +
.../filter/RangerSSOAuthenticationFilter.java | 33 ++-
.../webapp/scripts/views/common/ProfileBar.js | 25 +-
12 files changed, 279 insertions(+), 186 deletions(-)
----------------------------------------------------------------------
[5/6] incubator-ranger git commit: RANGER-753: Fixed a potential NPE
introduced in Optimize Tag Download Performance
Posted by ma...@apache.org.
RANGER-753: Fixed a potential NPE introduced in Optimize Tag Download Performance
Signed-off-by: Madhan Neethiraj <ma...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/87d97cd1
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/87d97cd1
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/87d97cd1
Branch: refs/heads/tag-policy
Commit: 87d97cd14903b1bada33225081ec67d0ea6079da
Parents: cd234cd
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Thu Dec 3 14:33:13 2015 -0800
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Thu Dec 3 16:36:38 2015 -0800
----------------------------------------------------------------------
.../RangerDefaultPolicyEvaluator.java | 4 ++-
.../ranger/plugin/store/AbstractTagStore.java | 37 +++++++++++---------
2 files changed, 23 insertions(+), 18 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/87d97cd1/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
index 77fdb90..93fbcd4 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyevaluator/RangerDefaultPolicyEvaluator.java
@@ -71,7 +71,9 @@ public class RangerDefaultPolicyEvaluator extends RangerAbstractPolicyEvaluator
}
StringBuffer perfTagBuffer = new StringBuffer();
- perfTagBuffer.append("policyId=").append(policy.getId()).append(", policyName=").append(policy.getName());
+ if (policy != null) {
+ perfTagBuffer.append("policyId=").append(policy.getId()).append(", policyName=").append(policy.getName());
+ }
perfTag = perfTagBuffer.toString();
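Review bot: With the new `if (policy != null)` guard, a null policy leaves `perfTag` as an empty string, so entries recorded under that tag can no longer be attributed to an evaluator. An explicit marker keeps them identifiable: `else { perfTagBuffer.append("policyId=null"); }`. The enclosing method starts and ends outside this hunk, so whether later lines still dereference `policy` without a guard cannot be checked here and is worth confirming.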
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/87d97cd1/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java
index f22a87a..43d2254 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/AbstractTagStore.java
@@ -113,32 +113,35 @@ public abstract class AbstractTagStore implements TagStore {
List<RangerServiceResource> serviceResources = getServiceResourcesByService(serviceName);
- Set<Long> tagsToDelete = new HashSet<Long>();
+ if (serviceResources != null) {
+ Set<Long> tagsToDelete = new HashSet<Long>();
- for (RangerServiceResource serviceResource : serviceResources) {
- Long resourceId = serviceResource.getId();
- List<RangerTagResourceMap> tagResourceMapsForService = getTagResourceMapsForResourceId(resourceId);
+ for (RangerServiceResource serviceResource : serviceResources) {
+ Long resourceId = serviceResource.getId();
- if (isResourePrivateTag) {
+ List<RangerTagResourceMap> tagResourceMapsForService = getTagResourceMapsForResourceId(resourceId);
+
+ if (isResourePrivateTag) {
+ for (RangerTagResourceMap tagResourceMap : tagResourceMapsForService) {
+ Long tagId = tagResourceMap.getTagId();
+ RangerTag tag = getTag(tagId);
+ tagsToDelete.add(tag.getId());
+ }
+ }
for (RangerTagResourceMap tagResourceMap : tagResourceMapsForService) {
- Long tagId = tagResourceMap.getTagId();
- RangerTag tag = getTag(tagId);
- tagsToDelete.add(tag.getId());
+ deleteTagResourceMap(tagResourceMap.getId());
}
}
- for (RangerTagResourceMap tagResourceMap : tagResourceMapsForService) {
- deleteTagResourceMap(tagResourceMap.getId());
- }
- }
- for (RangerServiceResource serviceResource : serviceResources) {
- deleteServiceResource(serviceResource.getId());
- }
+ for (RangerServiceResource serviceResource : serviceResources) {
+ deleteServiceResource(serviceResource.getId());
+ }
- for (Long tagId : tagsToDelete) {
- deleteTag(tagId);
+ for (Long tagId : tagsToDelete) {
+ deleteTag(tagId);
+ }
}
if (LOG.isDebugEnabled()) {
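Review bot: Inside the new `if (serviceResources != null)` block two dereferences are still unguarded: `tag.getId()` on the result of `getTag(tagId)`, and both loops over `tagResourceMapsForService`. Whether those getters can return null is not visible here, but the commit treats `getServiceResourcesByService` as nullable, so the same is plausible for them; a map entry pointing at an already deleted tag would then abort the cleanup part-way and leave mappings and resources behind. I would guard the lookup with `if (tag != null) { tagsToDelete.add(tag.getId()); }` and wrap the two loops in `if (tagResourceMapsForService != null)`. The enclosing method starts and ends outside the hunk.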