You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by ga...@apache.org on 2016/04/21 08:20:16 UTC
[1/3] incubator-ranger git commit: RANGER-867 : Add Kerberos support
for ranger admin and clients
Repository: incubator-ranger
Updated Branches:
refs/heads/master 981f01a7a -> 8614032c9
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSyncConfig.java
----------------------------------------------------------------------
diff --git a/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSyncConfig.java b/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSyncConfig.java
index 9588d66..b547b8f 100644
--- a/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSyncConfig.java
+++ b/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSyncConfig.java
@@ -21,12 +21,16 @@ package org.apache.ranger.tagsync.process;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.SecureClientLogin;
import org.apache.log4j.Logger;
import java.io.*;
import java.net.URL;
+import java.net.UnknownHostException;
import java.util.Enumeration;
import java.util.Properties;
+
+//import org.apache.ranger.common.PropertiesUtil;
import org.apache.ranger.credentialapi.CredentialReader;
public class TagSyncConfig extends Configuration {
@@ -76,8 +80,23 @@ public class TagSyncConfig extends Configuration {
private static final int DEFAULT_TAGSYNC_TAGADMIN_CONNECTION_CHECK_INTERVAL = 2000;
+ private static final String AUTH_TYPE = "hadoop.security.authentication";
+ private static final String NAME_RULES = "hadoop.security.auth_to_local";
+ private static final String TAGSYNC_KERBEROS_PRICIPAL = "ranger.tagsync.kerberos.principal";
+ private static final String TAGSYNC_KERBEROS_KEYTAB = "ranger.tagsync.kerberos.keytab";
+
+ private static final String CORE_SITE_FILE = "core-site.xml";
+ private static String LOCAL_HOSTNAME = "unknown" ;
private Properties props;
+ static {
+ try {
+ LOCAL_HOSTNAME = java.net.InetAddress.getLocalHost().getCanonicalHostName();
+ } catch (UnknownHostException e) {
+ LOCAL_HOSTNAME = "unknown" ;
+ }
+ }
+
public static TagSyncConfig getInstance() {
TagSyncConfig newConfig = new TagSyncConfig();
return newConfig;
@@ -289,6 +308,29 @@ public class TagSyncConfig extends Configuration {
static public String getCustomAtlasResourceMappers(Properties prop) {
return prop.getProperty(TAGSYNC_SOURCE_ATLAS_CUSTOM_RESOURCE_MAPPERS_PROP);
}
+
+ static public String getAuthenticationType(Properties prop){
+ return prop.getProperty(AUTH_TYPE, "simple");
+ }
+
+ static public String getNameRules(Properties prop){
+ return prop.getProperty(NAME_RULES, "DEFAULT");
+ }
+
+ static public String getKerberosPrincipal(Properties prop){
+// return prop.getProperty(TAGSYNC_KERBEROS_PRICIPAL);
+ String principal = null;
+ try {
+ return SecureClientLogin.getPrincipal(prop.getProperty(TAGSYNC_KERBEROS_PRICIPAL, ""), LOCAL_HOSTNAME);
+ } catch (IOException ignored) {
+ // do nothing
+ }
+ return principal;
+ }
+
+ static public String getKerberosKeytab(Properties prop){
+ return prop.getProperty(TAGSYNC_KERBEROS_KEYTAB, "");
+ }
static public long getTagAdminConnectionCheckInterval(Properties prop) {
long ret = DEFAULT_TAGSYNC_TAGADMIN_CONNECTION_CHECK_INTERVAL;
@@ -310,8 +352,9 @@ public class TagSyncConfig extends Configuration {
private void init() {
+ readConfigFile(CORE_SITE_FILE);
readConfigFile(DEFAULT_CONFIG_FILE);
- readConfigFile(CONFIG_FILE);
+ readConfigFile(CONFIG_FILE);
props = getProps();
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java
----------------------------------------------------------------------
diff --git a/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java b/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java
index 2fd5ea1..dfc3fdb 100644
--- a/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java
+++ b/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java
@@ -26,17 +26,19 @@ import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.security.SecureClientLogin;
import org.apache.ranger.admin.client.datatype.RESTResponse;
import org.apache.ranger.tagsync.model.TagSink;
import org.apache.ranger.plugin.util.RangerRESTClient;
import org.apache.ranger.plugin.util.SearchFilter;
import org.apache.ranger.plugin.util.ServiceTags;
import org.apache.ranger.tagsync.process.TagSyncConfig;
-
+import javax.security.auth.Subject;
import javax.servlet.http.HttpServletResponse;
+
+import java.security.PrivilegedAction;
import java.util.Map;
import java.util.Properties;
-
import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.BlockingQueue;
import java.util.concurrent.LinkedBlockingQueue;
@@ -51,11 +53,18 @@ public class TagAdminRESTSink implements TagSink, Runnable {
private static final String REST_URL_IMPORT_SERVICETAGS_RESOURCE = REST_PREFIX + MODULE_PREFIX + "/importservicetags/";
+ private static final String AUTH_TYPE_KERBEROS = "kerberos";
+
private long rangerAdminConnectionCheckInterval;
private RangerRESTClient tagRESTClient = null;
private BlockingQueue<UploadWorkItem> uploadWorkItems;
+
+ private String authenticationType;
+ private String principal;
+ private String keytab;
+ private String nameRules;
private Thread myThread = null;
@@ -72,6 +81,10 @@ public class TagAdminRESTSink implements TagSink, Runnable {
String userName = TagSyncConfig.getTagAdminUserName(properties);
String password = TagSyncConfig.getTagAdminPassword(properties);
rangerAdminConnectionCheckInterval = TagSyncConfig.getTagAdminConnectionCheckInterval(properties);
+ authenticationType = TagSyncConfig.getAuthenticationType(properties);
+ nameRules = TagSyncConfig.getNameRules(properties);
+ principal = TagSyncConfig.getKerberosPrincipal(properties);
+ keytab = TagSyncConfig.getKerberosKeytab(properties);
if (LOG.isDebugEnabled()) {
LOG.debug("restUrl=" + restUrl);
@@ -82,7 +95,9 @@ public class TagAdminRESTSink implements TagSink, Runnable {
if (StringUtils.isNotBlank(restUrl)) {
tagRESTClient = new RangerRESTClient(restUrl, sslConfigFile);
- tagRESTClient.setBasicAuthInfo(userName, password);
+ if(!(!StringUtils.isEmpty(authenticationType) && authenticationType.trim().equalsIgnoreCase(AUTH_TYPE_KERBEROS) && SecureClientLogin.isKerberosCredentialExists(principal, keytab))){
+ tagRESTClient.setBasicAuthInfo(userName, password);
+ }
uploadWorkItems = new LinkedBlockingQueue<UploadWorkItem>();
ret = true;
@@ -119,6 +134,35 @@ public class TagAdminRESTSink implements TagSink, Runnable {
}
private ServiceTags doUpload(ServiceTags serviceTags) throws Exception {
+ if(!StringUtils.isEmpty(authenticationType) && authenticationType.trim().equalsIgnoreCase(AUTH_TYPE_KERBEROS) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)){
+ try{
+ Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules) ;
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("Using Principal = "+ principal + ", keytab = "+keytab);
+ }
+ final ServiceTags serviceTag = serviceTags;
+ ServiceTags ret = Subject.doAs(sub, new PrivilegedAction<ServiceTags>() {
+ @Override
+ public ServiceTags run() {
+ try{
+ return uploadServiceTags(serviceTag);
+ }catch (Exception e) {
+ LOG.error("Upload of service-tags failed with message ", e);
+ }
+ return null;
+ }
+ });
+ return ret;
+ }catch(Exception e){
+ LOG.error("Upload of service-tags failed with message ", e);
+ }
+ return null;
+ }else{
+ return uploadServiceTags(serviceTags);
+ }
+ }
+
+ private ServiceTags uploadServiceTags(ServiceTags serviceTags) throws Exception {
if(LOG.isDebugEnabled()) {
LOG.debug("==> doUpload()");
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/ugsync/pom.xml
----------------------------------------------------------------------
diff --git a/ugsync/pom.xml b/ugsync/pom.xml
index 1106e30..6ff21ca 100644
--- a/ugsync/pom.xml
+++ b/ugsync/pom.xml
@@ -141,6 +141,11 @@
<artifactId>commons-io</artifactId>
<version>${commons.io.version}</version>
</dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger-plugins-common</artifactId>
+ <version>${project.version}</version>
+ </dependency>
</dependencies>
<build>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
----------------------------------------------------------------------
diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
index f54b24a..9321e6e 100644
--- a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
+++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
@@ -53,6 +53,8 @@ public class UserGroupSyncConfig {
public static final String DEFAULT_CONFIG_FILE = "ranger-ugsync-default-site.xml" ;
+ private static final String CORE_SITE_CONFIG_FILE = "core-site.xml";
+
public static final String UGSYNC_ENABLED_PROP = "ranger.usersync.enabled" ;
public static final String UGSYNC_PM_URL_PROP = "ranger.usersync.policymanager.baseURL" ;
@@ -235,8 +237,9 @@ public class UserGroupSyncConfig {
}
private void init() {
+ readConfigFile(CORE_SITE_CONFIG_FILE);
readConfigFile(CONFIG_FILE);
- readConfigFile(DEFAULT_CONFIG_FILE);
+ readConfigFile(DEFAULT_CONFIG_FILE);
}
private void readConfigFile(String fileName) {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
----------------------------------------------------------------------
diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
index 20466ab..068c9df 100644
--- a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
+++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
@@ -22,9 +22,11 @@
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
+import java.io.IOException;
import java.io.InputStream;
import java.net.UnknownHostException;
import java.security.KeyStore;
+import java.security.PrivilegedAction;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.HashMap;
@@ -38,8 +40,10 @@ import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
+import javax.security.auth.Subject;
import javax.ws.rs.core.MediaType;
+import org.apache.hadoop.security.SecureClientLogin;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
@@ -69,6 +73,12 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
private static final Logger LOG = Logger.getLogger(PolicyMgrUserGroupBuilder.class) ;
+ private static final String AUTHENTICATION_TYPE = "hadoop.security.authentication";
+ private String AUTH_KERBEROS = "kerberos";
+ private static final String PRINCIPAL = "ranger.usersync.kerberos.principal";
+ private static final String KEYTAB = "ranger.usersync.kerberos.keytab";
+ private static final String NAME_RULE = "hadoop.security.auth_to_local";
+
public static final String PM_USER_LIST_URI = "/service/xusers/users/" ; // GET
private static final String PM_ADD_USER_URI = "/service/xusers/users/" ; // POST
private static final String PM_ADD_USER_GROUP_INFO_URI = "/service/xusers/users/userinfo" ; // POST
@@ -84,6 +94,7 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
private static final String PM_ADD_LOGIN_USER_URI = "/service/users/default" ; // POST
private static final String GROUP_SOURCE_EXTERNAL ="1";
+
private static String LOCAL_HOSTNAME = "unknown" ;
private String recordsToPullPerCall = "1000" ;
private boolean isMockRun = false ;
@@ -108,11 +119,14 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
private HostnameVerifier hv = null ;
private SSLContext sslContext = null ;
-
+ private String authenticationType = null;
+ String principal;
+ String keytab;
+ String nameRules;
static {
try {
- LOCAL_HOSTNAME = java.net.InetAddress.getLocalHost().getHostName();
+ LOCAL_HOSTNAME = java.net.InetAddress.getLocalHost().getCanonicalHostName();
} catch (UnknownHostException e) {
LOCAL_HOSTNAME = "unknown" ;
}
@@ -148,18 +162,56 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
trustStoreFilepwd = config.getSSLTrustStorePathPassword() ;
keyStoreType = KeyStore.getDefaultType() ;
trustStoreType = KeyStore.getDefaultType() ;
-
+ authenticationType = config.getProperty(AUTHENTICATION_TYPE,"simple");
+ try {
+ principal = SecureClientLogin.getPrincipal(config.getProperty(PRINCIPAL,""), LOCAL_HOSTNAME);
+ } catch (IOException ignored) {
+ // do nothing
+ }
+ keytab = config.getProperty(KEYTAB,"");
+ nameRules = config.getProperty(NAME_RULE,"DEFAULT");
buildUserGroupInfo() ;
}
private void buildUserGroupInfo() throws Throwable {
- buildGroupList();
- buildUserList();
- buildUserGroupLinkList() ;
- rebuildUserGroupMap() ;
- if (LOG.isDebugEnabled()) {
- this.print();
- }
+ if(authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)){
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> Kerberos Environment : Principal is " + principal + " and Keytab is " + keytab);
+ }
+ }
+ if (authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)) {
+ try {
+ LOG.info("Using principal = " + principal + " and keytab = " + keytab);
+ Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules);
+ Subject.doAs(sub, new PrivilegedAction<Void>() {
+ @Override
+ public Void run() {
+ try {
+ buildGroupList();
+ buildUserList();
+ buildUserGroupLinkList() ;
+ rebuildUserGroupMap() ;
+ if (LOG.isDebugEnabled()) {
+ // this.print();
+ }
+ } catch (Exception e) {
+ LOG.error("Failed to build Group List : ", e);
+ }
+ return null;
+ }
+ });
+ } catch (Exception e) {
+ LOG.error("Failed to Authenticate Using given Principal and Keytab : ",e);
+ }
+ } else {
+ buildGroupList();
+ buildUserList();
+ buildUserGroupLinkList() ;
+ rebuildUserGroupMap() ;
+ if (LOG.isDebugEnabled()) {
+ this.print();
+ }
+ }
}
private String getURL(String uri) {
@@ -341,46 +393,46 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
}
}
-
private void buildGroupList() {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> PolicyMgrUserGroupBuilder.buildGroupList");
+ }
+ Client c = getClient() ;
- Client c = getClient() ;
-
- int totalCount = 100 ;
- int retrievedCount = 0 ;
-
- while (retrievedCount < totalCount) {
-
- WebResource r = c.resource(getURL(PM_GROUP_LIST_URI))
- .queryParam("pageSize", recordsToPullPerCall)
- .queryParam("startIndex", String.valueOf(retrievedCount)) ;
-
- String response = r.accept(MediaType.APPLICATION_JSON_TYPE).get(String.class);
+ int totalCount = 100 ;
+ int retrievedCount = 0 ;
+
+ while (retrievedCount < totalCount) {
+ WebResource r = c.resource(getURL(PM_GROUP_LIST_URI))
+ .queryParam("pageSize", recordsToPullPerCall)
+ .queryParam("startIndex", String.valueOf(retrievedCount)) ;
+
+ String response = r.accept(MediaType.APPLICATION_JSON_TYPE).get(String.class);
- LOG.debug("RESPONSE: [" + response + "]") ;
+ LOG.debug("RESPONSE: [" + response + "]") ;
- Gson gson = new GsonBuilder().create() ;
-
- GetXGroupListResponse groupList = gson.fromJson(response, GetXGroupListResponse.class) ;
-
- totalCount = groupList.getTotalCount() ;
-
- if (groupList.getXgroupInfoList() != null) {
- xgroupList.addAll(groupList.getXgroupInfoList()) ;
- retrievedCount = xgroupList.size() ;
+ Gson gson = new GsonBuilder().create() ;
- for(XGroupInfo g : groupList.getXgroupInfoList()) {
- LOG.debug("GROUP: Id:" + g.getId() + ", Name: " + g.getName() + ", Description: " + g.getDescription()) ;
- }
- }
- }
+ GetXGroupListResponse groupList = gson.fromJson(response, GetXGroupListResponse.class) ;
+
+ totalCount = groupList.getTotalCount() ;
+
+ if (groupList.getXgroupInfoList() != null) {
+ xgroupList.addAll(groupList.getXgroupInfoList());
+ retrievedCount = xgroupList.size();
+ for (XGroupInfo g : groupList.getXgroupInfoList()) {
+ LOG.debug("GROUP: Id:" + g.getId() + ", Name: "+ g.getName() + ", Description: "+ g.getDescription());
+ }
+ }
+ }
}
-
private void buildUserList() {
-
- Client c = getClient() ;
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> PolicyMgrUserGroupBuilder.buildUserList");
+ }
+ Client c = getClient() ;
int totalCount = 100 ;
int retrievedCount = 0 ;
@@ -410,12 +462,12 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
}
}
}
-
}
-
private void buildUserGroupLinkList() {
-
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> PolicyMgrUserGroupBuilder.buildUserGroupLinkList");
+ }
Client c = getClient() ;
int totalCount = 100 ;
@@ -446,14 +498,13 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
}
}
}
-
}
-
-
+
private UserGroupInfo addUserGroupInfo(String userName, List<String> groups){
-
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> PolicyMgrUserGroupBuilder.addUserGroupInfo " + userName + " and groups");
+ }
UserGroupInfo ret = null;
-
XUserInfo user = null;
LOG.debug("INFO: addPMXAUser(" + userName + ")" ) ;
@@ -467,7 +518,32 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
if (! isMockRun ) {
addXUserGroupInfo(user, groups) ;
}
-
+ if (authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)){
+ try {
+ Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules);
+ final UserGroupInfo result = ret;
+ ret = Subject.doAs(sub, new PrivilegedAction<UserGroupInfo>() {
+ @Override
+ public UserGroupInfo run() {
+ try {
+ return getUsergroupInfo(result);
+ } catch (Exception e) {
+ LOG.error("Failed to add User Group Info : ", e);
+ }
+ return null;
+ }
+ });
+ return ret;
+ } catch (Exception e) {
+ LOG.error("Failed to Authenticate Using given Principal and Keytab : " , e);
+ }
+ return null;
+ }else{
+ return getUsergroupInfo(ret);
+ }
+ }
+
+ private UserGroupInfo getUsergroupInfo(UserGroupInfo ret) {
Client c = getClient();
WebResource r = c.resource(getURL(PM_ADD_USER_GROUP_INFO_URI));
@@ -495,13 +571,10 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
}
}
- return ret;
+ return ret;
}
- private void addUserGroupInfo(UserGroupInfo usergroupInfo){
-
- UserGroupInfo ret = null;
-
+ private void getUserGroupInfo(UserGroupInfo ret, UserGroupInfo usergroupInfo) {
Client c = getClient();
WebResource r = c.resource(getURL(PM_ADD_USER_GROUP_INFO_URI));
@@ -530,6 +603,35 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
}
}
}
+
+ private void addUserGroupInfo(UserGroupInfo usergroupInfo){
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> PolicyMgrUserGroupBuilder.addUserGroupInfo");
+ }
+ UserGroupInfo ret = null;
+ if (authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)) {
+ try {
+ Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules);
+ final UserGroupInfo result = ret;
+ final UserGroupInfo ugInfo = usergroupInfo;
+ Subject.doAs(sub, new PrivilegedAction<Void>() {
+ @Override
+ public Void run() {
+ try {
+ getUserGroupInfo(result, ugInfo);
+ } catch (Exception e) {
+ LOG.error("Failed to add User Group Info : ", e);
+ }
+ return null;
+ }
+ });
+ } catch (Exception e) {
+ LOG.error("Failed to Authenticate Using given Principal and Keytab : ",e);
+ }
+ } else {
+ getUserGroupInfo(ret, usergroupInfo);
+ }
+ }
private XUserInfo addXUserInfo(String aUserName) {
@@ -609,11 +711,31 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
}
- private void delXUserGroupInfo(XUserInfo aUserInfo, List<String> aGroupList) {
+ private void delXUserGroupInfo(final XUserInfo aUserInfo, List<String> aGroupList) {
for(String groupName : aGroupList) {
- XGroupInfo group = groupName2XGroupInfoMap.get(groupName) ;
+ final XGroupInfo group = groupName2XGroupInfoMap.get(groupName) ;
if (group != null) {
- delXUserGroupInfo(aUserInfo, group) ;
+ if (authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)) {
+ try {
+ LOG.info("Using principal = " + principal + " and keytab = " + keytab);
+ Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules);
+ Subject.doAs(sub, new PrivilegedAction<Void>() {
+ @Override
+ public Void run() {
+ try {
+ delXUserGroupInfo(aUserInfo, group);
+ } catch (Exception e) {
+ LOG.error("Failed to build Group List : ", e);
+ }
+ return null;
+ }
+ });
+ } catch (Exception e) {
+ LOG.error("Failed to Authenticate Using given Principal and Keytab : ",e);
+ }
+ } else {
+ delXUserGroupInfo(aUserInfo, group);
+ }
}
}
}
@@ -650,19 +772,44 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
}
-
private MUserInfo addMUser(String aUserName) {
-
- MUserInfo ret = null ;
-
- MUserInfo userInfo = new MUserInfo() ;
+ MUserInfo ret = null;
+ MUserInfo userInfo = new MUserInfo();
userInfo.setLoginId(aUserName);
userInfo.setFirstName(aUserName);
userInfo.setLastName(aUserName);
userInfo.setEmailAddress(aUserName + "@" + LOCAL_HOSTNAME);
-
- Client c = getClient() ;
+
+ if (authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)) {
+ try {
+ Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules);
+ final MUserInfo result = ret;
+ final MUserInfo userInfoFinal = userInfo;
+ ret = Subject.doAs(sub, new PrivilegedAction<MUserInfo>() {
+ @Override
+ public MUserInfo run() {
+ try {
+ return getMUser(userInfoFinal, result);
+ } catch (Exception e) {
+ LOG.error("Failed to add User : ", e);
+ }
+ return null;
+ }
+ });
+ return ret;
+ } catch (Exception e) {
+ LOG.error("Failed to Authenticate Using given Principal and Keytab : " , e);
+ }
+ return null;
+ } else {
+ return getMUser(userInfo, ret);
+ }
+ }
+
+
+ private MUserInfo getMUser(MUserInfo userInfo, MUserInfo ret) {
+ Client c = getClient() ;
WebResource r = c.resource(getURL(PM_ADD_LOGIN_USER_URI)) ;
@@ -679,10 +826,7 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
LOG.debug("MUser Creation successful " + ret);
return ret ;
-
-
}
-
private synchronized Client getClient() {
@@ -771,16 +915,18 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
cc.getProperties().put(ClientConfig.PROPERTY_FOLLOW_REDIRECTS, true);
ret = Client.create(cc);
}
- if(ret!=null){
- String username = config.getPolicyMgrUserName();
- String password = config.getPolicyMgrPassword();
- if(username==null||password==null||username.trim().isEmpty()||password.trim().isEmpty()){
- username=config.getDefaultPolicyMgrUserName();
- password=config.getDefaultPolicyMgrPassword();
- }
- if(username!=null && password!=null){
- ret.addFilter(new HTTPBasicAuthFilter(username, password));
- }
+ if(!(authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType) && SecureClientLogin.isKerberosCredentialExists(principal, keytab))){
+ if(ret!=null){
+ String username = config.getPolicyMgrUserName();
+ String password = config.getPolicyMgrPassword();
+ if(username==null||password==null||username.trim().isEmpty()||password.trim().isEmpty()){
+ username=config.getDefaultPolicyMgrUserName();
+ password=config.getDefaultPolicyMgrPassword();
+ }
+ if(username!=null && password!=null){
+ ret.addFilter(new HTTPBasicAuthFilter(username, password));
+ }
+ }
}
return ret ;
}
@@ -832,7 +978,7 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
}
}
- private XGroupInfo addGroupInfo(String groupName){
+ private XGroupInfo addGroupInfo(final String groupName){
XGroupInfo ret = null;
XGroupInfo group = null;
@@ -840,6 +986,34 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
if (! isMockRun) {
group = addXGroupInfo(groupName) ;
}
+ if (authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType) && SecureClientLogin.isKerberosCredentialExists(principal,keytab)) {
+ try {
+ LOG.info("Using principal = " + principal + " and keytab = " + keytab);
+ Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules);
+ final XGroupInfo groupInfo = group;
+ ret = Subject.doAs(sub, new PrivilegedAction<XGroupInfo>() {
+ @Override
+ public XGroupInfo run() {
+ try {
+ return getAddedGroupInfo(groupInfo);
+ } catch (Exception e) {
+ LOG.error("Failed to build Group List : ", e);
+ }
+ return null;
+ }
+ });
+ return ret;
+ } catch (Exception e) {
+ LOG.error("Failed to Authenticate Using given Principal and Keytab : ", e);
+ }
+ return null;
+ } else {
+ return getAddedGroupInfo(group);
+ }
+ }
+
+ private XGroupInfo getAddedGroupInfo(XGroupInfo group){
+ XGroupInfo ret = null;
Client c = getClient();
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/unixauthservice/scripts/install.properties
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/install.properties b/unixauthservice/scripts/install.properties
index f206d0a..f4fd4c0 100644
--- a/unixauthservice/scripts/install.properties
+++ b/unixauthservice/scripts/install.properties
@@ -42,6 +42,10 @@ SYNC_INTERVAL =
unix_user=ranger
unix_group=ranger
+#Set to run in kerberos environment
+usersync_principal=
+usersync_keytab=
+hadoop_conf=/etc/hadoop/conf
#
# The file where all credential is kept in cryptic format
#
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/unixauthservice/scripts/ranger-usersync-services.sh
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/ranger-usersync-services.sh b/unixauthservice/scripts/ranger-usersync-services.sh
index 9cd5ee2..ed3c936 100644
--- a/unixauthservice/scripts/ranger-usersync-services.sh
+++ b/unixauthservice/scripts/ranger-usersync-services.sh
@@ -47,7 +47,7 @@ if [ "${action}" == "START" ]; then
export PATH=$JAVA_HOME/bin:$PATH
fi
- cp="${cdir}/dist/*:${cdir}/lib/*:${cdir}/conf"
+ cp="${cdir}/dist/*:${cdir}/lib/*:${cdir}/conf:${RANGER_USERSYNC_HADOOP_CONF_DIR}/*"
if [ -f $pidf ]; then
PID=`cat $pidf`
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/unixauthservice/scripts/setup.py
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/setup.py b/unixauthservice/scripts/setup.py
index 8bb3bf0..1f46546 100755
--- a/unixauthservice/scripts/setup.py
+++ b/unixauthservice/scripts/setup.py
@@ -86,6 +86,8 @@ SYNC_LDAP_BIND_PASSWORD_KEY = 'ranger.usersync.ldap.ldapbindpassword'
credUpdateClassName = 'org.apache.ranger.credentialapi.buildks'
#credUpdateClassName = 'com.hortonworks.credentialapi.buildks'
ENV_LOGDIR_FILE = 'ranger-usersync-env-logdir.sh'
+hadoopConfFileName = 'core-site.xml'
+ENV_HADOOP_CONF_FILE = "ranger-usersync-env-hadoopconfdir.sh"
RANGER_USERSYNC_HOME = os.getenv("RANGER_USERSYNC_HOME")
@@ -307,18 +309,31 @@ def createJavaKeystoreForSSL(fn,passwd):
sys.exit(1)
return ret
-def write_env_files(log_path):
- final_path = "{0}/{1}".format(confBaseDirName,ENV_LOGDIR_FILE)
+def write_env_files(exp_var_name, log_path, file_name):
+ final_path = "{0}/{1}".format(confBaseDirName,file_name)
if not os.path.isfile(final_path):
- print "Creating %s file" % ENV_LOGDIR_FILE
+ print "Creating %s file" % file_name
f = open(final_path, "w")
- f.write("export logdir={0}".format(log_path))
+ f.write("export {0}={1}".format(exp_var_name,log_path))
f.close()
def main():
populate_global_dict()
logFolderName = globalDict['logdir']
+ hadoop_conf = globalDict['hadoop_conf']
+
+ hadoop_conf_full_path = os.path.join(hadoop_conf, hadoopConfFileName)
+ usersync_conf_full_path = os.path.join(usersyncBaseDirFullName,confBaseDirName,hadoopConfFileName)
+ if not isfile(hadoop_conf_full_path):
+ print "WARN: core-site.xml file not found in provided hadoop conf path..."
+ f = open(usersync_conf_full_path, "w")
+ f.write("<configuration></configuration>")
+ f.close()
+ else:
+ if os.path.islink(usersync_conf_full_path):
+ os.remove(usersync_conf_full_path)
+
if logFolderName.lower() == "$pwd" or logFolderName == "" :
logFolderName = os.path.join(os.getcwd(),"logs")
ugsyncLogFolderName = logFolderName
@@ -485,8 +500,14 @@ def main():
else:
print "WARNING: Unix Authentication Program (%s) is not available for setting chmod(4550), chown(%s:%s) " % (nativeAuthProgramName, "root", groupName)
- write_env_files(logFolderName);
+ write_env_files("logdir", logFolderName, ENV_LOGDIR_FILE);
+ write_env_files("RANGER_USERSYNC_HADOOP_CONF_DIR", hadoop_conf, ENV_HADOOP_CONF_FILE);
os.chown(os.path.join(confBaseDirName, ENV_LOGDIR_FILE),ownerId,groupId)
os.chmod(os.path.join(confBaseDirName, ENV_LOGDIR_FILE),0755)
+ os.chown(os.path.join(confBaseDirName, ENV_HADOOP_CONF_FILE),ownerId,groupId)
+ os.chmod(os.path.join(confBaseDirName, ENV_HADOOP_CONF_FILE),0755)
+
+ if isfile(hadoop_conf_full_path):
+ os.symlink(hadoop_conf_full_path, usersync_conf_full_path)
main()
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/unixauthservice/scripts/templates/installprop2xml.properties
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/templates/installprop2xml.properties b/unixauthservice/scripts/templates/installprop2xml.properties
index 77b8eac..a78157e 100644
--- a/unixauthservice/scripts/templates/installprop2xml.properties
+++ b/unixauthservice/scripts/templates/installprop2xml.properties
@@ -49,3 +49,5 @@ AUTH_SSL_TRUSTSTORE_FILE = ranger.usersync.truststore.file
AUTH_SSL_TRUSTSTORE_PASSWORD = ranger.usersync.truststore.password
AUTH_SSL_ENABLED = ranger.usersync.enabled
SYNC_LDAP_REFERRAL = ranger.usersync.ldap.referral
+usersync_principal= ranger.usersync.kerberos.principal
+usersync_keytab= ranger.usersync.kerberos.keytab
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/unixauthservice/scripts/templates/ranger-ugsync-template.xml
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/templates/ranger-ugsync-template.xml b/unixauthservice/scripts/templates/ranger-ugsync-template.xml
index 2bf5562..d32ef33 100644
--- a/unixauthservice/scripts/templates/ranger-ugsync-template.xml
+++ b/unixauthservice/scripts/templates/ranger-ugsync-template.xml
@@ -185,4 +185,12 @@
<name>ranger.usersync.ldap.referral</name>
<value></value>
</property>
+ <property>
+ <name>ranger.usersync.kerberos.principal</name>
+ <value></value>
+ </property>
+ <property>
+ <name>ranger.usersync.kerberos.keytab</name>
+ <value></value>
+ </property>
</configuration>
[3/3] incubator-ranger git commit: RANGER-867 : Add Kerberos support
for ranger admin and clients
Posted by ga...@apache.org.
RANGER-867 : Add Kerberos support for ranger admin and clients
Signed-off-by: Gautam Borad <ga...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/8614032c
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/8614032c
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/8614032c
Branch: refs/heads/master
Commit: 8614032c909dd5599fedc35c8f4b80f71b3a950d
Parents: 981f01a
Author: Ankita Sinha <an...@freestoneinfotech.com>
Authored: Wed Apr 20 14:35:46 2016 +0530
Committer: Gautam Borad <ga...@apache.org>
Committed: Thu Apr 21 11:50:01 2016 +0530
----------------------------------------------------------------------
.../hadoop/security/SecureClientLogin.java | 71 ++-
.../admin/client/RangerAdminRESTClient.java | 121 +++-
.../hadoop/config/RangerConfiguration.java | 5 +
.../apache/ranger/plugin/client/BaseClient.java | 86 +--
.../plugin/client/HadoopConfigHolder.java | 31 +-
.../plugin/store/rest/ServiceRESTStore.java | 23 +-
.../ranger/plugin/util/RangerRESTUtils.java | 5 +
.../main/resources/resourcenamemap.properties | 2 +
embeddedwebserver/pom.xml | 15 +
.../scripts/ranger-admin-services.sh | 4 +-
.../ranger/server/tomcat/EmbeddedServer.java | 80 ++-
.../ranger/services/hdfs/client/HdfsClient.java | 32 +-
.../ranger/services/kms/client/KMSClient.java | 28 +-
.../services/kms/client/KMSConnectionMgr.java | 15 +-
.../services/kms/client/KMSResourceMgr.java | 9 +-
security-admin/scripts/install.properties | 11 +
security-admin/scripts/setup.sh | 93 +++
.../java/org/apache/ranger/biz/KmsKeyMgr.java | 7 +-
.../org/apache/ranger/biz/RangerBizUtil.java | 22 +
.../org/apache/ranger/biz/ServiceDBStore.java | 51 +-
.../java/org/apache/ranger/biz/ServiceMgr.java | 37 +-
.../java/org/apache/ranger/biz/SessionMgr.java | 19 +
.../java/org/apache/ranger/biz/XUserMgr.java | 2 +-
.../apache/ranger/common/UserSessionBase.java | 9 +
.../org/apache/ranger/rest/PublicAPIsv2.java | 5 +-
.../org/apache/ranger/rest/ServiceREST.java | 292 +++++++++-
.../java/org/apache/ranger/rest/TagREST.java | 80 +++
.../apache/ranger/rest/TagRESTConstants.java | 1 +
.../context/RangerPreAuthSecurityHandler.java | 9 +
.../filter/RangerKRBAuthenticationFilter.java | 569 ++++++++++++++++++
.../security/web/filter/RangerKrbFilter.java | 576 +++++++++++++++++++
.../resources/conf.dist/ranger-admin-site.xml | 38 ++
.../conf.dist/security-applicationContext.xml | 8 +-
.../main/resources/resourcenamemap.properties | 2 +
.../main/webapp/META-INF/applicationContext.xml | 3 +-
.../org/apache/ranger/rest/TestServiceREST.java | 1 -
src/main/assembly/admin-web.xml | 6 +
src/main/assembly/usersync.xml | 1 +
.../services/storm/client/StormClient.java | 55 +-
.../storm/client/StormConnectionMgr.java | 17 +-
.../services/storm/client/StormResourceMgr.java | 9 +-
.../conf/templates/installprop2xml.properties | 5 +-
.../conf/templates/ranger-tagsync-template.xml | 11 +-
tagsync/scripts/install.properties | 7 +-
tagsync/scripts/ranger-tagsync-services.sh | 2 +-
tagsync/scripts/setup.py | 47 ++
.../ranger/tagsync/process/TagSyncConfig.java | 45 +-
.../tagsync/sink/tagadmin/TagAdminRESTSink.java | 50 +-
ugsync/pom.xml | 5 +
.../config/UserGroupSyncConfig.java | 5 +-
.../process/PolicyMgrUserGroupBuilder.java | 332 ++++++++---
unixauthservice/scripts/install.properties | 4 +
.../scripts/ranger-usersync-services.sh | 2 +-
unixauthservice/scripts/setup.py | 31 +-
.../templates/installprop2xml.properties | 2 +
.../templates/ranger-ugsync-template.xml | 8 +
56 files changed, 2758 insertions(+), 248 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/agents-common/src/main/java/org/apache/hadoop/security/SecureClientLogin.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/hadoop/security/SecureClientLogin.java b/agents-common/src/main/java/org/apache/hadoop/security/SecureClientLogin.java
index ba0c443..ce78cbe 100644
--- a/agents-common/src/main/java/org/apache/hadoop/security/SecureClientLogin.java
+++ b/agents-common/src/main/java/org/apache/hadoop/security/SecureClientLogin.java
@@ -18,6 +18,7 @@
*/
package org.apache.hadoop.security;
+import java.io.File;
import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
@@ -31,11 +32,16 @@ import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
import org.apache.hadoop.security.authentication.util.KerberosUtil;
-
+import org.apache.hadoop.security.authentication.util.KerberosName;
+import org.apache.hadoop.util.StringUtils;
public class SecureClientLogin {
+ private static final Log LOG = LogFactory.getLog(SecureClientLogin.class);
+ public static final String HOSTNAME_PATTERN = "_HOST";
public synchronized static Subject loginUserFromKeytab(String user, String path) throws IOException {
try {
@@ -49,6 +55,20 @@ public class SecureClientLogin {
throw new IOException("Login failure for " + user + " from keytab " + path, le);
}
}
+
+ public synchronized static Subject loginUserFromKeytab(String user, String path, String nameRules) throws IOException {
+ try {
+ Subject subject = new Subject();
+ SecureClientLoginConfiguration loginConf = new SecureClientLoginConfiguration(true, user, path);
+ LoginContext login = new LoginContext("hadoop-keytab-kerberos", subject, null, loginConf);
+ KerberosName.setRules(nameRules);
+ subject.getPrincipals().add(new User(user, AuthenticationMethod.KERBEROS, login));
+ login.login();
+ return login.getSubject();
+ } catch (LoginException le) {
+ throw new IOException("Login failure for " + user + " from keytab " + path, le);
+ }
+ }
public synchronized static Subject loginUserWithPassword(String user, String password) throws IOException {
String tmpPass = password;
@@ -90,7 +110,54 @@ public class SecureClientLogin {
public static Principal createUserPrincipal(String aLoginName) {
return new User(aLoginName) ;
}
-
+
+ public static boolean isKerberosCredentialExists(String principal, String keytabPath){
+ boolean isValid = false;
+ if (keytabPath != null && !keytabPath.isEmpty()) {
+ File keytabFile = new File(keytabPath);
+ if (!keytabFile.exists()) {
+ LOG.warn(keytabPath + " doesn't exist.");
+ } else if (!keytabFile.canRead()) {
+ LOG.warn("Unable to read " + keytabPath + " Please check the file access permissions for user");
+ }else{
+ isValid = true;
+ }
+ } else {
+ LOG.warn("Can't find keyTab Path : "+keytabPath);
+ }
+ if (!(principal != null && !principal.isEmpty() && isValid)) {
+ isValid = false;
+ LOG.warn("Can't find principal : "+principal);
+ }
+ return isValid;
+ }
+
+ public static String getPrincipal(String principalConfig, String hostName) throws IOException {
+ String[] components = getComponents(principalConfig);
+ if (components == null || components.length != 3 || !components[1].equals(HOSTNAME_PATTERN)) {
+ return principalConfig;
+ } else {
+ if (hostName == null) {
+ throw new IOException("Can't replace " + HOSTNAME_PATTERN + " pattern since client ranger.service.host is null");
+ }
+ return replacePattern(components, hostName);
+ }
+ }
+
+ private static String[] getComponents(String principalConfig) {
+ if (principalConfig == null)
+ return null;
+ return principalConfig.split("[/@]");
+ }
+
+ private static String replacePattern(String[] components, String hostname)
+ throws IOException {
+ String fqdn = hostname;
+ if (fqdn == null || fqdn.isEmpty() || fqdn.equals("0.0.0.0")) {
+ fqdn = java.net.InetAddress.getLocalHost().getCanonicalHostName();
+ }
+ return components[0] + "/" + StringUtils.toLowerCase(fqdn) + "@" + components[2];
+ }
}
class SecureClientLoginConfiguration extends javax.security.auth.login.Configuration {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
index bd2b749..afa347e 100644
--- a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
+++ b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
@@ -27,13 +27,15 @@ import com.sun.jersey.api.client.WebResource;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.security.AccessControlException;
+import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ranger.admin.client.datatype.RESTResponse;
-
+import org.apache.ranger.audit.provider.MiscUtil;
import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
import org.apache.ranger.plugin.util.*;
import java.lang.reflect.ParameterizedType;
import java.lang.reflect.Type;
+import java.security.PrivilegedAction;
import java.util.List;
public class RangerAdminRESTClient implements RangerAdminClient {
@@ -44,7 +46,6 @@ public class RangerAdminRESTClient implements RangerAdminClient {
private RangerRESTClient restClient = null;
private RangerRESTUtils restUtils = new RangerRESTUtils();
-
public RangerAdminRESTClient() {
}
@@ -76,31 +77,44 @@ public class RangerAdminRESTClient implements RangerAdminClient {
String sslConfigFileName = RangerConfiguration.getInstance().get(propertyPrefix + ".policy.rest.ssl.config.file");
int restClientConnTimeOutMs = RangerConfiguration.getInstance().getInt(propertyPrefix + ".policy.rest.client.connection.timeoutMs", 120 * 1000);
int restClientReadTimeOutMs = RangerConfiguration.getInstance().getInt(propertyPrefix + ".policy.rest.client.read.timeoutMs", 30 * 1000);
-
+
init(url, sslConfigFileName, restClientConnTimeOutMs , restClientReadTimeOutMs);
}
@Override
- public ServicePolicies getServicePoliciesIfUpdated(long lastKnownVersion) throws Exception {
+ public ServicePolicies getServicePoliciesIfUpdated(final long lastKnownVersion) throws Exception {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerAdminRESTClient.getServicePoliciesIfUpdated(" + lastKnownVersion + ")");
}
ServicePolicies ret = null;
- WebResource webResource = createWebResource(RangerRESTUtils.REST_URL_POLICY_GET_FOR_SERVICE_IF_UPDATED + serviceName)
- .queryParam(RangerRESTUtils.REST_PARAM_LAST_KNOWN_POLICY_VERSION, Long.toString(lastKnownVersion))
- .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
- ClientResponse response = webResource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class);
-
+ ClientResponse response = null;
+ if (MiscUtil.getUGILoginUser() != null && UserGroupInformation.isSecurityEnabled()) {
+ LOG.info("Checking Service policy if updated as user : " + MiscUtil.getUGILoginUser());
+ PrivilegedAction<ClientResponse> action = new PrivilegedAction<ClientResponse>() {
+ public ClientResponse run() {
+ WebResource secureWebResource = createWebResource(RangerRESTUtils.REST_URL_POLICY_GET_FOR_SECURE_SERVICE_IF_UPDATED + serviceName)
+ .queryParam(RangerRESTUtils.REST_PARAM_LAST_KNOWN_POLICY_VERSION, Long.toString(lastKnownVersion))
+ .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
+ return secureWebResource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class);
+ };
+ };
+ response = MiscUtil.getUGILoginUser().doAs(action);
+ }else{
+ WebResource webResource = createWebResource(RangerRESTUtils.REST_URL_POLICY_GET_FOR_SERVICE_IF_UPDATED + serviceName)
+ .queryParam(RangerRESTUtils.REST_PARAM_LAST_KNOWN_POLICY_VERSION, Long.toString(lastKnownVersion))
+ .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
+ response = webResource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class);
+ }
+
if(response != null && response.getStatus() == 200) {
ret = response.getEntity(ServicePolicies.class);
} else if(response != null && response.getStatus() == 304) {
// no change
} else {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.error("Error getting policies. request=" + webResource.toString()
- + ", response=" + resp.toString() + ", serviceName=" + serviceName);
+ LOG.error("Error getting policies. response=" + resp.toString() + ", serviceName=" + serviceName);
throw new Exception(resp.getMessage());
}
@@ -112,15 +126,27 @@ public class RangerAdminRESTClient implements RangerAdminClient {
}
@Override
- public void grantAccess(GrantRevokeRequest request) throws Exception {
+ public void grantAccess(final GrantRevokeRequest request) throws Exception {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerAdminRESTClient.grantAccess(" + request + ")");
}
- WebResource webResource = createWebResource(RangerRESTUtils.REST_URL_SERVICE_GRANT_ACCESS + serviceName)
- .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
- ClientResponse response = webResource.accept(RangerRESTUtils.REST_EXPECTED_MIME_TYPE).type(RangerRESTUtils.REST_EXPECTED_MIME_TYPE).post(ClientResponse.class, restClient.toJson(request));
-
+ ClientResponse response = null;
+ if (MiscUtil.getUGILoginUser() != null && UserGroupInformation.isSecurityEnabled()) {
+ PrivilegedAction<ClientResponse> action = new PrivilegedAction<ClientResponse>() {
+ public ClientResponse run() {
+ WebResource secureWebResource = createWebResource(RangerRESTUtils.REST_URL_SECURE_SERVICE_GRANT_ACCESS + serviceName)
+ .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
+ return secureWebResource.accept(RangerRESTUtils.REST_EXPECTED_MIME_TYPE).type(RangerRESTUtils.REST_EXPECTED_MIME_TYPE).post(ClientResponse.class, restClient.toJson(request));
+ };
+ };
+ LOG.info("grantAccess as user " + MiscUtil.getUGILoginUser());
+ response = MiscUtil.getUGILoginUser().doAs(action);
+ } else {
+ WebResource webResource = createWebResource(RangerRESTUtils.REST_URL_SERVICE_GRANT_ACCESS + serviceName)
+ .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
+ response = webResource.accept(RangerRESTUtils.REST_EXPECTED_MIME_TYPE).type(RangerRESTUtils.REST_EXPECTED_MIME_TYPE).post(ClientResponse.class, restClient.toJson(request));
+ }
if(response != null && response.getStatus() != 200) {
LOG.error("grantAccess() failed: HTTP status=" + response.getStatus());
@@ -139,14 +165,27 @@ public class RangerAdminRESTClient implements RangerAdminClient {
}
@Override
- public void revokeAccess(GrantRevokeRequest request) throws Exception {
+ public void revokeAccess(final GrantRevokeRequest request) throws Exception {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerAdminRESTClient.revokeAccess(" + request + ")");
}
- WebResource webResource = createWebResource(RangerRESTUtils.REST_URL_SERVICE_REVOKE_ACCESS + serviceName)
- .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
- ClientResponse response = webResource.accept(RangerRESTUtils.REST_EXPECTED_MIME_TYPE).type(RangerRESTUtils.REST_EXPECTED_MIME_TYPE).post(ClientResponse.class, restClient.toJson(request));
+ ClientResponse response = null;
+ if (MiscUtil.getUGILoginUser() != null && UserGroupInformation.isSecurityEnabled()) {
+ PrivilegedAction<ClientResponse> action = new PrivilegedAction<ClientResponse>() {
+ public ClientResponse run() {
+ WebResource secureWebResource = createWebResource(RangerRESTUtils.REST_URL_SECURE_SERVICE_REVOKE_ACCESS + serviceName)
+ .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
+ return secureWebResource.accept(RangerRESTUtils.REST_EXPECTED_MIME_TYPE).type(RangerRESTUtils.REST_EXPECTED_MIME_TYPE).post(ClientResponse.class, restClient.toJson(request));
+ };
+ };
+ LOG.info("revokeAccess as user " + MiscUtil.getUGILoginUser());
+ response = MiscUtil.getUGILoginUser().doAs(action);
+ } else {
+ WebResource webResource = createWebResource(RangerRESTUtils.REST_URL_SERVICE_REVOKE_ACCESS + serviceName)
+ .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
+ response = webResource.accept(RangerRESTUtils.REST_EXPECTED_MIME_TYPE).type(RangerRESTUtils.REST_EXPECTED_MIME_TYPE).post(ClientResponse.class, restClient.toJson(request));
+ }
if(response != null && response.getStatus() != 200) {
LOG.error("revokeAccess() failed: HTTP status=" + response.getStatus());
@@ -186,18 +225,31 @@ public class RangerAdminRESTClient implements RangerAdminClient {
}
@Override
- public ServiceTags getServiceTagsIfUpdated(long lastKnownVersion) throws Exception {
+ public ServiceTags getServiceTagsIfUpdated(final long lastKnownVersion) throws Exception {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerAdminRESTClient.getServiceTagsIfUpdated(" + lastKnownVersion + "): ");
}
ServiceTags ret = null;
-
- WebResource webResource = createWebResource(RangerRESTUtils.REST_URL_GET_SERVICE_TAGS_IF_UPDATED + serviceName)
- .queryParam(RangerRESTUtils.LAST_KNOWN_TAG_VERSION_PARAM, Long.toString(lastKnownVersion))
- .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
-
- ClientResponse response = webResource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class);
+ ClientResponse response = null;
+ WebResource webResource = null;
+ if (MiscUtil.getUGILoginUser() != null && UserGroupInformation.isSecurityEnabled()) {
+ PrivilegedAction<ClientResponse> action = new PrivilegedAction<ClientResponse>() {
+ public ClientResponse run() {
+ WebResource secureWebResource = createWebResource(RangerRESTUtils.REST_URL_GET_SECURE_SERVICE_TAGS_IF_UPDATED + serviceName)
+ .queryParam(RangerRESTUtils.LAST_KNOWN_TAG_VERSION_PARAM, Long.toString(lastKnownVersion))
+ .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
+ return secureWebResource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class);
+ };
+ };
+ LOG.info("getServiceTagsIfUpdated as user " + MiscUtil.getUGILoginUser());
+ response = MiscUtil.getUGILoginUser().doAs(action);
+ } else {
+ webResource = createWebResource(RangerRESTUtils.REST_URL_GET_SERVICE_TAGS_IF_UPDATED + serviceName)
+ .queryParam(RangerRESTUtils.LAST_KNOWN_TAG_VERSION_PARAM, Long.toString(lastKnownVersion))
+ .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
+ response = webResource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class);
+ }
if(response != null && response.getStatus() == 200) {
ret = response.getEntity(ServiceTags.class);
@@ -227,11 +279,22 @@ public class RangerAdminRESTClient implements RangerAdminClient {
List<String> ret = null;
String emptyString = "";
- WebResource webResource = createWebResource(RangerRESTUtils.REST_URL_LOOKUP_TAG_NAMES)
+ final WebResource webResource = createWebResource(RangerRESTUtils.REST_URL_LOOKUP_TAG_NAMES)
.queryParam(RangerRESTUtils.SERVICE_NAME_PARAM, serviceName)
.queryParam(RangerRESTUtils.PATTERN_PARAM, pattern);
- ClientResponse response = webResource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class);
+ ClientResponse response = null;
+ if (MiscUtil.getUGILoginUser() != null) {
+ PrivilegedAction<ClientResponse> action = new PrivilegedAction<ClientResponse>() {
+ public ClientResponse run() {
+ return webResource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class);
+ };
+ };
+ LOG.info("getTagTypes as user " + MiscUtil.getUGILoginUser());
+ response = MiscUtil.getUGILoginUser().doAs(action);
+ } else {
+ response = webResource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class);
+ }
if(response != null && response.getStatus() == 200) {
ret = response.getEntity(getGenericType(emptyString));
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerConfiguration.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerConfiguration.java b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerConfiguration.java
index 6cb289f..2a4241c 100644
--- a/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerConfiguration.java
+++ b/agents-common/src/main/java/org/apache/ranger/authorization/hadoop/config/RangerConfiguration.java
@@ -55,6 +55,7 @@ public class RangerConfiguration extends Configuration {
public boolean addAdminResources() {
String defaultCfg = "ranger-admin-default-site.xml";
String addlCfg = "ranger-admin-site.xml";
+ String coreCfg = "core-site.xml";
if(LOG.isDebugEnabled()) {
LOG.debug("==> addAdminResources()");
@@ -68,6 +69,10 @@ public class RangerConfiguration extends Configuration {
if (! addResourceIfReadable(addlCfg)) {
ret = false;
}
+
+ if(! addResourceIfReadable(coreCfg)){
+ ret = false;
+ }
if(LOG.isDebugEnabled()) {
LOG.debug("<== addAdminResources(), result=" + ret);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/agents-common/src/main/java/org/apache/ranger/plugin/client/BaseClient.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/client/BaseClient.java b/agents-common/src/main/java/org/apache/ranger/plugin/client/BaseClient.java
index df69e2a..86a91a4 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/client/BaseClient.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/client/BaseClient.java
@@ -36,8 +36,11 @@ public abstract class BaseClient {
private static final Log LOG = LogFactory.getLog(BaseClient.class) ;
- private String serviceName ;
- private String defaultConfigFile ;
+ private static final String DEFAULT_NAME_RULE = "DEFAULT";
+
+
+ private String serviceName ;
+ private String defaultConfigFile ;
private Subject loginSubject ;
private HadoopConfigHolder configHolder;
@@ -50,7 +53,7 @@ public abstract class BaseClient {
public BaseClient(String serivceName, Map<String,String> connectionProperties, String defaultConfigFile) {
this.serviceName = serivceName ;
this.connectionProperties = connectionProperties ;
- this.defaultConfigFile = defaultConfigFile ;
+ this.defaultConfigFile = defaultConfigFile ;
init() ;
login() ;
}
@@ -73,38 +76,57 @@ public abstract class BaseClient {
+ "resource names. Check xa_portal.log for more info.";
try {
//Thread.currentThread().setContextClassLoader(configHolder.getClassLoader());
- String userName = configHolder.getUserName() ;
- if (userName == null) {
- String msgDesc = "Unable to find login username for hadoop environment, ["
+ String lookupPrincipal = SecureClientLogin.getPrincipal(configHolder.getLookupPrincipal(), java.net.InetAddress.getLocalHost().getCanonicalHostName());
+ String lookupKeytab = configHolder.getLookupKeytab();
+ String nameRules = configHolder.getNameRules();
+ if(StringUtils.isEmpty(nameRules)){
+ if(LOG.isDebugEnabled()){
+ LOG.debug("Name is empty. Setting Name Rule as 'DEFAULT'");
+ }
+ nameRules = DEFAULT_NAME_RULE;
+ }
+ String userName = configHolder.getUserName() ;
+ if(StringUtils.isEmpty(lookupPrincipal) || StringUtils.isEmpty(lookupKeytab)){
+ if (userName == null) {
+ String msgDesc = "Unable to find login username for hadoop environment, ["
+ serviceName + "]";
- HadoopException hdpException = new HadoopException(msgDesc);
- hdpException.generateResponseDataMap(false, msgDesc + errMsg, msgDesc + errMsg,
+ HadoopException hdpException = new HadoopException(msgDesc);
+ hdpException.generateResponseDataMap(false, msgDesc + errMsg, msgDesc + errMsg,
null, null);
- throw hdpException;
- }
- String keyTabFile = configHolder.getKeyTabFile() ;
- if (keyTabFile != null) {
- if ( configHolder.isKerberosAuthentication() ) {
- LOG.info("Init Login: security enabled, using username/keytab");
- loginSubject = SecureClientLogin.loginUserFromKeytab(userName, keyTabFile) ;
- }
- else {
- LOG.info("Init Login: using username");
- loginSubject = SecureClientLogin.login(userName) ;
- }
- }
- else {
- String password = configHolder.getPassword() ;
- if ( configHolder.isKerberosAuthentication() ) {
- LOG.info("Init Login: using username/password");
- loginSubject = SecureClientLogin.loginUserWithPassword(userName, password) ;
- }
- else {
- LOG.info("Init Login: security not enabled, using username");
- loginSubject = SecureClientLogin.login(userName) ;
- }
- }
+ throw hdpException;
+ }
+ String keyTabFile = configHolder.getKeyTabFile() ;
+ if (keyTabFile != null) {
+ if ( configHolder.isKerberosAuthentication() ) {
+ LOG.info("Init Login: security enabled, using username/keytab");
+ loginSubject = SecureClientLogin.loginUserFromKeytab(userName, keyTabFile, nameRules) ;
+ }
+ else {
+ LOG.info("Init Login: using username");
+ loginSubject = SecureClientLogin.login(userName) ;
+ }
+ }
+ else {
+ String password = configHolder.getPassword() ;
+ if ( configHolder.isKerberosAuthentication() ) {
+ LOG.info("Init Login: using username/password");
+ loginSubject = SecureClientLogin.loginUserWithPassword(userName, password) ;
+ }
+ else {
+ LOG.info("Init Login: security not enabled, using username");
+ loginSubject = SecureClientLogin.login(userName) ;
+ }
+ }
+ }else{
+ if ( configHolder.isKerberosAuthentication() ) {
+ LOG.info("Init Lookup Login: security enabled, using lookupPrincipal/lookupKeytab");
+ loginSubject = SecureClientLogin.loginUserFromKeytab(lookupPrincipal, lookupKeytab, nameRules) ;
+ }else{
+ LOG.info("Init Login: security not enabled, using username");
+ loginSubject = SecureClientLogin.login(userName);
+ }
+ }
} catch (IOException ioe) {
String msgDesc = "Unable to login to Hadoop environment ["
+ serviceName + "]";
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java b/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java
index b7416b4..1f3987f 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java
@@ -29,6 +29,7 @@ import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.security.SecureClientLogin;
public class HadoopConfigHolder {
private static final Log LOG = LogFactory.getLog(HadoopConfigHolder.class) ;
@@ -40,7 +41,11 @@ public class HadoopConfigHolder {
public static final String RANGER_LOGIN_USER_NAME_PROP = "username" ;
public static final String RANGER_LOGIN_KEYTAB_FILE_PROP = "keytabfile" ;
public static final String RANGER_LOGIN_PASSWORD = "password" ;
+ public static final String RANGER_LOOKUP_PRINCIPAL = "lookupprincipal";
+ public static final String RANGER_LOOKUP_KEYTAB = "lookupkeytab";
+ public static final String RANGER_NAME_RULES = "namerules";
public static final String HADOOP_SECURITY_AUTHENTICATION = "hadoop.security.authentication";
+ public static final String HADOOP_NAME_RULES = "hadoop.security.auth_to_local";
public static final String HADOOP_SECURITY_AUTHENTICATION_METHOD = "kerberos";
public static final String HADOOP_RPC_PROTECTION = "hadoop.rpc.protection";
@@ -53,11 +58,14 @@ public class HadoopConfigHolder {
private String datasourceName ;
- private String defaultConfigFile ;
+ private String defaultConfigFile ;
private String userName ;
private String keyTabFile ;
private String password ;
private boolean isKerberosAuth ;
+ private String lookupPrincipal;
+ private String lookupKeytab;
+ private String nameRules;
private Map<String,String> connectionProperties;
@@ -270,14 +278,17 @@ public class HadoopConfigHolder {
userName = prop.getProperty(RANGER_LOGIN_USER_NAME_PROP) ;
keyTabFile = prop.getProperty(RANGER_LOGIN_KEYTAB_FILE_PROP) ;
password = prop.getProperty(RANGER_LOGIN_PASSWORD) ;
-
+ lookupPrincipal = prop.getProperty(RANGER_LOOKUP_PRINCIPAL);
+ lookupKeytab = prop.getProperty(RANGER_LOOKUP_KEYTAB);
+ nameRules = prop.getProperty(RANGER_NAME_RULES);
+
String hadoopSecurityAuthenticationn = getHadoopSecurityAuthentication();
if ( hadoopSecurityAuthenticationn != null) {
isKerberosAuth = ( hadoopSecurityAuthenticationn.equalsIgnoreCase(HADOOP_SECURITY_AUTHENTICATION_METHOD));
}
else {
- isKerberosAuth = (userName != null) && (userName.indexOf("@") > -1) ;
+ isKerberosAuth = (((userName != null) && (userName.indexOf("@") > -1)) || (SecureClientLogin.isKerberosCredentialExists(lookupPrincipal, lookupKeytab)));
}
}
}
@@ -367,7 +378,7 @@ public class HadoopConfigHolder {
return ret;
}
-
+
public String getUserName() {
return userName;
}
@@ -383,6 +394,18 @@ public class HadoopConfigHolder {
public boolean isKerberosAuthentication() {
return isKerberosAuth;
}
+
+ public String getLookupPrincipal(){
+ return lookupPrincipal;
+ }
+
+ public String getLookupKeytab(){
+ return lookupKeytab;
+ }
+
+ public String getNameRules(){
+ return nameRules;
+ }
public Set<String> getRangerInternalPropertyKeys() {
return rangerInternalPropertyKeys;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java
index cf81d1f..1cb2175 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/rest/ServiceRESTStore.java
@@ -19,13 +19,16 @@
package org.apache.ranger.plugin.store.rest;
+import java.security.PrivilegedAction;
import java.util.List;
import java.util.Map;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ranger.admin.client.datatype.RESTResponse;
+import org.apache.ranger.audit.provider.MiscUtil;
import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerService;
@@ -67,6 +70,7 @@ public class ServiceRESTStore extends AbstractServiceStore {
public final String REST_URL_POLICY_GET_FOR_SERVICE = "/service/plugins/policies/service/";
public final String REST_URL_POLICY_GET_FOR_SERVICE_BY_NAME = "/service/plugins/policies/service/name/";
public final String REST_URL_POLICY_GET_FOR_SERVICE_IF_UPDATED = "/service/plugins/policies/download/";
+ public final String REST_URL_POLICY_GET_FOR_SECURE_SERVICE_IF_UPDATED = "/service/plugins/secure/policies/download/";
public static final String REST_MIME_TYPE_JSON = "application/json" ;
@@ -572,15 +576,26 @@ public class ServiceRESTStore extends AbstractServiceStore {
}
@Override
- public ServicePolicies getServicePoliciesIfUpdated(String serviceName, Long lastKnownVersion) throws Exception {
+ public ServicePolicies getServicePoliciesIfUpdated(final String serviceName, final Long lastKnownVersion) throws Exception {
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceRESTStore.getServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + ")");
}
ServicePolicies ret = null;
-
- WebResource webResource = createWebResource(REST_URL_POLICY_GET_FOR_SERVICE_IF_UPDATED + serviceName + "/" + lastKnownVersion);
- ClientResponse response = webResource.accept(REST_MIME_TYPE_JSON).get(ClientResponse.class);
+ ClientResponse response = null;
+ if (MiscUtil.getUGILoginUser() != null && UserGroupInformation.isSecurityEnabled()) {
+ LOG.info("Checking Service policy if updated as user : "+ MiscUtil.getUGILoginUser());
+ PrivilegedAction<ClientResponse> action = new PrivilegedAction<ClientResponse>() {
+ public ClientResponse run() {
+ WebResource secureWebResource = createWebResource(REST_URL_POLICY_GET_FOR_SECURE_SERVICE_IF_UPDATED + serviceName + "/" + lastKnownVersion);
+ return secureWebResource.accept(REST_MIME_TYPE_JSON).get(ClientResponse.class);
+ };
+ };
+ response = MiscUtil.getUGILoginUser().doAs(action);
+ } else {
+ WebResource webResource = createWebResource(REST_URL_POLICY_GET_FOR_SERVICE_IF_UPDATED + serviceName + "/" + lastKnownVersion);
+ response = webResource.accept(REST_MIME_TYPE_JSON).get(ClientResponse.class);
+ }
if(response != null && response.getStatus() == 200) {
ret = response.getEntity(ServicePolicies.class);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTUtils.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTUtils.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTUtils.java
index ad113fe..9a47280 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTUtils.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTUtils.java
@@ -39,8 +39,13 @@ public class RangerRESTUtils {
public static final String REST_URL_POLICY_GET_FOR_SERVICE_IF_UPDATED = "/service/plugins/policies/download/";
public static final String REST_URL_SERVICE_GRANT_ACCESS = "/service/plugins/services/grant/";
public static final String REST_URL_SERVICE_REVOKE_ACCESS = "/service/plugins/services/revoke/";
+
+ public static final String REST_URL_POLICY_GET_FOR_SECURE_SERVICE_IF_UPDATED = "/service/plugins/secure/policies/download/";
+ public static final String REST_URL_SECURE_SERVICE_GRANT_ACCESS = "/service/plugins/secure/services/grant/";
+ public static final String REST_URL_SECURE_SERVICE_REVOKE_ACCESS = "/service/plugins/secure/services/revoke/";
public static final String REST_URL_GET_SERVICE_TAGS_IF_UPDATED = "/service/tags/download/";
+ public static final String REST_URL_GET_SECURE_SERVICE_TAGS_IF_UPDATED = "/service/tags/secure/download/";
public static final String SERVICE_NAME_PARAM = "serviceName";
public static final String LAST_KNOWN_TAG_VERSION_PARAM = "lastKnownVersion";
public static final String PATTERN_PARAM = "pattern";
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/agents-common/src/main/resources/resourcenamemap.properties
----------------------------------------------------------------------
diff --git a/agents-common/src/main/resources/resourcenamemap.properties b/agents-common/src/main/resources/resourcenamemap.properties
index d9b4d71..9bfaf61 100644
--- a/agents-common/src/main/resources/resourcenamemap.properties
+++ b/agents-common/src/main/resources/resourcenamemap.properties
@@ -24,6 +24,8 @@ dfs.secondary.namenode.kerberos.principal=hdfs-site.xml
username=xalogin.xml
keytabfile=xalogin.xml
password=xalogin.xml
+lookupprincipal=xalogin.xml
+lookupkeytab=xalogin.xml
hbase.master.kerberos.principal=hbase-site.xml
hbase.rpc.engine=hbase-site.xml
hbase.rpc.protection=hbase-site.xml
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/embeddedwebserver/pom.xml
----------------------------------------------------------------------
diff --git a/embeddedwebserver/pom.xml b/embeddedwebserver/pom.xml
index 9772075..6fde208 100644
--- a/embeddedwebserver/pom.xml
+++ b/embeddedwebserver/pom.xml
@@ -63,5 +63,20 @@
<artifactId>ecj</artifactId>
<version>P20140317-1600</version>
</dependency>
+ <dependency>
+ <groupId>log4j</groupId>
+ <artifactId>log4j</artifactId>
+ <version>${log4j.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger-plugins-audit</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger-plugins-common</artifactId>
+ <version>${project.version}</version>
+ </dependency>
</dependencies>
</project>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/embeddedwebserver/scripts/ranger-admin-services.sh
----------------------------------------------------------------------
diff --git a/embeddedwebserver/scripts/ranger-admin-services.sh b/embeddedwebserver/scripts/ranger-admin-services.sh
index 92016b6..bd913af 100755
--- a/embeddedwebserver/scripts/ranger-admin-services.sh
+++ b/embeddedwebserver/scripts/ranger-admin-services.sh
@@ -53,12 +53,12 @@ then
fi
start() {
- java -Dproc_rangeradmin ${JAVA_OPTS} -Dlogdir=${RANGER_ADMIN_LOG_DIR} -Dcatalina.base=${XAPOLICYMGR_EWS_DIR} -cp "${XAPOLICYMGR_EWS_DIR}/webapp/WEB-INF/classes/conf:${XAPOLICYMGR_EWS_DIR}/lib/*:${RANGER_JAAS_LIB_DIR}/*:${RANGER_JAAS_CONF_DIR}:${JAVA_HOME}/lib/*:$CLASSPATH" org.apache.ranger.server.tomcat.EmbeddedServer > ${RANGER_ADMIN_LOG_DIR}/catalina.out 2>&1 &
+ java -Dproc_rangeradmin ${JAVA_OPTS} -Dlogdir=${RANGER_ADMIN_LOG_DIR} -Dcatalina.base=${XAPOLICYMGR_EWS_DIR} -cp "${XAPOLICYMGR_EWS_DIR}/webapp/WEB-INF/classes/conf:${XAPOLICYMGR_EWS_DIR}/lib/*:${RANGER_JAAS_LIB_DIR}/*:${RANGER_JAAS_CONF_DIR}:${JAVA_HOME}/lib/*:${RANGER_HADOOP_CONF_DIR}/*:$CLASSPATH" org.apache.ranger.server.tomcat.EmbeddedServer > ${RANGER_ADMIN_LOG_DIR}/catalina.out 2>&1 &
echo "Apache Ranger Admin has started."
}
stop(){
- java ${JAVA_OPTS} -Dlogdir=${RANGER_ADMIN_LOG_DIR} -Dcatalina.base=${XAPOLICYMGR_EWS_DIR} -cp "${XAPOLICYMGR_EWS_DIR}/webapp/WEB-INF/classes/conf:${XAPOLICYMGR_EWS_DIR}/lib/*:${RANGER_JAAS_LIB_DIR}/*:${RANGER_JAAS_CONF_DIR}:$CLASSPATH" org.apache.ranger.server.tomcat.StopEmbeddedServer > ${RANGER_ADMIN_LOG_DIR}/catalina.out 2>&1
+ java ${JAVA_OPTS} -Dlogdir=${RANGER_ADMIN_LOG_DIR} -Dcatalina.base=${XAPOLICYMGR_EWS_DIR} -cp "${XAPOLICYMGR_EWS_DIR}/webapp/WEB-INF/classes/conf:${XAPOLICYMGR_EWS_DIR}/lib/*:${RANGER_JAAS_LIB_DIR}/*:${RANGER_JAAS_CONF_DIR}:${RANGER_HADOOP_CONF_DIR}/*:$CLASSPATH" org.apache.ranger.server.tomcat.StopEmbeddedServer > ${RANGER_ADMIN_LOG_DIR}/catalina.out 2>&1
echo "Apache Ranger Admin has been stopped."
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
----------------------------------------------------------------------
diff --git a/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java b/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
index d49ea61..19e944b 100644
--- a/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
+++ b/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
@@ -20,7 +20,9 @@
package org.apache.ranger.server.tomcat;
import java.io.File;
+import java.io.IOException;
import java.net.URL;
+import java.security.PrivilegedAction;
import java.util.Date;
import java.util.Iterator;
import java.util.Properties;
@@ -35,6 +37,10 @@ import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.startup.Tomcat;
import org.apache.catalina.valves.AccessLogValve;
+import org.apache.hadoop.security.SecureClientLogin;
+
+import javax.security.auth.Subject;
+
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
@@ -46,11 +52,19 @@ public class EmbeddedServer {
.getName());
private static final String DEFAULT_CONFIG_FILENAME = "ranger-admin-site.xml";
+ private static final String CORE_SITE_CONFIG_FILENAME = "core-site.xml";
private static final String DEFAULT_WEBAPPS_ROOT_FOLDER = "webapps";
private static String configFile = DEFAULT_CONFIG_FILENAME;
+ private static final String AUTH_TYPE_KERBEROS = "kerberos";
+ private static final String AUTHENTICATION_TYPE = "hadoop.security.authentication";
+ private static final String ADMIN_USER_PRINCIPAL = "ranger.admin.kerberos.principal";
+ private static final String ADMIN_USER_KEYTAB = "ranger.admin.kerberos.keytab";
+
+ private static final String ADMIN_NAME_RULES = "hadoop.security.auth_to_local";
+
private Properties serverConfigProperties = new Properties();
public static void main(String[] args) {
@@ -61,14 +75,15 @@ public class EmbeddedServer {
if (args.length > 0) {
configFile = args[0];
}
- loadRangerSiteConfig();
+ loadConfig(CORE_SITE_CONFIG_FILENAME);
+ loadConfig(configFile);
}
public static int DEFAULT_SHUTDOWN_PORT = 6185;
public static String DEFAULT_SHUTDOWN_COMMAND = "SHUTDOWN";
public void start() {
- Tomcat server = new Tomcat();
+ final Tomcat server = new Tomcat();
String logDir = null;
logDir = getConfig("logdir");
@@ -198,16 +213,55 @@ public class EmbeddedServer {
LOG.severe("Tomcat Server failed to start webapp:" + lce.toString());
lce.printStackTrace();
}
-
+
+ String keytab = getConfig(ADMIN_USER_KEYTAB);
+// String principal = getConfig(ADMIN_USER_PRINCIPAL);
+ String principal = null;
try {
- server.start();
- server.getServer().await();
- shutdownServer();
-
- } catch (LifecycleException e) {
- LOG.severe("Tomcat Server failed to start:" + e.toString());
- e.printStackTrace();
- }
+ principal = SecureClientLogin.getPrincipal(getConfig(ADMIN_USER_PRINCIPAL), hostName);
+ } catch (IOException ignored) {
+ // do nothing
+ }
+ String nameRules = getConfig(ADMIN_NAME_RULES);
+ if(getConfig(AUTHENTICATION_TYPE) != null && getConfig(AUTHENTICATION_TYPE).trim().equalsIgnoreCase(AUTH_TYPE_KERBEROS) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)){
+ try{
+ LOG.info("Provided Kerberos Credential : Principal = "+principal+" and Keytab = "+keytab);
+ Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules) ;
+ Subject.doAs(sub, new PrivilegedAction<Void>() {
+ @Override
+ public Void run() {
+ try{
+ LOG.info("Starting Server using kerberos crendential");
+ server.start();
+ server.getServer().await();
+ shutdownServer();
+ }catch (LifecycleException e) {
+ LOG.severe("Tomcat Server failed to start:" + e.toString());
+ e.printStackTrace();
+ }catch (Exception e) {
+ LOG.severe("Tomcat Server failed to start:" + e.toString());
+ e.printStackTrace();
+ }
+ return null;
+ }
+ });
+ }catch(Exception e){
+ LOG.severe("Tomcat Server failed to start:" + e.toString());
+ e.printStackTrace();
+ }
+ }else{
+ try{
+ server.start();
+ server.getServer().await();
+ shutdownServer();
+ } catch (LifecycleException e) {
+ LOG.severe("Tomcat Server failed to start:" + e.toString());
+ e.printStackTrace();
+ } catch (Exception e) {
+ LOG.severe("Tomcat Server failed to start:" + e.toString());
+ e.printStackTrace();
+ }
+ }
}
private String getKeystoreFile() {
@@ -310,8 +364,8 @@ public class EmbeddedServer {
}
- public void loadRangerSiteConfig() {
- String path = getResourceFileName(configFile);
+ public void loadConfig(String configFileName) {
+ String path = getResourceFileName(configFileName);
try {
DocumentBuilderFactory xmlDocumentBuilderFactory = DocumentBuilderFactory
.newInstance();
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/client/HdfsClient.java
----------------------------------------------------------------------
diff --git a/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/client/HdfsClient.java b/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/client/HdfsClient.java
index bc4f05a..4d563a3 100644
--- a/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/client/HdfsClient.java
+++ b/hdfs-agent/src/main/java/org/apache/ranger/services/hdfs/client/HdfsClient.java
@@ -35,6 +35,8 @@ import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
+import org.apache.commons.lang.StringUtils;
+import org.apache.hadoop.security.SecureClientLogin;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ranger.plugin.client.BaseClient;
import org.apache.ranger.plugin.client.HadoopException;
@@ -252,18 +254,26 @@ public class HdfsClient extends BaseClient {
public static void validateConnectionConfigs(Map<String, String> configs)
throws IllegalArgumentException {
+ String lookupPrincipal=null;
+ try{
+ lookupPrincipal = SecureClientLogin.getPrincipal(configs.get("lookupprincipal"), java.net.InetAddress.getLocalHost().getCanonicalHostName());
+ }catch(Exception e){
+ //do nothing
+ }
+ String lookupKeytab = configs.get("lookupkeytab");
+ if(StringUtils.isEmpty(lookupPrincipal) || StringUtils.isEmpty(lookupKeytab)){
+ // username
+ String username = configs.get("username") ;
+ if ((username == null || username.isEmpty())) {
+ throw new IllegalArgumentException("Value for username not specified");
+ }
- // username
- String username = configs.get("username") ;
- if ((username == null || username.isEmpty())) {
- throw new IllegalArgumentException("Value for username not specified");
- }
-
- // password
- String password = configs.get("password") ;
- if ((password == null || password.isEmpty())) {
- throw new IllegalArgumentException("Value for password not specified");
- }
+ // password
+ String password = configs.get("password") ;
+ if ((password == null || password.isEmpty())) {
+ throw new IllegalArgumentException("Value for password not specified");
+ }
+ }
// hadoop.security.authentication
String authentication = configs.get("hadoop.security.authentication") ;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
----------------------------------------------------------------------
diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
index 061f95c..6a79433 100755
--- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
@@ -29,8 +29,10 @@ import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
+
import javax.security.auth.Subject;
+import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.HadoopKerberosName;
import org.apache.hadoop.security.ProviderUtils;
@@ -64,11 +66,18 @@ public class KMSClient {
String provider;
String username;
String password;
+ String lookupPrincipal;
+ String lookupKeytab;
+ String nameRules;
- public KMSClient(String provider, String username, String password) {
+ public KMSClient(String provider, String username, String password, String lookupPrincipal, String lookupKeytab, String nameRules) {
this.provider = provider;
this.username = username;
this.password = password;
+ this.lookupPrincipal = lookupPrincipal;
+ this.lookupKeytab = lookupKeytab;
+ this.nameRules = nameRules;
+
if (LOG.isDebugEnabled()) {
LOG.debug("Kms Client is build with url [" + provider + "] user: ["
+ username + "]");
@@ -164,9 +173,18 @@ public class KMSClient {
String shortName = new HadoopKerberosName(username).getShortName();
uri = uri.concat("?doAs="+shortName);
Subject sub = new Subject();
- if (username.contains("@")) {
+ if(!StringUtils.isEmpty(lookupPrincipal) && !StringUtils.isEmpty(lookupKeytab) && lookupPrincipal.contains("@")){
+ if(StringUtils.isEmpty(nameRules)){
+ nameRules = "DEFAULT";
+ }
+ LOG.info("Init Lookup Login: security enabled, using lookupPrincipal/lookupKeytab");
+ sub = SecureClientLogin.loginUserFromKeytab(lookupPrincipal, lookupKeytab, nameRules);
+ }
+ else if (username.contains("@")) {
+ LOG.info("Init Login: using username/password");
sub = SecureClientLogin.loginUserWithPassword(username, password);
} else {
+ LOG.info("Init Login: security not enabled, using username");
sub = SecureClientLogin.login(username);
}
final WebResource webResource = client.resource(uri);
@@ -324,7 +342,11 @@ public class KMSClient {
String kmsUrl = configs.get("provider");
String kmsUserName = configs.get("username");
String kmsPassWord = configs.get("password");
- kmsClient = new KMSClient(kmsUrl, kmsUserName, kmsPassWord);
+ String lookupPrincipal = configs.get("lookupprincipal");
+ String lookupKeytab = configs.get("lookupkeytab");
+ String nameRules = configs.get("namerules");
+
+ kmsClient = new KMSClient(kmsUrl, kmsUserName, kmsPassWord, lookupPrincipal, lookupKeytab, nameRules);
}
return kmsClient;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSConnectionMgr.java
----------------------------------------------------------------------
diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSConnectionMgr.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSConnectionMgr.java
index 94eaba4..5e96a1c 100755
--- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSConnectionMgr.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSConnectionMgr.java
@@ -19,6 +19,7 @@
package org.apache.ranger.services.kms.client;
+import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
@@ -26,16 +27,18 @@ public class KMSConnectionMgr {
public static final Logger LOG = Logger.getLogger(KMSConnectionMgr.class);
- public static KMSClient getKMSClient(final String kmsURL, String userName, String password) {
+ public static KMSClient getKMSClient(final String kmsURL, String userName, String password, String lookupPrincipal, String lookupKeytab, String nameRules) {
KMSClient kmsClient = null;
if (kmsURL == null || kmsURL.isEmpty()) {
LOG.error("Can not create KMSClient: kmsURL is empty");
- } else if (userName == null || userName.isEmpty()) {
- LOG.error("Can not create KMSClient: kmsuserName is empty");
- } else if (password == null || password.isEmpty()) {
- LOG.error("Can not create KMSClient: kmsPassWord is empty");
+ } else if(StringUtils.isEmpty(lookupPrincipal)){
+ if(userName == null || userName.isEmpty()) {
+ LOG.error("Can not create KMSClient: kmsuserName is empty");
+ } else if (password == null || password.isEmpty()) {
+ LOG.error("Can not create KMSClient: kmsPassWord is empty");
+ }
} else {
- kmsClient = new KMSClient(kmsURL, userName, password);
+ kmsClient = new KMSClient(kmsURL, userName, password, lookupPrincipal, lookupKeytab, nameRules);
}
return kmsClient;
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSResourceMgr.java
----------------------------------------------------------------------
diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSResourceMgr.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSResourceMgr.java
index 007b97b..6b96515 100755
--- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSResourceMgr.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSResourceMgr.java
@@ -72,14 +72,17 @@ public class KMSResourceMgr {
String url = configs.get("provider");
String username = configs.get("username");
String password = configs.get("password");
- resultList = getKMSResource(url, username, password,kmsKeyName,kmsKeyList) ;
+ String lookupPrincipal = configs.get("lookupprincipal");
+ String lookupKeytab = configs.get("lookupkeytab");
+ String nameRules = configs.get("namerules");
+ resultList = getKMSResource(url, username, password, lookupPrincipal, lookupKeytab, nameRules, kmsKeyName,kmsKeyList) ;
}
return resultList ;
}
- public static List<String> getKMSResource(String url, String username, String password,String kmsKeyName, List<String> kmsKeyList) {
+ public static List<String> getKMSResource(String url, String username, String password, String lookupPrincipal, String lookupKeytab, String nameRules, String kmsKeyName, List<String> kmsKeyList) {
List<String> topologyList = null;
- final KMSClient KMSClient = KMSConnectionMgr.getKMSClient(url, username, password);
+ final KMSClient KMSClient = KMSConnectionMgr.getKMSClient(url, username, password, lookupPrincipal, lookupKeytab, nameRules);
synchronized(KMSClient){
topologyList = KMSClient.getKeyList(kmsKeyName, kmsKeyList);
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/security-admin/scripts/install.properties
----------------------------------------------------------------------
diff --git a/security-admin/scripts/install.properties b/security-admin/scripts/install.properties
index 4070259..3913254 100644
--- a/security-admin/scripts/install.properties
+++ b/security-admin/scripts/install.properties
@@ -155,6 +155,17 @@ xa_ldap_ad_bind_password=
xa_ldap_ad_referral=
xa_ldap_ad_userSearchFilter=
+#------------ Kerberos Config -----------------
+spnego_principal=
+spnego_keytab=
+token_valid=30
+cookie_domain=
+cookie_path=/
+admin_principal=
+admin_keytab=
+lookup_principal=
+lookup_keytab=
+hadoop_conf=/etc/hadoop/conf
#
#-------- SSO CONFIG - Start ------------------
#
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/security-admin/scripts/setup.sh
----------------------------------------------------------------------
diff --git a/security-admin/scripts/setup.sh b/security-admin/scripts/setup.sh
index 832932c..51daf6d 100755
--- a/security-admin/scripts/setup.sh
+++ b/security-admin/scripts/setup.sh
@@ -117,6 +117,17 @@ sso_cookiename=$(get_prop 'sso_cookiename' $PROPFILE)
sso_query_param_originalurl=$(get_prop 'sso_query_param_originalurl' $PROPFILE)
RANGER_ADMIN_LOG_DIR=$(eval echo "$(get_prop 'RANGER_ADMIN_LOG_DIR' $PROPFILE)")
+spnego_principal=$(get_prop 'spnego_principal' $PROPFILE)
+spnego_keytab=$(get_prop 'spnego_keytab' $PROPFILE)
+token_valid=$(get_prop 'token_valid' $PROPFILE)
+cookie_domain=$(get_prop 'cookie_domain' $PROPFILE)
+cookie_path=$(get_prop 'cookie_path' $PROPFILE)
+admin_principal=$(get_prop 'admin_principal' $PROPFILE)
+admin_keytab=$(get_prop 'admin_keytab' $PROPFILE)
+lookup_principal=$(get_prop 'lookup_principal' $PROPFILE)
+lookup_keytab=$(get_prop 'lookup_keytab' $PROPFILE)
+hadoop_conf=$(get_prop 'hadoop_conf' $PROPFILE)
+
DB_HOST="${db_host}"
check_ret_status(){
@@ -356,6 +367,69 @@ update_properties() {
log "[E] $to_file_default does not exists" ; exit 1;
fi
+ if [ "${spnego_principal}" != "" ]
+ then
+ propertyName=ranger.spnego.kerberos.principal
+ newPropertyValue="${spnego_principal}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+ fi
+
+ if [ "${spnego_keytab}" != "" ]
+ then
+ propertyName=ranger.spnego.kerberos.keytab
+ newPropertyValue="${spnego_keytab}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+ fi
+
+ if [ "${token_valid}" != "" ]
+ then
+ propertyName=ranger.admin.kerberos.token.valid.seconds
+ newPropertyValue="${token_valid}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+ fi
+
+ if [ "${cookie_domain}" != "" ]
+ then
+ propertyName=ranger.admin.kerberos.cookie.domain
+ newPropertyValue="${cookie_domain}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+ fi
+
+ if [ "${cookie_path}" != "" ]
+ then
+ propertyName=ranger.admin.kerberos.cookie.path
+ newPropertyValue="${cookie_path}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+ fi
+
+ if [ "${admin_principal}" != "" ]
+ then
+ propertyName=ranger.admin.kerberos.principal
+ newPropertyValue="${admin_principal}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+ fi
+
+ if [ "${admin_keytab}" != "" ]
+ then
+ propertyName=ranger.admin.kerberos.keytab
+ newPropertyValue="${admin_keytab}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+ fi
+
+ if [ "${lookup_principal}" != "" ]
+ then
+ propertyName=ranger.lookup.kerberos.principal
+ newPropertyValue="${lookup_principal}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+ fi
+
+ if [ "${lookup_keytab}" != "" ]
+ then
+ propertyName=ranger.lookup.kerberos.keytab
+ newPropertyValue="${lookup_keytab}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file_ranger
+ fi
+
if [ "${DB_FLAVOR}" == "MYSQL" ]
then
propertyName=ranger.jpa.jdbc.url
@@ -965,8 +1039,27 @@ setup_install_files(){
mkdir -p ${WEBAPP_ROOT}/WEB-INF/classes/conf
cp ${WEBAPP_ROOT}/WEB-INF/classes/conf.dist/* ${WEBAPP_ROOT}/WEB-INF/classes/conf
fi
+
+ echo "export RANGER_HADOOP_CONF_DIR=${hadoop_conf}" > ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-admin-env-hadoopconfdir.sh
+ chmod a+rx ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-admin-env-hadoopconfdir.sh
+
+ hadoop_conf_file=${hadoop_conf}/core-site.xml
+ ranger_hadoop_conf_file=${WEBAPP_ROOT}/WEB-INF/classes/conf/core-site.xml
+
if [ -d ${WEBAPP_ROOT}/WEB-INF/classes/conf ]; then
chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/conf
+ if [ "${hadoop_conf}" == "" ]
+ then
+ log "[WARN] Property hadoop_conf not found. Creating blank core-site.xml."
+ echo "<configuration></configuration>" > ${WEBAPP_ROOT}/WEB-INF/classes/conf/core-site.xml
+ else
+ if [ -f ${hadoop_conf_file} ]; then
+ ln -sf ${hadoop_conf_file} ${WEBAPP_ROOT}/WEB-INF/classes/conf/core-site.xml
+ else
+ log "[WARN] core-site.xml file not found in provided hadoop_conf path. Creating blank core-site.xml"
+ echo "<configuration></configuration>" > ${WEBAPP_ROOT}/WEB-INF/classes/conf/core-site.xml
+ fi
+ fi
fi
if [ ! -d ${WEBAPP_ROOT}/WEB-INF/classes/lib ]; then
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
index 3647bb1..82dc190 100755
--- a/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
@@ -49,6 +49,7 @@ import org.apache.log4j.Logger;
import org.apache.ranger.common.ContextUtil;
import org.apache.ranger.common.MessageEnums;
import org.apache.ranger.common.PasswordUtils;
+import org.apache.ranger.common.PropertiesUtil;
import org.apache.ranger.common.RESTErrorUtil;
import org.apache.ranger.common.RangerConfigUtil;
import org.apache.ranger.common.SortField;
@@ -87,6 +88,7 @@ public class KmsKeyMgr {
private static final String KMS_USERNAME = "username";
private static Map<String, String> providerList = new HashMap<String, String>();
private static int nextProvider = 0;
+ static final String NAME_RULES = "hadoop.security.auth_to_local";
@Autowired
ServiceDBStore svcStore;
@@ -526,8 +528,11 @@ public class KmsKeyMgr {
private Subject getSubjectForKerberos(String provider) throws Exception{
String userName = getKMSUserName(provider);
String password = getKMSPassword(provider);
- if (KerberosName.getRules() == null) {
+ String nameRules = PropertiesUtil.getProperty(NAME_RULES);
+ if (StringUtils.isEmpty(nameRules)) {
KerberosName.setRules("DEFAULT") ;
+ }else{
+ KerberosName.setRules(nameRules);
}
Subject sub = new Subject();
if (userName.contains("@")) {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
index 2980e51..63c630e 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java
@@ -56,6 +56,7 @@ import org.apache.ranger.entity.XXServiceDef;
import org.apache.ranger.entity.XXTrxLog;
import org.apache.ranger.entity.XXUser;
import org.apache.ranger.plugin.model.RangerBaseModelObject;
+import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
import org.apache.ranger.service.AbstractBaseResourceService;
import org.apache.ranger.view.VXDataObject;
@@ -1538,5 +1539,26 @@ public class RangerBizUtil {
MessageEnums.OPER_NOT_ALLOWED_FOR_STATE);
}
}
+
+ public boolean isUserAllowed(RangerService rangerService, String cfgNameAllowedUsers) {
+ Map<String, String> map = rangerService.getConfigs();
+ String user = null;
+ UserSessionBase userSession = ContextUtil.getCurrentUserSession();
+ if(userSession != null){
+ user = userSession.getLoginId();
+ }
+ if (map != null && map.containsKey(cfgNameAllowedUsers)) {
+ String userNames = map.get(cfgNameAllowedUsers);
+ String[] userList = userNames.split(",");
+ if(userList != null){
+ for (String u : userList) {
+ if (u.equals("*") || (user != null && u.equalsIgnoreCase(user))) {
+ return true;
+ }
+ }
+ }
+ }
+ return false;
+ }
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 21ed686..7ef950a 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -28,10 +28,13 @@ import java.text.SimpleDateFormat;
import javax.annotation.PostConstruct;
import javax.servlet.http.HttpServletResponse;
+
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.security.SecureClientLogin;
+import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
import org.apache.ranger.common.*;
import org.apache.ranger.db.*;
@@ -96,6 +99,11 @@ import org.apache.poi.ss.usermodel.Workbook;
public class ServiceDBStore extends AbstractServiceStore {
private static final Log LOG = LogFactory.getLog(ServiceDBStore.class);
public static final String RANGER_TAG_EXPIRY_CONDITION_NAME = "accessed-after-expiry";
+ private static final String LOOKUP_PRINCIPAL = "ranger.lookup.kerberos.principal";
+ private static final String LOOKUP_KEYTAB = "ranger.lookup.kerberos.keytab";
+ static final String RANGER_AUTH_TYPE = "hadoop.security.authentication";
+
+ private static final String KERBEROS_TYPE = "kerberos";
@Autowired
RangerServiceDefService serviceDefService;
@@ -1267,7 +1275,7 @@ public class ServiceDBStore extends AbstractServiceStore {
vXUser = xUserService.populateViewBean(xxUser);
} else {
UserSessionBase usb = ContextUtil.getCurrentUserSession();
- if (usb != null && !usb.isUserAdmin()) {
+ if (usb != null && !usb.isUserAdmin() && !usb.isSpnegoEnabled()) {
throw restErrorUtil.createRESTException("User does not exist with given username: ["
+ userName + "] please use existing user", MessageEnums.OPER_NO_PERMISSION);
}
@@ -2273,6 +2281,14 @@ public class ServiceDBStore extends AbstractServiceStore {
List<String> users = new ArrayList<String>();
users.add(vXUser.getName());
+ VXUser vXLookupUser = getLookupUser();
+ if(vXLookupUser != null){
+ users.add(vXLookupUser.getName());
+ }
+ UserSessionBase usb = ContextUtil.getCurrentUserSession();
+ if (usb != null && usb.isSpnegoEnabled()) {
+ users.add(usb.getLoginId());
+ }
policyItem.setUsers(users);
List<XXAccessTypeDef> accessTypeDefs = daoMgr.getXXAccessTypeDef().findByServiceDefId(createdService.getType());
@@ -2291,6 +2307,39 @@ public class ServiceDBStore extends AbstractServiceStore {
}
policy = createPolicy(policy);
}
+
+ private VXUser getLookupUser() {
+ VXUser vXUser = null;
+ String authType = PropertiesUtil.getProperty(RANGER_AUTH_TYPE);
+ String lookupPrincipal = PropertiesUtil.getProperty(LOOKUP_PRINCIPAL);
+ String lookupKeytab = PropertiesUtil.getProperty(LOOKUP_KEYTAB);
+ if(!StringUtils.isEmpty(authType) && authType.equalsIgnoreCase(KERBEROS_TYPE)){
+ if(SecureClientLogin.isKerberosCredentialExists(lookupPrincipal, lookupKeytab)){
+ KerberosName krbName = new KerberosName(lookupPrincipal);
+ String lookupUser=null;
+ try {
+ lookupUser = krbName.getShortName();
+ } catch (IOException e) {
+ throw restErrorUtil.createRESTException("Please provide proper value of lookup user principal : "+ lookupPrincipal, MessageEnums.INVALID_INPUT_DATA);
+ }
+
+ if(LOG.isDebugEnabled()){
+ LOG.debug("Checking for Lookup User : "+lookupUser);
+ }
+ if(!StringUtils.isEmpty(lookupUser)){
+ XXUser xxUser = daoMgr.getXXUser().findByUserName(lookupUser);
+ if (xxUser != null) {
+ vXUser = xUserService.populateViewBean(xxUser);
+ } else {
+ vXUser = xUserMgr.createServiceConfigUser(lookupUser);
+ LOG.info("Creating Lookup User : "+vXUser.getName());
+ }
+ }
+ }
+ }
+ return vXUser;
+ }
+
Map<String, RangerPolicyResource> createDefaultPolicyResource(List<RangerResourceDef> resourceHierarchy) throws Exception {
Map<String, RangerPolicyResource> resourceMap = new HashMap<>();
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java
index 16b00cd..e0f22d2 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java
@@ -33,8 +33,10 @@ import java.util.concurrent.TimeUnit;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.security.SecureClientLogin;
import org.apache.ranger.common.PropertiesUtil;
import org.apache.ranger.common.TimedExecutor;
+import org.apache.ranger.plugin.client.HadoopConfigHolder;
import org.apache.ranger.plugin.client.HadoopException;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
@@ -55,6 +57,13 @@ public class ServiceMgr {
private static final Log LOG = LogFactory.getLog(ServiceMgr.class);
+ private static final String LOOKUP_PRINCIPAL = "ranger.lookup.kerberos.principal";
+ private static final String LOOKUP_KEYTAB = "ranger.lookup.kerberos.keytab";
+ private static final String AUTHENTICATION_TYPE = "hadoop.security.authentication";
+ private static final String KERBEROS_TYPE = "kerberos";
+ static final String NAME_RULES = "hadoop.security.auth_to_local";
+ static final String HOST_NAME = "ranger.service.host";
+
@Autowired
RangerServiceService rangerSvcService;
@@ -72,11 +81,24 @@ public class ServiceMgr {
RangerService service = svcDBStore.getServiceByName(serviceName);
+ String authType = PropertiesUtil.getProperty(AUTHENTICATION_TYPE);
+ String lookupPrincipal = SecureClientLogin.getPrincipal(PropertiesUtil.getProperty(LOOKUP_PRINCIPAL), PropertiesUtil.getProperty(HOST_NAME));
+ String lookupKeytab = PropertiesUtil.getProperty(LOOKUP_KEYTAB);
+ String nameRules = PropertiesUtil.getProperty(NAME_RULES);
+
+ if(!StringUtils.isEmpty(authType) && authType.trim().equalsIgnoreCase(KERBEROS_TYPE) && SecureClientLogin.isKerberosCredentialExists(lookupPrincipal, lookupKeytab)){
+ if(service != null && service.getConfigs() != null){
+ service.getConfigs().put(HadoopConfigHolder.RANGER_LOOKUP_PRINCIPAL, lookupPrincipal);
+ service.getConfigs().put(HadoopConfigHolder.RANGER_LOOKUP_KEYTAB, lookupKeytab);
+ service.getConfigs().put(HadoopConfigHolder.RANGER_NAME_RULES, nameRules);
+ }
+ }
+
Map<String, String> newConfigs = rangerSvcService.getConfigsWithDecryptedPassword(service);
service.setConfigs(newConfigs);
RangerBaseService svc = getRangerServiceByService(service, svcStore);
-
+
if(LOG.isDebugEnabled()) {
LOG.debug("==> ServiceMgr.lookupResource for Service: (" + svc + "Context: " + context + ")");
}
@@ -101,6 +123,19 @@ public class ServiceMgr {
public VXResponse validateConfig(RangerService service, ServiceStore svcStore) throws Exception {
VXResponse ret = new VXResponse();
+ String authType = PropertiesUtil.getProperty(AUTHENTICATION_TYPE);
+ String lookupPrincipal = SecureClientLogin.getPrincipal(PropertiesUtil.getProperty(LOOKUP_PRINCIPAL), PropertiesUtil.getProperty(HOST_NAME));
+ String lookupKeytab = PropertiesUtil.getProperty(LOOKUP_KEYTAB);
+ String nameRules = PropertiesUtil.getProperty(NAME_RULES);
+
+ if(!StringUtils.isEmpty(authType) && authType.trim().equalsIgnoreCase(KERBEROS_TYPE) && SecureClientLogin.isKerberosCredentialExists(lookupPrincipal, lookupKeytab)){
+ if(service != null && service.getConfigs() != null){
+ service.getConfigs().put(HadoopConfigHolder.RANGER_LOOKUP_PRINCIPAL, lookupPrincipal);
+ service.getConfigs().put(HadoopConfigHolder.RANGER_LOOKUP_KEYTAB, lookupKeytab);
+ service.getConfigs().put(HadoopConfigHolder.RANGER_NAME_RULES, nameRules);
+ }
+ }
+
Map<String, String> newConfigs = rangerSvcService.getConfigsWithDecryptedPassword(service);
service.setConfigs(newConfigs);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
index c461e83..106d910 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
@@ -77,6 +77,9 @@ public class SessionMgr {
RangerDaoManager daoManager;
@Autowired
+ XUserMgr xUserMgr;
+
+ @Autowired
AuthSessionService authSessionService;
@Autowired
@@ -118,6 +121,8 @@ public class SessionMgr {
}
if (newSessionCreation) {
+
+ getSpnegoAuthCheckForAPI(currentLoginId, httpRequest);
// Need to build the UserSession
XXPortalUser gjUser = daoManager.getXXPortalUser().findByLoginId(currentLoginId);
if (gjUser == null) {
@@ -157,6 +162,9 @@ public class SessionMgr {
userSession = new UserSessionBase();
userSession.setXXPortalUser(gjUser);
userSession.setXXAuthSession(gjAuthSession);
+ if(httpRequest.getAttribute("spnegoEnabled") != null && (boolean)httpRequest.getAttribute("spnegoEnabled")){
+ userSession.setSpnegoEnabled(true);
+ }
resetUserSessionForProfiles(userSession);
resetUserModulePermission(userSession);
@@ -180,6 +188,17 @@ public class SessionMgr {
return userSession;
}
+ private void getSpnegoAuthCheckForAPI(String currentLoginId, HttpServletRequest request) {
+
+ XXPortalUser gjUser = daoManager.getXXPortalUser().findByLoginId(currentLoginId);
+ if (gjUser == null && request.getAttribute("spnegoEnabled") != null && (boolean)request.getAttribute("spnegoEnabled")) {
+ if(logger.isDebugEnabled()){
+ logger.debug("User : "+currentLoginId+" doesn't exist in Ranger DB So creating user as it's spnego authenticated");
+ }
+ xUserMgr.createServiceConfigUser(currentLoginId);
+ }
+ }
+
public void resetUserModulePermission(UserSessionBase userSession) {
XXUser xUser = daoManager.getXXUser().findByUserName(userSession.getLoginId());
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
index 96ddf3f..571947c 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java
@@ -1813,7 +1813,7 @@ public class XUserMgr extends XUserMgrBase {
}
}
- protected VXUser createServiceConfigUser(String userName){
+ public VXUser createServiceConfigUser(String userName){
if (userName == null || "null".equalsIgnoreCase(userName) || userName.trim().isEmpty()) {
logger.error("User Name: "+userName);
throw restErrorUtil.createRESTException("Please provide a valid username.",MessageEnums.INVALID_INPUT_DATA);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java b/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
index 144a408..520aa88 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java
@@ -40,6 +40,7 @@ public class UserSessionBase implements Serializable {
private RangerUserPermission rangerUserPermission;
int clientTimeOffsetInMinute = 0;
private Boolean isSSOEnabled;
+ private Boolean isSpnegoEnabled = false;
public Long getUserId() {
if (xXPortalUser != null) {
@@ -137,6 +138,14 @@ public class UserSessionBase implements Serializable {
this.isSSOEnabled = isSSOEnabled;
}
+ public Boolean isSpnegoEnabled() {
+ return isSpnegoEnabled;
+ }
+
+ public void setSpnegoEnabled(Boolean isSpnegoEnabled) {
+ this.isSpnegoEnabled = isSpnegoEnabled;
+ }
+
public static class RangerUserPermission implements Serializable {
private static final long serialVersionUID = 1L;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
index b7c1b59..4432bac 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/PublicAPIsv2.java
@@ -38,6 +38,7 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.*;
import javax.ws.rs.core.Context;
+
import java.util.List;
@Path("public/v2")
@@ -187,15 +188,15 @@ public class PublicAPIsv2 {
@GET
@Path("/api/service/")
- @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
@Produces({ "application/json", "application/xml" })
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPISpnegoAccessible()")
public List<RangerService> searchServices(@Context HttpServletRequest request) {
return serviceREST.getServices(request).getServices();
}
@POST
@Path("/api/service/")
- @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
+ @PreAuthorize("@rangerPreAuthSecurityHandler.isAPISpnegoAccessible()")
@Produces({ "application/json", "application/xml" })
public RangerService createService(RangerService service) {
return serviceREST.createService(service);
[2/3] incubator-ranger git commit: RANGER-867 : Add Kerberos support
for ranger admin and clients
Posted by ga...@apache.org.
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
index c999f86..19a1509 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java
@@ -52,12 +52,14 @@ import org.apache.ranger.biz.ServiceDBStore;
import org.apache.ranger.biz.ServiceMgr;
import org.apache.ranger.biz.TagDBStore;
import org.apache.ranger.biz.XUserMgr;
+import org.apache.ranger.common.ContextUtil;
import org.apache.ranger.common.GUIDUtil;
import org.apache.ranger.common.MessageEnums;
import org.apache.ranger.common.RESTErrorUtil;
import org.apache.ranger.common.RangerSearchUtil;
import org.apache.ranger.common.RangerValidatorFactory;
import org.apache.ranger.common.ServiceUtil;
+import org.apache.ranger.common.UserSessionBase;
import org.apache.ranger.db.RangerDaoManager;
import org.apache.ranger.entity.XXPolicyExportAudit;
import org.apache.ranger.entity.XXService;
@@ -108,6 +110,8 @@ public class ServiceREST {
final static public String PARAM_SERVICE_NAME = "serviceName";
final static public String PARAM_POLICY_NAME = "policyName";
final static public String PARAM_UPDATE_IF_EXISTS = "updateIfExists";
+ private static final String Allowed_User_List_For_Download = "policy.download.auth.users";
+ private static final String Allowed_User_List_For_Grant_Revoke = "policy.grantrevoke.auth.users";
@Autowired
RESTErrorUtil restErrorUtil;
@@ -441,14 +445,16 @@ public class ServiceREST {
RangerServiceValidator validator = validatorFactory.getServiceValidator(svcStore);
validator.validate(service, Action.CREATE);
- bizUtil.hasAdminPermissions("Services");
+ UserSessionBase session = ContextUtil.getCurrentUserSession();
+ if(session != null && !session.isSpnegoEnabled()){
+ bizUtil.hasAdminPermissions("Services");
- // TODO: As of now we are allowing SYS_ADMIN to create all the
- // services including KMS
-
- XXServiceDef xxServiceDef = daoManager.getXXServiceDef().findByName(service.getType());
- bizUtil.hasKMSPermissions("Service", xxServiceDef.getImplclassname());
+ // TODO: As of now we are allowing SYS_ADMIN to create all the
+ // services including KMS
+ XXServiceDef xxServiceDef = daoManager.getXXServiceDef().findByName(service.getType());
+ bizUtil.hasKMSPermissions("Service", xxServiceDef.getImplclassname());
+ }
ret = svcStore.createService(service);
} catch(WebApplicationException excp) {
throw excp;
@@ -911,6 +917,119 @@ public class ServiceREST {
return ret;
}
+
+ @POST
+ @Path("/secure/services/grant/{serviceName}")
+ @Produces({ "application/json", "application/xml" })
+ public RESTResponse secureGrantAccess(@PathParam("serviceName") String serviceName, GrantRevokeRequest grantRequest, @Context HttpServletRequest request) throws Exception {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> ServiceREST.secureGrantAccess(" + serviceName + ", " + grantRequest + ")");
+ }
+ RESTResponse ret = new RESTResponse();
+ RangerPerfTracer perf = null;
+ boolean isAllowed = false;
+ boolean isKeyAdmin = bizUtil.isKeyAdmin();
+ if (serviceUtil.isValidateHttpsAuthentication(serviceName, request)) {
+ try {
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.scureGrantAccess(serviceName=" + serviceName + ")");
+ }
+ String userName = grantRequest.getGrantor();
+ Set<String> userGroups = userMgr.getGroupsForUser(userName);
+ RangerAccessResource resource = new RangerAccessResourceImpl(grantRequest.getResource());
+ boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
+
+ if(!isAdmin) {
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED, "", true);
+ }
+ // New Code
+ XXService xService = daoManager.getXXService().findByName(serviceName);
+ XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
+ RangerService rangerService = svcStore.getServiceByName(serviceName);
+
+ if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
+ if (isKeyAdmin) {
+ isAllowed = true;
+ }else {
+ isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Grant_Revoke);
+ }
+ }else{
+ if (isAdmin) {
+ isAllowed = true;
+ }
+ else{
+ isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Grant_Revoke);
+ }
+ }
+ // New Code
+ if (isAllowed) {
+ RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource);
+
+ if(policy != null) {
+ boolean policyUpdated = false;
+ policyUpdated = ServiceRESTUtil.processGrantRequest(policy, grantRequest);
+
+ if(policyUpdated) {
+ svcStore.updatePolicy(policy);
+ } else {
+ LOG.error("processSecureGrantRequest processing failed");
+ throw new Exception("processSecureGrantRequest processing failed");
+ }
+ } else {
+ policy = new RangerPolicy();
+ policy.setService(serviceName);
+ policy.setName("grant-" + System.currentTimeMillis()); // TODO: better policy name
+ policy.setDescription("created by grant");
+ policy.setIsAuditEnabled(grantRequest.getEnableAudit());
+ policy.setCreatedBy(userName);
+
+ Map<String, RangerPolicyResource> policyResources = new HashMap<String, RangerPolicyResource>();
+ Set<String> resourceNames = resource.getKeys();
+
+ if(! CollectionUtils.isEmpty(resourceNames)) {
+ for(String resourceName : resourceNames) {
+ RangerPolicyResource policyResource = new RangerPolicyResource(resource.getValue(resourceName));
+ policyResource.setIsRecursive(grantRequest.getIsRecursive());
+
+ policyResources.put(resourceName, policyResource);
+ }
+ }
+ policy.setResources(policyResources);
+
+ RangerPolicyItem policyItem = new RangerPolicyItem();
+
+ policyItem.setDelegateAdmin(grantRequest.getDelegateAdmin());
+ policyItem.getUsers().addAll(grantRequest.getUsers());
+ policyItem.getGroups().addAll(grantRequest.getGroups());
+
+ for(String accessType : grantRequest.getAccessTypes()) {
+ policyItem.getAccesses().add(new RangerPolicyItemAccess(accessType, Boolean.TRUE));
+ }
+
+ policy.getPolicyItems().add(policyItem);
+
+ svcStore.createPolicy(policy);
+ }
+ }else{
+ LOG.error("secureGrantAccess(" + serviceName + ", " + grantRequest + ") failed as User doesn't have permission to grant Policy");
+ }
+ } catch(WebApplicationException excp) {
+ throw excp;
+ } catch(Throwable excp) {
+ LOG.error("secureGrantAccess(" + serviceName + ", " + grantRequest + ") failed", excp);
+
+ throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
+ }
+
+ ret.setStatusCode(RESTResponse.STATUS_SUCCESS);
+ }
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== ServiceREST.secureGrantAccess(" + serviceName + ", " + grantRequest + "): " + ret);
+ }
+ return ret;
+ }
@POST
@Path("/services/revoke/{serviceName}")
@@ -976,6 +1095,86 @@ public class ServiceREST {
}
@POST
+ @Path("/secure/services/revoke/{serviceName}")
+ @Produces({ "application/json", "application/xml" })
+ public RESTResponse secureRevokeAccess(@PathParam("serviceName") String serviceName, GrantRevokeRequest revokeRequest, @Context HttpServletRequest request) throws Exception {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> ServiceREST.secureRevokeAccess(" + serviceName + ", " + revokeRequest + ")");
+ }
+ RESTResponse ret = new RESTResponse();
+ RangerPerfTracer perf = null;
+ if (serviceUtil.isValidateHttpsAuthentication(serviceName,request)) {
+ try {
+ if(RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG, "ServiceREST.secureRevokeAccess(serviceName=" + serviceName + ")");
+ }
+ String userName = revokeRequest.getGrantor();
+ Set<String> userGroups = userMgr.getGroupsForUser(userName);
+ RangerAccessResource resource = new RangerAccessResourceImpl(revokeRequest.getResource());
+ boolean isAdmin = hasAdminAccess(serviceName, userName, userGroups, resource);
+ boolean isAllowed = false;
+ boolean isKeyAdmin = bizUtil.isKeyAdmin();
+ if(!isAdmin) {
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_UNAUTHORIZED, "", true);
+ }
+
+ XXService xService = daoManager.getXXService().findByName(serviceName);
+ XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
+ RangerService rangerService = svcStore.getServiceByName(serviceName);
+
+ if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
+ if (isKeyAdmin) {
+ isAllowed = true;
+ }else {
+ isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Grant_Revoke);
+ }
+ }else{
+ if (isAdmin) {
+ isAllowed = true;
+ }
+ else{
+ isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Grant_Revoke);
+ }
+ }
+ // New Code
+ if (isAllowed) {
+ RangerPolicy policy = getExactMatchPolicyForResource(serviceName, resource);
+
+ if(policy != null) {
+ boolean policyUpdated = false;
+ policyUpdated = ServiceRESTUtil.processRevokeRequest(policy, revokeRequest);
+
+ if(policyUpdated) {
+ svcStore.updatePolicy(policy);
+ } else {
+ LOG.error("processSecureRevokeRequest processing failed");
+ throw new Exception("processSecureRevokeRequest processing failed");
+ }
+ } else {
+ // nothing to revoke!
+ }
+ }else{
+ LOG.error("secureRevokeAccess(" + serviceName + ", " + revokeRequest + ") failed as User doesn't have permission to revoke Policy");
+ }
+ } catch(WebApplicationException excp) {
+ throw excp;
+ } catch(Throwable excp) {
+ LOG.error("secureRevokeAccess(" + serviceName + ", " + revokeRequest + ") failed", excp);
+
+ throw restErrorUtil.createRESTException(excp.getMessage());
+ } finally {
+ RangerPerfTracer.log(perf);
+ }
+
+ ret.setStatusCode(RESTResponse.STATUS_SUCCESS);
+ }
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== ServiceREST.secureRevokeAccess(" + serviceName + ", " + revokeRequest + "): " + ret);
+ }
+ return ret;
+ }
+
+ @POST
@Path("/policies")
@Produces({ "application/json", "application/xml" })
public RangerPolicy createPolicy(RangerPolicy policy, @Context HttpServletRequest request) {
@@ -1558,7 +1757,6 @@ public class ServiceREST {
logMsg = excp.getMessage();
} finally {
createPolicyDownloadAudit(serviceName, lastKnownVersion, pluginId, httpCode, request);
-
RangerPerfTracer.log(perf);
}
@@ -1574,6 +1772,86 @@ public class ServiceREST {
return ret;
}
+
+ @GET
+ @Path("/secure/policies/download/{serviceName}")
+ @Produces({ "application/json", "application/xml" })
+ public ServicePolicies getSecureServicePoliciesIfUpdated(@PathParam("serviceName") String serviceName,@QueryParam("lastKnownVersion") Long lastKnownVersion,@QueryParam("pluginId") String pluginId,@Context HttpServletRequest request) throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> ServiceREST.getSecureServicePoliciesIfUpdated("+ serviceName + ", " + lastKnownVersion + ")");
+ }
+ ServicePolicies ret = null;
+ int httpCode = HttpServletResponse.SC_OK;
+ String logMsg = null;
+ RangerPerfTracer perf = null;
+ boolean isAllowed = false;
+ boolean isAdmin = bizUtil.isAdmin();
+ boolean isKeyAdmin = bizUtil.isKeyAdmin();
+
+ if (serviceUtil.isValidateHttpsAuthentication(serviceName, request)) {
+ if (lastKnownVersion == null) {
+ lastKnownVersion = Long.valueOf(-1);
+ }
+ try {
+ if (RangerPerfTracer.isPerfTraceEnabled(PERF_LOG)) {
+ perf = RangerPerfTracer.getPerfTracer(PERF_LOG,"ServiceREST.getSecureServicePoliciesIfUpdated(serviceName="+ serviceName + ",lastKnownVersion="+ lastKnownVersion + ")");
+ }
+ XXService xService = daoManager.getXXService().findByName(serviceName);
+ XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
+ RangerService rangerService = svcStore.getServiceByName(serviceName);
+
+ if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
+ if (isKeyAdmin) {
+ isAllowed = true;
+ }else {
+ isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Download);
+ if(!isAllowed){
+ isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Grant_Revoke);
+ }
+ }
+ }else{
+ if (isAdmin) {
+ isAllowed = true;
+ }
+ else{
+ isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Download);
+ if(!isAllowed){
+ isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Grant_Revoke);
+ }
+ }
+ }
+ if (isAllowed) {
+ ret = svcStore.getServicePoliciesIfUpdated(serviceName,lastKnownVersion);
+ if (ret == null) {
+ httpCode = HttpServletResponse.SC_NOT_MODIFIED;
+ logMsg = "No change since last update";
+ } else {
+ httpCode = HttpServletResponse.SC_OK;
+ logMsg = "Returning " + (ret.getPolicies() != null ? ret.getPolicies().size() : 0) + " policies. Policy version=" + ret.getPolicyVersion();
+ }
+ } else {
+ LOG.error("getSecureServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + ") failed as User doesn't have permission to download Policy");
+ httpCode = HttpServletResponse.SC_UNAUTHORIZED;
+ logMsg = "User doesn't have permission to download policy";
+ }
+ } catch (Throwable excp) {
+ LOG.error("getSecureServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + ") failed", excp);
+ httpCode = HttpServletResponse.SC_BAD_REQUEST;
+ logMsg = excp.getMessage();
+ } finally {
+ createPolicyDownloadAudit(serviceName, lastKnownVersion, pluginId, httpCode, request);
+ RangerPerfTracer.log(perf);
+ }
+ if (httpCode != HttpServletResponse.SC_OK) {
+ boolean logError = httpCode != HttpServletResponse.SC_NOT_MODIFIED;
+ throw restErrorUtil.createRESTException(httpCode, logMsg, logError);
+ }
+ }
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== ServiceREST.getSecureServicePoliciesIfUpdated(" + serviceName + ", " + lastKnownVersion + "): count=" + ((ret == null || ret.getPolicies() == null) ? 0 : ret.getPolicies().size()));
+ }
+ return ret;
+ }
private void createPolicyDownloadAudit(String serviceName, Long lastKnownVersion, String pluginId, int httpRespCode, HttpServletRequest request) {
try {
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java b/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java
index c69ceed..be70cfe 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/TagREST.java
@@ -20,15 +20,22 @@
package org.apache.ranger.rest;
import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.biz.RangerBizUtil;
import org.apache.ranger.biz.ServiceDBStore;
import org.apache.ranger.biz.TagDBStore;
import org.apache.ranger.common.RESTErrorUtil;
+import org.apache.ranger.db.RangerDaoManager;
+import org.apache.ranger.entity.XXService;
+import org.apache.ranger.entity.XXServiceDef;
+import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceResource;
import org.apache.ranger.plugin.model.RangerTag;
import org.apache.ranger.plugin.model.RangerTagResourceMap;
import org.apache.ranger.plugin.model.RangerTagDef;
+import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
import org.apache.ranger.plugin.store.TagStore;
import org.apache.ranger.plugin.store.TagValidator;
import org.apache.ranger.plugin.util.SearchFilter;
@@ -53,6 +60,7 @@ import java.util.List;
public class TagREST {
private static final Log LOG = LogFactory.getLog(TagREST.class);
+ private static final String Allowed_User_List_For_Tag_Download = "tag.download.auth.users";
@Autowired
RESTErrorUtil restErrorUtil;
@@ -62,6 +70,12 @@ public class TagREST {
@Autowired
TagDBStore tagStore;
+
+ @Autowired
+ RangerDaoManager daoManager;
+
+ @Autowired
+ RangerBizUtil bizUtil;
TagValidator validator;
@@ -1109,4 +1123,70 @@ public class TagREST {
return ret;
}
+
+ @GET
+ @Path(TagRESTConstants.TAGS_SECURE_DOWNLOAD + "{serviceName}")
+ @Produces({ "application/json", "application/xml" })
+ public ServiceTags getSecureServiceTagsIfUpdated(@PathParam("serviceName") String serviceName,
+ @QueryParam(TagRESTConstants.LAST_KNOWN_TAG_VERSION_PARAM) Long lastKnownVersion, @QueryParam("pluginId") String pluginId) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> TagREST.getSecureServiceTagsIfUpdated(" + serviceName + ", " + lastKnownVersion + ", " + pluginId + ")");
+ }
+
+ ServiceTags ret = null;
+ int httpCode = HttpServletResponse.SC_OK;
+ String logMsg = null;
+ boolean isAllowed = false;
+ boolean isAdmin = bizUtil.isAdmin();
+ boolean isKeyAdmin = bizUtil.isKeyAdmin();
+
+ try {
+ XXService xService = daoManager.getXXService().findByName(serviceName);
+ XXServiceDef xServiceDef = daoManager.getXXServiceDef().getById(xService.getType());
+ RangerService rangerService = svcStore.getServiceByName(serviceName);
+
+ if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
+ if (isKeyAdmin) {
+ isAllowed = true;
+ }else {
+ isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Tag_Download);
+ }
+ }else{
+ if (isAdmin) {
+ isAllowed = true;
+ }else{
+ isAllowed = bizUtil.isUserAllowed(rangerService, Allowed_User_List_For_Tag_Download);
+ }
+ }
+ if (isAllowed) {
+ ret = tagStore.getServiceTagsIfUpdated(serviceName, lastKnownVersion);
+
+ if(ret == null) {
+ httpCode = HttpServletResponse.SC_NOT_MODIFIED;
+ logMsg = "No change since last update";
+ } else {
+ httpCode = HttpServletResponse.SC_OK;
+ logMsg = "Returning " + (ret.getTags() != null ? ret.getTags().size() : 0) + " tags. Tag version=" + ret.getTagVersion();
+ }
+ }else{
+ // do nothing
+ }
+ } catch(Exception excp) {
+ LOG.error("getSecureServiceTagsIfUpdated(" + serviceName + ") failed", excp);
+
+ httpCode = HttpServletResponse.SC_BAD_REQUEST;
+ logMsg = excp.getMessage();
+ }
+
+ if(httpCode != HttpServletResponse.SC_OK) {
+ boolean logError = httpCode != HttpServletResponse.SC_NOT_MODIFIED;
+ throw restErrorUtil.createRESTException(httpCode, logMsg, logError);
+ }
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<==> TagREST.getSecureServiceTagsIfUpdated(" + serviceName + ", " + lastKnownVersion + ", " + pluginId + ")");
+ }
+
+ return ret;
+ }
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/security-admin/src/main/java/org/apache/ranger/rest/TagRESTConstants.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/TagRESTConstants.java b/security-admin/src/main/java/org/apache/ranger/rest/TagRESTConstants.java
index 919f814..7f836bc 100644
--- a/security-admin/src/main/java/org/apache/ranger/rest/TagRESTConstants.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/TagRESTConstants.java
@@ -34,6 +34,7 @@ public class TagRESTConstants {
static final String TAGTYPES_RESOURCE = "/types/";
static final String TAGTYPES_LOOKUP_RESOURCE = "/types/lookup/";
static final String TAGS_DOWNLOAD = "/download/";
+ static final String TAGS_SECURE_DOWNLOAD = "/secure/download/";
public static final String SERVICE_NAME_PARAM = "serviceName";
public static final String LAST_KNOWN_TAG_VERSION_PARAM = "lastKnownVersion";
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java b/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java
index daf732e..899d866 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java
@@ -93,4 +93,13 @@ public class RangerPreAuthSecurityHandler {
throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User is not allowed to access the API", true);
}
+ public boolean isAPISpnegoAccessible(){
+ UserSessionBase userSession = ContextUtil.getCurrentUserSession();
+ if (userSession != null && userSession.isSpnegoEnabled()) {
+ return true;
+ }else if(userSession != null && userSession.isUserAdmin()){
+ return true;
+ }
+ throw restErrorUtil.createRESTException(HttpServletResponse.SC_FORBIDDEN, "User is not allowed to access the API", true);
+ }
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
new file mode 100644
index 0000000..c58c987
--- /dev/null
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
@@ -0,0 +1,569 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.security.web.filter;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Enumeration;
+import java.util.EventListener;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.FilterRegistration;
+import javax.servlet.RequestDispatcher;
+import javax.servlet.Servlet;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRegistration;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.SessionCookieConfig;
+import javax.servlet.SessionTrackingMode;
+import javax.servlet.FilterRegistration.Dynamic;
+import javax.servlet.descriptor.JspConfigDescriptor;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.collections.iterators.IteratorEnumeration;
+import org.apache.ranger.biz.UserMgr;
+import org.apache.ranger.common.PropertiesUtil;
+import org.apache.ranger.security.handler.RangerAuthenticationProvider;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.apache.commons.lang.StringUtils;
+import org.apache.hadoop.security.SecureClientLogin;
+import org.springframework.security.web.authentication.WebAuthenticationDetails;
+
+public class RangerKRBAuthenticationFilter extends RangerKrbFilter {
+ Logger LOG = LoggerFactory.getLogger(RangerKRBAuthenticationFilter.class);
+
+ @Autowired
+ UserMgr userMgr;
+
+ static final String NAME_RULES = "hadoop.security.auth_to_local";
+ static final String TOKEN_VALID = "ranger.admin.kerberos.token.valid.seconds";
+ static final String COOKIE_DOMAIN = "ranger.admin.kerberos.cookie.domain";
+ static final String COOKIE_PATH = "ranger.admin.kerberos.cookie.path";
+ static final String PRINCIPAL = "ranger.spnego.kerberos.principal";
+ static final String KEYTAB = "ranger.spnego.kerberos.keytab";
+ static final String NAME_RULES_PARAM = "kerberos.name.rules";
+ static final String TOKEN_VALID_PARAM = "token.validity";
+ static final String COOKIE_DOMAIN_PARAM = "cookie.domain";
+ static final String COOKIE_PATH_PARAM = "cookie.path";
+ static final String PRINCIPAL_PARAM = "kerberos.principal";
+ static final String KEYTAB_PARAM = "kerberos.keytab";
+ static final String AUTH_TYPE = "type";
+ static final String RANGER_AUTH_TYPE = "hadoop.security.authentication";
+ static final String AUTH_COOKIE_NAME = "hadoop.auth";
+ static final String HOST_NAME = "ranger.service.host";
+
+ private static final String KERBEROS_TYPE = "kerberos";
+
+ public RangerKRBAuthenticationFilter() {
+ try {
+ init(null);
+ } catch (ServletException e) {
+ LOG.error("Error while initializing Filter : "+e.getMessage());
+ }
+ }
+
+ @Override
+ public void init(FilterConfig conf) throws ServletException {
+ final FilterConfig globalConf = conf;
+ final Map<String, String> params = new HashMap<String, String>();
+ params.put(AUTH_TYPE, PropertiesUtil.getProperty(RANGER_AUTH_TYPE, "simple"));
+ params.put(NAME_RULES_PARAM, PropertiesUtil.getProperty(NAME_RULES, "DEFAULT"));
+ params.put(TOKEN_VALID_PARAM, PropertiesUtil.getProperty(TOKEN_VALID,"30"));
+ params.put(COOKIE_DOMAIN_PARAM, PropertiesUtil.getProperty(COOKIE_DOMAIN, PropertiesUtil.getProperty(HOST_NAME, "localhost")));
+ params.put(COOKIE_PATH_PARAM, PropertiesUtil.getProperty(COOKIE_PATH, "/"));
+ try {
+ params.put(PRINCIPAL_PARAM, SecureClientLogin.getPrincipal(PropertiesUtil.getProperty(PRINCIPAL,""), PropertiesUtil.getProperty(HOST_NAME)));
+ } catch (IOException ignored) {
+ // do nothing
+ }
+ params.put(KEYTAB_PARAM, PropertiesUtil.getProperty(KEYTAB,""));
+
+ FilterConfig myConf = new FilterConfig() {
+ @Override
+ public ServletContext getServletContext() {
+ if (globalConf != null) {
+ return globalConf.getServletContext();
+ } else {
+ return noContext;
+ }
+ }
+
+ @SuppressWarnings("unchecked")
+ @Override
+ public Enumeration<String> getInitParameterNames() {
+ return new IteratorEnumeration(params.keySet().iterator());
+ }
+
+ @Override
+ public String getInitParameter(String param) {
+ return params.get(param);
+ }
+
+ @Override
+ public String getFilterName() {
+ return "KerberosFilter";
+ }
+ };
+ super.init(myConf);
+ }
+
+ @Override
+ protected void doFilter(FilterChain filterChain,
+ HttpServletRequest request, HttpServletResponse response)
+ throws IOException, ServletException {
+ String authType = PropertiesUtil.getProperty(RANGER_AUTH_TYPE);
+ String userName = null;
+ boolean checkCookie = response.containsHeader("Set-Cookie");
+ if(checkCookie){
+ Collection<String> authUserName = response.getHeaders("Set-Cookie");
+ if(authUserName != null){
+ Iterator<String> i = authUserName.iterator();
+ while(i.hasNext()){
+ String cookie = i.next();
+ if(!StringUtils.isEmpty(cookie)){
+ if(cookie.toLowerCase().startsWith(AUTH_COOKIE_NAME.toLowerCase()) && cookie.contains("u=")){
+ String[] split = cookie.split(";");
+ if(split != null){
+ for(String s : split){
+ if(!StringUtils.isEmpty(s) && s.toLowerCase().startsWith(AUTH_COOKIE_NAME.toLowerCase())){
+ int ustr = s.indexOf("u=");
+ if(ustr != -1){
+ int andStr = s.indexOf("&", ustr);
+ if(andStr != -1){
+ try{
+ userName = s.substring(ustr+2, andStr);
+ }catch(Exception e){
+ userName = null;
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ if((isSpnegoEnable(authType) && (!StringUtils.isEmpty(userName)))){
+ Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
+ if(existingAuth == null || !existingAuth.isAuthenticated()){
+ //--------------------------- To Create Ranger Session --------------------------------------
+ String rangerLdapDefaultRole = PropertiesUtil.getProperty("ranger.ldap.default.role", "ROLE_USER");
+ //if we get the userName from the token then log into ranger using the same user
+ final List<GrantedAuthority> grantedAuths = new ArrayList<>();
+ grantedAuths.add(new SimpleGrantedAuthority(rangerLdapDefaultRole));
+ final UserDetails principal = new User(userName, "",grantedAuths);
+ final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, "", grantedAuths);
+ WebAuthenticationDetails webDetails = new WebAuthenticationDetails(request);
+ ((AbstractAuthenticationToken) finalAuthentication).setDetails(webDetails);
+ RangerAuthenticationProvider authenticationProvider = new RangerAuthenticationProvider();
+ Authentication authentication = authenticationProvider.authenticate(finalAuthentication);
+ authentication = getGrantedAuthority(authentication);
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+ request.setAttribute("spnegoEnabled", true);
+ LOG.info("Logged into Ranger as = "+userName);
+ filterChain.doFilter(request, response);
+ }else{
+ try{
+ super.doFilter(filterChain, request, response);
+ }catch(Exception e){
+ LOG.error("Error RangerKRBAuthenticationFilter : "+e.getMessage());
+ }
+ }
+ }else{
+ filterChain.doFilter(request, response);
+ }
+ }
+
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response,
+ FilterChain filterChain) throws IOException, ServletException {
+ String authtype = PropertiesUtil.getProperty(RANGER_AUTH_TYPE);
+ HttpServletRequest httpRequest = (HttpServletRequest)request;
+ if(isSpnegoEnable(authtype)){
+ Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
+ String userName = null;
+ Cookie[] cookie = httpRequest.getCookies();
+ if(cookie != null){
+ for(Cookie c : cookie){
+ String cname = c.getName();
+ if(cname != null && cname.equalsIgnoreCase("u"))
+ {
+ int ustr = cname.indexOf("u=");
+ if(ustr != -1){
+ int andStr = cname.indexOf("&", ustr);
+ if(andStr != -1){
+ userName = cname.substring(ustr+2, andStr);
+ }
+ }
+ }else if(cname != null && cname.equalsIgnoreCase(AUTH_COOKIE_NAME)){
+ int ustr = cname.indexOf("u=");
+ if(ustr != -1){
+ int andStr = cname.indexOf("&", ustr);
+ if(andStr != -1){
+ userName = cname.substring(ustr+2, andStr);
+ }
+ }
+ }
+ }
+ }
+ if((existingAuth == null || !existingAuth.isAuthenticated()) && (!StringUtils.isEmpty(userName))){
+ //--------------------------- To Create Ranger Session --------------------------------------
+ String rangerLdapDefaultRole = PropertiesUtil.getProperty("ranger.ldap.default.role", "ROLE_USER");
+ //if we get the userName from the token then log into ranger using the same user
+ final List<GrantedAuthority> grantedAuths = new ArrayList<>();
+ grantedAuths.add(new SimpleGrantedAuthority(rangerLdapDefaultRole));
+ final UserDetails principal = new User(userName, "",grantedAuths);
+ final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(principal, "", grantedAuths);
+ WebAuthenticationDetails webDetails = new WebAuthenticationDetails(httpRequest);
+ ((AbstractAuthenticationToken) finalAuthentication).setDetails(webDetails);
+ RangerAuthenticationProvider authenticationProvider = new RangerAuthenticationProvider();
+ Authentication authentication = authenticationProvider.authenticate(finalAuthentication);
+ authentication = getGrantedAuthority(authentication);
+ SecurityContextHolder.getContext().setAuthentication(authentication);
+ request.setAttribute("spnegoEnabled", true);
+ LOG.info("Logged into Ranger as = "+userName);
+ }else{
+ try{
+ super.doFilter(request, response, filterChain);
+ }catch(Exception e){
+ LOG.error("Error RangerKRBAuthenticationFilter : "+e.getMessage());
+ }
+ }
+ }else{
+ filterChain.doFilter(request, response);
+ }
+ }
+
+ private boolean isSpnegoEnable(String authType){
+ String principal = PropertiesUtil.getProperty(PRINCIPAL);
+ String keytabPath = PropertiesUtil.getProperty(KEYTAB);
+ return ((!StringUtils.isEmpty(authType)) && authType.equalsIgnoreCase(KERBEROS_TYPE) && SecureClientLogin.isKerberosCredentialExists(principal, keytabPath));
+ }
+
+ private Authentication getGrantedAuthority(Authentication authentication) {
+ UsernamePasswordAuthenticationToken result=null;
+ if(authentication!=null && authentication.isAuthenticated()){
+ final List<GrantedAuthority> grantedAuths=getAuthorities(authentication.getName().toString());
+ final UserDetails userDetails = new User(authentication.getName().toString(), authentication.getCredentials().toString(),grantedAuths);
+ result = new UsernamePasswordAuthenticationToken(userDetails,authentication.getCredentials(),grantedAuths);
+ result.setDetails(authentication.getDetails());
+ return result;
+ }
+ return authentication;
+ }
+
+ private List<GrantedAuthority> getAuthorities(String username) {
+ Collection<String> roleList=userMgr.getRolesByLoginId(username);
+ final List<GrantedAuthority> grantedAuths = new ArrayList<>();
+ for(String role:roleList){
+ grantedAuths.add(new SimpleGrantedAuthority(role));
+ }
+ return grantedAuths;
+ }
+
+ protected static ServletContext noContext = new ServletContext() {
+
+ @Override
+ public void setSessionTrackingModes(
+ Set<SessionTrackingMode> sessionTrackingModes) {
+ }
+
+ @Override
+ public boolean setInitParameter(String name, String value) {
+ return false;
+ }
+
+ @Override
+ public void setAttribute(String name, Object object) {
+ }
+
+ @Override
+ public void removeAttribute(String name) {
+ }
+
+ @Override
+ public void log(String message, Throwable throwable) {
+ }
+
+ @Override
+ public void log(Exception exception, String msg) {
+ }
+
+ @Override
+ public void log(String msg) {
+ }
+
+ @Override
+ public String getVirtualServerName() {
+ return null;
+ }
+
+ @Override
+ public SessionCookieConfig getSessionCookieConfig() {
+ return null;
+ }
+
+ @Override
+ public Enumeration<Servlet> getServlets() {
+ return null;
+ }
+
+ @Override
+ public Map<String, ? extends ServletRegistration> getServletRegistrations() {
+ return null;
+ }
+
+ @Override
+ public ServletRegistration getServletRegistration(String servletName) {
+ return null;
+ }
+
+ @Override
+ public Enumeration<String> getServletNames() {
+ return null;
+ }
+
+ @Override
+ public String getServletContextName() {
+ return null;
+ }
+
+ @Override
+ public Servlet getServlet(String name) throws ServletException {
+ return null;
+ }
+
+ @Override
+ public String getServerInfo() {
+ return null;
+ }
+
+ @Override
+ public Set<String> getResourcePaths(String path) {
+ return null;
+ }
+
+ @Override
+ public InputStream getResourceAsStream(String path) {
+ return null;
+ }
+
+ @Override
+ public URL getResource(String path) throws MalformedURLException {
+ return null;
+ }
+
+ @Override
+ public RequestDispatcher getRequestDispatcher(String path) {
+ return null;
+ }
+
+ @Override
+ public String getRealPath(String path) {
+ return null;
+ }
+
+ @Override
+ public RequestDispatcher getNamedDispatcher(String name) {
+ return null;
+ }
+
+ @Override
+ public int getMinorVersion() {
+ return 0;
+ }
+
+ @Override
+ public String getMimeType(String file) {
+ return null;
+ }
+
+ @Override
+ public int getMajorVersion() {
+ return 0;
+ }
+
+ @Override
+ public JspConfigDescriptor getJspConfigDescriptor() {
+ return null;
+ }
+
+ @Override
+ public Enumeration<String> getInitParameterNames() {
+ return null;
+ }
+
+ @Override
+ public String getInitParameter(String name) {
+ return null;
+ }
+
+ @Override
+ public Map<String, ? extends FilterRegistration> getFilterRegistrations() {
+ return null;
+ }
+
+ @Override
+ public FilterRegistration getFilterRegistration(String filterName) {
+ return null;
+ }
+
+ @Override
+ public Set<SessionTrackingMode> getEffectiveSessionTrackingModes() {
+ return null;
+ }
+
+ @Override
+ public int getEffectiveMinorVersion() {
+ return 0;
+ }
+
+ @Override
+ public int getEffectiveMajorVersion() {
+ return 0;
+ }
+
+ @Override
+ public Set<SessionTrackingMode> getDefaultSessionTrackingModes() {
+ return null;
+ }
+
+ @Override
+ public String getContextPath() {
+ return null;
+ }
+
+ @Override
+ public ServletContext getContext(String uripath) {
+ return null;
+ }
+
+ @Override
+ public ClassLoader getClassLoader() {
+ return null;
+ }
+
+ @Override
+ public Enumeration<String> getAttributeNames() {
+ return null;
+ }
+
+ @Override
+ public Object getAttribute(String name) {
+ return null;
+ }
+
+ @Override
+ public void declareRoles(String... roleNames) {
+ }
+
+ @Override
+ public <T extends Servlet> T createServlet(Class<T> clazz)
+ throws ServletException {
+ return null;
+ }
+
+ @Override
+ public <T extends EventListener> T createListener(Class<T> clazz)
+ throws ServletException {
+ return null;
+ }
+
+ @Override
+ public <T extends Filter> T createFilter(Class<T> clazz)
+ throws ServletException {
+ return null;
+ }
+
+ @Override
+ public javax.servlet.ServletRegistration.Dynamic addServlet(
+ String servletName, Class<? extends Servlet> servletClass) {
+ return null;
+ }
+
+ @Override
+ public javax.servlet.ServletRegistration.Dynamic addServlet(
+ String servletName, Servlet servlet) {
+ return null;
+ }
+
+ @Override
+ public javax.servlet.ServletRegistration.Dynamic addServlet(
+ String servletName, String className) {
+ return null;
+ }
+
+ @Override
+ public void addListener(Class<? extends EventListener> listenerClass) {
+ }
+
+ @Override
+ public <T extends EventListener> void addListener(T t) {
+ }
+
+ @Override
+ public void addListener(String className) {
+ }
+
+ @Override
+ public Dynamic addFilter(String filterName,
+ Class<? extends Filter> filterClass) {
+ return null;
+ }
+
+ @Override
+ public Dynamic addFilter(String filterName, Filter filter) {
+ return null;
+ }
+
+ @Override
+ public Dynamic addFilter(String filterName, String className) {
+ return null;
+ }
+ };
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
new file mode 100644
index 0000000..88ab020
--- /dev/null
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
@@ -0,0 +1,576 @@
+/**
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License. See accompanying LICENSE file.
+ */
+package org.apache.ranger.security.web.filter;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.hadoop.classification.InterfaceStability;
+import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
+import org.apache.hadoop.security.authentication.client.AuthenticationException;
+import org.apache.hadoop.security.authentication.client.KerberosAuthenticator;
+import org.apache.hadoop.security.authentication.server.AuthenticationHandler;
+import org.apache.hadoop.security.authentication.server.AuthenticationToken;
+import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
+import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
+import org.apache.hadoop.security.authentication.util.*;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+import javax.servlet.http.HttpServletResponse;
+
+import java.io.IOException;
+import java.security.Principal;
+import java.text.SimpleDateFormat;
+import java.util.*;
+
+@InterfaceAudience.Private
+@InterfaceStability.Unstable
+public class RangerKrbFilter implements Filter {
+
+ private static Logger LOG = LoggerFactory.getLogger(RangerKrbFilter.class);
+
+ /**
+ * Constant for the property that specifies the configuration prefix.
+ */
+ public static final String CONFIG_PREFIX = "config.prefix";
+
+ /**
+ * Constant for the property that specifies the authentication handler to use.
+ */
+ public static final String AUTH_TYPE = "type";
+
+ /**
+ * Constant for the property that specifies the secret to use for signing the HTTP Cookies.
+ */
+ public static final String SIGNATURE_SECRET = "signature.secret";
+
+ public static final String SIGNATURE_SECRET_FILE = SIGNATURE_SECRET + ".file";
+
+ /**
+ * Constant for the configuration property that indicates the validity of the generated token.
+ */
+ public static final String AUTH_TOKEN_VALIDITY = "token.validity";
+
+ /**
+ * Constant for the configuration property that indicates the domain to use in the HTTP cookie.
+ */
+ public static final String COOKIE_DOMAIN = "cookie.domain";
+
+ /**
+ * Constant for the configuration property that indicates the path to use in the HTTP cookie.
+ */
+ public static final String COOKIE_PATH = "cookie.path";
+
+ /**
+ * Constant for the configuration property that indicates the name of the
+ * SignerSecretProvider class to use.
+ * Possible values are: "string", "random", "zookeeper", or a classname.
+ * If not specified, the "string" implementation will be used with
+ * SIGNATURE_SECRET; and if that's not specified, the "random" implementation
+ * will be used.
+ */
+ public static final String SIGNER_SECRET_PROVIDER =
+ "signer.secret.provider";
+
+ /**
+ * Constant for the ServletContext attribute that can be used for providing a
+ * custom implementation of the SignerSecretProvider. Note that the class
+ * should already be initialized. If not specified, SIGNER_SECRET_PROVIDER
+ * will be used.
+ */
+ public static final String SIGNER_SECRET_PROVIDER_ATTRIBUTE =
+ "signer.secret.provider.object";
+
+ private Properties config;
+ private Signer signer;
+ private SignerSecretProvider secretProvider;
+ private AuthenticationHandler authHandler;
+ private long validity;
+ private String cookieDomain;
+ private String cookiePath;
+
+ /**
+ * <p>Initializes the authentication filter and signer secret provider.</p>
+ * It instantiates and initializes the specified {@link
+ * AuthenticationHandler}.
+ *
+ * @param filterConfig filter configuration.
+ *
+ * @throws ServletException thrown if the filter or the authentication handler could not be initialized properly.
+ */
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ String configPrefix = filterConfig.getInitParameter(CONFIG_PREFIX);
+ configPrefix = (configPrefix != null) ? configPrefix + "." : "";
+ config = getConfiguration(configPrefix, filterConfig);
+ String authHandlerName = config.getProperty(AUTH_TYPE, null);
+ String authHandlerClassName;
+ if (authHandlerName == null) {
+ throw new ServletException("Authentication type must be specified: " +
+ PseudoAuthenticationHandler.TYPE + "|" +
+ KerberosAuthenticationHandler.TYPE + "|<class>");
+ }
+ if(StringUtils.equalsIgnoreCase(authHandlerName, PseudoAuthenticationHandler.TYPE)){
+ authHandlerClassName = PseudoAuthenticationHandler.class.getName();
+ }else if(StringUtils.equalsIgnoreCase(authHandlerName, KerberosAuthenticationHandler.TYPE)){
+ authHandlerClassName = KerberosAuthenticationHandler.class.getName();
+ } else {
+ authHandlerClassName = authHandlerName;
+ }
+
+ validity = Long.parseLong(config.getProperty(AUTH_TOKEN_VALIDITY, "36000"))
+ * 1000; //10 hours
+ initializeSecretProvider(filterConfig);
+
+ initializeAuthHandler(authHandlerClassName, filterConfig);
+
+ cookieDomain = config.getProperty(COOKIE_DOMAIN, null);
+ cookiePath = config.getProperty(COOKIE_PATH, null);
+ }
+
+ protected void initializeAuthHandler(String authHandlerClassName, FilterConfig filterConfig)
+ throws ServletException {
+ try {
+ Class<?> klass = Thread.currentThread().getContextClassLoader().loadClass(authHandlerClassName);
+ authHandler = (AuthenticationHandler) klass.newInstance();
+ authHandler.init(config);
+ } catch (ClassNotFoundException | InstantiationException |
+ IllegalAccessException ex) {
+ throw new ServletException(ex);
+ }
+ }
+
+ protected void initializeSecretProvider(FilterConfig filterConfig)
+ throws ServletException {
+ secretProvider = (SignerSecretProvider) filterConfig.getServletContext().
+ getAttribute(SIGNER_SECRET_PROVIDER_ATTRIBUTE);
+ if (secretProvider == null) {
+ // As tomcat cannot specify the provider object in the configuration.
+ // It'll go into this path
+ try {
+ secretProvider = constructSecretProvider(
+ filterConfig.getServletContext(),
+ config, false);
+ } catch (Exception ex) {
+ throw new ServletException(ex);
+ }
+ }
+ signer = new Signer(secretProvider);
+ }
+
+ public static SignerSecretProvider constructSecretProvider(
+ ServletContext ctx, Properties config,
+ boolean disallowFallbackToRandomSecretProvider) throws Exception {
+ long validity = Long.parseLong(config.getProperty(AUTH_TOKEN_VALIDITY,
+ "36000")) * 1000;
+
+ String name = config.getProperty(SIGNER_SECRET_PROVIDER);
+ if (StringUtils.isEmpty(name)) {
+ if (!disallowFallbackToRandomSecretProvider) {
+ name = "random";
+ } else {
+ name = "file";
+ }
+ }
+
+ SignerSecretProvider provider;
+ if ("file".equals(name)) {
+ provider = new FileSignerSecretProvider();
+ try {
+ provider.init(config, ctx, validity);
+ } catch (Exception e) {
+ if (!disallowFallbackToRandomSecretProvider) {
+ LOG.info("Unable to initialize FileSignerSecretProvider, " +
+ "falling back to use random secrets.");
+ provider = new RandomSignerSecretProvider();
+ provider.init(config, ctx, validity);
+ } else {
+ throw e;
+ }
+ }
+ } else if ("random".equals(name)) {
+ provider = new RandomSignerSecretProvider();
+ provider.init(config, ctx, validity);
+ } else if ("zookeeper".equals(name)) {
+ provider = new ZKSignerSecretProvider();
+ provider.init(config, ctx, validity);
+ } else {
+ provider = (SignerSecretProvider) Thread.currentThread().
+ getContextClassLoader().loadClass(name).newInstance();
+ provider.init(config, ctx, validity);
+ }
+ return provider;
+ }
+
+ /**
+ * Returns the configuration properties of the {@link RangerKrbFilter}
+ * without the prefix. The returned properties are the same that the
+ * {@link #getConfiguration(String, FilterConfig)} method returned.
+ *
+ * @return the configuration properties.
+ */
+ protected Properties getConfiguration() {
+ return config;
+ }
+
+ /**
+ * Returns the authentication handler being used.
+ *
+ * @return the authentication handler being used.
+ */
+ protected AuthenticationHandler getAuthenticationHandler() {
+ return authHandler;
+ }
+
+ /**
+ * Returns if a random secret is being used.
+ *
+ * @return if a random secret is being used.
+ */
+ protected boolean isRandomSecret() {
+ return secretProvider != null && secretProvider.getClass() == RandomSignerSecretProvider.class;
+ }
+
+ /**
+ * Returns if a custom implementation of a SignerSecretProvider is being used.
+ *
+ * @return if a custom implementation of a SignerSecretProvider is being used.
+ */
+ protected boolean isCustomSignerSecretProvider() {
+ Class<?> clazz = secretProvider != null ? secretProvider.getClass() : null;
+ return clazz != FileSignerSecretProvider.class && clazz !=
+ RandomSignerSecretProvider.class && clazz != ZKSignerSecretProvider
+ .class;
+ }
+
+ /**
+ * Returns the validity time of the generated tokens.
+ *
+ * @return the validity time of the generated tokens, in seconds.
+ */
+ protected long getValidity() {
+ return validity / 1000;
+ }
+
+ /**
+ * Returns the cookie domain to use for the HTTP cookie.
+ *
+ * @return the cookie domain to use for the HTTP cookie.
+ */
+ protected String getCookieDomain() {
+ return cookieDomain;
+ }
+
+ /**
+ * Returns the cookie path to use for the HTTP cookie.
+ *
+ * @return the cookie path to use for the HTTP cookie.
+ */
+ protected String getCookiePath() {
+ return cookiePath;
+ }
+
+ /**
+ * Destroys the filter.
+ * <p>
+ * It invokes the {@link AuthenticationHandler#destroy()} method to release any resources it may hold.
+ */
+ @Override
+ public void destroy() {
+ if (authHandler != null) {
+ authHandler.destroy();
+ authHandler = null;
+ }
+ }
+
+ /**
+ * Returns the filtered configuration (only properties starting with the specified prefix). The property keys
+ * are also trimmed from the prefix. The returned {@link Properties} object is used to initialized the
+ * {@link AuthenticationHandler}.
+ * <p>
+ * This method can be overriden by subclasses to obtain the configuration from other configuration source than
+ * the web.xml file.
+ *
+ * @param configPrefix configuration prefix to use for extracting configuration properties.
+ * @param filterConfig filter configuration object
+ *
+ * @return the configuration to be used with the {@link AuthenticationHandler} instance.
+ *
+ * @throws ServletException thrown if the configuration could not be created.
+ */
+ protected Properties getConfiguration(String configPrefix, FilterConfig filterConfig) throws ServletException {
+ Properties props = new Properties();
+ if(filterConfig != null){
+ Enumeration<?> names = filterConfig.getInitParameterNames();
+ if(names != null){
+ while (names.hasMoreElements()) {
+ String name = (String) names.nextElement();
+ if (name != null && configPrefix != null && name.startsWith(configPrefix)) {
+ String value = filterConfig.getInitParameter(name);
+ props.put(name.substring(configPrefix.length()), value);
+ }
+ }
+ }
+ }
+ return props;
+ }
+
+ /**
+ * Returns the full URL of the request including the query string.
+ * <p>
+ * Used as a convenience method for logging purposes.
+ *
+ * @param request the request object.
+ *
+ * @return the full URL of the request including the query string.
+ */
+ protected String getRequestURL(HttpServletRequest request) {
+ StringBuffer sb = request.getRequestURL();
+ if (request.getQueryString() != null) {
+ sb.append("?").append(request.getQueryString());
+ }
+ return sb.toString();
+ }
+
+ /**
+ * Returns the {@link AuthenticationToken} for the request.
+ * <p>
+ * It looks at the received HTTP cookies and extracts the value of the {@link AuthenticatedURL#AUTH_COOKIE}
+ * if present. It verifies the signature and if correct it creates the {@link AuthenticationToken} and returns
+ * it.
+ * <p>
+ * If this method returns <code>null</code> the filter will invoke the configured {@link AuthenticationHandler}
+ * to perform user authentication.
+ *
+ * @param request request object.
+ *
+ * @return the Authentication token if the request is authenticated, <code>null</code> otherwise.
+ *
+ * @throws IOException thrown if an IO error occurred.
+ * @throws AuthenticationException thrown if the token is invalid or if it has expired.
+ */
+ protected AuthenticationToken getToken(HttpServletRequest request) throws IOException, AuthenticationException {
+ AuthenticationToken token = null;
+ String tokenStr = null;
+ Cookie[] cookies = request.getCookies();
+ if (cookies != null) {
+ for (Cookie cookie : cookies) {
+ if (AuthenticatedURL.AUTH_COOKIE.equals(cookie.getName())) {
+ tokenStr = cookie.getValue();
+ try {
+ tokenStr = signer.verifyAndExtract(tokenStr);
+ } catch (SignerException ex) {
+ throw new AuthenticationException(ex);
+ }
+ break;
+ }
+ }
+ }
+ if (tokenStr != null) {
+ token = AuthenticationToken.parse(tokenStr);
+ if(token != null){
+ if (!token.getType().equals(authHandler.getType())) {
+ throw new AuthenticationException("Invalid AuthenticationToken type");
+ }
+ if (token.isExpired()) {
+ throw new AuthenticationException("AuthenticationToken expired");
+ }
+ }
+ }
+ return token;
+ }
+
+ /**
+ * If the request has a valid authentication token it allows the request to continue to the target resource,
+ * otherwise it triggers an authentication sequence using the configured {@link AuthenticationHandler}.
+ *
+ * @param request the request object.
+ * @param response the response object.
+ * @param filterChain the filter chain object.
+ *
+ * @throws IOException thrown if an IO error occurred.
+ * @throws ServletException thrown if a processing error occurred.
+ */
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
+ throws IOException, ServletException {
+ boolean unauthorizedResponse = true;
+ int errCode = HttpServletResponse.SC_UNAUTHORIZED;
+ AuthenticationException authenticationEx = null;
+ HttpServletRequest httpRequest = (HttpServletRequest) request;
+ HttpServletResponse httpResponse = (HttpServletResponse) response;
+ boolean isHttps = "https".equals(httpRequest.getScheme());
+ try {
+ boolean newToken = false;
+ AuthenticationToken token;
+ try {
+ token = getToken(httpRequest);
+ }
+ catch (AuthenticationException ex) {
+ ex.printStackTrace();
+ LOG.warn("AuthenticationToken ignored: " + ex.getMessage());
+ // will be sent back in a 401 unless filter authenticates
+ authenticationEx = ex;
+ token = null;
+ }
+ if (authHandler.managementOperation(token, httpRequest, httpResponse)) {
+ if (token == null) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Request [{}] triggering authentication", getRequestURL(httpRequest));
+ }
+ token = authHandler.authenticate(httpRequest, httpResponse);
+ if (token != null && token.getExpires() != 0 &&
+ token != AuthenticationToken.ANONYMOUS) {
+ token.setExpires(System.currentTimeMillis() + getValidity() * 1000);
+ }
+ newToken = true;
+ }
+ if (token != null) {
+ unauthorizedResponse = false;
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Request [{}] user [{}] authenticated", getRequestURL(httpRequest), token.getUserName());
+ }
+ final AuthenticationToken authToken = token;
+ httpRequest = new HttpServletRequestWrapper(httpRequest) {
+
+ @Override
+ public String getAuthType() {
+ return authToken.getType();
+ }
+
+ @Override
+ public String getRemoteUser() {
+ return authToken.getUserName();
+ }
+
+ @Override
+ public Principal getUserPrincipal() {
+ return (authToken != AuthenticationToken.ANONYMOUS) ? authToken : null;
+ }
+ };
+ if (newToken && !token.isExpired() && token != AuthenticationToken.ANONYMOUS) {
+ String signedToken = signer.sign(token.toString());
+ createAuthCookie(httpResponse, signedToken, getCookieDomain(),
+ getCookiePath(), token.getExpires(), isHttps);
+ }
+ doFilter(filterChain, httpRequest, httpResponse);
+ }
+ } else {
+ unauthorizedResponse = false;
+ }
+ } catch (AuthenticationException ex) {
+ // exception from the filter itself is fatal
+ ex.printStackTrace();
+ errCode = HttpServletResponse.SC_FORBIDDEN;
+ authenticationEx = ex;
+ LOG.warn("Authentication exception: " + ex.getMessage(), ex);
+ }
+ if (unauthorizedResponse) {
+ if (!httpResponse.isCommitted()) {
+ createAuthCookie(httpResponse, "", getCookieDomain(),
+ getCookiePath(), 0, isHttps);
+ // If response code is 401. Then WWW-Authenticate Header should be
+ // present.. reset to 403 if not found..
+ if ((errCode == HttpServletResponse.SC_UNAUTHORIZED)
+ && (!httpResponse.containsHeader(
+ KerberosAuthenticator.WWW_AUTHENTICATE))) {
+ errCode = HttpServletResponse.SC_FORBIDDEN;
+ }
+ if (authenticationEx == null) {
+ boolean chk = true;
+ Collection<String> headerNames = httpResponse.getHeaderNames();
+ for(String headerName : headerNames){
+ String value = httpResponse.getHeader(headerName);
+ if(headerName.equalsIgnoreCase("Set-Cookie") && value.startsWith("JSESSIONID")){
+ chk = false;
+ break;
+ }
+ }
+ String authHeader = httpRequest.getHeader("Authorization");
+ if(authHeader == null && chk){
+ filterChain.doFilter(request, response);
+ }else if(authHeader != null && authHeader.startsWith("Basic")){
+ filterChain.doFilter(request, response);
+ }
+ } else {
+ httpResponse.sendError(errCode, authenticationEx.getMessage());
+ }
+ }
+ }
+ }
+
+ /**
+ * Delegates call to the servlet filter chain. Sub-classes my override this
+ * method to perform pre and post tasks.
+ */
+ protected void doFilter(FilterChain filterChain, HttpServletRequest request,
+ HttpServletResponse response) throws IOException, ServletException {
+ filterChain.doFilter(request, response);
+ }
+
+ /**
+ * Creates the Hadoop authentication HTTP cookie.
+ *
+ * @param token authentication token for the cookie.
+ * @param expires UNIX timestamp that indicates the expire date of the
+ * cookie. It has no effect if its value < 0.
+ *
+ * XXX the following code duplicate some logic in Jetty / Servlet API,
+ * because of the fact that Hadoop is stuck at servlet 2.5 and jetty 6
+ * right now.
+ */
+ public static void createAuthCookie(HttpServletResponse resp, String token,
+ String domain, String path, long expires,
+ boolean isSecure) {
+ StringBuilder sb = new StringBuilder(AuthenticatedURL.AUTH_COOKIE)
+ .append("=");
+ if (token != null && token.length() > 0) {
+ sb.append("\"").append(token).append("\"");
+ }
+
+ if (path != null) {
+ sb.append("; Path=").append(path);
+ }
+
+ if (domain != null) {
+ sb.append("; Domain=").append(domain);
+ }
+
+ if (expires >= 0) {
+ Date date = new Date(expires);
+ SimpleDateFormat df = new SimpleDateFormat("EEE, " +
+ "dd-MMM-yyyy HH:mm:ss zzz");
+ df.setTimeZone(TimeZone.getTimeZone("GMT"));
+ sb.append("; Expires=").append(df.format(date));
+ }
+
+ if (isSecure) {
+ sb.append("; Secure");
+ }
+
+ sb.append("; HttpOnly");
+ resp.addHeader("Set-Cookie", sb.toString());
+ }
+}
+
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
index b2ec9de..7d748c5 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
@@ -233,4 +233,42 @@
<value>Mozilla,chrome</value>
</property>
<!-- SSO Properties Ends-->
+ <!-- Kerberos Properties starts-->
+ <property>
+ <name>ranger.admin.kerberos.token.valid.seconds</name>
+ <value>30</value>
+ </property>
+ <property>
+ <name>ranger.admin.kerberos.cookie.domain</name>
+ <value></value>
+ </property>
+ <property>
+ <name>ranger.admin.kerberos.cookie.path</name>
+ <value>/</value>
+ </property>
+ <property>
+ <name>ranger.admin.kerberos.principal</name>
+ <value>rangeradmin/_HOST@REALM</value>
+ </property>
+ <property>
+ <name>ranger.admin.kerberos.keytab</name>
+ <value></value>
+ </property>
+ <property>
+ <name>ranger.spnego.kerberos.principal</name>
+ <value>HTTP/_HOST@REALM</value>
+ </property>
+ <property>
+ <name>ranger.spnego.kerberos.keytab</name>
+ <value></value>
+ </property>
+ <property>
+ <name>ranger.lookup.kerberos.principal</name>
+ <value>rangerlookup/_HOST@REALM</value>
+ </property>
+ <property>
+ <name>ranger.lookup.kerberos.keytab</name>
+ <value></value>
+ </property>
+ <!-- Kerberos Properties ENDs-->
</configuration>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
index 2f711ad..6becfcd 100644
--- a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
+++ b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
@@ -36,6 +36,7 @@ http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd">
<security:http pattern="/scripts/**" security="none" />
<security:http pattern="/libs/**" security="none" />
<security:http pattern="/images/**" security="none" />
+ <security:http pattern="/templates/**" security="none" />
<security:http pattern="/service/assets/policyList/*" security="none"/>
<security:http pattern="/service/assets/resources/grant" security="none"/>
<security:http pattern="/service/assets/resources/revoke" security="none"/>
@@ -48,7 +49,7 @@ http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd">
<security:session-management session-fixation-protection="newSession" />
<intercept-url pattern="/**" access="isAuthenticated()"/>
<custom-filter ref="ssoAuthenticationFilter" after="BASIC_AUTH_FILTER" />
-
+ <security:custom-filter ref="krbAuthenticationFilter" after="SERVLET_API_SUPPORT_FILTER" />
<security:custom-filter position="FORM_LOGIN_FILTER" ref="customUsernamePasswordAuthenticationFilter"/>
<security:custom-filter position="LAST" ref="userContextFormationFilter"/>
@@ -89,7 +90,10 @@ http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd">
<beans:bean id="customLogoutSuccessHandler" class="org.apache.ranger.security.web.authentication.CustomLogoutSuccessHandler">
</beans:bean>
- <beans:bean id="ssoAuthenticationFilter" class="org.apache.ranger.security.web.filter.RangerSSOAuthenticationFilter">
+ <beans:bean id="krbAuthenticationFilter" class="org.apache.ranger.security.web.filter.RangerKRBAuthenticationFilter">
+ </beans:bean>
+
+ <beans:bean id="ssoAuthenticationFilter" class="org.apache.ranger.security.web.filter.RangerSSOAuthenticationFilter">
</beans:bean>
<beans:bean id="userContextFormationFilter" class="org.apache.ranger.security.web.filter.RangerSecurityContextFormationFilter"/>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/security-admin/src/main/resources/resourcenamemap.properties
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/resourcenamemap.properties b/security-admin/src/main/resources/resourcenamemap.properties
index 201c0fa..16bf704 100644
--- a/security-admin/src/main/resources/resourcenamemap.properties
+++ b/security-admin/src/main/resources/resourcenamemap.properties
@@ -16,3 +16,5 @@
username=xalogin.xml
keytabfile=xalogin.xml
password=xalogin.xml
+lookupprincipal=xalogin.xml
+lookupkeytab=xalogin.xml
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/security-admin/src/main/webapp/META-INF/applicationContext.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/webapp/META-INF/applicationContext.xml b/security-admin/src/main/webapp/META-INF/applicationContext.xml
index c1a9387..17f35a2 100644
--- a/security-admin/src/main/webapp/META-INF/applicationContext.xml
+++ b/security-admin/src/main/webapp/META-INF/applicationContext.xml
@@ -91,8 +91,9 @@ http://www.springframework.org/schema/util/spring-util.xsd">
<!-- <value>classpath:xa_system.properties</value> -->
<!-- <value>classpath:xa_custom.properties</value> -->
<!-- <value>classpath:xa_ldap.properties</value> -->
+ <value>classpath:core-site.xml</value>
<value>classpath:ranger-admin-default-site.xml</value>
- <value>classpath:ranger-admin-site.xml</value>
+ <value>classpath:ranger-admin-site.xml</value>
</list>
</property>
<property name="propertiesPersister" ref="xmlPropertyConfigurer" />
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
index 083c777..48acaa0 100644
--- a/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
+++ b/security-admin/src/test/java/org/apache/ranger/rest/TestServiceREST.java
@@ -499,7 +499,6 @@ public class TestServiceREST {
dbRangerService.getUpdatedBy());
Mockito.verify(validatorFactory).getServiceValidator(svcStore);
- Mockito.verify(daoManager).getXXServiceDef();
Mockito.verify(svcStore).createService(rangerService);
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/src/main/assembly/admin-web.xml
----------------------------------------------------------------------
diff --git a/src/main/assembly/admin-web.xml b/src/main/assembly/admin-web.xml
index ca68ac6..ea24bf4 100644
--- a/src/main/assembly/admin-web.xml
+++ b/src/main/assembly/admin-web.xml
@@ -200,6 +200,12 @@
<includes>
<include>org.apache.tomcat.embed:tomcat-embed*</include>
<include>org.eclipse.jdt.core.compiler:ecj:jar:P20140317-1600</include>
+ <include>log4j:log4j</include>
+ <include>org.apache.hadoop:hadoop-auth:jar:${hadoop-common.version}</include>
+ <include>org.apache.ranger:ranger-plugins-common</include>
+ <include>org.slf4j:slf4j-api</include>
+ <include>org.apache.hadoop:hadoop-common</include>
+ <include>commons-logging:commons-logging</include>
</includes>
<unpack>false</unpack>
</dependencySet>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/src/main/assembly/usersync.xml
----------------------------------------------------------------------
diff --git a/src/main/assembly/usersync.xml b/src/main/assembly/usersync.xml
index b032a1d..e60aae0 100644
--- a/src/main/assembly/usersync.xml
+++ b/src/main/assembly/usersync.xml
@@ -53,6 +53,7 @@
<include>org.apache.htrace:htrace-core</include>
<include>commons-httpclient:commons-httpclient</include>
<include>commons-codec:commons-codec</include>
+ <include>org.apache.ranger:ranger-plugins-common</include>
</includes>
<unpack>false</unpack>
</dependencySet>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormClient.java
----------------------------------------------------------------------
diff --git a/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormClient.java b/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormClient.java
index 74170fe..432ed78 100644
--- a/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormClient.java
+++ b/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormClient.java
@@ -33,7 +33,9 @@ import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.commons.io.FilenameUtils;
+import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.security.KrbPasswordSaverLoginModule;
+import org.apache.hadoop.security.SecureClientLogin;
import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.apache.log4j.Logger;
import org.apache.ranger.plugin.client.BaseClient;
@@ -62,12 +64,18 @@ public class StormClient {
String stormUIUrl;
String userName;
String password;
+ String lookupPrincipal;
+ String lookupKeytab;
+ String nameRules;
- public StormClient(String aStormUIUrl, String aUserName, String aPassword) {
+ public StormClient(String aStormUIUrl, String aUserName, String aPassword, String lookupPrincipal, String lookupKeytab, String nameRules) {
this.stormUIUrl = aStormUIUrl;
this.userName = aUserName ;
this.password = aPassword;
+ this.lookupPrincipal = lookupPrincipal;
+ this.lookupKeytab = lookupKeytab;
+ this.nameRules = nameRules;
if (LOG.isDebugEnabled()) {
LOG.debug("Storm Client is build with url [" + aStormUIUrl + "] user: [" + aUserName + "], password: [" + "" + "]");
@@ -173,7 +181,7 @@ public class StormClient {
} ;
try {
- ret = executeUnderKerberos(this.userName, this.password, topologyListGetter) ;
+ ret = executeUnderKerberos(this.userName, this.password, this.lookupPrincipal, this.lookupKeytab, this.nameRules, topologyListGetter) ;
} catch (IOException e) {
LOG.error("Unable to get Topology list from [" + stormUIUrl + "]", e) ;
}
@@ -181,7 +189,7 @@ public class StormClient {
return ret;
}
- public static <T> T executeUnderKerberos(String userName, String password,
+ public static <T> T executeUnderKerberos(String userName, String password, String lookupPrincipal, String lookupKeytab, String nameRules,
PrivilegedAction<T> action) throws IOException {
final String errMsg = errMessage;
@@ -247,20 +255,28 @@ public class StormClient {
LoginContext loginContext = null;
try {
- subject = new Subject();
- LOG.debug("executeUnderKerberos():user=" + userName + ",pass=");
- LOG.debug("executeUnderKerberos():Creating config..");
- MySecureClientLoginConfiguration loginConf = new MySecureClientLoginConfiguration(
- userName, password);
- LOG.debug("executeUnderKerberos():Creating Context..");
- loginContext = new LoginContext("hadoop-keytab-kerberos", subject,
- null, loginConf);
-
- LOG.debug("executeUnderKerberos():Logging in..");
- loginContext.login();
-
- Subject loginSubj = loginContext.getSubject();
-
+ Subject loginSubj = null;
+ if(!StringUtils.isEmpty(lookupPrincipal) && !StringUtils.isEmpty(lookupKeytab)){
+ LOG.info("Init Lookup Login: security enabled, using lookupPrincipal/lookupKeytab");
+ if(StringUtils.isEmpty(nameRules)){
+ nameRules = "DEFAULT";
+ }
+ loginSubj = SecureClientLogin.loginUserFromKeytab(lookupPrincipal, lookupKeytab, nameRules);
+ }else{
+ subject = new Subject();
+ LOG.debug("executeUnderKerberos():user=" + userName + ",pass=");
+ LOG.debug("executeUnderKerberos():Creating config..");
+ MySecureClientLoginConfiguration loginConf = new MySecureClientLoginConfiguration(
+ userName, password);
+ LOG.debug("executeUnderKerberos():Creating Context..");
+ loginContext = new LoginContext("hadoop-keytab-kerberos", subject,
+ null, loginConf);
+
+ LOG.debug("executeUnderKerberos():Logging in..");
+ loginContext.login();
+ LOG.info("Init Login: using username/password");
+ loginSubj = loginContext.getSubject();
+ }
if (loginSubj != null) {
ret = Subject.doAs(loginSubj, action);
}
@@ -344,8 +360,11 @@ public class StormClient {
String stormUrl = configs.get("nimbus.url");
String stormAdminUser = configs.get("username");
String stormAdminPassword = configs.get("password");
+ String lookupPrincipal = configs.get("lookupprincipal");
+ String lookupKeytab = configs.get("lookupkeytab");
+ String nameRules = configs.get("namerules");
stormClient = new StormClient(stormUrl, stormAdminUser,
- stormAdminPassword);
+ stormAdminPassword, lookupPrincipal, lookupKeytab, nameRules);
}
return stormClient;
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormConnectionMgr.java
----------------------------------------------------------------------
diff --git a/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormConnectionMgr.java b/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormConnectionMgr.java
index 5d008e7..55e52e2 100644
--- a/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormConnectionMgr.java
+++ b/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormConnectionMgr.java
@@ -19,6 +19,7 @@
package org.apache.ranger.services.storm.client;
+import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
@@ -26,16 +27,18 @@ public class StormConnectionMgr {
public static final Logger LOG = Logger.getLogger(StormConnectionMgr.class);
- public static StormClient getStormClient(final String stormUIURL, String userName, String password) {
+ public static StormClient getStormClient(final String stormUIURL, String userName, String password, String lookupPrincipal, String lookupKeytab, String nameRules) {
StormClient stormClient = null;
if (stormUIURL == null || stormUIURL.isEmpty()) {
LOG.error("Can not create StormClient: stormUIURL is empty");
- } else if (userName == null || userName.isEmpty()) {
- LOG.error("Can not create StormClient: stormAdminUser is empty");
- } else if (password == null || password.isEmpty()) {
- LOG.error("Can not create StormClient: stormAdminPassword is empty");
- } else {
- stormClient = new StormClient(stormUIURL, userName, password);
+ } else if(StringUtils.isEmpty(lookupPrincipal) || StringUtils.isEmpty(lookupKeytab)){
+ if (userName == null || userName.isEmpty()) {
+ LOG.error("Can not create StormClient: stormAdminUser is empty");
+ } else if (password == null || password.isEmpty()) {
+ LOG.error("Can not create StormClient: stormAdminPassword is empty");
+ }
+ }else {
+ stormClient = new StormClient(stormUIURL, userName, password, lookupPrincipal, lookupKeytab, nameRules);
}
return stormClient;
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormResourceMgr.java
----------------------------------------------------------------------
diff --git a/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormResourceMgr.java b/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormResourceMgr.java
index a16fce1..bf9fea3 100644
--- a/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormResourceMgr.java
+++ b/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormResourceMgr.java
@@ -75,14 +75,17 @@ public class StormResourceMgr {
String url = configs.get("nimbus.url");
String username = configs.get("username");
String password = configs.get("password");
- resultList = getStormResources(url, username, password,StromTopologyName,StormTopologyList) ;
+ String lookupPrincipal = configs.get("lookupprincipal");
+ String lookupKeytab = configs.get("lookupkeytab");
+ String nameRules = configs.get("namerules");
+ resultList = getStormResources(url, username, password,lookupPrincipal, lookupKeytab, nameRules, StromTopologyName,StormTopologyList) ;
}
return resultList ;
}
- public static List<String> getStormResources(String url, String username, String password,String topologyName, List<String> StormTopologyList) {
+ public static List<String> getStormResources(String url, String username, String password, String lookupPrincipal, String lookupKeytab, String nameRules, String topologyName, List<String> StormTopologyList) {
List<String> topologyList = null;
- final StormClient stormClient = StormConnectionMgr.getStormClient(url, username, password);
+ final StormClient stormClient = StormConnectionMgr.getStormClient(url, username, password, lookupPrincipal, lookupKeytab, nameRules);
if (stormClient == null) {
LOG.error("Storm Client is null");
return new ArrayList<String>();
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/tagsync/conf/templates/installprop2xml.properties
----------------------------------------------------------------------
diff --git a/tagsync/conf/templates/installprop2xml.properties b/tagsync/conf/templates/installprop2xml.properties
index a6840b0..8f0ea75 100644
--- a/tagsync/conf/templates/installprop2xml.properties
+++ b/tagsync/conf/templates/installprop2xml.properties
@@ -40,4 +40,7 @@ TAGSYNC_ATLAS_ZOOKEEPER_ENDPOINT = atlas.kafka.zookeeper.connect
TAGSYNC_ATLAS_CONSUMER_GROUP = atlas.kafka.entities.group.id
TAGSYNC_ATLAS_TO_RANGER_SERVICE_MAPPING = ranger.tagsync.atlas.to.service.mapping
-TAGSYNC_SOURCE_ATLAS_CUSTOM_RESOURCE_MAPPERS = ranger.tagsync.source.atlas.custom.resource.mappers
\ No newline at end of file
+TAGSYNC_SOURCE_ATLAS_CUSTOM_RESOURCE_MAPPERS = ranger.tagsync.source.atlas.custom.resource.mappers
+
+tagsync_principal = ranger.tagsync.kerberos.principal
+tagsync_keytab = ranger.tagsync.kerberos.keytab
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/tagsync/conf/templates/ranger-tagsync-template.xml
----------------------------------------------------------------------
diff --git a/tagsync/conf/templates/ranger-tagsync-template.xml b/tagsync/conf/templates/ranger-tagsync-template.xml
index bad71bd..d82b6d1 100644
--- a/tagsync/conf/templates/ranger-tagsync-template.xml
+++ b/tagsync/conf/templates/ranger-tagsync-template.xml
@@ -70,4 +70,13 @@
<property>
<name>ranger.tagsync.source.atlas.custom.resource.mappers</name>
<value></value>
- </property></configuration>
+ </property>
+ <property>
+ <name>ranger.tagsync.kerberos.keytab</name>
+ <value></value>
+ </property>
+ <property>
+ <name>ranger.tagsync.kerberos.principal</name>
+ <value></value>
+ </property>
+</configuration>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/tagsync/scripts/install.properties
----------------------------------------------------------------------
diff --git a/tagsync/scripts/install.properties b/tagsync/scripts/install.properties
index b6665d1..695371d 100644
--- a/tagsync/scripts/install.properties
+++ b/tagsync/scripts/install.properties
@@ -34,6 +34,11 @@ logdir = log
# URL for TagAdmin
TAGADMIN_ENDPOINT = http://localhost:6080
+#Set to run in kerberos environment
+tagsync_principal=
+tagsync_keytab=
+hadoop_conf=/etc/hadoop/conf
+
# SSL config file name for TagAdmin
TAGADMIN_SSL_CONFIG_FILENAME =
@@ -82,4 +87,4 @@ TAGSYNC_ATLAS_TO_RANGER_SERVICE_MAPPING=
# RangerServiceResource structures are specified here. If there are no custom mappers,
# then it can be left blank
-TAGSYNC_SOURCE_ATLAS_CUSTOM_RESOURCE_MAPPERS=
\ No newline at end of file
+TAGSYNC_SOURCE_ATLAS_CUSTOM_RESOURCE_MAPPERS=
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/tagsync/scripts/ranger-tagsync-services.sh
----------------------------------------------------------------------
diff --git a/tagsync/scripts/ranger-tagsync-services.sh b/tagsync/scripts/ranger-tagsync-services.sh
index add42ee..1235e86 100755
--- a/tagsync/scripts/ranger-tagsync-services.sh
+++ b/tagsync/scripts/ranger-tagsync-services.sh
@@ -59,7 +59,7 @@ if [ "${action}" == "START" ]; then
chmod 777 $logdir
fi
- cp="${cdir}/conf:${cdir}/dist/*:${cdir}/lib/*"
+ cp="${cdir}/conf:${cdir}/dist/*:${cdir}/lib/*:${RANGER_TAGSYNC_HADOOP_CONF_DIR}/*"
if [ -f $pidf ]; then
PID=`cat $pidf`
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/tagsync/scripts/setup.py
----------------------------------------------------------------------
diff --git a/tagsync/scripts/setup.py b/tagsync/scripts/setup.py
index 59cb5c8..1abb1c8 100755
--- a/tagsync/scripts/setup.py
+++ b/tagsync/scripts/setup.py
@@ -80,6 +80,25 @@ TAG_SOURCE_ATLAS = 'atlas'
TAG_SOURCE_ATLASREST = 'atlasrest'
TAG_SOURCE_FILE = 'file'
+hadoopConfFileName = 'core-site.xml'
+ENV_HADOOP_CONF_FILE = "ranger-tagsync-env-hadoopconfdir.sh"
+globalDict = {}
+
+RANGER_TAGSYNC_HOME = os.getenv("RANGER_TAGSYNC_HOME")
+if RANGER_TAGSYNC_HOME is None:
+ RANGER_TAGSYNC_HOME = os.getcwd()
+
+def populate_global_dict():
+ global globalDict
+ read_config_file = open(os.path.join(RANGER_TAGSYNC_HOME,'install.properties'))
+ for each_line in read_config_file.read().split('\n') :
+ if len(each_line) == 0 : continue
+ if re.search('=', each_line):
+ key , value = each_line.strip().split("=",1)
+ key = key.strip()
+ value = value.strip()
+ globalDict[key] = value
+
def archiveFile(originalFileName):
archiveDir = dirname(originalFileName)
archiveFileName = "." + basename(originalFileName) + "." + (strftime("%d%m%Y%H%M%S", localtime()))
@@ -258,11 +277,32 @@ def initializeInitD():
os.remove(ubinScriptName)
os.symlink(localScriptName,ubinScriptName)
+def write_env_files(exp_var_name, log_path, file_name):
+ final_path = "{0}/{1}".format(confBaseDirName,file_name)
+ if not os.path.isfile(final_path):
+ print "Creating %s file" % file_name
+ f = open(final_path, "w")
+ f.write("export {0}={1}".format(exp_var_name,log_path))
+ f.close()
def main():
print "\nINFO: Installing ranger-tagsync .....\n"
+ populate_global_dict()
+ hadoop_conf = globalDict['hadoop_conf']
+
+ hadoop_conf_full_path = os.path.join(hadoop_conf, hadoopConfFileName)
+ tagsync_conf_full_path = os.path.join(tagsyncBaseDirFullName,confBaseDirName,hadoopConfFileName)
+ if not isfile(hadoop_conf_full_path):
+ print "WARN: core-site.xml file not found in provided hadoop conf path..."
+ f = open(tagsync_conf_full_path, "w")
+ f.write("<configuration></configuration>")
+ f.close()
+ else:
+ if os.path.islink(tagsync_conf_full_path):
+ os.remove(tagsync_conf_full_path)
+
dirList = [ rangerBaseDirName, tagsyncBaseDirFullName, confFolderName ]
for dir in dirList:
if (not os.path.isdir(dir)):
@@ -389,6 +429,13 @@ def main():
os.chown(fn, ownerId, groupId)
os.chmod(fn, 0755)
+ write_env_files("RANGER_TAGSYNC_HADOOP_CONF_DIR", hadoop_conf, ENV_HADOOP_CONF_FILE);
+ os.chown(os.path.join(confBaseDirName, ENV_HADOOP_CONF_FILE),ownerId,groupId)
+ os.chmod(os.path.join(confBaseDirName, ENV_HADOOP_CONF_FILE),0755)
+
+ if isfile(hadoop_conf_full_path):
+ os.symlink(hadoop_conf_full_path, tagsync_conf_full_path)
+
print "\nINFO: Completed ranger-tagsync installation.....\n"
main()