Posted to commits@ranger.apache.org by ma...@apache.org on 2015/05/29 05:47:00 UTC
[1/4] incubator-ranger git commit: RANGER-508 knox plugin should not
package libraries that knox server already provides
Repository: incubator-ranger
Updated Branches:
refs/heads/tag-policy 525fd59ce -> 2474fed11
RANGER-508 knox plugin should not package libraries that knox server already provides
Signed-off-by: Dilli Dorai Arumugam <da...@hortonworks.com>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/0d73c38a
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/0d73c38a
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/0d73c38a
Branch: refs/heads/tag-policy
Commit: 0d73c38af9a80c00ff2ddfd7dba09c4b6b914990
Parents: 776533f
Author: Alok Lal <al...@hortonworks.com>
Authored: Wed May 27 20:55:36 2015 -0700
Committer: Dilli Dorai Arumugam <da...@hortonworks.com>
Committed: Wed May 27 22:07:06 2015 -0700
----------------------------------------------------------------------
src/main/assembly/knox-agent.xml | 8 --------
1 file changed, 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/0d73c38a/src/main/assembly/knox-agent.xml
----------------------------------------------------------------------
diff --git a/src/main/assembly/knox-agent.xml b/src/main/assembly/knox-agent.xml
index c8dddc0..85a1d92 100644
--- a/src/main/assembly/knox-agent.xml
+++ b/src/main/assembly/knox-agent.xml
@@ -35,14 +35,6 @@
<outputDirectory>/lib</outputDirectory>
<includes>
<include>commons-configuration:commons-configuration</include>
- <include>org.apache.hadoop:hadoop-common:jar:${hadoop-common.version}</include>
- <include>org.apache.hadoop:hadoop-common-plus</include>
- <include>org.glassfish.jersey.core:jersey-client</include>
- <include>com.google.code.gson:gson*</include>
- <include>org.eclipse.persistence:eclipselink</include>
- <include>org.eclipse.persistence:javax.persistence</include>
- <include>org.apache.httpcomponents:httpclient:jar:${httpcomponent.httpclient.version}</include>
- <include>org.apache.httpcomponents:httpcore:jar:${httpcomponent.httpcore.version}</include>
<include>org.apache.httpcomponents:httpmime:jar:${httpcomponent.httpmime.version}</include>
<include>org.noggit:noggit:jar:${noggit.version}</include>
</includes>
[4/4] incubator-ranger git commit: Merge branch 'master' into
tag-policy
Posted by ma...@apache.org.
Merge branch 'master' into tag-policy
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/2474fed1
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/2474fed1
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/2474fed1
Branch: refs/heads/tag-policy
Commit: 2474fed115430d54be8be95caec5f66703b3c83c
Parents: 525fd59 fb6e94f
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Thu May 28 20:40:45 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Thu May 28 20:40:45 2015 -0700
----------------------------------------------------------------------
.../ranger/services/kms/client/KMSClient.java | 70 +++--
.../java/org/apache/ranger/biz/KmsKeyMgr.java | 291 ++++++++++++++-----
.../org/apache/ranger/biz/ServiceDBStore.java | 25 +-
.../java/org/apache/ranger/rest/XKeyREST.java | 6 +-
src/main/assembly/knox-agent.xml | 8 -
5 files changed, 280 insertions(+), 120 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2474fed1/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
----------------------------------------------------------------------
diff --cc security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 041f032,b259be6..66111ba
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@@ -1792,25 -1756,9 +1792,25 @@@ public class ServiceDBStore extends Abs
serviceDbObj.setPolicyUpdateTime(service.getPolicyUpdateTime());
serviceDao.update(serviceDbObj);
+
+ // if this is a tag service, update all services that refer to this tag service
+ // so that next policy-download from plugins will get updated tag policies
+ boolean isTagService = serviceDbObj.getType() == EmbeddedServiceDefsUtil.instance().getTagServiceDefId();
+ if(isTagService) {
+ List<XXService> referringServices = serviceDao.findByTagServiceId(serviceDbObj.getId());
+
+ if(CollectionUtils.isNotEmpty(referringServices)) {
+ for(XXService referringService : referringServices) {
+ referringService.setPolicyVersion(getNextVersion(referringService.getPolicyVersion()));
+ referringService.setPolicyUpdateTime(service.getPolicyUpdateTime());
+
+ serviceDao.update(referringService);
+ }
+ }
+ }
}
- private void createNewPolicyItemsForPolicy(RangerPolicy policy, XXPolicy xPolicy, List<RangerPolicyItem> policyItems, XXServiceDef xServiceDef) {
+ private void createNewPolicyItemsForPolicy(RangerPolicy policy, XXPolicy xPolicy, List<RangerPolicyItem> policyItems, XXServiceDef xServiceDef) throws Exception {
for (int itemOrder = 0; itemOrder < policyItems.size(); itemOrder++) {
RangerPolicyItem policyItem = policyItems.get(itemOrder);
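Review bot: The tag-service test on the new side, `serviceDbObj.getType() == EmbeddedServiceDefsUtil.instance().getTagServiceDefId()`, uses `==`; if `getType()` is a boxed `Long` and the def id is boxed too, that is a reference comparison that only holds for small cached values, and the propagation to referring services would silently never run. Unless both sides are primitives, prefer `Objects.equals(serviceDbObj.getType(), EmbeddedServiceDefsUtil.instance().getTagServiceDefId())` or unbox explicitly with `.longValue()`. A skipped bump means plugins keep enforcing stale tag policies until some unrelated update, so a debug log when `isTagService` is false but a tag id was expected would also help diagnosis. The enclosing update method starts before this hunk.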
[3/4] incubator-ranger git commit: RANGER-512: fixed policy
create/update to fail when non-existing user or group is specified
Posted by ma...@apache.org.
RANGER-512: fixed policy create/update to fail when non-existing user or group is specified
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/fb6e94f1
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/fb6e94f1
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/fb6e94f1
Branch: refs/heads/tag-policy
Commit: fb6e94f13e674988d7d237211f29a24a80fdc3d4
Parents: d79401b
Author: Madhan Neethiraj <ma...@apache.org>
Authored: Thu May 28 14:28:13 2015 -0700
Committer: Madhan Neethiraj <ma...@apache.org>
Committed: Thu May 28 20:27:57 2015 -0700
----------------------------------------------------------------------
.../org/apache/ranger/biz/ServiceDBStore.java | 25 ++++++--------------
1 file changed, 7 insertions(+), 18 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fb6e94f1/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index 2c9ceff..b259be6 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -1758,7 +1758,7 @@ public class ServiceDBStore implements ServiceStore {
serviceDao.update(serviceDbObj);
}
- private void createNewPolicyItemsForPolicy(RangerPolicy policy, XXPolicy xPolicy, List<RangerPolicyItem> policyItems, XXServiceDef xServiceDef) {
+ private void createNewPolicyItemsForPolicy(RangerPolicy policy, XXPolicy xPolicy, List<RangerPolicyItem> policyItems, XXServiceDef xServiceDef) throws Exception {
for (int itemOrder = 0; itemOrder < policyItems.size(); itemOrder++) {
RangerPolicyItem policyItem = policyItems.get(itemOrder);
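Review bot: Declaring `throws Exception` and throwing `new Exception(...)` for what are caller-input validation failures (unknown access type, user, group, condition, resource) gives the REST layer no way to tell a bad request from an internal failure, so these will most likely surface as a generic 500 rather than a 400 carrying the message. A dedicated unchecked type, or at least `IllegalArgumentException`, would let the caller map it: `throw new IllegalArgumentException(access.getType() + ": is not a valid access-type. policy='" + policy.getName() + "' service='" + policy.getService() + "'");`. The body of createNewPolicyItemsForPolicy continues past this hunk.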
@@ -1778,9 +1778,7 @@ public class ServiceDBStore implements ServiceStore {
.findByNameAndServiceId(access.getType(),
xPolicy.getService());
if (xAccTypeDef == null) {
- LOG.info("One of given accessType is not valid for this policy. access: "
- + access.getType() + ", Ignoring this access");
- continue;
+ throw new Exception(access.getType() + ": is not a valid access-type. policy='"+ policy.getName() + "' service='"+ policy.getService() + "'");
}
XXPolicyItemAccess xPolItemAcc = new XXPolicyItemAccess();
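Review bot: Throwing from inside the policy-item loop leaves whatever earlier iterations already persisted (the `xPolicyItem` rows and their access/user/group rows) in the database unless the calling create/update path runs in one transaction that is rolled back on the exception; that caller is outside this hunk, so please confirm it is transactional. If it is not, a policy with one bad access type is half-written, which is worse than the old silently-dropped entry because the stored policy no longer matches what the admin submitted and nothing reports that. A cheap alternative is a separate validation pass over all items against the service definition before any row is created.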
@@ -1799,9 +1797,7 @@ public class ServiceDBStore implements ServiceStore {
XXUser xUser = daoMgr.getXXUser().findByUserName(user);
if(xUser == null) {
- LOG.info("User does not exists with username: "
- + user + ", Ignoring permissions given to this user for policy");
- continue;
+ throw new Exception(user + ": user does not exist. policy='"+ policy.getName() + "' service='"+ policy.getService() + "'");
}
XXPolicyItemUserPerm xUserPerm = new XXPolicyItemUserPerm();
xUserPerm = (XXPolicyItemUserPerm) rangerAuditFields.populateAuditFields(xUserPerm, xPolicyItem);
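Review bot: The new exception message embeds the caller-supplied user name and policy name verbatim, and that string is presumably what the REST layer returns to the admin UI; if the response is ever rendered as HTML, these values need escaping at the presentation boundary, so it is worth confirming the error path does that rather than relying on the message staying plain text. Including the offending value is the right call for diagnosability, just keep the message structured, e.g. `throw new IllegalArgumentException("user does not exist: '" + user + "' (policy='" + policy.getName() + "', service='" + policy.getService() + "')");`. Note also that if `findByUserName(user)` is case-sensitive, a case variant of an existing user now fails the whole policy where it was previously dropped; that may be intended but is a visible behavior change.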
@@ -1817,9 +1813,7 @@ public class ServiceDBStore implements ServiceStore {
XXGroup xGrp = daoMgr.getXXGroup().findByGroupName(group);
if(xGrp == null) {
- LOG.info("Group does not exists with groupName: "
- + group + ", Ignoring permissions given to this group for policy");
- continue;
+ throw new Exception(group + ": group does not exist. policy='"+ policy.getName() + "' service='"+ policy.getService() + "'");
}
XXPolicyItemGroupPerm xGrpPerm = new XXPolicyItemGroupPerm();
xGrpPerm = (XXPolicyItemGroupPerm) rangerAuditFields.populateAuditFields(xGrpPerm, xPolicyItem);
@@ -1836,10 +1830,7 @@ public class ServiceDBStore implements ServiceStore {
xServiceDef.getId(), condition.getType());
if(xPolCond == null) {
- LOG.info("PolicyCondition is not valid, condition: "
- + condition.getType()
- + ", Ignoring creation of this policy condition");
- continue;
+ throw new Exception(condition.getType() + ": is not a valid condition-type. policy='"+ policy.getName() + "' service='"+ policy.getService() + "'");
}
for(int i = 0; i < condition.getValues().size(); i++) {
@@ -1856,7 +1847,7 @@ public class ServiceDBStore implements ServiceStore {
}
}
- private void createNewResourcesForPolicy(RangerPolicy policy, XXPolicy xPolicy, Map<String, RangerPolicyResource> resources) {
+ private void createNewResourcesForPolicy(RangerPolicy policy, XXPolicy xPolicy, Map<String, RangerPolicyResource> resources) throws Exception {
for (Entry<String, RangerPolicyResource> resource : resources.entrySet()) {
RangerPolicyResource policyRes = resource.getValue();
@@ -1864,9 +1855,7 @@ public class ServiceDBStore implements ServiceStore {
XXResourceDef xResDef = daoMgr.getXXResourceDef()
.findByNameAndPolicyId(resource.getKey(), policy.getId());
if (xResDef == null) {
- LOG.info("No Such Resource found, resourceName : "
- + resource.getKey() + ", Ignoring this resource.");
- continue;
+ throw new Exception(resource.getKey() + ": is not a valid resource-type. policy='"+ policy.getName() + "' service='"+ policy.getService() + "'");
}
XXPolicyResource xPolRes = new XXPolicyResource();
[2/4] incubator-ranger git commit: KMS keys listing throws
authentication required error in secure cluster
Posted by ma...@apache.org.
KMS keys listing throws authentication required error in secure cluster
Signed-off-by: Velmurugan Periasamy <ve...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/d79401bb
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/d79401bb
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/d79401bb
Branch: refs/heads/tag-policy
Commit: d79401bb429754ef9d4203f6c78c28606c922ccb
Parents: 0d73c38
Author: Gautam Borad <gb...@gmail.com>
Authored: Tue May 26 16:47:57 2015 +0530
Committer: Velmurugan Periasamy <ve...@apache.org>
Committed: Thu May 28 21:18:24 2015 -0400
----------------------------------------------------------------------
.../ranger/services/kms/client/KMSClient.java | 70 +++--
.../java/org/apache/ranger/biz/KmsKeyMgr.java | 291 ++++++++++++++-----
.../java/org/apache/ranger/rest/XKeyREST.java | 6 +-
3 files changed, 273 insertions(+), 94 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d79401bb/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
----------------------------------------------------------------------
diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
index 59fa634..c67584e 100755
--- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
@@ -24,14 +24,17 @@ import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
+import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
-import java.util.regex.Pattern;
+import javax.security.auth.Subject;
import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.security.HadoopKerberosName;
import org.apache.hadoop.security.ProviderUtils;
+import org.apache.hadoop.security.SecureClientLogin;
import org.apache.log4j.Logger;
import org.apache.ranger.plugin.client.BaseClient;
import org.apache.ranger.plugin.client.HadoopException;
@@ -43,6 +46,8 @@ import com.google.gson.GsonBuilder;
import com.sun.jersey.api.client.Client;
import com.sun.jersey.api.client.ClientResponse;
import com.sun.jersey.api.client.WebResource;
+import com.sun.jersey.api.client.config.ClientConfig;
+import com.sun.jersey.api.client.config.DefaultClientConfig;
public class KMSClient {
@@ -50,7 +55,7 @@ public class KMSClient {
private static final String EXPECTED_MIME_TYPE = "application/json";
- private static final String KMS_LIST_API_ENDPOINT = "v1/keys/names?user.name=${userName}"; // GET
+ private static final String KMS_LIST_API_ENDPOINT = "v1/keys/names"; // GET
private static final String errMessage = " You can still save the repository and start creating "
+ "policies, but you would not be able to use autocomplete for "
@@ -64,7 +69,6 @@ public class KMSClient {
this.provider = provider;
this.username = username;
this.password = password;
-
if (LOG.isDebugEnabled()) {
LOG.debug("Kms Client is build with url [" + provider + "] user: ["
+ username + "]");
@@ -137,24 +141,42 @@ public class KMSClient {
for (int i = 0; i < providers.length; i++) {
lret = new ArrayList<String>();
if (LOG.isDebugEnabled()) {
- LOG.debug("Getting Kms Key list for keyNameMatching : "
- + keyNameMatching);
+ LOG.debug("Getting Kms Key list for keyNameMatching : " + keyNameMatching);
}
- String keyLists = KMS_LIST_API_ENDPOINT.replaceAll(
- Pattern.quote("${userName}"), username);
- String uri = providers[i]
- + (providers[i].endsWith("/") ? keyLists : ("/" + keyLists));
+ String uri = providers[i] + (providers[i].endsWith("/") ? KMS_LIST_API_ENDPOINT : ("/" + KMS_LIST_API_ENDPOINT));
Client client = null;
ClientResponse response = null;
-
+ boolean isKerberose = false;
try {
- client = Client.create();
-
- WebResource webResource = client.resource(uri);
-
- response = webResource.accept(EXPECTED_MIME_TYPE).get(
- ClientResponse.class);
-
+ ClientConfig cc = new DefaultClientConfig();
+ cc.getProperties().put(ClientConfig.PROPERTY_FOLLOW_REDIRECTS, true);
+ client = Client.create(cc);
+
+ if(username.contains("@")){
+ isKerberose = true;
+ }
+
+ if(!isKerberose){
+ uri = uri.concat("?user.name="+username);
+ WebResource webResource = client.resource(uri);
+ response = webResource.accept(EXPECTED_MIME_TYPE).get(ClientResponse.class);
+ }else{
+ String shortName = new HadoopKerberosName(username).getShortName();
+ uri = uri.concat("?doAs="+shortName);
+ Subject sub = new Subject();
+ if (username.contains("@")) {
+ sub = SecureClientLogin.loginUserWithPassword(username, password);
+ } else {
+ sub = SecureClientLogin.login(username);
+ }
+ final WebResource webResource = client.resource(uri);
+ response = Subject.doAs(sub, new PrivilegedAction<ClientResponse>() {
+ @Override
+ public ClientResponse run() {
+ return webResource.accept(EXPECTED_MIME_TYPE).get(ClientResponse.class);
+ }
+ });
+ }
if (LOG.isDebugEnabled()) {
LOG.debug("getKeyList():calling " + uri);
}
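Review bot: Both query strings are built by plain concatenation, `uri.concat("?user.name="+username)` and `uri.concat("?doAs="+shortName)`, with no URL encoding, so a service username containing `&`, `#` or a space changes or breaks the request; encode the value first, `uri = uri.concat("?doAs=" + URLEncoder.encode(shortName, "UTF-8"));`. The inner `if (username.contains("@"))` before the login is redundant: this branch is only reached when `isKerberose` is true, which is exactly that condition, so the `SecureClientLogin.login(username)` path is dead and the `new Subject()` allocated before it is discarded. That makes keytab-style login for a principal without a password unreachable here, which may or may not be intended. The `for` loop over providers begins before this hunk and the response handling continues after it.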
@@ -192,12 +214,22 @@ public class KMSClient {
LOG.info("getKeyList():response.getStatus()= "
+ response.getStatus() + " for URL " + uri
+ ", so returning null list");
- return lret;
+ String msgDesc = response.getEntity(String.class);
+ HadoopException hdpException = new HadoopException(msgDesc);
+ hdpException.generateResponseDataMap(false, msgDesc,
+ msgDesc + errMsg, null, null);
+ lret = null;
+ throw hdpException;
} else if (response.getStatus() == 403) {
LOG.info("getKeyList():response.getStatus()= "
+ response.getStatus() + " for URL " + uri
+ ", so returning null list");
- return lret;
+ String msgDesc = response.getEntity(String.class);
+ HadoopException hdpException = new HadoopException(msgDesc);
+ hdpException.generateResponseDataMap(false, msgDesc,
+ msgDesc + errMsg, null, null);
+ lret = null;
+ throw hdpException;
} else {
LOG.info("getKeyList():response.getStatus()= "
+ response.getStatus() + " for URL " + uri
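Review bot: `lret = null;` immediately before each `throw hdpException` is dead, since the method never returns after the throw, and the exception message is the raw response entity, which for a secured KMS behind Tomcat is an HTML error page that the REST layer later string-matches on. Carrying the numeric status in the exception (a status argument to `generateResponseDataMap`, or a field on `HadoopException`) would be more robust than parsing body text, and would let the caller bound how much of an untrusted upstream body is echoed back to the admin UI. The two branches are identical apart from the status value and could collapse into one `if (status == 401 || status == 403)`. The enclosing `getKeyList` continues outside this hunk.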
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d79401bb/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
index 7446d1e..7854f4b 100755
--- a/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
@@ -24,12 +24,14 @@ import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
+import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
+import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.core.MediaType;
@@ -40,13 +42,19 @@ import org.apache.commons.collections.PredicateUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.ProviderUtils;
+import org.apache.hadoop.security.SecureClientLogin;
+import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.log4j.Logger;
import org.apache.ranger.common.ContextUtil;
import org.apache.ranger.common.MessageEnums;
+import org.apache.ranger.common.PasswordUtils;
import org.apache.ranger.common.RESTErrorUtil;
import org.apache.ranger.common.RangerConfigUtil;
import org.apache.ranger.common.SortField;
import org.apache.ranger.common.StringUtil;
+import org.apache.ranger.db.RangerDaoManagerBase;
+import org.apache.ranger.entity.XXService;
+import org.apache.ranger.entity.XXServiceConfigMap;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.util.KeySearchFilter;
import org.apache.ranger.view.VXKmsKey;
@@ -68,12 +76,14 @@ public class KmsKeyMgr {
static final Logger logger = Logger.getLogger(KmsKeyMgr.class);
- private static final String KMS_KEY_LIST_URI = "v1/keys/names?user.name=${userName}"; //GET
- private static final String KMS_ADD_KEY_URI = "v1/keys?user.name=${userName}"; //POST
- private static final String KMS_ROLL_KEY_URI = "v1/key/${alias}?user.name=${userName}"; //POST
- private static final String KMS_DELETE_KEY_URI = "v1/key/${alias}?user.name=${userName}"; //DELETE
- private static final String KMS_KEY_METADATA_URI = "v1/key/${alias}/_metadata?user.name=${userName}"; //GET
+ private static final String KMS_KEY_LIST_URI = "v1/keys/names"; //GET
+ private static final String KMS_ADD_KEY_URI = "v1/keys"; //POST
+ private static final String KMS_ROLL_KEY_URI = "v1/key/${alias}"; //POST
+ private static final String KMS_DELETE_KEY_URI = "v1/key/${alias}"; //DELETE
+ private static final String KMS_KEY_METADATA_URI = "v1/key/${alias}/_metadata"; //GET
private static final String KMS_URL_CONFIG = "provider";
+ private static final String KMS_PASSWORD = "password";
+ private static final String KMS_USERNAME = "username";
private static Map<String, String> providerList = new HashMap<String, String>();
private static int nextProvider = 0;
@@ -86,8 +96,11 @@ public class KmsKeyMgr {
@Autowired
RangerConfigUtil configUtil;
+ @Autowired
+ RangerDaoManagerBase rangerDaoManagerBase;
+
@SuppressWarnings("unchecked")
- public VXKmsKeyList searchKeys(String repoName){
+ public VXKmsKeyList searchKeys(String repoName) throws Exception{
String providers[] = null;
try {
providers = getKMSURL(repoName);
@@ -98,6 +111,12 @@ public class KmsKeyMgr {
VXKmsKeyList vxKmsKeyList = new VXKmsKeyList();
List<String> keys = null;
String connProvider = null;
+ boolean isKerberos=false;
+ try {
+ isKerberos = checkKerberos(repoName);
+ } catch (Exception e1) {
+ logger.error("checkKerberos(" + repoName + ") failed", e1);
+ }
for (int i = 0; i < providers.length; i++) {
Client c = getClient();
String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
@@ -105,15 +124,28 @@ public class KmsKeyMgr {
Pattern.quote("${userName}"), currentUserLoginId);
connProvider = providers[i];
String uri = providers[i]
- + (providers[i].endsWith("/") ? keyLists : ("/" + keyLists));
-
- WebResource r = c.resource(uri);
+ + (providers[i].endsWith("/") ? keyLists : ("/" + keyLists));
+ if(!isKerberos){
+ uri = uri.concat("?user.name="+currentUserLoginId);
+ }else{
+ uri = uri.concat("?doAs="+currentUserLoginId);
+ }
+ final WebResource r = c.resource(uri);
try {
- String response = r.accept(MediaType.APPLICATION_JSON_TYPE)
- .get(String.class);
+ String response = null;
+ if(!isKerberos){
+ response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class);
+ }else{
+ Subject sub = getSubjectForKerberos(repoName, currentUserLoginId);
+ response = Subject.doAs(sub, new PrivilegedAction<String>() {
+ @Override
+ public String run() {
+ return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class);
+ }
+ });
+ }
Gson gson = new GsonBuilder().create();
logger.debug(" Search Key RESPONSE: [" + response + "]");
-
keys = gson.fromJson(response, List.class);
break;
} catch (Exception e) {
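Review bot: The `replaceAll(Pattern.quote("${userName}"), currentUserLoginId)` at the top of the loop is now a no-op, because `KMS_KEY_LIST_URI` no longer contains `${userName}` on the new side, so `keyLists` always equals the constant and that substitution should be dropped to avoid suggesting the user is still part of the path. The login id is then appended unencoded as `?user.name=` or `?doAs=`; it is the Ranger session user rather than admin-typed config, so the risk is low, but `URLEncoder.encode(currentUserLoginId, "UTF-8")` keeps the request well-formed for ids with reserved characters. The `catch` that begins on the last line continues outside this hunk.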
@@ -125,7 +157,7 @@ public class KmsKeyMgr {
}
if (keys != null && keys.size() > 0) {
for (String name : keys) {
- VXKmsKey key = getKeyFromUri(connProvider, name);
+ VXKmsKey key = getKeyFromUri(connProvider, name, isKerberos, repoName);
vXKeys.add(key);
}
vxKmsKeyList.setResultSize(vXKeys.size());
@@ -137,31 +169,46 @@ public class KmsKeyMgr {
return vxKmsKeyList;
}
- public VXKmsKey rolloverKey(String provider, VXKmsKey vXKey){
+ public VXKmsKey rolloverKey(String provider, VXKmsKey vXKey) throws Exception{
String providers[] = null;
try {
providers = getKMSURL(provider);
} catch (Exception e) {
- logger.error("rolloverKey(" + provider + ", " + vXKey.getName()
- + ") failed", e);
+ logger.error("rolloverKey(" + provider + ", " + vXKey.getName() + ") failed", e);
}
VXKmsKey ret = null;
+ boolean isKerberos=false;
+ try {
+ isKerberos = checkKerberos(provider);
+ } catch (Exception e1) {
+ logger.error("checkKerberos(" + provider + ") failed", e1);
+ }
for (int i = 0; i < providers.length; i++) {
Client c = getClient();
- String rollRest = KMS_ROLL_KEY_URI.replaceAll(
- Pattern.quote("${alias}"), vXKey.getName());
- String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
- rollRest = rollRest.replaceAll(Pattern.quote("${userName}"),
- currentUserLoginId);
- String uri = providers[i]
- + (providers[i].endsWith("/") ? rollRest : ("/" + rollRest));
- WebResource r = c.resource(uri);
+ String rollRest = KMS_ROLL_KEY_URI.replaceAll(Pattern.quote("${alias}"), vXKey.getName());
+ String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
+ String uri = providers[i] + (providers[i].endsWith("/") ? rollRest : ("/" + rollRest));
+ if(!isKerberos){
+ uri = uri.concat("?user.name="+currentUserLoginId);
+ }else{
+ uri = uri.concat("?doAs="+currentUserLoginId);
+ }
+ final WebResource r = c.resource(uri);
Gson gson = new GsonBuilder().create();
- String jsonString = gson.toJson(vXKey);
+ final String jsonString = gson.toJson(vXKey);
try {
- String response = r.accept(MediaType.APPLICATION_JSON_TYPE)
- .type(MediaType.APPLICATION_JSON_TYPE)
- .post(String.class, jsonString);
+ String response = null;
+ if(!isKerberos){
+ response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString);}
+ else{
+ Subject sub = getSubjectForKerberos(provider, currentUserLoginId);
+ response = Subject.doAs(sub, new PrivilegedAction<String>() {
+ @Override
+ public String run() {
+ return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString);
+ }
+ });
+ }
logger.debug("Roll RESPONSE: [" + response + "]");
ret = gson.fromJson(response, VXKmsKey.class);
break;
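Review bot: `KMS_ROLL_KEY_URI.replaceAll(Pattern.quote("${alias}"), vXKey.getName())` passes the caller-supplied alias as a regex replacement string, so a name containing `$` or `\` is read as a group reference and either throws `IllegalArgumentException` or mangles the path; no regex is needed here, so use `String rollRest = KMS_ROLL_KEY_URI.replace("${alias}", vXKey.getName());`. The alias also lands in the URL path unencoded, so a value containing `/`, `?` or `..` addresses a different resource than the one the admin named; validating it against the key-name charset KMS accepts, or encoding it, before building the URI closes that. The same pattern is repeated in `deleteKey` and `getKey`. The surrounding `catch` and return lie outside this hunk.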
@@ -174,27 +221,44 @@ public class KmsKeyMgr {
}
return ret;
}
-
- public void deleteKey(String provider, String name){
+
+ public void deleteKey(String provider, String name) throws Exception{
String providers[] = null;
try {
providers = getKMSURL(provider);
} catch (Exception e) {
logger.error("deleteKey(" + provider + ", " + name + ") failed", e);
}
+ boolean isKerberos=false;
+ try {
+ isKerberos = checkKerberos(provider);
+ } catch (Exception e1) {
+ logger.error("checkKerberos(" + provider + ") failed", e1);
+ }
for (int i = 0; i < providers.length; i++) {
Client c = getClient();
- String deleteRest = KMS_DELETE_KEY_URI.replaceAll(
- Pattern.quote("${alias}"), name);
- String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
- deleteRest = deleteRest.replaceAll(Pattern.quote("${userName}"),
- currentUserLoginId);
- String uri = providers[i]
- + (providers[i].endsWith("/") ? deleteRest
- : ("/" + deleteRest));
- WebResource r = c.resource(uri);
+ String deleteRest = KMS_DELETE_KEY_URI.replaceAll(Pattern.quote("${alias}"), name);
+ String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
+ String uri = providers[i] + (providers[i].endsWith("/") ? deleteRest : ("/" + deleteRest));
+ if(!isKerberos){
+ uri = uri.concat("?user.name="+currentUserLoginId);
+ }else{
+ uri = uri.concat("?doAs="+currentUserLoginId);
+ }
+ final WebResource r = c.resource(uri);
try {
- String response = r.delete(String.class) ;
+ String response = null;
+ if(!isKerberos){
+ response = r.delete(String.class) ;
+ }else{
+ Subject sub = getSubjectForKerberos(provider, currentUserLoginId);
+ response = Subject.doAs(sub, new PrivilegedAction<String>() {
+ @Override
+ public String run() {
+ return r.delete(String.class);
+ }
+ });
+ }
logger.debug("delete RESPONSE: [" + response + "]") ;
break;
} catch (Exception e) {
@@ -206,7 +270,7 @@ public class KmsKeyMgr {
}
}
- public VXKmsKey createKey(String provider, VXKmsKey vXKey){
+ public VXKmsKey createKey(String provider, VXKmsKey vXKey) throws Exception{
String providers[] = null;
try {
providers = getKMSURL(provider);
@@ -215,21 +279,37 @@ public class KmsKeyMgr {
+ ") failed", e);
}
VXKmsKey ret = null;
+ boolean isKerberos=false;
+ try {
+ isKerberos = checkKerberos(provider);
+ } catch (Exception e1) {
+ logger.error("checkKerberos(" + provider + ") failed", e1);
+ }
for (int i = 0; i < providers.length; i++) {
Client c = getClient();
- String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
- String createRest = KMS_ADD_KEY_URI.replaceAll(
- Pattern.quote("${userName}"), currentUserLoginId);
- String uri = providers[i]
- + (providers[i].endsWith("/") ? createRest
- : ("/" + createRest));
- WebResource r = c.resource(uri);
+ String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
+ String uri = providers[i] + (providers[i].endsWith("/") ? KMS_ADD_KEY_URI : ("/" + KMS_ADD_KEY_URI));
+ if(!isKerberos){
+ uri = uri.concat("?user.name="+currentUserLoginId);
+ }else{
+ uri = uri.concat("?doAs="+currentUserLoginId);
+ }
+ final WebResource r = c.resource(uri);
Gson gson = new GsonBuilder().create();
- String jsonString = gson.toJson(vXKey);
+ final String jsonString = gson.toJson(vXKey);
try {
- String response = r.accept(MediaType.APPLICATION_JSON_TYPE)
- .type(MediaType.APPLICATION_JSON_TYPE)
- .post(String.class, jsonString);
+ String response = null;
+ if(!isKerberos){
+ response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString);
+ }else{
+ Subject sub = getSubjectForKerberos(provider, currentUserLoginId);
+ response = Subject.doAs(sub, new PrivilegedAction<String>() {
+ @Override
+ public String run() {
+ return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString);
+ }
+ });
+ }
logger.debug("Create RESPONSE: [" + response + "]");
ret = gson.fromJson(response, VXKmsKey.class);
return ret;
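Review bot: When `checkKerberos(provider)` throws, the failure is only logged and `isKerberos` stays `false`, so the create proceeds with `?user.name=` pseudo-authentication against a KMS that may in fact be Kerberized; it will then fail downstream with a less informative 401, or, if the KMS were misconfigured to accept it, succeed under a different identity than intended. Since the failure means the service configuration could not be read at all, it is safer to propagate it, `isKerberos = checkKerberos(provider);` with the surrounding `try/catch` removed, letting the declared `throws Exception` carry it. The same swallowed lookup appears in the other four methods touched by this change.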
@@ -243,26 +323,43 @@ public class KmsKeyMgr {
return ret;
}
- public VXKmsKey getKey(String provider, String name){
+ public VXKmsKey getKey(String provider, String name) throws Exception{
String providers[] = null;
try {
providers = getKMSURL(provider);
} catch (Exception e) {
logger.error("getKey(" + provider + ", " + name + ") failed", e);
}
+ boolean isKerberos=false;
+ try {
+ isKerberos = checkKerberos(provider);
+ } catch (Exception e1) {
+ logger.error("checkKerberos(" + provider + ") failed", e1);
+ }
for (int i = 0; i < providers.length; i++) {
Client c = getClient();
- String keyRest = KMS_KEY_METADATA_URI.replaceAll(
- Pattern.quote("${alias}"), name);
- String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
- keyRest = keyRest.replaceAll(Pattern.quote("${userName}"),
- currentUserLoginId);
- String uri = providers[i]
- + (providers[i].endsWith("/") ? keyRest : ("/" + keyRest));
- WebResource r = c.resource(uri);
+ String keyRest = KMS_KEY_METADATA_URI.replaceAll(Pattern.quote("${alias}"), name);
+ String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
+ String uri = providers[i] + (providers[i].endsWith("/") ? keyRest : ("/" + keyRest));
+ if(!isKerberos){
+ uri = uri.concat("?user.name="+currentUserLoginId);
+ }else{
+ uri = uri.concat("?doAs="+currentUserLoginId);
+ }
+ final WebResource r = c.resource(uri);
try {
- String response = r.accept(MediaType.APPLICATION_JSON_TYPE)
- .get(String.class);
+ String response = null;
+ if(!isKerberos){
+ response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class);
+ }else{
+ Subject sub = getSubjectForKerberos(provider, currentUserLoginId);
+ response = Subject.doAs(sub, new PrivilegedAction<String>() {
+ @Override
+ public String run() {
+ return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class);
+ }
+ });
+ }
Gson gson = new GsonBuilder().create();
logger.debug("RESPONSE: [" + response + "]");
VXKmsKey key = gson.fromJson(response, VXKmsKey.class);
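Review bot: This is the fifth copy of the same block — decide `isKerberos`, append `user.name` or `doAs`, then either call Jersey directly or wrap the call in `Subject.doAs` with a freshly obtained subject — and each copy differs only in the request expression. Extracting the dispatch into one helper keeps the Kerberos handling in a single place, so fixes such as encoding or subject caching get applied once rather than five times. The remainder of getKey, including its `catch`, lies outside this hunk.
```java
/** Runs the given KMS request directly or, for a Kerberized repo, as the configured service principal. */
private <T> T runAsKmsUser(String repoName, boolean isKerberos, String currentUserLoginId, final PrivilegedAction<T> call) throws Exception {
    if (!isKerberos) {
        return call.run();
    }
    Subject sub = getSubjectForKerberos(repoName, currentUserLoginId);
    return Subject.doAs(sub, call);
}

// … in getKey, replacing the if/else around the GET:
String response = runAsKmsUser(provider, isKerberos, currentUserLoginId, new PrivilegedAction<String>() {
    @Override
    public String run() {
        return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class);
    }
});
```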
@@ -277,16 +374,29 @@ public class KmsKeyMgr {
return null;
}
- public VXKmsKey getKeyFromUri(String provider, String name) {
+ public VXKmsKey getKeyFromUri(String provider, String name, boolean isKerberos, String repoName) throws Exception {
Client c = getClient();
- String keyRest = KMS_KEY_METADATA_URI.replaceAll(
- Pattern.quote("${alias}"), name);
- String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
- keyRest = keyRest.replaceAll(Pattern.quote("${userName}"),
- currentUserLoginId);
+ String keyRest = KMS_KEY_METADATA_URI.replaceAll(Pattern.quote("${alias}"), name);
+ String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
String uri = provider + (provider.endsWith("/") ? keyRest : ("/" + keyRest));
- WebResource r = c.resource(uri);
- String response = r.accept(MediaType.APPLICATION_JSON_TYPE).get(String.class);
+ if(!isKerberos){
+ uri = uri.concat("?user.name="+currentUserLoginId);
+ }else{
+ uri = uri.concat("?doAs="+currentUserLoginId);
+ }
+ final WebResource r = c.resource(uri);
+ String response = null;
+ if(!isKerberos){
+ response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class);
+ }else{
+ Subject sub = getSubjectForKerberos(repoName, currentUserLoginId);
+ response = Subject.doAs(sub, new PrivilegedAction<String>() {
+ @Override
+ public String run() {
+ return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class);
+ }
+ });
+ }
Gson gson = new GsonBuilder().create();
logger.debug("RESPONSE: [" + response + "]");
VXKmsKey key = gson.fromJson(response, VXKmsKey.class);
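Review bot: `getSubjectForKerberos(repoName, currentUserLoginId)` is called on every invocation, and `searchKeys` calls this method once per key name, so listing N keys performs N separate password-based Kerberos logins, each also decrypting the stored password through `getKMSPassword`. Beyond the latency, that is N AS-REQ exchanges with the KDC per listing, which a KDC may throttle or flag as suspicious. Obtain the `Subject` once in `searchKeys` and pass it in, or cache it per repository with re-login on failure; this metadata GET is the natural place to take the hoisted subject as a parameter.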
@@ -360,7 +470,7 @@ public class KmsKeyMgr {
providerNext = providerNext+";";
}
}
- for(int i=0; i<nextProvider; i++){
+ for(int i=0; i<nextProvider && i<hosts.length; i++){
providerNext = providerNext+";"+hosts[i];
}
if(nextProvider != hosts.length-1){
@@ -381,6 +491,43 @@ public class KmsKeyMgr {
}
return providers;
}
+
+ private Subject getSubjectForKerberos(String provider, String currentUserLoginId) throws Exception{
+ String userName = getKMSUserName(provider);
+ String password = getKMSPassword(provider);
+ if (KerberosName.getRules() == null) {
+ KerberosName.setRules("DEFAULT") ;
+ }
+ Subject sub = new Subject();
+ if (userName.contains("@")) {
+ sub = SecureClientLogin.loginUserWithPassword(userName, password);
+ } else {
+ sub = SecureClientLogin.login(userName);
+ }
+ return sub;
+ }
+
+ private String getKMSPassword(String srvName) throws Exception {
+ XXService rangerService = rangerDaoManagerBase.getXXService().findByName(srvName);
+ XXServiceConfigMap xxConfigMap = rangerDaoManagerBase.getXXServiceConfigMap().findByServiceAndConfigKey(rangerService.getId(), KMS_PASSWORD);
+ String encryptedPwd = xxConfigMap.getConfigvalue();
+ String pwd = PasswordUtils.decryptPassword(encryptedPwd);
+ return pwd;
+ }
+
+ private String getKMSUserName(String srvName) throws Exception {
+ RangerService rangerService = null;
+ rangerService = svcStore.getServiceByName(srvName);
+ return rangerService.getConfigs().get(KMS_USERNAME);
+ }
+
+ private boolean checkKerberos(String provider) throws Exception {
+ String userName = getKMSUserName(provider);
+ if(userName.contains("@")){
+ return true;
+ }
+ return false;
+ }
private synchronized Client getClient() {
Client ret = null;
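Review bot: `getKMSPassword` dereferences the results of `findByName(srvName)` and `findByServiceAndConfigKey(...)` without null checks, and `checkKerberos` calls `userName.contains("@")` on a possibly absent `username` config, so a repository missing either setting fails with a bare `NullPointerException` instead of naming the missing key; a guard such as `if (xxConfigMap == null) throw new Exception("KMS repository '" + srvName + "' has no '" + KMS_PASSWORD + "' configured");` makes the misconfiguration diagnosable. `KerberosName.setRules("DEFAULT")` mutates JVM-global static state from a request path; if the admin JVM elsewhere loads `hadoop.security.auth_to_local`, doing this lazily here can race with or override it, so it belongs in one-time startup initialization. In `getSubjectForKerberos` the `new Subject()` is discarded and the `else` branch is unreachable, because callers only get here when `checkKerberos`, i.e. `contains("@")`, was true. `getClient` begins on the last line of this hunk and continues outside it.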
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d79401bb/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java
index 379ea3c..7845b86 100755
--- a/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java
@@ -199,11 +199,11 @@ public class XKeyREST {
}
if(!(message==null) && !(message.isEmpty()) && message.contains("Connection refused")){
message = "Connection refused : Please check the KMS provider URL and whether the Ranger KMS is running";
- }else if(!(message==null) && !(message.isEmpty()) && message.contains("response status of 403")){
+ }else if(!(message==null) && !(message.isEmpty()) && (message.contains("response status of 403") || message.contains("HTTP Status 403"))){
message = UNAUTHENTICATED_MSG;
- }else if(!(message==null) && !(message.isEmpty()) && message.contains("response status of 401")){
+ }else if(!(message==null) && !(message.isEmpty()) && (message.contains("response status of 401") || message.contains("HTTP Status 401 - Authentication required"))){
message = UNAUTHENTICATED_MSG;
- }
+ }
throw restErrorUtil.createRESTException(message, MessageEnums.ERROR_SYSTEM);
}
}
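Review bot: Matching `message.contains("HTTP Status 401 - Authentication required")` ties the error mapping to the exact English text of Tomcat's HTML error page, which varies by container version and locale, and on a miss the code falls through to passing the unmatched upstream message straight to the client in `createRESTException(message, ...)`. Propagating the numeric status from the KMS client (for example a status field on `HadoopException`) and mapping on `status == 401 || status == 403` would be stable across containers. Whatever is not matched is, as the code stands, the raw upstream body, so bounding its length and confirming the UI renders it as text rather than HTML avoids echoing an untrusted server's page into the admin console. The enclosing method starts before this hunk.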