Posted to commits@hawq.apache.org by wl...@apache.org on 2017/06/07 03:25:29 UTC
incubator-hawq git commit: HAWQ-1477. Implement Ranger plugin service
connect to Ranger admin via kerberos.
Repository: incubator-hawq
Updated Branches:
refs/heads/master 3b55bfd67 -> 721f90ff1
HAWQ-1477. Implement Ranger plugin service connect to Ranger admin via kerberos.
Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq/commit/721f90ff
Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq/tree/721f90ff
Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq/diff/721f90ff
Branch: refs/heads/master
Commit: 721f90ff1604edc1bf0a2fc1749b9d7c2fe85804
Parents: 3b55bfd
Author: interma <in...@outlook.com>
Authored: Wed May 31 15:02:18 2017 +0800
Committer: Wen Lin <wl...@pivotal.io>
Committed: Wed Jun 7 11:24:08 2017 +0800
----------------------------------------------------------------------
ranger-plugin/conf/rps.properties | 11 +++++
ranger-plugin/pom.xml | 5 +++
ranger-plugin/service/pom.xml | 4 ++
.../authorization/RangerHawqPluginResource.java | 44 +++++++++++++++++++-
.../apache/hawq/ranger/authorization/Utils.java | 39 +++++++++++++++++
5 files changed, 101 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/721f90ff/ranger-plugin/conf/rps.properties
----------------------------------------------------------------------
diff --git a/ranger-plugin/conf/rps.properties b/ranger-plugin/conf/rps.properties
index 7565885..2ef4507 100644
--- a/ranger-plugin/conf/rps.properties
+++ b/ranger-plugin/conf/rps.properties
@@ -39,3 +39,14 @@ CATALINA_HOME=${CATALINA_HOME:-/usr/lib/bigtop-tomcat}
# use JAVA_HOME in default and use /usr/java/default if JAVA_HOME not set
JAVA_HOME=${JAVA_HOME:-/usr/java/default}
+
+# RPS connect to RangerAdmin authentication type: simple or kerberos
+RPS_AUTH=simple
+
+# kerberos client principal, e.g. postgres
+# can set empty (use the current kinit context)
+RPS_PRINCIPAL=
+
+# kerberos client keytab file, e.g. /etc/security/keytabs/hawq.service.keytab
+# can set empty (use the current kinit context)
+RPS_KEYTAB=
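Review bot: The comments on RPS_PRINCIPAL and RPS_KEYTAB say each may be left empty but not that the two must be set together. The constructor in RangerHawqPluginResource calls `loginUserFromKeytab` only when both are non-empty, so setting just one is silently ignored and the current kinit context is used instead. I would add a line such as `# RPS_PRINCIPAL and RPS_KEYTAB must both be set; if either is empty the current kinit context is used`. The keytab comment could also say that the file should be readable only by the account running RPS.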
http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/721f90ff/ranger-plugin/pom.xml
----------------------------------------------------------------------
diff --git a/ranger-plugin/pom.xml b/ranger-plugin/pom.xml
index bf2d718..80e09fe 100644
--- a/ranger-plugin/pom.xml
+++ b/ranger-plugin/pom.xml
@@ -269,6 +269,11 @@
<version>${hadoop.version}</version>
</dependency>
<dependency>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-common</artifactId>
+ <version>${hadoop.version}</version>
+ </dependency>
+ <dependency>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
<version>2.5</version>
http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/721f90ff/ranger-plugin/service/pom.xml
----------------------------------------------------------------------
diff --git a/ranger-plugin/service/pom.xml b/ranger-plugin/service/pom.xml
index ed4ccdb..be61934 100644
--- a/ranger-plugin/service/pom.xml
+++ b/ranger-plugin/service/pom.xml
@@ -104,6 +104,10 @@
<groupId>org.apache.hadoop</groupId>
<artifactId>hadoop-hdfs</artifactId>
</dependency>
+ <dependency>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-common</artifactId>
+ </dependency>
<dependency>
<groupId>log4j</groupId>
http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/721f90ff/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqPluginResource.java
----------------------------------------------------------------------
diff --git a/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqPluginResource.java b/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqPluginResource.java
index 26a7660..42f49e8 100644
--- a/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqPluginResource.java
+++ b/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqPluginResource.java
@@ -28,7 +28,9 @@ import org.apache.hawq.ranger.authorization.model.AuthorizationResponse;
import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
-import java.util.Date;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
/**
* JAX-RS resource for the authorization endpoint.
@@ -45,8 +47,46 @@ public class RangerHawqPluginResource {
/**
* Constructor. Creates a new instance of the resource that uses <code>RangerHawqAuthorizer</code>.
*/
- public RangerHawqPluginResource() {
+ public RangerHawqPluginResource()
+ {
+ // set UserGroupInformation under kerberos authentication
+ if (Utils.getAuth() == Utils.AuthMethod.KERBEROS)
+ {
+ Configuration conf = new Configuration();
+ conf.set("hadoop.security.authentication", "kerberos");
+ UserGroupInformation.setConfiguration(conf);
+
+ String prin = Utils.getPrincipal();
+ String keytab = Utils.getKeytab();
+
+ if ( !prin.equals("") && !keytab.equals("") )
+ {
+ try
+ {
+ UserGroupInformation.loginUserFromKeytab(prin, keytab);
+ }
+ catch (Exception e)
+ {
+ LOG.warn(String.format("loginUserFromKeytab failed, user[%s], keytab[%s]", prin, keytab));
+ }
+ }
+ }
+
+ if (LOG.isDebugEnabled())
+ {
+ try
+ {
+ UserGroupInformation user = UserGroupInformation.getLoginUser();
+ LOG.debug(String.format("login user: %s", user));
+ }
+ catch (Exception e)
+ {
+ LOG.warn("get login user failed exception: " + e);
+ }
+ }
+
this.authorizer = RangerHawqAuthorizer.getInstance();
+
}
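Review bot: The catch block around `UserGroupInformation.loginUserFromKeytab(prin, keytab)` logs a warning without the exception and lets the constructor continue. With RPS_AUTH=kerberos, a wrong principal or unreadable keytab therefore leaves the service running under whatever login user happens to be available, and the log gives no cause. Pass the exception to the logger, `LOG.error(String.format("loginUserFromKeytab failed, user[%s], keytab[%s]", prin, keytab), e);`, and consider rethrowing so a broken Kerberos setup fails at start-up rather than at the first call to Ranger admin. The login also sits in the resource constructor: if the JAX-RS container creates this resource per request (not visible in this hunk), the process-wide `UserGroupInformation.setConfiguration` and the keytab login would be repeated each time, so they would be better placed in one-time initialisation.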
http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/721f90ff/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/Utils.java
----------------------------------------------------------------------
diff --git a/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/Utils.java b/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/Utils.java
index a3579a9..3eede6e 100644
--- a/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/Utils.java
+++ b/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/Utils.java
@@ -26,6 +26,7 @@ import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;
+
/**
* Utility class for reading values from the environment with falling back to reading them from the property file.
*/
@@ -40,6 +41,16 @@ public abstract class Utils {
public static final String VERSION_PROPERTY_KEY_FILE = "RPS_VERSION";
public static final String RANGER_SERVICE_PROPERTY_FILE = "rps.properties";
+ //kerberos support property
+ public static enum AuthMethod { SIMPLE, KERBEROS }
+ public static final String AUTH_KEY_ENV = "auth";
+ public static final String AUTH_KEY_FILE = "RPS_AUTH";
+ public static final String PRINCIPAL_KEY_ENV = "principal";
+ public static final String PRINCIPAL_KEY_FILE = "RPS_PRINCIPAL";
+ public static final String KEYTAB_KEY_ENV = "keytab";
+ public static final String KEYTAB_KEY_FILE = "RPS_KEYTAB";
+
+
private static final Log LOG = LogFactory.getLog(Utils.class);
private static final Properties properties = readPropertiesFromFile();
@@ -68,6 +79,34 @@ public abstract class Utils {
}
/**
+ * Retrieves the authentication
+ * @return kerberos or simple[default]
+ */
+ public static AuthMethod getAuth() {
+ String auth = System.getProperty(AUTH_KEY_ENV, properties.getProperty(AUTH_KEY_FILE, "simple"));
+ if (auth.toLowerCase().equals("kerberos"))
+ return AuthMethod.KERBEROS;
+ else
+ return AuthMethod.SIMPLE;
+ }
+
+ /**
+ * Retrieves the kerberos client principal
+ * @return principal name or ""[default]
+ */
+ public static String getPrincipal() {
+ return System.getProperty(PRINCIPAL_KEY_ENV, properties.getProperty(PRINCIPAL_KEY_FILE, ""));
+ }
+
+ /**
+ * Retrieves the kerberos keytab file path
+ * @return keytab file path or ""[default]
+ */
+ public static String getKeytab() {
+ return System.getProperty(KEYTAB_KEY_ENV, properties.getProperty(KEYTAB_KEY_FILE, ""));
+ }
+
+ /**
* Reads properties from the property file.
* @return properties read from the file
*/
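Review bot: `getAuth()` maps every value other than "kerberos" to `AuthMethod.SIMPLE`, so a typo or trailing whitespace in RPS_AUTH (java.util.Properties keeps trailing spaces in values) silently downgrades the connection to simple authentication. Trim the value and log a warning for anything that is neither "simple" nor "kerberos", for example `String auth = System.getProperty(AUTH_KEY_ENV, properties.getProperty(AUTH_KEY_FILE, "simple")).trim();` followed by `auth.equalsIgnoreCase("kerberos")`, which also avoids default-locale case mapping. The system-property keys `auth`, `principal` and `keytab` defined in the previous hunk are very generic for a JVM shared with Tomcat; a prefixed name would be less likely to collide with another component's property.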