Posted to commits@ranger.apache.org by ab...@apache.org on 2017/11/11 03:21:23 UTC
ranger git commit: RANGER-1883: TagSync should reuse kerberos ticket
in REST calls to Ranger Admin
Repository: ranger
Updated Branches:
refs/heads/master 2a1406df8 -> 98cb80e33
RANGER-1883: TagSync should reuse kerberos ticket in REST calls to Ranger Admin
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/98cb80e3
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/98cb80e3
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/98cb80e3
Branch: refs/heads/master
Commit: 98cb80e3335e7c9588b9ad5b57667d3421fba4e6
Parents: 2a1406d
Author: Abhay Kulkarni <ak...@hortonworks.com>
Authored: Fri Nov 10 19:21:15 2017 -0800
Committer: Abhay Kulkarni <ak...@hortonworks.com>
Committed: Fri Nov 10 19:21:15 2017 -0800
----------------------------------------------------------------------
.../tagsync/sink/tagadmin/TagAdminRESTSink.java | 76 ++++++++++++++------
1 file changed, 56 insertions(+), 20 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/98cb80e3/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java
----------------------------------------------------------------------
diff --git a/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java b/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java
index b1225c2..4f6761f 100644
--- a/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java
+++ b/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java
@@ -27,6 +27,7 @@ import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.security.SecureClientLogin;
+import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ranger.admin.client.datatype.RESTResponse;
import org.apache.ranger.tagsync.model.TagSink;
import org.apache.ranger.plugin.util.RangerRESTClient;
@@ -36,6 +37,7 @@ import org.apache.ranger.tagsync.process.TagSyncConfig;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
import java.security.PrivilegedAction;
import java.util.Map;
import java.util.Properties;
@@ -95,16 +97,33 @@ public class TagAdminRESTSink implements TagSink, Runnable {
if (StringUtils.isNotBlank(restUrl)) {
tagRESTClient = new RangerRESTClient(restUrl, sslConfigFile);
- if(!(!StringUtils.isEmpty(authenticationType) && authenticationType.trim().equalsIgnoreCase(AUTH_TYPE_KERBEROS) && SecureClientLogin.isKerberosCredentialExists(principal, keytab))){
+ if(isKerberosEnabled()) {
+ Subject subject = null;
+ try {
+ subject = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules);
+ } catch(IOException exception) {
+ LOG.error("Could not get Subject from principal:[" + principal + "], keytab:[" + keytab + "], nameRules:[" + nameRules + "]", exception);
+ }
+ if (subject != null) {
+ try {
+ UserGroupInformation.loginUserFromSubject(subject);
+ ret = true;
+ } catch (IOException exception) {
+ LOG.error("Failed to get UGI from Subject:[" + subject + "]");
+ }
+ }
+ } else {
tagRESTClient.setBasicAuthInfo(userName, password);
+ ret = true;
}
- uploadWorkItems = new LinkedBlockingQueue<UploadWorkItem>();
-
- ret = true;
} else {
LOG.error("No value specified for property 'ranger.tagsync.tagadmin.rest.url'!");
}
+ if (ret) {
+ uploadWorkItems = new LinkedBlockingQueue<UploadWorkItem>();
+ }
+
if(LOG.isDebugEnabled()) {
LOG.debug("<== TagAdminRESTSink.initialize(), result=" + ret);
}
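Review bot: The new `LOG.error("Failed to get UGI from Subject:[" + subject + "]");` in the second catch concatenates the whole `Subject` into the message and drops the caught `IOException`. `Subject.toString()` can include the private credentials obtained from the keytab login, so Kerberos ticket material may end up in the log while the actual cause is lost. I would log only the principal and pass the exception: `LOG.error("Failed to get UGI from Subject for principal:[" + principal + "]", exception);`. Separately, when the authentication type is Kerberos but `isKerberosEnabled()` is false because the credential check fails, the code falls through to `setBasicAuthInfo(userName, password)` with no log line; a warning on that path would make the downgrade visible. initialize() starts and ends outside this hunk.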
@@ -133,26 +152,43 @@ public class TagAdminRESTSink implements TagSink, Runnable {
return ret;
}
+ private boolean isKerberosEnabled() {
+ return !StringUtils.isEmpty(authenticationType) && authenticationType.trim().equalsIgnoreCase(AUTH_TYPE_KERBEROS) && SecureClientLogin.isKerberosCredentialExists(principal, keytab);
+ }
+
private ServiceTags doUpload(ServiceTags serviceTags) throws Exception {
- if(!StringUtils.isEmpty(authenticationType) && authenticationType.trim().equalsIgnoreCase(AUTH_TYPE_KERBEROS) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)){
+ if(isKerberosEnabled()) {
try{
- Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules);
- if(LOG.isDebugEnabled()) {
- LOG.debug("Using Principal = "+ principal + ", keytab = "+keytab);
+ UserGroupInformation userGroupInformation = UserGroupInformation.getLoginUser();
+ if (userGroupInformation != null) {
+ try {
+ userGroupInformation.checkTGTAndReloginFromKeytab();
+ } catch (IOException ioe) {
+ LOG.error("Error renewing TGT and relogin", ioe);
+ userGroupInformation = null;
+ }
}
- final ServiceTags serviceTag = serviceTags;
- ServiceTags ret = Subject.doAs(sub, new PrivilegedAction<ServiceTags>() {
- @Override
- public ServiceTags run() {
- try{
- return uploadServiceTags(serviceTag);
- }catch (Exception e) {
- LOG.error("Upload of service-tags failed with message ", e);
- }
- return null;
+ if (userGroupInformation != null) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Using Principal = " + principal + ", keytab = " + keytab);
}
- });
- return ret;
+ final ServiceTags serviceTag = serviceTags;
+ ServiceTags ret = userGroupInformation.doAs(new PrivilegedAction<ServiceTags>() {
+ @Override
+ public ServiceTags run() {
+ try {
+ return uploadServiceTags(serviceTag);
+ } catch (Exception e) {
+ LOG.error("Upload of service-tags failed with message ", e);
+ }
+ return null;
+ }
+ });
+ return ret;
+ } else {
+ LOG.error("Failed to get UserGroupInformation.getLoginUser()");
+ return null; // This will cause retries !!!
+ }
}catch(Exception e){
LOG.error("Upload of service-tags failed with message ", e);
}
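Review bot: The upload in `userGroupInformation.doAs(...)` runs as whatever JVM-wide login user `UserGroupInformation.getLoginUser()` returns, and nothing in doUpload ties that identity back to the `principal`/`keytab` login done in initialize(). That dependency deserves a comment above the call, for example `// relies on initialize() having called UserGroupInformation.loginUserFromSubject(); the login user is process-wide`. It is also worth confirming that `checkTGTAndReloginFromKeytab()` can actually renew a login established through `loginUserFromSubject`, since that is not visible here. When the relogin fails, the code sets `userGroupInformation = null` and then logs "Failed to get UserGroupInformation.getLoginUser()", which misreports the cause; something like `LOG.error("No usable Kerberos login user (getLoginUser() or relogin failed)");` would be accurate for both paths. doUpload continues past the end of this hunk.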