You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by ma...@apache.org on 2023/03/02 22:00:16 UTC
[ranger] branch ranger-1.1 updated: RANGER-3856: Ranger admin client updated with option to work with non-kerberized server
This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch ranger-1.1
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-1.1 by this push:
new e1b035f5e RANGER-3856: Ranger admin client updated with option to work with non-kerberized server
e1b035f5e is described below
commit e1b035f5e442b2a605239b14381cd60f040b6d50
Author: Ankita Sinha <an...@apache.org>
AuthorDate: Mon Aug 22 14:03:37 2022 +0530
RANGER-3856: Ranger admin client updated with option to work with non-kerberized server
---
.../ranger/admin/client/RangerAdminRESTClient.java | 25 +++++++++++++++++-----
.../admin/client/RangerAdminJersey2RESTClient.java | 18 ++++++++++++++--
2 files changed, 36 insertions(+), 7 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
index dddfbc7fe..fc49ef052 100644
--- a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
+++ b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
@@ -53,6 +53,7 @@ public class RangerAdminRESTClient implements RangerAdminClient {
private String clusterName;
private RangerRESTClient restClient;
private RangerRESTUtils restUtils = new RangerRESTUtils();
+ private boolean forceNonKerberos = false;
public static <T> GenericType<List<T>> getGenericType(final T clazz) {
@@ -84,6 +85,8 @@ public class RangerAdminRESTClient implements RangerAdminClient {
clusterName = RangerConfiguration.getInstance().get(propertyPrefix + ".ambari.cluster.name", "");
int restClientConnTimeOutMs = RangerConfiguration.getInstance().getInt(propertyPrefix + ".policy.rest.client.connection.timeoutMs", 120 * 1000);
int restClientReadTimeOutMs = RangerConfiguration.getInstance().getInt(propertyPrefix + ".policy.rest.client.read.timeoutMs", 30 * 1000);
+ this.forceNonKerberos = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".forceNonKerberos", false);
+
if (!StringUtil.isEmpty(tmpUrl)) {
url = tmpUrl.trim();
}
@@ -102,7 +105,7 @@ public class RangerAdminRESTClient implements RangerAdminClient {
ServicePolicies ret = null;
UserGroupInformation user = MiscUtil.getUGILoginUser();
- boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+ boolean isSecureMode = isKerberosEnabled(user);
ClientResponse response = null;
if (isSecureMode) {
if (LOG.isDebugEnabled()) {
@@ -174,7 +177,7 @@ public class RangerAdminRESTClient implements RangerAdminClient {
ClientResponse response = null;
UserGroupInformation user = MiscUtil.getUGILoginUser();
- boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+ boolean isSecureMode = isKerberosEnabled(user);
if (isSecureMode) {
PrivilegedAction<ClientResponse> action = new PrivilegedAction<ClientResponse>() {
@@ -219,7 +222,7 @@ public class RangerAdminRESTClient implements RangerAdminClient {
ClientResponse response = null;
UserGroupInformation user = MiscUtil.getUGILoginUser();
- boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+ boolean isSecureMode = isKerberosEnabled(user);
if (isSecureMode) {
PrivilegedAction<ClientResponse> action = new PrivilegedAction<ClientResponse>() {
@@ -287,7 +290,7 @@ public class RangerAdminRESTClient implements RangerAdminClient {
ClientResponse response = null;
WebResource webResource = null;
UserGroupInformation user = MiscUtil.getUGILoginUser();
- boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+ boolean isSecureMode = isKerberosEnabled(user);
if (isSecureMode) {
PrivilegedAction<ClientResponse> action = new PrivilegedAction<ClientResponse>() {
@@ -358,7 +361,7 @@ public class RangerAdminRESTClient implements RangerAdminClient {
List<String> ret = null;
String emptyString = "";
UserGroupInformation user = MiscUtil.getUGILoginUser();
- boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+ boolean isSecureMode = isKerberosEnabled(user);
final WebResource webResource = createWebResource(RangerRESTUtils.REST_URL_LOOKUP_TAG_NAMES)
.queryParam(RangerRESTUtils.SERVICE_NAME_PARAM, serviceName)
@@ -396,4 +399,16 @@ public class RangerAdminRESTClient implements RangerAdminClient {
return ret;
}
+ public boolean isKerberosEnabled(UserGroupInformation user) {
+ final boolean ret;
+
+ if (forceNonKerberos) {
+ ret = false;
+ } else {
+ ret = user != null && UserGroupInformation.isSecurityEnabled() && user.hasKerberosCredentials();
+ }
+
+ return ret;
+ }
+
}
diff --git a/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java b/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
index d856f898b..8712945ae 100644
--- a/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
+++ b/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
@@ -66,6 +66,7 @@ public class RangerAdminJersey2RESTClient implements RangerAdminClient {
String _pluginId = null;
int _restClientConnTimeOutMs;
int _restClientReadTimeOutMs;
+ boolean forceNonKerberos = false;
@Override
public void init(String serviceName, String appId, String configPropertyPrefix) {
@@ -81,6 +82,7 @@ public class RangerAdminJersey2RESTClient implements RangerAdminClient {
_restClientConnTimeOutMs = RangerConfiguration.getInstance().getInt(configPropertyPrefix + ".policy.rest.client.connection.timeoutMs", 120 * 1000);
_restClientReadTimeOutMs = RangerConfiguration.getInstance().getInt(configPropertyPrefix + ".policy.rest.client.read.timeoutMs", 30 * 1000);
_clusterName = RangerConfiguration.getInstance().get(configPropertyPrefix + ".ambari.cluster.name", "");
+ forceNonKerberos = RangerConfiguration.getInstance().getBoolean(configPropertyPrefix + ".forceNonKerberos", false);
LOG.info("Init params: " + String.format("Base URL[%s], SSL Congig filename[%s], ServiceName=[%s]", _baseUrl, _sslConfigFileName, _serviceName));
@@ -100,7 +102,7 @@ public class RangerAdminJersey2RESTClient implements RangerAdminClient {
}
UserGroupInformation user = MiscUtil.getUGILoginUser();
- boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+ boolean isSecureMode = isKerberosEnabled(user);
String url = null;
ServicePolicies servicePolicies = null;
@@ -261,7 +263,7 @@ public class RangerAdminJersey2RESTClient implements RangerAdminClient {
}
UserGroupInformation user = MiscUtil.getUGILoginUser();
- boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+ boolean isSecureMode = isKerberosEnabled(user);
String url = null;
ServiceTags serviceTags = null;
@@ -405,4 +407,16 @@ public class RangerAdminJersey2RESTClient implements RangerAdminClient {
return _client;
}
+
+ public boolean isKerberosEnabled(UserGroupInformation user) {
+ final boolean ret;
+
+ if (forceNonKerberos) {
+ ret = false;
+ } else {
+ ret = user != null && UserGroupInformation.isSecurityEnabled() && user.hasKerberosCredentials();
+ }
+
+ return ret;
+ }
}