You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by ma...@apache.org on 2023/03/02 22:00:16 UTC

[ranger] branch ranger-1.1 updated: RANGER-3856: Ranger admin client updated with option to work with non-kerberized server

This is an automated email from the ASF dual-hosted git repository.

madhan pushed a commit to branch ranger-1.1
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/ranger-1.1 by this push:
     new e1b035f5e RANGER-3856: Ranger admin client updated with option to work with non-kerberized server
e1b035f5e is described below

commit e1b035f5e442b2a605239b14381cd60f040b6d50
Author: Ankita Sinha <an...@apache.org>
AuthorDate: Mon Aug 22 14:03:37 2022 +0530

    RANGER-3856: Ranger admin client updated with option to work with non-kerberized server
---
 .../ranger/admin/client/RangerAdminRESTClient.java | 25 +++++++++++++++++-----
 .../admin/client/RangerAdminJersey2RESTClient.java | 18 ++++++++++++++--
 2 files changed, 36 insertions(+), 7 deletions(-)

diff --git a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
index dddfbc7fe..fc49ef052 100644
--- a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
+++ b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
@@ -53,6 +53,7 @@ public class RangerAdminRESTClient implements RangerAdminClient {
 	private String clusterName;
 	private RangerRESTClient restClient;
 	private RangerRESTUtils restUtils   = new RangerRESTUtils();
+	private boolean forceNonKerberos = false;
 
 	public static <T> GenericType<List<T>> getGenericType(final T clazz) {
 
@@ -84,6 +85,8 @@ public class RangerAdminRESTClient implements RangerAdminClient {
 		clusterName       				= RangerConfiguration.getInstance().get(propertyPrefix + ".ambari.cluster.name", "");
 		int	 restClientConnTimeOutMs	= RangerConfiguration.getInstance().getInt(propertyPrefix + ".policy.rest.client.connection.timeoutMs", 120 * 1000);
 		int	 restClientReadTimeOutMs	= RangerConfiguration.getInstance().getInt(propertyPrefix + ".policy.rest.client.read.timeoutMs", 30 * 1000);
+		this.forceNonKerberos 			= RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".forceNonKerberos", false);
+
         if (!StringUtil.isEmpty(tmpUrl)) {
             url = tmpUrl.trim();
         }
@@ -102,7 +105,7 @@ public class RangerAdminRESTClient implements RangerAdminClient {
 
 		ServicePolicies ret = null;
 		UserGroupInformation user = MiscUtil.getUGILoginUser();
-		boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+		boolean isSecureMode = isKerberosEnabled(user);
 		ClientResponse response = null;
 		if (isSecureMode) {
 			if (LOG.isDebugEnabled()) {
@@ -174,7 +177,7 @@ public class RangerAdminRESTClient implements RangerAdminClient {
 
 		ClientResponse response = null;
 		UserGroupInformation user = MiscUtil.getUGILoginUser();
-		boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+		boolean isSecureMode = isKerberosEnabled(user);
 
 		if (isSecureMode) {
 			PrivilegedAction<ClientResponse> action = new PrivilegedAction<ClientResponse>() {
@@ -219,7 +222,7 @@ public class RangerAdminRESTClient implements RangerAdminClient {
 
 		ClientResponse response = null;
 		UserGroupInformation user = MiscUtil.getUGILoginUser();
-		boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+		boolean isSecureMode = isKerberosEnabled(user);
 
 		if (isSecureMode) {
 			PrivilegedAction<ClientResponse> action = new PrivilegedAction<ClientResponse>() {
@@ -287,7 +290,7 @@ public class RangerAdminRESTClient implements RangerAdminClient {
 		ClientResponse response = null;
 		WebResource webResource = null;
 		UserGroupInformation user = MiscUtil.getUGILoginUser();
-		boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+		boolean isSecureMode = isKerberosEnabled(user);
 
 		if (isSecureMode) {
 			PrivilegedAction<ClientResponse> action = new PrivilegedAction<ClientResponse>() {
@@ -358,7 +361,7 @@ public class RangerAdminRESTClient implements RangerAdminClient {
 		List<String> ret = null;
 		String emptyString = "";
 		UserGroupInformation user = MiscUtil.getUGILoginUser();
-		boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+		boolean isSecureMode = isKerberosEnabled(user);
 
 		final WebResource webResource = createWebResource(RangerRESTUtils.REST_URL_LOOKUP_TAG_NAMES)
 				.queryParam(RangerRESTUtils.SERVICE_NAME_PARAM, serviceName)
@@ -396,4 +399,16 @@ public class RangerAdminRESTClient implements RangerAdminClient {
 		return ret;
 	}
 
+	public boolean isKerberosEnabled(UserGroupInformation user) {
+        final boolean ret;
+
+        if (forceNonKerberos) {
+            ret = false;
+        } else {
+            ret = user != null && UserGroupInformation.isSecurityEnabled() && user.hasKerberosCredentials();
+        }
+
+        return ret;
+    }
+
 }
diff --git a/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java b/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
index d856f898b..8712945ae 100644
--- a/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
+++ b/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
@@ -66,6 +66,7 @@ public class RangerAdminJersey2RESTClient implements RangerAdminClient {
 	String _pluginId = null;
 	int	   _restClientConnTimeOutMs;
 	int	   _restClientReadTimeOutMs;
+	boolean forceNonKerberos = false;
 
 	@Override
 	public void init(String serviceName, String appId, String configPropertyPrefix) {
@@ -81,6 +82,7 @@ public class RangerAdminJersey2RESTClient implements RangerAdminClient {
 		_restClientConnTimeOutMs = RangerConfiguration.getInstance().getInt(configPropertyPrefix + ".policy.rest.client.connection.timeoutMs", 120 * 1000);
 		_restClientReadTimeOutMs = RangerConfiguration.getInstance().getInt(configPropertyPrefix + ".policy.rest.client.read.timeoutMs", 30 * 1000);
 		_clusterName = RangerConfiguration.getInstance().get(configPropertyPrefix + ".ambari.cluster.name", "");
+		forceNonKerberos = RangerConfiguration.getInstance().getBoolean(configPropertyPrefix + ".forceNonKerberos", false);
 
 		LOG.info("Init params: " + String.format("Base URL[%s], SSL Congig filename[%s], ServiceName=[%s]", _baseUrl, _sslConfigFileName, _serviceName));
 		
@@ -100,7 +102,7 @@ public class RangerAdminJersey2RESTClient implements RangerAdminClient {
 		}
 
 		UserGroupInformation user = MiscUtil.getUGILoginUser();
-		boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+		boolean isSecureMode = isKerberosEnabled(user);
 
 		String url = null;
 		ServicePolicies servicePolicies = null;
@@ -261,7 +263,7 @@ public class RangerAdminJersey2RESTClient implements RangerAdminClient {
 		}
 
 		UserGroupInformation user = MiscUtil.getUGILoginUser();
-		boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+		boolean isSecureMode = isKerberosEnabled(user);
 
 		String url = null;
 		ServiceTags serviceTags = null;
@@ -405,4 +407,16 @@ public class RangerAdminJersey2RESTClient implements RangerAdminClient {
 		
 		return _client;
 	}
+
+	public boolean isKerberosEnabled(UserGroupInformation user) {
+        final boolean ret;
+
+        if (forceNonKerberos) {
+            ret = false;
+        } else {
+            ret = user != null && UserGroupInformation.isSecurityEnabled() && user.hasKerberosCredentials();
+        }
+
+        return ret;
+    }
 }