Posted to commits@ranger.apache.org by ga...@apache.org on 2016/05/10 09:19:36 UTC
incubator-ranger git commit: RANGER-973: Ranger Admin to perform Key
operations using Principal / keytab of RangerAdmin from UI in Kerberos mode
Repository: incubator-ranger
Updated Branches:
refs/heads/master b744c8eb6 -> 2bd65f7bc
RANGER-973: Ranger Admin to perform Key operations using Principal / keytab of RangerAdmin from UI in Kerberos mode
Signed-off-by: Gautam Borad <ga...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/2bd65f7b
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/2bd65f7b
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/2bd65f7b
Branch: refs/heads/master
Commit: 2bd65f7bc9fa5eff9cc33d17c1218571ca756cf6
Parents: b744c8e
Author: Ankita Sinha <an...@freestoneinfotech.com>
Authored: Fri May 6 15:27:43 2016 +0530
Committer: Gautam Borad <ga...@apache.org>
Committed: Tue May 10 14:49:19 2016 +0530
----------------------------------------------------------------------
.../plugin/client/HadoopConfigHolder.java | 2 +
.../main/resources/resourcenamemap.properties | 2 +
kms/config/kms-webapp/kms-site.xml | 16 +++++-
.../ranger/services/kms/client/KMSClient.java | 24 ++++----
.../services/kms/client/KMSConnectionMgr.java | 8 +--
.../services/kms/client/KMSResourceMgr.java | 10 ++--
.../java/org/apache/ranger/biz/KmsKeyMgr.java | 10 +++-
.../org/apache/ranger/biz/ServiceDBStore.java | 58 ++++++++++++++++----
.../java/org/apache/ranger/biz/ServiceMgr.java | 24 +++++++-
.../java/org/apache/ranger/biz/SessionMgr.java | 18 +++++-
.../resources/conf.dist/ranger-admin-site.xml | 4 ++
.../main/resources/resourcenamemap.properties | 4 +-
12 files changed, 142 insertions(+), 38 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2bd65f7b/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java b/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java
index 8991872..37d7e6f 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java
@@ -43,6 +43,8 @@ public class HadoopConfigHolder {
public static final String RANGER_LOGIN_PASSWORD = "password" ;
public static final String RANGER_LOOKUP_PRINCIPAL = "lookupprincipal";
public static final String RANGER_LOOKUP_KEYTAB = "lookupkeytab";
+ public static final String RANGER_PRINCIPAL = "rangerprincipal";
+ public static final String RANGER_KEYTAB = "rangerkeytab";
public static final String RANGER_NAME_RULES = "namerules";
public static final String RANGER_AUTH_TYPE = "authtype";
public static final String HADOOP_SECURITY_AUTHENTICATION = "hadoop.security.authentication";
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2bd65f7b/agents-common/src/main/resources/resourcenamemap.properties
----------------------------------------------------------------------
diff --git a/agents-common/src/main/resources/resourcenamemap.properties b/agents-common/src/main/resources/resourcenamemap.properties
index 72d78d2..f7e4d48 100644
--- a/agents-common/src/main/resources/resourcenamemap.properties
+++ b/agents-common/src/main/resources/resourcenamemap.properties
@@ -28,6 +28,8 @@ lookupprincipal=xalogin.xml
lookupkeytab=xalogin.xml
namerules=xalogin.xml
authtype=xalogin.xml
+rangerprincipal=xalogin.xml
+rangerkeytab=xalogin.xml
hbase.master.kerberos.principal=hbase-site.xml
hbase.rpc.engine=hbase-site.xml
hbase.rpc.protection=hbase-site.xml
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2bd65f7b/kms/config/kms-webapp/kms-site.xml
----------------------------------------------------------------------
diff --git a/kms/config/kms-webapp/kms-site.xml b/kms/config/kms-webapp/kms-site.xml
index b61d1b2..a2c4af3 100644
--- a/kms/config/kms-webapp/kms-site.xml
+++ b/kms/config/kms-webapp/kms-site.xml
@@ -174,5 +174,19 @@
<name>hadoop.kms.security.authorization.manager</name>
<value>org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizer</value>
</property>
-
+
+ <property>
+ <name>hadoop.kms.proxyuser.rangeradmin.groups</name>
+ <value>*</value>
+ </property>
+
+ <property>
+ <name>hadoop.kms.proxyuser.rangeradmin.hosts</name>
+ <value>*</value>
+ </property>
+
+ <property>
+ <name>hadoop.kms.proxyuser.rangeradmin.users</name>
+ <value>*</value>
+ </property>
</configuration>
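Review bot: All three new `hadoop.kms.proxyuser.rangeradmin.*` properties are set to `*`, which lets the rangeradmin principal impersonate any user, from any host, for any group; since this commit also makes KMSClient send `?doAs=` under that principal, the hosts entry at least should be narrowed to the Ranger Admin host(s), e.g. `<value>RANGER_ADMIN_HOST_PLACEHOLDER</value>` (placeholder), with users/groups limited to what KMS lookups actually impersonate. A `<description>` element on each property stating that these are permissive defaults meant to be tightened per deployment would keep them from being copied unchanged into production configs.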
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2bd65f7b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
----------------------------------------------------------------------
diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
index 218d1e3..81b6e34 100755
--- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
@@ -68,17 +68,17 @@ public class KMSClient {
String provider;
String username;
String password;
- String lookupPrincipal;
- String lookupKeytab;
+ String rangerPrincipal;
+ String rangerKeytab;
String nameRules;
String authType;
- public KMSClient(String provider, String username, String password, String lookupPrincipal, String lookupKeytab, String nameRules, String authType) {
+ public KMSClient(String provider, String username, String password, String rangerPrincipal, String rangerKeytab, String nameRules, String authType) {
this.provider = provider;
this.username = username;
this.password = password;
- this.lookupPrincipal = lookupPrincipal;
- this.lookupKeytab = lookupKeytab;
+ this.rangerPrincipal = rangerPrincipal;
+ this.rangerKeytab = rangerKeytab;
this.nameRules = nameRules;
this.authType = authType;
@@ -177,14 +177,14 @@ public class KMSClient {
LOG.info("Init Login: security not enabled, using username");
sub = SecureClientLogin.login(username);
}else{
- if(!StringUtils.isEmpty(lookupPrincipal) && !StringUtils.isEmpty(lookupKeytab)){
- LOG.info("Init Lookup Login: security enabled, using lookupPrincipal/lookupKeytab");
+ if(!StringUtils.isEmpty(rangerPrincipal) && !StringUtils.isEmpty(rangerKeytab)){
+ LOG.info("Init Lookup Login: security enabled, using rangerPrincipal/rangerKeytab");
if(StringUtils.isEmpty(nameRules)){
nameRules = "DEFAULT";
}
- String shortName = new HadoopKerberosName(lookupPrincipal).getShortName();
+ String shortName = new HadoopKerberosName(rangerPrincipal).getShortName();
uri = uri.concat("?doAs="+shortName);
- sub = SecureClientLogin.loginUserFromKeytab(lookupPrincipal, lookupKeytab, nameRules);
+ sub = SecureClientLogin.loginUserFromKeytab(rangerPrincipal, rangerKeytab, nameRules);
}
else{
LOG.info("Init Login: using username/password");
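Review bot: Renaming the fields drops KMSClient's use of the `lookupprincipal`/`lookupkeytab` entries, while ServiceMgr in this same commit still populates `RANGER_LOOKUP_PRINCIPAL`/`RANGER_LOOKUP_KEYTAB`; it appears that a deployment that has the lookup keytab but not the admin keytab now falls through to the username/password branch for KMS lookups, which looks like an unintended regression rather than the stated goal (the keys are read in the later hunk of this file, `configs.get("rangerprincipal")`). Either keep a fallback to the lookup credentials when `rangerPrincipal` is empty, or state in the class Javadoc that KMS lookups require the admin principal. The log text should also follow the rename: `LOG.info("Init Login: security enabled, using rangerPrincipal/rangerKeytab");`. The enclosing login method starts and ends outside this hunk.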
@@ -348,12 +348,12 @@ public class KMSClient {
String kmsUrl = configs.get("provider");
String kmsUserName = configs.get("username");
String kmsPassWord = configs.get("password");
- String lookupPrincipal = configs.get("lookupprincipal");
- String lookupKeytab = configs.get("lookupkeytab");
+ String rangerPrincipal = configs.get("rangerprincipal");
+ String rangerKeytab = configs.get("rangerkeytab");
String nameRules = configs.get("namerules");
String authType = configs.get("authtype");
- kmsClient = new KMSClient(kmsUrl, kmsUserName, kmsPassWord, lookupPrincipal, lookupKeytab, nameRules, authType);
+ kmsClient = new KMSClient(kmsUrl, kmsUserName, kmsPassWord, rangerPrincipal, rangerKeytab, nameRules, authType);
}
return kmsClient;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2bd65f7b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSConnectionMgr.java
----------------------------------------------------------------------
diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSConnectionMgr.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSConnectionMgr.java
index c247a44..e5d718b 100755
--- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSConnectionMgr.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSConnectionMgr.java
@@ -27,19 +27,19 @@ public class KMSConnectionMgr {
public static final Logger LOG = Logger.getLogger(KMSConnectionMgr.class);
- public static KMSClient getKMSClient(final String kmsURL, String userName, String password, String lookupPrincipal, String lookupKeytab, String nameRules, String authType) {
+ public static KMSClient getKMSClient(final String kmsURL, String userName, String password, String rangerPrincipal, String rangerKeytab, String nameRules, String authType) {
KMSClient kmsClient = null;
if (kmsURL == null || kmsURL.isEmpty()) {
LOG.error("Can not create KMSClient: kmsURL is empty");
- } else if(StringUtils.isEmpty(lookupPrincipal)){
+ } else if(StringUtils.isEmpty(rangerPrincipal)){
if(userName == null || userName.isEmpty()) {
LOG.error("Can not create KMSClient: kmsuserName is empty");
} else if (password == null || password.isEmpty()) {
LOG.error("Can not create KMSClient: kmsPassWord is empty");
}
- kmsClient = new KMSClient(kmsURL, userName, password, lookupPrincipal, lookupKeytab, nameRules, authType);
+ kmsClient = new KMSClient(kmsURL, userName, password, rangerPrincipal, rangerKeytab, nameRules, authType);
} else {
- kmsClient = new KMSClient(kmsURL, userName, password, lookupPrincipal, lookupKeytab, nameRules, authType);
+ kmsClient = new KMSClient(kmsURL, userName, password, rangerPrincipal, rangerKeytab, nameRules, authType);
}
return kmsClient;
}
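Review bot: The `else if (StringUtils.isEmpty(rangerPrincipal))` branch logs "Can not create KMSClient" for an empty user name or password and then creates the client anyway, and its body is otherwise identical to the `else` branch, so the log lies about the outcome and the branching is redundant. Either return `null` after logging, consistently with the empty-`kmsURL` case above it (callers must then null-check, see KMSResourceMgr), or keep the best-effort construction but log at WARN with wording such as `LOG.warn("KMSClient created without username/password and without rangerPrincipal");` and build the client once after the checks. A one-line Javadoc stating when this method returns `null` would make the contract explicit for callers.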
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2bd65f7b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSResourceMgr.java
----------------------------------------------------------------------
diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSResourceMgr.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSResourceMgr.java
index aa4c65a..e61d0bc 100755
--- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSResourceMgr.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSResourceMgr.java
@@ -72,18 +72,18 @@ public class KMSResourceMgr {
String url = configs.get("provider");
String username = configs.get("username");
String password = configs.get("password");
- String lookupPrincipal = configs.get("lookupprincipal");
- String lookupKeytab = configs.get("lookupkeytab");
+ String rangerPrincipal = configs.get("rangerprincipal");
+ String rangerKeytab = configs.get("rangerkeytab");
String nameRules = configs.get("namerules");
String authType = configs.get("authtype");
- resultList = getKMSResource(url, username, password, lookupPrincipal, lookupKeytab, nameRules, authType, kmsKeyName,kmsKeyList) ;
+ resultList = getKMSResource(url, username, password, rangerPrincipal, rangerKeytab, nameRules, authType, kmsKeyName,kmsKeyList) ;
}
return resultList ;
}
- public static List<String> getKMSResource(String url, String username, String password, String lookupPrincipal, String lookupKeytab, String nameRules, String authType, String kmsKeyName, List<String> kmsKeyList) {
+ public static List<String> getKMSResource(String url, String username, String password, String rangerPrincipal, String rangerKeytab, String nameRules, String authType, String kmsKeyName, List<String> kmsKeyList) {
List<String> topologyList = null;
- final KMSClient KMSClient = KMSConnectionMgr.getKMSClient(url, username, password, lookupPrincipal, lookupKeytab, nameRules, authType);
+ final KMSClient KMSClient = KMSConnectionMgr.getKMSClient(url, username, password, rangerPrincipal, rangerKeytab, nameRules, authType);
synchronized(KMSClient){
topologyList = KMSClient.getKeyList(kmsKeyName, kmsKeyList);
}
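Review bot: `KMSConnectionMgr.getKMSClient` returns `null` when the provider URL is empty, and `synchronized(KMSClient)` then throws a NullPointerException instead of the intended "no keys" result; a guard is needed before the lock, e.g. `if (KMSClient == null) { return topologyList; }`. The local is also named `KMSClient`, the same as its type, which makes the `synchronized` line read as class-level locking; `kmsClient` would avoid that. The enclosing `getKMSResource` method continues outside this hunk.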
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2bd65f7b/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
index 2f77e2d..fb09542 100755
--- a/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
@@ -91,6 +91,9 @@ public class KmsKeyMgr {
static final String NAME_RULES = "hadoop.security.auth_to_local";
static final String RANGER_AUTH_TYPE = "hadoop.security.authentication";
private static final String KERBEROS_TYPE = "kerberos";
+ private static final String ADMIN_USER_PRINCIPAL = "ranger.admin.kerberos.principal";
+ private static final String ADMIN_USER_KEYTAB = "ranger.admin.kerberos.keytab";
+ static final String HOST_NAME = "ranger.service.host";
@Autowired
ServiceDBStore svcStore;
@@ -537,8 +540,13 @@ public class KmsKeyMgr {
KerberosName.setRules(nameRules);
}
Subject sub = new Subject();
+ String rangerPrincipal = SecureClientLogin.getPrincipal(PropertiesUtil.getProperty(ADMIN_USER_PRINCIPAL), PropertiesUtil.getProperty(HOST_NAME));
if (checkKerberos()) {
- sub = SecureClientLogin.loginUserWithPassword(userName, password);
+ if(SecureClientLogin.isKerberosCredentialExists(rangerPrincipal, PropertiesUtil.getProperty(ADMIN_USER_KEYTAB))){
+ sub = SecureClientLogin.loginUserFromKeytab(rangerPrincipal, PropertiesUtil.getProperty(ADMIN_USER_KEYTAB), nameRules);
+ }else{
+ sub = SecureClientLogin.loginUserWithPassword(userName, password);
+ }
} else {
sub = SecureClientLogin.login(userName);
}
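Review bot: The choice between the admin keytab and the caller's password is made silently, so an operator cannot tell from the logs which identity performed a key operation; read the keytab path once and log the selected principal (never the password), e.g. `String rangerKeytab = PropertiesUtil.getProperty(ADMIN_USER_KEYTAB);` followed by `LOG.info("KMS login using admin principal " + rangerPrincipal);` in the keytab branch. `rangerPrincipal` is also derived via `SecureClientLogin.getPrincipal` before `checkKerberos()` is consulted, so it is computed on non-Kerberos paths as well; moving it inside the `if` keeps the property lookup where it is used. Note that KMSClient in this commit defaults `nameRules` to "DEFAULT" when empty, but this call passes `nameRules` through unchanged — presumably `loginUserFromKeytab` tolerates an empty value, but that should be confirmed. The enclosing method starts and ends outside this hunk.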
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2bd65f7b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
index ab0798b..321ab5e 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
@@ -99,9 +99,12 @@ import org.apache.poi.ss.usermodel.Workbook;
public class ServiceDBStore extends AbstractServiceStore {
private static final Log LOG = LogFactory.getLog(ServiceDBStore.class);
public static final String RANGER_TAG_EXPIRY_CONDITION_NAME = "accessed-after-expiry";
+ private static final String ADMIN_USER_PRINCIPAL = "ranger.admin.kerberos.principal";
+ private static final String ADMIN_USER_KEYTAB = "ranger.admin.kerberos.keytab";
private static final String LOOKUP_PRINCIPAL = "ranger.lookup.kerberos.principal";
private static final String LOOKUP_KEYTAB = "ranger.lookup.kerberos.keytab";
static final String RANGER_AUTH_TYPE = "hadoop.security.authentication";
+ private static final String AMBARI_SERVICE_CHECK_USER = "ambari.service.check.user";
private static final String KERBEROS_TYPE = "kerberos";
@@ -153,8 +156,7 @@ public class ServiceDBStore extends AbstractServiceStore {
@Autowired
RangerFactory factory;
-
-
+
private static volatile boolean legacyServiceDefsInitDone = false;
private Boolean populateExistingBaseFields = false;
@@ -2294,6 +2296,12 @@ public class ServiceDBStore extends AbstractServiceStore {
}
private void createDefaultPolicy(XXService createdService, VXUser vXUser, List<RangerResourceDef> resourceHierarchy, int num) throws Exception {
+ String adminPrincipal = PropertiesUtil.getProperty(ADMIN_USER_PRINCIPAL);
+ String adminKeytab = PropertiesUtil.getProperty(ADMIN_USER_KEYTAB);
+ String authType = PropertiesUtil.getProperty(RANGER_AUTH_TYPE);
+ String lookupPrincipal = PropertiesUtil.getProperty(LOOKUP_PRINCIPAL);
+ String lookupKeytab = PropertiesUtil.getProperty(LOOKUP_KEYTAB);
+
RangerPolicy policy = new RangerPolicy();
String policyName=createdService.getName()+"-"+num+"-"+DateUtil.dateToString(DateUtil.getUTCDate(),"yyyyMMddHHmmss");
@@ -2312,13 +2320,44 @@ public class ServiceDBStore extends AbstractServiceStore {
List<String> users = new ArrayList<String>();
users.add(vXUser.getName());
- VXUser vXLookupUser = getLookupUser();
- if(vXLookupUser != null){
+ VXUser vXLookupUser = getLookupUser(authType, lookupPrincipal, lookupKeytab);
+
+ XXService xService = daoMgr.getXXService().findByName(createdService.getName());
+ XXServiceDef xServiceDef = daoMgr.getXXServiceDef().getById(xService.getType());
+ if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)){
+ VXUser vXAdminUser = getLookupUser(authType, adminPrincipal, adminKeytab);
+ if(vXAdminUser != null){
+ users.add(vXAdminUser.getName());
+ }
+ }else if(vXLookupUser != null){
users.add(vXLookupUser.getName());
+ }else{
+ // do nothing
}
- UserSessionBase usb = ContextUtil.getCurrentUserSession();
- if (usb != null && usb.isSpnegoEnabled()) {
- users.add(usb.getLoginId());
+
+ RangerService rangerService = getServiceByName(createdService.getName());
+ if (rangerService != null){
+ Map<String, String> map = rangerService.getConfigs();
+ if (map != null && map.containsKey(AMBARI_SERVICE_CHECK_USER)){
+ String userNames = map.get(AMBARI_SERVICE_CHECK_USER);
+ String[] userList = userNames.split(",");
+ if(userList != null){
+ for (String userName : userList) {
+ if(!StringUtils.isEmpty(userName)){
+ XXUser xxUser = daoMgr.getXXUser().findByUserName(userName);
+ if (xxUser != null) {
+ vXUser = xUserService.populateViewBean(xxUser);
+ } else {
+ vXUser = xUserMgr.createServiceConfigUser(userName);
+ LOG.info("Creating Ambari Service Check User : "+vXUser.getName());
+ }
+ if(vXUser != null){
+ users.add(vXUser.getName());
+ }
+ }
+ }
+ }
+ }
}
policyItem.setUsers(users);
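Review bot: `daoMgr.getXXService().findByName(createdService.getName())` can return `null` and `xService.getType()` is dereferenced without a check; more simply, `createdService` already is the `XXService`, so `createdService.getType()` removes both the re-query and the null risk. In the Ambari block, `userList != null` is always true for `String.split`, the names are not trimmed (so "a, b" yields a user named " b" via `createServiceConfigUser`), and the method parameter `vXUser` is overwritten inside the loop, so anything after this hunk that still reads `vXUser` would see the last service-check user rather than the caller's user — the method continues below the hunk, so that needs confirming. The empty `else { // do nothing }` branch can be dropped. Note that trimming is a small behaviour change for existing configs that contain spaces.
```java
XXServiceDef xServiceDef = daoMgr.getXXServiceDef().getById(createdService.getType());
if (xServiceDef != null && StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)) {
    VXUser vXAdminUser = getLookupUser(authType, adminPrincipal, adminKeytab);
    if (vXAdminUser != null) {
        users.add(vXAdminUser.getName());
    }
} else if (vXLookupUser != null) {
    users.add(vXLookupUser.getName());
}

RangerService rangerService = getServiceByName(createdService.getName());
if (rangerService != null && rangerService.getConfigs() != null) {
    String userNames = rangerService.getConfigs().get(AMBARI_SERVICE_CHECK_USER);
    if (!StringUtils.isEmpty(userNames)) {
        for (String rawName : userNames.split(",")) {
            String userName = rawName.trim();
            if (userName.isEmpty()) {
                continue;
            }
            XXUser xxUser = daoMgr.getXXUser().findByUserName(userName);
            VXUser checkUser;
            if (xxUser != null) {
                checkUser = xUserService.populateViewBean(xxUser);
            } else {
                checkUser = xUserMgr.createServiceConfigUser(userName);
                LOG.info("Creating Ambari Service Check User : " + userName);
            }
            if (checkUser != null) {
                users.add(checkUser.getName());
            }
        }
    }
}
policyItem.setUsers(users);
```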
@@ -2339,11 +2378,8 @@ public class ServiceDBStore extends AbstractServiceStore {
policy = createPolicy(policy);
}
- private VXUser getLookupUser() {
+ private VXUser getLookupUser(String authType, String lookupPrincipal, String lookupKeytab) {
VXUser vXUser = null;
- String authType = PropertiesUtil.getProperty(RANGER_AUTH_TYPE);
- String lookupPrincipal = PropertiesUtil.getProperty(LOOKUP_PRINCIPAL);
- String lookupKeytab = PropertiesUtil.getProperty(LOOKUP_KEYTAB);
if(!StringUtils.isEmpty(authType) && authType.equalsIgnoreCase(KERBEROS_TYPE)){
if(SecureClientLogin.isKerberosCredentialExists(lookupPrincipal, lookupKeytab)){
KerberosName krbName = new KerberosName(lookupPrincipal);
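Review bot: The method is now also called with the admin principal and keytab (see the KMS branch of `createDefaultPolicy` in the previous hunk), so the name `getLookupUser` and the parameters `lookupPrincipal`/`lookupKeytab` no longer describe what it does; `private VXUser getKerberosUser(String authType, String principal, String keytab)` (or at least neutral parameter names) would read correctly at both call sites. A short Javadoc stating that it returns `null` when authentication is not Kerberos or the credential does not exist would document the contract the callers rely on. The method body continues outside this hunk.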
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2bd65f7b/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java
index b837a68..0059884 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java
@@ -59,6 +59,8 @@ public class ServiceMgr {
private static final String LOOKUP_PRINCIPAL = "ranger.lookup.kerberos.principal";
private static final String LOOKUP_KEYTAB = "ranger.lookup.kerberos.keytab";
+ private static final String ADMIN_USER_PRINCIPAL = "ranger.admin.kerberos.principal";
+ private static final String ADMIN_USER_KEYTAB = "ranger.admin.kerberos.keytab";
private static final String AUTHENTICATION_TYPE = "hadoop.security.authentication";
private static final String KERBEROS_TYPE = "kerberos";
static final String NAME_RULES = "hadoop.security.auth_to_local";
@@ -85,13 +87,23 @@ public class ServiceMgr {
String lookupPrincipal = SecureClientLogin.getPrincipal(PropertiesUtil.getProperty(LOOKUP_PRINCIPAL), PropertiesUtil.getProperty(HOST_NAME));
String lookupKeytab = PropertiesUtil.getProperty(LOOKUP_KEYTAB);
String nameRules = PropertiesUtil.getProperty(NAME_RULES);
+ String rangerPrincipal = SecureClientLogin.getPrincipal(PropertiesUtil.getProperty(ADMIN_USER_PRINCIPAL), PropertiesUtil.getProperty(HOST_NAME));
+ String rangerkeytab = PropertiesUtil.getProperty(ADMIN_USER_KEYTAB);
if(!StringUtils.isEmpty(authType) && authType.trim().equalsIgnoreCase(KERBEROS_TYPE) && SecureClientLogin.isKerberosCredentialExists(lookupPrincipal, lookupKeytab)){
if(service != null && service.getConfigs() != null){
service.getConfigs().put(HadoopConfigHolder.RANGER_LOOKUP_PRINCIPAL, lookupPrincipal);
service.getConfigs().put(HadoopConfigHolder.RANGER_LOOKUP_KEYTAB, lookupKeytab);
service.getConfigs().put(HadoopConfigHolder.RANGER_NAME_RULES, nameRules);
- service.getConfigs().put(HadoopConfigHolder.RANGER_AUTH_TYPE, authType);
+ service.getConfigs().put(HadoopConfigHolder.RANGER_AUTH_TYPE, authType);
+ }
+ }
+ if(!StringUtils.isEmpty(authType) && authType.trim().equalsIgnoreCase(KERBEROS_TYPE) && SecureClientLogin.isKerberosCredentialExists(rangerPrincipal, rangerkeytab)){
+ if(service != null && service.getConfigs() != null){
+ service.getConfigs().put(HadoopConfigHolder.RANGER_PRINCIPAL, rangerPrincipal);
+ service.getConfigs().put(HadoopConfigHolder.RANGER_KEYTAB, rangerkeytab);
+ service.getConfigs().put(HadoopConfigHolder.RANGER_NAME_RULES, nameRules);
+ service.getConfigs().put(HadoopConfigHolder.RANGER_AUTH_TYPE, authType);
}
}
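Review bot: The new `rangerPrincipal`/`rangerkeytab` block is a near-verbatim copy of the lookup block above it, and the same pair is duplicated again in the next hunk of this file (`@@ -137,6 +151,14 @@`), so the Kerberos gate and the four `put` calls now exist four times; a small private helper taking the principal, keytab and the two config keys would leave one place to get right. The local `rangerkeytab` should be `rangerKeytab` to match `lookupKeytab` and `rangerPrincipal`. The enclosing methods start and end outside the hunks.
```java
if (service != null && service.getConfigs() != null) {
    addKerberosCredentials(service.getConfigs(), authType, nameRules, lookupPrincipal, lookupKeytab,
            HadoopConfigHolder.RANGER_LOOKUP_PRINCIPAL, HadoopConfigHolder.RANGER_LOOKUP_KEYTAB);
    addKerberosCredentials(service.getConfigs(), authType, nameRules, rangerPrincipal, rangerkeytab,
            HadoopConfigHolder.RANGER_PRINCIPAL, HadoopConfigHolder.RANGER_KEYTAB);
}
// … unchanged: rest of the method …

/** Adds principal/keytab plus the name rules and auth type to configs when Kerberos is on and the credential exists. */
private static void addKerberosCredentials(Map<String, String> configs, String authType, String nameRules,
        String principal, String keytab, String principalKey, String keytabKey) {
    if (StringUtils.isEmpty(authType) || !authType.trim().equalsIgnoreCase(KERBEROS_TYPE)) {
        return;
    }
    if (SecureClientLogin.isKerberosCredentialExists(principal, keytab)) {
        configs.put(principalKey, principal);
        configs.put(keytabKey, keytab);
        configs.put(HadoopConfigHolder.RANGER_NAME_RULES, nameRules);
        configs.put(HadoopConfigHolder.RANGER_AUTH_TYPE, authType);
    }
}
```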
@@ -128,6 +140,8 @@ public class ServiceMgr {
String lookupPrincipal = SecureClientLogin.getPrincipal(PropertiesUtil.getProperty(LOOKUP_PRINCIPAL), PropertiesUtil.getProperty(HOST_NAME));
String lookupKeytab = PropertiesUtil.getProperty(LOOKUP_KEYTAB);
String nameRules = PropertiesUtil.getProperty(NAME_RULES);
+ String rangerPrincipal = SecureClientLogin.getPrincipal(PropertiesUtil.getProperty(ADMIN_USER_PRINCIPAL), PropertiesUtil.getProperty(HOST_NAME));
+ String rangerkeytab = PropertiesUtil.getProperty(ADMIN_USER_KEYTAB);
if(!StringUtils.isEmpty(authType) && authType.trim().equalsIgnoreCase(KERBEROS_TYPE) && SecureClientLogin.isKerberosCredentialExists(lookupPrincipal, lookupKeytab)){
if(service != null && service.getConfigs() != null){
@@ -137,6 +151,14 @@ public class ServiceMgr {
service.getConfigs().put(HadoopConfigHolder.RANGER_AUTH_TYPE, authType);
}
}
+ if(!StringUtils.isEmpty(authType) && authType.trim().equalsIgnoreCase(KERBEROS_TYPE) && SecureClientLogin.isKerberosCredentialExists(rangerPrincipal, rangerkeytab)){
+ if(service != null && service.getConfigs() != null){
+ service.getConfigs().put(HadoopConfigHolder.RANGER_PRINCIPAL, rangerPrincipal);
+ service.getConfigs().put(HadoopConfigHolder.RANGER_KEYTAB, rangerkeytab);
+ service.getConfigs().put(HadoopConfigHolder.RANGER_NAME_RULES, nameRules);
+ service.getConfigs().put(HadoopConfigHolder.RANGER_AUTH_TYPE, authType);
+ }
+ }
Map<String, String> newConfigs = rangerSvcService.getConfigsWithDecryptedPassword(service);
service.setConfigs(newConfigs);
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2bd65f7b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
index 106d910..6fcf754 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
@@ -31,11 +31,13 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.time.DateUtils;
import org.apache.log4j.Logger;
import org.apache.ranger.common.DateUtil;
import org.apache.ranger.common.HTTPUtil;
import org.apache.ranger.common.MessageEnums;
+import org.apache.ranger.common.PropertiesUtil;
import org.apache.ranger.common.RESTErrorUtil;
import org.apache.ranger.common.RangerCommonEnums;
import org.apache.ranger.common.RangerConstants;
@@ -152,8 +154,20 @@ public class SessionMgr {
if (session.getAttribute("auditLoginId") == null) {
synchronized (session) {
if (session.getAttribute("auditLoginId") == null) {
- gjAuthSession = storeAuthSession(gjAuthSession);
- session.setAttribute("auditLoginId", gjAuthSession.getId());
+ boolean isDownloadLogEnabled = PropertiesUtil.getBooleanProperty("ranger.downloadpolicy.session.log.enabled", false);
+ if (isDownloadLogEnabled){
+ gjAuthSession = storeAuthSession(gjAuthSession);
+ session.setAttribute("auditLoginId", gjAuthSession.getId());
+ }
+ else if (!StringUtils.isEmpty(httpRequest.getRequestURI()) && !(httpRequest.getRequestURI().contains("/secure/policies/download/") || httpRequest.getRequestURI().contains("/secure/download/"))){
+ gjAuthSession = storeAuthSession(gjAuthSession);
+ session.setAttribute("auditLoginId", gjAuthSession.getId());
+ }else if (StringUtils.isEmpty(httpRequest.getRequestURI())){
+ gjAuthSession = storeAuthSession(gjAuthSession);
+ session.setAttribute("auditLoginId", gjAuthSession.getId());
+ }else{
+ //do not log the details for download policy and tag
+ }
}
}
}
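Review bot: The exclusion of download requests from audit-session recording is decided by `String.contains` on the full request URI, so any URI that merely includes `/secure/download/` or `/secure/policies/download/` somewhere in it skips `storeAuthSession`, which is broader than the intended two endpoints; matching the path after the context path with `startsWith` (via `getServletPath()`/`getPathInfo()`) would tie the exemption to the actual endpoints. Three of the four branches also do the same thing, so the logic collapses to "store unless this is a download request and download logging is off", which is easier to audit than the chain of `else if`s. The `getRequestURI()` value should be read once rather than three times. The enclosing method starts and ends outside the hunk.
```java
boolean isDownloadLogEnabled = PropertiesUtil.getBooleanProperty("ranger.downloadpolicy.session.log.enabled", false);
String requestUri = httpRequest.getRequestURI();
// NOTE(review): substring match is wider than the two download endpoints; prefer a path-prefix check.
boolean isDownloadRequest = !StringUtils.isEmpty(requestUri)
        && (requestUri.contains("/secure/policies/download/") || requestUri.contains("/secure/download/"));
if (isDownloadLogEnabled || !isDownloadRequest) {
    gjAuthSession = storeAuthSession(gjAuthSession);
    session.setAttribute("auditLoginId", gjAuthSession.getId());
}
// else: policy/tag download requests are not recorded as login sessions
```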
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2bd65f7b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
index e3f9f03..54bad58 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
@@ -275,4 +275,8 @@
<name>ranger.supportedcomponents</name>
<value></value>
</property>
+ <property>
+ <name>ranger.downloadpolicy.session.log.enabled</name>
+ <value>false</value>
+ </property>
</configuration>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2bd65f7b/security-admin/src/main/resources/resourcenamemap.properties
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/resourcenamemap.properties b/security-admin/src/main/resources/resourcenamemap.properties
index e4a2edf..a5497fc 100644
--- a/security-admin/src/main/resources/resourcenamemap.properties
+++ b/security-admin/src/main/resources/resourcenamemap.properties
@@ -19,4 +19,6 @@ password=xalogin.xml
lookupprincipal=xalogin.xml
lookupkeytab=xalogin.xml
namerules=xalogin.xml
-authtype=xalogin.xml
\ No newline at end of file
+authtype=xalogin.xml
+rangerprincipal=xalogin.xml
+rangerkeytab=xalogin.xml
\ No newline at end of file