You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ranger.apache.org by Jalpan Randeri <ja...@gmail.com> on 2020/07/31 01:11:21 UTC

Review Request 72724: [RANGER-2936] Support for policy download mode configuration on plugin

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72724/
-----------------------------------------------------------

Review request for ranger.


Bugs: RANGER-2936
    https://issues.apache.org/jira/browse/RANGER-2936


Repository: ranger


Description
-------

Ranger Plugins uses RangerAdminRESTClient to download policies. Ranger Admin server exposes two different endpoints for policy downloads

    Secure mode
    normal mode RangerAdminRESTClient select mode secure mode if Hadoop cluster is running in Kerberos. https://github.com/apache/ranger/blob/master/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java#L129

Since, Ranger admin server is capable of managing heterogeneous Hadoop clusters. 
Ranger plugins are unable to communicate with Ranger admin server under following scenario

1. Ranger Plugin is running on Hadoop cluster protected by Kerberos
2. Ranger Admin server is running in non-Kerberos mode

Above mentioned scenario, ranger plugins are observing following error

2020-06-13 03:47:20 WARN RangerAdminRESTClient:176 - [] Error getting policies. secureMode=true, user=hive (auth:KERBEROS), response={"httpStatusCode":304,"statusCode":0}


### How to this patch mitigate issue?

This patch introduces boolean configuration `ranger.plugin.{service}.policyDownload.secureMode` in RangerAdminRESTClient.

- true use secure mode to download policies
- false use simple mode to download policies

Plugin will read this configuration to determine policy download mode


Diffs
-----

  agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java e5f97477b 
  agents-common/src/test/java/org/apache/ranger/admin/client/RangerAdminRESTClientTest.java PRE-CREATION 


Diff: https://reviews.apache.org/r/72724/diff/1/


Testing
-------

Added Unit tests
Maven Build
mvn -pl agent-common install
```
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  01:04 min
[INFO] Finished at: 2020-07-24T12:57:45-07:00
[INFO] ------------------------------------------------------------------------

```

Testing on Hive Plugin
```
2020-07-30 22:32:05 DEBUG RangerAdminRESTClient:126 - [] ==> RangerAdminRESTClient.getServicePoliciesIfUpdated(49, 1596148295522)
2020-07-30 22:32:05 DEBUG RangerAdminRESTClient:162 - [] Checking Service policy if updated with old api call
2020-07-30 22:32:05 DEBUG RangerAdminRESTClient:174 - [] No change in policies. secureMode=false, user=jalpan@EC2.INTERNAL (auth:KERBEROS), response={"httpStatusCode":304,"statusCode":0}, serviceName=hivedev
2020-07-30 22:32:05 DEBUG RangerAdminRESTClient:198 - [] <== RangerAdminRESTClient.getServicePoliciesIfUpdated(49, 1596148295522): null

```

Plugin Configuration
```
    <property>
        <name>ranger.plugin.hive.policy.source.impl</name>
        <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
    </property>

    <property>
        <name>ranger.plugin.hive.policyDownload.secureMode</name>
        <value>false</value>
    </property>
```


Thanks,

Jalpan Randeri

Re: Review Request 72724: [RANGER-2936] Support for policy download mode configuration on plugin

Posted by Jalpan Randeri <ja...@gmail.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72724/
-----------------------------------------------------------

(Updated July 31, 2020, 6 p.m.)


Review request for ranger.


Bugs: RANGER-2936
    https://issues.apache.org/jira/browse/RANGER-2936


Repository: ranger


Description
-------

Ranger Plugins uses RangerAdminRESTClient to download policies. Ranger Admin server exposes two different endpoints for policy downloads

    Secure mode
    normal mode RangerAdminRESTClient select mode secure mode if Hadoop cluster is running in Kerberos. https://github.com/apache/ranger/blob/master/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java#L129

Since, Ranger admin server is capable of managing heterogeneous Hadoop clusters. 
Ranger plugins are unable to communicate with Ranger admin server under following scenario

1. Ranger Plugin is running on Hadoop cluster protected by Kerberos
2. Ranger Admin server is running in non-Kerberos mode

Above mentioned scenario, ranger plugins are observing following error

2020-06-13 03:47:20 WARN RangerAdminRESTClient:176 - [] Error getting policies. secureMode=true, user=hive (auth:KERBEROS), response={"httpStatusCode":304,"statusCode":0}


### How to this patch mitigate issue?

This patch introduces boolean configuration `ranger.plugin.{service}.policyDownload.secureMode` in RangerAdminRESTClient.

- true use secure mode to download policies
- false use simple mode to download policies

Plugin will read this configuration to determine policy download mode


Diffs (updated)
-----

  agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java e5f97477b 
  agents-common/src/test/java/org/apache/ranger/admin/client/RangerAdminRESTClientTest.java PRE-CREATION 


Diff: https://reviews.apache.org/r/72724/diff/2/

Changes: https://reviews.apache.org/r/72724/diff/1-2/


Testing
-------

Added Unit tests
Maven Build
mvn -pl agent-common install
```
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  01:04 min
[INFO] Finished at: 2020-07-24T12:57:45-07:00
[INFO] ------------------------------------------------------------------------

```

Testing on Hive Plugin
```
2020-07-30 22:32:05 DEBUG RangerAdminRESTClient:126 - [] ==> RangerAdminRESTClient.getServicePoliciesIfUpdated(49, 1596148295522)
2020-07-30 22:32:05 DEBUG RangerAdminRESTClient:162 - [] Checking Service policy if updated with old api call
2020-07-30 22:32:05 DEBUG RangerAdminRESTClient:174 - [] No change in policies. secureMode=false, user=jalpan@EC2.INTERNAL (auth:KERBEROS), response={"httpStatusCode":304,"statusCode":0}, serviceName=hivedev
2020-07-30 22:32:05 DEBUG RangerAdminRESTClient:198 - [] <== RangerAdminRESTClient.getServicePoliciesIfUpdated(49, 1596148295522): null

```

Plugin Configuration
```
    <property>
        <name>ranger.plugin.hive.policy.source.impl</name>
        <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
    </property>

    <property>
        <name>ranger.plugin.hive.policyDownload.secureMode</name>
        <value>false</value>
    </property>
```


Thanks,

Jalpan Randeri