You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by Jalpan Randeri <ja...@gmail.com> on 2020/07/31 01:11:21 UTC
Review Request 72724: [RANGER-2936] Support for policy download mode
configuration on plugin
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72724/
-----------------------------------------------------------
Review request for ranger.
Bugs: RANGER-2936
https://issues.apache.org/jira/browse/RANGER-2936
Repository: ranger
Description
-------
Ranger Plugins uses RangerAdminRESTClient to download policies. Ranger Admin server exposes two different endpoints for policy downloads
Secure mode
normal mode RangerAdminRESTClient select mode secure mode if Hadoop cluster is running in Kerberos. https://github.com/apache/ranger/blob/master/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java#L129
Since, Ranger admin server is capable of managing heterogeneous Hadoop clusters.
Ranger plugins are unable to communicate with Ranger admin server under following scenario
1. Ranger Plugin is running on Hadoop cluster protected by Kerberos
2. Ranger Admin server is running in non-Kerberos mode
Above mentioned scenario, ranger plugins are observing following error
2020-06-13 03:47:20 WARN RangerAdminRESTClient:176 - [] Error getting policies. secureMode=true, user=hive (auth:KERBEROS), response={"httpStatusCode":304,"statusCode":0}
### How to this patch mitigate issue?
This patch introduces boolean configuration `ranger.plugin.{service}.policyDownload.secureMode` in RangerAdminRESTClient.
- true use secure mode to download policies
- false use simple mode to download policies
Plugin will read this configuration to determine policy download mode
Diffs
-----
agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java e5f97477b
agents-common/src/test/java/org/apache/ranger/admin/client/RangerAdminRESTClientTest.java PRE-CREATION
Diff: https://reviews.apache.org/r/72724/diff/1/
Testing
-------
Added Unit tests
Maven Build
mvn -pl agent-common install
```
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:04 min
[INFO] Finished at: 2020-07-24T12:57:45-07:00
[INFO] ------------------------------------------------------------------------
```
Testing on Hive Plugin
```
2020-07-30 22:32:05 DEBUG RangerAdminRESTClient:126 - [] ==> RangerAdminRESTClient.getServicePoliciesIfUpdated(49, 1596148295522)
2020-07-30 22:32:05 DEBUG RangerAdminRESTClient:162 - [] Checking Service policy if updated with old api call
2020-07-30 22:32:05 DEBUG RangerAdminRESTClient:174 - [] No change in policies. secureMode=false, user=jalpan@EC2.INTERNAL (auth:KERBEROS), response={"httpStatusCode":304,"statusCode":0}, serviceName=hivedev
2020-07-30 22:32:05 DEBUG RangerAdminRESTClient:198 - [] <== RangerAdminRESTClient.getServicePoliciesIfUpdated(49, 1596148295522): null
```
Plugin Configuration
```
<property>
<name>ranger.plugin.hive.policy.source.impl</name>
<value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
</property>
<property>
<name>ranger.plugin.hive.policyDownload.secureMode</name>
<value>false</value>
</property>
```
Thanks,
Jalpan Randeri
Re: Review Request 72724: [RANGER-2936] Support for policy download
mode configuration on plugin
Posted by Jalpan Randeri <ja...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72724/
-----------------------------------------------------------
(Updated July 31, 2020, 6 p.m.)
Review request for ranger.
Bugs: RANGER-2936
https://issues.apache.org/jira/browse/RANGER-2936
Repository: ranger
Description
-------
Ranger Plugins uses RangerAdminRESTClient to download policies. Ranger Admin server exposes two different endpoints for policy downloads
Secure mode
normal mode RangerAdminRESTClient select mode secure mode if Hadoop cluster is running in Kerberos. https://github.com/apache/ranger/blob/master/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java#L129
Since, Ranger admin server is capable of managing heterogeneous Hadoop clusters.
Ranger plugins are unable to communicate with Ranger admin server under following scenario
1. Ranger Plugin is running on Hadoop cluster protected by Kerberos
2. Ranger Admin server is running in non-Kerberos mode
Above mentioned scenario, ranger plugins are observing following error
2020-06-13 03:47:20 WARN RangerAdminRESTClient:176 - [] Error getting policies. secureMode=true, user=hive (auth:KERBEROS), response={"httpStatusCode":304,"statusCode":0}
### How to this patch mitigate issue?
This patch introduces boolean configuration `ranger.plugin.{service}.policyDownload.secureMode` in RangerAdminRESTClient.
- true use secure mode to download policies
- false use simple mode to download policies
Plugin will read this configuration to determine policy download mode
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java e5f97477b
agents-common/src/test/java/org/apache/ranger/admin/client/RangerAdminRESTClientTest.java PRE-CREATION
Diff: https://reviews.apache.org/r/72724/diff/2/
Changes: https://reviews.apache.org/r/72724/diff/1-2/
Testing
-------
Added Unit tests
Maven Build
mvn -pl agent-common install
```
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:04 min
[INFO] Finished at: 2020-07-24T12:57:45-07:00
[INFO] ------------------------------------------------------------------------
```
Testing on Hive Plugin
```
2020-07-30 22:32:05 DEBUG RangerAdminRESTClient:126 - [] ==> RangerAdminRESTClient.getServicePoliciesIfUpdated(49, 1596148295522)
2020-07-30 22:32:05 DEBUG RangerAdminRESTClient:162 - [] Checking Service policy if updated with old api call
2020-07-30 22:32:05 DEBUG RangerAdminRESTClient:174 - [] No change in policies. secureMode=false, user=jalpan@EC2.INTERNAL (auth:KERBEROS), response={"httpStatusCode":304,"statusCode":0}, serviceName=hivedev
2020-07-30 22:32:05 DEBUG RangerAdminRESTClient:198 - [] <== RangerAdminRESTClient.getServicePoliciesIfUpdated(49, 1596148295522): null
```
Plugin Configuration
```
<property>
<name>ranger.plugin.hive.policy.source.impl</name>
<value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
</property>
<property>
<name>ranger.plugin.hive.policyDownload.secureMode</name>
<value>false</value>
</property>
```
Thanks,
Jalpan Randeri