Posted to commits@ranger.apache.org by ga...@apache.org on 2016/04/28 17:04:46 UTC
incubator-ranger git commit: RANGER-957: Modify ranger kms to use
service identity to download policies from ranger admin
Repository: incubator-ranger
Updated Branches:
refs/heads/master 415ed4399 -> b056c4b77
RANGER-957: Modify ranger kms to use service identity to download policies from ranger admin
Signed-off-by: Gautam Borad <ga...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/b056c4b7
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/b056c4b7
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/b056c4b7
Branch: refs/heads/master
Commit: b056c4b77017c64b55d4083b332d464dbdd46825
Parents: 415ed43
Author: Ankita Sinha <an...@freestoneinfotech.com>
Authored: Thu Apr 28 12:27:06 2016 +0530
Committer: Gautam Borad <ga...@apache.org>
Committed: Thu Apr 28 20:34:33 2016 +0530
----------------------------------------------------------------------
.../admin/client/RangerAdminRESTClient.java | 9 +++-
.../plugin/client/HadoopConfigHolder.java | 7 +++
.../main/resources/resourcenamemap.properties | 2 +
kms/config/kms-webapp/dbks-site.xml | 13 ++++-
kms/pom.xml | 5 ++
kms/scripts/install.properties | 5 ++
kms/scripts/ranger-kms | 2 +-
kms/scripts/setup.sh | 42 +++++++++++++++
.../key/kms/server/KMSAuthenticationFilter.java | 2 +-
.../crypto/key/kms/server/KMSConfiguration.java | 2 +-
kms/src/main/webapp/WEB-INF/web.xml | 6 ---
.../kms/authorizer/RangerKmsAuthorizer.java | 53 ++++++++++--------
.../ranger/services/kms/client/KMSClient.java | 57 +++++++++++---------
.../services/kms/client/KMSConnectionMgr.java | 5 +-
.../services/kms/client/KMSResourceMgr.java | 7 +--
.../java/org/apache/ranger/biz/KmsKeyMgr.java | 32 +++++------
.../java/org/apache/ranger/biz/ServiceMgr.java | 2 +
.../main/resources/resourcenamemap.properties | 4 +-
src/main/assembly/kms.xml | 1 +
19 files changed, 176 insertions(+), 80 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
index afa347e..aaf1596 100644
--- a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
+++ b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
@@ -91,7 +91,9 @@ public class RangerAdminRESTClient implements RangerAdminClient {
ClientResponse response = null;
if (MiscUtil.getUGILoginUser() != null && UserGroupInformation.isSecurityEnabled()) {
- LOG.info("Checking Service policy if updated as user : " + MiscUtil.getUGILoginUser());
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("Checking Service policy if updated as user : " + MiscUtil.getUGILoginUser());
+ }
PrivilegedAction<ClientResponse> action = new PrivilegedAction<ClientResponse>() {
public ClientResponse run() {
WebResource secureWebResource = createWebResource(RangerRESTUtils.REST_URL_POLICY_GET_FOR_SECURE_SERVICE_IF_UPDATED + serviceName)
@@ -102,7 +104,10 @@ public class RangerAdminRESTClient implements RangerAdminClient {
};
response = MiscUtil.getUGILoginUser().doAs(action);
}else{
- WebResource webResource = createWebResource(RangerRESTUtils.REST_URL_POLICY_GET_FOR_SERVICE_IF_UPDATED + serviceName)
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("Checking Service policy if updated with old api call");
+ }
+ WebResource webResource = createWebResource(RangerRESTUtils.REST_URL_POLICY_GET_FOR_SERVICE_IF_UPDATED + serviceName)
.queryParam(RangerRESTUtils.REST_PARAM_LAST_KNOWN_POLICY_VERSION, Long.toString(lastKnownVersion))
.queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
response = webResource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class);
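Review bot: The else branch in this hunk is also reached when `UserGroupInformation.isSecurityEnabled()` is true but `MiscUtil.getUGILoginUser()` returns null (the condition in the first hunk), so a plugin whose Kerberos login never happened silently downgrades to the unauthenticated policy endpoint and the only trace is a debug line. Make that case visible before the debug message, e.g. `if (UserGroupInformation.isSecurityEnabled()) { LOG.warn("Security is enabled but no UGI login user is available; falling back to the non-secure policy download"); }`. The enclosing method starts before the first hunk and continues after this one.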
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java b/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java
index 1f3987f..8991872 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java
@@ -44,6 +44,7 @@ public class HadoopConfigHolder {
public static final String RANGER_LOOKUP_PRINCIPAL = "lookupprincipal";
public static final String RANGER_LOOKUP_KEYTAB = "lookupkeytab";
public static final String RANGER_NAME_RULES = "namerules";
+ public static final String RANGER_AUTH_TYPE = "authtype";
public static final String HADOOP_SECURITY_AUTHENTICATION = "hadoop.security.authentication";
public static final String HADOOP_NAME_RULES = "hadoop.security.auth_to_local";
public static final String HADOOP_SECURITY_AUTHENTICATION_METHOD = "kerberos";
@@ -66,6 +67,7 @@ public class HadoopConfigHolder {
private String lookupPrincipal;
private String lookupKeytab;
private String nameRules;
+ private String authType;
private Map<String,String> connectionProperties;
@@ -281,6 +283,7 @@ public class HadoopConfigHolder {
lookupPrincipal = prop.getProperty(RANGER_LOOKUP_PRINCIPAL);
lookupKeytab = prop.getProperty(RANGER_LOOKUP_KEYTAB);
nameRules = prop.getProperty(RANGER_NAME_RULES);
+ authType = prop.getProperty(RANGER_AUTH_TYPE, "simple");
String hadoopSecurityAuthenticationn = getHadoopSecurityAuthentication();
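Review bot: `authType = prop.getProperty(RANGER_AUTH_TYPE, "simple")` makes a missing `authtype` service config silently mean simple authentication, and nothing near the field or the constant says which values are accepted or who consumes them. A comment on the assignment would help the next maintainer: `// "simple" or "kerberos" (compared case-insensitively by KMSClient); absent means simple, so lookups presumably use the unauthenticated user.name path`. Because the same key is also written into the service's stored configs by ServiceMgr in this commit, decide whether the default belongs here or at the point the value is populated — that code is not visible from this hunk. The enclosing method starts before the hunk.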
@@ -406,6 +409,10 @@ public class HadoopConfigHolder {
public String getNameRules(){
return nameRules;
}
+
+ public String getAuthType(){
+ return authType;
+ }
public Set<String> getRangerInternalPropertyKeys() {
return rangerInternalPropertyKeys;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/agents-common/src/main/resources/resourcenamemap.properties
----------------------------------------------------------------------
diff --git a/agents-common/src/main/resources/resourcenamemap.properties b/agents-common/src/main/resources/resourcenamemap.properties
index 9bfaf61..72d78d2 100644
--- a/agents-common/src/main/resources/resourcenamemap.properties
+++ b/agents-common/src/main/resources/resourcenamemap.properties
@@ -26,6 +26,8 @@ keytabfile=xalogin.xml
password=xalogin.xml
lookupprincipal=xalogin.xml
lookupkeytab=xalogin.xml
+namerules=xalogin.xml
+authtype=xalogin.xml
hbase.master.kerberos.principal=hbase-site.xml
hbase.rpc.engine=hbase-site.xml
hbase.rpc.protection=hbase-site.xml
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/kms/config/kms-webapp/dbks-site.xml
----------------------------------------------------------------------
diff --git a/kms/config/kms-webapp/dbks-site.xml b/kms/config/kms-webapp/dbks-site.xml
index f649264..a82a72b 100755
--- a/kms/config/kms-webapp/dbks-site.xml
+++ b/kms/config/kms-webapp/dbks-site.xml
@@ -113,6 +113,17 @@
</description>
</property>
+ <!-- Ranger KMS Kerberos Config -->
+ <property>
+ <name>ranger.ks.kerberos.principal</name>
+ <value>rangerkms/_HOST@REALM</value>
+ </property>
+
+ <property>
+ <name>ranger.ks.kerberos.keytab</name>
+ <value></value>
+ </property>
+
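Review bot: The shipped value `rangerkms/_HOST@REALM` is a placeholder, and setup.sh in this commit only overwrites `ranger.ks.kerberos.principal` when `kms_principal` is non-empty, so a non-Kerberos install keeps a plausible-looking principal paired with an empty keytab and RangerKmsAuthorizer.authWithKerberos will try to resolve it. Ship the principal empty like the keytab, `<value></value>`, so "unset" can mean "no Kerberos login", and add `<description>` elements like the neighbouring properties carry (e.g. `Kerberos principal used by Ranger KMS to download policies from Ranger Admin; _HOST is replaced by the local canonical hostname`). Whether the authorizer actually treats an empty principal as disabled is outside this hunk.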
<!-- HSM Config -->
<property>
<name>ranger.ks.hsm.type</name>
@@ -142,6 +153,6 @@
<name>ranger.ks.hsm.partition.password.alias</name>
<value>ranger.kms.hsm.partition.password</value>
<description></description>
- </property>
+ </property>
</configuration>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/kms/pom.xml
----------------------------------------------------------------------
diff --git a/kms/pom.xml b/kms/pom.xml
index af2138a..a9f6c6c 100644
--- a/kms/pom.xml
+++ b/kms/pom.xml
@@ -436,6 +436,11 @@
<artifactId>hadoop-hdfs</artifactId>
<version>${hadoop.version}</version>
</dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger-plugins-common</artifactId>
+ <version>${project.version}</version>
+ </dependency>
</dependencies>
<build>
<pluginManagement>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/kms/scripts/install.properties
----------------------------------------------------------------------
diff --git a/kms/scripts/install.properties b/kms/scripts/install.properties
index fceae8f..da6e185 100755
--- a/kms/scripts/install.properties
+++ b/kms/scripts/install.properties
@@ -65,6 +65,11 @@ db_password=
#------------------------- RANGER KMS Master Key Crypt Key ------------------
KMS_MASTER_KEY_PASSWD=Str0ngPassw0rd
+#------------------------- Ranger KMS Kerberos Configuration ---------------------------
+kms_principal=
+kms_keytab=
+hadoop_conf=/etc/hadoop/conf
+
#------------------------- Ranger KMS HSM CONFIG ------------------------------
HSM_TYPE=LunaProvider
HSM_ENABLED=false
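Review bot: The three new properties are undocumented, and `kms_keytab` points at a credential whose permissions matter at least as much as the master key password above it. Add comments such as `# Kerberos principal of the Ranger KMS service, e.g. rangerkms/_HOST@REALM (leave empty for simple auth)`, `# Absolute path to the keytab for kms_principal; should be readable only by the KMS unix user`, and `# Directory containing core-site.xml; setup.sh symlinks it into the KMS conf dir`. With `hadoop_conf` defaulting to /etc/hadoop/conf, the "Property hadoop_conf not found" branch in setup.sh is only reached if a deployer blanks it, which the comment could say.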
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/kms/scripts/ranger-kms
----------------------------------------------------------------------
diff --git a/kms/scripts/ranger-kms b/kms/scripts/ranger-kms
index 74ecd05..0e29d7f 100755
--- a/kms/scripts/ranger-kms
+++ b/kms/scripts/ranger-kms
@@ -76,7 +76,7 @@ fi
KMS_CONF_DIR=${RANGER_KMS_EWS_DIR}/webapp/WEB-INF/classes/conf
-JAVA_OPTS="${JAVA_OPTS} -Dcatalina.base=${RANGER_KMS_EWS_DIR} -Dkms.config.dir=${KMS_CONF_DIR} -Dkms.log.dir=${TOMCAT_LOG_DIR} -cp ${RANGER_KMS_EWS_CONF_DIR}:${RANGER_KMS_EWS_LIB_DIR}/*:${RANGER_KMS_EWS_DIR}/webapp/lib/*:${JAVA_HOME}/lib/*:$CLASSPATH "
+JAVA_OPTS="${JAVA_OPTS} -Dcatalina.base=${RANGER_KMS_EWS_DIR} -Dkms.config.dir=${KMS_CONF_DIR} -Dkms.log.dir=${TOMCAT_LOG_DIR} -cp ${RANGER_KMS_EWS_CONF_DIR}:${RANGER_KMS_EWS_LIB_DIR}/*:${RANGER_KMS_EWS_DIR}/webapp/lib/*:${JAVA_HOME}/lib/*:${RANGER_HADOOP_CONF_DIR}/*:$CLASSPATH "
if [ "${action}" == "START" ]; then
echo "+ java -D${PROC_NAME} ${JAVA_OPTS} ${START_CLASS_NAME} ${KMS_CONFIG_FILENAME} "
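Review bot: `${RANGER_HADOOP_CONF_DIR}/*` as a classpath entry expands only to the .jar files in that directory (Java's classpath wildcard rule), so it does not make core-site.xml under the Hadoop conf dir visible as a resource; the directory itself has to be listed, `…:${RANGER_HADOOP_CONF_DIR}:$CLASSPATH`. It may appear to work only because setup.sh symlinks core-site.xml into `${KMS_CONF_DIR}`, which is presumably already on the classpath via `RANGER_KMS_EWS_CONF_DIR` — I cannot confirm that from this hunk. If the variable is unset (the env file that exports it is written by setup.sh, and nothing in this hunk sources it) the entry degrades to `/*`, so guard it with `${RANGER_HADOOP_CONF_DIR:+:${RANGER_HADOOP_CONF_DIR}}` or source `ranger-kms-env-hadoopconfdir.sh` first.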
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/kms/scripts/setup.sh
----------------------------------------------------------------------
diff --git a/kms/scripts/setup.sh b/kms/scripts/setup.sh
index 6019526..031c4f3 100755
--- a/kms/scripts/setup.sh
+++ b/kms/scripts/setup.sh
@@ -89,6 +89,10 @@ HSM_ENABLED=$(get_prop 'HSM_ENABLED' $PROPFILE)
HSM_PARTITION_NAME=$(get_prop 'HSM_PARTITION_NAME' $PROPFILE)
HSM_PARTITION_PASSWORD=$(get_prop 'HSM_PARTITION_PASSWORD' $PROPFILE)
+kms_principal=$(get_prop 'kms_principal' $PROPFILE)
+kms_keytab=$(get_prop 'kms_keytab' $PROPFILE)
+hadoop_conf=$(get_prop 'hadoop_conf' $PROPFILE)
+
DB_HOST="${db_host}"
check_ret_status(){
@@ -589,6 +593,22 @@ update_properties() {
newPropertyValue="${KMS_BLACKLIST_DECRYPT_EEK}"
updatePropertyToFilePy $propertyName $newPropertyValue $to_file
+ ########### KERBEROS CONFIG ############
+
+ if [ "${kms_principal}" != "" ]
+ then
+ propertyName=ranger.ks.kerberos.principal
+ newPropertyValue="${kms_principal}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file
+ fi
+
+ if [ "${kms_keytab}" != "" ]
+ then
+ propertyName=ranger.ks.kerberos.keytab
+ newPropertyValue="${kms_keytab}"
+ updatePropertyToFilePy $propertyName $newPropertyValue $to_file
+ fi
+
########### HSM CONFIG #################
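Review bot: The keytab path is written into dbks-site.xml without any existence or readability check, and a principal without a keytab (or the reverse) is accepted silently, which is the misconfiguration most likely to surface only as a failed Kerberos login at KMS startup. Validate the pair before writing, e.g. `if [ -n "${kms_principal}" ] && [ ! -r "${kms_keytab}" ]; then log "[E] kms_keytab '${kms_keytab}' not found or unreadable"; exit 1; fi`. The calls `updatePropertyToFilePy $propertyName $newPropertyValue $to_file` pass the values unquoted, so a path containing whitespace is split into separate arguments. The enclosing update_properties function starts and ends outside this hunk.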
@@ -659,6 +679,28 @@ setup_install_files(){
chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/lib
fi
+ echo "export RANGER_HADOOP_CONF_DIR=${hadoop_conf}" > ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-kms-env-hadoopconfdir.sh
+ chmod a+rx ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-kms-env-hadoopconfdir.sh
+
+ hadoop_conf_file=${hadoop_conf}/core-site.xml
+ ranger_hadoop_conf_file=${WEBAPP_ROOT}/WEB-INF/classes/conf/core-site.xml
+
+ if [ -d ${WEBAPP_ROOT}/WEB-INF/classes/conf ]; then
+ chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/conf
+ if [ "${hadoop_conf}" == "" ]
+ then
+ log "[WARN] Property hadoop_conf not found. Creating blank core-site.xml."
+ echo "<configuration></configuration>" > ${WEBAPP_ROOT}/WEB-INF/classes/conf/core-site.xml
+ else
+ if [ -f ${hadoop_conf_file} ]; then
+ ln -sf ${hadoop_conf_file} ${WEBAPP_ROOT}/WEB-INF/classes/conf/core-site.xml
+ else
+ log "[WARN] core-site.xml file not found in provided hadoop_conf path. Creating blank core-site.xml"
+ echo "<configuration></configuration>" > ${WEBAPP_ROOT}/WEB-INF/classes/conf/core-site.xml
+ fi
+ fi
+ fi
+
if [ -d /etc/init.d ]; then
log "[I] Setting up init.d"
cp ${INSTALL_DIR}/${RANGER_KMS}-initd /etc/init.d/${RANGER_KMS}
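Review bot: The path tests and the link use unquoted expansions (`[ -f ${hadoop_conf_file} ]`, `ln -sf ${hadoop_conf_file} …`), so a `hadoop_conf` value with whitespace breaks them, and `-f` only shows that the installer can see core-site.xml, not that `${unix_user}` will be able to read the symlink target at runtime. Quote the variables and test readability: `if [ -r "${hadoop_conf_file}" ]; then ln -sf "${hadoop_conf_file}" "${ranger_hadoop_conf_file}"`. `ranger_hadoop_conf_file` is assigned and then never used; the literal `${WEBAPP_ROOT}/WEB-INF/classes/conf/core-site.xml` is repeated three times instead. The function setup_install_files starts before this hunk.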
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java
index 79652f3..ada9a56 100644
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java
@@ -63,7 +63,7 @@ public class KMSAuthenticationFilter
props.setProperty(name, value);
}
}
- String authType = props.getProperty(AUTH_TYPE);
+ String authType = props.getProperty(AUTH_TYPE,"simple");
if (authType.equals(PseudoAuthenticationHandler.TYPE)) {
props.setProperty(AUTH_TYPE,
PseudoDelegationTokenAuthenticationHandler.class.getName());
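Review bot: Defaulting `AUTH_TYPE` to `"simple"` turns a missing `hadoop.kms.authentication.type` from a startup failure (NPE on `authType.equals`) into a KMS that silently accepts whatever `user.name` a caller supplies — fail-open is the wrong direction for an authentication filter. If the default is needed for non-secure installs, make it visible and bounded: `if (!props.containsKey(AUTH_TYPE)) { LOG.warn(AUTH_TYPE + " not set; defaulting to simple (pseudo) authentication"); }` before the lookup, and consider refusing the default when `hadoop.security.authentication` is kerberos. Whether this class has a logger, and the rest of the enclosing method, are outside the hunk.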
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java
----------------------------------------------------------------------
diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java
index f4f9d3e..ac2b5d2 100755
--- a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java
+++ b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java
@@ -104,7 +104,7 @@ public class KMSConfiguration {
}
public static Configuration getACLsConf() {
- return getConfiguration(false, KMS_ACLS_XML);
+ return getConfiguration(true, KMS_ACLS_XML);
}
public static boolean isACLsFileNewer(long time) {
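Review bot: The flipped boolean in `getACLsConf()` carries no comment, and a reader cannot tell from this hunk what `true` selects or why the ACL configuration now needs it. If the first argument is a load-Hadoop-defaults flag, which the core-site.xml wiring elsewhere in this commit suggests but does not prove, record it: `// true: also load Hadoop defaults (core-site.xml) so the authorizer can read hadoop.security.auth_to_local and the Kerberos settings`. Confirm the meaning against getConfiguration, which is outside this hunk.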
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/kms/src/main/webapp/WEB-INF/web.xml
----------------------------------------------------------------------
diff --git a/kms/src/main/webapp/WEB-INF/web.xml b/kms/src/main/webapp/WEB-INF/web.xml
index 6aef672..815e2bd 100644
--- a/kms/src/main/webapp/WEB-INF/web.xml
+++ b/kms/src/main/webapp/WEB-INF/web.xml
@@ -33,12 +33,6 @@
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
-
- <!-- <servlet>
- <servlet-name>RangerKMSStartUp</servlet-name>
- <servlet-class>org.apache.ranger.kms.biz.RangerKMSStartUp</servlet-class>
- <load-on-startup>2</load-on-startup>
- </servlet> -->
<servlet>
<servlet-name>jmx-servlet</servlet-name>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
----------------------------------------------------------------------
diff --git a/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java b/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
index 34ac4b9..75e25c2 100755
--- a/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java
@@ -19,13 +19,14 @@
package org.apache.ranger.authorization.kms.authorizer;
+import java.io.IOException;
+import java.net.UnknownHostException;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
-
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.key.kms.server.KMSACLsType;
import org.apache.hadoop.crypto.key.kms.server.KMSConfiguration;
@@ -35,6 +36,7 @@ import org.apache.hadoop.crypto.key.kms.server.KMSACLsType.Type;
import org.apache.hadoop.crypto.key.kms.server.KeyAuthorizationKeyProvider.KeyACLs;
import org.apache.hadoop.crypto.key.kms.server.KeyAuthorizationKeyProvider.KeyOpType;
import org.apache.hadoop.security.AccessControlException;
+import org.apache.hadoop.security.SecureClientLogin;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.security.authorize.AuthorizationException;
@@ -52,6 +54,11 @@ import com.google.common.collect.Sets;
public class RangerKmsAuthorizer implements Runnable, KeyACLs {
private static final Logger LOG = LoggerFactory.getLogger(RangerKmsAuthorizer.class);
+ private static final String KMS_USER_PRINCIPAL = "ranger.ks.kerberos.principal";
+ private static final String KMS_USER_KEYTAB = "ranger.ks.kerberos.keytab";
+
+ private static final String KMS_NAME_RULES = "hadoop.security.auth_to_local";
+
private static final String UNAUTHORIZED_MSG_WITH_KEY =
"User:%s not allowed to do '%s' on '%s'";
@@ -93,37 +100,39 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs {
*/
public static final String KEYTAB = TYPE + ".keytab";
- /**
- * Constant for the configuration property that indicates the Kerberos name
- * rules for the Kerberos principals.
- */
- public static final String NAME_RULES = TYPE + ".name.rules";
-
RangerKmsAuthorizer(Configuration conf) {
LOG.info("RangerKmsAuthorizer(conf)...");
- authWithKerberos();
if (conf == null) {
conf = loadACLs();
}
+ authWithKerberos(conf);
setKMSACLs(conf);
init(conf);
-
}
- /**
- *
- */
- private void authWithKerberos() {
- //Let's if we can create the login user UGI
- Configuration kconf = new Configuration();
- kconf.addResource("kms-site.xml");
- String keytab = kconf.get("hadoop.kms.authentication.kerberos.keytab");
- String principal = kconf.get("hadoop.kms.authentication.kerberos.principal");
- String nameRules = kconf.get(NAME_RULES);
- MiscUtil.authWithKerberos(keytab, principal, nameRules);
- }
+ private void authWithKerberos(Configuration conf) {
+ String localHostName = null;
+ try {
+ localHostName = java.net.InetAddress.getLocalHost().getCanonicalHostName();
+ } catch (UnknownHostException e1) {
+ LOG.warn("Error getting local host name : "+e1.getMessage());
+ }
+
+ String principal = null;
+ try {
+ principal = SecureClientLogin.getPrincipal(conf.get(KMS_USER_PRINCIPAL), localHostName);
+ } catch (IOException e1) {
+ LOG.warn("Error getting "+KMS_USER_PRINCIPAL+" : "+e1.getMessage());
+ }
+ String keytab = conf.get(KMS_USER_KEYTAB);
+ String nameRules = conf.get(KMS_NAME_RULES);
+ if(LOG.isDebugEnabled()){
+ LOG.debug("Ranger KMS Principal : "+principal+", Keytab : "+keytab+", NameRule : "+nameRules);
+ }
+ MiscUtil.authWithKerberos(keytab, principal, nameRules);
+ }
- public RangerKmsAuthorizer() {
+ public RangerKmsAuthorizer() {
this(null);
}
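Review bot: `authWithKerberos(Configuration)` degrades every failure to a warning: if `SecureClientLogin.getPrincipal` throws, `principal` stays null and `MiscUtil.authWithKerberos(keytab, null, nameRules)` is still called, so a KMS configured to use a Kerberos service identity can come up without one and then take the plugin's non-secure policy download path. When `conf.get(KMS_USER_PRINCIPAL)` is non-empty, treat resolution failure as fatal, e.g. `throw new IllegalStateException("Unable to resolve " + KMS_USER_PRINCIPAL, e1);` in place of the `LOG.warn`. The properties are read from the `conf` handed in (or from `loadACLs()`), while this commit places them in dbks-site.xml — I cannot see from here whether that file is among the loaded resources. Removing the public `NAME_RULES` constant is an API change for any external caller that referenced it.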
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
----------------------------------------------------------------------
diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
index 6a79433..271392b 100755
--- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
@@ -62,6 +62,8 @@ public class KMSClient {
private static final String errMessage = " You can still save the repository and start creating "
+ "policies, but you would not be able to use autocomplete for "
+ "resource names. Check xa_portal.log for more info.";
+
+ private static final String AUTH_TYPE_KERBEROS = "kerberos";
String provider;
String username;
@@ -69,14 +71,16 @@ public class KMSClient {
String lookupPrincipal;
String lookupKeytab;
String nameRules;
+ String authType;
- public KMSClient(String provider, String username, String password, String lookupPrincipal, String lookupKeytab, String nameRules) {
+ public KMSClient(String provider, String username, String password, String lookupPrincipal, String lookupKeytab, String nameRules, String authType) {
this.provider = provider;
this.username = username;
this.password = password;
this.lookupPrincipal = lookupPrincipal;
this.lookupKeytab = lookupKeytab;
this.nameRules = nameRules;
+ this.authType = authType;
if (LOG.isDebugEnabled()) {
LOG.debug("Kms Client is build with url [" + provider + "] user: ["
@@ -155,46 +159,48 @@ public class KMSClient {
String uri = providers[i] + (providers[i].endsWith("/") ? KMS_LIST_API_ENDPOINT : ("/" + KMS_LIST_API_ENDPOINT));
Client client = null;
ClientResponse response = null;
- boolean isKerberose = false;
+ boolean isKerberos = false;
try {
ClientConfig cc = new DefaultClientConfig();
cc.getProperties().put(ClientConfig.PROPERTY_FOLLOW_REDIRECTS, true);
client = Client.create(cc);
-
- if(username.contains("@")){
- isKerberose = true;
+
+ if(authType != null && authType.equalsIgnoreCase(AUTH_TYPE_KERBEROS)){
+ isKerberos = true;
}
- if(!isKerberose){
+ Subject sub = new Subject();
+ if(!isKerberos){
uri = uri.concat("?user.name="+username);
WebResource webResource = client.resource(uri);
response = webResource.accept(EXPECTED_MIME_TYPE).get(ClientResponse.class);
- }else{
- String shortName = new HadoopKerberosName(username).getShortName();
- uri = uri.concat("?doAs="+shortName);
- Subject sub = new Subject();
- if(!StringUtils.isEmpty(lookupPrincipal) && !StringUtils.isEmpty(lookupKeytab) && lookupPrincipal.contains("@")){
+ LOG.info("Init Login: security not enabled, using username");
+ sub = SecureClientLogin.login(username);
+ }else{
+ if(!StringUtils.isEmpty(lookupPrincipal) && !StringUtils.isEmpty(lookupKeytab)){
+ LOG.info("Init Lookup Login: security enabled, using lookupPrincipal/lookupKeytab");
if(StringUtils.isEmpty(nameRules)){
nameRules = "DEFAULT";
}
- LOG.info("Init Lookup Login: security enabled, using lookupPrincipal/lookupKeytab");
+ String shortName = new HadoopKerberosName(lookupPrincipal).getShortName();
+ uri = uri.concat("?doAs="+shortName);
sub = SecureClientLogin.loginUserFromKeytab(lookupPrincipal, lookupKeytab, nameRules);
}
- else if (username.contains("@")) {
+ else{
LOG.info("Init Login: using username/password");
+ String shortName = new HadoopKerberosName(username).getShortName();
+ uri = uri.concat("?doAs="+shortName);
sub = SecureClientLogin.loginUserWithPassword(username, password);
- } else {
- LOG.info("Init Login: security not enabled, using username");
- sub = SecureClientLogin.login(username);
- }
- final WebResource webResource = client.resource(uri);
- response = Subject.doAs(sub, new PrivilegedAction<ClientResponse>() {
- @Override
- public ClientResponse run() {
- return webResource.accept(EXPECTED_MIME_TYPE).get(ClientResponse.class);
- }
- });
+ }
}
+ final WebResource webResource = client.resource(uri);
+ response = Subject.doAs(sub, new PrivilegedAction<ClientResponse>() {
+ @Override
+ public ClientResponse run() {
+ return webResource.accept(EXPECTED_MIME_TYPE).get(ClientResponse.class);
+ }
+ });
+
if (LOG.isDebugEnabled()) {
LOG.debug("getKeyList():calling " + uri);
}
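Review bot: In the non-Kerberos branch the request is now issued twice: `response = webResource.accept(EXPECTED_MIME_TYPE).get(ClientResponse.class);` runs inside `if(!isKerberos)`, and the same `uri` is fetched again by the `Subject.doAs` call after the if/else, overwriting `response`. Delete `WebResource webResource = client.resource(uri);` and the `.get(ClientResponse.class)` line inside the simple branch so both paths go through the single doAs request. `username` is still concatenated raw into the query string at `uri.concat("?user.name="+username)`; `URLEncoder.encode(username, "UTF-8")` would be safer for names containing `@` or `&`. getKeyList starts before and ends after this hunk.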
@@ -345,8 +351,9 @@ public class KMSClient {
String lookupPrincipal = configs.get("lookupprincipal");
String lookupKeytab = configs.get("lookupkeytab");
String nameRules = configs.get("namerules");
+ String authType = configs.get("authtype");
- kmsClient = new KMSClient(kmsUrl, kmsUserName, kmsPassWord, lookupPrincipal, lookupKeytab, nameRules);
+ kmsClient = new KMSClient(kmsUrl, kmsUserName, kmsPassWord, lookupPrincipal, lookupKeytab, nameRules, authType);
}
return kmsClient;
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSConnectionMgr.java
----------------------------------------------------------------------
diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSConnectionMgr.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSConnectionMgr.java
index 5e96a1c..c247a44 100755
--- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSConnectionMgr.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSConnectionMgr.java
@@ -27,7 +27,7 @@ public class KMSConnectionMgr {
public static final Logger LOG = Logger.getLogger(KMSConnectionMgr.class);
- public static KMSClient getKMSClient(final String kmsURL, String userName, String password, String lookupPrincipal, String lookupKeytab, String nameRules) {
+ public static KMSClient getKMSClient(final String kmsURL, String userName, String password, String lookupPrincipal, String lookupKeytab, String nameRules, String authType) {
KMSClient kmsClient = null;
if (kmsURL == null || kmsURL.isEmpty()) {
LOG.error("Can not create KMSClient: kmsURL is empty");
@@ -37,8 +37,9 @@ public class KMSConnectionMgr {
} else if (password == null || password.isEmpty()) {
LOG.error("Can not create KMSClient: kmsPassWord is empty");
}
+ kmsClient = new KMSClient(kmsURL, userName, password, lookupPrincipal, lookupKeytab, nameRules, authType);
} else {
- kmsClient = new KMSClient(kmsURL, userName, password, lookupPrincipal, lookupKeytab, nameRules);
+ kmsClient = new KMSClient(kmsURL, userName, password, lookupPrincipal, lookupKeytab, nameRules, authType);
}
return kmsClient;
}
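Review bot: The added `kmsClient = new KMSClient(...)` at the end of the first branch runs even after one of the `LOG.error("Can not create KMSClient: ...")` messages fired, so an empty URL, user name or password now yields both an error saying the client cannot be created and a client anyway. Either return after logging (`return null;` in each error branch, matching what the messages claim) or move the construction into a final `else` of that chain. The condition of the enclosing `if` is above the hunk, so I cannot tell which branch the Kerberos case takes.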
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSResourceMgr.java
----------------------------------------------------------------------
diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSResourceMgr.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSResourceMgr.java
index 6b96515..aa4c65a 100755
--- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSResourceMgr.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSResourceMgr.java
@@ -75,14 +75,15 @@ public class KMSResourceMgr {
String lookupPrincipal = configs.get("lookupprincipal");
String lookupKeytab = configs.get("lookupkeytab");
String nameRules = configs.get("namerules");
- resultList = getKMSResource(url, username, password, lookupPrincipal, lookupKeytab, nameRules, kmsKeyName,kmsKeyList) ;
+ String authType = configs.get("authtype");
+ resultList = getKMSResource(url, username, password, lookupPrincipal, lookupKeytab, nameRules, authType, kmsKeyName,kmsKeyList) ;
}
return resultList ;
}
- public static List<String> getKMSResource(String url, String username, String password, String lookupPrincipal, String lookupKeytab, String nameRules, String kmsKeyName, List<String> kmsKeyList) {
+ public static List<String> getKMSResource(String url, String username, String password, String lookupPrincipal, String lookupKeytab, String nameRules, String authType, String kmsKeyName, List<String> kmsKeyList) {
List<String> topologyList = null;
- final KMSClient KMSClient = KMSConnectionMgr.getKMSClient(url, username, password, lookupPrincipal, lookupKeytab, nameRules);
+ final KMSClient KMSClient = KMSConnectionMgr.getKMSClient(url, username, password, lookupPrincipal, lookupKeytab, nameRules, authType);
synchronized(KMSClient){
topologyList = KMSClient.getKeyList(kmsKeyName, kmsKeyList);
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
index 82dc190..2f77e2d 100755
--- a/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
@@ -89,7 +89,9 @@ public class KmsKeyMgr {
private static Map<String, String> providerList = new HashMap<String, String>();
private static int nextProvider = 0;
static final String NAME_RULES = "hadoop.security.auth_to_local";
-
+ static final String RANGER_AUTH_TYPE = "hadoop.security.authentication";
+ private static final String KERBEROS_TYPE = "kerberos";
+
@Autowired
ServiceDBStore svcStore;
@@ -116,7 +118,7 @@ public class KmsKeyMgr {
String connProvider = null;
boolean isKerberos=false;
try {
- isKerberos = checkKerberos(repoName);
+ isKerberos = checkKerberos();
} catch (Exception e1) {
logger.error("checkKerberos(" + repoName + ") failed", e1);
}
@@ -212,7 +214,7 @@ public class KmsKeyMgr {
VXKmsKey ret = null;
boolean isKerberos=false;
try {
- isKerberos = checkKerberos(provider);
+ isKerberos = checkKerberos();
} catch (Exception e1) {
logger.error("checkKerberos(" + provider + ") failed", e1);
}
@@ -264,7 +266,7 @@ public class KmsKeyMgr {
}
boolean isKerberos=false;
try {
- isKerberos = checkKerberos(provider);
+ isKerberos = checkKerberos();
} catch (Exception e1) {
logger.error("checkKerberos(" + provider + ") failed", e1);
}
@@ -314,7 +316,7 @@ public class KmsKeyMgr {
VXKmsKey ret = null;
boolean isKerberos=false;
try {
- isKerberos = checkKerberos(provider);
+ isKerberos = checkKerberos();
} catch (Exception e1) {
logger.error("checkKerberos(" + provider + ") failed", e1);
}
@@ -365,7 +367,7 @@ public class KmsKeyMgr {
}
boolean isKerberos=false;
try {
- isKerberos = checkKerberos(provider);
+ isKerberos = checkKerberos();
} catch (Exception e1) {
logger.error("checkKerberos(" + provider + ") failed", e1);
}
@@ -526,17 +528,17 @@ public class KmsKeyMgr {
}
private Subject getSubjectForKerberos(String provider) throws Exception{
- String userName = getKMSUserName(provider);
- String password = getKMSPassword(provider);
- String nameRules = PropertiesUtil.getProperty(NAME_RULES);
+ String userName = getKMSUserName(provider);
+ String password = getKMSPassword(provider);
+ String nameRules = PropertiesUtil.getProperty(NAME_RULES);
if (StringUtils.isEmpty(nameRules)) {
KerberosName.setRules("DEFAULT") ;
}else{
KerberosName.setRules(nameRules);
}
Subject sub = new Subject();
- if (userName.contains("@")) {
- sub = SecureClientLogin.loginUserWithPassword(userName, password);
+ if (checkKerberos()) {
+ sub = SecureClientLogin.loginUserWithPassword(userName, password);
} else {
sub = SecureClientLogin.login(userName);
}
@@ -557,12 +559,12 @@ public class KmsKeyMgr {
return rangerService.getConfigs().get(KMS_USERNAME);
}
- private boolean checkKerberos(String provider) throws Exception {
- String userName = getKMSUserName(provider);
- if(userName.contains("@")){
+ private boolean checkKerberos() throws Exception {
+ if(PropertiesUtil.getProperty(RANGER_AUTH_TYPE, "simple").equalsIgnoreCase(KERBEROS_TYPE)){
return true;
+ }else{
+ return false;
}
- return false;
}
private synchronized Client getClient() {
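Review bot: `checkKerberos()` now answers from Ranger Admin's own `hadoop.security.authentication` property, while the lookup path in this same commit decides per service from the `authtype` config stored on the KMS service; the two can disagree on an admin that is not kerberized but manages a kerberized KMS, and the callers' `checkKerberos(provider) failed` log lines still imply a per-provider check. If the global property is the intent, say so in a comment and reduce the method to `return KERBEROS_TYPE.equalsIgnoreCase(PropertiesUtil.getProperty(RANGER_AUTH_TYPE, "simple"));`, dropping `throws Exception`, which nothing in the body can now raise.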
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java
index e0f22d2..b837a68 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java
@@ -91,6 +91,7 @@ public class ServiceMgr {
service.getConfigs().put(HadoopConfigHolder.RANGER_LOOKUP_PRINCIPAL, lookupPrincipal);
service.getConfigs().put(HadoopConfigHolder.RANGER_LOOKUP_KEYTAB, lookupKeytab);
service.getConfigs().put(HadoopConfigHolder.RANGER_NAME_RULES, nameRules);
+ service.getConfigs().put(HadoopConfigHolder.RANGER_AUTH_TYPE, authType);
}
}
@@ -133,6 +134,7 @@ public class ServiceMgr {
service.getConfigs().put(HadoopConfigHolder.RANGER_LOOKUP_PRINCIPAL, lookupPrincipal);
service.getConfigs().put(HadoopConfigHolder.RANGER_LOOKUP_KEYTAB, lookupKeytab);
service.getConfigs().put(HadoopConfigHolder.RANGER_NAME_RULES, nameRules);
+ service.getConfigs().put(HadoopConfigHolder.RANGER_AUTH_TYPE, authType);
}
}
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/security-admin/src/main/resources/resourcenamemap.properties
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/resourcenamemap.properties b/security-admin/src/main/resources/resourcenamemap.properties
index 16bf704..e4a2edf 100644
--- a/security-admin/src/main/resources/resourcenamemap.properties
+++ b/security-admin/src/main/resources/resourcenamemap.properties
@@ -17,4 +17,6 @@ username=xalogin.xml
keytabfile=xalogin.xml
password=xalogin.xml
lookupprincipal=xalogin.xml
-lookupkeytab=xalogin.xml
\ No newline at end of file
+lookupkeytab=xalogin.xml
+namerules=xalogin.xml
+authtype=xalogin.xml
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/src/main/assembly/kms.xml
----------------------------------------------------------------------
diff --git a/src/main/assembly/kms.xml b/src/main/assembly/kms.xml
index 44276cc..41a2754 100755
--- a/src/main/assembly/kms.xml
+++ b/src/main/assembly/kms.xml
@@ -104,6 +104,7 @@
<include>com.google.protobuf:protobuf-java:jar:${protobuf-java.version}</include>
<include>org.apache.hadoop:hadoop-hdfs:jar:${hadoop.version}</include>
<include>org.apache.htrace:htrace-core:jar:${htrace-core.version}</include>
+ <include>org.apache.ranger:ranger-plugins-common</include>
</includes>
</dependencySet>
</dependencySets>