Posted to issues@hawq.apache.org by interma <gi...@git.apache.org> on 2017/06/13 04:52:13 UTC

[GitHub] incubator-hawq pull request #1253: Use user/password jdbc method in Ranger l...

GitHub user interma opened a pull request:

    https://github.com/apache/incubator-hawq/pull/1253

    Use user/password jdbc method in Ranger lookup for HAWQ with Kerberos enabled.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/interma/interma-hawq hawq-1485

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/incubator-hawq/pull/1253.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1253
    
----
commit 6810f9e7cf6ab01b70d2a6b37038f65955496853
Author: interma <in...@outlook.com>
Date:   2017-06-13T04:09:40Z

    Use user/password jdbc method in Ranger lookup for HAWQ with Kerberos enabled.

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-hawq issue #1253: HAWQ-1485. Use user/password instead of credenti...

Posted by interma <gi...@git.apache.org>.
GitHub user interma commented on the issue:

    https://github.com/apache/incubator-hawq/pull/1253
  
    @linwen @stanlyxiang @zhangh43 help to review, thanks!



[GitHub] incubator-hawq pull request #1253: HAWQ-1485. Use user/password instead of c...

Posted by interma <gi...@git.apache.org>.
GitHub user interma closed the pull request at:

    https://github.com/apache/incubator-hawq/pull/1253



[GitHub] incubator-hawq pull request #1253: HAWQ-1485. Use user/password instead of c...

Posted by interma <gi...@git.apache.org>.
GitHub user interma commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq/pull/1253#discussion_r121583655
  
    --- Diff: ranger-plugin/admin-plugin/src/main/java/org/apache/hawq/ranger/service/RangerServiceHawq.java ---
    @@ -25,41 +25,48 @@
     import org.apache.commons.logging.Log;
     import org.apache.commons.logging.LogFactory;
     import org.apache.ranger.plugin.service.ResourceLookupContext;
    +import org.apache.ranger.plugin.util.PasswordUtils;
     
     import java.util.*;
    +import java.io.IOException;
     
     public class RangerServiceHawq extends RangerBaseService {
     
         private static final Log LOG = LogFactory.getLog(RangerServiceHawq.class);
     
         public RangerServiceHawq() {
    -		super();
    -	}
    -	
    -	@Override
    -	public void init(RangerServiceDef serviceDef, RangerService service) {
    -		super.init(serviceDef, service);
    -	}
    -	
    +        super();
    +    }
    +
    +    @Override
    +    public void init(RangerServiceDef serviceDef, RangerService service) {
    +        super.init(serviceDef, service);
    +    }
    +
         @Override
         public HashMap<String, Object> validateConfig() throws Exception {
             boolean isDebugEnabled = LOG.isDebugEnabled();
     
    -        if(isDebugEnabled) {
    +        if (isDebugEnabled) {
                 LOG.debug("==> RangerServiceHawq.validateConfig Service: (hawq)");
             }
     
             HashMap<String, Object> result = new HashMap<>();
    -        String 	serviceName = getServiceName();
             if (configs != null) {
    -            try  {
    -                HawqClient hawqClient = new HawqClient(serviceName, configs);
    -                result = hawqClient.checkConnection(configs);
    -                hawqClient.close();
    -            } catch (HadoopException e) {
    -                LOG.error("<== RangerServiceHawq.validateConfig Error:" + e);
    -                throw e;
    +            boolean retry = false;
    +
    +            // try normal password (user input in webform)
    +            result = check_connection(configs);
    +            if (!(boolean)(result.get("connectivityStatus"))) {
    +                retry = true;
    +            }
    +
    +            if (retry) {
    +                // try decrypt password
    +                decrypt_password(configs);
    +                result = check_connection(configs);
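
Review bot: the unboxing cast in `if (!(boolean)(result.get("connectivityStatus")))` throws a NullPointerException when check_connection() returns a map without that key, and the retry runs after any failure, not only an authentication failure, so an unreachable host or a mistyped new password is followed by a second connection attempt using whatever decrypt_password() produces from the plain input. Suggest `Boolean.TRUE.equals(result.get("connectivityStatus"))` for the check, dropping the `retry` flag since it only mirrors that condition, and having decrypt_password() work on a copy of `configs` rather than rewriting the caller's map in place. The helper names would also read better in Java camelCase (checkConnection, decryptPassword), and the two-attempt behaviour deserves a comment in the method explaining why it exists.
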
    --- End diff --
    
    Explaining why check_connection() is tried twice in this validateConfig():
    
    validateConfig() is called by the Ranger UI "test connection" button, and the password stored in the Ranger DB is encrypted (I have tested).
    
    There are two situations when the user clicks the "test connection" button:
    1. The user has already input a new password, and the password is plain (not encrypted).
    2. The user didn't change anything and just clicked the button, but the password is encrypted (fetched directly from the Ranger DB).
    
    Since there is no way to identify these two situations, we just try twice:
    the plain password and the decrypted password; the connection test succeeds if one of them passes.



[GitHub] incubator-hawq issue #1253: HAWQ-1485. Use user/password instead of credenti...

Posted by zhangh43 <gi...@git.apache.org>.
GitHub user zhangh43 commented on the issue:

    https://github.com/apache/incubator-hawq/pull/1253
  
    +1



[GitHub] incubator-hawq pull request #1253: HAWQ-1485. Use user/password instead of c...

Posted by interma <gi...@git.apache.org>.
GitHub user interma commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq/pull/1253#discussion_r121583805
  
    --- Diff: ranger-plugin/admin-plugin/src/main/java/org/apache/hawq/ranger/service/HawqClient.java ---
    @@ -91,125 +88,42 @@
         }
     
         public HawqClient(String serviceName, Map<String, String> connectionProperties) throws Exception {
    -        super(serviceName,connectionProperties);
    +        super(serviceName, connectionProperties);
             this.connectionProperties = connectionProperties;
    -        initHawq();
         }
    -    
    -    public void initHawq() throws Exception {
    -    	if(connectionProperties.containsKey(AUTHENTICATION)) {
    -    		isKerberosAuth = connectionProperties.get(AUTHENTICATION).equals(KERBEROS);
    -    	}
    -		if (isKerberosAuth) {
    -			LOG.info("Secured Mode: JDBC Connection done with preAuthenticated Subject");
    -			
    -			// do kinit in hawqclient by principal name and password
    -			final String userName = getConfigHolder().getUserName();
    -			final String password = getConfigHolder().getPassword();
    -			
    -			String[] kinitcmd ={
    -				"/bin/sh",
    -				"-c",
    -				"echo '"+password+"' | kinit " + userName
    -			};
    -			java.lang.Runtime rt = java.lang.Runtime.getRuntime();
    -			if (LOG.isDebugEnabled()) {
    -				LOG.debug("kinit command: "+"echo '"+password+"' | kinit " + userName);
    -			}
    -			java.lang.Process p = rt.exec(kinitcmd);
    -			
    -			Subject.doAs(getLoginSubject(), new PrivilegedExceptionAction<Void>(){
    -				public Void run() throws Exception {
    -					final String lookupPricipalName = getConfigHolder().getUserName();
    -					final String serverprincipal = connectionProperties.get("principal");
    -					initConnectionKerberos(serverprincipal, lookupPricipalName);
    -					return null;
    -			}});
    -		}
    -		else {
    -			LOG.info("Trying to use UnSecure client with username "+ getConfigHolder().getUserName() +" and password");
    -			final String userName = getConfigHolder().getUserName();
    -			final String password = getConfigHolder().getPassword();
    -			initConnection(userName, password);
    -		}
    -	}
    -
    -    private void initConnectionKerberos(String serverPricipal, String userPrincipal) throws SQLException{
    -	    try {
    -	    		String url = String.format("jdbc:postgresql://%s:%s/%s?kerberosServerName=%s&jaasApplicationName=pgjdbc&user=%s", 
    -	    				connectionProperties.get("hostname"), 
    -	    				connectionProperties.get("port"), DEFAULT_DATABASE, 
    -	    				serverPricipal, userPrincipal
    -	    				);
    -	    		if (LOG.isDebugEnabled()) {
    -	    			LOG.debug("InitConnectionKerberos "+ url);
    -	    		}
    -	    		con = DriverManager.getConnection(url); 
    -	    		jdbc_url_template = String.format("jdbc:postgresql://%s:%s/%s?kerberosServerName=%s&jaasApplicationName=pgjdbc&user=%s", 
    -	    				connectionProperties.get("hostname"), 
    -	    				connectionProperties.get("port"), DEFAULT_DATABASE_TEMPLATE, 
    -	    				serverPricipal, userPrincipal
    -	    				);
    -	    } catch (SQLException e) {
    -	      e.printStackTrace();
    -          LOG.error("Unable to Connect to Hawq", e);
    -          throw e;
    -	    } catch (SecurityException se) {
    -			se.printStackTrace();
    -		}
    -	}
    -
    -	
    -	private void initConnection(String userName, String password) throws SQLException  {
    -		try {
    -			String url = String.format("jdbc:postgresql://%s:%s/%s", connectionProperties.get("hostname"), connectionProperties.get("port"), DEFAULT_DATABASE);
    -			if (LOG.isDebugEnabled()) {
    -				LOG.debug("InitConnectionKerberos "+ url);
    -			}
    -			con = DriverManager.getConnection(url, userName, password);
    -			jdbc_url_template = String.format("jdbc:postgresql://%s:%s/%s", connectionProperties.get("hostname"), connectionProperties.get("port"), DEFAULT_DATABASE_TEMPLATE);
    -		} catch (SQLException e) {
    -			  e.printStackTrace();
    -	          LOG.error("Unable to Connect to Hawq", e);
    -	          throw e;
    -		} catch (SecurityException se) {
    -			se.printStackTrace();
    -		}
    -	}
    -
    -	public void setConnection(Connection conn) {
    -		con = conn;
    -	}
    -	
    -	public void resetConnection(String db) throws SQLException{
    -		try {
    -			if(db == null) {
    -				return;
    -			}
    -			String newdb = db;
    -			LOG.debug("resetconnectionbefore "+ jdbc_url_template + newdb);
    -    		String url = jdbc_url_template.replace(DEFAULT_DATABASE_TEMPLATE, newdb);
    -    		if (LOG.isDebugEnabled()) {
    -    			LOG.debug("resetconnection "+ jdbc_url_template+ url);
    -    		}
    -    		if(con !=null && !con.isClosed()){
    -    			con.close();
    -    		}
    -    		if (isKerberosAuth) {
    -    			con = DriverManager.getConnection(url); 
    -    		} else {
    -    			final String userName = getConfigHolder().getUserName();
    -    			final String password = getConfigHolder().getPassword();
    -    			con = DriverManager.getConnection(url, userName, password);
    -    		} 
    -		} catch (SQLException e) {
    -			e.printStackTrace();
    -			LOG.error("Unable to Connect to Hawq", e);
    -			throw e;
    -		} catch (SecurityException se) {
    -			se.printStackTrace();
    -		}
    -	}
    +
    +
    +    private Connection getConnection(Map<String, String> connectionProperties) throws SQLException {
    +        return getConnection(connectionProperties, null);
    +    }
    +
    +    private Connection getConnection(Map<String, String> connectionProperties, String database) throws SQLException {
    +
    +        String db = database != null ? database : DEFAULT_DATABASE;
    +        Properties props = new Properties();
    +
    +        if (LOG.isDebugEnabled()) {
    +            LOG.debug("<== HawqClient.checkConnection configuration" + connectionProperties );
    +        }
    +
    +        if (connectionProperties.containsKey(AUTHENTICATION) && connectionProperties.get(AUTHENTICATION).equals(KERBEROS)) {
    +            //kerberos mode
    +            props.setProperty("kerberosServerName", connectionProperties.get("principal"));
    +            props.setProperty("jaasApplicationName", "pgjdbc");
    +        }
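
Review bot: the debug statement `LOG.debug("<== HawqClient.checkConnection configuration" + connectionProperties );` in the new getConnection() writes the whole connection map to the log, and that is the same `configs` map that decrypt_password() operates on in RangerServiceHawq, so it can put the lookup user's password into the Ranger admin log whenever debug logging is on. Log only the non-secret fields (hostname, port, database, authentication type) or redact the password entry first; the removed kinit debug line had the same problem, so this is a good place to close it for good. The message also names checkConnection although it sits in getConnection. Separately, in the Kerberos branch `props.setProperty("kerberosServerName", connectionProperties.get("principal"))` throws a NullPointerException if "principal" is not configured, so validate it and fail with a clear error, and prefer `KERBEROS.equals(connectionProperties.get(AUTHENTICATION))` over the containsKey/equals pair.
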
    --- End diff --
    
    Just need to add the two properties in Kerberos mode in JDBC.

