Posted to commits@ranger.apache.org by ve...@apache.org on 2015/05/29 03:18:27 UTC
incubator-ranger git commit: KMS keys listing throws authentication
required error in secure cluster
Repository: incubator-ranger
Updated Branches:
refs/heads/master 0d73c38af -> d79401bb4
KMS keys listing throws authentication required error in secure cluster
Signed-off-by: Velmurugan Periasamy <ve...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/d79401bb
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/d79401bb
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/d79401bb
Branch: refs/heads/master
Commit: d79401bb429754ef9d4203f6c78c28606c922ccb
Parents: 0d73c38
Author: Gautam Borad <gb...@gmail.com>
Authored: Tue May 26 16:47:57 2015 +0530
Committer: Velmurugan Periasamy <ve...@apache.org>
Committed: Thu May 28 21:18:24 2015 -0400
----------------------------------------------------------------------
.../ranger/services/kms/client/KMSClient.java | 70 +++--
.../java/org/apache/ranger/biz/KmsKeyMgr.java | 291 ++++++++++++++-----
.../java/org/apache/ranger/rest/XKeyREST.java | 6 +-
3 files changed, 273 insertions(+), 94 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d79401bb/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
----------------------------------------------------------------------
diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
index 59fa634..c67584e 100755
--- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
@@ -24,14 +24,17 @@ import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
+import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
-import java.util.regex.Pattern;
+import javax.security.auth.Subject;
import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.security.HadoopKerberosName;
import org.apache.hadoop.security.ProviderUtils;
+import org.apache.hadoop.security.SecureClientLogin;
import org.apache.log4j.Logger;
import org.apache.ranger.plugin.client.BaseClient;
import org.apache.ranger.plugin.client.HadoopException;
@@ -43,6 +46,8 @@ import com.google.gson.GsonBuilder;
import com.sun.jersey.api.client.Client;
import com.sun.jersey.api.client.ClientResponse;
import com.sun.jersey.api.client.WebResource;
+import com.sun.jersey.api.client.config.ClientConfig;
+import com.sun.jersey.api.client.config.DefaultClientConfig;
public class KMSClient {
@@ -50,7 +55,7 @@ public class KMSClient {
private static final String EXPECTED_MIME_TYPE = "application/json";
- private static final String KMS_LIST_API_ENDPOINT = "v1/keys/names?user.name=${userName}"; // GET
+ private static final String KMS_LIST_API_ENDPOINT = "v1/keys/names"; // GET
private static final String errMessage = " You can still save the repository and start creating "
+ "policies, but you would not be able to use autocomplete for "
@@ -64,7 +69,6 @@ public class KMSClient {
this.provider = provider;
this.username = username;
this.password = password;
-
if (LOG.isDebugEnabled()) {
LOG.debug("Kms Client is build with url [" + provider + "] user: ["
+ username + "]");
@@ -137,24 +141,42 @@ public class KMSClient {
for (int i = 0; i < providers.length; i++) {
lret = new ArrayList<String>();
if (LOG.isDebugEnabled()) {
- LOG.debug("Getting Kms Key list for keyNameMatching : "
- + keyNameMatching);
+ LOG.debug("Getting Kms Key list for keyNameMatching : " + keyNameMatching);
}
- String keyLists = KMS_LIST_API_ENDPOINT.replaceAll(
- Pattern.quote("${userName}"), username);
- String uri = providers[i]
- + (providers[i].endsWith("/") ? keyLists : ("/" + keyLists));
+ String uri = providers[i] + (providers[i].endsWith("/") ? KMS_LIST_API_ENDPOINT : ("/" + KMS_LIST_API_ENDPOINT));
Client client = null;
ClientResponse response = null;
-
+ boolean isKerberose = false;
try {
- client = Client.create();
-
- WebResource webResource = client.resource(uri);
-
- response = webResource.accept(EXPECTED_MIME_TYPE).get(
- ClientResponse.class);
-
+ ClientConfig cc = new DefaultClientConfig();
+ cc.getProperties().put(ClientConfig.PROPERTY_FOLLOW_REDIRECTS, true);
+ client = Client.create(cc);
+
+ if(username.contains("@")){
+ isKerberose = true;
+ }
+
+ if(!isKerberose){
+ uri = uri.concat("?user.name="+username);
+ WebResource webResource = client.resource(uri);
+ response = webResource.accept(EXPECTED_MIME_TYPE).get(ClientResponse.class);
+ }else{
+ String shortName = new HadoopKerberosName(username).getShortName();
+ uri = uri.concat("?doAs="+shortName);
+ Subject sub = new Subject();
+ if (username.contains("@")) {
+ sub = SecureClientLogin.loginUserWithPassword(username, password);
+ } else {
+ sub = SecureClientLogin.login(username);
+ }
+ final WebResource webResource = client.resource(uri);
+ response = Subject.doAs(sub, new PrivilegedAction<ClientResponse>() {
+ @Override
+ public ClientResponse run() {
+ return webResource.accept(EXPECTED_MIME_TYPE).get(ClientResponse.class);
+ }
+ });
+ }
if (LOG.isDebugEnabled()) {
LOG.debug("getKeyList():calling " + uri);
}
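Review bot: The `SecureClientLogin.login(username)` branch at L116 is unreachable: `isKerberose` only becomes true when `username.contains("@")` (L101-103) and the identical test is repeated at L113, so inside the Kerberos path the else can never run, and `Subject sub = new Subject();` at L112 is a dead assignment that can collapse to `Subject sub = SecureClientLogin.loginUserWithPassword(username, password);`. `username` and `shortName` are appended to the query string unencoded (L106, L111); if either can carry URL-reserved characters, `URLEncoder.encode(..., "UTF-8")` is the safe form. "Contains @" as the Kerberos detector is a convention rather than a check, so a one-line comment on the flag (which is also misspelled; `isKerberos` matches KmsKeyMgr) would help the next reader. getKeyList's body continues outside the hunk.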
@@ -192,12 +214,22 @@ public class KMSClient {
LOG.info("getKeyList():response.getStatus()= "
+ response.getStatus() + " for URL " + uri
+ ", so returning null list");
- return lret;
+ String msgDesc = response.getEntity(String.class);
+ HadoopException hdpException = new HadoopException(msgDesc);
+ hdpException.generateResponseDataMap(false, msgDesc,
+ msgDesc + errMsg, null, null);
+ lret = null;
+ throw hdpException;
} else if (response.getStatus() == 403) {
LOG.info("getKeyList():response.getStatus()= "
+ response.getStatus() + " for URL " + uri
+ ", so returning null list");
- return lret;
+ String msgDesc = response.getEntity(String.class);
+ HadoopException hdpException = new HadoopException(msgDesc);
+ hdpException.generateResponseDataMap(false, msgDesc,
+ msgDesc + errMsg, null, null);
+ lret = null;
+ throw hdpException;
} else {
LOG.info("getKeyList():response.getStatus()= "
+ response.getStatus() + " for URL " + uri
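Review bot: Both new branches still log `", so returning null list"` (L130-132, L141-143) although they now throw, so the message is stale; the 401 and 403 bodies are also byte-identical and `lret = null;` right before `throw` is dead. Merge them into one `else if (response.getStatus() == 401 || response.getStatus() == 403)` branch and change the log suffix to `", so raising HadoopException"`. `msgDesc` is the remote entity verbatim (typically an HTML error page) and is used both as the exception message and in the response map; trimming it to the status line, or bounding its length, keeps server-side detail from being surfaced to the UI unfiltered. The enclosing `if (response.getStatus() == 401)` starts outside the hunk.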
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d79401bb/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
index 7446d1e..7854f4b 100755
--- a/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
@@ -24,12 +24,14 @@ import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
+import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
+import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.core.MediaType;
@@ -40,13 +42,19 @@ import org.apache.commons.collections.PredicateUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.ProviderUtils;
+import org.apache.hadoop.security.SecureClientLogin;
+import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.log4j.Logger;
import org.apache.ranger.common.ContextUtil;
import org.apache.ranger.common.MessageEnums;
+import org.apache.ranger.common.PasswordUtils;
import org.apache.ranger.common.RESTErrorUtil;
import org.apache.ranger.common.RangerConfigUtil;
import org.apache.ranger.common.SortField;
import org.apache.ranger.common.StringUtil;
+import org.apache.ranger.db.RangerDaoManagerBase;
+import org.apache.ranger.entity.XXService;
+import org.apache.ranger.entity.XXServiceConfigMap;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.util.KeySearchFilter;
import org.apache.ranger.view.VXKmsKey;
@@ -68,12 +76,14 @@ public class KmsKeyMgr {
static final Logger logger = Logger.getLogger(KmsKeyMgr.class);
- private static final String KMS_KEY_LIST_URI = "v1/keys/names?user.name=${userName}"; //GET
- private static final String KMS_ADD_KEY_URI = "v1/keys?user.name=${userName}"; //POST
- private static final String KMS_ROLL_KEY_URI = "v1/key/${alias}?user.name=${userName}"; //POST
- private static final String KMS_DELETE_KEY_URI = "v1/key/${alias}?user.name=${userName}"; //DELETE
- private static final String KMS_KEY_METADATA_URI = "v1/key/${alias}/_metadata?user.name=${userName}"; //GET
+ private static final String KMS_KEY_LIST_URI = "v1/keys/names"; //GET
+ private static final String KMS_ADD_KEY_URI = "v1/keys"; //POST
+ private static final String KMS_ROLL_KEY_URI = "v1/key/${alias}"; //POST
+ private static final String KMS_DELETE_KEY_URI = "v1/key/${alias}"; //DELETE
+ private static final String KMS_KEY_METADATA_URI = "v1/key/${alias}/_metadata"; //GET
private static final String KMS_URL_CONFIG = "provider";
+ private static final String KMS_PASSWORD = "password";
+ private static final String KMS_USERNAME = "username";
private static Map<String, String> providerList = new HashMap<String, String>();
private static int nextProvider = 0;
@@ -86,8 +96,11 @@ public class KmsKeyMgr {
@Autowired
RangerConfigUtil configUtil;
+ @Autowired
+ RangerDaoManagerBase rangerDaoManagerBase;
+
@SuppressWarnings("unchecked")
- public VXKmsKeyList searchKeys(String repoName){
+ public VXKmsKeyList searchKeys(String repoName) throws Exception{
String providers[] = null;
try {
providers = getKMSURL(repoName);
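Review bot: `searchKeys` is now declared `throws Exception` (L218), as are `rolloverKey`, `deleteKey`, `createKey`, `getKey` and `getKeyFromUri` in the later hunks; a public service-layer method throwing the root type forces every caller into `catch (Exception)` and hides which failures (config lookup, Kerberos login, HTTP) are actually expected. The only new checked sources appear to be `checkKerberos` and `getSubjectForKerberos`, so wrapping those in a narrower or unchecked domain exception at that boundary would keep the signatures meaningful. searchKeys' body continues outside the hunk.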
@@ -98,6 +111,12 @@ public class KmsKeyMgr {
VXKmsKeyList vxKmsKeyList = new VXKmsKeyList();
List<String> keys = null;
String connProvider = null;
+ boolean isKerberos=false;
+ try {
+ isKerberos = checkKerberos(repoName);
+ } catch (Exception e1) {
+ logger.error("checkKerberos(" + repoName + ") failed", e1);
+ }
for (int i = 0; i < providers.length; i++) {
Client c = getClient();
String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
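Review bot: When `checkKerberos(repoName)` throws (L227-231) the failure is only logged and `isKerberos` stays `false`, so the request goes ahead with `user.name=` pseudo-authentication against a service whose auth mode could not be determined, and the user later sees a generic 401 from KMS instead of the lookup error. Since the method is now declared `throws Exception`, letting that exception propagate (or rethrowing it with context) is more honest than the silent fallback. The same pattern is repeated in `rolloverKey` (L294-298), `deleteKey` (L355-359), `createKey` (L410-414) and `getKey` (L466-470). The enclosing method and loop continue outside the hunk.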
@@ -105,15 +124,28 @@ public class KmsKeyMgr {
Pattern.quote("${userName}"), currentUserLoginId);
connProvider = providers[i];
String uri = providers[i]
- + (providers[i].endsWith("/") ? keyLists : ("/" + keyLists));
-
- WebResource r = c.resource(uri);
+ + (providers[i].endsWith("/") ? keyLists : ("/" + keyLists));
+ if(!isKerberos){
+ uri = uri.concat("?user.name="+currentUserLoginId);
+ }else{
+ uri = uri.concat("?doAs="+currentUserLoginId);
+ }
+ final WebResource r = c.resource(uri);
try {
- String response = r.accept(MediaType.APPLICATION_JSON_TYPE)
- .get(String.class);
+ String response = null;
+ if(!isKerberos){
+ response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class);
+ }else{
+ Subject sub = getSubjectForKerberos(repoName, currentUserLoginId);
+ response = Subject.doAs(sub, new PrivilegedAction<String>() {
+ @Override
+ public String run() {
+ return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class);
+ }
+ });
+ }
Gson gson = new GsonBuilder().create();
logger.debug(" Search Key RESPONSE: [" + response + "]");
-
keys = gson.fromJson(response, List.class);
break;
} catch (Exception e) {
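Review bot: The `if(!isKerberos) ... else Subject.doAs(...)` request block (L252-263) is duplicated with only the HTTP verb changed in rolloverKey, deleteKey, createKey, getKey and getKeyFromUri; one private helper that runs a `PrivilegedAction<String>` either directly or under the repo's Kerberos subject would leave a single place to reason about which identity each KMS call runs as. `keyLists` at L236 still applies the `${userName}` replacement although `KMS_KEY_LIST_URI` no longer contains that token, so that line is dead. `currentUserLoginId` is appended to the query unencoded (L244, L246); `URLEncoder.encode(currentUserLoginId, "UTF-8")` keeps a login id with reserved characters from being misparsed. The loop continues outside the hunk.
```java
// Runs a KMS call either directly (pseudo-auth) or as the repo's Kerberos subject,
// so the identity decision lives in one place instead of in every method.
private String runAsKmsUser(String repoName, String currentUserLoginId, boolean isKerberos,
        PrivilegedAction<String> action) throws Exception {
    if (!isKerberos) {
        return action.run();
    }
    Subject sub = getSubjectForKerberos(repoName, currentUserLoginId);
    return Subject.doAs(sub, action);
}

// at the searchKeys call site, replacing the duplicated if/else:
String response = runAsKmsUser(repoName, currentUserLoginId, isKerberos, new PrivilegedAction<String>() {
    @Override
    public String run() {
        return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class);
    }
});
// … unchanged: gson parsing, break, catch …
```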
@@ -125,7 +157,7 @@ public class KmsKeyMgr {
}
if (keys != null && keys.size() > 0) {
for (String name : keys) {
- VXKmsKey key = getKeyFromUri(connProvider, name);
+ VXKmsKey key = getKeyFromUri(connProvider, name, isKerberos, repoName);
vXKeys.add(key);
}
vxKmsKeyList.setResultSize(vXKeys.size());
@@ -137,31 +169,46 @@ public class KmsKeyMgr {
return vxKmsKeyList;
}
- public VXKmsKey rolloverKey(String provider, VXKmsKey vXKey){
+ public VXKmsKey rolloverKey(String provider, VXKmsKey vXKey) throws Exception{
String providers[] = null;
try {
providers = getKMSURL(provider);
} catch (Exception e) {
- logger.error("rolloverKey(" + provider + ", " + vXKey.getName()
- + ") failed", e);
+ logger.error("rolloverKey(" + provider + ", " + vXKey.getName() + ") failed", e);
}
VXKmsKey ret = null;
+ boolean isKerberos=false;
+ try {
+ isKerberos = checkKerberos(provider);
+ } catch (Exception e1) {
+ logger.error("checkKerberos(" + provider + ") failed", e1);
+ }
for (int i = 0; i < providers.length; i++) {
Client c = getClient();
- String rollRest = KMS_ROLL_KEY_URI.replaceAll(
- Pattern.quote("${alias}"), vXKey.getName());
- String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
- rollRest = rollRest.replaceAll(Pattern.quote("${userName}"),
- currentUserLoginId);
- String uri = providers[i]
- + (providers[i].endsWith("/") ? rollRest : ("/" + rollRest));
- WebResource r = c.resource(uri);
+ String rollRest = KMS_ROLL_KEY_URI.replaceAll(Pattern.quote("${alias}"), vXKey.getName());
+ String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
+ String uri = providers[i] + (providers[i].endsWith("/") ? rollRest : ("/" + rollRest));
+ if(!isKerberos){
+ uri = uri.concat("?user.name="+currentUserLoginId);
+ }else{
+ uri = uri.concat("?doAs="+currentUserLoginId);
+ }
+ final WebResource r = c.resource(uri);
Gson gson = new GsonBuilder().create();
- String jsonString = gson.toJson(vXKey);
+ final String jsonString = gson.toJson(vXKey);
try {
- String response = r.accept(MediaType.APPLICATION_JSON_TYPE)
- .type(MediaType.APPLICATION_JSON_TYPE)
- .post(String.class, jsonString);
+ String response = null;
+ if(!isKerberos){
+ response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString);}
+ else{
+ Subject sub = getSubjectForKerberos(provider, currentUserLoginId);
+ response = Subject.doAs(sub, new PrivilegedAction<String>() {
+ @Override
+ public String run() {
+ return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString);
+ }
+ });
+ }
logger.debug("Roll RESPONSE: [" + response + "]");
ret = gson.fromJson(response, VXKmsKey.class);
break;
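Review bot: `KMS_ROLL_KEY_URI.replaceAll(Pattern.quote("${alias}"), vXKey.getName())` at L309 treats the key name as a regex replacement string, so a name containing `$` or `\` is rewritten or throws `IllegalArgumentException`; `KMS_ROLL_KEY_URI.replace("${alias}", vXKey.getName())` is a literal substitution. The same call appears in deleteKey (L371), getKey (L481) and getKeyFromUri (L519). L327 closes the `if` with `}` at the end of the statement line and `else{` on the next, which reads as a stray brace; format it as in the sibling methods. rolloverKey continues outside the hunk.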
@@ -174,27 +221,44 @@ public class KmsKeyMgr {
}
return ret;
}
-
- public void deleteKey(String provider, String name){
+
+ public void deleteKey(String provider, String name) throws Exception{
String providers[] = null;
try {
providers = getKMSURL(provider);
} catch (Exception e) {
logger.error("deleteKey(" + provider + ", " + name + ") failed", e);
}
+ boolean isKerberos=false;
+ try {
+ isKerberos = checkKerberos(provider);
+ } catch (Exception e1) {
+ logger.error("checkKerberos(" + provider + ") failed", e1);
+ }
for (int i = 0; i < providers.length; i++) {
Client c = getClient();
- String deleteRest = KMS_DELETE_KEY_URI.replaceAll(
- Pattern.quote("${alias}"), name);
- String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
- deleteRest = deleteRest.replaceAll(Pattern.quote("${userName}"),
- currentUserLoginId);
- String uri = providers[i]
- + (providers[i].endsWith("/") ? deleteRest
- : ("/" + deleteRest));
- WebResource r = c.resource(uri);
+ String deleteRest = KMS_DELETE_KEY_URI.replaceAll(Pattern.quote("${alias}"), name);
+ String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
+ String uri = providers[i] + (providers[i].endsWith("/") ? deleteRest : ("/" + deleteRest));
+ if(!isKerberos){
+ uri = uri.concat("?user.name="+currentUserLoginId);
+ }else{
+ uri = uri.concat("?doAs="+currentUserLoginId);
+ }
+ final WebResource r = c.resource(uri);
try {
- String response = r.delete(String.class) ;
+ String response = null;
+ if(!isKerberos){
+ response = r.delete(String.class) ;
+ }else{
+ Subject sub = getSubjectForKerberos(provider, currentUserLoginId);
+ response = Subject.doAs(sub, new PrivilegedAction<String>() {
+ @Override
+ public String run() {
+ return r.delete(String.class);
+ }
+ });
+ }
logger.debug("delete RESPONSE: [" + response + "]") ;
break;
} catch (Exception e) {
@@ -206,7 +270,7 @@ public class KmsKeyMgr {
}
}
- public VXKmsKey createKey(String provider, VXKmsKey vXKey){
+ public VXKmsKey createKey(String provider, VXKmsKey vXKey) throws Exception{
String providers[] = null;
try {
providers = getKMSURL(provider);
@@ -215,21 +279,37 @@ public class KmsKeyMgr {
+ ") failed", e);
}
VXKmsKey ret = null;
+ boolean isKerberos=false;
+ try {
+ isKerberos = checkKerberos(provider);
+ } catch (Exception e1) {
+ logger.error("checkKerberos(" + provider + ") failed", e1);
+ }
for (int i = 0; i < providers.length; i++) {
Client c = getClient();
- String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
- String createRest = KMS_ADD_KEY_URI.replaceAll(
- Pattern.quote("${userName}"), currentUserLoginId);
- String uri = providers[i]
- + (providers[i].endsWith("/") ? createRest
- : ("/" + createRest));
- WebResource r = c.resource(uri);
+ String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
+ String uri = providers[i] + (providers[i].endsWith("/") ? KMS_ADD_KEY_URI : ("/" + KMS_ADD_KEY_URI));
+ if(!isKerberos){
+ uri = uri.concat("?user.name="+currentUserLoginId);
+ }else{
+ uri = uri.concat("?doAs="+currentUserLoginId);
+ }
+ final WebResource r = c.resource(uri);
Gson gson = new GsonBuilder().create();
- String jsonString = gson.toJson(vXKey);
+ final String jsonString = gson.toJson(vXKey);
try {
- String response = r.accept(MediaType.APPLICATION_JSON_TYPE)
- .type(MediaType.APPLICATION_JSON_TYPE)
- .post(String.class, jsonString);
+ String response = null;
+ if(!isKerberos){
+ response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString);
+ }else{
+ Subject sub = getSubjectForKerberos(provider, currentUserLoginId);
+ response = Subject.doAs(sub, new PrivilegedAction<String>() {
+ @Override
+ public String run() {
+ return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString);
+ }
+ });
+ }
logger.debug("Create RESPONSE: [" + response + "]");
ret = gson.fromJson(response, VXKmsKey.class);
return ret;
@@ -243,26 +323,43 @@ public class KmsKeyMgr {
return ret;
}
- public VXKmsKey getKey(String provider, String name){
+ public VXKmsKey getKey(String provider, String name) throws Exception{
String providers[] = null;
try {
providers = getKMSURL(provider);
} catch (Exception e) {
logger.error("getKey(" + provider + ", " + name + ") failed", e);
}
+ boolean isKerberos=false;
+ try {
+ isKerberos = checkKerberos(provider);
+ } catch (Exception e1) {
+ logger.error("checkKerberos(" + provider + ") failed", e1);
+ }
for (int i = 0; i < providers.length; i++) {
Client c = getClient();
- String keyRest = KMS_KEY_METADATA_URI.replaceAll(
- Pattern.quote("${alias}"), name);
- String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
- keyRest = keyRest.replaceAll(Pattern.quote("${userName}"),
- currentUserLoginId);
- String uri = providers[i]
- + (providers[i].endsWith("/") ? keyRest : ("/" + keyRest));
- WebResource r = c.resource(uri);
+ String keyRest = KMS_KEY_METADATA_URI.replaceAll(Pattern.quote("${alias}"), name);
+ String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
+ String uri = providers[i] + (providers[i].endsWith("/") ? keyRest : ("/" + keyRest));
+ if(!isKerberos){
+ uri = uri.concat("?user.name="+currentUserLoginId);
+ }else{
+ uri = uri.concat("?doAs="+currentUserLoginId);
+ }
+ final WebResource r = c.resource(uri);
try {
- String response = r.accept(MediaType.APPLICATION_JSON_TYPE)
- .get(String.class);
+ String response = null;
+ if(!isKerberos){
+ response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class);
+ }else{
+ Subject sub = getSubjectForKerberos(provider, currentUserLoginId);
+ response = Subject.doAs(sub, new PrivilegedAction<String>() {
+ @Override
+ public String run() {
+ return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class);
+ }
+ });
+ }
Gson gson = new GsonBuilder().create();
logger.debug("RESPONSE: [" + response + "]");
VXKmsKey key = gson.fromJson(response, VXKmsKey.class);
@@ -277,16 +374,29 @@ public class KmsKeyMgr {
return null;
}
- public VXKmsKey getKeyFromUri(String provider, String name) {
+ public VXKmsKey getKeyFromUri(String provider, String name, boolean isKerberos, String repoName) throws Exception {
Client c = getClient();
- String keyRest = KMS_KEY_METADATA_URI.replaceAll(
- Pattern.quote("${alias}"), name);
- String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
- keyRest = keyRest.replaceAll(Pattern.quote("${userName}"),
- currentUserLoginId);
+ String keyRest = KMS_KEY_METADATA_URI.replaceAll(Pattern.quote("${alias}"), name);
+ String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
String uri = provider + (provider.endsWith("/") ? keyRest : ("/" + keyRest));
- WebResource r = c.resource(uri);
- String response = r.accept(MediaType.APPLICATION_JSON_TYPE).get(String.class);
+ if(!isKerberos){
+ uri = uri.concat("?user.name="+currentUserLoginId);
+ }else{
+ uri = uri.concat("?doAs="+currentUserLoginId);
+ }
+ final WebResource r = c.resource(uri);
+ String response = null;
+ if(!isKerberos){
+ response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class);
+ }else{
+ Subject sub = getSubjectForKerberos(repoName, currentUserLoginId);
+ response = Subject.doAs(sub, new PrivilegedAction<String>() {
+ @Override
+ public String run() {
+ return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class);
+ }
+ });
+ }
Gson gson = new GsonBuilder().create();
logger.debug("RESPONSE: [" + response + "]");
VXKmsKey key = gson.fromJson(response, VXKmsKey.class);
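Review bot: `getSubjectForKerberos` (L534) performs a fresh `SecureClientLogin.loginUserWithPassword` on every call, and searchKeys invokes getKeyFromUri once per key name (L273-276), so listing N keys on a Kerberized repo costs N password logins against the KDC plus N decryptions of the stored password. Obtaining the `Subject` once in searchKeys and passing it in would avoid that, and the new `isKerberos`/`repoName` parameters could then collapse into a single `Subject` argument (null meaning pseudo-auth). Unlike the sibling methods this one has no try/catch, so one key whose metadata call fails now aborts the whole listing with the raw exception, which looks unintended given the per-provider retry elsewhere. The method continues outside the hunk.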
@@ -360,7 +470,7 @@ public class KmsKeyMgr {
providerNext = providerNext+";";
}
}
- for(int i=0; i<nextProvider; i++){
+ for(int i=0; i<nextProvider && i<hosts.length; i++){
providerNext = providerNext+";"+hosts[i];
}
if(nextProvider != hosts.length-1){
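Review bot: The added `i<hosts.length` bound (L550) stops the index overflow but masks its cause: `nextProvider` is a single static counter (L209) shared by every repository, so a repo with fewer hosts than the one served previously sees `nextProvider` beyond its own array. Normalising the counter against the current list, e.g. `nextProvider = nextProvider % hosts.length;` before the loop, would make the rotation correct rather than merely safe; this is inferred from the context lines, as the enclosing method is outside the hunk.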
@@ -381,6 +491,43 @@ public class KmsKeyMgr {
}
return providers;
}
+
+ private Subject getSubjectForKerberos(String provider, String currentUserLoginId) throws Exception{
+ String userName = getKMSUserName(provider);
+ String password = getKMSPassword(provider);
+ if (KerberosName.getRules() == null) {
+ KerberosName.setRules("DEFAULT") ;
+ }
+ Subject sub = new Subject();
+ if (userName.contains("@")) {
+ sub = SecureClientLogin.loginUserWithPassword(userName, password);
+ } else {
+ sub = SecureClientLogin.login(userName);
+ }
+ return sub;
+ }
+
+ private String getKMSPassword(String srvName) throws Exception {
+ XXService rangerService = rangerDaoManagerBase.getXXService().findByName(srvName);
+ XXServiceConfigMap xxConfigMap = rangerDaoManagerBase.getXXServiceConfigMap().findByServiceAndConfigKey(rangerService.getId(), KMS_PASSWORD);
+ String encryptedPwd = xxConfigMap.getConfigvalue();
+ String pwd = PasswordUtils.decryptPassword(encryptedPwd);
+ return pwd;
+ }
+
+ private String getKMSUserName(String srvName) throws Exception {
+ RangerService rangerService = null;
+ rangerService = svcStore.getServiceByName(srvName);
+ return rangerService.getConfigs().get(KMS_USERNAME);
+ }
+
+ private boolean checkKerberos(String provider) throws Exception {
+ String userName = getKMSUserName(provider);
+ if(userName.contains("@")){
+ return true;
+ }
+ return false;
+ }
private synchronized Client getClient() {
Client ret = null;
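Review bot: `getKMSPassword` (L574-580) dereferences `rangerService` and `xxConfigMap` without null checks, so an unknown repo name or a service with no `password` entry fails with an NPE instead of a message naming the missing config; `getKMSUserName` (L582-586) has the same gap for a null service or a missing `username` entry, which then surfaces as an NPE inside `checkKerberos`. `Subject sub = new Subject();` at L565 is immediately overwritten, and `checkKerberos` reduces to `return userName.contains("@");`. `KerberosName.setRules("DEFAULT")` at L563 mutates process-global state on first use, so a comment stating that this is intentional for the admin JVM would help. The `doAs=` impersonation these subjects drive presumably requires the KMS side to trust this principal as a proxy user, which is worth stating in a Javadoc on `getSubjectForKerberos` so operators know where to look when it fails.
```java
private String getKMSPassword(String srvName) throws Exception {
    XXService rangerService = rangerDaoManagerBase.getXXService().findByName(srvName);
    if (rangerService == null) {
        throw new IllegalStateException("KMS service [" + srvName + "] not found");
    }
    XXServiceConfigMap xxConfigMap = rangerDaoManagerBase.getXXServiceConfigMap()
            .findByServiceAndConfigKey(rangerService.getId(), KMS_PASSWORD);
    if (xxConfigMap == null || xxConfigMap.getConfigvalue() == null) {
        throw new IllegalStateException("KMS service [" + srvName + "] has no '" + KMS_PASSWORD + "' config");
    }
    return PasswordUtils.decryptPassword(xxConfigMap.getConfigvalue());
}
// … unchanged: getKMSUserName (same null checks apply), checkKerberos …
```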
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d79401bb/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java
index 379ea3c..7845b86 100755
--- a/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java
@@ -199,11 +199,11 @@ public class XKeyREST {
}
if(!(message==null) && !(message.isEmpty()) && message.contains("Connection refused")){
message = "Connection refused : Please check the KMS provider URL and whether the Ranger KMS is running";
- }else if(!(message==null) && !(message.isEmpty()) && message.contains("response status of 403")){
+ }else if(!(message==null) && !(message.isEmpty()) && (message.contains("response status of 403") || message.contains("HTTP Status 403"))){
message = UNAUTHENTICATED_MSG;
- }else if(!(message==null) && !(message.isEmpty()) && message.contains("response status of 401")){
+ }else if(!(message==null) && !(message.isEmpty()) && (message.contains("response status of 401") || message.contains("HTTP Status 401 - Authentication required"))){
message = UNAUTHENTICATED_MSG;
- }
+ }
throw restErrorUtil.createRESTException(message, MessageEnums.ERROR_SYSTEM);
}
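Review bot: The new conditions (L608, L611) classify the failure by searching the exception message for error-page text such as "HTTP Status 401 - Authentication required", which breaks as soon as the KMS container or its error page wording changes; the numeric status is known where the exception originates (KMSClient now builds a HadoopException from the response, and the Jersey client exceptions presumably carry it too), so propagating the status on the exception and switching on it here would be robust. The repeated `!(message==null) && !(message.isEmpty())` guard could be hoisted once above the chain, e.g. `if (message != null && !message.isEmpty()) { ... }`. The enclosing method starts outside the hunk.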
}