Repository: ranger Updated Branches: refs/heads/master 4d9eca776 -> 4603dfa3d
RANGER-1338:Ranger Plugin failed to download policy when JaasConfig alone is used to set the UGI instead of Principal/Keytab Project: http://git-wip-us.apache.org/repos/asf/ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/4603dfa3 Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/4603dfa3 Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/4603dfa3 Branch: refs/heads/master Commit: 4603dfa3de3921d1b6c6e1be10dfb82720896de6 Parents: 4d9eca7 Author: rmani <rm...@hortonworks.com> Authored: Wed Feb 1 19:19:40 2017 -0800 Committer: rmani <rm...@hortonworks.com> Committed: Wed Feb 1 19:19:40 2017 -0800
----------------------------------------------------------------------
.../apache/ranger/audit/provider/MiscUtil.java | 45 +++++++++++++++++++- .../authorization/knox/RangerPDPKnoxFilter.java | 31 +------------- .../storm/authorizer/RangerStormAuthorizer.java | 28 +----------- 3 files changed, 47 insertions(+), 57 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/4603dfa3/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java
----------------------------------------------------------------------
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java
index d440b85..bb85e5e 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java
@@ -45,6 +45,7 @@ import javax.security.auth.login.AppConfigurationEntry;
 import javax.security.auth.login.Configuration;
 import javax.security.auth.login.LoginContext;
+import org.apache.commons.lang.ArrayUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -505,8 +506,8 @@ public class MiscUtil {
 if(ret != null) {
 try {
 ret.checkTGTAndReloginFromKeytab();
- } catch(IOException excp) {
- // ignore
+ } catch(IOException ioe) {
+ logger.error("Error renewing TGT and relogin. Ignoring Exception, and continuing with the old TGT", ioe);
 }
 }
@@ -634,6 +635,46 @@ public class MiscUtil {
 }
+ public static void setUGIFromJAASConfig(String jaasConfigAppName) throws Exception {
+ String keytabFile = null;
+ String principal = null;
+ UserGroupInformation ugi = null;
+ if (logger.isDebugEnabled()){
+ logger.debug("===> MiscUtil.setUGIFromJAASConfig() jaasConfigAppName: " + jaasConfigAppName);
+ }
+ try {
+ AppConfigurationEntry entries[] = Configuration.getConfiguration().getAppConfigurationEntry(jaasConfigAppName);
+ if(!ArrayUtils.isEmpty(entries)){
+ for (AppConfigurationEntry entry : entries) {
+ if (entry.getOptions().get("keyTab") != null) {
+ keytabFile = (String) entry.getOptions().get("keyTab");
+ }
+ if (entry.getOptions().get("principal") != null) {
+ principal = (String) entry.getOptions().get("principal");
+ }
+ if (!StringUtils.isEmpty(principal) && !StringUtils.isEmpty(keytabFile)) {
+ break;
+ }
+ }
+ }
+ if (!StringUtils.isEmpty(principal) && !StringUtils.isEmpty(keytabFile)) {
+ // This will login and set the UGI
+ UserGroupInformation.loginUserFromKeytab(principal, keytabFile);
+ ugi = UserGroupInformation.getLoginUser();
+ } else {
+ String error_mesage = "Unable to get the principal/keytab from jaasConfigAppName: " + jaasConfigAppName;
+ logger.error(error_mesage);
+ throw new Exception(error_mesage);
+ }
+ logger.info("MiscUtil.setUGIFromJAASConfig() UGI: " + ugi + " principal: " + principal + " keytab: " + keytabFile);
+ } catch ( Exception e) {
+ logger.error("Unable to set UGI for Principal: " + principal + " keytab: " + keytabFile );
+ throw e;
+ }
+ if (logger.isDebugEnabled()) {
+ logger.debug("<=== MiscUtil.setUGIFromJAASConfig() jaasConfigAppName: " + jaasConfigAppName + " UGI: " + ugi + " principal: " + principal + " keytab: " + keytabFile);
+ }
+ }
 public static void authWithConfig(String appName, Configuration config) {
 try {
 if (config != null) {
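Review bot: The `catch ( Exception e)` block in setUGIFromJAASConfig logs without passing `e`, so the stack trace of a failed `loginUserFromKeytab` is dropped at this layer, and for the missing principal/keytab case the error is logged twice (once in the else branch, once in the catch) before being rethrown; pass the throwable, `logger.error("Unable to set UGI for Principal: " + principal + " keytab: " + keytabFile, e);`, and drop the `logger.error(error_mesage);` in the else branch since the catch already reports it. The loop accepts a `keyTab` from one AppConfigurationEntry and a `principal` from a different one; if that is intended it deserves a comment, otherwise both values should be read from the same entry. Because this path only understands the `keyTab`/`principal` login-module options, a JAAS section that relies on a ticket cache instead will now throw where the callers' previous LoginContext-based login presumably worked, and a Javadoc line stating that requirement would save operators a debugging round. Minor: `error_mesage` is misspelled and not camelCase, and `AppConfigurationEntry entries[]` would conventionally be `AppConfigurationEntry[] entries`.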
http://git-wip-us.apache.org/repos/asf/ranger/blob/4603dfa3/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java
----------------------------------------------------------------------
diff --git a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java
index 2ec5300..55ebf58 100644
--- a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java
+++ b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java
@@ -25,7 +25,6 @@ import java.util.HashSet;
 import java.util.Set;
 import javax.security.auth.Subject;
-import javax.security.auth.login.LoginContext;
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
@@ -40,7 +39,6 @@ import org.apache.hadoop.gateway.filter.AbstractGatewayFilter;
 import org.apache.hadoop.gateway.security.GroupPrincipal;
 import org.apache.hadoop.gateway.security.ImpersonatedPrincipal;
 import org.apache.hadoop.gateway.security.PrimaryPrincipal;
-import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.ranger.audit.provider.MiscUtil;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
@@ -66,17 +64,10 @@ public class RangerPDPKnoxFilter implements Filter {
 if(me == null) {
 try {
- Subject subject = getKnoxSubject();
-
- UserGroupInformation ugi = MiscUtil.createUGIFromSubject(subject);
-
- if (ugi != null) {
- MiscUtil.setUGILoginUser(ugi, subject);
- }
-
+ MiscUtil.setUGIFromJAASConfig(KNOX_GATEWAY_JASS_CONFIG_SECTION);
 LOG.info("LoginUser=" + MiscUtil.getUGILoginUser());
 } catch (Throwable t) {
- LOG.error("Error getting principal.", t);
+ LOG.error("Error while setting UGI for Knox Plugin...", t);
 }
 LOG.info("Creating KnoxRangerPlugin");
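Review bot: `MiscUtil.setUGIFromJAASConfig` now throws when the JAAS section yields no usable principal/keytab, but the surrounding `catch (Throwable t)` only logs it and the code continues to `LOG.info("Creating KnoxRangerPlugin")`, so a misconfigured login becomes one error line and the plugin still starts with whatever login user UGI already holds; the failure then surfaces later as the policy-download error this commit is addressing. If starting without a valid login user is not acceptable here, rethrow after logging instead of falling through; if continuing is deliberate, a short comment on the catch saying so (and that `getUGILoginUser()` is then not the JAAS principal) would make the intent clear to the next reader. The identical hunk in RangerStormAuthorizer has the same shape. The enclosing method starts and ends outside the hunk.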
@@ -191,22 +182,4 @@ public class RangerPDPKnoxFilter implements Filter {
 private String getServiceName() {
 return resourceRole;
 }
-
- private Subject getKnoxSubject() {
- Subject ret = null;
-
- try {
- LoginContext lc = new LoginContext(KNOX_GATEWAY_JASS_CONFIG_SECTION);
-
- lc.login();
-
- ret = lc.getSubject();
- } catch (Exception excp) {
- LOG.error("Failed to get Knox server login subject", excp);
- }
-
- return ret;
- }
-
-
 }
http://git-wip-us.apache.org/repos/asf/ranger/blob/4603dfa3/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java
----------------------------------------------------------------------
diff --git a/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java b/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java
index c66b665..9751213 100644
--- a/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java
+++ b/storm-agent/src/main/java/org/apache/ranger/authorization/storm/authorizer/RangerStormAuthorizer.java
@@ -22,7 +22,6 @@ import java.security.Principal;
 import java.util.Map;
 import java.util.Set;
-import javax.security.auth.login.LoginContext;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.ranger.audit.provider.MiscUtil;
@@ -39,7 +38,6 @@ import org.apache.storm.Config;
 import org.apache.storm.security.auth.IAuthorizer;
 import org.apache.storm.security.auth.ReqContext;
-import javax.security.auth.Subject;
 public class RangerStormAuthorizer implements IAuthorizer {
@@ -158,17 +156,10 @@ public class RangerStormAuthorizer implements IAuthorizer {
 if (me == null) {
 try {
- Subject subject = getStormSubject();
-
- UserGroupInformation ugi = MiscUtil.createUGIFromSubject(subject);
-
- if (ugi != null) {
- MiscUtil.setUGILoginUser(ugi, subject);
- }
-
+ MiscUtil.setUGIFromJAASConfig(STORM_CLIENT_JASS_CONFIG_SECTION);
 LOG.info("LoginUser=" + MiscUtil.getUGILoginUser());
 } catch (Throwable t) {
- LOG.error("Error getting principal.", t);
+ LOG.error("Error while setting UGI for Storm Plugin...", t);
 }
 LOG.info("Creating StormRangerPlugin");
@@ -180,19 +171,4 @@ public class RangerStormAuthorizer implements IAuthorizer {
 }
 }
- private Subject getStormSubject() {
- Subject ret = null;
-
- try {
- LoginContext lc = new LoginContext(STORM_CLIENT_JASS_CONFIG_SECTION);
-
- lc.login();
-
- ret = lc.getSubject();
- } catch (Exception excp) {
- LOG.error("Failed to get Storm server login subject", excp);
- }
-
- return ret;
- }
 }