Repository: ranger Updated Branches: refs/heads/master 2a1406df8 -> 98cb80e33
RANGER-1883: TagSync should reuse kerberos ticket in REST calls to Ranger Admin
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/98cb80e3
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/98cb80e3
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/98cb80e3
Branch: refs/heads/master
Commit: 98cb80e3335e7c9588b9ad5b57667d3421fba4e6
Parents: 2a1406d
Author: Abhay Kulkarni <akulka...@hortonworks.com>
Authored: Fri Nov 10 19:21:15 2017 -0800
Committer: Abhay Kulkarni <akulka...@hortonworks.com>
Committed: Fri Nov 10 19:21:15 2017 -0800
----------------------------------------------------------------------
.../tagsync/sink/tagadmin/TagAdminRESTSink.java | 76 ++++++++++++++------
1 file changed, 56 insertions(+), 20 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/98cb80e3/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java
----------------------------------------------------------------------
diff --git a/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java b/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java
index b1225c2..4f6761f 100644
--- a/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java
+++ b/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java
@@ -27,6 +27,7 @@ import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.security.SecureClientLogin;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.ranger.admin.client.datatype.RESTResponse;
 import org.apache.ranger.tagsync.model.TagSink;
 import org.apache.ranger.plugin.util.RangerRESTClient;
@@ -36,6 +37,7 @@ import org.apache.ranger.tagsync.process.TagSyncConfig;
 import javax.security.auth.Subject;
 import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
 import java.security.PrivilegedAction;
 import java.util.Map;
 import java.util.Properties;
@@ -95,16 +97,33 @@ public class TagAdminRESTSink implements TagSink, Runnable {
 if (StringUtils.isNotBlank(restUrl)) {
 tagRESTClient = new RangerRESTClient(restUrl, sslConfigFile);
- if(!(!StringUtils.isEmpty(authenticationType) && authenticationType.trim().equalsIgnoreCase(AUTH_TYPE_KERBEROS) && SecureClientLogin.isKerberosCredentialExists(principal, keytab))){
+ if(isKerberosEnabled()) {
+ Subject subject = null;
+ try {
+ subject = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules);
+ } catch(IOException exception) {
+ LOG.error("Could not get Subject from principal:[" + principal + "], keytab:[" + keytab + "], nameRules:[" + nameRules + "]", exception);
+ }
+ if (subject != null) {
+ try {
+ UserGroupInformation.loginUserFromSubject(subject);
+ ret = true;
+ } catch (IOException exception) {
+ LOG.error("Failed to get UGI from Subject:[" + subject + "]");
+ }
+ }
+ } else {
 tagRESTClient.setBasicAuthInfo(userName, password);
+ ret = true;
 }
- uploadWorkItems = new LinkedBlockingQueue<UploadWorkItem>();
-
- ret = true;
 } else {
 LOG.error("No value specified for property 'ranger.tagsync.tagadmin.rest.url'!");
 }
+ if (ret) {
+ uploadWorkItems = new LinkedBlockingQueue<UploadWorkItem>();
+ }
+
 if(LOG.isDebugEnabled()) {
 LOG.debug("<== TagAdminRESTSink.initialize(), result=" + ret);
 }
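Review bot: The `catch (IOException exception)` around `UserGroupInformation.loginUserFromSubject(subject)` logs only a message and drops the exception, so the reason the Kerberos login failed is lost even though initialize() then returns false and the sink never comes up; pass it as the logger's cause: `LOG.error("Failed to get UGI from Subject:[" + subject + "]", exception);`. That message also interpolates the whole `Subject`, whose `toString()` prints its principals and credential entries, which is noisier than needed; logging `principal` and `keytab` as the first catch already does is enough. Note too that `loginUserFromSubject` sets the JVM-wide UGI login user, so if TagSync ever shares a JVM with another Hadoop client the later login wins — worth a comment on that line: `// Sets the process-wide UGI login user; doUpload() relies on it for TGT checks and relogin.` initialize() starts and ends outside this hunk.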
@@ -133,26 +152,43 @@ public class TagAdminRESTSink implements TagSink, Runnable {
 return ret;
 }
+ private boolean isKerberosEnabled() {
+ return !StringUtils.isEmpty(authenticationType) && authenticationType.trim().equalsIgnoreCase(AUTH_TYPE_KERBEROS) && SecureClientLogin.isKerberosCredentialExists(principal, keytab);
+ }
+
 private ServiceTags doUpload(ServiceTags serviceTags) throws Exception {
- if(!StringUtils.isEmpty(authenticationType) && authenticationType.trim().equalsIgnoreCase(AUTH_TYPE_KERBEROS) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)){
+ if(isKerberosEnabled()) {
 try{
- Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules);
- if(LOG.isDebugEnabled()) {
- LOG.debug("Using Principal = "+ principal + ", keytab = "+keytab);
+ UserGroupInformation userGroupInformation = UserGroupInformation.getLoginUser();
+ if (userGroupInformation != null) {
+ try {
+ userGroupInformation.checkTGTAndReloginFromKeytab();
+ } catch (IOException ioe) {
+ LOG.error("Error renewing TGT and relogin", ioe);
+ userGroupInformation = null;
+ }
 }
- final ServiceTags serviceTag = serviceTags;
- ServiceTags ret = Subject.doAs(sub, new PrivilegedAction<ServiceTags>() {
- @Override
- public ServiceTags run() {
- try{
- return uploadServiceTags(serviceTag);
- }catch (Exception e) {
- LOG.error("Upload of service-tags failed with message ", e);
- }
- return null;
+ if (userGroupInformation != null) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Using Principal = " + principal + ", keytab = " + keytab);
 }
- });
- return ret;
+ final ServiceTags serviceTag = serviceTags;
+ ServiceTags ret = userGroupInformation.doAs(new PrivilegedAction<ServiceTags>() {
+ @Override
+ public ServiceTags run() {
+ try {
+ return uploadServiceTags(serviceTag);
+ } catch (Exception e) {
+ LOG.error("Upload of service-tags failed with message ", e);
+ }
+ return null;
+ }
+ });
+ return ret;
+ } else {
+ LOG.error("Failed to get 
UserGroupInformation.getLoginUser()");
+ return null; // This will cause retries !!!
+ }
 }catch(Exception e){
 LOG.error("Upload of service-tags failed with message ", e);
 }
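Review bot: `userGroupInformation.checkTGTAndReloginFromKeytab()` only refreshes the ticket when Hadoop security is enabled in the JVM's Configuration and UGI considers the login user keytab-based; whether the Subject that `SecureClientLogin.loginUserFromKeytab` produces in initialize() satisfies that check is not visible here, and if it does not, the call silently does nothing and uploads would start failing once the TGT expires — the very case this commit is meant to cover. Please confirm against the Hadoop version TagSync builds with and note the dependency at the call: `// No-op unless the login UGI is keytab-based and security is enabled; an expired TGT then surfaces as upload failures.` Separately, when the relogin throws, the code nulls the UGI and falls into the `else` that logs `Failed to get UserGroupInformation.getLoginUser()`, which misstates what happened (the relogin error was already logged); returning from the catch directly, or wording the else message as the UGI being unusable, keeps the log accurate. doUpload()'s body continues past the end of this hunk.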