This is an automated email from the ASF dual-hosted git repository. mehul pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 8248039 RANGER-3345 : Default Ranger policy for KMS should include 'om' user for Ozone bucket level encryption to work
8248039 is described below
commit 8248039709eacab568491601f240d55a7a0d0942
Author: mateenmansoori <ma3naus...@gmail.com>
AuthorDate: Tue Jul 27 11:58:38 2021 +0530
RANGER-3345 : Default Ranger policy for KMS should include 'om' user for Ozone bucket level encryption to work
Signed-off-by: Mehul Parikh <me...@apache.org>
---
.../org/apache/ranger/services/kms/RangerServiceKMS.java | 13 ++++++++++++-
.../src/main/resources/conf.dist/ranger-admin-site.xml | 4 ++++
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java
index 8af592b..eb48318 100644
--- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java
@@ -112,17 +112,20 @@ public class RangerServiceKMS extends RangerBaseService {
 		String adminUser = getLookupUser(authType, adminPrincipal, adminKeytab);
-		// Add default policies for HDFS & HIVE users.
+		// Add default policies for HDFS, HIVE, HABSE & OM users.
 		List<RangerServiceDef.RangerAccessTypeDef> hdfsAccessTypeDefs = new ArrayList<RangerServiceDef.RangerAccessTypeDef>();
+		List<RangerServiceDef.RangerAccessTypeDef> omAccessTypeDefs = new ArrayList<RangerServiceDef.RangerAccessTypeDef>();
 		List<RangerServiceDef.RangerAccessTypeDef> hiveAccessTypeDefs = new ArrayList<RangerServiceDef.RangerAccessTypeDef>();
 		List<RangerServiceDef.RangerAccessTypeDef> hbaseAccessTypeDefs = new ArrayList<RangerServiceDef.RangerAccessTypeDef>();
 		for(RangerServiceDef.RangerAccessTypeDef accessTypeDef : serviceDef.getAccessTypes()) {
 			if (accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_GET_METADATA)) {
 				hdfsAccessTypeDefs.add(accessTypeDef);
+				omAccessTypeDefs.add(accessTypeDef);
 				hiveAccessTypeDefs.add(accessTypeDef);
 			} else if (accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_GENERATE_EEK)) {
 				hdfsAccessTypeDefs.add(accessTypeDef);
+				omAccessTypeDefs.add(accessTypeDef);
 			} else if (accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_DECRYPT_EEK)) {
 				hiveAccessTypeDefs.add(accessTypeDef);
 				hbaseAccessTypeDefs.add(accessTypeDef);
@@ -156,6 +159,14 @@ public class RangerServiceKMS extends RangerBaseService {
 			policyItems.add(policyItem);
 		}
+		final String omUser = getConfig().get("ranger.kms.service.user.om", "om");
+		if (StringUtils.isNotEmpty(omUser)) {
+			LOG.info("Creating default KMS policy item for " + omUser);
+			List<String> users = new ArrayList<String>();
+			users.add(omUser);
+			RangerPolicy.RangerPolicyItem policyItem = createDefaultPolicyItem(omAccessTypeDefs, users);
+			policyItems.add(policyItem);
+		}
 		String hiveUser = getConfig().get("ranger.kms.service.user.hive", "hive");
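Review bot: The rewritten comment on the first `+` line of the first hunk misspells HBase as `HABSE`; it should read `// Add default policies for HDFS, HIVE, HBASE & OM users.`. The new `omAccessTypeDefs` list is populated only in the GET_METADATA and GENERATE_EEK branches, mirroring `hdfsAccessTypeDefs` and leaving the OM principal without DECRYPT_EEK, which looks deliberate but is worth stating at the declaration, e.g. `// OM, like the NameNode, only needs to generate EEKs and read key metadata; decrypt stays with hive/hbase.` so a later reader does not "fix" it by adding decrypt. The enclosing method begins before this hunk and continues past it.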
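Review bot: The guard on the second `+` line of the second hunk uses `StringUtils.isNotEmpty(omUser)`, so a whitespace-only `ranger.kms.service.user.om` value in ranger-admin-site.xml still yields a default policy item for a blank user name; `if (StringUtils.isNotBlank(omUser)) {` would reject it, unless the neighbouring hive/hbase blocks use `isNotEmpty` on purpose and consistency is preferred. The fallback `"om"` is now duplicated between this `getConfig().get(...)` call and the new conf.dist property in the second file, so the two can drift silently; if the class already keeps constants for the other service-user defaults, a `DEFAULT_OM_USER` alongside them would be the place for it. `omUser` is declared `final` while `hiveUser` on the following context line is not, a small style inconsistency within the same method. The enclosing method starts and ends outside the hunk.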
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
index 12eb8fe..793c479 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
@@ -313,6 +313,10 @@
 		<name>ranger.kms.service.user.hbase</name>
 		<value>hbase</value>
 	</property>
+	<property>
+		<name>ranger.kms.service.user.om</name>
+		<value>om</value>
+	</property>
 	<property>
 		<name>ranger.audit.hive.query.visibility</name>