[
https://issues.apache.org/jira/browse/RANGER-1738?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16259441#comment-16259441
]
Don Bosco Durai commented on RANGER-1738:
-----------------------------------------
bq. Velmurugan Periasamy, It's not possible to have RangerYarnAuthorizer work
with multiple versions, as with Hadoop 3.0.0 you have to implement methods that
take arguments that are only available in Hadoop 3.0.0.
[~coheigea], historically we have kept Ranger Admin backward compatible with
all plugin versions and the Plugin compatible with specific versions of the
component only. The reason being, plugins run within the address space of the
component process and it has to be compatible with the component signature. So
we recommend users to use the latest Ranger Admin, but for the plugins, use the
corresponding compatible Ranger Plugin version.
bq. There is a problem then when we call UserGroupInformation.createRemoteUser
in RangerStormAuthorizer, as the UGI in Hadoop 3.0.0 finds the KerberosUtil in
Storm instead of in Hadoop, and doesn't work as a result.
Since we use the shim architecture, we control what library the authorizer
should use. So ideally, we could use Hadoop 2.7 library within our plugin till
3.0 stabilizes. Do you feel, by packaging the libraries in ranger plugin, we
would be able to address your issue?
> RangerYarnAuthorizer not compatible with Hadoop-3.0.0
> -----------------------------------------------------
>
> Key: RANGER-1738
> URL: https://issues.apache.org/jira/browse/RANGER-1738
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Affects Versions: 0.7.1
> Reporter: Hong Shen
> Assignee: Colm O hEigeartaigh
> Fix For: 1.0.0
>
> Attachments:
> 0001-RANGER-1738-RangerYarnAuthorizer-not-compatible-with.patch
>
>
> In the newest hadoop version 3.0.0, YarnAuthorizationProvider has changed.
> The new YarnAuthorizationProvider.java has change the methods checkPermission
> and setPermission,
> {code:title=YarnAuthorizationProvider.java|borderStyle=solid}
> /**
> * Check if user has the permission to access the target object.
> *
> * @param accessRequest
> * the request object which contains all the access context info.
> * @return true if user can access the object, otherwise false.
> */
> public abstract boolean checkPermission(AccessRequest accessRequest);
> /**
> * Set permissions for the target object.
> *
> * @param permissions
> * A list of permissions on the target object.
> * @param ugi User who sets the permissions.
> */
> public abstract void setPermission(List<Permission> permissions,
> UserGroupInformation ugi);
> {code}
> But the RangerYarnAuthorizer extends YarnAuthorizationProvider impletement
> the old method.
> {code:title=RangerYarnAuthorizer.java|borderStyle=solid}
> @Override
> public void setPermission(PrivilegedEntity entity, Map<AccessType,
> AccessControlList> permission, UserGroupInformation ugi) {
> ...
> @Override
> public boolean checkPermission(AccessType accessType, PrivilegedEntity
> entity, UserGroupInformation ugi) {
> {code}
> I think yarn plugin should also impletement the new method. I will add a
> patch for it.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
