[
https://issues.apache.org/jira/browse/RANGER-4481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17776964#comment-17776964
]
Xuze Yang commented on RANGER-4481:
-----------------------------------
This is a bug in the openjdk code. Someone in the openjdk community has already
raised an issue([https://bugs.openjdk.org/browse/JDK-8208299]), but the issue
is still in an open state, and this issue still exists in the latest version of
openjdk.
Therefore, it is necessary for us to provide a method to avoid the problem on
the ranger side.
CC [~madhan] [~kirbyzhou]
> Add a configuration item to support Ranger client not using authentication
> --------------------------------------------------------------------------
>
> Key: RANGER-4481
> URL: https://issues.apache.org/jira/browse/RANGER-4481
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Affects Versions: 2.1.0
> Reporter: Xuze Yang
> Priority: Major
> Attachments: 1.png, 2.png, 3.png
>
>
> As described in RANGER-3602, ranger supports downloading policies and roles
> through unauthenticated http requests even if kerberos is enabled on the
> server.
> But in terms of the current implementation of RangerAdminRESTClient, whether
> to enable authenticated HTTP requests depends on the service in which it is
> located. For example, if the Hadoop service has kerberos enabled, then the
> RangerAdminRESTClient in the HDFS and Yarn plugins will also use
> authenticated HTTP requests.
> I think this is not reasonable enough. In this case (both the Ranger server
> and Hadoop are enabled for kerberos), the RangerAdminRESTClient of the HDFS
> and Yarn plugins should also be allowed to download policies and roles
> through unauthenticated HTTP requests.
> The reason why I proposed this improvement is due to a bug I encountered in
> our production environment. I will introduce the bug I encountered later.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
