[ https://issues.apache.org/jira/browse/RANGER-4481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17776988#comment-17776988 ]
Xuze Yang commented on RANGER-4481: ----------------------------------- Add a configuration item to enable RangerAdminRESTClient's getRolesIfUpdated()/getServicePoliciesIfUpdated()/getServiceTagsIfUpdated() use unauthenticated http request may involve a large amount of work. Because we should add this configuration item in all plugin component's configuration file. Another way, when the response code was 401, I tried to clear the supported cache through java reflection. This has been proven to be feasible. !4.png! Now I don't know which modification method is more reasonable, or there are other better modification methods. [~madhan] [~kirbyzhou] > Add a configuration item to support Ranger client not using authentication > -------------------------------------------------------------------------- > > Key: RANGER-4481 > URL: https://issues.apache.org/jira/browse/RANGER-4481 > Project: Ranger > Issue Type: Improvement > Components: Ranger > Affects Versions: 2.1.0 > Reporter: Xuze Yang > Priority: Major > Attachments: 1.png, 2.png, 3.png, 4.png > > > As described in RANGER-3602, ranger supports downloading policies and roles > through unauthenticated http requests even if kerberos is enabled on the > server. > But in terms of the current implementation of RangerAdminRESTClient, whether > to enable authenticated HTTP requests depends on the service in which it is > located. For example, if the Hadoop service has kerberos enabled, then the > RangerAdminRESTClient in the HDFS and Yarn plugins will also use > authenticated HTTP requests. > I think this is not reasonable enough. In this case (both the Ranger server > and Hadoop are enabled for kerberos), the RangerAdminRESTClient of the HDFS > and Yarn plugins should also be allowed to download policies and roles > through unauthenticated HTTP requests. > The reason why I proposed this improvement is due to a bug I encountered in > our production environment. I will introduce the bug I encountered later. -- This message was sent by Atlassian Jira (v8.20.10#820010)