[
https://issues.apache.org/jira/browse/RANGER-4481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17776988#comment-17776988
]
Xuze Yang edited comment on RANGER-4481 at 10/26/23 2:52 AM:
-------------------------------------------------------------
Add a configuration item to enable RangerAdminRESTClient's
getRolesIfUpdated()/getServicePoliciesIfUpdated()/getServiceTagsIfUpdated() use
unauthenticated http request may involve a large amount of work. Because we
should add this configuration item in all plugin component's configuration file.
Another way, when the response code was 401, I tried to clear the supported
cache through java reflection. This has been proven to be feasible.
!feasible solution code.png!
Now I don't know which modification method is more reasonable, or there are
other better modification methods. [~madhan] [~kirbyzhou]
was (Author: xuze yang):
Add a configuration item to enable RangerAdminRESTClient's
getRolesIfUpdated()/getServicePoliciesIfUpdated()/getServiceTagsIfUpdated() use
unauthenticated http request may involve a large amount of work. Because we
should add this configuration item in all plugin component's configuration file.
Another way, when the response code was 401, I tried to clear the supported
cache through java reflection. This has been proven to be feasible.
!4.png!
Now I don't know which modification method is more reasonable, or there are
other better modification methods. [~madhan] [~kirbyzhou]
> Add a configuration item to support Ranger client not using authentication
> --------------------------------------------------------------------------
>
> Key: RANGER-4481
> URL: https://issues.apache.org/jira/browse/RANGER-4481
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Affects Versions: 2.1.0
> Reporter: Xuze Yang
> Priority: Major
> Attachments: feasible solution code.png, first http response.png,
> openjdk problem code.png, second http request.png
>
>
> As described in RANGER-3602, ranger supports downloading policies and roles
> through unauthenticated http requests even if kerberos is enabled on the
> server.
> But in terms of the current implementation of RangerAdminRESTClient, whether
> to enable authenticated HTTP requests depends on the service in which it is
> located. For example, if the Hadoop service has kerberos enabled, then the
> RangerAdminRESTClient in the HDFS and Yarn plugins will also use
> authenticated HTTP requests.
> I think this is not reasonable enough. In this case (both the Ranger server
> and Hadoop are enabled for kerberos), the RangerAdminRESTClient of the HDFS
> and Yarn plugins should also be allowed to download policies and roles
> through unauthenticated HTTP requests.
> The reason why I proposed this improvement is due to a bug I encountered in
> our production environment. I will introduce the bug I encountered later.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
