[
https://issues.apache.org/jira/browse/RANGER-5116?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17921624#comment-17921624
]
Madhan Neethiraj edited comment on RANGER-5116 at 1/28/25 7:24 AM:
-------------------------------------------------------------------
The following properties in the plugin configuration file (like
{{ranger-trino-security.xml}}) would trigger the plugin to initialize
UserGroupInformation from the specified keytab. This Kerberos principal will be
used by the plugin to authenticate itself with Ranger admin to download
policies/tags/roles. Also, this principal will be used to authenticate with
HDFS to write audit logs to HDFS.
{noformat}
ranger.plugin.trino.ugi.initialize=true
ranger.plugin.trino.ugi.login.type=keytab
[email protected]
ranger.plugin.trino.ugi.keytab.file=/etc/keytabs/trino.keytab
{noformat}
In addition to the above, make sure to have the following configurations in place:
# set up Kerberos configuration in /etc/krb5.conf
# {{hadoop.security.authentication=kerberos}} in core-site.xml in the classpath
was (Author: madhan.neethiraj):
The following properties in the plugin configuration file (like
{{ranger-trino-security.xml}}) would trigger the plugin to initialize
UserGroupInformation from the specified keytab. This Kerberos principal will be
used by the plugin to authenticate itself with Ranger admin to download
policies/tags/roles. Also, this principal will be used to authenticate with
HDFS to write audit logs to HDFS.
{noformat}
ranger.plugin.kafka.ugi.initialize=true
ranger.plugin.kafka.ugi.login.type=keytab
[email protected]
ranger.plugin.kafka.ugi.keytab.file=/etc/keytabs/trino.keytab
{noformat}
In addition to the above, make sure to have the following configurations in place:
# set up Kerberos configuration in /etc/krb5.conf
# {{hadoop.security.authentication=kerberos}} in core-site.xml in the classpath
> Ranger plugin to support configurations to initialize kerberos identity
> -----------------------------------------------------------------------
>
> Key: RANGER-5116
> URL: https://issues.apache.org/jira/browse/RANGER-5116
> Project: Ranger
> Issue Type: Improvement
> Components: plugins
> Reporter: Madhan Neethiraj
> Assignee: Madhan Neethiraj
> Priority: Major
> Fix For: 3.0.0, 2.6.0
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> In deployments using Kerberos to authenticate with Ranger admin server,
> Ranger plugins use the Kerberos identity returned by
> UserGroupInformation.getLoginUser() to authenticate with Ranger admin server.
> This identity is also used by HDFS audit write to authenticate with HDFS
> services.
> Ranger plugin relies on its host service (like HDFS, Hive, HBase, Knox,
> Impala) to establish the identity in UserGroupInformation. To support
> services that don't use UserGroupInformation (like Trino), the plugin should
> be enhanced to initialize Kerberos identity from its configurations.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
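
A pre-flight check for the settings listed in the comment above, as an added example that is not part of the Jira message or of Ranger's code. It assumes the plugin file and core-site.xml use the Hadoop-style {{<configuration>/<property>}} XML layout; the keytab permission check and the names {{check_plugin_kerberos}}, {{load_hadoop_xml}} and {{to_xml}} are additions made here.

```python
import os
import stat
import xml.etree.ElementTree as ET

PREFIX = "ranger.plugin.trino.ugi"  # property prefix as shown in the comment

def load_hadoop_xml(text):
    """Parse <configuration><property><name/><value/></property> XML into a dict."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        props[(prop.findtext("name") or "").strip()] = (prop.findtext("value") or "").strip()
    return props

def check_plugin_kerberos(plugin_xml, core_site_xml):
    """Return a list of findings; an empty list means every check passed."""
    plugin, core = load_hadoop_xml(plugin_xml), load_hadoop_xml(core_site_xml)
    findings = []
    if plugin.get(PREFIX + ".initialize", "").lower() != "true":
        findings.append(PREFIX + ".initialize is not true")
    if plugin.get(PREFIX + ".login.type") != "keytab":
        findings.append(PREFIX + ".login.type is not keytab")
    # The principal property line is obscured on the page, so it is not checked here.
    keytab = plugin.get(PREFIX + ".keytab.file")
    if not keytab:
        findings.append(PREFIX + ".keytab.file is not set")
    else:
        try:
            mode = os.stat(keytab).st_mode
        except OSError as exc:
            findings.append(f"keytab {keytab}: {exc.strerror}")
        else:
            # Added hardening check (not from the comment): a keytab holds
            # long-term keys, so only the service account should have access.
            if not stat.S_ISREG(mode):
                findings.append(f"keytab {keytab} is not a regular file")
            elif mode & 0o077:
                findings.append(f"keytab {keytab} mode {stat.S_IMODE(mode):o} allows group/other access")
    if core.get("hadoop.security.authentication", "simple").lower() != "kerberos":
        findings.append("core-site.xml: hadoop.security.authentication is not kerberos")
    return findings

def to_xml(props):
    """Build a Hadoop-style configuration document from a dict (used for the sample)."""
    body = "".join(f"<property><name>{k}</name><value>{v}</value></property>" for k, v in props.items())
    return f"<configuration>{body}</configuration>"

if __name__ == "__main__":
    # Constructed sample input mirroring the settings in the comment.
    plugin = to_xml({PREFIX + ".initialize": "true", PREFIX + ".login.type": "keytab",
                     PREFIX + ".keytab.file": "/etc/keytabs/trino.keytab"})
    core = to_xml({"hadoop.security.authentication": "kerberos"})
    for finding in check_plugin_kerberos(plugin, core) or ["all checks passed"]:
        print(finding)
```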