[GitHub] incubator-hawq pull request #1250: Hawq 1477. Ranger-plugin connect to Range...
Github user stanlyxiang commented on a diff in the pull request:
https://github.com/apache/incubator-hawq/pull/1250#discussion_r120044242
--- Diff:
ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqPluginResource.java
---
@@ -45,8 +47,43 @@
/**
* Constructor. Creates a new instance of the resource that uses
RangerHawqAuthorizer.
*/
-public RangerHawqPluginResource() {
+public RangerHawqPluginResource()
+{
+// set UserGroupInformation under kerberos authentication
+if (Utils.getAuth().equals("kerberos"))
+{
+Configuration conf = new Configuration();
+conf.set("hadoop.security.authentication", "kerberos");
+UserGroupInformation.setConfiguration(conf);
+
+String prin = Utils.getPrincipal();
+String keytab = Utils.getKeytab();
+
+if ( !prin.equals("") && !keytab.equals("") )
+{
+try
+{
+UserGroupInformation.loginUserFromKeytab(prin, keytab);
+}
+catch (Exception e)
+{
+LOG.warn(String.format("loginUserFromKeytab failed,
user[%s], keytab[%s]", prin, keytab));
+}
+}
+}
--- End diff --
To my understanding for this logic, principal and keytab are needed for
loginUserFromKeytab.But the default value of the 2 configurations are empty,
empty values are not work for kerberos, if user set RPS_AUTH to kerberos and
leave them empty, he will only get a warning of "get login user failed" until
the program tries to getLoginUser(). So why don't we check them earlier ?
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] incubator-hawq pull request #1250: Hawq 1477. Ranger-plugin connect to Range...
Github user stanlyxiang commented on a diff in the pull request:
https://github.com/apache/incubator-hawq/pull/1250#discussion_r120044685
--- Diff:
ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqPluginResource.java
---
@@ -45,8 +47,43 @@
/**
* Constructor. Creates a new instance of the resource that uses
RangerHawqAuthorizer.
*/
-public RangerHawqPluginResource() {
+public RangerHawqPluginResource()
+{
+// set UserGroupInformation under kerberos authentication
+if (Utils.getAuth().equals("kerberos"))
+{
+Configuration conf = new Configuration();
+conf.set("hadoop.security.authentication", "kerberos");
+UserGroupInformation.setConfiguration(conf);
+
+String prin = Utils.getPrincipal();
+String keytab = Utils.getKeytab();
+
+if ( !prin.equals("") && !keytab.equals("") )
+{
+try
+{
+UserGroupInformation.loginUserFromKeytab(prin, keytab);
+}
+catch (Exception e)
+{
+LOG.warn(String.format("loginUserFromKeytab failed,
user[%s], keytab[%s]", prin, keytab));
+}
+}
+}
+
+try
+{
+UserGroupInformation user =
UserGroupInformation.getLoginUser();
+LOG.info(String.format("login user: %s", user));
+}
+catch (Exception e)
+{
+LOG.warn("get login user failed");
--- End diff --
If get login user failed, this constructor can run well anyway ?
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] incubator-hawq pull request #1250: Hawq 1477. Ranger-plugin connect to Range...
Github user stanlyxiang commented on a diff in the pull request:
https://github.com/apache/incubator-hawq/pull/1250#discussion_r120043142
--- Diff:
ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/Utils.java
---
@@ -68,6 +77,30 @@ public static String getVersion() {
}
/**
+ * Retrieves the authentication
+ * @return kerberos or simple[default]
+ */
+public static String getAuth() {
+return System.getProperty(AUTH_KEY_ENV,
properties.getProperty(AUTH_KEY_FILE, "simple"));
--- End diff --
public static final String SIMPLE="simple"; and use SIMPLE here. So does
EMPTY_STRING for ""
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] incubator-hawq pull request #1250: Hawq 1477. Ranger-plugin connect to Range...
Github user stanlyxiang commented on a diff in the pull request:
https://github.com/apache/incubator-hawq/pull/1250#discussion_r120042673
--- Diff:
ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqPluginResource.java
---
@@ -45,8 +47,43 @@
/**
* Constructor. Creates a new instance of the resource that uses
RangerHawqAuthorizer.
*/
-public RangerHawqPluginResource() {
+public RangerHawqPluginResource()
+{
+// set UserGroupInformation under kerberos authentication
+if (Utils.getAuth().equals("kerberos"))
--- End diff --
using variable instead of using "kerberos" string everywhere.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] incubator-hawq issue #1250: Hawq 1477. Ranger-plugin connect to Ranger admin...
Github user interma commented on the issue: https://github.com/apache/incubator-hawq/pull/1250 @linwen @stanlyxiang @zhangh43 help to review, tks! --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[jira] [Updated] (HAWQ-1477) Ranger-plugin connect to Ranger admin under kerberos security.
[
https://issues.apache.org/jira/browse/HAWQ-1477?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Hongxu Ma updated HAWQ-1477:
Description:
Ranger-plugin connect to Ranger admin server under kerberos security.
Added three property items in rps.properties
{code}
# RPS connect to RangerAdmin authentication type: simple or kerberos
RPS_AUTH=simple
# kerberos client principal, e.g. postgres
# can set empty (use the current kinit context)
RPS_PRINCIPAL=
# kerberos client keytab file, e.g. /etc/security/keytabs/hawq.service.keytab
# can set empty (use the current kinit context)
RPS_KEYTAB=
{code}
was:
Ranger-plugin connect to Ranger admin server under kerberos security.
add three property items in rps.properties
{code}
# RPS connect to RangerAdmin authentication type: simple or kerberos
RPS_AUTH=simple
# kerberos client principal, e.g. postgres
# can set empty (use the current kinit context)
RPS_PRINCIPAL=
# kerberos client keytab file, e.g. /etc/security/keytabs/hawq.service.keytab
# can set empty (use the current kinit context)
RPS_KEYTAB=
{code}
> Ranger-plugin connect to Ranger admin under kerberos security.
> --
>
> Key: HAWQ-1477
> URL: https://issues.apache.org/jira/browse/HAWQ-1477
> Project: Apache HAWQ
> Issue Type: Sub-task
> Components: Security
>Reporter: Hongxu Ma
>Assignee: Hongxu Ma
> Fix For: backlog
>
>
> Ranger-plugin connect to Ranger admin server under kerberos security.
> Added three property items in rps.properties
> {code}
> # RPS connect to RangerAdmin authentication type: simple or kerberos
> RPS_AUTH=simple
> # kerberos client principal, e.g. postgres
> # can set empty (use the current kinit context)
> RPS_PRINCIPAL=
> # kerberos client keytab file, e.g. /etc/security/keytabs/hawq.service.keytab
> # can set empty (use the current kinit context)
> RPS_KEYTAB=
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
[jira] [Updated] (HAWQ-1477) Ranger-plugin connect to Ranger admin under kerberos security.
[ https://issues.apache.org/jira/browse/HAWQ-1477?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Hongxu Ma updated HAWQ-1477: Description: Ranger-plugin connect to Ranger admin server under kerberos security. add three property items in rps.properties [code] # RPS connect to RangerAdmin authentication type: simple or kerberos RPS_AUTH=simple # kerberos client principal, e.g. postgres # can set empty (use the current kinit context) RPS_PRINCIPAL= # kerberos client keytab file, e.g. /etc/security/keytabs/hawq.service.keytab # can set empty (use the current kinit context) RPS_KEYTAB= [code] was:Ranger-plugin connect to Ranger admin server under kerberos security. > Ranger-plugin connect to Ranger admin under kerberos security. > -- > > Key: HAWQ-1477 > URL: https://issues.apache.org/jira/browse/HAWQ-1477 > Project: Apache HAWQ > Issue Type: Sub-task > Components: Security >Reporter: Hongxu Ma >Assignee: Hongxu Ma > Fix For: backlog > > > Ranger-plugin connect to Ranger admin server under kerberos security. > add three property items in rps.properties > [code] > # RPS connect to RangerAdmin authentication type: simple or kerberos > RPS_AUTH=simple > # kerberos client principal, e.g. postgres > # can set empty (use the current kinit context) > RPS_PRINCIPAL= > # kerberos client keytab file, e.g. /etc/security/keytabs/hawq.service.keytab > # can set empty (use the current kinit context) > RPS_KEYTAB= > [code] -- This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Updated] (HAWQ-1477) Ranger-plugin connect to Ranger admin under kerberos security.
[
https://issues.apache.org/jira/browse/HAWQ-1477?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Hongxu Ma updated HAWQ-1477:
Description:
Ranger-plugin connect to Ranger admin server under kerberos security.
add three property items in rps.properties
{code}
# RPS connect to RangerAdmin authentication type: simple or kerberos
RPS_AUTH=simple
# kerberos client principal, e.g. postgres
# can set empty (use the current kinit context)
RPS_PRINCIPAL=
# kerberos client keytab file, e.g. /etc/security/keytabs/hawq.service.keytab
# can set empty (use the current kinit context)
RPS_KEYTAB=
{code}
was:
Ranger-plugin connect to Ranger admin server under kerberos security.
add three property items in rps.properties
[code]
# RPS connect to RangerAdmin authentication type: simple or kerberos
RPS_AUTH=simple
# kerberos client principal, e.g. postgres
# can set empty (use the current kinit context)
RPS_PRINCIPAL=
# kerberos client keytab file, e.g. /etc/security/keytabs/hawq.service.keytab
# can set empty (use the current kinit context)
RPS_KEYTAB=
[code]
> Ranger-plugin connect to Ranger admin under kerberos security.
> --
>
> Key: HAWQ-1477
> URL: https://issues.apache.org/jira/browse/HAWQ-1477
> Project: Apache HAWQ
> Issue Type: Sub-task
> Components: Security
>Reporter: Hongxu Ma
>Assignee: Hongxu Ma
> Fix For: backlog
>
>
> Ranger-plugin connect to Ranger admin server under kerberos security.
> add three property items in rps.properties
> {code}
> # RPS connect to RangerAdmin authentication type: simple or kerberos
> RPS_AUTH=simple
> # kerberos client principal, e.g. postgres
> # can set empty (use the current kinit context)
> RPS_PRINCIPAL=
> # kerberos client keytab file, e.g. /etc/security/keytabs/hawq.service.keytab
> # can set empty (use the current kinit context)
> RPS_KEYTAB=
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
