Repository: incubator-hawq Updated Branches: refs/heads/master 3b55bfd67 -> 721f90ff1
HAWQ-1477. Implement Ranger plugin service connect to Ranger admin via kerberos.
Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq/commit/721f90ff
Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq/tree/721f90ff
Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq/diff/721f90ff
Branch: refs/heads/master
Commit: 721f90ff1604edc1bf0a2fc1749b9d7c2fe85804
Parents: 3b55bfd
Author: interma <[email protected]>
Authored: Wed May 31 15:02:18 2017 +0800
Committer: Wen Lin <[email protected]>
Committed: Wed Jun 7 11:24:08 2017 +0800
----------------------------------------------------------------------
ranger-plugin/conf/rps.properties | 11 +++++
ranger-plugin/pom.xml | 5 +++
ranger-plugin/service/pom.xml | 4 ++
.../authorization/RangerHawqPluginResource.java | 44 +++++++++++++++++++-
.../apache/hawq/ranger/authorization/Utils.java | 39 +++++++++++++++++
5 files changed, 101 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/721f90ff/ranger-plugin/conf/rps.properties
----------------------------------------------------------------------
diff --git a/ranger-plugin/conf/rps.properties b/ranger-plugin/conf/rps.properties
index 7565885..2ef4507 100644
--- a/ranger-plugin/conf/rps.properties
+++ b/ranger-plugin/conf/rps.properties
@@ -39,3 +39,14 @@ CATALINA_HOME=${CATALINA_HOME:-/usr/lib/bigtop-tomcat}
 # use JAVA_HOME in default and use /usr/java/default if JAVA_HOME not set
 JAVA_HOME=${JAVA_HOME:-/usr/java/default}
+
+# RPS connect to RangerAdmin authentication type: simple or kerberos
+RPS_AUTH=simple
+
+# kerberos client principal, e.g. postgres
+# can set empty (use the current kinit context)
+RPS_PRINCIPAL=
+
+# kerberos client keytab file, e.g. /etc/security/keytabs/hawq.service.keytab
+# can set empty (use the current kinit context)
+RPS_KEYTAB=
http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/721f90ff/ranger-plugin/pom.xml
----------------------------------------------------------------------
diff --git a/ranger-plugin/pom.xml b/ranger-plugin/pom.xml
index bf2d718..80e09fe 100644
--- a/ranger-plugin/pom.xml
+++ b/ranger-plugin/pom.xml
@@ -269,6 +269,11 @@
 <version>${hadoop.version}</version>
 </dependency>
 <dependency>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-common</artifactId>
+ <version>${hadoop.version}</version>
+ </dependency>
+ <dependency>
 <groupId>javax.servlet</groupId>
 <artifactId>servlet-api</artifactId>
 <version>2.5</version>
http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/721f90ff/ranger-plugin/service/pom.xml
----------------------------------------------------------------------
diff --git a/ranger-plugin/service/pom.xml b/ranger-plugin/service/pom.xml
index ed4ccdb..be61934 100644
--- a/ranger-plugin/service/pom.xml
+++ b/ranger-plugin/service/pom.xml
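Review bot: The comments on `RPS_PRINCIPAL` and `RPS_KEYTAB` say each "can set empty (use the current kinit context)", but the constructor added to RangerHawqPluginResource in this commit only calls `loginUserFromKeytab` when both values are non-empty, so setting just one of them silently falls back to the ticket cache without any log line. The comment should state the actual contract, e.g. `# both RPS_PRINCIPAL and RPS_KEYTAB must be set to log in from a keytab; if either is empty the current kinit context is used`. It would also help operators to note next to `RPS_KEYTAB` that the file must be readable by the account the RPS runs as and should not be readable by other users.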
@@ -104,6 +104,10 @@
 <groupId>org.apache.hadoop</groupId>
 <artifactId>hadoop-hdfs</artifactId>
 </dependency>
+ <dependency>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-common</artifactId>
+ </dependency>
 <dependency>
 <groupId>log4j</groupId>
http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/721f90ff/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqPluginResource.java
----------------------------------------------------------------------
diff --git a/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqPluginResource.java b/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqPluginResource.java
index 26a7660..42f49e8 100644
--- a/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqPluginResource.java
+++ b/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqPluginResource.java
@@ -28,7 +28,9 @@ import org.apache.hawq.ranger.authorization.model.AuthorizationResponse;
 import javax.ws.rs.*;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
-import java.util.Date;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
 /**
  * JAX-RS resource for the authorization endpoint.
@@ -45,8 +47,46 @@ public class RangerHawqPluginResource {
 /**
 * Constructor. Creates a new instance of the resource that uses <code>RangerHawqAuthorizer</code>.
 */
- public RangerHawqPluginResource() {
+ public RangerHawqPluginResource()
+ {
+ // set UserGroupInformation under kerberos authentication
+ if (Utils.getAuth() == Utils.AuthMethod.KERBEROS)
+ {
+ Configuration conf = new Configuration();
+ conf.set("hadoop.security.authentication", "kerberos");
+ UserGroupInformation.setConfiguration(conf);
+
+ String prin = Utils.getPrincipal();
+ String keytab = Utils.getKeytab();
+
+ if ( !prin.equals("") && !keytab.equals("") )
+ {
+ try
+ {
+ UserGroupInformation.loginUserFromKeytab(prin, keytab);
+ }
+ catch (Exception e)
+ {
+ LOG.warn(String.format("loginUserFromKeytab failed, user[%s], keytab[%s]", prin, keytab));
+ }
+ }
+ }
+
+ if (LOG.isDebugEnabled())
+ {
+ try
+ {
+ UserGroupInformation user = UserGroupInformation.getLoginUser();
+ LOG.debug(String.format("login user: %s", user));
+ }
+ catch (Exception e)
+ {
+ LOG.warn("get login user failed exception: " + e);
+ }
+ }
+
 this.authorizer = RangerHawqAuthorizer.getInstance();
+
 }
http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/721f90ff/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/Utils.java
----------------------------------------------------------------------
diff --git a/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/Utils.java b/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/Utils.java
index a3579a9..3eede6e 100644
--- a/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/Utils.java
+++ b/ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/Utils.java
@@ -26,6 +26,7 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.util.Properties;
+
 /**
  * Utility class for reading values from the environment with falling back to reading them from the property file.
  */
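Review bot: A failed `UserGroupInformation.loginUserFromKeytab` is reduced to a warning that drops the exception, and the constructor then continues to `RangerHawqAuthorizer.getInstance()`, so a wrong principal or an unreadable keytab produces a resource that initializes "successfully" and only fails later when the plugin contacts Ranger Admin, with the root cause absent from the log. At minimum pass the exception to the logger, `LOG.warn(String.format("loginUserFromKeytab failed, user[%s], keytab[%s]", prin, keytab), e);`, and since `RPS_AUTH=kerberos` is an explicit request for Kerberos it is arguably better to fail fast here with `throw new IllegalStateException("kerberos login failed for principal " + prin, e);` after catching `IOException` rather than `Exception`. The `!prin.equals("") && !keytab.equals("")` condition also silently ignores a configuration where only one of the two is set; a warning there would surface a common misconfiguration. Note too that `UserGroupInformation.setConfiguration` and the keytab login are process-wide static state but run in a JAX-RS resource constructor; if this resource is instantiated per request rather than as a singleton, every request repeats the configuration and keytab login, which belongs in a one-time initializer. The enclosing class continues outside the hunk.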
@@ -40,6 +41,16 @@ public abstract class Utils {
 public static final String VERSION_PROPERTY_KEY_FILE = "RPS_VERSION";
 public static final String RANGER_SERVICE_PROPERTY_FILE = "rps.properties";
+ //kerberos support property
+ public static enum AuthMethod { SIMPLE, KERBEROS }
+ public static final String AUTH_KEY_ENV = "auth";
+ public static final String AUTH_KEY_FILE = "RPS_AUTH";
+ public static final String PRINCIPAL_KEY_ENV = "principal";
+ public static final String PRINCIPAL_KEY_FILE = "RPS_PRINCIPAL";
+ public static final String KEYTAB_KEY_ENV = "keytab";
+ public static final String KEYTAB_KEY_FILE = "RPS_KEYTAB";
+
+ private static final Log LOG = LogFactory.getLog(Utils.class);
 private static final Properties properties = readPropertiesFromFile();
@@ -68,6 +79,34 @@ public abstract class Utils {
 }
 /**
+ * Retrieves the authentication
+ * @return kerberos or simple[default]
+ */
+ public static AuthMethod getAuth() {
+ String auth = System.getProperty(AUTH_KEY_ENV, properties.getProperty(AUTH_KEY_FILE, "simple"));
+ if (auth.toLowerCase().equals("kerberos"))
+ return AuthMethod.KERBEROS;
+ else
+ return AuthMethod.SIMPLE;
+ }
+
+ /**
+ * Retrieves the kerberos client principal
+ * @return principal name or ""[default]
+ */
+ public static String getPrincipal() {
+ return System.getProperty(PRINCIPAL_KEY_ENV, properties.getProperty(PRINCIPAL_KEY_FILE, ""));
+ }
+
+ /**
+ * Retrieves the kerberos keytab file path
+ * @return keytab file path or ""[default]
+ */
+ public static String getKeytab() {
+ return System.getProperty(KEYTAB_KEY_ENV, properties.getProperty(KEYTAB_KEY_FILE, ""));
+ }
+
+ /**
+ * Reads properties from the property file.
+ * @return properties read from the file
+ */
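Review bot: `getAuth()` maps every `RPS_AUTH` value other than `kerberos` to `AuthMethod.SIMPLE`, so a typo such as `kerbero` silently downgrades the Ranger Admin connection to simple authentication with nothing in the log. Reject unknown values instead, e.g. `if (!auth.equalsIgnoreCase("simple") && !auth.equalsIgnoreCase("kerberos")) throw new IllegalArgumentException("unknown " + AUTH_KEY_FILE + " value: " + auth);` ahead of the kerberos check, which also replaces the locale-sensitive `toLowerCase().equals("kerberos")` with `equalsIgnoreCase`. The `LOG` field added in the first hunk is not referenced by any line shown here; if it is intended for a warning in `getAuth()` that is the natural place, otherwise it is dead code. `Log` and `LogFactory` are not added by this commit's import hunk, so presumably they are already imported above line 26.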
