This is an automated email from the ASF dual-hosted git repository.
pradeep pushed a commit to branch RANGER-4076_master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/RANGER-4076_master by this
push:
new c39c5176d Revert "RANGER-5488: Allow clients to access secure API
endpoints in Ranger admin forcibly via config (#849)"
c39c5176d is described below
commit c39c5176d3bf3511d25b915b1d3e898add6e7daa
Author: Pradeep AgrawaL <[email protected]>
AuthorDate: Tue Feb 24 07:00:25 2026 +0530
Revert "RANGER-5488: Allow clients to access secure API endpoints in Ranger
admin forcibly via config (#849)"
This reverts commit 370edde40a2efefb93c5feefdae6bcac4aa2b708.
---
.../admin/client/AbstractRangerAdminClient.java | 15 +-
.../ranger/admin/client/RangerAdminRESTClient.java | 165 +++++++++++----------
.../ranger/plugin/util/RangerRESTClient.java | 4 -
.../client/TestAbstractRangerAdminClient.java | 9 --
.../admin/client/RangerAdminJersey2RESTClient.java | 54 ++++---
5 files changed, 124 insertions(+), 123 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/admin/client/AbstractRangerAdminClient.java
b/agents-common/src/main/java/org/apache/ranger/admin/client/AbstractRangerAdminClient.java
index 551111f0c..d22a87d42 100644
---
a/agents-common/src/main/java/org/apache/ranger/admin/client/AbstractRangerAdminClient.java
+++
b/agents-common/src/main/java/org/apache/ranger/admin/client/AbstractRangerAdminClient.java
@@ -23,7 +23,6 @@
import com.google.gson.GsonBuilder;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.ranger.audit.provider.MiscUtil;
import org.apache.ranger.plugin.model.RangerRole;
import org.apache.ranger.plugin.util.GrantRevokeRequest;
import org.apache.ranger.plugin.util.GrantRevokeRoleRequest;
@@ -44,8 +43,6 @@ public abstract class AbstractRangerAdminClient implements
RangerAdminClient {
private boolean forceNonKerberos;
- private boolean forceSecureEndpointAccess;
-
@Override
public void init(String serviceName, String appId, String
configPropertyPrefix, Configuration config) {
Gson gson = null;
@@ -57,8 +54,7 @@ public void init(String serviceName, String appId, String
configPropertyPrefix,
}
this.gson = gson;
- this.forceNonKerberos =
config.getBoolean(configPropertyPrefix + ".forceNonKerberos", false);
- this.forceSecureEndpointAccess =
config.getBoolean(configPropertyPrefix + ".forceSecureEndpointAccess", false);
+ this.forceNonKerberos = config.getBoolean(configPropertyPrefix +
".forceNonKerberos", false);
}
@Override
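Review bot: `forceNonKerberos` is read from configuration at the end of `init()` without any log entry, yet `isKerberosEnabled(UserGroupInformation)` later in this file returns false whenever it is set, so a client can run with Kerberos turned off and leave no trace of it. I would log it once at startup, e.g. `if (forceNonKerberos) { LOG.warn("{}.forceNonKerberos=true: isKerberosEnabled() will always return false", configPropertyPrefix); }`. `init()` begins above this hunk, so anything it already logs there is not visible here.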
@@ -131,21 +127,12 @@ public ServiceGdsInfo getGdsInfoIfUpdated(long
lastKnownVersion, long lastActiva
return null;
}
- public boolean isAuthenticationEnabled() {
- return forceSecureEndpointAccess || isKerberosEnabled();
- }
-
- public boolean isKerberosEnabled() {
- return isKerberosEnabled(MiscUtil.getUGILoginUser());
- }
-
public boolean isKerberosEnabled(UserGroupInformation user) {
final boolean ret;
if (forceNonKerberos) {
ret = false;
} else {
- LOG.debug("UGI user: {}", user);
ret = user != null && UserGroupInformation.isSecurityEnabled() &&
user.hasKerberosCredentials();
}
diff --git
a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
index c6bbbb586..847dfe160 100644
---
a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
+++
b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
@@ -22,6 +22,7 @@
import com.fasterxml.jackson.core.type.TypeReference;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.AccessControlException;
+import org.apache.hadoop.security.UserGroupInformation;
import org.apache.http.HttpStatus;
import org.apache.ranger.admin.client.datatype.RESTResponse;
import org.apache.ranger.audit.provider.MiscUtil;
@@ -130,7 +131,8 @@ public ServicePolicies getServicePoliciesIfUpdated(final
long lastKnownVersion,
LOG.debug("==> RangerAdminRESTClient.getServicePoliciesIfUpdated({},
{})", lastKnownVersion, lastActivationTimeInMillis);
final ServicePolicies ret;
- final boolean isSecureMode = isAuthenticationEnabled();
+ final UserGroupInformation user = MiscUtil.getUGILoginUser();
+ final boolean isSecureMode = isKerberosEnabled(user);
final Cookie sessionId = this.sessionId;
final Map<String, String> queryParams = new HashMap<>();
@@ -144,7 +146,7 @@ public ServicePolicies getServicePoliciesIfUpdated(final
long lastKnownVersion,
final Response response;
if (isSecureMode) {
- LOG.debug("Checking Service policy if updated");
+ LOG.debug("Checking Service policy if updated as user : {}", user);
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> {
try {
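Review bot: The debug line `Checking Service policy if updated as user : {}` reports `user`, which was captured by `MiscUtil.getUGILoginUser()` at the top of the method, but the call to `MiscUtil.executePrivilegedAction(...)` right below is not given that object. How the helper picks the identity it runs under is not visible in this diff, so the log may name a principal that is not guaranteed to be the one that made the request. A comment such as `// user is a snapshot for logging only; executePrivilegedAction resolves the identity itself` would make that explicit, or the message could say `login user` instead of `as user`. The same wording is added in the secure branches of the other methods in this file.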
@@ -169,12 +171,12 @@ public ServicePolicies getServicePoliciesIfUpdated(final
long lastKnownVersion,
if (response == null || response.getStatus() ==
HttpServletResponse.SC_NOT_MODIFIED || response.getStatus() ==
HttpServletResponse.SC_NO_CONTENT) {
if (response == null) {
- LOG.error("Error getting policies; Received NULL response!!.
secureMode={}, serviceName={}", isSecureMode, serviceName);
+ LOG.error("Error getting policies; Received NULL response!!.
secureMode={}, user={}, serviceName={}", isSecureMode, user, serviceName);
} else {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.debug("No change in policies. secureMode={}, response={},
serviceName={}, lastKnownVersion={}, lastActivationTimeInMillis={}",
- isSecureMode, resp, serviceName, lastKnownVersion,
lastActivationTimeInMillis);
+ LOG.debug("No change in policies. secureMode={}, user={},
response={}, serviceName={}, lastKnownVersion={},
lastActivationTimeInMillis={}",
+ isSecureMode, user, resp, serviceName,
lastKnownVersion, lastActivationTimeInMillis);
}
ret = null;
@@ -183,8 +185,8 @@ public ServicePolicies getServicePoliciesIfUpdated(final
long lastKnownVersion,
} else if (response.getStatus() == HttpServletResponse.SC_NOT_FOUND) {
ret = null;
- LOG.error("Error getting policies; service not found.
secureMode={}, response={}, serviceName={}, lastKnownVersion={},
lastActivationTimeInMillis={}",
- isSecureMode, response.getStatus(), serviceName,
lastKnownVersion, lastActivationTimeInMillis);
+ LOG.error("Error getting policies; service not found.
secureMode={}, user={}, response={}, serviceName={}, lastKnownVersion={},
lastActivationTimeInMillis={}",
+ isSecureMode, user, response.getStatus(), serviceName,
lastKnownVersion, lastActivationTimeInMillis);
String exceptionMsg = response.hasEntity() ?
response.readEntity(String.class) : null;
@@ -194,7 +196,7 @@ public ServicePolicies getServicePoliciesIfUpdated(final
long lastKnownVersion,
} else {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.warn("Error getting policies. secureMode={}, response={},
serviceName={}", isSecureMode, resp, serviceName);
+ LOG.warn("Error getting policies. secureMode={}, user={},
response={}, serviceName={}", isSecureMode, user, resp, serviceName);
ret = null;
}
@@ -209,7 +211,8 @@ public RangerRoles getRolesIfUpdated(final long
lastKnownRoleVersion, final long
LOG.debug("==> RangerAdminRESTClient.getRolesIfUpdated({}, {})",
lastKnownRoleVersion, lastActivationTimeInMillis);
final RangerRoles ret;
- final boolean isSecureMode = isAuthenticationEnabled();
+ final UserGroupInformation user = MiscUtil.getUGILoginUser();
+ final boolean isSecureMode = isKerberosEnabled(user);
final Cookie sessionId = this.sessionId;
final Map<String, String> queryParams = new HashMap<>();
@@ -222,7 +225,7 @@ public RangerRoles getRolesIfUpdated(final long
lastKnownRoleVersion, final long
final Response response;
if (isSecureMode) {
- LOG.debug("Checking Roles");
+ LOG.debug("Checking Roles updated as user : {}", user);
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> {
try {
@@ -236,7 +239,7 @@ public RangerRoles getRolesIfUpdated(final long
lastKnownRoleVersion, final long
return null;
});
} else {
- LOG.debug("Checking Roles (non-secure)");
+ LOG.debug("Checking Roles updated as user : {}", user);
String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_GET_USER_GROUP_ROLES + serviceNameUrlParam;
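Review bot: The non-secure branch now logs `Checking Roles updated as user : {}`, the same text as the secure branch in the preceding hunk, so a debug log no longer shows which path the request took. In the `else` branch no privileged action is run, so `as user` also suggests an identity that, as far as this hunk shows, is not applied to the call. I would keep the branches distinguishable, e.g. `LOG.debug("Checking Roles updated (non-secure), login user : {}", user);`. The `else` branch of `getUserStoreIfUpdated` further down has the same duplicate message.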
@@ -247,12 +250,12 @@ public RangerRoles getRolesIfUpdated(final long
lastKnownRoleVersion, final long
if (response == null || response.getStatus() ==
HttpServletResponse.SC_NOT_MODIFIED || response.getStatus() ==
HttpServletResponse.SC_NO_CONTENT) {
if (response == null) {
- LOG.error("Error getting Roles; Received NULL response!!.
secureMode={}, serviceName={}", isSecureMode, serviceName);
+ LOG.error("Error getting Roles; Received NULL response!!.
secureMode={}, user={}, serviceName={}", isSecureMode, user, serviceName);
} else {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.debug("No change in Roles. secureMode={}, response={},
serviceName={}, lastKnownRoleVersion={}, lastActivationTimeInMillis={}",
- isSecureMode, resp, serviceName, lastKnownRoleVersion,
lastActivationTimeInMillis);
+ LOG.debug("No change in Roles. secureMode={}, user={},
response={}, serviceName={}, lastKnownRoleVersion={},
lastActivationTimeInMillis={}",
+ isSecureMode, user, resp, serviceName,
lastKnownRoleVersion, lastActivationTimeInMillis);
}
ret = null;
@@ -261,8 +264,8 @@ public RangerRoles getRolesIfUpdated(final long
lastKnownRoleVersion, final long
} else if (response.getStatus() == HttpServletResponse.SC_NOT_FOUND) {
ret = null;
- LOG.error("Error getting Roles; service not found. secureMode={},
response={}, serviceName={}, lastKnownRoleVersion={},
lastActivationTimeInMillis={}",
- isSecureMode, response.getStatus(), serviceName,
lastKnownRoleVersion, lastActivationTimeInMillis);
+ LOG.error("Error getting Roles; service not found. secureMode={},
user={}, response={}, serviceName={}, lastKnownRoleVersion={},
lastActivationTimeInMillis={}",
+ isSecureMode, user, response.getStatus(), serviceName,
lastKnownRoleVersion, lastActivationTimeInMillis);
String exceptionMsg = response.hasEntity() ?
response.readEntity(String.class) : null;
@@ -272,7 +275,7 @@ public RangerRoles getRolesIfUpdated(final long
lastKnownRoleVersion, final long
} else {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.warn("Error getting Roles. secureMode={}, response={},
serviceName={}", isSecureMode, resp, serviceName);
+ LOG.warn("Error getting Roles. secureMode={}, user={},
response={}, serviceName={}", isSecureMode, user, resp, serviceName);
ret = null;
}
@@ -287,7 +290,8 @@ public RangerRole createRole(final RangerRole request)
throws Exception {
LOG.debug("==> RangerAdminRESTClient.createRole({})", request);
final RangerRole ret;
- final boolean isSecureMode = isAuthenticationEnabled();
+ final UserGroupInformation user = MiscUtil.getUGILoginUser();
+ final boolean isSecureMode = isKerberosEnabled(user);
final String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_CREATE_ROLE;
final Cookie sessionId = this.sessionId;
final Map<String, String> queryParams = new HashMap<>();
@@ -297,7 +301,7 @@ public RangerRole createRole(final RangerRole request)
throws Exception {
final Response response;
if (isSecureMode) {
- LOG.debug("Create role");
+ LOG.debug("create role as user {}", user);
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> {
try {
@@ -317,7 +321,7 @@ public RangerRole createRole(final RangerRole request)
throws Exception {
if (response != null && response.getStatus() !=
HttpServletResponse.SC_OK) {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.error("createRole() failed: HTTP status={}, message={},
isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode);
+ LOG.error("createRole() failed: HTTP status={}, message={},
isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode,
(isSecureMode ? (", user=" + user) : ""));
if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) {
throw new AccessControlException();
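Review bot: The error message here uses `isSecure={}{}` with a concatenated `(isSecureMode ? (", user=" + user) : "")` argument, while the `...IfUpdated` methods in the same file log a plain `secureMode={}, user={}`; two formats for the same fields make the logs harder to search and parse. The concatenation is also built before the logger is called. I would write `LOG.error("createRole() failed: HTTP status={}, message={}, isSecure={}, user={}", response.getStatus(), resp.getMessage(), isSecureMode, user);`. The same pattern appears in `dropRole`, `getAllRoles`, `getUserRoles`, `getRole`, `grantRole`, `revokeRole`, `grantAccess` and `revokeAccess`.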
@@ -339,7 +343,8 @@ public RangerRole createRole(final RangerRole request)
throws Exception {
public void dropRole(final String execUser, final String roleName) throws
Exception {
LOG.debug("==> RangerAdminRESTClient.dropRole({})", roleName);
- final boolean isSecureMode = isAuthenticationEnabled();
+ final UserGroupInformation user = MiscUtil.getUGILoginUser();
+ final boolean isSecureMode = isKerberosEnabled(user);
final Cookie sessionId = this.sessionId;
final Map<String, String> queryParams = new HashMap<>();
@@ -350,7 +355,7 @@ public void dropRole(final String execUser, final String
roleName) throws Except
final Response response;
if (isSecureMode) {
- LOG.debug("Drop role");
+ LOG.debug("drop role as user {}", user);
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> {
try {
@@ -372,7 +377,7 @@ public void dropRole(final String execUser, final String
roleName) throws Except
} else if (response.getStatus() != HttpServletResponse.SC_OK &&
response.getStatus() != HttpServletResponse.SC_NO_CONTENT) {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.error("createRole() failed: HTTP status={}, message={},
isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode);
+ LOG.error("createRole() failed: HTTP status={}, message={},
isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode,
(isSecureMode ? (", user=" + user) : ""));
if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) {
throw new AccessControlException();
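Review bot: The failure log in this hunk sits in `dropRole` (per the hunk header) but still reads `createRole() failed`, so a failed drop is recorded as a failed create. Anyone reconstructing role changes from client logs would be misled. The string should be `"dropRole() failed: HTTP status={}, message={}, isSecure={}{}"`. The enclosing method starts and ends outside this hunk.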
@@ -388,7 +393,8 @@ public void dropRole(final String execUser, final String
roleName) throws Except
public List<String> getAllRoles(final String execUser) throws Exception {
LOG.debug("==> RangerAdminRESTClient.getAllRoles()");
- final boolean isSecureMode = isAuthenticationEnabled();
+ final UserGroupInformation user = MiscUtil.getUGILoginUser();
+ final boolean isSecureMode = isKerberosEnabled(user);
final String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_GET_ALL_ROLES;
final Cookie sessionId = this.sessionId;
final Map<String, String> queryParams = new HashMap<>();
@@ -399,7 +405,7 @@ public List<String> getAllRoles(final String execUser)
throws Exception {
final Response response;
if (isSecureMode) {
- LOG.debug("Get roles");
+ LOG.debug("get roles as user {}", user);
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> {
try {
@@ -422,7 +428,7 @@ public List<String> getAllRoles(final String execUser)
throws Exception {
if (response.getStatus() != HttpServletResponse.SC_OK) {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.error("getAllRoles() failed: HTTP status={}, message={},
isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode);
+ LOG.error("getAllRoles() failed: HTTP status={}, message={},
isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode,
(isSecureMode ? (", user=" + user) : ""));
if (response.getStatus() ==
HttpServletResponse.SC_UNAUTHORIZED) {
throw new AccessControlException();
@@ -445,13 +451,14 @@ public List<String> getAllRoles(final String execUser)
throws Exception {
public List<String> getUserRoles(final String execUser) throws Exception {
LOG.debug("==> RangerAdminRESTClient.getUserRoles({})", execUser);
- final boolean isSecureMode = isAuthenticationEnabled();
+ final UserGroupInformation user = MiscUtil.getUGILoginUser();
+ final boolean isSecureMode = isKerberosEnabled(user);
final String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_GET_USER_ROLES + execUser;
final Cookie sessionId = this.sessionId;
final Response response;
if (isSecureMode) {
- LOG.debug("Get roles");
+ LOG.debug("get roles as user {}", user);
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> {
try {
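Review bot: `execUser` is appended directly to `REST_URL_SERVICE_GET_USER_ROLES` to form `relativeURL`, so a name containing `/`, `?` or `#` would change the path or query of the request sent to Ranger admin unless a later layer encodes it, which this diff does not show. I would percent-encode the value as a single path segment before concatenating, or at least record the expectation with `// execUser becomes a URL path segment; must be validated or encoded by the caller`. `getRole` builds its URL from `roleName` the same way. The rest of `getUserRoles` lies outside this hunk.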
@@ -474,7 +481,7 @@ public List<String> getUserRoles(final String execUser)
throws Exception {
if (response.getStatus() != HttpServletResponse.SC_OK) {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.error("getUserRoles() failed: HTTP status={}, message={},
isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode);
+ LOG.error("getUserRoles() failed: HTTP status={}, message={},
isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode,
(isSecureMode ? (", user=" + user) : ""));
if (response.getStatus() ==
HttpServletResponse.SC_UNAUTHORIZED) {
throw new AccessControlException();
@@ -497,7 +504,8 @@ public List<String> getUserRoles(final String execUser)
throws Exception {
public RangerRole getRole(final String execUser, final String roleName)
throws Exception {
LOG.debug("==> RangerAdminRESTClient.getRole({}, {})", execUser,
roleName);
- final boolean isSecureMode = isAuthenticationEnabled();
+ final UserGroupInformation user = MiscUtil.getUGILoginUser();
+ final boolean isSecureMode = isKerberosEnabled(user);
final String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_GET_ROLE_INFO + roleName;
final Cookie sessionId = this.sessionId;
final Map<String, String> queryParams = new HashMap<>();
@@ -507,7 +515,7 @@ public RangerRole getRole(final String execUser, final
String roleName) throws E
queryParams.put(RangerRESTUtils.REST_PARAM_EXEC_USER, execUser);
if (isSecureMode) {
- LOG.debug("Get role info");
+ LOG.debug("get role info as user {}", user);
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> {
try {
@@ -530,7 +538,7 @@ public RangerRole getRole(final String execUser, final
String roleName) throws E
if (response.getStatus() != HttpServletResponse.SC_OK) {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.error("getRole() failed: HTTP status={}, message={},
isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode);
+ LOG.error("getRole() failed: HTTP status={}, message={},
isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode,
(isSecureMode ? (", user=" + user) : ""));
if (response.getStatus() ==
HttpServletResponse.SC_UNAUTHORIZED) {
throw new AccessControlException();
@@ -553,13 +561,14 @@ public RangerRole getRole(final String execUser, final
String roleName) throws E
public void grantRole(final GrantRevokeRoleRequest request) throws
Exception {
LOG.debug("==> RangerAdminRESTClient.grantRole({})", request);
- final boolean isSecureMode = isAuthenticationEnabled();
+ final UserGroupInformation user = MiscUtil.getUGILoginUser();
+ final boolean isSecureMode = isKerberosEnabled(user);
final String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_GRANT_ROLE + serviceNameUrlParam;
final Cookie sessionId = this.sessionId;
final Response response;
if (isSecureMode) {
- LOG.debug("Grant role");
+ LOG.debug("grant role as user {}", user);
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> {
try {
@@ -579,7 +588,7 @@ public void grantRole(final GrantRevokeRoleRequest request)
throws Exception {
if (response != null && response.getStatus() !=
HttpServletResponse.SC_OK) {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.error("grantRole() failed: HTTP status={}, message={},
isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode);
+ LOG.error("grantRole() failed: HTTP status={}, message={},
isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode,
(isSecureMode ? (", user=" + user) : ""));
if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) {
throw new AccessControlException();
@@ -597,13 +606,14 @@ public void grantRole(final GrantRevokeRoleRequest
request) throws Exception {
public void revokeRole(final GrantRevokeRoleRequest request) throws
Exception {
LOG.debug("==> RangerAdminRESTClient.revokeRole({})", request);
- final boolean isSecureMode = isAuthenticationEnabled();
+ final UserGroupInformation user = MiscUtil.getUGILoginUser();
+ final boolean isSecureMode = isKerberosEnabled(user);
final String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_REVOKE_ROLE + serviceNameUrlParam;
final Cookie sessionId = this.sessionId;
final Response response;
if (isSecureMode) {
- LOG.debug("Revoke role");
+ LOG.debug("revoke role as user {}", user);
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> {
try {
@@ -623,7 +633,7 @@ public void revokeRole(final GrantRevokeRoleRequest
request) throws Exception {
if (response != null && response.getStatus() !=
HttpServletResponse.SC_OK) {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.error("revokeRole() failed: HTTP status={}, message={},
isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode);
+ LOG.error("revokeRole() failed: HTTP status={}, message={},
isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode,
(isSecureMode ? (", user=" + user) : ""));
if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) {
throw new AccessControlException();
@@ -641,7 +651,8 @@ public void revokeRole(final GrantRevokeRoleRequest
request) throws Exception {
public void grantAccess(final GrantRevokeRequest request) throws Exception
{
LOG.debug("==> RangerAdminRESTClient.grantAccess({})", request);
- final boolean isSecureMode = isAuthenticationEnabled();
+ final UserGroupInformation user = MiscUtil.getUGILoginUser();
+ final boolean isSecureMode = isKerberosEnabled(user);
final Cookie sessionId = this.sessionId;
final Map<String, String> queryParams = new HashMap<>();
@@ -650,7 +661,7 @@ public void grantAccess(final GrantRevokeRequest request)
throws Exception {
final Response response;
if (isSecureMode) {
- LOG.debug("GrantAccess");
+ LOG.debug("grantAccess as user {}", user);
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> {
try {
@@ -674,7 +685,7 @@ public void grantAccess(final GrantRevokeRequest request)
throws Exception {
if (response != null && response.getStatus() !=
HttpServletResponse.SC_OK) {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.error("grantAccess() failed: HTTP status={}, message={},
isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode);
+ LOG.error("grantAccess() failed: HTTP status={}, message={},
isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode,
(isSecureMode ? (", user=" + user) : ""));
if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) {
throw new AccessControlException();
@@ -692,7 +703,8 @@ public void grantAccess(final GrantRevokeRequest request)
throws Exception {
public void revokeAccess(final GrantRevokeRequest request) throws
Exception {
LOG.debug("==> RangerAdminRESTClient.revokeAccess({})", request);
- final boolean isSecureMode = isAuthenticationEnabled();
+ final UserGroupInformation user = MiscUtil.getUGILoginUser();
+ final boolean isSecureMode = isKerberosEnabled(user);
final Cookie sessionId = this.sessionId;
final Map<String, String> queryParams = new HashMap<>();
@@ -701,7 +713,7 @@ public void revokeAccess(final GrantRevokeRequest request)
throws Exception {
final Response response;
if (isSecureMode) {
- LOG.debug("RevokeAccess");
+ LOG.debug("revokeAccess as user {}", user);
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> {
try {
@@ -725,7 +737,7 @@ public void revokeAccess(final GrantRevokeRequest request)
throws Exception {
if (response != null && response.getStatus() !=
HttpServletResponse.SC_OK) {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.error("revokeAccess() failed: HTTP status={}, message={},
isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode);
+ LOG.error("revokeAccess() failed: HTTP status={}, message={},
isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode,
(isSecureMode ? (", user=" + user) : ""));
if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) {
throw new AccessControlException();
@@ -743,7 +755,8 @@ public void revokeAccess(final GrantRevokeRequest request)
throws Exception {
public ServiceTags getServiceTagsIfUpdated(final long lastKnownVersion,
final long lastActivationTimeInMillis) throws Exception {
LOG.debug("==> RangerAdminRESTClient.getServiceTagsIfUpdated({}, {}):
", lastKnownVersion, lastActivationTimeInMillis);
- final boolean isSecureMode = isAuthenticationEnabled();
+ final UserGroupInformation user = MiscUtil.getUGILoginUser();
+ final boolean isSecureMode = isKerberosEnabled(user);
final Cookie sessionId = this.sessionId;
final Map<String, String> queryParams = new HashMap<>();
@@ -756,7 +769,7 @@ public ServiceTags getServiceTagsIfUpdated(final long
lastKnownVersion, final lo
final Response response;
if (isSecureMode) {
- LOG.debug("getServiceTagsIfUpdated");
+ LOG.debug("getServiceTagsIfUpdated as user {}", user);
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> {
try {
@@ -781,12 +794,12 @@ public ServiceTags getServiceTagsIfUpdated(final long
lastKnownVersion, final lo
if (response == null || response.getStatus() ==
HttpServletResponse.SC_NOT_MODIFIED) {
if (response == null) {
- LOG.error("Error getting tags; Received NULL response!!.
secureMode={}, serviceName={}", isSecureMode, serviceName);
+ LOG.error("Error getting tags; Received NULL response!!.
secureMode={}, user={}, serviceName={}", isSecureMode, user, serviceName);
} else {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.debug("No change in tags. secureMode={}, response={},
serviceName={}, lastKnownVersion={}, lastActivationTimeInMillis={}",
- isSecureMode, resp, serviceName, lastKnownVersion,
lastActivationTimeInMillis);
+ LOG.debug("No change in tags. secureMode={}, user={},
response={}, serviceName={}, lastKnownVersion={},
lastActivationTimeInMillis={}",
+ isSecureMode, user, resp, serviceName,
lastKnownVersion, lastActivationTimeInMillis);
}
ret = null;
@@ -795,8 +808,8 @@ public ServiceTags getServiceTagsIfUpdated(final long
lastKnownVersion, final lo
} else if (response.getStatus() == HttpServletResponse.SC_NOT_FOUND) {
ret = null;
- LOG.error("Error getting tags; service not found. secureMode={},
response={}, serviceName={}, lastKnownVersion={},
lastActivationTimeInMillis={}",
- isSecureMode, response.getStatus(), serviceName,
lastKnownVersion, lastActivationTimeInMillis);
+ LOG.error("Error getting tags; service not found. secureMode={},
user={}, response={}, serviceName={}, lastKnownVersion={},
lastActivationTimeInMillis={}",
+ isSecureMode, user, response.getStatus(), serviceName,
lastKnownVersion, lastActivationTimeInMillis);
String exceptionMsg = response.hasEntity() ?
response.readEntity(String.class) : null;
@@ -806,7 +819,7 @@ public ServiceTags getServiceTagsIfUpdated(final long
lastKnownVersion, final lo
} else {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.warn("Error getting tags. secureMode={}, response={},
serviceName={}", isSecureMode, resp, serviceName);
+ LOG.warn("Error getting tags. secureMode={}, user={}, response={},
serviceName={}", isSecureMode, user, resp, serviceName);
ret = null;
}
@@ -821,7 +834,8 @@ public List<String> getTagTypes(String pattern) throws
Exception {
LOG.debug("==> RangerAdminRESTClient.getTagTypes({}): ", pattern);
final String relativeURL =
RangerRESTUtils.REST_URL_LOOKUP_TAG_NAMES;
- final boolean isSecureMode = isAuthenticationEnabled();
+ final UserGroupInformation user = MiscUtil.getUGILoginUser();
+ final boolean isSecureMode = isKerberosEnabled(user);
final Cookie sessionId = this.sessionId;
final Map<String, String> queryParams = new HashMap<>();
@@ -831,7 +845,7 @@ public List<String> getTagTypes(String pattern) throws
Exception {
final Response response;
if (isSecureMode) {
- LOG.debug("getTagTypes");
+ LOG.debug("getTagTypes as user {}", user);
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> {
try {
@@ -869,7 +883,8 @@ public List<String> getTagTypes(String pattern) throws
Exception {
public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, long lastActivationTimeInMillis) throws Exception {
LOG.debug("==> RangerAdminRESTClient.getUserStoreIfUpdated({}, {})",
lastKnownUserStoreVersion, lastActivationTimeInMillis);
- final boolean isSecureMode = isAuthenticationEnabled();
+ final UserGroupInformation user = MiscUtil.getUGILoginUser();
+ final boolean isSecureMode = isKerberosEnabled(user);
final Cookie sessionId = this.sessionId;
final Map<String, String> queryParams = new HashMap<>();
@@ -882,7 +897,7 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
final Response response;
if (isSecureMode) {
- LOG.debug("Checking UserStore if updated");
+ LOG.debug("Checking UserStore updated as user : {}", user);
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> {
try {
@@ -896,7 +911,7 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
return null;
});
} else {
- LOG.debug("Checking UserStore updated");
+ LOG.debug("Checking UserStore updated as user : {}", user);
String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_GET_USERSTORE + serviceNameUrlParam;
@@ -909,12 +924,12 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
if (response == null || response.getStatus() ==
HttpServletResponse.SC_NOT_MODIFIED) {
if (response == null) {
- LOG.error("Error getting UserStore; Received NULL response!!.
secureMode={}, serviceName={}", isSecureMode, serviceName);
+ LOG.error("Error getting UserStore; Received NULL response!!.
secureMode={}, user={}, serviceName={}", isSecureMode, user, serviceName);
} else {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.debug("No change in UserStore. secureMode={}, response={},
serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}",
- isSecureMode, resp, serviceName,
lastKnownUserStoreVersion, lastActivationTimeInMillis);
+ LOG.debug("No change in UserStore. secureMode={}, user={},
response={}, serviceName={}, lastKnownUserStoreVersion={},
lastActivationTimeInMillis={}",
+ isSecureMode, user, resp, serviceName,
lastKnownUserStoreVersion, lastActivationTimeInMillis);
}
ret = null;
@@ -923,8 +938,8 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
} else if (response.getStatus() == HttpServletResponse.SC_NOT_FOUND) {
ret = null;
- LOG.error("Error getting UserStore; service not found.
secureMode={}, response={}, serviceName={}, lastKnownUserStoreVersion={},
lastActivationTimeInMillis={}",
- isSecureMode, response.getStatus(), serviceName,
lastKnownUserStoreVersion, lastActivationTimeInMillis);
+ LOG.error("Error getting UserStore; service not found.
secureMode={}, user={}, response={}, serviceName={},
lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}",
+ isSecureMode, user, response.getStatus(), serviceName,
lastKnownUserStoreVersion, lastActivationTimeInMillis);
String exceptionMsg = response.hasEntity() ?
response.readEntity(String.class) : null;
@@ -934,7 +949,7 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
} else {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.warn("Error getting UserStore. secureMode={}, response={},
serviceName={}", isSecureMode, resp, serviceName);
+ LOG.warn("Error getting UserStore. secureMode={}, user={},
response={}, serviceName={}", isSecureMode, user, resp, serviceName);
ret = null;
}
@@ -948,7 +963,8 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
public ServiceGdsInfo getGdsInfoIfUpdated(long lastKnownVersion, long
lastActivationTimeInMillis) throws Exception {
LOG.debug("==> RangerAdminRESTClient.getGdsInfoIfUpdated({}, {})",
lastKnownVersion, lastActivationTimeInMillis);
- final boolean isSecureMode = isAuthenticationEnabled();
+ final UserGroupInformation user = MiscUtil.getUGILoginUser();
+ final boolean isSecureMode = isKerberosEnabled(user);
final Cookie sessionId = this.sessionId;
final Map<String, String> queryParams = new HashMap<>();
@@ -958,7 +974,7 @@ public ServiceGdsInfo getGdsInfoIfUpdated(long
lastKnownVersion, long lastActiva
queryParams.put(RangerRESTUtils.REST_PARAM_CLUSTER_NAME, clusterName);
queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES,
pluginCapabilities);
- LOG.debug("Checking for updated GdsInfo: secureMode={},
serviceName={}", isSecureMode, serviceName);
+ LOG.debug("Checking for updated GdsInfo: secureMode={}, user={},
serviceName={}", isSecureMode, user, serviceName);
final Response response;
@@ -987,21 +1003,21 @@ public ServiceGdsInfo getGdsInfoIfUpdated(long
lastKnownVersion, long lastActiva
if (response == null) {
ret = null;
- LOG.error("Error getting GdsInfo - received NULL response:
secureMode={}, serviceName={}", isSecureMode, serviceName);
+ LOG.error("Error getting GdsInfo - received NULL response:
secureMode={}, user={}, serviceName={}", isSecureMode, user, serviceName);
} else if (response.getStatus() ==
HttpServletResponse.SC_NOT_MODIFIED) {
ret = null;
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.debug("No change in GdsInfo: secureMode={}, response={},
serviceName={}, lastKnownGdsVersion={}, lastActivationTimeInMillis={}",
- isSecureMode, resp, serviceName, lastKnownVersion,
lastActivationTimeInMillis);
+ LOG.debug("No change in GdsInfo: secureMode={}, user={},
response={}, serviceName={}, lastKnownGdsVersion={},
lastActivationTimeInMillis={}",
+ isSecureMode, user, resp, serviceName, lastKnownVersion,
lastActivationTimeInMillis);
} else if (response.getStatus() == HttpServletResponse.SC_OK) {
ret = JsonUtilsV2.readResponse(response, ServiceGdsInfo.class);
} else if (response.getStatus() == HttpServletResponse.SC_NOT_FOUND) {
ret = null;
- LOG.error("Error getting GdsInfo - service not found:
secureMode={}, response={}, serviceName={},
lastKnownGdsVersion={},lastActivationTimeInMillis={}",
- isSecureMode, response.getStatus(), serviceName,
lastKnownVersion, lastActivationTimeInMillis);
+ LOG.error("Error getting GdsInfo - service not found:
secureMode={}, user={}, response={}, serviceName={},
lastKnownGdsVersion={},lastActivationTimeInMillis={}",
+ isSecureMode, user, response.getStatus(), serviceName,
lastKnownVersion, lastActivationTimeInMillis);
String exceptionMsg = response.hasEntity() ?
response.readEntity(String.class) : null;
@@ -1013,8 +1029,8 @@ public ServiceGdsInfo getGdsInfoIfUpdated(long
lastKnownVersion, long lastActiva
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.warn("Error getting GdsInfo: unexpected status code {}:
secureMode={}, response={}, serviceName={}",
- response.getStatus(), isSecureMode, resp, serviceName);
+ LOG.warn("Error getting GdsInfo: unexpected status code {}:
secureMode={}, user={}, response={}, serviceName={}",
+ response.getStatus(), isSecureMode, user, resp,
serviceName);
}
LOG.debug("<== RangerAdminRESTClient.getGdsInfoIfUpdated({}, {}):
ret={}", lastKnownVersion, lastActivationTimeInMillis, ret);
@@ -1022,11 +1038,6 @@ public ServiceGdsInfo getGdsInfoIfUpdated(long
lastKnownVersion, long lastActiva
return ret;
}
- @Override
- public boolean isAuthenticationEnabled() {
- return restClient.isAuthFilterPresent() ||
super.isAuthenticationEnabled();
- }
-
private void init(String url, String sslConfigFileName, int
restClientConnTimeOutMs, int restClientReadTimeOutMs, int
restClientMaxRetryAttempts, int restClientRetryIntervalMs, Configuration
config) {
LOG.debug("==> RangerAdminRESTClient.init({}, {})", url,
sslConfigFileName);
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
index fec6cde0a..da471e0c5 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
@@ -151,10 +151,6 @@ public String getPassword() {
return mPassword;
}
- public boolean isAuthFilterPresent() {
- return jwtAuthFilter != null || basicAuthFilter != null;
- }
-
public int getRestClientConnTimeOutMs() {
return mRestClientConnTimeOutMs;
}
diff --git
a/agents-common/src/test/java/org/apache/ranger/admin/client/TestAbstractRangerAdminClient.java
b/agents-common/src/test/java/org/apache/ranger/admin/client/TestAbstractRangerAdminClient.java
index 549051b7d..550983ee3 100644
---
a/agents-common/src/test/java/org/apache/ranger/admin/client/TestAbstractRangerAdminClient.java
+++
b/agents-common/src/test/java/org/apache/ranger/admin/client/TestAbstractRangerAdminClient.java
@@ -95,13 +95,4 @@ public void test03_defaultNoOpMethodsReturnNullOrNoThrow()
throws Exception {
Assertions.assertNull(c.getUserStoreIfUpdated(1L, 2L));
Assertions.assertNull(c.getGdsInfoIfUpdated(1L, 2L));
}
-
- @Test
- public void test04_isSecureEndpointAccess() {
- DummyClient c = new DummyClient();
- Configuration cfg = new Configuration(false);
- cfg.setBoolean("ranger.plugin.forceSecureEndpointAccess", true);
- c.init("svc", "app", "ranger.plugin", cfg);
- Assertions.assertTrue(c.isAuthenticationEnabled());
- }
}
diff --git
a/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
b/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
index 991e9b255..a1e9c917b 100644
---
a/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
+++
b/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
@@ -28,6 +28,7 @@
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.AccessControlException;
+import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ranger.audit.provider.MiscUtil;
import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.plugin.util.GrantRevokeRequest;
@@ -286,7 +287,8 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
final RangerUserStore ret;
final Response response;
- final boolean isSecureMode = isAuthenticationEnabled();
+ final UserGroupInformation user = MiscUtil.getUGILoginUser();
+ final boolean isSecureMode = isKerberosEnabled(user);
Map<String, String> queryParams = new HashMap<>();
queryParams.put(RangerRESTUtils.REST_PARAM_LAST_KNOWN_USERSTORE_VERSION,
Long.toString(lastKnownUserStoreVersion));
@@ -296,6 +298,8 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES,
pluginCapabilities);
if (isSecureMode) {
+ LOG.debug("Checking UserStore updated as user: {}", user);
+
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> {
try {
String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_SERCURE_GET_USERSTORE + serviceNameUrlParam;
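Review bot: The added `LOG.debug("Checking UserStore updated as user: {}", user);` is repeated word for word in the `else` branch in the next hunk, so the log cannot tell a request to the secure endpoint from one to the non-secure endpoint. A single line placed before `if (isSecureMode) {` would carry both facts: `LOG.debug("Checking UserStore updated: secureMode={}, user={}", isSecureMode, user);`. The `if` branch continues outside this hunk.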
@@ -308,6 +312,8 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
return null;
});
} else {
+ LOG.debug("Checking UserStore updated as user: {}", user);
+
String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_GET_USERSTORE + serviceNameUrlParam;
response = get(queryParams, relativeURL);
@@ -315,12 +321,12 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
if (response == null || response.getStatus() == 304) { // NOT_MODIFIED
if (response == null) {
- LOG.error("Error getting UserStore; Received NULL response!!.
secureMode={}, serviceName={}", isSecureMode, serviceName);
+ LOG.error("Error getting UserStore; Received NULL response!!.
secureMode={}, user={}, serviceName={}", isSecureMode, user, serviceName);
} else {
String resp = response.hasEntity() ?
response.readEntity(String.class) : null;
- LOG.debug("No change in UserStore. secureMode={}, response={},
serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}",
- isSecureMode, resp, serviceName,
lastKnownUserStoreVersion, lastActivationTimeInMillis);
+ LOG.debug("No change in UserStore. secureMode={}, user={},
response={}, serviceName={}, lastKnownUserStoreVersion={},
lastActivationTimeInMillis={}",
+ isSecureMode, user, resp, serviceName,
lastKnownUserStoreVersion, lastActivationTimeInMillis);
}
ret = null;
@@ -331,8 +337,8 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
} else if (response.getStatus() == 404) { // NOT_FOUND
ret = null;
- LOG.error("Error getting UserStore; service not found.
secureMode={}, response={}, serviceName={}, lastKnownUserStoreVersion={},
lastActivationTimeInMillis={}",
- isSecureMode, response.getStatus(), serviceName,
lastKnownUserStoreVersion, lastActivationTimeInMillis);
+ LOG.error("Error getting UserStore; service not found.
secureMode={}, user={}, response={}, serviceName={},
lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}",
+ isSecureMode, user, response.getStatus(), serviceName,
lastKnownUserStoreVersion, lastActivationTimeInMillis);
String exceptionMsg = response.hasEntity() ?
response.readEntity(String.class) : null;
@@ -342,8 +348,8 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
} else {
String resp = response.hasEntity() ?
response.readEntity(String.class) : null;
- LOG.warn("Error getting UserStore. secureMode={}, response={},
serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}",
- isSecureMode, resp, serviceName,
lastKnownUserStoreVersion, lastActivationTimeInMillis);
+ LOG.warn("Error getting UserStore. secureMode={}, user={},
response={}, serviceName={}, lastKnownUserStoreVersion={},
lastActivationTimeInMillis={}",
+ isSecureMode, user, resp, serviceName,
lastKnownUserStoreVersion, lastActivationTimeInMillis);
ret = null;
}
@@ -595,7 +601,7 @@ private ServicePolicies
getServicePoliciesIfUpdatedWithCred(final long lastKnown
policyDownloadSessionId = null;
body = response.readEntity(String.class);
- LOG.warn("Unexpected: Received status[{}] with body[{}] form
url[{}]", httpResponseCode, body, getRelativeURL(isAuthenticationEnabled()));
+ LOG.warn("Unexpected: Received status[{}] with body[{}] form
url[{}]", httpResponseCode, body, getRelativeURL(isSecureMode()));
break;
}
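Review bot: The rewritten warning still reads `form url[{}]`, which should be `from url[{}]`; the same message is touched in the `getServicePoliciesIfUpdatedWithCookie`, `getServiceTagsIfUpdatedWithCred`, `getRangerRolesIfUpdatedWithCred` and `getRangerRolesIfUpdatedWithCookie` hunks. The URL in the message is also recomputed through `isSecureMode()` at log time, so it is presumably, but not certainly, the URL that was requested. Logging the value actually passed to the request would be more reliable when diagnosing an authentication failure. The enclosing block starts and ends outside this hunk.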
@@ -661,7 +667,7 @@ private ServicePolicies
getServicePoliciesIfUpdatedWithCookie(final long lastKno
isValidPolicyDownloadSessionCookie = false;
body =
response.readEntity(String.class);
- LOG.warn("Unexpected: Received status[{}] with body[{}] form
url[{}]", httpResponseCode, body, getRelativeURL(isAuthenticationEnabled()));
+ LOG.warn("Unexpected: Received status[{}] with body[{}] form
url[{}]", httpResponseCode, body, getRelativeURL(isSecureMode()));
break;
}
@@ -683,8 +689,10 @@ private Response
getRangerAdminPolicyDownloadResponse(final long lastKnownVersio
queryParams.put(RangerRESTUtils.REST_PARAM_SUPPORTS_POLICY_DELTAS,
Boolean.toString(supportsPolicyDeltas));
queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES,
pluginCapabilities);
- if (isAuthenticationEnabled()) {
- LOG.debug("Checking Service policy if updated");
+ if (isSecureMode()) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Checking Service policy if updated as user : {}",
MiscUtil.getUGILoginUser());
+ }
ret =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () ->
get(queryParams, getRelativeURL(true), policyDownloadSessionId));
} else {
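Review bot: `MiscUtil.getUGILoginUser()` is looked up twice here, once inside `isSecureMode()` for the decision and again for the debug line, so the user that is logged is not guaranteed to be the one the branch was chosen for. `getUserStoreIfUpdated` in this file already takes the user once, and the same shape works here: `final UserGroupInformation user = MiscUtil.getUGILoginUser();`, `if (isKerberosEnabled(user)) {`, `LOG.debug("Checking Service policy if updated as user : {}", user);`. With the user in a local, the `LOG.isDebugEnabled()` guard is no longer needed. The same pattern is added in the `getTagsDownloadResponse` and `getRoleDownloadResponse` hunks, and the method body continues outside this hunk.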
@@ -798,7 +806,7 @@ private ServiceTags getServiceTagsIfUpdatedWithCred(final
long lastKnownVersion,
tagDownloadSessionId = null;
body = response.readEntity(String.class);
- LOG.warn("Unexpected: Received status[{}] with body[{}] form
url[{}]", httpResponseCode, body,
getRelativeURLForTagDownload(isAuthenticationEnabled()));
+ LOG.warn("Unexpected: Received status[{}] with body[{}] form
url[{}]", httpResponseCode, body, getRelativeURLForTagDownload(isSecureMode()));
break;
}
@@ -885,8 +893,10 @@ private Response getTagsDownloadResponse(final long
lastKnownVersion, final long
queryParams.put(RangerRESTUtils.REST_PARAM_SUPPORTS_TAG_DELTAS,
Boolean.toString(supportsTagDeltas));
queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES,
pluginCapabilities);
- if (isAuthenticationEnabled()) {
- LOG.debug("Checking Service tags if updated");
+ if (isSecureMode()) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Checking Service tags if updated as user : {}",
MiscUtil.getUGILoginUser());
+ }
ret =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () ->
get(queryParams, getRelativeURLForTagDownload(true), tagDownloadSessionId));
} else {
@@ -998,7 +1008,7 @@ private RangerRoles getRangerRolesIfUpdatedWithCred(final
long lastKnownRoleVers
roleDownloadSessionId = null;
body = response.readEntity(String.class);
- LOG.warn("Unexpected: Received status[{}] with body[{}] form
url[{}]", httpResponseCode, body,
getRelativeURLForRoleDownload(isAuthenticationEnabled()));
+ LOG.warn("Unexpected: Received status[{}] with body[{}] form
url[{}]", httpResponseCode, body,
getRelativeURLForRoleDownload(isSecureMode()));
break;
}
@@ -1065,7 +1075,7 @@ private RangerRoles
getRangerRolesIfUpdatedWithCookie(final long lastKnownRoleVe
isValidRoleDownloadSessionCookie = false;
body =
response.readEntity(String.class);
- LOG.warn("Unexpected: Received status[{}] with body[{}] form
url[{}]", httpResponseCode, body,
getRelativeURLForRoleDownload(isAuthenticationEnabled()));
+ LOG.warn("Unexpected: Received status[{}] with body[{}] form
url[{}]", httpResponseCode, body,
getRelativeURLForRoleDownload(isSecureMode()));
break;
}
@@ -1086,8 +1096,10 @@ private Response getRoleDownloadResponse(final long
lastKnownRoleVersion, final
queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
queryParams.put(RangerRESTUtils.REST_PARAM_CLUSTER_NAME, clusterName);
- if (isAuthenticationEnabled()) {
- LOG.debug("Checking Roles if updated");
+ if (isSecureMode()) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Checking Roles if updated as user : {}",
MiscUtil.getUGILoginUser());
+ }
ret =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () ->
get(queryParams, getRelativeURLForRoleDownload(true), roleDownloadSessionId));
} else {
@@ -1146,6 +1158,10 @@ private void
setCookieReceivedFromRoleDownloadSession(Response response) {
}
}
+ private boolean isSecureMode() {
+ return isKerberosEnabled(MiscUtil.getUGILoginUser());
+ }
+
// We get date from the policy manager as unix long! This deserializer
exists to deal with it. Remove this class once we start send date/time per RFC
3339
public static class GsonUnixDateDeserializer implements
JsonDeserializer<Date> {
@Override