KMS keys listing throws authentication required error in secure cluster Signed-off-by: Velmurugan Periasamy <[email protected]>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/d79401bb Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/d79401bb Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/d79401bb Branch: refs/heads/tag-policy Commit: d79401bb429754ef9d4203f6c78c28606c922ccb Parents: 0d73c38 Author: Gautam Borad <[email protected]> Authored: Tue May 26 16:47:57 2015 +0530 Committer: Velmurugan Periasamy <[email protected]> Committed: Thu May 28 21:18:24 2015 -0400 ---------------------------------------------------------------------- .../ranger/services/kms/client/KMSClient.java | 70 +++-- .../java/org/apache/ranger/biz/KmsKeyMgr.java | 291 ++++++++++++++----- .../java/org/apache/ranger/rest/XKeyREST.java | 6 +- 3 files changed, 273 insertions(+), 94 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d79401bb/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java ---------------------------------------------------------------------- diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java index 59fa634..c67584e 100755 --- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java +++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java @@ -24,14 +24,17 @@ import java.net.MalformedURLException; import java.net.URI; import java.net.URISyntaxException; import java.net.URL; +import java.security.PrivilegedAction; import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; -import java.util.regex.Pattern; +import javax.security.auth.Subject; import org.apache.hadoop.fs.Path; +import org.apache.hadoop.security.HadoopKerberosName; import org.apache.hadoop.security.ProviderUtils; +import org.apache.hadoop.security.SecureClientLogin; import org.apache.log4j.Logger; import org.apache.ranger.plugin.client.BaseClient; import org.apache.ranger.plugin.client.HadoopException; @@ -43,6 +46,8 @@ import com.google.gson.GsonBuilder; import com.sun.jersey.api.client.Client; import com.sun.jersey.api.client.ClientResponse; import com.sun.jersey.api.client.WebResource; +import com.sun.jersey.api.client.config.ClientConfig; +import com.sun.jersey.api.client.config.DefaultClientConfig; public class KMSClient { @@ -50,7 +55,7 @@ public class KMSClient { private static final String EXPECTED_MIME_TYPE = "application/json"; - private static final String KMS_LIST_API_ENDPOINT = "v1/keys/names?user.name=${userName}"; // GET + private static final String KMS_LIST_API_ENDPOINT = "v1/keys/names"; // GET private static final String errMessage = " You can still save the repository and start creating " + "policies, but you would not be able to use autocomplete for " @@ -64,7 +69,6 @@ public class KMSClient { this.provider = provider; this.username = username; this.password = password; - if (LOG.isDebugEnabled()) { LOG.debug("Kms Client is build with url [" + provider + "] user: [" + username + "]"); @@ -137,24 +141,42 @@ public class KMSClient { for (int i = 0; i < providers.length; i++) { lret = new ArrayList<String>(); if (LOG.isDebugEnabled()) { - LOG.debug("Getting Kms Key list for keyNameMatching : " - + keyNameMatching); + LOG.debug("Getting Kms Key list for keyNameMatching : " + keyNameMatching); } - String keyLists = KMS_LIST_API_ENDPOINT.replaceAll( - Pattern.quote("${userName}"), username); - String uri = providers[i] - + (providers[i].endsWith("/") ? keyLists : ("/" + keyLists)); + String uri = providers[i] + (providers[i].endsWith("/") ? KMS_LIST_API_ENDPOINT : ("/" + KMS_LIST_API_ENDPOINT)); Client client = null; ClientResponse response = null; - + boolean isKerberose = false; try { - client = Client.create(); - - WebResource webResource = client.resource(uri); - - response = webResource.accept(EXPECTED_MIME_TYPE).get( - ClientResponse.class); - + ClientConfig cc = new DefaultClientConfig(); + cc.getProperties().put(ClientConfig.PROPERTY_FOLLOW_REDIRECTS, true); + client = Client.create(cc); + + if(username.contains("@")){ + isKerberose = true; + } + + if(!isKerberose){ + uri = uri.concat("?user.name="+username); + WebResource webResource = client.resource(uri); + response = webResource.accept(EXPECTED_MIME_TYPE).get(ClientResponse.class); + }else{ + String shortName = new HadoopKerberosName(username).getShortName(); + uri = uri.concat("?doAs="+shortName); + Subject sub = new Subject(); + if (username.contains("@")) { + sub = SecureClientLogin.loginUserWithPassword(username, password); + } else { + sub = SecureClientLogin.login(username); + } + final WebResource webResource = client.resource(uri); + response = Subject.doAs(sub, new PrivilegedAction<ClientResponse>() { + @Override + public ClientResponse run() { + return webResource.accept(EXPECTED_MIME_TYPE).get(ClientResponse.class); + } + }); + } if (LOG.isDebugEnabled()) { LOG.debug("getKeyList():calling " + uri); } @@ -192,12 +214,22 @@ public class KMSClient { LOG.info("getKeyList():response.getStatus()= " + response.getStatus() + " for URL " + uri + ", so returning null list"); - return lret; + String msgDesc = response.getEntity(String.class); + HadoopException hdpException = new HadoopException(msgDesc); + hdpException.generateResponseDataMap(false, msgDesc, + msgDesc + errMsg, null, null); + lret = null; + throw hdpException; } else if (response.getStatus() == 403) { LOG.info("getKeyList():response.getStatus()= " + response.getStatus() + " for URL " + uri + ", so returning null list"); - return lret; + String msgDesc = response.getEntity(String.class); + HadoopException hdpException = new HadoopException(msgDesc); + hdpException.generateResponseDataMap(false, msgDesc, + msgDesc + errMsg, null, null); + lret = null; + throw hdpException; } else { LOG.info("getKeyList():response.getStatus()= " + response.getStatus() + " for URL " + uri http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d79401bb/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java index 7446d1e..7854f4b 100755 --- a/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java @@ -24,12 +24,14 @@ import java.net.MalformedURLException; import java.net.URI; import java.net.URISyntaxException; import java.net.URL; +import java.security.PrivilegedAction; import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.regex.Pattern; +import javax.security.auth.Subject; import javax.servlet.http.HttpServletRequest; import javax.ws.rs.core.MediaType; @@ -40,13 +42,19 @@ import org.apache.commons.collections.PredicateUtils; import org.apache.commons.lang.StringUtils; import org.apache.hadoop.fs.Path; import org.apache.hadoop.security.ProviderUtils; +import org.apache.hadoop.security.SecureClientLogin; +import org.apache.hadoop.security.authentication.util.KerberosName; import org.apache.log4j.Logger; import org.apache.ranger.common.ContextUtil; import org.apache.ranger.common.MessageEnums; +import org.apache.ranger.common.PasswordUtils; import org.apache.ranger.common.RESTErrorUtil; import org.apache.ranger.common.RangerConfigUtil; import org.apache.ranger.common.SortField; import org.apache.ranger.common.StringUtil; +import org.apache.ranger.db.RangerDaoManagerBase; +import org.apache.ranger.entity.XXService; +import org.apache.ranger.entity.XXServiceConfigMap; import org.apache.ranger.plugin.model.RangerService; import org.apache.ranger.plugin.util.KeySearchFilter; import org.apache.ranger.view.VXKmsKey; @@ -68,12 +76,14 @@ public class KmsKeyMgr { static final Logger logger = Logger.getLogger(KmsKeyMgr.class); - private static final String KMS_KEY_LIST_URI = "v1/keys/names?user.name=${userName}"; //GET - private static final String KMS_ADD_KEY_URI = "v1/keys?user.name=${userName}"; //POST - private static final String KMS_ROLL_KEY_URI = "v1/key/${alias}?user.name=${userName}"; //POST - private static final String KMS_DELETE_KEY_URI = "v1/key/${alias}?user.name=${userName}"; //DELETE - private static final String KMS_KEY_METADATA_URI = "v1/key/${alias}/_metadata?user.name=${userName}"; //GET + private static final String KMS_KEY_LIST_URI = "v1/keys/names"; //GET + private static final String KMS_ADD_KEY_URI = "v1/keys"; //POST + private static final String KMS_ROLL_KEY_URI = "v1/key/${alias}"; //POST + private static final String KMS_DELETE_KEY_URI = "v1/key/${alias}"; //DELETE + private static final String KMS_KEY_METADATA_URI = "v1/key/${alias}/_metadata"; //GET private static final String KMS_URL_CONFIG = "provider"; + private static final String KMS_PASSWORD = "password"; + private static final String KMS_USERNAME = "username"; private static Map<String, String> providerList = new HashMap<String, String>(); private static int nextProvider = 0; @@ -86,8 +96,11 @@ public class KmsKeyMgr { @Autowired RangerConfigUtil configUtil; + @Autowired + RangerDaoManagerBase rangerDaoManagerBase; + @SuppressWarnings("unchecked") - public VXKmsKeyList searchKeys(String repoName){ + public VXKmsKeyList searchKeys(String repoName) throws Exception{ String providers[] = null; try { providers = getKMSURL(repoName); @@ -98,6 +111,12 @@ public class KmsKeyMgr { VXKmsKeyList vxKmsKeyList = new VXKmsKeyList(); List<String> keys = null; String connProvider = null; + boolean isKerberos=false; + try { + isKerberos = checkKerberos(repoName); + } catch (Exception e1) { + logger.error("checkKerberos(" + repoName + ") failed", e1); + } for (int i = 0; i < providers.length; i++) { Client c = getClient(); String currentUserLoginId = ContextUtil.getCurrentUserLoginId(); @@ -105,15 +124,28 @@ public class KmsKeyMgr { Pattern.quote("${userName}"), currentUserLoginId); connProvider = providers[i]; String uri = providers[i] - + (providers[i].endsWith("/") ? keyLists : ("/" + keyLists)); - - WebResource r = c.resource(uri); + + (providers[i].endsWith("/") ? keyLists : ("/" + keyLists)); + if(!isKerberos){ + uri = uri.concat("?user.name="+currentUserLoginId); + }else{ + uri = uri.concat("?doAs="+currentUserLoginId); + } + final WebResource r = c.resource(uri); try { - String response = r.accept(MediaType.APPLICATION_JSON_TYPE) - .get(String.class); + String response = null; + if(!isKerberos){ + response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class); + }else{ + Subject sub = getSubjectForKerberos(repoName, currentUserLoginId); + response = Subject.doAs(sub, new PrivilegedAction<String>() { + @Override + public String run() { + return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class); + } + }); + } Gson gson = new GsonBuilder().create(); logger.debug(" Search Key RESPONSE: [" + response + "]"); - keys = gson.fromJson(response, List.class); break; } catch (Exception e) { @@ -125,7 +157,7 @@ public class KmsKeyMgr { } if (keys != null && keys.size() > 0) { for (String name : keys) { - VXKmsKey key = getKeyFromUri(connProvider, name); + VXKmsKey key = getKeyFromUri(connProvider, name, isKerberos, repoName); vXKeys.add(key); } vxKmsKeyList.setResultSize(vXKeys.size()); @@ -137,31 +169,46 @@ public class KmsKeyMgr { return vxKmsKeyList; } - public VXKmsKey rolloverKey(String provider, VXKmsKey vXKey){ + public VXKmsKey rolloverKey(String provider, VXKmsKey vXKey) throws Exception{ String providers[] = null; try { providers = getKMSURL(provider); } catch (Exception e) { - logger.error("rolloverKey(" + provider + ", " + vXKey.getName() - + ") failed", e); + logger.error("rolloverKey(" + provider + ", " + vXKey.getName() + ") failed", e); } VXKmsKey ret = null; + boolean isKerberos=false; + try { + isKerberos = checkKerberos(provider); + } catch (Exception e1) { + logger.error("checkKerberos(" + provider + ") failed", e1); + } for (int i = 0; i < providers.length; i++) { Client c = getClient(); - String rollRest = KMS_ROLL_KEY_URI.replaceAll( - Pattern.quote("${alias}"), vXKey.getName()); - String currentUserLoginId = ContextUtil.getCurrentUserLoginId(); - rollRest = rollRest.replaceAll(Pattern.quote("${userName}"), - currentUserLoginId); - String uri = providers[i] - + (providers[i].endsWith("/") ? rollRest : ("/" + rollRest)); - WebResource r = c.resource(uri); + String rollRest = KMS_ROLL_KEY_URI.replaceAll(Pattern.quote("${alias}"), vXKey.getName()); + String currentUserLoginId = ContextUtil.getCurrentUserLoginId(); + String uri = providers[i] + (providers[i].endsWith("/") ? rollRest : ("/" + rollRest)); + if(!isKerberos){ + uri = uri.concat("?user.name="+currentUserLoginId); + }else{ + uri = uri.concat("?doAs="+currentUserLoginId); + } + final WebResource r = c.resource(uri); Gson gson = new GsonBuilder().create(); - String jsonString = gson.toJson(vXKey); + final String jsonString = gson.toJson(vXKey); try { - String response = r.accept(MediaType.APPLICATION_JSON_TYPE) - .type(MediaType.APPLICATION_JSON_TYPE) - .post(String.class, jsonString); + String response = null; + if(!isKerberos){ + response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString);} + else{ + Subject sub = getSubjectForKerberos(provider, currentUserLoginId); + response = Subject.doAs(sub, new PrivilegedAction<String>() { + @Override + public String run() { + return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString); + } + }); + } logger.debug("Roll RESPONSE: [" + response + "]"); ret = gson.fromJson(response, VXKmsKey.class); break; @@ -174,27 +221,44 @@ public class KmsKeyMgr { } return ret; } - - public void deleteKey(String provider, String name){ + + public void deleteKey(String provider, String name) throws Exception{ String providers[] = null; try { providers = getKMSURL(provider); } catch (Exception e) { logger.error("deleteKey(" + provider + ", " + name + ") failed", e); } + boolean isKerberos=false; + try { + isKerberos = checkKerberos(provider); + } catch (Exception e1) { + logger.error("checkKerberos(" + provider + ") failed", e1); + } for (int i = 0; i < providers.length; i++) { Client c = getClient(); - String deleteRest = KMS_DELETE_KEY_URI.replaceAll( - Pattern.quote("${alias}"), name); - String currentUserLoginId = ContextUtil.getCurrentUserLoginId(); - deleteRest = deleteRest.replaceAll(Pattern.quote("${userName}"), - currentUserLoginId); - String uri = providers[i] - + (providers[i].endsWith("/") ? deleteRest - : ("/" + deleteRest)); - WebResource r = c.resource(uri); + String deleteRest = KMS_DELETE_KEY_URI.replaceAll(Pattern.quote("${alias}"), name); + String currentUserLoginId = ContextUtil.getCurrentUserLoginId(); + String uri = providers[i] + (providers[i].endsWith("/") ? deleteRest : ("/" + deleteRest)); + if(!isKerberos){ + uri = uri.concat("?user.name="+currentUserLoginId); + }else{ + uri = uri.concat("?doAs="+currentUserLoginId); + } + final WebResource r = c.resource(uri); try { - String response = r.delete(String.class) ; + String response = null; + if(!isKerberos){ + response = r.delete(String.class) ; + }else{ + Subject sub = getSubjectForKerberos(provider, currentUserLoginId); + response = Subject.doAs(sub, new PrivilegedAction<String>() { + @Override + public String run() { + return r.delete(String.class); + } + }); + } logger.debug("delete RESPONSE: [" + response + "]") ; break; } catch (Exception e) { @@ -206,7 +270,7 @@ public class KmsKeyMgr { } } - public VXKmsKey createKey(String provider, VXKmsKey vXKey){ + public VXKmsKey createKey(String provider, VXKmsKey vXKey) throws Exception{ String providers[] = null; try { providers = getKMSURL(provider); @@ -215,21 +279,37 @@ public class KmsKeyMgr { + ") failed", e); } VXKmsKey ret = null; + boolean isKerberos=false; + try { + isKerberos = checkKerberos(provider); + } catch (Exception e1) { + logger.error("checkKerberos(" + provider + ") failed", e1); + } for (int i = 0; i < providers.length; i++) { Client c = getClient(); - String currentUserLoginId = ContextUtil.getCurrentUserLoginId(); - String createRest = KMS_ADD_KEY_URI.replaceAll( - Pattern.quote("${userName}"), currentUserLoginId); - String uri = providers[i] - + (providers[i].endsWith("/") ? createRest - : ("/" + createRest)); - WebResource r = c.resource(uri); + String currentUserLoginId = ContextUtil.getCurrentUserLoginId(); + String uri = providers[i] + (providers[i].endsWith("/") ? KMS_ADD_KEY_URI : ("/" + KMS_ADD_KEY_URI)); + if(!isKerberos){ + uri = uri.concat("?user.name="+currentUserLoginId); + }else{ + uri = uri.concat("?doAs="+currentUserLoginId); + } + final WebResource r = c.resource(uri); Gson gson = new GsonBuilder().create(); - String jsonString = gson.toJson(vXKey); + final String jsonString = gson.toJson(vXKey); try { - String response = r.accept(MediaType.APPLICATION_JSON_TYPE) - .type(MediaType.APPLICATION_JSON_TYPE) - .post(String.class, jsonString); + String response = null; + if(!isKerberos){ + response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString); + }else{ + Subject sub = getSubjectForKerberos(provider, currentUserLoginId); + response = Subject.doAs(sub, new PrivilegedAction<String>() { + @Override + public String run() { + return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class, jsonString); + } + }); + } logger.debug("Create RESPONSE: [" + response + "]"); ret = gson.fromJson(response, VXKmsKey.class); return ret; @@ -243,26 +323,43 @@ public class KmsKeyMgr { return ret; } - public VXKmsKey getKey(String provider, String name){ + public VXKmsKey getKey(String provider, String name) throws Exception{ String providers[] = null; try { providers = getKMSURL(provider); } catch (Exception e) { logger.error("getKey(" + provider + ", " + name + ") failed", e); } + boolean isKerberos=false; + try { + isKerberos = checkKerberos(provider); + } catch (Exception e1) { + logger.error("checkKerberos(" + provider + ") failed", e1); + } for (int i = 0; i < providers.length; i++) { Client c = getClient(); - String keyRest = KMS_KEY_METADATA_URI.replaceAll( - Pattern.quote("${alias}"), name); - String currentUserLoginId = ContextUtil.getCurrentUserLoginId(); - keyRest = keyRest.replaceAll(Pattern.quote("${userName}"), - currentUserLoginId); - String uri = providers[i] - + (providers[i].endsWith("/") ? keyRest : ("/" + keyRest)); - WebResource r = c.resource(uri); + String keyRest = KMS_KEY_METADATA_URI.replaceAll(Pattern.quote("${alias}"), name); + String currentUserLoginId = ContextUtil.getCurrentUserLoginId(); + String uri = providers[i] + (providers[i].endsWith("/") ? keyRest : ("/" + keyRest)); + if(!isKerberos){ + uri = uri.concat("?user.name="+currentUserLoginId); + }else{ + uri = uri.concat("?doAs="+currentUserLoginId); + } + final WebResource r = c.resource(uri); try { - String response = r.accept(MediaType.APPLICATION_JSON_TYPE) - .get(String.class); + String response = null; + if(!isKerberos){ + response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class); + }else{ + Subject sub = getSubjectForKerberos(provider, currentUserLoginId); + response = Subject.doAs(sub, new PrivilegedAction<String>() { + @Override + public String run() { + return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class); + } + }); + } Gson gson = new GsonBuilder().create(); logger.debug("RESPONSE: [" + response + "]"); VXKmsKey key = gson.fromJson(response, VXKmsKey.class); @@ -277,16 +374,29 @@ public class KmsKeyMgr { return null; } - public VXKmsKey getKeyFromUri(String provider, String name) { + public VXKmsKey getKeyFromUri(String provider, String name, boolean isKerberos, String repoName) throws Exception { Client c = getClient(); - String keyRest = KMS_KEY_METADATA_URI.replaceAll( - Pattern.quote("${alias}"), name); - String currentUserLoginId = ContextUtil.getCurrentUserLoginId(); - keyRest = keyRest.replaceAll(Pattern.quote("${userName}"), - currentUserLoginId); + String keyRest = KMS_KEY_METADATA_URI.replaceAll(Pattern.quote("${alias}"), name); + String currentUserLoginId = ContextUtil.getCurrentUserLoginId(); String uri = provider + (provider.endsWith("/") ? keyRest : ("/" + keyRest)); - WebResource r = c.resource(uri); - String response = r.accept(MediaType.APPLICATION_JSON_TYPE).get(String.class); + if(!isKerberos){ + uri = uri.concat("?user.name="+currentUserLoginId); + }else{ + uri = uri.concat("?doAs="+currentUserLoginId); + } + final WebResource r = c.resource(uri); + String response = null; + if(!isKerberos){ + response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class); + }else{ + Subject sub = getSubjectForKerberos(repoName, currentUserLoginId); + response = Subject.doAs(sub, new PrivilegedAction<String>() { + @Override + public String run() { + return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class); + } + }); + } Gson gson = new GsonBuilder().create(); logger.debug("RESPONSE: [" + response + "]"); VXKmsKey key = gson.fromJson(response, VXKmsKey.class); @@ -360,7 +470,7 @@ public class KmsKeyMgr { providerNext = providerNext+";"; } } - for(int i=0; i<nextProvider; i++){ + for(int i=0; i<nextProvider && i<hosts.length; i++){ providerNext = providerNext+";"+hosts[i]; } if(nextProvider != hosts.length-1){ @@ -381,6 +491,43 @@ public class KmsKeyMgr { } return providers; } + + private Subject getSubjectForKerberos(String provider, String currentUserLoginId) throws Exception{ + String userName = getKMSUserName(provider); + String password = getKMSPassword(provider); + if (KerberosName.getRules() == null) { + KerberosName.setRules("DEFAULT") ; + } + Subject sub = new Subject(); + if (userName.contains("@")) { + sub = SecureClientLogin.loginUserWithPassword(userName, password); + } else { + sub = SecureClientLogin.login(userName); + } + return sub; + } + + private String getKMSPassword(String srvName) throws Exception { + XXService rangerService = rangerDaoManagerBase.getXXService().findByName(srvName); + XXServiceConfigMap xxConfigMap = rangerDaoManagerBase.getXXServiceConfigMap().findByServiceAndConfigKey(rangerService.getId(), KMS_PASSWORD); + String encryptedPwd = xxConfigMap.getConfigvalue(); + String pwd = PasswordUtils.decryptPassword(encryptedPwd); + return pwd; + } + + private String getKMSUserName(String srvName) throws Exception { + RangerService rangerService = null; + rangerService = svcStore.getServiceByName(srvName); + return rangerService.getConfigs().get(KMS_USERNAME); + } + + private boolean checkKerberos(String provider) throws Exception { + String userName = getKMSUserName(provider); + if(userName.contains("@")){ + return true; + } + return false; + } private synchronized Client getClient() { Client ret = null; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d79401bb/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java index 379ea3c..7845b86 100755 --- a/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java +++ b/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java @@ -199,11 +199,11 @@ public class XKeyREST { } if(!(message==null) && !(message.isEmpty()) && message.contains("Connection refused")){ message = "Connection refused : Please check the KMS provider URL and whether the Ranger KMS is running"; - }else if(!(message==null) && !(message.isEmpty()) && message.contains("response status of 403")){ + }else if(!(message==null) && !(message.isEmpty()) && (message.contains("response status of 403") || message.contains("HTTP Status 403"))){ message = UNAUTHENTICATED_MSG; - }else if(!(message==null) && !(message.isEmpty()) && message.contains("response status of 401")){ + }else if(!(message==null) && !(message.isEmpty()) && (message.contains("response status of 401") || message.contains("HTTP Status 401 - Authentication required"))){ message = UNAUTHENTICATED_MSG; - } + } throw restErrorUtil.createRESTException(message, MessageEnums.ERROR_SYSTEM); } }
