RANGER-552 Need to get UGI from keytab, instead of subject
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/34f7e3b0 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/34f7e3b0 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/34f7e3b0 Branch: refs/heads/ranger-0.5 Commit: 34f7e3b078c80bad84791d543ae159acd2aa7fc1 Parents: de946a3 Author: Don Bosco Durai <[email protected]> Authored: Fri Jun 12 18:56:51 2015 -0700 Committer: sneethiraj <[email protected]> Committed: Tue Jun 30 02:58:09 2015 -0400 ---------------------------------------------------------------------- .../ranger/audit/provider/BaseAuditHandler.java | 19 ++++- .../apache/ranger/audit/provider/MiscUtil.java | 87 ++++++++++++-------- .../apache/ranger/audit/queue/AuditQueue.java | 12 +++ 3 files changed, 79 insertions(+), 39 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/34f7e3b0/agents-audit/src/main/java/org/apache/ranger/audit/provider/BaseAuditHandler.java ---------------------------------------------------------------------- diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/BaseAuditHandler.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/BaseAuditHandler.java index 3859a7e..30db18b 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/BaseAuditHandler.java +++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/BaseAuditHandler.java @@ -169,6 +169,10 @@ public abstract class BaseAuditHandler implements AuditHandler { this.parentPath = parentPath; } + public String getFinalPath() { + return getName(); + } + public void setName(String name) { providerName = name; } 
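Review bot: The new public `getFinalPath()` has no Javadoc, and its name suggests a filesystem path while the base implementation simply returns the handler name. A comment such as `/** Returns the name of the last handler in the consumer chain; a handler without a consumer is its own destination. */` would state the contract. The override added in AuditQueue.java needs the matching note that it follows `consumer` recursively and falls back to `consumer.getName()` for handlers that are not a `BaseAuditHandler`.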
@@ -249,22 +253,31 @@ public abstract class BaseAuditHandler implements AuditHandler { lastStatusLogTime = currTime; long diffCount = totalCount - lastIntervalCount; - if (diffCount == 0) { - return; - } long diffSuccess = totalSuccessCount - lastIntervalSuccessCount; long diffFailed = totalFailedCount - lastIntervalFailedCount; long diffStashed = totalStashedCount - lastStashedCount; long diffDeferred = totalDeferredCount - lastDeferredCount; + if (diffCount == 0 && diffSuccess == 0 && diffFailed == 0 + && diffStashed == 0 && diffDeferred == 0) { + return; + } + lastIntervalCount = totalCount; lastIntervalSuccessCount = totalSuccessCount; lastIntervalFailedCount = totalFailedCount; lastStashedCount = totalStashedCount; lastDeferredCount = totalDeferredCount; + String finalPath = ""; + String tFinalPath = getFinalPath(); + if (!getName().equals(tFinalPath)) { + finalPath = ", finalDestination=" + tFinalPath; + } + String msg = "Audit Status Log: name=" + getName() + + finalPath + ", interval=" + formatIntervalForLog(diffTime) + ", events=" http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/34f7e3b0/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java ---------------------------------------------------------------------- diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java index bfded93..a3a3a84 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java +++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java 
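Review bot: `getName().equals(tFinalPath)` dereferences the handler name, so the status logger would throw a NullPointerException if it runs on a handler whose name was never set; whether `getName()` can return null is not visible in this hunk. Turning the comparison round with a null check, `if (tFinalPath != null && !tFinalPath.equals(getName())) {`, avoids that and also keeps `finalDestination=null` out of the status line. The `msg` expression continues below the hunk.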
@@ -37,8 +37,6 @@ import javax.security.auth.Subject; import javax.security.auth.login.AppConfigurationEntry; import javax.security.auth.login.Configuration; import javax.security.auth.login.LoginContext; -import javax.security.auth.login.LoginException; - import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.security.UserGroupInformation; @@ -435,7 +433,8 @@ public class MiscUtil { // Do not remove the below statement. The default // getLoginUser does some initialization which is needed // for getUGIFromSubject() to work. - logger.info("Default UGI before using Subject from Kafka:" + UserGroupInformation.getLoginUser(); + logger.info("Default UGI before using new Subject:" + UserGroupInformation.getLoginUser()); } catch (Throwable t) { logger.error(t); @@ -549,7 +548,7 @@ public class MiscUtil { public static void authWithKerberos(String keytab, String principal, String nameRules) { - if (keytab == null) { + if (keytab == null || principal == null) { return; } Subject serverSubject = new Subject(); 
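Review bot: The widened guard `if (keytab == null || principal == null) {` returns without writing anything to the log, so a deployment that configures a keytab but omits the principal skips the Kerberos login silently and presumably continues as the default login user. A line such as `logger.warn("Kerberos login skipped: keytab or principal is not configured");` before the `return` would make the misconfiguration visible. If a null pair is the normal non-Kerberos case, log only when exactly one of the two values is set. The rest of authWithKerberos lies outside this hunk.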
@@ -570,44 +569,60 @@ public class MiscUtil { KerberosName.setRules(nameRules); } - List<LoginContext> loginContexts = new ArrayList<LoginContext>(); - for (String spnegoPrincipal : spnegoPrincipals) { - try { - logger.info("Login using keytab " + keytab - + ", for principal " + spnegoPrincipal); - final KerberosConfiguration kerberosConfiguration = new KerberosConfiguration( - keytab, spnegoPrincipal); - final LoginContext loginContext = new LoginContext("", - serverSubject, null, kerberosConfiguration); - loginContext.login(); - successLoginCount++; - logger.info("Login success keytab " + keytab - + ", for principal " + spnegoPrincipal); - loginContexts.add(loginContext); - } catch (Throwable t) { - logger.error("Login failed keytab " + keytab - + ", for principal " + spnegoPrincipal, t); + boolean useKeytab = true; + if (!useKeytab) { + logger.info("Creating UGI with subject"); + List<LoginContext> loginContexts = new ArrayList<LoginContext>(); + for (String spnegoPrincipal : spnegoPrincipals) { + try { + logger.info("Login using keytab " + keytab + + ", for principal " + spnegoPrincipal); + final KerberosConfiguration kerberosConfiguration = new KerberosConfiguration( + keytab, spnegoPrincipal); + final LoginContext loginContext = new LoginContext("", + serverSubject, null, kerberosConfiguration); + loginContext.login(); + successLoginCount++; + logger.info("Login success keytab " + keytab + + ", for principal " + spnegoPrincipal); + loginContexts.add(loginContext); + } catch (Throwable t) { + logger.error("Login failed keytab " + keytab + + ", for principal " + spnegoPrincipal, t); + } + if (successLoginCount > 0) { + logger.info("Total login success count=" + + successLoginCount); + try { + UserGroupInformation + .loginUserFromSubject(serverSubject); + // UserGroupInformation ugi = + // createUGIFromSubject(serverSubject); + // if (ugi != null) { + // setUGILoginUser(ugi, serverSubject); + // } + } catch (Throwable e) { + logger.error("Error creating UGI from 
subject. subject=" + + serverSubject); + } + } else { + logger.error("Total logins were successfull from keytab=" + + keytab + ", principal=" + principal); + } } + } else { + logger.info("Creating UGI from keytab directly. keytab=" + + keytab + ", principal=" + spnegoPrincipals[0]); + UserGroupInformation ugi = UserGroupInformation + .loginUserFromKeytabAndReturnUGI(spnegoPrincipals[0], + keytab); + MiscUtil.setUGILoginUser(ugi, null); } + } catch (Throwable t) { logger.error("Failed to login as [" + spnegoPrincipals + "]", t); } - if (successLoginCount > 0) { - logger.info("Total login success count=" + successLoginCount); - try { - UserGroupInformation ugi = createUGIFromSubject(serverSubject); - if (ugi != null) { - setUGILoginUser(ugi, serverSubject); - } - } catch (Throwable e) { - logger.error("Error creating UGI from subject. subject=" - + serverSubject); - } - } else { - logger.error("Total logins were successfull from keytab=" + keytab - + ", principal=" + principal); - } } static class LogHistory { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/34f7e3b0/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditQueue.java ---------------------------------------------------------------------- diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditQueue.java b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditQueue.java index 000a658..88c9831 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditQueue.java +++ b/agents-audit/src/main/java/org/apache/ranger/audit/queue/AuditQueue.java 
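Review bot: `boolean useKeytab = true;` is a local constant, so the whole `if (!useKeytab)` branch is unreachable and the live path logs in only `spnegoPrincipals[0]`; any further principals collected earlier in authWithKerberos are now dropped without a log line. Either delete the subject branch or drive the choice from a parameter or configuration property, and add a comment saying why the first principal is the one used. A failed `loginUserFromKeytabAndReturnUGI` call lands in the outer `catch (Throwable t)`, which only logs, so callers that depend on Kerberos cannot tell that the login did not happen. That log line also concatenates the `spnegoPrincipals` array itself and prints a type-and-hash string; `Arrays.toString(spnegoPrincipals)` would show the names. The method starts above this hunk, so how the array is filled is not visible here.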
@@ -133,6 +133,18 @@ public abstract class AuditQueue extends BaseAuditHandler { } @Override + public String getFinalPath() { + if (consumer != null) { + if (consumer instanceof BaseAuditHandler) { + return ((BaseAuditHandler) consumer).getFinalPath(); + } else { + return consumer.getName(); + } + } + return getName(); + } + + @Override public void setName(String name) { super.setName(name); if (consumer != null && consumer instanceof BaseAuditHandler) {
