Repository: incubator-ranger Updated Branches: refs/heads/master 981f01a7a -> 8614032c9
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSyncConfig.java ---------------------------------------------------------------------- diff --git a/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSyncConfig.java b/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSyncConfig.java index 9588d66..b547b8f 100644 --- a/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSyncConfig.java +++ b/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSyncConfig.java @@ -21,12 +21,16 @@ package org.apache.ranger.tagsync.process; import org.apache.commons.lang.StringUtils; import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.security.SecureClientLogin; import org.apache.log4j.Logger; import java.io.*; import java.net.URL; +import java.net.UnknownHostException; import java.util.Enumeration; import java.util.Properties; + +//import org.apache.ranger.common.PropertiesUtil; import org.apache.ranger.credentialapi.CredentialReader; public class TagSyncConfig extends Configuration { @@ -76,8 +80,23 @@ public class TagSyncConfig extends Configuration { private static final int DEFAULT_TAGSYNC_TAGADMIN_CONNECTION_CHECK_INTERVAL = 2000; + private static final String AUTH_TYPE = "hadoop.security.authentication"; + private static final String NAME_RULES = "hadoop.security.auth_to_local"; + private static final String TAGSYNC_KERBEROS_PRICIPAL = "ranger.tagsync.kerberos.principal"; + private static final String TAGSYNC_KERBEROS_KEYTAB = "ranger.tagsync.kerberos.keytab"; + + private static final String CORE_SITE_FILE = "core-site.xml"; + private static String LOCAL_HOSTNAME = "unknown" ; private Properties props; + static { + try { + LOCAL_HOSTNAME = java.net.InetAddress.getLocalHost().getCanonicalHostName(); + } catch (UnknownHostException e) { + LOCAL_HOSTNAME = "unknown" ; + } + } + public static TagSyncConfig getInstance() { TagSyncConfig newConfig = new TagSyncConfig(); return newConfig; @@ -289,6 +308,29 @@ public class TagSyncConfig extends Configuration { static public String getCustomAtlasResourceMappers(Properties prop) { return prop.getProperty(TAGSYNC_SOURCE_ATLAS_CUSTOM_RESOURCE_MAPPERS_PROP); } + + static public String getAuthenticationType(Properties prop){ + return prop.getProperty(AUTH_TYPE, "simple"); + } + + static public String getNameRules(Properties prop){ + return prop.getProperty(NAME_RULES, "DEFAULT"); + } + + static public String getKerberosPrincipal(Properties prop){ +// return prop.getProperty(TAGSYNC_KERBEROS_PRICIPAL); + String principal = null; + try { + return SecureClientLogin.getPrincipal(prop.getProperty(TAGSYNC_KERBEROS_PRICIPAL, ""), LOCAL_HOSTNAME); + } catch (IOException ignored) { + // do nothing + } + return principal; + } + + static public String getKerberosKeytab(Properties prop){ + return prop.getProperty(TAGSYNC_KERBEROS_KEYTAB, ""); + } static public long getTagAdminConnectionCheckInterval(Properties prop) { long ret = DEFAULT_TAGSYNC_TAGADMIN_CONNECTION_CHECK_INTERVAL; @@ -310,8 +352,9 @@ public class TagSyncConfig extends Configuration { private void init() { + readConfigFile(CORE_SITE_FILE); readConfigFile(DEFAULT_CONFIG_FILE); - readConfigFile(CONFIG_FILE); + readConfigFile(CONFIG_FILE); props = getProps(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java ---------------------------------------------------------------------- diff --git a/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java b/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java index 2fd5ea1..dfc3fdb 100644 --- a/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java +++ b/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java @@ -26,17 +26,19 @@ import org.apache.commons.collections.MapUtils; import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.apache.hadoop.security.SecureClientLogin; import org.apache.ranger.admin.client.datatype.RESTResponse; import org.apache.ranger.tagsync.model.TagSink; import org.apache.ranger.plugin.util.RangerRESTClient; import org.apache.ranger.plugin.util.SearchFilter; import org.apache.ranger.plugin.util.ServiceTags; import org.apache.ranger.tagsync.process.TagSyncConfig; - +import javax.security.auth.Subject; import javax.servlet.http.HttpServletResponse; + +import java.security.PrivilegedAction; import java.util.Map; import java.util.Properties; - import java.util.concurrent.ArrayBlockingQueue; import java.util.concurrent.BlockingQueue; import java.util.concurrent.LinkedBlockingQueue; @@ -51,11 +53,18 @@ public class TagAdminRESTSink implements TagSink, Runnable { private static final String REST_URL_IMPORT_SERVICETAGS_RESOURCE = REST_PREFIX + MODULE_PREFIX + "/importservicetags/"; + private static final String AUTH_TYPE_KERBEROS = "kerberos"; + private long rangerAdminConnectionCheckInterval; private RangerRESTClient tagRESTClient = null; private BlockingQueue<UploadWorkItem> uploadWorkItems; + + private String authenticationType; + private String principal; + private String keytab; + private String nameRules; private Thread myThread = null; @@ -72,6 +81,10 @@ public class TagAdminRESTSink implements TagSink, Runnable { String userName = TagSyncConfig.getTagAdminUserName(properties); String password = TagSyncConfig.getTagAdminPassword(properties); rangerAdminConnectionCheckInterval = TagSyncConfig.getTagAdminConnectionCheckInterval(properties); + authenticationType = TagSyncConfig.getAuthenticationType(properties); + nameRules = TagSyncConfig.getNameRules(properties); + principal = TagSyncConfig.getKerberosPrincipal(properties); + keytab = TagSyncConfig.getKerberosKeytab(properties); if (LOG.isDebugEnabled()) { LOG.debug("restUrl=" + restUrl); @@ -82,7 +95,9 @@ public class TagAdminRESTSink implements TagSink, Runnable { if (StringUtils.isNotBlank(restUrl)) { tagRESTClient = new RangerRESTClient(restUrl, sslConfigFile); - tagRESTClient.setBasicAuthInfo(userName, password); + if(!(!StringUtils.isEmpty(authenticationType) && authenticationType.trim().equalsIgnoreCase(AUTH_TYPE_KERBEROS) && SecureClientLogin.isKerberosCredentialExists(principal, keytab))){ + tagRESTClient.setBasicAuthInfo(userName, password); + } uploadWorkItems = new LinkedBlockingQueue<UploadWorkItem>(); ret = true; @@ -119,6 +134,35 @@ public class TagAdminRESTSink implements TagSink, Runnable { } private ServiceTags doUpload(ServiceTags serviceTags) throws Exception { + if(!StringUtils.isEmpty(authenticationType) && authenticationType.trim().equalsIgnoreCase(AUTH_TYPE_KERBEROS) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)){ + try{ + Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules) ; + if(LOG.isDebugEnabled()) { + LOG.debug("Using Principal = "+ principal + ", keytab = "+keytab); + } + final ServiceTags serviceTag = serviceTags; + ServiceTags ret = Subject.doAs(sub, new PrivilegedAction<ServiceTags>() { + @Override + public ServiceTags run() { + try{ + return uploadServiceTags(serviceTag); + }catch (Exception e) { + LOG.error("Upload of service-tags failed with message ", e); + } + return null; + } + }); + return ret; + }catch(Exception e){ + LOG.error("Upload of service-tags failed with message ", e); + } + return null; + }else{ + return uploadServiceTags(serviceTags); + } + } + + private ServiceTags uploadServiceTags(ServiceTags serviceTags) throws Exception { if(LOG.isDebugEnabled()) { LOG.debug("==> doUpload()"); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/ugsync/pom.xml ---------------------------------------------------------------------- diff --git a/ugsync/pom.xml b/ugsync/pom.xml index 1106e30..6ff21ca 100644 --- a/ugsync/pom.xml +++ b/ugsync/pom.xml @@ -141,6 +141,11 @@ <artifactId>commons-io</artifactId> <version>${commons.io.version}</version> </dependency> + <dependency> + <groupId>org.apache.ranger</groupId> + <artifactId>ranger-plugins-common</artifactId> + <version>${project.version}</version> + </dependency> </dependencies> <build> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java ---------------------------------------------------------------------- diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java index f54b24a..9321e6e 100644 --- a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java +++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java @@ -53,6 +53,8 @@ public class UserGroupSyncConfig { public static final String DEFAULT_CONFIG_FILE = "ranger-ugsync-default-site.xml" ; + private static final String CORE_SITE_CONFIG_FILE = "core-site.xml"; + public static final String UGSYNC_ENABLED_PROP = "ranger.usersync.enabled" ; public static final String UGSYNC_PM_URL_PROP = "ranger.usersync.policymanager.baseURL" ; @@ -235,8 +237,9 @@ public class UserGroupSyncConfig { } private void init() { + readConfigFile(CORE_SITE_CONFIG_FILE); readConfigFile(CONFIG_FILE); - readConfigFile(DEFAULT_CONFIG_FILE); + readConfigFile(DEFAULT_CONFIG_FILE); } private void readConfigFile(String fileName) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java ---------------------------------------------------------------------- diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java index 20466ab..068c9df 100644 --- a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java +++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java @@ -22,9 +22,11 @@ import java.io.File; import java.io.FileInputStream; import java.io.FileNotFoundException; +import java.io.IOException; import java.io.InputStream; import java.net.UnknownHostException; import java.security.KeyStore; +import java.security.PrivilegedAction; import java.security.SecureRandom; import java.util.ArrayList; import java.util.HashMap; @@ -38,8 +40,10 @@ import javax.net.ssl.SSLContext; import javax.net.ssl.SSLSession; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; +import javax.security.auth.Subject; import javax.ws.rs.core.MediaType; +import org.apache.hadoop.security.SecureClientLogin; import org.apache.log4j.Level; import org.apache.log4j.Logger; @@ -69,6 +73,12 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { private static final Logger LOG = Logger.getLogger(PolicyMgrUserGroupBuilder.class) ; + private static final String AUTHENTICATION_TYPE = "hadoop.security.authentication"; + private String AUTH_KERBEROS = "kerberos"; + private static final String PRINCIPAL = "ranger.usersync.kerberos.principal"; + private static final String KEYTAB = "ranger.usersync.kerberos.keytab"; + private static final String NAME_RULE = "hadoop.security.auth_to_local"; + public static final String PM_USER_LIST_URI = "/service/xusers/users/" ; // GET private static final String PM_ADD_USER_URI = "/service/xusers/users/" ; // POST private static final String PM_ADD_USER_GROUP_INFO_URI = "/service/xusers/users/userinfo" ; // POST @@ -84,6 +94,7 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { private static final String PM_ADD_LOGIN_USER_URI = "/service/users/default" ; // POST private static final String GROUP_SOURCE_EXTERNAL ="1"; + private static String LOCAL_HOSTNAME = "unknown" ; private String recordsToPullPerCall = "1000" ; private boolean isMockRun = false ; @@ -108,11 +119,14 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { private HostnameVerifier hv = null ; private SSLContext sslContext = null ; - + private String authenticationType = null; + String principal; + String keytab; + String nameRules; static { try { - LOCAL_HOSTNAME = java.net.InetAddress.getLocalHost().getHostName(); + LOCAL_HOSTNAME = java.net.InetAddress.getLocalHost().getCanonicalHostName(); } catch (UnknownHostException e) { LOCAL_HOSTNAME = "unknown" ; } @@ -148,18 +162,56 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { trustStoreFilepwd = config.getSSLTrustStorePathPassword() ; keyStoreType = KeyStore.getDefaultType() ; trustStoreType = KeyStore.getDefaultType() ; - + authenticationType = config.getProperty(AUTHENTICATION_TYPE,"simple"); + try { + principal = SecureClientLogin.getPrincipal(config.getProperty(PRINCIPAL,""), LOCAL_HOSTNAME); + } catch (IOException ignored) { + // do nothing + } + keytab = config.getProperty(KEYTAB,""); + nameRules = config.getProperty(NAME_RULE,"DEFAULT"); buildUserGroupInfo() ; } private void buildUserGroupInfo() throws Throwable { - buildGroupList(); - buildUserList(); - buildUserGroupLinkList() ; - rebuildUserGroupMap() ; - if (LOG.isDebugEnabled()) { - this.print(); - } + if(authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)){ + if(LOG.isDebugEnabled()) { + LOG.debug("==> Kerberos Environment : Principal is " + principal + " and Keytab is " + keytab); + } + } + if (authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)) { + try { + LOG.info("Using principal = " + principal + " and keytab = " + keytab); + Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules); + Subject.doAs(sub, new PrivilegedAction<Void>() { + @Override + public Void run() { + try { + buildGroupList(); + buildUserList(); + buildUserGroupLinkList() ; + rebuildUserGroupMap() ; + if (LOG.isDebugEnabled()) { + // this.print(); + } + } catch (Exception e) { + LOG.error("Failed to build Group List : ", e); + } + return null; + } + }); + } catch (Exception e) { + LOG.error("Failed to Authenticate Using given Principal and Keytab : ",e); + } + } else { + buildGroupList(); + buildUserList(); + buildUserGroupLinkList() ; + rebuildUserGroupMap() ; + if (LOG.isDebugEnabled()) { + this.print(); + } + } } private String getURL(String uri) { @@ -341,46 +393,46 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { } } - private void buildGroupList() { + if (LOG.isDebugEnabled()) { + LOG.debug("==> PolicyMgrUserGroupBuilder.buildGroupList"); + } + Client c = getClient() ; - Client c = getClient() ; - - int totalCount = 100 ; - int retrievedCount = 0 ; - - while (retrievedCount < totalCount) { - - WebResource r = c.resource(getURL(PM_GROUP_LIST_URI)) - .queryParam("pageSize", recordsToPullPerCall) - .queryParam("startIndex", String.valueOf(retrievedCount)) ; - - String response = r.accept(MediaType.APPLICATION_JSON_TYPE).get(String.class); + int totalCount = 100 ; + int retrievedCount = 0 ; + + while (retrievedCount < totalCount) { + WebResource r = c.resource(getURL(PM_GROUP_LIST_URI)) + .queryParam("pageSize", recordsToPullPerCall) + .queryParam("startIndex", String.valueOf(retrievedCount)) ; + + String response = r.accept(MediaType.APPLICATION_JSON_TYPE).get(String.class); - LOG.debug("RESPONSE: [" + response + "]") ; + LOG.debug("RESPONSE: [" + response + "]") ; - Gson gson = new GsonBuilder().create() ; - - GetXGroupListResponse groupList = gson.fromJson(response, GetXGroupListResponse.class) ; - - totalCount = groupList.getTotalCount() ; - - if (groupList.getXgroupInfoList() != null) { - xgroupList.addAll(groupList.getXgroupInfoList()) ; - retrievedCount = xgroupList.size() ; + Gson gson = new GsonBuilder().create() ; - for(XGroupInfo g : groupList.getXgroupInfoList()) { - LOG.debug("GROUP: Id:" + g.getId() + ", Name: " + g.getName() + ", Description: " + g.getDescription()) ; - } - } - } + GetXGroupListResponse groupList = gson.fromJson(response, GetXGroupListResponse.class) ; + + totalCount = groupList.getTotalCount() ; + + if (groupList.getXgroupInfoList() != null) { + xgroupList.addAll(groupList.getXgroupInfoList()); + retrievedCount = xgroupList.size(); + for (XGroupInfo g : groupList.getXgroupInfoList()) { + LOG.debug("GROUP: Id:" + g.getId() + ", Name: "+ g.getName() + ", Description: "+ g.getDescription()); + } + } + } } - private void buildUserList() { - - Client c = getClient() ; + if (LOG.isDebugEnabled()) { + LOG.debug("==> PolicyMgrUserGroupBuilder.buildUserList"); + } + Client c = getClient() ; int totalCount = 100 ; int retrievedCount = 0 ; @@ -410,12 +462,12 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { } } } - } - private void buildUserGroupLinkList() { - + if(LOG.isDebugEnabled()) { + LOG.debug("==> PolicyMgrUserGroupBuilder.buildUserGroupLinkList"); + } Client c = getClient() ; int totalCount = 100 ; @@ -446,14 +498,13 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { } } } - } - - + private UserGroupInfo addUserGroupInfo(String userName, List<String> groups){ - + if(LOG.isDebugEnabled()) { + LOG.debug("==> PolicyMgrUserGroupBuilder.addUserGroupInfo " + userName + " and groups"); + } UserGroupInfo ret = null; - XUserInfo user = null; LOG.debug("INFO: addPMXAUser(" + userName + ")" ) ; @@ -467,7 +518,32 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { if (! isMockRun ) { addXUserGroupInfo(user, groups) ; } - + if (authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)){ + try { + Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules); + final UserGroupInfo result = ret; + ret = Subject.doAs(sub, new PrivilegedAction<UserGroupInfo>() { + @Override + public UserGroupInfo run() { + try { + return getUsergroupInfo(result); + } catch (Exception e) { + LOG.error("Failed to add User Group Info : ", e); + } + return null; + } + }); + return ret; + } catch (Exception e) { + LOG.error("Failed to Authenticate Using given Principal and Keytab : " , e); + } + return null; + }else{ + return getUsergroupInfo(ret); + } + } + + private UserGroupInfo getUsergroupInfo(UserGroupInfo ret) { Client c = getClient(); WebResource r = c.resource(getURL(PM_ADD_USER_GROUP_INFO_URI)); @@ -495,13 +571,10 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { } } - return ret; + return ret; } - private void addUserGroupInfo(UserGroupInfo usergroupInfo){ - - UserGroupInfo ret = null; - + private void getUserGroupInfo(UserGroupInfo ret, UserGroupInfo usergroupInfo) { Client c = getClient(); WebResource r = c.resource(getURL(PM_ADD_USER_GROUP_INFO_URI)); @@ -530,6 +603,35 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { } } } + + private void addUserGroupInfo(UserGroupInfo usergroupInfo){ + if(LOG.isDebugEnabled()) { + LOG.debug("==> PolicyMgrUserGroupBuilder.addUserGroupInfo"); + } + UserGroupInfo ret = null; + if (authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)) { + try { + Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules); + final UserGroupInfo result = ret; + final UserGroupInfo ugInfo = usergroupInfo; + Subject.doAs(sub, new PrivilegedAction<Void>() { + @Override + public Void run() { + try { + getUserGroupInfo(result, ugInfo); + } catch (Exception e) { + LOG.error("Failed to add User Group Info : ", e); + } + return null; + } + }); + } catch (Exception e) { + LOG.error("Failed to Authenticate Using given Principal and Keytab : ",e); + } + } else { + getUserGroupInfo(ret, usergroupInfo); + } + } private XUserInfo addXUserInfo(String aUserName) { @@ -609,11 +711,31 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { } - private void delXUserGroupInfo(XUserInfo aUserInfo, List<String> aGroupList) { + private void delXUserGroupInfo(final XUserInfo aUserInfo, List<String> aGroupList) { for(String groupName : aGroupList) { - XGroupInfo group = groupName2XGroupInfoMap.get(groupName) ; + final XGroupInfo group = groupName2XGroupInfoMap.get(groupName) ; if (group != null) { - delXUserGroupInfo(aUserInfo, group) ; + if (authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)) { + try { + LOG.info("Using principal = " + principal + " and keytab = " + keytab); + Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules); + Subject.doAs(sub, new PrivilegedAction<Void>() { + @Override + public Void run() { + try { + delXUserGroupInfo(aUserInfo, group); + } catch (Exception e) { + LOG.error("Failed to build Group List : ", e); + } + return null; + } + }); + } catch (Exception e) { + LOG.error("Failed to Authenticate Using given Principal and Keytab : ",e); + } + } else { + delXUserGroupInfo(aUserInfo, group); + } } } } @@ -650,19 +772,44 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { } - private MUserInfo addMUser(String aUserName) { - - MUserInfo ret = null ; - - MUserInfo userInfo = new MUserInfo() ; + MUserInfo ret = null; + MUserInfo userInfo = new MUserInfo(); userInfo.setLoginId(aUserName); userInfo.setFirstName(aUserName); userInfo.setLastName(aUserName); userInfo.setEmailAddress(aUserName + "@" + LOCAL_HOSTNAME); - - Client c = getClient() ; + + if (authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)) { + try { + Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules); + final MUserInfo result = ret; + final MUserInfo userInfoFinal = userInfo; + ret = Subject.doAs(sub, new PrivilegedAction<MUserInfo>() { + @Override + public MUserInfo run() { + try { + return getMUser(userInfoFinal, result); + } catch (Exception e) { + LOG.error("Failed to add User : ", e); + } + return null; + } + }); + return ret; + } catch (Exception e) { + LOG.error("Failed to Authenticate Using given Principal and Keytab : " , e); + } + return null; + } else { + return getMUser(userInfo, ret); + } + } + + + private MUserInfo getMUser(MUserInfo userInfo, MUserInfo ret) { + Client c = getClient() ; WebResource r = c.resource(getURL(PM_ADD_LOGIN_USER_URI)) ; @@ -679,10 +826,7 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { LOG.debug("MUser Creation successful " + ret); return ret ; - - } - private synchronized Client getClient() { @@ -771,16 +915,18 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { cc.getProperties().put(ClientConfig.PROPERTY_FOLLOW_REDIRECTS, true); ret = Client.create(cc); } - if(ret!=null){ - String username = config.getPolicyMgrUserName(); - String password = config.getPolicyMgrPassword(); - if(username==null||password==null||username.trim().isEmpty()||password.trim().isEmpty()){ - username=config.getDefaultPolicyMgrUserName(); - password=config.getDefaultPolicyMgrPassword(); - } - if(username!=null && password!=null){ - ret.addFilter(new HTTPBasicAuthFilter(username, password)); - } + if(!(authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType) && SecureClientLogin.isKerberosCredentialExists(principal, keytab))){ + if(ret!=null){ + String username = config.getPolicyMgrUserName(); + String password = config.getPolicyMgrPassword(); + if(username==null||password==null||username.trim().isEmpty()||password.trim().isEmpty()){ + username=config.getDefaultPolicyMgrUserName(); + password=config.getDefaultPolicyMgrPassword(); + } + if(username!=null && password!=null){ + ret.addFilter(new HTTPBasicAuthFilter(username, password)); + } + } } return ret ; } @@ -832,7 +978,7 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { } } - private XGroupInfo addGroupInfo(String groupName){ + private XGroupInfo addGroupInfo(final String groupName){ XGroupInfo ret = null; XGroupInfo group = null; @@ -840,6 +986,34 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink { if (! isMockRun) { group = addXGroupInfo(groupName) ; } + if (authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType) && SecureClientLogin.isKerberosCredentialExists(principal,keytab)) { + try { + LOG.info("Using principal = " + principal + " and keytab = " + keytab); + Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules); + final XGroupInfo groupInfo = group; + ret = Subject.doAs(sub, new PrivilegedAction<XGroupInfo>() { + @Override + public XGroupInfo run() { + try { + return getAddedGroupInfo(groupInfo); + } catch (Exception e) { + LOG.error("Failed to build Group List : ", e); + } + return null; + } + }); + return ret; + } catch (Exception e) { + LOG.error("Failed to Authenticate Using given Principal and Keytab : ", e); + } + return null; + } else { + return getAddedGroupInfo(group); + } + } + + private XGroupInfo getAddedGroupInfo(XGroupInfo group){ + XGroupInfo ret = null; Client c = getClient(); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/unixauthservice/scripts/install.properties ---------------------------------------------------------------------- diff --git a/unixauthservice/scripts/install.properties b/unixauthservice/scripts/install.properties index f206d0a..f4fd4c0 100644 --- a/unixauthservice/scripts/install.properties +++ b/unixauthservice/scripts/install.properties @@ -42,6 +42,10 @@ SYNC_INTERVAL = unix_user=ranger unix_group=ranger +#Set to run in kerberos environment +usersync_principal= +usersync_keytab= +hadoop_conf=/etc/hadoop/conf # # The file where all credential is kept in cryptic format # http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/unixauthservice/scripts/ranger-usersync-services.sh ---------------------------------------------------------------------- diff --git a/unixauthservice/scripts/ranger-usersync-services.sh b/unixauthservice/scripts/ranger-usersync-services.sh index 9cd5ee2..ed3c936 100644 --- a/unixauthservice/scripts/ranger-usersync-services.sh +++ b/unixauthservice/scripts/ranger-usersync-services.sh @@ -47,7 +47,7 @@ if [ "${action}" == "START" ]; then export PATH=$JAVA_HOME/bin:$PATH fi - cp="${cdir}/dist/*:${cdir}/lib/*:${cdir}/conf" + cp="${cdir}/dist/*:${cdir}/lib/*:${cdir}/conf:${RANGER_USERSYNC_HADOOP_CONF_DIR}/*" if [ -f $pidf ]; then PID=`cat $pidf` http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/unixauthservice/scripts/setup.py ---------------------------------------------------------------------- diff --git a/unixauthservice/scripts/setup.py b/unixauthservice/scripts/setup.py index 8bb3bf0..1f46546 100755 --- a/unixauthservice/scripts/setup.py +++ b/unixauthservice/scripts/setup.py @@ -86,6 +86,8 @@ SYNC_LDAP_BIND_PASSWORD_KEY = 'ranger.usersync.ldap.ldapbindpassword' credUpdateClassName = 'org.apache.ranger.credentialapi.buildks' #credUpdateClassName = 'com.hortonworks.credentialapi.buildks' ENV_LOGDIR_FILE = 'ranger-usersync-env-logdir.sh' +hadoopConfFileName = 'core-site.xml' +ENV_HADOOP_CONF_FILE = "ranger-usersync-env-hadoopconfdir.sh" RANGER_USERSYNC_HOME = os.getenv("RANGER_USERSYNC_HOME") @@ -307,18 +309,31 @@ def createJavaKeystoreForSSL(fn,passwd): sys.exit(1) return ret -def write_env_files(log_path): - final_path = "{0}/{1}".format(confBaseDirName,ENV_LOGDIR_FILE) +def write_env_files(exp_var_name, log_path, file_name): + final_path = "{0}/{1}".format(confBaseDirName,file_name) if not os.path.isfile(final_path): - print "Creating %s file" % ENV_LOGDIR_FILE + print "Creating %s file" % file_name f = open(final_path, "w") - f.write("export logdir={0}".format(log_path)) + f.write("export {0}={1}".format(exp_var_name,log_path)) f.close() def main(): populate_global_dict() logFolderName = globalDict['logdir'] + hadoop_conf = globalDict['hadoop_conf'] + + hadoop_conf_full_path = os.path.join(hadoop_conf, hadoopConfFileName) + usersync_conf_full_path = os.path.join(usersyncBaseDirFullName,confBaseDirName,hadoopConfFileName) + if not isfile(hadoop_conf_full_path): + print "WARN: core-site.xml file not found in provided hadoop conf path..." + f = open(usersync_conf_full_path, "w") + f.write("<configuration></configuration>") + f.close() + else: + if os.path.islink(usersync_conf_full_path): + os.remove(usersync_conf_full_path) + if logFolderName.lower() == "$pwd" or logFolderName == "" : logFolderName = os.path.join(os.getcwd(),"logs") ugsyncLogFolderName = logFolderName @@ -485,8 +500,14 @@ def main(): else: print "WARNING: Unix Authentication Program (%s) is not available for setting chmod(4550), chown(%s:%s) " % (nativeAuthProgramName, "root", groupName) - write_env_files(logFolderName); + write_env_files("logdir", logFolderName, ENV_LOGDIR_FILE); + write_env_files("RANGER_USERSYNC_HADOOP_CONF_DIR", hadoop_conf, ENV_HADOOP_CONF_FILE); os.chown(os.path.join(confBaseDirName, ENV_LOGDIR_FILE),ownerId,groupId) os.chmod(os.path.join(confBaseDirName, ENV_LOGDIR_FILE),0755) + os.chown(os.path.join(confBaseDirName, ENV_HADOOP_CONF_FILE),ownerId,groupId) + os.chmod(os.path.join(confBaseDirName, ENV_HADOOP_CONF_FILE),0755) + + if isfile(hadoop_conf_full_path): + os.symlink(hadoop_conf_full_path, usersync_conf_full_path) main() http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/unixauthservice/scripts/templates/installprop2xml.properties ---------------------------------------------------------------------- diff --git a/unixauthservice/scripts/templates/installprop2xml.properties b/unixauthservice/scripts/templates/installprop2xml.properties index 77b8eac..a78157e 100644 --- a/unixauthservice/scripts/templates/installprop2xml.properties +++ b/unixauthservice/scripts/templates/installprop2xml.properties @@ -49,3 +49,5 @@ AUTH_SSL_TRUSTSTORE_FILE = ranger.usersync.truststore.file AUTH_SSL_TRUSTSTORE_PASSWORD = ranger.usersync.truststore.password AUTH_SSL_ENABLED = ranger.usersync.enabled SYNC_LDAP_REFERRAL = ranger.usersync.ldap.referral +usersync_principal= ranger.usersync.kerberos.principal +usersync_keytab= ranger.usersync.kerberos.keytab http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/unixauthservice/scripts/templates/ranger-ugsync-template.xml ---------------------------------------------------------------------- diff --git a/unixauthservice/scripts/templates/ranger-ugsync-template.xml b/unixauthservice/scripts/templates/ranger-ugsync-template.xml index 2bf5562..d32ef33 100644 --- a/unixauthservice/scripts/templates/ranger-ugsync-template.xml +++ b/unixauthservice/scripts/templates/ranger-ugsync-template.xml @@ -185,4 +185,12 @@ <name>ranger.usersync.ldap.referral</name> <value></value> </property> + <property> + <name>ranger.usersync.kerberos.principal</name> + <value></value> + </property> + <property> + <name>ranger.usersync.kerberos.keytab</name> + <value></value> + </property> </configuration>
