Repository: incubator-ranger Updated Branches: refs/heads/master 415ed4399 -> b056c4b77
RANGER-957: Modify ranger kms to use service identity to download policies from ranger admin 
Signed-off-by: Gautam Borad <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/b056c4b7 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/b056c4b7 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/b056c4b7 Branch: refs/heads/master Commit: b056c4b77017c64b55d4083b332d464dbdd46825 Parents: 415ed43 Author: Ankita Sinha <[email protected]> Authored: Thu Apr 28 12:27:06 2016 +0530 Committer: Gautam Borad <[email protected]> Committed: Thu Apr 28 20:34:33 2016 +0530 ---------------------------------------------------------------------- .../admin/client/RangerAdminRESTClient.java | 9 +++- .../plugin/client/HadoopConfigHolder.java | 7 +++ .../main/resources/resourcenamemap.properties | 2 + kms/config/kms-webapp/dbks-site.xml | 13 ++++- kms/pom.xml | 5 ++ kms/scripts/install.properties | 5 ++ kms/scripts/ranger-kms | 2 +- kms/scripts/setup.sh | 42 +++++++++++++++ .../key/kms/server/KMSAuthenticationFilter.java | 2 +- .../crypto/key/kms/server/KMSConfiguration.java | 2 +- kms/src/main/webapp/WEB-INF/web.xml | 6 --- .../kms/authorizer/RangerKmsAuthorizer.java | 53 ++++++++++-------- .../ranger/services/kms/client/KMSClient.java | 57 +++++++++++--------- .../services/kms/client/KMSConnectionMgr.java | 5 +- .../services/kms/client/KMSResourceMgr.java | 7 +-- .../java/org/apache/ranger/biz/KmsKeyMgr.java | 32 +++++------ .../java/org/apache/ranger/biz/ServiceMgr.java | 2 + .../main/resources/resourcenamemap.properties | 4 +- src/main/assembly/kms.xml | 1 + 19 files changed, 176 insertions(+), 80 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java ---------------------------------------------------------------------- 
diff --git a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java index afa347e..aaf1596 100644 --- a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java +++ b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java @@ -91,7 +91,9 @@ public class RangerAdminRESTClient implements RangerAdminClient { ClientResponse response = null; if (MiscUtil.getUGILoginUser() != null && UserGroupInformation.isSecurityEnabled()) { - LOG.info("Checking Service policy if updated as user : " + MiscUtil.getUGILoginUser()); + if(LOG.isDebugEnabled()) { + LOG.debug("Checking Service policy if updated as user : " + MiscUtil.getUGILoginUser()); + } PrivilegedAction<ClientResponse> action = new PrivilegedAction<ClientResponse>() { public ClientResponse run() { WebResource secureWebResource = createWebResource(RangerRESTUtils.REST_URL_POLICY_GET_FOR_SECURE_SERVICE_IF_UPDATED + serviceName) 
@@ -102,7 +104,10 @@ public class RangerAdminRESTClient implements RangerAdminClient { }; response = MiscUtil.getUGILoginUser().doAs(action); }else{ - WebResource webResource = createWebResource(RangerRESTUtils.REST_URL_POLICY_GET_FOR_SERVICE_IF_UPDATED + serviceName) + if(LOG.isDebugEnabled()) { + LOG.debug("Checking Service policy if updated with old api call"); + } + WebResource webResource = createWebResource(RangerRESTUtils.REST_URL_POLICY_GET_FOR_SERVICE_IF_UPDATED + serviceName) .queryParam(RangerRESTUtils.REST_PARAM_LAST_KNOWN_POLICY_VERSION, Long.toString(lastKnownVersion)) .queryParam(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId); response = webResource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java ---------------------------------------------------------------------- diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java b/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java index 1f3987f..8991872 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java @@ -44,6 +44,7 @@ public class HadoopConfigHolder { public static final String RANGER_LOOKUP_PRINCIPAL = "lookupprincipal"; public static final String RANGER_LOOKUP_KEYTAB = "lookupkeytab"; public static final String RANGER_NAME_RULES = "namerules"; + public static final String RANGER_AUTH_TYPE = "authtype"; public static final String HADOOP_SECURITY_AUTHENTICATION = "hadoop.security.authentication"; public static final String HADOOP_NAME_RULES = "hadoop.security.auth_to_local"; public static final String HADOOP_SECURITY_AUTHENTICATION_METHOD = "kerberos"; 
@@ -66,6 +67,7 @@ public class HadoopConfigHolder { private String lookupPrincipal; private String lookupKeytab; private String nameRules; + private String authType; private Map<String,String> connectionProperties; @@ -281,6 +283,7 @@ public class HadoopConfigHolder { lookupPrincipal = prop.getProperty(RANGER_LOOKUP_PRINCIPAL); lookupKeytab = prop.getProperty(RANGER_LOOKUP_KEYTAB); nameRules = prop.getProperty(RANGER_NAME_RULES); + authType = prop.getProperty(RANGER_AUTH_TYPE, "simple"); String hadoopSecurityAuthenticationn = getHadoopSecurityAuthentication(); @@ -406,6 +409,10 @@ public class HadoopConfigHolder { public String getNameRules(){ return nameRules; } + + public String getAuthType(){ + return authType; + } public Set<String> getRangerInternalPropertyKeys() { return rangerInternalPropertyKeys; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/agents-common/src/main/resources/resourcenamemap.properties ---------------------------------------------------------------------- diff --git a/agents-common/src/main/resources/resourcenamemap.properties b/agents-common/src/main/resources/resourcenamemap.properties index 9bfaf61..72d78d2 100644 --- a/agents-common/src/main/resources/resourcenamemap.properties +++ b/agents-common/src/main/resources/resourcenamemap.properties @@ -26,6 +26,8 @@ keytabfile=xalogin.xml password=xalogin.xml lookupprincipal=xalogin.xml lookupkeytab=xalogin.xml +namerules=xalogin.xml +authtype=xalogin.xml hbase.master.kerberos.principal=hbase-site.xml hbase.rpc.engine=hbase-site.xml hbase.rpc.protection=hbase-site.xml http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/kms/config/kms-webapp/dbks-site.xml ---------------------------------------------------------------------- diff --git a/kms/config/kms-webapp/dbks-site.xml b/kms/config/kms-webapp/dbks-site.xml index f649264..a82a72b 100755 --- a/kms/config/kms-webapp/dbks-site.xml +++ b/kms/config/kms-webapp/dbks-site.xml 
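Review bot: `authType = prop.getProperty(RANGER_AUTH_TYPE, "simple")` silently degrades to simple authentication when the `authtype` key is absent or mistyped, and the value is never checked against the two modes the rest of this commit recognises (`simple`/`kerberos`, compared case-insensitively in KMSClient), so a missing key in a Kerberos cluster makes resource lookups run unauthenticated instead of failing visibly. If the class has a logger, warn when the default kicks in, e.g. `if (prop.getProperty(RANGER_AUTH_TYPE) == null) { LOG.warn(RANGER_AUTH_TYPE + " not set; defaulting to simple"); }`. The `"simple"` literal is hard-coded again in KMSAuthenticationFilter and KmsKeyMgr in this commit; a shared constant next to `HADOOP_SECURITY_AUTHENTICATION_METHOD` would keep the three in step. The enclosing method of the `@@ -281` hunk continues outside the hunk.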
@@ -113,6 +113,17 @@ </description> </property> + <!-- Ranger KMS Kerberos Config --> + <property> + <name>ranger.ks.kerberos.principal</name> + <value>rangerkms/_HOST@REALM</value> + </property> + + <property> + <name>ranger.ks.kerberos.keytab</name> + <value></value> + </property> + <!-- HSM Config --> <property> <name>ranger.ks.hsm.type</name> @@ -142,6 +153,6 @@ <name>ranger.ks.hsm.partition.password.alias</name> <value>ranger.kms.hsm.partition.password</value> <description></description> - </property> + </property> </configuration> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/kms/pom.xml ---------------------------------------------------------------------- diff --git a/kms/pom.xml b/kms/pom.xml index af2138a..a9f6c6c 100644 --- a/kms/pom.xml +++ b/kms/pom.xml @@ -436,6 +436,11 @@ <artifactId>hadoop-hdfs</artifactId> <version>${hadoop.version}</version> </dependency> + <dependency> + <groupId>org.apache.ranger</groupId> + <artifactId>ranger-plugins-common</artifactId> + <version>${project.version}</version> + </dependency> </dependencies> <build> <pluginManagement> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/kms/scripts/install.properties ---------------------------------------------------------------------- diff --git a/kms/scripts/install.properties b/kms/scripts/install.properties index fceae8f..da6e185 100755 --- a/kms/scripts/install.properties +++ b/kms/scripts/install.properties 
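Review bot: `ranger.ks.kerberos.principal` ships with the live placeholder `rangerkms/_HOST@REALM` while `ranger.ks.kerberos.keytab` ships empty, and setup.sh (later in this commit) only overwrites the principal when `kms_principal` is non-empty, so a non-Kerberos install keeps a bogus principal with no keytab. RangerKmsAuthorizer then passes that pair to `MiscUtil.authWithKerberos`; whether that helper tolerates an empty keytab is not visible here. Shipping `<value></value>` for both, plus a `<description>` element like the neighbouring properties, would make "not configured" unambiguous.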
@@ -65,6 +65,11 @@ db_password= #------------------------- RANGER KMS Master Key Crypt Key ------------------ KMS_MASTER_KEY_PASSWD=Str0ngPassw0rd +#------------------------- Ranger KMS Kerberos Configuration --------------------------- +kms_principal= +kms_keytab= +hadoop_conf=/etc/hadoop/conf + #------------------------- Ranger KMS HSM CONFIG ------------------------------ HSM_TYPE=LunaProvider HSM_ENABLED=false http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/kms/scripts/ranger-kms ---------------------------------------------------------------------- diff --git a/kms/scripts/ranger-kms b/kms/scripts/ranger-kms index 74ecd05..0e29d7f 100755 --- a/kms/scripts/ranger-kms +++ b/kms/scripts/ranger-kms @@ -76,7 +76,7 @@ fi KMS_CONF_DIR=${RANGER_KMS_EWS_DIR}/webapp/WEB-INF/classes/conf -JAVA_OPTS="${JAVA_OPTS} -Dcatalina.base=${RANGER_KMS_EWS_DIR} -Dkms.config.dir=${KMS_CONF_DIR} -Dkms.log.dir=${TOMCAT_LOG_DIR} -cp ${RANGER_KMS_EWS_CONF_DIR}:${RANGER_KMS_EWS_LIB_DIR}/*:${RANGER_KMS_EWS_DIR}/webapp/lib/*:${JAVA_HOME}/lib/*:$CLASSPATH " +JAVA_OPTS="${JAVA_OPTS} -Dcatalina.base=${RANGER_KMS_EWS_DIR} -Dkms.config.dir=${KMS_CONF_DIR} -Dkms.log.dir=${TOMCAT_LOG_DIR} -cp ${RANGER_KMS_EWS_CONF_DIR}:${RANGER_KMS_EWS_LIB_DIR}/*:${RANGER_KMS_EWS_DIR}/webapp/lib/*:${JAVA_HOME}/lib/*:${RANGER_HADOOP_CONF_DIR}/*:$CLASSPATH " if [ "${action}" == "START" ]; then echo "+ java -D${PROC_NAME} ${JAVA_OPTS} ${START_CLASS_NAME} ${KMS_CONFIG_FILENAME} " http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/kms/scripts/setup.sh ---------------------------------------------------------------------- diff --git a/kms/scripts/setup.sh b/kms/scripts/setup.sh index 6019526..031c4f3 100755 --- a/kms/scripts/setup.sh +++ b/kms/scripts/setup.sh 
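Review bot: `${RANGER_HADOOP_CONF_DIR}/*` is appended to `-cp`, but nothing visible in this hunk sources the `ranger-kms-env-hadoopconfdir.sh` file that setup.sh writes, so if the variable is unset the entry becomes `/*`, which puts every top-level directory of the filesystem on the classpath. A `dir/*` classpath entry also only matches jar files, not resources, so `core-site.xml` in that directory is not loadable through this entry; it is presumably only found because setup.sh symlinks it into `${KMS_CONF_DIR}`. If the directory itself is meant to be on the classpath, drop the `/*` and guard the expansion, e.g. `${RANGER_HADOOP_CONF_DIR:+${RANGER_HADOOP_CONF_DIR}:}` in the `-cp` string.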
@@ -89,6 +89,10 @@ HSM_ENABLED=$(get_prop 'HSM_ENABLED' $PROPFILE) HSM_PARTITION_NAME=$(get_prop 'HSM_PARTITION_NAME' $PROPFILE) HSM_PARTITION_PASSWORD=$(get_prop 'HSM_PARTITION_PASSWORD' $PROPFILE) +kms_principal=$(get_prop 'kms_principal' $PROPFILE) +kms_keytab=$(get_prop 'kms_keytab' $PROPFILE) +hadoop_conf=$(get_prop 'hadoop_conf' $PROPFILE) + DB_HOST="${db_host}" check_ret_status(){ @@ -589,6 +593,22 @@ update_properties() { newPropertyValue="${KMS_BLACKLIST_DECRYPT_EEK}" updatePropertyToFilePy $propertyName $newPropertyValue $to_file + ########### KERBEROS CONFIG ############ + + if [ "${kms_principal}" != "" ] + then + propertyName=ranger.ks.kerberos.principal + newPropertyValue="${kms_principal}" + updatePropertyToFilePy $propertyName $newPropertyValue $to_file + fi + + if [ "${kms_keytab}" != "" ] + then + propertyName=ranger.ks.kerberos.keytab + newPropertyValue="${kms_keytab}" + updatePropertyToFilePy $propertyName $newPropertyValue $to_file + fi + ########### HSM CONFIG ################# 
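Review bot: The Kerberos block writes `ranger.ks.kerberos.principal` and `ranger.ks.kerberos.keytab` independently, so a principal without a keytab (or the reverse) is accepted silently and only fails later inside RangerKmsAuthorizer at KMS start-up. The script should warn when exactly one of `kms_principal`/`kms_keytab` is set, and when a keytab is given check it is readable by the service account, e.g. `[ -r "${kms_keytab}" ] || log "[WARN] keytab ${kms_keytab} is not readable"`. The new calls follow the file's unquoted `updatePropertyToFilePy $propertyName $newPropertyValue $to_file` form; a principal has no whitespace so it works, but `"$newPropertyValue"` would be safer. `update_properties` continues outside the hunk.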
@@ -659,6 +679,28 @@ setup_install_files(){ chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/lib fi + echo "export RANGER_HADOOP_CONF_DIR=${hadoop_conf}" > ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-kms-env-hadoopconfdir.sh + chmod a+rx ${WEBAPP_ROOT}/WEB-INF/classes/conf/ranger-kms-env-hadoopconfdir.sh + + hadoop_conf_file=${hadoop_conf}/core-site.xml + ranger_hadoop_conf_file=${WEBAPP_ROOT}/WEB-INF/classes/conf/core-site.xml + + if [ -d ${WEBAPP_ROOT}/WEB-INF/classes/conf ]; then + chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/conf + if [ "${hadoop_conf}" == "" ] + then + log "[WARN] Property hadoop_conf not found. Creating blank core-site.xml." + echo "<configuration></configuration>" > ${WEBAPP_ROOT}/WEB-INF/classes/conf/core-site.xml + else + if [ -f ${hadoop_conf_file} ]; then + ln -sf ${hadoop_conf_file} ${WEBAPP_ROOT}/WEB-INF/classes/conf/core-site.xml + else + log "[WARN] core-site.xml file not found in provided hadoop_conf path. Creating blank core-site.xml" + echo "<configuration></configuration>" > ${WEBAPP_ROOT}/WEB-INF/classes/conf/core-site.xml + fi + fi + fi + if [ -d /etc/init.d ]; then log "[I] Setting up init.d" cp ${INSTALL_DIR}/${RANGER_KMS}-initd /etc/init.d/${RANGER_KMS} http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java ---------------------------------------------------------------------- diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java index 79652f3..ada9a56 100644 --- a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java +++ b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java 
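Review bot: The blank or symlinked `core-site.xml` is created after `chown -R ${unix_user} ${WEBAPP_ROOT}/WEB-INF/classes/conf`, so it keeps the installer's ownership rather than the service account's; creating the files first and running the `chown -R` once at the end of the block avoids that. `chmod a+rx` on `ranger-kms-env-hadoopconfdir.sh`, a file that is only sourced, is wider than needed; `chmod 644` is enough for it to be read. `${hadoop_conf_file}` is used unquoted in `[ -f ... ]` and `ln -sf`, so a path containing spaces would break the test; quoting both uses is cheap. `setup_install_files` continues outside the hunk.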
@@ -63,7 +63,7 @@ public class KMSAuthenticationFilter props.setProperty(name, value); } } - String authType = props.getProperty(AUTH_TYPE); + String authType = props.getProperty(AUTH_TYPE,"simple"); if (authType.equals(PseudoAuthenticationHandler.TYPE)) { props.setProperty(AUTH_TYPE, PseudoDelegationTokenAuthenticationHandler.class.getName()); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java ---------------------------------------------------------------------- diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java index f4f9d3e..ac2b5d2 100755 --- a/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java +++ b/kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSConfiguration.java @@ -104,7 +104,7 @@ public class KMSConfiguration { } public static Configuration getACLsConf() { - return getConfiguration(false, KMS_ACLS_XML); + return getConfiguration(true, KMS_ACLS_XML); } public static boolean isACLsFileNewer(long time) { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/kms/src/main/webapp/WEB-INF/web.xml ---------------------------------------------------------------------- diff --git a/kms/src/main/webapp/WEB-INF/web.xml b/kms/src/main/webapp/WEB-INF/web.xml index 6aef672..815e2bd 100644 --- a/kms/src/main/webapp/WEB-INF/web.xml +++ b/kms/src/main/webapp/WEB-INF/web.xml 
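Review bot: `props.getProperty(AUTH_TYPE,"simple")` turns a missing `hadoop.kms.authentication.type` from a start-up failure (the NPE on the next line) into a silent fallback to pseudo authentication, which is a fail-open default for an authentication filter. If the fallback is intended, make it visible so a mis-deployed Kerberos setup is noticed: `if (props.getProperty(AUTH_TYPE) == null) { LOG.warn(AUTH_TYPE + " not set; defaulting to simple authentication"); }` (whether this class has a logger is not visible in the hunk). The enclosing method continues outside the hunk.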
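Review bot: Switching `getACLsConf()` to `getConfiguration(true, KMS_ACLS_XML)` makes the ACL configuration also load the Hadoop default resources, and nothing records why; presumably this is what lets `RangerKmsAuthorizer.authWithKerberos(conf)` read `hadoop.security.auth_to_local` and the `ranger.ks.kerberos.*` keys from the conf it is handed. A one-line comment should capture that dependency, e.g. `// load Hadoop defaults too: RangerKmsAuthorizer reads auth_to_local and the Kerberos principal/keytab from this conf`. Whether `dbks-site.xml`, where this commit places the `ranger.ks.kerberos.*` properties, is among the resources this conf loads is not visible here and worth confirming.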
@@ -33,12 +33,6 @@ </init-param> <load-on-startup>1</load-on-startup> </servlet> - - <!-- <servlet> - <servlet-name>RangerKMSStartUp</servlet-name> - <servlet-class>org.apache.ranger.kms.biz.RangerKMSStartUp</servlet-class> - <load-on-startup>2</load-on-startup> - </servlet> --> <servlet> <servlet-name>jmx-servlet</servlet-name> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java ---------------------------------------------------------------------- diff --git a/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java b/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java index 34ac4b9..75e25c2 100755 --- a/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java +++ b/plugin-kms/src/main/java/org/apache/ranger/authorization/kms/authorizer/RangerKmsAuthorizer.java @@ -19,13 +19,14 @@ package org.apache.ranger.authorization.kms.authorizer; +import java.io.IOException; +import java.net.UnknownHostException; import java.util.Date; import java.util.HashMap; import java.util.Map; import java.util.concurrent.Executors; import java.util.concurrent.ScheduledExecutorService; import java.util.concurrent.TimeUnit; - import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.crypto.key.kms.server.KMSACLsType; import org.apache.hadoop.crypto.key.kms.server.KMSConfiguration; 
@@ -35,6 +36,7 @@ import org.apache.hadoop.crypto.key.kms.server.KMSACLsType.Type; import org.apache.hadoop.crypto.key.kms.server.KeyAuthorizationKeyProvider.KeyACLs; import org.apache.hadoop.crypto.key.kms.server.KeyAuthorizationKeyProvider.KeyOpType; import org.apache.hadoop.security.AccessControlException; +import org.apache.hadoop.security.SecureClientLogin; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.authorize.AccessControlList; import org.apache.hadoop.security.authorize.AuthorizationException; @@ -52,6 +54,11 @@ import com.google.common.collect.Sets; public class RangerKmsAuthorizer implements Runnable, KeyACLs { private static final Logger LOG = LoggerFactory.getLogger(RangerKmsAuthorizer.class); + private static final String KMS_USER_PRINCIPAL = "ranger.ks.kerberos.principal"; + private static final String KMS_USER_KEYTAB = "ranger.ks.kerberos.keytab"; + + private static final String KMS_NAME_RULES = "hadoop.security.auth_to_local"; + private static final String UNAUTHORIZED_MSG_WITH_KEY = "User:%s not allowed to do '%s' on '%s'"; 
@@ -93,37 +100,39 @@ public class RangerKmsAuthorizer implements Runnable, KeyACLs { */ public static final String KEYTAB = TYPE + ".keytab"; - /** - * Constant for the configuration property that indicates the Kerberos name - * rules for the Kerberos principals. - */ - public static final String NAME_RULES = TYPE + ".name.rules"; - RangerKmsAuthorizer(Configuration conf) { LOG.info("RangerKmsAuthorizer(conf)..."); - authWithKerberos(); if (conf == null) { conf = loadACLs(); } + authWithKerberos(conf); setKMSACLs(conf); init(conf); - } - /** - * - */ - private void authWithKerberos() { - //Let's if we can create the login user UGI - Configuration kconf = new Configuration(); - kconf.addResource("kms-site.xml"); - String keytab = kconf.get("hadoop.kms.authentication.kerberos.keytab"); - String principal = kconf.get("hadoop.kms.authentication.kerberos.principal"); - String nameRules = kconf.get(NAME_RULES); - MiscUtil.authWithKerberos(keytab, principal, nameRules); - } + private void authWithKerberos(Configuration conf) { + String localHostName = null; + try { + localHostName = java.net.InetAddress.getLocalHost().getCanonicalHostName(); + } catch (UnknownHostException e1) { + LOG.warn("Error getting local host name : "+e1.getMessage()); + } + + String principal = null; + try { + principal = SecureClientLogin.getPrincipal(conf.get(KMS_USER_PRINCIPAL), localHostName); + } catch (IOException e1) { + LOG.warn("Error getting "+KMS_USER_PRINCIPAL+" : "+e1.getMessage()); + } + String keytab = conf.get(KMS_USER_KEYTAB); + String nameRules = conf.get(KMS_NAME_RULES); + if(LOG.isDebugEnabled()){ + LOG.debug("Ranger KMS Principal : "+principal+", Keytab : "+keytab+", NameRule : "+nameRules); + } + MiscUtil.authWithKerberos(keytab, principal, nameRules); + } - public RangerKmsAuthorizer() { + public RangerKmsAuthorizer() { this(null); } 
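Review bot: `authWithKerberos(Configuration)` swallows both failures: a null host name is still passed to `SecureClientLogin.getPrincipal`, and after an `IOException` a null `principal` is still handed to `MiscUtil.authWithKerberos`, so a broken Kerberos setup only surfaces as two WARN lines while the authorizer carries on and downloads policies under whatever identity is then current. Unless `MiscUtil.authWithKerberos` is known to handle a null/empty principal and keytab, return early with a clear message when either is missing, and keep the stack trace with `LOG.warn("Error getting " + KMS_USER_PRINCIPAL, e1);` instead of logging `e1.getMessage()`. The principal and keytab are now read from `conf` (the ACL configuration when `conf == null`) rather than `kms-site.xml`; that this conf contains the `ranger.ks.kerberos.*` keys defined in `dbks-site.xml` is not visible in this hunk and should be confirmed. Removing the public `NAME_RULES` constant is an API change for any external user of this class.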
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java ---------------------------------------------------------------------- diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java index 6a79433..271392b 100755 --- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java +++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java @@ -62,6 +62,8 @@ public class KMSClient { private static final String errMessage = " You can still save the repository and start creating " + "policies, but you would not be able to use autocomplete for " + "resource names. Check xa_portal.log for more info."; + + private static final String AUTH_TYPE_KERBEROS = "kerberos"; String provider; String username; @@ -69,14 +71,16 @@ public class KMSClient { String lookupPrincipal; String lookupKeytab; String nameRules; + String authType; - public KMSClient(String provider, String username, String password, String lookupPrincipal, String lookupKeytab, String nameRules) { + public KMSClient(String provider, String username, String password, String lookupPrincipal, String lookupKeytab, String nameRules, String authType) { this.provider = provider; this.username = username; this.password = password; this.lookupPrincipal = lookupPrincipal; this.lookupKeytab = lookupKeytab; this.nameRules = nameRules; + this.authType = authType; if (LOG.isDebugEnabled()) { LOG.debug("Kms Client is build with url [" + provider + "] user: [" 
@@ -155,46 +159,48 @@ public class KMSClient { String uri = providers[i] + (providers[i].endsWith("/") ? KMS_LIST_API_ENDPOINT : ("/" + KMS_LIST_API_ENDPOINT)); Client client = null; ClientResponse response = null; - boolean isKerberose = false; + boolean isKerberos = false; try { ClientConfig cc = new DefaultClientConfig(); cc.getProperties().put(ClientConfig.PROPERTY_FOLLOW_REDIRECTS, true); client = Client.create(cc); - - if(username.contains("@")){ - isKerberose = true; + + if(authType != null && authType.equalsIgnoreCase(AUTH_TYPE_KERBEROS)){ + isKerberos = true; } - if(!isKerberose){ + Subject sub = new Subject(); + if(!isKerberos){ uri = uri.concat("?user.name="+username); WebResource webResource = client.resource(uri); response = webResource.accept(EXPECTED_MIME_TYPE).get(ClientResponse.class); - }else{ - String shortName = new HadoopKerberosName(username).getShortName(); - uri = uri.concat("?doAs="+shortName); - Subject sub = new Subject(); - if(!StringUtils.isEmpty(lookupPrincipal) && !StringUtils.isEmpty(lookupKeytab) && lookupPrincipal.contains("@")){ + LOG.info("Init Login: security not enabled, using username"); + sub = SecureClientLogin.login(username); + }else{ + if(!StringUtils.isEmpty(lookupPrincipal) && !StringUtils.isEmpty(lookupKeytab)){ + LOG.info("Init Lookup Login: security enabled, using lookupPrincipal/lookupKeytab"); if(StringUtils.isEmpty(nameRules)){ nameRules = "DEFAULT"; } - LOG.info("Init Lookup Login: security enabled, using lookupPrincipal/lookupKeytab"); + String shortName = new HadoopKerberosName(lookupPrincipal).getShortName(); + uri = uri.concat("?doAs="+shortName); sub = SecureClientLogin.loginUserFromKeytab(lookupPrincipal, lookupKeytab, nameRules); } - else if (username.contains("@")) { + else{ LOG.info("Init Login: using username/password"); + String shortName = new HadoopKerberosName(username).getShortName(); + uri = uri.concat("?doAs="+shortName); sub = SecureClientLogin.loginUserWithPassword(username, password); - } else 
{ - LOG.info("Init Login: security not enabled, using username"); - sub = SecureClientLogin.login(username); - } - final WebResource webResource = client.resource(uri); - response = Subject.doAs(sub, new PrivilegedAction<ClientResponse>() { - @Override - public ClientResponse run() { - return webResource.accept(EXPECTED_MIME_TYPE).get(ClientResponse.class); - } - }); + } } + final WebResource webResource = client.resource(uri); + response = Subject.doAs(sub, new PrivilegedAction<ClientResponse>() { + @Override + public ClientResponse run() { + return webResource.accept(EXPECTED_MIME_TYPE).get(ClientResponse.class); + } + }); + if (LOG.isDebugEnabled()) { LOG.debug("getKeyList():calling " + uri); } @@ -345,8 +351,9 @@ public class KMSClient { String lookupPrincipal = configs.get("lookupprincipal"); String lookupKeytab = configs.get("lookupkeytab"); String nameRules = configs.get("namerules"); + String authType = configs.get("authtype"); - kmsClient = new KMSClient(kmsUrl, kmsUserName, kmsPassWord, lookupPrincipal, lookupKeytab, nameRules); + kmsClient = new KMSClient(kmsUrl, kmsUserName, kmsPassWord, lookupPrincipal, lookupKeytab, nameRules, authType); } return kmsClient; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSConnectionMgr.java ---------------------------------------------------------------------- diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSConnectionMgr.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSConnectionMgr.java index 5e96a1c..c247a44 100755 --- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSConnectionMgr.java +++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSConnectionMgr.java 
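Review bot: In the non-Kerberos branch the request is now issued twice: `response = webResource.accept(EXPECTED_MIME_TYPE).get(ClientResponse.class)` runs inside `if(!isKerberos)`, and after the branch the same `uri` is fetched again under `Subject.doAs(sub, ...)`, discarding the first `ClientResponse` without closing it. The two lines `WebResource webResource = client.resource(uri);` and the `response = ...get(ClientResponse.class);` that follow the `user.name` concatenation should be removed so both modes go through the single `Subject.doAs` call. `shortName` and `username` are concatenated into the query string unencoded; they come from the service configuration, but `URLEncoder.encode(..., "UTF-8")` would make the URI robust to unusual names. `getKeyList` continues outside the hunk.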
@@ -27,7 +27,7 @@ public class KMSConnectionMgr { public static final Logger LOG = Logger.getLogger(KMSConnectionMgr.class); - public static KMSClient getKMSClient(final String kmsURL, String userName, String password, String lookupPrincipal, String lookupKeytab, String nameRules) { + public static KMSClient getKMSClient(final String kmsURL, String userName, String password, String lookupPrincipal, String lookupKeytab, String nameRules, String authType) { KMSClient kmsClient = null; if (kmsURL == null || kmsURL.isEmpty()) { LOG.error("Can not create KMSClient: kmsURL is empty"); @@ -37,8 +37,9 @@ public class KMSConnectionMgr { } else if (password == null || password.isEmpty()) { LOG.error("Can not create KMSClient: kmsPassWord is empty"); } + kmsClient = new KMSClient(kmsURL, userName, password, lookupPrincipal, lookupKeytab, nameRules, authType); } else { - kmsClient = new KMSClient(kmsURL, userName, password, lookupPrincipal, lookupKeytab, nameRules); + kmsClient = new KMSClient(kmsURL, userName, password, lookupPrincipal, lookupKeytab, nameRules, authType); } return kmsClient; } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSResourceMgr.java ---------------------------------------------------------------------- diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSResourceMgr.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSResourceMgr.java index 6b96515..aa4c65a 100755 --- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSResourceMgr.java +++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSResourceMgr.java 
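Review bot: The added `kmsClient = new KMSClient(...)` sits inside the branch whose only other action is to log `Can not create KMSClient: ... is empty`, so the client is now created even when `kmsURL` is empty and the error messages no longer describe what happens. If the intent is to allow an empty password (or user) in Kerberos mode, express that in the guard — skip the password check only when `authType` is `kerberos` and a lookup principal/keytab is present — and keep an empty `kmsURL` as a hard stop that returns null. The enclosing `if` that these `else if` arms belong to lies between the two hunks and is not visible here.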
@@ -75,14 +75,15 @@ public class KMSResourceMgr { String lookupPrincipal = configs.get("lookupprincipal"); String lookupKeytab = configs.get("lookupkeytab"); String nameRules = configs.get("namerules"); - resultList = getKMSResource(url, username, password, lookupPrincipal, lookupKeytab, nameRules, kmsKeyName,kmsKeyList) ; + String authType = configs.get("authtype"); + resultList = getKMSResource(url, username, password, lookupPrincipal, lookupKeytab, nameRules, authType, kmsKeyName,kmsKeyList) ; } return resultList ; } - public static List<String> getKMSResource(String url, String username, String password, String lookupPrincipal, String lookupKeytab, String nameRules, String kmsKeyName, List<String> kmsKeyList) { + public static List<String> getKMSResource(String url, String username, String password, String lookupPrincipal, String lookupKeytab, String nameRules, String authType, String kmsKeyName, List<String> kmsKeyList) { List<String> topologyList = null; - final KMSClient KMSClient = KMSConnectionMgr.getKMSClient(url, username, password, lookupPrincipal, lookupKeytab, nameRules); + final KMSClient KMSClient = KMSConnectionMgr.getKMSClient(url, username, password, lookupPrincipal, lookupKeytab, nameRules, authType); synchronized(KMSClient){ topologyList = KMSClient.getKeyList(kmsKeyName, kmsKeyList); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java index 82dc190..2f77e2d 100755 --- a/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java 
@@ -89,7 +89,9 @@ public class KmsKeyMgr { private static Map<String, String> providerList = new HashMap<String, String>(); private static int nextProvider = 0; static final String NAME_RULES = "hadoop.security.auth_to_local"; - + static final String RANGER_AUTH_TYPE = "hadoop.security.authentication"; + private static final String KERBEROS_TYPE = "kerberos"; + @Autowired ServiceDBStore svcStore; @@ -116,7 +118,7 @@ public class KmsKeyMgr { String connProvider = null; boolean isKerberos=false; try { - isKerberos = checkKerberos(repoName); + isKerberos = checkKerberos(); } catch (Exception e1) { logger.error("checkKerberos(" + repoName + ") failed", e1); } @@ -212,7 +214,7 @@ public class KmsKeyMgr { VXKmsKey ret = null; boolean isKerberos=false; try { - isKerberos = checkKerberos(provider); + isKerberos = checkKerberos(); } catch (Exception e1) { logger.error("checkKerberos(" + provider + ") failed", e1); } @@ -264,7 +266,7 @@ public class KmsKeyMgr { } boolean isKerberos=false; try { - isKerberos = checkKerberos(provider); + isKerberos = checkKerberos(); } catch (Exception e1) { logger.error("checkKerberos(" + provider + ") failed", e1); } @@ -314,7 +316,7 @@ public class KmsKeyMgr { VXKmsKey ret = null; boolean isKerberos=false; try { - isKerberos = checkKerberos(provider); + isKerberos = checkKerberos(); } catch (Exception e1) { logger.error("checkKerberos(" + provider + ") failed", e1); } @@ -365,7 +367,7 @@ public class KmsKeyMgr { } boolean isKerberos=false; try { - isKerberos = checkKerberos(provider); + isKerberos = checkKerberos(); } catch (Exception e1) { logger.error("checkKerberos(" + provider + ") failed", e1); } 
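Review bot: The `catch` blocks still log `"checkKerberos(" + repoName + ") failed"` and `"checkKerberos(" + provider + ") failed"` although `checkKerberos()` no longer takes an argument, so the messages now suggest a per-repository check that does not happen; the same stale message is kept in all five call-site hunks. `RANGER_AUTH_TYPE = "hadoop.security.authentication"` read through `PropertiesUtil` appears to be the Ranger Admin process's own authentication mode, not the per-service `authtype` added elsewhere in this commit, so an admin running in simple mode would no longer use Kerberos toward a secured KMS even with a `user@REALM` username. If that is intended, a comment on the constant would save the next reader the detour: `// Kerberos toward KMS follows the admin's own auth mode, not the service's authtype config`.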
@@ -526,17 +528,17 @@ public class KmsKeyMgr { } private Subject getSubjectForKerberos(String provider) throws Exception{ - String userName = getKMSUserName(provider); - String password = getKMSPassword(provider); - String nameRules = PropertiesUtil.getProperty(NAME_RULES); + String userName = getKMSUserName(provider); + String password = getKMSPassword(provider); + String nameRules = PropertiesUtil.getProperty(NAME_RULES); if (StringUtils.isEmpty(nameRules)) { KerberosName.setRules("DEFAULT") ; }else{ KerberosName.setRules(nameRules); } Subject sub = new Subject(); - if (userName.contains("@")) { - sub = SecureClientLogin.loginUserWithPassword(userName, password); + if (checkKerberos()) { + sub = SecureClientLogin.loginUserWithPassword(userName, password); } else { sub = SecureClientLogin.login(userName); } @@ -557,12 +559,12 @@ public class KmsKeyMgr { return rangerService.getConfigs().get(KMS_USERNAME); } - private boolean checkKerberos(String provider) throws Exception { - String userName = getKMSUserName(provider); - if(userName.contains("@")){ + private boolean checkKerberos() throws Exception { + if(PropertiesUtil.getProperty(RANGER_AUTH_TYPE, "simple").equalsIgnoreCase(KERBEROS_TYPE)){ return true; + }else{ + return false; } - return false; } private synchronized Client getClient() { http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java index e0f22d2..b837a68 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java 
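Review bot: `checkKerberos()` returns a boolean through an `if/else` that only mirrors its condition and still declares `throws Exception` although nothing in the body can throw it (the `"simple"` default rules out a null from `PropertiesUtil.getProperty`); `return PropertiesUtil.getProperty(RANGER_AUTH_TYPE, "simple").equalsIgnoreCase(KERBEROS_TYPE);` says the same in one line, and dropping the `throws` lets the `try/catch (Exception e1)` wrappers at the call sites go too. In `getSubjectForKerberos`, `Subject sub = new Subject();` is overwritten on both branches of the following `if`; declaring `Subject sub;` and assigning in each branch avoids the dead allocation.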
@@ -91,6 +91,7 @@ public class ServiceMgr { service.getConfigs().put(HadoopConfigHolder.RANGER_LOOKUP_PRINCIPAL, lookupPrincipal); service.getConfigs().put(HadoopConfigHolder.RANGER_LOOKUP_KEYTAB, lookupKeytab); service.getConfigs().put(HadoopConfigHolder.RANGER_NAME_RULES, nameRules); + service.getConfigs().put(HadoopConfigHolder.RANGER_AUTH_TYPE, authType); } } @@ -133,6 +134,7 @@ public class ServiceMgr { service.getConfigs().put(HadoopConfigHolder.RANGER_LOOKUP_PRINCIPAL, lookupPrincipal); service.getConfigs().put(HadoopConfigHolder.RANGER_LOOKUP_KEYTAB, lookupKeytab); service.getConfigs().put(HadoopConfigHolder.RANGER_NAME_RULES, nameRules); + service.getConfigs().put(HadoopConfigHolder.RANGER_AUTH_TYPE, authType); } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/security-admin/src/main/resources/resourcenamemap.properties ---------------------------------------------------------------------- diff --git a/security-admin/src/main/resources/resourcenamemap.properties b/security-admin/src/main/resources/resourcenamemap.properties index 16bf704..e4a2edf 100644 --- a/security-admin/src/main/resources/resourcenamemap.properties +++ b/security-admin/src/main/resources/resourcenamemap.properties @@ -17,4 +17,6 @@ username=xalogin.xml keytabfile=xalogin.xml password=xalogin.xml lookupprincipal=xalogin.xml -lookupkeytab=xalogin.xml \ No newline at end of file +lookupkeytab=xalogin.xml +namerules=xalogin.xml +authtype=xalogin.xml \ No newline at end of file http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/b056c4b7/src/main/assembly/kms.xml ---------------------------------------------------------------------- diff --git a/src/main/assembly/kms.xml b/src/main/assembly/kms.xml index 44276cc..41a2754 100755 --- a/src/main/assembly/kms.xml +++ b/src/main/assembly/kms.xml 
@@ -104,6 +104,7 @@ <include>com.google.protobuf:protobuf-java:jar:${protobuf-java.version}</include> <include>org.apache.hadoop:hadoop-hdfs:jar:${hadoop.version}</include> <include>org.apache.htrace:htrace-core:jar:${htrace-core.version}</include> + <include>org.apache.ranger:ranger-plugins-common</include> </includes> </dependencySet> </dependencySets>
