Repository: incubator-ranger Updated Branches: refs/heads/master b744c8eb6 -> 2bd65f7bc
RANGER-973: Ranger Admin to perform Key operations using Principal / keytab of RangerAdmin from UI in Kerberos mode Signed-off-by: Gautam Borad <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/2bd65f7b Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/2bd65f7b Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/2bd65f7b Branch: refs/heads/master Commit: 2bd65f7bc9fa5eff9cc33d17c1218571ca756cf6 Parents: b744c8e Author: Ankita Sinha <[email protected]> Authored: Fri May 6 15:27:43 2016 +0530 Committer: Gautam Borad <[email protected]> Committed: Tue May 10 14:49:19 2016 +0530 ---------------------------------------------------------------------- .../plugin/client/HadoopConfigHolder.java | 2 + .../main/resources/resourcenamemap.properties | 2 + kms/config/kms-webapp/kms-site.xml | 16 +++++- .../ranger/services/kms/client/KMSClient.java | 24 ++++---- .../services/kms/client/KMSConnectionMgr.java | 8 +-- .../services/kms/client/KMSResourceMgr.java | 10 ++-- .../java/org/apache/ranger/biz/KmsKeyMgr.java | 10 +++- .../org/apache/ranger/biz/ServiceDBStore.java | 58 ++++++++++++++++---- .../java/org/apache/ranger/biz/ServiceMgr.java | 24 +++++++- .../java/org/apache/ranger/biz/SessionMgr.java | 18 +++++- .../resources/conf.dist/ranger-admin-site.xml | 4 ++ .../main/resources/resourcenamemap.properties | 4 +- 12 files changed, 142 insertions(+), 38 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2bd65f7b/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java ---------------------------------------------------------------------- 
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java b/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java
index 8991872..37d7e6f 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/client/HadoopConfigHolder.java
@@ -43,6 +43,8 @@ public class HadoopConfigHolder {
 public static final String RANGER_LOGIN_PASSWORD = "password" ;
 public static final String RANGER_LOOKUP_PRINCIPAL = "lookupprincipal";
 public static final String RANGER_LOOKUP_KEYTAB = "lookupkeytab";
+ public static final String RANGER_PRINCIPAL = "rangerprincipal";
+ public static final String RANGER_KEYTAB = "rangerkeytab";
 public static final String RANGER_NAME_RULES = "namerules";
 public static final String RANGER_AUTH_TYPE = "authtype";
 public static final String HADOOP_SECURITY_AUTHENTICATION = "hadoop.security.authentication";
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2bd65f7b/agents-common/src/main/resources/resourcenamemap.properties
----------------------------------------------------------------------
diff --git a/agents-common/src/main/resources/resourcenamemap.properties b/agents-common/src/main/resources/resourcenamemap.properties
index 72d78d2..f7e4d48 100644
--- a/agents-common/src/main/resources/resourcenamemap.properties
+++ b/agents-common/src/main/resources/resourcenamemap.properties
@@ -28,6 +28,8 @@ lookupprincipal=xalogin.xml
 lookupkeytab=xalogin.xml
 namerules=xalogin.xml
 authtype=xalogin.xml
+rangerprincipal=xalogin.xml
+rangerkeytab=xalogin.xml
 hbase.master.kerberos.principal=hbase-site.xml
 hbase.rpc.engine=hbase-site.xml
 hbase.rpc.protection=hbase-site.xml
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2bd65f7b/kms/config/kms-webapp/kms-site.xml
----------------------------------------------------------------------
diff --git a/kms/config/kms-webapp/kms-site.xml b/kms/config/kms-webapp/kms-site.xml
index b61d1b2..a2c4af3 100644
--- a/kms/config/kms-webapp/kms-site.xml
+++ b/kms/config/kms-webapp/kms-site.xml
@@ -174,5 +174,19 @@
 <name>hadoop.kms.security.authorization.manager</name>
 <value>org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizer</value>
 </property>
-
+
+ <property>
+ <name>hadoop.kms.proxyuser.rangeradmin.groups</name>
+ <value>*</value>
+ </property>
+
+ <property>
+ <name>hadoop.kms.proxyuser.rangeradmin.hosts</name>
+ <value>*</value>
+ </property>
+
+ <property>
+ <name>hadoop.kms.proxyuser.rangeradmin.users</name>
+ <value>*</value>
+ </property>
 </configuration>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2bd65f7b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
----------------------------------------------------------------------
diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
index 218d1e3..81b6e34 100755
--- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
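Review bot: The three new `hadoop.kms.proxyuser.rangeradmin.*` entries are all `*`, which lets anything that authenticates as `rangeradmin` impersonate any user or group from any host; `hosts` should at least be narrowed to the Ranger Admin host(s), and `users`/`groups` to the identities the Ranger UI actually needs to act as. The proxy-user short name `rangeradmin` is also hard-coded, so the grant silently has no effect if `ranger.admin.kerberos.principal` maps to a different short name under the cluster's auth_to_local rules; a `<description>` saying this must equal the short name of the Ranger Admin principal would help operators. Wildcards in a shipped default tend to survive into production, so I would rather ship a placeholder that fails closed than `*`.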
@@ -68,17 +68,17 @@ public class KMSClient { String provider; String username; String password; - String lookupPrincipal; - String lookupKeytab; + String rangerPrincipal; + String rangerKeytab; String nameRules; String authType; - public KMSClient(String provider, String username, String password, String lookupPrincipal, String lookupKeytab, String nameRules, String authType) { + public KMSClient(String provider, String username, String password, String rangerPrincipal, String rangerKeytab, String nameRules, String authType) { this.provider = provider; this.username = username; this.password = password; - this.lookupPrincipal = lookupPrincipal; - this.lookupKeytab = lookupKeytab; + this.rangerPrincipal = rangerPrincipal; + this.rangerKeytab = rangerKeytab; this.nameRules = nameRules; this.authType = authType; @@ -177,14 +177,14 @@ public class KMSClient { LOG.info("Init Login: security not enabled, using username"); sub = SecureClientLogin.login(username); }else{ - if(!StringUtils.isEmpty(lookupPrincipal) && !StringUtils.isEmpty(lookupKeytab)){ - LOG.info("Init Lookup Login: security enabled, using lookupPrincipal/lookupKeytab"); + if(!StringUtils.isEmpty(rangerPrincipal) && !StringUtils.isEmpty(rangerKeytab)){ + LOG.info("Init Lookup Login: security enabled, using rangerPrincipal/rangerKeytab"); if(StringUtils.isEmpty(nameRules)){ nameRules = "DEFAULT"; } - String shortName = new HadoopKerberosName(lookupPrincipal).getShortName(); + String shortName = new HadoopKerberosName(rangerPrincipal).getShortName(); uri = uri.concat("?doAs="+shortName); - sub = SecureClientLogin.loginUserFromKeytab(lookupPrincipal, lookupKeytab, nameRules); + sub = SecureClientLogin.loginUserFromKeytab(rangerPrincipal, rangerKeytab, nameRules); } else{ LOG.info("Init Login: using username/password"); 
@@ -348,12 +348,12 @@ public class KMSClient { String kmsUrl = configs.get("provider"); String kmsUserName = configs.get("username"); String kmsPassWord = configs.get("password"); - String lookupPrincipal = configs.get("lookupprincipal"); - String lookupKeytab = configs.get("lookupkeytab"); + String rangerPrincipal = configs.get("rangerprincipal"); + String rangerKeytab = configs.get("rangerkeytab"); String nameRules = configs.get("namerules"); String authType = configs.get("authtype"); - kmsClient = new KMSClient(kmsUrl, kmsUserName, kmsPassWord, lookupPrincipal, lookupKeytab, nameRules, authType); + kmsClient = new KMSClient(kmsUrl, kmsUserName, kmsPassWord, rangerPrincipal, rangerKeytab, nameRules, authType); } return kmsClient; http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2bd65f7b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSConnectionMgr.java ---------------------------------------------------------------------- diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSConnectionMgr.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSConnectionMgr.java index c247a44..e5d718b 100755 --- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSConnectionMgr.java +++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSConnectionMgr.java 
@@ -27,19 +27,19 @@ public class KMSConnectionMgr { public static final Logger LOG = Logger.getLogger(KMSConnectionMgr.class); - public static KMSClient getKMSClient(final String kmsURL, String userName, String password, String lookupPrincipal, String lookupKeytab, String nameRules, String authType) { + public static KMSClient getKMSClient(final String kmsURL, String userName, String password, String rangerPrincipal, String rangerKeytab, String nameRules, String authType) { KMSClient kmsClient = null; if (kmsURL == null || kmsURL.isEmpty()) { LOG.error("Can not create KMSClient: kmsURL is empty"); - } else if(StringUtils.isEmpty(lookupPrincipal)){ + } else if(StringUtils.isEmpty(rangerPrincipal)){ if(userName == null || userName.isEmpty()) { LOG.error("Can not create KMSClient: kmsuserName is empty"); } else if (password == null || password.isEmpty()) { LOG.error("Can not create KMSClient: kmsPassWord is empty"); } - kmsClient = new KMSClient(kmsURL, userName, password, lookupPrincipal, lookupKeytab, nameRules, authType); + kmsClient = new KMSClient(kmsURL, userName, password, rangerPrincipal, rangerKeytab, nameRules, authType); } else { - kmsClient = new KMSClient(kmsURL, userName, password, lookupPrincipal, lookupKeytab, nameRules, authType); + kmsClient = new KMSClient(kmsURL, userName, password, rangerPrincipal, rangerKeytab, nameRules, authType); } return kmsClient; } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2bd65f7b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSResourceMgr.java ---------------------------------------------------------------------- diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSResourceMgr.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSResourceMgr.java index aa4c65a..e61d0bc 100755 --- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSResourceMgr.java 
+++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSResourceMgr.java @@ -72,18 +72,18 @@ public class KMSResourceMgr { String url = configs.get("provider"); String username = configs.get("username"); String password = configs.get("password"); - String lookupPrincipal = configs.get("lookupprincipal"); - String lookupKeytab = configs.get("lookupkeytab"); + String rangerPrincipal = configs.get("rangerprincipal"); + String rangerKeytab = configs.get("rangerkeytab"); String nameRules = configs.get("namerules"); String authType = configs.get("authtype"); - resultList = getKMSResource(url, username, password, lookupPrincipal, lookupKeytab, nameRules, authType, kmsKeyName,kmsKeyList) ; + resultList = getKMSResource(url, username, password, rangerPrincipal, rangerKeytab, nameRules, authType, kmsKeyName,kmsKeyList) ; } return resultList ; } - public static List<String> getKMSResource(String url, String username, String password, String lookupPrincipal, String lookupKeytab, String nameRules, String authType, String kmsKeyName, List<String> kmsKeyList) { + public static List<String> getKMSResource(String url, String username, String password, String rangerPrincipal, String rangerKeytab, String nameRules, String authType, String kmsKeyName, List<String> kmsKeyList) { List<String> topologyList = null; - final KMSClient KMSClient = KMSConnectionMgr.getKMSClient(url, username, password, lookupPrincipal, lookupKeytab, nameRules, authType); + final KMSClient KMSClient = KMSConnectionMgr.getKMSClient(url, username, password, rangerPrincipal, rangerKeytab, nameRules, authType); synchronized(KMSClient){ topologyList = KMSClient.getKeyList(kmsKeyName, kmsKeyList); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2bd65f7b/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java ---------------------------------------------------------------------- 
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java index 2f77e2d..fb09542 100755 --- a/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java @@ -91,6 +91,9 @@ public class KmsKeyMgr { static final String NAME_RULES = "hadoop.security.auth_to_local"; static final String RANGER_AUTH_TYPE = "hadoop.security.authentication"; private static final String KERBEROS_TYPE = "kerberos"; + private static final String ADMIN_USER_PRINCIPAL = "ranger.admin.kerberos.principal"; + private static final String ADMIN_USER_KEYTAB = "ranger.admin.kerberos.keytab"; + static final String HOST_NAME = "ranger.service.host"; @Autowired ServiceDBStore svcStore; @@ -537,8 +540,13 @@ public class KmsKeyMgr { KerberosName.setRules(nameRules); } Subject sub = new Subject(); + String rangerPrincipal = SecureClientLogin.getPrincipal(PropertiesUtil.getProperty(ADMIN_USER_PRINCIPAL), PropertiesUtil.getProperty(HOST_NAME)); if (checkKerberos()) { - sub = SecureClientLogin.loginUserWithPassword(userName, password); + if(SecureClientLogin.isKerberosCredentialExists(rangerPrincipal, PropertiesUtil.getProperty(ADMIN_USER_KEYTAB))){ + sub = SecureClientLogin.loginUserFromKeytab(rangerPrincipal, PropertiesUtil.getProperty(ADMIN_USER_KEYTAB), nameRules); + }else{ + sub = SecureClientLogin.loginUserWithPassword(userName, password); + } } else { sub = SecureClientLogin.login(userName); } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2bd65f7b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java index ab0798b..321ab5e 100644 
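Review bot: With the new branch in `KmsKeyMgr`, key operations reach KMS authenticated as the Ranger Admin principal; unless the request also carries `doAs=<logged-in user>` (not visible in this hunk), KMS will authorize each operation against rangeradmin's own privileges rather than the UI user's, and the proxyuser entries added to kms-site.xml only matter if that impersonation is actually requested — please confirm how the acting user is propagated. The fallback to `loginUserWithPassword(userName, password)` when the keytab is absent is silent even though `checkKerberos()` is true; that is a credential downgrade worth a log line, e.g. `LOG.warn("Ranger Admin keytab not found; falling back to username/password login for KMS");`. `SecureClientLogin.getPrincipal(...)` is now evaluated before `checkKerberos()`, so it also runs in simple-auth deployments where `ranger.admin.kerberos.principal` is typically unset — confirm it tolerates a null principal. The enclosing method starts and ends outside the hunk.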
--- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java @@ -99,9 +99,12 @@ import org.apache.poi.ss.usermodel.Workbook; public class ServiceDBStore extends AbstractServiceStore { private static final Log LOG = LogFactory.getLog(ServiceDBStore.class); public static final String RANGER_TAG_EXPIRY_CONDITION_NAME = "accessed-after-expiry"; + private static final String ADMIN_USER_PRINCIPAL = "ranger.admin.kerberos.principal"; + private static final String ADMIN_USER_KEYTAB = "ranger.admin.kerberos.keytab"; private static final String LOOKUP_PRINCIPAL = "ranger.lookup.kerberos.principal"; private static final String LOOKUP_KEYTAB = "ranger.lookup.kerberos.keytab"; static final String RANGER_AUTH_TYPE = "hadoop.security.authentication"; + private static final String AMBARI_SERVICE_CHECK_USER = "ambari.service.check.user"; private static final String KERBEROS_TYPE = "kerberos"; @@ -153,8 +156,7 @@ public class ServiceDBStore extends AbstractServiceStore { @Autowired RangerFactory factory; - - + private static volatile boolean legacyServiceDefsInitDone = false; private Boolean populateExistingBaseFields = false; @@ -2294,6 +2296,12 @@ public class ServiceDBStore extends AbstractServiceStore { } private void createDefaultPolicy(XXService createdService, VXUser vXUser, List<RangerResourceDef> resourceHierarchy, int num) throws Exception { + String adminPrincipal = PropertiesUtil.getProperty(ADMIN_USER_PRINCIPAL); + String adminKeytab = PropertiesUtil.getProperty(ADMIN_USER_KEYTAB); + String authType = PropertiesUtil.getProperty(RANGER_AUTH_TYPE); + String lookupPrincipal = PropertiesUtil.getProperty(LOOKUP_PRINCIPAL); + String lookupKeytab = PropertiesUtil.getProperty(LOOKUP_KEYTAB); + RangerPolicy policy = new RangerPolicy(); String policyName=createdService.getName()+"-"+num+"-"+DateUtil.dateToString(DateUtil.getUTCDate(),"yyyyMMddHHmmss"); 
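Review bot: `adminPrincipal` is read raw from `ranger.admin.kerberos.principal` at the top of `createDefaultPolicy`, whereas `KmsKeyMgr` and `ServiceMgr` in this same commit pass it through `SecureClientLogin.getPrincipal(..., PropertiesUtil.getProperty(HOST_NAME))` first; if that helper substitutes a host placeholder, `getLookupUser(authType, adminPrincipal, adminKeytab)` gets the unexpanded principal and the admin user may silently not be added to the default KMS policy. Using the same expansion here — `String adminPrincipal = SecureClientLogin.getPrincipal(PropertiesUtil.getProperty(ADMIN_USER_PRINCIPAL), PropertiesUtil.getProperty(HOST_NAME));` (declaring `HOST_NAME = "ranger.service.host"` as the other two classes do, if ServiceDBStore lacks it) — keeps the three call sites consistent. `createDefaultPolicy` continues past the end of this hunk.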
@@ -2312,13 +2320,44 @@ public class ServiceDBStore extends AbstractServiceStore { List<String> users = new ArrayList<String>(); users.add(vXUser.getName()); - VXUser vXLookupUser = getLookupUser(); - if(vXLookupUser != null){ + VXUser vXLookupUser = getLookupUser(authType, lookupPrincipal, lookupKeytab); + + XXService xService = daoMgr.getXXService().findByName(createdService.getName()); + XXServiceDef xServiceDef = daoMgr.getXXServiceDef().getById(xService.getType()); + if (StringUtils.equals(xServiceDef.getImplclassname(), EmbeddedServiceDefsUtil.KMS_IMPL_CLASS_NAME)){ + VXUser vXAdminUser = getLookupUser(authType, adminPrincipal, adminKeytab); + if(vXAdminUser != null){ + users.add(vXAdminUser.getName()); + } + }else if(vXLookupUser != null){ users.add(vXLookupUser.getName()); + }else{ + // do nothing } - UserSessionBase usb = ContextUtil.getCurrentUserSession(); - if (usb != null && usb.isSpnegoEnabled()) { - users.add(usb.getLoginId()); + + RangerService rangerService = getServiceByName(createdService.getName()); + if (rangerService != null){ + Map<String, String> map = rangerService.getConfigs(); + if (map != null && map.containsKey(AMBARI_SERVICE_CHECK_USER)){ + String userNames = map.get(AMBARI_SERVICE_CHECK_USER); + String[] userList = userNames.split(","); + if(userList != null){ + for (String userName : userList) { + if(!StringUtils.isEmpty(userName)){ + XXUser xxUser = daoMgr.getXXUser().findByUserName(userName); + if (xxUser != null) { + vXUser = xUserService.populateViewBean(xxUser); + } else { + vXUser = xUserMgr.createServiceConfigUser(userName); + LOG.info("Creating Ambari Service Check User : "+vXUser.getName()); + } + if(vXUser != null){ + users.add(vXUser.getName()); + } + } + } + } + } } policyItem.setUsers(users); 
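Review bot: The `ambari.service.check.user` handling turns a comma-separated string in the service config into a direct privilege grant: every listed name is added to the default policy's users and auto-created via `createServiceConfigUser` if it does not exist, which for a KMS service means key access. Names are not trimmed before lookup/creation, so `"a, b"` creates a user literally named `" b"` and grants it; apply `userName = userName.trim();` before `findByUserName`, and drop the `userList != null` check since `split` never returns null. I would also log the policy grant alongside the user-creation log so the audit trail shows who was added and from which config key. `createDefaultPolicy` continues outside this hunk.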
@@ -2339,11 +2378,8 @@ public class ServiceDBStore extends AbstractServiceStore { policy = createPolicy(policy); } - private VXUser getLookupUser() { + private VXUser getLookupUser(String authType, String lookupPrincipal, String lookupKeytab) { VXUser vXUser = null; - String authType = PropertiesUtil.getProperty(RANGER_AUTH_TYPE); - String lookupPrincipal = PropertiesUtil.getProperty(LOOKUP_PRINCIPAL); - String lookupKeytab = PropertiesUtil.getProperty(LOOKUP_KEYTAB); if(!StringUtils.isEmpty(authType) && authType.equalsIgnoreCase(KERBEROS_TYPE)){ if(SecureClientLogin.isKerberosCredentialExists(lookupPrincipal, lookupKeytab)){ KerberosName krbName = new KerberosName(lookupPrincipal); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2bd65f7b/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java index b837a68..0059884 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java @@ -59,6 +59,8 @@ public class ServiceMgr { private static final String LOOKUP_PRINCIPAL = "ranger.lookup.kerberos.principal"; private static final String LOOKUP_KEYTAB = "ranger.lookup.kerberos.keytab"; + private static final String ADMIN_USER_PRINCIPAL = "ranger.admin.kerberos.principal"; + private static final String ADMIN_USER_KEYTAB = "ranger.admin.kerberos.keytab"; private static final String AUTHENTICATION_TYPE = "hadoop.security.authentication"; private static final String KERBEROS_TYPE = "kerberos"; static final String NAME_RULES = "hadoop.security.auth_to_local"; 
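Review bot: `getLookupUser` is now also called with the Ranger Admin principal and keytab, so its name no longer describes what it does; either rename it (it is private) to something like `getKerberosUser` or give it a Javadoc such as `/** Resolves the Ranger-side user for a Kerberos principal/keytab pair (lookup or admin); returns null unless authType is kerberos and the credential exists. */`. The method body continues outside the hunk.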
@@ -85,13 +87,23 @@ public class ServiceMgr { String lookupPrincipal = SecureClientLogin.getPrincipal(PropertiesUtil.getProperty(LOOKUP_PRINCIPAL), PropertiesUtil.getProperty(HOST_NAME)); String lookupKeytab = PropertiesUtil.getProperty(LOOKUP_KEYTAB); String nameRules = PropertiesUtil.getProperty(NAME_RULES); + String rangerPrincipal = SecureClientLogin.getPrincipal(PropertiesUtil.getProperty(ADMIN_USER_PRINCIPAL), PropertiesUtil.getProperty(HOST_NAME)); + String rangerkeytab = PropertiesUtil.getProperty(ADMIN_USER_KEYTAB); if(!StringUtils.isEmpty(authType) && authType.trim().equalsIgnoreCase(KERBEROS_TYPE) && SecureClientLogin.isKerberosCredentialExists(lookupPrincipal, lookupKeytab)){ if(service != null && service.getConfigs() != null){ service.getConfigs().put(HadoopConfigHolder.RANGER_LOOKUP_PRINCIPAL, lookupPrincipal); service.getConfigs().put(HadoopConfigHolder.RANGER_LOOKUP_KEYTAB, lookupKeytab); service.getConfigs().put(HadoopConfigHolder.RANGER_NAME_RULES, nameRules); - service.getConfigs().put(HadoopConfigHolder.RANGER_AUTH_TYPE, authType); + service.getConfigs().put(HadoopConfigHolder.RANGER_AUTH_TYPE, authType); + } + } + if(!StringUtils.isEmpty(authType) && authType.trim().equalsIgnoreCase(KERBEROS_TYPE) && SecureClientLogin.isKerberosCredentialExists(rangerPrincipal, rangerkeytab)){ + if(service != null && service.getConfigs() != null){ + service.getConfigs().put(HadoopConfigHolder.RANGER_PRINCIPAL, rangerPrincipal); + service.getConfigs().put(HadoopConfigHolder.RANGER_KEYTAB, rangerkeytab); + service.getConfigs().put(HadoopConfigHolder.RANGER_NAME_RULES, nameRules); + service.getConfigs().put(HadoopConfigHolder.RANGER_AUTH_TYPE, authType); } } 
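Review bot: The second block writes the Ranger Admin principal and keytab path into `service.getConfigs()` for every service type, although only the KMS client reads `rangerprincipal`/`rangerkeytab`; if this map is the one that gets persisted and later returned by the service REST API (the `getConfigsWithDecryptedPassword` call in the sibling hunk suggests it is), the admin keytab location ends up stored in each service definition and visible to anyone who can read it. Restrict the injection to the KMS service def and prefer adding the entries to a transient copy of the config map rather than the stored one. The two `if` blocks are also identical apart from the key names and re-evaluate the same `authType` condition, so they could share one helper. The enclosing method starts outside the hunk.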
@@ -128,6 +140,8 @@ public class ServiceMgr { String lookupPrincipal = SecureClientLogin.getPrincipal(PropertiesUtil.getProperty(LOOKUP_PRINCIPAL), PropertiesUtil.getProperty(HOST_NAME)); String lookupKeytab = PropertiesUtil.getProperty(LOOKUP_KEYTAB); String nameRules = PropertiesUtil.getProperty(NAME_RULES); + String rangerPrincipal = SecureClientLogin.getPrincipal(PropertiesUtil.getProperty(ADMIN_USER_PRINCIPAL), PropertiesUtil.getProperty(HOST_NAME)); + String rangerkeytab = PropertiesUtil.getProperty(ADMIN_USER_KEYTAB); if(!StringUtils.isEmpty(authType) && authType.trim().equalsIgnoreCase(KERBEROS_TYPE) && SecureClientLogin.isKerberosCredentialExists(lookupPrincipal, lookupKeytab)){ if(service != null && service.getConfigs() != null){ @@ -137,6 +151,14 @@ public class ServiceMgr { service.getConfigs().put(HadoopConfigHolder.RANGER_AUTH_TYPE, authType); } } + if(!StringUtils.isEmpty(authType) && authType.trim().equalsIgnoreCase(KERBEROS_TYPE) && SecureClientLogin.isKerberosCredentialExists(rangerPrincipal, rangerkeytab)){ + if(service != null && service.getConfigs() != null){ + service.getConfigs().put(HadoopConfigHolder.RANGER_PRINCIPAL, rangerPrincipal); + service.getConfigs().put(HadoopConfigHolder.RANGER_KEYTAB, rangerkeytab); + service.getConfigs().put(HadoopConfigHolder.RANGER_NAME_RULES, nameRules); + service.getConfigs().put(HadoopConfigHolder.RANGER_AUTH_TYPE, authType); + } + } Map<String, String> newConfigs = rangerSvcService.getConfigsWithDecryptedPassword(service); service.setConfigs(newConfigs); http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2bd65f7b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java index 106d910..6fcf754 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java 
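Review bot: The lookup-credential and admin-credential injection blocks are now duplicated verbatim between this method and the one in the previous hunk, each re-checking `authType` and re-reading the properties; extract a private helper that does both once and call it from both places (`service` appears to be a `RangerService` here, adjust the type if not). Sketch below; `nameRules` and `authType` stay as the callers already compute them. Both enclosing methods start outside the hunks.
```java
private void addKerberosCredentials(RangerService service, String authType, String nameRules) {
    if (service == null || service.getConfigs() == null
            || StringUtils.isEmpty(authType) || !authType.trim().equalsIgnoreCase(KERBEROS_TYPE)) {
        return;
    }
    String hostName = PropertiesUtil.getProperty(HOST_NAME);
    String lookupPrincipal = SecureClientLogin.getPrincipal(PropertiesUtil.getProperty(LOOKUP_PRINCIPAL), hostName);
    String lookupKeytab = PropertiesUtil.getProperty(LOOKUP_KEYTAB);
    if (SecureClientLogin.isKerberosCredentialExists(lookupPrincipal, lookupKeytab)) {
        service.getConfigs().put(HadoopConfigHolder.RANGER_LOOKUP_PRINCIPAL, lookupPrincipal);
        service.getConfigs().put(HadoopConfigHolder.RANGER_LOOKUP_KEYTAB, lookupKeytab);
        service.getConfigs().put(HadoopConfigHolder.RANGER_NAME_RULES, nameRules);
        service.getConfigs().put(HadoopConfigHolder.RANGER_AUTH_TYPE, authType);
    }
    String rangerPrincipal = SecureClientLogin.getPrincipal(PropertiesUtil.getProperty(ADMIN_USER_PRINCIPAL), hostName);
    String rangerKeytab = PropertiesUtil.getProperty(ADMIN_USER_KEYTAB);
    if (SecureClientLogin.isKerberosCredentialExists(rangerPrincipal, rangerKeytab)) {
        service.getConfigs().put(HadoopConfigHolder.RANGER_PRINCIPAL, rangerPrincipal);
        service.getConfigs().put(HadoopConfigHolder.RANGER_KEYTAB, rangerKeytab);
        service.getConfigs().put(HadoopConfigHolder.RANGER_NAME_RULES, nameRules);
        service.getConfigs().put(HadoopConfigHolder.RANGER_AUTH_TYPE, authType);
    }
}
```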
+++ b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java @@ -31,11 +31,13 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpSession; import org.apache.commons.collections.CollectionUtils; +import org.apache.commons.lang.StringUtils; import org.apache.commons.lang.time.DateUtils; import org.apache.log4j.Logger; import org.apache.ranger.common.DateUtil; import org.apache.ranger.common.HTTPUtil; import org.apache.ranger.common.MessageEnums; +import org.apache.ranger.common.PropertiesUtil; import org.apache.ranger.common.RESTErrorUtil; import org.apache.ranger.common.RangerCommonEnums; import org.apache.ranger.common.RangerConstants; 
@@ -152,8 +154,20 @@ public class SessionMgr { if (session.getAttribute("auditLoginId") == null) { synchronized (session) { if (session.getAttribute("auditLoginId") == null) { - gjAuthSession = storeAuthSession(gjAuthSession); - session.setAttribute("auditLoginId", gjAuthSession.getId()); + boolean isDownloadLogEnabled = PropertiesUtil.getBooleanProperty("ranger.downloadpolicy.session.log.enabled", false); + if (isDownloadLogEnabled){ + gjAuthSession = storeAuthSession(gjAuthSession); + session.setAttribute("auditLoginId", gjAuthSession.getId()); + } + else if (!StringUtils.isEmpty(httpRequest.getRequestURI()) && !(httpRequest.getRequestURI().contains("/secure/policies/download/") || httpRequest.getRequestURI().contains("/secure/download/"))){ + gjAuthSession = storeAuthSession(gjAuthSession); + session.setAttribute("auditLoginId", gjAuthSession.getId()); + }else if (StringUtils.isEmpty(httpRequest.getRequestURI())){ + gjAuthSession = storeAuthSession(gjAuthSession); + session.setAttribute("auditLoginId", gjAuthSession.getId()); + }else{ + //do not log the details for download policy and tag + } } } } http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2bd65f7b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml ---------------------------------------------------------------------- diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml index e3f9f03..54bad58 100644 --- a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml +++ b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml 
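Review bot: The download-request test uses `getRequestURI().contains(...)`, so any URI that merely embeds `/secure/download/` or `/secure/policies/download/` somewhere in its path is exempted from auth-session recording, not only the plugin download endpoints; a path-prefix match against the servlet path would be tighter. Separately, the three branches that store the session have identical bodies and the empty-URI case is handled in two of them; the same behaviour reads as a single boolean, shown below. Operators should also be told that with the default `false` the sessions created by plugin policy/tag downloads are no longer stored, which is a detection gap — the trailing `else` comment could say `// intentionally not recorded: plugin download sessions are high-volume; enable via ranger.downloadpolicy.session.log.enabled`. The enclosing method starts outside the hunk.
```java
boolean isDownloadLogEnabled = PropertiesUtil.getBooleanProperty("ranger.downloadpolicy.session.log.enabled", false);
String requestUri = httpRequest.getRequestURI();
// plugin policy/tag download requests are only recorded when explicitly enabled
boolean isDownloadRequest = !StringUtils.isEmpty(requestUri)
        && (requestUri.contains("/secure/policies/download/") || requestUri.contains("/secure/download/"));
if (isDownloadLogEnabled || !isDownloadRequest) {
    gjAuthSession = storeAuthSession(gjAuthSession);
    session.setAttribute("auditLoginId", gjAuthSession.getId());
}
```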
@@ -275,4 +275,8 @@
 <name>ranger.supportedcomponents</name>
 <value></value>
 </property>
+ <property>
+ <name>ranger.downloadpolicy.session.log.enabled</name>
+ <value>false</value>
+ </property>
 </configuration>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/2bd65f7b/security-admin/src/main/resources/resourcenamemap.properties
----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/resourcenamemap.properties b/security-admin/src/main/resources/resourcenamemap.properties
index e4a2edf..a5497fc 100644
--- a/security-admin/src/main/resources/resourcenamemap.properties
+++ b/security-admin/src/main/resources/resourcenamemap.properties
@@ -19,4 +19,6 @@ password=xalogin.xml
 lookupprincipal=xalogin.xml
 lookupkeytab=xalogin.xml
 namerules=xalogin.xml
-authtype=xalogin.xml
\ No newline at end of file
+authtype=xalogin.xml
+rangerprincipal=xalogin.xml
+rangerkeytab=xalogin.xml
\ No newline at end of file
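Review bot: The new `ranger.downloadpolicy.session.log.enabled` property ships without a `<description>`, and its effect — when `false`, authenticated plugin policy/tag download requests no longer create auth-session records — is exactly what an operator tuning audit coverage needs to see in the config file. I would add `<description>When false (default), sessions created by plugin policy/tag download requests (/secure/policies/download/, /secure/download/) are not recorded in the auth session audit; set to true to record them.</description>` inside the property.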
