Repository: incubator-ranger Updated Branches: refs/heads/master 0102cdbde -> be7465968
RANGER-990 : Automate setting Proxy User in Ranger KMS Signed-off-by: Velmurugan Periasamy <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/88d82ae1 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/88d82ae1 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/88d82ae1 Branch: refs/heads/master Commit: 88d82ae173cc0bd0ba78cc79b6d0b8cf728beabc Parents: 0102cdb Author: Ankita Sinha <[email protected]> Authored: Thu May 19 15:20:15 2016 +0530 Committer: Velmurugan Periasamy <[email protected]> Committed: Mon May 23 14:05:48 2016 -0400 ---------------------------------------------------------------------- .../ranger/server/tomcat/EmbeddedServer.java | 80 ++++++++++++-------- kms/config/kms-webapp/kms-site.xml | 6 +- .../org/apache/hadoop/crypto/key/RangerHSM.java | 43 ++++++----- .../filter/RangerKRBAuthenticationFilter.java | 2 + .../filter/RangerSSOAuthenticationFilter.java | 2 +- 5 files changed, 77 insertions(+), 56 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/88d82ae1/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java ---------------------------------------------------------------------- diff --git a/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java b/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java index 19e944b..a74f8d1 100644 --- a/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java +++ b/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java 
@@ -214,40 +214,54 @@ public class EmbeddedServer { lce.printStackTrace(); } - String keytab = getConfig(ADMIN_USER_KEYTAB); -// String principal = getConfig(ADMIN_USER_PRINCIPAL); - String principal = null; - try { - principal = SecureClientLogin.getPrincipal(getConfig(ADMIN_USER_PRINCIPAL), hostName); - } catch (IOException ignored) { - // do nothing - } - String nameRules = getConfig(ADMIN_NAME_RULES); - if(getConfig(AUTHENTICATION_TYPE) != null && getConfig(AUTHENTICATION_TYPE).trim().equalsIgnoreCase(AUTH_TYPE_KERBEROS) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)){ - try{ - LOG.info("Provided Kerberos Credential : Principal = "+principal+" and Keytab = "+keytab); - Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules) ; - Subject.doAs(sub, new PrivilegedAction<Void>() { - @Override - public Void run() { - try{ - LOG.info("Starting Server using kerberos crendential"); - server.start(); - server.getServer().await(); - shutdownServer(); - }catch (LifecycleException e) { - LOG.severe("Tomcat Server failed to start:" + e.toString()); - e.printStackTrace(); - }catch (Exception e) { - LOG.severe("Tomcat Server failed to start:" + e.toString()); - e.printStackTrace(); + if(getConfig("logdir") != null){ + String keytab = getConfig(ADMIN_USER_KEYTAB); + // String principal = getConfig(ADMIN_USER_PRINCIPAL); + String principal = null; + try { + principal = SecureClientLogin.getPrincipal(getConfig(ADMIN_USER_PRINCIPAL), hostName); + } catch (IOException ignored) { + // do nothing + } + String nameRules = getConfig(ADMIN_NAME_RULES); + if(getConfig(AUTHENTICATION_TYPE) != null && getConfig(AUTHENTICATION_TYPE).trim().equalsIgnoreCase(AUTH_TYPE_KERBEROS) && SecureClientLogin.isKerberosCredentialExists(principal, keytab)){ + try{ + LOG.info("Provided Kerberos Credential : Principal = "+principal+" and Keytab = "+keytab); + Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules) ; + Subject.doAs(sub, 
new PrivilegedAction<Void>() { + @Override + public Void run() { + try{ + LOG.info("Starting Server using kerberos crendential"); + server.start(); + server.getServer().await(); + shutdownServer(); + }catch (LifecycleException e) { + LOG.severe("Tomcat Server failed to start:" + e.toString()); + e.printStackTrace(); + }catch (Exception e) { + LOG.severe("Tomcat Server failed to start:" + e.toString()); + e.printStackTrace(); + } + return null; } - return null; - } - }); - }catch(Exception e){ - LOG.severe("Tomcat Server failed to start:" + e.toString()); - e.printStackTrace(); + }); + }catch(Exception e){ + LOG.severe("Tomcat Server failed to start:" + e.toString()); + e.printStackTrace(); + } + }else{ + try{ + server.start(); + server.getServer().await(); + shutdownServer(); + } catch (LifecycleException e) { + LOG.severe("Tomcat Server failed to start:" + e.toString()); + e.printStackTrace(); + } catch (Exception e) { + LOG.severe("Tomcat Server failed to start:" + e.toString()); + e.printStackTrace(); + } } }else{ try{ http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/88d82ae1/kms/config/kms-webapp/kms-site.xml ---------------------------------------------------------------------- diff --git a/kms/config/kms-webapp/kms-site.xml b/kms/config/kms-webapp/kms-site.xml index a2c4af3..5f2575a 100644 --- a/kms/config/kms-webapp/kms-site.xml +++ b/kms/config/kms-webapp/kms-site.xml 
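Review bot: The new `if(getConfig("logdir") != null){` guard decides whether the Kerberos keytab login happens at all, yet when the key is absent the new `}else{` branch goes straight to `server.start()` and logs nothing, so a deployment with `AUTHENTICATION_TYPE` set to kerberos and valid credentials would start without the keytab login and leave no trace of why that path was skipped. The key is also a bare literal while every other configuration key in the hunk (`ADMIN_USER_KEYTAB`, `AUTHENTICATION_TYPE`, `ADMIN_NAME_RULES`) is a named constant, and the link between a log directory and Kerberos login is not evident from the code; declare it as a constant with a comment stating what its presence signifies (presumably which web application is being hosted — confirm) and add `LOG.info("logdir not configured; starting server without Kerberos login");` at the top of the else branch. The start/await/shutdownServer sequence with its two identical catch blocks now appears twice in this hunk (inside the PrivilegedAction and in the new else branch); a private `startAndAwait()` helper would remove the duplication. The enclosing method starts before and ends after this hunk.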
@@ -176,17 +176,17 @@ </property> <property> - <name>hadoop.kms.proxyuser.rangeradmin.groups</name> + <name>hadoop.kms.proxyuser.ranger.groups</name> <value>*</value> </property> <property> - <name>hadoop.kms.proxyuser.rangeradmin.hosts</name> + <name>hadoop.kms.proxyuser.ranger.hosts</name> <value>*</value> </property> <property> - <name>hadoop.kms.proxyuser.rangeradmin.users</name> + <name>hadoop.kms.proxyuser.ranger.users</name> <value>*</value> </property> </configuration> http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/88d82ae1/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java ---------------------------------------------------------------------- diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java index 6ab91d9..b937f0c 100644 --- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java +++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerHSM.java @@ -69,6 +69,7 @@ public class RangerHSM implements RangerKMSMKI { logger.debug("Loading HSM tokenlabel : "+partitionName); myStore = KeyStore.getInstance("Luna"); myStore.load(is1, passwd.toCharArray()); + if(myStore == null){ logger.error("Luna not found. Please verify the Ranger KMS HSM configuration setup."); } } catch (KeyStoreException kse) { logger.error("Unable to create keystore object : "+kse.getMessage()); } catch (NoSuchAlgorithmException nsae) { @@ -82,7 +83,7 @@ public class RangerHSM implements RangerKMSMKI { @Override public boolean generateMasterKey(String password) throws Throwable { - if(myStore.size() < 1){ + if(myStore != null && myStore.size() < 1){ KeyGenerator keyGen = null; SecretKey aesKey = null; try { 
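Review bot: The added `if(myStore == null){ logger.error("Luna not found. ..."); }` in the RangerHSM keystore-loading hunk (@@ -69,6 +69,7 @@) cannot fire: `KeyStore.getInstance("Luna")` throws `KeyStoreException` rather than returning null, and a null `myStore` would already have thrown on the preceding `myStore.load(is1, passwd.toCharArray());` line, so the "Luna not found" message is never logged. The situation the null guards in generateMasterKey (@@ -82,7 +83,7 @@), getMasterKey and setMasterKey actually cover is `getInstance` or `load` throwing and leaving the field unassigned, which lands in the existing `catch (KeyStoreException kse)` — that is where this message belongs, e.g. `logger.error("Luna not found. Please verify the Ranger KMS HSM configuration setup. " + kse.getMessage());`, and the dead check can be dropped. Whether generateMasterKey reports anything when it skips generation because `myStore` is null is outside the hunk. The enclosing method of the first hunk starts outside it.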
@@ -103,28 +104,32 @@ public class RangerHSM implements RangerKMSMKI { @Override public String getMasterKey(String password) throws Throwable { - try { - logger.debug("Searching for Ranger Master Key in Luna Keystore"); - boolean result = myStore.containsAlias(alias); - if (result == true) { - logger.debug("Ranger Master Key is present in Keystore"); - SecretKey key = (SecretKey)myStore.getKey(alias, password.toCharArray()); - String masterKey = Base64.encode(key.getEncoded()) ; - return masterKey; - } - } catch (Exception e) { - logger.error("getMasterKey : Exception searching for Ranger Master Key - " + e.getMessage()); - } + if(myStore != null){ + try { + logger.debug("Searching for Ranger Master Key in Luna Keystore"); + boolean result = myStore.containsAlias(alias); + if (result == true) { + logger.debug("Ranger Master Key is present in Keystore"); + SecretKey key = (SecretKey)myStore.getKey(alias, password.toCharArray()); + String masterKey = Base64.encode(key.getEncoded()) ; + return masterKey; + } + } catch (Exception e) { + logger.error("getMasterKey : Exception searching for Ranger Master Key - " + e.getMessage()); + } + } return null; } public boolean setMasterKey(String password, byte[] key){ - try { - Key aesKey = new SecretKeySpec(key, MK_CIPHER); - myStore.setKeyEntry(alias, aesKey, password.toCharArray(), (java.security.cert.Certificate[]) null); - return true; - } catch (KeyStoreException e) { - logger.error("setMasterKey : Exception while setting Master Key - " + e.getMessage()); + if(myStore != null){ + try { + Key aesKey = new SecretKeySpec(key, MK_CIPHER); + myStore.setKeyEntry(alias, aesKey, password.toCharArray(), (java.security.cert.Certificate[]) null); + return true; + } catch (KeyStoreException e) { + logger.error("setMasterKey : Exception while setting Master Key - " + e.getMessage()); + } } return false; } 
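Review bot: The new `if(myStore != null){` wrappers in getMasterKey and setMasterKey make a failed HSM keystore load indistinguishable from a missing master key: both methods now fall through to `return null;` / `return false;` with nothing logged, so a misconfigured Luna setup would surface only as a cryptic downstream failure. Add an `else` on each that records the cause, e.g. `logger.error("getMasterKey : Luna keystore is not initialised; master key cannot be read");` and the matching line in setMasterKey, or fail fast with an `IllegalStateException`, which the `throws Throwable` signature already allows. While these lines are being re-indented, the `catch (Exception e)` in getMasterKey could also pass `e` to the logger instead of only `e.getMessage()`, so the stack trace of an HSM error is retained.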
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/88d82ae1/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
index c58c987..4439be1 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
@@ -69,6 +69,7 @@ import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.apache.commons.lang.StringUtils;
 import org.apache.hadoop.security.SecureClientLogin;
+import org.apache.hadoop.security.authentication.util.KerberosName;
 import org.springframework.security.web.authentication.WebAuthenticationDetails;
 
 public class RangerKRBAuthenticationFilter extends RangerKrbFilter {
@@ -224,6 +225,7 @@ public class RangerKRBAuthenticationFilter extends RangerKrbFilter {
 String authtype = PropertiesUtil.getProperty(RANGER_AUTH_TYPE);
 HttpServletRequest httpRequest = (HttpServletRequest)request;
 if(isSpnegoEnable(authtype)){
+ KerberosName.setRules(PropertiesUtil.getProperty(NAME_RULES, "DEFAULT"));
 Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
 String userName = null;
 Cookie[] cookie = httpRequest.getCookies();
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/88d82ae1/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
----------------------------------------------------------------------
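Review bot: `KerberosName.setRules(PropertiesUtil.getProperty(NAME_RULES, "DEFAULT"));` is placed on the per-request path (after the `HttpServletRequest` cast, under `isSpnegoEnable(authtype)`), but `KerberosName.setRules` parses the rule string and assigns JVM-wide static state, so the rules are re-parsed on every SPNEGO request and any other component that configures them is overwritten by the next request. Move the same line to the filter's one-time initialisation (`init`, or wherever the filter reads its properties — outside this hunk) and keep a short comment next to it: `// KerberosName rules are JVM-global state; configure once, not per request`. The `"DEFAULT"` fallback presumably maps only principals from the local realm and rejects others — confirm that is the intended behaviour when `NAME_RULES` is unset. The enclosing method starts and ends outside the hunk.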
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java index 9d5680d..4ebf972 100644 --- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java +++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java @@ -412,7 +412,7 @@ public class RangerSSOAuthenticationFilter implements Filter { public SSOAuthenticationProperties getJwtProperties() { String providerUrl = PropertiesUtil.getProperty(JWT_AUTH_PROVIDER_URL); - if (providerUrl != null) { + if (providerUrl != null && PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false)) { String publicKeyPath = PropertiesUtil.getProperty(JWT_PUBLIC_KEY); if (publicKeyPath == null) { LOG.error("Public key pem not specified for SSO auth provider {}. SSO auth will be disabled.",providerUrl);
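Review bot: The new condition inlines the property key as a string literal, `PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false)`, while the neighbouring keys (`JWT_AUTH_PROVIDER_URL`, `JWT_PUBLIC_KEY`) are named constants; declare `private static final String RANGER_SSO_ENABLED = "ranger.sso.enabled";` beside them and use it here. When the flag is false but a provider URL is configured the whole block is now skipped silently, whereas the existing code logs when SSO is disabled for a missing public key; an `else` with `LOG.info("SSO auth is disabled (ranger.sso.enabled=false) for provider {}", providerUrl);` would keep the two cases equally visible to an operator. What getJwtProperties returns in that case is outside the hunk.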
