Re: Review Request 71432: Configure Kerberos for Hive Ranger Client via HS2 configuration

Thu, 05 Sep 2019 09:16:52 -0700 


> On Sept. 5, 2019, 3:42 p.m., Don Bosco Durai wrote:
> > hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
> > Lines 147 (patched)
> > <https://reviews.apache.org/r/71432/diff/1/?file=2163334#file2163334line147>
> >
> >     What happens if the cluster is already Kerberos enabled?

Before the change, when the cluster was already Kerberos enabled, 
MiscUtil.getUGILoginUser() delegated request to 
UserGroupInformation.getLoginUser() as ugiLoginUser was never set.
After the change it should start using ugiLoginUser.

public static UserGroupInformation getUGILoginUser()
    UserGroupInformation ret = ugiLoginUser;
    if (ret == null) {
        ret = UserGroupInformation.getLoginUser()
    }
    ...
}

public ServicePolicies getServicePoliciesIfUpdated(...) {
    UserGroupInformation user = MiscUtil.getUGILoginUser();
    boolean isSecureMode = user != null && 
UserGroupInformation.isSecurityEnabled();

    if (isSecureMode) {
      PrivilegedAction<ClientResponse> action = new 
PrivilegedAction<ClientResponse>() {
        public ClientResponse run() {
          WebResource secureWebResource = 
RangerAdminRESTClient.this.createWebResource("/service/plugins/secure/ ...);
          return (ClientResponse)secureWebResource.accept(new 
String[]{"application/json"}).get(ClientResponse.class);
        }
      };
      ...
}


- Denys


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71432/#review217591
-----------------------------------------------------------


On Sept. 5, 2019, 12:13 p.m., Denys Kuzmenko wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71432/
> -----------------------------------------------------------
> 
> (Updated Sept. 5, 2019, 12:13 p.m.)
> 
> 
> Review request for ranger and Ramesh Mani.
> 
> 
> Bugs: RANGER-2557
>     https://issues.apache.org/jira/browse/RANGER-2557
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> In Hive we would like to have possibility to enable Kerberos partially (i.e 
> only Ranger, Atlas and HMS).
> However, since hadoop security is a global flag there are many places that 
> need to be commented out to avoid the UGI cluster wide configuration.
> 
> 
> Diffs
> -----
> 
>   agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java 
> b7315a922 
>   
> hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
>  bb015c595 
> 
> 
> Diff: https://reviews.apache.org/r/71432/diff/1/
> 
> 
> Testing
> -------
> 
> On local cluster.
> 
> 
> Thanks,
> 
> Denys Kuzmenko
> 
>

Reply via email to