> On Sept. 5, 2019, 3:42 p.m., Don Bosco Durai wrote: > > hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java > > Lines 147 (patched) > > <https://reviews.apache.org/r/71432/diff/1/?file=2163334#file2163334line147> > > > > What happens if the cluster is already Kerberos enabled? > > Denys Kuzmenko wrote: > Before the change, when the cluster was already Kerberos enabled, > MiscUtil.getUGILoginUser() delegated request to > UserGroupInformation.getLoginUser() as ugiLoginUser was never set. > After the change it should start using ugiLoginUser. > > public static UserGroupInformation getUGILoginUser() > UserGroupInformation ret = ugiLoginUser; > if (ret == null) { > ret = UserGroupInformation.getLoginUser() > } > ... > } > > public ServicePolicies getServicePoliciesIfUpdated(...) { > UserGroupInformation user = MiscUtil.getUGILoginUser(); > boolean isSecureMode = user != null && > UserGroupInformation.isSecurityEnabled(); > > if (isSecureMode) { > PrivilegedAction<ClientResponse> action = new > PrivilegedAction<ClientResponse>() { > public ClientResponse run() { > WebResource secureWebResource = > RangerAdminRESTClient.this.createWebResource("/service/plugins/secure/ ...); > return (ClientResponse)secureWebResource.accept(new > String[]{"application/json"}).get(ClientResponse.class); > } > }; > ... > }
Since it was working before this change, do you think calling this method will have side affect? In an existing Kerberos Hive, we rely on Hive Server2 to manage the UGI, right? Ideally, we shouldn't change static variables managed by the component. If we do, let's make sure there are no side affects. - Don Bosco ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/71432/#review217591 ----------------------------------------------------------- On Sept. 5, 2019, 12:13 p.m., Denys Kuzmenko wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/71432/ > ----------------------------------------------------------- > > (Updated Sept. 5, 2019, 12:13 p.m.) > > > Review request for ranger and Ramesh Mani. > > > Bugs: RANGER-2557 > https://issues.apache.org/jira/browse/RANGER-2557 > > > Repository: ranger > > > Description > ------- > > In Hive we would like to have possibility to enable Kerberos partially (i.e > only Ranger, Atlas and HMS). > However, since hadoop security is a global flag there are many places that > need to be commented out to avoid the UGI cluster wide configuration. > > > Diffs > ----- > > agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java > b7315a922 > > hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java > bb015c595 > > > Diff: https://reviews.apache.org/r/71432/diff/1/ > > > Testing > ------- > > On local cluster. > > > Thanks, > > Denys Kuzmenko > >
