Re: Review Request 72724: [RANGER-2936] Support for policy download mode configuration on plugin

Fri, 31 Jul 2020 11:01:45 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72724/
-----------------------------------------------------------

(Updated July 31, 2020, 6 p.m.)


Review request for ranger.


Bugs: RANGER-2936
    https://issues.apache.org/jira/browse/RANGER-2936


Repository: ranger


Description
-------

Ranger Plugins uses RangerAdminRESTClient to download policies. Ranger Admin 
server exposes two different endpoints for policy downloads

    Secure mode
    normal mode RangerAdminRESTClient select mode secure mode if Hadoop cluster 
is running in Kerberos. 
https://github.com/apache/ranger/blob/master/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java#L129

Since, Ranger admin server is capable of managing heterogeneous Hadoop 
clusters. 
Ranger plugins are unable to communicate with Ranger admin server under 
following scenario

1. Ranger Plugin is running on Hadoop cluster protected by Kerberos
2. Ranger Admin server is running in non-Kerberos mode

Above mentioned scenario, ranger plugins are observing following error

2020-06-13 03:47:20 WARN RangerAdminRESTClient:176 - [] Error getting policies. 
secureMode=true, user=hive (auth:KERBEROS), 
response={"httpStatusCode":304,"statusCode":0}


### How to this patch mitigate issue?

This patch introduces boolean configuration 
`ranger.plugin.{service}.policyDownload.secureMode` in RangerAdminRESTClient.

- true use secure mode to download policies
- false use simple mode to download policies

Plugin will read this configuration to determine policy download mode


Diffs (updated)
-----

  
agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
 e5f97477b 
  
agents-common/src/test/java/org/apache/ranger/admin/client/RangerAdminRESTClientTest.java
 PRE-CREATION 


Diff: https://reviews.apache.org/r/72724/diff/2/

Changes: https://reviews.apache.org/r/72724/diff/1-2/


Testing
-------

Added Unit tests
Maven Build
mvn -pl agent-common install
```
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  01:04 min
[INFO] Finished at: 2020-07-24T12:57:45-07:00
[INFO] ------------------------------------------------------------------------

```

Testing on Hive Plugin
```
2020-07-30 22:32:05 DEBUG RangerAdminRESTClient:126 - [] ==> 
RangerAdminRESTClient.getServicePoliciesIfUpdated(49, 1596148295522)
2020-07-30 22:32:05 DEBUG RangerAdminRESTClient:162 - [] Checking Service 
policy if updated with old api call
2020-07-30 22:32:05 DEBUG RangerAdminRESTClient:174 - [] No change in policies. 
secureMode=false, [email protected] (auth:KERBEROS), 
response={"httpStatusCode":304,"statusCode":0}, serviceName=hivedev
2020-07-30 22:32:05 DEBUG RangerAdminRESTClient:198 - [] <== 
RangerAdminRESTClient.getServicePoliciesIfUpdated(49, 1596148295522): null

```

Plugin Configuration
```
    <property>
        <name>ranger.plugin.hive.policy.source.impl</name>
        <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
    </property>

    <property>
        <name>ranger.plugin.hive.policyDownload.secureMode</name>
        <value>false</value>
    </property>
```


Thanks,

Jalpan Randeri

Reply via email to