[
https://issues.apache.org/jira/browse/RANGER-2936?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17196576#comment-17196576
]
Jalpan Randeri commented on RANGER-2936:
----------------------------------------
Current, code is deriving from environment by looking at UGI to determine if
Hadoop cluster is running under kerberos or not. Due to this assumption we are
observing failures, when Ranger Admin Server is shared by two different hadoop
cluster.
Lets say, following is the setup
# Ranger Admin Server running on standalone machine no kerberos
# Hadoop Cluster without Kerberos
# Hadoop Cluster with Kerberos
Now in above setup, when Hadoop cluster with Kerberos is trying to download
policy it results into failure with `Authentication Failed`.
So to handle this scenario, having a override on plugin itself will enable
sharing of ranger admin server to heterogeneous type of Hadoop clusters
> Support for policy download mode configuration on plugin
> --------------------------------------------------------
>
> Key: RANGER-2936
> URL: https://issues.apache.org/jira/browse/RANGER-2936
> Project: Ranger
> Issue Type: Improvement
> Components: plugins
> Reporter: Jalpan Randeri
> Priority: Minor
> Labels: newbie, pull-request-available
> Attachments:
> 0001-RANGER-2936-Support-for-policy-download-mode-configu.patch,
> 0001-RANGER-2936-Support-for-policy-download-mode-configu.patch.1.patch
>
>
> h3. Description
> Ranger Plugins uses RangerAdminRESTClient to download policies. Ranger Admin
> server exposes two different endpoints for policy downloads
> # Secure mode
> # normal mode RangerAdminRESTClient select mode secure mode if Hadoop
> cluster is running in Kerberos.
> [https://github.com/apache/ranger/blob/master/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java#L129]
> Since, Ranger admin server is capable of managing heterogeneous Hadoop
> clusters. Ranger plugins are unable to communicate with Ranger admin server
> under following scenario
> * Ranger Plugin is running on Hadoop cluster protected by Kerberos
> * Ranger Admin server is running in non-Kerberos mode
> Above mentioned scenario, ranger plugins are observing following error
> {quote}
> {{2020-06-13 03:47:20 WARN RangerAdminRESTClient:176 - [] Error getting
> policies.
> secureMode=true,
> user=hive (auth:KERBEROS),
> response=
> {"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
> ,
> serviceName=hivedev}}
> {quote}
> h3. How to this patch mitigate issue?
> This patch introduces boolean configuration
> {{ranger.plugin.\{service}.policyDownload.secureMode}} in
> RangerAdminRESTClient.
> * true use secure mode to download policies
> * false use simple mode to download policies
> Plugin will read this configuration to determine policy download mode
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
