[ https://issues.apache.org/jira/browse/RANGER-3778?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17544717#comment-17544717 ]

Ramesh Mani commented on RANGER-3778:
-------------------------------------

[~kirbyzhou] 

One difference is the auth_to_local. Here my config translates the
principal names to specific user ids:
{code:java}
  <property>
    <name>hadoop.security.auth_to_local</name>
    <value>RULE:[2:$1@$0]([email protected])s/(.*)@ROOT.HWX.SITE/ranger/
RULE:[2:$1@$0]([email protected])s/(.*)@ROOT.HWX.SITE/rangertagsync/
RULE:[2:$1@$0]([email protected])s/(.*)@ROOT.HWX.SITE/rangerusersync/
RULE:[2:$1@$0]([email protected])s/(.*)@ROOT.HWX.SITE/atlas/
DEFAULT</value>
  </property>
{code}

Also, "hadoop.security.group.mapping" has the following, along with a
bunch of impersonation config "hadoop.proxyuser.<user>.hosts":

{code:java}
  <property>
    <name>hadoop.security.group.mapping</name>
    <value>org.apache.hadoop.security.ShellBasedUnixGroupsMapping</value>
  </property>
  <property>
    <name>hadoop.proxyuser.HTTP.hosts</name>
    <value>*</value>
  </property>
  <property>
    <name>hadoop.proxyuser.HTTP.groups</name>
    <value>*</value>
  </property>
........
{code}

One more thing I notice in your curl output is the user "keyadmin", and I didn't
see the Negotiation Token. Is the kinit done before the curl is invoked?
{code:java}
< Set-Cookie: hadoop.auth="u=keyadmin&p=keyadmin/kirbytest01.sa@SA&t=kerberos&e=1653979197887&s=MzaGKPr7Xu3Dv1T7M9j2guQD8Yx+n3n1PdJVZwVllzk="; Path=/; Expires=Tue, 31-May-2022 06:39:57 GMT; HttpOnly
{code}

Could you please put ranger in debug and get the server log?

> Kerberos Login cause NullPointerException
> -----------------------------------------
>
>                 Key: RANGER-3778
>                 URL: https://issues.apache.org/jira/browse/RANGER-3778
>             Project: Ranger
>          Issue Type: Bug
>          Components: admin
>    Affects Versions: 3.0.0, 2.3.0
>            Reporter: kirby zhou
>            Priority: Blocker
>         Attachments: Screen Shot 2022-05-30 at 10.56.26 AM.png, 
> kirbyconf.tar.gz
>
>
> Related to RANGER-3737
> I found that a NullPointerException happens again with Kerberos login; this
> time it is due to sessionMgr.
> The reason is that sometimes RangerAuthenticationProvider is not managed by
> Spring but created with new in RangerKRBAuthenticationFilter:
> {code:java}
> RangerAuthenticationProvider authenticationProvider = new RangerAuthenticationProvider();
> Authentication authentication = authenticationProvider.authenticate(finalAuthentication);
>  {code}
> Only beans managed by Spring are ensured to have their members auto-wired. So
> in that situation, userMgr and sessionMgr are both null.
> But I do not know why we call authenticationProvider.authenticate here.
> I have traced the code. After a series of condition checks, the
> authentication object passed in is finally returned without any
> modification. And nothing else happens, such as registering a new session or
> accessing the database, because at that point the user is already
> authenticated by Kerberos.
> Something like this should work:
> {code:java}
> --- 
> a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
> +++ 
> b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
> @@ -297,9 +297,7 @@ protected void doFilter(FilterChain filterChain,
>                                         final Authentication 
> finalAuthentication = new UsernamePasswordAuthenticationToken(principal, "", 
> grantedAuths);
>                                         WebAuthenticationDetails webDetails = 
> new WebAuthenticationDetails(request);
>                                         ((AbstractAuthenticationToken) 
> finalAuthentication).setDetails(webDetails);
> -                                       RangerAuthenticationProvider 
> authenticationProvider = new RangerAuthenticationProvider();
> -                                       Authentication authentication = 
> authenticationProvider.authenticate(finalAuthentication);
> -                                       authentication = 
> getGrantedAuthority(authentication);
> +                                       Authentication authentication = 
> getGrantedAuthority(finalAuthentication);
>                                         if (authentication != null && 
> authentication.isAuthenticated()) {
>                                                 if 
> (request.getParameterMap().containsKey("doAs")) {
>                                                         if 
> (!response.isCommitted()) {
> {code}
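
Review bot: with the `authenticationProvider.authenticate(finalAuthentication)` call removed, the `authentication != null && authentication.isAuthenticated()` check that follows rests entirely on what `getGrantedAuthority(finalAuthentication)` returns, so it is worth confirming, and covering with a test, that it keeps the authenticated flag and the `webDetails` set just above. If `RangerAuthenticationProvider` has no other use in this file, drop its import in the same change, and add a short comment saying the principal is already authenticated by Kerberos at this point so the missing provider call is not reintroduced later. If any provider behaviour turns out to be needed, inject the Spring-managed bean rather than restoring `new RangerAuthenticationProvider()`.
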
> Just for discussion
>  



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
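
How `hadoop.security.auth_to_local` rules of the shape quoted in the comment above choose a short name, as an added Python sketch that is not part of the original message and is not Hadoop's own code. The function `short_name`, the principal names inside the parentheses and the host names are constructed stand-ins, the default realm values are assumptions, and replacement text is treated as a literal.

```python
import re

# One rule per line: DEFAULT, or RULE:[n:format](match)s/from/to/ with optional g.
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")


def short_name(principal, rules, default_realm):
    """Return the short name from the first applicable rule, or None."""
    name, _, realm = principal.partition("@")
    params = [realm] + name.split("/")        # $0 = realm, $1.. = components
    for rule in rules.split():
        if rule == "DEFAULT":
            # DEFAULT only applies to principals in the default realm.
            if realm == default_realm:
                return params[1]
            continue
        m = RULE_RE.match(rule)
        if m is None:
            raise ValueError("unparsable rule: " + rule)
        count, fmt, match, frm, to, repeat = m.groups()
        if int(count) != len(params) - 1:
            continue                          # wrong number of components
        base = re.sub(r"\$(\d)", lambda p: params[int(p.group(1))], fmt)
        if match is not None and not re.fullmatch(match, base):
            continue                          # filter must match the whole string
        if frm is None:
            return base
        # Simplification: replacement is literal text (no group references).
        return re.sub(frm, lambda _m: to, base, count=0 if repeat else 1)
    return None                               # no rule applies to this principal


# Constructed rules: realm and short names follow the comment above; the
# principal names inside (...) stand in for the ones redacted on the page.
RULES = r"""
RULE:[2:$1@$0](rangeradmin@ROOT\.HWX\.SITE)s/(.*)@ROOT\.HWX\.SITE/ranger/
RULE:[2:$1@$0](rangertagsync@ROOT\.HWX\.SITE)s/(.*)@ROOT\.HWX\.SITE/rangertagsync/
DEFAULT
"""
```

With only `DEFAULT` and an assumed default realm of `SA`, the principal in the quoted cookie maps to `keyadmin`, matching its `u=` field; under the rule set above with a different default realm, the same principal gets no mapping at all.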
