[
https://issues.apache.org/jira/browse/RANGER-4481?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Xuze Yang updated RANGER-4481:
------------------------------
Description:
As described in RANGER-3602, Ranger supports downloading policies and roles
through unauthenticated HTTP requests even if Kerberos is enabled on the
server.
But in terms of the current implementation of RangerAdminRESTClient, whether to
enable authenticated HTTP requests depends on the service in which it is
located. For example, if the Hadoop service has Kerberos enabled, then the
RangerAdminRESTClient in the HDFS and Yarn plugins will also use authenticated
HTTP requests.
I think this is not reasonable enough. In this case (both the Ranger server and
Hadoop are enabled for Kerberos), the RangerAdminRESTClient of the HDFS and
Yarn plugins should also be allowed to download policies and roles through
unauthenticated HTTP requests.
The reason why I proposed this improvement is due to a bug I encountered in our
production environment. I will introduce the bug I encountered later.
was:
As described in
[RANGER-3602|https://issues.apache.org/jira/browse/RANGER-3602], Ranger
supports downloading policies and roles through unauthenticated HTTP requests
even if Kerberos is enabled on the server.
But in terms of the current implementation of RangerAdminRESTClient, whether to
enable authenticated HTTP requests depends on the service in which it is
located. For example, if the Hadoop service has Kerberos enabled, then the
RangerAdminRESTClient in the HDFS and Yarn plugins will also use authenticated
HTTP requests.
I think this is not reasonable enough. In this case (both the Ranger server and
Hadoop are enabled for Kerberos), the RangerAdminRESTClient of the HDFS and
Yarn plugins should also be allowed to download policies and roles through
unauthenticated HTTP requests.
> Add a configuration item to support Ranger client not using authentication
> --------------------------------------------------------------------------
>
> Key: RANGER-4481
> URL: https://issues.apache.org/jira/browse/RANGER-4481
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Affects Versions: 2.1.0
> Reporter: Xuze Yang
> Priority: Major