[jira] [Commented] (RANGER-4481) Add a configuration item to support Ranger client not using authentication

Wed, 18 Oct 2023 20:23:04 -0700 


    [ 
https://issues.apache.org/jira/browse/RANGER-4481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17776988#comment-17776988
 ] 

Xuze Yang commented on RANGER-4481:
-----------------------------------

Add a configuration item to enable RangerAdminRESTClient's 
getRolesIfUpdated()/getServicePoliciesIfUpdated()/getServiceTagsIfUpdated() use 
unauthenticated http request may involve a large amount of work. Because we 
should add this configuration item in all plugin component's configuration file.

Another way, when the response code was 401, I tried to clear the supported 
cache through java reflection. This has been proven to be feasible.

!4.png!

Now I don't know which modification method is more reasonable, or there are 
other better modification methods.  [~madhan] [~kirbyzhou] 

> Add a configuration item to support Ranger client not using authentication
> --------------------------------------------------------------------------
>
>                 Key: RANGER-4481
>                 URL: https://issues.apache.org/jira/browse/RANGER-4481
>             Project: Ranger
>          Issue Type: Improvement
>          Components: Ranger
>    Affects Versions: 2.1.0
>            Reporter: Xuze Yang
>            Priority: Major
>         Attachments: 1.png, 2.png, 3.png, 4.png
>
>
> As described in RANGER-3602, ranger supports downloading policies and roles 
> through unauthenticated http requests even if kerberos is enabled on the 
> server. 
> But in terms of the current implementation of RangerAdminRESTClient, whether 
> to enable authenticated HTTP requests depends on the service in which it is 
> located. For example, if the Hadoop service has kerberos enabled, then the 
> RangerAdminRESTClient in the HDFS and Yarn plugins will also use 
> authenticated HTTP requests.
> I think this is not reasonable enough. In this case (both the Ranger server 
> and Hadoop are enabled for kerberos), the RangerAdminRESTClient of the HDFS 
> and Yarn plugins should also be allowed to download policies and roles 
> through unauthenticated HTTP requests.
> The reason why I proposed this improvement is due to a bug I encountered in 
> our production environment. I will introduce the bug I encountered later.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to