Github user stanlyxiang commented on a diff in the pull request: https://github.com/apache/incubator-hawq/pull/1250#discussion_r120044242 --- Diff: ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqPluginResource.java --- @@ -45,8 +47,43 @@ /** * Constructor. Creates a new instance of the resource that uses <code>RangerHawqAuthorizer</code>. */ - public RangerHawqPluginResource() { + public RangerHawqPluginResource() + { + // set UserGroupInformation under kerberos authentication + if (Utils.getAuth().equals("kerberos")) + { + Configuration conf = new Configuration(); + conf.set("hadoop.security.authentication", "kerberos"); + UserGroupInformation.setConfiguration(conf); + + String prin = Utils.getPrincipal(); + String keytab = Utils.getKeytab(); + + if ( !prin.equals("") && !keytab.equals("") ) + { + try + { + UserGroupInformation.loginUserFromKeytab(prin, keytab); + } + catch (Exception e) + { + LOG.warn(String.format("loginUserFromKeytab failed, user[%s], keytab[%s]", prin, keytab)); + } + } + } --- End diff -- To my understanding for this logic, principal and keytab are needed for loginUserFromKeytab.But the default value of the 2 configurations are empty, empty values are not work for kerberos, if user set RPS_AUTH to kerberos and leave them empty, he will only get a warning of "get login user failed" until the program tries to getLoginUser(). So why don't we check them earlier ?
--- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---