Github user stanlyxiang commented on a diff in the pull request:
https://github.com/apache/incubator-hawq/pull/1250#discussion_r120044242
--- Diff:
ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqPluginResource.java
---
@@ -45,8 +47,43 @@
/**
* Constructor. Creates a new instance of the resource that uses
<code>RangerHawqAuthorizer</code>.
*/
- public RangerHawqPluginResource() {
+ public RangerHawqPluginResource()
+ {
+ // set UserGroupInformation under kerberos authentication
+ if (Utils.getAuth().equals("kerberos"))
+ {
+ Configuration conf = new Configuration();
+ conf.set("hadoop.security.authentication", "kerberos");
+ UserGroupInformation.setConfiguration(conf);
+
+ String prin = Utils.getPrincipal();
+ String keytab = Utils.getKeytab();
+
+ if ( !prin.equals("") && !keytab.equals("") )
+ {
+ try
+ {
+ UserGroupInformation.loginUserFromKeytab(prin, keytab);
+ }
+ catch (Exception e)
+ {
+ LOG.warn(String.format("loginUserFromKeytab failed,
user[%s], keytab[%s]", prin, keytab));
+ }
+ }
+ }
--- End diff --
To my understanding for this logic, principal and keytab are needed for
loginUserFromKeytab.But the default value of the 2 configurations are empty,
empty values are not work for kerberos, if user set RPS_AUTH to kerberos and
leave them empty, he will only get a warning of "get login user failed" until
the program tries to getLoginUser(). So why don't we check them earlier ?
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---
