[GitHub] incubator-hawq pull request #1250: Hawq 1477. Ranger-plugin connect to Range...

[interma]

Github user interma commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq/pull/1250#discussion_r120286370
  
    --- Diff: 
ranger-plugin/service/src/main/java/org/apache/hawq/ranger/authorization/RangerHawqPluginResource.java
 ---
    @@ -45,8 +47,43 @@
         /**
          * Constructor. Creates a new instance of the resource that uses 
<code>RangerHawqAuthorizer</code>.
          */
    -    public RangerHawqPluginResource() {
    +    public RangerHawqPluginResource()
    +    {
    +        // set UserGroupInformation under kerberos authentication
    +        if (Utils.getAuth().equals("kerberos"))
    +        {
    +            Configuration conf = new Configuration();
    +            conf.set("hadoop.security.authentication", "kerberos");
    +            UserGroupInformation.setConfiguration(conf);
    +
    +            String prin = Utils.getPrincipal();
    +            String keytab = Utils.getKeytab();
    +
    +            if ( !prin.equals("") && !keytab.equals("") )
    +            {
    +                try
    +                {
    +                    UserGroupInformation.loginUserFromKeytab(prin, keytab);
    +                }
    +                catch (Exception e)
    +                {
    +                    LOG.warn(String.format("loginUserFromKeytab failed, 
user[%s], keytab[%s]", prin, keytab));
    +                }
    +            }
    +        }
    +
    +        try
    +        {
    +            UserGroupInformation user = 
UserGroupInformation.getLoginUser();
    +            LOG.info(String.format("login user: %s", user));
    +        }
    +        catch (Exception e)
    +        {
    +            LOG.warn("get login user failed");
    --- End diff --
    
    Two reasons:
    1. Abort immediately may be not appropriate, sometimes it can run happily 
in below code (e.g. set simple auth and get login_user() failed by some 
reasons, but will call a no-secure webservice later)
    2. Another small reason: this code locates in a constructor, I didn't find 
a easy way to deal with exception... 
    
    So I just leave it as it is, it will fail in the first place which need 
auth in the below code (I tested, it usually prints a warning message contains 
"HTTP 401/403" in the log, looks well).



---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---