kerneltime commented on code in PR #3576:
URL: https://github.com/apache/ozone/pull/3576#discussion_r919421693
##########
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/multitenant/RangerClientMultiTenantAccessController.java:
##########
@@ -56,138 +60,276 @@ public class RangerClientMultiTenantAccessController
implements
private static final Logger LOG = LoggerFactory
.getLogger(RangerClientMultiTenantAccessController.class);
+ private static final int HTTP_STATUS_CODE_UNAUTHORIZED = 401;
+ private static final int HTTP_STATUS_CODE_BAD_REQUEST = 400;
+
private final RangerClient client;
private final String rangerServiceName;
private final Map<IAccessAuthorizer.ACLType, String> aclToString;
private final Map<String, IAccessAuthorizer.ACLType> stringToAcl;
private final String omPrincipal;
+ // execUser for Ranger
+ private final String shortName;
public RangerClientMultiTenantAccessController(OzoneConfiguration conf)
throws IOException {
+
aclToString = MultiTenantAccessController.getRangerAclStrings();
stringToAcl = new HashMap<>();
aclToString.forEach((type, string) -> stringToAcl.put(string, type));
- // Should have passed the check in OMMultiTenantManager
+ // Should have passed the config checks in
+ // OMMultiTenantManager#checkAndEnableMultiTenancy at this point.
+
String rangerHttpsAddress = conf.get(OZONE_RANGER_HTTPS_ADDRESS_KEY);
Preconditions.checkNotNull(rangerHttpsAddress);
rangerServiceName = conf.get(OZONE_RANGER_SERVICE);
Preconditions.checkNotNull(rangerServiceName);
- String configuredOmPrincipal = conf.get(OZONE_OM_KERBEROS_PRINCIPAL_KEY);
- Preconditions.checkNotNull(configuredOmPrincipal);
- // Replace _HOST pattern with host name in the Kerberos principal. Ranger
- // client currently does not do this automatically.
- omPrincipal = SecurityUtil.getServerPrincipal(
- configuredOmPrincipal, OmUtils.getOmAddress(conf).getHostName());
- String keytabPath = conf.get(OZONE_OM_KERBEROS_KEYTAB_FILE_KEY);
- Preconditions.checkNotNull(keytabPath);
+ // Determine auth type (KERBEROS or SIMPLE)
+ final String authType;
+ final String usernameOrPrincipal;
+ final String passwordOrKeytab;
+
+ // If both OZONE_OM_RANGER_HTTPS_ADMIN_API_USER and
+ // OZONE_OM_RANGER_HTTPS_ADMIN_API_PASSWD are set, SIMPLE auth will be
used
+ String fallbackUsername = conf.get(OZONE_OM_RANGER_HTTPS_ADMIN_API_USER);
+ String fallbackPassword = conf.get(OZONE_OM_RANGER_HTTPS_ADMIN_API_PASSWD);
+
+ if (fallbackUsername != null && fallbackPassword != null) {
+ // Both clear text username and password are set, use SIMPLE auth.
+ authType = AuthenticationMethod.SIMPLE.name();
+
+ usernameOrPrincipal = fallbackUsername;
+ passwordOrKeytab = fallbackPassword;
+
+ omPrincipal = fallbackUsername;
+ shortName = fallbackUsername;
+ } else {
+ // Use KERBEROS auth.
+ authType = AuthenticationMethod.KERBEROS.name();
+
+ String configuredOmPrincipal = conf.get(OZONE_OM_KERBEROS_PRINCIPAL_KEY);
+ Preconditions.checkNotNull(configuredOmPrincipal);
+
+ // Replace _HOST pattern with host name in the Kerberos principal.
+ // Ranger client currently does not do this automatically.
+ omPrincipal = SecurityUtil.getServerPrincipal(
+ configuredOmPrincipal, OmUtils.getOmAddress(conf).getHostName());
+ final String keytabPath = conf.get(OZONE_OM_KERBEROS_KEYTAB_FILE_KEY);
+ Preconditions.checkNotNull(keytabPath);
+
+ // Convert to short name to be used in some Ranger requests
+ shortName = UserGroupInformation.createRemoteUser(omPrincipal)
+ .getShortUserName();
+
+ usernameOrPrincipal = omPrincipal;
+ passwordOrKeytab = keytabPath;
+ }
+
+ LOG.info("authType = {}, login user = {}", authType, usernameOrPrincipal);
client = new RangerClient(rangerHttpsAddress,
- KERBEROS.name().toLowerCase(), omPrincipal, keytabPath,
+ authType, usernameOrPrincipal, passwordOrKeytab,
rangerServiceName, OzoneConsts.OZONE);
+
+ // Whether or not the Ranger credentials are valid is unknown right after
+ // RangerClient initialization here. Because RangerClient does not perform
+ // any authentication at this point just yet.
+ //
+ // If the credentials are invalid, RangerClient later throws 401 in every
+ // single request to Ranger.
+ }
+
+ /**
+ * Check StatusCode from RangerServiceException and try to log helpful,
+ * actionable messages.
+ *
+ * @param rse RangerServiceException
+ */
+ private void decodeRSEStatusCodes(RangerServiceException rse) {
+
+ switch (rse.getStatus().getStatusCode()) {
+ case HTTP_STATUS_CODE_UNAUTHORIZED:
+ LOG.error("Auth failure. Please double check Ranger-related configs");
+ break;
+ case HTTP_STATUS_CODE_BAD_REQUEST:
+ LOG.error("Request failure. If this is an assign-user operation, "
+ + "check if the user name exists in Ranger.");
+ default:
Review Comment:
Nit: Do we want to log return codes other than 200?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
