Support Questions
Find answers, ask questions, and share your expertise

How does ranger plugin access ranger server in kerberos environment?


I'm working on enable hawq ranger plugin access ranger server(e.g. fetch policies from ranger server) in kerberos way.

Some codes confused me:

code below are a fraction in function getServicePoliciesIfUpdated() in

I'm wondering that where is code doing authentication? no UserGroupInformation.loginUserFromKeytab() and UserGroupInformation.checkTGTAndReloginFromKeytab() is called at all.

The doAs function, as far as i know, is just the impersonation of user to do the http request(which is a jersey client in detail).

Is there anyone can tell me how does ranger plugin do authentication(when fetch policies from Ranger server) in kerberos way? How to renew the ticket?


UserGroupInformation user = MiscUtil.getUGILoginUser();

if (isSecureMode) {

	PrivilegedAction<ClientResponse> action = new PrivilegedAction<ClientResponse>() {

		public ClientResponse run() {

			WebResource secureWebResource = createWebResource(RangerRESTUtils.REST_URL_GET_SECURE_SERVICE_TAGS_IF_UPDATED + serviceName);

			return secureWebResource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class);



	response = user.doAs(action);


Re: How does ranger plugin access ranger server in kerberos environment? depends on the org.apache.ranger.audit.provider package which contains the class. Please see