Support Questions

hzhang · ‎05-02-2017

I'm working on enable hawq ranger plugin access ranger server(e.g. fetch policies from ranger server) in kerberos way.

Some codes confused me:

code below are a fraction in function getServicePoliciesIfUpdated() in RangerAdminRestClient.java.

I'm wondering that where is code doing authentication? no UserGroupInformation.loginUserFromKeytab() and UserGroupInformation.checkTGTAndReloginFromKeytab() is called at all.

The doAs function, as far as i know, is just the impersonation of user to do the http request(which is a jersey client in detail).

Is there anyone can tell me how does ranger plugin do authentication(when fetch policies from Ranger server) in kerberos way? How to renew the ticket?

Thanks

UserGroupInformation user = MiscUtil.getUGILoginUser();

if (isSecureMode) {

	PrivilegedAction<ClientResponse> action = new PrivilegedAction<ClientResponse>() {

		public ClientResponse run() {

			WebResource secureWebResource = createWebResource(RangerRESTUtils.REST_URL_GET_SECURE_SERVICE_TAGS_IF_UPDATED + serviceName);

			return secureWebResource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class);

		}

	};


	response = user.doAs(action);

}

slachterman · ‎05-02-2017

RangerAdminRestClient.java depends on the org.apache.ranger.audit.provider package which contains the MiscUtil.java class. Please see https://github.com/apache/ranger/blob/master/agents-audit/src/main/java/org/apache/ranger/audit/prov...

Support Questions

How does ranger plugin access ranger server in kerberos environment?