Support Questions

Find answers, ask questions, and share your expertise
Check out our newest addition to the community, the Cloudera Data Analytics (CDA) group hub.

How does ranger plugin access ranger server in kerberos environment?


I'm working on enable hawq ranger plugin access ranger server(e.g. fetch policies from ranger server) in kerberos way.

Some codes confused me:

code below are a fraction in function getServicePoliciesIfUpdated() in

I'm wondering that where is code doing authentication? no UserGroupInformation.loginUserFromKeytab() and UserGroupInformation.checkTGTAndReloginFromKeytab() is called at all.

The doAs function, as far as i know, is just the impersonation of user to do the http request(which is a jersey client in detail).

Is there anyone can tell me how does ranger plugin do authentication(when fetch policies from Ranger server) in kerberos way? How to renew the ticket?


UserGroupInformation user = MiscUtil.getUGILoginUser();

if (isSecureMode) {

	PrivilegedAction<ClientResponse> action = new PrivilegedAction<ClientResponse>() {

		public ClientResponse run() {

			WebResource secureWebResource = createWebResource(RangerRESTUtils.REST_URL_GET_SECURE_SERVICE_TAGS_IF_UPDATED + serviceName);

			return secureWebResource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class);



	response = user.doAs(action);

1 REPLY 1 depends on the org.apache.ranger.audit.provider package which contains the class. Please see

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.