I'm working on enable hawq ranger plugin access ranger server(e.g. fetch policies from ranger server) in kerberos way. Some codes confused me: code below are a fraction in function getServicePoliciesIfUpdated() in RangerAdminRestClient.java. I'm wondering that where is code doing authentication? no UserGroupInformation.loginUserFromKeytab() and UserGroupInformation.checkTGTAndReloginFromKeytab() is called at all. The doAs function, as far as i know, is just the impersonation of user to do the http request(which is a jersey client in detail). Is there anyone can tell me how does ranger plugin do authentication(when fetch policies from Ranger server) in kerberos way? How to renew the ticket? Thanks UserGroupInformation user = MiscUtil.getUGILoginUser(); if (isSecureMode) { PrivilegedAction<ClientResponse> action = new PrivilegedAction<ClientResponse>() { public ClientResponse run() { WebResource secureWebResource = createWebResource(RangerRESTUtils.REST_URL_GET_SECURE_SERVICE_TAGS_IF_UPDATED + serviceName); return secureWebResource.accept(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class); } }; response = user.doAs(action); } ... View more

Ranger plugin(Hive, Hbase, Hawq) user RangerAdminRestClient to fetch policies from ranger server. It support ssl/tls to do authentication. My question is that does it support to use kerberos to do authentication?(Since it's http, so spnego is more specific) I already know that ranger lookup support kerberos(e.g. ranger server lookup hbase), my question is from plugin side to ranger server side. ... View more

Ranger plugin(Hive,Hbase,Hawq etc.) use RangerBasePlugin to fetch policies from ranger server, while RangerBasePlugin use RangerAdminRestClient by default to fetch policies. RangerAdminRestClient can be configured to use ssl/tls to do authentication. But my question is that does it support Kerberos authentication(since restclient use http, spnego maybe more specific)? ... View more