ranger-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From v..@apache.org
Subject incubator-ranger git commit: KMS keys listing throws authentication required error in secure cluster
Date Fri, 29 May 2015 01:18:27 GMT
Repository: incubator-ranger
Updated Branches:
  refs/heads/master 0d73c38af -> d79401bb4


KMS keys listing throws authentication required error in secure cluster

Signed-off-by: Velmurugan Periasamy <vel@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/d79401bb
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/d79401bb
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/d79401bb

Branch: refs/heads/master
Commit: d79401bb429754ef9d4203f6c78c28606c922ccb
Parents: 0d73c38
Author: Gautam Borad <gborad@gmail.com>
Authored: Tue May 26 16:47:57 2015 +0530
Committer: Velmurugan Periasamy <vel@apache.org>
Committed: Thu May 28 21:18:24 2015 -0400

----------------------------------------------------------------------
 .../ranger/services/kms/client/KMSClient.java   |  70 +++--
 .../java/org/apache/ranger/biz/KmsKeyMgr.java   | 291 ++++++++++++++-----
 .../java/org/apache/ranger/rest/XKeyREST.java   |   6 +-
 3 files changed, 273 insertions(+), 94 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d79401bb/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
----------------------------------------------------------------------
diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
index 59fa634..c67584e 100755
--- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/client/KMSClient.java
@@ -24,14 +24,17 @@ import java.net.MalformedURLException;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URL;
+import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.regex.Pattern;
+import javax.security.auth.Subject;
 
 import org.apache.hadoop.fs.Path;
+import org.apache.hadoop.security.HadoopKerberosName;
 import org.apache.hadoop.security.ProviderUtils;
+import org.apache.hadoop.security.SecureClientLogin;
 import org.apache.log4j.Logger;
 import org.apache.ranger.plugin.client.BaseClient;
 import org.apache.ranger.plugin.client.HadoopException;
@@ -43,6 +46,8 @@ import com.google.gson.GsonBuilder;
 import com.sun.jersey.api.client.Client;
 import com.sun.jersey.api.client.ClientResponse;
 import com.sun.jersey.api.client.WebResource;
+import com.sun.jersey.api.client.config.ClientConfig;
+import com.sun.jersey.api.client.config.DefaultClientConfig;
 
 public class KMSClient {
 
@@ -50,7 +55,7 @@ public class KMSClient {
 
 	private static final String EXPECTED_MIME_TYPE = "application/json";
 
-	private static final String KMS_LIST_API_ENDPOINT = "v1/keys/names?user.name=${userName}";
// GET
+	private static final String KMS_LIST_API_ENDPOINT = "v1/keys/names"; // GET
 
 	private static final String errMessage = " You can still save the repository and start creating
"
 			+ "policies, but you would not be able to use autocomplete for "
@@ -64,7 +69,6 @@ public class KMSClient {
 		this.provider = provider;
 		this.username = username;
 		this.password = password;
-
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("Kms Client is build with url [" + provider + "] user: ["
 					+ username + "]");
@@ -137,24 +141,42 @@ public class KMSClient {
 		for (int i = 0; i < providers.length; i++) {
 			lret  = new ArrayList<String>();
 			if (LOG.isDebugEnabled()) {
-				LOG.debug("Getting Kms Key list for keyNameMatching : "
-						+ keyNameMatching);
+				LOG.debug("Getting Kms Key list for keyNameMatching : " + keyNameMatching);
 			}
-			String keyLists = KMS_LIST_API_ENDPOINT.replaceAll(
-					Pattern.quote("${userName}"), username);
-			String uri = providers[i]
-					+ (providers[i].endsWith("/") ? keyLists : ("/" + keyLists));
+			String uri = providers[i] + (providers[i].endsWith("/") ? KMS_LIST_API_ENDPOINT : ("/"
+ KMS_LIST_API_ENDPOINT));
 			Client client = null;
 			ClientResponse response = null;
-
+			boolean isKerberose = false;
 			try {
-				client = Client.create();
-
-				WebResource webResource = client.resource(uri);
-
-				response = webResource.accept(EXPECTED_MIME_TYPE).get(
-						ClientResponse.class);
-
+				ClientConfig cc = new DefaultClientConfig();
+				cc.getProperties().put(ClientConfig.PROPERTY_FOLLOW_REDIRECTS, true);
+				client = Client.create(cc);
+				
+				if(username.contains("@")){
+					isKerberose = true;
+				}
+				
+				if(!isKerberose){
+					uri = uri.concat("?user.name="+username);
+					WebResource webResource = client.resource(uri);
+					response = webResource.accept(EXPECTED_MIME_TYPE).get(ClientResponse.class);
+				}else{
+					String shortName = new HadoopKerberosName(username).getShortName();
+					uri = uri.concat("?doAs="+shortName);
+					Subject sub = new Subject();
+					if (username.contains("@")) {
+						sub = SecureClientLogin.loginUserWithPassword(username, password);						
+					} else {
+						sub = SecureClientLogin.login(username);						
+					}
+					final WebResource webResource = client.resource(uri);
+					response = Subject.doAs(sub, new PrivilegedAction<ClientResponse>() {
+						@Override
+						public ClientResponse run() {
+							return webResource.accept(EXPECTED_MIME_TYPE).get(ClientResponse.class);
+						}
+					});
+				}
 				if (LOG.isDebugEnabled()) {
 					LOG.debug("getKeyList():calling " + uri);
 				}
@@ -192,12 +214,22 @@ public class KMSClient {
 						LOG.info("getKeyList():response.getStatus()= "
 								+ response.getStatus() + " for URL " + uri
 								+ ", so returning null list");
-						return lret;
+						String msgDesc = response.getEntity(String.class);
+						HadoopException hdpException = new HadoopException(msgDesc);
+						hdpException.generateResponseDataMap(false, msgDesc,
+								msgDesc + errMsg, null, null);
+						lret = null;
+						throw hdpException;
 					} else if (response.getStatus() == 403) {
 						LOG.info("getKeyList():response.getStatus()= "
 								+ response.getStatus() + " for URL " + uri
 								+ ", so returning null list");
-						return lret;
+						String msgDesc = response.getEntity(String.class);
+						HadoopException hdpException = new HadoopException(msgDesc);
+						hdpException.generateResponseDataMap(false, msgDesc,
+								msgDesc + errMsg, null, null);
+						lret = null;
+						throw hdpException;
 					} else {
 						LOG.info("getKeyList():response.getStatus()= "
 								+ response.getStatus() + " for URL " + uri

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d79401bb/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
index 7446d1e..7854f4b 100755
--- a/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java
@@ -24,12 +24,14 @@ import java.net.MalformedURLException;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URL;
+import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.regex.Pattern;
 
+import javax.security.auth.Subject;
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.core.MediaType;
 
@@ -40,13 +42,19 @@ import org.apache.commons.collections.PredicateUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.security.ProviderUtils;
+import org.apache.hadoop.security.SecureClientLogin;
+import org.apache.hadoop.security.authentication.util.KerberosName;
 import org.apache.log4j.Logger;
 import org.apache.ranger.common.ContextUtil;
 import org.apache.ranger.common.MessageEnums;
+import org.apache.ranger.common.PasswordUtils;
 import org.apache.ranger.common.RESTErrorUtil;
 import org.apache.ranger.common.RangerConfigUtil;
 import org.apache.ranger.common.SortField;
 import org.apache.ranger.common.StringUtil;
+import org.apache.ranger.db.RangerDaoManagerBase;
+import org.apache.ranger.entity.XXService;
+import org.apache.ranger.entity.XXServiceConfigMap;
 import org.apache.ranger.plugin.model.RangerService;
 import org.apache.ranger.plugin.util.KeySearchFilter;
 import org.apache.ranger.view.VXKmsKey;
@@ -68,12 +76,14 @@ public class KmsKeyMgr {
 
 	static final Logger logger = Logger.getLogger(KmsKeyMgr.class);
 	
-	private static final String KMS_KEY_LIST_URI  		= "v1/keys/names?user.name=${userName}";
		//GET
-	private static final String KMS_ADD_KEY_URI  		= "v1/keys?user.name=${userName}";					//POST
-	private static final String KMS_ROLL_KEY_URI 		= "v1/key/${alias}?user.name=${userName}";
		//POST
-	private static final String KMS_DELETE_KEY_URI 		= "v1/key/${alias}?user.name=${userName}";
		//DELETE
-	private static final String KMS_KEY_METADATA_URI 	= "v1/key/${alias}/_metadata?user.name=${userName}";
 //GET
+	private static final String KMS_KEY_LIST_URI  		= "v1/keys/names";				//GET
+	private static final String KMS_ADD_KEY_URI  		= "v1/keys";					//POST
+	private static final String KMS_ROLL_KEY_URI 		= "v1/key/${alias}";			//POST
+	private static final String KMS_DELETE_KEY_URI 		= "v1/key/${alias}";			//DELETE
+	private static final String KMS_KEY_METADATA_URI 	= "v1/key/${alias}/_metadata";  //GET
 	private static final String KMS_URL_CONFIG 			= "provider"; 
+	private static final String KMS_PASSWORD 			= "password";
+	private static final String KMS_USERNAME 			= "username";
 	private static Map<String, String> providerList = new HashMap<String, String>();

 	private static int nextProvider = 0;
 	
@@ -86,8 +96,11 @@ public class KmsKeyMgr {
 	@Autowired
 	RangerConfigUtil configUtil;
 	
+	@Autowired
+	RangerDaoManagerBase rangerDaoManagerBase;
+	
 	@SuppressWarnings("unchecked")
-	public VXKmsKeyList searchKeys(String repoName){
+	public VXKmsKeyList searchKeys(String repoName) throws Exception{
 		String providers[] = null;
 		try {
 			providers = getKMSURL(repoName);
@@ -98,6 +111,12 @@ public class KmsKeyMgr {
 		VXKmsKeyList vxKmsKeyList = new VXKmsKeyList();
 		List<String> keys = null;
 		String connProvider = null;
+		boolean isKerberos=false;
+		try {
+			isKerberos = checkKerberos(repoName);
+		} catch (Exception e1) {
+			logger.error("checkKerberos(" + repoName + ") failed", e1);
+		} 
 		for (int i = 0; i < providers.length; i++) {
 			Client c = getClient();
 			String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
@@ -105,15 +124,28 @@ public class KmsKeyMgr {
 					Pattern.quote("${userName}"), currentUserLoginId);
 			connProvider = providers[i];
 			String uri = providers[i]
-					+ (providers[i].endsWith("/") ? keyLists : ("/" + keyLists));
-
-			WebResource r = c.resource(uri);
+					+ (providers[i].endsWith("/") ? keyLists : ("/" + keyLists));			
+			if(!isKerberos){
+				uri = uri.concat("?user.name="+currentUserLoginId);
+			}else{
+				uri = uri.concat("?doAs="+currentUserLoginId);
+			}
+			final WebResource r = c.resource(uri);
 			try {
-				String response = r.accept(MediaType.APPLICATION_JSON_TYPE)
-						.get(String.class);
+				String response = null;
+				if(!isKerberos){
+					response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class);
+				}else{
+					Subject sub = getSubjectForKerberos(repoName, currentUserLoginId);
+					response = Subject.doAs(sub, new PrivilegedAction<String>() {
+						@Override
+						public String run() {
+							return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class);
+						}						
+					});
+				}
 				Gson gson = new GsonBuilder().create();
 				logger.debug(" Search Key RESPONSE: [" + response + "]");
-
 				keys = gson.fromJson(response, List.class);
 				break;
 			} catch (Exception e) {
@@ -125,7 +157,7 @@ public class KmsKeyMgr {
 		}
 		if (keys != null && keys.size() > 0) {
 			for (String name : keys) {
-				VXKmsKey key = getKeyFromUri(connProvider, name);
+				VXKmsKey key = getKeyFromUri(connProvider, name, isKerberos, repoName);
 				vXKeys.add(key);
 			}
 			vxKmsKeyList.setResultSize(vXKeys.size());
@@ -137,31 +169,46 @@ public class KmsKeyMgr {
 		return vxKmsKeyList;
 	}
 
-	public VXKmsKey rolloverKey(String provider, VXKmsKey vXKey){
+	public VXKmsKey rolloverKey(String provider, VXKmsKey vXKey) throws Exception{
 		String providers[] = null;
 		try {
 			providers = getKMSURL(provider);
 		} catch (Exception e) {
-			logger.error("rolloverKey(" + provider + ", " + vXKey.getName()
-					+ ") failed", e);
+			logger.error("rolloverKey(" + provider + ", " + vXKey.getName() + ") failed", e);
 		}
 		VXKmsKey ret = null;
+		boolean isKerberos=false;
+		try {
+			isKerberos = checkKerberos(provider);
+		} catch (Exception e1) {
+			logger.error("checkKerberos(" + provider + ") failed", e1);
+		} 
 		for (int i = 0; i < providers.length; i++) {
 			Client c = getClient();
-			String rollRest = KMS_ROLL_KEY_URI.replaceAll(
-					Pattern.quote("${alias}"), vXKey.getName());
-			String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
-			rollRest = rollRest.replaceAll(Pattern.quote("${userName}"),
-					currentUserLoginId);
-			String uri = providers[i]
-					+ (providers[i].endsWith("/") ? rollRest : ("/" + rollRest));
-			WebResource r = c.resource(uri);
+			String rollRest = KMS_ROLL_KEY_URI.replaceAll(Pattern.quote("${alias}"), vXKey.getName());
+			String currentUserLoginId = ContextUtil.getCurrentUserLoginId();			
+			String uri = providers[i] + (providers[i].endsWith("/") ? rollRest : ("/" + rollRest));
+			if(!isKerberos){
+				uri = uri.concat("?user.name="+currentUserLoginId);
+			}else{
+				uri = uri.concat("?doAs="+currentUserLoginId);
+			}
+			final WebResource r = c.resource(uri);
 			Gson gson = new GsonBuilder().create();
-			String jsonString = gson.toJson(vXKey);
+			final String jsonString = gson.toJson(vXKey);
 			try {
-				String response = r.accept(MediaType.APPLICATION_JSON_TYPE)
-						.type(MediaType.APPLICATION_JSON_TYPE)
-						.post(String.class, jsonString);
+				String response = null;
+				if(!isKerberos){
+				 response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class,
jsonString);}
+				else{
+					Subject sub = getSubjectForKerberos(provider, currentUserLoginId);
+		            response = Subject.doAs(sub, new PrivilegedAction<String>() {
+						@Override
+						public String run() {
+	                        return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class,
jsonString);
+						}		            	
+					});
+	            }
 				logger.debug("Roll RESPONSE: [" + response + "]");
 				ret = gson.fromJson(response, VXKmsKey.class);
 				break;
@@ -174,27 +221,44 @@ public class KmsKeyMgr {
 		}
 		return ret;
 	}
-
-	public void deleteKey(String provider, String name){
+	
+	public void deleteKey(String provider, String name) throws Exception{
 		String providers[] = null;
 		try {
 			providers = getKMSURL(provider);
 		} catch (Exception e) {
 			logger.error("deleteKey(" + provider + ", " + name + ") failed", e);
 		}
+		boolean isKerberos=false;
+		try {
+			isKerberos = checkKerberos(provider);
+		} catch (Exception e1) {
+			logger.error("checkKerberos(" + provider + ") failed", e1);
+		} 
 		for (int i = 0; i < providers.length; i++) {
 			Client c = getClient();
-			String deleteRest = KMS_DELETE_KEY_URI.replaceAll(
-					Pattern.quote("${alias}"), name);
-			String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
-			deleteRest = deleteRest.replaceAll(Pattern.quote("${userName}"),
-					currentUserLoginId);
-			String uri = providers[i]
-					+ (providers[i].endsWith("/") ? deleteRest
-							: ("/" + deleteRest));
-			WebResource r = c.resource(uri);
+			String deleteRest = KMS_DELETE_KEY_URI.replaceAll(Pattern.quote("${alias}"), name);
+			String currentUserLoginId = ContextUtil.getCurrentUserLoginId();			
+			String uri = providers[i] + (providers[i].endsWith("/") ? deleteRest : ("/" + deleteRest));
+			if(!isKerberos){
+					uri = uri.concat("?user.name="+currentUserLoginId);
+			}else{
+				uri = uri.concat("?doAs="+currentUserLoginId);
+			}
+			final WebResource r = c.resource(uri);
 			try {
-				String response = r.delete(String.class) ;
+				String response = null;
+				if(!isKerberos){
+					response = r.delete(String.class) ;
+				}else{
+					Subject sub = getSubjectForKerberos(provider, currentUserLoginId);
+					response = Subject.doAs(sub, new PrivilegedAction<String>() {
+						@Override
+						public String run() {
+							return r.delete(String.class);
+						}
+					});
+				}
 				logger.debug("delete RESPONSE: [" + response + "]") ;	
 				break;
 			} catch (Exception e) {
@@ -206,7 +270,7 @@ public class KmsKeyMgr {
 		}			
 	}
 
-	public VXKmsKey createKey(String provider, VXKmsKey vXKey){
+	public VXKmsKey createKey(String provider, VXKmsKey vXKey) throws Exception{
 		String providers[] = null;
 		try {
 			providers = getKMSURL(provider);
@@ -215,21 +279,37 @@ public class KmsKeyMgr {
 					+ ") failed", e);
 		}
 		VXKmsKey ret = null;
+		boolean isKerberos=false;
+		try {
+			isKerberos = checkKerberos(provider);
+		} catch (Exception e1) {
+			logger.error("checkKerberos(" + provider + ") failed", e1);
+		} 
 		for (int i = 0; i < providers.length; i++) {
 			Client c = getClient();
-			String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
-			String createRest = KMS_ADD_KEY_URI.replaceAll(
-					Pattern.quote("${userName}"), currentUserLoginId);
-			String uri = providers[i]
-					+ (providers[i].endsWith("/") ? createRest
-							: ("/" + createRest));
-			WebResource r = c.resource(uri);
+			String currentUserLoginId = ContextUtil.getCurrentUserLoginId();			
+			String uri = providers[i] + (providers[i].endsWith("/") ? KMS_ADD_KEY_URI : ("/" + KMS_ADD_KEY_URI));
		
+			if(!isKerberos){
+				uri = uri.concat("?user.name="+currentUserLoginId);
+			}else{
+				uri = uri.concat("?doAs="+currentUserLoginId);
+			}
+			final WebResource r = c.resource(uri);
 			Gson gson = new GsonBuilder().create();
-			String jsonString = gson.toJson(vXKey);
+			final String jsonString = gson.toJson(vXKey);
 			try {
-				String response = r.accept(MediaType.APPLICATION_JSON_TYPE)
-						.type(MediaType.APPLICATION_JSON_TYPE)
-						.post(String.class, jsonString);
+				String response = null;
+				if(!isKerberos){
+					response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class,
jsonString);
+				}else{
+						Subject sub = getSubjectForKerberos(provider, currentUserLoginId);
+						response = Subject.doAs(sub, new PrivilegedAction<String>() {
+							@Override
+							public String run() {
+								return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).post(String.class,
jsonString);
+							}							
+						});
+				}
 				logger.debug("Create RESPONSE: [" + response + "]");
 				ret = gson.fromJson(response, VXKmsKey.class);
 				return ret;
@@ -243,26 +323,43 @@ public class KmsKeyMgr {
 		return ret;	
 	}
 	
-	public VXKmsKey getKey(String provider, String name){
+	public VXKmsKey getKey(String provider, String name) throws Exception{
 		String providers[] = null;
 		try {
 			providers = getKMSURL(provider);
 		} catch (Exception e) {
 			logger.error("getKey(" + provider + ", " + name + ") failed", e);
 		}
+		boolean isKerberos=false;
+		try {
+			isKerberos = checkKerberos(provider);
+		} catch (Exception e1) {
+			logger.error("checkKerberos(" + provider + ") failed", e1);
+		} 
 		for (int i = 0; i < providers.length; i++) {
 			Client c = getClient();
-			String keyRest = KMS_KEY_METADATA_URI.replaceAll(
-					Pattern.quote("${alias}"), name);
-			String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
-			keyRest = keyRest.replaceAll(Pattern.quote("${userName}"),
-					currentUserLoginId);
-			String uri = providers[i]
-					+ (providers[i].endsWith("/") ? keyRest : ("/" + keyRest));
-			WebResource r = c.resource(uri);
+			String keyRest = KMS_KEY_METADATA_URI.replaceAll(Pattern.quote("${alias}"), name);
+			String currentUserLoginId = ContextUtil.getCurrentUserLoginId();			
+			String uri = providers[i] + (providers[i].endsWith("/") ? keyRest : ("/" + keyRest));
+			if(!isKerberos){
+					uri = uri.concat("?user.name="+currentUserLoginId);
+			}else{
+				uri = uri.concat("?doAs="+currentUserLoginId);
+			}
+			final WebResource r = c.resource(uri);
 			try {
-				String response = r.accept(MediaType.APPLICATION_JSON_TYPE)
-						.get(String.class);
+				String response = null;
+				if(!isKerberos){
+					response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class);
+				}else{
+					Subject sub = getSubjectForKerberos(provider, currentUserLoginId);
+					response = Subject.doAs(sub, new PrivilegedAction<String>() {
+						@Override
+						public String run() {
+							return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class);
+						}
+					});
+				}
 				Gson gson = new GsonBuilder().create();
 				logger.debug("RESPONSE: [" + response + "]");
 				VXKmsKey key = gson.fromJson(response, VXKmsKey.class);
@@ -277,16 +374,29 @@ public class KmsKeyMgr {
 		return null;
 	}
 	
-	public VXKmsKey getKeyFromUri(String provider, String name) {
+	public VXKmsKey getKeyFromUri(String provider, String name, boolean isKerberos, String repoName)
throws Exception {
 		Client c = getClient();
-		String keyRest = KMS_KEY_METADATA_URI.replaceAll(
-				Pattern.quote("${alias}"), name);
-		String currentUserLoginId = ContextUtil.getCurrentUserLoginId();
-		keyRest = keyRest.replaceAll(Pattern.quote("${userName}"),
-				currentUserLoginId);
+		String keyRest = KMS_KEY_METADATA_URI.replaceAll(Pattern.quote("${alias}"), name);
+		String currentUserLoginId = ContextUtil.getCurrentUserLoginId();		
 		String uri = provider + (provider.endsWith("/") ? keyRest : ("/" + keyRest));
-		WebResource r = c.resource(uri);
-		String response = r.accept(MediaType.APPLICATION_JSON_TYPE).get(String.class);
+		if(!isKerberos){
+			uri = uri.concat("?user.name="+currentUserLoginId);
+		}else{
+			uri = uri.concat("?doAs="+currentUserLoginId);
+		}
+		final WebResource r = c.resource(uri);
+		String response = null;
+		if(!isKerberos){
+			response = r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class);
+		}else{
+			Subject sub = getSubjectForKerberos(repoName, currentUserLoginId);
+			response = Subject.doAs(sub, new PrivilegedAction<String>() {
+				@Override
+				public String run() {
+					return r.accept(MediaType.APPLICATION_JSON_TYPE).type(MediaType.APPLICATION_JSON_TYPE).get(String.class);
+				}				
+			});
+		}
 		Gson gson = new GsonBuilder().create();
 		logger.debug("RESPONSE: [" + response + "]");
 		VXKmsKey key = gson.fromJson(response, VXKmsKey.class);
@@ -360,7 +470,7 @@ public class KmsKeyMgr {
 					providerNext = providerNext+";";
 				}
 			}
-			for(int i=0; i<nextProvider; i++){
+			for(int i=0; i<nextProvider && i<hosts.length; i++){
 				providerNext = providerNext+";"+hosts[i];
 			}
 			if(nextProvider != hosts.length-1){
@@ -381,6 +491,43 @@ public class KmsKeyMgr {
 		}
 		return providers;
 	}
+	
+	private Subject getSubjectForKerberos(String provider, String currentUserLoginId) throws
Exception{
+		String userName = getKMSUserName(provider); 
+	    String password = getKMSPassword(provider);
+	    if (KerberosName.getRules() == null) {
+        	KerberosName.setRules("DEFAULT") ;
+    	}
+	    Subject sub = new Subject();
+	    if (userName.contains("@")) {
+			sub = SecureClientLogin.loginUserWithPassword(userName, password);
+		} else {
+			sub = SecureClientLogin.login(userName);
+		}
+        return sub;
+	}
+
+	private String getKMSPassword(String srvName) throws Exception {
+		XXService rangerService = rangerDaoManagerBase.getXXService().findByName(srvName);		
+		XXServiceConfigMap xxConfigMap = rangerDaoManagerBase.getXXServiceConfigMap().findByServiceAndConfigKey(rangerService.getId(),
KMS_PASSWORD);
+		String encryptedPwd = xxConfigMap.getConfigvalue();
+		String pwd = PasswordUtils.decryptPassword(encryptedPwd);
+		return pwd;
+	}
+
+	private String getKMSUserName(String srvName) throws Exception {
+		RangerService rangerService = null;
+		rangerService = svcStore.getServiceByName(srvName);
+		return rangerService.getConfigs().get(KMS_USERNAME);
+	}
+
+	private boolean checkKerberos(String provider) throws Exception {
+		String userName = getKMSUserName(provider);
+		if(userName.contains("@")){
+			return true;
+		}
+		return false;
+	}
 
 	private synchronized Client getClient() {
 		Client ret = null; 

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/d79401bb/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java
----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java b/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java
index 379ea3c..7845b86 100755
--- a/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java
+++ b/security-admin/src/main/java/org/apache/ranger/rest/XKeyREST.java
@@ -199,11 +199,11 @@ public class XKeyREST {
 		}			
 		if(!(message==null) && !(message.isEmpty()) && message.contains("Connection
refused")){
 			message = "Connection refused : Please check the KMS provider URL and whether the Ranger
KMS is running";			
-		}else if(!(message==null) && !(message.isEmpty()) && message.contains("response
status of 403")){
+		}else if(!(message==null) && !(message.isEmpty()) && (message.contains("response
status of 403") || message.contains("HTTP Status 403"))){
 			message = UNAUTHENTICATED_MSG;
-		}else if(!(message==null) && !(message.isEmpty()) && message.contains("response
status of 401")){
+		}else if(!(message==null) && !(message.isEmpty()) && (message.contains("response
status of 401") || message.contains("HTTP Status 401 - Authentication required"))){
 			message = UNAUTHENTICATED_MSG;
-		}	
+		}		
 		throw restErrorUtil.createRESTException(message, MessageEnums.ERROR_SYSTEM);
 	}	
 }


Mime
View raw message