ranger-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From gau...@apache.org
Subject [1/3] incubator-ranger git commit: RANGER-867 : Add Kerberos support for ranger admin and clients
Date Thu, 21 Apr 2016 06:20:16 GMT
Repository: incubator-ranger
Updated Branches:
  refs/heads/master 981f01a7a -> 8614032c9


http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSyncConfig.java
----------------------------------------------------------------------
diff --git a/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSyncConfig.java b/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSyncConfig.java
index 9588d66..b547b8f 100644
--- a/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSyncConfig.java
+++ b/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSyncConfig.java
@@ -21,12 +21,16 @@ package org.apache.ranger.tagsync.process;
 
 import org.apache.commons.lang.StringUtils;
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.SecureClientLogin;
 import org.apache.log4j.Logger;
 
 import java.io.*;
 import java.net.URL;
+import java.net.UnknownHostException;
 import java.util.Enumeration;
 import java.util.Properties;
+
+//import org.apache.ranger.common.PropertiesUtil;
 import org.apache.ranger.credentialapi.CredentialReader;
 
 public class TagSyncConfig extends Configuration {
@@ -76,8 +80,23 @@ public class TagSyncConfig extends Configuration {
 
 	private static final int DEFAULT_TAGSYNC_TAGADMIN_CONNECTION_CHECK_INTERVAL = 2000;
 
+	private static final String AUTH_TYPE = "hadoop.security.authentication";
+	private static final String NAME_RULES = "hadoop.security.auth_to_local";
+	private static final String TAGSYNC_KERBEROS_PRICIPAL = "ranger.tagsync.kerberos.principal";
+	private static final String TAGSYNC_KERBEROS_KEYTAB = "ranger.tagsync.kerberos.keytab";
+
+	private static final String CORE_SITE_FILE = "core-site.xml";
+	private static String LOCAL_HOSTNAME = "unknown" ;
 	private Properties props;
 
+	static {
+		try {
+			LOCAL_HOSTNAME = java.net.InetAddress.getLocalHost().getCanonicalHostName();
+		} catch (UnknownHostException e) {
+			LOCAL_HOSTNAME = "unknown" ;
+		} 
+	}
+	
 	public static TagSyncConfig getInstance() {
 		TagSyncConfig newConfig = new TagSyncConfig();
 		return newConfig;
@@ -289,6 +308,29 @@ public class TagSyncConfig extends Configuration {
 	static public String getCustomAtlasResourceMappers(Properties prop) {
 		return prop.getProperty(TAGSYNC_SOURCE_ATLAS_CUSTOM_RESOURCE_MAPPERS_PROP);
 	}
+	
+	static public String getAuthenticationType(Properties prop){
+		return prop.getProperty(AUTH_TYPE, "simple");
+	}
+	
+	static public String getNameRules(Properties prop){
+		return prop.getProperty(NAME_RULES, "DEFAULT");
+	}
+	
+	static public String getKerberosPrincipal(Properties prop){
+//		return prop.getProperty(TAGSYNC_KERBEROS_PRICIPAL);
+		String principal = null;
+		try {
+			return SecureClientLogin.getPrincipal(prop.getProperty(TAGSYNC_KERBEROS_PRICIPAL, ""),
LOCAL_HOSTNAME);
+		} catch (IOException ignored) {
+			 // do nothing
+		}
+		return principal;
+	}
+	
+	static public String getKerberosKeytab(Properties prop){
+		return prop.getProperty(TAGSYNC_KERBEROS_KEYTAB, "");
+	}
 
 	static public long getTagAdminConnectionCheckInterval(Properties prop) {
 		long ret = DEFAULT_TAGSYNC_TAGADMIN_CONNECTION_CHECK_INTERVAL;
@@ -310,8 +352,9 @@ public class TagSyncConfig extends Configuration {
 
 	private void init() {
 
+		readConfigFile(CORE_SITE_FILE);
 		readConfigFile(DEFAULT_CONFIG_FILE);
-		readConfigFile(CONFIG_FILE);
+		readConfigFile(CONFIG_FILE);		
 
 		props = getProps();
 

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java
----------------------------------------------------------------------
diff --git a/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java
b/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java
index 2fd5ea1..dfc3fdb 100644
--- a/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java
+++ b/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java
@@ -26,17 +26,19 @@ import org.apache.commons.collections.MapUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.security.SecureClientLogin;
 import org.apache.ranger.admin.client.datatype.RESTResponse;
 import org.apache.ranger.tagsync.model.TagSink;
 import org.apache.ranger.plugin.util.RangerRESTClient;
 import org.apache.ranger.plugin.util.SearchFilter;
 import org.apache.ranger.plugin.util.ServiceTags;
 import org.apache.ranger.tagsync.process.TagSyncConfig;
-
+import javax.security.auth.Subject;
 import javax.servlet.http.HttpServletResponse;
+
+import java.security.PrivilegedAction;
 import java.util.Map;
 import java.util.Properties;
-
 import java.util.concurrent.ArrayBlockingQueue;
 import java.util.concurrent.BlockingQueue;
 import java.util.concurrent.LinkedBlockingQueue;
@@ -51,11 +53,18 @@ public class TagAdminRESTSink implements TagSink, Runnable {
 
 	private static final String REST_URL_IMPORT_SERVICETAGS_RESOURCE = REST_PREFIX + MODULE_PREFIX
+ "/importservicetags/";
 
+	private static final String AUTH_TYPE_KERBEROS = "kerberos";
+
 	private long rangerAdminConnectionCheckInterval;
 
 	private RangerRESTClient tagRESTClient = null;
 
 	private BlockingQueue<UploadWorkItem> uploadWorkItems;
+	
+	private String authenticationType;	
+	private String principal;
+	private String keytab;
+	private String nameRules;
 
 	private Thread myThread = null;
 
@@ -72,6 +81,10 @@ public class TagAdminRESTSink implements TagSink, Runnable {
 		String userName = TagSyncConfig.getTagAdminUserName(properties);
 		String password = TagSyncConfig.getTagAdminPassword(properties);
 		rangerAdminConnectionCheckInterval = TagSyncConfig.getTagAdminConnectionCheckInterval(properties);
+		authenticationType = TagSyncConfig.getAuthenticationType(properties);
+		nameRules = TagSyncConfig.getNameRules(properties);
+		principal = TagSyncConfig.getKerberosPrincipal(properties);
+		keytab = TagSyncConfig.getKerberosKeytab(properties);
 
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("restUrl=" + restUrl);
@@ -82,7 +95,9 @@ public class TagAdminRESTSink implements TagSink, Runnable {
 
 		if (StringUtils.isNotBlank(restUrl)) {
 			tagRESTClient = new RangerRESTClient(restUrl, sslConfigFile);
-			tagRESTClient.setBasicAuthInfo(userName, password);
+			if(!(!StringUtils.isEmpty(authenticationType) && authenticationType.trim().equalsIgnoreCase(AUTH_TYPE_KERBEROS)
&& SecureClientLogin.isKerberosCredentialExists(principal, keytab))){
+				tagRESTClient.setBasicAuthInfo(userName, password);
+			}
 			uploadWorkItems = new LinkedBlockingQueue<UploadWorkItem>();
 
 			ret = true;
@@ -119,6 +134,35 @@ public class TagAdminRESTSink implements TagSink, Runnable {
 	}
 
 	private ServiceTags doUpload(ServiceTags serviceTags) throws Exception {
+			if(!StringUtils.isEmpty(authenticationType) && authenticationType.trim().equalsIgnoreCase(AUTH_TYPE_KERBEROS)
&& SecureClientLogin.isKerberosCredentialExists(principal, keytab)){
+				try{
+					Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules) ;
+					if(LOG.isDebugEnabled()) {
+						LOG.debug("Using Principal = "+ principal + ", keytab = "+keytab);
+					}
+					final ServiceTags serviceTag = serviceTags;
+					ServiceTags ret = Subject.doAs(sub, new PrivilegedAction<ServiceTags>() {
+						@Override
+						public ServiceTags run() {
+							try{
+								return uploadServiceTags(serviceTag);
+							}catch (Exception e) {
+								LOG.error("Upload of service-tags failed with message ", e);
+						    }
+							return null;
+						}
+					});
+					return ret;
+				}catch(Exception e){
+					LOG.error("Upload of service-tags failed with message ", e);
+				}
+				return null;
+			}else{
+				return uploadServiceTags(serviceTags);
+			}
+	}
+	
+	private ServiceTags uploadServiceTags(ServiceTags serviceTags) throws Exception {
 		if(LOG.isDebugEnabled()) {
 			LOG.debug("==> doUpload()");
 		}

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/ugsync/pom.xml
----------------------------------------------------------------------
diff --git a/ugsync/pom.xml b/ugsync/pom.xml
index 1106e30..6ff21ca 100644
--- a/ugsync/pom.xml
+++ b/ugsync/pom.xml
@@ -141,6 +141,11 @@
       <artifactId>commons-io</artifactId>
       <version>${commons.io.version}</version>
     </dependency>
+    <dependency>
+            <groupId>org.apache.ranger</groupId>
+            <artifactId>ranger-plugins-common</artifactId>
+            <version>${project.version}</version>
+    </dependency>
     </dependencies>
 
     <build>

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
----------------------------------------------------------------------
diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
index f54b24a..9321e6e 100644
--- a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
+++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
@@ -53,6 +53,8 @@ public class UserGroupSyncConfig  {
 
 	public static final String DEFAULT_CONFIG_FILE = "ranger-ugsync-default-site.xml" ;
 	
+	private static final String CORE_SITE_CONFIG_FILE = "core-site.xml";
+	
 	public static final String  UGSYNC_ENABLED_PROP = "ranger.usersync.enabled" ;
 	
 	public static final String  UGSYNC_PM_URL_PROP = 	"ranger.usersync.policymanager.baseURL"
;
@@ -235,8 +237,9 @@ public class UserGroupSyncConfig  {
 	}
 
 	private void init() {
+		readConfigFile(CORE_SITE_CONFIG_FILE);
 		readConfigFile(CONFIG_FILE);
-		readConfigFile(DEFAULT_CONFIG_FILE);
+		readConfigFile(DEFAULT_CONFIG_FILE);		
 	}
 
 	private void readConfigFile(String fileName) {

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
----------------------------------------------------------------------
diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
index 20466ab..068c9df 100644
--- a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
+++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/PolicyMgrUserGroupBuilder.java
@@ -22,9 +22,11 @@
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
+import java.io.IOException;
 import java.io.InputStream;
 import java.net.UnknownHostException;
 import java.security.KeyStore;
+import java.security.PrivilegedAction;
 import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.HashMap;
@@ -38,8 +40,10 @@ import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
+import javax.security.auth.Subject;
 import javax.ws.rs.core.MediaType;
 
+import org.apache.hadoop.security.SecureClientLogin;
 import org.apache.log4j.Level;
 import org.apache.log4j.Logger;
 
@@ -69,6 +73,12 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
 	
 	private static final Logger LOG = Logger.getLogger(PolicyMgrUserGroupBuilder.class) ;
 	
+	private static final String AUTHENTICATION_TYPE = "hadoop.security.authentication";	
+	private String AUTH_KERBEROS = "kerberos";
+	private static final String PRINCIPAL = "ranger.usersync.kerberos.principal";
+	private static final String KEYTAB = "ranger.usersync.kerberos.keytab";
+	private static final String NAME_RULE = "hadoop.security.auth_to_local";
+	
 	public static final String PM_USER_LIST_URI  = "/service/xusers/users/" ;				// GET
 	private static final String PM_ADD_USER_URI  = "/service/xusers/users/" ;				// POST
 	private static final String PM_ADD_USER_GROUP_INFO_URI = "/service/xusers/users/userinfo"
;	// POST
@@ -84,6 +94,7 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
 	
 	private static final String PM_ADD_LOGIN_USER_URI = "/service/users/default" ;			// POST
 	private static final String GROUP_SOURCE_EXTERNAL ="1";
+	
 	private static String LOCAL_HOSTNAME = "unknown" ;
 	private String recordsToPullPerCall = "1000" ;
 	private boolean isMockRun = false ;
@@ -108,11 +119,14 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
 	private HostnameVerifier hv =  null ;
 
 	private SSLContext sslContext = null ;
-
+	private String authenticationType = null;
+	String principal;
+	String keytab;
+	String nameRules;
 	
 	static {
 		try {
-			LOCAL_HOSTNAME = java.net.InetAddress.getLocalHost().getHostName();
+			LOCAL_HOSTNAME = java.net.InetAddress.getLocalHost().getCanonicalHostName();
 		} catch (UnknownHostException e) {
 			LOCAL_HOSTNAME = "unknown" ;
 		} 
@@ -148,18 +162,56 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
 		trustStoreFilepwd = config.getSSLTrustStorePathPassword() ;
 		keyStoreType = KeyStore.getDefaultType() ;
 		trustStoreType = KeyStore.getDefaultType() ;
-		
+		authenticationType = config.getProperty(AUTHENTICATION_TYPE,"simple");
+		try {
+			principal = SecureClientLogin.getPrincipal(config.getProperty(PRINCIPAL,""), LOCAL_HOSTNAME);
+		} catch (IOException ignored) {
+			 // do nothing
+		}
+		keytab = config.getProperty(KEYTAB,"");
+		nameRules = config.getProperty(NAME_RULE,"DEFAULT");
 		buildUserGroupInfo() ;
 	}
 	
 	private void buildUserGroupInfo() throws Throwable {
-		buildGroupList(); 
-		buildUserList();
-		buildUserGroupLinkList() ;
-		rebuildUserGroupMap() ;
-		if (LOG.isDebugEnabled()) {
-			this.print(); 
-		}
+		if(authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType)
&& SecureClientLogin.isKerberosCredentialExists(principal, keytab)){
+			if(LOG.isDebugEnabled()) {
+				LOG.debug("==> Kerberos Environment : Principal is " + principal + " and Keytab is
" + keytab);
+			}
+		}		
+		if (authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType)
&& SecureClientLogin.isKerberosCredentialExists(principal, keytab)) {
+			try {
+				LOG.info("Using principal = " + principal + " and keytab = " + keytab);
+				Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules);		
	
+				Subject.doAs(sub, new PrivilegedAction<Void>() {
+					@Override
+					public Void run() {
+						try {
+							buildGroupList(); 
+							buildUserList();
+							buildUserGroupLinkList() ;
+							rebuildUserGroupMap() ;
+							if (LOG.isDebugEnabled()) {
+							//	this.print(); 
+							}
+						} catch (Exception e) {
+							LOG.error("Failed to build Group List : ", e);
+						}
+						return null;
+					}
+				});
+			} catch (Exception e) {
+				LOG.error("Failed to Authenticate Using given Principal and Keytab : ",e);
+			}
+		} else {
+			buildGroupList(); 
+			buildUserList();
+			buildUserGroupLinkList() ;
+			rebuildUserGroupMap() ;
+			if (LOG.isDebugEnabled()) {
+				this.print(); 
+			}
+		}	
 	}
 	
 	private String getURL(String uri) {
@@ -341,46 +393,46 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
 		}
 	}
 	
-	
 	private void buildGroupList() {
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> PolicyMgrUserGroupBuilder.buildGroupList");
+		}		
+		Client c = getClient() ;
 		
-	    Client c = getClient() ;
-	    
-	    int totalCount = 100 ;
-	    int retrievedCount = 0 ;
-	    
-	    while (retrievedCount < totalCount) {
-	    	
-		    WebResource r = c.resource(getURL(PM_GROUP_LIST_URI))
-		    					.queryParam("pageSize", recordsToPullPerCall)
-		    					.queryParam("startIndex", String.valueOf(retrievedCount)) ;
-		    
-		    String response = r.accept(MediaType.APPLICATION_JSON_TYPE).get(String.class);
+		int totalCount = 100 ;
+		int retrievedCount = 0 ;
+		 	    
+		while (retrievedCount < totalCount) {
+			WebResource r = c.resource(getURL(PM_GROUP_LIST_URI))
+					.queryParam("pageSize", recordsToPullPerCall)
+					.queryParam("startIndex", String.valueOf(retrievedCount)) ;
+			
+		String response = r.accept(MediaType.APPLICATION_JSON_TYPE).get(String.class);
 		    
-		    LOG.debug("RESPONSE: [" + response + "]") ;
+		LOG.debug("RESPONSE: [" + response + "]") ;
 		    		    
-		    Gson gson = new GsonBuilder().create() ;
-	
-		    GetXGroupListResponse groupList = gson.fromJson(response, GetXGroupListResponse.class)
;
-		    
-		    totalCount = groupList.getTotalCount() ;
-		    
-		    if (groupList.getXgroupInfoList() != null) {
-		    	xgroupList.addAll(groupList.getXgroupInfoList()) ;
-		    	retrievedCount = xgroupList.size() ;
+		Gson gson = new GsonBuilder().create() ;
 
-		    	for(XGroupInfo g : groupList.getXgroupInfoList()) {
-		    		LOG.debug("GROUP:  Id:" + g.getId() + ", Name: " + g.getName() + ", Description:
" + g.getDescription()) ;
-			    }
-		    }
-	    }
+		GetXGroupListResponse groupList = gson.fromJson(response, GetXGroupListResponse.class)
;
+				    
+		totalCount = groupList.getTotalCount() ;
+		
+			if (groupList.getXgroupInfoList() != null) {
+				xgroupList.addAll(groupList.getXgroupInfoList());
+				retrievedCount = xgroupList.size();
 
+				for (XGroupInfo g : groupList.getXgroupInfoList()) {
+					LOG.debug("GROUP:  Id:" + g.getId() + ", Name: "+ g.getName() + ", Description: "+ g.getDescription());
+				}
+			}
+		}
 	}
-
 	
 	private void buildUserList() {
-		
-	    Client c = getClient() ;	
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("==> PolicyMgrUserGroupBuilder.buildUserList");
+		}
+		Client c = getClient() ;	
 	    
 	    int totalCount = 100 ;
 	    int retrievedCount = 0 ;
@@ -410,12 +462,12 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
 			    }
 		    }
 	    }
-	    
 	}
 	
-	
 	private void buildUserGroupLinkList() {
-
+		if(LOG.isDebugEnabled()) {
+	 		LOG.debug("==> PolicyMgrUserGroupBuilder.buildUserGroupLinkList");
+	 	}
 		Client c = getClient() ;
 	    
 	    int totalCount = 100 ;
@@ -446,14 +498,13 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
 			    }
 		    }
 	    }
-
 	}
-	
-	
+
 	private UserGroupInfo addUserGroupInfo(String userName, List<String> groups){
-	
+		if(LOG.isDebugEnabled()) {
+	 		LOG.debug("==> PolicyMgrUserGroupBuilder.addUserGroupInfo " + userName + " and groups");
+	 	}
 		UserGroupInfo ret = null;
-		
 		XUserInfo user = null;
 		
 		LOG.debug("INFO: addPMXAUser(" + userName + ")" ) ;
@@ -467,7 +518,32 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
 		if (! isMockRun ) { 
 			addXUserGroupInfo(user, groups) ;
 		}
-		
+		if (authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType)
&& SecureClientLogin.isKerberosCredentialExists(principal, keytab)){
+			try {
+				Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules);
+				final UserGroupInfo result = ret;
+				ret = Subject.doAs(sub, new PrivilegedAction<UserGroupInfo>() {
+					@Override
+					public UserGroupInfo run() {
+						try {
+							return getUsergroupInfo(result);
+						} catch (Exception e) {
+							LOG.error("Failed to add User Group Info : ", e);
+						}
+						return null;
+					}
+				});
+				return ret;
+			} catch (Exception e) {
+				LOG.error("Failed to Authenticate Using given Principal and Keytab : " , e);
+			}
+			return null;
+		}else{
+			return getUsergroupInfo(ret);
+		}
+	}
+
+	private UserGroupInfo getUsergroupInfo(UserGroupInfo ret) {
 		Client c = getClient();
 		
 		WebResource r = c.resource(getURL(PM_ADD_USER_GROUP_INFO_URI));
@@ -495,13 +571,10 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
 			}
 		}
 		
-		return ret;	
+		return ret;
 	}
 
-	private void addUserGroupInfo(UserGroupInfo usergroupInfo){
-
-		UserGroupInfo ret = null;
-
+	private void getUserGroupInfo(UserGroupInfo ret, UserGroupInfo usergroupInfo) {
 		Client c = getClient();
 
 		WebResource r = c.resource(getURL(PM_ADD_USER_GROUP_INFO_URI));
@@ -530,6 +603,35 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
 			}
 		}
 	}
+	
+	private void addUserGroupInfo(UserGroupInfo usergroupInfo){
+		if(LOG.isDebugEnabled()) {
+	 		LOG.debug("==> PolicyMgrUserGroupBuilder.addUserGroupInfo");
+	 	}
+		UserGroupInfo ret = null;
+		if (authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType)
&& SecureClientLogin.isKerberosCredentialExists(principal, keytab)) {
+			try {
+				Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules);
+				final UserGroupInfo result = ret;
+				final UserGroupInfo ugInfo = usergroupInfo;
+				Subject.doAs(sub, new PrivilegedAction<Void>() {
+					@Override
+					public Void run() {
+						try {
+							getUserGroupInfo(result, ugInfo);
+						} catch (Exception e) {
+							LOG.error("Failed to add User Group Info : ", e);
+						}
+						return null;
+					}
+				});
+			} catch (Exception e) {
+				LOG.error("Failed to Authenticate Using given Principal and Keytab : ",e);
+			}
+		} else {
+			getUserGroupInfo(ret, usergroupInfo);
+		}
+	}
 
 	private XUserInfo addXUserInfo(String aUserName) {
 		
@@ -609,11 +711,31 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
 	}
 
 	
-	private void delXUserGroupInfo(XUserInfo aUserInfo, List<String> aGroupList) {
+	private void delXUserGroupInfo(final XUserInfo aUserInfo, List<String> aGroupList)
{
 		for(String groupName : aGroupList) {
-			XGroupInfo group = groupName2XGroupInfoMap.get(groupName) ;
+			final XGroupInfo group = groupName2XGroupInfoMap.get(groupName) ;
 			if (group != null) {
-				delXUserGroupInfo(aUserInfo, group) ;
+				if (authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType)
&& SecureClientLogin.isKerberosCredentialExists(principal, keytab)) {
+					try {
+						LOG.info("Using principal = " + principal + " and keytab = " + keytab);
+						Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules);
+						Subject.doAs(sub, new PrivilegedAction<Void>() {
+							@Override
+							public Void run() {
+								try {
+									delXUserGroupInfo(aUserInfo, group);
+								} catch (Exception e) {
+									LOG.error("Failed to build Group List : ", e);
+								}
+								return null;
+							}
+						});
+					} catch (Exception e) {
+						LOG.error("Failed to Authenticate Using given Principal and Keytab : ",e);
+					}
+				} else {
+					delXUserGroupInfo(aUserInfo, group);
+				}
 			}
 		}
 	}
@@ -650,19 +772,44 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
 
 	}
 	
-
 	private MUserInfo addMUser(String aUserName) {
-		
-		MUserInfo ret = null ;
-		
-		MUserInfo userInfo = new MUserInfo() ;
+		MUserInfo ret = null;
+		MUserInfo userInfo = new MUserInfo();
 
 		userInfo.setLoginId(aUserName);
 		userInfo.setFirstName(aUserName);
 		userInfo.setLastName(aUserName);
 		userInfo.setEmailAddress(aUserName + "@" + LOCAL_HOSTNAME);
-	
-	    Client c = getClient() ;
+
+		if (authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType)
&& SecureClientLogin.isKerberosCredentialExists(principal, keytab)) {
+			try {
+				Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules);
+				final MUserInfo result = ret;
+				final MUserInfo userInfoFinal = userInfo;
+				ret = Subject.doAs(sub, new PrivilegedAction<MUserInfo>() {
+					@Override
+					public MUserInfo run() {
+						try {
+							return getMUser(userInfoFinal, result);
+						} catch (Exception e) {
+							LOG.error("Failed to add User : ", e);
+						}
+						return null;
+					}
+				});
+				return ret;
+			} catch (Exception e) {
+				LOG.error("Failed to Authenticate Using given Principal and Keytab : " , e);
+			}
+			return null;
+		} else {
+			return getMUser(userInfo, ret);
+		}
+	}
+
+
+	private MUserInfo getMUser(MUserInfo userInfo, MUserInfo ret) {		
+		Client c = getClient() ;
 	    
 	    WebResource r = c.resource(getURL(PM_ADD_LOGIN_USER_URI)) ;
 	    
@@ -679,10 +826,7 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
 	    LOG.debug("MUser Creation successful " + ret);
 		
 		return ret ;
-		
-
 	}
-	
 
 	private synchronized Client getClient() {
 		
@@ -771,16 +915,18 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
 		    cc.getProperties().put(ClientConfig.PROPERTY_FOLLOW_REDIRECTS, true);
 		    ret = Client.create(cc);	
 		}
-		if(ret!=null){
-			 String username = config.getPolicyMgrUserName();
-			 String password = config.getPolicyMgrPassword();
-			 if(username==null||password==null||username.trim().isEmpty()||password.trim().isEmpty()){
-				 username=config.getDefaultPolicyMgrUserName();
-				 password=config.getDefaultPolicyMgrPassword();
-			 }
-			 if(username!=null && password!=null){
-				 ret.addFilter(new HTTPBasicAuthFilter(username, password));
-			 }
+		if(!(authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType)
&& SecureClientLogin.isKerberosCredentialExists(principal, keytab))){
+			if(ret!=null){
+				 String username = config.getPolicyMgrUserName();
+				 String password = config.getPolicyMgrPassword();
+				 if(username==null||password==null||username.trim().isEmpty()||password.trim().isEmpty()){
+					 username=config.getDefaultPolicyMgrUserName();
+					 password=config.getDefaultPolicyMgrPassword();
+				 }
+				 if(username!=null && password!=null){
+					 ret.addFilter(new HTTPBasicAuthFilter(username, password));
+				 }
+			}
 		}
 		return ret ;
 	}
@@ -832,7 +978,7 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
 		}
 	}
 	
-	private XGroupInfo addGroupInfo(String groupName){
+	private XGroupInfo addGroupInfo(final String groupName){
 		XGroupInfo ret = null;
 		XGroupInfo group = null;
 		
@@ -840,6 +986,34 @@ public class PolicyMgrUserGroupBuilder implements UserGroupSink {
 		if (! isMockRun) {
 			group = addXGroupInfo(groupName) ;
 		}
+		if (authenticationType != null && AUTH_KERBEROS.equalsIgnoreCase(authenticationType)
&& SecureClientLogin.isKerberosCredentialExists(principal,keytab)) {
+			try {
+				LOG.info("Using principal = " + principal + " and keytab = " + keytab);
+				Subject sub = SecureClientLogin.loginUserFromKeytab(principal, keytab, nameRules);
+				final XGroupInfo groupInfo = group;
+				ret = Subject.doAs(sub, new PrivilegedAction<XGroupInfo>() {
+					@Override
+					public XGroupInfo run() {
+						try {
+							return getAddedGroupInfo(groupInfo);
+						} catch (Exception e) {
+							LOG.error("Failed to build Group List : ", e);
+						}
+						return null;
+					}
+				});
+				return ret;
+			} catch (Exception e) {
+				LOG.error("Failed to Authenticate Using given Principal and Keytab : ", e);
+			}
+			return null;
+		} else {
+			return getAddedGroupInfo(group);
+		}	
+	}
+
+	private XGroupInfo getAddedGroupInfo(XGroupInfo group){	
+		XGroupInfo ret = null;
 		
 		Client c = getClient();
 		

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/unixauthservice/scripts/install.properties
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/install.properties b/unixauthservice/scripts/install.properties
index f206d0a..f4fd4c0 100644
--- a/unixauthservice/scripts/install.properties
+++ b/unixauthservice/scripts/install.properties
@@ -42,6 +42,10 @@ SYNC_INTERVAL =
 unix_user=ranger
 unix_group=ranger
 
+#Set to run in kerberos environment
+usersync_principal=
+usersync_keytab=
+hadoop_conf=/etc/hadoop/conf
 #
 # The file where all credential is kept in cryptic format
 #

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/unixauthservice/scripts/ranger-usersync-services.sh
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/ranger-usersync-services.sh b/unixauthservice/scripts/ranger-usersync-services.sh
index 9cd5ee2..ed3c936 100644
--- a/unixauthservice/scripts/ranger-usersync-services.sh
+++ b/unixauthservice/scripts/ranger-usersync-services.sh
@@ -47,7 +47,7 @@ if [ "${action}" == "START" ]; then
         	export PATH=$JAVA_HOME/bin:$PATH
 	fi
 
-	cp="${cdir}/dist/*:${cdir}/lib/*:${cdir}/conf"
+	cp="${cdir}/dist/*:${cdir}/lib/*:${cdir}/conf:${RANGER_USERSYNC_HADOOP_CONF_DIR}/*"
 
     if [ -f $pidf ]; then
             PID=`cat $pidf`

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/unixauthservice/scripts/setup.py
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/setup.py b/unixauthservice/scripts/setup.py
index 8bb3bf0..1f46546 100755
--- a/unixauthservice/scripts/setup.py
+++ b/unixauthservice/scripts/setup.py
@@ -86,6 +86,8 @@ SYNC_LDAP_BIND_PASSWORD_KEY  = 'ranger.usersync.ldap.ldapbindpassword'
 credUpdateClassName =  'org.apache.ranger.credentialapi.buildks'
 #credUpdateClassName =  'com.hortonworks.credentialapi.buildks'
 ENV_LOGDIR_FILE = 'ranger-usersync-env-logdir.sh'
+hadoopConfFileName = 'core-site.xml'
+ENV_HADOOP_CONF_FILE = "ranger-usersync-env-hadoopconfdir.sh"
 
 
 RANGER_USERSYNC_HOME = os.getenv("RANGER_USERSYNC_HOME")
@@ -307,18 +309,31 @@ def createJavaKeystoreForSSL(fn,passwd):
 		sys.exit(1)
 	return ret
 
-def write_env_files(log_path):
-        final_path = "{0}/{1}".format(confBaseDirName,ENV_LOGDIR_FILE)
+def write_env_files(exp_var_name, log_path, file_name):
+        final_path = "{0}/{1}".format(confBaseDirName,file_name)
         if not os.path.isfile(final_path):
-                print "Creating %s file" % ENV_LOGDIR_FILE
+                print "Creating %s file" % file_name
         f = open(final_path, "w")
-        f.write("export logdir={0}".format(log_path))
+        f.write("export {0}={1}".format(exp_var_name,log_path))
         f.close()
 
 def main():
 
 	populate_global_dict()
 	logFolderName = globalDict['logdir']
+	hadoop_conf = globalDict['hadoop_conf']
+
+        hadoop_conf_full_path = os.path.join(hadoop_conf, hadoopConfFileName)
+	usersync_conf_full_path = os.path.join(usersyncBaseDirFullName,confBaseDirName,hadoopConfFileName)
+        if not isfile(hadoop_conf_full_path):
+                print "WARN: core-site.xml file not found in provided hadoop conf path..."
+                f = open(usersync_conf_full_path, "w")
+                f.write("<configuration></configuration>")
+                f.close()
+        else:
+                if os.path.islink(usersync_conf_full_path):
+                        os.remove(usersync_conf_full_path)
+
 	if logFolderName.lower() == "$pwd" or logFolderName == "" :
                 logFolderName = os.path.join(os.getcwd(),"logs")
 	ugsyncLogFolderName = logFolderName
@@ -485,8 +500,14 @@ def main():
 	else:
 		print "WARNING: Unix Authentication Program (%s) is not available for setting chmod(4550),
chown(%s:%s) " % (nativeAuthProgramName, "root", groupName)
 
-	write_env_files(logFolderName);
+        write_env_files("logdir", logFolderName, ENV_LOGDIR_FILE);
+        write_env_files("RANGER_USERSYNC_HADOOP_CONF_DIR", hadoop_conf, ENV_HADOOP_CONF_FILE);
         os.chown(os.path.join(confBaseDirName, ENV_LOGDIR_FILE),ownerId,groupId)
         os.chmod(os.path.join(confBaseDirName, ENV_LOGDIR_FILE),0755)
+        os.chown(os.path.join(confBaseDirName, ENV_HADOOP_CONF_FILE),ownerId,groupId)
+        os.chmod(os.path.join(confBaseDirName, ENV_HADOOP_CONF_FILE),0755)
+
+	if isfile(hadoop_conf_full_path):
+        	os.symlink(hadoop_conf_full_path, usersync_conf_full_path)
 
 main()

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/unixauthservice/scripts/templates/installprop2xml.properties
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/templates/installprop2xml.properties b/unixauthservice/scripts/templates/installprop2xml.properties
index 77b8eac..a78157e 100644
--- a/unixauthservice/scripts/templates/installprop2xml.properties
+++ b/unixauthservice/scripts/templates/installprop2xml.properties
@@ -49,3 +49,5 @@ AUTH_SSL_TRUSTSTORE_FILE = ranger.usersync.truststore.file
 AUTH_SSL_TRUSTSTORE_PASSWORD = ranger.usersync.truststore.password
 AUTH_SSL_ENABLED = ranger.usersync.enabled
 SYNC_LDAP_REFERRAL = ranger.usersync.ldap.referral
+usersync_principal= ranger.usersync.kerberos.principal
+usersync_keytab= ranger.usersync.kerberos.keytab

http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/8614032c/unixauthservice/scripts/templates/ranger-ugsync-template.xml
----------------------------------------------------------------------
diff --git a/unixauthservice/scripts/templates/ranger-ugsync-template.xml b/unixauthservice/scripts/templates/ranger-ugsync-template.xml
index 2bf5562..d32ef33 100644
--- a/unixauthservice/scripts/templates/ranger-ugsync-template.xml
+++ b/unixauthservice/scripts/templates/ranger-ugsync-template.xml
@@ -185,4 +185,12 @@
 		<name>ranger.usersync.ldap.referral</name>
 		<value></value>
 	</property>
+	<property>
+		<name>ranger.usersync.kerberos.principal</name>
+		<value></value>
+	</property>
+	<property>
+		<name>ranger.usersync.kerberos.keytab</name>
+		<value></value>
+	</property>
 </configuration>


Mime
View raw message