ranger-dev mailing list archives

From Don Bosco Durai <bo...@apache.org>
Subject Re: Review Request 71432: Configure Kerberos for Hive Ranger Client via HS2 configuration
Date Mon, 09 Sep 2019 15:16:08 GMT


> On Sept. 5, 2019, 3:42 p.m., Don Bosco Durai wrote:
> > hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java
> > Lines 147 (patched)
> > <https://reviews.apache.org/r/71432/diff/1/?file=2163334#file2163334line147>
> >
> >     What happens if the cluster is already Kerberos enabled?
> 
> Denys Kuzmenko wrote:
>     Before the change, when the cluster was already Kerberos enabled, MiscUtil.getUGILoginUser() delegated request to UserGroupInformation.getLoginUser() as ugiLoginUser was never set.
>     After the change it should start using ugiLoginUser.
>     
>     public static UserGroupInformation getUGILoginUser() {
>         UserGroupInformation ret = ugiLoginUser;
>         if (ret == null) {
>             ret = UserGroupInformation.getLoginUser();
>         }
>         ...
>     }
>     
>     public ServicePolicies getServicePoliciesIfUpdated(...) {
>         UserGroupInformation user = MiscUtil.getUGILoginUser();
>         boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
>     
>         if (isSecureMode) {
>           PrivilegedAction<ClientResponse> action = new PrivilegedAction<ClientResponse>() {
>             public ClientResponse run() {
>               WebResource secureWebResource = RangerAdminRESTClient.this.createWebResource("/service/plugins/secure/ ...);
>               return (ClientResponse)secureWebResource.accept(new String[]{"application/json"}).get(ClientResponse.class);
>             }
>           };
>           ...
>     }

Since it was working before this change, do you think calling this method will have a side effect?
In an existing Kerberos Hive, we rely on Hive Server2 to manage the UGI, right? Ideally, we
shouldn't change static variables managed by the component. If we do, let's make sure there
are no side effects.


- Don Bosco


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71432/#review217591
-----------------------------------------------------------


On Sept. 5, 2019, 12:13 p.m., Denys Kuzmenko wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71432/
> -----------------------------------------------------------
> 
> (Updated Sept. 5, 2019, 12:13 p.m.)
> 
> 
> Review request for ranger and Ramesh Mani.
> 
> 
> Bugs: RANGER-2557
>     https://issues.apache.org/jira/browse/RANGER-2557
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> In Hive we would like to have the possibility to enable Kerberos partially (i.e. only Ranger, Atlas and HMS).
> However, since Hadoop security is a global flag, there are many places that need to be commented out to avoid the UGI cluster wide configuration.
> 
> 
> Diffs
> -----
> 
>   agents-audit/src/main/java/org/apache/ranger/audit/provider/MiscUtil.java b7315a922
>   hive-agent/src/main/java/org/apache/ranger/authorization/hive/authorizer/RangerHiveAuthorizer.java bb015c595
> 
> 
> Diff: https://reviews.apache.org/r/71432/diff/1/
> 
> 
> Testing
> -------
> 
> On local cluster.
> 
> 
> Thanks,
> 
> Denys Kuzmenko
> 
>

