RANGER-2912: Ranger and plugins will throw GSSAPI error when write audit log to ElasticSearch when cluster running on none security mode
Signed-off-by: pradeep <pradeep@apache.org>
diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/destination/ElasticSearchAuditDestination.java b/agents-audit/src/main/java/org/apache/ranger/audit/destination/ElasticSearchAuditDestination.java
index 384d1a0..d4897a4 100644
--- a/agents-audit/src/main/java/org/apache/ranger/audit/destination/ElasticSearchAuditDestination.java
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/destination/ElasticSearchAuditDestination.java
@@ -185,18 +185,20 @@
}
}
}
- KerberosTicket ticket = CredentialsProviderUtil.getTGT(subject);
- try {
- if (new Date().getTime() > ticket.getEndTime().getTime()){
- client = null;
- CredentialsProviderUtil.ticketExpireTime80 = 0;
- newClient();
- } else if (CredentialsProviderUtil.ticketWillExpire(ticket)) {
- subject = CredentialsProviderUtil.login(user, password);
+ if (subject != null) {
+ KerberosTicket ticket = CredentialsProviderUtil.getTGT(subject);
+ try {
+ if (new Date().getTime() > ticket.getEndTime().getTime()){
+ client = null;
+ CredentialsProviderUtil.ticketExpireTime80 = 0;
+ newClient();
+ } else if (CredentialsProviderUtil.ticketWillExpire(ticket)) {
+ subject = CredentialsProviderUtil.login(user, password);
+ }
+ } catch (PrivilegedActionException e) {
+ LOG.error("PrivilegedActionException:", e);
+ throw new RuntimeException(e);
}
- } catch (PrivilegedActionException e) {
- LOG.error("PrivilegedActionException:", e);
- throw new RuntimeException(e);
}
return client;
}
@@ -209,7 +211,7 @@
.map(x -> new HttpHost(x, port, protocol))
.<HttpHost>toArray(i -> new HttpHost[i])
);
- if (StringUtils.isNotBlank(user) && StringUtils.isNotBlank(password)) {
+ if (StringUtils.isNotBlank(user) && StringUtils.isNotBlank(password) && !user.equalsIgnoreCase("NONE") && !password.equalsIgnoreCase("NONE")) {
if (password.contains("keytab") && new File(password).exists()) {
final KerberosCredentialsProvider credentialsProvider =
CredentialsProviderUtil.getKerberosCredentials(user, password);
diff --git a/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/ElasticSearchIndexBootStrapper.java b/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/ElasticSearchIndexBootStrapper.java
index 57d4735..e6eb7af 100644
--- a/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/ElasticSearchIndexBootStrapper.java
+++ b/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/ElasticSearchIndexBootStrapper.java
@@ -203,7 +203,7 @@
.map(x -> new HttpHost(x, port, protocol))
.<HttpHost>toArray(i -> new HttpHost[i])
);
- if (StringUtils.isNotBlank(user) && StringUtils.isNotBlank(password)) {
+ if (StringUtils.isNotBlank(user) && StringUtils.isNotBlank(password) && !user.equalsIgnoreCase("NONE") && !password.equalsIgnoreCase("NONE")) {
if (password.contains("keytab") && new File(password).exists()) {
final KerberosCredentialsProvider credentialsProvider =
CredentialsProviderUtil.getKerberosCredentials(user, password);
diff --git a/security-admin/src/main/java/org/apache/ranger/elasticsearch/ElasticSearchMgr.java b/security-admin/src/main/java/org/apache/ranger/elasticsearch/ElasticSearchMgr.java
index 1c1ff4e..78c338b 100644
--- a/security-admin/src/main/java/org/apache/ranger/elasticsearch/ElasticSearchMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/elasticsearch/ElasticSearchMgr.java
@@ -103,7 +103,7 @@
.map(x -> new HttpHost(x, port, protocol))
.<HttpHost>toArray(i -> new HttpHost[i])
);
- if (StringUtils.isNotBlank(user) && StringUtils.isNotBlank(password)) {
+ if (StringUtils.isNotBlank(user) && StringUtils.isNotBlank(password) && !user.equalsIgnoreCase("NONE") && !password.equalsIgnoreCase("NONE")) {
if (password.contains("keytab") && new File(password).exists()) {
final KerberosCredentialsProvider credentialsProvider =
CredentialsProviderUtil.getKerberosCredentials(user, password);
@@ -131,7 +131,7 @@
RestHighLevelClient client = null;
public RestHighLevelClient getClient() {
- if(client !=null) {
+ if (client != null && subject != null) {
KerberosTicket ticket = CredentialsProviderUtil.getTGT(subject);
try {
if (new Date().getTime() > ticket.getEndTime().getTime()){
