RANGER-3856: Ranger admin client updated with option to work with non-kerberized server
diff --git a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
index dddfbc7..fc49ef0 100644
--- a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
+++ b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
@@ -53,6 +53,7 @@
private String clusterName;
private RangerRESTClient restClient;
private RangerRESTUtils restUtils = new RangerRESTUtils();
+ private boolean forceNonKerberos = false;
public static <T> GenericType<List<T>> getGenericType(final T clazz) {
@@ -84,6 +85,8 @@
clusterName = RangerConfiguration.getInstance().get(propertyPrefix + ".ambari.cluster.name", "");
int restClientConnTimeOutMs = RangerConfiguration.getInstance().getInt(propertyPrefix + ".policy.rest.client.connection.timeoutMs", 120 * 1000);
int restClientReadTimeOutMs = RangerConfiguration.getInstance().getInt(propertyPrefix + ".policy.rest.client.read.timeoutMs", 30 * 1000);
+ this.forceNonKerberos = RangerConfiguration.getInstance().getBoolean(propertyPrefix + ".forceNonKerberos", false);
+
if (!StringUtil.isEmpty(tmpUrl)) {
url = tmpUrl.trim();
}
@@ -102,7 +105,7 @@
ServicePolicies ret = null;
UserGroupInformation user = MiscUtil.getUGILoginUser();
- boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+ boolean isSecureMode = isKerberosEnabled(user);
ClientResponse response = null;
if (isSecureMode) {
if (LOG.isDebugEnabled()) {
@@ -174,7 +177,7 @@
ClientResponse response = null;
UserGroupInformation user = MiscUtil.getUGILoginUser();
- boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+ boolean isSecureMode = isKerberosEnabled(user);
if (isSecureMode) {
PrivilegedAction<ClientResponse> action = new PrivilegedAction<ClientResponse>() {
@@ -219,7 +222,7 @@
ClientResponse response = null;
UserGroupInformation user = MiscUtil.getUGILoginUser();
- boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+ boolean isSecureMode = isKerberosEnabled(user);
if (isSecureMode) {
PrivilegedAction<ClientResponse> action = new PrivilegedAction<ClientResponse>() {
@@ -287,7 +290,7 @@
ClientResponse response = null;
WebResource webResource = null;
UserGroupInformation user = MiscUtil.getUGILoginUser();
- boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+ boolean isSecureMode = isKerberosEnabled(user);
if (isSecureMode) {
PrivilegedAction<ClientResponse> action = new PrivilegedAction<ClientResponse>() {
@@ -358,7 +361,7 @@
List<String> ret = null;
String emptyString = "";
UserGroupInformation user = MiscUtil.getUGILoginUser();
- boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+ boolean isSecureMode = isKerberosEnabled(user);
final WebResource webResource = createWebResource(RangerRESTUtils.REST_URL_LOOKUP_TAG_NAMES)
.queryParam(RangerRESTUtils.SERVICE_NAME_PARAM, serviceName)
@@ -396,4 +399,16 @@
return ret;
}
+ public boolean isKerberosEnabled(UserGroupInformation user) {
+ final boolean ret;
+
+ if (forceNonKerberos) {
+ ret = false;
+ } else {
+ ret = user != null && UserGroupInformation.isSecurityEnabled() && user.hasKerberosCredentials();
+ }
+
+ return ret;
+ }
+
}
diff --git a/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java b/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
index d856f89..8712945 100644
--- a/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
+++ b/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
@@ -66,6 +66,7 @@
String _pluginId = null;
int _restClientConnTimeOutMs;
int _restClientReadTimeOutMs;
+ boolean forceNonKerberos = false;
@Override
public void init(String serviceName, String appId, String configPropertyPrefix) {
@@ -81,6 +82,7 @@
_restClientConnTimeOutMs = RangerConfiguration.getInstance().getInt(configPropertyPrefix + ".policy.rest.client.connection.timeoutMs", 120 * 1000);
_restClientReadTimeOutMs = RangerConfiguration.getInstance().getInt(configPropertyPrefix + ".policy.rest.client.read.timeoutMs", 30 * 1000);
_clusterName = RangerConfiguration.getInstance().get(configPropertyPrefix + ".ambari.cluster.name", "");
+ forceNonKerberos = RangerConfiguration.getInstance().getBoolean(configPropertyPrefix + ".forceNonKerberos", false);
LOG.info("Init params: " + String.format("Base URL[%s], SSL Congig filename[%s], ServiceName=[%s]", _baseUrl, _sslConfigFileName, _serviceName));
@@ -100,7 +102,7 @@
}
UserGroupInformation user = MiscUtil.getUGILoginUser();
- boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+ boolean isSecureMode = isKerberosEnabled(user);
String url = null;
ServicePolicies servicePolicies = null;
@@ -261,7 +263,7 @@
}
UserGroupInformation user = MiscUtil.getUGILoginUser();
- boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
+ boolean isSecureMode = isKerberosEnabled(user);
String url = null;
ServiceTags serviceTags = null;
@@ -405,4 +407,16 @@
return _client;
}
+
+ public boolean isKerberosEnabled(UserGroupInformation user) {
+ final boolean ret;
+
+ if (forceNonKerberos) {
+ ret = false;
+ } else {
+ ret = user != null && UserGroupInformation.isSecurityEnabled() && user.hasKerberosCredentials();
+ }
+
+ return ret;
+ }
}