  1. Apache HAWQ (Retired)
  2. HAWQ-256 Integrate Security with Apache Ranger
  3. HAWQ-1485

Use user/password instead of credentials cache in Ranger lookup for HAWQ with Kerberos enabled.


Details

    • Sub-task
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 2.3.0.0-incubating
    • Security
    • None

    Description

      When the credentials cache is used:
      Trying a wrong password in the Ranger UI doesn't destroy the existing Kerberos credentials (created by the last successful kinit command).
      This is strange behavior for the user.

      So we should use user/password for Kerberos authentication.
      Core logic:

              Properties props = new Properties();
              if (connectionProperties.containsKey(AUTHENTICATION) && connectionProperties.get(AUTHENTICATION).equals(KERBEROS)) {
                  // Kerberos mode: pass the configured principal as the server name
                  // and log in through the JAAS entry named "pgjdbc".
                  props.setProperty("kerberosServerName", connectionProperties.get("principal"));
                  props.setProperty("jaasApplicationName", "pgjdbc");
              }

              String url = String.format("jdbc:postgresql://%s:%s/%s", connectionProperties.get("hostname"), connectionProperties.get("port"), db);
              // Always send the user/password from the connection properties
              // instead of relying on a credentials cache.
              props.setProperty("user", connectionProperties.get("username"));
              props.setProperty("password", connectionProperties.get("password"));

              return DriverManager.getConnection(url, props);
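
The behavior described above comes down to how the JAAS entry named by `jaasApplicationName` is configured. The following is an added example, not code from HAWQ, Ranger, or this issue: it assumes the `pgjdbc` entry uses the JDK's `Krb5LoginModule`, and the class name `PgjdbcJaasConfig` is hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

// Hypothetical helper: supplies the JAAS entry "pgjdbc" programmatically.
public class PgjdbcJaasConfig extends Configuration {
    // Matches the jaasApplicationName set in the issue's core logic.
    static final String ENTRY = "pgjdbc";
    private final boolean useTicketCache;

    PgjdbcJaasConfig(boolean useTicketCache) {
        this.useTicketCache = useTicketCache;
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        if (!ENTRY.equals(name)) {
            return null; // this configuration defines no other entries
        }
        Map<String, String> opts = new HashMap<>();
        // true:  a ticket left behind by an earlier kinit is reused, so the
        //        password entered for the lookup is never checked.
        // false: the module has to obtain fresh credentials from the
        //        name/password supplied through the callback handler.
        opts.put("useTicketCache", Boolean.toString(useTicketCache));
        // Allow the module to ask the callback handler for name and password.
        opts.put("doNotPrompt", "false");
        opts.put("useKeyTab", "false");
        return new AppConfigurationEntry[] {
            new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED, opts)
        };
    }

    public static void main(String[] args) {
        // Install the password-only variant before any JDBC connection is opened.
        Configuration.setConfiguration(new PgjdbcJaasConfig(false));
        AppConfigurationEntry entry =
            Configuration.getConfiguration().getAppConfigurationEntry(ENTRY)[0];
        System.out.println(entry.getLoginModuleName() + " " + entry.getOptions());
    }
}
```

Constructing it with `true` reproduces the credentials-cache setup the description calls strange: a login can succeed on the cached ticket regardless of the password typed.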
      

          People

            hongxu ma Hongxu Ma
            hongxu ma Hongxu Ma