Uploaded image for project: 'Apache HAWQ'
  1. Apache HAWQ
  2. HAWQ-256 Integrate Security with Apache Ranger
  3. HAWQ-1485

Use user/password instead of credentials cache in Ranger lookup for HAWQ with Kerberos enabled.

    XMLWordPrintableJSON

    Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.3.0.0-incubating
    • Component/s: Security
    • Labels:
      None

      Description

      When used credentials cache:
      Try error password in Ranger UI doesn't destroy the existed kerberos credentials (created by last success kinit command)
      It's a strange behavior to user.

      So we should use user/password for kerberos authentication.
      Core logic:

              Properties props = new Properties();
              if (connectionProperties.containsKey(AUTHENTICATION) && connectionProperties.get(AUTHENTICATION).equals(KERBEROS)) {
                  //kerberos mode
                  props.setProperty("kerberosServerName", connectionProperties.get("principal"));
                  props.setProperty("jaasApplicationName", "pgjdbc");
              }
      
              String url = String.format("jdbc:postgresql://%s:%s/%s", connectionProperties.get("hostname"), connectionProperties.get("port"), db);
              props.setProperty("user", connectionProperties.get("username"));
              props.setProperty("password", connectionProperties.get("password"));
      
              return DriverManager.getConnection(url, props);
      

        Attachments

          Activity

            People

            • Assignee:
              hongxu ma Hongxu Ma
              Reporter:
              hongxu ma Hongxu Ma
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: