MINOR : Refactor service principal configuration (#688)

* Change the serive auth configuration

* Rename ranger configuration file

* Refactor login code

* Log exception

Co-authored-by: Saravanan Raju <sraju@cloudera.com>

Author: raju-saravanan

common/src/main/java/com/hortonworks/registries/common/AuthMethodConfiguration.java common/src/main/java/com/hortonworks/registries/common/ServiceAuthenticationConfiguration.java

@@ -14,10 +14,13 @@
  **/
 package com.hortonworks.registries.common;
 
-public class AuthMethodConfiguration {
+import java.util.Map;
+
+public class ServiceAuthenticationConfiguration {
+
     private String type;
-    private String serverPrinciple;
-    private String serverPrincipleKeytab;
+
+    private Map<String, String> properties;
 
     public String getType() {
         return type;
@@ -27,28 +30,15 @@ public void setType(String type) {
         this.type = type;
     }
 
-    public String getServerPrinciple() {
-        return serverPrinciple;
-    }
-
-    public void setServerPrinciple(String serverPrinciple) {
-        this.serverPrinciple = serverPrinciple;
-    }
-
-    public String getServerPrincipleKeytab() {
-        return serverPrincipleKeytab;
-    }
-
-    public void setServerPrincipleKeytab(String serverPrincipleKeytab) {
-        this.serverPrincipleKeytab = serverPrincipleKeytab;
+    public Map<String, String> getProperties() {
+        return properties;
     }
 
     @Override
     public String toString() {
-        return "AuthMethodConfiguration{" +
+        return "ServiceAuthenticationConfiguration{" +
                 "type='" + type + '\'' +
-                ", serverPrinciple='" + serverPrinciple + '\'' +
-                ", serverPrincipleKeytab='" + serverPrincipleKeytab + '\'' +
+                ", properties='" + properties + '\'' +
                 '}';
     }
 }

conf/registry.yaml

@@ -107,9 +107,10 @@ logging:
     com.hortonworks.registries: INFO
 
 # Config for schema registry kerberos principle
-#authenticationMethod:
+#serviceAuthenticationConfiguration:
 #  type: kerberos
-#  serverPrinciple: "schema-registry/hostname@GCE.CLOUDERA.COM"
-#  serverPrincipleKeytab: "/tmp/schema-registry.keytab"
+#  properties:
+#    principal: "schema-registry/hostname@GCE.CLOUDERA.COM"
+#    keytab: "/tmp/schema-registry.keytab"
 
 

schema-registry/authorizer/ranger-plugin/ranger-authorizer-shim/src/test/resources/ranger-schema-registry-security.xml

@@ -21,7 +21,7 @@
 		<name>ranger.plugin.schema-registry.service.name</name>
 		<value>SR1</value>
 		<description>
-			Name of the Ranger service containing policies for this YARN instance
+			Name of the Ranger service containing policies for this Schema Registry instance
 		</description>
 	</property>
 

schema-registry/authorizer/ranger-plugin/ranger-authorizer/conf/ranger-policymgr-ssl.xml schema-registry/authorizer/ranger-plugin/ranger-authorizer/conf/ranger-schema-registry-policymgr-ssl.xml

@@ -43,7 +43,7 @@
 
 	<property>
 		<name>ranger.plugin.schema-registry.policy.rest.ssl.config.file</name>
-		<value>/tmp/schema-registry/ranger-plugin/ranger-policymgr-ssl.xml</value>
+		<value>/tmp/schema-registry/ranger-plugin/ranger-schema-registry-policymgr-ssl.xml</value>
 		<description>
 			Path to the file containing SSL details to contact Ranger Admin
 		</description>

schema-registry/authorizer/ranger-plugin/ranger-authorizer/conf/ranger-schema-registry-security.xml

@@ -21,7 +21,7 @@
 		<name>ranger.plugin.schema-registry.service.name</name>
 		<value>SR1</value>
 		<description>
-			Name of the Ranger service containing policies for this YARN instance
+			Name of the Ranger service containing policies for this Schema Registry instance
 		</description>
 	</property>
 

schema-registry/authorizer/ranger-plugin/ranger-authorizer/src/test/resources/ranger-schema-registry-security.xml

@@ -14,7 +14,7 @@
  **/
 package com.hortonworks.registries.webservice;
 
-import com.hortonworks.registries.common.AuthMethodConfiguration;
+import com.hortonworks.registries.common.ServiceAuthenticationConfiguration;
 import com.hortonworks.registries.common.FileStorageConfiguration;
 import com.hortonworks.registries.common.GenericExceptionMapper;
 import com.hortonworks.registries.common.HAConfiguration;
@@ -44,6 +44,7 @@
 import io.dropwizard.setup.Environment;
 import io.federecio.dropwizard.swagger.SwaggerBundle;
 import io.federecio.dropwizard.swagger.SwaggerBundleConfiguration;
+import org.apache.commons.lang.StringUtils;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.servlets.CrossOriginFilter;
@@ -94,29 +95,33 @@ public void run(RegistryConfiguration registryConfiguration, Environment environ
     }
 
     private void initializeUGI(RegistryConfiguration conf) throws IOException {
-        LOG.debug("Initialization of User Group ininformation...");
-        if (UserGroupInformation.isSecurityEnabled()) {
-            LOG.debug("UGI.isSecurityEnabled() = true.");
-
-            AuthMethodConfiguration authMethodConf = conf.getAuthenticationMethod();
-            if(authMethodConf != null) {
-                String serverPrincipal = authMethodConf.getServerPrinciple();
-                String keyTab = authMethodConf.getServerPrincipleKeytab();
-
-                LOG.debug("UGI is trying to login with principle = " + serverPrincipal
-                        + ", keyTab = " + keyTab);
-
-                //Authenticate using keytab
-                UserGroupInformation.loginUserFromKeytab(serverPrincipal, keyTab);
-
-                LOG.debug("UGI is login successfully with principle = " + serverPrincipal
-                        + ", keyTab = " + keyTab);
+        if (conf.getServiceAuthenticationConfiguration() != null) {
+            String authenticationType = conf.getServiceAuthenticationConfiguration().getType();
+            if (authenticationType != null && authenticationType.equals("kerberos")) {
+                Map<String, String> serviceAuthenticationProperties = conf.getServiceAuthenticationConfiguration().getProperties();
+                if (serviceAuthenticationProperties != null) {
+                    String principal = serviceAuthenticationProperties.get("principal");
+                    String keytab = serviceAuthenticationProperties.get("keytab");
+
+                    if (StringUtils.isNotEmpty(principal) && StringUtils.isNotEmpty(keytab)) {
+                        LOG.debug("Login with principal = '" + principal + "' and keyTab = '" + keytab + "'");
+                        try {
+                            UserGroupInformation.loginUserFromKeytab(principal, keytab);
+                            LOG.debug("Successfully logged in");
+                        } catch (Exception e) {
+                            LOG.error("Failed to log in", e);
+                        }
+                    } else {
+                        LOG.error("Invalid service authentication configuration for 'kerberos' principal = '" + principal + "' and keytab = '" + keytab + "'");
+                    }
+                } else {
+                    LOG.error("No service authentication properties were configured for 'kerberos'");
+                }
             } else {
-                LOG.warn("UGI.isSecurityEnabled() = true, but authenticationMethod section of SR config file is empty. "
-                        + " Default UGI configuration will be used.");
+                LOG.error("Invalid service authentication type : " + authenticationType);
             }
         } else {
-            LOG.debug("UGI.isSecurityEnabled() = false. Simple authentication method will be used.");
+            LOG.debug("No service authentication is configured");
         }
     }
 
@@ -145,7 +150,7 @@ public void serverStarted(Server server) {
 
                 haServerNotificationManager.notifyDebut();
 
-                refreshHAServerManagedTask = new RefreshHAServerManagedTask(storageManager,transactionManager, haServerNotificationManager);
+                refreshHAServerManagedTask = new RefreshHAServerManagedTask(storageManager, transactionManager, haServerNotificationManager);
                 environment.lifecycle().manage(refreshHAServerManagedTask);
                 refreshHAServerManagedTask.start();
             }
@@ -154,7 +159,7 @@ public void serverStarted(Server server) {
     }
 
     private void registerHA(HAConfiguration haConfiguration, Environment environment) throws Exception {
-        if(haConfiguration != null) {
+        if (haConfiguration != null) {
             environment.lifecycle().addServerLifecycleListener(new ServerLifecycleListener() {
                 @Override
                 public void serverStarted(Server server) {
@@ -241,13 +246,13 @@ private void registerResources(Environment environment, RegistryConfiguration re
                 transactionManagerAware.setTransactionManager(transactionManager);
             }
 
-            if(moduleRegistration instanceof LeadershipAware) {
+            if (moduleRegistration instanceof LeadershipAware) {
                 LOG.info("Module [{}] is registered for LeadershipParticipant registration.", moduleName);
                 LeadershipAware leadershipAware = (LeadershipAware) moduleRegistration;
                 leadershipAware.setLeadershipParticipant(leadershipParticipantRef);
             }
 
-            if(moduleRegistration instanceof HAServersAware) {
+            if (moduleRegistration instanceof HAServersAware) {
                 LOG.info("Module [{}] is registered for HAServersAware registration.");
                 HAServersAware leadershipAware = (HAServersAware) moduleRegistration;
                 leadershipAware.setHAServerConfigManager(haServerNotificationManager);
@@ -260,7 +265,7 @@ private void registerResources(Environment environment, RegistryConfiguration re
         for (Object resource : resourcesToRegister) {
             environment.jersey().register(resource);
         }
-        
+
         environment.jersey().register(MultiPartFeature.class);
         environment.jersey().register(new TransactionEventListener(transactionManager, TransactionIsolation.READ_COMMITTED));
 
@@ -284,7 +289,7 @@ private FileStorage getJarStorage(FileStorageConfiguration fileStorageConfigurat
         if (fileStorageConfiguration.getClassName() != null)
             try {
                 fileStorage = (FileStorage) Class.forName(fileStorageConfiguration.getClassName(), true,
-                                                          Thread.currentThread().getContextClassLoader()).newInstance();
+                        Thread.currentThread().getContextClassLoader()).newInstance();
                 fileStorage.init(fileStorageConfiguration.getProperties());
             } catch (Exception e) {
                 throw new RuntimeException(e);
@@ -307,15 +312,15 @@ private StorageManager getStorageManager(StorageProviderConfiguration storagePro
     private void addServletFilters(RegistryConfiguration registryConfiguration, Environment environment) {
         List<ServletFilterConfiguration> servletFilterConfigurations = registryConfiguration.getServletFilters();
         if (servletFilterConfigurations != null && !servletFilterConfigurations.isEmpty()) {
-            for (ServletFilterConfiguration servletFilterConfig: servletFilterConfigurations) {
+            for (ServletFilterConfiguration servletFilterConfig : servletFilterConfigurations) {
                 try {
                     String className = servletFilterConfig.getClassName();
                     Map<String, String> params = servletFilterConfig.getParams();
                     String typeSuffix = params.get("type") != null ? ("-" + params.get("type").toString()) : "";
                     LOG.info("Registering servlet filter [{}]", servletFilterConfig);
                     Class<? extends Filter> filterClass = (Class<? extends Filter>) Class.forName(className);
                     FilterRegistration.Dynamic dynamic = environment.servlets().addFilter(className + typeSuffix, filterClass);
-                    if(params != null) {
+                    if (params != null) {
                         dynamic.setInitParameters(params);
                     }
                     dynamic.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), true, "/*");

webservice/src/main/java/com/hortonworks/registries/webservice/RegistryApplication.java

@@ -17,11 +17,8 @@
 package com.hortonworks.registries.webservice;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
-import com.hortonworks.registries.common.AuthMethodConfiguration;
-import com.hortonworks.registries.common.FileStorageConfiguration;
-import com.hortonworks.registries.common.HAConfiguration;
-import com.hortonworks.registries.common.ModuleConfiguration;
-import com.hortonworks.registries.common.ServletFilterConfiguration;
+import com.hortonworks.registries.common.*;
+import com.hortonworks.registries.common.ServiceAuthenticationConfiguration;
 import com.hortonworks.registries.storage.StorageProviderConfiguration;
 import io.dropwizard.Configuration;
 import io.federecio.dropwizard.swagger.SwaggerBundleConfiguration;
@@ -55,7 +52,7 @@ public class RegistryConfiguration extends Configuration {
     private String httpProxyPassword;
 
     @JsonProperty
-    private AuthMethodConfiguration authenticationMethod;
+    private ServiceAuthenticationConfiguration serviceAuthenticationConfiguration;
 
     public String getHttpProxyUrl() {
         return httpProxyUrl;
@@ -138,12 +135,12 @@ public void setServletFilters(List<ServletFilterConfiguration> servletFilters) {
         this.servletFilters = servletFilters;
     }
 
-    public AuthMethodConfiguration getAuthenticationMethod() {
-        return authenticationMethod;
+    public ServiceAuthenticationConfiguration getServiceAuthenticationConfiguration() {
+        return serviceAuthenticationConfiguration;
     }
 
-    public void setAuthenticationMethod(AuthMethodConfiguration authenticationMethod) {
-        this.authenticationMethod = authenticationMethod;
+    public void setServiceAuthenticationConfiguration(ServiceAuthenticationConfiguration serviceAuthenticationConfiguration) {
+        this.serviceAuthenticationConfiguration = serviceAuthenticationConfiguration;
     }
 
 }