Feature/ranger delegation token

META-INF/services/org.apache.hadoop.security.token.TokenIdentifier

@@ -0,0 +1,16 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+org.apache.ranger.plugin.util.RangerDelegationTokenIdentifier

META-INF/services/org.apache.hadoop.security.token.TokenRenewer

@@ -0,0 +1,16 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+org.apache.ranger.plugin.util.RangerTokenRenewer

META-INF/services/org.apache.spark.security.HadoopDelegationTokenProvider

@@ -0,0 +1,15 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#    http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+org.apache.kyuubi.plugin.spark.authz.ranger.RangerDelegationTokenProvider

agents-audit/pom.xml

@@ -274,6 +274,17 @@
             <artifactId>ranger-plugins-cred</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.solr</groupId>
+            <artifactId>solr-hadoop-auth-framework</artifactId>
+            <version>${solr.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.apache.hadoop</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
         <dependency>
             <groupId>org.apache.solr</groupId>
             <artifactId>solr-solrj</artifactId>

agents-audit/src/main/java/org/apache/ranger/audit/destination/SolrAuditDestination.java

@@ -27,15 +27,19 @@
 import org.apache.ranger.audit.utils.KerberosAction;
 import org.apache.ranger.audit.utils.KerberosUser;
 import org.apache.ranger.audit.utils.KerberosJAASConfigUser;
+import org.apache.hadoop.security.Credentials;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.solr.client.solrj.SolrClient;
 import org.apache.solr.client.solrj.impl.CloudSolrClient;
 import org.apache.solr.client.solrj.impl.HttpClientUtil;
+import org.apache.solr.client.solrj.impl.HttpSolrClient;
 import org.apache.solr.client.solrj.impl.Krb5HttpClientBuilder;
 import org.apache.solr.client.solrj.impl.SolrHttpClientBuilder;
 import org.apache.solr.client.solrj.impl.LBHttpSolrClient;
 import org.apache.solr.client.solrj.response.UpdateResponse;
 import org.apache.solr.common.SolrException;
 import org.apache.solr.common.SolrInputDocument;
+import org.apache.solr.hadoop.SolrDelegationTokenUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -160,26 +164,57 @@ synchronized void connect() {
 					LOG.info("Solr zkHosts=" + zkHosts + ", solrURLs=" + urls
 							+ ", collectionName=" + collectionName);
 
+					// Check for a Solr delegation token in UGI credentials
+					String delegationToken = null;
+					try {
+						Credentials creds = UserGroupInformation.getLoginUser().getCredentials();
+						delegationToken = SolrDelegationTokenUtil.findTokenInCredentials(creds);
+						if (delegationToken != null) {
+							LOG.info("Found Solr delegation token in UGI credentials, will use it for authentication");
+						}
+					} catch (Exception e) {
+						LOG.debug("Failed to look up Solr delegation token, falling back to Kerberos", e);
+					}
+
 					if (zkHosts != null && !zkHosts.isEmpty()) {
 						LOG.info("Connecting to solr cloud using zkHosts="
 								+ zkHosts);
 						try {
-							// Instantiate
-							Krb5HttpClientBuilder krbBuild = new Krb5HttpClientBuilder();
-							SolrHttpClientBuilder kb = krbBuild.getBuilder();
-							HttpClientUtil.setHttpClientBuilder(kb);
-
 							final List<String> zkhosts = new ArrayList<String>(Arrays.asList(zkHosts.split(",")));
-							final CloudSolrClient solrCloudClient = MiscUtil.executePrivilegedAction(new PrivilegedExceptionAction<CloudSolrClient>() {
-								@Override
-								public CloudSolrClient run()  throws Exception {
-									CloudSolrClient solrCloudClient = new CloudSolrClient.Builder(zkhosts, Optional.empty()).build();
-									return solrCloudClient;
-								};
-							});
-
-							solrCloudClient.setDefaultCollection(collectionName);
-							me = solrClient = solrCloudClient;
+
+							if (delegationToken != null) {
+								final String dt = delegationToken;
+								final CloudSolrClient solrCloudClient = MiscUtil.executePrivilegedAction(new PrivilegedExceptionAction<CloudSolrClient>() {
+									@Override
+									public CloudSolrClient run() throws Exception {
+										return new CloudSolrClient.Builder(zkhosts, Optional.empty())
+												.withLBHttpSolrClientBuilder(new LBHttpSolrClient.Builder()
+														.withConnectionTimeout(1000)
+														.withHttpSolrClientBuilder(
+																new HttpSolrClient.Builder()
+																		.withKerberosDelegationToken(dt)))
+												.build();
+									}
+								});
+								solrCloudClient.setDefaultCollection(collectionName);
+								me = solrClient = solrCloudClient;
+							} else {
+								// Instantiate
+								Krb5HttpClientBuilder krbBuild = new Krb5HttpClientBuilder();
+								SolrHttpClientBuilder kb = krbBuild.getBuilder();
+								HttpClientUtil.setHttpClientBuilder(kb);
+
+								final CloudSolrClient solrCloudClient = MiscUtil.executePrivilegedAction(new PrivilegedExceptionAction<CloudSolrClient>() {
+									@Override
+									public CloudSolrClient run()  throws Exception {
+										CloudSolrClient solrCloudClient = new CloudSolrClient.Builder(zkhosts, Optional.empty()).build();
+										return solrCloudClient;
+									};
+								});
+
+								solrCloudClient.setDefaultCollection(collectionName);
+								me = solrClient = solrCloudClient;
+							}
 						} catch (Throwable t) {
 							LOG.error("Can't connect to Solr server. ZooKeepers="
 									+ zkHosts, t);
@@ -190,25 +225,46 @@ public CloudSolrClient run()  throws Exception {
 					} else if (solrURLs != null && !solrURLs.isEmpty()) {
 						try {
 							LOG.info("Connecting to Solr using URLs=" + solrURLs);
-							Krb5HttpClientBuilder krbBuild = new Krb5HttpClientBuilder();
-							SolrHttpClientBuilder kb = krbBuild.getBuilder();
-							HttpClientUtil.setHttpClientBuilder(kb);
 							final List<String> solrUrls = solrURLs;
-							final LBHttpSolrClient lbSolrClient = MiscUtil.executePrivilegedAction(new PrivilegedExceptionAction<LBHttpSolrClient>() {
-								@Override
-								public LBHttpSolrClient run()  throws Exception {
-									LBHttpSolrClient.Builder builder = new LBHttpSolrClient.Builder();
-									builder.withBaseSolrUrl(solrUrls.get(0));
-									builder.withConnectionTimeout(1000);
-									LBHttpSolrClient lbSolrClient = builder.build();
-									return lbSolrClient;
-								};
-							});
-
-							for (int i = 1; i < solrURLs.size(); i++) {
-								lbSolrClient.addSolrServer(solrURLs.get(i));
+
+							if (delegationToken != null) {
+								final String dt = delegationToken;
+								final LBHttpSolrClient lbSolrClient = MiscUtil.executePrivilegedAction(new PrivilegedExceptionAction<LBHttpSolrClient>() {
+									@Override
+									public LBHttpSolrClient run() throws Exception {
+										return new LBHttpSolrClient.Builder()
+												.withBaseSolrUrl(solrUrls.get(0))
+												.withConnectionTimeout(1000)
+												.withHttpSolrClientBuilder(
+														new HttpSolrClient.Builder()
+																.withKerberosDelegationToken(dt))
+												.build();
+									}
+								});
+								for (int i = 1; i < solrURLs.size(); i++) {
+									lbSolrClient.addSolrServer(solrURLs.get(i));
+								}
+								me = solrClient = lbSolrClient;
+							} else {
+								Krb5HttpClientBuilder krbBuild = new Krb5HttpClientBuilder();
+								SolrHttpClientBuilder kb = krbBuild.getBuilder();
+								HttpClientUtil.setHttpClientBuilder(kb);
+								final LBHttpSolrClient lbSolrClient = MiscUtil.executePrivilegedAction(new PrivilegedExceptionAction<LBHttpSolrClient>() {
+									@Override
+									public LBHttpSolrClient run()  throws Exception {
+										LBHttpSolrClient.Builder builder = new LBHttpSolrClient.Builder();
+										builder.withBaseSolrUrl(solrUrls.get(0));
+										builder.withConnectionTimeout(1000);
+										LBHttpSolrClient lbSolrClient = builder.build();
+										return lbSolrClient;
+									};
+								});
+
+								for (int i = 1; i < solrURLs.size(); i++) {
+									lbSolrClient.addSolrServer(solrURLs.get(i));
+								}
+								me = solrClient = lbSolrClient;
 							}
-							me = solrClient = lbSolrClient;
 						} catch (Throwable t) {
 							LOG.error("Can't connect to Solr server. URL="
 									+ solrURLs, t);

agents-common/src/main/java/org/apache/ranger/admin/client/AbstractRangerAdminClient.java

@@ -23,12 +23,14 @@
 import com.google.gson.GsonBuilder;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.token.Token;
 import org.apache.ranger.plugin.model.RangerRole;
 import org.apache.ranger.plugin.model.ResourceMappingDiffs;
 import org.apache.ranger.plugin.util.*;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.util.Collection;
 import java.util.List;
 
 public abstract class AbstractRangerAdminClient implements RangerAdminClient {
@@ -127,6 +129,20 @@ public ResourceMappingDiffs getResourceMappingDiffs(String sourceService, String
         return null;
     }
 
+    @Override
+    public Token<RangerDelegationTokenIdentifier> getDelegationToken(String renewer) throws Exception {
+        return null;
+    }
+
+    @Override
+    public long renewDelegationToken(Token<RangerDelegationTokenIdentifier> token) throws Exception {
+        return 0;
+    }
+
+    @Override
+    public void cancelDelegationToken(Token<RangerDelegationTokenIdentifier> token) throws Exception {
+    }
+
     public boolean isKerberosEnabled(UserGroupInformation user) {
         final boolean ret;
 
@@ -138,4 +154,22 @@ public boolean isKerberosEnabled(UserGroupInformation user) {
 
         return ret;
     }
+
+    @SuppressWarnings("unchecked")
+    public static Token<RangerDelegationTokenIdentifier> getDelegationTokenFromUGI() {
+        try {
+            UserGroupInformation ugi = UserGroupInformation.getLoginUser();
+            if (ugi != null) {
+                Collection<Token<?>> tokens = ugi.getCredentials().getAllTokens();
+                for (Token<?> token : tokens) {
+                    if (RangerDelegationTokenIdentifier.RANGER_DELEGATION_KIND.equals(token.getKind())) {
+                        return (Token<RangerDelegationTokenIdentifier>) token;
+                    }
+                }
+            }
+        } catch (Exception e) {
+            LOG.debug("Failed to get delegation token from UGI", e);
+        }
+        return null;
+    }
 }

agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminClient.java

@@ -21,10 +21,12 @@
 
 
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.token.Token;
 import org.apache.ranger.plugin.model.RangerRole;
 import org.apache.ranger.plugin.model.ResourceMappingDiffs;
 import org.apache.ranger.plugin.util.GrantRevokeRequest;
 import org.apache.ranger.plugin.util.GrantRevokeRoleRequest;
+import org.apache.ranger.plugin.util.RangerDelegationTokenIdentifier;
 import org.apache.ranger.plugin.util.RangerRoles;
 import org.apache.ranger.plugin.util.ServicePolicies;
 import org.apache.ranger.plugin.util.ServiceTags;
@@ -66,4 +68,10 @@ public interface RangerAdminClient {
 	RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, long lastActivationTimeInMillis) throws Exception;
 
 	ResourceMappingDiffs getResourceMappingDiffs(String sourceService, String targetService, Long diffId) throws Exception;
+
+	Token<RangerDelegationTokenIdentifier> getDelegationToken(String renewer) throws Exception;
+
+	long renewDelegationToken(Token<RangerDelegationTokenIdentifier> token) throws Exception;
+
+	void cancelDelegationToken(Token<RangerDelegationTokenIdentifier> token) throws Exception;
 }