This is an automated email from the ASF dual-hosted git repository.
abhi pushed a commit to branch ranger-2.8
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.8 by this push:
new b6b60da7e RANGER-5488: Allow clients to access secure API endpoints in
Ranger Admin forcibly via config
b6b60da7e is described below
commit b6b60da7ed11f635f9ef0bacd0aef3cbb89e8040
Author: Abhishek Kumar <[email protected]>
AuthorDate: Thu Feb 12 11:42:14 2026 -0800
RANGER-5488: Allow clients to access secure API endpoints in Ranger Admin
forcibly via config
---
.../admin/client/AbstractRangerAdminClient.java | 15 ++-
.../ranger/admin/client/RangerAdminRESTClient.java | 133 ++++++++++-----------
.../ranger/plugin/util/RangerRESTClient.java | 4 +
.../admin/client/RangerAdminJersey2RESTClient.java | 48 ++++----
4 files changed, 100 insertions(+), 100 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/admin/client/AbstractRangerAdminClient.java
b/agents-common/src/main/java/org/apache/ranger/admin/client/AbstractRangerAdminClient.java
index a65c18708..41c9ef9ac 100644
---
a/agents-common/src/main/java/org/apache/ranger/admin/client/AbstractRangerAdminClient.java
+++
b/agents-common/src/main/java/org/apache/ranger/admin/client/AbstractRangerAdminClient.java
@@ -23,6 +23,7 @@
import com.google.gson.GsonBuilder;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.ranger.audit.provider.MiscUtil;
import org.apache.ranger.plugin.model.RangerRole;
import org.apache.ranger.plugin.util.*;
import org.slf4j.Logger;
@@ -37,6 +38,8 @@ public abstract class AbstractRangerAdminClient implements
RangerAdminClient {
private boolean forceNonKerberos = false;
+ private boolean forceSecureEndpointAccess;
+
@Override
public void init(String serviceName, String appId, String
configPropertyPrefix, Configuration config) {
Gson gson = null;
@@ -48,7 +51,8 @@ public void init(String serviceName, String appId, String
configPropertyPrefix,
}
this.gson = gson;
- this.forceNonKerberos = config.getBoolean(configPropertyPrefix +
".forceNonKerberos", false);
+ this.forceNonKerberos =
config.getBoolean(configPropertyPrefix + ".forceNonKerberos", false);
+ this.forceSecureEndpointAccess =
config.getBoolean(configPropertyPrefix + ".forceSecureEndpointAccess", false);
}
@Override
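Review bot: The new `.forceSecureEndpointAccess` property is read in init() without any record of its effective value, although the later hunks use it to decide whether each call takes the secure branch. Logging it once here would let an operator confirm from the plugin log which mode a service is running in, e.g. `LOG.info("{}.forceSecureEndpointAccess={}, forceNonKerberos={}", configPropertyPrefix, forceSecureEndpointAccess, forceNonKerberos);`. init() starts outside this hunk.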
@@ -121,12 +125,21 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
return null;
}
+ public boolean isAuthenticationEnabled() {
+ return forceSecureEndpointAccess || isKerberosEnabled();
+ }
+
+ public boolean isKerberosEnabled() {
+ return isKerberosEnabled(MiscUtil.getUGILoginUser());
+ }
+
public boolean isKerberosEnabled(UserGroupInformation user) {
final boolean ret;
if (forceNonKerberos) {
ret = false;
} else {
+ LOG.debug("UGI user: {}", user);
ret = user != null && UserGroupInformation.isSecurityEnabled() &&
user.hasKerberosCredentials();
}
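Review bot: `isAuthenticationEnabled()` returns true as soon as `forceSecureEndpointAccess` is set, before `isKerberosEnabled()` is consulted, so the flag silently overrides `forceNonKerberos=true` and also holds when the login user is null or has no Kerberos credentials. Both new public methods lack Javadoc; the one on `isAuthenticationEnabled()` should state that precedence and that a true result says nothing about credentials being available, since callers use it to pick the `MiscUtil.executePrivilegedAction` branch. The added `LOG.debug("UGI user: {}", user);` now runs on every client call that reaches the else branch, which may be noisier than intended. The body of `isKerberosEnabled(UserGroupInformation)` continues past the end of this hunk.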
diff --git
a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
index b9197e029..12f6df99e 100644
---
a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
+++
b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
@@ -25,7 +25,6 @@
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.AccessControlException;
-import org.apache.hadoop.security.UserGroupInformation;
import org.apache.http.HttpStatus;
import org.apache.ranger.admin.client.datatype.RESTResponse;
import org.apache.ranger.audit.provider.MiscUtil;
@@ -116,8 +115,7 @@ public ServicePolicies getServicePoliciesIfUpdated(final
long lastKnownVersion,
}
final ServicePolicies ret;
- final UserGroupInformation user =
MiscUtil.getUGILoginUser();
- final boolean isSecureMode =
isKerberosEnabled(user);
+ final boolean isSecureMode =
isAuthenticationEnabled();
final Cookie sessionId = this.sessionId;
final ClientResponse response;
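Review bot: Removing the `user` local here takes the principal out of every log line in this method, and the same removal is repeated in the other methods of this file and in RangerAdminJersey2RESTClient, leaving `secureMode=true` as the only authentication detail logged. `isSecureMode` can now be true for three different reasons (forced by config, an auth filter present, or Kerberos), so someone investigating a 401 from Ranger Admin can no longer tell from the log which identity or mechanism the request used. Consider appending the mechanism to the error-level messages, for example `+ ", kerberos=" + isKerberosEnabled() + ", authFilter=" + restClient.isAuthFilterPresent()`. getServicePoliciesIfUpdated() starts and ends outside this hunk.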
@@ -131,7 +129,7 @@ public ServicePolicies getServicePoliciesIfUpdated(final
long lastKnownVersion,
if (isSecureMode) {
if (LOG.isDebugEnabled()) {
- LOG.debug("Checking Service policy if updated
as user : " + user);
+ LOG.debug("Checking Service policy if updated");
}
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) ()
-> {
@@ -157,11 +155,11 @@ public ServicePolicies getServicePoliciesIfUpdated(final
long lastKnownVersion,
if (response == null || response.getStatus() ==
HttpServletResponse.SC_NOT_MODIFIED || response.getStatus() ==
HttpServletResponse.SC_NO_CONTENT) {
if (response == null) {
- LOG.error("Error getting policies; Received
NULL response!!. secureMode=" + isSecureMode + ", user=" + user + ",
serviceName=" + serviceName);
+ LOG.error("Error getting policies; Received
NULL response!!. secureMode=" + isSecureMode + ", serviceName=" + serviceName);
} else {
RESTResponse resp =
RESTResponse.fromClientResponse(response);
if (LOG.isDebugEnabled()) {
- LOG.debug("No change in policies.
secureMode=" + isSecureMode + ", user=" + user
+ LOG.debug("No change in policies.
secureMode=" + isSecureMode
+ ",
response=" + resp + ", serviceName=" + serviceName
+ ",
" + "lastKnownVersion=" + lastKnownVersion
+ ",
" + "lastActivationTimeInMillis=" + lastActivationTimeInMillis);
@@ -172,7 +170,7 @@ public ServicePolicies getServicePoliciesIfUpdated(final
long lastKnownVersion,
ret = JsonUtilsV2.readResponse(response,
ServicePolicies.class);
} else if (response.getStatus() ==
HttpServletResponse.SC_NOT_FOUND) {
ret = null;
- LOG.error("Error getting policies; service not found.
secureMode=" + isSecureMode + ", user=" + user
+ LOG.error("Error getting policies; service not found.
secureMode=" + isSecureMode
+ ", response=" +
response.getStatus() + ", serviceName=" + serviceName
+ ", " +
"lastKnownVersion=" + lastKnownVersion
+ ", " +
"lastActivationTimeInMillis=" + lastActivationTimeInMillis);
@@ -183,7 +181,7 @@ public ServicePolicies getServicePoliciesIfUpdated(final
long lastKnownVersion,
LOG.warn("Received 404 error code with body:[" +
exceptionMsg + "], Ignoring");
} else {
RESTResponse resp =
RESTResponse.fromClientResponse(response);
- LOG.warn("Error getting policies. secureMode=" +
isSecureMode + ", user=" + user + ", response=" + resp + ", serviceName=" +
serviceName);
+ LOG.warn("Error getting policies. secureMode=" +
isSecureMode + ", response=" + resp + ", serviceName=" + serviceName);
ret = null;
}
@@ -201,9 +199,7 @@ public RangerRoles getRolesIfUpdated(final long
lastKnownRoleVersion, final long
}
final RangerRoles ret;
-
- final UserGroupInformation user = MiscUtil.getUGILoginUser();
- final boolean isSecureMode = isKerberosEnabled(user);
+ final boolean isSecureMode = isAuthenticationEnabled();
final Cookie sessionId = this.sessionId;
final ClientResponse response;
@@ -216,7 +212,7 @@ public RangerRoles getRolesIfUpdated(final long
lastKnownRoleVersion, final long
if (isSecureMode) {
if (LOG.isDebugEnabled()) {
- LOG.debug("Checking Roles updated as user : " +
user);
+ LOG.debug("Checking Roles updated");
}
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) ()
-> {
try {
@@ -231,7 +227,7 @@ public RangerRoles getRolesIfUpdated(final long
lastKnownRoleVersion, final long
});
} else {
if (LOG.isDebugEnabled()) {
- LOG.debug("Checking Roles updated as user : " +
user);
+ LOG.debug("Checking Roles updated
(non-secure)");
}
String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_GET_USER_GROUP_ROLES + serviceNameUrlParam;
response = restClient.get(relativeURL, queryParams,
sessionId);
@@ -241,11 +237,11 @@ public RangerRoles getRolesIfUpdated(final long
lastKnownRoleVersion, final long
if (response == null || response.getStatus() ==
HttpServletResponse.SC_NOT_MODIFIED || response.getStatus() ==
HttpServletResponse.SC_NO_CONTENT) {
if (response == null) {
- LOG.error("Error getting Roles; Received NULL
response!!. secureMode=" + isSecureMode + ", user=" + user + ", serviceName=" +
serviceName);
+ LOG.error("Error getting Roles; Received NULL
response!!. secureMode=" + isSecureMode + ", serviceName=" + serviceName);
} else {
RESTResponse resp =
RESTResponse.fromClientResponse(response);
if (LOG.isDebugEnabled()) {
- LOG.debug("No change in Roles.
secureMode=" + isSecureMode + ", user=" + user
+ LOG.debug("No change in Roles.
secureMode=" + isSecureMode
+ ",
response=" + resp + ", serviceName=" + serviceName
+ ",
" + "lastKnownRoleVersion=" + lastKnownRoleVersion
+ ",
" + "lastActivationTimeInMillis=" + lastActivationTimeInMillis);
@@ -256,7 +252,7 @@ public RangerRoles getRolesIfUpdated(final long
lastKnownRoleVersion, final long
ret = JsonUtilsV2.readResponse(response,
RangerRoles.class);
} else if (response.getStatus() ==
HttpServletResponse.SC_NOT_FOUND) {
ret = null;
- LOG.error("Error getting Roles; service not found.
secureMode=" + isSecureMode + ", user=" + user
+ LOG.error("Error getting Roles; service not found.
secureMode=" + isSecureMode
+ ", response=" +
response.getStatus() + ", serviceName=" + serviceName
+ ", " +
"lastKnownRoleVersion=" + lastKnownRoleVersion
+ ", " +
"lastActivationTimeInMillis=" + lastActivationTimeInMillis);
@@ -267,7 +263,7 @@ public RangerRoles getRolesIfUpdated(final long
lastKnownRoleVersion, final long
LOG.warn("Received 404 error code with body:[" +
exceptionMsg + "], Ignoring");
} else {
RESTResponse resp =
RESTResponse.fromClientResponse(response);
- LOG.warn("Error getting Roles. secureMode=" +
isSecureMode + ", user=" + user + ", response=" + resp + ", serviceName=" +
serviceName);
+ LOG.warn("Error getting Roles. secureMode=" +
isSecureMode + ", response=" + resp + ", serviceName=" + serviceName);
ret = null;
}
@@ -287,8 +283,7 @@ public RangerRole createRole(final RangerRole request)
throws Exception {
RangerRole ret = null;
final ClientResponse response;
- UserGroupInformation user = MiscUtil.getUGILoginUser();
- boolean isSecureMode = isKerberosEnabled(user);
+ boolean isSecureMode = isAuthenticationEnabled();
String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_CREATE_ROLE;
Cookie sessionId = this.sessionId;
@@ -297,7 +292,7 @@ public RangerRole createRole(final RangerRole request)
throws Exception {
if (isSecureMode) {
if (LOG.isDebugEnabled()) {
- LOG.debug("create role as user " + user);
+ LOG.debug("create role");
}
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) ()
-> {
@@ -317,7 +312,7 @@ public RangerRole createRole(final RangerRole request)
throws Exception {
if(response != null && response.getStatus() !=
HttpServletResponse.SC_OK) {
RESTResponse resp =
RESTResponse.fromClientResponse(response);
- LOG.error("createRole() failed: HTTP status=" +
response.getStatus() + ", message=" + resp.getMessage() + ", isSecure=" +
isSecureMode + (isSecureMode ? (", user=" + user) : ""));
+ LOG.error("createRole() failed: HTTP status=" +
response.getStatus() + ", message=" + resp.getMessage() + ", isSecure=" +
isSecureMode);
if(response.getStatus()==HttpServletResponse.SC_UNAUTHORIZED) {
throw new AccessControlException();
@@ -343,8 +338,7 @@ public void dropRole(final String execUser, final String
roleName) throws Except
}
final ClientResponse response;
- UserGroupInformation user = MiscUtil.getUGILoginUser();
- boolean isSecureMode = isKerberosEnabled(user);
+ boolean isSecureMode = isAuthenticationEnabled();
Cookie sessionId = this.sessionId;
Map<String, String> queryParams = new HashMap<String, String>();
@@ -355,7 +349,7 @@ public void dropRole(final String execUser, final String
roleName) throws Except
if (isSecureMode) {
if (LOG.isDebugEnabled()) {
- LOG.debug("drop role as user " + user);
+ LOG.debug("drop role");
}
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) ()
-> {
try {
@@ -376,7 +370,7 @@ public void dropRole(final String execUser, final String
roleName) throws Except
throw new Exception("unknown error during deleteRole.
roleName=" + roleName);
} else if(response.getStatus() != HttpServletResponse.SC_OK &&
response.getStatus() != HttpServletResponse.SC_NO_CONTENT) {
RESTResponse resp =
RESTResponse.fromClientResponse(response);
- LOG.error("createRole() failed: HTTP status=" +
response.getStatus() + ", message=" + resp.getMessage() + ", isSecure=" +
isSecureMode + (isSecureMode ? (", user=" + user) : ""));
+ LOG.error("createRole() failed: HTTP status=" +
response.getStatus() + ", message=" + resp.getMessage() + ", isSecure=" +
isSecureMode);
if(response.getStatus()==HttpServletResponse.SC_UNAUTHORIZED) {
throw new AccessControlException();
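Review bot: The rewritten error line in dropRole() still reports `createRole() failed`, so a failed role drop is logged under the wrong operation; it should begin `LOG.error("dropRole() failed: HTTP status=" + response.getStatus()`. The getRole() hunk further down has the same kind of mismatch, logging `getPrincipalsForRole() failed`. Both lines are being edited by this commit anyway, so the names can be corrected in the same change. dropRole() starts and ends outside this hunk.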
@@ -399,14 +393,13 @@ public List<String> getUserRoles(final String execUser)
throws Exception {
List<String> ret = null;
String emptyString = "";
final ClientResponse response;
- UserGroupInformation user = MiscUtil.getUGILoginUser();
- boolean isSecureMode = isKerberosEnabled(user);
+ boolean isSecureMode = isAuthenticationEnabled();
String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_GET_USER_ROLES + execUser;
Cookie sessionId = this.sessionId;
if (isSecureMode) {
if (LOG.isDebugEnabled()) {
- LOG.debug("get roles as user " + user);
+ LOG.debug("get roles");
}
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) ()
-> {
try {
@@ -426,7 +419,7 @@ public List<String> getUserRoles(final String execUser)
throws Exception {
if(response != null) {
if (response.getStatus() != HttpServletResponse.SC_OK) {
RESTResponse resp =
RESTResponse.fromClientResponse(response);
- LOG.error("getUserRoles() failed: HTTP status="
+ response.getStatus() + ", message=" + resp.getMessage() + ", isSecure=" +
isSecureMode + (isSecureMode ? (", user=" + user) : ""));
+ LOG.error("getUserRoles() failed: HTTP status="
+ response.getStatus() + ", message=" + resp.getMessage() + ", isSecure=" +
isSecureMode);
if (response.getStatus() ==
HttpServletResponse.SC_UNAUTHORIZED) {
throw new AccessControlException();
@@ -455,8 +448,7 @@ public List<String> getAllRoles(final String execUser)
throws Exception {
List<String> ret = null;
String emptyString = "";
final ClientResponse response;
- UserGroupInformation user = MiscUtil.getUGILoginUser();
- boolean isSecureMode = isKerberosEnabled(user);
+ boolean isSecureMode = isAuthenticationEnabled();
String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_GET_ALL_ROLES;
Cookie sessionId = this.sessionId;
@@ -466,7 +458,7 @@ public List<String> getAllRoles(final String execUser)
throws Exception {
if (isSecureMode) {
if (LOG.isDebugEnabled()) {
- LOG.debug("get roles as user " + user);
+ LOG.debug("get roles");
}
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) ()
-> {
try {
@@ -486,7 +478,7 @@ public List<String> getAllRoles(final String execUser)
throws Exception {
if(response != null) {
if (response.getStatus() != HttpServletResponse.SC_OK) {
RESTResponse resp =
RESTResponse.fromClientResponse(response);
- LOG.error("getAllRoles() failed: HTTP status="
+ response.getStatus() + ", message=" + resp.getMessage() + ", isSecure=" +
isSecureMode + (isSecureMode ? (", user=" + user) : ""));
+ LOG.error("getAllRoles() failed: HTTP status="
+ response.getStatus() + ", message=" + resp.getMessage() + ", isSecure=" +
isSecureMode);
if (response.getStatus() ==
HttpServletResponse.SC_UNAUTHORIZED) {
throw new AccessControlException();
@@ -514,8 +506,7 @@ public RangerRole getRole(final String execUser, final
String roleName) throws E
RangerRole ret = null;
final ClientResponse response;
- UserGroupInformation user = MiscUtil.getUGILoginUser();
- boolean isSecureMode = isKerberosEnabled(user);
+ boolean isSecureMode = isAuthenticationEnabled();
String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_GET_ROLE_INFO + roleName;
Cookie sessionId = this.sessionId;
@@ -525,7 +516,7 @@ public RangerRole getRole(final String execUser, final
String roleName) throws E
if (isSecureMode) {
if (LOG.isDebugEnabled()) {
- LOG.debug("get role info as user " + user);
+ LOG.debug("get role info");
}
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) ()
-> {
try {
@@ -545,7 +536,7 @@ public RangerRole getRole(final String execUser, final
String roleName) throws E
if(response != null) {
if (response.getStatus() != HttpServletResponse.SC_OK) {
RESTResponse resp =
RESTResponse.fromClientResponse(response);
- LOG.error("getPrincipalsForRole() failed: HTTP
status=" + response.getStatus() + ", message=" + resp.getMessage() + ",
isSecure=" + isSecureMode + (isSecureMode ? (", user=" + user) : ""));
+ LOG.error("getPrincipalsForRole() failed: HTTP
status=" + response.getStatus() + ", message=" + resp.getMessage() + ",
isSecure=" + isSecureMode);
if (response.getStatus() ==
HttpServletResponse.SC_UNAUTHORIZED) {
throw new AccessControlException();
@@ -573,14 +564,13 @@ public void grantRole(final GrantRevokeRoleRequest
request) throws Exception {
}
final ClientResponse response;
- UserGroupInformation user = MiscUtil.getUGILoginUser();
- boolean isSecureMode = isKerberosEnabled(user);
+ boolean isSecureMode = isAuthenticationEnabled();
String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_GRANT_ROLE + serviceNameUrlParam;
Cookie sessionId = this.sessionId;
if (isSecureMode) {
if (LOG.isDebugEnabled()) {
- LOG.debug("grant role as user " + user);
+ LOG.debug("grant role");
}
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) ()
-> {
try {
@@ -599,7 +589,7 @@ public void grantRole(final GrantRevokeRoleRequest request)
throws Exception {
if(response != null && response.getStatus() !=
HttpServletResponse.SC_OK) {
RESTResponse resp =
RESTResponse.fromClientResponse(response);
- LOG.error("grantRole() failed: HTTP status=" +
response.getStatus() + ", message=" + resp.getMessage() + ", isSecure=" +
isSecureMode + (isSecureMode ? (", user=" + user) : ""));
+ LOG.error("grantRole() failed: HTTP status=" +
response.getStatus() + ", message=" + resp.getMessage() + ", isSecure=" +
isSecureMode);
if(response.getStatus()==HttpServletResponse.SC_UNAUTHORIZED) {
throw new AccessControlException();
@@ -622,14 +612,14 @@ public void revokeRole(final GrantRevokeRoleRequest
request) throws Exception {
}
final ClientResponse response;
- UserGroupInformation user = MiscUtil.getUGILoginUser();
- boolean isSecureMode = isKerberosEnabled(user);
+
+ boolean isSecureMode = isAuthenticationEnabled();
String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_REVOKE_ROLE + serviceNameUrlParam;
Cookie sessionId = this.sessionId;
if (isSecureMode) {
if (LOG.isDebugEnabled()) {
- LOG.debug("revoke role as user " + user);
+ LOG.debug("revoke role");
}
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) ()
-> {
try {
@@ -648,7 +638,7 @@ public void revokeRole(final GrantRevokeRoleRequest
request) throws Exception {
if(response != null && response.getStatus() !=
HttpServletResponse.SC_OK) {
RESTResponse resp =
RESTResponse.fromClientResponse(response);
- LOG.error("revokeRole() failed: HTTP status=" +
response.getStatus() + ", message=" + resp.getMessage() + ", isSecure=" +
isSecureMode + (isSecureMode ? (", user=" + user) : ""));
+ LOG.error("revokeRole() failed: HTTP status=" +
response.getStatus() + ", message=" + resp.getMessage() + ", isSecure=" +
isSecureMode);
if(response.getStatus()==HttpServletResponse.SC_UNAUTHORIZED) {
throw new AccessControlException();
@@ -671,8 +661,7 @@ public void grantAccess(final GrantRevokeRequest request)
throws Exception {
}
final ClientResponse response;
- UserGroupInformation user = MiscUtil.getUGILoginUser();
- boolean isSecureMode = isKerberosEnabled(user);
+ boolean isSecureMode = isAuthenticationEnabled();
Cookie sessionId = this.sessionId;
Map<String, String> queryParams = new HashMap<String, String>();
@@ -680,7 +669,7 @@ public void grantAccess(final GrantRevokeRequest request)
throws Exception {
if (isSecureMode) {
if (LOG.isDebugEnabled()) {
- LOG.debug("grantAccess as user " + user);
+ LOG.debug("grantAccess");
}
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) ()
-> {
try {
@@ -702,7 +691,7 @@ public void grantAccess(final GrantRevokeRequest request)
throws Exception {
if(response != null && response.getStatus() !=
HttpServletResponse.SC_OK) {
RESTResponse resp =
RESTResponse.fromClientResponse(response);
- LOG.error("grantAccess() failed: HTTP status=" +
response.getStatus() + ", message=" + resp.getMessage() + ", isSecure=" +
isSecureMode + (isSecureMode ? (", user=" + user) : ""));
+ LOG.error("grantAccess() failed: HTTP status=" +
response.getStatus() + ", message=" + resp.getMessage() + ", isSecure=" +
isSecureMode);
if(response.getStatus()==HttpServletResponse.SC_UNAUTHORIZED) {
throw new AccessControlException();
@@ -725,8 +714,7 @@ public void revokeAccess(final GrantRevokeRequest request)
throws Exception {
}
final ClientResponse response;
- UserGroupInformation user = MiscUtil.getUGILoginUser();
- boolean isSecureMode = isKerberosEnabled(user);
+ boolean isSecureMode = isAuthenticationEnabled();
Cookie sessionId = this.sessionId;
Map<String, String> queryParams = new HashMap<String, String>();
@@ -734,7 +722,7 @@ public void revokeAccess(final GrantRevokeRequest request)
throws Exception {
if (isSecureMode) {
if (LOG.isDebugEnabled()) {
- LOG.debug("revokeAccess as user " + user);
+ LOG.debug("revokeAccess");
}
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) ()
-> {
try {
@@ -756,7 +744,7 @@ public void revokeAccess(final GrantRevokeRequest request)
throws Exception {
if(response != null && response.getStatus() !=
HttpServletResponse.SC_OK) {
RESTResponse resp =
RESTResponse.fromClientResponse(response);
- LOG.error("revokeAccess() failed: HTTP status=" +
response.getStatus() + ", message=" + resp.getMessage() + ", isSecure=" +
isSecureMode + (isSecureMode ? (", user=" + user) : ""));
+ LOG.error("revokeAccess() failed: HTTP status=" +
response.getStatus() + ", message=" + resp.getMessage() + ", isSecure=" +
isSecureMode);
if(response.getStatus() ==
HttpServletResponse.SC_UNAUTHORIZED) {
throw new AccessControlException();
@@ -772,6 +760,11 @@ public void revokeAccess(final GrantRevokeRequest request)
throws Exception {
}
}
+ @Override
+ public boolean isAuthenticationEnabled() {
+ return restClient.isAuthFilterPresent() ||
super.isAuthenticationEnabled();
+ }
+
private void init(String url, String sslConfigFileName, int
restClientConnTimeOutMs , int restClientReadTimeOutMs, int
restClientMaxRetryAttempts, int restClientRetryIntervalMs, Configuration
config) {
if(LOG.isDebugEnabled()) {
LOG.debug("==> RangerAdminRESTClient.init(" + url + ",
" + sslConfigFileName + ")");
@@ -795,9 +788,7 @@ public ServiceTags getServiceTagsIfUpdated(final long
lastKnownVersion, final lo
}
final ServiceTags ret;
-
- final UserGroupInformation user = MiscUtil.getUGILoginUser();
- final boolean isSecureMode = isKerberosEnabled(user);
+ final boolean isSecureMode = isAuthenticationEnabled();
final ClientResponse response;
final Cookie sessionId = this.sessionId;
@@ -810,7 +801,7 @@ public ServiceTags getServiceTagsIfUpdated(final long
lastKnownVersion, final lo
if (isSecureMode) {
if (LOG.isDebugEnabled()) {
- LOG.debug("getServiceTagsIfUpdated as user " +
user);
+ LOG.debug("getServiceTagsIfUpdated");
}
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) ()
-> {
try {
@@ -832,11 +823,11 @@ public ServiceTags getServiceTagsIfUpdated(final long
lastKnownVersion, final lo
if (response == null || response.getStatus() ==
HttpServletResponse.SC_NOT_MODIFIED) {
if (response == null) {
- LOG.error("Error getting tags; Received NULL
response!!. secureMode=" + isSecureMode + ", user=" + user + ", serviceName=" +
serviceName);
+ LOG.error("Error getting tags; Received NULL
response!!. secureMode=" + isSecureMode + ", serviceName=" + serviceName);
} else {
RESTResponse resp =
RESTResponse.fromClientResponse(response);
if (LOG.isDebugEnabled()) {
- LOG.debug("No change in tags.
secureMode=" + isSecureMode + ", user=" + user
+ LOG.debug("No change in tags.
secureMode=" + isSecureMode
+ ",
response=" + resp + ", serviceName=" + serviceName
+ ",
" + "lastKnownVersion=" + lastKnownVersion
+ ",
" + "lastActivationTimeInMillis=" + lastActivationTimeInMillis);
@@ -847,7 +838,7 @@ public ServiceTags getServiceTagsIfUpdated(final long
lastKnownVersion, final lo
ret = JsonUtilsV2.readResponse(response,
ServiceTags.class);
} else if (response.getStatus() ==
HttpServletResponse.SC_NOT_FOUND) {
ret = null;
- LOG.error("Error getting tags; service not found.
secureMode=" + isSecureMode + ", user=" + user
+ LOG.error("Error getting tags; service not found.
secureMode=" + isSecureMode
+ ", response=" +
response.getStatus() + ", serviceName=" + serviceName
+ ", " +
"lastKnownVersion=" + lastKnownVersion
+ ", " +
"lastActivationTimeInMillis=" + lastActivationTimeInMillis);
@@ -857,7 +848,7 @@ public ServiceTags getServiceTagsIfUpdated(final long
lastKnownVersion, final lo
LOG.warn("Received 404 error code with body:[" +
exceptionMsg + "], Ignoring");
} else {
RESTResponse resp =
RESTResponse.fromClientResponse(response);
- LOG.warn("Error getting tags. secureMode=" +
isSecureMode + ", user=" + user + ", response=" + resp + ", serviceName=" +
serviceName);
+ LOG.warn("Error getting tags. secureMode=" +
isSecureMode + ", response=" + resp + ", serviceName=" + serviceName);
ret = null;
}
@@ -876,8 +867,7 @@ public List<String> getTagTypes(String pattern) throws
Exception {
List<String> ret = null;
String emptyString = "";
- UserGroupInformation user = MiscUtil.getUGILoginUser();
- boolean isSecureMode = isKerberosEnabled(user);
+ boolean isSecureMode = isAuthenticationEnabled();
Cookie sessionId = this.sessionId;
Map<String, String> queryParams = new HashMap<String, String>();
@@ -888,7 +878,7 @@ public List<String> getTagTypes(String pattern) throws
Exception {
final ClientResponse response;
if (isSecureMode) {
if (LOG.isDebugEnabled()) {
- LOG.debug("getTagTypes as user " + user);
+ LOG.debug("getTagTypes");
}
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) ()
-> {
try {
@@ -927,8 +917,7 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
}
final RangerUserStore ret;
- final UserGroupInformation user = MiscUtil.getUGILoginUser();
- final boolean isSecureMode = isKerberosEnabled(user);
+ final boolean isSecureMode = isAuthenticationEnabled();
final ClientResponse response;
final Cookie sessionId = this.sessionId;
@@ -941,7 +930,7 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
if (isSecureMode) {
if (LOG.isDebugEnabled()) {
- LOG.debug("Checking UserStore updated as user :
" + user);
+ LOG.debug("Checking UserStore updated");
}
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) ()
-> {
try {
@@ -956,7 +945,7 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
});
} else {
if (LOG.isDebugEnabled()) {
- LOG.debug("Checking UserStore updated as user :
" + user);
+ LOG.debug("Checking UserStore updated");
}
String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_GET_USERSTORE + serviceNameUrlParam;
response = restClient.get(relativeURL, queryParams,
sessionId);
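Review bot: After this change both branches of getUserStoreIfUpdated() log the identical text `Checking UserStore updated`, so the debug log no longer shows which path was taken, whereas getRolesIfUpdated() in this same commit marks its else branch with `(non-secure)`. Use `LOG.debug("Checking UserStore updated (non-secure)");` here, and likewise in the matching else branch of RangerAdminJersey2RESTClient.getUserStoreIfUpdated(). The method starts and ends outside this hunk.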
@@ -966,11 +955,11 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
if (response == null || response.getStatus() ==
HttpServletResponse.SC_NOT_MODIFIED) {
if (response == null) {
- LOG.error("Error getting UserStore; Received
NULL response!!. secureMode=" + isSecureMode + ", user=" + user + ",
serviceName=" + serviceName);
+ LOG.error("Error getting UserStore; Received
NULL response!!. secureMode=" + isSecureMode + ", serviceName=" + serviceName);
} else {
RESTResponse resp =
RESTResponse.fromClientResponse(response);
if (LOG.isDebugEnabled()) {
- LOG.debug("No change in UserStore.
secureMode=" + isSecureMode + ", user=" + user
+ LOG.debug("No change in UserStore.
secureMode=" + isSecureMode
+ ", response=" + resp
+ ", serviceName=" + serviceName
+ ", " +
"lastKnownUserStoreVersion=" + lastKnownUserStoreVersion
+ ", " +
"lastActivationTimeInMillis=" + lastActivationTimeInMillis);
@@ -981,7 +970,7 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
ret = JsonUtilsV2.readResponse(response,
RangerUserStore.class);
} else if (response.getStatus() ==
HttpServletResponse.SC_NOT_FOUND) {
ret = null;
- LOG.error("Error getting UserStore; service not found.
secureMode=" + isSecureMode + ", user=" + user
+ LOG.error("Error getting UserStore; service not found.
secureMode=" + isSecureMode
+ ", response=" + response.getStatus()
+ ", serviceName=" + serviceName
+ ", " + "lastKnownUserStoreVersion=" +
lastKnownUserStoreVersion
+ ", " + "lastActivationTimeInMillis="
+ lastActivationTimeInMillis);
@@ -992,7 +981,7 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
LOG.warn("Received 404 error code with body:[" +
exceptionMsg + "], Ignoring");
} else {
RESTResponse resp =
RESTResponse.fromClientResponse(response);
- LOG.warn("Error getting UserStore. secureMode=" +
isSecureMode + ", user=" + user + ", response=" + resp + ", serviceName=" +
serviceName);
+ LOG.warn("Error getting UserStore. secureMode=" +
isSecureMode + ", response=" + resp + ", serviceName=" + serviceName);
ret = null;
}
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
index 70bdba91d..e421ec9a5 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
@@ -157,6 +157,10 @@ public String getPassword() {
return mPassword;
}
+ public boolean isAuthFilterPresent() {
+ return jwtAuthFilter != null || basicAuthFilter != null;
+ }
+
public int getRestClientConnTimeOutMs() {
return mRestClientConnTimeOutMs;
}
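Review bot: `isAuthFilterPresent()` only reports that a filter object exists, yet RangerAdminRESTClient.isAuthenticationEnabled() in this commit treats that as enough to take the secure branch, ahead of both `forceNonKerberos` and the new config flag. If these filters are created whenever a username/password or JWT is configured (their assignment is not visible here), every such deployment changes endpoint selection without setting `forceSecureEndpointAccess`, which is broader than the commit title suggests. A Javadoc line such as `/** True when a JWT or basic-auth filter has been configured; does not imply the credentials are valid. */` would make the contract explicit, and the commit description should mention the behaviour change.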
diff --git
a/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
b/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
index 779bf422f..ea4ead5eb 100644
---
a/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
+++
b/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
@@ -47,7 +47,6 @@
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.AccessControlException;
-import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ranger.plugin.util.*;
import org.apache.ranger.audit.provider.MiscUtil;
import org.apache.ranger.authorization.utils.StringUtil;
@@ -288,8 +287,7 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
}
final RangerUserStore ret;
- final UserGroupInformation user =
MiscUtil.getUGILoginUser();
- final boolean isSecureMode =
isKerberosEnabled(user);
+ final boolean isSecureMode =
isAuthenticationEnabled();
final Response response;
Map<String, String> queryParams = new HashMap<String, String>();
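Review bot: This client now calls `isAuthenticationEnabled()`, but no override is visible for RangerAdminJersey2RESTClient in the part of the diff shown, so it would use the base implementation (`forceSecureEndpointAccess || isKerberosEnabled()`) while RangerAdminRESTClient also ORs in `restClient.isAuthFilterPresent()`. If that difference is intended, a comment at this call saying the Knox client has no auth-filter path would keep the two clients from being assumed equivalent; if it is not, the same check is missing here. getUserStoreIfUpdated() starts and ends outside this hunk.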
@@ -302,7 +300,7 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
if (isSecureMode) {
if (LOG.isDebugEnabled()) {
- LOG.debug("Checking UserStore updated as user:
{}", user);
+ LOG.debug("Checking UserStore updated");
}
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> {
@@ -318,7 +316,7 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
});
} else {
if (LOG.isDebugEnabled()) {
- LOG.debug("Checking UserStore updated as user:
{}", user);
+ LOG.debug("Checking UserStore updated");
}
String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_GET_USERSTORE + _serviceNameUrlParam;
@@ -328,13 +326,13 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
if (response == null || response.getStatus() == 304) { //
NOT_MODIFIED
if (response == null) {
- LOG.error("Error getting UserStore; Received
NULL response!!. secureMode={}, user={}, serviceName={}", isSecureMode, user,
_serviceName);
+ LOG.error("Error getting UserStore; Received
NULL response!!. secureMode={}, serviceName={}", isSecureMode, _serviceName);
} else {
String resp = response.hasEntity() ?
response.readEntity(String.class) : null;
if (LOG.isDebugEnabled()) {
- LOG.debug("No change in UserStore.
secureMode={}, user={}, response={}, serviceName={},
lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}",
- isSecureMode, user,
resp, _serviceName, lastKnownUserStoreVersion, lastActivationTimeInMillis);
+ LOG.debug("No change in UserStore.
secureMode={}, response={}, serviceName={}, lastKnownUserStoreVersion={},
lastActivationTimeInMillis={}",
+ isSecureMode, resp,
_serviceName, lastKnownUserStoreVersion, lastActivationTimeInMillis);
}
}
@@ -346,8 +344,8 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
} else if (response.getStatus() == 404) { // NOT_FOUND
ret = null;
- LOG.error("Error getting UserStore; service not found.
secureMode={}, user={}, response={}, serviceName={},
lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}",
- isSecureMode, user,
response.getStatus(), _serviceName, lastKnownUserStoreVersion,
lastActivationTimeInMillis);
+ LOG.error("Error getting UserStore; service not found.
secureMode={}, response={}, serviceName={}, lastKnownUserStoreVersion={},
lastActivationTimeInMillis={}",
+ isSecureMode, response.getStatus(),
_serviceName, lastKnownUserStoreVersion, lastActivationTimeInMillis);
String exceptionMsg = response.hasEntity() ?
response.readEntity(String.class) : null;
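Review bot: In the 404 branch the `response={}` placeholder is filled with `response.getStatus()`, while the other branches of this method fill the same key with the response body. Naming it `status={}` here would stop log searches on `response=` from mixing status codes with bodies. The method body starts and ends outside this hunk.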
@@ -357,8 +355,8 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
} else {
String resp = response.hasEntity() ?
response.readEntity(String.class) : null;
- LOG.warn("Error getting UserStore. secureMode={},
user={}, response={}, serviceName={}, lastKnownUserStoreVersion={},
lastActivationTimeInMillis={}",
- isSecureMode, user, resp,
_serviceName, lastKnownUserStoreVersion, lastActivationTimeInMillis);
+ LOG.warn("Error getting UserStore. secureMode={},
response={}, serviceName={}, lastKnownUserStoreVersion={},
lastActivationTimeInMillis={}",
+ isSecureMode, resp, _serviceName,
lastKnownUserStoreVersion, lastActivationTimeInMillis);
ret = null;
}
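Review bot: The catch-all branch logs the response body as `response={}` but never the HTTP status, so a 401 or 403 from Ranger Admin cannot be told apart from a 5xx in the WARN line. That matters more now that the secure endpoint may be selected by configuration rather than by a Kerberos login (inferred from the commit title). Adding `status={}` with `response.getStatus()` next to `secureMode={}` would make authentication failures searchable. The body written to the log comes from the server unmodified, and whether its length is bounded is not visible here.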
@@ -582,7 +580,7 @@ private ServicePolicies
getServicePoliciesIfUpdatedWithCred(final long lastKnown
ret = null;
policyDownloadSessionId = null;
body = response.readEntity(String.class);
- LOG.warn(String.format("Unexpected: Received
status[%d] with body[%s] form url[%s]", httpResponseCode, body,
getRelativeURL(isSecureMode())));
+ LOG.warn(String.format("Unexpected: Received
status[%d] with body[%s] form url[%s]", httpResponseCode, body,
getRelativeURL(isAuthenticationEnabled())));
break;
}
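Review bot: The message touched here still reads `form url[%s]` where `from url[%s]` is meant, and it is built with `String.format` while the UserStore hunks in this file use SLF4J `{}` placeholders. The same line recurs, each with its own URL helper, in the hunks at `@@ -649,7 +647,7 @@`, `@@ -787,7 +785,7 @@`, `@@ -990,7 +988,7 @@` and `@@ -1056,7 +1054,7 @@`. Something like `LOG.warn("Unexpected: Received status[{}] with body[{}] from url[{}]", httpResponseCode, body, getRelativeURL(isAuthenticationEnabled()));` would fix the typo and skip the formatting work when WARN is disabled. The enclosing method extends beyond the hunk.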
@@ -649,7 +647,7 @@ private ServicePolicies
getServicePoliciesIfUpdatedWithCookie(final long lastKno
policyDownloadSessionId = null;
isValidPolicyDownloadSessionCookie = false;
body = response.readEntity(String.class);
- LOG.warn(String.format("Unexpected: Received
status[%d] with body[%s] form url[%s]", httpResponseCode, body,
getRelativeURL(isSecureMode())));
+ LOG.warn(String.format("Unexpected: Received
status[%d] with body[%s] form url[%s]", httpResponseCode, body,
getRelativeURL(isAuthenticationEnabled())));
break;
}
@@ -675,9 +673,9 @@ private Response getRangerAdminPolicyDownloadResponse(final
long lastKnownVersio
queryParams.put(RangerRESTUtils.REST_PARAM_SUPPORTS_POLICY_DELTAS,
Boolean.toString(_supportsPolicyDeltas));
queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES,
pluginCapabilities);
- if (isSecureMode()) {
+ if (isAuthenticationEnabled()) {
if (LOG.isDebugEnabled()) {
- LOG.debug("Checking Service policy if updated
as user : " + MiscUtil.getUGILoginUser());
+ LOG.debug("Checking Service policy if updated");
}
ret =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () ->
get(queryParams, getRelativeURL(true), policyDownloadSessionId));
} else {
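Review bot: The secure branch now wraps the request in `MiscUtil.executePrivilegedAction` whenever `isAuthenticationEnabled()` is true, which presumably includes the config-forced case where no Kerberos login user exists. How `executePrivilegedAction` behaves without a login user is not visible in this diff, and the debug line no longer records any identity. A comment stating the expectation would help, for example `// may run without a Kerberos login user when secure access is forced via config`. The same pattern is in the hunks at `@@ -879,9 +877,9 @@` and `@@ -1080,9 +1078,9 @@`. The method body continues outside the hunk.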
@@ -787,7 +785,7 @@ private ServiceTags getServiceTagsIfUpdatedWithCred(final
long lastKnownVersion,
ret = null;
tagDownloadSessionId = null;
body = response.readEntity(String.class);
- LOG.warn(String.format("Unexpected: Received
status[%d] with body[%s] form url[%s]", httpResponseCode, body,
getRelativeURLForTagDownload(isSecureMode())));
+ LOG.warn(String.format("Unexpected: Received
status[%d] with body[%s] form url[%s]", httpResponseCode, body,
getRelativeURLForTagDownload(isAuthenticationEnabled())));
break;
}
@@ -879,9 +877,9 @@ private Response getTagsDownloadResponse(final long
lastKnownVersion, final long
queryParams.put(RangerRESTUtils.REST_PARAM_SUPPORTS_TAG_DELTAS,
Boolean.toString(_supportsTagDeltas));
queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES,
pluginCapabilities);
- if (isSecureMode()) {
+ if (isAuthenticationEnabled()) {
if (LOG.isDebugEnabled()) {
- LOG.debug("Checking Service tags if updated as
user : " + MiscUtil.getUGILoginUser());
+ LOG.debug("Checking Service tags if updated");
}
ret =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () ->
get(queryParams, getRelativeURLForTagDownload(true), tagDownloadSessionId));
} else {
@@ -990,7 +988,7 @@ private RangerRoles getRangerRolesIfUpdatedWithCred(final
long lastKnownRoleVers
ret = null;
roleDownloadSessionId = null;
body = response.readEntity(String.class);
- LOG.warn(String.format("Unexpected: Received
status[%d] with body[%s] form url[%s]", httpResponseCode, body,
getRelativeURLForRoleDownload(isSecureMode())));
+ LOG.warn(String.format("Unexpected: Received
status[%d] with body[%s] form url[%s]", httpResponseCode, body,
getRelativeURLForRoleDownload(isAuthenticationEnabled())));
break;
}
@@ -1056,7 +1054,7 @@ private RangerRoles
getRangerRolesIfUpdatedWithCookie(final long lastKnownRoleVe
roleDownloadSessionId = null;
isValidRoleDownloadSessionCookie = false;
body = response.readEntity(String.class);
- LOG.warn(String.format("Unexpected: Received
status[%d] with body[%s] form url[%s]", httpResponseCode, body,
getRelativeURLForRoleDownload(isSecureMode())));
+ LOG.warn(String.format("Unexpected: Received
status[%d] with body[%s] form url[%s]", httpResponseCode, body,
getRelativeURLForRoleDownload(isAuthenticationEnabled())));
break;
}
@@ -1080,9 +1078,9 @@ private Response getRoleDownloadResponse(final long
lastKnownRoleVersion, final
queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID,
_pluginId);
queryParams.put(RangerRESTUtils.REST_PARAM_CLUSTER_NAME,
_clusterName);
- if (isSecureMode()) {
+ if (isAuthenticationEnabled()) {
if (LOG.isDebugEnabled()) {
- LOG.debug("Checking Roles if updated as user :
" + MiscUtil.getUGILoginUser());
+ LOG.debug("Checking Roles if updated");
}
ret =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () ->
get(queryParams, getRelativeURLForRoleDownload(true), roleDownloadSessionId));
} else {
@@ -1162,8 +1160,4 @@ protected boolean shouldRetry(String currentUrl, int
index, int retryAttemptCoun
return ret;
}
-
- private boolean isSecureMode() {
- return isKerberosEnabled(MiscUtil.getUGILoginUser());
- }
}