[ https://issues.apache.org/jira/browse/RANGER-3063?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ramachandran resolved RANGER-3063.
----------------------------------
    Resolution: Fixed

> 404 http status response on requesting an existing policy
> ---------------------------------------------------------
>
>                 Key: RANGER-3063
>                 URL: https://issues.apache.org/jira/browse/RANGER-3063
>             Project: Ranger
>          Issue Type: Bug
>          Components: admin
>    Affects Versions: 2.0.0
>         Environment: Cloudera, CDP (CDH) 7.1.3
> Hadoop - 3.1.1.7.1.3.0-100
> Ranger - 2.0.0.7.1.3.0-100
>            Reporter: Vyacheslav Tutrinov
>            Assignee: Ramachandran
>            Priority: Major
>
> I caught a strange behavior of the ranger admin REST API.
> The challenge started when I saw that the 'cm_kms' service doesn't appear on the UI side, however it exists in the REST API response.
> Then trying to get the policies list for this service responds with a list that contains a single policy:
> {code:bash}
> [root@vm path]# curl -XGET -u user:********** -v http://my-ranger-server-host:6080/service/public/v2/api/service/cm_kms/policy
> * About to connect() tomy-ranger-server-host port 6080 (#0)
> * Trying 10.6.120.140...
> * Connected to my-ranger-server-host (10.6.120.140) port 6080 (#0)
> * Server auth using Basic with user 'user'
> > GET /service/public/v2/api/service/cm_kms/policy HTTP/1.1
> > Authorization: Basic *********************
> > User-Agent: curl/7.29.0
> > Host: my-ranger-server-host:6080
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Set-Cookie: RANGERADMINSESSIONID=42E2616A84477202A0CB4442C9C4EA88; Path=/; HttpOnly
> < X-Frame-Options: DENY
> < X-XSS-Protection: 1; mode=block
> < Strict-Transport-Security: max-age=31536000; includeSubDomains
> < Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self'
> < Cache-Control: no-cache, no-store, max-age=0, must-revalidate
> < Pragma: no-cache
> < Expires: 0
> < X-Content-Type-Options: nosniff
> < Content-Type: application/json
> < Transfer-Encoding: chunked
> < Date: Thu, 29 Oct 2020 07:11:15 GMT
> < Server: Apache Ranger
> <
> [{"id":41,"guid":"52b42504-5798-4340-9da3-8e9188a3592f","isEnabled":true,"version":1,"service":"cm_kms","name":"all - keyname","policyType":0,"policyPriority":0,"description":"Policy for all - keyname","isAuditEnabled":true,"resources":{"keyname":{"values":["*"],"isExcludes":false,"isRecursive":false}},"policyItems":[{"accesses":[{"type":"create","isAllowed":true},{"type":"delete","isAllowed":true},{"type":"rollover","isAllowed":true},{"type":"setkeymaterial","isAllowed":true},{"type":"get","isAllowed":true},{"type":"getkeys","isAllowed":true},{"type":"getmetadata","isAllowed":true},{"type":"generateeek","isAllowed":true},{"type":"decrypteek","isAllowed":true}],"users":["keyadmin"],"groups":[],"roles":[],"conditions":[],"delegateAdmin":true},{"accesses":[{"type":"getmetadata","isAllowed":true},{"type":"generateeek","isAllowed":true}],"users":["hdfs"],"groups":[],"roles":[],"conditions":[],"delegateAdmin":true},{"accesses":[{"type":"getmetadata","isAllowed":true},{"type":"decrypteek","isAllowed":true}],"users":["hive"],"groups":[],"roles":[],"conditions":[],"delegateAdmin":true}],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"dataMaskPolicyItems":[],"rowFilterPolicyItems":[],"serviceType":"kms","options":{},"validitySchedules":[],"policyLabels":[],"zoneName":"","isDenyAllElse":false}]
> {code}
> However, the request for the specific policy by name 'all - keyname' responded with a 404 status:
> {code:bash}
> [root@vm path]# curl -XGET -u user:********** -v http://my-ranger-server-host:6080/service/public/v2/api/service/cm_kms/policy/all%20-%20keyname
> * About to connect() to my-ranger-server-host port 6080 (#0)
> * Trying 10.6.120.140...
> * Connected to my-ranger-server-host (10.6.120.140) port 6080 (#0)
> * Server auth using Basic with user 'user'
> > GET /service/public/v2/api/service/cm_kms/policy/all%20-%20keyname HTTP/1.1
> > Authorization: Basic ***************************
> > User-Agent: curl/7.29.0
> > Host: my-ranger-server-host:6080
> > Accept: */*
> >
> < HTTP/1.1 404 Not Found
> < Set-Cookie: RANGERADMINSESSIONID=2885FFB77C5B83345F5F6C0F4E7CB4D8; Path=/; HttpOnly
> < X-Frame-Options: DENY
> < X-XSS-Protection: 1; mode=block
> < Strict-Transport-Security: max-age=31536000; includeSubDomains
> < Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self'
> < Cache-Control: no-cache, no-store, max-age=0, must-revalidate
> < Pragma: no-cache
> < Expires: 0
> < X-Content-Type-Options: nosniff
> < Content-Type: application/json
> < Transfer-Encoding: chunked
> < Date: Thu, 29 Oct 2020 07:43:14 GMT
> < Server: Apache Ranger
> <
> * Connection #0 to host my-ranger-server-host left intact
> Not found
> {code}
> A PUT request to update the policy responds the same way (404), but a POST request to create a policy with the same name responds with a 400 status - a policy with 'all - keyname' already exists.
> But the similar call chain (GET list of policies, GET policy by name) works perfectly for the 'cm_hdfs' service policies:
> {code:bash}
> [root@vm path]# curl -XGET -u user:*********** -v http://my-ranger-server-host:6080/service/public/v2/api/service/cm_hdfs/policy
> * About to connect() to my-ranger-server-host port 6080 (#0)
> * Trying 10.6.120.140...
> * Connected to my-ranger-server-host (10.6.120.140) port 6080 (#0)
> * Server auth using Basic with user 'user'
> > GET /service/public/v2/api/service/cm_hdfs/policy HTTP/1.1
> > Authorization: Basic *************************
> > User-Agent: curl/7.29.0
> > Host: my-ranger-server-host:6080
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Set-Cookie: RANGERADMINSESSIONID=9D112823529E0F1695CB94A4C5081C0E; Path=/; HttpOnly
> < X-Frame-Options: DENY
> < X-XSS-Protection: 1; mode=block
> < Strict-Transport-Security: max-age=31536000; includeSubDomains
> < Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self'
> < Cache-Control: no-cache, no-store, max-age=0, must-revalidate
> < Pragma: no-cache
> < Expires: 0
> < X-Content-Type-Options: nosniff
> < Content-Type: application/json
> < Transfer-Encoding: chunked
> < Date: Thu, 29 Oct 2020 07:44:32 GMT
> < Server: Apache Ranger
> <
> [{"id":1,"guid":"3c1fafbb-bf6c-4916-9ae5-e36ec28a1071","isEnabled":true,"version":13,"service":"cm_hdfs","name":"all - path","policyType":0,"policyPriority":0,"description":"Policy for all - path","isAuditEnabled":true,"resources":{"path":{"values":["/*"],"isExcludes":false,"isRecursive":true}},"policyItems":[{"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true},{"type":"execute","isAllowed":true}],"users":["rangertagsync","hdfs"],"groups":["cloudera-scm","hadoop"],"roles":[],"conditions":[],"delegateAdmin":true}],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"dataMaskPolicyItems":[],"rowFilterPolicyItems":[],"serviceType":"hdfs","options":{},"validitySchedules":[],"policyLabels":[],"zoneName":"","isDenyAllElse":false},{"id":2,"guid":"422c3e21-4162-43e8-a884-74791e6e4b39","isEnabled":true,"version":1,"service":"cm_hdfs","name":"kms-audit-path","policyType":0,"policyPriority":0,"description":"Policy for kms-audit-path","isAuditEnabled":true,"resources":{"path":{"values* Connection #0 to host vtutr01-vm0.bdauto.wandisco.com left intact
> ":["/ranger/audit/kms"],"isExcludes":false,"isRecursive":true}},"policyItems":[{"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true},{"type":"execute","isAllowed":true}],"users":["keyadmin"],"groups":[],"roles":[],"conditions":[],"delegateAdmin":false}],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"dataMaskPolicyItems":[],"rowFilterPolicyItems":[],"serviceType":"hdfs","options":{},"validitySchedules":[],"policyLabels":[],"zoneName":"","isDenyAllElse":false}]
>
> [root@vm path]# curl -XGET -u user:**************** -v http://my-ranger-server-host:6080/service/public/v2/api/service/cm_hdfs/policy/all%20-%20path
> * About to connect() to my-ranger-server-host port 6080 (#0)
> * Trying 10.6.120.140...
> * Connected to my-ranger-server-host (10.6.120.140) port 6080 (#0)
> * Server auth using Basic with user 'user'
> > GET /service/public/v2/api/service/cm_hdfs/policy/all%20-%20path HTTP/1.1
> > Authorization: Basic *********************
> > User-Agent: curl/7.29.0
> > Host: my-ranger-server-host:6080
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Set-Cookie: RANGERADMINSESSIONID=4179CB624F0F54402CAE4F6158A0082F; Path=/; HttpOnly
> < X-Frame-Options: DENY
> < X-XSS-Protection: 1; mode=block
> < Strict-Transport-Security: max-age=31536000; includeSubDomains
> < Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self'
> < Cache-Control: no-cache, no-store, max-age=0, must-revalidate
> < Pragma: no-cache
> < Expires: 0
> < X-Content-Type-Options: nosniff
> < Content-Type: application/json
> < Transfer-Encoding: chunked
> < Date: Thu, 29 Oct 2020 07:45:19 GMT
> < Server: Apache Ranger
> <
> * Connection #0 to host my-ranger-server-host left intact
> {"id":1,"guid":"3c1fafbb-bf6c-4916-9ae5-e36ec28a1071","isEnabled":true,"version":13,"service":"cm_hdfs","name":"all - path","policyType":0,"policyPriority":0,"description":"Policy for all - path","isAuditEnabled":true,"resources":{"path":{"values":["/*"],"isExcludes":false,"isRecursive":true}},"policyItems":[{"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true},{"type":"execute","isAllowed":true}],"users":["rangertagsync","hdfs"],"groups":["cloudera-scm","hadoop"],"roles":[],"conditions":[],"delegateAdmin":true}],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"dataMaskPolicyItems":[],"rowFilterPolicyItems":[],"serviceType":"hdfs","options":{},"validitySchedules":[],"policyLabels":[],"zoneName":"","isDenyAllElse":false}
> {code}
> And the IDE debugger tells me that the filtered policies list size is equal to 0 (org.apache.ranger.rest.PublicAPIsv2#getPolicyByName)

--
This message was sent by Atlassian Jira (v8.20.10#820010)
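
Added example (not part of the Jira message and not Ranger code): a consistency check that lists a service's policies and fetches each one back by name over the two endpoints quoted in the report, flagging any policy that is listed but not retrievable, since such a policy cannot be reviewed or updated by name. The `http_get` transport and the replayed responses are constructed for illustration; bodies are trimmed to `id` and `name`.

```python
import json
from urllib.parse import quote

BASE = "/service/public/v2/api/service"  # path prefix used by the curl calls in the report

def find_unreachable_policies(service, http_get):
    """Return listed policies of `service` that cannot be fetched back by name.

    http_get(path) -> (status, body) is a caller-supplied transport (hypothetical
    helper, e.g. a wrapper around an authenticated HTTP session).
    """
    svc = quote(service, safe="")
    status, body = http_get(f"{BASE}/{svc}/policy")
    if status != 200:
        raise RuntimeError(f"listing policies of {service!r} failed: HTTP {status}")
    findings = []
    for listed in json.loads(body):
        # quote(..., safe="") encodes 'all - keyname' as all%20-%20keyname
        path = f"{BASE}/{svc}/policy/{quote(listed['name'], safe='')}"
        status, body = http_get(path)
        if status != 200:
            problem = f"HTTP {status}"
        elif json.loads(body).get("id") != listed.get("id"):
            problem = "id mismatch"  # the name resolved to a different policy
        else:
            continue
        findings.append({"service": service, "id": listed.get("id"),
                         "name": listed["name"], "problem": problem})
    return findings

# Constructed replay of the four responses in the report, bodies trimmed to id/name.
# The by-name lookup of 'kms-audit-path' is not in the report; 200 is assumed here.
REPLAY = {
    f"{BASE}/cm_kms/policy": (200, '[{"id":41,"name":"all - keyname"}]'),
    f"{BASE}/cm_kms/policy/all%20-%20keyname": (404, "Not found"),
    f"{BASE}/cm_hdfs/policy":
        (200, '[{"id":1,"name":"all - path"},{"id":2,"name":"kms-audit-path"}]'),
    f"{BASE}/cm_hdfs/policy/all%20-%20path": (200, '{"id":1,"name":"all - path"}'),
    f"{BASE}/cm_hdfs/policy/kms-audit-path": (200, '{"id":2,"name":"kms-audit-path"}'),
}

def replay_get(path):
    return REPLAY.get(path, (404, "Not found"))

if __name__ == "__main__":
    for service in ("cm_kms", "cm_hdfs"):
        print(service, find_unreachable_policies(service, replay_get))
```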