This is an automated email from the ASF dual-hosted git repository. madhan pushed a commit to branch ranger-2.6 in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.6 by this push: new e5eabf336 RANGER-4908: updated plugin to use session cookie for all APIs e5eabf336 is described below commit e5eabf33666c87003330f6e572e705b9ce780a1e Author: Madhan Neethiraj <mad...@apache.org> AuthorDate: Thu Aug 15 18:34:50 2024 -0700 RANGER-4908: updated plugin to use session cookie for all APIs (cherry picked from commit cf2c4a536f6a027260ccf474b2bd59c0d7f6ab8d) --- .../ranger/admin/client/RangerAdminRESTClient.java | 847 +++++++-------------- .../ranger/plugin/util/RangerRESTClient.java | 143 ++-- 2 files changed, 380 insertions(+), 610 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java index cb7c510c7..b9197e029 100644 --- a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java +++ b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java @@ -26,6 +26,7 @@ import com.sun.jersey.api.client.ClientResponse; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.security.AccessControlException; import org.apache.hadoop.security.UserGroupInformation; +import org.apache.http.HttpStatus; import org.apache.ranger.admin.client.datatype.RESTResponse; import org.apache.ranger.audit.provider.MiscUtil; import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig; 
@@ -58,14 +59,9 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { private boolean supportsPolicyDeltas; private boolean supportsTagDeltas; private boolean isRangerCookieEnabled; - private String rangerAdminCookieName; - private Cookie policyDownloadSessionId = null; - private boolean isValidPolicyDownloadSessionCookie = false; - private Cookie tagDownloadSessionId = null; - private boolean isValidTagDownloadSessionCookie = false; - private Cookie roleDownloadSessionId = null; - private boolean isValidRoleDownloadSessionCookie = false; - private final String pluginCapabilities = Long.toHexString(new RangerPluginCapability().getPluginCapabilities()); + private String rangerAdminCookieName; + private Cookie sessionId = null; + private final String pluginCapabilities = Long.toHexString(new RangerPluginCapability().getPluginCapabilities()); @Override public void init(String serviceName, String appId, String propertyPrefix, Configuration config) { 
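Review bot: The new shared field is declared as a plain `private Cookie sessionId = null;`, although every API method in this commit snapshots it into a local and `checkAndResetSessionCookie()` appears, from its debug message at the end of the diff, to reset it after each call. If policy, tag and role refreshes run on separate threads (likely for a plugin, but not shown here), a reset made by one thread is not guaranteed to be visible to the others, so an invalidated cookie may keep being sent. Declaring it `private volatile Cookie sessionId;` would make the hand-off explicit. Because the cookie acts as a bearer credential towards Ranger Admin, a field comment stating that its value must never be logged would also help.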
@@ -119,12 +115,76 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { LOG.debug("==> RangerAdminRESTClient.getServicePoliciesIfUpdated(" + lastKnownVersion + ", " + lastActivationTimeInMillis + ")"); } - final ServicePolicies ret; + final ServicePolicies ret; + final UserGroupInformation user = MiscUtil.getUGILoginUser(); + final boolean isSecureMode = isKerberosEnabled(user); + final Cookie sessionId = this.sessionId; + final ClientResponse response; + + Map<String, String> queryParams = new HashMap<String, String>(); + queryParams.put(RangerRESTUtils.REST_PARAM_LAST_KNOWN_POLICY_VERSION, Long.toString(lastKnownVersion)); + queryParams.put(RangerRESTUtils.REST_PARAM_LAST_ACTIVATION_TIME, Long.toString(lastActivationTimeInMillis)); + queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId); + queryParams.put(RangerRESTUtils.REST_PARAM_CLUSTER_NAME, clusterName); + queryParams.put(RangerRESTUtils.REST_PARAM_SUPPORTS_POLICY_DELTAS, Boolean.toString(supportsPolicyDeltas)); + queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES, pluginCapabilities); + + if (isSecureMode) { + if (LOG.isDebugEnabled()) { + LOG.debug("Checking Service policy if updated as user : " + user); + } + + response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) () -> { + try { + String relativeURL = RangerRESTUtils.REST_URL_POLICY_GET_FOR_SECURE_SERVICE_IF_UPDATED + serviceNameUrlParam; + + return restClient.get(relativeURL, queryParams, sessionId); + } catch (Exception e) { + LOG.error("Failed to get response, Error is : "+e.getMessage()); + } + + return null; + }); + } else { + if (LOG.isDebugEnabled()) { + LOG.debug("Checking Service policy if updated with old api call"); + } + String relativeURL = RangerRESTUtils.REST_URL_POLICY_GET_FOR_SERVICE_IF_UPDATED + serviceNameUrlParam; + response = restClient.get(relativeURL, queryParams, sessionId); + } - if (isRangerCookieEnabled && policyDownloadSessionId != null && 
isValidPolicyDownloadSessionCookie) { - ret = getServicePoliciesIfUpdatedWithCookie(lastKnownVersion, lastActivationTimeInMillis); + checkAndResetSessionCookie(response); + + if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED || response.getStatus() == HttpServletResponse.SC_NO_CONTENT) { + if (response == null) { + LOG.error("Error getting policies; Received NULL response!!. secureMode=" + isSecureMode + ", user=" + user + ", serviceName=" + serviceName); + } else { + RESTResponse resp = RESTResponse.fromClientResponse(response); + if (LOG.isDebugEnabled()) { + LOG.debug("No change in policies. secureMode=" + isSecureMode + ", user=" + user + + ", response=" + resp + ", serviceName=" + serviceName + + ", " + "lastKnownVersion=" + lastKnownVersion + + ", " + "lastActivationTimeInMillis=" + lastActivationTimeInMillis); + } + } + ret = null; + } else if (response.getStatus() == HttpServletResponse.SC_OK) { + ret = JsonUtilsV2.readResponse(response, ServicePolicies.class); + } else if (response.getStatus() == HttpServletResponse.SC_NOT_FOUND) { + ret = null; + LOG.error("Error getting policies; service not found. secureMode=" + isSecureMode + ", user=" + user + + ", response=" + response.getStatus() + ", serviceName=" + serviceName + + ", " + "lastKnownVersion=" + lastKnownVersion + + ", " + "lastActivationTimeInMillis=" + lastActivationTimeInMillis); + String exceptionMsg = response.hasEntity() ? response.getEntity(String.class) : null; + + RangerServiceNotFoundException.throwExceptionIfServiceNotFound(serviceName, exceptionMsg); + + LOG.warn("Received 404 error code with body:[" + exceptionMsg + "], Ignoring"); } else { - ret = getServicePoliciesIfUpdatedWithCred(lastKnownVersion, lastActivationTimeInMillis); + RESTResponse resp = RESTResponse.fromClientResponse(response); + LOG.warn("Error getting policies. 
secureMode=" + isSecureMode + ", user=" + user + ", response=" + resp + ", serviceName=" + serviceName); + ret = null; } if (LOG.isDebugEnabled()) { 
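Review bot: The `catch (Exception e)` inside the privileged lambda logs only `e.getMessage()` and returns null, so the later "Received NULL response" error carries no cause and no stack trace. That null then reaches `checkAndResetSessionCookie(response)`, which, judging by its debug message at the end of this diff, resets the session on a null response, so a transient failure would silently drop the session. Logging the throwable, `LOG.error("Failed to get response", e);`, keeps the evidence an operator needs to tell an authentication failure from a network one. The same pattern is added in the roles hunk (`@@ -142,10 +202,73 @@`) and the tags hunk (`@@ -639,10 +796,69 @@`); the enclosing method starts and ends outside this hunk.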
@@ -142,10 +202,73 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { final RangerRoles ret; - if (isRangerCookieEnabled && roleDownloadSessionId != null && isValidRoleDownloadSessionCookie) { - ret = getRolesIfUpdatedWithCookie(lastKnownRoleVersion, lastActivationTimeInMillis); + final UserGroupInformation user = MiscUtil.getUGILoginUser(); + final boolean isSecureMode = isKerberosEnabled(user); + final Cookie sessionId = this.sessionId; + final ClientResponse response; + + Map<String, String> queryParams = new HashMap<String, String>(); + queryParams.put(RangerRESTUtils.REST_PARAM_LAST_KNOWN_ROLE_VERSION, Long.toString(lastKnownRoleVersion)); + queryParams.put(RangerRESTUtils.REST_PARAM_LAST_ACTIVATION_TIME, Long.toString(lastActivationTimeInMillis)); + queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId); + queryParams.put(RangerRESTUtils.REST_PARAM_CLUSTER_NAME, clusterName); + queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES, pluginCapabilities); + + if (isSecureMode) { + if (LOG.isDebugEnabled()) { + LOG.debug("Checking Roles updated as user : " + user); + } + response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) () -> { + try { + String relativeURL = RangerRESTUtils.REST_URL_SERVICE_SERCURE_GET_USER_GROUP_ROLES + serviceNameUrlParam; + + return restClient.get(relativeURL, queryParams, sessionId); + } catch (Exception e) { + LOG.error("Failed to get response, Error is : "+e.getMessage()); + } + + return null; + }); + } else { + if (LOG.isDebugEnabled()) { + LOG.debug("Checking Roles updated as user : " + user); + } + String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GET_USER_GROUP_ROLES + serviceNameUrlParam; + response = restClient.get(relativeURL, queryParams, sessionId); + } + + checkAndResetSessionCookie(response); + + if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED || response.getStatus() == HttpServletResponse.SC_NO_CONTENT) { + if 
(response == null) { + LOG.error("Error getting Roles; Received NULL response!!. secureMode=" + isSecureMode + ", user=" + user + ", serviceName=" + serviceName); + } else { + RESTResponse resp = RESTResponse.fromClientResponse(response); + if (LOG.isDebugEnabled()) { + LOG.debug("No change in Roles. secureMode=" + isSecureMode + ", user=" + user + + ", response=" + resp + ", serviceName=" + serviceName + + ", " + "lastKnownRoleVersion=" + lastKnownRoleVersion + + ", " + "lastActivationTimeInMillis=" + lastActivationTimeInMillis); + } + } + ret = null; + } else if (response.getStatus() == HttpServletResponse.SC_OK) { + ret = JsonUtilsV2.readResponse(response, RangerRoles.class); + } else if (response.getStatus() == HttpServletResponse.SC_NOT_FOUND) { + ret = null; + LOG.error("Error getting Roles; service not found. secureMode=" + isSecureMode + ", user=" + user + + ", response=" + response.getStatus() + ", serviceName=" + serviceName + + ", " + "lastKnownRoleVersion=" + lastKnownRoleVersion + + ", " + "lastActivationTimeInMillis=" + lastActivationTimeInMillis); + String exceptionMsg = response.hasEntity() ? response.getEntity(String.class) : null; + + RangerServiceNotFoundException.throwExceptionIfServiceNotFound(serviceName, exceptionMsg); + + LOG.warn("Received 404 error code with body:[" + exceptionMsg + "], Ignoring"); } else { - ret = getRolesIfUpdatedWithCred(lastKnownRoleVersion, lastActivationTimeInMillis); + RESTResponse resp = RESTResponse.fromClientResponse(response); + LOG.warn("Error getting Roles. secureMode=" + isSecureMode + ", user=" + user + ", response=" + resp + ", serviceName=" + serviceName); + ret = null; } if(LOG.isDebugEnabled()) { 
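Review bot: Both branches of the roles download log the same text, `"Checking Roles updated as user : " + user`, so the debug output cannot tell the Kerberos path from the plain one, whereas the policies hunk uses a distinct message for its non-secure branch. A separate message for the else branch, such as `LOG.debug("Checking Roles updated without Kerberos, user : " + user);`, would fix that. The request and status handling here is also a near copy of the policies and tags hunks; a private helper taking the secure and plain relative URLs, the query parameters and the target class would keep the status checks and the session-cookie reset in one place. The method body continues outside the hunk.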
@@ -167,6 +290,7 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { UserGroupInformation user = MiscUtil.getUGILoginUser(); boolean isSecureMode = isKerberosEnabled(user); String relativeURL = RangerRESTUtils.REST_URL_SERVICE_CREATE_ROLE; + Cookie sessionId = this.sessionId; Map <String, String> queryParams = new HashMap<String, String> (); queryParams.put(RangerRESTUtils.SERVICE_NAME_PARAM, serviceNameUrlParam); @@ -178,7 +302,7 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) () -> { try { - return restClient.post(relativeURL, queryParams, request); + return restClient.post(relativeURL, queryParams, request, sessionId); } catch (Exception e) { LOG.error("Failed to get response, Error is : "+e.getMessage()); } @@ -186,9 +310,11 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { return null; }); } else { - response = restClient.post(relativeURL, queryParams, request); + response = restClient.post(relativeURL, queryParams, request, sessionId); } + checkAndResetSessionCookie(response); + if(response != null && response.getStatus() != HttpServletResponse.SC_OK) { RESTResponse resp = RESTResponse.fromClientResponse(response); LOG.error("createRole() failed: HTTP status=" + response.getStatus() + ", message=" + resp.getMessage() + ", isSecure=" + isSecureMode + (isSecureMode ? (", user=" + user) : "")); @@ -219,6 +345,7 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { final ClientResponse response; UserGroupInformation user = MiscUtil.getUGILoginUser(); boolean isSecureMode = isKerberosEnabled(user); + Cookie sessionId = this.sessionId; Map<String, String> queryParams = new HashMap<String, String>(); queryParams.put(RangerRESTUtils.SERVICE_NAME_PARAM, serviceNameUrlParam); 
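Review bot: The added `Cookie sessionId = this.sessionId;` in createRole(), repeated in every other API method of this commit, has no comment, and a reader could take it for a redundant local that merely shadows the field. A one-line comment would record the intent, for example `// snapshot for the lambda: needs an effectively-final local; the field may be reset by another call`, assuming that is the reason. Naming the local differently from the field, e.g. `sessionCookie`, would also remove the shadowing. createRole() starts and ends outside these hunks.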
@@ -232,7 +359,7 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { } response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) () -> { try { - return restClient.delete(relativeURL, queryParams); + return restClient.delete(relativeURL, queryParams, sessionId); } catch (Exception e) { LOG.error("Failed to get response, Error is : "+e.getMessage()); } @@ -240,8 +367,11 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { return null; }); } else { - response = restClient.delete(relativeURL, queryParams); + response = restClient.delete(relativeURL, queryParams, sessionId); } + + checkAndResetSessionCookie(response); + if(response == null) { throw new Exception("unknown error during deleteRole. roleName=" + roleName); } else if(response.getStatus() != HttpServletResponse.SC_OK && response.getStatus() != HttpServletResponse.SC_NO_CONTENT) { @@ -272,6 +402,7 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { UserGroupInformation user = MiscUtil.getUGILoginUser(); boolean isSecureMode = isKerberosEnabled(user); String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GET_USER_ROLES + execUser; + Cookie sessionId = this.sessionId; if (isSecureMode) { if (LOG.isDebugEnabled()) { @@ -279,7 +410,7 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { } response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) () -> { try { - return restClient.get(relativeURL, null); + return restClient.get(relativeURL, null, sessionId); } catch (Exception e) { LOG.error("Failed to get response, Error is : "+e.getMessage()); } 
@@ -287,8 +418,11 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { return null; }); } else { - response = restClient.get(relativeURL, null); + response = restClient.get(relativeURL, null, sessionId); } + + checkAndResetSessionCookie(response); + if(response != null) { if (response.getStatus() != HttpServletResponse.SC_OK) { RESTResponse resp = RESTResponse.fromClientResponse(response); @@ -324,6 +458,7 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { UserGroupInformation user = MiscUtil.getUGILoginUser(); boolean isSecureMode = isKerberosEnabled(user); String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GET_ALL_ROLES; + Cookie sessionId = this.sessionId; Map<String, String> queryParams = new HashMap<String, String>(); queryParams.put(RangerRESTUtils.SERVICE_NAME_PARAM, serviceNameUrlParam); @@ -335,7 +470,7 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { } response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) () -> { try { - return restClient.get(relativeURL, queryParams); + return restClient.get(relativeURL, queryParams, sessionId); } catch (Exception e) { LOG.error("Failed to get response, Error is : "+e.getMessage()); } @@ -343,8 +478,11 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { return null; }); } else { - response = restClient.get(relativeURL, queryParams); + response = restClient.get(relativeURL, queryParams, sessionId); } + + checkAndResetSessionCookie(response); + if(response != null) { if (response.getStatus() != HttpServletResponse.SC_OK) { RESTResponse resp = RESTResponse.fromClientResponse(response); 
@@ -379,6 +517,7 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { UserGroupInformation user = MiscUtil.getUGILoginUser(); boolean isSecureMode = isKerberosEnabled(user); String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GET_ROLE_INFO + roleName; + Cookie sessionId = this.sessionId; Map<String, String> queryParams = new HashMap<String, String>(); queryParams.put(RangerRESTUtils.SERVICE_NAME_PARAM, serviceNameUrlParam); @@ -390,7 +529,7 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { } response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) () -> { try { - return restClient.get(relativeURL, queryParams); + return restClient.get(relativeURL, queryParams, sessionId); } catch (Exception e) { LOG.error("Failed to get response, Error is : "+e.getMessage()); } @@ -398,8 +537,11 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { return null; }); } else { - response = restClient.get(relativeURL, queryParams); + response = restClient.get(relativeURL, queryParams, sessionId); } + + checkAndResetSessionCookie(response); + if(response != null) { if (response.getStatus() != HttpServletResponse.SC_OK) { RESTResponse resp = RESTResponse.fromClientResponse(response); @@ -434,6 +576,7 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { UserGroupInformation user = MiscUtil.getUGILoginUser(); boolean isSecureMode = isKerberosEnabled(user); String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GRANT_ROLE + serviceNameUrlParam; + Cookie sessionId = this.sessionId; if (isSecureMode) { if (LOG.isDebugEnabled()) { 
@@ -441,7 +584,7 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { } response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) () -> { try { - return restClient.put(relativeURL, null, request); + return restClient.put(relativeURL, request, sessionId); } catch (Exception e) { LOG.error("Failed to get response, Error is : "+e.getMessage()); } @@ -449,8 +592,11 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { return null; }); } else { - response = restClient.put(relativeURL, null, request); + response = restClient.put(relativeURL, request, sessionId); } + + checkAndResetSessionCookie(response); + if(response != null && response.getStatus() != HttpServletResponse.SC_OK) { RESTResponse resp = RESTResponse.fromClientResponse(response); LOG.error("grantRole() failed: HTTP status=" + response.getStatus() + ", message=" + resp.getMessage() + ", isSecure=" + isSecureMode + (isSecureMode ? (", user=" + user) : "")); @@ -479,6 +625,7 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { UserGroupInformation user = MiscUtil.getUGILoginUser(); boolean isSecureMode = isKerberosEnabled(user); String relativeURL = RangerRESTUtils.REST_URL_SERVICE_REVOKE_ROLE + serviceNameUrlParam; + Cookie sessionId = this.sessionId; if (isSecureMode) { if (LOG.isDebugEnabled()) { @@ -486,7 +633,7 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { } response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) () -> { try { - return restClient.put(relativeURL, null, request); + return restClient.put(relativeURL, request, sessionId); } catch (Exception e) { LOG.error("Failed to get response, Error is : "+e.getMessage()); } 
@@ -494,8 +641,11 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { return null; }); } else { - response = restClient.put(relativeURL, null, request); + response = restClient.put(relativeURL, request, sessionId); } + + checkAndResetSessionCookie(response); + if(response != null && response.getStatus() != HttpServletResponse.SC_OK) { RESTResponse resp = RESTResponse.fromClientResponse(response); LOG.error("revokeRole() failed: HTTP status=" + response.getStatus() + ", message=" + resp.getMessage() + ", isSecure=" + isSecureMode + (isSecureMode ? (", user=" + user) : "")); @@ -523,6 +673,7 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { final ClientResponse response; UserGroupInformation user = MiscUtil.getUGILoginUser(); boolean isSecureMode = isKerberosEnabled(user); + Cookie sessionId = this.sessionId; Map<String, String> queryParams = new HashMap<String, String>(); queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId); @@ -535,7 +686,7 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { try { String relativeURL = RangerRESTUtils.REST_URL_SECURE_SERVICE_GRANT_ACCESS + serviceNameUrlParam; - return restClient.post(relativeURL, queryParams, request); + return restClient.post(relativeURL, queryParams, request, sessionId); } catch (Exception e) { LOG.error("Failed to get response, Error is : "+e.getMessage()); } 
@@ -544,8 +695,11 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { }); } else { String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GRANT_ACCESS + serviceNameUrlParam; - response = restClient.post(relativeURL, queryParams, request); + response = restClient.post(relativeURL, queryParams, request, sessionId); } + + checkAndResetSessionCookie(response); + if(response != null && response.getStatus() != HttpServletResponse.SC_OK) { RESTResponse resp = RESTResponse.fromClientResponse(response); LOG.error("grantAccess() failed: HTTP status=" + response.getStatus() + ", message=" + resp.getMessage() + ", isSecure=" + isSecureMode + (isSecureMode ? (", user=" + user) : "")); @@ -573,6 +727,7 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { final ClientResponse response; UserGroupInformation user = MiscUtil.getUGILoginUser(); boolean isSecureMode = isKerberosEnabled(user); + Cookie sessionId = this.sessionId; Map<String, String> queryParams = new HashMap<String, String>(); queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId); @@ -585,7 +740,7 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { try { String relativeURL = RangerRESTUtils.REST_URL_SECURE_SERVICE_REVOKE_ACCESS + serviceNameUrlParam; - return restClient.post(relativeURL, queryParams, request); + return restClient.post(relativeURL, queryParams, request, sessionId); } catch (Exception e) { LOG.error("Failed to get response, Error is : "+e.getMessage()); } 
@@ -594,9 +749,11 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { }); } else { String relativeURL = RangerRESTUtils.REST_URL_SERVICE_REVOKE_ACCESS + serviceNameUrlParam; - response = restClient.post(relativeURL, queryParams, request); + response = restClient.post(relativeURL, queryParams, request, sessionId); } + checkAndResetSessionCookie(response); + if(response != null && response.getStatus() != HttpServletResponse.SC_OK) { RESTResponse resp = RESTResponse.fromClientResponse(response); LOG.error("revokeAccess() failed: HTTP status=" + response.getStatus() + ", message=" + resp.getMessage() + ", isSecure=" + isSecureMode + (isSecureMode ? (", user=" + user) : "")); 
@@ -639,10 +796,69 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { final ServiceTags ret; - if (isRangerCookieEnabled && tagDownloadSessionId != null && isValidTagDownloadSessionCookie) { - ret = getServiceTagsIfUpdatedWithCookie(lastKnownVersion, lastActivationTimeInMillis); + final UserGroupInformation user = MiscUtil.getUGILoginUser(); + final boolean isSecureMode = isKerberosEnabled(user); + final ClientResponse response; + final Cookie sessionId = this.sessionId; + + Map<String, String> queryParams = new HashMap<String, String>(); + queryParams.put(RangerRESTUtils.LAST_KNOWN_TAG_VERSION_PARAM, Long.toString(lastKnownVersion)); + queryParams.put(RangerRESTUtils.REST_PARAM_LAST_ACTIVATION_TIME, Long.toString(lastActivationTimeInMillis)); + queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId); + queryParams.put(RangerRESTUtils.REST_PARAM_SUPPORTS_TAG_DELTAS, Boolean.toString(supportsTagDeltas)); + queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES, pluginCapabilities); + + if (isSecureMode) { + if (LOG.isDebugEnabled()) { + LOG.debug("getServiceTagsIfUpdated as user " + user); + } + response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) () -> { + try { + String relativeURL = RangerRESTUtils.REST_URL_GET_SECURE_SERVICE_TAGS_IF_UPDATED + serviceNameUrlParam; + + return restClient.get(relativeURL, queryParams, sessionId); + } catch (Exception e) { + LOG.error("Failed to get response, Error is : "+e.getMessage()); + } + + return null; + }); + } else { + String relativeURL = RangerRESTUtils.REST_URL_GET_SERVICE_TAGS_IF_UPDATED + serviceNameUrlParam; + response = restClient.get(relativeURL, queryParams, sessionId); + } + + checkAndResetSessionCookie(response); + + if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED) { + if (response == null) { + LOG.error("Error getting tags; Received NULL response!!. 
secureMode=" + isSecureMode + ", user=" + user + ", serviceName=" + serviceName); + } else { + RESTResponse resp = RESTResponse.fromClientResponse(response); + if (LOG.isDebugEnabled()) { + LOG.debug("No change in tags. secureMode=" + isSecureMode + ", user=" + user + + ", response=" + resp + ", serviceName=" + serviceName + + ", " + "lastKnownVersion=" + lastKnownVersion + + ", " + "lastActivationTimeInMillis=" + lastActivationTimeInMillis); + } + } + ret = null; + } else if (response.getStatus() == HttpServletResponse.SC_OK) { + ret = JsonUtilsV2.readResponse(response, ServiceTags.class); + } else if (response.getStatus() == HttpServletResponse.SC_NOT_FOUND) { + ret = null; + LOG.error("Error getting tags; service not found. secureMode=" + isSecureMode + ", user=" + user + + ", response=" + response.getStatus() + ", serviceName=" + serviceName + + ", " + "lastKnownVersion=" + lastKnownVersion + + ", " + "lastActivationTimeInMillis=" + lastActivationTimeInMillis); + + String exceptionMsg = response.hasEntity() ? response.getEntity(String.class) : null; + RangerServiceNotFoundException.throwExceptionIfServiceNotFound(serviceName, exceptionMsg); + LOG.warn("Received 404 error code with body:[" + exceptionMsg + "], Ignoring"); } else { - ret = getServiceTagsIfUpdatedWithCred(lastKnownVersion, lastActivationTimeInMillis); + RESTResponse resp = RESTResponse.fromClientResponse(response); + LOG.warn("Error getting tags. secureMode=" + isSecureMode + ", user=" + user + ", response=" + resp + ", serviceName=" + serviceName); + ret = null; } if(LOG.isDebugEnabled()) { @@ -662,6 +878,7 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { String emptyString = ""; UserGroupInformation user = MiscUtil.getUGILoginUser(); boolean isSecureMode = isKerberosEnabled(user); + Cookie sessionId = this.sessionId; Map<String, String> queryParams = new HashMap<String, String>(); queryParams.put(RangerRESTUtils.SERVICE_NAME_PARAM, serviceNameUrlParam); 
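Review bot: The tags download treats only `SC_NOT_MODIFIED` as "no change", while the policies and roles downloads added in this commit also accept `SC_NO_CONTENT`; a 204 for tags would fall through to the final branch and be logged as `Error getting tags`. If Ranger Admin can answer 204 on this endpoint (not visible here), the condition should match the other two: `if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED || response.getStatus() == HttpServletResponse.SC_NO_CONTENT) {`. The enclosing method starts and ends outside the hunk.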
@@ -675,7 +892,7 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { } response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) () -> { try { - return restClient.get(relativeURL, queryParams); + return restClient.get(relativeURL, queryParams, sessionId); } catch (Exception e) { LOG.error("Failed to get response, Error is : "+e.getMessage()); } @@ -683,9 +900,11 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { return null; }); } else { - response = restClient.get(relativeURL, queryParams); + response = restClient.get(relativeURL, queryParams, sessionId); } + checkAndResetSessionCookie(response); + if(response != null && response.getStatus() == HttpServletResponse.SC_OK) { ret = JsonUtilsV2.readResponse(response, TYPE_LIST_STRING); } else { @@ -711,6 +930,7 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { final UserGroupInformation user = MiscUtil.getUGILoginUser(); final boolean isSecureMode = isKerberosEnabled(user); final ClientResponse response; + final Cookie sessionId = this.sessionId; Map<String, String> queryParams = new HashMap<String, String>(); queryParams.put(RangerRESTUtils.REST_PARAM_LAST_KNOWN_USERSTORE_VERSION, Long.toString(lastKnownUserStoreVersion)); @@ -727,7 +947,7 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { try { String relativeURL = RangerRESTUtils.REST_URL_SERVICE_SERCURE_GET_USERSTORE + serviceNameUrlParam; - return restClient.get(relativeURL, queryParams); + return restClient.get(relativeURL, queryParams, sessionId); } catch (Exception e) { LOG.error("Failed to get response, Error is : "+e.getMessage()); } 
@@ -739,9 +959,11 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { LOG.debug("Checking UserStore updated as user : " + user); } String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GET_USERSTORE + serviceNameUrlParam; - response = restClient.get(relativeURL, queryParams); + response = restClient.get(relativeURL, queryParams, sessionId); } + checkAndResetSessionCookie(response); + if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED) { if (response == null) { LOG.error("Error getting UserStore; Received NULL response!!. secureMode=" + isSecureMode + ", user=" + user + ", serviceName=" + serviceName); 
@@ -781,542 +1003,37 @@ public class RangerAdminRESTClient extends AbstractRangerAdminClient { return ret; } - /* Policies Download ranger admin rest call methods */ - private ServicePolicies getServicePoliciesIfUpdatedWithCred(final long lastKnownVersion, final long lastActivationTimeInMillis) throws Exception { - if (LOG.isDebugEnabled()) { - LOG.debug("==> RangerAdminRESTClient.getServicePoliciesIfUpdatedWithCred(" + lastKnownVersion + ", " + lastActivationTimeInMillis + ")"); - } - - final ServicePolicies ret; - - final UserGroupInformation user = MiscUtil.getUGILoginUser(); - final boolean isSecureMode = isKerberosEnabled(user); - final ClientResponse response = getRangerAdminPolicyDownloadResponse(lastKnownVersion, lastActivationTimeInMillis, user, isSecureMode); - - if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED || response.getStatus() == HttpServletResponse.SC_NO_CONTENT) { + private void checkAndResetSessionCookie(ClientResponse response) { + if (isRangerCookieEnabled) { if (response == null) { - policyDownloadSessionId = null; - LOG.error("Error getting policies; Received NULL response!!. secureMode=" + isSecureMode + ", user=" + user + ", serviceName=" + serviceName); - } else { - setCookieReceivedFromCredSession(response); - RESTResponse resp = RESTResponse.fromClientResponse(response); - if (LOG.isDebugEnabled()) { - LOG.debug("No change in policies. secureMode=" + isSecureMode + ", user=" + user + ", response=" + resp + ", serviceName=" + serviceName); - } - } - ret = null; - } else if (response.getStatus() == HttpServletResponse.SC_OK) { - setCookieReceivedFromCredSession(response); - ret = JsonUtilsV2.readResponse(response, ServicePolicies.class); - } else if (response.getStatus() == HttpServletResponse.SC_NOT_FOUND) { - policyDownloadSessionId = null; - ret = null; - LOG.error("Error getting policies; service not found. 
secureMode=" + isSecureMode + ", user=" + user - + ", response=" + response.getStatus() + ", serviceName=" + serviceName - + ", " + "lastKnownVersion=" + lastKnownVersion - + ", " + "lastActivationTimeInMillis=" + lastActivationTimeInMillis); - String exceptionMsg = response.hasEntity() ? response.getEntity(String.class) : null; - RangerServiceNotFoundException.throwExceptionIfServiceNotFound(serviceName, exceptionMsg); - LOG.warn("Received 404 error code with body:[" + exceptionMsg + "], Ignoring"); - } else { - policyDownloadSessionId = null; - ret = null; - RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.warn("Error getting policies. secureMode=" + isSecureMode + ", user=" + user + ", response=" + resp + ", serviceName=" + serviceName); - } - - if (LOG.isDebugEnabled()) { - LOG.debug("<== RangerAdminRESTClient.getServicePoliciesIfUpdatedWithCred(" + lastKnownVersion + ", " + lastActivationTimeInMillis + "): " + ret); - } - - return ret; - } - - private ServicePolicies getServicePoliciesIfUpdatedWithCookie(final long lastKnownVersion, final long lastActivationTimeInMillis) throws Exception { - if (LOG.isDebugEnabled()) { - LOG.debug("==> RangerAdminRESTClient.getServicePoliciesIfUpdatedWithCookie(" + lastKnownVersion + ", " + lastActivationTimeInMillis + ")"); - } - - final ServicePolicies ret; - - final UserGroupInformation user = MiscUtil.getUGILoginUser(); - final boolean isSecureMode = isKerberosEnabled(user); - final ClientResponse response = getRangerAdminPolicyDownloadResponse(lastKnownVersion, lastActivationTimeInMillis, user, isSecureMode); + LOG.debug("checkAndResetSessionCookie(): RESETTING sessionId - response is null"); - if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED || response.getStatus() == HttpServletResponse.SC_NO_CONTENT) { - if (response == null) { - policyDownloadSessionId = null; - isValidPolicyDownloadSessionCookie = false; - LOG.error("Error getting policies; Received NULL 
response!!. secureMode=" + isSecureMode + ", user=" + user + ", serviceName=" + serviceName); + sessionId = null; } else { - checkAndResetSessionCookie(response); - RESTResponse resp = RESTResponse.fromClientResponse(response); - if (LOG.isDebugEnabled()) { - LOG.debug("No change in policies. secureMode=" + isSecureMode + ", user=" + user + ", response=" + resp + ", serviceName=" + serviceName); - } - } - ret = null; - } else if (response.getStatus() == HttpServletResponse.SC_OK) { - checkAndResetSessionCookie(response); - ret = JsonUtilsV2.readResponse(response, ServicePolicies.class); - } else if (response.getStatus() == HttpServletResponse.SC_NOT_FOUND) { - policyDownloadSessionId = null; - isValidPolicyDownloadSessionCookie = false; - ret = null; - LOG.error("Error getting policies; service not found. secureMode=" + isSecureMode + ", user=" + user - + ", response=" + response.getStatus() + ", serviceName=" + serviceName - + ", " + "lastKnownVersion=" + lastKnownVersion - + ", " + "lastActivationTimeInMillis=" + lastActivationTimeInMillis); - String exceptionMsg = response.hasEntity() ? response.getEntity(String.class) : null; - RangerServiceNotFoundException.throwExceptionIfServiceNotFound(serviceName, exceptionMsg); - LOG.warn("Received 404 error code with body:[" + exceptionMsg + "], Ignoring"); - } else { - policyDownloadSessionId = null; - isValidPolicyDownloadSessionCookie = false; - ret = null; - RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.warn("Error getting policies. 
secureMode=" + isSecureMode + ", user=" + user + ", response=" + resp + ", serviceName=" + serviceName); - } + int status = response.getStatus(); - if (LOG.isDebugEnabled()) { - LOG.debug("<== RangerAdminRESTClient.getServicePoliciesIfUpdatedWithCookie(" + lastKnownVersion + ", " + lastActivationTimeInMillis + "): " + ret); - } + if (status == HttpStatus.SC_OK || status == HttpStatus.SC_NO_CONTENT || status == HttpStatus.SC_NOT_MODIFIED) { + Cookie newCookie = null; - return ret; - } + for (NewCookie cookie : response.getCookies()) { + if (cookie.getName().equalsIgnoreCase(rangerAdminCookieName)) { + newCookie = cookie; - private ClientResponse getRangerAdminPolicyDownloadResponse(final long lastKnownVersion, final long lastActivationTimeInMillis, final UserGroupInformation user, final boolean isSecureMode) throws Exception { - if (LOG.isDebugEnabled()) { - LOG.debug("==> RangerAdminRESTClient.getRangerAdminPolicyDownloadResponse(" + lastKnownVersion + ", " + lastActivationTimeInMillis + ")"); - } + break; + } + } - final ClientResponse ret; + if (sessionId == null || newCookie != null) { + LOG.debug("checkAndResetSessionCookie(): status={}, sessionIdCookie={}, newCookie={}", status, sessionId, newCookie); - Map<String, String> queryParams = new HashMap<String, String>(); - queryParams.put(RangerRESTUtils.REST_PARAM_LAST_KNOWN_POLICY_VERSION, Long.toString(lastKnownVersion)); - queryParams.put(RangerRESTUtils.REST_PARAM_LAST_ACTIVATION_TIME, Long.toString(lastActivationTimeInMillis)); - queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId); - queryParams.put(RangerRESTUtils.REST_PARAM_CLUSTER_NAME, clusterName); - queryParams.put(RangerRESTUtils.REST_PARAM_SUPPORTS_POLICY_DELTAS, Boolean.toString(supportsPolicyDeltas)); - queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES, pluginCapabilities); - - if (isSecureMode) { - if (LOG.isDebugEnabled()) { - LOG.debug("Checking Service policy if updated as user : " + user); - } - ret = 
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) () -> { - try { - String relativeURL = RangerRESTUtils.REST_URL_POLICY_GET_FOR_SECURE_SERVICE_IF_UPDATED + serviceNameUrlParam; - - return restClient.get(relativeURL, queryParams, policyDownloadSessionId); - } catch (Exception e) { - LOG.error("Failed to get response, Error is : "+e.getMessage()); - } - - return null; - }); - } else { - if (LOG.isDebugEnabled()) { - LOG.debug("Checking Service policy if updated with old api call"); - } - String relativeURL = RangerRESTUtils.REST_URL_POLICY_GET_FOR_SERVICE_IF_UPDATED + serviceNameUrlParam; - ret = restClient.get(relativeURL, queryParams, policyDownloadSessionId); - } - - if (LOG.isDebugEnabled()) { - LOG.debug("<== RangerAdminRESTClient.getRangerAdminPolicyDownloadResponse(" + lastKnownVersion + ", " + lastActivationTimeInMillis + "): " + ret); - } - - return ret; - } - - private void checkAndResetSessionCookie(ClientResponse response) { - List<NewCookie> respCookieList = response.getCookies(); - for (NewCookie respCookie : respCookieList) { - if (respCookie.getName().equalsIgnoreCase(rangerAdminCookieName)) { - policyDownloadSessionId = respCookie; - isValidPolicyDownloadSessionCookie = (policyDownloadSessionId != null); - break; - } - } - } - - private void setCookieReceivedFromCredSession(ClientResponse clientResponse) { - if (isRangerCookieEnabled) { - Cookie sessionCookie = null; - List<NewCookie> cookieList = clientResponse.getCookies(); - // save cookie received from credentials session login - for (NewCookie cookie : cookieList) { - if (cookie.getName().equalsIgnoreCase(rangerAdminCookieName)) { - sessionCookie = cookie.toCookie(); - break; - } - } - policyDownloadSessionId = sessionCookie; - isValidPolicyDownloadSessionCookie = (policyDownloadSessionId != null); - } - } - - /* Tags Download ranger admin rest call */ - private ServiceTags getServiceTagsIfUpdatedWithCred(final long lastKnownVersion, final long 
lastActivationTimeInMillis) throws Exception { - if (LOG.isDebugEnabled()) { - LOG.debug("==> RangerAdminRESTClient.getServiceTagsIfUpdatedWithCred(" + lastKnownVersion + ", " + lastActivationTimeInMillis + ")"); - } - - final ServiceTags ret; - - final UserGroupInformation user = MiscUtil.getUGILoginUser(); - final boolean isSecureMode = isKerberosEnabled(user); - final ClientResponse response = getRangerAdminTagDownloadResponse(lastKnownVersion, lastActivationTimeInMillis, user, isSecureMode); - - if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED) { - if (response == null) { - tagDownloadSessionId = null; - LOG.error("Error getting tags; Received NULL response!!. secureMode=" + isSecureMode + ", user=" + user + ", serviceName=" + serviceName); - } else { - setCookieReceivedFromTagDownloadSession(response); - RESTResponse resp = RESTResponse.fromClientResponse(response); - if (LOG.isDebugEnabled()) { - LOG.debug("No change in tags. secureMode=" + isSecureMode + ", user=" + user - + ", response=" + resp + ", serviceName=" + serviceName - + ", " + "lastKnownVersion=" + lastKnownVersion - + ", " + "lastActivationTimeInMillis=" + lastActivationTimeInMillis); - } - } - ret = null; - } else if (response.getStatus() == HttpServletResponse.SC_OK) { - setCookieReceivedFromTagDownloadSession(response); - ret = JsonUtilsV2.readResponse(response, ServiceTags.class); - } else if (response.getStatus() == HttpServletResponse.SC_NOT_FOUND) { - tagDownloadSessionId = null; - ret = null; - LOG.error("Error getting tags; service not found. secureMode=" + isSecureMode + ", user=" + user - + ", response=" + response.getStatus() + ", serviceName=" + serviceName - + ", " + "lastKnownVersion=" + lastKnownVersion - + ", " + "lastActivationTimeInMillis=" + lastActivationTimeInMillis); - - String exceptionMsg = response.hasEntity() ? 
response.getEntity(String.class) : null; - RangerServiceNotFoundException.throwExceptionIfServiceNotFound(serviceName, exceptionMsg); - LOG.warn("Received 404 error code with body:[" + exceptionMsg + "], Ignoring"); - } else { - RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.warn("Error getting tags. secureMode=" + isSecureMode + ", user=" + user + ", response=" + resp + ", serviceName=" + serviceName); - tagDownloadSessionId = null; - ret = null; - } - - if (LOG.isDebugEnabled()) { - LOG.debug("<== RangerAdminRESTClient.getServiceTagsIfUpdatedWithCred(" + lastKnownVersion + ", " + lastActivationTimeInMillis + "): " + ret); - } - - return ret; - } - - private ServiceTags getServiceTagsIfUpdatedWithCookie(final long lastKnownVersion, final long lastActivationTimeInMillis) throws Exception { - if (LOG.isDebugEnabled()) { - LOG.debug("==> RangerAdminRESTClient.getServiceTagsIfUpdatedWithCookie(" + lastKnownVersion + ", " + lastActivationTimeInMillis + ")"); - } - - final ServiceTags ret; - - final UserGroupInformation user = MiscUtil.getUGILoginUser(); - final boolean isSecureMode = isKerberosEnabled(user); - final ClientResponse response = getRangerAdminTagDownloadResponse(lastKnownVersion, lastActivationTimeInMillis, user, isSecureMode); - - if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED) { - if (response == null) { - tagDownloadSessionId = null; - isValidTagDownloadSessionCookie = false; - LOG.error("Error getting tags; Received NULL response!!. secureMode=" + isSecureMode + ", user=" + user + ", serviceName=" + serviceName); - } else { - checkAndResetTagDownloadSessionCookie(response); - RESTResponse resp = RESTResponse.fromClientResponse(response); - if (LOG.isDebugEnabled()) { - LOG.debug("No change in tags. 
secureMode=" + isSecureMode + ", user=" + user - + ", response=" + resp + ", serviceName=" + serviceName - + ", " + "lastKnownVersion=" + lastKnownVersion - + ", " + "lastActivationTimeInMillis=" + lastActivationTimeInMillis); - } - } - ret = null; - } else if (response.getStatus() == HttpServletResponse.SC_OK) { - checkAndResetTagDownloadSessionCookie(response); - ret = JsonUtilsV2.readResponse(response, ServiceTags.class); - } else if (response.getStatus() == HttpServletResponse.SC_NOT_FOUND) { - tagDownloadSessionId = null; - isValidTagDownloadSessionCookie = false; - ret = null; - LOG.error("Error getting tags; service not found. secureMode=" + isSecureMode + ", user=" + user - + ", response=" + response.getStatus() + ", serviceName=" + serviceName - + ", " + "lastKnownVersion=" + lastKnownVersion - + ", " + "lastActivationTimeInMillis=" + lastActivationTimeInMillis); - - String exceptionMsg = response.hasEntity() ? response.getEntity(String.class) : null; - RangerServiceNotFoundException.throwExceptionIfServiceNotFound(serviceName, exceptionMsg); - LOG.warn("Received 404 error code with body:[" + exceptionMsg + "], Ignoring"); - } else { - RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.warn("Error getting tags. 
secureMode=" + isSecureMode + ", user=" + user + ", response=" + resp + ", serviceName=" + serviceName); - tagDownloadSessionId = null; - isValidTagDownloadSessionCookie = false; - ret = null; - } - - if (LOG.isDebugEnabled()) { - LOG.debug("<== RangerAdminRESTClient.getServiceTagsIfUpdatedWithCookie(" + lastKnownVersion + ", " + lastActivationTimeInMillis + "): " + ret); - } - - return ret; - } - - private ClientResponse getRangerAdminTagDownloadResponse(final long lastKnownVersion, final long lastActivationTimeInMillis, final UserGroupInformation user, final boolean isSecureMode) throws Exception { - if (LOG.isDebugEnabled()) { - LOG.debug("==> RangerAdminRESTClient.getRangerAdminTagDownloadResponse(" + lastKnownVersion + ", " + lastActivationTimeInMillis + ")"); - } - - final ClientResponse ret; - - Map<String, String> queryParams = new HashMap<String, String>(); - queryParams.put(RangerRESTUtils.LAST_KNOWN_TAG_VERSION_PARAM, Long.toString(lastKnownVersion)); - queryParams.put(RangerRESTUtils.REST_PARAM_LAST_ACTIVATION_TIME, Long.toString(lastActivationTimeInMillis)); - queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId); - queryParams.put(RangerRESTUtils.REST_PARAM_SUPPORTS_TAG_DELTAS, Boolean.toString(supportsTagDeltas)); - queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES, pluginCapabilities); - - if (isSecureMode) { - if (LOG.isDebugEnabled()) { - LOG.debug("getServiceTagsIfUpdated as user " + user); - } - ret = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) () -> { - try { - String relativeURL = RangerRESTUtils.REST_URL_GET_SECURE_SERVICE_TAGS_IF_UPDATED + serviceNameUrlParam; - - return restClient.get(relativeURL, queryParams, tagDownloadSessionId); - } catch (Exception e) { - LOG.error("Failed to get response, Error is : "+e.getMessage()); - } - - return null; - }); - } else { - String relativeURL = RangerRESTUtils.REST_URL_GET_SERVICE_TAGS_IF_UPDATED + serviceNameUrlParam; - ret = 
restClient.get(relativeURL, queryParams); - } - - if (LOG.isDebugEnabled()) { - LOG.debug("<== RangerAdminRESTClient.getRangerAdminTagDownloadResponse(" + lastKnownVersion + ", " + lastActivationTimeInMillis + "): " + ret); - } - - return ret; - } - - private void checkAndResetTagDownloadSessionCookie(ClientResponse response) { - List<NewCookie> respCookieList = response.getCookies(); - for (NewCookie respCookie : respCookieList) { - if (respCookie.getName().equalsIgnoreCase(rangerAdminCookieName)) { - tagDownloadSessionId = respCookie; - isValidTagDownloadSessionCookie = (tagDownloadSessionId != null); - break; - } - } - } - - private void setCookieReceivedFromTagDownloadSession(ClientResponse clientResponse) { - if (isRangerCookieEnabled) { - Cookie sessionCookie = null; - List<NewCookie> cookieList = clientResponse.getCookies(); - // save cookie received from credentials session login - for (NewCookie cookie : cookieList) { - if (cookie.getName().equalsIgnoreCase(rangerAdminCookieName)) { - sessionCookie = cookie.toCookie(); - break; - } - } - tagDownloadSessionId = sessionCookie; - isValidTagDownloadSessionCookie = (tagDownloadSessionId != null); - } - } - - /* Roles Download ranger admin rest call methods */ - private RangerRoles getRolesIfUpdatedWithCred(final long lastKnownRoleVersion, final long lastActivationTimeInMillis) throws Exception { - if (LOG.isDebugEnabled()) { - LOG.debug("==> RangerAdminRESTClient.getRolesIfUpdatedWithCred(" + lastKnownRoleVersion + ", " + lastActivationTimeInMillis + ")"); - } - - final RangerRoles ret; - - final UserGroupInformation user = MiscUtil.getUGILoginUser(); - final boolean isSecureMode = isKerberosEnabled(user); - final ClientResponse response = getRangerRolesDownloadResponse(lastKnownRoleVersion, lastActivationTimeInMillis, user, isSecureMode); - - if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED || response.getStatus() == HttpServletResponse.SC_NO_CONTENT) { - if (response == 
null) { - roleDownloadSessionId = null; - LOG.error("Error getting Roles; Received NULL response!!. secureMode=" + isSecureMode + ", user=" + user + ", serviceName=" + serviceName); - } else { - setCookieReceivedFromRoleDownloadSession(response); - RESTResponse resp = RESTResponse.fromClientResponse(response); - if (LOG.isDebugEnabled()) { - LOG.debug("No change in Roles. secureMode=" + isSecureMode + ", user=" + user - + ", response=" + resp + ", serviceName=" + serviceName - + ", " + "lastKnownRoleVersion=" + lastKnownRoleVersion - + ", " + "lastActivationTimeInMillis=" + lastActivationTimeInMillis); - } - } - ret = null; - } else if (response.getStatus() == HttpServletResponse.SC_OK) { - setCookieReceivedFromRoleDownloadSession(response); - ret = JsonUtilsV2.readResponse(response, RangerRoles.class); - } else if (response.getStatus() == HttpServletResponse.SC_NOT_FOUND) { - roleDownloadSessionId = null; - ret = null; - LOG.error("Error getting Roles; service not found. secureMode=" + isSecureMode + ", user=" + user - + ", response=" + response.getStatus() + ", serviceName=" + serviceName - + ", " + "lastKnownRoleVersion=" + lastKnownRoleVersion - + ", " + "lastActivationTimeInMillis=" + lastActivationTimeInMillis); - String exceptionMsg = response.hasEntity() ? response.getEntity(String.class) : null; - - RangerServiceNotFoundException.throwExceptionIfServiceNotFound(serviceName, exceptionMsg); - - LOG.warn("Received 404 error code with body:[" + exceptionMsg + "], Ignoring"); - } else { - RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.warn("Error getting Roles. 
secureMode=" + isSecureMode + ", user=" + user + ", response=" + resp + ", serviceName=" + serviceName); - roleDownloadSessionId = null; - ret = null; - } - - if (LOG.isDebugEnabled()) { - LOG.debug("<== RangerAdminRESTClient.getRolesIfUpdatedWithCred(" + lastKnownRoleVersion + ", " + lastActivationTimeInMillis + "): " + ret); - } - - return ret; - } - - private RangerRoles getRolesIfUpdatedWithCookie(final long lastKnownRoleVersion, final long lastActivationTimeInMillis) throws Exception { - if (LOG.isDebugEnabled()) { - LOG.debug("==> RangerAdminRESTClient.getRolesIfUpdatedWithCookie(" + lastKnownRoleVersion + ", " + lastActivationTimeInMillis + ")"); - } - - final RangerRoles ret; - - final UserGroupInformation user = MiscUtil.getUGILoginUser(); - final boolean isSecureMode = isKerberosEnabled(user); - final ClientResponse response = getRangerRolesDownloadResponse(lastKnownRoleVersion, lastActivationTimeInMillis, user, isSecureMode); - - if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED || response.getStatus() == HttpServletResponse.SC_NO_CONTENT) { - if (response == null) { - roleDownloadSessionId = null; - isValidRoleDownloadSessionCookie = false; - LOG.error("Error getting Roles; Received NULL response!!. secureMode=" + isSecureMode + ", user=" + user + ", serviceName=" + serviceName); - } else { - checkAndResetRoleDownloadSessionCookie(response); - RESTResponse resp = RESTResponse.fromClientResponse(response); - if (LOG.isDebugEnabled()) { - LOG.debug("No change in Roles. 
secureMode=" + isSecureMode + ", user=" + user - + ", response=" + resp + ", serviceName=" + serviceName - + ", " + "lastKnownRoleVersion=" + lastKnownRoleVersion - + ", " + "lastActivationTimeInMillis=" + lastActivationTimeInMillis); - } - } - ret = null; - } else if (response.getStatus() == HttpServletResponse.SC_OK) { - checkAndResetRoleDownloadSessionCookie(response); - ret = JsonUtilsV2.readResponse(response, RangerRoles.class); - } else if (response.getStatus() == HttpServletResponse.SC_NOT_FOUND) { - roleDownloadSessionId = null; - isValidRoleDownloadSessionCookie = false; - ret = null; - LOG.error("Error getting Roles; service not found. secureMode=" + isSecureMode + ", user=" + user - + ", response=" + response.getStatus() + ", serviceName=" + serviceName - + ", " + "lastKnownRoleVersion=" + lastKnownRoleVersion - + ", " + "lastActivationTimeInMillis=" + lastActivationTimeInMillis); - String exceptionMsg = response.hasEntity() ? response.getEntity(String.class) : null; - RangerServiceNotFoundException.throwExceptionIfServiceNotFound(serviceName, exceptionMsg); - LOG.warn("Received 404 error code with body:[" + exceptionMsg + "], Ignoring"); - } else { - RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.warn("Error getting Roles. 
secureMode=" + isSecureMode + ", user=" + user + ", response=" + resp + ", serviceName=" + serviceName); - roleDownloadSessionId = null; - isValidRoleDownloadSessionCookie = false; - ret = null; - } - - if (LOG.isDebugEnabled()) { - LOG.debug("<== RangerAdminRESTClient.getRolesIfUpdatedWithCookie(" + lastKnownRoleVersion + ", " + lastActivationTimeInMillis + "): " + ret); - } - - return ret; - } - - private ClientResponse getRangerRolesDownloadResponse(final long lastKnownRoleVersion, final long lastActivationTimeInMillis, final UserGroupInformation user, final boolean isSecureMode) throws Exception { - if (LOG.isDebugEnabled()) { - LOG.debug("==> RangerAdminRESTClient.getRangerRolesDownloadResponse(" + lastKnownRoleVersion + ", " + lastActivationTimeInMillis + ")"); - } - - final ClientResponse ret; - - Map<String, String> queryParams = new HashMap<String, String>(); - queryParams.put(RangerRESTUtils.REST_PARAM_LAST_KNOWN_ROLE_VERSION, Long.toString(lastKnownRoleVersion)); - queryParams.put(RangerRESTUtils.REST_PARAM_LAST_ACTIVATION_TIME, Long.toString(lastActivationTimeInMillis)); - queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId); - queryParams.put(RangerRESTUtils.REST_PARAM_CLUSTER_NAME, clusterName); - queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES, pluginCapabilities); - - if (isSecureMode) { - if (LOG.isDebugEnabled()) { - LOG.debug("Checking Roles updated as user : " + user); - } - ret = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) () -> { - try { - String relativeURL = RangerRESTUtils.REST_URL_SERVICE_SERCURE_GET_USER_GROUP_ROLES + serviceNameUrlParam; - - return restClient.get(relativeURL, queryParams, roleDownloadSessionId); - } catch (Exception e) { - LOG.error("Failed to get response, Error is : "+e.getMessage()); - } - - return null; - }); - } else { - if (LOG.isDebugEnabled()) { - LOG.debug("Checking Roles updated as user : " + user); - } - String relativeURL = 
RangerRESTUtils.REST_URL_SERVICE_GET_USER_GROUP_ROLES + serviceNameUrlParam; - ret = restClient.get(relativeURL, queryParams); - } - - if (LOG.isDebugEnabled()) { - LOG.debug("<== RangerAdminRESTClient.getRangerRolesDownloadResponse(" + lastKnownRoleVersion + ", " + lastActivationTimeInMillis + "): " + ret); - } - - return ret; - } - - private void checkAndResetRoleDownloadSessionCookie(ClientResponse response) { - List<NewCookie> respCookieList = response.getCookies(); - for (NewCookie respCookie : respCookieList) { - if (respCookie.getName().equalsIgnoreCase(rangerAdminCookieName)) { - roleDownloadSessionId = respCookie; - isValidRoleDownloadSessionCookie = (roleDownloadSessionId != null); - break; - } - } - } + sessionId = newCookie; + } + } else { + LOG.debug("checkAndResetSessionCookie(): RESETTING sessionId - status={}", status); - private void setCookieReceivedFromRoleDownloadSession(ClientResponse clientResponse) { - if (isRangerCookieEnabled) { - Cookie sessionCookie = null; - List<NewCookie> cookieList = clientResponse.getCookies(); - // save cookie received from credentials session login - for (NewCookie cookie : cookieList) { - if (cookie.getName().equalsIgnoreCase(rangerAdminCookieName)) { - sessionCookie = cookie.toCookie(); - break; + sessionId = null; } } - roleDownloadSessionId = sessionCookie; - isValidRoleDownloadSessionCookie = (roleDownloadSessionId != null); } } } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java index 621d07614..e5461c2e6 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java 
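Review bot: The debug statement in the success branch of the new `checkAndResetSessionCookie` passes `sessionId` and `newCookie` to the logger, so with debug logging enabled the Ranger admin session cookie most likely ends up in the plugin log with its value. Log only whether a cookie is present, for example `LOG.debug("checkAndResetSessionCookie(): status={}, hadSessionId={}, gotNewCookie={}", status, sessionId != null, newCookie != null);`. The method also has no Javadoc, although it now decides for every API call when the shared session is kept, replaced or dropped. One sentence stating that any status other than 200, 204 or 304, or a null response, clears the cookie would help callers.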
@@ -46,9 +46,11 @@ import javax.net.ssl.TrustManagerFactory; import javax.ws.rs.core.Cookie; import com.fasterxml.jackson.jaxrs.json.JacksonJsonProvider; +import com.sun.jersey.api.client.filter.ClientFilter; import org.apache.commons.lang.StringUtils; import org.apache.commons.lang.Validate; import org.apache.hadoop.conf.Configuration; +import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig; import org.apache.ranger.authorization.hadoop.utils.RangerCredentialProvider; import org.apache.ranger.authorization.utils.JsonUtils; import org.apache.ranger.authorization.utils.StringUtil; @@ -110,7 +112,8 @@ public class RangerRESTClient { private final List<String> configuredURLs; private volatile Client client; - + private volatile Client cookieAuthClient; + private ClientFilter basicAuthFilter = null; public RangerRESTClient(String url, String sslConfigFileName, Configuration config) { mUrl = url; @@ -165,6 +168,8 @@ public class RangerRESTClient { public void setBasicAuthInfo(String username, String password) { mUsername = username; mPassword = password; + + setBasicAuthFilter(username, password); } public WebResource getResource(String relativeUrl) { @@ -196,6 +201,28 @@ public class RangerRESTClient { return result; } + private Client getCookieAuthClient() { + Client ret = cookieAuthClient; + + if (ret == null) { + synchronized (this) { + ret = cookieAuthClient; + + if (ret == null) { + cookieAuthClient = buildClient(); + + if (basicAuthFilter != null) { + cookieAuthClient.removeFilter(basicAuthFilter); + } + + ret = cookieAuthClient; + } + } + } + + return ret; + } + private Client buildClient() { Client client = null; 
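Review bot: In `getCookieAuthClient()` the new client is stored in the volatile field `cookieAuthClient` before the basic-auth filter is removed from it. A thread doing the unsynchronized first read can therefore pick up a client that still carries `basicAuthFilter` and send the configured credentials together with the session cookie. Configure a local first and publish it last: `ret = buildClient();`, then `if (basicAuthFilter != null) { ret.removeFilter(basicAuthFilter); }`, then `cookieAuthClient = ret;`. `basicAuthFilter` is a non-volatile field that `setBasicAuthInfo()` can replace, so if credentials are changed concurrently the removal may miss the instance that `buildClient()` attached; a short comment on the expected call order would cover that.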
@@ -226,8 +253,8 @@ public class RangerRESTClient { client = Client.create(config); } - if(StringUtils.isNotEmpty(mUsername) && StringUtils.isNotEmpty(mPassword)) { - client.addFilter(new HTTPBasicAuthFilter(mUsername, mPassword)); + if (basicAuthFilter != null && !client.isFilterPresent(basicAuthFilter)) { + client.addFilter(basicAuthFilter); } // Set Connection Timeout and ReadTime for the PolicyRefresh @@ -237,6 +264,14 @@ public class RangerRESTClient { return client; } + private void setBasicAuthFilter(String username, String password) { + if (StringUtils.isNotEmpty(username) && StringUtils.isNotEmpty(password)) { + basicAuthFilter = new HTTPBasicAuthFilter(username, password); + } else { + basicAuthFilter = null; + } + } + public void resetClient(){ client = null; } @@ -271,6 +306,21 @@ public class RangerRESTClient { } } + + final String pluginPropertyPrefix; + + if (config instanceof RangerPluginConfig) { + pluginPropertyPrefix = ((RangerPluginConfig) config).getPropertyPrefix(); + } else { + pluginPropertyPrefix = "ranger.plugin"; + } + + String username = config.get(pluginPropertyPrefix + ".policy.rest.client.username"); + String password = config.get(pluginPropertyPrefix + ".policy.rest.client.password"); + + if (StringUtils.isNotBlank(username) && StringUtils.isNotBlank(password)) { + setBasicAuthFilter(username, password); + } } private boolean isSslEnabled(String url) { 
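Review bot: `resetClient()`, visible as trailing context of the `-237,6 +264,14` hunk, still clears only `client`, while this commit adds a second cached instance, `cookieAuthClient`. If the reset is meant to force a rebuild of the HTTP client, cookie-authenticated requests would keep using the old instance afterwards. Adding `cookieAuthClient = null;` to `resetClient()` keeps the two caches in step.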
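Review bot: In the `-271,6 +306,21` hunk the basic-auth password is read with `config.get(pluginPropertyPrefix + ".policy.rest.client.password")`, that is, as an ordinary property, so in practice the secret is expected to sit in readable form in the plugin configuration. Hadoop's `Configuration.getPassword(name)` consults the configured credential providers before falling back to the plain property, so `char[] password = config.getPassword(pluginPropertyPrefix + ".policy.rest.client.password");` would let deployments keep it in a keystore; it throws `IOException`, which the enclosing method would have to handle. The fallback prefix `"ranger.plugin"` is a bare literal and deserves a named constant or a comment on when a non-`RangerPluginConfig` is expected. The enclosing method starts outside the hunk.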
@@ -455,15 +505,13 @@ public class RangerRESTClient { public ClientResponse get(String relativeUrl, Map<String, String> params) throws Exception { ClientResponse finalResponse = null; int startIndex = this.lastKnownActiveUrlIndex; - int currentIndex = 0; int retryAttempt = 0; for (int index = 0; index < configuredURLs.size(); index++) { - try { - currentIndex = (startIndex + index) % configuredURLs.size(); + int currentIndex = (startIndex + index) % configuredURLs.size(); - WebResource webResource = getClient().resource(configuredURLs.get(currentIndex) + relativeUrl); - webResource = setQueryParams(webResource, params); + try { + WebResource.Builder webResource = createWebResource(currentIndex, relativeUrl, params); finalResponse = webResource.accept(RangerRESTUtils.REST_EXPECTED_MIME_TYPE).type(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class); @@ -485,16 +533,14 @@ public class RangerRESTClient { public ClientResponse get(String relativeUrl, Map<String, String> params, Cookie sessionId) throws Exception{ ClientResponse finalResponse = null; int startIndex = this.lastKnownActiveUrlIndex; - int currentIndex = 0; int retryAttempt = 0; for (int index = 0; index < configuredURLs.size(); index++) { + int currentIndex = (startIndex + index) % configuredURLs.size(); + try { - currentIndex = (startIndex + index) % configuredURLs.size(); + WebResource.Builder br = createWebResource(currentIndex, relativeUrl, params, sessionId); - WebResource webResource = createWebResourceForCookieAuth(currentIndex, relativeUrl); - webResource = setQueryParams(webResource, params); - WebResource.Builder br = webResource.getRequestBuilder().cookie(sessionId); finalResponse = br.accept(RangerRESTUtils.REST_EXPECTED_MIME_TYPE).type(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class); if (finalResponse != null) { 
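Review bot: The `sessionId` argument of `get(String, Map, Cookie)` in the `-485,16 +533,14` hunk can now be null, and nothing on the method says what that means. RangerAdminRESTClient in this commit passes its field on every call and resets it to null on failures, whereas the removed code applied `.cookie(sessionId)` directly. `createWebResource(currentIndex, relativeUrl, params, sessionId)` is defined outside the visible hunks, so it should be confirmed that a null cookie falls back to the credential-based client rather than sending an unauthenticated request. A Javadoc line on each public cookie overload would record the contract, for example `@param sessionId session cookie to send, or null to authenticate with the configured credentials`. The same applies to the `post`, `delete` and `put` cookie overloads in the following hunks; the `put` overload additionally passes `null` for `params`.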
@@ -515,15 +561,14 @@ public class RangerRESTClient { public ClientResponse post(String relativeUrl, Map<String, String> params, Object obj) throws Exception { ClientResponse finalResponse = null; int startIndex = this.lastKnownActiveUrlIndex; - int currentIndex = 0; int retryAttempt = 0; for (int index = 0; index < configuredURLs.size(); index++) { + int currentIndex = (startIndex + index) % configuredURLs.size(); + try { - currentIndex = (startIndex + index) % configuredURLs.size(); + WebResource.Builder webResource = createWebResource(currentIndex, relativeUrl, params); - WebResource webResource = getClient().resource(configuredURLs.get(currentIndex) + relativeUrl); - webResource = setQueryParams(webResource, params); finalResponse = webResource.accept(RangerRESTUtils.REST_EXPECTED_MIME_TYPE).type(RangerRESTUtils.REST_MIME_TYPE_JSON).post(ClientResponse.class, toJson(obj)); if (finalResponse != null) { setLastKnownActiveUrlIndex(currentIndex); @@ -543,18 +588,17 @@ public class RangerRESTClient { public ClientResponse post(String relativeURL, Map<String, String> params, Object obj, Cookie sessionId) throws Exception { ClientResponse response = null; int startIndex = this.lastKnownActiveUrlIndex; - int currentIndex = 0; int retryAttempt = 0; for (int index = 0; index < configuredURLs.size(); index++) { + int currentIndex = (startIndex + index) % configuredURLs.size(); + try { - currentIndex = (startIndex + index) % configuredURLs.size(); + WebResource.Builder br = createWebResource(currentIndex, relativeURL, params, sessionId); - WebResource webResource = createWebResourceForCookieAuth(currentIndex, relativeURL); - webResource = setQueryParams(webResource, params); - WebResource.Builder br = webResource.getRequestBuilder().cookie(sessionId); response = br.accept(RangerRESTUtils.REST_EXPECTED_MIME_TYPE).type(RangerRESTUtils.REST_MIME_TYPE_JSON) .post(ClientResponse.class, toJson(obj)); + if (response != null) { setLastKnownActiveUrlIndex(currentIndex); break; 
@@ -573,15 +617,13 @@ public class RangerRESTClient { public ClientResponse delete(String relativeUrl, Map<String, String> params) throws Exception { ClientResponse finalResponse = null; int startIndex = this.lastKnownActiveUrlIndex; - int currentIndex = 0; int retryAttempt = 0; for (int index = 0; index < configuredURLs.size(); index++) { - try { - currentIndex = (startIndex + index) % configuredURLs.size(); + int currentIndex = (startIndex + index) % configuredURLs.size(); - WebResource webResource = getClient().resource(configuredURLs.get(currentIndex) + relativeUrl); - webResource = setQueryParams(webResource, params); + try { + WebResource.Builder webResource = createWebResource(currentIndex, relativeUrl, params); finalResponse = webResource.accept(RangerRESTUtils.REST_EXPECTED_MIME_TYPE).type(RangerRESTUtils.REST_MIME_TYPE_JSON).delete(ClientResponse.class); if (finalResponse != null) { @@ -602,17 +644,16 @@ public class RangerRESTClient { public ClientResponse delete(String relativeURL, Map<String, String> params, Cookie sessionId) throws Exception { ClientResponse response = null; int startIndex = this.lastKnownActiveUrlIndex; - int currentIndex = 0; int retryAttempt = 0; for (int index = 0; index < configuredURLs.size(); index++) { + int currentIndex = (startIndex + index) % configuredURLs.size(); + try { - currentIndex = (startIndex + index) % configuredURLs.size(); + WebResource.Builder br = createWebResource(currentIndex, relativeURL, params, sessionId); - WebResource webResource = createWebResourceForCookieAuth(currentIndex, relativeURL); - webResource = setQueryParams(webResource, params); - WebResource.Builder br = webResource.getRequestBuilder().cookie(sessionId); response = br.delete(ClientResponse.class); + if (response != null) { setLastKnownActiveUrlIndex(currentIndex); break; 
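Review bot: `delete(relativeURL, params, sessionId)` issues `br.delete(ClientResponse.class)` with no `accept`/`type` set, whereas the non-cookie `delete` in the preceding hunk and the other cookie overloads set both. If the difference is not deliberate, the call should read `response = br.accept(RangerRESTUtils.REST_EXPECTED_MIME_TYPE).type(RangerRESTUtils.REST_MIME_TYPE_JSON).delete(ClientResponse.class);` so the request carries the same headers whichever authentication path is taken. The line predates this commit, but the commit appears to route more calls through this overload. The method continues beyond the hunk.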
@@ -631,15 +672,14 @@ public class RangerRESTClient { public ClientResponse put(String relativeUrl, Map<String, String> params, Object obj) throws Exception { ClientResponse finalResponse = null; int startIndex = this.lastKnownActiveUrlIndex; - int currentIndex = 0; int retryAttempt = 0; for (int index = 0; index < configuredURLs.size(); index++) { + int currentIndex = (startIndex + index) % configuredURLs.size(); + try { - currentIndex = (startIndex + index) % configuredURLs.size(); + WebResource.Builder webResource = createWebResource(currentIndex, relativeUrl, params); - WebResource webResource = getClient().resource(configuredURLs.get(currentIndex) + relativeUrl); - webResource = setQueryParams(webResource, params); finalResponse = webResource.accept(RangerRESTUtils.REST_EXPECTED_MIME_TYPE).type(RangerRESTUtils.REST_MIME_TYPE_JSON).put(ClientResponse.class, toJson(obj)); if (finalResponse != null) { setLastKnownActiveUrlIndex(currentIndex); @@ -659,17 +699,17 @@ public class RangerRESTClient { public ClientResponse put(String relativeURL, Object request, Cookie sessionId) throws Exception { ClientResponse response = null; int startIndex = this.lastKnownActiveUrlIndex; - int currentIndex = 0; int retryAttempt = 0; for (int index = 0; index < configuredURLs.size(); index++) { + int currentIndex = (startIndex + index) % configuredURLs.size(); + try { - currentIndex = (startIndex + index) % configuredURLs.size(); + WebResource.Builder br = createWebResource(currentIndex, relativeURL, null, sessionId); - WebResource webResource = createWebResourceForCookieAuth(currentIndex, relativeURL); - WebResource.Builder br = webResource.getRequestBuilder().cookie(sessionId); response = br.accept(RangerRESTUtils.REST_EXPECTED_MIME_TYPE).type(RangerRESTUtils.REST_MIME_TYPE_JSON) .put(ClientResponse.class, toJson(request)); + if (response != null) { setLastKnownActiveUrlIndex(currentIndex); break; 
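Review bot: A null `params` now reaches `setQueryParams` from `put(relativeURL, request, sessionId)`, because `createWebResource(currentIndex, relativeURL, null, sessionId)` forwards it; before this change the cookie `put` never called `setQueryParams`. `setQueryParams` is not shown in the diff, so please confirm it tolerates a null map, or pass `Collections.emptyMap()` here instead. This overload is also the only one of the eight without a `params` argument, which deserves a short comment if it is intentional.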
@@ -700,11 +740,24 @@ public class RangerRESTClient { this.lastKnownActiveUrlIndex = lastKnownActiveUrlIndex; } - protected WebResource createWebResourceForCookieAuth(int currentIndex, String relativeURL) { - Client cookieClient = getClient(); - cookieClient.removeAllFilters(); - WebResource ret = cookieClient.resource(configuredURLs.get(currentIndex) + relativeURL); - return ret; + protected WebResource.Builder createWebResource(int currentIndex, String relativeURL, Map<String, String> params) { + WebResource webResource = getClient().resource(configuredURLs.get(currentIndex) + relativeURL); + + webResource = setQueryParams(webResource, params); + + return webResource.getRequestBuilder(); + } + + protected WebResource.Builder createWebResource(int currentIndex, String relativeURL, Map<String, String> params, Cookie sessionId) { + if (sessionId == null) { + return createWebResource(currentIndex, relativeURL, params); + } else { + WebResource webResource = getCookieAuthClient().resource(configuredURLs.get(currentIndex) + relativeURL); + + webResource = setQueryParams(webResource, params); + + return webResource.getRequestBuilder().cookie(sessionId); + } } protected boolean shouldRetry(String currentUrl, int index, int retryAttemptCount, Exception ex) throws Exception {
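Review bot: The cookie overload of `createWebResource` attaches `sessionId` to whichever `configuredURLs` entry the caller's failover loop has reached, without looking at the URL scheme, so an `http://` entry would carry the session cookie in cleartext. If plain-HTTP admin URLs are a supported configuration, that exposure should at least be stated; a comment such as `// sessionId is a credential and is sent to every configured URL tried during failover` makes the assumption explicit. Neither new protected method has Javadoc, and the cookie one should say that a null `sessionId` falls back to the default client from `getClient()`. `getCookieAuthClient()` is defined outside this hunk and presumably takes over from the removed `removeAllFilters()` call on the shared client, which is worth confirming against the rest of the patch.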