This is an automated email from the ASF dual-hosted git repository.
alexey pushed a commit to branch branch-1.17.x
in repository https://gitbox.apache.org/repos/asf/kudu.git
The following commit(s) were added to refs/heads/branch-1.17.x by this push:
new 5704bb27b KUDU-3359 Allow multi-JAR cp for Ranger client
5704bb27b is described below
commit 5704bb27b25a601c25c38fff3016c24c27a010af
Author: Attila Bukor <[email protected]>
AuthorDate: Mon Aug 14 13:51:58 2023 +0200
KUDU-3359 Allow multi-JAR cp for Ranger client
In order to let Ranger client to write audit to HDFS, Hadoop client
JARs need to be loaded. To make sure this is possible to do, this commit
changes the behavior of the ranger_jar_path to allow colon-separated JAR
classpaths to be passed to Java.
Change-Id: If137b5541b948506372db50e984eeee7e05dfd22
Reviewed-on: http://gerrit.cloudera.org:8080/20346
Tested-by: Kudu Jenkins
Reviewed-by: Alexey Serbin <[email protected]>
(cherry picked from commit 6b1240afc7e7d4c5730ff6fc61927177df607b2a)
Reviewed-on: http://gerrit.cloudera.org:8080/20416
Reviewed-by: Yingchun Lai <[email protected]>
---
src/kudu/ranger/ranger_client-test.cc | 19 +++++++++++
src/kudu/ranger/ranger_client.cc | 60 +++++++++++++++++++----------------
src/kudu/ranger/ranger_client.h | 3 ++
3 files changed, 55 insertions(+), 27 deletions(-)
diff --git a/src/kudu/ranger/ranger_client-test.cc
b/src/kudu/ranger/ranger_client-test.cc
index 878a47820..6e204418f 100644
--- a/src/kudu/ranger/ranger_client-test.cc
+++ b/src/kudu/ranger/ranger_client-test.cc
@@ -54,6 +54,7 @@ DECLARE_string(log_dir);
DECLARE_string(ranger_config_path);
DECLARE_string(ranger_log_config_dir);
DECLARE_string(ranger_log_level);
+DECLARE_string(ranger_jar_path);
DECLARE_string(ranger_java_extra_args);
DECLARE_bool(ranger_logtostdout);
DECLARE_bool(ranger_overwrite_log_config);
@@ -339,6 +340,24 @@ TEST_F(RangerClientTest,
TestAuthorizeActionsAllAuthorized) {
ASSERT_EQ(3, actions.size());
}
+TEST_F(RangerClientTest, TestInvalidJARFails) {
+ FLAGS_ranger_config_path = test_dir_;
+ FLAGS_ranger_jar_path = "/this/is/not/a/real/location/hopefully.jar";
+ ASSERT_FALSE(ValidateRangerConfiguration());
+}
+
+TEST_F(RangerClientTest, TestMultipleInvalidJARsLeftUnchecked) {
+ FLAGS_ranger_config_path = test_dir_;
+ FLAGS_ranger_jar_path =
"/this/is/not/a/real/location/hopefully.jar:/another/invalid/path.jar";
+ ASSERT_TRUE(ValidateRangerConfiguration());
+}
+
+TEST_F(RangerClientTest, TestDefaultJARPath) {
+ FLAGS_ranger_config_path = test_dir_;
+ ASSERT_TRUE(ValidateRangerConfiguration());
+}
+
+
class RangerClientTestBase : public KuduTest {
public:
RangerClientTestBase()
diff --git a/src/kudu/ranger/ranger_client.cc b/src/kudu/ranger/ranger_client.cc
index 1faf0a3fc..7baac4c99 100644
--- a/src/kudu/ranger/ranger_client.cc
+++ b/src/kudu/ranger/ranger_client.cc
@@ -69,7 +69,9 @@ DEFINE_string(ranger_java_extra_args, "",
DEFINE_string(ranger_jar_path, "",
"Path to the JAR file containing the Ranger subprocess. If "
"not specified, the default JAR file path is expected to be "
- "next to the master binary.");
+ "next to the master binary. It can be a colon-separated list of "
+ "JARs. If it is, the paths are not verified and passed straight
to "
+ "Java.");
DEFINE_string(ranger_receiver_fifo_dir, "",
"Directory in which to create a fifo used to receive messages "
@@ -237,32 +239,6 @@ string JavaPath() {
return FLAGS_ranger_java_path;
}
-bool ValidateRangerConfiguration() {
- if (!FLAGS_ranger_config_path.empty()) {
- // First, check the specified Java path.
- const string java_path = JavaPath();
- if (!Env::Default()->FileExists(java_path)) {
- // Otherwise, since the specified path is not absolute, check if
- // the Java binary is on the PATH.
- string p;
- Status s = Subprocess::Call({ "which", java_path }, "", &p);
- if (!s.ok()) {
- LOG(ERROR) << Substitute("--ranger_java_path has invalid java binary
path: $0",
- java_path);
- return false;
- }
- }
- const string ranger_jar_path = RangerJarPath();
- if (!Env::Default()->FileExists(ranger_jar_path)) {
- LOG(ERROR) << Substitute("--ranger_jar_path has invalid JAR file path:
$0",
- ranger_jar_path);
- return false;
- }
- }
- return true;
-}
-GROUP_FLAG_VALIDATOR(ranger_config_flags, ValidateRangerConfiguration);
-
bool ValidateLog4jLevel(const char* /*flagname*/, const string& value) {
static const vector<string> kLevels = {
"all",
@@ -391,6 +367,36 @@ Status BuildArgv(const string& fifo_path, const string&
log_properties_path,
} // anonymous namespace
+bool ValidateRangerConfiguration() {
+ if (!FLAGS_ranger_config_path.empty()) {
+ // First, check the specified Java path.
+ const string java_path = JavaPath();
+ if (!Env::Default()->FileExists(java_path)) {
+ // Otherwise, since the specified path is not absolute, check if
+ // the Java binary is on the PATH.
+ string p;
+ Status s = Subprocess::Call({ "which", java_path }, "", &p);
+ if (!s.ok()) {
+ LOG(ERROR) << Substitute("--ranger_java_path has invalid java binary
path: $0",
+ java_path);
+ return false;
+ }
+ }
+ const string ranger_jar_path = RangerJarPath();
+
+ // If the JAR path contains a colon, we skip verifying the paths and leave
+ // it to Java.
+ if (ranger_jar_path.find(':') == string::npos &&
+ !Env::Default()->FileExists(ranger_jar_path)) {
+ LOG(ERROR) << Substitute("--ranger_jar_path has invalid JAR file path:
$0",
+ ranger_jar_path);
+ return false;
+ }
+ }
+ return true;
+}
+GROUP_FLAG_VALIDATOR(ranger_config_flags, ValidateRangerConfiguration);
+
#define CINIT(member, x) member = METRIC_##x.Instantiate(entity)
#define HISTINIT(member, x) member = METRIC_##x.Instantiate(entity)
RangerSubprocessMetrics::RangerSubprocessMetrics(const
scoped_refptr<MetricEntity>& entity) {
diff --git a/src/kudu/ranger/ranger_client.h b/src/kudu/ranger/ranger_client.h
index baf74ed3e..9d9e66c78 100644
--- a/src/kudu/ranger/ranger_client.h
+++ b/src/kudu/ranger/ranger_client.h
@@ -130,5 +130,8 @@ class RangerClient {
scoped_refptr<MetricEntity> metric_entity_;
};
+// Validate Ranger configuration.
+bool ValidateRangerConfiguration();
+
} // namespace ranger
} // namespace kudu
