This is an automated email from the ASF dual-hosted git repository.
rmani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 1dee2b3 RANGER-3334:Enhance Ranger admin REST Client to use cookie
for policy, tag and role download
1dee2b3 is described below
commit 1dee2b377e20b811cc568f30ff789b50d8e241ec
Author: Ramesh Mani <[email protected]>
AuthorDate: Sat Jul 24 01:37:53 2021 -0700
RANGER-3334:Enhance Ranger admin REST Client to use cookie for policy, tag
and role download
Signed-off-by: Ramesh Mani <[email protected]>
---
.../ranger/admin/client/RangerAdminRESTClient.java | 756 ++++++++++++-----
.../RangerAbstractContextEnricher.java | 4 +
.../contextenricher/RangerAdminTagRetriever.java | 7 +-
.../RangerAdminUserStoreRetriever.java | 7 +-
.../plugin/contextenricher/RangerTagEnricher.java | 1 +
.../plugin/contextenricher/RangerTagRetriever.java | 10 +
.../contextenricher/RangerUserStoreEnricher.java | 1 +
.../contextenricher/RangerUserStoreRetriever.java | 10 +
.../plugin/policyengine/RangerPluginContext.java | 58 ++
.../ranger/plugin/service/RangerBasePlugin.java | 4 +
.../apache/ranger/plugin/util/PolicyRefresher.java | 5 +-
.../ranger/plugin/util/RangerCommonConstants.java | 2 +
.../ranger/plugin/util/RangerRESTClient.java | 26 +
.../admin/client/RangerAdminJersey2RESTClient.java | 915 ++++++++++++++++-----
14 files changed, 1397 insertions(+), 409 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
index e0d7a9b..3283487 100644
---
a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
+++
b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
@@ -36,6 +36,8 @@ import org.apache.ranger.plugin.model.RangerRole;
import org.apache.ranger.plugin.util.*;
import javax.servlet.http.HttpServletResponse;
+import javax.ws.rs.core.Cookie;
+import javax.ws.rs.core.NewCookie;
import java.io.UnsupportedEncodingException;
import java.lang.reflect.ParameterizedType;
import java.lang.reflect.Type;
@@ -55,7 +57,15 @@ public class RangerAdminRESTClient extends
AbstractRangerAdminClient {
private RangerRESTUtils restUtils = new RangerRESTUtils();
private boolean supportsPolicyDeltas;
private boolean supportsTagDeltas;
- private final String pluginCapabilities = Long.toHexString(new
RangerPluginCapability().getPluginCapabilities());
+ private boolean isRangerCookieEnabled;
+ private String rangerAdminCookieName;
+ private Cookie policyDownloadSessionId =
null;
+ private boolean isValidPolicyDownloadSessionCookie = false;
+ private Cookie tagDownloadSessionId =
null;
+ private boolean isValidTagDownloadSessionCookie =
false;
+ private Cookie roleDownloadSessionId =
null;
+ private boolean isValidRoleDownloadSessionCookie =
false;
+ private final String pluginCapabilities = Long.toHexString(new
RangerPluginCapability().getPluginCapabilities());
public static <T> GenericType<List<T>> getGenericType(final T clazz) {
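Review bot: Each `isValid…SessionCookie` flag duplicates the null-ness of its cookie field, and the two can drift apart. In the helpers added later in this commit the flag is only ever set to `(cookie != null)` or to `false` next to `cookie = null`, while the `…WithCred` error branches null the cookie without touching the flag. Dropping the three booleans and testing `policyDownloadSessionId != null` (and the tag/role equivalents) would remove that second source of truth. If the policy, tag and role refreshers can run on different threads (not visible here), these unsynchronized, non-`volatile` fields also need a visibility guarantee. A short comment such as `// session cookie issued by Ranger admin; a credential, never log its value` on the `Cookie` fields would help the next maintainer.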
@@ -99,6 +109,8 @@ public class RangerAdminRESTClient extends
AbstractRangerAdminClient {
int restClientReadTimeOutMs =
config.getInt(propertyPrefix + ".policy.rest.client.read.timeoutMs", 30 * 1000);
supportsPolicyDeltas =
config.getBoolean(propertyPrefix +
RangerCommonConstants.PLUGIN_CONFIG_SUFFIX_POLICY_DELTA,
RangerCommonConstants.PLUGIN_CONFIG_SUFFIX_POLICY_DELTA_DEFAULT);
supportsTagDeltas =
config.getBoolean(propertyPrefix +
RangerCommonConstants.PLUGIN_CONFIG_SUFFIX_TAG_DELTA,
RangerCommonConstants.PLUGIN_CONFIG_SUFFIX_TAG_DELTA_DEFAULT);
+ isRangerCookieEnabled =
config.getBoolean(propertyPrefix + ".policy.rest.client.cookie.enabled",
RangerCommonConstants.POLICY_REST_CLIENT_SESSION_COOKIE_ENABLED);
+ rangerAdminCookieName =
config.get(propertyPrefix + ".policy.rest.client.session.cookie.name",
RangerCommonConstants.DEFAULT_COOKIE_NAME);
if (!StringUtil.isEmpty(tmpUrl)) {
url = tmpUrl.trim();
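Review bot: The two new property keys are inline string literals with inconsistent shapes (`.policy.rest.client.cookie.enabled` versus `.policy.rest.client.session.cookie.name`), whereas the delta settings just above use a `RangerCommonConstants.PLUGIN_CONFIG_SUFFIX_*` key with a matching `*_DEFAULT` value. `POLICY_REST_CLIENT_SESSION_COOKIE_ENABLED` is passed as the default value but reads like a key name; following the existing `_DEFAULT` convention and moving both suffixes into constants would make this block uniform. It is also worth a comment that `rangerAdminCookieName` must equal the session cookie name the admin server issues, since the helpers later in this commit silently find no cookie otherwise and every refresh stays on the credential path. The enclosing init method starts and ends outside this hunk.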
@@ -125,70 +137,10 @@ public class RangerAdminRESTClient extends
AbstractRangerAdminClient {
final ServicePolicies ret;
- final UserGroupInformation user = MiscUtil.getUGILoginUser();
- final boolean isSecureMode = user != null &&
UserGroupInformation.isSecurityEnabled();
- final ClientResponse response;
-
- Map<String, String> queryParams = new HashMap<String, String>();
-
queryParams.put(RangerRESTUtils.REST_PARAM_LAST_KNOWN_POLICY_VERSION,
Long.toString(lastKnownVersion));
-
queryParams.put(RangerRESTUtils.REST_PARAM_LAST_ACTIVATION_TIME,
Long.toString(lastActivationTimeInMillis));
- queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
- queryParams.put(RangerRESTUtils.REST_PARAM_CLUSTER_NAME,
clusterName);
-
queryParams.put(RangerRESTUtils.REST_PARAM_SUPPORTS_POLICY_DELTAS,
Boolean.toString(supportsPolicyDeltas));
- queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES,
pluginCapabilities);
-
- if (isSecureMode) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Checking Service policy if updated
as user : " + user);
- }
- PrivilegedAction<ClientResponse> action = new
PrivilegedAction<ClientResponse>() {
- public ClientResponse run() {
- ClientResponse clientRes = null;
- String relativeURL =
RangerRESTUtils.REST_URL_POLICY_GET_FOR_SECURE_SERVICE_IF_UPDATED +
serviceNameUrlParam;
- try {
- clientRes =
restClient.get(relativeURL, queryParams);
- } catch (Exception e) {
- LOG.error("Failed to get
response, Error is : "+e.getMessage());
- }
- return clientRes;
- }
- };
- response = user.doAs(action);
- } else {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Checking Service policy if updated
with old api call");
- }
- String relativeURL =
RangerRESTUtils.REST_URL_POLICY_GET_FOR_SERVICE_IF_UPDATED +
serviceNameUrlParam;
- response = restClient.get(relativeURL, queryParams);
- }
-
- if (response == null || response.getStatus() ==
HttpServletResponse.SC_NOT_MODIFIED) {
- if (response == null) {
- LOG.error("Error getting policies; Received
NULL response!!. secureMode=" + isSecureMode + ", user=" + user + ",
serviceName=" + serviceName);
- } else {
- RESTResponse resp =
RESTResponse.fromClientResponse(response);
- if (LOG.isDebugEnabled()) {
- LOG.debug("No change in policies.
secureMode=" + isSecureMode + ", user=" + user + ", response=" + resp + ",
serviceName=" + serviceName);
- }
- }
- ret = null;
- } else if (response.getStatus() == HttpServletResponse.SC_OK) {
- ret = response.getEntity(ServicePolicies.class);
- } else if (response.getStatus() ==
HttpServletResponse.SC_NOT_FOUND) {
- LOG.error("Error getting policies; service not found.
secureMode=" + isSecureMode + ", user=" + user
- + ", response=" + response.getStatus()
+ ", serviceName=" + serviceName
- + ", " + "lastKnownVersion=" +
lastKnownVersion
- + ", " + "lastActivationTimeInMillis="
+ lastActivationTimeInMillis);
- ret = null;
- String exceptionMsg = response.hasEntity() ?
response.getEntity(String.class) : null;
-
-
RangerServiceNotFoundException.throwExceptionIfServiceNotFound(serviceName,
exceptionMsg);
-
- LOG.warn("Received 404 error code with body:[" +
exceptionMsg + "], Ignoring");
+ if (isRangerCookieEnabled && policyDownloadSessionId != null &&
isValidPolicyDownloadSessionCookie) {
+ ret =
getServicePoliciesIfUpdatedWithCookie(lastKnownVersion,
lastActivationTimeInMillis);
} else {
- RESTResponse resp =
RESTResponse.fromClientResponse(response);
- LOG.warn("Error getting policies. secureMode=" +
isSecureMode + ", user=" + user + ", response=" + resp + ", serviceName=" +
serviceName);
- ret = null;
+ ret =
getServicePoliciesIfUpdatedWithCred(lastKnownVersion,
lastActivationTimeInMillis);
}
if (LOG.isDebugEnabled()) {
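Review bot: When the cookie branch is taken and the server rejects the session, this call returns null and credentials are only tried on the next refresh, because the `if`/`else` picks exactly one of `getServicePoliciesIfUpdatedWithCookie` and `getServicePoliciesIfUpdatedWithCred`. The `…WithCookie` helper added later in this commit clears `policyDownloadSessionId` and `isValidPolicyDownloadSessionCookie` on every status other than 200/304/204, so an expired session appears to leave the plugin enforcing its previous policies for one extra poll interval. Consider falling back within the same call: keep the cookie result in a local and use `ret = (viaCookie == null && !isValidPolicyDownloadSessionCookie) ? getServicePoliciesIfUpdatedWithCred(lastKnownVersion, lastActivationTimeInMillis) : viaCookie;`. The same dispatch is repeated in the roles and tags hunks below, and the enclosing method starts and ends outside this hunk.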
@@ -205,72 +157,11 @@ public class RangerAdminRESTClient extends
AbstractRangerAdminClient {
}
final RangerRoles ret;
- final UserGroupInformation user = MiscUtil.getUGILoginUser();
- final boolean isSecureMode = user != null &&
UserGroupInformation.isSecurityEnabled();
- final ClientResponse response;
-
- Map<String, String> queryParams = new HashMap<String, String>();
-
queryParams.put(RangerRESTUtils.REST_PARAM_LAST_KNOWN_ROLE_VERSION,
Long.toString(lastKnownRoleVersion));
-
queryParams.put(RangerRESTUtils.REST_PARAM_LAST_ACTIVATION_TIME,
Long.toString(lastActivationTimeInMillis));
- queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
- queryParams.put(RangerRESTUtils.REST_PARAM_CLUSTER_NAME,
clusterName);
- queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES,
pluginCapabilities);
-
- if (isSecureMode) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Checking Roles updated as user : " +
user);
- }
- PrivilegedAction<ClientResponse> action = new
PrivilegedAction<ClientResponse>() {
- public ClientResponse run() {
- ClientResponse clientRes = null;
- String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_SERCURE_GET_USER_GROUP_ROLES +
serviceNameUrlParam;
- try {
- clientRes =
restClient.get(relativeURL, queryParams);
- } catch (Exception e) {
- LOG.error("Failed to get
response, Error is : "+e.getMessage());
- }
- return clientRes;
- }
- };
- response = user.doAs(action);
- } else {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Checking Roles updated as user : " +
user);
- }
- String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_GET_USER_GROUP_ROLES + serviceNameUrlParam;
- response = restClient.get(relativeURL, queryParams);
- }
-
- if (response == null || response.getStatus() ==
HttpServletResponse.SC_NOT_MODIFIED) {
- if (response == null) {
- LOG.error("Error getting Roles; Received NULL
response!!. secureMode=" + isSecureMode + ", user=" + user + ", serviceName=" +
serviceName);
- } else {
- RESTResponse resp =
RESTResponse.fromClientResponse(response);
- if (LOG.isDebugEnabled()) {
- LOG.debug("No change in Roles.
secureMode=" + isSecureMode + ", user=" + user
- + ", response=" + resp
+ ", serviceName=" + serviceName
- + ", " +
"lastKnownRoleVersion=" + lastKnownRoleVersion
- + ", " +
"lastActivationTimeInMillis=" + lastActivationTimeInMillis);
- }
- }
- ret = null;
- } else if (response.getStatus() == HttpServletResponse.SC_OK) {
- ret = response.getEntity(RangerRoles.class);
- } else if (response.getStatus() ==
HttpServletResponse.SC_NOT_FOUND) {
- ret = null;
- LOG.error("Error getting Roles; service not found.
secureMode=" + isSecureMode + ", user=" + user
- + ", response=" + response.getStatus()
+ ", serviceName=" + serviceName
- + ", " + "lastKnownRoleVersion=" +
lastKnownRoleVersion
- + ", " + "lastActivationTimeInMillis="
+ lastActivationTimeInMillis);
- String exceptionMsg = response.hasEntity() ?
response.getEntity(String.class) : null;
-
-
RangerServiceNotFoundException.throwExceptionIfServiceNotFound(serviceName,
exceptionMsg);
- LOG.warn("Received 404 error code with body:[" +
exceptionMsg + "], Ignoring");
+ if (isRangerCookieEnabled && roleDownloadSessionId != null &&
isValidRoleDownloadSessionCookie) {
+ ret = getRolesIfUpdatedWithCookie(lastKnownRoleVersion,
lastActivationTimeInMillis);
} else {
- RESTResponse resp =
RESTResponse.fromClientResponse(response);
- LOG.warn("Error getting Roles. secureMode=" +
isSecureMode + ", user=" + user + ", response=" + resp + ", serviceName=" +
serviceName);
- ret = null;
+ ret = getRolesIfUpdatedWithCred(lastKnownRoleVersion,
lastActivationTimeInMillis);
}
if(LOG.isDebugEnabled()) {
@@ -784,69 +675,12 @@ public class RangerAdminRESTClient extends
AbstractRangerAdminClient {
LOG.debug("==>
RangerAdminRESTClient.getServiceTagsIfUpdated(" + lastKnownVersion + ", " +
lastActivationTimeInMillis + "): ");
}
- ServiceTags ret = null;
- ClientResponse response = null;
- UserGroupInformation user = MiscUtil.getUGILoginUser();
- boolean isSecureMode = user != null &&
UserGroupInformation.isSecurityEnabled();
-
- Map<String, String> queryParams = new HashMap<String, String>();
- queryParams.put(RangerRESTUtils.LAST_KNOWN_TAG_VERSION_PARAM,
Long.toString(lastKnownVersion));
-
queryParams.put(RangerRESTUtils.REST_PARAM_LAST_ACTIVATION_TIME,
Long.toString(lastActivationTimeInMillis));
- queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
- queryParams.put(RangerRESTUtils.REST_PARAM_SUPPORTS_TAG_DELTAS,
Boolean.toString(supportsTagDeltas));
- queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES,
pluginCapabilities);
-
- if (isSecureMode) {
- PrivilegedAction<ClientResponse> action = new
PrivilegedAction<ClientResponse>() {
- public ClientResponse run() {
- String relativeURL =
RangerRESTUtils.REST_URL_GET_SECURE_SERVICE_TAGS_IF_UPDATED +
serviceNameUrlParam;
- ClientResponse clientResp = null;
- try {
- clientResp =
restClient.get(relativeURL, queryParams);
- } catch (Exception e) {
- LOG.error("Failed to get
response, Error is : "+e.getMessage());
- }
- return clientResp;
- }
- };
- if (LOG.isDebugEnabled()) {
- LOG.debug("getServiceTagsIfUpdated as user " +
user);
- }
- response = user.doAs(action);
- } else {
- String relativeURL =
RangerRESTUtils.REST_URL_GET_SERVICE_TAGS_IF_UPDATED + serviceNameUrlParam;
- response = restClient.get(relativeURL, queryParams);
- }
-
- if (response == null || response.getStatus() ==
HttpServletResponse.SC_NOT_MODIFIED) {
- if (response == null) {
- LOG.error("Error getting tags; Received NULL
response!!. secureMode=" + isSecureMode + ", user=" + user + ", serviceName=" +
serviceName);
- } else {
- RESTResponse resp =
RESTResponse.fromClientResponse(response);
- if (LOG.isDebugEnabled()) {
- LOG.debug("No change in tags.
secureMode=" + isSecureMode + ", user=" + user
- + ", response=" + resp
+ ", serviceName=" + serviceName
- + ", " +
"lastKnownVersion=" + lastKnownVersion
- + ", " +
"lastActivationTimeInMillis=" + lastActivationTimeInMillis);
- }
- }
- ret = null;
- } else if (response.getStatus() == HttpServletResponse.SC_OK) {
- ret = response.getEntity(ServiceTags.class);
- } else if (response.getStatus() ==
HttpServletResponse.SC_NOT_FOUND) {
- LOG.error("Error getting tags; service not found.
secureMode=" + isSecureMode + ", user=" + user
- + ", response=" + response.getStatus()
+ ", serviceName=" + serviceName
- + ", " + "lastKnownVersion=" +
lastKnownVersion
- + ", " + "lastActivationTimeInMillis="
+ lastActivationTimeInMillis);
- String exceptionMsg = response.hasEntity() ?
response.getEntity(String.class) : null;
-
-
RangerServiceNotFoundException.throwExceptionIfServiceNotFound(serviceName,
exceptionMsg);
+ final ServiceTags ret;
- LOG.warn("Received 404 error code with body:[" +
exceptionMsg + "], Ignoring");
+ if (isRangerCookieEnabled && tagDownloadSessionId != null &&
isValidTagDownloadSessionCookie) {
+ ret =
getServiceTagsIfUpdatedWithCookie(lastKnownVersion, lastActivationTimeInMillis);
} else {
- RESTResponse resp =
RESTResponse.fromClientResponse(response);
- LOG.warn("Error getting tags. secureMode=" +
isSecureMode + ", user=" + user + ", response=" + resp + ", serviceName=" +
serviceName);
- ret = null;
+ ret = getServiceTagsIfUpdatedWithCred(lastKnownVersion,
lastActivationTimeInMillis);
}
if(LOG.isDebugEnabled()) {
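Review bot: In non-secure mode the tag path selected here never sends the cookie. `getRangerAdminTagDownloadResponse`, added later in this commit, calls `restClient.get(relativeURL, queryParams)` in its `else` branch, while its policy counterpart passes `policyDownloadSessionId` in both branches. That line should presumably read `ret = restClient.get(relativeURL, queryParams, tagDownloadSessionId);`, otherwise `getServiceTagsIfUpdatedWithCookie` behaves as a credential request whenever Kerberos is off. The tag helpers also test only `SC_NOT_MODIFIED`, whereas the policy and role helpers additionally accept `SC_NO_CONTENT`, so a 204 on the tag endpoint falls into the error branch and discards a valid session cookie. If that difference is intentional it deserves a comment. The enclosing method starts and ends outside this hunk.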
@@ -990,4 +824,548 @@ public class RangerAdminRESTClient extends
AbstractRangerAdminClient {
return ret;
}
+ /* Policies Download ranger admin rest call methods */
+ private ServicePolicies getServicePoliciesIfUpdatedWithCred(final long
lastKnownVersion, final long lastActivationTimeInMillis) throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
RangerAdminRESTClient.getServicePoliciesIfUpdatedWithCred(" + lastKnownVersion
+ ", " + lastActivationTimeInMillis + ")");
+ }
+
+ final ServicePolicies ret;
+
+ final UserGroupInformation user =
MiscUtil.getUGILoginUser();
+ final boolean isSecureMode = user != null &&
UserGroupInformation.isSecurityEnabled();
+ final ClientResponse response =
getRangerAdminPolicyDownloadResponse(lastKnownVersion,
lastActivationTimeInMillis, user, isSecureMode);
+
+ if (response == null || response.getStatus() ==
HttpServletResponse.SC_NOT_MODIFIED || response.getStatus() ==
HttpServletResponse.SC_NO_CONTENT) {
+ if (response == null) {
+ policyDownloadSessionId = null;
+ LOG.error("Error getting policies; Received
NULL response!!. secureMode=" + isSecureMode + ", user=" + user + ",
serviceName=" + serviceName);
+ } else {
+ setCookieReceivedFromCredSession(response);
+ RESTResponse resp =
RESTResponse.fromClientResponse(response);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("No change in policies.
secureMode=" + isSecureMode + ", user=" + user + ", response=" + resp + ",
serviceName=" + serviceName);
+ }
+ }
+ ret = null;
+ } else if (response.getStatus() == HttpServletResponse.SC_OK) {
+ setCookieReceivedFromCredSession(response);
+ ret = response.getEntity(ServicePolicies.class);
+ } else if (response.getStatus() ==
HttpServletResponse.SC_NOT_FOUND) {
+ policyDownloadSessionId = null;
+ ret = null;
+ LOG.error("Error getting policies; service not found.
secureMode=" + isSecureMode + ", user=" + user
+ + ", response=" + response.getStatus()
+ ", serviceName=" + serviceName
+ + ", " + "lastKnownVersion=" +
lastKnownVersion
+ + ", " + "lastActivationTimeInMillis="
+ lastActivationTimeInMillis);
+ String exceptionMsg = response.hasEntity() ?
response.getEntity(String.class) : null;
+
RangerServiceNotFoundException.throwExceptionIfServiceNotFound(serviceName,
exceptionMsg);
+ LOG.warn("Received 404 error code with body:[" +
exceptionMsg + "], Ignoring");
+ } else {
+ policyDownloadSessionId = null;
+ ret = null;
+ RESTResponse resp =
RESTResponse.fromClientResponse(response);
+ LOG.warn("Error getting policies. secureMode=" +
isSecureMode + ", user=" + user + ", response=" + resp + ", serviceName=" +
serviceName);
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
RangerAdminRESTClient.getServicePoliciesIfUpdatedWithCred(" + lastKnownVersion
+ ", " + lastActivationTimeInMillis + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ private ServicePolicies getServicePoliciesIfUpdatedWithCookie(final
long lastKnownVersion, final long lastActivationTimeInMillis) throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
RangerAdminRESTClient.getServicePoliciesIfUpdatedWithCookie(" +
lastKnownVersion + ", " + lastActivationTimeInMillis + ")");
+ }
+
+ final ServicePolicies ret;
+
+ final UserGroupInformation user =
MiscUtil.getUGILoginUser();
+ final boolean isSecureMode = user != null &&
UserGroupInformation.isSecurityEnabled();
+ final ClientResponse response =
getRangerAdminPolicyDownloadResponse(lastKnownVersion,
lastActivationTimeInMillis, user, isSecureMode);
+
+ if (response == null || response.getStatus() ==
HttpServletResponse.SC_NOT_MODIFIED || response.getStatus() ==
HttpServletResponse.SC_NO_CONTENT) {
+ if (response == null) {
+ policyDownloadSessionId = null;
+ isValidPolicyDownloadSessionCookie = false;
+ LOG.error("Error getting policies; Received
NULL response!!. secureMode=" + isSecureMode + ", user=" + user + ",
serviceName=" + serviceName);
+ } else {
+ checkAndResetSessionCookie(response);
+ RESTResponse resp =
RESTResponse.fromClientResponse(response);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("No change in policies.
secureMode=" + isSecureMode + ", user=" + user + ", response=" + resp + ",
serviceName=" + serviceName);
+ }
+ }
+ ret = null;
+ } else if (response.getStatus() == HttpServletResponse.SC_OK) {
+ checkAndResetSessionCookie(response);
+ ret = response.getEntity(ServicePolicies.class);
+ } else if (response.getStatus() ==
HttpServletResponse.SC_NOT_FOUND) {
+ policyDownloadSessionId = null;
+ isValidPolicyDownloadSessionCookie = false;
+ ret = null;
+ LOG.error("Error getting policies; service not found.
secureMode=" + isSecureMode + ", user=" + user
+ + ", response=" + response.getStatus()
+ ", serviceName=" + serviceName
+ + ", " + "lastKnownVersion=" +
lastKnownVersion
+ + ", " + "lastActivationTimeInMillis="
+ lastActivationTimeInMillis);
+ String exceptionMsg = response.hasEntity() ?
response.getEntity(String.class) : null;
+
RangerServiceNotFoundException.throwExceptionIfServiceNotFound(serviceName,
exceptionMsg);
+ LOG.warn("Received 404 error code with body:[" +
exceptionMsg + "], Ignoring");
+ } else {
+ policyDownloadSessionId = null;
+ isValidPolicyDownloadSessionCookie = false;
+ ret = null;
+ RESTResponse resp =
RESTResponse.fromClientResponse(response);
+ LOG.warn("Error getting policies. secureMode=" +
isSecureMode + ", user=" + user + ", response=" + resp + ", serviceName=" +
serviceName);
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
RangerAdminRESTClient.getServicePoliciesIfUpdatedWithCookie(" +
lastKnownVersion + ", " + lastActivationTimeInMillis + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ private ClientResponse getRangerAdminPolicyDownloadResponse(final long
lastKnownVersion, final long lastActivationTimeInMillis, final
UserGroupInformation user, final boolean isSecureMode) throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
RangerAdminRESTClient.getRangerAdminPolicyDownloadResponse(" + lastKnownVersion
+ ", " + lastActivationTimeInMillis + ")");
+ }
+
+ final ClientResponse ret;
+
+ Map<String, String> queryParams = new HashMap<String, String>();
+
queryParams.put(RangerRESTUtils.REST_PARAM_LAST_KNOWN_POLICY_VERSION,
Long.toString(lastKnownVersion));
+
queryParams.put(RangerRESTUtils.REST_PARAM_LAST_ACTIVATION_TIME,
Long.toString(lastActivationTimeInMillis));
+ queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
+ queryParams.put(RangerRESTUtils.REST_PARAM_CLUSTER_NAME,
clusterName);
+
queryParams.put(RangerRESTUtils.REST_PARAM_SUPPORTS_POLICY_DELTAS,
Boolean.toString(supportsPolicyDeltas));
+ queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES,
pluginCapabilities);
+
+ if (isSecureMode) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Checking Service policy if updated
as user : " + user);
+ }
+ PrivilegedAction<ClientResponse> action = new
PrivilegedAction<ClientResponse>() {
+ public ClientResponse run() {
+ String relativeURL =
RangerRESTUtils.REST_URL_POLICY_GET_FOR_SECURE_SERVICE_IF_UPDATED +
serviceNameUrlParam;
+ ClientResponse clientResp = null;
+ try {
+ clientResp =
restClient.get(relativeURL, queryParams, policyDownloadSessionId);
+ } catch (Exception e) {
+ LOG.error("Failed to get
response, Error is : "+e.getMessage());
+ }
+ return clientResp;
+ }
+ };
+ ret = user.doAs(action);
+ } else {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Checking Service policy if updated
with old api call");
+ }
+ String relativeURL =
RangerRESTUtils.REST_URL_POLICY_GET_FOR_SERVICE_IF_UPDATED +
serviceNameUrlParam;
+ ret = restClient.get(relativeURL, queryParams,
policyDownloadSessionId);
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
RangerAdminRESTClient.getRangerAdminPolicyDownloadResponse(" + lastKnownVersion
+ ", " + lastActivationTimeInMillis + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ private void checkAndResetSessionCookie(ClientResponse response) {
+ List<NewCookie> respCookieList = response.getCookies();
+ for (NewCookie respCookie : respCookieList) {
+ if
(respCookie.getName().equalsIgnoreCase(rangerAdminCookieName)) {
+ policyDownloadSessionId = respCookie;
+ isValidPolicyDownloadSessionCookie =
(policyDownloadSessionId != null);
+ break;
+ }
+ }
+ }
+
+ private void setCookieReceivedFromCredSession(ClientResponse
clientResponse) {
+ if (isRangerCookieEnabled) {
+ Cookie sessionCookie = null;
+ List<NewCookie> cookieList =
clientResponse.getCookies();
+ // save cookie received from credentials session login
+ for (NewCookie cookie : cookieList) {
+ if
(cookie.getName().equalsIgnoreCase(rangerAdminCookieName)) {
+ sessionCookie = cookie.toCookie();
+ break;
+ }
+ }
+ policyDownloadSessionId = sessionCookie;
+ isValidPolicyDownloadSessionCookie =
(policyDownloadSessionId != null);
+ }
+ }
+
+ /* Tags Download ranger admin rest call */
+ private ServiceTags getServiceTagsIfUpdatedWithCred(final long
lastKnownVersion, final long lastActivationTimeInMillis) throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
RangerAdminRESTClient.getServiceTagsIfUpdatedWithCred(" + lastKnownVersion + ",
" + lastActivationTimeInMillis + ")");
+ }
+
+ final ServiceTags ret;
+
+ final UserGroupInformation user = MiscUtil.getUGILoginUser();
+ final boolean isSecureMode = user != null &&
UserGroupInformation.isSecurityEnabled();
+ final ClientResponse response =
getRangerAdminTagDownloadResponse(lastKnownVersion, lastActivationTimeInMillis,
user, isSecureMode);
+
+ if (response == null || response.getStatus() ==
HttpServletResponse.SC_NOT_MODIFIED) {
+ if (response == null) {
+ tagDownloadSessionId = null;
+ LOG.error("Error getting tags; Received NULL
response!!. secureMode=" + isSecureMode + ", user=" + user + ", serviceName=" +
serviceName);
+ } else {
+
setCookieReceivedFromTagDownloadSession(response);
+ RESTResponse resp =
RESTResponse.fromClientResponse(response);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("No change in tags.
secureMode=" + isSecureMode + ", user=" + user
+ + ", response=" + resp
+ ", serviceName=" + serviceName
+ + ", " +
"lastKnownVersion=" + lastKnownVersion
+ + ", " +
"lastActivationTimeInMillis=" + lastActivationTimeInMillis);
+ }
+ }
+ ret = null;
+ } else if (response.getStatus() == HttpServletResponse.SC_OK) {
+ setCookieReceivedFromTagDownloadSession(response);
+ ret = response.getEntity(ServiceTags.class);
+ } else if (response.getStatus() ==
HttpServletResponse.SC_NOT_FOUND) {
+ tagDownloadSessionId = null;
+ ret = null;
+ LOG.error("Error getting tags; service not found.
secureMode=" + isSecureMode + ", user=" + user
+ + ", response=" + response.getStatus()
+ ", serviceName=" + serviceName
+ + ", " + "lastKnownVersion=" +
lastKnownVersion
+ + ", " + "lastActivationTimeInMillis="
+ lastActivationTimeInMillis);
+
+ String exceptionMsg = response.hasEntity() ?
response.getEntity(String.class) : null;
+
RangerServiceNotFoundException.throwExceptionIfServiceNotFound(serviceName,
exceptionMsg);
+ LOG.warn("Received 404 error code with body:[" +
exceptionMsg + "], Ignoring");
+ } else {
+ RESTResponse resp =
RESTResponse.fromClientResponse(response);
+ LOG.warn("Error getting tags. secureMode=" +
isSecureMode + ", user=" + user + ", response=" + resp + ", serviceName=" +
serviceName);
+ tagDownloadSessionId = null;
+ ret = null;
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
RangerAdminRESTClient.getServiceTagsIfUpdatedWithCred(" + lastKnownVersion + ",
" + lastActivationTimeInMillis + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ private ServiceTags getServiceTagsIfUpdatedWithCookie(final long
lastKnownVersion, final long lastActivationTimeInMillis) throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
RangerAdminRESTClient.getServiceTagsIfUpdatedWithCookie(" + lastKnownVersion +
", " + lastActivationTimeInMillis + ")");
+ }
+
+ final ServiceTags ret;
+
+ final UserGroupInformation user = MiscUtil.getUGILoginUser();
+ final boolean isSecureMode = user != null &&
UserGroupInformation.isSecurityEnabled();
+ final ClientResponse response =
getRangerAdminTagDownloadResponse(lastKnownVersion, lastActivationTimeInMillis,
user, isSecureMode);
+
+ if (response == null || response.getStatus() ==
HttpServletResponse.SC_NOT_MODIFIED) {
+ if (response == null) {
+ tagDownloadSessionId = null;
+ isValidTagDownloadSessionCookie = false;
+ LOG.error("Error getting tags; Received NULL
response!!. secureMode=" + isSecureMode + ", user=" + user + ", serviceName=" +
serviceName);
+ } else {
+ checkAndResetTagDownloadSessionCookie(response);
+ RESTResponse resp =
RESTResponse.fromClientResponse(response);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("No change in tags.
secureMode=" + isSecureMode + ", user=" + user
+ + ", response=" + resp
+ ", serviceName=" + serviceName
+ + ", " +
"lastKnownVersion=" + lastKnownVersion
+ + ", " +
"lastActivationTimeInMillis=" + lastActivationTimeInMillis);
+ }
+ }
+ ret = null;
+ } else if (response.getStatus() == HttpServletResponse.SC_OK) {
+ checkAndResetTagDownloadSessionCookie(response);
+ ret = response.getEntity(ServiceTags.class);
+ } else if (response.getStatus() ==
HttpServletResponse.SC_NOT_FOUND) {
+ tagDownloadSessionId = null;
+ isValidTagDownloadSessionCookie = false;
+ ret = null;
+ LOG.error("Error getting tags; service not found.
secureMode=" + isSecureMode + ", user=" + user
+ + ", response=" + response.getStatus()
+ ", serviceName=" + serviceName
+ + ", " + "lastKnownVersion=" +
lastKnownVersion
+ + ", " + "lastActivationTimeInMillis="
+ lastActivationTimeInMillis);
+
+ String exceptionMsg = response.hasEntity() ?
response.getEntity(String.class) : null;
+
RangerServiceNotFoundException.throwExceptionIfServiceNotFound(serviceName,
exceptionMsg);
+ LOG.warn("Received 404 error code with body:[" +
exceptionMsg + "], Ignoring");
+ } else {
+ RESTResponse resp =
RESTResponse.fromClientResponse(response);
+ LOG.warn("Error getting tags. secureMode=" +
isSecureMode + ", user=" + user + ", response=" + resp + ", serviceName=" +
serviceName);
+ tagDownloadSessionId = null;
+ isValidTagDownloadSessionCookie = false;
+ ret = null;
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
RangerAdminRESTClient.getServiceTagsIfUpdatedWithCookie(" + lastKnownVersion +
", " + lastActivationTimeInMillis + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ private ClientResponse getRangerAdminTagDownloadResponse(final long
lastKnownVersion, final long lastActivationTimeInMillis, final
UserGroupInformation user, final boolean isSecureMode) throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
RangerAdminRESTClient.getRangerAdminTagDownloadResponse(" + lastKnownVersion +
", " + lastActivationTimeInMillis + ")");
+ }
+
+ final ClientResponse ret;
+
+ Map<String, String> queryParams = new HashMap<String, String>();
+ queryParams.put(RangerRESTUtils.LAST_KNOWN_TAG_VERSION_PARAM,
Long.toString(lastKnownVersion));
+
queryParams.put(RangerRESTUtils.REST_PARAM_LAST_ACTIVATION_TIME,
Long.toString(lastActivationTimeInMillis));
+ queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
+ queryParams.put(RangerRESTUtils.REST_PARAM_SUPPORTS_TAG_DELTAS,
Boolean.toString(supportsTagDeltas));
+ queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES,
pluginCapabilities);
+
+ if (isSecureMode) {
+ PrivilegedAction<ClientResponse> action = new
PrivilegedAction<ClientResponse>() {
+ public ClientResponse run() {
+ String relativeURL =
RangerRESTUtils.REST_URL_GET_SECURE_SERVICE_TAGS_IF_UPDATED +
serviceNameUrlParam;
+ ClientResponse clientResp = null;
+ try {
+ clientResp =
restClient.get(relativeURL, queryParams, tagDownloadSessionId);
+ } catch (Exception e) {
+ LOG.error("Failed to get
response, Error is : "+e.getMessage());
+ }
+ return clientResp;
+ }
+ };
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("getServiceTagsIfUpdated as user " +
user);
+ }
+ ret = user.doAs(action);
+ } else {
+ String relativeURL =
RangerRESTUtils.REST_URL_GET_SERVICE_TAGS_IF_UPDATED + serviceNameUrlParam;
+ ret = restClient.get(relativeURL, queryParams);
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
RangerAdminRESTClient.getRangerAdminTagDownloadResponse(" + lastKnownVersion +
", " + lastActivationTimeInMillis + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ private void checkAndResetTagDownloadSessionCookie(ClientResponse
response) {
+ List<NewCookie> respCookieList = response.getCookies();
+ for (NewCookie respCookie : respCookieList) {
+ if
(respCookie.getName().equalsIgnoreCase(rangerAdminCookieName)) {
+ tagDownloadSessionId = respCookie;
+ isValidTagDownloadSessionCookie =
(tagDownloadSessionId != null);
+ break;
+ }
+ }
+ }
+
+ private void setCookieReceivedFromTagDownloadSession(ClientResponse
clientResponse) {
+ if (isRangerCookieEnabled) {
+ Cookie sessionCookie = null;
+ List<NewCookie> cookieList =
clientResponse.getCookies();
+ // save cookie received from credentials session login
+ for (NewCookie cookie : cookieList) {
+ if
(cookie.getName().equalsIgnoreCase(rangerAdminCookieName)) {
+ sessionCookie = cookie.toCookie();
+ break;
+ }
+ }
+ tagDownloadSessionId = sessionCookie;
+ isValidTagDownloadSessionCookie = (tagDownloadSessionId
!= null);
+ }
+ }
+
+ /* Roles Download ranger admin rest call methods */
+ private RangerRoles getRolesIfUpdatedWithCred(final long
lastKnownRoleVersion, final long lastActivationTimeInMillis) throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
RangerAdminRESTClient.getRolesIfUpdatedWithCred(" + lastKnownRoleVersion + ", "
+ lastActivationTimeInMillis + ")");
+ }
+
+ final RangerRoles ret;
+
+ final UserGroupInformation user = MiscUtil.getUGILoginUser();
+ final boolean isSecureMode = user != null &&
UserGroupInformation.isSecurityEnabled();
+ final ClientResponse response =
getRangerRolesDownloadResponse(lastKnownRoleVersion,
lastActivationTimeInMillis, user, isSecureMode);
+
+ if (response == null || response.getStatus() ==
HttpServletResponse.SC_NOT_MODIFIED || response.getStatus() ==
HttpServletResponse.SC_NO_CONTENT) {
+ if (response == null) {
+ roleDownloadSessionId = null;
+ LOG.error("Error getting Roles; Received NULL
response!!. secureMode=" + isSecureMode + ", user=" + user + ", serviceName=" +
serviceName);
+ } else {
+
setCookieReceivedFromRoleDownloadSession(response);
+ RESTResponse resp =
RESTResponse.fromClientResponse(response);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("No change in Roles.
secureMode=" + isSecureMode + ", user=" + user
+ + ", response=" + resp
+ ", serviceName=" + serviceName
+ + ", " +
"lastKnownRoleVersion=" + lastKnownRoleVersion
+ + ", " +
"lastActivationTimeInMillis=" + lastActivationTimeInMillis);
+ }
+ }
+ ret = null;
+ } else if (response.getStatus() == HttpServletResponse.SC_OK) {
+ setCookieReceivedFromRoleDownloadSession(response);
+ ret = response.getEntity(RangerRoles.class);
+ } else if (response.getStatus() ==
HttpServletResponse.SC_NOT_FOUND) {
+ roleDownloadSessionId = null;
+ ret = null;
+ LOG.error("Error getting Roles; service not found.
secureMode=" + isSecureMode + ", user=" + user
+ + ", response=" + response.getStatus()
+ ", serviceName=" + serviceName
+ + ", " + "lastKnownRoleVersion=" +
lastKnownRoleVersion
+ + ", " + "lastActivationTimeInMillis="
+ lastActivationTimeInMillis);
+ String exceptionMsg = response.hasEntity() ?
response.getEntity(String.class) : null;
+
+
RangerServiceNotFoundException.throwExceptionIfServiceNotFound(serviceName,
exceptionMsg);
+
+ LOG.warn("Received 404 error code with body:[" +
exceptionMsg + "], Ignoring");
+ } else {
+ RESTResponse resp =
RESTResponse.fromClientResponse(response);
+ LOG.warn("Error getting Roles. secureMode=" +
isSecureMode + ", user=" + user + ", response=" + resp + ", serviceName=" +
serviceName);
+ roleDownloadSessionId = null;
+ ret = null;
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
RangerAdminRESTClient.getRolesIfUpdatedWithCred(" + lastKnownRoleVersion + ", "
+ lastActivationTimeInMillis + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ private RangerRoles getRolesIfUpdatedWithCookie(final long
lastKnownRoleVersion, final long lastActivationTimeInMillis) throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
RangerAdminRESTClient.getRolesIfUpdatedWithCookie(" + lastKnownRoleVersion + ",
" + lastActivationTimeInMillis + ")");
+ }
+
+ final RangerRoles ret;
+
+ final UserGroupInformation user = MiscUtil.getUGILoginUser();
+ final boolean isSecureMode = user != null &&
UserGroupInformation.isSecurityEnabled();
+ final ClientResponse response =
getRangerRolesDownloadResponse(lastKnownRoleVersion,
lastActivationTimeInMillis, user, isSecureMode);
+
+ if (response == null || response.getStatus() ==
HttpServletResponse.SC_NOT_MODIFIED || response.getStatus() ==
HttpServletResponse.SC_NO_CONTENT) {
+ if (response == null) {
+ roleDownloadSessionId = null;
+ isValidRoleDownloadSessionCookie = false;
+ LOG.error("Error getting Roles; Received NULL
response!!. secureMode=" + isSecureMode + ", user=" + user + ", serviceName=" +
serviceName);
+ } else {
+
checkAndResetRoleDownloadSessionCookie(response);
+ RESTResponse resp =
RESTResponse.fromClientResponse(response);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("No change in Roles.
secureMode=" + isSecureMode + ", user=" + user
+ + ", response=" + resp
+ ", serviceName=" + serviceName
+ + ", " +
"lastKnownRoleVersion=" + lastKnownRoleVersion
+ + ", " +
"lastActivationTimeInMillis=" + lastActivationTimeInMillis);
+ }
+ }
+ ret = null;
+ } else if (response.getStatus() == HttpServletResponse.SC_OK) {
+ checkAndResetRoleDownloadSessionCookie(response);
+ ret = response.getEntity(RangerRoles.class);
+ } else if (response.getStatus() ==
HttpServletResponse.SC_NOT_FOUND) {
+ roleDownloadSessionId = null;
+ isValidRoleDownloadSessionCookie = false;
+ ret = null;
+ LOG.error("Error getting Roles; service not found.
secureMode=" + isSecureMode + ", user=" + user
+ + ", response=" + response.getStatus()
+ ", serviceName=" + serviceName
+ + ", " + "lastKnownRoleVersion=" +
lastKnownRoleVersion
+ + ", " + "lastActivationTimeInMillis="
+ lastActivationTimeInMillis);
+ String exceptionMsg = response.hasEntity() ?
response.getEntity(String.class) : null;
+
RangerServiceNotFoundException.throwExceptionIfServiceNotFound(serviceName,
exceptionMsg);
+ LOG.warn("Received 404 error code with body:[" +
exceptionMsg + "], Ignoring");
+ } else {
+ RESTResponse resp =
RESTResponse.fromClientResponse(response);
+ LOG.warn("Error getting Roles. secureMode=" +
isSecureMode + ", user=" + user + ", response=" + resp + ", serviceName=" +
serviceName);
+ roleDownloadSessionId = null;
+ isValidRoleDownloadSessionCookie = false;
+ ret = null;
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
RangerAdminRESTClient.getRolesIfUpdatedWithCookie(" + lastKnownRoleVersion + ",
" + lastActivationTimeInMillis + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ private ClientResponse getRangerRolesDownloadResponse(final long
lastKnownRoleVersion, final long lastActivationTimeInMillis, final
UserGroupInformation user, final boolean isSecureMode) throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
RangerAdminRESTClient.getRangerRolesDownloadResponse(" + lastKnownRoleVersion +
", " + lastActivationTimeInMillis + ")");
+ }
+
+ final ClientResponse ret;
+
+ Map<String, String> queryParams = new HashMap<String, String>();
+
queryParams.put(RangerRESTUtils.REST_PARAM_LAST_KNOWN_ROLE_VERSION,
Long.toString(lastKnownRoleVersion));
+
queryParams.put(RangerRESTUtils.REST_PARAM_LAST_ACTIVATION_TIME,
Long.toString(lastActivationTimeInMillis));
+ queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
+ queryParams.put(RangerRESTUtils.REST_PARAM_CLUSTER_NAME,
clusterName);
+ queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES,
pluginCapabilities);
+
+ if (isSecureMode) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Checking Roles updated as user : " +
user);
+ }
+ PrivilegedAction<ClientResponse> action = new
PrivilegedAction<ClientResponse>() {
+ public ClientResponse run() {
+ ClientResponse clientRes = null;
+ String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_SERCURE_GET_USER_GROUP_ROLES +
serviceNameUrlParam;
+ try {
+ clientRes =
restClient.get(relativeURL, queryParams, roleDownloadSessionId);
+ } catch (Exception e) {
+ LOG.error("Failed to get
response, Error is : "+e.getMessage());
+ }
+ return clientRes;
+ }
+ };
+ ret = user.doAs(action);
+ } else {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Checking Roles updated as user : " +
user);
+ }
+ String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_GET_USER_GROUP_ROLES + serviceNameUrlParam;
+ ret = restClient.get(relativeURL, queryParams);
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
RangerAdminRESTClient.getRangerRolesDownloadResponse(" + lastKnownRoleVersion +
", " + lastActivationTimeInMillis + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ private void checkAndResetRoleDownloadSessionCookie(ClientResponse
response) {
+ List<NewCookie> respCookieList = response.getCookies();
+ for (NewCookie respCookie : respCookieList) {
+ if
(respCookie.getName().equalsIgnoreCase(rangerAdminCookieName)) {
+ roleDownloadSessionId = respCookie;
+ isValidRoleDownloadSessionCookie =
(roleDownloadSessionId != null);
+ break;
+ }
+ }
+ }
+
+ private void setCookieReceivedFromRoleDownloadSession(ClientResponse
clientResponse) {
+ if (isRangerCookieEnabled) {
+ Cookie sessionCookie = null;
+ List<NewCookie> cookieList =
clientResponse.getCookies();
+ // save cookie received from credentials session login
+ for (NewCookie cookie : cookieList) {
+ if
(cookie.getName().equalsIgnoreCase(rangerAdminCookieName)) {
+ sessionCookie = cookie.toCookie();
+ break;
+ }
+ }
+ roleDownloadSessionId = sessionCookie;
+ isValidRoleDownloadSessionCookie =
(roleDownloadSessionId != null);
+ }
+ }
}
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java
index f838f84..55a9a78 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAbstractContextEnricher.java
@@ -178,6 +178,10 @@ public abstract class RangerAbstractContextEnricher
implements RangerContextEnri
this.pluginContext = pluginContext;
}
+ public RangerPluginContext getPluginContext() {
+ return this.pluginContext;
+ }
+
final public void setPolicyEngineOptions(RangerPolicyEngineOptions
options) {
this.options = options;
}
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAdminTagRetriever.java
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAdminTagRetriever.java
index 7b49a99..ef941bd 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAdminTagRetriever.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAdminTagRetriever.java
@@ -24,7 +24,7 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.admin.client.RangerAdminClient;
import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
-import org.apache.ranger.plugin.service.RangerBasePlugin;
+import org.apache.ranger.plugin.policyengine.RangerPluginContext;
import org.apache.ranger.plugin.util.ServiceTags;
import java.nio.channels.ClosedByInterruptException;
@@ -45,7 +45,10 @@ public class RangerAdminTagRetriever extends
RangerTagRetriever {
pluginConfig = new
RangerPluginConfig(serviceDef.getName(), serviceName, appId, null, null, null);
}
- adminClient =
RangerBasePlugin.createAdminClient(pluginConfig);
+ RangerPluginContext pluginContext = getPluginContext();
+ RangerAdminClient rangerAdmin =
pluginContext.getAdminClient();
+ this.adminClient = (rangerAdmin !=
null) ? rangerAdmin : pluginContext.createAdminClient(pluginConfig);
+
} else {
LOG.error("FATAL: Cannot find service/serviceDef to use
for retrieving tags. Will NOT be able to retrieve tags.");
}
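Review bot: `getPluginContext()` is dereferenced on the very next added line without a null check, and the `pluginContext` field this commit adds to RangerTagRetriever stays null unless `setPluginContext` was called before this code runs. RangerTagEnricher does that in this commit, but any other code that constructs the retriever itself would now hit a NullPointerException where it previously got a client. A fallback such as `RangerPluginContext pluginContext = (getPluginContext() != null) ? getPluginContext() : new RangerPluginContext(pluginConfig);` keeps the old behaviour. The same applies to the matching hunk in RangerAdminUserStoreRetriever; the enclosing method starts and ends outside this hunk.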
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAdminUserStoreRetriever.java
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAdminUserStoreRetriever.java
index ed96336..c75a5cd 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAdminUserStoreRetriever.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerAdminUserStoreRetriever.java
@@ -24,7 +24,7 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.admin.client.RangerAdminClient;
import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
-import org.apache.ranger.plugin.service.RangerBasePlugin;
+import org.apache.ranger.plugin.policyengine.RangerPluginContext;
import org.apache.ranger.plugin.util.RangerUserStore;
import java.nio.channels.ClosedByInterruptException;
@@ -45,7 +45,10 @@ public class RangerAdminUserStoreRetriever extends
RangerUserStoreRetriever {
pluginConfig = new RangerPluginConfig(serviceDef.getName(),
serviceName, appId, null, null, null);
}
- adminClient = RangerBasePlugin.createAdminClient(pluginConfig);
+ RangerPluginContext pluginContext = getPluginContext();
+ RangerAdminClient rangerAdmin = pluginContext.getAdminClient();
+ this.adminClient = (rangerAdmin != null) ?
rangerAdmin : pluginContext.createAdminClient(pluginConfig);
+
} else {
LOG.error("FATAL: Cannot find service/serviceDef to use for
retrieving userstore. Will NOT be able to retrieve userstore.");
}
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
index a78b484..c8346d3 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagEnricher.java
@@ -143,6 +143,7 @@ public class RangerTagEnricher extends
RangerAbstractContextEnricher {
tagRetriever.setServiceDef(serviceDef);
tagRetriever.setAppId(appId);
tagRetriever.setPluginConfig(getPluginConfig());
+
tagRetriever.setPluginContext(getPluginContext());
tagRetriever.init(enricherDef.getEnricherOptions());
tagRefresher = new
RangerTagRefresher(tagRetriever, this, -1L, tagDownloadQueue, cacheFile);
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagRetriever.java
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagRetriever.java
index 0f09b64..d7c7375 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagRetriever.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerTagRetriever.java
@@ -21,6 +21,7 @@ package org.apache.ranger.plugin.contextenricher;
import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.policyengine.RangerPluginContext;
import org.apache.ranger.plugin.util.ServiceTags;
import java.util.Map;
@@ -31,6 +32,7 @@ public abstract class RangerTagRetriever {
protected RangerServiceDef serviceDef;
protected String appId;
protected RangerPluginConfig pluginConfig;
+ protected RangerPluginContext pluginContext;
public abstract void init(Map<String, String> options);
@@ -61,4 +63,12 @@ public abstract class RangerTagRetriever {
}
public void setPluginConfig(RangerPluginConfig pluginConfig) {
this.pluginConfig = pluginConfig; }
+
+ public RangerPluginContext getPluginContext() {
+ return pluginContext;
+ }
+
+ public void setPluginContext(RangerPluginContext pluginContext) {
+ this.pluginContext = pluginContext;
+ }
}
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerUserStoreEnricher.java
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerUserStoreEnricher.java
index 1061633..22f036b 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerUserStoreEnricher.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerUserStoreEnricher.java
@@ -96,6 +96,7 @@ public class RangerUserStoreEnricher extends
RangerAbstractContextEnricher {
userStoreRetriever.setServiceDef(serviceDef);
userStoreRetriever.setAppId(appId);
userStoreRetriever.setPluginConfig(getPluginConfig());
+ userStoreRetriever.setPluginContext(getPluginContext());
userStoreRetriever.init(enricherDef.getEnricherOptions());
userStoreRefresher = new
RangerUserStoreRefresher(userStoreRetriever, this, null, -1L,
userStoreDownloadQueue, cacheFile);
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerUserStoreRetriever.java
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerUserStoreRetriever.java
index 1addbc4..c9a9492 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerUserStoreRetriever.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerUserStoreRetriever.java
@@ -21,6 +21,7 @@ package org.apache.ranger.plugin.contextenricher;
import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.policyengine.RangerPluginContext;
import org.apache.ranger.plugin.util.RangerUserStore;
import java.util.Map;
@@ -31,6 +32,7 @@ public abstract class RangerUserStoreRetriever {
protected RangerServiceDef serviceDef;
protected String appId;
protected RangerPluginConfig pluginConfig;
+ protected RangerPluginContext pluginContext;
public abstract void init(Map<String, String> options);
@@ -61,4 +63,12 @@ public abstract class RangerUserStoreRetriever {
}
public void setPluginConfig(RangerPluginConfig pluginConfig) {
this.pluginConfig = pluginConfig; }
+
+ public RangerPluginContext getPluginContext() {
+ return pluginContext;
+ }
+
+ public void setPluginContext(RangerPluginContext pluginContext) {
+ this.pluginContext = pluginContext;
+ }
}
\ No newline at end of file
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java
index a8e7600..39683a5 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java
@@ -19,14 +19,22 @@
package org.apache.ranger.plugin.policyengine;
+import org.apache.commons.lang.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.admin.client.RangerAdminClient;
+import org.apache.ranger.admin.client.RangerAdminRESTClient;
import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
import org.apache.ranger.plugin.service.RangerAuthContext;
import org.apache.ranger.plugin.service.RangerAuthContextListener;
public class RangerPluginContext {
+ private static final Log LOG =
LogFactory.getLog(RangerPluginContext.class);
+
private final RangerPluginConfig config;
private RangerAuthContext authContext;
private RangerAuthContextListener authContextListener;
+ private RangerAdminClient adminClient;
public RangerPluginContext(RangerPluginConfig config) {
@@ -57,4 +65,54 @@ public class RangerPluginContext {
}
}
+ public RangerAdminClient getAdminClient() {
+ return adminClient;
+ }
+
+ public void setAdminClient(RangerAdminClient adminClient) {
+ this.adminClient = adminClient;
+ }
+
+ public RangerAdminClient createAdminClient(RangerPluginConfig
pluginConfig) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerBasePlugin.createAdminClient(" +
pluginConfig.getServiceName() + ", " + pluginConfig.getAppId() + ", " +
pluginConfig.getPropertyPrefix() + ")");
+ }
+
+ RangerAdminClient ret = null;
+ String propertyName =
pluginConfig.getPropertyPrefix() + ".policy.source.impl";
+ String policySourceImpl =
pluginConfig.get(propertyName);
+
+ if(StringUtils.isEmpty(policySourceImpl)) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug(String.format("Value for property[%s]
was null or empty. Unexpected! Will use policy source of type[%s]",
propertyName, RangerAdminRESTClient.class.getName()));
+ }
+ } else {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug(String.format("Value for property[%s]
was [%s].", propertyName, policySourceImpl));
+ }
+
+ try {
+ @SuppressWarnings("unchecked")
+ Class<RangerAdminClient> adminClass =
(Class<RangerAdminClient>)Class.forName(policySourceImpl);
+
+ ret = adminClass.newInstance();
+ } catch (Exception excp) {
+ LOG.error("failed to instantiate policy source
of type '" + policySourceImpl + "'. Will use policy source of type '" +
RangerAdminRESTClient.class.getName() + "'", excp);
+ }
+ }
+
+ if(ret == null) {
+ ret = new RangerAdminRESTClient();
+ }
+
+ ret.init(pluginConfig.getServiceName(),
pluginConfig.getAppId(), pluginConfig.getPropertyPrefix(), pluginConfig);
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerBasePlugin.createAdminClient(" +
pluginConfig.getServiceName() + ", " + pluginConfig.getAppId() + ", " +
pluginConfig.getPropertyPrefix() + "): policySourceImpl=" + policySourceImpl +
", client=" + ret);
+ }
+
+ setAdminClient(ret);
+
+ return ret;
+ }
}
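Review bot: In `createAdminClient`, the class named by the `.policy.source.impl` property is loaded, initialised and instantiated before anything checks that it is a `RangerAdminClient`. The unchecked cast to `Class<RangerAdminClient>` verifies nothing, so a wrong type is only rejected by the ClassCastException on assignment, after its static initialiser and constructor have already run. Checking the type first narrows that: `Class<? extends RangerAdminClient> adminClass = Class.forName(policySourceImpl, false, getClass().getClassLoader()).asSubclass(RangerAdminClient.class);` followed by `ret = adminClass.getDeclaredConstructor().newInstance();`, which also makes the `@SuppressWarnings` unnecessary. The debug messages still say `RangerBasePlugin.createAdminClient`, although the method is now in RangerPluginContext.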
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
index 82b0481..7e0894d 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -140,6 +140,10 @@ public class RangerBasePlugin {
return pluginConfig.getClusterName();
}
+ public RangerPluginContext getPluginContext() {
+ return pluginContext;
+ }
+
public RangerAuthContext getCurrentRangerAuthContext() { return
currentAuthContext; }
// For backward compatibility
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
b/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
index dcba363..7250de1 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/util/PolicyRefresher.java
@@ -33,6 +33,7 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.admin.client.RangerAdminClient;
import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
+import org.apache.ranger.plugin.policyengine.RangerPluginContext;
import org.apache.ranger.plugin.service.RangerBasePlugin;
import com.google.gson.Gson;
@@ -89,8 +90,10 @@ public class PolicyRefresher extends Thread {
LOG.fatal("PolicyRefresher(): failed to create
GsonBuilder object", excp);
}
+ RangerPluginContext pluginContext = plugIn.getPluginContext();
+ RangerAdminClient adminClient =
pluginContext.getAdminClient();
+ this.rangerAdmin = (adminClient != null) ?
adminClient : pluginContext.createAdminClient(pluginConfig);
this.gson = gson;
- this.rangerAdmin =
RangerBasePlugin.createAdminClient(pluginConfig);
this.rolesProvider = new
RangerRolesProvider(getServiceType(), appId, getServiceName(), rangerAdmin,
cacheDir, pluginConfig);
this.pollingIntervalMs =
pluginConfig.getLong(propertyPrefix + ".policy.pollIntervalMs", 30 * 1000);
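Review bot: The get-then-create sequence for the shared admin client is not atomic: `getAdminClient()` and `createAdminClient()` on RangerPluginContext are unsynchronised and `adminClient` is a plain field. If the refresher and the tag or user-store retrievers (which repeat the same two lines) are initialised on different threads, each can see null and build its own client. The session state kept inside the client would then not be shared, which appears to be the purpose of this commit. Moving the sequence into a single `synchronized` method on RangerPluginContext, for example `getOrCreateAdminClient(pluginConfig)`, would cover all three call sites. The constructor body continues outside this hunk.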
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerCommonConstants.java
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerCommonConstants.java
index 570eb6e..75132d8 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerCommonConstants.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerCommonConstants.java
@@ -48,6 +48,8 @@ public class RangerCommonConstants {
public static final boolean
RANGER_ADMIN_SUFFIX_IN_PLACE_TAG_UPDATES_DEFAULT = false;
public static final boolean
PLUGIN_CONFIG_SUFFIX_IN_PLACE_TAG_UPDATES_DEFAULT = false;
+ public static final boolean POLICY_REST_CLIENT_SESSION_COOKIE_ENABLED
= true;
+
public static final String SCRIPT_OPTION_ENABLE_JSON_CTX =
"enableJsonCtx";
public static final String SCRIPT_VAR_CONTEXT =
"_ctx";
public static final String SCRIPT_VAR_CONTEXT_JSON =
"_ctx_json";
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
index 216b6b2..695212d 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
@@ -472,6 +472,32 @@ public class RangerRESTClient {
return finalResponse;
}
+ public ClientResponse get(String relativeUrl, Map<String, String>
params, Cookie sessionId) throws Exception{
+ ClientResponse finalResponse = null;
+ int startIndex = this.lastKnownActiveUrlIndex;
+ int currentIndex = 0;
+
+ for (int index = 0; index < configuredURLs.size(); index++) {
+ try {
+ currentIndex = (startIndex + index) %
configuredURLs.size();
+
+ WebResource webResource =
createWebResourceForCookieAuth(currentIndex, relativeUrl);
+ webResource = setQueryParams(webResource,
params);
+ WebResource.Builder br =
webResource.getRequestBuilder().cookie(sessionId);
+ finalResponse =
br.accept(RangerRESTUtils.REST_EXPECTED_MIME_TYPE).type(RangerRESTUtils.REST_MIME_TYPE_JSON).get(ClientResponse.class);
+
+ if (finalResponse != null) {
+
setLastKnownActiveUrlIndex(currentIndex);
+ break;
+ }
+ } catch (ClientHandlerException ex) {
+ LOG.warn("Failed to communicate with Ranger
Admin, URL : "+configuredURLs.get(currentIndex));
+ processException(index, ex);
+ }
+ }
+ return finalResponse;
+ }
+
public ClientResponse post(String relativeUrl, Map<String, String>
params, Object obj) throws Exception {
ClientResponse finalResponse = null;
int startIndex = this.lastKnownActiveUrlIndex;
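Review bot: `sessionId` is passed to `cookie(sessionId)` without a null check, and the visible callers in RangerAdminRESTClient hand over `tagDownloadSessionId` / `roleDownloadSessionId` on every secure-mode request, including the credential-based one made before any cookie has been received. Whether the Jersey builder tolerates a null cookie is not visible here, so a guard is safer: `WebResource.Builder br = webResource.getRequestBuilder();` then `if (sessionId != null) { br = br.cookie(sessionId); }`. A failure here that is not a `ClientHandlerException` would leave this method and, in those callers, be reduced to `e.getMessage()` in the log. The method also needs a Javadoc comment saying that the same session cookie is presented to each configured URL in turn during failover.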
diff --git
a/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
b/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
index fa17f5d..0316621 100644
---
a/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
+++
b/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
@@ -36,8 +36,11 @@ import javax.net.ssl.SSLSession;
import javax.ws.rs.ProcessingException;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
+import javax.ws.rs.client.Invocation;
import javax.ws.rs.client.WebTarget;
+import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;
import org.apache.commons.lang.StringUtils;
@@ -78,8 +81,17 @@ public class RangerAdminJersey2RESTClient extends
AbstractRangerAdminClient {
int _restClientReadTimeOutMs;
private int lastKnownActiveUrlIndex;
private List<String> configURLs;
- private final String pluginCapabilities = Long.toHexString(new
RangerPluginCapability().getPluginCapabilities());
- private static final int MAX_PLUGIN_ID_LEN = 255;
+ private boolean isRangerCookieEnabled;
+ private String rangerAdminCookieName;
+ private Cookie policyDownloadSessionId = null;
+ private boolean isValidPolicyDownloadSessionCookie = false;
+ private Cookie tagDownloadSessionId =
null;
+ private boolean isValidTagDownloadSessionCookie =
false;
+ private Cookie roleDownloadSessionId =
null;
+ private boolean isValidRoleDownloadSessionCookie =
false;
+ //private Map<String, NewCookie> cookieMap =
new HashMap<>();
+ private final String pluginCapabilities =
Long.toHexString(new RangerPluginCapability().getPluginCapabilities());
+ private static final int MAX_PLUGIN_ID_LEN = 255;
@Override
public void init(String serviceName, String appId, String
configPropertyPrefix, Configuration config) {
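Review bot: The commented-out field `//private Map<String, NewCookie> cookieMap` should be dropped rather than committed. The three cookie/flag pairs carry authentication state but have no comment saying what they hold or when they are reset; a line such as `// Session cookie returned by Ranger Admin for policy download; null until one is received` above each pair would make that explicit.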
@@ -101,6 +113,8 @@ public class RangerAdminJersey2RESTClient extends
AbstractRangerAdminClient {
}
_supportsPolicyDeltas = config.getBoolean(configPropertyPrefix
+ RangerCommonConstants.PLUGIN_CONFIG_SUFFIX_POLICY_DELTA,
RangerCommonConstants.PLUGIN_CONFIG_SUFFIX_POLICY_DELTA_DEFAULT);
_supportsTagDeltas = config.getBoolean(configPropertyPrefix +
RangerCommonConstants.PLUGIN_CONFIG_SUFFIX_TAG_DELTA,
RangerCommonConstants.PLUGIN_CONFIG_SUFFIX_TAG_DELTA_DEFAULT);
+ isRangerCookieEnabled = config.getBoolean(configPropertyPrefix
+ ".policy.rest.client.cookie.enabled",
RangerCommonConstants.POLICY_REST_CLIENT_SESSION_COOKIE_ENABLED);
+ rangerAdminCookieName = config.get(configPropertyPrefix +
".policy.rest.client.session.cookie.name",
RangerCommonConstants.DEFAULT_COOKIE_NAME);
configURLs = StringUtil.getURLs(tmpUrl);
this.lastKnownActiveUrlIndex = new
Random().nextInt(configURLs.size());
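Review bot: The two new property suffixes, `.policy.rest.client.cookie.enabled` and `.policy.rest.client.session.cookie.name`, are written as string literals here, while the delta settings just above take theirs from RangerCommonConstants. Named constants would keep this client and any other reader of the same keys from drifting apart. The default used for the first one, `POLICY_REST_CLIENT_SESSION_COOKIE_ENABLED`, is also missing the `_DEFAULT` suffix that the neighbouring defaults in RangerCommonConstants carry. Since the setting changes how the plugin authenticates to Ranger Admin and is on by default, a one-line comment stating that would help whoever has to turn it off. The `init` method continues outside this hunk.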
@@ -123,79 +137,12 @@ public class RangerAdminJersey2RESTClient extends
AbstractRangerAdminClient {
LOG.debug("==>
RangerAdminJersey2RESTClient.getServicePoliciesIfUpdated(" + lastKnownVersion +
", " + lastActivationTimeInMillis + ")");
}
- UserGroupInformation user = MiscUtil.getUGILoginUser();
- boolean isSecureMode = user != null &&
UserGroupInformation.isSecurityEnabled();
+ final ServicePolicies servicePolicies;
- String relativeURL = null;
- ServicePolicies servicePolicies = null;
- Response response = null;
-
- Map<String, String> queryParams = new HashMap<String, String>();
-
queryParams.put(RangerRESTUtils.REST_PARAM_LAST_KNOWN_POLICY_VERSION,
Long.toString(lastKnownVersion));
-
queryParams.put(RangerRESTUtils.REST_PARAM_LAST_ACTIVATION_TIME,
Long.toString(lastActivationTimeInMillis));
- queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID,
_pluginId);
- queryParams.put(RangerRESTUtils.REST_PARAM_CLUSTER_NAME,
_clusterName);
-
queryParams.put(RangerRESTUtils.REST_PARAM_SUPPORTS_POLICY_DELTAS,
Boolean.toString(_supportsPolicyDeltas));
- queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES,
pluginCapabilities);
-
- if (isSecureMode) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Checking Service policy if updated
as user : " + user);
- }
- relativeURL =
RangerRESTUtils.REST_URL_POLICY_GET_FOR_SECURE_SERVICE_IF_UPDATED +
_serviceName;
- final String secureRelativeUrl = relativeURL;
- PrivilegedAction<Response> action = new
PrivilegedAction<Response>() {
- public Response run() {
- return get(queryParams,
secureRelativeUrl);
- }
- };
- response = user.doAs(action);
+ if (isRangerCookieEnabled && policyDownloadSessionId != null &&
isValidPolicyDownloadSessionCookie) {
+ servicePolicies =
getServicePoliciesIfUpdatedWithCookie(lastKnownVersion,
lastActivationTimeInMillis);
} else {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Checking Service policy if updated
with old api call");
- }
- relativeURL =
RangerRESTUtils.REST_URL_POLICY_GET_FOR_SERVICE_IF_UPDATED + _serviceName;
- response = get(queryParams, relativeURL);
- }
-
- int httpResponseCode = response == null ? -1 :
response.getStatus();
- String body = null;
-
- switch (httpResponseCode) {
- case 200:
- body = response.readEntity(String.class);
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Response from 200 server: "
+ body);
- }
-
- Gson gson = getGson();
- servicePolicies = gson.fromJson(body,
ServicePolicies.class);
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Deserialized response to: "
+ servicePolicies);
- }
- break;
- case 304:
- LOG.debug("Got response: 304. Ok. Returning
null");
- break;
- case -1:
- LOG.warn("Unexpected: Null response from policy
server while trying to get policies! Returning null!");
- break;
- case 404: {
- if (response.hasEntity()) {
- body =
response.readEntity(String.class);
- if (StringUtils.isNotBlank(body)) {
-
RangerServiceNotFoundException.throwExceptionIfServiceNotFound(_serviceName,
body);
- }
- }
- LOG.warn("Received 404 error code with body:["
+ body + "], Ignoring");
- break;
- }
- default:
- body = response.readEntity(String.class);
- LOG.warn(String.format("Unexpected: Received
status[%d] with body[%s] form url[%s]", httpResponseCode, body, relativeURL));
- break;
+ servicePolicies =
getServicePoliciesIfUpdatedWithCred(lastKnownVersion,
lastActivationTimeInMillis);
}
if(LOG.isDebugEnabled()) {
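Review bot: Once a session cookie is held, this method tries only the cookie path, so a rejected or expired session can cost a full polling interval before policies are fetched again. This assumes `getServicePoliciesIfUpdatedWithCookie`, which is outside this hunk, clears the cookie and returns null on an error response, the way the visible `getRolesIfUpdatedWithCookie` in RangerAdminRESTClient does. Falling back to the credential path in the same call, when the cookie attempt has invalidated the session, closes that window without adding requests on a normal 304. The same change would apply to `getRolesIfUpdated` in the next hunk; the method starts and ends outside this hunk.

```java
final boolean useCookie = isRangerCookieEnabled && policyDownloadSessionId != null && isValidPolicyDownloadSessionCookie;
ServicePolicies policies = null;

if (useCookie) {
    policies = getServicePoliciesIfUpdatedWithCookie(lastKnownVersion, lastActivationTimeInMillis);
}
// Retry with credentials in the same poll if there was no cookie, or the cookie attempt invalidated it.
if (!useCookie || (policies == null && !isValidPolicyDownloadSessionCookie)) {
    policies = getServicePoliciesIfUpdatedWithCred(lastKnownVersion, lastActivationTimeInMillis);
}
final ServicePolicies servicePolicies = policies;
// … unchanged: debug logging and return …
```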
@@ -210,86 +157,18 @@ public class RangerAdminJersey2RESTClient extends
AbstractRangerAdminClient {
LOG.debug("==>
RangerAdminJersey2RESTClient.getRolesIfUpdated(" + lastKnowRoleVersion + ", " +
lastActivationTimeInMillis + ")");
}
- UserGroupInformation user = MiscUtil.getUGILoginUser();
- boolean isSecureMode = user != null &&
UserGroupInformation.isSecurityEnabled();
-
- String relativeURL = null;
- RangerRoles ret = null;
- Response response = null;
-
- Map<String, String> queryParams = new HashMap<String, String>();
-
queryParams.put(RangerRESTUtils.REST_PARAM_LAST_KNOWN_ROLE_VERSION,
Long.toString(lastKnowRoleVersion));
-
queryParams.put(RangerRESTUtils.REST_PARAM_LAST_ACTIVATION_TIME,
Long.toString(lastActivationTimeInMillis));
- queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID,
_pluginId);
- queryParams.put(RangerRESTUtils.REST_PARAM_CLUSTER_NAME,
_clusterName);
- queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES,
pluginCapabilities);
-
- if (isSecureMode) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Checking Roles if updated as user :
" + user);
- }
+ final RangerRoles rangerRoles;
- relativeURL =
RangerRESTUtils.REST_URL_SERVICE_SERCURE_GET_USER_GROUP_ROLES + _serviceName;
- final String secureRelativeUrl = relativeURL;
- PrivilegedAction<Response> action = new
PrivilegedAction<Response>() {
- public Response run() {
- return get(queryParams,
secureRelativeUrl);
- }
- };
- response = user.doAs(action);
+ if (isRangerCookieEnabled && roleDownloadSessionId != null &&
isValidRoleDownloadSessionCookie) {
+ rangerRoles =
getRangerRolesIfUpdatedWithCookie(lastKnowRoleVersion,
lastActivationTimeInMillis);
} else {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Checking Roles if updated with old
api call");
- }
-
- relativeURL =
RangerRESTUtils.REST_URL_SERVICE_GET_USER_GROUP_ROLES + _serviceName;
- response = get(queryParams, relativeURL);
- }
-
- int httpResponseCode = response == null ? -1 :
response.getStatus();
- String body = null;
-
- switch (httpResponseCode) {
- case 200:
- body = response.readEntity(String.class);
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Response from 200 server: "
+ body);
- }
-
- Gson gson = getGson();
- ret = gson.fromJson(body, RangerRoles.class);
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Deserialized response to: "
+ ret);
- }
- break;
- case 304:
- LOG.debug("Got response: 304. Ok. Returning
null");
- break;
- case -1:
- LOG.warn("Unexpected: Null response from policy
server while trying to get policies! Returning null!");
- break;
- case 404: {
- if (response.hasEntity()) {
- body =
response.readEntity(String.class);
- if (StringUtils.isNotBlank(body)) {
-
RangerServiceNotFoundException.throwExceptionIfServiceNotFound(_serviceName,
body);
- }
- }
- LOG.warn("Received 404 error code with body:["
+ body + "], Ignoring");
- break;
- }
- default:
- body = response.readEntity(String.class);
- LOG.warn(String.format("Unexpected: Received
status[%d] with body[%s] form url[%s]", httpResponseCode, body, relativeURL));
- break;
+ rangerRoles =
getRangerRolesIfUpdatedWithCred(lastKnowRoleVersion,
lastActivationTimeInMillis);
}
if(LOG.isDebugEnabled()) {
- LOG.debug("<==
RangerAdminJersey2RESTClient.getRolesIfUpdated(" + lastKnowRoleVersion + ", " +
lastActivationTimeInMillis + "): " + ret);
+ LOG.debug("<==
RangerAdminJersey2RESTClient.getRolesIfUpdated(" + lastKnowRoleVersion + ", " +
lastActivationTimeInMillis + "): " + rangerRoles);
}
- return ret;
+ return rangerRoles;
}
@Override
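Review bot: A cookie that Ranger Admin no longer accepts costs a full refresh cycle in this dispatch: `getRangerRolesIfUpdatedWithCookie` clears `roleDownloadSessionId` and returns null on any status other than 200 or 304, and that null is returned from here without trying `getRangerRolesIfUpdatedWithCred` in the same call. The callers are outside this diff, but if they treat null like a 304 ("nothing changed"), role changes, including revocations, reach the plugin one poll interval late each time a session expires. Consider retrying once with credentials when the cookie path has just invalidated its cookie, for example `if (rangerRoles == null && !isValidRoleDownloadSessionCookie) { rangerRoles = getRangerRolesIfUpdatedWithCred(lastKnowRoleVersion, lastActivationTimeInMillis); }` inside the cookie branch, which means dropping `final` from `rangerRoles`. The same shape is used for policies in getServicePoliciesIfUpdated and for tags in getServiceTagsIfUpdated. getRolesIfUpdated begins before this hunk.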
@@ -370,76 +249,12 @@ public class RangerAdminJersey2RESTClient extends
AbstractRangerAdminClient {
LOG.debug("==>
RangerAdminJersey2RESTClient.getServiceTagsIfUpdated(" + lastKnownVersion + ",
" + lastActivationTimeInMillis + ")");
}
- UserGroupInformation user = MiscUtil.getUGILoginUser();
- boolean isSecureMode = user != null &&
UserGroupInformation.isSecurityEnabled();
-
- Map<String, String> queryParams = new HashMap<String, String>();
-
queryParams.put(RangerRESTUtils.REST_PARAM_LAST_KNOWN_POLICY_VERSION,
Long.toString(lastKnownVersion));
-
queryParams.put(RangerRESTUtils.REST_PARAM_LAST_ACTIVATION_TIME,
Long.toString(lastActivationTimeInMillis));
- queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID,
_pluginId);
- queryParams.put(RangerRESTUtils.REST_PARAM_SUPPORTS_TAG_DELTAS,
Boolean.toString(_supportsTagDeltas));
- queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES,
pluginCapabilities);
+ final ServiceTags serviceTags;
- String relativeURL = null;
- ServiceTags serviceTags = null;
- Response response = null;
- if (isSecureMode) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Checking Service tags if updated as
user : " + user);
- }
- relativeURL =
RangerRESTUtils.REST_URL_GET_SECURE_SERVICE_TAGS_IF_UPDATED + _serviceName;
- final String secureRelativeURLUrl = relativeURL;
- PrivilegedAction<Response> action = new
PrivilegedAction<Response>() {
- public Response run() {
- return get(queryParams,
secureRelativeURLUrl);
- }
- };
- response = user.doAs(action);
+ if (isRangerCookieEnabled && tagDownloadSessionId != null &&
isValidTagDownloadSessionCookie) {
+ serviceTags =
getServiceTagsIfUpdatedWithCookie(lastKnownVersion, lastActivationTimeInMillis);
} else {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Checking Service tags if updated
with old api call");
- }
- relativeURL =
RangerRESTUtils.REST_URL_GET_SERVICE_TAGS_IF_UPDATED + _serviceName;
- response = get(queryParams, relativeURL);
- }
-
- int httpResponseCode = response == null ? -1 :
response.getStatus();
- String body = null;
-
- switch (httpResponseCode) {
- case 200:
- body = response.readEntity(String.class);
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Response from 200 server: "
+ body);
- }
-
- Gson gson = getGson();
- serviceTags = gson.fromJson(body,
ServiceTags.class);
-
- if (LOG.isDebugEnabled()) {
- LOG.debug("Deserialized response to: "
+ serviceTags);
- }
- break;
- case 304:
- LOG.debug("Got response: 304. Ok. Returning
null");
- break;
- case -1:
- LOG.warn("Unexpected: Null response from tag
server while trying to get tags! Returning null!");
- break;
- case 404:
- if (response.hasEntity()) {
- body =
response.readEntity(String.class);
- if (StringUtils.isNotBlank(body)) {
-
RangerServiceNotFoundException.throwExceptionIfServiceNotFound(_serviceName,
body);
- }
- }
- LOG.warn("Received 404 error code with body:["
+ body + "], Ignoring");
- break;
- default:
- body = response.readEntity(String.class);
- LOG.warn(String.format("Unexpected: Received
status[%d] with body[%s] form url[%s]", httpResponseCode, body, relativeURL));
- break;
+ serviceTags =
getServiceTagsIfUpdatedWithCred(lastKnownVersion, lastActivationTimeInMillis);
}
if (LOG.isDebugEnabled()) {
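Review bot: The tag request's version parameter changes name as part of this refactor: the block removed here sent the version under `RangerRESTUtils.REST_PARAM_LAST_KNOWN_POLICY_VERSION`, while `getTagsDownloadResponse` (added at the end of this file) uses `RangerRESTUtils.LAST_KNOWN_TAG_VERSION_PARAM`. RangerRESTUtils is not shown here, so the two constants may well share a value. If they do not, this is a wire-level change that the commit title does not mention and that an older Ranger Admin may not understand. A one-line comment at the new `queryParams.put` stating which constant is intended would settle it. getServiceTagsIfUpdated begins before this hunk and continues after it.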
@@ -539,6 +354,33 @@ public class RangerAdminJersey2RESTClient extends
AbstractRangerAdminClient {
return response;
}
+ private Response get(Map<String, String> queyParams, String
relativeURL, Cookie sessionId) {
+ Response response = null;
+ int startIndex = this.lastKnownActiveUrlIndex;
+ int currentIndex = 0;
+
+ for (int index = 0; index < configURLs.size(); index++) {
+ try {
+ currentIndex = (startIndex + index) %
configURLs.size();
+
+ WebTarget target =
_client.target(configURLs.get(currentIndex)+relativeURL);
+ target = setQueryParams(target, queyParams);
+ Invocation.Builder invocationBuilder =
target.request(MediaType.APPLICATION_JSON_TYPE).cookie(sessionId);
+ response = invocationBuilder.get();
+ if (response != null) {
+
setLastKnownActiveUrlIndex(currentIndex);
+ break;
+ }
+ } catch (ProcessingException e) {
+ LOG.warn("Failed to communicate with Ranger
Admin, URL : "+configURLs.get(currentIndex));
+ if(index == configURLs.size()-1) {
+ throw new ProcessingException("Failed
to communicate with all Ranger Admin's URL : [ "+ configURLs+" ]", e);
+ }
+ }
+ }
+ return response;
+ }
+
private static WebTarget setQueryParams(WebTarget target, Map<String,
String> params) {
WebTarget ret = target;
if (target != null && params != null) {
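Review bot: The stored session cookie is attached to every URL tried in the failover loop, not only to the Ranger Admin instance that issued it: `target.request(MediaType.APPLICATION_JSON_TYPE).cookie(sessionId)` runs for each `configURLs.get(currentIndex)`. Sending it as a request `Cookie` carries only name and value, so the `Secure`, domain and path attributes of the `NewCookie` saved by the callers are never consulted. If any configured URL is plain `http://`, a cookie issued over TLS would be replayed in cleartext. Consider recording which URL issued the cookie and attaching it only there, and skipping it when the saved `NewCookie.isSecure()` is true and the target is not https. `sessionId` is also null on the first call and after every reset, so `if (sessionId != null) { invocationBuilder = invocationBuilder.cookie(sessionId); }` would avoid relying on how the JAX-RS client treats a null cookie.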
@@ -580,4 +422,647 @@ public class RangerAdminJersey2RESTClient extends
AbstractRangerAdminClient {
return ret ;
}
+
+ /* Policies Download from Ranger admin */
+ private ServicePolicies getServicePoliciesIfUpdatedWithCred(final long
lastKnownVersion, final long lastActivationTimeInMillis) throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
RangerAdminJersey2RESTClient.getServicePoliciesWithCred(" + lastKnownVersion +
", " + lastActivationTimeInMillis + ")");
+ }
+
+ final ServicePolicies ret;
+
+ final UserGroupInformation user =
MiscUtil.getUGILoginUser();
+ final boolean isSecureMode = user != null &&
UserGroupInformation.isSecurityEnabled();
+ final Response response =
getRangerAdminPolicyDownloadResponse(lastKnownVersion,
lastActivationTimeInMillis, user, isSecureMode);
+
+ int httpResponseCode = response == null ? -1 :
response.getStatus();
+ String body = null;
+
+ switch (httpResponseCode) {
+ case 200:
+ body = response.readEntity(String.class);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Response from 200 server: "
+ body);
+ }
+
+ Gson gson = getGson();
+ ret = gson.fromJson(body,
ServicePolicies.class);
+ setCookieReceivedFromCredSession(response);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Deserialized response to: "
+ ret);
+ }
+ break;
+ case 304:
+ ret = null;
+ setCookieReceivedFromCredSession(response);
+ LOG.debug("Got response: 304. Ok. Returning
null");
+ break;
+ case -1:
+ ret = null;
+ policyDownloadSessionId = null;
+ LOG.warn("Unexpected: Null response from policy
server while trying to get policies! Returning null!");
+ break;
+ case 404:
+ ret = null;
+ policyDownloadSessionId = null;
+ if (response.hasEntity()) {
+ body =
response.readEntity(String.class);
+ if (StringUtils.isNotBlank(body)) {
+
RangerServiceNotFoundException.throwExceptionIfServiceNotFound(_serviceName,
body);
+ }
+ }
+ LOG.warn("Received 404 error code with body:["
+ body + "], Ignoring");
+ break;
+ default:
+ ret = null;
+ policyDownloadSessionId = null;
+ body = response.readEntity(String.class);
+ LOG.warn(String.format("Unexpected: Received
status[%d] with body[%s] form url[%s]", httpResponseCode, body,
getRelativeURL(isSecureMode)));
+ break;
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
RangerAdminJersey2RESTClient.getServicePoliciesWithCred(" + lastKnownVersion +
", " + lastActivationTimeInMillis + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ private ServicePolicies getServicePoliciesIfUpdatedWithCookie(final
long lastKnownVersion, final long lastActivationTimeInMillis) throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
RangerAdminJersey2RESTClient.getServicePoliciesWithCookie(" + lastKnownVersion
+ ", " + lastActivationTimeInMillis + ")");
+ }
+
+ final ServicePolicies ret;
+
+ final UserGroupInformation user =
MiscUtil.getUGILoginUser();
+ final boolean isSecureMode = user != null &&
UserGroupInformation.isSecurityEnabled();
+ final Response response =
getRangerAdminPolicyDownloadResponse(lastKnownVersion,
lastActivationTimeInMillis, user, isSecureMode);
+
+ int httpResponseCode = response == null ? -1 :
response.getStatus();
+ String body = null;
+
+ switch (httpResponseCode) {
+ case 200:
+ body = response.readEntity(String.class);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Response from 200 server: "
+ body);
+ }
+
+ Gson gson = getGson();
+ ret = gson.fromJson(body,
ServicePolicies.class);
+ checkAndResetSessionCookie(response);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Deserialized response to: "
+ ret);
+ }
+ break;
+ case 304:
+ ret = null;
+ checkAndResetSessionCookie(response);
+ LOG.debug("Got response: 304. Ok. Returning
null");
+ break;
+ case -1:
+ ret = null;
+ policyDownloadSessionId = null;
+ isValidPolicyDownloadSessionCookie = false;
+ LOG.warn("Unexpected: Null response from policy
server while trying to get policies! Returning null!");
+ break;
+ case 404:
+ ret = null;
+ policyDownloadSessionId = null;
+ isValidPolicyDownloadSessionCookie = false;
+ if (response.hasEntity()) {
+ body =
response.readEntity(String.class);
+ if (StringUtils.isNotBlank(body)) {
+
RangerServiceNotFoundException.throwExceptionIfServiceNotFound(_serviceName,
body);
+ }
+ }
+ LOG.warn("Received 404 error code with body:["
+ body + "], Ignoring");
+ break;
+ default:
+ ret = null;
+ policyDownloadSessionId = null;
+ isValidPolicyDownloadSessionCookie = false;
+ body = response.readEntity(String.class);
+ LOG.warn(String.format("Unexpected: Received
status[%d] with body[%s] form url[%s]", httpResponseCode, body,
getRelativeURL(isSecureMode)));
+ break;
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
RangerAdminJersey2RESTClient.getServicePoliciesWithCookie(" + lastKnownVersion
+ ", " + lastActivationTimeInMillis + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ private Response getRangerAdminPolicyDownloadResponse(final long
lastKnownVersion, final long lastActivationTimeInMillis, final
UserGroupInformation user, final boolean isSecureMode) throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
RangerAdminJersey2RESTClient.getRangerAdminPolicyDownloadResponse(" +
lastKnownVersion + ", " + lastActivationTimeInMillis + ")");
+ }
+
+ final Response ret;
+
+ Map<String, String> queryParams = new HashMap<String, String>();
+
queryParams.put(RangerRESTUtils.REST_PARAM_LAST_KNOWN_POLICY_VERSION,
Long.toString(lastKnownVersion));
+
queryParams.put(RangerRESTUtils.REST_PARAM_LAST_ACTIVATION_TIME,
Long.toString(lastActivationTimeInMillis));
+ queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID,
_pluginId);
+ queryParams.put(RangerRESTUtils.REST_PARAM_CLUSTER_NAME,
_clusterName);
+
queryParams.put(RangerRESTUtils.REST_PARAM_SUPPORTS_POLICY_DELTAS,
Boolean.toString(_supportsPolicyDeltas));
+ queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES,
pluginCapabilities);
+
+ final String relativeURL = getRelativeURL(isSecureMode);
+
+ if (isSecureMode) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Checking Service policy if updated
as user : " + user);
+ }
+ PrivilegedAction<Response> action = new
PrivilegedAction<Response>() {
+ public Response run() {
+ return get(queryParams, relativeURL,
policyDownloadSessionId);
+ }
+ };
+ ret = user.doAs(action);
+ } else {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Checking Service policy if updated
with old api call");
+ }
+ ret = get(queryParams, relativeURL,
policyDownloadSessionId);
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
RangerAdminJersey2RESTClient.getRangerAdminPolicyDownloadResponse(" +
lastKnownVersion + ", " + lastActivationTimeInMillis + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ private String getRelativeURL(final boolean isSecureMode) {
+ final String ret;
+ if (isSecureMode){
+ ret =
RangerRESTUtils.REST_URL_POLICY_GET_FOR_SECURE_SERVICE_IF_UPDATED +
_serviceName;
+ } else {
+ ret =
RangerRESTUtils.REST_URL_POLICY_GET_FOR_SERVICE_IF_UPDATED + _serviceName;
+ }
+ return ret;
+ }
+
+ private void checkAndResetSessionCookie(Response response) {
+ Map<String, NewCookie> cookieMap = response.getCookies();
+ Set<String> cookieNames = cookieMap.keySet();
+ for (String cookieName : cookieNames) {
+ if (cookieName.equalsIgnoreCase(rangerAdminCookieName))
{
+ policyDownloadSessionId =
cookieMap.get(cookieName);
+ isValidPolicyDownloadSessionCookie =
(policyDownloadSessionId != null);
+ break;
+ }
+ }
+ }
+
+ private void setCookieReceivedFromCredSession(Response response) {
+ if (isRangerCookieEnabled) {
+ Cookie sessionCookie = null;
+ Map<String, NewCookie> cookieMap =
response.getCookies();
+ // save cookie received from credentials session login
+ Set<String> cookieNames = cookieMap.keySet();
+ for (String cookieName : cookieNames) {
+ if
(cookieName.equalsIgnoreCase(rangerAdminCookieName)) {
+ sessionCookie =
cookieMap.get(cookieName);
+ break;
+ }
+ }
+ policyDownloadSessionId = sessionCookie;
+ isValidPolicyDownloadSessionCookie =
(policyDownloadSessionId != null);
+ }
+ }
+
+ /* Tags Download from Ranger admin */
+ private ServiceTags getServiceTagsIfUpdatedWithCred(final long
lastKnownVersion, final long lastActivationTimeInMillis) throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
RangerAdminJersey2RESTClient.getServiceTagsIfUpdatedWithCred(" +
lastKnownVersion + ", " + lastActivationTimeInMillis + ")");
+ }
+
+ final ServiceTags ret;
+
+ final UserGroupInformation user =
MiscUtil.getUGILoginUser();
+ final boolean isSecureMode = user != null &&
UserGroupInformation.isSecurityEnabled();
+ final Response response =
getTagsDownloadResponse(lastKnownVersion, lastActivationTimeInMillis, user,
isSecureMode);
+
+ int httpResponseCode = response == null ? -1 :
response.getStatus();
+ String body = null;
+
+ switch (httpResponseCode) {
+ case 200:
+ body = response.readEntity(String.class);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Response from 200 server: "
+ body);
+ }
+
+ Gson gson = getGson();
+ ret = gson.fromJson(body, ServiceTags.class);
+
setCookieReceivedFromTagDownloadSession(response);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Deserialized response to: "
+ ret);
+ }
+ break;
+ case 304:
+ ret = null;
+
setCookieReceivedFromTagDownloadSession(response);
+ LOG.debug("Got response: 304. Ok. Returning
null");
+ break;
+ case -1:
+ ret = null;
+ tagDownloadSessionId = null;
+ LOG.warn("Unexpected: Null response from tag
server while trying to get tags! Returning null!");
+ break;
+ case 404:
+ ret = null;
+ tagDownloadSessionId = null;
+ if (response.hasEntity()) {
+ body =
response.readEntity(String.class);
+ if (StringUtils.isNotBlank(body)) {
+
RangerServiceNotFoundException.throwExceptionIfServiceNotFound(_serviceName,
body);
+ }
+ }
+ LOG.warn("Received 404 error code with body:["
+ body + "], Ignoring");
+ break;
+ default:
+ ret = null;
+ tagDownloadSessionId = null;
+ body = response.readEntity(String.class);
+ LOG.warn(String.format("Unexpected: Received
status[%d] with body[%s] form url[%s]", httpResponseCode, body,
getRelativeURLForTagDownload(isSecureMode)));
+ break;
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
RangerAdminJersey2RESTClient.getServiceTagsIfUpdatedWithCred(" +
lastKnownVersion + ", " + lastActivationTimeInMillis + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ private ServiceTags getServiceTagsIfUpdatedWithCookie(final long
lastKnownVersion, final long lastActivationTimeInMillis) throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
RangerAdminJersey2RESTClient.getServiceTagsIfUpdatedWithCookie(" +
lastKnownVersion + ", " + lastActivationTimeInMillis + ")");
+ }
+
+ final ServiceTags ret;
+
+ final UserGroupInformation user = MiscUtil.getUGILoginUser();
+ final boolean isSecureMode = user != null &&
UserGroupInformation.isSecurityEnabled();
+ final Response response =
getTagsDownloadResponse(lastKnownVersion, lastActivationTimeInMillis, user,
isSecureMode);
+
+ int httpResponseCode = response == null ? -1 :
response.getStatus();
+ String body = null;
+
+ switch (httpResponseCode) {
+ case 200:
+ body = response.readEntity(String.class);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Response from 200 server: "
+ body);
+ }
+
+ Gson gson = getGson();
+ ret = gson.fromJson(body, ServiceTags.class);
+ checkAndResetTagDownloadSessionCookie(response);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Deserialized response to: "
+ ret);
+ }
+ break;
+ case 304:
+ ret = null;
+ checkAndResetTagDownloadSessionCookie(response);
+ LOG.debug("Got response: 304. Ok. Returning
null");
+ break;
+ case -1:
+ ret = null;
+ tagDownloadSessionId = null;
+ isValidTagDownloadSessionCookie = false;
+ LOG.warn("Unexpected: Null response from tag
server while trying to get tags! Returning null!");
+ break;
+ case 404:
+ ret = null;
+ tagDownloadSessionId = null;
+ isValidTagDownloadSessionCookie = false;
+ if (response.hasEntity()) {
+ body =
response.readEntity(String.class);
+ if (StringUtils.isNotBlank(body)) {
+
RangerServiceNotFoundException.throwExceptionIfServiceNotFound(_serviceName,
body);
+ }
+ }
+ LOG.warn("Received 404 error code with body:["
+ body + "], Ignoring");
+ break;
+ default:
+ ret = null;
+ tagDownloadSessionId = null;
+ isValidTagDownloadSessionCookie = false;
+ body = response.readEntity(String.class);
+ LOG.warn(String.format("Unexpected: Received
status[%d] with body[%s] form url[%s]", httpResponseCode, body, ret));
+ break;
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
RangerAdminJersey2RESTClient.getServiceTagsIfUpdatedWithCookie(" +
lastKnownVersion + ", " + lastActivationTimeInMillis + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ private Response getTagsDownloadResponse(final long lastKnownVersion,
final long lastActivationTimeInMillis, final UserGroupInformation user, final
boolean isSecureMode) throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
RangerAdminJersey2RESTClient.getTagsDownloadResponse(" + lastKnownVersion + ",
" + lastActivationTimeInMillis + ")");
+ }
+
+ final Response ret;
+
+ Map<String, String> queryParams = new HashMap<String, String>();
+ queryParams.put(RangerRESTUtils.LAST_KNOWN_TAG_VERSION_PARAM,
Long.toString(lastKnownVersion));
+
queryParams.put(RangerRESTUtils.REST_PARAM_LAST_ACTIVATION_TIME,
Long.toString(lastActivationTimeInMillis));
+ queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID,
_pluginId);
+ queryParams.put(RangerRESTUtils.REST_PARAM_SUPPORTS_TAG_DELTAS,
Boolean.toString(_supportsTagDeltas));
+ queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES,
pluginCapabilities);
+
+ final String relativeURL =
getRelativeURLForTagDownload(isSecureMode);
+
+ if (isSecureMode) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Checking Service tags if updated as
user : " + user);
+ }
+ PrivilegedAction<Response> action = new
PrivilegedAction<Response>() {
+ public Response run() {
+ return get(queryParams, relativeURL,
tagDownloadSessionId);
+ }
+ };
+ ret = user.doAs(action);
+ } else {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Checking Service tags if updated
with old api call");
+ }
+ ret = get(queryParams, relativeURL,
tagDownloadSessionId);
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
RangerAdminJersey2RESTClient.getTagsDownloadResponse(" + lastKnownVersion + ",
" + lastActivationTimeInMillis + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ private String getRelativeURLForTagDownload(final boolean isSecureMode)
{
+ final String ret;
+ if (isSecureMode){
+ ret =
RangerRESTUtils.REST_URL_GET_SECURE_SERVICE_TAGS_IF_UPDATED + _serviceName;
+ } else {
+ ret =
RangerRESTUtils.REST_URL_GET_SERVICE_TAGS_IF_UPDATED + _serviceName;
+ }
+ return ret;
+ }
+
+ private void checkAndResetTagDownloadSessionCookie(Response response) {
+ Map<String,NewCookie> cookieMap = response.getCookies();
+ Set<String> cookieNames = cookieMap.keySet();
+ for (String cookieName : cookieNames) {
+ if (cookieName.equalsIgnoreCase(rangerAdminCookieName))
{
+ tagDownloadSessionId =
cookieMap.get(cookieName);
+ isValidTagDownloadSessionCookie =
(tagDownloadSessionId != null);
+ break;
+ }
+ }
+ }
+
+ private void setCookieReceivedFromTagDownloadSession(Response response)
{
+ if (isRangerCookieEnabled) {
+ Cookie sessionCookie = null;
+ Map<String, NewCookie> cookieMap =
response.getCookies();
+ // save cookie received from credentials session login
+ Set<String> cookieNames = cookieMap.keySet();
+ for (String cookieName : cookieNames) {
+ if
(cookieName.equalsIgnoreCase(rangerAdminCookieName)) {
+ sessionCookie =
cookieMap.get(cookieName);
+ }
+ }
+ tagDownloadSessionId = sessionCookie;
+ isValidTagDownloadSessionCookie = (tagDownloadSessionId
!= null);
+ }
+ }
+
+ /* Role Download from Ranger Admin */
+ private RangerRoles getRangerRolesIfUpdatedWithCred(final long
lastKnownRoleVersion, final long lastActivationTimeInMillis) throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
RangerAdminJersey2RESTClient.getRangerRolesIfUpdatedWithCred(" +
lastKnownRoleVersion + ", " + lastActivationTimeInMillis + ")");
+ }
+
+ final RangerRoles ret;
+
+ final UserGroupInformation user =
MiscUtil.getUGILoginUser();
+ final boolean isSecureMode = user != null &&
UserGroupInformation.isSecurityEnabled();
+ final Response response =
getRoleDownloadResponse(lastKnownRoleVersion, lastActivationTimeInMillis, user,
isSecureMode);
+
+ int httpResponseCode = response == null ? -1 :
response.getStatus();
+ String body = null;
+
+ switch (httpResponseCode) {
+ case 200:
+ body = response.readEntity(String.class);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Response from 200 server: "
+ body);
+ }
+
+ Gson gson = getGson();
+ ret = gson.fromJson(body, RangerRoles.class);
+
setCookieReceivedFromRoleDownloadSession(response);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Deserialized response to: "
+ ret);
+ }
+ break;
+ case 304:
+ ret = null;
+
setCookieReceivedFromRoleDownloadSession(response);
+ LOG.debug("Got response: 304. Ok. Returning
null");
+ break;
+ case -1:
+ ret = null;
+ roleDownloadSessionId = null;
+ LOG.warn("Unexpected: Null response from policy
server while trying to get policies! Returning null!");
+ break;
+ case 404:
+ ret = null;
+ roleDownloadSessionId = null;
+ if (response.hasEntity()) {
+ body =
response.readEntity(String.class);
+ if (StringUtils.isNotBlank(body)) {
+
RangerServiceNotFoundException.throwExceptionIfServiceNotFound(_serviceName,
body);
+ }
+ }
+ LOG.warn("Received 404 error code with body:["
+ body + "], Ignoring");
+ break;
+ default:
+ ret = null;
+ roleDownloadSessionId = null;
+ body = response.readEntity(String.class);
+ LOG.warn(String.format("Unexpected: Received
status[%d] with body[%s] form url[%s]", httpResponseCode, body,
getRelativeURLForRoleDownload(isSecureMode)));
+ break;
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
RangerAdminJersey2RESTClient.getRangerRolesIfUpdatedWithCred(" +
lastKnownRoleVersion + ", " + lastActivationTimeInMillis + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ private RangerRoles getRangerRolesIfUpdatedWithCookie(final long
lastKnownRoleVersion, final long lastActivationTimeInMillis) throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
RangerAdminJersey2RESTClient.getRangerRolesIfUpdatedWithCookie(" +
lastKnownRoleVersion + ", " + lastActivationTimeInMillis + ")");
+ }
+
+ final RangerRoles ret;
+
+ final UserGroupInformation user = MiscUtil.getUGILoginUser();
+ final boolean isSecureMode = user != null &&
UserGroupInformation.isSecurityEnabled();
+ final Response response =
getRoleDownloadResponse(lastKnownRoleVersion, lastActivationTimeInMillis, user,
isSecureMode);
+
+ int httpResponseCode = response == null ? -1 :
response.getStatus();
+ String body = null;
+
+ switch (httpResponseCode) {
+ case 200:
+ body = response.readEntity(String.class);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Response from 200 server: "
+ body);
+ }
+
+ Gson gson = getGson();
+ ret = gson.fromJson(body, RangerRoles.class);
+
checkAndResetRoleDownloadSessionCookie(response);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Deserialized response to: "
+ ret);
+ }
+ break;
+ case 304:
+ ret = null;
+
checkAndResetRoleDownloadSessionCookie(response);
+ LOG.debug("Got response: 304. Ok. Returning
null");
+ break;
+ case -1:
+ ret = null;
+ roleDownloadSessionId = null;
+ isValidRoleDownloadSessionCookie = false;
+ LOG.warn("Unexpected: Null response from policy
server while trying to get policies! Returning null!");
+ break;
+ case 404:
+ ret = null;
+ roleDownloadSessionId = null;
+ isValidRoleDownloadSessionCookie = false;
+ if (response.hasEntity()) {
+ body =
response.readEntity(String.class);
+ if (StringUtils.isNotBlank(body)) {
+
RangerServiceNotFoundException.throwExceptionIfServiceNotFound(_serviceName,
body);
+ }
+ }
+ LOG.warn("Received 404 error code with body:["
+ body + "], Ignoring");
+ break;
+ default:
+ ret = null;
+ roleDownloadSessionId = null;
+ isValidRoleDownloadSessionCookie = false;
+ body = response.readEntity(String.class);
+ LOG.warn(String.format("Unexpected: Received
status[%d] with body[%s] form url[%s]", httpResponseCode, body,
getRelativeURLForRoleDownload(isSecureMode)));
+ break;
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
RangerAdminJersey2RESTClient.getRangerRolesIfUpdatedWithCookie(" +
lastKnownRoleVersion + ", " + lastActivationTimeInMillis + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ private Response getRoleDownloadResponse(final long
lastKnownRoleVersion, final long lastActivationTimeInMillis, final
UserGroupInformation user, final boolean isSecureMode) throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==>
RangerAdminJersey2RESTClient.getRoleDownloadResponse(" + lastKnownRoleVersion +
", " + lastActivationTimeInMillis + ")");
+ }
+
+ final Response ret;
+
+ Map<String, String> queryParams = new HashMap<String, String>();
+
queryParams.put(RangerRESTUtils.REST_PARAM_LAST_KNOWN_ROLE_VERSION,
Long.toString(lastKnownRoleVersion));
+
queryParams.put(RangerRESTUtils.REST_PARAM_LAST_ACTIVATION_TIME,
Long.toString(lastActivationTimeInMillis));
+ queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID,
_pluginId);
+ queryParams.put(RangerRESTUtils.REST_PARAM_CLUSTER_NAME,
_clusterName);
+
+ final String relativeURL =
getRelativeURLForRoleDownload(isSecureMode);
+
+ if (isSecureMode) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Checking Roles if updated as user :
" + user);
+ }
+ PrivilegedAction<Response> action = new
PrivilegedAction<Response>() {
+ public Response run() {
+ return get(queryParams, relativeURL,
roleDownloadSessionId);
+ }
+ };
+ ret = user.doAs(action);
+ } else {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Checking Roles if updated with old
api call");
+ }
+ ret = get(queryParams, relativeURL,
roleDownloadSessionId);
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<==
RangerAdminJersey2RESTClient.getRoleDownloadResponse(" + lastKnownRoleVersion +
", " + lastActivationTimeInMillis + "): " + ret);
+ }
+
+ return ret;
+ }
+
+ private String getRelativeURLForRoleDownload(final boolean
isSecureMode) {
+ final String ret;
+ if (isSecureMode){
+ ret =
RangerRESTUtils.REST_URL_SERVICE_SERCURE_GET_USER_GROUP_ROLES + _serviceName;
+ } else {
+ ret =
RangerRESTUtils.REST_URL_SERVICE_GET_USER_GROUP_ROLES + _serviceName;
+ }
+ return ret;
+ }
+
+ private void checkAndResetRoleDownloadSessionCookie(Response response) {
+ Map<String,NewCookie> cookieMap = response.getCookies();
+ Set<String> cookieNames = cookieMap.keySet();
+ for (String cookieName : cookieNames) {
+ if (cookieName.equalsIgnoreCase(rangerAdminCookieName))
{
+ roleDownloadSessionId =
cookieMap.get(cookieName);
+ isValidRoleDownloadSessionCookie =
(roleDownloadSessionId != null);
+ break;
+ }
+ }
+ }
+
+ private void setCookieReceivedFromRoleDownloadSession(Response
response) {
+ if (isRangerCookieEnabled) {
+ Cookie sessionCookie = null;
+ Map<String, NewCookie> cookieMap =
response.getCookies();
+ // save cookie received from credentials session login
+ Set<String> cookieNames = cookieMap.keySet();
+ for (String cookieName : cookieNames) {
+ if
(cookieName.equalsIgnoreCase(rangerAdminCookieName)) {
+ sessionCookie =
cookieMap.get(cookieName);
+ break;
+ }
+ }
+ roleDownloadSessionId = sessionCookie;
+ isValidRoleDownloadSessionCookie =
(roleDownloadSessionId != null);
+ }
+ }
}
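Review bot: The six copy-pasted response handlers added here have already drifted apart, and one of the differences is a bug: the `default` branch of `getServiceTagsIfUpdatedWithCookie` passes `ret` (always null at that point) as the `url[%s]` argument, where its siblings pass the relative URL, so it should read `getRelativeURLForTagDownload(isSecureMode)`. Other differences: the `...WithCred` failure branches clear the session id but leave the `isValid...SessionCookie` flag untouched while the `...WithCookie` ones reset both; `setCookieReceivedFromTagDownloadSession` has no `break` after a match, unlike the policy and role versions; and `getRoleDownloadResponse` no longer sends `REST_PARAM_CAPABILITIES`, which the removed role code did. Folding the status switch and the cookie bookkeeping into one private helper, parameterised by the target class and by which cookie slot to update, would remove these by construction. Separately, the 200 branches log the full response body at debug level, so debug logs from this client should be handled as holding policy, tag and role content.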