This is an automated email from the ASF dual-hosted git repository. abhi pushed a commit to branch ranger_5475 in repository https://gitbox.apache.org/repos/asf/ranger.git
commit 1004dcadbc3dd390eecaaa17685380cc61f077ee Author: Abhishek Kumar <[email protected]> AuthorDate: Fri Jan 30 12:41:04 2026 -0800 RANGER-5475: Add support to fetch JWT if available in RangerRESTClient --- .../ranger/plugin/util/RangerRESTClient.java | 89 +++++++++++++++++++--- .../tagsync/sink/tagadmin/TagAdminRESTSink.java | 2 +- .../process/RangerUgSyncRESTClient.java | 2 +- 3 files changed, 82 insertions(+), 11 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java index da1e0eee9..98942eff5 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java @@ -22,6 +22,7 @@ import com.fasterxml.jackson.jaxrs.json.JacksonJsonProvider; import com.sun.jersey.api.client.Client; import com.sun.jersey.api.client.ClientHandlerException; +import com.sun.jersey.api.client.ClientRequest; import com.sun.jersey.api.client.ClientResponse; import com.sun.jersey.api.client.WebResource; import com.sun.jersey.api.client.config.ClientConfig; @@ -48,9 +49,11 @@ import javax.ws.rs.core.Cookie; import javax.ws.rs.core.Response; +import java.io.BufferedReader; import java.io.File; import java.io.FileInputStream; import java.io.FileNotFoundException; +import java.io.FileReader; import java.io.IOException; import java.io.InputStream; import java.security.KeyManagementException; @@ -82,8 +85,11 @@ public class RangerRESTClient { public static final String RANGER_SSL_KEYMANAGER_ALGO_TYPE = KeyManagerFactory.getDefaultAlgorithm(); public static final String RANGER_SSL_TRUSTMANAGER_ALGO_TYPE = TrustManagerFactory.getDefaultAlgorithm(); public static final String RANGER_SSL_CONTEXT_ALGO_TYPE = "TLSv1.2"; + public static final String JWT_HEADER_PREFIX = "Bearer "; private final List<String> configuredURLs; + private final String propertyPrefix; + private String jwt; private String mUrl; private final String mSslConfigFileName; private String mUsername; @@ -107,6 +113,10 @@ public class RangerRESTClient { private ClientFilter basicAuthFilter; public RangerRESTClient(String url, String sslConfigFileName, Configuration config) { + this(url, sslConfigFileName, config, getPropertyPrefix(config)); + } + + public RangerRESTClient(String url, String sslConfigFileName, Configuration config, String propertyPrefix) { mUrl = url; mSslConfigFileName = sslConfigFileName; configuredURLs = StringUtil.getURLs(mUrl); @@ -115,9 +125,14 @@ public RangerRESTClient(String url, String sslConfigFileName, Configuration conf } else { setLastKnownActiveUrlIndex((new Random()).nextInt(getConfiguredURLs().size())); } + this.propertyPrefix = propertyPrefix; init(config); } + private static String getPropertyPrefix(Configuration config) { + return (config instanceof RangerPluginConfig) ? ((RangerPluginConfig) config).getPropertyPrefix() : "ranger.plugin"; + } + protected static WebResource setQueryParams(WebResource webResource, Map<String, String> params) { WebResource ret = webResource; @@ -732,8 +747,18 @@ private Client buildClient() { client = Client.create(config); } - if (basicAuthFilter != null && !client.isFilterPresent(basicAuthFilter)) { + if (StringUtils.isNotEmpty(jwt)) { // use JWT if present + client.addFilter(new ClientFilter() { + @Override + public ClientResponse handle(ClientRequest cr) throws ClientHandlerException { + cr.getHeaders().add("Authorization", JWT_HEADER_PREFIX + jwt); + return getNext().handle(cr); + } + }); + LOG.info("Registering JWT auth header in REST client"); + } else if (basicAuthFilter != null && !client.isFilterPresent(basicAuthFilter)) { client.addFilter(basicAuthFilter); + LOG.info("Registering Basic auth header in REST client"); } // Set Connection Timeout and ReadTime for the PolicyRefresh @@ -780,22 +805,68 @@ private void init(Configuration config) { } } - final String pluginPropertyPrefix; - - if (config instanceof RangerPluginConfig) { - pluginPropertyPrefix = ((RangerPluginConfig) config).getPropertyPrefix(); - } else { - pluginPropertyPrefix = "ranger.plugin"; + String jwtAsString = fetchJWT(propertyPrefix, config); + if (jwtAsString != null){ + this.jwt = jwtAsString; } - String username = config.get(pluginPropertyPrefix + ".policy.rest.client.username"); - String password = config.get(pluginPropertyPrefix + ".policy.rest.client.password"); + String username = config.get(propertyPrefix + ".policy.rest.client.username"); + String password = config.get(propertyPrefix + ".policy.rest.client.password"); if (StringUtils.isNotBlank(username) && StringUtils.isNotBlank(password)) { setBasicAuthFilter(username, password); } } + private String fetchJWT(String propertyPrefix, Configuration config) { + final String jwtSrc = config.get(propertyPrefix + ".policy.rest.client.jwt.source"); + + if (StringUtils.isNotEmpty(jwtSrc)) { + switch (jwtSrc) { + case "env": + String jwtEnvVar = config.get(propertyPrefix + ".policy.rest.client.jwt.env"); + if (StringUtils.isNotEmpty(jwtEnvVar)) { + String jwt = System.getenv(jwtEnvVar); + if (StringUtils.isNotBlank(jwt)) { + return jwt; + } + } + break; + case "file": + String jwtFilePath = config.get(propertyPrefix + ".policy.rest.client.jwt.file"); + if (StringUtils.isNotEmpty(jwtFilePath)) { + File jwtFile = new File(jwtFilePath); + if (jwtFile.exists()) { + try (BufferedReader reader = new BufferedReader(new FileReader(jwtFile))) { + String line = null; + while ((line = reader.readLine()) != null) { + if (StringUtils.isNotBlank(line) && !line.startsWith("#")) { + return line; + } + } + } catch (IOException e) { + LOG.error("Failed to read JWT from file: {}", jwtFilePath, e); + } + } + } + break; + case "cred": + String credFilePath = config.get(propertyPrefix + ".policy.rest.client.jwt.cred.file"); + String credAlias = config.get(propertyPrefix + ".policy.rest.client.jwt.cred.alias"); + if (StringUtils.isNotEmpty(credFilePath) && StringUtils.isNotEmpty(credAlias)) { + String jwt = RangerCredentialProvider.getInstance().getCredentialString(credFilePath, credAlias); + if (StringUtils.isNotBlank(jwt)) { + return jwt; + } + } + break; + } + } else { + LOG.info("JWT source not configured, proceeding without JWT"); + } + return null; + } + private boolean isSslEnabled(String url) { return !StringUtils.isEmpty(url) && url.toLowerCase().startsWith("https"); } diff --git a/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java b/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java index 58dba7400..961ebfb53 100644 --- a/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java +++ b/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java @@ -85,7 +85,7 @@ public boolean initialize(Properties properties) { LOG.debug("isKerberized={}", isKerberized); if (StringUtils.isNotBlank(restUrl)) { - tagRESTClient = new RangerRESTClient(restUrl, sslConfigFile, TagSyncConfig.getInstance()); + tagRESTClient = new RangerRESTClient(restUrl, sslConfigFile, TagSyncConfig.getInstance(), "ranger.tagsync"); if (!isKerberized) { tagRESTClient.setBasicAuthInfo(userName, password); diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/RangerUgSyncRESTClient.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/RangerUgSyncRESTClient.java index aab18d0f7..111ff12a2 100644 --- a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/RangerUgSyncRESTClient.java +++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/RangerUgSyncRESTClient.java @@ -37,7 +37,7 @@ public class RangerUgSyncRESTClient extends RangerRESTClient { public RangerUgSyncRESTClient(String policyMgrBaseUrls, String ugKeyStoreFile, String ugKeyStoreFilepwd, String ugKeyStoreType, String ugTrustStoreFile, String ugTrustStoreFilepwd, String ugTrustStoreType, String authenticationType, String principal, String keytab, String polMgrUsername, String polMgrPassword) { - super(policyMgrBaseUrls, "", UserGroupSyncConfig.getInstance().getConfig()); + super(policyMgrBaseUrls, "", UserGroupSyncConfig.getInstance().getConfig(), "ranger.usersync"); String authKerberos = "kerberos";
