This is an automated email from the ASF dual-hosted git repository. abhi pushed a commit to branch ranger_5479 in repository https://gitbox.apache.org/repos/asf/ranger.git
commit b0161c62881220c43d7fcbfe3a6ea93fc727aff3 Author: Abhishek Kumar <[email protected]> AuthorDate: Mon Feb 2 18:38:55 2026 -0800 RANGER-5479: Remove dependency on hadoop libs --- ranger-authn/pom.xml | 12 ----------- .../apache/ranger/authz/handler/RangerAuth.java | 6 ++---- .../handler/jwt/RangerDefaultJwtAuthHandler.java | 8 +++----- .../authz/handler/jwt/RangerJwtAuthHandler.java | 23 ++++++++++------------ .../web/filter/TestRangerJwtAuthFilter.java | 3 +-- 5 files changed, 16 insertions(+), 36 deletions(-) diff --git a/ranger-authn/pom.xml b/ranger-authn/pom.xml index 7552c2b32..40c1e5f8e 100644 --- a/ranger-authn/pom.xml +++ b/ranger-authn/pom.xml @@ -65,18 +65,6 @@ <version>${commons.text.version}</version> </dependency> - <dependency> - <groupId>org.apache.hadoop</groupId> - <artifactId>hadoop-client-api</artifactId> - <version>${hadoop.version}</version> - </dependency> - - <dependency> - <groupId>org.apache.hadoop</groupId> - <artifactId>hadoop-client-runtime</artifactId> - <version>${hadoop.version}</version> - </dependency> - <dependency> <groupId>org.slf4j</groupId> <artifactId>slf4j-api</artifactId> diff --git a/ranger-authn/src/main/java/org/apache/ranger/authz/handler/RangerAuth.java b/ranger-authn/src/main/java/org/apache/ranger/authz/handler/RangerAuth.java index a027966a7..13bd37a20 100644 --- a/ranger-authn/src/main/java/org/apache/ranger/authz/handler/RangerAuth.java +++ b/ranger-authn/src/main/java/org/apache/ranger/authz/handler/RangerAuth.java 
@@ -18,15 +18,13 @@ */ package org.apache.ranger.authz.handler; -import org.apache.hadoop.security.authentication.server.AuthenticationToken; - public class RangerAuth { private String userName; private AuthType type; private boolean isAuthenticated; - public RangerAuth(final AuthenticationToken authenticationToken, AuthType type) { - this.userName = authenticationToken.getName(); + public RangerAuth(String username, AuthType type) { + this.userName = username; this.isAuthenticated = true; this.type = type; } diff --git a/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerDefaultJwtAuthHandler.java b/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerDefaultJwtAuthHandler.java index 6df75e71c..94ebc7495 100644 --- a/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerDefaultJwtAuthHandler.java +++ b/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerDefaultJwtAuthHandler.java @@ -25,7 +25,6 @@ import com.nimbusds.jwt.proc.DefaultJWTProcessor; import com.nimbusds.jwt.proc.JWTClaimsSetVerifier; import org.apache.commons.lang3.StringUtils; -import org.apache.hadoop.security.authentication.server.AuthenticationToken; import org.apache.ranger.authz.handler.RangerAuth; import javax.servlet.ServletRequest; 
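Review bot: The new `RangerAuth(String username, AuthType type)` constructor sets `isAuthenticated = true` without checking `username`, so a null or blank name now produces an object that reports an authenticated user; the old constructor at least failed on a null token through `authenticationToken.getName()`. The caller changed in `RangerDefaultJwtAuthHandler.authenticate(HttpServletRequest)` guards only with `username != null`, which would still let an empty subject through if the JWT validation outside these hunks accepts one. I would reject the value in the constructor, e.g. `if (username == null || username.trim().isEmpty()) { throw new IllegalArgumentException("username must not be blank"); }`, and tighten the caller to `if (StringUtils.isNotBlank(username))`. The class body continues outside the hunk, and because the constructor is public, any caller not covered by this patch that still passes an `AuthenticationToken` will stop compiling.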
@@ -82,11 +81,10 @@ public RangerAuth authenticate(HttpServletRequest httpServletRequest) { String jwtAuthHeaderStr = getJwtAuthHeader(httpServletRequest); String jwtCookieStr = StringUtils.isBlank(jwtAuthHeaderStr) ? getJwtCookie(httpServletRequest) : null; String doAsUser = httpServletRequest.getParameter(DO_AS_PARAMETER); + String username = authenticate(jwtAuthHeaderStr, jwtCookieStr, doAsUser); - AuthenticationToken authenticationToken = authenticate(jwtAuthHeaderStr, jwtCookieStr, doAsUser); - - if (authenticationToken != null) { - rangerAuth = new RangerAuth(authenticationToken, RangerAuth.AuthType.JWT_JWKS); + if (username != null) { + rangerAuth = new RangerAuth(username, RangerAuth.AuthType.JWT_JWKS); } return rangerAuth; diff --git a/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerJwtAuthHandler.java b/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerJwtAuthHandler.java index c8333b357..53c5aaae2 100644 --- a/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerJwtAuthHandler.java +++ b/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerJwtAuthHandler.java 
@@ -22,17 +22,17 @@ import com.nimbusds.jose.JWSObject; import com.nimbusds.jose.JWSVerifier; import com.nimbusds.jose.crypto.RSASSAVerifier; +import com.nimbusds.jose.jwk.RSAKey; import com.nimbusds.jose.jwk.source.JWKSource; import com.nimbusds.jose.jwk.source.RemoteJWKSet; import com.nimbusds.jose.proc.BadJOSEException; import com.nimbusds.jose.proc.JWSKeySelector; import com.nimbusds.jose.proc.JWSVerificationKeySelector; import com.nimbusds.jose.proc.SecurityContext; +import com.nimbusds.jose.util.X509CertUtils; import com.nimbusds.jwt.SignedJWT; import com.nimbusds.jwt.proc.ConfigurableJWTProcessor; import org.apache.commons.lang3.StringUtils; -import org.apache.hadoop.security.authentication.server.AuthenticationToken; -import org.apache.hadoop.security.authentication.util.CertificateUtil; import org.apache.ranger.authz.handler.RangerAuthHandler; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -82,7 +82,7 @@ public void initialize(final Properties config) throws Exception { // setup JWT provider public key if configured if (StringUtils.isNotBlank(pemPublicKey)) { - verifier = new RSASSAVerifier(CertificateUtil.parseRSAPublicKey(pemPublicKey)); + verifier = new RSASSAVerifier(RSAKey.parse(X509CertUtils.parse(pemPublicKey))); } else if (StringUtils.isBlank(jwksProviderUrl)) { throw new Exception("RangerJwtAuthHandler: Mandatory configs ('jwks.provider-url' & 'jwt.public-key') are missing, must provide atleast one."); } 
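Review bot: `X509CertUtils.parse(String)` returns null instead of throwing when its input is not a PEM certificate carrying the `-----BEGIN CERTIFICATE-----` marker, so in the `initialize` hunk a malformed `jwt.public-key` would most likely surface as a NullPointerException from `RSAKey.parse(...)` with no hint about which setting is wrong. As far as I know, the removed Hadoop `CertificateUtil.parseRSAPublicKey` added the BEGIN/END markers itself, which would mean existing configurations holding only the base64 body stop working after this change; that should be handled or called out in the upgrade notes. I would check the parse result and fail with a message naming the property, as sketched below (it needs an import of `java.security.cert.X509Certificate`). `initialize` starts and ends outside the hunk.

```java
if (StringUtils.isNotBlank(pemPublicKey)) {
    X509Certificate cert = X509CertUtils.parse(pemPublicKey);

    if (cert == null) {
        throw new Exception("RangerJwtAuthHandler: 'jwt.public-key' is not a valid PEM-encoded X.509 certificate");
    }

    verifier = new RSASSAVerifier(RSAKey.parse(cert));
} else if (StringUtils.isBlank(jwksProviderUrl)) {
    // … unchanged: missing-config exception …
```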
@@ -106,12 +106,11 @@ public void initialize(final Properties config) throws Exception { public abstract ConfigurableJWTProcessor<SecurityContext> getJwtProcessor(JWSKeySelector<SecurityContext> keySelector); - protected AuthenticationToken authenticate(final String jwtAuthHeader, final String jwtCookie, final String doAsUser) { + protected String authenticate(final String jwtAuthHeader, final String jwtCookie, final String doAsUser) { if (LOG.isDebugEnabled()) { LOG.debug("===>>> RangerJwtAuthHandler.authenticate()"); } - AuthenticationToken token = null; if (shouldProceedAuth(jwtAuthHeader, jwtCookie)) { String serializedJWT = getJWT(jwtAuthHeader, jwtCookie); @@ -132,7 +131,7 @@ protected AuthenticationToken authenticate(final String jwtAuthHeader, final Str LOG.debug("RangerJwtAuthHandler.authenticate(): Issuing AuthenticationToken for user: [{}]", userName); LOG.debug("RangerJwtAuthHandler.authenticate(): Authentication successful for user [{}] and doAs user is [{}]", jwtToken.getJWTClaimsSet().getSubject(), doAsUser); } - token = new AuthenticationToken(userName, userName, TYPE); + return userName; } else { LOG.warn("RangerJwtAuthHandler.authenticate(): Validation failed for JWT token: [{}] ", jwtToken.serialize()); } @@ -148,7 +147,7 @@ protected AuthenticationToken authenticate(final String jwtAuthHeader, final Str LOG.debug("<<<=== RangerJwtAuthHandler.authenticate()"); } - return token; + return null; } protected String getJWT(final String jwtAuthHeader, final String jwtCookie) { 
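Review bot: The protected `authenticate(String, String, String)` now signals failure with a bare `null` String and success with an early `return userName;`, but nothing documents that contract for subclasses. I would add a Javadoc above the signature with a line such as `@return the authenticated user name, or null when authentication did not proceed or the JWT failed validation`. The early return in the second hunk also skips the `<<<=== RangerJwtAuthHandler.authenticate()` exit trace on the success path. The method body spans all three hunks on this line and continues beyond them.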
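Review bot: The failure branch kept right after the new `return userName;` writes the whole token to the log at WARN level through `jwtToken.serialize()`, which for a `SignedJWT` is the compact form including the signature. The validation conditions sit outside the hunk, but a token rejected here may still be accepted by another service, so the log becomes a store of bearer credentials for anyone who can read it. I would drop the argument, `LOG.warn("RangerJwtAuthHandler.authenticate(): Validation failed for JWT token");`, or log only a non-secret identifier. The debug message `Issuing AuthenticationToken for user: [{}]` in the same hunk is also stale now that no token object is created.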
@@ -267,13 +266,11 @@ protected boolean validateAudiences(final SignedJWT jwtToken) { boolean valid = false; try { List<String> tokenAudienceList = jwtToken.getJWTClaimsSet().getAudience(); - // if there were no expected audiences configured then just - // consider any audience acceptable + // if there were no expected audiences configured then just consider any audience acceptable if (audiences == null) { valid = true; } else { - // if any of the configured audiences is found then consider it - // acceptable + // if any of the configured audiences is found then consider it acceptable for (String aud : tokenAudienceList) { if (audiences.contains(aud)) { if (LOG.isDebugEnabled()) { @@ -294,8 +291,8 @@ protected boolean validateAudiences(final SignedJWT jwtToken) { } /** - * Validate that the expiration time of the JWT token has not been violated. If - * it has then throw an AuthenticationException. Override this method in + * Validate that the expiration time of the JWT has not been violated. If + * it has, then throw an AuthenticationException. Override this method in * subclasses in order to customize the expiration validation behavior. * * @param jwtToken the token that contains the expiration date to validate diff --git a/security-admin/src/test/java/org/apache/ranger/security/web/filter/TestRangerJwtAuthFilter.java b/security-admin/src/test/java/org/apache/ranger/security/web/filter/TestRangerJwtAuthFilter.java index 128763e09..94ad73a4a 100644 --- a/security-admin/src/test/java/org/apache/ranger/security/web/filter/TestRangerJwtAuthFilter.java +++ b/security-admin/src/test/java/org/apache/ranger/security/web/filter/TestRangerJwtAuthFilter.java 
@@ -89,8 +89,7 @@ public void testDoFilter_setsAuthenticationWhenAuthenticateSucceeds() throws Ser ServletResponse res = Mockito.mock(ServletResponse.class); FilterChain chain = Mockito.mock(FilterChain.class); - AuthenticationToken token = new AuthenticationToken("alice", "alice", "ranger-jwt"); - RangerAuth rangerAuth = new RangerAuth(token, RangerAuth.AuthType.JWT_JWKS); + RangerAuth rangerAuth = new RangerAuth("alice", RangerAuth.AuthType.JWT_JWKS); doReturn(rangerAuth).when(filter).authenticate(any(HttpServletRequest.class));
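Review bot: This is the only hunk for `TestRangerJwtAuthFilter.java` and it removes the last visible use of `AuthenticationToken`, yet the diffstat (3 changed lines) leaves no room for an import line being dropped, so the Hadoop import is probably left behind unused; please remove it if so. If the suite does not already cover it, a companion case where `filter.authenticate(...)` returns null would pin that the filter does not set an authentication in that path. The test method continues outside the hunk.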
