This is an automated email from the ASF dual-hosted git repository.
abhi pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 7a2d2da6d RANGER-5479: Remove dependency on hadoop libs in
ranger-authn (#836)
7a2d2da6d is described below
commit 7a2d2da6d96a164ef3b58079900610c73ad0eb26
Author: Abhishek Kumar <[email protected]>
AuthorDate: Mon Feb 2 20:31:20 2026 -0800
RANGER-5479: Remove dependency on hadoop libs in ranger-authn (#836)
---
ranger-authn/pom.xml | 12 -----------
.../apache/ranger/authz/handler/RangerAuth.java | 6 ++----
.../handler/jwt/RangerDefaultJwtAuthHandler.java | 8 +++-----
.../authz/handler/jwt/RangerJwtAuthHandler.java | 23 ++++++++++------------
.../web/filter/TestRangerJwtAuthFilter.java | 4 +---
5 files changed, 16 insertions(+), 37 deletions(-)
diff --git a/ranger-authn/pom.xml b/ranger-authn/pom.xml
index 7552c2b32..40c1e5f8e 100644
--- a/ranger-authn/pom.xml
+++ b/ranger-authn/pom.xml
@@ -65,18 +65,6 @@
<version>${commons.text.version}</version>
</dependency>
- <dependency>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-client-api</artifactId>
- <version>${hadoop.version}</version>
- </dependency>
-
- <dependency>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-client-runtime</artifactId>
- <version>${hadoop.version}</version>
- </dependency>
-
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
diff --git
a/ranger-authn/src/main/java/org/apache/ranger/authz/handler/RangerAuth.java
b/ranger-authn/src/main/java/org/apache/ranger/authz/handler/RangerAuth.java
index a027966a7..13bd37a20 100644
--- a/ranger-authn/src/main/java/org/apache/ranger/authz/handler/RangerAuth.java
+++ b/ranger-authn/src/main/java/org/apache/ranger/authz/handler/RangerAuth.java
@@ -18,15 +18,13 @@
*/
package org.apache.ranger.authz.handler;
-import org.apache.hadoop.security.authentication.server.AuthenticationToken;
-
public class RangerAuth {
private String userName;
private AuthType type;
private boolean isAuthenticated;
- public RangerAuth(final AuthenticationToken authenticationToken, AuthType
type) {
- this.userName = authenticationToken.getName();
+ public RangerAuth(String username, AuthType type) {
+ this.userName = username;
this.isAuthenticated = true;
this.type = type;
}
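Review bot: The new constructor sets `isAuthenticated = true` for whatever string it is handed, including null or an empty value, so the only guard is in the caller. In this commit the caller in RangerDefaultJwtAuthHandler.authenticate checks only `username != null`; whether a blank subject can reach it is not visible here. A guard in the constructor would keep the object fail-closed, for example `if (username == null || username.isEmpty()) { throw new IllegalArgumentException("username must not be empty"); }`, or the caller could test `StringUtils.isNotBlank(username)`, which that file already imports. The class continues outside the hunk.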
diff --git
a/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerDefaultJwtAuthHandler.java
b/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerDefaultJwtAuthHandler.java
index 6df75e71c..94ebc7495 100644
---
a/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerDefaultJwtAuthHandler.java
+++
b/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerDefaultJwtAuthHandler.java
@@ -25,7 +25,6 @@
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.jwt.proc.JWTClaimsSetVerifier;
import org.apache.commons.lang3.StringUtils;
-import org.apache.hadoop.security.authentication.server.AuthenticationToken;
import org.apache.ranger.authz.handler.RangerAuth;
import javax.servlet.ServletRequest;
@@ -82,11 +81,10 @@ public RangerAuth authenticate(HttpServletRequest
httpServletRequest) {
String jwtAuthHeaderStr = getJwtAuthHeader(httpServletRequest);
String jwtCookieStr = StringUtils.isBlank(jwtAuthHeaderStr) ?
getJwtCookie(httpServletRequest) : null;
String doAsUser =
httpServletRequest.getParameter(DO_AS_PARAMETER);
+ String username = authenticate(jwtAuthHeaderStr,
jwtCookieStr, doAsUser);
- AuthenticationToken authenticationToken =
authenticate(jwtAuthHeaderStr, jwtCookieStr, doAsUser);
-
- if (authenticationToken != null) {
- rangerAuth = new RangerAuth(authenticationToken,
RangerAuth.AuthType.JWT_JWKS);
+ if (username != null) {
+ rangerAuth = new RangerAuth(username,
RangerAuth.AuthType.JWT_JWKS);
}
return rangerAuth;
diff --git
a/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerJwtAuthHandler.java
b/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerJwtAuthHandler.java
index c8333b357..53c5aaae2 100644
---
a/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerJwtAuthHandler.java
+++
b/ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerJwtAuthHandler.java
@@ -22,17 +22,17 @@
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
+import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
+import com.nimbusds.jose.util.X509CertUtils;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import org.apache.commons.lang3.StringUtils;
-import org.apache.hadoop.security.authentication.server.AuthenticationToken;
-import org.apache.hadoop.security.authentication.util.CertificateUtil;
import org.apache.ranger.authz.handler.RangerAuthHandler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -82,7 +82,7 @@ public void initialize(final Properties config) throws
Exception {
// setup JWT provider public key if configured
if (StringUtils.isNotBlank(pemPublicKey)) {
- verifier = new
RSASSAVerifier(CertificateUtil.parseRSAPublicKey(pemPublicKey));
+ verifier = new
RSASSAVerifier(RSAKey.parse(X509CertUtils.parse(pemPublicKey)));
} else if (StringUtils.isBlank(jwksProviderUrl)) {
throw new Exception("RangerJwtAuthHandler: Mandatory configs
('jwks.provider-url' & 'jwt.public-key') are missing, must provide atleast
one.");
}
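Review bot: `X509CertUtils.parse(pemPublicKey)` is documented to return null rather than throw when the value is not a PEM certificate with BEGIN/END CERTIFICATE markers, and the result goes straight into `RSAKey.parse(...)`, so a bad `jwt.public-key` would most likely surface as a NullPointerException during initialize(). The accepted format may also have changed: as far as I know, Hadoop's CertificateUtil.parseRSAPublicKey added the PEM header and footer itself, so deployments that configure only the base64 body could stop loading after this change; this is worth confirming and documenting. I would check the result explicitly: `X509Certificate cert = X509CertUtils.parse(pemPublicKey);`, then `if (cert == null) { throw new Exception("RangerJwtAuthHandler: 'jwt.public-key' is not a valid PEM-encoded X.509 certificate"); }`, then `verifier = new RSASSAVerifier(RSAKey.parse(cert));`. That needs an import of `java.security.cert.X509Certificate`, and initialize() starts and ends outside the hunk.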
@@ -106,12 +106,11 @@ public void initialize(final Properties config) throws
Exception {
public abstract ConfigurableJWTProcessor<SecurityContext>
getJwtProcessor(JWSKeySelector<SecurityContext> keySelector);
- protected AuthenticationToken authenticate(final String jwtAuthHeader,
final String jwtCookie, final String doAsUser) {
+ protected String authenticate(final String jwtAuthHeader, final String
jwtCookie, final String doAsUser) {
if (LOG.isDebugEnabled()) {
LOG.debug("===>>> RangerJwtAuthHandler.authenticate()");
}
- AuthenticationToken token = null;
if (shouldProceedAuth(jwtAuthHeader, jwtCookie)) {
String serializedJWT = getJWT(jwtAuthHeader, jwtCookie);
@@ -132,7 +131,7 @@ protected AuthenticationToken authenticate(final String
jwtAuthHeader, final Str
LOG.debug("RangerJwtAuthHandler.authenticate():
Issuing AuthenticationToken for user: [{}]", userName);
LOG.debug("RangerJwtAuthHandler.authenticate():
Authentication successful for user [{}] and doAs user is [{}]",
jwtToken.getJWTClaimsSet().getSubject(), doAsUser);
}
- token = new AuthenticationToken(userName, userName,
TYPE);
+ return userName;
} else {
LOG.warn("RangerJwtAuthHandler.authenticate():
Validation failed for JWT token: [{}] ", jwtToken.serialize());
}
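Review bot: The failure branch at the end of this hunk logs `jwtToken.serialize()` at WARN, which writes the complete bearer token, signature included, to the log. Depending on which checks the validation covers, a token rejected here may still be accepted by another service that trusts the same issuer, so the log becomes a store of reusable credentials. Logging a non-secret identifier is enough, e.g. `LOG.warn("RangerJwtAuthHandler.authenticate(): Validation failed for JWT token, subject: [{}]", jwtToken.getJWTClaimsSet().getSubject());`, which relies on the same getJWTClaimsSet() call the debug line above already makes. Separately, the debug text "Issuing AuthenticationToken for user" is stale now that the method returns the user name. authenticate() starts and ends outside this hunk.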
@@ -148,7 +147,7 @@ protected AuthenticationToken authenticate(final String
jwtAuthHeader, final Str
LOG.debug("<<<=== RangerJwtAuthHandler.authenticate()");
}
- return token;
+ return null;
}
protected String getJWT(final String jwtAuthHeader, final String
jwtCookie) {
@@ -267,13 +266,11 @@ protected boolean validateAudiences(final SignedJWT
jwtToken) {
boolean valid = false;
try {
List<String> tokenAudienceList =
jwtToken.getJWTClaimsSet().getAudience();
- // if there were no expected audiences configured then just
- // consider any audience acceptable
+ // if there were no expected audiences configured then just
consider any audience acceptable
if (audiences == null) {
valid = true;
} else {
- // if any of the configured audiences is found then consider it
- // acceptable
+ // if any of the configured audiences is found then consider
it acceptable
for (String aud : tokenAudienceList) {
if (audiences.contains(aud)) {
if (LOG.isDebugEnabled()) {
@@ -294,8 +291,8 @@ protected boolean validateAudiences(final SignedJWT
jwtToken) {
}
/**
- * Validate that the expiration time of the JWT token has not been
violated. If
- * it has then throw an AuthenticationException. Override this method in
+ * Validate that the expiration time of the JWT has not been violated. If
+ * it has, then throw an AuthenticationException. Override this method in
* subclasses in order to customize the expiration validation behavior.
*
* @param jwtToken the token that contains the expiration date to validate
diff --git
a/security-admin/src/test/java/org/apache/ranger/security/web/filter/TestRangerJwtAuthFilter.java
b/security-admin/src/test/java/org/apache/ranger/security/web/filter/TestRangerJwtAuthFilter.java
index 128763e09..276c5e3b9 100644
---
a/security-admin/src/test/java/org/apache/ranger/security/web/filter/TestRangerJwtAuthFilter.java
+++
b/security-admin/src/test/java/org/apache/ranger/security/web/filter/TestRangerJwtAuthFilter.java
@@ -18,7 +18,6 @@
*/
package org.apache.ranger.security.web.filter;
-import org.apache.hadoop.security.authentication.server.AuthenticationToken;
import org.apache.ranger.authz.handler.RangerAuth;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.MethodOrderer;
@@ -89,8 +88,7 @@ public void
testDoFilter_setsAuthenticationWhenAuthenticateSucceeds() throws Ser
ServletResponse res = Mockito.mock(ServletResponse.class);
FilterChain chain = Mockito.mock(FilterChain.class);
- AuthenticationToken token = new AuthenticationToken("alice", "alice",
"ranger-jwt");
- RangerAuth rangerAuth = new RangerAuth(token,
RangerAuth.AuthType.JWT_JWKS);
+ RangerAuth rangerAuth = new RangerAuth("alice",
RangerAuth.AuthType.JWT_JWKS);
doReturn(rangerAuth).when(filter).authenticate(any(HttpServletRequest.class));