This is an automated email from the ASF dual-hosted git repository. pradeep pushed a commit to branch RANGER-4076_master in repository https://gitbox.apache.org/repos/asf/ranger.git
commit 525bc50e44350d302981c7d18861b180f1d62678 Author: Pradeep AgrawaL <[email protected]> AuthorDate: Tue Feb 3 13:17:42 2026 +0530 Revert "RANGER-5475: add JWT support in RangerRESTClient (#831)" This reverts commit f98a149d56fb4589cc47d03e55bd16b0adf4a153. --- .../ranger/plugin/util/RangerRESTClient.java | 138 ++++----------------- .../tagsync/sink/tagadmin/TagAdminRESTSink.java | 2 +- .../process/RangerUgSyncRESTClient.java | 6 +- 3 files changed, 30 insertions(+), 116 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java index 4be6d0214..693d3adcd 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java @@ -22,7 +22,6 @@ import com.fasterxml.jackson.jaxrs.json.JacksonJsonProvider; import com.sun.jersey.api.client.Client; import com.sun.jersey.api.client.ClientHandlerException; -import com.sun.jersey.api.client.ClientRequest; import com.sun.jersey.api.client.ClientResponse; import com.sun.jersey.api.client.WebResource; import com.sun.jersey.api.client.config.ClientConfig; @@ -49,11 +48,9 @@ import javax.ws.rs.core.Cookie; import javax.ws.rs.core.Response; -import java.io.BufferedReader; import java.io.File; import java.io.FileInputStream; import java.io.FileNotFoundException; -import java.io.FileReader; import java.io.IOException; import java.io.InputStream; import java.security.KeyManagementException; @@ -85,10 +82,8 @@ public class RangerRESTClient { public static final String RANGER_SSL_KEYMANAGER_ALGO_TYPE = KeyManagerFactory.getDefaultAlgorithm(); public static final String RANGER_SSL_TRUSTMANAGER_ALGO_TYPE = TrustManagerFactory.getDefaultAlgorithm(); public static final String RANGER_SSL_CONTEXT_ALGO_TYPE = "TLSv1.2"; - public static final String JWT_HEADER_PREFIX = "Bearer "; private final List<String> configuredURLs; - private final String propertyPrefix; private String mUrl; private final String mSslConfigFileName; private String mUsername; @@ -109,28 +104,32 @@ public class RangerRESTClient { private int lastKnownActiveUrlIndex; private volatile Client client; private volatile Client cookieAuthClient; - private ClientFilter jwtAuthFilter; private ClientFilter basicAuthFilter; public RangerRESTClient(String url, String sslConfigFileName, Configuration config) { - this(url, sslConfigFileName, config, getPropertyPrefix(config)); - } - - public RangerRESTClient(String url, String sslConfigFileName, Configuration config, String propertyPrefix) { - mUrl = url; - mSslConfigFileName = sslConfigFileName; - configuredURLs = StringUtil.getURLs(mUrl); - this.propertyPrefix = propertyPrefix; - + mUrl = url; + mSslConfigFileName = sslConfigFileName; + configuredURLs = StringUtil.getURLs(mUrl); if (StringUtil.isEmpty(url)) { throw new IllegalArgumentException("Ranger URL is null or empty. Likely caused by incorrect configuration"); } else { setLastKnownActiveUrlIndex((new Random()).nextInt(getConfiguredURLs().size())); } - init(config); } + protected static WebResource setQueryParams(WebResource webResource, Map<String, String> params) { + WebResource ret = webResource; + + if (webResource != null && params != null) { + for (Map.Entry<String, String> entry : params.entrySet()) { + ret = ret.queryParam(entry.getKey(), entry.getValue()); + } + } + + return ret; + } + public String getUrl() { return mUrl; } @@ -687,22 +686,6 @@ protected void setTrustStoreType(String mTrustStoreType) { this.mTrustStoreType = mTrustStoreType; } - protected static WebResource setQueryParams(WebResource webResource, Map<String, String> params) { - WebResource ret = webResource; - - if (webResource != null && params != null) { - for (Map.Entry<String, String> entry : params.entrySet()) { - ret = ret.queryParam(entry.getKey(), entry.getValue()); - } - } - - return ret; - } - - private static String getPropertyPrefix(Configuration config) { - return (config instanceof RangerPluginConfig) ? ((RangerPluginConfig) config).getPropertyPrefix() : "ranger.plugin"; - } - private Client getCookieAuthClient() { Client ret = cookieAuthClient; @@ -713,10 +696,6 @@ private Client getCookieAuthClient() { if (ret == null) { cookieAuthClient = buildClient(); - if (jwtAuthFilter != null) { - cookieAuthClient.removeFilter(jwtAuthFilter); - } - if (basicAuthFilter != null) { cookieAuthClient.removeFilter(basicAuthFilter); } @@ -755,11 +734,8 @@ private Client buildClient() { client = Client.create(config); } - // use JWT if present - ClientFilter authFilter = jwtAuthFilter != null ? jwtAuthFilter : basicAuthFilter; - - if (authFilter != null && !client.isFilterPresent(authFilter)) { - client.addFilter(authFilter); + if (basicAuthFilter != null && !client.isFilterPresent(basicAuthFilter)) { + client.addFilter(basicAuthFilter); } // Set Connection Timeout and ReadTime for the PolicyRefresh @@ -769,23 +745,6 @@ private Client buildClient() { return client; } - private void setJWTFilter(String jwtAsString) { - if (StringUtils.isNotBlank(jwtAsString)) { - LOG.info("Registering JWT auth header in REST client"); - - jwtAuthFilter = new ClientFilter() { - @Override - public ClientResponse handle(ClientRequest clientRequest) throws ClientHandlerException { - clientRequest.getHeaders().add("Authorization", JWT_HEADER_PREFIX + jwtAsString); - - return getNext().handle(clientRequest); - } - }; - } else { - jwtAuthFilter = null; - } - } - private void setBasicAuthFilter(String username, String password) { if (StringUtils.isNotEmpty(username) && StringUtils.isNotEmpty(password)) { basicAuthFilter = new HTTPBasicAuthFilter(username, password); @@ -823,65 +782,20 @@ private void init(Configuration config) { } } - String jwtAsString = fetchJWT(propertyPrefix, config); - String username = config.get(propertyPrefix + ".policy.rest.client.username"); - String password = config.get(propertyPrefix + ".policy.rest.client.password"); - - setJWTFilter(jwtAsString); + final String pluginPropertyPrefix; - if (StringUtils.isNotBlank(username) && StringUtils.isNotBlank(password)) { - setBasicAuthFilter(username, password); + if (config instanceof RangerPluginConfig) { + pluginPropertyPrefix = ((RangerPluginConfig) config).getPropertyPrefix(); + } else { + pluginPropertyPrefix = "ranger.plugin"; } - } - private String fetchJWT(String propertyPrefix, Configuration config) { - final String jwtSrc = config.get(propertyPrefix + ".policy.rest.client.jwt.source"); + String username = config.get(pluginPropertyPrefix + ".policy.rest.client.username"); + String password = config.get(pluginPropertyPrefix + ".policy.rest.client.password"); - if (StringUtils.isNotEmpty(jwtSrc)) { - switch (jwtSrc) { - case "env": - String jwtEnvVar = config.get(propertyPrefix + ".policy.rest.client.jwt.env"); - if (StringUtils.isNotEmpty(jwtEnvVar)) { - String jwt = System.getenv(jwtEnvVar); - if (StringUtils.isNotBlank(jwt)) { - return jwt; - } - } - break; - case "file": - String jwtFilePath = config.get(propertyPrefix + ".policy.rest.client.jwt.file"); - if (StringUtils.isNotEmpty(jwtFilePath)) { - File jwtFile = new File(jwtFilePath); - if (jwtFile.exists()) { - try (BufferedReader reader = new BufferedReader(new FileReader(jwtFile))) { - String line = null; - while ((line = reader.readLine()) != null) { - if (StringUtils.isNotBlank(line) && !line.startsWith("#")) { - return line; - } - } - } catch (IOException e) { - LOG.error("Failed to read JWT from file: {}", jwtFilePath, e); - } - } - } - break; - case "cred": - String credFilePath = config.get(propertyPrefix + ".policy.rest.client.jwt.cred.file"); - String credAlias = config.get(propertyPrefix + ".policy.rest.client.jwt.cred.alias"); - if (StringUtils.isNotEmpty(credFilePath) && StringUtils.isNotEmpty(credAlias)) { - String jwt = RangerCredentialProvider.getInstance().getCredentialString(credFilePath, credAlias); - if (StringUtils.isNotBlank(jwt)) { - return jwt; - } - } - break; - } - } else { - LOG.info("JWT source not configured, proceeding without JWT"); + if (StringUtils.isNotBlank(username) && StringUtils.isNotBlank(password)) { + setBasicAuthFilter(username, password); } - - return null; } private boolean isSslEnabled(String url) { diff --git a/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java b/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java index 961ebfb53..58dba7400 100644 --- a/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java +++ b/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java @@ -85,7 +85,7 @@ public boolean initialize(Properties properties) { LOG.debug("isKerberized={}", isKerberized); if (StringUtils.isNotBlank(restUrl)) { - tagRESTClient = new RangerRESTClient(restUrl, sslConfigFile, TagSyncConfig.getInstance(), "ranger.tagsync"); + tagRESTClient = new RangerRESTClient(restUrl, sslConfigFile, TagSyncConfig.getInstance()); if (!isKerberized) { tagRESTClient.setBasicAuthInfo(userName, password); diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/RangerUgSyncRESTClient.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/RangerUgSyncRESTClient.java index 56fca65e0..aab18d0f7 100644 --- a/ugsync/src/main/java/org/apache/ranger/unixusersync/process/RangerUgSyncRESTClient.java +++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/process/RangerUgSyncRESTClient.java @@ -37,11 +37,11 @@ public class RangerUgSyncRESTClient extends RangerRESTClient { public RangerUgSyncRESTClient(String policyMgrBaseUrls, String ugKeyStoreFile, String ugKeyStoreFilepwd, String ugKeyStoreType, String ugTrustStoreFile, String ugTrustStoreFilepwd, String ugTrustStoreType, String authenticationType, String principal, String keytab, String polMgrUsername, String polMgrPassword) { - super(policyMgrBaseUrls, "", UserGroupSyncConfig.getInstance().getConfig(), "ranger.usersync"); + super(policyMgrBaseUrls, "", UserGroupSyncConfig.getInstance().getConfig()); - boolean isKerberized = "kerberos".equalsIgnoreCase(authenticationType) && SecureClientLogin.isKerberosCredentialExists(principal, keytab); + String authKerberos = "kerberos"; - if (!isKerberized) { + if (!(authKerberos.equalsIgnoreCase(authenticationType) && SecureClientLogin.isKerberosCredentialExists(principal, keytab))) { setBasicAuthInfo(polMgrUsername, polMgrPassword); }
