This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch ranger-2.8
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.8 by this push:
new 5812f3885 RANGER-4883: fix failure in audit-to-HDFS from Kafka and
Knox plugins (#839)
5812f3885 is described below
commit 5812f388551586c7a56b0eb5004e6bd5af425cd1
Author: Madhan Neethiraj <[email protected]>
AuthorDate: Tue Feb 3 20:07:38 2026 -0800
RANGER-4883: fix failure in audit-to-HDFS from Kafka and Knox plugins (#839)
(cherry picked from commit abac75741f939025226595dea60bb34656088649)
---
dev-support/ranger-docker/docker-compose.ranger-kafka.yml | 3 ++-
dev-support/ranger-docker/docker-compose.ranger-knox.yml | 2 ++
dev-support/ranger-docker/scripts/hadoop/hdfs-client-site.xml | 11 +++++++++++
dev-support/ranger-docker/scripts/kafka/ranger-kafka-setup.sh | 1 +
.../scripts/knox/ranger-knox-plugin-install.properties | 6 ++++++
.../ranger-docker/scripts/knox/ranger-knox-sandbox.xml | 2 +-
dev-support/ranger-docker/scripts/knox/ranger-knox-setup.sh | 3 +++
distro/src/main/assembly/knox-agent.xml | 1 +
distro/src/main/assembly/plugin-kafka.xml | 1 +
knox-agent/conf/ranger-knox-security-changes.cfg | 7 ++++++-
10 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/dev-support/ranger-docker/docker-compose.ranger-kafka.yml
b/dev-support/ranger-docker/docker-compose.ranger-kafka.yml
index c850d6df6..80e386a50 100644
--- a/dev-support/ranger-docker/docker-compose.ranger-kafka.yml
+++ b/dev-support/ranger-docker/docker-compose.ranger-kafka.yml
@@ -15,7 +15,8 @@ services:
volumes:
- ./dist/keytabs/ranger-kafka:/etc/keytabs
- ./scripts/kdc/krb5.conf:/etc/krb5.conf:ro
- - ./scripts/hadoop/core-site.xml:/home/ranger/scripts/core-site.xml
+ - ./scripts/hadoop/core-site.xml:/home/ranger/scripts/core-site.xml:ro
+ -
./scripts/hadoop/hdfs-client-site.xml:/home/ranger/scripts/hdfs-site.xml:ro
-
./scripts/kafka/kafka-server-jaas.conf:/home/ranger/scripts/kafka-server-jaas.conf
- ./dist/version:/home/ranger/dist/version:ro
-
./scripts/kafka/ranger-kafka-plugin-install.properties:/opt/ranger/ranger-kafka-plugin/install.properties
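Review bot: The new mount exposes `hdfs-client-site.xml` inside the container under the name `hdfs-site.xml`, and nothing at the mount says the file is only a client-side subset. A one-line comment above the entry, for example `# client-side HDFS settings only (NameNode/DataNode Kerberos principals)`, would keep someone from later swapping in the full server hdfs-site.xml. The same mount is added in docker-compose.ranger-knox.yml and would take the same comment. The volumes list continues outside the hunk.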
diff --git a/dev-support/ranger-docker/docker-compose.ranger-knox.yml
b/dev-support/ranger-docker/docker-compose.ranger-knox.yml
index 4defd81e9..c65e0b1fe 100644
--- a/dev-support/ranger-docker/docker-compose.ranger-knox.yml
+++ b/dev-support/ranger-docker/docker-compose.ranger-knox.yml
@@ -15,6 +15,8 @@ services:
volumes:
- ./dist/keytabs/ranger-knox:/etc/keytabs
- ./scripts/kdc/krb5.conf:/etc/krb5.conf:ro
+ - ./scripts/hadoop/core-site.xml:/home/ranger/scripts/core-site.xml:ro
+ -
./scripts/hadoop/hdfs-client-site.xml:/home/ranger/scripts/hdfs-site.xml:ro
- ./dist/version:/home/ranger/dist/version:ro
-
./scripts/knox/ranger-knox-sandbox.xml:/opt/knox/conf/topologies/sandbox.xml
-
./scripts/knox/ranger-knox-plugin-install.properties:/opt/ranger/ranger-knox-plugin/install.properties
diff --git a/dev-support/ranger-docker/scripts/hadoop/hdfs-client-site.xml
b/dev-support/ranger-docker/scripts/hadoop/hdfs-client-site.xml
new file mode 100644
index 000000000..650e2818c
--- /dev/null
+++ b/dev-support/ranger-docker/scripts/hadoop/hdfs-client-site.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<configuration>
+ <property>
+ <name>dfs.namenode.kerberos.principal</name>
+ <value>nn/[email protected]</value>
+ </property>
+ <property>
+ <name>dfs.datanode.kerberos.principal</name>
+ <value>dn/[email protected]</value>
+ </property>
+</configuration>
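Review bot: The new file has no header or comment explaining its purpose; it starts directly with the XML declaration. The other files in this commit have first hunks starting around line 15, presumably after a license header, so consider adding the project's license header here if the release audit covers dev-support. A short comment would also help, such as `<!-- Client-side HDFS config: the server principals the HDFS client expects from the NameNode and DataNode during Kerberos authentication -->`. Both principals appear to name a fixed host and realm, so they have to stay in step with the KDC setup scripts, which is worth stating in that comment.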
diff --git a/dev-support/ranger-docker/scripts/kafka/ranger-kafka-setup.sh
b/dev-support/ranger-docker/scripts/kafka/ranger-kafka-setup.sh
index e71705be4..f41f7322a 100755
--- a/dev-support/ranger-docker/scripts/kafka/ranger-kafka-setup.sh
+++ b/dev-support/ranger-docker/scripts/kafka/ranger-kafka-setup.sh
@@ -29,6 +29,7 @@ then
fi
cp ${RANGER_SCRIPTS}/core-site.xml ${KAFKA_HOME}/config/
+cp ${RANGER_SCRIPTS}/hdfs-site.xml ${KAFKA_HOME}/config/
cp ${RANGER_SCRIPTS}/kafka-server-jaas.conf ${KAFKA_HOME}/config/
chown -R kafka:hadoop /opt/kafka/
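Review bot: The added `cp` is unchecked and its variables are unquoted, so a missing hdfs-site.xml bind mount may not stop the setup. Unless the script enables `set -e` above the hunk, it would carry on, and audit-to-HDFS would only fail later at runtime with a Kerberos principal error. I would write it as `cp "${RANGER_SCRIPTS}/hdfs-site.xml" "${KAFKA_HOME}/config/" || exit 1`. The two `cp` lines added to ranger-knox-setup.sh have the same shape and would take the same change. The script starts and ends outside this hunk, so its error-handling mode is not visible here.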
diff --git
a/dev-support/ranger-docker/scripts/knox/ranger-knox-plugin-install.properties
b/dev-support/ranger-docker/scripts/knox/ranger-knox-plugin-install.properties
index 1e4a14948..db2deb0a9 100644
---
a/dev-support/ranger-docker/scripts/knox/ranger-knox-plugin-install.properties
+++
b/dev-support/ranger-docker/scripts/knox/ranger-knox-plugin-install.properties
@@ -17,6 +17,12 @@ POLICY_MGR_URL=http://ranger:6080
REPOSITORY_NAME=dev_knox
COMPONENT_INSTALL_DIR_NAME=/opt/knox
+UGI_INITIALIZE=true
+UGI_LOGIN_TYPE=keytab
+UGI_KEYTAB_PRINCIPAL=knox/[email protected]
+UGI_KEYTAB_FILE=/etc/keytabs/knox.keytab
+UGI_JAAS_APPCONFIG=unknown
+
CUSTOM_USER=knox
CUSTOM_GROUP=knox
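Review bot: `UGI_JAAS_APPCONFIG=unknown` writes a literal placeholder into the generated plugin configuration with no explanation of why it is safe. If the value is ignored when `UGI_LOGIN_TYPE=keytab`, as appears to be the intent, say so with a comment above it, for example `# not read for keytab logins; placeholder only`. It is also worth a comment on `UGI_KEYTAB_FILE` that the keytab must be readable by the `knox` user set in `CUSTOM_USER`. The file ownership under /etc/keytabs is set outside this hunk and cannot be checked from here.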
diff --git a/dev-support/ranger-docker/scripts/knox/ranger-knox-sandbox.xml
b/dev-support/ranger-docker/scripts/knox/ranger-knox-sandbox.xml
index 0da825ff4..1563cc68e 100644
--- a/dev-support/ranger-docker/scripts/knox/ranger-knox-sandbox.xml
+++ b/dev-support/ranger-docker/scripts/knox/ranger-knox-sandbox.xml
@@ -64,7 +64,7 @@
<provider>
<role>authorization</role>
- <name>AclsAuthz</name>
+ <name>XASecurePDPKnox</name>
<enabled>true</enabled>
</provider>
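Review bot: Nothing in the topology says that `XASecurePDPKnox` is the Ranger Knox plugin's authorization provider, or that the sandbox topology now depends on the plugin being installed under /opt/knox. A comment above the provider would make the switch readable, for example `<!-- Ranger Knox plugin authorizer; replaces Knox's built-in AclsAuthz -->`. Access decisions for this topology now come from the policies Ranger serves for the repository named in the plugin's install.properties. A short pointer to that file would help whoever debugs a denied request.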
diff --git a/dev-support/ranger-docker/scripts/knox/ranger-knox-setup.sh
b/dev-support/ranger-docker/scripts/knox/ranger-knox-setup.sh
index 488c26474..564bddb98 100755
--- a/dev-support/ranger-docker/scripts/knox/ranger-knox-setup.sh
+++ b/dev-support/ranger-docker/scripts/knox/ranger-knox-setup.sh
@@ -28,6 +28,9 @@ then
${RANGER_SCRIPTS}/wait_for_testusers_keytab.sh
fi
+cp ${RANGER_SCRIPTS}/core-site.xml /opt/knox/conf/
+cp ${RANGER_SCRIPTS}/hdfs-site.xml /opt/knox/conf/
+
chown -R knox:knox /opt/knox/
mkdir -p /opt/knox/logs
diff --git a/distro/src/main/assembly/knox-agent.xml
b/distro/src/main/assembly/knox-agent.xml
index e8679e822..aca7baf95 100644
--- a/distro/src/main/assembly/knox-agent.xml
+++ b/distro/src/main/assembly/knox-agent.xml
@@ -69,6 +69,7 @@
<include>com.google.protobuf:protobuf-java:jar:${protobuf-java.version}</include>
<include>org.apache.hadoop:hadoop-client-api:jar:${hadoop.version}</include>
<include>org.apache.hadoop:hadoop-client-runtime:jar:${hadoop.version}</include>
+
<include>org.apache.hadoop:hadoop-hdfs-client:jar:${hadoop.version}</include>
<include>com.fasterxml.jackson.core:jackson-annotations:jar:${fasterxml.jackson.version}</include>
<include>com.fasterxml.jackson.core:jackson-core:jar:${fasterxml.jackson.version}</include>
<include>com.fasterxml.jackson.core:jackson-databind:jar:${fasterxml.jackson.version}</include>
diff --git a/distro/src/main/assembly/plugin-kafka.xml
b/distro/src/main/assembly/plugin-kafka.xml
index 15b9d85ab..aa0dec1cd 100644
--- a/distro/src/main/assembly/plugin-kafka.xml
+++ b/distro/src/main/assembly/plugin-kafka.xml
@@ -59,6 +59,7 @@
<include>org.apache.hadoop:hadoop-auth:jar:${hadoop.version}</include>
<include>org.apache.hadoop:hadoop-client-api:jar:${hadoop.version}</include>
<include>org.apache.hadoop:hadoop-client-runtime:jar:${hadoop.version}</include>
+
<include>org.apache.hadoop:hadoop-hdfs-client:jar:${hadoop.version}</include>
<include>com.google.code.gson:gson</include>
<include>org.eclipse.jetty:jetty-client:jar:${jetty-client.version}</include>
<include>commons-collections:commons-collections</include>
diff --git a/knox-agent/conf/ranger-knox-security-changes.cfg
b/knox-agent/conf/ranger-knox-security-changes.cfg
index 9562fafa9..747a328d6 100644
--- a/knox-agent/conf/ranger-knox-security-changes.cfg
+++ b/knox-agent/conf/ranger-knox-security-changes.cfg
@@ -23,4 +23,9 @@ ranger.plugin.knox.policy.rest.ssl.config.file
%COMPONENT_INSTALL_DIR_NAME%/conf
ranger.plugin.knox.policy.pollIntervalMs 30000
mod create-if-not-exists
ranger.plugin.knox.policy.cache.dir %POLICY_CACHE_FILE_PATH%
mod create-if-not-exists
ranger.plugin.knox.policy.rest.client.connection.timeoutMs 120000
mod
create-if-not-exists
-ranger.plugin.knox.policy.rest.client.read.timeoutMs 30000
mod
create-if-not-exists
\ No newline at end of file
+ranger.plugin.knox.policy.rest.client.read.timeoutMs 30000
mod
create-if-not-exists
+ranger.plugin.knox.ugi.initialize %UGI_INITIALIZE% mod
create-if-not-exists
+ranger.plugin.knox.ugi.login.type %UGI_LOGIN_TYPE% mod
create-if-not-exists
+ranger.plugin.knox.ugi.keytab.principal %UGI_KEYTAB_PRINCIPAL% mod
create-if-not-exists
+ranger.plugin.knox.ugi.keytab.file %UGI_KEYTAB_FILE% mod
create-if-not-exists
+ranger.plugin.knox.ugi.jaas.appconfig %UGI_JAAS_APPCONFIG% mod
create-if-not-exists
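Review bot: The five new `ranger.plugin.knox.ugi.*` entries depend on `%UGI_*%` placeholders, but per the diffstat only the docker dev install.properties gains those keys. The packaged Knox plugin install.properties is not part of this commit. If it does not already define `UGI_INITIALIZE`, `UGI_LOGIN_TYPE`, `UGI_KEYTAB_PRINCIPAL`, `UGI_KEYTAB_FILE` and `UGI_JAAS_APPCONFIG`, confirm what the enable script substitutes for an undefined placeholder. Because the action is `mod create-if-not-exists`, an empty or unresolved value would be written into the security config of existing installs. Adding defaults to the packaged file would avoid that, assuming it lacks them.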