This is an automated email from the ASF dual-hosted git repository. abhi pushed a commit to branch ranger_5488 in repository https://gitbox.apache.org/repos/asf/ranger.git
commit d444c136b3144a47af0c18491f7a7f6e8eb46838 Author: Abhishek Kumar <[email protected]> AuthorDate: Wed Feb 11 14:29:21 2026 -0800 RANGER-5488: Allow clients to access secure API endpoints in Ranger Admin forcibly via config --- .../admin/client/AbstractRangerAdminClient.java | 15 +- .../ranger/admin/client/RangerAdminRESTClient.java | 160 ++++++++++----------- .../client/TestAbstractRangerAdminClient.java | 9 ++ .../admin/client/RangerAdminJersey2RESTClient.java | 54 +++---- 4 files changed, 114 insertions(+), 124 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/admin/client/AbstractRangerAdminClient.java b/agents-common/src/main/java/org/apache/ranger/admin/client/AbstractRangerAdminClient.java index d22a87d42..551111f0c 100644 --- a/agents-common/src/main/java/org/apache/ranger/admin/client/AbstractRangerAdminClient.java +++ b/agents-common/src/main/java/org/apache/ranger/admin/client/AbstractRangerAdminClient.java @@ -23,6 +23,7 @@ import com.google.gson.GsonBuilder; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.security.UserGroupInformation; +import org.apache.ranger.audit.provider.MiscUtil; import org.apache.ranger.plugin.model.RangerRole; import org.apache.ranger.plugin.util.GrantRevokeRequest; import org.apache.ranger.plugin.util.GrantRevokeRoleRequest; @@ -43,6 +44,8 @@ public abstract class AbstractRangerAdminClient implements RangerAdminClient { private boolean forceNonKerberos; + private boolean forceSecureEndpointAccess; + @Override public void init(String serviceName, String appId, String configPropertyPrefix, Configuration config) { Gson gson = null; 
@@ -54,7 +57,8 @@ public void init(String serviceName, String appId, String configPropertyPrefix, } this.gson = gson; - this.forceNonKerberos = config.getBoolean(configPropertyPrefix + ".forceNonKerberos", false); + this.forceNonKerberos = config.getBoolean(configPropertyPrefix + ".forceNonKerberos", false); + this.forceSecureEndpointAccess = config.getBoolean(configPropertyPrefix + ".forceSecureEndpointAccess", false); } @Override @@ -127,12 +131,21 @@ public ServiceGdsInfo getGdsInfoIfUpdated(long lastKnownVersion, long lastActiva return null; } + public boolean isAuthenticationEnabled() { + return forceSecureEndpointAccess || isKerberosEnabled(); + } + + public boolean isKerberosEnabled() { + return isKerberosEnabled(MiscUtil.getUGILoginUser()); + } + public boolean isKerberosEnabled(UserGroupInformation user) { final boolean ret; if (forceNonKerberos) { ret = false; } else { + LOG.debug("UGI user: {}", user); ret = user != null && UserGroupInformation.isSecurityEnabled() && user.hasKerberosCredentials(); } diff --git a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java index 1a1e9c8e9..bf12b8909 100644 --- a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java +++ b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java @@ -23,7 +23,6 @@ import com.sun.jersey.api.client.ClientResponse; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.security.AccessControlException; -import org.apache.hadoop.security.UserGroupInformation; import org.apache.http.HttpStatus; import org.apache.ranger.admin.client.datatype.RESTResponse; import org.apache.ranger.audit.provider.MiscUtil; 
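Review bot: `isAuthenticationEnabled()` and the new `forceSecureEndpointAccess` field carry no Javadoc, and the precedence between the two overrides is left implicit: because the flag is tested first, `forceSecureEndpointAccess=true` returns true even when `forceNonKerberos=true` and the login user holds no Kerberos credentials, so every `isSecureMode` caller in RangerAdminRESTClient then enters the `MiscUtil.executePrivilegedAction` path without a ticket and depends on whatever other credentials the REST client is configured with. Suggested Javadoc on the method: `/** True when requests must use the authenticated ("secure") Ranger Admin endpoints: forced via {@code <prefix>.forceSecureEndpointAccess} (which takes precedence over forceNonKerberos), or because the UGI login user has Kerberos credentials. */`. The `LOG.debug("UGI user: {}", user)` line sits only in the non-forced branch, so a forced-mode run logs nothing about the identity actually used; a debug statement in `isAuthenticationEnabled()` saying which condition enabled secure mode would make 401s from Admin much easier to diagnose. The same property read in the `init` hunk above would benefit from a one-line comment pointing at this method.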
@@ -131,8 +130,7 @@ public ServicePolicies getServicePoliciesIfUpdated(final long lastKnownVersion, LOG.debug("==> RangerAdminRESTClient.getServicePoliciesIfUpdated({}, {})", lastKnownVersion, lastActivationTimeInMillis); final ServicePolicies ret; - final UserGroupInformation user = MiscUtil.getUGILoginUser(); - final boolean isSecureMode = isKerberosEnabled(user); + final boolean isSecureMode = isAuthenticationEnabled(); final Cookie sessionId = this.sessionId; final Map<String, String> queryParams = new HashMap<>(); @@ -146,7 +144,7 @@ public ServicePolicies getServicePoliciesIfUpdated(final long lastKnownVersion, final ClientResponse response; if (isSecureMode) { - LOG.debug("Checking Service policy if updated as user : {}", user); + LOG.debug("Checking Service policy if updated"); response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) () -> { try { @@ -171,12 +169,12 @@ public ServicePolicies getServicePoliciesIfUpdated(final long lastKnownVersion, if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED || response.getStatus() == HttpServletResponse.SC_NO_CONTENT) { if (response == null) { - LOG.error("Error getting policies; Received NULL response!!. secureMode={}, user={}, serviceName={}", isSecureMode, user, serviceName); + LOG.error("Error getting policies; Received NULL response!!. secureMode={}, serviceName={}", isSecureMode, serviceName); } else { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.debug("No change in policies. secureMode={}, user={}, response={}, serviceName={}, lastKnownVersion={}, lastActivationTimeInMillis={}", - isSecureMode, user, resp, serviceName, lastKnownVersion, lastActivationTimeInMillis); + LOG.debug("No change in policies. secureMode={}, response={}, serviceName={}, lastKnownVersion={}, lastActivationTimeInMillis={}", + isSecureMode, resp, serviceName, lastKnownVersion, lastActivationTimeInMillis); } ret = null; 
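Review bot: Dropping `user` from the error-level messages in this hunk (and in the matching hunks further down for roles, tags, UserStore and GdsInfo) removes the only place where the principal used for the privileged call appeared above debug level; a NULL response or a 401/403 can no longer be correlated with the identity that issued the request, since `isKerberosEnabled(UserGroupInformation)` logs the UGI only at debug and not at all when secure access is forced. If `MiscUtil.getUGILoginUser()` is cheap enough to call in the failure branches, consider keeping it there, e.g. `LOG.error("Error getting policies; Received NULL response!!. secureMode={}, user={}, serviceName={}", isSecureMode, MiscUtil.getUGILoginUser(), serviceName);`, or otherwise log the login user once in init() so the mapping is available from the same log. getServicePoliciesIfUpdated's body starts and ends outside the hunk.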
@@ -185,8 +183,8 @@ public ServicePolicies getServicePoliciesIfUpdated(final long lastKnownVersion, } else if (response.getStatus() == HttpServletResponse.SC_NOT_FOUND) { ret = null; - LOG.error("Error getting policies; service not found. secureMode={}, user={}, response={}, serviceName={}, lastKnownVersion={}, lastActivationTimeInMillis={}", - isSecureMode, user, response.getStatus(), serviceName, lastKnownVersion, lastActivationTimeInMillis); + LOG.error("Error getting policies; service not found. secureMode={}, response={}, serviceName={}, lastKnownVersion={}, lastActivationTimeInMillis={}", + isSecureMode, response.getStatus(), serviceName, lastKnownVersion, lastActivationTimeInMillis); String exceptionMsg = response.hasEntity() ? response.getEntity(String.class) : null; @@ -196,7 +194,7 @@ public ServicePolicies getServicePoliciesIfUpdated(final long lastKnownVersion, } else { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.warn("Error getting policies. secureMode={}, user={}, response={}, serviceName={}", isSecureMode, user, resp, serviceName); + LOG.warn("Error getting policies. secureMode={}, response={}, serviceName={}", isSecureMode, resp, serviceName); ret = null; } @@ -211,8 +209,7 @@ public RangerRoles getRolesIfUpdated(final long lastKnownRoleVersion, final long LOG.debug("==> RangerAdminRESTClient.getRolesIfUpdated({}, {})", lastKnownRoleVersion, lastActivationTimeInMillis); final RangerRoles ret; - final UserGroupInformation user = MiscUtil.getUGILoginUser(); - final boolean isSecureMode = isKerberosEnabled(user); + final boolean isSecureMode = isAuthenticationEnabled(); final Cookie sessionId = this.sessionId; final Map<String, String> queryParams = new HashMap<>(); 
@@ -225,7 +222,7 @@ public RangerRoles getRolesIfUpdated(final long lastKnownRoleVersion, final long final ClientResponse response; if (isSecureMode) { - LOG.debug("Checking Roles updated as user : {}", user); + LOG.debug("Checking Roles"); response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) () -> { try { @@ -239,7 +236,7 @@ public RangerRoles getRolesIfUpdated(final long lastKnownRoleVersion, final long return null; }); } else { - LOG.debug("Checking Roles updated as user : {}", user); + LOG.debug("Checking Roles (non-secure)"); String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GET_USER_GROUP_ROLES + serviceNameUrlParam; @@ -250,12 +247,12 @@ public RangerRoles getRolesIfUpdated(final long lastKnownRoleVersion, final long if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED || response.getStatus() == HttpServletResponse.SC_NO_CONTENT) { if (response == null) { - LOG.error("Error getting Roles; Received NULL response!!. secureMode={}, user={}, serviceName={}", isSecureMode, user, serviceName); + LOG.error("Error getting Roles; Received NULL response!!. secureMode={}, serviceName={}", isSecureMode, serviceName); } else { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.debug("No change in Roles. secureMode={}, user={}, response={}, serviceName={}, lastKnownRoleVersion={}, lastActivationTimeInMillis={}", - isSecureMode, user, resp, serviceName, lastKnownRoleVersion, lastActivationTimeInMillis); + LOG.debug("No change in Roles. secureMode={}, response={}, serviceName={}, lastKnownRoleVersion={}, lastActivationTimeInMillis={}", + isSecureMode, resp, serviceName, lastKnownRoleVersion, lastActivationTimeInMillis); } ret = null; 
@@ -264,8 +261,8 @@ public RangerRoles getRolesIfUpdated(final long lastKnownRoleVersion, final long } else if (response.getStatus() == HttpServletResponse.SC_NOT_FOUND) { ret = null; - LOG.error("Error getting Roles; service not found. secureMode={}, user={}, response={}, serviceName={}, lastKnownRoleVersion={}, lastActivationTimeInMillis={}", - isSecureMode, user, response.getStatus(), serviceName, lastKnownRoleVersion, lastActivationTimeInMillis); + LOG.error("Error getting Roles; service not found. secureMode={}, response={}, serviceName={}, lastKnownRoleVersion={}, lastActivationTimeInMillis={}", + isSecureMode, response.getStatus(), serviceName, lastKnownRoleVersion, lastActivationTimeInMillis); String exceptionMsg = response.hasEntity() ? response.getEntity(String.class) : null; @@ -275,7 +272,7 @@ public RangerRoles getRolesIfUpdated(final long lastKnownRoleVersion, final long } else { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.warn("Error getting Roles. secureMode={}, user={}, response={}, serviceName={}", isSecureMode, user, resp, serviceName); + LOG.warn("Error getting Roles. secureMode={}, response={}, serviceName={}", isSecureMode, resp, serviceName); ret = null; } @@ -290,8 +287,7 @@ public RangerRole createRole(final RangerRole request) throws Exception { LOG.debug("==> RangerAdminRESTClient.createRole({})", request); final RangerRole ret; - final UserGroupInformation user = MiscUtil.getUGILoginUser(); - final boolean isSecureMode = isKerberosEnabled(user); + final boolean isSecureMode = isAuthenticationEnabled(); final String relativeURL = RangerRESTUtils.REST_URL_SERVICE_CREATE_ROLE; final Cookie sessionId = this.sessionId; final Map<String, String> queryParams = new HashMap<>(); 
@@ -301,7 +297,7 @@ public RangerRole createRole(final RangerRole request) throws Exception { final ClientResponse response; if (isSecureMode) { - LOG.debug("create role as user {}", user); + LOG.debug("Create role"); response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) () -> { try { @@ -321,7 +317,7 @@ public RangerRole createRole(final RangerRole request) throws Exception { if (response != null && response.getStatus() != HttpServletResponse.SC_OK) { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.error("createRole() failed: HTTP status={}, message={}, isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode, (isSecureMode ? (", user=" + user) : "")); + LOG.error("createRole() failed: HTTP status={}, message={}, isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode); if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) { throw new AccessControlException(); @@ -343,8 +339,7 @@ public RangerRole createRole(final RangerRole request) throws Exception { public void dropRole(final String execUser, final String roleName) throws Exception { LOG.debug("==> RangerAdminRESTClient.dropRole({})", roleName); - final UserGroupInformation user = MiscUtil.getUGILoginUser(); - final boolean isSecureMode = isKerberosEnabled(user); + final boolean isSecureMode = isAuthenticationEnabled(); final Cookie sessionId = this.sessionId; final Map<String, String> queryParams = new HashMap<>(); @@ -355,7 +350,7 @@ public void dropRole(final String execUser, final String roleName) throws Except final ClientResponse response; if (isSecureMode) { - LOG.debug("drop role as user {}", user); + LOG.debug("Drop role"); response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) () -> { try { 
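Review bot: The rewritten `LOG.error` in createRole keeps four `{}` placeholders (`isSecure={}{}`) but now passes only three arguments, so the trailing placeholder is emitted literally; the sibling hunks for dropRole, getAllRoles, getUserRoles and the others correctly drop the extra `{}`. Change it to `LOG.error("createRole() failed: HTTP status={}, message={}, isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode);`. createRole's body continues outside the hunk.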
@@ -377,7 +372,7 @@ public void dropRole(final String execUser, final String roleName) throws Except } else if (response.getStatus() != HttpServletResponse.SC_OK && response.getStatus() != HttpServletResponse.SC_NO_CONTENT) { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.error("createRole() failed: HTTP status={}, message={}, isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode, (isSecureMode ? (", user=" + user) : "")); + LOG.error("createRole() failed: HTTP status={}, message={}, isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode); if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) { throw new AccessControlException(); @@ -393,8 +388,7 @@ public void dropRole(final String execUser, final String roleName) throws Except public List<String> getAllRoles(final String execUser) throws Exception { LOG.debug("==> RangerAdminRESTClient.getAllRoles()"); - final UserGroupInformation user = MiscUtil.getUGILoginUser(); - final boolean isSecureMode = isKerberosEnabled(user); + final boolean isSecureMode = isAuthenticationEnabled(); final String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GET_ALL_ROLES; final Cookie sessionId = this.sessionId; final Map<String, String> queryParams = new HashMap<>(); @@ -405,7 +399,7 @@ public List<String> getAllRoles(final String execUser) throws Exception { final ClientResponse response; if (isSecureMode) { - LOG.debug("get roles as user {}", user); + LOG.debug("Get roles"); response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) () -> { try { 
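Review bot: The rewritten error line in dropRole still says `createRole() failed`, a copy-paste label carried over from the old line; since this commit is already rewriting the statement, it should read `LOG.error("dropRole() failed: HTTP status={}, message={}, isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode);` so failures of the two role operations can be told apart when reviewing logs. dropRole's body starts and ends outside the hunk.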
@@ -428,7 +422,7 @@ public List<String> getAllRoles(final String execUser) throws Exception { if (response.getStatus() != HttpServletResponse.SC_OK) { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.error("getAllRoles() failed: HTTP status={}, message={}, isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode, (isSecureMode ? (", user=" + user) : "")); + LOG.error("getAllRoles() failed: HTTP status={}, message={}, isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode); if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) { throw new AccessControlException(); @@ -451,14 +445,13 @@ public List<String> getAllRoles(final String execUser) throws Exception { public List<String> getUserRoles(final String execUser) throws Exception { LOG.debug("==> RangerAdminRESTClient.getUserRoles({})", execUser); - final UserGroupInformation user = MiscUtil.getUGILoginUser(); - final boolean isSecureMode = isKerberosEnabled(user); + final boolean isSecureMode = isAuthenticationEnabled(); final String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GET_USER_ROLES + execUser; final Cookie sessionId = this.sessionId; final ClientResponse response; if (isSecureMode) { - LOG.debug("get roles as user {}", user); + LOG.debug("Get roles"); response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) () -> { try { 
@@ -481,7 +474,7 @@ public List<String> getUserRoles(final String execUser) throws Exception { if (response.getStatus() != HttpServletResponse.SC_OK) { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.error("getUserRoles() failed: HTTP status={}, message={}, isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode, (isSecureMode ? (", user=" + user) : "")); + LOG.error("getUserRoles() failed: HTTP status={}, message={}, isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode); if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) { throw new AccessControlException(); @@ -504,8 +497,7 @@ public List<String> getUserRoles(final String execUser) throws Exception { public RangerRole getRole(final String execUser, final String roleName) throws Exception { LOG.debug("==> RangerAdminRESTClient.getRole({}, {})", execUser, roleName); - final UserGroupInformation user = MiscUtil.getUGILoginUser(); - final boolean isSecureMode = isKerberosEnabled(user); + final boolean isSecureMode = isAuthenticationEnabled(); final String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GET_ROLE_INFO + roleName; final Cookie sessionId = this.sessionId; final Map<String, String> queryParams = new HashMap<>(); @@ -515,7 +507,7 @@ public RangerRole getRole(final String execUser, final String roleName) throws E queryParams.put(RangerRESTUtils.REST_PARAM_EXEC_USER, execUser); if (isSecureMode) { - LOG.debug("get role info as user {}", user); + LOG.debug("Get role info"); response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) () -> { try { 
@@ -538,7 +530,7 @@ public RangerRole getRole(final String execUser, final String roleName) throws E if (response.getStatus() != HttpServletResponse.SC_OK) { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.error("getRole() failed: HTTP status={}, message={}, isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode, (isSecureMode ? (", user=" + user) : "")); + LOG.error("getRole() failed: HTTP status={}, message={}, isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode); if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) { throw new AccessControlException(); @@ -561,14 +553,13 @@ public RangerRole getRole(final String execUser, final String roleName) throws E public void grantRole(final GrantRevokeRoleRequest request) throws Exception { LOG.debug("==> RangerAdminRESTClient.grantRole({})", request); - final UserGroupInformation user = MiscUtil.getUGILoginUser(); - final boolean isSecureMode = isKerberosEnabled(user); + final boolean isSecureMode = isAuthenticationEnabled(); final String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GRANT_ROLE + serviceNameUrlParam; final Cookie sessionId = this.sessionId; final ClientResponse response; if (isSecureMode) { - LOG.debug("grant role as user {}", user); + LOG.debug("Grant role"); response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) () -> { try { 
@@ -588,7 +579,7 @@ public void grantRole(final GrantRevokeRoleRequest request) throws Exception { if (response != null && response.getStatus() != HttpServletResponse.SC_OK) { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.error("grantRole() failed: HTTP status={}, message={}, isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode, (isSecureMode ? (", user=" + user) : "")); + LOG.error("grantRole() failed: HTTP status={}, message={}, isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode); if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) { throw new AccessControlException(); @@ -606,14 +597,13 @@ public void grantRole(final GrantRevokeRoleRequest request) throws Exception { public void revokeRole(final GrantRevokeRoleRequest request) throws Exception { LOG.debug("==> RangerAdminRESTClient.revokeRole({})", request); - final UserGroupInformation user = MiscUtil.getUGILoginUser(); - final boolean isSecureMode = isKerberosEnabled(user); + final boolean isSecureMode = isAuthenticationEnabled(); final String relativeURL = RangerRESTUtils.REST_URL_SERVICE_REVOKE_ROLE + serviceNameUrlParam; final Cookie sessionId = this.sessionId; final ClientResponse response; if (isSecureMode) { - LOG.debug("revoke role as user {}", user); + LOG.debug("Revoke role"); response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) () -> { try { 
@@ -633,7 +623,7 @@ public void revokeRole(final GrantRevokeRoleRequest request) throws Exception { if (response != null && response.getStatus() != HttpServletResponse.SC_OK) { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.error("revokeRole() failed: HTTP status={}, message={}, isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode, (isSecureMode ? (", user=" + user) : "")); + LOG.error("revokeRole() failed: HTTP status={}, message={}, isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode); if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) { throw new AccessControlException(); @@ -651,8 +641,7 @@ public void revokeRole(final GrantRevokeRoleRequest request) throws Exception { public void grantAccess(final GrantRevokeRequest request) throws Exception { LOG.debug("==> RangerAdminRESTClient.grantAccess({})", request); - final UserGroupInformation user = MiscUtil.getUGILoginUser(); - final boolean isSecureMode = isKerberosEnabled(user); + final boolean isSecureMode = isAuthenticationEnabled(); final Cookie sessionId = this.sessionId; final Map<String, String> queryParams = new HashMap<>(); @@ -661,7 +650,7 @@ public void grantAccess(final GrantRevokeRequest request) throws Exception { final ClientResponse response; if (isSecureMode) { - LOG.debug("grantAccess as user {}", user); + LOG.debug("GrantAccess"); response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) () -> { try { 
@@ -685,7 +674,7 @@ public void grantAccess(final GrantRevokeRequest request) throws Exception { if (response != null && response.getStatus() != HttpServletResponse.SC_OK) { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.error("grantAccess() failed: HTTP status={}, message={}, isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode, (isSecureMode ? (", user=" + user) : "")); + LOG.error("grantAccess() failed: HTTP status={}, message={}, isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode); if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) { throw new AccessControlException(); @@ -703,8 +692,7 @@ public void grantAccess(final GrantRevokeRequest request) throws Exception { public void revokeAccess(final GrantRevokeRequest request) throws Exception { LOG.debug("==> RangerAdminRESTClient.revokeAccess({})", request); - final UserGroupInformation user = MiscUtil.getUGILoginUser(); - final boolean isSecureMode = isKerberosEnabled(user); + final boolean isSecureMode = isAuthenticationEnabled(); final Cookie sessionId = this.sessionId; final Map<String, String> queryParams = new HashMap<>(); @@ -713,7 +701,7 @@ public void revokeAccess(final GrantRevokeRequest request) throws Exception { final ClientResponse response; if (isSecureMode) { - LOG.debug("revokeAccess as user {}", user); + LOG.debug("RevokeAccess"); response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) () -> { try { 
@@ -737,7 +725,7 @@ public void revokeAccess(final GrantRevokeRequest request) throws Exception { if (response != null && response.getStatus() != HttpServletResponse.SC_OK) { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.error("revokeAccess() failed: HTTP status={}, message={}, isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode, (isSecureMode ? (", user=" + user) : "")); + LOG.error("revokeAccess() failed: HTTP status={}, message={}, isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode); if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) { throw new AccessControlException(); @@ -755,8 +743,7 @@ public void revokeAccess(final GrantRevokeRequest request) throws Exception { public ServiceTags getServiceTagsIfUpdated(final long lastKnownVersion, final long lastActivationTimeInMillis) throws Exception { LOG.debug("==> RangerAdminRESTClient.getServiceTagsIfUpdated({}, {}): ", lastKnownVersion, lastActivationTimeInMillis); - final UserGroupInformation user = MiscUtil.getUGILoginUser(); - final boolean isSecureMode = isKerberosEnabled(user); + final boolean isSecureMode = isAuthenticationEnabled(); final Cookie sessionId = this.sessionId; final Map<String, String> queryParams = new HashMap<>(); @@ -769,7 +756,7 @@ public ServiceTags getServiceTagsIfUpdated(final long lastKnownVersion, final lo final ClientResponse response; if (isSecureMode) { - LOG.debug("getServiceTagsIfUpdated as user {}", user); + LOG.debug("getServiceTagsIfUpdated"); response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) () -> { try { 
@@ -794,12 +781,12 @@ public ServiceTags getServiceTagsIfUpdated(final long lastKnownVersion, final lo if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED) { if (response == null) { - LOG.error("Error getting tags; Received NULL response!!. secureMode={}, user={}, serviceName={}", isSecureMode, user, serviceName); + LOG.error("Error getting tags; Received NULL response!!. secureMode={}, serviceName={}", isSecureMode, serviceName); } else { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.debug("No change in tags. secureMode={}, user={}, response={}, serviceName={}, lastKnownVersion={}, lastActivationTimeInMillis={}", - isSecureMode, user, resp, serviceName, lastKnownVersion, lastActivationTimeInMillis); + LOG.debug("No change in tags. secureMode={}, response={}, serviceName={}, lastKnownVersion={}, lastActivationTimeInMillis={}", + isSecureMode, resp, serviceName, lastKnownVersion, lastActivationTimeInMillis); } ret = null; @@ -808,8 +795,8 @@ public ServiceTags getServiceTagsIfUpdated(final long lastKnownVersion, final lo } else if (response.getStatus() == HttpServletResponse.SC_NOT_FOUND) { ret = null; - LOG.error("Error getting tags; service not found. secureMode={}, user={}, response={}, serviceName={}, lastKnownVersion={}, lastActivationTimeInMillis={}", - isSecureMode, user, response.getStatus(), serviceName, lastKnownVersion, lastActivationTimeInMillis); + LOG.error("Error getting tags; service not found. secureMode={}, response={}, serviceName={}, lastKnownVersion={}, lastActivationTimeInMillis={}", + isSecureMode, response.getStatus(), serviceName, lastKnownVersion, lastActivationTimeInMillis); String exceptionMsg = response.hasEntity() ? response.getEntity(String.class) : null; 
@@ -819,7 +806,7 @@ public ServiceTags getServiceTagsIfUpdated(final long lastKnownVersion, final lo } else { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.warn("Error getting tags. secureMode={}, user={}, response={}, serviceName={}", isSecureMode, user, resp, serviceName); + LOG.warn("Error getting tags. secureMode={}, response={}, serviceName={}", isSecureMode, resp, serviceName); ret = null; } @@ -834,8 +821,7 @@ public List<String> getTagTypes(String pattern) throws Exception { LOG.debug("==> RangerAdminRESTClient.getTagTypes({}): ", pattern); final String relativeURL = RangerRESTUtils.REST_URL_LOOKUP_TAG_NAMES; - final UserGroupInformation user = MiscUtil.getUGILoginUser(); - final boolean isSecureMode = isKerberosEnabled(user); + final boolean isSecureMode = isAuthenticationEnabled(); final Cookie sessionId = this.sessionId; final Map<String, String> queryParams = new HashMap<>(); @@ -845,7 +831,7 @@ public List<String> getTagTypes(String pattern) throws Exception { final ClientResponse response; if (isSecureMode) { - LOG.debug("getTagTypes as user {}", user); + LOG.debug("getTagTypes"); response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) () -> { try { @@ -883,8 +869,7 @@ public List<String> getTagTypes(String pattern) throws Exception { public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, long lastActivationTimeInMillis) throws Exception { LOG.debug("==> RangerAdminRESTClient.getUserStoreIfUpdated({}, {})", lastKnownUserStoreVersion, lastActivationTimeInMillis); - final UserGroupInformation user = MiscUtil.getUGILoginUser(); - final boolean isSecureMode = isKerberosEnabled(user); + final boolean isSecureMode = isAuthenticationEnabled(); final Cookie sessionId = this.sessionId; final Map<String, String> queryParams = new HashMap<>(); 
@@ -897,7 +882,7 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon final ClientResponse response; if (isSecureMode) { - LOG.debug("Checking UserStore updated as user : {}", user); + LOG.debug("Checking UserStore if updated"); response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) () -> { try { @@ -911,7 +896,7 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon return null; }); } else { - LOG.debug("Checking UserStore updated as user : {}", user); + LOG.debug("Checking UserStore updated"); String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GET_USERSTORE + serviceNameUrlParam; @@ -924,12 +909,12 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED) { if (response == null) { - LOG.error("Error getting UserStore; Received NULL response!!. secureMode={}, user={}, serviceName={}", isSecureMode, user, serviceName); + LOG.error("Error getting UserStore; Received NULL response!!. secureMode={}, serviceName={}", isSecureMode, serviceName); } else { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.debug("No change in UserStore. secureMode={}, user={}, response={}, serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}", - isSecureMode, user, resp, serviceName, lastKnownUserStoreVersion, lastActivationTimeInMillis); + LOG.debug("No change in UserStore. secureMode={}, response={}, serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}", + isSecureMode, resp, serviceName, lastKnownUserStoreVersion, lastActivationTimeInMillis); } ret = null; 
@@ -938,8 +923,8 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon } else if (response.getStatus() == HttpServletResponse.SC_NOT_FOUND) { ret = null; - LOG.error("Error getting UserStore; service not found. secureMode={}, user={}, response={}, serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}", - isSecureMode, user, response.getStatus(), serviceName, lastKnownUserStoreVersion, lastActivationTimeInMillis); + LOG.error("Error getting UserStore; service not found. secureMode={}, response={}, serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}", + isSecureMode, response.getStatus(), serviceName, lastKnownUserStoreVersion, lastActivationTimeInMillis); String exceptionMsg = response.hasEntity() ? response.getEntity(String.class) : null; @@ -949,7 +934,7 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon } else { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.warn("Error getting UserStore. secureMode={}, user={}, response={}, serviceName={}", isSecureMode, user, resp, serviceName); + LOG.warn("Error getting UserStore. secureMode={}, response={}, serviceName={}", isSecureMode, resp, serviceName); ret = null; } @@ -963,8 +948,7 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon public ServiceGdsInfo getGdsInfoIfUpdated(long lastKnownVersion, long lastActivationTimeInMillis) throws Exception { LOG.debug("==> RangerAdminRESTClient.getGdsInfoIfUpdated({}, {})", lastKnownVersion, lastActivationTimeInMillis); - final UserGroupInformation user = MiscUtil.getUGILoginUser(); - final boolean isSecureMode = isKerberosEnabled(user); + final boolean isSecureMode = isAuthenticationEnabled(); final Cookie sessionId = this.sessionId; final Map<String, String> queryParams = new HashMap<>(); 
@@ -974,7 +958,7 @@ public ServiceGdsInfo getGdsInfoIfUpdated(long lastKnownVersion, long lastActiva queryParams.put(RangerRESTUtils.REST_PARAM_CLUSTER_NAME, clusterName); queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES, pluginCapabilities); - LOG.debug("Checking for updated GdsInfo: secureMode={}, user={}, serviceName={}", isSecureMode, user, serviceName); + LOG.debug("Checking for updated GdsInfo: secureMode={}, serviceName={}", isSecureMode, serviceName); final ClientResponse response; 
@@ -1003,21 +987,21 @@ public ServiceGdsInfo getGdsInfoIfUpdated(long lastKnownVersion, long lastActiva
 if (response == null) {
 ret = null;
- LOG.error("Error getting GdsInfo - received NULL response: secureMode={}, user={}, serviceName={}", isSecureMode, user, serviceName);
+ LOG.error("Error getting GdsInfo - received NULL response: secureMode={}, serviceName={}", isSecureMode, serviceName);
 } else if (response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED) {
 ret = null;
 RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.debug("No change in GdsInfo: secureMode={}, user={}, response={}, serviceName={}, lastKnownGdsVersion={}, lastActivationTimeInMillis={}",
- isSecureMode, user, resp, serviceName, lastKnownVersion, lastActivationTimeInMillis);
+ LOG.debug("No change in GdsInfo: secureMode={}, response={}, serviceName={}, lastKnownGdsVersion={}, lastActivationTimeInMillis={}",
+ isSecureMode, resp, serviceName, lastKnownVersion, lastActivationTimeInMillis);
 } else if (response.getStatus() == HttpServletResponse.SC_OK) {
 ret = JsonUtilsV2.readResponse(response, ServiceGdsInfo.class);
 } else if (response.getStatus() == HttpServletResponse.SC_NOT_FOUND) {
 ret = null;
- LOG.error("Error getting GdsInfo - service not found: secureMode={}, user={}, response={}, serviceName={}, lastKnownGdsVersion={},lastActivationTimeInMillis={}",
- isSecureMode, user, response.getStatus(), serviceName, lastKnownVersion, lastActivationTimeInMillis);
+ LOG.error("Error getting GdsInfo - service not found: secureMode={}, response={}, serviceName={}, lastKnownGdsVersion={},lastActivationTimeInMillis={}",
+ isSecureMode, response.getStatus(), serviceName, lastKnownVersion, lastActivationTimeInMillis);
 String exceptionMsg = response.hasEntity() ? response.getEntity(String.class) : null;
@@ -1029,8 +1013,8 @@ public ServiceGdsInfo getGdsInfoIfUpdated(long lastKnownVersion, long lastActiva
 RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.warn("Error getting GdsInfo: unexpected status code {}: secureMode={}, user={}, response={}, serviceName={}",
- response.getStatus(), isSecureMode, user, resp, serviceName);
+ LOG.warn("Error getting GdsInfo: unexpected status code {}: secureMode={}, response={}, serviceName={}",
+ response.getStatus(), isSecureMode, resp, serviceName);
 }
 LOG.debug("<== RangerAdminRESTClient.getGdsInfoIfUpdated({}, {}): ret={}", lastKnownVersion, lastActivationTimeInMillis, ret);
diff --git a/agents-common/src/test/java/org/apache/ranger/admin/client/TestAbstractRangerAdminClient.java b/agents-common/src/test/java/org/apache/ranger/admin/client/TestAbstractRangerAdminClient.java
index 550983ee3..549051b7d 100644
--- a/agents-common/src/test/java/org/apache/ranger/admin/client/TestAbstractRangerAdminClient.java
+++ b/agents-common/src/test/java/org/apache/ranger/admin/client/TestAbstractRangerAdminClient.java
@@ -95,4 +95,13 @@ public void test03_defaultNoOpMethodsReturnNullOrNoThrow() throws Exception {
 Assertions.assertNull(c.getUserStoreIfUpdated(1L, 2L));
 Assertions.assertNull(c.getGdsInfoIfUpdated(1L, 2L));
 }
+
+ @Test
+ public void test04_isSecureEndpointAccess() {
+ DummyClient c = new DummyClient();
+ Configuration cfg = new Configuration(false);
+ cfg.setBoolean("ranger.plugin.forceSecureEndpointAccess", true);
+ c.init("svc", "app", "ranger.plugin", cfg);
+ Assertions.assertTrue(c.isAuthenticationEnabled());
+ }
 }
diff --git a/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java b/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
index e5866d2dd..5c363d36c 100644
--- a/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
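Review bot: test04 only pins the flag-on case; nothing asserts that `forceSecureEndpointAccess` defaults to false, so a regression that made the default true (routing every plugin to the secure endpoints) would still pass. Add a second client initialised from a Configuration that omits the key, with `cfg2.setBoolean("ranger.plugin.forceNonKerberos", true);` so the Kerberos term of `isAuthenticationEnabled()` is deterministic in the test JVM, then `Assertions.assertFalse(c2.isAuthenticationEnabled());`. A test name such as `test04_forceSecureEndpointAccessFlag` would also describe what is actually exercised better than "isSecureEndpointAccess".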
+++ b/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
@@ -28,7 +28,6 @@
 import org.apache.commons.lang3.StringUtils;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.security.AccessControlException;
-import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.ranger.audit.provider.MiscUtil;
 import org.apache.ranger.authorization.utils.StringUtil;
 import org.apache.ranger.plugin.util.GrantRevokeRequest;
@@ -287,8 +286,7 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon
 final RangerUserStore ret;
 final Response response;
- final UserGroupInformation user = MiscUtil.getUGILoginUser();
- final boolean isSecureMode = isKerberosEnabled(user);
+ final boolean isSecureMode = isAuthenticationEnabled();
 Map<String, String> queryParams = new HashMap<>();
 queryParams.put(RangerRESTUtils.REST_PARAM_LAST_KNOWN_USERSTORE_VERSION, Long.toString(lastKnownUserStoreVersion));
@@ -298,8 +296,6 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon
 queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES, pluginCapabilities);
 if (isSecureMode) {
- LOG.debug("Checking UserStore updated as user: {}", user);
-
 response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> {
 try {
 String relativeURL = RangerRESTUtils.REST_URL_SERVICE_SERCURE_GET_USERSTORE + serviceNameUrlParam;
@@ -312,8 +308,6 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon
 return null;
 });
 } else {
- LOG.debug("Checking UserStore updated as user: {}", user);
-
 String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GET_USERSTORE + serviceNameUrlParam;
 response = get(queryParams, relativeURL);
@@ -321,12 +315,12 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon
 if (response == null || response.getStatus() == 304) { // NOT_MODIFIED
 if (response == null) {
- LOG.error("Error getting UserStore; Received NULL response!!. secureMode={}, user={}, serviceName={}", isSecureMode, user, serviceName);
+ LOG.error("Error getting UserStore; Received NULL response!!. secureMode={}, serviceName={}", isSecureMode, serviceName);
 } else {
 String resp = response.hasEntity() ? response.readEntity(String.class) : null;
- LOG.debug("No change in UserStore. secureMode={}, user={}, response={}, serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}",
- isSecureMode, user, resp, serviceName, lastKnownUserStoreVersion, lastActivationTimeInMillis);
+ LOG.debug("No change in UserStore. secureMode={}, response={}, serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}",
+ isSecureMode, resp, serviceName, lastKnownUserStoreVersion, lastActivationTimeInMillis);
 }
 ret = null;
@@ -337,8 +331,8 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon
 } else if (response.getStatus() == 404) { // NOT_FOUND
 ret = null;
- LOG.error("Error getting UserStore; service not found. secureMode={}, user={}, response={}, serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}",
- isSecureMode, user, response.getStatus(), serviceName, lastKnownUserStoreVersion, lastActivationTimeInMillis);
+ LOG.error("Error getting UserStore; service not found. secureMode={}, response={}, serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}",
+ isSecureMode, response.getStatus(), serviceName, lastKnownUserStoreVersion, lastActivationTimeInMillis);
 String exceptionMsg = response.hasEntity() ? response.readEntity(String.class) : null;
@@ -348,8 +342,8 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon
 } else {
 String resp = response.hasEntity() ? response.readEntity(String.class) : null;
- LOG.warn("Error getting UserStore. secureMode={}, user={}, response={}, serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}",
- isSecureMode, user, resp, serviceName, lastKnownUserStoreVersion, lastActivationTimeInMillis);
+ LOG.warn("Error getting UserStore. secureMode={}, response={}, serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}",
+ isSecureMode, resp, serviceName, lastKnownUserStoreVersion, lastActivationTimeInMillis);
 ret = null;
 }
@@ -599,7 +593,7 @@ private ServicePolicies getServicePoliciesIfUpdatedWithCred(final long lastKnown
 policyDownloadSessionId = null;
 body = response.readEntity(String.class);
- LOG.warn("Unexpected: Received status[{}] with body[{}] form url[{}]", httpResponseCode, body, getRelativeURL(isSecureMode()));
+ LOG.warn("Unexpected: Received status[{}] with body[{}] form url[{}]", httpResponseCode, body, getRelativeURL(isAuthenticationEnabled()));
 break;
 }
@@ -665,7 +659,7 @@ private ServicePolicies getServicePoliciesIfUpdatedWithCookie(final long lastKno
 isValidPolicyDownloadSessionCookie = false;
 body = response.readEntity(String.class);
- LOG.warn("Unexpected: Received status[{}] with body[{}] form url[{}]", httpResponseCode, body, getRelativeURL(isSecureMode()));
+ LOG.warn("Unexpected: Received status[{}] with body[{}] form url[{}]", httpResponseCode, body, getRelativeURL(isAuthenticationEnabled()));
 break;
 }
@@ -687,10 +681,8 @@ private Response getRangerAdminPolicyDownloadResponse(final long lastKnownVersio
 queryParams.put(RangerRESTUtils.REST_PARAM_SUPPORTS_POLICY_DELTAS, Boolean.toString(supportsPolicyDeltas));
 queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES, pluginCapabilities);
- if (isSecureMode()) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Checking Service policy if updated as user : {}", MiscUtil.getUGILoginUser());
- }
+ if (isAuthenticationEnabled()) {
+ LOG.debug("Checking Service policy if updated");
 ret = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> get(queryParams, getRelativeURL(true), policyDownloadSessionId));
 } else {
@@ -804,7 +796,7 @@ private ServiceTags getServiceTagsIfUpdatedWithCred(final long lastKnownVersion,
 tagDownloadSessionId = null;
 body = response.readEntity(String.class);
- LOG.warn("Unexpected: Received status[{}] with body[{}] form url[{}]", httpResponseCode, body, getRelativeURLForTagDownload(isSecureMode()));
+ LOG.warn("Unexpected: Received status[{}] with body[{}] form url[{}]", httpResponseCode, body, getRelativeURLForTagDownload(isAuthenticationEnabled()));
 break;
 }
@@ -891,10 +883,8 @@ private Response getTagsDownloadResponse(final long lastKnownVersion, final long
 queryParams.put(RangerRESTUtils.REST_PARAM_SUPPORTS_TAG_DELTAS, Boolean.toString(supportsTagDeltas));
 queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES, pluginCapabilities);
- if (isSecureMode()) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Checking Service tags if updated as user : {}", MiscUtil.getUGILoginUser());
- }
+ if (isAuthenticationEnabled()) {
+ LOG.debug("Checking Service tags if updated");
 ret = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> get(queryParams, getRelativeURLForTagDownload(true), tagDownloadSessionId));
 } else {
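Review bot: When `isAuthenticationEnabled()` is true because of `forceSecureEndpointAccess` alone, this branch still wraps `get(...)` in `MiscUtil.executePrivilegedAction` under a login UGI that has no Kerberos credentials, and nothing in the hunk or its comments says what then authenticates the request to `getRelativeURL(true)` — presumably a credential that `get` attaches itself, but if not, the only effect of the flag is a 401 where the plain endpoint used to work. That expectation should be written down where the branch is selected, e.g. `// forceSecureEndpointAccess can select this path without Kerberos; get() must then supply non-Kerberos credentials`. The same applies to getTagsDownloadResponse in this hunk group and getRoleDownloadResponse in the next one. Each of these methods begins and ends outside its hunk.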
@@ -1006,7 +996,7 @@ private RangerRoles getRangerRolesIfUpdatedWithCred(final long lastKnownRoleVers
 roleDownloadSessionId = null;
 body = response.readEntity(String.class);
- LOG.warn("Unexpected: Received status[{}] with body[{}] form url[{}]", httpResponseCode, body, getRelativeURLForRoleDownload(isSecureMode()));
+ LOG.warn("Unexpected: Received status[{}] with body[{}] form url[{}]", httpResponseCode, body, getRelativeURLForRoleDownload(isAuthenticationEnabled()));
 break;
 }
@@ -1073,7 +1063,7 @@ private RangerRoles getRangerRolesIfUpdatedWithCookie(final long lastKnownRoleVe
 isValidRoleDownloadSessionCookie = false;
 body = response.readEntity(String.class);
- LOG.warn("Unexpected: Received status[{}] with body[{}] form url[{}]", httpResponseCode, body, getRelativeURLForRoleDownload(isSecureMode()));
+ LOG.warn("Unexpected: Received status[{}] with body[{}] form url[{}]", httpResponseCode, body, getRelativeURLForRoleDownload(isAuthenticationEnabled()));
 break;
 }
@@ -1094,10 +1084,8 @@ private Response getRoleDownloadResponse(final long lastKnownRoleVersion, final
 queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
 queryParams.put(RangerRESTUtils.REST_PARAM_CLUSTER_NAME, clusterName);
- if (isSecureMode()) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Checking Roles if updated as user : {}", MiscUtil.getUGILoginUser());
- }
+ if (isAuthenticationEnabled()) {
+ LOG.debug("Checking Roles if updated");
 ret = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> get(queryParams, getRelativeURLForRoleDownload(true), roleDownloadSessionId));
 } else {
@@ -1156,10 +1144,6 @@ private void setCookieReceivedFromRoleDownloadSession(Response response) {
 }
 }
- private boolean isSecureMode() {
- return isKerberosEnabled(MiscUtil.getUGILoginUser());
- }
-
 // We get date from the policy manager as unix long! This deserializer exists to deal with it. Remove this class once we start send date/time per RFC 3339
 public static class GsonUnixDateDeserializer implements JsonDeserializer<Date> {
 @Override
