This is an automated email from the ASF dual-hosted git repository.
abhi pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 370edde40 RANGER-5488: Allow clients to access secure API endpoints in
Ranger admin forcibly via config (#849)
370edde40 is described below
commit 370edde40a2efefb93c5feefdae6bcac4aa2b708
Author: Abhishek Kumar <[email protected]>
AuthorDate: Wed Feb 11 18:20:41 2026 -0800
RANGER-5488: Allow clients to access secure API endpoints in Ranger admin
forcibly via config (#849)
---
.../admin/client/AbstractRangerAdminClient.java | 15 +-
.../ranger/admin/client/RangerAdminRESTClient.java | 165 ++++++++++-----------
.../ranger/plugin/util/RangerRESTClient.java | 4 +
.../client/TestAbstractRangerAdminClient.java | 9 ++
.../admin/client/RangerAdminJersey2RESTClient.java | 54 +++----
5 files changed, 123 insertions(+), 124 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/admin/client/AbstractRangerAdminClient.java
b/agents-common/src/main/java/org/apache/ranger/admin/client/AbstractRangerAdminClient.java
index d22a87d42..551111f0c 100644
---
a/agents-common/src/main/java/org/apache/ranger/admin/client/AbstractRangerAdminClient.java
+++
b/agents-common/src/main/java/org/apache/ranger/admin/client/AbstractRangerAdminClient.java
@@ -23,6 +23,7 @@
import com.google.gson.GsonBuilder;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.ranger.audit.provider.MiscUtil;
import org.apache.ranger.plugin.model.RangerRole;
import org.apache.ranger.plugin.util.GrantRevokeRequest;
import org.apache.ranger.plugin.util.GrantRevokeRoleRequest;
@@ -43,6 +44,8 @@ public abstract class AbstractRangerAdminClient implements
RangerAdminClient {
private boolean forceNonKerberos;
+ private boolean forceSecureEndpointAccess;
+
@Override
public void init(String serviceName, String appId, String
configPropertyPrefix, Configuration config) {
Gson gson = null;
@@ -54,7 +57,8 @@ public void init(String serviceName, String appId, String
configPropertyPrefix,
}
this.gson = gson;
- this.forceNonKerberos = config.getBoolean(configPropertyPrefix +
".forceNonKerberos", false);
+ this.forceNonKerberos =
config.getBoolean(configPropertyPrefix + ".forceNonKerberos", false);
+ this.forceSecureEndpointAccess =
config.getBoolean(configPropertyPrefix + ".forceSecureEndpointAccess", false);
}
@Override
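Review bot: Nothing in init() records that `forceSecureEndpointAccess` has been switched on, although the flag changes which endpoint family every later request uses. It makes `isAuthenticationEnabled()` (added further down in this file) return true whether or not the login user holds Kerberos credentials. A one-time line after the two reads would let operators see which setting decided the mode, for example `LOG.info("forceNonKerberos={}, forceSecureEndpointAccess={}", forceNonKerberos, forceSecureEndpointAccess);`. init() begins and ends outside this hunk.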
@@ -127,12 +131,21 @@ public ServiceGdsInfo getGdsInfoIfUpdated(long
lastKnownVersion, long lastActiva
return null;
}
+ public boolean isAuthenticationEnabled() {
+ return forceSecureEndpointAccess || isKerberosEnabled();
+ }
+
+ public boolean isKerberosEnabled() {
+ return isKerberosEnabled(MiscUtil.getUGILoginUser());
+ }
+
public boolean isKerberosEnabled(UserGroupInformation user) {
final boolean ret;
if (forceNonKerberos) {
ret = false;
} else {
+ LOG.debug("UGI user: {}", user);
ret = user != null && UserGroupInformation.isSecurityEnabled() &&
user.hasKerberosCredentials();
}
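Review bot: `isAuthenticationEnabled()` lets `forceSecureEndpointAccess` take precedence over `forceNonKerberos`, and that precedence is not documented on either new public method. With both properties set to true, `isKerberosEnabled()` returns false while callers still take the secure path. The credential presented on that path is not visible in this diff, and neither is the behaviour of `MiscUtil.executePrivilegedAction` when there is no Kerberos login user, so both deserve confirmation. I would add Javadoc to `isAuthenticationEnabled()` stating that it is true when forced by configuration or when the login user has Kerberos credentials, that the force flag overrides `forceNonKerberos`, and that forcing does not itself verify any credential. The body of `isKerberosEnabled(UserGroupInformation)` continues past the end of this hunk.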
diff --git
a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
index 1a1e9c8e9..62aac0a4b 100644
---
a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
+++
b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
@@ -23,7 +23,6 @@
import com.sun.jersey.api.client.ClientResponse;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.AccessControlException;
-import org.apache.hadoop.security.UserGroupInformation;
import org.apache.http.HttpStatus;
import org.apache.ranger.admin.client.datatype.RESTResponse;
import org.apache.ranger.audit.provider.MiscUtil;
@@ -131,8 +130,7 @@ public ServicePolicies getServicePoliciesIfUpdated(final
long lastKnownVersion,
LOG.debug("==> RangerAdminRESTClient.getServicePoliciesIfUpdated({},
{})", lastKnownVersion, lastActivationTimeInMillis);
final ServicePolicies ret;
- final UserGroupInformation user = MiscUtil.getUGILoginUser();
- final boolean isSecureMode = isKerberosEnabled(user);
+ final boolean isSecureMode = isAuthenticationEnabled();
final Cookie sessionId = this.sessionId;
final Map<String, String> queryParams = new HashMap<>();
@@ -146,7 +144,7 @@ public ServicePolicies getServicePoliciesIfUpdated(final
long lastKnownVersion,
final ClientResponse response;
if (isSecureMode) {
- LOG.debug("Checking Service policy if updated as user : {}", user);
+ LOG.debug("Checking Service policy if updated");
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) ()
-> {
try {
@@ -171,12 +169,12 @@ public ServicePolicies getServicePoliciesIfUpdated(final
long lastKnownVersion,
if (response == null || response.getStatus() ==
HttpServletResponse.SC_NOT_MODIFIED || response.getStatus() ==
HttpServletResponse.SC_NO_CONTENT) {
if (response == null) {
- LOG.error("Error getting policies; Received NULL response!!.
secureMode={}, user={}, serviceName={}", isSecureMode, user, serviceName);
+ LOG.error("Error getting policies; Received NULL response!!.
secureMode={}, serviceName={}", isSecureMode, serviceName);
} else {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.debug("No change in policies. secureMode={}, user={},
response={}, serviceName={}, lastKnownVersion={},
lastActivationTimeInMillis={}",
- isSecureMode, user, resp, serviceName,
lastKnownVersion, lastActivationTimeInMillis);
+ LOG.debug("No change in policies. secureMode={}, response={},
serviceName={}, lastKnownVersion={}, lastActivationTimeInMillis={}",
+ isSecureMode, resp, serviceName, lastKnownVersion,
lastActivationTimeInMillis);
}
ret = null;
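Review bot: The messages in this hunk no longer name the principal, and `secureMode` is now true both for a real Kerberos login and for the forced setting. A NULL response therefore cannot be attributed to either mode from the log alone. The same loss applies to the parallel messages in getRolesIfUpdated, getServiceTagsIfUpdated, getUserStoreIfUpdated, getGdsInfoIfUpdated and the role and grant/revoke methods, including their SC_UNAUTHORIZED paths. The only remaining trace of the user is the debug line added in `isKerberosEnabled(UserGroupInformation)`. Consider keeping the distinction at error level, for instance by adding `kerberos={}` to the format string with `isKerberosEnabled()` as its argument.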
@@ -185,8 +183,8 @@ public ServicePolicies getServicePoliciesIfUpdated(final
long lastKnownVersion,
} else if (response.getStatus() == HttpServletResponse.SC_NOT_FOUND) {
ret = null;
- LOG.error("Error getting policies; service not found.
secureMode={}, user={}, response={}, serviceName={}, lastKnownVersion={},
lastActivationTimeInMillis={}",
- isSecureMode, user, response.getStatus(), serviceName,
lastKnownVersion, lastActivationTimeInMillis);
+ LOG.error("Error getting policies; service not found.
secureMode={}, response={}, serviceName={}, lastKnownVersion={},
lastActivationTimeInMillis={}",
+ isSecureMode, response.getStatus(), serviceName,
lastKnownVersion, lastActivationTimeInMillis);
String exceptionMsg = response.hasEntity() ?
response.getEntity(String.class) : null;
@@ -196,7 +194,7 @@ public ServicePolicies getServicePoliciesIfUpdated(final
long lastKnownVersion,
} else {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.warn("Error getting policies. secureMode={}, user={},
response={}, serviceName={}", isSecureMode, user, resp, serviceName);
+ LOG.warn("Error getting policies. secureMode={}, response={},
serviceName={}", isSecureMode, resp, serviceName);
ret = null;
}
@@ -211,8 +209,7 @@ public RangerRoles getRolesIfUpdated(final long
lastKnownRoleVersion, final long
LOG.debug("==> RangerAdminRESTClient.getRolesIfUpdated({}, {})",
lastKnownRoleVersion, lastActivationTimeInMillis);
final RangerRoles ret;
- final UserGroupInformation user = MiscUtil.getUGILoginUser();
- final boolean isSecureMode = isKerberosEnabled(user);
+ final boolean isSecureMode = isAuthenticationEnabled();
final Cookie sessionId = this.sessionId;
final Map<String, String> queryParams = new HashMap<>();
@@ -225,7 +222,7 @@ public RangerRoles getRolesIfUpdated(final long
lastKnownRoleVersion, final long
final ClientResponse response;
if (isSecureMode) {
- LOG.debug("Checking Roles updated as user : {}", user);
+ LOG.debug("Checking Roles");
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) ()
-> {
try {
@@ -239,7 +236,7 @@ public RangerRoles getRolesIfUpdated(final long
lastKnownRoleVersion, final long
return null;
});
} else {
- LOG.debug("Checking Roles updated as user : {}", user);
+ LOG.debug("Checking Roles (non-secure)");
String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_GET_USER_GROUP_ROLES + serviceNameUrlParam;
@@ -250,12 +247,12 @@ public RangerRoles getRolesIfUpdated(final long
lastKnownRoleVersion, final long
if (response == null || response.getStatus() ==
HttpServletResponse.SC_NOT_MODIFIED || response.getStatus() ==
HttpServletResponse.SC_NO_CONTENT) {
if (response == null) {
- LOG.error("Error getting Roles; Received NULL response!!.
secureMode={}, user={}, serviceName={}", isSecureMode, user, serviceName);
+ LOG.error("Error getting Roles; Received NULL response!!.
secureMode={}, serviceName={}", isSecureMode, serviceName);
} else {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.debug("No change in Roles. secureMode={}, user={},
response={}, serviceName={}, lastKnownRoleVersion={},
lastActivationTimeInMillis={}",
- isSecureMode, user, resp, serviceName,
lastKnownRoleVersion, lastActivationTimeInMillis);
+ LOG.debug("No change in Roles. secureMode={}, response={},
serviceName={}, lastKnownRoleVersion={}, lastActivationTimeInMillis={}",
+ isSecureMode, resp, serviceName, lastKnownRoleVersion,
lastActivationTimeInMillis);
}
ret = null;
@@ -264,8 +261,8 @@ public RangerRoles getRolesIfUpdated(final long
lastKnownRoleVersion, final long
} else if (response.getStatus() == HttpServletResponse.SC_NOT_FOUND) {
ret = null;
- LOG.error("Error getting Roles; service not found. secureMode={},
user={}, response={}, serviceName={}, lastKnownRoleVersion={},
lastActivationTimeInMillis={}",
- isSecureMode, user, response.getStatus(), serviceName,
lastKnownRoleVersion, lastActivationTimeInMillis);
+ LOG.error("Error getting Roles; service not found. secureMode={},
response={}, serviceName={}, lastKnownRoleVersion={},
lastActivationTimeInMillis={}",
+ isSecureMode, response.getStatus(), serviceName,
lastKnownRoleVersion, lastActivationTimeInMillis);
String exceptionMsg = response.hasEntity() ?
response.getEntity(String.class) : null;
@@ -275,7 +272,7 @@ public RangerRoles getRolesIfUpdated(final long
lastKnownRoleVersion, final long
} else {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.warn("Error getting Roles. secureMode={}, user={},
response={}, serviceName={}", isSecureMode, user, resp, serviceName);
+ LOG.warn("Error getting Roles. secureMode={}, response={},
serviceName={}", isSecureMode, resp, serviceName);
ret = null;
}
@@ -290,8 +287,7 @@ public RangerRole createRole(final RangerRole request)
throws Exception {
LOG.debug("==> RangerAdminRESTClient.createRole({})", request);
final RangerRole ret;
- final UserGroupInformation user = MiscUtil.getUGILoginUser();
- final boolean isSecureMode = isKerberosEnabled(user);
+ final boolean isSecureMode = isAuthenticationEnabled();
final String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_CREATE_ROLE;
final Cookie sessionId = this.sessionId;
final Map<String, String> queryParams = new HashMap<>();
@@ -301,7 +297,7 @@ public RangerRole createRole(final RangerRole request)
throws Exception {
final ClientResponse response;
if (isSecureMode) {
- LOG.debug("create role as user {}", user);
+ LOG.debug("Create role");
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) ()
-> {
try {
@@ -321,7 +317,7 @@ public RangerRole createRole(final RangerRole request)
throws Exception {
if (response != null && response.getStatus() !=
HttpServletResponse.SC_OK) {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.error("createRole() failed: HTTP status={}, message={},
isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode,
(isSecureMode ? (", user=" + user) : ""));
+ LOG.error("createRole() failed: HTTP status={}, message={},
isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode);
if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) {
throw new AccessControlException();
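Review bot: The rewritten `createRole() failed` message still ends in `isSecure={}{}`, but only three arguments are passed now that the user suffix has been removed. SLF4J will leave the unmatched placeholder in the output as a literal `{}`. The format string should be `"createRole() failed: HTTP status={}, message={}, isSecure={}"`, which matches what this commit does in dropRole, getAllRoles and the other methods. createRole's body starts and ends outside this hunk.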
@@ -343,8 +339,7 @@ public RangerRole createRole(final RangerRole request)
throws Exception {
public void dropRole(final String execUser, final String roleName) throws
Exception {
LOG.debug("==> RangerAdminRESTClient.dropRole({})", roleName);
- final UserGroupInformation user = MiscUtil.getUGILoginUser();
- final boolean isSecureMode = isKerberosEnabled(user);
+ final boolean isSecureMode = isAuthenticationEnabled();
final Cookie sessionId = this.sessionId;
final Map<String, String> queryParams = new HashMap<>();
@@ -355,7 +350,7 @@ public void dropRole(final String execUser, final String
roleName) throws Except
final ClientResponse response;
if (isSecureMode) {
- LOG.debug("drop role as user {}", user);
+ LOG.debug("Drop role");
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) ()
-> {
try {
@@ -377,7 +372,7 @@ public void dropRole(final String execUser, final String
roleName) throws Except
} else if (response.getStatus() != HttpServletResponse.SC_OK &&
response.getStatus() != HttpServletResponse.SC_NO_CONTENT) {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.error("createRole() failed: HTTP status={}, message={},
isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode,
(isSecureMode ? (", user=" + user) : ""));
+ LOG.error("createRole() failed: HTTP status={}, message={},
isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode);
if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) {
throw new AccessControlException();
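Review bot: The error line touched in this hunk belongs to dropRole but still logs `createRole() failed`, so a failed drop is recorded under the wrong operation. That misleads anyone reconstructing role changes from the plugin log. Since the line is being edited anyway, change it to `LOG.error("dropRole() failed: HTTP status={}, message={}, isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode);`. dropRole's body starts and ends outside this hunk.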
@@ -393,8 +388,7 @@ public void dropRole(final String execUser, final String
roleName) throws Except
public List<String> getAllRoles(final String execUser) throws Exception {
LOG.debug("==> RangerAdminRESTClient.getAllRoles()");
- final UserGroupInformation user = MiscUtil.getUGILoginUser();
- final boolean isSecureMode = isKerberosEnabled(user);
+ final boolean isSecureMode = isAuthenticationEnabled();
final String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_GET_ALL_ROLES;
final Cookie sessionId = this.sessionId;
final Map<String, String> queryParams = new HashMap<>();
@@ -405,7 +399,7 @@ public List<String> getAllRoles(final String execUser)
throws Exception {
final ClientResponse response;
if (isSecureMode) {
- LOG.debug("get roles as user {}", user);
+ LOG.debug("Get roles");
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) ()
-> {
try {
@@ -428,7 +422,7 @@ public List<String> getAllRoles(final String execUser)
throws Exception {
if (response.getStatus() != HttpServletResponse.SC_OK) {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.error("getAllRoles() failed: HTTP status={}, message={},
isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode,
(isSecureMode ? (", user=" + user) : ""));
+ LOG.error("getAllRoles() failed: HTTP status={}, message={},
isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode);
if (response.getStatus() ==
HttpServletResponse.SC_UNAUTHORIZED) {
throw new AccessControlException();
@@ -451,14 +445,13 @@ public List<String> getAllRoles(final String execUser)
throws Exception {
public List<String> getUserRoles(final String execUser) throws Exception {
LOG.debug("==> RangerAdminRESTClient.getUserRoles({})", execUser);
- final UserGroupInformation user = MiscUtil.getUGILoginUser();
- final boolean isSecureMode = isKerberosEnabled(user);
+ final boolean isSecureMode = isAuthenticationEnabled();
final String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_GET_USER_ROLES + execUser;
final Cookie sessionId = this.sessionId;
final ClientResponse response;
if (isSecureMode) {
- LOG.debug("get roles as user {}", user);
+ LOG.debug("Get roles");
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) ()
-> {
try {
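Review bot: `execUser` is appended to `RangerRESTUtils.REST_URL_SERVICE_GET_USER_ROLES` as a raw path segment, and getRole does the same with `roleName`. Whether the REST client percent-encodes the resulting path is not visible in this diff. If it does not, a value containing `/`, `?` or `#` would change the request path sent to Ranger admin, which matters more now that these calls can be directed at the secure endpoints by configuration. I would either encode the segment before concatenation or state the precondition with a comment such as `// execUser is used as a URL path segment; callers must pass a validated user name`. The method body continues past the end of this hunk.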
@@ -481,7 +474,7 @@ public List<String> getUserRoles(final String execUser)
throws Exception {
if (response.getStatus() != HttpServletResponse.SC_OK) {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.error("getUserRoles() failed: HTTP status={}, message={},
isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode,
(isSecureMode ? (", user=" + user) : ""));
+ LOG.error("getUserRoles() failed: HTTP status={}, message={},
isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode);
if (response.getStatus() ==
HttpServletResponse.SC_UNAUTHORIZED) {
throw new AccessControlException();
@@ -504,8 +497,7 @@ public List<String> getUserRoles(final String execUser)
throws Exception {
public RangerRole getRole(final String execUser, final String roleName)
throws Exception {
LOG.debug("==> RangerAdminRESTClient.getRole({}, {})", execUser,
roleName);
- final UserGroupInformation user = MiscUtil.getUGILoginUser();
- final boolean isSecureMode = isKerberosEnabled(user);
+ final boolean isSecureMode = isAuthenticationEnabled();
final String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_GET_ROLE_INFO + roleName;
final Cookie sessionId = this.sessionId;
final Map<String, String> queryParams = new HashMap<>();
@@ -515,7 +507,7 @@ public RangerRole getRole(final String execUser, final
String roleName) throws E
queryParams.put(RangerRESTUtils.REST_PARAM_EXEC_USER, execUser);
if (isSecureMode) {
- LOG.debug("get role info as user {}", user);
+ LOG.debug("Get role info");
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) ()
-> {
try {
@@ -538,7 +530,7 @@ public RangerRole getRole(final String execUser, final
String roleName) throws E
if (response.getStatus() != HttpServletResponse.SC_OK) {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.error("getRole() failed: HTTP status={}, message={},
isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode,
(isSecureMode ? (", user=" + user) : ""));
+ LOG.error("getRole() failed: HTTP status={}, message={},
isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode);
if (response.getStatus() ==
HttpServletResponse.SC_UNAUTHORIZED) {
throw new AccessControlException();
@@ -561,14 +553,13 @@ public RangerRole getRole(final String execUser, final
String roleName) throws E
public void grantRole(final GrantRevokeRoleRequest request) throws
Exception {
LOG.debug("==> RangerAdminRESTClient.grantRole({})", request);
- final UserGroupInformation user = MiscUtil.getUGILoginUser();
- final boolean isSecureMode = isKerberosEnabled(user);
+ final boolean isSecureMode = isAuthenticationEnabled();
final String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_GRANT_ROLE + serviceNameUrlParam;
final Cookie sessionId = this.sessionId;
final ClientResponse response;
if (isSecureMode) {
- LOG.debug("grant role as user {}", user);
+ LOG.debug("Grant role");
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) ()
-> {
try {
@@ -588,7 +579,7 @@ public void grantRole(final GrantRevokeRoleRequest request)
throws Exception {
if (response != null && response.getStatus() !=
HttpServletResponse.SC_OK) {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.error("grantRole() failed: HTTP status={}, message={},
isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode,
(isSecureMode ? (", user=" + user) : ""));
+ LOG.error("grantRole() failed: HTTP status={}, message={},
isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode);
if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) {
throw new AccessControlException();
@@ -606,14 +597,13 @@ public void grantRole(final GrantRevokeRoleRequest
request) throws Exception {
public void revokeRole(final GrantRevokeRoleRequest request) throws
Exception {
LOG.debug("==> RangerAdminRESTClient.revokeRole({})", request);
- final UserGroupInformation user = MiscUtil.getUGILoginUser();
- final boolean isSecureMode = isKerberosEnabled(user);
+ final boolean isSecureMode = isAuthenticationEnabled();
final String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_REVOKE_ROLE + serviceNameUrlParam;
final Cookie sessionId = this.sessionId;
final ClientResponse response;
if (isSecureMode) {
- LOG.debug("revoke role as user {}", user);
+ LOG.debug("Revoke role");
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) ()
-> {
try {
@@ -633,7 +623,7 @@ public void revokeRole(final GrantRevokeRoleRequest
request) throws Exception {
if (response != null && response.getStatus() !=
HttpServletResponse.SC_OK) {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.error("revokeRole() failed: HTTP status={}, message={},
isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode,
(isSecureMode ? (", user=" + user) : ""));
+ LOG.error("revokeRole() failed: HTTP status={}, message={},
isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode);
if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) {
throw new AccessControlException();
@@ -651,8 +641,7 @@ public void revokeRole(final GrantRevokeRoleRequest
request) throws Exception {
public void grantAccess(final GrantRevokeRequest request) throws Exception
{
LOG.debug("==> RangerAdminRESTClient.grantAccess({})", request);
- final UserGroupInformation user = MiscUtil.getUGILoginUser();
- final boolean isSecureMode = isKerberosEnabled(user);
+ final boolean isSecureMode = isAuthenticationEnabled();
final Cookie sessionId = this.sessionId;
final Map<String, String> queryParams = new HashMap<>();
@@ -661,7 +650,7 @@ public void grantAccess(final GrantRevokeRequest request)
throws Exception {
final ClientResponse response;
if (isSecureMode) {
- LOG.debug("grantAccess as user {}", user);
+ LOG.debug("GrantAccess");
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) ()
-> {
try {
@@ -685,7 +674,7 @@ public void grantAccess(final GrantRevokeRequest request)
throws Exception {
if (response != null && response.getStatus() !=
HttpServletResponse.SC_OK) {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.error("grantAccess() failed: HTTP status={}, message={},
isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode,
(isSecureMode ? (", user=" + user) : ""));
+ LOG.error("grantAccess() failed: HTTP status={}, message={},
isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode);
if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) {
throw new AccessControlException();
@@ -703,8 +692,7 @@ public void grantAccess(final GrantRevokeRequest request)
throws Exception {
public void revokeAccess(final GrantRevokeRequest request) throws
Exception {
LOG.debug("==> RangerAdminRESTClient.revokeAccess({})", request);
- final UserGroupInformation user = MiscUtil.getUGILoginUser();
- final boolean isSecureMode = isKerberosEnabled(user);
+ final boolean isSecureMode = isAuthenticationEnabled();
final Cookie sessionId = this.sessionId;
final Map<String, String> queryParams = new HashMap<>();
@@ -713,7 +701,7 @@ public void revokeAccess(final GrantRevokeRequest request)
throws Exception {
final ClientResponse response;
if (isSecureMode) {
- LOG.debug("revokeAccess as user {}", user);
+ LOG.debug("RevokeAccess");
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) ()
-> {
try {
@@ -737,7 +725,7 @@ public void revokeAccess(final GrantRevokeRequest request)
throws Exception {
if (response != null && response.getStatus() !=
HttpServletResponse.SC_OK) {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.error("revokeAccess() failed: HTTP status={}, message={},
isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode,
(isSecureMode ? (", user=" + user) : ""));
+ LOG.error("revokeAccess() failed: HTTP status={}, message={},
isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode);
if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) {
throw new AccessControlException();
@@ -755,8 +743,7 @@ public void revokeAccess(final GrantRevokeRequest request)
throws Exception {
public ServiceTags getServiceTagsIfUpdated(final long lastKnownVersion,
final long lastActivationTimeInMillis) throws Exception {
LOG.debug("==> RangerAdminRESTClient.getServiceTagsIfUpdated({}, {}):
", lastKnownVersion, lastActivationTimeInMillis);
- final UserGroupInformation user = MiscUtil.getUGILoginUser();
- final boolean isSecureMode = isKerberosEnabled(user);
+ final boolean isSecureMode = isAuthenticationEnabled();
final Cookie sessionId = this.sessionId;
final Map<String, String> queryParams = new HashMap<>();
@@ -769,7 +756,7 @@ public ServiceTags getServiceTagsIfUpdated(final long
lastKnownVersion, final lo
final ClientResponse response;
if (isSecureMode) {
- LOG.debug("getServiceTagsIfUpdated as user {}", user);
+ LOG.debug("getServiceTagsIfUpdated");
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) ()
-> {
try {
@@ -794,12 +781,12 @@ public ServiceTags getServiceTagsIfUpdated(final long
lastKnownVersion, final lo
if (response == null || response.getStatus() ==
HttpServletResponse.SC_NOT_MODIFIED) {
if (response == null) {
- LOG.error("Error getting tags; Received NULL response!!.
secureMode={}, user={}, serviceName={}", isSecureMode, user, serviceName);
+ LOG.error("Error getting tags; Received NULL response!!.
secureMode={}, serviceName={}", isSecureMode, serviceName);
} else {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.debug("No change in tags. secureMode={}, user={},
response={}, serviceName={}, lastKnownVersion={},
lastActivationTimeInMillis={}",
- isSecureMode, user, resp, serviceName,
lastKnownVersion, lastActivationTimeInMillis);
+ LOG.debug("No change in tags. secureMode={}, response={},
serviceName={}, lastKnownVersion={}, lastActivationTimeInMillis={}",
+ isSecureMode, resp, serviceName, lastKnownVersion,
lastActivationTimeInMillis);
}
ret = null;
@@ -808,8 +795,8 @@ public ServiceTags getServiceTagsIfUpdated(final long
lastKnownVersion, final lo
} else if (response.getStatus() == HttpServletResponse.SC_NOT_FOUND) {
ret = null;
- LOG.error("Error getting tags; service not found. secureMode={},
user={}, response={}, serviceName={}, lastKnownVersion={},
lastActivationTimeInMillis={}",
- isSecureMode, user, response.getStatus(), serviceName,
lastKnownVersion, lastActivationTimeInMillis);
+ LOG.error("Error getting tags; service not found. secureMode={},
response={}, serviceName={}, lastKnownVersion={},
lastActivationTimeInMillis={}",
+ isSecureMode, response.getStatus(), serviceName,
lastKnownVersion, lastActivationTimeInMillis);
String exceptionMsg = response.hasEntity() ?
response.getEntity(String.class) : null;
@@ -819,7 +806,7 @@ public ServiceTags getServiceTagsIfUpdated(final long
lastKnownVersion, final lo
} else {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.warn("Error getting tags. secureMode={}, user={}, response={},
serviceName={}", isSecureMode, user, resp, serviceName);
+ LOG.warn("Error getting tags. secureMode={}, response={},
serviceName={}", isSecureMode, resp, serviceName);
ret = null;
}
@@ -834,8 +821,7 @@ public List<String> getTagTypes(String pattern) throws
Exception {
LOG.debug("==> RangerAdminRESTClient.getTagTypes({}): ", pattern);
final String relativeURL =
RangerRESTUtils.REST_URL_LOOKUP_TAG_NAMES;
- final UserGroupInformation user = MiscUtil.getUGILoginUser();
- final boolean isSecureMode = isKerberosEnabled(user);
+ final boolean isSecureMode = isAuthenticationEnabled();
final Cookie sessionId = this.sessionId;
final Map<String, String> queryParams = new HashMap<>();
@@ -845,7 +831,7 @@ public List<String> getTagTypes(String pattern) throws
Exception {
final ClientResponse response;
if (isSecureMode) {
- LOG.debug("getTagTypes as user {}", user);
+ LOG.debug("getTagTypes");
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) ()
-> {
try {
@@ -883,8 +869,7 @@ public List<String> getTagTypes(String pattern) throws
Exception {
public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, long lastActivationTimeInMillis) throws Exception {
LOG.debug("==> RangerAdminRESTClient.getUserStoreIfUpdated({}, {})",
lastKnownUserStoreVersion, lastActivationTimeInMillis);
- final UserGroupInformation user = MiscUtil.getUGILoginUser();
- final boolean isSecureMode = isKerberosEnabled(user);
+ final boolean isSecureMode = isAuthenticationEnabled();
final Cookie sessionId = this.sessionId;
final Map<String, String> queryParams = new HashMap<>();
@@ -897,7 +882,7 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
final ClientResponse response;
if (isSecureMode) {
- LOG.debug("Checking UserStore updated as user : {}", user);
+ LOG.debug("Checking UserStore if updated");
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<ClientResponse>) ()
-> {
try {
@@ -911,7 +896,7 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
return null;
});
} else {
- LOG.debug("Checking UserStore updated as user : {}", user);
+ LOG.debug("Checking UserStore updated");
String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_GET_USERSTORE + serviceNameUrlParam;
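Review bot: The non-secure branch now logs `Checking UserStore updated`, which differs from the secure branch's `Checking UserStore if updated` by a single word. The two paths are therefore hard to tell apart when reading a debug log. getRolesIfUpdated marks its fallback branch with `(non-secure)` in this same commit, and the equivalent here would be `LOG.debug("Checking UserStore if updated (non-secure)");`. The enclosing else-branch continues past the end of this hunk.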
@@ -924,12 +909,12 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
if (response == null || response.getStatus() ==
HttpServletResponse.SC_NOT_MODIFIED) {
if (response == null) {
- LOG.error("Error getting UserStore; Received NULL response!!.
secureMode={}, user={}, serviceName={}", isSecureMode, user, serviceName);
+ LOG.error("Error getting UserStore; Received NULL response!!.
secureMode={}, serviceName={}", isSecureMode, serviceName);
} else {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.debug("No change in UserStore. secureMode={}, user={},
response={}, serviceName={}, lastKnownUserStoreVersion={},
lastActivationTimeInMillis={}",
- isSecureMode, user, resp, serviceName,
lastKnownUserStoreVersion, lastActivationTimeInMillis);
+ LOG.debug("No change in UserStore. secureMode={}, response={},
serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}",
+ isSecureMode, resp, serviceName,
lastKnownUserStoreVersion, lastActivationTimeInMillis);
}
ret = null;
@@ -938,8 +923,8 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
} else if (response.getStatus() == HttpServletResponse.SC_NOT_FOUND) {
ret = null;
- LOG.error("Error getting UserStore; service not found.
secureMode={}, user={}, response={}, serviceName={},
lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}",
- isSecureMode, user, response.getStatus(), serviceName,
lastKnownUserStoreVersion, lastActivationTimeInMillis);
+ LOG.error("Error getting UserStore; service not found.
secureMode={}, response={}, serviceName={}, lastKnownUserStoreVersion={},
lastActivationTimeInMillis={}",
+ isSecureMode, response.getStatus(), serviceName,
lastKnownUserStoreVersion, lastActivationTimeInMillis);
String exceptionMsg = response.hasEntity() ?
response.getEntity(String.class) : null;
@@ -949,7 +934,7 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
} else {
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.warn("Error getting UserStore. secureMode={}, user={},
response={}, serviceName={}", isSecureMode, user, resp, serviceName);
+ LOG.warn("Error getting UserStore. secureMode={}, response={},
serviceName={}", isSecureMode, resp, serviceName);
ret = null;
}
@@ -963,8 +948,7 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
public ServiceGdsInfo getGdsInfoIfUpdated(long lastKnownVersion, long
lastActivationTimeInMillis) throws Exception {
LOG.debug("==> RangerAdminRESTClient.getGdsInfoIfUpdated({}, {})",
lastKnownVersion, lastActivationTimeInMillis);
- final UserGroupInformation user = MiscUtil.getUGILoginUser();
- final boolean isSecureMode = isKerberosEnabled(user);
+ final boolean isSecureMode = isAuthenticationEnabled();
final Cookie sessionId = this.sessionId;
final Map<String, String> queryParams = new HashMap<>();
@@ -974,7 +958,7 @@ public ServiceGdsInfo getGdsInfoIfUpdated(long
lastKnownVersion, long lastActiva
queryParams.put(RangerRESTUtils.REST_PARAM_CLUSTER_NAME, clusterName);
queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES,
pluginCapabilities);
- LOG.debug("Checking for updated GdsInfo: secureMode={}, user={},
serviceName={}", isSecureMode, user, serviceName);
+ LOG.debug("Checking for updated GdsInfo: secureMode={},
serviceName={}", isSecureMode, serviceName);
final ClientResponse response;
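Review bot: `secureMode` in this debug line no longer means "a Kerberos login user is present". The previous hunk sets it from `isAuthenticationEnabled()`, which in this class also returns true when an auth filter is configured on the REST client. With `user={}` dropped, the logs no longer show which mechanism selected the secure endpoint, so a failed download is harder to triage. Consider logging the reason, e.g. `LOG.debug("Checking for updated GdsInfo: secureMode={}, authFilterPresent={}, serviceName={}", isSecureMode, restClient.isAuthFilterPresent(), serviceName);`. The same applies to the error and warn messages in the following getGdsInfoIfUpdated hunks and the getUserStoreIfUpdated hunks above; the method body extends beyond this hunk.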
@@ -1003,21 +987,21 @@ public ServiceGdsInfo getGdsInfoIfUpdated(long
lastKnownVersion, long lastActiva
if (response == null) {
ret = null;
- LOG.error("Error getting GdsInfo - received NULL response:
secureMode={}, user={}, serviceName={}", isSecureMode, user, serviceName);
+ LOG.error("Error getting GdsInfo - received NULL response:
secureMode={}, serviceName={}", isSecureMode, serviceName);
} else if (response.getStatus() ==
HttpServletResponse.SC_NOT_MODIFIED) {
ret = null;
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.debug("No change in GdsInfo: secureMode={}, user={},
response={}, serviceName={}, lastKnownGdsVersion={},
lastActivationTimeInMillis={}",
- isSecureMode, user, resp, serviceName, lastKnownVersion,
lastActivationTimeInMillis);
+ LOG.debug("No change in GdsInfo: secureMode={}, response={},
serviceName={}, lastKnownGdsVersion={}, lastActivationTimeInMillis={}",
+ isSecureMode, resp, serviceName, lastKnownVersion,
lastActivationTimeInMillis);
} else if (response.getStatus() == HttpServletResponse.SC_OK) {
ret = JsonUtilsV2.readResponse(response, ServiceGdsInfo.class);
} else if (response.getStatus() == HttpServletResponse.SC_NOT_FOUND) {
ret = null;
- LOG.error("Error getting GdsInfo - service not found:
secureMode={}, user={}, response={}, serviceName={},
lastKnownGdsVersion={},lastActivationTimeInMillis={}",
- isSecureMode, user, response.getStatus(), serviceName,
lastKnownVersion, lastActivationTimeInMillis);
+ LOG.error("Error getting GdsInfo - service not found:
secureMode={}, response={}, serviceName={},
lastKnownGdsVersion={},lastActivationTimeInMillis={}",
+ isSecureMode, response.getStatus(), serviceName,
lastKnownVersion, lastActivationTimeInMillis);
String exceptionMsg = response.hasEntity() ?
response.getEntity(String.class) : null;
@@ -1029,8 +1013,8 @@ public ServiceGdsInfo getGdsInfoIfUpdated(long
lastKnownVersion, long lastActiva
RESTResponse resp = RESTResponse.fromClientResponse(response);
- LOG.warn("Error getting GdsInfo: unexpected status code {}:
secureMode={}, user={}, response={}, serviceName={}",
- response.getStatus(), isSecureMode, user, resp,
serviceName);
+ LOG.warn("Error getting GdsInfo: unexpected status code {}:
secureMode={}, response={}, serviceName={}",
+ response.getStatus(), isSecureMode, resp, serviceName);
}
LOG.debug("<== RangerAdminRESTClient.getGdsInfoIfUpdated({}, {}):
ret={}", lastKnownVersion, lastActivationTimeInMillis, ret);
@@ -1038,6 +1022,11 @@ public ServiceGdsInfo getGdsInfoIfUpdated(long
lastKnownVersion, long lastActiva
return ret;
}
+ @Override
+ public boolean isAuthenticationEnabled() {
+ return restClient.isAuthFilterPresent() ||
super.isAuthenticationEnabled();
+ }
+
private void init(String url, String sslConfigFileName, int
restClientConnTimeOutMs, int restClientReadTimeOutMs, int
restClientMaxRetryAttempts, int restClientRetryIntervalMs, Configuration
config) {
LOG.debug("==> RangerAdminRESTClient.init({}, {})", url,
sslConfigFileName);
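Review bot: The new `isAuthenticationEnabled()` override dereferences `restClient` unconditionally, so a call made before the private `init(...)` below has assigned the field would throw a NullPointerException. Whether that ordering can occur depends on code outside this hunk. A guarded form is cheap: `return (restClient != null && restClient.isAuthFilterPresent()) || super.isAuthenticationEnabled();`. The method should also carry a Javadoc stating that a configured JWT or basic-auth filter alone switches this client to the secure endpoints, since every `isSecureMode` branch in the class now depends on it.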
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
index 4be6d0214..02b375a84 100644
---
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
@@ -147,6 +147,10 @@ public String getPassword() {
return mPassword;
}
+ public boolean isAuthFilterPresent() {
+ return jwtAuthFilter != null || basicAuthFilter != null;
+ }
+
public int getRestClientConnTimeOutMs() {
return mRestClientConnTimeOutMs;
}
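Review bot: `isAuthFilterPresent()` is a new public method with no Javadoc, and its name can be read as "the client is authenticated". The code only checks that a filter object is non-null. Since RangerAdminRESTClient uses the result to choose the secure endpoints, document the limit of the claim: `/** Returns true when a JWT or basic-auth filter has been configured on this client; it does not indicate that the server accepted the credentials. */`.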
diff --git
a/agents-common/src/test/java/org/apache/ranger/admin/client/TestAbstractRangerAdminClient.java
b/agents-common/src/test/java/org/apache/ranger/admin/client/TestAbstractRangerAdminClient.java
index 550983ee3..549051b7d 100644
---
a/agents-common/src/test/java/org/apache/ranger/admin/client/TestAbstractRangerAdminClient.java
+++
b/agents-common/src/test/java/org/apache/ranger/admin/client/TestAbstractRangerAdminClient.java
@@ -95,4 +95,13 @@ public void test03_defaultNoOpMethodsReturnNullOrNoThrow()
throws Exception {
Assertions.assertNull(c.getUserStoreIfUpdated(1L, 2L));
Assertions.assertNull(c.getGdsInfoIfUpdated(1L, 2L));
}
+
+ @Test
+ public void test04_isSecureEndpointAccess() {
+ DummyClient c = new DummyClient();
+ Configuration cfg = new Configuration(false);
+ cfg.setBoolean("ranger.plugin.forceSecureEndpointAccess", true);
+ c.init("svc", "app", "ranger.plugin", cfg);
+ Assertions.assertTrue(c.isAuthenticationEnabled());
+ }
}
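Review bot: `test04_isSecureEndpointAccess` only covers the case where `ranger.plugin.forceSecureEndpointAccess` is set to true, so the off-by-default behaviour is unpinned. A regression that made `isAuthenticationEnabled()` return true unconditionally would still pass. Add a companion case that initialises a `DummyClient` with the key unset or false and asserts the result is false. That assumes the test environment has no Kerberos login user, which is not visible from this hunk. The test name could also match the method under test, e.g. `test04_isAuthenticationEnabledWhenForced`.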
diff --git
a/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
b/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
index e5866d2dd..5c363d36c 100644
---
a/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
+++
b/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java
@@ -28,7 +28,6 @@
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.AccessControlException;
-import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ranger.audit.provider.MiscUtil;
import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.plugin.util.GrantRevokeRequest;
@@ -287,8 +286,7 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
final RangerUserStore ret;
final Response response;
- final UserGroupInformation user = MiscUtil.getUGILoginUser();
- final boolean isSecureMode = isKerberosEnabled(user);
+ final boolean isSecureMode = isAuthenticationEnabled();
Map<String, String> queryParams = new HashMap<>();
queryParams.put(RangerRESTUtils.REST_PARAM_LAST_KNOWN_USERSTORE_VERSION,
Long.toString(lastKnownUserStoreVersion));
@@ -298,8 +296,6 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES,
pluginCapabilities);
if (isSecureMode) {
- LOG.debug("Checking UserStore updated as user: {}", user);
-
response =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> {
try {
String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_SERCURE_GET_USERSTORE + serviceNameUrlParam;
@@ -312,8 +308,6 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
return null;
});
} else {
- LOG.debug("Checking UserStore updated as user: {}", user);
-
String relativeURL =
RangerRESTUtils.REST_URL_SERVICE_GET_USERSTORE + serviceNameUrlParam;
response = get(queryParams, relativeURL);
@@ -321,12 +315,12 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
if (response == null || response.getStatus() == 304) { // NOT_MODIFIED
if (response == null) {
- LOG.error("Error getting UserStore; Received NULL response!!.
secureMode={}, user={}, serviceName={}", isSecureMode, user, serviceName);
+ LOG.error("Error getting UserStore; Received NULL response!!.
secureMode={}, serviceName={}", isSecureMode, serviceName);
} else {
String resp = response.hasEntity() ?
response.readEntity(String.class) : null;
- LOG.debug("No change in UserStore. secureMode={}, user={},
response={}, serviceName={}, lastKnownUserStoreVersion={},
lastActivationTimeInMillis={}",
- isSecureMode, user, resp, serviceName,
lastKnownUserStoreVersion, lastActivationTimeInMillis);
+ LOG.debug("No change in UserStore. secureMode={}, response={},
serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}",
+ isSecureMode, resp, serviceName,
lastKnownUserStoreVersion, lastActivationTimeInMillis);
}
ret = null;
@@ -337,8 +331,8 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
} else if (response.getStatus() == 404) { // NOT_FOUND
ret = null;
- LOG.error("Error getting UserStore; service not found.
secureMode={}, user={}, response={}, serviceName={},
lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}",
- isSecureMode, user, response.getStatus(), serviceName,
lastKnownUserStoreVersion, lastActivationTimeInMillis);
+ LOG.error("Error getting UserStore; service not found.
secureMode={}, response={}, serviceName={}, lastKnownUserStoreVersion={},
lastActivationTimeInMillis={}",
+ isSecureMode, response.getStatus(), serviceName,
lastKnownUserStoreVersion, lastActivationTimeInMillis);
String exceptionMsg = response.hasEntity() ?
response.readEntity(String.class) : null;
@@ -348,8 +342,8 @@ public RangerUserStore getUserStoreIfUpdated(long
lastKnownUserStoreVersion, lon
} else {
String resp = response.hasEntity() ?
response.readEntity(String.class) : null;
- LOG.warn("Error getting UserStore. secureMode={}, user={},
response={}, serviceName={}, lastKnownUserStoreVersion={},
lastActivationTimeInMillis={}",
- isSecureMode, user, resp, serviceName,
lastKnownUserStoreVersion, lastActivationTimeInMillis);
+ LOG.warn("Error getting UserStore. secureMode={}, response={},
serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}",
+ isSecureMode, resp, serviceName,
lastKnownUserStoreVersion, lastActivationTimeInMillis);
ret = null;
}
@@ -599,7 +593,7 @@ private ServicePolicies
getServicePoliciesIfUpdatedWithCred(final long lastKnown
policyDownloadSessionId = null;
body = response.readEntity(String.class);
- LOG.warn("Unexpected: Received status[{}] with body[{}] form
url[{}]", httpResponseCode, body, getRelativeURL(isSecureMode()));
+ LOG.warn("Unexpected: Received status[{}] with body[{}] form
url[{}]", httpResponseCode, body, getRelativeURL(isAuthenticationEnabled()));
break;
}
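Review bot: The warn line recomputes `getRelativeURL(isAuthenticationEnabled())` when it logs, so it reports the URL the client would choose now. That may differ from the URL the request actually used if the authentication state changed in between. Passing along the relative URL that was requested would keep the log accurate. The message also reads `form url[{}]`; since the line is being touched anyway, it could become `"Unexpected: Received status[{}] with body[{}] from url[{}]"`. The same pattern appears in the getServicePoliciesIfUpdatedWithCookie, getServiceTagsIfUpdatedWithCred and both getRangerRolesIfUpdated* hunks below. The enclosing switch starts and ends outside this hunk.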
@@ -665,7 +659,7 @@ private ServicePolicies
getServicePoliciesIfUpdatedWithCookie(final long lastKno
isValidPolicyDownloadSessionCookie = false;
body =
response.readEntity(String.class);
- LOG.warn("Unexpected: Received status[{}] with body[{}] form
url[{}]", httpResponseCode, body, getRelativeURL(isSecureMode()));
+ LOG.warn("Unexpected: Received status[{}] with body[{}] form
url[{}]", httpResponseCode, body, getRelativeURL(isAuthenticationEnabled()));
break;
}
@@ -687,10 +681,8 @@ private Response
getRangerAdminPolicyDownloadResponse(final long lastKnownVersio
queryParams.put(RangerRESTUtils.REST_PARAM_SUPPORTS_POLICY_DELTAS,
Boolean.toString(supportsPolicyDeltas));
queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES,
pluginCapabilities);
- if (isSecureMode()) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Checking Service policy if updated as user : {}",
MiscUtil.getUGILoginUser());
- }
+ if (isAuthenticationEnabled()) {
+ LOG.debug("Checking Service policy if updated");
ret =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () ->
get(queryParams, getRelativeURL(true), policyDownloadSessionId));
} else {
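Review bot: The `if (isAuthenticationEnabled())` branch can now be taken without a Kerberos login, going by the commit title and the `ranger.plugin.forceSecureEndpointAccess` test. The request is still wrapped in `MiscUtil.executePrivilegedAction(...)`, whose behaviour with no login user is not visible here and should be confirmed. A short comment would record the intent, e.g. `// secure endpoint may be forced via config without a Kerberos login; executePrivilegedAction must tolerate a missing UGI login user`. The replacement debug line `"Checking Service policy if updated"` carries no context; adding `serviceName` would keep it useful now that the identity is gone. The same applies to the getTagsDownloadResponse and getRoleDownloadResponse hunks below. The method continues past this hunk.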
@@ -804,7 +796,7 @@ private ServiceTags getServiceTagsIfUpdatedWithCred(final
long lastKnownVersion,
tagDownloadSessionId = null;
body = response.readEntity(String.class);
- LOG.warn("Unexpected: Received status[{}] with body[{}] form
url[{}]", httpResponseCode, body, getRelativeURLForTagDownload(isSecureMode()));
+ LOG.warn("Unexpected: Received status[{}] with body[{}] form
url[{}]", httpResponseCode, body,
getRelativeURLForTagDownload(isAuthenticationEnabled()));
break;
}
@@ -891,10 +883,8 @@ private Response getTagsDownloadResponse(final long
lastKnownVersion, final long
queryParams.put(RangerRESTUtils.REST_PARAM_SUPPORTS_TAG_DELTAS,
Boolean.toString(supportsTagDeltas));
queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES,
pluginCapabilities);
- if (isSecureMode()) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Checking Service tags if updated as user : {}",
MiscUtil.getUGILoginUser());
- }
+ if (isAuthenticationEnabled()) {
+ LOG.debug("Checking Service tags if updated");
ret =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () ->
get(queryParams, getRelativeURLForTagDownload(true), tagDownloadSessionId));
} else {
@@ -1006,7 +996,7 @@ private RangerRoles getRangerRolesIfUpdatedWithCred(final
long lastKnownRoleVers
roleDownloadSessionId = null;
body = response.readEntity(String.class);
- LOG.warn("Unexpected: Received status[{}] with body[{}] form
url[{}]", httpResponseCode, body,
getRelativeURLForRoleDownload(isSecureMode()));
+ LOG.warn("Unexpected: Received status[{}] with body[{}] form
url[{}]", httpResponseCode, body,
getRelativeURLForRoleDownload(isAuthenticationEnabled()));
break;
}
@@ -1073,7 +1063,7 @@ private RangerRoles
getRangerRolesIfUpdatedWithCookie(final long lastKnownRoleVe
isValidRoleDownloadSessionCookie = false;
body =
response.readEntity(String.class);
- LOG.warn("Unexpected: Received status[{}] with body[{}] form
url[{}]", httpResponseCode, body,
getRelativeURLForRoleDownload(isSecureMode()));
+ LOG.warn("Unexpected: Received status[{}] with body[{}] form
url[{}]", httpResponseCode, body,
getRelativeURLForRoleDownload(isAuthenticationEnabled()));
break;
}
@@ -1094,10 +1084,8 @@ private Response getRoleDownloadResponse(final long
lastKnownRoleVersion, final
queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
queryParams.put(RangerRESTUtils.REST_PARAM_CLUSTER_NAME, clusterName);
- if (isSecureMode()) {
- if (LOG.isDebugEnabled()) {
- LOG.debug("Checking Roles if updated as user : {}",
MiscUtil.getUGILoginUser());
- }
+ if (isAuthenticationEnabled()) {
+ LOG.debug("Checking Roles if updated");
ret =
MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () ->
get(queryParams, getRelativeURLForRoleDownload(true), roleDownloadSessionId));
} else {
@@ -1156,10 +1144,6 @@ private void
setCookieReceivedFromRoleDownloadSession(Response response) {
}
}
- private boolean isSecureMode() {
- return isKerberosEnabled(MiscUtil.getUGILoginUser());
- }
-
// We get date from the policy manager as unix long! This deserializer
exists to deal with it. Remove this class once we start send date/time per RFC
3339
public static class GsonUnixDateDeserializer implements
JsonDeserializer<Date> {
@Override