This is an automated email from the ASF dual-hosted git repository. pradeep pushed a commit to branch RANGER-4076_master in repository https://gitbox.apache.org/repos/asf/ranger.git
commit 3939863120557be063b7bc4f11faf864d552a87e Author: Pradeep AgrawaL <[email protected]> AuthorDate: Tue Feb 24 07:00:25 2026 +0530 Revert "RANGER-5488: Allow clients to access secure API endpoints in Ranger admin forcibly via config (#849)" This reverts commit 370edde40a2efefb93c5feefdae6bcac4aa2b708. --- .../admin/client/AbstractRangerAdminClient.java | 15 +- .../ranger/admin/client/RangerAdminRESTClient.java | 172 +++++++++++---------- .../plugin/policyengine/RangerPluginContext.java | 20 --- .../ranger/plugin/service/RangerBasePlugin.java | 5 - .../ranger/plugin/util/RangerRESTClient.java | 4 - .../client/TestAbstractRangerAdminClient.java | 9 -- .../admin/client/RangerAdminJersey2RESTClient.java | 54 ++++--- 7 files changed, 124 insertions(+), 155 deletions(-) diff --git a/agents-common/src/main/java/org/apache/ranger/admin/client/AbstractRangerAdminClient.java b/agents-common/src/main/java/org/apache/ranger/admin/client/AbstractRangerAdminClient.java index 551111f0c..d22a87d42 100644 --- a/agents-common/src/main/java/org/apache/ranger/admin/client/AbstractRangerAdminClient.java +++ b/agents-common/src/main/java/org/apache/ranger/admin/client/AbstractRangerAdminClient.java @@ -23,7 +23,6 @@ import com.google.gson.GsonBuilder; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.security.UserGroupInformation; -import org.apache.ranger.audit.provider.MiscUtil; import org.apache.ranger.plugin.model.RangerRole; import org.apache.ranger.plugin.util.GrantRevokeRequest; import org.apache.ranger.plugin.util.GrantRevokeRoleRequest; @@ -44,8 +43,6 @@ public abstract class AbstractRangerAdminClient implements RangerAdminClient { private boolean forceNonKerberos; - private boolean forceSecureEndpointAccess; - @Override public void init(String serviceName, String appId, String configPropertyPrefix, Configuration config) { Gson gson = null; 
@@ -57,8 +54,7 @@ public void init(String serviceName, String appId, String configPropertyPrefix, } this.gson = gson; - this.forceNonKerberos = config.getBoolean(configPropertyPrefix + ".forceNonKerberos", false); - this.forceSecureEndpointAccess = config.getBoolean(configPropertyPrefix + ".forceSecureEndpointAccess", false); + this.forceNonKerberos = config.getBoolean(configPropertyPrefix + ".forceNonKerberos", false); } @Override @@ -131,21 +127,12 @@ public ServiceGdsInfo getGdsInfoIfUpdated(long lastKnownVersion, long lastActiva return null; } - public boolean isAuthenticationEnabled() { - return forceSecureEndpointAccess || isKerberosEnabled(); - } - - public boolean isKerberosEnabled() { - return isKerberosEnabled(MiscUtil.getUGILoginUser()); - } - public boolean isKerberosEnabled(UserGroupInformation user) { final boolean ret; if (forceNonKerberos) { ret = false; } else { - LOG.debug("UGI user: {}", user); ret = user != null && UserGroupInformation.isSecurityEnabled() && user.hasKerberosCredentials(); } diff --git a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java index 59e2c8cfe..847dfe160 100644 --- a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java +++ b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java 
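Review bot: The `.forceNonKerberos` setting read in init() has no comment explaining its security effect, and as far as these hunks show it is now the only configuration input to the secure-mode decision in this class. isKerberosEnabled(user) in the following hunk sets `ret = false` whenever the flag is true, whatever credentials the login user holds, and RangerAdminRESTClient uses that result as `isSecureMode`. I would add above the assignment `// forceNonKerberos=true makes isKerberosEnabled() return false even when the login user has Kerberos credentials`, and repeat that sentence in a Javadoc on isKerberosEnabled. Both init() and isKerberosEnabled() extend beyond the lines shown.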
@@ -22,12 +22,12 @@ import com.fasterxml.jackson.core.type.TypeReference; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.security.AccessControlException; +import org.apache.hadoop.security.UserGroupInformation; import org.apache.http.HttpStatus; import org.apache.ranger.admin.client.datatype.RESTResponse; import org.apache.ranger.audit.provider.MiscUtil; import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig; import org.apache.ranger.authorization.utils.StringUtil; -import org.apache.ranger.plugin.authn.JwtProvider; import org.apache.ranger.plugin.model.RangerRole; import org.apache.ranger.plugin.util.GrantRevokeRequest; import org.apache.ranger.plugin.util.GrantRevokeRoleRequest; @@ -131,7 +131,8 @@ public ServicePolicies getServicePoliciesIfUpdated(final long lastKnownVersion, LOG.debug("==> RangerAdminRESTClient.getServicePoliciesIfUpdated({}, {})", lastKnownVersion, lastActivationTimeInMillis); final ServicePolicies ret; - final boolean isSecureMode = isAuthenticationEnabled(); + final UserGroupInformation user = MiscUtil.getUGILoginUser(); + final boolean isSecureMode = isKerberosEnabled(user); final Cookie sessionId = this.sessionId; final Map<String, String> queryParams = new HashMap<>(); @@ -145,7 +146,7 @@ public ServicePolicies getServicePoliciesIfUpdated(final long lastKnownVersion, final Response response; if (isSecureMode) { - LOG.debug("Checking Service policy if updated"); + LOG.debug("Checking Service policy if updated as user : {}", user); response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> { try { 
@@ -170,12 +171,12 @@ public ServicePolicies getServicePoliciesIfUpdated(final long lastKnownVersion, if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED || response.getStatus() == HttpServletResponse.SC_NO_CONTENT) { if (response == null) { - LOG.error("Error getting policies; Received NULL response!!. secureMode={}, serviceName={}", isSecureMode, serviceName); + LOG.error("Error getting policies; Received NULL response!!. secureMode={}, user={}, serviceName={}", isSecureMode, user, serviceName); } else { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.debug("No change in policies. secureMode={}, response={}, serviceName={}, lastKnownVersion={}, lastActivationTimeInMillis={}", - isSecureMode, resp, serviceName, lastKnownVersion, lastActivationTimeInMillis); + LOG.debug("No change in policies. secureMode={}, user={}, response={}, serviceName={}, lastKnownVersion={}, lastActivationTimeInMillis={}", + isSecureMode, user, resp, serviceName, lastKnownVersion, lastActivationTimeInMillis); } ret = null; @@ -184,8 +185,8 @@ public ServicePolicies getServicePoliciesIfUpdated(final long lastKnownVersion, } else if (response.getStatus() == HttpServletResponse.SC_NOT_FOUND) { ret = null; - LOG.error("Error getting policies; service not found. secureMode={}, response={}, serviceName={}, lastKnownVersion={}, lastActivationTimeInMillis={}", - isSecureMode, response.getStatus(), serviceName, lastKnownVersion, lastActivationTimeInMillis); + LOG.error("Error getting policies; service not found. secureMode={}, user={}, response={}, serviceName={}, lastKnownVersion={}, lastActivationTimeInMillis={}", + isSecureMode, user, response.getStatus(), serviceName, lastKnownVersion, lastActivationTimeInMillis); String exceptionMsg = response.hasEntity() ? response.readEntity(String.class) : null; 
@@ -195,7 +196,7 @@ public ServicePolicies getServicePoliciesIfUpdated(final long lastKnownVersion, } else { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.warn("Error getting policies. secureMode={}, response={}, serviceName={}", isSecureMode, resp, serviceName); + LOG.warn("Error getting policies. secureMode={}, user={}, response={}, serviceName={}", isSecureMode, user, resp, serviceName); ret = null; } @@ -210,7 +211,8 @@ public RangerRoles getRolesIfUpdated(final long lastKnownRoleVersion, final long LOG.debug("==> RangerAdminRESTClient.getRolesIfUpdated({}, {})", lastKnownRoleVersion, lastActivationTimeInMillis); final RangerRoles ret; - final boolean isSecureMode = isAuthenticationEnabled(); + final UserGroupInformation user = MiscUtil.getUGILoginUser(); + final boolean isSecureMode = isKerberosEnabled(user); final Cookie sessionId = this.sessionId; final Map<String, String> queryParams = new HashMap<>(); @@ -223,7 +225,7 @@ public RangerRoles getRolesIfUpdated(final long lastKnownRoleVersion, final long final Response response; if (isSecureMode) { - LOG.debug("Checking Roles"); + LOG.debug("Checking Roles updated as user : {}", user); response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> { try { @@ -237,7 +239,7 @@ public RangerRoles getRolesIfUpdated(final long lastKnownRoleVersion, final long return null; }); } else { - LOG.debug("Checking Roles (non-secure)"); + LOG.debug("Checking Roles updated as user : {}", user); String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GET_USER_GROUP_ROLES + serviceNameUrlParam; 
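Review bot: In getRolesIfUpdated the `else` branch now logs exactly the same text as the Kerberos branch, `Checking Roles updated as user : {}`, so a debug log no longer shows which request path was taken. The line it replaces carried a `(non-secure)` marker, and on this branch `user` may be null or a user without Kerberos credentials, which makes "as user" misleading. I would keep the marker, e.g. `LOG.debug("Checking Roles updated (non-secure), login user : {}", user);`. The same duplication appears in getUserStoreIfUpdated, in the hunk at -897,7 +911,7. The method body continues outside these hunks.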
@@ -248,12 +250,12 @@ public RangerRoles getRolesIfUpdated(final long lastKnownRoleVersion, final long if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED || response.getStatus() == HttpServletResponse.SC_NO_CONTENT) { if (response == null) { - LOG.error("Error getting Roles; Received NULL response!!. secureMode={}, serviceName={}", isSecureMode, serviceName); + LOG.error("Error getting Roles; Received NULL response!!. secureMode={}, user={}, serviceName={}", isSecureMode, user, serviceName); } else { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.debug("No change in Roles. secureMode={}, response={}, serviceName={}, lastKnownRoleVersion={}, lastActivationTimeInMillis={}", - isSecureMode, resp, serviceName, lastKnownRoleVersion, lastActivationTimeInMillis); + LOG.debug("No change in Roles. secureMode={}, user={}, response={}, serviceName={}, lastKnownRoleVersion={}, lastActivationTimeInMillis={}", + isSecureMode, user, resp, serviceName, lastKnownRoleVersion, lastActivationTimeInMillis); } ret = null; @@ -262,8 +264,8 @@ public RangerRoles getRolesIfUpdated(final long lastKnownRoleVersion, final long } else if (response.getStatus() == HttpServletResponse.SC_NOT_FOUND) { ret = null; - LOG.error("Error getting Roles; service not found. secureMode={}, response={}, serviceName={}, lastKnownRoleVersion={}, lastActivationTimeInMillis={}", - isSecureMode, response.getStatus(), serviceName, lastKnownRoleVersion, lastActivationTimeInMillis); + LOG.error("Error getting Roles; service not found. secureMode={}, user={}, response={}, serviceName={}, lastKnownRoleVersion={}, lastActivationTimeInMillis={}", + isSecureMode, user, response.getStatus(), serviceName, lastKnownRoleVersion, lastActivationTimeInMillis); String exceptionMsg = response.hasEntity() ? response.readEntity(String.class) : null; 
@@ -273,7 +275,7 @@ public RangerRoles getRolesIfUpdated(final long lastKnownRoleVersion, final long } else { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.warn("Error getting Roles. secureMode={}, response={}, serviceName={}", isSecureMode, resp, serviceName); + LOG.warn("Error getting Roles. secureMode={}, user={}, response={}, serviceName={}", isSecureMode, user, resp, serviceName); ret = null; } @@ -288,7 +290,8 @@ public RangerRole createRole(final RangerRole request) throws Exception { LOG.debug("==> RangerAdminRESTClient.createRole({})", request); final RangerRole ret; - final boolean isSecureMode = isAuthenticationEnabled(); + final UserGroupInformation user = MiscUtil.getUGILoginUser(); + final boolean isSecureMode = isKerberosEnabled(user); final String relativeURL = RangerRESTUtils.REST_URL_SERVICE_CREATE_ROLE; final Cookie sessionId = this.sessionId; final Map<String, String> queryParams = new HashMap<>(); @@ -298,7 +301,7 @@ public RangerRole createRole(final RangerRole request) throws Exception { final Response response; if (isSecureMode) { - LOG.debug("Create role"); + LOG.debug("create role as user {}", user); response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> { try { @@ -318,7 +321,7 @@ public RangerRole createRole(final RangerRole request) throws Exception { if (response != null && response.getStatus() != HttpServletResponse.SC_OK) { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.error("createRole() failed: HTTP status={}, message={}, isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode); + LOG.error("createRole() failed: HTTP status={}, message={}, isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode, (isSecureMode ? (", user=" + user) : "")); if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) { throw new AccessControlException(); 
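Review bot: The createRole() failure log builds its last argument by concatenation, `(isSecureMode ? (", user=" + user) : "")`, and feeds it to a bare `{}{}` pair, which differs from the `user={}` placeholder used by the policy, role and tag download logs restored in this same commit. A single form keeps the log lines greppable and avoids the eager string build: `LOG.error("createRole() failed: HTTP status={}, message={}, isSecure={}, user={}", response.getStatus(), resp.getMessage(), isSecureMode, user);`. This would also print the login user on the non-Kerberos path, which the current form suppresses, so confirm that is acceptable. The same construct is repeated in dropRole, getAllRoles, getUserRoles, getRole, grantRole, revokeRole, grantAccess and revokeAccess.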
@@ -340,7 +343,8 @@ public RangerRole createRole(final RangerRole request) throws Exception { public void dropRole(final String execUser, final String roleName) throws Exception { LOG.debug("==> RangerAdminRESTClient.dropRole({})", roleName); - final boolean isSecureMode = isAuthenticationEnabled(); + final UserGroupInformation user = MiscUtil.getUGILoginUser(); + final boolean isSecureMode = isKerberosEnabled(user); final Cookie sessionId = this.sessionId; final Map<String, String> queryParams = new HashMap<>(); @@ -351,7 +355,7 @@ public void dropRole(final String execUser, final String roleName) throws Except final Response response; if (isSecureMode) { - LOG.debug("Drop role"); + LOG.debug("drop role as user {}", user); response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> { try { @@ -373,7 +377,7 @@ public void dropRole(final String execUser, final String roleName) throws Except } else if (response.getStatus() != HttpServletResponse.SC_OK && response.getStatus() != HttpServletResponse.SC_NO_CONTENT) { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.error("createRole() failed: HTTP status={}, message={}, isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode); + LOG.error("createRole() failed: HTTP status={}, message={}, isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode, (isSecureMode ? (", user=" + user) : "")); if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) { throw new AccessControlException(); 
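Review bot: The failure log inside dropRole (hunk at -373,7 +377,7) still reports `createRole() failed`, so a failed role deletion is recorded under the wrong operation name. For an authorization-management call this matters when reconstructing who attempted which change from the plugin logs. The message prefix should read `dropRole() failed: HTTP status={}, message={}, isSecure={}{}` with the arguments unchanged. The method body continues outside the hunk.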
@@ -389,7 +393,8 @@ public void dropRole(final String execUser, final String roleName) throws Except public List<String> getAllRoles(final String execUser) throws Exception { LOG.debug("==> RangerAdminRESTClient.getAllRoles()"); - final boolean isSecureMode = isAuthenticationEnabled(); + final UserGroupInformation user = MiscUtil.getUGILoginUser(); + final boolean isSecureMode = isKerberosEnabled(user); final String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GET_ALL_ROLES; final Cookie sessionId = this.sessionId; final Map<String, String> queryParams = new HashMap<>(); @@ -400,7 +405,7 @@ public List<String> getAllRoles(final String execUser) throws Exception { final Response response; if (isSecureMode) { - LOG.debug("Get roles"); + LOG.debug("get roles as user {}", user); response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> { try { @@ -423,7 +428,7 @@ public List<String> getAllRoles(final String execUser) throws Exception { if (response.getStatus() != HttpServletResponse.SC_OK) { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.error("getAllRoles() failed: HTTP status={}, message={}, isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode); + LOG.error("getAllRoles() failed: HTTP status={}, message={}, isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode, (isSecureMode ? (", user=" + user) : "")); if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) { throw new AccessControlException(); 
@@ -446,13 +451,14 @@ public List<String> getAllRoles(final String execUser) throws Exception { public List<String> getUserRoles(final String execUser) throws Exception { LOG.debug("==> RangerAdminRESTClient.getUserRoles({})", execUser); - final boolean isSecureMode = isAuthenticationEnabled(); + final UserGroupInformation user = MiscUtil.getUGILoginUser(); + final boolean isSecureMode = isKerberosEnabled(user); final String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GET_USER_ROLES + execUser; final Cookie sessionId = this.sessionId; final Response response; if (isSecureMode) { - LOG.debug("Get roles"); + LOG.debug("get roles as user {}", user); response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> { try { @@ -475,7 +481,7 @@ public List<String> getUserRoles(final String execUser) throws Exception { if (response.getStatus() != HttpServletResponse.SC_OK) { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.error("getUserRoles() failed: HTTP status={}, message={}, isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode); + LOG.error("getUserRoles() failed: HTTP status={}, message={}, isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode, (isSecureMode ? (", user=" + user) : "")); if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) { throw new AccessControlException(); 
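Review bot: `relativeURL` in getUserRoles is built as `RangerRESTUtils.REST_URL_SERVICE_GET_USER_ROLES + execUser`, which places a caller-supplied string into the request path with no encoding visible in this hunk. If the REST client does not percent-encode the path (not shown here), a value containing `/`, `?` or `#` would address a different resource than the one intended. I would percent-encode the segment before concatenation, or at minimum record the assumption with `// execUser must already be a validated, path-safe user name`. getRole does the same with `roleName` in the hunk at -498,7 +504,8. Both method bodies continue outside the hunks.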
@@ -498,7 +504,8 @@ public List<String> getUserRoles(final String execUser) throws Exception { public RangerRole getRole(final String execUser, final String roleName) throws Exception { LOG.debug("==> RangerAdminRESTClient.getRole({}, {})", execUser, roleName); - final boolean isSecureMode = isAuthenticationEnabled(); + final UserGroupInformation user = MiscUtil.getUGILoginUser(); + final boolean isSecureMode = isKerberosEnabled(user); final String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GET_ROLE_INFO + roleName; final Cookie sessionId = this.sessionId; final Map<String, String> queryParams = new HashMap<>(); @@ -508,7 +515,7 @@ public RangerRole getRole(final String execUser, final String roleName) throws E queryParams.put(RangerRESTUtils.REST_PARAM_EXEC_USER, execUser); if (isSecureMode) { - LOG.debug("Get role info"); + LOG.debug("get role info as user {}", user); response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> { try { @@ -531,7 +538,7 @@ public RangerRole getRole(final String execUser, final String roleName) throws E if (response.getStatus() != HttpServletResponse.SC_OK) { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.error("getRole() failed: HTTP status={}, message={}, isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode); + LOG.error("getRole() failed: HTTP status={}, message={}, isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode, (isSecureMode ? (", user=" + user) : "")); if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) { throw new AccessControlException(); 
@@ -554,13 +561,14 @@ public RangerRole getRole(final String execUser, final String roleName) throws E public void grantRole(final GrantRevokeRoleRequest request) throws Exception { LOG.debug("==> RangerAdminRESTClient.grantRole({})", request); - final boolean isSecureMode = isAuthenticationEnabled(); + final UserGroupInformation user = MiscUtil.getUGILoginUser(); + final boolean isSecureMode = isKerberosEnabled(user); final String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GRANT_ROLE + serviceNameUrlParam; final Cookie sessionId = this.sessionId; final Response response; if (isSecureMode) { - LOG.debug("Grant role"); + LOG.debug("grant role as user {}", user); response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> { try { @@ -580,7 +588,7 @@ public void grantRole(final GrantRevokeRoleRequest request) throws Exception { if (response != null && response.getStatus() != HttpServletResponse.SC_OK) { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.error("grantRole() failed: HTTP status={}, message={}, isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode); + LOG.error("grantRole() failed: HTTP status={}, message={}, isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode, (isSecureMode ? (", user=" + user) : "")); if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) { throw new AccessControlException(); 
@@ -598,13 +606,14 @@ public void grantRole(final GrantRevokeRoleRequest request) throws Exception { public void revokeRole(final GrantRevokeRoleRequest request) throws Exception { LOG.debug("==> RangerAdminRESTClient.revokeRole({})", request); - final boolean isSecureMode = isAuthenticationEnabled(); + final UserGroupInformation user = MiscUtil.getUGILoginUser(); + final boolean isSecureMode = isKerberosEnabled(user); final String relativeURL = RangerRESTUtils.REST_URL_SERVICE_REVOKE_ROLE + serviceNameUrlParam; final Cookie sessionId = this.sessionId; final Response response; if (isSecureMode) { - LOG.debug("Revoke role"); + LOG.debug("revoke role as user {}", user); response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> { try { @@ -624,7 +633,7 @@ public void revokeRole(final GrantRevokeRoleRequest request) throws Exception { if (response != null && response.getStatus() != HttpServletResponse.SC_OK) { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.error("revokeRole() failed: HTTP status={}, message={}, isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode); + LOG.error("revokeRole() failed: HTTP status={}, message={}, isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode, (isSecureMode ? (", user=" + user) : "")); if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) { throw new AccessControlException(); @@ -642,7 +651,8 @@ public void revokeRole(final GrantRevokeRoleRequest request) throws Exception { public void grantAccess(final GrantRevokeRequest request) throws Exception { LOG.debug("==> RangerAdminRESTClient.grantAccess({})", request); - final boolean isSecureMode = isAuthenticationEnabled(); + final UserGroupInformation user = MiscUtil.getUGILoginUser(); + final boolean isSecureMode = isKerberosEnabled(user); final Cookie sessionId = this.sessionId; final Map<String, String> queryParams = new HashMap<>(); 
@@ -651,7 +661,7 @@ public void grantAccess(final GrantRevokeRequest request) throws Exception { final Response response; if (isSecureMode) { - LOG.debug("GrantAccess"); + LOG.debug("grantAccess as user {}", user); response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> { try { @@ -675,7 +685,7 @@ public void grantAccess(final GrantRevokeRequest request) throws Exception { if (response != null && response.getStatus() != HttpServletResponse.SC_OK) { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.error("grantAccess() failed: HTTP status={}, message={}, isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode); + LOG.error("grantAccess() failed: HTTP status={}, message={}, isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode, (isSecureMode ? (", user=" + user) : "")); if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) { throw new AccessControlException(); @@ -693,7 +703,8 @@ public void grantAccess(final GrantRevokeRequest request) throws Exception { public void revokeAccess(final GrantRevokeRequest request) throws Exception { LOG.debug("==> RangerAdminRESTClient.revokeAccess({})", request); - final boolean isSecureMode = isAuthenticationEnabled(); + final UserGroupInformation user = MiscUtil.getUGILoginUser(); + final boolean isSecureMode = isKerberosEnabled(user); final Cookie sessionId = this.sessionId; final Map<String, String> queryParams = new HashMap<>(); @@ -702,7 +713,7 @@ public void revokeAccess(final GrantRevokeRequest request) throws Exception { final Response response; if (isSecureMode) { - LOG.debug("RevokeAccess"); + LOG.debug("revokeAccess as user {}", user); response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> { try { 
@@ -726,7 +737,7 @@ public void revokeAccess(final GrantRevokeRequest request) throws Exception { if (response != null && response.getStatus() != HttpServletResponse.SC_OK) { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.error("revokeAccess() failed: HTTP status={}, message={}, isSecure={}", response.getStatus(), resp.getMessage(), isSecureMode); + LOG.error("revokeAccess() failed: HTTP status={}, message={}, isSecure={}{}", response.getStatus(), resp.getMessage(), isSecureMode, (isSecureMode ? (", user=" + user) : "")); if (response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED) { throw new AccessControlException(); @@ -744,7 +755,8 @@ public void revokeAccess(final GrantRevokeRequest request) throws Exception { public ServiceTags getServiceTagsIfUpdated(final long lastKnownVersion, final long lastActivationTimeInMillis) throws Exception { LOG.debug("==> RangerAdminRESTClient.getServiceTagsIfUpdated({}, {}): ", lastKnownVersion, lastActivationTimeInMillis); - final boolean isSecureMode = isAuthenticationEnabled(); + final UserGroupInformation user = MiscUtil.getUGILoginUser(); + final boolean isSecureMode = isKerberosEnabled(user); final Cookie sessionId = this.sessionId; final Map<String, String> queryParams = new HashMap<>(); @@ -757,7 +769,7 @@ public ServiceTags getServiceTagsIfUpdated(final long lastKnownVersion, final lo final Response response; if (isSecureMode) { - LOG.debug("getServiceTagsIfUpdated"); + LOG.debug("getServiceTagsIfUpdated as user {}", user); response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> { try { 
@@ -782,12 +794,12 @@ public ServiceTags getServiceTagsIfUpdated(final long lastKnownVersion, final lo if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED) { if (response == null) { - LOG.error("Error getting tags; Received NULL response!!. secureMode={}, serviceName={}", isSecureMode, serviceName); + LOG.error("Error getting tags; Received NULL response!!. secureMode={}, user={}, serviceName={}", isSecureMode, user, serviceName); } else { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.debug("No change in tags. secureMode={}, response={}, serviceName={}, lastKnownVersion={}, lastActivationTimeInMillis={}", - isSecureMode, resp, serviceName, lastKnownVersion, lastActivationTimeInMillis); + LOG.debug("No change in tags. secureMode={}, user={}, response={}, serviceName={}, lastKnownVersion={}, lastActivationTimeInMillis={}", + isSecureMode, user, resp, serviceName, lastKnownVersion, lastActivationTimeInMillis); } ret = null; @@ -796,8 +808,8 @@ public ServiceTags getServiceTagsIfUpdated(final long lastKnownVersion, final lo } else if (response.getStatus() == HttpServletResponse.SC_NOT_FOUND) { ret = null; - LOG.error("Error getting tags; service not found. secureMode={}, response={}, serviceName={}, lastKnownVersion={}, lastActivationTimeInMillis={}", - isSecureMode, response.getStatus(), serviceName, lastKnownVersion, lastActivationTimeInMillis); + LOG.error("Error getting tags; service not found. secureMode={}, user={}, response={}, serviceName={}, lastKnownVersion={}, lastActivationTimeInMillis={}", + isSecureMode, user, response.getStatus(), serviceName, lastKnownVersion, lastActivationTimeInMillis); String exceptionMsg = response.hasEntity() ? response.readEntity(String.class) : null; 
@@ -807,7 +819,7 @@ public ServiceTags getServiceTagsIfUpdated(final long lastKnownVersion, final lo } else { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.warn("Error getting tags. secureMode={}, response={}, serviceName={}", isSecureMode, resp, serviceName); + LOG.warn("Error getting tags. secureMode={}, user={}, response={}, serviceName={}", isSecureMode, user, resp, serviceName); ret = null; } @@ -822,7 +834,8 @@ public List<String> getTagTypes(String pattern) throws Exception { LOG.debug("==> RangerAdminRESTClient.getTagTypes({}): ", pattern); final String relativeURL = RangerRESTUtils.REST_URL_LOOKUP_TAG_NAMES; - final boolean isSecureMode = isAuthenticationEnabled(); + final UserGroupInformation user = MiscUtil.getUGILoginUser(); + final boolean isSecureMode = isKerberosEnabled(user); final Cookie sessionId = this.sessionId; final Map<String, String> queryParams = new HashMap<>(); @@ -832,7 +845,7 @@ public List<String> getTagTypes(String pattern) throws Exception { final Response response; if (isSecureMode) { - LOG.debug("getTagTypes"); + LOG.debug("getTagTypes as user {}", user); response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> { try { @@ -870,7 +883,8 @@ public List<String> getTagTypes(String pattern) throws Exception { public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, long lastActivationTimeInMillis) throws Exception { LOG.debug("==> RangerAdminRESTClient.getUserStoreIfUpdated({}, {})", lastKnownUserStoreVersion, lastActivationTimeInMillis); - final boolean isSecureMode = isAuthenticationEnabled(); + final UserGroupInformation user = MiscUtil.getUGILoginUser(); + final boolean isSecureMode = isKerberosEnabled(user); final Cookie sessionId = this.sessionId; final Map<String, String> queryParams = new HashMap<>(); 
@@ -883,7 +897,7 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon final Response response; if (isSecureMode) { - LOG.debug("Checking UserStore if updated"); + LOG.debug("Checking UserStore updated as user : {}", user); response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> { try { @@ -897,7 +911,7 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon return null; }); } else { - LOG.debug("Checking UserStore updated"); + LOG.debug("Checking UserStore updated as user : {}", user); String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GET_USERSTORE + serviceNameUrlParam; @@ -910,12 +924,12 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon if (response == null || response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED) { if (response == null) { - LOG.error("Error getting UserStore; Received NULL response!!. secureMode={}, serviceName={}", isSecureMode, serviceName); + LOG.error("Error getting UserStore; Received NULL response!!. secureMode={}, user={}, serviceName={}", isSecureMode, user, serviceName); } else { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.debug("No change in UserStore. secureMode={}, response={}, serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}", - isSecureMode, resp, serviceName, lastKnownUserStoreVersion, lastActivationTimeInMillis); + LOG.debug("No change in UserStore. secureMode={}, user={}, response={}, serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}", + isSecureMode, user, resp, serviceName, lastKnownUserStoreVersion, lastActivationTimeInMillis); } ret = null; 
@@ -924,8 +938,8 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon } else if (response.getStatus() == HttpServletResponse.SC_NOT_FOUND) { ret = null; - LOG.error("Error getting UserStore; service not found. secureMode={}, response={}, serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}", - isSecureMode, response.getStatus(), serviceName, lastKnownUserStoreVersion, lastActivationTimeInMillis); + LOG.error("Error getting UserStore; service not found. secureMode={}, user={}, response={}, serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}", + isSecureMode, user, response.getStatus(), serviceName, lastKnownUserStoreVersion, lastActivationTimeInMillis); String exceptionMsg = response.hasEntity() ? response.readEntity(String.class) : null; @@ -935,7 +949,7 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon } else { RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.warn("Error getting UserStore. secureMode={}, response={}, serviceName={}", isSecureMode, resp, serviceName); + LOG.warn("Error getting UserStore. secureMode={}, user={}, response={}, serviceName={}", isSecureMode, user, resp, serviceName); ret = null; } @@ -949,7 +963,8 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon public ServiceGdsInfo getGdsInfoIfUpdated(long lastKnownVersion, long lastActivationTimeInMillis) throws Exception { LOG.debug("==> RangerAdminRESTClient.getGdsInfoIfUpdated({}, {})", lastKnownVersion, lastActivationTimeInMillis); - final boolean isSecureMode = isAuthenticationEnabled(); + final UserGroupInformation user = MiscUtil.getUGILoginUser(); + final boolean isSecureMode = isKerberosEnabled(user); final Cookie sessionId = this.sessionId; final Map<String, String> queryParams = new HashMap<>(); 
@@ -959,7 +974,7 @@ public ServiceGdsInfo getGdsInfoIfUpdated(long lastKnownVersion, long lastActiva queryParams.put(RangerRESTUtils.REST_PARAM_CLUSTER_NAME, clusterName); queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES, pluginCapabilities); - LOG.debug("Checking for updated GdsInfo: secureMode={}, serviceName={}", isSecureMode, serviceName); + LOG.debug("Checking for updated GdsInfo: secureMode={}, user={}, serviceName={}", isSecureMode, user, serviceName); final Response response; 
@@ -988,21 +1003,21 @@ public ServiceGdsInfo getGdsInfoIfUpdated(long lastKnownVersion, long lastActiva if (response == null) { ret = null; - LOG.error("Error getting GdsInfo - received NULL response: secureMode={}, serviceName={}", isSecureMode, serviceName); + LOG.error("Error getting GdsInfo - received NULL response: secureMode={}, user={}, serviceName={}", isSecureMode, user, serviceName); } else if (response.getStatus() == HttpServletResponse.SC_NOT_MODIFIED) { ret = null; RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.debug("No change in GdsInfo: secureMode={}, response={}, serviceName={}, lastKnownGdsVersion={}, lastActivationTimeInMillis={}", - isSecureMode, resp, serviceName, lastKnownVersion, lastActivationTimeInMillis); + LOG.debug("No change in GdsInfo: secureMode={}, user={}, response={}, serviceName={}, lastKnownGdsVersion={}, lastActivationTimeInMillis={}", + isSecureMode, user, resp, serviceName, lastKnownVersion, lastActivationTimeInMillis); } else if (response.getStatus() == HttpServletResponse.SC_OK) { ret = JsonUtilsV2.readResponse(response, ServiceGdsInfo.class); } else if (response.getStatus() == HttpServletResponse.SC_NOT_FOUND) { ret = null; - LOG.error("Error getting GdsInfo - service not found: secureMode={}, response={}, serviceName={}, lastKnownGdsVersion={},lastActivationTimeInMillis={}", - isSecureMode, response.getStatus(), serviceName, lastKnownVersion, lastActivationTimeInMillis); + LOG.error("Error getting GdsInfo - service not found: secureMode={}, user={}, response={}, serviceName={}, lastKnownGdsVersion={},lastActivationTimeInMillis={}", + isSecureMode, user, response.getStatus(), serviceName, lastKnownVersion, lastActivationTimeInMillis); String exceptionMsg = response.hasEntity() ? response.readEntity(String.class) : null; 
@@ -1014,8 +1029,8 @@ public ServiceGdsInfo getGdsInfoIfUpdated(long lastKnownVersion, long lastActiva RESTResponse resp = RESTResponse.fromClientResponse(response); - LOG.warn("Error getting GdsInfo: unexpected status code {}: secureMode={}, response={}, serviceName={}", - response.getStatus(), isSecureMode, resp, serviceName); + LOG.warn("Error getting GdsInfo: unexpected status code {}: secureMode={}, user={}, response={}, serviceName={}", + response.getStatus(), isSecureMode, user, resp, serviceName); } LOG.debug("<== RangerAdminRESTClient.getGdsInfoIfUpdated({}, {}): ret={}", lastKnownVersion, lastActivationTimeInMillis, ret); @@ -1023,17 +1038,6 @@ public ServiceGdsInfo getGdsInfoIfUpdated(long lastKnownVersion, long lastActiva return ret; } - @Override - public boolean isAuthenticationEnabled() { - return (restClient != null && restClient.isAuthFilterPresent()) || super.isAuthenticationEnabled(); - } - - public void setJwtProvider(JwtProvider jwtProvider) { - if (restClient != null) { - restClient.setJwtProvider(jwtProvider); - } - } - private void init(String url, String sslConfigFileName, int restClientConnTimeOutMs, int restClientReadTimeOutMs, int restClientMaxRetryAttempts, int restClientRetryIntervalMs, Configuration config) { LOG.debug("==> RangerAdminRESTClient.init({}, {})", url, sslConfigFileName); diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java index db6668cda..234262504 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java 
@@ -23,8 +23,6 @@ import org.apache.ranger.admin.client.RangerAdminClient; import org.apache.ranger.admin.client.RangerAdminRESTClient; import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig; -import org.apache.ranger.plugin.authn.DefaultJwtProvider; -import org.apache.ranger.plugin.authn.JwtProvider; import org.apache.ranger.plugin.model.RangerPolicy; import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher; import org.apache.ranger.plugin.service.RangerAuthContext; @@ -42,14 +40,12 @@ public class RangerPluginContext { private final RangerPluginConfig config; private final Map<String, Map<RangerPolicy.RangerPolicyResource, RangerResourceMatcher>> resourceMatchers = new HashMap<>(); private final ReentrantReadWriteLock lock = new ReentrantReadWriteLock(true); // fair lock - private JwtProvider jwtProvider; private RangerAuthContext authContext; private RangerAuthContextListener authContextListener; private RangerAdminClient adminClient; public RangerPluginContext(RangerPluginConfig config) { this.config = config; - this.jwtProvider = new DefaultJwtProvider(config.getPropertyPrefix() + ".policy.rest.client", config); } public RangerPluginConfig getConfig() { @@ -155,9 +151,6 @@ public RangerAdminClient createAdminClient(RangerPluginConfig pluginConfig) { if (ret == null) { ret = new RangerAdminRESTClient(); - if (jwtProvider != null) { - ((RangerAdminRESTClient) ret).setJwtProvider(jwtProvider); - } } ret.init(pluginConfig.getServiceName(), pluginConfig.getAppId(), pluginConfig.getPropertyPrefix(), pluginConfig); 
@@ -170,19 +163,6 @@ public RangerAdminClient createAdminClient(RangerPluginConfig pluginConfig) { return ret; } - public void registerJWTProvider(JwtProvider jwtProvider) { - this.jwtProvider = jwtProvider; - - RangerAdminRESTClient restClient = (adminClient instanceof RangerAdminRESTClient) ? (RangerAdminRESTClient) adminClient : null; - if (restClient != null) { - restClient.setJwtProvider(jwtProvider); - } - } - - public JwtProvider getJwtProvider() { - return jwtProvider; - } - void cleanResourceMatchers() { LOG.debug("==> cleanResourceMatchers()"); diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java index 82292ad25..fac244d44 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java @@ -32,7 +32,6 @@ import org.apache.ranger.authorization.hadoop.config.RangerAuditConfig; import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig; import org.apache.ranger.authorization.utils.StringUtil; -import org.apache.ranger.plugin.authn.JwtProvider; import org.apache.ranger.plugin.contextenricher.RangerAdminGdsInfoRetriever; import org.apache.ranger.plugin.contextenricher.RangerAdminUserStoreRetriever; import org.apache.ranger.plugin.contextenricher.RangerContextEnricher; @@ -303,10 +302,6 @@ public static RangerResourceACLs getMergedResourceACLs(RangerResourceACLs baseAC return baseACLs; } - public void registerJwtProvider(JwtProvider jwtProvider) { - pluginContext.registerJWTProvider(jwtProvider); - } - public String getServiceType() { return pluginConfig.getServiceType(); } diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java index fec6cde0a..da471e0c5 100644 
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java @@ -151,10 +151,6 @@ public String getPassword() { return mPassword; } - public boolean isAuthFilterPresent() { - return jwtAuthFilter != null || basicAuthFilter != null; - } - public int getRestClientConnTimeOutMs() { return mRestClientConnTimeOutMs; } diff --git a/agents-common/src/test/java/org/apache/ranger/admin/client/TestAbstractRangerAdminClient.java b/agents-common/src/test/java/org/apache/ranger/admin/client/TestAbstractRangerAdminClient.java index 549051b7d..550983ee3 100644 --- a/agents-common/src/test/java/org/apache/ranger/admin/client/TestAbstractRangerAdminClient.java +++ b/agents-common/src/test/java/org/apache/ranger/admin/client/TestAbstractRangerAdminClient.java @@ -95,13 +95,4 @@ public void test03_defaultNoOpMethodsReturnNullOrNoThrow() throws Exception { Assertions.assertNull(c.getUserStoreIfUpdated(1L, 2L)); Assertions.assertNull(c.getGdsInfoIfUpdated(1L, 2L)); } - - @Test - public void test04_isSecureEndpointAccess() { - DummyClient c = new DummyClient(); - Configuration cfg = new Configuration(false); - cfg.setBoolean("ranger.plugin.forceSecureEndpointAccess", true); - c.init("svc", "app", "ranger.plugin", cfg); - Assertions.assertTrue(c.isAuthenticationEnabled()); - } } diff --git a/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java b/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java index 991e9b255..a1e9c917b 100644 --- a/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java +++ b/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java 
@@ -28,6 +28,7 @@ import org.apache.commons.lang3.StringUtils; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.security.AccessControlException; +import org.apache.hadoop.security.UserGroupInformation; import org.apache.ranger.audit.provider.MiscUtil; import org.apache.ranger.authorization.utils.StringUtil; import org.apache.ranger.plugin.util.GrantRevokeRequest; @@ -286,7 +287,8 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon final RangerUserStore ret; final Response response; - final boolean isSecureMode = isAuthenticationEnabled(); + final UserGroupInformation user = MiscUtil.getUGILoginUser(); + final boolean isSecureMode = isKerberosEnabled(user); Map<String, String> queryParams = new HashMap<>(); queryParams.put(RangerRESTUtils.REST_PARAM_LAST_KNOWN_USERSTORE_VERSION, Long.toString(lastKnownUserStoreVersion)); @@ -296,6 +298,8 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES, pluginCapabilities); if (isSecureMode) { + LOG.debug("Checking UserStore updated as user: {}", user); + response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> { try { String relativeURL = RangerRESTUtils.REST_URL_SERVICE_SERCURE_GET_USERSTORE + serviceNameUrlParam; @@ -308,6 +312,8 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon return null; }); } else { + LOG.debug("Checking UserStore updated as user: {}", user); + String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GET_USERSTORE + serviceNameUrlParam; response = get(queryParams, relativeURL); 
@@ -315,12 +321,12 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon if (response == null || response.getStatus() == 304) { // NOT_MODIFIED if (response == null) { - LOG.error("Error getting UserStore; Received NULL response!!. secureMode={}, serviceName={}", isSecureMode, serviceName); + LOG.error("Error getting UserStore; Received NULL response!!. secureMode={}, user={}, serviceName={}", isSecureMode, user, serviceName); } else { String resp = response.hasEntity() ? response.readEntity(String.class) : null; - LOG.debug("No change in UserStore. secureMode={}, response={}, serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}", - isSecureMode, resp, serviceName, lastKnownUserStoreVersion, lastActivationTimeInMillis); + LOG.debug("No change in UserStore. secureMode={}, user={}, response={}, serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}", + isSecureMode, user, resp, serviceName, lastKnownUserStoreVersion, lastActivationTimeInMillis); } ret = null; @@ -331,8 +337,8 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon } else if (response.getStatus() == 404) { // NOT_FOUND ret = null; - LOG.error("Error getting UserStore; service not found. secureMode={}, response={}, serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}", - isSecureMode, response.getStatus(), serviceName, lastKnownUserStoreVersion, lastActivationTimeInMillis); + LOG.error("Error getting UserStore; service not found. secureMode={}, user={}, response={}, serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}", + isSecureMode, user, response.getStatus(), serviceName, lastKnownUserStoreVersion, lastActivationTimeInMillis); String exceptionMsg = response.hasEntity() ? response.readEntity(String.class) : null; 
@@ -342,8 +348,8 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon } else { String resp = response.hasEntity() ? response.readEntity(String.class) : null; - LOG.warn("Error getting UserStore. secureMode={}, response={}, serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}", - isSecureMode, resp, serviceName, lastKnownUserStoreVersion, lastActivationTimeInMillis); + LOG.warn("Error getting UserStore. secureMode={}, user={}, response={}, serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}", + isSecureMode, user, resp, serviceName, lastKnownUserStoreVersion, lastActivationTimeInMillis); ret = null; } @@ -595,7 +601,7 @@ private ServicePolicies getServicePoliciesIfUpdatedWithCred(final long lastKnown policyDownloadSessionId = null; body = response.readEntity(String.class); - LOG.warn("Unexpected: Received status[{}] with body[{}] form url[{}]", httpResponseCode, body, getRelativeURL(isAuthenticationEnabled())); + LOG.warn("Unexpected: Received status[{}] with body[{}] form url[{}]", httpResponseCode, body, getRelativeURL(isSecureMode())); break; } @@ -661,7 +667,7 @@ private ServicePolicies getServicePoliciesIfUpdatedWithCookie(final long lastKno isValidPolicyDownloadSessionCookie = false; body = response.readEntity(String.class); - LOG.warn("Unexpected: Received status[{}] with body[{}] form url[{}]", httpResponseCode, body, getRelativeURL(isAuthenticationEnabled())); + LOG.warn("Unexpected: Received status[{}] with body[{}] form url[{}]", httpResponseCode, body, getRelativeURL(isSecureMode())); break; } 
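Review bot: The WARN line in `getServicePoliciesIfUpdatedWithCred` (hunk `@@ -595,7 +601,7 @@`) builds its URL from a fresh `isSecureMode()` call, so it logs the URL that would be chosen now rather than the one the request was sent to. The two can differ if the login user's state changes between the request and the log statement. Deciding the mode once per download and reusing it keeps the message accurate, e.g. `final boolean secureMode = isSecureMode();` before the request and `getRelativeURL(secureMode)` in the log call. The message also reads `form url[{}]` where `from url[{}]` is meant. The same line appears in `@@ -661,7 +667,7 @@`, `@@ -798,7 +806,7 @@`, `@@ -998,7 +1008,7 @@` and `@@ -1065,7 +1075,7 @@`; all of these methods start outside their hunks.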
@@ -683,8 +689,10 @@ private Response getRangerAdminPolicyDownloadResponse(final long lastKnownVersio queryParams.put(RangerRESTUtils.REST_PARAM_SUPPORTS_POLICY_DELTAS, Boolean.toString(supportsPolicyDeltas)); queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES, pluginCapabilities); - if (isAuthenticationEnabled()) { - LOG.debug("Checking Service policy if updated"); + if (isSecureMode()) { + if (LOG.isDebugEnabled()) { + LOG.debug("Checking Service policy if updated as user : {}", MiscUtil.getUGILoginUser()); + } ret = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> get(queryParams, getRelativeURL(true), policyDownloadSessionId)); } else { @@ -798,7 +806,7 @@ private ServiceTags getServiceTagsIfUpdatedWithCred(final long lastKnownVersion, tagDownloadSessionId = null; body = response.readEntity(String.class); - LOG.warn("Unexpected: Received status[{}] with body[{}] form url[{}]", httpResponseCode, body, getRelativeURLForTagDownload(isAuthenticationEnabled())); + LOG.warn("Unexpected: Received status[{}] with body[{}] form url[{}]", httpResponseCode, body, getRelativeURLForTagDownload(isSecureMode())); break; } @@ -885,8 +893,10 @@ private Response getTagsDownloadResponse(final long lastKnownVersion, final long queryParams.put(RangerRESTUtils.REST_PARAM_SUPPORTS_TAG_DELTAS, Boolean.toString(supportsTagDeltas)); queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES, pluginCapabilities); - if (isAuthenticationEnabled()) { - LOG.debug("Checking Service tags if updated"); + if (isSecureMode()) { + if (LOG.isDebugEnabled()) { + LOG.debug("Checking Service tags if updated as user : {}", MiscUtil.getUGILoginUser()); + } ret = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> get(queryParams, getRelativeURLForTagDownload(true), tagDownloadSessionId)); } else { 
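Review bot: `getRangerAdminPolicyDownloadResponse` looks up the login user twice, once inside `isSecureMode()` and again for the debug argument, so the user that is logged is not necessarily the one the mode was decided on. `getUserStoreIfUpdated` in this same file resolves it once, and doing the same here also makes the `LOG.isDebugEnabled()` guard unnecessary: `final UserGroupInformation user = MiscUtil.getUGILoginUser();`, `if (isKerberosEnabled(user)) {`, `LOG.debug("Checking Service policy if updated as user : {}", user);`. The same pattern is added in `getTagsDownloadResponse` (`@@ -885,8 +893,10 @@`) and `getRoleDownloadResponse` (`@@ -1086,8 +1096,10 @@`). The methods start and end outside the hunks.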
@@ -998,7 +1008,7 @@ private RangerRoles getRangerRolesIfUpdatedWithCred(final long lastKnownRoleVers roleDownloadSessionId = null; body = response.readEntity(String.class); - LOG.warn("Unexpected: Received status[{}] with body[{}] form url[{}]", httpResponseCode, body, getRelativeURLForRoleDownload(isAuthenticationEnabled())); + LOG.warn("Unexpected: Received status[{}] with body[{}] form url[{}]", httpResponseCode, body, getRelativeURLForRoleDownload(isSecureMode())); break; } @@ -1065,7 +1075,7 @@ private RangerRoles getRangerRolesIfUpdatedWithCookie(final long lastKnownRoleVe isValidRoleDownloadSessionCookie = false; body = response.readEntity(String.class); - LOG.warn("Unexpected: Received status[{}] with body[{}] form url[{}]", httpResponseCode, body, getRelativeURLForRoleDownload(isAuthenticationEnabled())); + LOG.warn("Unexpected: Received status[{}] with body[{}] form url[{}]", httpResponseCode, body, getRelativeURLForRoleDownload(isSecureMode())); break; } @@ -1086,8 +1096,10 @@ private Response getRoleDownloadResponse(final long lastKnownRoleVersion, final queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId); queryParams.put(RangerRESTUtils.REST_PARAM_CLUSTER_NAME, clusterName); - if (isAuthenticationEnabled()) { - LOG.debug("Checking Roles if updated"); + if (isSecureMode()) { + if (LOG.isDebugEnabled()) { + LOG.debug("Checking Roles if updated as user : {}", MiscUtil.getUGILoginUser()); + } ret = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> get(queryParams, getRelativeURLForRoleDownload(true), roleDownloadSessionId)); } else { 
@@ -1146,6 +1158,10 @@ private void setCookieReceivedFromRoleDownloadSession(Response response) { } } + private boolean isSecureMode() { + return isKerberosEnabled(MiscUtil.getUGILoginUser()); + } + // We get date from the policy manager as unix long! This deserializer exists to deal with it. Remove this class once we start send date/time per RFC 3339 public static class GsonUnixDateDeserializer implements JsonDeserializer<Date> { @Override
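Review bot: The new private helper `isSecureMode()` has no comment, and its name hides that it re-reads the login user on every call. Callers in this file pass its result to `getRelativeURL(...)` and use it to decide whether to wrap the request in `MiscUtil.executePrivilegedAction`, so the contract is worth stating. I would add a Javadoc such as `/** Returns whether the current UGI login user is Kerberos-enabled; evaluated on every call, so callers that need a consistent answer should read it once. */`.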
