ramackri commented on PR #1006:
URL: https://github.com/apache/ranger/pull/1006#issuecomment-4667975577
## Knox packaging & Java 17 — clarification for reviewers
`plugins-docker-build` had **two separate Knox issues**; the Jersey/HK2 JARs
and the JDK 17 SSL startup fix address different problems.
### 1. Java 17 + Knox 2.0.0 (gateway won't start)
Knox 2.0.0 fails on JDK 17 during SSL keystore generation:
```
IllegalAccessException: ... cannot access class
sun.security.x509.X509CertInfo
(module java.base does not export sun.security.x509 to unnamed module)
```
Knox 2.0.0 predates upstream **KNOX-3210**, which adds JDK 17
`--add-exports` / `--add-opens` in `knox-functions.sh`. We source
`knox-jdk17-env.sh` from `knox-env.sh` with the same flags newer Knox releases
add automatically (`8268e4b79`).
### 2. Auditserver packaging gap (runtime classpath)
Docker Knox enables auditserver in `ranger-knox-plugin-install.properties`:
```
XAAUDIT.AUDITSERVER.ENABLE=true
```
The auditserver destination (`RangerAuditServerDestination`) posts audits
via `RangerRESTClient` → **Glassfish Jersey 2** client. Plugin tarballs use an
**explicit dependency whitelist** in `knox-agent.xml`; only JARs listed under
`<includes>` are copied to `lib/ranger-knox-plugin-impl/`.

| JAR group | Why it's needed |
|-----------|-----------------|
| `jersey-client`, `jersey-common`, `jersey-entity-filtering` | JAX-RS HTTP client core |
| `jersey-hk2` + `hk2-api` / `hk2-locator` / `hk2-utils` / `aopalliance-repackaged` | Jersey 2 injection (replaces Jersey 1.x wiring) |
| `javax.inject` | `@Inject` API used by HK2 |
| `jersey-media-json-jackson` + Jackson JAX-RS jars | JSON serialization for audit POST bodies |
| `jetty-client` | HTTP transport for Jersey client |

This is the same stack already whitelisted in `hdfs-agent.xml`,
`hive-agent.xml`, `storm-agent.xml`, and `pdp.xml`.
**RANGER-5632 context:** #999 removed `ranger-audit-dest-solr` /
`ranger-audit-dest-hdfs` from plugin assemblies. Knox never had Jersey
explicitly whitelisted before this PR — unlike HDFS/Hive. So this change brings
Knox in line with other auditserver-enabled plugins; it is not "5632 deleted
Jersey from the whitelist."
**Without the packaging fix:** gateway may still start (audit classes load
lazily), but audit delivery fails at runtime with `ClassNotFoundException` for
`org.glassfish.jersey.*` / `org.glassfish.hk2.*` — audits are silently dropped.
### Summary

| Fix | File | Addresses |
|-----|------|-----------|
| JDK 17 module exports | `scripts/knox/knox-jdk17-env.sh`, `ranger-knox-setup.sh` | Gateway crash on startup |
| Jersey/HK2/Jackson whitelist | `distro/src/main/assembly/knox-agent.xml` | Auditserver REST client classpath |
| Gateway log tail | `scripts/knox/ranger-knox.sh` | Faster CI diagnosis when gateway exits |
--
This is an automated message from the Apache Git Service.
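As an added check that is not code from the PR or from the Ranger project: a POSIX shell function that verifies a built plugin's `lib/ranger-knox-plugin-impl/` directory actually contains every JAR group from the whitelist table above, so the failure mode the comment describes (gateway starts, audit delivery later fails with `ClassNotFoundException` and audits are silently dropped) is caught at build or CI time rather than in production. The JAR name prefixes come from the table; the `make_fixture` helper, the version suffix and the script name are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the PR: check that a Ranger Knox plugin lib directory
# contains every Jersey 2 / HK2 / Jackson JAR group the auditserver destination
# needs at runtime. Missing JARs do not stop the gateway; they surface later as
# ClassNotFoundException in the audit path, so catching them at build time matters.

# JAR filename prefixes, one per group from the knox-agent.xml whitelist table.
# Each is matched as <prefix>-<version>.jar (e.g. jersey-client-2.x.jar).
REQUIRED_JAR_PREFIXES="jersey-client jersey-common jersey-entity-filtering \
jersey-hk2 hk2-api hk2-locator hk2-utils aopalliance-repackaged javax.inject \
jersey-media-json-jackson jetty-client"

# check_audit_classpath DIR
# Returns 0 when every prefix matches at least one JAR in DIR; otherwise
# prints the missing prefixes to stderr and returns 1.
check_audit_classpath() {
  libdir="$1"
  missing=""
  for prefix in $REQUIRED_JAR_PREFIXES; do
    # With no match the glob stays literal and ls fails, which is what we want.
    if ! ls "$libdir/$prefix"-*.jar >/dev/null 2>&1; then
      missing="$missing $prefix"
    fi
  done
  if [ -n "$missing" ]; then
    echo "auditserver classpath incomplete in $libdir:$missing" >&2
    return 1
  fi
  return 0
}

# make_fixture: constructed stand-in for a built plugin lib dir (empty files
# named like real JARs, version suffix is made up). Prints the directory path.
make_fixture() {
  dir=$(mktemp -d)
  for prefix in $REQUIRED_JAR_PREFIXES; do
    : > "$dir/$prefix-2.0.0.jar"
  done
  echo "$dir"
}

# Usage (hypothetical script name):
#   sh check-knox-audit-classpath.sh /path/to/lib/ranger-knox-plugin-impl
if [ $# -gt 0 ]; then
  check_audit_classpath "$1"
  exit $?
fi
```

Run it against the unpacked plugin tarball after `mvn package` and fail the build on a non-zero exit; because the check looks at file names only, it complements rather than replaces a real end-to-end audit test against a running gateway.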