ramackri opened a new pull request, #1015: URL: https://github.com/apache/ranger/pull/1015
## Summary Fixes audit delivery failures for **Kafka** and **HBase** plugins when the audit destination is **auditserver** (Tier 3 / central audit pipeline). - **Kafka (RANGER-5642):** Whitelist the Glassfish Jersey REST/JSON client stack in `plugin-kafka.xml` so `RangerAuditServerDestination` can POST JSON audits without `MessageBodyWriter not found for media type=application/json`. - **HBase (RANGER-5644):** Same gap in `hbase-agent.xml` — add the missing Jersey HK2/JSON writer dependencies alongside the partial Jersey entries already present. Aligns Kafka/HBase packaging with plugins that already ship this stack for auditserver (HDFS, Hive, Ozone, Knox). ## Problem When `XAAUDIT.AUDITSERVER.ENABLE=true`, plugins use `RangerRESTClient` (Jersey 2) to send audits to the central audit ingestor. Ranger plugin assemblies **whitelist** dependencies explicitly into `lib/*-plugin-impl/`; transitive deps are not copied unless listed. Kafka and HBase included `ranger-audit-dest-auditserver` but were missing key Jersey runtime JARs. At runtime the plugin fails during audit init or first REST POST: ``` MessageBodyWriter not found for media type=application/json, type=class org.apache.ranger.audit.model.AuthAuditEvent, genericType=class org.apache.ranger.audit.model.AuthAuditEvent ``` | Plugin | Symptom | Root cause | |--------|---------|------------| | Kafka | Audits never reach audit ingestor when auditserver destination enabled | `plugin-kafka.xml` lacked `jersey-client`, `jersey-common`, `jersey-hk2`, `javax.inject`, `jakarta.ws.rs-api` | | HBase | Same `MessageBodyWriter` error in RegionServer/Master logs | `hbase-agent.xml` had `jersey-client` + `jersey-common` only; missing HK2/JSON writer stack | **Not in scope:** [RANGER-5643](https://issues.apache.org/jira/browse/RANGER-5643) (Solr audit dispatcher Kerberos) and full multi-file Docker Compose Solr E2E wiring. ## Changes | Area | File | Change | |------|------|--------| | Kafka packaging | `distro/src/main/assembly/plugin-kafka.xml` | Add to `lib/ranger-kafka-plugin-impl` whitelist: `jersey-client`, `jersey-common`, `jersey-hk2`, `javax.inject`, `jakarta.ws.rs-api` | | HBase packaging | `distro/src/main/assembly/hbase-agent.xml` | Add to `lib/ranger-hbase-plugin-impl` whitelist: `jersey-entity-filtering`, `jersey-hk2`, `jersey-media-json-jackson`, `javax.inject` | No Java source, POM, or plugin logic changes — packaging only. ## Related - Jira: [RANGER-5642](https://issues.apache.org/jira/browse/RANGER-5642) (Kafka) - Jira: [RANGER-5644](https://issues.apache.org/jira/browse/RANGER-5644) (HBase) - Prior auditserver packaging fixes: RANGER-5632 (#999), Ozone/Knox Jersey whitelist (#1006 / RANGER-5637) ## Test plan - [x] Assembly XML static check — confirmed `plugin-kafka.xml` and `hbase-agent.xml` list required Jersey artifacts (`jersey-client`, `jersey-common`, `jersey-hk2`, `jersey-media-json-jackson`, `javax.inject`, etc.) - [ ] Rebuild Kafka/HBase plugin tarballs after merge: ```bash mvn package -Pranger-kafka-plugin -pl :ranger-kafka-plugin -am -DskipTests mvn package -Pranger-hbase-plugin -pl :ranger-hbase-plugin -am -DskipTests ``` - [ ] Confirm fat tarballs (multi-MB) contain Jersey + auditserver JARs under `lib/*-plugin-impl/`: ```bash tar tzf target/ranger-*-kafka-plugin.tar.gz | grep -E 'plugin-impl/(jersey|ranger-audit-dest-auditserver|javax\.inject)' tar tzf target/ranger-*-hbase-plugin.tar.gz | grep -E 'plugin-impl/(jersey|ranger-audit-dest-auditserver|javax\.inject)' ``` - [ ] Enable auditserver destination; generate access events; confirm no `MessageBodyWriter` in plugin logs and audits reach audit ingestor ## Notes for reviewers - Same class of fix as Ozone/Knox Jersey whitelist changes (#1006). - Customers must rebuild and redeploy Kafka/HBase plugin tarballs after merge. Made with [Cursor](https://cursor.com) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
