ramackri opened a new pull request, #1017: URL: https://github.com/apache/ranger/pull/1017
## Summary

Fixes HTTP **403** failures when Ranger Docker plugins send audits to audit-ingestor with the audit-server destination enabled ([RANGER-5645](https://issues.apache.org/jira/browse/RANGER-5645)). This is **authorization**, not authentication — Kerberos/SPNEGO succeeds; ingestor rejects the request because the mapped service short name is missing from `ranger.audit.ingestor.service.<repo>.allowed.users`.

- Add complete `allowed.users` entries in shipped `ranger-audit-ingestor-site.xml` for all Docker Policy Manager repos
- Extend `auth_to_local` rules so service principals map to the same short names as `policy.download.auth.users`
- Align `create-ranger-services.py` (Ozone `ozone,om,scm,dn`; add `dev_atlas`, `dev_kudu`, `dev_nifi`)
- Add troubleshooting doc: `audit-server/README-AUDIT-INGESTOR-SERVICE-ALLOWLIST.md`

## Problem

Plugins POST to `/audit/access?serviceName=<repo>`. Without a matching allowlist entry, ingestor returns:

```
HTTP status: 403, Response: {"message":"User is not authorized to send audit events",...}
```

**Example (Kafka):** `dev_kafka` needs `ranger.audit.ingestor.service.dev_kafka.allowed.users=kafka`

**Example (KMS):** ingestor log: `Unauthorized user: user=rangerkms ... service=dev_kms` → needs `allowed.users=rangerkms`

| HTTP | Meaning |
|------|---------|
| **401** | Kerberos/SPNEGO auth failed |
| **403** | Auth OK; user not on allowlist for that repo |

## Changes

| File | Change |
|------|--------|
| `audit-server/audit-ingestor/.../ranger-audit-ingestor-site.xml` | Add `allowed.users` for 13 Docker repos + plugin `auth_to_local` rules |
| `dev-support/ranger-docker/scripts/admin/create-ranger-services.py` | Ozone multi-user; Atlas/Kudu/NiFi services |
| `audit-server/README-AUDIT-INGESTOR-SERVICE-ALLOWLIST.md` | Troubleshooting guide (401 vs 403, root causes, verification) |
| `audit-server/scripts/README.md` | Link to allowlist troubleshooting doc |

### Shipped allowlist (Docker dev repos)

| Repo | `allowed.users` |
|------|-----------------|
| `dev_hdfs` | `hdfs` |
| `dev_yarn` | `yarn` |
| `dev_hive` | `hive` |
| `dev_hbase` | `hbase` |
| `dev_kafka` | `kafka` |
| `dev_knox` | `knox` |
| `dev_kms` | `rangerkms` |
| `dev_trino` | `trino` |
| `dev_ozone` | `ozone,om,scm,dn` |
| `dev_solr` | `solr` |
| `dev_atlas` | `atlas` |
| `dev_kudu` | `kudu` |
| `dev_nifi` | `nifi` |

No Java source changes — config and documentation only.

## Test plan

- [ ] Rebuild/redeploy audit-ingestor from updated site XML
- [ ] Restart audit-ingestor pod/container
- [ ] Run `create-ranger-services.py` in Docker (idempotent)
- [ ] Trigger audits from Kafka plugin → no 403 in plugin logs
- [ ] Trigger audits from KMS plugin → no 403; ingestor accepts `rangerkms` for `dev_kms`
- [ ] Verify ingestor log shows no `Unauthorized user` for configured repos
- [ ] (Optional) Confirm audits reach Kafka/Solr downstream

## Related

- Jira: [RANGER-5645](https://issues.apache.org/jira/browse/RANGER-5645)
- Doc: `audit-server/README-AUDIT-INGESTOR-SERVICE-ALLOWLIST.md`

Made with [Cursor](https://cursor.com)

--
This is an automated message from the Apache Git Service.
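A small verification helper, added here and not part of the PR or of Ranger's own code, that mirrors the allowlist decision the PR describes: it reads the `ranger.audit.ingestor.service.<repo>.allowed.users` properties from a site XML, decides whether a Kerberos-mapped short name is authorized for a given `serviceName` (the 403 case), and turns `Unauthorized user` ingestor log lines into the entries that still need adding, which is the check the test plan calls for. The Hadoop-style `<property>` layout of the XML, the exact log-line format and the sample values are assumptions based on the PR text.

```python
import re
import xml.etree.ElementTree as ET

PREFIX = "ranger.audit.ingestor.service."
SUFFIX = ".allowed.users"

# Constructed sample in the shape of ranger-audit-ingestor-site.xml (Hadoop-style
# <property> elements); dev_kms is deliberately absent to reproduce the 403 case.
SITE_XML = """<configuration>
  <property><name>ranger.audit.ingestor.service.dev_kafka.allowed.users</name><value>kafka</value></property>
  <property><name>ranger.audit.ingestor.service.dev_ozone.allowed.users</name><value>ozone,om,scm,dn</value></property>
</configuration>"""

# Constructed ingestor log lines in the shape quoted in the PR description.
LOG_LINES = [
    "Unauthorized user: user=rangerkms ... service=dev_kms",
    "Unauthorized user: user=kafka ... service=dev_kafka",  # stale line: kafka is already listed
]

UNAUTH_RE = re.compile(r"Unauthorized user: user=(\S+).*?service=(\S+)")

def load_allowlists(xml_text):
    """Map repo -> set of short names from the <repo>.allowed.users properties."""
    allow = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        value = prop.findtext("value") or ""
        if name.startswith(PREFIX) and name.endswith(SUFFIX):
            repo = name[len(PREFIX):-len(SUFFIX)]
            allow[repo] = {u.strip() for u in value.split(",") if u.strip()}
    return allow

def is_authorized(allow, service_name, short_name):
    """The 403 decision: the Kerberos-mapped short name must be listed for that repo."""
    return short_name in allow.get(service_name, set())

def missing_entries(allow, log_lines):
    """Turn 'Unauthorized user' log lines into the (repo, user) pairs still unlisted."""
    missing = set()
    for line in log_lines:
        m = UNAUTH_RE.search(line)
        if m and not is_authorized(allow, m.group(2), m.group(1)):
            missing.add((m.group(2), m.group(1)))
    return sorted(missing)

if __name__ == "__main__":
    # Print the property that would have to be added for each 403 seen in the log.
    allow = load_allowlists(SITE_XML)
    for repo, user in missing_entries(allow, LOG_LINES):
        print(f"<property><name>{PREFIX}{repo}{SUFFIX}</name><value>{user}</value></property>")
```

A 401 in the plugin log is not covered by this check: that is the SPNEGO step failing before the allowlist is consulted, as the PR's HTTP table notes.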
