Ramachandran Krishnan created RANGER-5650:
---------------------------------------------

             Summary: KMS plugin: package Jackson/Jersey audit client JARs in 
kms.xml for audit-server delivery
                 Key: RANGER-5650
                 URL: https://issues.apache.org/jira/browse/RANGER-5650
             Project: Ranger
          Issue Type: Task
          Components: Ranger
            Reporter: Ramachandran Krishnan
            Assignee: Ramachandran Krishnan
             Fix For: 3.0.0


When KMS is configured to send audits to the audit-server / audit ingestor 
({{xasecure.audit.destination.auditserver=true}}), audit batch POSTs fail 
unless {{ranger-kms-plugin-impl}} includes a self-contained Jackson + Jersey 
client stack. The KMS Ranger plugin runs behind {{RangerPluginClassLoader}} 
inside the KMS Tomcat WAR; it cannot rely on the WAR’s {{WEB-INF/lib}} 
classpath for audit REST.
h3. Problem

Without the fix, KMS plugin audits fail at runtime with errors such as:
 * {{LinkageError}} / {{NoClassDefFoundError: JsonUtilsV2}} ({{ObjectMapper}} loader constraint violation)
 * {{ClassCastException}} on {{WadlAutoDiscoverable}} / Jersey ServiceLoader SPI
 * {{MultiException}} / HK2 injection failures on audit REST client
 * KMS HTTP 500 on key operations after plugin-impl classpath is misaligned

Audits do not reach the ingestor → Kafka → Solr pipeline; Admin Audit → Access 
shows no new {{dev_kms}} events.


h3. Root cause
||Aspect||Detail||
|Deployment|Built-in / Docker KMS embeds the plugin in {{ews/webapp/WEB-INF/lib/ranger-kms-plugin-impl/}} (assembly: {{distro/src/main/assembly/kms.xml}})|
|Classloader|{{RangerPluginClassLoader}} isolates plugin-impl from parent WAR classloader|
|WAR|KMS WAR also ships Jersey/Jackson for KMS REST — duplication in both places is intentional|
|Standalone tarball|{{plugin-kms.xml}} → external {{enable-kms-plugin.sh}} path — out of scope for built-in KMS fix|
h3. Proposed fix

Update {{distro/src/main/assembly/kms.xml}} only — whitelist audit client 
dependencies in the {{ranger-kms-plugin-impl}} dependency set:

Add to plugin-impl:
 * Jackson: {{jackson-annotations}}, {{jackson-core}}, {{jackson-databind}}, {{jackson-jaxrs-base}}, {{jackson-jaxrs-json-provider}}, {{jackson-module-jaxb-annotations}}
 * JAX-RS / inject: {{jakarta.ws.rs-api}}, {{javax.inject}}
 * Jersey: {{jersey-client}}, {{jersey-common}}, {{jersey-entity-filtering}}, {{jersey-media-json-jackson}}, {{jersey-hk2}}, {{jersey-server}}
 * HK2: {{hk2-api}}, {{hk2-locator}}, {{hk2-utils}}, {{hk2}}, {{hk2-core}}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
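
A packaging check for the whitelist in the issue above, added here as an example and not part of the Ranger code base: it reports which of the listed audit client artifacts are absent from a {{ranger-kms-plugin-impl}} listing and which appear in more than one version. The Maven-style {{<artifactId>-<version>.jar}} file naming, the function name and the sample listing (with made-up versions) are assumptions.

```python
import os
import re
import sys

# Artifact IDs the issue proposes adding to ranger-kms-plugin-impl.
REQUIRED_ARTIFACTS = [
    "jackson-annotations", "jackson-core", "jackson-databind",
    "jackson-jaxrs-base", "jackson-jaxrs-json-provider",
    "jackson-module-jaxb-annotations",
    "jakarta.ws.rs-api", "javax.inject",
    "jersey-client", "jersey-common", "jersey-entity-filtering",
    "jersey-media-json-jackson", "jersey-hk2", "jersey-server",
    "hk2-api", "hk2-locator", "hk2-utils", "hk2", "hk2-core",
]

# Constructed sample listing; the version numbers are placeholders.
SAMPLE = [
    "jackson-core-2.0.0.jar",
    "jackson-databind-2.0.0.jar",
    "jackson-databind-2.0.1.jar",   # second version of the same artifact
    "hk2-api-2.0.0.jar",
    "jersey-client-2.0.0.jar",
    "ranger-kms-plugin-1.0.0.jar",  # not on the whitelist, ignored
]


def audit_jar_report(jar_names):
    """Return (missing, duplicated) for a plugin-impl directory listing."""
    found = {artifact: [] for artifact in REQUIRED_ARTIFACTS}
    for name in jar_names:
        for artifact in REQUIRED_ARTIFACTS:
            # Assumption: files are named <artifactId>-<version>.jar.
            # Requiring a digit after the dash keeps "hk2" from matching
            # "hk2-api-..." or "hk2-core-...".
            pattern = re.escape(artifact) + r"-\d[\w.\-]*\.jar"
            if re.fullmatch(pattern, name):
                found[artifact].append(name)
    missing = [a for a in REQUIRED_ARTIFACTS if not found[a]]
    duplicated = {a: sorted(v) for a, v in found.items() if len(v) > 1}
    return missing, duplicated


if __name__ == "__main__":
    # Pass the plugin-impl directory as the argument; without one, use SAMPLE.
    names = os.listdir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    missing, duplicated = audit_jar_report(names)
    print("missing:", ", ".join(missing) or "none")
    print("multiple versions:", duplicated or "none")
```

Run against {{ews/webapp/WEB-INF/lib/ranger-kms-plugin-impl/}} of a built KMS distribution, an empty "missing" list means every artifact named in the proposed fix was packaged.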
