[ 
https://issues.apache.org/jira/browse/RANGER-5650?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ramachandran Krishnan resolved RANGER-5650.
-------------------------------------------
    Resolution: Fixed

> KMS plugin: package Jackson/Jersey audit client JARs in kms.xml for 
> audit-server delivery
> -----------------------------------------------------------------------------------------
>
>                 Key: RANGER-5650
>                 URL: https://issues.apache.org/jira/browse/RANGER-5650
>             Project: Ranger
>          Issue Type: Task
>          Components: Ranger
>            Reporter: Ramachandran Krishnan
>            Assignee: Ramachandran Krishnan
>            Priority: Major
>             Fix For: 3.0.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> When KMS is configured to send audits to the audit-server / audit ingestor 
> ({{xasecure.audit.destination.auditserver=true}}), audit batch POSTs fail 
> unless {{ranger-kms-plugin-impl}} includes a self-contained Jackson + Jersey 
> client stack. The KMS Ranger plugin runs behind {{RangerPluginClassLoader}} 
> inside the KMS Tomcat WAR; it cannot rely on the WAR’s {{WEB-INF/lib}} 
> classpath for audit REST.
> h3. Problem
> Without the fix, KMS plugin audits fail at runtime with errors such as:
>  * {{LinkageError}} / {{NoClassDefFoundError: JsonUtilsV2}} 
> ({{ObjectMapper}} loader constraint violation)
>  * {{ClassCastException}} on {{WadlAutoDiscoverable}} / Jersey ServiceLoader 
> SPI
>  * {{MultiException}} / HK2 injection failures on audit REST client
>  * KMS HTTP 500 on key operations after plugin-impl classpath is misaligned
> Audits do not reach the ingestor → Kafka → Solr pipeline; Admin Audit → 
> Access shows no new {{dev_kms}} events.
> h3. Root cause
> ||Aspect||Detail||
> |Deployment|Built-in / Docker KMS embeds the plugin in 
> {{ews/webapp/WEB-INF/lib/ranger-kms-plugin-impl/}} (assembly: 
> {{distro/src/main/assembly/kms.xml}})|
> |Classloader|{{RangerPluginClassLoader}} isolates plugin-impl from parent WAR 
> classloader|
> |WAR|KMS WAR also ships Jersey/Jackson for KMS REST — duplication in both 
> places is intentional|
> |Standalone tarball|{{plugin-kms.xml}} → external {{enable-kms-plugin.sh}} 
> path — out of scope for built-in KMS fix|
> h3. Proposed fix
> Update {{distro/src/main/assembly/kms.xml}} only — whitelist audit client 
> dependencies in the {{ranger-kms-plugin-impl}} dependency set:
> Add to plugin-impl:
>  * Jackson: {{jackson-annotations}}, {{jackson-core}}, 
> {{jackson-databind}}, {{jackson-jaxrs-base}}, 
> {{jackson-jaxrs-json-provider}}, {{jackson-module-jaxb-annotations}}
>  * JAX-RS / inject: {{jakarta.ws.rs-api}}, {{javax.inject}}
>  * Jersey: {{jersey-client}}, {{jersey-common}}, 
> {{jersey-entity-filtering}}, {{jersey-media-json-jackson}}, 
> {{jersey-hk2}}, {{jersey-server}}
>  * HK2: {{hk2-api}}, {{hk2-locator}}, {{hk2-utils}}, {{hk2}}, 
> {{hk2-core}}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
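
A deployment check for the dependency list in the issue above, as an added example that is not part of the original message or of the Ranger code base: it reports which of the listed artifacts are absent from a `ranger-kms-plugin-impl` directory. The `<artifactId>-<version>.jar` file naming, the function names and the mixed-version check are assumptions of this example, and the JAR names in `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

# Artifact IDs from the issue's "Proposed fix" list.
REQUIRED = [
    "jackson-annotations", "jackson-core", "jackson-databind",
    "jackson-jaxrs-base", "jackson-jaxrs-json-provider",
    "jackson-module-jaxb-annotations",
    "jakarta.ws.rs-api", "javax.inject",
    "jersey-client", "jersey-common", "jersey-entity-filtering",
    "jersey-media-json-jackson", "jersey-hk2", "jersey-server",
    "hk2-api", "hk2-locator", "hk2-utils", "hk2", "hk2-core",
]

# <artifactId>-<version>.jar, where the version starts with a digit. Matching
# the whole artifactId keeps hk2-api-*.jar from satisfying the bare "hk2" entry.
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")

def artifacts_in(lib_dir):
    """Map artifactId -> sorted versions for every JAR directly in lib_dir."""
    found = {}
    for jar in Path(lib_dir).glob("*.jar"):
        m = JAR_RE.match(jar.name)
        if m:
            found.setdefault(m["artifact"], []).append(m["version"])
    return {a: sorted(v) for a, v in found.items()}

def check_plugin_impl(lib_dir):
    """Return (missing artifacts, artifacts present in more than one version)."""
    found = artifacts_in(lib_dir)
    missing = [a for a in REQUIRED if a not in found]
    mixed = {a: found[a] for a in REQUIRED if len(found.get(a, [])) > 1}
    return missing, mixed

def demo():
    """Constructed directory: jersey-hk2 and hk2 absent, two jackson-core JARs."""
    with tempfile.TemporaryDirectory() as d:
        for a in REQUIRED:
            if a not in ("jersey-hk2", "hk2"):
                (Path(d) / f"{a}-1.0.0.jar").touch()
        (Path(d) / "jackson-core-2.0.0.jar").touch()
        return check_plugin_impl(d)

if __name__ == "__main__":
    missing, mixed = demo()
    print("missing:", missing)
    print("mixed versions:", mixed)
```

On a built-in KMS install, point `check_plugin_impl` at `ews/webapp/WEB-INF/lib/ranger-kms-plugin-impl/` under the KMS home; an empty `missing` list means every artifact named in the issue is packaged there.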
