Ramachandran Krishnan created RANGER-5661:
---------------------------------------------

             Summary: Fix Kafka plugin packaging for broker-delegate classloading on Kafka 3.9+
                 Key: RANGER-5661
                 URL: https://issues.apache.org/jira/browse/RANGER-5661
             Project: Ranger
          Issue Type: Task
          Components: Ranger
            Reporter: Ramachandran Krishnan
            Assignee: Ramachandran Krishnan
             Fix For: 3.0.0


h3. Summary

{{RangerKafkaAuthorizer}} fails to start on Kafka 3.9.x when the assembled 
{{ranger-kafka-plugin-impl}} ships jars already provided by the broker 
classpath (Jackson, Jersey/HK2, {{kafka-clients}}, SLF4J/log4j, JAX-RS 
APIs). This causes {{LinkageError}}, {{ClassCastException}}, or policy 
REST client failures during broker startup.

This ticket fixes the *upstream packaging* so the plugin tarball is complete 
and the impl directory uses a *broker-delegate* model: shim + classloader on 
the broker classpath, implementation jars without duplicate broker libraries.

h3. Problem
 * {{plugin-kafka.xml}} assembly references {{plugin-kafka/template/}} for 
{{install/conf.templates/default}}, but the template directory was never 
committed — tarball assembly / {{enable-kafka-plugin.sh}} can be incomplete 
(same class of issue as YARN in RANGER-5660).
 * {{ranger-kafka-plugin-impl}} currently bundles dependencies that Kafka 3.9 
already loads (notably Jackson 2.16, Jersey 2.x, HK2, {{kafka-clients}}, 
SLF4J, reload4j/log4j).
 * Without excluding *both* {{javax.ws.rs:javax.ws.rs-api}} and 
{{jakarta.ws.rs:jakarta.ws.rs-api}}, the plugin classloader can still 
resolve a different JAX-RS API than the broker, causing {{ClassCastException}} 
on Jersey types even when Jackson/Jersey jars are excluded.

h3. Proposed fix (upstream)
||File||Change||
|{{plugin-kafka/template/configuration.xml}}|*Add* empty Hadoop-style template so assembly produces {{install/conf.templates/default/configuration.xml}}|
|{{distro/src/main/assembly/plugin-kafka.xml}}|*Exclude* broker-supplied artifacts from {{ranger-kafka-plugin-impl}}: Jackson (*), Jersey (*), HK2 (*), {{kafka-clients}}, SLF4J (*), log4j/reload4j (*), {{javax.ws.rs-api}}, {{jakarta.ws.rs-api}}|

h3. Design notes
 * Kafka uses *broker-delegate* classloading (exclude host jars from impl; 
child-first plugin classloader falls back to broker classpath). This differs 
from HDFS/YARN, which keep Jackson in impl with child-first classloader.

h3. Manual testing

Tested on Kafka *3.9.1* with Kerberos ({{SASL_PLAINTEXT}}) and 
{{authorizer.class.name=org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer}}.
 # {{mvn package -Pranger-kafka-plugin}} (distro assembly) completed 
successfully.
 # Assembled {{ranger-*-kafka-plugin.tar.gz}} contains 
{{install/conf.templates/enable/}} and 
{{install/conf.templates/default/configuration.xml}}.
 # {{ranger-kafka-plugin-impl}} contains *no* jackson, jersey, hk2, 
{{kafka-clients}}, slf4j, reload4j/log4j, or ws.rs API jars 
(broker-delegated).
 # Kafka broker started cleanly with {{RangerKafkaAuthorizer}} enabled (no 
{{LinkageError}} / {{ClassCastException}} on startup).
 # Authorization: {{testuser2}} console produce to a restricted topic → 
*denied*; {{testuser1}} with allow policy → *allowed*.

h3. Acceptance criteria
 * Kafka plugin tarball includes complete {{conf.templates}} from assembly
 * Clean Kafka 3.9.x broker startup with {{RangerKafkaAuthorizer}}
 * No duplicate broker classpath libraries in {{ranger-kafka-plugin-impl}}
 * Topic publish/consume authorization enforced per Ranger policies
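
The "no duplicate broker classpath libraries" criterion (manual-testing step 3) can be checked mechanically. The script below is an added example, not part of the ticket or the Ranger code base; it also goes beyond the ticket's fixed list by flagging any artifact found in both the broker libs directory and the impl directory. The jar-name patterns, function names and sample file names are assumptions.

```sh
#!/bin/sh
# Added example (not from the Ranger project): check that a
# ranger-kafka-plugin-impl directory bundles no jar the broker already supplies.

# Assumed jar-name patterns (version stripped) for the ticket's exclusion list.
BROKER_SUPPLIED='^(jackson-|jersey-|hk2-|slf4j-|log4j|reload4j$|kafka-clients$|javax\.ws\.rs-api$|jakarta\.ws\.rs-api$)'

# List artifact names in directory $1, dropping "-<version>" and ".jar".
artifact_names() {
  for j in "$1"/*.jar; do
    [ -e "$j" ] || continue
    basename "$j" | sed -E 's/(-[0-9].*)?\.jar$//'
  done | sort -u
}

# Artifacts in impl dir $1 that match the ticket's exclusion list.
listed_offenders() {
  artifact_names "$1" | grep -E "$BROKER_SUPPLIED" || true
}

# Generalization: any artifact present in both broker libs $1 and impl dir $2.
overlap_with_broker() {
  broker=$(artifact_names "$1")
  [ -n "$broker" ] || return 0
  artifact_names "$2" | grep -Fx -e "$broker" || true
}

# Exit status 0 when the impl dir is clean, 1 when duplicates are found.
check_impl_dir() {  # $1 = broker libs dir, $2 = plugin impl dir
  bad=$( { listed_offenders "$2"; overlap_with_broker "$1" "$2"; } | sort -u )
  [ -z "$bad" ] && return 0
  echo "$bad" | sed 's/^/bundled but broker-supplied: /' >&2
  return 1
}

# Constructed sample layout (file names are illustrative, not from the ticket).
make_sample() {  # $1 = scratch dir
  mkdir -p "$1/libs" "$1/impl-bad" "$1/impl-good"
  touch "$1/libs/kafka-clients-3.9.1.jar" "$1/libs/jackson-databind-2.16.2.jar" \
        "$1/libs/commons-lang3-3.12.0.jar"
  touch "$1/impl-good/ranger-kafka-plugin-3.0.0.jar"
  touch "$1/impl-bad/ranger-kafka-plugin-3.0.0.jar" \
        "$1/impl-bad/jackson-databind-2.15.0.jar" \
        "$1/impl-bad/javax.ws.rs-api-2.1.1.jar" "$1/impl-bad/commons-lang3-3.9.jar"
}
```

Source the file and run {{check_impl_dir <broker libs dir> <ranger-kafka-plugin-impl dir>}}; a non-zero status means the impl directory still carries a jar that the broker classpath provides.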

h2. Related work
 * RANGER-5660 — analogous YARN plugin packaging / {{conf.templates}} / 
enable-path fix



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
