RANGER-5488: Allow clients to access secure API endpoints in Ranger admin forcibly via config

Author: kumaab

agents-common/src/main/java/org/apache/ranger/admin/client/AbstractRangerAdminClient.java

@@ -23,6 +23,7 @@
 import com.google.gson.GsonBuilder;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.ranger.audit.provider.MiscUtil;
 import org.apache.ranger.plugin.model.RangerRole;
 import org.apache.ranger.plugin.util.GrantRevokeRequest;
 import org.apache.ranger.plugin.util.GrantRevokeRoleRequest;
@@ -42,6 +43,7 @@ public abstract class AbstractRangerAdminClient implements RangerAdminClient {
     protected Gson gson;
 
     private boolean forceNonKerberos;
+    private boolean forceSecureEndpointAccess;
 
     @Override
     public void init(String serviceName, String appId, String configPropertyPrefix, Configuration config) {
@@ -54,7 +56,8 @@ public void init(String serviceName, String appId, String configPropertyPrefix,
         }
 
         this.gson             = gson;
-        this.forceNonKerberos = config.getBoolean(configPropertyPrefix + ".forceNonKerberos", false);
+        this.forceNonKerberos          = config.getBoolean(configPropertyPrefix + ".forceNonKerberos", false);
+        this.forceSecureEndpointAccess = config.getBoolean(configPropertyPrefix + ".forceSecureEndpointAccess", false);
     }
 
     @Override
@@ -127,12 +130,21 @@ public ServiceGdsInfo getGdsInfoIfUpdated(long lastKnownVersion, long lastActiva
         return null;
     }
 
+    public boolean isAuthenticationEnabled() {
+        return forceSecureEndpointAccess || isKerberosEnabled();
+    }
+
+    public boolean isKerberosEnabled() {
+        return isKerberosEnabled(MiscUtil.getUGILoginUser());
+    }
+
     public boolean isKerberosEnabled(UserGroupInformation user) {
         final boolean ret;
 
         if (forceNonKerberos) {
             ret = false;
         } else {
+            LOG.debug("UGI user: {}", user);
             ret = user != null && UserGroupInformation.isSecurityEnabled() && user.hasKerberosCredentials();
         }
 

agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java

@@ -23,8 +23,6 @@
 import org.apache.ranger.admin.client.RangerAdminClient;
 import org.apache.ranger.admin.client.RangerAdminRESTClient;
 import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
-import org.apache.ranger.plugin.authn.DefaultJwtProvider;
-import org.apache.ranger.plugin.authn.JwtProvider;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
 import org.apache.ranger.plugin.service.RangerAuthContext;
@@ -42,14 +40,12 @@ public class RangerPluginContext {
     private final RangerPluginConfig                                                         config;
     private final Map<String, Map<RangerPolicy.RangerPolicyResource, RangerResourceMatcher>> resourceMatchers = new HashMap<>();
     private final ReentrantReadWriteLock                                                     lock             = new ReentrantReadWriteLock(true); // fair lock
-    private       JwtProvider                                                                jwtProvider;
     private       RangerAuthContext                                                          authContext;
     private       RangerAuthContextListener                                                  authContextListener;
     private       RangerAdminClient                                                          adminClient;
 
     public RangerPluginContext(RangerPluginConfig config) {
         this.config = config;
-        this.jwtProvider = new DefaultJwtProvider(config.getPropertyPrefix() + ".policy.rest.client", config);
     }
 
     public RangerPluginConfig getConfig() {
@@ -155,9 +151,6 @@ public RangerAdminClient createAdminClient(RangerPluginConfig pluginConfig) {
 
         if (ret == null) {
             ret = new RangerAdminRESTClient();
-            if (jwtProvider != null) {
-                ((RangerAdminRESTClient) ret).setJwtProvider(jwtProvider);
-            }
         }
 
         ret.init(pluginConfig.getServiceName(), pluginConfig.getAppId(), pluginConfig.getPropertyPrefix(), pluginConfig);
@@ -170,19 +163,6 @@ public RangerAdminClient createAdminClient(RangerPluginConfig pluginConfig) {
         return ret;
     }
 
-    public void registerJWTProvider(JwtProvider jwtProvider) {
-        this.jwtProvider = jwtProvider;
-
-        RangerAdminRESTClient restClient = (adminClient instanceof RangerAdminRESTClient) ? (RangerAdminRESTClient) adminClient : null;
-        if (restClient != null) {
-            restClient.setJwtProvider(jwtProvider);
-        }
-    }
-
-    public JwtProvider getJwtProvider() {
-        return jwtProvider;
-    }
-
     void cleanResourceMatchers() {
         LOG.debug("==> cleanResourceMatchers()");
 

agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java

@@ -32,7 +32,6 @@
 import org.apache.ranger.authorization.hadoop.config.RangerAuditConfig;
 import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
 import org.apache.ranger.authorization.utils.StringUtil;
-import org.apache.ranger.plugin.authn.JwtProvider;
 import org.apache.ranger.plugin.contextenricher.RangerAdminGdsInfoRetriever;
 import org.apache.ranger.plugin.contextenricher.RangerAdminUserStoreRetriever;
 import org.apache.ranger.plugin.contextenricher.RangerContextEnricher;
@@ -303,10 +302,6 @@ public static RangerResourceACLs getMergedResourceACLs(RangerResourceACLs baseAC
         return baseACLs;
     }
 
-    public void registerJwtProvider(JwtProvider jwtProvider) {
-        pluginContext.registerJWTProvider(jwtProvider);
-    }
-
     public String getServiceType() {
         return pluginConfig.getServiceType();
     }

agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java

@@ -98,6 +98,7 @@ public class RangerRESTClient {
     private          String       mPassword;
     private          boolean      mIsSSL;
     private          String       jwt;
+    private          String       authHeader;
     private          String       mKeyStoreURL;
     private          String       mKeyStoreAlias;
     private          String       mKeyStoreFile;
@@ -151,6 +152,10 @@ public String getPassword() {
         return mPassword;
     }
 
+    public boolean isAuthHeaderPresent() {
+        return authHeader != null;
+    }
+
     public int getRestClientConnTimeOutMs() {
         return mRestClientConnTimeOutMs;
     }
@@ -278,7 +283,6 @@ public boolean verify(String urlHostName, SSLSession session) {
         // Validate that MOXy prevention is properly configured
         RangerJersey2ClientBuilder.validateAntiMoxyConfiguration(config);
 
-        final String authHeader;
         if (StringUtils.isNotEmpty(jwt)) { // use JWT if present
             authHeader = JWT_HEADER_PREFIX + jwt;
             LOG.info("Registering JWT auth header in REST client");

agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java

@@ -95,4 +95,13 @@ public void test03_defaultNoOpMethodsReturnNullOrNoThrow() throws Exception {
         Assertions.assertNull(c.getUserStoreIfUpdated(1L, 2L));
         Assertions.assertNull(c.getGdsInfoIfUpdated(1L, 2L));
     }
+
+    @Test
+    void test04_isSecureEndpointAccess() {
+        DummyClient   c   = new DummyClient();
+        Configuration cfg = new Configuration(false);
+        cfg.setBoolean("ranger.plugin.forceSecureEndpointAccess", true);
+        c.init("svc", "app", "ranger.plugin", cfg);
+        Assertions.assertTrue(c.isAuthenticationEnabled());
+    }
 }

agents-common/src/test/java/org/apache/ranger/admin/client/TestAbstractRangerAdminClient.java

@@ -28,7 +28,6 @@
 import org.apache.commons.lang3.StringUtils;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.security.AccessControlException;
-import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.ranger.audit.provider.MiscUtil;
 import org.apache.ranger.authorization.utils.StringUtil;
 import org.apache.ranger.plugin.util.GrantRevokeRequest;
@@ -287,8 +286,7 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon
 
         final RangerUserStore      ret;
         final Response             response;
-        final UserGroupInformation user         = MiscUtil.getUGILoginUser();
-        final boolean              isSecureMode = isKerberosEnabled(user);
+        final boolean isSecureMode = isAuthenticationEnabled();
         Map<String, String>        queryParams  = new HashMap<>();
 
         queryParams.put(RangerRESTUtils.REST_PARAM_LAST_KNOWN_USERSTORE_VERSION, Long.toString(lastKnownUserStoreVersion));
@@ -298,8 +296,6 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon
         queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES, pluginCapabilities);
 
         if (isSecureMode) {
-            LOG.debug("Checking UserStore updated as user: {}", user);
-
             response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> {
                 try {
                     String relativeURL = RangerRESTUtils.REST_URL_SERVICE_SERCURE_GET_USERSTORE + serviceNameUrlParam;
@@ -312,21 +308,18 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon
                 return null;
             });
         } else {
-            LOG.debug("Checking UserStore updated as user: {}", user);
-
             String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GET_USERSTORE + serviceNameUrlParam;
 
             response = get(queryParams, relativeURL);
         }
 
         if (response == null || response.getStatus() == 304) { // NOT_MODIFIED
             if (response == null) {
-                LOG.error("Error getting UserStore; Received NULL response!!. secureMode={}, user={}, serviceName={}", isSecureMode, user, serviceName);
+                LOG.error("Error getting UserStore; Received NULL response!!. secureMode={}, serviceName={}", isSecureMode, serviceName);
             } else {
                 String resp = response.hasEntity() ? response.readEntity(String.class) : null;
 
-                LOG.debug("No change in UserStore. secureMode={}, user={}, response={}, serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}",
-                        isSecureMode, user, resp, serviceName, lastKnownUserStoreVersion, lastActivationTimeInMillis);
+                LOG.debug("No change in UserStore. secureMode={}, response={}, serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}", isSecureMode, resp, serviceName, lastKnownUserStoreVersion, lastActivationTimeInMillis);
             }
 
             ret = null;
@@ -337,8 +330,7 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon
         } else if (response.getStatus() == 404) { // NOT_FOUND
             ret = null;
 
-            LOG.error("Error getting UserStore; service not found. secureMode={}, user={}, response={}, serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}",
-                    isSecureMode, user, response.getStatus(), serviceName, lastKnownUserStoreVersion, lastActivationTimeInMillis);
+            LOG.error("Error getting UserStore; service not found. secureMode={}, response={}, serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}", isSecureMode, response.getStatus(), serviceName, lastKnownUserStoreVersion, lastActivationTimeInMillis);
 
             String exceptionMsg = response.hasEntity() ? response.readEntity(String.class) : null;
 
@@ -348,8 +340,7 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon
         } else {
             String resp = response.hasEntity() ? response.readEntity(String.class) : null;
 
-            LOG.warn("Error getting UserStore. secureMode={}, user={}, response={}, serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}",
-                    isSecureMode, user, resp, serviceName, lastKnownUserStoreVersion, lastActivationTimeInMillis);
+            LOG.warn("Error getting UserStore. secureMode={}, response={}, serviceName={}, lastKnownUserStoreVersion={}, lastActivationTimeInMillis={}", isSecureMode, resp, serviceName, lastKnownUserStoreVersion, lastActivationTimeInMillis);
 
             ret = null;
         }
@@ -601,7 +592,7 @@ private ServicePolicies getServicePoliciesIfUpdatedWithCred(final long lastKnown
                 policyDownloadSessionId = null;
                 body                    = response.readEntity(String.class);
 
-                LOG.warn("Unexpected: Received status[{}] with body[{}] form url[{}]", httpResponseCode, body, getRelativeURL(isSecureMode()));
+                LOG.warn("Unexpected: Received status[{}] with body[{}] form url[{}]", httpResponseCode, body, getRelativeURL(isAuthenticationEnabled()));
                 break;
         }
 
@@ -667,7 +658,7 @@ private ServicePolicies getServicePoliciesIfUpdatedWithCookie(final long lastKno
                 isValidPolicyDownloadSessionCookie = false;
                 body                               = response.readEntity(String.class);
 
-                LOG.warn("Unexpected: Received status[{}] with body[{}] form url[{}]", httpResponseCode, body, getRelativeURL(isSecureMode()));
+                LOG.warn("Unexpected: Received status[{}] with body[{}] form url[{}]", httpResponseCode, body, getRelativeURL(isAuthenticationEnabled()));
                 break;
         }
 
@@ -689,10 +680,8 @@ private Response getRangerAdminPolicyDownloadResponse(final long lastKnownVersio
         queryParams.put(RangerRESTUtils.REST_PARAM_SUPPORTS_POLICY_DELTAS, Boolean.toString(supportsPolicyDeltas));
         queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES, pluginCapabilities);
 
-        if (isSecureMode()) {
-            if (LOG.isDebugEnabled()) {
-                LOG.debug("Checking Service policy if updated as user : {}", MiscUtil.getUGILoginUser());
-            }
+        if (isAuthenticationEnabled()) {
+            LOG.debug("Checking Service policy if updated");
 
             ret = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> get(queryParams, getRelativeURL(true), policyDownloadSessionId));
         } else {
@@ -806,7 +795,7 @@ private ServiceTags getServiceTagsIfUpdatedWithCred(final long lastKnownVersion,
                 tagDownloadSessionId = null;
                 body                 = response.readEntity(String.class);
 
-                LOG.warn("Unexpected: Received status[{}] with body[{}] form url[{}]", httpResponseCode, body, getRelativeURLForTagDownload(isSecureMode()));
+                LOG.warn("Unexpected: Received status[{}] with body[{}] form url[{}]", httpResponseCode, body, getRelativeURLForTagDownload(isAuthenticationEnabled()));
                 break;
         }
 
@@ -893,10 +882,8 @@ private Response getTagsDownloadResponse(final long lastKnownVersion, final long
         queryParams.put(RangerRESTUtils.REST_PARAM_SUPPORTS_TAG_DELTAS, Boolean.toString(supportsTagDeltas));
         queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES, pluginCapabilities);
 
-        if (isSecureMode()) {
-            if (LOG.isDebugEnabled()) {
-                LOG.debug("Checking Service tags if updated as user : {}", MiscUtil.getUGILoginUser());
-            }
+        if (isAuthenticationEnabled()) {
+            LOG.debug("Checking Service tags if updated");
 
             ret = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> get(queryParams, getRelativeURLForTagDownload(true), tagDownloadSessionId));
         } else {
@@ -1008,7 +995,7 @@ private RangerRoles getRangerRolesIfUpdatedWithCred(final long lastKnownRoleVers
                 roleDownloadSessionId = null;
                 body                  = response.readEntity(String.class);
 
-                LOG.warn("Unexpected: Received status[{}] with body[{}] form url[{}]", httpResponseCode, body, getRelativeURLForRoleDownload(isSecureMode()));
+                LOG.warn("Unexpected: Received status[{}] with body[{}] form url[{}]", httpResponseCode, body, getRelativeURLForRoleDownload(isAuthenticationEnabled()));
 
                 break;
         }
@@ -1075,7 +1062,7 @@ private RangerRoles getRangerRolesIfUpdatedWithCookie(final long lastKnownRoleVe
                 isValidRoleDownloadSessionCookie = false;
                 body                             = response.readEntity(String.class);
 
-                LOG.warn("Unexpected: Received status[{}] with body[{}] form url[{}]", httpResponseCode, body, getRelativeURLForRoleDownload(isSecureMode()));
+                LOG.warn("Unexpected: Received status[{}] with body[{}] form url[{}]", httpResponseCode, body, getRelativeURLForRoleDownload(isAuthenticationEnabled()));
 
                 break;
         }
@@ -1096,10 +1083,8 @@ private Response getRoleDownloadResponse(final long lastKnownRoleVersion, final
         queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId);
         queryParams.put(RangerRESTUtils.REST_PARAM_CLUSTER_NAME, clusterName);
 
-        if (isSecureMode()) {
-            if (LOG.isDebugEnabled()) {
-                LOG.debug("Checking Roles if updated as user : {}", MiscUtil.getUGILoginUser());
-            }
+        if (isAuthenticationEnabled()) {
+            LOG.debug("Checking Roles if updated");
 
             ret = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction<Response>) () -> get(queryParams, getRelativeURLForRoleDownload(true), roleDownloadSessionId));
         } else {
@@ -1158,10 +1143,6 @@ private void setCookieReceivedFromRoleDownloadSession(Response response) {
         }
     }
 
-    private boolean isSecureMode() {
-        return isKerberosEnabled(MiscUtil.getUGILoginUser());
-    }
-
     // We get date from the policy manager as unix long!  This deserializer exists to deal with it.  Remove this class once we start send date/time per RFC 3339
     public static class GsonUnixDateDeserializer implements JsonDeserializer<Date> {
         @Override

knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java

@@ -418,7 +418,7 @@ public void test12_policies_secure_mode_uses_secure_url() throws Exception {
         RangerAdminJersey2RESTClient underTest = spy(new RangerAdminJersey2RESTClient());
         underTest.client = clientMock;
         underTest.init(SERVICE, APPID, PREFIX, conf);
-        doReturn(true).when(underTest).isKerberosEnabled(ArgumentMatchers.any());
+        doReturn(true).when(underTest).isKerberosEnabled();
 
         Map<String, NewCookie> cookies = new HashMap<>();
         cookies.put(COOKIE_NAME, new NewCookie(COOKIE_NAME, "v"));
@@ -457,7 +457,7 @@ public void test13_tags_secure_mode_uses_secure_url() throws Exception {
         RangerAdminJersey2RESTClient underTest = spy(new RangerAdminJersey2RESTClient());
         underTest.client = clientMock;
         underTest.init(SERVICE, APPID, PREFIX, conf);
-        doReturn(true).when(underTest).isKerberosEnabled(ArgumentMatchers.any());
+        doReturn(true).when(underTest).isKerberosEnabled();
 
         Map<String, NewCookie> cookies = new HashMap<>();
         cookies.put(COOKIE_NAME, new NewCookie(COOKIE_NAME, "v"));
@@ -495,7 +495,7 @@ public void test14_roles_secure_mode_uses_secure_url() throws Exception {
         RangerAdminJersey2RESTClient underTest = spy(new RangerAdminJersey2RESTClient());
         underTest.client = clientMock;
         underTest.init(SERVICE, APPID, PREFIX, conf);
-        doReturn(true).when(underTest).isKerberosEnabled(ArgumentMatchers.any());
+        doReturn(true).when(underTest).isKerberosEnabled();
 
         Map<String, NewCookie> cookies = new HashMap<>();
         cookies.put(COOKIE_NAME, new NewCookie(COOKIE_NAME, "v"));
@@ -533,7 +533,7 @@ public void test15_userstore_secure_mode_uses_secure_url() throws Exception {
         RangerAdminJersey2RESTClient underTest = spy(new RangerAdminJersey2RESTClient());
         underTest.client = clientMock;
         underTest.init(SERVICE, APPID, PREFIX, conf);
-        doReturn(true).when(underTest).isKerberosEnabled(ArgumentMatchers.any());
+        doReturn(true).when(underTest).isKerberosEnabled();
 
         when(response200.getStatus()).thenReturn(200);
         when(response200.readEntity(String.class)).thenReturn("{}");