From f58a47e2dddf17ec3c20814b6dc99b50ba96c92a Mon Sep 17 00:00:00 2001 From: Madhan Neethiraj Date: Tue, 6 Aug 2024 05:15:01 -0700 Subject: [PATCH] RANGER-4891: replaced use of PrivilegedAction with PrivilegedExceptionAction in calls to UserGroupInformation.doAs() --- .../destination/HDFSAuditDestination.java | 14 +- .../audit/provider/LocalFileLogBuffer.java | 13 +- .../provider/kafka/KafkaAuditProvider.java | 28 +- .../admin/client/RangerAdminRESTClient.java | 333 ++++++++---------- .../RangerUserStoreRefresher.java | 22 +- .../java/org/apache/ranger/RangerClient.java | 28 +- .../client/RangerAdminJersey2RESTClient.java | 106 ++---- .../services/storm/client/StormClient.java | 13 +- .../sink/tagadmin/TagAdminRESTSink.java | 19 +- 9 files changed, 250 insertions(+), 326 deletions(-) diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/destination/HDFSAuditDestination.java b/agents-audit/src/main/java/org/apache/ranger/audit/destination/HDFSAuditDestination.java index 3449d76025..4ad8dfd985 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/destination/HDFSAuditDestination.java +++ b/agents-audit/src/main/java/org/apache/ranger/audit/destination/HDFSAuditDestination.java @@ -20,7 +20,7 @@ package org.apache.ranger.audit.destination; import java.io.File; -import java.security.PrivilegedAction; +import java.security.PrivilegedExceptionAction; import java.util.ArrayList; import java.util.Collection; import java.util.List; 
@@ -130,13 +130,15 @@ public void flush() { if (logger.isDebugEnabled()) { logger.debug("==> HDFSAuditDestination.flush() called. name={}", getName()); } - MiscUtil.executePrivilegedAction(new PrivilegedAction() { - @Override - public Void run() { + try { + MiscUtil.executePrivilegedAction((PrivilegedExceptionAction) () -> { auditWriter.flush(); return null; - } - }); + }); + } catch (Exception excp) { + logger.error("HDFSAuditDestination.flush() failed", excp); + } + if (logger.isDebugEnabled()) { logger.debug("<== HDFSAuditDestination.flush() called. name={}", getName()); } diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/LocalFileLogBuffer.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/LocalFileLogBuffer.java index 4dc195dc7e..d720ebcccb 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/LocalFileLogBuffer.java +++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/LocalFileLogBuffer.java @@ -32,7 +32,7 @@ import java.io.OutputStreamWriter; import java.io.UnsupportedEncodingException; import java.io.Writer; -import java.security.PrivilegedAction; +import java.security.PrivilegedExceptionAction; import java.util.Arrays; import java.util.Comparator; import java.util.TreeSet; @@ -415,14 +415,15 @@ public void run() { return; } - loginUser.doAs(new PrivilegedAction() { - @Override - public Integer run() { + try { + loginUser.doAs((PrivilegedExceptionAction) () -> { doRun(); return 0; - } - }); + }); + } catch (Exception excp) { + mLogger.error("DestinationDispatcherThread.run(): failed", excp); + } } private void doRun() { diff --git a/agents-audit/src/main/java/org/apache/ranger/audit/provider/kafka/KafkaAuditProvider.java b/agents-audit/src/main/java/org/apache/ranger/audit/provider/kafka/KafkaAuditProvider.java index 3df53aed73..3a452c22a6 100644 --- a/agents-audit/src/main/java/org/apache/ranger/audit/provider/kafka/KafkaAuditProvider.java 
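Review bot: The new `catch (Exception excp)` around `MiscUtil.executePrivilegedAction` in HDFSAuditDestination.flush() is wider than the conversion needs: besides whatever checked exception executePrivilegedAction now declares (its signature is not in this patch), it also captures any RuntimeException from `auditWriter.flush()`, which under the old PrivilegedAction form presumably propagated to the caller; a failing HDFS flush is now logged and otherwise silent, and for an audit destination that means events can be dropped without the caller ever seeing a failure. Narrow the catch to the checked type(s) executePrivilegedAction actually declares, or log and rethrow unchecked failures, e.g. `} catch (RuntimeException excp) { logger.error("HDFSAuditDestination.flush() failed", excp); throw excp; }` ahead of the generic catch. If flush is meant to be best-effort, a comment saying so next to the catch would stop the next reader from "fixing" it.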
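Review bot: `loginUser.doAs(PrivilegedExceptionAction)` declares `InterruptedException` (along with IOException), and the new `catch (Exception excp)` in DestinationDispatcherThread.run() swallows it together with everything else, so an interrupt delivered while the thread is inside doAs is logged as a generic failure and the thread's interrupt status is lost. Handle it separately before the generic catch and restore the flag: `} catch (InterruptedException ie) { Thread.currentThread().interrupt(); mLogger.error("DestinationDispatcherThread.run(): interrupted", ie); }`. I am relying on UserGroupInformation.doAs's declared signature here, not on anything visible in the hunk; run() starts before this hunk.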
+++ b/agents-audit/src/main/java/org/apache/ranger/audit/provider/kafka/KafkaAuditProvider.java @@ -16,7 +16,7 @@ */ package org.apache.ranger.audit.provider.kafka; -import java.security.PrivilegedAction; +import java.security.PrivilegedExceptionAction; import java.util.Collection; import java.util.HashMap; import java.util.Map; @@ -74,13 +74,7 @@ public void init(Properties props) { LOG.info("Connecting to Kafka producer using properties:" + kakfaProps.toString()); - producer = MiscUtil.executePrivilegedAction(new PrivilegedAction>() { - @Override - public Producer run(){ - Producer producer = new KafkaProducer(kakfaProps); - return producer; - }; - }); + producer = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction>) () -> new KafkaProducer<>(kakfaProps)); initDone = true; } @@ -115,12 +109,9 @@ public boolean log(AuditEventBase event) { final ProducerRecord keyedMessage = new ProducerRecord( topic, message); - MiscUtil.executePrivilegedAction(new PrivilegedAction() { - @Override - public Void run(){ - producer.send(keyedMessage); - return null; - }; + MiscUtil.executePrivilegedAction((PrivilegedExceptionAction) () -> { + producer.send(keyedMessage); + return null; }); } else { @@ -169,12 +160,9 @@ public void stop() { LOG.info("stop() called"); if (producer != null) { try { - MiscUtil.executePrivilegedAction(new PrivilegedAction() { - @Override - public Void run() { - producer.close(); - return null; - }; + MiscUtil.executePrivilegedAction((PrivilegedExceptionAction) () -> { + producer.close(); + return null; }); } catch (Throwable t) { LOG.error("Error closing Kafka producer"); diff --git a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java index b62ca4f23b..70bd818ddf 100644 --- a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java 
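Review bot: In stop(), the converted `MiscUtil.executePrivilegedAction(...)` call now sits inside the pre-existing `catch (Throwable t) { LOG.error("Error closing Kafka producer"); }`, so any failure carried through the new exception-propagating path is logged without its cause; pass the throwable, `LOG.error("Error closing Kafka producer", t);`. In init() and log() the converted calls have no enclosing try inside the hunk, so if executePrivilegedAction now declares a checked exception (the new try/catch added in HDFSAuditDestination.flush suggests it does) they depend on handling outside the hunk — worth confirming that handler records the exception object, not just its message. Separately, the retained `LOG.info("Connecting to Kafka producer using properties:" + kakfaProps.toString())` prints every producer property at INFO; if these properties can carry SASL or SSL credentials (for example `sasl.jaas.config` or keystore passwords), they should be redacted before logging.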
+++ b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java @@ -39,7 +39,7 @@ import javax.ws.rs.core.Cookie; import javax.ws.rs.core.NewCookie; import java.io.UnsupportedEncodingException; -import java.security.PrivilegedAction; +import java.security.PrivilegedExceptionAction; import java.util.HashMap; import java.util.List; import java.util.Map; @@ -163,7 +163,7 @@ public RangerRole createRole(final RangerRole request) throws Exception { RangerRole ret = null; - ClientResponse response = null; + final ClientResponse response; UserGroupInformation user = MiscUtil.getUGILoginUser(); boolean isSecureMode = isKerberosEnabled(user); String relativeURL = RangerRESTUtils.REST_URL_SERVICE_CREATE_ROLE; @@ -172,21 +172,19 @@ public RangerRole createRole(final RangerRole request) throws Exception { queryParams.put(RangerRESTUtils.SERVICE_NAME_PARAM, serviceNameUrlParam); if (isSecureMode) { - PrivilegedAction action = new PrivilegedAction() { - public ClientResponse run() { - ClientResponse clientRes = null; + if (LOG.isDebugEnabled()) { + LOG.debug("create role as user " + user); + } + + response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction) () -> { try { - clientRes = restClient.post(relativeURL, queryParams, request); + return restClient.post(relativeURL, queryParams, request); } catch (Exception e) { LOG.error("Failed to get response, Error is : "+e.getMessage()); } - return clientRes; - } - }; - if (LOG.isDebugEnabled()) { - LOG.debug("create role as user " + user); - } - response = user.doAs(action); + + return null; + }); } else { response = restClient.post(relativeURL, queryParams, request); } 
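Review bot: The lambda passed to `MiscUtil.executePrivilegedAction` in createRole still wraps the call in `try { return restClient.post(relativeURL, queryParams, request); } catch (Exception e) { LOG.error("Failed to get response, Error is : "+e.getMessage()); } return null;`, so the switch to PrivilegedExceptionAction buys nothing here: every failure is still swallowed inside the action, the stack trace is dropped because only `getMessage()` is logged, and the caller receives a null response it has to treat as an anonymous failure, while the non-secure branch two lines below (`response = restClient.post(relativeURL, queryParams, request);`) lets the same call propagate through the method's `throws Exception`. Now that the action may throw checked exceptions, make the two branches behave alike — `() -> restClient.post(relativeURL, queryParams, request)` — and handle or log the failure where `response` is consumed; at minimum log the exception object, `LOG.error("Failed to get response", e);`, as the getGdsInfoIfUpdated hunk in this same file already does. The identical pattern appears in every other converted hunk of this file (dropRole, getUserRoles, getAllRoles, getRole, grantRole, revokeRole, grantAccess, revokeAccess, getTagTypes, getUserStoreIfUpdated, getRangerAdminPolicyDownloadResponse, getRangerAdminTagDownloadResponse, getRangerRolesDownloadResponse), in RangerUserStoreRefresher.getUserStoreIfUpdated and in RangerAdminJersey2RESTClient.getUserStoreIfUpdated. createRole continues outside the hunk.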
@@ -218,7 +216,7 @@ public void dropRole(final String execUser, final String roleName) throws Except LOG.debug("==> RangerAdminRESTClient.dropRole(" + roleName + ")"); } - ClientResponse response = null; + final ClientResponse response; UserGroupInformation user = MiscUtil.getUGILoginUser(); boolean isSecureMode = isKerberosEnabled(user); @@ -229,21 +227,18 @@ public void dropRole(final String execUser, final String roleName) throws Except String relativeURL = RangerRESTUtils.REST_URL_SERVICE_DROP_ROLE + roleName; if (isSecureMode) { - PrivilegedAction action = new PrivilegedAction() { - public ClientResponse run() { - ClientResponse clientRes = null; + if (LOG.isDebugEnabled()) { + LOG.debug("drop role as user " + user); + } + response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction) () -> { try { - clientRes = restClient.delete(relativeURL, queryParams); + return restClient.delete(relativeURL, queryParams); } catch (Exception e) { LOG.error("Failed to get response, Error is : "+e.getMessage()); } - return clientRes; - } - }; - if (LOG.isDebugEnabled()) { - LOG.debug("drop role as user " + user); - } - response = user.doAs(action); + + return null; + }); } else { response = restClient.delete(relativeURL, queryParams); } 
@@ -273,27 +268,24 @@ public List getUserRoles(final String execUser) throws Exception { List ret = null; String emptyString = ""; - ClientResponse response = null; + final ClientResponse response; UserGroupInformation user = MiscUtil.getUGILoginUser(); boolean isSecureMode = isKerberosEnabled(user); String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GET_USER_ROLES + execUser; if (isSecureMode) { - PrivilegedAction action = new PrivilegedAction() { - public ClientResponse run() { - ClientResponse clientRes = null; - try { - clientRes = restClient.get(relativeURL, null); - } catch (Exception e) { - LOG.error("Failed to get response, Error is : "+e.getMessage()); - } - return clientRes; - } - }; if (LOG.isDebugEnabled()) { LOG.debug("get roles as user " + user); } - response = user.doAs(action); + response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction) () -> { + try { + return restClient.get(relativeURL, null); + } catch (Exception e) { + LOG.error("Failed to get response, Error is : "+e.getMessage()); + } + + return null; + }); } else { response = restClient.get(relativeURL, null); } @@ -328,7 +320,7 @@ public List getAllRoles(final String execUser) throws Exception { List ret = null; String emptyString = ""; - ClientResponse response = null; + final ClientResponse response; UserGroupInformation user = MiscUtil.getUGILoginUser(); boolean isSecureMode = isKerberosEnabled(user); String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GET_ALL_ROLES; 
@@ -338,21 +330,18 @@ public List getAllRoles(final String execUser) throws Exception { queryParams.put(RangerRESTUtils.REST_PARAM_EXEC_USER, execUser); if (isSecureMode) { - PrivilegedAction action = new PrivilegedAction() { - public ClientResponse run() { - ClientResponse clientRes = null; - try { - clientRes = restClient.get(relativeURL, queryParams); - } catch (Exception e) { - LOG.error("Failed to get response, Error is : "+e.getMessage()); - } - return clientRes; - } - }; if (LOG.isDebugEnabled()) { LOG.debug("get roles as user " + user); } - response = user.doAs(action); + response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction) () -> { + try { + return restClient.get(relativeURL, queryParams); + } catch (Exception e) { + LOG.error("Failed to get response, Error is : "+e.getMessage()); + } + + return null; + }); } else { response = restClient.get(relativeURL, queryParams); } @@ -386,7 +375,7 @@ public RangerRole getRole(final String execUser, final String roleName) throws E } RangerRole ret = null; - ClientResponse response = null; + final ClientResponse response; UserGroupInformation user = MiscUtil.getUGILoginUser(); boolean isSecureMode = isKerberosEnabled(user); String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GET_ROLE_INFO + roleName; 
@@ -396,21 +385,18 @@ public RangerRole getRole(final String execUser, final String roleName) throws E queryParams.put(RangerRESTUtils.REST_PARAM_EXEC_USER, execUser); if (isSecureMode) { - PrivilegedAction action = new PrivilegedAction() { - public ClientResponse run() { - ClientResponse clientResp = null; - try { - clientResp = restClient.get(relativeURL, queryParams); - } catch (Exception e) { - LOG.error("Failed to get response, Error is : "+e.getMessage()); - } - return clientResp; - } - }; if (LOG.isDebugEnabled()) { LOG.debug("get role info as user " + user); } - response = user.doAs(action); + response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction) () -> { + try { + return restClient.get(relativeURL, queryParams); + } catch (Exception e) { + LOG.error("Failed to get response, Error is : "+e.getMessage()); + } + + return null; + }); } else { response = restClient.get(relativeURL, queryParams); } 
@@ -444,27 +430,24 @@ public void grantRole(final GrantRevokeRoleRequest request) throws Exception { LOG.debug("==> RangerAdminRESTClient.grantRole(" + request + ")"); } - ClientResponse response = null; + final ClientResponse response; UserGroupInformation user = MiscUtil.getUGILoginUser(); boolean isSecureMode = isKerberosEnabled(user); String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GRANT_ROLE + serviceNameUrlParam; if (isSecureMode) { - PrivilegedAction action = new PrivilegedAction() { - public ClientResponse run() { - ClientResponse clientResp = null; - try { - clientResp = restClient.put(relativeURL, null, request); - } catch (Exception e) { - LOG.error("Failed to get response, Error is : "+e.getMessage()); - } - return clientResp; - } - }; if (LOG.isDebugEnabled()) { LOG.debug("grant role as user " + user); } - response = user.doAs(action); + response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction) () -> { + try { + return restClient.put(relativeURL, null, request); + } catch (Exception e) { + LOG.error("Failed to get response, Error is : "+e.getMessage()); + } + + return null; + }); } else { response = restClient.put(relativeURL, null, request); } 
@@ -492,27 +475,24 @@ public void revokeRole(final GrantRevokeRoleRequest request) throws Exception { LOG.debug("==> RangerAdminRESTClient.revokeRole(" + request + ")"); } - ClientResponse response = null; + final ClientResponse response; UserGroupInformation user = MiscUtil.getUGILoginUser(); boolean isSecureMode = isKerberosEnabled(user); String relativeURL = RangerRESTUtils.REST_URL_SERVICE_REVOKE_ROLE + serviceNameUrlParam; if (isSecureMode) { - PrivilegedAction action = new PrivilegedAction() { - public ClientResponse run() { - ClientResponse clientResp = null; - try { - clientResp = restClient.put(relativeURL, null, request); - } catch (Exception e) { - LOG.error("Failed to get response, Error is : "+e.getMessage()); - } - return clientResp; - } - }; if (LOG.isDebugEnabled()) { LOG.debug("revoke role as user " + user); } - response = user.doAs(action); + response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction) () -> { + try { + return restClient.put(relativeURL, null, request); + } catch (Exception e) { + LOG.error("Failed to get response, Error is : "+e.getMessage()); + } + + return null; + }); } else { response = restClient.put(relativeURL, null, request); } @@ -540,7 +520,7 @@ public void grantAccess(final GrantRevokeRequest request) throws Exception { LOG.debug("==> RangerAdminRESTClient.grantAccess(" + request + ")"); } - ClientResponse response = null; + final ClientResponse response; UserGroupInformation user = MiscUtil.getUGILoginUser(); boolean isSecureMode = isKerberosEnabled(user); 
@@ -548,22 +528,20 @@ public void grantAccess(final GrantRevokeRequest request) throws Exception { queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId); if (isSecureMode) { - PrivilegedAction action = new PrivilegedAction() { - public ClientResponse run() { - String relativeURL = RangerRESTUtils.REST_URL_SECURE_SERVICE_GRANT_ACCESS + serviceNameUrlParam; - ClientResponse clientResp = null; - try { - clientResp = restClient.post(relativeURL, queryParams, request); - } catch (Exception e) { - LOG.error("Failed to get response, Error is : "+e.getMessage()); - } - return clientResp; - } - }; if (LOG.isDebugEnabled()) { LOG.debug("grantAccess as user " + user); } - response = user.doAs(action); + response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction) () -> { + try { + String relativeURL = RangerRESTUtils.REST_URL_SECURE_SERVICE_GRANT_ACCESS + serviceNameUrlParam; + + return restClient.post(relativeURL, queryParams, request); + } catch (Exception e) { + LOG.error("Failed to get response, Error is : "+e.getMessage()); + } + + return null; + }); } else { String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GRANT_ACCESS + serviceNameUrlParam; response = restClient.post(relativeURL, queryParams, request); @@ -592,7 +570,7 @@ public void revokeAccess(final GrantRevokeRequest request) throws Exception { LOG.debug("==> RangerAdminRESTClient.revokeAccess(" + request + ")"); } - ClientResponse response = null; + final ClientResponse response; UserGroupInformation user = MiscUtil.getUGILoginUser(); boolean isSecureMode = isKerberosEnabled(user); 
@@ -600,22 +578,20 @@ public void revokeAccess(final GrantRevokeRequest request) throws Exception { queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID, pluginId); if (isSecureMode) { - PrivilegedAction action = new PrivilegedAction() { - public ClientResponse run() { - String relativeURL = RangerRESTUtils.REST_URL_SECURE_SERVICE_REVOKE_ACCESS + serviceNameUrlParam; - ClientResponse clientResp = null; - try { - clientResp = restClient.post(relativeURL, queryParams, request); - } catch (Exception e) { - LOG.error("Failed to get response, Error is : "+e.getMessage()); - } - return clientResp; - } - }; if (LOG.isDebugEnabled()) { LOG.debug("revokeAccess as user " + user); } - response = user.doAs(action); + response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction) () -> { + try { + String relativeURL = RangerRESTUtils.REST_URL_SECURE_SERVICE_REVOKE_ACCESS + serviceNameUrlParam; + + return restClient.post(relativeURL, queryParams, request); + } catch (Exception e) { + LOG.error("Failed to get response, Error is : "+e.getMessage()); + } + + return null; + }); } else { String relativeURL = RangerRESTUtils.REST_URL_SERVICE_REVOKE_ACCESS + serviceNameUrlParam; response = restClient.post(relativeURL, queryParams, request); 
@@ -692,23 +668,20 @@ public List getTagTypes(String pattern) throws Exception { queryParams.put(RangerRESTUtils.PATTERN_PARAM, pattern); String relativeURL = RangerRESTUtils.REST_URL_LOOKUP_TAG_NAMES; - ClientResponse response = null; + final ClientResponse response; if (isSecureMode) { - PrivilegedAction action = new PrivilegedAction() { - public ClientResponse run() { - ClientResponse clientResp = null; - try { - clientResp = restClient.get(relativeURL, queryParams); - } catch (Exception e) { - LOG.error("Failed to get response, Error is : "+e.getMessage()); - } - return clientResp; - } - }; if (LOG.isDebugEnabled()) { LOG.debug("getTagTypes as user " + user); } - response = user.doAs(action); + response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction) () -> { + try { + return restClient.get(relativeURL, queryParams); + } catch (Exception e) { + LOG.error("Failed to get response, Error is : "+e.getMessage()); + } + + return null; + }); } else { response = restClient.get(relativeURL, queryParams); } 
@@ -750,19 +723,17 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon if (LOG.isDebugEnabled()) { LOG.debug("Checking UserStore updated as user : " + user); } - PrivilegedAction action = new PrivilegedAction() { - public ClientResponse run() { - ClientResponse clientRes = null; + response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction) () -> { + try { String relativeURL = RangerRESTUtils.REST_URL_SERVICE_SERCURE_GET_USERSTORE + serviceNameUrlParam; - try { - clientRes = restClient.get(relativeURL, queryParams); - } catch (Exception e) { - LOG.error("Failed to get response, Error is : "+e.getMessage()); - } - return clientRes; + + return restClient.get(relativeURL, queryParams); + } catch (Exception e) { + LOG.error("Failed to get response, Error is : "+e.getMessage()); } - }; - response = user.doAs(action); + + return null; + }); } else { if (LOG.isDebugEnabled()) { LOG.debug("Checking UserStore updated as user : " + user); @@ -829,19 +800,17 @@ public ServiceGdsInfo getGdsInfoIfUpdated(long lastKnownVersion, long lastActiva LOG.debug("Checking for updated GdsInfo: secureMode={}, user={}, serviceName={}" , isSecureMode, user, serviceName); if (isSecureMode) { - PrivilegedAction action = () -> { - ClientResponse clientRes = null; - String relativeURL = RangerRESTUtils.REST_URL_SERVICE_SECURE_GET_GDSINFO + serviceNameUrlParam; + response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction) () -> { try { - clientRes = restClient.get(relativeURL, queryParams); + String relativeURL = RangerRESTUtils.REST_URL_SERVICE_SECURE_GET_GDSINFO + serviceNameUrlParam; + + return restClient.get(relativeURL, queryParams); } catch (Exception e) { LOG.error("Failed to get response", e); } - return clientRes; - }; - - response = user.doAs(action); + return null; + }); } else { String relativeURL = RangerRESTUtils.REST_URL_SERVICE_GET_GDSINFO + serviceNameUrlParam; 
@@ -1009,19 +978,17 @@ private ClientResponse getRangerAdminPolicyDownloadResponse(final long lastKnown if (LOG.isDebugEnabled()) { LOG.debug("Checking Service policy if updated as user : " + user); } - PrivilegedAction action = new PrivilegedAction() { - public ClientResponse run() { + ret = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction) () -> { + try { String relativeURL = RangerRESTUtils.REST_URL_POLICY_GET_FOR_SECURE_SERVICE_IF_UPDATED + serviceNameUrlParam; - ClientResponse clientResp = null; - try { - clientResp = restClient.get(relativeURL, queryParams, policyDownloadSessionId); - } catch (Exception e) { - LOG.error("Failed to get response, Error is : "+e.getMessage()); - } - return clientResp; + + return restClient.get(relativeURL, queryParams, policyDownloadSessionId); + } catch (Exception e) { + LOG.error("Failed to get response, Error is : "+e.getMessage()); } - }; - ret = user.doAs(action); + + return null; + }); } else { if (LOG.isDebugEnabled()) { LOG.debug("Checking Service policy if updated with old api call"); 
@@ -1191,22 +1158,20 @@ private ClientResponse getRangerAdminTagDownloadResponse(final long lastKnownVer queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES, pluginCapabilities); if (isSecureMode) { - PrivilegedAction action = new PrivilegedAction() { - public ClientResponse run() { - String relativeURL = RangerRESTUtils.REST_URL_GET_SECURE_SERVICE_TAGS_IF_UPDATED + serviceNameUrlParam; - ClientResponse clientResp = null; - try { - clientResp = restClient.get(relativeURL, queryParams, tagDownloadSessionId); - } catch (Exception e) { - LOG.error("Failed to get response, Error is : "+e.getMessage()); - } - return clientResp; - } - }; if (LOG.isDebugEnabled()) { LOG.debug("getServiceTagsIfUpdated as user " + user); } - ret = user.doAs(action); + ret = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction) () -> { + try { + String relativeURL = RangerRESTUtils.REST_URL_GET_SECURE_SERVICE_TAGS_IF_UPDATED + serviceNameUrlParam; + + return restClient.get(relativeURL, queryParams, tagDownloadSessionId); + } catch (Exception e) { + LOG.error("Failed to get response, Error is : "+e.getMessage()); + } + + return null; + }); } else { String relativeURL = RangerRESTUtils.REST_URL_GET_SERVICE_TAGS_IF_UPDATED + serviceNameUrlParam; ret = restClient.get(relativeURL, queryParams); 
@@ -1376,19 +1341,17 @@ private ClientResponse getRangerRolesDownloadResponse(final long lastKnownRoleVe if (LOG.isDebugEnabled()) { LOG.debug("Checking Roles updated as user : " + user); } - PrivilegedAction action = new PrivilegedAction() { - public ClientResponse run() { - ClientResponse clientRes = null; + ret = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction) () -> { + try { String relativeURL = RangerRESTUtils.REST_URL_SERVICE_SERCURE_GET_USER_GROUP_ROLES + serviceNameUrlParam; - try { - clientRes = restClient.get(relativeURL, queryParams, roleDownloadSessionId); - } catch (Exception e) { - LOG.error("Failed to get response, Error is : "+e.getMessage()); - } - return clientRes; + + return restClient.get(relativeURL, queryParams, roleDownloadSessionId); + } catch (Exception e) { + LOG.error("Failed to get response, Error is : "+e.getMessage()); } - }; - ret = user.doAs(action); + + return null; + }); } else { if (LOG.isDebugEnabled()) { LOG.debug("Checking Roles updated as user : " + user); diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerUserStoreRefresher.java b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerUserStoreRefresher.java index 5e2629f1c8..97fe181573 100644 --- a/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerUserStoreRefresher.java +++ b/agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/RangerUserStoreRefresher.java @@ -41,7 +41,7 @@ import java.io.FileWriter; import java.io.FileReader; import java.nio.channels.ClosedByInterruptException; -import java.security.PrivilegedAction; +import java.security.PrivilegedExceptionAction; import java.util.HashMap; import java.util.Map; import java.util.concurrent.BlockingQueue; 
@@ -378,19 +378,17 @@ private RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lo if (LOG.isDebugEnabled()) { LOG.debug("Checking UserStore updated as user : " + user); } - PrivilegedAction action = new PrivilegedAction() { - public ClientResponse run() { - ClientResponse clientRes = null; + response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction) () -> { + try { String relativeURL = RangerRESTUtils.REST_URL_SERVICE_SERCURE_GET_USERSTORE; - try { - clientRes = rangerRESTClient.get(relativeURL, queryParams); - } catch (Exception e) { - LOG.error("Failed to get response, Error is : "+e.getMessage()); - } - return clientRes; + + return rangerRESTClient.get(relativeURL, queryParams); + } catch (Exception e) { + LOG.error("Failed to get response, Error is : "+e.getMessage()); } - }; - response = user.doAs(action); + + return null; + }); } else { if (LOG.isDebugEnabled()) { LOG.debug("Checking UserStore updated as user : " + user); diff --git a/intg/src/main/java/org/apache/ranger/RangerClient.java b/intg/src/main/java/org/apache/ranger/RangerClient.java index e2fcc2581b..a61c13fd21 100644 --- a/intg/src/main/java/org/apache/ranger/RangerClient.java +++ b/intg/src/main/java/org/apache/ranger/RangerClient.java @@ -33,7 +33,7 @@ import org.apache.ranger.plugin.util.GrantRevokeRoleRequest; import org.apache.ranger.plugin.util.RangerRESTClient; -import java.security.PrivilegedAction; +import java.security.PrivilegedExceptionAction; import javax.ws.rs.HttpMethod; import javax.ws.rs.core.MediaType; import javax.ws.rs.core.Response; 
@@ -169,13 +169,12 @@ public class RangerClient { private final RangerRESTClient restClient; private boolean isSecureMode = false; - private UserGroupInformation ugi = null; private void authInit(String authType, String username, String password) { if (AUTH_KERBEROS.equalsIgnoreCase(authType)) { isSecureMode = true; MiscUtil.loginWithKeyTab(password, username, null); - ugi = MiscUtil.getUGILoginUser(); + UserGroupInformation ugi = MiscUtil.getUGILoginUser(); LOG.info("RangerClient.authInit() UGI user: " + ugi.getUserName() + " principal: " + username); } else { restClient.setBasicAuthInfo(username, password); @@ -528,15 +527,18 @@ private ClientResponse responseHandler(API api, Map params, Obje } if (isSecureMode) { - ugi = MiscUtil.getUGILoginUser(); - clientResponse = ugi.doAs((PrivilegedAction) () -> { - try { - return invokeREST(api,params,request); - } catch (RangerServiceException e) { - LOG.error(e.getMessage()); - } - return null; - }); + try { + clientResponse = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction) () -> { + try { + return invokeREST(api,params,request); + } catch (RangerServiceException e) { + LOG.error(e.getMessage()); + } + return null; + }); + } catch (Exception excp) { + throw new RangerServiceException(excp); + } } else { clientResponse = invokeREST(api,params,request); } @@ -689,4 +691,4 @@ public API applyUrlFormat(Object... params) throws RangerServiceException { } } } -} \ No newline at end of file +} diff --git a/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java b/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java index 8cc6c12a66..04ba7a0c4c 100644 --- a/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java +++ b/knox-agent/src/main/java/org/apache/ranger/admin/client/RangerAdminJersey2RESTClient.java 
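Review bot: responseHandler now has two layers of handling that disagree: the new outer `catch (Exception excp) { throw new RangerServiceException(excp); }` surfaces failures from executePrivilegedAction to the caller, but the lambda still catches `RangerServiceException` from `invokeREST`, logs only `e.getMessage()` and returns null, so the one exception type the caller is prepared to receive is the one that gets swallowed, whereas the non-secure branch (`clientResponse = invokeREST(api,params,request);`) propagates it. Drop the inner try/catch and use `() -> invokeREST(api, params, request)`; a RangerServiceException thrown inside the action then reaches the outer catch, where `excp.getCause()` should be inspected so an already-typed RangerServiceException is rethrown rather than wrapped a second time (how executePrivilegedAction wraps the action's exception is not visible in this patch). responseHandler starts before this hunk.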
@@ -23,7 +23,7 @@ import java.lang.reflect.Type; import java.net.InetAddress; import java.net.UnknownHostException; -import java.security.PrivilegedAction; +import java.security.PrivilegedExceptionAction; import java.util.Date; import java.util.HashMap; import java.util.List; @@ -305,20 +305,17 @@ public RangerUserStore getUserStoreIfUpdated(long lastKnownUserStoreVersion, lon LOG.debug("Checking UserStore updated as user: {}", user); } - PrivilegedAction action = () -> { - Response resp = null; - String relativeURL = RangerRESTUtils.REST_URL_SERVICE_SERCURE_GET_USERSTORE + _serviceNameUrlParam; - + response = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction) () -> { try { - resp = get(queryParams, relativeURL); + String relativeURL = RangerRESTUtils.REST_URL_SERVICE_SERCURE_GET_USERSTORE + _serviceNameUrlParam; + + return get(queryParams, relativeURL); } catch (Exception e) { LOG.error("Failed to get response", e); } - return resp; - }; - - response = user.doAs(action); + return null; + }); } else { if (LOG.isDebugEnabled()) { LOG.debug("Checking UserStore updated as user: {}", user); @@ -539,9 +536,7 @@ private ServicePolicies getServicePoliciesIfUpdatedWithCred(final long lastKnown final ServicePolicies ret; - final UserGroupInformation user = MiscUtil.getUGILoginUser(); - final boolean isSecureMode = isKerberosEnabled(user); - final Response response = getRangerAdminPolicyDownloadResponse(lastKnownVersion, lastActivationTimeInMillis, user, isSecureMode); + final Response response = getRangerAdminPolicyDownloadResponse(lastKnownVersion, lastActivationTimeInMillis); int httpResponseCode = response == null ? -1 : response.getStatus(); String body = null; 
@@ -587,7 +582,7 @@ private ServicePolicies getServicePoliciesIfUpdatedWithCred(final long lastKnown ret = null; policyDownloadSessionId = null; body = response.readEntity(String.class); - LOG.warn(String.format("Unexpected: Received status[%d] with body[%s] form url[%s]", httpResponseCode, body, getRelativeURL(isSecureMode))); + LOG.warn(String.format("Unexpected: Received status[%d] with body[%s] form url[%s]", httpResponseCode, body, getRelativeURL(isSecureMode()))); break; } @@ -605,9 +600,7 @@ private ServicePolicies getServicePoliciesIfUpdatedWithCookie(final long lastKno final ServicePolicies ret; - final UserGroupInformation user = MiscUtil.getUGILoginUser(); - final boolean isSecureMode = isKerberosEnabled(user); - final Response response = getRangerAdminPolicyDownloadResponse(lastKnownVersion, lastActivationTimeInMillis, user, isSecureMode); + final Response response = getRangerAdminPolicyDownloadResponse(lastKnownVersion, lastActivationTimeInMillis); int httpResponseCode = response == null ? -1 : response.getStatus(); String body = null; @@ -656,7 +649,7 @@ private ServicePolicies getServicePoliciesIfUpdatedWithCookie(final long lastKno policyDownloadSessionId = null; isValidPolicyDownloadSessionCookie = false; body = response.readEntity(String.class); - LOG.warn(String.format("Unexpected: Received status[%d] with body[%s] form url[%s]", httpResponseCode, body, getRelativeURL(isSecureMode))); + LOG.warn(String.format("Unexpected: Received status[%d] with body[%s] form url[%s]", httpResponseCode, body, getRelativeURL(isSecureMode()))); break; } 
@@ -667,7 +660,7 @@ private ServicePolicies getServicePoliciesIfUpdatedWithCookie(final long lastKno return ret; } - private Response getRangerAdminPolicyDownloadResponse(final long lastKnownVersion, final long lastActivationTimeInMillis, final UserGroupInformation user, final boolean isSecureMode) throws Exception { + private Response getRangerAdminPolicyDownloadResponse(final long lastKnownVersion, final long lastActivationTimeInMillis) throws Exception { if (LOG.isDebugEnabled()) { LOG.debug("==> RangerAdminJersey2RESTClient.getRangerAdminPolicyDownloadResponse(" + lastKnownVersion + ", " + lastActivationTimeInMillis + ")"); } @@ -682,23 +675,16 @@ private Response getRangerAdminPolicyDownloadResponse(final long lastKnownVersio queryParams.put(RangerRESTUtils.REST_PARAM_SUPPORTS_POLICY_DELTAS, Boolean.toString(_supportsPolicyDeltas)); queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES, pluginCapabilities); - final String relativeURL = getRelativeURL(isSecureMode); - - if (isSecureMode) { + if (isSecureMode()) { if (LOG.isDebugEnabled()) { - LOG.debug("Checking Service policy if updated as user : " + user); + LOG.debug("Checking Service policy if updated as user : " + MiscUtil.getUGILoginUser()); } - PrivilegedAction action = new PrivilegedAction() { - public Response run() { - return get(queryParams, relativeURL, policyDownloadSessionId); - } - }; - ret = user.doAs(action); + ret = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction) () -> get(queryParams, getRelativeURL(true), policyDownloadSessionId)); } else { if (LOG.isDebugEnabled()) { LOG.debug("Checking Service policy if updated with old api call"); } - ret = get(queryParams, relativeURL, policyDownloadSessionId); + ret = get(queryParams, getRelativeURL(false), policyDownloadSessionId); } if (LOG.isDebugEnabled()) { 
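Review bot: The secure branch's lambda hardcodes `getRelativeURL(true)` and the other branch `getRelativeURL(false)`, duplicating the decision `isSecureMode()` just made and discarding the single `relativeURL` local the old code computed once; restore it as `final String relativeURL = getRelativeURL(isSecureMode());` and capture it in the lambda, so the URL actually requested and the one the callers log in their warn (`getRelativeURL(isSecureMode())` in getServicePoliciesIfUpdatedWithCred and WithCookie) come from the same evaluation. The debug line now calls `MiscUtil.getUGILoginUser()` directly in addition to whatever `isSecureMode()` consults; `isSecureMode()` is not defined anywhere in this patch, so it is presumably an existing helper — worth confirming it evaluates the same UGI so the logged user matches the one doAs runs under. getTagsDownloadResponse at the end of this patch has the identical shape and the same remarks apply to it.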
@@ -755,9 +741,7 @@ private ServiceTags getServiceTagsIfUpdatedWithCred(final long lastKnownVersion, final ServiceTags ret; - final UserGroupInformation user = MiscUtil.getUGILoginUser(); - final boolean isSecureMode = isKerberosEnabled(user); - final Response response = getTagsDownloadResponse(lastKnownVersion, lastActivationTimeInMillis, user, isSecureMode); + final Response response = getTagsDownloadResponse(lastKnownVersion, lastActivationTimeInMillis); int httpResponseCode = response == null ? -1 : response.getStatus(); String body = null; @@ -803,7 +787,7 @@ private ServiceTags getServiceTagsIfUpdatedWithCred(final long lastKnownVersion, ret = null; tagDownloadSessionId = null; body = response.readEntity(String.class); - LOG.warn(String.format("Unexpected: Received status[%d] with body[%s] form url[%s]", httpResponseCode, body, getRelativeURLForTagDownload(isSecureMode))); + LOG.warn(String.format("Unexpected: Received status[%d] with body[%s] form url[%s]", httpResponseCode, body, getRelativeURLForTagDownload(isSecureMode()))); break; } @@ -821,9 +805,7 @@ private ServiceTags getServiceTagsIfUpdatedWithCookie(final long lastKnownVersio final ServiceTags ret; - final UserGroupInformation user = MiscUtil.getUGILoginUser(); - final boolean isSecureMode = isKerberosEnabled(user); - final Response response = getTagsDownloadResponse(lastKnownVersion, lastActivationTimeInMillis, user, isSecureMode); + final Response response = getTagsDownloadResponse(lastKnownVersion, lastActivationTimeInMillis); int httpResponseCode = response == null ? -1 : response.getStatus(); String body = null; 
@@ -883,7 +865,7 @@ private ServiceTags getServiceTagsIfUpdatedWithCookie(final long lastKnownVersio return ret; } - private Response getTagsDownloadResponse(final long lastKnownVersion, final long lastActivationTimeInMillis, final UserGroupInformation user, final boolean isSecureMode) throws Exception { + private Response getTagsDownloadResponse(final long lastKnownVersion, final long lastActivationTimeInMillis) throws Exception { if (LOG.isDebugEnabled()) { LOG.debug("==> RangerAdminJersey2RESTClient.getTagsDownloadResponse(" + lastKnownVersion + ", " + lastActivationTimeInMillis + ")"); } @@ -897,23 +879,16 @@ private Response getTagsDownloadResponse(final long lastKnownVersion, final long queryParams.put(RangerRESTUtils.REST_PARAM_SUPPORTS_TAG_DELTAS, Boolean.toString(_supportsTagDeltas)); queryParams.put(RangerRESTUtils.REST_PARAM_CAPABILITIES, pluginCapabilities); - final String relativeURL = getRelativeURLForTagDownload(isSecureMode); - - if (isSecureMode) { + if (isSecureMode()) { if (LOG.isDebugEnabled()) { - LOG.debug("Checking Service tags if updated as user : " + user); + LOG.debug("Checking Service tags if updated as user : " + MiscUtil.getUGILoginUser()); } - PrivilegedAction action = new PrivilegedAction() { - public Response run() { - return get(queryParams, relativeURL, tagDownloadSessionId); - } - }; - ret = user.doAs(action); + ret = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction) () -> get(queryParams, getRelativeURLForTagDownload(true), tagDownloadSessionId)); } else { if (LOG.isDebugEnabled()) { LOG.debug("Checking Service tags if updated with old api call"); } - ret = get(queryParams, relativeURL, tagDownloadSessionId); + ret = get(queryParams, getRelativeURLForTagDownload(false), tagDownloadSessionId); } if (LOG.isDebugEnabled()) { 
@@ -969,9 +944,7 @@ private RangerRoles getRangerRolesIfUpdatedWithCred(final long lastKnownRoleVers final RangerRoles ret; - final UserGroupInformation user = MiscUtil.getUGILoginUser(); - final boolean isSecureMode = isKerberosEnabled(user); - final Response response = getRoleDownloadResponse(lastKnownRoleVersion, lastActivationTimeInMillis, user, isSecureMode); + final Response response = getRoleDownloadResponse(lastKnownRoleVersion, lastActivationTimeInMillis); int httpResponseCode = response == null ? -1 : response.getStatus(); String body = null; @@ -1017,7 +990,7 @@ private RangerRoles getRangerRolesIfUpdatedWithCred(final long lastKnownRoleVers ret = null; roleDownloadSessionId = null; body = response.readEntity(String.class); - LOG.warn(String.format("Unexpected: Received status[%d] with body[%s] form url[%s]", httpResponseCode, body, getRelativeURLForRoleDownload(isSecureMode))); + LOG.warn(String.format("Unexpected: Received status[%d] with body[%s] form url[%s]", httpResponseCode, body, getRelativeURLForRoleDownload(isSecureMode()))); break; } @@ -1035,9 +1008,7 @@ private RangerRoles getRangerRolesIfUpdatedWithCookie(final long lastKnownRoleVe final RangerRoles ret; - final UserGroupInformation user = MiscUtil.getUGILoginUser(); - final boolean isSecureMode = isKerberosEnabled(user); - final Response response = getRoleDownloadResponse(lastKnownRoleVersion, lastActivationTimeInMillis, user, isSecureMode); + final Response response = getRoleDownloadResponse(lastKnownRoleVersion, lastActivationTimeInMillis); int httpResponseCode = response == null ? -1 : response.getStatus(); String body = null; 
@@ -1085,7 +1056,7 @@ private RangerRoles getRangerRolesIfUpdatedWithCookie(final long lastKnownRoleVe roleDownloadSessionId = null; isValidRoleDownloadSessionCookie = false; body = response.readEntity(String.class); - LOG.warn(String.format("Unexpected: Received status[%d] with body[%s] form url[%s]", httpResponseCode, body, getRelativeURLForRoleDownload(isSecureMode))); + LOG.warn(String.format("Unexpected: Received status[%d] with body[%s] form url[%s]", httpResponseCode, body, getRelativeURLForRoleDownload(isSecureMode()))); break; } @@ -1096,7 +1067,7 @@ private RangerRoles getRangerRolesIfUpdatedWithCookie(final long lastKnownRoleVe return ret; } - private Response getRoleDownloadResponse(final long lastKnownRoleVersion, final long lastActivationTimeInMillis, final UserGroupInformation user, final boolean isSecureMode) throws Exception { + private Response getRoleDownloadResponse(final long lastKnownRoleVersion, final long lastActivationTimeInMillis) throws Exception { if (LOG.isDebugEnabled()) { LOG.debug("==> RangerAdminJersey2RESTClient.getRoleDownloadResponse(" + lastKnownRoleVersion + ", " + lastActivationTimeInMillis + ")"); } 
@@ -1109,23 +1080,16 @@ private Response getRoleDownloadResponse(final long lastKnownRoleVersion, final queryParams.put(RangerRESTUtils.REST_PARAM_PLUGIN_ID, _pluginId); queryParams.put(RangerRESTUtils.REST_PARAM_CLUSTER_NAME, _clusterName); - final String relativeURL = getRelativeURLForRoleDownload(isSecureMode); - - if (isSecureMode) { + if (isSecureMode()) { if (LOG.isDebugEnabled()) { - LOG.debug("Checking Roles if updated as user : " + user); + LOG.debug("Checking Roles if updated as user : " + MiscUtil.getUGILoginUser()); } - PrivilegedAction action = new PrivilegedAction() { - public Response run() { - return get(queryParams, relativeURL, roleDownloadSessionId); - } - }; - ret = user.doAs(action); + ret = MiscUtil.executePrivilegedAction((PrivilegedExceptionAction) () -> get(queryParams, getRelativeURLForRoleDownload(true), roleDownloadSessionId)); } else { if (LOG.isDebugEnabled()) { LOG.debug("Checking Roles if updated with old api call"); } - ret = get(queryParams, relativeURL, roleDownloadSessionId); + ret = get(queryParams, getRelativeURLForRoleDownload(false), roleDownloadSessionId); } if (LOG.isDebugEnabled()) { @@ -1198,4 +1162,8 @@ protected boolean shouldRetry(String currentUrl, int index, int retryAttemptCoun return ret; } + + private boolean isSecureMode() { + return isKerberosEnabled(MiscUtil.getUGILoginUser()); + } } diff --git a/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormClient.java b/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormClient.java index 01cb05eab6..30ec2c8b40 100644 --- a/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormClient.java +++ b/storm-agent/src/main/java/org/apache/ranger/services/storm/client/StormClient.java 
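Review bot: The new `isSecureMode()` helper in the `@@ -1198` hunk has no comment saying that it resolves the login UGI on every call, and the other hunks in this file call it more than once per download (to pick the branch, and again when logging an unexpected status), so a reader cannot tell whether repeated calls are expected to agree. A Javadoc such as `/** True when requests must run under the Kerberos login user; re-resolves the login UGI on each call, so callers that need one consistent answer should cache the result. */` would make both the cost and the caveat visible. The class body ends with this hunk.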
@@ -20,7 +20,7 @@ package org.apache.ranger.services.storm.client; import java.io.IOException; -import java.security.PrivilegedAction; +import java.security.PrivilegedExceptionAction; import java.util.ArrayList; import java.util.HashMap; import java.util.List; @@ -91,7 +91,7 @@ public List getTopologyList(final String topologyNameMatching, final Lis LOG.debug("Getting Storm topology list for topologyNameMatching : " + topologyNameMatching); } - PrivilegedAction> topologyListGetter = new PrivilegedAction>() { + PrivilegedExceptionAction> topologyListGetter = new PrivilegedExceptionAction>() { @Override public ArrayList run() { if (stormUIUrl == null || stormUIUrl.trim().isEmpty()) { @@ -226,7 +226,7 @@ private ClientResponse getTopologyResponse(String url, Client client) { } public static T executeUnderKerberos(String userName, String password, String lookupPrincipal, String lookupKeytab, String nameRules, - PrivilegedAction action) throws IOException { + PrivilegedExceptionAction action) throws IOException { T ret = null; @@ -276,7 +276,14 @@ public static T executeUnderKerberos(String userName, String password, Strin hdpException.generateResponseDataMap(false, BaseClient.getMessage(se), msgDesc + errMessage, null, null); throw hdpException; + } catch (Exception excp) { + String msgDesc = "executeUnderKerberos: Exception while getting Storm TopologyList."; + HadoopException hdpException = new HadoopException(msgDesc, excp); + LOG.error(msgDesc, excp); + hdpException.generateResponseDataMap(false, + BaseClient.getMessage(excp), msgDesc + errMessage, null, null); + throw hdpException; } finally { if (loginContext != null) { if (subject != null) { diff --git a/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java b/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java index ac0069a939..d657dfe6a2 100644 --- a/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java 
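Review bot: The new `catch (Exception excp)` in the `@@ -276` hunk hard-codes `"Exception while getting Storm TopologyList."`, but `executeUnderKerberos` is the generic helper that runs any `PrivilegedExceptionAction`, so a failure from another caller would be reported as a topology-list error; `"executeUnderKerberos: Exception while executing action under Kerberos."` fits every caller. If the action is run via `Subject.doAs` (the `loginContext`/`subject` handling in `finally` suggests so, though the call is outside the hunk), a checked exception from the action arrives wrapped in `PrivilegedActionException`, so the logged cause and `BaseClient.getMessage(excp)` will describe the wrapper unless the catch unwraps it first: `Exception cause = excp instanceof PrivilegedActionException ? ((PrivilegedActionException) excp).getException() : excp;`. Because this catch follows the existing narrower ones, unchecked exceptions that previously propagated unchanged are now converted to `HadoopException` as well, which callers catching by type should be checked against. The enclosing method starts and ends outside the hunk.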
+++ b/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java @@ -20,7 +20,7 @@ package org.apache.ranger.tagsync.sink.tagadmin; import java.io.IOException; -import java.security.PrivilegedAction; +import java.security.PrivilegedExceptionAction; import java.util.ArrayList; import java.util.List; import java.util.Properties; @@ -155,19 +155,14 @@ private ServiceTags doUpload(ServiceTags serviceTags) throws Exception { if (LOG.isDebugEnabled()) { LOG.debug("Using Principal = " + userGroupInformation.getUserName()); } - final ServiceTags serviceTag = serviceTags; - ServiceTags ret = userGroupInformation.doAs(new PrivilegedAction() { - @Override - public ServiceTags run() { - try { - return uploadServiceTags(serviceTag); - } catch (Exception e) { - LOG.error("Upload of service-tags failed with message ", e); - } - return null; + return userGroupInformation.doAs((PrivilegedExceptionAction) () -> { + try { + return uploadServiceTags(serviceTags); + } catch (Exception e) { + LOG.error("Upload of service-tags failed with message ", e); } + return null; }); - return ret; } else { LOG.error("Failed to get UserGroupInformation.getLoginUser()"); return null; // This will cause retries !!!
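Review bot: The lambda in the `@@ -155` hunk still catches every `Exception` from `uploadServiceTags` and returns null, so making it a `PrivilegedExceptionAction` changes nothing about error propagation here: the failure never reaches `doUpload`'s `throws Exception`, and the caller only sees a null result. If that null is the intended retry signal, as the `else` branch states for the missing-UGI case, say so on the new `return null;` line: `return null; // null triggers a retry, same as the missing-UGI branch below`. Otherwise the inner try/catch can be dropped so the exception propagates through `doAs` to the caller. doUpload starts outside the hunk.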