RANGER-5517: remove ranger-plugins-common dependency from kms, embeddedwebserver and shim modules

Author: mneethiraj

distro/src/main/assembly/kms.xml

@@ -42,6 +42,7 @@
                     <include>org.apache.hadoop.thirdparty:hadoop-shaded-guava:jar:${hadoop-shaded-guava.version}</include>
                     <include>org.apache.hadoop:hadoop-auth:jar:${hadoop.version}</include>
                     <include>com.google.code.gson:gson</include>
+                    <include>com.sun.jersey:jersey-bundle</include>
                     <include>org.eclipse.persistence:eclipselink</include>
                     <include>org.eclipse.persistence:javax.persistence</include>
                     <include>com.googlecode.log4jdbc:log4jdbc</include>
@@ -214,8 +215,6 @@
                     <include>org.apache.hadoop:hadoop-client-api:jar:${hadoop.version}</include>
                     <include>org.apache.hadoop:hadoop-client-runtime:jar:${hadoop.version}</include>
                     <include>org.apache.solr:solr-solrj:jar:${solr.version}</include>
-                    <include>org.apache.ranger:ranger-authz-api</include>
-                    <include>org.apache.ranger:ranger-plugins-common</include>
                     <include>org.apache.ranger:ugsync-util</include>
                     <include>com.kstruct:gethostname4j:jar:${kstruct.gethostname4j.version}</include>
                     <include>net.java.dev.jna:jna:jar:${jna.version}</include>
@@ -230,7 +229,6 @@
                     <include>org.slf4j:slf4j-api</include>
                     <include>ch.qos.logback:logback-classic:jar:${logback.version}</include>
                     <include>ch.qos.logback:logback-core:jar:${logback.version}</include>
-                    <include>com.sun.jersey:jersey-bundle</include>
                     <include>com.fasterxml.jackson.core:jackson-annotations:jar:${fasterxml.jackson.version}</include>
                     <include>com.fasterxml.jackson.core:jackson-core:jar:${fasterxml.jackson.version}</include>
                     <include>com.fasterxml.jackson.core:jackson-databind:jar:${fasterxml.jackson.version}</include>
@@ -283,6 +281,7 @@
                 <include>org.apache.ranger:ranger-audit-core</include>
                 <include>org.apache.ranger:ranger-audit-dest-hdfs</include>
                 <include>org.apache.ranger:ranger-audit-dest-solr</include>
+                <include>org.apache.ranger:ranger-authz-api</include>
                 <include>org.apache.ranger:ranger-plugins-cred</include>
                 <include>org.apache.ranger:ranger-plugins-common</include>
                 <include>org.apache.ranger:ugsync-util</include>

embeddedwebserver/pom.xml

@@ -91,11 +91,6 @@
             <artifactId>ranger-audit-dest-solr</artifactId>
             <version>${project.version}</version>
         </dependency>
-        <dependency>
-            <groupId>org.apache.ranger</groupId>
-            <artifactId>ranger-plugins-common</artifactId>
-            <version>${project.version}</version>
-        </dependency>
         <dependency>
             <groupId>org.apache.tomcat</groupId>
             <artifactId>tomcat-annotations-api</artifactId>

embeddedwebserver/src/main/java/org/apache/hadoop/security/KrbPasswordSaverLoginModule.java

@@ -0,0 +1,75 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.hadoop.security;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.login.LoginException;
+import javax.security.auth.spi.LoginModule;
+
+import java.util.Map;
+
+public class KrbPasswordSaverLoginModule implements LoginModule {
+    public static final String USERNAME_PARAM = "javax.security.auth.login.name";
+    public static final String PASSWORD_PARAM = "javax.security.auth.login.password";
+
+    @SuppressWarnings("rawtypes")
+    private Map sharedState;
+
+    public KrbPasswordSaverLoginModule() {
+    }
+
+    @SuppressWarnings("unchecked")
+    @Override
+    public void initialize(Subject subject, CallbackHandler callbackhandler, Map<String, ?> sharedMap, Map<String, ?> options) {
+        this.sharedState = sharedMap;
+
+        String userName = (options != null) ? (String) options.get(USERNAME_PARAM) : null;
+        String password = (options != null) ? (String) options.get(PASSWORD_PARAM) : null;
+
+        if (userName != null) {
+            this.sharedState.put(USERNAME_PARAM, userName);
+        }
+
+        if (password != null) {
+            this.sharedState.put(PASSWORD_PARAM, password.toCharArray());
+        }
+    }
+
+    @Override
+    public boolean login() throws LoginException {
+        return true;
+    }
+
+    @Override
+    public boolean commit() throws LoginException {
+        return true;
+    }
+
+    @Override
+    public boolean abort() throws LoginException {
+        return true;
+    }
+
+    @Override
+    public boolean logout() throws LoginException {
+        return true;
+    }
+}

embeddedwebserver/src/main/java/org/apache/hadoop/security/SecureClientLogin.java

@@ -0,0 +1,220 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.hadoop.security;
+
+import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
+import org.apache.hadoop.security.authentication.util.KerberosName;
+import org.apache.hadoop.security.authentication.util.KerberosUtil;
+import org.apache.hadoop.util.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.security.auth.Subject;
+import javax.security.auth.login.AppConfigurationEntry;
+import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+
+import java.io.File;
+import java.io.IOException;
+import java.security.Principal;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+public class SecureClientLogin {
+    private static final Logger LOG = LoggerFactory.getLogger(SecureClientLogin.class);
+
+    public static final String HOSTNAME_PATTERN = "_HOST";
+
+    private SecureClientLogin() {
+        // to block instantiation
+    }
+
+    public static synchronized Subject loginUserFromKeytab(String user, String path) throws IOException {
+        try {
+            Subject                        subject   = new Subject();
+            SecureClientLoginConfiguration loginConf = new SecureClientLoginConfiguration(true, user, path);
+            LoginContext                   login     = new LoginContext("hadoop-keytab-kerberos", subject, null, loginConf);
+
+            subject.getPrincipals().add(new User(user, AuthenticationMethod.KERBEROS, login));
+
+            login.login();
+
+            return login.getSubject();
+        } catch (LoginException le) {
+            throw new IOException("Login failure for " + user + " from keytab " + path, le);
+        }
+    }
+
+    public static synchronized Subject loginUserFromKeytab(String user, String path, String nameRules) throws IOException {
+        try {
+            Subject                        subject   = new Subject();
+            SecureClientLoginConfiguration loginConf = new SecureClientLoginConfiguration(true, user, path);
+            LoginContext                   login     = new LoginContext("hadoop-keytab-kerberos", subject, null, loginConf);
+
+            KerberosName.setRules(nameRules);
+
+            subject.getPrincipals().add(new User(user, AuthenticationMethod.KERBEROS, login));
+
+            login.login();
+
+            return login.getSubject();
+        } catch (LoginException le) {
+            throw new IOException("Login failure for " + user + " from keytab " + path, le);
+        }
+    }
+
+    public static synchronized Subject loginUserWithPassword(String user, String password) throws IOException {
+        try {
+            Subject                        subject   = new Subject();
+            SecureClientLoginConfiguration loginConf = new SecureClientLoginConfiguration(false, user, password);
+            LoginContext                   login     = new LoginContext("hadoop-keytab-kerberos", subject, null, loginConf);
+
+            subject.getPrincipals().add(new User(user, AuthenticationMethod.KERBEROS, login));
+
+            login.login();
+
+            return login.getSubject();
+        } catch (LoginException le) {
+            throw new IOException("Login failure for " + user + " using password ****", le);
+        }
+    }
+
+    public static synchronized Subject login(String user) throws IOException {
+        Subject subject = new Subject();
+
+        subject.getPrincipals().add(new User(user));
+
+        return subject;
+    }
+
+    public static Set<Principal> getUserPrincipals(Subject aSubject) {
+        if (aSubject != null) {
+            Set<User> list = aSubject.getPrincipals(User.class);
+
+            return list != null ? new HashSet<>(list) : null;
+        } else {
+            return null;
+        }
+    }
+
+    public static Principal createUserPrincipal(String aLoginName) {
+        return new User(aLoginName);
+    }
+
+    public static boolean isKerberosCredentialExists(String principal, String keytabPath) {
+        boolean isValid = false;
+
+        if (keytabPath != null && !keytabPath.isEmpty()) {
+            File keytabFile = new File(keytabPath);
+
+            if (!keytabFile.exists()) {
+                LOG.warn("{} doesn't exist.", keytabPath);
+            } else if (!keytabFile.canRead()) {
+                LOG.warn("Unable to read {}. Please check the file access permissions for user", keytabPath);
+            } else {
+                isValid = true;
+            }
+        } else {
+            LOG.warn("Can't find keyTab Path : {}", keytabPath);
+        }
+        if (!(principal != null && !principal.isEmpty() && isValid)) {
+            isValid = false;
+
+            LOG.warn("Can't find principal : {}", principal);
+        }
+
+        return isValid;
+    }
+
+    public static String getPrincipal(String principalConfig, String hostName) throws IOException {
+        String[] components = getComponents(principalConfig);
+
+        if (components == null || components.length != 3 || !HOSTNAME_PATTERN.equals(components[1])) {
+            return principalConfig;
+        } else {
+            if (hostName == null) {
+                throw new IOException("Can't replace " + HOSTNAME_PATTERN + " pattern since client ranger.service.host is null");
+            }
+
+            return replacePattern(components, hostName);
+        }
+    }
+
+    private static String[] getComponents(String principalConfig) {
+        if (principalConfig == null) {
+            return null;
+        }
+
+        return principalConfig.split("[/@]");
+    }
+
+    private static String replacePattern(String[] components, String hostname) throws IOException {
+        String fqdn = hostname;
+
+        if (org.apache.commons.lang3.StringUtils.isEmpty(fqdn) || "0.0.0.0".equals(fqdn)) {
+            fqdn = java.net.InetAddress.getLocalHost().getCanonicalHostName();
+        }
+
+        return components[0] + "/" + StringUtils.toLowerCase(fqdn) + "@" + components[2];
+    }
+
+    static class SecureClientLoginConfiguration extends javax.security.auth.login.Configuration {
+        private final Map<String, String> kerberosOptions = new HashMap<>();
+        private       boolean             usePassword;
+
+        public SecureClientLoginConfiguration(boolean useKeyTab, String principal, String credential) {
+            kerberosOptions.put("principal", principal);
+            kerberosOptions.put("debug", "false");
+
+            if (useKeyTab) {
+                kerberosOptions.put("useKeyTab", "true");
+                kerberosOptions.put("keyTab", credential);
+                kerberosOptions.put("doNotPrompt", "true");
+            } else {
+                usePassword = true;
+
+                kerberosOptions.put("useKeyTab", "false");
+                kerberosOptions.put(KrbPasswordSaverLoginModule.USERNAME_PARAM, principal);
+                kerberosOptions.put(KrbPasswordSaverLoginModule.PASSWORD_PARAM, credential);
+                kerberosOptions.put("doNotPrompt", "false");
+                kerberosOptions.put("useFirstPass", "true");
+                kerberosOptions.put("tryFirstPass", "false");
+            }
+
+            kerberosOptions.put("storeKey", "true");
+            kerberosOptions.put("refreshKrb5Config", "true");
+        }
+
+        @Override
+        public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
+            AppConfigurationEntry keytabKerberosLogin = new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(), LoginModuleControlFlag.REQUIRED, kerberosOptions);
+
+            if (usePassword) {
+                AppConfigurationEntry kerberosPwdSaver = new AppConfigurationEntry(KrbPasswordSaverLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, kerberosOptions);
+
+                return new AppConfigurationEntry[] {kerberosPwdSaver, keytabKerberosLogin};
+            } else {
+                return new AppConfigurationEntry[] {keytabKerberosLogin};
+            }
+        }
+    }
+}

embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServerUtil.java

@@ -20,7 +20,6 @@
 package org.apache.ranger.server.tomcat;
 
 import org.apache.commons.lang3.StringUtils;
-import org.apache.ranger.plugin.util.XMLUtils;
 
 import java.util.ArrayList;
 import java.util.List;

embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/SolrCollectionBootstrapper.java

@@ -25,7 +25,6 @@
 import org.apache.http.client.methods.HttpPost;
 import org.apache.http.entity.ByteArrayEntity;
 import org.apache.http.util.EntityUtils;
-import org.apache.ranger.authorization.utils.StringUtil;
 import org.apache.solr.client.solrj.SolrClient;
 import org.apache.solr.client.solrj.SolrServerException;
 import org.apache.solr.client.solrj.impl.CloudSolrClient;
@@ -446,7 +445,7 @@ private File getConfigSetFolder() {
     private static List<String> getZkHosts() {
         List<String> zookeeperHosts = null;
 
-        if (!StringUtil.isEmpty(EmbeddedServerUtil.getConfig(SOLR_ZK_HOSTS))) {
+        if (!StringUtils.isEmpty(EmbeddedServerUtil.getConfig(SOLR_ZK_HOSTS))) {
             String zkHosts = EmbeddedServerUtil.getConfig(SOLR_ZK_HOSTS).trim();
 
             zookeeperHosts = new ArrayList<>(Arrays.asList(zkHosts.split(",")));