Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
2.0.0
-
None
-
None
-
Cloudera, CDP (CDH) 7.1.3
Hadoop - 3.1.1.7.1.3.0-100
Ranger - 2.0.0.7.1.3.0-100
-
Important
Description
I caught a strange behavior of the ranger admin REST API.
The challenge was started as I saw that the 'cm_kms' service doesn't appear on the UI side however it exists in the REST API response.
Then the trying to get policies list for this service respond by the list that contains the single policy:
[root@vm path]# curl -XGET -u user:********** -v http://my-ranger-server-host:6080/service/public/v2/api/service/cm_kms/policy * About to connect() tomy-ranger-server-host port 6080 (#0) * Trying 10.6.120.140... * Connected to my-ranger-server-host (10.6.120.140) port 6080 (#0) * Server auth using Basic with user 'user' > GET /service/public/v2/api/service/cm_kms/policy HTTP/1.1 > Authorization: Basic ********************* > User-Agent: curl/7.29.0 > Host: my-ranger-server-host:6080 > Accept: */* > < HTTP/1.1 200 OK < Set-Cookie: RANGERADMINSESSIONID=42E2616A84477202A0CB4442C9C4EA88; Path=/; HttpOnly < X-Frame-Options: DENY < X-XSS-Protection: 1; mode=block < Strict-Transport-Security: max-age=31536000; includeSubDomains < Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self' < Cache-Control: no-cache, no-store, max-age=0, must-revalidate < Pragma: no-cache < Expires: 0 < X-Content-Type-Options: nosniff < Content-Type: application/json < Transfer-Encoding: chunked < Date: Thu, 29 Oct 2020 07:11:15 GMT < Server: Apache Ranger < [{"id":41,"guid":"52b42504-5798-4340-9da3-8e9188a3592f","isEnabled":true,"version":1,"service":"cm_kms","name":"all - keyname","policyType":0,"policyPriority":0,"description":"Policy for all - keyname","isAuditEnabled":true,"resources":{"keyname":{"values":["*"],"isExcludes":false,"isRecursive":false}},"policyItems":[{"accesses":[{"type":"create","isAllowed":true},{"type":"delete","isAllowed":true},{"type":"rollover","isAllowed":true},{"type":"setkeymaterial","isAllowed":true},{"type":"get","isAllowed":true},{"type":"getkeys","isAllowed":true},{"type":"getmetadata","isAllowed":true},{"type":"generateeek","isAllowed":true},{"type":"decrypteek","isAllowed":true}],"users":["keyadmin"],"groups":[],"roles":[],"conditions":[],"delegateAdmin":true},{"accesses":[{"type":"getmetadata","isAllowed":true},{"type":"generateeek","isAllowed":true}],"users":["hdfs"],"groups":[],"roles":[],"conditions":[],"delegateAdmin":true},{"accesses":[{"type":"getmetadata","isAllowed":true},{"type":"decrypteek","isAllowed":true}],"users":["hive"],"groups":[],"roles":[],"conditions":[],"delegateAdmin":true}],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"dataMaskPolicyItems":[],"rowFilterPolicyItems":[],"serviceType":"kms","options":{},"validitySchedules":[],"policyLabels":[],"zoneName":"","isDenyAllElse":false}]
However the request for the specific policy by name 'all - keyname' responded by 404 status:
[root@vm path]# curl -XGET -u user:********** -v http://my-ranger-server-host:6080/service/public/v2/api/service/cm_kms/policy/all%20-%20keyname * About to connect() to my-ranger-server-host port 6080 (#0) * Trying 10.6.120.140... * Connected to my-ranger-server-host (10.6.120.140) port 6080 (#0) * Server auth using Basic with user 'user' > GET /service/public/v2/api/service/cm_kms/policy/all%20-%20keyname HTTP/1.1 > Authorization: Basic *************************** > User-Agent: curl/7.29.0 > Host: my-ranger-server-host:6080 > Accept: */* > < HTTP/1.1 404 Not Found < Set-Cookie: RANGERADMINSESSIONID=2885FFB77C5B83345F5F6C0F4E7CB4D8; Path=/; HttpOnly < X-Frame-Options: DENY < X-XSS-Protection: 1; mode=block < Strict-Transport-Security: max-age=31536000; includeSubDomains < Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self' < Cache-Control: no-cache, no-store, max-age=0, must-revalidate < Pragma: no-cache < Expires: 0 < X-Content-Type-Options: nosniff < Content-Type: application/json < Transfer-Encoding: chunked < Date: Thu, 29 Oct 2020 07:43:14 GMT < Server: Apache Ranger < * Connection #0 to host my-ranger-server-host left intact Not found
PUT request to update the policy responds the same way (404), but POST request to create policy with the same name responds by 400 status - a policy with 'all - keyname' already exists
But the similar call chain works (GET list of polcies, GET policy by name) perfectly for the 'cm_hdfs' service policies:
[root@vm path]# curl -XGET -u user:*********** -v http://my-ranger-server-host:6080/service/public/v2/api/service/cm_hdfs/policy * About to connect() to my-ranger-server-host port 6080 (#0) * Trying 10.6.120.140... * Connected to my-ranger-server-host (10.6.120.140) port 6080 (#0) * Server auth using Basic with user 'user' > GET /service/public/v2/api/service/cm_hdfs/policy HTTP/1.1 > Authorization: Basic ************************* > User-Agent: curl/7.29.0 > Host: my-ranger-server-host:6080 > Accept: */* > < HTTP/1.1 200 OK < Set-Cookie: RANGERADMINSESSIONID=9D112823529E0F1695CB94A4C5081C0E; Path=/; HttpOnly < X-Frame-Options: DENY < X-XSS-Protection: 1; mode=block < Strict-Transport-Security: max-age=31536000; includeSubDomains < Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self' < Cache-Control: no-cache, no-store, max-age=0, must-revalidate < Pragma: no-cache < Expires: 0 < X-Content-Type-Options: nosniff < Content-Type: application/json < Transfer-Encoding: chunked < Date: Thu, 29 Oct 2020 07:44:32 GMT < Server: Apache Ranger < [{"id":1,"guid":"3c1fafbb-bf6c-4916-9ae5-e36ec28a1071","isEnabled":true,"version":13,"service":"cm_hdfs","name":"all - path","policyType":0,"policyPriority":0,"description":"Policy for all - path","isAuditEnabled":true,"resources":{"path":{"values":["/*"],"isExcludes":false,"isRecursive":true}},"policyItems":[{"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true},{"type":"execute","isAllowed":true}],"users":["rangertagsync","hdfs"],"groups":["cloudera-scm","hadoop"],"roles":[],"conditions":[],"delegateAdmin":true}],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"dataMaskPolicyItems":[],"rowFilterPolicyItems":[],"serviceType":"hdfs","options":{},"validitySchedules":[],"policyLabels":[],"zoneName":"","isDenyAllElse":false},{"id":2,"guid":"422c3e21-4162-43e8-a884-74791e6e4b39","isEnabled":true,"version":1,"service":"cm_hdfs","name":"kms-audit-path","policyType":0,"policyPriority":0,"description":"Policy for kms-audit-path","isAuditEnabled":true,"resources":{"path":{"values* Connection #0 to host vtutr01-vm0.bdauto.wandisco.com left intact ":["/ranger/audit/kms"],"isExcludes":false,"isRecursive":true}},"policyItems":[{"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true},{"type":"execute","isAllowed":true}],"users":["keyadmin"],"groups":[],"roles":[],"conditions":[],"delegateAdmin":false}],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"dataMaskPolicyItems":[],"rowFilterPolicyItems":[],"serviceType":"hdfs","options":{},"validitySchedules":[],"policyLabels":[],"zoneName":"","isDenyAllElse":false}] [root@vm path]# curl -XGET -u user:**************** -v http://my-ranger-server-host:6080/service/public/v2/api/service/cm_hdfs/policy/all%20-%20path * About to connect() to my-ranger-server-host port 6080 (#0) * Trying 10.6.120.140... * Connected to my-ranger-server-host (10.6.120.140) port 6080 (#0) * Server auth using Basic with user 'user' > GET /service/public/v2/api/service/cm_hdfs/policy/all%20-%20path HTTP/1.1 > Authorization: Basic ********************* > User-Agent: curl/7.29.0 > Host: my-ranger-server-host:6080 > Accept: */* > < HTTP/1.1 200 OK < Set-Cookie: RANGERADMINSESSIONID=4179CB624F0F54402CAE4F6158A0082F; Path=/; HttpOnly < X-Frame-Options: DENY < X-XSS-Protection: 1; mode=block < Strict-Transport-Security: max-age=31536000; includeSubDomains < Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self' < Cache-Control: no-cache, no-store, max-age=0, must-revalidate < Pragma: no-cache < Expires: 0 < X-Content-Type-Options: nosniff < Content-Type: application/json < Transfer-Encoding: chunked < Date: Thu, 29 Oct 2020 07:45:19 GMT < Server: Apache Ranger < * Connection #0 to host my-ranger-server-host left intact {"id":1,"guid":"3c1fafbb-bf6c-4916-9ae5-e36ec28a1071","isEnabled":true,"version":13,"service":"cm_hdfs","name":"all - path","policyType":0,"policyPriority":0,"description":"Policy for all - path","isAuditEnabled":true,"resources":{"path":{"values":["/*"],"isExcludes":false,"isRecursive":true}},"policyItems":[{"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true},{"type":"execute","isAllowed":true}],"users":["rangertagsync","hdfs"],"groups":["cloudera-scm","hadoop"],"roles":[],"conditions":[],"delegateAdmin":true}],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"dataMaskPolicyItems":[],"rowFilterPolicyItems":[],"serviceType":"hdfs","options":{},"validitySchedules":[],"policyLabels":[],"zoneName":"","isDenyAllElse":false}
And IDE debugger says me that the filtered policies list size is equals to 0 (org.apache.ranger.rest.PublicAPIsv2#getPolicyByName)