  1. Ranger
  2. RANGER-3063

404 http status response on requesting an existing policy


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.0.0
    • Fix Version/s: None
    • Component/s: admin
    • Labels:
      None
    • Environment:
      Cloudera, CDP (CDH) 7.1.3
      Hadoop - 3.1.1.7.1.3.0-100
      Ranger - 2.0.0.7.1.3.0-100
    • Flags:
      Important

      Description

      I caught a strange behavior of the ranger admin REST API.

      The challenge started when I saw that the 'cm_kms' service doesn't appear on the UI side; however, it exists in the REST API response.

      Then, trying to get the policies list for this service responds with a list that contains a single policy:

      [root@vm path]# curl -XGET -u user:********** -v http://my-ranger-server-host:6080/service/public/v2/api/service/cm_kms/policy
      * About to connect() to my-ranger-server-host port 6080 (#0)
      *   Trying 10.6.120.140...
      * Connected to my-ranger-server-host (10.6.120.140) port 6080 (#0)
      * Server auth using Basic with user 'user'
      > GET /service/public/v2/api/service/cm_kms/policy HTTP/1.1
      > Authorization: Basic *********************
      > User-Agent: curl/7.29.0
      > Host: my-ranger-server-host:6080
      > Accept: */*
      > 
      < HTTP/1.1 200 OK
      < Set-Cookie: RANGERADMINSESSIONID=42E2616A84477202A0CB4442C9C4EA88; Path=/; HttpOnly
      < X-Frame-Options: DENY
      < X-XSS-Protection: 1; mode=block
      < Strict-Transport-Security: max-age=31536000; includeSubDomains
      < Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self'
      < Cache-Control: no-cache, no-store, max-age=0, must-revalidate
      < Pragma: no-cache
      < Expires: 0
      < X-Content-Type-Options: nosniff
      < Content-Type: application/json
      < Transfer-Encoding: chunked
      < Date: Thu, 29 Oct 2020 07:11:15 GMT
      < Server: Apache Ranger
      < 
      [{"id":41,"guid":"52b42504-5798-4340-9da3-8e9188a3592f","isEnabled":true,"version":1,"service":"cm_kms","name":"all - keyname","policyType":0,"policyPriority":0,"description":"Policy for all - keyname","isAuditEnabled":true,"resources":{"keyname":{"values":["*"],"isExcludes":false,"isRecursive":false}},"policyItems":[{"accesses":[{"type":"create","isAllowed":true},{"type":"delete","isAllowed":true},{"type":"rollover","isAllowed":true},{"type":"setkeymaterial","isAllowed":true},{"type":"get","isAllowed":true},{"type":"getkeys","isAllowed":true},{"type":"getmetadata","isAllowed":true},{"type":"generateeek","isAllowed":true},{"type":"decrypteek","isAllowed":true}],"users":["keyadmin"],"groups":[],"roles":[],"conditions":[],"delegateAdmin":true},{"accesses":[{"type":"getmetadata","isAllowed":true},{"type":"generateeek","isAllowed":true}],"users":["hdfs"],"groups":[],"roles":[],"conditions":[],"delegateAdmin":true},{"accesses":[{"type":"getmetadata","isAllowed":true},{"type":"decrypteek","isAllowed":true}],"users":["hive"],"groups":[],"roles":[],"conditions":[],"delegateAdmin":true}],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"dataMaskPolicyItems":[],"rowFilterPolicyItems":[],"serviceType":"kms","options":{},"validitySchedules":[],"policyLabels":[],"zoneName":"","isDenyAllElse":false}]
      

      However, the request for the specific policy by name 'all - keyname' responded with a 404 status:

      [root@vm path]# curl -XGET -u user:********** -v http://my-ranger-server-host:6080/service/public/v2/api/service/cm_kms/policy/all%20-%20keyname
      * About to connect() to my-ranger-server-host port 6080 (#0)
      *   Trying 10.6.120.140...
      * Connected to my-ranger-server-host (10.6.120.140) port 6080 (#0)
      * Server auth using Basic with user 'user'
      > GET /service/public/v2/api/service/cm_kms/policy/all%20-%20keyname HTTP/1.1
      > Authorization: Basic ***************************
      > User-Agent: curl/7.29.0
      > Host: my-ranger-server-host:6080
      > Accept: */*
      > 
      < HTTP/1.1 404 Not Found
      < Set-Cookie: RANGERADMINSESSIONID=2885FFB77C5B83345F5F6C0F4E7CB4D8; Path=/; HttpOnly
      < X-Frame-Options: DENY
      < X-XSS-Protection: 1; mode=block
      < Strict-Transport-Security: max-age=31536000; includeSubDomains
      < Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self'
      < Cache-Control: no-cache, no-store, max-age=0, must-revalidate
      < Pragma: no-cache
      < Expires: 0
      < X-Content-Type-Options: nosniff
      < Content-Type: application/json
      < Transfer-Encoding: chunked
      < Date: Thu, 29 Oct 2020 07:43:14 GMT
      < Server: Apache Ranger
      < 
      * Connection #0 to host my-ranger-server-host left intact
      Not found
      

      A PUT request to update the policy responds the same way (404), but a POST request to create a policy with the same name responds with a 400 status - a policy with 'all - keyname' already exists.

      But the similar call chain (GET list of policies, GET policy by name) works perfectly for the 'cm_hdfs' service policies:

      [root@vm path]# curl -XGET -u user:*********** -v http://my-ranger-server-host:6080/service/public/v2/api/service/cm_hdfs/policy
      * About to connect() to my-ranger-server-host port 6080 (#0)
      *   Trying 10.6.120.140...
      * Connected to my-ranger-server-host (10.6.120.140) port 6080 (#0)
      * Server auth using Basic with user 'user'
      > GET /service/public/v2/api/service/cm_hdfs/policy HTTP/1.1
      > Authorization: Basic *************************
      > User-Agent: curl/7.29.0
      > Host: my-ranger-server-host:6080
      > Accept: */*
      > 
      < HTTP/1.1 200 OK
      < Set-Cookie: RANGERADMINSESSIONID=9D112823529E0F1695CB94A4C5081C0E; Path=/; HttpOnly
      < X-Frame-Options: DENY
      < X-XSS-Protection: 1; mode=block
      < Strict-Transport-Security: max-age=31536000; includeSubDomains
      < Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self'
      < Cache-Control: no-cache, no-store, max-age=0, must-revalidate
      < Pragma: no-cache
      < Expires: 0
      < X-Content-Type-Options: nosniff
      < Content-Type: application/json
      < Transfer-Encoding: chunked
      < Date: Thu, 29 Oct 2020 07:44:32 GMT
      < Server: Apache Ranger
      < 
      [{"id":1,"guid":"3c1fafbb-bf6c-4916-9ae5-e36ec28a1071","isEnabled":true,"version":13,"service":"cm_hdfs","name":"all - path","policyType":0,"policyPriority":0,"description":"Policy for all - path","isAuditEnabled":true,"resources":{"path":{"values":["/*"],"isExcludes":false,"isRecursive":true}},"policyItems":[{"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true},{"type":"execute","isAllowed":true}],"users":["rangertagsync","hdfs"],"groups":["cloudera-scm","hadoop"],"roles":[],"conditions":[],"delegateAdmin":true}],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"dataMaskPolicyItems":[],"rowFilterPolicyItems":[],"serviceType":"hdfs","options":{},"validitySchedules":[],"policyLabels":[],"zoneName":"","isDenyAllElse":false},{"id":2,"guid":"422c3e21-4162-43e8-a884-74791e6e4b39","isEnabled":true,"version":1,"service":"cm_hdfs","name":"kms-audit-path","policyType":0,"policyPriority":0,"description":"Policy for kms-audit-path","isAuditEnabled":true,"resources":{"path":{"values* Connection #0 to host vtutr01-vm0.bdauto.wandisco.com left intact
      ":["/ranger/audit/kms"],"isExcludes":false,"isRecursive":true}},"policyItems":[{"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true},{"type":"execute","isAllowed":true}],"users":["keyadmin"],"groups":[],"roles":[],"conditions":[],"delegateAdmin":false}],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"dataMaskPolicyItems":[],"rowFilterPolicyItems":[],"serviceType":"hdfs","options":{},"validitySchedules":[],"policyLabels":[],"zoneName":"","isDenyAllElse":false}]
       
       
       
      [root@vm path]# curl -XGET -u user:**************** -v http://my-ranger-server-host:6080/service/public/v2/api/service/cm_hdfs/policy/all%20-%20path
      * About to connect() to my-ranger-server-host port 6080 (#0)
      *   Trying 10.6.120.140...
      * Connected to my-ranger-server-host (10.6.120.140) port 6080 (#0)
      * Server auth using Basic with user 'user'
      > GET /service/public/v2/api/service/cm_hdfs/policy/all%20-%20path HTTP/1.1
      > Authorization: Basic *********************
      > User-Agent: curl/7.29.0
      > Host: my-ranger-server-host:6080
      > Accept: */*
      > 
      < HTTP/1.1 200 OK
      < Set-Cookie: RANGERADMINSESSIONID=4179CB624F0F54402CAE4F6158A0082F; Path=/; HttpOnly
      < X-Frame-Options: DENY
      < X-XSS-Protection: 1; mode=block
      < Strict-Transport-Security: max-age=31536000; includeSubDomains
      < Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline';font-src 'self'
      < Cache-Control: no-cache, no-store, max-age=0, must-revalidate
      < Pragma: no-cache
      < Expires: 0
      < X-Content-Type-Options: nosniff
      < Content-Type: application/json
      < Transfer-Encoding: chunked
      < Date: Thu, 29 Oct 2020 07:45:19 GMT
      < Server: Apache Ranger
      < 
      * Connection #0 to host my-ranger-server-host left intact
      {"id":1,"guid":"3c1fafbb-bf6c-4916-9ae5-e36ec28a1071","isEnabled":true,"version":13,"service":"cm_hdfs","name":"all - path","policyType":0,"policyPriority":0,"description":"Policy for all - path","isAuditEnabled":true,"resources":{"path":{"values":["/*"],"isExcludes":false,"isRecursive":true}},"policyItems":[{"accesses":[{"type":"read","isAllowed":true},{"type":"write","isAllowed":true},{"type":"execute","isAllowed":true}],"users":["rangertagsync","hdfs"],"groups":["cloudera-scm","hadoop"],"roles":[],"conditions":[],"delegateAdmin":true}],"denyPolicyItems":[],"allowExceptions":[],"denyExceptions":[],"dataMaskPolicyItems":[],"rowFilterPolicyItems":[],"serviceType":"hdfs","options":{},"validitySchedules":[],"policyLabels":[],"zoneName":"","isDenyAllElse":false}
      

      And the IDE debugger tells me that the filtered policies list size is equal to 0 (org.apache.ranger.rest.PublicAPIsv2#getPolicyByName).

            People

            • Assignee:
              Unassigned
              Reporter:
              vtutrinov Vyacheslav Tutrinov

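An added example, not part of the original report or the Ranger code base: a consistency check that lists a service's policies and then requests each one by name, flagging any that the by-name endpoint does not return. The `fetch` hook and the fake server are assumptions, constructed from the responses quoted in the description.

```python
import json
from urllib.parse import quote

API = "/service/public/v2/api/service"  # path prefix taken from the report

def list_path(service):
    return f"{API}/{quote(service, safe='')}/policy"

def by_name_path(service, name):
    # Percent-encode the name, e.g. "all - keyname" -> "all%20-%20keyname"
    return f"{list_path(service)}/{quote(name, safe='')}"

def find_unaddressable_policies(service, fetch):
    """Policies the list endpoint returns but the by-name endpoint does not.

    fetch(path) -> (http_status, body_text) is a hypothetical transport hook:
    a fake below, an authenticated HTTP client against a real Ranger Admin.
    """
    status, body = fetch(list_path(service))
    if status != 200:
        raise RuntimeError(f"listing {service} failed: HTTP {status}")
    findings = []
    for policy in json.loads(body):
        path = by_name_path(service, policy["name"])
        status, body = fetch(path)
        if status != 200:
            problem = f"HTTP {status}"
        elif json.loads(body).get("id") != policy["id"]:
            problem = "id mismatch"  # name resolved to a different policy
        else:
            continue
        findings.append({"id": policy["id"], "name": policy["name"],
                         "path": path, "problem": problem})
    return findings

def make_fake_ranger():
    """Constructed stand-in that reproduces the behaviour in the report."""
    kms = [{"id": 41, "name": "all - keyname"}]
    hdfs = [{"id": 1, "name": "all - path"}, {"id": 2, "name": "kms-audit-path"}]
    routes = {list_path("cm_kms"): (200, json.dumps(kms)),
              list_path("cm_hdfs"): (200, json.dumps(hdfs))}
    for p in hdfs:  # only cm_hdfs policies resolve by name
        routes[by_name_path("cm_hdfs", p["name"])] = (200, json.dumps(p))
    return lambda path: routes.get(path, (404, "Not found"))

if __name__ == "__main__":
    fake = make_fake_ranger()
    for svc in ("cm_kms", "cm_hdfs"):
        print(svc, find_unaddressable_policies(svc, fake))
```

A non-empty result for a service means its policies cannot be read or updated by name through the public API, so automation that manages them by name will silently skip them.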