RANGER-5645: Add audit-ingestor service-user allowlist for Docker plugins#1017
Open
ramackri wants to merge 7 commits into
Conversation
…gins Ship per-repo allowed.users and auth_to_local rules so plugins using the audit-server destination are authorized after Kerberos SPNEGO (fixes HTTP 403). Align create-ranger-services.py with policy.download.auth.users for Ozone, Atlas, Kudu, and NiFi. Add troubleshooting README for ingestor 403 errors. Co-authored-by: Cursor <cursoragent@cursor.com>
Consolidate auth_to_local property description (JWT note + plugin rules). Revert audit-server/scripts/README.md and remove troubleshooting README. Co-authored-by: Cursor <cursoragent@cursor.com>
Match original site XML description style with one bullet per RULE line. Co-authored-by: Cursor <cursoragent@cursor.com>
Remove dev_atlas, dev_kudu, and dev_nifi from ingestor allowlist, auth_to_local rules, and create-ranger-services.py (not in Docker stack). Co-authored-by: Cursor <cursoragent@cursor.com>
Create Policy Manager repo for the elasticsearch service type pointing at ranger-opensearch.rangernw:9200 with opensearch download auth users, and add matching ingestor allowlist plus auth_to_local rule. Co-authored-by: Cursor <cursoragent@cursor.com>
Create dev_tag in create-ranger-services.py (matches Policy Manager). Add dev_tag ingestor allowlist (rangertagsync) and auth_to_local rule. Use CDATA so description shows <repo> instead of XML entities. Co-authored-by: Cursor <cursoragent@cursor.com>
…ries Match Policy Manager repos (dev_atlas, dev_kudu, dev_nifi). Drop dev_elasticsearch allowlist, auth_to_local rules, and create-service entry. Co-authored-by: Cursor <cursoragent@cursor.com>
mneethiraj
reviewed
Jun 14, 2026
```
RULE:[2:$1/$2@$0]([ndj]n/.*@.*|hdfs/.*@.*)s/.*/hdfs/
RULE:[2:$1/$2@$0]([rn]m/.*@.*|yarn/.*@.*)s/.*/yarn/
RULE:[2:$1/$2@$0](jhs/.*@.*)s/.*/mapred/
RULE:[2:$1/$2@$0](hive/.*@.*)s/.*/hive/
```
Lines 276 to 290: the mappings introduced in this PR are already covered by the DEFAULT rule; hence there is no need to explicitly specify these mappings.
```python
                                'ranger.plugin.solr.policy.refresh.synchronous':'true'}})

services = [hdfs, yarn, hive, hbase, kafka, knox, kms, trino, ozone, solr]
tag = RangerService({'name': 'dev_tag', 'type': 'tag',
```
The tag service is automatically created (refer: RANGER-2481). No need to create it explicitly.
```python
                                'policy.download.auth.users': 'ozone',
                                'tag.download.auth.users': 'ozone',
                                'userstore.download.auth.users': 'ozone',
                                'policy.download.auth.users': 'ozone,om,scm,dn',
```
The Ranger plugin runs only in Ozone Manager (om). Please update this configuration to list only the username associated with the Kerberos principal used by om.
```python
tag = RangerService({'name': 'dev_tag', 'type': 'tag',
                     'configs': {'ranger.plugin.audit.filters': "[ {'accessResult': 'DENIED', 'isAudited': true} ]"}})

atlas = RangerService({'name': 'dev_atlas', 'type': 'atlas',
```
Ranger docker setup doesn't include Atlas, Kudu, NiFi; hence it is not necessary to create service instances for these.
Summary
Fixes HTTP 403 failures when Ranger Docker plugins send audits to audit-ingestor with the audit-server destination enabled (RANGER-5645).
This is authorization, not authentication — Kerberos/SPNEGO succeeds; ingestor rejects the request because the mapped service short name is missing from `ranger.audit.ingestor.service.<repo>.allowed.users`.

- `allowed.users` entries in shipped `ranger-audit-ingestor-site.xml` for all Docker Policy Manager repos
- `auth_to_local` rules so service principals map to the same short names as `policy.download.auth.users`
- `create-ranger-services.py` (Ozone `ozone,om,scm,dn`; add `dev_atlas`, `dev_kudu`, `dev_nifi`)
- `audit-server/README-AUDIT-INGESTOR-SERVICE-ALLOWLIST.md`

Problem
Plugins POST to `/audit/access?serviceName=<repo>`. Without a matching allowlist entry, ingestor returns:

Example (Kafka): `dev_kafka` needs `ranger.audit.ingestor.service.dev_kafka.allowed.users=kafka`

Example (KMS): ingestor log: `Unauthorized user: user=rangerkms ... service=dev_kms` → needs `allowed.users=rangerkms`

Changes
- `audit-server/audit-ingestor/.../ranger-audit-ingestor-site.xml`: `allowed.users` for 13 Docker repos + plugin `auth_to_local` rules
- `dev-support/ranger-docker/scripts/admin/create-ranger-services.py`
- `audit-server/README-AUDIT-INGESTOR-SERVICE-ALLOWLIST.md`
- `audit-server/scripts/README.md`

Shipped allowlist (Docker dev repos)

| Repo | allowed.users |
| --- | --- |
| dev_hdfs | hdfs |
| dev_yarn | yarn |
| dev_hive | hive |
| dev_hbase | hbase |
| dev_kafka | kafka |
| dev_knox | knox |
| dev_kms | rangerkms |
| dev_trino | trino |
| dev_ozone | ozone,om,scm,dn |
| dev_solr | solr |
| dev_atlas | atlas |
| dev_kudu | kudu |
| dev_nifi | nifi |
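As an added illustration, not code from this PR or from Ranger, the Python below models the two-step decision the description refers to: map the SPNEGO principal to a short name with `auth_to_local` rules, then check that short name against `ranger.audit.ingestor.service.<repo>.allowed.users`. The rule semantics follow Hadoop's `KerberosName` (`RULE:[n:format](regex)s/from/to/` and `DEFAULT`), which the ingestor is assumed here to share; the realm `EXAMPLE.COM`, the hostnames, and the three-entry sample allowlist are constructed. It goes one step past the page by also handling a principal that no rule maps at all.

```python
import re

# Hadoop-style auth_to_local rule: RULE:[n:format](regex)s/from/to/[g] or DEFAULT
# (assumed here to be the semantics the ingestor applies after SPNEGO)
_RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$"
)

# Constructed sample values, not the shipped ranger-audit-ingestor-site.xml.
DEFAULT_REALM = "EXAMPLE.COM"
SAMPLE_CONFIG = {
    "ranger.audit.ingestor.service.dev_hdfs.allowed.users": "hdfs",
    "ranger.audit.ingestor.service.dev_kafka.allowed.users": "kafka",
    "ranger.audit.ingestor.service.dev_kms.allowed.users": "rangerkms",
}
SAMPLE_RULES = [
    "RULE:[2:$1/$2@$0]([ndj]n/.*@.*|hdfs/.*@.*)s/.*/hdfs/",  # rule quoted in the review
    "DEFAULT",
]


def parse_principal(principal):
    """'nn/host@REALM' -> (['nn', 'host'], 'REALM'); no '@' means an empty realm."""
    name, _, realm = principal.rpartition("@")
    if not name:
        name, realm = realm, ""
    return name.split("/"), realm


def parse_rule(rule):
    rule = rule.strip()
    if rule == "DEFAULT":
        return {"default": True}
    m = _RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"unparseable auth_to_local rule: {rule!r}")
    n, fmt, match, frm, to, g = m.groups()
    return {
        "default": False,
        "n": int(n),
        "fmt": fmt,
        "match": re.compile(match) if match is not None else None,
        "from": re.compile(frm) if frm is not None else None,
        "to": to or "",
        "repeat": g == "g",
    }


def apply_rule(rule, components, realm, default_realm):
    """Return the short name this rule yields, or None if the rule does not apply."""
    if rule["default"]:
        # DEFAULT keeps the first component, but only for principals in the local realm
        return components[0] if realm == default_realm else None
    if len(components) != rule["n"]:
        return None
    params = [realm] + components  # $0 = realm, $1.. = principal components
    base = re.sub(
        r"\$(\d)",
        lambda m: params[int(m.group(1))] if int(m.group(1)) < len(params) else "",
        rule["fmt"],
    )
    if rule["match"] is not None and rule["match"].fullmatch(base) is None:
        return None
    if rule["from"] is None:
        return base
    return rule["from"].sub(rule["to"], base, count=0 if rule["repeat"] else 1)


def short_name(principal, rules, default_realm=DEFAULT_REALM):
    """First matching rule wins; None when no rule maps the principal."""
    components, realm = parse_principal(principal)
    for rule in (parse_rule(r) for r in rules):
        result = apply_rule(rule, components, realm, default_realm)
        if result is not None:
            # Hadoop rejects a result that still looks like a principal
            return None if ("@" in result or "/" in result) else result
    return None


def allowed_users(config, repo):
    raw = config.get(f"ranger.audit.ingestor.service.{repo}.allowed.users", "")
    return {u.strip() for u in raw.split(",") if u.strip()}


def authorize_audit_post(principal, repo, config=SAMPLE_CONFIG, rules=SAMPLE_RULES,
                         default_realm=DEFAULT_REALM):
    """Decision for POST /audit/access?serviceName=<repo> after a successful SPNEGO.

    Returns (allowed, mapped_user). A miss on an allowlisted repo is the 403 the
    PR describes; a principal that no rule maps comes back as (False, None).
    """
    user = short_name(principal, rules, default_realm)
    return (user is not None and user in allowed_users(config, repo)), user


if __name__ == "__main__":
    for principal, repo in [
        ("kafka/kafka.rangernw@EXAMPLE.COM", "dev_kafka"),    # DEFAULT -> kafka, allowed
        ("nn/namenode.rangernw@EXAMPLE.COM", "dev_hdfs"),     # explicit rule -> hdfs, allowed
        ("rangerkms/kms.rangernw@EXAMPLE.COM", "dev_kafka"),  # wrong repo -> denied
        ("kafka/kafka.rangernw@OTHER.REALM", "dev_kafka"),    # foreign realm, no rule -> unmapped
    ]:
        print(principal, repo, authorize_audit_post(principal, repo))
```

Feed it the rule block and the `allowed.users` values you intend to ship and every Docker plugin principal; each `(False, ...)` result is a plugin that will see the 403 after a successful SPNEGO, and a `None` user is a principal that fails mapping before the allowlist is even consulted.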