RANGER-5371: pdp server implementation

authz-api/src/main/java/org/apache/ranger/authz/model/RangerAuthzResult.java

@@ -41,14 +41,25 @@ public RangerAuthzResult() {
     }
 
     public RangerAuthzResult(String requestId) {
-        this(requestId, null);
+        this.requestId = requestId;
+    }
+
+    public RangerAuthzResult(String requestId, AccessDecision decision) {
+        this.requestId = requestId;
+        this.decision  = decision;
     }
 
     public RangerAuthzResult(String requestId, Map<String, PermissionResult> permissions) {
         this.requestId   = requestId;
         this.permissions = permissions;
     }
 
+    public RangerAuthzResult(String requestId, AccessDecision decision, Map<String, PermissionResult> permissions) {
+        this.requestId   = requestId;
+        this.decision    = decision;
+        this.permissions = permissions;
+    }
+
     public String getRequestId() {
         return requestId;
     }

authz-api/src/main/java/org/apache/ranger/authz/model/RangerMultiAuthzResult.java

@@ -39,14 +39,25 @@ public RangerMultiAuthzResult() {
     }
 
     public RangerMultiAuthzResult(String requestId) {
-        this(requestId, null);
+        this.requestId = requestId;
+    }
+
+    public RangerMultiAuthzResult(String requestId, AccessDecision decision) {
+        this.requestId = requestId;
+        this.decision  = decision;
     }
 
     public RangerMultiAuthzResult(String requestId, List<RangerAuthzResult> accesses) {
         this.requestId = requestId;
         this.accesses  = accesses;
     }
 
+    public RangerMultiAuthzResult(String requestId, AccessDecision decision, List<RangerAuthzResult> accesses) {
+        this.requestId = requestId;
+        this.decision  = decision;
+        this.accesses  = accesses;
+    }
+
     public String getRequestId() {
         return requestId;
     }

authz-embedded/src/main/java/org/apache/ranger/authz/embedded/RangerAuthzPlugin.java

@@ -70,8 +70,8 @@ class RangerAuthzPlugin {
     private final RangerBasePlugin                      plugin;
     private final Map<String, RangerResourceNameParser> rrnTemplates = new HashMap<>();
 
-    public RangerAuthzPlugin(String serviceType, String serviceName, Properties properties) {
-        plugin = new RangerBasePlugin(getPluginConfig(serviceType, serviceName, properties)) {
+    public RangerAuthzPlugin(String serviceType, String serviceName, String appId, Properties properties) {
+        plugin = new RangerBasePlugin(getPluginConfig(serviceType, serviceName, appId, properties)) {
             @Override
             public void setPolicies(ServicePolicies policies) {
                 super.setPolicies(policies);
@@ -407,7 +407,7 @@ private void updateResourceTemplates() {
         }
     }
 
-    private static RangerPluginConfig getPluginConfig(String serviceType, String serviceName, Properties properties) {
-        return new RangerPluginConfig(serviceType, serviceName, null, properties);
+    private static RangerPluginConfig getPluginConfig(String serviceType, String serviceName, String appId, Properties properties) {
+        return new RangerPluginConfig(serviceType, serviceName, appId, properties);
     }
 }

authz-embedded/src/main/java/org/apache/ranger/authz/embedded/RangerEmbeddedAuthorizer.java

@@ -37,8 +37,10 @@
 
 import java.util.ArrayList;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Map;
 import java.util.Properties;
+import java.util.Set;
 
 import static org.apache.ranger.authz.api.RangerAuthzApiErrorCode.INVALID_REQUEST_SERVICE_NAME_OR_TYPE_MANDATORY;
 import static org.apache.ranger.authz.embedded.RangerEmbeddedAuthzErrorCode.NO_DEFAULT_SERVICE_FOR_SERVICE_TYPE;
@@ -131,6 +133,10 @@ public RangerMultiAuthzResult authorize(RangerMultiAuthzRequest request, RangerA
         return authorize(request, plugin, auditHandler);
     }
 
+    public Set<String> getLoadedServices() {
+        return new HashSet<>(this.plugins.keySet());
+    }
+
     @Override
     protected void validateAccessContext(RangerAccessContext context) throws RangerAuthzException {
         super.validateAccessContext(context);
@@ -218,7 +224,7 @@ private RangerAuthzPlugin getOrCreatePlugin(String serviceName, String serviceTy
 
                     LOG.debug("properties for service {}: {}", serviceName, pluginProperties);
 
-                    ret = new RangerAuthzPlugin(serviceType, serviceName, pluginProperties);
+                    ret = new RangerAuthzPlugin(serviceType, serviceName, appType, pluginProperties);
 
                     plugins.put(serviceName, ret);
                 }

dev-support/ranger-docker/.dockerignore

@@ -5,6 +5,7 @@
 !dist/ranger-*-kms.tar.gz
 !dist/ranger-*-usersync.tar.gz
 !dist/ranger-*-tagsync.tar.gz
+!dist/ranger-*-pdp.tar.gz
 !dist/ranger-*-audit-server.tar.gz
 !dist/ranger-*-audit-consumer-solr.tar.gz
 !dist/ranger-*-audit-consumer-hdfs.tar.gz

dev-support/ranger-docker/.env

@@ -47,6 +47,9 @@ USERSYNC_VERSION=3.0.0-SNAPSHOT
 # Tagsync Configuration
 TAGSYNC_VERSION=3.0.0-SNAPSHOT
 
+# PDP Configuration
+PDP_VERSION=3.0.0-SNAPSHOT
+
 # Solr Configuration
 SOLR_VERSION=8.11.3
 SOLR_PLUGIN_VERSION=3.0.0-SNAPSHOT
@@ -84,4 +87,5 @@ OPENSEARCH_VERSION=1.3.19
 DEBUG_ADMIN=false
 DEBUG_USERSYNC=false
 DEBUG_TAGSYNC=false
+DEBUG_PDP=false
 ENABLE_FILE_SYNC_SOURCE=false

dev-support/ranger-docker/Dockerfile.ranger-pdp

@@ -0,0 +1,36 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG RANGER_BASE_IMAGE=apache/ranger-base
+ARG RANGER_BASE_VERSION=20260123-2-8
+
+FROM ${RANGER_BASE_IMAGE}:${RANGER_BASE_VERSION}
+
+ARG PDP_VERSION
+
+COPY ./dist/ranger-${PDP_VERSION}-pdp.tar.gz /home/ranger/dist/
+COPY ./scripts/pdp/ranger-pdp.sh             ${RANGER_SCRIPTS}/
+
+RUN    tar xvfz /home/ranger/dist/ranger-${PDP_VERSION}-pdp.tar.gz --directory=${RANGER_HOME} \
+    && ln -s ${RANGER_HOME}/ranger-${PDP_VERSION}-pdp ${RANGER_HOME}/pdp \
+    && rm -f /home/ranger/dist/ranger-${PDP_VERSION}-pdp.tar.gz \
+    && mkdir -p /var/log/ranger/pdp /var/run/ranger /etc/ranger/cache \
+    && ln -s ${RANGER_HOME}/pdp/ranger-pdp-services.sh /usr/bin/ranger-pdp-services.sh \
+    && chown -R ranger:ranger ${RANGER_HOME}/pdp/ ${RANGER_SCRIPTS}/ /var/log/ranger/ /var/run/ranger /etc/ranger/ \
+    && chmod 744 ${RANGER_SCRIPTS}/ranger-pdp.sh
+
+USER ranger
+ENTRYPOINT [ "/home/ranger/scripts/ranger-pdp.sh" ]

dev-support/ranger-docker/README.md

@@ -74,14 +74,14 @@ cd dev-support/ranger-docker
 
 ### Run Ranger Services in Containers
 
-#### Bring up ranger-core services: ranger, usersync, tagsync and ranger-kms in containers
+#### Bring up ranger-core services: ranger, usersync, tagsync, pdp and kms in containers
 ~~~
 # To enable file based sync source for usersync do:
 # export ENABLE_FILE_SYNC_SOURCE=true
 
 # valid values for RANGER_DB_TYPE: mysql/postgres/oracle
 
-docker compose -f docker-compose.ranger.yml -f docker-compose.ranger-usersync.yml -f docker-compose.ranger-tagsync.yml -f docker-compose.ranger-kms.yml up -d
+docker compose -f docker-compose.ranger.yml -f docker-compose.ranger-usersync.yml -f docker-compose.ranger-tagsync.yml -f docker-compose.ranger-pdp.yml -f docker-compose.ranger-kms.yml up -d
 
 # Ranger Admin can be accessed at http://localhost:6080 (admin/rangerR0cks!)
 ~~~
@@ -111,7 +111,7 @@ Similarly, check the `depends` section of the `docker-compose.ranger-service.yam
 #### Bring up all containers
 ~~~
 ./scripts/ozone/ozone-plugin-docker-setup.sh
-docker compose -f docker-compose.ranger.yml -f docker-compose.ranger-usersync.yml -f docker-compose.ranger-tagsync.yml -f docker-compose.ranger-kms.yml -f docker-compose.ranger-hadoop.yml -f docker-compose.ranger-hbase.yml -f docker-compose.ranger-kafka.yml -f docker-compose.ranger-hive.yml -f docker-compose.ranger-knox.yml -f docker-compose.ranger-ozone.yml up -d
+docker compose -f docker-compose.ranger.yml -f docker-compose.ranger-usersync.yml -f docker-compose.ranger-tagsync.yml -f docker-compose.ranger-pdp.yml -f docker-compose.ranger-kms.yml -f docker-compose.ranger-hadoop.yml -f docker-compose.ranger-hbase.yml -f docker-compose.ranger-kafka.yml -f docker-compose.ranger-hive.yml -f docker-compose.ranger-knox.yml -f docker-compose.ranger-ozone.yml up -d
 ~~~
 
 #### To rebuild specific images and start containers with the new image:
@@ -122,4 +122,4 @@ docker compose -f docker-compose.ranger.yml -f docker-compose.ranger-usersync.ym
 #### To bring up audit server, solr and hdfs consumer. Make sure kafka,solr and hdfs containers are running before bring up audit server.
 ~~~
 docker compose  -f docker-compose.ranger.yml -f docker-compose.ranger-hadoop.yml -f docker-compose.ranger-kafka.yml -f docker-compose.ranger-audit-server.yml  up -d
-~~~
+~~~

dev-support/ranger-docker/docker-compose.ranger-pdp.yml

@@ -0,0 +1,61 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+services:
+  ranger-pdp:
+    build:
+      context: .
+      dockerfile: Dockerfile.ranger-pdp
+      args:
+        - RANGER_BASE_IMAGE=${RANGER_BASE_IMAGE}
+        - RANGER_BASE_VERSION=${RANGER_BASE_VERSION}
+        - PDP_VERSION=${PDP_VERSION}
+    image: ranger-pdp
+    container_name: ranger-pdp
+    hostname: ranger-pdp.rangernw
+    volumes:
+      - ./dist/keytabs/ranger-pdp:/etc/keytabs
+      - ./scripts/kdc/krb5.conf:/etc/krb5.conf
+      - ./scripts/hadoop/core-site.xml:/home/ranger/scripts/core-site.xml:ro
+      - ./dist/version:/home/ranger/dist/version:ro
+      - ./scripts/pdp/logback.xml:/opt/ranger/pdp/conf/logback.xml
+      - ./scripts/pdp/ranger-pdp-site.xml:/opt/ranger/pdp/conf/ranger-pdp-site.xml
+    stdin_open: true
+    tty: true
+    networks:
+      - ranger
+    ports:
+      - "6500:6500"
+    healthcheck:
+      test: ["CMD-SHELL", "curl -sf http://localhost:6500/health/ready >/dev/null || exit 1"]
+      interval: 20s
+      timeout: 10s
+      retries: 20
+      start_period: 30s
+    depends_on:
+      ranger:
+        condition: service_started
+      ranger-solr:
+        condition: service_started
+    environment:
+      - PDP_VERSION
+      - KERBEROS_ENABLED
+      - DEBUG_PDP=${DEBUG_PDP:-false}
+
+networks:
+  ranger:
+    name: rangernw
+    external: true

dev-support/ranger-docker/scripts/kdc/entrypoint.sh

@@ -90,6 +90,9 @@ function create_keytabs() {
 
   create_principal_and_keytab rangerkms ranger-kms
 
+  create_principal_and_keytab HTTP      ranger-pdp
+  create_principal_and_keytab rangerpdp ranger-pdp
+
   create_principal_and_keytab dn          ranger-hadoop
   create_principal_and_keytab hdfs        ranger-hadoop
   create_principal_and_keytab healthcheck ranger-hadoop
@@ -142,7 +145,7 @@ if [ ! -f $DB_DIR/principal ]; then
   echo "Database initialized"
 
   create_keytabs
-  create_testusers ranger ranger-usersync ranger-tagsync ranger-audit-server ranger-audit-consumer-solr ranger-audit-consumer-hdfs ranger-hadoop ranger-hive ranger-hbase ranger-kafka ranger-solr ranger-knox ranger-kms ranger-ozone ranger-trino ranger-opensearch
+  create_testusers ranger ranger-usersync ranger-tagsync ranger-pdp ranger-audit-server ranger-audit-consumer-solr ranger-audit-consumer-hdfs ranger-hadoop ranger-hive ranger-hbase ranger-kafka ranger-solr ranger-knox ranger-kms ranger-ozone ranger-trino ranger-opensearch
 else
   echo "KDC DB already exists; skipping create"
 fi

dev-support/ranger-docker/scripts/pdp/logback.xml

@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<configuration>
+  <property name="pdpLogDir" value="${logdir:-/var/log/ranger/pdp}"/>
+  <property name="pdpHostname" value="${hostname:-unknown-host}"/>
+
+  <appender name="file" class="ch.qos.logback.core.FileAppender">
+    <file>${pdpLogDir}/ranger-pdp-${pdpHostname}.log</file>
+    <append>true</append>
+    <encoder>
+      <pattern>%d{ISO8601} %-5p [%X{requestId}] %c{1} - %m%n</pattern>
+    </encoder>
+  </appender>
+
+  <appender name="stdout" class="ch.qos.logback.core.ConsoleAppender">
+    <target>System.out</target>
+    <encoder>
+      <pattern>%d{ISO8601} %-5p [%X{requestId}] %c{1} - %m%n</pattern>
+    </encoder>
+  </appender>
+
+  <logger name="com.sun.jersey.server.wadl.generators.WadlGeneratorJAXBGrammarGenerator" level="OFF"/>
+  <logger name="org.apache.directory.server.core" level="OFF"/>
+  <logger name="org.apache.hadoop.security" level="OFF"/>
+  <logger name="org.apache.hadoop.conf" level="ERROR"/>
+  <logger name="org.apache.hadoop.util.NativeCodeLoader" level="OFF"/>
+
+  <root level="INFO">
+    <appender-ref ref="file"/>
+    <appender-ref ref="stdout"/>
+  </root>
+</configuration>