RANGER-5371: pdp server implementation#899
Open
mneethiraj wants to merge 5 commits intoapache:masterfrom
Open
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Introduces a new Ranger PDP (Policy Decision Point) embedded server module that exposes authorization evaluation over REST, along with Python client support and Docker packaging to run/test it in the dev docker-compose environment.
Changes:
- Add new
pdpMaven module implementing an embedded Tomcat + Jersey REST service with authN filters, request context, health/metrics endpoints, and runtime stats. - Extend the Python integration library with PDP request/response models and a
RangerPDPClient, plus sample client scripts and updated docs. - Add distro assembly + docker-compose/Dockerfile wiring to build and run the PDP in the existing Ranger docker setup (including KDC principals/keytabs).
Reviewed changes
Copilot reviewed 53 out of 53 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| ranger-examples/sample-client/src/main/python/sample_pdp_client.py | New example script for calling PDP REST APIs. |
| ranger-examples/sample-client/src/main/python/sample_kms_client.py | Adds KMS sample client script in examples module. |
| pom.xml | Adds pdp module to reactor build profiles. |
| pdp/src/test/java/org/apache/ranger/pdp/security/RangerPdpRequestContextFilterTest.java | Tests request-id propagation + MDC cleanup. |
| pdp/src/test/java/org/apache/ranger/pdp/security/RangerPdpAuthNFilterTest.java | Tests authN filter handler registration behavior. |
| pdp/src/test/java/org/apache/ranger/pdp/security/KerberosAuthHandlerTest.java | Tests Kerberos principal short-name mapping logic. |
| pdp/src/test/java/org/apache/ranger/pdp/security/HttpHeaderAuthNHandlerTest.java | Tests trusted-header auth handler behavior. |
| pdp/src/test/java/org/apache/ranger/pdp/rest/RangerPdpRESTTest.java | Tests REST resource authz/delegation gating + metrics counters. |
| pdp/src/test/java/org/apache/ranger/pdp/config/RangerPdpConfigTest.java | Tests system-property overrides and port parsing fallback. |
| pdp/src/test/java/org/apache/ranger/pdp/RangerPdpStatusServletTest.java | Tests metrics and loaded-service count (has Checkstyle issues). |
| pdp/src/test/java/org/apache/ranger/pdp/RangerPdpStatsTest.java | Tests request counters and latency calculations. |
| pdp/src/main/resources/ranger-pdp-default.xml | Default PDP config (port, authN, connector limits, audit, etc.). |
| pdp/src/main/java/org/apache/ranger/pdp/security/RangerPdpRequestContextFilter.java | Adds request-id header/MDC wiring for correlation. |
| pdp/src/main/java/org/apache/ranger/pdp/security/RangerPdpAuthNFilter.java | Adds pluggable authN filter (header/jwt/kerberos). |
| pdp/src/main/java/org/apache/ranger/pdp/security/PdpAuthNHandler.java | Defines authN handler contract/result model. |
| pdp/src/main/java/org/apache/ranger/pdp/security/KerberosAuthNHandler.java | Implements SPNEGO/Kerberos authN handler. |
| pdp/src/main/java/org/apache/ranger/pdp/security/JwtAuthNHandler.java | Implements JWT bearer authN handler via ranger-authn. |
| pdp/src/main/java/org/apache/ranger/pdp/security/HttpHeaderAuthNHandler.java | Implements trusted-header authN handler. |
| pdp/src/main/java/org/apache/ranger/pdp/rest/RangerPdpREST.java | REST endpoints: authorize, authorizeMulti, permissions + delegation enforcement + stats. |
| pdp/src/main/java/org/apache/ranger/pdp/rest/RangerPdpApplication.java | Jersey ResourceConfig bootstrapping and HK2 bindings. |
| pdp/src/main/java/org/apache/ranger/pdp/model/ErrorResponse.java | Simple JSON error response payload. |
| pdp/src/main/java/org/apache/ranger/pdp/config/RangerPdpConstants.java | Centralized PDP config keys and servlet/request attributes. |
| pdp/src/main/java/org/apache/ranger/pdp/config/RangerPdpConfig.java | Loads/overrides PDP configuration from default/site/system properties. |
| pdp/src/main/java/org/apache/ranger/pdp/RangerPdpStatusServlet.java | Implements /health/* and /metrics endpoints (metric type issue). |
| pdp/src/main/java/org/apache/ranger/pdp/RangerPdpStats.java | Runtime counters/flags for readiness/metrics. |
| pdp/src/main/java/org/apache/ranger/pdp/RangerPdpServer.java | Embedded Tomcat server bootstrapping, filters, Jersey, health/metrics, access logs. |
| pdp/scripts/ranger-pdp.sh | Init-style wrapper for starting/stopping PDP service. |
| pdp/scripts/ranger-pdp-services.sh | Service runner script (start/run/stop/restart/version). |
| pdp/pom.xml | New Maven module definition and dependencies for PDP server. |
| pdp/conf.dist/ranger-pdp-site.xml | Distribution config template for PDP. |
| pdp/conf.dist/logback.xml | Default logback config (stdout). |
| pdp/conf.dist/README-k8s.md | Kubernetes notes (contains a metrics/doc mismatch). |
| intg/src/main/python/apache_ranger/model/ranger_authz.py | Adds Python authz request/response models used by PDP client. |
| intg/src/main/python/apache_ranger/model/init.py | Exports new authz model symbols. |
| intg/src/main/python/apache_ranger/exceptions.py | Improves parsing of error payloads (adds support for message). |
| intg/src/main/python/apache_ranger/client/ranger_pdp_client.py | Adds Python client for PDP REST APIs. |
| intg/src/main/python/apache_ranger/client/init.py | Exports RangerPDPClient and authz model symbols. |
| intg/src/main/python/README.md | Documents Python clients including PDP client usage examples. |
| distro/src/main/assembly/pdp.xml | Adds distro assembly descriptor for PDP tarball. |
| distro/pom.xml | Registers PDP assembly and adds provided dependency. |
| dev-support/ranger-docker/scripts/pdp/ranger-pdp.sh | Container entrypoint script for PDP. |
| dev-support/ranger-docker/scripts/pdp/ranger-pdp-site.xml | Docker-specific PDP configuration (Kerberos enabled). |
| dev-support/ranger-docker/scripts/pdp/logback.xml | Docker logback config (file + stdout). |
| dev-support/ranger-docker/scripts/kdc/entrypoint.sh | Adds KDC principals/keytabs and test user for PDP. |
| dev-support/ranger-docker/docker-compose.ranger-pdp.yml | Adds docker-compose service definition for PDP. |
| dev-support/ranger-docker/README.md | Updates docker-compose instructions to include PDP. |
| dev-support/ranger-docker/Dockerfile.ranger-pdp | Adds Dockerfile to package PDP distro into an image. |
| dev-support/ranger-docker/.env | Adds PDP_VERSION and DEBUG_PDP. |
| dev-support/ranger-docker/.dockerignore | Allows inclusion of PDP tarball in docker build context. |
| authz-embedded/src/main/java/org/apache/ranger/authz/embedded/RangerEmbeddedAuthorizer.java | Exposes loaded-services set; passes appId to plugin. |
| authz-embedded/src/main/java/org/apache/ranger/authz/embedded/RangerAuthzPlugin.java | Adds appId plumbing into RangerPluginConfig creation. |
| authz-api/src/main/java/org/apache/ranger/authz/model/RangerMultiAuthzResult.java | Adds constructors supporting decision field. |
| authz-api/src/main/java/org/apache/ranger/authz/model/RangerAuthzResult.java | Adds constructors supporting decision field. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
pdp/src/test/java/org/apache/ranger/pdp/RangerPdpStatusServletTest.java
Outdated
Show resolved
Hide resolved
pdp/src/main/java/org/apache/ranger/pdp/RangerPdpStatusServlet.java
Outdated
Show resolved
Hide resolved
pdp/src/test/java/org/apache/ranger/pdp/RangerPdpStatusServletTest.java
Outdated
Show resolved
Hide resolved
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 53 out of 53 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
authz-embedded/src/main/java/org/apache/ranger/authz/embedded/RangerEmbeddedAuthorizer.java
Show resolved
Hide resolved
pdp/src/main/java/org/apache/ranger/pdp/security/RangerPdpAuthNFilter.java
Show resolved
Hide resolved
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 53 out of 53 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
pdp/src/test/java/org/apache/ranger/pdp/security/RangerPdpAuthNFilterTest.java
Show resolved
Hide resolved
Comment on lines
+33
to
+45
| if [ -f "${pidf}" ]; then | ||
| pid=$(cat "$pidf") | ||
| fi | ||
|
|
||
| case $1 in | ||
| start) | ||
| if [ "${pid}" != "" ]; then | ||
| echo "Ranger PDP Service is already running [pid=${pid}]" | ||
| exit 1 | ||
| else | ||
| echo "Starting Ranger PDP Service." | ||
| /bin/su --login "${LINUX_USER}" -c "${BIN_PATH}/${MOD_NAME} start" | ||
| fi |
There was a problem hiding this comment.
The init wrapper only checks whether the pidfile contains any value; it doesn't verify the PID is actually running. A stale pidfile will block start (and can misreport status). Consider validating ps -p "$pid" before treating it as running, and removing the pidfile if the PID is not alive (or delegating the check to ranger-pdp-services.sh).
Comment on lines
+169
to
+187
| if [ -f "$pidf" ]; then | ||
| pid=$(cat "$pidf") | ||
| else | ||
| pid=$(ps -ef | grep java | grep -- '-Dproc_rangerpdp' | grep -v grep | awk '{ print $2 }') | ||
| if [ "$pid" != "" ]; then | ||
| echo "pid file (${pidf}) not found; taking pid from 'ps' output." | ||
| else | ||
| echo "Ranger PDP Service is not running." | ||
| exit 0 | ||
| fi | ||
| fi | ||
|
|
||
| echo "Stopping Ranger PDP Service (pid=${pid})..." | ||
| kill -15 "$pid" | ||
|
|
||
| for ((i=0; i<NR_ITER_FOR_SHUTDOWN_CHECK; i++)); do | ||
| sleep $WAIT_TIME_FOR_SHUTDOWN | ||
| if ps -p "$pid" > /dev/null 2>&1; then | ||
| echo "Shutdown in progress. Checking again in ${WAIT_TIME_FOR_SHUTDOWN}s..." |
There was a problem hiding this comment.
In the STOP path when the pidfile is missing, pid=$(ps ... awk ...) can expand to multiple PIDs (or include newlines). Because the script later runs kill -15 "$pid" and ps -p "$pid", a multi-PID value will be treated as a single argument and can cause stop to fail. Consider selecting a single PID (e.g., first match) or iterating over all matches, and avoid quoting a whitespace-separated PID list if the intent is to handle multiple PIDs.
mneethiraj
requested review from
kulkabhay,
kumaab,
pradeepagrawal8184,
sneethiraj,
spolavarpau1 and
vperiasamy
sneethiraj
approved these changes
Mar 31, 2026
kumaab
reviewed
Mar 31, 2026
|
|
||
| private final RangerAuthzConfig config; | ||
| private final String appType; | ||
| private final Map<String, RangerAuthzPlugin> plugins = new HashMap<>(); |
Contributor
There was a problem hiding this comment.
ConcurrentHashMap here offers better concurrency and scalability as it uses fine-grained locking mechanism (lock striping) as compared to synchronized on plugins in L219 which synchronizes on the whole map. It's suggested to use ConcurrentHashMap and simplifying getOrCreatePlugin() accordingly.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What changes were proposed in this pull request?
How was this patch tested?