Fang-Yu Rao created IMPALA-13732:
------------------------------------
Summary: Do not send a GrantRevokeRequest with null fields to
Ranger server in AuthorizationStmtTest if possible
Key: IMPALA-13732
URL: https://issues.apache.org/jira/browse/IMPALA-13732
Project: IMPALA
Issue Type: Task
Components: Frontend
Reporter: Fang-Yu Rao
Assignee: Fang-Yu Rao
To support JDK 17,
[RANGER-4806|https://github.com/apache/ranger/commit/10b87936b21c84c67a3e429e8da89f3098c74d3d#diff-011851df995a106cc0701ebb13b0f3824b4f5aeb1af0f0f118c29e1d0bf677c1]
switched from {{com.google.gson.Gson}} to
{{org.apache.ranger.authorization.utils.JsonUtils}} when producing the JSON
payloads that will be sent to the Ranger server from the Ranger plug-in. This,
however, changed the behavior of *RangerRESTClient#toJson()* in
[RangerRESTClient.java|https://github.com/apache/ranger/blob/master/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java].
For instance, before IMPALA-13722, in a related test case in Impala, Impala's
test framework sent the following resource in its {{GrantRevokeRequest}} that
was going to be sent to the Ranger service to revoke some privilege from a
specified user.
{code:java}
"database" -> "*"
"column" -> "*"
"table" -> "*"
"url" -> null
{code}
Under the covers, *RangerRESTClient#toJson()* is called to convert the
{{GrantRevokeRequest}} above to a JSON object, which in turn is sent to the
Ranger server as follows in
[RangerRESTClient.java|https://github.com/apache/ranger/blob/master/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java]
where '{{obj}}' corresponds to that {{GrantRevokeRequest}}.
{code:java}
public ClientResponse post(String relativeUrl, Map<String, String> params,
    Object obj) throws Exception {
  ...
  finalResponse = webResource.accept(RangerRESTUtils.REST_EXPECTED_MIME_TYPE)
      .type(RangerRESTUtils.REST_MIME_TYPE_JSON)
      .post(ClientResponse.class, toJson(obj));
  ...
}
{code}
Before RANGER-4806, {{toJson(obj)}} above evaluated to the following when
{{com.google.gson.Gson}} was used.
{code:java}
{
  "accessTypes": [
    "create"
  ],
  "clientIPAddress": "127.0.0.1",
  "clusterName": "test-cluster",
  "delegateAdmin": false,
  "enableAudit": true,
  "grantor": "admin",
  "grantorGroups": [
    "admin"
  ],
  "groups": [],
  "isRecursive": false,
  "replaceExistingPermissions": false,
  "resource": {
    "column": "*",
    "database": "*",
    "table": "*"
  },
  "roles": [],
  "users": [
    "non_owner"
  ]
}
{code}
After RANGER-4806, {{toJson(obj)}} above evaluates to the following after we
switched to {{org.apache.ranger.authorization.utils.JsonUtils}}. It can
be seen that after RANGER-4806, Impala would send to the Ranger server a null
'{{url}}', and the Ranger server does not like '{{url}}' being null, so
we hit the issue in IMPALA-13722.
But we also found that other than the value of '{{url}}', there are still
other fields whose values are null. The fix for IMPALA-13722 only addressed the
issue related to the field of '{{url}}' but not other fields. We don't know
whether or not Ranger will add other null checks in the future. To avoid
such breakage as seen in IMPALA-13722, we should avoid sending a
{{GrantRevokeRequest}} with null fields if possible.
{code:java}
{
  "accessTypes": [
    "create"
  ],
  "clientIPAddress": "127.0.0.1",
  "clientType": null,
  "clusterName": "test-cluster",
  "delegateAdmin": false,
  "enableAudit": true,
  "forwardedAddresses": null,
  "grantor": "admin",
  "grantorGroups": [
    "admin"
  ],
  "groups": [],
  "isRecursive": false,
  "ownerUser": null,
  "remoteIPAddress": null,
  "replaceExistingPermissions": false,
  "requestData": null,
  "resource": {
    "column": "*",
    "database": "*",
    "table": "*",
    "url": null
  },
  "roles": [],
  "sessionId": null,
  "users": [
    "non_owner"
  ],
  "zoneName": null
}
{code}
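Added example, not part of the original issue and not Impala or Ranger code: a JDK-only sketch of a guard a test could run before sending a request, listing every null-valued field and then dropping the nulls. The class {{NullFieldCheck}}, its methods, and the nested-Map stand-in for {{GrantRevokeRequest}} are assumptions for illustration; the sample values are constructed from the payload quoted above.

```java
import java.util.*;

public class NullFieldCheck {

    /** Collects the dotted path of every null value reachable from node. */
    static List<String> nullPaths(Object node, String path, List<String> out) {
        if (node == null) {
            out.add(path);
        } else if (node instanceof Map) {
            for (Map.Entry<?, ?> e : ((Map<?, ?>) node).entrySet()) {
                String child = path.isEmpty()
                        ? String.valueOf(e.getKey()) : path + "." + e.getKey();
                nullPaths(e.getValue(), child, out);
            }
        } else if (node instanceof List) {
            List<?> items = (List<?>) node;
            for (int i = 0; i < items.size(); i++) {
                nullPaths(items.get(i), path + "[" + i + "]", out);
            }
        }
        return out;
    }

    /** Removes null-valued map entries in place, at every nesting level. */
    static void dropNulls(Object node) {
        if (node instanceof Map) {
            Map<?, ?> m = (Map<?, ?>) node;
            m.values().removeIf(Objects::isNull);
            m.values().forEach(NullFieldCheck::dropNulls);
        } else if (node instanceof List) {
            ((List<?>) node).forEach(NullFieldCheck::dropNulls);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a subset of the fields in the payload above.
        Map<String, Object> resource = new LinkedHashMap<>();
        resource.put("database", "*");
        resource.put("table", "*");
        resource.put("url", null);
        Map<String, Object> request = new LinkedHashMap<>();
        request.put("accessTypes", Arrays.asList("create"));
        request.put("clientType", null);
        request.put("resource", resource);
        request.put("zoneName", null);

        System.out.println("null fields: " + nullPaths(request, "", new ArrayList<>()));
        dropNulls(request);
        System.out.println("after pruning: " + request);
    }
}
```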