RANGER-5496: Decouple JWT lifecycle from Ranger plugin via pluggable JWT provider (#857)

kumaab · mneethiraj · web-flow · commit 0ea5ec5e80f6 · 2026-02-25T09:50:11.000-08:00
Co-authored-by: Madhan Neethiraj &lt;madhan@apache.org&gt;
diff --git a/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java b/agents-common/src/main/java/org/apache/ranger/admin/client/RangerAdminRESTClient.java
@@ -28,6 +28,7 @@
 import org.apache.ranger.audit.provider.MiscUtil;
 import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
 import org.apache.ranger.authorization.utils.StringUtil;
+import org.apache.ranger.plugin.authn.JwtProvider;
 import org.apache.ranger.plugin.model.RangerRole;
 import org.apache.ranger.plugin.util.GrantRevokeRequest;
 import org.apache.ranger.plugin.util.GrantRevokeRoleRequest;
@@ -1024,7 +1025,13 @@ public ServiceGdsInfo getGdsInfoIfUpdated(long lastKnownVersion, long lastActiva
 
     @Override
     public boolean isAuthenticationEnabled() {
-        return restClient.isAuthFilterPresent() || super.isAuthenticationEnabled();
+        return (restClient != null && restClient.isAuthFilterPresent()) || super.isAuthenticationEnabled();
+    }
+
+    public void setJwtProvider(JwtProvider jwtProvider) {
+        if (restClient != null) {
+            restClient.setJwtProvider(jwtProvider);
+        }
     }
 
     private void init(String url, String sslConfigFileName, int restClientConnTimeOutMs, int restClientReadTimeOutMs, int restClientMaxRetryAttempts, int restClientRetryIntervalMs, Configuration config) {
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/authn/DefaultJwtProvider.java b/agents-common/src/main/java/org/apache/ranger/plugin/authn/DefaultJwtProvider.java
@@ -0,0 +1,123 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.authn;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.ranger.authorization.hadoop.utils.RangerCredentialProvider;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileReader;
+import java.io.IOException;
+
+public class DefaultJwtProvider implements JwtProvider {
+    private static final Logger LOG = LoggerFactory.getLogger(DefaultJwtProvider.class);
+
+    public static final String JWT_SOURCE     = ".jwt.source";
+    public static final String JWT_ENV        = ".jwt.env";
+    public static final String JWT_FILE       = ".jwt.file";
+    public static final String JWT_CRED_FILE  = ".jwt.cred.file";
+    public static final String JWT_CRED_ALIAS = ".jwt.cred.alias";
+
+    private final String jwtEnvVar;
+    private final String jwtFilePath;
+    private final String jwtCredFilePath;
+    private final String jwtCredAlias;
+    private       long   jwtFileLastModified;
+    private       long   jwtCredFileLastCheckedAt;
+
+    private volatile String jwt;
+
+    public DefaultJwtProvider(String propertyPrefix, Configuration config) {
+        String jwtSrc = config.get(propertyPrefix + JWT_SOURCE);
+
+        if (jwtSrc == null) {
+            jwtSrc = "";
+        }
+
+        switch (jwtSrc) {
+            case "env":
+                this.jwtEnvVar       = config.get(propertyPrefix + JWT_ENV);
+                this.jwtFilePath     = null;
+                this.jwtCredFilePath = null;
+                this.jwtCredAlias    = null;
+                break;
+
+            case "file":
+                this.jwtEnvVar       = null;
+                this.jwtFilePath     = config.get(propertyPrefix + JWT_FILE);
+                this.jwtCredFilePath = null;
+                this.jwtCredAlias    = null;
+                break;
+
+            case "cred":
+                this.jwtEnvVar       = null;
+                this.jwtFilePath     = null;
+                this.jwtCredFilePath = config.get(propertyPrefix + JWT_CRED_FILE);
+                this.jwtCredAlias    = config.get(propertyPrefix + JWT_CRED_ALIAS);
+                break;
+
+            default:
+                this.jwtEnvVar       = null;
+                this.jwtFilePath     = null;
+                this.jwtCredFilePath = null;
+                this.jwtCredAlias    = null;
+                break;
+        }
+    }
+
+    @Override
+    public String getJwt() {
+        if (StringUtils.isNotEmpty(jwtEnvVar)) {
+            jwt = System.getenv(jwtEnvVar);
+        } else if (StringUtils.isNotEmpty(jwtFilePath)) {
+            File jwtFile = new File(jwtFilePath);
+
+            if (jwtFile.lastModified() != jwtFileLastModified && jwtFile.canRead()) {
+                try (BufferedReader reader = new BufferedReader(new FileReader(jwtFile))) {
+                    String line;
+
+                    while ((line = reader.readLine()) != null) {
+                        if (StringUtils.isNotBlank(line) && !line.startsWith("#")) {
+                            break;
+                        }
+                    }
+
+                    jwt                 = line;
+                    jwtFileLastModified = jwtFile.lastModified();
+                } catch (IOException e) {
+                    LOG.error("Failed to read JWT from file: {}", jwtFilePath, e);
+                }
+            }
+        } else if (StringUtils.isNotEmpty(jwtCredFilePath) && StringUtils.isNotEmpty(jwtCredAlias)) {
+            long currentTime = System.currentTimeMillis();
+
+            if ((currentTime - jwtCredFileLastCheckedAt) > 60_000) { // last check should be more than 1 minute ago
+                jwt                      = RangerCredentialProvider.getInstance().getCredentialString(jwtCredFilePath, jwtCredAlias);
+                jwtCredFileLastCheckedAt = currentTime;
+            }
+        }
+
+        return jwt;
+    }
+}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/authn/JwtProvider.java b/agents-common/src/main/java/org/apache/ranger/plugin/authn/JwtProvider.java
@@ -0,0 +1,24 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.authn;
+
+public interface JwtProvider {
+    String getJwt();
+}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java b/agents-common/src/main/java/org/apache/ranger/plugin/policyengine/RangerPluginContext.java
@@ -23,6 +23,8 @@
 import org.apache.ranger.admin.client.RangerAdminClient;
 import org.apache.ranger.admin.client.RangerAdminRESTClient;
 import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
+import org.apache.ranger.plugin.authn.DefaultJwtProvider;
+import org.apache.ranger.plugin.authn.JwtProvider;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.resourcematcher.RangerResourceMatcher;
 import org.apache.ranger.plugin.service.RangerAuthContext;
@@ -40,12 +42,14 @@ public class RangerPluginContext {
     private final RangerPluginConfig                                                         config;
     private final Map<String, Map<RangerPolicy.RangerPolicyResource, RangerResourceMatcher>> resourceMatchers = new HashMap<>();
     private final ReentrantReadWriteLock                                                     lock             = new ReentrantReadWriteLock(true); // fair lock
+    private       JwtProvider                                                                jwtProvider;
     private       RangerAuthContext                                                          authContext;
     private       RangerAuthContextListener                                                  authContextListener;
     private       RangerAdminClient                                                          adminClient;
 
     public RangerPluginContext(RangerPluginConfig config) {
         this.config = config;
+        this.jwtProvider = new DefaultJwtProvider(config.getPropertyPrefix() + ".policy.rest.client", config);
     }
 
     public RangerPluginConfig getConfig() {
@@ -151,6 +155,9 @@ public RangerAdminClient createAdminClient(RangerPluginConfig pluginConfig) {
 
         if (ret == null) {
             ret = new RangerAdminRESTClient();
+            if (jwtProvider != null) {
+                ((RangerAdminRESTClient) ret).setJwtProvider(jwtProvider);
+            }
         }
 
         ret.init(pluginConfig.getServiceName(), pluginConfig.getAppId(), pluginConfig.getPropertyPrefix(), pluginConfig);
@@ -163,6 +170,19 @@ public RangerAdminClient createAdminClient(RangerPluginConfig pluginConfig) {
         return ret;
     }
 
+    public void registerJWTProvider(JwtProvider jwtProvider) {
+        this.jwtProvider = jwtProvider;
+
+        RangerAdminRESTClient restClient = (adminClient instanceof RangerAdminRESTClient) ? (RangerAdminRESTClient) adminClient : null;
+        if (restClient != null) {
+            restClient.setJwtProvider(jwtProvider);
+        }
+    }
+
+    public JwtProvider getJwtProvider() {
+        return jwtProvider;
+    }
+
     void cleanResourceMatchers() {
         LOG.debug("==> cleanResourceMatchers()");
 
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java b/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java
@@ -32,6 +32,7 @@
 import org.apache.ranger.authorization.hadoop.config.RangerAuditConfig;
 import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
 import org.apache.ranger.authorization.utils.StringUtil;
+import org.apache.ranger.plugin.authn.JwtProvider;
 import org.apache.ranger.plugin.contextenricher.RangerAdminGdsInfoRetriever;
 import org.apache.ranger.plugin.contextenricher.RangerAdminUserStoreRetriever;
 import org.apache.ranger.plugin.contextenricher.RangerContextEnricher;
@@ -302,6 +303,10 @@ public static RangerResourceACLs getMergedResourceACLs(RangerResourceACLs baseAC
         return baseACLs;
     }
 
+    public void registerJwtProvider(JwtProvider jwtProvider) {
+        pluginContext.registerJWTProvider(jwtProvider);
+    }
+
     public String getServiceType() {
         return pluginConfig.getServiceType();
     }
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerRESTClient.java
@@ -37,6 +37,7 @@
 import org.apache.ranger.authorization.hadoop.utils.RangerCredentialProvider;
 import org.apache.ranger.authorization.utils.JsonUtils;
 import org.apache.ranger.authorization.utils.StringUtil;
+import org.apache.ranger.plugin.authn.JwtProvider;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -49,11 +50,9 @@
 import javax.ws.rs.core.Cookie;
 import javax.ws.rs.core.Response;
 
-import java.io.BufferedReader;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
-import java.io.FileReader;
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.KeyManagementException;
@@ -109,6 +108,7 @@ public class RangerRESTClient {
     private          int          lastKnownActiveUrlIndex;
     private volatile Client       client;
     private volatile Client       cookieAuthClient;
+    private          JwtProvider  jwtProvider;
     private          ClientFilter jwtAuthFilter;
     private          ClientFilter basicAuthFilter;
 
@@ -190,6 +190,10 @@ public void setBasicAuthInfo(String username, String password) {
         setBasicAuthFilter(username, password);
     }
 
+    public void setJwtProvider(JwtProvider jwtProvider) {
+        this.jwtProvider = jwtProvider;
+    }
+
     public WebResource getResource(String relativeUrl) {
         return getClient().resource(getUrl() + relativeUrl);
     }
@@ -773,14 +777,16 @@ private Client buildClient() {
         return client;
     }
 
-    private void setJWTFilter(String jwtAsString) {
-        if (StringUtils.isNotBlank(jwtAsString)) {
+    private void setJWTFilter() {
+        JwtProvider jwtProvider = this.jwtProvider;
+        if (jwtProvider != null) {
             LOG.info("Registering JWT auth header in REST client");
-
             jwtAuthFilter = new ClientFilter() {
                 @Override
                 public ClientResponse handle(ClientRequest clientRequest) throws ClientHandlerException {
-                    clientRequest.getHeaders().add("Authorization", JWT_HEADER_PREFIX + jwtAsString);
+                    String jwt = jwtProvider.getJwt();
+
+                    clientRequest.getHeaders().putSingle("Authorization", JWT_HEADER_PREFIX + jwt);
 
                     return getNext().handle(clientRequest);
                 }
@@ -827,67 +833,16 @@ private void init(Configuration config) {
             }
         }
 
-        String jwtAsString = fetchJWT(propertyPrefix, config);
         String username    = config.get(propertyPrefix + ".policy.rest.client.username");
         String password    = config.get(propertyPrefix + ".policy.rest.client.password");
 
-        setJWTFilter(jwtAsString);
+        setJWTFilter();
 
         if (StringUtils.isNotBlank(username) && StringUtils.isNotBlank(password)) {
             setBasicAuthFilter(username, password);
         }
     }
 
-    private String fetchJWT(String propertyPrefix, Configuration config) {
-        final String jwtSrc = config.get(propertyPrefix + ".policy.rest.client.jwt.source");
-
-        if (StringUtils.isNotEmpty(jwtSrc)) {
-            switch (jwtSrc) {
-                case "env":
-                    String jwtEnvVar = config.get(propertyPrefix + ".policy.rest.client.jwt.env");
-                    if (StringUtils.isNotEmpty(jwtEnvVar)) {
-                        String jwt = System.getenv(jwtEnvVar);
-                        if (StringUtils.isNotBlank(jwt)) {
-                            return jwt;
-                        }
-                    }
-                    break;
-                case "file":
-                    String jwtFilePath = config.get(propertyPrefix + ".policy.rest.client.jwt.file");
-                    if (StringUtils.isNotEmpty(jwtFilePath)) {
-                        File jwtFile = new File(jwtFilePath);
-                        if (jwtFile.exists()) {
-                            try (BufferedReader reader = new BufferedReader(new FileReader(jwtFile))) {
-                                String line = null;
-                                while ((line = reader.readLine()) != null) {
-                                    if (StringUtils.isNotBlank(line) && !line.startsWith("#")) {
-                                        return line;
-                                    }
-                                }
-                            } catch (IOException e) {
-                                LOG.error("Failed to read JWT from file: {}", jwtFilePath, e);
-                            }
-                        }
-                    }
-                    break;
-                case "cred":
-                    String credFilePath = config.get(propertyPrefix + ".policy.rest.client.jwt.cred.file");
-                    String credAlias = config.get(propertyPrefix + ".policy.rest.client.jwt.cred.alias");
-                    if (StringUtils.isNotEmpty(credFilePath) && StringUtils.isNotEmpty(credAlias)) {
-                        String jwt = RangerCredentialProvider.getInstance().getCredentialString(credFilePath, credAlias);
-                        if (StringUtils.isNotBlank(jwt)) {
-                            return jwt;
-                        }
-                    }
-                    break;
-            }
-        } else {
-            LOG.info("JWT source not configured, proceeding without JWT");
-        }
-
-        return null;
-    }
-
     private boolean isSslEnabled(String url) {
         return !StringUtils.isEmpty(url) && url.toLowerCase().startsWith("https");
     }
