RANGER-5479: Remove dependency on hadoop libs in ranger-authn (#836)

Author: kumaab

ranger-authn/pom.xml

@@ -65,18 +65,6 @@
             <version>${commons.text.version}</version>
         </dependency>
 
-        <dependency>
-            <groupId>org.apache.hadoop</groupId>
-            <artifactId>hadoop-client-api</artifactId>
-            <version>${hadoop.version}</version>
-        </dependency>
-
-        <dependency>
-            <groupId>org.apache.hadoop</groupId>
-            <artifactId>hadoop-client-runtime</artifactId>
-            <version>${hadoop.version}</version>
-        </dependency>
-
         <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-api</artifactId>

ranger-authn/src/main/java/org/apache/ranger/authz/handler/RangerAuth.java

@@ -18,15 +18,13 @@
  */
 package org.apache.ranger.authz.handler;
 
-import org.apache.hadoop.security.authentication.server.AuthenticationToken;
-
 public class RangerAuth {
     private String    userName;
     private AuthType  type;
     private boolean   isAuthenticated;
 
-    public RangerAuth(final AuthenticationToken authenticationToken, AuthType type) {
-        this.userName        = authenticationToken.getName();
+    public RangerAuth(String username, AuthType type) {
+        this.userName        = username;
         this.isAuthenticated = true;
         this.type            = type;
     }

ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerDefaultJwtAuthHandler.java

@@ -25,7 +25,6 @@
 import com.nimbusds.jwt.proc.DefaultJWTProcessor;
 import com.nimbusds.jwt.proc.JWTClaimsSetVerifier;
 import org.apache.commons.lang3.StringUtils;
-import org.apache.hadoop.security.authentication.server.AuthenticationToken;
 import org.apache.ranger.authz.handler.RangerAuth;
 
 import javax.servlet.ServletRequest;
@@ -82,11 +81,10 @@ public RangerAuth authenticate(HttpServletRequest httpServletRequest) {
         String     jwtAuthHeaderStr = getJwtAuthHeader(httpServletRequest);
         String     jwtCookieStr     = StringUtils.isBlank(jwtAuthHeaderStr) ? getJwtCookie(httpServletRequest) : null;
         String     doAsUser         = httpServletRequest.getParameter(DO_AS_PARAMETER);
+        String     username         = authenticate(jwtAuthHeaderStr, jwtCookieStr, doAsUser);
 
-        AuthenticationToken authenticationToken = authenticate(jwtAuthHeaderStr, jwtCookieStr, doAsUser);
-
-        if (authenticationToken != null) {
-            rangerAuth = new RangerAuth(authenticationToken, RangerAuth.AuthType.JWT_JWKS);
+        if (username != null) {
+            rangerAuth = new RangerAuth(username, RangerAuth.AuthType.JWT_JWKS);
         }
 
         return rangerAuth;

ranger-authn/src/main/java/org/apache/ranger/authz/handler/jwt/RangerJwtAuthHandler.java

@@ -22,17 +22,17 @@
 import com.nimbusds.jose.JWSObject;
 import com.nimbusds.jose.JWSVerifier;
 import com.nimbusds.jose.crypto.RSASSAVerifier;
+import com.nimbusds.jose.jwk.RSAKey;
 import com.nimbusds.jose.jwk.source.JWKSource;
 import com.nimbusds.jose.jwk.source.RemoteJWKSet;
 import com.nimbusds.jose.proc.BadJOSEException;
 import com.nimbusds.jose.proc.JWSKeySelector;
 import com.nimbusds.jose.proc.JWSVerificationKeySelector;
 import com.nimbusds.jose.proc.SecurityContext;
+import com.nimbusds.jose.util.X509CertUtils;
 import com.nimbusds.jwt.SignedJWT;
 import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
 import org.apache.commons.lang3.StringUtils;
-import org.apache.hadoop.security.authentication.server.AuthenticationToken;
-import org.apache.hadoop.security.authentication.util.CertificateUtil;
 import org.apache.ranger.authz.handler.RangerAuthHandler;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -82,7 +82,7 @@ public void initialize(final Properties config) throws Exception {
 
         // setup JWT provider public key if configured
         if (StringUtils.isNotBlank(pemPublicKey)) {
-            verifier = new RSASSAVerifier(CertificateUtil.parseRSAPublicKey(pemPublicKey));
+            verifier = new RSASSAVerifier(RSAKey.parse(X509CertUtils.parse(pemPublicKey)));
         } else if (StringUtils.isBlank(jwksProviderUrl)) {
             throw new Exception("RangerJwtAuthHandler: Mandatory configs ('jwks.provider-url' & 'jwt.public-key') are missing, must provide atleast one.");
         }
@@ -106,12 +106,11 @@ public void initialize(final Properties config) throws Exception {
 
     public abstract ConfigurableJWTProcessor<SecurityContext> getJwtProcessor(JWSKeySelector<SecurityContext> keySelector);
 
-    protected AuthenticationToken authenticate(final String jwtAuthHeader, final String jwtCookie, final String doAsUser) {
+    protected String authenticate(final String jwtAuthHeader, final String jwtCookie, final String doAsUser) {
         if (LOG.isDebugEnabled()) {
             LOG.debug("===>>> RangerJwtAuthHandler.authenticate()");
         }
 
-        AuthenticationToken token = null;
         if (shouldProceedAuth(jwtAuthHeader, jwtCookie)) {
             String serializedJWT = getJWT(jwtAuthHeader, jwtCookie);
 
@@ -132,7 +131,7 @@ protected AuthenticationToken authenticate(final String jwtAuthHeader, final Str
                             LOG.debug("RangerJwtAuthHandler.authenticate(): Issuing AuthenticationToken for user: [{}]", userName);
                             LOG.debug("RangerJwtAuthHandler.authenticate(): Authentication successful for user [{}] and doAs user is [{}]", jwtToken.getJWTClaimsSet().getSubject(), doAsUser);
                         }
-                        token = new AuthenticationToken(userName, userName, TYPE);
+                        return userName;
                     } else {
                         LOG.warn("RangerJwtAuthHandler.authenticate(): Validation failed for JWT token: [{}] ", jwtToken.serialize());
                     }
@@ -148,7 +147,7 @@ protected AuthenticationToken authenticate(final String jwtAuthHeader, final Str
             LOG.debug("<<<=== RangerJwtAuthHandler.authenticate()");
         }
 
-        return token;
+        return null;
     }
 
     protected String getJWT(final String jwtAuthHeader, final String jwtCookie) {
@@ -267,13 +266,11 @@ protected boolean validateAudiences(final SignedJWT jwtToken) {
         boolean valid = false;
         try {
             List<String> tokenAudienceList = jwtToken.getJWTClaimsSet().getAudience();
-            // if there were no expected audiences configured then just
-            // consider any audience acceptable
+            // if there were no expected audiences configured then just consider any audience acceptable
             if (audiences == null) {
                 valid = true;
             } else {
-                // if any of the configured audiences is found then consider it
-                // acceptable
+                // if any of the configured audiences is found then consider it acceptable
                 for (String aud : tokenAudienceList) {
                     if (audiences.contains(aud)) {
                         if (LOG.isDebugEnabled()) {
@@ -294,8 +291,8 @@ protected boolean validateAudiences(final SignedJWT jwtToken) {
     }
 
     /**
-     * Validate that the expiration time of the JWT token has not been violated. If
-     * it has then throw an AuthenticationException. Override this method in
+     * Validate that the expiration time of the JWT has not been violated. If
+     * it has, then throw an AuthenticationException. Override this method in
      * subclasses in order to customize the expiration validation behavior.
      *
      * @param jwtToken the token that contains the expiration date to validate

security-admin/src/test/java/org/apache/ranger/security/web/filter/TestRangerJwtAuthFilter.java

@@ -18,7 +18,6 @@
  */
 package org.apache.ranger.security.web.filter;
 
-import org.apache.hadoop.security.authentication.server.AuthenticationToken;
 import org.apache.ranger.authz.handler.RangerAuth;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.MethodOrderer;
@@ -89,8 +88,7 @@ public void testDoFilter_setsAuthenticationWhenAuthenticateSucceeds() throws Ser
         ServletResponse res = Mockito.mock(ServletResponse.class);
         FilterChain chain = Mockito.mock(FilterChain.class);
 
-        AuthenticationToken token = new AuthenticationToken("alice", "alice", "ranger-jwt");
-        RangerAuth rangerAuth = new RangerAuth(token, RangerAuth.AuthType.JWT_JWKS);
+        RangerAuth rangerAuth = new RangerAuth("alice", RangerAuth.AuthType.JWT_JWKS);
 
         doReturn(rangerAuth).when(filter).authenticate(any(HttpServletRequest.class));