apache
diff --git a/‎.github/workflows/docs.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/docs.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎authz-remote/README.md‎
Lines changed: 73 additions & 0 deletions b/‎authz-remote/README.md‎
Lines changed: 73 additions & 0 deletions
diff --git a/‎authz-remote/pom.xml‎
Lines changed: 71 additions & 0 deletions b/‎authz-remote/pom.xml‎
Lines changed: 71 additions & 0 deletions
diff --git a/‎authz-remote/src/conf/ranger-authz-remote.properties‎
Lines changed: 48 additions & 0 deletions b/‎authz-remote/src/conf/ranger-authz-remote.properties‎
Lines changed: 48 additions & 0 deletions
@@ -18,7 +18,7 @@ name: docs
 
 on:
   push:
-    branches: [ ranger_5353, master ]
+    branches: [ dev, master ]
 
 permissions:
   contents: write
 
@@ -0,0 +1,73 @@
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to You under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+# Ranger Authz Remote Client
+
+The `authz-remote` module implements the `ranger-authz-api` authorizer interface and forwards authorization checks to Ranger PDP Service over HTTP(S).
+
+## Configs
+
+### PDP endpoint
+
+Configure the PDP base URL with **`ranger.authz.remote.pdp.url`**.  
+Other timeouts, TLS, and optional HTTP headers are documented under the same prefix in **`authz-remote/src/conf/ranger-authz-remote.properties`** and **`RangerRemoteAuthzConfig`**.
+
+### Authentication modes
+
+Client authentication is controlled by **`ranger.authz.remote.authn.type`**. Three modes are supported:
+
+- **`header`** (default) — Header-based authentication. Set **`ranger.authz.remote.header.<header_name>=<header_value>`**
+  - example: Set `ranger.authz.remote.header.X-Forwarded-User=test-user`, this header will be passed in all authz calls to PDP Server.
+
+- **`jwt`** 
+  - Set **`ranger.authz.remote.authn.jwt.source`** to **`env`** or **`file`**.  
+  - For **`env`**, set **`ranger.authz.remote.authn.jwt.env`** as the name of the environment variable containing JWT.  
+  - For **`file`**, set **`ranger.authz.remote.authn.jwt.file`** to the token file path.
+
+- **`kerberos`** — SPNEGO from a keytab. Set **`ranger.authz.remote.authn.kerberos.principal`** and **`ranger.authz.remote.authn.kerberos.keytab`**. Optionally set **`ranger.authz.remote.authn.kerberos.debug`** to `true` for JDK Kerberos diagnostics.
+
+## Examples
+
+For an end-to-end example (load configuration from a properties file, pass request as JSON, and call the authorizer), see:
+
+`ranger-examples/sample-client/src/main/java/org/apache/ranger/examples/pdpclient/RemoteAuthzClient.java`  
+**OR** run these commands after unzipping sample-client tarball: `ranger-<version>-sample-client.tar.gz`:
+
+```bash
+# request.json contains the authz request body, and ranger-authz-remote.properties contains the client configs
+
+# header based authn example
+java -cp "lib/*" org.apache.ranger.examples.pdpclient.RemoteAuthzClient request.json ranger-authz-remote-authn-header.properties
+
+# jwt based authn with env variable example
+java -cp "lib/*" org.apache.ranger.examples.pdpclient.RemoteAuthzClient request.json
+
+# kerberos based authn example
+java -cp "lib/*" org.apache.ranger.examples.pdpclient.RemoteAuthzClient request.json ranger-authz-remote-authn-kerberos.properties
+```
+
+Add the dependency (for **applications** that use Ranger for authorization) to your project:
+
+```xml
+<dependency>
+  <groupId>org.apache.ranger</groupId>
+  <artifactId>authz-remote</artifactId>
+  <version>${ranger.version}</version>
+</dependency>
+```
@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+  
+      http://www.apache.org/licenses/LICENSE-2.0
+  
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>org.apache.ranger</groupId>
+        <artifactId>ranger</artifactId>
+        <version>3.0.0-SNAPSHOT</version>
+        <relativePath>..</relativePath>
+    </parent>
+
+    <artifactId>authz-remote</artifactId>
+    <packaging>jar</packaging>
+
+    <name>Ranger Authorization Remote Client</name>
+    <description>Ranger Authorization - Remote PDP client</description>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+            <version>${fasterxml.jackson.version}</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.httpcomponents</groupId>
+            <artifactId>httpclient</artifactId>
+            <version>${httpcomponents.httpclient.version}</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.ranger</groupId>
+            <artifactId>ranger-authz-api</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-api</artifactId>
+            <version>${junit.jupiter.version}</version>
+            <scope>test</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-engine</artifactId>
+            <version>${junit.jupiter.version}</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+</project>
@@ -0,0 +1,48 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ranger.authorizer.impl.class=org.apache.ranger.authz.remote.RangerRemoteAuthorizer
+ranger.authz.remote.pdp.url=http://localhost:6500
+ranger.authz.remote.pdp.connect.timeout.ms=5000
+ranger.authz.remote.pdp.read.timeout.ms=30000
+
+# ranger.authz.remote.authn.type=header|jwt|kerberos
+ranger.authz.remote.authn.type=jwt
+
+# required if ranger.authz.remote.authn.type=header
+ranger.authz.remote.authn.header.X-Forwarded-User=test-user
+
+# required if ranger.authz.remote.authn.type=kerberos
+ranger.authz.remote.authn.kerberos.principal=
+ranger.authz.remote.authn.kerberos.keytab=
+# ranger.authz.remote.authn.kerberos.debug=true
+#
+# Optional Kerberos / JAAS
+# ranger.authz.remote.authn.kerberos.jaas.context.name=RangerRemoteClientKerberos
+# ranger.authz.remote.authn.kerberos.jaas.login.module=com.sun.security.auth.module.Krb5LoginModule
+# ranger.authz.remote.authn.kerberos.jaas.store.key=true
+# ranger.authz.remote.authn.kerberos.jaas.is.initiator=true
+# ranger.authz.remote.authn.kerberos.jaas.do.not.prompt=true
+# ranger.authz.remote.authn.kerberos.jaas.use.ticket.cache=false
+# ranger.authz.remote.authn.kerberos.jaas.refresh.krb5.config=true
+# ranger.authz.remote.authn.kerberos.spnego.strip.port=true
+# ranger.authz.remote.authn.kerberos.spnego.use.canonical.hostname=true
+
+# required if ranger.authz.remote.authn.type=jwt
+# ranger.authz.remote.authn.jwt.source=env|file
+ranger.authz.remote.authn.jwt.source=env
+ranger.authz.remote.authn.jwt.env=RANGER_PDP_JWT
+# ranger.authz.remote.authn.jwt.source=file
+# ranger.authz.remote.authn.jwt.file=/path/to/jwt-token.txt