RANGER-5645: Add audit-ingestor service-user allowlist for Docker plugins#1017
Merged
Conversation
…gins Ship per-repo allowed.users and auth_to_local rules so plugins using the audit-server destination are authorized after Kerberos SPNEGO (fixes HTTP 403). Align create-ranger-services.py with policy.download.auth.users for Ozone, Atlas, Kudu, and NiFi. Add troubleshooting README for ingestor 403 errors. Co-authored-by: Cursor <cursoragent@cursor.com>
Consolidate auth_to_local property description (JWT note + plugin rules). Revert audit-server/scripts/README.md and remove troubleshooting README. Co-authored-by: Cursor <cursoragent@cursor.com>
Match original site XML description style with one bullet per RULE line. Co-authored-by: Cursor <cursoragent@cursor.com>
Remove dev_atlas, dev_kudu, and dev_nifi from ingestor allowlist, auth_to_local rules, and create-ranger-services.py (not in Docker stack). Co-authored-by: Cursor <cursoragent@cursor.com>
Create Policy Manager repo for the elasticsearch service type pointing at ranger-opensearch.rangernw:9200 with opensearch download auth users, and add matching ingestor allowlist plus auth_to_local rule. Co-authored-by: Cursor <cursoragent@cursor.com>
Create dev_tag in create-ranger-services.py (matches Policy Manager). Add dev_tag ingestor allowlist (rangertagsync) and auth_to_local rule. Use CDATA so description shows <repo> instead of XML entities. Co-authored-by: Cursor <cursoragent@cursor.com>
…ries Match Policy Manager repos (dev_atlas, dev_kudu, dev_nifi). Drop dev_elasticsearch allowlist, auth_to_local rules, and create-service entry. Co-authored-by: Cursor <cursoragent@cursor.com>
mneethiraj
reviewed
Jun 14, 2026
Remove redundant auth_to_local plugin rules covered by DEFAULT, restrict Ozone to om-only, and drop tag/atlas/kudu/nifi from create-ranger-services.py per Docker stack scope. Co-authored-by: Cursor <cursoragent@cursor.com>
RESTRICTED-FINAL deny-exception uses isAccessedBefore(activation_date); fixture dates were 2026/06/15 so TestPolicyEngine_hiveForTag_filebased failed on/after that day (unrelated to ingestor allowlist changes). Use 2099/12/31 in tag test fixtures so CI stays stable. Co-authored-by: Cursor <cursoragent@cursor.com>
…lity
parallelStream() on a shared RangerPolicyEngine caused intermittent failures (e.g. hdfs_resourcespec {USER} path policy) under CI load.
Co-authored-by: Cursor <cursoragent@cursor.com>
mneethiraj
reviewed
Jun 15, 2026
- Remove dev_tag, dev_atlas, dev_kudu, dev_nifi allowlist entries (not applicable to Docker audit-ingestor scope per review) - Revert agents-common test fixture and TestPolicyEngine changes; tag date updates belong in separate RANGER-5647 PR - Restore parallelStream() in TestPolicyEngine per review Co-authored-by: Cursor <cursoragent@cursor.com>
mneethiraj
approved these changes
Jun 15, 2026
Fixes RANGER-5645: HTTP 403 when Ranger Docker plugins send audits to audit-ingestor with the audit-server destination enabled.

This is authorization, not authentication — Kerberos/SPNEGO succeeds; ingestor rejects the request because the mapped service short name is missing from `ranger.audit.ingestor.service.<repo>.allowed.users`.

## Problem

Plugins POST to `/audit/access?serviceName=<repo>`. Without a matching allowlist entry, ingestor returns:

## Solution

- Add `ranger.audit.ingestor.service.<repo>.allowed.users` for Docker resource services in shipped `ranger-audit-ingestor-site.xml`.
- Update `auth_to_local` description (DEFAULT rule maps most plugin principals; no extra plugin-specific RULE lines needed).
- `create-ranger-services.py`: `policy.download.auth.users=om` (plugin runs on OM only).

## Review feedback addressed (@mneethiraj)

- Removed `auth_to_local` RULE lines redundant vs DEFAULT
- `dev_tag` in `create-ranger-services.py` (RANGER-2481)
- Ozone: `om` only
- Dropped `dev_tag` from `create-ranger-services.py` (tag services do not send resource audits)
- Restored `parallelStream()` in `TestPolicyEngine`

## Changes

- `audit-server/audit-ingestor/.../ranger-audit-ingestor-site.xml`: `allowed.users` for Docker resource repos; updated `auth_to_local` docs
- `dev-support/ranger-docker/scripts/admin/create-ranger-services.py`: ozone → om

## Shipped allowlist (Docker resource services)

| Repo | allowed.users |
| --- | --- |
| dev_hdfs | hdfs |
| dev_yarn | yarn |
| dev_hive | hive |
| dev_hbase | hbase |
| dev_kafka | kafka |
| dev_knox | knox |
| dev_kms | rangerkms |
| dev_trino | trino |
| dev_ozone | om |
| dev_solr | solr |

## Test plan

`TestPolicyEngine_hiveForTag_filebased` on master)
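To make the authorization step concrete, here is an added model of the check described above (illustration written for this page, not ranger-audit-ingestor's own code). It applies a simplified Hadoop DEFAULT `auth_to_local` mapping to the authenticated principal and then consults `ranger.audit.ingestor.service.<repo>.allowed.users` for the repo named in the request; the realm, hostnames and the property map are constructed from the shipped allowlist table.

```python
"""Model of the audit-ingestor authorization decision behind RANGER-5645.
Kerberos/SPNEGO is assumed to have already succeeded; a False result here is
the case that surfaces as HTTP 403 on POST /audit/access?serviceName=<repo>."""
from typing import Dict, Optional, Set

LOCAL_REALM = "EXAMPLE.COM"  # assumption: the Docker stack's Kerberos realm

# Constructed from the "Shipped allowlist (Docker resource services)" table.
INGESTOR_SITE: Dict[str, str] = {
    "ranger.audit.ingestor.service.dev_hdfs.allowed.users": "hdfs",
    "ranger.audit.ingestor.service.dev_yarn.allowed.users": "yarn",
    "ranger.audit.ingestor.service.dev_hive.allowed.users": "hive",
    "ranger.audit.ingestor.service.dev_hbase.allowed.users": "hbase",
    "ranger.audit.ingestor.service.dev_kafka.allowed.users": "kafka",
    "ranger.audit.ingestor.service.dev_knox.allowed.users": "knox",
    "ranger.audit.ingestor.service.dev_kms.allowed.users": "rangerkms",
    "ranger.audit.ingestor.service.dev_trino.allowed.users": "trino",
    "ranger.audit.ingestor.service.dev_ozone.allowed.users": "om",
    "ranger.audit.ingestor.service.dev_solr.allowed.users": "solr",
}


def default_auth_to_local(principal: str) -> Optional[str]:
    """Simplified DEFAULT rule: a principal in the local realm maps to its first
    component (hive/host@REALM -> hive); any other realm stays unmapped (None)."""
    name, _, realm = principal.partition("@")
    if realm != LOCAL_REALM:
        return None
    return name.split("/", 1)[0]


def allowed_users(site: Dict[str, str], repo: str) -> Set[str]:
    """Parse the comma-separated allowlist for <repo>; missing property -> empty set."""
    raw = site.get(f"ranger.audit.ingestor.service.{repo}.allowed.users", "")
    return {u.strip() for u in raw.split(",") if u.strip()}


def is_authorized(site: Dict[str, str], principal: str, service_name: str) -> bool:
    """True when the mapped short name is an allowed service user for service_name."""
    short_name = default_auth_to_local(principal)
    return short_name is not None and short_name in allowed_users(site, service_name)


if __name__ == "__main__":
    # Hostnames below are constructed examples.
    print(is_authorized(INGESTOR_SITE, "hive/hive.rangernw@EXAMPLE.COM", "dev_hive"))  # True
    print(is_authorized(INGESTOR_SITE, "hive/hive.rangernw@EXAMPLE.COM", "dev_hdfs"))  # False -> 403
```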