RANGER-5550: introduce authz-remote library to support minimal java client integration for plugins

[kumaab]

What changes were proposed in this pull request?

Introduce a module authz-remote as a minimal java client to connect with PDP Server, using authz-api.

• Added support for 3 authn modes: Header, JWT, Kerberos
• Add TLS support, tested via unit tests.
• Add README to demo usages of authz-remote lib and linked it to mkdocs.

How was this patch tested?

Tested these sample commands from inside ranger-pdp container:

# header based authn
/opt/java/openjdk/bin/java -cp "lib/*" org.apache.ranger.examples.pdpclient.RemoteAuthzClient request.json ranger-authz-remote-authn-header.properties

# jwt based authn with env variable
/opt/java/openjdk/bin/java -cp "lib/*" org.apache.ranger.examples.pdpclient.RemoteAuthzClient request.json

# kerberos based authn
/opt/java/openjdk/bin/java -cp "lib/*" org.apache.ranger.examples.pdpclient.RemoteAuthzClient request.json ranger-authz-remote-authn-kerberos.properties

Received responses for each authn mode, sample-logs:

ranger@ranger-pdp:/tmp/ranger-3.0.0-SNAPSHOT-sample-client$ /opt/java/openjdk/bin/java -cp "lib/*" org.apache.ranger.examples.pdpclient.RemoteAuthzClient request.json ranger-authz-remote-authn-header.properties
Loaded request from: request.json
Loaded properties from: ranger-authz-remote-authn-header.properties
00:52:01,728 |-INFO in ch.qos.logback.classic.LoggerContext[default] - This is logback-classic version 1.3.14
00:52:01,729 |-INFO in ch.qos.logback.classic.util.ContextInitializer@5af3afd9 - No custom configurators were discovered as a service.
00:52:01,729 |-INFO in ch.qos.logback.classic.util.ContextInitializer@5af3afd9 - Trying to configure with ch.qos.logback.classic.joran.SerializedModelConfigurator
00:52:01,729 |-INFO in ch.qos.logback.classic.util.ContextInitializer@5af3afd9 - Constructed configurator of type class ch.qos.logback.classic.joran.SerializedModelConfigurator
00:52:01,730 |-INFO in ch.qos.logback.classic.LoggerContext[default] - Could NOT find resource [logback-test.scmo]
00:52:01,730 |-INFO in ch.qos.logback.classic.LoggerContext[default] - Could NOT find resource [logback.scmo]
00:52:01,730 |-INFO in ch.qos.logback.classic.util.ContextInitializer@5af3afd9 - ch.qos.logback.classic.joran.SerializedModelConfigurator.configure() call lasted 1 milliseconds. ExecutionStatus=INVOKE_NEXT_IF_ANY
00:52:01,730 |-INFO in ch.qos.logback.classic.util.ContextInitializer@5af3afd9 - Trying to configure with ch.qos.logback.classic.util.DefaultJoranConfigurator
00:52:01,730 |-INFO in ch.qos.logback.classic.util.ContextInitializer@5af3afd9 - Constructed configurator of type class ch.qos.logback.classic.util.DefaultJoranConfigurator
00:52:01,730 |-INFO in ch.qos.logback.classic.LoggerContext[default] - Could NOT find resource [logback-test.xml]
00:52:01,730 |-INFO in ch.qos.logback.classic.LoggerContext[default] - Found resource [logback.xml] at [jar:file:/tmp/ranger-3.0.0-SNAPSHOT-sample-client/lib/sample-client-3.0.0-SNAPSHOT.jar!/logback.xml]
00:52:01,730 |-WARN in ch.qos.logback.classic.util.DefaultJoranConfigurator@323b36e0 - Resource [logback.xml] occurs multiple times on the classpath.
00:52:01,730 |-WARN in ch.qos.logback.classic.util.DefaultJoranConfigurator@323b36e0 - Resource [logback.xml] occurs at [jar:file:/tmp/ranger-3.0.0-SNAPSHOT-sample-client/lib/sample-client-3.0.0-SNAPSHOT.jar!/logback.xml]
00:52:01,730 |-WARN in ch.qos.logback.classic.util.DefaultJoranConfigurator@323b36e0 - Resource [logback.xml] occurs at [jar:file:/tmp/ranger-3.0.0-SNAPSHOT-sample-client/lib/ranger-intg-3.0.0-SNAPSHOT.jar!/logback.xml]
00:52:01,734 |-INFO in ch.qos.logback.core.joran.spi.ConfigurationWatchList@44ebcd03 - URL [jar:file:/tmp/ranger-3.0.0-SNAPSHOT-sample-client/lib/sample-client-3.0.0-SNAPSHOT.jar!/logback.xml] is not of type file
00:52:01,803 |-INFO in ch.qos.logback.core.model.processor.AppenderModelHandler - Processing appender named [console]
00:52:01,803 |-INFO in ch.qos.logback.core.model.processor.AppenderModelHandler - About to instantiate appender of type [ch.qos.logback.core.ConsoleAppender]
00:52:01,806 |-INFO in ch.qos.logback.core.model.processor.ImplicitModelHandler - Assuming default type [ch.qos.logback.classic.encoder.PatternLayoutEncoder] for [encoder] property
00:52:01,821 |-INFO in ch.qos.logback.classic.model.processor.RootLoggerModelHandler - Setting level of ROOT logger to INFO
00:52:01,821 |-INFO in ch.qos.logback.core.model.processor.AppenderRefModelHandler - Attaching appender named [console] to Logger[ROOT]
00:52:01,822 |-INFO in ch.qos.logback.core.model.processor.DefaultProcessor@694abbdc - End of configuration.
00:52:01,822 |-INFO in ch.qos.logback.classic.joran.JoranConfigurator@2e005c4b - Registering current configuration as safe fallback point
00:52:01,822 |-INFO in ch.qos.logback.classic.util.ContextInitializer@5af3afd9 - ch.qos.logback.classic.util.DefaultJoranConfigurator.configure() call lasted 92 milliseconds. ExecutionStatus=DO_NOT_INVOKE_NEXT_IF_ANY

2026-04-30 00:52:01.825 INFO  - creating authorizer implementation of type: org.apache.ranger.authz.remote.RangerRemoteAuthorizer
{
  "requestId" : "hive-access-request",
  "decision" : "ALLOW",
  "permissions" : {
    "select" : {
      "permission" : "select",
      "access" : {
        "decision" : "ALLOW",
        "policy" : {
          "id" : 9,
          "version" : 1
        }
      }
    }
  }
}

[mneethiraj]

@kumaab - this PR will be ready once support for JWT authentication is added (using configurations ranger.authz.remote.auth.type=jwt, and other properties to read JWT from file/env/cred-file).

[kumaab]

@kumaab - this PR will be ready once support for JWT authentication is added (using configurations ranger.authz.remote.auth.type=jwt, and other properties to read JWT from file/env/cred-file).

Support for jwt has been added with 2 options: env/file. cred-file option introduced more dependencies (hadoop) hence has been dropped to keep the client lib minimalistic.