RANGER-4563: Exclude transitive Jetty libraries from Ranger Maven modules

agents-audit/dest-solr/pom.xml

@@ -114,6 +114,12 @@
             <groupId>org.eclipse.jetty</groupId>
             <artifactId>jetty-client</artifactId>
             <version>${jetty-client.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>*</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>

agents-common/pom.xml

@@ -55,6 +55,10 @@
                     <groupId>jakarta.activation</groupId>
                     <artifactId>jakarta.activation-api</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.eclipse.jetty</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
         <dependency>
@@ -105,6 +109,10 @@
                     <groupId>com.sun.jersey.contribs</groupId>
                     <artifactId>*</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.eclipse.jetty</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
         <dependency>
@@ -120,6 +128,10 @@
                     <groupId>com.sun.jersey.contribs</groupId>
                     <artifactId>*</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.eclipse.jetty</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
         <dependency>
@@ -161,6 +173,10 @@
                     <groupId>org.apache.logging.log4j</groupId>
                     <artifactId>*</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.eclipse.jetty</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
                 <exclusion>
                     <groupId>org.slf4j</groupId>
                     <artifactId>*</artifactId>

agents-cred/pom.xml

@@ -60,16 +60,34 @@
             <groupId>org.apache.hadoop</groupId>
             <artifactId>hadoop-auth</artifactId>
             <version>${hadoop.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.eclipse.jetty</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.apache.hadoop</groupId>
             <artifactId>hadoop-client-api</artifactId>
             <version>${hadoop.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.eclipse.jetty</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.apache.hadoop</groupId>
             <artifactId>hadoop-client-runtime</artifactId>
             <version>${hadoop.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.eclipse.jetty</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>

audit-server/audit-dispatcher/dispatcher-common/pom.xml

@@ -71,6 +71,10 @@
                     <groupId>log4j</groupId>
                     <artifactId>*</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.eclipse.jetty</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
                 <exclusion>
                     <groupId>org.slf4j</groupId>
                     <artifactId>*</artifactId>

audit-server/audit-dispatcher/dispatcher-hdfs/pom.xml

@@ -97,6 +97,10 @@
                     <groupId>org.apache.hadoop</groupId>
                     <artifactId>hadoop-client-api</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.eclipse.jetty</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
 
@@ -126,6 +130,10 @@
                     <groupId>org.apache.hadoop</groupId>
                     <artifactId>hadoop-client-api</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.eclipse.jetty</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
                 <exclusion>
                     <groupId>org.slf4j</groupId>
                     <artifactId>*</artifactId>

audit-server/audit-ingestor/pom.xml

@@ -163,6 +163,10 @@
                     <groupId>org.codehaus.jackson</groupId>
                     <artifactId>*</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.eclipse.jetty</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
                 <exclusion>
                     <groupId>org.slf4j</groupId>
                     <artifactId>*</artifactId>

audit-server/pom.xml

@@ -115,12 +115,24 @@
                 <groupId>org.apache.hadoop</groupId>
                 <artifactId>hadoop-azure</artifactId>
                 <version>${hadoop.version}</version>
+                <exclusions>
+                    <exclusion>
+                        <groupId>org.eclipse.jetty</groupId>
+                        <artifactId>*</artifactId>
+                    </exclusion>
+                </exclusions>
             </dependency>
 
             <dependency>
                 <groupId>org.apache.hadoop</groupId>
                 <artifactId>hadoop-common</artifactId>
                 <version>${hadoop.version}</version>
+                <exclusions>
+                    <exclusion>
+                        <groupId>org.eclipse.jetty</groupId>
+                        <artifactId>*</artifactId>
+                    </exclusion>
+                </exclusions>
             </dependency>
             <dependency>
                 <groupId>org.apache.hadoop</groupId>

credentialbuilder/pom.xml

@@ -105,6 +105,10 @@
                     <groupId>org.apache.zookeeper</groupId>
                     <artifactId>zookeeper</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.eclipse.jetty</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
                 <exclusion>
                     <groupId>org.slf4j</groupId>
                     <artifactId>*</artifactId>

dev-support/ranger-docker/scripts/hadoop/ranger-hadoop-setup.sh

@@ -66,6 +66,14 @@ else
     echo "WARNING: Tez directory not found at /opt/tez"
 fi
 
+# Audit spool dirs (Solr/HDFS/audit-server destinations)
+mkdir -p /var/log/hadoop/hdfs/audit/solr/spool \
+         /var/log/hadoop/hdfs/audit/hdfs/spool \
+         /var/log/hadoop/hdfs/audit/audit-ingestor/spool \
+         /var/log/hadoop/hdfs/audit/archive
+chown -R hdfs:hadoop /var/log/hadoop/hdfs/audit
+chmod -R 775 /var/log/hadoop/hdfs/audit
+
 cd ${RANGER_HOME}/ranger-hdfs-plugin
 ./enable-hdfs-plugin.sh
 

dev-support/ranger-docker/scripts/hadoop/ranger-hdfs-plugin-install.properties

@@ -20,11 +20,11 @@ COMPONENT_INSTALL_DIR_NAME=/opt/hadoop
 CUSTOM_USER=hdfs
 CUSTOM_GROUP=hadoop
 
-XAAUDIT.AUDITSERVER.ENABLE=true
+XAAUDIT.AUDITSERVER.ENABLE=false
 XAAUDIT.AUDITSERVER.URL=http://ranger-audit-ingestor.rangernw:7081
 XAAUDIT.AUDITSERVER.FILE_SPOOL_DIR=/var/log/hadoop/hdfs/audit/audit-ingestor/spool
 
-XAAUDIT.SOLR.IS_ENABLED=false
+XAAUDIT.SOLR.IS_ENABLED=true
 XAAUDIT.SOLR.MAX_QUEUE_SIZE=1
 XAAUDIT.SOLR.MAX_FLUSH_INTERVAL_MS=1000
 XAAUDIT.SOLR.SOLR_URL=http://ranger-solr.rangernw:8983/solr/ranger_audits
@@ -43,7 +43,7 @@ XAAUDIT.HDFS.LOCAL_BUFFER_FLUSH_INTERVAL_SECONDS=60
 XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS=600
 XAAUDIT.HDFS.LOCAL_ARCHIVE_MAX_FILE_COUNT=10
 
-XAAUDIT.SOLR.ENABLE=false
+XAAUDIT.SOLR.ENABLE=true
 XAAUDIT.SOLR.URL=http://ranger-solr.rangernw:8983/solr/ranger_audits
 XAAUDIT.SOLR.USER=NONE
 XAAUDIT.SOLR.PASSWORD=NONE

dev-support/ranger-docker/scripts/hadoop/test-hdfs-audit-to-solr.sh

@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+# Verify HDFS plugin writes authorization audits to Solr ranger_audits core
+set -euo pipefail
+
+SOLR_HOST="${SOLR_HOST:-ranger-solr.rangernw}"
+SOLR_BASE="http://${SOLR_HOST}:8983"
+REPO="${REPO:-dev_hdfs}"
+HADOOP_HOST="${HADOOP_HOST:-ranger-hadoop.rangernw}"
+
+pass() { echo "PASS: $*"; }
+fail() { echo "FAIL: $*"; exit 1; }
+
+echo "=== 1. Hadoop + HDFS plugin healthy ==="
+docker exec ranger-hadoop bash -c 'ps aux | grep org.apache.hadoop.hdfs.server.namenode.NameNode | grep -v grep' | grep -q NameNode || fail "NameNode not running"
+docker exec ranger-hadoop grep -A1 'xasecure.audit.destination.solr</name>' /opt/hadoop/etc/hadoop/ranger-hdfs-audit.xml | grep -q '<value>true</value>' || fail "Solr audit not enabled in ranger-hdfs-audit.xml"
+docker exec ranger-hadoop test -d /var/log/hadoop/hdfs/audit/solr/spool || fail "Solr audit spool dir missing"
+pass "HDFS stack up (Solr audit enabled, spool dir present)"
+
+echo "=== 2. Solr ranger_audits core reachable ==="
+docker exec ranger-solr bash -c "
+  export KRB5CCNAME=FILE:/tmp/cc_h
+  kdestroy -q 2>/dev/null || true
+  kinit -kt /etc/keytabs/HTTP.keytab HTTP/${SOLR_HOST}@EXAMPLE.COM
+  curl -sf --negotiate -u : '${SOLR_BASE}/solr/ranger_audits/select?q=repo:${REPO}&rows=0&wt=json' >/dev/null
+" || fail "Cannot query ranger_audits"
+pass "Solr audit core reachable"
+
+echo "=== 3. Baseline audit count (repo=${REPO}) ==="
+before=$(docker exec ranger-solr bash -c "
+  export KRB5CCNAME=FILE:/tmp/cc_h
+  kinit -kt /etc/keytabs/HTTP.keytab HTTP/${SOLR_HOST}@EXAMPLE.COM
+  curl -s --negotiate -u : '${SOLR_BASE}/solr/ranger_audits/select?q=repo:${REPO}&rows=0&wt=json'
+" | grep -o '"numFound":[0-9]*' | head -1 | grep -o '[0-9]*')
+echo "Before: ${before}"
+
+echo "=== 4. HDFS access (testuser1) to generate audit ==="
+docker exec ranger-hadoop bash -c "
+  export KRB5CCNAME=FILE:/tmp/cc_u
+  kdestroy -q 2>/dev/null || true
+  kinit -kt /etc/keytabs/testuser1.keytab testuser1/${HADOOP_HOST}@EXAMPLE.COM
+  klist
+  /opt/hadoop/bin/hdfs dfs -ls /
+  /opt/hadoop/bin/hdfs dfs -ls /tmp
+  /opt/hadoop/bin/hdfs dfs -stat '%n' /user/testuser1 2>/dev/null || /opt/hadoop/bin/hdfs dfs -ls /user
+"
+
+echo "Waiting 25s for Solr audit flush..."
+sleep 25
+
+after=$(docker exec ranger-solr bash -c "
+  export KRB5CCNAME=FILE:/tmp/cc_h
+  kinit -kt /etc/keytabs/HTTP.keytab HTTP/${SOLR_HOST}@EXAMPLE.COM
+  curl -s --negotiate -u : '${SOLR_BASE}/solr/ranger_audits/select?q=repo:${REPO}&rows=0&wt=json'
+" | grep -o '"numFound":[0-9]*' | head -1 | grep -o '[0-9]*')
+echo "After: ${after}"
+
+[ "${after}" -gt "${before}" ] || fail "HDFS audit count did not increase (${before} -> ${after})"
+pass "HDFS audit write to Solr (${before} -> ${after})"
+
+echo ""
+echo "=== ALL HDFS->SOLR AUDIT CHECKS PASSED ==="

dev-support/ranger-docker/scripts/hbase/ranger-hbase-plugin-install.properties

@@ -20,14 +20,14 @@ COMPONENT_INSTALL_DIR_NAME=/opt/hbase
 CUSTOM_USER=hbase
 CUSTOM_GROUP=hadoop
 
-XAAUDIT.AUDITSERVER.ENABLE=true
+XAAUDIT.AUDITSERVER.ENABLE=false
 XAAUDIT.AUDITSERVER.URL=http://ranger-audit-ingestor.rangernw:7081
 XAAUDIT.AUDITSERVER.FILE_SPOOL_DIR=/var/log/hadoop/hbase/audit/audit-ingestor/spool
 
 XAAUDIT.SUMMARY.ENABLE=true
 UPDATE_XAPOLICIES_ON_GRANT_REVOKE=true
 
-XAAUDIT.SOLR.IS_ENABLED=false
+XAAUDIT.SOLR.IS_ENABLED=true
 XAAUDIT.SOLR.MAX_QUEUE_SIZE=1
 XAAUDIT.SOLR.MAX_FLUSH_INTERVAL_MS=1000
 XAAUDIT.SOLR.SOLR_URL=http://ranger-solr.rangernw:8983/solr/ranger_audits
@@ -46,7 +46,7 @@ XAAUDIT.HDFS.LOCAL_BUFFER_FLUSH_INTERVAL_SECONDS=60
 XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS=600
 XAAUDIT.HDFS.LOCAL_ARCHIVE_MAX_FILE_COUNT=10
 
-XAAUDIT.SOLR.ENABLE=false
+XAAUDIT.SOLR.ENABLE=true
 XAAUDIT.SOLR.URL=http://ranger-solr.rangernw:8983/solr/ranger_audits
 XAAUDIT.SOLR.USER=NONE
 XAAUDIT.SOLR.PASSWORD=NONE

dev-support/ranger-docker/scripts/hbase/ranger-hbase-setup.sh

@@ -32,7 +32,9 @@ fi
 
 cp ${RANGER_SCRIPTS}/hbase-site.xml /opt/hbase/conf/hbase-site.xml
 cp ${RANGER_SCRIPTS}/core-site.xml  /opt/hbase/conf/core-site.xml
-chown -R hbase:hadoop /opt/hbase/
+mkdir -p /var/log/hadoop/hbase/audit/solr/spool \
+         /var/log/hadoop/hbase/audit/audit-ingestor/spool
+chown -R hbase:hadoop /opt/hbase/ /var/log/hadoop/hbase
 
 cd ${RANGER_HOME}/ranger-hbase-plugin
 ./enable-hbase-plugin.sh

dev-support/ranger-docker/scripts/hbase/test-hbase-audit-to-solr.sh

@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+# Verify HBase plugin writes authorization audits to Solr ranger_audits core
+set -euo pipefail
+
+SOLR_HOST="${SOLR_HOST:-ranger-solr.rangernw}"
+SOLR_BASE="http://${SOLR_HOST}:8983"
+REPO="${REPO:-dev_hbase}"
+HBASE_HOST="${HBASE_HOST:-ranger-hbase.rangernw}"
+
+pass() { echo "PASS: $*"; }
+fail() { echo "FAIL: $*"; exit 1; }
+
+echo "=== 1. HBase + plugin healthy ==="
+docker exec ranger-hbase bash -c 'ps aux | grep org.apache.hadoop.hbase.master.HMaster | grep -v grep' | grep -q HMaster || fail "HMaster not running"
+docker exec ranger-hbase grep -A1 'xasecure.audit.destination.solr</name>' /opt/hbase/conf/ranger-hbase-audit.xml | grep -q '<value>true</value>' || fail "Solr audit not enabled in ranger-hbase-audit.xml"
+docker exec ranger-hbase test -d /var/log/hadoop/hbase/audit/solr/spool || fail "Solr audit spool dir missing"
+pass "HBase stack up (Solr audit enabled, spool dir present)"
+
+echo "=== 2. Solr ranger_audits core reachable ==="
+docker exec ranger-solr bash -c "
+  export KRB5CCNAME=FILE:/tmp/cc_h
+  kdestroy -q 2>/dev/null || true
+  kinit -kt /etc/keytabs/HTTP.keytab HTTP/${SOLR_HOST}@EXAMPLE.COM
+  curl -sf --negotiate -u : '${SOLR_BASE}/solr/ranger_audits/select?q=repo:${REPO}&rows=0&wt=json' >/dev/null
+" || fail "Cannot query ranger_audits"
+pass "Solr audit core reachable"
+
+echo "=== 3. Baseline audit count (repo=${REPO}) ==="
+before=$(docker exec ranger-solr bash -c "
+  export KRB5CCNAME=FILE:/tmp/cc_h
+  kinit -kt /etc/keytabs/HTTP.keytab HTTP/${SOLR_HOST}@EXAMPLE.COM
+  curl -s --negotiate -u : '${SOLR_BASE}/solr/ranger_audits/select?q=repo:${REPO}&rows=0&wt=json'
+" | grep -o '"numFound":[0-9]*' | head -1 | grep -o '[0-9]*')
+echo "Before: ${before}"
+
+echo "=== 4. HBase access (testuser1) to generate audit ==="
+set +e
+docker exec ranger-hbase bash -c "
+  export KRB5CCNAME=FILE:/tmp/cc_u
+  kdestroy -q 2>/dev/null || true
+  kinit -kt /etc/keytabs/testuser1.keytab testuser1/${HBASE_HOST}@EXAMPLE.COM
+  klist
+  TABLE=test_ranger_audit_\$(date +%s)
+  echo \"create '\${TABLE}', 'cf'\" | /opt/hbase/bin/hbase shell -n 2>&1 || true
+  echo 'list' | /opt/hbase/bin/hbase shell -n 2>&1 || true
+"
+set -e
+
+echo "Waiting 30s for Solr audit flush..."
+sleep 30
+
+after=$(docker exec ranger-solr bash -c "
+  export KRB5CCNAME=FILE:/tmp/cc_h
+  kinit -kt /etc/keytabs/HTTP.keytab HTTP/${SOLR_HOST}@EXAMPLE.COM
+  curl -s --negotiate -u : '${SOLR_BASE}/solr/ranger_audits/select?q=repo:${REPO}&rows=0&wt=json'
+" | grep -o '"numFound":[0-9]*' | head -1 | grep -o '[0-9]*')
+echo "After: ${after}"
+
+[ "${after}" -gt "${before}" ] || fail "HBase audit count did not increase (${before} -> ${after})"
+pass "HBase audit write to Solr (${before} -> ${after})"
+
+echo ""
+echo "=== ALL HBASE->SOLR AUDIT CHECKS PASSED ==="

dev-support/ranger-docker/scripts/hive/ranger-hive-plugin-install.properties

@@ -21,11 +21,11 @@ UPDATE_XAPOLICIES_ON_GRANT_REVOKE=true
 CUSTOM_USER=hive
 CUSTOM_GROUP=hadoop
 
-XAAUDIT.AUDITSERVER.ENABLE=true
+XAAUDIT.AUDITSERVER.ENABLE=false
 XAAUDIT.AUDITSERVER.URL=http://ranger-audit-ingestor.rangernw:7081
 XAAUDIT.AUDITSERVER.FILE_SPOOL_DIR=/var/log/hive/audit/audit-ingestor/spool
 
-XAAUDIT.SOLR.IS_ENABLED=false
+XAAUDIT.SOLR.IS_ENABLED=true
 XAAUDIT.SOLR.MAX_QUEUE_SIZE=1
 XAAUDIT.SOLR.MAX_FLUSH_INTERVAL_MS=1000
 XAAUDIT.SOLR.SOLR_URL=http://ranger-solr.rangernw:8983/solr/ranger_audits
@@ -44,7 +44,7 @@ XAAUDIT.HDFS.LOCAL_BUFFER_FLUSH_INTERVAL_SECONDS=60
 XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS=600
 XAAUDIT.HDFS.LOCAL_ARCHIVE_MAX_FILE_COUNT=10
 
-XAAUDIT.SOLR.ENABLE=false
+XAAUDIT.SOLR.ENABLE=true
 XAAUDIT.SOLR.URL=http://ranger-solr.rangernw:8983/solr/ranger_audits
 XAAUDIT.SOLR.USER=NONE
 XAAUDIT.SOLR.PASSWORD=NONE