Posted to dev@ranger.apache.org by Vipin Rathor <v....@gmail.com> on 2018/12/07 02:39:12 UTC

Review Request 69519: RANGER-2306 : Knox Plugin doesn't pass X-Forwarded-for remote address to Ranger

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69519/
-----------------------------------------------------------

Review request for ranger.


Bugs: RANGER-2306
    https://issues.apache.org/jira/browse/RANGER-2306


Repository: ranger


Description
-------

Please help review. Thanks in advance!


Diffs
-----

  knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java d248785d48ff22de25de1ccbc4caa6f2ca9edbee 
  knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java f84a3e03dd4b8ef5dc581b3810873fdeacc5b718 


Diff: https://reviews.apache.org/r/69519/diff/1/


Testing
-------

Tested with the following cURL command to simulate a load balancer:
curl -ivk --header "X-Forwarded-For:172.26.68.210" -u hr1:BadPass#1 "https://172.25.39.164:8443/gateway/default/webhdfs/v1/?op=LISTSTATUS"

Without this patch, the above request failed with "403 Forbidden" since the correct IP was not passed to the Ranger policy engine. This can be seen in the debug log below:
2018-12-06 20:42:15,049 DEBUG policyengine.RangerPolicyEngineImpl (RangerPolicyEngineImpl.java:preProcess(240)) - ==> RangerPolicyEngineImpl.preProcess(RangerAccessRequestImpl={resource={RangerResourceImpl={ownerUser={null} elements={service=WEBHDFS; topology=default; } }} accessType={allow} user={hr1} userGroups={HDP Ranger Admins hr hadoop-users } accessTime={Thu Dec 06 20:42:15 UTC 2018} clientIPAddress={172.26.68.215} forwardedAddresses={} remoteIPAddress={null} clientType={null} action={allow} requestData={null} sessionId={null} resourceMatchingScope={SELF} clusterName={c1141} context={} })
2018-12-06 20:42:15,049 DEBUG policyengine.RangerAccessRequestImpl (RangerAccessRequestImpl.java:extractAndSetClientIPAddress(232)) - Using X-Forward-For...
2018-12-06 20:42:15,049 DEBUG policyengine.RangerAccessRequestImpl (RangerAccessRequestImpl.java:extractAndSetClientIPAddress(249)) - No X-Forwarded-For addresses in the access-request
2018-12-06 20:42:15,049 DEBUG policyengine.RangerAccessRequestImpl (RangerAccessRequestImpl.java:extractAndSetClientIPAddress(255)) - Old Remote/Client IP Address=172.26.68.215, new IP Address=172.26.68.215


After applying the patch, the above cURL request passes with "200 OK" and with the following debug logs (note the forwardedAddresses value and the old and new IP address values):
2018-12-06 20:48:52,239 DEBUG policyengine.RangerPolicyEngineImpl (RangerPolicyEngineImpl.java:preProcess(240)) - ==> RangerPolicyEngineImpl.preProcess(RangerAccessRequestImpl={resource={RangerResourceImpl={ownerUser={null} elements={service=WEBHDFS; topology=default; } }} accessType={allow} user={hr1} userGroups={HDP Ranger Admins hr hadoop-users } accessTime={Thu Dec 06 20:48:52 UTC 2018} clientIPAddress={172.26.68.215} forwardedAddresses={172.26.68.210 172.26.68.215} remoteIPAddress={172.26.68.215} clientType={null} action={allow} requestData={null} sessionId={null} resourceMatchingScope={SELF} clusterName={c1141} context={} })
2018-12-06 20:48:52,239 DEBUG policyengine.RangerAccessRequestImpl (RangerAccessRequestImpl.java:extractAndSetClientIPAddress(232)) - Using X-Forward-For...
2018-12-06 20:48:52,239 DEBUG policyengine.RangerAccessRequestImpl (RangerAccessRequestImpl.java:extractAndSetClientIPAddress(255)) - Old Remote/Client IP Address=172.26.68.215, new IP Address=172.26.68.210


Thanks,

Vipin Rathor
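
Added example, not part of the original post or of the Ranger code base: since the debug log above shows the policy engine evaluating the first X-Forwarded-For entry instead of the socket peer, this audits such log lines and reports every request whose evaluated address came from the header, and whether the peer that supplied it is a known proxy. The trusted-proxy list, the abridged sample lines and the 172.26.68.77 line are assumptions constructed for the example.

```python
import ipaddress
import re

# Fields as they appear in the RangerPolicyEngineImpl.preProcess debug line.
REQUEST = re.compile(
    r"\buser=\{(?P<user>[^}]*)\}.*?"
    r"clientIPAddress=\{(?P<peer>[^}]*)\}\s+"
    r"forwardedAddresses=\{(?P<xff>[^}]*)\}"
)

# Abridged from the two preProcess lines above, plus one constructed line
# (peer 172.26.68.77) standing in for a client that bypasses the load balancer.
SAMPLE_LOG = [
    "preProcess(... user={hr1} userGroups={hr } clientIPAddress={172.26.68.215} "
    "forwardedAddresses={} remoteIPAddress={null} ...)",
    "preProcess(... user={hr1} userGroups={hr } clientIPAddress={172.26.68.215} "
    "forwardedAddresses={172.26.68.210 172.26.68.215} remoteIPAddress={172.26.68.215} ...)",
    "preProcess(... user={hr1} userGroups={hr } clientIPAddress={172.26.68.77} "
    "forwardedAddresses={172.26.68.210 172.26.68.77} remoteIPAddress={172.26.68.77} ...)",
]


def audit(lines, trusted_proxies):
    """List requests whose evaluated IP came from X-Forwarded-For, not the socket."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    findings = []
    for line in lines:
        m = REQUEST.search(line)
        if not m or not m.group("xff").split():
            continue  # not a request dump, or no forwarded addresses
        evaluated = m.group("xff").split()[0]  # first entry, as in the log above
        try:
            peer = ipaddress.ip_address(m.group("peer"))
        except ValueError:
            continue  # unparseable peer address: skip this line
        if evaluated == str(peer):
            continue  # header agrees with the socket peer
        findings.append({
            "user": m.group("user"),
            "peer": str(peer),
            "evaluated": evaluated,
            "peer_trusted": any(peer in n for n in nets),
        })
    return findings


if __name__ == "__main__":
    # Assumption: 172.26.68.215 is the only host allowed to set the header.
    for finding in audit(SAMPLE_LOG, ["172.26.68.215/32"]):
        print(finding)
```

A finding with peer_trusted set to False means an IP-based policy was evaluated against an address that an unlisted host put in the header.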


Re: Review Request 69519: RANGER-2306 : Knox Plugin doesn't pass X-Forwarded-for remote address to Ranger

Posted by Ramesh Mani <rm...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69519/#review211107
-----------------------------------------------------------


Ship it!

- Ramesh Mani

