Posted to commits@ranger.apache.org by sp...@apache.org on 2019/08/18 18:48:33 UTC

[ranger] branch master updated: RANGER-2538: Ranger policy import calls via knox trusted proxy failing

This is an automated email from the ASF dual-hosted git repository.

spolavarapu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 527ab5a  RANGER-2538: Ranger policy import calls via knox trusted proxy failing
527ab5a is described below

commit 527ab5a8da9cdb4158b454dbdc382246974dddae
Author: Sailaja Polavarapu <sp...@cloudera.com>
AuthorDate: Sat Aug 17 16:02:26 2019 -0700

    RANGER-2538: Ranger policy import calls via knox trusted proxy failing
---
 .../security/web/filter/RangerKrbFilter.java       | 60 +++++++++++++++++-----
 1 file changed, 48 insertions(+), 12 deletions(-)

diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
index d73ced1..f2856d3 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
@@ -40,11 +40,14 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletRequestWrapper;
 import javax.servlet.http.HttpServletResponse;
 
+import java.io.EOFException;
 import java.io.IOException;
 import java.security.Principal;
 import java.text.SimpleDateFormat;
 import java.util.*;
 
+import static com.google.common.io.ByteStreams.skipFully;
+
 @InterfaceAudience.Private
 @InterfaceStability.Unstable
 public class RangerKrbFilter implements Filter {
@@ -429,6 +432,8 @@ public class RangerKrbFilter implements Filter {
     HttpServletResponse httpResponse = (HttpServletResponse) response;
     boolean isHttps = "https".equals(httpRequest.getScheme());
     boolean allowTrustedProxy = PropertiesUtil.getBooleanProperty(ALLOW_TRUSTED_PROXY, false);
+    long contentLength = httpRequest.getContentLength();
+
     try {
       boolean newToken = false;
       AuthenticationToken token;
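Review bot: `httpRequest.getContentLength()` returns an `int` and reports -1 when the length is unknown, so storing it in a `long` adds no range, and that -1 case is what later selects the body-draining path in the last hunk. A comment at the declaration would make this visible, for example `// -1 when the client sent no Content-Length (e.g. chunked); read only by the trusted-proxy Expect handling below`. If the servlet API level in use provides `getContentLengthLong()`, that is the matching call for a `long`. The enclosing method starts and ends outside this hunk.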
@@ -442,6 +447,7 @@ public class RangerKrbFilter implements Filter {
         authenticationEx = ex;
         token = null;
       }
+
       if (authHandler.managementOperation(token, httpRequest, httpResponse)) {
         if (token == null) {
           if (LOG.isDebugEnabled()) {
@@ -496,6 +502,9 @@ public class RangerKrbFilter implements Filter {
     }
     if (unauthorizedResponse) {
       if (!httpResponse.isCommitted()) {
+        if (LOG.isDebugEnabled()) {
+          LOG.debug("create auth cookie");
+        }
         createAuthCookie(httpResponse, "", getCookieDomain(),
                 getCookiePath(), 0, isHttps);
         // If response code is 401. Then WWW-Authenticate Header should be
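Review bot: The new debug message `create auth cookie` reads as if a session is being issued, but the call it precedes passes an empty value and `0` to `createAuthCookie`, which looks like the cookie being reset on the unauthorized path. Wording such as `LOG.debug("resetting auth cookie on unauthorized response");` would keep the debug trail accurate for anyone reconstructing a failed login from the logs. The enclosing block continues outside the hunk.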
@@ -514,18 +523,45 @@ public class RangerKrbFilter implements Filter {
             if(isBrowser(httpRequest.getHeader(RangerCSRFPreventionFilter.HEADER_USER_AGENT)) && !allowTrustedProxy){
         	  ((HttpServletResponse)response).setHeader(KerberosAuthenticator.WWW_AUTHENTICATE, "");
                 filterChain.doFilter(request, response);
-        	}else{
-                boolean chk = true;
-	            Collection<String> headerNames = httpResponse.getHeaderNames();
-	            for(String headerName : headerNames){
-	                String value = httpResponse.getHeader(headerName);
-	                if("Set-Cookie".equalsIgnoreCase(headerName) && value.startsWith("RANGERADMINSESSIONID")){
-	                    chk = false;
-	                    break;
-	                }
-	            }
-	            String authHeader = httpRequest.getHeader("Authorization");
-	            if(authHeader == null && chk){
+            }else{
+              if (allowTrustedProxy) {
+                String expectHeader = httpRequest.getHeader("Expect");
+                if (LOG.isDebugEnabled()) {
+                  LOG.debug("expect header in request = " + expectHeader);
+                  LOG.debug("http response code = " + httpResponse.getStatus());
+                }
+                if (expectHeader != null && expectHeader.startsWith("100")) {
+                  if (LOG.isDebugEnabled()) {
+                    LOG.debug("skipping 100 continue!!");
+                  }
+                  if (contentLength <= 0) {
+                    Integer maxContentLen = Integer.MAX_VALUE;
+                    contentLength = maxContentLen.longValue();
+                    try {
+                      if (LOG.isDebugEnabled()) {
+                        LOG.debug("Skipping content length of " + contentLength);
+                      }
+                      skipFully(request.getInputStream(), contentLength);
+                    } catch (EOFException ex) {
+                      LOG.info(ex.getMessage());
+                    }
+                  }
+                }
+              }
+              boolean chk = true;
+              Collection<String> headerNames = httpResponse.getHeaderNames();
+              if (LOG.isDebugEnabled()) {
+                LOG.debug("reponse header names = " + headerNames);
+              }
+              for(String headerName : headerNames){
+                String value = httpResponse.getHeader(headerName);
+                if("Set-Cookie".equalsIgnoreCase(headerName) && value.startsWith("RANGERADMINSESSIONID")){
+                  chk = false;
+                  break;
+                }
+              }
+              String authHeader = httpRequest.getHeader("Authorization");
+              if(authHeader == null && chk){
 	            	filterChain.doFilter(request, response);
 	            }else if(authHeader != null && authHeader.startsWith("Basic")){
 	                filterChain.doFilter(request, response);
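Review bot: The drain added under `if (contentLength <= 0)` reads and discards up to `Integer.MAX_VALUE` bytes via `skipFully` for any request whose `Expect` header starts with `100` when `allowTrustedProxy` is on, and this branch appears to sit in the unauthorized-response handling from the previous hunk, so the read happens before the caller has authenticated and holds a request thread for as long as the sender keeps streaming. `skipFully` throws `EOFException` whenever the body is shorter than the requested count, so the exception is the normal exit here, yet it is logged at INFO with `ex.getMessage()` on every such request. I would drain with a small configured cap and treat end of stream as the ordinary end, as sketched below; `MAX_DRAIN_BYTES` is a placeholder for a limit the project would define. It is also worth confirming that the `filterChain.doFilter(request, response)` calls that follow are meant to see an already-consumed body, and documenting why requests with a positive Content-Length are not drained. The `else` block continues outside the hunk.

```java
if (expectHeader != null && expectHeader.startsWith("100")) {
  // … unchanged: debug logging …
  if (contentLength <= 0) {
    // Bounded drain of a not-yet-authenticated body; reaching end of stream is the expected exit.
    long remaining = MAX_DRAIN_BYTES; // placeholder: small, configurable cap
    InputStream body = request.getInputStream();
    byte[] scratch = new byte[8192];
    while (remaining > 0) {
      int n = body.read(scratch, 0, (int) Math.min(scratch.length, remaining));
      if (n < 0) {
        break;
      }
      remaining -= n;
    }
    if (remaining == 0 && LOG.isDebugEnabled()) {
      LOG.debug("stopped draining request body at configured cap");
    }
  }
}
```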