Posted to commits@ranger.apache.org by sp...@apache.org on 2019/08/18 18:48:33 UTC
[ranger] branch master updated: RANGER-2538: Ranger policy import
calls via knox trusted proxy failing
This is an automated email from the ASF dual-hosted git repository.
spolavarapu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 527ab5a RANGER-2538: Ranger policy import calls via knox trusted proxy failing
527ab5a is described below
commit 527ab5a8da9cdb4158b454dbdc382246974dddae
Author: Sailaja Polavarapu <sp...@cloudera.com>
AuthorDate: Sat Aug 17 16:02:26 2019 -0700
RANGER-2538: Ranger policy import calls via knox trusted proxy failing
---
.../security/web/filter/RangerKrbFilter.java | 60 +++++++++++++++++-----
1 file changed, 48 insertions(+), 12 deletions(-)
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
index d73ced1..f2856d3 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
@@ -40,11 +40,14 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
+import java.io.EOFException;
import java.io.IOException;
import java.security.Principal;
import java.text.SimpleDateFormat;
import java.util.*;
+import static com.google.common.io.ByteStreams.skipFully;
+
@InterfaceAudience.Private
@InterfaceStability.Unstable
public class RangerKrbFilter implements Filter {
@@ -429,6 +432,8 @@ public class RangerKrbFilter implements Filter {
HttpServletResponse httpResponse = (HttpServletResponse) response;
boolean isHttps = "https".equals(httpRequest.getScheme());
boolean allowTrustedProxy = PropertiesUtil.getBooleanProperty(ALLOW_TRUSTED_PROXY, false);
+ long contentLength = httpRequest.getContentLength();
+
try {
boolean newToken = false;
AuthenticationToken token;
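Review bot: `httpRequest.getContentLength()` returns an `int` and reports -1 both when the length is unknown and when it exceeds `Integer.MAX_VALUE`, so widening it to `long` here does not tell those two cases apart. If the Servlet API level in use is 3.1 or later, `long contentLength = httpRequest.getContentLengthLong();` keeps the real value. The variable is only read in the trusted-proxy branch further down, so a short comment such as `// used below to decide whether the unauthenticated request body must be drained` would help the reader. The enclosing method starts and ends outside this hunk.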
@@ -442,6 +447,7 @@ public class RangerKrbFilter implements Filter {
authenticationEx = ex;
token = null;
}
+
if (authHandler.managementOperation(token, httpRequest, httpResponse)) {
if (token == null) {
if (LOG.isDebugEnabled()) {
@@ -496,6 +502,9 @@ public class RangerKrbFilter implements Filter {
}
if (unauthorizedResponse) {
if (!httpResponse.isCommitted()) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("create auth cookie");
+ }
createAuthCookie(httpResponse, "", getCookieDomain(),
getCookiePath(), 0, isHttps);
// If response code is 401. Then WWW-Authenticate Header should be
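Review bot: The new debug message `"create auth cookie"` sits in the `unauthorizedResponse` path, where `createAuthCookie` is called with an empty token value and `0`, which looks like clearing the cookie rather than issuing one. Someone reading these logs during an authentication investigation would take the line to mean a session was granted. I would word it as `LOG.debug("clearing auth cookie on unauthorized response");`, after confirming that the `0` argument is the expiry.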
@@ -514,18 +523,45 @@ public class RangerKrbFilter implements Filter {
if(isBrowser(httpRequest.getHeader(RangerCSRFPreventionFilter.HEADER_USER_AGENT)) && !allowTrustedProxy){
((HttpServletResponse)response).setHeader(KerberosAuthenticator.WWW_AUTHENTICATE, "");
filterChain.doFilter(request, response);
- }else{
- boolean chk = true;
- Collection<String> headerNames = httpResponse.getHeaderNames();
- for(String headerName : headerNames){
- String value = httpResponse.getHeader(headerName);
- if("Set-Cookie".equalsIgnoreCase(headerName) && value.startsWith("RANGERADMINSESSIONID")){
- chk = false;
- break;
- }
- }
- String authHeader = httpRequest.getHeader("Authorization");
- if(authHeader == null && chk){
+ }else{
+ if (allowTrustedProxy) {
+ String expectHeader = httpRequest.getHeader("Expect");
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("expect header in request = " + expectHeader);
+ LOG.debug("http response code = " + httpResponse.getStatus());
+ }
+ if (expectHeader != null && expectHeader.startsWith("100")) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("skipping 100 continue!!");
+ }
+ if (contentLength <= 0) {
+ Integer maxContentLen = Integer.MAX_VALUE;
+ contentLength = maxContentLen.longValue();
+ try {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Skipping content length of " + contentLength);
+ }
+ skipFully(request.getInputStream(), contentLength);
+ } catch (EOFException ex) {
+ LOG.info(ex.getMessage());
+ }
+ }
+ }
+ }
+ boolean chk = true;
+ Collection<String> headerNames = httpResponse.getHeaderNames();
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("reponse header names = " + headerNames);
+ }
+ for(String headerName : headerNames){
+ String value = httpResponse.getHeader(headerName);
+ if("Set-Cookie".equalsIgnoreCase(headerName) && value.startsWith("RANGERADMINSESSIONID")){
+ chk = false;
+ break;
+ }
+ }
+ String authHeader = httpRequest.getHeader("Authorization");
+ if(authHeader == null && chk){
filterChain.doFilter(request, response);
}else if(authHeader != null && authHeader.startsWith("Basic")){
filterChain.doFilter(request, response);
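Review bot: The `skipFully(request.getInputStream(), contentLength)` call in the `allowTrustedProxy` branch reads up to `Integer.MAX_VALUE` bytes from a request that has not been authenticated. Any client that sends `Expect: 100-continue` without a usable Content-Length can therefore tie up a worker thread while the server drains an effectively unbounded body. I would cap the drain at a small configurable limit and fail the request beyond it, and narrow the guard to `if (contentLength < 0) {`, since a length of 0 means there is nothing to skip. `EOFException` is the normal outcome here because the stream ends long before 2 GiB, so `LOG.info(ex.getMessage())` fires on every such request and `LOG.debug(ex.getMessage());` fits better. `expectHeader` is client-controlled and is concatenated into the debug log as-is, so CR/LF should be stripped before logging; the enclosing method starts and ends outside this hunk.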