You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by Pradeep Agrawal <pr...@gmail.com> on 2019/05/13 13:25:56 UTC
Review Request 70632: RANGER-2423: Ranger KnoxSSO authentication in
Ranger HA environment
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70632/
-----------------------------------------------------------
Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
Bugs: RANGER-2423
https://issues.apache.org/jira/browse/RANGER-2423
Repository: ranger
Description
-------
**Problem Description: ** If Ranger LB is non ssl and KnoxSSO is enabled then for the Knox request originURL is the LB URL. However
If Ranger LB is ssl and KnoxSSO is enabled then for the Knox request originURL changes to either of Ranger host. It is expected that behaviour of originURL should not change irrespective of ranger ssl/non ssl mode.
Currently if Ranger LB is SSL enabled then sending X-Forwarded-Proto and X-Forwarded-SSL header doesn't work. if these headers are not sent from LB then forward URL becomes the actual ranger-admin URL than LB URL.
**Proposed Solution:** If LB is SSL then proposed patch shall accept the X-Forwarded-Proto and X-Forwarded-SSL headers and will ensure the origin URL is LB URL.
Diffs
-----
security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java 8a6c39b8f
Diff: https://reviews.apache.org/r/70632/diff/1/
Testing
-------
Scenario tested when LB is simple and SSL enabled.
1.Tested Ranger HA with knoxproxy
2.Tested Ranger HA with Knoxsso
3.Tested Ranger HA with knoxproxy and knoxSSO
4.Tested Ranger HA with Knoxsso through curl(using hadoop-jwt token)
Thanks,
Pradeep Agrawal
Re: Review Request 70632: RANGER-2423: Ranger KnoxSSO authentication
in Ranger HA environment
Posted by Velmurugan Periasamy <vp...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70632/#review215221
-----------------------------------------------------------
Ship it!
Ship It!
- Velmurugan Periasamy
On May 13, 2019, 1:25 p.m., Pradeep Agrawal wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70632/
> -----------------------------------------------------------
>
> (Updated May 13, 2019, 1:25 p.m.)
>
>
> Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2423
> https://issues.apache.org/jira/browse/RANGER-2423
>
>
> Repository: ranger
>
>
> Description
> -------
>
> **Problem Description: ** If Ranger LB is non ssl and KnoxSSO is enabled then for the Knox request originURL is the LB URL. However
> If Ranger LB is ssl and KnoxSSO is enabled then for the Knox request originURL changes to either of Ranger host. It is expected that behaviour of originURL should not change irrespective of ranger ssl/non ssl mode.
>
> Currently if Ranger LB is SSL enabled then sending X-Forwarded-Proto and X-Forwarded-SSL header doesn't work. if these headers are not sent from LB then forward URL becomes the actual ranger-admin URL than LB URL.
>
> **Proposed Solution:** If LB is SSL then proposed patch shall accept the X-Forwarded-Proto and X-Forwarded-SSL headers and will ensure the origin URL is LB URL.
>
>
> Diffs
> -----
>
> security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java 8a6c39b8f
>
>
> Diff: https://reviews.apache.org/r/70632/diff/1/
>
>
> Testing
> -------
>
> Scenario tested when LB is simple and SSL enabled.
> 1.Tested Ranger HA with knoxproxy
> 2.Tested Ranger HA with Knoxsso
> 3.Tested Ranger HA with knoxproxy and knoxSSO
> 4.Tested Ranger HA with Knoxsso through curl(using hadoop-jwt token)
>
>
> Thanks,
>
> Pradeep Agrawal
>
>
Re: Review Request 70632: RANGER-2423: Ranger KnoxSSO authentication
in Ranger HA environment
Posted by Ramesh Mani <rm...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70632/#review215215
-----------------------------------------------------------
Ship it!
Ship It!
- Ramesh Mani
On May 13, 2019, 1:25 p.m., Pradeep Agrawal wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70632/
> -----------------------------------------------------------
>
> (Updated May 13, 2019, 1:25 p.m.)
>
>
> Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2423
> https://issues.apache.org/jira/browse/RANGER-2423
>
>
> Repository: ranger
>
>
> Description
> -------
>
> **Problem Description: ** If Ranger LB is non ssl and KnoxSSO is enabled then for the Knox request originURL is the LB URL. However
> If Ranger LB is ssl and KnoxSSO is enabled then for the Knox request originURL changes to either of Ranger host. It is expected that behaviour of originURL should not change irrespective of ranger ssl/non ssl mode.
>
> Currently if Ranger LB is SSL enabled then sending X-Forwarded-Proto and X-Forwarded-SSL header doesn't work. if these headers are not sent from LB then forward URL becomes the actual ranger-admin URL than LB URL.
>
> **Proposed Solution:** If LB is SSL then proposed patch shall accept the X-Forwarded-Proto and X-Forwarded-SSL headers and will ensure the origin URL is LB URL.
>
>
> Diffs
> -----
>
> security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java 8a6c39b8f
>
>
> Diff: https://reviews.apache.org/r/70632/diff/1/
>
>
> Testing
> -------
>
> Scenario tested when LB is simple and SSL enabled.
> 1.Tested Ranger HA with knoxproxy
> 2.Tested Ranger HA with Knoxsso
> 3.Tested Ranger HA with knoxproxy and knoxSSO
> 4.Tested Ranger HA with Knoxsso through curl(using hadoop-jwt token)
>
>
> Thanks,
>
> Pradeep Agrawal
>
>