You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by Pradeep Agrawal <pr...@gmail.com> on 2019/05/13 13:25:56 UTC

Review Request 70632: RANGER-2423: Ranger KnoxSSO authentication in Ranger HA environment

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70632/
-----------------------------------------------------------

Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.


Bugs: RANGER-2423
    https://issues.apache.org/jira/browse/RANGER-2423


Repository: ranger


Description
-------

**Problem Description: ** If Ranger LB is non ssl and KnoxSSO is enabled then for the Knox request originURL is the LB URL. However
If Ranger LB is ssl and KnoxSSO is enabled then for the Knox request originURL changes to either of Ranger host. It is expected that behaviour of originURL should not change irrespective of ranger ssl/non ssl mode.

Currently if Ranger LB is SSL enabled then sending X-Forwarded-Proto and X-Forwarded-SSL header doesn't work. if these headers are not sent from LB then forward URL becomes the actual ranger-admin URL than LB URL. 

**Proposed Solution:** If LB is SSL then proposed patch shall accept the X-Forwarded-Proto and X-Forwarded-SSL headers and will ensure the origin URL is LB URL.


Diffs
-----

  security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java 8a6c39b8f 


Diff: https://reviews.apache.org/r/70632/diff/1/


Testing
-------

Scenario tested when LB is simple and SSL enabled.
1.Tested Ranger HA with knoxproxy 
2.Tested Ranger HA with Knoxsso
3.Tested Ranger HA with knoxproxy and knoxSSO
4.Tested Ranger HA with Knoxsso through curl(using hadoop-jwt token)


Thanks,

Pradeep Agrawal

Re: Review Request 70632: RANGER-2423: Ranger KnoxSSO authentication in Ranger HA environment

Posted by Velmurugan Periasamy <vp...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70632/#review215221
-----------------------------------------------------------


Ship it!




Ship It!

- Velmurugan Periasamy


On May 13, 2019, 1:25 p.m., Pradeep Agrawal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70632/
> -----------------------------------------------------------
> 
> (Updated May 13, 2019, 1:25 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2423
>     https://issues.apache.org/jira/browse/RANGER-2423
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> **Problem Description: ** If Ranger LB is non ssl and KnoxSSO is enabled then for the Knox request originURL is the LB URL. However
> If Ranger LB is ssl and KnoxSSO is enabled then for the Knox request originURL changes to either of Ranger host. It is expected that behaviour of originURL should not change irrespective of ranger ssl/non ssl mode.
> 
> Currently if Ranger LB is SSL enabled then sending X-Forwarded-Proto and X-Forwarded-SSL header doesn't work. if these headers are not sent from LB then forward URL becomes the actual ranger-admin URL than LB URL. 
> 
> **Proposed Solution:** If LB is SSL then proposed patch shall accept the X-Forwarded-Proto and X-Forwarded-SSL headers and will ensure the origin URL is LB URL.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java 8a6c39b8f 
> 
> 
> Diff: https://reviews.apache.org/r/70632/diff/1/
> 
> 
> Testing
> -------
> 
> Scenario tested when LB is simple and SSL enabled.
> 1.Tested Ranger HA with knoxproxy 
> 2.Tested Ranger HA with Knoxsso
> 3.Tested Ranger HA with knoxproxy and knoxSSO
> 4.Tested Ranger HA with Knoxsso through curl(using hadoop-jwt token)
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>

Re: Review Request 70632: RANGER-2423: Ranger KnoxSSO authentication in Ranger HA environment

Posted by Ramesh Mani <rm...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70632/#review215215
-----------------------------------------------------------


Ship it!




Ship It!

- Ramesh Mani


On May 13, 2019, 1:25 p.m., Pradeep Agrawal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70632/
> -----------------------------------------------------------
> 
> (Updated May 13, 2019, 1:25 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2423
>     https://issues.apache.org/jira/browse/RANGER-2423
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> **Problem Description: ** If Ranger LB is non ssl and KnoxSSO is enabled then for the Knox request originURL is the LB URL. However
> If Ranger LB is ssl and KnoxSSO is enabled then for the Knox request originURL changes to either of Ranger host. It is expected that behaviour of originURL should not change irrespective of ranger ssl/non ssl mode.
> 
> Currently if Ranger LB is SSL enabled then sending X-Forwarded-Proto and X-Forwarded-SSL header doesn't work. if these headers are not sent from LB then forward URL becomes the actual ranger-admin URL than LB URL. 
> 
> **Proposed Solution:** If LB is SSL then proposed patch shall accept the X-Forwarded-Proto and X-Forwarded-SSL headers and will ensure the origin URL is LB URL.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java 8a6c39b8f 
> 
> 
> Diff: https://reviews.apache.org/r/70632/diff/1/
> 
> 
> Testing
> -------
> 
> Scenario tested when LB is simple and SSL enabled.
> 1.Tested Ranger HA with knoxproxy 
> 2.Tested Ranger HA with Knoxsso
> 3.Tested Ranger HA with knoxproxy and knoxSSO
> 4.Tested Ranger HA with Knoxsso through curl(using hadoop-jwt token)
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>