Posted to dev@ranger.apache.org by Kirby Zhou <ki...@gmail.com> on 2022/03/07 09:41:46 UTC

Review Request 73892: RANGER-3635: avoid create http session by kerberos

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73892/
-----------------------------------------------------------

Review request for ranger.


Bugs: RANGER-3635
    https://issues.apache.org/jira/browse/RANGER-3635


Repository: ranger


Description
-------

Avoid creating an HTTP session for Kerberos-authenticated requests, to reduce security risk.

Currently, a Kerberos-authenticated request will create an HTTP session with the cookie "RANGERADMINSESSIONID".

As long as we keep visiting Ranger, even if the Kerberos ticket expires, the cookie will never expire.

It is a risk.

BTW: the cookie 'hadoop.auth' is safe; it will expire after a certain time.


Diffs
-----

  security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java 6b002cff994dd431a83ef46f10ee839fb83dafbb 
  security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerCSRFPreventionFilter.java e02813fec0a8eff1611c38c53e3ed09d724b6ddd 
  security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java 2d3308b999c6ab575325777d14e3ab0a6661f2a0 
  security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java abbf2d983beb30b59e5d3f6429d6fc226f735793 
  security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java 9f83daf9aa854f5caaaf8943056bea293a19c290 
  security-admin/src/main/resources/conf.dist/security-applicationContext.xml 7db9c3850e47cab038e1d545c7285b98bfc76fb4 


Diff: https://reviews.apache.org/r/73892/diff/1/


Testing
-------

Test:

Set up a Kerberized Ranger.

At the client side:

#] kinit freeman
#] curl -u: --negotiate -v --resolve kirbytest01.sa:6080:127.0.0.1 http://kirbytest01.sa:6080/service/plugins/secure/policies/download/hdfsdev
< HTTP/1.1 200 OK
< WWW-Authenticate: Negotiate oYHtMIHqoAMKAQChCwYJKoZIhvcSAQIComoEaGBmBgkqhkiG9xIBAgICAG9XMFWgAwIBBaEDAgEPokkwR6ADAgEXokAEPploxXUkppEwoB5N8hYSUIoG5lFwsk7tMuTav64Pgc+2hXcsbyFHBRZ9Lf6Mv5gmzE1p/2UbPoiLt3hgC75xo2oEaGBmBgkqhkiG9xIBAgICAG9XMFWgAwIBBaEDAgEPokkwR6ADAgEXokAEPploxXUkppEwoB5N8hYSUIoG5lFwsk7tMuTav64Pgc+2hXcsbyFHBRZ9Lf6Mv5gmzE1p/2UbPoiLt3hgC75x
< Set-Cookie: hadoop.auth="u=freeman&p=freeman@SA&t=kerberos&e=1646631665337&s=4lFpYsz/aUDS6aVL4V7909qKUMdUPXt7i/hTncSRqxY="; Path=/
……

Check for "Set-Cookie: RANGERADMINSESSIONID" in the response headers. If it is not found, the patch was applied successfully.


Thanks,

Kirby Zhou
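The check described in the Testing section, scripted as an added example that is not part of this review request or of Ranger's own code. It runs offline against constructed response headers (the patched sample reuses the `hadoop.auth` cookie shown above; the unpatched sample adds a placeholder `RANGERADMINSESSIONID` value). It also goes one step beyond the text and reads the `e=` expiry field of the `hadoop.auth` cookie, so the "this cookie does expire" claim can be checked against a clock value. The function and variable names are my own.

```shell
#!/bin/sh
# Added example, not Ranger project code. Verifies the outcome expected in the
# review request's Testing section from captured HTTP response headers.
#
# To capture live headers (same request as in the review, headers only):
#   curl -u: --negotiate -sS -o /dev/null -D headers.txt \
#        --resolve kirbytest01.sa:6080:127.0.0.1 \
#        http://kirbytest01.sa:6080/service/plugins/secure/policies/download/hdfsdev
#   sh check_ranger_session.sh headers.txt

# Constructed sample: patched server. Only hadoop.auth is set (cookie value
# taken from the review request; WWW-Authenticate token shortened).
PATCHED_HEADERS='HTTP/1.1 200 OK
WWW-Authenticate: Negotiate oYHtMIHqoAMKAQChCwYJKoZIhvcSAQIC
Set-Cookie: hadoop.auth="u=freeman&p=freeman@SA&t=kerberos&e=1646631665337&s=4lFpYsz/aUDS6aVL4V7909qKUMdUPXt7i/hTncSRqxY="; Path=/
Content-Type: application/json'

# Constructed sample: unpatched server. A servlet session cookie is issued
# alongside hadoop.auth (session id is a placeholder, not a real value).
UNPATCHED_HEADERS='HTTP/1.1 200 OK
Set-Cookie: RANGERADMINSESSIONID=PLACEHOLDER0123456789; Path=/; HttpOnly
Set-Cookie: hadoop.auth="u=freeman&p=freeman@SA&t=kerberos&e=1646631665337&s=4lFpYsz/aUDS6aVL4V7909qKUMdUPXt7i/hTncSRqxY="; Path=/'

# Returns 0 when no Set-Cookie header carries RANGERADMINSESSIONID
# (the condition the review request calls "success"), 1 otherwise.
session_cookie_absent() {
    printf '%s\n' "$1" | grep -i '^Set-Cookie:' | grep -qi 'RANGERADMINSESSIONID=' && return 1
    return 0
}

# Prints the e= field (expiry, epoch milliseconds) of the hadoop.auth cookie,
# or nothing if the cookie is not present.
hadoop_auth_expiry_ms() {
    printf '%s\n' "$1" | grep -i '^Set-Cookie:' | grep 'hadoop\.auth=' \
        | sed -n 's/.*[&"]e=\([0-9][0-9]*\)&.*/\1/p' | head -n 1
}

# Returns 0 when the hadoop.auth cookie is already expired at epoch-seconds $2,
# 1 when it is still valid or absent. Milliseconds are cut to seconds by
# dropping the last three digits.
hadoop_auth_expired() {
    ms=$(hadoop_auth_expiry_ms "$1")
    [ -n "$ms" ] || return 1
    [ "${ms%???}" -lt "$2" ]
}

# Combined verdict: PASS only if no admin session cookie was set and the
# time-limited hadoop.auth cookie is present.
verify_patch() {
    if session_cookie_absent "$1" && [ -n "$(hadoop_auth_expiry_ms "$1")" ]; then
        echo "PASS: no RANGERADMINSESSIONID cookie; hadoop.auth present (expires at ms $(hadoop_auth_expiry_ms "$1"))"
        return 0
    fi
    echo "FAIL: RANGERADMINSESSIONID cookie issued or hadoop.auth missing"
    return 1
}

# Command-line use: pass a file of captured headers.
if [ "$#" -gt 0 ]; then
    verify_patch "$(cat "$1")"
fi
```

Run it with the headers file from `curl -D`; a non-zero exit means a session cookie was still issued. The expiry check is the reason the author calls `hadoop.auth` safe: its `e=` value is a fixed point in time, whereas a servlet session cookie is renewed on every visit.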