Posted to dev@ranger.apache.org by Kirby Zhou <ki...@gmail.com> on 2022/03/07 09:41:46 UTC
Review Request 73892: RANGER-3635: avoid create http session by kerberos
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73892/
-----------------------------------------------------------
Review request for ranger.
Bugs: RANGER-3635
https://issues.apache.org/jira/browse/RANGER-3635
Repository: ranger
Description
-------
Avoid creating an HTTP session for Kerberos-authenticated requests, to reduce security risk.
Currently, a Kerberos-authenticated request creates an HTTP session with the cookie "RANGERADMINSESSIONID".
As long as we keep visiting Ranger, the cookie never expires, even after the Kerberos ticket has expired.
It is a risk.
BTW: the cookie 'hadoop.auth' is safe; it expires after a certain time.
Diffs
-----
security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java 6b002cff994dd431a83ef46f10ee839fb83dafbb
security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerCSRFPreventionFilter.java e02813fec0a8eff1611c38c53e3ed09d724b6ddd
security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java 2d3308b999c6ab575325777d14e3ab0a6661f2a0
security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java abbf2d983beb30b59e5d3f6429d6fc226f735793
security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java 9f83daf9aa854f5caaaf8943056bea293a19c290
security-admin/src/main/resources/conf.dist/security-applicationContext.xml 7db9c3850e47cab038e1d545c7285b98bfc76fb4
Diff: https://reviews.apache.org/r/73892/diff/1/
Testing
-------
Test:
Set up a Kerberized Ranger.
On the client side:
#] kinit freeman
#] curl -u: --negotiate -v --resolve kirbytest01.sa:6080:127.0.0.1 http://kirbytest01.sa:6080/service/plugins/secure/policies/download/hdfsdev
< HTTP/1.1 200 OK
< WWW-Authenticate: Negotiate oYHtMIHqoAMKAQChCwYJKoZIhvcSAQIComoEaGBmBgkqhkiG9xIBAgICAG9XMFWgAwIBBaEDAgEPokkwR6ADAgEXokAEPploxXUkppEwoB5N8hYSUIoG5lFwsk7tMuTav64Pgc+2hXcsbyFHBRZ9Lf6Mv5gmzE1p/2UbPoiLt3hgC75xo2oEaGBmBgkqhkiG9xIBAgICAG9XMFWgAwIBBaEDAgEPokkwR6ADAgEXokAEPploxXUkppEwoB5N8hYSUIoG5lFwsk7tMuTav64Pgc+2hXcsbyFHBRZ9Lf6Mv5gmzE1p/2UbPoiLt3hgC75x
< Set-Cookie: hadoop.auth="u=freeman&p=freeman@SA&t=kerberos&e=1646631665337&s=4lFpYsz/aUDS6aVL4V7909qKUMdUPXt7i/hTncSRqxY="; Path=/
……
Check for "Set-Cookie: RANGERADMINSESSIONID" in the response headers. If it is not found, the patch was applied successfully.
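As an added example (not part of the review request or the Ranger code base): a small Python check that parses captured `curl -v` output, reports whether RANGERADMINSESSIONID was set, and reads the expiry field out of hadoop.auth. The sample responses and the RANGERADMINSESSIONID cookie value below are constructed.

```python
# Added example, not part of the review request: check captured "curl -v" output
# for the cookies described above. hadoop.auth carries a fixed expiry ("e=" field,
# epoch milliseconds); before the patch the server also set RANGERADMINSESSIONID.
from datetime import datetime, timezone

SESSION_COOKIE = "RANGERADMINSESSIONID"

def response_headers(curl_verbose_output):
    """Yield (name, value) for every response header line ("< Name: value")."""
    for line in curl_verbose_output.splitlines():
        if line.startswith("< ") and ":" in line:
            name, _, value = line[2:].partition(":")
            yield name.strip().lower(), value.strip()

def set_cookies(curl_verbose_output):
    """Map cookie name -> value (quotes and attributes removed) for each Set-Cookie."""
    cookies = {}
    for name, value in response_headers(curl_verbose_output):
        if name == "set-cookie":
            cname, _, cvalue = value.split(";", 1)[0].partition("=")
            cookies[cname.strip()] = cvalue.strip().strip('"')
    return cookies

def hadoop_auth_expiry_ms(cookie_value):
    """hadoop.auth looks like u=..&p=..&t=kerberos&e=<epoch ms>&s=<signature>."""
    fields = dict(part.split("=", 1) for part in cookie_value.split("&"))
    return int(fields["e"])

def check(curl_verbose_output):
    """Report whether a Ranger session cookie was issued and when hadoop.auth expires."""
    cookies = set_cookies(curl_verbose_output)
    result = {"session_cookie_issued": SESSION_COOKIE in cookies,
              "hadoop_auth_expiry_ms": None, "hadoop_auth_expires_at": None}
    if "hadoop.auth" in cookies:
        ms = hadoop_auth_expiry_ms(cookies["hadoop.auth"])
        result["hadoop_auth_expiry_ms"] = ms
        result["hadoop_auth_expires_at"] = datetime.fromtimestamp(ms / 1000, tz=timezone.utc)
    return result

# Constructed sample in the shape of the curl output above (Negotiate token shortened).
SAMPLE_PATCHED = """\
< HTTP/1.1 200 OK
< WWW-Authenticate: Negotiate oYHtMIHq...
< Set-Cookie: hadoop.auth="u=freeman&p=freeman@SA&t=kerberos&e=1646631665337&s=4lFpYsz/aUDS6aVL4V7909qKUMdUPXt7i/hTncSRqxY="; Path=/
"""
# Constructed: what an unpatched server would additionally send (cookie value is a placeholder).
SAMPLE_UNPATCHED = SAMPLE_PATCHED + "< Set-Cookie: RANGERADMINSESSIONID=PLACEHOLDER; Path=/; HttpOnly\n"
```

Run `check()` on the real output of the curl command above; `session_cookie_issued` must be False on a patched server.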
Thanks,
Kirby Zhou