Posted to commits@ranger.apache.org by sp...@apache.org on 2019/10/09 10:26:29 UTC

[ranger] branch master updated: RANGER-2600: Added more Auth Types for login in Ranger audits with review comments

This is an automated email from the ASF dual-hosted git repository.

spolavarapu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new b58257d  RANGER-2600: Added more Auth Types for login in Ranger audits with review comments
b58257d is described below

commit b58257d23a904f5b046b0777a0497ceb7ea093d4
Author: Sailaja Polavarapu <sp...@cloudera.com>
AuthorDate: Wed Oct 9 15:55:53 2019 +0530

    RANGER-2600: Added more Auth Types for login in Ranger audits with review comments
---
 .../org/apache/ranger/entity/XXAuthSession.java    | 17 +++++++++++++-
 .../web/filter/RangerKRBAuthenticationFilter.java  |  1 +
 .../RangerSecurityContextFormationFilter.java      | 23 +++++++++++++++++--
 .../org/apache/ranger/util/RangerEnumUtil.java     | 26 ++++++++++++++++++++++
 .../src/main/webapp/scripts/utils/XAEnums.js       |  5 ++++-
 5 files changed, 68 insertions(+), 4 deletions(-)

diff --git a/security-admin/src/main/java/org/apache/ranger/entity/XXAuthSession.java b/security-admin/src/main/java/org/apache/ranger/entity/XXAuthSession.java
index c277158..079cda5 100644
--- a/security-admin/src/main/java/org/apache/ranger/entity/XXAuthSession.java
+++ b/security-admin/src/main/java/org/apache/ranger/entity/XXAuthSession.java
@@ -112,9 +112,24 @@ public class XXAuthSession extends XXDBBase implements java.io.Serializable {
 	public static final int AUTH_TYPE_PASSWORD = 1;
 
 	/**
+	 * AUTH_TYPE_KERBEROS is an element of enum AuthType. Its value is "AUTH_TYPE_KERBEROS".
+	 */
+	public static final int AUTH_TYPE_KERBEROS = 2;
+
+	/**
+	 * AUTH_TYPE_SSO is an element of enum AuthType. Its value is "AUTH_TYPE_SSO".
+	 */
+	public static final int AUTH_TYPE_SSO = 3;
+
+	/**
+	 * AUTH_TYPE_TRUSTED_PROXY is an element of enum AuthType. Its value is "AUTH_TYPE_TRUSTED_PROXY".
+	 */
+	public static final int AUTH_TYPE_TRUSTED_PROXY = 4;
+
+	/**
 	 * Max value for enum AuthType_MAX
 	 */
-	public static final int AuthType_MAX = 1;
+	public static final int AuthType_MAX = 4;
 
 
 
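Review bot: The Javadoc on the three new constants (`AUTH_TYPE_KERBEROS`, `AUTH_TYPE_SSO`, `AUTH_TYPE_TRUSTED_PROXY`) gives the constant's own name as its "value", while the fields actually hold the integers 2, 3 and 4. The same integers are repeated as literals in the RangerEnumUtil.java and XAEnums.js hunks of this commit, and they are presumably what is stored in login-audit records. The comment should therefore state the number and that it must not be renumbered or reused, e.g. `AUTH_TYPE_TRUSTED_PROXY (4): session opened by a trusted proxy on behalf of a doAs user; stored value, do not renumber.` One line on what each type means would also help audit readers, since `getAuthType` derives both Kerberos and Trusted Proxy from the same `spnegoEnabled` path.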
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
index 5c825d8..b38d9d9 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
@@ -276,6 +276,7 @@ public class RangerKRBAuthenticationFilter extends RangerKrbFilter {
 							authentication = getGrantedAuthority(authentication);
 							SecurityContextHolder.getContext().setAuthentication(authentication);
 							request.setAttribute("spnegoEnabled", true);
+							request.setAttribute("trustedProxyEnabled", true);
 							LOG.info("Logged into Ranger as doAsUser = " + doAsUser + ", by authenticatedUser=" + authToken.getUserName());
 						}
 
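Review bot: The attribute key `"trustedProxyEnabled"` added here is a bare string that has to match the literal read back by `getAuthType` in RangerSecurityContextFormationFilter.java. A typo on either side would silently record a proxied doAs login as plain Kerberos in the audit. I would declare the key once, e.g. `public static final String ATTR_TRUSTED_PROXY_ENABLED = "trustedProxyEnabled";`, and use it in both filters. A short comment at this line would also help, such as `// marks the session as impersonated via a trusted proxy for the login audit`. The enclosing method starts and ends outside this hunk, so whether other branches should also set or clear the attribute cannot be judged from here.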
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
index eb40cfd..99fb21f 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
@@ -120,9 +120,9 @@ public class RangerSecurityContextFormationFilter extends GenericFilterBean {
 				context.setRequestContext(requestContext);
 
 				RangerContextHolder.setSecurityContext(context);
-
+				int authType = getAuthType(httpRequest);
 				UserSessionBase userSession = sessionMgr.processSuccessLogin(
-						XXAuthSession.AUTH_TYPE_PASSWORD, userAgent, httpRequest);
+						authType, userAgent, httpRequest);
 
 				if (userSession != null) {
 
@@ -150,4 +150,23 @@ public class RangerSecurityContextFormationFilter extends GenericFilterBean {
 			RangerContextHolder.resetOpContext();
 		}
 	}
+
+	private int getAuthType(HttpServletRequest request) {
+		int authType;
+		Object ssoEnabledObj = request.getAttribute("ssoEnabled");
+		Boolean ssoEnabled = ssoEnabledObj != null ? Boolean.valueOf(String.valueOf(ssoEnabledObj)) : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false);
+
+		if (ssoEnabled) {
+			authType = XXAuthSession.AUTH_TYPE_SSO;
+		} else if (request.getAttribute("spnegoEnabled") != null && (boolean)request.getAttribute("spnegoEnabled")){
+			if (request.getAttribute("trustedProxyEnabled") != null && (boolean)request.getAttribute("trustedProxyEnabled")) {
+				authType = XXAuthSession.AUTH_TYPE_TRUSTED_PROXY;
+			} else {
+				authType = XXAuthSession.AUTH_TYPE_KERBEROS;
+			}
+		} else {
+			authType = XXAuthSession.AUTH_TYPE_PASSWORD;
+		}
+		return authType;
+	}
 }
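Review bot: In `getAuthType` the fallback to the global `ranger.sso.enabled` property is evaluated before the `spnegoEnabled` attribute. On a deployment with SSO switched on, a request that carries no `ssoEnabled` attribute is therefore audited as `AUTH_TYPE_SSO` even when the Kerberos filter set `spnegoEnabled` and `trustedProxyEnabled`. For an audit field this matters, because Kerberos and impersonated trusted-proxy logins become indistinguishable from SSO ones. I would let the per-request attributes decide first and consult the property only when no filter marked the request; whether that fallback is still needed depends on code outside this diff. Separately, `(boolean)request.getAttribute(...)` throws `ClassCastException` if a filter ever stores the flag as a String, whereas `ssoEnabled` is parsed leniently, so the sketch below reads all three flags the same way and keeps every other outcome unchanged.

```java
private int getAuthType(HttpServletRequest request) {
	Object ssoAttr = request.getAttribute("ssoEnabled");

	// An explicit per-request SSO marker wins, as before.
	if (ssoAttr != null && Boolean.parseBoolean(String.valueOf(ssoAttr))) {
		return XXAuthSession.AUTH_TYPE_SSO;
	}
	if (isFlagSet(request, "spnegoEnabled")) {
		return isFlagSet(request, "trustedProxyEnabled")
				? XXAuthSession.AUTH_TYPE_TRUSTED_PROXY
				: XXAuthSession.AUTH_TYPE_KERBEROS;
	}
	// Configuration is only a last resort when no filter marked the request.
	if (ssoAttr == null && PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false)) {
		return XXAuthSession.AUTH_TYPE_SSO;
	}
	return XXAuthSession.AUTH_TYPE_PASSWORD;
}

// Accepts Boolean or String attribute values; an absent attribute counts as false.
private static boolean isFlagSet(HttpServletRequest request, String name) {
	return Boolean.parseBoolean(String.valueOf(request.getAttribute(name)));
}
```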
diff --git a/security-admin/src/main/java/org/apache/ranger/util/RangerEnumUtil.java b/security-admin/src/main/java/org/apache/ranger/util/RangerEnumUtil.java
index 059b75a..8d97d85 100644
--- a/security-admin/src/main/java/org/apache/ranger/util/RangerEnumUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/util/RangerEnumUtil.java
@@ -1962,6 +1962,32 @@ public class RangerEnumUtil {
 
 	vEnum.getElementList().add(vElement);
 
+	vElement = new VEnumElement();
+	vElement.setElementName("AUTH_TYPE_KERBEROS");
+	vElement.setElementValue(2);
+	vElement.setElementLabel("Kerberos");
+	vElement.setRbKey("xa.enum.AuthType.AUTH_TYPE_KERBEROS");
+	vElement.setEnumName(vEnum.getEnumName());
+
+	vEnum.getElementList().add(vElement);
+
+	vElement = new VEnumElement();
+	vElement.setElementName("AUTH_TYPE_SSO");
+	vElement.setElementValue(3);
+	vElement.setElementLabel("SingleSignOn");
+	vElement.setRbKey("xa.enum.AuthType.AUTH_TYPE_SSO");
+	vElement.setEnumName(vEnum.getEnumName());
+
+	vEnum.getElementList().add(vElement);
+
+	vElement = new VEnumElement();
+	vElement.setElementName("AUTH_TYPE_TRUSTED_PROXY");
+	vElement.setElementValue(4);
+	vElement.setElementLabel("Trusted Proxy");
+	vElement.setRbKey("xa.enum.AuthType.AUTH_TYPE_TRUSTED_PROXY");
+	vElement.setEnumName(vEnum.getEnumName());
+
+	vEnum.getElementList().add(vElement);
 
 	///////////////////////////////////
 	// XResponse::ResponseStatus
diff --git a/security-admin/src/main/webapp/scripts/utils/XAEnums.js b/security-admin/src/main/webapp/scripts/utils/XAEnums.js
index a4a4e0b..fd711fa 100644
--- a/security-admin/src/main/webapp/scripts/utils/XAEnums.js
+++ b/security-admin/src/main/webapp/scripts/utils/XAEnums.js
@@ -146,7 +146,10 @@ define(function(require) {
 
 	XAEnums.AuthType = mergeParams(XAEnums.AuthType, {
 		AUTH_TYPE_UNKNOWN:{value:0, label:'Unknown', rbkey:'xa.enum.AuthType.AUTH_TYPE_UNKNOWN', tt: 'lbl.AuthType_AUTH_TYPE_UNKNOWN'},
-		AUTH_TYPE_PASSWORD:{value:1, label:'Username/Password', rbkey:'xa.enum.AuthType.AUTH_TYPE_PASSWORD', tt: 'lbl.AuthType_AUTH_TYPE_PASSWORD'}
+		AUTH_TYPE_PASSWORD:{value:1, label:'Username/Password', rbkey:'xa.enum.AuthType.AUTH_TYPE_PASSWORD', tt: 'lbl.AuthType_AUTH_TYPE_PASSWORD'},
+		AUTH_TYPE_KERBEROS:{value:2, label:'Kerberos', rbkey:'xa.enum.AuthType.AUTH_TYPE_KERBEROS', tt: 'lbl.AuthType_AUTH_TYPE_KERBEROS'},
+		AUTH_TYPE_SSO:{value:3, label:'SingleSignOn', rbkey:'xa.enum.AuthType.AUTH_TYPE_SSO', tt: 'lbl.AuthType_AUTH_TYPE_SSO'},
+		AUTH_TYPE_TRUSTED_PROXY:{value:4, label:'Trusted Proxy', rbkey:'xa.enum.AuthType.AUTH_TYPE_TRUSTED_PROXY', tt: 'lbl.AuthType_AUTH_TYPE_TRUSTED_PROXY'}
 	});
 
 	XAEnums.BooleanValue = mergeParams(XAEnums.BooleanValue, {