Posted to commits@ranger.apache.org by sp...@apache.org on 2019/10/09 10:26:29 UTC
[ranger] branch master updated: RANGER-2600: Added more Auth Types
for login in Ranger audits with review comments
This is an automated email from the ASF dual-hosted git repository.
spolavarapu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new b58257d RANGER-2600: Added more Auth Types for login in Ranger audits with review comments
b58257d is described below
commit b58257d23a904f5b046b0777a0497ceb7ea093d4
Author: Sailaja Polavarapu <sp...@cloudera.com>
AuthorDate: Wed Oct 9 15:55:53 2019 +0530
RANGER-2600: Added more Auth Types for login in Ranger audits with review comments
---
.../org/apache/ranger/entity/XXAuthSession.java | 17 +++++++++++++-
.../web/filter/RangerKRBAuthenticationFilter.java | 1 +
.../RangerSecurityContextFormationFilter.java | 23 +++++++++++++++++--
.../org/apache/ranger/util/RangerEnumUtil.java | 26 ++++++++++++++++++++++
.../src/main/webapp/scripts/utils/XAEnums.js | 5 ++++-
5 files changed, 68 insertions(+), 4 deletions(-)
diff --git a/security-admin/src/main/java/org/apache/ranger/entity/XXAuthSession.java b/security-admin/src/main/java/org/apache/ranger/entity/XXAuthSession.java
index c277158..079cda5 100644
--- a/security-admin/src/main/java/org/apache/ranger/entity/XXAuthSession.java
+++ b/security-admin/src/main/java/org/apache/ranger/entity/XXAuthSession.java
@@ -112,9 +112,24 @@ public class XXAuthSession extends XXDBBase implements java.io.Serializable {
public static final int AUTH_TYPE_PASSWORD = 1;
/**
+ * AUTH_TYPE_KERBEROS is an element of enum AuthType. Its value is "AUTH_TYPE_KERBEROS".
+ */
+ public static final int AUTH_TYPE_KERBEROS = 2;
+
+ /**
+ * AUTH_TYPE_SSO is an element of enum AuthType. Its value is "AUTH_TYPE_SSO".
+ */
+ public static final int AUTH_TYPE_SSO = 3;
+
+ /**
+ * AUTH_TYPE_TRUSTED_PROXY is an element of enum AuthType. Its value is "AUTH_TYPE_TRUSTED_PROXY".
+ */
+ public static final int AUTH_TYPE_TRUSTED_PROXY = 4;
+
+ /**
* Max value for enum AuthType_MAX
*/
- public static final int AuthType_MAX = 1;
+ public static final int AuthType_MAX = 4;
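Review bot: The Javadoc on the three new constants says each one's value is its own name (`Its value is "AUTH_TYPE_KERBEROS"`), while the fields are the ints 2, 3 and 4, and none of the comments says what kind of login the value stands for. These numbers are what the login audit shows to tell how a session was authenticated, so I would document the meaning instead, e.g. `/** Login authenticated through Kerberos/SPNEGO; numeric value 2. */`. For AUTH_TYPE_TRUSTED_PROXY the comment should state that the session is for the doAs user while a different principal did the authenticating. The class body continues outside the hunk.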
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
index 5c825d8..b38d9d9 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
@@ -276,6 +276,7 @@ public class RangerKRBAuthenticationFilter extends RangerKrbFilter {
authentication = getGrantedAuthority(authentication);
SecurityContextHolder.getContext().setAuthentication(authentication);
request.setAttribute("spnegoEnabled", true);
+ request.setAttribute("trustedProxyEnabled", true);
LOG.info("Logged into Ranger as doAsUser = " + doAsUser + ", by authenticatedUser=" + authToken.getUserName());
}
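Review bot: The attribute name `"trustedProxyEnabled"` is a bare string literal on the added line and is read back under the same literal in RangerSecurityContextFormationFilter.getAuthType, so a typo on either side would silently record a proxied login as plain Kerberos in the audit. A shared constant, for example `public static final String ATTR_TRUSTED_PROXY_ENABLED = "trustedProxyEnabled";` used in both filters, removes that risk, and the neighbouring `"spnegoEnabled"` literal has the same problem. As far as this hunk shows, the proxy principal that actually authenticated (`authToken.getUserName()`) goes only to the log line, so the audit row can say "Trusted Proxy" but presumably not which proxy. The enclosing method starts outside the hunk.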
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
index eb40cfd..99fb21f 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
@@ -120,9 +120,9 @@ public class RangerSecurityContextFormationFilter extends GenericFilterBean {
context.setRequestContext(requestContext);
RangerContextHolder.setSecurityContext(context);
-
+ int authType = getAuthType(httpRequest);
UserSessionBase userSession = sessionMgr.processSuccessLogin(
- XXAuthSession.AUTH_TYPE_PASSWORD, userAgent, httpRequest);
+ authType, userAgent, httpRequest);
if (userSession != null) {
@@ -150,4 +150,23 @@ public class RangerSecurityContextFormationFilter extends GenericFilterBean {
RangerContextHolder.resetOpContext();
}
}
+
+ private int getAuthType(HttpServletRequest request) {
+ int authType;
+ Object ssoEnabledObj = request.getAttribute("ssoEnabled");
+ Boolean ssoEnabled = ssoEnabledObj != null ? Boolean.valueOf(String.valueOf(ssoEnabledObj)) : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false);
+
+ if (ssoEnabled) {
+ authType = XXAuthSession.AUTH_TYPE_SSO;
+ } else if (request.getAttribute("spnegoEnabled") != null && (boolean)request.getAttribute("spnegoEnabled")){
+ if (request.getAttribute("trustedProxyEnabled") != null && (boolean)request.getAttribute("trustedProxyEnabled")) {
+ authType = XXAuthSession.AUTH_TYPE_TRUSTED_PROXY;
+ } else {
+ authType = XXAuthSession.AUTH_TYPE_KERBEROS;
+ }
+ } else {
+ authType = XXAuthSession.AUTH_TYPE_PASSWORD;
+ }
+ return authType;
+ }
}
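Review bot: getAuthType tests SSO before SPNEGO and, when the request carries no `ssoEnabled` attribute, falls back to the global `ranger.sso.enabled` property, so on an SSO-enabled deployment any login whose request lacks that attribute would be audited as AUTH_TYPE_SSO even if it came through Kerberos, a trusted proxy or the password form. Whether every non-SSO path sets `ssoEnabled` to false is not visible here; if it does not, the audit type should follow what this request's authentication actually did rather than configuration, for example by testing the `spnegoEnabled` branch first. The two `(boolean)` casts also throw ClassCastException if either attribute is ever stored as something other than a Boolean, unlike the `ssoEnabled` line, which parses through String.valueOf. `Boolean.TRUE.equals(request.getAttribute("spnegoEnabled"))`, and the same form for `trustedProxyEnabled`, handles null and type in one step.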
diff --git a/security-admin/src/main/java/org/apache/ranger/util/RangerEnumUtil.java b/security-admin/src/main/java/org/apache/ranger/util/RangerEnumUtil.java
index 059b75a..8d97d85 100644
--- a/security-admin/src/main/java/org/apache/ranger/util/RangerEnumUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/util/RangerEnumUtil.java
@@ -1962,6 +1962,32 @@ public class RangerEnumUtil {
vEnum.getElementList().add(vElement);
+ vElement = new VEnumElement();
+ vElement.setElementName("AUTH_TYPE_KERBEROS");
+ vElement.setElementValue(2);
+ vElement.setElementLabel("Kerberos");
+ vElement.setRbKey("xa.enum.AuthType.AUTH_TYPE_KERBEROS");
+ vElement.setEnumName(vEnum.getEnumName());
+
+ vEnum.getElementList().add(vElement);
+
+ vElement = new VEnumElement();
+ vElement.setElementName("AUTH_TYPE_SSO");
+ vElement.setElementValue(3);
+ vElement.setElementLabel("SingleSignOn");
+ vElement.setRbKey("xa.enum.AuthType.AUTH_TYPE_SSO");
+ vElement.setEnumName(vEnum.getEnumName());
+
+ vEnum.getElementList().add(vElement);
+
+ vElement = new VEnumElement();
+ vElement.setElementName("AUTH_TYPE_TRUSTED_PROXY");
+ vElement.setElementValue(4);
+ vElement.setElementLabel("Trusted Proxy");
+ vElement.setRbKey("xa.enum.AuthType.AUTH_TYPE_TRUSTED_PROXY");
+ vElement.setEnumName(vEnum.getEnumName());
+
+ vEnum.getElementList().add(vElement);
///////////////////////////////////
// XResponse::ResponseStatus
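Review bot: The element values are written as the literals 2, 3 and 4 here, a second copy of the numbers this commit defines in XXAuthSession (a third copy is in XAEnums.js), so a later renumbering in one place would make the audit screen label a login with the wrong authentication type. Where the file's conventions allow it, `vElement.setElementValue(XXAuthSession.AUTH_TYPE_KERBEROS);` and the same for the SSO and trusted-proxy entries ties the Java side to one definition. The labels are also inconsistent in form, `"SingleSignOn"` next to `"Trusted Proxy"`. The enclosing method starts and ends outside the hunk.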
diff --git a/security-admin/src/main/webapp/scripts/utils/XAEnums.js b/security-admin/src/main/webapp/scripts/utils/XAEnums.js
index a4a4e0b..fd711fa 100644
--- a/security-admin/src/main/webapp/scripts/utils/XAEnums.js
+++ b/security-admin/src/main/webapp/scripts/utils/XAEnums.js
@@ -146,7 +146,10 @@ define(function(require) {
XAEnums.AuthType = mergeParams(XAEnums.AuthType, {
AUTH_TYPE_UNKNOWN:{value:0, label:'Unknown', rbkey:'xa.enum.AuthType.AUTH_TYPE_UNKNOWN', tt: 'lbl.AuthType_AUTH_TYPE_UNKNOWN'},
- AUTH_TYPE_PASSWORD:{value:1, label:'Username/Password', rbkey:'xa.enum.AuthType.AUTH_TYPE_PASSWORD', tt: 'lbl.AuthType_AUTH_TYPE_PASSWORD'}
+ AUTH_TYPE_PASSWORD:{value:1, label:'Username/Password', rbkey:'xa.enum.AuthType.AUTH_TYPE_PASSWORD', tt: 'lbl.AuthType_AUTH_TYPE_PASSWORD'},
+ AUTH_TYPE_KERBEROS:{value:2, label:'Kerberos', rbkey:'xa.enum.AuthType.AUTH_TYPE_KERBEROS', tt: 'lbl.AuthType_AUTH_TYPE_KERBEROS'},
+ AUTH_TYPE_SSO:{value:3, label:'SingleSignOn', rbkey:'xa.enum.AuthType.AUTH_TYPE_SSO', tt: 'lbl.AuthType_AUTH_TYPE_SSO'},
+ AUTH_TYPE_TRUSTED_PROXY:{value:4, label:'Trusted Proxy', rbkey:'xa.enum.AuthType.AUTH_TYPE_TRUSTED_PROXY', tt: 'lbl.AuthType_AUTH_TYPE_TRUSTED_PROXY'}
});
XAEnums.BooleanValue = mergeParams(XAEnums.BooleanValue, {