You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by Pradeep Agrawal <pr...@freestoneinfotech.com> on 2016/11/08 13:56:14 UTC

Review Request 53568: RANGER-1212 : Support for two way ssl authentication in Ranger HA environment

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53568/
-----------------------------------------------------------

Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.


Bugs: RANGER-1212
    https://issues.apache.org/jira/browse/RANGER-1212


Repository: ranger


Description
-------

**Problem Statement : ** If SSL is enabled in Ranger unsecured HA environment then load balancer doesn't forward client certificate to Ranger and Authentication fails due to certificate issue. In SSL environment usually client sends SSL certificate with request attribute to Ranger for authentication but whenever such request is sent via load balancer; load balancer could not pass the received certificate to Ranger and authentication fails.

**Note :** This is happening only in the unsecured environment as client certificate is mandatory at Ranger end; while in the secured environment, authentication is done through Kerberos ticket so client certificate is not required.

**Proposed Solution :** Since load balancer is unable to pass client certificate with request attribute we can configure load balancer to pass client certifacte with request header. To enable this configuration at load balancer end we need to add below line and enable load balancer to add request header received from client.

                        RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" 

Load balancer shall send the client certificate in PEM format, proposed patch shall read the PEM format certificate from request header and parse it. Since Ranger requires X509 format certificate to authenticate the request, proposed patch contains those changes to parse the certifacte in X509 format.


Diffs
-----

  security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java 9e72f42 

Diff: https://reviews.apache.org/r/53568/diff/


Testing
-------

**Steps Performed(with patch):**
1. Installed ranger-admin on two nodes from Build having changes of proposed patch.
2. Configured Ranger admin in SSL mode.
3. Configured load balancer in SSL mode with both the node of ranger-admin.
4. Created truststore of load balancer self signed keystore.
5. Created a truststore for the hdfs plugin and added the public key of ranger admin as trusted entry into it.
6. To enable HDFS Plugin to communicate to Ranger Admin via load balancer copied the truststore file generated from load balancer machine(file generated from step 4) to HDFS node.
7. Generated HDFS truststore in PEM format to configure that in load balancer machine.
8. Created ranger_lb_crt.pem file in load balancer machine and added the content of file created from previous step.
9. In load balancer machine configured the path of file created in previous step.
10. Added below line in load balancer config file.
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
11. Started ranger-admin, hdfs and load balancer.

**Expected behaviour :** Ranger plugin should able to communicate to Ranger admin and download the policies.

**Actual behaviour :** Ranger plugin was able to communicate to Ranger admin and download the policies.


Thanks,

Pradeep Agrawal

Re: Review Request 53568: RANGER-1212 : Support for two way ssl authentication in Ranger HA environment

Posted by Colm O hEigeartaigh <co...@apache.org>.

> On Nov. 8, 2016, 2:33 p.m., Colm O hEigeartaigh wrote:
> > One problem with this solution is that TLS client authentication is no longer enforced - instead just the certificate is retrieved from a HTTP header. What's to stop a malicious client just including a valid (public) certificate in the header to impersonate someone else?
> 
> Pradeep Agrawal wrote:
>     Can you provide more details how to impersonate as someone else by using his valid public certificate. I would like to reproduce this.

Well according to the proposal the client certificate will be retrieved from a HTTP header, so a malicious client could just copy in the certificate of another client into the same header?


- Colm


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53568/#review155289
-----------------------------------------------------------


On Nov. 8, 2016, 1:56 p.m., Pradeep Agrawal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/53568/
> -----------------------------------------------------------
> 
> (Updated Nov. 8, 2016, 1:56 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1212
>     https://issues.apache.org/jira/browse/RANGER-1212
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> **Problem Statement : ** If SSL is enabled in Ranger unsecured HA environment then load balancer doesn't forward client certificate to Ranger and Authentication fails due to certificate issue. In SSL environment usually client sends SSL certificate with request attribute to Ranger for authentication but whenever such request is sent via load balancer; load balancer could not pass the received certificate to Ranger and authentication fails.
> 
> **Note :** This is happening only in the unsecured environment as client certificate is mandatory at Ranger end; while in the secured environment, authentication is done through Kerberos ticket so client certificate is not required.
> 
> **Proposed Solution :** Since load balancer is unable to pass client certificate with request attribute we can configure load balancer to pass client certifacte with request header. To enable this configuration at load balancer end we need to add below line and enable load balancer to add request header received from client.
> 
>                         RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" 
> 
> Load balancer shall send the client certificate in PEM format, proposed patch shall read the PEM format certificate from request header and parse it. Since Ranger requires X509 format certificate to authenticate the request, proposed patch contains those changes to parse the certifacte in X509 format.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java 9e72f42 
> 
> Diff: https://reviews.apache.org/r/53568/diff/
> 
> 
> Testing
> -------
> 
> **Steps Performed(with patch):**
> 1. Installed ranger-admin on two nodes from Build having changes of proposed patch.
> 2. Configured Ranger admin in SSL mode.
> 3. Configured load balancer in SSL mode with both the node of ranger-admin.
> 4. Created truststore of load balancer self signed keystore.
> 5. Created a truststore for the hdfs plugin and added the public key of ranger admin as trusted entry into it.
> 6. To enable HDFS Plugin to communicate to Ranger Admin via load balancer copied the truststore file generated from load balancer machine(file generated from step 4) to HDFS node.
> 7. Generated HDFS truststore in PEM format to configure that in load balancer machine.
> 8. Created ranger_lb_crt.pem file in load balancer machine and added the content of file created from previous step.
> 9. In load balancer machine configured the path of file created in previous step.
> 10. Added below line in load balancer config file.
> RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
> 11. Started ranger-admin, hdfs and load balancer.
> 
> **Expected behaviour :** Ranger plugin should able to communicate to Ranger admin and download the policies.
> 
> **Actual behaviour :** Ranger plugin was able to communicate to Ranger admin and download the policies.
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>

Re: Review Request 53568: RANGER-1212 : Support for two way ssl authentication in Ranger HA environment

Posted by Pradeep Agrawal <pr...@freestoneinfotech.com>.

> On Nov. 8, 2016, 2:33 p.m., Colm O hEigeartaigh wrote:
> > One problem with this solution is that TLS client authentication is no longer enforced - instead just the certificate is retrieved from a HTTP header. What's to stop a malicious client just including a valid (public) certificate in the header to impersonate someone else?

Can you provide more details how to impersonate as someone else by using his valid public certificate. I would like to reproduce this.


- Pradeep


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53568/#review155289
-----------------------------------------------------------


On Nov. 8, 2016, 1:56 p.m., Pradeep Agrawal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/53568/
> -----------------------------------------------------------
> 
> (Updated Nov. 8, 2016, 1:56 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1212
>     https://issues.apache.org/jira/browse/RANGER-1212
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> **Problem Statement : ** If SSL is enabled in Ranger unsecured HA environment then load balancer doesn't forward client certificate to Ranger and Authentication fails due to certificate issue. In SSL environment usually client sends SSL certificate with request attribute to Ranger for authentication but whenever such request is sent via load balancer; load balancer could not pass the received certificate to Ranger and authentication fails.
> 
> **Note :** This is happening only in the unsecured environment as client certificate is mandatory at Ranger end; while in the secured environment, authentication is done through Kerberos ticket so client certificate is not required.
> 
> **Proposed Solution :** Since load balancer is unable to pass client certificate with request attribute we can configure load balancer to pass client certifacte with request header. To enable this configuration at load balancer end we need to add below line and enable load balancer to add request header received from client.
> 
>                         RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" 
> 
> Load balancer shall send the client certificate in PEM format, proposed patch shall read the PEM format certificate from request header and parse it. Since Ranger requires X509 format certificate to authenticate the request, proposed patch contains those changes to parse the certifacte in X509 format.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java 9e72f42 
> 
> Diff: https://reviews.apache.org/r/53568/diff/
> 
> 
> Testing
> -------
> 
> **Steps Performed(with patch):**
> 1. Installed ranger-admin on two nodes from Build having changes of proposed patch.
> 2. Configured Ranger admin in SSL mode.
> 3. Configured load balancer in SSL mode with both the node of ranger-admin.
> 4. Created truststore of load balancer self signed keystore.
> 5. Created a truststore for the hdfs plugin and added the public key of ranger admin as trusted entry into it.
> 6. To enable HDFS Plugin to communicate to Ranger Admin via load balancer copied the truststore file generated from load balancer machine(file generated from step 4) to HDFS node.
> 7. Generated HDFS truststore in PEM format to configure that in load balancer machine.
> 8. Created ranger_lb_crt.pem file in load balancer machine and added the content of file created from previous step.
> 9. In load balancer machine configured the path of file created in previous step.
> 10. Added below line in load balancer config file.
> RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
> 11. Started ranger-admin, hdfs and load balancer.
> 
> **Expected behaviour :** Ranger plugin should able to communicate to Ranger admin and download the policies.
> 
> **Actual behaviour :** Ranger plugin was able to communicate to Ranger admin and download the policies.
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>

Re: Review Request 53568: RANGER-1212 : Support for two way ssl authentication in Ranger HA environment

Posted by Colm O hEigeartaigh <co...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53568/#review155289
-----------------------------------------------------------



One problem with this solution is that TLS client authentication is no longer enforced - instead just the certificate is retrieved from a HTTP header. What's to stop a malicious client just including a valid (public) certificate in the header to impersonate someone else?

- Colm O hEigeartaigh


On Nov. 8, 2016, 1:56 p.m., Pradeep Agrawal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/53568/
> -----------------------------------------------------------
> 
> (Updated Nov. 8, 2016, 1:56 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1212
>     https://issues.apache.org/jira/browse/RANGER-1212
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> **Problem Statement : ** If SSL is enabled in Ranger unsecured HA environment then load balancer doesn't forward client certificate to Ranger and Authentication fails due to certificate issue. In SSL environment usually client sends SSL certificate with request attribute to Ranger for authentication but whenever such request is sent via load balancer; load balancer could not pass the received certificate to Ranger and authentication fails.
> 
> **Note :** This is happening only in the unsecured environment as client certificate is mandatory at Ranger end; while in the secured environment, authentication is done through Kerberos ticket so client certificate is not required.
> 
> **Proposed Solution :** Since load balancer is unable to pass client certificate with request attribute we can configure load balancer to pass client certifacte with request header. To enable this configuration at load balancer end we need to add below line and enable load balancer to add request header received from client.
> 
>                         RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" 
> 
> Load balancer shall send the client certificate in PEM format, proposed patch shall read the PEM format certificate from request header and parse it. Since Ranger requires X509 format certificate to authenticate the request, proposed patch contains those changes to parse the certifacte in X509 format.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java 9e72f42 
> 
> Diff: https://reviews.apache.org/r/53568/diff/
> 
> 
> Testing
> -------
> 
> **Steps Performed(with patch):**
> 1. Installed ranger-admin on two nodes from Build having changes of proposed patch.
> 2. Configured Ranger admin in SSL mode.
> 3. Configured load balancer in SSL mode with both the node of ranger-admin.
> 4. Created truststore of load balancer self signed keystore.
> 5. Created a truststore for the hdfs plugin and added the public key of ranger admin as trusted entry into it.
> 6. To enable HDFS Plugin to communicate to Ranger Admin via load balancer copied the truststore file generated from load balancer machine(file generated from step 4) to HDFS node.
> 7. Generated HDFS truststore in PEM format to configure that in load balancer machine.
> 8. Created ranger_lb_crt.pem file in load balancer machine and added the content of file created from previous step.
> 9. In load balancer machine configured the path of file created in previous step.
> 10. Added below line in load balancer config file.
> RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
> 11. Started ranger-admin, hdfs and load balancer.
> 
> **Expected behaviour :** Ranger plugin should able to communicate to Ranger admin and download the policies.
> 
> **Actual behaviour :** Ranger plugin was able to communicate to Ranger admin and download the policies.
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>