Posted to commits@ranger.apache.org by sp...@apache.org on 2020/03/20 21:45:37 UTC
[ranger] branch master updated: RANGER-2762: Setting ssoEnabled
flag in the user session if request is from trusted proxy case or if the
request is from knox sso case
This is an automated email from the ASF dual-hosted git repository.
spolavarapu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 3c37e7a RANGER-2762: Setting ssoEnabled flag in the user session if request is from trusted proxy case or if the request is from knox sso case
3c37e7a is described below
commit 3c37e7aea13539f086766a78e2afa3859f9edde4
Author: Sailaja Polavarapu <sp...@cloudera.com>
AuthorDate: Fri Mar 20 12:14:49 2020 -0700
RANGER-2762: Setting ssoEnabled flag in the user session if request is from trusted proxy case or if the request is from knox sso case
---
.../src/main/java/org/apache/ranger/biz/SessionMgr.java | 13 +++++++++++++
.../apache/ranger/security/web/filter/RangerKrbFilter.java | 4 +++-
.../web/filter/RangerSecurityContextFormationFilter.java | 12 +++++-------
3 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
index ce09c36..b542a43 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
@@ -176,6 +176,19 @@ public class SessionMgr {
userSession.setSpnegoEnabled(true);
}
+ Boolean ssoEnabled;
+ if (authType == XXAuthSession.AUTH_TYPE_TRUSTED_PROXY) {
+ ssoEnabled = true;
+ } else {
+ Object ssoEnabledObj = httpRequest.getAttribute("ssoEnabled");
+ ssoEnabled = ssoEnabledObj != null ? Boolean.valueOf(String.valueOf(ssoEnabledObj)) : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false);
+ }
+
+ if (logger.isDebugEnabled()) {
+ logger.debug("session id = " + userSession.getLoginId() + " ssoenabled = " + ssoEnabled);
+ }
+ userSession.setSSOEnabled(ssoEnabled);
+
resetUserSessionForProfiles(userSession);
resetUserModulePermission(userSession);
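Review bot: The trusted-proxy branch sets `ssoEnabled = true` without consulting the `ssoEnabled` request attribute or `ranger.sso.enabled`, and nothing in the added lines says why. A comment above the `if` would help, for example `// Trusted-proxy sessions are always flagged as SSO, independent of ranger.sso.enabled`. The debug line also labels `userSession.getLoginId()` as "session id", which will mislead anyone correlating logs during an investigation; `"login id = "` matches what is printed. The local can be a primitive `boolean`, since every path assigns it. The enclosing method starts and ends outside the hunk.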
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
index b7b2b2a..223a991 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
@@ -523,7 +523,9 @@ public class RangerKrbFilter implements Filter {
agents = RangerCSRFPreventionFilter.BROWSER_USER_AGENTS_DEFAULT;
}
parseBrowserUserAgents(agents);
- if(isBrowser(httpRequest.getHeader(RangerCSRFPreventionFilter.HEADER_USER_AGENT)) && !allowTrustedProxy){
+ String doAsUser = request.getParameter("doAs");
+ if(isBrowser(httpRequest.getHeader(RangerCSRFPreventionFilter.HEADER_USER_AGENT)) &&
+ (!allowTrustedProxy || (allowTrustedProxy && StringUtils.isEmpty(doAsUser))) ){
((HttpServletResponse)response).setHeader(KerberosAuthenticator.WWW_AUTHENTICATE, "");
filterChain.doFilter(request, response);
}else{
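Review bot: The new condition contains a redundant term: `(!allowTrustedProxy || (allowTrustedProxy && StringUtils.isEmpty(doAsUser)))` is equivalent to `(!allowTrustedProxy || StringUtils.isEmpty(doAsUser))`, which is easier to audit. Both inputs to the test, the User-Agent header and the `doAs` parameter, are supplied by the client, and the branch they select clears `WWW-Authenticate` and hands the request on down the filter chain. A short comment naming the later filter that is relied on to authenticate such requests would make this safe to maintain; that filter is not visible in the hunk. The enclosing method starts and ends outside the hunk.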
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
index 99fb21f..6cc3a81 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
@@ -125,11 +125,6 @@ public class RangerSecurityContextFormationFilter extends GenericFilterBean {
authType, userAgent, httpRequest);
if (userSession != null) {
-
- Object ssoEnabledObj = request.getAttribute("ssoEnabled");
- Boolean ssoEnabled = ssoEnabledObj != null ? Boolean.valueOf(String.valueOf(ssoEnabledObj)) : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false);
- userSession.setSSOEnabled(ssoEnabled);
-
if (userSession.getClientTimeOffsetInMinute() == 0) {
userSession.setClientTimeOffsetInMinute(clientTimeOffset);
}
@@ -158,8 +153,11 @@ public class RangerSecurityContextFormationFilter extends GenericFilterBean {
if (ssoEnabled) {
authType = XXAuthSession.AUTH_TYPE_SSO;
- } else if (request.getAttribute("spnegoEnabled") != null && (boolean)request.getAttribute("spnegoEnabled")){
- if (request.getAttribute("trustedProxyEnabled") != null && (boolean)request.getAttribute("trustedProxyEnabled")) {
+ } else if (request.getAttribute("spnegoEnabled") != null && Boolean.valueOf(String.valueOf(request.getAttribute("spnegoEnabled")))){
+ if (request.getAttribute("trustedProxyEnabled") != null && Boolean.valueOf(String.valueOf(request.getAttribute("trustedProxyEnabled")))) {
+ if (logger.isDebugEnabled()) {
+ logger.debug("Setting auth type as trusted proxy");
+ }
authType = XXAuthSession.AUTH_TYPE_TRUSTED_PROXY;
} else {
authType = XXAuthSession.AUTH_TYPE_KERBEROS;
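Review bot: The `!= null` guards on the two rewritten conditions are now redundant, and each attribute is read twice. `String.valueOf(Object)` returns "null" for a null argument, which already parses as false, so `Boolean.parseBoolean(String.valueOf(request.getAttribute("spnegoEnabled")))` is enough and avoids the boxed `Boolean`; the same applies to `trustedProxyEnabled`. Any value other than "true" silently falls through to the next auth type, so a one-line comment saying that this fallback is intended would help a reviewer of the authentication path. The enclosing method starts and ends outside the hunk.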