Posted to commits@ranger.apache.org by sp...@apache.org on 2020/03/20 21:45:37 UTC

[ranger] branch master updated: RANGER-2762: Setting ssoEnabled flag in the user session if request is from trusted proxy case or if the request is from knox sso case

This is an automated email from the ASF dual-hosted git repository.

spolavarapu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 3c37e7a  RANGER-2762: Setting ssoEnabled flag in the user session if request is from trusted proxy case or if the request is from knox sso case
3c37e7a is described below

commit 3c37e7aea13539f086766a78e2afa3859f9edde4
Author: Sailaja Polavarapu <sp...@cloudera.com>
AuthorDate: Fri Mar 20 12:14:49 2020 -0700

    RANGER-2762: Setting ssoEnabled flag in the user session if request is from trusted proxy case or if the request is from knox sso case
---
 .../src/main/java/org/apache/ranger/biz/SessionMgr.java     | 13 +++++++++++++
 .../apache/ranger/security/web/filter/RangerKrbFilter.java  |  4 +++-
 .../web/filter/RangerSecurityContextFormationFilter.java    | 12 +++++-------
 3 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
index ce09c36..b542a43 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
@@ -176,6 +176,19 @@ public class SessionMgr {
 				userSession.setSpnegoEnabled(true);
 			}
 
+			Boolean ssoEnabled;
+			if (authType == XXAuthSession.AUTH_TYPE_TRUSTED_PROXY) {
+				ssoEnabled = true;
+			} else {
+				Object ssoEnabledObj = httpRequest.getAttribute("ssoEnabled");
+				ssoEnabled = ssoEnabledObj != null ? Boolean.valueOf(String.valueOf(ssoEnabledObj)) : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false);
+			}
+
+			if (logger.isDebugEnabled()) {
+				logger.debug("session id = " + userSession.getLoginId() + " ssoenabled = " + ssoEnabled);
+			}
+			userSession.setSSOEnabled(ssoEnabled);
+
 			resetUserSessionForProfiles(userSession);
 			resetUserModulePermission(userSession);
 
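Review bot: The added debug line `logger.debug("session id = " + userSession.getLoginId() + " ssoenabled = " + ssoEnabled);` labels the value as a session id but prints the login id, which will mislead anyone correlating sessions from these logs; `"login id = "` would match what is printed. The login id is concatenated into the message unmodified and, in the trusted-proxy case, presumably originates from the request, so confirm that the log layout neutralises line breaks. `ssoEnabled` could be a primitive, `boolean ssoEnabled = Boolean.parseBoolean(String.valueOf(ssoEnabledObj))`, assuming `setSSOEnabled` takes a `boolean`. The enclosing method starts and ends outside this hunk.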
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
index b7b2b2a..223a991 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
@@ -523,7 +523,9 @@ public class RangerKrbFilter implements Filter {
               agents = RangerCSRFPreventionFilter.BROWSER_USER_AGENTS_DEFAULT;
             }
             parseBrowserUserAgents(agents);
-            if(isBrowser(httpRequest.getHeader(RangerCSRFPreventionFilter.HEADER_USER_AGENT)) && !allowTrustedProxy){
+            String doAsUser = request.getParameter("doAs");
+            if(isBrowser(httpRequest.getHeader(RangerCSRFPreventionFilter.HEADER_USER_AGENT)) &&
+                    (!allowTrustedProxy || (allowTrustedProxy && StringUtils.isEmpty(doAsUser))) ){
         	  ((HttpServletResponse)response).setHeader(KerberosAuthenticator.WWW_AUTHENTICATE, "");
                 filterChain.doFilter(request, response);
             }else{
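Review bot: The new condition `(!allowTrustedProxy || (allowTrustedProxy && StringUtils.isEmpty(doAsUser)))` repeats `allowTrustedProxy` needlessly and reduces to `!allowTrustedProxy || StringUtils.isEmpty(doAsUser)`. `doAsUser` comes straight from `request.getParameter("doAs")`, so the branch taken is now selected by a caller-supplied value. A comment such as `// doAs only routes the request to the Kerberos path; the caller must still be authenticated and authorised as a proxy there` would record that the check belongs in the `else` branch, whose body lies outside this hunk. Calling `getParameter` in a filter can also make the container parse a form-encoded body, so confirm that nothing later in the chain reads the raw input stream.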
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
index 99fb21f..6cc3a81 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
@@ -125,11 +125,6 @@ public class RangerSecurityContextFormationFilter extends GenericFilterBean {
 						authType, userAgent, httpRequest);
 
 				if (userSession != null) {
-
-					Object ssoEnabledObj = request.getAttribute("ssoEnabled");
-					Boolean ssoEnabled = ssoEnabledObj != null ? Boolean.valueOf(String.valueOf(ssoEnabledObj)) : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false);
-					userSession.setSSOEnabled(ssoEnabled);
-
 					if (userSession.getClientTimeOffsetInMinute() == 0) {
 						userSession.setClientTimeOffsetInMinute(clientTimeOffset);
 					}
@@ -158,8 +153,11 @@ public class RangerSecurityContextFormationFilter extends GenericFilterBean {
 
 		if (ssoEnabled) {
 			authType = XXAuthSession.AUTH_TYPE_SSO;
-		} else if (request.getAttribute("spnegoEnabled") != null && (boolean)request.getAttribute("spnegoEnabled")){
-			if (request.getAttribute("trustedProxyEnabled") != null && (boolean)request.getAttribute("trustedProxyEnabled")) {
+		} else if (request.getAttribute("spnegoEnabled") != null && Boolean.valueOf(String.valueOf(request.getAttribute("spnegoEnabled")))){
+			if (request.getAttribute("trustedProxyEnabled") != null && Boolean.valueOf(String.valueOf(request.getAttribute("trustedProxyEnabled")))) {
+				if (logger.isDebugEnabled()) {
+					logger.debug("Setting auth type as trusted proxy");
+				}
 				authType = XXAuthSession.AUTH_TYPE_TRUSTED_PROXY;
 			} else {
 				authType = XXAuthSession.AUTH_TYPE_KERBEROS;
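Review bot: In both rewritten conditions the `!= null` test is redundant, because `String.valueOf` turns a null attribute into "null" and `Boolean.valueOf` maps anything other than "true" to false. `Boolean.parseBoolean(String.valueOf(request.getAttribute("spnegoEnabled")))` gives the same result as a primitive, without boxing or a second attribute lookup. Since any unexpected attribute value now silently resolves to false and falls through to a different auth type, a short comment on that fallback would help; the previous `(boolean)` cast would have thrown instead. The SessionMgr hunk uses the same parsing for `ssoEnabled`, so a small shared helper would keep the two in step. The if/else chain continues past the end of this hunk.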