Posted to commits@ranger.apache.org by rm...@apache.org on 2018/12/12 19:46:27 UTC

ranger git commit: RANGER-2306 : Add support for X-Forwarded-for header in Knox plugin

Repository: ranger
Updated Branches:
  refs/heads/master e483c201e -> 3d282ccbf


RANGER-2306 : Add support for X-Forwarded-for header in Knox plugin

Signed-off-by: Ramesh Mani <rm...@H12544.local>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/3d282ccb
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/3d282ccb
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/3d282ccb

Branch: refs/heads/master
Commit: 3d282ccbff805aee28e08f95729c1bb72cd1c33e
Parents: e483c20
Author: Vipin Rathor <v....@gmail.com>
Authored: Thu Dec 6 15:46:01 2018 -0800
Committer: Ramesh Mani <rm...@H12544.local>
Committed: Wed Dec 12 11:45:53 2018 -0800

----------------------------------------------------------------------
 .../authorization/knox/KnoxRangerPlugin.java    | 13 ++++++++++
 .../authorization/knox/RangerPDPKnoxFilter.java | 26 +++++++++++++++++---
 2 files changed, 36 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/3d282ccb/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java
----------------------------------------------------------------------
diff --git a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java
index d248785..814aedd 100644
--- a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java
+++ b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java
@@ -19,6 +19,7 @@
 
 package org.apache.ranger.authorization.knox;
 
+import java.util.List;
 import java.util.Set;
 
 import org.apache.ranger.authorization.knox.KnoxRangerPlugin.KnoxConstants.AccessType;
@@ -56,6 +57,8 @@ public class KnoxRangerPlugin extends RangerBasePlugin {
 		Set<String> _groups;
 		String _clientIp;
 		String _clusterName;
+		String _remoteIp;
+		List<String> _forwardedAddresses;
 		
 		RequestBuilder service(String service) {
 			_service = service;
@@ -81,6 +84,14 @@ public class KnoxRangerPlugin extends RangerBasePlugin {
 			_clusterName = clusterName;
 			return this;
 		}
+		RequestBuilder remoteIp(String remoteIp) {
+			_remoteIp = remoteIp;
+			return this;
+		}
+		RequestBuilder forwardedAddresses(List<String> forwardedAddresses) {
+			_forwardedAddresses = forwardedAddresses;
+			return this;
+		}
 		void verifyBuildable() {
 			if (_topology == null) throw new IllegalStateException("_topology can't be null!");
 			if (_service == null) throw new IllegalStateException("_service can't be null!");
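Review bot: The new `remoteIp(...)` and `forwardedAddresses(...)` setters have no comment saying how `_remoteIp` differs from the existing `_clientIp`, or that the forwarded list is taken from a request header. In the RangerPDPKnoxFilter hunk of this commit both `clientIp(...)` and `remoteIp(...)` receive `request.getRemoteAddr()`, so a reader cannot tell which field policy evaluation and audit are meant to rely on. I would add `// address of the direct TCP peer (may be a proxy)` above `remoteIp(...)` and `// X-Forwarded-For entries as sent by the caller; unvalidated, may be null` above `forwardedAddresses(...)`. The setter also keeps the caller's list by reference, so a null-safe copy would keep the built request independent of later changes to that list. RequestBuilder starts and ends outside this hunk.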
@@ -101,6 +112,8 @@ public class KnoxRangerPlugin extends RangerBasePlugin {
 			request.setUserGroups(_groups);
 			request.setResource(resource);
 			request.setClusterName(_clusterName);
+			request.setRemoteIPAddress(_remoteIp);
+			request.setForwardedAddresses(_forwardedAddresses);
 			return request;
 		}
 	}

http://git-wip-us.apache.org/repos/asf/ranger/blob/3d282ccb/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java
----------------------------------------------------------------------
diff --git a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java
index f84a3e0..e75f314 100644
--- a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java
+++ b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java
@@ -21,7 +21,9 @@ package org.apache.ranger.authorization.knox;
 import java.io.IOException;
 import java.security.AccessController;
 import java.security.Principal;
+import java.util.Arrays;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Set;
 
 import javax.security.auth.Subject;
@@ -31,6 +33,7 @@ import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.logging.Log;
@@ -40,6 +43,7 @@ import org.apache.knox.gateway.security.GroupPrincipal;
 import org.apache.knox.gateway.security.ImpersonatedPrincipal;
 import org.apache.knox.gateway.security.PrimaryPrincipal;
 import org.apache.ranger.audit.provider.MiscUtil;
+import org.apache.ranger.authorization.knox.KnoxRangerPlugin.RequestBuilder;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.util.RangerPerfTracer;
@@ -131,21 +135,25 @@ public class RangerPDPKnoxFilter implements Filter {
 
 		String clientIp = request.getRemoteAddr();
 		String clusterName = plugin.getClusterName();
+		List<String> forwardedAddresses = getForwardedAddresses(request);
 
 		if (LOG.isDebugEnabled()) {
 			LOG.debug("Checking access primaryUser: " + primaryUser
 					+ ", impersonatedUser: " + impersonatedUser
 					+ ", effectiveUser: " + user + ", groups: " + groups
-					+ ", clientIp: " + clientIp + ", clusterName: "
-					+ clusterName);
+					+ ", clientIp: " + clientIp + ", clusterName: " + clusterName
+			    + ", remoteIp: " + clientIp + ", forwardedAddresses: " + forwardedAddresses);
 		}
-		RangerAccessRequest accessRequest = new KnoxRangerPlugin.RequestBuilder()
+
+		RangerAccessRequest accessRequest = new RequestBuilder()
 			.service(serviceName)
 			.topology(topologyName)
 			.user(user)
 			.groups(groups)
 			.clientIp(clientIp)
 			.clusterName(clusterName)
+			.remoteIp(clientIp)
+			.forwardedAddresses(forwardedAddresses)
 			.build();
 
 		boolean accessAllowed = false;
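Review bot: `forwardedAddresses` is built from the `X-Forwarded-For` header, which any caller can set to arbitrary values, and it is passed into the access request with no indication of when it may be trusted. If the client address used for IP-based policy conditions or audit records is later derived from this list, it must only be honoured when the direct peer (`request.getRemoteAddr()`) is a configured trusted proxy; that handling is not visible in this hunk, so I would state the expectation here, e.g. `// X-Forwarded-For is client-controlled; trust it only when the direct peer is a configured proxy`. The debug line also prints `clientIp` a second time under the label `remoteIp`, and `.remoteIp(clientIp)` duplicates `.clientIp(clientIp)`, which hides whether the two are meant to differ. The added log line at `+ ", remoteIp: "` mixes tabs and spaces, unlike the lines around it. The enclosing method starts and ends outside the hunk.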
@@ -169,6 +177,18 @@ public class RangerPDPKnoxFilter implements Filter {
 		}
 	}
 
+	private List<String> getForwardedAddresses(ServletRequest request) {
+		List<String> forwardedAddresses = null;
+		if (request instanceof HttpServletRequest) {
+			HttpServletRequest httpRequest = (HttpServletRequest) request;
+			String xForwardedFor = httpRequest.getHeader("X-Forwarded-For");
+			if(xForwardedFor != null) {
+				forwardedAddresses = Arrays.asList(xForwardedFor.split(","));
+			}
+		}
+		return forwardedAddresses;
+	}
+
 	private void sendForbidden(HttpServletResponse res) {
 		sendErrorCode(res, 403);
 	}