Posted to commits@ranger.apache.org by rm...@apache.org on 2018/12/12 19:46:27 UTC
ranger git commit: RANGER-2306 : Add support for X-Forwarded-for
header in Knox plugin
Repository: ranger
Updated Branches:
refs/heads/master e483c201e -> 3d282ccbf
RANGER-2306 : Add support for X-Forwarded-for header in Knox plugin
Signed-off-by: Ramesh Mani <rm...@H12544.local>
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/3d282ccb
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/3d282ccb
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/3d282ccb
Branch: refs/heads/master
Commit: 3d282ccbff805aee28e08f95729c1bb72cd1c33e
Parents: e483c20
Author: Vipin Rathor <v....@gmail.com>
Authored: Thu Dec 6 15:46:01 2018 -0800
Committer: Ramesh Mani <rm...@H12544.local>
Committed: Wed Dec 12 11:45:53 2018 -0800
----------------------------------------------------------------------
.../authorization/knox/KnoxRangerPlugin.java | 13 ++++++++++
.../authorization/knox/RangerPDPKnoxFilter.java | 26 +++++++++++++++++---
2 files changed, 36 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/3d282ccb/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java
----------------------------------------------------------------------
diff --git a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java
index d248785..814aedd 100644
--- a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java
+++ b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java
@@ -19,6 +19,7 @@
package org.apache.ranger.authorization.knox;
+import java.util.List;
import java.util.Set;
import org.apache.ranger.authorization.knox.KnoxRangerPlugin.KnoxConstants.AccessType;
@@ -56,6 +57,8 @@ public class KnoxRangerPlugin extends RangerBasePlugin {
Set<String> _groups;
String _clientIp;
String _clusterName;
+ String _remoteIp;
+ List<String> _forwardedAddresses;
RequestBuilder service(String service) {
_service = service;
@@ -81,6 +84,14 @@ public class KnoxRangerPlugin extends RangerBasePlugin {
_clusterName = clusterName;
return this;
}
+ RequestBuilder remoteIp(String remoteIp) {
+ _remoteIp = remoteIp;
+ return this;
+ }
+ RequestBuilder forwardedAddresses(List<String> forwardedAddresses) {
+ _forwardedAddresses = forwardedAddresses;
+ return this;
+ }
void verifyBuildable() {
if (_topology == null) throw new IllegalStateException("_topology can't be null!");
if (_service == null) throw new IllegalStateException("_service can't be null!");
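Review bot: The new `remoteIp` and `forwardedAddresses` setters carry no Javadoc, and `verifyBuildable()` directly below them checks neither field, so a reader cannot tell from the builder that both are optional and that `_forwardedAddresses` may remain null. A short comment on each would settle this, e.g. on `forwardedAddresses`: `/** Optional: addresses parsed from the request's X-Forwarded-For header; null when the header is absent. The list is stored by reference, not copied. */`. The `RequestBuilder` class begins and ends outside this hunk.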
@@ -101,6 +112,8 @@ public class KnoxRangerPlugin extends RangerBasePlugin {
request.setUserGroups(_groups);
request.setResource(resource);
request.setClusterName(_clusterName);
+ request.setRemoteIPAddress(_remoteIp);
+ request.setForwardedAddresses(_forwardedAddresses);
return request;
}
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/3d282ccb/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java
----------------------------------------------------------------------
diff --git a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java
index f84a3e0..e75f314 100644
--- a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java
+++ b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java
@@ -21,7 +21,9 @@ package org.apache.ranger.authorization.knox;
import java.io.IOException;
import java.security.AccessController;
import java.security.Principal;
+import java.util.Arrays;
import java.util.HashSet;
+import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;
@@ -31,6 +33,7 @@ import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
@@ -40,6 +43,7 @@ import org.apache.knox.gateway.security.GroupPrincipal;
import org.apache.knox.gateway.security.ImpersonatedPrincipal;
import org.apache.knox.gateway.security.PrimaryPrincipal;
import org.apache.ranger.audit.provider.MiscUtil;
+import org.apache.ranger.authorization.knox.KnoxRangerPlugin.RequestBuilder;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.util.RangerPerfTracer;
@@ -131,21 +135,25 @@ public class RangerPDPKnoxFilter implements Filter {
String clientIp = request.getRemoteAddr();
String clusterName = plugin.getClusterName();
+ List<String> forwardedAddresses = getForwardedAddresses(request);
if (LOG.isDebugEnabled()) {
LOG.debug("Checking access primaryUser: " + primaryUser
+ ", impersonatedUser: " + impersonatedUser
+ ", effectiveUser: " + user + ", groups: " + groups
- + ", clientIp: " + clientIp + ", clusterName: "
- + clusterName);
+ + ", clientIp: " + clientIp + ", clusterName: " + clusterName
+ + ", remoteIp: " + clientIp + ", forwardedAddresses: " + forwardedAddresses);
}
- RangerAccessRequest accessRequest = new KnoxRangerPlugin.RequestBuilder()
+
+ RangerAccessRequest accessRequest = new RequestBuilder()
.service(serviceName)
.topology(topologyName)
.user(user)
.groups(groups)
.clientIp(clientIp)
.clusterName(clusterName)
+ .remoteIp(clientIp)
+ .forwardedAddresses(forwardedAddresses)
.build();
boolean accessAllowed = false;
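Review bot: The rebuilt debug message at the top of the hunk prints `clientIp` twice under two labels (`clientIp:` and `remoteIp:`), because `.remoteIp(clientIp)` passes the very same value, so the added field contributes nothing to the log. Either drop `+ ", remoteIp: " + clientIp` or, if the two are intended to diverge later, give remoteIp its own local so the log reflects what is actually sent to the request. The `forwardedAddresses` value echoed here comes straight from a client-supplied header, which is acceptable at debug level but worth keeping in mind when reading these logs. The enclosing method starts and ends outside the hunk.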
@@ -169,6 +177,18 @@ public class RangerPDPKnoxFilter implements Filter {
}
}
+ private List<String> getForwardedAddresses(ServletRequest request) {
+ List<String> forwardedAddresses = null;
+ if (request instanceof HttpServletRequest) {
+ HttpServletRequest httpRequest = (HttpServletRequest) request;
+ String xForwardedFor = httpRequest.getHeader("X-Forwarded-For");
+ if(xForwardedFor != null) {
+ forwardedAddresses = Arrays.asList(xForwardedFor.split(","));
+ }
+ }
+ return forwardedAddresses;
+ }
+
private void sendForbidden(HttpServletResponse res) {
sendErrorCode(res, 403);
}
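Review bot: `xForwardedFor.split(",")` in the new getForwardedAddresses keeps the whitespace that conventionally follows each comma in an X-Forwarded-For value (`client, proxy1, proxy2`), so every element after the first comes back as `" proxy1"`, which will not match an address compared or evaluated verbatim downstream. Splitting on the comma together with its surrounding whitespace fixes it in place: `forwardedAddresses = Arrays.asList(xForwardedFor.trim().split("\\s*,\\s*"));`. An empty header value still yields a single empty string, which callers treating the list as addresses may want filtered out. Because the header is written by whatever sits in front of Knox, the returned list is only as trustworthy as that proxy chain, which deserves a sentence in the method's Javadoc.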