You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ranger.apache.org by Vishal Suvagia via Review Board <no...@reviews.apache.org> on 2022/04/04 13:04:25 UTC

Re: Review Request 72024: RANGER-2704 : Support browser login using kerberized authentication.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72024/
-----------------------------------------------------------

(Updated April 4, 2022, 1:04 p.m.)


Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.


Changes
-------

Updated patch to remove unnecessary changes.


Bugs: RANGER-2704
    https://issues.apache.org/jira/browse/RANGER-2704


Repository: ranger


Description
-------

Need to support browser login using kerberos authentication. Added a logout for an unauthenticated user to redirect to the login page.


Diffs
-----

  security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java 223a991c76bae7d25f5ce89604d0a8a90d426fe5 
  security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java abbf2d983beb30b59e5d3f6429d6fc226f735793 
  security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 0a1128613dca50fe67ea3f891261f1ee449c46db 


Diff: https://reviews.apache.org/r/72024/diff/2/


Testing (updated)
-------

Veriried kerberos ticket authentication is working on a kerberized browser.


Steps to test for a kerberized browser:
#1) For Kerberized browsers:
    #1> To open Chrome in kerberos enabled mode need to run below command:
       google-chrome --auth-server-whitelist="*ranger.testserver.com"
    #2> For Firefox, need to go to about:configs and then search for negotiate and then add the host domain    
        ranger.testserver.com to the property "network.negotiate-auth.trusted-uris"
#2) Perform kinit with the required user.
#3) Open the Ranger Admin portal using FQDN of the server host.


Known Issue: If there is no valid kerberos ticket, user lands on a blank page and a short hack is to either append locallogin to the URL or refresh the browser tab to redirect to the login page.
P.S: this issue is not observed on Google Chrome browser


File Attachments (updated)
----------------

RANGER-2704.patch
  https://reviews.apache.org/media/uploaded/files/2020/01/17/8c9682ca-1ade-4281-89e7-d43a8af09300__RANGER-2704.patch
RANGER-2704.02.patch
  https://reviews.apache.org/media/uploaded/files/2022/04/04/6e737bec-e640-4459-922c-353793172b12__RANGER-2704.02.patch


Thanks,

Vishal Suvagia

Re: Review Request 72024: RANGER-2704 : Support browser login using kerberized authentication.

Posted by Dhaval Shah <dh...@gmail.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72024/#review224293
-----------------------------------------------------------


Ship it!




Ship It!

- Dhaval Shah


On April 5, 2022, 12:24 p.m., Vishal Suvagia wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72024/
> -----------------------------------------------------------
> 
> (Updated April 5, 2022, 12:24 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2704
>     https://issues.apache.org/jira/browse/RANGER-2704
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Need to support browser login using kerberos authentication. Added a logout for an unauthenticated user to redirect to the login page.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java 223a991c76bae7d25f5ce89604d0a8a90d426fe5 
>   security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java abbf2d983beb30b59e5d3f6429d6fc226f735793 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 0a1128613dca50fe67ea3f891261f1ee449c46db 
> 
> 
> Diff: https://reviews.apache.org/r/72024/diff/2/
> 
> 
> Testing
> -------
> 
> Veriried kerberos ticket authentication is working on a kerberized browser.
> 
> 
> Steps to test for a kerberized browser:
> #1) For Kerberized browsers:
>     #1> To open Chrome in kerberos enabled mode need to run below command:
>        google-chrome --auth-server-whitelist="*ranger.testserver.com"
>     #2> For Firefox, need to go to about:configs and then search for negotiate and then add the host domain    
>         ranger.testserver.com to the property "network.negotiate-auth.trusted-uris"
> #2) Perform kinit with the required user.
> #3) Open the Ranger Admin portal using FQDN of the server host.
> 
> 
> Known Issue: If there is no valid kerberos ticket, user lands on a blank page and a short hack is to either append locallogin to the URL or refresh the browser tab to redirect to the login page.
> P.S: this issue is not observed on Google Chrome browser
> 
> 
> File Attachments
> ----------------
> 
> RANGER-2704.patch
>   https://reviews.apache.org/media/uploaded/files/2020/01/17/8c9682ca-1ade-4281-89e7-d43a8af09300__RANGER-2704.patch
> RANGER-2704.02.patch
>   https://reviews.apache.org/media/uploaded/files/2022/04/04/6e737bec-e640-4459-922c-353793172b12__RANGER-2704.02.patch
> RANGER-2704.03.patch
>   https://reviews.apache.org/media/uploaded/files/2022/04/05/31e52557-051e-40ba-bc34-5dc6418e06f8__RANGER-2704.03.patch
> 
> 
> Thanks,
> 
> Vishal Suvagia
> 
>

Re: Review Request 72024: RANGER-2704 : Support browser login using kerberized authentication.

Posted by Mehul Parikh <xs...@gmail.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72024/#review224271
-----------------------------------------------------------


Ship it!




Ship It!

- Mehul Parikh


On April 5, 2022, 12:24 p.m., Vishal Suvagia wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72024/
> -----------------------------------------------------------
> 
> (Updated April 5, 2022, 12:24 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2704
>     https://issues.apache.org/jira/browse/RANGER-2704
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Need to support browser login using kerberos authentication. Added a logout for an unauthenticated user to redirect to the login page.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java 223a991c76bae7d25f5ce89604d0a8a90d426fe5 
>   security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java abbf2d983beb30b59e5d3f6429d6fc226f735793 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 0a1128613dca50fe67ea3f891261f1ee449c46db 
> 
> 
> Diff: https://reviews.apache.org/r/72024/diff/2/
> 
> 
> Testing
> -------
> 
> Veriried kerberos ticket authentication is working on a kerberized browser.
> 
> 
> Steps to test for a kerberized browser:
> #1) For Kerberized browsers:
>     #1> To open Chrome in kerberos enabled mode need to run below command:
>        google-chrome --auth-server-whitelist="*ranger.testserver.com"
>     #2> For Firefox, need to go to about:configs and then search for negotiate and then add the host domain    
>         ranger.testserver.com to the property "network.negotiate-auth.trusted-uris"
> #2) Perform kinit with the required user.
> #3) Open the Ranger Admin portal using FQDN of the server host.
> 
> 
> Known Issue: If there is no valid kerberos ticket, user lands on a blank page and a short hack is to either append locallogin to the URL or refresh the browser tab to redirect to the login page.
> P.S: this issue is not observed on Google Chrome browser
> 
> 
> File Attachments
> ----------------
> 
> RANGER-2704.patch
>   https://reviews.apache.org/media/uploaded/files/2020/01/17/8c9682ca-1ade-4281-89e7-d43a8af09300__RANGER-2704.patch
> RANGER-2704.02.patch
>   https://reviews.apache.org/media/uploaded/files/2022/04/04/6e737bec-e640-4459-922c-353793172b12__RANGER-2704.02.patch
> RANGER-2704.03.patch
>   https://reviews.apache.org/media/uploaded/files/2022/04/05/31e52557-051e-40ba-bc34-5dc6418e06f8__RANGER-2704.03.patch
> 
> 
> Thanks,
> 
> Vishal Suvagia
> 
>

Re: Review Request 72024: RANGER-2704 : Support browser login using kerberized authentication.

Posted by Vishal Suvagia via Review Board <no...@reviews.apache.org>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72024/
-----------------------------------------------------------

(Updated April 5, 2022, 12:24 p.m.)


Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.


Changes
-------

updated changes to address review comments.


Bugs: RANGER-2704
    https://issues.apache.org/jira/browse/RANGER-2704


Repository: ranger


Description
-------

Need to support browser login using kerberos authentication. Added a logout for an unauthenticated user to redirect to the login page.


Diffs
-----

  security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java 223a991c76bae7d25f5ce89604d0a8a90d426fe5 
  security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java abbf2d983beb30b59e5d3f6429d6fc226f735793 
  security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 0a1128613dca50fe67ea3f891261f1ee449c46db 


Diff: https://reviews.apache.org/r/72024/diff/2/


Testing
-------

Veriried kerberos ticket authentication is working on a kerberized browser.


Steps to test for a kerberized browser:
#1) For Kerberized browsers:
    #1> To open Chrome in kerberos enabled mode need to run below command:
       google-chrome --auth-server-whitelist="*ranger.testserver.com"
    #2> For Firefox, need to go to about:configs and then search for negotiate and then add the host domain    
        ranger.testserver.com to the property "network.negotiate-auth.trusted-uris"
#2) Perform kinit with the required user.
#3) Open the Ranger Admin portal using FQDN of the server host.


Known Issue: If there is no valid kerberos ticket, user lands on a blank page and a short hack is to either append locallogin to the URL or refresh the browser tab to redirect to the login page.
P.S: this issue is not observed on Google Chrome browser


File Attachments (updated)
----------------

RANGER-2704.patch
  https://reviews.apache.org/media/uploaded/files/2020/01/17/8c9682ca-1ade-4281-89e7-d43a8af09300__RANGER-2704.patch
RANGER-2704.02.patch
  https://reviews.apache.org/media/uploaded/files/2022/04/04/6e737bec-e640-4459-922c-353793172b12__RANGER-2704.02.patch
RANGER-2704.03.patch
  https://reviews.apache.org/media/uploaded/files/2022/04/05/31e52557-051e-40ba-bc34-5dc6418e06f8__RANGER-2704.03.patch


Thanks,

Vishal Suvagia

Re: Review Request 72024: RANGER-2704 : Support browser login using kerberized authentication.

Posted by Vishal Suvagia via Review Board <no...@reviews.apache.org>.


> On April 4, 2022, 1:31 p.m., bhavik patel wrote:
> > security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
> > Lines 607 (patched)
> > <https://reviews.apache.org/r/72024/diff/2/?file=2266637#file2266637line607>
> >
> >     same method is there in RangerKrbFilter class

This is required to check for a kerberos authenticated user to redirect the user to login page once the user performs logout.


- Vishal


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72024/#review224245
-----------------------------------------------------------


On April 5, 2022, 12:24 p.m., Vishal Suvagia wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72024/
> -----------------------------------------------------------
> 
> (Updated April 5, 2022, 12:24 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2704
>     https://issues.apache.org/jira/browse/RANGER-2704
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Need to support browser login using kerberos authentication. Added a logout for an unauthenticated user to redirect to the login page.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java 223a991c76bae7d25f5ce89604d0a8a90d426fe5 
>   security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java abbf2d983beb30b59e5d3f6429d6fc226f735793 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 0a1128613dca50fe67ea3f891261f1ee449c46db 
> 
> 
> Diff: https://reviews.apache.org/r/72024/diff/2/
> 
> 
> Testing
> -------
> 
> Veriried kerberos ticket authentication is working on a kerberized browser.
> 
> 
> Steps to test for a kerberized browser:
> #1) For Kerberized browsers:
>     #1> To open Chrome in kerberos enabled mode need to run below command:
>        google-chrome --auth-server-whitelist="*ranger.testserver.com"
>     #2> For Firefox, need to go to about:configs and then search for negotiate and then add the host domain    
>         ranger.testserver.com to the property "network.negotiate-auth.trusted-uris"
> #2) Perform kinit with the required user.
> #3) Open the Ranger Admin portal using FQDN of the server host.
> 
> 
> Known Issue: If there is no valid kerberos ticket, user lands on a blank page and a short hack is to either append locallogin to the URL or refresh the browser tab to redirect to the login page.
> P.S: this issue is not observed on Google Chrome browser
> 
> 
> File Attachments
> ----------------
> 
> RANGER-2704.patch
>   https://reviews.apache.org/media/uploaded/files/2020/01/17/8c9682ca-1ade-4281-89e7-d43a8af09300__RANGER-2704.patch
> RANGER-2704.02.patch
>   https://reviews.apache.org/media/uploaded/files/2022/04/04/6e737bec-e640-4459-922c-353793172b12__RANGER-2704.02.patch
> RANGER-2704.03.patch
>   https://reviews.apache.org/media/uploaded/files/2022/04/05/31e52557-051e-40ba-bc34-5dc6418e06f8__RANGER-2704.03.patch
> 
> 
> Thanks,
> 
> Vishal Suvagia
> 
>

Re: Review Request 72024: RANGER-2704 : Support browser login using kerberized authentication.

Posted by bhavik patel <bh...@gmail.com>.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72024/#review224245
-----------------------------------------------------------




security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
Lines 126 (patched)
<https://reviews.apache.org/r/72024/#comment313125>

    Initialisation is not required here.



security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
Lines 607 (patched)
<https://reviews.apache.org/r/72024/#comment313124>

    same method is there in RangerKrbFilter class


- bhavik patel


On April 4, 2022, 1:04 p.m., Vishal Suvagia wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72024/
> -----------------------------------------------------------
> 
> (Updated April 4, 2022, 1:04 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2704
>     https://issues.apache.org/jira/browse/RANGER-2704
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Need to support browser login using kerberos authentication. Added a logout for an unauthenticated user to redirect to the login page.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java 223a991c76bae7d25f5ce89604d0a8a90d426fe5 
>   security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java abbf2d983beb30b59e5d3f6429d6fc226f735793 
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 0a1128613dca50fe67ea3f891261f1ee449c46db 
> 
> 
> Diff: https://reviews.apache.org/r/72024/diff/2/
> 
> 
> Testing
> -------
> 
> Veriried kerberos ticket authentication is working on a kerberized browser.
> 
> 
> Steps to test for a kerberized browser:
> #1) For Kerberized browsers:
>     #1> To open Chrome in kerberos enabled mode need to run below command:
>        google-chrome --auth-server-whitelist="*ranger.testserver.com"
>     #2> For Firefox, need to go to about:configs and then search for negotiate and then add the host domain    
>         ranger.testserver.com to the property "network.negotiate-auth.trusted-uris"
> #2) Perform kinit with the required user.
> #3) Open the Ranger Admin portal using FQDN of the server host.
> 
> 
> Known Issue: If there is no valid kerberos ticket, user lands on a blank page and a short hack is to either append locallogin to the URL or refresh the browser tab to redirect to the login page.
> P.S: this issue is not observed on Google Chrome browser
> 
> 
> File Attachments
> ----------------
> 
> RANGER-2704.patch
>   https://reviews.apache.org/media/uploaded/files/2020/01/17/8c9682ca-1ade-4281-89e7-d43a8af09300__RANGER-2704.patch
> RANGER-2704.02.patch
>   https://reviews.apache.org/media/uploaded/files/2022/04/04/6e737bec-e640-4459-922c-353793172b12__RANGER-2704.02.patch
> 
> 
> Thanks,
> 
> Vishal Suvagia
> 
>