ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mehul Parikh (JIRA)" <j...@apache.org>
Subject [jira] [Assigned] (RANGER-2227) Visiting Ranger Admin UI forces subsequent requests to other services redirect to HTTPS
Date Thu, 27 Sep 2018 10:25:00 GMT

     [ https://issues.apache.org/jira/browse/RANGER-2227?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Mehul Parikh reassigned RANGER-2227:

    Assignee: Nitin Galave

> Visiting Ranger Admin UI forces subsequent requests to other services redirect to HTTPS
> ---------------------------------------------------------------------------------------
>                 Key: RANGER-2227
>                 URL: https://issues.apache.org/jira/browse/RANGER-2227
>             Project: Ranger
>          Issue Type: Bug
>          Components: admin
>    Affects Versions: 1.1.0
>            Reporter: Vipin Rathor
>            Assignee: Nitin Galave
>            Priority: Critical
> *Problem Description:*
>  Visiting Ranger Admin UI in any browser (Firefox / Chrome) sets the HTTP Strict Transport
Security (HSTS) header for the host where Ranger is running. Any subsequent request to other
service on the same host (e.g. YARN RM UI etc.) over HTTP would get redirected to HTTPS because
of this header and due to change in browser behavior recently: [Firefox|https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security]
and [Chrome|https://www.chromium.org/hsts].
>  Ideally, these headers should be configurable, so that admin can set them as per requirement.
Like the way Knox expose this via [configuration|https://knox.apache.org/books/knox-1-1-0/user-guide.html#HTTP+Strict+Transport+Security],
I recently reported similar in Knox via KNOX-1434
> *Impact:*
>  All the non-SSL requests to other services get redirected automatically to HTTPS and
would result in SSL errors like: SSL_ERROR_RX_RECORD_TOO_LONG or some other error.
> *Expected Behavior:*
>  1. Unless HSTS is specifically enabled for Ranger Admin UI, it should not set HSTS header.
Therefore, there should be a configurable option to enable/disable HSTS.
>  2. HSTS should be disabled by default for Ranger Admin.
> *Steps to reproduce:*
>  1. Install & configure Ranger with SSL and a trusted CA (no self-signed)
>  2. Also configure few other services like RM, Oozie on the same Ranger Admin host
>  3. Once Ranger is up, visit Ranger Admin UI
>  4. Now, in the same browser session, visit any non-SSL service running on the same Ranger
host (like RM UI, Oozie UI).
>  5. Browser will redirect this HTTP request to HTTPS.
>  6. If one can carefully clear the HSTS header in browser, then redirection will stop
until the next time one visits Ranger Admin UI again.
> *Workaround:*
>  Currently the workaround is to open Ranger Admin UI in a separate browser OR move Ranger
Admin service to a host where other UI services are not installed.

This message was sent by Atlassian JIRA

View raw message