From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Review Request 53568: RANGER-1212 : Support for two way ssl authentication in Ranger HA environment
Date Thu, 22 Dec 2016 12:38:19 GMT


> On Nov. 8, 2016, 2:33 p.m., Colm O hEigeartaigh wrote:
> > One problem with this solution is that TLS client authentication is no longer enforced
> > - instead just the certificate is retrieved from an HTTP header. What's to stop a malicious
> > client just including a valid (public) certificate in the header to impersonate someone else?
> 
> Pradeep Agrawal wrote:
>     Can you provide more details on how to impersonate someone else by using his valid
>     public certificate. I would like to reproduce this.

Well, according to the proposal the client certificate will be retrieved from an HTTP header,
so a malicious client could just copy the certificate of another client into the same header?


- Colm


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53568/#review155289
-----------------------------------------------------------


On Nov. 8, 2016, 1:56 p.m., Pradeep Agrawal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/53568/
> -----------------------------------------------------------
> 
> (Updated Nov. 8, 2016, 1:56 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay Kulkarni,
> Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1212
>     https://issues.apache.org/jira/browse/RANGER-1212
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> **Problem Statement:** If SSL is enabled in a Ranger unsecured HA environment, then the load
> balancer doesn't forward the client certificate to Ranger and authentication fails due to a certificate
> issue. In an SSL environment the client usually sends its SSL certificate as a request attribute to Ranger
> for authentication, but whenever such a request is sent via a load balancer, the load balancer cannot
> pass the received certificate to Ranger and authentication fails.
> 
> **Note:** This is happening only in the unsecured environment, as the client certificate
> is mandatory at the Ranger end; in the secured environment, authentication is done through a
> Kerberos ticket, so the client certificate is not required.
> 
> **Proposed Solution:** Since the load balancer is unable to pass the client certificate as a
> request attribute, we can configure the load balancer to pass the client certificate in a request header.
> To enable this configuration at the load balancer end we need to add the line below and enable the load
> balancer to add the request header received from the client.
> 
>                         RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" 
> 
> The load balancer shall send the client certificate in PEM format; the proposed patch shall read
> the PEM format certificate from the request header and parse it. Since Ranger requires an X509 format
> certificate to authenticate the request, the proposed patch contains the changes to parse the
> certificate into X509 format.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java 9e72f42 
> 
> Diff: https://reviews.apache.org/r/53568/diff/
> 
> 
> Testing
> -------
> 
> **Steps Performed(with patch):**
> 1. Installed ranger-admin on two nodes from Build having changes of proposed patch.
> 2. Configured Ranger admin in SSL mode.
> 3. Configured load balancer in SSL mode with both the node of ranger-admin.
> 4. Created truststore of load balancer self signed keystore.
> 5. Created a truststore for the hdfs plugin and added the public key of ranger admin
>    as a trusted entry into it.
> 6. To enable the HDFS Plugin to communicate with Ranger Admin via the load balancer, copied the
>    truststore file generated on the load balancer machine (file generated in step 4) to the HDFS node.
> 7. Generated HDFS truststore in PEM format to configure that in load balancer machine.
> 8. Created the ranger_lb_crt.pem file on the load balancer machine and added the content of the file
>    created in the previous step.
> 9. In load balancer machine configured the path of file created in previous step.
> 10. Added below line in load balancer config file.
> RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
> 11. Started ranger-admin, hdfs and load balancer.
> 
> **Expected behaviour:** The Ranger plugin should be able to communicate with Ranger admin and
> download the policies.
> 
> **Actual behaviour:** The Ranger plugin was able to communicate with Ranger admin and download
> the policies.
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>
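The trust question raised in this review (a certificate read from a header is only as trustworthy as whoever set the header) can be made concrete with a small model. The Python below is an added illustration written for this archive page; it is not code from the Ranger patch, from Apache Ranger, or from either participant. It compares the questioned behaviour (take the PEM in the header as the client's identity) with a hardened policy that only honours the header on a connection whose TLS-verified peer is the load balancer. The header name `SSL_CLIENT_CERT` comes from the thread; `Request`, `naive_client_cert`, `hardened_client_cert` and the "certificates" (PEM-framed arbitrary bytes, constructed here) are hypothetical, and the hardened policy assumes the balancer authenticates to the admin server with its own client certificate so that proxied connections can be told apart from direct ones.

```python
import hashlib
import ssl
from dataclasses import dataclass, field
from typing import Dict, Optional

# Header name taken from the thread's load-balancer line:
#   RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
CERT_HEADER = "SSL_CLIENT_CERT"


def constructed_pem(label: bytes) -> str:
    """Wrap arbitrary bytes in PEM armour. Constructed test data: the body is
    not a real X.509 certificate, which is enough here because only the PEM
    framing and the DER fingerprint are exercised."""
    return ssl.DER_cert_to_PEM_cert(label)


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, the usual value used to pin a certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


@dataclass
class Request:
    """One inbound HTTPS request as the admin server sees it (hypothetical model)."""
    headers: Dict[str, str] = field(default_factory=dict)
    # Certificate the server's own TLS layer verified on this hop, or None if
    # the peer presented none. It is the only identity the server itself checked.
    peer_cert_pem: Optional[str] = None


def naive_client_cert(req: Request) -> Optional[str]:
    """Model of the behaviour questioned in the review: whatever PEM sits in
    the header is taken as the client's certificate, with no check of who
    added that header. Falls back to the TLS peer certificate if absent."""
    return req.headers.get(CERT_HEADER) or req.peer_cert_pem


def hardened_client_cert(req: Request, proxy_fingerprint: str) -> Optional[str]:
    """Trust the header only on a connection whose TLS-verified peer is the
    load balancer (assumption: the balancer authenticates to the server with
    its own client certificate). On any other connection the header is
    ignored and the TLS-verified peer certificate is the client's identity."""
    if req.peer_cert_pem is None:
        return None  # nothing verified on this hop: no client identity at all
    if fingerprint(req.peer_cert_pem) == proxy_fingerprint:
        return req.headers.get(CERT_HEADER) or None
    return req.peer_cert_pem


def scenarios() -> Dict[str, Dict[str, Optional[str]]]:
    """Run both policies over three constructed requests and return the
    fingerprint each policy attributes the request to (None = unauthenticated)."""
    plugin_a = constructed_pem(b"constructed cert: hdfs plugin A")
    plugin_b = constructed_pem(b"constructed cert: plugin B")
    balancer = constructed_pem(b"constructed cert: load balancer")
    proxy_fp = fingerprint(balancer)

    requests = {
        # Intended path: the balancer verified plugin A and re-sent its cert in the header.
        "via_balancer": Request({CERT_HEADER: plugin_a}, balancer),
        # Direct connection from plugin B that carries plugin A's public cert
        # in the header: the case the review comment asks about.
        "direct_with_header": Request({CERT_HEADER: plugin_a}, plugin_b),
        # Direct connection with no TLS client certificate at all, header only.
        "no_tls_client_auth": Request({CERT_HEADER: plugin_a}, None),
    }

    def fp(pem: Optional[str]) -> Optional[str]:
        return fingerprint(pem) if pem else None

    return {
        name: {
            "naive": fp(naive_client_cert(req)),
            "hardened": fp(hardened_client_cert(req, proxy_fp)),
            "plugin_a": fingerprint(plugin_a),
            "plugin_b": fingerprint(plugin_b),
        }
        for name, req in requests.items()
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, {k: (v[:12] if v else None) for k, v in result.items()})
```

The hardened policy only closes the gap if the balancer itself still requires and verifies the client certificate before setting the header, and if it overwrites rather than appends any `SSL_CLIENT_CERT` value that arrived from the client (`RequestHeader set` replaces an existing header, which is what the thread's configuration line does). Without the proxy-identity check on the admin side, the two policies behave identically for a direct connection, which is the point of the review comment.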

