ranger-dev mailing list archives

From Pradeep Agrawal <pradeepagrawal8...@gmail.com>
Subject Review Request 70632: RANGER-2423: Ranger KnoxSSO authentication in Ranger HA environment
Date Mon, 13 May 2019 13:25:56 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70632/
-----------------------------------------------------------

Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay Kulkarni, Madhan
Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Ramesh Mani, Sailaja Polavarapu, and Velmurugan
Periasamy.


Bugs: RANGER-2423
    https://issues.apache.org/jira/browse/RANGER-2423


Repository: ranger


Description
-------

**Problem Description:** If the Ranger LB is non-SSL and KnoxSSO is enabled, then for the Knox
request the originURL is the LB URL. However, if the Ranger LB is SSL and KnoxSSO is enabled,
then for the Knox request the originURL changes to either of the Ranger hosts. It is expected
that the behaviour of originURL should not change irrespective of Ranger SSL/non-SSL mode.

Currently, if the Ranger LB is SSL enabled, then sending the X-Forwarded-Proto and X-Forwarded-SSL
headers doesn't work. If these headers are not sent from the LB, then the forward URL becomes the
actual ranger-admin URL rather than the LB URL.

**Proposed Solution:** If the LB is SSL, then the proposed patch shall accept the X-Forwarded-Proto
and X-Forwarded-SSL headers and will ensure the origin URL is the LB URL.


Diffs
-----

  security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
8a6c39b8f 


Diff: https://reviews.apache.org/r/70632/diff/1/


Testing
-------

Scenario tested when LB is simple and SSL enabled.
1. Tested Ranger HA with knoxproxy
2. Tested Ranger HA with Knoxsso
3. Tested Ranger HA with knoxproxy and knoxSSO
4. Tested Ranger HA with Knoxsso through curl (using hadoop-jwt token)


Thanks,

Pradeep Agrawal
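
The header handling this review request describes, shown as an added example that is not part of the original message and is not the patch or Ranger's own code: a backend behind a TLS-terminating LB rebuilds the origin URL from X-Forwarded-Proto and X-Forwarded-SSL, but only when the connection comes from a known LB address, so a client that reaches a Ranger host directly cannot influence the URL handed to KnoxSSO. The class, method, addresses and host name are hypothetical, and the example assumes the LB passes the client's original Host header through unchanged.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added illustration, not Ranger code: class, method and host names are hypothetical.
public class OriginUrlResolver {
    // Assumption: peer addresses of the load balancers allowed to set X-Forwarded-* headers.
    private final Set<String> trustedProxies;

    public OriginUrlResolver(Set<String> trustedProxies) {
        this.trustedProxies = trustedProxies;
    }

    // headers: request headers keyed by lower-cased name.
    // Assumption: the LB passes the client's original Host header through unchanged.
    public String originUrl(String peerAddr, String backendScheme, String hostHeader,
                            String requestUri, Map<String, String> headers) {
        String scheme = backendScheme;
        if (trustedProxies.contains(peerAddr)) {
            String proto = normalize(headers.get("x-forwarded-proto"));
            String ssl = normalize(headers.get("x-forwarded-ssl"));
            // Accept only exact, expected values; anything else keeps the backend's scheme.
            if (proto.equals("https") || ssl.equals("on")) {
                scheme = "https";
            } else if (proto.equals("http")) {
                scheme = "http";
            }
        }
        return scheme + "://" + hostHeader + requestUri;
    }

    private static String normalize(String value) {
        return value == null ? "" : value.trim().toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        // Constructed sample values: LB at 10.0.0.5, LB name ranger-lb.example.com.
        OriginUrlResolver r = new OriginUrlResolver(Set.of("10.0.0.5"));
        Map<String, String> fwd = Map.of("x-forwarded-proto", "https");
        String host = "ranger-lb.example.com";
        // TLS terminated at the LB: backend sees http, origin URL is the https LB URL.
        System.out.println(r.originUrl("10.0.0.5", "http", host, "/index.html", fwd));
        // The same header from a peer that is not the LB is ignored.
        System.out.println(r.originUrl("203.0.113.9", "http", host, "/index.html", fwd));
        // LB that sends no forwarded headers: the backend's own scheme is kept.
        System.out.println(r.originUrl("10.0.0.5", "http", host, "/index.html", Map.of()));
    }
}
```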

