ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Pradeep Agrawal (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (RANGER-2423) Ranger KnoxSSO authentication in Ranger HA environment
Date Tue, 14 May 2019 04:01:00 GMT

     [ https://issues.apache.org/jira/browse/RANGER-2423?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Pradeep Agrawal updated RANGER-2423:
------------------------------------
    Description: 
*Problem Description:*  If Ranger LB is non ssl and KnoxSSO is enabled then for the Knox
request originURL is the LB URL. However
If Ranger LB is ssl and KnoxSSO is enabled then for the Knox request originURL changes to
either of Ranger host. It is expected that behaviour of originURL should not change irrespective
of ranger ssl/non ssl mode.

Currently if Ranger LB is SSL enabled then sending X-Forwarded-Proto and X-Forwarded-SSL header
doesn't work. if these headers are not sent from LB then forward URL becomes the actual ranger-admin
URL than LB URL. 

*Proposed Solution:* If LB is SSL then proposed patch shall accept the X-Forwarded-Proto and
X-Forwarded-SSL headers and will ensure the origin URL is LB URL.

To send X-Forwarded-Proto and X-Forwarded-SSL Headers from Apache Httpd LB end, add below
lines in LB config file.

RequestHeader set "X-Forwarded-Proto" expr=%\{REQUEST_SCHEME}
RequestHeader set "X-Forwarded-SSL" expr=%\{HTTPS}

 

> Ranger KnoxSSO authentication in Ranger HA environment 
> -------------------------------------------------------
>
>                 Key: RANGER-2423
>                 URL: https://issues.apache.org/jira/browse/RANGER-2423
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Pradeep Agrawal
>            Assignee: Pradeep Agrawal
>            Priority: Major
>             Fix For: 2.0.0
>
>         Attachments: 0001-RANGER-2423-Ranger-KnoxSSO-authentication-in-Ranger-.patch
>
>
> *Problem Description:*  If Ranger LB is non ssl and KnoxSSO is enabled then for the
Knox request originURL is the LB URL. However
> If Ranger LB is ssl and KnoxSSO is enabled then for the Knox request originURL changes
to either of Ranger host. It is expected that behaviour of originURL should not change irrespective
of ranger ssl/non ssl mode.
> Currently if Ranger LB is SSL enabled then sending X-Forwarded-Proto and X-Forwarded-SSL
header doesn't work. if these headers are not sent from LB then forward URL becomes the actual
ranger-admin URL than LB URL. 
> *Proposed Solution:* If LB is SSL then proposed patch shall accept the X-Forwarded-Proto
and X-Forwarded-SSL headers and will ensure the origin URL is LB URL.
> To send X-Forwarded-Proto and X-Forwarded-SSL Headers from Apache Httpd LB end, add
below lines in LB config file.
> RequestHeader set "X-Forwarded-Proto" expr=%\{REQUEST_SCHEME}
> RequestHeader set "X-Forwarded-SSL" expr=%\{HTTPS}
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message