Repository: ranger
Updated Branches:
  refs/heads/master e483c201e -> 3d282ccbf


RANGER-2306 : Add support for X-Forwarded-for header in Knox plugin

Signed-off-by: Ramesh Mani <[email protected]>


Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/3d282ccb
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/3d282ccb
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/3d282ccb

Branch: refs/heads/master
Commit: 3d282ccbff805aee28e08f95729c1bb72cd1c33e
Parents: e483c20
Author: Vipin Rathor <[email protected]>
Authored: Thu Dec 6 15:46:01 2018 -0800
Committer: Ramesh Mani <[email protected]>
Committed: Wed Dec 12 11:45:53 2018 -0800

----------------------------------------------------------------------
 .../authorization/knox/KnoxRangerPlugin.java    | 13 ++++++++++
 .../authorization/knox/RangerPDPKnoxFilter.java | 26 +++++++++++++++++---
 2 files changed, 36 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/ranger/blob/3d282ccb/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java
----------------------------------------------------------------------
diff --git 
a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java
 
b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java
index d248785..814aedd 100644
--- 
a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java
+++ 
b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java
@@ -19,6 +19,7 @@
 
 package org.apache.ranger.authorization.knox;
 
+import java.util.List;
 import java.util.Set;
 
 import 
org.apache.ranger.authorization.knox.KnoxRangerPlugin.KnoxConstants.AccessType;
@@ -56,6 +57,8 @@ public class KnoxRangerPlugin extends RangerBasePlugin {
                Set<String> _groups;
                String _clientIp;
                String _clusterName;
+               String _remoteIp;
+               List<String> _forwardedAddresses;
                
                RequestBuilder service(String service) {
                        _service = service;
@@ -81,6 +84,14 @@ public class KnoxRangerPlugin extends RangerBasePlugin {
                        _clusterName = clusterName;
                        return this;
                }
+               RequestBuilder remoteIp(String remoteIp) {
+                       _remoteIp = remoteIp;
+                       return this;
+               }
+               RequestBuilder forwardedAddresses(List<String> 
forwardedAddresses) {
+                       _forwardedAddresses = forwardedAddresses;
+                       return this;
+               }
                void verifyBuildable() {
                        if (_topology == null) throw new 
IllegalStateException("_topology can't be null!");
                        if (_service == null) throw new 
IllegalStateException("_service can't be null!");
@@ -101,6 +112,8 @@ public class KnoxRangerPlugin extends RangerBasePlugin {
                        request.setUserGroups(_groups);
                        request.setResource(resource);
                        request.setClusterName(_clusterName);
+                       request.setRemoteIPAddress(_remoteIp);
+                       request.setForwardedAddresses(_forwardedAddresses);
                        return request;
                }
        }

http://git-wip-us.apache.org/repos/asf/ranger/blob/3d282ccb/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java
----------------------------------------------------------------------
diff --git 
a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java
 
b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java
index f84a3e0..e75f314 100644
--- 
a/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java
+++ 
b/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java
@@ -21,7 +21,9 @@ package org.apache.ranger.authorization.knox;
 import java.io.IOException;
 import java.security.AccessController;
 import java.security.Principal;
+import java.util.Arrays;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Set;
 
 import javax.security.auth.Subject;
@@ -31,6 +33,7 @@ import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.logging.Log;
@@ -40,6 +43,7 @@ import org.apache.knox.gateway.security.GroupPrincipal;
 import org.apache.knox.gateway.security.ImpersonatedPrincipal;
 import org.apache.knox.gateway.security.PrimaryPrincipal;
 import org.apache.ranger.audit.provider.MiscUtil;
+import org.apache.ranger.authorization.knox.KnoxRangerPlugin.RequestBuilder;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
 import org.apache.ranger.plugin.util.RangerPerfTracer;
@@ -131,21 +135,25 @@ public class RangerPDPKnoxFilter implements Filter {
 
                String clientIp = request.getRemoteAddr();
                String clusterName = plugin.getClusterName();
+               List<String> forwardedAddresses = 
getForwardedAddresses(request);
 
                if (LOG.isDebugEnabled()) {
                        LOG.debug("Checking access primaryUser: " + primaryUser
                                        + ", impersonatedUser: " + 
impersonatedUser
                                        + ", effectiveUser: " + user + ", 
groups: " + groups
-                                       + ", clientIp: " + clientIp + ", 
clusterName: "
-                                       + clusterName);
+                                       + ", clientIp: " + clientIp + ", 
clusterName: " + clusterName
+                           + ", remoteIp: " + clientIp + ", 
forwardedAddresses: " + forwardedAddresses);
                }
-               RangerAccessRequest accessRequest = new 
KnoxRangerPlugin.RequestBuilder()
+
+               RangerAccessRequest accessRequest = new RequestBuilder()
                        .service(serviceName)
                        .topology(topologyName)
                        .user(user)
                        .groups(groups)
                        .clientIp(clientIp)
                        .clusterName(clusterName)
+                       .remoteIp(clientIp)
+                       .forwardedAddresses(forwardedAddresses)
                        .build();
 
                boolean accessAllowed = false;
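Review bot: The new debug message logs the same `clientIp` value twice, once labelled `clientIp` and again labelled `remoteIp`, since `.remoteIp(clientIp)` is fed from the same `request.getRemoteAddr()` result; one label is enough, e.g. keep `+ ", clientIp: " + clientIp + ", clusterName: " + clusterName` followed by `+ ", forwardedAddresses: " + forwardedAddresses);`. The added continuation line is also indented with spaces while its neighbours use tabs. Note that `forwardedAddresses` is taken verbatim from a request header, so this debug line echoes client-supplied text; it is fine at debug level but should not be promoted to a higher level as-is. The enclosing method starts and ends outside this hunk.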
@@ -169,6 +177,18 @@ public class RangerPDPKnoxFilter implements Filter {
                }
        }
 
+       private List<String> getForwardedAddresses(ServletRequest request) {
+               List<String> forwardedAddresses = null;
+               if (request instanceof HttpServletRequest) {
+                       HttpServletRequest httpRequest = (HttpServletRequest) 
request;
+                       String xForwardedFor = 
httpRequest.getHeader("X-Forwarded-For");
+                       if(xForwardedFor != null) {
+                               forwardedAddresses = 
Arrays.asList(xForwardedFor.split(","));
+                       }
+               }
+               return forwardedAddresses;
+       }
+
        private void sendForbidden(HttpServletResponse res) {
                sendErrorCode(res, 403);
        }
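Review bot: `getForwardedAddresses` splits on a bare comma without trimming, so the conventional `client, proxy1, proxy2` form yields entries such as `" proxy1"` with a leading space, and an empty or whitespace-only header yields a list containing `""`; trimming each element and dropping blanks avoids spurious non-matches when the addresses are later compared against policy conditions. `getHeader` also returns only the first `X-Forwarded-For` header when a request carries several; `getHeaders` would see all of them, if that matters for the deployments targeted. Since any client or intermediate hop can set this header, only the entries appended by a trusted proxy are reliable, and a comment on the method stating that the returned list is untrusted input would help whoever consumes it in policy evaluation. The rewrite below needs `java.util.ArrayList` imported alongside the existing `java.util` imports.
```java
private List<String> getForwardedAddresses(ServletRequest request) {
	List<String> forwardedAddresses = null;
	if (request instanceof HttpServletRequest) {
		HttpServletRequest httpRequest = (HttpServletRequest) request;
		String xForwardedFor = httpRequest.getHeader("X-Forwarded-For");
		if (xForwardedFor != null) {
			// Header is client/proxy supplied: normalise "a, b, c" and skip blanks
			forwardedAddresses = new ArrayList<>();
			for (String address : xForwardedFor.split(",")) {
				String trimmed = address.trim();
				if (!trimmed.isEmpty()) {
					forwardedAddresses.add(trimmed);
				}
			}
		}
	}
	return forwardedAddresses;
}
```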
