This is an automated email from the ASF dual-hosted git repository.
spolavarapu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 3c37e7a RANGER-2762: Setting ssoEnabled flag in the user session if
request is from trusted proxy case or if the request is from knox sso case
3c37e7a is described below
commit 3c37e7aea13539f086766a78e2afa3859f9edde4
Author: Sailaja Polavarapu <[email protected]>
AuthorDate: Fri Mar 20 12:14:49 2020 -0700
RANGER-2762: Setting ssoEnabled flag in the user session if request is from
trusted proxy case or if the request is from knox sso case
---
.../src/main/java/org/apache/ranger/biz/SessionMgr.java | 13 +++++++++++++
.../apache/ranger/security/web/filter/RangerKrbFilter.java | 4 +++-
.../web/filter/RangerSecurityContextFormationFilter.java | 12 +++++-------
3 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
index ce09c36..b542a43 100644
--- a/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
+++ b/security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java
@@ -176,6 +176,19 @@ public class SessionMgr {
userSession.setSpnegoEnabled(true);
}
+ Boolean ssoEnabled;
+ if (authType == XXAuthSession.AUTH_TYPE_TRUSTED_PROXY) {
+ ssoEnabled = true;
+ } else {
+ Object ssoEnabledObj =
httpRequest.getAttribute("ssoEnabled");
+ ssoEnabled = ssoEnabledObj != null ?
Boolean.valueOf(String.valueOf(ssoEnabledObj)) :
PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false);
+ }
+
+ if (logger.isDebugEnabled()) {
+ logger.debug("session id = " +
userSession.getLoginId() + " ssoenabled = " + ssoEnabled);
+ }
+ userSession.setSSOEnabled(ssoEnabled);
+
resetUserSessionForProfiles(userSession);
resetUserModulePermission(userSession);
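Review bot: The added debug statement is labelled `session id` but prints `userSession.getLoginId()`, so anyone correlating logs will read a login name as a session identifier; `logger.debug("login id = " + userSession.getLoginId() + " ssoEnabled = " + ssoEnabled);` says what is actually logged. The `AUTH_TYPE_TRUSTED_PROXY` branch sets `ssoEnabled = true` without consulting the `ssoEnabled` request attribute or `ranger.sso.enabled`. Because the flag becomes session state that later code relies on, that branch deserves a one-line comment stating why a trusted-proxy login is treated as an SSO session. `ssoEnabled` is assigned on every path and is never null here, so a primitive `boolean` would express that better than `Boolean`. The enclosing method starts and ends outside this hunk.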
diff --git
a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
index b7b2b2a..223a991 100644
---
a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
+++
b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
@@ -523,7 +523,9 @@ public class RangerKrbFilter implements Filter {
agents = RangerCSRFPreventionFilter.BROWSER_USER_AGENTS_DEFAULT;
}
parseBrowserUserAgents(agents);
-
if(isBrowser(httpRequest.getHeader(RangerCSRFPreventionFilter.HEADER_USER_AGENT))
&& !allowTrustedProxy){
+ String doAsUser = request.getParameter("doAs");
+
if(isBrowser(httpRequest.getHeader(RangerCSRFPreventionFilter.HEADER_USER_AGENT))
&&
+ (!allowTrustedProxy || (allowTrustedProxy &&
StringUtils.isEmpty(doAsUser))) ){
((HttpServletResponse)response).setHeader(KerberosAuthenticator.WWW_AUTHENTICATE,
"");
filterChain.doFilter(request, response);
}else{
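Review bot: The browser pass-through branch now depends on the client-supplied `doAs` parameter, and the condition expressing that is harder to audit than it needs to be: the `allowTrustedProxy &&` inside the second disjunct is redundant, so `&& (!allowTrustedProxy || StringUtils.isEmpty(doAsUser))` is equivalent. A comment above the `if` would record the intent, for example `// Browser requests continue with an empty WWW-Authenticate header unless trusted proxy is enabled and a doAs user is supplied`. `request.getParameter("doAs")` matches the name case-sensitively and, for form-encoded POSTs, parses the request body. Whatever code later resolves the impersonated user should use the same lookup, so the two cannot disagree about whether `doAs` is present. The enclosing method starts and ends outside this hunk.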
diff --git
a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
index 99fb21f..6cc3a81 100644
---
a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
+++
b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java
@@ -125,11 +125,6 @@ public class RangerSecurityContextFormationFilter extends
GenericFilterBean {
authType, userAgent,
httpRequest);
if (userSession != null) {
-
- Object ssoEnabledObj =
request.getAttribute("ssoEnabled");
- Boolean ssoEnabled = ssoEnabledObj !=
null ? Boolean.valueOf(String.valueOf(ssoEnabledObj)) :
PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false);
- userSession.setSSOEnabled(ssoEnabled);
-
if
(userSession.getClientTimeOffsetInMinute() == 0) {
userSession.setClientTimeOffsetInMinute(clientTimeOffset);
}
@@ -158,8 +153,11 @@ public class RangerSecurityContextFormationFilter extends
GenericFilterBean {
if (ssoEnabled) {
authType = XXAuthSession.AUTH_TYPE_SSO;
- } else if (request.getAttribute("spnegoEnabled") != null &&
(boolean)request.getAttribute("spnegoEnabled")){
- if (request.getAttribute("trustedProxyEnabled") != null
&& (boolean)request.getAttribute("trustedProxyEnabled")) {
+ } else if (request.getAttribute("spnegoEnabled") != null &&
Boolean.valueOf(String.valueOf(request.getAttribute("spnegoEnabled")))){
+ if (request.getAttribute("trustedProxyEnabled") != null
&&
Boolean.valueOf(String.valueOf(request.getAttribute("trustedProxyEnabled")))) {
+ if (logger.isDebugEnabled()) {
+ logger.debug("Setting auth type as
trusted proxy");
+ }
authType =
XXAuthSession.AUTH_TYPE_TRUSTED_PROXY;
} else {
authType = XXAuthSession.AUTH_TYPE_KERBEROS;