Repository: incubator-ranger Updated Branches: refs/heads/master 321c9d963 -> fcb2ad322
RANGER-1023 : Handle requests from non-kerberized browser when Ranger is kerberized Signed-off-by: Velmurugan Periasamy <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/fcb2ad32 Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/fcb2ad32 Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/fcb2ad32 Branch: refs/heads/master Commit: fcb2ad322bf4528dc085b57dac0b7d8bcf431728 Parents: 321c9d9 Author: Ankita Sinha <[email protected]> Authored: Tue Jun 21 10:38:08 2016 +0530 Committer: Velmurugan Periasamy <[email protected]> Committed: Tue Jun 21 17:05:53 2016 -0400 ---------------------------------------------------------------------- .../web/filter/RangerCSRFPreventionFilter.java | 2 +- .../security/web/filter/RangerKrbFilter.java | 67 ++++++++++++++++---- .../conf.dist/ranger-admin-default-site.xml | 5 +- 3 files changed, 58 insertions(+), 16 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fcb2ad32/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerCSRFPreventionFilter.java ----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerCSRFPreventionFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerCSRFPreventionFilter.java
index 69a9d17..88e4b5a 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerCSRFPreventionFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerCSRFPreventionFilter.java
@@ -44,7 +44,7 @@ public class RangerCSRFPreventionFilter implements Filter {
 public static final boolean isCSRF_ENABLED = PropertiesUtil.getBooleanProperty("ranger.rest-csrf.enabled", true);
 public static final String BROWSER_USER_AGENT_PARAM = "ranger.rest-csrf.browser-useragents-regex";
- public static final String BROWSER_USER_AGENTS_DEFAULT = "^Mozilla.*,^Opera.*";
+ public static final String BROWSER_USER_AGENTS_DEFAULT = "^Mozilla.*,^Opera.*,^Chrome.*";
 public static final String CUSTOM_METHODS_TO_IGNORE_PARAM = "ranger.rest-csrf.methods-to-ignore";
 public static final String METHODS_TO_IGNORE_DEFAULT = "GET,OPTIONS,HEAD,TRACE";
 public static final String CUSTOM_HEADER_PARAM = "ranger.rest-csrf.custom-header";
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fcb2ad32/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java ----------------------------------------------------------------------
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
index 120f098..eb16c76 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
@@ -24,6 +24,7 @@ import org.apache.hadoop.security.authentication.server.AuthenticationToken;
 import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
 import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
 import org.apache.hadoop.security.authentication.util.*;
+import org.apache.ranger.common.PropertiesUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -43,6 +44,8 @@ import java.io.IOException; import java.security.Principal; import java.text.SimpleDateFormat; import java.util.*; +import java.util.regex.Matcher; +import java.util.regex.Pattern; @InterfaceAudience.Private @InterfaceStability.Unstable @@ -102,6 +105,10 @@ public class RangerKrbFilter implements Filter { public static final String SIGNER_SECRET_PROVIDER_ATTRIBUTE = "signer.secret.provider.object"; + private static final String BROWSER_USER_AGENT_PARAM = "ranger.krb.browser-useragents-regex"; + + private Set<Pattern> browserUserAgents; + private Properties config; private Signer signer; private SignerSecretProvider secretProvider; 
@@ -498,21 +505,30 @@ public class RangerKrbFilter implements Filter {
 errCode = HttpServletResponse.SC_FORBIDDEN;
 }
 if (authenticationEx == null) {
- boolean chk = true;
- Collection<String> headerNames = httpResponse.getHeaderNames();
- for(String headerName : headerNames){
- String value = httpResponse.getHeader(headerName);
- if(headerName.equalsIgnoreCase("Set-Cookie") && value.startsWith("RANGERADMINSESSIONID")){
- chk = false;
- break;
- }
- }
- String authHeader = httpRequest.getHeader("Authorization");
- if(authHeader == null && chk){
- filterChain.doFilter(request, response);
- }else if(authHeader != null && authHeader.startsWith("Basic")){
- filterChain.doFilter(request, response);
+ String agents = PropertiesUtil.getProperty(BROWSER_USER_AGENT_PARAM, RangerCSRFPreventionFilter.BROWSER_USER_AGENTS_DEFAULT);
+ if (agents == null) {
+ agents = RangerCSRFPreventionFilter.BROWSER_USER_AGENTS_DEFAULT;
 }
+ parseBrowserUserAgents(agents);
+ if(isBrowser(httpRequest.getHeader(RangerCSRFPreventionFilter.HEADER_USER_AGENT))){
+ filterChain.doFilter(request, response);
+ }else{
+ boolean chk = true;
+ Collection<String> headerNames = httpResponse.getHeaderNames();
+ for(String headerName : headerNames){
+ String value = httpResponse.getHeader(headerName);
+ if(headerName.equalsIgnoreCase("Set-Cookie") && value.startsWith("RANGERADMINSESSIONID")){
+ chk = false;
+ break;
+ }
+ }
+ String authHeader = httpRequest.getHeader("Authorization");
+ if(authHeader == null && chk){
+ filterChain.doFilter(request, response);
+ }else if(authHeader != null && authHeader.startsWith("Basic")){
+ filterChain.doFilter(request, response);
+ }
+ }
 } else {
 httpResponse.sendError(errCode, authenticationEx.getMessage());
 }
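Review bot: The new first branch calls `filterChain.doFilter(request, response)` whenever `isBrowser(...)` matches, and the only input to that decision is the client-supplied `User-Agent` header, so any client that sends a `Mozilla`-style value skips the `Set-Cookie`/`Authorization` checks that remain in the `else` branch. That is only safe if a later filter in the chain still authenticates the request, which this hunk does not show; a comment above the `if(isBrowser(` line should say so, e.g. `// User-Agent is untrusted: this only hands the request to the next filter, which must still authenticate it`. Separately, `parseBrowserUserAgents(agents)` now runs for every request that reaches this point and rewrites the instance field `browserUserAgents`; reading the property and compiling the patterns once at filter initialisation would avoid that. The enclosing method begins and ends outside the hunk.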
@@ -572,5 +588,28 @@ public class RangerKrbFilter implements Filter {
 sb.append("; HttpOnly");
 resp.addHeader("Set-Cookie", sb.toString());
 }
+
+ void parseBrowserUserAgents(String userAgents) {
+ String[] agentsArray = userAgents.split(",");
+ browserUserAgents = new HashSet<Pattern>();
+ for (String patternString : agentsArray) {
+ browserUserAgents.add(Pattern.compile(patternString));
+ }
+ }
+
+ protected boolean isBrowser(String userAgent) {
+ if (userAgent == null) {
+ return false;
+ }
+ if (browserUserAgents != null){
+ for (Pattern pattern : browserUserAgents) {
+ Matcher matcher = pattern.matcher(userAgent);
+ if (matcher.matches()) {
+ return true;
+ }
+ }
+ }
+ return false;
+ }
 }
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/fcb2ad32/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml ----------------------------------------------------------------------
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
index a2ed79a..c91e7fc 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
@@ -483,5 +483,8 @@
 <name>ranger.rest-csrf.browser-useragents-regex</name>
 <value>^Mozilla.*,^Opera.*,^Chrome.*</value>
 </property>
-
+ <property>
+ <value>ranger.krb.browser-useragents-regex</value>
+ <value>^Mozilla.*,^Opera.*,^Chrome.*</value>
+ </property>
 </configuration>
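Review bot: `parseBrowserUserAgents` in RangerKrbFilter.java assigns an empty `HashSet` to the `browserUserAgents` field and only then fills it, and the `@@ -498` hunk calls it per request, so a concurrent `isBrowser` on the same filter instance can iterate the set while it is being modified or find it still empty. Filling a local set and assigning the field last (`Set<Pattern> parsed = new HashSet<Pattern>();` … `browserUserAgents = parsed;`) closes that window. Entries are also compiled untrimmed, so a configured value such as `^Mozilla.*, ^Opera.*` yields a pattern with a leading space that `matches()` will never satisfy; `Pattern.compile(patternString.trim())` fixes that. Neither method has a Javadoc; one line each noting that matching is full-string via `matches()` and that the input is an untrusted request header would be enough.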
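Review bot: The added `<property>` in ranger-admin-default-site.xml has two `<value>` elements and no `<name>`; the first was presumably meant to be `<name>ranger.krb.browser-useragents-regex</name>`. As written the key is likely never defined from this file, and the Kerberos filter would behave as intended only because it falls back to `BROWSER_USER_AGENTS_DEFAULT`. An operator who edits this entry to tighten the pattern list may therefore see no effect.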
