[jira] [Created] (RANGER-2227) Visiting Ranger Admin UI forces subsequent requests to other services redirect to HTTPS

Fri, 14 Sep 2018 11:55:21 -0700 

Vipin Rathor created RANGER-2227:
------------------------------------

             Summary: Visiting Ranger Admin UI forces subsequent requests to 
other services redirect to HTTPS
                 Key: RANGER-2227
                 URL: https://issues.apache.org/jira/browse/RANGER-2227
             Project: Ranger
          Issue Type: Bug
          Components: admin
    Affects Versions: 1.1.0
            Reporter: Vipin Rathor


*Problem Description:*
 Visiting Ranger Admin UI in any browser (Firefox / Chrome) sets the HTTP 
Strict Transport Security (HSTS) header for the host where Ranger is running. 
Any subsequent request to other service on the same host (e.g. YARN RM UI etc.) 
over HTTP would get redirected to HTTPS because of this header and due to 
change in browser behavior recently: 
[Firefox|https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security]
 and [Chrome|https://www.chromium.org/hsts].


 Ideally, these headers should be configurable, so that admin can set them as 
per requirement. Like the way Knox expose this via 
[configuration|https://knox.apache.org/books/knox-1-1-0/user-guide.html#HTTP+Strict+Transport+Security],
 I recently reported similar in Knox via KNOX-1434

*Impact:*
 All the non-SSL requests to other services get redirected automatically to 
HTTPS and would result in SSL errors like: SSL_ERROR_RX_RECORD_TOO_LONG or some 
other error.

*Expected Behavior:*
 1. Unless HSTS is specifically enabled for Ranger Admin UI, it should not set 
HSTS header. Therefore, there should be a configurable option to enable/disable 
HSTS.
 2. HSTS should be disabled by default for Ranger Admin.

*Steps to reproduce:*
 1. Install & configure Ranger with SSL and a trusted CA (no self-signed)
 2. Also configure few other services like RM, Oozie on the same Ranger Admin 
host
 3. Once Ranger is up, visit Ranger Admin UI
 4. Now, in the same browser session, visit any non-SSL service running on the 
same Ranger host (like RM UI, Oozie UI).
 5. Browser will redirect this HTTP request to HTTPS.
 6. If one can carefully clear the HSTS header in browser, then redirection 
will stop until the next time one visits Ranger Admin UI again.

*Workaround:*
 Currently the workaround is to open Ranger Admin UI in a separate browser OR 
move Ranger Admin service to a host where other UI services are not installed.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to