[ https://issues.apache.org/jira/browse/RANGER-2227?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mehul Parikh reassigned RANGER-2227:
------------------------------------
Assignee: Nitin Galave
> Visiting Ranger Admin UI forces subsequent requests to other services
> redirect to HTTPS
> ---------------------------------------------------------------------------------------
>
> Key: RANGER-2227
> URL: https://issues.apache.org/jira/browse/RANGER-2227
> Project: Ranger
> Issue Type: Bug
> Components: admin
> Affects Versions: 1.1.0
> Reporter: Vipin Rathor
> Assignee: Nitin Galave
> Priority: Critical
>
> *Problem Description:*
> Visiting Ranger Admin UI in any browser (Firefox / Chrome) sets the HTTP
> Strict Transport Security (HSTS) header for the host where Ranger is running.
> Any subsequent request to other services on the same host (e.g. YARN RM UI
> etc.) over HTTP would get redirected to HTTPS because of this header and due
> to a recent change in browser behavior:
> [Firefox|https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security]
> and [Chrome|https://www.chromium.org/hsts].
> Ideally, these headers should be configurable, so that an admin can set them as
> per requirement, the way Knox exposes this via
> [configuration|https://knox.apache.org/books/knox-1-1-0/user-guide.html#HTTP+Strict+Transport+Security].
> I recently reported a similar issue in Knox via KNOX-1434.
> *Impact:*
> All the non-SSL requests to other services get redirected automatically to
> HTTPS and would result in SSL errors like: SSL_ERROR_RX_RECORD_TOO_LONG or
> some other error.
> *Expected Behavior:*
> 1. Unless HSTS is specifically enabled for Ranger Admin UI, it should not
> set HSTS header. Therefore, there should be a configurable option to
> enable/disable HSTS.
> 2. HSTS should be disabled by default for Ranger Admin.
> *Steps to reproduce:*
> 1. Install & configure Ranger with SSL and a trusted CA (no self-signed)
> 2. Also configure a few other services like RM, Oozie on the same Ranger Admin
> host
> 3. Once Ranger is up, visit Ranger Admin UI
> 4. Now, in the same browser session, visit any non-SSL service running on
> the same Ranger host (like RM UI, Oozie UI).
> 5. Browser will redirect this HTTP request to HTTPS.
> 6. If one carefully clears the HSTS entry in the browser, then the redirection
> will stop until the next time one visits Ranger Admin UI again.
> *Workaround:*
> Currently the workaround is to open Ranger Admin UI in a separate browser OR
> move Ranger Admin service to a host where other UI services are not installed.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
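The mechanism the report describes, as an added example that is not part of the issue or of Ranger's code base: a browser stores an HSTS policy per host when it sees the header over HTTPS (RFC 6797), then rewrites later plain-HTTP URLs for that host to HTTPS while keeping the original port, which is why a request to a plaintext listener such as the RM UI fails with a TLS error. The server-side helper shows the expected behaviour from the report (header off unless explicitly enabled); the property names `ranger.admin.hsts.enabled`, `ranger.admin.hsts.max-age` and `ranger.admin.hsts.include-subdomains` are placeholders, not real Ranger configuration keys, and all hosts and ports below are constructed.

```python
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(value: str):
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).
    Returns None when the value is invalid (max-age is mandatory)."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_sub, preload)


class BrowserHstsCache:
    """Minimal model of a browser's per-host HSTS store."""

    def __init__(self):
        self._hosts = {}  # host -> (expiry timestamp, includeSubDomains)

    def observe_response(self, url, headers, now=None):
        """Record the policy only for responses received over HTTPS (RFC 6797 8.1).
        A header received over plain HTTP is ignored by browsers."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme != "https":
            return
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        policy = parse_hsts(value) if value is not None else None
        if policy is None:
            return
        if policy.max_age == 0:
            self._hosts.pop(parts.hostname, None)  # max-age=0 clears the entry
        else:
            self._hosts[parts.hostname] = (now + policy.max_age, policy.include_subdomains)

    def is_known_host(self, host, now=None):
        """True if host (or a parent domain with includeSubDomains) has an unexpired entry."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue
            if i == 0 or entry[1]:
                return True
        return False

    def rewrite(self, url, now=None):
        """Return the URL the browser would actually fetch. The port is kept unless it
        is an explicit :80, so http://host:8088 becomes https://host:8088: a TLS
        handshake against the plaintext listener, hence errors such as
        SSL_ERROR_RX_RECORD_TOO_LONG from the report."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known_host(parts.hostname, now):
            return url
        netloc = parts.hostname if parts.port == 80 else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def hsts_header_for(config):
    """Header value the admin server should emit, per the report's expected behaviour:
    nothing unless HSTS is explicitly enabled. Key names are placeholders (assumption)."""
    if str(config.get("ranger.admin.hsts.enabled", "false")).lower() != "true":
        return None
    value = f"max-age={int(config.get('ranger.admin.hsts.max-age', 31536000))}"
    if str(config.get("ranger.admin.hsts.include-subdomains", "false")).lower() == "true":
        value += "; includeSubDomains"
    return value


if __name__ == "__main__":
    cache = BrowserHstsCache()
    # Constructed: admin UI on 6182 over HTTPS sends HSTS, RM UI on 8088 is plain HTTP.
    cache.observe_response("https://node1.example:6182/",
                           {"Strict-Transport-Security": "max-age=31536000"}, now=0)
    print(cache.rewrite("http://node1.example:8088/cluster", now=10))
    print(hsts_header_for({}), hsts_header_for({"ranger.admin.hsts.enabled": "true"}))
```

The cache model also covers the report's workaround: the entry is keyed by host, so a separate browser profile (empty store) or moving the admin service to another host leaves the plaintext services untouched.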