-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69519/
-----------------------------------------------------------
Review request for ranger.
Bugs: RANGER-2306
https://issues.apache.org/jira/browse/RANGER-2306
Repository: ranger
Description
-------
Please help review. Thanks in advance!
Diffs
-----
knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java
d248785d48ff22de25de1ccbc4caa6f2ca9edbee
knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java
f84a3e03dd4b8ef5dc581b3810873fdeacc5b718
Diff: https://reviews.apache.org/r/69519/diff/1/
Testing
-------
Tested with the following cURL command to simulate load balancer:
curl -ivk --header "X-Forwarded-For:172.26.68.210" -u hr1:BadPass#1 "https://172.25.39.164:8443/gateway/default/webhdfs/v1/?op=LISTSTATUS"
Without this patch, the above request failed with "403 Forbidden" since the correct IP
was not passed to the Ranger policy engine. This can be seen in the debug log below:
2018-12-06 20:42:15,049 DEBUG policyengine.RangerPolicyEngineImpl
(RangerPolicyEngineImpl.java:preProcess(240)) - ==>
RangerPolicyEngineImpl.preProcess(RangerAccessRequestImpl={resource={RangerResourceImpl={ownerUser={null}
elements={service=WEBHDFS; topology=default; } }} accessType={allow}
user={hr1} userGroups={HDP Ranger Admins hr hadoop-users } accessTime={Thu Dec
06 20:42:15 UTC 2018} clientIPAddress={172.26.68.215} forwardedAddresses={}
remoteIPAddress={null} clientType={null} action={allow} requestData={null}
sessionId={null} resourceMatchingScope={SELF} clusterName={c1141} context={} })
2018-12-06 20:42:15,049 DEBUG policyengine.RangerAccessRequestImpl
(RangerAccessRequestImpl.java:extractAndSetClientIPAddress(232)) - Using
X-Forward-For...
2018-12-06 20:42:15,049 DEBUG policyengine.RangerAccessRequestImpl
(RangerAccessRequestImpl.java:extractAndSetClientIPAddress(249)) - No
X-Forwarded-For addresses in the access-request
2018-12-06 20:42:15,049 DEBUG policyengine.RangerAccessRequestImpl
(RangerAccessRequestImpl.java:extractAndSetClientIPAddress(255)) - Old
Remote/Client IP Address=172.26.68.215, new IP Address=172.26.68.215
After applying the patch, the above cURL request passes with "200 OK" and with the
following debug logs (note the forwardedAddresses value and the Old and New IP
address values):
2018-12-06 20:48:52,239 DEBUG policyengine.RangerPolicyEngineImpl
(RangerPolicyEngineImpl.java:preProcess(240)) - ==>
RangerPolicyEngineImpl.preProcess(RangerAccessRequestImpl={resource={RangerResourceImpl={ownerUser={null}
elements={service=WEBHDFS; topology=default; } }} accessType={allow}
user={hr1} userGroups={HDP Ranger Admins hr hadoop-users } accessTime={Thu Dec
06 20:48:52 UTC 2018} clientIPAddress={172.26.68.215}
forwardedAddresses={172.26.68.210 172.26.68.215}
remoteIPAddress={172.26.68.215} clientType={null} action={allow}
requestData={null} sessionId={null} resourceMatchingScope={SELF}
clusterName={c1141} context={} })
2018-12-06 20:48:52,239 DEBUG policyengine.RangerAccessRequestImpl
(RangerAccessRequestImpl.java:extractAndSetClientIPAddress(232)) - Using
X-Forward-For...
2018-12-06 20:48:52,239 DEBUG policyengine.RangerAccessRequestImpl
(RangerAccessRequestImpl.java:extractAndSetClientIPAddress(255)) - Old
Remote/Client IP Address=172.26.68.215, new IP Address=172.26.68.210
Thanks,
Vipin Rathor
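
Added example, not part of the original e-mail or of the Ranger code base: a small audit over debug records of the shape quoted above, listing requests whose policy IP was replaced from X-Forwarded-For and whether the direct peer that supplied the header is a known load balancer. The header is set by whoever connects to Knox, as the cURL test shows, so the `trusted_proxies` set (an assumption about the deployment) is what separates a real load balancer from an arbitrary client.

```python
import re

# Constructed sample: the two "after patch" records from the e-mail, trimmed,
# still wrapped the way the mail client wrapped them.
SAMPLE = """\
2018-12-06 20:48:52,239 DEBUG policyengine.RangerPolicyEngineImpl
(RangerPolicyEngineImpl.java:preProcess(240)) - ==> user={hr1}
clientIPAddress={172.26.68.215}
forwardedAddresses={172.26.68.210 172.26.68.215}
remoteIPAddress={172.26.68.215} clientType={null}
2018-12-06 20:48:52,239 DEBUG policyengine.RangerAccessRequestImpl
(RangerAccessRequestImpl.java:extractAndSetClientIPAddress(255)) - Old
Remote/Client IP Address=172.26.68.215, new IP Address=172.26.68.210
"""

FIELD = re.compile(r"(user|forwardedAddresses)=\{([^}]*)\}")
REWRITE = re.compile(r"Old Remote/Client IP Address=([\d.]+), new IP Address=([\d.]+)")
STAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")

def unwrap(text):
    """Join mail-wrapped lines into one record per timestamp."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def audit(text, trusted_proxies):
    """List requests whose policy IP was taken from X-Forwarded-For."""
    findings, last = [], {}
    for rec in unwrap(text):
        fields = dict(FIELD.findall(rec))
        if fields:
            last = fields                      # preProcess dump for this request
        m = REWRITE.search(rec)
        if m and m.group(1) != m.group(2):     # IP used for policy was replaced
            peer, effective = m.groups()
            findings.append({"user": last.get("user"), "peer": peer, "effective": effective,
                             "forwarded": last.get("forwardedAddresses", "").split(),
                             "peer_trusted": peer in trusted_proxies})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, trusted_proxies=set()):  # no load balancers declared
        print(finding)
```

A finding with `peer_trusted` set to False means the IP used for policy evaluation came from a header sent by a host that is not a declared proxy.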