-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69519/#review211107
-----------------------------------------------------------

Ship it!

Ship It!

- Ramesh Mani


On Dec. 7, 2018, 2:39 a.m., Vipin Rathor wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69519/
> -----------------------------------------------------------
>
> (Updated Dec. 7, 2018, 2:39 a.m.)
>
>
> Review request for ranger.
>
>
> Bugs: RANGER-2306
>     https://issues.apache.org/jira/browse/RANGER-2306
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Please help review. Thanks in advance!
>
>
> Diffs
> -----
>
>   knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java d248785d48ff22de25de1ccbc4caa6f2ca9edbee
>   knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java f84a3e03dd4b8ef5dc581b3810873fdeacc5b718
>
>
> Diff: https://reviews.apache.org/r/69519/diff/1/
>
>
> Testing
> -------
>
> Tested with the following cURL command to simulate a load balancer:
> curl -ivk --header "X-Forwarded-For:172.26.68.210" -u hr1:BadPass#1 "https://172.25.39.164:8443/gateway/default/webhdfs/v1/?op=LISTSTATUS"
>
> Without this patch, the above request failed with "403 Forbidden" since the correct IP was not passed to the Ranger policy engine. This can be seen in the debug log below:
> 2018-12-06 20:42:15,049 DEBUG policyengine.RangerPolicyEngineImpl (RangerPolicyEngineImpl.java:preProcess(240)) - ==> RangerPolicyEngineImpl.preProcess(RangerAccessRequestImpl={resource={RangerResourceImpl={ownerUser={null} elements={service=WEBHDFS; topology=default; } }} accessType={allow} user={hr1} userGroups={HDP Ranger Admins hr hadoop-users } accessTime={Thu Dec 06 20:42:15 UTC 2018} clientIPAddress={172.26.68.215} forwardedAddresses={} remoteIPAddress={null} clientType={null} action={allow} requestData={null} sessionId={null} resourceMatchingScope={SELF} clusterName={c1141} context={} })
> 2018-12-06 20:42:15,049 DEBUG policyengine.RangerAccessRequestImpl (RangerAccessRequestImpl.java:extractAndSetClientIPAddress(232)) - Using X-Forward-For...
> 2018-12-06 20:42:15,049 DEBUG policyengine.RangerAccessRequestImpl (RangerAccessRequestImpl.java:extractAndSetClientIPAddress(249)) - No X-Forwarded-For addresses in the access-request
> 2018-12-06 20:42:15,049 DEBUG policyengine.RangerAccessRequestImpl (RangerAccessRequestImpl.java:extractAndSetClientIPAddress(255)) - Old Remote/Client IP Address=172.26.68.215, new IP Address=172.26.68.215
>
>
> After applying the patch, the above cURL request passes with "200 OK" and with the following debug logs (note the forwardedAddresses value and the Old and New IP address values):
> 2018-12-06 20:48:52,239 DEBUG policyengine.RangerPolicyEngineImpl (RangerPolicyEngineImpl.java:preProcess(240)) - ==> RangerPolicyEngineImpl.preProcess(RangerAccessRequestImpl={resource={RangerResourceImpl={ownerUser={null} elements={service=WEBHDFS; topology=default; } }} accessType={allow} user={hr1} userGroups={HDP Ranger Admins hr hadoop-users } accessTime={Thu Dec 06 20:48:52 UTC 2018} clientIPAddress={172.26.68.215} forwardedAddresses={172.26.68.210 172.26.68.215} remoteIPAddress={172.26.68.215} clientType={null} action={allow} requestData={null} sessionId={null} resourceMatchingScope={SELF} clusterName={c1141} context={} })
> 2018-12-06 20:48:52,239 DEBUG policyengine.RangerAccessRequestImpl (RangerAccessRequestImpl.java:extractAndSetClientIPAddress(232)) - Using X-Forward-For...
> 2018-12-06 20:48:52,239 DEBUG policyengine.RangerAccessRequestImpl (RangerAccessRequestImpl.java:extractAndSetClientIPAddress(255)) - Old Remote/Client IP Address=172.26.68.215, new IP Address=172.26.68.210
>
>
> Thanks,
>
> Vipin Rathor
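
Added example, not part of the original review request or of the Ranger code base: a Python audit over Ranger debug lines of the shape quoted above, reporting each request whose policy-evaluated client IP was replaced by an X-Forwarded-For value and whether the direct peer was an expected load balancer. The function name, the `trusted_proxies` allow-list and the sample lines are assumptions constructed for illustration.

```python
import re

# Field layout follows the two DEBUG line shapes quoted in the review request.
REQ = re.compile(r"\buser=\{(?P<user>[^}]*)\}.*?clientIPAddress=\{(?P<peer>[^}]*)\}"
                 r".*?forwardedAddresses=\{(?P<fwd>[^}]*)\}")
SWAP = re.compile(r"Old Remote/Client IP Address=(?P<old>[^,\s]+), "
                  r"new IP Address=(?P<new>\S+)")

def audit_forwarded(lines, trusted_proxies):
    """Report requests whose policy IP was replaced by an X-Forwarded-For value.
    Assumes one request's two lines are adjacent (a simplification); trusted_proxies
    is a hypothetical allow-list of load balancer addresses."""
    findings, pending = [], None
    for line in lines:
        req = REQ.search(line)
        if req:
            pending = req.groupdict()
            continue
        swap = SWAP.search(line)
        if swap and pending:
            if swap["old"] != swap["new"]:      # header value overrode the peer IP
                findings.append({
                    "user": pending["user"],
                    "peer": swap["old"],
                    "policy_ip": swap["new"],
                    "forwarded": pending["fwd"].split(),
                    "peer_is_trusted_proxy": swap["old"] in trusted_proxies,
                })
            pending = None
    return findings

# Constructed sample lines (abbreviated, documentation-range addresses).
SAMPLE = [
    "DEBUG ... preProcess(RangerAccessRequestImpl={resource={RangerResourceImpl="
    "{ownerUser={null} elements={service=WEBHDFS; topology=default; } }} "
    "user={hr1} userGroups={hr } clientIPAddress={192.0.2.10} "
    "forwardedAddresses={198.51.100.7 192.0.2.10} remoteIPAddress={192.0.2.10} })",
    "DEBUG ... Old Remote/Client IP Address=192.0.2.10, new IP Address=198.51.100.7",
    "DEBUG ... preProcess(RangerAccessRequestImpl={user={it2} userGroups={it } "
    "clientIPAddress={203.0.113.50} forwardedAddresses={198.51.100.9 203.0.113.50} })",
    "DEBUG ... Old Remote/Client IP Address=203.0.113.50, new IP Address=198.51.100.9",
    "DEBUG ... preProcess(RangerAccessRequestImpl={user={hr1} userGroups={hr } "
    "clientIPAddress={192.0.2.10} forwardedAddresses={} remoteIPAddress={null} })",
    "DEBUG ... Old Remote/Client IP Address=192.0.2.10, new IP Address=192.0.2.10",
]

if __name__ == "__main__":
    for finding in audit_forwarded(SAMPLE, trusted_proxies={"192.0.2.10"}):
        print(finding)
```

A finding with `peer_is_trusted_proxy` set to false means an IP-based policy was evaluated against a header value that did not arrive through a known load balancer.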