-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/70632/#review215215
-----------------------------------------------------------


Ship it!





- Ramesh Mani


On May 13, 2019, 1:25 p.m., Pradeep Agrawal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/70632/
> -----------------------------------------------------------
> 
> (Updated May 13, 2019, 1:25 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay 
> Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Ramesh 
> Mani, Sailaja Polavarapu, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2423
>     https://issues.apache.org/jira/browse/RANGER-2423
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> **Problem Description:** If Ranger LB is non-SSL and KnoxSSO is enabled, then 
> for the Knox request the originURL is the LB URL. However, 
> if Ranger LB is SSL and KnoxSSO is enabled, then for the Knox request the 
> originURL changes to either of the Ranger hosts. It is expected that the behaviour of 
> originURL should not change irrespective of Ranger SSL/non-SSL mode.
> 
> Currently, if Ranger LB is SSL enabled, then sending the X-Forwarded-Proto and 
> X-Forwarded-SSL headers doesn't work. If these headers are not sent from the LB, 
> then the forward URL becomes the actual ranger-admin URL rather than the LB URL.
> 
> **Proposed Solution:** If the LB is SSL, then the proposed patch shall accept the 
> X-Forwarded-Proto and X-Forwarded-SSL headers and will ensure the origin URL 
> is the LB URL.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java 8a6c39b8f
> 
> 
> Diff: https://reviews.apache.org/r/70632/diff/1/
> 
> 
> Testing
> -------
> 
> Scenario tested when LB is simple and SSL enabled.
> 1. Tested Ranger HA with knoxproxy
> 2. Tested Ranger HA with Knoxsso
> 3. Tested Ranger HA with knoxproxy and knoxSSO
> 4. Tested Ranger HA with Knoxsso through curl (using hadoop-jwt token)
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>
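
The header handling described in the review request, as an added example that is not code from the Ranger patch: it derives the origin URL scheme from X-Forwarded-Proto or X-Forwarded-SSL, and honours them only when the request arrives from a known load balancer, since any client can send these headers. The class and method names, the `TRUSTED_LB` allowlist, the addresses and the host name are assumptions made for illustration.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

public class OriginUrlExample {
    // Hypothetical allowlist: addresses of load balancers allowed to set X-Forwarded-* headers.
    static final Set<String> TRUSTED_LB = Set.of("10.0.0.5");

    /** Scheme the browser used towards the LB; forwarded headers count only from a trusted LB. */
    static String clientScheme(String remoteAddr, String connScheme, Map<String, String> headers) {
        if (!TRUSTED_LB.contains(remoteAddr)) {
            return connScheme; // direct or unknown peer: the headers are client-controlled, ignore them
        }
        String proto = headers.get("X-Forwarded-Proto");
        if ("https".equalsIgnoreCase(proto) || "http".equalsIgnoreCase(proto)) {
            return proto.toLowerCase(Locale.ROOT); // accept exact values only, never free text
        }
        if ("on".equalsIgnoreCase(headers.get("X-Forwarded-SSL"))) {
            return "https";
        }
        return connScheme; // no usable header: fall back to the scheme of the LB-to-admin connection
    }

    /** Origin URL handed to the SSO provider; host is the Host header as passed through by the LB. */
    static String originUrl(String remoteAddr, String connScheme, String host, String uri,
                            Map<String, String> headers) {
        return clientScheme(remoteAddr, connScheme, headers) + "://" + host + uri;
    }

    public static void main(String[] args) {
        // Constructed sample requests; header names are matched case-insensitively, as in HTTP.
        Map<String, String> viaProto = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        viaProto.put("x-forwarded-proto", "https");
        Map<String, String> viaSsl = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        viaSsl.put("X-Forwarded-SSL", "on");
        String host = "ranger-lb.example.com"; // constructed LB host name
        System.out.println(originUrl("10.0.0.5", "http", host, "/index.html", viaProto));
        System.out.println(originUrl("10.0.0.5", "http", host, "/index.html", viaSsl));
        // Same header from an address that is not the LB: the scheme stays that of the connection.
        System.out.println(originUrl("203.0.113.9", "http", host, "/index.html", viaProto));
    }
}
```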
