[jira] [Updated] (RANGER-2423) Ranger KnoxSSO authentication in Ranger HA environment

Mon, 13 May 2019 21:01:23 -0700 


     [ 
https://issues.apache.org/jira/browse/RANGER-2423?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pradeep Agrawal updated RANGER-2423:
------------------------------------
    Description: 
*Problem Description:*  If Ranger LB is non ssl and KnoxSSO is enabled then for 
the Knox request originURL is the LB URL. However
If Ranger LB is ssl and KnoxSSO is enabled then for the Knox request originURL 
changes to either of Ranger host. It is expected that behaviour of originURL 
should not change irrespective of ranger ssl/non ssl mode.

Currently if Ranger LB is SSL enabled then sending X-Forwarded-Proto and 
X-Forwarded-SSL header doesn't work. if these headers are not sent from LB then 
forward URL becomes the actual ranger-admin URL than LB URL. 

*Proposed Solution:* If LB is SSL then proposed patch shall accept the 
X-Forwarded-Proto and X-Forwarded-SSL headers and will ensure the origin URL is 
LB URL.

To send X-Forwarded-Proto and X-Forwarded-SSL Headers from Apache Httpd LB end, 
add below lines in LB config file.

RequestHeader set "X-Forwarded-Proto" expr=%\{REQUEST_SCHEME}
RequestHeader set "X-Forwarded-SSL" expr=%\{HTTPS}

 

> Ranger KnoxSSO authentication in Ranger HA environment 
> -------------------------------------------------------
>
>                 Key: RANGER-2423
>                 URL: https://issues.apache.org/jira/browse/RANGER-2423
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Pradeep Agrawal
>            Assignee: Pradeep Agrawal
>            Priority: Major
>             Fix For: 2.0.0
>
>         Attachments: 
> 0001-RANGER-2423-Ranger-KnoxSSO-authentication-in-Ranger-.patch
>
>
> *Problem Description:*  If Ranger LB is non ssl and KnoxSSO is enabled then 
> for the Knox request originURL is the LB URL. However
> If Ranger LB is ssl and KnoxSSO is enabled then for the Knox request 
> originURL changes to either of Ranger host. It is expected that behaviour of 
> originURL should not change irrespective of ranger ssl/non ssl mode.
> Currently if Ranger LB is SSL enabled then sending X-Forwarded-Proto and 
> X-Forwarded-SSL header doesn't work. if these headers are not sent from LB 
> then forward URL becomes the actual ranger-admin URL than LB URL. 
> *Proposed Solution:* If LB is SSL then proposed patch shall accept the 
> X-Forwarded-Proto and X-Forwarded-SSL headers and will ensure the origin URL 
> is LB URL.
> To send X-Forwarded-Proto and X-Forwarded-SSL Headers from Apache Httpd LB 
> end, add below lines in LB config file.
> RequestHeader set "X-Forwarded-Proto" expr=%\{REQUEST_SCHEME}
> RequestHeader set "X-Forwarded-SSL" expr=%\{HTTPS}
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to