> On June 29, 2019, 2:58 a.m., Don Bosco Durai wrote: > > security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java > > Lines 280 (patched) > > <https://reviews.apache.org/r/70893/diff/1/?file=2151380#file2151380line280> > > > > Just curios, what happens if the request URL is https and > > xForwardedProt is http? Is it a valid combination? > > > > Also, any reason, we are not checking just for "http:"? Instead, 2 > > conditions?
=>I don't think its a valid combination but it may happen. Usually, xForwardedProto is either provided as header by user or it can be overridden by proxy/load-balancer. if its decided by proxy/load-balancer then it will be according to the request but user may make a mistake by putting http rather actually https is needed. line 283 will make the forwardURL similar to the requestURL and will ignore the xForwardedProto value. => When load balancer is in https and ranger is in http and knoxSSO is enabled and if x-forwarded-host is not provided then we can assume that the request can be forwarded to the same host from where the request is coming here though LB is in ssl, received requestURL was in http(bit strange may be LB issue probably similar to https://stackoverflow.com/questions/29469929/why-does-request-getrequesturl-return-non-https-url) so to handle this situation I am considering xForwardedProto value which was https so replacing http with https. since i am using startsWith() method and https starts with http so just for http case i need to add extra condition here as i want to replace http only and avoid wrong replaces like https -> httpss if requestURL contains https then line 283 shall make the requestURL to be a forwardURL. If there is a better way to handle this please advice. - Pradeep ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/70893/#review216240 ----------------------------------------------------------- On June 19, 2019, 4:22 p.m., Pradeep Agrawal wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/70893/ > ----------------------------------------------------------- > > (Updated June 19, 2019, 4:22 p.m.) > > > Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay > Kulkarni, Madhan Neethiraj, Mehul Parikh, Nikhil P, Nitin Galave, Ramesh > Mani, Sailaja Polavarapu, and Velmurugan Periasamy. > > > Bugs: RANGER-2477 > https://issues.apache.org/jira/browse/RANGER-2477 > > > Repository: ranger > > > Description > ------- > > Ranger is unable to forward the request to Ranger if LB is SSL and KnoxSSO is > enabled and x-forwarded-host header is not forwarded from LB. Usually Ranger > expects that x-forwarded-host shall be provided by LB so current > implementation forward the request to the same host but does not change the > protocol to https if LB is also SSL(x-forwarded-proto) > > Proposed solution: proposed patch contains changes which shall replace the > x-forwarded-proto value in the request URL if request URL contains protocol > http while x-forwarded-proto value is https. > > > Diffs > ----- > > > security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java > c3fbe9c23 > > > Diff: https://reviews.apache.org/r/70893/diff/1/ > > > Testing > ------- > > Tested knoxsso, knox proxy and ranger HA based authentications. > > > Thanks, > > Pradeep Agrawal > >
