[
https://issues.apache.org/jira/browse/RANGER-3602?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17484139#comment-17484139
]
kirby zhou commented on RANGER-3602:
------------------------------------
I think I found the reason:
in security-applicationContext.xml
{code:java}
<security:http pattern="/service/assets/policyList/*" security="none"/>
<security:http pattern="/service/assets/resources/grant" security="none"/>
<security:http pattern="/service/assets/resources/revoke" security="none"/>
<security:http pattern="/service/plugins/policies/download/*" security="none"/>
<security:http pattern="/service/plugins/services/grant/*" security="none"/>
<security:http pattern="/service/plugins/services/revoke/*" security="none"/>
<security:http pattern="/service/tags/download/*" security="none"/>
<security:http pattern="/service/roles/download/*" security="none"/>
{code}
The code above prevents a group of APIs from being authenticated by
krbAuthenticationFilter [org.apache.ranger.security.web.filter.RangerKRBAuthenticationFilter].
And RangerBizUtil.failUnauthenticatedIfNotAllowed will deny requests without
auth when Kerberos is enabled.
So they can only be visited with ranger.admin.allow.unauthenticated.access = true.
I don't know the motive for doing this.
So what is the best practice when Kerberos is enabled?
Is it "unauthenticated.access = true"? Maybe somebody thinks downloading policies, tags
and roles can be public. But what about grant and revoke? It looks dangerous.
> Can not access RestAPI when Ranger authenticated with Kerberos.
> ---------------------------------------------------------------
>
> Key: RANGER-3602
> URL: https://issues.apache.org/jira/browse/RANGER-3602
> Project: Ranger
> Issue Type: Bug
> Components: admin
> Affects Versions: 2.2.0
> Reporter: kirby zhou
> Priority: Major
>
> When I configured Ranger with Kerberos, I cannot access its RESTful API with
> ranger.admin.allow.unauthenticated.access = false
>
> {code:java}
> # ranger.admin.allow.unauthenticated.access = false in ranger-admin-site.xml
> ]$ curl -v 'http://localhost:6080/service/plugins/policies/download/kmsdev'
> < HTTP/1.1 200 OK
> # ranger.admin.allow.unauthenticated.access = true in ranger-admin-site.xml
> ]$ kinit freeman@SA
> Password for freeman@SA:
> ]$ klist
> Ticket cache: KCM:1000
> Default principal: freeman@SA
> ]$ curl -v -u: --negotiate 'http://localhost:6080/service/plugins/policies/download/kmsdev'
> * Trying ::1...
> * TCP_NODELAY set
> * Connected to localhost (::1) port 6080 (#0)
> > GET /service/plugins/policies/download/kmsdev HTTP/1.1
> > Host: localhost:6080
> > User-Agent: curl/7.61.1
> > Accept: */*
> >
> < HTTP/1.1 404 Not Found
> < Content-Length: 0
> < Date: Thu, 27 Jan 2022 12:30:26 GMT
> < Server: Apache Ranger
> <
> * Connection #0 to host localhost left intact
> {code}
>
> curl does not even get a chance to do authentication.
>
> My configurations:
> core-site.xml
>
> {code:java}
> <configuration>
> <property>
> <name>hadoop.security.authentication</name>
> <value>kerberos</value>
> </property>
> <property>
> <name>hadoop.security.authorization</name>
> <value>true</value>
> </property>
> <property>
> <name>hadoop.security.auth_to_local</name>
> <value>
> RULE:[1:$1@$0](^.*$)s/^(.*)@.*$/$1/
> RULE:[2:$1@$0](^.*$)s/^(.*)@.*$/$1/
> DEFAULT
> </value>
> </property>
> </configuration>
> {code}
>
>
> ranger-admin-kms.xml
>
> {code:java}
> <configuration>
> ...
> <property>
> <name>ranger.service.https.attrib.ssl.enabled</name>
> <value>false</value>
> </property>
> <property>
> <name>ranger.service.host</name>
> <value>localhost</value>
> </property>
> <property>
> <name>ranger.service.http.port</name>
> <value>6080</value>
> </property>
> <property>
> <name>ranger.admin.kerberos.keytab</name>
> <value>/sensorsdata/main/program/rogue/ranger_admin/conf/ranger.keytab</value>
> </property>
> <property>
> <name>ranger.spnego.kerberos.principal</name>
> <value>HTTP/kirbytest01.sa@SA</value>
> </property>
> <property>
> <name>ranger.spnego.kerberos.keytab</name>
> <value>/sensorsdata/main/program/rogue/ranger_admin/conf/ranger.keytab</value>
> </property>
> <property>
> <name>ranger.lookup.kerberos.principal</name>
> <value>rangerlookup/kirbytest01.sa@SA</value>
> </property>
> <property>
> <name>ranger.lookup.kerberos.keytab</name>
> <value>/sensorsdata/main/program/rogue/ranger_admin/conf/ranger.keytab</value>
> </property>
> <property>
> <name>ranger.admin.allow.unauthenticated.access</name>
> <value>false</value>
> <!-- it is default -->
> </property>
> ...
> </configuration>
> {code}
>
> Workaround:
> set "ranger.admin.allow.unauthenticated.access" = "true" in ranger-admin-site.xml
>
> I have no idea now.
>
--
This message was sent by Atlassian Jira (v8.20.1#820001)
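As an added example (not code from the Ranger project or from anyone in this thread), a small audit script that reads the security="none" exemptions out of a Spring Security context like the security-applicationContext.xml excerpt quoted in the comment, tells you which exempted pattern a given request path would fall under, and flags the grant/revoke paths as state-changing rather than read-only. The XML below is a constructed sample, and the Ant-pattern matching is an approximation of Spring's AntPathMatcher, not the real implementation.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the security-applicationContext.xml excerpt in the comment.
SAMPLE_CONTEXT = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security">
  <security:http pattern="/service/assets/resources/grant" security="none"/>
  <security:http pattern="/service/plugins/policies/download/*" security="none"/>
  <security:http pattern="/service/plugins/services/revoke/*" security="none"/>
  <security:http pattern="/service/roles/download/*" security="none"/>
  <security:http use-expressions="true">
    <security:intercept-url pattern="/**" access="isAuthenticated()"/>
  </security:http>
</beans>"""

SEC_NS = "{http://www.springframework.org/schema/security}"
STATE_CHANGING = ("grant", "revoke")  # endpoints that alter policies, not just read them


def unauthenticated_patterns(xml_text):
    """URL patterns whose requests never reach the security filter chain (security='none')."""
    root = ET.fromstring(xml_text)
    return [h.get("pattern") for h in root.iter(SEC_NS + "http")
            if h.get("security") == "none" and h.get("pattern")]


def ant_to_regex(pattern):
    """Approximation of Spring's AntPathMatcher: '*' stays in one segment, '**' spans segments."""
    parts = [(".*" if t == "**" else "[^/]*") if t in ("*", "**") else re.escape(t)
             for t in re.split(r"(\*\*|\*)", pattern)]
    return re.compile("^" + "".join(parts) + "$")


def bypassing_pattern(path, patterns):
    """First exempted pattern matching the request path, or None if the filters apply."""
    for p in patterns:
        if ant_to_regex(p).match(path):
            return p
    return None


def audit(xml_text):
    """(pattern, risk) for every exemption; grant/revoke paths are flagged as state-changing."""
    return [(p, "state-changing" if any(w in p for w in STATE_CHANGING) else "read-only")
            for p in unauthenticated_patterns(xml_text)]
```

Run audit() against the deployed context file to see which exemptions need the ranger.admin.allow.unauthenticated.access gate, and bypassing_pattern() to check whether a path such as the one in the curl reproduction ever reaches the Kerberos filter.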