-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73881/
-----------------------------------------------------------

Review request for ranger.


Bugs: RANGER-3619
    https://issues.apache.org/jira/browse/RANGER-3619


Repository: ranger


Description
-------

The REST API should return 403 Forbidden when an authenticated client is not 
allowed to access an API, to avoid crashing Ranger clients.

 
Now, some APIs return 401 Unauthorized instead of 403 Forbidden when a client 
has already passed authentication but is not allowed to do something.
In general, this will not cause any serious problems. However, there is a flaw 
in the SPNEGO protocol implementation of Java's HttpURLConnection. It causes the 
client to throw an unexpected exception. This troubles operators and 
developers.
 
Let me show you how it happens:
 
For example:
 
The RangerAdminClient inside KMS wants to access the API 
"/service/secure/policies/download", but the principal is not in the allowlist.
 
RangerAdminClient is based on Jersey Client.
Jersey Client sends an HTTP request to the Ranger service without authentication 
information.
Tomcat/Spring inside Ranger returns 401 with the HTTP header “WWW-Authenticate: 
Negotiate”.
Jersey Client sends the request again with Kerberos/SPNEGO authentication tokens.
Tomcat/Spring inside Ranger accepts the authentication, then calls 
ServiceREST::getSecureServicePoliciesIfUpdated to serve the API call.
ServiceREST::getSecureServicePoliciesIfUpdated checks the allowlist of the “kms 
service”, and refuses the client with 401.
Tomcat/Spring inside Ranger returns 401 with the HTTP header “WWW-Authenticate: 
Negotiate….” to notify RangerAdminClient that authentication has passed.
 
Now there is a malformed state: the HTTP status code tells the client that 
authentication failed, but the HTTP header tells the client that authentication passed.
 
On the RangerAdminClient side:
 
sun.net.www.protocol.http.HttpURLConnection.getInputStream0() sees the second 
401.
'inNegotiate' is true, so it is in the middle of a Negotiate exchange.
It checks: if a "WWW-Authenticate: Negotiate" header exists, then disable 
negotiate for the following code, to avoid trying Negotiate once again.
But "WWW-Authenticate: Negotiate xczsd324…" does not match the rule above.
So HttpURLConnection calls AuthenticationInfo.sendHeaders to generate a new 
request header.
Wow, a NullPointerException happens.
It logs "ERROR RangerAdminRESTClient - Error getting policies; Received NULL 
response!!. secureMode=true, user=… (auth:KERBEROS), serviceName=kmsdev"
Log of KMS: "ERROR RangerAdminRESTClient - Failed to get response, Error is : 
java.lang.RuntimeException: java.lang.NullPointerException"
 
This log confuses the admin.


Diffs
-----

  security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 
1ec1df0a3d09577c52e503532d5aea87ad6cd72d 
  security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java 
935435044624a38ce7b0b9c7401e3f3dbacc0f65 
  security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 
8109968e4d55de9e7875fb56590e50522fba32cb 
  security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java 
e3cdef1c2ba6411cf4d4a26cd49e56e9017f3e93 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
098188e3b9f1f837727c7d279a4fab1f0aa84e34 
  security-admin/src/main/java/org/apache/ranger/rest/TagREST.java 
10f91e037180a50287b8d0b0fa0ea3eec0d7f415 
  security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java 
451805321d050dda06a0f2b66a9b945411632e2f 
  security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java 5d7cbdc679c010a7b88c85324e6f9912cba29fe6 
  security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java 223a991c76bae7d25f5ce89604d0a8a90d426fe5 


Diff: https://reviews.apache.org/r/73881/diff/1/


Testing
-------


Thanks,

Kirby Zhou
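The distinction the request above argues for, written out as an added example (this is not Ranger's code and not part of the review request): a resource-layer authorization check that emits 401 plus a WWW-Authenticate challenge only when no principal was authenticated at all, and a plain 403 with no WWW-Authenticate header when an authenticated principal is simply not in the allowlist, so an HttpURLConnection that is mid-way through a SPNEGO negotiation never sees a "401 + Negotiate <token>" combination from the authorization step. The class and method names (PolicyDownloadAuthz, check, require), the allowlist parameter and the sample principals are hypothetical; the code assumes a Kerberos/SPNEGO filter in front of the resource has already populated the remote user.

```java
import java.util.Collections;
import java.util.Set;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;

/**
 * Added example, not Ranger code. Separates "who are you?" (401, with a
 * WWW-Authenticate challenge) from "you may not do this" (403, no challenge).
 *
 * Assumption (hypothetical): the SPNEGO filter in front of the resource has
 * already authenticated the caller, so `principal` is non-null whenever
 * authentication succeeded. `downloadAllowlist` stands for the set of
 * principals the service owner permits to call the policy-download API.
 */
public final class PolicyDownloadAuthz {

    private PolicyDownloadAuthz() {}

    /**
     * Returns null when the call may proceed, otherwise the error response
     * the resource method should raise.
     */
    public static Response check(String principal, Set<String> downloadAllowlist) {
        if (principal == null || principal.isEmpty()) {
            // No authenticated identity at all. Only here is 401 correct, and
            // only here does a WWW-Authenticate challenge belong. Normally the
            // authentication filter produces this; a resource method should
            // rarely reach this branch.
            return Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Negotiate")
                    .entity("Authentication required")
                    .build();
        }
        if (!downloadAllowlist.contains(principal)) {
            // Authenticated but not permitted: 403, and deliberately no
            // WWW-Authenticate header, so a client still inside a SPNEGO
            // negotiation does not interpret the reply as another challenge.
            return Response.status(Response.Status.FORBIDDEN)
                    .entity("User " + principal + " is not allowed to download policies")
                    .build();
        }
        return null;
    }

    /** Convenience wrapper for use at the top of a JAX-RS resource method. */
    public static void require(String principal, Set<String> downloadAllowlist) {
        Response denied = check(principal, downloadAllowlist);
        if (denied != null) {
            throw new WebApplicationException(denied);
        }
    }

    // Usage inside a hypothetical resource method (names are assumptions):
    //   PolicyDownloadAuthz.require(request.getRemoteUser(), allowlistFor(serviceName));

    public static void main(String[] args) {
        // Constructed sample principals, not taken from any real deployment.
        Set<String> allow = Collections.singleton("kms/host1.example.com@EXAMPLE.COM");
        System.out.println(check(null, allow).getStatus());
        System.out.println(check("hive/host2.example.com@EXAMPLE.COM", allow).getStatus());
        System.out.println(check("kms/host1.example.com@EXAMPLE.COM", allow));
    }
}
```

The rule this encodes is the one the request relies on: once a request has passed the authentication filter, nothing downstream should answer 401, and a 403 should carry no WWW-Authenticate header at all, since that header is what the JDK client inspects to decide whether the negotiation is still in progress.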
