> On March 1, 2022, 3:25 a.m., Kirby Zhou wrote:
> > What will happen in the following situations?
> > 
> > 1. A kerberized browser with an unauthorized principal wants to log in to 
> > Ranger by HTML form using another user/password.
> > 
> > 2. A kerberized browser with a different KDC wants to log in to Ranger by 
> > HTML form using another user/password.
> 
> Vishal Suvagia wrote:
>     Hi Kirby Zhou,
>     There is a flag to enable/disable Kerberos-based authentication for 
> Ranger UI; it is disabled by default. If Kerberos auth is enabled by 
> setting the flag and any user wants to use user/password credentials to log in 
> to Ranger UI, it can be done by appending "/locallogin" to the Ranger URL.
>     For example, if the URL for Ranger UI is http://abc.cluster.com:6080 then the 
> local-login URL will be http://abc.cluster.com:6080/locallogin
>     Using this URL, the user can get the login page and enter the 
> required user/password credentials.
> 
> Kirby Zhou wrote:
>     I know that if a browser without Kerberos tries to access a 
> Kerberos-enabled Ranger UI, it will be forwarded to 
> http://abc.cluster.com:6080/login.jsp
>     
>     What I do not know is: if a Kerberos-authenticated browser has its 
> Kerberos ticket rejected by Ranger UI in any of many ways, what will happen?
>     
>     Do I have to let my browser log out of Kerberos? Or do I have to add 
> /locallogin by hand in the address bar?

Q) A Kerberos-authenticated browser, but its Kerberos ticket is rejected by 
Ranger UI in many ways: what will happen?
A) If the ticket is invalid, the user will be redirected to the Ranger login page. 
If it does land on a blank page, the user can perform a refresh to get the login 
page.


- Vishal


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72024/#review224105
-----------------------------------------------------------


On April 4, 2022, 1:04 p.m., Vishal Suvagia wrote:
> 
> (Updated April 4, 2022, 1:04 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, 
> Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan 
> Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, 
> and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2704
>     https://issues.apache.org/jira/browse/RANGER-2704
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Need to support browser login using kerberos authentication. Added a logout 
> for an unauthenticated user to redirect to the login page.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java 223a991c76bae7d25f5ce89604d0a8a90d426fe5
>   security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java abbf2d983beb30b59e5d3f6429d6fc226f735793
>   security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 0a1128613dca50fe67ea3f891261f1ee449c46db
> 
> 
> Diff: https://reviews.apache.org/r/72024/diff/2/
> 
> 
> Testing
> -------
> 
> Verified Kerberos ticket authentication is working on a kerberized browser.
> 
> 
> Steps to test for a kerberized browser:
> #1) For kerberized browsers:
>     #1> To open Chrome in Kerberos-enabled mode, run the command below:
>        google-chrome --auth-server-whitelist="*ranger.testserver.com"
>     #2> For Firefox, go to about:configs, search for negotiate, and then add the host domain
>         ranger.testserver.com to the property "network.negotiate-auth.trusted-uris"
> #2) Perform kinit with the required user.
> #3) Open the Ranger Admin portal using the FQDN of the server host.
> 
> 
> Known Issue: If there is no valid Kerberos ticket, the user lands on a blank page; 
> a short hack is to either append locallogin to the URL or refresh the 
> browser tab to redirect to the login page.
> P.S.: This issue is not observed on the Google Chrome browser.
> 
> 
> File Attachments
> ----------------
> 
> RANGER-2704.patch
>   https://reviews.apache.org/media/uploaded/files/2020/01/17/8c9682ca-1ade-4281-89e7-d43a8af09300__RANGER-2704.patch
> RANGER-2704.02.patch
>   https://reviews.apache.org/media/uploaded/files/2022/04/04/6e737bec-e640-4459-922c-353793172b12__RANGER-2704.02.patch
> 
> 
> Thanks,
> 
> Vishal Suvagia
> 
>
