[ https://issues.apache.org/jira/browse/RANGER-3778?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17542374#comment-17542374 ]
kirby zhou commented on RANGER-3778:
------------------------------------
More explanation:
In RangerAuthenticationProvider.java:
{code:java}
public Authentication authenticate(Authentication authentication)
        throws AuthenticationException {
    if (isSsoEnabled()) {
        if (authentication != null) {
            authentication = getSSOAuthentication(authentication);
            if (authentication != null && authentication.isAuthenticated()) {
                return authentication;
            }
        }
    } else {
        String sha256PasswordUpdateDisable =
                PropertiesUtil.getProperty("ranger.sha256Password.update.disable", "false");
        if (rangerAuthenticationMethod==null) {
            rangerAuthenticationMethod="NONE";
        }
        if (authentication != null && rangerAuthenticationMethod != null) {
            if ("LDAP".equalsIgnoreCase(rangerAuthenticationMethod)) {
                authentication = getLdapAuthentication(authentication);
                if (authentication!=null && authentication.isAuthenticated()) {
                    return authentication;
                } else {
                    authentication=getLdapBindAuthentication(authentication);
                    if (authentication != null && authentication.isAuthenticated()) {
                        return authentication;
                    }
                }
            }
            // ...
            // Following are JDBC
            if (authentication != null && authentication.getName() != null &&
                    sessionMgr.isLoginIdLocked(authentication.getName())) {
                logger.debug("Failed to authenticate since user account is locked");
                throw new LockedException(messages.getMessage(
                        "AbstractUserDetailsAuthenticationProvider.locked",
                        "User account is locked"));
            }
            if (this.isFipsEnabled) {
                try {
                    authentication = getJDBCAuthentication(authentication,"");
                } catch (Exception e) {
                    logger.error("JDBC Authentication failure: ", e);
                    throw e;
                }
                return authentication;
            }
            String encoder="SHA256";
            try {
                authentication = getJDBCAuthentication(authentication,encoder);
            } catch (Exception e) {
                logger.debug("JDBC Authentication failure: ", e);
            }
            // ...
            return authentication;
        } // if authentication != null
    } // if isSSO
    return authentication;
}
{code}
{code:java}
private Authentication getLdapAuthentication(Authentication authentication) {
    try {
        // getting ldap settings
        // ...
        String userName = authentication.getName();
        String userPassword = "";
        if (authentication.getCredentials() != null) {
            userPassword = authentication.getCredentials().toString();
        }
        // populating LDAP context source with LDAP URL and user-DN-pattern
        // ...
        LdapAuthenticationProvider ldapAuthenticationProvider = ...;
        // getting user authenticated
        if (userName != null && userPassword != null
                && !userName.trim().isEmpty()
                && !userPassword.trim().isEmpty()) {
            final List<GrantedAuthority> grantedAuths = new ArrayList<>();
            grantedAuths.add(new SimpleGrantedAuthority(
                    rangerLdapDefaultRole));
            final UserDetails principal = new User(userName, userPassword,
                    grantedAuths);
            final Authentication finalAuthentication = new UsernamePasswordAuthenticationToken(
                    principal, userPassword, grantedAuths);
            authentication = ldapAuthenticationProvider
                    .authenticate(finalAuthentication);
            authentication=getAuthenticationWithGrantedAuthority(authentication);
            return authentication;
        } else {
            return authentication;
        }
    } catch (Exception e) {
        logger.debug("LDAP Authentication Failed:", e);
    }
    return authentication;
}
{code}
The isAuthenticated() property of the authentication object of a user logged
in via Kerberos is true, and its Password property is empty.
And getLdapAuthentication / getJDBCAuthentication / ... will do nothing if the
input's password property is empty.
Therefore, calling RangerAuthenticationProvider in
RangerKRBAuthenticationFilter is meaningless.
> Kerberos Login cause NullPointerException
> -----------------------------------------
>
> Key: RANGER-3778
> URL: https://issues.apache.org/jira/browse/RANGER-3778
> Project: Ranger
> Issue Type: Bug
> Components: admin
> Affects Versions: 3.0.0, 2.3.0
> Reporter: kirby zhou
> Priority: Blocker
>
> Related to RANGER-3737
> I found that the NullPointerException happens again with Kerberos login; this
> time it is due to sessionMgr.
> The reason is that sometimes RangerAuthenticationProvider is not managed by
> Spring but created with new in RangerKRBAuthenticationFilter:
> {code:java}
> RangerAuthenticationProvider authenticationProvider = new RangerAuthenticationProvider();
> Authentication authentication = authenticationProvider.authenticate(finalAuthentication);
> {code}
> Only beans managed by Spring are ensured to have their members auto-wired. So
> in that situation, userMgr and sessionMgr are both null.
> But I do not know why we call authenticationProvider.authenticate here.
> I have traced the code. After a series of condition judgments, the
> authentication object passed in was finally returned without any
> modification. And nothing happens, such as registering a new session or
> accessing the database, because at that point the user is already
> authenticated by Kerberos.
> Something like this should work:
> {code:java}
> ---
> a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
> +++
> b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
> @@ -297,9 +297,7 @@ protected void doFilter(FilterChain filterChain,
> final Authentication
> finalAuthentication = new UsernamePasswordAuthenticationToken(principal, "",
> grantedAuths);
> WebAuthenticationDetails webDetails =
> new WebAuthenticationDetails(request);
> ((AbstractAuthenticationToken)
> finalAuthentication).setDetails(webDetails);
> - RangerAuthenticationProvider
> authenticationProvider = new RangerAuthenticationProvider();
> - Authentication authentication =
> authenticationProvider.authenticate(finalAuthentication);
> - authentication =
> getGrantedAuthority(authentication);
> + Authentication authentication =
> getGrantedAuthority(finalAuthentication);
> if (authentication != null &&
> authentication.isAuthenticated()) {
> if
> (request.getParameterMap().containsKey("doAs")) {
> if
> (!response.isCommitted()) {
> {code}
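Review bot: Dropping the `authenticationProvider.authenticate(finalAuthentication)` call also drops the `sessionMgr.isLoginIdLocked(...)` check that the `authenticate()` excerpt shows on the non-SSO path, and the replacement line `getGrantedAuthority(finalAuthentication)` does nothing in its place. If locked accounts should be refused for Kerberos logins as well, either use the Spring-managed `RangerAuthenticationProvider` bean instead of `new`, or perform the lock check in the filter before calling `getGrantedAuthority`. The `authentication.isAuthenticated()` test in the trailing context now depends only on the token built in the leading context and on `getGrantedAuthority` preserving that flag; a short comment stating this would help the next reader.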
> Just for discussion.
>
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
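
The failure described in the issue (a provider created with `new` never gets its auto-wired members), as an added example that is not Ranger's code. `SessionMgr`, `Provider`, `Config` and the login ids are hypothetical stand-ins, and the block assumes spring-context is on the classpath.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

public class UnmanagedProviderDemo {
    // Hypothetical stand-in for the session manager; locks one constructed login id.
    static class SessionMgr {
        boolean isLoginIdLocked(String loginId) { return "locked_user".equals(loginId); }
    }
    // Hypothetical stand-in for the provider: its lock check needs an auto-wired member.
    static class Provider {
        @Autowired SessionMgr sessionMgr;

        String authenticate(String loginId) {
            if (sessionMgr.isLoginIdLocked(loginId)) { // NPE when sessionMgr was never injected
                throw new IllegalStateException("User account is locked");
            }
            return loginId;
        }
    }
    @Configuration
    static class Config {
        @Bean SessionMgr sessionMgr() { return new SessionMgr(); }
        @Bean Provider provider() { return new Provider(); }
    }
    // Returns a short label for the outcome so the cases can be compared.
    static String attempt(Provider p, String loginId) {
        try {
            return "ok: " + p.authenticate(loginId);
        } catch (NullPointerException e) {
            return "NPE (member not injected)";
        } catch (IllegalStateException e) {
            return "rejected: " + e.getMessage();
        }
    }
    public static void main(String[] args) {
        try (AnnotationConfigApplicationContext ctx =
                 new AnnotationConfigApplicationContext(Config.class)) {
            Provider unmanaged = new Provider();            // same pattern as in the filter
            System.out.println(attempt(unmanaged, "alice"));
            Provider managed = ctx.getBean(Provider.class); // created and wired by the container
            System.out.println(attempt(managed, "alice"));
            System.out.println(attempt(managed, "locked_user"));
            // An instance created with new can still be wired explicitly.
            ctx.getAutowireCapableBeanFactory().autowireBean(unmanaged);
            System.out.println(attempt(unmanaged, "locked_user"));
        }
    }
}
```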