[https://issues.apache.org/jira/browse/RANGER-3778?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17543763#comment-17543763]
kirby zhou commented on RANGER-3778:
------------------------------------
At first, I explain the code I removed; it is divided into two parts.
1. Calling of RangerAuthenticationProvider in
RangerKRBAuthenticationFilter.doFilter(FilterChain filterChain, ...)
Because login via Kerberos always gets an authenticated Authentication object
without a password here, and RangerAuthenticationProvider will not do anything
with such an input argument. So I suggest removing such an object.
And Kerberos generally exists in parallel as a supplement to conventional www
authentication methods such as JDBC. It has nothing to do with the
ranger.authentication.method property used to control
RangerAuthenticationProvider.
2. Verification of cookie in RangerKRBAuthenticationFilter.doFilter(...,
FilterChain filterChain)
This code is wrong and meaningless. The truly correct code is calling getToken
in RangerKrbFilter.doFilter(..., FilterChain filterChain) which is called as
"super.doFilter" in RangerKRBAuthenticationFilter.doFilter(..., FilterChain
filterChain).
BTW: getToken is correct but also useless, because Ranger admin sets 2 cookies,
RANGERADMINSESSION and hadoop.auth, when logging in via Kerberos. The cookie
RANGERADMINSESSION always takes precedence, as I mentioned in
https://issues.apache.org/jira/browse/RANGER-3635
Then, I discuss autowire.
Ideally, RangerAuthenticationProvider should be used everywhere as a bean or
called by ProviderManager or spring, instead of being created by new in
multi-place.
1. I don't know any pretty method to wire a bean field when
RangerAuthenticationProvider is created with new instead of wired.
2. Using "@Autowired RangerAuthenticationProvider authProvider" doesn't seem
necessary as discussed before.
There is another similar problem in RangerSSOAuthenticationFilter.java.
RangerAuthenticationProvider is also created by new in
RangerSSOAuthenticationFilter.java, and the code modifies the provider object.
{code:java}
// public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
RangerAuthenticationProvider authenticationProvider = new RangerAuthenticationProvider();
authenticationProvider.setSsoEnabled(ssoEnabled); // modify provider here.
Authentication authentication = authenticationProvider.authenticate(finalAuthentication);
authentication = getGrantedAuthority(authentication);
SecurityContextHolder.getContext().setAuthentication(authentication);
{code}
And the code in RangerAuthenticationProvider completely short-circuits
subsequent visits to userMgr and SessionMgr in SSO state.
{code:java}
public Authentication authenticate(Authentication authentication)
        throws AuthenticationException {
    if (isSsoEnabled()) {
        if (authentication != null) {
            authentication = getSSOAuthentication(authentication);
            if (authentication != null && authentication.isAuthenticated()) {
                return authentication;
            }
        }
    } else {
        // ...
    }
    return authentication;
}

private Authentication getSSOAuthentication(Authentication authentication)
        throws AuthenticationException {
    return authentication;
}
{code}
It also seems meaningless. I'm confused by this magic code.
Perhaps this confusion stems from the fact that the Ranger Kerberos filter is a
hybrid of Hadoop and Spring.
> Kerberos Login cause NullPointerException
> -----------------------------------------
>
> Key: RANGER-3778
> URL: https://issues.apache.org/jira/browse/RANGER-3778
> Project: Ranger
> Issue Type: Bug
> Components: admin
> Affects Versions: 3.0.0, 2.3.0
> Reporter: kirby zhou
> Priority: Blocker
>
> Related to RANGER-3737
> I found NullPointerException happens again with Kerberos login; this time it is
> due to sessionMgr.
> The reason is that sometimes RangerAuthenticationProvider is not managed by
> Spring but created by new in RangerKRBAuthenticationFilter
> {code:java}
> RangerAuthenticationProvider authenticationProvider = new RangerAuthenticationProvider();
> Authentication authentication = authenticationProvider.authenticate(finalAuthentication);
> {code}
> Only beans managed by Spring are ensured to auto-wire their members. So in that
> situation, userMgr and sessionMgr are both null.
> But I do not know why we call authenticationProvider.authenticate here.
> I have traced the code. After a series of condition judgments, the
> authentication object passed in was finally returned without any
> modification. And nothing happens, such as registering a new session or accessing
> the database, because at that point the user is already authenticated by Kerberos.
> Something like that should work
> {code:java}
> ---
> a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
> +++
> b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKRBAuthenticationFilter.java
> @@ -297,9 +297,7 @@ protected void doFilter(FilterChain filterChain,
> final Authentication
> finalAuthentication = new UsernamePasswordAuthenticationToken(principal, "",
> grantedAuths);
> WebAuthenticationDetails webDetails =
> new WebAuthenticationDetails(request);
> ((AbstractAuthenticationToken)
> finalAuthentication).setDetails(webDetails);
> - RangerAuthenticationProvider
> authenticationProvider = new RangerAuthenticationProvider();
> - Authentication authentication =
> authenticationProvider.authenticate(finalAuthentication);
> - authentication =
> getGrantedAuthority(authentication);
> + Authentication authentication =
> getGrantedAuthority(finalAuthentication);
> if (authentication != null &&
> authentication.isAuthenticated()) {
> if
> (request.getParameterMap().containsKey("doAs")) {
> if
> (!response.isCommitted()) {
> {code}
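Review bot: with the authenticate call removed, the guard `if (authentication != null && authentication.isAuthenticated())` that follows now only ever sees the token built a few lines above it, and the three-argument UsernamePasswordAuthenticationToken(principal, "", grantedAuths) constructor marks that token authenticated, so the branch is effectively unconditional unless getGrantedAuthority itself can return null; a short comment at the `+ Authentication authentication = getGrantedAuthority(finalAuthentication);` line should state that the Kerberos handshake has already authenticated the principal and that a `new`-constructed RangerAuthenticationProvider has null userMgr/sessionMgr, so a later reader does not re-add the call.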
> Just for discussion
>
--
This message was sent by Atlassian Jira
(v8.20.7#820007)