vyommani opened a new pull request, #1062:
URL: https://github.com/apache/ranger/pull/1062

   ### Problem
   
   `security="none"` on the plugin download endpoints (`gds`, 
`plugins/policies`,
   `tags`, `roles`, `xusers`) skipped Spring Security's whole filter chain for
   exact URL matches, so Basic auth credentials were silently dropped and the
   request was treated as anonymous. Because the pattern was a single-segment
   wildcard (`*`), a trailing slash accidentally escaped the bypass and hit the
   normal authenticated chain instead - so the same URL behaved differently
   depending on a trailing slash:
   
   GET .../download/dev_hive?...   -u admin:pass   -> 400 (creds dropped)
   GET .../download/dev_hive/?...  -u admin:pass   -> 200 (creds processed)
   
   On a Kerberized admin there was a second issue: 
`RangerKRBAuthenticationFilter`
   forces a SPNEGO challenge on any request with no existing auth, regardless of
   Spring Security's authorization rules - so even after fixing the URL 
matching,
   anonymous requests were still rejected with `401` regardless of
   `ranger.admin.allow.unauthenticated.download.access`.
   
   ### Fix
   
   1. **`security-applicationContext.xml`** - removed these 5 endpoints from
      `security="none"`, added `permitAll` `intercept-url` entries instead, 
using
      `**` so matching is slash-insensitive. `permitAll` only removes the
      authorization requirement, not authentication - credentials are still
      validated when present, and 
`RangerBizUtil.failUnauthenticatedDownloadIfNotAllowed()`
      remains the actual gatekeeper for anonymous access.
   2. **`RangerKRBAuthenticationFilter.java`** - skip the forced SPNEGO 
challenge
      only when the URL is one of these 5 endpoints *and* no `Authorization` 
header
      is present. Requests that do present credentials (Negotiate or Basic) are
      unaffected.
   3. Added unit tests for the new URL-matching and bypass logic.
   
   `services/grant`/`services/revoke` share the same defect but are 
policy-mutating
   endpoints, intentionally left out - tracked as a follow-up.
   
   **Note:** invalid/malformed credentials now get a `401` instead of silently
   falling back to anonymous - a deliberate, more-correct behavior change.
   
   ### Testing
   
   Verified on a live docker environment with Kerberos enabled, across all 5
   endpoints x slash/no-slash x anonymous/valid-creds/invalid-creds x
   `ranger.admin.allow.unauthenticated.download.access`=true/false:
   
   - Slash and no-slash now always return the same result (the original bug).
   - Flag `false`: anonymous -> `400`, valid creds -> `200`.
   - Flag `true`: anonymous -> `200` (this was still `401` before the
     `RangerKRBAuthenticationFilter` fix).
   - Invalid credentials -> `401` on all 5 endpoints, both flag states.
   - Live SPNEGO ticket (`kinit` + `curl --negotiate`) against flag=`false`
     returned `200` with `hadoop.auth` cookie showing the real authenticated
     principal - confirms real Kerberos credentials are still fully validated,
     not waved through by the bypass.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to