-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53568/
-----------------------------------------------------------
Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay
Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj,
and Velmurugan Periasamy.
Bugs: RANGER-1212
https://issues.apache.org/jira/browse/RANGER-1212
Repository: ranger
Description
-------
**Problem Statement:** If SSL is enabled in a Ranger unsecured HA environment,
the load balancer doesn't forward the client certificate to Ranger and
authentication fails due to a certificate issue. In an SSL environment the
client usually sends its SSL certificate as a request attribute to Ranger for
authentication, but whenever such a request is sent via a load balancer, the
load balancer cannot pass the received certificate on to Ranger and
authentication fails.
**Note:** This happens only in the unsecured environment, where the client
certificate is mandatory at the Ranger end; in the secured environment,
authentication is done through a Kerberos ticket, so the client certificate is
not required.
**Proposed Solution:** Since the load balancer is unable to pass the client
certificate as a request attribute, we can configure the load balancer to pass
the client certificate in a request header. To enable this at the load
balancer end we need to add the line below, which makes the load balancer add a
request header carrying the certificate received from the client.
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
The load balancer shall send the client certificate in PEM format; the proposed
patch shall read the PEM format certificate from the request header and parse
it. Since Ranger requires an X509 certificate to authenticate the request, the
proposed patch contains the changes to parse the certificate into X509 format.
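An added example, not the code of this patch, of the header parsing the proposed solution describes: the PEM value delivered in the SSL_CLIENT_CERT header is normalized and converted to a java.security.cert.X509Certificate. The class and method names are assumptions; the main method reads a PEM file path from the command line and folds its line breaks into spaces to mimic what the RequestHeader directive delivers.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

// Hypothetical helper; not part of ServiceUtil.java or the proposed patch.
public final class HeaderCertificateParser {

    private static final String BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String END = "-----END CERTIFICATE-----";

    // Parse the PEM certificate that a TLS-terminating load balancer placed in the
    // SSL_CLIENT_CERT header (headerValue = request.getHeader("SSL_CLIENT_CERT")).
    // Header values cannot carry PEM line breaks intact, so newlines may arrive
    // folded into spaces or tabs; all whitespace in the base64 body is stripped.
    // Assumption: the header is trusted only because the load balancer sets it
    // itself on every forwarded request, overwriting any value a client sent.
    public static X509Certificate parse(String headerValue) throws CertificateException {
        if (headerValue == null || headerValue.trim().isEmpty()) {
            throw new CertificateException("SSL_CLIENT_CERT header is absent or empty");
        }
        int start = headerValue.indexOf(BEGIN);
        int end = headerValue.indexOf(END);
        if (start < 0 || end < 0 || end <= start) {
            throw new CertificateException("SSL_CLIENT_CERT header is not a PEM certificate");
        }
        String body = headerValue.substring(start + BEGIN.length(), end).replaceAll("\\s+", "");
        byte[] der;
        try {
            der = Base64.getDecoder().decode(body);
        } catch (IllegalArgumentException e) {
            throw new CertificateException("SSL_CLIENT_CERT header body is not valid base64", e);
        }
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(der));
    }

    // Demo: read a PEM file (for example one exported with keytool), fold its line
    // breaks into spaces as a RequestHeader directive would, then parse and check it.
    public static void main(String[] args) throws Exception {
        String pem = new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.US_ASCII);
        X509Certificate cert = parse(pem.replace("\r", "").replace("\n", " "));
        cert.checkValidity(); // throws if the certificate is expired or not yet valid
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        System.out.println("Issuer:  " + cert.getIssuerX500Principal());
    }
}
```

Parsing only recovers the certificate; whether its subject is an allowed Ranger client must still be decided by the existing authentication logic.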
Diffs
-----
security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java 9e72f42
Diff: https://reviews.apache.org/r/53568/diff/
Testing
-------
**Steps Performed (with patch):**
1. Installed ranger-admin on two nodes from a build containing the changes of
the proposed patch.
2. Configured Ranger admin in SSL mode.
3. Configured the load balancer in SSL mode with both ranger-admin nodes.
4. Created a truststore from the load balancer's self-signed keystore.
5. Created a truststore for the hdfs plugin and added the public key of ranger
admin as trusted entry into it.
6. To enable the HDFS plugin to communicate with Ranger Admin via the load
balancer, copied the truststore file generated on the load balancer machine
(the file generated in step 4) to the HDFS node.
7. Generated the HDFS truststore in PEM format to configure it on the load
balancer machine.
8. Created the ranger_lb_crt.pem file on the load balancer machine and added
the content of the file created in the previous step.
9. On the load balancer machine, configured the path of the file created in
the previous step.
10. Added the line below to the load balancer config file.
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
11. Started ranger-admin, HDFS and the load balancer.
**Expected behaviour:** The Ranger plugin should be able to communicate with
Ranger admin and download the policies.
**Actual behaviour:** The Ranger plugin was able to communicate with Ranger
admin and download the policies.
Thanks,
Pradeep Agrawal