This is an automated email from the ASF dual-hosted git repository.
pradeep pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 0a39904 RANGER-2688: Make cookie name configurable
0a39904 is described below
commit 0a39904ac134736d1eeeb03ae83069c9896c8f97
Author: Pradeep <prad...@apache.org>
AuthorDate: Mon Jan 20 16:28:33 2020 +0530
RANGER-2688: Make cookie name configurable
---
.../ranger/plugin/util/RangerCommonConstants.java | 27 ++++++++++++++++++++++
.../org/apache/ranger/common/PropertiesUtil.java | 11 +++++++++
.../security/web/filter/RangerKrbFilter.java | 5 +++-
.../main/resources/conf.dist/ranger-admin-site.xml | 4 ++++
.../conf.dist/security-applicationContext.xml | 2 +-
tagsync/conf/templates/ranger-tagsync-template.xml | 4 ++++
.../ranger/tagsync/process/TagSyncConfig.java | 12 ++++++++++
.../tagsync/sink/tagadmin/TagAdminRESTSink.java | 6 +++--
.../src/main/resources/ranger-tagsync-default.xml | 4 ++++
tagsync/src/main/resources/ranger-tagsync-site.xml | 4 ++++
.../process/LdapPolicyMgrUserGroupBuilder.java | 15 ++++++------
.../unixusersync/config/UserGroupSyncConfig.java | 12 ++++++++++
.../conf.dist/ranger-ugsync-default.xml | 4 ++++
.../scripts/templates/ranger-ugsync-template.xml | 4 ++++
14 files changed, 103 insertions(+), 11 deletions(-)
diff --git
a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerCommonConstants.java
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerCommonConstants.java
new file mode 100644
index 0000000..5ecb280
--- /dev/null
+++
b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerCommonConstants.java
@@ -0,0 +1,27 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.util;
+
+public class RangerCommonConstants {
+
+ public static final String PROP_COOKIE_NAME =
"ranger.admin.cookie.name";
+ public static final String DEFAULT_COOKIE_NAME = "RANGERADMINSESSIONID";
+
+}
\ No newline at end of file
diff --git
a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
index ee8ce8d..43bbdfb 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
@@ -36,6 +36,7 @@ import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.apache.ranger.biz.RangerBizUtil;
import org.apache.ranger.credentialapi.CredentialReader;
+import org.apache.ranger.plugin.util.RangerCommonConstants;
import org.springframework.beans.BeansException;
import
org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
import org.springframework.beans.factory.config.PropertyPlaceholderConfigurer;
@@ -302,6 +303,16 @@ public class PropertiesUtil extends
PropertyPlaceholderConfigurer {
}
}
}
+
+ if (propertiesMap != null &&
propertiesMap.containsKey(RangerCommonConstants.PROP_COOKIE_NAME)) {
+ String cookieName =
propertiesMap.get(RangerCommonConstants.PROP_COOKIE_NAME);
+ if (StringUtils.isBlank(cookieName)) {
+ cookieName = RangerCommonConstants.DEFAULT_COOKIE_NAME;
+ }
+ propertiesMap.put(RangerCommonConstants.PROP_COOKIE_NAME,
cookieName);
+ props.put(RangerCommonConstants.PROP_COOKIE_NAME, cookieName);
+ }
+
super.processProperties(beanFactory, props);
}
diff --git
a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
index f2856d3..b7b2b2a 100644
---
a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
+++
b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
@@ -25,6 +25,7 @@ import
org.apache.hadoop.security.authentication.server.KerberosAuthenticationHa
import
org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
import org.apache.hadoop.security.authentication.util.*;
import org.apache.ranger.common.PropertiesUtil;
+import org.apache.ranger.plugin.util.RangerCommonConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -119,6 +120,7 @@ public class RangerKrbFilter implements Filter {
private long validity;
private String cookieDomain;
private String cookiePath;
+ private String cookieName;
/**
* <p>Initializes the authentication filter and signer secret provider.</p>
@@ -157,6 +159,7 @@ public class RangerKrbFilter implements Filter {
cookieDomain = config.getProperty(COOKIE_DOMAIN, null);
cookiePath = config.getProperty(COOKIE_PATH, null);
+ cookieName = config.getProperty(RangerCommonConstants.PROP_COOKIE_NAME,
RangerCommonConstants.DEFAULT_COOKIE_NAME);
}
protected void initializeAuthHandler(String authHandlerClassName,
FilterConfig filterConfig)
@@ -555,7 +558,7 @@ public class RangerKrbFilter implements Filter {
}
for(String headerName : headerNames){
String value = httpResponse.getHeader(headerName);
- if("Set-Cookie".equalsIgnoreCase(headerName) &&
value.startsWith("RANGERADMINSESSIONID")){
+ if("Set-Cookie".equalsIgnoreCase(headerName) &&
value.startsWith(cookieName)){
chk = false;
break;
}
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
index 2e584a7..298f02b 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
@@ -328,4 +328,8 @@
<value></value>
<description>Maximum no. of retry to setup
solr</description>
</property>
+ <property>
+ <name>ranger.admin.cookie.name</name>
+ <value>RANGERADMINSESSIONID</value>
+ </property>
</configuration>
diff --git
a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
index 2e7a891..c359971 100644
---
a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
+++
b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml
@@ -65,7 +65,7 @@
http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd";>
<security:custom-filter position="LAST"
ref="userContextFormationFilter"/>
<security:access-denied-handler error-page="/login.jsp"/>
- <security:logout delete-cookies="RANGERADMINSESSIONID,xa_rmc"
logout-url="/logout" success-handler-ref="customLogoutSuccessHandler" />
+ <security:logout delete-cookies="${ranger.admin.cookie.name}"
logout-url="/logout" success-handler-ref="customLogoutSuccessHandler" />
<http-basic
entry-point-ref="authenticationProcessingFilterEntryPoint"/>
</security:http>
diff --git a/tagsync/conf/templates/ranger-tagsync-template.xml
b/tagsync/conf/templates/ranger-tagsync-template.xml
index 41aacbf..b8bfbf5 100644
--- a/tagsync/conf/templates/ranger-tagsync-template.xml
+++ b/tagsync/conf/templates/ranger-tagsync-template.xml
@@ -103,4 +103,8 @@
<name>ranger.tagsync.source.atlasrest.ssl.config.filename</name>
<value></value>
</property>
+ <property>
+ <name>ranger.tagsync.dest.ranger.session.cookie.name</name>
+ <value>RANGERADMINSESSIONID</value>
+ </property>
</configuration>
diff --git
a/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSyncConfig.java
b/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSyncConfig.java
index 6d27b02..c4173da 100644
--- a/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSyncConfig.java
+++ b/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSyncConfig.java
@@ -35,6 +35,7 @@ import java.util.Enumeration;
import java.util.Properties;
import org.apache.ranger.credentialapi.CredentialReader;
+import org.apache.ranger.plugin.util.RangerCommonConstants;
public class TagSyncConfig extends Configuration {
private static final Logger LOG = Logger.getLogger(TagSyncConfig.class);
@@ -84,6 +85,8 @@ public class TagSyncConfig extends Configuration {
private static final String
TAGSYNC_SOURCE_RETRY_INITIALIZATION_INTERVAL_PROP =
"ranger.tagsync.source.retry.initialization.interval.millis";
public static final String TAGSYNC_RANGER_COOKIE_ENABLED_PROP =
"ranger.tagsync.cookie.enabled";
+ public static final String TAGSYNC_TAGADMIN_COOKIE_NAME_PROP =
"ranger.tagsync.dest.ranger.session.cookie.name";
+
private static final String DEFAULT_TAGADMIN_USERNAME = "rangertagsync";
private static final String DEFAULT_ATLASREST_USERNAME = "admin";
private static final String DEFAULT_ATLASREST_PASSWORD = "admin";
@@ -213,6 +216,15 @@ public class TagSyncConfig extends Configuration {
return val == null || Boolean.valueOf(val.trim());
}
+ static public String getRangerAdminCookieName(Properties prop) {
+ String ret = RangerCommonConstants.DEFAULT_COOKIE_NAME;
+ String val =
prop.getProperty(TAGSYNC_TAGADMIN_COOKIE_NAME_PROP);
+ if (StringUtils.isNotBlank(val)) {
+ ret = val;
+ }
+ return ret;
+ }
+
static public String getTagSyncLogdir(Properties prop) {
return prop.getProperty(TAGSYNC_LOGDIR_PROP);
}
diff --git
a/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java
b/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java
index 5d32cc0..011e2cc 100644
---
a/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java
+++
b/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java
@@ -61,6 +61,7 @@ public class TagAdminRESTSink implements TagSink, Runnable {
List<NewCookie> cookieList=new ArrayList<>();
private boolean isRangerCookieEnabled;
+ private String rangerAdminCookieName;
private RangerRESTClient tagRESTClient = null;
@@ -85,6 +86,7 @@ public class TagAdminRESTSink implements TagSink, Runnable {
rangerAdminConnectionCheckInterval =
TagSyncConfig.getTagAdminConnectionCheckInterval(properties);
isKerberized =
TagSyncConfig.getTagsyncKerberosIdentity(properties) != null;
isRangerCookieEnabled =
TagSyncConfig.isTagSyncRangerCookieEnabled(properties);
+
rangerAdminCookieName=TagSyncConfig.getRangerAdminCookieName(properties);
sessionId=null;
if (LOG.isDebugEnabled()) {
@@ -278,7 +280,7 @@ public class TagAdminRESTSink implements TagSink, Runnable {
cookieList =
response.getCookies();
// save cookie received from
credentials session login
for (NewCookie cookie :
cookieList) {
- if
(cookie.getName().equalsIgnoreCase("RANGERADMINSESSIONID")) {
+ if
(cookie.getName().equalsIgnoreCase(rangerAdminCookieName)) {
sessionId =
cookie.toCookie();
isValidRangerCookie = true;
break;
@@ -322,7 +324,7 @@ public class TagAdminRESTSink implements TagSink, Runnable {
|| response.getStatus() ==
HttpServletResponse.SC_OK) {
List<NewCookie> respCookieList =
response.getCookies();
for (NewCookie respCookie : respCookieList) {
- if
(respCookie.getName().equalsIgnoreCase("RANGERADMINSESSIONID")) {
+ if
(respCookie.getName().equalsIgnoreCase(rangerAdminCookieName)) {
if
(!(sessionId.getValue().equalsIgnoreCase(respCookie.toCookie().getValue()))) {
sessionId =
respCookie.toCookie();
}
diff --git a/tagsync/src/main/resources/ranger-tagsync-default.xml
b/tagsync/src/main/resources/ranger-tagsync-default.xml
index 08afc42..1034bc6 100644
--- a/tagsync/src/main/resources/ranger-tagsync-default.xml
+++ b/tagsync/src/main/resources/ranger-tagsync-default.xml
@@ -37,4 +37,8 @@
<name>ranger.tagsync.dest.ranger.username</name>
<value>rangertagsync</value>
</property>
+ <property>
+ <name>ranger.tagsync.dest.ranger.session.cookie.name</name>
+ <value>RANGERADMINSESSIONID</value>
+ </property>
</configuration>
diff --git a/tagsync/src/main/resources/ranger-tagsync-site.xml
b/tagsync/src/main/resources/ranger-tagsync-site.xml
index 9a14c1c..0b9ef84 100644
--- a/tagsync/src/main/resources/ranger-tagsync-site.xml
+++ b/tagsync/src/main/resources/ranger-tagsync-site.xml
@@ -97,6 +97,10 @@
<name>ranger.tagsync.cookie.enabled</name>
<value>true</value>
</property>
+ <property>
+ <name>ranger.tagsync.dest.ranger.session.cookie.name</name>
+ <value>RANGERADMINSESSIONID</value>
+ </property>
<!-- Ranger-tagsync uses the following two properties to derive name of
Ranger Service in a Federated or non-Federated HDFS setup -->
diff --git
a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java
b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java
index b469e92..8017395 100644
---
a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java
+++
b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java
@@ -80,7 +80,6 @@ private static final Logger LOG =
Logger.getLogger(LdapPolicyMgrUserGroupBuilder
private static final String GROUP_SOURCE_EXTERNAL ="1";
- private static final String RANGER_ADMIN_COOKIE_NAME =
"RANGERADMINSESSIONID";
private static String LOCAL_HOSTNAME = "unknown";
private String recordsToPullPerCall = "1000";
private boolean isMockRun = false;
@@ -104,7 +103,7 @@ private static final Logger LOG =
Logger.getLogger(LdapPolicyMgrUserGroupBuilder
Map<String, String> userMap = new LinkedHashMap<String, String>();
Map<String, String> groupMap = new LinkedHashMap<String, String>();
private boolean isRangerCookieEnabled;
-
+ private String rangerCookieName;
static {
try {
LOCAL_HOSTNAME =
java.net.InetAddress.getLocalHost().getCanonicalHostName();
@@ -118,6 +117,8 @@ private static final Logger LOG =
Logger.getLogger(LdapPolicyMgrUserGroupBuilder
policyMgrBaseUrl = config.getPolicyManagerBaseURL();
isMockRun = config.isMockRunEnabled();
isRangerCookieEnabled = config.isUserSyncRangerCookieEnabled();
+ rangerCookieName = config.getRangerAdminCookieName();
+
if (isMockRun) {
LOG.setLevel(Level.DEBUG);
}
@@ -623,7 +624,7 @@ private static final Logger LOG =
Logger.getLogger(LdapPolicyMgrUserGroupBuilder
||
response.getStatus() == HttpServletResponse.SC_OK) {
cookieList =
response.getCookies();
for (NewCookie cookie :
cookieList) {
- if
(cookie.getName().equalsIgnoreCase(RANGER_ADMIN_COOKIE_NAME)) {
+ if
(cookie.getName().equalsIgnoreCase(rangerCookieName)) {
sessionId = cookie.toCookie();
isValidRangerCookie = true;
break;
@@ -939,7 +940,7 @@ private static final Logger LOG =
Logger.getLogger(LdapPolicyMgrUserGroupBuilder
} else if (clientResp.getStatus() ==
HttpServletResponse.SC_NO_CONTENT || clientResp.getStatus() ==
HttpServletResponse.SC_OK) {
List<NewCookie> respCookieList =
clientResp.getCookies();
for (NewCookie cookie : respCookieList) {
- if
(cookie.getName().equalsIgnoreCase(RANGER_ADMIN_COOKIE_NAME)) {
+ if
(cookie.getName().equalsIgnoreCase(rangerCookieName)) {
if
(!(sessionId.getValue().equalsIgnoreCase(cookie.toCookie().getValue()))) {
sessionId =
cookie.toCookie();
}
@@ -990,7 +991,7 @@ private static final Logger LOG =
Logger.getLogger(LdapPolicyMgrUserGroupBuilder
} else if (clientResp.getStatus() ==
HttpServletResponse.SC_OK || clientResp.getStatus() ==
HttpServletResponse.SC_NO_CONTENT) {
cookieList = clientResp.getCookies();
for (NewCookie cookie : cookieList) {
- if
(cookie.getName().equalsIgnoreCase(RANGER_ADMIN_COOKIE_NAME)) {
+ if
(cookie.getName().equalsIgnoreCase(rangerCookieName)) {
sessionId = cookie.toCookie();
isValidRangerCookie = true;
LOG.info("valid cookie saved ");
@@ -1037,7 +1038,7 @@ private static final Logger LOG =
Logger.getLogger(LdapPolicyMgrUserGroupBuilder
} else if (clientResp.getStatus() ==
HttpServletResponse.SC_OK || clientResp.getStatus() ==
HttpServletResponse.SC_NO_CONTENT) {
cookieList = clientResp.getCookies();
for (NewCookie cookie : cookieList) {
- if
(cookie.getName().equalsIgnoreCase(RANGER_ADMIN_COOKIE_NAME)) {
+ if
(cookie.getName().equalsIgnoreCase(rangerCookieName)) {
sessionId = cookie.toCookie();
isValidRangerCookie = true;
LOG.info("valid cookie saved ");
@@ -1088,7 +1089,7 @@ private static final Logger LOG =
Logger.getLogger(LdapPolicyMgrUserGroupBuilder
} else if (clientResp.getStatus() ==
HttpServletResponse.SC_NO_CONTENT || clientResp.getStatus() ==
HttpServletResponse.SC_OK) {
List<NewCookie> respCookieList =
clientResp.getCookies();
for (NewCookie cookie : respCookieList) {
- if
(cookie.getName().equalsIgnoreCase(RANGER_ADMIN_COOKIE_NAME)) {
+ if
(cookie.getName().equalsIgnoreCase(rangerCookieName)) {
if
(!(sessionId.getValue().equalsIgnoreCase(cookie.toCookie().getValue()))) {
sessionId =
cookie.toCookie();
}
diff --git
a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
index 1d4e37f..a041345 100644
---
a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
+++
b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java
@@ -26,8 +26,10 @@ import java.util.Properties;
import java.util.Set;
import java.util.StringTokenizer;
+import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.ranger.credentialapi.CredentialReader;
+import org.apache.ranger.plugin.util.RangerCommonConstants;
import org.apache.ranger.plugin.util.XMLUtils;
import org.apache.ranger.usergroupsync.UserGroupSink;
import org.apache.ranger.usergroupsync.UserGroupSource;
@@ -236,6 +238,8 @@ public class UserGroupSyncConfig {
private static final String USERSYNC_RANGER_COOKIE_ENABLED_PROP =
"ranger.usersync.cookie.enabled";
+ private static final String RANGER_ADMIN_COOKIE_NAME_PROPS =
"ranger.usersync.dest.ranger.session.cookie.name";
+
private Properties prop = new Properties();
private static volatile UserGroupSyncConfig me = null;
@@ -939,6 +943,14 @@ public class UserGroupSyncConfig {
return val == null || Boolean.valueOf(val.trim());
}
+ public String getRangerAdminCookieName() {
+ String ret = RangerCommonConstants.DEFAULT_COOKIE_NAME;
+ String val = prop.getProperty(RANGER_ADMIN_COOKIE_NAME_PROPS);
+ if (StringUtils.isNotBlank(val)) {
+ ret = val;
+ }
+ return ret;
+ }
public String getRoleDelimiter() {
if (prop != null && prop.containsKey(ROLE_ASSIGNMENT_LIST_DELIMITER)) {
diff --git a/unixauthservice/conf.dist/ranger-ugsync-default.xml
b/unixauthservice/conf.dist/ranger-ugsync-default.xml
index e2e014b..0f88aa3 100644
--- a/unixauthservice/conf.dist/ranger-ugsync-default.xml
+++ b/unixauthservice/conf.dist/ranger-ugsync-default.xml
@@ -69,4 +69,8 @@
<name>ranger.usersync.cookie.enabled</name>
<value>true</value>
</property>
+ <property>
+ <name>ranger.usersync.dest.ranger.session.cookie.name</name>
+ <value>RANGERADMINSESSIONID</value>
+ </property>
</configuration>
diff --git a/unixauthservice/scripts/templates/ranger-ugsync-template.xml
b/unixauthservice/scripts/templates/ranger-ugsync-template.xml
index 0c2d1fc..0cacc95 100644
--- a/unixauthservice/scripts/templates/ranger-ugsync-template.xml
+++ b/unixauthservice/scripts/templates/ranger-ugsync-template.xml
@@ -225,4 +225,8 @@
<name>ranger.usersync.group.based.role.assignment.rules</name>
<value></value>
</property>
+ <property>
+ <name>ranger.usersync.dest.ranger.session.cookie.name</name>
+ <value>RANGERADMINSESSIONID</value>
+ </property>
</configuration>
