This is an automated email from the ASF dual-hosted git repository. pradeep pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push: new 0a39904 RANGER-2688: Make cookie name configurable 0a39904 is described below commit 0a39904ac134736d1eeeb03ae83069c9896c8f97 Author: Pradeep <prad...@apache.org> AuthorDate: Mon Jan 20 16:28:33 2020 +0530 RANGER-2688: Make cookie name configurable
---
 .../ranger/plugin/util/RangerCommonConstants.java | 27 ++++++++++++++++++++++ .../org/apache/ranger/common/PropertiesUtil.java | 11 +++++++++ .../security/web/filter/RangerKrbFilter.java | 5 +++- .../main/resources/conf.dist/ranger-admin-site.xml | 4 ++++ .../conf.dist/security-applicationContext.xml | 2 +- tagsync/conf/templates/ranger-tagsync-template.xml | 4 ++++ .../ranger/tagsync/process/TagSyncConfig.java | 12 ++++++++++ .../tagsync/sink/tagadmin/TagAdminRESTSink.java | 6 +++-- .../src/main/resources/ranger-tagsync-default.xml | 4 ++++ tagsync/src/main/resources/ranger-tagsync-site.xml | 4 ++++ .../process/LdapPolicyMgrUserGroupBuilder.java | 15 ++++++------ .../unixusersync/config/UserGroupSyncConfig.java | 12 ++++++++++ .../conf.dist/ranger-ugsync-default.xml | 4 ++++ .../scripts/templates/ranger-ugsync-template.xml | 4 ++++ 14 files changed, 103 insertions(+), 11 deletions(-)
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerCommonConstants.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerCommonConstants.java
new file mode 100644
index 0000000..5ecb280
--- /dev/null
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/RangerCommonConstants.java
@@ -0,0 +1,27 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.plugin.util;
+
+public class RangerCommonConstants {
+
+ public static final String PROP_COOKIE_NAME = "ranger.admin.cookie.name";
+ public static final String DEFAULT_COOKIE_NAME = "RANGERADMINSESSIONID";
+
+}
\ No newline at end of file
diff --git a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
index ee8ce8d..43bbdfb 100644
--- a/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
+++ b/security-admin/src/main/java/org/apache/ranger/common/PropertiesUtil.java
@@ -36,6 +36,7 @@ import org.apache.commons.lang.StringUtils;
 import org.apache.log4j.Logger;
 import org.apache.ranger.biz.RangerBizUtil;
 import org.apache.ranger.credentialapi.CredentialReader;
+import org.apache.ranger.plugin.util.RangerCommonConstants;
 import org.springframework.beans.BeansException;
 import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
 import org.springframework.beans.factory.config.PropertyPlaceholderConfigurer;
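Review bot: In the new file `RangerCommonConstants.java` the class is a pure constants holder but is declared instantiable and extensible, and neither constant is documented. I would declare it `public final class RangerCommonConstants` with `private RangerCommonConstants() {}`. A comment on `PROP_COOKIE_NAME` should say that it is the Ranger Admin session-cookie property and that the tagsync and usersync cookie-name properties added later in this commit must carry the same value. The file also ends without a trailing newline.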
@@ -302,6 +303,16 @@ public class PropertiesUtil extends PropertyPlaceholderConfigurer { } } } + + if (propertiesMap != null && propertiesMap.containsKey(RangerCommonConstants.PROP_COOKIE_NAME)) { + String cookieName = propertiesMap.get(RangerCommonConstants.PROP_COOKIE_NAME); + if (StringUtils.isBlank(cookieName)) { + cookieName = RangerCommonConstants.DEFAULT_COOKIE_NAME; + } + propertiesMap.put(RangerCommonConstants.PROP_COOKIE_NAME, cookieName); + props.put(RangerCommonConstants.PROP_COOKIE_NAME, cookieName); + } + super.processProperties(beanFactory, props); } diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java index f2856d3..b7b2b2a 100644 --- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java +++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java @@ -25,6 +25,7 @@ import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHa import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler; import org.apache.hadoop.security.authentication.util.*; import org.apache.ranger.common.PropertiesUtil; +import org.apache.ranger.plugin.util.RangerCommonConstants; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -119,6 +120,7 @@ public class RangerKrbFilter implements Filter { private long validity; private String cookieDomain; private String cookiePath; + private String cookieName; /** * <p>Initializes the authentication filter and signer secret provider.</p> 
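Review bot: The fallback to `DEFAULT_COOKIE_NAME` in the block added before `super.processProperties` runs only when `propertiesMap.containsKey(PROP_COOKIE_NAME)` is true, so an install whose `ranger-admin-site.xml` predates this property gets no value at all. `security-applicationContext.xml` in this same commit now references `${ranger.admin.cookie.name}`, and a missing key would presumably leave that placeholder unresolved when the context starts. I would drop the `containsKey` test and read the value as `String cookieName = propertiesMap != null ? propertiesMap.get(RangerCommonConstants.PROP_COOKIE_NAME) : null;`, keeping the existing `isBlank` fallback and always calling `props.put(...)`. The enclosing method starts outside the hunk, so whether `propertiesMap` can really be null here is not visible.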
@@ -157,6 +159,7 @@ public class RangerKrbFilter implements Filter { cookieDomain = config.getProperty(COOKIE_DOMAIN, null); cookiePath = config.getProperty(COOKIE_PATH, null); + cookieName = config.getProperty(RangerCommonConstants.PROP_COOKIE_NAME, RangerCommonConstants.DEFAULT_COOKIE_NAME); } protected void initializeAuthHandler(String authHandlerClassName, FilterConfig filterConfig) @@ -555,7 +558,7 @@ public class RangerKrbFilter implements Filter { } for(String headerName : headerNames){ String value = httpResponse.getHeader(headerName); - if("Set-Cookie".equalsIgnoreCase(headerName) && value.startsWith("RANGERADMINSESSIONID")){ + if("Set-Cookie".equalsIgnoreCase(headerName) && value.startsWith(cookieName)){ chk = false; break; } diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml index 2e584a7..298f02b 100644 --- a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml +++ b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml @@ -328,4 +328,8 @@ <value></value> <description>Maximum no. of retry to setup solr</description> </property> + <property> + <name>ranger.admin.cookie.name</name> + <value>RANGERADMINSESSIONID</value> + </property> </configuration> diff --git a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml index 2e7a891..c359971 100644 --- a/security-admin/src/main/resources/conf.dist/security-applicationContext.xml +++ b/security-admin/src/main/resources/conf.dist/security-applicationContext.xml 
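Review bot: `cookieName` is read from `config` with no blank check or validation on the line added after `cookiePath`, and `getProperty(key, default)` returns the default only when the key is absent. An empty `ranger.admin.cookie.name` would therefore reach the `value.startsWith(cookieName)` test changed further down, where an empty string matches every `Set-Cookie` header. The blank-to-default normalisation added in `PropertiesUtil` helps only if `config` is populated from the same map, which is not visible here. I would add `if (cookieName == null || cookieName.trim().isEmpty()) { cookieName = RangerCommonConstants.DEFAULT_COOKIE_NAME; }` and reject names containing `=`, `;`, `,` or whitespace. The method body starts outside the hunk.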
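Review bot: `value.startsWith(cookieName)` in the `@@ -555` hunk is a bare prefix test, so any cookie whose name merely begins with the configured name also clears `chk`; a constructed example is name `SID` against a header value `SIDEBAR=...`. Matching the name together with its delimiter avoids that: `value.startsWith(cookieName + "=")`. Assuming `httpResponse` is an `HttpServletResponse`, `getHeader` returns only the first `Set-Cookie` value, so the session cookie can be missed when another cookie is set before it; iterating `getHeaders("Set-Cookie")` would cover that case. The loop and the later use of `chk` extend outside the hunk.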
@@ -65,7 +65,7 @@ http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd"> <security:custom-filter position="LAST" ref="userContextFormationFilter"/> <security:access-denied-handler error-page="/login.jsp"/> - <security:logout delete-cookies="RANGERADMINSESSIONID,xa_rmc" logout-url="/logout" success-handler-ref="customLogoutSuccessHandler" /> + <security:logout delete-cookies="${ranger.admin.cookie.name}" logout-url="/logout" success-handler-ref="customLogoutSuccessHandler" /> <http-basic entry-point-ref="authenticationProcessingFilterEntryPoint"/> </security:http> diff --git a/tagsync/conf/templates/ranger-tagsync-template.xml b/tagsync/conf/templates/ranger-tagsync-template.xml index 41aacbf..b8bfbf5 100644 --- a/tagsync/conf/templates/ranger-tagsync-template.xml +++ b/tagsync/conf/templates/ranger-tagsync-template.xml @@ -103,4 +103,8 @@ <name>ranger.tagsync.source.atlasrest.ssl.config.filename</name> <value></value> </property> + <property> + <name>ranger.tagsync.dest.ranger.session.cookie.name</name> + <value>RANGERADMINSESSIONID</value> + </property> </configuration> diff --git a/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSyncConfig.java b/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSyncConfig.java index 6d27b02..c4173da 100644 --- a/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSyncConfig.java +++ b/tagsync/src/main/java/org/apache/ranger/tagsync/process/TagSyncConfig.java @@ -35,6 +35,7 @@ import java.util.Enumeration; import java.util.Properties; import org.apache.ranger.credentialapi.CredentialReader; +import org.apache.ranger.plugin.util.RangerCommonConstants; public class TagSyncConfig extends Configuration { private static final Logger LOG = Logger.getLogger(TagSyncConfig.class); 
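Review bot: The new `delete-cookies` value on `<security:logout>` drops `xa_rmc`, which the previous line cleared at logout together with the session cookie. The commit title only mentions making the session cookie name configurable, so this looks unintended. If `xa_rmc` is still issued anywhere, it would now survive logout in the browser. I would keep it in the list: `delete-cookies="${ranger.admin.cookie.name},xa_rmc"`.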
@@ -84,6 +85,8 @@ public class TagSyncConfig extends Configuration { private static final String TAGSYNC_SOURCE_RETRY_INITIALIZATION_INTERVAL_PROP = "ranger.tagsync.source.retry.initialization.interval.millis"; public static final String TAGSYNC_RANGER_COOKIE_ENABLED_PROP = "ranger.tagsync.cookie.enabled"; + public static final String TAGSYNC_TAGADMIN_COOKIE_NAME_PROP = "ranger.tagsync.dest.ranger.session.cookie.name"; + private static final String DEFAULT_TAGADMIN_USERNAME = "rangertagsync"; private static final String DEFAULT_ATLASREST_USERNAME = "admin"; private static final String DEFAULT_ATLASREST_PASSWORD = "admin"; @@ -213,6 +216,15 @@ public class TagSyncConfig extends Configuration { return val == null || Boolean.valueOf(val.trim()); } + static public String getRangerAdminCookieName(Properties prop) { + String ret = RangerCommonConstants.DEFAULT_COOKIE_NAME; + String val = prop.getProperty(TAGSYNC_TAGADMIN_COOKIE_NAME_PROP); + if (StringUtils.isNotBlank(val)) { + ret = val; + } + return ret; + } + static public String getTagSyncLogdir(Properties prop) { return prop.getProperty(TAGSYNC_LOGDIR_PROP); } diff --git a/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java b/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java index 5d32cc0..011e2cc 100644 --- a/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java +++ b/tagsync/src/main/java/org/apache/ranger/tagsync/sink/tagadmin/TagAdminRESTSink.java @@ -61,6 +61,7 @@ public class TagAdminRESTSink implements TagSink, Runnable { List<NewCookie> cookieList=new ArrayList<>(); private boolean isRangerCookieEnabled; + private String rangerAdminCookieName; private RangerRESTClient tagRESTClient = null; 
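Review bot: `getRangerAdminCookieName` in the `@@ -213` hunk returns the configured value untrimmed and without documentation, and nothing ties `ranger.tagsync.dest.ranger.session.cookie.name` to the server-side `ranger.admin.cookie.name`. A value with stray whitespace, or one that drifts from the admin setting, never matches in `TagAdminRESTSink`, so the session cookie is not saved; presumably the client then falls back to authenticating again on each call without any log message that explains why. I would use `ret = val.trim();` and add a Javadoc sentence stating that the value must equal the cookie name configured on Ranger Admin. The same applies to `UserGroupSyncConfig.getRangerAdminCookieName` added later in this commit.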
@@ -85,6 +86,7 @@ public class TagAdminRESTSink implements TagSink, Runnable { rangerAdminConnectionCheckInterval = TagSyncConfig.getTagAdminConnectionCheckInterval(properties); isKerberized = TagSyncConfig.getTagsyncKerberosIdentity(properties) != null; isRangerCookieEnabled = TagSyncConfig.isTagSyncRangerCookieEnabled(properties); + rangerAdminCookieName=TagSyncConfig.getRangerAdminCookieName(properties); sessionId=null; if (LOG.isDebugEnabled()) { @@ -278,7 +280,7 @@ public class TagAdminRESTSink implements TagSink, Runnable { cookieList = response.getCookies(); // save cookie received from credentials session login for (NewCookie cookie : cookieList) { - if (cookie.getName().equalsIgnoreCase("RANGERADMINSESSIONID")) { + if (cookie.getName().equalsIgnoreCase(rangerAdminCookieName)) { sessionId = cookie.toCookie(); isValidRangerCookie = true; break; @@ -322,7 +324,7 @@ public class TagAdminRESTSink implements TagSink, Runnable { || response.getStatus() == HttpServletResponse.SC_OK) { List<NewCookie> respCookieList = response.getCookies(); for (NewCookie respCookie : respCookieList) { - if (respCookie.getName().equalsIgnoreCase("RANGERADMINSESSIONID")) { + if (respCookie.getName().equalsIgnoreCase(rangerAdminCookieName)) { if (!(sessionId.getValue().equalsIgnoreCase(respCookie.toCookie().getValue()))) { sessionId = respCookie.toCookie(); } diff --git a/tagsync/src/main/resources/ranger-tagsync-default.xml b/tagsync/src/main/resources/ranger-tagsync-default.xml index 08afc42..1034bc6 100644 --- a/tagsync/src/main/resources/ranger-tagsync-default.xml +++ b/tagsync/src/main/resources/ranger-tagsync-default.xml @@ -37,4 +37,8 @@ <name>ranger.tagsync.dest.ranger.username</name> <value>rangertagsync</value> </property> + <property> + <name>ranger.tagsync.dest.ranger.session.cookie.name</name> + <value>RANGERADMINSESSIONID</value> + </property> </configuration> 
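Review bot: Both changed loops in `TagAdminRESTSink` compare the cookie name with `equalsIgnoreCase`, but cookie names are case-sensitive. Now that the name is operator-chosen, a differently-cased cookie in the response would be accepted as the session cookie. The exact match is `cookie.getName().equals(rangerAdminCookieName)`, and `respCookie.getName().equals(rangerAdminCookieName)` in the second loop. The five changed comparisons in `LdapPolicyMgrUserGroupBuilder` have the same pattern with `rangerCookieName`. The loops sit inside methods that start outside the hunks.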
diff --git a/tagsync/src/main/resources/ranger-tagsync-site.xml b/tagsync/src/main/resources/ranger-tagsync-site.xml index 9a14c1c..0b9ef84 100644 --- a/tagsync/src/main/resources/ranger-tagsync-site.xml +++ b/tagsync/src/main/resources/ranger-tagsync-site.xml @@ -97,6 +97,10 @@ <name>ranger.tagsync.cookie.enabled</name> <value>true</value> </property> + <property> + <name>ranger.tagsync.dest.ranger.session.cookie.name</name> + <value>RANGERADMINSESSIONID</value> + </property> <!-- Ranger-tagsync uses the following two properties to derive name of Ranger Service in a Federated or non-Federated HDFS setup --> diff --git a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java index b469e92..8017395 100644 --- a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java +++ b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java @@ -80,7 +80,6 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder private static final String GROUP_SOURCE_EXTERNAL ="1"; - private static final String RANGER_ADMIN_COOKIE_NAME = "RANGERADMINSESSIONID"; private static String LOCAL_HOSTNAME = "unknown"; private String recordsToPullPerCall = "1000"; private boolean isMockRun = false; @@ -104,7 +103,7 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder Map<String, String> userMap = new LinkedHashMap<String, String>(); Map<String, String> groupMap = new LinkedHashMap<String, String>(); private boolean isRangerCookieEnabled; - + private String rangerCookieName; static { try { LOCAL_HOSTNAME = java.net.InetAddress.getLocalHost().getCanonicalHostName(); 
@@ -118,6 +117,8 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder policyMgrBaseUrl = config.getPolicyManagerBaseURL(); isMockRun = config.isMockRunEnabled(); isRangerCookieEnabled = config.isUserSyncRangerCookieEnabled(); + rangerCookieName = config.getRangerAdminCookieName(); + if (isMockRun) { LOG.setLevel(Level.DEBUG); } @@ -623,7 +624,7 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder || response.getStatus() == HttpServletResponse.SC_OK) { cookieList = response.getCookies(); for (NewCookie cookie : cookieList) { - if (cookie.getName().equalsIgnoreCase(RANGER_ADMIN_COOKIE_NAME)) { + if (cookie.getName().equalsIgnoreCase(rangerCookieName)) { sessionId = cookie.toCookie(); isValidRangerCookie = true; break; @@ -939,7 +940,7 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder } else if (clientResp.getStatus() == HttpServletResponse.SC_NO_CONTENT || clientResp.getStatus() == HttpServletResponse.SC_OK) { List<NewCookie> respCookieList = clientResp.getCookies(); for (NewCookie cookie : respCookieList) { - if (cookie.getName().equalsIgnoreCase(RANGER_ADMIN_COOKIE_NAME)) { + if (cookie.getName().equalsIgnoreCase(rangerCookieName)) { if (!(sessionId.getValue().equalsIgnoreCase(cookie.toCookie().getValue()))) { sessionId = cookie.toCookie(); } @@ -990,7 +991,7 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder } else if (clientResp.getStatus() == HttpServletResponse.SC_OK || clientResp.getStatus() == HttpServletResponse.SC_NO_CONTENT) { cookieList = clientResp.getCookies(); for (NewCookie cookie : cookieList) { - if (cookie.getName().equalsIgnoreCase(RANGER_ADMIN_COOKIE_NAME)) { + if (cookie.getName().equalsIgnoreCase(rangerCookieName)) { sessionId = cookie.toCookie(); isValidRangerCookie = true; LOG.info("valid cookie saved "); 
@@ -1037,7 +1038,7 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder } else if (clientResp.getStatus() == HttpServletResponse.SC_OK || clientResp.getStatus() == HttpServletResponse.SC_NO_CONTENT) { cookieList = clientResp.getCookies(); for (NewCookie cookie : cookieList) { - if (cookie.getName().equalsIgnoreCase(RANGER_ADMIN_COOKIE_NAME)) { + if (cookie.getName().equalsIgnoreCase(rangerCookieName)) { sessionId = cookie.toCookie(); isValidRangerCookie = true; LOG.info("valid cookie saved "); @@ -1088,7 +1089,7 @@ private static final Logger LOG = Logger.getLogger(LdapPolicyMgrUserGroupBuilder } else if (clientResp.getStatus() == HttpServletResponse.SC_NO_CONTENT || clientResp.getStatus() == HttpServletResponse.SC_OK) { List<NewCookie> respCookieList = clientResp.getCookies(); for (NewCookie cookie : respCookieList) { - if (cookie.getName().equalsIgnoreCase(RANGER_ADMIN_COOKIE_NAME)) { + if (cookie.getName().equalsIgnoreCase(rangerCookieName)) { if (!(sessionId.getValue().equalsIgnoreCase(cookie.toCookie().getValue()))) { sessionId = cookie.toCookie(); } diff --git a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java index 1d4e37f..a041345 100644 --- a/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java +++ b/ugsync/src/main/java/org/apache/ranger/unixusersync/config/UserGroupSyncConfig.java @@ -26,8 +26,10 @@ import java.util.Properties; import java.util.Set; import java.util.StringTokenizer; +import org.apache.commons.lang.StringUtils; import org.apache.hadoop.conf.Configuration; import org.apache.ranger.credentialapi.CredentialReader; +import org.apache.ranger.plugin.util.RangerCommonConstants; import org.apache.ranger.plugin.util.XMLUtils; import org.apache.ranger.usergroupsync.UserGroupSink; import org.apache.ranger.usergroupsync.UserGroupSource; 
@@ -236,6 +238,8 @@ public class UserGroupSyncConfig { private static final String USERSYNC_RANGER_COOKIE_ENABLED_PROP = "ranger.usersync.cookie.enabled"; + private static final String RANGER_ADMIN_COOKIE_NAME_PROPS = "ranger.usersync.dest.ranger.session.cookie.name"; + private Properties prop = new Properties(); private static volatile UserGroupSyncConfig me = null; @@ -939,6 +943,14 @@ public class UserGroupSyncConfig { return val == null || Boolean.valueOf(val.trim()); } + public String getRangerAdminCookieName() { + String ret = RangerCommonConstants.DEFAULT_COOKIE_NAME; + String val = prop.getProperty(RANGER_ADMIN_COOKIE_NAME_PROPS); + if (StringUtils.isNotBlank(val)) { + ret = val; + } + return ret; + } public String getRoleDelimiter() { if (prop != null && prop.containsKey(ROLE_ASSIGNMENT_LIST_DELIMITER)) { diff --git a/unixauthservice/conf.dist/ranger-ugsync-default.xml b/unixauthservice/conf.dist/ranger-ugsync-default.xml index e2e014b..0f88aa3 100644 --- a/unixauthservice/conf.dist/ranger-ugsync-default.xml +++ b/unixauthservice/conf.dist/ranger-ugsync-default.xml @@ -69,4 +69,8 @@ <name>ranger.usersync.cookie.enabled</name> <value>true</value> </property> + <property> + <name>ranger.usersync.dest.ranger.session.cookie.name</name> + <value>RANGERADMINSESSIONID</value> + </property> </configuration> diff --git a/unixauthservice/scripts/templates/ranger-ugsync-template.xml b/unixauthservice/scripts/templates/ranger-ugsync-template.xml index 0c2d1fc..0cacc95 100644 --- a/unixauthservice/scripts/templates/ranger-ugsync-template.xml +++ b/unixauthservice/scripts/templates/ranger-ugsync-template.xml @@ -225,4 +225,8 @@ <name>ranger.usersync.group.based.role.assignment.rules</name> <value></value> </property> + <property> + <name>ranger.usersync.dest.ranger.session.cookie.name</name> + <value>RANGERADMINSESSIONID</value> + </property> </configuration>