This is an automated email from the ASF dual-hosted git repository. mehul pushed a commit to branch ranger-2.3 in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.3 by this push:
     new bcd501a8d RANGER-2704 : Support browser login using kerberized authentication.
bcd501a8d is described below
commit bcd501a8d88135e1917019463a47d2349e16a166
Author: Vishal Suvagia <vishalsuva...@apache.org>
AuthorDate: Mon Feb 28 19:06:55 2022 +0530
    RANGER-2704 : Support browser login using kerberized authentication.
    Issue: Need to support browser login using kerberos authentication.
    Changes: Added changes to enable Ranger Admin to support kerberos ticket based login.
    Testing: Veriried kerberos ticket authentication is working on a kerberized browser.
    Signed-off-by: Mehul Parikh <me...@apache.org>
---
 .../security/web/filter/RangerKrbFilter.java | 18 ++++++--
 .../web/filter/RangerSSOAuthenticationFilter.java | 49 ++++++++++++++++++++++
 .../conf.dist/ranger-admin-default-site.xml | 4 ++
 3 files changed, 68 insertions(+), 3 deletions(-)
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
index 223a991c7..801b0974a 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java
@@ -111,6 +111,8 @@ public class RangerKrbFilter implements Filter {
   static final String ALLOW_TRUSTED_PROXY = "ranger.authentication.allow.trustedproxy";
+  private static final String supportKerberosAuthForBrowserLoginConfig = "ranger.allow.kerberos.auth.login.browser";
+
   private String[] browserUserAgents;
   private Properties config;
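Review bot: `supportKerberosAuthForBrowserLoginConfig` is a `static final` constant but is named in lowerCamelCase, unlike `ALLOW_TRUSTED_PROXY` on the line above it; `private static final String SUPPORT_KERBEROS_AUTH_FOR_BROWSER_LOGIN = "ranger.allow.kerberos.auth.login.browser";` would follow the file's own convention. The same key is repeated as a bare string literal in `RangerSSOAuthenticationFilter.isKerberosAuthEnabled()` in this commit's second file, so the two filters can drift apart if the property is ever renamed. Since this class already reads `RangerCommonConstants.PROP_COOKIE_NAME`, `RangerCommonConstants` looks like the natural shared home for the key, with both filters referencing it.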
@@ -121,6 +123,8 @@ public class RangerKrbFilter implements Filter {
   private String cookieDomain;
   private String cookiePath;
   private String cookieName;
+  private boolean isKerberosEnabled = false;
+  private boolean supportKerberosAuthForBrowserLogin = false;
   /**
    * <p>Initializes the authentication filter and signer secret provider.</p>
@@ -160,6 +164,8 @@ public class RangerKrbFilter implements Filter {
     cookieDomain = config.getProperty(COOKIE_DOMAIN, null);
     cookiePath = config.getProperty(COOKIE_PATH, null);
     cookieName = config.getProperty(RangerCommonConstants.PROP_COOKIE_NAME, RangerCommonConstants.DEFAULT_COOKIE_NAME);
+    isKerberosEnabled = (PropertiesUtil.getProperty("hadoop.security.authentication", "simple").equalsIgnoreCase("kerberos"));
+    supportKerberosAuthForBrowserLogin = PropertiesUtil.getBooleanProperty(supportKerberosAuthForBrowserLoginConfig, false);
   }
   protected void initializeAuthHandler(String authHandlerClassName, FilterConfig filterConfig)
@@ -504,6 +510,7 @@ public class RangerKrbFilter implements Filter {
         LOG.warn("Authentication exception: " + ex.getMessage(), ex);
       }
       if (unauthorizedResponse) {
+        String doAsUser = request.getParameter("doAs");
         if (!httpResponse.isCommitted()) {
           if (LOG.isDebugEnabled()) {
             LOG.debug("create auth cookie");
@@ -514,7 +521,7 @@ public class RangerKrbFilter implements Filter {
           // present.. reset to 403 if not found..
           if ((errCode == HttpServletResponse.SC_UNAUTHORIZED)
               && (!httpResponse.containsHeader(
-                  KerberosAuthenticator.WWW_AUTHENTICATE))) {
+                  KerberosAuthenticator.WWW_AUTHENTICATE) && !isKerberosEnabled && !supportKerberosAuthForBrowserLogin)) {
             errCode = HttpServletResponse.SC_FORBIDDEN;
           }
           if (authenticationEx == null) {
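Review bot: The added `!isKerberosEnabled` term in the `@@ -514,7` hunk exempts every kerberized deployment from the 401-to-403 downgrade, not only those that opted in to `ranger.allow.kerberos.auth.login.browser`, so a server with `hadoop.security.authentication=kerberos` and the new flag left at its default `false` can now answer 401 with no WWW-Authenticate header where it previously answered 403. If the 401 is only meant to survive for the new ticket-based browser flow, the two new terms should be combined: `KerberosAuthenticator.WWW_AUTHENTICATE) && !(isKerberosEnabled && supportKerberosAuthForBrowserLogin))) {`. The enclosing doFilter body starts and ends outside this hunk, so I cannot see whether a later branch always adds the header in the kerberos-but-flag-off case; if it does, a comment on the condition saying so would make the widened exemption deliberate rather than accidental.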
@@ -523,12 +530,17 @@ public class RangerKrbFilter implements Filter {
             agents = RangerCSRFPreventionFilter.BROWSER_USER_AGENTS_DEFAULT;
           }
           parseBrowserUserAgents(agents);
-          String doAsUser = request.getParameter("doAs");
           if(isBrowser(httpRequest.getHeader(RangerCSRFPreventionFilter.HEADER_USER_AGENT)) &&
-              (!allowTrustedProxy || (allowTrustedProxy && StringUtils.isEmpty(doAsUser))) ){
+              (!allowTrustedProxy || (allowTrustedProxy && StringUtils.isEmpty(doAsUser))) && !supportKerberosAuthForBrowserLogin){
             ((HttpServletResponse)response).setHeader(KerberosAuthenticator.WWW_AUTHENTICATE, "");
             filterChain.doFilter(request, response);
           }else{
+            if (isKerberosEnabled && isBrowser(httpRequest.getHeader(RangerCSRFPreventionFilter.HEADER_USER_AGENT)) && supportKerberosAuthForBrowserLogin) {
+              if (LOG.isDebugEnabled()) {
+                LOG.debug("Kerberos and ticket based browser login is enabled setting header to authenticate ticket based login for user.");
+              }
+              ((HttpServletResponse) response).setHeader(KerberosAuthenticator.WWW_AUTHENTICATE, KerberosAuthenticator.NEGOTIATE);
+            }
             if (allowTrustedProxy) {
               String expectHeader = httpRequest.getHeader("Expect");
               if (LOG.isDebugEnabled()) {
diff --git a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
index abbf2d983..63079d7ca 100644
--- a/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
+++ b/security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java
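Review bot: The first branch is now skipped whenever `supportKerberosAuthForBrowserLogin` is true, but the Negotiate challenge in the else branch is only set when `isKerberosEnabled` is also true, so a deployment that turns on the flag while `hadoop.security.authentication` is still `simple` neither falls through to the login page nor receives a challenge; browser login silently stops working instead of degrading to the old behaviour. Gating the exclusion on both values keeps the existing fallback for that misconfiguration: `(!allowTrustedProxy || (allowTrustedProxy && StringUtils.isEmpty(doAsUser))) && !(isKerberosEnabled && supportKerberosAuthForBrowserLogin)){`. `isBrowser(httpRequest.getHeader(RangerCSRFPreventionFilter.HEADER_USER_AGENT))` is now evaluated in both the `if` and the nested `if`; a single `boolean browserRequest = ...` above the condition would make the two paths easier to compare. The enclosing method continues past the end of the hunk, so what happens to the browser request after the header is set is not visible here.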
@@ -251,6 +251,32 @@ public class RangerSSOAuthenticationFilter implements Filter {
 				url = url.replace(RestUtil.LOCAL_LOGIN_URL, "");
 				LOG.warn("There is an active session and if you want local login to ranger, try this on a separate browser");
 				((HttpServletResponse)servletResponse).sendRedirect(url);
+			} else if (!ssoEnabled && ((HttpServletRequest) servletRequest).getRequestURI().contains(RestUtil.LOCAL_LOGIN_URL) && !isAuthenticated() &&
+					( isWebUserAgent(userAgent) || isBrowserAgent(userAgent))) {
+				// if sso is not enabled and request has locallogin then need to redirect user to the login page.
+				String url = ((HttpServletRequest) servletRequest).getRequestURI().replace(RestUtil.LOCAL_LOGIN_URL+"/", "");
+				url = url.replace(RestUtil.LOCAL_LOGIN_URL, "login.jsp");
+				// invalidating session
+				if (LOG.isDebugEnabled()) {
+					LOG.debug("Request does not have any authentication and contains local login url redirecting to login page.");
+				}
+				((HttpServletRequest) servletRequest).getSession().invalidate();
+
+				((HttpServletResponse)servletResponse).sendRedirect(url);
+			} else if (!ssoEnabled && !((HttpServletRequest) servletRequest).getRequestURI().contains(RestUtil.LOCAL_LOGIN_URL) && !isAuthenticated() &&
+					( isWebUserAgent(userAgent) || isBrowserAgent(userAgent)) && !isKerberosAuthEnabled()) {
+				// if sso is not enabled and request has is from browser and user is not authenticated and browser kerberos auth is not enabled
+				// then need to redirect user to the login page.
+				String url = ((HttpServletRequest) servletRequest).getRequestURI() ;
+				if (!url.contains("login.jsp")) {
+					url = url + "login.jsp";
+				}
+				// invalidating session
+				if (LOG.isDebugEnabled()) {
+					LOG.debug("Request does not have any authentication, redirecting to login page.");
+				}
+				((HttpServletRequest) servletRequest).getSession().invalidate();
+				((HttpServletResponse)servletResponse).sendRedirect(url);
 			}
 			//if sso is not enable or the request is not from browser then proceed further with next filter
 			else {
@@ -576,4 +602,27 @@ public class RangerSSOAuthenticationFilter implements Filter {
 		}
 		return loginURL;
 	}
+
+
+	protected boolean isBrowserAgent(String userAgent) {
+		boolean isWeb = false;
+		String agents = PropertiesUtil.getProperty("ranger.krb.browser-useragents-regex", RangerCSRFPreventionFilter.BROWSER_USER_AGENTS_DEFAULT);
+		if (agents == null) {
+			agents = RangerCSRFPreventionFilter.BROWSER_USER_AGENTS_DEFAULT;
+		}
+		String[] browserUserAgents = agents.split(",");
+		if (browserUserAgents.length > 0 && userAgent != null) {
+			for (String ua : browserUserAgents) {
+				if (userAgent.toLowerCase().startsWith(ua.toLowerCase())) {
+					isWeb = true;
+					break;
+				}
+			}
+		}
+		return isWeb;
+	}
+
+	protected boolean isKerberosAuthEnabled() {
+		return PropertiesUtil.getBooleanProperty("ranger.allow.kerberos.auth.login.browser", false);
+	}
 }
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
index f95b802fb..e8544c681 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
@@ -636,4 +636,8 @@
 		<name>ranger.tomcat.work.dir</name>
 		<value></value>
 	</property>
+	<property>
+		<name>ranger.allow.kerberos.auth.login.browser</name>
+		<value>false</value>
+	</property>
 </configuration>
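Review bot: In the second new `else if` branch the login target is built by appending `"login.jsp"` to the raw request URI, which only produces a valid path when the URI ends in `/`; a browser request for `/index.html` is redirected to `/index.htmllogin.jsp`, and the `contains("login.jsp")` guard does not catch that. Deriving the target from the context path instead, `String url = ((HttpServletRequest) servletRequest).getContextPath() + "/login.jsp";`, gives a stable location and also keeps client-supplied path text out of the Location header. Both new branches invalidate the session unconditionally before redirecting, whereas the pre-existing branch above only logs a warning; if the invalidation is meant to discard a stale login, the `// invalidating session` comment should say why, since it will also discard any other state the session held. The enclosing doFilter starts and ends outside this hunk, and `isAuthenticated()`, `isWebUserAgent()` and `userAgent` are defined elsewhere, so I cannot confirm what "authenticated" covers here.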
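Review bot: `isBrowserAgent` splits the `ranger.krb.browser-useragents-regex` list with `split(",")`, which keeps empty entries, so a trailing or doubled comma in that list yields an empty prefix that `startsWith` accepts for every client and all traffic is then classified as a browser. The `agents == null` check appears unreachable if `PropertiesUtil.getProperty` returns the supplied default for a missing key (that helper is out of view, so this is inferred), and `toLowerCase()` without a locale is locale-dependent. The rewrite below trims entries, skips empty ones and uses `Locale.ROOT` (which needs `java.util.Locale` imported); the property name says "regex" but the check is a prefix match, which deserves a comment so nobody configures a pattern expecting it to be compiled. Re-reading and splitting the property on every request is also avoidable if the list is parsed once at init, but that touches fields outside this hunk.
```java
	protected boolean isBrowserAgent(String userAgent) {
		if (userAgent == null) {
			return false;
		}
		String agents = PropertiesUtil.getProperty("ranger.krb.browser-useragents-regex", RangerCSRFPreventionFilter.BROWSER_USER_AGENTS_DEFAULT);
		if (agents == null) {
			agents = RangerCSRFPreventionFilter.BROWSER_USER_AGENTS_DEFAULT;
		}
		// case-insensitive prefix match; despite the property name the entries are not regexes
		String lowerAgent = userAgent.toLowerCase(Locale.ROOT);
		for (String entry : agents.split(",")) {
			String prefix = entry.trim().toLowerCase(Locale.ROOT);
			// skip empty entries: an empty prefix would match every client
			if (!prefix.isEmpty() && lowerAgent.startsWith(prefix)) {
				return true;
			}
		}
		return false;
	}
	// … unchanged: isKerberosAuthEnabled …
```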