> On March 1, 2022, 3:25 a.m., Kirby Zhou wrote: > > What will happens at following situation? > > > > 1. A kerberosized browser with unauthorized principal want to login to > > ranger by HTML form using another user/password. > > > > 2. A kerberosized browser with different KDC want to login to ranger by by > > HTML form using another user/password.
Hi Kirby Zhou, There is a flag to enable/disable kerberos based authentication for Ranger UI, it is disabled by default. If the kerberos auth is enabled by setting the flag and any user wants to use user/password credentials to login to Ranger UI it can be done by appending the "/locallogin" to the Ranger URL. For e.g : If url for Ranger UI is http://abc.cluster.com:6080 then the local-login url will be http://abc.cluster.com:6080/locallogin using this url, user can get the login page and enter the required user/password credentials. - Vishal ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/72024/#review224105 ----------------------------------------------------------- On Feb. 28, 2022, 7:35 p.m., Vishal Suvagia wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/72024/ > ----------------------------------------------------------- > > (Updated Feb. 28, 2022, 7:35 p.m.) > > > Review request for ranger, Ankita Sinha, Dhaval Shah, Dineshkumar Yadav, > Gautam Borad, Jayendra Parab, Kishor Gollapalliwar, Abhay Kulkarni, Madhan > Neethiraj, Mehul Parikh, Pradeep Agrawal, Ramesh Mani, Sailaja Polavarapu, > and Velmurugan Periasamy. > > > Bugs: RANGER-2704 > https://issues.apache.org/jira/browse/RANGER-2704 > > > Repository: ranger > > > Description > ------- > > Need to support browser login using kerberos authentication. Added a logout > for an unauthenticated user to redirect to the login page. > > > Diffs > ----- > > > security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java > 223a991c76bae7d25f5ce89604d0a8a90d426fe5 > > security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSSOAuthenticationFilter.java > abbf2d983beb30b59e5d3f6429d6fc226f735793 > security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml > 0a1128613dca50fe67ea3f891261f1ee449c46db > > > Diff: https://reviews.apache.org/r/72024/diff/2/ > > > Testing > ------- > > Veriried kerberos ticket authentication is working on a kerberized browser. > > > Steps to test for a kerberized browser: > #1) For Kerberized browsers: > #1> To open Chrome in kerberos enabled mode need to run below command: > google-chrome --auth-server-whitelist="*ranger.testserver.com" > #2> For Firefox, need to go to about:configs and then search for > negotiate and then add the host domain > ranger.testserver.com to the property > "network.negotiate-auth.trusted-uris" > #2) Perform kinit with the required user. > #3) Open the Ranger Admin portal using FQDN of the server host. > > > File Attachments > ---------------- > > RANGER-2704.patch > > https://reviews.apache.org/media/uploaded/files/2020/01/17/8c9682ca-1ade-4281-89e7-d43a8af09300__RANGER-2704.patch > > > Thanks, > > Vishal Suvagia > >
