-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/73881/#review224327
-----------------------------------------------------------


Ship it!




Ship It!

- Ramesh Mani


On April 7, 2022, 6:21 a.m., Kirby Zhou wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/73881/
> -----------------------------------------------------------
> 
> (Updated April 7, 2022, 6:21 a.m.)
> 
> 
> Review request for ranger.
> 
> 
> Bugs: RANGER-3619
>     https://issues.apache.org/jira/browse/RANGER-3619
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> REST API should return 403-Forbidden when an authenticated client is not allowed 
> to access the API, to avoid crashing Ranger clients.
> 
>  
> Now, some APIs return 401-Unauthorized instead of 403-Forbidden when the client 
> has already passed authentication but is not allowed to do something.
> In general, this will not cause any serious problems, but there is a flaw in 
> the SPNEGO protocol implementation of Java HttpURLConnection. It causes the 
> client to throw an unexpected exception. This will trouble operators and 
> developers.
>  
> Let me show you how it happens:
>  
> For example:
>  
> The RangerAdminClient inside KMS wants to access the API 
> "/service/secure/policies/download", but the principal is not in the 
> allowlist.
>  
> RangerAdminClient is based on Jersey-Client.
> JerseyClient sends an HTTP request to the Ranger service without authentication 
> information.
> Tomcat/Spring inside Ranger returns 401 with the HTTP header "WWW-Authenticate: 
> Negotiate".
> JerseyClient sends the request again with Kerberos/SPNEGO authentication tokens.
> Tomcat/Spring inside Ranger accepts the authentication, then calls 
> ServiceRest::getSecureServicePoliciesIfUpdated to handle the API call.
> ServiceRest::getSecureServicePoliciesIfUpdated checks the allowlist of the "kms 
> service", and refuses the client with 401.
> Tomcat/Spring inside Ranger returns 401 with the HTTP header "WWW-Authenticate: 
> Negotiate …" to notify RangerAdminClient that the authentication passed.
>  
> Now, there is a malformed state: the HTTP status code tells the client that 
> authentication failed, but the HTTP header tells the client that authentication passed.
>  
> On the RangerAdminClient side, 
>  
> sun.net.www.protocol.http.HttpURLConnection.getInputStream0() sees the second 
> 401.
> 'inNegotiate' = true, so it is in the process of negotiating.
> It checks: if "WWW-Authenticate: Negotiate" exists, then disable negotiate 
> for the following code, to avoid trying Negotiate once again.
> But "WWW-Authenticate: Negotiate xczsd324…" does not match the rule above.
> So HttpURLConnection calls AuthenticationInfo.sendHeaders to generate a new 
> request header.
> Wow, a null exception happens.
> 
> Logs "ERROR RangerAdminRESTClient - Error getting policies; Received NULL 
> response!!. secureMode=true, user=… (auth:KERBEROS), serviceName=kmsdev"
> 
> Log of KMS: "ERROR RangerAdminRESTClient - Failed to get response, Error is : 
> java.lang.RuntimeException: java.lang.NullPointerException"
>  
> 
> This log confuses the admin, who does not know how to fix it.
> 
> My patch fixes the HTTP return code, thus avoiding these problems.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 
> 1ec1df0a3d09577c52e503532d5aea87ad6cd72d 
>   security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java 
> 935435044624a38ce7b0b9c7401e3f3dbacc0f65 
>   security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 
> 8109968e4d55de9e7875fb56590e50522fba32cb 
>   security-admin/src/main/java/org/apache/ranger/rest/RoleREST.java 
> e3cdef1c2ba6411cf4d4a26cd49e56e9017f3e93 
>   security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java 
> 098188e3b9f1f837727c7d279a4fab1f0aa84e34 
>   security-admin/src/main/java/org/apache/ranger/rest/TagREST.java 
> 10f91e037180a50287b8d0b0fa0ea3eec0d7f415 
>   security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java 
> 451805321d050dda06a0f2b66a9b945411632e2f 
>   security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java 
> 5d7cbdc679c010a7b88c85324e6f9912cba29fe6 
>   security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerKrbFilter.java 
> 223a991c76bae7d25f5ce89604d0a8a90d426fe5 
> 
> 
> Diff: https://reviews.apache.org/r/73881/diff/1/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Kirby Zhou
> 
>
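As an added illustration, not part of the patch or of Ranger's code, the Java 17 snippet below models the status-code rule the request argues for: 401 with a bare Negotiate challenge only while the client is unauthenticated, 403 with no challenge header once the principal is known but not allowlisted, and the SPNEGO completion token only alongside a success reply. The class name, the allowlist entries and the token string are constructed for the example.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;

/** Added example, not Ranger code: choose status and challenge header for a Kerberos-protected
 *  endpoint so that 401 means "not authenticated" and 403 means "authenticated, not allowed". */
public final class AuthzReply {
    /** Response model: status code plus the headers that would be emitted. */
    public record Reply(int status, Map<String, String> headers) {}
    // Hypothetical allowlist for the policy-download API; Ranger itself reads it from service config.
    private static final Set<String> POLICY_DOWNLOAD_ALLOWLIST = Set.of("rangerkms/kms.example.com@EXAMPLE.COM");

    /** principal is null until SPNEGO completes; negotiateToken is the mutual-auth token for the client. */
    public static Reply decide(String principal, String negotiateToken) {
        if (principal == null) {
            // Not authenticated yet: 401 with the bare challenge so the client starts SPNEGO.
            return new Reply(401, Map.of("WWW-Authenticate", "Negotiate"));
        }
        if (!POLICY_DOWNLOAD_ALLOWLIST.contains(principal)) {
            // Authenticated but not authorised: 403 and no challenge header, so a client
            // that is mid-negotiation never sees the contradictory "401 + Negotiate <token>".
            return new Reply(403, Collections.emptyMap());
        }
        Map<String, String> headers = negotiateToken == null
                ? Collections.emptyMap()
                : Map.of("WWW-Authenticate", "Negotiate " + negotiateToken);
        return new Reply(200, headers);
    }

    /** The invariant the report describes being broken: a 401 carries only the bare challenge,
     *  a 403 carries none, and a completion token ("Negotiate <blob>") only accompanies success. */
    public static boolean isConsistent(Reply r) {
        String challenge = r.headers().get("WWW-Authenticate");
        switch (r.status()) {
            case 401: return "Negotiate".equals(challenge);
            case 403: return challenge == null;
            default:  return challenge == null || challenge.startsWith("Negotiate ");
        }
    }

    public static void main(String[] args) {
        // The contradictory reply from the review request, modelled with a constructed token.
        Reply buggy = new Reply(401, Map.of("WWW-Authenticate", "Negotiate xczsd324"));
        System.out.println("report's reply consistent: " + isConsistent(buggy));
        for (String p : new String[] {null, "hdfs/nn.example.com@EXAMPLE.COM", "rangerkms/kms.example.com@EXAMPLE.COM"}) {
            Reply r = decide(p, "xczsd324");
            System.out.println(p + " -> " + r.status() + " " + r.headers() + " consistent: " + isConsistent(r));
        }
    }
}
```

The check in isConsistent is the same rule HttpURLConnection applies on the client side, which is why a 401 whose header carries a token payload is the case that sends it back into negotiation.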
