> On Nov. 8, 2016, 2:33 p.m., Colm O hEigeartaigh wrote:
> > One problem with this solution is that TLS client authentication is no
> > longer enforced - instead just the certificate is retrieved from a HTTP
> > header. What's to stop a malicious client just including a valid (public)
> > certificate in the header to impersonate someone else?

Can you provide more details on how to impersonate someone else by using his valid public certificate? I would like to reproduce this.


- Pradeep


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53568/#review155289
-----------------------------------------------------------


On Nov. 8, 2016, 1:56 p.m., Pradeep Agrawal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/53568/
> -----------------------------------------------------------
> 
> (Updated Nov. 8, 2016, 1:56 p.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj, Mehul Parikh, Ramesh Mani, Selvamohan Neethiraj, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-1212
>     https://issues.apache.org/jira/browse/RANGER-1212
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> **Problem Statement :** If SSL is enabled in a Ranger unsecured HA environment, then the load balancer doesn't forward the client certificate to Ranger and authentication fails due to a certificate issue. In an SSL environment the client usually sends its SSL certificate as a request attribute to Ranger for authentication, but whenever such a request is sent via a load balancer, the load balancer cannot pass the received certificate on to Ranger and authentication fails.
> 
> **Note :** This is happening only in the unsecured environment, as the client certificate is mandatory at the Ranger end; in the secured environment, authentication is done through a Kerberos ticket, so the client certificate is not required.
> 
> **Proposed Solution :** Since the load balancer is unable to pass the client certificate as a request attribute, we can configure the load balancer to pass the client certificate as a request header. To enable this configuration at the load balancer end we need to add the line below and enable the load balancer to add the request header received from the client.
> 
>     RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
> 
> The load balancer shall send the client certificate in PEM format; the proposed patch shall read the PEM format certificate from the request header and parse it. Since Ranger requires an X509 format certificate to authenticate the request, the proposed patch contains the changes to parse the certificate into X509 format.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java 9e72f42 
> 
> Diff: https://reviews.apache.org/r/53568/diff/
> 
> 
> Testing
> -------
> 
> **Steps Performed (with patch):**
> 1. Installed ranger-admin on two nodes from a build having the changes of the proposed patch.
> 2. Configured Ranger admin in SSL mode.
> 3. Configured the load balancer in SSL mode with both ranger-admin nodes.
> 4. Created a truststore from the load balancer's self-signed keystore.
> 5. Created a truststore for the HDFS plugin and added the public key of Ranger admin as a trusted entry into it.
> 6. To enable the HDFS plugin to communicate with Ranger admin via the load balancer, copied the truststore file generated on the load balancer machine (file generated in step 4) to the HDFS node.
> 7. Generated the HDFS truststore in PEM format to configure it on the load balancer machine.
> 8. Created a ranger_lb_crt.pem file on the load balancer machine and added the content of the file created in the previous step.
> 9. On the load balancer machine, configured the path of the file created in the previous step.
> 10. Added the line below to the load balancer config file.
>     RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
> 11. Started ranger-admin, HDFS and the load balancer.
> 
> **Expected behaviour :** The Ranger plugin should be able to communicate with Ranger admin and download the policies.
> 
> **Actual behaviour :** The Ranger plugin was able to communicate with Ranger admin and download the policies.
> 
> 
> Thanks,
> 
> Pradeep Agrawal
> 
>
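As an added example, not code from the Ranger patch or from anyone in this thread: a small Python model of the exchange Colm describes. The "certificates" are constructed placeholders (PEM framing around a base64-encoded subject string) so the block runs offline; the load balancer address 10.0.0.5 and client address 203.0.113.7 are assumed; and real X.509 parsing is left to whatever certificate library the backend already uses (Ranger would hand the decoded DER to java.security.cert.CertificateFactory). What it shows is the trust decision itself: a backend that simply reads SSL_CLIENT_CERT from the request accepts whatever any client puts in that header, while the hardened pair has the proxy discard any client-supplied copy of the header, set it only from a certificate verified in the proxy's own TLS handshake, and the backend honour the header only on connections that come from that proxy.

```python
"""Trusting a client certificate carried in an HTTP header: naive vs hardened.

Added example, not part of Apache Ranger or the RANGER-1212 patch.
Placeholder certificates: PEM framing around base64("CN=<name>") instead of DER.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

HEADER = "SSL_CLIENT_CERT"
TRUSTED_PROXIES = {"10.0.0.5"}  # assumed load-balancer address, not from the thread
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


@dataclass
class Request:
    peer_addr: str                                 # TCP peer of this hop
    headers: Dict[str, str] = field(default_factory=dict)
    tls_client_pem: Optional[str] = None           # cert verified by THIS hop's TLS handshake, if any


def make_placeholder_pem(subject: str) -> str:
    """Constructed stand-in for a real PEM certificate (body is just base64 of the subject)."""
    body = base64.b64encode(subject.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def header_pem_to_der(value: Optional[str]) -> Optional[bytes]:
    """Extract and base64-decode the PEM body; tolerate newlines flattened to spaces,
    which is what typically happens when a multi-line PEM is stuffed into one header."""
    if not value:
        return None
    m = _PEM_RE.search(value)
    if not m:
        return None
    b64 = re.sub(r"\s+", "", m.group(1))
    try:
        return base64.b64decode(b64, validate=True)
    except ValueError:
        return None


def subject_of(der: bytes) -> str:
    """Placeholder for X.509 parsing; a real backend would parse DER here."""
    return der.decode()


def naive_authenticate(req: Request) -> Optional[str]:
    """The flaw Colm points at: whoever controls the header controls the identity."""
    der = header_pem_to_der(req.headers.get(HEADER))
    return subject_of(der) if der else None


def proxy_forward(inbound: Request, proxy_addr: str = "10.0.0.5") -> Request:
    """Model of a correctly configured load balancer: never forward a client-supplied
    SSL_CLIENT_CERT; set it only from the certificate this hop verified itself."""
    upstream = {k: v for k, v in inbound.headers.items() if k != HEADER}
    if inbound.tls_client_pem is not None:
        upstream[HEADER] = inbound.tls_client_pem
    return Request(peer_addr=proxy_addr, headers=upstream, tls_client_pem=None)


def hardened_authenticate(req: Request, trusted_proxies=TRUSTED_PROXIES) -> Optional[str]:
    # 1. A certificate verified in this hop's own TLS handshake always wins (direct client).
    if req.tls_client_pem is not None:
        der = header_pem_to_der(req.tls_client_pem)
        return subject_of(der) if der else None
    # 2. Otherwise the header is evidence only when the peer is a proxy we trust
    #    to have verified the client and overwritten the header.
    if req.peer_addr not in trusted_proxies:
        return None
    der = header_pem_to_der(req.headers.get(HEADER))
    return subject_of(der) if der else None


def run_scenarios() -> Dict[str, Optional[str]]:
    alice = make_placeholder_pem("CN=alice")       # public, anyone can obtain it
    mallory = make_placeholder_pem("CN=mallory")   # Mallory's own cert + private key
    direct_forged = Request("203.0.113.7", {HEADER: alice})
    via_proxy_no_cert = proxy_forward(Request("203.0.113.7", {HEADER: alice}))
    via_proxy_own_cert = proxy_forward(Request("203.0.113.7", {HEADER: alice}, tls_client_pem=mallory))
    return {
        "naive/direct forged header": naive_authenticate(direct_forged),        # "CN=alice"
        "hardened/direct forged header": hardened_authenticate(direct_forged),  # None
        "hardened/proxy, no client cert": hardened_authenticate(via_proxy_no_cert),  # None
        "hardened/proxy, Mallory's cert": hardened_authenticate(via_proxy_own_cert),  # "CN=mallory"
    }


if __name__ == "__main__":
    for name, who in run_scenarios().items():
        print(f"{name:35s} -> {who}")
```

In httpd terms the two halves of the hardened model are `SSLVerifyClient require` on the load balancer, so that `%{SSL_CLIENT_CERT}s` can only ever hold a certificate the handshake verified, together with `RequestHeader set` (which replaces rather than appends, so a client-supplied copy does not survive), and, on the Ranger side, accepting the header only from the load balancer's address or, better, over a TLS connection in which the load balancer itself presented a trusted certificate. Without the backend half, the direct-connection case in the first scenario remains open to anyone who can reach a Ranger admin node without going through the load balancer.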