from:"Vipin Rathor"

[jira] [Commented] (RANGER-2306) Knox Plugin doesn't pass X-Forwarded-for remote address to Ranger

2018-12-12 Thread Vipin Rathor (JIRA)



[ 
https://issues.apache.org/jira/browse/RANGER-2306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16719581#comment-16719581
 ] 

Vipin Rathor commented on RANGER-2306:
--

Thanks [~rmani] for review and commit. Appreciate it!

> Knox Plugin doesn't pass X-Forwarded-for remote address to Ranger
> -
>
> Key: RANGER-2306
> URL: https://issues.apache.org/jira/browse/RANGER-2306
> Project: Ranger
>  Issue Type: Bug
>  Components: plugins
>Affects Versions: 1.2.0
>Reporter: Vipin Rathor
>Priority: Major
> Fix For: 2.0.0, 1.2.1
>
> Attachments: 
> 0001-RANGER-2306-Add-support-for-X-Forwarded-for-header-i.patch
>
>
> *Problem Description:*
>  IP-based Knox policies doesn't work when Knox is behind a Load Balancer. 
> Because currently Ranger Knox plugin doesn't accept & pass on the 
> "X-Forwarded-for" header to Ranger policy engine.
> *Impact:*
> In an environment where Knox is running behind a Load Balancer and Knox has a 
> Ranger policy to allow/deny access to Hadoop services based on client IP 
> addresses, this won't work as expected due to this bug.
> *Expected Behavior:*
>  1. Knox plugin should process "X-Forwarded-for" header received from Load 
> Balancer and pass it on to policy engine in the form of 
> 'RangerAccessRequestImpl.forwardedAdresses'.
> *Steps to reproduce:*
>  1. Install & configure Knox behind a Load Balancer
> 2. Enable Ranger Knox plugin
> 3. Also Set "ranger.plugin.knox.use.x-forwarded-for.ipaddress=true" and 
> "ranger.plugin.knox.trusted.proxy.ipaddresses="
> 4. Define a Knox policy to allow access to user from designated client IP(s)
> 5. Try to access any WebHDFS (for example) resource via Knox via Load 
> Balancer for designated client host.
> *Workaround:*
> None



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (RANGER-2306) Knox Plugin doesn't pass X-Forwarded-for remote address to Ranger

2018-12-06 Thread Vipin Rathor (JIRA)



[ 
https://issues.apache.org/jira/browse/RANGER-2306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16712275#comment-16712275
 ] 

Vipin Rathor commented on RANGER-2306:
--

Review Request:
[https://reviews.apache.org/r/69519/]

 

> Knox Plugin doesn't pass X-Forwarded-for remote address to Ranger
> -
>
> Key: RANGER-2306
> URL: https://issues.apache.org/jira/browse/RANGER-2306
> Project: Ranger
>  Issue Type: Bug
>  Components: plugins
>Affects Versions: 1.2.0
>Reporter: Vipin Rathor
>Priority: Major
> Attachments: 
> 0001-RANGER-2306-Add-support-for-X-Forwarded-for-header-i.patch
>
>
> *Problem Description:*
>  IP-based Knox policies doesn't work when Knox is behind a Load Balancer. 
> Because currently Ranger Knox plugin doesn't accept & pass on the 
> "X-Forwarded-for" header to Ranger policy engine.
> *Impact:*
> In an environment where Knox is running behind a Load Balancer and Knox has a 
> Ranger policy to allow/deny access to Hadoop services based on client IP 
> addresses, this won't work as expected due to this bug.
> *Expected Behavior:*
>  1. Knox plugin should process "X-Forwarded-for" header received from Load 
> Balancer and pass it on to policy engine in the form of 
> 'RangerAccessRequestImpl.forwardedAdresses'.
> *Steps to reproduce:*
>  1. Install & configure Knox behind a Load Balancer
> 2. Enable Ranger Knox plugin
> 3. Also Set "ranger.plugin.knox.use.x-forwarded-for.ipaddress=true" and 
> "ranger.plugin.knox.trusted.proxy.ipaddresses="
> 4. Define a Knox policy to allow access to user from designated client IP(s)
> 5. Try to access any WebHDFS (for example) resource via Knox via Load 
> Balancer for designated client host.
> *Workaround:*
> None



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Review Request 69519: RANGER-2306 : Knox Plugin doesn't pass X-Forwarded-for remote address to Ranger

2018-12-06 Thread Vipin Rathor


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69519/
---

Review request for ranger.


Bugs: RANGER-2306
https://issues.apache.org/jira/browse/RANGER-2306


Repository: ranger


Description
---

Please help review. Thanks in advance !


Diffs
-

  
knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java
 d248785d48ff22de25de1ccbc4caa6f2ca9edbee 
  
knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java
 f84a3e03dd4b8ef5dc581b3810873fdeacc5b718 


Diff: https://reviews.apache.org/r/69519/diff/1/


Testing
---

Tested with the following cURL command to simulate load balancer:
curl -ivk --header "X-Forwarded-For:172.26.68.210" -u hr1:BadPass#1 
"https://172.25.39.164:8443/gateway/default/webhdfs/v1/?op=LISTSTATUS";

Without this patch, above request failed with "403 Forbidden" since correct IP 
was not passed to Ranger policy engine. This can be seen in the debug log below:
2018-12-06 20:42:15,049 DEBUG policyengine.RangerPolicyEngineImpl 
(RangerPolicyEngineImpl.java:preProcess(240)) - ==> 
RangerPolicyEngineImpl.preProcess(RangerAccessRequestImpl={resource={RangerResourceImpl={ownerUser={null}
 elements={service=WEBHDFS; topology=default; } }} accessType={allow} 
user={hr1} userGroups={HDP Ranger Admins hr hadoop-users } accessTime={Thu Dec 
06 20:42:15 UTC 2018} clientIPAddress={172.26.68.215} forwardedAddresses={} 
remoteIPAddress={null} clientType={null} action={allow} requestData={null} 
sessionId={null} resourceMatchingScope={SELF} clusterName={c1141} context={} })
2018-12-06 20:42:15,049 DEBUG policyengine.RangerAccessRequestImpl 
(RangerAccessRequestImpl.java:extractAndSetClientIPAddress(232)) - Using 
X-Forward-For...
2018-12-06 20:42:15,049 DEBUG policyengine.RangerAccessRequestImpl 
(RangerAccessRequestImpl.java:extractAndSetClientIPAddress(249)) - No 
X-Forwarded-For addresses in the access-request
2018-12-06 20:42:15,049 DEBUG policyengine.RangerAccessRequestImpl 
(RangerAccessRequestImpl.java:extractAndSetClientIPAddress(255)) - Old 
Remote/Client IP Address=172.26.68.215, new IP Address=172.26.68.215


After applying the patch, above cURL request passes with "200 OK" and with the 
following debug logs (note the forwardedAdresses value and Old and New IP 
address values):
2018-12-06 20:48:52,239 DEBUG policyengine.RangerPolicyEngineImpl 
(RangerPolicyEngineImpl.java:preProcess(240)) - ==> 
RangerPolicyEngineImpl.preProcess(RangerAccessRequestImpl={resource={RangerResourceImpl={ownerUser={null}
 elements={service=WEBHDFS; topology=default; } }} accessType={allow} 
user={hr1} userGroups={HDP Ranger Admins hr hadoop-users } accessTime={Thu Dec 
06 20:48:52 UTC 2018} clientIPAddress={172.26.68.215} 
forwardedAddresses={172.26.68.210 172.26.68.215} 
remoteIPAddress={172.26.68.215} clientType={null} action={allow} 
requestData={null} sessionId={null} resourceMatchingScope={SELF} 
clusterName={c1141} context={} })
2018-12-06 20:48:52,239 DEBUG policyengine.RangerAccessRequestImpl 
(RangerAccessRequestImpl.java:extractAndSetClientIPAddress(232)) - Using 
X-Forward-For...
2018-12-06 20:48:52,239 DEBUG policyengine.RangerAccessRequestImpl 
(RangerAccessRequestImpl.java:extractAndSetClientIPAddress(255)) - Old 
Remote/Client IP Address=172.26.68.215, new IP Address=172.26.68.210


Thanks,

Vipin Rathor

[jira] [Updated] (RANGER-2306) Knox Plugin doesn't pass X-Forwarded-for remote address to Ranger

2018-12-06 Thread Vipin Rathor (JIRA)



 [ 
https://issues.apache.org/jira/browse/RANGER-2306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Vipin Rathor updated RANGER-2306:
-
Attachment: 0001-RANGER-2306-Add-support-for-X-Forwarded-for-header-i.patch

> Knox Plugin doesn't pass X-Forwarded-for remote address to Ranger
> -
>
> Key: RANGER-2306
> URL: https://issues.apache.org/jira/browse/RANGER-2306
> Project: Ranger
>  Issue Type: Bug
>  Components: plugins
>Affects Versions: 1.2.0
>Reporter: Vipin Rathor
>Priority: Major
> Attachments: 
> 0001-RANGER-2306-Add-support-for-X-Forwarded-for-header-i.patch
>
>
> *Problem Description:*
>  IP-based Knox policies doesn't work when Knox is behind a Load Balancer. 
> Because currently Ranger Knox plugin doesn't accept & pass on the 
> "X-Forwarded-for" header to Ranger policy engine.
> *Impact:*
> In an environment where Knox is running behind a Load Balancer and Knox has a 
> Ranger policy to allow/deny access to Hadoop services based on client IP 
> addresses, this won't work as expected due to this bug.
> *Expected Behavior:*
>  1. Knox plugin should process "X-Forwarded-for" header received from Load 
> Balancer and pass it on to policy engine in the form of 
> 'RangerAccessRequestImpl.forwardedAdresses'.
> *Steps to reproduce:*
>  1. Install & configure Knox behind a Load Balancer
> 2. Enable Ranger Knox plugin
> 3. Also Set "ranger.plugin.knox.use.x-forwarded-for.ipaddress=true" and 
> "ranger.plugin.knox.trusted.proxy.ipaddresses="
> 4. Define a Knox policy to allow access to user from designated client IP(s)
> 5. Try to access any WebHDFS (for example) resource via Knox via Load 
> Balancer for designated client host.
> *Workaround:*
> None



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Created] (RANGER-2306) Knox Plugin doesn't pass X-Forwarded-for remote address to Ranger

2018-12-06 Thread Vipin Rathor (JIRA)

Vipin Rathor created RANGER-2306:


 Summary: Knox Plugin doesn't pass X-Forwarded-for remote address 
to Ranger
 Key: RANGER-2306
 URL: https://issues.apache.org/jira/browse/RANGER-2306
 Project: Ranger
  Issue Type: Bug
  Components: plugins
Affects Versions: 1.2.0
Reporter: Vipin Rathor


*Problem Description:*
 IP-based Knox policies doesn't work when Knox is behind a Load Balancer. 
Because currently Ranger Knox plugin doesn't accept & pass on the 
"X-Forwarded-for" header to Ranger policy engine.

*Impact:*
In an environment where Knox is running behind a Load Balancer and Knox has a 
Ranger policy to allow/deny access to Hadoop services based on client IP 
addresses, this won't work as expected due to this bug.

*Expected Behavior:*
 1. Knox plugin should process "X-Forwarded-for" header received from Load 
Balancer and pass it on to policy engine in the form of 
'RangerAccessRequestImpl.forwardedAdresses'.

*Steps to reproduce:*
 1. Install & configure Knox behind a Load Balancer
2. Enable Ranger Knox plugin
3. Also Set "ranger.plugin.knox.use.x-forwarded-for.ipaddress=true" and 
"ranger.plugin.knox.trusted.proxy.ipaddresses="
4. Define a Knox policy to allow access to user from designated client IP(s)
5. Try to access any WebHDFS (for example) resource via Knox via Load Balancer 
for designated client host.

*Workaround:*
None



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Created] (RANGER-2227) Visiting Ranger Admin UI forces subsequent requests to other services redirect to HTTPS

2018-09-14 Thread Vipin Rathor (JIRA)

Vipin Rathor created RANGER-2227:

Summary: Visiting Ranger Admin UI forces subsequent requests to
other services redirect to HTTPS
Key: RANGER-2227
URL: https://issues.apache.org/jira/browse/RANGER-2227
Project: Ranger
Issue Type: Bug
Components: admin
Affects Versions: 1.1.0
Reporter: Vipin Rathor

*Problem Description:*
Visiting Ranger Admin UI in any browser (Firefox / Chrome) sets the HTTP
Strict Transport Security (HSTS) header for the host where Ranger is running.
Any subsequent request to other service on the same host (e.g. YARN RM UI etc.)
over HTTP would get redirected to HTTPS because of this header and due to
change in browser behavior recently:
[Firefox|https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security]
and [Chrome|https://www.chromium.org/hsts].

Ideally, these headers should be configurable, so that admin can set them as
per requirement. Like the way Knox expose this via
[configuration|https://knox.apache.org/books/knox-1-1-0/user-guide.html#HTTP+Strict+Transport+Security],
I recently reported similar in Knox via KNOX-1434

*Impact:*
All the non-SSL requests to other services get redirected automatically to
HTTPS and would result in SSL errors like: SSL_ERROR_RX_RECORD_TOO_LONG or some
other error.

*Expected Behavior:*
1. Unless HSTS is specifically enabled for Ranger Admin UI, it should not set
HSTS header. Therefore, there should be a configurable option to enable/disable
HSTS.
2. HSTS should be disabled by default for Ranger Admin.

*Steps to reproduce:*
1. Install & configure Ranger with SSL and a trusted CA (no self-signed)
2. Also configure few other services like RM, Oozie on the same Ranger Admin
host
3. Once Ranger is up, visit Ranger Admin UI
4. Now, in the same browser session, visit any non-SSL service running on the
same Ranger host (like RM UI, Oozie UI).
5. Browser will redirect this HTTP request to HTTPS.
6. If one can carefully clear the HSTS header in browser, then redirection
will stop until the next time one visits Ranger Admin UI again.

*Workaround:*
Currently the workaround is to open Ranger Admin UI in a separate browser OR
move Ranger Admin service to a host where other UI services are not installed.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Re: [VOTE] Apache Ranger Release 1.1.0-rc2

2018-07-06 Thread Vipin Rathor

+1 (NB)
- able to download/extract/build Apache Ranger 1.1.0-rc2 with all the tests
and RAT checks
- Successfully verified PGP signature and all the hashes

Thank you Vel for this.

On Fri, Jul 6, 2018 at 1:06 PM, Don Bosco Durai  wrote:

> +1
>
> - Build went through with test and RAT check enabled
> - Verified SHA1
>
> Vel, thanks for putting this together.
>
> Bosco
>
> On 7/5/18, 12:56 PM, "Velmurugan Periasamy"  wrote:
>
> Hello Rangers:
>
> Thank you for your contribution to Apache Ranger community. Apache
> Ranger 1.1.0 release candidate #2 is now available for a vote within dev
> community. Note: RC1 (https://dist.apache.org/repos/dist/dev/ranger/1.1.0-
> rc1/) is canceled due to https://issues.apache.org/jira/browse/RANGER-1951.
>
>
> Links to RC2 release artifacts are given below. Kindly request all
> Rangers (Dev's & PMC members) to review and vote on this release.
>
>
> Git tag for the release:
> https://github.com/apache/ranger/tree/ranger-1.1.0-rc2 (last commit
> id:  1732536f1de4ac3f1699f660e089385487004261)
>
>
> Sources for the release:
> https://dist.apache.org/repos/dist/dev/ranger/1.1.0-rc2/
> apache-ranger-1.1.0.tar.gz
>
>
> Source release verification:
>
> PGP Signature:
> https://dist.apache.org/repos/dist/dev/ranger/1.1.0-rc2/
> apache-ranger-1.1.0.tar.gz.asc
>
> MD5/SHA Hashes:
> https://dist.apache.org/repos/dist/dev/ranger/1.1.0-rc2/
> apache-ranger-1.1.0.tar.gz.mds
> https://dist.apache.org/repos/dist/dev/ranger/1.1.0-rc2/
> apache-ranger-1.1.0.tar.gz.sha1
> https://dist.apache.org/repos/dist/dev/ranger/1.1.0-rc2/
> apache-ranger-1.1.0.tar.gz.sha256
> https://dist.apache.org/repos/dist/dev/ranger/1.1.0-rc2/
> apache-ranger-1.1.0.tar.gz.sha512
>
>
> Keys to verify the signature of the release artifact are available at:
> https://dist.apache.org/repos/dist/release/ranger/KEYS
>
>
> Release Notes:
> https://cwiki.apache.org/confluence/display/RANGER/
> Apache+Ranger+1.1.0+-+Release+Notes
>
>
> Build verification steps can be found at:
>http://ranger.apache.org/quick_start_guide.html
>
>
> The vote will be open for at least 72 hours or until necessary number
> of votes are reached.
> [ ] +1  approve
> [ ] +0  no opinion
> [ ] -1  disapprove (and reason why)
>
> Here is my +1
>
> Thank you,
> Vel
>
>
>


-- 
-Rathor

[jira] [Commented] (RANGER-2306) Knox Plugin doesn't pass X-Forwarded-for remote address to Ranger

[jira] [Commented] (RANGER-2306) Knox Plugin doesn't pass X-Forwarded-for remote address to Ranger

Review Request 69519: RANGER-2306 : Knox Plugin doesn't pass X-Forwarded-for remote address to Ranger

[jira] [Updated] (RANGER-2306) Knox Plugin doesn't pass X-Forwarded-for remote address to Ranger

[jira] [Created] (RANGER-2306) Knox Plugin doesn't pass X-Forwarded-for remote address to Ranger

[jira] [Created] (RANGER-2227) Visiting Ranger Admin UI forces subsequent requests to other services redirect to HTTPS

Re: [VOTE] Apache Ranger Release 1.1.0-rc2

7 matches

Site Navigation

Mail list logo

Footer information