RANGER-5499: Add support for header based authentication #873
kumaab wants to merge 7 commits into apache:master from
| private final Object principal; | ||
| private final AuthMechanism authMechanism; | ||
| private final int authType; |
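Review bot: `private final int authType;` sits beside the typed `AuthMechanism authMechanism` field with no comment on how the two relate or which values the int may take. Add a field comment that names the allowed constants and states whether authType is derived from authMechanism; if it is, consider computing it rather than storing both.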
authType and authMechanism seem to capture the same details. For example, given an authMechanism can there be different authType values or vice-versa? If not, I suggest dropping authMechanism (and the enum) from here.
Different authMechanisms can map to the same authType. For example, both HEADER and KERBEROS authMechanism map to AUTH_TYPE_TRUSTED_PROXY authType. AuthMechanism can have more enum values once the existing filters migrate to use RangerAuthenticationToken.
Mapping for authMechanisms HEADER and KERBEROS to AUTH_TYPE_TRUSTED_PROXY doesn't seem correct. Consider the following mappings:
BASIC => XXAuthSession.AUTH_TYPE_PASSWORD
KERBEROS => XXAuthSession.AUTH_TYPE_KERBEROS
SSO => XXAuthSession.AUTH_TYPE_SSO
HEADER => XXAuthSession.AUTH_TYPE_TRUSTED_PROXY
| private final Object principal; | ||
| private final AuthMechanism authMechanism; | ||
| private final int authType; | ||
| private final String requestId; |
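Review bot: `private final String requestId;` is final, so the token keeps whatever id it was constructed with for as long as the same token object is in use, and nothing in these lines says which request that id belongs to. Document the intended lifetime on the field, or drop the field and read the id from the current request where it is needed.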
Why is it necessary to capture requestId in RangerAuthenticationToken? I suggest dropping it.
It's used in the last filter RangerSecurityContextFormationFilter:
String requestId = (auth instanceof RangerAuthenticationToken) ? ((RangerAuthenticationToken) auth).getRequestId() : null;
requestId shouldn't be tied to a session; instead it should be read from each request header.
What changes were proposed in this pull request?
Ranger servers currently support multiple authentication mechanisms, including Kerberos, username/password (LDAP, local users), JWT, and SSO. To support deployments behind proxy servers that handle authentication, Ranger servers should support header-based authentication. When this authentication is enabled, Ranger should look for configured HTTP headers to find the username and request-id.
How was this patch tested?
Pending CI
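
An added sketch, not code from this pull request or from Ranger, of the header-based flow described above: the username header is honoured only when the request arrives from a configured proxy address, the request id is read from each request, and each mechanism maps to one auth type as proposed in the review. The class, record and header names, the proxy address and the numeric AUTH_TYPE values are all assumptions made for the illustration.

```java
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.TreeMap;

// Added illustration: all names are hypothetical, not Ranger's classes or config keys.
public class HeaderPreAuthSketch {
    enum AuthMechanism { BASIC, KERBEROS, SSO, HEADER }

    // Stand-ins for the XXAuthSession.AUTH_TYPE_* constants; numeric values are placeholders.
    static final int AUTH_TYPE_PASSWORD = 1, AUTH_TYPE_KERBEROS = 2,
                     AUTH_TYPE_SSO = 3, AUTH_TYPE_TRUSTED_PROXY = 4;

    // One auth type per mechanism, following the mapping proposed in the review.
    static int authTypeFor(AuthMechanism m) {
        switch (m) {
            case BASIC:    return AUTH_TYPE_PASSWORD;
            case KERBEROS: return AUTH_TYPE_KERBEROS;
            case SSO:      return AUTH_TYPE_SSO;
            default:       return AUTH_TYPE_TRUSTED_PROXY; // HEADER
        }
    }

    record Request(String remoteAddr, Map<String, String> headers) {}
    record Identity(String user, AuthMechanism mechanism, int authType) {}

    // Assumed deployment settings (constructed sample values).
    static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5");
    static final String USER_HEADER = "X-Forwarded-User";
    static final String REQUEST_ID_HEADER = "X-Request-Id";

    // Accept the username header only when the peer is a trusted proxy address.
    static Optional<Identity> authenticate(Request req) {
        if (!TRUSTED_PROXIES.contains(req.remoteAddr())) return Optional.empty();
        String user = req.headers().get(USER_HEADER);
        if (user == null || user.isBlank()) return Optional.empty();
        AuthMechanism m = AuthMechanism.HEADER;
        return Optional.of(new Identity(user.trim(), m, authTypeFor(m)));
    }

    // Read per request, so the id is never carried over from the request that authenticated.
    static String requestId(Request req) { return req.headers().get(REQUEST_ID_HEADER); }

    public static void main(String[] args) {
        // Header names are case-insensitive, hence the case-insensitive map.
        Map<String, String> h = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        h.put("x-forwarded-user", "alice");
        h.put("x-request-id", "req-001");
        System.out.println(authenticate(new Request("10.0.0.5", h)));    // via the proxy
        System.out.println(authenticate(new Request("203.0.113.9", h))); // direct client, header ignored
        System.out.println(requestId(new Request("10.0.0.5", h)));
    }
}
```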