Delivered-To: mailing list dev@ranger.apache.org
Subject: Re: Review Request 69519: RANGER-2306 : Knox Plugin doesn't pass X-Forwarded-for remote address to Ranger
From: Ramesh Mani
To: Vipin Rathor , Ramesh Mani , ranger
Date: Fri, 07 Dec 2018 05:48:28 -0000

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/69519/#review211107
-----------------------------------------------------------

Ship it!

Ship It!

- Ramesh Mani


On Dec. 7, 2018, 2:39 a.m., Vipin Rathor wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/69519/
> -----------------------------------------------------------
>
> (Updated Dec. 7, 2018, 2:39 a.m.)
>
>
> Review request for ranger.
>
>
> Bugs: RANGER-2306
>     https://issues.apache.org/jira/browse/RANGER-2306
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Please help review. Thanks in advance!
>
>
> Diffs
> -----
>
>   knox-agent/src/main/java/org/apache/ranger/authorization/knox/KnoxRangerPlugin.java d248785d48ff22de25de1ccbc4caa6f2ca9edbee
>   knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java f84a3e03dd4b8ef5dc581b3810873fdeacc5b718
>
>
> Diff: https://reviews.apache.org/r/69519/diff/1/
>
>
> Testing
> -------
>
> Tested with the following cURL command to simulate a load balancer:
> curl -ivk --header "X-Forwarded-For:172.26.68.210" -u hr1:BadPass#1 "https://172.25.39.164:8443/gateway/default/webhdfs/v1/?op=LISTSTATUS"
>
> Without this patch, the above request failed with "403 Forbidden" since the correct IP was not passed to the Ranger policy engine. This can be seen in the debug log below:
> 2018-12-06 20:42:15,049 DEBUG policyengine.RangerPolicyEngineImpl (RangerPolicyEngineImpl.java:preProcess(240)) - ==> RangerPolicyEngineImpl.preProcess(RangerAccessRequestImpl={resource={RangerResourceImpl={ownerUser={null} elements={service=WEBHDFS; topology=default; } }} accessType={allow} user={hr1} userGroups={HDP Ranger Admins hr hadoop-users } accessTime={Thu Dec 06 20:42:15 UTC 2018} clientIPAddress={172.26.68.215} forwardedAddresses={} remoteIPAddress={null} clientType={null} action={allow} requestData={null} sessionId={null} resourceMatchingScope={SELF} clusterName={c1141} context={} })
> 2018-12-06 20:42:15,049 DEBUG policyengine.RangerAccessRequestImpl (RangerAccessRequestImpl.java:extractAndSetClientIPAddress(232)) - Using X-Forward-For...
> 2018-12-06 20:42:15,049 DEBUG policyengine.RangerAccessRequestImpl (RangerAccessRequestImpl.java:extractAndSetClientIPAddress(249)) - No X-Forwarded-For addresses in the access-request
> 2018-12-06 20:42:15,049 DEBUG policyengine.RangerAccessRequestImpl (RangerAccessRequestImpl.java:extractAndSetClientIPAddress(255)) - Old Remote/Client IP Address=172.26.68.215, new IP Address=172.26.68.215
>
>
> After applying the patch, the above cURL request passes with "200 OK" and with the following debug logs (note the forwardedAddresses value and the Old and New IP address values):
> 2018-12-06 20:48:52,239 DEBUG policyengine.RangerPolicyEngineImpl (RangerPolicyEngineImpl.java:preProcess(240)) - ==> RangerPolicyEngineImpl.preProcess(RangerAccessRequestImpl={resource={RangerResourceImpl={ownerUser={null} elements={service=WEBHDFS; topology=default; } }} accessType={allow} user={hr1} userGroups={HDP Ranger Admins hr hadoop-users } accessTime={Thu Dec 06 20:48:52 UTC 2018} clientIPAddress={172.26.68.215} forwardedAddresses={172.26.68.210 172.26.68.215} remoteIPAddress={172.26.68.215} clientType={null} action={allow} requestData={null} sessionId={null} resourceMatchingScope={SELF} clusterName={c1141} context={} })
> 2018-12-06 20:48:52,239 DEBUG policyengine.RangerAccessRequestImpl (RangerAccessRequestImpl.java:extractAndSetClientIPAddress(232)) - Using X-Forward-For...
> 2018-12-06 20:48:52,239 DEBUG policyengine.RangerAccessRequestImpl (RangerAccessRequestImpl.java:extractAndSetClientIPAddress(255)) - Old Remote/Client IP Address=172.26.68.215, new IP Address=172.26.68.210
>
>
> Thanks,
>
> Vipin Rathor
>
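
Added example (not part of the original message and not Ranger project code): X-Forwarded-For is set by whoever sends the request, so a log audit can flag requests whose policy IP was replaced by the header value although the direct peer is not a known proxy. The function name audit, the trusted_proxies parameter and the shortened sample lines are assumptions made for this illustration.

```python
import ipaddress
import re

# Patterns for the Ranger DEBUG messages quoted in the review request.
USER = re.compile(r"\buser=\{([^}]*)\}")
FORWARDED = re.compile(r"forwardedAddresses=\{([^}]*)\}")
CHANGE = re.compile(r"Old Remote/Client IP Address=([^,\s]+), new IP Address=(\S+)")

# Constructed sample: the log lines from the message, shortened with "...".
SAMPLE_LOG = [
    # Before the patch: no forwarded addresses, the IP is unchanged.
    "2018-12-06 20:42:15,049 DEBUG ... preProcess(... user={hr1} ... "
    "clientIPAddress={172.26.68.215} forwardedAddresses={} ...)",
    "2018-12-06 20:42:15,049 DEBUG ... Old Remote/Client IP Address=172.26.68.215, "
    "new IP Address=172.26.68.215",
    # After the patch: the header value replaces the peer address.
    "2018-12-06 20:48:52,239 DEBUG ... preProcess(... user={hr1} ... "
    "clientIPAddress={172.26.68.215} forwardedAddresses={172.26.68.210 172.26.68.215} ...)",
    "2018-12-06 20:48:52,239 DEBUG ... Old Remote/Client IP Address=172.26.68.215, "
    "new IP Address=172.26.68.210",
]

def audit(lines, trusted_proxies):
    """Report requests whose policy IP came from X-Forwarded-For although
    the direct peer (the old address) is not in trusted_proxies."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    findings, user, forwarded = [], None, []
    for line in lines:
        fwd = FORWARDED.search(line)
        if fwd:  # preProcess line: remember the request context
            forwarded = fwd.group(1).split()
            m = USER.search(line)
            user = m.group(1) if m else None
            continue
        change = CHANGE.search(line)
        if not change:
            continue
        old, new = change.groups()
        if old != new and not any(ipaddress.ip_address(old) in n for n in nets):
            findings.append({"user": user, "peer": old,
                             "policy_ip": new, "forwarded": forwarded})
        user, forwarded = None, []
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, trusted_proxies=[]):
        print(finding)
```

With an empty trusted_proxies list the post-patch request is reported; listing the load balancer's address (here the peer 172.26.68.215) clears it.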