RANGER-5677: Plugin REST endpoints silently ignore supplied credentia…#1062
Open
vyommani wants to merge 1 commit into
Open
RANGER-5677: Plugin REST endpoints silently ignore supplied credentia…#1062vyommani wants to merge 1 commit into
vyommani wants to merge 1 commit into
Conversation
…ls due to security=none filter bypass; authentication outcome depends on a trailing slash
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
security="none"on the plugin download endpoints (gds,plugins/policies,tags,roles,xusers) skipped Spring Security's whole filter chain forexact URL matches, so Basic auth credentials were silently dropped and the
request was treated as anonymous. Because the pattern was a single-segment
wildcard (
*), a trailing slash accidentally escaped the bypass and hit thenormal authenticated chain instead - so the same URL behaved differently
depending on a trailing slash:
GET .../download/dev_hive?... -u admin:pass -> 400 (creds dropped)
GET .../download/dev_hive/?... -u admin:pass -> 200 (creds processed)
On a Kerberized admin there was a second issue:
RangerKRBAuthenticationFilterforces a SPNEGO challenge on any request with no existing auth, regardless of
Spring Security's authorization rules - so even after fixing the URL matching,
anonymous requests were still rejected with
401regardless ofranger.admin.allow.unauthenticated.download.access.Fix
security-applicationContext.xml- removed these 5 endpoints fromsecurity="none", addedpermitAllintercept-urlentries instead, using**so matching is slash-insensitive.permitAllonly removes theauthorization requirement, not authentication - credentials are still
validated when present, and
RangerBizUtil.failUnauthenticatedDownloadIfNotAllowed()remains the actual gatekeeper for anonymous access.
RangerKRBAuthenticationFilter.java- skip the forced SPNEGO challengeonly when the URL is one of these 5 endpoints and no
Authorizationheaderis present. Requests that do present credentials (Negotiate or Basic) are
unaffected.
services/grant/services/revokeshare the same defect but are policy-mutatingendpoints, intentionally left out - tracked as a follow-up.
Note: invalid/malformed credentials now get a
401instead of silentlyfalling back to anonymous - a deliberate, more-correct behavior change.
Testing
Verified on a live docker environment with Kerberos enabled, across all 5
endpoints x slash/no-slash x anonymous/valid-creds/invalid-creds x
ranger.admin.allow.unauthenticated.download.access=true/false:false: anonymous ->400, valid creds ->200.true: anonymous ->200(this was still401before theRangerKRBAuthenticationFilterfix).401on all 5 endpoints, both flag states.kinit+curl --negotiate) against flag=falsereturned
200withhadoop.authcookie showing the real authenticatedprincipal - confirms real Kerberos credentials are still fully validated,
not waved through by the bypass.