RANGER-5499: Add support for header based authentication (#873)

Co-authored-by: Madhan Neethiraj <madhan@apache.org>
Co-authored-by: Cursor AI (assisted) <noreply@cursor.com>

Author: 3 people

mkdocs/.gitignore

@@ -0,0 +1 @@
+.cache/

security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerAuthenticationToken.java

@@ -0,0 +1,55 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.ranger.security.web.filter;
+
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.userdetails.UserDetails;
+
+import java.util.Collection;
+
+public class RangerAuthenticationToken extends AbstractAuthenticationToken {
+    private static final long serialVersionUID = 1L;
+
+    private final Object principal;
+    private final int    authType;
+
+    public RangerAuthenticationToken(UserDetails principal, Collection<? extends GrantedAuthority> authorities, int authType) {
+        super(authorities);
+
+        this.principal = principal;
+        this.authType  = authType;
+
+        super.setAuthenticated(true);
+    }
+
+    @Override
+    public Object getPrincipal() {
+        return principal;
+    }
+
+    @Override
+    public Object getCredentials() {
+        return null;
+    }
+
+    public int getAuthType() {
+        return authType;
+    }
+}

security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerHeaderPreAuthFilter.java

@@ -0,0 +1,117 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.ranger.security.web.filter;
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.ranger.biz.UserMgr;
+import org.apache.ranger.common.PropertiesUtil;
+import org.apache.ranger.entity.XXAuthSession;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.web.authentication.WebAuthenticationDetails;
+import org.springframework.web.filter.GenericFilterBean;
+
+import javax.annotation.PostConstruct;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+public class RangerHeaderPreAuthFilter extends GenericFilterBean {
+    private static final Logger LOG = LoggerFactory.getLogger(RangerHeaderPreAuthFilter.class);
+
+    public static final String PROP_HEADER_AUTH_ENABLED        = "ranger.admin.authn.header.enabled";
+    public static final String PROP_USERNAME_HEADER_NAME       = "ranger.admin.authn.header.username";
+    public static final String PROP_REQUEST_ID_HEADER_NAME     = "ranger.admin.authn.header.requestid";
+
+    private boolean headerAuthEnabled;
+    private String  userNameHeaderName;
+
+    @Autowired
+    UserMgr userMgr;
+
+    @PostConstruct
+    public void initialize(FilterConfig filterConfig) throws ServletException {
+        headerAuthEnabled  = PropertiesUtil.getBooleanProperty(PROP_HEADER_AUTH_ENABLED, false);
+        userNameHeaderName = PropertiesUtil.getProperty(PROP_USERNAME_HEADER_NAME);
+    }
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+        HttpServletRequest  httpRequest  = (HttpServletRequest) request;
+
+        if (headerAuthEnabled) {
+            Authentication existingAuthn = SecurityContextHolder.getContext().getAuthentication();
+
+            if (existingAuthn == null || !existingAuthn.isAuthenticated()) {
+                String username = StringUtils.trimToNull(httpRequest.getHeader(userNameHeaderName));
+
+                if (StringUtils.isNotBlank(username)) {
+                    List<GrantedAuthority>    grantedAuthorities = getAuthoritiesFromRanger(username);
+                    final UserDetails         principal          = new User(username, "", grantedAuthorities);
+                    RangerAuthenticationToken authToken          = new RangerAuthenticationToken(principal, grantedAuthorities, XXAuthSession.AUTH_TYPE_TRUSTED_PROXY);
+
+                    authToken.setDetails(new WebAuthenticationDetails(httpRequest));
+
+                    SecurityContextHolder.getContext().setAuthentication(authToken);
+
+                    LOG.debug("Authenticated request using trusted headers for user={}", username);
+                } else {
+                    LOG.debug("Username header '{}' is missing or empty in the request!", userNameHeaderName);
+                }
+            }
+        } else {
+            LOG.debug("Header-based authentication is disabled!");
+        }
+
+        chain.doFilter(request, response);
+    }
+
+    /**
+     * Loads authorities from Ranger DB
+     */
+    private List<GrantedAuthority> getAuthoritiesFromRanger(String username) {
+        List<GrantedAuthority> ret = new ArrayList<>();
+        Collection<String>    roleList = userMgr.getRolesByLoginId(username);
+
+        if (roleList != null) {
+            for (String role : roleList) {
+                if (StringUtils.isNotBlank(role)) {
+                    ret.add(new SimpleGrantedAuthority(role));
+                }
+            }
+        }
+
+        return ret;
+    }
+}

security-admin/src/main/java/org/apache/ranger/security/web/filter/RangerSecurityContextFormationFilter.java

@@ -22,6 +22,7 @@
  */
 package org.apache.ranger.security.web.filter;
 
+import org.apache.commons.lang3.StringUtils;
 import org.apache.ranger.biz.SessionMgr;
 import org.apache.ranger.biz.XUserMgr;
 import org.apache.ranger.common.GUIDUtil;
@@ -33,6 +34,8 @@
 import org.apache.ranger.security.context.RangerContextHolder;
 import org.apache.ranger.security.context.RangerSecurityContext;
 import org.apache.ranger.util.RestUtil;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.core.Authentication;
@@ -50,6 +53,8 @@
 import java.io.IOException;
 
 public class RangerSecurityContextFormationFilter extends GenericFilterBean {
+    private static final Logger LOG = LoggerFactory.getLogger(RangerSecurityContextFormationFilter.class);
+
     public static final String AKA_SC_SESSION_KEY = "AKA_SECURITY_CONTEXT";
     public static final String USER_AGENT         = "User-Agent";
 
@@ -65,10 +70,12 @@ public class RangerSecurityContextFormationFilter extends GenericFilterBean {
     @Autowired
     GUIDUtil guidUtil;
 
-    String testIP;
+    private final String testIP;
+    private final String requestIdHeaderName;
 
     public RangerSecurityContextFormationFilter() {
-        testIP = PropertiesUtil.getProperty("xa.env.ip");
+        this.testIP              = PropertiesUtil.getProperty("xa.env.ip");
+        this.requestIdHeaderName = PropertiesUtil.getProperty(RangerHeaderPreAuthFilter.PROP_REQUEST_ID_HEADER_NAME);
     }
 
     /*
@@ -113,15 +120,15 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
                 requestContext.setIpAddress(reqIP);
                 requestContext.setUserAgent(userAgent);
                 requestContext.setDeviceType(httpUtil.getDeviceType(httpRequest));
-                requestContext.setServerRequestId(guidUtil.genGUID());
+                requestContext.setServerRequestId(getRequestId(auth, httpRequest));
                 requestContext.setRequestURL(httpRequest.getRequestURI());
                 requestContext.setClientTimeOffsetInMinute(clientTimeOffset);
 
                 context.setRequestContext(requestContext);
 
                 RangerContextHolder.setSecurityContext(context);
 
-                int             authType    = getAuthType(httpRequest);
+                int             authType    = getAuthType(auth, httpRequest);
                 UserSessionBase userSession = sessionMgr.processSuccessLogin(authType, userAgent, httpRequest);
 
                 if (userSession != null) {
@@ -160,25 +167,36 @@ private void setupAdminOpContext(ServletRequest request) {
         }
     }
 
-    private int getAuthType(HttpServletRequest request) {
-        int     authType;
+    private int getAuthType(Authentication auth, HttpServletRequest request) {
+        if (auth instanceof RangerAuthenticationToken) {
+            return ((RangerAuthenticationToken) auth).getAuthType();
+        }
+
         Object  ssoEnabledObj = request.getAttribute("ssoEnabled");
         boolean ssoEnabled    = ssoEnabledObj != null ? Boolean.parseBoolean(String.valueOf(ssoEnabledObj)) : PropertiesUtil.getBooleanProperty("ranger.sso.enabled", false);
 
         if (ssoEnabled) {
-            authType = XXAuthSession.AUTH_TYPE_SSO;
+            return XXAuthSession.AUTH_TYPE_SSO;
         } else if (request.getAttribute("spnegoEnabled") != null && Boolean.parseBoolean(String.valueOf(request.getAttribute("spnegoEnabled")))) {
             if (request.getAttribute("trustedProxyEnabled") != null && Boolean.parseBoolean(String.valueOf(request.getAttribute("trustedProxyEnabled")))) {
-                logger.debug("Setting auth type as trusted proxy");
+                LOG.debug("Setting auth type as trusted proxy");
 
-                authType = XXAuthSession.AUTH_TYPE_TRUSTED_PROXY;
+                return XXAuthSession.AUTH_TYPE_TRUSTED_PROXY;
             } else {
-                authType = XXAuthSession.AUTH_TYPE_KERBEROS;
+                return XXAuthSession.AUTH_TYPE_KERBEROS;
             }
-        } else {
-            authType = XXAuthSession.AUTH_TYPE_PASSWORD;
         }
 
-        return authType;
+        return XXAuthSession.AUTH_TYPE_PASSWORD;
+    }
+
+    private String getRequestId(Authentication auth, HttpServletRequest request) {
+        String ret = null;
+
+        if (requestIdHeaderName != null && auth instanceof RangerAuthenticationToken && ((RangerAuthenticationToken) auth).getAuthType() == XXAuthSession.AUTH_TYPE_TRUSTED_PROXY) {
+            ret = StringUtils.trimToNull(request.getHeader(requestIdHeaderName));
+        }
+
+        return ret != null ? ret : guidUtil.genGUID();
     }
 }

security-admin/src/main/resources/conf.dist/ranger-admin-site.xml

@@ -271,6 +271,20 @@
 		<value>Mozilla,chrome</value>
 	</property>
 	<!-- SSO Properties Ends-->
+	<!-- Trusted header auth properties start -->
+	<property>
+		<name>ranger.admin.authn.header.enabled</name>
+		<value>false</value>
+	</property>
+	<property>
+		<name>ranger.admin.authn.header.username</name>
+		<value>x-awc-username</value>
+	</property>
+	<property>
+		<name>ranger.admin.authn.header.requestid</name>
+		<value>x-awc-requestid</value>
+	</property>
+	<!-- Trusted header auth properties end -->
 	<!-- Kerberos Properties starts-->	
 	<property>
 		<name>ranger.admin.kerberos.token.valid.seconds</name>

security-admin/src/main/resources/conf.dist/security-applicationContext.xml

@@ -64,6 +64,7 @@ http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd">
 		</security:headers>
 		<security:session-management session-fixation-protection="newSession" />
 		<intercept-url pattern="/**" access="isAuthenticated()"/>
+		<security:custom-filter position="PRE_AUTH_FILTER" ref="headerPreAuthFilter" />
 		<custom-filter ref="ssoAuthenticationFilter" after="BASIC_AUTH_FILTER" />
 		<security:custom-filter ref="rangerJwtAuthWrapper" before="SERVLET_API_SUPPORT_FILTER" />
 		<security:custom-filter ref="krbAuthenticationFilter" after="SERVLET_API_SUPPORT_FILTER" />
@@ -115,6 +116,9 @@ http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd">
 	<beans:bean id="mdcFilter" class="org.apache.ranger.security.web.filter.RangerMDCFilter">
     </beans:bean>
 
+	<beans:bean id="headerPreAuthFilter" class="org.apache.ranger.security.web.filter.RangerHeaderPreAuthFilter">
+    </beans:bean>
+
     <beans:bean id="ssoAuthenticationFilter" class="org.apache.ranger.security.web.filter.RangerSSOAuthenticationFilter">
     </beans:bean>