From ff1bd8c0875330a1b5bf247e082782c6f0ad4a9d Mon Sep 17 00:00:00 2001 From: Abhishek Kumar Date: Wed, 27 May 2026 15:48:46 -0700 Subject: [PATCH 1/3] RANGER-5617: Set PDP header authn config values to null --- dev-support/ranger-docker/scripts/pdp/ranger-pdp-site.xml | 1 + intg/src/main/python/README.md | 4 ++-- pdp/conf.dist/ranger-pdp-site.xml | 3 ++- .../java/org/apache/ranger/pdp/config/RangerPdpConfig.java | 2 +- .../apache/ranger/pdp/security/HttpHeaderAuthNHandler.java | 2 +- .../org/apache/ranger/pdp/security/RangerPdpAuthNFilter.java | 4 +++- pdp/src/main/resources/ranger-pdp-default.xml | 3 ++- 7 files changed, 12 insertions(+), 7 deletions(-) diff --git a/dev-support/ranger-docker/scripts/pdp/ranger-pdp-site.xml b/dev-support/ranger-docker/scripts/pdp/ranger-pdp-site.xml index db867d7442b..e012711f997 100644 --- a/dev-support/ranger-docker/scripts/pdp/ranger-pdp-site.xml +++ b/dev-support/ranger-docker/scripts/pdp/ranger-pdp-site.xml @@ -109,6 +109,7 @@ true + ranger.pdp.authn.header.username X-Forwarded-User diff --git a/intg/src/main/python/README.md b/intg/src/main/python/README.md index a8c0c26710c..fd6b2e2c04d 100644 --- a/intg/src/main/python/README.md +++ b/intg/src/main/python/README.md @@ -141,8 +141,8 @@ Authentication options: - install dependency: `pip install requests-kerberos` - use `HTTPKerberosAuth()` as `auth` in `RangerPDPClient` - **Trusted header** - - pass caller header (default `X-Forwarded-User`, configurable by `ranger.pdp.authn.header.username`) - - recommended only behind a trusted proxy + - pass caller header (must be configured using `ranger.pdp.authn.header.username`) + - only behind a trusted proxy - **JWT bearer** - pass `Authorization: Bearer ` in request headers diff --git a/pdp/conf.dist/ranger-pdp-site.xml b/pdp/conf.dist/ranger-pdp-site.xml index ddf2ff9346c..fde66f26111 100644 --- a/pdp/conf.dist/ranger-pdp-site.xml +++ b/pdp/conf.dist/ranger-pdp-site.xml 
@@ -138,9 +138,10 @@ + ranger.pdp.authn.header.username - X-Forwarded-User + HTTP header name from which the authenticated username is read. diff --git a/pdp/src/main/java/org/apache/ranger/pdp/config/RangerPdpConfig.java b/pdp/src/main/java/org/apache/ranger/pdp/config/RangerPdpConfig.java index 11aea39ea85..c0e956dcb69 100644 --- a/pdp/src/main/java/org/apache/ranger/pdp/config/RangerPdpConfig.java +++ b/pdp/src/main/java/org/apache/ranger/pdp/config/RangerPdpConfig.java @@ -140,7 +140,7 @@ public boolean isHeaderAuthnEnabled() { } public String getHeaderAuthnUsername() { - return get(RangerPdpConstants.PROP_AUTHN_HEADER_USERNAME, "X-Forwarded-User"); + return get(RangerPdpConstants.PROP_AUTHN_HEADER_USERNAME, ""); } // --- JWT bearer token auth --- diff --git a/pdp/src/main/java/org/apache/ranger/pdp/security/HttpHeaderAuthNHandler.java b/pdp/src/main/java/org/apache/ranger/pdp/security/HttpHeaderAuthNHandler.java index 60df86dafa7..0d8f8aacdd8 100644 --- a/pdp/src/main/java/org/apache/ranger/pdp/security/HttpHeaderAuthNHandler.java +++ b/pdp/src/main/java/org/apache/ranger/pdp/security/HttpHeaderAuthNHandler.java @@ -50,7 +50,7 @@ public class HttpHeaderAuthNHandler implements PdpAuthNHandler { @Override public void init(Properties config) { - usernameHeader = config.getProperty(RangerPdpConstants.PROP_AUTHN_HEADER_USERNAME, "X-Forwarded-User"); + usernameHeader = config.getProperty(RangerPdpConstants.PROP_AUTHN_HEADER_USERNAME); LOG.info("HttpHeaderAuthHandler initialized; username header={}", usernameHeader); } diff --git a/pdp/src/main/java/org/apache/ranger/pdp/security/RangerPdpAuthNFilter.java b/pdp/src/main/java/org/apache/ranger/pdp/security/RangerPdpAuthNFilter.java index 32d04ef0a47..e425464a7a3 100644 --- a/pdp/src/main/java/org/apache/ranger/pdp/security/RangerPdpAuthNFilter.java +++ b/pdp/src/main/java/org/apache/ranger/pdp/security/RangerPdpAuthNFilter.java 
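Review bot: `getHeaderAuthnUsername()` now falls back to `""`, while `HttpHeaderAuthNHandler.init` in this same patch reads the property with no default and gets `null`, so "not configured" has two representations. A caller that tests the getter's result with `!= null` would treat header authentication as configured. Either return `null` here as well, if `get(String, String)` accepts a null default (its definition is outside the hunk), or document the contract on the getter, for example `/** @return the configured username header name, or an empty string when unset; callers must treat a blank value as "header authn not configured". */`.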
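Review bot: `init` stores whatever `getProperty` returns, so `usernameHeader` can now be `null`, empty or whitespace-only, and the only trace is an INFO line reading `username header=null`. The test updated in patch 2/3 indicates that `authenticate` returns SKIP for the unset case, but that method is outside this hunk and the empty and whitespace-only cases are not visibly handled. I would normalise and warn inside `init`: `if (usernameHeader == null || usernameHeader.trim().isEmpty()) { usernameHeader = null; LOG.warn("HttpHeaderAuthHandler: {} is not set; header authentication will be skipped", RangerPdpConstants.PROP_AUTHN_HEADER_USERNAME); }`. A one-line comment on the field would also help, saying that there is deliberately no default header name, presumably because the header is only trustworthy behind a proxy that sets and strips it.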
@@ -150,7 +150,9 @@ private PdpAuthNHandler createHandler(String type, FilterConfig filterConfig) { switch (type) { case "header": - ret = getBoolean(filterConfig, RangerPdpConstants.PROP_AUTHN_HEADER_ENABLED) ? new HttpHeaderAuthNHandler() : null; + ret = getBoolean(filterConfig, RangerPdpConstants.PROP_AUTHN_HEADER_ENABLED) && + StringUtils.isNotBlank(filterConfig.getInitParameter(RangerPdpConstants.PROP_AUTHN_HEADER_USERNAME)) + ? new HttpHeaderAuthNHandler() : null; break; case "jwt": ret = getBoolean(filterConfig, RangerPdpConstants.PROP_AUTHN_JWT_ENABLED) ? new JwtAuthNHandler() : null; diff --git a/pdp/src/main/resources/ranger-pdp-default.xml b/pdp/src/main/resources/ranger-pdp-default.xml index ddf2ff9346c..fde66f26111 100644 --- a/pdp/src/main/resources/ranger-pdp-default.xml +++ b/pdp/src/main/resources/ranger-pdp-default.xml @@ -138,9 +138,10 @@ + ranger.pdp.authn.header.username - X-Forwarded-User + HTTP header name from which the authenticated username is read. From bd490e2f9c2cb7aeef350f1711644020e5cd8073 Mon Sep 17 00:00:00 2001 From: Abhishek Kumar Date: Wed, 27 May 2026 15:58:20 -0700 Subject: [PATCH 2/3] Update test --- .../ranger/pdp/security/HttpHeaderAuthNHandlerTest.java | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/pdp/src/test/java/org/apache/ranger/pdp/security/HttpHeaderAuthNHandlerTest.java b/pdp/src/test/java/org/apache/ranger/pdp/security/HttpHeaderAuthNHandlerTest.java index c497be90863..1bd2a574634 100644 --- a/pdp/src/test/java/org/apache/ranger/pdp/security/HttpHeaderAuthNHandlerTest.java +++ b/pdp/src/test/java/org/apache/ranger/pdp/security/HttpHeaderAuthNHandlerTest.java 
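Review bot: In the `"header"` case, a deployment with `PROP_AUTHN_HEADER_ENABLED` set to true but no header name now gets `null` from `createHandler` with no log output, so header authentication is dropped silently. What the filter does when no handler ends up registered is decided outside this hunk (`createHandler` starts and ends outside it), so the operator should at least get a warning naming the missing property. The guard also reads the name from `filterConfig.getInitParameter` while `HttpHeaderAuthNHandler.init` reads it from a `Properties` object; it is worth confirming both are populated from the same source, otherwise the two checks can disagree. The sketch below assumes this class has a logger like the handler's `LOG`.

```java
case "header":
    ret = null;

    if (getBoolean(filterConfig, RangerPdpConstants.PROP_AUTHN_HEADER_ENABLED)) {
        String headerName = filterConfig.getInitParameter(RangerPdpConstants.PROP_AUTHN_HEADER_USERNAME);

        if (StringUtils.isNotBlank(headerName)) {
            ret = new HttpHeaderAuthNHandler();
        } else {
            // Enabled without a header name: refuse to register, but say so.
            LOG.warn("Header authentication is enabled but {} is not set; header handler not registered",
                    RangerPdpConstants.PROP_AUTHN_HEADER_USERNAME);
        }
    }
    break;
// … unchanged: case "jwt" and the remaining cases …
```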
@@ -29,10 +29,11 @@ import java.util.Properties; import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertNull; public class HttpHeaderAuthNHandlerTest { @Test - public void testAuthenticate_usesDefaultHeaderName() { + public void testAuthenticate_usesNoHeaderName() { HttpHeaderAuthNHandler handler = new HttpHeaderAuthNHandler(); Properties config = new Properties(); @@ -41,9 +42,9 @@ public void testAuthenticate_usesDefaultHeaderName() { HttpServletRequest request = requestWithHeader("X-Forwarded-User", "alice"); PdpAuthNHandler.Result result = handler.authenticate(request, null); - assertEquals(PdpAuthNHandler.Result.Status.AUTHENTICATED, result.getStatus()); - assertEquals("alice", result.getUserName()); - assertEquals(HttpHeaderAuthNHandler.AUTH_TYPE, result.getAuthType()); + assertEquals(PdpAuthNHandler.Result.Status.SKIP, result.getStatus()); + assertNull(result.getUserName()); + assertNull(result.getAuthType()); } @Test From 6a8666e0264c38ef61599b3af4a3a82757f038dd Mon Sep 17 00:00:00 2001 From: Abhishek Kumar Date: Wed, 27 May 2026 16:21:17 -0700 Subject: [PATCH 3/3] Update test 2 --- .../org/apache/ranger/pdp/security/RangerPdpAuthNFilterTest.java | 1 + 1 file changed, 1 insertion(+) diff --git a/pdp/src/test/java/org/apache/ranger/pdp/security/RangerPdpAuthNFilterTest.java b/pdp/src/test/java/org/apache/ranger/pdp/security/RangerPdpAuthNFilterTest.java index 0d0e183c558..3f29ac313e9 100644 --- a/pdp/src/test/java/org/apache/ranger/pdp/security/RangerPdpAuthNFilterTest.java +++ b/pdp/src/test/java/org/apache/ranger/pdp/security/RangerPdpAuthNFilterTest.java @@ -55,6 +55,7 @@ public void testInit_registersHeaderHandlerWhenEnabled() throws Exception { params.put(RangerPdpConstants.PROP_AUTHN_TYPES, "header"); params.put(RangerPdpConstants.PROP_AUTHN_HEADER_ENABLED, "true"); + params.put(RangerPdpConstants.PROP_AUTHN_HEADER_USERNAME, "Some-X-Header"); filter.init(new TestFilterConfig(params));
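Review bot: The rewritten assertions in `testAuthenticate_usesNoHeaderName` cover only the case where the property is absent from `config`. `RangerPdpConfig.getHeaderAuthnUsername()` now returns `""` when unset, so the handler can plausibly be initialised with an empty or whitespace-only header name, and those cases are not tested. I would add sibling tests that set `RangerPdpConstants.PROP_AUTHN_HEADER_USERNAME` to `""` and to `" "` and assert `Result.Status.SKIP` in both. A comment such as `// X-Forwarded-User was the old implicit default; it must be ignored when no header name is configured` would explain why the request still carries that header.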
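Review bot: `testInit_registersHeaderHandlerWhenEnabled` gains the header name so the positive path keeps passing, but nothing in this patch tests the new refusal path in `RangerPdpAuthNFilter.createHandler`. A companion test should put `PROP_AUTHN_HEADER_ENABLED` as `"true"`, omit `PROP_AUTHN_HEADER_USERNAME` (and, in a second case, set it to a blank string), call `filter.init(...)` and assert that no header handler is registered. How the existing test inspects the registered handlers lies outside the hunk, so the assertion style should follow whatever the rest of this test method does.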