This is an automated email from the ASF dual-hosted git repository.

smolnar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git


The following commit(s) were added to refs/heads/master by this push:
     new ccddcc8df KNOX-2829 - Impersonation is disabled if 
knox.token.impersonation.enabled is not added in the KNOXTOKEN service 
configuration (#657)
ccddcc8df is described below

commit ccddcc8df1b4676c692fc1b1bd4093e4ffcef2c2
Author: Sandor Molnar <[email protected]>
AuthorDate: Tue Oct 25 16:07:37 2022 +0200

    KNOX-2829 - Impersonation is disabled if knox.token.impersonation.enabled 
is not added in the KNOXTOKEN service configuration (#657)
    
    In addition to changing this poorly chosen default, some helpful logging is 
added.
---
 .../org/apache/knox/gateway/hadoopauth/HadoopAuthMessages.java    | 4 ++++
 .../apache/knox/gateway/hadoopauth/filter/HadoopAuthFilter.java   | 2 ++
 .../knox/gateway/hadoopauth/filter/HadoopAuthFilterTest.java      | 8 ++++++++
 .../org/apache/knox/gateway/service/knoxtoken/TokenResource.java  | 5 +++--
 .../knox/gateway/service/knoxtoken/TokenServiceMessages.java      | 3 +++
 5 files changed, 20 insertions(+), 2 deletions(-)

diff --git 
a/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/HadoopAuthMessages.java
 
b/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/HadoopAuthMessages.java
index 06bde79b0..2b493a2da 100755
--- 
a/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/HadoopAuthMessages.java
+++ 
b/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/HadoopAuthMessages.java
@@ -50,4 +50,8 @@ public interface HadoopAuthMessages {
 
   @Message(level=MessageLevel.WARN, text="{1} alias is NOT stored on neither 
topology ({0}) nor gateway levels.")
   void noAliasStored(String cluster, String alias);
+
+  @Message(level=MessageLevel.DEBUG, text="Refreshing proxyuser config in {0} 
topology with prefix {1} and config {2}")
+  void refreshProxyuserConfig(String topology, String prefix, String 
properties);
+
 }
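Review bot: The new refreshProxyuserConfig message is declared twice with identical text — here and in TokenServiceMessages (the hunk at @@ -95,4 +95,7 @@) — so the two wordings can drift apart; if the message interfaces cannot share one declaration, a short cross-reference on each, `// keep text in sync with TokenServiceMessages#refreshProxyuserConfig`, at least flags the coupling. The {2} argument is the full hadoop.proxyuser.* property map rendered via Map.toString(), which is appropriate at DEBUG, but the Javadoc should say that this enumerates the users, hosts and groups permitted to impersonate so operators know what the line contains.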
diff --git 
a/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilter.java
 
b/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilter.java
index a12a21bcc..44c202fff 100755
--- 
a/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilter.java
+++ 
b/gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilter.java
@@ -114,11 +114,13 @@ public class HadoopAuthFilter extends
 
   @Override
   public void init(FilterConfig filterConfig) throws ServletException {
+    final String topologyName = (String) 
filterConfig.getInitParameter("clusterName");
     // Return a {@link Configuration} instance with the proxy user
     // (<code>hadoop.proxyuser.*</code>) properties set using parameter 
information
     // from the filterConfig.
     final Configuration conf = 
AuthFilterUtils.getProxyUserConfiguration(filterConfig, PROXYUSER_PREFIX);
     ProxyUsers.refreshSuperUserGroupsConfiguration(conf, PROXYUSER_PREFIX);
+    LOG.refreshProxyuserConfig(topologyName, PROXYUSER_PREFIX, 
conf.getPropsWithPrefix(PROXYUSER_PREFIX).toString());
 
     Collection<String> ignoredServices = null;
 
diff --git 
a/gateway-provider-security-hadoopauth/src/test/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilterTest.java
 
b/gateway-provider-security-hadoopauth/src/test/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilterTest.java
index e466ea54e..0920a56b6 100644
--- 
a/gateway-provider-security-hadoopauth/src/test/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilterTest.java
+++ 
b/gateway-provider-security-hadoopauth/src/test/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilterTest.java
@@ -138,6 +138,7 @@ public class HadoopAuthFilterTest {
     
expect(filterConfig.getInitParameter("support.jwt")).andReturn("false").anyTimes();
     
expect(filterConfig.getServletContext()).andReturn(servletContext).atLeastOnce();
     
expect(filterConfig.getInitParameter("hadoop.auth.unauthenticated.path.list")).andReturn(null).anyTimes();
+    
expect(filterConfig.getInitParameter("clusterName")).andReturn("topology1").anyTimes();
 
     Properties configProperties = createMock(Properties.class);
     
expect(configProperties.getProperty("signature.secret.file")).andReturn("signature.secret.file").atLeastOnce();
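Review bot: The same `expect(filterConfig.getInitParameter("clusterName")).andReturn("topology1").anyTimes();` stub is added in eight separate test methods (this hunk and the ones at -201, -248, -306, -364, -422, -481 and -554); a small helper that sets up the common FilterConfig expectations would avoid the repetition and would be the natural place for a case where "clusterName" is absent, which init() presumably tolerates since the value only feeds the new debug log. None of the tests asserts the logged content, so these expectations only keep the mocks strict; a one-line comment saying so would save the next reader from looking for a missing assertion.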
@@ -201,6 +202,7 @@ public class HadoopAuthFilterTest {
     
expect(filterConfig.getInitParameter("config.prefix")).andReturn("some.prefix").atLeastOnce();
     
expect(filterConfig.getInitParameter("support.jwt")).andReturn("false").anyTimes();
     
expect(filterConfig.getInitParameter("hadoop.auth.unauthenticated.path.list")).andReturn(null).anyTimes();
+    
expect(filterConfig.getInitParameter("clusterName")).andReturn("topology1").anyTimes();
 
 
     
EasyMock.expect(response.encodeRedirectURL(SERVICE_URL)).andReturn(SERVICE_URL);
@@ -248,6 +250,7 @@ public class HadoopAuthFilterTest {
     
expect(filterConfig.getInitParameter("support.jwt")).andReturn("false").anyTimes();
     /* update the default list to use favicon.ico */
     
expect(filterConfig.getInitParameter("hadoop.auth.unauthenticated.path.list")).andReturn(request_semicolon_path).anyTimes();
+    
expect(filterConfig.getInitParameter("clusterName")).andReturn("topology1").anyTimes();
 
     HttpServletResponse response = 
EasyMock.createNiceMock(HttpServletResponse.class);
     /* capture errors */
@@ -306,6 +309,7 @@ public class HadoopAuthFilterTest {
     
expect(filterConfig.getInitParameter("support.jwt")).andReturn("false").anyTimes();
     /* update the default list to use favicon.ico */
     
expect(filterConfig.getInitParameter("hadoop.auth.unauthenticated.path.list")).andReturn(request_semicolon_path).anyTimes();
+    
expect(filterConfig.getInitParameter("clusterName")).andReturn("topology1").anyTimes();
 
     HttpServletResponse response = 
EasyMock.createNiceMock(HttpServletResponse.class);
     /* capture errors */
@@ -364,6 +368,7 @@ public class HadoopAuthFilterTest {
     
expect(filterConfig.getInitParameter("support.jwt")).andReturn("false").anyTimes();
     /* update the default list to use favicon.ico */
     
expect(filterConfig.getInitParameter("hadoop.auth.unauthenticated.path.list")).andReturn(request_semicolon_path).anyTimes();
+    
expect(filterConfig.getInitParameter("clusterName")).andReturn("topology1").anyTimes();
 
     HttpServletResponse response = 
EasyMock.createNiceMock(HttpServletResponse.class);
     /* capture errors */
@@ -422,6 +427,7 @@ public class HadoopAuthFilterTest {
     
expect(filterConfig.getInitParameter("support.jwt")).andReturn("false").anyTimes();
     /* update the default list to use favicon.ico */
     
expect(filterConfig.getInitParameter("hadoop.auth.unauthenticated.path.list")).andReturn(request_semicolon_path).anyTimes();
+    
expect(filterConfig.getInitParameter("clusterName")).andReturn("topology1").anyTimes();
 
     HttpServletResponse response = 
EasyMock.createNiceMock(HttpServletResponse.class);
     /* capture errors */
@@ -481,6 +487,7 @@ public class HadoopAuthFilterTest {
     
expect(filterConfig.getInitParameter("support.jwt")).andReturn("false").anyTimes();
     /* update the default list to use favicon.ico */
     
expect(filterConfig.getInitParameter("hadoop.auth.unauthenticated.path.list")).andReturn(request_semicolon_path).anyTimes();
+    
expect(filterConfig.getInitParameter("clusterName")).andReturn("topology1").anyTimes();
 
     HttpServletResponse response = 
EasyMock.createNiceMock(HttpServletResponse.class);
     /* capture errors */
@@ -554,6 +561,7 @@ public class HadoopAuthFilterTest {
     
expect(filterConfig.getInitParameter("config.prefix")).andReturn("some.prefix").atLeastOnce();
     
expect(filterConfig.getInitParameter("support.jwt")).andReturn(supportJwt).anyTimes();
     
expect(filterConfig.getInitParameter("hadoop.auth.unauthenticated.path.list")).andReturn(null).anyTimes();
+    
expect(filterConfig.getInitParameter("clusterName")).andReturn("topology1").anyTimes();
     final boolean isJwtSupported = Boolean.parseBoolean(supportJwt);
     if (isJwtSupported) {
       
expect(filterConfig.getInitParameter(JWTFederationFilter.KNOX_TOKEN_AUDIENCES)).andReturn(null).anyTimes();
diff --git 
a/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
 
b/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
index e93f369e7..5c2fd4ca8 100644
--- 
a/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
+++ 
b/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
@@ -274,7 +274,7 @@ public class TokenResource {
     // management status (i.e. even if token state management is enabled users
     // should be able to opt-out token impersonation
     final String impersonationEnabledValue = 
context.getInitParameter(IMPERSONATION_ENABLED_PARAM);
-    impersonationEnabled = impersonationEnabledValue == null ? Boolean.TRUE : 
Boolean.parseBoolean(impersonationEnabledValue);
+    impersonationEnabled = impersonationEnabledValue == null ? Boolean.FALSE : 
Boolean.parseBoolean(impersonationEnabledValue);
 
     // If server-managed token expiration is configured, set the token state 
service
     if (isServerManagedTokenStateEnabled()) {
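Review bot: The comment immediately above the changed line still describes impersonation as something users "opt-out" of, but with the default flipped to Boolean.FALSE it is now opt-in, so the comment should be updated, e.g. `// Impersonation is opt-in: it stays disabled unless the init parameter is explicitly set to "true".`. Because Boolean.parseBoolean silently maps any value other than "true" (typos, "yes", "1") to false, and because topologies that relied on the old implicit default now lose impersonation, logging the effective impersonationEnabled value together with the raw parameter value at INFO during init would make the change visible to operators. The enclosing method continues outside the hunk.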
@@ -327,6 +327,7 @@ public class TokenResource {
       if (impersonationEnabled) {
         final Configuration conf = 
AuthFilterUtils.getProxyUserConfiguration(context, PROXYUSER_PREFIX);
         ProxyUsers.refreshSuperUserGroupsConfiguration(conf, PROXYUSER_PREFIX);
+        log.refreshProxyuserConfig(topologyName, PROXYUSER_PREFIX, 
conf.getPropsWithPrefix(PROXYUSER_PREFIX).toString());
       }
     }
     setTokenStateServiceStatusMap();
@@ -730,7 +731,7 @@ public class TokenResource {
           AuthFilterUtils.authorizeImpersonationRequest(request, doAsUser);
           createdBy = userName;
           userName = doAsUser;
-          log.tokenImpersonationSuccess(userName, doAsUser);
+          log.tokenImpersonationSuccess(createdBy, doAsUser);
         } catch (AuthorizationException e) {
           log.tokenImpersonationFailed(e);
           return Response.status(Response.Status.FORBIDDEN).entity("{ \"" + 
e.getMessage() + "\" }").build();
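Review bot: The argument fix on the changed line is right (createdBy holds the authenticated user once userName has been reassigned to doAsUser), but the FORBIDDEN response two lines below still builds its entity as `"{ \"" + e.getMessage() + "\" }"`, which is not a JSON object (no key) and does not escape quotes or backslashes in the exception message, so a message containing either produces a malformed body. That is pre-existing, but since it sits in this hunk it would be worth emitting a proper object such as `{ "error": "<escaped message>" }` through whatever JSON facility the class already uses rather than string concatenation. The enclosing method continues outside the hunk.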
diff --git 
a/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceMessages.java
 
b/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceMessages.java
index 4fe620933..b0b4eb3f6 100644
--- 
a/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceMessages.java
+++ 
b/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceMessages.java
@@ -95,4 +95,7 @@ public interface TokenServiceMessages {
 
   @Message( level = MessageLevel.DEBUG, text = "Token impersonation failed: 
{0}" )
   void tokenImpersonationFailed(@StackTrace Throwable t);
+
+  @Message(level=MessageLevel.DEBUG, text="Refreshing proxyuser config in {0} 
topology with prefix {1} and config {2}")
+  void refreshProxyuserConfig(String topology, String prefix, String 
properties);
 }
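Review bot: tokenImpersonationFailed, visible as context just above the added lines, records a denied impersonation attempt at DEBUG only, so a deployment logging at INFO or WARN never sees rejected doAs requests even though this is an authorization denial. Raising it, `@Message( level = MessageLevel.WARN, text = "Token impersonation failed: {0}" )`, and ideally adding the requesting user and the requested doAs user as message arguments, would make these events available to monitoring without changing the callers' control flow; whether the project reserves WARN for other conditions is something the maintainers would know better than this hunk shows.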
