[ https://issues.apache.org/jira/browse/KNOX-1740?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16877004#comment-16877004 ]

ASF subversion and git services commented on KNOX-1740:
-------------------------------------------------------

Commit 13f141188185b872a3f522b3582574828922b8cf in knox's branch refs/heads/v1.3.0 from Robert Levas
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=13f1411 ]

KNOX-1740 - Add Trusted Proxy Support to Knox (#106)
> Add Trusted Proxy Support to Knox
> ---------------------------------
>
>                 Key: KNOX-1740
>                 URL: https://issues.apache.org/jira/browse/KNOX-1740
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>            Reporter: Larry McCay
>            Assignee: Robert Levas
>            Priority: Major
>             Fix For: 1.3.0
>
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> There are token exchange scenarios where an application may want to acquire a 
> KnoxToken on behalf of a user authenticated by the application. We need to 
> implement a version of the Hadoop Trusted Proxy/Impersonation pattern for 
> Knox at the topology level.
> This includes:
>  * Principal assertion method (doAs query param)
>  * Config within topology for trusted principals, groups that they are 
> allowed to impersonate, users that they are allowed to impersonate, IP 
> addresses from which requests are expected
>  * Make part of the identity assertion provider since this is the provider 
> that determines which identity to assert to the downstream service
>  * Config will need to be qualified by service due to the multiple services 
> per topology
>  Example to indicate trusted service principals, hosts, groups:
> {code:xml}
> <param>
>   <name>hadoop.proxyuser.hive.hosts</name>
>   <value>10.222.0.0/16,10.113.221.221</value>
> </param>
> <param>
>   <name>hadoop.proxyuser.hive.users</name>
>   <value>user1,user2</value>
> </param>
> <param>
>   <name>hadoop.proxyuser.hive.groups</name>
>   <value>users</value>
> </param>
> {code}
> Putting the above in the identity assertion provider - or any provider for 
> that matter - will potentially impact sharing of provider configs.
> However, it is inappropriate to make it global config within 
> gateway-site.xml as this would be bad across tenants and clusters - and 
> therefore topologies.
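The issue describes the Hadoop trusted-proxy pattern applied to a Knox topology: a trusted service principal (here `hive`) may assert a `doAs` user only when the request arrives from an allow-listed host and the target user is either named in the `users` list or is a member of an allow-listed group. The following is an added illustration, not code from the Knox project or from this issue: it parses the three `<param>` elements from the description (wrapped in a hypothetical `<provider>` element so they form a document), builds a per-principal rule, and evaluates an impersonation request with default-deny semantics. The `*` wildcard handling follows the Hadoop proxyuser convention; hostnames in the `hosts` list are not resolved, since the issue talks about IP addresses.

```python
"""Evaluate a trusted-proxy (doAs) request against
hadoop.proxyuser.<principal>.{hosts,users,groups} topology params.
Added example, not Knox code."""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample: the three <param> blocks from the issue description,
# wrapped in a hypothetical <provider> element so they parse as one document.
SAMPLE_PROVIDER_XML = """
<provider>
  <param><name>hadoop.proxyuser.hive.hosts</name><value>10.222.0.0/16,10.113.221.221</value></param>
  <param><name>hadoop.proxyuser.hive.users</name><value>user1,user2</value></param>
  <param><name>hadoop.proxyuser.hive.groups</name><value>users</value></param>
</provider>
"""

PREFIX = "hadoop.proxyuser."
WILDCARD_FLAG = {"hosts": "any_host", "users": "any_user", "groups": "any_group"}


@dataclass
class ProxyRule:
    """Allow-lists for one trusted principal (default: nothing allowed)."""
    hosts: list = field(default_factory=list)   # ipaddress network objects
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    any_host: bool = False
    any_user: bool = False
    any_group: bool = False


def _split(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def load_proxy_rules(xml_text):
    """Build {principal: ProxyRule} from hadoop.proxyuser.* params."""
    rules = {}
    for param in ET.fromstring(xml_text).iter("param"):
        name = (param.findtext("name") or "").strip()
        value = (param.findtext("value") or "").strip()
        if not name.startswith(PREFIX):
            continue
        principal, sep, kind = name[len(PREFIX):].rpartition(".")
        if not sep or kind not in WILDCARD_FLAG:
            continue  # not a hosts/users/groups key; ignore
        rule = rules.setdefault(principal, ProxyRule())
        items = _split(value)
        if "*" in items:
            setattr(rule, WILDCARD_FLAG[kind], True)  # Hadoop-style wildcard
            continue
        if kind == "hosts":
            # Single addresses become /32 (or /128) networks; CIDRs stay as-is.
            rule.hosts.extend(ipaddress.ip_network(h, strict=False) for h in items)
        elif kind == "users":
            rule.users.update(items)
        else:
            rule.groups.update(items)
    return rules


def may_impersonate(rules, principal, doas_user, doas_groups, remote_ip):
    """Return (allowed, reason). Denies unless a rule exists for the
    authenticated principal, the caller's IP is allow-listed, and the doAs
    user is named directly or belongs to an allow-listed group."""
    rule = rules.get(principal)
    if rule is None:
        return False, f"{principal!r} is not a configured proxy principal"
    if not rule.any_host:
        ip = ipaddress.ip_address(remote_ip)
        if not any(ip in net for net in rule.hosts):
            return False, f"{remote_ip} is not an allowed host for {principal!r}"
    if rule.any_user or rule.any_group:
        return True, "wildcard user/group rule"
    if doas_user in rule.users:
        return True, f"{doas_user!r} is allow-listed by user"
    if rule.groups & set(doas_groups):
        return True, f"{doas_user!r} is allow-listed by group"
    return False, f"{doas_user!r} is not an allowed target for {principal!r}"


if __name__ == "__main__":
    rules = load_proxy_rules(SAMPLE_PROVIDER_XML)
    print(may_impersonate(rules, "hive", "user1", [], "10.222.5.7"))
    print(may_impersonate(rules, "hive", "alice", ["users"], "10.113.221.221"))
    print(may_impersonate(rules, "hive", "user1", [], "192.168.1.1"))
    print(may_impersonate(rules, "hive", "bob", ["admins"], "10.222.5.7"))
```

Because the rules are keyed by the authenticated principal, the same evaluation can be scoped per topology (each topology loads its own provider params), which is the point the issue makes about keeping this out of the global gateway-site.xml. A missing or malformed rule yields a denial rather than a pass, so a topology that omits the config grants no impersonation at all.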



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)