[
https://issues.apache.org/jira/browse/KNOX-2020?focusedWorklogId=317045&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-317045
]
ASF GitHub Bot logged work on KNOX-2020:
----------------------------------------
Author: ASF GitHub Bot
Created on: 23/Sep/19 23:47
Start Date: 23/Sep/19 23:47
Worklog Time Spent: 10m
Work Description: sharad-oss commented on pull request #153: KNOX-2020
AWS federation support added to hadoop-jwt cookie.
URL: https://github.com/apache/knox/pull/153
This contribution enhances the Hadoop JWT cookie to contain AWS credentials
to interact with the AWS ecosystem. This is done via an optional configuration
when using SAML for authentication. The account admin can set up AWS federation
with SAML
(https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html).
The SAML Response in such a case will contain the Identity Provider (IDP)
injected Role. Simple Token Service (STS) is invoked for AssumeRoleWithSaml
using this SAML Response for credentials, and on success a cookie is added to
the browser. The value for this cookie is the Base 64 encoded credentials. The
TTL for this cookie matches the TTL for AWS credentials. From there on the
usual Knox flow continues.
Knox will add the hadoop-jwt cookie that is understood by the Hadoop
ecosystem. A JWT provides standard info about the subject, TTL and claims. We
enhance the claims to contain the AWS credentials by using the info in the
previously stashed aws cookie. This way the Hadoop ecosystem services can now
interact with AWS services too. The lifetime for the cookies matches the life
of AWS credentials.
## What changes were proposed in this pull request?
The Pac4j filter has been modified to optionally do AWS federation. This
change has no effect if the configuration is not enabled.
A new security module gateway-provider-security-aws handles all the logic to
do SAML federation and add an AWS cookie.
This module receives the SAML Response, federates into AWS, and assumes
the first role in the assertion. This could be enhanced in future to determine
which Role to pick. AWS credentials are stashed in a cookie for further usage
(after the redirect happens in the filter). At the end it returns to the
pac4j filter with a cookie added to the response.
Methods to issue JWT token have been enhanced to take custom claims as
parameters.
In KnoxSSO we enhance the hadoop-jwt cookie with the contents from the AWS
cookie.
This is done by using custom claims. The procured AWS credentials are added
to the JWT claims. Please look at the testing section for what the cookie looks
like after the change. Note the cookie is unaffected if the option to do AWS
SAML federation is not turned on.
Knox token has also been modified to reflect the new token format.
## How was this patch tested?
Ran all unit tests.
Tested on an EC2 deployment (AWS EMR). The knoxtoken
(/knoxtoken/api/v1/token) looks like
```
{
  "sub": "[sharad]",
  "aud": "tokenbased",
  "iss": "KNOXSSO",
  "aws-session":
    "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",
  "exp": 1568367676
}
```
The AWS credentials are in Base 64 encoded format, and the exp matches the
AWS credentials exp.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
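The token format the comment describes (sub, aud, iss, a Base64 aws-session claim, and an exp that matches the AWS credential lifetime), as an added Python example that is not part of the pull request or of Knox's code: mint_token, verify_token, SAMPLE_AWS_CREDS and the HS256 signing key are hypothetical, and the credential fields are constructed sample values, not real STS output.

```python
import base64, hashlib, hmac, json

# Constructed sample of the fields STS AssumeRoleWithSAML returns; not a real response.
SAMPLE_AWS_CREDS = {
    "AccessKeyId": "AKIA-CONSTRUCTED-PLACEHOLDER",
    "SecretAccessKey": "constructed-secret",
    "SessionToken": "constructed-session-token",
    "Expiration": 1568367676,  # epoch seconds; same value as the exp in the PR's sample token
}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(key: bytes, subject: str, aws_creds: dict, now: int, default_ttl: int = 3600) -> str:
    """Hypothetical issuer: builds a knoxtoken-style JWT carrying the Base64
    aws-session claim, clamping exp so the token never outlives the credentials."""
    claims = {
        "sub": subject, "aud": "tokenbased", "iss": "KNOXSSO",
        "aws-session": base64.b64encode(json.dumps(aws_creds).encode()).decode(),
        "exp": min(now + default_ttl, aws_creds["Expiration"]),
    }
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(key: bytes, token: str, now: int) -> tuple:
    """Hypothetical consumer: checks alg, signature and exp, then confirms the
    embedded AWS session is still live. Returns (claims, creds) or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    creds = json.loads(base64.b64decode(claims["aws-session"]))
    if creds["Expiration"] < claims["exp"]:
        raise ValueError("aws-session would expire before the token")
    return claims, creds
```

The consumer-side check on Expiration matters because the claim carries live credentials: a token that outlives them would be accepted by the gateway while every downstream AWS call fails.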
Issue Time Tracking
-------------------
Worklog Id: (was: 317045)
Remaining Estimate: 0h
Time Spent: 10m
> Enhance hadoop-jwt cookie to interact with the AWS ecosystem
> ------------------------------------------------------------
>
> Key: KNOX-2020
> URL: https://issues.apache.org/jira/browse/KNOX-2020
> Project: Apache Knox
> Issue Type: New Feature
> Components: KnoxSSO, Server
> Reporter: Sharad
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> It's desirable to access AWS managed services while accessing resources using
> Apache Knox. AWS provides SAML for federation, and we could enhance the SAML
> login flow in Knox to interact with AWS, and enhance the hadoop-jwt cookie
> with AWS credentials. The cookie then allows the gateway to interact with other
> AWS services like S3, DDB, EC2 etc. (as defined by the IDP admin in the AWS
> Role that gets injected in the SAML assertion).
--
This message was sent by Atlassian Jira
(v8.3.4#803005)