[ https://issues.apache.org/jira/browse/KNOX-2556?focusedWorklogId=571502&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-571502 ]
ASF GitHub Bot logged work on KNOX-2556:
----------------------------------------
Author: ASF GitHub Bot
Created on: 24/Mar/21 21:01
Start Date: 24/Mar/21 21:01
Worklog Time Spent: 10m
Work Description: pzampino opened a new pull request #424:
URL: https://github.com/apache/knox/pull/424
## What changes were proposed in this pull request?
Added JWTProvider support for specifying the unique identifier associated
with Knox JWTs as an HTTP Basic password (username=TokenPasscode, password=UUID)
when server-managed token state is enabled.
Example:
curl -ivku TokenPasscode:$PASSCODE "https://localhost:8443/gateway/proxy-token/webhdfs/v1/tmp?op=LISTSTATUS"
## How was this patch tested?
I've added
org.apache.knox.gateway.provider.federation.TokenIDAsHTTPBasicCredsFederationFilterTest
and executed all the existing Knox tests (mvn -Ppackage,release clean package).
I've manually tested by:
- Enabling server-managed token state in the homepage deployment of KNOXTOKEN
- Defining a provider configuration with the JWTProvider (with
server-managed token state enabled)
- Defining a descriptor that references that provider config
- Generated a token using the homepage facility
- curl -ivku TokenPasscode:$PASSCODE "https://localhost:8443/gateway/proxy-token/webhdfs/v1/tmp?op=LISTSTATUS"
I've also done some manual testing with server-managed token state DISABLED
to verify the behavior.
I could not find any existing tests for
org.apache.knox.gateway.hadoopauth.filter.HadoopAuthPostFilter, so I haven't
yet added any tests to verify the associated changes.
I may add more negative test cases to
org.apache.knox.gateway.provider.federation.TokenIDAsHTTPBasicCredsFederationFilterTest
Issue Time Tracking
-------------------
Worklog Id: (was: 571502)
Remaining Estimate: 0h
Time Spent: 10m
> Enhance JWTProvider to accept knox.id as Passcode Token
> -------------------------------------------------------
>
> Key: KNOX-2556
> URL: https://issues.apache.org/jira/browse/KNOX-2556
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Reporter: Larry McCay
> Assignee: Philip Zampino
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> This enhancement enables the use of the previously internal knox.id as a
> Passcode Token for accessing proxied resources as an Authorization Bearer
> token or HTTP Basic password. This id has been used to bind incoming
> KnoxTokens (JWT) that embed such an id to the metadata in the Token State
> Server in order to provide server side state management.
> The motivation for this is the fact that certain 3rd party BI tooling such as
> Tableau not only have the inability to set a bearer token but also have size
> limitations on the password field used to collect the username and password
> credentials.
> We will need to enhance the current JWTProvider to not require an actual JWT
> but the Passcode Token will represent the same backend metadata.
> This does mean that Passcode Tokens can only be used with the Token State
> Server functionality enabled for both the KnoxToken service and the
> JWTProvider federation provider.
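
The credential handling described in this issue, sketched as an added Python example (not Knox's Java code and not part of the original message): it accepts the passcode as a Bearer value or as the HTTP Basic password for user TokenPasscode, and fails closed when server-managed state is disabled. The in-memory TOKEN_STATE map, its expires field, the function names and the rule that a Bearer value with two dots is a JWT are assumptions made for illustration.

```python
import base64
import time

PASSCODE_USER = "TokenPasscode"  # Basic username named in the pull request

# Constructed stand-in for the token state service (assumption): knox.id -> metadata.
TOKEN_STATE = {
    "0e2f6a1c-5b7d-4c3e-9a41-6d2b8f0c7e15": {"user": "alice", "expires": 4102444800},
    "7c9d3b52-1f4a-4e8b-b6a0-93e5d1c2a7f4": {"user": "bob", "expires": 1},
}

def extract_passcode(authorization):
    """Return the passcode carried by an Authorization header, or None."""
    scheme, _, value = (authorization or "").partition(" ")
    scheme, value = scheme.lower(), value.strip()
    if scheme == "bearer":
        # Assumption: two dots means a compact JWT, which belongs to the JWT path.
        return None if value.count(".") == 2 else (value or None)
    if scheme != "basic":
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed base64 or non-UTF-8 credentials
    user, sep, password = decoded.partition(":")
    # Only the reserved username selects the passcode path.
    if not sep or user != PASSCODE_USER or not password:
        return None
    return password

def authenticate(authorization, state_enabled=True, now=None):
    """Resolve a passcode to a user; None when state is off, unknown or expired."""
    passcode = extract_passcode(authorization)
    if passcode is None or not state_enabled:
        return None  # a passcode carries no claims, so it is useless without state
    entry = TOKEN_STATE.get(passcode)
    now = time.time() if now is None else now
    if entry is None or entry["expires"] <= now:
        return None
    return entry["user"]

def basic(user, password):
    """Build a Basic Authorization header value, as curl -u does."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```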