[jira] [Work logged] (KNOX-2710) Identity assertion provider for services without doAs support

Tue, 08 Mar 2022 04:03:05 -0800 


     [ 
https://issues.apache.org/jira/browse/KNOX-2710?focusedWorklogId=738101&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-738101
 ]

ASF GitHub Bot logged work on KNOX-2710:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 08/Mar/22 12:02
            Start Date: 08/Mar/22 12:02
    Worklog Time Spent: 10m 
      Work Description: moresandeep opened a new pull request #544:
URL: https://github.com/apache/knox/pull/544


   ## What changes were proposed in this pull request?
   This PR adds a new identity assertion provider `NoDoAsProvider` that does 
not add doAs parameter at the end of the query string. This is needed for 
services that do not tolerate addition of query params like RStudio.
   
   This feature can be enabled using `<policies>` in service.xml for proxied 
service. e.g.
   ```
   <policies>
                        <policy role="webappsec"/>
                        <policy role="authentication"/>
                        <policy role="rewrite"/>
                        <policy role="authorization"/>
                        <policy role="identity-assertion" 
name="NoDoAsProvider"/>
        </policies>
   ```
   
   **NOTE**: to use `identity-assertion` you need to use `authentication` 
policy.
   ## How was this patch tested?
   This patch was tested locally
   
   ```
   
        2022-03-07 16:22:22,919 346c6508-0750-4d40-bd33-739e10e76e59 WARN  
knox.gateway (DefaultDispatch.java:executeOutboundRequest(183)) - Connection 
exception dispatching request: 
http://localhost:50070/webhdfs/v1/tmp/hello.txt?op=create 
org.apache.http.conn.HttpHostConnectException: Connect to localhost:50070 
[localhost/127.0.0.1, localhost/0:0:0:0:0:0:0:1] failed: Connection refused 
(Connection refused)
   
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


Issue Time Tracking
-------------------

            Worklog Id:     (was: 738101)
    Remaining Estimate: 0h
            Time Spent: 10m

> Identity assertion provider for services without doAs support
> -------------------------------------------------------------
>
>                 Key: KNOX-2710
>                 URL: https://issues.apache.org/jira/browse/KNOX-2710
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>            Reporter: Sandeep More
>            Assignee: Sandeep More
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> There might be services (e.g. RStudio) which do not support trusted proxy and 
> that might break with the doAs parameter at the end of the URL. We need to be 
> able to implement an identity assertion provider that can skip doAs and which 
> is configurable.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

Reply via email to