smolnar82 opened a new pull request #545:
URL: https://github.com/apache/knox/pull/545


   ## What changes were proposed in this pull request?
   
   Implemented the changes described in [KNOX-2714](https://issues.apache.org/jira/browse/KNOX-2714).
   
   ## How was this patch tested?
   
   TODO: adding unit tests
   
   Manual testing is done:
   1. Logged in as the `admin` user
   2. Created a token for the `admin` user itself
   3. Created tokens for different machine users: `sandormolnar` and `tom`
   
   ```
   postgres=> select * from knox_token_metadata;
                  token_id               |  md_name  |                                         md_value
   --------------------------------------+-----------+------------------------------------------------------------------------------------------
    8ceb8731-5b73-4983-9c9d-ff2712c76daa | comment   | token for admin
    8ceb8731-5b73-4983-9c9d-ff2712c76daa | userName  | admin
    8ceb8731-5b73-4983-9c9d-ff2712c76daa | enabled   | true
    8ceb8731-5b73-4983-9c9d-ff2712c76daa | passcode  | emzvv73vv71Ie++/ve+/ve+/vQHvv70kaWwLJu+/ve+/vXjRmu+/vdG1OR/vv71b77+977+977+9LA==
   
    80ce72a3-221d-49e6-971d-d4d4886d29d0 | comment   | token for sandormolnar
    80ce72a3-221d-49e6-971d-d4d4886d29d0 | userName  | sandormolnar
    80ce72a3-221d-49e6-971d-d4d4886d29d0 | createdBy | admin
    80ce72a3-221d-49e6-971d-d4d4886d29d0 | enabled   | true
    80ce72a3-221d-49e6-971d-d4d4886d29d0 | passcode  | 77+9Ne+/vRdkYwzElXgbRe+/ve+/ve+/vWNUUO+/vSsfNO+/vU/vv71k77+9O3jvv73vv710
   
    8e17c9d5-ca59-4672-802f-f6c20287deec | comment   | token for tom in accountant team
    8e17c9d5-ca59-4672-802f-f6c20287deec | userName  | tom
    8e17c9d5-ca59-4672-802f-f6c20287deec | createdBy | admin
    8e17c9d5-ca59-4672-802f-f6c20287deec | enabled   | true
    8e17c9d5-ca59-4672-802f-f6c20287deec | passcode  | 77+977+977+9ce+/vRPvv70+Iu+/vXJl77+9ce+/vSrvv71777+977+977+977+9Mcu6M3nvv73vv71eKu+/vQ==
   (14 rows)
   ```
   4. Removed `knox.token.proxyuser.admin.users` and changed 
`knox.token.proxyuser.admin.groups` to `accountant` in the homepage topology 
(by default 'admin' is allowed to impersonate everyone). Then I tried to create 
a token on behalf of `bob` who is not in the `accountant` group (he's a 
researcher):
   ```
   $ id bob
   uid=505(bob) gid=20(staff) groups=20(staff),504(research)
   ```
   The result, as expected, is 403.
   


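A simplified model of the impersonation check exercised in step 4, added here as an example; it is not code from the pull request or from Knox. It assumes Hadoop-style proxyuser semantics (a user list and a group list, `*` as wildcard, a missing parameter matching nobody); the function names, the wildcard default values and tom's `id` line are constructed.

```python
import re

PREFIX = "knox.token.proxyuser."  # parameter prefix as used in step 4


def parse_id_groups(id_output):
    """Extract group names from `id <user>` output like the one in step 4."""
    m = re.search(r"groups=(\S+)", id_output)
    return set(re.findall(r"\(([^)]+)\)", m.group(1))) if m else set()


def acl(params, proxy_user, kind):
    """Configured users/groups list; assumed: a missing parameter allows nobody."""
    raw = params.get(f"{PREFIX}{proxy_user}.{kind}", "")
    return {v.strip() for v in raw.split(",") if v.strip()}


def impersonation_status(params, proxy_user, do_as, do_as_groups):
    """HTTP status for proxy_user requesting a token on behalf of do_as."""
    if proxy_user == do_as:
        return 200  # a token for oneself is not impersonation
    users = acl(params, proxy_user, "users")
    groups = acl(params, proxy_user, "groups")
    if "*" in users or do_as in users:
        return 200
    if "*" in groups or groups & do_as_groups:
        return 200
    return 403  # neither list covers the impersonated user


# Constructed values: an "impersonate everyone" default and the step 4 restriction.
DEFAULT = {PREFIX + "admin.users": "*", PREFIX + "admin.groups": "*"}
RESTRICTED = {PREFIX + "admin.groups": "accountant"}  # users parameter removed

BOB_ID = "uid=505(bob) gid=20(staff) groups=20(staff),504(research)"  # from the page
TOM_ID = "uid=506(tom) gid=20(staff) groups=20(staff),505(accountant)"  # constructed

if __name__ == "__main__":
    for name, line in (("bob", BOB_ID), ("tom", TOM_ID)):
        status = impersonation_status(RESTRICTED, "admin", name, parse_id_groups(line))
        print(f"admin -> {name}: {status}")
```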