[ 
https://issues.apache.org/jira/browse/KNOX-2714?focusedWorklogId=739916&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-739916
 ]

ASF GitHub Bot logged work on KNOX-2714:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 11/Mar/22 08:05
            Start Date: 11/Mar/22 08:05
    Worklog Time Spent: 10m 
      Work Description: smolnar82 opened a new pull request #545:
URL: https://github.com/apache/knox/pull/545


   ## What changes were proposed in this pull request?
   
   Implemented the changes described in 
[KNOX-2714](https://issues.apache.org/jira/browse/KNOX-2714).
   
   ## How was this patch tested?
   
   TODO: adding unit tests
   
   Manual testing is done:
   1. Logged in as the `admin` user
   2. Created a token for the `admin` user itself
   3. Created tokens for different machine users: `sandormolnar` and `tom`
   <img width="1742" alt="Screenshot 2022-03-11 at 8 38 22" src="https://user-images.githubusercontent.com/34065904/157825474-55307d9a-a0ea-435f-ad8d-7063bf0954ab.png">
   <img width="1756" alt="Screenshot 2022-03-11 at 8 38 48" src="https://user-images.githubusercontent.com/34065904/157825489-904268e0-b01e-4276-9d2b-f8eaad4ab208.png">
   <img width="1758" alt="Screenshot 2022-03-11 at 8 39 28" src="https://user-images.githubusercontent.com/34065904/157825497-e081e691-ccea-444d-ae87-a7e9ea067834.png">
   <img width="1784" alt="Screenshot 2022-03-11 at 8 52 45" src="https://user-images.githubusercontent.com/34065904/157825506-b5fbfc7b-e3bc-4164-bf8e-4b24112d05c9.png">
   
   ```
   postgres=> select * from knox_token_metadata;
                  token_id               |  md_name  |                                         md_value
   --------------------------------------+-----------+------------------------------------------------------------------------------------------
    8ceb8731-5b73-4983-9c9d-ff2712c76daa | comment   | token for admin
    8ceb8731-5b73-4983-9c9d-ff2712c76daa | userName  | admin
    8ceb8731-5b73-4983-9c9d-ff2712c76daa | enabled   | true
    8ceb8731-5b73-4983-9c9d-ff2712c76daa | passcode  | emzvv73vv71Ie++/ve+/ve+/vQHvv70kaWwLJu+/ve+/vXjRmu+/vdG1OR/vv71b77+977+977+9LA==

    80ce72a3-221d-49e6-971d-d4d4886d29d0 | comment   | token for sandormolnar
    80ce72a3-221d-49e6-971d-d4d4886d29d0 | userName  | sandormolnar
    80ce72a3-221d-49e6-971d-d4d4886d29d0 | createdBy | admin
    80ce72a3-221d-49e6-971d-d4d4886d29d0 | enabled   | true
    80ce72a3-221d-49e6-971d-d4d4886d29d0 | passcode  | 77+9Ne+/vRdkYwzElXgbRe+/ve+/ve+/vWNUUO+/vSsfNO+/vU/vv71k77+9O3jvv73vv710

    8e17c9d5-ca59-4672-802f-f6c20287deec | comment   | token for tom in accountant team
    8e17c9d5-ca59-4672-802f-f6c20287deec | userName  | tom
    8e17c9d5-ca59-4672-802f-f6c20287deec | createdBy | admin
    8e17c9d5-ca59-4672-802f-f6c20287deec | enabled   | true
    8e17c9d5-ca59-4672-802f-f6c20287deec | passcode  | 77+977+977+9ce+/vRPvv70+Iu+/vXJl77+9ce+/vSrvv71777+977+977+977+9Mcu6M3nvv73vv71eKu+/vQ==
   (14 rows)
   ```
   4. Removed `knox.token.proxyuser.admin.users` and changed 
`knox.token.proxyuser.admin.groups` to `accountant` in the homepage topology 
(by default 'admin' is allowed to impersonate everyone). Then I tried to create 
a token on behalf of `bob` who is not in the `accountant` group (he's a 
researcher):
   ```
   $ id bob
   uid=505(bob) gid=20(staff) groups=20(staff),504(research)
   The result, as expected, is 403
   ```
   <img width="1757" alt="Screenshot 2022-03-11 at 8 46 11" src="https://user-images.githubusercontent.com/34065904/157825949-a9b9986c-012b-4b1a-b55f-55c11d214516.png">
   




Issue Time Tracking
-------------------

            Worklog Id:     (was: 739916)
    Remaining Estimate: 0h
            Time Spent: 10m

> Adding doAs support for KnoxToken service
> -----------------------------------------
>
>                 Key: KNOX-2714
>                 URL: https://issues.apache.org/jira/browse/KNOX-2714
>             Project: Apache Knox
>          Issue Type: Improvement
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Critical
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> As of now, authenticated users are allowed to acquire a Knox token for 
> themselves only. That is, the username the token is created for is fetched 
> from the request’s user principal. The goal is to be able to generate a Knox 
> token on behalf of somebody else.
> To be able to do this, we need to enhance the current KnoxToken service API 
> to support a new query parameter called doAs. For instance:
> {noformat}
> curl -iku admin:admin-password -X GET 'https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token?doAs=bob'
> {noformat}
> In this case, the generated token will not belong to the _‘admin’_ user, but 
> it’s going to be created for {_}‘bob’{_}.
> The newly introduced ‘doAs’ is an optional parameter: if not defined, the 
> generated token will belong to the authenticated user (in the above sample: 
> {_}‘admin’{_}).
> Of course, we need to provide a way to control who can generate tokens for 
> who, so the following service-level configuration should be added too (they 
> will be defined in the given topology for the KNOXTOKEN service):
>  * {{knox.token.proxyuser.$username.users}} - indicates the list of users for 
> whom {{$username}} is allowed to create tokens. It is possible to set this to 
> a 1-element list using the ‘*’ wildcard which means $username can generate 
> tokens for everyone. Defaults to an empty list that is equivalent to 
> {{$username}} is not allowed to impersonate anyone.
>  * {{knox.token.proxyuser.$username.groups}} - indicates 
> the list of group names for whose members $username is allowed to create 
> tokens for. It is possible to set this to a 1-element list using the ‘*’ 
> wildcard which means $username can generate tokens for members of any group. 
> Defaults to an empty list that is equivalent to {{$username}} is not allowed 
> to impersonate members from any group.
>  * {{knox.token.proxyuser.$username.hosts}} - indicates a 
> list of hostnames from where the requests are allowed to be accepted in case 
> the doAs parameter is used when creating Knox Tokens. It is possible to set 
> this to a 1-element list using the ‘*’ wildcard which means $username can 
> generate tokens from any host. Defaults to an empty list that is equivalent 
> to {{$username}} is not allowed to create tokens from any host.
> Please note this configuration is applied only if the newly introduced doAs 
> query parameter is present. Applying these whitelists should be in OR 
> relation: if any of the declared conditions is evaluated to {_}true{_}, the 
> token can be created using the doAs parameter for the target user.
> Let’s see some samples using the above curl command and assume that _‘bob’_ 
> is a member of the _‘accountants’_ group.
> |*knox.token.proxyuser.admin.users*|*knox.token.proxyuser.admin.groups*|*Result*|
> |Not Set|Not Set|403|
> |tom, jerry|Not Set|403|
> |bob, tom, jerry|Not Set|200|
> |bob, tom, jerry|managers|200|
> |tom, jerry|managers|403|
> |Not Set|managers|403|
> |Not Set|managers, accountants|200|
> |tom, jerry|managers, accountants|200|
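The whitelist semantics the issue spells out (users, groups and hosts checked in OR relation, the `*` wildcard, an unset key meaning an empty list that denies) as an added reference model in Python. This is illustration code, not Knox code: the three configuration keys are taken from the issue text, while the evaluation function, the helper names and the sample group membership for `bob` are constructed here. The rows of the result table above are embedded as data so the model can be checked against every row, and it also reproduces step 4 of the pull request's manual test (a target user outside the configured group gets 403).

```python
"""Reference model of the knox.token.proxyuser.* whitelist rules from KNOX-2714.

Constructed illustration, not Knox code. Only the configuration key names are
taken from the issue; everything else (function names, the group lookup, the
sample users) is an assumption made for this example.
"""
from typing import Dict, FrozenSet, Iterable, List, Mapping, Optional, Tuple

# Assumed shape of the KNOXTOKEN service-level configuration: a flat mapping
# from parameter name to a comma-separated value, as in the issue's examples.
ServiceConfig = Mapping[str, str]


def parse_whitelist(config: ServiceConfig, key: str) -> FrozenSet[str]:
    """Split a comma-separated whitelist; an absent or empty key is the empty list."""
    raw = config.get(key, "")
    return frozenset(item.strip() for item in raw.split(",") if item.strip())


def whitelist_matches(whitelist: FrozenSet[str], candidates: Iterable[str]) -> bool:
    """A whitelist matches if it holds the '*' wildcard or any candidate value."""
    if "*" in whitelist:
        return True
    return any(candidate in whitelist for candidate in candidates)


def may_impersonate(config: ServiceConfig, proxy_user: str, target_user: str,
                    target_groups: Iterable[str], remote_host: str) -> bool:
    """Return True if proxy_user may obtain a token with doAs=target_user.

    The issue specifies an OR relation: a match on any of the users, groups or
    hosts whitelists is sufficient; empty lists (the default) never match.
    """
    prefix = f"knox.token.proxyuser.{proxy_user}."
    users = parse_whitelist(config, prefix + "users")
    groups = parse_whitelist(config, prefix + "groups")
    hosts = parse_whitelist(config, prefix + "hosts")
    return (whitelist_matches(users, [target_user])
            or whitelist_matches(groups, target_groups)
            or whitelist_matches(hosts, [remote_host]))


# Constructed sample directory: bob is a member of 'accountants', as the issue assumes.
GROUPS: Dict[str, FrozenSet[str]] = {"bob": frozenset({"accountants"})}


def token_request_status(config: ServiceConfig, authenticated_user: str,
                         do_as: Optional[str] = None, remote_host: str = "localhost") -> int:
    """Model the endpoint's decision: no doAs means the token is for the caller (200).

    When doAs is present the whitelists are applied; the issue does not say whether
    doAs equal to the caller bypasses them, so this model checks whenever doAs is set.
    """
    if do_as is None:
        return 200
    target_groups = GROUPS.get(do_as, frozenset())
    allowed = may_impersonate(config, authenticated_user, do_as, target_groups, remote_host)
    return 200 if allowed else 403


# Rows of the issue's table: (users setting, groups setting, expected HTTP status).
ISSUE_TABLE: List[Tuple[Optional[str], Optional[str], int]] = [
    (None, None, 403),
    ("tom, jerry", None, 403),
    ("bob, tom, jerry", None, 200),
    ("bob, tom, jerry", "managers", 200),
    ("tom, jerry", "managers", 403),
    (None, "managers", 403),
    (None, "managers, accountants", 200),
    ("tom, jerry", "managers, accountants", 200),
]


def evaluate_issue_table() -> List[Tuple[int, int]]:
    """Replay each table row for admin requesting doAs=bob; return (expected, actual) pairs."""
    results = []
    for users, groups, expected in ISSUE_TABLE:
        config: Dict[str, str] = {}
        if users is not None:
            config["knox.token.proxyuser.admin.users"] = users
        if groups is not None:
            config["knox.token.proxyuser.admin.groups"] = groups
        results.append((expected, token_request_status(config, "admin", do_as="bob")))
    return results


if __name__ == "__main__":
    for expected, actual in evaluate_issue_table():
        print(f"expected {expected}, got {actual}")
```

Because the issue specifies an OR relation, a matching `hosts` entry on its own authorizes a token for any target user from that host; the table rows leave `hosts` unset, so only the `users` and `groups` conditions decide those outcomes, and the unset defaults are what make the first row return 403.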



--
This message was sent by Atlassian Jira
(v8.20.1#820001)