[
https://issues.apache.org/jira/browse/KNOX-2714?focusedWorklogId=742069&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-742069
]
ASF GitHub Bot logged work on KNOX-2714:
----------------------------------------
Author: ASF GitHub Bot
Created on: 16/Mar/22 07:45
Start Date: 16/Mar/22 07:45
Worklog Time Spent: 10m
Work Description: smolnar82 commented on a change in pull request #545:
URL: https://github.com/apache/knox/pull/545#discussion_r827708026
##########
File path:
gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/TokenStateServiceMessages.java
##########
@@ -246,4 +246,7 @@
@Message(level = MessageLevel.ERROR, text = "An error occurred while
fetching tokens for user {0} from the database : {1}")
void errorFetchingTokensForUserFromDatabase(String userName, String
errorMessage, @StackTrace(level = MessageLevel.DEBUG) Exception e);
+
+ @Message(level = MessageLevel.ERROR, text = "An error occurred while
fetching 'doAs' tokens for user {0} from the database : {1}")
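Review bot: the new @Message declaration is cut off in this hunk right after the annotation text, so the method it annotates is not visible; confirm it mirrors errorFetchingTokensForUserFromDatabase (String userName, String errorMessage, @StackTrace(level = MessageLevel.DEBUG) Exception e) so that the doAs variant also keeps the stack trace at DEBUG and logs the user name and error message at ERROR. Minor style point: both messages carry a space before the colon in "database : {1}", which could be tidied while this file is being touched.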
Review comment:
Ack.
##########
File path:
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTAccessTokenAssertionFilter.java
##########
@@ -140,15 +139,9 @@ public void doFilter(ServletRequest request,
ServletResponse response,
private String getAccessToken(final String principalName, String
serviceName, long expires) {
String accessToken = null;
- Principal p = new Principal() {
- @Override
- public String getName() {
- return principalName;
- }
- };
JWT token;
try {
- final JWTokenAttributes jwtAttributes = new
JWTokenAttributesBuilder().setPrincipal(p).setAudiences(serviceName).setAlgorithm(signatureAlgorithm).setExpires(expires).build();
+ final JWTokenAttributes jwtAttributes = new
JWTokenAttributesBuilder().setUserName(principalName).setAudiences(serviceName).setAlgorithm(signatureAlgorithm).setExpires(expires).build();
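Review bot: with the anonymous Principal gone, principalName flows straight into setUserName() in `final JWTokenAttributes jwtAttributes = new JWTokenAttributesBuilder().setUserName(principalName)...`, and getAccessToken() still does no null or empty check on it; the old code would at least have produced a Principal whose getName() returned that value, whereas now the builder is asked directly for a token with no subject. Rejecting a null or blank principalName up front (or confirming the builder does) keeps an unattributable token from being signed. Since the parameter now holds a plain user name rather than a Principal, naming it userName, as the builder method does, would also read clearer.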
Review comment:
It's actually the name of the user principal who creates the token. I
can rename this variable if you want.
The change here is that instead of saving the entire `Principal` object we
only save the principal name as `userName` in the token.
##########
File path:
gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
##########
@@ -672,7 +682,24 @@ private Response getAuthenticationToken() {
.getAttribute(GatewayServices.GATEWAY_SERVICES_ATTRIBUTE);
JWTokenAuthority ts = services.getService(ServiceType.TOKEN_SERVICE);
- Principal p = request.getUserPrincipal();
+
+ String userName = request.getUserPrincipal().getName();
+ String createdBy = null;
+ // checking the doAs user only makes sense if tokens are managed (this is
where we store the userName information)
+ if (tokenStateService != null) {
+ final String doAsUser = request.getParameter(QUERY_PARAMETER_DOAS);
+ if (doAsUser != null && !doAsUser.equals(userName)) {
+ try {
+ //this call will authorize the doAs request
+ AuthFilterUtils.getProxyRequest(request, doAsUser);
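Review bot: `String userName = request.getUserPrincipal().getName();` dereferences getUserPrincipal() without a null check, where the removed `Principal p = request.getUserPrincipal();` merely kept the null; if this endpoint can be reached without an authenticated principal (for instance through a misconfigured topology), the result is now a NullPointerException and a 500 instead of a clean 401/403. Second, the doAs branch is only entered when tokenStateService != null, so a request carrying doAs=bob against a topology without token management silently receives a token for the caller rather than for bob; rejecting the parameter in that case, or at least logging it, avoids a caller assuming it obtained an impersonation token. Finally, the try block around AuthFilterUtils.getProxyRequest(request, doAsUser) relies on an exception to deny the request; make sure the catch (not shown in this hunk) returns 403 and cannot fall through to the token-issuing code below.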
Review comment:
Ack.
##########
File path:
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTAuthCodeAssertionFilter.java
##########
@@ -65,7 +65,7 @@ public void doFilter(ServletRequest request, ServletResponse
response,
principalName = mapper.mapUserPrincipal(principalName);
JWT authCode;
try {
- authCode = authority.issueToken(new
JWTokenAttributesBuilder().setPrincipal(subject).setAlgorithm(signatureAlgorithm).build());
+ authCode = authority.issueToken(new
JWTokenAttributesBuilder().setUserName(principalName).setAlgorithm(signatureAlgorithm).build());
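Review bot: the old call passed `subject` while the new one passes `principalName`, which two lines above was just run through `mapper.mapUserPrincipal(principalName)`, so the auth code's subject is now the mapped name rather than whatever `subject` carried; confirm this is intended and that consumers of the auth code expect the mapped form. If `subject` has no remaining use in doFilter after this change, drop the local to avoid an unused-variable warning.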
Review comment:
The same as above.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
Issue Time Tracking
-------------------
Worklog Id: (was: 742069)
Time Spent: 0.5h (was: 20m)
> Adding doAs support for KnoxToken service
> -----------------------------------------
>
> Key: KNOX-2714
> URL: https://issues.apache.org/jira/browse/KNOX-2714
> Project: Apache Knox
> Issue Type: Improvement
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Critical
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> As of now, authenticated users are allowed to acquire a Knox token for
> themselves only. That is, the username the token is created for is fetched
> from the request’s user principal. The goal is to be able to generate a Knox
> token on behalf of somebody else.
> To be able to do this, we need to enhance the current KnoxToken service API
> to support a new query parameter called doAs. For instance:
> {noformat}
> curl -iku admin:admin-password -X GET
> 'https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token?doAs=bob'
> {noformat}
> In this case, the generated token will not belong to the _‘admin’_ user, but
> it’s going to be created for _‘bob’_.
> The newly introduced ‘doAs’ is an optional parameter: if not defined, the
> generated token will belong to the authenticated user (in the above sample:
> _‘admin’_).
> Of course, we need to provide a way to control who can generate tokens for
> whom, so the following service-level configuration should be added too (they
> will be defined in the given topology for the KNOXTOKEN service):
> * {{knox.token.proxyuser.$username.users}} - indicates the list of users for
> whom {{$username}} is allowed to create tokens. It is possible to set this to
> a 1-element list using the ‘*’ wildcard, which means $username can generate
> tokens for everyone. Defaults to an empty list, which means {{$username}} is
> not allowed to impersonate anyone.
> * {{knox.token.proxyuser.$username.groups}} - indicates the list of group
> names for whose members $username is allowed to create tokens. It is possible
> to set this to a 1-element list using the ‘*’ wildcard, which means $username
> can generate tokens for members of any group. Defaults to an empty list, which
> means {{$username}} is not allowed to impersonate members of any group.
> * {{knox.token.proxyuser.$username.hosts}} - indicates a list of hostnames
> from which requests are accepted when the doAs parameter is used to create
> Knox tokens. It is possible to set this to a 1-element list using the ‘*’
> wildcard, which means $username can generate tokens from any host. Defaults
> to an empty list, which means {{$username}} is not allowed to create tokens
> from any host.
> Please note this configuration is applied only if the newly introduced doAs
> query parameter is present. Applying these whitelists should be in OR
> relation: if any of the declared conditions evaluates to _true_, the token
> can be created using the doAs parameter for the target user.
> Let’s see some samples using the above curl command and assume that _‘bob’_
> is a member of the _‘accountants’_ group.
> |*knox.token.proxyuser.admin.users*|*knox.token.proxyuser.admin.groups*|*Result*|
> |Not Set|Not Set|403|
> |tom, jerry|Not Set|403|
> |bob, tom, jerry|Not Set|200|
> |bob, tom, jerry|managers|200|
> |tom, jerry|managers|403|
> |Not Set|managers|403|
> |Not Set|managers, accountants|200|
> |tom, jerry|managers, accountants|200|
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
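The users/groups whitelist rule in the issue description above, with its OR relation and '*' wildcard, worked through as an added example that is not Knox's own code (the real check lives in AuthFilterUtils, which is not reproduced here). It models only the .users and .groups parameters from the description's table, leaves the .hosts rule out, takes the topology parameters as a plain dict, and takes the target user's group membership as an argument since the issue does not say how groups are resolved. The sample rows are constructed from the table in the issue, with 'bob' as a member of 'accountants'.

```python
# Added example (not Knox's own code): evaluates the knox.token.proxyuser.*
# users/groups whitelists described in KNOX-2714 with the OR semantics and
# '*' wildcard the issue states, and replays the issue's result table.
# The .hosts rule and the real AuthFilterUtils code are not modelled.

PREFIX = "knox.token.proxyuser."


def parse_list(value):
    """Split a comma-separated topology value into a set; unset => empty set."""
    if value is None:
        return set()
    return {item.strip() for item in value.split(",") if item.strip()}


def whitelist_allows(allowed, candidates):
    """Empty list never matches, '*' matches everything, else membership test."""
    if not allowed:
        return False
    if "*" in allowed:
        return True
    return any(candidate in allowed for candidate in candidates)


def can_create_token_for(config, proxy_user, target_user, target_groups=()):
    """True if proxy_user may obtain a Knox token for target_user.

    config: dict of topology params (keys like knox.token.proxyuser.admin.users).
    target_groups: groups the target user belongs to (resolved elsewhere; assumed).
    """
    # Asking for a token for yourself is not impersonation; this mirrors the
    # doAsUser.equals(userName) short-circuit in TokenResource.
    if target_user == proxy_user:
        return True
    users = parse_list(config.get(f"{PREFIX}{proxy_user}.users"))
    groups = parse_list(config.get(f"{PREFIX}{proxy_user}.groups"))
    # OR relation: any satisfied whitelist authorises the request.
    return whitelist_allows(users, [target_user]) or whitelist_allows(groups, target_groups)


def http_status(config, proxy_user, target_user, target_groups=()):
    """200 when the doAs request is authorised, 403 otherwise (as in the issue table)."""
    return 200 if can_create_token_for(config, proxy_user, target_user, target_groups) else 403


# Constructed from the table in the issue: admin requests doAs=bob, and bob is
# a member of 'accountants'. Each row is (users value, groups value, expected status).
ISSUE_TABLE = [
    (None, None, 403),
    ("tom, jerry", None, 403),
    ("bob, tom, jerry", None, 200),
    ("bob, tom, jerry", "managers", 200),
    ("tom, jerry", "managers", 403),
    (None, "managers", 403),
    (None, "managers, accountants", 200),
    ("tom, jerry", "managers, accountants", 200),
]


def replay_issue_table():
    """Return (computed, expected) status lists for the issue's sample table."""
    computed, expected = [], []
    for users, groups, status in ISSUE_TABLE:
        config = {}
        if users is not None:
            config[f"{PREFIX}admin.users"] = users
        if groups is not None:
            config[f"{PREFIX}admin.groups"] = groups
        computed.append(http_status(config, "admin", "bob", ("accountants",)))
        expected.append(status)
    return computed, expected


if __name__ == "__main__":
    computed, expected = replay_issue_table()
    for row, got, want in zip(ISSUE_TABLE, computed, expected):
        print(f"users={row[0]!r:22} groups={row[1]!r:26} -> {got} (expected {want})")
```

Running the block prints one line per table row; every computed status matches the issue's expected column. The deny-by-default branch in whitelist_allows is the part worth keeping in mind when reviewing a topology: an unset or empty parameter never grants anything, so only an explicit user list, group list or '*' opens impersonation for a proxy user.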