moresandeep opened a new pull request, #579:
URL: https://github.com/apache/knox/pull/579

   ## What changes were proposed in this pull request?
   Impersonation params should be configurable so that Knox can scrub these 
params before sending the request out to the backend services. There could be 
cases where some services might use their own impersonation params (similar to 
doAs used by Knox). Including these parameters in the request could have 
unknown side effects. In order to prevent these issues, impersonation params 
should be configurable. 
   
   The PR proposes adding `impersonation.params` parameter to the 
`identity-assertion` provider. e.g.
   ```
   <provider>
       <role>identity-assertion</role>
       <name>Default</name>
       <enabled>true</enabled>
       <param>
           <name>impersonation.params</name>
           <value>customID</value>
       </param>
   </provider>
   ```
   Adding this parameter tells Knox to scrub this parameter from the dispatched 
request. 
   e.g. 
   ```
   2022-05-18 07:06:12,733 cde0df3d-5fc8-4b7a-8b96-0f828f4e524e WARN  knox.gateway (IdentityAsserterHttpServletRequestWrapper.java:scrubOfExistingPrincipalParams(212)) - Possible identity spoofing attempt - impersonation parameter removed: customID
   ```
   
   
   ## How was this patch tested?
   This patch was tested locally
   
   Logs without `impersonation.params` 
   
   ```
   2022-05-18 07:11:02,332 aadcfc0f-5159-4c50-bacb-0308a496ad32 DEBUG knox.gateway (UrlRewriteProcessor.java:rewrite(162)) - Rewrote URL: https://localhost:8443/gateway/sandbox/weather/data/2.5/forecast/city?id=524901&APPID=54557732afcfe106bfc955b9da04fb14&customID=somerandomestring, direction: IN via implicit rule: WEATHER/weather/inbound to URL: http://api.openweathermap.org:80/data/2.5/forecast/city?id=524901&APPID=54557732afcfe106bfc955b9da04fb14&customID=somerandomestring
   2022-05-18 07:11:02,333 aadcfc0f-5159-4c50-bacb-0308a496ad32 DEBUG knox.gateway (DefaultDispatch.java:executeOutboundRequest(157)) - Dispatch request: GET http://api.openweathermap.org:80/data/2.5/forecast/city?id=524901&APPID=54557732afcfe106bfc955b9da04fb14&customID=somerandomestring&user.name=guest
   ```
   
   Logs with `impersonation.params`
   
   ```
   557732afcfe106bfc955b9da04fb14&customID=somerandomestring, direction: IN via implicit rule: WEATHER/weather/inbound to URL: http://api.openweathermap.org:80/data/2.5/forecast/city?id=524901&APPID=54557732afcfe106bfc955b9da04fb14&customID=somerandomestring
   2022-05-18 07:06:12,733 cde0df3d-5fc8-4b7a-8b96-0f828f4e524e WARN  knox.gateway (IdentityAsserterHttpServletRequestWrapper.java:scrubOfExistingPrincipalParams(212)) - Possible identity spoofing attempt - impersonation parameter removed: customID
   2022-05-18 07:06:12,738 cde0df3d-5fc8-4b7a-8b96-0f828f4e524e DEBUG knox.gateway (DefaultDispatch.java:executeOutboundRequest(157)) - Dispatch request: GET http://api.openweathermap.org:80/data/2.5/forecast/city?id=524901&APPID=54557732afcfe106bfc955b9da04fb14&user.name=guest
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
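
A log check for the scrubbing behaviour described in the pull request, added here as an example (it is not part of the PR or of Knox's code). It groups gateway log lines by request id, records which impersonation parameters were reported as removed, and flags any dispatched URL that still carries one. The function name `audit`, the request ids, the host `backend.example` and exact case-sensitive name matching are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in the format of the gateway log quoted above
# (request ids, host and parameter values are made up for this example).
SAMPLE_LOG = """\
2022-05-18 07:06:12,733 11111111-aaaa WARN  knox.gateway (IdentityAsserterHttpServletRequestWrapper.java:scrubOfExistingPrincipalParams(212)) - Possible identity spoofing attempt - impersonation parameter removed: customID
2022-05-18 07:06:12,738 11111111-aaaa DEBUG knox.gateway (DefaultDispatch.java:executeOutboundRequest(157)) - Dispatch request: GET http://backend.example:80/data?id=1&user.name=guest
2022-05-18 07:11:02,333 22222222-bbbb DEBUG knox.gateway (DefaultDispatch.java:executeOutboundRequest(157)) - Dispatch request: GET http://backend.example:80/data?id=1&customID=x&user.name=guest
"""

# timestamp, request id, level, "knox.gateway", "(source location)", " - ", message
LINE = re.compile(r"^(\S+ \S+) (\S+) (\w+)\s+knox\.gateway \(.*?\) - (.*)$")
REMOVED = re.compile(r"impersonation parameter removed: (\S+)")
DISPATCH = re.compile(r"Dispatch request: \S+ (\S+)")


def audit(log_text, impersonation_params):
    """Return (scrubbed, leaked), each a dict of request id -> set of names.

    scrubbed: parameters the gateway logged as removed.
    leaked:   configured parameters still present in a dispatched URL.
    """
    watched = set(impersonation_params)  # assumption: exact, case-sensitive match
    scrubbed, leaked = {}, {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # wrapped or unrelated line
        _, req_id, _, msg = m.groups()
        if (r := REMOVED.search(msg)):
            scrubbed.setdefault(req_id, set()).add(r.group(1))
        elif (d := DISPATCH.search(msg)):
            query = parse_qs(urlsplit(d.group(1)).query, keep_blank_values=True)
            hits = watched & set(query)
            if hits:
                leaked.setdefault(req_id, set()).update(hits)
    return scrubbed, leaked


if __name__ == "__main__":
    print(audit(SAMPLE_LOG, ["customID"]))
```

The dispatch line is logged at DEBUG, so the leak check only sees requests when that level is enabled for the gateway.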