[jira] [Work logged] (KNOX-2726) Impersonation Params Declared by Service Definitions

Wed, 18 May 2022 04:51:03 -0700 


     [ 
https://issues.apache.org/jira/browse/KNOX-2726?focusedWorklogId=771829&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-771829
 ]

ASF GitHub Bot logged work on KNOX-2726:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 18/May/22 11:50
            Start Date: 18/May/22 11:50
    Worklog Time Spent: 10m 
      Work Description: moresandeep opened a new pull request, #579:
URL: https://github.com/apache/knox/pull/579

   ## What changes were proposed in this pull request?
   Impersonation Params should be configurable so that Knox can scrub these 
params before sending it out to the backend services. There could be cases 
where some services might use their own impersonation params (similar to doAs 
used by Knox). Including these parameters in request could have unknown side 
effects. In order to prevent these issue, Impersonation Params should be 
configurable. 
   
   The PR proposes adding `impersonation.params` parameter to the 
`identity-assertion` provider. e.g.
   ```
         <provider>
               <role>identity-assertion</role>
               <name>Default</name>
               <enabled>true</enabled>
                        <param>
                                <name>impersonation.params</name>
                                <value>customID</value>
                            </param>
           </provider>
   ```
   Adding this parameter tells Knox to scrub this parameter from the dispatched 
request. 
   e.g. 
   ```
   2022-05-18 07:06:12,733 cde0df3d-5fc8-4b7a-8b96-0f828f4e524e WARN  
knox.gateway 
(IdentityAsserterHttpServletRequestWrapper.java:scrubOfExistingPrincipalParams(212))
 - Possible identity spoofing attempt - impersonation parameter removed: 
customID
   ```
   
   
   ## How was this patch tested?
   This patch was tested locally
   
   Logs without `impersonation.params` 
   
   ```
   2022-05-18 07:11:02,332 aadcfc0f-5159-4c50-bacb-0308a496ad32 DEBUG 
knox.gateway (UrlRewriteProcessor.java:rewrite(162)) - Rewrote URL: 
https://localhost:8443/gateway/sandbox/weather/data/2.5/forecast/city?id=524901&APPID=54557732afcfe106bfc955b9da04fb14&customID=somerandomestring,
 direction: IN via implicit rule: WEATHER/weather/inbound to URL: 
http://api.openweathermap.org:80/data/2.5/forecast/city?id=524901&APPID=54557732afcfe106bfc955b9da04fb14&customID=somerandomestring
   2022-05-18 07:11:02,333 aadcfc0f-5159-4c50-bacb-0308a496ad32 DEBUG 
knox.gateway (DefaultDispatch.java:executeOutboundRequest(157)) - Dispatch 
request: GET 
http://api.openweathermap.org:80/data/2.5/forecast/city?id=524901&APPID=54557732afcfe106bfc955b9da04fb14&customID=somerandomestring&user.name=guest
   ```
   
   Logs with `impersonation.params`
   
   ```
   557732afcfe106bfc955b9da04fb14&customID=somerandomestring, direction: IN via 
implicit rule: WEATHER/weather/inbound to URL: 
http://api.openweathermap.org:80/data/2.5/forecast/city?id=524901&APPID=54557732afcfe106bfc955b9da04fb14&customID=somerandomestring
   2022-05-18 07:06:12,733 cde0df3d-5fc8-4b7a-8b96-0f828f4e524e WARN  
knox.gateway 
(IdentityAsserterHttpServletRequestWrapper.java:scrubOfExistingPrincipalParams(212))
 - Possible identity spoofing attempt - impersonation parameter removed: 
customID
   2022-05-18 07:06:12,738 cde0df3d-5fc8-4b7a-8b96-0f828f4e524e DEBUG 
knox.gateway (DefaultDispatch.java:executeOutboundRequest(157)) - Dispatch 
request: GET 
http://api.openweathermap.org:80/data/2.5/forecast/city?id=524901&APPID=54557732afcfe106bfc955b9da04fb14&user.name=guest
   ```




Issue Time Tracking
-------------------

            Worklog Id:     (was: 771829)
    Remaining Estimate: 0h
            Time Spent: 10m

> Impersonation Params Declared by Service Definitions
> ----------------------------------------------------
>
>                 Key: KNOX-2726
>                 URL: https://issues.apache.org/jira/browse/KNOX-2726
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 1.6.0
>            Reporter: Philip Zampino
>            Assignee: Sandeep More
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> _org.apache.knox.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper#getImpersonationParamNames()_
>  has the following comment:
> {noformat}
> // TODO: let's have service definitions register their impersonation
> // params in a future release and get this list from a central registry.
> // This will provide better coverage of protection by removing any
> // pre-populated impersonation params.{noformat}
> Currently, Knox excludes some well-known impersonation request parameters 
> from proxied requests. Rather than maintaining a hard-coded list of these 
> params, service definitions should be able to declare them such that they 
> would be available at runtime to 
> {_}org.apache.knox.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper{_}.
> This will allow service-specific impersonation parameter details to be 
> defined by the service definitions, and eliminate the need for Knox runtime 
> code changes when new impersonation params need to be handled.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)

Reply via email to