[jira] [Work logged] (KNOX-2726) Impersonation Params Declared by Service Definitions

[ASF GitHub Bot (Jira)]

     [ 
https://issues.apache.org/jira/browse/KNOX-2726?focusedWorklogId=772810&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-772810
 ]

ASF GitHub Bot logged work on KNOX-2726:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 20/May/22 12:33
            Start Date: 20/May/22 12:33
    Worklog Time Spent: 10m 
      Work Description: zeroflag commented on code in PR #579:
URL: https://github.com/apache/knox/pull/579#discussion_r878096155


##########
gateway-provider-identity-assertion-common/pom.xml:
##########
@@ -85,8 +85,23 @@
             <groupId>org.eclipse.jetty</groupId>
             <artifactId>jetty-util</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.jboss.shrinkwrap.descriptors</groupId>

Review Comment:
   Do we only use these dependencies from the test? If yes, can we change the 
scope?



##########
gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java:
##########
@@ -55,9 +56,16 @@ public class CommonIdentityAssertionFilter extends 
AbstractIdentityAssertionFilt
 
   public static final String GROUP_PRINCIPAL_MAPPING = 
"group.principal.mapping";
   public static final String PRINCIPAL_MAPPING = "principal.mapping";
+  /* Service specific impersonation params that needs to be scrubbed */
+  public static final String IMPERSONATION_PARAMS = "impersonation.params";

Review Comment:
   Can't we use the same constant here that is defined in the abstract class?





Issue Time Tracking
-------------------

    Worklog Id:     (was: 772810)
    Time Spent: 20m  (was: 10m)

> Impersonation Params Declared by Service Definitions
> ----------------------------------------------------
>
>                 Key: KNOX-2726
>                 URL: https://issues.apache.org/jira/browse/KNOX-2726
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 1.6.0
>            Reporter: Philip Zampino
>            Assignee: Sandeep More
>            Priority: Major
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> _org.apache.knox.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper#getImpersonationParamNames()_
>  has the following comment:
> {noformat}
> // TODO: let's have service definitions register their impersonation
> // params in a future release and get this list from a central registry.
> // This will provide better coverage of protection by removing any
> // pre-populated impersonation params.{noformat}
> Currently, Knox excludes some well-known impersonation request parameters 
> from proxied requests. Rather than maintaining a hard-coded list of these 
> params, service definitions should be able to declare them such that they 
> would be available at runtime to 
> {_}org.apache.knox.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper{_}.
> This will allow service-specific impersonation parameter details to be 
> defined by the service definitions, and eliminate the need for Knox runtime 
> code changes when new impersonation params need to be handled.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)