[
https://issues.apache.org/jira/browse/KNOX-2726?focusedWorklogId=772953&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-772953
]
ASF GitHub Bot logged work on KNOX-2726:
----------------------------------------
Author: ASF GitHub Bot
Created on: 20/May/22 18:17
Start Date: 20/May/22 18:17
Worklog Time Spent: 10m
Work Description: zeroflag commented on code in PR #579:
URL: https://github.com/apache/knox/pull/579#discussion_r878427534
##########
gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java:
##########
@@ -55,9 +56,16 @@ public class CommonIdentityAssertionFilter extends
AbstractIdentityAssertionFilt
public static final String GROUP_PRINCIPAL_MAPPING =
"group.principal.mapping";
public static final String PRINCIPAL_MAPPING = "principal.mapping";
+ /* Service specific impersonation params that needs to be scrubbed */
+ public static final String IMPERSONATION_PARAMS = "impersonation.params";
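Review bot: The comment on the new IMPERSONATION_PARAMS constant does not say what a value for "impersonation.params" looks like (one parameter name or a list, and with which separator) or where the listed params are scrubbed from, so someone configuring it has nothing to go on. Since this is a public constant, consider making the /* ... */ block a Javadoc comment (/** ... */) that states the expected format, and fix the grammar while there: "params that need to be scrubbed".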
Review Comment:
@smolnar82 there is already a constant like this in
AbstractIdentityAsserterDeploymentContributor.java
Issue Time Tracking
-------------------
Worklog Id: (was: 772953)
Time Spent: 1h (was: 50m)
> Impersonation Params Declared by Service Definitions
> ----------------------------------------------------
>
> Key: KNOX-2726
> URL: https://issues.apache.org/jira/browse/KNOX-2726
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 1.6.0
> Reporter: Philip Zampino
> Assignee: Sandeep More
> Priority: Major
> Time Spent: 1h
> Remaining Estimate: 0h
>
> _org.apache.knox.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper#getImpersonationParamNames()_
> has the following comment:
> {noformat}
> // TODO: let's have service definitions register their impersonation
> // params in a future release and get this list from a central registry.
> // This will provide better coverage of protection by removing any
> // pre-populated impersonation params.
> {noformat}
> Currently, Knox excludes some well-known impersonation request parameters
> from proxied requests. Rather than maintaining a hard-coded list of these
> params, service definitions should be able to declare them such that they
> would be available at runtime to
> _org.apache.knox.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper_.
> This will allow service-specific impersonation parameter details to be
> defined by the service definitions, and eliminate the need for Knox runtime
> code changes when new impersonation params need to be handled.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)