smolnar82 opened a new pull request, #625:
URL: https://github.com/apache/knox/pull/625
## What changes were proposed in this pull request?
A brand new Maven module was created where all authentication- and
authorization-related REST API endpoints can/should be added in the future.
Within this module, a new Knox service type was added called
`KNOX-AUTH-SERVICE`, which should be added into any Knox topology like this:
```
<service>
    <role>KNOX-AUTH-SERVICE</role>
</service>
```
In this JIRA I already implemented one REST API endpoint with a very simple
job: if a valid principal is found in the incoming request, a header is added
to the response (by default `X-Knox-Actor-ID`) with the principal name. In
addition, if the authenticated subject has groups, they are added as
comma-separated entries in header(s) of the default form
`X-Knox-Actor-Groups-#num`. Each group header has a character limit of 1000 to
keep them reasonably sized. The header names can be customized via
configuration properties.
## How was this patch tested?
Implemented new unit test cases as well as ran the following manual steps:
1. Added the above-referenced new Knox service to the sandbox topology
2. Executed the following `curl` commands and verified the `X-Knox-Actor-ID`
header was properly populated.
```
$ curl -iku guest:guest-password https://localhost:8443/gateway/sandbox/auth/api/v1/pre
HTTP/1.1 200 OK
Date: Tue, 23 Aug 2022 16:33:27 GMT
Set-Cookie: KNOXSESSIONID=node01qn1mbdr94rhswx5i66zrdn5r0.node0; Path=/gateway/sandbox; Secure; HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Mon, 22-Aug-2022 16:33:27 GMT; SameSite=lax
X-Knox-Actor-ID: guest
Content-Length: 0

$ curl -iku tom:tom-password https://localhost:8443/gateway/sandbox/auth/api/v1/pre
HTTP/1.1 200 OK
Date: Tue, 23 Aug 2022 16:33:45 GMT
Set-Cookie: KNOXSESSIONID=node01w44u6anaenbvils5k1rx956n1.node0; Path=/gateway/sandbox; Secure; HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Mon, 22-Aug-2022 16:33:45 GMT; SameSite=lax
X-Knox-Actor-ID: tom
Content-Length: 0

$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/auth/api/v1/pre
HTTP/1.1 200 OK
Date: Tue, 23 Aug 2022 16:33:57 GMT
Set-Cookie: KNOXSESSIONID=node062oijrd1x3821y26a9dx71ghw2.node0; Path=/gateway/sandbox; Secure; HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Mon, 22-Aug-2022 16:33:57 GMT; SameSite=lax
X-Knox-Actor-ID: admin
Content-Length: 0
```
3. Updated the `identity-assertion` provider in the sandbox topology with
group mapping (it was easier than configuring the demo LDAP factory to lookup
groups) as follows:
```
<provider>
    <role>identity-assertion</role>
    <name>Default</name>
    <enabled>true</enabled>
    <param>
        <name>group.principal.mapping</name>
        <value>admin=longGroupName1,longGroupName2,...,longGroupName99</value>
    </param>
</provider>
```
4. Executed one of the above `curl` commands and verified the group headers
were populated as expected:
```
$ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/auth/api/v1/pre
HTTP/1.1 200 OK
Date: Wed, 24 Aug 2022 06:15:15 GMT
Set-Cookie: KNOXSESSIONID=node01aj8n7bjlmw8r1g8kfawtjlqx01.node0; Path=/gateway/sandbox; Secure; HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Tue, 23-Aug-2022 06:15:15 GMT; SameSite=lax
X-Knox-Actor-ID: admin
X-Knox-Actor-Groups-1: longGroupName49,longGroupName48,longGroupName47,longGroupName46,longGroupName45,longGroupName44,longGroupName43,longGroupName42,longGroupName41,longGroupName40,longGroupName59,longGroupName58,longGroupName57,longGroupName56,longGroupName55,longGroupName54,longGroupName53,longGroupName52,longGroupName51,longGroupName50,longGroupName69,longGroupName68,longGroupName67,longGroupName66,longGroupName65,longGroupName64,longGroupName63,longGroupName62,longGroupName61,longGroupName60,longGroupName2,longGroupName3,longGroupName4,longGroupName5,longGroupName1,longGroupName79,longGroupName6,longGroupName7,longGroupName8,longGroupName9,longGroupName70,longGroupName78,longGroupName77,longGroupName76,longGroupName75,longGroupName74,longGroupName73,longGroupName72,longGroupName71,longGroupName81,longGroupName80,longGroupName89,longGroupName88,longGroupName87,longGroupName86,longGroupName85,longGroupName84,longGroupName83,longGroupName82,longGroupName19,longGroupName18,longGroupName17,longGroupName16
X-Knox-Actor-Groups-2: longGroupName15,longGroupName14,longGroupName13,longGroupName92,longGroupName91,longGroupName90,longGroupName12,longGroupName11,longGroupName99,longGroupName10,longGroupName98,longGroupName97,longGroupName96,longGroupName95,longGroupName94,longGroupName93,longGroupName29,longGroupName28,longGroupName27,longGroupName26,longGroupName25,longGroupName24,longGroupName23,longGroupName22,longGroupName21,longGroupName20,longGroupName39,longGroupName38,longGroupName37,longGroupName36,longGroupName35,longGroupName34,longGroupName33,longGroupName32,longGroupName31,longGroupName30
Content-Length: 0
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
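The header layout the PR describes (one `X-Knox-Actor-ID` header, groups packed comma-separated into numbered `X-Knox-Actor-Groups-#num` headers of at most 1000 characters each) is small enough to model end to end. The block below is an added example, not code from the Knox project: it packs a subject's groups into headers under that limit and parses them back the way a downstream consumer would. The header names and the 1000-character limit come from the PR text; the packing order (insertion order, whereas the curl output above reflects whatever order Knox's group set iterates in), the refusal of a single group name longer than the limit, and the parser itself are this example's own assumptions.

```python
"""Added example, not Knox code: pack a subject's groups into numbered
comma-separated headers with a per-header character limit, and parse them
back on the receiving side.

Header names and the 1000-character limit follow the PR description.
The packing order and the parser are assumptions made for this example.
"""
from typing import Dict, List, Optional, Tuple

ACTOR_ID_HEADER = "X-Knox-Actor-ID"
GROUPS_HEADER_PREFIX = "X-Knox-Actor-Groups-"
GROUP_HEADER_LIMIT = 1000  # max characters per group header value (from the PR)


def build_actor_headers(principal: str, groups: List[str],
                        limit: int = GROUP_HEADER_LIMIT) -> Dict[str, str]:
    """Return the response headers for an authenticated subject.

    Groups are kept in the order given and greedily filled into headers so
    that each header value (names plus separating commas) stays <= limit.
    A single group name longer than the limit cannot be represented, so it
    is rejected rather than silently truncated (assumption of this example).
    """
    headers = {ACTOR_ID_HEADER: principal}
    chunks: List[List[str]] = []
    current: List[str] = []
    current_len = 0
    for group in groups:
        if len(group) > limit:
            raise ValueError(f"group name longer than {limit} chars: {group!r}")
        # A comma is needed only when the chunk already holds a group.
        added = len(group) + (1 if current else 0)
        if current and current_len + added > limit:
            chunks.append(current)
            current, current_len = [], 0
            added = len(group)
        current.append(group)
        current_len += added
    if current:
        chunks.append(current)
    for index, chunk in enumerate(chunks, start=1):
        headers[f"{GROUPS_HEADER_PREFIX}{index}"] = ",".join(chunk)
    return headers


def parse_actor_headers(headers: Dict[str, str]) -> Tuple[Optional[str], List[str]]:
    """Recover (principal, groups) from response headers.

    Header names are case-insensitive on the wire, so matching is done on
    lower-cased names. Numbered group headers are re-joined in numeric order
    (so -2 sorts after -1 and -10 after -9), and empty entries are dropped.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    principal = lowered.get(ACTOR_ID_HEADER.lower())
    prefix = GROUPS_HEADER_PREFIX.lower()
    numbered = []
    for name, value in lowered.items():
        suffix = name[len(prefix):]
        if name.startswith(prefix) and suffix.isdigit():
            numbered.append((int(suffix), value))
    groups: List[str] = []
    for _, value in sorted(numbered):
        groups.extend(g for g in value.split(",") if g)
    return principal, groups


def group_header_values(headers: Dict[str, str]) -> List[str]:
    """Just the group header values, for checking the per-header limit."""
    return [v for k, v in headers.items() if k.startswith(GROUPS_HEADER_PREFIX)]


if __name__ == "__main__":
    # Constructed input mirroring the manual test: admin mapped to 99 groups.
    demo = build_actor_headers("admin", [f"longGroupName{i}" for i in range(1, 100)])
    for name, value in demo.items():
        print(f"{name}: {value[:60]}{'...' if len(value) > 60 else ''} ({len(value)} chars)")
    print(parse_actor_headers(demo)[1][:3], "...")
```

Two checks worth keeping in mind when consuming these headers: a downstream service should accept `X-Knox-Actor-*` only on the hop that actually comes from Knox and should not let a client-supplied copy pass through, and it must re-join all numbered headers rather than reading only `-1`, since a subject with many groups spills into `-2` and beyond exactly as the second curl transcript shows.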