[ 
https://issues.apache.org/jira/browse/KNOX-2792?focusedWorklogId=803500&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-803500
 ]

ASF GitHub Bot logged work on KNOX-2792:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 25/Aug/22 08:11
            Start Date: 25/Aug/22 08:11
    Worklog Time Spent: 10m 
      Work Description: smolnar82 opened a new pull request, #625:
URL: https://github.com/apache/knox/pull/625

   ## What changes were proposed in this pull request?
   
   A brand new Maven module was created where all authentication- and authorization-related REST API endpoints can/should be added in the future. Within this module, a new Knox service type was added called `KNOX-AUTH-SERVICE`, which should be added into any Knox topology like this:
   ```
       <service>
            <role>KNOX-AUTH-SERVICE</role>
       </service>
   ```
   
   In this JIRA I already implemented one REST API endpoint with a very simple job: if a valid principal is found in the incoming request, a header is added to the response (by default `X-Knox-Actor-ID`) with the principal name. In addition, if the authenticated subject has groups, they are added as comma-separated entries in header(s) of the default form `X-Knox-Actor-Groups-#num`. Each group header has a character limit of 1000 to keep them reasonably sized. The header names can be customized via configuration properties.
   
   ## How was this patch tested?
   
   Implemented new unit test cases and ran the following manual steps:
   1. Added the above-referenced new Knox service to the sandbox topology
   2. Executed the following `curl` commands and verified the `X-Knox-Actor-ID` header was properly populated.
   ```
   $ curl -iku guest:guest-password https://localhost:8443/gateway/sandbox/auth/api/v1/pre
   HTTP/1.1 200 OK
   Date: Tue, 23 Aug 2022 16:33:27 GMT
   Set-Cookie: KNOXSESSIONID=node01qn1mbdr94rhswx5i66zrdn5r0.node0; Path=/gateway/sandbox; Secure; HttpOnly
   Expires: Thu, 01 Jan 1970 00:00:00 GMT
   Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Mon, 22-Aug-2022 16:33:27 GMT; SameSite=lax
   X-Knox-Actor-ID: guest
   Content-Length: 0
   
   $ curl -iku tom:tom-password https://localhost:8443/gateway/sandbox/auth/api/v1/pre
   HTTP/1.1 200 OK
   Date: Tue, 23 Aug 2022 16:33:45 GMT
   Set-Cookie: KNOXSESSIONID=node01w44u6anaenbvils5k1rx956n1.node0; Path=/gateway/sandbox; Secure; HttpOnly
   Expires: Thu, 01 Jan 1970 00:00:00 GMT
   Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Mon, 22-Aug-2022 16:33:45 GMT; SameSite=lax
   X-Knox-Actor-ID: tom
   Content-Length: 0
   
   $ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/auth/api/v1/pre
   HTTP/1.1 200 OK
   Date: Tue, 23 Aug 2022 16:33:57 GMT
   Set-Cookie: KNOXSESSIONID=node062oijrd1x3821y26a9dx71ghw2.node0; Path=/gateway/sandbox; Secure; HttpOnly
   Expires: Thu, 01 Jan 1970 00:00:00 GMT
   Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Mon, 22-Aug-2022 16:33:57 GMT; SameSite=lax
   X-Knox-Actor-ID: admin
   Content-Length: 0
   ```
   3. Updated the `identity-assertion` provider in the sandbox topology with group mapping (it was easier than configuring the demo LDAP factory to look up groups) as follows:
   ```
           <provider>
               <role>identity-assertion</role>
               <name>Default</name>
               <enabled>true</enabled>
               <param>
                   <name>group.principal.mapping</name>
                   <value>admin=longGroupName1,longGroupName2,...,longGroupName99</value>
               </param>
           </provider>
   ```
   4. Executed one of the above `curl` commands and verified the group headers were populated as expected:
   ```
   $ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/auth/api/v1/pre
   HTTP/1.1 200 OK
   Date: Wed, 24 Aug 2022 06:15:15 GMT
   Set-Cookie: KNOXSESSIONID=node01aj8n7bjlmw8r1g8kfawtjlqx01.node0; Path=/gateway/sandbox; Secure; HttpOnly
   Expires: Thu, 01 Jan 1970 00:00:00 GMT
   Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Tue, 23-Aug-2022 06:15:15 GMT; SameSite=lax
   X-Knox-Actor-ID: admin
   X-Knox-Actor-Groups-1: longGroupName49,longGroupName48,longGroupName47,longGroupName46,longGroupName45,longGroupName44,longGroupName43,longGroupName42,longGroupName41,longGroupName40,longGroupName59,longGroupName58,longGroupName57,longGroupName56,longGroupName55,longGroupName54,longGroupName53,longGroupName52,longGroupName51,longGroupName50,longGroupName69,longGroupName68,longGroupName67,longGroupName66,longGroupName65,longGroupName64,longGroupName63,longGroupName62,longGroupName61,longGroupName60,longGroupName2,longGroupName3,longGroupName4,longGroupName5,longGroupName1,longGroupName79,longGroupName6,longGroupName7,longGroupName8,longGroupName9,longGroupName70,longGroupName78,longGroupName77,longGroupName76,longGroupName75,longGroupName74,longGroupName73,longGroupName72,longGroupName71,longGroupName81,longGroupName80,longGroupName89,longGroupName88,longGroupName87,longGroupName86,longGroupName85,longGroupName84,longGroupName83,longGroupName82,longGroupName19,longGroupName18,longGroupName17,longGroupName16
   X-Knox-Actor-Groups-2: longGroupName15,longGroupName14,longGroupName13,longGroupName92,longGroupName91,longGroupName90,longGroupName12,longGroupName11,longGroupName99,longGroupName10,longGroupName98,longGroupName97,longGroupName96,longGroupName95,longGroupName94,longGroupName93,longGroupName29,longGroupName28,longGroupName27,longGroupName26,longGroupName25,longGroupName24,longGroupName23,longGroupName22,longGroupName21,longGroupName20,longGroupName39,longGroupName38,longGroupName37,longGroupName36,longGroupName35,longGroupName34,longGroupName33,longGroupName32,longGroupName31,longGroupName30
   Content-Length: 0
   ```
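
The header contract described in the pull request above (one `X-Knox-Actor-ID` header, groups packed into numbered `X-Knox-Actor-Groups-<n>` headers of at most 1000 characters), worked through as an added example. This is editor-written code for this page, not code from the PR or from Apache Knox: it reproduces the documented contract so the packing and the downstream parsing can be exercised offline. The greedy packing order, the refusal of commas and CR/LF in group names, and the handling of a single group longer than the limit are this example's assumptions, not a statement of what Knox does.

```python
"""Build and consume the actor headers described for KNOX-2792.

Added example, not Apache Knox code. Header names and the 1000-character cap
follow the PR text; packing order and edge-case handling are assumptions.
"""
from typing import Dict, Iterable, List, Tuple

ID_HEADER = "X-Knox-Actor-ID"            # Knox default per the PR text
GROUPS_PREFIX = "X-Knox-Actor-Groups-"   # Knox default; numbered from 1
MAX_GROUP_HEADER_LEN = 1000              # character cap per group header (PR text)


def pack_groups(groups: Iterable[str], limit: int = MAX_GROUP_HEADER_LEN) -> List[str]:
    """Greedily pack comma-separated group names into chunks of at most `limit` chars.

    A group name is never split across two chunks. A single name longer than
    `limit` is emitted alone in its own over-long chunk (this example's choice;
    the page does not say how Knox handles that case).
    """
    chunks: List[str] = []
    current: List[str] = []
    current_len = 0
    for g in groups:
        if "," in g or "\r" in g or "\n" in g:
            # Commas are the separator, and CR/LF would allow header injection.
            raise ValueError(f"illegal character in group name: {g!r}")
        added = len(g) if not current else len(g) + 1  # +1 for the comma
        if current and current_len + added > limit:
            chunks.append(",".join(current))
            current, current_len = [g], len(g)
        else:
            current.append(g)
            current_len += added
    if current:
        chunks.append(",".join(current))
    return chunks


def build_actor_headers(principal: str, groups: Iterable[str]) -> Dict[str, str]:
    """Return the response headers the auth endpoint would add for `principal`."""
    headers = {ID_HEADER: principal}
    for i, chunk in enumerate(pack_groups(groups), start=1):
        headers[f"{GROUPS_PREFIX}{i}"] = chunk
    return headers


def parse_actor_headers(headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Downstream side: recover (principal, groups) from the headers.

    Header names are matched case-insensitively (HTTP semantics). Group headers
    must form an unbroken sequence 1..n; a gap means a header was lost or
    filtered along the way, so the group list cannot be trusted.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    principal = lower.get(ID_HEADER.lower())
    if not principal:
        raise ValueError("no actor id header: request was not authenticated")
    prefix = GROUPS_PREFIX.lower()
    numbers = sorted(int(k[len(prefix):]) for k in lower
                     if k.startswith(prefix) and k[len(prefix):].isdigit())
    if numbers != list(range(1, len(numbers) + 1)):
        raise ValueError(f"group headers are not contiguous: {numbers}")
    groups: List[str] = []
    for n in numbers:
        groups.extend(g for g in lower[f"{prefix}{n}"].split(",") if g)
    return principal, groups


def strip_client_actor_headers(request_headers: Dict[str, str]) -> Dict[str, str]:
    """Drop any X-Knox-Actor-* headers a client sent before the trusted hop adds its own.

    The actor headers only mean something when set by the gateway; anything
    arriving from the client under these names is a spoofing attempt.
    """
    return {k: v for k, v in request_headers.items()
            if not k.lower().startswith("x-knox-actor-")}


if __name__ == "__main__":
    # Constructed input mirroring the PR's manual test: 99 groups for "admin".
    demo_groups = [f"longGroupName{i}" for i in range(1, 100)]
    for name, value in build_actor_headers("admin", demo_groups).items():
        print(f"{name}: {value[:60]}{'...' if len(value) > 60 else ''}")
```

With the 99 `longGroupName<n>` groups from the manual test, the packer also produces exactly two group headers, which matches the PR's observed output; the first holds 63 names in 998 characters because the 64th would push it past the cap. The parser's contiguity check is the consumer-side counterpart of the numbered-header scheme: a proxy that forwards `X-Knox-Actor-Groups-1` but drops `-2` would otherwise silently shrink the subject's group set.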
   
   
   




Issue Time Tracking
-------------------

            Worklog Id:     (was: 803500)
    Remaining Estimate: 0h
            Time Spent: 10m

> New Knox service to add custom auth headers in the response
> -----------------------------------------------------------
>
>                 Key: KNOX-2792
>                 URL: https://issues.apache.org/jira/browse/KNOX-2792
>             Project: Apache Knox
>          Issue Type: Sub-task
>          Components: Server
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>             Fix For: 2.0.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> A simple REST service is needed to perform centralized authentication and 
> authorization of incoming requests. Combined with nginx's external 
> authentication capability it allows for every request to be checked for valid 
> authentication before being forwarded to the upstream service.
> If a valid principal is found, a header is added to the response, by default 
> {{X-Knox-Actor-ID}}, with the principal. In addition, if the authenticated 
> subject has groups, these are added into comma-separated headers of the 
> default form {{X-Knox-Actor-Groups-num}}. Each group header has a character 
> limit of 1000 to keep them reasonably sized. The header names can be 
> customized via configuration properties.
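
The nginx external-authentication deployment the issue description refers to, as an added configuration example; it is not part of the issue, the PR or Apache Knox. The Knox host name, the upstream address and the TLS paths are placeholders; the Knox path is the one exercised in the PR's manual test, and the header names are the PR's defaults.

```nginx
# Added example, not an Apache Knox or nginx-project artifact. Wires the KNOX-AUTH-SERVICE
# endpoint into nginx's auth_request module. Host names, upstream and TLS paths are assumed.
upstream app_backend {
    server 10.0.0.10:8080;
}

server {
    listen 443 ssl;
    server_name app.example.internal;
    ssl_certificate     /etc/nginx/tls/app.crt;
    ssl_certificate_key /etc/nginx/tls/app.key;

    location / {
        # Every request is first sent as a subrequest to Knox: a 2xx answer allows it,
        # 401/403 deny it with that status, any other status is reported as an error.
        auth_request /_knox_auth;

        # Capture the identity Knox asserted in its response headers ...
        auth_request_set $knox_actor    $upstream_http_x_knox_actor_id;
        auth_request_set $knox_groups_1 $upstream_http_x_knox_actor_groups_1;
        auth_request_set $knox_groups_2 $upstream_http_x_knox_actor_groups_2;

        # ... and forward it upstream. proxy_set_header replaces a client-sent header of
        # the same name, so a spoofed X-Knox-Actor-ID never reaches the backend; an empty
        # value means the header is not sent at all.
        proxy_set_header X-Knox-Actor-ID       $knox_actor;
        proxy_set_header X-Knox-Actor-Groups-1 $knox_groups_1;
        proxy_set_header X-Knox-Actor-Groups-2 $knox_groups_2;
        proxy_pass http://app_backend;
    }

    location = /_knox_auth {
        internal;                          # never reachable directly from clients
        proxy_pass https://knox.example.internal:8443/gateway/sandbox/auth/api/v1/pre;
        proxy_pass_request_body off;       # Knox only needs the credentials and cookies
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
        proxy_ssl_verify on;               # pin the trust to Knox's CA
        proxy_ssl_trusted_certificate /etc/nginx/tls/knox-ca.pem;
    }
}
```

One caveat follows directly from the numbered-header scheme: nginx has no wildcard for `X-Knox-Actor-Groups-*`, so each index has to be enumerated with its own `auth_request_set` and `proxy_set_header` pair. A client-supplied header with a higher index than those enumerated (say `X-Knox-Actor-Groups-3`) passes through untouched, so either enumerate up to the largest count your group source can produce, or have the backend reject any group header beyond the contiguous range it expects.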



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
