[ 
https://issues.apache.org/jira/browse/KNOX-2800?focusedWorklogId=806692&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-806692
 ]

ASF GitHub Bot logged work on KNOX-2800:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 07/Sep/22 12:45
            Start Date: 07/Sep/22 12:45
    Worklog Time Spent: 10m 
      Work Description: smolnar82 opened a new pull request, #631:
URL: https://github.com/apache/knox/pull/631

   ## What changes were proposed in this pull request?
   
   When `knox.token.user.limit.exceeded.action` is set to `REMOVE_OLDEST`, Knox tries to revoke the oldest tokens of the given user for whom the token was created. This is true for impersonated tokens too.
   However, to be able to revoke a token, one of the following conditions should be true:
   - the revoker is configured using the `knox.token.renewer.whitelist` parameter
   - or the revoker removes its own token (see KNOX-2664)
   
   The second condition was not updated, though, when token impersonation was implemented. From now on, Knox considers a token an `own` token if either the `userName` metadata or the `createdBy` metadata matches the revoker subject (prior to this change we only considered the `userName` metadata).
   
   ## How was this patch tested?
   
   Added a new unit test case to prevent regressions, and also executed manual testing as follows:
   - configured Knox this way:
     - `gateway.knox.token.limit.per.user = 5` (gateway-site.xml)
     - `knox.token.user.limit.exceeded.action = REMOVE_OLDEST` (homepage.xml)
     - `knox.token.proxyuser.guest.users = bob` (homepage.xml)
     - `knox.token.proxyuser.guest.hosts = *` (homepage.xml)
   - logged into the Knox Home page as `guest`
   - generated 6 tokens for user `bob` on the Token Generation UI
   - confirmed that only 5 tokens were created for `bob`
   
   [Screenshot 2022-09-07 at 14 44 49: https://user-images.githubusercontent.com/34065904/188881401-c89bea58-7714-47a6-bc09-bccf512c0065.png]
   
   ```
   2022-09-07 14:26:45,257 53f0bba2-a632-4f87-bbb9-466fee64c8f8 WARN  knox.gateway (IdentityAsserterHttpServletRequestWrapper.java:scrubOfExistingPrincipalParams(212)) - Possible identity spoofing attempt - impersonation parameter removed: doAs
   2022-09-07 14:26:45,258 53f0bba2-a632-4f87-bbb9-466fee64c8f8 ERROR service.knoxtoken (TokenResource.java:getAuthenticationToken(767)) - Unable to get token for user bob: token limit exceeded
   2022-09-07 14:26:45,259 53f0bba2-a632-4f87-bbb9-466fee64c8f8 INFO  service.knoxtoken (TokenResource.java:getAuthenticationToken(773)) - Revoking bob's oldest token d07cdeb9...72d5bca353c4 ...
   2022-09-07 14:26:45,259 53f0bba2-a632-4f87-bbb9-466fee64c8f8 INFO  token.state (AliasBasedTokenStateService.java:removeTokens(437)) - Removing token state aliases
   2022-09-07 14:26:45,270 53f0bba2-a632-4f87-bbb9-466fee64c8f8 INFO  token.state (AliasBasedTokenStateService.java:removeTokens(444)) - Removed token state aliases for d07cdeb9...72d5bca353c4
   2022-09-07 14:26:45,270 53f0bba2-a632-4f87-bbb9-466fee64c8f8 INFO  service.knoxtoken (TokenResource.java:revoke(591)) - Knox Token service (homepage) revoked token d07cde...a353c4 (d07cdeb9...72d5bca353c4) (renewer=guest)
   2022-09-07 14:26:45,273 53f0bba2-a632-4f87-bbb9-466fee64c8f8 INFO  service.knoxtoken (TokenResource.java:getAuthenticationToken(817)) - Knox Token service (homepage) issued token eyJqa3...3wSCSw (4329fcd2...7adf1dfda2c3)
   2022-09-07 14:26:48,103  INFO  token.state (AliasBasedTokenStateService.java:persistTokenState(242)) - Creating token state aliases
   2022-09-07 14:26:48,426  INFO  token.state (AliasBasedTokenStateService.java:persistTokenState(251)) - Created token state aliases for 4329fcd2...7adf1dfda2c3
   ```
   




Issue Time Tracking
-------------------

            Worklog Id:     (was: 806692)
    Remaining Estimate: 0h
            Time Spent: 10m

> Knox tokens created for impersonated user doesn't honor configured per user 
> limit value
> ---------------------------------------------------------------------------------------
>
>                 Key: KNOX-2800
>                 URL: https://issues.apache.org/jira/browse/KNOX-2800
>             Project: Apache Knox
>          Issue Type: Bug
>    Affects Versions: 1.3.0
>            Reporter: J.Andreina
>            Assignee: Sandor Molnar
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> *Steps*
> 1. Set below configurations
> gateway.knox.token.limit.per.user = 5
> gateway.knox.token.user.limit.exceeded.action = REMOVE_OLDEST
> knox.token.proxyuser.hrt_qa.users=hrt_1
> knox.token.proxyuser.hrt_qa.hosts=*
> 2. Login to token generation page as hrt_qa user
> 3. Fetch 10 token with impersonation field set to "hrt_1"
> *Expected Result:*
> hrt_qa should be allowed to create only 5 tokens with impersonated user set 
> to hrt_1
> *Issue:*
> Tokens created for impersonated user doesn't honor configured per user limit 
> value
> i.e. hrt_qa user is able to create any number of tokens as hrt_1 
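As an added illustration (not Apache Knox code, and not part of the pull request or the issue above), the following Python model reproduces the logic the pull request describes: a per-user token limit with `REMOVE_OLDEST`, and a revocation check that treats a token as the revoker's own when either its `userName` or its `createdBy` metadata matches the revoker. Running it with `honor_created_by=False` models the pre-fix check (`userName` only), where the authenticated subject `guest` cannot revoke the oldest token it created for `bob`. The class and function names, the in-memory token store, the `-1 = unlimited` convention, and the choice that a revocation the subject is not permitted to perform is skipped rather than aborting issuance (used here to reproduce the "any number of tokens" symptom in the report) are assumptions of this example; the page does not show how the pre-fix Knox code handled that case.

```python
"""Added example: a simplified model of per-user token limits with
REMOVE_OLDEST and the "own token" revocation check from KNOX-2800.
This is NOT Apache Knox code; all names here are hypothetical."""
from collections import OrderedDict
import itertools


class TokenLimitExceeded(Exception):
    """Raised when the per-user limit is hit and the action is FAIL."""


class TokenService:
    def __init__(self, limit_per_user, exceeded_action="FAIL",
                 renewer_whitelist=(), honor_created_by=True):
        # limit_per_user    ~ gateway.knox.token.limit.per.user (-1 = unlimited, assumed)
        # exceeded_action   ~ knox.token.user.limit.exceeded.action (FAIL | REMOVE_OLDEST)
        # renewer_whitelist ~ knox.token.renewer.whitelist
        # honor_created_by=False models the pre-fix own-token check (userName only)
        self.limit = limit_per_user
        self.action = exceeded_action
        self.whitelist = set(renewer_whitelist)
        self.honor_created_by = honor_created_by
        self._ids = itertools.count(1)
        # token id -> metadata; insertion order doubles as creation order
        self.tokens = OrderedDict()

    def _is_own_token(self, revoker, meta):
        if meta["userName"] == revoker:
            return True
        # KNOX-2800: the subject who created an impersonated token owns it too
        return self.honor_created_by and meta["createdBy"] == revoker

    def can_revoke(self, revoker, token_id):
        meta = self.tokens[token_id]
        return revoker in self.whitelist or self._is_own_token(revoker, meta)

    def revoke(self, revoker, token_id):
        if not self.can_revoke(revoker, token_id):
            raise PermissionError(f"{revoker} may not revoke token {token_id}")
        del self.tokens[token_id]

    def tokens_of(self, user):
        """Token ids whose userName is `user`, oldest first."""
        return [tid for tid, m in self.tokens.items() if m["userName"] == user]

    def issue(self, authenticated_user, do_as=None):
        """Issue a token for `do_as` (impersonation) or for the caller itself."""
        user = do_as or authenticated_user
        existing = self.tokens_of(user)
        if self.limit >= 0 and len(existing) >= self.limit:
            if self.action != "REMOVE_OLDEST":
                raise TokenLimitExceeded(user)
            oldest = existing[0]
            # Revocation runs as the authenticated subject (guest), not as the
            # impersonated user (bob). Assumption for this model: if the subject
            # is not permitted to revoke, the limit is silently overshot.
            if self.can_revoke(authenticated_user, oldest):
                self.revoke(authenticated_user, oldest)
        tid = next(self._ids)
        self.tokens[tid] = {"userName": user, "createdBy": authenticated_user}
        return tid


def run_scenario(honor_created_by, limit=5, requests=6):
    """guest (proxyuser for bob) generates `requests` tokens for bob;
    returns bob's surviving token ids, oldest first."""
    svc = TokenService(limit, "REMOVE_OLDEST", honor_created_by=honor_created_by)
    for _ in range(requests):
        svc.issue("guest", do_as="bob")
    return svc.tokens_of("bob")


if __name__ == "__main__":
    print("pre-fix  (userName only):      ", run_scenario(False))
    print("post-fix (userName|createdBy): ", run_scenario(True))
```

With the pre-fix check, six requests leave `bob` with six tokens because `guest` is never allowed to revoke them; with the `createdBy` check added, the sixth request first revokes token 1 and `bob` keeps exactly five, matching the log excerpt in the pull request. Note that the revocation is attempted as the authenticated subject, which is why the `createdBy` metadata matters for impersonated tokens.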



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
