[ 
https://issues.apache.org/jira/browse/KNOX-2831?focusedWorklogId=820907&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-820907
 ]

ASF GitHub Bot logged work on KNOX-2831:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 27/Oct/22 10:01
            Start Date: 27/Oct/22 10:01
    Worklog Time Spent: 10m 
      Work Description: smolnar82 opened a new pull request, #660:
URL: https://github.com/apache/knox/pull/660

   ## What changes were proposed in this pull request?
   
   TODO
   
   ## How was this patch tested?
   
   TODO
   




Issue Time Tracking
-------------------

            Worklog Id:     (was: 820907)
    Remaining Estimate: 0h
            Time Spent: 10m

> Knox token impersonation in multiple topologies
> -----------------------------------------------
>
>                 Key: KNOX-2831
>                 URL: https://issues.apache.org/jira/browse/KNOX-2831
>             Project: Apache Knox
>          Issue Type: Task
>          Components: Server
>    Affects Versions: 2.0.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Critical
>             Fix For: 2.0.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> With KNOX-2714, users can create tokens on behalf of others by configuring 
> [Knox Token 
> Impersonation|https://knox.apache.org/books/knox-2-0-0/user-guide.html#Token+impersonation]
>  in the {{KNOXTOKEN}} service.
> However, when there are multiple topologies with the {{KNOXTOKEN}} service 
> and they have different proxyuser configurations the feature breaks as 
> follows:
>  - {{topology1}} enables {{user1}} to create tokens for {{targetUser1}}
>  - {{topology2}} enables {{user2}} to create tokens for {{targetUser2}}
> Let's see this flow:
>  # get a token for {{targetUser1}} by {{user1}} - this succeeds
>  # get a token for {{targetUser2}} by {{user2}} - this succeeds
>  # get another token for {{targetUser1}} by {{user1}} - this fails
> The reason is that Knox's {{KNOXTOKEN}} service uses Hadoop's 
> {{ProxyUsers.refreshSuperUserGroupsConfiguration(Configuration conf, String 
> proxyUserPrefix)}} which the 2nd call overrides in the {{init}} method of 
> that servlet. So the 3rd call will fail because the previous configuration on 
> that topology is lost.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
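
The three-step flow from the issue description, as an added example that is not part of the original message and is not Knox or Hadoop code: a constructed model in which a process-wide proxyuser table is replaced on every servlet init, next to a per-topology table. The class names `GlobalProxyUsers` and `PerTopologyProxyUsers` are hypothetical, and the per-topology variant is an assumption about one possible remedy, not the change made in pull request #660.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Constructed model of the failure described in KNOX-2831; no Knox or Hadoop classes are used.
public class ProxyUserOverwriteDemo {

    // Stand-in for a process-wide proxyuser table that every refresh replaces.
    static final class GlobalProxyUsers {
        private static Map<String, Set<String>> rules = Map.of();
        static void refresh(Map<String, Set<String>> topologyRules) {
            rules = Map.copyOf(topologyRules); // the last caller wins
        }

        static boolean mayImpersonate(String realUser, String doAs) {
            return rules.getOrDefault(realUser, Set.of()).contains(doAs);
        }
    }

    // Assumed alternative: each topology owns its rules, so one init cannot clobber another.
    static final class PerTopologyProxyUsers {
        private final Map<String, Map<String, Set<String>>> byTopology = new HashMap<>();
        void refresh(String topology, Map<String, Set<String>> topologyRules) {
            byTopology.put(topology, Map.copyOf(topologyRules));
        }

        boolean mayImpersonate(String topology, String realUser, String doAs) {
            return byTopology.getOrDefault(topology, Map.of())
                             .getOrDefault(realUser, Set.of()).contains(doAs);
        }
    }

    public static void main(String[] args) {
        // Constructed rules matching the two topologies in the description.
        Map<String, Set<String>> t1 = Map.of("user1", Set.of("targetUser1"));
        Map<String, Set<String>> t2 = Map.of("user2", Set.of("targetUser2"));

        GlobalProxyUsers.refresh(t1); // topology1 servlet init
        System.out.println("step 1: " + GlobalProxyUsers.mayImpersonate("user1", "targetUser1"));
        GlobalProxyUsers.refresh(t2); // topology2 servlet init replaces topology1's rules
        System.out.println("step 2: " + GlobalProxyUsers.mayImpersonate("user2", "targetUser2"));
        System.out.println("step 3: " + GlobalProxyUsers.mayImpersonate("user1", "targetUser1"));
        PerTopologyProxyUsers scoped = new PerTopologyProxyUsers();
        scoped.refresh("topology1", t1);
        scoped.refresh("topology2", t2);
        System.out.println("scoped step 3: " + scoped.mayImpersonate("topology1", "user1", "targetUser1"));
        System.out.println("cross-topology: " + scoped.mayImpersonate("topology2", "user1", "targetUser1"));
    }
}
```

The last line checks the isolation property a reviewer would care about: a rule granted in `topology1` must not authorize the same impersonation through `topology2`.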
