[
https://issues.apache.org/jira/browse/KNOX-2839?focusedWorklogId=828308&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-828308
]
ASF GitHub Bot logged work on KNOX-2839:
----------------------------------------
Author: ASF GitHub Bot
Created on: 23/Nov/22 10:47
Start Date: 23/Nov/22 10:47
Worklog Time Spent: 10m
Work Description: smolnar82 opened a new pull request, #681:
URL: https://github.com/apache/knox/pull/681
## What changes were proposed in this pull request?
//TODO
## How was this patch tested?
Manual test cases executed on the token generation page:
1. Impersonation thru ProxyUser config is disabled and user mapping is not configured
   - logged in as the 'admin' user
   - generated a token without the doAs param: userName=admin; createdBy was not added
   - generated a token with the doAs=bob param: userName=admin; createdBy was not added
2. Impersonation thru ProxyUser config is enabled and user mapping is not configured
   - proxyuser config was set to: hadoop.proxyuser.admin.[users|groups|hosts] = *
   - logged in as the 'admin' user
   - generated a token without the doAs param: userName=admin; createdBy was not added
   - generated a token with the doAs=bob param: userName=bob; createdBy=admin
   - tested negative case too: removed hadoop.proxyuser.admin.[users|groups|hosts] = *
   - logged in as the 'admin' user
   - generated a token without the doAs param: userName=admin; createdBy was not added
   - generated a token with the doAs=bob param: token creation failed (User: admin is not allowed to impersonate bob)
3. Impersonation thru ProxyUser config is disabled and user mapping is configured
   - user mapping was set to: principal.mapping = admin=sam
   - logged in as the 'admin' user
   - generated a token without the doAs param: userName=sam; createdBy=admin
   - generated a token with the doAs=bob param: userName=sam; createdBy=admin
4. Impersonation thru ProxyUser config is enabled and user mapping is configured
   - proxyuser config was set to: hadoop.proxyuser.admin.[users|groups|hosts] = *
   - user mapping was set to: principal.mapping = admin=sam
   - logged in as the 'admin' user
   - generated a token without the doAs param: userName=sam; createdBy=admin
   - generated a token with the doAs=bob param: userName=bob; createdBy=admin
   - re-configured user mapping to: principal.mapping = bob=tom
   - did not touch the proxyuser config
   - logged in as the 'admin' user
   - generated a token without the doAs param: userName=admin; createdBy was not added
   - generated a token with the doAs=bob param: userName=tom; createdBy=admin
//TODO: testing in a secure (Kerberos-enabled) cluster
Issue Time Tracking
-------------------
Worklog Id: (was: 828308)
Remaining Estimate: 0h
Time Spent: 10m
> Refactor impersonation from KnoxToken service
> ---------------------------------------------
>
> Key: KNOX-2839
> URL: https://issues.apache.org/jira/browse/KNOX-2839
> Project: Apache Knox
> Issue Type: Task
> Components: Server
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Blocker
> Fix For: 2.0.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> With KNOX-2714, end-users can create tokens on behalf of other users using
> Hadoop's impersonation mechanism.
> The problem with the current implementation is that the proxyuser
> authorization happens to be on service level, but it should be executed
> sooner.
> As discussed offline with [~lmccay] and [~pzampino] we agreed on the
> following:
> * impersonation support should be done in Knox's identity assertion layer
> and not in the services
> * the proxyuser authorization in HadoopAuth filter should be left as-is.
> When someone configures them in two places (HadoopAuth authentication and in
> identity-assertion), a WARN-level message should indicate that one on the
> identity-assertion level will be ignored.
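The outcomes listed in the four manual test scenarios above can be written down as a small decision model and replayed as regression checks. This is an added example, not code from the pull request or from Apache Knox: `AssertionConfig`, `resolve_token_identity` and the simplified proxyuser table (users only, no groups or hosts) are assumptions made for illustration.

```python
# Added model of the outcomes in the PR's manual test list.
# It is NOT Apache Knox code; all names and the structure are assumptions.
from dataclasses import dataclass, field
from typing import Optional


class ImpersonationDenied(Exception):
    """Raised when the authenticated user may not impersonate the doAs user."""


@dataclass
class AssertionConfig:
    impersonation_enabled: bool = False
    # proxy user -> users it may impersonate; {"*"} stands for the page's
    # hadoop.proxyuser.<user>.[users|groups|hosts] = * (groups/hosts not modelled)
    proxyusers: dict = field(default_factory=dict)
    # principal.mapping entries, e.g. {"admin": "sam"}
    principal_mapping: dict = field(default_factory=dict)


def resolve_token_identity(cfg: AssertionConfig, authenticated: str,
                           do_as: Optional[str] = None):
    """Return (userName, createdBy) as the generated token would carry them."""
    effective = authenticated
    # doAs is honoured only when impersonation is enabled; otherwise it is ignored.
    if cfg.impersonation_enabled and do_as:
        allowed = cfg.proxyusers.get(authenticated, set())
        if "*" not in allowed and do_as not in allowed:
            raise ImpersonationDenied(
                f"User: {authenticated} is not allowed to impersonate {do_as}")
        effective = do_as
    # Principal mapping is applied to whichever identity is effective at this point.
    effective = cfg.principal_mapping.get(effective, effective)
    # createdBy records the authenticated user only when userName differs from it.
    created_by = authenticated if effective != authenticated else None
    return effective, created_by


def replay_scenario_4():
    """Scenario 4 from the list: proxyuser enabled and admin=sam mapping."""
    cfg = AssertionConfig(True, {"admin": {"*"}}, {"admin": "sam"})
    return [resolve_token_identity(cfg, "admin"),
            resolve_token_identity(cfg, "admin", "bob")]


if __name__ == "__main__":
    print(replay_scenario_4())
```

The model makes two properties of the test list explicit: a `doAs` value never changes the token subject unless impersonation is enabled and authorized, and `createdBy` always names the authenticated user whenever the subject differs from it.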