[
https://issues.apache.org/jira/browse/KNOX-2839?focusedWorklogId=828686&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-828686
]
ASF GitHub Bot logged work on KNOX-2839:
----------------------------------------
Author: ASF GitHub Bot
Created on: 24/Nov/22 11:31
Start Date: 24/Nov/22 11:31
Worklog Time Spent: 10m
Work Description: zeroflag commented on code in PR #681:
URL: https://github.com/apache/knox/pull/681#discussion_r1031406217
##########
gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java:
##########
@@ -187,21 +216,46 @@ public void doFilter(ServletRequest request,
ServletResponse response, FilterCha
}
String principalName = getPrincipalName(subject);
+ String mappedPrincipalName = null;
+ try {
+ mappedPrincipalName = handleProxyUserImpersonation(request,
principalName);
Review Comment:
I see that the impersonation mapping is happening before the existing
principal/group mapping, in a transitive way.
So if a `user1` comes in, with doAs = `user2`, and `user2` is mapped to
`user3` (via principal-principal mapping) then the final user is going to be
`user3`. Correct?
I'm not sure if this is what I would want if explicitly specified `user2` as
the impersonated user, in my request. I find this chain of mapping a bit
confusing. An alternative way would be to ignore the principal-principal
mapping when the impersonated user is explicitly specified in the request? I'm
not sure which one is the best though.
Issue Time Tracking
-------------------
Worklog Id: (was: 828686)
Time Spent: 20m (was: 10m)
> Refactor impersonation from KnoxToken service
> ---------------------------------------------
>
> Key: KNOX-2839
> URL: https://issues.apache.org/jira/browse/KNOX-2839
> Project: Apache Knox
> Issue Type: Task
> Components: Server
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Blocker
> Fix For: 2.0.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> With KNOX-2714, end-users can create tokens on behalf of other users using
> Hadoop's impersonation mechanism.
> The problem with the current implementation is that the proxyuser
> authorization happens to be on service level, but it should be executed
> sooner.
> As discussed offline with [~lmccay] and [~pzampino] we agreed on the
> following:
> * impersonation support should be done in Knox's identity assertion layer
> and not in the services
> * the proxuyser authorization in HadoopAuth filter should be left as-is.
> When someone configures them in two places (HadoopAuth authentication and in
> identity-assertion), a WARN-level message should indicate that one on the
> identity-assertion level will be ignored.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
