[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter

[GitBox]

smolnar82 commented on code in PR #681:
URL: https://github.com/apache/knox/pull/681#discussion_r1034635599


##########
gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/IdentityAsserterMessages.java:
##########
@@ -50,4 +51,16 @@ public interface IdentityAsserterMessages {
 
   @Message( level = MessageLevel.INFO, text = "Using configured impersonation 
parameters: {0}")
   void impersonationConfig(String config);
+
+  @Message( level = MessageLevel.WARN, text = "Configured proxyuser parameters 
are IGNORED because the HadoopAuth filter already has them.")

Review Comment:
   Ack; I'll change that.



##########
gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java:
##########
@@ -84,57 +98,86 @@ public void init(FilterConfig filterConfig) throws 
ServletException {
         throw new ServletException("Unable to load principal mapping table.", 
e);
       }
     }
-    virtualGroupMapper = new 
VirtualGroupMapper(loadVirtualGroups(filterConfig));
-    String impersonationListFromConfig = 
filterConfig.getInitParameter(IMPERSONATION_PARAMS);
-    if (impersonationListFromConfig == null || 
impersonationListFromConfig.isEmpty()) {
-      impersonationListFromConfig = 
filterConfig.getServletContext().getInitParameter(IMPERSONATION_PARAMS);
-    }
-    initImpersonationParamsList(impersonationListFromConfig);
+
+    //subsequent iterations on filterConfig.getInitParameterNames() would not 
work if we simply used that as an enumeration

Review Comment:
   I'll add a more detailed explanation in the code too: `getInitParameters()` 
returns an enumeration and the first time we iterate thru on its element we can 
process the parameter names (`hasMoreElements` returns `true`). The subsequent 
calls, however, will not succeed because `getInitParameters()` returns the same 
object where the `hasMoreElements` returns `false`. In this class, the first 
event is populating virtual group mapping and then we do the same for proxyuser 
config.



##########
gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java:
##########
@@ -84,57 +98,86 @@ public void init(FilterConfig filterConfig) throws 
ServletException {
         throw new ServletException("Unable to load principal mapping table.", 
e);
       }
     }
-    virtualGroupMapper = new 
VirtualGroupMapper(loadVirtualGroups(filterConfig));
-    String impersonationListFromConfig = 
filterConfig.getInitParameter(IMPERSONATION_PARAMS);
-    if (impersonationListFromConfig == null || 
impersonationListFromConfig.isEmpty()) {
-      impersonationListFromConfig = 
filterConfig.getServletContext().getInitParameter(IMPERSONATION_PARAMS);
-    }
-    initImpersonationParamsList(impersonationListFromConfig);
+
+    //subsequent iterations on filterConfig.getInitParameterNames() would not 
work if we simply used that as an enumeration
+    final List<String> initParameterNames = 
filterConfig.getInitParameterNames() == null ? Collections.emptyList()
+        : Collections.list(filterConfig.getInitParameterNames());
+
+    virtualGroupMapper = new 
VirtualGroupMapper(loadVirtualGroups(filterConfig, initParameterNames));
+
+    initImpersonationParamsList(filterConfig);
+    initProxyUserConfiguration(filterConfig, initParameterNames);
   }
 
-  /**
+  /*
    * Initialize the impersonation params list.
    * This list contains query params that needs to be scrubbed
    * from the outgoing request.
-   * @param impersonationListFromConfig
-   * @return
    */
-  private void initImpersonationParamsList(final String 
impersonationListFromConfig) {
+  private void initImpersonationParamsList(FilterConfig filterConfig) {
+    String impersonationListFromConfig = 
filterConfig.getInitParameter(IMPERSONATION_PARAMS);
+    if (impersonationListFromConfig == null || 
impersonationListFromConfig.isEmpty()) {
+      impersonationListFromConfig = 
filterConfig.getServletContext().getInitParameter(IMPERSONATION_PARAMS);
+    }
+
     /* Add default impersonation params */
     impersonationParamsList.add(DOAS_PRINCIPAL_PARAM);
     impersonationParamsList.add(PRINCIPAL_PARAM);
-    if(null == impersonationListFromConfig || 
impersonationListFromConfig.isEmpty()) {
-      return;
-    } else {
+
+    if (impersonationListFromConfig != null && 
!impersonationListFromConfig.isEmpty()) {
       /* Add configured impersonation params */
       LOG.impersonationConfig(impersonationListFromConfig);
       final StringTokenizer t = new 
StringTokenizer(impersonationListFromConfig, ",");
-      while(t.hasMoreElements()) {
+      while (t.hasMoreElements()) {
         final String token = t.nextToken().trim();
-        if(!impersonationParamsList.contains(token)) {
+        if (!impersonationParamsList.contains(token)) {
           impersonationParamsList.add(token);
         }
       }
     }
   }
 
-  private Map<String, AbstractSyntaxTree> loadVirtualGroups(FilterConfig 
filterConfig) {
+  private void initProxyUserConfiguration(FilterConfig filterConfig, 
List<String> initParameterNames) {
+    final String impersonationEnabledValue = 
filterConfig.getInitParameter(IMPERSONATION_ENABLED_PARAM);
+    this.impersonationEnabled = impersonationEnabledValue == null ? 
Boolean.FALSE : Boolean.parseBoolean(impersonationEnabledValue);

Review Comment:
   Because my IDE put it there :) It really does not matter, but since it's 
very rare that we use in Knox's codebase I'll remove that from here.



##########
gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/IdentityAsserterMessages.java:
##########
@@ -50,4 +51,16 @@ public interface IdentityAsserterMessages {
 
   @Message( level = MessageLevel.INFO, text = "Using configured impersonation 
parameters: {0}")
   void impersonationConfig(String config);
+
+  @Message( level = MessageLevel.WARN, text = "Configured proxyuser parameters 
are IGNORED because the HadoopAuth filter already has them.")
+  void ignoreProxyuserConfig();
+
+  @Message( level = MessageLevel.DEBUG, text = "doAsUser = {0}, RemoteUser = 
{1} , RemoteAddress = {2}" )
+  void hadoopAuthDoAsUser(String doAsUser, String remoteUser, String 
remoteAddr);

Review Comment:
   It's kind of correlating to Hadoop's authentication in a way such as it uses 
the Hadoop authorization library for proxyuser authorization.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org