[
https://issues.apache.org/jira/browse/KNOX-2839?focusedWorklogId=829899&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-829899
]
ASF GitHub Bot logged work on KNOX-2839:
----------------------------------------
Author: ASF GitHub Bot
Created on: 29/Nov/22 22:24
Start Date: 29/Nov/22 22:24
Worklog Time Spent: 10m
Work Description: pzampino commented on code in PR #681:
URL: https://github.com/apache/knox/pull/681#discussion_r1035343473
##########
gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java:
##########
@@ -720,19 +705,21 @@ private Response getAuthenticationToken() {
String createdBy = null;
// checking the doAs user only makes sense if tokens are managed (this is
where we store the userName information)
// and if impersonation is enabled
- if (impersonationEnabled && tokenStateService != null) {
- final String doAsUser = request.getParameter(QUERY_PARAMETER_DOAS);
- if (doAsUser != null && !doAsUser.equals(userName)) {
- try {
- //this call will authorize the doAs request
- AuthFilterUtils.authorizeImpersonationRequest(request, doAsUser,
getTopologyName(), TokenServiceDeploymentContributor.ROLE);
- createdBy = userName;
- userName = doAsUser;
- log.tokenImpersonationSuccess(createdBy, doAsUser);
- } catch (AuthorizationException e) {
- log.tokenImpersonationFailed(e);
- return Response.status(Response.Status.FORBIDDEN).entity("{ \"" +
e.getMessage() + "\" }").build();
+ if (tokenStateService != null) {
+ final String realUserName = (String)
request.getAttribute(AuthFilterUtils.REAL_USER_NAME_ATTRIBUTE);
+ final Subject subject = SubjectUtils.getCurrentSubject();
+ if (subject != null && SubjectUtils.isImpersonating(subject)) {
+ String primaryPrincipalName =
SubjectUtils.getPrimaryPrincipalName(subject);
+ String impersonatedPrincipalName =
SubjectUtils.getImpersonatedPrincipalName(subject);
+ if (!primaryPrincipalName.equals(impersonatedPrincipalName)) {
+ createdBy = primaryPrincipalName;
+ userName = impersonatedPrincipalName;
+ log.tokenImpersonationSuccess(createdBy, userName);
}
+ } else if (StringUtils.isNotBlank(realUserName) &&
!realUserName.equals(userName)) {
+ // real user name is set by HadoopAuth filter for impersonated
requests (part of 'doAs' processing)
+ createdBy = realUserName;
Review Comment:
I agree that using the Subject Principals as the vehicle for communicating
this information would be ideal.
##########
gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java:
##########
@@ -187,21 +219,46 @@ public void doFilter(ServletRequest request,
ServletResponse response, FilterCha
}
String principalName = getPrincipalName(subject);
+ String mappedPrincipalName = null;
+ try {
+ mappedPrincipalName = handleProxyUserImpersonation(request,
principalName);
+ } catch(AuthorizationException e) {
+ LOG.hadoopAuthProxyUserFailed(e);
+ HttpExceptionUtils.createServletExceptionResponse((HttpServletResponse)
response, HttpServletResponse.SC_FORBIDDEN, e);
+ return;
+ }
- String mappedPrincipalName = mapUserPrincipalBase(principalName);
+ // mapping principal name using user principal mapping (if configured)
+ mappedPrincipalName = mapUserPrincipalBase(mappedPrincipalName);
mappedPrincipalName = mapUserPrincipal(mappedPrincipalName);
+
String[] mappedGroups = mapGroupPrincipalsBase(mappedPrincipalName,
subject);
String[] groups = mapGroupPrincipals(mappedPrincipalName, subject);
String[] virtualGroups = virtualGroupMapper.mapGroups(mappedPrincipalName,
combine(subject, groups), request).toArray(new String[0]);
groups = combineGroupMappings(mappedGroups, groups);
groups = combineGroupMappings(virtualGroups, groups);
- HttpServletRequestWrapper wrapper = wrapHttpServletRequest(
- request, mappedPrincipalName);
+ HttpServletRequestWrapper wrapper = wrapHttpServletRequest(request,
mappedPrincipalName);
+
continueChainAsPrincipal(wrapper, response, chain, mappedPrincipalName,
unique(groups));
}
+ private String handleProxyUserImpersonation(ServletRequest request, String
principalName) throws AuthorizationException {
+ if (impersonationEnabled) {
+ final String doAsUser =
request.getParameter(AuthFilterUtils.QUERY_PARAMETER_DOAS);
+ if (doAsUser != null && !doAsUser.equals(principalName)) {
+ LOG.hadoopAuthDoAsUser(doAsUser, principalName,
request.getRemoteAddr());
+ if (principalName != null) {
+ AuthFilterUtils.authorizeImpersonationRequest((HttpServletRequest)
request, principalName, doAsUser, topologyName, ROLE);
+ LOG.hadoopAuthProxyUserSuccess();
+ return doAsUser;
Review Comment:
+1
Issue Time Tracking
-------------------
Worklog Id: (was: 829899)
Time Spent: 2h (was: 1h 50m)
> Refactor impersonation from KnoxToken service
> ---------------------------------------------
>
> Key: KNOX-2839
> URL: https://issues.apache.org/jira/browse/KNOX-2839
> Project: Apache Knox
> Issue Type: Task
> Components: Server
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Blocker
> Fix For: 2.0.0
>
> Time Spent: 2h
> Remaining Estimate: 0h
>
> With KNOX-2714, end-users can create tokens on behalf of other users using
> Hadoop's impersonation mechanism.
> The problem with the current implementation is that the proxyuser
> authorization happens to be on service level, but it should be executed
> sooner.
> As discussed offline with [~lmccay] and [~pzampino] we agreed on the
> following:
> * impersonation support should be done in Knox's identity assertion layer
> and not in the services
> * the proxuyser authorization in HadoopAuth filter should be left as-is.
> When someone configures them in two places (HadoopAuth authentication and in
> identity-assertion), a WARN-level message should indicate that one on the
> identity-assertion level will be ignored.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
