[
https://issues.apache.org/jira/browse/KNOX-2839?focusedWorklogId=834238&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-834238
]
ASF GitHub Bot logged work on KNOX-2839:
----------------------------------------
Author: ASF GitHub Bot
Created on: 16/Dec/22 21:26
Start Date: 16/Dec/22 21:26
Worklog Time Spent: 10m
Work Description: pzampino commented on code in PR #681:
URL: https://github.com/apache/knox/pull/681#discussion_r1051151340
##########
gateway-provider-identity-assertion-common/pom.xml:
##########
@@ -97,7 +97,14 @@
<groupId>org.jboss.shrinkwrap</groupId>
<artifactId>shrinkwrap-api</artifactId>
</dependency>
-
+ <dependency>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-common</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>com.google.guava</groupId>
+ <artifactId>guava</artifactId>
Review Comment:
This is needed by hadoop-common?
##########
gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationFilter.java:
##########
@@ -128,19 +124,19 @@ protected boolean
enforceAclAuthorizationPolicy(ServletRequest request,
boolean groupAccess = false;
boolean ipAddrAccess;
- Subject subject = Subject.getSubject(AccessController.getContext());
- Principal primaryPrincipal =
(Principal)subject.getPrincipals(PrimaryPrincipal.class).toArray()[0];
- log.primaryPrincipal(primaryPrincipal.getName());
- Object[] impersonations =
subject.getPrincipals(ImpersonatedPrincipal.class).toArray();
- if (impersonations.length > 0) {
- log.impersonatedPrincipal(((Principal)impersonations[0]).getName());
- userAccess = checkUserAcls((Principal)impersonations[0]);
+ final Subject subject = SubjectUtils.getCurrentSubject();
Review Comment:
Could this be simplified to
`
effectivePrincipalName = SubjectUtils.getCurrentEffectivePrincipalName();
log.effectivePrincipal(effectivePrincipalName);
userAccess = checkUserAcls(effectivePrincipalName);
`
Issue Time Tracking
-------------------
Worklog Id: (was: 834238)
Time Spent: 3.5h (was: 3h 20m)
> Refactor impersonation from KnoxToken service
> ---------------------------------------------
>
> Key: KNOX-2839
> URL: https://issues.apache.org/jira/browse/KNOX-2839
> Project: Apache Knox
> Issue Type: Task
> Components: Server
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Blocker
> Fix For: 2.0.0
>
> Time Spent: 3.5h
> Remaining Estimate: 0h
>
> With KNOX-2714, end-users can create tokens on behalf of other users using
> Hadoop's impersonation mechanism.
> The problem with the current implementation is that the proxyuser
> authorization happens to be on service level, but it should be executed
> sooner.
> As discussed offline with [~lmccay] and [~pzampino] we agreed on the
> following:
> * impersonation support should be done in Knox's identity assertion layer
> and not in the services
> * the proxuyser authorization in HadoopAuth filter should be left as-is.
> When someone configures them in two places (HadoopAuth authentication and in
> identity-assertion), a WARN-level message should indicate that one on the
> identity-assertion level will be ignored.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
