[
https://issues.apache.org/jira/browse/KNOX-2839?focusedWorklogId=834362&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-834362
]
ASF GitHub Bot logged work on KNOX-2839:
----------------------------------------
Author: ASF GitHub Bot
Created on: 18/Dec/22 12:03
Start Date: 18/Dec/22 12:03
Worklog Time Spent: 10m
Work Description: moresandeep commented on code in PR #681:
URL: https://github.com/apache/knox/pull/681#discussion_r1051587615
##########
gateway-provider-identity-assertion-common/pom.xml:
##########
@@ -97,7 +97,14 @@
<groupId>org.jboss.shrinkwrap</groupId>
<artifactId>shrinkwrap-api</artifactId>
</dependency>
-
+ <dependency>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-common</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>com.google.guava</groupId>
+ <artifactId>guava</artifactId>
Review Comment:
Looks like the guava dependency is used for testing, if so perhaps just
changing the scope to testing might work?
##########
gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilter.java:
##########
@@ -200,12 +202,12 @@ protected void doFilter(FilterChain filterChain,
HttpServletRequest request, Htt
HttpServletRequest proxyRequest = null;
final String remoteUser = request.getRemoteUser();
if (!ignoreDoAs(remoteUser)) {
- final String doAsUser = request.getParameter(QUERY_PARAMETER_DOAS);
+ final String doAsUser =
request.getParameter(AuthFilterUtils.QUERY_PARAMETER_DOAS);
if (doAsUser != null && !doAsUser.equals(remoteUser)) {
LOG.hadoopAuthDoAsUser(doAsUser, remoteUser, request.getRemoteAddr());
if (request.getUserPrincipal() != null) {
try {
- proxyRequest = AuthFilterUtils.getProxyRequest(request, doAsUser,
topologyName, HadoopAuthDeploymentContributor.NAME);
+ proxyRequest = AuthFilterUtils.getProxyRequest(request,
request.getUserPrincipal().getName(), doAsUser, topologyName,
HadoopAuthDeploymentContributor.NAME);
Review Comment:
nit: we are passing the request object, so
request.getUserPrincipal().getName() can be deduced from it, additional param
seems redundant.
Issue Time Tracking
-------------------
Worklog Id: (was: 834362)
Time Spent: 4h 10m (was: 4h)
> Refactor impersonation from KnoxToken service
> ---------------------------------------------
>
> Key: KNOX-2839
> URL: https://issues.apache.org/jira/browse/KNOX-2839
> Project: Apache Knox
> Issue Type: Task
> Components: Server
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Blocker
> Fix For: 2.0.0
>
> Time Spent: 4h 10m
> Remaining Estimate: 0h
>
> With KNOX-2714, end-users can create tokens on behalf of other users using
> Hadoop's impersonation mechanism.
> The problem with the current implementation is that the proxyuser
> authorization happens to be on service level, but it should be executed
> sooner.
> As discussed offline with [~lmccay] and [~pzampino] we agreed on the
> following:
> * impersonation support should be done in Knox's identity assertion layer
> and not in the services
> * the proxuyser authorization in HadoopAuth filter should be left as-is.
> When someone configures them in two places (HadoopAuth authentication and in
> identity-assertion), a WARN-level message should indicate that one on the
> identity-assertion level will be ignored.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
