[jira] [Work logged] (KNOX-2839) Refactor impersonation from KnoxToken service

[ASF GitHub Bot (Jira)]

     [ 
https://issues.apache.org/jira/browse/KNOX-2839?focusedWorklogId=834560&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-834560
 ]

ASF GitHub Bot logged work on KNOX-2839:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 19/Dec/22 14:24
            Start Date: 19/Dec/22 14:24
    Worklog Time Spent: 10m 
      Work Description: pzampino commented on code in PR #681:
URL: https://github.com/apache/knox/pull/681#discussion_r1052256852


##########
gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilter.java:
##########
@@ -200,12 +202,12 @@ protected void doFilter(FilterChain filterChain, 
HttpServletRequest request, Htt
     HttpServletRequest proxyRequest = null;
     final String remoteUser = request.getRemoteUser();
     if (!ignoreDoAs(remoteUser)) {
-      final String doAsUser = request.getParameter(QUERY_PARAMETER_DOAS);
+      final String doAsUser = 
request.getParameter(AuthFilterUtils.QUERY_PARAMETER_DOAS);
       if (doAsUser != null && !doAsUser.equals(remoteUser)) {
         LOG.hadoopAuthDoAsUser(doAsUser, remoteUser, request.getRemoteAddr());
         if (request.getUserPrincipal() != null) {
           try {
-            proxyRequest = AuthFilterUtils.getProxyRequest(request, doAsUser, 
topologyName, HadoopAuthDeploymentContributor.NAME);
+            proxyRequest = AuthFilterUtils.getProxyRequest(request, 
request.getUserPrincipal().getName(), doAsUser, topologyName, 
HadoopAuthDeploymentContributor.NAME);

Review Comment:
   @moresandeep, That's making an assumption that the principal name is ALWAYS 
gotten from the request.





Issue Time Tracking
-------------------

    Worklog Id:     (was: 834560)
    Time Spent: 4h 20m  (was: 4h 10m)

> Refactor impersonation from KnoxToken service
> ---------------------------------------------
>
>                 Key: KNOX-2839
>                 URL: https://issues.apache.org/jira/browse/KNOX-2839
>             Project: Apache Knox
>          Issue Type: Task
>          Components: Server
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Blocker
>             Fix For: 2.0.0
>
>          Time Spent: 4h 20m
>  Remaining Estimate: 0h
>
> With KNOX-2714, end-users can create tokens on behalf of other users using 
> Hadoop's impersonation mechanism.
> The problem with the current implementation is that the proxyuser 
> authorization happens to be on service level, but it should be executed 
> sooner.
> As discussed offline with [~lmccay] and [~pzampino] we agreed on the 
> following:
>  * impersonation support should be done in Knox's identity assertion layer 
> and not in the services
>  * the proxuyser authorization in HadoopAuth filter should be left as-is. 
> When someone configures them in two places (HadoopAuth authentication and in 
> identity-assertion), a WARN-level message should indicate that one on the 
> identity-assertion level will be ignored.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)