[ https://issues.apache.org/jira/browse/KNOX-2839?focusedWorklogId=834712&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-834712 ]

ASF GitHub Bot logged work on KNOX-2839:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 20/Dec/22 09:07
            Start Date: 20/Dec/22 09:07
    Worklog Time Spent: 10m 
      Work Description: smolnar82 commented on code in PR #681:
URL: https://github.com/apache/knox/pull/681#discussion_r1053069990


##########
gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilter.java:
##########
@@ -200,12 +202,12 @@ protected void doFilter(FilterChain filterChain, 
HttpServletRequest request, Htt
     HttpServletRequest proxyRequest = null;
     final String remoteUser = request.getRemoteUser();
     if (!ignoreDoAs(remoteUser)) {
-      final String doAsUser = request.getParameter(QUERY_PARAMETER_DOAS);
+      final String doAsUser = 
request.getParameter(AuthFilterUtils.QUERY_PARAMETER_DOAS);
       if (doAsUser != null && !doAsUser.equals(remoteUser)) {
         LOG.hadoopAuthDoAsUser(doAsUser, remoteUser, request.getRemoteAddr());
         if (request.getUserPrincipal() != null) {
           try {
-            proxyRequest = AuthFilterUtils.getProxyRequest(request, doAsUser, 
topologyName, HadoopAuthDeploymentContributor.NAME);
+            proxyRequest = AuthFilterUtils.getProxyRequest(request, 
request.getUserPrincipal().getName(), doAsUser, topologyName, 
HadoopAuthDeploymentContributor.NAME);
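Review bot: the new `getProxyRequest` call passes `request.getUserPrincipal().getName()` as the impersonating user, while the `doAsUser.equals(remoteUser)` check and the `LOG.hadoopAuthDoAsUser(...)` call a few lines above use `remoteUser` from `request.getRemoteUser()`; if the container ever reports different values for the two, the short-circuit and the proxy-user authorization would be evaluated against different identities. Either pass `remoteUser` here, or, if the principal name is the intended source, use it for the comparison and the log call as well so that a single identity is used throughout the `if (!ignoreDoAs(remoteUser))` block. The existing `request.getUserPrincipal() != null` guard does cover the new dereference.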

Review Comment:
   @pzampino is right. It's not guaranteed that we'll use the principal name 
from the request when this method is called. In this particular case, this is 
true, but we may keep the `remoteUserName` parameter.
   To make it even cleaner, I'll add an overloaded method that will only have 
the `request` parameter and use it to get the user principal from it.

Issue Time Tracking
-------------------

    Worklog Id:     (was: 834712)
    Time Spent: 5h  (was: 4h 50m)

> Refactor impersonation from KnoxToken service
> ---------------------------------------------
>
>                 Key: KNOX-2839
>                 URL: https://issues.apache.org/jira/browse/KNOX-2839
>             Project: Apache Knox
>          Issue Type: Task
>          Components: Server
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Blocker
>             Fix For: 2.0.0
>
>          Time Spent: 5h
>  Remaining Estimate: 0h
>
> With KNOX-2714, end-users can create tokens on behalf of other users using 
> Hadoop's impersonation mechanism.
> The problem with the current implementation is that the proxyuser 
> authorization happens to be on service level, but it should be executed 
> sooner.
> As discussed offline with [~lmccay] and [~pzampino] we agreed on the 
> following:
>  * impersonation support should be done in Knox's identity assertion layer 
> and not in the services
>  * the proxyuser authorization in HadoopAuth filter should be left as-is. 
> When someone configures them in two places (HadoopAuth authentication and in 
> identity-assertion), a WARN-level message should indicate that one on the 
> identity-assertion level will be ignored.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)