[
https://issues.apache.org/jira/browse/KNOX-2839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17651395#comment-17651395
]
ASF subversion and git services commented on KNOX-2839:
-------------------------------------------------------
Commit 6a4d5dfb4cca531a3adda0e6330cc806d0192249 in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=6a4d5dfb4 ]
KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the
'doAs' query parameter (#681)
With this change, the previously added ProxyUser configuration for KnoxToken
impersonation is removed because the same can be achieved with the appropriate
identity-assertion configuration.
Another very important change is that Knox's HadoopAuth filter no longer sets
the 'doAs' user as primary principal. Instead, it's passed down as an
ImpersonatedPrincipal and the original user (real user) remains the
PrimaryPrincipal in the underlying security context (Subject).
> Refactor impersonation from KnoxToken service
> ---------------------------------------------
>
> Key: KNOX-2839
> URL: https://issues.apache.org/jira/browse/KNOX-2839
> Project: Apache Knox
> Issue Type: Task
> Components: Server
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Blocker
> Fix For: 2.0.0
>
> Time Spent: 5h 50m
> Remaining Estimate: 0h
>
> With KNOX-2714, end-users can create tokens on behalf of other users using
> Hadoop's impersonation mechanism.
> The problem with the current implementation is that the proxyuser
> authorization happens to be on service level, but it should be executed
> sooner.
> As discussed offline with [~lmccay] and [~pzampino] we agreed on the
> following:
> * impersonation support should be done in Knox's identity assertion layer
> and not in the services
> * the proxyuser authorization in HadoopAuth filter should be left as-is.
> When someone configures them in two places (HadoopAuth authentication and in
> identity-assertion), a WARN-level message should indicate that one on the
> identity-assertion level will be ignored.