[ https://issues.apache.org/jira/browse/KNOX-2974?focusedWorklogId=887829&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-887829 ]
ASF GitHub Bot logged work on KNOX-2974:
----------------------------------------
Author: ASF GitHub Bot
Created on: 30/Oct/23 11:11
Start Date: 30/Oct/23 11:11
Worklog Time Spent: 10m
Work Description: moresandeep opened a new pull request, #813:
URL: https://github.com/apache/knox/pull/813
## What changes were proposed in this pull request?
- New endpoint `auth/api/v1/extauthz` (similar to `auth/api/v1/pre`) that accepts HTTP verbs other than GET
- If configured, ignores additional context path params

e.g.
```
knox git:(KNOX-2974) curl -X POST -iku guest:guest-password https://localhost:8443/gateway/sandbox/auth/api/v1/extauthz
HTTP/1.1 200 OK
Date: Mon, 30 Oct 2023 11:04:54 GMT
Set-Cookie: KNOXSESSIONID=node01fu988w96ue8n19ot0yixrdt6s7.node0; Path=/gateway/sandbox; Secure; HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Sun, 29-Oct-2023 11:04:54 GMT; SameSite=lax
X-Knox-Actor-ID: guest
Content-Length: 0
```
```
knox git:(KNOX-2974) curl -X POST -iku guest:guest-password https://localhost:8443/gateway/sandbox/auth/api/v1/extauthz/xyz
HTTP/1.1 200 OK
Date: Mon, 30 Oct 2023 11:05:28 GMT
Set-Cookie: KNOXSESSIONID=node04574919y5ed372i1cdy8i25h8.node0; Path=/gateway/sandbox; Secure; HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Sun, 29-Oct-2023 11:05:28 GMT; SameSite=lax
X-Knox-Actor-ID: guest
Content-Length: 0
```
The configuration parameter to enable/disable ignoring the extra path (`/xyz` in the previous example) is `ignore.additional.path`:
```
<service>
    <role>KNOX-AUTH-SERVICE</role>
    <param>
        <name>preauth.auth.header.actor.id.name</name>
        <value>X-Knox-Actor-ID</value>
    </param>
    <param>
        <name>preauth.auth.header.actor.groups.prefix</name>
        <value>X-Knox-Actor-Groups</value>
    </param>
    <param>
        <name>ignore.additional.path</name>
        <value>true</value>
    </param>
    ......
</service>
```
**NOTE**: this endpoint is based on `auth/api/v1/pre`, so all the options that are supported by [auth/api/v1/pre](https://knox.apache.org/books/knox-2-0-0/user-guide.html#auth/api/v1/pre) are supported by `auth/api/v1/extauthz`.
## How was this patch tested?
This patch was tested locally
Issue Time Tracking
-------------------
Worklog Id: (was: 887829)
Remaining Estimate: 0h
Time Spent: 10m
> Add a new endpoint like 'pre' that supports other verbs and ignores paths
> -------------------------------------------------------------------------
>
> Key: KNOX-2974
> URL: https://issues.apache.org/jira/browse/KNOX-2974
> Project: Apache Knox
> Issue Type: New Feature
> Components: docker, Server
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Knox can be used as an [external authorizer for Istio|https://istio.io/v1.10/blog/2021/better-external-authz/].
> In this model Istio forwards the request to the external authorizer and,
> depending on the results, the request then either errors out with 401 or 403
> OR proceeds to its intended destination after successful authentication and
> authorization by Knox.
> Here the request is getting forwarded and Knox acts as a "filter". This means
> the "pre" endpoint should support all the HTTP verbs and it should have the
> ability to ignore additional paths that may be appended by Istio.
> This JIRA is to address these issues by creating a new service "extauthz"
> that addresses these issues without changing existing "pre" service to
> prevent breakage.
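
An added example, not part of the pull request or the Knox code base: a check that a deployment test could run over a captured `curl -i` response from `auth/api/v1/extauthz`, confirming the 200 status, the identity header named by `preauth.auth.header.actor.id.name`, and the `Secure`/`HttpOnly` flags on the session cookie. The function names and the negative sample are constructed for illustration; the positive sample is the first response shown above with its wrapped header lines rejoined.

```python
# Response from the first curl example on this page (wrapped header lines joined).
PAGE_RESPONSE = """\
HTTP/1.1 200 OK
Date: Mon, 30 Oct 2023 11:04:54 GMT
Set-Cookie: KNOXSESSIONID=node01fu988w96ue8n19ot0yixrdt6s7.node0; Path=/gateway/sandbox; Secure; HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Sun, 29-Oct-2023 11:04:54 GMT; SameSite=lax
X-Knox-Actor-ID: guest
Content-Length: 0
"""

# Constructed negative sample (not from the page): no identity header, weak cookie.
BAD_RESPONSE = """\
HTTP/1.1 200 OK
Set-Cookie: KNOXSESSIONID=constructed-value; Path=/gateway/sandbox
Content-Length: 0
"""


def parse_response(raw):
    """Return (status_code, [(lowercased_header_name, value), ...])."""
    lines = [ln.rstrip("\r") for ln in raw.strip().splitlines()]
    status = int(lines[0].split()[1])
    headers = []
    for ln in lines[1:]:
        if not ln:
            break  # a blank line ends the header block
        name, _, value = ln.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def check_extauthz(raw, actor_header="X-Knox-Actor-ID"):
    """Return a list of findings; an empty list means every check passed."""
    status, headers = parse_response(raw)
    findings = []
    if status != 200:
        findings.append(f"status {status}: not a successful authorization response")
    actors = [v for n, v in headers if n == actor_header.lower()]
    if len(actors) != 1 or not actors[0]:
        findings.append(f"expected exactly one non-empty {actor_header} header")
    for n, v in headers:
        if n == "set-cookie" and v.startswith("KNOXSESSIONID="):
            attrs = {a.strip().lower() for a in v.split(";")[1:]}
            for flag in ("secure", "httponly"):
                if flag not in attrs:
                    findings.append(f"KNOXSESSIONID cookie lacks {flag}")
    return findings
```

Pass a different `actor_header` when the topology sets `preauth.auth.header.actor.id.name` to something other than `X-Knox-Actor-ID`.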