moresandeep opened a new pull request, #813:
URL: https://github.com/apache/knox/pull/813

   ## What changes were proposed in this pull request?
   
   - New endpoint `auth/api/v1/extauthz` (similar to `auth/api/v1/pre`) that accepts HTTP verbs other than GET
   - If configured, ignores additional context path params
   
   e.g.
   ```
   knox git:(KNOX-2974) curl -X POST -iku guest:guest-password https://localhost:8443/gateway/sandbox/auth/api/v1/extauthz
   HTTP/1.1 200 OK
   Date: Mon, 30 Oct 2023 11:04:54 GMT
   Set-Cookie: KNOXSESSIONID=node01fu988w96ue8n19ot0yixrdt6s7.node0; Path=/gateway/sandbox; Secure; HttpOnly
   Expires: Thu, 01 Jan 1970 00:00:00 GMT
   Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Sun, 29-Oct-2023 11:04:54 GMT; SameSite=lax
   X-Knox-Actor-ID: guest
   Content-Length: 0
   ```
   
   ```
   knox git:(KNOX-2974) curl -X POST -iku guest:guest-password https://localhost:8443/gateway/sandbox/auth/api/v1/extauthz/xyz
   HTTP/1.1 200 OK
   Date: Mon, 30 Oct 2023 11:05:28 GMT
   Set-Cookie: KNOXSESSIONID=node04574919y5ed372i1cdy8i25h8.node0; Path=/gateway/sandbox; Secure; HttpOnly
   Expires: Thu, 01 Jan 1970 00:00:00 GMT
   Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Sun, 29-Oct-2023 11:05:28 GMT; SameSite=lax
   X-Knox-Actor-ID: guest
   Content-Length: 0
   ```
   
   The configuration parameter to enable/disable ignoring the extra path (`/xyz` in the previous example) is `ignore.additional.path`
   
   ```
   <service>
       <role>KNOX-AUTH-SERVICE</role>
       <param>
           <name>preauth.auth.header.actor.id.name</name>
           <value>X-Knox-Actor-ID</value>
       </param>
       <param>
           <name>preauth.auth.header.actor.groups.prefix</name>
           <value>X-Knox-Actor-Groups</value>
       </param>
       <param>
           <name>ignore.additional.path</name>
           <value>true</value>
       </param>
       ......
   </service>
   ```
   
   **NOTE**: this endpoint is based on `auth/api/v1/pre`, so all the options that are supported by [auth/api/v1/pre](https://knox.apache.org/books/knox-2-0-0/user-guide.html#auth/api/v1/pre) are supported by `auth/api/v1/extauthz`
   
   ## How was this patch tested?
   
   This patch was tested locally
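
As an added example (not part of the pull request or Knox's own code), here is one way a proxy that calls `auth/api/v1/extauthz` could consume the response shown above: allow only on a 200 that carries exactly one actor-id header, and drop client-supplied identity headers before forwarding. The function names, the 401 sample and the forwarding model are assumptions.

```python
# Added example (not Knox code): fail-closed handling of an extauthz response.
ACTOR_ID_HEADER = "X-Knox-Actor-ID"    # value of preauth.auth.header.actor.id.name
GROUPS_PREFIX = "X-Knox-Actor-Groups"  # value of preauth.auth.header.actor.groups.prefix

# Constructed samples modelled on the curl output above; the 401 is an assumption.
SAMPLE_OK = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Set-Cookie: KNOXSESSIONID=constructed-session-id; Path=/gateway/sandbox; Secure; HttpOnly",
    "X-Knox-Actor-ID: guest",
    "Content-Length: 0", "", ""])
SAMPLE_DENIED = "HTTP/1.1 401 Unauthorized\r\nContent-Length: 0\r\n\r\n"


def is_identity_header(name):
    """True for the actor-id header or any header under the groups prefix."""
    n = name.lower()
    return n == ACTOR_ID_HEADER.lower() or n.startswith(GROUPS_PREFIX.lower())


def parse_response(raw):
    """Split a raw HTTP response head into (status_code, [(name, value), ...])."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = [(n.strip(), v.strip())
               for n, _, v in (line.partition(":") for line in lines[1:])]
    return status, headers


def decide(raw_authz_response, client_headers):
    """Return (allowed, headers_to_forward); any doubt means deny."""
    # Never let the client pre-seed identity headers, whatever their casing.
    forward = {k: v for k, v in client_headers.items() if not is_identity_header(k)}
    try:
        status, headers = parse_response(raw_authz_response)
    except (IndexError, ValueError):
        return False, forward
    actors = [v for k, v in headers if k.lower() == ACTOR_ID_HEADER.lower()]
    if status != 200 or len(actors) != 1 or not actors[0]:
        return False, forward
    # Copy only identity headers that the auth service itself returned.
    forward.update((k, v) for k, v in headers if is_identity_header(k))
    return True, forward


if __name__ == "__main__":
    print(decide(SAMPLE_OK, {"Accept": "*/*", "x-knox-actor-id": "admin"}))
    print(decide(SAMPLE_DENIED, {"Accept": "*/*"}))
```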

