Philip Zampino created KNOX-3048:
------------------------------------

             Summary: Surrogate proxy user configuration for all Knox admin users
                 Key: KNOX-3048
                 URL: https://issues.apache.org/jira/browse/KNOX-3048
             Project: Apache Knox
          Issue Type: Improvement
          Components: Server
    Affects Versions: 2.0.0
            Reporter: Philip Zampino
            Assignee: Philip Zampino
             Fix For: 2.1.0


Need the ability to configure proxy user impersonation configuration for all 
those users who are Knox admin users.

Currently, topologies require such configuration for every "end user" who is 
designated as a Knox admin to perform impersonation. This results in too much 
config in the topology, and represents an administration burden.

The proposal is to add a reserved username (e.g., KNOX_ADMIN), for which the 
surrogate proxy user config could be defined (once) in the topology, for which 
authenticated users would be validated against their membership in the Knox 
admin group before being permitted to perform impersonation.

*Example provider configuration with "surrogate" Knox Admin proxyuser*
{code:java}
        <provider>
            <role>identity-assertion</role>
            <name>HadoopGroupProvider</name>
            <enabled>true</enabled>
            <param>
                <name>CENTRAL_GROUP_CONFIG_PREFIX</name>
                <value>gateway.group.config.</value>
            </param>
            <param>
                <name>hadoop.proxyuser.KNOX_ADMIN.groups</name>
                <value>NONE</value>
            </param>
            <param>
                <name>hadoop.proxyuser.KNOX_ADMIN.hosts</name>
                <value>NONE</value>
            </param>
            <param>
                <name>hadoop.proxyuser.impersonation.enabled</name>
                <value>false</value>
            </param>
        </provider>
{code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
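
A model of the check proposed in the issue above, as an added example that is not Knox code and not part of the original message: an authenticated user may use the `KNOX_ADMIN` surrogate rule only after their membership in a Knox admin group is confirmed. The function names, the sample parameters and groups, the rejection of `KNOX_ADMIN` as a login name, and the "per-user rule or surrogate rule" evaluation order are assumptions; host matching is exact-string only.

```python
SURROGATE = "KNOX_ADMIN"  # reserved username proposed in the issue


def _csv(params, key):
    """Split a comma-separated topology param; a missing key yields an empty set."""
    return {v.strip() for v in params.get(key, "").split(",") if v.strip()}


def _rule_allows(params, proxy, target_user, target_groups, host):
    """Evaluate one hadoop.proxyuser.<proxy>.* rule ('*' is the wildcard)."""
    prefix = f"hadoop.proxyuser.{proxy}."
    users = _csv(params, prefix + "users")
    groups = _csv(params, prefix + "groups")
    hosts = _csv(params, prefix + "hosts")
    target_ok = ("*" in users or target_user in users
                 or "*" in groups or bool(groups & set(target_groups)))
    host_ok = "*" in hosts or host in hosts
    return target_ok and host_ok


def may_impersonate(params, admin_groups, user, user_groups,
                    target_user, target_groups, host):
    """Decide whether `user` may act as `target_user` from `host`."""
    # Assumption: nobody may authenticate *as* the reserved name, otherwise the
    # surrogate rule would apply without any admin-group check.
    if user == SURROGATE:
        return False
    proxies = [user]  # an explicit per-user rule, if one exists
    # The surrogate rule is considered only for members of a Knox admin group.
    if set(user_groups) & set(admin_groups):
        proxies.append(SURROGATE)
    return any(_rule_allows(params, p, target_user, target_groups, host)
               for p in proxies)


# Constructed sample values (not taken from the issue).
TOPOLOGY_PARAMS = {
    "hadoop.proxyuser.KNOX_ADMIN.groups": "analysts",
    "hadoop.proxyuser.KNOX_ADMIN.hosts": "*",
    "hadoop.proxyuser.etl.users": "batch",
    "hadoop.proxyuser.etl.hosts": "10.0.0.5",
}
ADMIN_GROUPS = {"knox-admins"}

if __name__ == "__main__":
    print(may_impersonate(TOPOLOGY_PARAMS, ADMIN_GROUPS, "alice",
                          ["knox-admins"], "bob", ["analysts"], "10.1.2.3"))
```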
