[ 
https://issues.apache.org/jira/browse/KNOX-3048?focusedWorklogId=970820&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-970820
 ]

ASF GitHub Bot logged work on KNOX-3048:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 27/May/25 15:02
            Start Date: 27/May/25 15:02
    Worklog Time Spent: 10m 
      Work Description: lmccay commented on PR #1043:
URL: https://github.com/apache/knox/pull/1043#issuecomment-2912866647

   > > @moresandeep - why add a new provider for this and not just add it to
   > > common so that it is available everywhere that extends that?
   > 
   > Good point, I thought about that but decided against it in favor of code
   > separation. Since all of the implementations use Common, any bug might affect
   > all the providers. Not all providers need this; the ones that need this feature
   > are virtual groups (already included in default) and hadoop-group-lookup, so I
   > decided to create a new provider that supports these.
   > 
   > Putting this in common will be easy but this is not really a common feature
   > that can be used by all the other providers. Do you anticipate this to be used
   > by others? I can move this to common in that case.
   
   Okay, I am not sure that I like where it is but may need more coffee. It 
seems like the extension of impersonation that you are adding is decoupled from 
the default impersonation we have in common. That feels wrong but maybe there 
is a reason. 
   
   It also appears to extend the HadoopGroupsProvider which I can understand as 
a possible dependency, meaning you would otherwise need two providers but 
putting the extension in common would give you that as well.
   
   I'll also point out that the mode has my head spinning a bit and I need to 
spend more time understanding that and possible edge cases. @pzampino - can you 
provide another set of eyes and opinion?




Issue Time Tracking
-------------------

    Worklog Id:     (was: 970820)
    Time Spent: 2h 50m  (was: 2h 40m)

> Surrogate proxy user configuration for user groups
> --------------------------------------------------
>
>                 Key: KNOX-3048
>                 URL: https://issues.apache.org/jira/browse/KNOX-3048
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 2.0.0
>            Reporter: Philip Zampino
>            Assignee: Sandeep More
>            Priority: Major
>             Fix For: 2.1.0
>
>          Time Spent: 2h 50m
>  Remaining Estimate: 0h
>
> *Problem Statement:*
> Currently Knox has the ability for specific users (say for e.g. {{sp_user}}) 
> to impersonate other users (say for e.g. {{ot_user}}). This is driven by 
> configs defined in a topology. Currently these configs are needed for each 
> user that impersonates other users (i.e. {{sp_user}}), this can get out of 
> hand quickly and can be difficult to maintain.
> To solve this problem the proposed solution uses a group level impersonation 
> configuration. This configuration will be based on the virtual groups feature 
> that is already available in Knox. With this new configuration we can have 
> specific users who belong to a virtual group/s (based on conditions such as 
> {{(match groups 'analyst|scientist') }}) impersonate other users. This will 
> significantly cut down on the config properties and keep them readable and 
> maintainable.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
