[
https://issues.apache.org/jira/browse/KNOX-3337?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sandor Molnar updated KNOX-3337:
--------------------------------
Description:
Currently, the KnoxLdapService provides user and group information directly
from its configured LDAP backend. In many deployment scenarios, particularly in
modern cloud-native environments, there is a requirement to map these
LDAP-authenticated identities and their group memberships to higher-level
application roles managed by an external source.
This JIRA introduces a pluggable role lookup mechanism within KnoxLdapService
that allows Knox to intercept group resolution and instead populate roles from
either a local configuration file (for testing purposes) or a remote REST API.
*Key Features*
1. *Pluggable Interface:* Introduction of LdapRolesLookup to allow for
extensible lookup strategies.
2. *REST Implementation:* A client implementation that POSTs user ID and
group lists to a configured endpoint to retrieve role mappings, following a
specific OpenAPI schema.
3. *File-based Implementation:* A JSON-based lookup strategy for static
environments, using the same data structure as the REST API.
4. *Configuration-driven:* New gateway-site.xml properties to toggle lookup
types and configure endpoints or file paths.
*Proposed Configuration*
* {{gateway.ldap.roles.lookup.strategy}}: Enables the role lookup and selects
the strategy ({{file}} or {{rest}}).
* {{gateway.ldap.roles.lookup.rest.api.endpoint}}: The destination URL for
REST lookups.
* {{gateway.ldap.roles.lookup.file.path}}: The path of the JSON mapping file.
*Data Contract:*
The implementation exchanges JSON payloads: the request carries a {{user_id}}
and an array of {{groups}}; the response is a list of {{RoleAssignment}}
objects, each consisting of a {{scope}} and a {{name}}.
This enhancement will allow for more dynamic and flexible authorization
workflows in Knox-managed environments.
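The data contract and the two strategies above, modelled stand-alone as an added example. This is not Apache Knox code: the issue only names the LdapRolesLookup interface and the request/response fields, so the method shape, the mapping-file layout (a JSON array whose entries carry user_id and/or groups plus the roles they grant), the https check and the fail-closed parsing are assumptions of this example; the sample mapping file and the fake endpoint response are constructed.

```python
"""KNOX-3337 role-lookup contract, modelled stand-alone (added example, not Knox code).
Assumed: LdapRolesLookup method shape, mapping-file layout, https check, fail-closed parsing."""
import json
import os
import tempfile
import urllib.request
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class RoleAssignment:
    scope: str
    name: str


def parse_role_assignments(payload) -> List[RoleAssignment]:
    """Validate a RoleAssignment array (REST response body or mapping-file entry).
    Fails closed: a malformed element raises instead of yielding partial roles."""
    if not isinstance(payload, list):
        raise ValueError("role assignments must be a JSON array")
    roles = []
    for item in payload:
        scope, name = (item.get("scope"), item.get("name")) if isinstance(item, dict) else (None, None)
        if not (isinstance(scope, str) and scope and isinstance(name, str) and name):
            raise ValueError("invalid role assignment: %r" % (item,))
        roles.append(RoleAssignment(scope, name))
    return list(dict.fromkeys(roles))  # de-duplicate, keep order


def build_request(user_id: str, groups: Iterable[str]) -> dict:
    """Body the 'rest' strategy POSTs: {"user_id": ..., "groups": [...]}."""
    return {"user_id": user_id, "groups": sorted(set(groups))}


class RestRolesLookup:
    """'rest' strategy: POST the request, parse the response. The transport is
    injectable so the example runs offline; the default uses urllib."""
    def __init__(self, endpoint: str,
                 transport: Optional[Callable[[str, bytes], bytes]] = None):
        if not endpoint.startswith("https://"):  # assumed hardening: roles would travel in clear otherwise
            raise ValueError("roles endpoint must use https")
        self.endpoint, self.transport = endpoint, transport or self._http_post

    @staticmethod
    def _http_post(url: str, body: bytes) -> bytes:
        req = urllib.request.Request(url, data=body, method="POST",
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read()

    def lookup(self, user_id: str, groups: Iterable[str]) -> List[RoleAssignment]:
        body = json.dumps(build_request(user_id, groups)).encode("utf-8")
        return parse_role_assignments(json.loads(self.transport(self.endpoint, body)))


class FileRolesLookup:
    """'file' strategy over an assumed layout: a JSON array whose entries carry the
    request fields (user_id and/or groups) plus the roles they grant."""
    def __init__(self, path: str):
        with open(path, encoding="utf-8") as fh:
            self.entries = json.load(fh)
        if not isinstance(self.entries, list):
            raise ValueError("mapping file must be a JSON array")

    def lookup(self, user_id: str, groups: Iterable[str]) -> List[RoleAssignment]:
        groups = set(groups)
        roles: List[RoleAssignment] = []
        for entry in self.entries:
            if entry.get("user_id") == user_id or groups & set(entry.get("groups", [])):
                roles.extend(parse_role_assignments(entry.get("roles", [])))
        return list(dict.fromkeys(roles))


# Constructed sample mapping file, not from the issue.
SAMPLE_MAPPING = [
    {"groups": ["analysts"], "roles": [{"scope": "cluster", "name": "reader"}]},
    {"user_id": "alice", "roles": [{"scope": "cluster", "name": "admin"},
                                   {"scope": "cluster", "name": "reader"}]},
]


def demo_file_lookup() -> List[RoleAssignment]:
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump(SAMPLE_MAPPING, fh)
    try:
        return FileRolesLookup(fh.name).lookup("alice", ["analysts", "staff"])
    finally:
        os.unlink(fh.name)


def demo_rest_lookup() -> List[RoleAssignment]:
    def fake_transport(url: str, body: bytes) -> bytes:  # stands in for the remote endpoint
        assert json.loads(body) == {"user_id": "alice", "groups": ["analysts", "staff"]}
        return json.dumps([{"scope": "topology", "name": "sandbox-user"}]).encode("utf-8")
    return RestRolesLookup("https://roles.example.internal/v1/roles",
                           fake_transport).lookup("alice", ["staff", "analysts"])
```

Two practitioner caveats the issue text does not spell out: with the rest strategy the endpoint becomes an authorization decision point, so whoever controls it (or the path to it) controls the role set; the transport should be TLS with a verified server identity, and an unreachable endpoint or a malformed response should fail closed rather than fall back to raw LDAP groups. With the file strategy the mapping file has the same authority, so it should be writable only by the gateway's own account.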
was:
Currently, the KnoxLdapService provides user and group information directly
from its configured LDAP backend. In many deployment scenarios, particularly in
modern cloud-native environments, there is a requirement to map these
LDAP-authenticated identities and their group memberships to higher-level
application roles managed by an external source.
This JIRA introduces a pluggable role lookup mechanism within KnoxLdapService
that allows Knox to intercept group resolution and instead populate roles from
either a local configuration file (for testing purposes) or a remote REST API.
*Key Features:*
1. *Pluggable Interface:* Introduction of LdapRolesLookup to allow for
extensible lookup strategies.
2. *REST Implementation:* A client implementation that POSTs user ID and
group lists to a configured endpoint to retrieve role mappings, following a
specific OpenAPI schema.
3. *File-based Implementation:* A JSON-based lookup strategy for static
environments, using the same data structure as the REST API.
4. *Configuration-driven:* New gateway-site.xml properties to toggle lookup
types and configure endpoints or file paths.
*Proposed Configuration:*
* gateway.ldap.roles.lookup.strategy: Enables the lookup (file or rest).
* gateway.ldap.roles.lookup.rest.api.endpoint: The destination URL for REST
lookups.
* gateway.ldap.roles.lookup.file.path: the file path which points to the JSON
mapping file.
*Data Contract:*
The implementation will exchange JSON payloads containing a user_id and an
array of groups, receiving a response containing a list of RoleAssignment
objects (consisting of scope and name).
This enhancement will allow for more dynamic and flexible authorization
workflows in Knox-managed environments.
> Enhance KnoxLdapService with Pluggable Role Lookup Support
> ----------------------------------------------------------
>
> Key: KNOX-3337
> URL: https://issues.apache.org/jira/browse/KNOX-3337
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 3.0.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Critical
> Fix For: 3.0.0
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)