[jira] [Work logged] (KNOX-2839) Refactor impersonation from KnoxToken service

2022-12-17 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2839?focusedWorklogId=834322&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-834322
 ]

ASF GitHub Bot logged work on KNOX-2839:


Author: ASF GitHub Bot
Created on: 17/Dec/22 18:34
Start Date: 17/Dec/22 18:34
Worklog Time Spent: 10m 
  Work Description: lmccay commented on PR #681:
URL: https://github.com/apache/knox/pull/681#issuecomment-1356376592

   This is a much larger change than I anticipated, @smolnar82! This has 
obviously been a lot of work. Thank you for it.




Issue Time Tracking
---

Worklog Id: (was: 834322)
Time Spent: 4h  (was: 3h 50m)

> Refactor impersonation from KnoxToken service
> ---------------------------------------------
>
> Key: KNOX-2839
> URL: https://issues.apache.org/jira/browse/KNOX-2839
> Project: Apache Knox
> Issue Type: Task
> Components: Server
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Blocker
> Fix For: 2.0.0
>
> Time Spent: 4h
> Remaining Estimate: 0h
>
> With KNOX-2714, end-users can create tokens on behalf of other users using 
> Hadoop's impersonation mechanism.
> The problem with the current implementation is that the proxyuser 
> authorization happens to be on service level, but it should be executed 
> sooner.
> As discussed offline with [~lmccay] and [~pzampino] we agreed on the 
> following:
>  * impersonation support should be done in Knox's identity assertion layer 
> and not in the services
>  * the proxyuser authorization in HadoopAuth filter should be left as-is. 
> When someone configures them in two places (HadoopAuth authentication and in 
> identity-assertion), a WARN-level message should indicate that one on the 
> identity-assertion level will be ignored.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
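
Added example, not part of the thread and not Knox or Hadoop code: the decision the issue description above asks for, made once at the identity-assertion stage before any service sees the request. Class, method and parameter names are hypothetical; the rule shape is modelled on Hadoop's hadoop.proxyuser.<name>.users and .hosts lists, and ignoring doAs while impersonation is disabled is an assumption.

```java
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;

// Added illustration (not Knox or Hadoop source): the doAs decision is taken
// at the identity-assertion stage, so no service has to repeat it.
public class DoAsAtAssertionLayer {
    private static final Logger LOG = Logger.getLogger("identity-assertion");

    // Hypothetical rule holder modelled on hadoop.proxyuser.<name>.users / .hosts.
    record ProxyRule(Set<String> users, Set<String> hosts) {
        boolean allows(String target, String host) {
            return (users.contains("*") || users.contains(target))
                && (hosts.contains("*") || hosts.contains(host));
        }
    }

    // Returns the principal downstream services should see; throws if doAs is not authorized.
    static String effectiveUser(String caller, String doAs, String remoteHost,
                                boolean impersonationEnabled, boolean hadoopAuthHasProxyUser,
                                Map<String, ProxyRule> rules) {
        if (hadoopAuthHasProxyUser) {
            if (impersonationEnabled) {
                // Configured in two places: the identity-assertion settings lose.
                LOG.warning("proxyuser is configured in HadoopAuth; "
                    + "identity-assertion impersonation settings are ignored");
            }
            return caller; // the authentication layer already made the decision
        }
        if (!impersonationEnabled || doAs == null || doAs.isEmpty() || doAs.equals(caller)) {
            return caller; // client-supplied doAs is not honoured (assumed default)
        }
        ProxyRule rule = rules.get(caller);
        if (rule == null || !rule.allows(doAs, remoteHost)) {
            // Fail closed: no rule for the caller means no impersonation.
            throw new SecurityException(caller + " may not impersonate " + doAs + " from " + remoteHost);
        }
        return doAs;
    }

    public static void main(String[] args) {
        // Constructed sample: "admin" may act as bob or alice, only from 10.0.0.5.
        Map<String, ProxyRule> rules =
            Map.of("admin", new ProxyRule(Set.of("bob", "alice"), Set.of("10.0.0.5")));
        System.out.println(effectiveUser("admin", "bob", "10.0.0.5", true, false, rules));
        System.out.println(effectiveUser("admin", "bob", "10.0.0.5", false, false, rules));
        System.out.println(effectiveUser("admin", "bob", "10.0.0.5", true, true, rules));
        try {
            effectiveUser("guest", "root", "10.0.0.9", true, false, rules);
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```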


[jira] [Work logged] (KNOX-2839) Refactor impersonation from KnoxToken service

2022-12-17 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2839?focusedWorklogId=834321&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-834321
 ]

ASF GitHub Bot logged work on KNOX-2839:


Author: ASF GitHub Bot
Created on: 17/Dec/22 18:34
Start Date: 17/Dec/22 18:34
Worklog Time Spent: 10m 
  Work Description: lmccay commented on code in PR #681:
URL: https://github.com/apache/knox/pull/681#discussion_r1051440369


##
gateway-provider-identity-assertion-common/pom.xml:
##
@@ -97,7 +97,14 @@
 org.jboss.shrinkwrap
 shrinkwrap-api
 
-
+
+org.apache.hadoop
+hadoop-common
+
+
+com.google.guava
+guava
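
Review bot: Adding hadoop-common and guava to gateway-provider-identity-assertion-common (the two new entries after shrinkwrap-api) makes every module built on this common artifact inherit both, along with their transitive trees. As shown here neither entry carries a scope or exclusions; consider moving the proxyuser code into its own module, or excluding what it does not need, so that guava resolves to a single version and the set of dependencies to audit stays small.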

Review Comment:
   Does this also mean that ALL identity assertion providers now have a 
dependency on hadoop common? That is a rather heavy dependency if not needed. 
Guava is also problematic with mixed versions and stuff. If this wasn't already 
a dependency then we will need to be careful with things like Ranger Knox 
plugin coming into the mix.





Issue Time Tracking
---

Worklog Id: (was: 834321)
Time Spent: 3h 50m  (was: 3h 40m)



[GitHub] [knox] lmccay commented on pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter

2022-12-17 Thread GitBox


lmccay commented on PR #681:
URL: https://github.com/apache/knox/pull/681#issuecomment-1356376592

   This is a much larger change than I anticipated, @smolnar82! This has 
obviously been a lot of work. Thank you for it.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



[GitHub] [knox] lmccay commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter

2022-12-17 Thread GitBox


lmccay commented on code in PR #681:
URL: https://github.com/apache/knox/pull/681#discussion_r1051440369


##
gateway-provider-identity-assertion-common/pom.xml:
##
@@ -97,7 +97,14 @@
 org.jboss.shrinkwrap
 shrinkwrap-api
 
-
+
+org.apache.hadoop
+hadoop-common
+
+
+com.google.guava
+guava

Review Comment:
   Does this also mean that ALL identity assertion providers now have a 
dependency on hadoop common? That is a rather heavy dependency if not needed. 
Guava is also problematic with mixed versions and stuff. If this wasn't already 
a dependency then we will need to be careful with things like Ranger Knox 
plugin coming into the mix.






[jira] [Work logged] (KNOX-2839) Refactor impersonation from KnoxToken service

2022-12-17 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2839?focusedWorklogId=834320&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-834320
 ]

ASF GitHub Bot logged work on KNOX-2839:


Author: ASF GitHub Bot
Created on: 17/Dec/22 18:31
Start Date: 17/Dec/22 18:31
Worklog Time Spent: 10m 
  Work Description: lmccay commented on code in PR #681:
URL: https://github.com/apache/knox/pull/681#discussion_r1051439950


##
gateway-release/home/conf/topologies/homepage.xml:
##
@@ -60,6 +60,24 @@
  identity-assertion
  Default
  true
+ 
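
Review bot: Whatever the 18 added lines configure (the hunk header grows the block from 6 to 24 lines, right after the identity-assertion provider's enabled flag), homepage.xml ships under gateway-release/home/conf, so they must leave impersonation off until an administrator opts in. Say so in a one-line comment in the file and add a test that a doAs request against the default topology is not honoured.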

Review Comment:
   Why is this commented out here, just a convenience? Will these comments 
survive an admin ui read/save?



##
gateway-release/home/conf/topologies/homepage.xml:
##
@@ -60,6 +60,24 @@
  identity-assertion
  Default
  true
+ 

Review Comment:
   If impersonation.enabled defaults to false then why do we need to comment 
them out?





Issue Time Tracking
---

Worklog Id: (was: 834320)
Time Spent: 3h 40m  (was: 3.5h)



[GitHub] [knox] lmccay commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter

2022-12-17 Thread GitBox


lmccay commented on code in PR #681:
URL: https://github.com/apache/knox/pull/681#discussion_r1051439950


##
gateway-release/home/conf/topologies/homepage.xml:
##
@@ -60,6 +60,24 @@
  identity-assertion
  Default
  true
+ 

Review Comment:
   Why is this commented out here, just a convenience? Will these comments 
survive an admin ui read/save?



##
gateway-release/home/conf/topologies/homepage.xml:
##
@@ -60,6 +60,24 @@
  identity-assertion
  Default
  true
+ 

Review Comment:
   If impersonation.enabled defaults to false then why do we need to comment 
them out?


