[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter
smolnar82 commented on code in PR #681:
URL: https://github.com/apache/knox/pull/681#discussion_r1053077654
##
gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationFilter.java:
##
@@ -128,19 +124,19 @@ protected boolean
enforceAclAuthorizationPolicy(ServletRequest request,
boolean groupAccess = false;
boolean ipAddrAccess;
-Subject subject = Subject.getSubject(AccessController.getContext());
-Principal primaryPrincipal =
(Principal)subject.getPrincipals(PrimaryPrincipal.class).toArray()[0];
-log.primaryPrincipal(primaryPrincipal.getName());
-Object[] impersonations =
subject.getPrincipals(ImpersonatedPrincipal.class).toArray();
-if (impersonations.length > 0) {
- log.impersonatedPrincipal(((Principal)impersonations[0]).getName());
- userAccess = checkUserAcls((Principal)impersonations[0]);
+final Subject subject = SubjectUtils.getCurrentSubject();
Review Comment:
Done.
##
gateway-provider-identity-assertion-common/pom.xml:
##
@@ -97,7 +97,14 @@
org.jboss.shrinkwrap
shrinkwrap-api
-
+
+org.apache.hadoop
+hadoop-common
+
+
+com.google.guava
+guava
Review Comment:
Done.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter
smolnar82 commented on code in PR #681:
URL: https://github.com/apache/knox/pull/681#discussion_r1053077074
##
gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilter.java:
##
@@ -200,12 +202,12 @@ protected void doFilter(FilterChain filterChain,
HttpServletRequest request, Htt
HttpServletRequest proxyRequest = null;
final String remoteUser = request.getRemoteUser();
if (!ignoreDoAs(remoteUser)) {
- final String doAsUser = request.getParameter(QUERY_PARAMETER_DOAS);
+ final String doAsUser =
request.getParameter(AuthFilterUtils.QUERY_PARAMETER_DOAS);
if (doAsUser != null && !doAsUser.equals(remoteUser)) {
LOG.hadoopAuthDoAsUser(doAsUser, remoteUser, request.getRemoteAddr());
if (request.getUserPrincipal() != null) {
try {
-proxyRequest = AuthFilterUtils.getProxyRequest(request, doAsUser,
topologyName, HadoopAuthDeploymentContributor.NAME);
+proxyRequest = AuthFilterUtils.getProxyRequest(request,
request.getUserPrincipal().getName(), doAsUser, topologyName,
HadoopAuthDeploymentContributor.NAME);
Review Comment:
Done.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter
smolnar82 commented on code in PR #681: URL: https://github.com/apache/knox/pull/681#discussion_r1053077392 ## gateway-release/home/conf/topologies/homepage.xml: ## @@ -60,6 +60,24 @@ identity-assertion Default true + Review Comment: Done. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter
smolnar82 commented on code in PR #681:
URL: https://github.com/apache/knox/pull/681#discussion_r1053069990
##
gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilter.java:
##
@@ -200,12 +202,12 @@ protected void doFilter(FilterChain filterChain,
HttpServletRequest request, Htt
HttpServletRequest proxyRequest = null;
final String remoteUser = request.getRemoteUser();
if (!ignoreDoAs(remoteUser)) {
- final String doAsUser = request.getParameter(QUERY_PARAMETER_DOAS);
+ final String doAsUser =
request.getParameter(AuthFilterUtils.QUERY_PARAMETER_DOAS);
if (doAsUser != null && !doAsUser.equals(remoteUser)) {
LOG.hadoopAuthDoAsUser(doAsUser, remoteUser, request.getRemoteAddr());
if (request.getUserPrincipal() != null) {
try {
-proxyRequest = AuthFilterUtils.getProxyRequest(request, doAsUser,
topologyName, HadoopAuthDeploymentContributor.NAME);
+proxyRequest = AuthFilterUtils.getProxyRequest(request,
request.getUserPrincipal().getName(), doAsUser, topologyName,
HadoopAuthDeploymentContributor.NAME);
Review Comment:
@pzampino is right. It's not guaranteed that we'll use the principal name
from the request when this method is called. In this particular case, this is
true, but we have to keep the `remoteUserName` parameter so that clients can
explicitly set it based on their needs.
To make it even cleaner, I'll add a method overloading that will only have
the `request` parameter and use it to get the user principal from it.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter
smolnar82 commented on code in PR #681:
URL: https://github.com/apache/knox/pull/681#discussion_r1053069990
##
gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilter.java:
##
@@ -200,12 +202,12 @@ protected void doFilter(FilterChain filterChain,
HttpServletRequest request, Htt
HttpServletRequest proxyRequest = null;
final String remoteUser = request.getRemoteUser();
if (!ignoreDoAs(remoteUser)) {
- final String doAsUser = request.getParameter(QUERY_PARAMETER_DOAS);
+ final String doAsUser =
request.getParameter(AuthFilterUtils.QUERY_PARAMETER_DOAS);
if (doAsUser != null && !doAsUser.equals(remoteUser)) {
LOG.hadoopAuthDoAsUser(doAsUser, remoteUser, request.getRemoteAddr());
if (request.getUserPrincipal() != null) {
try {
-proxyRequest = AuthFilterUtils.getProxyRequest(request, doAsUser,
topologyName, HadoopAuthDeploymentContributor.NAME);
+proxyRequest = AuthFilterUtils.getProxyRequest(request,
request.getUserPrincipal().getName(), doAsUser, topologyName,
HadoopAuthDeploymentContributor.NAME);
Review Comment:
@pzampino is right. It's not guaranteed that we'll use the principal name
from the request when this method is called. In this particular case, this is
true, but we may keep the `remoteUserName` parameter.
To make it even cleaner, I'll add a method overloading that will only have
the `request` parameter and use it to get the user principal from it.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter
smolnar82 commented on code in PR #681: URL: https://github.com/apache/knox/pull/681#discussion_r1053066261 ## gateway-provider-identity-assertion-common/pom.xml: ## @@ -97,7 +97,14 @@ org.jboss.shrinkwrap shrinkwrap-api - + +org.apache.hadoop +hadoop-common + + +com.google.guava +guava Review Comment: hadoop-common is needed due to the newly introduced logic: AuthoriztionException is thrown in case proxyuser-based impersonation is not authorized. To mitigate this I'll create our own exception and util classes in gateway-spi (where we already have everything in place) and propagate/use these new exception/class down the line. Guava was added because of the `@VisibleForTesting` annotation which we really do not need, so I'll remove it. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter
smolnar82 commented on code in PR #681: URL: https://github.com/apache/knox/pull/681#discussion_r1052987748 ## gateway-release/home/conf/topologies/homepage.xml: ## @@ -60,6 +60,24 @@ identity-assertion Default true + Review Comment: Nice catch; I'll fix it soon (the comment remained there from testing). -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter
smolnar82 commented on code in PR #681:
URL: https://github.com/apache/knox/pull/681#discussion_r1052987528
##
gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationFilter.java:
##
@@ -128,19 +124,19 @@ protected boolean
enforceAclAuthorizationPolicy(ServletRequest request,
boolean groupAccess = false;
boolean ipAddrAccess;
-Subject subject = Subject.getSubject(AccessController.getContext());
-Principal primaryPrincipal =
(Principal)subject.getPrincipals(PrimaryPrincipal.class).toArray()[0];
-log.primaryPrincipal(primaryPrincipal.getName());
-Object[] impersonations =
subject.getPrincipals(ImpersonatedPrincipal.class).toArray();
-if (impersonations.length > 0) {
- log.impersonatedPrincipal(((Principal)impersonations[0]).getName());
- userAccess = checkUserAcls((Principal)impersonations[0]);
+final Subject subject = SubjectUtils.getCurrentSubject();
Review Comment:
Nice catch; I'll fix it soon.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter
smolnar82 commented on code in PR #681:
URL: https://github.com/apache/knox/pull/681#discussion_r1045689517
##
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java:
##
@@ -176,6 +172,6 @@ private Subject createSubjectFromToken(JWTToken token) {
// To modify the Principals Set, the caller must have
AuthPermission("modifyPrincipals").
// To modify the public credential Set, the caller must have
AuthPermission("modifyPublicCredentials").
// To modify the private credential Set, the caller must have
AuthPermission("modifyPrivateCredentials").
-return new javax.security.auth.Subject(true, principals, emptySet,
emptySet);
+return new javax.security.auth.Subject(true, principals,
Collections.emptySet(), Collections.emptySet());
Review Comment:
This is a valid question. The answer is that it's even better than the
implementation before due to the very same reason you described: once this
subject is created, the principals cannot be modified. In lower layers, like in
identity assertion, if someone wants to proceed with different principals, a
new Subject has to be created and call `Subject.doAs`.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter
smolnar82 commented on code in PR #681:
URL: https://github.com/apache/knox/pull/681#discussion_r1045668894
##
gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java:
##
@@ -187,21 +219,46 @@ public void doFilter(ServletRequest request,
ServletResponse response, FilterCha
}
String principalName = getPrincipalName(subject);
+String mappedPrincipalName = null;
+try {
+ mappedPrincipalName = handleProxyUserImpersonation(request,
principalName);
+} catch(AuthorizationException e) {
+ LOG.hadoopAuthProxyUserFailed(e);
+ HttpExceptionUtils.createServletExceptionResponse((HttpServletResponse)
response, HttpServletResponse.SC_FORBIDDEN, e);
+ return;
+}
-String mappedPrincipalName = mapUserPrincipalBase(principalName);
+// mapping principal name using user principal mapping (if configured)
+mappedPrincipalName = mapUserPrincipalBase(mappedPrincipalName);
mappedPrincipalName = mapUserPrincipal(mappedPrincipalName);
+
String[] mappedGroups = mapGroupPrincipalsBase(mappedPrincipalName,
subject);
String[] groups = mapGroupPrincipals(mappedPrincipalName, subject);
String[] virtualGroups = virtualGroupMapper.mapGroups(mappedPrincipalName,
combine(subject, groups), request).toArray(new String[0]);
groups = combineGroupMappings(mappedGroups, groups);
groups = combineGroupMappings(virtualGroups, groups);
-HttpServletRequestWrapper wrapper = wrapHttpServletRequest(
-request, mappedPrincipalName);
+HttpServletRequestWrapper wrapper = wrapHttpServletRequest(request,
mappedPrincipalName);
+
continueChainAsPrincipal(wrapper, response, chain, mappedPrincipalName,
unique(groups));
}
+ private String handleProxyUserImpersonation(ServletRequest request, String
principalName) throws AuthorizationException {
+if (impersonationEnabled) {
+ final String doAsUser =
request.getParameter(AuthFilterUtils.QUERY_PARAMETER_DOAS);
+ if (doAsUser != null && !doAsUser.equals(principalName)) {
+LOG.hadoopAuthDoAsUser(doAsUser, principalName,
request.getRemoteAddr());
+if (principalName != null) {
+ AuthFilterUtils.authorizeImpersonationRequest((HttpServletRequest)
request, principalName, doAsUser, topologyName, ROLE);
+ LOG.hadoopAuthProxyUserSuccess();
+ return doAsUser;
Review Comment:
Done
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter
smolnar82 commented on code in PR #681:
URL: https://github.com/apache/knox/pull/681#discussion_r1044360473
##
gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java:
##
@@ -720,19 +705,21 @@ private Response getAuthenticationToken() {
String createdBy = null;
// checking the doAs user only makes sense if tokens are managed (this is
where we store the userName information)
// and if impersonation is enabled
-if (impersonationEnabled && tokenStateService != null) {
- final String doAsUser = request.getParameter(QUERY_PARAMETER_DOAS);
- if (doAsUser != null && !doAsUser.equals(userName)) {
-try {
- //this call will authorize the doAs request
- AuthFilterUtils.authorizeImpersonationRequest(request, doAsUser,
getTopologyName(), TokenServiceDeploymentContributor.ROLE);
- createdBy = userName;
- userName = doAsUser;
- log.tokenImpersonationSuccess(createdBy, doAsUser);
-} catch (AuthorizationException e) {
- log.tokenImpersonationFailed(e);
- return Response.status(Response.Status.FORBIDDEN).entity("{ \"" +
e.getMessage() + "\" }").build();
+if (tokenStateService != null) {
+ final String realUserName = (String)
request.getAttribute(AuthFilterUtils.REAL_USER_NAME_ATTRIBUTE);
+ final Subject subject = SubjectUtils.getCurrentSubject();
+ if (subject != null && SubjectUtils.isImpersonating(subject)) {
+String primaryPrincipalName =
SubjectUtils.getPrimaryPrincipalName(subject);
+String impersonatedPrincipalName =
SubjectUtils.getImpersonatedPrincipalName(subject);
+if (!primaryPrincipalName.equals(impersonatedPrincipalName)) {
+ createdBy = primaryPrincipalName;
+ userName = impersonatedPrincipalName;
+ log.tokenImpersonationSuccess(createdBy, userName);
Review Comment:
This is now fixed above in HadoopAuthFilter as we discussed offline.
##
gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java:
##
@@ -187,21 +219,46 @@ public void doFilter(ServletRequest request,
ServletResponse response, FilterCha
}
String principalName = getPrincipalName(subject);
+String mappedPrincipalName = null;
+try {
+ mappedPrincipalName = handleProxyUserImpersonation(request,
principalName);
+} catch(AuthorizationException e) {
+ LOG.hadoopAuthProxyUserFailed(e);
+ HttpExceptionUtils.createServletExceptionResponse((HttpServletResponse)
response, HttpServletResponse.SC_FORBIDDEN, e);
+ return;
+}
-String mappedPrincipalName = mapUserPrincipalBase(principalName);
+// mapping principal name using user principal mapping (if configured)
+mappedPrincipalName = mapUserPrincipalBase(mappedPrincipalName);
mappedPrincipalName = mapUserPrincipal(mappedPrincipalName);
+
String[] mappedGroups = mapGroupPrincipalsBase(mappedPrincipalName,
subject);
String[] groups = mapGroupPrincipals(mappedPrincipalName, subject);
String[] virtualGroups = virtualGroupMapper.mapGroups(mappedPrincipalName,
combine(subject, groups), request).toArray(new String[0]);
groups = combineGroupMappings(mappedGroups, groups);
groups = combineGroupMappings(virtualGroups, groups);
-HttpServletRequestWrapper wrapper = wrapHttpServletRequest(
-request, mappedPrincipalName);
+HttpServletRequestWrapper wrapper = wrapHttpServletRequest(request,
mappedPrincipalName);
+
continueChainAsPrincipal(wrapper, response, chain, mappedPrincipalName,
unique(groups));
}
+ private String handleProxyUserImpersonation(ServletRequest request, String
principalName) throws AuthorizationException {
+if (impersonationEnabled) {
+ final String doAsUser =
request.getParameter(AuthFilterUtils.QUERY_PARAMETER_DOAS);
+ if (doAsUser != null && !doAsUser.equals(principalName)) {
+LOG.hadoopAuthDoAsUser(doAsUser, principalName,
request.getRemoteAddr());
+if (principalName != null) {
+ AuthFilterUtils.authorizeImpersonationRequest((HttpServletRequest)
request, principalName, doAsUser, topologyName, ROLE);
+ LOG.hadoopAuthProxyUserSuccess();
Review Comment:
We have that information in 3 lines above. This is "just" another
complementary log entry that helps us while debugging to see if proxy user
authorization succeeded.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter
smolnar82 commented on code in PR #681:
URL: https://github.com/apache/knox/pull/681#discussion_r1035551478
##
gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java:
##
@@ -720,19 +705,21 @@ private Response getAuthenticationToken() {
String createdBy = null;
// checking the doAs user only makes sense if tokens are managed (this is
where we store the userName information)
// and if impersonation is enabled
-if (impersonationEnabled && tokenStateService != null) {
- final String doAsUser = request.getParameter(QUERY_PARAMETER_DOAS);
- if (doAsUser != null && !doAsUser.equals(userName)) {
-try {
- //this call will authorize the doAs request
- AuthFilterUtils.authorizeImpersonationRequest(request, doAsUser,
getTopologyName(), TokenServiceDeploymentContributor.ROLE);
- createdBy = userName;
- userName = doAsUser;
- log.tokenImpersonationSuccess(createdBy, doAsUser);
-} catch (AuthorizationException e) {
- log.tokenImpersonationFailed(e);
- return Response.status(Response.Status.FORBIDDEN).entity("{ \"" +
e.getMessage() + "\" }").build();
+if (tokenStateService != null) {
+ final String realUserName = (String)
request.getAttribute(AuthFilterUtils.REAL_USER_NAME_ATTRIBUTE);
+ final Subject subject = SubjectUtils.getCurrentSubject();
+ if (subject != null && SubjectUtils.isImpersonating(subject)) {
+String primaryPrincipalName =
SubjectUtils.getPrimaryPrincipalName(subject);
+String impersonatedPrincipalName =
SubjectUtils.getImpersonatedPrincipalName(subject);
+if (!primaryPrincipalName.equals(impersonatedPrincipalName)) {
+ createdBy = primaryPrincipalName;
+ userName = impersonatedPrincipalName;
+ log.tokenImpersonationSuccess(createdBy, userName);
}
+ } else if (StringUtils.isNotBlank(realUserName) &&
!realUserName.equals(userName)) {
+// real user name is set by HadoopAuth filter for impersonated
requests (part of 'doAs' processing)
+createdBy = realUserName;
Review Comment:
@pzampino , @lmccay - I agree too. However, the way how the HadoopAuthFilter
and the IdentityAssertionFilter handle impersonation is different:
- the first uses a wrapped HTTP request down the line, where the
`getRemoteUser` and `getUserPrincipal` methods are overridden
- whereas the second uses `Subject.doAs` with the configured principals
I also prefer the 2nd way but given we are close to the release I'm not sure
if changing the `HadoopAuthFilter` behavior to use `Subject.doAs` is a good
idea.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter
smolnar82 commented on code in PR #681:
URL: https://github.com/apache/knox/pull/681#discussion_r1034908229
##
gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java:
##
@@ -84,57 +98,86 @@ public void init(FilterConfig filterConfig) throws
ServletException {
throw new ServletException("Unable to load principal mapping table.",
e);
}
}
-virtualGroupMapper = new
VirtualGroupMapper(loadVirtualGroups(filterConfig));
-String impersonationListFromConfig =
filterConfig.getInitParameter(IMPERSONATION_PARAMS);
-if (impersonationListFromConfig == null ||
impersonationListFromConfig.isEmpty()) {
- impersonationListFromConfig =
filterConfig.getServletContext().getInitParameter(IMPERSONATION_PARAMS);
-}
-initImpersonationParamsList(impersonationListFromConfig);
+
+//subsequent iterations on filterConfig.getInitParameterNames() would not
work if we simply used that as an enumeration
+final List initParameterNames =
filterConfig.getInitParameterNames() == null ? Collections.emptyList()
+: Collections.list(filterConfig.getInitParameterNames());
+
+virtualGroupMapper = new
VirtualGroupMapper(loadVirtualGroups(filterConfig, initParameterNames));
+
+initImpersonationParamsList(filterConfig);
+initProxyUserConfiguration(filterConfig, initParameterNames);
}
- /**
+ /*
* Initialize the impersonation params list.
* This list contains query params that needs to be scrubbed
* from the outgoing request.
- * @param impersonationListFromConfig
- * @return
*/
- private void initImpersonationParamsList(final String
impersonationListFromConfig) {
+ private void initImpersonationParamsList(FilterConfig filterConfig) {
+String impersonationListFromConfig =
filterConfig.getInitParameter(IMPERSONATION_PARAMS);
+if (impersonationListFromConfig == null ||
impersonationListFromConfig.isEmpty()) {
+ impersonationListFromConfig =
filterConfig.getServletContext().getInitParameter(IMPERSONATION_PARAMS);
+}
+
/* Add default impersonation params */
impersonationParamsList.add(DOAS_PRINCIPAL_PARAM);
impersonationParamsList.add(PRINCIPAL_PARAM);
-if(null == impersonationListFromConfig ||
impersonationListFromConfig.isEmpty()) {
- return;
-} else {
+
+if (impersonationListFromConfig != null &&
!impersonationListFromConfig.isEmpty()) {
/* Add configured impersonation params */
LOG.impersonationConfig(impersonationListFromConfig);
final StringTokenizer t = new
StringTokenizer(impersonationListFromConfig, ",");
- while(t.hasMoreElements()) {
+ while (t.hasMoreElements()) {
final String token = t.nextToken().trim();
-if(!impersonationParamsList.contains(token)) {
+if (!impersonationParamsList.contains(token)) {
impersonationParamsList.add(token);
}
}
}
}
- private Map loadVirtualGroups(FilterConfig
filterConfig) {
+ private void initProxyUserConfiguration(FilterConfig filterConfig,
List initParameterNames) {
+final String impersonationEnabledValue =
filterConfig.getInitParameter(IMPERSONATION_ENABLED_PARAM);
+this.impersonationEnabled = impersonationEnabledValue == null ?
Boolean.FALSE : Boolean.parseBoolean(impersonationEnabledValue);
Review Comment:
Fixed.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter
smolnar82 commented on code in PR #681:
URL: https://github.com/apache/knox/pull/681#discussion_r1034907903
##
gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/IdentityAsserterMessages.java:
##
@@ -50,4 +51,16 @@ public interface IdentityAsserterMessages {
@Message( level = MessageLevel.INFO, text = "Using configured impersonation
parameters: {0}")
void impersonationConfig(String config);
+
+ @Message( level = MessageLevel.WARN, text = "Configured proxyuser parameters
are IGNORED because the HadoopAuth filter already has them.")
Review Comment:
Fixed.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter
smolnar82 commented on code in PR #681:
URL: https://github.com/apache/knox/pull/681#discussion_r1034635599
##
gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/IdentityAsserterMessages.java:
##
@@ -50,4 +51,16 @@ public interface IdentityAsserterMessages {
@Message( level = MessageLevel.INFO, text = "Using configured impersonation
parameters: {0}")
void impersonationConfig(String config);
+
+ @Message( level = MessageLevel.WARN, text = "Configured proxyuser parameters
are IGNORED because the HadoopAuth filter already has them.")
Review Comment:
Ack; I'll change that.
##
gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java:
##
@@ -84,57 +98,86 @@ public void init(FilterConfig filterConfig) throws
ServletException {
throw new ServletException("Unable to load principal mapping table.",
e);
}
}
-virtualGroupMapper = new
VirtualGroupMapper(loadVirtualGroups(filterConfig));
-String impersonationListFromConfig =
filterConfig.getInitParameter(IMPERSONATION_PARAMS);
-if (impersonationListFromConfig == null ||
impersonationListFromConfig.isEmpty()) {
- impersonationListFromConfig =
filterConfig.getServletContext().getInitParameter(IMPERSONATION_PARAMS);
-}
-initImpersonationParamsList(impersonationListFromConfig);
+
+//subsequent iterations on filterConfig.getInitParameterNames() would not
work if we simply used that as an enumeration
Review Comment:
I'll add a more detailed explanation in the code too: `getInitParameters()`
returns an enumeration and the first time we iterate thru on its element we can
process the parameter names (`hasMoreElements` returns `true`). The subsequent
calls, however, will not succeed because `getInitParameters()` returns the same
object where the `hasMoreElements` returns `false`. In this class, the first
event is populating virtual group mapping and then we do the same for proxyuser
config.
##
gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java:
##
@@ -84,57 +98,86 @@ public void init(FilterConfig filterConfig) throws
ServletException {
throw new ServletException("Unable to load principal mapping table.",
e);
}
}
-virtualGroupMapper = new
VirtualGroupMapper(loadVirtualGroups(filterConfig));
-String impersonationListFromConfig =
filterConfig.getInitParameter(IMPERSONATION_PARAMS);
-if (impersonationListFromConfig == null ||
impersonationListFromConfig.isEmpty()) {
- impersonationListFromConfig =
filterConfig.getServletContext().getInitParameter(IMPERSONATION_PARAMS);
-}
-initImpersonationParamsList(impersonationListFromConfig);
+
+//subsequent iterations on filterConfig.getInitParameterNames() would not
work if we simply used that as an enumeration
+final List initParameterNames =
filterConfig.getInitParameterNames() == null ? Collections.emptyList()
+: Collections.list(filterConfig.getInitParameterNames());
+
+virtualGroupMapper = new
VirtualGroupMapper(loadVirtualGroups(filterConfig, initParameterNames));
+
+initImpersonationParamsList(filterConfig);
+initProxyUserConfiguration(filterConfig, initParameterNames);
}
- /**
+ /*
* Initialize the impersonation params list.
* This list contains query params that needs to be scrubbed
* from the outgoing request.
- * @param impersonationListFromConfig
- * @return
*/
- private void initImpersonationParamsList(final String
impersonationListFromConfig) {
+ private void initImpersonationParamsList(FilterConfig filterConfig) {
+String impersonationListFromConfig =
filterConfig.getInitParameter(IMPERSONATION_PARAMS);
+if (impersonationListFromConfig == null ||
impersonationListFromConfig.isEmpty()) {
+ impersonationListFromConfig =
filterConfig.getServletContext().getInitParameter(IMPERSONATION_PARAMS);
+}
+
/* Add default impersonation params */
impersonationParamsList.add(DOAS_PRINCIPAL_PARAM);
impersonationParamsList.add(PRINCIPAL_PARAM);
-if(null == impersonationListFromConfig ||
impersonationListFromConfig.isEmpty()) {
- return;
-} else {
+
+if (impersonationListFromConfig != null &&
!impersonationListFromConfig.isEmpty()) {
/* Add configured impersonation params */
LOG.impersonationConfig(impersonationListFromConfig);
final StringTokenizer t = new
StringTokenizer(impersonationListFromConfig, ",");
- while(t.hasMoreElements()) {
+ while (t.hasMoreElements()) {
final String token = t.nextToken().trim();
-if(!impersonationParamsList.contains(token)) {
+if (!impersonationParamsList.contains(token)) {
impersonationParamsList.add(token);
}
}
