[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter
smolnar82 commented on code in PR #681: URL: https://github.com/apache/knox/pull/681#discussion_r1053077654 ## gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationFilter.java: ## @@ -128,19 +124,19 @@ protected boolean enforceAclAuthorizationPolicy(ServletRequest request, boolean groupAccess = false; boolean ipAddrAccess; -Subject subject = Subject.getSubject(AccessController.getContext()); -Principal primaryPrincipal = (Principal)subject.getPrincipals(PrimaryPrincipal.class).toArray()[0]; -log.primaryPrincipal(primaryPrincipal.getName()); -Object[] impersonations = subject.getPrincipals(ImpersonatedPrincipal.class).toArray(); -if (impersonations.length > 0) { - log.impersonatedPrincipal(((Principal)impersonations[0]).getName()); - userAccess = checkUserAcls((Principal)impersonations[0]); +final Subject subject = SubjectUtils.getCurrentSubject(); Review Comment: Done. ## gateway-provider-identity-assertion-common/pom.xml: ## @@ -97,7 +97,14 @@ org.jboss.shrinkwrap shrinkwrap-api - + +org.apache.hadoop +hadoop-common + + +com.google.guava +guava Review Comment: Done. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter
smolnar82 commented on code in PR #681: URL: https://github.com/apache/knox/pull/681#discussion_r1053077074 ## gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilter.java: ## @@ -200,12 +202,12 @@ protected void doFilter(FilterChain filterChain, HttpServletRequest request, Htt HttpServletRequest proxyRequest = null; final String remoteUser = request.getRemoteUser(); if (!ignoreDoAs(remoteUser)) { - final String doAsUser = request.getParameter(QUERY_PARAMETER_DOAS); + final String doAsUser = request.getParameter(AuthFilterUtils.QUERY_PARAMETER_DOAS); if (doAsUser != null && !doAsUser.equals(remoteUser)) { LOG.hadoopAuthDoAsUser(doAsUser, remoteUser, request.getRemoteAddr()); if (request.getUserPrincipal() != null) { try { -proxyRequest = AuthFilterUtils.getProxyRequest(request, doAsUser, topologyName, HadoopAuthDeploymentContributor.NAME); +proxyRequest = AuthFilterUtils.getProxyRequest(request, request.getUserPrincipal().getName(), doAsUser, topologyName, HadoopAuthDeploymentContributor.NAME); Review Comment: Done. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter
smolnar82 commented on code in PR #681: URL: https://github.com/apache/knox/pull/681#discussion_r1053077392 ## gateway-release/home/conf/topologies/homepage.xml: ## @@ -60,6 +60,24 @@ identity-assertion Default true + Review Comment: Done. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter
smolnar82 commented on code in PR #681: URL: https://github.com/apache/knox/pull/681#discussion_r1053069990 ## gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilter.java: ## @@ -200,12 +202,12 @@ protected void doFilter(FilterChain filterChain, HttpServletRequest request, Htt HttpServletRequest proxyRequest = null; final String remoteUser = request.getRemoteUser(); if (!ignoreDoAs(remoteUser)) { - final String doAsUser = request.getParameter(QUERY_PARAMETER_DOAS); + final String doAsUser = request.getParameter(AuthFilterUtils.QUERY_PARAMETER_DOAS); if (doAsUser != null && !doAsUser.equals(remoteUser)) { LOG.hadoopAuthDoAsUser(doAsUser, remoteUser, request.getRemoteAddr()); if (request.getUserPrincipal() != null) { try { -proxyRequest = AuthFilterUtils.getProxyRequest(request, doAsUser, topologyName, HadoopAuthDeploymentContributor.NAME); +proxyRequest = AuthFilterUtils.getProxyRequest(request, request.getUserPrincipal().getName(), doAsUser, topologyName, HadoopAuthDeploymentContributor.NAME); Review Comment: @pzampino is right. It's not guaranteed that we'll use the principal name from the request when this method is called. In this particular case, this is true, but we have to keep the `remoteUserName` parameter so that clients can explicitly set it based on their needs. To make it even cleaner, I'll add a method overloading that will only have the `request` parameter and use it to get the user principal from it. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter
smolnar82 commented on code in PR #681: URL: https://github.com/apache/knox/pull/681#discussion_r1053069990 ## gateway-provider-security-hadoopauth/src/main/java/org/apache/knox/gateway/hadoopauth/filter/HadoopAuthFilter.java: ## @@ -200,12 +202,12 @@ protected void doFilter(FilterChain filterChain, HttpServletRequest request, Htt HttpServletRequest proxyRequest = null; final String remoteUser = request.getRemoteUser(); if (!ignoreDoAs(remoteUser)) { - final String doAsUser = request.getParameter(QUERY_PARAMETER_DOAS); + final String doAsUser = request.getParameter(AuthFilterUtils.QUERY_PARAMETER_DOAS); if (doAsUser != null && !doAsUser.equals(remoteUser)) { LOG.hadoopAuthDoAsUser(doAsUser, remoteUser, request.getRemoteAddr()); if (request.getUserPrincipal() != null) { try { -proxyRequest = AuthFilterUtils.getProxyRequest(request, doAsUser, topologyName, HadoopAuthDeploymentContributor.NAME); +proxyRequest = AuthFilterUtils.getProxyRequest(request, request.getUserPrincipal().getName(), doAsUser, topologyName, HadoopAuthDeploymentContributor.NAME); Review Comment: @pzampino is right. It's not guaranteed that we'll use the principal name from the request when this method is called. In this particular case, this is true, but we may keep the `remoteUserName` parameter. To make it even cleaner, I'll add a method overloading that will only have the `request` parameter and use it to get the user principal from it. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter
smolnar82 commented on code in PR #681: URL: https://github.com/apache/knox/pull/681#discussion_r1053066261 ## gateway-provider-identity-assertion-common/pom.xml: ## @@ -97,7 +97,14 @@ org.jboss.shrinkwrap shrinkwrap-api - + +org.apache.hadoop +hadoop-common + + +com.google.guava +guava Review Comment: hadoop-common is needed due to the newly introduced logic: AuthoriztionException is thrown in case proxyuser-based impersonation is not authorized. To mitigate this I'll create our own exception and util classes in gateway-spi (where we already have everything in place) and propagate/use these new exception/class down the line. Guava was added because of the `@VisibleForTesting` annotation which we really do not need, so I'll remove it. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter
smolnar82 commented on code in PR #681: URL: https://github.com/apache/knox/pull/681#discussion_r1052987748 ## gateway-release/home/conf/topologies/homepage.xml: ## @@ -60,6 +60,24 @@ identity-assertion Default true + Review Comment: Nice catch; I'll fix it soon (the comment remained there from testing). -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter
smolnar82 commented on code in PR #681: URL: https://github.com/apache/knox/pull/681#discussion_r1052987528 ## gateway-provider-security-authz-acls/src/main/java/org/apache/knox/gateway/filter/AclsAuthorizationFilter.java: ## @@ -128,19 +124,19 @@ protected boolean enforceAclAuthorizationPolicy(ServletRequest request, boolean groupAccess = false; boolean ipAddrAccess; -Subject subject = Subject.getSubject(AccessController.getContext()); -Principal primaryPrincipal = (Principal)subject.getPrincipals(PrimaryPrincipal.class).toArray()[0]; -log.primaryPrincipal(primaryPrincipal.getName()); -Object[] impersonations = subject.getPrincipals(ImpersonatedPrincipal.class).toArray(); -if (impersonations.length > 0) { - log.impersonatedPrincipal(((Principal)impersonations[0]).getName()); - userAccess = checkUserAcls((Principal)impersonations[0]); +final Subject subject = SubjectUtils.getCurrentSubject(); Review Comment: Nice catch; I'll fix it soon. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter
smolnar82 commented on code in PR #681: URL: https://github.com/apache/knox/pull/681#discussion_r1045689517 ## gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AccessTokenFederationFilter.java: ## @@ -176,6 +172,6 @@ private Subject createSubjectFromToken(JWTToken token) { // To modify the Principals Set, the caller must have AuthPermission("modifyPrincipals"). // To modify the public credential Set, the caller must have AuthPermission("modifyPublicCredentials"). // To modify the private credential Set, the caller must have AuthPermission("modifyPrivateCredentials"). -return new javax.security.auth.Subject(true, principals, emptySet, emptySet); +return new javax.security.auth.Subject(true, principals, Collections.emptySet(), Collections.emptySet()); Review Comment: This is a valid question. The answer is that it's even better than the implementation before due to the very same reason you described: once this subject is created, the principals cannot be modified. In lower layers, like in identity assertion, if someone wants to proceed with different principals, a new Subject has to be created and call `Subject.doAs`. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter
smolnar82 commented on code in PR #681: URL: https://github.com/apache/knox/pull/681#discussion_r1045668894 ## gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java: ## @@ -187,21 +219,46 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha } String principalName = getPrincipalName(subject); +String mappedPrincipalName = null; +try { + mappedPrincipalName = handleProxyUserImpersonation(request, principalName); +} catch(AuthorizationException e) { + LOG.hadoopAuthProxyUserFailed(e); + HttpExceptionUtils.createServletExceptionResponse((HttpServletResponse) response, HttpServletResponse.SC_FORBIDDEN, e); + return; +} -String mappedPrincipalName = mapUserPrincipalBase(principalName); +// mapping principal name using user principal mapping (if configured) +mappedPrincipalName = mapUserPrincipalBase(mappedPrincipalName); mappedPrincipalName = mapUserPrincipal(mappedPrincipalName); + String[] mappedGroups = mapGroupPrincipalsBase(mappedPrincipalName, subject); String[] groups = mapGroupPrincipals(mappedPrincipalName, subject); String[] virtualGroups = virtualGroupMapper.mapGroups(mappedPrincipalName, combine(subject, groups), request).toArray(new String[0]); groups = combineGroupMappings(mappedGroups, groups); groups = combineGroupMappings(virtualGroups, groups); -HttpServletRequestWrapper wrapper = wrapHttpServletRequest( -request, mappedPrincipalName); +HttpServletRequestWrapper wrapper = wrapHttpServletRequest(request, mappedPrincipalName); + continueChainAsPrincipal(wrapper, response, chain, mappedPrincipalName, unique(groups)); } + private String handleProxyUserImpersonation(ServletRequest request, String principalName) throws AuthorizationException { +if (impersonationEnabled) { + final String doAsUser = request.getParameter(AuthFilterUtils.QUERY_PARAMETER_DOAS); + if (doAsUser != null && !doAsUser.equals(principalName)) { +LOG.hadoopAuthDoAsUser(doAsUser, principalName, request.getRemoteAddr()); +if (principalName != null) { + AuthFilterUtils.authorizeImpersonationRequest((HttpServletRequest) request, principalName, doAsUser, topologyName, ROLE); + LOG.hadoopAuthProxyUserSuccess(); + return doAsUser; Review Comment: Done -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter
smolnar82 commented on code in PR #681: URL: https://github.com/apache/knox/pull/681#discussion_r1044360473 ## gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java: ## @@ -720,19 +705,21 @@ private Response getAuthenticationToken() { String createdBy = null; // checking the doAs user only makes sense if tokens are managed (this is where we store the userName information) // and if impersonation is enabled -if (impersonationEnabled && tokenStateService != null) { - final String doAsUser = request.getParameter(QUERY_PARAMETER_DOAS); - if (doAsUser != null && !doAsUser.equals(userName)) { -try { - //this call will authorize the doAs request - AuthFilterUtils.authorizeImpersonationRequest(request, doAsUser, getTopologyName(), TokenServiceDeploymentContributor.ROLE); - createdBy = userName; - userName = doAsUser; - log.tokenImpersonationSuccess(createdBy, doAsUser); -} catch (AuthorizationException e) { - log.tokenImpersonationFailed(e); - return Response.status(Response.Status.FORBIDDEN).entity("{ \"" + e.getMessage() + "\" }").build(); +if (tokenStateService != null) { + final String realUserName = (String) request.getAttribute(AuthFilterUtils.REAL_USER_NAME_ATTRIBUTE); + final Subject subject = SubjectUtils.getCurrentSubject(); + if (subject != null && SubjectUtils.isImpersonating(subject)) { +String primaryPrincipalName = SubjectUtils.getPrimaryPrincipalName(subject); +String impersonatedPrincipalName = SubjectUtils.getImpersonatedPrincipalName(subject); +if (!primaryPrincipalName.equals(impersonatedPrincipalName)) { + createdBy = primaryPrincipalName; + userName = impersonatedPrincipalName; + log.tokenImpersonationSuccess(createdBy, userName); Review Comment: This is now fixed above in HadoopAuthFilter as we discussed offline. ## gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java: ## @@ -187,21 +219,46 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha } String principalName = getPrincipalName(subject); +String mappedPrincipalName = null; +try { + mappedPrincipalName = handleProxyUserImpersonation(request, principalName); +} catch(AuthorizationException e) { + LOG.hadoopAuthProxyUserFailed(e); + HttpExceptionUtils.createServletExceptionResponse((HttpServletResponse) response, HttpServletResponse.SC_FORBIDDEN, e); + return; +} -String mappedPrincipalName = mapUserPrincipalBase(principalName); +// mapping principal name using user principal mapping (if configured) +mappedPrincipalName = mapUserPrincipalBase(mappedPrincipalName); mappedPrincipalName = mapUserPrincipal(mappedPrincipalName); + String[] mappedGroups = mapGroupPrincipalsBase(mappedPrincipalName, subject); String[] groups = mapGroupPrincipals(mappedPrincipalName, subject); String[] virtualGroups = virtualGroupMapper.mapGroups(mappedPrincipalName, combine(subject, groups), request).toArray(new String[0]); groups = combineGroupMappings(mappedGroups, groups); groups = combineGroupMappings(virtualGroups, groups); -HttpServletRequestWrapper wrapper = wrapHttpServletRequest( -request, mappedPrincipalName); +HttpServletRequestWrapper wrapper = wrapHttpServletRequest(request, mappedPrincipalName); + continueChainAsPrincipal(wrapper, response, chain, mappedPrincipalName, unique(groups)); } + private String handleProxyUserImpersonation(ServletRequest request, String principalName) throws AuthorizationException { +if (impersonationEnabled) { + final String doAsUser = request.getParameter(AuthFilterUtils.QUERY_PARAMETER_DOAS); + if (doAsUser != null && !doAsUser.equals(principalName)) { +LOG.hadoopAuthDoAsUser(doAsUser, principalName, request.getRemoteAddr()); +if (principalName != null) { + AuthFilterUtils.authorizeImpersonationRequest((HttpServletRequest) request, principalName, doAsUser, topologyName, ROLE); + LOG.hadoopAuthProxyUserSuccess(); Review Comment: We have that information in 3 lines above. This is "just" another complementary log entry that helps us while debugging to see if proxy user authorization succeeded. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter
smolnar82 commented on code in PR #681: URL: https://github.com/apache/knox/pull/681#discussion_r1035551478 ## gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java: ## @@ -720,19 +705,21 @@ private Response getAuthenticationToken() { String createdBy = null; // checking the doAs user only makes sense if tokens are managed (this is where we store the userName information) // and if impersonation is enabled -if (impersonationEnabled && tokenStateService != null) { - final String doAsUser = request.getParameter(QUERY_PARAMETER_DOAS); - if (doAsUser != null && !doAsUser.equals(userName)) { -try { - //this call will authorize the doAs request - AuthFilterUtils.authorizeImpersonationRequest(request, doAsUser, getTopologyName(), TokenServiceDeploymentContributor.ROLE); - createdBy = userName; - userName = doAsUser; - log.tokenImpersonationSuccess(createdBy, doAsUser); -} catch (AuthorizationException e) { - log.tokenImpersonationFailed(e); - return Response.status(Response.Status.FORBIDDEN).entity("{ \"" + e.getMessage() + "\" }").build(); +if (tokenStateService != null) { + final String realUserName = (String) request.getAttribute(AuthFilterUtils.REAL_USER_NAME_ATTRIBUTE); + final Subject subject = SubjectUtils.getCurrentSubject(); + if (subject != null && SubjectUtils.isImpersonating(subject)) { +String primaryPrincipalName = SubjectUtils.getPrimaryPrincipalName(subject); +String impersonatedPrincipalName = SubjectUtils.getImpersonatedPrincipalName(subject); +if (!primaryPrincipalName.equals(impersonatedPrincipalName)) { + createdBy = primaryPrincipalName; + userName = impersonatedPrincipalName; + log.tokenImpersonationSuccess(createdBy, userName); } + } else if (StringUtils.isNotBlank(realUserName) && !realUserName.equals(userName)) { +// real user name is set by HadoopAuth filter for impersonated requests (part of 'doAs' processing) +createdBy = realUserName; Review Comment: @pzampino , @lmccay - I agree too. However, the way how the HadoopAuthFilter and the IdentityAssertionFilter handle impersonation is different: - the first uses a wrapped HTTP request down the line, where the `getRemoteUser` and `getUserPrincipal` methods are overridden - whereas the second uses `Subject.doAs` with the configured principals I also prefer the 2nd way but given we are close to the release I'm not sure if changing the `HadoopAuthFilter` behavior to use `Subject.doAs` is a good idea. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter
smolnar82 commented on code in PR #681: URL: https://github.com/apache/knox/pull/681#discussion_r1034908229 ## gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java: ## @@ -84,57 +98,86 @@ public void init(FilterConfig filterConfig) throws ServletException { throw new ServletException("Unable to load principal mapping table.", e); } } -virtualGroupMapper = new VirtualGroupMapper(loadVirtualGroups(filterConfig)); -String impersonationListFromConfig = filterConfig.getInitParameter(IMPERSONATION_PARAMS); -if (impersonationListFromConfig == null || impersonationListFromConfig.isEmpty()) { - impersonationListFromConfig = filterConfig.getServletContext().getInitParameter(IMPERSONATION_PARAMS); -} -initImpersonationParamsList(impersonationListFromConfig); + +//subsequent iterations on filterConfig.getInitParameterNames() would not work if we simply used that as an enumeration +final List initParameterNames = filterConfig.getInitParameterNames() == null ? Collections.emptyList() +: Collections.list(filterConfig.getInitParameterNames()); + +virtualGroupMapper = new VirtualGroupMapper(loadVirtualGroups(filterConfig, initParameterNames)); + +initImpersonationParamsList(filterConfig); +initProxyUserConfiguration(filterConfig, initParameterNames); } - /** + /* * Initialize the impersonation params list. * This list contains query params that needs to be scrubbed * from the outgoing request. - * @param impersonationListFromConfig - * @return */ - private void initImpersonationParamsList(final String impersonationListFromConfig) { + private void initImpersonationParamsList(FilterConfig filterConfig) { +String impersonationListFromConfig = filterConfig.getInitParameter(IMPERSONATION_PARAMS); +if (impersonationListFromConfig == null || impersonationListFromConfig.isEmpty()) { + impersonationListFromConfig = filterConfig.getServletContext().getInitParameter(IMPERSONATION_PARAMS); +} + /* Add default impersonation params */ impersonationParamsList.add(DOAS_PRINCIPAL_PARAM); impersonationParamsList.add(PRINCIPAL_PARAM); -if(null == impersonationListFromConfig || impersonationListFromConfig.isEmpty()) { - return; -} else { + +if (impersonationListFromConfig != null && !impersonationListFromConfig.isEmpty()) { /* Add configured impersonation params */ LOG.impersonationConfig(impersonationListFromConfig); final StringTokenizer t = new StringTokenizer(impersonationListFromConfig, ","); - while(t.hasMoreElements()) { + while (t.hasMoreElements()) { final String token = t.nextToken().trim(); -if(!impersonationParamsList.contains(token)) { +if (!impersonationParamsList.contains(token)) { impersonationParamsList.add(token); } } } } - private Map loadVirtualGroups(FilterConfig filterConfig) { + private void initProxyUserConfiguration(FilterConfig filterConfig, List initParameterNames) { +final String impersonationEnabledValue = filterConfig.getInitParameter(IMPERSONATION_ENABLED_PARAM); +this.impersonationEnabled = impersonationEnabledValue == null ? Boolean.FALSE : Boolean.parseBoolean(impersonationEnabledValue); Review Comment: Fixed. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter
smolnar82 commented on code in PR #681: URL: https://github.com/apache/knox/pull/681#discussion_r1034907903 ## gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/IdentityAsserterMessages.java: ## @@ -50,4 +51,16 @@ public interface IdentityAsserterMessages { @Message( level = MessageLevel.INFO, text = "Using configured impersonation parameters: {0}") void impersonationConfig(String config); + + @Message( level = MessageLevel.WARN, text = "Configured proxyuser parameters are IGNORED because the HadoopAuth filter already has them.") Review Comment: Fixed. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [knox] smolnar82 commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter
smolnar82 commented on code in PR #681: URL: https://github.com/apache/knox/pull/681#discussion_r1034635599 ## gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/IdentityAsserterMessages.java: ## @@ -50,4 +51,16 @@ public interface IdentityAsserterMessages { @Message( level = MessageLevel.INFO, text = "Using configured impersonation parameters: {0}") void impersonationConfig(String config); + + @Message( level = MessageLevel.WARN, text = "Configured proxyuser parameters are IGNORED because the HadoopAuth filter already has them.") Review Comment: Ack; I'll change that. ## gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java: ## @@ -84,57 +98,86 @@ public void init(FilterConfig filterConfig) throws ServletException { throw new ServletException("Unable to load principal mapping table.", e); } } -virtualGroupMapper = new VirtualGroupMapper(loadVirtualGroups(filterConfig)); -String impersonationListFromConfig = filterConfig.getInitParameter(IMPERSONATION_PARAMS); -if (impersonationListFromConfig == null || impersonationListFromConfig.isEmpty()) { - impersonationListFromConfig = filterConfig.getServletContext().getInitParameter(IMPERSONATION_PARAMS); -} -initImpersonationParamsList(impersonationListFromConfig); + +//subsequent iterations on filterConfig.getInitParameterNames() would not work if we simply used that as an enumeration Review Comment: I'll add a more detailed explanation in the code too: `getInitParameters()` returns an enumeration and the first time we iterate thru on its element we can process the parameter names (`hasMoreElements` returns `true`). The subsequent calls, however, will not succeed because `getInitParameters()` returns the same object where the `hasMoreElements` returns `false`. In this class, the first event is populating virtual group mapping and then we do the same for proxyuser config. ## gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java: ## @@ -84,57 +98,86 @@ public void init(FilterConfig filterConfig) throws ServletException { throw new ServletException("Unable to load principal mapping table.", e); } } -virtualGroupMapper = new VirtualGroupMapper(loadVirtualGroups(filterConfig)); -String impersonationListFromConfig = filterConfig.getInitParameter(IMPERSONATION_PARAMS); -if (impersonationListFromConfig == null || impersonationListFromConfig.isEmpty()) { - impersonationListFromConfig = filterConfig.getServletContext().getInitParameter(IMPERSONATION_PARAMS); -} -initImpersonationParamsList(impersonationListFromConfig); + +//subsequent iterations on filterConfig.getInitParameterNames() would not work if we simply used that as an enumeration +final List initParameterNames = filterConfig.getInitParameterNames() == null ? Collections.emptyList() +: Collections.list(filterConfig.getInitParameterNames()); + +virtualGroupMapper = new VirtualGroupMapper(loadVirtualGroups(filterConfig, initParameterNames)); + +initImpersonationParamsList(filterConfig); +initProxyUserConfiguration(filterConfig, initParameterNames); } - /** + /* * Initialize the impersonation params list. * This list contains query params that needs to be scrubbed * from the outgoing request. - * @param impersonationListFromConfig - * @return */ - private void initImpersonationParamsList(final String impersonationListFromConfig) { + private void initImpersonationParamsList(FilterConfig filterConfig) { +String impersonationListFromConfig = filterConfig.getInitParameter(IMPERSONATION_PARAMS); +if (impersonationListFromConfig == null || impersonationListFromConfig.isEmpty()) { + impersonationListFromConfig = filterConfig.getServletContext().getInitParameter(IMPERSONATION_PARAMS); +} + /* Add default impersonation params */ impersonationParamsList.add(DOAS_PRINCIPAL_PARAM); impersonationParamsList.add(PRINCIPAL_PARAM); -if(null == impersonationListFromConfig || impersonationListFromConfig.isEmpty()) { - return; -} else { + +if (impersonationListFromConfig != null && !impersonationListFromConfig.isEmpty()) { /* Add configured impersonation params */ LOG.impersonationConfig(impersonationListFromConfig); final StringTokenizer t = new StringTokenizer(impersonationListFromConfig, ","); - while(t.hasMoreElements()) { + while (t.hasMoreElements()) { final String token = t.nextToken().trim(); -if(!impersonationParamsList.contains(token)) { +if (!impersonationParamsList.contains(token)) { impersonationParamsList.add(token); } }