This is an automated email from the ASF dual-hosted git repository.

smolnar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git


The following commit(s) were added to refs/heads/master by this push:
     new 044ad1c36 KNOX-3185 - Knox token limit per user is now configurable on 
the topology level too (#1080)
044ad1c36 is described below

commit 044ad1c36231940464921172fc6f86373c2bba79
Author: Sandor Molnar <[email protected]>
AuthorDate: Wed Sep 3 18:53:18 2025 +0200

    KNOX-3185 - Knox token limit per user is now configurable on the topology 
level too (#1080)
---
 .../apache/knox/gateway/service/knoxtoken/TokenResource.java  | 11 +++++++++++
 .../gateway/service/knoxtoken/TokenServiceResourceTest.java   |  9 ++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git 
a/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
 
b/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
index e0904b8a4..f856ce699 100644
--- 
a/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
+++ 
b/gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java
@@ -140,6 +140,7 @@ public class TokenResource {
   private static final String TSS_MAXIMUM_LIFETIME_TEXT = 
"maximumLifetimeText";
   private static final String LIFESPAN_INPUT_ENABLED_PARAM = 
TOKEN_PARAM_PREFIX + "lifespan.input.enabled";
   private static final String LIFESPAN_INPUT_ENABLED_TEXT = 
"lifespanInputEnabled";
+  static final String KNOX_TOKEN_USER_LIMIT_PER_USER = TOKEN_PARAM_PREFIX + 
"limit.per.user";
   static final String KNOX_TOKEN_USER_LIMIT_EXCEEDED_ACTION = 
TOKEN_PARAM_PREFIX + "user.limit.exceeded.action";
   private static final String METADATA_QUERY_PARAM_PREFIX = "md_";
   private static final long TOKEN_TTL_DEFAULT = 30000L;
@@ -300,6 +301,16 @@ public class TokenResource {
       tokenMAC = new TokenMAC(gatewayConfig.getKnoxTokenHashAlgorithm(), 
aliasService.getPasswordFromAliasForGateway(TokenMAC.KNOX_TOKEN_HASH_KEY_ALIAS_NAME));
 
       tokenLimitPerUser = gatewayConfig.getMaximumNumberOfTokensPerUser();
+      final String tokenLimitPerUserParam = 
context.getInitParameter(KNOX_TOKEN_USER_LIMIT_PER_USER);
+      if (StringUtils.isNotBlank(tokenLimitPerUserParam)) {
+        try {
+          tokenLimitPerUser = Integer.parseInt(tokenLimitPerUserParam);
+        } catch (final NumberFormatException nfe) {
+          log.invalidConfigValue(topologyName, KNOX_TOKEN_USER_LIMIT_PER_USER, 
tokenLimitPerUserParam, nfe);
+          log.generalInfoMessage("Using the gateway-level token limit per user 
configuration.");
+        }
+      }
+
       final String userLimitExceededActionParam = 
context.getInitParameter(KNOX_TOKEN_USER_LIMIT_EXCEEDED_ACTION);
       if (userLimitExceededActionParam != null) {
         userLimitExceededAction = 
UserLimitExceededAction.valueOf(userLimitExceededActionParam);
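Review bot: The value parsed by `Integer.parseInt(tokenLimitPerUserParam)` is applied with no range check, so a topology descriptor can raise the per-user token cap above the gateway-level value, and zero or negative input is accepted with whatever meaning the limit check elsewhere gives it (the test's `configuredLimit > 0` branch suggests non-positive values are treated specially; confirm). If topology authors are less trusted than gateway administrators, consider clamping to the gateway value or at least recording the override, e.g. `log.generalInfoMessage("Topology " + topologyName + " overrides token limit per user: " + tokenLimitPerUser);`. Padded input such as `" 10 "` passes `isNotBlank` but fails `parseInt`, so `Integer.parseInt(tokenLimitPerUserParam.trim())` would avoid a needless fallback to the gateway value. The enclosing method starts and ends outside this hunk.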
diff --git 
a/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
 
b/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
index edb1df6ef..230e8aacc 100644
--- 
a/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
+++ 
b/gateway-service-knoxtoken/src/test/java/org/apache/knox/gateway/service/knoxtoken/TokenServiceResourceTest.java
@@ -21,6 +21,7 @@ import static 
org.apache.knox.gateway.config.impl.GatewayConfigImpl.KNOX_TOKEN_U
 import static 
org.apache.knox.gateway.config.impl.GatewayConfigImpl.KNOX_TOKEN_USER_LIMIT_DEFAULT;
 import static 
org.apache.knox.gateway.service.knoxtoken.TokenResource.KNOX_TOKEN_ISSUER;
 import static 
org.apache.knox.gateway.service.knoxtoken.TokenResource.KNOX_TOKEN_USER_LIMIT_EXCEEDED_ACTION;
+import static 
org.apache.knox.gateway.service.knoxtoken.TokenResource.KNOX_TOKEN_USER_LIMIT_PER_USER;
 import static 
org.apache.knox.gateway.service.knoxtoken.TokenResource.TOKEN_INCLUDE_GROUPS_IN_JWT_ALLOWED;
 import static 
org.apache.knox.gateway.services.security.token.JWTokenAttributes.DEFAULT_ISSUER;
 import static 
org.apache.knox.gateway.services.security.token.impl.JWTToken.KNOX_GROUPS_CLAIM;
@@ -1113,7 +1114,13 @@ public class TokenServiceResourceTest {
 
   private void testLimitingTokensPerUser(int configuredLimit, int 
numberOfTokens, boolean revokeOldestToken) throws Exception {
     final Map<String, String> contextExpectations = new HashMap<>();
-    contextExpectations.put(KNOX_TOKEN_USER_LIMIT, 
String.valueOf(configuredLimit));
+    //Setting token limit on gateway/topology level
+    if (configuredLimit > 0) {
+      contextExpectations.put(KNOX_TOKEN_USER_LIMIT_PER_USER, 
String.valueOf(configuredLimit));
+    } else {
+      contextExpectations.put(KNOX_TOKEN_USER_LIMIT, 
String.valueOf(configuredLimit));
+    }
+
     if (revokeOldestToken) {
       contextExpectations.put(KNOX_TOKEN_USER_LIMIT_EXCEEDED_ACTION, 
TokenResource.UserLimitExceededAction.REMOVE_OLDEST.name());
     }
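Review bot: The new `if (configuredLimit > 0)` branch means non-positive limits are only ever exercised through `KNOX_TOKEN_USER_LIMIT`, and no case sets both keys, so the precedence of the topology-level parameter over the gateway-level one is never asserted. The `NumberFormatException` fallback added in TokenResource is also untested; a case that does `contextExpectations.put(KNOX_TOKEN_USER_LIMIT_PER_USER, "abc");` and expects the gateway-level limit to be enforced would cover it. The comment `//Setting token limit on gateway/topology level` could say which branch is which, e.g. `// positive limits go through the topology-level parameter, all others through the gateway-level one`. The method body continues past the end of this hunk.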
