[jira] [Updated] (KNOX-399) Allow Anonymous Access to Select API Patterns

Wed, 23 Dec 2015 06:58:41 -0800 

     [ 
https://issues.apache.org/jira/browse/KNOX-399?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-399:
-----------------------------
    Fix Version/s:     (was: 0.7.0)
                   Future

> Allow Anonymous Access to Select API Patterns
> ---------------------------------------------
>
>                 Key: KNOX-399
>                 URL: https://issues.apache.org/jira/browse/KNOX-399
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>             Fix For: Future
>
>
> Certain resource URLs will require/allow anonymous access.
> For instance, admin/api/v1/version shouldn't require authentication - since 
> it may be used to determine which contract to use or some other non-request 
> processing book keeping.
> What I have in mind is a scheme wherein a given API service contributor will 
> communicate the patternsForAnonymousAccess in addition to packages and 
> patterns that it does today. The base class jersey contributor can noop the 
> method for backward compatibility.
> As the base class jersey contributor loops through the patterns to add 
> filters for, it will check whether each pattern is a member of the anonymous 
> access group and if so add an anonymous authentication filter instead of the 
> one configured in the topology. The anonymous authentication provider will 
> simply create a Subject with principal of anonymous and no groups. It will 
> then be up to identity assertion role mapping to add any groups to the 
> Subject. Something like "everyone" group would make sense and could then be 
> used in SLA acls for access decisions.
> The rest of the API will likely be protected with acls for role of "admin". 
> The administrator role would need to be added to LDAP groups or also added 
> through the identity assertion provider based on specific principal names.
> I think that this will allow for an API with up to two authentication levels:
> 1. the configured authentication/federation provider for the topology that is 
> hosting the API
> 2. anonymous access to a subset of the API



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to