Larry McCay created KNOX-1740:
---------------------------------
Summary: Add Trusted Proxy Support to Knox
Key: KNOX-1740
URL: https://issues.apache.org/jira/browse/KNOX-1740
Project: Apache Knox
Issue Type: Improvement
Components: Server
Reporter: Larry McCay
Assignee: Larry McCay
Fix For: 1.3.0
There are token exchange scenarios where an application may want to acquire a
KnoxToken on behalf of a user authenticated by the application. We need to
implement a version of the Hadoop Trusted Proxy/Impersonation pattern for Knox
at the topology level.
This includes:
* Principal assertion method (possibilities: doAs query param, path segment
within an API, HTTP header)
* Config within topology for trusted principals, groups that they are allowed
to impersonate, users that they are allowed to impersonate, IP address from
which requests are expected
* Make part of the identity assertion provider since this is the provider that
determines which identity to assert to the downstream service
* Config will need to be qualified by service due to the multiple services per
topology
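The checks listed in the issue, sketched as an added example (this is not Knox code and not part of the issue). The rule schema, the `RULES` and `USER_GROUPS` sample data, and the `effective_user` function are hypothetical; the logic follows the Hadoop proxyuser pattern of a users-or-groups match plus a source-host match, keyed by service.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ProxyRule:
    """What one trusted principal may do for one service (hypothetical schema)."""
    users: frozenset = frozenset()   # users it may impersonate, "*" means any
    groups: frozenset = frozenset()  # groups whose members it may impersonate
    hosts: tuple = ()                # CIDR ranges requests are expected from

# Constructed sample config, keyed by (service, trusted principal) because a
# topology hosts several services and each needs its own rules.
RULES = {
    ("KNOXTOKEN", "webapp"): ProxyRule(
        users=frozenset({"alice"}),
        groups=frozenset({"analysts"}),
        hosts=("10.0.5.0/24",),
    ),
}
USER_GROUPS = {"alice": {"hr"}, "bob": {"analysts"}, "carol": {"ops"}}  # constructed

def effective_user(service, authenticated, do_as, remote_addr,
                   rules=RULES, user_groups=USER_GROUPS):
    """Return the identity to assert downstream, or raise PermissionError."""
    if not do_as or do_as == authenticated:
        return authenticated  # no impersonation requested
    rule = rules.get((service, authenticated))
    if rule is None:
        raise PermissionError(f"{authenticated} is not a trusted proxy for {service}")
    # remote_addr must be the connection's peer address as seen by the gateway,
    # not a client-supplied header value.
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        raise PermissionError("unparseable source address") from None
    # An empty hosts list matches nothing, so a rule without hosts denies.
    if not any(addr in ipaddress.ip_network(cidr) for cidr in rule.hosts):
        raise PermissionError(f"{remote_addr} is not an expected source for {authenticated}")
    member_of = user_groups.get(do_as, set())
    allowed = ("*" in rule.users or do_as in rule.users
               or "*" in rule.groups or bool(rule.groups & member_of))
    if not allowed:
        raise PermissionError(f"{authenticated} may not impersonate {do_as}")
    return do_as
```

Every path that does not explicitly match a rule raises, so a missing or incomplete rule results in denial rather than impersonation.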