[ 
https://issues.apache.org/jira/browse/KNOX-1740?focusedWorklogId=270867&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-270867
 ]

ASF GitHub Bot logged work on KNOX-1740:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 02/Jul/19 13:23
            Start Date: 02/Jul/19 13:23
    Worklog Time Spent: 10m 
      Work Description: rlevas commented on issue #108: KNOX-1740 - Add Trusted 
Proxy Support to Knox
URL: https://github.com/apache/knox/pull/108#issuecomment-507675003
 
 
   > @rlevas were there any major differences here? I can always cherry pick 
the commit from PR #106
   
   Nope.. there are no differences.  I just applied the patch to this branch 
and submitted the PR (after re-testing, of course. :) )
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


Issue Time Tracking
-------------------

    Worklog Id:     (was: 270867)
    Time Spent: 1h  (was: 50m)

> Add Trusted Proxy Support to Knox
> ---------------------------------
>
>                 Key: KNOX-1740
>                 URL: https://issues.apache.org/jira/browse/KNOX-1740
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>            Reporter: Larry McCay
>            Assignee: Robert Levas
>            Priority: Major
>             Fix For: 1.3.0
>
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> There are token exchange scenarios where an application may want to acquire a 
> KnoxToken on behalf of a user authenticated by the application. We need to 
> implement a version of the Hadoop Trusted Proxy/Impersonation pattern for 
> Knox at the topology level.
> This includes:
>  * Principal assertion method (doAs query param)
>  * Config within topology for trusted principals, groups that they are 
> allowed to impersonate, users that they are allowed to impersonate, ip 
> address from which requests are expected
>  * Make part of the identity assertion provider since this is the provider 
> that determines which identity to assert to the down stream service
>  * Config will need to be qualified by service due to the multiple services 
> per topology
>  Example to indicate trusted service principals, hosts, groups:
> {code:xml}
> <param>
>   <name>hadoop.proxyuser.hive.hosts</name>
>   <value>10.222.0.0/16,10.113.221.221</value>
> </param>
> <param>
>   <name>hadoop.proxyuser.hive.users</name>
>   <value>user1,user2</value>
> </param>
> <param>
>   <name>hadoop.proxyuser.hive.groups</name>
>   <value>users</value>
> </param>
> {code}
> Putting the above in identity assertion provider - or any providers for that 
> matter will potentially impact sharing of provider configs.
>  However, it is inappropriate to make it global config within 
> gateway-site.xml as this would be bad across tenants and clusters - and 
> therefore topologies.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to