[ https://issues.apache.org/jira/browse/KNOX-2839?focusedWorklogId=829433&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-829433 ]
ASF GitHub Bot logged work on KNOX-2839:
----------------------------------------
Author: ASF GitHub Bot
Created on: 28/Nov/22 19:05
Start Date: 28/Nov/22 19:05
Worklog Time Spent: 10m
Work Description: pzampino commented on code in PR #681:
URL: https://github.com/apache/knox/pull/681#discussion_r1033944407
##########
gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java:
##########
@@ -187,21 +216,46 @@ public void doFilter(ServletRequest request,
ServletResponse response, FilterCha
}
String principalName = getPrincipalName(subject);
+ String mappedPrincipalName = null;
+ try {
+ mappedPrincipalName = handleProxyUserImpersonation(request,
principalName);
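Review bot: mappedPrincipalName is initialised to null before the try at the top of this hunk, and the catch that closes the try is outside the visible lines; make sure that failure path terminates the request with an error response rather than letting a null, or the unmapped principalName, flow into the code that follows, otherwise a doAs request whose authorization fails silently degrades to acting as the authenticated user. It would also help to state in the Javadoc of handleProxyUserImpersonation what it returns when the request carries no doAs parameter (presumably principalName unchanged), since the caller cannot distinguish "no impersonation requested" from "impersonation resolved" by the return value alone.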
Review Comment:
I think the principal mapping is orthogonal to the requests that are
received by Knox. In the case without impersonation, the authenticated user
will be mapped to whatever is configured. Similarly, with impersonation, the
authenticated user (e.g., user1) is requesting to act on behalf of another user
(e.g., user2), who is then mapped to user3 just as in the non-impersonation
scenario.
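The ordering described in the comment above, resolving the proxyuser (doAs) request first and then applying principal mapping to whichever user is the effective one, is shown below as an added, self-contained example. It is not Knox code and not the PR under review; the proxyuser ACL (modelled on the shape of Hadoop's proxyuser users/hosts settings), the principal mapping table and all user names are constructed for illustration.

```java
import java.util.Map;
import java.util.Set;

/**
 * Added example (not Apache Knox code): resolves a doAs impersonation request
 * against a proxyuser ACL first, then applies principal mapping to the
 * effective user, so mapping behaves identically with and without impersonation.
 */
public final class ImpersonationThenMappingExample {

    /** Raised when the authenticated user may not act on behalf of the requested user. */
    public static final class ImpersonationNotAllowedException extends Exception {
        ImpersonationNotAllowedException(String message) { super(message); }
    }

    // Hypothetical ACL: authenticated user -> users it may impersonate ("*" = any).
    private final Map<String, Set<String>> proxyUserUsers;
    // Hypothetical ACL: authenticated user -> client hosts it may impersonate from ("*" = any).
    private final Map<String, Set<String>> proxyUserHosts;
    // Hypothetical principal mapping, applied to the effective (possibly impersonated) user.
    private final Map<String, String> principalMapping;

    public ImpersonationThenMappingExample(Map<String, Set<String>> proxyUserUsers,
                                           Map<String, Set<String>> proxyUserHosts,
                                           Map<String, String> principalMapping) {
        this.proxyUserUsers = proxyUserUsers;
        this.proxyUserHosts = proxyUserHosts;
        this.principalMapping = principalMapping;
    }

    /**
     * Step 1: if doAs names a different user, check the proxyuser ACL and fail closed.
     * Step 2: map the effective user exactly as a non-impersonated user would be mapped.
     */
    public String resolveEffectivePrincipal(String authenticatedUser, String doAs, String remoteHost)
            throws ImpersonationNotAllowedException {
        String effective = authenticatedUser;
        if (doAs != null && !doAs.isEmpty() && !doAs.equals(authenticatedUser)) {
            Set<String> allowedUsers = proxyUserUsers.getOrDefault(authenticatedUser, Set.of());
            Set<String> allowedHosts = proxyUserHosts.getOrDefault(authenticatedUser, Set.of());
            boolean userOk = allowedUsers.contains("*") || allowedUsers.contains(doAs);
            boolean hostOk = allowedHosts.contains("*") || allowedHosts.contains(remoteHost);
            if (!userOk || !hostOk) {
                // Reject rather than silently continuing as the authenticated user.
                throw new ImpersonationNotAllowedException(
                        authenticatedUser + " may not impersonate " + doAs + " from " + remoteHost);
            }
            effective = doAs;
        }
        // Mapping is orthogonal to impersonation: it sees only the effective user.
        return principalMapping.getOrDefault(effective, effective);
    }

    public static void main(String[] args) {
        ImpersonationThenMappingExample resolver = new ImpersonationThenMappingExample(
                Map.of("user1", Set.of("user2")),            // user1 may impersonate user2 only
                Map.of("user1", Set.of("10.0.0.5")),         // ...and only from this client host
                Map.of("user2", "user3", "user1", "user1x")); // constructed mapping table

        try {
            // No doAs: the authenticated user is mapped directly -> user1x
            System.out.println(resolver.resolveEffectivePrincipal("user1", null, "10.0.0.5"));
            // Authorised doAs: user1 -> user2, then user2 is mapped -> user3
            System.out.println(resolver.resolveEffectivePrincipal("user1", "user2", "10.0.0.5"));
            // Unauthorised target user: rejected before any mapping is consulted
            System.out.println(resolver.resolveEffectivePrincipal("user1", "user4", "10.0.0.5"));
        } catch (ImpersonationNotAllowedException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point the example makes concrete is that the mapping table never needs to know whether a request was impersonated: the ACL decision is taken on the authenticated user and the requested doAs user, and only the user that survives that decision is handed to the mapping step.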
Issue Time Tracking
-------------------
Worklog Id: (was: 829433)
Time Spent: 40m (was: 0.5h)
> Refactor impersonation from KnoxToken service
> ---------------------------------------------
>
> Key: KNOX-2839
> URL: https://issues.apache.org/jira/browse/KNOX-2839
> Project: Apache Knox
> Issue Type: Task
> Components: Server
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Blocker
> Fix For: 2.0.0
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> With KNOX-2714, end-users can create tokens on behalf of other users using
> Hadoop's impersonation mechanism.
> The problem with the current implementation is that the proxyuser
> authorization happens to be on service level, but it should be executed
> sooner.
> As discussed offline with [~lmccay] and [~pzampino] we agreed on the
> following:
> * impersonation support should be done in Knox's identity assertion layer
> and not in the services
> * the proxyuser authorization in HadoopAuth filter should be left as-is.
> When someone configures them in two places (HadoopAuth authentication and in
> identity-assertion), a WARN-level message should indicate that the one on the
> identity-assertion level will be ignored.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)