[GitHub] [knox] pzampino commented on a diff in pull request #681: KNOX-2839 - Identity assertion provider handles Hadoop ProxyUser auth using the 'doAs' query parameter

Tue, 29 Nov 2022 14:24:08 -0800 


pzampino commented on code in PR #681:
URL: https://github.com/apache/knox/pull/681#discussion_r1035343473


##########
gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java:
##########
@@ -720,19 +705,21 @@ private Response getAuthenticationToken() {
     String createdBy = null;
     // checking the doAs user only makes sense if tokens are managed (this is 
where we store the userName information)
     // and if impersonation is enabled
-    if (impersonationEnabled && tokenStateService != null) {
-      final String doAsUser = request.getParameter(QUERY_PARAMETER_DOAS);
-      if (doAsUser != null && !doAsUser.equals(userName)) {
-        try {
-          //this call will authorize the doAs request
-          AuthFilterUtils.authorizeImpersonationRequest(request, doAsUser, 
getTopologyName(), TokenServiceDeploymentContributor.ROLE);
-          createdBy = userName;
-          userName = doAsUser;
-          log.tokenImpersonationSuccess(createdBy, doAsUser);
-        } catch (AuthorizationException e) {
-          log.tokenImpersonationFailed(e);
-          return Response.status(Response.Status.FORBIDDEN).entity("{ \"" + 
e.getMessage() + "\" }").build();
+    if (tokenStateService != null) {
+      final String realUserName = (String) 
request.getAttribute(AuthFilterUtils.REAL_USER_NAME_ATTRIBUTE);
+      final Subject subject = SubjectUtils.getCurrentSubject();
+      if (subject != null && SubjectUtils.isImpersonating(subject)) {
+        String primaryPrincipalName = 
SubjectUtils.getPrimaryPrincipalName(subject);
+        String impersonatedPrincipalName = 
SubjectUtils.getImpersonatedPrincipalName(subject);
+        if (!primaryPrincipalName.equals(impersonatedPrincipalName)) {
+          createdBy = primaryPrincipalName;
+          userName = impersonatedPrincipalName;
+          log.tokenImpersonationSuccess(createdBy, userName);
         }
+      } else if (StringUtils.isNotBlank(realUserName) && 
!realUserName.equals(userName)) {
+        // real user name is set by HadoopAuth filter for impersonated 
requests (part of 'doAs' processing)
+        createdBy = realUserName;

Review Comment:
   I agree that using the Subject Principals as the vehicle for communicating 
this information would be ideal.



##########
gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java:
##########
@@ -187,21 +219,46 @@ public void doFilter(ServletRequest request, 
ServletResponse response, FilterCha
     }
 
     String principalName = getPrincipalName(subject);
+    String mappedPrincipalName = null;
+    try {
+      mappedPrincipalName = handleProxyUserImpersonation(request, 
principalName);
+    } catch(AuthorizationException e) {
+      LOG.hadoopAuthProxyUserFailed(e);
+      HttpExceptionUtils.createServletExceptionResponse((HttpServletResponse) 
response, HttpServletResponse.SC_FORBIDDEN, e);
+      return;
+    }
 
-    String mappedPrincipalName = mapUserPrincipalBase(principalName);
+    // mapping principal name using user principal mapping (if configured)
+    mappedPrincipalName = mapUserPrincipalBase(mappedPrincipalName);
     mappedPrincipalName = mapUserPrincipal(mappedPrincipalName);
+
     String[] mappedGroups = mapGroupPrincipalsBase(mappedPrincipalName, 
subject);
     String[] groups = mapGroupPrincipals(mappedPrincipalName, subject);
     String[] virtualGroups = virtualGroupMapper.mapGroups(mappedPrincipalName, 
combine(subject, groups), request).toArray(new String[0]);
     groups = combineGroupMappings(mappedGroups, groups);
     groups = combineGroupMappings(virtualGroups, groups);
 
-    HttpServletRequestWrapper wrapper = wrapHttpServletRequest(
-        request, mappedPrincipalName);
+    HttpServletRequestWrapper wrapper = wrapHttpServletRequest(request, 
mappedPrincipalName);
+
 
     continueChainAsPrincipal(wrapper, response, chain, mappedPrincipalName, 
unique(groups));
   }
 
+  private String handleProxyUserImpersonation(ServletRequest request, String 
principalName) throws AuthorizationException {
+    if (impersonationEnabled) {
+      final String doAsUser = 
request.getParameter(AuthFilterUtils.QUERY_PARAMETER_DOAS);
+      if (doAsUser != null && !doAsUser.equals(principalName)) {
+        LOG.hadoopAuthDoAsUser(doAsUser, principalName, 
request.getRemoteAddr());
+        if (principalName != null) {
+          AuthFilterUtils.authorizeImpersonationRequest((HttpServletRequest) 
request, principalName, doAsUser, topologyName, ROLE);
+          LOG.hadoopAuthProxyUserSuccess();
+          return doAsUser;

Review Comment:
   +1



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to