moresandeep opened a new pull request, #875: URL: https://github.com/apache/knox/pull/875
## What changes were proposed in this pull request?

This change proposes a new authorization provider `PathAclsAuthz` that authorizes based on the request path. Authorization is done by path matching, similar to rewrite rules. The format is very similar to the AclsAuthz provider, with the addition of a path. The format is `{path};{users};{groups};{ips}`.

One important thing to note here is that the path is not plural: there has to be one and only one path defined. If one wants multiple paths, they can define multiple rules with the rule name as a parameter, e.g. `KNOXTOKEN.{rule_name}.path.acl`.

_These are special cases for rule names_

This rule will be applied to ALL services defined in the topology:

```
<param>
  <name>path.acl</name>
  <value>https://*:*/**/knoxtoken/api/**;admin;*;*</value>
</param>
```

This rule will be applied only to the service `{service_name}`:

```
<param>
  <name>{service_name}.path.acl</name>
  <value>https://*:*/**/knoxtoken/api/**;admin;*;*</value>
</param>
```

ALL of these rules will be applied to the service `{service_name}`. _NOTE_: `{rule_1}` and `{rule_2}` can be any unique names.

```
<param>
  <name>{service_name}.{rule_1}.path.acl</name>
  <value>https://*:*/**/knoxtoken/api/**;admin;*;*</value>
</param>
<param>
  <name>{service_name}.{rule_2}.path.acl</name>
  <value>https://*:*/**/knoxtoken/api/**;admin;*;*</value>
</param>
```

Following are concrete examples of the above rules:

1. This rule will be applied to ALL services defined in the topology:

   ```
   <provider>
     <role>authorization</role>
     <name>PathAclsAuthz</name>
     <enabled>true</enabled>
     <param>
       <name>path.acl</name>
       <value>https://*:*/**/knoxtoken/api/**;admin;*;*</value>
     </param>
   </provider>
   ```

2. This rule will be applied only to the KNOXTOKEN service:

   ```
   <provider>
     <role>authorization</role>
     <name>PathAclsAuthz</name>
     <enabled>true</enabled>
     <param>
       <name>KNOXTOKEN.path.acl</name>
       <value>https://*:*/**/knoxtoken/api/**;admin;*;*</value>
     </param>
   </provider>
   ```

3. All of these rules will be applied only to the KNOXTOKEN service:

   ```
   <provider>
     <role>authorization</role>
     <name>PathAclsAuthz</name>
     <enabled>true</enabled>
     <param>
       <name>KNOXTOKEN.rule_1.path.acl</name>
       <value>https://*:*/**/knoxtoken/api/**;admin;*;*</value>
     </param>
     <param>
       <name>KNOXTOKEN.rule_2.path.acl</name>
       <value>https://*:*/**/knoxtoken/foo/**;knox;*;*</value>
     </param>
     <param>
       <name>KNOXTOKEN.rule_3.path.acl</name>
       <value>https://*:*/**/knoxtoken/bar/**;sam;admin;*</value>
     </param>
   </provider>
   ```

## How was this patch tested?

This patch was tested locally:

```
curl -ivku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token
*   Trying 127.0.0.1:8443...
* Connected to localhost (127.0.0.1) port 8443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: C=US; ST=Test; L=Test; O=Hadoop; OU=Test; CN=localhost
*  start date: Mar 5 19:59:57 2024 GMT
*  expire date: Mar 5 19:59:57 2025 GMT
*  issuer: C=US; ST=Test; L=Test; O=Hadoop; OU=Test; CN=localhost
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* using HTTP/1.x
* Server auth using Basic with user 'admin'
> GET /gateway/sandbox/knoxtoken/api/v1/token HTTP/1.1
> Host: localhost:8443
> Authorization: Basic YWRtaW46YWRtaW4tcGFzc3dvcmQ=
> User-Agent: curl/7.88.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Tue, 05 Mar 2024 20:30:59 GMT
Date: Tue, 05 Mar 2024 20:30:59 GMT
< Set-Cookie: KNOXSESSIONID=node0nt5x5i2yaz2dhj3vyicmwp2k5.node0; Path=/gateway/sandbox; Secure; HttpOnly
Set-Cookie: KNOXSESSIONID=node0nt5x5i2yaz2dhj3vyicmwp2k5.node0; Path=/gateway/sandbox; Secure; HttpOnly
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Mon, 04-Mar-2024 20:30:59 GMT; SameSite=lax
Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Mon, 04-Mar-2024 20:30:59 GMT; SameSite=lax
< Content-Type: application/json
Content-Type: application/json
< Content-Length: 2300
Content-Length: 2300
.......
```

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
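The following is an added illustration of the rule-selection and `{path};{users};{groups};{ips}` evaluation described in the PR text above; it is example code written for this page, not code from the pull request or from Knox. The topology params are copied from concrete example 3. Everything else is an assumption of the example and not a description of the real provider: the glob semantics (`**` spans any number of path segments, `*` stays inside one segment or one host/port part), that any matching rule whose fields permit the caller grants access, that a request whose path matches no rule is denied, and the `mode` switch (modelled on the AND/OR `acl.mode` that AclsAuthz exposes; the PR does not say whether PathAclsAuthz has one).

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

WILDCARD = "*"


@dataclass(frozen=True)
class PathRule:
    name: str           # the <param> name the rule came from
    path: str           # URL glob, e.g. https://*:*/**/knoxtoken/api/**
    users: frozenset
    groups: frozenset
    ips: frozenset


def _field(text: str) -> frozenset:
    # A field is a comma-separated list, or "*" meaning any user / group / address.
    return frozenset(x.strip() for x in text.split(",") if x.strip())


def parse_rule(name: str, value: str) -> PathRule:
    """Parse one `{path};{users};{groups};{ips}` value. Exactly one path per rule."""
    parts = value.split(";")
    if len(parts) != 4:
        raise ValueError(f"{name}: expected 4 ';'-separated fields, got {len(parts)}")
    path, users, groups, ips = (p.strip() for p in parts)
    if not path:
        raise ValueError(f"{name}: path must not be empty")
    return PathRule(name, path, _field(users), _field(groups), _field(ips))


def rules_for_service(params: Dict[str, str], service: str) -> List[PathRule]:
    """Select the rules governing `service`: `path.acl` (every service),
    `{service}.path.acl`, and `{service}.{rule}.path.acl` (any unique rule name)."""
    selected = []
    for name, value in params.items():
        if name != "path.acl" and not name.endswith(".path.acl"):
            continue
        prefix = name[: -len("path.acl")].rstrip(".")  # "", "KNOXTOKEN" or "KNOXTOKEN.rule_1"
        if prefix == "" or prefix == service or prefix.startswith(service + "."):
            selected.append(parse_rule(name, value))
    return selected


def glob_to_regex(pattern: str) -> "re.Pattern":
    """Assumed glob semantics: `**` matches across segments, `*` within one
    segment (or one host/port part); every other character is literal."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/:]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def _normalize(url: str) -> str:
    # Match on scheme, host:port and path only; query string and fragment are ignored.
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}{u.path or '/'}"


def _permits(allowed: frozenset, values: Iterable[str]) -> bool:
    return WILDCARD in allowed or any(v in allowed for v in values)


def authorize(rules, url, user, groups=(), ip="", mode="AND"):
    """Return (allowed, rule_name). Rules whose path glob matches the request are
    consulted in order; the first one whose fields permit the caller grants.
    AND mode needs the user, group and ip fields all to permit; OR mode needs any one.
    A request whose path matches no rule is denied (this example's choice)."""
    target = _normalize(url)
    matched = [r for r in rules if glob_to_regex(r.path).match(target)]
    if not matched:
        return (False, None)
    for r in matched:
        checks = (_permits(r.users, [user]), _permits(r.groups, groups), _permits(r.ips, [ip]))
        if all(checks) if mode == "AND" else any(checks):
            return (True, r.name)
    return (False, matched[0].name)


# Constructed topology params, copied from concrete example 3 in the PR description.
KNOXTOKEN_PARAMS = {
    "KNOXTOKEN.rule_1.path.acl": "https://*:*/**/knoxtoken/api/**;admin;*;*",
    "KNOXTOKEN.rule_2.path.acl": "https://*:*/**/knoxtoken/foo/**;knox;*;*",
    "KNOXTOKEN.rule_3.path.acl": "https://*:*/**/knoxtoken/bar/**;sam;admin;*",
}

if __name__ == "__main__":
    rules = rules_for_service(KNOXTOKEN_PARAMS, "KNOXTOKEN")
    base = "https://localhost:8443/gateway/sandbox/knoxtoken"
    print(authorize(rules, base + "/api/v1/token", "admin", ("admin",), "127.0.0.1"))  # (True, 'KNOXTOKEN.rule_1.path.acl')
    print(authorize(rules, base + "/api/v1/token", "guest"))                          # (False, 'KNOXTOKEN.rule_1.path.acl')
    print(authorize(rules, base + "/bar/x", "sam"))                                   # (False, 'KNOXTOKEN.rule_3.path.acl')
```

Two things the example makes visible that the rule text alone does not: with the AND semantics assumed here, `rule_3` (`sam;admin;*`) only admits `sam` when the caller also carries the `admin` group, and in OR mode a `*` in any single field admits everyone, so rules written with wildcards only make sense under AND. The deny-on-no-match default is this example's choice; confirm what the actual provider does for paths no rule names before relying on either behaviour.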