[ https://issues.apache.org/jira/browse/KNOX-2998?focusedWorklogId=908420&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-908420 ]
ASF GitHub Bot logged work on KNOX-2998:
----------------------------------------

Author: ASF GitHub Bot
Created on: 05/Mar/24 20:49
Start Date: 05/Mar/24 20:49
Worklog Time Spent: 10m

Work Description: moresandeep opened a new pull request, #875:
URL: https://github.com/apache/knox/pull/875

## What changes were proposed in this pull request?

This change proposes a new authorization provider `PathAclsAuthz` that authorizes based on the request path. Authorization is done based on path matching, similar to rewrite rules. The format is very similar to the AclsAuthz provider, with the addition of a path. The format is `{path};{users};{groups}:{ips}`

One important thing to note here is that the path is not plural: there has to be one and only one path defined. In case one wants multiple paths, they can define multiple rules with the rule name as a parameter, e.g. KNOXTOKEN.{rule_name}.path.acl

_These are special cases for rule names_

This rule will be applied to ALL services defined in the topology

```
<param>
  <name>path.acl</name>
  <value>https://*:*/**/knoxtoken/api/**;admin;*;*</value>
</param>
```

This rule will be applied only to the service {service_name}

```
<param>
  <name>{service_name}.path.acl</name>
  <value>https://*:*/**/knoxtoken/api/**;admin;*;*</value>
</param>
```

ALL of these rules will be applied to service {service_name}. _NOTE_: {rule_1} and {rule_2} can be any unique names.

```
<param>
  <name>{service_name}.{rule_1}.path.acl</name>
  <value>https://*:*/**/knoxtoken/api/**;admin;*;*</value>
</param>
<param>
  <name>{service_name}.{rule_2}.path.acl</name>
  <value>https://*:*/**/knoxtoken/api/**;admin;*;*</value>
</param>
```

Following are concrete examples of the above rules:

1. This rule will be applied to ALL services defined in the topology

```
<provider>
  <role>authorization</role>
  <name>PathAclsAuthz</name>
  <enabled>true</enabled>
  <param>
    <name>path.acl</name>
    <value>https://*:*/**/knoxtoken/api/**;admin;*;*</value>
  </param>
</provider>
```

2. This rule will be applied only to the KNOXTOKEN service

```
<provider>
  <role>authorization</role>
  <name>PathAclsAuthz</name>
  <enabled>true</enabled>
  <param>
    <name>KNOXTOKEN.path.acl</name>
    <value>https://*:*/**/knoxtoken/api/**;admin;*;*</value>
  </param>
</provider>
```

3. All of these rules will be applied only to the KNOXTOKEN service

```
<provider>
  <role>authorization</role>
  <name>PathAclsAuthz</name>
  <enabled>true</enabled>
  <param>
    <name>KNOXTOKEN.rule_1.path.acl</name>
    <value>https://*:*/**/knoxtoken/api/**;admin;*;*</value>
  </param>
  <param>
    <name>KNOXTOKEN.rule_2.path.acl</name>
    <value>https://*:*/**/knoxtoken/foo/**;knox;*;*</value>
  </param>
  <param>
    <name>KNOXTOKEN.rule_3.path.acl</name>
    <value>https://*:*/**/knoxtoken/bar/**;sam;admin;*</value>
  </param>
</provider>
```

## How was this patch tested?

This patch was tested locally

```
curl -ivku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token
*   Trying 127.0.0.1:8443...
* Connected to localhost (127.0.0.1) port 8443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: C=US; ST=Test; L=Test; O=Hadoop; OU=Test; CN=localhost
*  start date: Mar 5 19:59:57 2024 GMT
*  expire date: Mar 5 19:59:57 2025 GMT
*  issuer: C=US; ST=Test; L=Test; O=Hadoop; OU=Test; CN=localhost
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* using HTTP/1.x
* Server auth using Basic with user 'admin'
> GET /gateway/sandbox/knoxtoken/api/v1/token HTTP/1.1
> Host: localhost:8443
> Authorization: Basic YWRtaW46YWRtaW4tcGFzc3dvcmQ=
> User-Agent: curl/7.88.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Tue, 05 Mar 2024 20:30:59 GMT
Date: Tue, 05 Mar 2024 20:30:59 GMT
< Set-Cookie: KNOXSESSIONID=node0nt5x5i2yaz2dhj3vyicmwp2k5.node0; Path=/gateway/sandbox; Secure; HttpOnly
Set-Cookie: KNOXSESSIONID=node0nt5x5i2yaz2dhj3vyicmwp2k5.node0; Path=/gateway/sandbox; Secure; HttpOnly
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Mon, 04-Mar-2024 20:30:59 GMT; SameSite=lax
Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Mon, 04-Mar-2024 20:30:59 GMT; SameSite=lax
< Content-Type: application/json
Content-Type: application/json
< Content-Length: 2300
Content-Length: 2300
.......
```

Issue Time Tracking
-------------------

    Worklog Id:     (was: 908420)
    Remaining Estimate: 0h
    Time Spent: 10m

> Path based authorization
> ------------------------
>
>                 Key: KNOX-2998
>                 URL: https://issues.apache.org/jira/browse/KNOX-2998
>             Project: Apache Knox
>          Issue Type: New Feature
>          Components: Server
>            Reporter: Sandeep More
>            Assignee: Sandeep More
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> We will need a new acls extension (similar to AclsAuthz) to support this
> functionality. Following is an example of how this might look.
>
> {code:java}
> <param>
> <name>path.KNOX-AUTH-SERVICE.acl</name>
> <value>/foo/* [,
> *|path...];username[,*|username...];group[,*|group...];ipaddr[,*|ipaddr...]</value>
> </param>
> {code}
> This new extension (`path` in the above example) will work with
> CompositeAuthz and follow the same pattern as the AclsAuthz provider.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
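As an added illustration (this is not Knox's PathAclsAuthz code and not part of the pull request), the Python below parses rules in the `{path};{users};{groups};{ips}` form the examples use, selects the rules that apply to a given service from the `path.acl`, `{service}.path.acl` and `{service}.{rule}.path.acl` parameter names, and evaluates a request against them. The glob semantics (`*` within one path segment, `**` across segments), AND evaluation of user, group and ip as in AclsAuthz's default mode, "any matching rule grants", and the `default_allow` fallback for paths no rule covers are assumptions, not behaviour the PR states.

```python
# Added example, not Knox code: evaluate "{path};{users};{groups};{ips}" path ACL rules.
import re
from dataclasses import dataclass

@dataclass
class PathRule:
    path: str
    users: set
    groups: set
    ips: set

def parse_rule(value):
    """Lists are comma-separated; '*' means any (same convention as AclsAuthz)."""
    path, users, groups, ips = (p.strip() for p in value.split(";"))
    split = lambda s: {x.strip() for x in s.split(",") if x.strip()}
    return PathRule(path, split(users), split(groups), split(ips))

def path_regex(pattern):
    """Assumed glob semantics: '**' spans '/' boundaries, '*' stays inside one segment."""
    parts = re.split(r"(\*\*|\*)", pattern)
    body = "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p) for p in parts)
    return re.compile(f"^{body}$")

def rules_for_service(params, service):
    """Select 'path.acl' (all services), '{svc}.path.acl' and '{svc}.{rule}.path.acl'."""
    rules = []
    for name, value in params.items():
        parts = name.split(".")
        if parts[-2:] != ["path", "acl"]:
            continue
        scope = parts[:-2]  # [] for every service, [svc] or [svc, rule_name] otherwise
        if not scope or scope[0] == service:
            rules.append(parse_rule(value))
    return rules

def is_authorized(rules, url, user, user_groups, ip, default_allow=False):
    """AND mode (assumed, like AclsAuthz default): user, group and ip must all be
    satisfied by some rule whose path matches; unmatched paths get default_allow."""
    matched = [r for r in rules if path_regex(r.path).match(url)]
    if not matched:
        return default_allow
    ok = lambda allowed, *actual: "*" in allowed or bool(allowed & set(actual))
    return any(ok(r.users, user) and ok(r.groups, *user_groups) and ok(r.ips, ip)
               for r in matched)

# Constructed topology params: the PR's third example plus a rule for another service.
PARAMS = {
    "KNOXTOKEN.rule_1.path.acl": "https://*:*/**/knoxtoken/api/**;admin;*;*",
    "KNOXTOKEN.rule_2.path.acl": "https://*:*/**/knoxtoken/foo/**;knox;*;*",
    "KNOXTOKEN.rule_3.path.acl": "https://*:*/**/knoxtoken/bar/**;sam;admin;*",
    "WEBHDFS.path.acl": "https://*:*/**/webhdfs/v1/**;*;hdfs;*",
}
```

Note that `default_allow=False` makes a path that no rule covers fail closed, which is the safer choice when the provider is relied on for enforcement; the actual provider's behaviour for uncovered paths should be checked against its code.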