[ 
https://issues.apache.org/jira/browse/KNOX-3023?focusedWorklogId=917092&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-917092
 ]

ASF GitHub Bot logged work on KNOX-3023:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 01/May/24 00:08
            Start Date: 01/May/24 00:08
    Worklog Time Spent: 10m 
      Work Description: moresandeep opened a new pull request, #903:
URL: https://github.com/apache/knox/pull/903

   ## What changes were proposed in this pull request?
   
   This PR extends configurable dispatch to optionally add authenticated 
principal and groups to the outbound request as headers (header names are 
configurable). By default this feature is turned off and will only be enabled 
if users update the dispatch config in service definition with param 
`shouldIncludePrincipalAndGroups` (demonstrated below)
   
   Following properties are configurable on dispatch
   
   - `shouldIncludePrincipalAndGroups` Should the principal and groups be 
passed to the dispatched request as request params.
   - `actorIdHeaderName` Header name for the principal, default value is 
X-Knox-Actor-ID
   - `actorGroupsHeaderPrefix` Prefix for header containing groups, default 
value is X-Knox-Actor-Groups. Note: header names are assigned as 
X-Knox-Actor-Groups-1, X-Knox-Actor-Groups-2, depending on number of groups. 
Each header i.e. X-Knox-Actor-Groups-1 can have max 1000 groups, next set of 
groups will be part of X-Knox-Actor-Groups-2 header and so on.
   - `groupFilterPattern` Regex pattern to filter groups on, default value is 
`.*`. This is useful when you only want specific groups to flow through 
dispatch. 
   
   Complete service definition example:
   ```
   <service role="WEATHER" name="weather" version="0.0.1">
     <routes>
       <route path="/weather/**"/>
     </routes>
     <dispatch classname="org.apache.knox.gateway.dispatch.ConfigurableDispatch">
             <param>
                 <name>shouldIncludePrincipalAndGroups</name>
                 <value>true</value>
             </param>
             <param>
                 <name>actorIdHeaderName</name>
                 <value>X-Apache-Actor-ID</value>
             </param>
     </dispatch>
   </service>
   ```
   
   Example of dispatched request headers.
   
   ```
   GET /data/2.5/forecast/city?id=524901&APPID=54557732afcfe106bfc955b9da04fb14&user.name=sam HTTP/1.1
   X-Request-Id: 39df3e87-f0ee-4dbd-bece-795186bf7be4
   X-Forwarded-For: [0:0:0:0:0:0:0:1]
   X-Forwarded-Proto: https
   X-Forwarded-Port: 8443
   X-Forwarded-Host: localhost:8443
   X-Forwarded-Server: localhost
   X-Forwarded-Context: /gateway/sandbox2
   Accept: */*
   User-Agent: curl/8.4.0
   X-Apache-Actor-ID: sam
   X-Knox-Actor-Groups-1: users
   Host: localhost:50070
   Connection: Keep-Alive
   ```
   
   
   ## How was this patch tested?
   This patch was tested locally.
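
Added example (not part of the pull request and not Knox's code): a sketch of the header layout described above, with the gateway-side chunking into numbered headers and a backend-side parser that reassembles the groups and rejects gaps in the numbering. The function names, the comma separator inside a header value, and full-match semantics for `groupFilterPattern` are assumptions; the page does not specify them.

```python
import re

MAX_GROUPS_PER_HEADER = 1000  # limit stated in the PR description


def build_actor_headers(principal, groups,
                        actor_id_header="X-Knox-Actor-ID",
                        groups_prefix="X-Knox-Actor-Groups",
                        group_filter=".*"):
    """Gateway side: lay out principal and groups as numbered headers."""
    pattern = re.compile(group_filter)
    # Assumption: the filter must match the whole group name.
    kept = [g for g in groups if pattern.fullmatch(g)]
    headers = {actor_id_header: principal}
    for i in range(0, len(kept), MAX_GROUPS_PER_HEADER):
        name = f"{groups_prefix}-{i // MAX_GROUPS_PER_HEADER + 1}"
        # Assumption: groups inside one header value are comma-separated.
        headers[name] = ",".join(kept[i:i + MAX_GROUPS_PER_HEADER])
    return headers


def parse_actor_headers(headers, actor_id_header="X-Knox-Actor-ID",
                        groups_prefix="X-Knox-Actor-Groups"):
    """Backend side: rebuild (principal, groups) from the numbered headers."""
    # HTTP header names are case-insensitive.
    lower = {k.lower(): v for k, v in headers.items()}
    principal = lower.get(actor_id_header.lower())
    if not principal:
        raise ValueError("missing actor id header")
    groups, n = [], 1
    while (value := lower.get(f"{groups_prefix}-{n}".lower())) is not None:
        groups.extend(g.strip() for g in value.split(",") if g.strip())
        n += 1
    # Reject a gap in the numbering (e.g. -1 and -3 without -2) or a
    # non-numeric suffix: either means the set of headers is not intact.
    extra = [k for k in lower if k.startswith(groups_prefix.lower() + "-")]
    if len(extra) != n - 1:
        raise ValueError("non-contiguous or unexpected group headers")
    return principal, groups
```

A backend should act on these headers only for requests that arrived from the gateway, since any direct client could otherwise set them itself.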




Issue Time Tracking
-------------------

            Worklog Id:     (was: 917092)
    Remaining Estimate: 0h
            Time Spent: 10m

> Extend the Hadoop proxyuser dispatch to optionally include groups in a header 
> in addition to doAs
> -------------------------------------------------------------------------------------------------
>
>                 Key: KNOX-3023
>                 URL: https://issues.apache.org/jira/browse/KNOX-3023
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>            Reporter: Sandeep More
>            Assignee: Sandeep More
>            Priority: Major
>             Fix For: 2.0.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Currently Hadoop proxyuser dispatch does not have a mechanism to relay user 
> groups. This JIRA tried to address this problem. This can be done similar to 
> what we have done in [Knox Auth 
> Service|https://knox.apache.org/books/knox-2-0-0/user-guide.html#Knox+Auth+Service]
>  `auth/api/v1/pre`  endpoint where a header is added to the response (by 
> default X-Knox-Actor-ID) with the principal name to the response. In this 
> case these headers will be added to outgoing requests.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
