[ https://issues.apache.org/jira/browse/KNOX-3048?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Philip Zampino updated KNOX-3048:
---------------------------------
    Description: 
It would be useful to allow the ability to configure proxy user impersonation 
configuration for all those users belonging to a particular group.

For example, topologies currently require such configuration for every "end 
user" who is designated as a Knox admin to perform impersonation for the token 
API. This potentially results in too much config in a topology, and represents 
an administration burden on Knox admins.

The proposal is to add support for groups, for which the surrogate proxy user 
config could be defined (once) in the topology, for which authenticated users 
would be validated against their membership in the configured group before 
being permitted to perform impersonation.

This can be supported by adding a qualifying prefix (e.g., GRP__) to a group 
name, and the ACL will be created.

*Example provider configuration with "surrogate" admin group proxyuser configuration*
{code:java}
<provider>
    <role>identity-assertion</role>
    <name>Default</name>
    <enabled>true</enabled>
    <param>
        <name>hadoop.proxyuser.impersonation.enabled</name>
        <value>true</value>
    </param>
    <param>
        <name>hadoop.proxyuser.GRP__admin.users</name>
        <value>*</value>
    </param>
    <param>
        <name>hadoop.proxyuser.GRP__admin.groups</name>
        <value>*</value>
    </param>
    <param>
        <name>hadoop.proxyuser.GRP__admin.hosts</name>
        <value>NONE</value>
    </param>
</provider>
{code}
With this type of configuration, an extension of 
_org.apache.hadoop.security.authorize.DefaultImpersonationProvider_
can be implemented, overriding the following method
_public void authorize(UserGroupInformation user, String remoteAddress) throws AuthorizationException_
to catch the AuthorizationException resulting from the lack of any 
user-specific ACL, and check for ACLs associated with the impersonating user's 
groups.
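As an added illustration (not Knox's code and not part of this issue), a hypothetical subclass implementing the override described above. It assumes Hadoop's public AccessControlList and MachineList helpers, the GRP__ prefix and the hadoop.proxyuser.GRP__<group>.{users,groups,hosts} key layout from the example configuration, and the class name GroupAwareImpersonationProvider is invented:

```java
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.authorize.DefaultImpersonationProvider;
import org.apache.hadoop.util.MachineList;

// Hypothetical class (not Knox's): the parent's user-specific check always runs first;
// the GRP__<group> lookup is only a fallback when that check throws.
public class GroupAwareImpersonationProvider extends DefaultImpersonationProvider {
    static final String GROUP_PREFIX = "GRP__";   // qualifying prefix from the proposal
    private String configPrefix = "hadoop.proxyuser.";

    @Override
    public void init(String configurationPrefix) {
        super.init(configurationPrefix);
        // Mirror the parent's normalisation so keys line up with the hadoop.proxyuser.* entries.
        configPrefix = configurationPrefix.endsWith(".") ? configurationPrefix : configurationPrefix + ".";
    }

    @Override
    public void authorize(UserGroupInformation user, String remoteAddress)
            throws AuthorizationException {
        try {
            super.authorize(user, remoteAddress);       // user-specific ACL for the real user
        } catch (AuthorizationException userAclFailure) {
            // The parent only throws for proxy requests, so the real user is present here.
            UserGroupInformation realUser = user.getRealUser();
            Configuration conf = getConf();
            for (String group : realUser.getGroupNames()) {
                String key = configPrefix + GROUP_PREFIX + group;
                String users  = conf.get(key + ".users");
                String groups = conf.get(key + ".groups");
                String hosts  = conf.get(key + ".hosts");
                if (users == null && groups == null) {
                    continue;                           // no surrogate ACL for this group
                }
                // Same two checks the parent applies: may this user be impersonated by
                // members of the group, and does the request come from a permitted host?
                AccessControlList acl = new AccessControlList(
                        users == null ? "" : users, groups == null ? "" : groups);
                MachineList allowedHosts = new MachineList(hosts == null ? "" : hosts);
                if (acl.isUserAllowed(user) && allowedHosts.includes(remoteAddress)) {
                    return;                             // group ACL authorises the impersonation
                }
            }
            throw userAclFailure;                       // fail closed: rethrow the original denial
        }
    }
}
```

Which authorize overload Hadoop actually invokes depends on the Hadoop version on the classpath (newer releases route ProxyUsers through an InetAddress overload), so confirm the entry point before relying on the String override alone.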

 

  was:
Need the ability to configure proxy user impersonation configuration for all 
those users who are Knox admin users.

Currently topologies require such configuration for every "end user" who is 
designated as a Knox admin to perform impersonation. This results in too much 
config in the topology, and represents an administration burden.

The proposal is to add a reserved username (e.g., KNOX_ADMIN), for which the 
surrogate proxy user config could be defined (once) in the topology, for which 
authenticated users would be validated against their membership in the Knox 
admin group before being permitted to perform impersonation.

*Example provider configuration with "surrogate" Knox Admin proxyuser*
{code:java}
        <provider>
            <role>identity-assertion</role>
            <name>HadoopGroupProvider</name>
            <enabled>true</enabled>
            <param>
                <name>CENTRAL_GROUP_CONFIG_PREFIX</name>
                <value>gateway.group.config.</value>
            </param>
            <param>
                <name>hadoop.proxyuser.KNOX_ADMIN.groups</name>
                <value>NONE</value>
            </param>
            <param>
                <name>hadoop.proxyuser.KNOX_ADMIN.hosts</name>
                <value>NONE</value>
            </param>
            <param>
                <name>hadoop.proxyuser.impersonation.enabled</name>
                <value>false</value>
            </param>
        </provider> {code}


> Surrogate proxy user configuration for all Knox admin users
> -----------------------------------------------------------
>
>                 Key: KNOX-3048
>                 URL: https://issues.apache.org/jira/browse/KNOX-3048
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 2.0.0
>            Reporter: Philip Zampino
>            Assignee: Philip Zampino
>            Priority: Major
>             Fix For: 2.1.0
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)