[
https://issues.apache.org/jira/browse/KNOX-3096?focusedWorklogId=958815&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-958815
]
ASF GitHub Bot logged work on KNOX-3096:
----------------------------------------
Author: ASF GitHub Bot
Created on: 25/Feb/25 20:39
Start Date: 25/Feb/25 20:39
Worklog Time Spent: 10m
Work Description: lmccay commented on code in PR #994:
URL: https://github.com/apache/knox/pull/994#discussion_r1970510390
##########
gateway-provider-security-authc-remote/src/main/java/org/apache/knox/gateway/filter/RemoteAuthFilter.java:
##########
@@ -0,0 +1,249 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.filter;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import org.apache.knox.gateway.RemoteAuthMessages;
+import org.apache.knox.gateway.audit.api.Action;
+import org.apache.knox.gateway.audit.api.ActionOutcome;
+import org.apache.knox.gateway.audit.api.AuditContext;
+import org.apache.knox.gateway.audit.api.AuditService;
+import org.apache.knox.gateway.audit.api.AuditServiceFactory;
+import org.apache.knox.gateway.audit.api.Auditor;
+import org.apache.knox.gateway.audit.api.ResourceType;
+import org.apache.knox.gateway.audit.log4j.audit.AuditConstants;
+import org.apache.knox.gateway.i18n.messages.MessagesFactory;
+import org.apache.knox.gateway.security.GroupPrincipal;
+import org.apache.knox.gateway.security.PrimaryPrincipal;
+import org.apache.knox.gateway.services.GatewayServices;
+import org.apache.knox.gateway.services.ServiceType;
+import org.apache.knox.gateway.services.security.KeystoreService;
+import org.apache.knox.gateway.services.security.KeystoreServiceException;
+
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManagerFactory;
+import javax.security.auth.Subject;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import java.security.KeyStore;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.Arrays;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+public class RemoteAuthFilter implements Filter {
+
+ private static final String CONFIG_REMOTE_AUTH_URL = "remote.auth.url";
+ private static final String CONFIG_INCLUDE_HEADERS =
"remote.auth.include.headers";
+ private static final String CONFIG_CACHE_KEY_HEADER =
"remote.auth.cache.key";
+ private static final String CONFIG_EXPIRE_AFTER = "remote.auth.expire.after";
+ private static final String DEFAULT_CACHE_KEY_HEADER = "Authorization";
+ private static final String CONFIG_USER_HEADER = "remote.auth.user.header";
+ private static final String CONFIG_GROUP_HEADER = "remote.auth.group.header";
+
+ private String remoteAuthUrl;
+ private List<String> includeHeaders;
+ private String cacheKeyHeader;
+ private String userHeader;
+ private String groupHeader;
+ /*
+ For Testing
+ */
+ HttpURLConnection httpURLConnection;
+
+ Cache<String, Subject> authenticationCache;
+
+ private static final AuditService auditService =
AuditServiceFactory.getAuditService();
+ private static final Auditor auditor = auditService.getAuditor(
+ AuditConstants.DEFAULT_AUDITOR_NAME,
AuditConstants.KNOX_SERVICE_NAME, AuditConstants.KNOX_COMPONENT_NAME );
+ private final RemoteAuthMessages LOGGER = MessagesFactory.get(
RemoteAuthMessages.class );
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ remoteAuthUrl = filterConfig.getInitParameter(CONFIG_REMOTE_AUTH_URL);
+ if (remoteAuthUrl == null || remoteAuthUrl.isEmpty()) {
+ LOGGER.missingRequiredParameter(CONFIG_REMOTE_AUTH_URL);
+ throw new ServletException(CONFIG_REMOTE_AUTH_URL + " is a missing
required param.");
+ }
+ includeHeaders =
Arrays.asList(filterConfig.getInitParameter(CONFIG_INCLUDE_HEADERS).split(","));
+ cacheKeyHeader = filterConfig.getInitParameter(CONFIG_CACHE_KEY_HEADER) !=
null ? filterConfig
+ .getInitParameter(CONFIG_CACHE_KEY_HEADER) :
DEFAULT_CACHE_KEY_HEADER;
+ String cachetime = filterConfig.getInitParameter(CONFIG_EXPIRE_AFTER);
+ if (cachetime != null) {
+ int expireAfterMinutes = Integer.parseInt(cachetime);
+ authenticationCache = CacheBuilder.newBuilder()
+ .expireAfterWrite(expireAfterMinutes, TimeUnit.MINUTES)
+ .build();
+ }
+
+ userHeader = filterConfig.getInitParameter(CONFIG_USER_HEADER);
+ if (userHeader == null || userHeader.isEmpty()) {
+ LOGGER.missingRequiredParameter(CONFIG_USER_HEADER);
+ throw new ServletException(CONFIG_USER_HEADER + " is a missing required
param.");
+ }
+
+ groupHeader = filterConfig.getInitParameter(CONFIG_GROUP_HEADER);
Review Comment:
Yeah, well this was going to require a follow on for the list which was why
I didn't make it default to begin with. I'll make it default for now but we
will need a follow on for the list.
Issue Time Tracking
-------------------
Worklog Id: (was: 958815)
Time Spent: 50m (was: 40m)
> Remote Authentication Provider for Levaraging other Knox Instances
> ------------------------------------------------------------------
>
> Key: KNOX-3096
> URL: https://issues.apache.org/jira/browse/KNOX-3096
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Time Spent: 50m
> Remaining Estimate: 0h
>
> There are various possibilities for leveraging the authentication
> capabilities across Knox instances. One compelling reason is for
> containerized Knox instances within k8s that would like to accept CLIENT_ID
> and CLIENT_SECRET or Passcode tokens but do not have a local database
> provisioned. These Knox instances can accept the tokens by delegating the
> authentication to a remote instance configured with the appropriate database
> or other details that may not be available to all other instances. It will
> need to cache authentication results for a short but meaningful enough time
> to reduce the chance of authentication storms against the remote server. At
> the same time, authentication can't outlive a change in the user's status any
> dangerous amount of time. Perhaps default to 5 mins.
> It should allow for the configuration of all relevant possible items such as:
> 1. remote authentication server url (likely to the KNOX-AUTH-SERVICE API)
> 2. truststore location
> 3. truststore password/alias
> 4. headers to include in the call to the remote server from the request being
> processed
> 5. expected headers from the response to include the user and groups
> 6. interval in mins for cache of authentication result to reduce
> authentication storms to remote server
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
