[
https://issues.apache.org/jira/browse/KNOX-3048?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Work on KNOX-3048 started by Sandeep More.
------------------------------------------
> Surrogate proxy user configuration for user groups
> --------------------------------------------------
>
> Key: KNOX-3048
> URL: https://issues.apache.org/jira/browse/KNOX-3048
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 2.0.0
> Reporter: Philip Zampino
> Assignee: Sandeep More
> Priority: Major
> Fix For: 2.1.0
>
>
> It would be useful to allow the ability to configure proxy user impersonation
> configuration for all those users belonging to a particular group.
> For example, topologies currently require such configuration for every "end
> user" who is designated as a Knox admin to perform impersonation for the
> token API. This potentially results in too much config in a topology, and
> represents an administration burden on Knox admins.
> The proposal is to add support for groups, for which the surrogate proxy user
> config could be defined (once) in the topology, for which authenticated users
> would be validated against their membership in the configured group before
> being permitted to perform impersonation.
> This can be supported by adding a qualifying prefix (e.g., GRP__) to a group
> name, and the ACL will be created.
> *Example provider configuration with "surrogate" admin group proxyuser
> configuration*
> {code:java}
> <provider>
>     <role>identity-assertion</role>
>     <name>Default</name>
>     <enabled>true</enabled>
>     <param>
>         <name>hadoop.proxyuser.impersonation.enabled</name>
>         <value>true</value>
>     </param>
>     <param>
>         <name>hadoop.proxyuser.GRP__admin.users</name>
>         <value>*</value>
>     </param>
>     <param>
>         <name>hadoop.proxyuser.GRP__admin.groups</name>
>         <value>*</value>
>     </param>
>     <param>
>         <name>hadoop.proxyuser.GRP__admin.hosts</name>
>         <value>NONE</value>
>     </param>
> </provider>
> {code}
> With this type of configuration, an extension of
> _org.apache.hadoop.security.authorize.DefaultImpersonationProvider_
> can be implemented, overriding the following method
> _public void authorize(UserGroupInformation user, String remoteAddress)
> throws AuthorizationException_
> to catch the AuthorizationException resulting from the lack of any
> user-specific ACL, and check for ACLs associated with the impersonating
> user's groups.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
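The lookup described in the issue (user-specific ACL first, then ACLs keyed by GRP__<group> for the groups of the impersonating user), as an added standalone model that is not Knox or Hadoop code. Principal stands in for UserGroupInformation, AuthorizationError for AuthorizationException, and GroupProxyAuthorizer for the proposed DefaultImpersonationProvider subclass; the .users/.groups/.hosts matching mirrors what AccessControlList and MachineList do for "*" and comma-separated lists, but the "NONE" hosts value from the example topology is not modelled (the constructed params below use "*" instead). The sample params, principals, groups and addresses are constructed for this example.

```python
"""Standalone model of the group-scoped proxyuser ACL fallback proposed in
KNOX-3048. Example code, not Knox or Hadoop code: Principal stands in for
UserGroupInformation, AuthorizationError for AuthorizationException, and
GroupProxyAuthorizer for the proposed DefaultImpersonationProvider subclass.
All sample params, principals, groups and addresses are constructed."""
from dataclasses import dataclass
from typing import Optional

CONF_PREFIX = "hadoop.proxyuser."
GROUP_PREFIX = "GRP__"          # qualifying prefix from the proposal


class AuthorizationError(Exception):
    pass


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset = frozenset()
    real_user: Optional["Principal"] = None   # set on an impersonation request


def _parse(value: str):
    """'*' -> None (wildcard); otherwise the comma-separated entries as a set."""
    value = value.strip()
    if value == "*":
        return None
    return frozenset(v.strip() for v in value.split(",") if v.strip())


class GroupProxyAuthorizer:
    def __init__(self, params: dict):
        # id -> {"users" | "groups" | "hosts": None (wildcard) | frozenset}
        self.acls: dict = {}
        for key, value in params.items():
            if not key.startswith(CONF_PREFIX):
                continue
            ident, sep, kind = key[len(CONF_PREFIX):].rpartition(".")
            if sep and kind in ("users", "groups", "hosts"):
                self.acls.setdefault(ident, {})[kind] = _parse(value)

    def _allows(self, ident: str, proxied: Principal, remote_addr: str) -> bool:
        """The proxied user must match .users or .groups of the ACL, and the
        caller's address must match .hosts. A missing entry is empty, i.e. deny."""
        acl = self.acls.get(ident)
        if acl is None:
            return False
        users = acl.get("users", frozenset())
        groups = acl.get("groups", frozenset())
        hosts = acl.get("hosts", frozenset())
        user_ok = users is None or proxied.name in users
        group_ok = groups is None or bool(proxied.groups & groups)
        host_ok = hosts is None or remote_addr in hosts
        return (user_ok or group_ok) and host_ok

    def authorize(self, user: Principal, remote_addr: str) -> None:
        real = user.real_user
        if real is None:
            return                          # plain request, nothing to check
        # 1. user-specific ACL, the way DefaultImpersonationProvider resolves it
        if real.name in self.acls:
            if not self._allows(real.name, user, remote_addr):
                raise AuthorizationError(
                    f"User: {real.name} is not allowed to impersonate {user.name}")
            return
        # 2. fallback, only because no user-specific ACL exists: GRP__<group>
        #    ACLs for the groups of the *real* (impersonating) user
        for group in sorted(real.groups):
            if self._allows(GROUP_PREFIX + group, user, remote_addr):
                return
        raise AuthorizationError(
            f"User: {real.name} is not allowed to impersonate {user.name}")


def is_allowed(authorizer: GroupProxyAuthorizer, user: Principal, remote_addr: str) -> bool:
    try:
        authorizer.authorize(user, remote_addr)
        return True
    except AuthorizationError:
        return False


# Constructed topology params: the page's GRP__admin entry (hosts widened to
# "*" here), a narrower GRP__support entry, and one per-user entry for "dave".
SAMPLE_PARAMS = {
    "hadoop.proxyuser.impersonation.enabled": "true",
    "hadoop.proxyuser.GRP__admin.users": "*",
    "hadoop.proxyuser.GRP__admin.groups": "*",
    "hadoop.proxyuser.GRP__admin.hosts": "*",
    "hadoop.proxyuser.GRP__support.users": "svc_report",
    "hadoop.proxyuser.GRP__support.groups": "reporting",
    "hadoop.proxyuser.GRP__support.hosts": "10.0.0.5",
    "hadoop.proxyuser.dave.users": "bob",
    "hadoop.proxyuser.dave.hosts": "*",
}

if __name__ == "__main__":
    az = GroupProxyAuthorizer(SAMPLE_PARAMS)
    admin = Principal("knoxadmin", frozenset({"admin"}))
    print(is_allowed(az, Principal("bob", real_user=admin), "10.0.0.9"))
```

Two points a reviewer of the real implementation would want settled. First, the fallback here runs only when no user-specific ACL exists; a catch-all around super.authorize() would instead let a broad GRP__ ACL override a deliberately narrow per-user ACL (dave above is limited to impersonating bob even though he is in the admin group). Second, users=* together with groups=* lets every member of the group impersonate anyone, including other admins, so the group entry should be scoped to the service accounts the token API actually needs, as GRP__support is in the constructed params.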