[ https://issues.apache.org/jira/browse/KNOX-3048?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sandeep More updated KNOX-3048:
-------------------------------
    Description: 
*Problem Statement:*
Currently Knox has the ability for specific users (say, e.g. {{sp_user}}) to 
impersonate other users (say, e.g. {{ot_user}}). This is driven by configs 
defined in a topology. Currently these configs are needed for each user that 
impersonates other users (i.e. {{sp_user}}); this can get out of hand quickly 
and can be difficult to maintain.

To solve this problem the proposed solution uses a group-level impersonation 
configuration. This configuration will be based on the virtual groups feature 
that is already available in Knox. With this new configuration we can have 
specific users who belong to one or more virtual groups (based on conditions 
such as {{(match groups 'analyst|scientist')}}) impersonate other users. This 
will significantly cut down on the config properties and keep them readable 
and maintainable.





  was:
It would be useful to allow the ability to configure proxy user impersonation 
configuration for all those users belonging to a particular group.

For example, topologies currently require such configuration for every "end 
user" who is designated as a Knox admin to perform impersonation for the token 
API. This potentially results in too much config in a topology, and represents 
an administration burden on Knox admins.

The proposal is to add support for groups, for which the surrogate proxy user 
config could be defined (once) in the topology, for which authenticated users 
would be validated against their membership in the configured group before 
being permitted to perform impersonation.

This can be supported by adding a qualifying prefix (e.g., GRP__) to a group 
name, and the ACL will be created.

*Example provider configuration with "surrogate" admin group proxyuser configuration*
{code:xml}
<provider>
    <role>identity-assertion</role>
    <name>Default</name>
    <enabled>true</enabled>
    <param>
        <name>hadoop.proxyuser.impersonation.enabled</name>
        <value>true</value>
    </param>
    <param>
        <name>hadoop.proxyuser.GRP__admin.users</name>
        <value>*</value>
    </param>
    <param>
        <name>hadoop.proxyuser.GRP__admin.groups</name>
        <value>*</value>
    </param>
    <param>
        <name>hadoop.proxyuser.GRP__admin.hosts</name>
        <value>NONE</value>
    </param>
</provider>
{code}
With this type of configuration, an extension of 
_org.apache.hadoop.security.authorize.DefaultImpersonationProvider_ 
can be implemented, overriding the following method

_public void authorize(UserGroupInformation user, String remoteAddress) throws AuthorizationException_

to catch the AuthorizationException resulting from the lack of any 
user-specific ACL, and check for ACLs associated with the impersonating user's 
groups.
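The following Python model is an added example, not Knox's or Hadoop's code, written to show how the two ideas in the descriptions above fit together: a user-level {{hadoop.proxyuser.<user>.*}} ACL is consulted first, and only when no user-specific ACL exists does the check fall back to group-level entries marked with the proposed {{GRP__}} prefix, where the impersonating user's groups include virtual groups derived from a {{(match groups 'regex')}} condition. The Hadoop-style meaning of {{users}}, {{groups}} and {{hosts}} (user-or-group match AND host match, {{*}} as wildcard), the full-regex matching of the condition, the function names and the sample parameters are all assumptions made for this example.

```python
"""Model of proxyuser ACL evaluation with a GRP__ group-level fallback.

Added example, not Knox's or Hadoop's code. Assumptions (also in the lead-in):
- keys follow hadoop.proxyuser.<name>.users/.groups/.hosts, comma-separated,
  '*' is a wildcard, and an empty hosts list denies;
- a <name> starting with GRP__ is a group-level ACL, anything else user-level;
- a virtual group condition has the form (match groups 'regex') and holds when
  one of the user's real groups fully matches the regex;
- the group fallback is used only when no user-level ACL exists for the caller.
"""
import re
from dataclasses import dataclass, field

PREFIX = "hadoop.proxyuser."
GROUP_MARKER = "GRP__"
ENABLED_KEY = "hadoop.proxyuser.impersonation.enabled"
VIRTUAL_GROUP_RE = re.compile(r"^\(match groups '([^']*)'\)$")


@dataclass
class Acl:
    users: set = field(default_factory=set)   # users that may be impersonated
    groups: set = field(default_factory=set)  # groups whose members may be impersonated
    hosts: set = field(default_factory=set)   # hosts the proxy user may connect from


def parse_proxyuser_config(params):
    """Split topology params into (user_acls, group_acls), each keyed by name."""
    user_acls, group_acls = {}, {}
    for key, value in params.items():
        if not key.startswith(PREFIX):
            continue
        name, _, attr = key[len(PREFIX):].rpartition(".")
        if attr not in ("users", "groups", "hosts"):
            continue  # e.g. impersonation.enabled is a switch, not an ACL entry
        if name.startswith(GROUP_MARKER):
            acl = group_acls.setdefault(name[len(GROUP_MARKER):], Acl())
        else:
            acl = user_acls.setdefault(name, Acl())
        getattr(acl, attr).update(v.strip() for v in value.split(",") if v.strip())
    return user_acls, group_acls


def virtual_groups(real_groups, definitions):
    """Return the virtual group names whose (match groups 'regex') condition holds."""
    result = set()
    for vg_name, condition in definitions.items():
        m = VIRTUAL_GROUP_RE.match(condition.strip())
        if m is None:
            raise ValueError(f"unsupported virtual group condition: {condition!r}")
        pattern = re.compile(m.group(1))
        if any(pattern.fullmatch(g) for g in real_groups):
            result.add(vg_name)
    return result


def _acl_allows(acl, target_user, target_groups, remote_host):
    """Hadoop-style rule: (target user allowed OR target group allowed) AND host allowed."""
    user_ok = "*" in acl.users or target_user in acl.users
    group_ok = "*" in acl.groups or bool(acl.groups & set(target_groups))
    host_ok = "*" in acl.hosts or remote_host in acl.hosts
    return (user_ok or group_ok) and host_ok


def can_impersonate(params, vg_definitions, proxy_user, proxy_real_groups,
                    target_user, target_groups, remote_host):
    """Decide whether proxy_user may impersonate target_user from remote_host."""
    if params.get(ENABLED_KEY, "false").strip().lower() != "true":
        return False
    user_acls, group_acls = parse_proxyuser_config(params)
    if proxy_user in user_acls:
        # A user-specific ACL exists: it decides on its own, no group fallback.
        return _acl_allows(user_acls[proxy_user], target_user, target_groups, remote_host)
    # No user-specific ACL: consult the caller's real and virtual groups.
    effective = set(proxy_real_groups) | virtual_groups(proxy_real_groups, vg_definitions)
    for group in effective:
        acl = group_acls.get(group)
        if acl is not None and _acl_allows(acl, target_user, target_groups, remote_host):
            return True
    return False


# Constructed sample topology parameters, not taken from any real deployment.
SAMPLE_PARAMS = {
    ENABLED_KEY: "true",
    "hadoop.proxyuser.sp_user.users": "ot_user",
    "hadoop.proxyuser.sp_user.hosts": "*",
    "hadoop.proxyuser.GRP__analysts.users": "*",
    "hadoop.proxyuser.GRP__analysts.groups": "*",
    "hadoop.proxyuser.GRP__analysts.hosts": "gateway.example.internal",
}
# Constructed virtual group definition using the condition form from the issue.
SAMPLE_VIRTUAL_GROUPS = {"analysts": "(match groups 'analyst|scientist')"}

if __name__ == "__main__":
    print(can_impersonate(SAMPLE_PARAMS, SAMPLE_VIRTUAL_GROUPS, "alice", {"scientist"},
                          "bob", {"staff"}, "gateway.example.internal"))
```

The model keeps the fallback narrow on purpose: a user who has an explicit ACL that denies the request is not rescued by a group entry, so a deliberately restrictive per-user rule still wins, and a group entry without a {{hosts}} value grants nothing.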

 


> Surrogate proxy user configuration for user groups
> --------------------------------------------------
>
>                 Key: KNOX-3048
>                 URL: https://issues.apache.org/jira/browse/KNOX-3048
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 2.0.0
>            Reporter: Philip Zampino
>            Assignee: Sandeep More
>            Priority: Major
>             Fix For: 2.1.0
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
