[
https://issues.apache.org/jira/browse/KNOX-3048?focusedWorklogId=969897&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-969897
]
ASF GitHub Bot logged work on KNOX-3048:
----------------------------------------
Author: ASF GitHub Bot
Created on: 19/May/25 20:13
Start Date: 19/May/25 20:13
Worklog Time Spent: 10m
Work Description: moresandeep commented on PR #1043:
URL: https://github.com/apache/knox/pull/1043#issuecomment-2892159271
Following are the major changes in `CommonIdentityAssertionFilter` class
- Centralized “is impersonation enabled” logic
• Old: read IMPERSONATION_ENABLED_PARAM directly from
filterConfig, parsed its boolean value inline
• New: delegated that check to a new helper
- Eliminated duplicate constant
• Removed the class-local static final String
IMPERSONATION_ENABLED_PARAM = AuthFilterUtils.PROXYUSER_PREFIX +
".impersonation.enabled";
• Instead statically import
AuthFilterUtils.IMPERSONATION_ENABLED_PARAM (and added
GROUP_IMPERSONATION_ENABLED_PARAM for future use)
- Helper methods promoted & grouped
• Moved virtualGroupParameterNames(...) and unique(...) up near
the top of the class, declared them private static so all utility logic is
visible before the lifecycle methods.
- No other behavior changes
• All the parsing of advanced principal mappings, virtual-group
loading, doFilter flow, etc., is untouched—only how and where the impersonation
flag is determined was refactored.
Issue Time Tracking
-------------------
Worklog Id: (was: 969897)
Time Spent: 50m (was: 40m)
> Surrogate proxy user configuration for user groups
> --------------------------------------------------
>
> Key: KNOX-3048
> URL: https://issues.apache.org/jira/browse/KNOX-3048
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 2.0.0
> Reporter: Philip Zampino
> Assignee: Sandeep More
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> *Problem Statement:*
> Currently Knox has the ability for specific users (say for e.g. {{sp_user}})
> to impersonate other users (say for e.g.{{ot_user}}). This is driven by
> configs defined in a topology. Currently these configs are needed for each
> user that impersonates other users (i.e. {{sp_user}}), this can get out of
> hand quickly and can be difficult to maintain.
> To solve this problem the proposed solution uses a group level impersonation
> configuration. This configuration will be based on the virtual groups feature
> that is already available in Knox. With this new configuration we can have
> specific users who belong to a virtual group/s (based on conditions such as
> {{(match groups 'analyst|scientist') }}) impersonate other users. This will
> significantly cut down on the config properties and keep them readable and
> maintainable.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
