[ https://issues.apache.org/jira/browse/KNOX-3048?focusedWorklogId=969899&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-969899 ]

ASF GitHub Bot logged work on KNOX-3048:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 19/May/25 20:14
            Start Date: 19/May/25 20:14
    Worklog Time Spent: 10m 
      Work Description: moresandeep commented on PR #1043:
URL: https://github.com/apache/knox/pull/1043#issuecomment-2892161299

   
   **Note**: _The following summary is generated using co-pilot_
   
   This pull request refactors the `CommonIdentityAssertionFilter` class and its related tests to improve code maintainability, readability, and functionality. Key changes include the introduction of a new method for checking impersonation provider requirements, reorganization of imports, and updates to test cases to align with the refactored implementation.
   
   ### Refactoring and Code Simplification:
   * Introduced the `shouldAddImpersonationProvider` method to encapsulate logic for determining if the impersonation provider should be added, replacing inline checks. (`[gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.javaR170-R180](diffhunk://#diff-4577bd8f7a7a8aa491f44533f5111e9deb9496962b2059d5e0cbb3f1b59c4bfdR170-R180)`)
   * Removed redundant methods `virtualGroupParameterNames` and `unique`, and integrated their functionality directly where needed. (`[[1]](diffhunk://#diff-4577bd8f7a7a8aa491f44533f5111e9deb9496962b2059d5e0cbb3f1b59c4bfdL207-L211)`, `[[2]](diffhunk://#diff-4577bd8f7a7a8aa491f44533f5111e9deb9496962b2059d5e0cbb3f1b59c4bfdL299-R312)`)
   * Reorganized imports in `CommonIdentityAssertionFilter` to improve clarity and remove unused dependencies. (`[[1]](diffhunk://#diff-4577bd8f7a7a8aa491f44533f5111e9deb9496962b2059d5e0cbb3f1b59c4bfdL20-L46)`, `[[2]](diffhunk://#diff-4577bd8f7a7a8aa491f44533f5111e9deb9496962b2059d5e0cbb3f1b59c4bfdL65-R90)`)
   
   ### Test Case Updates:
   * Updated test cases in `CommonIdentityAssertionFilterTest` to use the refactored `shouldAddImpersonationProvider` method and replaced references to the removed `IMPERSONATION_ENABLED_PARAM` constant. (`[[1]](diffhunk://#diff-f1e853cfe04089b2ce1381bc562b0d6e96ace1db5ee2c0085fa1dd8bdaaae7dfL286-R264)`, `[[2]](diffhunk://#diff-f1e853cfe04089b2ce1381bc562b0d6e96ace1db5ee2c0085fa1dd8bdaaae7dfL141-R141)`)
   * Reorganized imports in `CommonIdentityAssertionFilterTest` for consistency with the refactored implementation. (`[[1]](diffhunk://#diff-f1e853cfe04089b2ce1381bc562b0d6e96ace1db5ee2c0085fa1dd8bdaaae7dfL20-R40)`, `[[2]](diffhunk://#diff-f1e853cfe04089b2ce1381bc562b0d6e96ace1db5ee2c0085fa1dd8bdaaae7dfL41-R60)`)
   * Added expectations for new impersonation-related parameters in `HadoopAuthFilterTest` to ensure compatibility with the updated implementation. (`[[1]](diffhunk://#diff-856be9bd8db07e7ffa4042e3f2943b254b2c6204e1bd7e50c6bfae8fa89e3cf3R148-R149)`, `[[2]](diffhunk://#diff-856be9bd8db07e7ffa4042e3f2943b254b2c6204e1bd7e50c6bfae8fa89e3cf3R214-R215)`, `[[3]](diffhunk://#diff-856be9bd8db07e7ffa4042e3f2943b254b2c6204e1bd7e50c6bfae8fa89e3cf3R266-R267)`, `[[4]](diffhunk://#diff-856be9bd8db07e7ffa4042e3f2943b254b2c6204e1bd7e50c6bfae8fa89e3cf3R329-R330)`, `[[5]](diffhunk://#diff-856be9bd8db07e7ffa4042e3f2943b254b2c6204e1bd7e50c6bfae8fa89e3cf3R392-R393)`)

Issue Time Tracking
-------------------

    Worklog Id:     (was: 969899)
    Time Spent: 1h  (was: 50m)

> Surrogate proxy user configuration for user groups
> --------------------------------------------------
>
>                 Key: KNOX-3048
>                 URL: https://issues.apache.org/jira/browse/KNOX-3048
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 2.0.0
>            Reporter: Philip Zampino
>            Assignee: Sandeep More
>            Priority: Major
>             Fix For: 2.1.0
>
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> *Problem Statement:*
> Currently Knox has the ability for specific users (e.g. {{sp_user}}) 
> to impersonate other users (e.g. {{ot_user}}). This is driven by 
> configs defined in a topology. Currently these configs are needed for each 
> user that impersonates other users (i.e. {{sp_user}}); this can get out of 
> hand quickly and can be difficult to maintain.
> To solve this problem, the proposed solution uses a group-level impersonation 
> configuration. This configuration will be based on the virtual groups feature 
> that is already available in Knox. With this new configuration we can have 
> specific users who belong to one or more virtual groups (based on conditions 
> such as {{(match groups 'analyst|scientist')}}) impersonate other users. This 
> will significantly cut down on the config properties and keep them readable 
> and maintainable.


