[jira] [Work logged] (KNOX-3048) Surrogate proxy user configuration for user groups

[ASF GitHub Bot (Jira)]

     [ 
https://issues.apache.org/jira/browse/KNOX-3048?focusedWorklogId=969993&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-969993
 ]

ASF GitHub Bot logged work on KNOX-3048:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 20/May/25 12:37
            Start Date: 20/May/25 12:37
    Worklog Time Spent: 10m 
      Work Description: zeroflag commented on code in PR #1043:
URL: https://github.com/apache/knox/pull/1043#discussion_r2097705549


##########
gateway-spi/src/main/java/org/apache/knox/gateway/util/AuthFilterUtils.java:
##########
@@ -27,227 +39,270 @@
 import java.util.concurrent.locks.Lock;
 import java.util.concurrent.locks.ReentrantLock;
 
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletContext;
-import javax.servlet.ServletRequest;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletRequestWrapper;
+public class AuthFilterUtils {
+    public static final String DEFAULT_AUTH_UNAUTHENTICATED_PATHS_PARAM = 
"/knoxtoken/api/v1/jwks.json";
+    public static final String PROXYUSER_PREFIX = "hadoop.proxyuser";
+    public static final String PROXYGROUP_PREFIX = "hadoop.proxygroup";
+    public static final String IMPERSONATION_MODE = 
"hadoop.impersonation.mode";
+    public static final String DEFAULT_IMPERSONATION_MODE = "OR";

Review Comment:
   Could you illustrate it with an example, how the OR and AND impersonation 
modes are used?





Issue Time Tracking
-------------------

    Worklog Id:     (was: 969993)
    Time Spent: 1h 20m  (was: 1h 10m)

> Surrogate proxy user configuration for user groups
> --------------------------------------------------
>
>                 Key: KNOX-3048
>                 URL: https://issues.apache.org/jira/browse/KNOX-3048
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 2.0.0
>            Reporter: Philip Zampino
>            Assignee: Sandeep More
>            Priority: Major
>             Fix For: 2.1.0
>
>          Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> *Problem Statement:*
> Currently Knox has the ability for specific users (say for e.g. {{sp_user}}) 
> to impersonate other users (say for e.g.{{ot_user}}). This is driven by 
> configs defined in a topology. Currently these configs are needed for each 
> user that impersonates other users (i.e. {{sp_user}}), this can get out of 
> hand quickly and can be difficult to maintain.
> To solve this problem the proposed solution uses a group level impersonation 
> configuration. This configuration will be based on the virtual groups feature 
> that is already available in Knox. With this new configuration we can have 
> specific users who belong to a virtual group/s (based on conditions such as 
> {{(match groups 'analyst|scientist') }}) impersonate other users. This will 
> significantly cut down on the config properties and keep them readable and 
> maintainable.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)