Sandor Molnar created KNOX-3188:
-----------------------------------

             Summary: Add group-based configuration parameter for KnoxToken 
renewer/revoker access control
                 Key: KNOX-3188
                 URL: https://issues.apache.org/jira/browse/KNOX-3188
             Project: Apache Knox
          Issue Type: Improvement
          Components: Server
    Affects Versions: 1.6.0, 2.0.0, 2.1.0
            Reporter: Sandor Molnar
            Assignee: Sandor Molnar
             Fix For: 3.0.0


Currently, the {{knox.token.renewer.whitelist}} parameter allows administrators 
to specify a comma-separated list of users who are authorized to invoke 
KnoxToken renewal and revocation APIs. While this works for individual users, 
it does not provide a convenient way to manage authorization at the group level.

In environments where user/group membership is centrally managed (e.g., via 
LDAP, AD, or other identity providers), group-based access control is often 
preferred to simplify configuration and ongoing maintenance. Without group 
support, administrators must list each individual user explicitly, which 
becomes cumbersome and error-prone, especially in larger deployments.

{*}Proposal{*}:
Introduce a new optional configuration parameter (e.g., 
{{knox.token.renewer.group.whitelist}}) that accepts a comma-separated list 
of groups. Any user belonging to one of the listed groups should be authorized 
to renew or revoke tokens.

{*}Example{*}:
{code:java}
knox.token.renewer.whitelist=alice,bob
knox.token.renewer.group.whitelist=admins,devops
{code}
In the above example, both explicitly whitelisted users ({{alice}}, 
{{bob}}) and any users belonging to the {{admins}} or {{devops}} groups 
would be allowed to invoke the renewal/revocation APIs.
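The check the proposal describes (direct user match OR any group match, with the user whitelist alone applying when the group parameter is unset) can be sketched as follows. This is an added illustration, not Knox code: the class and method names are hypothetical, the sample principals and their group memberships are constructed, and an unset or empty parameter is treated as an empty set, which is an assumption about the existing whitelist semantics that this ticket does not spell out.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/**
 * Hypothetical authorizer for KnoxToken renew/revoke requests (not Knox's own code).
 * It combines the two comma-separated parameters from the proposal. An unset or
 * blank group parameter contributes no groups, so the decision then rests on the
 * user whitelist alone, which is the backwards-compatibility requirement.
 */
public final class TokenRenewerAuthorizer {
    private final Set<String> allowedUsers;
    private final Set<String> allowedGroups;

    public TokenRenewerAuthorizer(String userWhitelist, String groupWhitelist) {
        this.allowedUsers = parseList(userWhitelist);
        this.allowedGroups = parseList(groupWhitelist);
    }

    /** Splits "a, b,,c " into {"a","b","c"}; null or blank input yields an empty set. */
    static Set<String> parseList(String csv) {
        Set<String> result = new LinkedHashSet<>();
        if (csv == null) {
            return result;
        }
        for (String item : csv.split(",")) {
            String trimmed = item.trim();
            if (!trimmed.isEmpty()) {
                result.add(trimmed);
            }
        }
        return result;
    }

    /**
     * The caller is authorized if it is named in the user whitelist or if any of
     * its groups appears in the group whitelist. The groups must be the ones
     * established for the authenticated principal, never values taken from the
     * request itself.
     */
    public boolean isAuthorized(String user, Collection<String> userGroups) {
        if (user != null && allowedUsers.contains(user)) {
            return true;
        }
        if (userGroups == null) {
            return false;
        }
        for (String group : userGroups) {
            if (allowedGroups.contains(group)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Values taken from the example configuration in this ticket
        TokenRenewerAuthorizer authz =
            new TokenRenewerAuthorizer("alice,bob", "admins,devops");

        // Constructed sample principals with hypothetical group memberships
        check(authz, "alice", Collections.emptyList(), true); // listed user
        check(authz, "carol", List.of("devops"), true);        // allowed via group
        check(authz, "dave", List.of("analysts"), false);      // neither list matches
        check(authz, "eve", null, false);                      // no groups resolved

        // Backwards compatibility: group parameter unset, user whitelist alone applies
        TokenRenewerAuthorizer legacy = new TokenRenewerAuthorizer("alice,bob", null);
        check(legacy, "carol", List.of("devops"), false);
    }

    private static void check(TokenRenewerAuthorizer a, String user,
                              Collection<String> groups, boolean expected) {
        boolean actual = a.isAuthorized(user, groups);
        System.out.printf("%-6s %-12s -> %s%n", user, groups, actual);
        if (actual != expected) {
            throw new AssertionError("unexpected result for " + user);
        }
    }
}
```

The design point worth keeping in the real implementation is that the group list fed to the check comes from the identity Knox has already established for the caller (for example the groups resolved from LDAP or AD during authentication), so that a client cannot promote itself into {{admins}} by naming that group in a request.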

{*}Benefits{*}:
 * Simplifies administration by allowing group-based access control.

 * Reduces the risk of configuration drift when onboarding or offboarding users.

 * Aligns KnoxToken access control with common enterprise practices for 
authorization management.

{*}Acceptance Criteria{*}:
 * A new configuration parameter {{knox.token.renewer.group.whitelist}} is 
recognized.

 * Token renewal/revocation APIs check both user and group whitelists for 
authorization.

 * Backwards compatibility: existing behavior with 
{{knox.token.renewer.whitelist}} remains unchanged if the group-based parameter 
is not set.

 * Documentation is updated to reflect the new parameter.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)