smolnar82 opened a new pull request, #1083:
URL: https://github.com/apache/knox/pull/1083

   
   ## What changes were proposed in this pull request?
   
   (Please fill in changes proposed in this fix)
   
   ## How was this patch tested?
   
   Updated existing unit tests, added new test cases to cover the new functionality and executed them successfully.
   
   Additionally, I conducted manual testing using the OOTB LDAP server with different users:
   ```
   analyst  group
   member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
   member: uid=tom,ou=people,dc=hadoop,dc=apache,dc=org
   
   scientist group
   member: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
   
   admin group
   member: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
   ```
   
   In order for the group-based authorization to work, I changed the `DEFAULT` identity assertion filter to `HadoopGroupProvider` in the `homepage` topology as well as edited the `gateway-site.xml` and added `sam` and `tom` to `gateway.knox.token.management.users.can.see.all.tokens`.
   
   Other than this, I customized the `knox.token.renewer.whitelist` (RW, going forward) and `knox.token.renewer.group.whitelist` (GRW, going forward) service-level params.
   
   Since token renewal is not exposed on the token management UI, only token revocation, I tested using that functionality (they both have been updated the same way).
   
   Cases:
   - Logged in user: admin, RW: admin, GRW: empty -> token revocation succeeded ✅
   - Logged in user: admin, RW: empty, GRW: admin -> token revocation succeeded ✅
   - Logged in user: sam, RW: empty, GRW: scientist -> token revocation succeeded ✅
   - Logged in user: sam, RW: empty, GRW: analyst -> token revocation succeeded ✅
   - Logged in user: sam, RW: empty, GRW: admin -> token revocation failed ✅
   - Logged in user: tom, RW: empty, GRW: scientist -> token revocation failed ✅
   - Logged in user: tom, RW: empty, GRW: analyst -> token revocation succeeded ✅
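
The seven manual cases above can be replayed as a small decision model. This is an added example, not code from the pull request or from Knox: the class and method names are hypothetical, and the rule (allowed when the user is in RW or one of the user's groups is in GRW) is an assumption inferred from the listed outcomes.

```java
import java.util.*;

// Added illustration, not Knox code: all names here are hypothetical.
public class RenewerWhitelistModel {
    // Group membership as listed in the PR's LDAP test data (group -> member DNs).
    static final Map<String, List<String>> LDAP_GROUPS = Map.of(
        "analyst", List.of("uid=sam,ou=people,dc=hadoop,dc=apache,dc=org",
                           "uid=tom,ou=people,dc=hadoop,dc=apache,dc=org"),
        "scientist", List.of("uid=sam,ou=people,dc=hadoop,dc=apache,dc=org"),
        "admin", List.of("uid=admin,ou=people,dc=hadoop,dc=apache,dc=org"));

    // Split a comma-separated whitelist value; an empty value yields an empty set.
    static Set<String> parse(String csv) {
        Set<String> out = new HashSet<>();
        for (String s : csv.split(",")) {
            if (!s.isBlank()) out.add(s.trim());
        }
        return out;
    }

    // Groups whose member list contains a DN beginning with "uid=<user>,".
    static Set<String> groupsOf(String user) {
        Set<String> groups = new HashSet<>();
        LDAP_GROUPS.forEach((group, members) -> {
            for (String dn : members) {
                if (dn.startsWith("uid=" + user + ",")) groups.add(group);
            }
        });
        return groups;
    }

    // Assumed rule: allowed if the user is in RW or any of the user's groups is in GRW.
    // In this model, two empty lists allow nobody (fail closed).
    static boolean canRevoke(String user, String rw, String grw) {
        if (parse(rw).contains(user)) return true;
        return !Collections.disjoint(groupsOf(user), parse(grw));
    }

    public static void main(String[] args) {
        // {user, RW, GRW, expected}, taken from the seven cases in the PR description.
        String[][] cases = {
            {"admin", "admin", "", "true"}, {"admin", "", "admin", "true"},
            {"sam", "", "scientist", "true"}, {"sam", "", "analyst", "true"},
            {"sam", "", "admin", "false"}, {"tom", "", "scientist", "false"},
            {"tom", "", "analyst", "true"}};
        for (String[] c : cases) {
            boolean got = canRevoke(c[0], c[1], c[2]);
            if (got != Boolean.parseBoolean(c[3])) throw new AssertionError(String.join("/", c));
            System.out.printf("%s RW=[%s] GRW=[%s] -> %s%n", c[0], c[1], c[2], got ? "allowed" : "denied");
        }
    }
}
```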
   
   