[
https://issues.apache.org/jira/browse/KNOX-3188?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sandor Molnar resolved KNOX-3188.
---------------------------------
Resolution: Fixed
> Add group-based configuration parameter for KnoxToken renewer/revoker access
> control
> ------------------------------------------------------------------------------------
>
> Key: KNOX-3188
> URL: https://issues.apache.org/jira/browse/KNOX-3188
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 2.0.0, 1.6.0, 2.1.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 3.0.0
>
> Time Spent: 1h
> Remaining Estimate: 0h
>
> Currently, the {{knox.token.renewer.whitelist}} parameter allows
> administrators to specify a comma-separated list of users who are authorized
> to invoke KnoxToken renewal and revocation APIs. While this works for
> individual users, it does not provide a convenient way to manage
> authorization at the group level.
> In environments where user/group membership is centrally managed (e.g., via
> LDAP, AD, or other identity providers), group-based access control is often
> preferred to simplify configuration and ongoing maintenance. Without group
> support, administrators must list each individual user explicitly, which
> becomes cumbersome and error-prone, especially in larger deployments.
> {*}Proposal{*}:
> Introduce a new optional configuration parameter (e.g.,
> {{{}knox.token.renewer.group.whitelist{}}}) that accepts a comma-separated
> list of groups. Any user belonging to one of the listed groups should be
> authorized to renew or revoke tokens.
> {*}Example{*}:
> {code:java}
> knox.token.renewer.whitelist=alice,bob
> knox.token.renewer.group.whitelist=admins,devops
> {code}
> In the above example, both explicitly whitelisted users ({{{}alice{}}},
> {{{}bob{}}}) and any users belonging to the {{admins}} or {{devops}} groups
> would be allowed to invoke the renewal/revocation APIs.
> {*}Benefits{*}:
> * Simplifies administration by allowing group-based access control.
> * Reduces the risk of configuration drift when onboarding or offboarding
> users.
> * Aligns KnoxToken access control with common enterprise practices for
> authorization management.
> {*}Acceptance Criteria{*}:
> * A new configuration parameter {{knox.token.renewer.group.whitelist}} is
> recognized.
> * Token renewal/revocation APIs check both user and group whitelists for
> authorization.
> * Backwards compatibility: existing behavior with
> {{knox.token.renewer.whitelist}} remains unchanged if the group-based
> parameter is not set.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
