[
https://issues.apache.org/jira/browse/KNOX-3188?focusedWorklogId=982760&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-982760
]
ASF GitHub Bot logged work on KNOX-3188:
----------------------------------------
Author: ASF GitHub Bot
Created on: 11/Sep/25 11:07
Start Date: 11/Sep/25 11:07
Worklog Time Spent: 10m
Work Description: smolnar82 commented on code in PR #1083:
URL: https://github.com/apache/knox/pull/1083#discussion_r2340209829
##########
gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java:
##########
@@ -562,8 +573,15 @@ public Response renew(String token) {
errorCode = ErrorCode.INTERNAL_ERROR;
}
} else {
- String renewer = SubjectUtils.getCurrentEffectivePrincipalName();
- if (allowedRenewers.contains(renewer)) {
+ final String renewer = SubjectUtils.getCurrentEffectivePrincipalName();
+ final Set<GroupPrincipal> groups =
SubjectUtils.getCurrentGroupPrincipals();
+
+ final boolean userAllowed = allowedRenewers.contains(renewer);
Review Comment:
Good idea, I'll submit a new PS soon.
Issue Time Tracking
-------------------
Worklog Id: (was: 982760)
Time Spent: 40m (was: 0.5h)
> Add group-based configuration parameter for KnoxToken renewer/revoker access
> control
> ------------------------------------------------------------------------------------
>
> Key: KNOX-3188
> URL: https://issues.apache.org/jira/browse/KNOX-3188
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 2.0.0, 1.6.0, 2.1.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 3.0.0
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> Currently, the {{knox.token.renewer.whitelist}} parameter allows
> administrators to specify a comma-separated list of users who are authorized
> to invoke KnoxToken renewal and revocation APIs. While this works for
> individual users, it does not provide a convenient way to manage
> authorization at the group level.
> In environments where user/group membership is centrally managed (e.g., via
> LDAP, AD, or other identity providers), group-based access control is often
> preferred to simplify configuration and ongoing maintenance. Without group
> support, administrators must list each individual user explicitly, which
> becomes cumbersome and error-prone, especially in larger deployments.
> {*}Proposal{*}:
> Introduce a new optional configuration parameter (e.g.,
> {{{}knox.token.renewer.group.whitelist{}}}) that accepts a comma-separated
> list of groups. Any user belonging to one of the listed groups should be
> authorized to renew or revoke tokens.
> {*}Example{*}:
> {code:java}
> knox.token.renewer.whitelist=alice,bob
> knox.token.renewer.group.whitelist=admins,devops
> {code}
> In the above example, both explicitly whitelisted users ({{{}alice{}}},
> {{{}bob{}}}) and any users belonging to the {{admins}} or {{devops}} groups
> would be allowed to invoke the renewal/revocation APIs.
> {*}Benefits{*}:
> * Simplifies administration by allowing group-based access control.
> * Reduces the risk of configuration drift when onboarding or offboarding
> users.
> * Aligns KnoxToken access control with common enterprise practices for
> authorization management.
> {*}Acceptance Criteria{*}:
> * A new configuration parameter {{knox.token.renewer.group.whitelist}} is
> recognized.
> * Token renewal/revocation APIs check both user and group whitelists for
> authorization.
> * Backwards compatibility: existing behavior with
> {{knox.token.renewer.whitelist}} remains unchanged if the group-based
> parameter is not set.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
