[ 
https://issues.apache.org/jira/browse/KNOX-3350?focusedWorklogId=1025205&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1025205
 ]

ASF GitHub Bot logged work on KNOX-3350:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 15/Jun/26 12:26
            Start Date: 15/Jun/26 12:26
    Worklog Time Spent: 10m 
      Work Description: smolnar82 opened a new pull request, #1264:
URL: https://github.com/apache/knox/pull/1264

   [KNOX-3350](https://issues.apache.org/jira/browse/KNOX-3350) - Add group 
information into the generated JWT in WebSSOResource
   
   ## What changes were proposed in this pull request?
   This PR introduces the ability to include group information in the JWT 
tokens generated by `WebSSOResource` (KnoxSSO). 
   
   
    Key changes include:
     * Added a new configuration parameter `knoxsso.token.include.groups` to 
control whether group information should be included in the issued JWT.
     * Refactored `WebSSOResource` to include a package-protected `groups()` 
method, facilitating easier testing and overriding of group retrieval logic.
     * Updated `getAuthenticationToken` in `WebSSOResource` to populate the 
`groups` claim in `JWTokenAttributes` when the feature is enabled.
     * Fixed a typo in the constant name for the new configuration parameter.
     * Standardized group retrieval in `TokenResource` by utilizing 
`SubjectUtils.getCurrentGroupPrincipalNames()`.
   
   ## How was this patch tested?
   
   The changes were verified by adding comprehensive unit tests in 
`WebSSOResourceTest`:
     * `testIncludeGroupsTrue`: Verifies that groups are correctly included in 
the JWT when `knoxsso.token.include.groups` is set to `true`.
     * `testIncludeGroupsFalse`: Verifies that groups are excluded when the 
parameter is set to `false`.
     * `testIncludeGroupsOmitted`: Verifies that the default behavior (when the 
parameter is missing) is to exclude groups.
   
   ## Integration Tests
   I ran manual testing using my local Knox instance against the `knoxsso` 
topology. I logged in as `recursiveUser`, verified `hadoop-jwt` (extracted from 
DEV tools in Chrome) is generated, then checked its content on `jwt.io`:
   
   1. Without `knoxsso.token.include.groups`:
   <img width="1338" height="525" alt="image" src="https://github.com/user-attachments/assets/c6af3bd7-3ee3-4f20-a968-4bbc38673190" />
   
   2. `knoxsso.token.include.groups = false`:
   <img width="1332" height="520" alt="image" src="https://github.com/user-attachments/assets/bdd3ea1d-ecfb-4604-9aa5-311373b8e4c4" />
   
   3. `knoxsso.token.include.groups = true`:
   <img width="1333" height="626" alt="image" src="https://github.com/user-attachments/assets/605f9429-abcc-4db0-b6df-09dd880516b5" />
   
   
   ## UI changes
   N/A




Issue Time Tracking
-------------------

            Worklog Id:     (was: 1025205)
    Remaining Estimate: 0h
            Time Spent: 10m

> Allow group membership information to be included in issued KNOXSSO cookie
> --------------------------------------------------------------------------
>
>                 Key: KNOX-3350
>                 URL: https://issues.apache.org/jira/browse/KNOX-3350
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: KnoxSSO
>    Affects Versions: 2.0.0, 2.1.0
>            Reporter: Sandor Molnar
>            Priority: Major
>             Fix For: 3.0.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> KNOX-2731 added the ability to include group information (if available), in 
> the generated JWTs by the {{KNOXTOKEN}} service.
> It'd be beneficial to decorate the `hadoop-jwt` SSO cookie with groups as 
> well (in case it's configured).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
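
The three manual checks in the pull request description can be done offline by decoding the `hadoop-jwt` cookie value locally. The following is an added example, not code from the pull request or from Knox: it reads the payload without verifying the signature and reports whether a `groups` claim is present. The sample tokens, their claim values, and the assumption that `groups` is a JSON array of strings are constructed for illustration.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS; the signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def groups_in_token(token: str):
    """Return the list in the 'groups' claim, or None when the claim is absent."""
    claims = jwt_claims(token)
    if "groups" not in claims:
        return None
    groups = claims["groups"]
    # Assumption: the claim is a JSON array of group names.
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ValueError("'groups' claim is not a list of strings")
    return groups


def make_sample_token(claims: dict) -> str:
    """Build a constructed token with a dummy signature, for the demo only."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "c2lnbmF0dXJl"])


# Constructed samples mirroring the PR's cases (all values are made up).
WITHOUT_GROUPS = make_sample_token({"sub": "recursiveUser", "iss": "KNOXSSO"})
WITH_GROUPS = make_sample_token(
    {"sub": "recursiveUser", "iss": "KNOXSSO", "groups": ["groupA", "groupB"]}
)

if __name__ == "__main__":
    for label, tok in [("include.groups unset/false", WITHOUT_GROUPS),
                       ("include.groups true", WITH_GROUPS)]:
        print(label, "->", groups_in_token(tok))
```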
