[ 
https://issues.apache.org/jira/browse/KNOX-3350?focusedWorklogId=1025235&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1025235
 ]

ASF GitHub Bot logged work on KNOX-3350:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 15/Jun/26 14:45
            Start Date: 15/Jun/26 14:45
    Worklog Time Spent: 10m 
      Work Description: moresandeep commented on PR #1264:
URL: https://github.com/apache/knox/pull/1264#issuecomment-4709126433

   > @moresandeep - Thanks for your review; I replied back to the default value
   > above.
   >
   > > Subject. For SSO, groups are populated from SAML, right? Can you elaborate
   > > on how the Subject groups are populated?
   >
   > Nope. SAML is one way to authenticate. But we do support other authN
   > mechanisms, such as LDAP. In case of LDAP, Knox needs to be configured with the
   > `HadoopGroupProvider` for group lookup. If that's configured, Knox will place
   > `GroupPrincipal` items in the current Subject during the request processing flow.
   > Ultimately, we arrive at the `KNOXSSO` service (`WebSSOResource` in the
   > codebase), which is a terminating service (i.e. non-proxying), but at this
   > phase the Subject is already decorated and we can read what groups were
   > resolved by Knox.
   
   Ahh, I see, that makes sense, don't you think we should also support SAML 
and not just LDAP? IMO we should support a way to fetch groups from SAML too if 
we are supporting fetching groups from other ways too. There have been internal 
requests for this.




Issue Time Tracking
-------------------

    Worklog Id:     (was: 1025235)
    Time Spent: 1h 10m  (was: 1h)

> Allow group membership information to be included in issued KNOXSSO cookie
> --------------------------------------------------------------------------
>
>                 Key: KNOX-3350
>                 URL: https://issues.apache.org/jira/browse/KNOX-3350
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: KnoxSSO
>    Affects Versions: 2.0.0, 2.1.0
>            Reporter: Sandor Molnar
>            Priority: Major
>             Fix For: 3.0.0
>
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> KNOX-2731 added the ability to include group information (if available), in 
> the generated JWTs by the {{KNOXTOKEN}} service.
> It'd be beneficial to decorate the `hadoop-jwt` SSO cookie with groups as 
> well (in case it's configured).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
