rlevas opened a new pull request #106: KNOX-1740 - Add Trusted Proxy Support to Knox
URL: https://github.com/apache/knox/pull/106
 
 
   ## What changes were proposed in this pull request?
   
   There are token exchange scenarios where an application may want to acquire a KnoxToken on behalf of a user authenticated by the application. We need to implement a version of the Hadoop Trusted Proxy/Impersonation pattern for Knox at the topology level.
   
   This includes:
   
   - Principal assertion method (possibilities: doAs query param, path segment within an API, HTTP header)
   - Config within topology for trusted principals, groups that they are allowed to impersonate, users that they are allowed to impersonate, IP addresses from which requests are expected
   - Make part of the identity assertion provider since this is the provider that determines which identity to assert to the downstream service
   - Config will need to be qualified by service due to the multiple services per topology
   - (Please fill in changes proposed in this fix)
   
   
   ## How was this patch tested?
   
   ```
   mvn -T.5C verify -Prelease,package
   ...
   [INFO] ------------------------------------------------------------------------
   [INFO] BUILD SUCCESS
   [INFO] ------------------------------------------------------------------------
   [INFO] Total time: 16:00 min (Wall Clock)
   [INFO] Finished at: 2019-07-01T13:58:13-04:00
   [INFO] Final Memory: 280M/1728M
   [INFO] ------------------------------------------------------------------------
   ```
   
   Manually tested....
   ```
   # kinit rlevas
   rle...@example.com's password:
   # curl -k --negotiate -u: -X GET "https://knox.local:8443/gateway/dt/knoxtoken/api/v1/token?doAs=userA"
   
{"access_token":"eyJhbGciOiJSUzI...","endpoint_public_cert":"MIIDaD...","token_type":"Bearer","expires_in":1562008370648}%
   ```
   ```
   # kinit jqpublic
   jqpub...@example.com's password:
   # curl -k --negotiate -u: -X GET "https://knox.local:8443/gateway/dt/knoxtoken/api/v1/token?doAs=userA"
   {
     "RemoteException" : {
       "message" : "User: jqpublic is not allowed to impersonate userA",
       "exception" : "AuthorizationException",
       "javaClassName" : "org.apache.hadoop.security.authorize.AuthorizationException"
     }
   }%
   ```
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services

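The PR description lists the ingredients of the Hadoop-style trusted proxy check (a trusted principal, the users and groups it may impersonate, and the hosts it may call from) and the manual test shows both outcomes: rlevas may acquire a token as userA, jqpublic may not. The following is an added, self-contained illustration of that authorization logic in Python; it is not Knox or Hadoop code and does not reproduce the PR's implementation. It borrows the property-key shape `hadoop.proxyuser.<principal>.users|groups|hosts` from Hadoop's proxyuser configuration, the sample configuration and the `lookup_groups` callback are constructed for the example, and only the first denial message is taken from the page.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed for this example: mirrors the shape of Hadoop's
# hadoop.proxyuser.<principal>.{users,groups,hosts} properties. Not Knox code.
PREFIX = "hadoop.proxyuser."


class AuthorizationException(Exception):
    """Raised when a principal may not act on behalf of the requested user."""


@dataclass
class ProxyRule:
    users: set = field(default_factory=set)   # target users, or {"*"} for any
    groups: set = field(default_factory=set)  # target groups, or {"*"} for any
    hosts: set = field(default_factory=set)   # caller IPs/CIDRs, or {"*"} for any


def parse_proxyuser_config(props):
    """Build {principal: ProxyRule} from flat key/value properties."""
    rules = {}
    for key, value in props.items():
        if not key.startswith(PREFIX):
            continue
        principal, _, kind = key[len(PREFIX):].rpartition(".")
        if not principal or kind not in ("users", "groups", "hosts"):
            continue
        entries = {v.strip() for v in value.split(",") if v.strip()}
        setattr(rules.setdefault(principal, ProxyRule()), kind, entries)
    return rules


def host_allowed(hosts, remote_ip):
    """True if the caller's IP matches the rule's hosts list ('*' or an IP/CIDR).
    An empty hosts list allows nothing: the restriction must be set explicitly."""
    if "*" in hosts:
        return True
    try:
        ip = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False
    for entry in hosts:
        try:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # hostnames are not resolved here; only IPs/CIDRs count
    return False


def authorize(rules, proxy_user, target_user, target_groups, remote_ip):
    """Raise AuthorizationException unless proxy_user may impersonate target_user
    from remote_ip. Both the user/group match and the host match must pass."""
    denied = AuthorizationException(
        f"User: {proxy_user} is not allowed to impersonate {target_user}")
    rule = rules.get(proxy_user)
    if rule is None:
        raise denied
    user_ok = ("*" in rule.users or target_user in rule.users
               or "*" in rule.groups or bool(rule.groups & set(target_groups)))
    if not user_ok:
        raise denied
    if not host_allowed(rule.hosts, remote_ip):
        raise AuthorizationException(
            f"Unauthorized connection for super-user: {proxy_user} from IP {remote_ip}")


def effective_user(rules, authenticated_user, query_params, remote_ip, groups_of):
    """Resolve the identity to assert downstream. The proxy identity is always the
    already-authenticated principal (e.g. from SPNEGO), never a client-supplied
    value; only the target comes from the doAs query parameter."""
    target = query_params.get("doAs")
    if not target or target == authenticated_user:
        return authenticated_user
    authorize(rules, authenticated_user, target, groups_of(target), remote_ip)
    return target


# Constructed sample configuration: rlevas may impersonate two named users from
# 10/8 or localhost; svc-etl may impersonate any member of "analysts" from anywhere;
# jqpublic has no rule at all.
SAMPLE_PROPS = {
    "hadoop.proxyuser.rlevas.users": "userA,userB",
    "hadoop.proxyuser.rlevas.hosts": "10.0.0.0/8,127.0.0.1",
    "hadoop.proxyuser.svc-etl.groups": "analysts",
    "hadoop.proxyuser.svc-etl.hosts": "*",
}
RULES = parse_proxyuser_config(SAMPLE_PROPS)

# Constructed stand-in for a group lookup service.
GROUPS = {"alice": {"analysts"}, "userA": set()}


def lookup_groups(user):
    return GROUPS.get(user, set())


if __name__ == "__main__":
    print(effective_user(RULES, "rlevas", {"doAs": "userA"}, "10.1.2.3", lookup_groups))
    try:
        effective_user(RULES, "jqpublic", {"doAs": "userA"}, "10.1.2.3", lookup_groups)
    except AuthorizationException as e:
        print(e)
```

Two points worth checking in any real deployment of this pattern: the proxy principal must be taken from the authenticated identity rather than from a header the client controls, otherwise the doAs check authorizes whoever the client claims to be; and a `hosts` value of `*` removes the network constraint entirely, so a compromised credential for a trusted principal becomes usable from anywhere.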