Posted to dev@knox.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/08/25 08:12:00 UTC

[jira] [Work logged] (KNOX-2792) New Knox service to add custom auth headers in the response

     [ https://issues.apache.org/jira/browse/KNOX-2792?focusedWorklogId=803500&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-803500 ]

ASF GitHub Bot logged work on KNOX-2792:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 25/Aug/22 08:11
            Start Date: 25/Aug/22 08:11
    Worklog Time Spent: 10m 
      Work Description: smolnar82 opened a new pull request, #625:
URL: https://github.com/apache/knox/pull/625

   ## What changes were proposed in this pull request?
   
   A brand new Maven module was created where all authentication- and authorization-related REST API endpoints can/should be added in the future. Within this module, a new Knox service type was added called `KNOX-AUTH-SERVICE`, which should be added into any Knox topology like this:
   ```
       <service>
            <role>KNOX-AUTH-SERVICE</role>
       </service>
   ```
   
   In this JIRA I already implemented one REST API endpoint with a very simple job: if a valid principal is found in the incoming request, a header is added to the response (by default `X-Knox-Actor-ID`) with the principal name. In addition, if the authenticated subject has groups, they are added as comma-separated entries in header(s) of the default form `X-Knox-Actor-Groups-#num`. Each group header has a character limit of 1000 to keep them reasonably sized. The header names can be customized via configuration properties.
   
   ## How was this patch tested?
   
   Implemented new unit test cases and ran the following manual steps:
   1. Added the above-referenced new Knox service to the sandbox topology
   2. Executed the following `curl` commands and verified the `X-Knox-Actor-ID` header was properly populated.
   ```
   $ curl -iku guest:guest-password https://localhost:8443/gateway/sandbox/auth/api/v1/pre
   HTTP/1.1 200 OK
   Date: Tue, 23 Aug 2022 16:33:27 GMT
   Set-Cookie: KNOXSESSIONID=node01qn1mbdr94rhswx5i66zrdn5r0.node0; Path=/gateway/sandbox; Secure; HttpOnly
   Expires: Thu, 01 Jan 1970 00:00:00 GMT
   Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Mon, 22-Aug-2022 16:33:27 GMT; SameSite=lax
   X-Knox-Actor-ID: guest
   Content-Length: 0
   
   $ curl -iku tom:tom-password https://localhost:8443/gateway/sandbox/auth/api/v1/pre
   HTTP/1.1 200 OK
   Date: Tue, 23 Aug 2022 16:33:45 GMT
   Set-Cookie: KNOXSESSIONID=node01w44u6anaenbvils5k1rx956n1.node0; Path=/gateway/sandbox; Secure; HttpOnly
   Expires: Thu, 01 Jan 1970 00:00:00 GMT
   Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Mon, 22-Aug-2022 16:33:45 GMT; SameSite=lax
   X-Knox-Actor-ID: tom
   Content-Length: 0
   
   $ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/auth/api/v1/pre
   HTTP/1.1 200 OK
   Date: Tue, 23 Aug 2022 16:33:57 GMT
   Set-Cookie: KNOXSESSIONID=node062oijrd1x3821y26a9dx71ghw2.node0; Path=/gateway/sandbox; Secure; HttpOnly
   Expires: Thu, 01 Jan 1970 00:00:00 GMT
   Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Mon, 22-Aug-2022 16:33:57 GMT; SameSite=lax
   X-Knox-Actor-ID: admin
   Content-Length: 0
   ```
   3. Updated the `identity-assertion` provider in the sandbox topology with group mapping (it was easier than configuring the demo LDAP factory to look up groups) as follows:
   ```
           <provider>
               <role>identity-assertion</role>
               <name>Default</name>
               <enabled>true</enabled>
               <param>
                   <name>group.principal.mapping</name>
                   <value>admin=longGroupName1,longGroupName2,...,longGroupName99</value>
               </param>
           </provider>
   ```
   4. Executed one of the above `curl` commands and verified the group headers were populated as expected:
   ```
   $ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/auth/api/v1/pre
   HTTP/1.1 200 OK
   Date: Wed, 24 Aug 2022 06:15:15 GMT
   Set-Cookie: KNOXSESSIONID=node01aj8n7bjlmw8r1g8kfawtjlqx01.node0; Path=/gateway/sandbox; Secure; HttpOnly
   Expires: Thu, 01 Jan 1970 00:00:00 GMT
   Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Tue, 23-Aug-2022 06:15:15 GMT; SameSite=lax
   X-Knox-Actor-ID: admin
   X-Knox-Actor-Groups-1: longGroupName49,longGroupName48,longGroupName47,longGroupName46,longGroupName45,longGroupName44,longGroupName43,longGroupName42,longGroupName41,longGroupName40,longGroupName59,longGroupName58,longGroupName57,longGroupName56,longGroupName55,longGroupName54,longGroupName53,longGroupName52,longGroupName51,longGroupName50,longGroupName69,longGroupName68,longGroupName67,longGroupName66,longGroupName65,longGroupName64,longGroupName63,longGroupName62,longGroupName61,longGroupName60,longGroupName2,longGroupName3,longGroupName4,longGroupName5,longGroupName1,longGroupName79,longGroupName6,longGroupName7,longGroupName8,longGroupName9,longGroupName70,longGroupName78,longGroupName77,longGroupName76,longGroupName75,longGroupName74,longGroupName73,longGroupName72,longGroupName71,longGroupName81,longGroupName80,longGroupName89,longGroupName88,longGroupName87,longGroupName86,longGroupName85,longGroupName84,longGroupName83,longGroupName82,longGroupName19,longGroupName18,longGroupName17,longGroupName16
   X-Knox-Actor-Groups-2: longGroupName15,longGroupName14,longGroupName13,longGroupName92,longGroupName91,longGroupName90,longGroupName12,longGroupName11,longGroupName99,longGroupName10,longGroupName98,longGroupName97,longGroupName96,longGroupName95,longGroupName94,longGroupName93,longGroupName29,longGroupName28,longGroupName27,longGroupName26,longGroupName25,longGroupName24,longGroupName23,longGroupName22,longGroupName21,longGroupName20,longGroupName39,longGroupName38,longGroupName37,longGroupName36,longGroupName35,longGroupName34,longGroupName33,longGroupName32,longGroupName31,longGroupName30
   Content-Length: 0
   ```
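The following is an added example, not code from the pull request or from the Knox code base, written in Python to show the response-header logic the description above specifies: one header carrying the principal, and the group list packed into numbered headers so that no single header value exceeds the 1000-character limit. The `AuthHeaderConfig` field names, the greedy packing strategy, and the handling of a single group name longer than the limit are assumptions made here; the PR only states the defaults and the limit.

```python
"""Build the X-Knox-Actor-* response headers described in KNOX-2792 / PR #625.

Added illustration: the header names and the 1000-character limit come from
the PR description; the config field names and the packing rule are
assumptions for this example, not Knox's own property names or code.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Defaults as named in the PR description.
DEFAULT_ACTOR_ID_HEADER = "X-Knox-Actor-ID"
DEFAULT_ACTOR_GROUPS_HEADER_PREFIX = "X-Knox-Actor-Groups-"
DEFAULT_GROUP_HEADER_LIMIT = 1000


@dataclass
class AuthHeaderConfig:
    """Customizable header names and size limit (field names are assumed)."""
    actor_id_header: str = DEFAULT_ACTOR_ID_HEADER
    actor_groups_header_prefix: str = DEFAULT_ACTOR_GROUPS_HEADER_PREFIX
    group_header_limit: int = DEFAULT_GROUP_HEADER_LIMIT


def chunk_groups(groups: Iterable[str], limit: int) -> List[str]:
    """Greedily pack comma-separated group names into values of at most
    `limit` characters, keeping the caller's order.

    A single name longer than `limit` is emitted as its own value rather
    than being cut mid-name (assumption: a truncated group name would be
    worse for an authorizing consumer than an over-long header).
    """
    chunks: List[str] = []
    current: List[str] = []
    current_len = 0
    for group in groups:
        # Every entry after the first costs its length plus one comma.
        added = len(group) if not current else len(group) + 1
        if current and current_len + added > limit:
            chunks.append(",".join(current))
            current, current_len = [], 0
            added = len(group)
        current.append(group)
        current_len += added
    if current:
        chunks.append(",".join(current))
    return chunks


def build_auth_headers(principal: Optional[str], groups: Iterable[str],
                       config: Optional[AuthHeaderConfig] = None) -> Dict[str, str]:
    """Return the response headers for one request.

    With no authenticated principal nothing is added, so a consumer that
    keys on the actor header cannot mistake an anonymous request for a
    user. Duplicate groups are dropped while preserving order; the curl
    output in the PR shows hash order, so ordering is a choice made here.
    """
    cfg = config or AuthHeaderConfig()
    headers: Dict[str, str] = {}
    if not principal:
        return headers
    headers[cfg.actor_id_header] = principal
    unique_groups = list(dict.fromkeys(groups))
    for index, value in enumerate(chunk_groups(unique_groups, cfg.group_header_limit), start=1):
        headers[f"{cfg.actor_groups_header_prefix}{index}"] = value
    return headers


if __name__ == "__main__":
    # Constructed sample input mirroring the manual test in the PR:
    # the admin user mapped to longGroupName1 .. longGroupName99.
    sample_groups = [f"longGroupName{i}" for i in range(1, 100)]
    for name, value in build_auth_headers("admin", sample_groups).items():
        print(f"{name}: {value[:60]}{'...' if len(value) > 60 else ''}  ({len(value)} chars)")
    print(build_auth_headers("guest", []))
```

With the constructed 99-group input the first group header fills to 998 characters (63 names) and the remaining 36 names land in the second, matching the two-header split visible in the PR's curl output. A consumer that reads these headers (the issue mentions nginx's external authentication) must therefore concatenate every `X-Knox-Actor-Groups-N` value before splitting on commas, and must never treat a single header as the complete group list.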
   
Issue Time Tracking
-------------------

            Worklog Id:     (was: 803500)
    Remaining Estimate: 0h
            Time Spent: 10m

> New Knox service to add custom auth headers in the response
> -----------------------------------------------------------
>
>                 Key: KNOX-2792
>                 URL: https://issues.apache.org/jira/browse/KNOX-2792
>             Project: Apache Knox
>          Issue Type: Sub-task
>          Components: Server
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>             Fix For: 2.0.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> A simple REST service is needed to perform centralized authentication and authorization of incoming requests. Combined with nginx's external authentication capability it allows for every request to be checked for valid authentication before being forwarded to the upstream service.
> If a valid principal is found, a header is added to the response, by default {{X-Knox-Actor-ID}}, with the principal. In addition, if the authenticated subject has groups, these are added into comma-separated headers of the default form {{X-Knox-Actor-Groups-num}}. Each group header has a character limit of 1000 to keep them reasonably sized. The header names can be customized via configuration properties.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)