You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@knox.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/06/03 13:44:00 UTC
[jira] [Work logged] (KNOX-2757) Mutually exclusive filter params in the HadoopGroupProvider identity-assertion provider
[ https://issues.apache.org/jira/browse/KNOX-2757?focusedWorklogId=778095&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-778095 ]
ASF GitHub Bot logged work on KNOX-2757:
----------------------------------------
Author: ASF GitHub Bot
Created on: 03/Jun/22 13:43
Start Date: 03/Jun/22 13:43
Worklog Time Spent: 10m
Work Description: smolnar82 opened a new pull request, #590:
URL: https://github.com/apache/knox/pull/590
## What changes were proposed in this pull request?
From now on, in Knox's HadoopGroupProvider, the gateway-level `CENTRAL_GROUP_CONFIG_PREFIX` prefixed parameters are added together with any custom provider-level parameters into the final `HadoopGroupProvider` identity assertion filter of the generated web application.
I also needed to re-factor some code out from the `gateway-server` project that implements certain descriptor-related interfaces from `gateway-spi` as a simple POJO. The new Maven module's name is `gateway-spi-common` and I already see the benefit of having this new project serving the same functionality for other developments in the future.
With this new project we now do not need to create/mock already existing classes that we can re-use in our test classes where mocking isn't a really good option.
## How was this patch tested?
Added new unit tests to check if filter properties are generated as expected. Apart from this, I also tested the fix manually with my local Knox instance using the `Steps to reproduce` information from the corresponding JIRA:
```
<filter>
<role>identity-assertion</role>
<name>HadoopGroupProvider</name>
<class>org.apache.knox.gateway.identityasserter.hadoop.groups.filter.HadoopGroupProviderFilter</class>
<param>
<name>hadoop.security.group.mapping.ldap.search.attr.member</name>
<value>member</value>
</param>
<param>
<name>hadoop.security.group.mapping.ldap.search.filter.user</name>
<value>(&(|(objectclass=person)(objectclass=applicationProcess))(cn={0}))</value>
</param>
<param>
<name>hadoop.security.group.mapping.ldap.search.attr.group.name</name>
<value>cn</value>
</param>
<param>
<name>hadoop.security.group.mapping.ldap.url</name>
<value>ldap://localhost:33389</value>
</param>
<param>
<name>hadoop.security.group.mapping</name>
<value>org.apache.hadoop.security.LdapGroupsMapping</value>
</param>
<param>
<name>hadoop.security.group.mapping.ldap.search.filter.group</name>
<value>(objectclass=groupOfNames)</value>
</param>
<param>
<name>hadoop.security.group.mapping.ldap.bind.user</name>
<value>uid=guest,ou=people,dc=hadoop,dc=apache,dc=org</value>
</param>
<param>
<name>hadoop.security.group.mapping.ldap.bind.password</name>
<value>guest-password</value>
</param>
<param>
<name>group.mapping.c_env_assignees_1234</name>
<value>(!= 0 (size groups))</value>
</param>
</filter>
```
Issue Time Tracking
-------------------
Worklog Id: (was: 778095)
Remaining Estimate: 0h
Time Spent: 10m
> Mutually exclusive filter params in the HadoopGroupProvider identity-assertion provider
> ---------------------------------------------------------------------------------------
>
> Key: KNOX-2757
> URL: https://issues.apache.org/jira/browse/KNOX-2757
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.6.1
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Blocker
> Fix For: 2.0.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> *Steps to reproduce:*
> 1. replace the {{Default}} identity-assertion provider in the {{sandbox}} topology with this:
> {noformat}
> <provider>
> <role>identity-assertion</role>
> <name>HadoopGroupProvider</name>
> <enabled>true</enabled>
> <param>
> <name>CENTRAL_GROUP_CONFIG_PREFIX</name>
> <value>gateway.group.config.</value>
> </param>
> <param>
> <name>group.mapping.scientist</name>
> <value>(!= 0 (size groups))</value>
> </param>
> </provider> {noformat}
> 2. wait until Knox redeploys the {{sandbox}} topology and check the generated {{gateway.xml}} in the newly deployed web application
> *Actual results:*
> The {{group.mapping.scientist}} filter parameter is missing; only the params in {{gateway-site.xml}} with the {{gateway.group.config.}} prefix were added:
> {noformat}
> <filter>
> <role>identity-assertion</role>
> <name>HadoopGroupProvider</name>
> <class>org.apache.knox.gateway.identityasserter.hadoop.groups.filter.HadoopGroupProviderFilter</class>
> <param>
> <name>hadoop.security.group.mapping.ldap.search.attr.member</name>
> <value>member</value>
> </param>
> <param>
> <name>hadoop.security.group.mapping.ldap.search.filter.user</name>
> <value>(&(|(objectclass=person)(objectclass=applicationProcess))(cn={0}))</value>
> </param>
> <param>
> <name>hadoop.security.group.mapping.ldap.search.attr.group.name</name>
> <value>cn</value>
> </param>
> <param>
> <name>hadoop.security.group.mapping.ldap.url</name>
> <value>ldap://localhost:33389</value>
> </param>
> <param>
> <name>hadoop.security.group.mapping</name>
> <value>org.apache.hadoop.security.LdapGroupsMapping</value>
> </param>
> <param>
> <name>hadoop.security.group.mapping.ldap.search.filter.group</name>
> <value>(objectclass=groupOfNames)</value>
> </param>
> <param>
> <name>hadoop.security.group.mapping.ldap.bind.user</name>
> <value>uid=guest,ou=people,dc=hadoop,dc=apache,dc=org</value>
> </param>
> <param>
> <name>hadoop.security.group.mapping.ldap.bind.password</name>
> <value>guest-password</value>
> </param>
> </filter>
> {noformat}
> *Expected results:*
> Both the pre-configured gateway-site.xml and the {{group.mapping.scientist}} provider parameter should be added to the filter.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)