You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@knox.apache.org by "Sandor Molnar (Jira)" <ji...@apache.org> on 2022/12/22 20:01:00 UTC

[jira] [Resolved] (KNOX-2839) Refactor impersonation from KnoxToken service

     [ https://issues.apache.org/jira/browse/KNOX-2839?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sandor Molnar resolved KNOX-2839.
---------------------------------
    Resolution: Fixed

> Refactor impersonation from KnoxToken service
> ---------------------------------------------
>
>                 Key: KNOX-2839
>                 URL: https://issues.apache.org/jira/browse/KNOX-2839
>             Project: Apache Knox
>          Issue Type: Task
>          Components: Server
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Blocker
>             Fix For: 2.0.0
>
>          Time Spent: 5h 50m
>  Remaining Estimate: 0h
>
> With KNOX-2714, end-users can create tokens on behalf of other users using Hadoop's impersonation mechanism.
> The problem with the current implementation is that the proxyuser authorization happens to be on service level, but it should be executed sooner.
> As discussed offline with [~lmccay] and [~pzampino] we agreed on the following:
>  * impersonation support should be done in Knox's identity assertion layer and not in the services
>  * the proxuyser authorization in HadoopAuth filter should be left as-is. When someone configures them in two places (HadoopAuth authentication and in identity-assertion), a WARN-level message should indicate that one on the identity-assertion level will be ignored.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)