Posted to dev@knox.apache.org by GitBox <gi...@apache.org> on 2019/09/23 23:47:33 UTC

[GitHub] [knox] sharad-oss opened a new pull request #153: KNOX-2020 AWS federation support added to hadoop-jwt cookie.

URL: https://github.com/apache/knox/pull/153
 
 
   This contribution enhances the Hadoop JWT cookie to contain AWS credentials to interact with the AWS ecosystem. This is done via an optional configuration when using SAML for authentication. The account admin can set up AWS federation with SAML (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html). The SAML Response in such a case will contain the Identity Provider (IDP) injected Role. Simple Token Service (STS) is invoked for AssumeRoleWithSaml using this SAML Response for credentials, and on success a cookie is added to the browser. The value for this cookie is the Base64-encoded credentials. The TTL for this cookie matches the TTL for the AWS credentials. From there on the usual Knox flow continues.
   
   Knox will add the hadoop-jwt cookie that is understood by the Hadoop ecosystem.  A JWT provides standard info about the subject, TTL and claims. We enhance the claims to contain the AWS credentials by using the info in the previously stashed aws cookie. This way the Hadoop ecosystem services can now interact with AWS services too. The lifetime for the cookies matches the life of AWS credentials.
   
   ## What changes were proposed in this pull request?
   The Pac4j filter has been modified to optionally do AWS federation. This change has no effect if the configuration is not enabled.
   A new security module gateway-provider-security-aws handles all the logic to do SAML federation and adding an AWS cookie.
   This module receives the SAML Response, federates into AWS, and assumes the first role in the assertion. This could be enhanced in future to determine which Role to pick. AWS credentials are stashed in a cookie for further usage (after the redirect happens in the filter). At the end it returns back to the pac4j filter with a cookie added to the response.
   
   Methods to issue JWT token have been enhanced to take custom claims as parameters. 
   
   In KnoxSSO we enhance the hadoop-jwt cookie with the contents from the AWS cookie.
   This is done by using custom claims. The procured AWS credentials are added to the JWT claims. Please look at the testing section for what the cookie looks like after the change. Note the cookie is unaffected if the option to do AWS SAML federation is not turned on.
   
   Knox token has also been modified to reflect the new token format.
   
   ## How was this patch tested?
   
   Ran all unit tests
   Tested on an EC2 deployment (AWS EMR). The knoxtoken (/knoxtoken/api/v1/token) looks like
   ```
   {
     "sub": "[sharad]",
     "aud": "tokenbased",
     "iss": "KNOXSSO",
     "aws-session": "eyJ1c2VybmFtZSI6InNoYXJrYWxhQGdtYWlsLmNvbSIsIkFXU0FjY2Vzc0tleUlkIjoiQVNJQVNTRkFaVFBBV0tGWTdVNFMiLCJBV1NTZWNyZXRLZXkiOiJYT01yS0FHdFBNakdaWi91SlJibzM2eFhzRFlwT0RzU1IvWlA1N2RQIiwic2Vzc2lvblRva2VuIjoiRlFvR1pYSXZZWGR6RUZFYURDNE8vS0NVZ2pNNWFYY0luaUtsQWh1dTNvK2NkTEoyNmwxMzdKNVI1dFNROUZKUHIzQ2Y4SGJhdHMzc1pWSzJZeUlGTFZGcjJUTXBCZjBxVjZTQ2ZYSzZwUzZ2L3hHeFZvZGl2L1VOVzZLclBEeUhkbEtPT3lKdVBncGdPRkdoakdSZUw3YTBqSmNpVUhZalVhRmo4UVd5R2lkM05xRVFzeTVQRlEwalM0SmFZUkU0K04yczlycWhxSWF4K1hreDBEb0gzWGl1Y2RDVUtBQVcwK0NNaHB3eGV1d2paZDIwZGJNOTFOTTVsR2dNbmxZdzBiNjdPdXlwUDI3T0NoeU9TYkdGVVJtbC9DY3YrbjNwMFA2RVY0Q3pJbnZlUjBRN28zL0tDQmRsdGF2Mi9zWXUzSDZ0N0pXVE9ZYUJvUHhralZzTENlZmN2OXRJc2Q3bGx4cmxsUEhmRUZBMmJIOXRaa0xOQlY2alE4NmRzL1NlS09ZTlJBTnNaTmJOckxZOTlJekR2NmdPQklaVWlTNXZ4aUY4ajZMVEs2VjBLSnV2NitzRiIsImV4cGlyYXRpb24iOjE1NjgzMzUyNzUwMDB9",
     "exp": 1568367676
   }
   ```
   The AWS credentials are in Base64-encoded format, and the exp matches the AWS credentials exp.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
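The token format the PR describes (a signed JWT whose "aws-session" claim is a Base64-encoded JSON object holding an AWS access key ID, secret key, session token and an expiration in epoch milliseconds, with the JWT "exp" expected to line up with that expiration) is easy to get subtly wrong when consuming it downstream. The following is an added example, not code from Knox or from this PR: it builds a constructed token of that shape, verifies the signature before trusting any claim, decodes the claim, checks that the two expirations agree, and produces a log-safe copy. The field names are taken from the sample in the PR; the HS256 signing and the demo key are assumptions used only to make the sample self-contained (they say nothing about how Knox signs its tokens), and the credential values are constructed placeholders.

```python
"""Consume a Knox-style hadoop-jwt token carrying an "aws-session" claim.

Added example (not Knox code). Field names follow the PR's sample; HS256 and
the demo key are assumptions so the example runs offline.
"""
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real verifier would load the gateway's public key.
SAMPLE_KEY = b"constructed-demo-key-not-a-real-secret"

# Fields the PR's sample shows inside the Base64-encoded claim.
REQUIRED = {"username", "AWSAccessKeyId", "AWSSecretKey", "sessionToken", "expiration"}

# Constructed credential set: placeholder values, not real AWS credentials.
SAMPLE_SESSION = {
    "username": "alice@example.com",
    "AWSAccessKeyId": "ASIAEXAMPLE0000000000",
    "AWSSecretKey": "constructedSecretKey/NotReal0000000000000",
    "sessionToken": "constructedSessionToken0000000000000000000",
    "expiration": 1700000000000,  # epoch milliseconds, as in the sample
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_aws_session(session: dict) -> str:
    """Base64 of compact JSON, the encoding the PR describes for the claim."""
    return base64.b64encode(json.dumps(session, separators=(",", ":")).encode()).decode("ascii")


def decode_aws_session(claim: str) -> dict:
    """Decode the claim and insist on every field the consumer relies on."""
    session = json.loads(base64.b64decode(claim))
    missing = REQUIRED.difference(session)
    if missing:
        raise ValueError(f"aws-session claim missing fields: {sorted(missing)}")
    return session


def build_sample_token(session: dict, key: bytes = SAMPLE_KEY) -> str:
    """Constructed JWT with the claim layout shown in the PR (HS256 is assumed)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": session["username"],
        "aud": "tokenbased",
        "iss": "KNOXSSO",
        "aws-session": encode_aws_session(session),
        "exp": session["expiration"] // 1000,  # JWT exp is in seconds
    }
    signing_input = _b64url_encode(json.dumps(header).encode()) + "." + _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_and_decode(token: str, key: bytes = SAMPLE_KEY) -> dict:
    """Pin the algorithm and check the signature before reading any claim."""
    head, body, sig = token.split(".")
    header = json.loads(_b64url_decode(head))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg in JWT header")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("JWT signature does not verify")
    return json.loads(_b64url_decode(body))


def exp_skew_seconds(payload: dict) -> int:
    """JWT exp (seconds) minus AWS expiration (milliseconds, converted); 0 means aligned."""
    session = decode_aws_session(payload["aws-session"])
    return payload["exp"] - session["expiration"] // 1000


def redact(session: dict) -> dict:
    """Log-safe copy: the claim is Base64, not encryption, so never log it raw."""
    out = dict(session)
    for field in ("AWSSecretKey", "sessionToken"):
        if field in out:
            out[field] = out[field][:4] + "..."
    return out


if __name__ == "__main__":
    tok = build_sample_token(SAMPLE_SESSION)
    claims = verify_and_decode(tok)
    print("exp skew (s):", exp_skew_seconds(claims))
    print(redact(decode_aws_session(claims["aws-session"])))
```

The two points worth carrying into any consumer of this cookie: read the claim only after the signature has verified with a pinned algorithm, and treat the decoded object as a live AWS credential set (Base64 is an encoding, not a protection), so it must never reach logs or error messages unredacted.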