Posted to dev@knox.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2022/06/23 09:12:00 UTC

[jira] [Commented] (KNOX-2726) Impersonation Params Declared by Service Definitions

    [ https://issues.apache.org/jira/browse/KNOX-2726?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557910#comment-17557910 ] 

ASF subversion and git services commented on KNOX-2726:
-------------------------------------------------------

Commit 93bceed9c33d8e63cb48bdac86d9bc98fca44f90 in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from Sandeep Moré
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=93bceed9c ]

KNOX-2726 - Impersonation Params should be configurable (#579)

* KNOX-2726 - Impersonation Params should be configurable

> Impersonation Params Declared by Service Definitions
> ----------------------------------------------------
>
>                 Key: KNOX-2726
>                 URL: https://issues.apache.org/jira/browse/KNOX-2726
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 1.6.0
>            Reporter: Philip Zampino
>            Assignee: Sandeep More
>            Priority: Major
>             Fix For: 1.6.2
>
>          Time Spent: 2.5h
>  Remaining Estimate: 0h
>
> _org.apache.knox.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper#getImpersonationParamNames()_ has the following comment:
> {noformat}
> // TODO: let's have service definitions register their impersonation
> // params in a future release and get this list from a central registry.
> // This will provide better coverage of protection by removing any
> // pre-populated impersonation params.{noformat}
> Currently, Knox excludes some well-known impersonation request parameters from proxied requests. Rather than maintaining a hard-coded list of these params, service definitions should be able to declare them such that they would be available at runtime to _org.apache.knox.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper_.
> This will allow service-specific impersonation parameter details to be defined by the service definitions, and eliminate the need for Knox runtime code changes when new impersonation params need to be handled.



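The behaviour the issue describes, as an added example that is not Knox's code: client-supplied impersonation parameters are removed from a proxied query string using a per-service declared list instead of a hard-coded one, and the gateway's asserted identity is appended. The class, the `DECLARED` registry, the role `EXAMPLE_SVC`, the parameter names and the choice of `doAs` as the asserted-identity parameter are all assumptions made for illustration.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.stream.Collectors;

public class ImpersonationParamFilter {
    // Hypothetical registry: service role -> impersonation params that the
    // service definition declares. Values are constructed for this example.
    static final Map<String, Set<String>> DECLARED = Map.of(
        "WEBHDFS", Set.of("doAs", "user.name"),
        "EXAMPLE_SVC", Set.of("runAs"));

    /** Drops every declared impersonation param, then appends the asserted user. */
    static String rewriteQuery(String role, String rawQuery, String assertedUser) {
        // Compare case-insensitively (a conservative choice in this example).
        Set<String> blocked = DECLARED.getOrDefault(role, Set.of()).stream()
            .map(n -> n.toLowerCase(Locale.ROOT))
            .collect(Collectors.toSet());
        List<String> kept = new ArrayList<>();
        if (rawQuery != null) {
            for (String pair : rawQuery.split("&")) {
                if (pair.isEmpty()) continue;
                String name;
                try {
                    // Decode the name first so a percent-encoded spelling of a
                    // blocked param is matched like the plain one.
                    name = URLDecoder.decode(pair.split("=", 2)[0], StandardCharsets.UTF_8);
                } catch (IllegalArgumentException malformed) {
                    continue; // fail closed: a param that cannot be decoded is not forwarded
                }
                if (!blocked.contains(name.toLowerCase(Locale.ROOT))) {
                    kept.add(pair);
                }
            }
        }
        // Assumption: the backend reads the effective user from "doAs".
        kept.add("doAs=" + URLEncoder.encode(assertedUser, StandardCharsets.UTF_8));
        return String.join("&", kept);
    }

    public static void main(String[] args) {
        // Constructed request: the client pre-populates two impersonation params.
        String incoming = "op=LISTSTATUS&doAs=admin&user.name=root";
        System.out.println(rewriteQuery("WEBHDFS", incoming, "alice"));
        // A service whose definition declares a different param name.
        System.out.println(rewriteQuery("EXAMPLE_SVC", "q=1&runAs=admin", "alice"));
    }
}
```

With the list keyed by service role, handling a new impersonation parameter means adding it to that service's declaration; `rewriteQuery` itself does not change.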