Posted to dev@knox.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/03/08 12:03:00 UTC

[jira] [Work logged] (KNOX-2710) Identity assertion provider for services without doAs support

     [ https://issues.apache.org/jira/browse/KNOX-2710?focusedWorklogId=738101&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-738101 ]

ASF GitHub Bot logged work on KNOX-2710:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 08/Mar/22 12:02
            Start Date: 08/Mar/22 12:02
    Worklog Time Spent: 10m 
      Work Description: moresandeep opened a new pull request #544:
URL: https://github.com/apache/knox/pull/544


   ## What changes were proposed in this pull request?
   This PR adds a new identity assertion provider, `NoDoAsProvider`, that does not add the doAs parameter at the end of the query string. This is needed for services, like RStudio, that do not tolerate the addition of query params.
   
   This feature can be enabled using `<policies>` in service.xml for the proxied service, e.g.:
   ```
   <policies>
       <policy role="webappsec"/>
       <policy role="authentication"/>
       <policy role="rewrite"/>
       <policy role="authorization"/>
       <policy role="identity-assertion" name="NoDoAsProvider"/>
   </policies>
   ```
   
   **NOTE**: to use `identity-assertion` you need to use the `authentication` policy.
   ## How was this patch tested?
   This patch was tested locally.
   
   ```
   
   	2022-03-07 16:22:22,919 346c6508-0750-4d40-bd33-739e10e76e59 WARN  knox.gateway (DefaultDispatch.java:executeOutboundRequest(183)) - Connection exception dispatching request: http://localhost:50070/webhdfs/v1/tmp/hello.txt?op=create org.apache.http.conn.HttpHostConnectException: Connect to localhost:50070 [localhost/127.0.0.1, localhost/0:0:0:0:0:0:0:1] failed: Connection refused (Connection refused)
   
   ```




Issue Time Tracking
-------------------

            Worklog Id:     (was: 738101)
    Remaining Estimate: 0h
            Time Spent: 10m

> Identity assertion provider for services without doAs support
> -------------------------------------------------------------
>
>                 Key: KNOX-2710
>                 URL: https://issues.apache.org/jira/browse/KNOX-2710
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>            Reporter: Sandeep More
>            Assignee: Sandeep More
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> There might be services (e.g. RStudio) which do not support trusted proxy and that might break with the doAs parameter at the end of the URL. We need to be able to implement an identity assertion provider that can skip doAs and which is configurable.
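
A small lint for the NOTE in the pull request description, added here as an example; it is not code from the pull request or from Knox. It flags any `<policies>` block that declares `identity-assertion` without `authentication` and reports where `NoDoAsProvider` is in use. The `<service>` wrapper, its attributes and both sample documents are constructed assumptions.

```python
import xml.etree.ElementTree as ET

MISSING_AUTH = "identity-assertion policy without an authentication policy"
NO_DOAS = "NoDoAsProvider in use: doAs is not appended to the query string"

# Constructed sample service definitions (not taken from the Knox repository).
GOOD = """<service role="RSTUDIO" name="rstudio" version="1.0">
  <policies>
    <policy role="webappsec"/>
    <policy role="authentication"/>
    <policy role="rewrite"/>
    <policy role="authorization"/>
    <policy role="identity-assertion" name="NoDoAsProvider"/>
  </policies>
</service>"""

BAD = """<service role="RSTUDIO" name="rstudio" version="1.0">
  <policies>
    <policy role="rewrite"/>
    <policy role="identity-assertion" name="NoDoAsProvider"/>
  </policies>
</service>"""


def audit_policies(xml_text):
    """Return findings for every <policies> block in a service definition."""
    root = ET.fromstring(xml_text)
    findings = []
    # iter() also matches the root, so a bare <policies> fragment works too.
    for block in root.iter("policies"):
        policies = [(p.get("role"), p.get("name")) for p in block.findall("policy")]
        roles = [role for role, _ in policies]
        for role, name in policies:
            if role != "identity-assertion":
                continue
            if "authentication" not in roles:
                findings.append(MISSING_AUTH)
            if name == "NoDoAsProvider":
                findings.append(NO_DOAS)
    return findings


if __name__ == "__main__":
    for label, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_policies(doc))
```
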


