Posted to dev@knox.apache.org by "Larry McCay (JIRA)" <ji...@apache.org> on 2019/01/19 18:16:00 UTC

[jira] [Created] (KNOX-1740) Add Trusted Proxy Support to Knox

Larry McCay created KNOX-1740:
---------------------------------

             Summary: Add Trusted Proxy Support to Knox
                 Key: KNOX-1740
                 URL: https://issues.apache.org/jira/browse/KNOX-1740
             Project: Apache Knox
          Issue Type: Improvement
          Components: Server
            Reporter: Larry McCay
            Assignee: Larry McCay
             Fix For: 1.3.0


There are token exchange scenarios where an application may want to acquire a KnoxToken on behalf of a user authenticated by the application. We need to implement a version of the Hadoop Trusted Proxy/Impersonation pattern for Knox at the topology level.

This includes:

 * Principal assertion method (possibilities: doAs query param, path segment within an API, HTTP header)
 * Config within topology for trusted principals, groups that they are allowed to impersonate, users that they are allowed to impersonate, IP address from which requests are expected
 * Make part of the identity assertion provider since this is the provider that determines which identity to assert to the downstream service
 * Config will need to be qualified by service due to the multiple services per topology



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)