Posted to dev@knox.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2020/07/30 21:08:00 UTC

[jira] [Work logged] (KNOX-2413) Add JWT support for HadoopAuth provider

     [ https://issues.apache.org/jira/browse/KNOX-2413?focusedWorklogId=464732&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-464732 ]

ASF GitHub Bot logged work on KNOX-2413:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 30/Jul/20 21:07
            Start Date: 30/Jul/20 21:07
    Worklog Time Spent: 10m 
      Work Description: smolnar82 opened a new pull request #367:
URL: https://github.com/apache/knox/pull/367


   ## What changes were proposed in this pull request?
   
   Added a new provider configuration parameter in the `HadoopAuth` security provider to enable end-users to use JWT tokens instead of the usual Hadoop Authentication mechanism if there is a Bearer token defined in the request's `Authorization` header. The new parameter name is `support.jwt`. If that is set to `true` (defaults to `false`) and there is a _valid_ (parsable, non-expired) JWT token in the authorization header, Knox will use that token in the HadoopAuth security provider.
   
   ## How was this patch tested?
   
   Updated and ran JUnit tests:
   ```
   [INFO] ------------------------------------------------------------------------
   [INFO] BUILD SUCCESS
   [INFO] ------------------------------------------------------------------------
   [INFO] Total time: 20:01 min (Wall Clock)
   [INFO] Finished at: 2020-07-30T22:42:31+02:00
   [INFO] Final Memory: 448M/2323M
   [INFO] ------------------------------------------------------------------------
   ```
   
   Additionally, the following E2E test steps were executed:
   1. Deployed the Knox Gateway with my changes
   2. Added the KNOXTOKEN service into `sandbox` (to be able to get a Knox delegation token)
   3. Had the following `authentication` provider in the `metadata` topology:
   ```
       {
         "role": "authentication",
         "name": "HadoopAuth",
         "enabled": "true",
         "params": {
           "config.prefix": "hadoop.auth.config",
           "hadoop.auth.config.type": "kerberos",
           "hadoop.auth.config.signature.secret": "password",
           "hadoop.auth.config.simple.anonymous.allowed": "false",
           "hadoop.auth.config.token.validity": "1800",
           "hadoop.auth.config.cookie.path": "/",
           "hadoop.auth.config.kerberos.principal": "HTTP/$GATEWAY_HOST@$REALM",
           "hadoop.auth.config.kerberos.keytab": "/$KEYTAB_PATH/knox.keytab",
           "hadoop.auth.config.kerberos.name.rules": "DEFAULT",
           "support.jwt": "true"
         }
       }
   ```
   4. Logged into Kerberos as `knox` and tried to get metadata about the `sandbox` topology using Kerberos:
   ```
   $ curl -s --negotiate -u: -k "http://$GATEWAY_HOST:8444/gateway/metadata/api/v1/metadata/topologies/sandbox"
   <?xml version="1.0" encoding="UTF-8"?>
   <topologyInformations>
      <topologyInformation>
         <topology>sandbox</topology>
         <pinned>false</pinned>
         ...
      </topologyInformation>
   </topologyInformations>
   ```
   5. Obtained a Knox delegation token (using the `KNOXTOKEN` service in sandbox)
   6. Tried to get metadata about the `sandbox` topology using the acquired JWT token:
   ```
   $ curl -v -H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJrbm94IiwiYXVkIjoiaWRicm9rZXIiLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNTk2MTQzNzg4LCJrbm94LmlkIjoiMGM2NTUwZGItNzM4ZS00NjYwLWI1YWMtNGJlN2ZjNTllNzc2In0.KwRWOaye-7lgUN5pG-AV11HvRGwQKT6BSZWSWKOapn8DHaKce5hTaO4eTkHlyIx8kg7zaI65Cq950pC6lQf3Ocznh8DQaqbm_OxgBZQCI6wFl3UTHe1m1BbK7G3HxrOUHLnGUk4g5_z-gv_CN4vQDpgvPCNjC34knOUIeoc7uUHl_IABsQGDa4i57K5Gb9-iBJlhEWwFYEiIA24vE0fL1MnOvmUzypAth6l8x8m3FUpLYLMJOFOT9dXBTXKTklfy7S4pPRW5TFI9kwArhBr5-_KtT-ZZhiPu_LJPjVZHu1LwBgtYE_uJjVzE8RR1T20iYSPub15sPiX4ntUerto1Rg" "http://$GATEWAY_HOST:8444/gateway/metadata/api/v1/metadata/topologies/sandbox"
   
   * About to connect() to $GATEWAY_HOST port 8444 (#0)
   *   Trying xxx...
   * Connected to $GATEWAY_HOST (xxx...) port 8444 (#0)
   > GET /gateway/metadata/api/v1/metadata/topologies/sandbox HTTP/1.1
   > User-Agent: curl/7.29.0
   > Host: $GATEWAY_HOST:8444
   > Accept: */*
   > Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJrbm94IiwiYXVkIjoiaWRicm9rZXIiLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNTk2MTQzNzg4LCJrbm94LmlkIjoiMGM2NTUwZGItNzM4ZS00NjYwLWI1YWMtNGJlN2ZjNTllNzc2In0.KwRWOaye-7lgUN5pG-AV11HvRGwQKT6BSZWSWKOapn8DHaKce5hTaO4eTkHlyIx8kg7zaI65Cq950pC6lQf3Ocznh8DQaqbm_OxgBZQCI6wFl3UTHe1m1BbK7G3HxrOUHLnGUk4g5_z-gv_CN4vQDpgvPCNjC34knOUIeoc7uUHl_IABsQGDa4i57K5Gb9-iBJlhEWwFYEiIA24vE0fL1MnOvmUzypAth6l8x8m3FUpLYLMJOFOT9dXBTXKTklfy7S4pPRW5TFI9kwArhBr5-_KtT-ZZhiPu_LJPjVZHu1LwBgtYE_uJjVzE8RR1T20iYSPub15sPiX4ntUerto1Rg
   > 
   < HTTP/1.1 200 OK
   < Date: Thu, 30 Jul 2020 20:18:31 GMT
   < Content-Type: application/xml
   < Transfer-Encoding: chunked
   < 
   <?xml version="1.0" encoding="UTF-8"?>
   <topologyInformations>
      <topologyInformation>
         <topology>sandbox</topology>
         <pinned>false</pinned>
         ...
      </topologyInformation>
   </topologyInformations>
   * Connection #0 to host $GATEWAY_HOST left intact
   ```
   7. Checked the `gateway.log` (set the logging level to `DEBUG` before I started the gateway) and found that everything worked as expected


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


Issue Time Tracking
-------------------

            Worklog Id:     (was: 464732)
    Remaining Estimate: 0h
            Time Spent: 10m

> Add JWT support for HadoopAuth provider
> ---------------------------------------
>
>                 Key: KNOX-2413
>                 URL: https://issues.apache.org/jira/browse/KNOX-2413
>             Project: Apache Knox
>          Issue Type: New Feature
>          Components: Server
>    Affects Versions: 1.5.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>             Fix For: 1.5.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> There is a need for adding JWT support in the HadoopAuth security provider as follows: if the incoming request has a valid JWT token (as a {{bearer}} token) extracted from the {{Authorization}} header, the request is then processed on behalf of the user represented by the JWT token (using the existing JWT federation provider). If there is no _valid_ JWT token, the {{HadoopAuth}} authentication filter should do its job as it does today.
> The ability to implement a general composite authentication provider is discussed in KNOX-2411, but we agreed that such a provider would need more planning and maybe a KIP, so this feature should be targeted in a separate JIRA.
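Added example, not Knox's code and not part of the pull request or the issue above: a small Python model of the dispatch rule both describe, where `support.jwt` and a valid (parsable, signed, non-expired) Bearer JWT select the JWT path and anything else falls back to HadoopAuth. It assumes a stand-in HS256 HMAC check with a demo secret in place of Knox's JWT federation provider (the token in the E2E test carries an RS256 header), takes the clock as a parameter for determinism, and uses hypothetical names `choose_authenticator`, `is_valid_jwt` and `make_token`.

```python
import base64
import hashlib
import hmac
import json

BEARER = "Bearer "


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def is_valid_jwt(token: str, secret: bytes, now: int) -> bool:
    """Valid = parsable, correctly signed (HS256 stand-in) and not expired."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except ValueError:  # bad base64url, bad UTF-8 or bad JSON
        return False
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return False
    if header.get("alg") != "HS256":  # only the algorithm we expect; never trust "none"
        return False
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False
    exp = claims.get("exp")
    return isinstance(exp, (int, float)) and exp > now


def choose_authenticator(params: dict, headers: dict, secret: bytes, now: int) -> str:
    """'jwt' only when support.jwt is true AND a valid Bearer JWT is present, else 'hadoopauth'."""
    if params.get("support.jwt", "false").lower() != "true":
        return "hadoopauth"
    auth = headers.get("Authorization", "")
    if not auth.startswith(BEARER):
        return "hadoopauth"
    return "jwt" if is_valid_jwt(auth[len(BEARER):].strip(), secret, now) else "hadoopauth"


def make_token(claims: dict, secret: bytes) -> str:
    """Constructed HS256 token for the demo; not a Knox-issued token."""
    h = _b64url_encode(b'{"alg":"HS256"}')
    p = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    s = _b64url_encode(hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest())
    return f"{h}.{p}.{s}"
```

A token that fails parsing, signature or expiry is not rejected outright; it simply falls through to the HadoopAuth filter, which is the "as it does today" behaviour the issue asks for.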



--
This message was sent by Atlassian Jira
(v8.3.4#803005)