Details
-
Improvement
-
Status: Resolved
-
Critical
-
Resolution: Fixed
-
None
-
None
-
None
Description
As of now, authenticated users are allowed to acquire a Knox token for themselves only. That is, the username the token is created for is fetched from the request’s user principal. The goal is to be able to generate a Knox token on behalf of somebody else.
To be able to do this, we need to enhance the current KnoxToken service API to support a new query parameter called doAs. For instance:
curl -iku admin:admin-password -X GET 'https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token?doAs=bob’
In this case, the generated token will not belong to the ‘admin’ user, but it’s going to be created for ‘bob’.
The newly introduced ‘doAs’ is an optional parameter: if not defined, the generated token will belong to the authenticated user (in the above sample: ‘admin’).
Of course, we need to provide a way to control who can generate tokens for who, so the following service-level configuration should be added too (they will be defined in the given topology for the KNOXTOKEN service):
- knox.token.proxyuser.$username.users - indicates the list of users for whom $username is allowed to create tokens. It is possible to set this to a 1-element list using the ‘*’ wildcard which means $username can generate tokens for everyone. Defaults to an empty list that is equivalent to $username is not allowed to impersonate anyone.
- knox.token.proxyuser.$username.groups - indicates the list of group names for whose members $username is allowed to create tokens for. It is possible to set this to a 1-element list using the ‘*’ wildcard which means $username can generate tokens for members of any group. Defaults to an empty list that is equivalent to $username is not allowed to impersonate members from any group.
- knox.token.proxyuser.$username.hosts - indicates a list of hostnames from where the requests are allowed to be accepted in case the doAs parameter is used when creating Knox Tokens. It is possible to set this to a 1-element list using the ‘*’ wildcard which means $username can generate tokens from any host. Defaults to an empty list that is equivalent to $username is not allowed to create tokens from any host.
Please note this configuration is applied only if the newly introduced doAs query parameter is present. The same rules are applied when you set proxyuser configuration in Knox's HadoopAuth security provider therefore Knox token's proxuyser authorization will re-use the existing Hadoop library.
Attachments
Issue Links
- links to