[KNOX-2726] Impersonation Params Declared by Service Definitions - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.6.0
Fix Version/s: 1.6.2
Component/s: Server
Labels:
None

Description

org.apache.knox.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper#getImpersonationParamNames() has the following comment:

// TODO: let's have service definitions register their impersonation
// params in a future release and get this list from a central registry.
// This will provide better coverage of protection by removing any
// pre-populated impersonation params.

Currently, Knox excludes some well-known impersonation request parameters from proxied requests. Rather than maintaining a hard-coded list of these params, service definitions should be able to declare them such that they would be available at runtime to org.apache.knox.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper.

This will allow service-specific impersonation parameter details to be defined by the service definitions, and eliminate the need for Knox runtime code changes when new impersonation params need to be handled.

Attachments

Issue Links

links to

GitHub Pull Request #579

Activity

People

Assignee:: Sandeep More

Reporter:: Philip Zampino

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 01/Apr/22 19:16

Updated:: 23/Jun/22 09:18

Resolved:: 23/May/22 17:45

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

2.5h