KNOX-2020 - AWS federation support added to hadoop-jwt cookie #153
The Pac4j filter has been modified to optionally do AWS federation. If enabled, it uses SAML to federate into AWS and assumes the first role in the assertion. The hadoop-jwt cookie has been enhanced to contain custom claims. The procured AWS credentials are added to the JWT claims.
Thanks for the PR @sharad-oss. I went through quickly looking at a lot of the dependency handling stuff. I think there are a few places that can be improved to match the other modules in the Knox project.
I'll have to go through in more detail over the next few days and look at the cookie/aws parts in detail.
Review comments on:
- gateway-provider-security-aws/src/main/java/org/apache/knox/gateway/aws/AwsMessages.java
- ...ay-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java
- ...ay-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java
@sharad-oss looks like the jdk11 Travis failure might be real as well:
@risdenk I wasn't aware Knox was being built on JDK-11 too. My current tests were all done using JDK-8. I will invest some time to build with JDK-11.
From my comment on JIRA KNOX-2020: @sharad-oss - this looks interesting!
I've left a comment on the PR itself and on the KNOX-2020 JIRA but will add it here as well as to request changes.
I'd like to see a one-pager design doc that articulates the use cases, security considerations and end-to-end flow, including the provided consumer of the credentials within the gateway.
See the other comments for my security concerns regarding including the credentials in the token.
@lmccay sure, will work on the one-pager doc soon, and update the JIRA.
- Removed GSON from project. Using Jackson instead.
- Using JDK8 Base64, and not apache-commons codec.
- Moved the versions for libraries to parent POM.
@sharad-oss thanks for the cleanup. Looks a lot better. There are a few remaining items related to dependencies. Also looking forward to reading the design doc @lmccay when you have it ready.
This PR has not been touched for over a year; closing it.
This contribution enhances the Hadoop JWT cookie to contain AWS credentials to interact with the AWS ecosystem. This is done via an optional configuration when using SAML for authentication. The account admin can set up AWS federation with SAML (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html). The SAML Response in such a case will contain the Identity Provider (IDP) injected Role. Simple Token Service (STS) is invoked for AssumeRoleWithSaml using this SAML Response for credentials, and on success a cookie is added to the browser. The value for this cookie is the Base 64 encoded credentials. The TTL for this cookie matches the TTL for AWS credentials. From there on the usual Knox flow continues.
Knox will add the hadoop-jwt cookie that is understood by the Hadoop ecosystem. A JWT provides standard info about the subject, TTL and claims. We enhance the claims to contain the AWS credentials by using the info in the previously stashed aws cookie. This way the Hadoop ecosystem services can now interact with AWS services too. The lifetime for the cookies matches the life of AWS credentials.
What changes were proposed in this pull request?
The Pac4j filter has been modified to optionally do AWS federation. This change has no effect if the configuration is not enabled.
A new security module gateway-provider-security-aws handles all the logic to do SAML federation and adding an AWS cookie.
This module receives the SAML Response, federates into AWS, and assumes the first role in the assertion. This could be enhanced in future to determine which Role to pick. AWS credentials are stashed in a cookie for further usage (after the redirect happens in the filter). At the end it returns back to the pac4j filter with a cookie added to the response.
Methods to issue JWT token have been enhanced to take custom claims as parameters.
In KnoxSSO we enhance the hadoop-jwt cookie with the contents from the AWS cookie.
This is done by using custom claims. The procured AWS credentials are added to the JWT claims. Please look at the testing section for what the cookie looks like after the change. Note the cookie is unaffected if the option to do AWS SAML federation is not turned on.
Knox token has also been modified to reflect the new token format.
How was this patch tested?
Ran all unit tests
Tested on an EC2 deployment (AWS EMR). The knoxtoken (/knoxtoken/api/v1/token) looks like
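The token sample the description refers to is not reproduced on this page. As an added example that is not part of the PR or of Knox, the block below shows what a reviewer following @lmccay's concern would want to check on a hadoop-jwt cookie of the proposed format: which claims carry AWS credentials, and whether the token's `exp` outlives the credentials embedded in it (the description says the two lifetimes are meant to match). The claim names (`aws_access_key_id`, `aws_secret_access_key`, `aws_session_token`, `aws_expiration`) and the credential values are assumptions constructed for the demo; the PR does not list the exact names it uses. The real hadoop-jwt is RSA-signed by the gateway; HS256 is used here only so the example runs without a key pair.

```python
import base64
import hashlib
import hmac
import json

# ASSUMED claim names; the PR does not state the names it puts in the JWT.
AWS_CREDENTIAL_CLAIMS = {"aws_access_key_id", "aws_secret_access_key", "aws_session_token"}

# Constructed demo values: a fixed clock, a demo HMAC secret, and a token whose
# lifetime (1 h) is longer than the embedded credentials' lifetime (30 min).
NOW = 1_700_000_000
SECRET = b"constructed-demo-secret"
SAMPLE_CLAIMS = {
    "sub": "alice",
    "iss": "KNOXSSO",
    "exp": NOW + 3600,
    "aws_access_key_id": "ASIACONSTRUCTEDEXAMPLE",
    "aws_secret_access_key": "constructed-secret-key",
    "aws_session_token": "constructed-session-token",
    "aws_expiration": NOW + 1800,
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT (stand-in for the gateway's RSA-signed token)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_jwt(token: str, secret: bytes) -> dict:
    """Check the HS256 signature and return the claims; raise on any defect."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def audit_claims(claims: dict) -> list:
    """Report credential-bearing claims and a token that outlives its credentials."""
    findings = []
    present = sorted(AWS_CREDENTIAL_CLAIMS.intersection(claims))
    if present:
        findings.append("credential-bearing claims: " + ", ".join(present))
    exp = claims.get("exp")
    aws_exp = claims.get("aws_expiration")  # assumed claim name
    if exp is not None and aws_exp is not None and exp > aws_exp:
        findings.append("token exp exceeds embedded credential expiration")
    return findings


if __name__ == "__main__":
    token = issue_jwt(SAMPLE_CLAIMS, SECRET)
    for finding in audit_claims(verify_jwt(token, SECRET)):
        print(finding)
```

Run as-is it reports both findings for the constructed token; a plain token with only `sub`, `iss` and `exp` produces no findings, which is the behaviour the description promises when AWS federation is not enabled.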