KNOX-2714 - Added doAs support to KnoxToken service #545

Merged
merged 1 commit into from Mar 16, 2022


@smolnar82 smolnar82 commented Mar 11, 2022

What changes were proposed in this pull request?

Implemented the changes described in KNOX-2714.

How was this patch tested?

Updated existing unit tests as well as added new ones to cover the new functionality.

Manual testing is done:

  1. Logged in as the admin user
  2. Created a token for the admin user itself
  3. Created tokens for different machine users: sandormolnar and tom


postgres=> select * from knox_token_metadata;
               token_id               |  md_name  |                                         md_value                                         
--------------------------------------+-----------+------------------------------------------------------------------------------------------
 8ceb8731-5b73-4983-9c9d-ff2712c76daa | comment   | token for admin
 8ceb8731-5b73-4983-9c9d-ff2712c76daa | userName  | admin
 8ceb8731-5b73-4983-9c9d-ff2712c76daa | enabled   | true
 8ceb8731-5b73-4983-9c9d-ff2712c76daa | passcode  | emzvv73vv71Ie++/ve+/ve+/vQHvv70kaWwLJu+/ve+/vXjRmu+/vdG1OR/vv71b77+977+977+9LA==

 80ce72a3-221d-49e6-971d-d4d4886d29d0 | comment   | token for sandormolnar
 80ce72a3-221d-49e6-971d-d4d4886d29d0 | userName  | sandormolnar
 80ce72a3-221d-49e6-971d-d4d4886d29d0 | createdBy | admin
 80ce72a3-221d-49e6-971d-d4d4886d29d0 | enabled   | true
 80ce72a3-221d-49e6-971d-d4d4886d29d0 | passcode  | 77+9Ne+/vRdkYwzElXgbRe+/ve+/ve+/vWNUUO+/vSsfNO+/vU/vv71k77+9O3jvv73vv710

 8e17c9d5-ca59-4672-802f-f6c20287deec | comment   | token for tom in accountant team
 8e17c9d5-ca59-4672-802f-f6c20287deec | userName  | tom
 8e17c9d5-ca59-4672-802f-f6c20287deec | createdBy | admin
 8e17c9d5-ca59-4672-802f-f6c20287deec | enabled   | true
 8e17c9d5-ca59-4672-802f-f6c20287deec | passcode  | 77+977+977+9ce+/vRPvv70+Iu+/vXJl77+9ce+/vSrvv71777+977+977+977+9Mcu6M3nvv73vv71eKu+/vQ==
(14 rows)
  1. Removed knox.token.proxyuser.admin.users and changed knox.token.proxyuser.admin.groups to accountant in the homepage topology (by default 'admin' is allowed to impersonate everyone). Then I tried to create a token on behalf of bob who is not in the accountant group (he's a researcher):
$ id bob
uid=505(bob) gid=20(staff) groups=20(staff),504(research)
The result, as expected, is 403

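The impersonation decision exercised in the manual test above can be modelled as follows. This is an added example, not code from the pull request or from Knox: it assumes Hadoop-style proxyuser semantics (comma-separated allow lists, `*` as wildcard, a match on either list is enough), does not model host restrictions, and the function names and the group memberships of tom and sandormolnar are constructed.

```python
# Added illustration, not Knox source: a model of a Hadoop-style proxyuser check.
# Assumed semantics: comma-separated allow lists, "*" as wildcard, and a match
# on either the users list or the groups list permits impersonation.

def parse_list(value):
    """Split a comma-separated property value into a set of trimmed entries."""
    return {item.strip() for item in (value or "").split(",") if item.strip()}

def can_impersonate(topology, groups_of, real_user, do_as):
    """True if real_user may request a token on behalf of do_as."""
    if not do_as or do_as == real_user:
        return True  # no impersonation requested
    prefix = f"knox.token.proxyuser.{real_user}."
    allowed_users = parse_list(topology.get(prefix + "users"))
    allowed_groups = parse_list(topology.get(prefix + "groups"))
    if "*" in allowed_users or do_as in allowed_users:
        return True
    if "*" in allowed_groups:
        return True
    # Fail closed: an unknown user has no groups, and a proxy user with no
    # configured properties has empty allow lists.
    return bool(allowed_groups & groups_of.get(do_as, set()))

def token_request_status(topology, groups_of, real_user, do_as=None):
    """HTTP status the token endpoint would return in this model."""
    return 200 if can_impersonate(topology, groups_of, real_user, do_as) else 403

# Group membership: bob's comes from the `id bob` output in the PR description;
# tom's and sandormolnar's are constructed for the example.
GROUPS = {
    "bob": {"staff", "research"},
    "tom": {"staff", "accountant"},
    "sandormolnar": {"staff"},
}

# Assumed rendering of "admin is allowed to impersonate everyone".
DEFAULT_TOPOLOGY = {
    "knox.token.proxyuser.admin.users": "*",
    "knox.token.proxyuser.admin.groups": "*",
}
# Last manual-test step: users property removed, groups set to accountant.
RESTRICTED_TOPOLOGY = {"knox.token.proxyuser.admin.groups": "accountant"}

if __name__ == "__main__":
    for user in ("tom", "sandormolnar", "bob"):
        print(user, token_request_status(RESTRICTED_TOPOLOGY, GROUPS, "admin", user))
```

With the restricted topology the model returns 403 for bob, matching the result reported in the description, and also for any user whose groups are unknown.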


@pzampino pzampino left a comment


LGTM

@smolnar82 smolnar82 merged commit 69a92c2 into apache:master Mar 16, 2022
@smolnar82 smolnar82 deleted the KNOX-2714 branch March 16, 2022 13:26