Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

KNOX-2982 - Having one disabled one enabled identity-assertion providers doesn't work #832

Merged
merged 1 commit into from
Jan 16, 2024
Merged

KNOX-2982 - Having one disabled one enabled identity-assertion providers doesn't work #832

merged 1 commit into from
Jan 16, 2024

Conversation

zeroflag
Copy link
Contributor

@zeroflag zeroflag commented Jan 9, 2024
edited
Loading

What changes were proposed in this pull request?

When there are multiple providers in one topology, knox gets the first one, without checking if it's enabled or disabled.

Therefore having 2 identity-assertion providers where the first is disabled and the 2nd is enabled, doesn't work.

We should find the first enabled provider instead.

How was this patch tested?

1st provider enabled

<provider>
    <role>identity-assertion</role>
    <name>SwitchCase</name>
    <enabled>true</enabled>
    <param>
        <name>principal.case</name>
        <value>upper</value>
    </param>
    <param> 
        <name>group.principal.case</name>
        <value>upper</value>
    </param>    
</provider>

2nd provider disabled:

<provider>
  <role>identity-assertion</role>
  <name>Regex</name>
  <enabled>false</enabled>
  <param>
    <name>input</name>
    <value>ad(.*)</value>
  </param>  
  <param>   
    <name>output</name>
    <value>{1}max</value>
  </param>      
</provider>
curl -vk -u admin:admin-password https://localhost:8443/gateway/sandbox/hive

24/01/09 14:04:50 ||eddb35a8-c6d7-4ae7-9d50-b0b3e50fddaa|audit|127.0.0.1|HIVE|admin|ADMIN||identity-mapping|principal|admin|success|Effective User: ADMIN
24/01/09 14:04:50 ||eddb35a8-c6d7-4ae7-9d50-b0b3e50fddaa|audit|127.0.0.1|HIVE|admin|ADMIN||identity-mapping|principal|ADMIN|success|Groups: []

1st provider disabled

<provider>
    <role>identity-assertion</role>
    <name>SwitchCase</name>
    <enabled>false</enabled>
    <param>
        <name>principal.case</name>
        <value>upper</value>
    </param>
    <param> 
        <name>group.principal.case</name>
        <value>upper</value>
    </param>    
</provider>

2nd provider enabled:

<provider>
  <role>identity-assertion</role>
  <name>Regex</name>
  <enabled>true</enabled>
  <param>
    <name>input</name>
    <value>ad(.*)</value>
  </param>  
  <param>   
    <name>output</name>
    <value>{1}max</value>
  </param>      
</provider>
curl -vk -u admin:admin-password https://localhost:8443/gateway/sandbox/hive

24/01/09 14:06:26 ||2d376454-b232-4011-85bd-cdbc526962e6|audit|127.0.0.1|HIVE|admin|minmax||identity-mapping|principal|admin|success|Effective User: minmax
24/01/09 14:06:26 ||2d376454-b232-4011-85bd-cdbc526962e6|audit|127.0.0.1|HIVE|admin|minmax||identity-mapping|principal|minmax|success|Groups: []

Both disabled:

curl -vk -u admin:admin-password https://localhost:8443/gateway/sandbox/hive
24/01/10 13:37:15 ||2badf91c-5922-4577-8b59-78dff76558f1|audit|127.0.0.1|HIVE|admin|||authentication|uri|/gateway/sandbox/hive|success|Groups: []

@zeroflag zeroflag marked this pull request as draft January 9, 2024 13:15
@zeroflag zeroflag marked this pull request as ready for review January 10, 2024 12:34
smolnar82
smolnar82 reviewed Jan 16, 2024
View reviewed changes
Copy link
Contributor

@smolnar82 smolnar82 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, just had a small question.

gateway-spi/src/main/java/org/apache/knox/gateway/deploy/ServiceDeploymentContributorBase.java Show resolved Hide resolved
@zeroflag zeroflag merged commit 16daa62 into apache:master Jan 16, 2024
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@smolnar82 smolnar82 smolnar82 approved these changes

@moresandeep moresandeep Awaiting requested review from moresandeep

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@zeroflag @smolnar82