KNOX-2998 - Path based authorization provider #875

Merged
merged 1 commit into from
Mar 6, 2024

Conversation

moresandeep
Contributor

What changes were proposed in this pull request?

This change proposes a new authorization provider PathAclsAuthz that authorizes based on the request path. Authorization is done based on path matching, similar to rewrite rules.

Format is very similar to AclsAuthz provider with an addition of path. The format is
{path};{users};{groups}:{ips}
One important thing to note here is that the path is not plural; there has to be one and only one path defined.

In case one wants multiple paths, they can define multiple rules with the rule name as a parameter, e.g.
KNOXTOKEN.{rule_name}.path.acl

These are the special cases for rule names:
This rule will be applied to ALL services defined in the topology

           <param>
                <name>path.acl</name>
                <value>https://*:*/**/knoxtoken/api/**;admin;*;*</value> 
            </param>

This rule will be applied to only the service {service_name}

           <param>
                <name>{service_name}.path.acl</name>
                <value>https://*:*/**/knoxtoken/api/**;admin;*;*</value> 
            </param>

ALL of these rules will be applied to service {service_name}.
NOTE: {rule_1} and {rule_2} can be any unique names.

           <param>
                <name>{service_name}.{rule_1}.path.acl</name>
                <value>https://*:*/**/knoxtoken/api/**;admin;*;*</value> 
            </param>
            <param>
                <name>{service_name}.{rule_2}.path.acl</name>
                <value>https://*:*/**/knoxtoken/api/**;admin;*;*</value> 
            </param>

Following are concrete examples of the above rules:

  1. This rule will be applied to ALL services defined in the topology
       <provider>
            <role>authorization</role>
            <name>PathAclsAuthz</name>
            <enabled>true</enabled>
            <param>
                <name>path.acl</name>
                <value>https://*:*/**/knoxtoken/api/**;admin;*;*</value> 
            </param>
        </provider>
  2. This rule will be applied only to the KNOXTOKEN service
       <provider>
            <role>authorization</role>
            <name>PathAclsAuthz</name>
            <enabled>true</enabled>
            <param>
                <name>KNOXTOKEN.path.acl</name>
                <value>https://*:*/**/knoxtoken/api/**;admin;*;*</value> 
            </param>
        </provider>
  3. All of these rules will be applied only to the KNOXTOKEN service
       <provider>
            <role>authorization</role>
            <name>PathAclsAuthz</name>
            <enabled>true</enabled>
            <param>
                <name>KNOXTOKEN.rule_1.path.acl</name>
                <value>https://*:*/**/knoxtoken/api/**;admin;*;*</value> 
            </param>
            <param>
                <name>KNOXTOKEN.rule_2.path.acl</name>
                <value>https://*:*/**/knoxtoken/foo/**;knox;*;*</value> 
            </param>
            <param>
                <name>KNOXTOKEN.rule_3.path.acl</name>
                <value>https://*:*/**/knoxtoken/bar/**;sam;admin;*</value> 
            </param>
        </provider>

How was this patch tested?

This patch was tested locally

curl -ivku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token
*   Trying 127.0.0.1:8443...
* Connected to localhost (127.0.0.1) port 8443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: C=US; ST=Test; L=Test; O=Hadoop; OU=Test; CN=localhost
*  start date: Mar  5 19:59:57 2024 GMT
*  expire date: Mar  5 19:59:57 2025 GMT
*  issuer: C=US; ST=Test; L=Test; O=Hadoop; OU=Test; CN=localhost
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* using HTTP/1.x
* Server auth using Basic with user 'admin'
> GET /gateway/sandbox/knoxtoken/api/v1/token HTTP/1.1
> Host: localhost:8443
> Authorization: Basic YWRtaW46YWRtaW4tcGFzc3dvcmQ=
> User-Agent: curl/7.88.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Tue, 05 Mar 2024 20:30:59 GMT
Date: Tue, 05 Mar 2024 20:30:59 GMT
< Set-Cookie: KNOXSESSIONID=node0nt5x5i2yaz2dhj3vyicmwp2k5.node0; Path=/gateway/sandbox; Secure; HttpOnly
Set-Cookie: KNOXSESSIONID=node0nt5x5i2yaz2dhj3vyicmwp2k5.node0; Path=/gateway/sandbox; Secure; HttpOnly
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Mon, 04-Mar-2024 20:30:59 GMT; SameSite=lax
Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Mon, 04-Mar-2024 20:30:59 GMT; SameSite=lax
< Content-Type: application/json
Content-Type: application/json
< Content-Length: 2300
Content-Length: 2300

.......             
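
As an added illustration (my own Python, not Knox's implementation and not part of the pull request): a small evaluator for the rule format described above. It parses the three parameter-name shapes (path.acl, {service}.path.acl, {service}.{rule}.path.acl), splits the value on ';' as every example in the description does, rejects a value that does not carry exactly one path, and matches the request URL against the path with rewrite-style '*' and '**' globs. The glob semantics, the AND evaluation of users/groups/ips, the "every matching rule must permit" combination, and the allow-when-no-rule-matches default are assumptions of this example, not taken from the Knox code; KNOXTOKEN_PARAMS is a constructed sample that mirrors the third provider example.

```python
"""Toy evaluator for PathAclsAuthz-style rules ({path};{users};{groups};{ips})."""
from __future__ import annotations

import re
from dataclasses import dataclass


def _compile_path(pattern: str) -> re.Pattern:
    """Turn a rewrite-style URL pattern into a regex.

    Assumed semantics (not taken from Knox's code): '**' matches across '/'
    boundaries, '/**/' matches zero or more whole segments, and a lone '*'
    matches within a single segment (no '/').
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**/", i):
            out.append("/(?:.*/)?"); i += 4
        elif pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(out) + "$")


@dataclass(frozen=True)
class PathAclRule:
    service: str | None   # None: applies to every service in the topology
    name: str | None      # optional rule name ({service}.{name}.path.acl)
    path: str
    users: frozenset
    groups: frozenset
    ips: frozenset

    def matches(self, url: str) -> bool:
        return _compile_path(self.path).match(url) is not None

    def permits(self, user: str, user_groups, client_ip: str) -> bool:
        # AND across the three lists, '*' being a wildcard for a whole list
        # (assumed here; it mirrors AclsAuthz's default AND mode).
        return (("*" in self.users or user in self.users)
                and ("*" in self.groups or not self.groups.isdisjoint(user_groups))
                and ("*" in self.ips or client_ip in self.ips))


def _split_list(field: str) -> frozenset:
    return frozenset(v.strip() for v in field.split(",") if v.strip())


def parse_rule(param_name: str, param_value: str) -> PathAclRule:
    """Parse one <param>: the name selects the scope, the value carries the ACL."""
    if param_name == "path.acl":
        service, name = None, None
    elif param_name.endswith(".path.acl"):
        parts = param_name[: -len(".path.acl")].split(".")
        if len(parts) == 1:
            service, name = parts[0], None
        elif len(parts) == 2:
            service, name = parts[0], parts[1]
        else:
            raise ValueError(f"unrecognised rule name: {param_name}")
    else:
        raise ValueError(f"not a path.acl parameter: {param_name}")
    fields = param_value.split(";")
    if len(fields) != 4:  # exactly one path, then users, groups, ips
        raise ValueError(f"expected path;users;groups;ips, got {param_value!r}")
    path, users, groups, ips = fields
    return PathAclRule(service, name, path.strip(), _split_list(users),
                       _split_list(groups), _split_list(ips))


def load_rules(params: dict) -> list:
    return [parse_rule(n, v) for n, v in params.items()]


def authorize(rules, service: str, url: str, user: str, user_groups,
              client_ip: str, default_allow: bool = True) -> bool:
    """Assumed decision: only rules scoped to this service (or to all services)
    whose path matches the URL count; every such rule must permit the caller;
    with no matching rule the result is default_allow (True mirrors AclsAuthz,
    where a service without an ACL is open)."""
    applicable = [r for r in rules
                  if (r.service is None or r.service == service) and r.matches(url)]
    if not applicable:
        return default_allow
    return all(r.permits(user, user_groups, client_ip) for r in applicable)


# Constructed sample: the three-rule KNOXTOKEN provider from the description.
KNOXTOKEN_PARAMS = {
    "KNOXTOKEN.rule_1.path.acl": "https://*:*/**/knoxtoken/api/**;admin;*;*",
    "KNOXTOKEN.rule_2.path.acl": "https://*:*/**/knoxtoken/foo/**;knox;*;*",
    "KNOXTOKEN.rule_3.path.acl": "https://*:*/**/knoxtoken/bar/**;sam;admin;*",
}
TOKEN_URL = "https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token"


def check(params, service, url, user, groups=(), ip="127.0.0.1", default_allow=True):
    return authorize(load_rules(params), service, url, user, set(groups), ip, default_allow)


if __name__ == "__main__":
    print(check(KNOXTOKEN_PARAMS, "KNOXTOKEN", TOKEN_URL, "admin", {"admin"}))  # True
    print(check(KNOXTOKEN_PARAMS, "KNOXTOKEN", TOKEN_URL, "knox", {"users"}))   # False
```

The rejection of a value with more than four fields is where the "one and only one path" rule is enforced; a second path has to be expressed as a second named rule, as the description says.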

@moresandeep moresandeep merged commit c594fe7 into apache:master Mar 6, 2024
2 checks passed