KNOX-3219 - New function in Virtual Group mapper to test request parameters #1112

Merged: smolnar82 merged 1 commit into apache:master from smolnar82:KNOX-3219 on Nov 27, 2025

@smolnar82 smolnar82 commented Nov 26, 2025

KNOX-3129 - New Virtual Group mapping function to check request parameters

What changes were proposed in this pull request?

This PR adds a new Virtual Group mapping function that gets the value (later used for testing the given predicate) from the request parameters.

How was this patch tested?

Added new unit test cases to cover this new function.

Additionally, I applied the following configs in a topology:

        <provider>
            <role>identity-assertion</role>
            <name>HadoopGroupProvider</name>
            <enabled>true</enabled>
            <param>
                <name>CENTRAL_GROUP_CONFIG_PREFIX</name>
                <value>gateway.group.config.</value>
            </param>
            <param>
                <name>group.mapping.non_rejected_requests</name>
                <value>(= (strlen (request-parameter 'impala.doas.user')) 0)</value>
            </param>
        </provider>
        <provider>
            <role>authorization</role>
            <name>AclsAuthz</name>
            <enabled>true</enabled>
            <param>
                <name>webhdfs.acl</name>
                <value>*;non_rejected_requests;*</value>
            </param>
        </provider>

I then challenged this topology using the WEBHDFS service with and without the impala.doas.user request parameter and confirmed that the non_rejected_requests group was mapped when impala.doas.user was not in the request. See the relevant gateway-audit.log entries (check the identity-mapping lines):

25/11/26 11:53:57 ||dcacf4a6-2cf4-4c81-a7d4-ca51b26f2a8f|audit|10.140.118.194|WEBHDFS||||access|uri|/gateway/cdp-proxy-api/webhdfs/v1?op=LISTSTATUS&impala.doas.user=myUser|unavailable|Request method: GET
25/11/26 11:53:58 ||dcacf4a6-2cf4-4c81-a7d4-ca51b26f2a8f|audit|10.140.118.194|WEBHDFS|knoxui|||authentication|uri|/gateway/cdp-proxy-api/webhdfs/v1?op=LISTSTATUS&impala.doas.user=myUser|success|
25/11/26 11:53:58 ||dcacf4a6-2cf4-4c81-a7d4-ca51b26f2a8f|audit|10.140.118.194|WEBHDFS|knoxui|||authentication|uri|/gateway/cdp-proxy-api/webhdfs/v1?op=LISTSTATUS&impala.doas.user=myUser|success|Groups: [admin]
25/11/26 11:53:58 ||dcacf4a6-2cf4-4c81-a7d4-ca51b26f2a8f|audit|10.140.118.194|WEBHDFS|knoxui|||identity-mapping|principal|knoxui|success|Groups: [admin]
25/11/26 11:53:58 ||dcacf4a6-2cf4-4c81-a7d4-ca51b26f2a8f|audit|10.140.118.194|WEBHDFS|knoxui|||authorization|uri|/gateway/cdp-proxy-api/webhdfs/v1?op=LISTSTATUS&impala.doas.user=myUser|failure|
25/11/26 11:53:58 ||dcacf4a6-2cf4-4c81-a7d4-ca51b26f2a8f|audit|10.140.118.194|WEBHDFS|knoxui|||access|uri|/gateway/cdp-proxy-api/webhdfs/v1?op=LISTSTATUS&impala.doas.user=myUser|success|Response status: 403
...
25/11/26 11:54:05 ||ec83e82f-43f8-4963-8493-0e22ea09a1bc|audit|10.140.118.194|WEBHDFS||||access|uri|/gateway/cdp-proxy-api/webhdfs/v1?op=LISTSTATUS|unavailable|Request method: GET
25/11/26 11:54:05 ||ec83e82f-43f8-4963-8493-0e22ea09a1bc|audit|10.140.118.194|WEBHDFS|knoxui|||authentication|uri|/gateway/cdp-proxy-api/webhdfs/v1?op=LISTSTATUS|success|
25/11/26 11:54:05 ||ec83e82f-43f8-4963-8493-0e22ea09a1bc|audit|10.140.118.194|WEBHDFS|knoxui|||authentication|uri|/gateway/cdp-proxy-api/webhdfs/v1?op=LISTSTATUS|success|Groups: [knoxui]
25/11/26 11:54:05 ||ec83e82f-43f8-4963-8493-0e22ea09a1bc|audit|10.140.118.194|WEBHDFS|knoxui|||identity-mapping|principal|knoxui|success|Groups: [non_rejected_requests, admin]
25/11/26 11:54:05 ||ec83e82f-43f8-4963-8493-0e22ea09a1bc|audit|10.140.118.194|WEBHDFS|knoxui|||authorization|uri|/gateway/cdp-proxy-api/webhdfs/v1?op=LISTSTATUS|success|
25/11/26 11:54:05 ||ec83e82f-43f8-4963-8493-0e22ea09a1bc|audit|10.140.118.194|WEBHDFS|knoxui|||dispatch|uri|https://ccycloud-1.tpayer-knox.root.comops.site:20102/webhdfs/v1/?op=LISTSTATUS&doAs=knoxui|unavailable|Request method: GET
25/11/26 11:54:05 ||ec83e82f-43f8-4963-8493-0e22ea09a1bc|audit|10.140.118.194|WEBHDFS|knoxui|||dispatch|uri|https://ccycloud-1.tpayer-knox.root.comops.site:20102/webhdfs/v1/?op=LISTSTATUS&doAs=knoxui|success|Response status: 200
25/11/26 11:54:05 ||ec83e82f-43f8-4963-8493-0e22ea09a1bc|audit|10.140.118.194|WEBHDFS|knoxui|||access|uri|/gateway/cdp-proxy-api/webhdfs/v1?op=LISTSTATUS|success|Response status: 200
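
The check below is an added example, not part of the pull request or of Knox's own code: it parses six of the audit entries quoted above, correlates them by request id, and flags any request where the non_rejected_requests mapping disagrees with the presence of impala.doas.user. The field positions and the names `summarize` and `inconsistent` are assumptions inferred from the sample lines.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Six of the gateway-audit.log entries quoted above, copied verbatim.
SAMPLE = """\
25/11/26 11:53:58 ||dcacf4a6-2cf4-4c81-a7d4-ca51b26f2a8f|audit|10.140.118.194|WEBHDFS|knoxui|||identity-mapping|principal|knoxui|success|Groups: [admin]
25/11/26 11:53:58 ||dcacf4a6-2cf4-4c81-a7d4-ca51b26f2a8f|audit|10.140.118.194|WEBHDFS|knoxui|||authorization|uri|/gateway/cdp-proxy-api/webhdfs/v1?op=LISTSTATUS&impala.doas.user=myUser|failure|
25/11/26 11:53:58 ||dcacf4a6-2cf4-4c81-a7d4-ca51b26f2a8f|audit|10.140.118.194|WEBHDFS|knoxui|||access|uri|/gateway/cdp-proxy-api/webhdfs/v1?op=LISTSTATUS&impala.doas.user=myUser|success|Response status: 403
25/11/26 11:54:05 ||ec83e82f-43f8-4963-8493-0e22ea09a1bc|audit|10.140.118.194|WEBHDFS|knoxui|||identity-mapping|principal|knoxui|success|Groups: [non_rejected_requests, admin]
25/11/26 11:54:05 ||ec83e82f-43f8-4963-8493-0e22ea09a1bc|audit|10.140.118.194|WEBHDFS|knoxui|||authorization|uri|/gateway/cdp-proxy-api/webhdfs/v1?op=LISTSTATUS|success|
25/11/26 11:54:05 ||ec83e82f-43f8-4963-8493-0e22ea09a1bc|audit|10.140.118.194|WEBHDFS|knoxui|||access|uri|/gateway/cdp-proxy-api/webhdfs/v1?op=LISTSTATUS|success|Response status: 200
"""

PARAM = "impala.doas.user"       # request parameter the predicate inspects
GROUP = "non_rejected_requests"  # virtual group defined in the topology

def summarize(log_text):
    """Correlate audit lines per request id. Field positions are inferred
    from the sample lines, not taken from Knox documentation."""
    reqs = {}
    for line in log_text.splitlines():
        f = line.split("|", 13)
        if len(f) != 14 or f[3] != "audit":
            continue  # not an audit record in the layout seen above
        rid, action, rtype, rname, outcome, msg = f[2], *f[9:14]
        r = reqs.setdefault(rid, {"param": False, "groups": None,
                                  "authz": None, "status": None})
        if action == "identity-mapping":
            m = re.search(r"Groups: \[(.*?)\]", msg)
            r["groups"] = {g.strip() for g in m.group(1).split(",") if g.strip()} if m else set()
        elif action == "authorization":
            r["authz"] = outcome
        elif action == "access" and rtype == "uri":
            # parse_qs drops blank values, so an empty parameter counts as
            # absent (assumed to match the strlen == 0 predicate).
            r["param"] = PARAM in parse_qs(urlsplit(rname).query)
            m = re.search(r"Response status: (\d+)", msg)
            if m:
                r["status"] = int(m.group(1))
    return reqs

def inconsistent(reqs):
    """Ids of requests whose group mapping contradicts the predicate:
    GROUP must be present exactly when PARAM is absent."""
    return [rid for rid, r in reqs.items()
            if r["groups"] is not None and (GROUP in r["groups"]) == r["param"]]

if __name__ == "__main__":
    print(inconsistent(summarize(SAMPLE)))
```
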

@zeroflag zeroflag left a comment

LGTM 👍

@smolnar82 smolnar82 merged commit c9e3266 into apache:master Nov 27, 2025
2 checks passed
@smolnar82 smolnar82 deleted the KNOX-3219 branch November 27, 2025 05:59
moresandeep pushed a commit to moresandeep/knox that referenced this pull request Dec 1, 2025