Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

KNOX-2974 - Add a new endpoint 'extauthz' similar to pre that accepts HTTP verbs other than GET and if configured ignores additional context path params #813

Merged
merged 1 commit into from
Oct 30, 2023
Merged

KNOX-2974 - Add a new endpoint 'extauthz' similar to pre that accepts HTTP verbs other than GET and if configured ignores additional context path params #813

merged 1 commit into from
Oct 30, 2023

Conversation

moresandeep
Copy link
Contributor

What changes were proposed in this pull request?

  • New endpoint 'auth/api/v1/extauthz' (similar to auth/api/v1/pre) that accepts HTTP verbs other than GET
  • If configured ignores additional context path params

e.g.

knox git:(KNOX-2974) curl -X POST -iku guest:guest-password https://localhost:8443/gateway/sandbox/auth/api/v1/extauthz
HTTP/1.1 200 OK
Date: Mon, 30 Oct 2023 11:04:54 GMT
Set-Cookie: KNOXSESSIONID=node01fu988w96ue8n19ot0yixrdt6s7.node0; Path=/gateway/sandbox; Secure; HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Sun, 29-Oct-2023 11:04:54 GMT; SameSite=lax
X-Knox-Actor-ID: guest
Content-Length: 0

knox git:(KNOX-2974) curl -X POST -iku guest:guest-password https://localhost:8443/gateway/sandbox/auth/api/v1/extauthz/xyz
HTTP/1.1 200 OK
Date: Mon, 30 Oct 2023 11:05:28 GMT
Set-Cookie: KNOXSESSIONID=node04574919y5ed372i1cdy8i25h8.node0; Path=/gateway/sandbox; Secure; HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Sun, 29-Oct-2023 11:05:28 GMT; SameSite=lax
X-Knox-Actor-ID: guest
Content-Length: 0

Configuration parameter to enable/disable ignoring extra path (/xyz in previous example) is ignore.additional.path

<service>
	     <role>KNOX-AUTH-SERVICE</role>
	     <param>
	       <name>preauth.auth.header.actor.id.name</name>
	       <value>X-Knox-Actor-ID</value>
	     </param>
	     <param>
	       <name>preauth.auth.header.actor.groups.prefix</name>
	       <value>X-Knox-Actor-Groups</value>
	     </param>
	     <param>
	       <name>ignore.additional.path</name>
	       <value>true</value>
	     </param>
              ......
	</service>

NOTE: this endpoint is based on auth/api/v1/pre so all the option that are supported by auth/api/v1/pre are supported by auth/api/v1/extauthz

How was this patch tested?

This patch was tested locally

@moresandeep
KNOX-2974 - Add a new endpoint 'extauthz' similar to pre that accepts…
55b613b 
… HTTP verbs other than GET and if confgiured ignores additional context path params
@moresandeep moresandeep merged commit 8e55969 into apache:master Oct 30, 2023
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zeroflag zeroflag zeroflag approved these changes

@smolnar82 smolnar82 Awaiting requested review from smolnar82

@pzampino pzampino Awaiting requested review from pzampino

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@moresandeep @zeroflag