KNOX-3350: Populate groups in KnoxSSO cookie when configured#1264
KNOX-3350: Populate groups in KnoxSSO cookie when configured#1264smolnar82 wants to merge 1 commit into
Conversation
Test Results22 tests 22 ✅ 2s ⏱️ Results for commit 43eeff0. |
moresandeep
left a comment
moresandeep
left a comment
There was a problem hiding this comment.
@smolnar82 did you check https://issues.apache.org/jira/browse/KNOX-2679?
AFAIK we already have support for groups but it is not hooked up to JWT. We have a param to turn off groups pac4j.session.store.exclude.groups
Looks like this PR includes groups from java Subject. For SSO groups are populated from SAML right? can you elaborate on how this will Subject groups are populated.
I think we should also support hooking up SAML groups here if pac4j.session.store.exclude.groups=false (currently they only show up in pac4j profile cookie)
|
@moresandeep - Thanks for your review; I replied back to the default value above.
Nope. SAML is one way to authenticate. But we do support other authN mechanisms, such as LDAP. |
Ahh, i see, that makes sense, don't you think we should also support SAML and not just LDAP? IMO we should support a way to fetch groups from SAML too if we are supporting fetching groups from other ways too. There have been internal requests for this. |
lmccay
left a comment
lmccay
left a comment
There was a problem hiding this comment.
Please note that the reason we have an option to turn off groups in the cookie is that the cookies get too big and SSO will therefore not work. I don't actually think we should be passing all of the users' group memberships around on every request from the browser and allow the to get stale based on the TTL/expiry of the token and cookie. Also, we shouldn't be getting group memberships from different sources in a deployment. If we get this from the SSO SAML assertion and others are using LDAP Proxy Server then there could be divergence. Overall, I am more -1 on this as a change but if someone wants to use it and they make sure that all group lookup gets the same groups then we can add it but I think that it needs to be disabled by default.
|
@lmccay made a point: cookie size can be an issue. Modern browsers support cookies up to 4K: |
Well, it isn't really clear to me where those groups are even going to be used and what authorization check will see them. Depending on the specific need, we may be able to handle this in another way. |
|
If we decide to go with this PR, we need to add a filter for groups something like |
That's a good idea. Let's figure that out... |
3 participants
KNOX-3350 - Add group information into the generated JWT in WebSSOResource
What changes were proposed in this pull request?
This PR introduces the ability to include group information in the JWT tokens generated by
WebSSOResource(KnoxSSO).Key changes include:
knoxsso.token.include.groupsto control whether group information should be included in the issued JWT.getAuthenticationTokeninWebSSOResourceto populate thegroupsclaim inJWTokenAttributeswhen the feature is enabled.TokenResourceby utilizingSubjectUtils.getCurrentGroupPrincipalNames().How was this patch tested?
The changes were verified by adding comprehensive unit tests in
WebSSOResourceTest:testIncludeGroupsTrue: Verifies that groups are correctly included in the JWT whenknoxsso.token.include.groupsis set totrue.testIncludeGroupsFalse: Verifies that groups are excluded when the parameter is set tofalse.testIncludeGroupsOmitted: Verifies that the default behavior (when the parameter is missing) is to exclude groups.Integration Tests
I ran manual testing using my local Knox instance against the
knoxssotopology. I logged in asrecursiveUser, verifiedhadoop-jwt(extracted from DEV tools in Chrome) is generated, then checked its content onjwt.io:knoxsso.token.include.groups:knoxsso.token.include.groups = false:knoxsso.token.include.groups = true:UI changes
N/A