Skip to content

KNOX-3374: Revert LDAPServer Manager changes. Skip roles lookup if ro…#1301

Open
hanicz wants to merge 1 commit into
apache:masterfrom
hanicz:KNOX-3374-2
Open

KNOX-3374: Revert LDAPServer Manager changes. Skip roles lookup if ro…#1301
hanicz wants to merge 1 commit into
apache:masterfrom
hanicz:KNOX-3374-2

Conversation

@hanicz

@hanicz hanicz commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

…lesLookupInterceptor is enabled

KNOX-3374 - Fix inherited roles missing from auth headers when LDAP roles-lookup interceptor is active

What changes were proposed in this pull request?

Reworked the KNOX-3374 fix per review feedback.

  • Revert previous PR
  • AbstractAuthResource checks for rolesLookupInterceptor enabled.
    1. Interceptor configured: the Subject's GroupPrincipal's are already role names.
    2. Interceptor not configured: Subject has raw groups, lookupRoles call is necessary.
  • New unit tests to verify the behaviour

How was this patch tested?

Unit tests, manual e2e tests

Roles:

[
  { "id": "admin", "type": "user",
    "roles": [ { "scope": "console", "name": "admin" } ] },
  { "id": "me-test-group-a", "type": "group",
    "roles": [ { "scope": "ws-1", "name": "viewer" } ] },
  { "id": "me-test-group-b", "type": "group",
    "roles": [ { "scope": "ws-2", "name": "user" } ] }
]

Tested with rolesLookupInterceptor enabled and disabled

curl -kvs -u admin:admin-password \
  https://localhost:8443/gateway/sandbox/auth/api/v1/extauthz/anything

< username: admin
< roles: ws-1:viewer,console:admin,ws-2:user

Integration Tests

N/A

UI changes

N/A

@hanicz hanicz added the ldap label Jul 9, 2026
@hanicz

hanicz commented Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

@handavid Could you please review the changes?

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

Test Results

32 tests   32 ✅  3s ⏱️
 1 suites   0 💤
 1 files     0 ❌

Results for commit f0e2377.

@handavid handavid left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@hanicz
Can you explain to me your thoughts behind this PR? I don't understand why the AbstractAuthResource needs to do role lookup at all. Can't it just rely on the the KnoxLDAPServerManager to return the appropriate values (either groups or roles as configured)? Is there a use-case where the auth would need to return roles even if the LDAP service is configured to return groups? I find that a little confusing.
Also, I don't think it's really appropriate for auth to condition it's behavior on the configuration of the LDAP proxy. IMO, the LDAP proxy should be a black box to auth and auth should just take whatever the proxy returns.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants