Knox as OIDC Provider

.github/workflows/build/Dockerfile

@@ -17,33 +17,39 @@ FROM eclipse-temurin:17-jre
 
 MAINTAINER moresandeep
 
-RUN useradd -ms /bin/bash gateway
-
-# Create directories
-RUN mkdir /knox-runtime
-RUN mkdir /knox-runtime/knoxshell
-
-# Copy artifacts
-COPY knox-temp-artifacts /knox-temp-artifacts-staging
-COPY knoxshell-temp-artifacts /knoxshell-temp-artifacts-staging
-
-# Move runtime to new location
-RUN mv /knox-temp-artifacts-staging/*/* /knox-runtime/ && \
-    mv /knoxshell-temp-artifacts-staging/*/* /knox-runtime/knoxshell/ && \
-    rm -rf /knox-temp-artifacts-staging /knoxshell-temp-artifacts-staging
-
-# Add configuration
-ADD master /knox-runtime/data/security/master
-ADD gateway-site.xml /knox-runtime/conf/gateway-site.xml
-ADD conf/topologies/knoxtoken.xml /knox-runtime/conf/topologies/knoxtoken.xml
-ADD conf/topologies/knoxldap.xml /knox-runtime/conf/topologies/knoxldap.xml
-ADD conf/topologies/remoteauth.xml /knox-runtime/conf/topologies/remoteauth.xml
-
-ADD conf/topologies/health.xml /knox-runtime/conf/topologies/health.xml
+# Install dependencies
+RUN apt-get update && apt-get install -y git && useradd -ms /bin/bash gateway
+
+# Create temporary directories for extraction
+RUN mkdir -p /tmp/knox-artifacts /tmp/knoxshell-artifacts /knox-runtime /knoxshell /knox-runtime/knoxshell
+
+# Copy pre-built tarballs from the local target directory
+# In CI, these are built in the previous step.
+# Locally, these are built by the developer.
+COPY target/*/knox-*.tar.gz /tmp/knox-artifacts/
+COPY target/*/knoxshell-*.tar.gz /tmp/knoxshell-artifacts/
+
+# Extract and move to runtime location
+RUN tar -xvzf /tmp/knox-artifacts/knox-*.tar.gz -C /tmp/knox-artifacts/ && \
+    tar -xvzf /tmp/knoxshell-artifacts/knoxshell-*.tar.gz -C /tmp/knoxshell-artifacts/ && \
+    mv /tmp/knox-artifacts/knox-*/* /knox-runtime/ && \
+    mv /tmp/knoxshell-artifacts/knoxshell-*/* /knox-runtime/knoxshell/ && \
+    rm -rf /tmp/knox-artifacts /tmp/knoxshell-artifacts
+
+# Configuration and scripts
+ADD .github/workflows/build/master /knox-runtime/data/security/master
+ADD .github/workflows/build/gateway-site.xml /knox-runtime/conf/gateway-site.xml
+ADD .github/workflows/build/conf/topologies/knoxtoken.xml /knox-runtime/conf/topologies/knoxtoken.xml
+ADD .github/workflows/build/conf/topologies/health.xml /knox-runtime/conf/topologies/health.xml
+ADD .github/workflows/build/conf/topologies/knoxldap.xml /knox-runtime/conf/topologies/knoxldap.xml
+ADD .github/workflows/build/conf/topologies/remoteauth.xml /knox-runtime/conf/topologies/remoteauth.xml
+ADD .github/workflows/build/conf/topologies/knoxidf-ldap.xml /knox-runtime/conf/topologies/knoxidf-ldap.xml
+ADD .github/workflows/build/conf/topologies/knoxidf-token.xml /knox-runtime/conf/topologies/knoxidf-token.xml
 
 RUN chown -R gateway /knox-runtime/
 
-ADD ldap.sh /ldap.sh
-ADD gateway.sh /gateway.sh
+ADD .github/workflows/build/ldap.sh /ldap.sh
+ADD .github/workflows/build/gateway.sh /gateway.sh
 
-RUN chmod +x /ldap.sh /gateway.sh
+RUN chmod +x /ldap.sh
+RUN chmod +x /gateway.sh

.github/workflows/build/conf/topologies/knoxidf-ldap.xml

@@ -0,0 +1,67 @@
+<?xml version="1.0" encoding="utf-8"?>
+<topology>
+    <gateway>
+      <provider>
+         <role>authentication</role>
+         <name>ShiroProvider</name>
+         <enabled>true</enabled>
+         <param>
+            <name>main.ldapRealm</name>
+            <value>org.apache.knox.gateway.shirorealm.KnoxLdapRealm</value>
+         </param>
+         <param>
+            <name>main.ldapRealm.userDnTemplate</name>
+            <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
+         </param>
+         <param>
+            <name>main.ldapRealm.contextFactory.url</name>
+            <value>ldap://ldap:33389</value>
+         </param>
+         <param>
+            <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
+            <value>simple</value>
+         </param>
+         <param>
+            <name>urls./knoxidf/api/v1/.well-known/openid-configuration</name>
+            <value>anon</value>
+         </param>
+         <param>
+            <name>urls./knoxidf/api/v1/client/register</name>
+            <value>anon</value>
+         </param>
+         <param>
+            <name>urls./knoxidf/api/v1/authorize/callback</name>
+            <value>anon</value>
+         </param>
+         <param>
+            <name>urls./knoxidf/api/v1/jwks</name>
+            <value>anon</value>
+          </param>
+         <param>
+            <name>urls./**</name>
+            <value>authcBasic</value>
+         </param>
+      </provider>
+      <provider>
+            <role>identity-assertion</role>
+            <name>Default</name>
+            <enabled>true</enabled>
+      </provider>
+    </gateway>
+
+    <service>
+        <role>KNOXIDF</role>
+        <param>
+            <name>knoxidf.knox.token.ttl</name>
+            <value>60000</value>
+        </param>
+        <param>
+            <name>knoxidf.knox.token.limit.per.user</name>
+            <value>-1</value>
+        </param>
+        <param>
+            <name>token.exchange.topology.name</name>
+            <value>knoxidf-token</value>
+        </param>
+    </service>
+</topology>

.github/workflows/build/conf/topologies/knoxidf-token.xml

@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="utf-8"?>
+<topology>
+    <gateway>
+      <provider>
+         <role>federation</role>
+         <name>JWTProvider</name>
+         <enabled>true</enabled>
+         <param>
+            <name>knox.token.exp.server-managed</name>
+            <value>true</value>
+         </param>
+      </provider>
+      <provider>
+            <role>identity-assertion</role>
+            <name>Default</name>
+            <enabled>true</enabled>
+      </provider>
+    </gateway>
+
+    <service>
+        <role>KNOXIDF</role>
+        <param>
+           <name>knoxidf.knox.token.ttl</name>
+           <value>86400000</value>
+        </param>
+        <param>
+            <name>knoxidf.knox.token.limit.per.user</name>
+            <value>-1</value>
+        </param>
+    </service>
+    <service>
+        <role>KNOXTOKEN</role>
+        <param>
+            <name>knox.token.ttl</name>
+            <value>60000</value>
+        </param>
+        <param>
+            <name>knox.token.limit.per.user</name>
+            <value>-1</value>
+        </param>
+    </service>
+</topology>

.github/workflows/compose/docker-compose.yml

@@ -8,32 +8,23 @@
 # http://www.apache.org/licenses/LICENSE-2.0
 # <p>
 # Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations under
-# the License.
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 services:
   knox-dev:
     build:
-      context: ../build
-      dockerfile: Dockerfile
-    image: apache/knox-dev:master
-
-  knox-dev-local:
-    build:
-      context: ../build
-      dockerfile: Dockerfile.local
-      args:
-        knoxurl: ${knoxurl:-https://github.com/apache/knox.git}
-        branch: ${branch:-master}
+      context: ../../../
+      dockerfile: .github/workflows/build/Dockerfile
     image: apache/knox-dev:local-${GITHUB_RUN_ID:-local}-${GITHUB_RUN_ID:-local}
 
   ldap:
     image: apache/knox-dev:local-${GITHUB_RUN_ID:-local}-${GITHUB_RUN_ID:-local}
     command: /ldap.sh
     depends_on:
-      - knox-dev-local
+      - knox-dev
 
   knox:
     image: apache/knox-dev:local-${GITHUB_RUN_ID:-local}-${GITHUB_RUN_ID:-local}
@@ -59,5 +50,3 @@ services:
       && pytest --junitxml=test-results.xml"
     depends_on:
       - knox
-
-

.github/workflows/publish-test-results.yml

@@ -46,5 +46,5 @@ jobs:
           commit: ${{ github.event.workflow_run.head_sha }}
           event_file: artifacts/Event File/event.json
           event_name: ${{ github.event.workflow_run.event }}
-          files: "artifacts/**/*.xml"
+          files: "artifacts/test-results/**/*.xml"
 

.github/workflows/tests.yml

@@ -30,10 +30,6 @@ jobs:
       checks: write
       pull-requests: write
 
-    env:
-      KNOX_URL: "https://github.com/apache/knox.git"
-      BRANCH: "${{ github.head_ref }}"  # PR branch being tested
-
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v4
@@ -54,20 +50,11 @@ jobs:
           -Dshellcheck.skip=true -Dxml.skip=true \
           -s .github/workflows/build/settings.xml
 
-      - name: Extract Artifacts
-        run: |
-          mkdir -p .github/workflows/build/knox-temp-artifacts .github/workflows/build/knoxshell-temp-artifacts
-          # Extract artifacts to the build directory where Dockerfile expects them
-          tar -xvzf target/*/knox-*.tar.gz -C .github/workflows/build/knox-temp-artifacts
-          tar -xvzf target/*/knoxshell-*.tar.gz -C .github/workflows/build/knoxshell-temp-artifacts
-
       - name: Set up Docker Compose
         run: docker compose version
 
       - name: Build Docker Images
         run: |
-          export knoxurl=${KNOX_URL}
-          export branch=${BRANCH:-master}
           # Build only knox-dev which is the runtime image using artifacts
           docker compose -f ./.github/workflows/compose/docker-compose.yml build knox-dev
 
@@ -82,13 +69,43 @@ jobs:
           # Run the tests service defined in docker-compose.yml
           docker compose -f ./.github/workflows/compose/docker-compose.yml up --exit-code-from tests tests
 
+      - name: Collect Knox Logs and Conf
+        if: always()
+        run: |
+          mkdir -p .github/workflows/artifacts/knox-logs
+          mkdir -p .github/workflows/artifacts/knox-conf
+          docker compose -f ./.github/workflows/compose/docker-compose.yml cp knox:/knox-runtime/logs .github/workflows/artifacts/knox-logs
+          docker compose -f ./.github/workflows/compose/docker-compose.yml cp knox:/knox-runtime/conf .github/workflows/artifacts/knox-conf
+
       - name: Upload Test Results
         if: (!cancelled())
         uses: actions/upload-artifact@v4
         with:
           name: test-results
           path: .github/workflows/tests/test-results.xml
 
+      - name: Archive Knox Logs
+        if: always()
+        run: tar -cvzf knox-logs.tar.gz -C .github/workflows/artifacts/knox-logs .
+
+      - name: Upload Knox Logs
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: knox-logs
+          path: knox-logs.tar.gz
+
+      - name: Archive Knox Conf
+        if: always()
+        run: tar -cvzf knox-conf.tar.gz -C .github/workflows/artifacts/knox-conf .
+
+      - name: Upload Knox Conf
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: knox-conf
+          path: knox-conf.tar.gz
+
       - name: Upload Event File
         uses: actions/upload-artifact@v4
         with: