Security - (Proxy|N-tier|User Impersonation) authentication

About

Proxy authentication is when you are authorized to log in (authenticate) to a piece of software on behalf of another user.

This is known as:

Impersonation is a feature that permits establishing a session on behalf of a user without using that user's credentials (password, …).

Example

HTTP Request

Kubernetes uses the following HTTP request headers to perform an impersonation request:

  • Impersonate-User: The username to act as.
  • Impersonate-Group: A group name to act as. Can be provided multiple times to set multiple groups. Optional. Requires “Impersonate-User”.
  • Impersonate-Extra-( extra name ): A dynamic header used to associate extra fields with the user. Optional. Requires “Impersonate-User”. In order to be preserved consistently, ( extra name ) must be lower-case, and any characters which aren't legal in HTTP header labels MUST be utf8 and percent-encoded.
  • Impersonate-Uid: A unique identifier that represents the user being impersonated. Optional. Requires “Impersonate-User”. Kubernetes does not impose any format requirements on this string.

If the requesting user has the right to impersonate the Impersonate-User or the Impersonate-Group, the request is authenticated as them.

Example: impersonating a user with groups and extra fields

Impersonate-User: [email protected]
Impersonate-Group: developers
Impersonate-Group: admins
Impersonate-Extra-dn: cn=jane,ou=engineers,dc=example,dc=com
Impersonate-Extra-acme.com%2Fproject: some-project
Impersonate-Extra-scopes: view
Impersonate-Extra-scopes: development
Impersonate-Uid: 06f6ce97-e2c5-4ab8-7ba5-7654dd08d52b
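
The header rules listed above, as an added Python example (not code from the original page or from Kubernetes): it builds the header pairs for one request, percent-encodes extra names and refuses input that breaks the "Requires Impersonate-User" and lower-case rules. The function names, the receiver-side helper and the sample user name are assumptions made for illustration.

```python
from urllib.parse import quote, unquote

# Characters legal in an HTTP header name (RFC 7230 "token"), minus "%",
# which is reserved here as the escape character.
SAFE = "!#$&'*+-.^_`|~"

def impersonation_headers(user, groups=(), extra=None, uid=None):
    """Return the (name, value) header pairs for one impersonation request."""
    if not user:
        # Group, Extra and Uid are only valid together with Impersonate-User.
        raise ValueError("Impersonate-User is required")
    pairs = [("Impersonate-User", user)]
    pairs += [("Impersonate-Group", g) for g in groups]  # one header per group
    for name, values in (extra or {}).items():
        if name != name.lower():
            raise ValueError(f"extra name must be lower-case: {name!r}")
        # Anything not legal in a header name becomes UTF-8 percent-escapes.
        header = "Impersonate-Extra-" + quote(name, safe=SAFE)
        pairs += [(header, v) for v in values]  # repeated for multiple values
    if uid is not None:
        pairs.append(("Impersonate-Uid", uid))
    return pairs

def extra_fields(pairs):
    """Illustrative receiver side: recover {extra name: [values]}."""
    out = {}
    for name, value in pairs:
        if name.lower().startswith("impersonate-extra-"):
            key = unquote(name[len("Impersonate-Extra-"):]).lower()
            out.setdefault(key, []).append(value)
    return out

# Constructed sample mirroring the example on this page.
SAMPLE = impersonation_headers(
    "jane.doe@example.com",  # constructed placeholder user name
    groups=["developers", "admins"],
    extra={"dn": ["cn=jane,ou=engineers,dc=example,dc=com"],
           "acme.com/project": ["some-project"],
           "scopes": ["view", "development"]},
    uid="06f6ce97-e2c5-4ab8-7ba5-7654dd08d52b",
)
```

Headers are kept as a list of pairs rather than a dict because Impersonate-Group and Impersonate-Extra-* may legitimately appear more than once.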




