bharos commented on issue #9767:
URL: https://github.com/apache/gravitino/issues/9767#issuecomment-3780358289
To address the need for a common user mapping abstraction (for OAuth/JWT,
Kerberos, and potentially other authentication methods), we could use the
following design:
1. UserMapping Interface
```
/**
* Interface for mapping principals to usernames.
* Different authentication providers can use different mapping strategies.
*/
public interface UserMapping {
/**
* Maps a principal to a username.
* @param principal the principal to map
* @return the mapped username, or the original principal if no mapping
applies
*/
String map(String principal);
}
```
. Implementations
RegexUserMapping - Flexible pattern-based mapping (works for OAuth,
Kerberos, email, etc.):
```
public class RegexUserMapping implements UserMapping {
private final Pattern pattern;
public RegexUserMapping(String patternStr) {
this.pattern = Pattern.compile(patternStr);
}
@Override
public String map(String principal) {
if (principal == null) return null;
Matcher matcher = pattern.matcher(principal);
if (matcher.find() && matcher.groupCount() >= 1) {
String extracted = matcher.group(1);
return (extracted != null && !extracted.isEmpty()) ? extracted :
principal;
}
return principal;
}
}
```
KerberosUserMapping - Dedicated parser for Kerberos principals:
```
public class KerberosUserMapping implements UserMapping {
@Override
public String map(String principal) {
if (principal == null) return null;
// Kerberos principal format: user[/instance][@REALM]
// Extract user before '/' or '@'
int slash = principal.indexOf('/');
int at = principal.indexOf('@');
int end = (slash >= 0) ? slash : (at >= 0 ? at : principal.length());
return principal.substring(0, end);
}
}
```
Config will then look like
```
For regex-based mapping (default, works for most cases)
gravitino.authenticator.oauth.user-mapping.type=regex
gravitino.authenticator.oauth.user-mapping.pattern=([^/@]+).*
# For Kerberos-specific mapping (if desired)
gravitino.authenticator.kerberos.user-mapping.type=kerberos
```
Questions:
- Is this abstraction preferred, or is it over-engineering for our current
needs?
- I feel regex mapping is usually sufficient for Kerberos, do we really need
a dedicated parser? (Regex like ([^/@]+).* works for most Kerberos cases)
Wondering if we should keep it simple with just regex for now, or implement
the interface-based approach for future extensibility?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
