roryqi commented on code in PR #10503: URL: https://github.com/apache/gravitino/pull/10503#discussion_r2978679038
########## docs/security/how-to-authenticate.md: ########## @@ -117,6 +117,24 @@ GravitinoClient client = GravitinoClient.builder(uri) Gravitino supports principal mapping to transform authenticated principals (from OAuth or Kerberos) into user identities for authorization. By default, Gravitino uses regex-based mapping. +### Group mapping + +Gravitino supports group mapping to transform authenticated groups (from OAuth) into Gravitino groups for authorization. By default, Gravitino uses regex-based mapping. + +#### OAuth group mapping + +For OAuth authentication, groups are extracted from JWT claims (configured via `gravitino.authenticator.oauth.groupsFields`). You can customize how these groups are mapped: + +```text +# Use default regex mapper that extracts everything (passes through unchanged) +gravitino.authenticator.oauth.groupMapper = regex +gravitino.authenticator.oauth.groupMapper.regex.pattern = ^(.*)$ + +# Extract group from a complex string (e.g., /group -> group) +gravitino.authenticator.oauth.groupMapper = regex +gravitino.authenticator.oauth.groupMapper.regex.pattern = ^/(.*) +``` Review Comment: Could you add the documentation on how to add a custom group extractor?
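Review bot: The OAuth group mapping example never says what the mapper does with a group that does not match the configured pattern, and since the mapped groups feed authorization that behaviour needs to be documented. With `gravitino.authenticator.oauth.groupMapper.regex.pattern = ^/(.*)`, a claim value such as `admins` (no leading slash) does not match; please state whether such a group is dropped, passed through unchanged, or causes the request to be rejected, and which capture group becomes the Gravitino group name. The two alternatives also sit in one `text` block with the same two keys set twice, which reads as a single configuration file with duplicate keys; splitting them into two blocks would avoid that. The second pattern also omits the trailing `$` that the first one has, so either anchor both or note whether the mapper requires a full match.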
