Author: more
Date: Fri Nov 3 15:12:35 2017
New Revision: 1814201
URL: http://svn.apache.org/viewvc?rev=1814201&view=rev
Log:
KNOX-1097 - Document regex based identity assertion provider option
Modified:
knox/site/books/knox-0-14-0/user-guide.html
knox/site/index.html
knox/site/issue-tracking.html
knox/site/license.html
knox/site/mail-lists.html
knox/site/project-info.html
knox/site/team-list.html
knox/trunk/books/0.14.0/config_id_assertion.md
Modified: knox/site/books/knox-0-14-0/user-guide.html
URL:
http://svn.apache.org/viewvc/knox/site/books/knox-0-14-0/user-guide.html?rev=1814201&r1=1814200&r2=1814201&view=diff
==============================================================================
--- knox/site/books/knox-0-14-0/user-guide.html (original)
+++ knox/site/books/knox-0-14-0/user-guide.html Fri Nov 3 15:12:35 2017
@@ -1809,7 +1809,23 @@ session optional pam_keyinit.so f
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
@include password-auth
-</code></pre><h3><a id="Identity+Assertion">Identity Assertion</a> <a
href="#Identity+Assertion"><img
src="markbook-section-link.png"/></a></h3><p>The identity assertion provider
within Knox plays the critical role of communicating the identity principal to
be used within the Hadoop cluster to represent the identity that has been
authenticated at the gateway.</p><p>The general responsibilities of the
identity assertion provider is to interrogate the current Java Subject that has
been established by the authentication or federation provider and:</p>
+</code></pre>
+<!---
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+--><h3><a id="Identity+Assertion">Identity Assertion</a> <a
href="#Identity+Assertion"><img
src="markbook-section-link.png"/></a></h3><p>The identity assertion provider
within Knox plays the critical role of communicating the identity principal to
be used within the Hadoop cluster to represent the identity that has been
authenticated at the gateway.</p><p>The general responsibilities of the
identity assertion provider is to interrogate the current Java Subject that has
been established by the authentication or federation provider and:</p>
<ol>
<li>determine whether it matches any principal mapping rules and apply them
appropriately</li>
<li>determine whether it matches any group principal mapping rules and apply
them</li>
@@ -1922,6 +1938,10 @@ session required pam_env.so user_
<td>lookup</td>
<td>This lookup table provides a simple (albeit limited) way to
translate text in the incoming identities. This configuration takes the form of
“=” separated name values pairs separated by “;”. For
example a lookup setting is “us=USA;ca=CANADA”. The lookup is
invoked in the output setting by surrounding the desired group number in square
brackets (i.e. []). Putting it all together, output setting of
“{1}_[{2}]” combined with input of “(.*)@(.*?)..*” and
lookup of “us=USA;ca=CANADA” will turn “<a
href="mailto:nobody@us.imaginary.tld";>nobody@us.imaginary.tld</a>”
into "<a
href="mailto:nobody@USA"";>nobody@US&#x
41;"</a>.</td>
</tr>
+ <tr>
+ <td>use.original.on.lookup.failure </td>
+ <td>(Optional) Default value is false. If set to true, it will preserve
the original string if there is no match. e.g. In the above lookup case for
email <a
href="mailto:nobody@uk.imaginary.tld";>nobody@uk.imaginary.tld</a>,
it will be transformed to nobody@ , if this property is set to true it will be
transformed to <a
href="mailto:nobody@uk";>nobody@uk</a>.</td>
+ </tr>
</tbody>
</table><p>Within the topology file the provider configuration might look like
this.</p>
<pre><code><provider>
Modified: knox/site/index.html
URL:
http://svn.apache.org/viewvc/knox/site/index.html?rev=1814201&r1=1814200&r2=1814201&view=diff
==============================================================================
--- knox/site/index.html (original)
+++ knox/site/index.html Fri Nov 3 15:12:35 2017
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia at 2017-11-01
+ | Generated by Apache Maven Doxia at 2017-11-03
| Rendered using Apache Maven Fluido Skin 1.3.0
-->
<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20171101" />
+ <meta name="Date-Revision-yyyymmdd" content="20171103" />
<meta http-equiv="Content-Language" content="en" />
<title>Knox Gateway – REST API and Application Gateway for the
Apache Hadoop Ecosystem</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
- <li id="publishDate" class="pull-right">Last Published:
2017-11-01</li>
+ <li id="publishDate" class="pull-right">Last Published:
2017-11-03</li>
</ul>
</div>
Modified: knox/site/issue-tracking.html
URL:
http://svn.apache.org/viewvc/knox/site/issue-tracking.html?rev=1814201&r1=1814200&r2=1814201&view=diff
==============================================================================
--- knox/site/issue-tracking.html (original)
+++ knox/site/issue-tracking.html Fri Nov 3 15:12:35 2017
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia at 2017-11-01
+ | Generated by Apache Maven Doxia at 2017-11-03
| Rendered using Apache Maven Fluido Skin 1.3.0
-->
<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20171101" />
+ <meta name="Date-Revision-yyyymmdd" content="20171103" />
<meta http-equiv="Content-Language" content="en" />
<title>Knox Gateway – Issue Tracking</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
- <li id="publishDate" class="pull-right">Last Published:
2017-11-01</li>
+ <li id="publishDate" class="pull-right">Last Published:
2017-11-03</li>
</ul>
</div>
Modified: knox/site/license.html
URL:
http://svn.apache.org/viewvc/knox/site/license.html?rev=1814201&r1=1814200&r2=1814201&view=diff
==============================================================================
--- knox/site/license.html (original)
+++ knox/site/license.html Fri Nov 3 15:12:35 2017
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia at 2017-11-01
+ | Generated by Apache Maven Doxia at 2017-11-03
| Rendered using Apache Maven Fluido Skin 1.3.0
-->
<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20171101" />
+ <meta name="Date-Revision-yyyymmdd" content="20171103" />
<meta http-equiv="Content-Language" content="en" />
<title>Knox Gateway – Project License</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
- <li id="publishDate" class="pull-right">Last Published:
2017-11-01</li>
+ <li id="publishDate" class="pull-right">Last Published:
2017-11-03</li>
</ul>
</div>
Modified: knox/site/mail-lists.html
URL:
http://svn.apache.org/viewvc/knox/site/mail-lists.html?rev=1814201&r1=1814200&r2=1814201&view=diff
==============================================================================
--- knox/site/mail-lists.html (original)
+++ knox/site/mail-lists.html Fri Nov 3 15:12:35 2017
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia at 2017-11-01
+ | Generated by Apache Maven Doxia at 2017-11-03
| Rendered using Apache Maven Fluido Skin 1.3.0
-->
<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20171101" />
+ <meta name="Date-Revision-yyyymmdd" content="20171103" />
<meta http-equiv="Content-Language" content="en" />
<title>Knox Gateway – Project Mailing Lists</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
- <li id="publishDate" class="pull-right">Last Published:
2017-11-01</li>
+ <li id="publishDate" class="pull-right">Last Published:
2017-11-03</li>
</ul>
</div>
Modified: knox/site/project-info.html
URL:
http://svn.apache.org/viewvc/knox/site/project-info.html?rev=1814201&r1=1814200&r2=1814201&view=diff
==============================================================================
--- knox/site/project-info.html (original)
+++ knox/site/project-info.html Fri Nov 3 15:12:35 2017
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia at 2017-11-01
+ | Generated by Apache Maven Doxia at 2017-11-03
| Rendered using Apache Maven Fluido Skin 1.3.0
-->
<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20171101" />
+ <meta name="Date-Revision-yyyymmdd" content="20171103" />
<meta http-equiv="Content-Language" content="en" />
<title>Knox Gateway – Project Information</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
- <li id="publishDate" class="pull-right">Last Published:
2017-11-01</li>
+ <li id="publishDate" class="pull-right">Last Published:
2017-11-03</li>
</ul>
</div>
Modified: knox/site/team-list.html
URL:
http://svn.apache.org/viewvc/knox/site/team-list.html?rev=1814201&r1=1814200&r2=1814201&view=diff
==============================================================================
--- knox/site/team-list.html (original)
+++ knox/site/team-list.html Fri Nov 3 15:12:35 2017
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia at 2017-11-01
+ | Generated by Apache Maven Doxia at 2017-11-03
| Rendered using Apache Maven Fluido Skin 1.3.0
-->
<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20171101" />
+ <meta name="Date-Revision-yyyymmdd" content="20171103" />
<meta http-equiv="Content-Language" content="en" />
<title>Knox Gateway – Team list</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
- <li id="publishDate" class="pull-right">Last Published:
2017-11-01</li>
+ <li id="publishDate" class="pull-right">Last Published:
2017-11-03</li>
</ul>
</div>
Modified: knox/trunk/books/0.14.0/config_id_assertion.md
URL:
http://svn.apache.org/viewvc/knox/trunk/books/0.14.0/config_id_assertion.md?rev=1814201&r1=1814200&r2=1814201&view=diff
==============================================================================
--- knox/trunk/books/0.14.0/config_id_assertion.md (original)
+++ knox/trunk/books/0.14.0/config_id_assertion.md Fri Nov 3 15:12:35 2017
@@ -13,7 +13,7 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
---->
+-->
### Identity Assertion ###
The identity assertion provider within Knox plays the critical role of
communicating the identity principal to be used within the Hadoop cluster to
represent the identity that has been authenticated at the gateway.
@@ -156,7 +156,8 @@ Param | Description
------|-----------
input | This is a regular expression that will be applied to the incoming
identity. The most critical part of the regular expression is the group
notation within the expression. In regular expressions, groups are expressed
within parenthesis. For example in the regular expression "(.*)@(.*?)\..*"
there are two groups. When this regular expression is applied to
"[email protected]" group 1 matches "nobody" and group 2 matches "us".
output| This is a template that assembles the result identity. The result is
assembled from the static text and the matched groups from the input regular
expression. In addition, the matched group values can be looked up in the
lookup table. An output value of "{1}_{2}" of will result in "nobody_us".
-lookup| This lookup table provides a simple (albeit limited) way to translate
text in the incoming identities. This configuration takes the form of "="
separated name values pairs separated by ";". For example a lookup setting is
"us=USA;ca=CANADA". The lookup is invoked in the output setting by surrounding
the desired group number in square brackets (i.e. []). Putting it all together,
output setting of "{1}_[{2}]" combined with input of "(.*)@(.*?)\..*" and
lookup of "us=USA;ca=CANADA" will turn "[email protected]" into
"nobody@USA".
+lookup| This lookup table provides a simple (albeit limited) way to translate
text in the incoming identities. This configuration takes the form of "="
separated name values pairs separated by ";". For example a lookup setting is
"us=USA;ca=CANADA". The lookup is invoked in the output setting by surrounding
the desired group number in square brackets (i.e. []). Putting it all together,
output setting of "{1}_[{2}]" combined with input of "(.*)@(.*?)\..*" and
lookup of "us=USA;ca=CANADA" will turn "[email protected]" into
"nobody@USA".
+use.original.on.lookup.failure | (Optional) Default value is false. If set to
true, it will preserve the original string if there is no match. e.g. In the
above lookup case for email [email protected], it will be transformed to
nobody@ , if this property is set to true it will be transformed to nobody@uk.
Within the topology file the provider configuration might look like this.
