[ 
https://issues.apache.org/jira/browse/KNOX-521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14374994#comment-14374994
 ] 

Larry McCay edited comment on KNOX-521 at 3/22/15 3:12 PM:
-----------------------------------------------------------

Instead of adding this new syntax to the existing identity assertion, we will 
add a new identity asserter that can be used.
This identity assertion provider will concatenate an optional prefix 
(concat.prefix) to the authenticated user principal and subsequently to an 
optional suffix (concat.suffix).

{code}
<provider>
    <role>identity-assertion</role>
    <name>Concat</name>
    <enabled>true</enabled>
    <param>
        <name>tenant.id</name>
        <value>_domain1</value>
    </param>
    <param>
        <name>concat.prefix</name>
        <value>sir-</value>
    </param>
    <param>
        <name>concat.suffix</name>
        <value>-tenant-1</value>
    </param>
</provider>
{code}

In order to better allow for the addition of new assertion providers, the 
existing gateway-provider-identity-assertion-pseudo needs to be refactored to 
pull those common pieces out into a new 
gateway-provider-identity-assertion-common module. All other assertion 
providers will then depend directly on the common module. This will greatly 
simplify the code needed per provider.

In the end, we will have three assertion provider modules and an enhanced 
ability to extend them or add new ones:

# gateway-provider-identity-assertion-common
# gateway-provider-identity-assertion-pseudo (default)
# gateway-provider-identity-assertion-concat

The new concat provider will need to be documented in the user's guide and the 
ability to extend and add new ones using common will need to be documented in 
the dev guide.


was (Author: lmccay):
Instead of adding this new syntax to the existing identity assertion, we will 
add a new identity asserter that can be used.
This identity assertion provider will concatenate an optional prefix 
(concat.prefix) to the authenticated user principal and subsequently to an 
optional suffix (concat.suffix).

In order to better allow for the addition of new assertion providers, the 
existing gateway-provider-identity-assertion-pseudo needs to be refactored to 
pull those common pieces out into a new 
gateway-provider-identity-assertion-common module. All other assertion 
providers will then depend directly on the common module. This will greatly 
simplify the code needed per provider.

In the end, we will have three assertion provider modules and an enhanced 
ability to extend them or add new ones:

# gateway-provider-identity-assertion-common
# gateway-provider-identity-assertion-pseudo (default)
# gateway-provider-identity-assertion-concat

The new concat provider will need to be documented in the user's guide and the 
ability to extend and add new ones using common will need to be documented in 
the dev guide.

> Enhance Principal Mapping to Handle Dynamic Mappings
> ----------------------------------------------------
>
>                 Key: KNOX-521
>                 URL: https://issues.apache.org/jira/browse/KNOX-521
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>            Reporter: Larry McCay
>             Fix For: 0.6.0
>
>
> We will add the ability to use provider parameters in order to dynamically 
> create a disambiguated username for use in the Hadoop cluster.
> This will require Unix accounts for the disambiguated name inside the cluster.
> The mapping syntax will be something like the following to dynamically append 
> a domain/tenant id to the username:
> {code}
> <provider>
>     <role>identity-assertion</role>
>     <name>Default</name>
>     <enabled>true</enabled>
>     <param>
>         <name>tenant.id</name>
>         <value>_domain1</value>
>     </param>
>     <param>
>         <name>principal.mapping</name>
>         <value>*=_PRINCIPAL+$tenant.id</value>
>     </param>
> </provider>
> {code}
> The above demonstrates using a dynamic method of adding a tenant.id as a 
> suffix for disambiguating users for this topology from users of another. 
> Reversing the order of that idea would provide a prefix. This generic 
> parameter name approach is very flexible.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
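The two mapping approaches discussed in this thread, the Concat identity asserter from the comment and the `principal.mapping` syntax proposed in the issue description, are demonstrated below as an added example; this is not Knox's own code. The XML snippets are the ones quoted above, embedded as constructed sample input. The Concat behaviour (prefix + principal + suffix) follows the comment; the interpretation of `*=_PRINCIPAL+$tenant.id` (a `;`-separated list of `user=expr` rules where `*` matches any user, `_PRINCIPAL` is the authenticated principal and `$key` reads another provider param) is an assumption, since the issue only calls it "something like the following". Function names such as `parse_provider`, `concat_assert`, `dynamic_assert` and `assert_identity` are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Concat provider definition quoted in the comment.
CONCAT_PROVIDER_XML = """
<provider>
    <role>identity-assertion</role>
    <name>Concat</name>
    <enabled>true</enabled>
    <param><name>tenant.id</name><value>_domain1</value></param>
    <param><name>concat.prefix</name><value>sir-</value></param>
    <param><name>concat.suffix</name><value>-tenant-1</value></param>
</provider>
"""

# Constructed sample: the dynamic mapping syntax proposed in the issue body.
DYNAMIC_PROVIDER_XML = """
<provider>
    <role>identity-assertion</role>
    <name>Default</name>
    <enabled>true</enabled>
    <param><name>tenant.id</name><value>_domain1</value></param>
    <param><name>principal.mapping</name><value>*=_PRINCIPAL+$tenant.id</value></param>
</provider>
"""


def parse_provider(xml_text):
    """Return (role, name, enabled, params) from a topology <provider> element."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "provider":
        raise ValueError("expected a <provider> element, got <%s>" % root.tag)
    role = root.findtext("role", default="").strip()
    name = root.findtext("name", default="").strip()
    enabled = root.findtext("enabled", default="false").strip().lower() == "true"
    params = {}
    for p in root.findall("param"):
        key = p.findtext("name", default="").strip()
        if not key:
            raise ValueError("<param> without a <name>")
        params[key] = p.findtext("value", default="")
    return role, name, enabled, params


def concat_assert(principal, params):
    """Concat provider semantics from the comment: optional prefix, then the
    authenticated principal, then optional suffix."""
    return params.get("concat.prefix", "") + principal + params.get("concat.suffix", "")


def dynamic_assert(principal, params):
    """Hypothetical interpretation of the issue's proposed principal.mapping
    syntax. A rule is 'user=expr'; '*' matches any user; expr joins '+'
    separated tokens where '_PRINCIPAL' is the authenticated user, '$key'
    is another provider param and anything else is a literal. A reference
    to an undefined param fails closed rather than mapping to an empty string."""
    mapping = params.get("principal.mapping")
    if mapping is None:
        return principal
    for rule in filter(None, (r.strip() for r in mapping.split(";"))):
        users, sep, expr = rule.partition("=")
        if not sep or not expr:
            raise ValueError("malformed principal.mapping rule: %r" % rule)
        matched = [u.strip() for u in users.split(",")]
        if "*" not in matched and principal not in matched:
            continue
        parts = []
        for token in expr.split("+"):
            if token == "_PRINCIPAL":
                parts.append(principal)
            elif token.startswith("$"):
                key = token[1:]
                if key not in params:
                    raise KeyError("principal.mapping references undefined param %r" % key)
                parts.append(params[key])
            else:
                parts.append(token)
        return "".join(parts)
    return principal  # no rule matched: principal passes through unchanged


def assert_identity(xml_text, principal):
    """Pick the asserter by provider name and return the effective principal
    that would be handed to the cluster."""
    role, name, enabled, params = parse_provider(xml_text)
    if role != "identity-assertion":
        raise ValueError("provider role is %r, not identity-assertion" % role)
    if not enabled:
        return principal  # disabled provider: raw principal goes through
    if name == "Concat":
        return concat_assert(principal, params)
    return dynamic_assert(principal, params)


if __name__ == "__main__":
    print(assert_identity(CONCAT_PROVIDER_XML, "guest"))   # sir-guest-tenant-1
    print(assert_identity(DYNAMIC_PROVIDER_XML, "guest"))  # guest_domain1
```

Note the `enabled` check: a disabled identity-assertion provider asserts the raw principal, so two topologies that rely on a prefix or suffix to keep tenants apart collapse onto the same cluster accounts if one of them is misconfigured. Whatever the cluster-side authorization uses must be the returned, disambiguated name, not the pre-mapping principal.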
