[ 
https://issues.apache.org/jira/browse/KNOX-2401?focusedWorklogId=512005&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-512005
 ]

ASF GitHub Bot logged work on KNOX-2401:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 15/Nov/20 18:30
            Start Date: 15/Nov/20 18:30
    Worklog Time Spent: 10m 
      Work Description: lmccay opened a new pull request #384:
URL: https://github.com/apache/knox/pull/384


   KNOX-2401 - Extend ClientCert Authentication Provider for CN as Pr
   
   Change-Id: I416ae92a0f01f032e4d0ac9bb5e6bf03ce35267c
   
   (It is very **important** that you created an Apache Knox JIRA for this 
change and that the PR title/commit message includes the Apache Knox JIRA ID!)
   
   ## What changes were proposed in this pull request?
   
   Add the ability to configure the attribute of the principal to be used from 
within the X509Certificate.
   
   ## How was this patch tested?
   Manual testing
   
   Please review [Knox Contributing 
Process](https://cwiki.apache.org/confluence/display/KNOX/Contribution+Process#ContributionProcess-GithubWorkflow)
 before opening a pull request.
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]


Issue Time Tracking
-------------------

            Worklog Id:     (was: 512005)
    Remaining Estimate: 0h
            Time Spent: 10m

> Extend ClientCert Authentication Provider for CN as PrimaryPrincipal
> --------------------------------------------------------------------
>
>                 Key: KNOX-2401
>                 URL: https://issues.apache.org/jira/browse/KNOX-2401
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>            Priority: Major
>             Fix For: 1.5.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Currently, the ClientCert authentication provider extracts only the DN from 
> the certificate as the user principal resulting from the authentication event.
> This works fine with the added use of the RegEx identity assertion provider 
> that can transform that principal into an expected username as long as 
> authorization is not required within the gateway at all. Authorization 
> requires group lookup in order to scale the management of authorization 
> policies in Ranger or ACLs for the AuthzAcl provider in Knox.
> This change will add additional configuration to designate a specific 
> attribute to pull from the cert such as CN. This would then allow for the use 
> of the HadoopGroupProvider identity assertion provider to look up groups for 
> authorization via Knox or Ranger.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
