[ 
https://issues.apache.org/jira/browse/KNOX-2401?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17232423#comment-17232423
 ] 

ASF subversion and git services commented on KNOX-2401:
-------------------------------------------------------

Commit ed77c70a76f351744d7b62b1ef9cacd753ef0ae6 in knox's branch 
refs/heads/master from Larry McCay
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=ed77c70 ]

KNOX-2401 - Extend ClientCert Authentication Provider for CN as 
PrimaryPrincipal (#384)

Change-Id: I416ae92a0f01f032e4d0ac9bb5e6bf03ce35267c

> Extend ClientCert Authentication Provider for CN as PrimaryPrincipal
> --------------------------------------------------------------------
>
>                 Key: KNOX-2401
>                 URL: https://issues.apache.org/jira/browse/KNOX-2401
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>            Priority: Major
>             Fix For: 1.5.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Currently, the ClientCert authentication provider extracts only the DN from 
> the certificate as the user principal resulting from the authentication event.
> This works fine with the added use of the RegEx identity assertion provider 
> that can transform that principal into an expected username as long as 
> authorization is not required within the gateway at all. Authorization 
> requires group lookup in order to scale the management of authorization 
> policies in Ranger or ACLs for the AuthzAcl provider in Knox.
> This change will add additional configuration to designate a specific 
> attribute to pull from the cert such as CN. This would then allow for the use 
> of the HadoopGroupProvider identity assertion provider to look up groups for 
> authorization via Knox or Ranger.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
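
The issue description above proposes pulling a single attribute such as CN out of the certificate DN so it can serve as the username for group lookup. The following is an added example, not code from the Knox commit: it uses the JDK's `LdapName` parser to extract one attribute and rejects DNs where that attribute is missing or ambiguous. The class name, the helper `principalFromDn` and the sample DNs are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class CertPrincipalExample {

    // Hypothetical helper: returns the one value of `attribute` in an RFC 2253 DN string.
    static String principalFromDn(String dn, String attribute) throws NamingException {
        List<String> values = new ArrayList<>();
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            // toAttributes() also exposes every part of a multi-valued RDN (CN=a+OU=b).
            NamingEnumeration<? extends Attribute> attrs = rdn.toAttributes().getAll();
            while (attrs.hasMore()) {
                Attribute attr = attrs.next();
                if (!attr.getID().equalsIgnoreCase(attribute)) continue;
                NamingEnumeration<?> vals = attr.getAll();
                while (vals.hasMore()) values.add(String.valueOf(vals.next()));
            }
        }
        // The extracted value becomes the identity used for authorization,
        // so zero or several candidates must fail rather than pick one.
        if (values.size() != 1) {
            throw new NamingException("expected exactly one " + attribute + ", found " + values.size());
        }
        return values.get(0);
    }

    public static void main(String[] args) {
        // Constructed sample DNs, not taken from the issue.
        String[] dns = {
            "CN=alice,OU=Engineering,O=Example,C=US",
            "CN=Smith\\, Bob,OU=Ops,O=Example,C=US", // escaped comma inside the CN value
            "CN=carol+OU=Finance,O=Example,C=US",     // multi-valued RDN
            "CN=dave,CN=admin,O=Example,C=US",        // ambiguous: two CNs
            "OU=Engineering,O=Example,C=US"           // no CN at all
        };
        for (String dn : dns) {
            try {
                System.out.println(dn + " -> " + principalFromDn(dn, "CN"));
            } catch (NamingException e) {
                System.out.println(dn + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Parsing with `LdapName` instead of splitting the DN string on commas keeps an escaped comma or a `+`-joined RDN from producing a truncated or wrong username.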
