[
https://issues.apache.org/jira/browse/KNOX-2401?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Larry McCay resolved KNOX-2401.
-------------------------------
Resolution: Fixed
> Extend ClientCert Authentication Provider for CN as PrimaryPrincipal
> --------------------------------------------------------------------
>
> Key: KNOX-2401
> URL: https://issues.apache.org/jira/browse/KNOX-2401
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Fix For: 1.5.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Currently, the ClientCert authentication provider extracts only the DN from
> the certificate as the user principal resulting from the authentication event.
> This works fine with the added use of the RegEx identity assertion provider
> that can transform that principal into an expected username as long as
> authorization is not required within the gateway at all. Authorization
> requires group lookup in order to scale the management of authorization
> policies in Ranger or ACLs for the AuthzAcl provider in Knox.
> This change will add additional configuration to designate a specific
> attribute to pull from the cert such as CN. This would then allow for the use
> of the HadoopGroupProvider identity assertion provider to look up groups for
> authorization via Knox or Ranger.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
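
The attribute extraction described in the issue, as an added example that is not part of the original message and is not Knox's own code. The class name, the helper principalFrom, the username pattern and the "exactly one value" policy are assumptions made for illustration; the sample DNs are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class DnAttributePrincipal {
    // Assumed policy: principals handed to group lookup must look like plain usernames.
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    /** Returns the single value of attrType (e.g. "CN") in the DN, failing closed otherwise. */
    static String principalFrom(String subjectDn, String attrType) throws NamingException {
        List<String> values = new ArrayList<>();
        // LdapName does RFC 2253 parsing, so escaped commas and multi-valued RDNs
        // are handled; splitting the string on ',' would not be safe.
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            Attribute attr = rdn.toAttributes().get(attrType); // case-insensitive lookup
            if (attr == null) continue;
            for (int i = 0; i < attr.size(); i++) {
                Object v = attr.get(i);
                if (!(v instanceof String)) throw new NamingException("non-string " + attrType);
                values.add((String) v);
            }
        }
        if (values.size() != 1) { // absent or ambiguous attribute: do not guess
            throw new NamingException("expected exactly one " + attrType + ", found " + values.size());
        }
        String principal = values.get(0);
        if (!USERNAME.matcher(principal).matches()) {
            throw new NamingException("value of " + attrType + " is not a valid username");
        }
        return principal;
    }

    public static void main(String[] args) {
        String[] constructedDns = { // constructed sample subjects, not taken from the issue
            "CN=alice,OU=eng,O=Example,C=US",
            "UID=1001+CN=bob,OU=ops,O=Example",
            "CN=dave\\, OU=admins,OU=eng,O=Example",
            "CN=carol,CN=users,O=Example",
            "OU=eng,O=Example",
        };
        for (String dn : constructedDns) {
            try {
                System.out.println(dn + " -> " + principalFrom(dn, "CN"));
            } catch (NamingException e) {
                System.out.println(dn + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The first two subjects yield a principal that a group lookup can consume; the escaped-comma, duplicate-CN and missing-CN subjects are rejected rather than mapped to a guessed username.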