[
https://issues.apache.org/jira/browse/KNOX-2707?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Attila Magyar updated KNOX-2707:
--------------------------------
Description:
h2. Usage
This adds a more flexible way to map principals to groups than the existing
_group.principal.mapping_ in _CommonIdentityAssertionFilter_.
See the motivations behind this at
https://cwiki.apache.org/confluence/display/KNOX/KIP-16+-+Virtual+Groups+in+Apache+Knox
Example:
{code}
<provider>
<role>identity-assertion</role>
<name>Default</name>
<enabled>true</enabled>
<param>
<name>virtual.group.mapping.vgroup1</name>
<value>(or (username 'tom') (member 'analyst'))</value>
</param>
</provider>
{code}
General usage:
{code}
<name>virtual.group.mapping.VIRTUAL-GROUP-NAME</name>
<value>PREDICATE</value>
{code}
If the PREDICATE evaluates to true the user is added to VIRTUAL-GROUP-NAME.
There can be any number of virtual group mappings within the provider.
h2. Language Syntax
The predicate uses a parenthesized prefix notation language, similar to Lisp.
* Everything in the language is either an atom or a list
* A list is written with its elements separated by whitespace, and surrounded
by parentheses, like (or true false false)
* Lists can be nested to an arbitrary level, like (or true (and false true))
* An atom is either a boolean (true/false), a string or a number.
* Strings are single-quoted, which makes it easier to embed the language into XML
or JSON.
* There is a one-to-one mapping between the textual syntax and the parser-generated
AST. You can always infer the exact AST just by looking at the code.
From this code the parser generates the following AST:
{code}
(or true (and false true))
{code}
{code}
[or, true, [and, false, true]]
{code}
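The syntax rules above can be exercised with a small stand-alone parser that produces the same bracketed AST and rejects malformed predicates instead of guessing at them. This is an added example, not Knox's own parser. The names Symbol, tokenize, atom, parse and render, and the number format it accepts, are assumptions made for illustration.

```python
import re

TOKEN = re.compile(r"\s*(\(|\)|'[^']*'|[^\s()']+)")   # paren, 'string', or bare word
NUMBER = re.compile(r"-?\d+(\.\d+)?")                 # assumed number syntax

class Symbol(str): pass   # bare word (or, username), kept distinct from quoted strings

def tokenize(text):
    text, pos, tokens = text.strip(), 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if m is None:                       # e.g. an unterminated 'string
            raise SyntaxError(f"bad input at offset {pos}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def atom(tok):
    if tok in ("true", "false"):
        return tok == "true"
    if tok.startswith("'"):
        return tok[1:-1]                    # string atom, quotes stripped
    if NUMBER.fullmatch(tok):
        return float(tok) if "." in tok else int(tok)
    return Symbol(tok)

def parse(text):
    stack = [[]]                            # explicit stack: no recursion limit on nesting
    for tok in tokenize(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise SyntaxError("unexpected ')'")
            closed = stack.pop()
            stack[-1].append(closed)
        else:
            stack[-1].append(atom(tok))
    if len(stack) != 1 or len(stack[0]) != 1:
        raise SyntaxError("missing ')' or not exactly one expression")
    return stack[0][0]

def render(node):
    # Bracket notation as used in the description: [or, true, [and, false, true]]
    if isinstance(node, list):
        return "[" + ", ".join(render(n) for n in node) + "]"
    if isinstance(node, bool):
        return "true" if node else "false"
    return f"'{node}'" if type(node) is str else str(node)
```

A predicate that fails to parse is better treated as a configuration error than as false, so that a typo in a mapping is noticed rather than silently changing group membership.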
h2. Evaluation rules
> Virtual Group Mapping Provider
> ------------------------------
>
> Key: KNOX-2707
> URL: https://issues.apache.org/jira/browse/KNOX-2707
> Project: Apache Knox
> Issue Type: New Feature
> Reporter: Attila Magyar
> Assignee: Attila Magyar
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>