[
https://issues.apache.org/jira/browse/KNOX-2983?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17783700#comment-17783700
]
Attila Magyar edited comment on KNOX-2983 at 11/8/23 11:01 AM:
---------------------------------------------------------------
Here we could utilize the language which was introduced in KNOX-2707. The
expressions of the language are already composable and new functions are very
easy to add.
A combination of the concat and switch case provider would look like this:
{code}
<provider>
<role>identity-assertion</role>
<name>Default</name>
<enabled>true</enabled>
<param>
<name>advanced.principal.mapping</name>
<value>(concat (lowercase username) 'suffix')</value>
</param>
</provider>
{code}
The way it works is that whatever the expression in the
"principal.mapping.advanced" returns, will be the new username (principal).
Complex mapping can be expressed easily as shown in the following example:
{code}
(if (= username "BOB")
(concat (lowercase username) "_suffix")
(uppercase username))
{code}
This will transform "BOB" to "bob_suffix", and any other users other than bob
to its uppercase variant.
We can add a function that takes a regexp pattern, a string and the group names
what we're interested in.
{code}
(regex-template username "AD\\(.*)" "{1}")
{code}
This will transform AD\usr1 to usr1.
Simple cases can be solved with string manipulation as well, without using
regexpes:
{code}
(if (starts-with username "AD\\")
(substring username 3)
username)
{code}
Side note:
If we want to build up the regexp from the primitives of the language, it would
look like this:
{code}
(let ((m (matcher "AD(\.*)" username)))
(if (matches m)
(m 1)
username))
{code}
This might be too much, and it is not needed if we add "regex-template"
function.
We already have uppercase/lowercase functions, the only things which are needed
are: concat, regexp-group, substring. And one special form, for the if
expression.
was (Author: amagyar):
Here we could utilize the language which was introduced in KNOX-2707. The
expressions of the language are already composable and new functions are very
easy to add.
A combination of the concat and switch case provider would look like this:
{code}
<provider>
<role>identity-assertion</role>
<name>Default</name>
<enabled>true</enabled>
<param>
<name>principal.mapping.advanced</name>
<value>(concat (lowercase username) 'suffix')</value>
</param>
</provider>
{code}
The way it works is that whatever the expression in the
"principal.mapping.advanced" returns, will be the new username (principal).
Complex mapping can be expressed easily as shown in the following example:
{code}
(if (= username "BOB")
(concat (lowercase username) "_suffix")
(uppercase username))
{code}
This will transform "BOB" to "bob_suffix", and any other users other than bob
to its uppercase variant.
We can add a function that takes a regexp pattern, a string and the group names
what we're interested in.
{code}
(regex-template username "AD\\(.*)" "{1}")
{code}
This will transform AD\usr1 to usr1.
Simple cases can be solved with string manipulation as well, without using
regexpes:
{code}
(if (starts-with username "AD\\")
(substring username 3)
username)
{code}
Side note:
If we want to build up the regexp from the primitives of the language, it would
look like this:
{code}
(let ((m (matcher "AD(\.*)" username)))
(if (matches m)
(m 1)
username))
{code}
This might be too much, and it is not needed if we add "regex-template"
function.
We already have uppercase/lowercase functions, the only things which are needed
are: concat, regexp-group, substring. And one special form, for the if
expression.
> Combine the functionality of different identity assertion providers
> -------------------------------------------------------------------
>
> Key: KNOX-2983
> URL: https://issues.apache.org/jira/browse/KNOX-2983
> Project: Apache Knox
> Issue Type: Improvement
> Reporter: Attila Magyar
> Assignee: Attila Magyar
> Priority: Major
>
> Currently there is no way to add multiple identity assertion provider and
> combine the functionality of them.
> For example one might want to use the Concat identity assertion filter
> together with the Switch case provider.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
