[ 
https://issues.apache.org/jira/browse/KNOX-2983?focusedWorklogId=890966&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-890966
 ]

ASF GitHub Bot logged work on KNOX-2983:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 16/Nov/23 15:05
            Start Date: 16/Nov/23 15:05
    Worklog Time Spent: 10m 
      Work Description: zeroflag commented on PR #817:
URL: https://github.com/apache/knox/pull/817#issuecomment-1814635567

   @lmccay 
   
   1. Thanks, I renamed it to `expression.principal.mapping`.
   
   2. The `HadoopGroupProvider` extends from `CommonIdentityProvider`, so it inherits all this functionality. I verified it with this config:
   
   
   ```xml
          <provider>
               <role>identity-assertion</role>
               <name>HadoopGroupProvider</name>
               <enabled>true</enabled>
   
               <param>
                   <name>expression.principal.mapping</name>
                   <value>(concat username '_SUFFIX')</value>
               </param>
               <param>
                   <name>group.mapping.vgrp1</name>
                   <value>(starts-with username 'sam')</value>
               </param>
   
               <param>
                   <name>hadoop.security.group.mapping</name>
                   <value>org.apache.hadoop.security.LdapGroupsMapping</value>
               </param>
               <param>
                   <name>hadoop.security.group.mapping.ldap.url</name>
                   <value>ldap://localhost:33389</value>
               </param>
               [....]
          </provider>
   ```
   
   ```bash
   $ curl -v -k -u sam:sam-password https://localhost:8443/gateway/sandbox/hive
   ```
    
   ```
   23/11/16 16:02:14 ||4887dab7-ffa5-4d94-9343-9eedc140fd73|audit|[0:0:0:0:0:0:0:1]|HIVE|sam|sam_SUFFIX||identity-mapping|principal|sam_SUFFIX|success|Groups: [vgrp1]
   ```
   
   
   3. The parentheses won't cause any encoding problem. The only thing I can think of as a problem is the greater than / less than signs. But those are rarely used and they can be encoded.
   
   For example:
   
   ```lisp
   (> (strlen username) 10)
   ```
   
   Should be encoded as:
   
   ```
   (&gt; (strlen username) 10)
   ```
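
The encoding point in item 3, as an added example that is not part of the original comment or of the Knox code base: a Python sketch that writes provider params through an XML serializer so comparison operators are escaped automatically, reads them back, and checks that a hand-typed raw `<` is rejected as malformed. The param names `group.mapping.long` and `group.mapping.short` and the `<` expression are constructed by analogy with the values in the comment.

```python
import xml.etree.ElementTree as ET

# Constructed sample params; the last two names are hypothetical.
PARAMS = {
    "expression.principal.mapping": "(concat username '_SUFFIX')",
    "group.mapping.long": "(> (strlen username) 10)",
    "group.mapping.short": "(< (strlen username) 10)",
}

# Constructed fragment typed by hand with an unescaped less-than sign.
HAND_WRITTEN_RAW = (
    "<param><name>group.mapping.short</name>"
    "<value>(< (strlen username) 10)</value></param>"
)


def build_provider(params):
    """Build an identity-assertion <provider> element from name/value pairs."""
    provider = ET.Element("provider")
    ET.SubElement(provider, "role").text = "identity-assertion"
    ET.SubElement(provider, "name").text = "HadoopGroupProvider"
    ET.SubElement(provider, "enabled").text = "true"
    for name, value in params.items():
        param = ET.SubElement(provider, "param")
        ET.SubElement(param, "name").text = name
        ET.SubElement(param, "value").text = value
    return provider


def serialize(params):
    """Serialize the provider; ElementTree escapes &, < and > in text nodes."""
    return ET.tostring(build_provider(params), encoding="unicode")


def read_params(xml_text):
    """Parse a provider fragment and return its params with entities decoded."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name"): p.findtext("value") for p in root.iter("param")}


def is_well_formed(xml_text):
    """Return True if the fragment parses as XML, False otherwise."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False
```

Generating the topology fragment with a serializer, rather than pasting expressions into the file by hand, keeps the expression the parser reads identical to the one that was intended.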




Issue Time Tracking
-------------------

    Worklog Id:     (was: 890966)
    Time Spent: 20m  (was: 10m)

> Combine the functionality of different identity assertion providers
> -------------------------------------------------------------------
>
>                 Key: KNOX-2983
>                 URL: https://issues.apache.org/jira/browse/KNOX-2983
>             Project: Apache Knox
>          Issue Type: Improvement
>            Reporter: Attila Magyar
>            Assignee: Attila Magyar
>            Priority: Major
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Currently there is no way to add multiple identity assertion providers and 
> combine the functionality of them.
> For example, one might want to use the Concat identity assertion filter 
> together with the Switch case provider.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
