[ https://issues.apache.org/jira/browse/KNOX-2983?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Attila Magyar updated KNOX-2983:
--------------------------------
    Description: 
h2. Motivation

Currently there is no way to add multiple identity assertion providers and 
combine their functionality. For example, one might want to use the Concat 
identity assertion together with the Switch case provider. This is not possible 
due to a limitation of Knox, which only allows one identity assertion 
provider in the topology. Additionally, having a distinct provider for each 
functionality has its own limitations that prevent expressing complex mappings.

h2. Expression-Based principal mapping

The idea behind the Expression-Based principal mapping is that it leverages the 
language that was introduced by https://issues.apache.org/jira/browse/KNOX-2707.

{code}
<param>
  <name>expression.principal.mapping</name>
  <!-- expression that returns the new principal -->
  <value>...</value>
</param>
{code}

The value of *expression.principal.mapping* must be a valid expression that 
evaluates to a string, which will be the new, mapped principal.

For example, with the following configuration all authenticated users will be 
mapped to the principal 'bob'.

{code}
<param>
  <name>expression.principal.mapping</name>
  <value>'bob'</value>
</param>
{code}

By adding a conditional you can selectively apply the mapping to specific users.

{code}
<param>
  <name>expression.principal.mapping</name>
  <!-- Only map sam/tom to bob -->
  <value>
    (if (or (= username 'sam') 
            (= username 'tom')) 
        'bob')
  </value>
</param>
{code}

When the expression returns *null*, the original principal will be unchanged.

h2. Reference


h3. if

*if* is an expression (rather than a statement) that takes 2 or 3 
parameters. When you call it with 2 parameters it behaves like an 
*if-then*; when you call it with 3 parameters it behaves like an 
*if-then-else* expression. 

Returns 1: {code}(if true 1){code} 
Returns null: {code}(if false 1){code} 
Returns 2: {code}(if false 1 2){code} 
Returns 1: {code}(if true 1 2){code} 



> Combine the functionality of different identity assertion providers
> -------------------------------------------------------------------
>
>                 Key: KNOX-2983
>                 URL: https://issues.apache.org/jira/browse/KNOX-2983
>             Project: Apache Knox
>          Issue Type: Improvement
>            Reporter: Attila Magyar
>            Assignee: Attila Magyar
>            Priority: Major
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
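
Added example (not part of the issue and not Knox's implementation): a minimal Python model of the mapping semantics described above, so an expression can be checked against a list of usernames before it goes into a topology. It covers only the forms the description shows (`if`, `or`, `=`, quoted strings, `true`/`false`, integers, the `username` variable); the function names and the evaluator itself are assumptions for illustration.

```python
import re

# Constructed sample: the conditional mapping from the issue description.
MAPPING = "(if (or (= username 'sam') (= username 'tom')) 'bob')"
TOKEN = re.compile(r"\(|\)|'[^']*'|[^\s()']+")

def parse(src):
    """Parse one expression into nested lists (calls) and string atoms."""
    tokens, pos = TOKEN.findall(src) + [None], 0  # None marks end of input
    def read():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok in (")", None):
            raise ValueError("malformed expression")
        if tok != "(":
            return tok
        items = []
        while tokens[pos] != ")":
            items.append(read())
        pos += 1  # consume ")"
        return items
    tree = read()
    if tokens[pos] is not None:
        raise ValueError("trailing tokens after expression")
    return tree

def evaluate(node, env):
    """Evaluate only the forms shown on the page; reject everything else."""
    if isinstance(node, list):
        op, args = node[0], node[1:]
        if op == "if" and len(args) in (2, 3):
            if evaluate(args[0], env):
                return evaluate(args[1], env)
            return evaluate(args[2], env) if len(args) == 3 else None
        if op == "or":
            return any(evaluate(a, env) for a in args)
        if op == "=" and len(args) == 2:
            return evaluate(args[0], env) == evaluate(args[1], env)
        raise ValueError(f"unsupported call: {op}")
    if node.startswith("'"):
        return node[1:-1]
    if node in ("true", "false"):
        return node == "true"
    return int(node) if node.isdigit() else env[node]

def map_principal(expression, username):
    """A null (None) result leaves the original principal unchanged."""
    result = evaluate(parse(expression), {"username": username})
    return username if result is None else result
```

Running `map_principal(MAPPING, u)` over every account that can authenticate through the topology shows which users end up acting as another principal and which pass through unchanged.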
