[jira] [Created] (KNOX-3337) Enhance KnoxLdapService with Pluggable Role Lookup Support

Tue, 02 Jun 2026 03:09:07 -0700 

Sandor Molnar created KNOX-3337:
-----------------------------------

             Summary: Enhance KnoxLdapService with Pluggable Role Lookup Support
                 Key: KNOX-3337
                 URL: https://issues.apache.org/jira/browse/KNOX-3337
             Project: Apache Knox
          Issue Type: Improvement
          Components: Server
    Affects Versions: 3.0.0
            Reporter: Sandor Molnar
            Assignee: Sandor Molnar
             Fix For: 3.0.0


Currently, the KnoxLdapService provides user and group information directly 
from its configured LDAP backend. In many deployment scenarios, particularly in 
modern cloud-native environments, there is a requirement to map these 
LDAP-authenticated identities and their group memberships to higher-level 
application roles managed by an external source.

This JIRA introduces a pluggable role lookup mechanism within KnoxLdapService 
that allows Knox to intercept group resolution and instead populate roles from 
either a local configuration file (for testing purposes) or a remote REST API.

{*}Key Features:{*}{*}{*}

   1. *Pluggable Interface:* Introduction of LdapRolesLookup to allow for 
extensible lookup strategies.

   2. *REST Implementation:* A client implementation that POSTs user ID and 
group lists to a configured endpoint to retrieve role mappings, following a 
specific OpenAPI schema.

   3. *File-based Implementation:* A JSON-based lookup strategy for static 
environments, using the same data structure as the REST API.

   4. *Configuration-driven:* New gateway-site.xml properties to toggle lookup 
types and configure endpoints or file paths.

{*}Proposed Configuration:{*}{*}{*}
 * gateway.ldap.roles.lookup.strategy: Enables the lookup (file or rest).
 * gateway.ldap.roles.lookup.rest.api.endpoint: The destination URL for REST 
lookups.
 * gateway.ldap.roles.lookup.file.path: the file path which points to the JSON 
mapping file.

{*}Data Contract:{*}{*}{*}

  The implementation will exchange JSON payloads containing a user_id and an 
array of groups, receiving a response containing a list of RoleAssignment 
objects (consisting of scope and name).

 

This enhancement will allow for more dynamic and flexible authorization 
workflows in Knox-managed environments.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to