[ https://issues.apache.org/jira/browse/KNOX-3340?focusedWorklogId=1024600&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1024600 ]
ASF GitHub Bot logged work on KNOX-3340:
----------------------------------------
Author: ASF GitHub Bot
Created on: 11/Jun/26 04:57
Start Date: 11/Jun/26 04:57
Worklog Time Spent: 10m
Work Description: handavid opened a new pull request, #1258:
URL: https://github.com/apache/knox/pull/1258
[KNOX-3340](https://issues.apache.org/jira/browse/KNOX-3340) - Add Control to LDAPRolesLookupInterceptor
## What changes were proposed in this pull request?
This commit adds a RolesLookupBypassControl for use with the
LDAPRolesLookupInterceptor. The LDAPRolesLookupInterceptor will skip role
mapping if this control is present and true in the request. This lets the
client decide whether they will receive users' groups or roles.
## How was this patch tested?
Unit tests were added to cover the new code.
Manual testing was performed. The LDAP Proxy was configured with the
RolesLookup interceptor and the following `ldapsearch` commands were run.
```
# add control by OID with value "true"
ldapsearch -v -x -H ldap://localhost:3890 -b 'ou=people,DC=proxy,DC=com' -e \
  "1.3.6.1.4.1.18060.2.1379319520.35362.17433.40846.265936912329953=AQP/" \
  '(uid=sam*)' '*'
# add control by OID with value "false"
ldapsearch -v -x -H ldap://localhost:3890 -b 'ou=people,DC=proxy,DC=com' -e \
  "1.3.6.1.4.1.18060.2.1379319520.35362.17433.40846.265936912329953=AQMA" \
  '(uid=sam*)' '*'
# don't add control
ldapsearch -v -x -H ldap://localhost:3890 -b 'ou=people,DC=proxy,DC=com' \
  '(uid=sam*)' '*'
```
## Integration Tests
no integration tests added
## UI changes
no UI changes
Issue Time Tracking
-------------------
Worklog Id: (was: 1024600)
Remaining Estimate: 0h
Time Spent: 10m
> Enable KnoxLdapService Role Lookup to return either Roles or Groups
> -------------------------------------------------------------------
>
> Key: KNOX-3340
> URL: https://issues.apache.org/jira/browse/KNOX-3340
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Reporter: David Han
> Assignee: David Han
> Priority: Major
> Fix For: 3.0.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> The KnoxLdapService, when configured with role lookup, will replace all groups
> in the resulting entries with roles. This Jira provides a mechanism for
> clients to request the underlying groups instead of the roles. E.g., groups
> would be needed for some service to admin/manage the mapping between groups
> and roles.