Alex Rudyy created QPID-8374:
--------------------------------

             Summary: [Broker-J][ACL] Allow case insensitive mapping of group 
members to groups in existing GroupProvider
                 Key: QPID-8374
                 URL: https://issues.apache.org/jira/browse/QPID-8374
             Project: Qpid
          Issue Type: Improvement
          Components: Broker-J
            Reporter: Alex Rudyy


The user groups are currently identified by exact equality of the authenticated 
principal name and the group member name. (See 
{{org.apache.qpid.server.security.group.GroupProviderImpl#getGroupPrincipalsForUser}}
 and 
{{org.apache.qpid.server.model.adapter.FileBasedGroupProviderImpl#getGroupPrincipalsForUser}}.)
 The user groups are used in ACLs to define rules applicable to multiple 
users belonging to the same group. The ACL identities are case insensitive. As 
a result, any letter case can be used in identities to express the ACL rule. In 
many cases, when authenticated principals come from external systems like 
LDAP, OAuth2-based providers, etc., and they are case insensitive, it is desired 
to have group mapping case insensitive as well, as it is quite easy to make a 
mistake and specify the group member using upper-case letters rather than 
lower-case ones, for example, {{cn=Alex,ou=users,dc=qpid,dc=org}} vs 
{{cn=alex,ou=users,dc=qpid,dc=org}}.

The existing GroupProviders can be modified to allow case insensitive mapping 
of group members to groups. However, the existing case sensitive group mapping 
behaviour should be preserved for backward compatibility reasons. It should be 
enabled by default. A special switch (an attribute and/or a context variable) 
could be provided to make group mapping case insensitive if desired.
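
The mismatch and the proposed switch, sketched as an added example that is not part of the original issue and is not Broker-J code. The class, its `caseSensitive` flag, its method names and the group name `operators` are hypothetical; only the two DNs come from the issue text.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

// Hypothetical stand-in for a group provider; not the Broker-J implementation.
public class GroupMappingExample {
    // Hypothetical switch: true keeps the existing exact-match behaviour (the default).
    private final boolean caseSensitive;
    private final Map<String, Set<String>> groupsByMember = new HashMap<>();

    GroupMappingExample(boolean caseSensitive) {
        this.caseSensitive = caseSensitive;
    }

    // Normalise with Locale.ROOT so the key does not depend on the JVM default
    // locale (a Turkish locale, for instance, lower-cases "I" differently).
    private String key(String name) {
        return caseSensitive ? name : name.toLowerCase(Locale.ROOT);
    }

    void addMember(String group, String member) {
        groupsByMember.computeIfAbsent(key(member), k -> new TreeSet<>()).add(group);
    }

    Set<String> groupsForUser(String principalName) {
        return groupsByMember.getOrDefault(key(principalName), Collections.emptySet());
    }

    public static void main(String[] args) {
        // Constructed sample: the member was configured with an upper-case "A",
        // while the external provider reports the principal in lower case.
        String configured = "cn=Alex,ou=users,dc=qpid,dc=org";
        String authenticated = "cn=alex,ou=users,dc=qpid,dc=org";

        GroupMappingExample exact = new GroupMappingExample(true);
        exact.addMember("operators", configured);
        System.out.println("case sensitive:   " + exact.groupsForUser(authenticated));

        GroupMappingExample relaxed = new GroupMappingExample(false);
        relaxed.addMember("operators", configured);
        System.out.println("case insensitive: " + relaxed.groupsForUser(authenticated));
    }
}
```

With the flag off, principals that differ only in letter case map to the same group member, so the relaxed mode fits only authentication providers that themselves treat names as case insensitive.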



