[ https://issues.apache.org/jira/browse/SHIRO-631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16208081#comment-16208081 ]
Ruslan Dautkhanov commented on SHIRO-631:
-----------------------------------------
Here's the auth_to_local description from the Kerberos man page:
http://web.mit.edu/tsitkova/www/build/krb_admins/conf_files/krb5_conf.html#realms
{noformat}
auth_to_local
This tag allows you to set a general rule for mapping principal names to local
user names. It will be used if there is not an explicit mapping for the
principal name that is being translated. The possible values are:
RULE:exp
The local name will be formulated from exp.
The format for exp is [n:string](regexp)s/pattern/replacement/g. The integer n
indicates how many components the target principal should have. If this
matches, then a string will be formed from string, substituting the realm of
the principal for $0 and the n‘th component of the principal for $n (e.g. if
the principal was johndoe/admin then [2:$2$1foo] would result in the string
adminjohndoefoo). If this string matches regexp, then the s//[g] substitution
command will be run over the string. The optional g will cause the substitution
to be global over the string, instead of replacing only the first match in the
string.
DEFAULT
The principal name will be used as the local user name. If the principal has
more than one component or is not in the default realm, this rule is not
applicable and the conversion will fail.
For example:
[realms]
ATHENA.MIT.EDU = {
auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
auth_to_local = RULE:[2:$1;$2](^.*;root)s/^.*$/root/
auth_to_local = DEFAULT
}
would result in any principal without root or admin as the second component to
be translated with the default rule. A principal with a second component of
admin will become its first component. root will be used as the local name for
any principal with a second component of root. The exception to these two rules
are any principals johndoe/*, which will always get the local name guest.
{noformat}
We use auth_to_local quite often in Hadoop clusters.
Yep, would be nice to have this in Shiro too.
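A reference evaluator for the rule semantics quoted above, added here as an example (it is not Shiro's, Hadoop's or MIT krb5's own code): it parses RULE:[n:string](regexp)s/pattern/replacement/g, builds the selector string, runs the man page's [realms] example, and adds a constructed multi-domain case of the kind this issue describes. Assumptions: the regexp has to match the whole selector string, and the root rule uses a `$1;$2` selector so that `^.*;root` has a `;root` to match (a `$2`-only selector yields just `root`); the EMEA/CORP realm names are made up.

```python
import re

# Rule grammar from the text above; the (regexp) and s/// parts are optional, escaped '/' unsupported.
RULE_RE = re.compile(r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\](?:\((?P<regexp>.*?)\))?"
                     r"(?:s/(?P<pat>[^/]*)/(?P<rep>[^/]*)/(?P<g>g?))?$")

def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm); realm is None if absent."""
    if "@" not in principal:
        return principal.split("/"), None
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm

def apply_rule(rule, components, realm, default_realm):
    """Return the local name if this rule applies to the principal, otherwise None."""
    if rule == "DEFAULT":  # only single-component principals in the default realm
        return components[0] if len(components) == 1 and realm == default_realm else None
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError("malformed rule: " + rule)
    if len(components) != int(m["n"]):
        return None
    # Selector string: $0 is the realm, $n the n'th component (1-based).
    fields = [realm or ""] + components
    selected = re.sub(r"\$(\d+)", lambda v: fields[int(v.group(1))], m["fmt"])
    # Assumption: the regexp must match the whole selector string (as Hadoop does).
    if m["regexp"] is not None and re.fullmatch(m["regexp"], selected) is None:
        return None
    if m["pat"] is not None:
        selected = re.sub(m["pat"], m["rep"], selected, count=0 if m["g"] else 1)
    return selected

def auth_to_local(principal, rules, default_realm):
    """Evaluate rules in order; the first applicable rule wins. None means no translation."""
    components, realm = parse_principal(principal)
    for rule in rules:
        local = apply_rule(rule, components, realm, default_realm)
        if local is not None:
            return local
    return None

# The [realms] example quoted above; the root rule selects $1;$2 (see lead-in).
ATHENA_RULES = ["RULE:[2:$1](johndoe)s/^.*$/guest/",
                "RULE:[2:$1;$2](^.*;admin$)s/;admin$//",
                "RULE:[2:$1;$2](^.*;root)s/^.*$/root/",
                "DEFAULT"]

# Constructed SHIRO-631-style rules: default-realm users stay bare, EMEA users get a suffix.
FOREST_RULES = ["DEFAULT",
                r"RULE:[1:$1@$0](^.*@EMEA\.EXAMPLE\.COM$)s/@EMEA\.EXAMPLE\.COM$/_emea/"]
```

With ATHENA_RULES, johndoe/admin becomes guest, alice/admin becomes alice, bob/root becomes root, and carol/extra gets no mapping at all; with FOREST_RULES, jsmith@CORP.EXAMPLE.COM stays jsmith while jsmith@EMEA.EXAMPLE.COM becomes jsmith_emea.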
> Principal mapping rules similar to Hadoop's auth_to_local
> ---------------------------------------------------------
>
> Key: SHIRO-631
> URL: https://issues.apache.org/jira/browse/SHIRO-631
> Project: Shiro
> Issue Type: New Feature
> Components: Authentication (log-in), Authorization (access control), Realms
> Environment: HDP 2.6 + Kerberos + AD LDAP multi-domain forest
> Reporter: Hari Sekhon
> Priority: Blocker
>
> Feature Request to add principal mapping rules similar to Hadoop's
> auth_to_local.
> This will allow munging principals and rule based remappings to differentiate
> duplicate users in multi-domain Active Directory forests where the LDAP
> results returned from the global catalog include duplicate usernames which
> need to be translated with a prefix/suffix in order to differentiate between
> domains to prevent users from different domains sharing logins, permissions
> etc.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)