Larry McCay created KNOX-2401:
---------------------------------
Summary: Extend ClientCert Authentication Provider for CN as PrimaryPrincipal
Key: KNOX-2401
URL: https://issues.apache.org/jira/browse/KNOX-2401
Project: Apache Knox
Issue Type: Improvement
Components: Server
Reporter: Larry McCay
Assignee: Larry McCay
Fix For: 1.5.0
Currently, the ClientCert authentication provider extracts only the DN from the
certificate as the user principal resulting from the authentication event.
This works fine with the added use of the RegEx identity assertion provider
that can transform that principal into an expected username as long as
authorization is not required within the gateway at all. Authorization requires
group lookup in order to scale the management of authorization policies in
Ranger or ACLs for the AuthzAcl provider in Knox.
This change will add additional configuration to designate a specific attribute
to pull from the cert such as CN. This would then allow for the use of the
HadoopGroupProvider identity assertion provider to look up groups for
authorization via Knox or Ranger.
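The attribute extraction the issue describes, taking the CN from the certificate subject instead of the whole DN, sketched as an added example that is not Knox's own code. The class name, method name and sample subjects are assumptions made for illustration; the Knox configuration parameter is not named in the issue, so it is not shown.

```java
import java.util.Optional;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

// Hypothetical helper, not Knox code: pull one attribute out of a cert subject DN.
public class SubjectAttribute {

    static Optional<String> extract(X500Principal subject, String type)
            throws NamingException {
        // LdapName understands RFC 2253 escaping and multi-valued RDNs,
        // which splitting the DN string on "," does not.
        LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
        // LdapName numbers RDNs right to left, so walk from the highest index
        // to meet the most specific (leftmost) RDN first.
        for (int i = dn.size() - 1; i >= 0; i--) {
            Rdn rdn = dn.getRdn(i);
            Attribute attr = rdn.toAttributes().get(type); // case-insensitive type match
            if (attr != null && attr.get() instanceof String) {
                String value = ((String) attr.get()).trim();
                if (!value.isEmpty()) {
                    return Optional.of(value);
                }
            }
        }
        return Optional.empty(); // no usable attribute: nothing to use as a username
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample subjects, not taken from real certificates.
        String[] subjects = {
            "CN=alice,OU=Engineering,O=Example",
            "CN=Smith\\, Bob,OU=Ops,O=Example",   // escaped comma inside the CN
            "OU=Robots,O=Example"                  // no CN at all
        };
        for (String s : subjects) {
            X500Principal p = new X500Principal(s);
            System.out.println(p.getName() + " -> " + extract(p, "CN"));
        }
    }
}
```

A subject without the requested attribute yields an empty result, so the caller has to decide explicitly what happens to that authentication attempt rather than passing a full DN on to group lookup.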