Posted to dev@knox.apache.org by "Larry McCay (JIRA)" <ji...@apache.org> on 2015/03/22 16:09:11 UTC

[jira] [Commented] (KNOX-521) Enhance Principal Mapping to Handle Dynamic Mappings

    [ https://issues.apache.org/jira/browse/KNOX-521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14374994#comment-14374994 ] 

Larry McCay commented on KNOX-521:
----------------------------------

Instead of adding this new syntax to the existing identity assertion, we will add a new identity asserter that can be used.
This identity assertion provider will concatenate an optional prefix (concat.prefix) to the authenticated user principal and subsequently to an optional suffix (concat.suffix).

In order to better allow for the addition of new assertion providers, the existing gateway-provider-identity-assertion-pseudo needs to be refactored to pull those common pieces out into a new gateway-provider-identity-assertion-common module. All other assertion providers will then depend directly on the common module. This will greatly simplify the code needed per provider.

In the end, we will have three assertion provider modules and an enhanced ability to extend them or add new ones:

# gateway-provider-identity-assertion-common
# gateway-provider-identity-assertion-pseudo (default)
# gateway-provider-identity-assertion-concat

The new concat provider will need to be documented in the users guide and the ability to extend and add new ones using common will need to be documented in the dev guide.

> Enhance Principal Mapping to Handle Dynamic Mappings
> ----------------------------------------------------
>
>                 Key: KNOX-521
>                 URL: https://issues.apache.org/jira/browse/KNOX-521
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>            Reporter: Larry McCay
>             Fix For: 0.6.0
>
>
> We will add the ability to use provider parameters in order to dynamically create a disambiguated username for use in the Hadoop cluster.
> This will require unix accounts for the disambiguated name inside the cluster.
> The mapping syntax will be something like the following to dynamically append a domain/tenant id to the username:
> {code}
> <provider>
>     <role>identity-assertion</role>
>     <name>Default</name>
>     <enabled>true</enabled>
>     <param>
>         <name>tenant.id</name>
>         <value>_domain1</value>
>     </param>
>     <param>
>         <name>principal.mapping</name>
>         <value>*=_PRINCIPAL+$tenant.id</value>
>     </param>
> </provider>
> {code}
> The above demonstrates using a dynamic method of adding a tenant.id as a suffix for disambiguating users for this topology from users of another. Reversing the order of that idea would provide a prefix. This generic parameter name approach is very flexible.
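The two mapping ideas in this thread, the `principal.mapping` expression syntax from the issue description and the simpler `concat.prefix`/`concat.suffix` asserter proposed in the comment, worked through as an added Python illustration. This is not Knox code; the rule grammar (`;`-separated `pattern=expression` rules, `+`-joined tokens, `_PRINCIPAL` for the authenticated user, `$name` for a provider parameter) and the `MappingError`, `map_principal` and `concat_assert` names are assumptions made here for the example. It fails closed on an undefined `$parameter` rather than silently expanding it to an empty string, and checks that the disambiguated result is a plausible unix account name, since the ticket notes that such an account must exist in the cluster.

```python
"""Illustration of the KNOX-521 mapping ideas (example code, not Knox's own).

Assumed syntax: principal.mapping is a ';'-separated list of
"pattern=expression" rules.  The pattern is a literal principal or '*'.
The expression is '+'-joined tokens: '_PRINCIPAL' is the authenticated user,
'$name' is a provider parameter, anything else is a literal.
The concat asserter just wraps the principal in concat.prefix / concat.suffix.
"""
import re

PRINCIPAL_TOKEN = "_PRINCIPAL"

# Conservative POSIX-style account name (assumed policy for this example):
# every disambiguated name needs a unix account in the cluster, so reject
# anything that would not be a sane login name.
UNIX_NAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


class MappingError(ValueError):
    """A rule is malformed, references an unknown parameter, or yields an unusable name."""


def _validate(name):
    if not UNIX_NAME.match(name):
        raise MappingError(f"mapped principal {name!r} is not a valid unix account name")
    return name


def concat_assert(principal, params):
    """The concat identity asserter from the comment: prefix + principal + suffix."""
    prefix = params.get("concat.prefix", "")
    suffix = params.get("concat.suffix", "")
    return _validate(prefix + principal + suffix)


def _expand(expression, principal, params):
    """Resolve one rule's right-hand side into a username."""
    parts = []
    for token in (t.strip() for t in expression.split("+")):
        if token == PRINCIPAL_TOKEN:
            parts.append(principal)
        elif token.startswith("$"):
            key = token[1:]
            if key not in params:
                # Fail closed: silently dropping a missing tenant id would
                # collapse users of different tenants onto the same account.
                raise MappingError(f"mapping references undefined parameter {key!r}")
            parts.append(params[key])
        else:
            parts.append(token)
    return "".join(parts)


def map_principal(rules, principal, params):
    """Apply the first matching rule of the assumed principal.mapping syntax.

    rules: e.g. "guest=anon;*=_PRINCIPAL+$tenant.id"
    The principal is returned (validated) unchanged when no rule matches.
    """
    for rule in filter(None, (r.strip() for r in rules.split(";"))):
        pattern, sep, expression = rule.partition("=")
        if not sep:
            raise MappingError(f"malformed rule {rule!r}")
        if pattern.strip() in ("*", principal):
            return _validate(_expand(expression, principal, params))
    return _validate(principal)


if __name__ == "__main__":
    # Constructed provider parameters mirroring the <param> block in the issue.
    params = {"tenant.id": "_domain1", "concat.suffix": "_domain1"}
    print(map_principal("*=_PRINCIPAL+$tenant.id", "alice", params))  # alice_domain1
    print(concat_assert("alice", params))                              # alice_domain1
```

Both paths produce the same `alice_domain1` for the sample topology; the expression form additionally lets a topology pin specific users (`guest=anon`) ahead of the wildcard rule, which is the flexibility the description is pointing at.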



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)