Posted to dev@knox.apache.org by "Larry McCay (Jira)" <ji...@apache.org> on 2020/11/15 16:23:00 UTC

[jira] [Work started] (KNOX-2401) Extend ClientCert Authentication Provider for CN as PrimaryPrincipal

     [ https://issues.apache.org/jira/browse/KNOX-2401?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Work on KNOX-2401 started by Larry McCay.
-----------------------------------------
> Extend ClientCert Authentication Provider for CN as PrimaryPrincipal
> --------------------------------------------------------------------
>
>                 Key: KNOX-2401
>                 URL: https://issues.apache.org/jira/browse/KNOX-2401
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>            Priority: Major
>             Fix For: 1.5.0
>
>
> Currently, the ClientCert authentication provider extracts only the DN from the certificate as the user principal resulting from the authentication event.
> This works fine with the added use of the RegEx identity assertion provider that can transform that principal into an expected username as long as authorization is not required within the gateway at all. Authorization requires group lookup in order to scale the management of authorization policies in Ranger or ACLs for the AuthzAcl provider in Knox.
> This change will add additional configuration to designate a specific attribute to pull from the cert such as CN. This would then allow for the use of the HadoopGroupProvider identity assertion provider to look up groups for authorization via Knox or Ranger.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
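
The issue above proposes using a designated attribute of the certificate subject, such as CN, as the primary principal. The following is an added example, not Knox code and not from the issue: one way to pull a named attribute out of an RFC 2253 subject DN with the JDK's `LdapName` parser instead of string splitting. The class name, the `extract` helper and the fail-closed policy for missing or repeated attributes are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class DnAttributePrincipal {
    // Hypothetical helper (not a Knox API): the single value of `attr` in an RFC 2253 DN,
    // e.g. the string from X509Certificate.getSubjectX500Principal().getName().
    static String extract(String subjectDn, String attr) throws NamingException {
        LdapName dn = new LdapName(subjectDn); // InvalidNameException on malformed input
        List<String> found = new ArrayList<>();
        for (Rdn rdn : dn.getRdns()) {
            // toAttributes() also exposes multi-valued RDNs such as "CN=alice+UID=42"
            NamingEnumeration<? extends Attribute> attrs = rdn.toAttributes().getAll();
            while (attrs.hasMore()) {
                Attribute a = attrs.next();
                if (!a.getID().equalsIgnoreCase(attr)) continue;
                for (int i = 0; i < a.size(); i++) {
                    Object v = a.get(i);
                    if (!(v instanceof String)) throw new InvalidNameException("non-string " + attr);
                    found.add((String) v); // value is already unescaped by the parser
                }
            }
        }
        // Assumed policy: fail closed unless exactly one non-empty value exists.
        if (found.size() != 1 || found.get(0).trim().isEmpty())
            throw new InvalidNameException("expected exactly one " + attr + ", found " + found.size());
        return found.get(0);
    }

    public static void main(String[] args) {
        String[] constructed = { // constructed sample subject DNs
            "CN=alice,OU=eng,O=Example",
            "CN=Smith\\, Alice,OU=eng,O=Example", // escaped comma inside the CN
            "OU=CN\\=admin,CN=bob,O=Example",      // "CN=" text inside another attribute's value
            "CN=carol,CN=Users,DC=example,DC=com", // two CNs: ambiguous
            "OU=eng,O=Example"                     // no CN at all
        };
        for (String dn : constructed) {
            try {
                System.out.println(dn + " -> principal '" + extract(dn, "CN") + "'");
            } catch (NamingException e) {
                System.out.println(dn + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Because the extracted value is what a group lookup would be keyed on, rejecting ambiguous or empty results keeps a malformed subject from mapping to an unintended user name.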