Posted to dev@qpid.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2019/11/18 19:02:00 UTC

[jira] [Commented] (QPID-8374) [Broker-J][ACL] Allow case insensitive mapping of group members to groups in existing GroupProvider

    [ https://issues.apache.org/jira/browse/QPID-8374?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16976795#comment-16976795 ] 

ASF subversion and git services commented on QPID-8374:
-------------------------------------------------------

Commit 29cb3747828abe3baac9477ed367cfcde77abc74 in qpid-broker-j's branch refs/heads/master from Stanislav Khomytskyi
[ https://gitbox.apache.org/repos/asf?p=qpid-broker-j.git;h=29cb374 ]

QPID-8374: Code clean-up

This closes #41

The patch was supplied by Stanislav Khomytskyi <Re...@protonmail.com>


> [Broker-J][ACL] Allow case insensitive mapping of group members to groups in existing GroupProvider
> ---------------------------------------------------------------------------------------------------
>
>                 Key: QPID-8374
>                 URL: https://issues.apache.org/jira/browse/QPID-8374
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Broker-J
>            Reporter: Alex Rudyy
>            Priority: Major
>
> The user groups are currently identified by exact equality of authenticated principal name and group member name. (See {{org.apache.qpid.server.security.group.GroupProviderImpl#getGroupPrincipalsForUser}} and {{org.apache.qpid.server.model.adapter.FileBasedGroupProviderImpl#getGroupPrincipalsForUser}}.) The user groups are used in ACL to define rules applicable to multiple users belonging to the same group. The ACL identities are case insensitive. As a result, any letter case can be used in identities to express the ACL rule. In many cases, when authenticated principals are coming from external systems like LDAP, OAUTH2 based providers, etc., and they are case insensitive, it is desired to have group mapping case insensitive as well, as it is quite easy to make a mistake and specify the group member using upper cased letters rather than lower cased, for example, {{cn=Alex,ou=users,dc=qpid,dc=org}} vs {{cn=alex,ou=users,dc=qpid,dc=org}}.
> The existing GroupProviders can be modified to allow case insensitive mapping of group members to groups. Though, the existing case sensitive group mapping behaviour should be preserved for backward compatibility reasons. It should be enabled by default. A special switch (either attribute or/and context variable) could be provided to make group mapping case insensitive if desired.
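
The behaviour requested in the issue above, as an added Java example that is not taken from the Broker-J commit or code base: a member-to-group lookup that is case sensitive by default and folds case only when a switch is set. The class, field and method names and the `messaging-admins` group are hypothetical and constructed for illustration; only the two distinguished names come from the issue text.

```java
import java.util.*;

// Added illustration; names are hypothetical, not Broker-J's API.
public class GroupLookupExample {
    // member name (possibly case-folded) -> groups containing that member
    private final Map<String, Set<String>> groupsByMember = new HashMap<>();
    private final boolean caseSensitive;

    GroupLookupExample(Map<String, Set<String>> groupToMembers, boolean caseSensitive) {
        this.caseSensitive = caseSensitive;
        groupToMembers.forEach((group, members) -> {
            for (String member : members) {
                groupsByMember.computeIfAbsent(key(member), k -> new TreeSet<>()).add(group);
            }
        });
    }

    // The same normalisation is applied when indexing members and when looking up
    // a principal. Locale.ROOT keeps folding independent of the JVM default locale
    // (for example the Turkish dotless i).
    private String key(String name) {
        return caseSensitive ? name : name.toLowerCase(Locale.ROOT);
    }

    Set<String> groupsFor(String authenticatedPrincipal) {
        return groupsByMember.getOrDefault(key(authenticatedPrincipal), Collections.emptySet());
    }

    public static void main(String[] args) {
        // Constructed sample data: the group member was entered with an upper-case "A".
        Map<String, Set<String>> groups = new HashMap<>();
        groups.put("messaging-admins",
                Collections.singleton("cn=Alex,ou=users,dc=qpid,dc=org"));
        String authenticated = "cn=alex,ou=users,dc=qpid,dc=org";

        // Default (case sensitive): exact equality fails, so group-based ACL rules do not apply.
        System.out.println("case sensitive:   "
                + new GroupLookupExample(groups, true).groupsFor(authenticated));
        // Switch enabled: both names fold to the same key and the group is resolved.
        System.out.println("case insensitive: "
                + new GroupLookupExample(groups, false).groupsFor(authenticated));
    }
}
```

Folding case is only safe when the authentication provider itself treats principal names as case insensitive; if it distinguishes `Alex` from `alex`, enabling the switch gives both principals the same group memberships.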


