Posted to commits@knox.apache.org by mo...@apache.org on 2017/11/03 15:12:36 UTC

svn commit: r1814201 - in /knox: site/books/knox-0-14-0/user-guide.html site/index.html site/issue-tracking.html site/license.html site/mail-lists.html site/project-info.html site/team-list.html trunk/books/0.14.0/config_id_assertion.md

Author: more
Date: Fri Nov  3 15:12:35 2017
New Revision: 1814201

URL: http://svn.apache.org/viewvc?rev=1814201&view=rev
Log:
KNOX-1097 - Document regex based identity assertion provider option

Modified:
    knox/site/books/knox-0-14-0/user-guide.html
    knox/site/index.html
    knox/site/issue-tracking.html
    knox/site/license.html
    knox/site/mail-lists.html
    knox/site/project-info.html
    knox/site/team-list.html
    knox/trunk/books/0.14.0/config_id_assertion.md

Modified: knox/site/books/knox-0-14-0/user-guide.html
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-14-0/user-guide.html?rev=1814201&r1=1814200&r2=1814201&view=diff
==============================================================================
--- knox/site/books/knox-0-14-0/user-guide.html (original)
+++ knox/site/books/knox-0-14-0/user-guide.html Fri Nov  3 15:12:35 2017
@@ -1809,7 +1809,23 @@ session    optional     pam_keyinit.so f
 
 session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
 @include password-auth
-</code></pre><h3><a id="Identity+Assertion">Identity Assertion</a> <a href="#Identity+Assertion"><img src="markbook-section-link.png"/></a></h3><p>The identity assertion provider within Knox plays the critical role of communicating the identity principal to be used within the Hadoop cluster to represent the identity that has been authenticated at the gateway.</p><p>The general responsibilities of the identity assertion provider is to interrogate the current Java Subject that has been established by the authentication or federation provider and:</p>
+</code></pre>
+<!---
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+--><h3><a id="Identity+Assertion">Identity Assertion</a> <a href="#Identity+Assertion"><img src="markbook-section-link.png"/></a></h3><p>The identity assertion provider within Knox plays the critical role of communicating the identity principal to be used within the Hadoop cluster to represent the identity that has been authenticated at the gateway.</p><p>The general responsibilities of the identity assertion provider is to interrogate the current Java Subject that has been established by the authentication or federation provider and:</p>
 <ol>
   <li>determine whether it matches any principal mapping rules and apply them appropriately</li>
   <li>determine whether it matches any group principal mapping rules and apply them</li>
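Review bot: the ASF license comment added between "</code></pre>" and the Identity Assertion "<h3>" is a source-file header landing in the middle of the generated user guide. It does not render, but it ships with the page, and it opens with "<!---" (three dashes) while closing with "-->". If the book build can strip source headers from included sections, the generated HTML stays clean and this block does not need to be carried in the site diff.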
@@ -1922,6 +1938,10 @@ session    required     pam_env.so user_
       <td>lookup</td>
       <td>This lookup table provides a simple (albeit limited) way to translate text in the incoming identities. This configuration takes the form of &ldquo;=&rdquo; separated name values pairs separated by &ldquo;;&rdquo;. For example a lookup setting is &ldquo;us=USA;ca=CANADA&rdquo;. The lookup is invoked in the output setting by surrounding the desired group number in square brackets (i.e. []). Putting it all together, output setting of &ldquo;{1}_[{2}]&rdquo; combined with input of &ldquo;(.*)@(.*?)..*&rdquo; and lookup of &ldquo;us=USA;ca=CANADA&rdquo; will turn &ldquo;<a href="mailto:&#x6e;&#111;&#98;&#111;&#x64;&#121;&#64;&#x75;&#115;&#x2e;&#x69;&#x6d;&#x61;&#103;&#x69;&#110;&#97;r&#121;&#x2e;&#x74;l&#x64;">&#x6e;&#111;&#98;&#111;&#x64;&#121;&#64;&#x75;&#115;&#x2e;&#x69;&#x6d;&#x61;&#103;&#x69;&#110;&#97;r&#121;&#x2e;&#x74;l&#x64;</a>&rdquo; into &quot;<a href="mailto:&#110;&#111;&#98;&#x6f;&#100;y&#x40;&#85;&#83;&#x41;&#34;">&#110;&#111;&#98;&#x6f;&#100;y&#x40;&#85;&#83;&#x
 41;&#34;</a>.</td>
     </tr>
+    <tr>
+      <td>use.original.on.lookup.failure </td>
+      <td>(Optional) Default value is false. If set to true, it will preserve the original string if there is no match. e.g. In the above lookup case for email <a href="mailto:&#x6e;&#111;&#98;&#111;&#x64;&#x79;&#x40;&#117;&#107;&#46;&#x69;&#x6d;&#97;&#103;i&#x6e;a&#114;&#121;.&#x74;&#x6c;&#x64;">&#x6e;&#111;&#98;&#111;&#x64;&#x79;&#x40;&#117;&#107;&#46;&#x69;&#x6d;&#97;&#103;i&#x6e;a&#114;&#121;.&#x74;&#x6c;&#x64;</a>, it will be transformed to nobody@ , if this property is set to true it will be transformed to <a href="mailto:&#110;&#111;b&#111;&#100;&#x79;@&#117;&#107;">&#110;&#111;b&#111;&#100;&#x79;@&#117;&#107;</a>.</td>
+    </tr>
   </tbody>
 </table><p>Within the topology file the provider configuration might look like this.</p>
 <pre><code>&lt;provider&gt;
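Review bot: in the added "use.original.on.lookup.failure" row the example identities come out as entity-obfuscated mailto links, including the result value nobody@uk, and the context row above renders the input pattern as "(.*)@(.*?)..*" with the backslash before the dot gone, which is not the regex given in config_id_assertion.md. Marking these literals as code in the markdown source would avoid both the auto-linking and the lost escape, so that readers copy the pattern that is actually intended. The stray space before "</td>" after the parameter name can go as well.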

Modified: knox/site/index.html
URL: http://svn.apache.org/viewvc/knox/site/index.html?rev=1814201&r1=1814200&r2=1814201&view=diff
==============================================================================
--- knox/site/index.html (original)
+++ knox/site/index.html Fri Nov  3 15:12:35 2017
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2017-11-01
+ | Generated by Apache Maven Doxia at 2017-11-03
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20171101" />
+    <meta name="Date-Revision-yyyymmdd" content="20171103" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; REST API and Application Gateway for the Apache Hadoop Ecosystem</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2017-11-01</li> 
+                  <li id="publishDate" class="pull-right">Last Published: 2017-11-03</li> 
             
                             </ul>
       </div>
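Review bot: date-stamp churn unrelated to KNOX-1097. The "Generated by Apache Maven Doxia", "Date-Revision-yyyymmdd" and "Last Published" lines move from 2017-11-01 to 2017-11-03 here, and the same stamp-only edits repeat in issue-tracking.html, license.html, mail-lists.html, project-info.html and team-list.html below. Committing only the regenerated user-guide.html, or doing the site refresh as a separate commit, would keep the documentation change easy to review.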

Modified: knox/site/issue-tracking.html
URL: http://svn.apache.org/viewvc/knox/site/issue-tracking.html?rev=1814201&r1=1814200&r2=1814201&view=diff
==============================================================================
--- knox/site/issue-tracking.html (original)
+++ knox/site/issue-tracking.html Fri Nov  3 15:12:35 2017
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2017-11-01
+ | Generated by Apache Maven Doxia at 2017-11-03
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20171101" />
+    <meta name="Date-Revision-yyyymmdd" content="20171103" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Issue Tracking</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2017-11-01</li> 
+                  <li id="publishDate" class="pull-right">Last Published: 2017-11-03</li> 
             
                             </ul>
       </div>

Modified: knox/site/license.html
URL: http://svn.apache.org/viewvc/knox/site/license.html?rev=1814201&r1=1814200&r2=1814201&view=diff
==============================================================================
--- knox/site/license.html (original)
+++ knox/site/license.html Fri Nov  3 15:12:35 2017
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2017-11-01
+ | Generated by Apache Maven Doxia at 2017-11-03
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20171101" />
+    <meta name="Date-Revision-yyyymmdd" content="20171103" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Project License</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2017-11-01</li> 
+                  <li id="publishDate" class="pull-right">Last Published: 2017-11-03</li> 
             
                             </ul>
       </div>

Modified: knox/site/mail-lists.html
URL: http://svn.apache.org/viewvc/knox/site/mail-lists.html?rev=1814201&r1=1814200&r2=1814201&view=diff
==============================================================================
--- knox/site/mail-lists.html (original)
+++ knox/site/mail-lists.html Fri Nov  3 15:12:35 2017
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2017-11-01
+ | Generated by Apache Maven Doxia at 2017-11-03
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20171101" />
+    <meta name="Date-Revision-yyyymmdd" content="20171103" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Project Mailing Lists</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2017-11-01</li> 
+                  <li id="publishDate" class="pull-right">Last Published: 2017-11-03</li> 
             
                             </ul>
       </div>

Modified: knox/site/project-info.html
URL: http://svn.apache.org/viewvc/knox/site/project-info.html?rev=1814201&r1=1814200&r2=1814201&view=diff
==============================================================================
--- knox/site/project-info.html (original)
+++ knox/site/project-info.html Fri Nov  3 15:12:35 2017
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2017-11-01
+ | Generated by Apache Maven Doxia at 2017-11-03
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20171101" />
+    <meta name="Date-Revision-yyyymmdd" content="20171103" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Project Information</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2017-11-01</li> 
+                  <li id="publishDate" class="pull-right">Last Published: 2017-11-03</li> 
             
                             </ul>
       </div>

Modified: knox/site/team-list.html
URL: http://svn.apache.org/viewvc/knox/site/team-list.html?rev=1814201&r1=1814200&r2=1814201&view=diff
==============================================================================
--- knox/site/team-list.html (original)
+++ knox/site/team-list.html Fri Nov  3 15:12:35 2017
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2017-11-01
+ | Generated by Apache Maven Doxia at 2017-11-03
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20171101" />
+    <meta name="Date-Revision-yyyymmdd" content="20171103" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Team list</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2017-11-01</li> 
+                  <li id="publishDate" class="pull-right">Last Published: 2017-11-03</li> 
             
                             </ul>
       </div>

Modified: knox/trunk/books/0.14.0/config_id_assertion.md
URL: http://svn.apache.org/viewvc/knox/trunk/books/0.14.0/config_id_assertion.md?rev=1814201&r1=1814200&r2=1814201&view=diff
==============================================================================
--- knox/trunk/books/0.14.0/config_id_assertion.md (original)
+++ knox/trunk/books/0.14.0/config_id_assertion.md Fri Nov  3 15:12:35 2017
@@ -13,7 +13,7 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
---->
+-->
 
 ### Identity Assertion ###
 The identity assertion provider within Knox plays the critical role of communicating the identity principal to be used within the Hadoop cluster to represent the identity that has been authenticated at the gateway.
@@ -156,7 +156,8 @@ Param | Description
 ------|-----------
 input | This is a regular expression that will be applied to the incoming identity. The most critical part of the regular expression is the group notation within the expression. In regular expressions, groups are expressed within parenthesis. For example in the regular expression "(.*)@(.*?)\..*" there are two groups. When this regular expression is applied to "nobody@us.imaginary.tld" group 1 matches "nobody" and group 2 matches "us". 
 output| This is a template that assembles the result identity. The result is assembled from the static text and the matched groups from the input regular expression. In addition, the matched group values can be looked up in the lookup table. An output value of "{1}_{2}" of will result in "nobody_us".                 
-lookup| This lookup table provides a simple (albeit limited) way to translate text in the incoming identities. This configuration takes the form of "=" separated name values pairs separated by ";". For example a lookup setting is "us=USA;ca=CANADA". The lookup is invoked in the output setting by surrounding the desired group number in square brackets (i.e. []). Putting it all together, output setting of "{1}_[{2}]" combined with input of "(.*)@(.*?)\..*" and lookup of "us=USA;ca=CANADA" will turn "nobody@us.imaginary.tld" into "nobody@USA".      
+lookup| This lookup table provides a simple (albeit limited) way to translate text in the incoming identities. This configuration takes the form of "=" separated name values pairs separated by ";". For example a lookup setting is "us=USA;ca=CANADA". The lookup is invoked in the output setting by surrounding the desired group number in square brackets (i.e. []). Putting it all together, output setting of "{1}_[{2}]" combined with input of "(.*)@(.*?)\..*" and lookup of "us=USA;ca=CANADA" will turn "nobody@us.imaginary.tld" into "nobody@USA".
+use.original.on.lookup.failure | (Optional) Default value is false. If set to true, it will preserve the original string if there is no match. e.g. In the above lookup case for email nobody@uk.imaginary.tld, it will be transformed to nobody@ , if this property is set to true it will be transformed to  nobody@uk.  
 
 Within the topology file the provider configuration might look like this.
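Review bot: the new "use.original.on.lookup.failure" row should spell out what the default means for identity mapping. With the default of false, the example shows nobody@uk.imaginary.tld becoming "nobody@", so every unmapped value for a given user part yields the same asserted name and distinct incoming identities can collapse into one principal; with true, the raw unmapped group is passed through to the cluster instead. A sentence on when each setting is appropriate would help operators choose. The results are also written with "@" ("nobody@", "nobody@uk") while the output template in the row above is "{1}_[{2}]", so the template and the results should be made to agree. Minor: "e.g. In", the space before the comma in "nobody@ ," and the double space in "to  nobody@uk" need tidying.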