Posted to dev@shiro.apache.org by "Ruslan Dautkhanov (JIRA)" <ji...@apache.org> on 2017/10/17 18:22:00 UTC

[jira] [Commented] (SHIRO-631) Principal mapping rules similar to Hadoop's auth_to_local

    [ https://issues.apache.org/jira/browse/SHIRO-631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16208081#comment-16208081 ] 

Ruslan Dautkhanov commented on SHIRO-631:
-----------------------------------------

Here's auth_to_local description from Kerberos man page

http://web.mit.edu/tsitkova/www/build/krb_admins/conf_files/krb5_conf.html#realms 

{noformat}
auth_to_local
This tag allows you to set a general rule for mapping principal names to local user names. It will be used if there is not an explicit mapping for the principal name that is being translated. The possible values are:

RULE:exp
The local name will be formulated from exp.

The format for exp is [n:string](regexp)s/pattern/replacement/g. The integer n indicates how many components the target principal should have. If this matches, then a string will be formed from string, substituting the realm of the principal for $0 and the n'th component of the principal for $n (e.g. if the principal was johndoe/admin then [2:$2$1foo] would result in the string adminjohndoefoo). If this string matches regexp, then the s//[g] substitution command will be run over the string. The optional g will cause the substitution to be global over the string, instead of replacing only the first match in the string.

DEFAULT
The principal name will be used as the local user name. If the principal has more than one component or is not in the default realm, this rule is not applicable and the conversion will fail.
For example:
[realms]
    ATHENA.MIT.EDU = {
        auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
        auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
        auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
        auth_to_local = DEFAULT
    }
would result in any principal without root or admin as the second component to be translated with the default rule. A principal with a second component of admin will become its first component. root will be used as the local name for any principal with a second component of root. The exception to these two rules are any principals johndoe/*, which will always get the local name guest.
{noformat}

We use auth_to_local quite often in Hadoop clusters. 
Yep, would be nice to have this in Shiro too.


> Principal mapping rules similar to Hadoop's auth_to_local
> ---------------------------------------------------------
>
>                 Key: SHIRO-631
>                 URL: https://issues.apache.org/jira/browse/SHIRO-631
>             Project: Shiro
>          Issue Type: New Feature
>          Components: Authentication (log-in), Authorization (access control), Realms
>         Environment: HDP 2.6 + Kerberos + AD LDAP multi-domain forest
>            Reporter: Hari Sekhon
>            Priority: Blocker
>
> Feature Request to add principal mapping rules similar to Hadoop's auth_to_local.
> This will allow munging principals and rule based remappings to differentiate duplicate users in multi-domain Active Directory forests where the LDAP results returned from the global catalog include duplicate usernames which need to be translated with a prefix/suffix in order to differentiate between domains to prevent users from different domains sharing logins, permissions etc.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
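The rule syntax quoted from the Kerberos man page above, worked through as an added example (Python; not Shiro's or MIT krb5's own code). It assumes, as Hadoop's implementation does, that the regexp must match the whole formed string, uses ATHENA.MIT.EDU as a constructed default realm, and rewrites the man page's third rule, whose [2:$2] string can never contain the ';' its regexp requires.

```python
import re
# Added example, not Shiro's or MIT krb5's code: evaluates RULE:[n:string]
# (regexp)s/pattern/replacement/g and DEFAULT. Assumes the regexp must match the
# whole formed string (as Hadoop enforces) and that pattern/replacement have no '/'.
_RULE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\](?:\((.*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")
DEFAULT_REALM = "ATHENA.MIT.EDU"  # constructed for the example

def split_principal(principal):
    """'johndoe/admin@ATHENA.MIT.EDU' -> (['johndoe', 'admin'], 'ATHENA.MIT.EDU')."""
    name, _, realm = principal.partition("@")
    return name.split("/"), realm

def apply_rule(rule, principal):
    """Local name produced by one rule, or None when the rule does not apply."""
    components, realm = split_principal(principal)
    if rule == "DEFAULT":  # single component in the default realm maps as-is
        ok = len(components) == 1 and realm == DEFAULT_REALM
        return components[0] if ok else None
    m = _RULE.match(rule)
    if m is None:
        raise ValueError("malformed rule: " + rule)
    n, template, regexp, pattern, replacement, g = m.groups()
    if len(components) != int(n):
        return None
    # Expand $0 to the realm and $i to the i-th component (1-based).
    formed = re.sub(r"\$(\d+)", lambda v: realm if v.group(1) == "0"
                    else components[int(v.group(1)) - 1], template)
    if regexp is not None and re.fullmatch(regexp, formed) is None:
        return None
    if pattern is not None:  # sed-style s///; global only with the g flag
        formed = re.sub(pattern, replacement, formed, count=0 if g else 1)
    return formed

def auth_to_local(rules, principal):
    """Try rules in order; the first applicable one wins. None = mapping failed."""
    for rule in rules:
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None
# The man page's rule set. Its third rule is written here as [2:$1;$2](^.*;root$):
# the original [2:$2](^.*;root) forms a string with no ';' and so can never match.
MAN_PAGE_RULES = [
    r"RULE:[2:$1](johndoe)s/^.*$/guest/",
    r"RULE:[2:$1;$2](^.*;admin$)s/;admin$//",
    r"RULE:[2:$1;$2](^.*;root$)s/^.*$/root/",
    "DEFAULT",
]
```

A realm-suffix rule such as `RULE:[1:$1_$0]s/\..*//` maps carol@ATHENA.MIT.EDU and carol@OTHER.EXAMPLE to carol_ATHENA and carol_OTHER, which is the multi-domain disambiguation the issue asks for.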