You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@knox.apache.org by "Sandor Molnar (Jira)" <ji...@apache.org> on 2022/06/03 05:25:00 UTC

[jira] [Created] (KNOX-2757) Mutually exclusive filter params in the HadoopGroupProvider identity-assertion provider

Sandor Molnar created KNOX-2757:
-----------------------------------

             Summary: Mutually exclusive filter params in the HadoopGroupProvider identity-assertion provider
                 Key: KNOX-2757
                 URL: https://issues.apache.org/jira/browse/KNOX-2757
             Project: Apache Knox
          Issue Type: Bug
          Components: Server
    Affects Versions: 1.6.0, 1.5.0, 1.4.0, 1.3.0, 1.2.0, 1.1.0, 1.6.1
            Reporter: Sandor Molnar
            Assignee: Sandor Molnar
             Fix For: 2.0.0


*Steps to reproduce:*

1. replace the {{Default}} identity-assertion provider in the {{sandbox}} topology with this:
{noformat}
    <provider>
        <role>identity-assertion</role>
        <name>HadoopGroupProvider</name>
        <enabled>true</enabled>
        <param>
            <name>CENTRAL_GROUP_CONFIG_PREFIX</name>
            <value>gateway.group.config.</value>
        </param>
        <param>
            <name>group.mapping.scientist</name>
            <value>(!= 0 (size groups))</value>
        </param>
    </provider> {noformat}
2. wait until Knox redeploys the {{sandbox}} topology and check the generated {{gateway.xml}} in the newly deployed web application

*Actual results:*

The {{group.mapping.scientist}} filter parameter is missing; only the params in {{gateway-site.xml}} with the {{gateway.group.config.}} prefix were added:
{noformat}
        <filter>
            <role>identity-assertion</role>
            <name>HadoopGroupProvider</name>
            <class>org.apache.knox.gateway.identityasserter.hadoop.groups.filter.HadoopGroupProviderFilter</class>
            <param>
                <name>hadoop.security.group.mapping.ldap.search.attr.member</name>
                <value>member</value>
            </param>
            <param>
                <name>hadoop.security.group.mapping.ldap.search.filter.user</name>
                <value>(&amp;(|(objectclass=person)(objectclass=applicationProcess))(cn={0}))</value>
            </param>
            <param>
                <name>hadoop.security.group.mapping.ldap.search.attr.group.name</name>
                <value>cn</value>
            </param>
            <param>
                <name>hadoop.security.group.mapping.ldap.url</name>
                <value>ldap://localhost:33389</value>
            </param>
            <param>
                <name>hadoop.security.group.mapping</name>
                <value>org.apache.hadoop.security.LdapGroupsMapping</value>
            </param>
            <param>
                <name>hadoop.security.group.mapping.ldap.search.filter.group</name>
                <value>(objectclass=groupOfNames)</value>
            </param>
            <param>
                <name>hadoop.security.group.mapping.ldap.bind.user</name>
                <value>uid=guest,ou=people,dc=hadoop,dc=apache,dc=org</value>
            </param>
            <param>
                <name>hadoop.security.group.mapping.ldap.bind.password</name>
                <value>guest-password</value>
            </param>
        </filter>
{noformat}
*Expected results:*

Both the pre-configured gateway-site.xml and the {{group.mapping.scientist}} provider parameter should be added to the filter.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)