You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@knox.apache.org by "Sandor Molnar (Jira)" <ji...@apache.org> on 2022/06/03 05:25:00 UTC
[jira] [Created] (KNOX-2757) Mutually exclusive filter params in the HadoopGroupProvider identity-assertion provider
Sandor Molnar created KNOX-2757:
-----------------------------------
Summary: Mutually exclusive filter params in the HadoopGroupProvider identity-assertion provider
Key: KNOX-2757
URL: https://issues.apache.org/jira/browse/KNOX-2757
Project: Apache Knox
Issue Type: Bug
Components: Server
Affects Versions: 1.6.0, 1.5.0, 1.4.0, 1.3.0, 1.2.0, 1.1.0, 1.6.1
Reporter: Sandor Molnar
Assignee: Sandor Molnar
Fix For: 2.0.0
*Steps to reproduce:*
1. replace the {{Default}} identity-assertion provider in the {{sandbox}} topology with this:
{noformat}
<provider>
<role>identity-assertion</role>
<name>HadoopGroupProvider</name>
<enabled>true</enabled>
<param>
<name>CENTRAL_GROUP_CONFIG_PREFIX</name>
<value>gateway.group.config.</value>
</param>
<param>
<name>group.mapping.scientist</name>
<value>(!= 0 (size groups))</value>
</param>
</provider> {noformat}
2. wait until Knox redeploys the {{sandbox}} topology and check the generated {{gateway.xml}} in the newly deployed web application
*Actual results:*
The {{group.mapping.scientist}} filter parameter is missing; only the params in {{gateway-site.xml}} with the {{gateway.group.config.}} prefix were added:
{noformat}
<filter>
<role>identity-assertion</role>
<name>HadoopGroupProvider</name>
<class>org.apache.knox.gateway.identityasserter.hadoop.groups.filter.HadoopGroupProviderFilter</class>
<param>
<name>hadoop.security.group.mapping.ldap.search.attr.member</name>
<value>member</value>
</param>
<param>
<name>hadoop.security.group.mapping.ldap.search.filter.user</name>
<value>(&(|(objectclass=person)(objectclass=applicationProcess))(cn={0}))</value>
</param>
<param>
<name>hadoop.security.group.mapping.ldap.search.attr.group.name</name>
<value>cn</value>
</param>
<param>
<name>hadoop.security.group.mapping.ldap.url</name>
<value>ldap://localhost:33389</value>
</param>
<param>
<name>hadoop.security.group.mapping</name>
<value>org.apache.hadoop.security.LdapGroupsMapping</value>
</param>
<param>
<name>hadoop.security.group.mapping.ldap.search.filter.group</name>
<value>(objectclass=groupOfNames)</value>
</param>
<param>
<name>hadoop.security.group.mapping.ldap.bind.user</name>
<value>uid=guest,ou=people,dc=hadoop,dc=apache,dc=org</value>
</param>
<param>
<name>hadoop.security.group.mapping.ldap.bind.password</name>
<value>guest-password</value>
</param>
</filter>
{noformat}
*Expected results:*
Both the pre-configured gateway-site.xml and the {{group.mapping.scientist}} provider parameter should be added to the filter.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)