Posted to dev@knox.apache.org by "Kevin Minder (JIRA)" <ji...@apache.org> on 2015/07/31 00:18:04 UTC

[jira] [Created] (KNOX-579) Regex based identity assertion provider with static dictionary lookup

Kevin Minder created KNOX-579:
---------------------------------

             Summary: Regex based identity assertion provider with static dictionary lookup
                 Key: KNOX-579
                 URL: https://issues.apache.org/jira/browse/KNOX-579
             Project: Apache Knox
          Issue Type: New Feature
          Components: Server
    Affects Versions: 0.5.0
            Reporter: Kevin Minder
            Assignee: Kevin Minder
             Fix For: 0.7.0


I've been running into situations where customers need to do more complex identity mapping than the current providers can handle.  I have a prototype that can do this sort of thing.

Static
{code}
        <provider>
            <role>federation</role>
            <name>HeaderPreAuth</name>
            <enabled>true</enabled>
        </provider>

        <provider>
            <role>identity-assertion</role>
            <name>Regex</name>
            <enabled>true</enabled>
            <param>
                <name>output</name>
                <value>static-user</value>
            </param>
        </provider>
{code}
This will yield results like this
{code}
curl -k --header "SM_USER: member@us.apache.org" 'https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY'

{"Path":"/user/static-user"}
{code}

Regex
{code}
        <provider>
            <role>federation</role>
            <name>HeaderPreAuth</name>
            <enabled>true</enabled>
        </provider>

        <provider>
            <role>identity-assertion</role>
            <name>Regex</name>
            <enabled>true</enabled>
            <param>
                <name>input</name>
                <value>(.*)@(.*?)\..*</value>
            </param>
            <param>
                <name>output</name>
                <value>{1}_{[2]}</value>
            </param>
            <param>
                <name>lookup</name>
                <value>us=USA;ca=CANADA</value>
            </param>
        </provider>
{code}

This will yield this type of result.
{code}
curl -k --header "SM_USER: member@us.apache.org" 'https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY'

{"Path":"/user/member_USA"}

curl -k --header "SM_USER: member@ca.apache.org" 'https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY'

{"Path":"/user/member_CANADA"}
{code}




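The mapping described in the issue above, modelled in Python as an added example; it is not the Knox provider's Java code or the reporter's prototype. The token semantics are inferred from the results shown in the issue, and the default pattern, whole-string matching and rejection of unmatched or unmapped principals are assumptions of this example, since the issue does not specify them.

```python
import re

# Output-template tokens as used in the issue: {n} and {[n]}.
_TOKEN = re.compile(r"\{(?:\[(\d+)\]|(\d+))\}")


def parse_lookup(spec):
    """Parse the 'lookup' value format shown in the issue: k=v pairs joined by ';'."""
    table = {}
    for pair in filter(None, (p.strip() for p in spec.split(";"))):
        key, sep, value = pair.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed lookup entry: {pair!r}")
        table[key] = value
    return table


def map_principal(principal, output, input_pattern=r"(.*)", lookup=""):
    """Model of the mapping, with semantics inferred from the issue's results:
    {n} is capture group n, {[n]} is group n translated through the lookup.
    Assumptions of this example: the default pattern (the Static config sets
    no 'input'), whole-string matching, and rejecting unmapped input.
    """
    table = parse_lookup(lookup)
    match = re.fullmatch(input_pattern, principal)
    if match is None:
        raise ValueError("principal does not match the input pattern")

    def expand(token):
        index = int(token.group(1) or token.group(2))
        if index > match.re.groups:
            raise ValueError(f"output references missing group {index}")
        value = match.group(index)
        if token.group(1) is None:
            return value  # plain {n}
        if value not in table:
            raise ValueError(f"no lookup entry for {value!r}")  # fail closed
        return table[value]

    return _TOKEN.sub(expand, output)


if __name__ == "__main__":
    # Constructed inputs mirroring the SM_USER values in the issue.
    params = ("{1}_{[2]}", r"(.*)@(.*?)\..*", "us=USA;ca=CANADA")
    for user in ("member@us.apache.org", "member@ca.apache.org"):
        print(user, "->", map_principal(user, *params))
```

Rejecting a principal whose domain key has no dictionary entry keeps an unexpected header value from being mapped to an unintended account name.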