Posted to dev@knox.apache.org by "zeroflag (via GitHub)" <gi...@apache.org> on 2023/11/08 17:00:51 UTC

[PR] KNOX-2983 - Combine the functionality of different identity assertion providers [knox]

zeroflag opened a new pull request, #817:
URL: https://github.com/apache/knox/pull/817

   ## What changes were proposed in this pull request?
   
   draft
   
   ## How was this patch tested?
   
   draft
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@knox.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


Re: [PR] KNOX-2983 - Combine the functionality of different identity assertion providers [knox]

Posted by "zeroflag (via GitHub)" <gi...@apache.org>.
zeroflag commented on PR #817:
URL: https://github.com/apache/knox/pull/817#issuecomment-1814635567

   @lmccay 
   
   1. Thanks, I renamed it to `expression.principal.mapping`.
   
   2. The `HadoopGroupProvider` extends from CommonIdentityProvider, so it inherits all this functionality. I verified it with this config:
   
   
   ```xml
          <provider>
               <role>identity-assertion</role>
               <name>HadoopGroupProvider</name>
               <enabled>true</enabled>
   
               <param>
                   <name>expression.principal.mapping</name>
                   <value>(concat username '_SUFFIX')</value>
               </param>
               <param>
                   <name>group.mapping.vgrp1</name>
                   <value>(starts-with username 'sam')</value>
               </param>
   
               <param>
                   <name>hadoop.security.group.mapping</name>
                   <value>org.apache.hadoop.security.LdapGroupsMapping</value>
               </param>
               <param>
                   <name>hadoop.security.group.mapping.ldap.url</name>
                   <value>ldap://localhost:33389</value>
               </param>
               [....]
          </provider>
   ```
   
   ```bash
   $ curl -v -k -u sam:sam-password https://localhost:8443/gateway/sandbox/hive
   ```
    
   ```
   23/11/16 16:02:14 ||4887dab7-ffa5-4d94-9343-9eedc140fd73|audit|[0:0:0:0:0:0:0:1]|HIVE|sam|sam_SUFFIX||identity-mapping|principal|sam_SUFFIX|success|Groups: [vgrp1]
   ```
   
   
   3. The parentheses won't cause any encoding problem. The only thing I can think of as a problem is the greater than / less than signs. But those are rarely used and they can be encoded.
   
   For example:
   
   ```lisp
   (> (strlen username) 10)
   ```
   
   Should be encoded as:
   
   ```
   (&gt; (strlen username) 10)
   ```
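
Point 3 of the comment above, as an added example that is not part of the original comment or of Knox's own code: writing the `<param>` entries through an XML serializer escapes `<`, `>` and `&` automatically, and parsing the result gives back the original expression. The `group.mapping.longname` parameter name and the `<` expression are constructed for illustration; the other names and values are the ones quoted in the comment.

```python
import xml.etree.ElementTree as ET

# Mappings to emit. The first two come from the config quoted in the comment;
# "group.mapping.longname" is a constructed name for the (> ...) expression.
MAPPINGS = {
    "expression.principal.mapping": "(concat username '_SUFFIX')",
    "group.mapping.vgrp1": "(starts-with username 'sam')",
    "group.mapping.longname": "(> (strlen username) 10)",
}


def build_provider(mappings):
    """Serialize an identity-assertion provider; the serializer escapes values."""
    provider = ET.Element("provider")
    ET.SubElement(provider, "role").text = "identity-assertion"
    ET.SubElement(provider, "name").text = "HadoopGroupProvider"
    ET.SubElement(provider, "enabled").text = "true"
    for name, expression in mappings.items():
        param = ET.SubElement(provider, "param")
        ET.SubElement(param, "name").text = name
        ET.SubElement(param, "value").text = expression
    return ET.tostring(provider, encoding="unicode")


def read_params(xml_text):
    """Parse the provider back and return {param name: decoded expression}."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name"): p.findtext("value") for p in root.iter("param")}


def is_well_formed(xml_text):
    """True if the fragment parses; hand-written values with a raw '<' do not."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    xml_text = build_provider(MAPPINGS)
    print(xml_text)
    print(read_params(xml_text) == MAPPINGS)
    # Constructed hand-written fragments: raw '<' versus the escaped form.
    print(is_well_formed("<value>(< (strlen username) 5)</value>"))
    print(is_well_formed("<value>(&lt; (strlen username) 5)</value>"))
```
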




Re: [PR] KNOX-2983 - Combine the functionality of different identity assertion providers [knox]

Posted by "zeroflag (via GitHub)" <gi...@apache.org>.
zeroflag merged PR #817:
URL: https://github.com/apache/knox/pull/817

