KNOX-2983 - Combine the functionality of different identity assertion providers #817
Great work, @zeroflag ! Ship it!
@zeroflag - this looks amazing! I have a couple questions/nits:
- Can we think of a more descriptive prefix than 'advanced'? This is only advanced until your next great innovation. :) Maybe 'expression.principal.mapping'? Something like that?
- One of the most common issues that this addresses is the fact that our HadoopGroupProvider is mutually exclusive with other identity assertion providers. Have you tested explicitly with that provider?
- Management tooling like Cloudera Manager and Ambari will need to be able to support this via safety valves and/or properties syntax within the UIs. Do we know that this will work without having to do some funky encoding, etc?
<provider>
    <role>identity-assertion</role>
    <name>HadoopGroupProvider</name>
    <enabled>true</enabled>
    <param>
        <name>expression.principal.mapping</name>
        <value>(concat username '_SUFFIX')</value>
    </param>
    <param>
        <name>group.mapping.vgrp1</name>
        <value>(starts-with username 'sam')</value>
    </param>
    <param>
        <name>hadoop.security.group.mapping</name>
        <value>org.apache.hadoop.security.LdapGroupsMapping</value>
    </param>
    <param>
        <name>hadoop.security.group.mapping.ldap.url</name>
        <value>ldap://localhost:33389</value>
    </param>
    [....]
</provider>

$ curl -v -k -u sam:sam-password https://localhost:8443/gateway/sandbox/hive

For example: `(> (strlen username) 10)` should be encoded as:
Ship it - I love this!
What changes were proposed in this pull request?
By incorporating the language which was introduced for the virtual group mapping, identity assertion providers now support a flexible way to combine the functionality of different kinds of principal mappings (e.g. RegEx, Concat, Switch Case, ...).
How it works
The `identity-assertion` provider supports an `expression.principal.mapping` config parameter that can contain an arbitrary expression. This expression is expected to return a String. This string will be the new, mapped principal. For example, every user will be mapped to `jozsi`.
Function calls can be used to make transformations on the original principal.
This will convert all users to their uppercase variant.
This will prepend `prefix_` in front of the username. The combination of both:
E.g.: `admin` will become `PREFIX_ADMIN`
The functionality of the Regex identity assertion provider is exposed via a `regex-template` function. E.g.:
This will map `prefix_user-1_suffix` to `user.1`
A few other functions were added, like `index-of`, `strlen`, `substr`, `starts-with`, `ends-with`.
A new special form was also introduced to support `if` and `if else`.
How was this patch tested?
Constant user:
Invalid result:
(strlen username)
This mapping is invalid because it returned an integer, instead of a string.
Concat
(concat 'prefix_' username '_suffix')
Uppercase
(uppercase username)
If
Capitalize first character
Cut first and last characters
Regex Template
This works the same way as the Regex Identity Assertion Provider
Map only one specific user
admin stays the same:
sam is mapped to SAM
Find a substring and remove everything after the substring
`admin` becomes `in`
Hash lookup
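To make the semantics described above and in the review thread concrete, here is a small Python interpreter for an expression language of this shape. It is an added illustration for this page, not Apache Knox's implementation: the function names the description lists (`concat`, `uppercase`, `strlen`, `substr`, `index-of`, `starts-with`, `ends-with`, `regex-template`, the `if` special form) are kept, but their exact arity, the `'...'` string syntax, the `{n}` placeholders in the regex template and what `if` does without an else branch are assumptions made here. It enforces the rule that only a string is a valid mapped principal (so `(strlen username)` is rejected), and it reads the expression out of a constructed `<provider>` block to show the encoding point raised in review: `>` has to be written as `&gt;` inside `<value>`, and the XML parser hands the original expression back.

```python
"""Toy interpreter for a Knox-style principal-mapping expression language.
Added illustration, NOT Apache Knox's code; arities, quoting and the
no-else behaviour of `if` are assumptions made for this example."""
import re
import xml.etree.ElementTree as ET


class Symbol(str):
    """A bare identifier such as username or concat (distinct from a 'string')."""


def tokenize(src):
    toks, i = [], 0
    while i < len(src):
        c = src[i]
        if c.isspace():
            i += 1
        elif c in "()":
            toks.append(c)
            i += 1
        elif c == "'":                        # single-quoted string literal
            j = src.index("'", i + 1)         # ValueError if unterminated
            toks.append(("str", src[i + 1:j]))
            i = j + 1
        else:                                 # symbol or integer
            j = i
            while j < len(src) and not src[j].isspace() and src[j] not in "()'":
                j += 1
            toks.append(("sym", src[i:j]))
            i = j
    return toks


def parse(src):
    """Turn "(concat username 1)" into [Symbol('concat'), Symbol('username'), 1]."""
    toks = tokenize(src)

    def read(pos):
        tok = toks[pos]
        if tok == "(":
            items, pos = [], pos + 1
            while toks[pos] != ")":
                item, pos = read(pos)
                items.append(item)
            return items, pos + 1
        if tok == ")":
            raise SyntaxError("unexpected ')'")
        kind, text = tok
        if kind == "str":
            return text, pos + 1
        if re.fullmatch(r"-?\d+", text):
            return int(text), pos + 1
        return Symbol(text), pos + 1

    tree, end = read(0)
    if end != len(toks):
        raise SyntaxError("trailing tokens after expression")
    return tree


def regex_template(value, pattern, template):
    """Regex-provider style: match `pattern`, fill {1}, {2}, ... in `template`.
    Assumption: a principal that does not match is returned unchanged."""
    m = re.fullmatch(pattern, value)
    if m is None:
        return value
    return re.sub(r"\{(\d+)\}", lambda g: m.group(int(g.group(1))), template)


FUNCTIONS = {
    "concat": lambda *parts: "".join(parts),
    "uppercase": str.upper,
    "strlen": len,
    "substr": lambda s, start, end=None: s[start:end],
    "index-of": lambda s, sub: s.find(sub),
    "starts-with": lambda s, prefix: s.startswith(prefix),
    "ends-with": lambda s, suffix: s.endswith(suffix),
    "regex-template": regex_template,
    "=": lambda a, b: a == b,
    ">": lambda a, b: a > b,
}


def evaluate(node, env):
    if isinstance(node, Symbol):
        return env[node]                      # variable lookup, e.g. username
    if not isinstance(node, list):
        return node                           # string or integer literal
    head, *args = node
    if not isinstance(head, Symbol):
        raise SyntaxError("call head must be a function name")
    if head == "if":                          # special form: only the chosen branch runs
        cond, then, *rest = args
        if evaluate(cond, env):
            return evaluate(then, env)
        return evaluate(rest[0], env) if rest else env["username"]
    return FUNCTIONS[head](*(evaluate(a, env) for a in args))


def map_principal(expression, username):
    """Apply the mapping; anything but a string is an invalid new principal."""
    result = evaluate(parse(expression), {"username": username})
    if not isinstance(result, str):
        raise ValueError(f"mapping must return a string, got {result!r}")
    return result


def mapping_is_valid(expression, username):
    try:
        map_principal(expression, username)
        return True
    except ValueError:
        return False


# Constructed provider config: '>' must be written as '&gt;' inside <value>.
SAMPLE_PROVIDER_XML = """<provider>
  <role>identity-assertion</role>
  <name>Default</name>
  <enabled>true</enabled>
  <param>
    <name>expression.principal.mapping</name>
    <value>(if (&gt; (strlen username) 10) (substr username 0 10) username)</value>
  </param>
</provider>"""


def mapping_from_provider_xml(xml_text):
    """Return the expression.principal.mapping value; ElementTree un-escapes &gt;."""
    root = ET.fromstring(xml_text)
    for param in root.findall("param"):
        if param.findtext("name") == "expression.principal.mapping":
            return param.findtext("value")
    return None


if __name__ == "__main__":
    expr = mapping_from_provider_xml(SAMPLE_PROVIDER_XML)
    for user in ("sam", "averyverylongusername"):
        print(f"{expr}: {user!r} -> {map_principal(expr, user)!r}")
```

The `if` branches are evaluated lazily on purpose: a mapping such as `(if (starts-with username 'sam') (uppercase username) username)` should never run the unused branch, and the string-only check at the end is what turns the `(strlen username)` case from a silent type confusion into a configuration error at mapping time.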