[ 
https://issues.apache.org/jira/browse/KNOX-1119?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1119:
------------------------------
    Description: 
Currently, the Pac4JIdentityAdapter blindly accepts the subject of the returned 
UserProfile which isn't directly usable in the Hadoop operating environment. We 
need to be able to resolve it to an actual username.

It seems that we could take two different approaches for this. 

1. Add a param to the pac4j provider to indicate the UserProfile attribute to 
use as the PrimaryPrincipal
2. Add a new identity assertion provider that can decrypt the pac4jUserProfile 
cookie and extract the configured attribute.

I lean towards #1 above so that identity assertion providers could be used to 
munge the extracted attribute in interesting ways.

There was some discussion of this [1] back in 0.8.0 and we never really circled 
back to it. 
[~jleleu] - Am I missing anything that is already in place for this?

1. http://mail-archives.apache.org/mod_mbox/knox-dev/201601.mbox/%3CCACRbFyitvZ72-oqu2triGmn%3DKhB8JE0pFONyFim63RKS4gZp0A%40mail.gmail.com%3E


  was:
Currently, the Pac4JIdentityAdapter blindly accepts the subject of the returned 
UserProfile which isn't directly usable in the Hadoop operating environment. We 
need to be able to resolve it to an actual username.

It seems that we could take two different approaches for this. 

1. Add a param to the pac4j provider to indicate the UserProfile attribute to 
use as the PrimaryPrincipal
2. Add a new identity assertion provider that can decrypt the pac4jUserProfile 
cookie and extract the configured attribute.

I lean towards #1 above so that identity assertion providers could be used to 
munge the extracted attribute in interesting ways.

[~jleleu] - Am I missing anything that is already in place for this?


> Pac4J OAuth/OpenID Principal Needs to be Configurable
> -----------------------------------------------------
>
>                 Key: KNOX-1119
>                 URL: https://issues.apache.org/jira/browse/KNOX-1119
>             Project: Apache Knox
>          Issue Type: Bug
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>             Fix For: 0.14.0
>
>
> Currently, the Pac4JIdentityAdapter blindly accepts the subject of the 
> returned UserProfile which isn't directly usable in the Hadoop operating 
> environment. We need to be able to resolve it to an actual username.
> It seems that we could take two different approaches for this. 
> 1. Add a param to the pac4j provider to indicate the UserProfile attribute to 
> use as the PrimaryPrincipal
> 2. Add a new identity assertion provider that can decrypt the 
> pac4jUserProfile cookie and extract the configured attribute.
> I lean towards #1 above so that identity assertion providers could be used to 
> munge the extracted attribute in interesting ways.
> There was some discussion of this [1] back in 0.8.0 and we never really 
> circled back to it. 
> [~jleleu] - Am I missing anything that is already in place for this?
> 1. http://mail-archives.apache.org/mod_mbox/knox-dev/201601.mbox/%3CCACRbFyitvZ72-oqu2triGmn%3DKhB8JE0pFONyFim63RKS4gZp0A%40mail.gmail.com%3E



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
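
Approach 1 from the description above, as an added example that is not part of the original message and is not Knox or pac4j code. The `principalAttribute` param name, the `PrincipalResolver` class and the sample profile values are hypothetical, and the profile is modelled as a plain id plus attribute map so the block runs without pac4j on the classpath.

```java
import java.util.Collection;
import java.util.Map;

public class PrincipalResolver {

    /**
     * Returns the name to assert as the primary principal.
     * profileId: the subject/id of the authenticated profile.
     * attributes: the profile attributes returned by the identity provider.
     * principalAttribute: hypothetical provider param; null keeps the profile id.
     */
    static String resolve(String profileId, Map<String, Object> attributes,
                          String principalAttribute) {
        if (principalAttribute == null || principalAttribute.isEmpty()) {
            return profileId; // nothing configured: the subject is used as-is
        }
        Object value = attributes.get(principalAttribute);
        // Treat a one-element collection as a single value (assumption about
        // how a provider might deliver a single-valued attribute).
        if (value instanceof Collection && ((Collection<?>) value).size() == 1) {
            value = ((Collection<?>) value).iterator().next();
        }
        if (!(value instanceof String) || ((String) value).trim().isEmpty()) {
            // Fail closed: never fall back silently to the opaque subject when
            // the configured attribute is absent, multi-valued or empty.
            throw new IllegalStateException(
                "Profile has no usable '" + principalAttribute + "' attribute");
        }
        return ((String) value).trim();
    }

    public static void main(String[] args) {
        // Constructed sample profile, not real data.
        String subject = "108234567890123456789";
        Map<String, Object> attrs = Map.of(
            "preferred_username", "jdoe",
            "email", "jdoe@example.test");

        System.out.println(resolve(subject, attrs, null));
        System.out.println(resolve(subject, attrs, "preferred_username"));
        try {
            resolve(subject, attrs, "uid"); // attribute not in the profile
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the resolved value still passes through any configured identity assertion provider, further mapping of the attribute can stay there rather than in the resolver.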
