[ https://issues.apache.org/jira/browse/KNOX-1119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16270103#comment-16270103 ]
Larry McCay commented on KNOX-1119:
-----------------------------------

I have created a new revision of the patch that avoids an NPE when an invalid profile attribute is configured and logs the fact that it is invalid.
I've also modified the existing test to set the attribute_id param.
Should really revisit this area to extend testing.

> Pac4J OAuth/OpenID Principal Needs to be Configurable
> -----------------------------------------------------
>
>                 Key: KNOX-1119
>                 URL: https://issues.apache.org/jira/browse/KNOX-1119
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: KnoxSSO
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>            Priority: Blocker
>             Fix For: 0.14.0
>
>         Attachments: Add_configurable_id_attribute_to_pac4j_filter_.patch, KNOX-1119-001.patch, KNOX-1119-002.patch
>
>
> Currently, the Pac4JIdentityAdapter blindly accepts the subject of the
> returned UserProfile which isn't directly usable in the Hadoop operating
> environment. We need to be able to resolve it to an actual username.
> It seems that we could take two different approaches for this.
> 1. Add a param to the pac4j provider to indicate the UserProfile attribute to
> use as the PrimaryPrincipal
> 2. Add a new identity assertion provider that can decrypt the
> pac4jUserProfile cookie and extract the configured attribute.
> I lean towards #1 above so that identity assertion providers could be used to
> munge the extracted attribute in interesting ways.
> There was some discussion of this [1] back in 0.8.0 and we never really
> circled back to it.
> [~jleleu] - Am I missing anything that is already in place for this?
> 1. http://mail-archives.apache.org/mod_mbox/knox-dev/201601.mbox/%3CCACRbFyitvZ72-oqu2triGmn%3DKhB8JE0pFONyFim63RKS4gZp0A%40mail.gmail.com%3E

--
This message was sent by Atlassian JIRA (v6.4.14#64029)