[
https://issues.apache.org/jira/browse/KNOX-2783?focusedWorklogId=793174&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-793174
]
ASF GitHub Bot logged work on KNOX-2783:
----------------------------------------
Author: ASF GitHub Bot
Created on: 20/Jul/22 11:33
Start Date: 20/Jul/22 11:33
Worklog Time Spent: 10m
Work Description: zeroflag opened a new pull request, #611:
URL: https://github.com/apache/knox/pull/611
## What changes were proposed in this pull request?
If there is no group name after the `group.mapping.` then the user is mapped
to an empty group ("").
## How was this patch tested?
Toplogy:
```xml
<provider>
<role>authentication</role>
<name>ShiroProvider</name>
<enabled>true</enabled>
<param>
<name>sessionTimeout</name>
<value>30</value>
</param>
<param>
<name>main.pamRealm</name>
<value>org.apache.knox.gateway.shirorealm.KnoxPamRealm</value>
</param>
<param>
<name>main.pamRealm.service</name>
<value>login</value>
</param>
<param>
<name>urls./**</name>
<value>authcBasic</value>
</param>
</provider>
<provider>
<role>identity-assertion</role>
<name>HadoopGroupProvider</name>
<enabled>true</enabled>
<param>
<name>hadoop.security.group.mapping</name>
<value>org.apache.hadoop.security.ShellBasedUnixGroupsMapping</value>
</param>
<param>
<name>group.mapping.</name>
<value>true</value>
</param>
<param>
<name>group.mapping. </name>
<value>true</value>
</param>
<param>
<name>group.mapping.valid-group-name</name>
<value>true</value>
</param>
</provider>
```
```bash
curl -v -k -u sam:123456 https://localhost:8443/gateway/sandbox/hive
```
User was not added to "".
```
2022-07-20 10:29:30,034 abe3a1ca-aea1-4736-ae53-d2c8481a279a WARN
knox.gateway (CommonIdentityAssertionFilter.java:addGroup(147)) - Invalid
mapping parameter name: Missing required group name.
22/07/20 10:29:30
||abe3a1ca-aea1-4736-ae53-d2c8481a279a|audit|[0:0:0:0:0:0:0:1]|HIVE|sam|||identity-mapping|principal|sam|success|Groups:
[_lpoperator, everyone, com.apple.sharepoint.group.3, staff,
com.apple.sharepoint.group.2, com.apple.sharepoint.group.1, valid-group-name,
localaccounts]
```
Issue Time Tracking
-------------------
Worklog Id: (was: 793174)
Remaining Estimate: 0h
Time Spent: 10m
> User can be mapped to an empty virtual group
> --------------------------------------------
>
> Key: KNOX-2783
> URL: https://issues.apache.org/jira/browse/KNOX-2783
> Project: Apache Knox
> Issue Type: Improvement
> Reporter: Attila Magyar
> Assignee: Attila Magyar
> Priority: Minor
> Time Spent: 10m
> Remaining Estimate: 0h
>
> If there is no group name after the dot, the user is getting mapped to an ""
> group.
> {code}
> <provider>
> <role>identity-assertion</role>
> <name>HadoopGroupProvider</name>
> <enabled>true</enabled>
> <param>
> <name>hadoop.security.group.mapping</name>
>
> <value>org.apache.hadoop.security.ShellBasedUnixGroupsMapping</value>
> </param>
> <param>
> <name>group.mapping.</name>
> <value>true</value>
> </param>
> </provider>
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
