zeroflag commented on code in PR #681:
URL: https://github.com/apache/knox/pull/681#discussion_r1031406217
##########
gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java:
##########
@@ -187,21 +216,46 @@ public void doFilter(ServletRequest request,
ServletResponse response, FilterCha
}
String principalName = getPrincipalName(subject);
+ String mappedPrincipalName = null;
+ try {
+ mappedPrincipalName = handleProxyUserImpersonation(request,
principalName);
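Review bot: `mappedPrincipalName` is initialised to `null` just before the `try` that wraps `handleProxyUserImpersonation(request, principalName)`, so any exception path that does not return or rethrow leaves a null principal for the code that follows. The catch block is not visible in this hunk; confirm that it rejects the request (fails closed) rather than falling through, and consider dropping the `= null` initialiser so the compiler enforces definite assignment before the value is used.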
Review Comment:
I see that the impersonation mapping is happening before the existing
principal/group mapping, in a transitive way.
So if a `user1` comes in, with doAs = `user2`, and `user2` is mapped to
`user3` (via principal-principal mapping) then the final user is going to be
`user3`. Correct?
I'm not sure if this is what I would want if I explicitly specified `user2` as
the impersonated user in my request. I find this chain of mapping a bit
confusing. An alternative way would be to ignore the principal-principal
mapping when the impersonated user is explicitly specified in the request? I'm
not sure which one is the best though.
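
The two orderings discussed in the comment above, as an added Java example that is not part of the PR or of Knox. All class, method and map names are hypothetical, and the proxy allow-list and the `user2` to `user3` mapping are constructed sample configuration.

```java
import java.util.Map;
import java.util.Set;

// Added illustration; every name here is hypothetical and none is Knox API.
public class DoAsMappingOrder {
    // Constructed sample config: user1 may impersonate only user2.
    static final Map<String, Set<String>> PROXY_ALLOWED = Map.of("user1", Set.of("user2"));
    // Constructed principal-to-principal mapping: user2 -> user3.
    static final Map<String, String> PRINCIPAL_MAPPING = Map.of("user2", "user3");

    // Impersonation step: returns the doAs user if the caller is allowed to use it.
    static String impersonate(String authenticated, String doAs) {
        if (doAs == null || doAs.equals(authenticated)) {
            return authenticated;
        }
        if (!PROXY_ALLOWED.getOrDefault(authenticated, Set.of()).contains(doAs)) {
            throw new SecurityException(authenticated + " may not impersonate " + doAs);
        }
        return doAs;
    }

    // Policy A (the chain described in the comment): map whatever impersonation produced.
    static String transitive(String authenticated, String doAs) {
        String name = impersonate(authenticated, doAs);
        return PRINCIPAL_MAPPING.getOrDefault(name, name);
    }

    // Policy B (the alternative raised in the comment): an explicit doAs is final.
    static String explicitWins(String authenticated, String doAs) {
        String name = impersonate(authenticated, doAs);
        boolean impersonated = !name.equals(authenticated);
        return impersonated ? name : PRINCIPAL_MAPPING.getOrDefault(name, name);
    }

    public static void main(String[] args) {
        // Under A the effective identity is one the proxy allow-list never evaluated.
        System.out.println("transitive:   " + transitive("user1", "user2"));
        System.out.println("explicitWins: " + explicitWins("user1", "user2"));
        // Without doAs, both policies still apply the principal mapping.
        System.out.println("no doAs:      " + explicitWins("user2", null));
    }
}
```

Under policy A the allow-list authorises `user1` for `user2` only, yet the request proceeds as `user3`; whichever policy is chosen, the audit record should carry the authenticated, requested and effective names.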