pzampino commented on code in PR #681:
URL: https://github.com/apache/knox/pull/681#discussion_r1033944407
##########
gateway-provider-identity-assertion-common/src/main/java/org/apache/knox/gateway/identityasserter/common/filter/CommonIdentityAssertionFilter.java:
##########
@@ -187,21 +216,46 @@ public void doFilter(ServletRequest request,
ServletResponse response, FilterCha
}
String principalName = getPrincipalName(subject);
+ String mappedPrincipalName = null;
+ try {
+ mappedPrincipalName = handleProxyUserImpersonation(request,
principalName);
Review Comment:
I think the principal mapping is orthogonal to the requests that are
received by Knox. In the case without impersonation, the authenticated user
will be mapped to whatever is configured. Similarly, with impersonation, the
authenticated user (e.g., user1) is requesting to act on behalf of another user
(e.g., user2), who is then mapped to user3 just as in the non-impersonation
scenario. The client never has control over the mappings, impersonation or not;
That's a Knox admin decision.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
