[jira] [Commented] (KNOX-2983) Combine the functionality of different identity assertion providers

Tue, 07 Nov 2023 08:55:05 -0800 


    [ 
https://issues.apache.org/jira/browse/KNOX-2983?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17783700#comment-17783700
 ] 

Attila Magyar commented on KNOX-2983:
-------------------------------------

Here we could utilize the language which was introduced in KNOX-2707. The 
expressions of the language are already composable and new functions are very 
easy to add.

A combination of the concat and switch case provider would look like this:

{code}
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
      <param>
        <name>principal.mapping.advanced</name>
        <value>(concat (lowercase username) 'suffix')</value>
      </param>
    </provider>
{code}

The way it works is that whatever the expression in the 
"principal.mapping.advanced" returns, will be the new username (principal).

Complex mapping can be expressed easily as shown in the following example:

{code}
    (if (= username "bob")
        (concat (lowercase username) "_suffix")
        (uppercase username))
{code}

We can add a function that takes a regexp pattern, a string and the group names 
what we're interested in.

{code}
    (regexp-group "AD\\(.*)" username "{1}")
{code}

This will transform AD\usr1 to usr1.

For simple cases can be solved with string manipulation as well, without using 
regexpes:

{code}
    (if (starts-with username "AD\\")
      (substring username 3)
      username)
{code}


Side note:

If we want to build up the regexp from the primitives of the language, it would 
look like this:

{code}
    (let ((m (matcher "AD(\.*)" username)))
      (if (matches m)
        (m 1)
        username))
{code}

This might be too much, and it is not needed if we add "regexp-group" function. 


We already have uppercase/lowercase functions, the only things which are needed 
are: concat, regexp-group, substring. And one special form, the if expression.



> Combine the functionality of different identity assertion providers
> -------------------------------------------------------------------
>
>                 Key: KNOX-2983
>                 URL: https://issues.apache.org/jira/browse/KNOX-2983
>             Project: Apache Knox
>          Issue Type: Improvement
>            Reporter: Attila Magyar
>            Assignee: Attila Magyar
>            Priority: Major
>
> Currently there is no way to add  multiple identity assertion provider and 
> combine the functionality of them.
> For example one might want to use the Concat identity assertion filter 
> together with the Switch case provider.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to