[ https://issues.apache.org/jira/browse/KNOX-2983 ]
Attila Magyar deleted comment on KNOX-2983:
-------------------------------------
was (Author: amagyar):
Here we could utilize the language which was introduced in KNOX-2707. The
expressions of the language are already composable and new functions are very
easy to add.
A combination of the concat and switch case provider would look like this:
{code}
<provider>
<role>identity-assertion</role>
<name>Default</name>
<enabled>true</enabled>
<param>
<name>advanced.principal.mapping</name>
<value>(concat (lowercase username) 'suffix')</value>
</param>
</provider>
{code}
The way it works is that whatever the expression in the
"principal.mapping.advanced" returns, will be the new username (principal).
Complex mapping can be expressed easily as shown in the following example:
{code}
(if (= username "BOB")
(concat (lowercase username) "_suffix")
(uppercase username))
{code}
This will transform "BOB" to "bob_suffix", and any other users other than bob
to its uppercase variant.
We can add a function that takes a regexp pattern, a string and the group names
what we're interested in.
{code}
(regex-template username "AD\\(.*)" "{1}")
{code}
This will transform AD\usr1 to usr1.
Simple cases can be solved with string manipulation as well, without using
regexpes:
{code}
(if (starts-with username "AD\\")
(substring username 3)
username)
{code}
Side note:
If we want to build up the regexp from the primitives of the language, it would
look like this:
{code}
(let ((m (matcher "AD(\.*)" username)))
(if (matches m)
(m 1)
username))
{code}
This might be too much, and it is not needed if we add "regex-template"
function.
We already have uppercase/lowercase functions, the only things which are needed
are: concat, regexp-group, substring. And one special form, for the if
expression.
> Combine the functionality of different identity assertion providers
> -------------------------------------------------------------------
>
> Key: KNOX-2983
> URL: https://issues.apache.org/jira/browse/KNOX-2983
> Project: Apache Knox
> Issue Type: Improvement
> Reporter: Attila Magyar
> Assignee: Attila Magyar
> Priority: Major
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> h2. Motivation
> Currently there is no way to add multiple identity assertion providers and
> combine the functionality of them. For example one might want to use the
> Concat identity assertion together with the Switch case provider. This is not
> possible due to a limitation of Knox which only allows having one identity
> assertion provider in the topology. Additionally, having a distinct provider
> for each functionality has its own limitations that prevents expressing
> complex mapping.
> h2. Expression-Based principal mapping
> The idea behind the Expression-Based principal mapping is that it leverages
> the language that was introduced by
> https://issues.apache.org/jira/browse/KNOX-2707.
> {code}
> <param>
> <name>expression.principal.mapping</name>
> <!-- expression that returns the new principal -->
> <value>...</value>
> </param>
> {code}
> The value of *expression.principal.mapping* must be a valid expression that
> evaluates to a string, which will be the new, mapped principal.
> For example, in the following example all authenticated users will be mapped
> to principal: 'bob'.
> {code}
> <param>
> <name>expression.principal.mapping</name>
> <value>'bob'</value>
> </param>
> {code}
> By adding a conditional you can selectively apply the mapping to specific
> users.
> {code}
> <param>
> <name>expression.principal.mapping</name>
> <!-- Only map sam/tom to bob -->
> <value>
> (if (or (= username 'sam')
> (= username 'tom'))
> 'bob')
> </value>
> </param>
> {code}
> When the expression returns *null*, the original principal will be unchanged.
> h2. Reference
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
