zeroflag opened a new pull request, #832:
URL: https://github.com/apache/knox/pull/832

   ## What changes were proposed in this pull request?
   
   When there are multiple providers in one topology, Knox gets the first one without checking if it's enabled or disabled.
   
   Therefore, having 2 identity-assertion providers where the first is disabled and the 2nd is enabled doesn't work.
   
   We find the first enabled provider instead.
   
   ## How was this patch tested?
   
   1st provider enabled
   
   ```xml
   <provider>
       <role>identity-assertion</role>
       <name>SwitchCase</name>
       <enabled>true</enabled>
       <param>
           <name>principal.case</name>
           <value>upper</value>
       </param>
       <param> 
           <name>group.principal.case</name>
           <value>upper</value>
       </param>    
   </provider>
   ```
   
   2nd provider disabled:
   
   ```xml
   <provider>
     <role>identity-assertion</role>
     <name>Regex</name>
     <enabled>false</enabled>
     <param>
       <name>input</name>
       <value>ad(.*)</value>
     </param>  
     <param>   
       <name>output</name>
       <value>{1}max</value>
     </param>      
   </provider>
   ```
   
   ```
   curl -vk -u admin:admin-password https://localhost:8443/gateway/sandbox/hive
   
   24/01/09 14:04:50 ||eddb35a8-c6d7-4ae7-9d50-b0b3e50fddaa|audit|127.0.0.1|HIVE|admin|ADMIN||identity-mapping|principal|admin|success|Effective User: ADMIN
   24/01/09 14:04:50 ||eddb35a8-c6d7-4ae7-9d50-b0b3e50fddaa|audit|127.0.0.1|HIVE|admin|ADMIN||identity-mapping|principal|ADMIN|success|Groups: []
   ```
   
   
   1st provider disabled
   
   ```xml
   <provider>
       <role>identity-assertion</role>
       <name>SwitchCase</name>
       <enabled>false</enabled>
       <param>
           <name>principal.case</name>
           <value>upper</value>
       </param>
       <param> 
           <name>group.principal.case</name>
           <value>upper</value>
       </param>    
   </provider>
   ```
   
   2nd provider enabled:
   
   ```xml
   <provider>
     <role>identity-assertion</role>
     <name>Regex</name>
     <enabled>true</enabled>
     <param>
       <name>input</name>
       <value>ad(.*)</value>
     </param>  
     <param>   
       <name>output</name>
       <value>{1}max</value>
     </param>      
   </provider>
   ```
   
   ```bash
   curl -vk -u admin:admin-password https://localhost:8443/gateway/sandbox/hive
   
   24/01/09 14:06:26 ||2d376454-b232-4011-85bd-cdbc526962e6|audit|127.0.0.1|HIVE|admin|minmax||identity-mapping|principal|minmax|success|Groups: []
   24/01/09 14:06:26 ||2d376454-b232-4011-85bd-cdbc526962e6|audit|127.0.0.1|HIVE|admin|minmax||identity-mapping|principal|minmax|success|Groups: []
   ```
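
A topology check for the condition described in this pull request, as an added example that is not part of the pull request or of Knox's code: it lists every role whose first listed provider is disabled while a later provider for the same role is enabled, which is where "first listed" and "first enabled" selection disagree. The sample topology is constructed from the second test case, the `<topology><gateway>` wrapper and the function names are assumptions, and a missing `<enabled>` element is treated as disabled here.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two providers from the second test case above
# (params omitted), wrapped in an assumed <topology><gateway> layout.
SAMPLE_TOPOLOGY = """
<topology>
  <gateway>
    <provider>
      <role>identity-assertion</role>
      <name>SwitchCase</name>
      <enabled>false</enabled>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>Regex</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
</topology>
"""

def providers_by_role(topology_xml):
    """Return {role: [(name, enabled), ...]} in document order."""
    roles = {}
    for p in ET.fromstring(topology_xml).iter("provider"):
        role = (p.findtext("role") or "").strip()
        name = (p.findtext("name") or "").strip()
        # Assumption: a missing <enabled> element counts as disabled.
        enabled = (p.findtext("enabled") or "").strip().lower() == "true"
        roles.setdefault(role, []).append((name, enabled))
    return roles

def audit(topology_xml):
    """List roles where the first listed provider is disabled but a later one is enabled."""
    findings = []
    for role, provs in providers_by_role(topology_xml).items():
        first_enabled = next((name for name, on in provs if on), None)
        if first_enabled is None:
            continue  # no enabled provider for this role, nothing to compare
        first_name, first_on = provs[0]
        if not first_on:
            findings.append({"role": role, "first_listed": first_name,
                             "first_enabled": first_enabled})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_TOPOLOGY):
        print(f"{f['role']}: first listed {f['first_listed']!r} is disabled; "
              f"first enabled is {f['first_enabled']!r}")
```
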
   
   

