[ https://issues.apache.org/jira/browse/KNOX-2982?focusedWorklogId=898684&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-898684 ]
ASF GitHub Bot logged work on KNOX-2982:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 09/Jan/24 13:14
            Start Date: 09/Jan/24 13:14
    Worklog Time Spent: 10m
      Work Description: zeroflag opened a new pull request, #832:
URL: https://github.com/apache/knox/pull/832

## What changes were proposed in this pull request?

When there are multiple providers in one topology, knox gets the first one, without checking if it's enabled or disabled. Therefore having 2 identity-assertion providers where the first is disabled and the 2nd is enabled, doesn't work.

We find the first enabled provider instead.

## How was this patch tested?

1st provider enabled

```xml
<provider>
    <role>identity-assertion</role>
    <name>SwitchCase</name>
    <enabled>true</enabled>
    <param>
        <name>principal.case</name>
        <value>upper</value>
    </param>
    <param>
        <name>group.principal.case</name>
        <value>upper</value>
    </param>
</provider>
```

2nd provider disabled:

```xml
<provider>
    <role>identity-assertion</role>
    <name>Regex</name>
    <enabled>false</enabled>
    <param>
        <name>input</name>
        <value>ad(.*)</value>
    </param>
    <param>
        <name>output</name>
        <value>{1}max</value>
    </param>
</provider>
```

```
curl -vk -u admin:admin-password https://localhost:8443/gateway/sandbox/hive

24/01/09 14:04:50 ||eddb35a8-c6d7-4ae7-9d50-b0b3e50fddaa|audit|127.0.0.1|HIVE|admin|ADMIN||identity-mapping|principal|admin|success|Effective User: ADMIN
24/01/09 14:04:50 ||eddb35a8-c6d7-4ae7-9d50-b0b3e50fddaa|audit|127.0.0.1|HIVE|admin|ADMIN||identity-mapping|principal|ADMIN|success|Groups: []
```

1st provider disabled

```xml
<provider>
    <role>identity-assertion</role>
    <name>SwitchCase</name>
    <enabled>false</enabled>
    <param>
        <name>principal.case</name>
        <value>upper</value>
    </param>
    <param>
        <name>group.principal.case</name>
        <value>upper</value>
    </param>
</provider>
```

2nd provider enabled:

```xml
<provider>
    <role>identity-assertion</role>
    <name>Regex</name>
    <enabled>true</enabled>
    <param>
        <name>input</name>
        <value>ad(.*)</value>
    </param>
    <param>
        <name>output</name>
        <value>{1}max</value>
    </param>
</provider>
```

```bash
curl -vk -u admin:admin-password https://localhost:8443/gateway/sandbox/hive

24/01/09 14:06:26 ||2d376454-b232-4011-85bd-cdbc526962e6|audit|127.0.0.1|HIVE|admin|minmax||identity-mapping|principal|admin|success|Effective User: minmax
24/01/09 14:06:26 ||2d376454-b232-4011-85bd-cdbc526962e6|audit|127.0.0.1|HIVE|admin|minmax||identity-mapping|principal|minmax|success|Groups: []
```

Issue Time Tracking
-------------------

    Worklog Id:     (was: 898684)
    Remaining Estimate: 0h
            Time Spent: 10m

> Having one disabled one enabled identity-assertion provider in knoxsso doesn't work
> -----------------------------------------------------------------------------------
>
>                 Key: KNOX-2982
>                 URL: https://issues.apache.org/jira/browse/KNOX-2982
>             Project: Apache Knox
>          Issue Type: Improvement
>            Reporter: Attila Magyar
>            Assignee: Attila Magyar
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> If one has two identity-assertion providers, e.g.: HadoopGroupProvider and
> Regexp, where the HadoopGroupProvider is disabled, then the Regex provider
> doesn't work.
> The workaround is to delete the HadoopGroupProvider altogether (instead of
> just disabling it).
> This is a bug in JerseyServiceDeploymentContributorBase>contributeService.
> The addIdentityAssertionFilter is called with null provider names.
> The same thing applies to addAuthenticationFilter, addAuthorizationFilter
> too.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
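
A topology check for the configuration this report describes, added here as an example; it is not part of the original message and not Knox's own code. It compares "first provider for a role" with "first enabled provider for a role" and reports roles where a disabled entry shadows a later enabled one. All function names and the sample topology are constructed, and treating a missing `<enabled>` element as enabled is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed topology: the "1st disabled, 2nd enabled" case, params omitted.
SAMPLE_TOPOLOGY = """<topology><gateway>
  <provider>
    <role>identity-assertion</role><name>SwitchCase</name><enabled>false</enabled>
  </provider>
  <provider>
    <role>identity-assertion</role><name>Regex</name><enabled>true</enabled>
  </provider>
</gateway></topology>"""

def providers(topology_xml):
    """Return (role, name, enabled) for each <provider>, in document order."""
    out = []
    for p in ET.fromstring(topology_xml).iter("provider"):
        role = (p.findtext("role") or "").strip()
        name = (p.findtext("name") or "").strip()
        # Assumption: a missing <enabled> element counts as enabled.
        enabled = (p.findtext("enabled") or "true").strip().lower() == "true"
        out.append((role, name, enabled))
    return out

def first_by_role(provs, role):
    """Selection as reported before the fix: first match, enabled or not."""
    return next((p for p in provs if p[0] == role), None)

def first_enabled_by_role(provs, role):
    """Selection as the pull request describes it: first enabled match."""
    return next((p for p in provs if p[0] == role and p[2]), None)

def affected_roles(topology_xml):
    """Map each role where a disabled provider shadows a later enabled one."""
    provs = providers(topology_xml)
    findings = {}
    for role in dict.fromkeys(p[0] for p in provs):  # unique roles, in order
        old = first_by_role(provs, role)
        new = first_enabled_by_role(provs, role)
        if new is not None and old != new:
            findings[role] = {"shadowed_by": old[1], "intended": new[1]}
    return findings

if __name__ == "__main__":
    print(affected_roles(SAMPLE_TOPOLOGY))
```

Run against each deployed topology file, a non-empty result marks a topology where the identity mapping seen in the audit log may not be the one the enabled provider was meant to apply.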