[
https://issues.apache.org/jira/browse/KNOX-2983?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Attila Magyar updated KNOX-2983:
--------------------------------
Fix Version/s: 2.1.0
> Combine the functionality of different identity assertion providers
> -------------------------------------------------------------------
>
> Key: KNOX-2983
> URL: https://issues.apache.org/jira/browse/KNOX-2983
> Project: Apache Knox
> Issue Type: Improvement
> Reporter: Attila Magyar
> Assignee: Attila Magyar
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> h2. Motivation
> Currently there is no way to add multiple identity assertion providers and
> combine the functionality of them. For example one might want to use the
> Concat identity assertion together with the Switch case provider. This is not
> possible due to a limitation of Knox which only allows having one identity
> assertion provider in the topology. Additionally, having a distinct provider
> for each functionality has its own limitations that prevents expressing
> complex mappings.
> h2. Expression-Based principal mapping
> The idea behind the Expression-Based principal mapping is that it leverages
> the language that was introduced by
> https://issues.apache.org/jira/browse/KNOX-2707.
> {code}
> <provider>
> <role>identity-assertion</role>
> <name>HadoopGroupProvider</name>
> <enabled>true</enabled>
> <param>
> <name>expression.principal.mapping</name>
> <!-- expression that returns the new principal -->
> <value>...</value>
> </param>
> [...]
> </provider>
> {code}
> The value of *expression.principal.mapping* must be a valid expression that
> evaluates to a string, which will be the new, mapped principal.
> For example, in the following example all authenticated users will be mapped
> to principal: 'bob'.
> {code}
> <param>
> <name>expression.principal.mapping</name>
> <value>'bob'</value>
> </param>
> {code}
> By adding a conditional you can selectively apply the mapping to specific
> users.
> {code}
> <param>
> <name>expression.principal.mapping</name>
> <!-- Only map sam/tom to bob -->
> <value>
> (if (or (= username 'sam')
> (= username 'tom'))
> 'bob')
> </value>
> </param>
> {code}
> When the expression returns *null*, the original principal will be unchanged.
> h2. Reference
> h3. if
> The *if* is an expression (rather than a statement), that has 2 or 3
> parameters. When you call it with 2 parameters it will behave like an
> *if-then*, when you call it with 3 parameters it will behave like an
> *if-then-else* expression.
> The first parameters is a conditional that must evaluate to either true or
> false. In case of true, the first branch is evaluated, otherwise the 2nd
> branch is evaluated. If the 2nd branch is omitted, and the conditional is
> false, then null is returned.
> Returns 1: {code}(if true 1){code}
> Returns null: {code}(if false 1){code}
> Returns 2: {code}(if false 1 2){code}
> Returns 1: {code}(if true 1 2){code}
> h4. concat
> The concat function takes variable number of arguments and concats them into
> one single string.
> {code}
> (concat 'The' 'sun' 'will' 'come' 'up' 'tomorrow.')
> {code}
> This can be used to concat/prepend a prefix or suffix to the usename.
> {code}
> (concat 'prefix_' username '_suffix')
> {code}
> h4. uppercase / lowercase
> Convert a string to upper case and lower case letters.
> {code}
> (uppercase 'sam')
> {code}
> returns 'SAM'
> {code}
> (lowercase 'SAM')
> {code}
> returns 'sam'
> The combination of uppercase/lowercase and concat can be used to capitalize a
> username
> {code}
> (concat
> (uppercase (substr username 0 1))
> (lowercase (substr username 1)))
> {code}
> h4. substr
> The substr function works the same way as Java's subString. It takes one or
> two parameters, where the first is the begin index, and the second is the end
> index.
> The substring begins with the character at the specified index and extends to
> the end of this string.
> {code}
> (substr 'unhappy' 2)
> {code}
> returns 'happy'
> The end index is exclusive. The substring begins at the specified beginIndex
> and extends to the character at index endIndex - 1.
> {code}
> (substr 'hamburger' 4 8)
> {code}
> returns 'urge'
> h4. strlen
> The strlen function returns the length of a string.
> {code}
> (strlen 'apple')
> {code}
> returns 5
> For example, a combination of substr and strlen can be used to cut the first
> and last characters of a username
> {code}
> (substr username 1 (- (strlen username) 1))
> {code}
>
> h4. contains
> Check if a string includes a substring.
> {code}
> (contains 'dm' 'admin')
> {code}
> returns true since 'admin' contains 'dm'
> h4. index-of
> Find a substring in the given string and return the (zero based) index.
> {code}
> (index-of 'ppl' 'apple')
> {code}
> returns 1
> {code}
> (index-of 'xx' 'apple')
> {code}
> If the given substring is not found, -1 is returned.
> For example this will find the '@' substring, and return the part coming
> after the '@' sign.
> {code}
> (if (contains '@' username)
> (substr username (+ (strlen '@')
> (index-of '@' username))))
> {code}
> ad...@hwx.site will be converted to hwx.site
> Similarly, this will cut everything after the @ sign, including the @ sign.
> {code}
> (if (contains '@' username)
> (substr username 0 (index-of '@' username)))
> {code}
> ad...@hwx.site will be converted to admin
>
> h4. starts-with / ends-with
> starts-with and ends-with can be used to check if a string begins or ends
> with a given substring.
> {code}
> (starts-with 'apple' 'app')
> {code}
> returns true
> {code}
> (ends-with 'apple' 'ple')
> {code}
> returns false
> For example, remove a prefix from a username
> {code}
> (if (starts-with username 'prefix_')
> (substr username (strlen 'prefix_')))
> {code}
> prefix_admin will be converted to admin
> h4. hash
> The hash function creates a hash table for holding key value pairs. The
> number or arguments varies, but it must be an even number.
> {code}
> (hash)
> {code}
> returns an empty hash table
> {code}
> (hash 'key1' 'value1' 'key2' 'value2')
> {code}
> returns a hash table with key1=value1, and key2=value2.
> h4. at
> The at function returns the value for the given key from a hash table.
> {code}
> (at username
> (hash
> 'tom' 'Thomas'
> 'sam' 'Samual'
> 'admin' 'Administrator'))
> {code}
> This maps the user 'admin' to 'Administrator', 'tom' to 'Thomas' and 'sam' to
> 'Samuel'
> h4. regex-template
> The regex-template template function works the same was as the [Regex type
> identity assertion
> provider|https://knox.apache.org/books/knox-2-0-0/user-guide.html#Regular+Expression+Identity+Assertion+Provider].
> {code}
> (regex-template username '(.*)@(.*?)\..*' '{1}_{[2]}' (hash 'us' 'USA' 'ca'
> 'CANADA') true)
> {code}
> The above expression turns 'nob...@us.imaginary.tld' to 'nobody_USA'.
> The regular expression contains optional groups and the template can
> reference those groups. The last 2 parameters are optional. For more
> information
> [see|https://knox.apache.org/books/knox-2-0-0/user-guide.html#Regular+Expression+Identity+Assertion+Provider].
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
