[
https://issues.apache.org/jira/browse/KNOX-3036?focusedWorklogId=917637&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-917637
]
ASF GitHub Bot logged work on KNOX-3036:
----------------------------------------
Author: ASF GitHub Bot
Created on: 04/May/24 23:59
Start Date: 04/May/24 23:59
Worklog Time Spent: 10m
Work Description: lmccay opened a new pull request, #905:
URL: https://github.com/apache/knox/pull/905
## What changes were proposed in this pull request?
The virtual groups through predicate evaluations should include a means to
dynamically add a group principal with the same name as the username.
This will require intercepting the configured mapping key name which usually
ends with the literal virtual group name that will be added upon matching of
the predicate logic.
For this, we will add an optional Logical Virtual Group which will need to
be resolved rather than used as a literal. For this specific use case, we can
use syntax such as:
```xml
<param>
    <name>group.mapping.$PRIMARY_GROUP</name>
    <value>(not (member username))</value>
</param>
```
This will add a primary group for all authenticated users that don't already
have one in the current groups list.
## How was this patch tested?
Existing unit tests were run and a new one added to prove existing
capability to determine that a user is not a member of a group with the
username.
curl command used to test it manually:
```
curl -ivku guest:guest-password https://localhost:8443/gateway/sandbox/knoxtoken/v1/oauth/tokens
```
Audit entries show group added to match the name:
```
24/05/04 19:58:36 ||142cc739-e70e-494e-926c-0c0f6df64171|audit|[0:0:0:0:0:0:0:1]|KNOXTOKEN|guest|||authentication|uri|/gateway/sandbox/knoxtoken/v1/oauth/tokens|success|Groups: []
24/05/04 19:58:36 ||142cc739-e70e-494e-926c-0c0f6df64171|audit|[0:0:0:0:0:0:0:1]|KNOXTOKEN|guest|||identity-mapping|principal|guest|success|Groups: [guest]
```
Issue Time Tracking
-------------------
Worklog Id: (was: 917637)
Remaining Estimate: 0h
Time Spent: 10m
> Add a Primary Group Function to Virtual Groups
> ----------------------------------------------
>
> Key: KNOX-3036
> URL: https://issues.apache.org/jira/browse/KNOX-3036
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> The virtual groups through predicate evaluations should include a means to
> dynamically add a group principal with the same name as the username.
> This will require intercepting the configured mapping key name which usually
> ends with the literal virtual group name that will be added upon matching of
> the predicate logic.
> For this, we will add an optional Logical Virtual Group which will need to be
> resolved rather than used as a literal. For this specific use case, we can use
> syntax such as:
> {code}
> <param>
> <name>group.mapping.$PRIMARY_GROUP</name>
> <value>(not (member username))</value>
> </param>
> {code}
> This will add a primary group for all authenticated users that don't already
> have one in the current groups list.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
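
The following is an added sketch, not Knox's implementation and not code from the pull request. It models the behaviour described in the message above: the `$PRIMARY_GROUP` mapping key is resolved to the user name instead of being used as a literal group name. The function names, the operator subset (`not`, `and`, `or`, `member`) and the choice to evaluate predicates against the incoming group list are assumptions.

```python
"""Model of the $PRIMARY_GROUP virtual group described above (not Knox code)."""
import re

PRIMARY_GROUP = "$PRIMARY_GROUP"   # logical group name from the PR description
PREFIX = "group.mapping."          # parameter name prefix shown in the PR

def parse(expr):
    """Parse a parenthesised predicate such as '(not (member username))'."""
    tokens = re.findall(r"[()]|[^\s()]+", expr)
    def read(pos):
        if tokens[pos] != "(":
            return tokens[pos], pos + 1           # atom
        node, pos = [], pos + 1
        while tokens[pos] != ")":
            child, pos = read(pos)
            node.append(child)
        return node, pos + 1
    tree, end = read(0)
    if end != len(tokens):
        raise ValueError("trailing tokens in predicate")
    return tree

def evaluate(node, user, groups):
    """Evaluate the assumed subset: not / and / or / member, plus 'username'."""
    if isinstance(node, str):
        return user if node == "username" else node
    op, args = node[0], node[1:]
    if op == "member":
        return evaluate(args[0], user, groups) in groups
    if op == "not":
        return not evaluate(args[0], user, groups)
    if op == "and":
        return all(evaluate(a, user, groups) for a in args)
    if op == "or":
        return any(evaluate(a, user, groups) for a in args)
    raise ValueError(f"unsupported operator: {op}")

def map_groups(params, user, groups):
    """Return the group list after applying every group.mapping.* parameter."""
    result = list(groups)
    for key, predicate in params.items():
        if not key.startswith(PREFIX):
            continue
        name = key[len(PREFIX):]
        # A logical name is resolved per user; any other name is a literal.
        group = user if name == PRIMARY_GROUP else name
        if evaluate(parse(predicate), user, groups) and group not in result:
            result.append(group)
    return result

PARAMS = {"group.mapping.$PRIMARY_GROUP": "(not (member username))"}
print(map_groups(PARAMS, "guest", []))  # same user and empty group list as the audit entries
```
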