[ https://issues.apache.org/jira/browse/KNOX-3036?focusedWorklogId=917637&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-917637 ]
ASF GitHub Bot logged work on KNOX-3036:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 04/May/24 23:59
            Start Date: 04/May/24 23:59
    Worklog Time Spent: 10m
      Work Description: lmccay opened a new pull request, #905:
URL: https://github.com/apache/knox/pull/905

   (It is very **important** that you created an Apache Knox JIRA for this change and that the PR title/commit message includes the Apache Knox JIRA ID!)

   ## What changes were proposed in this pull request?

   The virtual groups through predicate evaluations should include a means to dynamically add a group principal with the same name as the username.

   This will require intercepting the configured mapping key name which usually ends with the literal virtual group name that will be added upon matching of the predicate logic.

   For this, we will add an optional Logical Virtual Group which will need to be resolved rather than used as a literal. For this specific use case, we can use syntax such as:

       <param>
           <name>group.mapping.$PRIMARY_GROUP</name>
           <value>(not (member username))</value>
       </param>

   This will add a primary group for all authenticated users that don't already have one in the current groups list.

   ## How was this patch tested?

   Existing unit tests were run and a new one added to prove existing capability to determine that a user is not a member of a group with the username.

   curl command used to test it manually

       curl -ivku guest:guest-password https://localhost:8443/gateway/sandbox/knoxtoken/v1/oauth/tokens

   Audit entries show group added to match the name:

       24/05/04 19:58:36 ||142cc739-e70e-494e-926c-0c0f6df64171|audit|[0:0:0:0:0:0:0:1]|KNOXTOKEN|guest|||authentication|uri|/gateway/sandbox/knoxtoken/v1/oauth/tokens|success|Groups: []
       24/05/04 19:58:36 ||142cc739-e70e-494e-926c-0c0f6df64171|audit|[0:0:0:0:0:0:0:1]|KNOXTOKEN|guest|||identity-mapping|principal|guest|success|Groups: [guest]

Issue Time Tracking
-------------------

    Worklog Id:     (was: 917637)
    Remaining Estimate: 0h
    Time Spent: 10m

> Add a Primary Group Function to Virtual Groups
> ----------------------------------------------
>
>                 Key: KNOX-3036
>                 URL: https://issues.apache.org/jira/browse/KNOX-3036
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>            Priority: Major
>             Fix For: 2.1.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> The virtual groups through predicate evaluations should include a means to
> dynamically add a group principal with the same name as the username.
> This will require intercepting the configured mapping key name which usually
> ends with the literal virtual group name that will be added upon matching of
> the predicate logic.
> For this, we will add an optional Logical Virtual Group which will need to be
> resolved rather than used as a literal. For this specific use case, we can use
> syntax such as:
> {code}
> <param>
>     <name>group.mapping.$PRIMARY_GROUP</name>
>     <value>(not (member username))</value>
> </param>
> {code}
> This will add a primary group for all authenticated users that don't already
> have one in the current groups list.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
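
The audit entries quoted in the pull request description can be checked mechanically: the added example below (not part of the original message and not Apache Knox code) pairs the authentication and identity-mapping entries of each request and reports which groups the mapping added and whether any of them is something other than the username. Field positions are inferred from the two quoted lines, the comma-separated form of a multi-group list is an assumption, and the `alice` entries with their request id are constructed.

```python
import re

# Lines 1-2 are the audit entries quoted in the PR description.
# Lines 3-4 are constructed for illustration (hypothetical user and request id).
SAMPLE_AUDIT = """\
24/05/04 19:58:36 ||142cc739-e70e-494e-926c-0c0f6df64171|audit|[0:0:0:0:0:0:0:1]|KNOXTOKEN|guest|||authentication|uri|/gateway/sandbox/knoxtoken/v1/oauth/tokens|success|Groups: []
24/05/04 19:58:36 ||142cc739-e70e-494e-926c-0c0f6df64171|audit|[0:0:0:0:0:0:0:1]|KNOXTOKEN|guest|||identity-mapping|principal|guest|success|Groups: [guest]
24/05/04 20:01:02 ||00000000-0000-0000-0000-000000000001|audit|[0:0:0:0:0:0:0:1]|KNOXTOKEN|alice|||authentication|uri|/gateway/sandbox/knoxtoken/v1/oauth/tokens|success|Groups: [analyst]
24/05/04 20:01:02 ||00000000-0000-0000-0000-000000000001|audit|[0:0:0:0:0:0:0:1]|KNOXTOKEN|alice|||identity-mapping|principal|alice|success|Groups: [analyst, alice, admin]
"""

GROUPS_RE = re.compile(r"Groups: \[(.*)\]")

def parse_entry(line):
    """Split one audit line; field positions are inferred from the sample lines."""
    fields = line.strip().split("|")
    if len(fields) != 14 or fields[3] != "audit":
        return None
    match = GROUPS_RE.fullmatch(fields[13].strip())
    if match is None:
        return None
    # Assumed list format: names separated by commas, "[]" when empty.
    groups = {g.strip() for g in match.group(1).split(",") if g.strip()}
    return {"request_id": fields[2], "user": fields[6], "action": fields[9],
            "outcome": fields[12], "groups": groups}

def review_group_mapping(lines):
    """Return (request_id, user, added, unexpected) per identity-mapping event.

    added: groups present after mapping but absent at authentication.
    unexpected: added groups other than the primary group (the username).
    """
    at_auth, findings = {}, []
    for line in lines:
        entry = parse_entry(line)
        if entry is None or entry["outcome"] != "success":
            continue
        if entry["action"] == "authentication":
            at_auth[entry["request_id"]] = entry["groups"]
        elif entry["action"] == "identity-mapping":
            added = entry["groups"] - at_auth.get(entry["request_id"], set())
            unexpected = added - {entry["user"]}
            findings.append((entry["request_id"], entry["user"],
                             sorted(added), sorted(unexpected)))
    return findings

if __name__ == "__main__":
    for finding in review_group_mapping(SAMPLE_AUDIT.splitlines()):
        print(finding)
```

An empty `unexpected` list for a request means the only group added during identity mapping was the primary group named after the user, which is the behaviour the quoted entries show for `guest`.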