[
https://issues.apache.org/jira/browse/KNOX-3340?focusedWorklogId=1024634&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1024634
]
ASF GitHub Bot logged work on KNOX-3340:
----------------------------------------
Author: ASF GitHub Bot
Created on: 11/Jun/26 08:31
Start Date: 11/Jun/26 08:31
Worklog Time Spent: 10m
Work Description: smolnar82 commented on code in PR #1258:
URL: https://github.com/apache/knox/pull/1258#discussion_r3394424270
##########
gateway-server/src/main/java/org/apache/knox/gateway/services/ldap/control/RolesLookupBypassControl.java:
##########
@@ -0,0 +1,30 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.services.ldap.control;
+
+import org.apache.directory.api.ldap.model.message.Control;
+
+public interface RolesLookupBypassControl extends Control {
+ // OID created from a UUID to ensure no collisions:
+ // Apache Root OID for core object classes 1.3.6.1.4.1.18060.2
+ // UUID "5236bee0-8a22-4419-9f8e-f1de43312ce1"
+ String OID =
"1.3.6.1.4.1.18060.2.1379319520.35362.17433.40846.265936912329953";
Review Comment:
That's an excellent question, @handavid !
You are correct that this UUID-based approach ensures no collisions, but we
should aim for a cleaner, official arc under the Apache Private Enterprise
Number (PEN).
As a PMC member, I can help facilitate this. Here is the path forward:
1. Apache Root: The ASF owns PEN 18060, so our official OID will start
with 1.3.6.1.4.1.18060.
2. Knox Sub-arc: I've checked the [IANA registry and confirmed Knox
doesn't have an explicit
entry](https://www.iana.org/assignments/enterprise-numbers/?q=Knox) because we
fall under the Apache root. The PMC needs to request a dedicated sub-arc (e.g.,
1.3.6.1.4.1.18060.X) for Knox by opening a JIRA with ASF Infrastructure
(INFRA). - I think @lmccay can help us with that.
3. Next Steps: For this PR, it's fine to keep the UUID-based OID as a
placeholder so we don't block progress. Once we secure the official Knox
sub-arc from INFRA, we can do a quick follow-up task to update this to a
shorter, official OID (like 1.3.6.1.4.1.18060.X.1.1).
Issue Time Tracking
-------------------
Worklog Id: (was: 1024634)
Time Spent: 50m (was: 40m)
> Enable KnoxLdapService Role Lookup to return either Roles or Groups
> -------------------------------------------------------------------
>
> Key: KNOX-3340
> URL: https://issues.apache.org/jira/browse/KNOX-3340
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Reporter: David Han
> Assignee: David Han
> Priority: Major
> Fix For: 3.0.0
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> The KnoxLdapService, when configured with role lookup will replace all groups
> in the resulting entries with roles. This Jira provides a mechanism for
> clients to request the underlying groups instead of the roles. E.g., groups
> would be needed for some service to admin/manage the mapping between groups
> and roles.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
