[jira] [Work logged] (KNOX-3340) Enable KnoxLdapService Role Lookup to return either Roles or Groups

[ASF GitHub Bot (Jira)]

     [ 
https://issues.apache.org/jira/browse/KNOX-3340?focusedWorklogId=1024817&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1024817
 ]

ASF GitHub Bot logged work on KNOX-3340:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 12/Jun/26 08:18
            Start Date: 12/Jun/26 08:18
    Worklog Time Spent: 10m 
      Work Description: smolnar82 commented on code in PR #1258:
URL: https://github.com/apache/knox/pull/1258#discussion_r3401624364


##########
gateway-server/src/main/java/org/apache/knox/gateway/services/ldap/interceptor/LDAPRolesLookupInterceptorFactory.java:
##########
@@ -35,7 +37,16 @@ public Interceptor create(GatewayConfig gatewayConfig, 
String name, Map<String,
         if (ldapRolesLookupService == null || 
!ldapRolesLookupService.enabled()) {
             throw new ServiceLifecycleException("LDAP roles lookup service not 
found or disabled");
         }
-        return new LDAPRolesLookupInterceptor(ldapRolesLookupService);
+
+        // Configure the OID used for the RolesLookupBypassControl until an 
official OID is available
+        String rolesLookupBypassControlOid = 
gatewayConfig.getLdapRolesLookupBypassControlOid();
+        if (StringUtils.isNotBlank(rolesLookupBypassControlOid)) {
+            if (!Oid.isOid(rolesLookupBypassControlOid)) {
+                rolesLookupBypassControlOid = null;

Review Comment:
   I see you are throwing `throw new ConfigurationException("Roles Lookup 
Bypass Control OID is not valid");` below in `KnoxLDAPServerManager`. However, 
I think that exception belongs here, when the factory wants to create an 
instance of `LDAPRolesLookupInterceptor`.
   The creation of this interceptor is also happening in 
`KnoxLDAPServerManager.init()` by calling `createInterceptors`, so it'd fail 
fast in case someone provided an invalid OID.
   What do you think?





Issue Time Tracking
-------------------

    Worklog Id:     (was: 1024817)
    Time Spent: 2.5h  (was: 2h 20m)

> Enable KnoxLdapService Role Lookup to return either Roles or Groups
> -------------------------------------------------------------------
>
>                 Key: KNOX-3340
>                 URL: https://issues.apache.org/jira/browse/KNOX-3340
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>            Reporter: David Han
>            Assignee: David Han
>            Priority: Major
>             Fix For: 3.0.0
>
>          Time Spent: 2.5h
>  Remaining Estimate: 0h
>
> The KnoxLdapService, when configured with role lookup will replace all groups 
> in the resulting entries with roles. This Jira provides a mechanism for 
> clients to request the underlying groups instead of the roles. E.g., groups 
> would be needed for some service to admin/manage the mapping between groups 
> and roles.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)