[jira] [Resolved] (QPID-8374) [Broker-J][ACL] Allow case insensitive mapping of group members to groups in existing GroupProvider

Fri, 06 Dec 2019 04:24:43 -0800 


     [ 
https://issues.apache.org/jira/browse/QPID-8374?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alex Rudyy resolved QPID-8374.
------------------------------
    Fix Version/s: qpid-java-broker-8.0.0
       Resolution: Fixed

> [Broker-J][ACL] Allow case insensitive mapping of group members to groups in 
> existing GroupProvider
> ---------------------------------------------------------------------------------------------------
>
>                 Key: QPID-8374
>                 URL: https://issues.apache.org/jira/browse/QPID-8374
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Broker-J
>            Reporter: Alex Rudyy
>            Priority: Major
>             Fix For: qpid-java-broker-8.0.0
>
>
> The user groups currently identified by exact equality of authenticated 
> principal name and group member name. (See 
> {{org.apache.qpid.server.security.group.GroupProviderImpl#getGroupPrincipalsForUser}}
>  and 
> {{org.apache.qpid.server.model.adapter.FileBasedGroupProviderImpl#getGroupPrincipalsForUser}}.)
>  The user groups are used in in ACL  to define rules applicable to multiple 
> users belonging to the same group. The ACL identities are case insensitive. 
> As result, any letter case can be used in identities to express the ACL rule. 
> In many cases, when authenticated principals are coming from external systems 
> like LDAP, OAUTH2 based providers, etc, and they are case insensitive, it is 
> desired to have group mapping case insensitive as well, as it is quite easy 
> to make a mistake and specify the group member using upper cased letters 
> rather than lower cased, for example, {{cn=Alex,ou=users,dc=qpid,dc=org}} vs 
> {{cn=alex,ou=users,dc=qpid,dc=org}}.
> The existing GroupProviders can be modified to allow case insensitive mapping 
> of group members to groups. Though, the existing case sensitive group mapping 
> behaviour should be preserved for backward compatibility reasons. It should 
> be enabled by default. A special switch (either attribute or/and context 
> variable )  could be provided to make group mapping case insensitive if 
> desired.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org

Reply via email to