[KNOX-1119] Pac4J OAuth/OpenID Principal Needs to be Configurable - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 0.14.0
Component/s: KnoxSSO
Labels:
None

Description

Currently, the Pac4JIdentityAdapter blindly accepts the subject of the returned UserProfile which isn't directly usable in the Hadoop operating environment. We need to be able to resolve it to an actual username.

It seems that we could take two different approaches for this.

1. Add a param to the pac4j provider to indicate the UserProfile attribute to use as the PrimaryPrincipal
2. Add a new identity assertion provider that can decrypt the pac4jUserProfile cookie and extract the configured attribute.

I lean towards #1 above so that identity assertion providers could be used to munge the extracted attribute in interesting ways.

There was some discussion of this [1] back in 0.8.0 and we never really circled back to it.
jleleu - Am I missing anything that is already in place for this?

1. http://mail-archives.apache.org/mod_mbox/knox-dev/201601.mbox/%3CCACRbFyitvZ72-oqu2triGmn%3DKhB8JE0pFONyFim63RKS4gZp0A%40mail.gmail.com%3E

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

KNOX-1119-002.patch
29/Nov/17 04:12
3 kB
Larry McCay
KNOX-1119-001.patch
29/Nov/17 04:12
2 kB
Larry McCay
Add_configurable_id_attribute_to_pac4j_filter_.patch
22/Nov/17 11:44
2 kB
Andreas Hildebrandt

Issue Links

is related to

KNOX-1134 Regression due to KNOX-1119

Closed

Activity

People

Assignee:: Larry McCay

Reporter:: Larry McCay

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 21/Nov/17 15:52

Updated:: 28/Mar/19 14:07

Resolved:: 29/Nov/17 04:18