Details
Description
Steps to reproduce:
1. replace the Default identity-assertion provider in the sandbox topology with this:
<provider> <role>identity-assertion</role> <name>HadoopGroupProvider</name> <enabled>true</enabled> <param> <name>CENTRAL_GROUP_CONFIG_PREFIX</name> <value>gateway.group.config.</value> </param> <param> <name>group.mapping.scientist</name> <value>(!= 0 (size groups))</value> </param> </provider>
2. wait until Knox redeploys the sandbox topology and check the generated gateway.xml in the newly deployed web application
Actual results:
The group.mapping.scientist filter parameter is missing; only the params in gateway-site.xml with the gateway.group.config. prefix were added:
<filter> <role>identity-assertion</role> <name>HadoopGroupProvider</name> <class>org.apache.knox.gateway.identityasserter.hadoop.groups.filter.HadoopGroupProviderFilter</class> <param> <name>hadoop.security.group.mapping.ldap.search.attr.member</name> <value>member</value> </param> <param> <name>hadoop.security.group.mapping.ldap.search.filter.user</name> <value>(&(|(objectclass=person)(objectclass=applicationProcess))(cn={0}))</value> </param> <param> <name>hadoop.security.group.mapping.ldap.search.attr.group.name</name> <value>cn</value> </param> <param> <name>hadoop.security.group.mapping.ldap.url</name> <value>ldap://localhost:33389</value> </param> <param> <name>hadoop.security.group.mapping</name> <value>org.apache.hadoop.security.LdapGroupsMapping</value> </param> <param> <name>hadoop.security.group.mapping.ldap.search.filter.group</name> <value>(objectclass=groupOfNames)</value> </param> <param> <name>hadoop.security.group.mapping.ldap.bind.user</name> <value>uid=guest,ou=people,dc=hadoop,dc=apache,dc=org</value> </param> <param> <name>hadoop.security.group.mapping.ldap.bind.password</name> <value>guest-password</value> </param> </filter>
Expected results:
Both the pre-configured gateway-site.xml and the group.mapping.scientist provider parameter should be added to the filter.
Attachments
Issue Links
- links to