  1. Apache Knox
  2. KNOX-2757

Mutually exclusive filter params in the HadoopGroupProvider identity-assertion provider


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.6.1
    • Fix Version/s: 2.0.0
    • Component/s: Server
    • Labels: None

    Description

      Steps to reproduce:

      1. Replace the Default identity-assertion provider in the sandbox topology with this:

          <provider>
              <role>identity-assertion</role>
              <name>HadoopGroupProvider</name>
              <enabled>true</enabled>
              <param>
                  <name>CENTRAL_GROUP_CONFIG_PREFIX</name>
                  <value>gateway.group.config.</value>
              </param>
              <param>
                  <name>group.mapping.scientist</name>
                  <value>(!= 0 (size groups))</value>
              </param>
          </provider> 

      2. Wait until Knox redeploys the sandbox topology and check the generated gateway.xml in the newly deployed web application.

      Actual results:

      The group.mapping.scientist filter parameter is missing; only the params in gateway-site.xml with the gateway.group.config. prefix were added:

              <filter>
                  <role>identity-assertion</role>
                  <name>HadoopGroupProvider</name>
                  <class>org.apache.knox.gateway.identityasserter.hadoop.groups.filter.HadoopGroupProviderFilter</class>
                  <param>
                      <name>hadoop.security.group.mapping.ldap.search.attr.member</name>
                      <value>member</value>
                  </param>
                  <param>
                      <name>hadoop.security.group.mapping.ldap.search.filter.user</name>
                      <value>(&amp;(|(objectclass=person)(objectclass=applicationProcess))(cn={0}))</value>
                  </param>
                  <param>
                      <name>hadoop.security.group.mapping.ldap.search.attr.group.name</name>
                      <value>cn</value>
                  </param>
                  <param>
                      <name>hadoop.security.group.mapping.ldap.url</name>
                      <value>ldap://localhost:33389</value>
                  </param>
                  <param>
                      <name>hadoop.security.group.mapping</name>
                      <value>org.apache.hadoop.security.LdapGroupsMapping</value>
                  </param>
                  <param>
                      <name>hadoop.security.group.mapping.ldap.search.filter.group</name>
                      <value>(objectclass=groupOfNames)</value>
                  </param>
                  <param>
                      <name>hadoop.security.group.mapping.ldap.bind.user</name>
                      <value>uid=guest,ou=people,dc=hadoop,dc=apache,dc=org</value>
                  </param>
                  <param>
                      <name>hadoop.security.group.mapping.ldap.bind.password</name>
                      <value>guest-password</value>
                  </param>
              </filter>
      

      Expected results:

      Both the pre-configured gateway-site.xml and the group.mapping.scientist provider parameter should be added to the filter.
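
A check for step 2, added here as an example and not taken from the Knox project or the original report: it compares the provider params declared in the topology against the params of the deployed gateway.xml filter and returns the ones that were dropped. The XML strings are constructed samples abbreviated from the snippets above; the function names and `CONTROL_PARAMS` are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample input, abbreviated from the XML shown in this issue.
TOPOLOGY_PROVIDER = """
<provider>
    <role>identity-assertion</role>
    <name>HadoopGroupProvider</name>
    <param>
        <name>CENTRAL_GROUP_CONFIG_PREFIX</name>
        <value>gateway.group.config.</value>
    </param>
    <param>
        <name>group.mapping.scientist</name>
        <value>(!= 0 (size groups))</value>
    </param>
</provider>
"""

DEPLOYED_FILTER = """
<filter>
    <role>identity-assertion</role>
    <name>HadoopGroupProvider</name>
    <param>
        <name>hadoop.security.group.mapping</name>
        <value>org.apache.hadoop.security.LdapGroupsMapping</value>
    </param>
</filter>
"""

# Assumption: this param only selects the gateway-site.xml prefix and is not
# itself expected to appear in the deployed filter.
CONTROL_PARAMS = {"CENTRAL_GROUP_CONFIG_PREFIX"}

def params(xml_text):
    """Return {name: value} for every <param> child of a provider/filter element."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in root.findall("param")}

def dropped_params(provider_xml, filter_xml):
    """Provider params that are absent from, or changed in, the deployed filter."""
    deployed = params(filter_xml)
    return {n: v for n, v in params(provider_xml).items()
            if n not in CONTROL_PARAMS and deployed.get(n) != v}
```

A non-empty result for an identity-assertion provider means group mapping rules from the topology are not in effect for that deployment.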

            People

              Assignee: smolnar Sandor Molnar
              Reporter: smolnar Sandor Molnar
                Time Tracking

                  Original Estimate - Not Specified
                  Remaining Estimate - 0h
                  Time Spent - 50m