Details
-
Improvement
-
Status: Closed
-
Major
-
Resolution: Fixed
-
None
-
None
Description
The user groups currently identified by exact equality of authenticated principal name and group member name. (See org.apache.qpid.server.security.group.GroupProviderImpl#getGroupPrincipalsForUser and org.apache.qpid.server.model.adapter.FileBasedGroupProviderImpl#getGroupPrincipalsForUser.) The user groups are used in in ACL to define rules applicable to multiple users belonging to the same group. The ACL identities are case insensitive. As result, any letter case can be used in identities to express the ACL rule. In many cases, when authenticated principals are coming from external systems like LDAP, OAUTH2 based providers, etc, and they are case insensitive, it is desired to have group mapping case insensitive as well, as it is quite easy to make a mistake and specify the group member using upper cased letters rather than lower cased, for example, cn=Alex,ou=users,dc=qpid,dc=org vs cn=alex,ou=users,dc=qpid,dc=org.
The existing GroupProviders can be modified to allow case insensitive mapping of group members to groups. Though, the existing case sensitive group mapping behaviour should be preserved for backward compatibility reasons. It should be enabled by default. A special switch (either attribute or/and context variable ) could be provided to make group mapping case insensitive if desired.
Attachments
Issue Links
- supercedes
-
QPID-8127 [Broker-J][ACL] Allow case insensitive matching of group and user names in existing ACL
- Closed