knox-commits mailing list archives

From kmin...@apache.org
Subject svn commit: r1705149 - in /knox: site/ site/books/knox-0-4-0/ site/books/knox-0-5-0/ site/books/knox-0-6-0/ site/books/knox-0-7-0/ trunk/books/0.7.0/
Date Thu, 24 Sep 2015 21:05:39 GMT
Author: kminder
Date: Thu Sep 24 21:05:38 2015
New Revision: 1705149

URL: http://svn.apache.org/viewvc?rev=1705149&view=rev
Log:
KNOX-579: Regex based identity assertion provider with static dictionary lookup

Modified:
    knox/site/books/knox-0-4-0/deployment-overview.png
    knox/site/books/knox-0-4-0/deployment-provider.png
    knox/site/books/knox-0-4-0/deployment-service.png
    knox/site/books/knox-0-4-0/runtime-overview.png
    knox/site/books/knox-0-4-0/runtime-request-processing.png
    knox/site/books/knox-0-5-0/deployment-overview.png
    knox/site/books/knox-0-5-0/deployment-provider.png
    knox/site/books/knox-0-5-0/deployment-service.png
    knox/site/books/knox-0-5-0/runtime-overview.png
    knox/site/books/knox-0-5-0/runtime-request-processing.png
    knox/site/books/knox-0-6-0/deployment-overview.png
    knox/site/books/knox-0-6-0/deployment-provider.png
    knox/site/books/knox-0-6-0/deployment-service.png
    knox/site/books/knox-0-6-0/runtime-overview.png
    knox/site/books/knox-0-6-0/runtime-request-processing.png
    knox/site/books/knox-0-7-0/deployment-overview.png
    knox/site/books/knox-0-7-0/deployment-provider.png
    knox/site/books/knox-0-7-0/deployment-service.png
    knox/site/books/knox-0-7-0/runtime-overview.png
    knox/site/books/knox-0-7-0/runtime-request-processing.png
    knox/site/books/knox-0-7-0/user-guide.html
    knox/site/index.html
    knox/site/issue-tracking.html
    knox/site/license.html
    knox/site/mail-lists.html
    knox/site/project-info.html
    knox/site/team-list.html
    knox/trunk/books/0.7.0/config_id_assertion.md

Modified: knox/site/books/knox-0-4-0/deployment-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/deployment-overview.png?rev=1705149&r1=1705148&r2=1705149&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-4-0/deployment-provider.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/deployment-provider.png?rev=1705149&r1=1705148&r2=1705149&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-4-0/deployment-service.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/deployment-service.png?rev=1705149&r1=1705148&r2=1705149&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-4-0/runtime-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/runtime-overview.png?rev=1705149&r1=1705148&r2=1705149&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-4-0/runtime-request-processing.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-4-0/runtime-request-processing.png?rev=1705149&r1=1705148&r2=1705149&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-5-0/deployment-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/deployment-overview.png?rev=1705149&r1=1705148&r2=1705149&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-5-0/deployment-provider.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/deployment-provider.png?rev=1705149&r1=1705148&r2=1705149&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-5-0/deployment-service.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/deployment-service.png?rev=1705149&r1=1705148&r2=1705149&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-5-0/runtime-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/runtime-overview.png?rev=1705149&r1=1705148&r2=1705149&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-5-0/runtime-request-processing.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-5-0/runtime-request-processing.png?rev=1705149&r1=1705148&r2=1705149&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-6-0/deployment-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/deployment-overview.png?rev=1705149&r1=1705148&r2=1705149&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-6-0/deployment-provider.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/deployment-provider.png?rev=1705149&r1=1705148&r2=1705149&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-6-0/deployment-service.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/deployment-service.png?rev=1705149&r1=1705148&r2=1705149&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-6-0/runtime-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/runtime-overview.png?rev=1705149&r1=1705148&r2=1705149&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-6-0/runtime-request-processing.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-6-0/runtime-request-processing.png?rev=1705149&r1=1705148&r2=1705149&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-7-0/deployment-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/deployment-overview.png?rev=1705149&r1=1705148&r2=1705149&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-7-0/deployment-provider.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/deployment-provider.png?rev=1705149&r1=1705148&r2=1705149&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-7-0/deployment-service.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/deployment-service.png?rev=1705149&r1=1705148&r2=1705149&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-7-0/runtime-overview.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/runtime-overview.png?rev=1705149&r1=1705148&r2=1705149&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-7-0/runtime-request-processing.png
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/runtime-request-processing.png?rev=1705149&r1=1705148&r2=1705149&view=diff
==============================================================================
Binary files - no diff available.

Modified: knox/site/books/knox-0-7-0/user-guide.html
URL: http://svn.apache.org/viewvc/knox/site/books/knox-0-7-0/user-guide.html?rev=1705149&r1=1705148&r2=1705149&view=diff
==============================================================================
--- knox/site/books/knox-0-7-0/user-guide.html (original)
+++ knox/site/books/knox-0-7-0/user-guide.html Thu Sep 24 21:05:38 2015
@@ -1386,7 +1386,55 @@ ldapRealm.userDnTemplate=uid={0},ou=peop
       <value>_domain1</value>
     </param>
 </provider>
-</code></pre><p>The above configuration will result in all user interactions
through that topology to have their principal communicated to the Hadoop cluster with a domain
designator concatenated to the username. Possibly useful for multi-tenant deployment scenarios.</p><p>In
addition to the concat.suffix parameter, the provider supports the setting of a prefix through
a concat.prefix parameter.</p><h3><a id="Authorization"></a>Authorization</h3><h4><a
id="Service+Level+Authorization"></a>Service Level Authorization</h4><p>The
Knox Gateway has an out-of-the-box authorization provider that allows administrators to restrict
access to the individual services within a Hadoop cluster.</p><p>This provider
utilizes a simple and familiar pattern of using ACLs to protect Hadoop resources by specifying
users, groups and ip addresses that are permitted access.</p><p>Note: In the examples
below {serviceName} represents a real service name (e.g. WEBHDFS) and would be replaced with
these values i
 n an actual configuration.</p><h5><a id="Usecases"></a>Usecases</h5><h6><a
id="USECASE-1:+Restrict+access+to+specific+Hadoop+services+to+specific+Users"></a>USECASE-1:
Restrict access to specific Hadoop services to specific Users</h6>
+</code></pre><p>The above configuration will result in all user interactions
through that topology to have their principal communicated to the Hadoop cluster with a domain
designator concatenated to the username. Possibly useful for multi-tenant deployment scenarios.</p><p>In
addition to the concat.suffix parameter, the provider supports the setting of a prefix through
a concat.prefix parameter.</p><h4><a id="Regular+Expression+Identity+Assertion+Provider"></a>Regular
Expression Identity Assertion Provider</h4><p>The regular expression identity
assertion provider allows incoming identities to be translated using a regular expression,
template and lookup table. This will probably be most useful in conjunction with the HeaderPreAuth
federation provider.</p><p>There are three configuration parameters used to control
the behavior of the provider.</p>
+<table>
+  <thead>
+    <tr>
+      <th>Param </th>
+      <th>Description</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>input </td>
+      <td>This is a regular expression that will be applied to the incoming identity.
The most critical part of the regular expression is the group notation within the expression.
In regular expressions, groups are expressed within parenthesis. For example in the regular
expression &ldquo;(.*)@(.*?)..*&rdquo; there are two groups. When this regular expression
is applied to &ldquo;<a href="mailto:&#110;o&#98;&#x6f;&#x64;y&#x40;&#117;&#115;&#46;&#x69;&#109;a&#x67;&#105;&#110;&#x61;&#114;&#x79;&#46;&#116;&#108;&#x64;">&#110;o&#98;&#x6f;&#x64;y&#x40;&#117;&#115;&#46;&#x69;&#109;a&#x67;&#105;&#110;&#x61;&#114;&#x79;&#46;&#116;&#108;&#x64;</a>&rdquo;
group 1 matches &ldquo;nobody&rdquo; and group 2 matches &ldquo;us&rdquo;.</td>
+    </tr>
+    <tr>
+      <td>output</td>
+      <td>This is a template that assembles the result identity. The result is assembled
from the static text and the matched groups from the input regular expression. In addition,
the matched group values can be looked up in the lookup table. An output value of &ldquo;{1}_{2}&rdquo;
of will result in &ldquo;nobody_us&rdquo;.</td>
+    </tr>
+    <tr>
+      <td>lookup</td>
+      <td>This lookup table provides a simple (albeit limited) way to translate text
in the incoming identities. This configuration takes the form of &ldquo;=&rdquo; separated
name values pairs separated by &ldquo;;&rdquo;. For example an lookup setting is &ldquo;us=USA;ca=CANADA&rdquo;.
The lookup is invoked in the output setting by surrounding the desired group number in square
brackets (i.e. []). Putting it all together, output setting of &ldquo;{1}_[{2}]&rdquo;
combined with input of &ldquo;(.*)@(.*?)..*&rdquo; and lookup of &ldquo;us=USA;ca=CANADA&rdquo;
will turn &ldquo;<a href="mailto:&#x6e;&#x6f;&#98;&#111;&#100;&#x79;&#x40;&#117;&#115;.&#x69;m&#97;&#103;i&#x6e;&#x61;&#x72;&#121;&#46;t&#108;&#100;">&#x6e;&#x6f;&#98;&#111;&#100;&#x79;&#x40;&#117;&#115;.&#x69;m&#97;&#103;i&#x6e;&#x61;&#x72;&#121;&#46;t&#108;&#100;</a>&rdquo;
into &quot;<a href="mailto:&#x6e;o&#98;&#111;&#100;&#x79;&#64;U&#83;A&quot;">&#x6e;o&#98;&#111;&#100;&#x79;&#64;U&#83;A&quot;</a>.</td>
+    </tr>
+  </tbody>
+</table><p>Within the topology file the provider configuration might look like
this.</p>
+<pre><code>&lt;provider&gt;
+    &lt;role&gt;identity-assertion&lt;/role&gt;
+    &lt;name&gt;Regex&lt;/name&gt;
+    &lt;enabled&gt;true&lt;/enabled&gt;
+    &lt;param&gt;
+        &lt;name&gt;input&lt;/name&gt;
+        &lt;value&gt;(.*)@(.*?)\..*&lt;/value&gt;
+    &lt;/param&gt;
+    &lt;param&gt;
+        &lt;name&gt;output&lt;/name&gt;
+        &lt;value&gt;{1}_{[2]}&lt;/value&gt;
+    &lt;/param&gt;
+    &lt;param&gt;
+        &lt;name&gt;lookup&lt;/name&gt;
+        &lt;value&gt;us=USA;ca=CANADA&lt;/value&gt;
+    &lt;/param&gt;
+&lt;/provider&gt;  
+</code></pre><p>Using curl with this type of configuration might produce
the following results. </p>
+<pre><code>curl -k --header &quot;SM_USER: nobody@us.imaginary.tld&quot;
&#39;https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY&#39;
+
+{&quot;Path&quot;:&quot;/user/member_USA&quot;}
+
+url -k --header &quot;SM_USER: nobody@ca.imaginary.tld&quot; &#39;https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY&#39;
+
+{&quot;Path&quot;:&quot;/user/member_CANADA&quot;}
+</code></pre><h3><a id="Authorization"></a>Authorization</h3><h4><a
id="Service+Level+Authorization"></a>Service Level Authorization</h4><p>The
Knox Gateway has an out-of-the-box authorization provider that allows administrators to restrict
access to the individual services within a Hadoop cluster.</p><p>This provider
utilizes a simple and familiar pattern of using ACLs to protect Hadoop resources by specifying
users, groups and ip addresses that are permitted access.</p><p>Note: In the examples
below {serviceName} represents a real service name (e.g. WEBHDFS) and would be replaced with
these values in an actual configuration.</p><h5><a id="Usecases"></a>Usecases</h5><h6><a
id="USECASE-1:+Restrict+access+to+specific+Hadoop+services+to+specific+Users"></a>USECASE-1:
Restrict access to specific Hadoop services to specific Users</h6>
 <pre><code>&lt;param&gt;
     &lt;name&gt;{serviceName}.acl&lt;/name&gt;
     &lt;value&gt;guest;*;*&lt;/value&gt;
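Review bot: the rendered table cells for input and lookup print the expression as "(.*)@(.*?)..*", without the backslash that the topology sample further down carries in (.*)@(.*?)\..*. As printed, the pattern no longer requires a literal dot after group 2, so a reader copying it from the table gets a different expression from the one the sample configures. The sample identities have also been auto-linked as mailto: anchors, and in the last one the closing quote has been pulled into the link text and href ("nobody@USA" followed by the quote). Suggest putting the expressions and sample identities in code spans in config_id_assertion.md so the generator neither drops the backslash nor links the addresses, then regenerating user-guide.html.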

Modified: knox/site/index.html
URL: http://svn.apache.org/viewvc/knox/site/index.html?rev=1705149&r1=1705148&r2=1705149&view=diff
==============================================================================
--- knox/site/index.html (original)
+++ knox/site/index.html Thu Sep 24 21:05:38 2015
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2015-09-08
+ | Generated by Apache Maven Doxia at 2015-09-24
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20150908" />
+    <meta name="Date-Revision-yyyymmdd" content="20150924" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; REST API Gateway for the Hadoop Ecosystem</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2015-09-08</li>

+                  <li id="publishDate" class="pull-right">Last Published: 2015-09-24</li>

             
                             </ul>
       </div>
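Review bot: the "Last Published" line here, like the Doxia comment and the Date-Revision meta value in the hunk above, changes only the date (2015-09-08 to 2015-09-24), and the remaining knox/site pages in this commit show the same date-only change. Consider committing the regenerated site separately from the config_id_assertion.md edit so the KNOX-579 documentation change can be reviewed without this churn. It is also worth confirming whether the 20 PNGs listed as modified under the 0-4-0 through 0-7-0 books changed in content or were only rewritten by the site build.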

Modified: knox/site/issue-tracking.html
URL: http://svn.apache.org/viewvc/knox/site/issue-tracking.html?rev=1705149&r1=1705148&r2=1705149&view=diff
==============================================================================
--- knox/site/issue-tracking.html (original)
+++ knox/site/issue-tracking.html Thu Sep 24 21:05:38 2015
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2015-09-08
+ | Generated by Apache Maven Doxia at 2015-09-24
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20150908" />
+    <meta name="Date-Revision-yyyymmdd" content="20150924" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Issue Tracking</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2015-09-08</li>

+                  <li id="publishDate" class="pull-right">Last Published: 2015-09-24</li>

             
                             </ul>
       </div>

Modified: knox/site/license.html
URL: http://svn.apache.org/viewvc/knox/site/license.html?rev=1705149&r1=1705148&r2=1705149&view=diff
==============================================================================
--- knox/site/license.html (original)
+++ knox/site/license.html Thu Sep 24 21:05:38 2015
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2015-09-08
+ | Generated by Apache Maven Doxia at 2015-09-24
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20150908" />
+    <meta name="Date-Revision-yyyymmdd" content="20150924" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Project License</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2015-09-08</li>

+                  <li id="publishDate" class="pull-right">Last Published: 2015-09-24</li>

             
                             </ul>
       </div>

Modified: knox/site/mail-lists.html
URL: http://svn.apache.org/viewvc/knox/site/mail-lists.html?rev=1705149&r1=1705148&r2=1705149&view=diff
==============================================================================
--- knox/site/mail-lists.html (original)
+++ knox/site/mail-lists.html Thu Sep 24 21:05:38 2015
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2015-09-08
+ | Generated by Apache Maven Doxia at 2015-09-24
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20150908" />
+    <meta name="Date-Revision-yyyymmdd" content="20150924" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Project Mailing Lists</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2015-09-08</li>

+                  <li id="publishDate" class="pull-right">Last Published: 2015-09-24</li>

             
                             </ul>
       </div>

Modified: knox/site/project-info.html
URL: http://svn.apache.org/viewvc/knox/site/project-info.html?rev=1705149&r1=1705148&r2=1705149&view=diff
==============================================================================
--- knox/site/project-info.html (original)
+++ knox/site/project-info.html Thu Sep 24 21:05:38 2015
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2015-09-08
+ | Generated by Apache Maven Doxia at 2015-09-24
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20150908" />
+    <meta name="Date-Revision-yyyymmdd" content="20150924" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Project Information</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2015-09-08</li>

+                  <li id="publishDate" class="pull-right">Last Published: 2015-09-24</li>

             
                             </ul>
       </div>

Modified: knox/site/team-list.html
URL: http://svn.apache.org/viewvc/knox/site/team-list.html?rev=1705149&r1=1705148&r2=1705149&view=diff
==============================================================================
--- knox/site/team-list.html (original)
+++ knox/site/team-list.html Thu Sep 24 21:05:38 2015
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia at 2015-09-08
+ | Generated by Apache Maven Doxia at 2015-09-24
  | Rendered using Apache Maven Fluido Skin 1.3.0
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20150908" />
+    <meta name="Date-Revision-yyyymmdd" content="20150924" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Knox Gateway &#x2013; Team list</title>
     <link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
@@ -58,7 +58,7 @@
               
                 
                     
-                  <li id="publishDate" class="pull-right">Last Published: 2015-09-08</li>

+                  <li id="publishDate" class="pull-right">Last Published: 2015-09-24</li>

             
                             </ul>
       </div>

Modified: knox/trunk/books/0.7.0/config_id_assertion.md
URL: http://svn.apache.org/viewvc/knox/trunk/books/0.7.0/config_id_assertion.md?rev=1705149&r1=1705148&r2=1705149&view=diff
==============================================================================
--- knox/trunk/books/0.7.0/config_id_assertion.md (original)
+++ knox/trunk/books/0.7.0/config_id_assertion.md Thu Sep 24 21:05:38 2015
@@ -117,4 +117,44 @@ The above configuration will result in a
 
 In addition to the concat.suffix parameter, the provider supports the setting of a prefix
through a concat.prefix parameter.
 
+#### Regular Expression Identity Assertion Provider ####
+The regular expression identity assertion provider allows incoming identities to be translated
using a regular expression, template and lookup table.
+This will probably be most useful in conjunction with the HeaderPreAuth federation provider.
 
+There are three configuration parameters used to control the behavior of the provider.
+
+Param | Description
+------|-----------
+input | This is a regular expression that will be applied to the incoming identity. The most
critical part of the regular expression is the group notation within the expression. In regular
expressions, groups are expressed within parenthesis. For example in the regular expression
"(.*)@(.*?)\..*" there are two groups. When this regular expression is applied to "nobody@us.imaginary.tld"
group 1 matches "nobody" and group 2 matches "us". 
+output| This is a template that assembles the result identity. The result is assembled from
the static text and the matched groups from the input regular expression. In addition, the
matched group values can be looked up in the lookup table. An output value of "{1}_{2}" of
will result in "nobody_us".                 
+lookup| This lookup table provides a simple (albeit limited) way to translate text in the
incoming identities. This configuration takes the form of "=" separated name values pairs
separated by ";". For example an lookup setting is "us=USA;ca=CANADA". The lookup is invoked
in the output setting by surrounding the desired group number in square brackets (i.e. []).
Putting it all together, output setting of "{1}_[{2}]" combined with input of "(.*)@(.*?)\..*"
and lookup of "us=USA;ca=CANADA" will turn "nobody@us.imaginary.tld" into "nobody@USA".  
   
+
+Within the topology file the provider configuration might look like this.
+
+    <provider>
+        <role>identity-assertion</role>
+        <name>Regex</name>
+        <enabled>true</enabled>
+        <param>
+            <name>input</name>
+            <value>(.*)@(.*?)\..*</value>
+        </param>
+        <param>
+            <name>output</name>
+            <value>{1}_{[2]}</value>
+        </param>
+        <param>
+            <name>lookup</name>
+            <value>us=USA;ca=CANADA</value>
+        </param>
+    </provider>  
+
+Using curl with this type of configuration might produce the following results. 
+
+    curl -k --header "SM_USER: nobody@us.imaginary.tld" 'https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY'
+    
+    {"Path":"/user/member_USA"}
+    
+    url -k --header "SM_USER: nobody@ca.imaginary.tld" 'https://localhost:8443/gateway/sandbox/webhdfs/v1?op=GETHOMEDIRECTORY'
+    
+    {"Path":"/user/member_CANADA"}
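Review bot: the examples in the added section do not agree with each other. The lookup row gives the syntax as "{1}_[{2}]" while the topology sample uses "{1}_{[2]}"; the same row says that template turns "nobody@us.imaginary.tld" into "nobody@USA", where the underscore in the template would give "nobody_USA"; and the curl output shows "/user/member_USA" for the identity "nobody", which none of the settings shown would produce. The second command is missing its first letter ("url -k"), and the table text has "of will result" and "an lookup setting". Because this provider rewrites the asserted identity, please also state what is asserted when the input expression does not match the incoming identity and when a matched group has no entry in the lookup table.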


