[jira] [Commented] (SHIRO-631) Principal mapping rules similar to Hadoop's auth_to_local


JIRA jira@apache.org

    [ https://issues.apache.org/jira/browse/SHIRO-631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16095993#comment-16095993 ]

Hari Sekhon commented on SHIRO-631:

[~bdemers] It's possible that in an Active Directory forest with different domains, different people may end up having the same short user name in each of their own domains, e.g. there may be a johnsmith user in each domain. When querying via the global catalog and having both users DOMAIN1\johnsmith and DOMAIN2\johnsmith or [hidden email] and [hidden email], usage of the short username is common and will result in a collision of both users being just 'johnsmith', and this could accidentally expose data permissions too as authorization mechanisms will just look at the username to compare to the permissions tables.

So authentication integration mechanisms need to be able to differentiate, either by using [hidden email] vs [hidden email], but this can cause issues where the dependent technology may not permit symbols like @, or may require filesystem home directories which will either not work or be messy looking.

If you have the ability to remap users based on a rule scheme like Hadoop's auth_to_local, then you can handle this flexibly by translating or munging the user shortname based on the domain, without having to use the AD UPN such as [hidden email], by adding prefixes/suffixes or converting characters that would otherwise be invalid to the top-level technology by regex validation or characters not permitted in a filesystem path.

> Principal mapping rules similar to Hadoop's auth_to_local
> ---------------------------------------------------------
>                 Key: SHIRO-631
>                 URL: https://issues.apache.org/jira/browse/SHIRO-631
>             Project: Shiro
>          Issue Type: New Feature
>          Components: Authentication (log-in), Authorization (access control), Realms
>         Environment: HDP 2.6 + Kerberos + AD LDAP multi-domain forest
>            Reporter: Hari Sekhon
>            Priority: Blocker
> Feature Request to add principal mapping rules similar to Hadoop's auth_to_local.
> This will allow munging principals and rule based remappings to differentiate duplicate users in multi-domain Active Directory forests where the LDAP results returned from the global catalog include duplicate usernames which need to be translated with a prefix/suffix in order to differentiate between domains to prevent users from different domains sharing logins, permissions etc.

This message was sent by Atlassian JIRA
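To make the requested behaviour concrete, here is a small Python reimplementation of a subset of Hadoop's auth_to_local rule grammar (RULE:[n:fmt](match)s/pat/rep/[g] and DEFAULT). It is an added illustration, not code from the ticket, Shiro or Hadoop; the realm names, rules and principals are constructed to reproduce the johnsmith collision from the comment and show how per-domain prefixes keep the two accounts apart.

```python
import re

RULE_RE = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]+)\]"
    r"(?:\((?P<match>.*?)\))?"
    r"(?:s/(?P<pat>(?:[^/\\]|\\.)*)/(?P<rep>(?:[^/\\]|\\.)*)/(?P<g>g?))?$"
)

# Constructed rules: give each AD domain its own prefix so the short names cannot collide.
RULES = [
    r"RULE:[1:$1@$0](.*@DOMAIN1\.EXAMPLE)s/^(.*)@DOMAIN1\.EXAMPLE$/d1_\1/",
    r"RULE:[1:$1@$0](.*@DOMAIN2\.EXAMPLE)s/^(.*)@DOMAIN2\.EXAMPLE$/d2_\1/",
    "DEFAULT",  # principals in the default realm keep their plain short name
]
DEFAULT_REALM = "CORP.EXAMPLE"  # constructed Kerberos default realm

def split_principal(principal):
    """'user/instance@REALM' -> (['user', 'instance'], 'REALM')."""
    name, _, realm = principal.partition("@")
    return name.split("/"), realm

def apply_rules(principal, rules=RULES, default_realm=DEFAULT_REALM):
    """Return the local user name for a Kerberos principal; the first matching rule wins."""
    components, realm = split_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            if realm == default_realm:
                return components[0]
            continue
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError("malformed rule: " + rule)
        if len(components) != int(m["n"]):
            continue  # rule is for principals with a different number of components
        # $0 is the realm, $1..$n the components, as in Hadoop's fmt string
        text = m["fmt"].replace("$0", realm)
        for i, comp in enumerate(components, start=1):
            text = text.replace(f"${i}", comp)
        if m["match"] is not None and not re.fullmatch(m["match"], text):
            continue
        if m["pat"] is None:
            return text
        return re.sub(m["pat"], m["rep"], text, count=0 if m["g"] else 1)
    # Hadoop also raises here; refusing is safer than silently falling back to a short name
    raise ValueError("no auth_to_local rule matched " + principal)

if __name__ == "__main__":
    for p in ["johnsmith@DOMAIN1.EXAMPLE", "johnsmith@DOMAIN2.EXAMPLE", "bob@CORP.EXAMPLE"]:
        print(p, "->", apply_rules(p))
```

A principal that no rule covers (for example a two-component alice/admin@DOMAIN1.EXAMPLE with only one-component rules) is rejected rather than mapped to a bare short name, which is the behaviour that avoids the cross-domain permission leak described above.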