The Knox Gatewayidentity-assertion
provider maps an authenticated user to an internal
cluster user and/or group. This allows the Knox Gateway accept requests from external users without requiring internal cluster user names to be exposed.
The gateway evaluates the authenticated user against the identity-assertion
provider to determine the following:
Does the user match any user mapping rules:
True:The first matching
$cluster_user
is asserted, that is it becomes the authenticated user.False:The authenticated user is asserted.
Does the authenticated user match any group mapping rules:
True:The authenticated user is a member of all matching groups (for the purpose of authorization).
False:The authenticated user is not a member of any mapped groups.
Note | |
---|---|
When authenticated by an SSO provider, the
authenticated user is a member of all groups defined in the request as well as any that
match the |