Knox Gateway Administration Guide

Structure of the Identity-Assertion Provider

All cluster topology descriptors must contain an identity-assertion provider in the topology/gateway definition.

The following is the complete structure of the identity-assertion provider. The parameters are optional.

<provider>
  <role>identity-assertion</role>
  <name>Pseudo</name>
  <enabled>true</enabled>
  <param>
    <name>principal.mapping</name>
    <value> $user_ids = $cluster_user [; $user_ids = $cluster_user1 ;...]</value>
  </param>
  <param>
    <name>group.principal.mapping</name>
    <value> $cluster_users = $group1 ; $cluster_users = $group2 </value>
  </param>
</provider>

where:

  • $user_ids is a comma-separated list of external users, or the wildcard (*) to indicate all users.

  • $cluster_user is the Hadoop cluster user name the gateway asserts, that is, the authenticated user name.
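
The following review script is an added example, not part of the guide or of Knox itself. It parses the principal.mapping value in the format shown above and reports a missing identity-assertion provider, wildcard rules, and external users mapped to more than one cluster user. The sample topology and its user names are constructed, the function names are hypothetical, and the script only flags overlapping rules; it does not model how the gateway resolves them.

```python
import xml.etree.ElementTree as ET

# Constructed sample topology descriptor; user names are illustrative only.
SAMPLE_TOPOLOGY = """<topology><gateway><provider>
  <role>identity-assertion</role><name>Pseudo</name><enabled>true</enabled>
  <param><name>principal.mapping</name>
    <value>alice,bob=hdfs_ops; alice=analyst; *=guest</value></param>
</provider></gateway></topology>"""

def parse_principal_mapping(value):
    """Split '$user_ids = $cluster_user [; ...]' into (external_users, cluster_user) rules."""
    rules = []
    for chunk in value.split(";"):
        if not chunk.strip():
            continue  # tolerate a trailing ';' or surrounding whitespace
        left, sep, right = chunk.partition("=")
        users = [u.strip() for u in left.split(",") if u.strip()]
        if not sep or not users or not right.strip():
            raise ValueError(f"malformed rule: {chunk.strip()!r}")
        rules.append((users, right.strip()))
    return rules

def audit_topology(xml_text):
    """Return review findings for identity-assertion providers under topology/gateway."""
    root = ET.fromstring(xml_text)
    providers = [p for p in root.findall("./gateway/provider")
                 if (p.findtext("role") or "").strip() == "identity-assertion"]
    if not providers:
        return ["missing identity-assertion provider in topology/gateway"]
    findings, seen = [], {}
    for provider in providers:
        for param in provider.findall("param"):
            if (param.findtext("name") or "").strip() != "principal.mapping":
                continue
            for users, target in parse_principal_mapping(param.findtext("value") or ""):
                for user in users:
                    if user == "*":
                        findings.append(f"wildcard: all users asserted as {target}")
                    elif user in seen and seen[user] != target:
                        findings.append(f"conflict: {user} mapped to {seen[user]} and {target}")
                    seen.setdefault(user, target)
    return findings

if __name__ == "__main__":
    for finding in audit_topology(SAMPLE_TOPOLOGY):
        print(finding)
```
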

Note

Note that identity-assertion rules are not required; however, whenever an authentication provider is configured an identity-assertion provider is also required.