Concat Identity Assertion Provider
The Concat identity assertion provider allows for composition of a new user principal through the concatenation of optionally configured prefix and/or suffix provider parameters. This is a useful assertion provider for converting an incoming identity into a disambiguated identity within the Hadoop cluster based on what topology is used to access Hadoop.
Concat Identity Assertion is a new provider for the Knox Gateway that enables you to map principals by concatenating strings to either the front or the back of a specified username. The Identity Assertion Provider provides the critical function of determining the Identity Principal that you will want to use in your Hadoop cluster to represent the identity that has been authenticated at the gateway. For more information on the Identity Assertion Provider and how it is used in the Knox Gateway, refer to the Identity Assertion chapter in the Apache Knox 0.11.x User Guide. If you would like to convert the user principal into a value that represents an identity from a particular user domain, use a configuration similar to the below example.
<provider> <role>identity-assertion</role> <name>Concat</name> <enabled>true</enabled> <param> <name>concat.suffix</name> <value>domain1</value> </param> <provider>
Notice
in this example that the identity-assertion
role has been
named Concat
and has been enabled (true) for the Identity
Assertion Provider, with the conact.suffix
parameter given a
value of domain1
and concatenation will occur at the end of
the username (concat.suffix
). You may also use a parameter
called concat.prefix
to indicate a value to concatenate to
the front of the username.