Mapping Authenticated Users to Groups
The Knox Gateway uses group membership for Service Level Authorization only. The gateway does not propagate the user's group when communicating with the cluster.
group.principal.mapping parameter of the
identity-assertion provider determines the user's group membership. The
gateway evaluates this parameter after the
principal.mapping parameter using the authenticated
principal.mapping, the group mapping applies
all the matching values. A user is a member of all matching groups.