shiro-dev mailing list archives

From "Ruslan Dautkhanov (JIRA)" <>
Subject [jira] [Commented] (SHIRO-631) Principal mapping rules similar to Hadoop's auth_to_local
Date Tue, 17 Oct 2017 18:22:00 GMT


Ruslan Dautkhanov commented on SHIRO-631:

Here's the auth_to_local description from the Kerberos man page:

This tag allows you to set a general rule for mapping principal names to local user names.
It will be used if there is not an explicit mapping for the principal name that is being translated.
The possible values are:

The local name will be formulated from exp.

The format for exp is [n:string](regexp)s/pattern/replacement/g. The integer n indicates how
many components the target principal should have. If this matches, then a string will be formed
from string, substituting the realm of the principal for $0 and the n‘th component of the
principal for $n (e.g. if the principal was johndoe/admin then [2:$2$1foo] would result in
the string adminjohndoefoo). If this string matches regexp, then the s//[g] substitution command
will be run over the string. The optional g will cause the substitution to be global over
the string, instead of replacing only the first match in the string.

The principal name will be used as the local user name. If the principal has more than one
component or is not in the default realm, this rule is not applicable and the conversion will
For example:
        auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
        auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
        auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
        auto_to_local = DEFAULT
would result in any principal without root or admin as the second component to be translated
with the default rule. A principal with a second component of admin will become its first
component. root will be used as the local name for any principal with a second component of
root. The exception to these two rules are any principals johndoe/*, which will always get
the local name guest.

We use auth_to_local quite often in Hadoop clusters. 
Yep, would be nice to have this in Shiro too.

> Principal mapping rules similar to Hadoop's auth_to_local
> ---------------------------------------------------------
>                 Key: SHIRO-631
>                 URL:
>             Project: Shiro
>          Issue Type: New Feature
>          Components: Authentication (log-in), Authorization (access control), Realms
>         Environment: HDP 2.6 + Kerberos + AD LDAP multi-domain forest
>            Reporter: Hari Sekhon
>            Priority: Blocker
>
> Feature Request to add principal mapping rules similar to Hadoop's auth_to_local.
> This will allow munging principals and rule based remappings to differentiate duplicate
> users in multi-domain Active Directory forests where the LDAP results returned from the global
> catalog include duplicate usernames which need to be translated with a prefix/suffix in order
> to differentiate between domains to prevent users from different domains sharing logins, permissions
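As an added illustration (not part of the ticket, the comment above, or any Shiro or Hadoop code), here is a small Python evaluator for the rule grammar quoted from the man page: it forms the string from $0 (realm) and $n (components), tests the regexp, applies the s/pattern/replacement/g substitution, and falls through to DEFAULT. The unanchored regexp search and the literal (no back-reference) replacement follow the krb5.conf description rather than Hadoop's variant; the parser assumes no ')' inside the regexp and no unescaped '/' inside the s/// fields, and the realms, user names and the MULTI_DOMAIN_RULES are constructed for this example. The multi-domain rules show the case the ticket describes: the realm is carried through $0 into a suffix, so the same username from two domains maps to two distinct local names.

```python
"""auth_to_local evaluator for RULE:[n:string](regexp)s/pattern/replacement/g and DEFAULT.

Added example; follows the krb5.conf man page text, not a particular implementation.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Rule grammar from the man page. Parser assumptions of this example: the regexp
# contains no ')' and the s/// fields contain no unescaped '/'.
_RULE_RE = re.compile(r"^RULE:\[(\d+):(.*?)\](?:\((.*?)\))?(?:s/(.*?)/(.*?)/(g?))?$")

DEFAULT = "DEFAULT"  # sentinel for the DEFAULT rule


@dataclass(frozen=True)
class Rule:
    n: int                                   # required number of principal components
    fmt: str                                 # string with $0 (realm) and $1..$n (components)
    regexp: Optional["re.Pattern"]           # formed string must match this, if present
    subst: Optional[Tuple["re.Pattern", str, bool]]  # (pattern, replacement, global?)


def parse_rule(text: str) -> Union[Rule, str]:
    """Parse one auth_to_local value; raises ValueError on malformed rules."""
    text = text.strip()
    if text == DEFAULT:
        return DEFAULT
    m = _RULE_RE.match(text)
    if m is None:
        raise ValueError(f"malformed auth_to_local rule: {text!r}")
    n_str, fmt, regexp, pat, repl, g = m.groups()
    n = int(n_str)
    # Reject $k references beyond the declared component count at parse time.
    if any(int(k) > n for k in re.findall(r"\$(\d+)", fmt)):
        raise ValueError(f"rule references a component beyond {n}: {text!r}")
    return Rule(
        n=n,
        fmt=fmt,
        regexp=re.compile(regexp) if regexp is not None else None,
        subst=(re.compile(pat), repl, g == "g") if pat is not None else None,
    )


def parse_principal(principal: str, default_realm: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into components and realm (default realm if absent).

    Backslash-escaped '/' and '@' are not handled (assumption of this example).
    """
    name, sep, realm = principal.partition("@")
    return name.split("/"), (realm if sep else default_realm)


def apply_rule(rule: Union[Rule, str], components: List[str], realm: str,
               default_realm: str) -> Optional[str]:
    """Return the local name if the rule applies to this principal, else None."""
    if isinstance(rule, str):
        # DEFAULT: a single-component principal in the default realm maps to itself.
        if len(components) == 1 and realm == default_realm:
            return components[0]
        return None
    if len(components) != rule.n:
        return None
    # Form the string: $0 is the realm, $k the k'th component.
    formed = re.sub(
        r"\$(\d+)",
        lambda m: realm if m.group(1) == "0" else components[int(m.group(1)) - 1],
        rule.fmt,
    )
    # The regexp is a search over the formed string; the man-page rules anchor
    # explicitly with ^ and $ where they need to.
    if rule.regexp is not None and rule.regexp.search(formed) is None:
        return None
    if rule.subst is not None:
        pat, repl, is_global = rule.subst
        # Replacement is inserted literally; 'g' replaces every match, else only the first.
        formed = pat.sub(lambda _m: repl, formed, count=0 if is_global else 1)
    return formed


def map_principal(rules, principal: str, default_realm: str) -> Optional[str]:
    """First applicable rule wins; None means no rule applied (conversion fails)."""
    components, realm = parse_principal(principal, default_realm)
    for rule in rules:
        local = apply_rule(rule, components, realm, default_realm)
        if local is not None:
            return local
    return None


# The four rules from the krb5.conf man page quoted in the ticket.
MAN_PAGE_RULES = [parse_rule(r) for r in (
    "RULE:[2:$1](johndoe)s/^.*$/guest/",
    "RULE:[2:$1;$2](^.*;admin$)s/;admin$//",
    "RULE:[2:$2](^.*;root)s/^.*$/root/",
    "DEFAULT",
)]
# Constructed variant of the third rule that forms "$1;$2", so the ';' the regexp needs is present.
FIXED_ROOT_RULE = parse_rule("RULE:[2:$1;$2](^.*;root$)s/^.*$/root/")

# Constructed rules for the multi-domain case in the ticket: the realm ($0) becomes
# a suffix, so 'jsmith' from two AD domains no longer share one local name.
MULTI_DOMAIN_RULES = [parse_rule(r) for r in (
    r"RULE:[1:$1@$0](@CORP\.EXAMPLE\.COM$)s/@.*$/_corp/",
    r"RULE:[1:$1@$0](@EU\.EXAMPLE\.COM$)s/@.*$/_eu/",
    "DEFAULT",
)]

if __name__ == "__main__":
    for p in ("johndoe/admin@EXAMPLE.COM", "alice/admin@EXAMPLE.COM", "bob/root@EXAMPLE.COM"):
        print(p, "->", map_principal(MAN_PAGE_RULES, p, "EXAMPLE.COM"))
    for p in ("jsmith@CORP.EXAMPLE.COM", "jsmith@EU.EXAMPLE.COM", "jsmith@EXAMPLE.COM"):
        print(p, "->", map_principal(MULTI_DOMAIN_RULES, p, "EXAMPLE.COM"))
```

Running a rule set through a harness like this before deploying it is worth the minute it takes: as printed, the third man-page rule's [2:$2] forms only the second component (the string "root" for bob/root), so its (^.*;root) regexp, which requires a ';', can never match, and bob/root ends up with no local name at all, because DEFAULT does not apply to two-component principals. The same harness makes it easy to confirm that no two principals you care about collapse onto one local name, which is exactly the collision the ticket wants to avoid.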

This message was sent by Atlassian JIRA
