The Knox Gateway identity-assertion provider maps an authenticated user to an internal cluster user and/or group. This allows the Knox Gateway to accept requests from external users without requiring internal cluster user names to be exposed.
The gateway evaluates the authenticated user against the identity-assertion provider to determine the following:

- Does the user match any user mapping rules?
  - True: The first matching $cluster_user is asserted; that is, it becomes the effective user.
  - False: The authenticated user is asserted; that is, the effective user is the same as the authenticated user.
- Does the effective user match any group mapping rules?
  - True: The effective user is a member of all matching groups (for the purpose of authorization).
  - False: The effective user is not a member of any mapped groups.
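
The two-step evaluation above, written out as an added example (a simplified model, not Knox source code). It assumes rule strings in the `principals=target;...` shape used by Knox's `principal.mapping` and `group.principal.mapping` parameters, treats `*` as a wildcard, and uses hypothetical function names and constructed sample rules.

```python
# Simplified model of the evaluation order described above; not Knox code.
# Assumption: rules are written as "name1,name2=target;name3=target".

def parse_rules(spec):
    """Parse a rule string into an ordered list of (principal_set, target)."""
    rules = []
    for part in spec.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        principals, sep, target = part.partition("=")
        names = {p.strip() for p in principals.split(",") if p.strip()}
        if not sep or not names or not target.strip():
            raise ValueError(f"malformed mapping rule: {part!r}")
        rules.append((names, target.strip()))
    return rules

def rule_matches(names, user):
    # Assumption: "*" matches every principal.
    return user in names or "*" in names

def assert_identity(authenticated_user, user_spec, group_spec):
    """Return (effective_user, groups) for one authenticated principal."""
    # Step 1: the first matching user rule wins; otherwise the
    # authenticated user is asserted unchanged.
    effective = authenticated_user
    for names, cluster_user in parse_rules(user_spec):
        if rule_matches(names, authenticated_user):
            effective = cluster_user
            break
    # Step 2: group rules are checked against the EFFECTIVE user, and
    # every matching rule contributes a group.
    groups = {group for names, group in parse_rules(group_spec)
              if rule_matches(names, effective)}
    return effective, groups

# Constructed sample rules for illustration.
USER_RULES = "guest,alice=hdfs;alice=hive"
GROUP_RULES = "*=users;hdfs=admin"

if __name__ == "__main__":
    for user in ("guest", "alice", "bob"):
        print(user, "->", assert_identity(user, USER_RULES, GROUP_RULES))
```

Because group rules are matched against the effective user, any external principal mapped to `hdfs` in this sample also picks up the `admin` group, which is worth checking when reviewing a topology's mappings.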
Note: When authenticated by an SSO provider, the effective user is a member of all groups defined in the request as well as any that match the