The principal.mapping parameter of an identity-assertion provider determines the user name that the gateway asserts (uses as the effective user) for grouping, authorization, and to run the request on the cluster.

Note: If a user does not match a principal mapping definition, the authenticated user becomes the effective user.

To add a user mapping rule to an identity-assertion provider:

1. Open the cluster topology descriptor file, $cluster-name.xml, in a text editor.

2. Add a Pseudo identity-assertion provider to topology/gateway with the principal.mapping parameter as follows:

   ```xml
   <provider>
       <role>identity-assertion</role>
       <name>Pseudo</name>
       <enabled>true</enabled>
       <param>
           <name>principal.mapping</name>
           <value>$user_ids=$cluster_user;$user_ids=$cluster_user1;...</value>
       </param>
   </provider>
   ```

   where the value contains a semicolon-separated list of external-to-internal user mappings, and the following variables match the names in your environment:

   - $user_ids is a comma-separated list of external users; the wildcard (*) indicates all users.
   - $cluster_user is the Hadoop cluster user name the gateway asserts, that is, the effective user name.

3. Save the file.

The gateway creates a new WAR file with a modified timestamp in /var/lib/knox/data/deployments.
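
The following added example (not part of the original documentation or the gateway's own code) parses a topology descriptor, resolves the effective user for an authenticated user, and lists mapping rules worth reviewing before deployment. The sample topology, user names, function names, and list of privileged accounts are constructed for illustration, and the precedence of an exact user match over the wildcard is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample topology; the user names are illustrative only.
SAMPLE_TOPOLOGY = """
<topology>
  <gateway>
    <provider>
      <role>identity-assertion</role>
      <name>Pseudo</name>
      <enabled>true</enabled>
      <param>
        <name>principal.mapping</name>
        <value>alice,bob=analyst;carol=hdfs;*=guest</value>
      </param>
    </provider>
  </gateway>
</topology>
"""

def load_principal_mapping(topology_xml):
    """Return {external_user: cluster_user} from enabled identity-assertion providers."""
    rules = {}
    for provider in ET.fromstring(topology_xml).findall("./gateway/provider"):
        if provider.findtext("role", "").strip() != "identity-assertion":
            continue
        if provider.findtext("enabled", "").strip().lower() != "true":
            continue
        for param in provider.findall("param"):
            if param.findtext("name", "").strip() != "principal.mapping":
                continue
            for rule in param.findtext("value", "").split(";"):
                user_ids, sep, cluster_user = rule.partition("=")
                if not sep or not cluster_user.strip():
                    continue  # skip empty or malformed rules
                for user in user_ids.split(","):
                    if user.strip():
                        rules[user.strip()] = cluster_user.strip()
    return rules

def effective_user(rules, authenticated_user):
    """Assumed precedence: exact match, then wildcard, else the authenticated user."""
    return rules.get(authenticated_user, rules.get("*", authenticated_user))

def risky_rules(rules, privileged=("hdfs", "root", "hive", "yarn")):
    """Flag rules to review: wildcard sources, or targets in an assumed privileged list."""
    return sorted(u for u, c in rules.items() if u == "*" or c in privileged)
```

A wildcard rule removes the fallback to the authenticated user, so every otherwise unmapped caller runs as the same cluster user and per-user attribution on the cluster is lost for those requests.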