Configuring Proxy with Apache Knox

Map Authenticated Users to Other Users

How to add a user mapping rule to an identity-assertion provider:

The principal.mapping parameter of an identity-assertion provider determines the user name that the gateway asserts (uses as the authenticated user) for grouping, authorization, and to run the request on the cluster.
  1. Open the cluster topology descriptor file, $cluster-name.xml, in a text editor.
  2. Add a Default identity-assertion provider to topology/gateway with the principal.mapping parameter as follows:
    <provider>
        <role>identity-assertion</role>
        <name>Default</name>
        <enabled>true</enabled>
        <param>
            <name>principal.mapping</name>
            <value>$user_ids=$cluster_user;$user_ids=$cluster_user1;...</value>
        </param>
    </provider>

    where the value contains a semicolon-separated list of external-to-internal user mappings, and the following variables match the names in your environment:

    • $user_ids is a comma-separated list of external users, or the wildcard (*) to indicate all users.

    • $cluster_user is the Hadoop cluster user name that the gateway asserts, that is, the authenticated user name.

  3. Save the file.
    The gateway creates a new WAR file with a modified timestamp in $gateway/data/deployments.
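
To review a mapping before saving it, the following Python script (an added example, not code from this guide or from the Knox project) reads principal.mapping from a topology descriptor, resolves the user name the gateway would assert for a given external user, and flags rules that assert a privileged cluster account. The sample topology, the PRIVILEGED set, and the lookup order (exact entry first, then the wildcard, otherwise the name unchanged) are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample topology (not from a real deployment).
SAMPLE_TOPOLOGY = """<topology><gateway>
  <provider>
    <role>identity-assertion</role>
    <name>Default</name>
    <enabled>true</enabled>
    <param>
      <name>principal.mapping</name>
      <value>alice,bob=etl_svc;carol=hdfs;*=guest</value>
    </param>
  </provider>
</gateway></topology>"""

# Assumption: accounts this site treats as privileged on the cluster.
PRIVILEGED = {"hdfs", "yarn", "hive", "root"}

def read_mapping(topology_xml):
    """Return principal.mapping from the enabled identity-assertion provider."""
    root = ET.fromstring(topology_xml)
    for prov in root.findall("./gateway/provider"):
        if (prov.findtext("role", "").strip() == "identity-assertion"
                and prov.findtext("enabled", "").strip() == "true"):
            for param in prov.findall("param"):
                if param.findtext("name", "").strip() == "principal.mapping":
                    return param.findtext("value", "").strip()
    return ""

def parse_mapping(value):
    """Parse 'u1,u2=target;u3=target2' into {external_user: cluster_user}."""
    table = {}
    for rule in filter(None, (r.strip() for r in value.split(";"))):
        users, sep, target = rule.partition("=")
        if not sep or not target.strip():
            raise ValueError(f"malformed rule: {rule!r}")
        for user in filter(None, (u.strip() for u in users.split(","))):
            if user in table:
                raise ValueError(f"duplicate mapping for {user!r}")
            table[user] = target.strip()
    return table

def asserted_user(table, external):
    # Assumption: exact entry first, then "*", else the name is unchanged.
    return table.get(external, table.get("*", external))

def audit(table):
    """List rules whose asserted cluster user is a privileged account."""
    return sorted(f"{u} -> {t}" for u, t in table.items() if t in PRIVILEGED)
```

Any line returned by audit() identifies an external user (or the wildcard) that the gateway would run as a privileged cluster account, which is worth confirming against the intended authorization policy before the topology is deployed.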