Authentication User Mapping

Authentication user mapping defines rules for mapping from users in the authentication system to openLooKeng users. This mapping is particularly important for Kerberos or LDAP authentication where the user names are complex like alice@example or CN=Alice Smith, OU=Finance, O=Acme, C=US.

Authentication user mapping can be configured with a simple regex extraction pattern, or more complex rules in a separate configuration file.

Pattern Mapping Rule

The pattern mapping rule maps the authentication user to the first matching group in the regular expression. If the regular expression does not match the authentication user, authentication is denied.

Each authentication system has a separate property for the user mapping pattern to allow different mapping when multiple authentication systems are enabled:

AuthenticationProperty
Username and Password (LDAP)http-server.authentication.password.user-mapping.pattern
Kerberoshttp-server.authentication.krb5.user-mapping.pattern
Certificatehttp-server.authentication.certificate.user-mapping.pattern
Json Web Tokenhttp-server.authentication.jwt.user-mapping.pattern

File Mapping Rules

The file mapping rules allow for more complex mappings from the authentication user. These rules are loaded from a JSON file defined in a configuration property. The mapping is based on the first matching rule, processed from top to bottom. If no rules match, authentication is denied. Each rule is composed of the following fields:

Field NameDefault ValueRequiredDescription
pattern(none)YesRegex to match against authentication user
user$1NoReplacement string to substitute against pattern
allowtrueNoBoolean indicating if the authentication should be allowed

The following example maps all users like alice@example.com to just alice, except for the testuser which is denied authentication, and it maps users like bob@uk.example.com to bob_uk:

{
    "rules": [
        {
            "pattern": "test@example\\.com",
            "allow": false
        },
        {
            "pattern": "(.+)@example\\.com"
        },
        {
            "pattern": "(?<user>.+)@(?<region>.+)\\.example\\.com",
            "user": "${user}_${region}"
        }
    ]
}

Each authentication system has a separate property for the user mapping file to allow different mapping when multiple authentication systems are enabled:

AuthenticationProperty
Username and Password (LDAP)http-server.authentication.password.user-mapping.file
Kerberoshttp-server.authentication.krb5.user-mapping.file
Certificatehttp-server.authentication.certificate.user-mapping.file
Json Web Tokenhttp-server.authentication.jwt.user-mapping.file

有奖捉虫

“有虫”文档片段

0/500

存在的问题

文档存在风险与错误

● 拼写,格式,无效链接等错误;

● 技术原理、功能、规格等描述和软件不一致,存在错误;

● 原理图、架构图等存在错误;

● 版本号不匹配:文档版本或内容描述和实际软件不一致;

● 对重要数据或系统存在风险的操作,缺少安全提示;

● 排版不美观,影响阅读;

内容描述不清晰

● 描述存在歧义;

● 图形、表格、文字等晦涩难懂;

● 逻辑不清晰,该分类、分项、分步骤的没有给出;

内容获取有困难

● 很难通过搜索引擎,openLooKeng官网,相关博客找到所需内容;

示例代码有错误

● 命令、命令参数等错误;

● 命令无法执行或无法完成对应功能;

内容有缺失

● 关键步骤错误或缺失,无法指导用户完成任务,比如安装、配置、部署等;

● 逻辑不清晰,该分类、分项、分步骤的没有给出

● 图形、表格、文字等晦涩难懂

● 缺少必要的前提条件、注意事项等;

● 描述存在歧义

0/500

您对文档的总体满意度

非常不满意
非常满意

请问是什么原因让您参与到这个问题中

您的邮箱

创Issue赢奖品
根据您的反馈,会自动生成issue模板。您只需点击按钮,创建issue即可。
有奖捉虫