- Bug
- Resolution: Unresolved
- Major
- Workaround Exists
The operator automatically configures the role-mapper AND the credentials used by the controllers based upon the client cert strategy configured in the Infinispan CR. The following role-mapper configurations are applied:

- `clientCert: None | Validate` -> `cluster-role-mapper`
- `clientCert: Authenticate` -> `common-name-role-mapper`

A valid use-case is for a user to adopt the `clientCert: Validate` strategy with a `common-name-role-mapper` to ensure that the CN of the certificate determines the capabilities of the client(s).
Currently it's not possible for the user to define a custom role-mapper via custom server configuration, as the Operator controllers need to be aware of the desired role-mapper in order to configure their rest client correctly.
We should add an optional field to the Infinispan CR that allows the role-mapper to be explicitly configured, with the previous defaults applied if the field is omitted.
Example Infinispan CR configuration:
```yaml
spec:
  security:
    authorization:
      roleMapper: common-name-role-mapper
```