Mapping Authorization Groups

FTL allows administrators to map their own roles to FTL roles. This is done via the auth.rolemap file, which can contain a separate mapping for each authentication provider.

Rules on role mapping file

  • Role mapping within the ‘ldap’ section applies to both ldap and ldaps, e.g. in the example below:

    [ldap]
    FTL-Admin: ftl-admin

  • Only one mapping per authentication provider is allowed; for example, you cannot have two separate authentication sections for ldap/ldaps, for mtls, or for oauth2.

Note: Syntax Summary for the mapping file

  • A role mapping file has one subsection per authentication type.

  • Each subsection starts with a square bracket [, followed by the authentication provider name and a closing square bracket ].

  • Allowed authentication provider names:

    • ldap or ldaps

    • mtls

    • oauth2

  • A header line with the syntax [<authentication provider>] starts the subsection for that authentication type; the subsequent lines, up to the next [<authentication provider>] header, are the role mappings associated with that authentication provider.

  • There can be only one subsection per authentication provider.

  • A role mapping within an authentication provider section defines the mapping from a user-defined role to the FTL built-in role(s) pertinent to that authentication provider.

  • Delimit the user-defined role from the FTL role with a required colon (e.g. FTL-Admin: ftl-admin).

  • You may add optional space characters after the colon. The FTL built-in role begins with the first non-whitespace character after the colon.

  • Delimit FTL roles with a comma to map the same user-defined role to additional FTL built-in roles (e.g. group1: ftl-admin, ftl-internal).

  • Separate authorization roles or groups with a comma only (spaces are not valid).


Here is an example of a role mapping file named rolemap.txt:

[ldap]
FTL-Admin: ftl-admin
[mtls]
group1: ftl-admin, ftl-internal
group2: ftl
[oauth2]
oauth2-admin: ftl-admin
oauth2-apps: ftl
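
The syntax rules above are easiest to check against code. The following Python parser is an added illustration for this page, not code from the FTL product or its documentation: it enforces one section per provider (treating [ldaps] as the same section as [ldap]), the required colon, optional whitespace after the colon, and comma-separated FTL roles, and it fails closed by raising on any malformed line rather than silently granting roles. The embedded sample is the rolemap.txt shown above. The function and class names, the handling of blank lines and of a user-defined role repeated within one section, and the case-insensitive treatment of provider names are assumptions of this example, not documented FTL behaviour.

```python
"""Parser and lookup for an FTL-style role mapping file (added example, not TIBCO code)."""

# Provider names allowed in a section header. 'ldaps' is an alias for 'ldap',
# so both share one section and a separate [ldaps] section counts as a duplicate.
PROVIDER_ALIASES = {"ldap": "ldap", "ldaps": "ldap", "mtls": "mtls", "oauth2": "oauth2"}

# Constructed sample: the rolemap.txt shown on the page.
SAMPLE_ROLEMAP = """\
[ldap]
FTL-Admin: ftl-admin
[mtls]
group1: ftl-admin, ftl-internal
group2: ftl
[oauth2]
oauth2-admin: ftl-admin
oauth2-apps: ftl
"""


class RoleMapError(ValueError):
    """Raised for any malformed line; callers should fail closed and grant nothing."""


def parse_rolemap(text):
    """Return {provider: {user_defined_role: [ftl_roles, ...]}} or raise RoleMapError.

    Assumptions not stated on the page: blank lines are ignored, and a user-defined
    role repeated inside one section accumulates its FTL roles.
    """
    mappings = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name not in PROVIDER_ALIASES:
                raise RoleMapError(f"line {lineno}: unknown authentication provider '{name}'")
            current = PROVIDER_ALIASES[name]
            if current in mappings:  # one subsection per provider (ldap and ldaps share one)
                raise RoleMapError(f"line {lineno}: second section for provider '{current}'")
            mappings[current] = {}
            continue
        if current is None:
            raise RoleMapError(f"line {lineno}: mapping appears before any [provider] header")
        user_role, colon, rest = line.partition(":")  # the colon is required
        user_role = user_role.strip()
        if not colon or not user_role:
            raise RoleMapError(f"line {lineno}: expected '<user role>: <ftl role>[, <ftl role>...]'")
        roles = mappings[current].setdefault(user_role, [])
        for piece in rest.split(","):
            role = piece.strip()  # optional whitespace after ':' and after ',' is dropped
            if not role or any(ch.isspace() for ch in role):
                raise RoleMapError(f"line {lineno}: invalid FTL role '{role}'")
            if role not in roles:
                roles.append(role)
    return mappings


def validate_rolemap(text):
    """Return None if `text` parses cleanly, else the error message (for a pre-deploy check)."""
    try:
        parse_rolemap(text)
    except RoleMapError as exc:
        return str(exc)
    return None


def ftl_roles_for(mappings, provider, user_roles):
    """FTL roles granted to a principal who authenticated via `provider` and holds `user_roles`.

    Unknown providers and unmapped roles grant nothing. User-defined role names are
    compared case-sensitively (an assumption; the page does not say).
    """
    section = mappings.get(PROVIDER_ALIASES.get(provider.lower()), {})
    granted = set()
    for role in user_roles:
        granted.update(section.get(role, ()))
    return granted


if __name__ == "__main__":
    m = parse_rolemap(SAMPLE_ROLEMAP)
    print(sorted(ftl_roles_for(m, "ldaps", ["FTL-Admin"])))       # ['ftl-admin']
    print(sorted(ftl_roles_for(m, "mtls", ["group1", "group2"])))  # ['ftl', 'ftl-admin', 'ftl-internal']
```

Because this file decides who receives ftl-admin, run validate_rolemap over it before deploying and treat any error as a hard failure; a duplicate [ldaps] section or a line missing its colon should stop the rollout rather than be partially applied.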