[ https://issues.apache.org/jira/browse/RANGER-1486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16130060#comment-16130060 ]

Nigel Jones commented on RANGER-1486:
-------------------------------------

The rationale behind this JIRA is as follows:

In a complex enterprise environment there may be many hundreds of thousands, or 
even millions, of users in LDAP. Similarly there could be many, many roles 
(thousands or more).

Initially a data lake environment may only be used directly by a small number - 
perhaps 10, 20, 100, 500... 

If Ranger were to pull in ALL users and ALL roles from LDAP, this could impact 
the LDAP server and cause Ranger issues due to the data set size. 

The problem becomes how to scope the query. The usersync process does allow 
LDAP-oriented filters to be used - however, in the environment being considered 
the data lake team do not make changes to LDAP other than arranging the 
membership of users in roles. That set of roles is specific to the data lake 
environment and is a small set - perhaps 10.

Policies that relate to controlling access to the data use roles almost 
exclusively, and metadata including tags/classification is sourced from Atlas. 
Atlas itself is evolving to have a more complex data model which will 
incorporate the concept of user roles. It is also providing new consumer-centric 
APIs such as "gaf omas" (see linked Jira), and the proposal is that 
this seed list of roles can be used by the tagsync process in Atlas to optimize 
pulling only the user/role information that is relevant to the environment.


> New usersync alternative for Atlas (vdc)
> ----------------------------------------
>
>                 Key: RANGER-1486
>                 URL: https://issues.apache.org/jira/browse/RANGER-1486
>             Project: Ranger
>          Issue Type: New Feature
>          Components: usersync
>            Reporter: Nigel Jones
>            Assignee: Nigel Jones
>              Labels: VirtualDataConnector
>
> As part of the Atlas Virtualization Data Connector work we are using this 
> within a large enterprise with a lot of users & groups stored in LDAP.
> The connector -- which has a Ranger plugin to apply access control policies 
> -- is used by a relatively small subset of these users. However, that can't 
> easily be transcribed to an optimal LDAP query.
> Since Atlas will have the definitive list of roles that are being used, this 
> new usersync will instead retrieve a list of roles from Atlas, and will then 
> use this list to retrieve only those users found in this list of roles from 
> LDAP.
> This is an alternative usersync, so it shouldn't conflict, and it will use the 
> same Ranger APIs.
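One way to express the scoping described above, as an added example that is not part of this JIRA or of the Ranger code base: given the seed list of role DNs obtained from Atlas (a constructed list here), build the one LDAP search filter that returns only members of those roles, rather than every user in the directory. It assumes a directory that exposes group membership through a `memberOf` attribute and users that carry `objectClass=person`; both attribute names are assumptions and can be changed through the parameters.

```python
# Scoped usersync filter: users who are members of at least one seed role.
# Assumes memberOf-style membership (e.g. Active Directory or an LDAP server
# with the memberOf overlay) and objectClass=person for user entries.

# RFC 4515 escaping for any value embedded in a search filter, so a role DN
# containing '(' , ')' , '*' or '\' cannot alter the filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a single attribute value for use inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def scoped_user_filter(role_dns, user_class="person", member_attr="memberOf"):
    """Return a filter matching users in any of role_dns.

    An empty seed list raises rather than silently degrading to an
    unscoped query: the whole point is never to pull ALL users from LDAP.
    """
    if not role_dns:
        raise ValueError("empty role list: refusing to build an unscoped query")
    clauses = "".join(f"({member_attr}={escape_filter_value(dn)})" for dn in role_dns)
    if len(role_dns) == 1:
        return f"(&(objectClass={user_class}){clauses})"
    return f"(&(objectClass={user_class})(|{clauses}))"


# Constructed seed list standing in for the roles Atlas would report.
SAMPLE_ROLE_DNS = [
    "cn=lake-admins,ou=roles,dc=example,dc=com",
    "cn=lake-analysts,ou=roles,dc=example,dc=com",
]

if __name__ == "__main__":
    print(scoped_user_filter(SAMPLE_ROLE_DNS))
```

The resulting filter is what the alternative usersync would pass to the LDAP search (with the user base DN and subtree scope) so that only members of the seed roles are returned.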



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)