[ https://issues.apache.org/jira/browse/RANGER-1486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16144250#comment-16144250 ]

Shi Wang commented on RANGER-1486:
----------------------------------

Hi [~jonesn],

The usage I could imagine is that when the user selects LDAP as the usersync method, 
the usersync config field should have a checkbox "use Atlas to scope 
user roles" (if Atlas tag sync is enabled). If it is checked, it will ask the 
user to specify the role names (maybe multiple?) and use them as the parameters 
in the "gaf omas" REST call.

Some use cases I could think of:
1. We should sync only those users that both satisfy the LDAP filter (if used) and 
have the role tag? (in case there are more users with the specified role than 
users obtained by the LDAP filter)
2. When there is a message indicating that more users have been added to the 
specified role, they should be added to the Ranger DB.
3. When the role is changed, the Ranger DB should remove the old synced users and 
add the users with the added roles.

The above is a general picture of this feature from my understanding. Maybe it is 
not correct, or there are other use cases. :)

> New usersync alternative for Atlas (vdc)
> ----------------------------------------
>
>                 Key: RANGER-1486
>                 URL: https://issues.apache.org/jira/browse/RANGER-1486
>             Project: Ranger
>          Issue Type: New Feature
>          Components: usersync
>            Reporter: Nigel Jones
>            Assignee: Nigel Jones
>              Labels: VirtualDataConnector
>
> As part of the Atlas Virtualization Data Connector work we are using this 
> within a large enterprise with a lot of users & groups stored in LDAP.
> The connector -- which has a Ranger plugin to apply access control policies 
> -- is used by a relatively small subset of these users. However, that can't 
> easily be transcribed to an optimal LDAP query.
> Since Atlas will have the definitive list of roles that are being used, this 
> new usersync will instead retrieve a list of roles from Atlas, and will then 
> use this list to retrieve only those users found in this list of roles from 
> LDAP.
> This is an alternative usersync, so it shouldn't conflict, and it will use the 
> same Ranger APIs.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
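The reconciliation sketched in the three use cases of the comment above (sync only LDAP-filtered users who hold a selected Atlas role; add users when a role grows; swap the synced set when the selected roles change), as an added illustration that is not Ranger or Atlas code. The user ids, role names, and the in-memory stand-ins for the LDAP search result, the Atlas role lookup and the Ranger user store are all constructed.

```python
"""Plan a Ranger usersync run from an LDAP filter result and Atlas role membership.

Added example; all inputs are constructed in-memory stand-ins, not real
LDAP, Atlas or Ranger data.
"""
from typing import Dict, Set, Tuple


def users_in_roles(role_members: Dict[str, Set[str]], roles: Set[str]) -> Set[str]:
    """Union of the members of the selected Atlas roles.

    role_members stands in for the Atlas role lookup; unknown roles contribute nothing.
    """
    return set().union(*(role_members.get(r, set()) for r in roles))


def plan_sync(ldap_users: Set[str],
              role_members: Dict[str, Set[str]],
              roles: Set[str],
              currently_synced: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Return (to_add, to_remove) for the Ranger user store.

    Use case 1: a user is wanted only if BOTH the LDAP filter and a selected
    role include them (an intersection, so role members outside the LDAP
    filter are not pulled in).
    Use case 2: users newly added to a selected role appear in to_add.
    Use case 3: when the selected roles change, users synced for the old roles
    appear in to_remove and members of the new roles in to_add. Only users
    this sync previously created are removal candidates.
    """
    wanted = ldap_users & users_in_roles(role_members, roles)
    return wanted - currently_synced, currently_synced - wanted


if __name__ == "__main__":
    # Constructed sample data.
    ldap = {"alice", "bob", "carol", "dave"}
    atlas_roles = {"vdc-analyst": {"alice", "bob", "erin"},
                   "vdc-admin": {"carol", "frank"}}
    add, remove = plan_sync(ldap, atlas_roles, {"vdc-analyst"}, set())
    print("first run:", sorted(add), sorted(remove))
    add, remove = plan_sync(ldap, atlas_roles, {"vdc-admin"}, {"alice", "bob"})
    print("role changed:", sorted(add), sorted(remove))
```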