[ https://issues.apache.org/jira/browse/RANGER-1486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16147417#comment-16147417 ]

Nigel Jones commented on RANGER-1486:
-------------------------------------

* Making the use of restricted Atlas roles configurable makes sense - I'd add 
that.
* The role names wouldn't come from configuration - they would come from Atlas 
via the 'gaf omas' call (note: this OMAS we are now calling the governance 
engine OMAS) (marketing, hr, datascientist etc.). They would match the role 
names defined in LDAP.
* I would apply the ldap filter too - indeed in some ways the list of roles 
from Atlas forms an additional predicate. However, I'm not a specialist on ldap 
queries. We do need to consider efficiency.
* We can get a notification (using the governance engine OMAS, which will 
deliver it over Kafka) when a new role is added or removed from Atlas, which 
should cause us to redo the query. However, new users we won't see, as they are 
not defined in Atlas, only in LDAP, & in general ldap doesn't offer an event. In 
fact I think with both OpenLDAP & Active Directory it would be possible to 
create triggers & generate notifications that ranger/usersync could use; it's 
not really standard. Perhaps we should open a separate JIRA on that as it 
sounds like it could be genuinely useful in an enterprise environment (part B 
though would be then having a trigger mechanism to push the update not just to 
the ranger server, but to the plugins, and that's complex since they can be 
based on many technologies. At best an optional feature for a plugin?)
* In terms of a role changing, currently in Atlas I don't think we're thinking 
of any more than the role name, so there's not really anything to change. 
Whilst ideally we should track the guid of the Atlas defined role, since this 
doesn't tie up with ldap in any way it's difficult to see we could get much 
value from this.

I think in general the idea of being able to further restrict an ldap search 
makes sense in a large environment; otherwise we're pointlessly pushing far too 
much user/group info into ranger, but we do need consensus on whether the 
community is happy that the scoping could come from Atlas. I hope that as long 
as the feature is optional this would be ok.

> New usersync alternative for Atlas (vdc)
> ----------------------------------------
>
>                 Key: RANGER-1486
>                 URL: https://issues.apache.org/jira/browse/RANGER-1486
>             Project: Ranger
>          Issue Type: New Feature
>          Components: usersync
>            Reporter: Nigel Jones
>            Assignee: Nigel Jones
>              Labels: VirtualDataConnector
>
> As part of the Atlas Virtualization Data Connector work we are using this 
> within a large enterprise with a lot of users & groups stored in ldap.
> The connector -- which has a ranger plugin to apply access control policies 
> -- is used by a relatively small subset of these users. However that can't 
> easily be transcribed to an optimal ldap query.
> Since Atlas will have the definitive list of roles that are being used, this 
> new usersync will instead retrieve a list of roles from Atlas, and will then 
> use this list to retrieve only those users found in this list of roles from 
> LDAP.
> This is an alternative usersync so shouldn't conflict and will use the same 
> ranger APIs.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
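The scoping discussed in this thread, with the role list retrieved from Atlas applied as an additional predicate on the usersync LDAP query, as an added example (not code from Ranger, Atlas or this JIRA); the `memberOf` attribute and the group DN layout are assumptions.

```python
# Added example (not Ranger, Atlas or usersync code): the scoped LDAP query the
# comment describes. Role names fetched from Atlas become an extra predicate on
# the existing usersync user filter. Because they arrive from another system,
# each name is escaped per RFC 4514 (as a DN component) and RFC 4515 (as a
# filter value) before being spliced in. The group DN layout is an assumption.

_FILTER_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_DN_SPECIAL = set(',+"\\<>;')


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPE.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use as a DN component (RFC 4514)."""
    out = "".join("\\" + ch if ch in _DN_SPECIAL else ch for ch in value)
    if out[:1] in ("#", " "):          # leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" "):              # trailing space must be escaped
        out = out[:-1] + "\\ "
    return out


def build_scoped_user_filter(base_filter: str, roles, group_base_dn: str) -> str:
    """AND the existing user filter with an OR over the role groups from Atlas.

    With no roles the result matches nothing; it must never fall back to the
    unscoped query that would pull every LDAP user into Ranger.
    """
    names = sorted({r.strip() for r in roles if r and r.strip()})
    if not names:
        return "(!(objectClass=*))"
    if not (base_filter.startswith("(") and base_filter.endswith(")")):
        base_filter = f"({base_filter})"
    clauses = "".join(
        f"(memberOf=cn={escape_filter_value(escape_dn_value(n))},{group_base_dn})"
        for n in names
    )
    return f"(&{base_filter}(|{clauses}))"


if __name__ == "__main__":
    # Constructed input: roles as they might come back from the governance engine OMAS.
    atlas_roles = ["marketing", "hr", "datascientist"]
    print(build_scoped_user_filter("(objectClass=person)", atlas_roles,
                                   "ou=groups,dc=example,dc=com"))
```

A role name containing filter metacharacters is rendered inert by the escaping, and an empty role list yields a filter that matches no entries rather than every user in the directory.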