[
https://issues.apache.org/jira/browse/RANGER-1486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16147516#comment-16147516
]
Nigel Jones commented on RANGER-1486:
-------------------------------------
We don't yet have a concept of user roles in the proposed atlas model. I added
thoughts in ATLAS-1768 though the specific dependency for usersync would be the
API being delivered via ATLAS-1796 which can be dummied up prior to the
necessary model updates.
One further thought... to limit interdependencies between atlas and ranger I
think we should fall back to the old behaviour if the atlas being contacted
does not support the new API. Initially it might also be wise to have a
property to enable the new behaviour (so as to not hit an existing/old atlas
server with a new API request), or to figure out (new JIRA?) an appropriate
more generic version check or capability strategy
> New usersync alternative for Atlas (vdc)
> ----------------------------------------
>
> Key: RANGER-1486
> URL: https://issues.apache.org/jira/browse/RANGER-1486
> Project: Ranger
> Issue Type: New Feature
> Components: usersync
> Reporter: Nigel Jones
> Assignee: Nigel Jones
> Labels: VirtualDataConnector
>
> As part of the Atlas Virtualization Data Connector work we are using this
> within a large enterprise with a lot of users & groups stored in ldap.
> The connector -- which has a ranger plugin to apply access control policies
> -- is used by a relatively small subset of these users. However that can't
> easily be transcribed to an optimal ldap query.
> Since Atlas will have the definitive list of roles that are being used, this
> new usersync will instead retrieve a list of roles from Atlas, and will then
> use this list to retrieve only those users found in this list of roles from
> LDAP.
> This is an alternative usersync so shouldn't conflict and will use the same
> ranger APIs
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
