Hari Sekhon created RANGER-1768:
-----------------------------------

             Summary: User Sync: add NSS standard user/group resolver mechanism 
to transparently support all Linux OS level identity management systems
                 Key: RANGER-1768
                 URL: https://issues.apache.org/jira/browse/RANGER-1768
             Project: Ranger
          Issue Type: New Feature
          Components: usersync
    Affects Versions: 0.7.0
         Environment: HDP 2.6
            Reporter: Hari Sekhon


Feature Request to add UserSync support for the standard Linux NSS user/group 
resolver mechanism to allow offloading user/group integration to the standard 
OS tools like SSSD.

This will allow Ranger to sync users and groups from the Linux OS integration 
layer using the standard user/group resolver modules which will cover all 
possible mechanisms which can include anything that the widely used SSSD can do 
including both local and LDAP users (which would obsolete having to configure 
LDAP manually in Ranger as it would be transparent regardless of whether using 
Active Directory, Red Hat IPA, OpenLDAP it would require no different schema 
configuration in Ranger etc) and it also allows more flexibility as the 
integration then becomes the more widely used standard Linux mechanisms, you 
can even mix different identity mechanisms through this one usersync method, 
including local accounts and AD / LDAP accounts if needed (some clients have 
asked for this).

This is more similar to what Hadoop does, just ask the OS, and is much more 
flexible, simpler to configure as it's transparent to Ranger once it switches 
to just doing the NSS lookup, rather than doing its own separate extra LDAP 
configuration integration directly and ending up with issues like 
RANGER-1735 group nesting problems when SSSD solved that back in 2011. Although 
this group nesting problem is severe enough to likely be fixed soon (it affects 
customers I'm representing right now too), the point remains that offloading 
the integration to NSS is by definition more robust, feature complete and more 
widely tested across many other applications that leverage it.

This is also a Red Hat recommendation, see:

http://rhelblog.redhat.com/2016/04/26/why-use-sssd-instead-of-a-direct-ldap-configuration-for-applications/



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
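
The lookup requested above, sketched as an added example that is not part of the original issue or of Ranger's code: Python's `pwd` and `grp` modules read through the OS resolver, so the same code sees local, SSSD, AD or LDAP accounts. The function names, the `min_uid` cutoff and the sample entries are assumptions made for illustration.

```python
import grp
import pwd
from collections import namedtuple

# Constructed sample entries using the attribute names of pwd/grp results.
Pw = namedtuple("Pw", "pw_name pw_uid pw_gid")
Gr = namedtuple("Gr", "gr_name gr_gid gr_mem")
SAMPLE_PASSWD = [Pw("root", 0, 0), Pw("hdfs", 501, 501),
                 Pw("alice", 10001, 20001), Pw("bob", 10002, 20001)]
SAMPLE_GROUP = [Gr("root", 0, []), Gr("hadoop", 501, ["hdfs"]),
                Gr("analysts", 20001, []),
                Gr("admins", 20002, ["alice", "ghost"])]


def build_user_groups(passwd_entries, group_entries, min_uid=1000):
    """Return {user: sorted group names} for accounts with uid >= min_uid."""
    group_entries = list(group_entries)
    gid_to_name = {g.gr_gid: g.gr_name for g in group_entries}
    users = {}
    for p in passwd_entries:
        if p.pw_uid < min_uid:
            continue  # leave system and service accounts out of the sync
        users[p.pw_name] = set()
        # The primary group comes from the passwd entry; it is normally
        # not repeated in that group's member list.
        if p.pw_gid in gid_to_name:
            users[p.pw_name].add(gid_to_name[p.pw_gid])
    for g in group_entries:
        for member in g.gr_mem:
            if member in users:  # skip members with no resolvable account
                users[member].add(g.gr_name)
    return {u: sorted(gs) for u, gs in users.items()}


def from_nss(min_uid=1000):
    """Same mapping, read through NSS (files, sss, ldap, ...).

    With SSSD, full listing only returns domain accounts when the
    domain has `enumerate = true`; it is off by default.
    """
    return build_user_groups(pwd.getpwall(), grp.getgrall(), min_uid)


if __name__ == "__main__":
    for user, groups in build_user_groups(SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print(user, ",".join(groups))
```

Because these memberships would feed authorization policies, the output of `from_nss()` is worth comparing against `getent passwd` and `getent group` on the same host before it is trusted.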
