> On April 30, 2018, 2:15 p.m., Velmurugan Periasamy wrote:
> > ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapDeltaUserGroupBuilder.java
> > Line 854 (original), 854 (patched)
> > <https://reviews.apache.org/r/66852/diff/1/?file=2014334#file2014334line854>
> >
> > Use a configurable param for this?

Just to clarify, this is not the actual sync cycle interval.

With Active Directory we use the uSNChanged attribute to track changes.
Periodically we query for all objects in the subtree whose uSNChanged value is
greater than or equal to U. The query will return all objects that have changed
since the previous sync. Set U to the largest (uSNChanged+1) among these
changed objects, and you are ready to poll again. In this case uSNChanged is a
sequential number and hence we are incrementing by 1.

For OpenLdap servers, we use the modifyTimeStamp attribute to track changes.
Periodically we query for all objects in the subtree whose modifyTimestamp
value is greater than or equal to U. The query will return all objects that
have changed since the previous sync. Set U to the largest
(modifiedTimestamp + 1sec) among these changed objects, and you are ready to
poll again. Since modifyTimestamp is a timestamp value, we are incrementing by
1sec, which is the lowest granularity of the timestamp value.

Since this is an internal implementation and for AD the modifyTimestamp is not
used, I don't think this should be a configurable parameter.

PS: According to the RFC, the LDAP search filter only supports greaterOrEqual
(>=) or lessOrEqual (<=)

    Filter ::= CHOICE {
        and             [0] SET OF Filter,
        or              [1] SET OF Filter,
        not             [2] Filter,
        equalityMatch   [3] AttributeValueAssertion,
        substrings      [4] SubstringFilter,
        greaterOrEqual  [5] AttributeValueAssertion,
        lessOrEqual     [6] AttributeValueAssertion,
        present         [7] AttributeDescription,
        approxMatch     [8] AttributeValueAssertion,
        extensibleMatch [9] MatchingRuleAssertion
    }

- Sailaja
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66852/#review202122
-----------------------------------------------------------
On April 27, 2018, 5:48 p.m., Sailaja Polavarapu wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/66852/
> -----------------------------------------------------------
>
> (Updated April 27, 2018, 5:48 p.m.)
>
>
> Review request for ranger.
>
>
> Bugs: RANGER-1852
> https://issues.apache.org/jira/browse/RANGER-1852
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Incrementing timestamp value for groups to 1sec instead of 1min. This is
> in-sync with timestamp value for users.
>
>
> Diffs
> -----
>
>
> ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapDeltaUserGroupBuilder.java
> 2288ab8e
>
>
> Diff: https://reviews.apache.org/r/66852/diff/1/
>
>
> Testing
> -------
>
> 1. Verified the existing unit tests ran successfully.
> 2. Verified basic usersync functionality with openldap server.
>
>
> Thanks,
>
> Sailaja Polavarapu
>
>
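
Added example (not part of the original e-mail thread or of Ranger's code): the high-water-mark polling described in the reply above, run against constructed in-memory entries instead of a live directory. The function names, DNs and attribute values are assumptions; the step argument shows what happens when the increment is larger than the 1-second granularity of modifyTimestamp, or is missing.

```python
from datetime import datetime, timedelta

GT_FMT = "%Y%m%d%H%M%SZ"  # GeneralizedTime in UTC, 1-second granularity

def delta_filter(attr, mark):
    # LDAP filters offer >= and <= but no strict >, so the mark itself must move.
    return f"({attr}>={mark})"

def search(entries, attr, mark):
    # Stand-in for the server evaluating the greaterOrEqual filter (no network).
    if attr == "uSNChanged":
        return [e for e in entries if int(e[attr]) >= int(mark)]
    # Fixed-width UTC strings compare in chronological order.
    return [e for e in entries if e[attr] >= mark]

def next_mark(changed, attr, mark, step=timedelta(seconds=1)):
    # Advance U past the newest change seen; keep it when nothing changed.
    if not changed:
        return mark
    if attr == "uSNChanged":
        return str(max(int(e[attr]) for e in changed) + 1)
    newest = max(datetime.strptime(e[attr], GT_FMT) for e in changed)
    return (newest + step).strftime(GT_FMT)

def poll(entries, attr, mark, step=timedelta(seconds=1)):
    # One sync cycle: returns the changed DNs and the mark for the next cycle.
    changed = search(entries, attr, mark)
    return [e["dn"] for e in changed], next_mark(changed, attr, mark, step)

# Constructed sample entries (hypothetical DNs and values).
GROUPS = [
    {"dn": "cn=admins,ou=groups,dc=example,dc=com", "modifyTimestamp": "20180427174800Z"},
    {"dn": "cn=auditors,ou=groups,dc=example,dc=com", "modifyTimestamp": "20180427174830Z"},
]
USERS = [
    {"dn": "cn=alice,ou=users,dc=example,dc=com", "uSNChanged": "4101"},
    {"dn": "cn=bob,ou=users,dc=example,dc=com", "uSNChanged": "4107"},
]

if __name__ == "__main__":
    # First cycle sees only the admins group; auditors changes 30 seconds later.
    seen, mark = poll(GROUPS[:1], "modifyTimestamp", "20180101000000Z")
    print(delta_filter("modifyTimestamp", mark), seen)
    print(poll(GROUPS, "modifyTimestamp", mark))
```

With a 1-minute step the second cycle's mark lands after the auditors change and that group is never returned; with no step at all the admins group is returned again on every cycle.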