[ https://issues.apache.org/jira/browse/RANGER-1735?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16484579#comment-16484579 ]

Sailaja Polavarapu commented on RANGER-1735:
--------------------------------------------

[~aaneja],

It is still correct, as the group search filter and group search base are the 
final decision makers. If a group does not match the specified group search 
filter, it is not retrieved, irrespective of whether it is part of another group or not.

Similarly, we need to take the group search base also into consideration. Let's 
take the same example as you specified above:

Group1: user1
*Group2*: user2
Group3: user3
Group4: Group1, Group2, Group3, user4
2. Group Sync is enabled and Group Search First is also enabled
3. Group search filter is specified as : (|(CN=Group1)(CN=Group2)(CN=Group4))

*4. Group search base is configured as: ou=rangerGroups,dc=hadoop,dc=org*

And say "Group2" is not under the "rangerGroups" OU.

In this case "Group2" is not retrieved even though it is specified in the 
filter and it is part of the "Group4" nested group list.

Hope this is clear.

 

 

> Support representing nested group memberships in Ranger Admin
> -------------------------------------------------------------
>
>                 Key: RANGER-1735
>                 URL: https://issues.apache.org/jira/browse/RANGER-1735
>             Project: Ranger
>          Issue Type: New Feature
>          Components: Ranger, usersync
>    Affects Versions: 0.7.1
>            Reporter: Sailaja Polavarapu
>            Assignee: Sailaja Polavarapu
>            Priority: Major
>             Fix For: 1.0.0, 0.7.2
>
>         Attachments: 
> 0001-RANGER-1735-Support-representing-nested-group-member.patch, Ranger 
> Usersync - Nested Group Support.docx
>
>
> Several large enterprises have their groups in LDAP/AD nested within other 
> groups. Since Ranger user sync currently only pulls in the immediate group, 
> it is possible that some nested memberships might not be available for policy 
> authoring. Hadoop user-group mapping already supports nested LDAP/AD groups 
> for policy enforcement at the Ranger plugin. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
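
The rule stated in the comment above (a group is retrieved only if it matches the group search filter and sits under the group search base, nested or not), as an added Python simulation that is not Ranger usersync code and not part of the original message. The group DNs, the `ou=otherGroups` location of Group2, the use of plain names instead of member DNs, and all function names are assumptions made for illustration.

```python
import re

BASE = "ou=rangerGroups,dc=hadoop,dc=org"        # group search base from the comment
FILTER = "(|(CN=Group1)(CN=Group2)(CN=Group4))"  # group search filter from the comment

# Constructed directory: group DN -> members. Real entries list member DNs;
# plain names are used here to keep the model small. Group2's OU is assumed.
DIRECTORY = {
    "cn=Group1,ou=rangerGroups,dc=hadoop,dc=org": ["user1"],
    "cn=Group2,ou=otherGroups,dc=hadoop,dc=org": ["user2"],
    "cn=Group3,ou=rangerGroups,dc=hadoop,dc=org": ["user3"],
    "cn=Group4,ou=rangerGroups,dc=hadoop,dc=org": ["Group1", "Group2", "Group3", "user4"],
}

def rdns(dn):
    """Split a DN into lower-cased RDNs (naive: no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]

def under_base(dn, base):
    """Subtree scope: the DN must end with every RDN of the base."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[-len(b):] == b

def filter_cns(flt):
    """Handle only the (|(CN=a)(CN=b)...) filter shape used in the comment."""
    return {cn.lower() for cn in re.findall(r"\(cn=([^()]+)\)", flt, re.I)}

def cn_of(dn):
    return dn.split(",", 1)[0].split("=", 1)[1].strip()

def retrieve_groups(directory, base, flt):
    """A group is retrieved only if it matches the filter AND is under the base."""
    wanted = filter_cns(flt)
    return {cn_of(dn): members for dn, members in directory.items()
            if cn_of(dn).lower() in wanted and under_base(dn, base)}

def nested_view(directory, base, flt):
    """For each retrieved group, split its nested groups into kept and dropped."""
    retrieved = retrieve_groups(directory, base, flt)
    all_groups = {cn_of(dn) for dn in directory}
    view = {}
    for cn, members in retrieved.items():
        nested = [m for m in members if m in all_groups]
        view[cn] = {"kept": [m for m in nested if m in retrieved],
                    "dropped": [m for m in nested if m not in retrieved]}
    return view

if __name__ == "__main__":
    print(nested_view(DIRECTORY, BASE, FILTER))
```

Group2 is dropped by the search base and Group3 by the filter, so only Group1 remains as a nested member of Group4 in this model.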
