[ https://issues.apache.org/jira/browse/RANGER-3630 ]


    Sailaja Polavarapu deleted comment on RANGER-3630:
    --------------------------------------------

was (Author: spolavarapu):
 *Proposal:*

The majority of the use cases to filter users using the “memberof” attribute fall 
into two categories:
 # Unique pattern for the group name - for example, “eng_dev” and “finance”
 # Group names with a wildcard character - for example, “eng_dev” and “eng_testing”

As noted earlier, since Active Directory doesn’t support either wildcards 
or short names of groups with the memberof attribute, Ranger usersync must be 
improved to generate the user search filter internally by taking a list of individual 
group names or group names with a wildcard character.

Instead of configuring the user search filter as one big string, a new 
configuration “ranger.usersync.ldap.groupnames” can be introduced for usersync. 
Its value can be either a list of group DNs, a list of group short names, 
or a list of group names with a wildcard character, separated by ";" like 
below:
 # DN of the groups - "memberof=CN=finance,ou=Hadoop Groups,dc=apache,dc=org;memberof=CN=eng_dev,ou=Hadoop Groups,dc=apache,dc=org;memberof=CN=eng_testing,ou=Hadoop Groups,dc=apache,dc=org"
 # Short names of the groups - "CN=finance;CN=eng_dev;CN=eng_testing"
 # Group names with wildcard character - "CN=eng*;CN=finance"

*Usersync Changes:*

Usersync reads these new configuration values and determines whether the 
specified values are DNs of the groups, short names of the groups, or group names 
with a wildcard character.
 # Values specified as DNs of the groups
 ## In this case ranger usersync builds the user search filter by concatenating 
each DN with an OR (|) operator 
 ## Example - (|(memberof=CN=finance,ou=Hadoop Groups,dc=apache,dc=org)(memberof=CN=eng_dev,ou=Hadoop Groups,dc=apache,dc=org)(memberof=CN=eng_testing,ou=Hadoop Groups,dc=apache,dc=org))

 # Values specified as short names of the groups or with a wildcard character
 ## In this case ranger usersync first contacts the AD/LDAP server to retrieve the 
DNs of the specified groups.
 ## It then builds the user search filter by prepending each DN with “memberof=” and 
concatenating them with an OR (|) operator

Notes: 
 # This new configuration (ranger.usersync.ldap.groupnames) is read by usersync 
only when the “ranger.usersync.ldap.user.searchfilter” configuration value is 
empty. 
 # When the “ranger.usersync.ldap.user.searchfilter” configuration value is not 
empty, usersync will ignore the value of the 
“ranger.usersync.ldap.groupnames” configuration.
 # All the configured group names (ranger.usersync.ldap.groupnames) are 
concatenated with only the OR (|) operator and are hardcoded to the “memberof” 
attribute.

> Support wildcards, group short names, and list of memberof attribute DNs for 
> computing user search filter
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-3630
>                 URL: https://issues.apache.org/jira/browse/RANGER-3630
>             Project: Ranger
>          Issue Type: New Feature
>          Components: Ranger, usersync
>            Reporter: Sailaja Polavarapu
>            Assignee: Sailaja Polavarapu
>            Priority: Major
>
> Ranger Usersync provides multiple configuration properties to sync users & 
> groups from AD/LDAP. One of the key configuration properties is the User 
> Search filter (ranger.usersync.ldap.user.searchfilter). Currently, the value 
> of user search filter must be a valid ldap search filter and is used by 
> ranger usersync “as is” to limit the no. of users to be sync’d from AD/LDAP. 
> Example values include:
>  # samaccountname=*  
>  ** Syncs all users from a given user search base
>  # (|(memberof=CN=finance,ou=Hadoop 
> Groups,dc=apache,dc=org)(memberof=CN=eng_dev,ou=Hadoop 
> Groups,dc=apache,dc=org)(memberof=CN=eng_testing,ou=Hadoop 
> Groups,dc=apache,dc=org))
>  ** Sync users that are members of finance, eng_dev, and eng_testing groups
> According to [Microsoft 
> documentation|https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx],
>  the wildcard character * is not allowed when the <AD Attribute> is a DN 
> attribute. Examples of DN attributes are distinguishedName, manager, 
> directReports, member, and memberOf. If users need to be sync'd from multiple 
> Active Directory groups with memberOf filters, this value can quickly become 
> a long string of OR concatenated group DNs. A single misplaced character in 
> this cryptic string results in all users failing to sync. 
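
The filter-construction procedure from the proposal above (classify each ";"-separated entry as a group DN, a short name or a wildcard name; resolve the latter two to DNs through the directory; OR the "memberof=" clauses together; honour the precedence over ranger.usersync.ldap.user.searchfilter) as an added, stand-alone example. This is not Ranger's own code, and Ranger usersync itself is Java; the function names, the constructed SAMPLE_GROUPS directory and the caller-supplied lookup callable that stands in for the real AD/LDAP query are all assumptions of this example. It goes one step beyond the ticket by escaping every group DN per RFC 4515 before splicing it into the filter, which is the check that prevents a stray "(" or ")" in a group name from producing the "single misplaced character" failure the ticket describes.

```python
"""Build the memberof-based user search filter described in RANGER-3630.

Added example, not Ranger's own code.  Assumptions not taken from the ticket:
the function names, the constructed SAMPLE_GROUPS directory, and the
caller-supplied ``lookup`` callable standing in for the AD/LDAP query that
usersync would make to resolve short and wildcard names to group DNs.
"""
import fnmatch
import re
from typing import Callable, Dict, List

# Constructed sample directory (short group name -> group DN).  The last
# entry deliberately contains parentheses to exercise filter escaping.
SAMPLE_GROUPS: Dict[str, str] = {
    "finance": "CN=finance,ou=Hadoop Groups,dc=apache,dc=org",
    "eng_dev": "CN=eng_dev,ou=Hadoop Groups,dc=apache,dc=org",
    "eng_testing": "CN=eng_testing,ou=Hadoop Groups,dc=apache,dc=org",
    "r&d (legacy)": "CN=r&d (legacy),ou=Hadoop Groups,dc=apache,dc=org",
}

_MEMBEROF = re.compile(r"^memberof=", re.IGNORECASE)
_CN = re.compile(r"^cn=", re.IGNORECASE)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a literal attribute value inside a search filter.

    '*' is escaped as well: a group DN is always matched literally, and AD
    rejects wildcards on DN-syntax attributes such as memberOf anyway.
    """
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def classify(spec: str) -> str:
    """Return 'dn', 'wildcard' or 'short' for one configured entry.

    A comma means further RDNs follow the CN, i.e. a full DN was supplied;
    otherwise a '*' marks a wildcard name and anything else is a short name.
    """
    s = _MEMBEROF.sub("", spec.strip())
    if "," in s:
        return "dn"
    return "wildcard" if "*" in s else "short"


def sample_lookup(pattern: str) -> List[str]:
    """In-memory stand-in for the directory query usersync would run.

    ``pattern`` is a group CN, optionally containing '*' wildcards, matched
    case-insensitively against the constructed SAMPLE_GROUPS.
    """
    pat = pattern.lower()
    return [dn for name, dn in SAMPLE_GROUPS.items()
            if fnmatch.fnmatchcase(name.lower(), pat)]


def resolve_group_dns(groupnames: str,
                      lookup: Callable[[str], List[str]]) -> List[str]:
    """Expand a ';'-separated ranger.usersync.ldap.groupnames value to group DNs."""
    dns: List[str] = []
    for spec in (p.strip() for p in groupnames.split(";")):
        if not spec:
            continue
        s = _MEMBEROF.sub("", spec)
        if classify(s) == "dn":
            dns.append(s)
        else:
            found = lookup(_CN.sub("", s))
            if not found:
                # Fail loudly: silently syncing zero users would hide the typo.
                raise ValueError(f"no group in the directory matches {spec!r}")
            dns.extend(found)
    unique: List[str] = []          # de-duplicate, DN comparison is case-insensitive
    for dn in dns:
        if dn.lower() not in (u.lower() for u in unique):
            unique.append(dn)
    return unique


def build_user_search_filter(groupnames: str,
                             lookup: Callable[[str], List[str]]) -> str:
    """OR together one (memberof=<escaped DN>) clause per resolved group DN."""
    dns = resolve_group_dns(groupnames, lookup)
    if not dns:
        raise ValueError("ranger.usersync.ldap.groupnames resolved to no group DNs")
    clauses = "".join(f"(memberof={escape_filter_value(dn)})" for dn in dns)
    return clauses if len(dns) == 1 else f"(|{clauses})"


def effective_user_search_filter(user_searchfilter: str, groupnames: str,
                                 lookup: Callable[[str], List[str]]) -> str:
    """Precedence from the proposal's notes: a non-empty
    ranger.usersync.ldap.user.searchfilter is used as-is and groupnames is ignored."""
    if user_searchfilter.strip():
        return user_searchfilter
    return build_user_search_filter(groupnames, lookup)


if __name__ == "__main__":
    for cfg in ("CN=finance;CN=eng_dev;CN=eng_testing", "CN=eng*;CN=finance",
                "CN=r&d (legacy)"):
        print(cfg, "->", build_user_search_filter(cfg, sample_lookup))
```

Two design choices worth noting: an unresolvable short or wildcard name raises instead of being skipped, because a typo that quietly shrinks the synced user set is the harder failure to notice; and the lookup is deliberately separated from filter building so the same builder can be tested offline and then pointed at a real directory search.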



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
