[ https://issues.apache.org/jira/browse/RANGER-3855?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17578170#comment-17578170 ]
Barbara Eckman commented on RANGER-3855:
----------------------------------------
patch file coming soon
> RangerExternalUserStoreRetriever class
> --------------------------------------
>
> Key: RANGER-3855
> URL: https://issues.apache.org/jira/browse/RANGER-3855
> Project: Ranger
> Issue Type: New Feature
> Components: plugins, Ranger
> Affects Versions: 3.0.0
> Reporter: Barbara Eckman
> Priority: Major
>
> Ranger version 3.0.0 provides a means, via a context enricher, to add or
> retrieve attributes to the database of users for whom Ranger controls access.
> This permits syntax like ${{USER.aliases}}.includes("Dumbo") in any Ranger
> policy condition, including row and tag filters. This greatly enhances the
> ability to provide custom Attribute-based Access Control based on the
> specific business needs of one's organization.
> I believe that the original assumption was that such attributes would be
> added to AD/LDAP and enter Ranger via regular user syncs. However, this
> process does not currently work with Azure AD, which many organizations use.
> Neither does it provide timely support for organizations for whom adding each
> new attribute to AD would be subject to prolonged scrutiny by overworked
> security teams.
> In the spirit of the RangerAdminUserStoreRetriever context enricher, we have
> written a RangerExternalUserStoreRetriever class which adds arbitrary
> attributes to Ranger users via external API calls, thus freeing additions to
> the UserStore from dependency on AD/LDAP.