-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/
-----------------------------------------------------------

(Updated Oct. 21, 2022, 9:09 p.m.)


Review request for ranger and madhan.


Changes
-------

Added a new diff. I guess since the package name changed, or because of how I updated this repo from my working repo, the diff just shows deleted files and new files. There is also a lot of refactoring between diff 1 and diff 2. If this diff is not acceptable, let me know. (I might also need help on how to do better at updating this repo from my working repo.) I'm sorry if I'm causing undue inconvenience.


Bugs: Ranger-3855
    https://issues.apache.org/jira/browse/Ranger-3855


Repository: ranger


Description
-------

RangerExternalUserStoreRetriever class Ranger-3855

Ranger version 3.0.0 provides a means, via a context enricher, to add or retrieve attributes to the database of users for whom Ranger controls access. This permits syntax like "Dumbo" in $USER.aliases in any Ranger policy condition, including row and tag filters. This greatly enhances the ability to provide custom Attribute-based Access Control based on the specific business needs of one's organization.

I believe that the original assumption was that such attributes would be added to AD/LDAP and enter Ranger via regular user syncs. However, this process does not currently work with Azure AD, which many organizations use. Neither does it provide timely support for organizations for whom adding each new attribute to AD would be subject to prolonged scrutiny by overworked security teams.

In the spirit of the RangerAdminUserStoreRetriever context enricher, we have written a RangerExternalUserStoreRetriever class which adds arbitrary attributes to Ranger users via external API calls, thus freeing additions to the UserStore from dependency on AD/LDAP. We have also written a RangerRoleUserStoreRetriever class, which transforms role membership into user attributes, for ease of use in complex policy conditions.


Diffs (updated)
-----

  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java 4e1d19556
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromDataFile.java 60c7f22f7
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromURL.java 1b9335339
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java c5e13dbba
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/LICENSE
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/NOTICE
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/README.md eaf9ae823
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerExternalUserStoreRetriever.java c7ab74bc7
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerRoleUserStoreRetriever.java 9eb50faa3
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/TokenInputs.java b9e1f0185
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/pom.xml d2914dbc0
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetBearerToken.java PRE-CREATION
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java PRE-CREATION
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java PRE-CREATION
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/HandleSecrets.java PRE-CREATION
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md PRE-CREATION
  agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/RangerExternalUserStoreRetriever.java PRE-CREATION


Diff: https://reviews.apache.org/r/74142/diff/2/

Changes: https://reviews.apache.org/r/74142/diff/1-2/


Testing
-------


Thanks,

Barbara Eckman