-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/
-----------------------------------------------------------

(Updated Oct. 21, 2022, 9:09 p.m.)


Review request for ranger and madhan.


Changes
-------

Added a new diff. I guess since the package name changed, or because of how I
updated this repo from my working repo, the diff just shows deleted files and
new files. There is also a lot of refactoring between diff 1 and diff 2. If
this diff is not acceptable, let me know. (I might also need help on how to do
better at updating this repo from my working repo.) I'm sorry if I'm causing
undue inconvenience.


Bugs: Ranger-3855
    https://issues.apache.org/jira/browse/Ranger-3855


Repository: ranger


Description
-------

RangerExternalUserStoreRetriever class Ranger-3855

Ranger version 3.0.0 provides a means, via a context enricher, to add or
retrieve attributes to the database of users for whom Ranger controls access.
This permits syntax like "Dumbo" in $USER.aliases in any Ranger policy
condition, including row and tag filters. This greatly enhances the ability to
provide custom Attribute-based Access Control based on the specific business
needs of one's organization.

I believe that the original assumption was that such attributes would be added
to AD/LDAP and enter Ranger via regular user syncs. However, this process does
not currently work with Azure AD, which many organizations use. Neither does it
provide timely support for organizations for whom adding each new attribute to
AD would be subject to prolonged scrutiny by overworked security teams.

In the spirit of the RangerAdminUserStoreRetriever context enricher, we have 
written a RangerExternalUserStoreRetriever class which adds arbitrary 
attributes to Ranger users via external API calls, thus freeing additions to 
the UserStore from dependency on AD/LDAP.   We have also written a 
RangerRoleUserStoreRetriever class, which transforms role membership into user 
attributes, for ease of use in complex policy conditions.


Diffs (updated)
-----

  
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java
 4e1d19556 
  
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromDataFile.java
 60c7f22f7 
  
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromURL.java
 1b9335339 
  
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java
 c5e13dbba 
  
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/LICENSE
  
  
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/NOTICE
  
  
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/README.md
 eaf9ae823 
  
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerExternalUserStoreRetriever.java
 c7ab74bc7 
  
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerRoleUserStoreRetriever.java
 9eb50faa3 
  
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/TokenInputs.java
 b9e1f0185 
  
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/pom.xml
 d2914dbc0 
  
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetBearerToken.java
 PRE-CREATION 
  
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java
 PRE-CREATION 
  
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java
 PRE-CREATION 
  
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/HandleSecrets.java
 PRE-CREATION 
  
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md
 PRE-CREATION 
  
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/RangerExternalUserStoreRetriever.java
 PRE-CREATION 


Diff: https://reviews.apache.org/r/74142/diff/2/

Changes: https://reviews.apache.org/r/74142/diff/1-2/


Testing
-------


Thanks,

Barbara Eckman
