> On Oct. 25, 2022, 7:43 a.m., Madhan Neethiraj wrote: > >
Did you really mean to remove writeToFile() and encodeSecrets() from the project? I understand moving most of the HandleSecrets methods to getFromURL, but don't we want to give folks the tools to easily write to file secrets that are encoded the way we later decodethem? > On Oct. 25, 2022, 7:43 a.m., Madhan Neethiraj wrote: > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerRoleUserStoreRetriever.java > > Lines 61 (patched) > > <https://reviews.apache.org/r/74142/diff/1/?file=2270187#file2270187line61> > > > > A comment here with details of hour RangerRoles contents are used to > > create RangerUserStore object - wth an example. Done. > On Oct. 25, 2022, 7:43 a.m., Madhan Neethiraj wrote: > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerRoleUserStoreRetriever.java > > Lines 64 (patched) > > <https://reviews.apache.org/r/74142/diff/1/?file=2270187#file2270187line64> > > > > Given roleName is initialized in init() method, consider moving > > compliing patter to this method - this will help avoid compiling on every > > call to retrieveUserStoreInfo(). done > On Oct. 25, 2022, 7:43 a.m., Madhan Neethiraj wrote: > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetBearerToken.java > > Lines 62 (patched) > > <https://reviews.apache.org/r/74142/diff/2/?file=2271457#file2271457line62> > > > > Did you mean to check if response is null? Shouldn't this be "response > > == null"? Done > On Oct. 25, 2022, 7:43 a.m., Madhan Neethiraj wrote: > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java > > Lines 85 (patched) > > <https://reviews.apache.org/r/74142/diff/2/?file=2271459#file2271459line85> > > > > Perhaps flattenedAttrMap.put() should be after the for loop at #81? I think you realized that it was in the right place as is-- that's where it is in your patch, I think.. > On Oct. 25, 2022, 7:43 a.m., Madhan Neethiraj wrote: > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/RangerExternalUserStoreRetriever.java > > Lines 56 (patched) > > <https://reviews.apache.org/r/74142/diff/2/?file=2271462#file2271462line56> > > > > Since the user-store returned by a given instance of > > RangerExternalUserStoreRetriever always contains the same userAttrMap, it > > might be useful to instantiate RangerUserStore in init() method itself. userStore is used in retrieveUserStoreInfo method as well as init, so it needs to be initiated outside. - Barbara ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/74142/#review224827 ----------------------------------------------------------- On Oct. 21, 2022, 9:09 p.m., Barbara Eckman wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/74142/ > ----------------------------------------------------------- > > (Updated Oct. 21, 2022, 9:09 p.m.) > > > Review request for ranger and madhan. > > > Bugs: Ranger-3855 > https://issues.apache.org/jira/browse/Ranger-3855 > > > Repository: ranger > > > Description > ------- > > RangerExternalUserStoreRetriever class Ranger-3855 > > Ranger version 3.0.0 provides a means, via a context enricher, to add or > retrieve attributes to the database of users for whom Ranger controls access. > This permits syntax like "Dumbo" in $USER.aliases any Ranger policy > condition, including row and tag filters. This greatly enhances the ability > to provide custom Attribute-based Access Control based on the specific > business needs of one's organization. > > I believe that the original assumption was that such attributes would be > added to AD/LDAP and enter Ranger via regular user sync's. However, this > process does not currently work with Azure AD, which many organizations use. > Neither does it provide timely support for organizations for whom adding each > new attribute to AD would be subject to prolonged scrutiny by overworked > security teams. > > In the spirit of the RangerAdminUserStoreRetriever context enricher, we have > written a RangerExternalUserStoreRetriever class which adds arbitrary > attributes to Ranger users via external API calls, thus freeing additions to > the UserStore from dependency on AD/LDAP. We have also written a > RangerRoleUserStoreRetriever class, which transforms role membership into > user attributes, for ease of use in complex policy conditions. > > > Diffs > ----- > > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetBearerToken.java > 4e1d19556 > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromDataFile.java > 60c7f22f7 > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/GetFromURL.java > 1b9335339 > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/HandleSecrets.java > c5e13dbba > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/LICENSE > > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/NOTICE > > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/README.md > eaf9ae823 > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerExternalUserStoreRetriever.java > c7ab74bc7 > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/RangerRoleUserStoreRetriever.java > 9eb50faa3 > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/TokenInputs.java > b9e1f0185 > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalUserStoreRetrievers/pom.xml > d2914dbc0 > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetBearerToken.java > PRE-CREATION > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java > PRE-CREATION > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java > PRE-CREATION > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/HandleSecrets.java > PRE-CREATION > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md > PRE-CREATION > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/RangerExternalUserStoreRetriever.java > PRE-CREATION > > > Diff: https://reviews.apache.org/r/74142/diff/2/ > > > Testing > ------- > > > Thanks, > > Barbara Eckman > >
