-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/
-----------------------------------------------------------
(Updated Nov. 3, 2022, 5:36 p.m.)
Review request for ranger and madhan.
Bugs: Ranger-3855
https://issues.apache.org/jira/browse/Ranger-3855
Repository: ranger
Description
-------
RangerExternalUserStoreRetriever class Ranger-3855
Ranger version 3.0.0 provides a means, via a context enricher, to add or
retrieve attributes to the database of users for whom Ranger controls access.
This permits syntax like "Dumbo" in $USER.aliases in any Ranger policy condition,
including row and tag filters. This greatly enhances the ability to provide
custom Attribute-based Access Control based on the specific business needs of
one's organization.
I believe that the original assumption was that such attributes would be added
to AD/LDAP and enter Ranger via regular user syncs. However, this process does
not currently work with Azure AD, which many organizations use. Neither does it
provide timely support for organizations for whom adding each new attribute to
AD would be subject to prolonged scrutiny by overworked security teams.
In the spirit of the RangerAdminUserStoreRetriever context enricher, we have
written a RangerExternalUserStoreRetriever class which adds arbitrary
attributes to Ranger users via external API calls, thus freeing additions to
the UserStore from dependency on AD/LDAP. We have also written a
RangerRoleUserStoreRetriever class, which transforms role membership into user
attributes, for ease of use in complex policy conditions.
Diffs (updated)
-----
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java
PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java
PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/LICENSE
PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/NOTICE
PRE-CREATION
agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md
PRE-CREATION
dev-support/spotbugsIncludeFile.xml 3621e8c08
plugin-nestedstructure/README.md ea878f6a2
Diff: https://reviews.apache.org/r/74142/diff/4/
Changes: https://reviews.apache.org/r/74142/diff/3-4/
Testing
-------
Thanks,
Barbara Eckman