> On Nov. 18, 2022, 12:29 a.m., Madhan Neethiraj wrote: > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java > > Lines 66 (patched) > > <https://reviews.apache.org/r/74142/diff/5/?file=2271947#file2271947line66> > > > > retrieveUserStoreInfo() returns userStore initialized in init() method. > > How are changes to user-attributes handled? For example: > > 1. changes to user-roles assignment > > 2. changes to attributes in remote server (retrieved via GetFromURL()). > > 3. changes to attributes loaded from data file (retrieved via > > GetFromDataFile()
You are right. I moved the assignment of userAttrsMap to userStore to the retrieveUserStoreInfo method. Hopefully that will solve this problem. > On Nov. 18, 2022, 12:29 a.m., Madhan Neethiraj wrote: > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java > > Lines 198 (patched) > > <https://reviews.apache.org/r/74142/diff/5/?file=2271947#file2271947line198> > > > > Please review and update the package name: > > com.comcast.dx.ranger.contextenricher.externalretrievers Sorry, yes, done. > On Nov. 18, 2022, 12:29 a.m., Madhan Neethiraj wrote: > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java > > Lines 222 (patched) > > <https://reviews.apache.org/r/74142/diff/5/?file=2271947#file2271947line222> > > > > rangerRoles is an instance member, hence it is not necessary to send as > > method parameter. Please review and update. Done > On Nov. 18, 2022, 12:29 a.m., Madhan Neethiraj wrote: > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java > > Lines 226 (patched) > > <https://reviews.apache.org/r/74142/diff/5/?file=2271947#file2271947line226> > > > > gson is unused. Please review and remove. done. > On Nov. 18, 2022, 12:29 a.m., Madhan Neethiraj wrote: > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md > > Lines 99 (patched) > > <https://reviews.apache.org/r/74142/diff/5/?file=2271952#file2271952line99> > > > > roleName here actually refers to the prefix of the roleName in Ranger. > > Also, roleName here is the name of the user-attribute. Hence, consider > > renaming this to attrName. > > > > "retriever2_role": "attrName=salesRegion", > > "retriever3_role": "attrName=sensitivityLevel" Good idea. I need the "." for pattern matching against role names, in case one attrName is a prefix for another one, eg these roles: region.northeast and regionSales.northeast. But (duh) I can add that to the attrName before matching against roles, in the code rather requiring it in the servicedef. So I will change this. Thanks! > On Nov. 18, 2022, 12:29 a.m., Madhan Neethiraj wrote: > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md > > Lines 132 (patched) > > <https://reviews.apache.org/r/74142/diff/5/?file=2271952#file2271952line132> > > > > Given each retriever handles a single attribute, 'name' option many not > > be useful/necessary. Consider the following simplified option string: > > "retriever0_api": > > "attrName=partner,userStoreURL=http://localhost:8000/security/getPartnersByUser";, > > "retriever1_api": > > "attrName=ownedResources,dataFile=/var/ranger/data/userOwnerResource.txt", > > "retriever2_role": "attrName=salesRegion", > > "retriever3_role": "attrName=sensitivityLevel" What you say makes sense. Originally I had thought the name was useful for documentation, at least. But now each retriever does the same thing: maps a user to an attribute. So if attrName is given, no additional documentation is needed. So I made the change. > On Nov. 18, 2022, 12:29 a.m., Madhan Neethiraj wrote: > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md > > Lines 134 (patched) > > <https://reviews.apache.org/r/74142/diff/5/?file=2271952#file2271952line134> > > > > serviceType and serviceName are unused. Please review and remove from > > #134 and #135. Yes, sorry, I thought I'd fixed that. - Barbara ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/74142/#review224885 ----------------------------------------------------------- On Nov. 17, 2022, 9:15 p.m., Barbara Eckman wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/74142/ > ----------------------------------------------------------- > > (Updated Nov. 17, 2022, 9:15 p.m.) > > > Review request for ranger and madhan. > > > Bugs: Ranger-3855 > https://issues.apache.org/jira/browse/Ranger-3855 > > > Repository: ranger > > > Description > ------- > > RangerExternalUserStoreRetriever class Ranger-3855 > > Ranger version 3.0.0 provides a means, via a context enricher, to add or > retrieve attributes to the database of users for whom Ranger controls access. > This permits syntax like "Dumbo" in $USER.aliases any Ranger policy > condition, including row and tag filters. This greatly enhances the ability > to provide custom Attribute-based Access Control based on the specific > business needs of one's organization. > > I believe that the original assumption was that such attributes would be > added to AD/LDAP and enter Ranger via regular user sync's. However, this > process does not currently work with Azure AD, which many organizations use. > Neither does it provide timely support for organizations for whom adding each > new attribute to AD would be subject to prolonged scrutiny by overworked > security teams. > > In the spirit of the RangerAdminUserStoreRetriever context enricher, we have > written a RangerExternalUserStoreRetriever class which adds arbitrary > attributes to Ranger users via external API calls, thus freeing additions to > the UserStore from dependency on AD/LDAP. We have also written a > RangerRoleUserStoreRetriever class, which transforms role membership into > user attributes, for ease of use in complex policy conditions. > > > Diffs > ----- > > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java > PRE-CREATION > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java > PRE-CREATION > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java > PRE-CREATION > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/LICENSE > PRE-CREATION > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/NOTICE > PRE-CREATION > > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md > PRE-CREATION > > > Diff: https://reviews.apache.org/r/74142/diff/5/ > > > Testing > ------- > > > Thanks, > > Barbara Eckman > >
