> On Nov. 29, 2022, 5 a.m., Madhan Neethiraj wrote:
> >

Thank you for your comments, as always!

> On Nov. 29, 2022, 5 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
> > Lines 39 (patched)
> > <https://reviews.apache.org/r/74142/diff/7/?file=2272183#file2272183line39>
> >
> > Consider renaming AllRangerUserStoreRetrievers to
> > RangerMultiSourceUserStoreRetriever.

Cool.

> On Nov. 29, 2022, 5 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
> > Lines 42 (patched)
> > <https://reviews.apache.org/r/74142/diff/7/?file=2272183#file2272183line42>
> >
> > To avoid creation of RangerRoleUtils for every call to
> > retrieveUserStoreInfo(), in #246, consider replacing "RangerRoles
> > rangerRoles" here with "RangerRoleUtil roleUtil". This should be refreshed
> > only when role updates are downloaded in #62.

Yep.

> On Nov. 29, 2022, 5 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
> > Lines 43 (patched)
> > <https://reviews.apache.org/r/74142/diff/7/?file=2272183#file2272183line43>
> >
> > allUserAttrsMap is used only within retrieveUserStoreInfo(). Consider
> > moving #43 to within this method i.e. avoid instance member.

Yep, I thought of that last night after I uploaded the Diff.

> On Nov. 29, 2022, 5 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
> > Lines 44 (patched)
> > <https://reviews.apache.org/r/74142/diff/7/?file=2272183#file2272183line44>
> >
> > enricherOptionsMap => retrieverOptions

Yep. That name was from a much earlier version and never updated.

> On Nov. 29, 2022, 5 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java
> > Lines 62 (patched)
> > <https://reviews.apache.org/r/74142/diff/7/?file=2272183#file2272183line62>
> >
> > Consider sending existing roles version to getRolesIfUpdated() so that
> > roles will be downloaded from Ranger only when there are updates.

Good.

> On Nov. 29, 2022, 5 a.m., Madhan Neethiraj wrote:
> > agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java
> > Lines 55 (patched)
> > <https://reviews.apache.org/r/74142/diff/7/?file=2272185#file2272185line55>
> >
> > To ensure httpClient is closed, consider moving #55 to within try() at
> > #62.

good

- Barbara

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74142/#review224914
-----------------------------------------------------------

On Nov. 28, 2022, 9:45 p.m., Barbara Eckman wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/74142/
> -----------------------------------------------------------
>
> (Updated Nov. 28, 2022, 9:45 p.m.)
>
>
> Review request for ranger and madhan.
>
>
> Bugs: Ranger-3855
>     https://issues.apache.org/jira/browse/Ranger-3855
>
>
> Repository: ranger
>
>
> Description
> -------
>
> RangerExternalUserStoreRetriever class Ranger-3855
>
> Ranger version 3.0.0 provides a means, via a context enricher, to add or
> retrieve attributes to the database of users for whom Ranger controls access.
> This permits syntax like "Dumbo" in $USER.aliases any Ranger policy
> condition, including row and tag filters. This greatly enhances the ability
> to provide custom Attribute-based Access Control based on the specific
> business needs of one's organization.
>
> I believe that the original assumption was that such attributes would be
> added to AD/LDAP and enter Ranger via regular user sync's. However, this
> process does not currently work with Azure AD, which many organizations use.
> Neither does it provide timely support for organizations for whom adding each
> new attribute to AD would be subject to prolonged scrutiny by overworked
> security teams.
>
> In the spirit of the RangerAdminUserStoreRetriever context enricher, we have
> written a RangerExternalUserStoreRetriever class which adds arbitrary
> attributes to Ranger users via external API calls, thus freeing additions to
> the UserStore from dependency on AD/LDAP. We have also written a
> RangerRoleUserStoreRetriever class, which transforms role membership into
> user attributes, for ease of use in complex policy conditions.
>
>
> Diffs
> -----
>
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/AllRangerUserStoreRetrievers.java PRE-CREATION
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromDataFile.java PRE-CREATION
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/GetFromURL.java PRE-CREATION
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/LICENSE PRE-CREATION
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/NOTICE PRE-CREATION
>   agents-common/src/main/java/org/apache/ranger/plugin/contextenricher/externalretrievers/README.md PRE-CREATION
>
>
> Diff: https://reviews.apache.org/r/74142/diff/7/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Barbara Eckman
>
>