[ https://issues.apache.org/jira/browse/RANGER-3855?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Barbara Eckman updated RANGER-3855:
-----------------------------------
    Description: 
Ranger version 3.0.0 provides a means, via a context enricher, to add or 
retrieve attributes to the database of users for whom Ranger controls access. 
This permits syntax like "Dumbo" in ${{USER.aliases}} in any Ranger policy 
condition, including row and tag filters.   This greatly enhances the ability 
to provide custom Attribute-based Access Control based on the specific business 
needs of one's organization.

I believe that the original assumption was that such attributes would be added 
to AD/LDAP and enter Ranger via regular user syncs. However, this process does 
not currently work with Azure AD, which many organizations use. Neither does it 
provide timely support for organizations for whom adding each new attribute to 
AD would be subject to prolonged scrutiny by overworked security teams.  

In the spirit of the RangerAdminUserStoreRetriever context enricher, we have 
written a RangerExternalUserStoreRetriever class which adds arbitrary 
attributes to Ranger users via external API calls, thus freeing additions to 
the UserStore from dependency on AD/LDAP.   We have also written a 
RangerRoleUserStoreRetriever class, which transforms role membership into user 
attributes, for ease of use in complex policy conditions.

  was:
Ranger version 3.0.0 provides a means, via a context enricher, to add or 
retrieve attributes to the database of users for whom Ranger controls access. 
This permits syntax like "Dumbo" in ${{USER.aliases}} any Ranger policy 
condition, including row and tag filters.   This greatly enhances the ability 
to provide custom Attribute-based Access Control based on the specific business 
needs of one's organization.

I believe that the original assumption was that such attributes would be added 
to AD/LDAP and enter Ranger via regular user syncs. However, this process does 
not currently work with Azure AD, which many organizations use. Neither does it 
provide timely support for organizations for whom adding each new attribute to 
AD would be subject to prolonged scrutiny by overworked security teams.  

In the spirit of the RangerAdminUserStoreRetriever context enricher, we have 
written a RangerExternalUserStoreRetriever class which adds arbitrary 
attributes to Ranger users via external API calls, thus freeing additions to 
the UserStore from dependency on AD/LDAP.   We have also written a 
RangerRoleUserStoreRetriever class, which transforms role membership into user 
attributes, for ease of use in complex policy conditions.


> RangerExternalUserStoreRetriever class
> --------------------------------------
>
>                 Key: RANGER-3855
>                 URL: https://issues.apache.org/jira/browse/RANGER-3855
>             Project: Ranger
>          Issue Type: New Feature
>          Components: plugins, Ranger
>    Affects Versions: 3.0.0
>            Reporter: Barbara Eckman
>            Assignee: Barbara Eckman
>            Priority: Major
>             Fix For: 3.0.0, 2.4.0
>
>         Attachments: 0001-contextenricher-externalUserStoreRetrievers-first-co.patch
>
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
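Added example, not code from the Ranger project, from the attached patch or from the reporter: a self-contained Python model of the two retrievers described in the issue and of the "Dumbo" in ${{USER.aliases}} condition, so the data flow (external attributes and role membership merged into one per-user attribute map, then a membership test against it) can be traced end to end. EXTERNAL_ATTR_API, ROLES and fetch_external_attrs() are hypothetical stand-ins for the external API and the Ranger role store, populated with constructed sample data so the script runs offline; the condition grammar accepts only the one membership form quoted in the issue, not Ranger's full policy-condition language.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample data standing in for the external attribute API and the
# Ranger role store (hypothetical; nothing is fetched over the network).
EXTERNAL_ATTR_API: Dict[str, Dict[str, List[str]]] = {
    "alice": {"aliases": ["Dumbo", "al"], "department": ["finance"]},
    "bob": {"aliases": ["bobby"], "department": ["hr"]},
}
ROLES: Dict[str, Set[str]] = {
    "finance_admin": {"alice"},
    "hr_reader": {"bob", "carol"},
}

# user -> attribute name -> set of values
UserStore = Dict[str, Dict[str, Set[str]]]

# Only the one condition shape quoted in the issue:  "<value>" in ${{USER.<attr>}}
CONDITION_RE = re.compile(
    r'^\s*"(?P<value>[^"]*)"\s+in\s+\$\{\{USER\.(?P<attr>[A-Za-z_][A-Za-z0-9_]*)\}\}\s*$'
)


def fetch_external_attrs(user: str) -> Dict[str, List[str]]:
    """Hypothetical stand-in for the external API call a retriever would make."""
    return EXTERNAL_ATTR_API.get(user, {})


def enrich_from_external(store: UserStore, users: Iterable[str]) -> UserStore:
    """Model of the external-API retriever: merge fetched attributes per user.

    A user the API knows nothing about still gets an (empty) entry, so later
    lookups distinguish "no such attribute" from "no such user" only by data.
    """
    for user in users:
        attrs = store.setdefault(user, {})
        for name, values in fetch_external_attrs(user).items():
            attrs.setdefault(name, set()).update(values)
    return store


def enrich_from_roles(store: UserStore, roles: Dict[str, Set[str]],
                      attr_name: str = "roles") -> UserStore:
    """Model of the role retriever: invert role -> members into a per-user attribute."""
    for role, members in roles.items():
        for user in members:
            store.setdefault(user, {}).setdefault(attr_name, set()).add(role)
    return store


def build_user_store(users: Iterable[str], roles: Dict[str, Set[str]]) -> UserStore:
    store: UserStore = {}
    enrich_from_external(store, users)
    enrich_from_roles(store, roles)
    return store


def evaluate_condition(condition: str, store: UserStore, user: str) -> bool:
    """Evaluate '"<value>" in ${{USER.<attr>}}' for one user.

    A condition outside the supported shape is a policy-authoring error and is
    rejected loudly (ValueError). Missing data (unknown user, attribute never
    populated) fails closed and returns False rather than raising.
    """
    m = CONDITION_RE.match(condition)
    if m is None:
        raise ValueError(f"unsupported condition: {condition!r}")
    values = store.get(user, {}).get(m.group("attr"), set())
    return m.group("value") in values


if __name__ == "__main__":
    st = build_user_store(["alice", "bob", "carol"], ROLES)
    for u in ("alice", "bob", "carol"):
        print(u,
              evaluate_condition('"Dumbo" in ${{USER.aliases}}', st, u),
              evaluate_condition('"hr_reader" in ${{USER.roles}}', st, u))
```

Two behaviours are worth checking before relying on attributes from an external source in a policy condition: a user the external API does not know (carol above) must fail the aliases test rather than error out or pass, and an attribute that only exists because of role inversion must be visible under the name the condition uses. The model keeps those two paths separate on purpose; a real retriever would additionally need the refresh and versioning logic the existing UserStore retrievers have, which is outside what the issue describes.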