Patryk Owczarek created RANGER-4772:
---------------------------------------

Summary: [usersync] Lost possibility to filter users based on synchronized groups
Key: RANGER-4772
URL: https://issues.apache.org/jira/browse/RANGER-4772
Project: Ranger
Issue Type: Bug
Components: usersync
Affects Versions: 2.4.0, 2.3.0, 2.2.0
Reporter: Patryk Owczarek

Before this change [https://github.com/apache/ranger/commit/9be6a7d01f8d6a83e740ac27225eda1fff83501a] it was possible to configure Ranger User Sync to synchronize only those users that are members of the synchronized groups.

The implementation in LdapDeltaUserGroupBuilder that did the in-memory filtering was removed in Ranger 2.2, and the other implementation - LdapUserGroupBuilder - only allows using LDAP-based search for filtering users by membership. This can become cumbersome if there are a lot of groups or if the group search filter is dynamic.

Example of Ranger usersync config:

{code:java}
SYNC_LDAP_USER_SEARCH_BASE: OU=Users,DC=domain,DC=com
SYNC_LDAP_USER_OBJECT_CLASS: person
SYNC_GROUP_SEARCH_ENABLED: true
SYNC_GROUP_SEARCH_BASE: OU=Users,DC=domain,DC=com
SYNC_LDAP_GROUP_SEARCH_FILTER: cn=admin
SYNC_GROUP_OBJECT_CLASS: group
SYNC_GROUP_SEARCH_FIRST_ENABLED: true
SYNC_USER_SEARCH_ENABLED: true
{code}

Before Ranger 2.2, the above would synchronize only users that are members of the admin group. Starting from Ranger 2.2, it would synchronize all users that match the LDAP filter for the user search.

Was this functionality removed on purpose, or should this be considered a bug?

--
This message was sent by Atlassian Jira (v8.20.10#820010)
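
The two filtering approaches the report contrasts, as an added illustration that is not Ranger code and not part of the original message: in-memory filtering by membership in the synchronized groups, and the LDAP-side alternative, which needs one clause per group. It goes beyond the single admin group in the report by using two groups; every function name and directory entry is constructed, and the LDAP filter assumes user entries expose a memberOf attribute.

```python
# Added illustration, not Ranger code. All directory entries are constructed.

def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515 special characters)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def norm_dn(dn):
    # Simplified DN comparison: case-insensitive, ignoring spaces around commas.
    return ",".join(part.strip().lower() for part in dn.split(","))

def users_in_synced_groups(users, groups):
    """In-memory filtering: keep users that are members of a synchronized group."""
    members = {norm_dn(m) for g in groups for m in g["member"]}
    return [u["dn"] for u in users if norm_dn(u["dn"]) in members]

def member_of_filter(object_class, groups):
    """LDAP-side filtering: one memberOf clause per synchronized group.
    Assumes user entries expose memberOf, as Active Directory does."""
    clauses = "".join("(memberOf=%s)" % escape_filter_value(g["dn"]) for g in groups)
    return "(&(objectClass=%s)(|%s))" % (escape_filter_value(object_class), clauses)

# Constructed sample directory, using the search base from the report's config.
BASE = "OU=Users,DC=domain,DC=com"
GROUPS = [
    {"dn": "CN=admin," + BASE, "member": ["CN=alice," + BASE]},
    {"dn": "CN=ops (prod)," + BASE, "member": ["cn=carol, ou=Users, dc=domain, dc=com"]},
]
USERS = [{"dn": "CN=alice," + BASE}, {"dn": "CN=bob," + BASE}, {"dn": "CN=carol," + BASE}]

if __name__ == "__main__":
    print("all users matching the user search:", [u["dn"] for u in USERS])
    print("members of synchronized groups:   ", users_in_synced_groups(USERS, GROUPS))
    print("equivalent user search filter:    ", member_of_filter("person", GROUPS))
```

The filter string grows by one clause per synchronized group and has to be regenerated whenever the group search result changes, which is the maintenance burden the report describes.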