[ https://issues.apache.org/jira/browse/RANGER-5215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18010983#comment-18010983 ]
Dhaval Shah commented on RANGER-5215:
-------------------------------------

Merged into apache master : [https://github.com/apache/ranger/commit/a642800b86b2b6f76cbcf653c668f2c156a93594]

Thanks

> Policy authorisation fails for Ranger Plugins in case of users/groups
> converted by Ranger usersync as per given Regex
> -----------------------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-5215
>                 URL: https://issues.apache.org/jira/browse/RANGER-5215
>             Project: Ranger
>          Issue Type: Improvement
>          Components: Ranger, usersync
>            Reporter: Dhaval Shah
>            Assignee: Dhaval Shah
>            Priority: Major
>          Time Spent: 4h 10m
>  Remaining Estimate: 0h
>
> *Problem Statement:*
> Currently, when Ranger Usersync is configured with case conversion and
> special character replacement using regex, it transforms the original
> user/group names from the source (e.g., AD/LDAP) before storing them in the
> Ranger Admin database.
> *Example:*
>  * Original name in LDAP/AD: {{John-jacobs}}
>  * Usersync configuration:
>  ** {{ranger.usersync.ldap.username.caseconversion = lower}}
>  ** {{ranger.usersync.mapping.username.regex = s/[-]/_/g}}
>  * Transformed and stored name in Ranger: {{john_jacobs}}
> *Issue:*
> If a Ranger plugin (e.g., Hive) uses the original name {{John-jacobs}} during
> authorization checks, it fails because Ranger Admin only recognizes the
> transformed name {{john_jacobs}}.
> *Error Example:*
> {code:java}
> Permission denied: user [John-jacobs] does not have [SELECT] privilege on
> [vehicle/cars/*] {code}
> *Solution:*
> To ensure consistency, the same transformation logic used by Usersync must
> also be applied on the plugin side before authorization. This transformation
> should be made available as a utility library packaged with the plugins.
> *Configurability:*
> This feature must be configurable at the plugin level via a property (e.g.,
> {{ranger.plugin.<serviceType>.supports.name.transformation}}), allowing
> users to enable or disable it based on their environment needs.
> In ranger-admin-site.xml
> # ranger.plugins.conf.ldap.username.caseconversion
> # ranger.plugins.conf.ldap.groupname.caseconversion
> # ranger.plugins.conf.mapping.username.handler
> # ranger.plugins.conf.mapping.groupname.handler
> # ranger.plugins.conf.mapping.regex.separator
> # ranger.plugins.conf.mapping.username.regex
> # ranger.plugins.conf.mapping.groupname.regex



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
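The mismatch the ticket describes, replayed in code. This is an added example and not code from Apache Ranger or from the linked commit: it applies the two usersync settings quoted in the ticket (case conversion `lower`, then the rule `s/[-]/_/g`) on the plugin side before a toy policy lookup, so the same caller name is denied without the transformation and allowed with it. The class and method names (`NameTransformDemo`, `MappingRule`, `NameTransformer`, `isAllowed`, `findCollisions`), the `s<sep>pattern<sep>replacement<sep>flags` parsing, the order "case conversion first, then regex", the `/` default separator and the Java `$n` replacement syntax are all this example's own assumptions, not Ranger's implementation. `findCollisions` is the check a practitioner would want alongside such a mapping: a lossy rewrite can fold two distinct directory accounts onto one Ranger identity, so policies granted to one apply to the other.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example (assumption-based, not Ranger code): plugin-side replay of the Usersync name mapping. */
public class NameTransformDemo {

    /** One sed-style rule such as "s/[-]/_/g". Only the "g" flag is understood; the separator cannot be escaped. */
    static final class MappingRule {
        private final Pattern pattern;
        private final String replacement; // Java replacement syntax ($1 back-references), assumption
        private final boolean global;

        MappingRule(Pattern pattern, String replacement, boolean global) {
            this.pattern = pattern;
            this.replacement = replacement;
            this.global = global;
        }

        /** Parses "s<sep>pattern<sep>replacement<sep>flags"; a malformed rule fails loudly rather than passing names through unchanged. */
        static MappingRule parse(String rule, char sep) {
            if (rule == null || rule.length() < 4 || rule.charAt(0) != 's' || rule.charAt(1) != sep) {
                throw new IllegalArgumentException("malformed mapping rule: " + rule);
            }
            String[] parts = rule.substring(2).split(Pattern.quote(String.valueOf(sep)), -1);
            if (parts.length != 3) {
                throw new IllegalArgumentException("malformed mapping rule: " + rule);
            }
            return new MappingRule(Pattern.compile(parts[0]), parts[1], parts[2].contains("g"));
        }

        String apply(String name) {
            Matcher m = pattern.matcher(name);
            return global ? m.replaceAll(replacement) : m.replaceFirst(replacement);
        }
    }

    /** Case conversion ("lower", "upper" or "none") followed by the regex rules, mirroring the ticket's settings. */
    static final class NameTransformer {
        private final String caseConversion;
        private final List<MappingRule> rules;

        NameTransformer(String caseConversion, List<MappingRule> rules) {
            this.caseConversion = caseConversion;
            this.rules = rules;
        }

        String transform(String name) {
            String out = name;
            if ("lower".equalsIgnoreCase(caseConversion)) {
                out = out.toLowerCase(Locale.ROOT);
            } else if ("upper".equalsIgnoreCase(caseConversion)) {
                out = out.toUpperCase(Locale.ROOT);
            }
            for (MappingRule rule : rules) {
                out = rule.apply(out);
            }
            return out;
        }

        /** Returns stored-name -> source names for every stored name that more than one source name maps to. */
        Map<String, List<String>> findCollisions(List<String> sourceNames) {
            Map<String, List<String>> byStored = new HashMap<>();
            for (String source : sourceNames) {
                byStored.computeIfAbsent(transform(source), k -> new ArrayList<>()).add(source);
            }
            byStored.values().removeIf(sources -> sources.size() < 2);
            return byStored;
        }
    }

    /** Toy stand-in for the plugin's authorization step: policies are keyed on the name as stored by Usersync. */
    static boolean isAllowed(Map<String, Set<String>> policies, NameTransformer transformer,
                             boolean supportsNameTransformation, String user, String resource, String access) {
        String principal = supportsNameTransformation ? transformer.transform(user) : user;
        Set<String> grants = policies.get(principal + "@" + resource);
        return grants != null && grants.contains(access);
    }

    public static void main(String[] args) {
        // The ticket's values: caseconversion=lower, regex=s/[-]/_/g; separator '/' is assumed to be the default.
        NameTransformer transformer = new NameTransformer("lower", List.of(MappingRule.parse("s/[-]/_/g", '/')));
        // Constructed policy store: SELECT on vehicle/cars/* granted to the stored name john_jacobs.
        Map<String, Set<String>> policies = Map.of("john_jacobs@vehicle/cars/*", Set.of("SELECT"));

        System.out.println("stored name for John-jacobs: " + transformer.transform("John-jacobs"));
        System.out.println("plugin without transformation: "
                + isAllowed(policies, transformer, false, "John-jacobs", "vehicle/cars/*", "SELECT"));
        System.out.println("plugin with transformation: "
                + isAllowed(policies, transformer, true, "John-jacobs", "vehicle/cars/*", "SELECT"));
        // Two distinct directory accounts that this mapping collapses onto one Ranger identity.
        System.out.println("collisions: " + transformer.findCollisions(List.of("John-jacobs", "john_jacobs", "Alice")));
    }
}
```

Run with `javac NameTransformDemo.java && java NameTransformDemo`. The first lookup reproduces the ticket's denial because the raw caller name `John-jacobs` is not a policy subject; the second succeeds because the plugin now asks about `john_jacobs`, the same name Usersync stored. The collision line shows why the transformation should be reviewed against the directory before it is enabled: `John-jacobs` and a separately provisioned `john_jacobs` become indistinguishable to Ranger, so the plugin-side flag should only be switched on where the Usersync mapping is known to be injective over the real account set.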