[ 
https://issues.apache.org/jira/browse/RANGER-5215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18010983#comment-18010983
 ] 

Dhaval Shah commented on RANGER-5215:
-------------------------------------

Merged into apache master:
[https://github.com/apache/ranger/commit/a642800b86b2b6f76cbcf653c668f2c156a93594]
Thanks

> Policy authorisation fails for Ranger Plugins in case of users/groups 
> converted by Ranger usersync as per given Regex
> -----------------------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-5215
>                 URL: https://issues.apache.org/jira/browse/RANGER-5215
>             Project: Ranger
>          Issue Type: Improvement
>          Components: Ranger, usersync
>            Reporter: Dhaval Shah
>            Assignee: Dhaval Shah
>            Priority: Major
>          Time Spent: 4h 10m
>  Remaining Estimate: 0h
>
> *Problem Statement:*
> Currently, when Ranger Usersync is configured with case conversion and 
> special character replacement using regex, it transforms the original 
> user/group names from the source (e.g., AD/LDAP) before storing them in the 
> Ranger Admin database.
> *Example:*
>  * Original name in LDAP/AD: {{John-jacobs}}
>  * Usersync configuration:
>  ** {{ranger.usersync.ldap.username.caseconversion = lower}}
>  ** {{ranger.usersync.mapping.username.regex = s/[-]/_/g}}
>  * Transformed and stored name in Ranger: {{john_jacobs}}
> *Issue:*
> If a Ranger plugin (e.g., Hive) uses the original name {{John-jacobs}} during 
> authorization checks, it fails because Ranger Admin only recognizes the 
> transformed name {{john_jacobs}}.
> *Error Example:*
> {code:java}
> Permission denied: user [John-jacobs] does not have [SELECT] privilege on [vehicle/cars/*]
> {code}
> *Solution:*
> To ensure consistency, the same transformation logic used by Usersync must 
> also be applied on the plugin side before authorization. This transformation 
> should be made available as a utility library packaged with the plugins.
> *Configurability:*
> This feature must be configurable at the plugin level via a property (e.g., 
> {{ranger.plugin.<serviceType>.supports.name.transformation}}), allowing 
> users to enable or disable it based on their environment needs.
> In ranger-admin-site.xml:
>  # ranger.plugins.conf.ldap.username.caseconversion
>  # ranger.plugins.conf.ldap.groupname.caseconversion
>  # ranger.plugins.conf.mapping.username.handler
>  # ranger.plugins.conf.mapping.groupname.handler
>  # ranger.plugins.conf.mapping.regex.separator
>  # ranger.plugins.conf.mapping.username.regex
>  # ranger.plugins.conf.mapping.groupname.regex
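
The mismatch described in the issue, and the effect of applying the same transformation on the plugin side, as an added example that is not part of the issue or of the Ranger code base. The class and method names are hypothetical, the rule parser handles only the plain `s<sep>pattern<sep>replacement<sep>[g]` form, and applying the regex before the case conversion is an assumption (for the issue's example either order gives the same name).

```java
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration, not Ranger code: NameTransformDemo and its methods are hypothetical.
public class NameTransformDemo {
    // Parse a sed-style rule such as s/[-]/_/g and apply it to a name.
    static String applySedRule(String rule, String name) {
        if (rule == null || rule.length() < 4 || rule.charAt(0) != 's') {
            throw new IllegalArgumentException("expected s<sep>pattern<sep>replacement<sep>[g]: " + rule);
        }
        // The character after 's' is the separator; escaped separators are not supported here.
        String sep = Pattern.quote(String.valueOf(rule.charAt(1)));
        String[] parts = rule.substring(2).split(sep, -1);
        if (parts.length != 3) {
            throw new IllegalArgumentException("malformed rule: " + rule);
        }
        Matcher m = Pattern.compile(parts[0]).matcher(name);
        String replacement = Matcher.quoteReplacement(parts[1]);
        return parts[2].contains("g") ? m.replaceAll(replacement) : m.replaceFirst(replacement);
    }

    // Assumed order: regex mapping first, then case conversion.
    static String transform(String name, String rule, String caseConversion) {
        String out = applySedRule(rule, name);
        switch (caseConversion) {
            case "lower": return out.toLowerCase(Locale.ROOT);
            case "upper": return out.toUpperCase(Locale.ROOT);
            default:      return out; // "none": keep the case delivered by the source
        }
    }

    public static void main(String[] args) {
        String rule = "s/[-]/_/g";        // ranger.usersync.mapping.username.regex from the issue
        String caseConversion = "lower";  // ranger.usersync.ldap.username.caseconversion from the issue

        // Policy users as stored after Usersync transformed the LDAP/AD name.
        Set<String> policyUsers = Set.of(transform("John-jacobs", rule, caseConversion));

        String requestUser = "John-jacobs"; // name the plugin sees at authorization time
        boolean rawMatch = policyUsers.contains(requestUser);
        boolean transformedMatch = policyUsers.contains(transform(requestUser, rule, caseConversion));
        System.out.println("raw name matches policy:         " + rawMatch);
        System.out.println("transformed name matches policy: " + transformedMatch);
    }
}
```

The lookup only succeeds when the plugin uses exactly the same rule and case setting as Usersync, which is why the issue proposes distributing those settings to the plugins.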



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
