[
https://issues.apache.org/jira/browse/RANGER-827?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15123239#comment-15123239
]
Bolke de Bruin edited comment on RANGER-827 at 1/29/16 9:26 AM:
----------------------------------------------------------------
This is the second version of the patch:
1. It addresses the issue of not using system-supplied mechanisms for obtaining
users and groups
2. It allows explicitly enumerating groups to pick up users from these groups
that are otherwise not visible for performance reasons
(ranger.usersync.group.enumerate = true)
3. It allows adding extra groups to enumerate for groups that are not visible
to ranger by default (ranger.usersync.group.enumerategroup =
[email protected], [email protected], myipagroup)
4. It allows setting a minimum group id to enumerate users from for both
performance reasons (ranger is really too greedy), preventing information
overload to the user and security reasons
(ranger.usersync.unix.minGroupId = X)
5. As enumeration is potentially an expensive operation in addition to 4,
ranger.usersync.unix.updatemillismin defaults to 1 min (6000).
Not addressed in this patch (yet) is backwards compatibility with /etc/passwd
and /etc/group
was (Author: bolke):
This is the second version of the patch:
1. It addresses the issue of not using system-supplied mechanisms for obtaining
users and groups
2. It allows explicitly enumerating groups to pick up users from these groups
that are otherwise not visible for performance reasons
(ranger.usersync.group.enumerate = true)
3. It allows adding extra groups to enumerate for groups that are not visible
to ranger by default (ranger.usersync.group.enumerategroup =
[email protected], [email protected], myipagroup)
4. It allows setting a minimum group id to enumerate users from for both
performance reasons (ranger is really too greedy), preventing information
overload to the user and security reasons
(ranger.usersync.unix.minGroupId = X)
Not addressed in this patch (yet) is backwards compatibility with /etc/passwd
and /etc/group
> Use system supplied mechanism to get users and groups on unix
> -------------------------------------------------------------
>
> Key: RANGER-827
> URL: https://issues.apache.org/jira/browse/RANGER-827
> Project: Ranger
> Issue Type: Improvement
> Components: usersync
> Affects Versions: 0.5.1
> Reporter: Bolke de Bruin
> Labels: integration, pam, sssd, sync
> Fix For: 0.6.0
>
> Attachments: 0001-RANGER-827-Improve-unix-usersync.patch,
> usersync.patch
>
>
> The unix user sync currently reads /etc/passwd and /etc/groups. This is often
> not a reflection of users and groups available on a system, especially when
> nsswitch is configured (e.g. sssd, ldap etc).
> Secondly, in some cases groups will contain user names that are not returned
> with "getent passwd", especially "external users", and it is required to add
> these using the group information.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
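
Added example (not part of the JIRA comment or the attached patch): a Python illustration of the approach the issue describes, reading users and groups through NSS instead of the flat files, adding users that appear only as group members, looking up extra groups by name, and skipping groups below a minimum gid. The function names, the sample data and the exact minimum-gid semantics are assumptions made for this example.

```python
import grp
import pwd

# Constructed sample data (not from the issue): (group name, gid, members).
SAMPLE_PASSWD = ["root", "alice"]
SAMPLE_GROUPS = [
    ("root", 0, ["root"]),
    ("staff", 1000, ["alice"]),
    ("ipausers", 5000, ["alice", "bob@example.test"]),
]

def nss_users():
    """User names as NSS reports them (the 'getent passwd' view)."""
    return [p.pw_name for p in pwd.getpwall()]

def nss_groups(extra_groups=()):
    """Groups NSS enumerates, plus named groups looked up one by one."""
    found = {g.gr_name: g for g in grp.getgrall()}
    for name in extra_groups:
        if name not in found:
            try:
                found[name] = grp.getgrnam(name)
            except KeyError:
                pass  # group unknown to every NSS source: skip it
    return [(g.gr_name, g.gr_gid, list(g.gr_mem)) for g in found.values()]

def collect_users(passwd_names, groups, min_gid=0):
    """Map user -> sorted group names, adding users seen only as group members.

    Assumption for this example: groups with gid < min_gid are skipped entirely.
    """
    membership = {name: set() for name in passwd_names}
    for gname, gid, members in groups:
        if gid < min_gid:
            continue
        for user in members:
            membership.setdefault(user, set()).add(gname)
    return {user: sorted(gs) for user, gs in membership.items()}

if __name__ == "__main__":
    merged = collect_users(nss_users(), nss_groups(), min_gid=500)
    for user, groups in sorted(merged.items()):
        print(user, ",".join(groups))
```

Primary group membership (pw_gid) is not listed in gr_mem and is not merged by this example.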