[ https://issues.apache.org/jira/browse/OAK-4101?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
angela resolved OAK-4101.
-------------------------
Resolution: Fixed
Fix Version/s: 1.5.3
Committed revision 1744292.
In addition to the findings reported by [~tripod], I found some issues in the
test-cases, wrote additional tests for the principal query, renamed the new,
derived SyncContext implementation and moved it to the impl package.
Then: adjusted the external-auth benchmark base and improved the documentation
of the feature (and default user sync in general).
[~baedke], I would appreciate it if you could take a closer look at the committed
changes and the documentation. I would suggest opening new follow-up issues for
your findings and only reopening this one if you find fundamental mistakes or
inconsistencies.
> Consider separate external (group) principal management
> -------------------------------------------------------
>
> Key: OAK-4101
> URL: https://issues.apache.org/jira/browse/OAK-4101
> Project: Jackrabbit Oak
> Issue Type: New Feature
> Components: auth-external
> Reporter: angela
> Assignee: angela
> Fix For: 1.5.3
>
> Attachments: OAK-4101.patch, OAK-4101_test.patch
>
>
> Given the fact that user management is delegated to an external IDP provider,
> we might reconsider the current approach that attempts to synchronize users
> and particularly groups and their membership into the repository.
> What would be left with the repository is a dedicated {{PrincipalProvider}} for
> external groups (and maybe even users at a later stage), making sure that
> - the {{Subject}} is properly populated with {{Principal}}s upon login
> - access control can still be properly set up and managed in the repository
> for the principals defined in the external IDP.
> The consequences would be:
> - external groups (and potentially users) would no longer be made available to
> the default user management implementation. Alternatively: make them
> available as read-only stubs, i.e. group membership as defined by the IDP could
> no longer be changed/manipulated in the repository.
> - they are however exposed as principals to assert proper authentication +
> authorization. Note: any UI that properly reflects the fact that access
> control is being edited for principals (and not for users/groups) would not
> be affected at all; others might need to be adjusted to additionally support
> AC management based on the {{PrincipalManager}}.
> I will try to come up with a POC as soon as I find some time.
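The design sketched in the issue description (external groups exposed as principals that populate the Subject at login and can be referenced in repository ACLs, but are never made editable through user management) can be illustrated with a small read-only PrincipalProvider. The following is an added example, not code from Oak, from the committed patch, or from the issue's attachments. It assumes the Oak 1.4/1.5-era shape of org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider (getGroupMembership returning Set<Group>, java.security.acl.Group for group principals), that an external user's principal name equals its IDP user id, and it replaces the IDP with a constructed in-memory directory. The class names IdpGroupPrincipalProvider and IdpGroup and all user and group names are hypothetical.

```java
import java.security.Principal;
import java.security.acl.Group;
import java.util.*;

import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider;

// Added example, not Oak's own implementation: IDP-defined groups exposed as
// read-only principals. Assumes the Oak 1.4/1.5-era PrincipalProvider interface
// and that an external user's principal name equals its IDP user id.
public class IdpGroupPrincipalProvider implements PrincipalProvider {

    // Constructed stand-in for the IDP: user id -> direct groups, group -> direct parents.
    private static final Map<String, Set<String>> USER_GROUPS = new HashMap<>();
    private static final Map<String, Set<String>> GROUP_PARENTS = new HashMap<>();
    static {
        USER_GROUPS.put("alice", new HashSet<>(Arrays.asList("idp-editors")));
        USER_GROUPS.put("bob", new HashSet<>(Arrays.asList("idp-staff")));
        GROUP_PARENTS.put("idp-editors", Collections.singleton("idp-staff")); // editors are staff
        GROUP_PARENTS.put("idp-staff", Collections.<String>emptySet());
    }

    /** Direct IDP groups of a user or group principal, or null if the IDP does not know it. */
    private static Set<String> directGroups(Principal p) {
        return p instanceof IdpGroup ? GROUP_PARENTS.get(p.getName()) : USER_GROUPS.get(p.getName());
    }

    /** Transitive closure over IDP group nesting; cycle-safe because visited groups are skipped. */
    private static Set<String> closure(Set<String> direct) {
        Set<String> result = new LinkedHashSet<>();
        Deque<String> todo = new ArrayDeque<>(direct);
        while (!todo.isEmpty()) {
            String g = todo.pop();
            Set<String> parents = GROUP_PARENTS.get(g);
            if (result.add(g) && parents != null) {
                todo.addAll(parents);
            }
        }
        return result;
    }

    private static Set<Group> toGroups(Set<String> names) {
        Set<Group> groups = new HashSet<>();
        for (String n : names) {
            groups.add(new IdpGroup(n));
        }
        return groups;
    }

    @Override public Principal getPrincipal(String principalName) {
        // Only IDP groups are resolved here; user principals stay with the default provider.
        return GROUP_PARENTS.containsKey(principalName) ? new IdpGroup(principalName) : null;
    }

    @Override public Set<Group> getGroupMembership(Principal principal) {
        Set<String> direct = directGroups(principal);
        return direct == null ? Collections.<Group>emptySet() : toGroups(closure(direct));
    }

    @Override public Set<? extends Principal> getPrincipals(String userID) {
        // Consulted at login: these principals end up in the Subject, so an ACE
        // granted to "idp-staff" in the repository applies to both alice and bob.
        Set<String> direct = USER_GROUPS.get(userID);
        return direct == null ? Collections.<Principal>emptySet() : toGroups(closure(direct));
    }

    @Override public Iterator<? extends Principal> findPrincipals(String nameHint, int searchType) {
        Set<Principal> hits = new HashSet<>();
        if (searchType != PrincipalManager.SEARCH_TYPE_NOT_GROUP) {
            for (String g : GROUP_PARENTS.keySet()) {
                if (nameHint == null || g.contains(nameHint)) {
                    hits.add(new IdpGroup(g));
                }
            }
        }
        return hits.iterator();
    }

    @Override public Iterator<? extends Principal> findPrincipals(int searchType) {
        return findPrincipals(null, searchType);
    }

    /** Read-only group principal: membership belongs to the IDP and cannot be edited in the repository. */
    static final class IdpGroup implements Group {
        private final String name;
        IdpGroup(String name) { this.name = name; }
        @Override public String getName() { return name; }

        @Override public boolean isMember(Principal member) {
            Set<String> direct = directGroups(member);
            return direct != null && closure(direct).contains(name);
        }

        @Override public Enumeration<? extends Principal> members() {
            // Only nested IDP groups are enumerated; users are not exposed through this provider.
            Set<Principal> nested = new HashSet<>();
            for (String g : GROUP_PARENTS.keySet()) {
                if (!g.equals(name) && closure(GROUP_PARENTS.get(g)).contains(name)) {
                    nested.add(new IdpGroup(g));
                }
            }
            return Collections.enumeration(nested);
        }

        @Override public boolean addMember(Principal p) { throw new UnsupportedOperationException("membership is defined by the IDP"); }
        @Override public boolean removeMember(Principal p) { throw new UnsupportedOperationException("membership is defined by the IDP"); }
        @Override public boolean equals(Object o) { return o instanceof IdpGroup && name.equals(((IdpGroup) o).name); }
        @Override public int hashCode() { return name.hashCode(); }
    }
}
```

Registered next to the default provider, this gives exactly the split the description asks for: PrincipalManager.getPrincipal("idp-staff") resolves, so an AccessControlManager policy can grant to that principal and a login for "alice" carries "idp-editors" and "idp-staff" in its Subject, while nothing in UserManager ever returns an "idp-staff" group and any attempt to add or remove members through the Group principal fails. A UI that edits ACLs by principal keeps working; one that goes through UserManager to pick grantees would need the PrincipalManager-based path the description mentions.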