Re: Review Request 66852: RANGER-1852: some groups missed to be sync if they are syncd from openldap If deltasync is enabled

2018-05-02 Thread Sailaja Polavarapu


> On April 30, 2018, 2:15 p.m., Velmurugan Periasamy wrote:
> > ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapDeltaUserGroupBuilder.java
> > Line 854 (original), 854 (patched)
> > 
> >
> > Use a configurable param for this?

Just to clarify, this is not the actual sync cycle interval. With Active
Directory we use the uSNChanged attribute to track changes. Periodically we
query for all objects in the subtree whose uSNChanged value is greater than or
equal to U. The query will return all objects that have changed since the
previous sync. Set U to the largest (uSNChanged+1) among these changed objects,
and you are ready to poll again. In this case uSNChanged is a sequential number
and hence incrementing by 1.

For OpenLdap servers, we use the modifyTimestamp attribute to track changes.
Periodically we query for all objects in the subtree whose modifyTimestamp value
is greater than or equal to U. The query will return all objects that have
changed since the previous sync. Set U to the largest (modifyTimestamp + 1sec)
among these changed objects, and you are ready to poll again. Since
modifyTimestamp is a timestamp value, we are incrementing by 1sec, which is the
lowest granularity of the timestamp value.

Since this is an internal implementation and for AD the modifyTimestamp is not
used, I don't think this should be a configurable parameter.

PS:- According to the RFC, the ldap search filter only supports greaterOrEqual
(>=) or lessOrEqual (<=)

Filter ::= CHOICE {
    and             [0] SET OF Filter,
    or              [1] SET OF Filter,
    not             [2] Filter,
    equalityMatch   [3] AttributeValueAssertion,
    substrings      [4] SubstringFilter,
    greaterOrEqual  [5] AttributeValueAssertion,
    lessOrEqual     [6] AttributeValueAssertion,
    present         [7] AttributeDescription,
    approxMatch     [8] AttributeValueAssertion,
    extensibleMatch [9] MatchingRuleAssertion
}


- Sailaja


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66852/#review202122
---


On April 27, 2018, 5:48 p.m., Sailaja Polavarapu wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/66852/
> ---
> 
> (Updated April 27, 2018, 5:48 p.m.)
> 
> 
> Review request for ranger.
> 
> 
> Bugs: RANGER-1852
> https://issues.apache.org/jira/browse/RANGER-1852
> 
> 
> Repository: ranger
> 
> 
> Description
> ---
> 
> Incrementing timestamp value for groups to 1sec instead of 1min. This is 
> in-sync with timestamp value for users.
> 
> 
> Diffs
> -
> 
>   
> ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapDeltaUserGroupBuilder.java
>  2288ab8e 
> 
> 
> Diff: https://reviews.apache.org/r/66852/diff/1/
> 
> 
> Testing
> ---
> 
> 1. Verified the existing unit tests ran successfully.
> 2. Verified basic usersync functionality with openldap server.
> 
> 
> Thanks,
> 
> Sailaja Polavarapu
> 
>
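
The polling scheme described in the reply above (query `modifyTimestamp >= U`, then set U to the largest value seen plus an increment), as an added example that is not part of the thread or of Ranger's code. The class, method and DN names and the `groupOfNames` object class are assumptions, and the directory is an in-memory map of constructed entries; it runs the same sequence with a 1 min and a 1 sec increment to show where a group modified between polls falls outside the next filter.

```java
import java.time.LocalDateTime;
import java.time.format.DateTimeFormatter;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added illustration; class, method and entry names are hypothetical, not Ranger's code.
public class DeltaSyncWatermark {
    // modifyTimestamp is LDAP generalizedTime in UTC with 1-second granularity.
    static final DateTimeFormatter GT = DateTimeFormatter.ofPattern("yyyyMMddHHmmss'Z'");

    static LocalDateTime ts(String generalizedTime) {
        return LocalDateTime.parse(generalizedTime, GT);
    }

    // LDAP filters have >= and <= but no strict >, so "changed since" is written as >= U.
    // groupOfNames is an assumed group object class.
    static String filter(LocalDateTime u) {
        return "(&(objectClass=groupOfNames)(modifyTimestamp>=" + GT.format(u) + "))";
    }

    // In-memory stand-in for the search: DNs whose modifyTimestamp >= u.
    static List<String> poll(Map<String, String> dir, LocalDateTime u) {
        List<String> hits = new ArrayList<>();
        for (Map.Entry<String, String> e : dir.entrySet())
            if (!ts(e.getValue()).isBefore(u)) hits.add(e.getKey());
        return hits;
    }

    // New U = largest modifyTimestamp among the returned entries + step; unchanged if none.
    static LocalDateTime advance(Map<String, String> dir, List<String> hits,
                                 LocalDateTime u, long stepSec) {
        LocalDateTime max = null;
        for (String dn : hits)
            if (max == null || ts(dir.get(dn)).isAfter(max)) max = ts(dir.get(dn));
        return max == null ? u : max.plusSeconds(stepSec);
    }

    public static void main(String[] args) {
        for (long step : new long[] {60, 1}) {               // 1 min (before the fix) vs 1 sec
            Map<String, String> dir = new LinkedHashMap<>();  // constructed sample entries
            dir.put("cn=dev,ou=groups", "20180427120010Z");
            LocalDateTime u = ts("20180427120000Z");
            u = advance(dir, poll(dir, u), u, step);
            // A second group is modified 30 s later, before the next poll runs.
            dir.put("cn=ops,ou=groups", "20180427120040Z");
            System.out.println("step=" + step + "s " + filter(u) + " -> " + poll(dir, u));
        }
    }
}
```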



Re: Review Request 66852: RANGER-1852: some groups missed to be sync if they are syncd from openldap If deltasync is enabled

2018-04-30 Thread Velmurugan Periasamy


Fix it, then Ship it!





ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapDeltaUserGroupBuilder.java
Line 854 (original), 854 (patched)


Use a configurable param for this?


- Velmurugan Periasamy

