Posted to dev@ranger.apache.org by "Sailaja Polavarapu (Jira)" <ji...@apache.org> on 2022/02/17 15:05:00 UTC

[jira] [Comment Edited] (RANGER-3630) Support wildcards, group short names, and list of memberof attribute DNs for computing user search filter

    [ https://issues.apache.org/jira/browse/RANGER-3630?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17493992#comment-17493992 ] 

Sailaja Polavarapu edited comment on RANGER-3630 at 2/17/22, 3:04 PM:
----------------------------------------------------------------------

 *Proposal:*

The majority of the use cases that filter users by the “memberof” attribute fall into two categories:
 # Unique pattern for the group name - example, “eng_dev” and “finance”
 # Group names with wildcard character - example, “eng_dev” and “eng_testing”

As noted earlier, since Active Directory supports neither wildcards nor short names of groups in memberof filters, Ranger usersync must be improved to generate the user search filter internally from a list of individual group names or group names with a wildcard character.

Instead of configuring the user search filter as one big string, a new configuration “ranger.usersync.ldap.groupnames” can be introduced for usersync. Its value can be a list of group DNs, a list of group short names, or a list of group names with a wildcard character, separated by ";" as below:
 # DN of the groups - "memberof=CN=finance,ou=Hadoop Groups,dc=apache,dc=org;memberof=CN=eng_dev,ou=Hadoop Groups,dc=apache,dc=org;memberof=CN=eng_testing,ou=Hadoop Groups,dc=apache,dc=org"
 # Short names of the groups - "CN=finance;CN=eng_dev;CN=eng_testing"
 # Group names with wildcard character - "CN=eng*;CN=finance"

*Usersync Changes:*

Usersync reads this new configuration value and determines whether the entries are group DNs, group short names, or group names with a wildcard character.
 # Values specified as DNs of the groups
 ## In this case ranger usersync builds the user search filter by concatenating each DN with an OR (|) operator
 ## Example - (|(memberof=CN=finance,ou=Hadoop Groups,dc=apache,dc=org)(memberof=CN=eng_dev,ou=Hadoop Groups,dc=apache,dc=org)(memberof=CN=eng_testing,ou=Hadoop Groups,dc=apache,dc=org))
 # Values specified as short names of the groups or with a wildcard character
 ## In this case ranger usersync first contacts the AD/LDAP server to retrieve the DNs of the specified groups.
 ## It then builds the user search filter by prepending each DN with “memberof=” and concatenating with an OR (|) operator

Notes:
 # This new configuration (ranger.usersync.ldap.groupnames) is read by usersync only when the “ranger.usersync.ldap.user.searchfilter” configuration value is empty.
 # When the “ranger.usersync.ldap.user.searchfilter” configuration value is not empty, usersync will ignore the value of the “ranger.usersync.ldap.groupnames” configuration.
 # All the configured group names (ranger.usersync.ldap.groupnames) are concatenated with only the OR (|) operator and are hardcoded to the “memberof” attribute.


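The two code paths in the proposal above (a DN list goes straight into an OR filter; short names and wildcard patterns are first resolved to DNs through a group lookup) together with the precedence notes, as an added example that is not Ranger usersync code. The function names, the objectClass=group lookup filter, the RFC 4515 escaping and the in-memory GROUPS list are the example's own assumptions. The escaping is the check a practitioner wants here: the proposal concatenates configured names directly into a filter, so a group CN containing parentheses or a backslash would otherwise produce exactly the "one misplaced character, nobody syncs" failure the ticket is trying to remove.

```python
"""Derive the usersync user search filter from ranger.usersync.ldap.groupnames.

Added example written for this page, not Apache Ranger usersync code; the
function names are the example author's own and the directory lookup is
replaced by an in-memory list of constructed group DNs so it runs offline.
"""
import fnmatch
import re

# RFC 4515: these characters must be escaped when a value is embedded in a
# search filter, otherwise a CN such as "Sales (EMEA)" breaks the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Split a DN on commas that are not RFC 4514-escaped (e.g. "Smith\, John").
_RDN_SPLIT = re.compile(r"(?<!\\),")


def escape_filter_value(value, keep_wildcard=False):
    """Escape one filter value; '*' survives only for declared wildcard patterns."""
    out = []
    for ch in value:
        if ch == "*":
            out.append("*" if keep_wildcard else r"\2a")
        else:
            out.append(_FILTER_ESCAPES.get(ch, ch))
    return "".join(out)


def classify(entry):
    """Return (kind, value): 'dn' (full DN, optional 'memberof=' prefix),
    'wildcard' (short name containing '*') or 'short' (e.g. CN=finance)."""
    entry = entry.strip()
    if entry.lower().startswith("memberof="):
        entry = entry[len("memberof="):]
    if len(_RDN_SPLIT.split(entry)) > 1:  # more than one RDN: a full DN
        return ("dn", entry)
    _attr, sep, value = entry.partition("=")
    if not sep or not value.strip():
        raise ValueError("unrecognised group entry: %r" % entry)
    value = value.strip()
    return ("wildcard" if "*" in value else "short", value)


def parse_groupnames(config_value):
    return [classify(e) for e in config_value.split(";") if e.strip()]


def group_lookup_filter(names, group_object_class="group"):
    """Filter sent to the group search base to resolve short names/wildcards to DNs."""
    terms = "".join("(cn=%s)" % escape_filter_value(v, keep_wildcard=(k == "wildcard"))
                    for k, v in names)
    if len(names) > 1:
        terms = "(|%s)" % terms
    return "(&(objectClass=%s)%s)" % (group_object_class, terms)


def resolve_group_dns(names, directory_group_dns):
    """Offline stand-in for that LDAP search: match each pattern against the CN
    of the constructed group entries, case-insensitively as AD would."""
    resolved = []
    for _kind, pattern in names:
        for dn in directory_group_dns:
            cn = _RDN_SPLIT.split(dn)[0].split("=", 1)[1]
            if fnmatch.fnmatchcase(cn.lower(), pattern.lower()) and dn not in resolved:
                resolved.append(dn)
    return resolved


def user_search_filter_from_dns(dns):
    """Prefix each DN with memberof= and OR them, escaping the DN for the filter."""
    terms = "".join("(memberof=%s)" % escape_filter_value(dn) for dn in dns)
    return "(|%s)" % terms if len(dns) > 1 else terms


def effective_user_search_filter(conf, directory_group_dns):
    """Precedence from the proposal: an explicit user.searchfilter wins and
    groupnames is consulted only when it is empty."""
    explicit = (conf.get("ranger.usersync.ldap.user.searchfilter") or "").strip()
    if explicit:
        return explicit
    names = parse_groupnames(conf.get("ranger.usersync.ldap.groupnames", ""))
    dns = [v for k, v in names if k == "dn"]
    lookups = [(k, v) for k, v in names if k != "dn"]
    for dn in resolve_group_dns(lookups, directory_group_dns):
        if dn not in dns:
            dns.append(dn)
    if not dns:
        # "(|)" is not a valid filter, and a pattern matching no group should
        # fail loudly rather than silently sync nobody.
        raise ValueError("no group DNs resolved from ranger.usersync.ldap.groupnames")
    return user_search_filter_from_dns(dns)


# Constructed sample directory (not real data), mirroring the DNs in the ticket.
GROUPS = [
    "CN=finance,ou=Hadoop Groups,dc=apache,dc=org",
    "CN=eng_dev,ou=Hadoop Groups,dc=apache,dc=org",
    "CN=eng_testing,ou=Hadoop Groups,dc=apache,dc=org",
    "CN=Sales (EMEA),ou=Hadoop Groups,dc=apache,dc=org",
]

if __name__ == "__main__":
    conf = {"ranger.usersync.ldap.groupnames": "CN=eng*;CN=finance"}
    print(group_lookup_filter(parse_groupnames(conf["ranger.usersync.ldap.groupnames"])))
    print(effective_user_search_filter(conf, GROUPS))
```

In a real run resolve_group_dns would be replaced by a search against the configured group search base using group_lookup_filter. Note that the wildcard is only ever sent in that cn lookup and never inside a memberof clause, which is the Active Directory limitation the ticket describes; the memberof clauses always carry fully escaped DNs.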

> Support wildcards, group short names, and list of memberof attribute DNs for computing user search filter
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-3630
>                 URL: https://issues.apache.org/jira/browse/RANGER-3630
>             Project: Ranger
>          Issue Type: New Feature
>          Components: Ranger, usersync
>            Reporter: Sailaja Polavarapu
>            Assignee: Sailaja Polavarapu
>            Priority: Major
>
> Ranger Usersync provides multiple configuration properties to sync users & groups from AD/LDAP. One of the key configuration properties is the User Search filter (ranger.usersync.ldap.user.searchfilter). Currently, the value of the user search filter must be a valid LDAP search filter and is used by ranger usersync “as is” to limit the number of users to be synced from AD/LDAP.
> Example values include:
>  # samaccountname=*
>  ** Syncs all users from a given user search base
>  # (|(memberof=CN=finance,ou=Hadoop Groups,dc=apache,dc=org)(memberof=CN=eng_dev,ou=Hadoop Groups,dc=apache,dc=org)(memberof=CN=eng_testing,ou=Hadoop Groups,dc=apache,dc=org))
>  ** Syncs users that are members of the finance, eng_dev, and eng_testing groups
> According to [Microsoft documentation|https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx], the wildcard character * is not allowed when the <AD Attribute> is a DN attribute. Examples of DN attributes are distinguishedName, manager, directReports, member, and memberOf. If users need to be synced from multiple Active Directory groups with memberOf filters, this value can quickly become a long string of OR-concatenated group DNs. A single misplaced character in this cryptic string results in all users failing to sync.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)