Posted to dev@ranger.apache.org by Sailaja Polavarapu <sp...@hortonworks.com> on 2020/08/05 18:30:44 UTC

Review Request 72735: RANGER-2940: Added code to update user roles when group memberships are changed with AD/LDAP incremental sync

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72735/
-----------------------------------------------------------

Review request for ranger, Abhay Kulkarni, Mehul Parikh, Ramesh Mani, and Velmurugan Periasamy.


Bugs: RANGER-2940
    https://issues.apache.org/jira/browse/RANGER-2940


Repository: ranger


Description
-------

For AD/LDAP with incremental sync, usersync doesn't cache the user groups information. When group memberships are updated in AD/LDAP, role assignments for users in that group need to be recomputed based on the configured rules and other groups these users belong to. Since Ranger admin has all the information of all the groups these users belong to, added code to compute roles at ranger admin side. Added new API to update role assignments for users by passing the list of users and the configured role assignments from usersync to ranger admin.


Diffs
-----

  security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 6a5ca7bca 
  security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java 8ad5badaf 
  security-admin/src/main/java/org/apache/ranger/view/VXUsersGroupRoleAssignments.java PRE-CREATION 
  ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java 8dc05b016 
  ugsync/src/main/java/org/apache/ranger/unixusersync/model/UserGroupList.java 4553d020f 


Diff: https://reviews.apache.org/r/72735/diff/1/


Testing
-------

1. Patched cluster and tested functionality by modifying group memberships in Active Directory
2. Verified existing unit tests are successful


Thanks,

Sailaja Polavarapu
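
The recomputation described in the request above, as an added sketch that is not part of the original e-mail and is not Ranger's code. The class, method and group names are hypothetical, the rule precedence (per-user rule first, then the first matching group rule) and the ROLE_USER fallback are assumptions, and the sample memberships are constructed.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added illustration: class, method and group names are hypothetical, not Ranger's own code.
public class RoleRecomputeSketch {
    static final String DEFAULT_ROLE = "ROLE_USER"; // assumed fallback when no rule matches

    // Assumed precedence: a per-user rule wins, then the first matching group rule in listed order.
    static String computeRole(String user, Set<String> groups,
                              Map<String, String> userRules,
                              Map<String, String> groupRules) {
        String role = userRules.get(user);
        if (role != null) {
            return role;
        }
        for (Map.Entry<String, String> rule : groupRules.entrySet()) {
            if (groups.contains(rule.getKey())) {
                return rule.getValue();
            }
        }
        return DEFAULT_ROLE;
    }

    public static void main(String[] args) {
        Map<String, String> userRules = Map.of(); // no per-user rules in this sample
        Map<String, String> groupRules = new LinkedHashMap<>(); // keeps rule order
        groupRules.put("platform-admins", "ROLE_SYS_ADMIN");
        groupRules.put("key-custodians", "ROLE_KEY_ADMIN");

        // Constructed sample: alice and bob were just removed from platform-admins in the directory.
        // The admin side holds every remaining membership; the sync side saw only the changed group.
        Map<String, Set<String>> groupsKnownToAdmin = new LinkedHashMap<>();
        groupsKnownToAdmin.put("alice", Set.of("key-custodians", "analysts"));
        groupsKnownToAdmin.put("bob", Set.of("analysts"));
        Set<String> groupsSeenInDelta = Set.of(); // nothing left once the changed group is removed
        String storedRole = "ROLE_SYS_ADMIN";     // role both users held before the change

        for (String user : List.of("alice", "bob")) {
            String fromDelta = computeRole(user, groupsSeenInDelta, userRules, groupRules);
            String fromAdmin = computeRole(user, groupsKnownToAdmin.get(user), userRules, groupRules);
            System.out.printf("%-6s stored=%s deltaOnly=%s recomputed=%s%n",
                    user, storedRole, fromDelta, fromAdmin);
        }
    }
}
```

Leaving the stored role untouched keeps the admin role after the user has left the group, and computing from the delta alone ignores the role a user still earns through another group. Only the run over the full membership set matches the configured rules for both users.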


Re: Review Request 72735: RANGER-2940: Added code to update user roles when group memberships are changed with AD/LDAP incremental sync

Posted by Abhay Kulkarni <ak...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72735/#review221688
-----------------------------------------------------------


Ship it!

- Abhay Kulkarni


On Aug. 5, 2020, 6:30 p.m., Sailaja Polavarapu wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72735/
> -----------------------------------------------------------
> 
> (Updated Aug. 5, 2020, 6:30 p.m.)
> 
> 
> Review request for ranger, Abhay Kulkarni, Mehul Parikh, Ramesh Mani, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2940
>     https://issues.apache.org/jira/browse/RANGER-2940
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> For AD/LDAP with incremental sync, usersync doesn't cache the user groups information. When group memberships are updated in AD/LDAP, role assignments for users in that group need to be recomputed based on the configured rules and other groups these users belong to. Since Ranger admin has all the information of all the groups these users belong to, added code to compute roles at ranger admin side. Added new API to update role assignments for users by passing the list of users and the configured role assignments from usersync to ranger admin.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 6a5ca7bca 
>   security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java 8ad5badaf 
>   security-admin/src/main/java/org/apache/ranger/view/VXUsersGroupRoleAssignments.java PRE-CREATION 
>   ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapPolicyMgrUserGroupBuilder.java 8dc05b016 
>   ugsync/src/main/java/org/apache/ranger/unixusersync/model/UserGroupList.java 4553d020f 
> 
> 
> Diff: https://reviews.apache.org/r/72735/diff/1/
> 
> 
> Testing
> -------
> 
> 1. Patched cluster and tested functionality by modifying group memberships in Active Directory
> 2. Verified existing unit tests are successful
> 
> 
> Thanks,
> 
> Sailaja Polavarapu
> 
>