Posted to dev@ranger.apache.org by "Nigel Jones (JIRA)" <ji...@apache.org> on 2017/09/01 15:22:00 UTC

[jira] [Commented] (RANGER-1486) New usersync alternative for Atlas (vdc)

    [ https://issues.apache.org/jira/browse/RANGER-1486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16150711#comment-16150711 ] 

Nigel Jones commented on RANGER-1486:
-------------------------------------

Thanks... the suggestion is purely to scope the groups based on a list from Atlas (we'll call them roles there, as that's usually how they are used). That's really the only change; other than effectively an additional predicate, usersync would work in the same way. I'm hoping it's a pragmatic way to significantly reduce how much user/group info is retrieved from LDAP in a large enterprise environment with many, many different apps & environments, and within which currently only a few roles are relevant to the data lake environment (& hence Atlas/Ranger). Maybe in future there are other ideas, including whether Ranger even needs to store these (I know it does now...) but that's for another day.

Makes sense?

Thanks, Nigel.

> New usersync alternative for Atlas (vdc)
> ----------------------------------------
>
>                 Key: RANGER-1486
>                 URL: https://issues.apache.org/jira/browse/RANGER-1486
>             Project: Ranger
>          Issue Type: New Feature
>          Components: usersync
>            Reporter: Nigel Jones
>            Assignee: Nigel Jones
>              Labels: VirtualDataConnector
>
> As part of the Atlas Virtualization Data Connector work we are using this within a large enterprise with a lot of users & groups stored in ldap.
> The connector -- which has a ranger plugin to apply access control policies -- is used by a relatively small subset of these users. However, that can't easily be transcribed to an optimal LDAP query.
> Since Atlas will have the definitive list of roles that are being used, this new usersync will instead retrieve a list of roles from Atlas, and will then use this list to retrieve only those users found in this list of roles from LDAP.
> This is an alternative usersync so shouldn't conflict and will use the same ranger APIs.



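The "additional predicate" idea discussed in this thread, sketched as an added example; this is not code from Ranger, Atlas or the issue. It turns a role list into batched LDAP group filters and escapes each role name per RFC 4515 so a name taken from another system cannot change the filter's structure. The function names, the `groupOfNames`/`cn` schema, the batch size and the sample roles are all assumptions.

```python
"""Build role-scoped LDAP group filters (constructed example)."""

# RFC 4515 section 3: these characters must be escaped in assertion values.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def role_scoped_filters(roles, base_filter="(objectClass=groupOfNames)",
                        name_attr="cn", batch_size=3):
    """Return LDAP filters matching only groups named in `roles`.

    base_filter, name_attr and batch_size are assumed defaults; a real
    deployment takes them from its directory schema and server limits.
    """
    # De-duplicate, drop blanks, keep a stable order for repeatable syncs.
    names = sorted({r.strip() for r in roles if r and r.strip()})
    filters = []
    for i in range(0, len(names), batch_size):
        terms = "".join(f"({name_attr}={escape_filter_value(n)})"
                        for n in names[i:i + batch_size])
        # AND the existing group filter with an OR over this batch of roles.
        filters.append(f"(&{base_filter}(|{terms}))")
    return filters  # empty role list -> no queries, so nothing is synced


# Constructed role list standing in for what Atlas would return.
SAMPLE_ROLES = ["data_steward", "analyst", "analyst", "hr)(cn=*", " ", "etl*"]

if __name__ == "__main__":
    for f in role_scoped_filters(SAMPLE_ROLES):
        print(f)
```

Batching keeps each filter below server-side size limits when the role list grows, and an empty role list yields no query at all rather than an unscoped one.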