Posted to oak-issues@jackrabbit.apache.org by "angela (JIRA)" <ji...@apache.org> on 2016/05/19 07:44:12 UTC

[jira] [Commented] (OAK-4087) Replace Sync of configured AutoMembership by Dynamic Principal Generation

    [ https://issues.apache.org/jira/browse/OAK-4087?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15290636#comment-15290636 ] 

angela commented on OAK-4087:
-----------------------------

with the introduction of the 'dynamic membership' option in OAK-4101, implementing this improvement should be really straightforward and just require additional handling for the auto-membership:

- {{DynamicSyncContext}}: also needs to implement {{applyMembership}} (and effectively not do anything there)
- {{ExternalPrincipalConfiguration}}: needs to become aware of the configured {{automembership}} and additionally include those auto-membership principals in the various methods of the {{PrincipalProvider}} implementation.

> Replace Sync of configured AutoMembership by Dynamic Principal Generation
> -------------------------------------------------------------------------
>
>                 Key: OAK-4087
>                 URL: https://issues.apache.org/jira/browse/OAK-4087
>             Project: Jackrabbit Oak
>          Issue Type: Improvement
>          Components: auth-external
>            Reporter: angela
>            Assignee: angela
>              Labels: performance
>
> the {{DefaultSyncConfig}} comes with a configuration option {{PARAM_USER_AUTO_MEMBERSHIP}} indicating the set of groups a given external user must always become member of upon sync into the repository.
> this results in groups containing almost all users in the system (at least those synchronized from the external IDP). while this behavior is straightforward (and corresponds to the behavior in the previous crx version), it wouldn't be necessary from a repository point of view as a given {{Subject}} can be populated from different principal sources and dealing with this kind of dynamic auto-membership was a typical use-case.
> what does that mean:
> instead of performing the automembership on the user management, the external authentication setup could come with an auto-membership {{PrincipalProvider}} implementation that would expose the desired group membership for all external principals (assuming that they were identified as such).
> [~tripod], do you remember if that was ever an option while building the {{oak-auth-external}} module? if not, could that be worth a second thought also in the light of OAK-3933?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)