I've been mulling over an issue recently and am interested in any
thoughts... I'm pretty new to Ranger, so very ready to hear why this
could never work ;-)
Today, in an LDAP-managed enterprise environment, user & group information
is replicated from the LDAP server, such as MS Active Directory, by the
usersync process. I have some control over:
- the base DN
- whether to pull a list of groups from each user, or users from groups
- what additional attributes are pulled
This is then persisted in Ranger & gets pulled by the plugins.
However, in some environments:
- the number of users in LDAP could be very high (100,000+)
- it may be difficult to scope the query where Ranger is securing
access to an enterprise service
If we assume any kind of service that involves a "connect" as well as
read/write operations, there could be an opportunity to retrieve
user/group information for that user at that point. It could then be
saved within the plugin to be used at data access time.
As a variation, potentially we could still populate group (or role)
information in the Ranger server, making it easier for policy definitions.
Has anyone considered this as an option?
In some environments, selecting a subset of groups (which may be used as
roles) and just pulling users there MAY help if the applications being
secured have a more limited audience.
If it sounds interesting, I'm inclined to work through the flows in more
detail.
Thanks
Nigel.
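An added illustration of the two approaches contrasted in the post above (an eager usersync-style pull of every user versus resolving a user's groups at "connect" time and caching them in the plugin). This is example code written for this thread, not Ranger's usersync or plugin code: the in-memory `FakeDirectory` stands in for an LDAP server, and the class names, TTL cache, policy format and the fail-closed behaviour when the directory is unreachable are all assumptions made here, not Ranger behaviour.

```python
"""Lazy, per-connect group resolution with a TTL cache (illustration only).

Not Ranger code. FakeDirectory is a constructed stand-in for LDAP; the
resolver, policy shape and failure handling are assumptions for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


class DirectoryUnavailable(Exception):
    """Raised by the stand-in directory to simulate an unreachable LDAP server."""


@dataclass
class FakeDirectory:
    """Constructed stand-in for LDAP: user -> groups the user is a member of."""
    members: Dict[str, FrozenSet[str]]
    queries: int = 0          # number of per-user lookups issued so far
    available: bool = True    # flip to False to simulate an LDAP outage

    def groups_of(self, user: str) -> FrozenSet[str]:
        if not self.available:
            raise DirectoryUnavailable(user)
        self.queries += 1
        return self.members.get(user, frozenset())


def sync_all_users(directory: FakeDirectory) -> Dict[str, FrozenSet[str]]:
    """Eager usersync-style pull: one lookup per user, however many users exist."""
    return {user: directory.groups_of(user) for user in list(directory.members)}


@dataclass
class _Entry:
    groups: FrozenSet[str]
    fetched_at: float


@dataclass
class LazyGroupResolver:
    """Resolves a user's groups on first connect and caches them for `ttl` seconds."""
    directory: FakeDirectory
    ttl: float = 300.0
    cache: Dict[str, _Entry] = field(default_factory=dict)

    def groups_for(self, user: str, now: float) -> Optional[FrozenSet[str]]:
        """Return the user's groups, or None if they cannot be determined.

        A fresh cache hit costs no directory traffic. A miss or an expired
        entry costs exactly one lookup. Unknown users are cached as an empty
        set so repeated connects from a non-existent account do not hammer
        the directory. If the directory is unreachable, a stale entry is
        served; with nothing cached the caller gets None and should deny.
        """
        entry = self.cache.get(user)
        if entry is not None and now - entry.fetched_at < self.ttl:
            return entry.groups
        try:
            groups = self.directory.groups_of(user)
        except DirectoryUnavailable:
            return entry.groups if entry is not None else None
        self.cache[user] = _Entry(groups, now)
        return groups


def is_allowed(resolver: LazyGroupResolver, user: str, resource: str,
               action: str, policies: List[dict], now: float) -> bool:
    """Group-keyed policy check at data access time; denies if groups are unknown."""
    groups = resolver.groups_for(user, now)
    if groups is None:
        return False  # fail closed rather than guessing memberships
    return any(p["resource"] == resource and action in p["actions"]
               and p["group"] in groups for p in policies)


if __name__ == "__main__":
    # Constructed sample directory and a single read policy for the demo.
    directory = FakeDirectory({"alice": frozenset({"analysts"}),
                               "bob": frozenset({"ops"}),
                               "carol": frozenset()})
    policies = [{"resource": "sales_db", "actions": {"read"}, "group": "analysts"}]
    resolver = LazyGroupResolver(directory, ttl=60)
    print("alice read :", is_allowed(resolver, "alice", "sales_db", "read", policies, now=0))
    print("alice write:", is_allowed(resolver, "alice", "sales_db", "write", policies, now=10))
    print("lookups so far:", directory.queries)   # 1: second check hit the cache
```

The point the example makes is the cost model: `sync_all_users` issues one lookup per directory user regardless of who ever connects, while `LazyGroupResolver` only ever looks up the users that actually connect, at the price of having to decide what happens when LDAP is down (here: serve a stale entry if there is one, otherwise deny).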