On 12/02/2017 10:40, Zsombor wrote:
If the performance of the LDAP server ever becomes a bottleneck, I would
rather see a dedicated/embedded LDAP server which is synchronized
automatically from the main LDAP server. I guess this could be more easily
implemented than a complex partial synchronization/cache scenario.
Having explored the requirements a little more, though, I can identify a
small set of roles (LDAP groups) that constrain the number of users I'd
want to replicate into Ranger. There's no easy way to do this via an
LDAP query (the directory contains a huge number of users and can't easily be
changed in this environment); for example, I can't query the list of
users belonging to a particular role. In any case, over time the number
of users will increase.
If I were to ONLY sync the groups, and not the users, what breaks...
1. In the Ranger UI I can only define policies based on roles (groups),
which seems fine (if combined with a few local/admin roles).
2. Each plugin would need to issue an LDAP query on first request to
pull in user attributes from LDAP, specifically in order to determine the
role/userid association. Issues here include:
a) extra configuration for the plugin;
b) a realtime query to a remote system, something we do not do in
Ranger today. In mitigation, if LDAP is down other infrastructure breaks
in any case, and an LDAP query is quick;
c) this needs to go into every plugin as configurable;
d) this could occur during any kind of connection phase or on first
request by a particular user, but how is somewhat engine dependent.
Will raise a JIRA....
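As an added example that is not from this thread or from Ranger's code base, the following Python sketches the plugin-side behaviour described in point 2: on a user's first request the plugin resolves that user's groups from the directory, caches the result for a TTL, and evaluates a policy that is defined on groups only (point 1). The memberOf-style attribute, the sample directory entries, the policy, the resource name and the `sample_lookup` stand-in for the real LDAP search are all constructed assumptions. It also makes one choice the thread leaves open: when the directory is unreachable and the user's groups are not cached, the request is denied.

```python
"""Plugin-side group resolution for a "groups only" sync (added example,
not Ranger code). Directory contents, attribute shape and policy are
constructed for illustration."""
import time
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed sample directory: user DN -> attributes, in the shape an LDAP
# search returning a memberOf attribute would yield (assumption).
SAMPLE_DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "memberOf": ["cn=hive-analysts,ou=groups,dc=example,dc=com",
                     "cn=all-staff,ou=groups,dc=example,dc=com"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "memberOf": ["cn=all-staff,ou=groups,dc=example,dc=com"]},
}


class DirectoryUnavailable(Exception):
    """Raised by the lookup when the directory cannot be reached."""


def sample_lookup(uid: str) -> List[str]:
    """Stand-in for the real LDAP search (assumption): returns the memberOf
    values of the user's entry, or [] when the user does not exist."""
    dn = f"uid={uid},ou=people,dc=example,dc=com"
    entry = SAMPLE_DIRECTORY.get(dn)
    return list(entry["memberOf"]) if entry else []


def cn_of(dn: str) -> Optional[str]:
    """Return the first CN RDN value of a DN ('hive-analysts'), or None.
    Splits on plain commas; escaped commas in RDN values are not handled."""
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.lower() == "cn" and value:
            return value
    return None


class GroupResolver:
    """Resolves a user's group names on first request and caches them."""

    def __init__(self, lookup: Callable[[str], List[str]],
                 ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._lookup = lookup
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache: Dict[str, Tuple[float, FrozenSet[str]]] = {}

    def groups_for(self, uid: str) -> Set[str]:
        now = self._clock()
        hit = self._cache.get(uid)
        if hit is not None and hit[0] > now:
            return set(hit[1])              # cached and still fresh: no query
        # First request, or cache expired: one query to the directory.
        groups = frozenset(g for g in (cn_of(dn) for dn in self._lookup(uid)) if g)
        self._cache[uid] = (now + self._ttl, groups)
        return set(groups)


def is_allowed(resolver: GroupResolver, policy: Dict[str, Set[str]],
               uid: str, resource: str) -> bool:
    """Group-only policy: allowed iff the user holds a group the policy
    grants on the resource. Fails closed when the directory is unreachable
    and nothing fresh is cached (added design choice, not from the thread)."""
    try:
        groups = resolver.groups_for(uid)
    except DirectoryUnavailable:
        return False
    return bool(groups & policy.get(resource, set()))


if __name__ == "__main__":
    resolver = GroupResolver(sample_lookup, ttl_seconds=60)
    policy = {"hive:sales_db": {"hive-analysts"}}    # constructed policy
    for user in ("alice", "bob", "carol"):
        print(user, is_allowed(resolver, policy, user, "hive:sales_db"))
```

The TTL bounds how long a user keeps access after being removed from a group in the directory, so it should be chosen with that in mind rather than only for query cost.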