[ 
https://issues.apache.org/jira/browse/RANGER-3855?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Barbara Eckman reassigned RANGER-3855:
--------------------------------------

    Assignee: Barbara Eckman

> RangerExternalUserStoreRetriever class
> --------------------------------------
>
>                 Key: RANGER-3855
>                 URL: https://issues.apache.org/jira/browse/RANGER-3855
>             Project: Ranger
>          Issue Type: New Feature
>          Components: plugins, Ranger
>    Affects Versions: 3.0.0
>            Reporter: Barbara Eckman
>            Assignee: Barbara Eckman
>            Priority: Major
>         Attachments: 
> 0001-contextenricher-externalUserStoreRetrievers-first-co.patch
>
>
> Ranger version 3.0.0 provides a means, via a context enricher, to add or 
> retrieve attributes to the database of users for whom Ranger controls access. 
> This permits syntax like "Dumbo" in ${USER.aliases} in any Ranger policy 
> condition, including row and tag filters. This greatly enhances the ability 
> to provide custom Attribute-based Access Control based on the specific 
> business needs of one's organization.
> I believe that the original assumption was that such attributes would be 
> added to AD/LDAP and enter Ranger via regular user syncs. However, this 
> process does not currently work with Azure AD, which many organizations use. 
> Neither does it provide timely support for organizations for whom adding each 
> new attribute to AD would be subject to prolonged scrutiny by overworked 
> security teams.
> In the spirit of the RangerAdminUserStoreRetriever context enricher, we have 
> written a RangerExternalUserStoreRetriever class which adds arbitrary 
> attributes to Ranger users via external API calls, thus freeing additions to 
> the UserStore from dependency on AD/LDAP. We have also written a 
> RangerRoleUserStoreRetriever class, which transforms role membership into 
> user attributes, for ease of use in complex policy conditions.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)