[ https://issues.apache.org/jira/browse/RANGER-5215?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dhaval Shah updated RANGER-5215:
--------------------------------
Description:
*Problem Statement:*
Currently, when Ranger Usersync is configured with case conversion and special
character replacement using regex, it transforms the original user/group names
from the source (e.g., AD/LDAP) before storing them in the Ranger Admin
database.
*Example:*
* Original name in LDAP/AD: {{John-jacobs}}
* Usersync configuration:
** {{ranger.usersync.ldap.username.caseconversion = lower}}
** {{ranger.usersync.mapping.username.regex = s/[-]/_/g}}
* Transformed and stored name in Ranger: {{john_jacobs}}
*Issue:*
If a Ranger plugin (e.g., Hive) uses the original name {{John-jacobs}} during
authorization checks, it fails because Ranger Admin only recognizes the
transformed name {{john_jacobs}}.
*Error Example:*
{code}
Permission denied: user [John-jacobs] does not have [SELECT] privilege on
[vehicle/cars/*]
{code}
*Solution:*
To ensure consistency, the same transformation logic used by Usersync must also
be applied on the plugin side before authorization. This transformation should
be made available as a utility library packaged with the plugins.
*Configurability:*
This feature must be configurable at the plugin level via a property (e.g.,
{{ranger.plugin.<serviceType>.supports.name.transformation}}), allowing
users to enable or disable it based on their environment needs.
Corresponding plugin-side properties in ranger-admin-site.xml:
# ranger.plugins.ldap.username.caseconversion
# ranger.plugins.ldap.groupname.caseconversion
# ranger.plugins.mapping.username.handler
# ranger.plugins.mapping.groupname.handler
# ranger.plugins.mapping.regex.separator
# ranger.plugins.mapping.username.regex
# ranger.plugins.mapping.groupname.regex
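The following Python is an added illustration of the normalisation the ticket describes, not Ranger's own (Java) code: the plugin applies the same case conversion and sed-style regex rule as Usersync before matching a caller against the stored names. The {{ranger.plugins.*}} keys are the ones listed in the ticket; the order of operations (case conversion first, then the regex) and the single-rule parsing are assumptions.

```python
from __future__ import annotations
import re

# Constructed plugin-side config mirroring the ticket's Usersync example.
# Assumption: the ranger.plugins.* keys carry the same values as the
# ranger.usersync.* keys so both sides compute the same name.
CONFIG = {
    "ranger.plugins.ldap.username.caseconversion": "lower",
    "ranger.plugins.mapping.regex.separator": "/",
    "ranger.plugins.mapping.username.regex": "s/[-]/_/g",
}

def parse_sed_rule(rule: str, sep: str) -> tuple[re.Pattern, str, int]:
    """Parse 's<sep>pattern<sep>replacement<sep>flags'.
    Returns (compiled pattern, replacement, substitution count; 0 = all)."""
    parts = rule.split(sep)
    if len(parts) != 4 or parts[0] != "s":
        raise ValueError(f"unsupported mapping rule: {rule!r}")
    _, pattern, repl, flags = parts
    re_flags = re.IGNORECASE if "i" in flags else 0
    count = 0 if "g" in flags else 1  # sed semantics: no 'g' => first match only
    return re.compile(pattern, re_flags), repl, count

def transform_name(name: str, case_conversion: str, rule: str, sep: str) -> str:
    """Normalise a name the way Usersync does before storing it.
    Assumed order: case conversion first, then the regex rule."""
    if case_conversion == "lower":
        name = name.lower()
    elif case_conversion == "upper":
        name = name.upper()
    if rule:
        pattern, repl, count = parse_sed_rule(rule, sep)
        name = pattern.sub(repl, name, count=count)
    return name

def plugin_user_for_lookup(raw_user: str, config: dict, transformation_enabled: bool) -> str:
    """Name the plugin should match policies against; the raw name is used
    unchanged when the per-plugin feature flag from the ticket is off."""
    if not transformation_enabled:
        return raw_user
    return transform_name(
        raw_user,
        config.get("ranger.plugins.ldap.username.caseconversion", "none"),
        config.get("ranger.plugins.mapping.username.regex", ""),
        config.get("ranger.plugins.mapping.regex.separator", "/"),
    )

# Constructed stand-in for Ranger Admin's user store: Usersync already stored
# the transformed form, so only that spelling is known.
STORED_USERS = {"john_jacobs"}

def is_known_user(raw_user: str, config: dict, transformation_enabled: bool) -> bool:
    return plugin_user_for_lookup(raw_user, config, transformation_enabled) in STORED_USERS
```

With the flag off, the Hive-side lookup for {{John-jacobs}} misses exactly as in the error example; with it on, the lookup resolves to the stored {{john_jacobs}}.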
> Policy authorisation fails for Ranger Plugins in case of users/groups
> converted by Ranger usersync as per given Regex
> -----------------------------------------------------------------------------------------------------------------------
>
> Key: RANGER-5215
> URL: https://issues.apache.org/jira/browse/RANGER-5215
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger, usersync
> Reporter: Dhaval Shah
> Assignee: Dhaval Shah
> Priority: Major
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)