[
https://issues.apache.org/jira/browse/RANGER-5215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18010983#comment-18010983
]
Dhaval Shah commented on RANGER-5215:
-------------------------------------
Merged into apache master:
[https://github.com/apache/ranger/commit/a642800b86b2b6f76cbcf653c668f2c156a93594]
Thanks
> Policy authorisation fails for Ranger Plugins in case of users/groups
> converted by Ranger usersync as per given Regex
> -----------------------------------------------------------------------------------------------------------------------
>
> Key: RANGER-5215
> URL: https://issues.apache.org/jira/browse/RANGER-5215
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger, usersync
> Reporter: Dhaval Shah
> Assignee: Dhaval Shah
> Priority: Major
> Time Spent: 4h 10m
> Remaining Estimate: 0h
>
> *Problem Statement:*
> Currently, when Ranger Usersync is configured with case conversion and
> special character replacement using regex, it transforms the original
> user/group names from the source (e.g., AD/LDAP) before storing them in the
> Ranger Admin database.
> *Example:*
> * Original name in LDAP/AD: {{John-jacobs}}
> * Usersync configuration:
> ** {{ranger.usersync.ldap.username.caseconversion = lower}}
> ** {{ranger.usersync.mapping.username.regex = s/[-]/_/g}}
> * Transformed and stored name in Ranger: {{john_jacobs}}
> *Issue:*
> If a Ranger plugin (e.g., Hive) uses the original name {{John-jacobs}} during
> authorization checks, it fails because Ranger Admin only recognizes the
> transformed name {{john_jacobs}}.
> *Error Example:*
> {code:java}
> Permission denied: user [John-jacobs] does not have [SELECT] privilege on [vehicle/cars/*]
> {code}
> *Solution:*
> To ensure consistency, the same transformation logic used by Usersync must
> also be applied on the plugin side before authorization. This transformation
> should be made available as a utility library packaged with the plugins.
> *Configurability:*
> This feature must be configurable at the plugin level via a property (e.g.,
> {{ranger.plugin.<serviceType>.supports.name.transformation}}), allowing
> users to enable or disable it based on their environment needs.
> In ranger-admin-site.xml
> # ranger.plugins.conf.ldap.username.caseconversion
> # ranger.plugins.conf.ldap.groupname.caseconversion
> # ranger.plugins.conf.mapping.username.handler
> # ranger.plugins.conf.mapping.groupname.handler
> # ranger.plugins.conf.mapping.regex.separator
> # ranger.plugins.conf.mapping.username.regex
> # ranger.plugins.conf.mapping.groupname.regex
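The mismatch described in the issue, reproduced as an added Python example (not Ranger's code and not the merged patch): the same regex mapping and case conversion are applied to the requesting user before a toy policy lookup, and a second helper lists source names that collapse to one Ranger name under the rule. The function names, the regex-then-case order, the literal treatment of the replacement and the sample data are assumptions made for illustration.

```python
import re
from collections import defaultdict

RULE = "s/[-]/_/g"  # value of ranger.usersync.mapping.username.regex in the issue

def parse_sed_rule(rule, sep="/"):
    """Split 's<sep>pattern<sep>replacement<sep>flags' into (regex, replacement, count)."""
    parts = rule.split(sep)  # simplification: the pattern may not contain sep
    if len(parts) != 4 or parts[0] != "s":
        raise ValueError(f"unsupported mapping rule: {rule!r}")
    _, pattern, replacement, flags = parts
    count = 0 if "g" in flags else 1  # re.sub: count=0 replaces every match
    return re.compile(pattern), replacement, count

def transform_name(name, rule=None, case_conversion="none"):
    """Regex mapping first, then case conversion (the order is an assumption)."""
    if rule:
        regex, replacement, count = parse_sed_rule(rule)
        # The lambda keeps the replacement literal (no backreference expansion).
        name = regex.sub(lambda _m: replacement, name, count=count)
    if case_conversion == "lower":
        return name.lower()
    if case_conversion == "upper":
        return name.upper()
    return name

# Constructed sample: the only name Ranger Admin knows is the transformed one.
POLICY_USERS = {"john_jacobs": {"SELECT"}}

def is_allowed(request_user, access, transform_enabled):
    """Toy policy lookup keyed on the stored (transformed) user name."""
    if transform_enabled:
        request_user = transform_name(request_user, RULE, "lower")
    return access in POLICY_USERS.get(request_user, set())

def find_collisions(source_names, rule, case_conversion):
    """Return transformed names that more than one distinct source name maps to."""
    groups = defaultdict(set)
    for name in source_names:
        groups[transform_name(name, rule, case_conversion)].add(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    print(is_allowed("John-jacobs", "SELECT", transform_enabled=False))  # plugin as before
    print(is_allowed("John-jacobs", "SELECT", transform_enabled=True))
    # Constructed directory listing: two distinct accounts end up as one Ranger name.
    print(find_collisions(["John-jacobs", "john_jacobs", "alice"], RULE, "lower"))
```

Running a collision check like this against the directory export before enabling a mapping shows whether distinct accounts would end up sharing one Ranger identity and its policies.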