[https://issues.apache.org/jira/browse/OAK-4087?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15298182#comment-15298182]
angela commented on OAK-4087:
-----------------------------
attached a proposed fix including test-cases (doc update will follow) with the
following implementation details:
- additional service tracker with {{ExternalPrincipalConfiguration}} listening
for idp-synchandler mappings
- if dynamic membership is enabled the {{PrincipalProvider}} will be
constructed with a lookup that allows mapping IDP names to the auto-membership
configured by the corresponding sync-handler
- note: a given sync-handler configuration might consequently be used by
multiple IDPs; incomplete mappings of idp/synchandler will be ignored;
conflicting configurations will be logged
- upon {{PrincipalProvider.getPrincipals(String)}} and
{{PrincipalProvider.getGroupPrincipals(Principal)}} the principals associated
with the auto-membership entries (i.e. groupIDs) will additionally be added to
the set of {{Principal}}. the configured auto-membership is determined based on
the IDP as stored in {{rep:externalId}} and looked up from the map
- according to the behavior in full-sync mode, auto-membership entries that
cannot be resolved to an existing {{Group}} will be ignored
[~tripod], i would appreciate if you could review it.
> Replace Sync of configured AutoMembership by Dynamic Principal Generation
> -------------------------------------------------------------------------
>
> Key: OAK-4087
> URL: https://issues.apache.org/jira/browse/OAK-4087
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: auth-external
> Reporter: angela
> Assignee: angela
> Labels: performance
> Attachments: OAK-4087.patch
>
>
> the {{DefaultSyncConfig}} comes with a configuration option
> {{PARAM_USER_AUTO_MEMBERSHIP}} indicating the set of groups a given external
> user must always become member of upon sync into the repository.
> this results in groups containing almost all users in the system (at least
> those synchronized from the external IDP). while this behavior is
> straightforward (and corresponds to the behavior in the previous crx version), it
> wouldn't be necessary from a repository point of view as a given {{Subject}}
> can be populated from different principal sources and dealing with this kind
> of dynamic-auto-membership was a typical use-case.
> what does that mean:
> instead of performing the automembership on the user management, the external
> authentication setup could come with an auto-membership {{PrincipalProvider}}
> implementation that would expose the desired group membership for all
> external principals (assuming that they were identified as such).
> [~tripod], do you remember if that was ever an option while building the
> {{oak-auth-external}} module? if not, could that be worth a second thought
> also in the light of OAK-3933?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
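The lookup described in the comment above (IDP name -> sync-handler -> auto-membership group IDs, applied on top of the principals of an external user identified by {{rep:externalId}}), as an added stand-alone model. This is not code from the OAK-4087 patch or from Jackrabbit Oak; it uses only JDK types, the {{rep:externalId}} format "id;idpName" is assumed, the sample configuration is constructed, and the rule that the first of two conflicting mappings wins is an assumption (the comment only says conflicts are logged).

```java
import java.security.Principal;
import java.util.*;
import java.util.logging.Logger;

/** Stand-alone model of dynamic auto-membership; not Oak's PrincipalProvider. */
public final class DynamicAutoMembership {
    private static final Logger LOG = Logger.getLogger(DynamicAutoMembership.class.getName());

    /** Minimal group principal (hypothetical; Oak's own principal classes are not used). */
    public static final class GroupPrincipal implements Principal {
        private final String name;
        GroupPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof GroupPrincipal && name.equals(((GroupPrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "group:" + name; }
    }

    /** idpName -> auto-membership group IDs, built once from the tracked idp/sync-handler mappings. */
    private final Map<String, Set<String>> autoMembershipByIdp = new HashMap<>();
    /** groupID -> principal name of groups that exist in the repository (stands in for a UserManager lookup). */
    private final Map<String, String> existingGroups;

    /**
     * @param idpSyncHandlerMappings  pairs {idpName, syncHandlerName} as collected by the service tracker
     * @param syncHandlerAutoMembership  syncHandlerName -> configured user auto-membership group IDs
     * @param existingGroups  groupID -> principal name for groups present in the repository
     */
    public DynamicAutoMembership(List<String[]> idpSyncHandlerMappings,
                                 Map<String, Set<String>> syncHandlerAutoMembership,
                                 Map<String, String> existingGroups) {
        this.existingGroups = existingGroups;
        Map<String, String> handlerByIdp = new HashMap<>();
        for (String[] m : idpSyncHandlerMappings) {
            String idp = m[0], handler = m[1];
            String previous = handlerByIdp.putIfAbsent(idp, handler);
            if (previous != null && !previous.equals(handler)) {
                // conflicting configuration: logged; first mapping wins (assumption)
                LOG.warning("IDP '" + idp + "' mapped to both '" + previous + "' and '" + handler + "', keeping first");
                continue;
            }
            Set<String> groupIds = syncHandlerAutoMembership.get(handler);
            if (groupIds == null) {
                // incomplete mapping: IDP points at a sync handler with no known configuration -> ignored
                LOG.warning("ignoring IDP '" + idp + "': no sync-handler config named '" + handler + "'");
                continue;
            }
            // one sync handler may legitimately serve several IDPs
            autoMembershipByIdp.put(idp, Collections.unmodifiableSet(new HashSet<>(groupIds)));
        }
    }

    /** Extract the IDP name from a rep:externalId value of the assumed form "id;idpName"; null if absent. */
    static String idpNameOf(String externalId) {
        int i = externalId.lastIndexOf(';');
        return (i < 0 || i == externalId.length() - 1) ? null : externalId.substring(i + 1);
    }

    /** Group principals to add to the user's principal set, keyed by the IDP stored in rep:externalId. */
    public Set<Principal> autoMembershipPrincipals(String externalId) {
        Set<Principal> result = new HashSet<>();
        String idp = (externalId == null) ? null : idpNameOf(externalId);
        if (idp == null) {
            return result; // local user or malformed external id: nothing to add
        }
        for (String groupId : autoMembershipByIdp.getOrDefault(idp, Collections.emptySet())) {
            String principalName = existingGroups.get(groupId);
            if (principalName == null) {
                // as in full-sync mode: entries that do not resolve to an existing group are ignored
                LOG.fine("auto-membership group '" + groupId + "' does not exist, skipping");
                continue;
            }
            result.add(new GroupPrincipal(principalName));
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample configuration, not taken from any real deployment.
        List<String[]> mappings = Arrays.asList(
            new String[]{"ldap", "default"},
            new String[]{"saml", "default"},   // second IDP sharing the same sync handler
            new String[]{"saml", "other"},     // conflicting mapping for "saml": logged, ignored
            new String[]{"okta", "missing"});  // incomplete mapping: no such handler config, ignored
        Map<String, Set<String>> handlerConfig = new HashMap<>();
        handlerConfig.put("default", new HashSet<>(Arrays.asList("external-users", "contributors", "nonexistent")));
        Map<String, String> groups = new HashMap<>();
        groups.put("external-users", "external-users");
        groups.put("contributors", "Contributors"); // group ID and principal name may differ

        DynamicAutoMembership dam = new DynamicAutoMembership(mappings, handlerConfig, groups);
        System.out.println("jdoe;ldap -> " + dam.autoMembershipPrincipals("jdoe;ldap")); // both existing groups, "nonexistent" skipped
        System.out.println("jdoe;saml -> " + dam.autoMembershipPrincipals("jdoe;saml")); // same handler as ldap
        System.out.println("jdoe;okta -> " + dam.autoMembershipPrincipals("jdoe;okta")); // incomplete mapping: empty
        System.out.println("admin     -> " + dam.autoMembershipPrincipals("admin"));     // no IDP suffix: empty
    }
}
```

The model keeps the resolution of group IDs to existing groups separate from the IDP lookup so that the same "ignore what does not resolve" behaviour the comment describes for full-sync mode applies here, and nothing is written to the repository: membership exists only in the returned principal set.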