[ https://issues.apache.org/jira/browse/OAK-4087?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

angela updated OAK-4087:
------------------------
    Fix Version/s:     (was: 1.5.4)
                   1.5.3

> Replace Sync of configured AutoMembership by Dynamic Principal Generation
> -------------------------------------------------------------------------
>
>                 Key: OAK-4087
>                 URL: https://issues.apache.org/jira/browse/OAK-4087
>             Project: Jackrabbit Oak
>          Issue Type: Improvement
>          Components: auth-external
>            Reporter: angela
>            Assignee: angela
>              Labels: performance
>             Fix For: 1.5.3
>
>         Attachments: OAK-4087.patch, OAK-4087_documentation.patch
>
>
> the {{DefaultSyncConfig}} comes with a configuration option 
> {{PARAM_USER_AUTO_MEMBERSHIP}} indicating the set of groups a given external 
> user must always become member of upon sync into the repository.
> this results in groups containing almost all users in the system (at least 
> those synchronized from the external IDP). while this behavior is 
> straightforward (and corresponds to the behavior in the previous crx version), it 
> wouldn't be necessary from a repository point of view as a given {{Subject}} 
> can be populated from different principal sources and dealing with this kind 
> of dynamic-auto-membership was a typical use-case.
> what does that mean:
> instead of performing the automembership on the user management, the external 
> authentication setup could come with an auto-membership {{PrincipalProvider}} 
> implementation that would expose the desired group membership for all 
> external principals (assuming that they were identified as such).
> [~tripod], do you remember if that was ever an option while building the 
> {{oak-auth-external}} module? if not, could that be worth a second thought 
> also in the light of OAK-3933?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
