[ https://issues.apache.org/jira/browse/OAK-4087?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
angela updated OAK-4087:
------------------------
    Fix Version/s:     (was: 1.5.4)
                   1.5.3

> Replace Sync of configured AutoMembership by Dynamic Principal Generation
> -------------------------------------------------------------------------
>
>                 Key: OAK-4087
>                 URL: https://issues.apache.org/jira/browse/OAK-4087
>             Project: Jackrabbit Oak
>          Issue Type: Improvement
>          Components: auth-external
>            Reporter: angela
>            Assignee: angela
>              Labels: performance
>             Fix For: 1.5.3
>
>         Attachments: OAK-4087.patch, OAK-4087_documentation.patch
>
>
> the {{DefaultSyncConfig}} comes with a configuration option
> {{PARAM_USER_AUTO_MEMBERSHIP}} indicating the set of groups a given external
> user must always become member of upon sync into the repository.
> this results in groups containing almost all users in the system (at least
> those synchronized from the external IDP). while this behavior is
> straightforward (and corresponds to the behavior in the previous crx version), it
> wouldn't be necessary from a repository point of view as a given {{Subject}}
> can be populated from different principal sources and dealing with this kind
> of dynamic-auto-membership was a typical use-case.
> what does that mean:
> instead of performing the automembership on the user management, the external
> authentication setup could come with an auto-membership {{PrincipalProvider}}
> implementation that would expose the desired group membership for all
> external principals (assuming that they were identified as such).
> [~tripod], do you remember if that was ever an option while building the
> {{oak-auth-external}} module? if not, could that be worth a second thought
> also in the light of OAK-3933?

--
This message was sent by Atlassian JIRA (v6.3.4#6332)