[jira] [Comment Edited] (RANGER-3630) Support wildcards, group short names, and list of memberof attribute DNs for computing user search filter
[ https://issues.apache.org/jira/browse/RANGER-3630?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17493992#comment-17493992 ]

Sailaja Polavarapu edited comment on RANGER-3630 at 2/17/22, 3:05 PM:

*Proposal:*

The majority of the use cases to filter users using the “memberof” attribute fall into two categories:
# Unique pattern for the group name - example, “eng_dev” and “finance”
# Group names with wildcard character - example, “eng_dev” and “eng_testing”

As noted down earlier, since Active Directory doesn’t support either wildcards or short names of the groups with memberof attributes, Ranger usersync must be improved to generate the user search filter internally by taking a list of individual group names or group names with a wildcard character.

Instead of configuring the user search filter as one big string, a new configuration “ranger.usersync.ldap.groupnames” can be introduced for usersync. Values can be either a list of DNs of the groups, a list of short names of the groups, or a list of group names with a wildcard character, separated by ";" like below:
# DN of the groups - "memberof=CN=finance,ou=Hadoop Groups,dc=apache,dc=org;memberof=CN=eng_dev,ou=Hadoop Groups,dc=apache,dc=org;memberof=CN=eng_testing,ou=Hadoop Groups,dc=apache,dc=org"
# Short names of the groups - "CN=finance;CN=eng_dev;CN=eng_testing"
# Group names with wildcard character - "CN=eng*;CN=finance"

*Usersync Changes:*

Usersync reads these new configuration values and determines the format of the specified values as DN of the groups, short names of the groups, or group names with wildcard character.
# Values specified as DN of the groups
  # In this case ranger usersync builds the user search filter by concatenating each DN with an OR (|) operator
  # Example - (|(memberof=CN=finance,ou=Hadoop Groups,dc=apache,dc=org)(memberof=CN=eng_dev,ou=Hadoop Groups,dc=apache,dc=org)(memberof=CN=eng_testing,ou=Hadoop Groups,dc=apache,dc=org))
# Values specified as short names of the groups or with wildcard character
  # In this case ranger usersync first contacts the AD/LDAP server to retrieve the DN of the specified groups.
  # Build the user search filter by prepending each DN with “memberof=” and concatenating with an OR (|) operator

Notes:
# This new configuration (ranger.usersync.ldap.groupnames) is read by usersync only when the “ranger.usersync.ldap.user.searchfilter” configuration value is empty.
# When the “ranger.usersync.ldap.user.searchfilter” configuration value is not empty, usersync will ignore the value of the “ranger.usersync.ldap.groupnames” configuration.
# All the configured group names (ranger.usersync.ldap.groupnames) are concatenated with only the OR (|) operator and are hardcoded for the “memberof” attribute.
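
The filter computation proposed in the comment above, as an added Python sketch (not Ranger's code and not the comment author's). The names `build_user_search_filter`, `resolve_group_dns` and `sample_resolver` and the `GROUPS` directory are hypothetical or constructed; escaping values per RFC 4515 and refusing to emit an empty filter when no group resolves are assumptions that go beyond the proposal.

```python
import fnmatch
import re

# RFC 4515: characters that must be escaped inside a filter assertion value.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value, keep_wildcard=False):
    """Escape a value for an LDAP filter; optionally keep '*' as a wildcard."""
    return "".join(c if (c == "*" and keep_wildcard) else ESCAPES.get(c, c)
                   for c in value)

def build_user_search_filter(groupnames, resolve_group_dns, searchfilter=""):
    """Compute the user search filter from the ';'-separated group list.

    resolve_group_dns(group_filter) -> list of group DNs is a hypothetical
    callback standing in for the AD/LDAP group lookup.
    """
    if searchfilter.strip():          # explicit search filter wins (Notes 1-2)
        return searchfilter
    dns = []
    for entry in filter(None, (e.strip() for e in groupnames.split(";"))):
        if entry.lower().startswith("memberof="):      # already a group DN
            dns.append(entry[len("memberof="):])
            continue
        attr, _, name = entry.partition("=")           # short name or wildcard
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attr) or not name:
            raise ValueError(f"malformed group entry: {entry!r}")
        pattern = escape_filter_value(name, keep_wildcard=True)
        dns.extend(resolve_group_dns(f"({attr}={pattern})"))
    if groupnames.strip() and not dns:
        # Assumption: fail closed rather than fall back to an unfiltered sync.
        raise ValueError("no configured group resolved to a DN")
    clauses = "".join(f"(memberof={escape_filter_value(dn)})"
                      for dn in dict.fromkeys(dns))    # de-duplicate, keep order
    return f"(|{clauses})" if clauses else ""

BASE = "ou=Hadoop Groups,dc=apache,dc=org"
# Constructed sample directory standing in for AD/LDAP.
GROUPS = {cn: f"CN={cn},{BASE}" for cn in ("finance", "eng_dev", "eng_testing")}

def sample_resolver(group_filter):
    """Toy lookup: match the CN pattern against the constructed GROUPS."""
    pattern = group_filter[1:-1].partition("=")[2]
    return [dn for cn, dn in GROUPS.items() if fnmatch.fnmatchcase(cn, pattern)]

if __name__ == "__main__":
    print(build_user_search_filter("CN=eng*;CN=finance", sample_resolver))
```

Because the group list is concatenated into a filter string, a DN or short name containing `(`, `)`, `*` or `\` would change the filter's structure if it were inserted unescaped.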