Details
Description
Ranger Usersync provides multiple configuration properties to sync users and groups from AD/LDAP. One of the key configuration properties is the user search filter (ranger.usersync.ldap.user.searchfilter). Currently, the value of the user search filter must be a valid LDAP search filter and is used by Ranger Usersync "as is" to limit the number of users to be synced from AD/LDAP.
Example values include:
- samaccountname=* : syncs all users from the given user search base
- (|(memberof=CN=finance,ou=Hadoop Groups,dc=apache,dc=org)(memberof=CN=eng_dev,ou=Hadoop Groups,dc=apache,dc=org)(memberof=CN=eng_testing,ou=Hadoop Groups,dc=apache,dc=org)) : syncs users that are members of the finance, eng_dev, and eng_testing groups
According to Microsoft documentation, the wildcard character * is not allowed when the <AD Attribute> is a DN attribute. Examples of DN attributes are distinguishedName, manager, directReports, member, and memberOf. If users need to be synced from multiple Active Directory groups with memberOf filters, this value quickly becomes a long string of OR-concatenated group DNs. A single misplaced character in this cryptic string results in all users failing to sync.
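The following is an added illustration and is not Ranger's own code: it builds the OR-concatenated memberOf filter from a list of group DNs (with RFC 4515 value escaping), checks the result with a small RFC 4515 filter parser so that a misplaced parenthesis is reported with its position instead of silently breaking the sync, and flags a wildcard used against one of the DN attributes named above. The function names, the parser and the hypothetical treatment of a bare attr=value as shorthand for (attr=value) are assumptions made for this example; Ranger's real parsing of the property may differ.

```python
import re

# Values inside an LDAP search filter must be escaped per RFC 4515.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# DN-valued attributes for which AD rejects a wildcard (list taken from the page text).
DN_ATTRIBUTES = {"distinguishedname", "manager", "directreports", "member", "memberof"}


def escape_filter_value(value: str) -> str:
    """Escape a single assertion value for use inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_memberof_filter(group_dns):
    """Build one (memberOf=...) assertion per group DN and OR them together."""
    terms = [f"(memberOf={escape_filter_value(dn)})" for dn in group_dns]
    if not terms:
        raise ValueError("at least one group DN is required")
    return terms[0] if len(terms) == 1 else "(|" + "".join(terms) + ")"


def normalize_filter(text: str) -> str:
    """Assumption for this example: a bare 'attr=value' (e.g. samaccountname=*)
    is accepted as shorthand for '(attr=value)'. RFC 4515 requires the parentheses."""
    text = text.strip()
    return text if text.startswith("(") else f"({text})"


def _parse(text, pos):
    """Recursive-descent parse of one '(...)' filter starting at pos; returns (next_pos, node)."""
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at position {pos}")
    pos += 1
    if pos >= len(text):
        raise ValueError("unexpected end of filter")
    op = text[pos]
    if op in "&|":
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            pos, child = _parse(text, pos)
            children.append(child)
        if not children:
            raise ValueError(f"empty '{op}' expression at position {pos}")
        node = {"op": "and" if op == "&" else "or", "children": children}
    elif op == "!":
        pos, child = _parse(text, pos + 1)
        node = {"op": "not", "children": [child]}
    else:
        # A simple item: attr, comparison operator, value. A ')' inside a value must be escaped as \29.
        end = text.find(")", pos)
        if end == -1:
            raise ValueError(f"missing ')' for item starting at position {pos}")
        m = re.fullmatch(r"([A-Za-z][A-Za-z0-9.;-]*)(=|~=|>=|<=)(.*)", text[pos:end])
        if not m:
            raise ValueError(f"malformed item at position {pos}: {text[pos:end]!r}")
        node = {"op": "item", "attr": m.group(1), "type": m.group(2), "value": m.group(3)}
        pos = end
    if pos >= len(text) or text[pos] != ")":
        raise ValueError(f"expected ')' at position {pos}")
    return pos + 1, node


def parse_filter(text: str) -> dict:
    """Parse a complete filter into a nested dict; raise ValueError with a position on bad input."""
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing characters at position {pos}")
    return node


def validate_filter(text: str):
    """Return (True, 'ok') for a syntactically valid filter, else (False, reason)."""
    try:
        parse_filter(normalize_filter(text))
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"


def _items(node):
    if node["op"] == "item":
        yield node
    else:
        for child in node["children"]:
            yield from _items(child)


def lint_filter(text: str):
    """Warn about '*' used with a DN attribute, which AD does not allow."""
    warnings = []
    for item in _items(parse_filter(normalize_filter(text))):
        if item["attr"].lower() in DN_ATTRIBUTES and "*" in item["value"]:
            warnings.append(f"wildcard not allowed for DN attribute {item['attr']}")
    return warnings


if __name__ == "__main__":
    # Constructed sample input using the group DNs from the page.
    groups = [
        "CN=finance,ou=Hadoop Groups,dc=apache,dc=org",
        "CN=eng_dev,ou=Hadoop Groups,dc=apache,dc=org",
        "CN=eng_testing,ou=Hadoop Groups,dc=apache,dc=org",
    ]
    flt = build_memberof_filter(groups)
    print(flt)
    print(validate_filter(flt))         # well-formed
    print(validate_filter(flt[:-1]))    # one dropped ')' is reported with its position
    print(lint_filter("(memberOf=CN=*,ou=Hadoop Groups,dc=apache,dc=org)"))
```

Generating the property value from a list of DNs and running the validator before writing it into the Ranger configuration turns the "one misplaced character breaks every user" failure into an error that is caught at edit time, with the offending position named.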