Details
Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 2.2.0, 2.3.0, 2.4.0
Fix Version/s: None
Component/s: None
Description
Before this change https://github.com/apache/ranger/commit/9be6a7d01f8d6a83e740ac27225eda1fff83501a it was possible to configure Ranger User Sync to synchronize only those users that are members of the synchronized groups. The implementation in LdapDeltaUserGroupBuilder that did the in-memory filtering was removed in Ranger 2.2, and the other implementation - LdapUserGroupBuilder - only allows using LDAP-based search for filtering users by membership. This can become cumbersome if there are a lot of groups or if the group search filter is dynamic.
Example of Ranger usersync config:
SYNC_LDAP_USER_SEARCH_BASE: OU=Users,DC=domain,DC=com
SYNC_LDAP_USER_OBJECT_CLASS: person
SYNC_GROUP_SEARCH_ENABLED: true
SYNC_GROUP_SEARCH_BASE: OU=Users,DC=domain,DC=com
SYNC_LDAP_GROUP_SEARCH_FILTER: cn=admin
SYNC_GROUP_OBJECT_CLASS: group
SYNC_GROUP_SEARCH_FIRST_ENABLED: true
SYNC_USER_SEARCH_ENABLED: true
Before Ranger 2.2, the above would synchronize only users that are members of the admin group. Starting from Ranger 2.2, it would synchronize all users that match the LDAP filter for the user search.
Was this functionality removed on purpose, or should this be considered a bug?
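As an added illustration (not Ranger's own code), the following Python model contrasts the two sync behaviours the report describes over a constructed LDAP snapshot: in-memory membership filtering before 2.2 versus syncing every user that matches the user search from 2.2 on. The user and group names, and the fact that the toy group search only understands a `cn=<name>` filter, are assumptions.

```python
from typing import Dict, Set

# Constructed LDAP snapshot (not real data): user DN -> attributes, group cn -> member DNs.
BASE = "OU=Users,DC=domain,DC=com"
USERS: Dict[str, Dict[str, str]] = {
    f"CN=alice,{BASE}": {"objectClass": "person", "sAMAccountName": "alice"},
    f"CN=bob,{BASE}": {"objectClass": "person", "sAMAccountName": "bob"},
    f"CN=carol,{BASE}": {"objectClass": "person", "sAMAccountName": "carol"},
    f"CN=backup01,{BASE}": {"objectClass": "computer", "sAMAccountName": "backup01$"},
}
GROUPS: Dict[str, Set[str]] = {
    "admin": {f"CN=alice,{BASE}", f"CN=bob,{BASE}", f"CN=backup01,{BASE}"},
    "developers": {f"CN=bob,{BASE}", f"CN=carol,{BASE}"},
}


def user_search(object_class: str) -> Set[str]:
    """Models SYNC_LDAP_USER_SEARCH_BASE + SYNC_LDAP_USER_OBJECT_CLASS."""
    return {dn for dn, attrs in USERS.items() if attrs["objectClass"] == object_class}


def group_search(group_filter: str) -> Dict[str, Set[str]]:
    """Models SYNC_LDAP_GROUP_SEARCH_FILTER; this toy only understands 'cn=<name>'."""
    attr, _, value = group_filter.partition("=")
    if attr.lower() != "cn":
        raise ValueError("constructed example only supports cn=<name> filters")
    return {cn: members for cn, members in GROUPS.items() if cn == value}


def sync_pre_2_2(object_class: str, group_filter: str) -> Set[str]:
    """Group search first, then in-memory membership filtering (the removed
    behaviour): only users that are members of a synced group are kept."""
    groups = group_search(group_filter)
    members: Set[str] = set().union(*groups.values())
    return {USERS[dn]["sAMAccountName"] for dn in user_search(object_class) & members}


def sync_post_2_2(object_class: str, group_filter: str) -> Set[str]:
    """Groups are still searched, but every user matching the user search is synced."""
    group_search(group_filter)  # result only decides which groups get created
    return {USERS[dn]["sAMAccountName"] for dn in user_search(object_class)}


def over_synced(object_class: str, group_filter: str) -> Set[str]:
    """Users present after 2.2 that the old filtering would have dropped: each one
    is an extra principal that Ranger policies can be granted to, so worth reviewing."""
    return sync_post_2_2(object_class, group_filter) - sync_pre_2_2(object_class, group_filter)
```

With the report's configuration (`person` users, `cn=admin` group filter) the model yields `{alice, bob}` before 2.2 and `{alice, bob, carol}` after; the computer object in the admin group is excluded in both cases by the user object class.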