jackrabbit-oak-issues mailing list archives

From "angela (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (OAK-4101) Consider separate external (group) principal management
Date Tue, 17 May 2016 16:26:12 GMT

[ https://issues.apache.org/jira/browse/OAK-4101?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

angela resolved OAK-4101.
-------------------------
       Resolution: Fixed
    Fix Version/s: 1.5.3

Committed revision 1744292.

In addition to the findings reported by [~tripod], I found some issues in the test-cases,
wrote additional tests for the principal query, renamed the new, derived SyncContext implementation
and moved it to the impl package.
Then: adjusted the external-auth benchmark base and improved the documentation of the feature
(and default user sync in general).

[~baedke], I would appreciate it if you could take a closer look at the committed changes and
the documentation. I would suggest opening new follow-up issues for your findings and only
reopening this one if you find fundamental mistakes or inconsistencies.

> Consider separate external (group) principal management
> -------------------------------------------------------
>
>                 Key: OAK-4101
>                 URL: https://issues.apache.org/jira/browse/OAK-4101
>             Project: Jackrabbit Oak
>          Issue Type: New Feature
>          Components: auth-external
>            Reporter: angela
>            Assignee: angela
>             Fix For: 1.5.3
>
>         Attachments: OAK-4101.patch, OAK-4101_test.patch
>
>
> Given the fact that user management is delegated to an external IDP provider, we might
> reconsider the current approach that attempts to synchronize users and particularly groups and
> their membership into the repository.
> What would be left with the repository is a dedicated {{PrincipalProvider}} for external
> groups (and maybe even users at a later stage), making sure that
> - the {{Subject}} is properly populated with {{Principal}}s upon login
> - access control can still be properly set up and managed in the repository for the principals
> defined in the external IDP.
> The consequences would be:
> - external groups (and potentially users) would no longer be made available to the default
> user management implementation. Alternatively: make them available as read-only stubs, i.e.
> group membership as defined by the IDP could no longer be changed/manipulated in the repository.
> - they are however exposed as principals to assert proper authentication + authorization.
> Note: any UI that properly reflects the fact that access control is being edited for principals
> (and not for users/groups) would not be affected at all; others might need to be adjusted
> to additionally support ac management based on the {{PrincipalManager}}
> Will try to come up with a POC as soon as I find some time.
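The following is an added illustration of the design sketched in the issue description above; it is not code from OAK-4101 or from Jackrabbit Oak. The `ExternalGroupPrincipalProvider` and `NamedPrincipal` classes are hypothetical stand-ins that only mirror the shape of Oak's `PrincipalProvider`, and the IDP membership data is constructed. It shows the two properties the description asks for: the `Subject` is populated with IDP-defined group principals at login so principal-based access control keeps working, while repository-side code gets only a read-only view of that membership.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

/*
 * Hypothetical sketch of "external group principal management": membership is
 * authoritative in the IDP and reaches the repository only as principals.
 * Not the Oak API; class and method names are assumptions for this example.
 */
public class ExternalPrincipalDemo {

    /** Minimal named principal used as a stand-in for Oak's own principal types. */
    static final class NamedPrincipal implements Principal {
        private final String name;
        private final boolean group;
        NamedPrincipal(String name, boolean group) { this.name = name; this.group = group; }
        @Override public String getName() { return name; }
        boolean isGroup() { return group; }
        @Override public boolean equals(Object o) {
            return o instanceof NamedPrincipal && ((NamedPrincipal) o).name.equals(name)
                    && ((NamedPrincipal) o).group == group;
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return (group ? "group:" : "user:") + name; }
    }

    /** Read-only view of IDP membership, modelled on the shape of a PrincipalProvider. */
    static final class ExternalGroupPrincipalProvider {
        private final Map<String, Set<String>> membership; // userId -> IDP group names

        ExternalGroupPrincipalProvider(Map<String, Set<String>> idpSnapshot) {
            Map<String, Set<String>> copy = new HashMap<>();
            idpSnapshot.forEach((u, g) -> copy.put(u, Collections.unmodifiableSet(new HashSet<>(g))));
            this.membership = Collections.unmodifiableMap(copy); // repository code cannot edit this
        }

        /** Everything that belongs in the Subject for userId: the user plus its IDP groups. */
        Set<Principal> getPrincipals(String userId) {
            Set<Principal> result = new LinkedHashSet<>();
            result.add(new NamedPrincipal(userId, false));
            for (String g : membership.getOrDefault(userId, Collections.emptySet())) {
                result.add(new NamedPrincipal(g, true));
            }
            return Collections.unmodifiableSet(result);
        }

        /** Resolve a group name when an ACE is written for an external group; null if unknown. */
        Principal getPrincipal(String principalName) {
            for (Set<String> groups : membership.values()) {
                if (groups.contains(principalName)) {
                    return new NamedPrincipal(principalName, true);
                }
            }
            return null;
        }

        /** IDP-defined membership exposed read-only: mutation attempts fail. */
        Set<String> getGroupMembership(String userId) {
            return membership.getOrDefault(userId, Collections.emptySet());
        }
    }

    /** Login step: populate the Subject from the provider. */
    static Subject login(ExternalGroupPrincipalProvider provider, String userId) {
        Subject subject = new Subject();
        subject.getPrincipals().addAll(provider.getPrincipals(userId));
        subject.setReadOnly();
        return subject;
    }

    /** Access check driven purely by principals, as a principal-based ACL would be. */
    static boolean canRead(Subject subject, Set<Principal> allowedPrincipals) {
        return !Collections.disjoint(subject.getPrincipals(), allowedPrincipals);
    }

    public static void main(String[] args) {
        // Constructed IDP snapshot (sample data, not a real directory).
        Map<String, Set<String>> idp = new HashMap<>();
        idp.put("alice", new HashSet<>(Set.of("ldap-editors", "ldap-staff")));
        idp.put("bob", new HashSet<>(Set.of("ldap-staff")));
        ExternalGroupPrincipalProvider provider = new ExternalGroupPrincipalProvider(idp);

        // An ACE granting read to the external group, resolved through the provider.
        Set<Principal> readers = Set.of(provider.getPrincipal("ldap-editors"));

        Subject alice = login(provider, "alice");
        Subject bob = login(provider, "bob");
        System.out.println("alice can read: " + canRead(alice, readers));
        System.out.println("bob can read: " + canRead(bob, readers));

        // Repository-side code cannot change IDP-defined membership.
        try {
            provider.getGroupMembership("bob").add("ldap-editors");
        } catch (UnsupportedOperationException e) {
            System.out.println("membership is read-only: " + e.getClass().getSimpleName());
        }
    }
}
```

The point of the defensive copy in the provider constructor is the "read-only stub" consequence from the description: any attempt by repository-side code to alter who is in an external group fails, so the IDP stays the single source of truth for membership while ACEs keyed by principal name continue to resolve.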



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
