jackrabbit-oak-issues mailing list archives

From "angela (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (OAK-4087) Replace Sync of configured AutoMembership by Dynamic Principal Generation
Date Wed, 06 Jul 2016 06:53:11 GMT

    [ https://issues.apache.org/jira/browse/OAK-4087?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15363881#comment-15363881

angela commented on OAK-4087:

It works pretty much the same way for local groups: the automembership configuration option
of a given {{DefaultSyncHandler}} instance will be picked up by the {{ExternalPrincipalConfiguration}},
mapped to a given IDP for which the {{SyncHandler}} has been registered (see {{ExternalLoginModule}})
and ultimately evaluated by the {{ExternalGroupPrincipalProvider}} in order to make sure a
given {{Subject}} is not only populated with the principals defined on the external IDP but
also with the auto-membership principals. Note that the automembership defines the group IDs
and the corresponding call will first resolve the {{Group}} (as it used to do before) and
then place the associated principal in the set of all (group) principals as requested by {{PrincipalProvider.getGroupMembership(Principal)}}
and {{PrincipalProvider.getPrincipals(String)}} respectively.

Hope that helps. Btw: I would appreciate it if you could take a look at the corresponding documentation
section and let me know if there is something that needs additional clarification.

> Replace Sync of configured AutoMembership by Dynamic Principal Generation
> -------------------------------------------------------------------------
>                 Key: OAK-4087
>                 URL: https://issues.apache.org/jira/browse/OAK-4087
>             Project: Jackrabbit Oak
>          Issue Type: Improvement
>          Components: auth-external
>            Reporter: angela
>            Assignee: angela
>              Labels: performance
>             Fix For: 1.5.3
>         Attachments: OAK-4087.patch, OAK-4087_documentation.patch
>
> the {{DefaultSyncConfig}} comes with a configuration option {{PARAM_USER_AUTO_MEMBERSHIP}}
> indicating the set of groups a given external user must always become member of upon sync
> into the repository.
> this results in groups containing almost all users in the system (at least those synchronized
> from the external IDP). while this behavior is straightforward (and corresponds to the behavior
> in the previous crx version), it wouldn't be necessary from a repository point of view as
> a given {{Subject}} can be populated from different principal sources and dealing with this
> kind of dynamic-auto-membership was a typical use case.
> what does that mean:
> instead of performing the automembership on the user management, the external authentication
> setup could come with an auto-membership {{PrincipalProvider}} implementation that would expose
> the desired group membership for all external principals (assuming that they were identified
> as such).
> [~tripod], do you remember if that was ever an option while building the {{oak-auth-external}}
> module? if not, could that be worth a second thought also in the light of OAK-3933?

This message was sent by Atlassian JIRA
