ranger-dev mailing list archives

From "Bolke de Bruin (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (RANGER-827) Use system supplied mechanism to get users and groups on unix
Date Fri, 29 Jan 2016 09:26:39 GMT

    [ https://issues.apache.org/jira/browse/RANGER-827?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15123239#comment-15123239 ]

Bolke de Bruin edited comment on RANGER-827 at 1/29/16 9:26 AM:
----------------------------------------------------------------

This is the second version of the patch:

1. It addresses the issue of not using system supplied mechanisms for obtaining users and groups
2. It allows to explicitly enumerate groups to pick up users from these groups that are otherwise not visible for performance reasons (ranger.usersync.group.enumerate = true)
3. It allows to add extra groups to enumerate for groups that are not visible to ranger by default (ranger.usersync.group.enumerategroup = myadgroup@ad.local, myotheradgroup@ad.local, myipagroup)
4. It allows to set a minimum group id to enumerate users from for both performance reasons (ranger is really too greedy), preventing information overload to the user and security reasons (ranger.usersync.unix.minGroupId = X)
5. As enumeration is potentially an expensive operation in addition to 4, ranger.usersync.unix.updatemillismin defaults to 1 min (6000).

Not addressed in this patch (yet) is backwards compatibility with /etc/passwd and /etc/group


was (Author: bolke):
This is the second version of the patch:

1. It addresses the issue of not using system supplied mechanisms for obtaining users and groups
2. It allows to explicitly enumerate groups to pick up users from these groups that are otherwise not visible for performance reasons (ranger.usersync.group.enumerate = true)
3. It allows to add extra groups to enumerate for groups that are not visible to ranger by default (ranger.usersync.group.enumerategroup = myadgroup@ad.local, myotheradgroup@ad.local, myipagroup)
4. It allows to set a minimum group id to enumerate users from for both performance reasons (ranger is really too greedy), preventing information overload to the user and security reasons (ranger.usersync.unix.minGroupId = X)

Not addressed in this patch (yet) is backwards compatibility with /etc/passwd and /etc/group

> Use system supplied mechanism to get users and groups on unix
> -------------------------------------------------------------
>
>                 Key: RANGER-827
>                 URL: https://issues.apache.org/jira/browse/RANGER-827
>             Project: Ranger
>          Issue Type: Improvement
>          Components: usersync
>    Affects Versions: 0.5.1
>            Reporter: Bolke de Bruin
>              Labels: integration, pam, sssd, sync
>             Fix For: 0.6.0
>
>         Attachments: 0001-RANGER-827-Improve-unix-usersync.patch, usersync.patch
>
>
> The unix user sync currently reads /etc/passwd /etc/groups. This is often not a reflection of users and groups available on a system, especially when nsswitch is configured (e.g. sssd, ldap etc.).
> Secondly, in some cases groups will contain user names that are not returned with "getent passwd", especially "external users", and it is required to add these using the group information.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
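The sync behaviour the comment describes (NSS-backed lookups instead of parsing /etc/passwd, group enumeration to pick up members that "getent passwd" does not return, explicitly named extra groups, and a minimum group id cut-off), as an added illustration that is not the Ranger patch itself; the sample passwd/group entries are constructed, and the reading of minGroupId as "ignore groups whose gid is below the threshold" is an assumption:

```python
import grp
import pwd
from collections import namedtuple

# Stand-ins for pwd.struct_passwd / grp.struct_group so the logic can be exercised
# on constructed data; sync_from_nss() passes the real NSS entries instead.
PasswdEntry = namedtuple("PasswdEntry", "pw_name pw_uid pw_gid")
GroupEntry = namedtuple("GroupEntry", "gr_name gr_gid gr_mem")

# Constructed sample: bob is only visible through group membership, as an
# "external user" from an AD/IPA-backed sssd typically is.
SAMPLE_PASSWD = [PasswdEntry("root", 0, 0), PasswdEntry("alice", 1001, 1001)]
SAMPLE_GROUPS = [
    GroupEntry("root", 0, []),
    GroupEntry("wheel", 10, ["alice"]),
    GroupEntry("alice", 1001, []),
    GroupEntry("developers", 5000, ["alice", "bob"]),
]


def build_user_group_map(passwd_entries, group_entries, min_group_id=0, enumerate_groups=False):
    """Return {user: sorted group names}. Groups with gid < min_group_id are ignored
    (assumption: that is what minGroupId means). With enumerate_groups=True, members
    named in gr_mem that the passwd enumeration did not return are added as well."""
    groups_by_name = {g.gr_name: g for g in group_entries if g.gr_gid >= min_group_id}
    groups_by_gid = {g.gr_gid: g for g in groups_by_name.values()}
    users = {}
    for p in passwd_entries:
        primary = groups_by_gid.get(p.pw_gid)
        users[p.pw_name] = {primary.gr_name} if primary else set()
    for g in groups_by_name.values():  # secondary memberships from gr_mem
        for member in g.gr_mem:
            if member in users:
                users[member].add(g.gr_name)
            elif enumerate_groups:
                users[member] = {g.gr_name}
    return {u: sorted(gs) for u, gs in users.items()}


def sync_from_nss(min_group_id=0, enumerate_groups=False, extra_groups=()):
    """Live variant: pwd/grp go through nsswitch (sssd, ldap, files, ...), unlike
    reading /etc/passwd. extra_groups are looked up by name, which works even when
    the NSS backend does not return them in a full enumeration."""
    groups = list(grp.getgrall())
    for name in extra_groups:
        try:
            groups.append(grp.getgrnam(name))
        except KeyError:
            pass  # unknown to NSS on this host; skip rather than fail the sync
    return build_user_group_map(pwd.getpwall(), groups, min_group_id, enumerate_groups)


if __name__ == "__main__":
    print(build_user_group_map(SAMPLE_PASSWD, SAMPLE_GROUPS, 1000, True))
```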
