ranger-dev mailing list archives

From Sailaja Polavarapu <spolavar...@hortonworks.com>
Subject Re: Review Request 66852: RANGER-1852: some groups missed to be sync if they are syncd from openldap If deltasync is enabled
Date Wed, 02 May 2018 21:42:25 GMT


> On April 30, 2018, 2:15 p.m., Velmurugan Periasamy wrote:
> > ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapDeltaUserGroupBuilder.java
> > Line 854 (original), 854 (patched)
> > <https://reviews.apache.org/r/66852/diff/1/?file=2014334#file2014334line854>
> >
> >     Use a configurable param for this?

Just to clarify, this is not the actual sync cycle interval. With Active Directory we use
uSNChanged attribute to track changes. Periodically we query for all objects in subtree whose
uSNChanged value is greater than or equal to U. The query will return all objects that have
changed since the previous sync. Set U to the largest (uSNChanged+1) among these changed objects,
and you are ready to poll again. In this case uSNChanged is a sequential number and hence
incrementing by 1. For OpenLdap servers, we use modifyTimeStamp attribute to track changes.
Periodically we query for all objects in subtree whose modifyTimestamp value is greater than
or equal to U. The query will return all objects that have changed since the previous sync.
Set U to the largest (modifiedTimestamp + 1sec) among these changed objects, and you are ready
to poll again. Since modifyTimestamp is a timestamp value, we are incrementing by 1sec, which
is the lowest granularity of the timestamp value. Since this is an internal
implementation and for AD the modifyTimestamp is not used, I don't think this should
be a configurable parameter.

PS:- According to RFC, ldap search filter only supports greaterOrEqual (>=) or lessOrEqual (<=)

Filter ::= CHOICE {
                and                [0] SET OF Filter,
                or                 [1] SET OF Filter,
                not                [2] Filter,
                equalityMatch      [3] AttributeValueAssertion,
                substrings         [4] SubstringFilter,
                greaterOrEqual     [5] AttributeValueAssertion,
                lessOrEqual        [6] AttributeValueAssertion,
                present            [7] AttributeDescription,
                approxMatch        [8] AttributeValueAssertion,
                extensibleMatch    [9] MatchingRuleAssertion
        }


- Sailaja


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66852/#review202122
-----------------------------------------------------------


On April 27, 2018, 5:48 p.m., Sailaja Polavarapu wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/66852/
> -----------------------------------------------------------
> 
> (Updated April 27, 2018, 5:48 p.m.)
> 
> 
> Review request for ranger.
> 
> 
> Bugs: RANGER-1852
>     https://issues.apache.org/jira/browse/RANGER-1852
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Incrementing timestamp value for groups to 1sec instead of 1min. This is in-sync with timestamp value for users.
> 
> 
> Diffs
> -----
> 
>   ugsync/src/main/java/org/apache/ranger/ldapusersync/process/LdapDeltaUserGroupBuilder.java 2288ab8e
> 
> 
> Diff: https://reviews.apache.org/r/66852/diff/1/
> 
> 
> Testing
> -------
> 
> 1. Verified the existing unit tests ran successfully.
> 2. Verified basic usersync functionality with openldap server.
> 
> 
> Thanks,
> 
> Sailaja Polavarapu
> 
>
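
The polling scheme described in the reply above, as an added example that is not part of the original message or of Ranger's code: a simulated directory stands in for the OpenLDAP server, and the entries, the groupOfNames object class and all function names are constructed for illustration. It shows that stepping the high-water mark U by 1 second picks up every later change, while a 1-minute step skips a group modified inside the skipped window.

```python
from datetime import datetime, timedelta

FMT = "%Y%m%d%H%M%SZ"            # LDAP generalizedTime, one-second resolution
ONE_SEC, ONE_MIN = timedelta(seconds=1), timedelta(minutes=1)

# Constructed sample data: group changes that land before poll 1 and before poll 2.
BATCHES = [
    [("cn=admins,ou=groups,dc=example,dc=com", "20180427174800Z")],
    [("cn=analysts,ou=groups,dc=example,dc=com", "20180427174830Z"),
     ("cn=auditors,ou=groups,dc=example,dc=com", "20180427174905Z")],
]

def build_filter(mark):
    # The LDAP Filter grammar offers greaterOrEqual but no strict "greater than",
    # so the delta query has to be expressed with >=.
    return "(&(objectClass=groupOfNames)(modifyTimestamp>=%s))" % mark

def search(directory, mark):
    # Stand-in for the server evaluating modifyTimestamp>=mark. Same-format
    # generalizedTime strings sort lexicographically in time order.
    return [(dn, ts) for dn, ts in directory if ts >= mark]

def next_mark(results, mark, step):
    # U becomes the largest modifyTimestamp seen plus `step`; unchanged if no results.
    if not results:
        return mark
    latest = max(datetime.strptime(ts, FMT) for _, ts in results)
    return (latest + step).strftime(FMT)

def run_sync(batches, step, mark="19700101000000Z"):
    # One poll per batch; returns the DNs handed to the sync, in order, and final U.
    directory, synced = [], []
    for batch in batches:
        directory.extend(batch)
        results = search(directory, mark)
        synced.extend(dn for dn, _ in results)
        mark = next_mark(results, mark, step)
    return synced, mark

if __name__ == "__main__":
    for label, step in (("1sec", ONE_SEC), ("1min", ONE_MIN)):
        synced, mark = run_sync(BATCHES, step)
        print(label, "synced", len(synced), "groups; next filter:", build_filter(mark))
```

With a step of zero the `>=` filter returns the newest entry again on every poll, which is why U is advanced past the largest value at all. A 1-second step still cannot see an entry written in the same second as the largest timestamp but after the poll ran.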

