Details
- Task
- Status: Resolved
- Major
- Resolution: Won't Fix
Description
Currently the success of the login using ExternalLoginModule is tied to the completion of the user synchronization, which (may) also include sync of group membership. Consequently, performance of the repository login is always limited by the performance of write operations, which in the case of group sync is in any case expensive (irrespective of how much improvement we achieve with OAK-3933).
I would therefore like to suggest that we consider if and how we could decouple the sync mechanism from the login step. This could for example include async processing of the group membership. This would also require making sure that the initial as well as all subsequent login operations properly populate the subject with principals of type java.security.acl.Group, i.e. not relying on the principal membership being reflected in the user management as long as the sync is not completed.
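A sketch of the decoupling proposed above, as an added example that is not Oak code and not part of the original issue: the subject receives user and group principals straight from the identity provider, and the membership write is queued. All types and names (DecoupledLoginSketch, IdentityProvider, MembershipSync, NamedPrincipal) are hypothetical stand-ins, and plain Principal objects replace java.security.acl.Group, which current JDKs no longer ship.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.*;
import javax.security.auth.Subject;

// Hypothetical sketch: none of these types or method names are Oak API.
public class DecoupledLoginSketch {
    record NamedPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }
    // Stand-in for the external identity provider (for example a directory).
    interface IdentityProvider { Set<String> groupsOf(String userId); }
    // Stand-in for the expensive repository write that persists membership.
    interface MembershipSync { void sync(String userId, Set<String> groups); }

    private final IdentityProvider idp;
    private final MembershipSync sync;
    private final ExecutorService syncQueue = Executors.newSingleThreadExecutor();

    DecoupledLoginSketch(IdentityProvider idp, MembershipSync sync) {
        this.idp = idp;
        this.sync = sync;
    }

    // Runs after the credentials were verified. Authorization must not depend
    // on the queued write, so group principals come from the provider directly.
    Future<?> commit(Subject subject, String userId) {
        Set<String> groups = Set.copyOf(idp.groupsOf(userId));
        subject.getPrincipals().add(new NamedPrincipal(userId));
        for (String g : groups) subject.getPrincipals().add(new NamedPrincipal(g));
        return syncQueue.submit(() -> sync.sync(userId, groups));
    }

    public static void main(String[] args) throws Exception {
        Map<String, Set<String>> repo = new ConcurrentHashMap<>(); // constructed store
        CountDownLatch release = new CountDownLatch(1);            // holds the write back
        DecoupledLoginSketch login = new DecoupledLoginSketch(
            id -> Set.of("editors", "auditors"),                   // constructed sample data
            (id, gs) -> {
                try { release.await(); } catch (InterruptedException e) { return; }
                repo.put(id, gs);
            });
        Subject subject = new Subject();
        Future<?> pending = login.commit(subject, "alice");
        System.out.println("principals at login: " + subject.getPrincipals());
        System.out.println("persisted at login:  " + repo.containsKey("alice"));
        release.countDown();
        pending.get();                                             // wait for the queued sync
        System.out.println("persisted after sync: " + repo.get("alice"));
        login.syncQueue.shutdown();
    }
}
```

Until the queued write completes, anything that evaluates membership from the persisted user management instead of the subject sees the previous state, which is the window the description says login must not rely on.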