Details
- Improvement
- Status: Closed
- Major
- Resolution: Fixed
Description
Since OAK-4391, oak-auth-external comes with a dynamic membership option that limits the synchronization of external identities to users and their group membership (see https://jackrabbit.apache.org/oak/docs/security/authentication/external/dynamic.html for documentation).
While the feature meets the need to compute a set of principals for permission evaluation upon repository login, it has proven to cause some confusion when it comes to user management and discovering user-group relationships, which can be obtained from the principal management API (but are no longer reflected in the repository's user management. Reasoning: external identities are managed elsewhere and the repository is no longer in charge).
With the introduction of the DynamicMembershipService interface (see OAK-9462), we would be able to improve that by optionally synchronizing external groups as dynamic (similar to the everyone group) if the dynamic membership flag is turned on.
cc: insuafer
Issue Links
- relates to
  - OAK-9799 Optional validator to mark external users/groups as protected (Closed)
- requires
  - OAK-9865 DefaultSyncContext: extract method to get external group from ExternalIdentityRef (Closed)
- Testing discovered
  - OAK-9867 AutoMembershipProvider.isMember must not ignore 'includeInherited' flag (Closed)
  - OAK-9871 AutoMembershipPrincipals.getAutoMembership must resolved inherited groups (Closed)
  - OAK-9839 DefaultSyncConfig.enforceDynamicMembership is not reflected in OSGi configuration (Closed)
- links to
1. deploy oak docu | Closed | Angela Schreiber