Jackrabbit Oak / OAK-9803

Extend DynamicSyncHandler to allow for dynamic groups


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.46.0
    • Component/s: auth-external
    • Labels: None

    Description

      Since OAK-4391, oak-auth-external comes with a dynamic membership option that limits the synchronization of external identities to users and their group membership (see https://jackrabbit.apache.org/oak/docs/security/authentication/external/dynamic.html for documentation).
      While the feature meets the need to compute a set of principals for permission evaluation upon repository login, it has proven to cause some confusion when it comes to user management and discovering user-group relationships, which can be obtained from the principal management API (but are no longer reflected in the repository's user management; reasoning: external identities are managed elsewhere and the repository is no longer in charge).

      With the introduction of the DynamicMembershipService interface (see OAK-9462), we would be able to improve that by optionally synchronizing external groups as dynamic (similar to the everyone group) if the dynamic membership flag is turned on.

      cc: Jose Antonio Insua

          People

            Assignee: Angela Schreiber
            Reporter: Angela Schreiber