Chris Lambertus created WHIMSY-298:
--------------------------------------
Summary: create/maintain meta-groups for PMCs in LDAP
Key: WHIMSY-298
URL: https://issues.apache.org/jira/browse/WHIMSY-298
Project: Whimsy
Issue Type: New Feature
Reporter: Chris Lambertus
Infra discovered a downside to the owner/member paradigm of the new LDAP group
management style, in that most commercial LDAP-based tooling doesn't have the
ability to set specific queries for various authentication parameters. This is
most notable in our Atlassian Crowd implementation, in that Crowd only "sees"
the members groups and has no way to parse out the Owners for additional
privilege scope. Infra has currently created a manual workaround, which is
documented in this (currently non-canonical, non-functional) script:
[https://github.com/apache/infrastructure-p6/blob/9813eacad87fcac69f21e7b7c3233541685bd789/modules/cwiki_asf/files/refresh_meta.sh]
As you can see, this script would create a new LDAP OU called 'meta' which ETLs
the existing owner attributes into a $project-pmc DN which is then visible to
Crowd and can be used to apply PMC permissions to Jira and Confluence. We're
currently doing this manually "on-demand" until we finish some necessary
back-end work for the script to function.
I realize it's a step backwards to once again have to manage multiple LDAP
groups, but unfortunately, this separation is required due to a lack of support
for the owner/member attributes for Crowd.
It may be worth Whimsy considering patching to update both the ou=projects and
the PMC-based ou=meta groups. If this is something you'd like to do, I would
recommend a new OU, as Infra will be continuing to do this purge/ETL for the
ou=meta group for the foreseeable future.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
