[ https://issues.apache.org/jira/browse/WHIMSY-298?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16965282#comment-16965282 ]
Sebb commented on WHIMSY-298:
-----------------------------

I think the issue here is allowing someone in the (e.g.) cn=httpd, ou=project owners list write access to the cn=httpd-pmc, ou=meta members list.
This suffers from the same limitation as described above.

One possible solution might be to have a specific id that has write access to ou=meta, cn=* and allow Whimsy code to have its password.

Alternatively, Whimsy could perhaps send details of changes to another host which has access to the id password.

If the refresh_meta script were enhanced to only apply changes, that would probably not be too resource intensive whilst still reducing the time lag.
The refresh script need only be told that a particular project group has been modified.

> create/maintain meta-groups for PMCs in LDAP
> --------------------------------------------
>
>                 Key: WHIMSY-298
>                 URL: https://issues.apache.org/jira/browse/WHIMSY-298
>             Project: Whimsy
>          Issue Type: New Feature
>            Reporter: Chris Lambertus
>            Priority: Minor
>
> Infra discovered a downside to the owner/member paradigm of the new LDAP group management style, in that most commercial LDAP-based tooling doesn't have the ability to set specific queries for various authentication parameters. This is most notable in our Atlassian Crowd implementation, in that Crowd only "sees" the members groups and has no way to parse out the Owners for additional privilege scope. Infra has currently created a manual workaround, which is documented in this (currently non-canonical, non-functional) script:
> [https://github.com/apache/infrastructure-p6/blob/9813eacad87fcac69f21e7b7c3233541685bd789/modules/cwiki_asf/files/refresh_meta.sh]
>
> As you can see, this script would create a new LDAP OU called 'meta' which ETLs the existing owner attributes into a $project-pmc DN which is then visible to Crowd and can be used to apply PMC permissions to Jira and Confluence. We're currently doing this manually "on-demand" until we finish some necessary back-end work for the script to function.
> I realize it's a step backwards to once again have to manage multiple LDAP groups, but unfortunately, this separation is required due to a lack of support for the owner/member attributes for Crowd.
> It may be worth Whimsy considering patching to update both the ou=projects and the PMC-based ou=meta groups. If this is something you'd like to do, I would recommend a new OU, as Infra will be continuing to do this purge/ETL for the ou=meta group for the foreseeable future.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
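
The "only apply changes" idea from the comment above, as an added example (not Whimsy's or Infra's code, and not part of the original message): it compares a project's owner list with the current members of its meta group and produces a single LDIF modify record containing just the difference, so the write-capable id touches ou=meta only when something changed. The base DN `dc=example,dc=org`, the placement of ou=meta directly under it, the `member` attribute name, and the function names are assumptions made for illustration.

```ruby
# Assumed base DN (constructed); the page names only the cn=<project>,ou=project
# and cn=<project>-pmc,ou=meta entries.
BASE = 'dc=example,dc=org'

# Normalize a DN for comparison: lower-case it and drop whitespace around the
# separators. Simplification: escaped commas inside an RDN are not handled.
def norm_dn(dn)
  dn.split(',').map { |rdn| rdn.strip.downcase.sub(/\s*=\s*/, '=') }.join(',')
end

# Returns [to_add, to_delete]: the smallest change set that makes the meta
# group's members equal the project's owners.
def meta_delta(owners, members)
  want = owners.map { |dn| [norm_dn(dn), dn] }.to_h
  have = members.map { |dn| [norm_dn(dn), dn] }.to_h
  to_add = (want.keys - have.keys).sort.map { |k| want[k] }
  to_del = (have.keys - want.keys).sort.map { |k| have[k] }
  [to_add, to_del]
end

# Build one LDIF modify record for cn=<project>-pmc,ou=meta, or nil when the
# group is already in sync (an unchanged project then costs no write at all).
def meta_ldif(project, owners, members)
  to_add, to_del = meta_delta(owners, members)
  return nil if to_add.empty? && to_del.empty?

  lines = ["dn: cn=#{project}-pmc,ou=meta,#{BASE}", 'changetype: modify']
  { 'add' => to_add, 'delete' => to_del }.each do |op, dns|
    next if dns.empty?
    lines << "#{op}: member"
    dns.each { |dn| lines << "member: #{dn}" }
    lines << '-'
  end
  lines.join("\n") + "\n"
end

# Constructed sample data: owners as read from cn=httpd,ou=project and the
# current members of cn=httpd-pmc,ou=meta (note the differing case and spacing).
OWNERS  = ['uid=alice,ou=people,dc=example,dc=org',
           'uid=carol,ou=people,dc=example,dc=org'].freeze
MEMBERS = ['UID=alice, ou=people, dc=example, dc=org',
           'uid=bob,ou=people,dc=example,dc=org'].freeze

puts meta_ldif('httpd', OWNERS, MEMBERS)
```

Because the output names a single DN under ou=meta and lists only the changed values, the record can be reviewed or logged before a restricted id applies it.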