feat(ingestion) ldap: make ldap attrs keys configurable

[atulsaurav]

• Code changes to consume attrs_mapping from ldap recipe
• Doc changes outlining how to use different configurations in recipe

closes #4599

Checklist

• The PR conforms to DataHub's Contributing Guideline (particularly Commit Message Format)
• Links to related issues (if applicable)
• Tests for the changes have been added/updated (if applicable)
• Docs related to the changes have been added/updated (if applicable). If a new feature has been added a Usage Guide has been added for the same.
• For any breaking change/potential downtime/deprecation/big changes an entry has been made in Updating DataHub

[github-actions]

Unit Test Results (build & test)

385 tests  ±0   385 ✔️ +6   10m 7s ⏱️ -33s
  91 suites ±0       0 💤 ±0 
  91 files   ±0       0 ❌  - 6 

Results for commit ec943a4. ± Comparison against base commit 0949613.

♻️ This comment has been updated with latest results.

[github-actions]

Unit Test Results (metadata ingestion)

       8 files  ±0         8 suites  ±0   1h 17m 40s ⏱️ - 2m 24s
   565 tests ±0     562 ✔️ ±0    3 💤 ±0  0 ❌ ±0 
1 068 runs  ±0  1 025 ✔️ ±0  43 💤 ±0  0 ❌ ±0 

Results for commit ec943a4. ± Comparison against base commit 0949613.

♻️ This comment has been updated with latest results.

[jjoyce0510]

As discussed at office hours.. Let's move forward by duplicating the LDAP source and taking the caching approach you suggested:

1. Fetch all users, extract the attribute that should be used in urn (from config)
2. Create map from DN -> attribute for urn
3. Fetch all groups, link to members, build GroupMembership aspect for each user
4. Write back to DataHub

• John

[jjoyce0510]

@atulsaurav im wondering if this should really map "DataHub" concepts to specific attributes?

Like this:

urn_id:
email
firstName
lastName
displayName

Instead of mapping LDAP -> LDAP concepts

[atulsaurav]

Yes, good idea! Let me make changes and send you an update later in the evening. Thanks!

[jjoyce0510]

minor typo:

ineffecvtive -> ineffective

[jjoyce0510]

typo:

customiza -> customize

[atulsaurav]

Thanks for catching these!

[jjoyce0510]

Remember -> this members field is deprecated. instead, we should be populating the "GroupMembership" aspect of the user object.. Were you intending to do this as a followup?

[atulsaurav]

yes, as a part of #3335

[jjoyce0510]

Wonderful! Thanks for the update

[jjoyce0510]

Looking great so far. Once we do the "datahub concept" mapping piece we are good to go!

[jjoyce0510]

So this is the attribute used to construct the urn?

[atulsaurav]

yes, thanks for clarifying that in the docs!

[jjoyce0510]

Overall looks good. As a followup we definitely should fix the LDAP group extraction to use the GroupMembership MCEs!

[jjoyce0510]

Won't this overwrite the display name attribute defined above?

This makes me think we do need 2 distinct mappings:

userMappings
groupMappings

I should have called this out earlier - my apologies for that. What do you think?

[atulsaurav]

No worries, done!

[jjoyce0510]

This overwrites like 36

[jjoyce0510]

Thank you so much for improving this connector @atulsaurav !

[bda618]

int(attrs[self.config.attrs_mapping["departmentId"]][0].decode())

The line above is actually failing for me with the following error:

line 320, in build_corp_user_mce
int(attrs[self.config.user_attrs_map["departmentId"]][0].decode())

ValueError: invalid literal for int() with base 10: 'USE_NEW_GL_FIELDS'

It appears that "departmentId" has been mapped to "departmentNumber" which we don't have at our corp ldap. Thus, it is null. I think you can reproduce this error by rolling back changes at the test case to null.

I have temporali applied a fix as below:

attrs[self.config.attrs_mapping["departmentId"]][0]).decode()

It fixed a problem partly, but some users were not ingested and end up with error like " Failed to extract some records due to: source produced an invalid metadata work unit"

[atulsaurav]

Yes this is an oddity with the way the LDAP connector was written. DH has 2 fields for department - departmentId and departmentName. DH makes a strong assumption that departmentId field should be numeric. I have opened up a discussion on slack in metadata-modeling channel on this topic. If we relax the metadata model to allow string types in departmentId field, this would be the way to go. For now instead of code change, you could define the mapping for departmentId field in your recipe to read from LDAP attr (e.g.) departmentId. Since that will not be found in your ldap, the departmentId field in DH will be left as null as it used to. Please let me know if this helps/makes sense.

[bda618]

I have just done what you suggested and that fixed a problem, here is remapping from my receipt:

source:
    type: "ldap"
    config:
       # Map from a default mapping as departmentNumber to departmentId
       user_attrs_map: {"departmentId":"departmentId"}

The original source of the problem with our departmentNumber is that it is not a number, but a string.