question Re: How to restrict the groups seen in Ranger? in Archives of Support Questions (Read Only)

How to restrict the groups seen in Ranger?

smartninja723 — Tue, 24 May 2016 23:23:01 GMT

Guys,

We have setup a Kerberized and A/D integrated HDP 2.3 Cluster. On the same cluster, after setting up Ranger, when I try to define policies for any components, I see all the groups available in A/D. For a larger organization, I suspect it would go in terms of hundreds.In such scenario, how can I restrict the number of groups appearing in the drop down when defining policies?

Thanks.

Re: How to restrict the groups seen in Ranger?

pardeep_kumar — Tue, 24 May 2016 23:31:03 GMT

@Smart Solutions You can restrict groups to be synced using Group search filter. Refer below for detail.

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_Ranger_Install_Guide/content/ranger_user_sync_ldap_ad.html

And other option would be to use Ranger FileSource.

https://cwiki.apache.org/confluence/display/RANGER/File+Source+User+Group+Sync+process

Re: How to restrict the groups seen in Ranger?

smartninja723 — Tue, 24 May 2016 23:33:52 GMT

Thanks I will have a look at them. What about the group which are already been imported. Can I delete for Ranger now?

Re: How to restrict the groups seen in Ranger?

pardeep_kumar — Tue, 24 May 2016 23:43:29 GMT

Yes, I think you can delete if you don't want those.

Re: How to restrict the groups seen in Ranger?

smartninja723 — Wed, 25 May 2016 16:20:37 GMT

@Pradeep I didn't find the delete option but found setting visibility to "hidden" option. Not sure if you are talking about.

Re: How to restrict the groups seen in Ranger?

frank93 — Wed, 25 May 2016 17:16:01 GMT

@Smart Solutions You can delete users and groups by doing this:

log into the ranger database, and delete the following rows in order.

delete from x_group_users where
added_by_id in (1,2)

delete from x_user where added_by_id in
(1,2)

delete from x_group where added_by_id in
(1,2)

Then you can sync your users/groups again with your restrictions.

Re: How to restrict the groups seen in Ranger?

smartninja723 — Wed, 25 May 2016 17:36:12 GMT

@Edgar Daeds Thank you. I will try this.

Re: How to restrict the groups seen in Ranger?

hellmar_becker — Tue, 07 Jun 2016 21:09:54 GMT

We came across a similar issue and our solution was to create a custom synchronization script which replaces the standard LDAP sync process.

We define a "super-group" whose members are all groups that are visible/relevant to Hadoop. This is helpful for several reasons:

It limits the group selection in Ranger itself
It limits the users that are pulled into Ranger - only members of one of the relevant groups will be visible to Ranger
It limits the amount of data that needs to be transfered during synchronization. (We have around 50k users in our Active Directory.)
It gives us an efficient filter for LDAP queries. (We cannot filter by base DN because of AD policy.)

The synchronization process knows only the DN of the super-group - it fetches that one LDAP entry; from there it determines the members, which are the authorization groups, and then the members of each authorization group, which are th authorized users.