Community Articles

Find and share helpful community-sourced technical articles.
Labels (1)
avatar
Expert Contributor

Introduction

Adding a group as a member to another group is called nesting. If a group (groupA) is a member of another group (groupB), then the users belonging to the member group (groupA) are part of the parent group (groupB) as well. Nesting can be very useful in delegating access through inheritance. Several large enterprises have their groups in LDAP/AD nested within other groups. Security admins want the users in those nested groups to be associated in Ranger so that they are available for policy authoring in Ranger Admin. In HDP 2.6 (RANGER-1735), ranger usersync introduced support of nested group membership representation for policy authoring.

Note:- In order to utilize the nested group mapping across hadoop, this feature must be configured for hadoop LdapGroupMapping as well. Configuring hadoop LdapGroupMapping for nested groups is explained here.

Sample Active directory structure with Nested groups

Usecase: Admin wants to give access to some resources for all the users under “AMER Marketing Group”

In the above sample directory structure, all the marketing users are under one OU “Marketing Users”. All these users are members of different groups based on the location like US, Canada, London, etc… For example, user “Adam Will” from “Marketing Users” OU is a member of “Canada Marketing Group”.

Also, the above sample directory structure contains multiple nested group levels like - “US Marketing Group” is a member of “AMER Marketing Group” which again is a member of “Marketing Group”.

Ranger Usersync configuration

Ranger Usersync, by default, computes only the immediate groups for the users. For example, user “Adam Will” is part of “Canada Marketing Group” and only this information is available in ranger without nested group sync configuration. With this information, if an admin wants to provide access to all the users under “AMER Marketing Group”, then all the sub groups - “US Marketing Group” and “Canada Marketing Group” must be added in the ranger policy.

In order to simplify the policy configuration at parent level groups, Ranger supports evaluating nested group memberships by configuring “ranger.usersync.ldap.grouphierarchylevels”. If ranger.usersync.ldap.grouphierarchylevels is set to “3”, Ranger Usersync computes the group memberships for user “Adam Will” as “Canada Marketing Group”, “AMER Marketing Group”, “Marketing Group”. This way, admin can configure ranger policy at the parent group level (“AMER Marketing Group”) which will be applied for all the users (Mary Sam, John Doe, and Adam Will) under each sub group (US Marketing Group and Canada Marketing Group).

5,128 Views
Comments

Can you have multiple nested groups? Say you have some nested groups in ou=groups and ou=groups2 If you set the base to have ou=groups,dc=test,dc=com;ou=groups2,dc=test,dc=test,dc=com will it pick up the hierarchy levels for each ou?

avatar
Expert Contributor

Yes, for each configured OU in group search base, ranger usersync computes the nested groups. Group hierarchy level is applied for each OU independently. Few points to note:

1. If the directory server contains more levels of nested groups than the ones configured in the usersync group hierarchy levels, then usersync limits the nested group computation based on the usersync configuration

2. If the directory server contains less levels of nested groups than the ones configured in the usersync group hierarchy levels, then usersync limits the nested group computation based on the directory server nested group levels

3. Nested groups are computed only for the groups that are part of the group search base. For example, group search base is configured as "ou=groups,dc=test,dc=com;ou=groups2,dc=test,dc=test,dc=com" and if a group (grp1) that is part of the one of these configured OU has a member group (grp2) that is not part of any of the configured OUs, then grp2 is ignored from group computation.

4. Nested group computation is supported with Incremental sync as well as Full sync.