Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

How to Replicate policies across cluster?

Labels:
avatar
author-rank smartninja723
Expert Contributor

Created ‎06-01-2016 02:03 PM

Guys,

I have two HDP 2.4.0 clusters. On both the we have setup Ranger and integrated with different ADs. More or less users are same. I read on one of the HCC questions that we can use DB replication to keep both policy DB in sync.

What I want to achieve is : From Cluster-A, want to take up Ranger DB, replace environment specific values and restore it on another cluster, restart Ambari and I should be good to go. But more I study schema and spend more time analyzing the situation, it doesn't look practical to me.

Has anyone actually replaced DB for Ranger?

I was trying to check the Ranger DB and both these environments I found lot of differences in the table contents. Mostly because of the users and groups, as we are pointing to different Active Directories.

I've three questions here :

(1) If we backup ranger db from cluster-1, drop db of cluster-2, stop user sync in Ambari on cluster-2, restore db of cluster-1 and restart Ambari (keep user sync) off and restart the Ranger admin. Will it work? ( I am happy to have imported users/groups of Cluster-1 - which are imported from AD1 and OK to delete imported users of Cluster-2 Ranger DB, Will this create problem? )

(2) Any better suggestions to make db replication work?

(3) What is better way around syncing policies across clusters?

Thanks.

4,759 Views
0
1 ACCEPTED SOLUTION

avatar
author-rank sshimpi
Super Guru

Created ‎06-01-2016 02:08 PM

@Smart Solutions

You can try policy replicate across cluster using ranger API. You can check this HCC questions -

https://community.hortonworks.com/questions/11369/is-there-a-way-to-export-ranger-policies-from-clus...

View solution in original post

4,225 Views
0
8 REPLIES 8

avatar
author-rank amiller
Guru

Created ‎06-01-2016 02:07 PM

It sounds like there are two conflicting goals you might want to achieve. Is the intention to migrate cluster-B/2 to use the same AD as cluster-A/1? Or do all users have accounts in both ADs, and you want to translate the policies from A to B but keep them on different ADs?

4,225 Views
0 Kudos

avatar
author-rank smartninja723
Expert Contributor

Created ‎06-01-2016 02:25 PM

@Alex Miller All the users have accounts in both the A/Ds. Except from Cluster-2 's Ranger DB contains users who are no longer in company and in A/D-1, so I am OK scrapping DB of cluster-2. And want to translate policies of A to B and still point to different A/Ds. Of course on the target cluster-2, will stop the user sync module once database is restored from Cluster-A.

4,225 Views
0 Kudos

avatar
author-rank amiller
Guru

Created ‎06-01-2016 03:04 PM

Sagar's answer is the best solution if both clusters will use the same AD. If each cluster has its own AD with unique users and groups, then you should clarify what you are hoping to gain by duplicating the policies. Keeping in mind that you'll need to sync them on an ongoing basis, it seems like "updating" every policy for a new set of users/groups would be more work than manually adding the policies on each cluster.

4,225 Views

avatar
author-rank smartninja723
Expert Contributor

Created ‎06-07-2016 03:49 PM

@Alex Miller Well in our scenario both the A/D are more or less replicas. Anyway I got this fixed.

4,225 Views
0 Kudos

avatar
author-rank sshimpi
Super Guru

Created ‎06-01-2016 02:08 PM

@Smart Solutions

You can try policy replicate across cluster using ranger API. You can check this HCC questions -

https://community.hortonworks.com/questions/11369/is-there-a-way-to-export-ranger-policies-from-clus...

4,226 Views
0

avatar
author-rank smartninja723
Expert Contributor

Created ‎06-01-2016 02:29 PM

Thanks @Sagar Shimpi . Will check this. Meanwhile wanted to know if HWX has plan to have a centralized Ranger (single instance) to define policies for multiple clusters? This could be a great value and help keeping the policies in central location 🙂

4,225 Views
0 Kudos

avatar
author-rank sshimpi
Super Guru

Created ‎06-01-2016 02:58 PM

@Smart Solutions

I see a good discussion on this. Pls check - https://community.hortonworks.com/questions/6922/is-it-possible-to-manage-multiple-clusters-using-o....

4,225 Views

avatar
author-rank smartninja723
Expert Contributor

Created ‎06-07-2016 03:48 PM

Well I fixed this using REST APIs. Thanks.

4,225 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements