Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

How to restrict the groups seen in Ranger?

Labels:
avatar
author-rank smartninja723
Expert Contributor

Created ‎05-24-2016 04:23 PM

Guys,

We have setup a Kerberized and A/D integrated HDP 2.3 Cluster. On the same cluster, after setting up Ranger, when I try to define policies for any components, I see all the groups available in A/D. For a larger organization, I suspect it would go in terms of hundreds.In such scenario, how can I restrict the number of groups appearing in the drop down when defining policies?

Thanks.

2,764 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank pardeep_kumar
Guru

Created ‎05-24-2016 04:31 PM

@Smart Solutions You can restrict groups to be synced using Group search filter. Refer below for detail.

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_Ranger_Install_Guide/content/ranger_user...

And other option would be to use Ranger FileSource.

https://cwiki.apache.org/confluence/display/RANGER/File+Source+User+Group+Sync+process

View solution in original post

2,575 Views
7 REPLIES 7

avatar
author-rank pardeep_kumar
Guru

Created ‎05-24-2016 04:31 PM

@Smart Solutions You can restrict groups to be synced using Group search filter. Refer below for detail.

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_Ranger_Install_Guide/content/ranger_user...

And other option would be to use Ranger FileSource.

https://cwiki.apache.org/confluence/display/RANGER/File+Source+User+Group+Sync+process

2,576 Views

avatar
author-rank smartninja723
Expert Contributor

Created ‎05-24-2016 04:33 PM

Thanks I will have a look at them. What about the group which are already been imported. Can I delete for Ranger now?

2,575 Views
0 Kudos

avatar
author-rank pardeep_kumar
Guru

Created ‎05-24-2016 04:43 PM

Yes, I think you can delete if you don't want those.

2,575 Views
0 Kudos

avatar
author-rank smartninja723
Expert Contributor

Created ‎05-25-2016 09:20 AM

@Pradeep I didn't find the delete option but found setting visibility to "hidden" option. Not sure if you are talking about.

2,575 Views
0 Kudos

avatar
author-rank frank93
Super Collaborator

Created ‎05-25-2016 10:16 AM

@Smart Solutions You can delete users and groups by doing this:

log into the ranger database, and delete the following rows in order.

delete from x_group_users where
added_by_id in (1,2)
delete from x_user where added_by_id in
(1,2)
delete from x_group where added_by_id in
(1,2)

Then you can sync your users/groups again with your restrictions.

2,575 Views

avatar
author-rank smartninja723
Expert Contributor

Created ‎05-25-2016 10:36 AM

@Edgar Daeds Thank you. I will try this.

2,575 Views
0 Kudos

avatar
author-rank hellmar_becker
New Contributor

Created ‎06-07-2016 02:09 PM

We came across a similar issue and our solution was to create a custom synchronization script which replaces the standard LDAP sync process.

We define a "super-group" whose members are all groups that are visible/relevant to Hadoop. This is helpful for several reasons:

  • It limits the group selection in Ranger itself
  • It limits the users that are pulled into Ranger - only members of one of the relevant groups will be visible to Ranger
  • It limits the amount of data that needs to be transfered during synchronization. (We have around 50k users in our Active Directory.)
  • It gives us an efficient filter for LDAP queries. (We cannot filter by base DN because of AD policy.)

The synchronization process knows only the DN of the super-group - it fetches that one LDAP entry; from there it determines the members, which are the authorization groups, and then the members of each authorization group, which are th authorized users.

2,575 Views
Announcements
What's New @ Cloudera
Cloudera DataFlow 2.9 now supports building GenAI pipelines ...
What's New @ Cloudera
Accelerate Data Scientist Productivity with Cloudera Copilot...
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
Community Announcements
October 2024 Community Highlights
What's New @ Cloudera
Accelerate Your AI with the Cloudera AI Inference Service wi...
View More Announcements