How to restrict the groups seen in Ranger?

Expert Contributor

Guys,

We have set up a Kerberized and A/D-integrated HDP 2.3 cluster. On the same cluster, after setting up Ranger, when I try to define policies for any component, I see all the groups available in A/D. For a larger organization, I suspect this would run into the hundreds. In such a scenario, how can I restrict the number of groups appearing in the drop-down when defining policies?

Thanks.



@Smart Solutions You can restrict groups to be synced using Group search filter. Refer below for detail.

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_Ranger_Install_Guide/content/ranger_user...

Another option would be to use the Ranger File Source.

https://cwiki.apache.org/confluence/display/RANGER/File+Source+User+Group+Sync+process

Expert Contributor

Thanks, I will have a look at them. What about the groups which have already been imported? Can I delete them from Ranger now?


Yes, I think you can delete if you don't want those.

Expert Contributor

@Pradeep I didn't find the delete option, but I found the option to set visibility to "hidden". Not sure if that is what you are talking about.

Super Collaborator

@Smart Solutions You can delete users and groups by doing this:

Log into the Ranger database and delete the following rows, in this order (x_group_users references both x_user and x_group, so it has to go first):

  -- rows whose added_by_id is 1 or 2 are the ones the sync user created; adjust the ids for your install
  delete from x_group_users where added_by_id in (1,2);
  delete from x_user where added_by_id in (1,2);
  delete from x_group where added_by_id in (1,2);

Then you can sync your users/groups again with your restrictions.

Expert Contributor

@Edgar Daeds Thank you. I will try this.

New Contributor

We came across a similar issue and our solution was to create a custom synchronization script which replaces the standard LDAP sync process.

We define a "super-group" whose members are all groups that are visible/relevant to Hadoop. This is helpful for several reasons:

  • It limits the group selection in Ranger itself
  • It limits the users that are pulled into Ranger - only members of one of the relevant groups will be visible to Ranger
  • It limits the amount of data that needs to be transferred during synchronization. (We have around 50k users in our Active Directory.)
  • It gives us an efficient filter for LDAP queries. (We cannot filter by base DN because of AD policy.)

The synchronization process knows only the DN of the super-group - it fetches that one LDAP entry; from there it determines the members, which are the authorization groups, and then the members of each authorization group, which are the authorized users.
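The two-level resolution described in this reply (super-group -> authorization groups -> users), as an added Python example that is not the poster's script. DNs, attribute names and the comma-delimited "user,group1,group2" output layout are assumptions, and directory lookups read a constructed in-memory sample so the example runs offline:

```python
# Added example, not the poster's script: resolve a "super-group" into the Ranger
# user->groups mapping. lookup() stands in for a base-scope LDAP search by DN.

def gdn(cn): return f"CN={cn},OU=Groups,DC=example,DC=com"  # assumed DN layout
def udn(cn): return f"CN={cn},OU=Users,DC=example,DC=com"

def group(name, *members):
    return {"objectClass": ["group"], "sAMAccountName": [name], "member": list(members)}

def user(name): return {"objectClass": ["user"], "sAMAccountName": [name]}

SUPER_GROUP_DN = gdn("hadoop-access")  # the only DN the sync needs to know

DIRECTORY = {  # constructed sample AD content, not real data
    SUPER_GROUP_DN: group("hadoop-access", gdn("hdfs-admins"), gdn("hive-analysts"),
                          udn("Bob")),            # a user placed directly in the super-group
    gdn("hdfs-admins"): group("hdfs-admins", udn("Alice")),
    gdn("hive-analysts"): group("hive-analysts", udn("Alice"), udn("Bob"),
                                gdn("nested-team")),  # nested group inside an auth group
    gdn("nested-team"): group("nested-team", udn("Carol")),
    udn("Alice"): user("alice"), udn("Bob"): user("bob"), udn("Carol"): user("carol"),
}

def lookup(dn):
    """Fetch one entry by DN; returns {} for unknown DNs (stale members)."""
    return DIRECTORY.get(dn, {})

def resolve_super_group(super_dn):
    """Members of the super-group are the authorization groups; their direct user
    members are the authorized users. Non-group members of the super-group, nested
    groups inside an authorization group and unresolvable DNs are skipped."""
    users = {}
    for group_dn in lookup(super_dn).get("member", []):
        g = lookup(group_dn)
        if "group" not in g.get("objectClass", []):
            continue
        for member_dn in g.get("member", []):
            u = lookup(member_dn)
            if "user" in u.get("objectClass", []):
                users.setdefault(u["sAMAccountName"][0], set()).add(g["sAMAccountName"][0])
    return {name: sorted(groups) for name, groups in users.items()}

def to_filesource_lines(mapping):
    """'user,group1,group2' per user: the delimited text layout assumed here for
    Ranger's file-source usersync (check the delimiter setting of your version)."""
    return [",".join([name] + groups) for name, groups in sorted(mapping.items())]

if __name__ == "__main__":
    print("\n".join(to_filesource_lines(resolve_super_group(SUPER_GROUP_DN))))
```

Only alice and bob come out; carol is reachable only through the nested group, which the two-level scheme deliberately does not expand.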