Support Questions

Find answers, ask questions, and share your expertise

How to restrict the groups seen in Ranger?

Expert Contributor

Guys,

We have setup a Kerberized and A/D integrated HDP 2.3 Cluster. On the same cluster, after setting up Ranger, when I try to define policies for any components, I see all the groups available in A/D. For a larger organization, I suspect it would go in terms of hundreds.In such scenario, how can I restrict the number of groups appearing in the drop down when defining policies?

Thanks.

1 ACCEPTED SOLUTION

7 REPLIES 7

@Smart Solutions You can restrict groups to be synced using Group search filter. Refer below for detail.

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.4/bk_Ranger_Install_Guide/content/ranger_user...

And other option would be to use Ranger FileSource.

https://cwiki.apache.org/confluence/display/RANGER/File+Source+User+Group+Sync+process

Expert Contributor

Thanks I will have a look at them. What about the group which are already been imported. Can I delete for Ranger now?

Yes, I think you can delete if you don't want those.

Expert Contributor

@Pradeep I didn't find the delete option but found setting visibility to "hidden" option. Not sure if you are talking about.

Expert Contributor

@Smart Solutions You can delete users and groups by doing this:

log into the ranger database, and delete the following rows in order.

delete from x_group_users where
added_by_id in (1,2)
delete from x_user where added_by_id in
(1,2)
delete from x_group where added_by_id in
(1,2)

Then you can sync your users/groups again with your restrictions.

Expert Contributor

@Edgar Daeds Thank you. I will try this.

New Contributor

We came across a similar issue and our solution was to create a custom synchronization script which replaces the standard LDAP sync process.

We define a "super-group" whose members are all groups that are visible/relevant to Hadoop. This is helpful for several reasons:

  • It limits the group selection in Ranger itself
  • It limits the users that are pulled into Ranger - only members of one of the relevant groups will be visible to Ranger
  • It limits the amount of data that needs to be transfered during synchronization. (We have around 50k users in our Active Directory.)
  • It gives us an efficient filter for LDAP queries. (We cannot filter by base DN because of AD policy.)

The synchronization process knows only the DN of the super-group - it fetches that one LDAP entry; from there it determines the members, which are the authorization groups, and then the members of each authorization group, which are th authorized users.