How to restrict the groups seen in Ranger?

Expert Contributor

Guys,

We have set up a Kerberized and A/D integrated HDP 2.3 cluster. On the same cluster, after setting up Ranger, when I try to define policies for any components, I see all the groups available in A/D. For a larger organization, I suspect it would go in terms of hundreds. In such a scenario, how can I restrict the number of groups appearing in the drop-down when defining policies?

Thanks.

Re: How to restrict the groups seen in Ranger?

Expert Contributor

Thanks, I will have a look at them. What about the groups which have already been imported? Can I delete them from Ranger now?

Re: How to restrict the groups seen in Ranger?

Yes, I think you can delete if you don't want those.

Re: How to restrict the groups seen in Ranger?

Expert Contributor

@Pradeep I didn't find the delete option, but found the option of setting visibility to "hidden". Not sure if that is what you are talking about.

Re: How to restrict the groups seen in Ranger?

Expert Contributor

@Smart Solutions You can delete users and groups by doing this:

Log into the Ranger database and delete the following rows in order.

-- Remove group memberships first, then users, then groups.
delete from x_group_users where added_by_id in (1,2);
delete from x_user where added_by_id in (1,2);
delete from x_group where added_by_id in (1,2);

Then you can sync your users/groups again with your restrictions.

Re: How to restrict the groups seen in Ranger?

Expert Contributor

@Edgar Daeds Thank you. I will try this.

Re: How to restrict the groups seen in Ranger?

New Contributor

We came across a similar issue and our solution was to create a custom synchronization script which replaces the standard LDAP sync process.

We define a "super-group" whose members are all groups that are visible/relevant to Hadoop. This is helpful for several reasons:

  • It limits the group selection in Ranger itself
  • It limits the users that are pulled into Ranger - only members of one of the relevant groups will be visible to Ranger
  • It limits the amount of data that needs to be transferred during synchronization. (We have around 50k users in our Active Directory.)
  • It gives us an efficient filter for LDAP queries. (We cannot filter by base DN because of AD policy.)

The synchronization process knows only the DN of the super-group - it fetches that one LDAP entry; from there it determines the members, which are the authorization groups, and then the members of each authorization group, which are the authorized users.
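
The two-level lookup described in the reply above, as an added Python example that is not part of the original post and is not the poster's script. It assumes an in-memory `DIRECTORY` dict in place of Active Directory and a hypothetical `fetch_entry` helper; every DN and account name is constructed, and a real script would replace `fetch_entry` with a base-scope LDAP search.

```python
# Constructed sample directory standing in for Active Directory (not real data).
# Attribute names follow AD conventions; every DN and account name is made up.
BASE = "OU=Hadoop,DC=example,DC=com"
SUPER_GROUP = f"CN=hadoop-visible,{BASE}"
DIRECTORY = {
    SUPER_GROUP: {"objectClass": ["group"], "member": [
        f"CN=hdp-analysts,{BASE}", f"CN=hdp-etl,{BASE}",
        f"CN=alice,{BASE}",           # a user placed directly in the super-group
        f"CN=decommissioned,{BASE}",  # stale DN with no entry behind it
    ]},
    f"CN=hdp-analysts,{BASE}": {"objectClass": ["group"], "sAMAccountName": "hdp-analysts",
                                "member": [f"CN=alice,{BASE}", f"CN=bob,{BASE}"]},
    f"CN=hdp-etl,{BASE}": {"objectClass": ["group"], "sAMAccountName": "hdp-etl",
                           "member": [f"CN=bob,{BASE}", f"CN=hdp-analysts,{BASE}"]},
    f"CN=alice,{BASE}": {"objectClass": ["user"], "sAMAccountName": "alice"},
    f"CN=bob,{BASE}": {"objectClass": ["user"], "sAMAccountName": "bob"},
    f"CN=carol,{BASE}": {"objectClass": ["user"], "sAMAccountName": "carol"},
}

def fetch_entry(dn):
    """Hypothetical lookup; a real script would run a base-scope LDAP search on dn."""
    return DIRECTORY.get(dn)

def is_a(entry, object_class):
    return entry is not None and object_class in entry.get("objectClass", [])

def resolve(super_group_dn, fetch=fetch_entry):
    """Return ({group: [users]}, {user: dn}) reachable from the super-group only."""
    root = fetch(super_group_dn)
    if not is_a(root, "group"):
        raise LookupError(f"super-group not found: {super_group_dn}")
    groups, users = {}, {}
    for group_dn in root.get("member", []):
        group = fetch(group_dn)
        if not is_a(group, "group"):
            continue  # skip stale DNs and users that are direct members
        names = set()
        for user_dn in group.get("member", []):
            user = fetch(user_dn)
            if is_a(user, "user"):  # nested groups are not expanded (two levels only)
                users[user["sAMAccountName"]] = user_dn
                names.add(user["sAMAccountName"])
        groups[group["sAMAccountName"]] = sorted(names)
    return groups, users

if __name__ == "__main__":
    print(resolve(SUPER_GROUP))
```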
