New users created in AD not showing in ranger while clicking on "Users/Groups" tab

Expert Contributor

Hi Team,

I have configured Ranger with AD. I was able to see all the AD users in Ranger when I clicked on the "Users/Groups" tab after the first login, but the newly created AD users are not showing, or they are taking a long time to be reflected in Ranger.

I want my AD users to be synced at the earliest. I followed https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.2/bk_Ranger_Install_Guide/content/ranger-user... to configure AD with Ranger.

I found https://community.hortonworks.com/questions/19289/ranger-usersync-didnt-fetching-users-and-groups-fr... from the community but it didn't help much.

Any help would be highly appreciated.

1 ACCEPTED SOLUTION

Expert Contributor
@Shyam Shaw

Just want to clarify one thing: for AD/LDAP as the sync source, the minimum allowed sync interval is 1hr. If you set the value for "ranger.usersync.sleeptimeinmillisbetweensynccycle" to anything less than 1hr, it will be ignored and a 1hr sync interval is used. Since add/update of users or groups in an AD/LDAP server is not a frequent operation in most enterprise deployments, it was chosen to have a minimum of 1hr for the sync interval. For Unix or file based sync, the minimum sync interval is 1min.

You can either wait 1hr for the next sync cycle to kick in and sync the new users/groups, or restart the usersync process.

Note: On restart, the usersync process will first get all the existing users, groups, and group memberships from Ranger Admin in order to build its local cache before doing any sync from AD. This can take a long time depending on the size of the db tables for users, groups, and group memberships in Ranger Admin.


18 REPLIES

Super Collaborator

Hi,

Could you check the value of your "ranger.usersync.sleeptimeinmillisbetweensynccycle" parameter? It can be found in "Advanced ranger-ugsync-site" in Ambari. Its value is the time in milliseconds between every sync cycle.

In usersync.log you can see your last sync time. Therefore you can determine the reason why the user is not added.

Expert Contributor

Hi,

The current value for the "ranger.usersync.sleeptimeinmillisbetweensynccycle" parameter is 60000. I tried to change it to < 6000 but that didn't help either.

My connection to AD server is working fine without any issues.

Super Collaborator

Changing the value to <6000 causes the default value to be set, which is 1 min (which was also your previous value, 60000 millis). Can you check in usersync.log if the sync is really happening?

Super Collaborator

If your users and groups were synced the first time, and now when you add a user to AD he is not synced, the reason may be your filter. Are you sure the user meets the filter expression?

Expert Contributor

I have set "ranger.usersync.ldap.user.searchfilter" to a single empty space as mentioned in the document. Can you please point me to the properties I should focus on? I checked usersync.log but didn't find any specific error log.

I noticed that newly created users are getting synced but it is taking a long time.

usersync.log:

12 Jan 2017 08:06:59 INFO LdapUserGroupBuilder [UnixUserSyncThread] - Updating user count: 20, userName: test1, groupList: []

12 Jan 2017 08:06:59 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder.getUsers() completed with user count: 20

12 Jan 2017 08:07:00 INFO UserGroupSync [UnixUserSyncThread] - End: update user/group from source==>sink
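
An added example, not part of any post in this thread and not Ranger's own code: it applies the minimum intervals stated in the accepted solution to a ranger-ugsync-site.xml and compares the result with the gaps between "End: update user/group" lines in usersync.log. The XML and log samples are constructed, and using `ranger.usersync.source.impl.class` to detect an LDAP/AD source is an assumption.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SLEEP_KEY = "ranger.usersync.sleeptimeinmillisbetweensynccycle"
SOURCE_KEY = "ranger.usersync.source.impl.class"  # assumption: names the sync source
# Minimum intervals as stated in the accepted solution on this page.
MIN_INTERVAL = {"ldap": timedelta(hours=1), "unix": timedelta(minutes=1)}

# Constructed sample of ranger-ugsync-site.xml (Hadoop-style property file).
SITE_XML = """<configuration>
  <property><name>ranger.usersync.source.impl.class</name>
    <value>org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder</value></property>
  <property><name>ranger.usersync.sleeptimeinmillisbetweensynccycle</name>
    <value>60000</value></property>
</configuration>"""

# Constructed usersync.log excerpt in the format quoted in the post above.
LOG = """\
12 Jan 2017 08:06:59 INFO LdapUserGroupBuilder [UnixUserSyncThread] - LDAPUserGroupBuilder.getUsers() completed with user count: 20
12 Jan 2017 08:07:00 INFO UserGroupSync [UnixUserSyncThread] - End: update user/group from source==>sink
12 Jan 2017 09:07:02 INFO UserGroupSync [UnixUserSyncThread] - End: update user/group from source==>sink
"""

END_RE = re.compile(r"^(\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) INFO UserGroupSync "
                    r".*End: update user/group from source==>sink")

def load_props(xml_text):
    """Return {name: value} for every <property> in the site file."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name"): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def effective_interval(props):
    """Configured sleep time, raised to the minimum for the sync source."""
    kind = "ldap" if "ldap" in props.get(SOURCE_KEY, "").lower() else "unix"
    configured = timedelta(milliseconds=int(props.get(SLEEP_KEY) or 0))
    return kind, max(configured, MIN_INTERVAL[kind])

def observed_gaps(log_text):
    """Time between consecutive completed sync cycles in usersync.log."""
    ends = [datetime.strptime(m.group(1), "%d %b %Y %H:%M:%S")
            for line in log_text.splitlines() if (m := END_RE.match(line))]
    return [later - earlier for earlier, later in zip(ends, ends[1:])]

if __name__ == "__main__":
    kind, interval = effective_interval(load_props(SITE_XML))
    print(f"source={kind} effective interval={interval}")
    for gap in observed_gaps(LOG):
        print(f"observed gap between cycles: {gap}")
```

Observed gaps include the time each cycle takes to run, so they will be slightly longer than the effective interval.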

Super Collaborator

Newly created users should be synced during the next synchronization, which is 1 minute maximum in your case. If a newly created user gets synced successfully, there is no problem in the Ranger AD configuration. It seems that you have connection problems / delay with your AD server. What is the ping time when you do "ping ad-server-ip-address"? Try to ping your AD server with the "-t 60" parameter, and observe if the connection is OK all the time.

Super Collaborator

Please also check whether your ranger-ugsync-site.xml file contains the proper value of the sleeptimeinmillisbetweensynccycle parameter. The file should be here: /usr/hdp/current/ranger-usersync/conf

Expert Contributor

I checked the value of the sleeptimeinmillisbetweensynccycle parameter, and it is the same (60000) as defined in Ambari.

[root@master1 ~]# ping <ad-server-ip-address> -t 60

PING XXX.XX.XX.XX (XXX.XX.XX.XX) 56(84) bytes of data.

64 bytes from XXX.XX.XX.XX: icmp_seq=1 ttl=128 time=0.529 ms

64 bytes from XXX.XX.XX.XX: icmp_seq=2 ttl=128 time=0.525 ms

64 bytes from XXX.XX.XX.XX: icmp_seq=3 ttl=128 time=0.517 ms

64 bytes from XXX.XX.XX.XX: icmp_seq=4 ttl=128 time=0.429 ms

64 bytes from XXX.XX.XX.XX: icmp_seq=5 ttl=128 time=0.530 ms

64 bytes from XXX.XX.XX.XX: icmp_seq=6 ttl=128 time=0.474 ms

64 bytes from XXX.XX.XX.XX: icmp_seq=7 ttl=128 time=0.515 ms

Super Collaborator

Could you also provide me the output of the command:

ll /usr/bin/ | grep ranger-usersync