Support Questions

shyamshaw · ‎01-12-2017

Hi Team,

I have configured ranger with AD. I was able to see all the AD users in Ranger when clicked on "Users/Groups" tab for the first login but the newly created AD users are not showing or it is taking a long time to reflect in Ranger.

I want my AD users to be synced at the earliest. I followed https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.2/bk_Ranger_Install_Guide/content/ranger-user... to configure AD with ranger.

I found https://community.hortonworks.com/questions/19289/ranger-usersync-didnt-fetching-users-and-groups-fr... from community but it didn't helped much.

Any help would be highly appreciated.

spolavarapu · ‎01-12-2017

@Shyam Shaw

Just want to clarify one thing - For AD/LDAP as the sync source, minimum allowed sync interval is 1hr. If you set the value for "ranger.usersync.sleeptimeinmillisbetweensynccycle" anything less than 1hr, it will be ignored and 1hr sync interval is used. Since add/update of users or groups in AD/LDAP server is not a frequent operation in most of the enterprise deployments, it is chosen to have minimum of 1hr sync interval. For Unix or File based sync, the minimum sync interval is 1min.

Either you can wait for 1hr for the next sync cycle to kick in and sync the new users/groups or restart usersync process.

Note:- Usersync process on restart will first get all the existing users, groups, and group memberships from ranger admin in order to build its local cache before doing any sync from AD. This can take long time depending on the size of the db tables for users, groups, and group memberships in ranger admin.

View solution in original post

shyamshaw · ‎01-12-2017

[sbhdfs@master1 ~]$ ll /usr/bin/ | grep ranger-usersync

lrwxrwxrwx 1 root root 60 Jan 11 07:28 ranger-usersync -> /usr/hdp/current/ranger-usersync/ranger-usersync-services.sh

lrwxrwxrwx 1 root root 54 Dec 26 04:52 ranger-usersync-start -> /usr/hdp/current/ranger-usersync/ranger-usersync-start

lrwxrwxrwx 1 root root 53 Dec 26 04:52 ranger-usersync-stop -> /usr/hdp/current/ranger-usersync/ranger-usersync-stop

frank93 · ‎01-12-2017

Its ok. In usersync.log find last and first line of sync cycle and determine if the time difference equals the time you configured. Like here:

12 Jan 2017 16:44:33  INFO UserGroupSync [UnixUserSyncThread] - End: update user/group from source==>sink
12 Jan 2017 16:46:33  INFO UserGroupSync [UnixUserSyncThread] - Begin: update user/group from source==>sink

In my case its 2 mins. When you add a new user again, track your usersync.log whether your newly created user appears in the log file.

spolavarapu · ‎01-12-2017

@Shyam Shaw

Just want to clarify one thing - For AD/LDAP as the sync source, minimum allowed sync interval is 1hr. If you set the value for "ranger.usersync.sleeptimeinmillisbetweensynccycle" anything less than 1hr, it will be ignored and 1hr sync interval is used. Since add/update of users or groups in AD/LDAP server is not a frequent operation in most of the enterprise deployments, it is chosen to have minimum of 1hr sync interval. For Unix or File based sync, the minimum sync interval is 1min.

Either you can wait for 1hr for the next sync cycle to kick in and sync the new users/groups or restart usersync process.

Note:- Usersync process on restart will first get all the existing users, groups, and group memberships from ranger admin in order to build its local cache before doing any sync from AD. This can take long time depending on the size of the db tables for users, groups, and group memberships in ranger admin.

shyamshaw · ‎01-13-2017

Hi @spolavarapu,

Thanks for the detailed explanation. So, the "ranger.usersync.sleeptimeinmillisbetweensynccycle" property only applies to unix users and not LDAP/AD users. Is it correct?

spolavarapu · ‎01-13-2017

@Shyam Shaw, Not completely. For LDAP/AD users, this property will be used only when the value is >= 1hr. Anything that is <1hr is ignored and 1hr interval is used.

shyamshaw · ‎01-13-2017

@spolavarapu, thanks a lot!!!

frank93 · ‎01-13-2017

@spolavarapu @Shyam Shaw

In my case any user added in AD is synced every 2 minutes not 1hr. I am using HDP2.5 with Ranger 0.6.0. My test environment has got 2300 users.

shyamshaw · ‎01-13-2017

@Edgar Daeds @spolavarapu

I too using HDP 2.5 and ranger 0.6.0. my environment has only 30 users. It is taking around 40 minutes to sync the users.

spolavarapu · ‎01-16-2017

Can you provide the usersync logs? especially during startup of usersync

Cloudera Community

Support Questions

New users created in AD not showing in ranger while clicking on "Users/Groups" tab