I have an issue in our environment for AD groups via usersync: we are thinking to usersync ranger with AD; below is the issue I have:
AD group name: cfyG_GG-HDP_HadoopAdmins
SSSD mapped group on linux machine: hadoopadmin
This command yields:
$ hdfs groups hdpadmin
hdpadmin : hdpadmin hadoopadmin hadoopdev hadoopusers
Now the problem is I can save the AD group to lower case in Ranger as: cfyg_gg-hdp_hadoopadmins
but, if I use this group to give permission it won't work, since the linux group name is hadoopadmin, as mapped in SSSD. How can I overcome this issue?
Any help is appreciated.
As you know, user/group names in Ranger should match the ones used by Hadoop for authorization to work. In this case, since the group names mapped by SSSD are different from the ones in AD, Ranger usersync can be configured to sync from SSSD instead. Ranger introduced the support of syncing from SSSD as part of https://issues.apache.org/jira/browse/RANGER-827
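
A way to check which policy groups can never match, added here as an example (not part of either post and not Ranger's own code): it compares the groups Hadoop resolves for a user with the groups named in a policy. The policy JSON is a constructed sample whose `policyItems`/`groups` layout is assumed to follow a Ranger policy export, and the function names are hypothetical.

```python
import json

# Output of `hdfs groups hdpadmin` as quoted in the question above.
HDFS_GROUPS_OUTPUT = "hdpadmin : hdpadmin hadoopadmin hadoopdev hadoopusers"

# Constructed sample policy (assumption: shaped like a Ranger policy export,
# where each policy item lists the groups it grants access to).
POLICY_JSON = """
{"name": "hdfs-admin-path",
 "policyItems": [
   {"groups": ["cfyg_gg-hdp_hadoopadmins"],
    "accesses": [{"type": "write", "isAllowed": true}]},
   {"groups": ["hadoopadmin"],
    "accesses": [{"type": "read", "isAllowed": true}]}
 ]}
"""

def parse_hdfs_groups(line):
    """Parse 'user : g1 g2 ...' into (user, set_of_groups)."""
    user, _, groups = line.partition(":")
    return user.strip(), set(groups.split())

def audit_policy(policy, hadoop_groups):
    """Classify every group named in a policy against the Hadoop-side groups."""
    lowered = {g.lower() for g in hadoop_groups}
    findings = []
    for idx, item in enumerate(policy.get("policyItems", [])):
        for group in item.get("groups", []):
            if group in hadoop_groups:
                status = "match"            # same string on both sides
            elif group.lower() in lowered:
                status = "case-mismatch"    # differs only by case
            else:
                status = "no-match"         # a different name altogether
            findings.append((idx, group, status))
    return findings

def run_audit():
    """Audit the sample policy for the user in the sample `hdfs groups` line."""
    user, groups = parse_hdfs_groups(HDFS_GROUPS_OUTPUT)
    return user, audit_policy(json.loads(POLICY_JSON), groups)

if __name__ == "__main__":
    user, findings = run_audit()
    for idx, group, status in findings:
        print(f"user={user} item={idx} group={group}: {status}")
```

The lower-cased AD name is reported as `no-match` rather than `case-mismatch`, which is why changing its case in Ranger does not help: SSSD presents a different name to Hadoop.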