Created 04-17-2017 02:29 PM
Hi all,
I am trying to implement our security integration with SSSD, and I could not make Ranger import users' primary group from Active Directory. Our SSSD configuration synchronizes users' groups correctly, e.g.
uid=908602857(ol889372) gid=908600513(domain users) groups=908600513(domain users),908603108(hadoopgroup)
But Ranger could not get the "domain users" group from Active Directory, since it is the primary group. Any idea how to make it work?
Created 04-18-2017 03:55 AM
I assume you have already done HDFS group mapping. Could you please share your settings for Ranger user sync?
Created on 04-18-2017 11:30 AM - edited 08-17-2019 10:27 PM
Hi Frank,
Here is my configuration:
id output of the bilgin user from the shell:
id bilgin
uid=908601104(bilgin) gid=908603108(hadoopgroup) groups=908603108(hadoopgroup),908600513(domain users)
another example:
id ol889372
uid=908602857(ol889372) gid=908600513(domain users) groups=908600513(domain users),908603108(hadoopgroup)
As you can see, Ranger takes the users' groups except the primary group (hadoopgroup in the case of user bilgin and "domain users" in the case of ol889372). In the meantime, we are using Windows 2012 Server. Thank you in advance.
Created 04-18-2017 01:50 PM
Is your hadoopgroup nested inside the domain users group?
Created 04-18-2017 02:06 PM
No. It is not nested.
Created 05-03-2017 06:47 PM
1. Ranger uses the "memberof" attribute to pull the groups associated with the user if "Enable Group Sync" is disabled. In this case, the primary group (Domain Users) is not returned by AD, and hence that info is not available to Ranger (https://social.technet.microsoft.com/Forums/windows/en-US/ad1396f1-a951-4a28-9a35-e2c5d9a2b22f/finding-primary-group-of-users-in-ad?forum=winserverDS).
2. If "Enable Group Sync" is enabled, then Ranger first syncs all the users based on the user config, then searches groups based on the group configuration and looks at the "member" attribute of the group to map the users that were pulled as part of the user search. As long as the users are part of the member attribute of the group, we sync that group. But it looks like AD doesn't send all the users as part of the member attribute in the LDAP search.
Just curious, are you planning to configure any Ranger policies for "Domain Users"? Is it possible to share more details of your use case from a Ranger perspective (mainly how these users and/or groups synced in Ranger will be used)?
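The behaviour described in points 1 and 2 above, as an added example that is not part of the original thread and not Ranger's own code: in Active Directory the primary group is listed neither in the user's memberOf attribute nor in the group's member attribute. Instead the user's primaryGroupID holds the RID of the primary group, and domain SID + "-" + RID equals that group's objectSid. The directory entries, domain SID and DNs below are constructed; the RIDs 513 (Domain Users) and 3108 (hadoopgroup) are inferred from the gid values in the id output earlier in the thread, assuming SSSD ID mapping of gid = base + RID (908600513 - 513 and 908603108 - 3108 both give 908600000). The filter helper builds the standard primaryGroupID workaround filter; whether a given Ranger usersync version accepts it as a custom user search filter is an assumption to verify.

```python
"""Added example: how AD represents a user's primary group, and why a sync that
reads only memberOf (user side) or member (group side) misses it.

All entries below are constructed for illustration, not LDAP results from the
thread. The domain SID and DNs are hypothetical. RIDs 513 and 3108 are inferred
from the gid values posted above (SSSD gid = base + RID assumed).
"""
from typing import Dict, List

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # hypothetical

DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=example,DC=com"
HADOOPGROUP_DN = "CN=hadoopgroup,CN=Users,DC=example,DC=com"
BILGIN_DN = "CN=bilgin,CN=Users,DC=example,DC=com"
OL889372_DN = "CN=ol889372,CN=Users,DC=example,DC=com"

# Group entries as AD returns them: objectSid = domain SID + "-" + RID, and
# 'member' deliberately omits users for whom this group is the primary group.
GROUPS: Dict[str, Dict] = {
    DOMAIN_USERS_DN: {
        "cn": "Domain Users",
        "objectSid": f"{DOMAIN_SID}-513",
        "member": [BILGIN_DN],     # ol889372 absent: Domain Users is its primary group
    },
    HADOOPGROUP_DN: {
        "cn": "hadoopgroup",
        "objectSid": f"{DOMAIN_SID}-3108",
        "member": [OL889372_DN],   # bilgin absent: hadoopgroup is its primary group
    },
}

# User entries: memberOf omits the primary group; primaryGroupID carries its RID.
USERS: Dict[str, Dict] = {
    BILGIN_DN: {"sAMAccountName": "bilgin", "primaryGroupID": "3108",
                "memberOf": [DOMAIN_USERS_DN]},
    OL889372_DN: {"sAMAccountName": "ol889372", "primaryGroupID": "513",
                  "memberOf": [HADOOPGROUP_DN]},
}


def rid_of(sid: str) -> str:
    """Last sub-authority of a SID string, e.g. 'S-1-5-21-...-513' -> '513'."""
    return sid.rsplit("-", 1)[1]


def groups_from_memberof(user_dn: str) -> List[str]:
    """Point 1: group names visible through the user's memberOf attribute only."""
    return sorted(GROUPS[dn]["cn"] for dn in USERS[user_dn]["memberOf"])


def primary_group_dn(user_dn: str) -> str:
    """Resolve the primary group by matching domain SID + primaryGroupID to objectSid."""
    wanted = f"{DOMAIN_SID}-{USERS[user_dn]['primaryGroupID']}"
    for dn, grp in GROUPS.items():
        if grp["objectSid"] == wanted:
            return dn
    raise LookupError(f"no group with objectSid {wanted}")


def all_groups(user_dn: str) -> List[str]:
    """memberOf groups plus the primary group: the full list, as 'id' shows it."""
    names = set(groups_from_memberof(user_dn))
    names.add(GROUPS[primary_group_dn(user_dn)]["cn"])
    return sorted(names)


def members_from_member_attr(group_dn: str) -> List[str]:
    """Point 2: members visible through the group's member attribute only."""
    return sorted(USERS[dn]["sAMAccountName"] for dn in GROUPS[group_dn]["member"])


def all_members(group_dn: str) -> List[str]:
    """member attribute plus every user whose primaryGroupID equals this group's RID."""
    rid = rid_of(GROUPS[group_dn]["objectSid"])
    names = set(members_from_member_attr(group_dn))
    names.update(u["sAMAccountName"] for u in USERS.values() if u["primaryGroupID"] == rid)
    return sorted(names)


def _escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of the characters that are special inside a filter value."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def primary_aware_member_filter(group_dn: str) -> str:
    """LDAP filter matching a group's members including primary-group members.
    Whether Ranger usersync accepts it as a custom search filter is an assumption."""
    rid = rid_of(GROUPS[group_dn]["objectSid"])
    return (f"(&(objectClass=user)(|(memberOf={_escape_filter_value(group_dn)})"
            f"(primaryGroupID={rid})))")


if __name__ == "__main__":
    for dn in USERS:
        print(USERS[dn]["sAMAccountName"], groups_from_memberof(dn), "->", all_groups(dn))
    for dn in GROUPS:
        print(GROUPS[dn]["cn"], members_from_member_attr(dn), "->", all_members(dn))
    print(primary_aware_member_filter(DOMAIN_USERS_DN))
```

Running the script shows the asymmetry from the two sync modes side by side: memberOf yields only one group for each user, and member yields only one user for each group, while the primaryGroupID join recovers both of the missing pairings.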