
Ranger active directory primarygroup sync

Explorer

Hi all,

I am trying to implement our security integration with sssd, and I could not make Ranger import users' primary group from Active Directory. Our sssd configuration is synchronizing the groups of users correctly, like:

uid=908602857(ol889372) gid=908600513(domain users) groups=908600513(domain users),908603108(hadoopgroup)

But Ranger could not get the "domain users" group from Active Directory since it is the primary group. Any idea how to make it work?


Expert Contributor

I assume you have already done HDFS group mapping. Could you please share your settings for Ranger user sync?

Explorer

Hi Frank,

Here is my configuration:

14712-screenshot-20170418-112935.png

id output of bilgin user from shell:

id bilgin uid=908601104(bilgin) gid=908603108(hadoopgroup) groups=908603108(hadoopgroup),908600513(domain users)

14713-bilgin.png

another example:

id ol889372 uid=908602857(ol889372) gid=908600513(domain users) groups=908600513(domain users),908603108(hadoopgroup)

14714-ol889372.png

As you can see, Ranger takes the user's groups except the primary group (hadoopgroup in the case of user bilgin and "domain users" in the case of ol889372). In the meantime, we are using Windows Server 2012. Thank you in advance.

Expert Contributor

Is your hadoopgroup nested inside the domain users group?

Explorer

No. It is not nested.

Expert Contributor
@Anıl Halil

1. Ranger uses the "memberof" attribute to pull the groups associated with the user if "Enable Group Sync" is disabled. In this case, the primary group (Domain Users) is not returned by AD and hence that info is not available to Ranger (https://social.technet.microsoft.com/Forums/windows/en-US/ad1396f1-a951-4a28-9a35-e2c5d9a2b22f/finding-primary-group-of-users-in-ad?forum=winserverDS)

2. If "Enable Group Sync" is enabled, then Ranger first syncs all the users based on the user config, then searches groups based on the group configuration and looks for the "member" attribute of the group to map the users that were pulled as part of the user search. As long as the users are part of the member attribute of the group, we sync that group. But it looks like AD doesn't return all the users in the member attribute as part of the LDAP search.

Just curious, are you planning to configure any Ranger policies for "Domain Users"? Is it possible to share more details of your use case from the Ranger perspective (mainly how these users and/or groups synced in Ranger will be used)?
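The reply above explains why a memberOf-based sync misses the primary group: AD stores a user's primary group only as the numeric `primaryGroupID` attribute (the RID of the group), and neither the user's `memberOf` nor the group's `member` attribute lists it. The following is an added example, not code from the thread or from Ranger, showing how an administrator can verify what a complete group resolution should look like: it decodes the binary `objectSid` form AD returns over LDAP, builds the primary group's SID from the domain SID plus `primaryGroupID`, and unions that group with `memberOf`. The domain SID, DNs and user entries are constructed sample data shaped like the thread's `id` output (RID 513 is the well-known Domain Users RID; 3108 is taken from the thread's hadoopgroup gid suffix); in a real check the entries would come from an LDAP search.

```python
# Added example (not from the thread or Ranger): resolve a user's effective
# AD groups, including the primary group that memberOf does not report.
import struct

# Constructed domain SID for the example; a real deployment reads it from the
# domain object's objectSid attribute.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
BASE = "DC=example,DC=local"  # constructed base DN


def string_to_sid(text: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary objectSid layout AD returns over LDAP:
    revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes big-endian), then each sub-authority as a little-endian uint32."""
    parts = text.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_to_string(blob: bytes) -> str:
    """Decode the binary objectSid back to its textual S-1-... form."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def rid(blob: bytes) -> int:
    """The RID is the last sub-authority; primaryGroupID holds the group's RID."""
    count = blob[1]
    return struct.unpack_from("<I", blob, 8 + 4 * (count - 1))[0]


def sid_filter_value(blob: bytes) -> str:
    """Escape a binary SID for an LDAP filter such as (objectSid=\\01\\05...)."""
    return "".join("\\%02x" % b for b in blob)


# Constructed group entries; memberOf on users and member on groups never
# mention primary-group membership, which is exactly what the sync relies on.
GROUPS = [
    {"dn": "CN=Domain Users,CN=Users," + BASE, "cn": "Domain Users",
     "objectSid": string_to_sid(DOMAIN_SID + "-513")},   # 513: Domain Users RID
    {"dn": "CN=hadoopgroup,OU=Groups," + BASE, "cn": "hadoopgroup",
     "objectSid": string_to_sid(DOMAIN_SID + "-3108")},
]

# Constructed user entries mirroring the two id outputs from the thread.
USERS = {
    "ol889372": {"primaryGroupID": 513,
                 "memberOf": ["CN=hadoopgroup,OU=Groups," + BASE]},
    "bilgin": {"primaryGroupID": 3108,
               "memberOf": ["CN=Domain Users,CN=Users," + BASE]},
}


def memberof_groups(user, groups):
    """What a memberOf-only sync sees: the primary group is absent."""
    return sorted(g["cn"] for g in groups if g["dn"] in user["memberOf"])


def primary_group(user, groups):
    """The group whose objectSid is <domain SID>-<primaryGroupID>, or None."""
    wanted = string_to_sid("%s-%d" % (DOMAIN_SID, user["primaryGroupID"]))
    for g in groups:
        if g["objectSid"] == wanted:
            return g
    return None


def effective_groups(user, groups):
    """memberOf plus the primary group: the set a complete sync should carry."""
    names = set(memberof_groups(user, groups))
    pg = primary_group(user, groups)
    if pg is not None:
        names.add(pg["cn"])
    return sorted(names)


if __name__ == "__main__":
    for name, user in USERS.items():
        print(name, "memberOf only:", memberof_groups(user, GROUPS),
              "effective:", effective_groups(user, GROUPS))
```

Against a live directory the same lookup is an LDAP search with the filter `(objectSid=<escaped SID>)` built by `sid_filter_value`, or equivalently a search for a group whose RID equals the user's `primaryGroupID`; comparing `memberof_groups` with `effective_groups` for a few accounts is a quick way to confirm whether a sync gap is the primary-group case described above rather than a filter or scope problem.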