Posted to user@ranger.apache.org by Don Bosco Durai <bo...@apache.org> on 2017/02/10 17:07:05 UTC
Re: Scalability - large numbers of users/groups in LDAP
Seems you are suggesting two scenarios.
1. Ranger should have an option just to sync Groups (without users). We should already be supporting it, or there was an intention to support it. If we are not doing it for any reason, I am a strong +1 for doing it.
2. Direct LDAP would have been ideal, but we were worried about the load we might put on LDAP for real-time queries. Just FYI, Ranger uses LDAP/AD for authentication and easy selection of users/groups during policy create. For authentication, it is already real-time (even though I would have preferred to get the roles also in real-time).
If you have a very high number of users/groups, then the short-term recommendation is to apply LDAP filters and limit syncing users only to those using Hadoop.
Thanks
Bosco
On 2/10/17, 6:20 AM, "Nigel Jones" <jo...@uk.ibm.com> wrote:
On 10/02/2017 09:58, Velmurugan Periasamy wrote:
> Hi Nigel:
>
> Thanks for starting an interesting thread.
> I believe this is already addressed by
> https://issues.apache.org/jira/browse/RANGER-869. Please take a look.
I took a look - indeed I had noticed this option to go via groups and
look up "member", which does mitigate the issue somewhat, depending on the
number of groups.
In the environment I'm thinking of I can probably find an "interesting"
list of groups. So I could modify usersync to not just use the
group->member lookup, but also to ONLY do that for certain groups (I'll
probably need "groupsync" for that... !)
Whether this works depends on how the ldap server is set up... I need to
take a look; if so this is probably good enough for now.
But I'm still wondering if we really need to sync users at all since at
some point any kind of connector/engine may well be doing an ldap lookup
anyway - certainly that's true in an engine -- Apache Derby based - that
I'm looking at (and developing a plugin for). This may become more
important for large numbers of groups and users especially if we
consider applying ranger plugins to technologies used by a broad set of
users.
Out of interest I just noticed in the nifi mailing lists that there was
a recent thread on "LDAP Group Authorization". There is some discussion
of native nifi+ranger, but in either case the question about why not get
the info direct from ldap at connect time is being asked. Intriguing ...
Thanks for the link ... mulling over some more :-)
nigel.
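As an added illustration of the two approaches discussed in this thread (narrowing the user search with an LDAP filter, as Bosco recommends, and the group-first "member" lookup Nigel refers to in connection with RANGER-869), here is a small Python model of a directory with a minimal RFC 4515 filter evaluator. This is example code written for this page, not Ranger's usersync or any other project code; the directory entries, DNs, group names and the per-strategy "entries transferred" count are constructed for the demonstration.

```python
"""Toy LDAP directory plus a subset-of-RFC-4515 filter evaluator, used to
compare how many entries a user sync pulls from the server when it
(a) reads every user, (b) narrows the user search with a memberOf filter,
or (c) searches selected groups first and follows their 'member' attribute.
Added example, not Ranger code; every DN and entry below is constructed."""

BASE = "dc=example,dc=com"
PEOPLE = "ou=people," + BASE
GROUPS = "ou=groups," + BASE
HADOOP_USERS = "cn=hadoop-users," + GROUPS
FINANCE = "cn=finance," + GROUPS


def person(uid, *groups):
    return {"objectClass": ["person"], "uid": [uid], "memberOf": list(groups)}


def group(cn, members):
    return {"objectClass": ["groupOfNames"], "cn": [cn], "member": list(members)}


# Constructed sample directory: DN -> attribute -> list of values.
DIRECTORY = {
    f"uid=alice,{PEOPLE}": person("alice", HADOOP_USERS),
    f"uid=bob,{PEOPLE}": person("bob", HADOOP_USERS, FINANCE),
    f"uid=carol,{PEOPLE}": person("carol", FINANCE),
    f"uid=dave,{PEOPLE}": person("dave"),          # in no group at all
    HADOOP_USERS: group("hadoop-users", [f"uid=alice,{PEOPLE}", f"uid=bob,{PEOPLE}"]),
    FINANCE: group("finance", [f"uid=bob,{PEOPLE}", f"uid=carol,{PEOPLE}"]),
}


def parse_filter(text):
    """Parse a subset of RFC 4515: equality, presence (attr=*), &, |, !.
    Values are taken up to the first ')'; escaped ')' (\\29) is not handled.
    Returns (node, unparsed_rest)."""
    if not text.startswith("("):
        raise ValueError("filter must start with '('")
    if text[1] in "&|!":
        op, rest, children = text[1], text[2:], []
        while rest.startswith("("):
            child, rest = parse_filter(rest)
            children.append(child)
        if not rest.startswith(")"):
            raise ValueError("unbalanced filter")
        return (op, children), rest[1:]
    end = text.index(")")
    attr, value = text[1:end].split("=", 1)
    return ("=", attr.lower(), value), text[end + 1:]


def matches(node, entry):
    """Evaluate a parsed filter against one entry. Attribute names and
    values are compared case-insensitively, as a server does for DNs."""
    attrs = {k.lower(): v for k, v in entry.items()}
    kind = node[0]
    if kind == "=":
        _, attr, value = node
        values = attrs.get(attr, [])
        if value == "*":                      # presence test
            return bool(values)
        return any(v.lower() == value.lower() for v in values)
    children = node[1]
    if kind == "&":
        return all(matches(c, entry) for c in children)
    if kind == "|":
        return any(matches(c, entry) for c in children)
    return not matches(children[0], entry)    # "!"


def search(base, filter_text, directory=DIRECTORY):
    """Subtree search: sorted DNs under `base` whose entry matches the filter."""
    node, rest = parse_filter(filter_text)
    if rest:
        raise ValueError(f"trailing text in filter: {rest!r}")
    return sorted(dn for dn, entry in directory.items()
                  if dn.lower().endswith(base.lower()) and matches(node, entry))


def sync_all_users():
    """(a) Full sync: every person entry under ou=people is transferred."""
    return search(PEOPLE, "(objectClass=person)")


def sync_users_by_filter(group_dn):
    """(b) User search narrowed to members of one group. Relies on the
    server maintaining memberOf (AD does; OpenLDAP needs the memberof overlay)."""
    return search(PEOPLE, f"(&(objectClass=person)(memberOf={group_dn}))")


def sync_groups_first(group_filter):
    """(c) Group-first sync: find the interesting groups, read 'member',
    then resolve only those user DNs. Returns (users, entries_transferred),
    counting one group entry per matched group and one read per user."""
    groups = search(GROUPS, group_filter)
    users = sorted({m for g in groups for m in DIRECTORY[g].get("member", [])})
    return users, len(groups) + len(users)


if __name__ == "__main__":
    print("full sync:", len(sync_all_users()), "entries")
    print("filtered :", len(sync_users_by_filter(HADOOP_USERS)), "entries")
    print("groups   :", sync_groups_first("(cn=hadoop-users)")[1], "entries")
```

Two points the toy makes visible: the memberOf filter in (b) only works when the server computes that attribute, so on a plain OpenLDAP tree the group-first walk in (c) is the portable option; and (c) costs one group read plus one read per distinct member, so the saving depends on how many groups the filter selects, which is the "depending on the number of groups" caveat above. A real usersync would also have to page large result sets and handle nested groups, which this model leaves out.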