Posted to user@ranger.apache.org by Hellmar Becker <be...@hellmar-becker.de> on 2015/03/18 08:52:21 UTC

Restrict LDAP query for Ranger user synchronization

Hello,

We are going to synchronize our Ranger installation with the corporate  
Active Directory, which contains users and groups. The issue we are  
facing is:

- The number of users is high (around 100,000) but only a small  
fraction of these users will get Hadoop access rights
- We want to synchronize only Hadoop-authorized users, to reduce both  
AD server load and network load
- For policy reasons, we cannot create an extra OU to hold just the  
Hadoop users
- Filtering users by an attribute would cut down on network use but  
would still scan all users in AD

The best workaround for our situation would be to create one group  
that contains all Hadoop users, and query that group entry instead of  
individual user entries. The user names can then be obtained from the  
member attribute list of the group entry.

Is such an approach possible in Ranger, and/or could it be made a  
feature request for a future version?

Kind regards,
Hellmar


========================================
Hellmar Becker
Edmond Audranstraat 55
NL-3543BG Utrecht
mail: becker@hellmar-becker.de
mobile: +31 6 29986670
========================================
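
As an added illustration of the approach described in the message above (group entry first, then only the users it lists), here is a small Python sketch written for this thread. It is not Ranger UserSync code and not the poster's; the directory layout, group name and attribute values are constructed in memory so it runs offline, and it stands in for base-scope LDAP reads that a real sync would issue. It also covers two things a practitioner hits in Active Directory: nested groups (with a cycle guard) and large `member` lists that AD returns in `member;range=...` chunks.

```python
"""Group-driven user sync: derive the Hadoop user list from one AD group
entry's member attribute instead of scanning every user object.

Added example for the thread above; not Ranger UserSync code. All LDAP
results are constructed in memory, so nothing here touches a directory.
"""
from typing import Dict, List, Set

# Constructed in-memory directory, DN -> attributes. It stands in for what
# a base-scope LDAP read of each entry would return from AD.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=HadoopUsers,OU=Groups,DC=corp,DC=example": {
        "objectClass": ["top", "group"],
        # AD returns large multi-valued attributes in ranged chunks
        # (member;range=0-1499, then member;range=1500-*). Both chunks are
        # embedded here instead of being fetched with a follow-up query.
        "member;range=0-1": [
            "CN=Becker\\, Hellmar,OU=People,DC=corp,DC=example",
            "CN=HadoopAdmins,OU=Groups,DC=corp,DC=example",
        ],
        "member;range=2-*": [
            "CN=Alice Smith,OU=People,DC=corp,DC=example",
            "CN=Gone User,OU=People,DC=corp,DC=example",  # stale, deleted user
        ],
    },
    "CN=HadoopAdmins,OU=Groups,DC=corp,DC=example": {
        "objectClass": ["top", "group"],
        "member": [
            "CN=Bob Jones,OU=People,DC=corp,DC=example",
            "CN=HadoopUsers,OU=Groups,DC=corp,DC=example",  # nesting cycle
        ],
    },
    "CN=Becker\\, Hellmar,OU=People,DC=corp,DC=example": {
        "objectClass": ["top", "person", "user"], "sAMAccountName": ["hbecker"]},
    "CN=Alice Smith,OU=People,DC=corp,DC=example": {
        "objectClass": ["top", "person", "user"], "sAMAccountName": ["asmith"]},
    "CN=Bob Jones,OU=People,DC=corp,DC=example": {
        "objectClass": ["top", "person", "user"], "sAMAccountName": ["bjones"]},
}

READS = {"count": 0}  # number of single-entry reads the sync issued


def read_entry(dn: str):
    """Base-scope read of one entry by DN: one round trip, no subtree scan."""
    READS["count"] += 1
    return DIRECTORY.get(dn)


def member_values(entry: Dict[str, List[str]]) -> List[str]:
    """Collect 'member' values across the plain and ranged attribute names."""
    out: List[str] = []
    for attr, values in entry.items():
        name = attr.lower()
        if name == "member" or name.startswith("member;range="):
            out.extend(values)
    return out


def first_rdn_value(dn: str) -> str:
    """Value of the leading RDN, honouring RFC 4514 backslash escapes."""
    value, i = [], dn.index("=") + 1
    while i < len(dn) and dn[i] != ",":
        if dn[i] == "\\" and i + 1 < len(dn):
            i += 1  # escaped character: take the next char literally
        value.append(dn[i])
        i += 1
    return "".join(value)


def walk_group(group_entry, seen: Set[str], users: Dict[str, dict]) -> None:
    """Depth-first walk over members; each DN is visited at most once,
    so cyclic group nesting terminates."""
    for member_dn in member_values(group_entry):
        if member_dn in seen:
            continue
        seen.add(member_dn)
        member = read_entry(member_dn)
        if member is None:
            continue  # stale DN left in the group: skip rather than abort
        if "group" in member["objectClass"]:
            walk_group(member, seen, users)
        elif "user" in member["objectClass"]:
            users[member_dn] = member


def hadoop_users(group_dn: str) -> List[str]:
    """Sorted login names (sAMAccountName) of every user in the group."""
    READS["count"] = 0
    root = read_entry(group_dn)
    if root is None:
        return []
    users: Dict[str, dict] = {}
    walk_group(root, {group_dn}, users)
    return sorted(e.get("sAMAccountName", [first_rdn_value(dn)])[0]
                  for dn, e in users.items())


if __name__ == "__main__":
    names = hadoop_users("CN=HadoopUsers,OU=Groups,DC=corp,DC=example")
    print(names, "after", READS["count"], "entry reads")
```

The point of the read counter is the load argument from the message: the sync issues one read per group plus one per listed member (six here, including the stale DN), independent of how many user objects the directory holds.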


Re: Restrict LDAP query for Ranger user synchronization

Posted by Don Bosco Durai <bo...@apache.org>.
Hellmar

>The best workaround for our situation would be to create one group that
>contains all Hadoop users, and query that group entry instead of
>individual user entries. The user names can then be obtained from the
>member attribute list of the group entry.

The UserSync design should support it, but would need some updates. There
were a few other enhancement requests around UserSync. It might be good if
you can create a JIRA for this issue.

Another option is, if you have an IdM provisioning system, it can be used
to provision the Ranger user database also. Let me know if that is an option
you want to pursue.

Thanks

Bosco



On 3/18/15, 12:52 AM, "Hellmar Becker" <be...@hellmar-becker.de> wrote:

>Hello,
>
>We are going to synchronize our Ranger installation with the corporate
>Active Directory, which contains users and groups. The issue we are
>facing is:
>
>- The number of users is high (around 100,000) but only a small
>fraction of these users will get Hadoop access rights
>- We want to synchronize only Hadoop authorized users, to reduce both
>AD server load and network load
>- For policy reasons, we cannot create an extra OU to hold just the
>Hadoop users
>- Filtering users by an attribute would cut down on network use but
>would still scan all users in AD
>
>The best workaround for our situation would be to create one group
>that contains all Hadoop users, and query that group entry instead of
>individual user entries. The user names can then be obtained from the
>member attribute list of the group entry.
>
>Is such an approach possible in Ranger, and/or could it be made a
>feature request for a future version?
>
>Kind regards,
>Hellmar
>
>
>========================================
>Hellmar Becker
>Edmond Audranstraat 55
>NL-3543BG Utrecht
>mail: becker@hellmar-becker.de
>mobile: +31 6 29986670
>========================================
>