On 10/02/2017 17:07, Don Bosco Durai wrote:
> 1. Ranger should have an option just to sync Group (without
> users). We should be already supporting it or there was an intention to
> support. If we are not doing it for any reason, I am a strong +1 for
> doing it.
I'll experiment with this - only working off the docs so far, trying it
out is next :-)
> 2. Direct LDAP would have been ideal, but we were worried about
> the load we might put on LDAP for real-time queries. Just FYI, Ranger
> uses LDAP/AD for authentication and easy selection of users/groups
> during policy create. For authentication, it is already real-time (even
> though I would have preferred to get the roles also in real-time).
A fair concern, though at least it's only at connect time. The
enterprise I spoke to didn't seem to think it was a concern. I'll start
with option #1 though.
> If you have a very high number of users/groups, then the short-term
> recommendation is to apply LDAP filters and limit syncing users only
> to those using Hadoop.
This will be extending outside Hadoop - I'm trying to determine how to
constrain the LDAP query to the users using the relevant systems. I can
potentially obtain a list of groups from elsewhere via a new usersync
process, and then go back into LDAP to query membership, which would look
the same to Ranger; just modify that sync.
Thanks for the info!
Nigel.
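As an added illustration of the LDAP-filter approach recommended above (this is not configuration posted by either author of the thread), the fragment below shows how a Ranger usersync install.properties can be narrowed so that only a chosen set of groups, and only the members of those groups, are pulled from the directory. The property names are as I recall them from Ranger's usersync install.properties and should be checked against the installed version; the hostnames, DNs and group names are constructed placeholders.

```properties
# Added example, not from the thread: limit Ranger usersync to a few groups
# and their members instead of syncing the whole directory.
# Property names as recalled from Ranger's usersync install.properties
# (verify against your release); DNs, host and group names are placeholders.
SYNC_SOURCE = ldap
SYNC_LDAP_URL = ldaps://ldap.example.internal:636
SYNC_LDAP_BIND_DN = cn=ranger-usersync,ou=service-accounts,dc=example,dc=internal
SYNC_LDAP_SEARCH_BASE = dc=example,dc=internal

# Group-side sync: enumerate only the groups that govern the relevant systems,
# then resolve their membership from the group's member attribute.
SYNC_GROUP_SEARCH_ENABLED = true
SYNC_GROUP_USER_MAP_SYNC_ENABLED = true
SYNC_GROUP_SEARCH_BASE = ou=groups,dc=example,dc=internal
SYNC_GROUP_OBJECT_CLASS = groupOfNames
SYNC_GROUP_NAME_ATTRIBUTE = cn
SYNC_GROUP_MEMBER_ATTRIBUTE_NAME = member
SYNC_GROUP_SEARCH_FILTER = (|(cn=hadoop-users)(cn=data-analysts)(cn=platform-admins))

# User-side sync: the search filter restricts users to members of those same
# groups, so the user query carries the same scope as the group query.
SYNC_LDAP_USER_SEARCH_BASE = ou=people,dc=example,dc=internal
SYNC_LDAP_USER_OBJECT_CLASS = person
SYNC_LDAP_USER_NAME_ATTRIBUTE = uid
SYNC_LDAP_USER_SEARCH_FILTER = (|(memberOf=cn=hadoop-users,ou=groups,dc=example,dc=internal)(memberOf=cn=data-analysts,ou=groups,dc=example,dc=internal)(memberOf=cn=platform-admins,ou=groups,dc=example,dc=internal))
```

Two caveats for anyone adapting this. The user-side `memberOf` filter only works where the directory exposes reverse membership (Active Directory does; OpenLDAP needs the memberof overlay), otherwise the group filter alone has to carry the scoping and the user filter should be left at the object-class default. And because both filters are evaluated by the directory, a bind account with read access to just these subtrees keeps the sync's blast radius, and the directory load Don mentions, proportional to the groups actually in use.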