apache-ranger

Does Ranger incremental AD sync overwrite each time or leave previously synced users (e.g. if the filter changes)? Are Unix users recreated?


Looking for some clarification on how incremental sync works / what it does. I have recently configured Ranger/AD sync with incremental sync off and the user search filter blank. This resulted in all users from AD being added to Ranger.

This was just intended as a base-case test, but when adding a new user search filter to the Ranger AD configs in Ambari and restarting the Ranger service, no changes appear to have been made (which is what I had expected when setting incremental sync to off) and ALL of the AD users are still visible, not just the ones specified by the filter. At this point I have some questions:

  1. If I were to go into the Ranger UI and go to the users and groups menu and manually delete all of the AD users and groups, then add the user search filter to the Ranger configs, and restart Ranger would that wipe the rest of the users from Ranger's user DB and leave only the AD users from the search filter once Ranger was restarted? Any other way to get this desired result?

  2. What would happen if I accidentally manually deleted a Unix user from the users and groups menu in the Ranger UI? Would they repopulate once I restarted Ranger, or would I need to do something else to fix the mistake?


Solution

  • From the Apache email list...

    1. Once Users and Groups are sync'd to Ranger DB, deleting them is an admin-only manual operation. Ranger doesn't delete users and groups automatically based on the search filter changes. But once you clean up the users and groups and restart ranger usersync, it should pull in only the users and groups based on the configured filter. Just an FYI - for testing purposes, ranger usersync supports one config "ranger.usersync.policymanager.mockrun" which can be set to true so that the sync'd users and groups are not updated to ranger DB. https://docs.cloudera.com/HDPDocuments/HDP3/HDP-3.1.4/installing-ranger/content/ranger_install_configure_ranger_user_sync.html

    2. If a user/group is deleted from Ranger UI, once ranger is restarted, these users/groups are sync'd to Ranger DB based on the sync configuration.

    So from these points, note that if the default HDP / hadoop users (e.g. hdfs, yarn, livy) were created as unix users on each machine in the cluster (e.g. what HDP 3.1.0 does by default) and you manually delete these users from the Ranger UI, they will not reappear once Ranger is restarted. That is, Ranger will not look at both AD and local unix users (perhaps there is a way to change this in the configs?). So what you would need to do then is switch Ranger user sync to "unix", restart Ranger to let the local unix users sync, then switch the configs to AD and restart again to get the AD users into Ranger (and the previously synced unix users should still be there, since Ranger does not delete users based on the user sync configs).
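The clean-up-and-resync sequence above, as an added example script (not from the thread, the mailing list or the Ranger project): it emits the usersync property overrides for each phase (a mockrun dry run first, then the unix source, then the LDAP source with the narrowed filter) and lists the externally synced users that would have to be deleted by hand. Assumptions, none of which come from the original post: the standard ranger-ugsync-site keys ranger.usersync.source.impl.class and ranger.usersync.ldap.user.searchfilter, the Ranger Admin REST endpoint GET/DELETE /service/xusers/users with userSource 1 meaning "synced" and 0 meaning "created in the UI", the forceDelete parameter, the hypothetical variables RANGER_URL, RANGER_AUTH and DO_DELETE, and the constructed sample JSON. Check the endpoint and userSource semantics against the REST API docs for your Ranger version before running it with DO_DELETE=yes. Requires GNU sed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original thread. Assumed (verify for your
# Ranger version): the ranger-ugsync-site property keys below, the
# /service/xusers/users REST endpoint, userSource 1 = synced / 0 = UI-created,
# and the forceDelete query parameter. RANGER_URL / RANGER_AUTH / DO_DELETE are
# hypothetical control variables; the JSON at the bottom is constructed.
set -euo pipefail

# Property overrides for each phase of the re-sync described in the answer:
#   unix -> pull the local service accounts (hdfs, yarn, livy ...) first
#   ldap -> then switch to AD with the narrowed user search filter
# mockrun=true makes usersync log what it would push without touching the DB,
# which is the safe way to preview the effect of a new filter.
usersync_props() {
  local phase="$1" mockrun="${2:-false}" filter="${3:-}"
  case "$phase" in
    unix)
      printf '%s\n' \
        "ranger.usersync.source.impl.class=org.apache.ranger.unixusersync.process.UnixUserGroupBuilder" \
        "ranger.usersync.policymanager.mockrun=${mockrun}"
      ;;
    ldap)
      printf '%s\n' \
        "ranger.usersync.source.impl.class=org.apache.ranger.ldapusersync.process.LdapUserGroupBuilder" \
        "ranger.usersync.ldap.user.searchfilter=${filter}" \
        "ranger.usersync.policymanager.mockrun=${mockrun}"
      ;;
    *) echo "unknown phase: ${phase}" >&2; return 2 ;;
  esac
}

# Emit "id name" for every externally synced user in a vXUsers page read from
# stdin. Whitespace is stripped first so plain sed/grep work without jq; this
# relies on "id" preceding "name" inside each object and on usernames without
# spaces. UI-created users (userSource 0, e.g. admin) are skipped.
external_users() {
  tr -d ' \n\t' | sed 's/},{/}\n{/g' | { grep '"userSource":1' || true; } |
    sed -n 's/.*"id":\([0-9]*\),.*"name":"\([^"]*\)".*/\1 \2/p'
}

# Delete one synced user through the admin API (assumed endpoint, see above).
delete_user() {
  curl -sS -f -u "${RANGER_AUTH}" -X DELETE \
    "${RANGER_URL}/service/xusers/users/$1?forceDelete=true"
}

# Constructed sample shaped like a GET /service/xusers/users page.
SAMPLE_USERS_JSON='{"startIndex":0,"pageSize":200,"totalCount":4,"vXUsers":[
  {"id":1,"name":"admin","userSource":0},
  {"id":7,"name":"hdfs","userSource":1},
  {"id":8,"name":"yarn","userSource":1},
  {"id":42,"name":"jsmith","userSource":1}]}'

# Driver: prints the plan; only talks to a live Ranger when RANGER_URL is set,
# and only deletes when DO_DELETE=yes as well.
main() {
  echo "# phase 0: dry run of the unix source"
  usersync_props unix true
  echo "# phase 1: unix source for real"
  usersync_props unix false
  echo "# phase 2: AD with the narrowed filter (filter value is illustrative)"
  usersync_props ldap false '(memberOf=CN=hadoop-users,OU=Groups,DC=example,DC=com)'
  local users_json
  if [ -n "${RANGER_URL:-}" ]; then
    users_json=$(curl -sS -f -u "${RANGER_AUTH}" "${RANGER_URL}/service/xusers/users?pageSize=200")
  else
    users_json="${SAMPLE_USERS_JSON}"
  fi
  printf '%s\n' "${users_json}" | external_users | while read -r id name; do
    echo "synced user ${name} (id ${id}) would be deleted before the re-sync"
    if [ -n "${RANGER_URL:-}" ] && [ "${DO_DELETE:-no}" = yes ]; then
      delete_user "${id}"
    fi
  done
}
main "$@"
```

Without RANGER_URL the script only prints the property overrides and the plan against the constructed sample; with RANGER_URL and RANGER_AUTH set it reads the real user list, and nothing is deleted unless DO_DELETE=yes, so the first run against a live cluster is always a review of what would go.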