Hi Nigel: Thanks for starting an interesting thread.
> In some environments selecting a subset of groups (which may be used as
> roles), and just pulling users there MAY help if the applications being
> secured have a more limited audience

I believe this is already addressed by https://issues.apache.org/jira/browse/RANGER-869. Please take a look.

Thank you,
Vel

From: Nigel Jones <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Friday, February 10, 2017 at 2:41 AM
To: "[email protected]" <[email protected]>
Subject: Scalability - large numbers of users/groups in LDAP

I've been mulling over an issue recently and am interested in any thoughts... I'm pretty new to Ranger, so very ready to hear why this could never work ;-)

Today in an LDAP-managed enterprise environment, user & group information is replicated from the LDAP server (such as MS Active Directory) by the usersync process. I have some control over:
- the base DN
- whether to pull a list of groups from each user, or users from groups
- what additional attributes are pulled

This is then persisted in Ranger & gets pulled by the plugins.

However, in some environments:
- the number of users in LDAP could be very high (100,000+)
- it may be difficult to scope the query where Ranger is securing access to an enterprise service

If we assume any kind of service that involves a "connect" as well as read/write operations, there could be an opportunity to retrieve user/group information for that user at that point. It could then be saved within the plugin to be used at data access time.

As a variation, potentially we could still populate group (or role) information in the Ranger server, making it easier for policy definitions.

Has anyone considered this as an option?

In some environments selecting a subset of groups (which may be used as roles), and just pulling users there, MAY help if the applications being secured have a more limited audience.

If it sounds interesting I'm inclined to work through the flows in more detail.

Thanks
Nigel
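As an added example (not Ranger's code and not written by either poster), a model of the connect-time lookup proposed above: the plugin resolves one user's groups when that user connects, keeps them until data-access time, and lets a TTL bound how long a membership revoked in LDAP keeps working. The in-memory directory, `DirectoryClient`, `GroupCache` and the 300-second TTL are constructed assumptions standing in for a real LDAP query and a real plugin.

```python
import time
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample directory (stand-in for LDAP memberOf data): user -> groups.
DIRECTORY: Dict[str, List[str]] = {
    "alice": ["analysts", "finance-readers"],
    "bob": ["analysts"],
}


class DirectoryClient:
    """One per-user lookup per connect, instead of usersync's bulk pull."""

    def __init__(self, directory: Dict[str, List[str]]) -> None:
        self.directory = directory
        self.queries = 0  # round-trips, so the difference from a bulk sync is visible

    def groups_of(self, user: str) -> List[str]:
        self.queries += 1
        return list(self.directory.get(user, []))


class GroupCache:
    """Plugin-side store of connect-time results, reused at data-access time.
    The TTL bounds how long a membership revoked in LDAP keeps working here;
    with usersync that window is the sync interval instead."""

    def __init__(self, client: DirectoryClient, ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.client, self.ttl, self.clock = client, ttl_seconds, clock
        self.entries: Dict[str, Tuple[List[str], float]] = {}

    def on_connect(self, user: str, now: Optional[float] = None) -> List[str]:
        now = self.clock() if now is None else now
        groups = self.client.groups_of(user)
        self.entries[user] = (groups, now + self.ttl)
        return groups

    def groups_at_access(self, user: str, now: Optional[float] = None) -> List[str]:
        now = self.clock() if now is None else now
        entry = self.entries.get(user)
        if entry is None or entry[1] <= now:
            # Never connected or expired: re-resolve rather than serve stale data.
            return self.on_connect(user, now)
        return entry[0]


def is_allowed(user_groups: List[str], policy_groups: set) -> bool:
    """Policy check by group name; the server can still hold these names as roles."""
    return not policy_groups.isdisjoint(user_groups)
```

The `queries` counter shows that only connecting users cost a directory round-trip, and the revocation case shows why the TTL (or an explicit invalidation) matters for a cache that sits on the access path.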
