Hi Ranger experts, We are developing a custom Ranger Plugin for Apache HAWQ(incubating) and noticed that group policies are not behaving as we expected.
In Ranger, we define a user U (actually synched from OS). We then manually define group G and enroll user U into it. We then define a policy and grant a privilege to the group G in this policy. On the client side, we do not know that user U belongs to group G, as this information is only defined in Ranger. When we request policy evaluation, we send an empty set for the userGroups API parameter, assuming Ranger will use its internal mapping. But the access is denied by Ranger. So, it seems Ranger will not use the information from its internal user <--> group mapping when evaluating policies and would rely on client providing the set of groups for the user explicitly ? This also means user <--> group mapping in Ranger is NOT the source of truth, but rather a mirror of some other authentication system (OS, LDAP, etc) and a service will need to fetch this information upon user authentication and provide to Ranger ? I will appreciate clarification on these points. -- Thanks, Alex.
